
I am calling a shellcode using buffer overflow to spawn a root shell. Can somebody explain what this shellcode exactly does? I have tried different shellcodes to spawn a root shell, but this was the only one which worked for me.

\x31\xdb\x89\xd8\xb0\x17\xcd\x80\x31\xdb
\x89\xd8\xb0\x2e\xcd\x80\x31\xc0\x50\x68
\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89
\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd
\x80
robert
  • You don't say how you tried to find an answer. Either you tried some method and should have asked: why doesn't method X work in this case, or you don't know any such method, and should have asked: how does one solve this kind of problem. Now you just dump some unreadable hex code and leave it to us to figure out. – Hans Lub Nov 27 '14 at 13:14
  • Do you know what 'shell code' basically is? What these hexadecimal numbers *represent*? – Jongware Nov 27 '14 at 13:14
  • @Hans Lub What I am doing is overwriting the vtable pointer in C++ code. I have very limited knowledge of assembly language, so when I converted this code to assembly I was unable to tell what is happening. So I do understand how the whole overflow process works; the only thing which is not clear is what this shellcode does. I have seen similar questions on this site. – robert Nov 27 '14 at 13:19
  • @Jongware Yes, I do. I would like a C equivalent of this code. An explanation of the assembly equivalent would also be helpful. – robert Nov 27 '14 at 13:21
  • Use a disassembler then, like http://www2.onlinedisassembler.com/odaweb/ – Hans Lub Nov 27 '14 at 13:25
  • *> I converted this code to assembly* So **why am I not seeing this assembly code in your post?** This is just numbers to me. Do you assume everybody has time to disassemble code for your sake, or that everybody knows by heart what each byte means? – Medinoc Nov 27 '14 at 13:27
  • @Hans Lub Have you read my previous comment written to you? – robert Nov 27 '14 at 13:28
  • @Medinoc Converting this code to assembly is a one-line command. And my question is for those who have time and like working with such code. – robert Nov 27 '14 at 13:30
  • @Hans Lub: "you just dump some unreadable hex code". Actually many tutorials just dump some unreadable hex code, without explanation. The source of this is: http://seanmurphree.com/blog/?p=157 – robert Nov 27 '14 at 13:57

1 Answer

On first glance, the code appears to do setuid(0), then setgid(0), then call sys_execve() on some values (which include ASCII codes for "/bin//sh").

Looks like this is pure "payload" code, since I don't see anything to ensure the code is executed in the first place (buffer overflow, stack smashing, etc.).

(Thanks to @Hans Lub for the disassembler link)

Medinoc