Solved

Linux Shell Code

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi Experts - I have a homework problem that I have no idea how to even begin; any guidance would be appreciated. Take a look:

Question:
You are required to come up with a binary file containing some Linux shellcode such that the
following program will spawn a /bin/sh shell upon reading the binary file in the Linux lab virtual
machine. Note, the program has some primitive defense against “code injection” which searches
substring “/bin/sh” from the first line of the input binary file. For a full score, you need to find a
shellcode that does not contain substring “/bin/sh” but spawns “/bin/sh” shell (hint: you can use
registers to hold the string “/bin/sh”, and push them into the stack; or find some way to disguise your
“/bin/sh” string; Be creative to defeat the primitive content signature matching!)

Program is attached
/* testsh.c

*/

#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>

#define bufsz 100

const char msg[]="Usage: %s <shellcode file>\n";

static char buffer1[bufsz];
static char buffer2[bufsz];

void usage(char *self)
{ printf(msg, self);
  exit(1);
}

int main(int argc, char *argv[])
{ FILE *fp;
  void (*funcptr)();

  if (argc != 2) usage(argv[0]);

  if ((fp=fopen(argv[1], "rb"))==NULL)
  { printf("fail to open file: %s\n", argv[1]);
    exit(1);
  };

  fgets(buffer1, bufsz, fp);
  fclose(fp);

  strcpy(buffer2, buffer1); /* your shellcode should not contain \0x00 */

  if (strlen(buffer2)>=40) /* your shellcode should be less than 40 bytes */
    printf("your shellcode is too long! 5 points penalty \n");

  if (strlen(buffer2)<30) /* the shorter, the better the shell code is */
    printf("your shellcode is less than 30 bytes! 10 bonus points\n");

  if (strstr(buffer2, "/bin/sh"))
    printf("Malicious code detected! 15 points penalty \n");

  funcptr = (void *) buffer2;
  (*funcptr)();  /* execute your shell code */

  return 0 ;
}

Question by:southpau1
13 Comments
 
LVL 40

Expert Comment

by:noci
ID: 36552327
So start investigating....
http://www.lmgtfy.com/?q=shellcode
0
 
LVL 7

Author Comment

by:southpau1
ID: 36552376
Thanks, I am researching as well.  That's why I didn't just come out and ask for a solution.  Figured I would attack this problem from all fronts.
0
 
LVL 40

Expert Comment

by:noci
ID: 36553359
OK, but the answer isn't too difficult; anything else might be considered against the rules of EE.
0
 
LVL 7

Author Comment

by:southpau1
ID: 36553735
Do you know of a specific reference that can help me?  I've read a couple of papers at the top of the search results in Google and none are really beginner shellcode.
0
 
LVL 40

Accepted Solution

by:
noci earned 333 total points
ID: 36553765
Well shell code 101:

Make a short assembly program, it must fit the constraints of the program you try to invade.
The rest is a matter of trying to fit the constraints.
The more complex story can be found using the links....

Start trying...
0
 
LVL 53

Assisted Solution

by:Infinity08
Infinity08 earned 167 total points
ID: 36554059
The article "Smashing the stack for fun and profit" is imo the best reference on exploiting stack overflows :

        http://www.phrack.org/issues.html?issue=49&id=14#article

It also contains a nice introduction to writing shell code.
0

 
LVL 7

Author Comment

by:southpau1
ID: 36577718
OK guys, I have put together some C code that is close to working (I think).  It executes by itself, but the string does not concatenate correctly.  I'm not a C pro, can you help?
#include <string.h>
#include <stdlib.h> 

main(){
	char beg[4]="/bin";
	char end[3]="/sh";
	system(strcat(beg,end));	
	
}


0
 
LVL 40

Assisted Solution

by:noci
noci earned 333 total points
ID: 36577785
From 'man strcat'


The strcat() function appends the src string to the dest string, overwriting the null byte ('\0') at the end
of dest, and then adds a terminating null byte. The strings may not overlap, and the dest string must have
enough space for the result.

That should also set you thinking about your payload btw.
0
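The strcat() contract quoted above, applied to the asker's arrays, as an added example that is not part of the original thread: `char beg[4]="/bin"` stores no terminating null byte and leaves no room for the appended text. `join_checked` is a hypothetical helper written for this illustration, not a libc function, and the buffer sizes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Same bytes as the asker's `char beg[4]="/bin";`: four characters fill all
   four elements, so no terminating '\0' is stored. */
static const char beg4[4] = {'/', 'b', 'i', 'n'};

/* Returns 1 if the n-byte array holds a '\0', i.e. is a valid C string. */
int is_terminated(const char *arr, size_t n)
{
    return memchr(arr, '\0', n) != NULL;
}

/* Hypothetical helper (not a libc function): writes a followed by b into dst,
   which has room for dstsz bytes. Returns 0 on success, or -1 without writing
   when the result plus its terminator would not fit. */
int join_checked(char *dst, size_t dstsz, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);

    if (la >= dstsz || lb >= dstsz - la)
        return -1;
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);   /* +1 copies b's terminator */
    return 0;
}

int main(void)
{
    char beg[] = "/bin";           /* size deduced as 5: room for '\0' */
    char end[] = "/sh";
    char exact[8];                 /* 4 + 3 + 1 terminator */
    char small[7];                 /* one byte short */

    printf("beg4 terminated: %d\n", is_terminated(beg4, sizeof beg4));
    printf("beg  terminated: %d\n", is_terminated(beg, sizeof beg));
    printf("join into 8 bytes: %d\n", join_checked(exact, sizeof exact, beg, end));
    printf("join into 7 bytes: %d\n", join_checked(small, sizeof small, beg, end));
    printf("result: %s\n", exact);
    return 0;
}
```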
 
LVL 40

Expert Comment

by:noci
ID: 36965146
The problem here is quite basic knowledge about how C strings work, and how to copy stuff around.
It's clearly an assignment, as it is stated in the first sentence.
The answer has been given with a clear pointer, but not an exact answer, as to why his example will not work.

It's hard to just not tell the right answer but point in the right direction...
As given the exercise is not too difficult.

0
 
LVL 53

Expert Comment

by:Infinity08
ID: 36967508
Since the question was asking for guidance, and that's what was provided, I recommend closing the question by accepting these posts :

        http:#36553765 (noci) : short overview of what needs to be done
        http:#36554059 (Infinity08) : a nice reference with examples, and a clear explanation
        http:#36577785 (noci) : some corrections for the first attempt from the asker

With this, the asker should have been able to make it work. I can only guess he did, because he didn't get back to us.
0
 
LVL 7

Author Closing Comment

by:southpau1
ID: 37046602
I was mostly given links to web pages, which I can find myself.  Was really hoping to get some expert insight, not just a web page.
0
 
LVL 40

Expert Comment

by:noci
ID: 37046850
Not to offend, but...

This is homework, I cannot give you a solution directly (I don't do the homework for my kids either...)
You were given some pointers and whether that is a textbook reference [ rather hard to get sometimes ] or a pointer to a website [ more convenient ] it's a source for the knowledge you wish to acquire.

Then you did present your solution which fails on several grounds like [size] and [copy constraints]. You demonstrate that you are missing some basic understanding of how stuff works just below the visible world. This was hinted at using the strcat() manpage excerpt.

Sorry to be rather blunt.. But I really do hope you score better than B...

0
