Cheatography

x86_32 Shellcode-Lab Cheat Sheet (DRAFT) by

Sheet for the Assembly and Shellcode-Lab.

This is a draft cheat sheet. It is a work in progress and is not finished yet.

GDB - GNU Debugger - Initiation

gdb -q ./<file>
Start GDB in quiet mode
gdb -p <pid>
Attach to a running process by PID
gdb -c <core> ./<file>
Load a core file together with the program
These commands are used to start GDB.

GDB - Commands - Run a program

run / r
Start the program
run testarg / r testarg
Start the program with an argument

GDB - Commands - Registers

info registers / i r
Show the default registers
info registers all / i r a
Show all registers
info registers eax / i r eax
Show the EAX register
Commands for showing the contents of registers.

GDB - Commands - Examine

x $eax
Examine the memory at the address in EAX
x/i $esp
Examine the address in ESP, interpreted as an instruction
x/s 0xffffffab
Examine the address, interpreted as a string
x/4s 0xffffffab
Print 4 consecutive strings starting at that address
x/4xb
Examine 4 units of one byte each, displayed in hex
disassemble / disas
Disassemble at the current position
disas _start
Disassemble from the label _start
print system / p system
Print the address of libc's system()
Note: examine needs valid addresses to function. Unit sizes: b, bytes; h, halfwords (two bytes); w, words (four bytes); g, giant words (eight bytes).

GDB - Commands - Breakpoint

break _start / b _start
Set a breakpoint at the label _start
break 5 / b 5
Set a breakpoint at source line 5
break *0x44332211 / b *0x44332211
Set a breakpoint at an address/offset

GDB - Commands - Stepping

step / s
Step one line of source
stepi / si
Step one machine instruction
continue / c
Continue program execution

GDB - Commands - Set and Call

call (int) mprotect(0xDEADBEEF, 0x1000, 1)
Execute mprotect() in the debuggee's context
call strcpy(0xdeadbeef, "hacky")
Write the string "hacky" to address 0xdeadbeef
set follow-fork-mode child
Follow newly created child processes
set {char [SIZE]} 0xdeadbeef = "my_new_array"
Write data to an address (GDB's {type}address form, as with {int} below)
set {int}0xdeadbeef = 4
Set the int value at the address to 4
set $eax = 0xdeadbeef
Set the register EAX to 0xdeadbeef

GDB-GEF - Overview

gdb-gef
Start gdb-gef from the command line
gef help
Show GEF help
start
Start the program with automatic breakpoints set
kill
Kill the current process
context / ctx
Show the context
checksec
Check the binary's security features
vmmap
Show the virtual memory map
python-interactive / pi
Start the Python interpreter
python-interactive 23*5 / pi 23*5
Evaluate an expression in the Python interpreter

GDB-GEF - Configuration

gef config
Show the running configuration
gef config context
Configure the GEF context
gef config context.show_opcode_size 8
Set the opcode output to a length of 8
gef config context.layout "legend regs stack memory"
Show only the listed widgets in the context output
gef save
Save the running configuration
Extra configurations for GDB-GEF.

GCC - Overview

gcc -m32 <input> -o <output>
Compile source for the x86_32 architecture
gcc -m32 <input> -o <output> -z execstack
Compile with an executable stack
gcc -m32 <input> -o <output> -g
Compile with debug symbols

NASM - Overview

nasm -f elf32 <input> -o <output>.o
Create an x86_32 object file from assembly
ld -m elf_i386 <input>.o -o <output>
Create an x86_32 ELF from the object file

OBJDUMP - Overview

objdump -d -M intel <file>
Disassemble in Intel syntax
objdump -s -j <section> <file>
Dump only the named section

STRACE - Overview

strace <filename>
Start the program and trace its system calls
strace -p <pid>
Attach to a process by PID
strace -o log.txt <filename>
Write the output to a log file
strace -f <filename>
Also trace child processes

PWNtools

pwn asm nop
Assemble a NOP into its opcode
pwn asm nop 'mov eax, 1'
Assemble NOP and MOV into opcodes
pwn asm -f string nop
Output in \x notation
pwn disasm 909090
Disassemble three NOPs

PERL - Basics for exploits

perl -e '{print "A"x"1024"}'
Print "A" 1024 times

Student Files

lessons/
Assembler files aimed at teaching x86_32 basics
shellcode/
Collection of bad shellcodes that students have to improve
skeletons/
Skeleton code files
exploits/
Exploits the shellcode is run against
tools/
Support tools for the training