SSDT & SSDT shadow restore
Enter the password to view the content.
While analyzing an APK I needed to root my phone, so I googled it
and found a rooting post on optimusforums.com.
http://optimusforums.com/threads/how-too-root-optimus-g-pro-f240-download.7652/
When I opened the root.bat file,
adb shell touch /sdcard/g_security
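this one line was all there was.
Since it doesn't execute some unidentified file, I gave it a try, and the phone was rooted right away -_-b
No idea when an update will block it, but it's pretty awesome.
The readme.txt file says this, lol: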
if you are a lg official developer,please don't fix the bug.if you do that,i promise,next time,only few customers will buy yours phones.thanks.
LG Optimus G Pro Root (optimusforums.com).rar
SSDT & SSDT shadow restore (0) | 2014.02.12 |
---|---|
Linux Oracle GUI client (0) | 2013.05.15 |
When libboost1.48-all-dev won't install on Ubuntu 12.10 (3) | 2013.02.14 |
how to set debug environment for android (0) | 2012.09.14 |
oracle sql injection with rownum (0) | 2011.09.01 |
Shellcode site (0) | 2009.09.29 |
hey JJAAPPPHH ~ (4) | 2009.08.17 |
hey JaPH (1) | 2009.08.12 |
6th KISA Hacking Defense Contest, problem 6 (0) | 2009.07.09 |
ABI (Application Binary Interface) (0) | 2009.03.17 |
I often end up needing to connect to an Oracle database during pentests..
I looked for a usable GUI client on BackTrack and found something called RazorSQL.
http://www.razorsql.com/download_linux.html
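It supports other OSes too, the interface is clean, and since it is Java-based you can use it without installing anything, so I recommend it.
It's a paid tool with a 30-day usage period, so handle that as you see fit..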
Adding the following repository to /etc/apt/sources does the trick.
deb http://ubuntu.mirror.cambrium.nl/ubuntu/ precise main universe
It wouldn't install and I was stuck on it for ages. So annoying.
As the title says, sites about shellcode.
Shell-storm.org : http://www.shell-storm.org/
Shellcode.org : http://shellcode.org/ -> gone
Metasploit.com : http://www.metasploit.com/
Projectshellcode : http://www.projectshellcode.com/
Oops, sorry for being late.
0x080483b4 <main+0>:   push %ebp
0x080483b5 <main+1>:   mov %esp,%ebp
0x080483b7 <main+3>:   sub $0xa8,%esp                # stack extended by 168 bytes
0x080483bd <main+9>:   and $0xfffffff0,%esp
0x080483c0 <main+12>:  mov $0x0,%eax
0x080483c5 <main+17>:  sub %eax,%esp
0x080483c7 <main+19>:  cmpl $0x1,0x8(%ebp)           # argc is at ebp+8
0x080483cb <main+23>:  jg 0x80483d9 <main+37>        # if (argc <= 1)
0x080483cd <main+25>:  movl $0x1,0xffffff74(%ebp)    #     return 1;
0x080483d7 <main+35>:  jmp 0x8048413 <main+95>
0x080483d9 <main+37>:  mov 0xc(%ebp),%eax            # argv is at ebp+12
0x080483dc <main+40>:  add $0x4,%eax                 # argv + 4 bytes is the address of argv[1]
0x080483df <main+43>:  mov (%eax),%eax               # eax = argv[1]
0x080483e1 <main+45>:  mov %eax,0x4(%esp)
0x080483e5 <main+49>:  lea 0xffffff78(%ebp),%eax     # eax = ebp-136
0x080483eb <main+55>:  mov %eax,(%esp)
0x080483ee <main+58>:  call 0x80482d4 <strcpy@plt>   # so this calls strcpy(ebp-136, argv[1])
0x080483f3 <main+63>:  lea 0xffffff78(%ebp),%eax
0x080483f9 <main+69>:  mov %eax,0x4(%esp)
0x080483fd <main+73>:  movl $0x8048524,(%esp)
0x08048404 <main+80>:  call 0x80482b4 <printf@plt>   # printf("%s", ebp-136)
0x08048409 <main+85>:  movl $0x0,0xffffff74(%ebp)
0x08048413 <main+95>:  mov 0xffffff74(%ebp),%eax     # return 0;
0x08048419 <main+101>: leave
0x0804841a <main+102>: ret
Have you checked the stack in gdb? I can't see [?3] in the disassembled code.
The stack looks like this IMAO.
----------
argv              ebp + 0C
----------
argc              ebp + 8
----------
return address    ebp + 4
----------
ebp
----------
dummy 8 bytes
----------
buf 128 bytes
----------
The stack was extended by 168 bytes, but it only uses 140 bytes.
(Dunno why it was extended by 168 bytes. I think it's up to the version of the compiler, or something else. :$)
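The frame above, as an added example that is not part of the original post: a C reconstruction of what the disassembly does (an assumption about the original source), with the unchecked `strcpy` beside a length-checked copy. The names `copy_unchecked`, `copy_checked` and `furthest_region` are hypothetical, and the region sizes are taken from the stack layout drawn above.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 128   /* "buf 128 bytes" in the layout above */
#define PAD_SIZE 8     /* "dummy 8 bytes" between buf and saved ebp */

enum region { IN_BUF, IN_PADDING, IN_SAVED_EBP, IN_RETURN_ADDRESS };

/* What main+37..main+58 does: strcpy() stops only at the NUL in src. */
void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: reject anything that does not fit together with its NUL. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (len >= dst_size)
        return -1;
    memcpy(dst, src, len + 1);
    return 0;
}

/* Highest frame region an unchecked copy of `len` bytes plus NUL would write
 * to, counting from buf at ebp-136 as drawn in the layout above. */
enum region furthest_region(size_t len)
{
    if (len < BUF_SIZE)                return IN_BUF;
    if (len < BUF_SIZE + PAD_SIZE)     return IN_PADDING;
    if (len < BUF_SIZE + PAD_SIZE + 4) return IN_SAVED_EBP;
    return IN_RETURN_ADDRESS;
}

int main(int argc, char *argv[])
{
    char buf[BUF_SIZE];

    if (argc < 2)
        return 1;
    if (copy_checked(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument does not fit in %d bytes\n", BUF_SIZE);
        return 1;
    }
    printf("%s", buf);
    return 0;
}
```
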
My English is quite bad. :( I hope you understand me.
You can change the execution flow by overwriting some function's return address so that it points to your own code.
So a basic BoF needs 2 points: the return address and the shellcode's address.
1. Check the program's stack layout. Usually EBP + 4 is the return address.
esp is the edge of the stack. (e.g. in GDB, by typing "x/16x $esp", you can see the stack.)
2. I made it.
3. Actually, the first line is shellcode.
"\x8d\x4c\x24\x04\x83\xe4\xf0\xff\x71\xfc\x55\x..."
Let's look below that line.
void main()
{
    int *ret; // declare the variable
    ret = (int *)&ret + 2;
    // &ret is ret's address, cast to an int pointer,
    // so "+2" ---> "+ 2 x sizeof(int)" ---> "+ 2 x 4 bytes" = "+8 bytes".
    // Think of it as the stack:
    //
    // high address
    // --------------
    // return address    +8
    // --------------
    // ebp               +4
    // --------------
    // ret               <- ret is here
    // --------------
    // low address
    //
    // Got it? It overwrites the main function's return address.
    *ret = (int)shell;
    // The return address is what ret points to, so the shellcode will be executed.
}
This source is just for testing whether the shellcode works or not.