# candl: inclass1 lab instruction

First, fetch the inclass1 to your home directory.

```bash
$ fetch inclass1
```

## Writing and building shellcode

We prepared a shellcode template (shellcode.S) and a build script (Makefile) under `shellcode-template`.

```bash=
inclass1/shellcode-template $ ls -trl
total 0
lrwxrwxrwx 1 kjee kjee 55 Feb 10 12:22 shellcode.S.tmpl -> /home/labs/inclass1/shellcode-template/shellcode.S.tmpl
lrwxrwxrwx 1 kjee kjee 47 Feb 10 12:22 Makefile -> /home/labs/inclass1/shellcode-template/Makefile
```

* Let's make a copy of `shellcode.S.tmpl` and add an instruction.

```bash=
inclass1/shellcode-template $ cp shellcode.S.tmpl shellcode.S
inclass1/shellcode-template $ echo "mov 0x1, %eax" >> shellcode.S
```

* You can build either 32-bit or 64-bit shellcode by specifying the target for the `make` command.

```bash=
inclass1/shellcode-template $ make 32
gcc -m32 -c -o shellcode.o shellcode.S
gcc -o shellcode shellcode.o -m32
objcopy -S -O binary -j .text shellcode.o shellcode.bin
inclass1/shellcode-template $ make 64
gcc -m64 -c -o shellcode.o shellcode.S
gcc -o shellcode shellcode.o -m64
objcopy -S -O binary -j .text shellcode.o shellcode.bin
```

The build script (Makefile) takes the assembly file (shellcode.S) as input and first produces an object file (*shellcode.o*). You can see the contents of the object file by running the `objdump` command.

```bash=
inclass1/shellcode-template $ objdump -d shellcode.o

shellcode.o:     file format elf32-i386

Disassembly of section .text:

00000000 <main>:
   0:   a1 01 00 00 00          mov    0x1,%eax
```

Then it runs the `objcopy` command to extract the raw shellcode (*shellcode.bin*). You can check the hex representation of the shellcode.

```bash=
inclass1/shellcode-template $ xxd shellcode.bin
00000000: a101 0000 00
```

Or get help from *pwntools* to disassemble it. Please note that *pwntools* only supports Intel syntax. Please don't get confused by it.
```python=
from pwn import *
import sys

# The architecture must match the make target you built with:
# 'i386' for `make 32`, 'amd64' for `make 64`.
context.arch = 'amd64'  # or 'i386'

sc = sys.argv[1]  # path to shellcode.bin
with open(sc, "rb") as f:
    print(disasm(f.read()))
```

Then, you will get

```bash
   0:   a1 01 00 00 00          mov    eax, ds:0x1
```

## shellcode challenges

While you can use the provided shellcode template and build script to solve the challenges, each inclass challenge also contains the code that loads the shellcode and its filtering rules. For instance, you will find `short-shellcode.c` under `inclass1/short-shellcode-32`.

```c
...
void check_non_zero(char *ptr, size_t size) {
  for(int i=0; i<size; ++i) {
    if(ptr[i] == '\0') {
      printf("You have a zero character at position %d, char %d\n", \
             i, ptr[i] & 0xff);
      exit(-1);
    }
  }
}

int main() {
  ...
  check_non_zero(ptr, s_read);
  ((void(*)())ptr)();
```

For each challenge, you need to extend the template shellcode to pass the filter rules and get a privileged shell. Have fun!

###### tags: `candl`,`assembly`,`inclass`
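As an added example (not part of the lab files), here is a Python mirror of the challenge's `check_non_zero()` filter that you can run on a built `shellcode.bin` before submitting; the sample bytes are the `a1 01 00 00 00` blob built above and a constructed zero-free blob.

```python
import sys


def zero_positions(data: bytes) -> list:
    """Indices of every NUL byte in data (the challenge exits on the first one)."""
    return [i for i, b in enumerate(data) if b == 0]


def check_non_zero(data: bytes) -> str:
    """Mirror of the C filter: returns the same message the challenge prints
    for the first NUL byte, or "ok" when the blob would pass."""
    for i, b in enumerate(data):
        if b == 0:
            # ptr[i] & 0xff in the C code is 0 for a NUL byte
            return "You have a zero character at position %d, char %d" % (i, b)
    return "ok"


def check_file(path: str) -> str:
    """Load a built shellcode.bin and run the filter over it."""
    with open(path, "rb") as f:
        return check_non_zero(f.read())


# Constructed samples: the 5-byte blob built from `mov 0x1, %eax` earlier
# (zeros at positions 2, 3 and 4), and a trivial zero-free blob (nop; nop; ret).
SAMPLE_MOV = bytes.fromhex("a101000000")
SAMPLE_OK = bytes.fromhex("9090c3")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python3 check_zero.py shellcode.bin
        print(check_file(sys.argv[1]))
    else:
        for name, blob in (("mov 0x1,%eax", SAMPLE_MOV), ("nop;nop;ret", SAMPLE_OK)):
            print("%s: %s  zeros at %s" % (name, check_non_zero(blob), zero_positions(blob)))
```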