Advanced Shellcoding

The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net. The MUL instruction may seem trivial on the surface, and it's obvious purpose. But when faced with the difficult task of narrowing your shellcode, it proves to be very useful. First some background information on the mul instruction itself.

MUL performs both signed integers. It only takes one operand, the other is implicitly specified by register% eax. Then a common MUL instruction like this:

movl $ 0x0a,% eax

mul $ 0x0a

This multiplies the value stored in% eax by the operand and the revolution, which in this case would be 10 * 10 The result is then implicitly stored in EDX: EAX. The result is stored in a span of two registers, because it has the opportunity to be much higher than the previous value, possibly exceeding the capacity of a single register (this is also how floating points are stored in some cases, as a interesting side note).

So now the question is increasingly important. How can we use these attributes to our advantage when writing shellcode? Well, think about a second, the instruction has one operand, then, as it is a very common statement, there are only two bytes in our shellcode final. Multiply all that happens to the value stored in% eax, and stores the value in% edx% eax and two completely overwrite the contents of two registers, regardless of if you must store the result of multiplication. Mathematical put in the hat for a moment and think this is the only possible result of a multiplication by 0? The answer, as you guessed, is 0. I think it's time for a code, for example, so here it is:

Xorl% ECX, ECX%

% ECX mul

What is this shellcode to do? Well, not 0% ecx register using the xor instruction, so we know now that is 0% ecx. Then he made a Mul% ecx, which as we have learned is multiplied by the operand value in% eax, and then proceeds to store the result of this multiplication in EDX: EAX. Therefore, regardless of previous contents of% eax,% eax must now be 0. But that's not all,% edx 0'd too, because although it does not overflow always overwrites the% edx to the sign bit (leftmost bit) of% eax. Using this technique we can enumerate three registers in only three bytes, while any other method (I know) would have required at least six.
Instruction div

P is very similar to mul, it takes only one operand, and to share implicit value in% eax working. Even as, multi stores the results of the divide% eax. Once again, we need a means of understanding how our brains mathematically we can make use of this manual. But first, think of what is normally stored in% eax register. % Eax register to restore the value of the functions and / or system calls. Most system calls used shellcoding returns -1 (the complaints), or a positive value of some kind, only rarely return 0 (even if it happens). So if we know that when a system call is executed,% eax is not zero, and that teaching divl% eax,% eax will divide itself, and then save the result in% eax, we can say that the implementation of divl% eax instruction was after the system call to put a value of 1 in% eax. So ...

xorl Ebx% Ebx%

Mul% ebx

push% edx

pushl $ 0x3268732f

pushl $ 0x6e69622f

mov% esp,% ebx

push% edx

push Ebx%

mov% esp,% ECX

How to apply shellcoding? Well, their is another important theme,% eax is used, and that is to move certain that you want to call syscall int $ 0x80. It so happens that the syscall that corresponds to an exit (). Now, for example:

MOVB $ 0xb,% # to execve () syscall, does not return at all, if it fails, in which case it returns -1

int $ 0x80

% Eax # divl -1 / -1 = 1

int $ 0x80

Now we have a function 3 output bytes, where as before it was 5 bytes. But there is a catch if a syscall does return 0? Well in the odd situation where it could happen, you can do many different things inc% eax,% tag EAX, EAX% is not something that will make% eax different from zero. Some people say that the output is not important in shellcode, because your code is executed, if it comes out clean. They have the right too, if you really need to save 3 bytes to fit your shellcode in somewhere, the exit () is not worth keeping. But when your code is not finished, it will try to do what was after your last statement, which will probably generate a GIS (illegal instruction) PEB is a rather strange error and is logged by the system. Thus, an exit () simply adds an extra layer of stealth to your advantage, even if it fails or you can not erase all the newspapers, at least that part of your presence will be ready.

Unlock the power Leal

The statement is a Leal often overlooked in the shellcode, though very useful. Consider this little piece of shellcode.

xorl% ECX, ECX%

Leal 0x10 (% ecx),% eax

This will load the EAX value 17, and clear all bits of foreigners eax. This occurs because the load instruction Leal a variable of type long in desitination operates. In normal use, load the address of a variable in a register, creating a sort of pointer. However, since 0'd ecx is 0 and 17 = 17, loading the value 17 into eax instead of any real direction. In a normal shellcode would do something, to accomplish the same thing:

xorl% EAX, EAX%

movb $ 0x10,% eax

I can hear you say, but the shellcode is a byte shorter than the Leal, and you are right. But in a real shellcode you may already have a 0 on ECX register (or any other registry) to instruction xorl Leal shellcode is not counted. For example:

xorl% eax,% eax

Xorl% ebx,% ebx

movb $ 0x17,% al

int $ 0x80

xorl Ebx% Ebx%

Leal 0x17 (% ebx),% al

int $ 0x80

These two calls setuid shellcode (0), but you do it in 7 bytes, while the other there in 8th Again, I hear you say, but it is a single byte not much difference, and you Because here it does not make much difference (except in size shellcode pissing contests = p), but when applied to much larger shellcode, which has many function calls and do things like this often, it can save a lot space.