Linux Shell Code

Hi Experts - I have a homework problem that I have no idea how to even begin, any guidance would be appreciated. Take a look:

You are required to come up with a binary file containing some Linux shellcode such that the
following program will spawn a /bin/sh shell upon reading the binary file in the Linux lab virtual
machine. Note, the program has some primitive defense against “code injection” which searches
substring “/bin/sh” from the first line of the input binary file. For a full score, you need to find a
shellcode that does not contain substring “/bin/sh” but spawns “/bin/sh” shell (hint: you can use
registers to hold the string “/bin/sh”, and push them into the stack; or find some way to disguise your
“/bin/sh” string; Be creative to defeat the primitive content signature matching!)

Program is attached
/* testsh.c */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define bufsz 100

const char msg[]="Usage: %s <shellcode file>\n";

static char buffer1[bufsz];
static char buffer2[bufsz];

void usage(char *self)
{ printf(msg, self);
  exit(1);   /* assumed: the posted copy lost this line and the closing brace */
}

int main(int argc, char *argv[])
{ FILE *fp;
  void (*funcptr)();

  if (argc != 2) usage(argv[0]);

  if ((fp=fopen(argv[1], "rb"))==NULL)
  { printf("fail to open file: %s\n", argv[1]);
    exit(1);   /* assumed: the posted copy lost this line and the closing brace */
  }

  fgets(buffer1, bufsz, fp);   /* only the first line of the file is read */

  strcpy(buffer2, buffer1); /* your shellcode should not contain \x00 */

  if (strlen(buffer2)>=40) /* your shellcode should be less than 40 bytes */
    printf("your shellcode is too long! 5 points penalty \n");

  if (strlen(buffer2)<30) /* the shorter, the better the shell code is */
    printf("your shellcode is less than 30 bytes! 10 bonus points\n");

  if (strstr(buffer2, "/bin/sh"))
    printf("Malicious code detected! 15 points penalty \n");

  funcptr = (void *) buffer2;
  (*funcptr)();  /* execute your shell code */

  return 0 ;
}

noci, Software Engineer, commented:
Well shell code 101:

Make a short assembly program, it must fit the constraints of the program you try to invade.
The rest is a matter of trying to fit the constraints.
The more complex story can be found using the links....

Start trying...
noci, Software Engineer, commented:
So start investigating....
southpau1 (Author) commented:
Thanks, I am researching as well. That's why I didn't just come out and ask for a solution. Figured I would attack this problem from all fronts.
noci, Software Engineer, commented:
Ok, but the answer isn't too difficult; anything else might be considered against the rules of EE.
southpau1 (Author) commented:
Do you know of a specific reference that can help me? I've read a couple of papers at the top of the search results in Google and none are really beginner shellcode.
Infinity08 commented:
The article "Smashing the stack for fun and profit" is imo the best reference on exploiting stack overflows:

It also contains a nice introduction to writing shell code.
southpau1 (Author) commented:
Ok guys, I have put together some C code that is close to working (I think). It executes by itself, but the string does not concatenate correctly. I'm not a C pro, can you help?

#include <stdio.h>
#include <string.h>

/* each array needs one extra byte for the terminating '\0' that strcat() relies on */
char beg[5] = "/bin";
char end[4] = "/sh";
char path[sizeof beg + sizeof end - 1];  /* room for both strings and one '\0' */

int main(void)
{ strcpy(path, beg);
  strcat(path, end);   /* appends end after the '\0' of beg, then re-terminates */
  printf("%s\n", path);
  return 0; }

noci, Software Engineer, commented:
From 'man strcat':

The strcat() function appends the src string to the dest string, overwriting the null byte ('\0') at the end of dest, and then adds a terminating null byte. The strings may not overlap, and the dest string must have enough space for the result.

That should also set you thinking about your payload btw.
noci, Software Engineer, commented:
The problem is that this is quite basic knowledge about how C strings work, and how to copy stuff around.
It's clearly an assignment, as is stated in the first sentence.
The answer has been given with a clear pointer, but not an exact answer, as to why his example will not work.

It's hard to not just tell the right answer but point in the right direction...
As given, the exercise is not too difficult.

Since the question was asking for guidance, and that's what was provided, I recommend closing the question by accepting these posts:

        http:#36553765 (noci) : short overview of what needs to be done
        http:#36554059 (Infinity08) : a nice reference with examples, and a clear explanation
        http:#36577785 (noci) : some corrections for the first attempt from the asker

With this, the asker should have been able to make it work. I can only guess he did, because he didn't get back to us.
southpau1 (Author) commented:
I was mostly given links to web pages, which I can find myself. Was really hoping to get some expert insight, not just a web page.
noci, Software Engineer, commented:
Not to offend, but...

This is homework, I cannot give you a solution directly (I don't do the homework for my kids either...)
You were given some pointers, and whether that is a textbook reference [rather hard to get sometimes] or a pointer to a website [more convenient], it's a source for the knowledge you wish to acquire.

Then you did present your solution, which fails on several grounds like [size] and [copy constraints]. You demonstrate that you miss some basic understanding of how stuff works just below the visible world. This was hinted at using the strcat() manpage excerpt.

Sorry to be rather blunt.. But I really do hope you score better than B...
