Writing Custom ASCII Shellcode cvvonlinesu, ccbasesru

Extreme Hacking
Advanced Ethical Hacking Institute in Pune
Hello everyone!
This is going to be a very difficult tutorial so this may require that you have some knowledge in shellcode writing and basic assembly.
First, we will construct a loader that will make room on the stack, copy our payload, and execute it all on the stack at runtime.
This is the original shellcode:
Our goal is to create shellcode that does this exact thing but ONLY using instructions whose opcode is a printable ASCII character.
Why ASCII Shellcode?
There are a couple main reasons why ASCII shellcode can be extremely beneficial to an exploit (especially a remote exploit):
Through a simple C file, I generated all of the ASCII characters and their values:
Note: For some reason, I have been using 0x7e as the highest value. Don’t worry, nothing needs to be changed, but just note that you can go up to 7F, not 7E. My apologies.
Basics of Finding ASCII Instructions/Values
Note: Before I continue, you should know how I am getting the opcode of my commands. I put the command in a single ASM source file (1.asm) and run:
nasm 1.asm -f bin
hexdump -C 1
If you see any bytes with the value “66”, ignore it. It tells the compiler to use 16-bit instructions rather than 32 bit. Chances are, it won’t happen to you.
Right off the bat, we see that many commands are not encoded in ASCII. For example, we need to clear the EAX register because, since we are overwriting a return address, there may have been something moved into EAX as a return value. If we look at the opcode for:
Now, the command for XOR is within the ASCII limits, but since we cannot XOR EAX with itself, it won’t be cleared and there is no sense of using it.
We need to think of ways to clear out the EAX register. One very common way is to use the AND operator with EAX, then AND it again with the exact opposite number. The thing is, we need to find two numbers who are both opposites and in the range 0x20 and 0x7E. So, let’s go ahead and try this out.
I wrote another C algorithm to go ahead and check this for me 😉 This took longer than you might think…
C FIle Source:
How to use it:
If you just want to generate a list, change “#define SHOW 0” to “#define SHOW 1”. This will generate output that will tell you which ASCII characters have opposites in the ASCII range.
I’ll use the first output:
21 (!) , 5e (^)
What we would have to do now is replace “NUM_1_HERE” with 0x21212121 and “NUM_2_HERE” with 0x5e5e5e5e simply to ensure that they are, in fact, opposites. Be sure to change SHOW back to 0.
Let’s go ahead and compile our new ASM file to see if our code is within the ASCII boundaries:
nasm 1.asm -f bin
hexdump -C 1
On the left, we see (after removing 0x66’s):
Perfect! All of those are valid, printable ASCII characters that should not be blocked by any program. If they are, there are several more that you can try that are both alphanumeric (such as 38 (8) , 47 (G)). This works just as well.
Makin’ Room On The Stack
This is going to be a huge pain in the ass if you’ve never worked with shellcode before. This code is polymorphic so our loader will decode and execute the memory on the stack. However, we MUST make an offset large enough for our loader. I’m going to use 1,000 bytes and the rest will be filled with NOPs (note that \x90 is not an ASCII value. We’ll cross that bridge later).
1. How do we add space to the stack?
That’s simple! All we have to do is run:
However, if you compile this, there are two problems. It contains NULL bytes and some the non-NULL bytes are not within ASCII range. Thus, we have hit our first in the road.
Well, there are other things we can do. For example, we can move ESP into EAX and subtract the value from there, except the mov command is not within ASCII range. The only way that I see this is possible is by pushing ESP onto the stack and popping it into EAX.
Hooray! All of those work. Now, we need to subtract 1,000 bytes of space from EAX (ESP’s value). However, this is going to be a problem because it doesn’t have NULL bytes. Oh but wait, there’s more!
If any of you are familiar with TCP/IP stack attacks, there is an attack called NAT pinning. I’ll spare you the details, but essentially, some browsers are blocking IRC ports due to cross protocol scripting attacks that the NAT pinning uses. They block port 6667. However, since a port is only 16 bits long, if we add 65566 (2^16) to 6667, we get 72233. Since it will only read the lowest 16 bits, the value is actually used as 6667.
We are going to follow the same logic in reverse with our attack code. We are using 32 bit registers, right? 2^32 = 4294967296. If we subtract 1000 from that number, we can subtract THAT number from the register which will actually add more to it.
11001100 (204)
00001000 (8)
11010100 (212)
How can we do this via subtraction keeping in mind that we only check the last bits? Subtract binary 1000 from binary 2^8:
111001100 (204) (assume that a 1 is borrowed)

011111000 (2^8 – 8)
011010100 (212)
We need to subtract (2^32 – 1000) from EAX (which holds ESP’s value). We compile it, but something is wrong:
The number does not fall within the ASCII range which means we are going to have to break this up. I’ll first subtract 0x7e7e7e7e (maximum I can since 7e is the highest single byte) which leaves us with 2172747162.
Damn… this is still too large.
Note that, if we do any subtraction now, we must subtract at LEAST 0x20 from each byte or we will have either NULLs or bytes that are not in ASCII range. This won’t be a problem. Now we need to subtract values to make sure they BOTH fit in ASCII range.
(Reverse the order because of little endian) 0x81817d91 – 0x?? = 0x??
0x81 – 0x30 = 51 (ASCII)
0x81 – 0x30 = 51 (ASCII)
0x7d – 0x30 = 4d (ASCII)
0x9a – 0x30 = 6a (ASCII)
Therefore, our three numbers are now:
Our file so far:
We have the first part of our loader! Now we need to write the portion that actually spawns a shell. Let’s go!
Encoding Our Shellcode:
We already have shellcode that we know works (thanks to my tutorial at the top of this thread) so, instead of recreating it in this tutorial, I’ll just assume you read it (lol).
I’ll be testing our shellcode with this C file:
void exec();
unsigned char shellcode[] = “\xeb\x16\x5b\x31\xc0\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d​\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68”;
int main(int argc, char **argv){
printf(“Length: %d”, strlen(shellcode));
char i, j = 0;
for(i=0; i<=strlen(shellcode); i++) if((char)*(shellcode+i)0x7e) j = 1; if(!j) printf(" - Alphanumeric! "); else printf(" - Not Alphanumeric! "); exec(); return 0; } void exec(){ (*(void(*)())shellcode)(); } Which I’ve written to also tell us if it is or is not alphanumeric. As you can see, the shellcode I already have in there works fine. This, however, contains several bytes that are NOT in ASCII range. So, to correct for this, we are going to have to manually encode all of it. There is a very simple pattern and I’ve already shown it to you, so let’s get started. Our shellcode: Since this is little endian, we must change this. After I changed it to little endian, I separated it into groups of 4 bytes like this: Note: if you shellcode is NOT a multiple of 4, simply fill the rest with \x90 (NOP) but do not keep them \x00 (NULL). All of these values need to be pushed onto the stack. If we do this, our shellcode will be able to execute! The only issues are: Some of you can already see what we have to do. We need to mov the values into EAX, alter them so they get to the correct values, then push EAX onto the stack. www.extremehacking.org CEHv8 CHFIv8 ECSAv8 CAST ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE , Certified Ethical Hacking , Center For Advanced Security Training in India , IT Security Training Information Security Traning Courses in Pune , ceh certification in pune , Ethical Hacking Course in Pune cvvonlinesu ccbasesru