...
Code Block |
---|
|
lazenca0x0@ubuntu:~/ASM$ gcc -o shellshellcode -fno-stack-protector -z execstack --no-pie -m32 testshellcode.c
test.c:5:15: warning: array 'code' assumed to have one element
unsigned char code[];
^
lazenca0x0@ubuntu:~/ASM$ ./shellshellcode
Shellcode len : 2
Segmentation fault (core dumped)
lazenca0x0@ubuntu:~/ASM$ |
...
Code Block |
---|
|
lazenca0x0@ubuntu:~/ASM$ gdb -q ./shellshellcode
Reading symbols from ./shellshellcode...(no debugging symbols found)...done.
gdb-peda$ disassemble main
Dump of assembler code for function main:
0x0804846b <+0>: lea ecx,[esp+0x4]
0x0804846f <+4>: and esp,0xfffffff0
0x08048472 <+7>: push DWORD PTR [ecx-0x4]
0x08048475 <+10>: push ebp
0x08048476 <+11>: mov ebp,esp
0x08048478 <+13>: push ecx
0x08048479 <+14>: sub esp,0x14
0x0804847c <+17>: sub esp,0xc
0x0804847f <+20>: push 0x804a040
0x08048484 <+25>: call 0x8048340 <strlen@plt>
0x08048489 <+30>: add esp,0x10
0x0804848c <+33>: mov DWORD PTR [ebp-0xc],eax
0x0804848f <+36>: sub esp,0x8
0x08048492 <+39>: push DWORD PTR [ebp-0xc]
0x08048495 <+42>: push 0x8048550
0x0804849a <+47>: call 0x8048320 <printf@plt>
0x0804849f <+52>: add esp,0x10
0x080484a2 <+55>: sub esp,0x8
0x080484a5 <+58>: push 0x804a040
0x080484aa <+63>: push 0x804a074
0x080484af <+68>: call 0x8048330 <strcpy@plt>
0x080484b4 <+73>: add esp,0x10
0x080484b7 <+76>: mov DWORD PTR [ebp-0x10],0x804a074
0x080484be <+83>: mov eax,DWORD PTR [ebp-0x10]
0x080484c1 <+86>: call eax
0x080484c3 <+88>: nop
0x080484c4 <+89>: mov ecx,DWORD PTR [ebp-0x4]
0x080484c7 <+92>: leave
0x080484c8 <+93>: lea esp,[ecx-0x4]
0x080484cb <+96>: ret
End of assembler dump.
gdb-peda$ b *0x080484af
Breakpoint 1 at 0x80484af
gdb-peda$ r
Starting program: /home/lazenca0x0/ASM/shell
Shellcode len : 2
Breakpoint 1, 0x080484af in main ()
gdb-peda$ x/64bx 0x804a074
0x804a074 <code>: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a07c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a084: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a08c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a094: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a09c: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a0a4: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
0x804a0ac: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
gdb-peda$
gdb-peda$ x/64bx 0x804a040
0x804a040 <shellcode>: 0xe8 0x0f 0x00 0x00 0x00 0x48 0x65 0x6c
0x804a048 <shellcode+8>: 0x6c 0x6f 0x2c 0x20 0x77 0x6f 0x72 0x6c
0x804a050 <shellcode+16>: 0x64 0x21 0x0a 0x0d 0x59 0xb8 0x04 0x00
0x804a058 <shellcode+24>: 0x00 0x00 0xbb 0x01 0x00 0x00 0x00 0xba
0x804a060 <shellcode+32>: 0x0f 0x00 0x00 0x00 0xcd 0x80 0xb8 0x01
0x804a068 <shellcode+40>: 0x00 0x00 0x00 0xbb 0x00 0x00 0x00 0x00
0x804a070 <shellcode+48>: 0xcd 0x80 0x00 0x00 0xe8 0x0f 0x00 0x00
0x804a078: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
gdb-peda$ |
...
Code Block |
---|
language | cpp |
---|
title | testshellcode2.c |
---|
|
#include<stdio.h>
#include<string.h>
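/*
 * Test payload from the page: 32-bit x86 bytes that call
 * write(1, "Hello, world!\n\r", 15) and then exit(0) through int 0x80.
 * The sequence contains no 0x00 byte, so strlen()/strcpy() see all
 * 43 bytes instead of stopping early at an embedded NUL.
 */
unsigned char shellcode[] = "\xeb\x15\x59\x31\xc0\xb0\x04\x31\xdb\xb3\x01\x31\xd2\xb2\x0f\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe6\xff\xff\xffHello, world!\n\r";

/*
 * Destination buffer the harness copies the payload into before calling it.
 * It is sized from the payload (including the terminating NUL). Declared as
 * `code[] = ""` it would be a one-byte array, and copying the payload would
 * write 43 bytes past its end into whatever the linker placed next
 * (undefined behaviour that only appears to work by accident).
 */
unsigned char code[sizeof shellcode] = "";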
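/*
 * Harness: report the payload length as seen by strlen(), copy the payload
 * into `code` with strcpy(), then call the copy as a function.
 *
 * Both strlen() and strcpy() stop at the first 0x00 byte, so a payload with
 * an embedded NUL is reported short and only partially copied.
 * `code` must provide at least strlen(shellcode) + 1 bytes.
 *
 * Returns 0 if the called bytes return; the payload on this page exits the
 * process itself.
 */
int main(void)
{
    /* The str* functions take char pointers; cast explicitly rather than
     * relying on an implicit unsigned char* conversion. */
    int len = (int)strlen((const char *)shellcode);

    printf("Shellcode len : %d\n", len);
    strcpy((char *)code, (const char *)shellcode);

    /*
     * Jumping into a data buffer only works when the pages holding `code`
     * are executable; the page's build passes -z execstack for that.
     * NOTE(review): where data stays non-executable this call faults.
     */
    void (*entry)(void) = (void (*)(void))code;
    entry();

    return 0;
}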
...
Code Block |
---|
|
lazenca0x0@ubuntu:~/ASM$ gcc -o shellshellcode2 -fno-stack-protector -z execstack --no-pie -m32 testshellcode2.c
lazenca0x0@ubuntu:~/ASM$ ./shellshellcode2
Shellcode len : 43
Hello, world!
lazenca0x0@ubuntu:~/ASM$ |
...