Questions tagged [shellcode]
A `shellcode` or `eggshell` is a small program represented as a string of instructions in their hexadecimal encoding.
80 questions
0 votes · 1 answer · 287 views
Code injection into a system process (lsass.exe)
I allocated an RWX (PAGE_EXECUTE_READWRITE) memory region inside LSASS.exe (I tried an RX codecave), then wrote my shellcode there.
After that, I tried to execute my shellcode via NtQueueApcThread → ...
1 vote · 0 answers · 134 views
Wargames RET2 Systems Shellcoding - Trouble using `jmp` instruction to connect parts of shellcode
I am doing the RET2 Systems Binary Exploitation course Wargames (https://wargames.ret2.systems/) and am working on the shellcoding chapter. I am learning about how to use jmp assembly instructions to ...
1 vote · 1 answer · 389 views
Why doesn't this x64 shellcode work? (segmentation fault)
I found a simple shellcode on the internet.
Then, to test this shellcode, I made a simple ret-overwrite program.
test.c
#include <stdio.h>
#include <string.h>
char buf[100];
int main(void)...
2 votes · 0 answers · 245 views
Overwriting the Global Offset Table + format string vulnerability
I am trying to understand how to overwrite the Global Offset Table, from the book "Hacking: The Art of Exploitation". Following the example, I get:
objdump -R ./fmt ...
2 votes · 0 answers · 108 views
The execution is not at AddressOfEntryPoint after patching .text section bytes
I have a shellcode and want to inject my shellcode into a PE file (a simple compiled C program that prints Hello World on the screen). My shellcode size is 0x2a1 and the .text section of my PE file ...
2 votes · 1 answer · 73 views
Can ESP point to a global variable
These 3 lines of code are used by some encoders to get EIP into the ECX register:
fldz
fnstenv [esp-C]
pop ecx
The first 2 instructions push some data on the stack and we get one of these into ECX on the last ...
2 votes · 0 answers · 389 views
neovim: pwntools process automatically stops when trying to invoke interactive shell
I'm using Python pwntools.
I'm using Python 3.10.x
This line of code should open a shell for me:
io.interactive()
But while running this file from vim using
!./% it doesn't open the shell doesn't ...
3 votes · 0 answers · 172 views
How to leak buffer address on the stack?
I am new to buffer overflows and I was trying to overwrite the saved RIP to point to a buffer containing a shellcode. The buffer is located on the stack so its address is randomized. How can I leak ...
2 votes · 0 answers · 107 views
Invalid address when overwriting saved rip with buffer's address
I have an executable vulnerable to buffer overflows. The program takes a buffer of 104 chars and prints it (unfortunately, there is no format string vulnerability) until we feed it with a 0 or a \n, ...
3 votes · 1 answer · 123 views
x64 buffer overflow - tcp shell payload
ASLR: off
Canary: on
I have a binary that, when run, spawns a zombie process on port 9191. I've been using Ghidra and gdb to reverse engineer this and have found the buffer, canary, found the pop rdi ...
1 vote · 1 answer · 947 views
Reverse Engineering Go obfuscated binaries
I have been trying to understand the working of this Go malware by reversing it, which can be found here, so basically this stuff takes a shellcode as an input, and converts it to an exe or dll file, ...
2 votes · 1 answer · 189 views
Am I missing symbols when RE'ing shellcode?
I have a question about reversing a tutorial which shows how to reverse engineer shellcode. My question is simple:
In figure 4, we see at (7) TEX.ProcessEnvironmentBlock: is this a comment, or was ...
2 votes · 2 answers · 1k views
ShellCode not running as expected - showing segmentation fault core dump
I have already run this command. But my shellcode is not working for me:
gcc -fno-stack-protector -z execstack test.c -o test
./test
Segmentation fault (core dumped)
Here is my shellcode
#include <...
3 votes · 2 answers · 1k views
How to load shellcode into Ghidra
I'm trying to learn more about reverse engineering, and I've found some shellcode embedded in a C program:
unsigned char shellcode[] =
"\x48\x83\xEC\x28\x48\x83\xE4\xF0\x48\x8D\x15\x66\...
1 vote · 0 answers · 81 views
Send file or non-printable character in Immunity Debugger arguments
I am a beginner in Reverse Engineering.
I am on Windows and using Immunity Debugger.
I would like to send my payload on the .exe file.
The payload contains non-printable characters.
How can I launch ...
1 vote · 0 answers · 200 views
Trying to call the Exit Shellcode in a c program
#include<stdio.h>
#include<stdint.h>
char shellcode[] = "\xb8\x3c\x00\x00\x00"
"\xbf\x14\x00\x00\x00"
"\x0f\x05";
int ...
0 votes · 1 answer · 98 views
Program goes to suspend when buffer overflow occurs
Full disclosure: I am seeking help to complete a college assignment. I am seeking help on steps where I am stuck and unable to move forward, not a ready-made answer.
I need to exploit it to get a ...
6 votes · 1 answer · 621 views
WinDBG Hung on Shellcode Execution
I've been trying to debug a piece of simple shellcode with Windbg. To go over the steps I took, I allocated a buffer for the shellcode with .foreach /pS 5 ( register { .dvalloc 400 } ) { r @$t0 = ...
1 vote · 1 answer · 666 views
Injecting code into an ELF binary, got Segmentation fault (SIGSEGV)
I am currently working on an ELF-injector and my approach is standard: find code cave (long enough sequence of 0's), rewrite it with the instructions I want to execute and then jump back to the start ...
1 vote · 1 answer · 2k views
Statically Reverse Engineering Shellcode - IDA to Ghidra
I'm trying to follow along with this tutorial which is using IDA in its example. https://0ffset.net/reverse-engineering/malware-analysis/common-shellcode-techniques/
Hash: ...
1 vote · 2 answers · 287 views
How to extract port number from shellcode
I saw this shellcode and when they use the connect function they pass the port number 4444:
set_address:
push byte 0x05 ; retry counter
push 0x0100007F ; host 127.0.0.1
push ...
1 vote · 1 answer · 910 views
How can I get my shellcode to work outside of GDB?
I'm working inside a Warzone VM with no ASLR or NX bit. The program I'm trying to exploit is really simple:
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
/*
* compiled ...
1 vote · 0 answers · 139 views
PE Explorer vs. Debugger differences
I injected shellcode into an executable. The entry point is set to the first shellcode instruction.
Shellcode: nop nop label: nop nop jmp label nop nop
which translates to: \x90\x90\x90\x90\xeb\xfc\x90\x90
...
0 votes · 1 answer · 89 views
NULL character (same code) different locations
I'd like to know why NASM generates different opcodes for the same code, when it's at the beginning or end of the program?
This question is important because I found NULL characters when I compile the ...
2 votes · 0 answers · 448 views
Shellcode execution segfault
I have been trying to exploit a simple buffer overflow caused by scanf. I'm working on x86 Linux. The point is to spawn a shell. I successfully overwrote the return address and jumped into my shellcode. But ...
1 vote · 1 answer · 245 views
Shellcode not working correctly
I wrote a small program in assembly which is supposed to print "AAAA". It works fine when I run it directly, but when I run it as a shellcode in a C program, it doesn't work. Please help.
Here is the ...
1 vote · 1 answer · 274 views
ELF file crashing after executing shellcode
So after changing the entry point via the e_entry field I managed to execute my shellcode before returning control to the original entry point. Here's how I did it:
// write string and jump to OEP, ...
3 votes · 1 answer · 438 views
Why can I inherit handles from WSASocketA and not from socket?
I'm trying to write some custom shellcode to obtain a shell from a program.
Looking at the program intermodular calls, I found a call to socket(), and my initial plan was to use that to create a new ...
1 vote · 1 answer · 3k views
How to pass param to execve to execute cat a file in x64 Asm? [closed]
I want execve("/bin/cat",["/bin/cat","/test/file"],NULL).
Here is my asm
xor %rdx, %rdx
push %rdx
sub $0x16, %rsp
movb $0x2f, 7(%rsp)
movl $0x2f6e6962, 8(%rsp)
movl $0x746163, 12(%rsp)
leaq 7(%rsp)...
2 votes · 0 answers · 210 views
Determine what architecture a piece of shellcode targets
After some personal research I didn't find any possible way or a paper to explain how to determine what architecture a given piece of shellcode may target. The only obvious way I found would be to ...
3 votes · 2 answers · 2k views
x86 shellcode leads to segmentation fault
I want to execute execve("/bin/dash", &"/bin/dash", NULL) on Ubuntu 64 bit with the following 32 bit shellcode:
global _start
_start:
xor eax, eax ; set eax = 0 to push a null without using ...
3 votes · 4 answers · 2k views
segmentation fault at `mov byte [esi+7], al`
Section .text
global _start
_start:
jmp short GoToCall
shellcode:
pop esi
xor eax, eax
mov byte [esi+7], al
lea ...
0 votes · 2 answers · 704 views
exit() syscall within shellcode not working
int main()
{
    /* x86 Linux exit(0): mov ebx,0 ; mov eax,1 ; int 0x80 */
    char shellcode[] = "\xbb\x00\x00\x00\x00\xb8\x01\x00\x00\x00\xcd\x80";
    int *ret;
    /* classic test harness: overwrite main's saved return address with the buffer address */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
}
I tried to run the above shellcode ...
2 votes · 1 answer · 4k views
x86-64 CALL opcode + disassembly
Working on a basic buffer overflow on a 64-bit system and putting together some basic shellcode. The main program does a call to puts@plt. When I disassemble main in gdb, the opcodes show as:
e8 6b fe ff ...
6 votes · 1 answer · 532 views
Returning to usermode shellcode from windows kernel (Win10)
I have written a kernel exploit (for the latest Win10 64-bit) that executes (or returns to from the kernel) token-stealing shellcode, which is placed in VirtualAlloc'ed memory in userland.
The ...
1 vote · 1 answer · 2k views
alphanumeric shellcode
I have generated an alphanumeric shellcode with this command:
msfvenom -a x86 --platform linux -p linux/x86/exec CMD=/bin/sh -e x86/alpha_mixed BufferRegister=ECX -f python
I am targeting a 32-bit ...
-2 votes · 1 answer · 466 views
Can anyone please explain the following disassembly code?
Disassembly:
0: 31 c9 xor ecx,ecx
2: f7 e1 mul ecx
4: 51 push ecx
5: 68 2f 2f 73 68 push 0x68732f2f
a: 68 2f 62 69 ...
2 votes · 2 answers · 1k views
mprotect syscall not working
I want to modify the protection of the .text segment to RWX using a shellcode. In the shellcode, I can issue the syscall for mprotect however it's not working.
Per the sys_mprotect definition, it ...
0 votes · 1 answer · 597 views
Linux Assembly Syscall
I'm learning how to write shellcode by using the Linux system call "execve" to spawn a shell with root access privileges.
Here I found a shellcode online:
http://shell-storm.org/shellcode/files/shellcode-...
3 votes · 2 answers · 1k views
How to execute a specific shellcode with a non executable stack without using format string? (without ASLR and stack cookie)
First off, we don't have ASLR or a stack cookie, and assume we can't create our own files on this system.
So I'm trying to execute a shellcode in this code; this is what I have done so far:
I have ...
4 votes · 1 answer · 1k views
Heap Chunk Structure Does Not Contain Previous Section Info
I'm reading Shellcoder's Handbook to learn more about exploitation and overflows. I reached the chapter on Heap Overflows. The book mentions that a heap is split into chunks where each chunk contains ...
1 vote · 0 answers · 425 views
random address in call instruction
I am trying to use write system call shellcode in assembly but when I run it I am getting a segmentation fault. I did debug it and it's because of the call instruction which is having a random address ...
3 votes · 1 answer · 950 views
Why do we need to know the address of shellcode?
I have read many articles regarding the buffer overflow exploit. Everywhere it's written as follows.
"It's difficult to know the starting address of the shellcode"
Why do we need to know the address ...
7 votes · 1 answer · 1k views
Shellcode challenge - shellcode works in test program, segfaults in actual binary
Currently working through an introductory shellcoding challenge, and having trouble getting the shellcode to work consistently.
I'm working on a 32-bit Linux binary. I found this shellcode:
http://...
2 votes · 1 answer · 582 views
Meaning of code used to find kernel32.dll in shellcode
I'm attempting to reverse some shellcode created by Metasploit to increase my understanding of shellcode. I understand the overall point of the code is attempting to locate kernel32.dll in the list of ...
1 vote · 1 answer · 456 views
How to find a function hash when manually resolving in shellcode?
I'm disassembling a shellcode and I found that it resolves the address of some function manually, using a hash to find the function in kernel32.dll.
example:
call findKernel32Base
....
push 0EC0E4E8Eh
call ...
2 votes · 1 answer · 714 views
Debugging Binary using Far Ret to switch Code Segment
It appears that GDB is unable to handle binaries which switch code segments.
Using pwntools*, it's trivial to generate a 32-bit intel binary which uses retf to switch to the 64-bit code segment. ...
0 votes · 1 answer · 303 views
2 Stage Shellcode Embedded in Doc file [Out Of Memory - Can't extract it]
So, here is the context: It all starts with an RTF file that has 3 objects. The first one loads a non-ASLR module "MSCOMCTL.OCX" and uses it to succeed with a Heap Spray technique so it allocates enough ...
2 votes · 1 answer · 2k views
How to find memory objects using Immunity Debugger
I am trying to exploit a program where I have to reuse a socket.
recv looks like this:
int recv(
    _In_  SOCKET s,   // socket ID
    _Out_ char   *buf,
    _In_  int    len,
    _In_  int    flags
);
I want to ...
1 vote · 2 answers · 3k views
Basic shellcode doesn't work when read from stdin
I am working on a basic shellcode that will spawn a shell after getting called in a 32-bit program.
Here is the shellcode I'm using:
xor %eax,%eax
push %eax
push $0x68732f2f
push $...