Presentation is loading. Please wait.

Presentation is loading. Please wait.

CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

Published byJoanna Jefferson Modified over 9 years ago

Similar presentations

Presentation on theme: "CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object."— Presentation transcript:

1 CNIT 127: Exploit Development Ch 3: Shellcode

2 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing Nulls Spawning a Shell

3 Understanding System Calls

4 Shellcode Written in assembler Translated into hexadecimal opcodes Intended to inject into a system by exploiting a vulnerability Typically spawns a root shell, but may do something else

5 System Calls (or Syscalls) Syscalls directly access the kernel, to: – Get input – Produce output – Exit a process – Execute a binary file – And more They are the interface between protected kernel mode and user mode

6 Protection Rings Although the x86 provides four rings, only rings 0 and 3 are used by Windows or Unix Ring 3 is user-land Ring 0 is kernel- land Links Ch 3a-3c

7 Protecting the Kernel Protected kernel mode – Prevents user applications from compromising the OS If a user mode program attempts to access kernel memory, this generates an access exception Syscalls are the interface between user mode and kernel mode

8 Libc C library wrapper C functions that perform syscalls Advantages of libc – Allows programs to continue to function normally even if a syscall is changed – Provides useful functions, like malloc – (malloc allocates space on the heap) See link Ch 3d

9 Syscalls use INT 0x80 1.Load syscall number into EAX 2.Put arguments in other registers 3.Execute INT 0x80 4.CPU switches to kernel mode 5.Syscall function executes

10 Syscall Number and Arguments Syscall number is an integer in EAX Up to six arguments are loaded into – EBX, ECX, EDX, ESI, EDI, and EPB For more than six arguments, the first argument holds a pointer to a data structure

11 exit() The libc exit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit

12 Disassembling exit gdb e – disassemble main – disassemble exit – disassemble __run_exit_handlers All that stuff is error handling, to prepare for the syscall, which is at the label _exit disassemble _exit

13 Disassembling _exit syscall 252, exit_group() (kill all threads) syscall 1, exit() (kill calling thread) – Link Ch 3e

14 Writing Shellcode for the exit() Syscall

15 Shellcode Size Shellcode should be a simple and compact as possible Because vulnerabilities often only allow a small number of injected bytes – It therefore lacks error-handling, and will crash easily

16 Seven Instructions exit_group exit

17 Simplest code for exit(0)

18 nasm and ld nasm creates object file ld links it, creating an executable ELF file

19 objdump Shows the contents of object files

20 C Code to Test Shellcode From link Ch 3k Textbook version explained at link Ch 3i

21 Compile and Run Textbook omits the "-z execstack" option Next, we'll use "strace" to see all system calls when this program runs That shows a lot of complex calls, and "exit(0)" at the end

22 Using strace

23 Injectable Shellcode

24 Getting Rid of Nulls We have null bytes, which will terminate a string and break the exploit

25 Replacing Instructions This instruction contains nulls – mov ebx,0 This one doesn't – xor ebx,ebx This instruction contains nulls, because it moves 32 bits – mov eax,1 This one doesn't, moving only 8 bits – mov al, 1

26 OLD NEW

27 objdump of New Exit Shellcode

28 Spawning a Shell

29 Beyond exit() There's no use for exit() – any illegal instruction can make the program crash We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands

30 Five Steps to Shellcode 1.Write high-level code 2.Compile and disassemble 3.Analyze the assembly 4.Clean up assembly, remove nulls 5.Extract commands and create shellcode

31 fork() and execve() Two ways to create a new process in Linux Replace a running process – Uses execve() Copy a running process to create a new one – Uses fork() and execve()

32 C Program to Use execve() See link Ch 3l

33 Recompile with Static objdump of main is long, but we only care about main and __execve

34 main() Pushes 3 Arguments Calls __execve

35 Man Page execve() takes three arguments

36 execve() Arguments 1.Pointer to a string containing the name of the program to execute – "/bin/sh" 2.Pointer to argument array – happy 3.Pointer to environment array – NULL

37 Objdump of __execve Puts four parameters into edx, ecx, ebx, and eax INT 80

38

39 Game Show Questions

40 Which item converts executable code into assembler? A.syscall B.nasm C.ld D.objdump E.strace 40

41 Which item lists all system calls when a program is run? A.syscall B.nasm C.ld D.objdump E.strace 41

42 Which item is used to go from user mode to kernel mode? A.syscall B.nasm C.ld D.objdump E.strace 42

43 Which item converts assembly code into object code? A.syscall B.nasm C.ld D.objdump E.strace 43

44 What instruction should be used to replace "mov eax,0" in shellcode? A.int 0x80 B.or eax, eax C.xor eax, eax D.cmp eax, eax E.None of the above 44

45 What instruction should be used to replace "mov eax,1" in shellcode? A.int 0x80 B.mov ah, 1 C.xor eax, eax D.mov al, 1 E.None of the above 45

Download ppt "CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object."

Similar presentations

Practical Malware Analysis

Practical Malware Analysis
Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.

Memory Protection: Kernel and User Address Spaces  Background  Address binding  How memory protection is achieved.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.

Program Development Tools The GNU (GNU’s Not Unix) Toolchain The GNU toolchain has played a vital role in the development of the Linux kernel, BSD, and.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++

1 Starting a Program The 4 stages that take a C++ program (or any high-level programming language) and execute it in internal memory are: Compiler - C++
Assembly 01. Outline Binary vs. Text Files Compiler vs. Assembler Mnemonic Assembly Process Development Process Debugging Example 1 this analogy will.

Assembly 01. Outline Binary vs. Text Files Compiler vs. Assembler Mnemonic Assembly Process Development Process Debugging Example 1 this analogy will.
RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.

RIVERSIDE RESEARCH INSTITUTE Helikaon Linux Debugger: A Stealthy Custom Debugger For Linux Jason Raber, Team Lead - Reverse Engineer.
Countermeasures 0x610~0x650 2014. 12. 4 Seokmyung Hong.

Countermeasures 0x610~0x Seokmyung Hong.
COSC 120 Computer Programming

COSC 120 Computer Programming
The Process Model.

The Process Model.
X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.

X86 ISA Compiler Baojian Hua Front End source code abstract syntax tree lexical analyzer parser tokens IR semantic analyzer.
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)

David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 18: 0xCAFEBABE (Java Byte Codes)
1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.

1 CS503: Operating Systems Part 1: OS Interface Dongyan Xu Department of Computer Science Purdue University.
System Calls 1.

System Calls 1.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Similar presentations

Ads by Google