Shellcode Without null bytes
I am trying to convert an assembly program into null-free shellcode.
However, I am unsure how to go about this for certain instructions. Some of them are far more complex than the examples I found on the web.
I used a C program from the web as an example, then converted it to .s using `gcc -Wall -O -fverbose-asm -S example.c`, `gcc -c example.s -o example.o`, `gcc example.o -o example` and `objdump -d example`:
.file "test.c"
# GNU C (Debian 4.9.2-10) version 4.9.2 (x86_64-linux-gnu)
# compiled by GNU C version 4.9.2, GMP version 6.0.0, MPFR version 3.1.2-p3, MPC version 1.0.2
# GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
# options passed: -imultiarch x86_64-linux-gnu test.c -mtune=generic
# -march=x86-64 -O -Wall -fverbose-asm
# options enabled: -faggressive-loop-optimizations
# -fasynchronous-unwind-tables -fauto-inc-dec -fbranch-count-reg
# -fcombine-stack-adjustments -fcommon -fcompare-elim -fcprop-registers
# -fdefer-pop -fdelete-null-pointer-checks -fdwarf2-cfi-asm
# -fearly-inlining -feliminate-unused-debug-types -fforward-propagate
# -ffunction-cse -fgcse-lm -fgnu-runtime -fgnu-unique
# -fguess-branch-probability -fident -fif-conversion -fif-conversion2
# -finline -finline-atomics -finline-functions-called-once -fipa-profile
# -fipa-pure-const -fipa-reference -fira-hoist-pressure
# -fira-share-save-slots -fira-share-spill-slots -fivopts
# -fkeep-static-consts -fleading-underscore -fmath-errno -fmerge-constants
# -fmerge-debug-strings -fmove-loop-invariants -fomit-frame-pointer
# -fpeephole -fprefetch-loop-arrays -freg-struct-return
# -fsched-critical-path-heuristic -fsched-dep-count-heuristic
# -fsched-group-heuristic -fsched-interblock -fsched-last-insn-heuristic
# -fsched-rank-heuristic -fsched-spec -fsched-spec-insn-heuristic
# -fsched-stalled-insns-dep -fshow-column -fshrink-wrap -fsigned-zeros
# -fsplit-ivs-in-unroller -fsplit-wide-types -fstrict-volatile-bitfields
# -fsync-libcalls -ftoplevel-reorder -ftrapping-math -ftree-bit-ccp
# -ftree-ccp -ftree-ch -ftree-coalesce-vars -ftree-copy-prop
# -ftree-copyrename -ftree-cselim -ftree-dce -ftree-dominator-opts
# -ftree-dse -ftree-forwprop -ftree-fre -ftree-loop-if-convert
# -ftree-loop-im -ftree-loop-ivcanon -ftree-loop-optimize
# -ftree-parallelize-loops= -ftree-phiprop -ftree-pta -ftree-reassoc
# -ftree-scev-cprop -ftree-sink -ftree-slsr -ftree-sra -ftree-ter
# -funit-at-a-time -funwind-tables -fverbose-asm -fzero-initialized-in-bss
# -m128bit-long-double -m64 -m80387 -malign-stringops
# -mavx256-split-unaligned-load -mavx256-split-unaligned-store
# -mfancy-math-387 -mfp-ret-in-387 -mfxsr -mglibc -mieee-fp
# -mlong-double-80 -mmmx -mno-sse4 -mpush-args -mred-zone -msse -msse2
# -mtls-direct-seg-refs
# Read-only string constants referenced by main (below). The GNU assembler
# ".string" directive appends a NUL terminator to each literal.
# NOTE(review): the trailing "n" / "nrn" on several literals look like
# "\n" / "\n\r\n" escapes whose backslashes were lost when the listing was
# pasted — TODO confirm against test.c. The literals are kept as given.
.section .rodata.str1.1,"aMS",@progbits,1
.LC0:
.string "Could not create socket"      # printf() message when socket() returns -1
.LC1:
.string "127.0.0.1"                    # dotted-quad address handed to inet_addr()
.LC2:
.string "connect error"                # puts() message when connect() fails
.LC3:
.string "Connectedn"                   # puts() message after a successful connect()
.section .rodata.str1.8,"aMS",@progbits,1
.align 8
.LC4:
.string "Hola Redon , I really appreaciate your helpnrn"   # payload for send(); main passes length 46
.section .rodata.str1.1
.LC5:
.string "Send failed"                  # puts() message when send() returns < 0
.LC6:
.string "Data Sendn"                   # puts() message after a successful send()
.LC7:
.string "recv failed"                  # puts() message when recv() returns < 0
.LC8:
.string "Reply receivedn"              # puts() message printed before the reply buffer
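.text
.globl main
.type main, @function
#-----------------------------------------------------------------------
# int main(void)
# ABI:     SysV AMD64 (x86-64 Linux), calls libc via PLT
# Purpose: minimal TCP client — socket(), connect() to 127.0.0.1,
#          send() a fixed message, recv() a reply into a stack buffer,
#          print the reply with puts().
# Returns: eax = 0 on success; 1 if socket(), connect() or send() fails.
# Regs:    ebx = socket descriptor (callee-saved, survives every call);
#          everything else is scratch between calls.
# Frame:   push rbx + 2016 bytes of locals
#            0(%rsp)    .. 1999(%rsp)  receive buffer (2000 bytes)
#            2000(%rsp) .. 2015(%rsp)  struct sockaddr_in server (16 bytes)
#          Entry rsp%16 == 8; push rbx -> 0; 2016 == 126*16, so rsp stays
#          16-byte aligned at every call.
# Changes vs. the compiler output this was derived from:
#   * a failed socket() no longer falls through into connect()/send()/
#     recv() with descriptor -1; main returns 1 instead.
#   * recv() is limited to 1999 bytes and the reply is NUL-terminated
#     before puts() reads it, so puts() cannot run past the received
#     data into uninitialised stack memory (the rest of the buffer and
#     the sockaddr that follows it).
# Note:    the "movl $.LCn, %edi" loads use 32-bit absolute addresses
#          (R_X86_64_32) and therefore only link as a non-PIE executable;
#          "leaq .LCn(%rip), %rdi" would be the PIE-compatible form.
#-----------------------------------------------------------------------
main:
.LFB29:
.cfi_startproc
pushq %rbx
.cfi_def_cfa_offset 16
.cfi_offset 3, -16
subq $2016, %rsp
.cfi_def_cfa_offset 2032
movl $0, %edx                    # protocol = 0
movl $1, %esi                    # type = SOCK_STREAM
movl $2, %edi                    # domain = AF_INET
call socket
movl %eax, %ebx                  # ebx = socket_desc
cmpl $-1, %eax
jne .L2
movl $.LC0, %edi                 # "Could not create socket"
movl $0, %eax                    # al = 0: no vector registers used by this variadic call
call printf
movl $1, %eax                    # fix: return 1 instead of continuing with fd -1
jmp .L4
.L2:
movl $.LC1, %edi                 # "127.0.0.1"
call inet_addr
movl %eax, 2004(%rsp)            # server.sin_addr.s_addr (inet_addr returns network byte order)
movw $2, 2000(%rsp)              # server.sin_family = AF_INET
movw $14093, 2002(%rsp)          # server.sin_port; 14093 == 0x370d, bytes 0d 37 in memory,
                                 # i.e. port 0x0d37 = 3383 in network byte order
movl $16, %edx                   # sizeof(struct sockaddr_in)
leaq 2000(%rsp), %rsi            # &server
movl %ebx, %edi                  # socket_desc
call connect
testl %eax, %eax                 # connect() returns -1 on error
jns .L3
movl $.LC2, %edi                 # "connect error"
call puts
movl $1, %eax
jmp .L4
.L3:
movl $.LC3, %edi                 # "Connected..."
call puts
movl $0, %ecx                    # flags = 0
movl $46, %edx                   # number of bytes of .LC4 to send
movl $.LC4, %esi                 # message
movl %ebx, %edi                  # socket_desc
call send
testq %rax, %rax                 # ssize_t result: negative on error
jns .L5
movl $.LC5, %edi                 # "Send failed"
call puts
movl $1, %eax
jmp .L4
.L5:
movl $.LC6, %edi                 # "Data Send..."
call puts
movl $0, %ecx                    # flags = 0
movl $1999, %edx                 # buffer is 2000 bytes; keep one byte for the NUL
movq %rsp, %rsi                  # receive buffer at 0(%rsp)
movl %ebx, %edi                  # socket_desc
call recv
testq %rax, %rax                 # ssize_t result: negative on error
jns .L6
movl $.LC7, %edi                 # "recv failed"
call puts
movl $0, %eax                    # puts clobbered rax; treat the reply as empty
.L6:
movb $0, (%rsp,%rax)             # reply[rax] = '\0'; rax is in 0..1999 here
movl $.LC8, %edi                 # "Reply received..."
call puts
movq %rsp, %rdi                  # the (now NUL-terminated) reply
call puts
movl $0, %eax                    # return 0
.L4:
addq $2016, %rsp
.cfi_def_cfa_offset 16
popq %rbx
.cfi_def_cfa_offset 8
ret
.cfi_endproc
.LFE29:
.size main, .-main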
.ident "GCC: (Debian 4.9.2-10) 4.9.2"
# Empty .note.GNU-stack section: tells the linker this object does not need
# an executable stack, so the final binary is given a non-executable stack.
# If an object in the link lacks this section, GNU ld assumes it requires
# an executable stack.
.section .note.GNU-stack,"",@progbits
Which gives this:
test: file format elf64-x86-64
Disassembly of section .init:
0000000000400500 <_init>:
400500: 48 83 ec 08 sub $0x8,%rsp
400504: 48 8b 05 fd 06 20 00 mov 0x2006fd(%rip),%rax # 600c08 <_DYNAMIC+0x1d0>
40050b: 48 85 c0 test %rax,%rax
40050e: 74 05 je 400515 <_init+0x15>
400510: e8 7b 00 00 00 callq 400590 <__gmon_start__@plt>
400515: 48 83 c4 08 add $0x8,%rsp
400519: c3 retq
Disassembly of section .plt:
0000000000400520 <recv@plt-0x10>:
400520: ff 35 f2 06 20 00 pushq 0x2006f2(%rip) # 600c18 <_GLOBAL_OFFSET_TABLE_+0x8>
400526: ff 25 f4 06 20 00 jmpq *0x2006f4(%rip) # 600c20 <_GLOBAL_OFFSET_TABLE_+0x10>
40052c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400530 <recv@plt>:
400530: ff 25 f2 06 20 00 jmpq *0x2006f2(%rip) # 600c28 <_GLOBAL_OFFSET_TABLE_+0x18>
400536: 68 00 00 00 00 pushq $0x0
40053b: e9 e0 ff ff ff jmpq 400520 <_init+0x20>
0000000000400540 <puts@plt>:
400540: ff 25 ea 06 20 00 jmpq *0x2006ea(%rip) # 600c30 <_GLOBAL_OFFSET_TABLE_+0x20>
400546: 68 01 00 00 00 pushq $0x1
40054b: e9 d0 ff ff ff jmpq 400520 <_init+0x20>
0000000000400550 <send@plt>:
400550: ff 25 e2 06 20 00 jmpq *0x2006e2(%rip) # 600c38 <_GLOBAL_OFFSET_TABLE_+0x28>
400556: 68 02 00 00 00 pushq $0x2
40055b: e9 c0 ff ff ff jmpq 400520 <_init+0x20>
0000000000400560 <printf@plt>:
400560: ff 25 da 06 20 00 jmpq *0x2006da(%rip) # 600c40 <_GLOBAL_OFFSET_TABLE_+0x30>
400566: 68 03 00 00 00 pushq $0x3
40056b: e9 b0 ff ff ff jmpq 400520 <_init+0x20>
0000000000400570 <__libc_start_main@plt>:
400570: ff 25 d2 06 20 00 jmpq *0x2006d2(%rip) # 600c48 <_GLOBAL_OFFSET_TABLE_+0x38>
400576: 68 04 00 00 00 pushq $0x4
40057b: e9 a0 ff ff ff jmpq 400520 <_init+0x20>
0000000000400580 <inet_addr@plt>:
400580: ff 25 ca 06 20 00 jmpq *0x2006ca(%rip) # 600c50 <_GLOBAL_OFFSET_TABLE_+0x40>
400586: 68 05 00 00 00 pushq $0x5
40058b: e9 90 ff ff ff jmpq 400520 <_init+0x20>
0000000000400590 <__gmon_start__@plt>:
400590: ff 25 c2 06 20 00 jmpq *0x2006c2(%rip) # 600c58 <_GLOBAL_OFFSET_TABLE_+0x48>
400596: 68 06 00 00 00 pushq $0x6
40059b: e9 80 ff ff ff jmpq 400520 <_init+0x20>
00000000004005a0 <connect@plt>:
4005a0: ff 25 ba 06 20 00 jmpq *0x2006ba(%rip) # 600c60 <_GLOBAL_OFFSET_TABLE_+0x50>
4005a6: 68 07 00 00 00 pushq $0x7
4005ab: e9 70 ff ff ff jmpq 400520 <_init+0x20>
00000000004005b0 <socket@plt>:
4005b0: ff 25 b2 06 20 00 jmpq *0x2006b2(%rip) # 600c68 <_GLOBAL_OFFSET_TABLE_+0x58>
4005b6: 68 08 00 00 00 pushq $0x8
4005bb: e9 60 ff ff ff jmpq 400520 <_init+0x20>
Disassembly of section .text:
00000000004005c0 <_start>:
4005c0: 31 ed xor %ebp,%ebp
4005c2: 49 89 d1 mov %rdx,%r9
4005c5: 5e pop %rsi
4005c6: 48 89 e2 mov %rsp,%rdx
4005c9: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp
4005cd: 50 push %rax
4005ce: 54 push %rsp
4005cf: 49 c7 c0 30 08 40 00 mov $0x400830,%r8
4005d6: 48 c7 c1 c0 07 40 00 mov $0x4007c0,%rcx
4005dd: 48 c7 c7 b6 06 40 00 mov $0x4006b6,%rdi
4005e4: e8 87 ff ff ff callq 400570 <__libc_start_main@plt>
4005e9: f4 hlt
4005ea: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
00000000004005f0 <deregister_tm_clones>:
4005f0: b8 87 0c 60 00 mov $0x600c87,%eax
4005f5: 55 push %rbp
4005f6: 48 2d 80 0c 60 00 sub $0x600c80,%rax
4005fc: 48 83 f8 0e cmp $0xe,%rax
400600: 48 89 e5 mov %rsp,%rbp
400603: 76 1b jbe 400620 <deregister_tm_clones+0x30>
400605: b8 00 00 00 00 mov $0x0,%eax
40060a: 48 85 c0 test %rax,%rax
40060d: 74 11 je 400620 <deregister_tm_clones+0x30>
40060f: 5d pop %rbp
400610: bf 80 0c 60 00 mov $0x600c80,%edi
400615: ff e0 jmpq *%rax
400617: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1)
40061e: 00 00
400620: 5d pop %rbp
400621: c3 retq
400622: 66 66 66 66 66 2e 0f data16 data16 data16 data16 nopw %cs:0x0(%rax,%rax,1)
400629: 1f 84 00 00 00 00 00
0000000000400630 <register_tm_clones>:
400630: be 80 0c 60 00 mov $0x600c80,%esi
400635: 55 push %rbp
400636: 48 81 ee 80 0c 60 00 sub $0x600c80,%rsi
40063d: 48 c1 fe 03 sar $0x3,%rsi
400641: 48 89 e5 mov %rsp,%rbp
400644: 48 89 f0 mov %rsi,%rax
400647: 48 c1 e8 3f shr $0x3f,%rax
40064b: 48 01 c6 add %rax,%rsi
40064e: 48 d1 fe sar %rsi
400651: 74 15 je 400668 <register_tm_clones+0x38>
400653: b8 00 00 00 00 mov $0x0,%eax
400658: 48 85 c0 test %rax,%rax
40065b: 74 0b je 400668 <register_tm_clones+0x38>
40065d: 5d pop %rbp
40065e: bf 80 0c 60 00 mov $0x600c80,%edi
400663: ff e0 jmpq *%rax
400665: 0f 1f 00 nopl (%rax)
400668: 5d pop %rbp
400669: c3 retq
40066a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
0000000000400670 <__do_global_dtors_aux>:
400670: 80 3d 09 06 20 00 00 cmpb $0x0,0x200609(%rip) # 600c80 <__TMC_END__>
400677: 75 11 jne 40068a <__do_global_dtors_aux+0x1a>
400679: 55 push %rbp
40067a: 48 89 e5 mov %rsp,%rbp
40067d: e8 6e ff ff ff callq 4005f0 <deregister_tm_clones>
400682: 5d pop %rbp
400683: c6 05 f6 05 20 00 01 movb $0x1,0x2005f6(%rip) # 600c80 <__TMC_END__>
40068a: f3 c3 repz retq
40068c: 0f 1f 40 00 nopl 0x0(%rax)
0000000000400690 <frame_dummy>:
400690: bf 30 0a 60 00 mov $0x600a30,%edi
400695: 48 83 3f 00 cmpq $0x0,(%rdi)
400699: 75 05 jne 4006a0 <frame_dummy+0x10>
40069b: eb 93 jmp 400630 <register_tm_clones>
40069d: 0f 1f 00 nopl (%rax)
4006a0: b8 00 00 00 00 mov $0x0,%eax
4006a5: 48 85 c0 test %rax,%rax
4006a8: 74 f1 je 40069b <frame_dummy+0xb>
4006aa: 55 push %rbp
4006ab: 48 89 e5 mov %rsp,%rbp
4006ae: ff d0 callq *%rax
4006b0: 5d pop %rbp
4006b1: e9 7a ff ff ff jmpq 400630 <register_tm_clones>
00000000004006b6 <main>:
4006b6: 53 push %rbx
4006b7: 48 81 ec e0 07 00 00 sub $0x7e0,%rsp
4006be: ba 00 00 00 00 mov $0x0,%edx
4006c3: be 01 00 00 00 mov $0x1,%esi
4006c8: bf 02 00 00 00 mov $0x2,%edi
4006cd: e8 de fe ff ff callq 4005b0 <socket@plt>
4006d2: 89 c3 mov %eax,%ebx
4006d4: 83 f8 ff cmp $0xffffffff,%eax
4006d7: 75 0f jne 4006e8 <main+0x32>
4006d9: bf 44 08 40 00 mov $0x400844,%edi
4006de: b8 00 00 00 00 mov $0x0,%eax
4006e3: e8 78 fe ff ff callq 400560 <printf@plt>
4006e8: bf 5c 08 40 00 mov $0x40085c,%edi
4006ed: e8 8e fe ff ff callq 400580 <inet_addr@plt>
4006f2: 89 84 24 d4 07 00 00 mov %eax,0x7d4(%rsp)
4006f9: 66 c7 84 24 d0 07 00 movw $0x2,0x7d0(%rsp)
400700: 00 02 00
400703: 66 c7 84 24 d2 07 00 movw $0x370d,0x7d2(%rsp)
40070a: 00 0d 37
40070d: ba 10 00 00 00 mov $0x10,%edx
400712: 48 8d b4 24 d0 07 00 lea 0x7d0(%rsp),%rsi
400719: 00
40071a: 89 df mov %ebx,%edi
40071c: e8 7f fe ff ff callq 4005a0 <connect@plt>
400721: 85 c0 test %eax,%eax
400723: 79 11 jns 400736 <main+0x80>
400725: bf 66 08 40 00 mov $0x400866,%edi
40072a: e8 11 fe ff ff callq 400540 <puts@plt>
40072f: b8 01 00 00 00 mov $0x1,%eax
400734: eb 7a jmp 4007b0 <main+0xfa>
400736: bf 74 08 40 00 mov $0x400874,%edi
40073b: e8 00 fe ff ff callq 400540 <puts@plt>
400740: b9 00 00 00 00 mov $0x0,%ecx
400745: ba 2e 00 00 00 mov $0x2e,%edx
40074a: be b8 08 40 00 mov $0x4008b8,%esi
40074f: 89 df mov %ebx,%edi
400751: e8 fa fd ff ff callq 400550 <send@plt>
400756: 48 85 c0 test %rax,%rax
400759: 79 11 jns 40076c <main+0xb6>
40075b: bf 7f 08 40 00 mov $0x40087f,%edi
400760: e8 db fd ff ff callq 400540 <puts@plt>
400765: b8 01 00 00 00 mov $0x1,%eax
40076a: eb 44 jmp 4007b0 <main+0xfa>
40076c: bf 8b 08 40 00 mov $0x40088b,%edi
400771: e8 ca fd ff ff callq 400540 <puts@plt>
400776: b9 00 00 00 00 mov $0x0,%ecx
40077b: ba d0 07 00 00 mov $0x7d0,%edx
400780: 48 89 e6 mov %rsp,%rsi
400783: 89 df mov %ebx,%edi
400785: e8 a6 fd ff ff callq 400530 <recv@plt>
40078a: 48 85 c0 test %rax,%rax
40078d: 79 0a jns 400799 <main+0xe3>
40078f: bf 96 08 40 00 mov $0x400896,%edi
400794: e8 a7 fd ff ff callq 400540 <puts@plt>
400799: bf a2 08 40 00 mov $0x4008a2,%edi
40079e: e8 9d fd ff ff callq 400540 <puts@plt>
4007a3: 48 89 e7 mov %rsp,%rdi
4007a6: e8 95 fd ff ff callq 400540 <puts@plt>
4007ab: b8 00 00 00 00 mov $0x0,%eax
4007b0: 48 81 c4 e0 07 00 00 add $0x7e0,%rsp
4007b7: 5b pop %rbx
4007b8: c3 retq
4007b9: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
00000000004007c0 <__libc_csu_init>:
4007c0: 41 57 push %r15
4007c2: 41 89 ff mov %edi,%r15d
4007c5: 41 56 push %r14
4007c7: 49 89 f6 mov %rsi,%r14
4007ca: 41 55 push %r13
4007cc: 49 89 d5 mov %rdx,%r13
4007cf: 41 54 push %r12
4007d1: 4c 8d 25 48 02 20 00 lea 0x200248(%rip),%r12 # 600a20 <__frame_dummy_init_array_entry>
4007d8: 55 push %rbp
4007d9: 48 8d 2d 48 02 20 00 lea 0x200248(%rip),%rbp # 600a28 <__init_array_end>
4007e0: 53 push %rbx
4007e1: 4c 29 e5 sub %r12,%rbp
4007e4: 31 db xor %ebx,%ebx
4007e6: 48 c1 fd 03 sar $0x3,%rbp
4007ea: 48 83 ec 08 sub $0x8,%rsp
4007ee: e8 0d fd ff ff callq 400500 <_init>
4007f3: 48 85 ed test %rbp,%rbp
4007f6: 74 1e je 400816 <__libc_csu_init+0x56>
4007f8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1)
4007ff: 00
400800: 4c 89 ea mov %r13,%rdx
400803: 4c 89 f6 mov %r14,%rsi
400806: 44 89 ff mov %r15d,%edi
400809: 41 ff 14 dc callq *(%r12,%rbx,8)
40080d: 48 83 c3 01 add $0x1,%rbx
400811: 48 39 eb cmp %rbp,%rbx
400814: 75 ea jne 400800 <__libc_csu_init+0x40>
400816: 48 83 c4 08 add $0x8,%rsp
40081a: 5b pop %rbx
40081b: 5d pop %rbp
40081c: 41 5c pop %r12
40081e: 41 5d pop %r13
400820: 41 5e pop %r14
400822: 41 5f pop %r15
400824: c3 retq
400825: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
40082c: 00 00 00 00
0000000000400830 <__libc_csu_fini>:
400830: f3 c3 repz retq
Disassembly of section .fini:
0000000000400834 <_fini>:
400834: 48 83 ec 08 sub $0x8,%rsp
400838: 48 83 c4 08 add $0x8,%rsp
40083c: c3 retq
As you can see, it's a lot. My first question: will the null bytes in my .init and .plt sections affect my shellcode, or only the ones in my .text section?
I know, for example, that where I have `ba 00 00 00 00 mov $0x0,%edx` I can use `xor %edx,%edx` instead. For `b8 01 00 00 00 mov $0x1,%eax`, can I apply `xor %eax,%eax` as well?
But what about cases like `ff 35 f2 06 20 00 pushq 0x2006f2(%rip)` or `66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)`?
Since I'm a newbie who wants to learn, any help would be appreciated. Yes, I have read Smashing The Stack For Fun And Profit, but English is not my mother tongue and, like I said, I'm a newbie, so not everything is clear to me.
Thanks in advance.