Download presentation
Presentation is loading. Please wait.
Published byKory Edwards Modified over 8 years ago
1
Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)
2
Today – Advanced Shellcode What are shellcodes More about shellcodes Some more tools Function calls and the import table Polymorphic shellcodes Q&A
3
Shellcodes Originates from the unix shell executable “sh” Running sh essentially grants access to run any other command afterwards The term has been loosely generalized to fit any code that runs after a exploiting a vulnerability for code execution Last week we saw a very basic shell-code which avoids null bytes.
4
More advanced exploitation More robust & resillient – o Use trampolines instead of stack addresses o Don’t count on static function addresses – dlopen(), dlsym() o ‘Egg hunting’ for executable file headers o Avoid null bytes / Avoid other bytes / handle UTF8 / etc. o Shellcodes that will run / not crash on multiple architectures Do more complex things – o Add users, modify files, install malware o Manipulate program flow / memory o Open a shell back home
5
New tools! build_shellcode.py based on the patch_util_gcc.py script, but is made for simpler usage when creating shellcodes
6
New tools! shellcode_host – reads a binary shellcode as instructed via the command line, and simulates execution. shellcode_host_no_nulls – similar to shellcode_host, but the string is copied via strcpy, so no null characters (0x00) will be permitted in the body of the shellcode. stack_overflow_host – similar to shellcode_host in the sense that it will allow null bytes inside the shellcode, but here you must overflow the stack and control the return address yourself. stack_overflow_host_no_nulls – similar to stack_overflow_host, but no null bytes will be permitted
7
How external function calls work Many options - o syscall via int0x80 (as we've seen) o static lib – hard coded address (rare) o Dynamic lib - Assume already loaded, call directly (hard-coded address, not resilient) Call via the PLT / GOT (best method)
8
Global Offset Table
9
External function calls A call through it looks like - call _printf Which is actually a simple jmp - _printf proc near jmp ds:off_804A010 ; PLT entry _printf endp
10
Practical usage for external function calls We can call through the PLT entry directly Or, we could replicate what the original code would do, and just call the call-through function Of course – other methods could still work (namely, direct syscalls)
11
Polymorphic shellcodes Polymorphic code ~= self-modifying code Usually, polymorphic code is made of two parts: A Decoder + the actual code in encoded form o The decoder can thin and be built to withstand constraints such as: only printable chars Only [a-z][A-Z][0-9] Must be a valid utf-8 char Must not contain characters X,Y,Z Polymorphic shellcodes can be used to evade detectors that use signature based detection, by modifying the signature of the same functionality
12
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---
13
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---
14
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---
15
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1
16
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size
17
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size
18
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size+after_end–1
19
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size+after_end–1
20
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecxoriginal size - 1 edxoriginal size+after_end–1
21
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecx0 edxafter_end + 0
22
Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecx0 edxafter_end + 0
23
This Week’s Exercise Counts as a double exercise! Write a shellcode for remote exploitation using sockets Exploit a network daemon remotely in several ways o Basic shellcode o Socket bound shell More advanced shellcodes o Hijack the original connection socket o Polymorphic shellcode bypassing limitations
24
The end Questions?
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.