Published by Kenneth Barber. Modified over 9 years ago.
Shellcode Development
Femi Oloyede, Pallavi Murudkar
Agenda
Introduction
What can Shellcode do?
Tools for Shellcode Development
Understanding Shellcode
Developing Shellcode
Methods of Detecting Shellcode
Introduction
Shellcode is defined as a set of instructions injected into, and then executed by, an exploited program.
Shellcode is primarily used to exploit buffer overflows.
The most important task when creating shellcode is to keep it small and executable.
What can Shellcode do?
Providing access to the attacked system
Spawning /bin/sh or cmd.exe (local shell)
Binding a shell to a port (remote shell)
Adding a root/admin user to the system
chmod()'ing /etc/shadow to be writeable
Tools for Shellcode Development
Nasm: assembler used to write assembly code
Gdb: GNU debugger, used to analyze core dump files
Objdump: disassembles object files and executables
Ktrace: traces all system calls a process makes
Next (Femi)
Understanding Shellcode
Developing Shellcode
Methods of Detecting Shellcode
Understanding Shellcode
IA-32 machine architecture (instruction set and registers)
Program flow dynamics: processes, memory organization, and context switching during function calls and interrupt processing
Shellcode is injected by modifying the return address of a function through a stack-based buffer overflow.
Machine Architecture
Refer to "IA-32 Intel® Architecture Software Developer's Manual, Volume 1: Basic Architecture". A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X.

EBP  Base pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register.
ESI  General register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory into the accumulator.
EDI  General register or "destination index" for string operations. Also has a one-byte STOS[size] instruction for writing data out of the accumulator.
ESP  Stack pointer. Holds the address of the top of the stack.
EIP  Instruction pointer. Holds the address of the current instruction.
Program Flow Dynamics
Program Flow Dynamics (cont.)
Stack Based Buffer Overflow

    #include <string.h>

    /* Deliberately vulnerable: strcpy() has no length bound, so the 12-byte
       argument overruns the 4-byte buffer and overwrites the saved frame
       pointer (SFP) and the return address (RET) above it on the stack. */
    void A(char *str)
    {
        char buffer[4];
        strcpy(buffer, str);
    }

    int main(void)
    {
        char BiggerString[] = "AAAAAAAAAAAA";   /* twelve 'A's plus terminator */
        A(BiggerString);
        return 0;
    }

Stack diagram (from bottom of stack to top): charPtr argument, RET (4), SFP (4), Buffer1 (4) holding AAAA. The copy fills Buffer1 and continues upward into SFP and RET.
Developing Shellcode
Finding the vulnerability
Writing the shellcode
Shellcode is a sequence of machine instructions, i.e. opcodes. To take advantage of the injected code and gain access to the target system, system calls must be used. On Linux there are two ways of invoking a system call: the lcall7/lcall27 call gates and the 'INT 0x80' software interrupt.
Example – Spawning a Shell
Write the C code
Extract the assembly code
Extract the opcodes
Append the exit opcodes so the function exits gracefully
Initialize a buffer with the opcodes
Example – Spawning a Shell (cont.)
Methods for Detecting Shellcode
NIDS (Network Intrusion Detection System) can identify shellcode on the wire using signature databases and protocol analysis methods.
IPS (Intrusion Prevention System) identifies shellcode by running the code in a sandbox or virtualized environment to determine whether the given code is malicious.
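As an added example, not part of the presentation, this is the kind of signature check a NIDS rule set applies to a payload: it flags a long run of 0x90 NOP bytes (a "sled") and the Linux x86 execve pattern, `mov al, 0x0b` followed within a few bytes by `int 0x80`. The threshold MIN_SLED and the two sample payloads are constructed for the example.

```python
# Added example: signature-style shellcode heuristics of the kind used by NIDS rules.
# Opcode constants are IA-32; the sample payloads below are constructed, not captures.
from typing import List

NOP = 0x90                     # single-byte NOP, repeated to build a "sled"
SYSCALL_INT80 = b"\xcd\x80"    # int 0x80: Linux x86 software interrupt
MOV_AL_EXECVE = b"\xb0\x0b"    # mov al, 0x0b: syscall number 11 = execve
MIN_SLED = 16                  # NOP-run length that triggers an alert (assumed threshold)


def longest_nop_run(data: bytes) -> int:
    """Return the length of the longest run of consecutive 0x90 bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def has_execve_int80(data: bytes, window: int = 8) -> bool:
    """True if `mov al,0x0b` is followed by `int 0x80` within `window` bytes."""
    start = 0
    while True:
        i = data.find(MOV_AL_EXECVE, start)
        if i < 0:
            return False
        if data.find(SYSCALL_INT80, i + 2, i + 2 + window) >= 0:
            return True
        start = i + 1


def scan_payload(data: bytes) -> List[str]:
    """Return the names of the signatures that matched the payload."""
    hits = []
    if longest_nop_run(data) >= MIN_SLED:
        hits.append("x86 NOP sled")
    if has_execve_int80(data):
        hits.append("linux x86 execve int 0x80")
    return hits


# Constructed samples: a NOP sled followed by an execve syscall stub, and benign HTTP text.
SUSPICIOUS = bytes([NOP] * 32) + b"\x31\xc0" + MOV_AL_EXECVE + b"\x31\xc9\x31\xd2" + SYSCALL_INT80
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, scan_payload(blob))
```

Byte signatures like these only catch plain, unencoded shellcode; encoded or polymorphic variants evade them, which is why the sandbox execution approach on the IPS side complements signature matching.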
Conclusion
Shellcode is a powerful mechanism for the exploitation of software vulnerabilities.
It is important that the shellcode developed is small in size.
Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes.
Questions?