Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

I386 ascii shellcode #1667

Merged
merged 23 commits into from
Sep 26, 2020
Merged

I386 ascii shellcode #1667

merged 23 commits into from
Sep 26, 2020

Conversation

TwoUnderscorez
Copy link
Contributor

I've written a module based on the Riley "Caezar" Eller's technique to bypass data filters, for buffer overflow exploits, on Intel x86 platforms.
http://julianor.tripod.com/bc/bypass-msb.txt
The algorithm to calculate the subtractions for warping around eax is based on https://github.com/VincentDary/PolyAsciiShellGen

@TwoUnderscorez TwoUnderscorez changed the title I386 ascii shellcode [WIP] I386 ascii shellcode Aug 26, 2020
@TwoUnderscorez TwoUnderscorez changed the title [WIP] I386 ascii shellcode I386 ascii shellcode Aug 26, 2020
@heapcrash
Copy link
Collaborator

It looks like your change to changelog.md modifies a lot of lines it shouldn't. Can you fix this? (git checkout origin/master -- CHANGELOG.md then add your change again)

@TwoUnderscorez
Copy link
Contributor Author

Sorry, my bad. I guess my IDE's auto-formatting kicked in and I've just not noticed. Hopefully it's good now.

@TwoUnderscorez
Copy link
Contributor Author

I did not realize you still support Python 2, so now that's fixed.

zachriggle
zachriggle requested changes Sep 5, 2020
View reviewed changes
docs/source/ascii_shellcode.rst Outdated Show resolved Hide resolved
pwnlib/ascii_shellcode.py Outdated

Examples:

>>> sc = hex2bytes('83c41831c031dbb006cd8053682f747479682f64657689e331c966b91227b005cd806a175831dbcd806a2e5853cd8031c050682f2f7368682f62696e89e3505389e199b00bcd80')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would prefer we also have an ELF.from_bytes().process() test that actually runs some shellcode to ensure that it works. e.g.

>>> sc = shellcraft.echo("Hello world") + shellcraft.exit()
>>> ascii = ascii_shellcode(asm(sc))
>>> ELF.from_bytes(ascii).process().recvall()
b"Hello world"

Copy link
Contributor Author

@TwoUnderscorez TwoUnderscorez Sep 8, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added doctest.
Since the shellcode is executing from the code segment and is being unpacked onto the stack, I had to add a jmp esp to the end of the unpacker.
(Usually, the unpacker also runs on the stack, and when eip bumps into esp the unpacked shellcode starts executing).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FYI we also have a run_shellcode shortcut somewhere (with a similar debug_shellcode to aid development) that accepts bytes and returns a running process tube, just as above.

@Arusekk
Copy link
Member

Arusekk commented Sep 13, 2020

This code must be moved under pwnlib.encoders.i386.

@TwoUnderscorez
Copy link
Contributor Author

@Arusekk moved under pwnlib.encoders.i386.

Arusekk
Arusekk requested changes Sep 20, 2020
View reviewed changes
Copy link
Member

@Arusekk Arusekk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooofff. That's some great stuff! But I would like it better if it changed a bit. Here you have my MASSIVE review you will find helpful.

pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
pwnlib/encoders/i386/ascii_shellcode.py Outdated Show resolved Hide resolved
@TwoUnderscorez
Copy link
Contributor Author

Thanks for taking the time to review my code! I'll fix all the cosmetic / pack / bytearray stuff soon. As for python 2 <-> 3 compatible code, It'll probably take me a little longer since I'm less familiar with writing backwords compatible code.

@Arusekk
Copy link
Member

Arusekk commented Sep 20, 2020 via email

@Arusekk
Apply some of the suggestions from Arusekk's code review
aec09a2 
Co-authored-by: Arusekk <arek_koz@o2.pl>
@Arusekk Arusekk merged commit dc8d0e3 into Gallopsled:dev Sep 26, 2020
@TwoUnderscorez TwoUnderscorez mentioned this pull request Oct 3, 2020
Merged
Arusekk pushed a commit that referenced this pull request Oct 5, 2020
@TwoUnderscorez
Fix documentation of #1667 (#1693)
a0b3b24 
* add parameter max_subs to __init__

(cherry picked from commit d331be5)

* Beautify doc string

(cherry picked from commit ceebf47)

* Fix some typos

(cherry picked from commit 6bbbdce)

* Update CHANGELOG.md

* Revert changelog

#1693 (comment)

* Trigger CI
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Arusekk Arusekk Arusekk approved these changes

@zachriggle zachriggle Awaiting requested review from zachriggle

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@TwoUnderscorez @heapcrash @Arusekk @zachriggle