danielsauder

IT security is a matter of trust.

Dumping shellcode 64bit style

Problem: I had a shellcode that I compiled and used in a .c program. The compiled .c program crashed, but the executable from the assembly file worked.
Normally I use this line:

# objdump -d hello32|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

But this did not work.
The problem was in the following line in my assembly code:

mov rbx,0x68732f6e69622fff

When using objdump the problem becomes clearer:

# objdump -d exbindshell
...
4000df:	48 bb 2f 2f 62 69 6e 	movabs $0x68732f6e69622f2f,%rbx
...

With the first command above the “6e” is missing from the shellcode: objdump prints at most seven opcode bytes per line and wraps the remaining three bytes of this ten-byte movabs onto the next line, while “cut -f1-6” keeps only six of the seven bytes on the first line.

Using this:

# objdump -d exbindshell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

solved this problem for me (so far). The difference is the “cut -f1-7”.
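The fixed pipeline still depends on objdump's default of seven bytes per line, and it gives no signal when a byte is dropped. The script below is an added example (not the author's code): it parses objdump -d output by matching the address and the byte column directly, so the number of bytes per line does not matter, and it checks that each line starts where the previous line's bytes end, which flags exactly the kind of truncation described above. The objdump output embedded in it is a constructed sample modelled on the listing in the post, not a real dump; the max_per_line parameter only exists to reproduce what “cut -f1-N” does.

```python
import re

# Constructed sample of `objdump -d` output (not the author's real dump): the
# ten-byte movabs is printed across two lines, as objdump does by default.
SAMPLE_OBJDUMP = (
    "exbindshell:     file format elf64-x86-64\n"
    "\n"
    "Disassembly of section .text:\n"
    "\n"
    "00000000004000d8 <_start>:\n"
    "  4000d8:\t48 31 c0             \txor    %rax,%rax\n"
    "  4000db:\t48 31 db             \txor    %rbx,%rbx\n"
    "  4000de:\t50                   \tpush   %rax\n"
    "  4000df:\t48 bb 2f 2f 62 69 6e \tmovabs $0x68732f6e69622f2f,%rbx\n"
    "  4000e6:\t2f 73 68 \n"
    "  4000e9:\t53                   \tpush   %rbx\n"
)

# Address, then the run of "xx " byte groups; the mnemonic column is ignored.
LINE_RE = re.compile(r'^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2} )+)')


def parse_lines(dump, max_per_line=None):
    """Return a list of (address, bytes) pairs, one per objdump line.

    max_per_line mimics the truncation that `cut -f1-N` applies to the
    byte column; leave it at None to take every byte objdump printed.
    """
    rows = []
    for line in dump.splitlines():
        if 'file format' in line:      # header line, same role as grep -v 'file'
            continue
        m = LINE_RE.match(line)
        if not m:                      # labels, blank lines, section headers
            continue
        hexbytes = m.group(2).split()
        if max_per_line is not None:
            hexbytes = hexbytes[:max_per_line]
        rows.append((int(m.group(1), 16), bytes(int(h, 16) for h in hexbytes)))
    return rows


def extract_bytes(dump, max_per_line=None):
    """Concatenate the opcode bytes of every parsed line."""
    return b''.join(data for _, data in parse_lines(dump, max_per_line))


def find_gaps(rows):
    """Return (address, missing_count) for every line whose bytes do not
    reach the next line's address, i.e. bytes that were dropped."""
    gaps = []
    for (addr, data), (next_addr, _) in zip(rows, rows[1:]):
        end = addr + len(data)
        if end != next_addr:
            gaps.append((addr, next_addr - end))
    return gaps


def to_c_string(data):
    """Render bytes as the "\\x.." string literal the post's pipeline emits."""
    return '"' + ''.join(f'\\x{b:02x}' for b in data) + '"'


if __name__ == '__main__':
    # limit=6 reproduces the broken `cut -f1-6` pipeline; None takes all bytes.
    for limit in (6, None):
        rows = parse_lines(SAMPLE_OBJDUMP, limit)
        print(f"limit={limit}: {to_c_string(extract_bytes(SAMPLE_OBJDUMP, limit))}")
        print("  gaps:", find_gaps(rows) or "none")
```

Run against the sample, limit=6 reports a one-byte gap at 0x4000df (the dropped “6e”), while the unlimited parse reports none; feeding it real output from objdump -d on the assembled binary works the same way, since the check only relies on the address column.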


One response to “Dumping shellcode 64bit style”

  1. […] When dumping the shellcode I encountered a problem which I described in an earlier blog post. […]
