Writing Shellcode for the exit() Syscall

Essentially, you now have all the pieces you need to make exit() shellcode. We have written the desired syscall in C, compiled and disassembled the binary, and understand what the actual instructions do. The last remaining step is to clean up our shellcode, get hexadecimal opcodes from the assembly, and test our shellcode to make sure it works. Let's look at how we can do a little optimization and cleaning of our shellcode.

We presently have seven instructions in our shellcode. We always want our shellcode to be as compact as possible so that it fits into small input areas, so let's do some trimming and optimization. Because our shellcode will be executed without some other portion of code setting up its arguments for it (in this case, fetching the value to be placed in EBX from the stack), we will have to set this argument ourselves. We can easily do this by storing the value 0 directly into EBX. Additionally, we really need only the exit() syscall for the purposes of our shellcode, so we can safely drop the exit_group() instructions and get the same desired effect. For the sake of size, we won't be including the exit_group() instructions.

From a high level, our shellcode should

  1. Store the value 0 into EBX

  2. Store the value of 1 into EAX

  3. Execute int 0x80 instruction to make the syscall

Sidebar: Shellcode Size

You want to keep your shellcode as simple, or as compact, as possible. The smaller the shellcode, the more programs you can exploit with it. Remember, you will stuff shellcode into input areas. If you encounter a vulnerable input area that is n bytes long, you will need to fit all your shellcode into it, plus other instructions to call your shellcode, so the shellcode must be smaller than n. For this reason, whenever you write shellcode, you should always be conscious of size.
 

Let's write these three steps in assembly. We can then assemble and link them into an ELF binary, from which we can finally extract the opcodes.

    section .text
        global _start

    _start:
        mov ebx,0
        mov eax,1
        int 0x80

Now we want to use the nasm assembler to create our object file, and then use the GNU linker to link the object file into an executable:

    [slap@0day root] nasm -f elf exit_shellcode.asm
    [slap@0day root] ld -o exit_shellcode exit_shellcode.o

Finally, we are ready to get our opcodes. In this example, we will use objdump. The objdump utility is a simple tool that displays the contents of object files in human readable form. It also prints out the opcode nicely when displaying contents of the object file, which makes it useful in designing shellcode. Run our exit_shellcode program through objdump, like this:

    [slap@0day root] objdump -d exit_shellcode

    exit_shellcode:     file format elf32-i386

    Disassembly of section .text:

    08048080 <.text>:
     8048080:       bb 00 00 00 00          mov    $0x0,%ebx
     8048085:       b8 01 00 00 00          mov    $0x1,%eax
     804808a:       cd 80                   int    $0x80

You can see the assembly instructions on the far right. To the left of each instruction are its opcodes, the raw bytes the CPU executes. All you need to do is place those bytes into a character array and whip up a little C to execute the string. Here is one way the finished product can look (remember, if you don't want to type this all out, visit the Shellcoder's Handbook Web site at www.wiley.com/compbooks/koziol).

    char shellcode[] = "\xbb\x00\x00\x00\x00"   /* mov ebx,0 */
                       "\xb8\x01\x00\x00\x00"   /* mov eax,1 */
                       "\xcd\x80";              /* int 0x80  */

    int main()
    {
        int *ret;

        /* ret sits just below the saved EBP in main()'s frame, so two
           words above it is main()'s saved return address. Overwrite it
           with the address of the shellcode array: when main() returns,
           execution continues in our shellcode instead. */
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }

Now, compile the program and test the shellcode.

    [slap@0day slap] gcc -o wack wack.c
    [slap@0day slap] ./wack
    [slap@0day slap]

It looks like the program exited normally. But how can we be sure it was actually our shellcode that did it? You can use the system call tracer (strace) to print out every system call a particular program makes. Here is strace in action:

    [slap@0day slap] strace ./wack
    execve("./wack", ["./wack"], [/* 34 vars */]) = 0
    uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0
    brk(0)                                  = 0x80494d8
    old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x40016000
    open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY)      = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=78416, ...}) = 0
    old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000
    close(3)                                = 0
    open("/lib/tls/libc.so.6", O_RDONLY)    = 3
    read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512
    fstat64(3, {st_mode=S_IFREG|0755, st_size=1531064, ...}) = 0
    old_mmap(0x42000000, 1257224, PROT_READ|PROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000
    old_mmap(0x4212e000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED, 3, 0x12e000) = 0x4212e000
    old_mmap(0x42131000, 7944, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x42131000
    close(3)                                = 0
    set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
    munmap(0x40017000, 78416)               = 0
    exit(0)                                 = ?

As you can see, the last line is our exit(0) syscall. If you'd like, go back and modify the shellcode to execute the exit_group() syscall.

    char shellcode[] = "\xbb\x00\x00\x00\x00"   /* mov ebx,0   */
                       "\xb8\xfc\x00\x00\x00"   /* mov eax,252 */
                       "\xcd\x80";              /* int 0x80    */

    int main()
    {
        int *ret;

        /* Same return-address overwrite as before: make main() "return"
           into the shellcode array. */
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }

This exit_group() shellcode will have the same effect. Notice that the only change is on the second line: the byte following \xb8, which is the immediate value loaded into EAX, goes from \x01 (1, the syscall number of exit()) to \xfc (252, the syscall number of exit_group()). EBX is still 0, so exit_group() is called with the same argument. Recompile the program and run strace again; you will see the new syscall.

 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS,  -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY)    = -1 ENOENT (No such file or  directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3)                                = 0 open("/lib/tls/libc.so.6", O_RDONLY)    = 3 read(3, "7ELF 
 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG0755, st_size=1531064, ...}) = 0 old_mmap(0x42000000, 1257224, PROT_READPROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212e000, 12288, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXED, 3, 0x12e000) = 0x4212e000 old_mmap(0x42131000, 7944, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXEDMAP_ANONYMOUS, -1, 0) = 0x42131000 close(3) = 0 set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 78416) = 0 exit_group(0) = ? 
 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG0755, st_size=1531064, ...}) = 0 old_mmap(0x42000000, 1257224, PROT_READPROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212e000, 12288, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXED, 3, 0x12e000) = 0x4212e000 old_mmap(0x42131000, 7944, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXEDMAP_ANONYMOUS, -1, 0) = 0x42131000 close(3) = 0 set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 78416) = 0 exit_group(0) = ? 
 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG0755, st_size=1531064, ...}) = 0 old_mmap(0x42000000, 1257224, PROT_READPROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212e000, 12288, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXED, 3, 0x12e000) = 0x4212e000 old_mmap(0x42131000, 7944, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXEDMAP_ANONYMOUS, -1, 0) = 0x42131000 close(3) = 0 set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 78416) = 0 exit_group(0) = ? 
 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG0755, st_size=1531064, ...}) = 0 old_mmap(0x42000000, 1257224, PROT_READPROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212e000, 12288, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXED, 3, 0x12e000) = 0x4212e000 old_mmap(0x42131000, 7944, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXEDMAP_ANONYMOUS, -1, 0) = 0x42131000 close(3) = 0 set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 78416) = 0 exit_group(0) = ? 
 [slap@0day slap] strace ./wack execve("./wack", ["./wack"], [/* 34 vars */]) = 0 uname({sys="Linux", node="0day.jackkoziol.com", ...}) = 0 brk(0) = 0x80494d8 old_mmap(NULL, 4096, PROT_READPROT_WRITE, MAP_PRIVATEMAP_ANONYMOUS, -1, 0) = 0x40016000 open("/etc/ld.so.preload", O_RDONLY) = -1 ENOENT (No such file or directory) open("/etc/ld.so.cache", O_RDONLY) = 3 fstat64(3, {st_mode=S_IFREG0644, st_size=78416, ...}) = 0 old_mmap(NULL, 78416, PROT_READ, MAP_PRIVATE, 3, 0) = 0x40017000 close(3) = 0 open("/lib/tls/libc.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`V\1B4\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG0755, st_size=1531064, ...}) = 0 old_mmap(0x42000000, 1257224, PROT_READPROT_EXEC, MAP_PRIVATE, 3, 0) = 0x42000000 old_mmap(0x4212e000, 12288, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXED, 3, 0x12e000) = 0x4212e000 old_mmap(0x42131000, 7944, PROT_READPROT_WRITE, MAP_PRIVATEMAP_FIXEDMAP_ANONYMOUS, -1, 0) = 0x42131000 close(3) = 0 set_thread_area({entry_number:-1 -> 6, base_addr:0x400169e0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 munmap(0x40017000, 78416) = 0 exit_group(0) = ? 

You have now worked through one of the most basic shellcoding examples. You can see that the shellcode actually works, but unfortunately, the shellcode you have created in this section is likely unusable in a real-world exploit. The next section will explore how to fix our shellcode so that it can be injected into an input area.



The Shellcoder's Handbook. Discovering and Exploiting Security