Shellcode Development -Femi Oloyede -Pallavi Murudkar

Agenda Introduction What can Shellcode do? Tools for Shellcode Development Understanding Shellcode Developing Shellcode Methods of Detecting Shellcode

Introduction Shellcode is defined as a set of instructions injected and then executed by an exploited program Shellcodes are primarily used to exploit buffer overflows The most important task when creating shellcode is to make it small and executable

What can Shellcode do? Providing access to the attacked system Spawning /bin/sh [or] cmd.exe (local shell) Binding a shell to a port (remote shell) Adding root/admin user to the system Chmod()’ing /etc/shadow to be writeable

Tools for Shellcode development Nasm Used to write assembly code Gdb GNU debugger to analyze core dump files Objdump To disassemble file Ktrace Trace all system calls a process is using

Next ( Femi ) Understanding Shellcode Developing Shellcode Methods of Detecting Shellcode

Understanding Shellcode IA-32 Machine Architecture (instruction set & registers) Program Flow dynamics - Processes Memory Organization and context switching during function- calls and interrupt processing. Shellcode is injected via the modification of the return address of a function by way of a stack-based buffer overflow.

Machine Architecture Refer to IA-32 Intel® Architecture Software Developer's Manual Volume 1: Basic Architecture” A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X. EBPBase pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register. ESIGeneral register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory to the accumulator. EDIGeneral register or "destination index" for string operations. Also has a one-byte STOS[size] instruction to write data out of the accumulator. ESPStack pointer. Is used to hold the top address of the stack. EIPInstruction pointer. Holds the current instruction address.

Program Flow Dynamics

Program Flow Dynamics (cont)

Stack Based Buffer Overflow void A(char charPtr *str) { char buffer[4]; strcpy(buffer,str); } void main() { char BigggerString[12] = “AAAAAAAAAAAA”; A(Biggerstring); } SFP (4)charPtrRET (4)Buffer1 (4) AAAA Bottom of Stack Top of Stack Stack Buffer Overflow

Developing Shellcode Finding the Vulnerability Writing the Shellcode Shellcode is sequence of machine instructions or opcode. To take advantage of the injected code and to gain access to the target system, system calls must be used On Linux there are two ways of implementing a system call, they are icall87/icall27 gates and ‘INT 0x80’ software interrupts

Example – Spawning a Shell Write C code Extract the assembly code Extract the opcode Append an function exit opcodes to allow the function exit gracefully Initialize a buffer with the opcode.

Example – Spawning a Shell cont’

Methods for Detecting Shellcode NIDS (Network Intrusion Detection System) can be used to identify shellcode on the wire using Signature databases and Protocol analysis methods IPS (Intrusion Prevention System) identifies shellcode by running the code on a sandbox/virtualization in order to detect if the given code is malicious or not

Conclusion Shellcode is a powerful mechanism for the exploitation of software vulnerabilities. It is important that the shellcode developed is small in size Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes

Questions?