Reverse engineering - Shellcodes techniques

Download Reverse engineering - Shellcodes techniques

Post on 22-May-2015




2 download

Embed Size (px)


Reverse engineering Shellcodes techniques


<ul><li> 1. Reverse Engineering Shellcodes TechniquesThe concept of reverse engineering process is well known, yetin this article we are not about to discuss the technologicalprinciples of reverse engineering but rather focus on one of thecore implementations of reverse engineering in the security arena.Throughout this article well go over the shellcodes concept,the various types and the understanding of the analysis beingperformed by a shellcode for a software/program.Shellcode is named as it does since it is usu-allyYOURSELFiT REVERSE most cases there is the use of standard TCP/IPstarts with a specific shell command.socket connections to allow the access.The shellcode gives the initiator control ofRemote shellcodes can be versatile and arethe target machine by using vulnerability on thedistinguished based on the manner in which theaimed system and which was identified in ad-vance.connection is established: Reverse shell orShellcode is in fact a certain piece of codea connect-back shellcode is the remote shell-code(not too large) which is used as a payload (the partwhich enables the initiator to open a con-nectionof a computer virus which performs a malicious ac-tion)towards the target machine as well as afor the purpose of an exploitation of softwaresconnection back to the source machine initiatingvulnerabilities.the shellcode. Another type of remote shellcodeShellcode is commonly written in machine codeis when the initiator wishes to bind to a certainyet any relevant piece of code which performs theport and based on this unique access, may con-nectrelevant actions may be identified as a control the target machine, this is knownShellcodes purpose would mainly be to take con-trolas a bindshell shellcode.over a local or remote machine (via network) Another, less common, shellcodes type is whenthe form the shellcode will run depends mainly ona connection which was established (yet not closedthe initiator of the shellcode and his/hers goals byprior to the run of the shellcode ) will be utilized to-wardsexecuting it.the vulnerable process and thus the initiatorcan re-use this connection to communicate back toThe Various Shellcodes Techniquesthe source this is known as a socket-reuse shell-codeWhen the initiator of the shellcode has no limitsas the socket is re-used by the means of accessing towards the destinationDue to the fact that socket-reuse shellcode re-quiresmachine for vulnerabilitys exploitation it is bestactive connection detection and determina-tionto perform a local shellcode. Local shellcodeas to which connection can be re-used out ofis when a higher-privileged process can be ac-cessed(most likely) many open connections is it consideredlocally and once executed successfully,a bit more difficult to activate such a shellcode, butwill open the access to the target with high privi-leges.nonetheless there is a need for such a shellcode asThe second option refers to a remote run,firewalls can detect the outgoing connections madewhen the initiator of the shellcode is limited as farby connect-back shellcodes and /or incoming con-nectionsas the target where the vulnerable process is run-ningmade by bindshell shellcodes.(in case a machine is located on a local net-workFor these reasons a socket-reuse shellcodeor intranet) in this case the shellcode isshould be used in highly secure systems as it doesremote shellcode as it may provide penetrationnot create any new connections and therefore isto the target machine across the network and inharder to detect and block.30 03/2013 </li></ul> <p> 2. A different type of shellcode is the downloadand execute shellcode. This type of shellcodedirects the target to download a certain execut-ablefile outside the target machine itself and tolocate it locally as well as executing it. A vari-ationof this type of shellcode downloads andloads a library.This type of shellcode allows the code to besmaller than usual as it does not require to spawna new process on the target system nor to cleanpost execution (as it can be done via the libraryloaded into the process).An additional type of shellcode comes from theneed to run the exploitation in stages, due to thelimited amount of data that one can inject into thetarget process in order to execute it usefully anddirectly such a shellcode is called a stagedshellcode.The form in which a staged shellcode may workwould be (for example) to first run a small pieceof shellcode which will trigger a download of an-otherpiece of shellcode (most likely larger) andthen loading it to the processs memory and ex-ecutingit.Egg-hunt shellcode and Omelets shellcodeare the last two types of shellcode which will bementioned. Egg-hunt shellcode is a form ofstaged shellcode yet the difference is that inEgg-hunt shellcode one cannot determine whereit will end up on the target process for the stagein which the second piece of code is downloadedand executed. When the initiator can only inject amuch smaller sized block of data into the processthe Omelets shellcode can be used as it looksfor multiple small blocks of data (eggs) and recom-binesthem into one larger block (the omelet) whichwill be subsequently executed.Introduction to MSFPAYLOAD CommandIn this part well focus on the msfpayload command.This command is used to generate and output allof the various types of shellcode that are availablewithin Metasploit. This tool is mostly used for thegeneration of shellcode for an exploit that is cur-rentlynot available within the Metasploits frame-work.Another use for this command is for testingof the different types of shellcode and options be-forefinalizing a module.Although it is not fully visible within its help ban-ner(as can be seen in the image below) this toolhas many different options and variables availablebut they may not all be fully realized without a prop-erintroduction.# msfpayload -hType the following command to show the vastnumbers of different types of shellcodes available(based on which one can customize a specific ex-ploit):# msfpayload lOne can browse the wide list (as seen in the im-agebelow) of payloads that are listed and shownas the output for the msfpayload l command:Figure 2.In this case we chose the shell_bind_tcp pay-loadas an example. Prior to the continuum of ouraction let us change our working directory to theMetasploit framework as so:Figure 1..TGQBZMPBE)FMQ*OGPSNBUJPOFigure 2..TGQBZMPBE1BZMPBE-JTUFigure 31 3. YOURSELF# cd /pentest/exploits/frameworkRequiredDefault setting: 4444Once a payload was selected (in this case theRHOSTshell _ bind _ tcp payload) there are two switch-esNot requiredthat are used most often when crafting theNo default settingpayload for the exploit you are creating.In the example below we have selected a sim-pleSetting these options in msfpayload is very sim-ple.Windows bind shellcode (shell _ bind _ tcp).An example is shown below of changing theiT When we add the command-line argument O forexit technique and listening port of a certain shella payload, we receive all of the available relevant(Figure 4):REVERSE options for that payload:# ./msfpayload windows/shell_bind_tcp EXITFUNC=seh# msfpayload windows/shell_bind_tcp OLPORT=8080 OAs seen in the output below these are results forNow that all is configured, the only option left iso argument for this specific payload: Figure specify the output type such as C, Perl, Raw,As can be seen from the output, one can config-ureetc. For this example C was chosen as the shell-codesthree different options with this specific pay-load.output (Figure 5):Each options variables (if required) will comewith a default settings and a short description as to#./msfpayload windows/shell_bind_tcp EXITFUNC=sehits use and information:LPORT=8080 CEXITFUNCNow that we have our fully customized shellcode,Requiredit can be used for any exploit. The next phase isDefault setting: processhow a shellcode can be generated as a WindowsLPORTexecutable by using the msfpayload command.msfpayload provides the functionality to outputthe generated payload as a Windows executable.This is useful to test the generated shellcode ac-tuallyprovides the expected results, as well as forsending the executable to the target (via email,HTTP, or even via a Download and Executepayload).The main issue with downloading an executableonto the victims system is that it is likely to be cap-turedby Anti-Virus software installed on the target.To demonstrate the Windows executable gen-erationwithin Metasploit the use of the windows/exec payload is shown below. As such the initialFigure 4.need is to determine the options that one must pro-vide4QFDJGZJOHUIF4IFMMDPEF0QUJPOT%BUBfor this payload, as was done previously usingthe Summary (S) option:$ msfpayload windows/exec SName: Windows Execute CommandVersion: 5773Platform: [Windows]Arch: x86Needs Admin: NoTotal size: 113Provided by:vlad902Figure 5.(FOFSBUJOHUIF4IFMMDPEF6TJOH.TGQBZMPBE32 03/2013 4. Basic options:Name Current Setting Required Description---- --------------- -------- -----------CMD yes the command string to executeEXITFUNC thread yes Exit technique: seh, thread,processDescription:Execute an arbitrary commandAs can be seen the only option is to specify theCMD option. One simply needs to execute calc.exe so that we can test it on our own systems.In order to generate a Windows executable us-ingMetasploit one needs to specify the X out-putoption. This will display the executable on thescreen, therefore there is a need to pipe it to a filewhich will call pscalc.exe, as shown below:$ msfpayload windows/exec CMD=calc.exe Xpscalc.exeCreated by msfpayload ( windows/execLength: 121Options: CMD=calc.exeNow an executable file in the relevant directo-rycalled pscalc.exe is shown. One may confirmthis by using the following command:$ ls -l pscalc.exe-rw-r--r-- 1 Administrator mkpasswd 4637Oct 9 08:53 pscalc.exeAs can be seen this file is not set to being an ex-ecutable,so one will need to set the executablepermissions on it using via the following com-mand:$ chmod 755 pscalc.exeIt is now testable by executing the pscalc.exeWindows executable. The following commandshould trigger the Windows Calculator to be dis-playedon your system.$ ./pscalc.exeAs was mentioned in the beginning of the arti-clewe have focused on one aspect of the securi-tysfield reverse engineering concept the shell-codes.This is a very basic know how for the useof shellcodes but it should be the first step andthe gates open for a further and a much morein depth search of the versatile use and featuresshellcodes can supply.ERAN GOLDSTEINEran Goldstein is the founder ofFrogteam|Security, a cyber securi-tyvendor company in USA and Israel.He is also the creator and developer ofTotal Cyber Security TCS productline. Eran Goldstein is a senior cybersecurity expert and a software devel-operwith over 10 years of experience. He specializes atpenetration testing, reverse engineering, code reviewsand application vulnerability assessments. Eran has avast experience in leading and tutoring courses in appli-cationsecurity, software analysis and secure develop-mentas EC-Council Instructor (C|EI). For more informa-tionabout Eran and his company you may go to: d v e r t i s e m e n t </p>