Solved

Linux Shell Code

Posted on 2011-09-16
Last Modified: 2012-05-12
Hi Experts - I have a homework problem that I have no idea how to even begin, any guidance would be appreciated.  Take a look:

Question:
You are required to come up with a binary file containing some Linux shellcode such that the
following program will spawn a /bin/sh shell upon reading the binary file in the Linux lab virtual
machine. Note, the program has some primitive defense against “code injection” which searches
substring “/bin/sh” from the first line of the input binary file. For a full score, you need to find a
shellcode that does not contain substring “/bin/sh” but spawns “/bin/sh” shell (hint: you can use
registers to hold the string “/bin/sh”, and push them into the stack; or find some way to disguise your
“/bin/sh” string; Be creative to defeat the primitive content signature matching!)

Program is attached
/* testsh.c

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define bufsz 100

const char msg[]="Usage: %s <shellcode file>\n";

static char buffer1[bufsz];
static char buffer2[bufsz];

void usage(char *self)
{ printf(msg, self);
  exit(1);
}

int main(int argc, char *argv[])
{ FILE *fp;
  void (*funcptr)();

  if (argc != 2) usage(argv[0]);

  if ((fp=fopen(argv[1], "rb"))==NULL)
  { printf("fail to open file: %s\n", argv[1]);
    exit(1);
  };

  fgets(buffer1, bufsz, fp);
  fclose(fp);

  strcpy(buffer2, buffer1); /* your shellcode should not contain \0x00 */

  if (strlen(buffer2)>=40) /* your shellcode should be less than 40 bytes */
    printf("your shellcode is too long! 5 points penalty \n");

  if (strlen(buffer2)<30) /* the shorter, the better the shell code is */
    printf("your shellcode is less than 30 bytes! 10 bonus points\n");

  if (strstr(buffer2, "/bin/sh"))
    printf("Malicious code detected! 15 points penalty \n");

  funcptr = (void *) buffer2;
  (*funcptr)();  /* execute your shell code */

  return 0 ;
}

Question by:southpau1
13 Comments
 
LVL 39

Expert Comment

by:noci
So start investigating....
http://www.lmgtfy.com/?q=shellcode
0
 
LVL 7

Author Comment

by:southpau1
Thanks, I am researching as well.  That's why I didn't just come out and ask for a solution.  Figured I would attack this problem from all fronts.
0
 
LVL 39

Expert Comment

by:noci
Ok, but the answer isn't too difficult; anything else might be considered against the rules of EE.
0
 
LVL 7

Author Comment

by:southpau1
Do you know of a specific reference that can help me?  I've read a couple of papers at the top of the search results in Google and none are really beginner shellcode.
0
 
LVL 39

Accepted Solution

by:
noci earned 333 total points
Well shell code 101:

Make a short assembly program, it must fit the constraints of the program you try to invade.
The rest is a matter of trying to fit the constraints.
The more complex story can be found using the links....

Start trying...
0
 
LVL 53

Assisted Solution

by:Infinity08
Infinity08 earned 167 total points
The article "Smashing the stack for fun and profit" is imo the best reference on exploiting stack overflows :

        http://www.phrack.org/issues.html?issue=49&id=14#article

It also contains a nice introduction to writing shell code.
0
 
LVL 7

Author Comment

by:southpau1
Ok guys, I have put together some C code that is close to working (I think).  It executes by itself, but the string does not concatenate correctly.  I'm not a C pro, can you help?
#include <string.h>
#include <stdlib.h> 

main(){
	char beg[4]="/bin";
	char end[3]="/sh";
	system(strcat(beg,end));	
	
}


0
 
LVL 39

Assisted Solution

by:noci
noci earned 333 total points
From 'man strcat'


The  strcat()  function appends the src string to the dest string, overwriting the null byte ('\0') at the end
of dest, and then adds a terminating null byte.  The strings may not overlap, and the dest  string  must  have
enough space for the result.

That should also set you thinking about your payload btw.
0
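What the man page excerpt above means for the posted `beg[4]`/`end[3]` arrays, as an added example that is not part of the original thread: the 4-byte array has no room for the terminating null byte, and a destination needs `strlen(a) + strlen(b) + 1` bytes. The names `beg_as_posted`, `is_terminated` and `concat_checked` are hypothetical helpers introduced here.

```c
#include <stdio.h>
#include <string.h>

/* Byte-for-byte what `char beg[4]="/bin";` creates: four characters and
   no room for the terminating '\0', so it is not a valid C string. */
static const char beg_as_posted[4] = { '/', 'b', 'i', 'n' };

/* Hypothetical helper: 1 if the n-byte array holds a terminating null. */
int is_terminated(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* Hypothetical helper: bounds-checked replacement for strcat(beg, end).
   Writes a followed by b into dst only when both fit together with the
   terminating null. Returns the new length, or -1 if dst is too small
   (dst is then left as an empty string). */
int concat_checked(char *dst, size_t dstsz, const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);

    if (dstsz == 0)
        return -1;
    if (la + lb + 1 > dstsz) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, a, la);
    memcpy(dst + la, b, lb + 1);   /* +1 copies b's terminating null */
    return (int)(la + lb);
}

int main(void)
{
    char too_small[4];   /* same size as the posted beg[] */
    char fits[8];        /* strlen("/bin") + strlen("/sh") + 1 */

    printf("posted beg[] terminated: %d\n",
           is_terminated(beg_as_posted, sizeof beg_as_posted));
    printf("4-byte destination: %d\n",
           concat_checked(too_small, sizeof too_small, "/bin", "/sh"));
    printf("8-byte destination: %d (%s)\n",
           concat_checked(fits, sizeof fits, "/bin", "/sh"), fits);
    return 0;
}
```

With the posted sizes, `strcat()` would have to read past the end of `beg` to find a null byte and then write past it, which is undefined behaviour.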
 
LVL 39

Expert Comment

by:noci
The problem: this is quite basic knowledge about how C strings work, and how to copy stuff around.
It's clearly an assignment, as it is stated in the first sentence.
The answer has been given with a clear pointer, but not an exact answer, why his example will not work.

It's hard to just not tell the right answer but point in the right direction...
As given, the exercise is not too difficult.

0
 
LVL 53

Expert Comment

by:Infinity08
Since the question was asking for guidance, and that's what was provided, I recommend closing the question by accepting these posts :

        http:#36553765 (noci) : short overview of what needs to be done
        http:#36554059 (Infinity08) : a nice reference with examples, and a clear explanation
        http:#36577785 (noci) : some corrections for the first attempt from the asker

With this, the asker should have been able to make it work. I can only guess he did, because he didn't get back to us.
0
 
LVL 7

Author Closing Comment

by:southpau1
I was mostly given links to web pages, which I can find myself.  Was really hoping to get some expert insight, not just a web page.
0
 
LVL 39

Expert Comment

by:noci
not to offend, but...

This is homework, I cannot give you a solution directly (I don't do the homework for my kids either...)
You were given some pointers and whether that is a textbook reference [ rather hard to get sometimes ] or a pointer to a website [ more convenient ] it's a source for the knowledge you wish to acquire.

Then you did present your solution which fails on several grounds like [size] and [copy constraints]. You demonstrate to miss some basic understanding how stuff works just below the visible world. This was hinted using the strcat() manpage excerpt.

Sorry to be rather blunt... But I really do hope you score better than B...

0
