
Analysis of linux shellcode (miasm issue, closed)

cea-sec commented on July 17, 2024
Analysis of linux shellcode


Comments (12)

commial commented on July 17, 2024

Can you supply the whole shellcode, or at least a minimalist example with the associated Python code? That way, we will be able to reproduce and fix this issue.

In addition, please move your second question to a separate issue (and add the aforementioned code snippet).


Summus-31c04089c3cd80 commented on July 17, 2024

This was the shellcode used: "\x31\xc0\x83\xc0\x29\x6a\x02\x5b\xcd\x80\x83\xe8\x04\xcd\x80"
I've since modified the Python code, but it was a "basic" code, similar to this one: https://github.com/cea-sec/miasm/blob/master/example/jitter/x86_32.py (with the above given code part)


serpilliere commented on July 17, 2024

For the moment, put aside the libs. To have the same conditions, I first generate the following shellcode:

main:
    XOR EAX, EAX
    MOV AL, 1
    XOR EBX,EBX
    INT 0x80
    RET

So I assemble it:

python example/asm/shellcode.py x86_32 example/samples/x86_32_int80.S out.bin

And I emulate it:

$ python example/jitter/x86_32.py out.bin
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR        EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV        AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR        EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT        0x80
Traceback (most recent call last):
  File "example/jitter/x86_32.py", line 40, in <module>
    myjit.continue_run()
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 339, in continue_run
    return self.run_iterator.next()
  File "/usr/local/lib/python2.7/dist-packages/miasm2/jitter/jitload.py", line 311, in runiter_once
    assert(self.get_exception() == 0)
AssertionError

We have an error on the int 0x80. This instruction throws an exception. The basic emulation code doesn't handle exceptions. To deal with it, you have to add an exception handler:

from miasm2.jitter.csts import EXCEPT_INT_XX

def exception_int(jitter):
    # Called by the jitter when an INT xx instruction raises EXCEPT_INT_XX
    print 'interrupt!'
    # Returning False stops the emulation at the faulting instruction
    return False
myjit.add_exception_handler(EXCEPT_INT_XX, exception_int)

(You have to import EXCEPT_INT_XX something like: from miasm2.jitter.csts import PAGE_READ, PAGE_WRITE, EXCEPT_INT_XX)

Result:

$ python xxx.py out.bin 
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR        EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV        AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR        EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT        0x80
interrupt!

And the shellcode stops (the return False makes the execution stop).

Now you have to implement your own system call for the int 0x80!

For example:

def exception_int(jitter):
    print 'interrupt!'
    # On Linux x86_32 the system call number is passed in EAX
    print 'syscall num:', hex(jitter.cpu.EAX)
    # The system call's return value also goes back to the shellcode in EAX
    jitter.cpu.EAX = 0x1337
    # Clear the pending INT 0x80 exception so the jitter can resume
    jitter.cpu.set_exception(0)
    # Returning True resumes execution at the instruction after INT 0x80
    return True

(Here, jitter.cpu.set_exception(0) resets the exception generated by the int 0x80)

And the result:

$ python xxx.py out.bin 
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000000 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000000 XOR        EAX, EAX
RAX 0000000000000000 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000000
40000002 MOV        AL, 0x1
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000002
40000004 XOR        EBX, EBX
RAX 0000000000000001 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000004
40000006 INT        0x80
interrupt!
syscall num: 0x1L
RAX 0000000000001337 RBX 0000000000000000 RCX 0000000000000000 RDX 0000000000000000
RSI 0000000000000000 RDI 0000000000000000 RSP 000000000123FFFC RBP 0000000000000000
zf 0000000000000001 nf 0000000000000000 of 0000000000000000 cf 0000000000000000
RIP 0000000040000008
40000008 RET        

See EAX is 1337 after the system call.


serpilliere commented on July 17, 2024

It seems your posted shellcode doesn't have any call, so it doesn't match your issue.

As @commial said, move this sub-issue to another topic.


Summus-31c04089c3cd80 commented on July 17, 2024

Ok, thank you!
I moved the question about call to another topic; this shellcode was about this issue :)

So is it possible to execute an external function in the miasm VM?
If I implement a syscall in Python and execute it in the exception handler, the environment should be different from the one where the shellcode is executed, right?


serpilliere commented on July 17, 2024

No, if you modify jitter.cpu.EAX, it modifies the EAX in the current VM.
I may not have understood your request: what do you mean by "external" function?


Summus-31c04089c3cd80 commented on July 17, 2024

For example: getuid. I'm asking if the return will be the same if it is called by the Python code or if it is called directly by the shellcode (in the VM)?


serpilliere commented on July 17, 2024

The Miasm VM is there to simulate the behavior of a real machine. So you can set EAX to any uid you want here.

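The two points made above, serpilliere's exception-handler walkthrough and the answer that the handler simply decides what getuid returns, put together as an added example (not code from the thread or from the miasm project): a small Linux i386 INT 0x80 dispatcher written as a miasm EXCEPT_INT_XX handler. It uses only the jitter attributes the thread relies on (jitter.cpu.EAX/EBX/ECX/EDX, jitter.cpu.set_exception(), jitter.vm.get_mem()), so the constructed fake_jitter stand-in lets it run offline; the uid of 1000, the pid-free syscall table and the modern `miasm` import path in install() are assumptions.

```python
from types import SimpleNamespace
# Linux i386 syscall numbers (kernel syscall_32.tbl) and the errno returned for the rest
SYS_EXIT, SYS_WRITE, SYS_GETUID, ENOSYS = 1, 4, 24, 38


class LinuxSyscalls:
    """miasm EXCEPT_INT_XX handler: emulate the Linux syscall whose number is in EAX."""

    def __init__(self, uid=0):
        self.uid = uid                     # the uid we choose to present to the code
        self.writes, self.exit_status = [], None

    def handle(self, jitter):
        num = jitter.cpu.EAX
        jitter.cpu.set_exception(0)        # clear the exception raised by INT 0x80
        if num == SYS_EXIT:
            self.exit_status = jitter.cpu.EBX
            return False                   # False stops the emulation
        if num == SYS_WRITE:               # write(fd=EBX, buf=ECX, count=EDX)
            data = jitter.vm.get_mem(jitter.cpu.ECX, jitter.cpu.EDX)
            self.writes.append((jitter.cpu.EBX, bytes(data)))
            ret = jitter.cpu.EDX
        elif num == SYS_GETUID:
            ret = self.uid
        else:
            ret = -ENOSYS                  # unimplemented: fail the way the kernel would
        jitter.cpu.EAX = ret & 0xFFFFFFFF  # EAX is 32 bits, so -errno becomes two's complement
        return True                        # True resumes at the instruction after INT 0x80


def install(jitter, syscalls):
    """Hook a real miasm jitter (import kept local so the rest runs without miasm)."""
    from miasm.jitter.csts import EXCEPT_INT_XX
    jitter.add_exception_handler(EXCEPT_INT_XX, syscalls.handle)


def fake_jitter(mem=b"", base=0x40000000, **regs):
    """Constructed stand-in for a jitter, exposing just what the handler touches."""
    cpu = SimpleNamespace(**{**dict(EAX=0, EBX=0, ECX=0, EDX=0, exception=1), **regs})
    cpu.set_exception = lambda value: setattr(cpu, "exception", value)
    vm = SimpleNamespace(get_mem=lambda addr, size: mem[addr - base:addr - base + size])
    return SimpleNamespace(cpu=cpu, vm=vm)


def demo():
    """Replay write(1, "hi\\n", 3), getuid() and exit(7) as three INT 0x80 traps."""
    linux = LinuxSyscalls(uid=1000)
    w = fake_jitter(b"hi\n", EAX=SYS_WRITE, EBX=1, ECX=0x40000000, EDX=3)
    resumed = linux.handle(w)
    u = fake_jitter(EAX=SYS_GETUID)
    linux.handle(u)
    stopped = not linux.handle(fake_jitter(EAX=SYS_EXIT, EBX=7))
    return resumed, w.cpu.EAX, w.cpu.exception, linux.writes, u.cpu.EAX, stopped, linux.exit_status
```

A syscall number the table does not know (such as the 0x29 the posted shellcode loads before its first INT 0x80) comes back as -ENOSYS in EAX rather than silently succeeding, which makes the missing emulation visible in the register trace.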

commial commented on July 17, 2024

Note: the discussion on the second issue continues on #184.


Summus-31c04089c3cd80 commented on July 17, 2024

Yeah, that wasn't a good example, and I cannot find another one.
The problem comes when the shellcode is expecting a specific value, but even in the VM this cannot work since it is different from the target machine ...


serpilliere commented on July 17, 2024

Have you got a "good" example or the original shellcode? (if you can share it with us)


Summus-31c04089c3cd80 commented on July 17, 2024

I have not yet found a shellcode which generates such a problem.
So I'll close this issue; thank you for all the help you have given me!

