
sctest doesn't create proper graph


pcfx


Posted

Hi guys,

I'm analyzing some shellcode and I'm using sctest for visualization. I recreated a hello_world.nasm file that uses sys_write to print the string 'Hello World' and then sys_exit to exit the program, but I can't create a graph file. The .dot file seems corrupted.

 

root@pcfx:~/shellcode/shell_hello_world# cat hello_world.nasm
; Filename: hello_world.nasm
; Author: PCFX
; Description :
;

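BITS 32
global _start

;-----------------------------------------------------------------------
; Linux/i386 "hello world" using the jmp/call/pop technique: the string
; is placed directly after a CALL, so the CALL pushes the string's
; address and the callee POPs it into ecx as the sys_write buffer.
; Syscall convention (int 0x80): eax = number, ebx/ecx/edx = args 1..3.
; Intended to be assembled as a flat binary: nasm hello_world.nasm -o x.bin
;-----------------------------------------------------------------------
SYS_EXIT  equ 1
SYS_WRITE equ 4
STDOUT    equ 1

section .text
_start:

	jmp short message               ; forward jump; the CALL below returns control here
GOBACK:
	xor eax, eax                    ; zero registers without embedding 0x00 bytes
	xor ebx, ebx
	xor edx, edx
	mov al, SYS_WRITE               ; eax = 4
	mov bl, STDOUT                  ; ebx = 1
	pop ecx                         ; ecx = address of msg (pushed by the CALL)
	mov dl, msg_len                 ; edx = 11; was 0xc, which read one byte past the string
	int 0x80                        ; write(STDOUT, msg, msg_len)
	; NOTE(review): in the sctest trace on this page the run stops right after
	; this syscall (stepcount 9) and the .dot has no nodes, while the execve/exit
	; shellcode further down is hooked and graphed; this suggests sys_write is not
	; handled by that sctest build — confirm against the libemu version in use.

	xor eax, eax
	xor ebx, ebx
	mov al, SYS_EXIT                ; eax = 1
	int 0x80                        ; exit(0)

message:
	call GOBACK                     ; pushes the address of msg, then jumps back
msg:	db 0x48, 0x61, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x65, 0x6c, 0x74, 0xa   ; "Hallo Welt\n"
msg_len equ $ - msg                 ; 11 bytes; keeps the length in sync with the data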
root@pcfx:~/shellcode/shell_hello_world# nasm hello_world.nasm -o hello_world.bin
root@pcfx:~/shellcode/shell_hello_world# xxd -p ./hello_world.bin
eb1731c031db31d2b004b30159b20ccd8031c031dbb001cd80e8e4ffffff
48616c6c6f2057656c740a
root@pcfx:~/shellcode/shell_hello_world# ./opcode.py "eb1731c031db31d2b004b30159b20ccd8031c031dbb001cd80e8e4ffffff48616c6c6f2057656c740a"
\xeb\x17\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\x59\xb2\x0c\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\xe4\xff\xff\xff\x48\x61\x6c\x6c\x6f\x20\x57\x65\x6c\x74\x0a
root@pcfx:~/shellcode/shell_hello_world# echo -ne "\xeb\x17\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\x59\xb2\x0c\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80\xe8\xe4\xff\xff\xff\x48\x61\x6c\x6c\x6f\x20\x57\x65\x6c\x74\x0a" | sctest -vvv -Ss 1000 -G hello_world.dot
graph file hello_world.dot
verbose = 3
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417000
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: 
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417000
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: 
[emu 0x0x9c7e090 debug ] EB17                            jmp 0x19
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417019
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: 
[emu 0x0x9c7e090 debug ] E8E4FFFFFF                      call 0xffffffe9
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417002
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: 
[emu 0x0x9c7e090 debug ] 31C0                            xor eax,eax
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417004
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] 31DB                            xor ebx,ebx
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417006
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] 31D2                            xor edx,edx
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417008
[emu 0x0x9c7e090 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] B004                            mov al,0x4
[emu 0x0x9c7e090 debug ] cpu state    eip=0x0041700a
[emu 0x0x9c7e090 debug ] eax=0x00000004  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] B301                            mov bl,0x1
[emu 0x0x9c7e090 debug ] cpu state    eip=0x0041700c
[emu 0x0x9c7e090 debug ] eax=0x00000004  ecx=0x00000000  edx=0x00000000  ebx=0x00000001
[emu 0x0x9c7e090 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] 59                              pop ecx
[emu 0x0x9c7e090 debug ] cpu state    eip=0x0041700d
[emu 0x0x9c7e090 debug ] eax=0x00000004  ecx=0x0041701e  edx=0x00000000  ebx=0x00000001
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] B20C                            mov dl,0xc
[emu 0x0x9c7e090 debug ] cpu state    eip=0x0041700f
[emu 0x0x9c7e090 debug ] eax=0x00000004  ecx=0x0041701e  edx=0x0000000c  ebx=0x00000001
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
[emu 0x0x9c7e090 debug ] CD80                            int 0x80
stepcount 9
copying vertexes
optimizing graph
vertex 0x9cd43a0
going forwards from 0x9cd43a0
 -> vertex 0x9cd6538
 -> vertex 0x9cd67e0
 -> vertex 0x9cd68b0
 -> vertex 0x9cd6a10
 -> vertex 0x9cd6b88
 -> vertex 0x9cd6d00
 -> vertex 0x9cd6e78
 -> vertex 0x9cd6ff0
copying edges for 0x9cd6ff0
vertex 0x9cd7168
going forwards from 0x9cd7168
copying edges for 0x9cd7168
[emu 0x0x9c7e090 debug ] cpu state    eip=0x00417011
[emu 0x0x9c7e090 debug ] eax=0x00000004  ecx=0x0041701e  edx=0x0000000c  ebx=0x00000001
[emu 0x0x9c7e090 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x9c7e090 debug ] Flags: PF ZF 
root@pcfx:~/shellcode/shell_hello_world# cat hello_world.dot
digraph G {
	//rankdir=LR
	node [fontname=Courier, labeljust=r];
}root@pcfx:~/shellcode/shell_hello_world# dot hello_world.dot -Tpng -o hello_world.png

Posted (edited)

I tried some more things. I got this shellcode to work with sctest:

 

root@pcfx:~/shellcode/bin_sh# cat test.nasm
; Filename: bin_sh.nasm
; Author: PCFX
; Description:
;

BITS 32

global _start

;-----------------------------------------------------------------------
; Linux/i386 execve("/bin//sh", ["/bin//sh", NULL], NULL) followed by
; exit(0).  The earlier write and mkdir variants are kept commented out.
; Syscall convention (int 0x80): eax = number, ebx/ecx/edx = args 1..3.
; The string is built on the stack by pushing it in reverse order; the
; sctest trace on this page confirms the resulting path "/bin//sh".
;-----------------------------------------------------------------------
section .text
_start:
	;write
;	xor eax, eax
;	mov al, 0x4
;	xor ebx, ebx
;	mov bl, 0x1
;	xor ecx, ecx
;	mov ecx, 0x41414141
;	xor edx, edx
;	mov dl, 0x4
;	int 0x80

	;mkdir
;	xor eax, eax
;	mov al, 0x27
;	xor ebx, ebx
;	mov dword [esp-0x4], ebx
;	mov dword [esp-0x8], 0x41414141
;	sub esp, 0x8
;	mov ebx, esp
;	xor ecx, ecx
;	mov cx, 0x1ed
;	int 0x80	

	;execve
	xor eax, eax                    ; eax = 0 (also the NULL pushed below)
	push eax                        ; NUL terminator of the path string
	push dword 0x68732f2f           ; "//sh" (little-endian bytes 2f 2f 73 68)
	push dword 0x6e69622f           ; "/bin" -> stack now holds "/bin//sh\0"
	mov ebx, esp                    ; ebx = pathname (arg 1)
	push eax                        ; argv[1] = NULL
	push ebx                        ; argv[0] = pathname
	mov ecx, esp                    ; ecx = argv (arg 2)
	mov al, 0xb                     ; eax = 11 = sys_execve
	xor edx, edx                    ; edx = envp = NULL (arg 3)
	int 0x80                        ; execve(ebx, ecx, edx); does not return on success
	
	;exit
	xor eax, eax                    ; reached only if execve failed
	xor ebx, ebx                    ; ebx = status 0
	mov al, 0x1                     ; eax = 1 = sys_exit
	int 0x80                        ; exit(0)
root@pcfx:~/shellcode/bin_sh# nasm test.nasm -o test.bin
root@pcfx:~/shellcode/bin_sh# xxd -p ./test.bin
31c050682f2f7368682f62696e89e3505389e1b00b31d2cd8031c031dbb0
01cd80
root@pcfx:~/shellcode/bin_sh# ./opcode.py "31c050682f2f7368682f62696e89e3505389e1b00b31d2cd8031c031dbb001cd80"
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80
root@pcfx:~/shellcode/bin_sh# echo -ne "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80" | sctest -vvv -
verbose = 3
root@pcfx:~/shellcode/bin_sh# echo -ne "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\x31\xd2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xcd\x80" | sctest -vvv -Ss 10000 -G tests.dot
graph file tests.dot
verbose = 3
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417000
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: 
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417000
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: 
[emu 0x0x88aa088 debug ] 31C0                            xor eax,eax
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417002
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fce  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 50                              push eax
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417003
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fca  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 682F2F7368                      push dword 0x68732f2f
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417008
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fc6  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 682F62696E                      push dword 0x6e69622f
[emu 0x0x88aa088 debug ] cpu state    eip=0x0041700d
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 89E3                            mov ebx,esp
[emu 0x0x88aa088 debug ] cpu state    eip=0x0041700f
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fc2  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 50                              push eax
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417010
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fbe  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 53                              push ebx
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417011
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00000000  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 89E1                            mov ecx,esp
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417013
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00416fba  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] B00B                            mov al,0xb
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417015
[emu 0x0x88aa088 debug ] eax=0x0000000b  ecx=0x00416fba  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 31D2                            xor edx,edx
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417017
[emu 0x0x88aa088 debug ] eax=0x0000000b  ecx=0x00416fba  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] CD80                            int 0x80
execve
int execve (const char *dateiname=00416fc2={/bin//sh}, const char * argv[], const char *envp[]);
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417019
[emu 0x0x88aa088 debug ] eax=0x0000000b  ecx=0x00416fba  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 31C0                            xor eax,eax
[emu 0x0x88aa088 debug ] cpu state    eip=0x0041701b
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00416fba  edx=0x00000000  ebx=0x00416fc2
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 31DB                            xor ebx,ebx
[emu 0x0x88aa088 debug ] cpu state    eip=0x0041701d
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00416fba  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] B001                            mov al,0x1
[emu 0x0x88aa088 debug ] cpu state    eip=0x0041701f
[emu 0x0x88aa088 debug ] eax=0x00000001  ecx=0x00416fba  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] CD80                            int 0x80
sys_exit(2)
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417021
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00416fba  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
[emu 0x0x88aa088 debug ] 0000                            add [eax],al
cpu error error accessing 0x00000004 not mapped

stepcount 15
copying vertexes
optimizing graph
vertex 0x8900390
going forwards from 0x8900390
 -> vertex 0x8902530
 -> vertex 0x8902740
 -> vertex 0x8902878
 -> vertex 0x8902a60
 -> vertex 0x8902c48
 -> vertex 0x8902da8
 -> vertex 0x8902f20
 -> vertex 0x8903098
 -> vertex 0x8903210
copying edges for 0x8903210
 -> 0x89066e0
vertex 0x8903388
going forwards from 0x8903388
copying edges for 0x8903388
 -> 0x89067b8
vertex 0x8903728
going forwards from 0x8903728
 -> vertex 0x89037f8
 -> vertex 0x8903958
copying edges for 0x8903958
 -> 0x8906ab8
vertex 0x8903ad0
going forwards from 0x8903ad0
copying edges for 0x8903ad0
vertex 0x8903d20
going forwards from 0x8903d20
copying edges for 0x8903d20
[emu 0x0x88aa088 debug ] cpu state    eip=0x00417023
[emu 0x0x88aa088 debug ] eax=0x00000000  ecx=0x00416fba  edx=0x00000000  ebx=0x00000000
[emu 0x0x88aa088 debug ] esp=0x00416fba  ebp=0x00000000  esi=0x00000000  edi=0x00000000
[emu 0x0x88aa088 debug ] Flags: PF ZF 
int execve (
     const char * dateiname = 0x00416fc2 => 
           = "/bin//sh";
     const char * argv[] = [
           = 0x00416fba => 
               = 0x00416fc2 => 
                   = "/bin//sh";
           = 0x00000000 => 
             none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;
ERROR  exit (
     int status = 0;
) =  -1;
root@pcfx:~/shellcode/bin_sh# dot tests.dot -Tpng -o tests.png

Where could the mistake be? It must be possible to get a graph of a sys_mkdir or sys_write system call. Can't the graph display the "JMP_CALL_POP" technique? I wrote the mkdir shellcode without this method and it didn't work either. Does nobody have an idea?

Edited by pcfx
