TL;DR

Use C's asm() statement (GCC inline assembly) to write shellcode.

This article is a part of my cheat sheet.

0x00 Prologue

Two weeks ago, I used C to talk to the target vulnerable binary and executed the sent shellcode to get a shell. But I feel it's verbose to use Python to generate the shellcode, so I read several articles about writing assembly inside C.

0x01 Resource

http://brieflyx.me/2019/linux-tools/gcc-in-ctf/

0x02 Why not AT&T

I am not familiar with AT&T syntax since I spend most of my time in gdb, which shows Intel syntax, so I write everything in Intel syntax. The following example links against no library (-nostdlib) and implements orw (open/read/write) wrappers and a shell as raw syscalls.

0x03 Example

// gcc -nostdlib -fno-stack-protector ./main.c -o ./main -e entry
// -fno-stack-protector: with no libc there is no __stack_chk_fail and no
// TLS canary at fs:0x28, so a stack-protected main would fail to link or crash.
asm(
    "entry:\n"
    "call main\n"
    // exit(main's return value) instead of running off the end of the block
    ".intel_syntax noprefix;\n"
    "mov rdi,rax\n"
    "mov rax,60\n"
    "syscall\n"
    ".att_syntax prefix;"
);

// Each C prototype is backed by a label in a top-level asm block below.
// Arguments already sit in rdi, rsi, rdx (SysV ABI), which is exactly where
// the kernel expects them, so each stub only has to load rax and do syscall.
int shell();
int write(int fd,char*buf,long size);
int read(int fd,char*buf,long size);
int open(char *path,long mod);

int main(){
    char buf[0x10]={0};
    write(1,"Enter \"n132\" to spawn a shell:\n",31);
    read(0,buf,0x10);
    if(buf[0]=='n' && buf[1]=='1' && buf[2]=='3' && buf[3]=='2')
        shell();
    return 0;
}
asm(
    "shell:\n"
    ".intel_syntax noprefix;\n"
    "mov rdi,0x68732f6e69622f\n"   // "/bin/sh" with a NUL in the top byte
    "push rdi\n"
    "mov rdi,rsp\n"                // rdi -> "/bin/sh\0" on the stack
    "xor rsi,rsi\n"                // argv = NULL
    "xor rdx,rdx\n"                // envp = NULL
    "mov rax,0x3b\n"               // execve
    "syscall\n"
    "ret\n"
    ".att_syntax prefix;"
);
asm(
    "open:\n"
    ".intel_syntax noprefix;\n"
    "mov rax,2\n"
    "syscall\n"
    "ret\n"
    ".att_syntax prefix;"
);
asm(
    "read:\n"
    ".intel_syntax noprefix;\n"
    "mov rax,0\n"
    "syscall\n"
    "ret\n"
    ".att_syntax prefix;"
);
asm(
    "write:\n"
    ".intel_syntax noprefix;\n"
    "mov rax,1\n"
    "syscall\n"
    "ret\n"
    ".att_syntax prefix;"
);