Download as PDF, PPTX
Uploaded bySam Bowne
CNIT 127: 3: Shellcode
The document covers exploit development with a focus on shellcode and system calls, explaining how shellcode is designed in assembler and used to inject into systems. It details the mechanisms of syscalls, particularly how they interface between user mode and kernel mode, and the process of writing effective shellcode, including the avoidance of null bytes. Additionally, it discusses creating a new process in Linux using fork() and execve(), and emphasizes the importance of simplicity in shellcode to ensure successful exploitation.
More Related Content
CNIT 127: 3: Shellcode
- 1. CNIT 127: ExploitDevelopment Ch 3: Shellcode Updated 9=8-18
- 2. Topics • Protection rings •Syscalls • Shellcode • nasm Assembler • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer • Removing Nulls • Spawning a Shell
- 3.
- 4. Shellcode • Written inassembler • Translated into hexadecimal opcodes • Intended to inject into a system by exploiting a vulnerability • Typically spawns a root shell, but may do something else
- 5. System Calls (orSyscalls) • Syscalls directly access the kernel, to: – Get input – Produce output – Exit a process – Execute a binary file – And more • They are the interface between protected kernel mode and user mode
- 6. Protection Rings • Althoughthe x86 provides four rings, only rings 0 and 3 are used by Windows or Unix • Ring 3 is user- land • Ring 0 is kernel- land • Links Ch 3a-3c
- 7. Protecting the Kernel •Protected kernel mode – Prevents user applications from compromising the OS • If a user mode program attempts to access kernel memory, this generates an access exception • Syscalls are the interface between user mode and kernel mode
- 8. Libc • C librarywrapper • C functions that perform syscalls • Advantages of libc – Allows programs to continue to function normally even if a syscall is changed – Provides useful functions, like malloc – (malloc allocates space on the heap) • See link Ch 3d
- 9. Syscalls use INT0x80 1. Load syscall number into EAX 2. Put arguments in other registers 3. Execute INT 0x80 4. CPU switches to kernel mode 5. Syscall function executes
- 10. Syscall Number andArguments • Syscall number is an integer in EAX • Up to six arguments are loaded into – EBX, ECX, EDX, ESI, EDI, and EBP • For more than six arguments, the first argument holds a pointer to a data structure
- 11.
- 12. exit() • The libcexit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit
- 13. Disassembling exit • gdbe – disassemble main – disassemble exit • No useful labels in exit
- 14. Disassembling exit • gdbe – break main – run – disassemble exit • Now useful labels appear!
- 15. Disassembling exit – disassemble__run_exit_handlers • All that stuff is error handling, to prepare for the syscall
- 16. Disassembling exit – disassemble__run_exit_handlers • The syscall is at the label _exit
- 17. Disassembling _exit • syscall252 (0xfc), exit_group() (kill all threads) • syscall 1, exit() (kill calling thread) – Link Ch 3e • disassemble _exit
- 18. Writing Shellcode forthe exit() Syscall
- 19. Shellcode Size • Shellcodeshould be as simple and compact as possible • Because vulnerabilities often only allow a small number of injected bytes – It therefore lacks error-handling, and will crash easily
- 20. Two Syscalls • exit_groupskip this one • exit use this one, in the green box • From an earlier version of gcc
- 21. sys_exit Syscall • Twoarguments: eax=1, ebx is return value (0 in our case) • Link Ch 3m
- 22. Simplest code forexit(0)
- 23. nasm and ld •nasm creates object file • ld links it, creating an executable ELF file
- 24. objdump • Shows thecontents of object files
- 25. C Code toTest Shellcode • From link Ch 3k • Textbook version explained at link Ch 3i
- 26. Compile and Run •Textbook omits the "-z execstack" option • It's required now or you get a segfault • Next, we'll use "strace" to see all system calls when this program runs • That shows a lot of complex calls, and "exit(0)" at the end
- 27. Using strace • apt-getinstall strace
- 28.
- 29. Getting Rid ofNulls • We have null bytes, which will terminate a string and break the exploit
- 30. Replacing Instructions • Thisinstruction contains nulls – mov ebx,0 • This one doesn't – xor ebx,ebx • This instruction contains nulls, because it moves 32 bits – mov eax,1 • This one doesn't, moving only 8 bits – mov al, 1
- 31.
- 32. objdump of NewExit Shellcode
- 33.
- 34. Beyond exit() • Theexit() shellcode stops the program, so it just a DoS attack • Any illegal instruction can make the program crash, so that's of no use • We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands
- 35. Five Steps toShellcode 1. Write high-level code 2. Compile and disassemble 3. Analyze the assembly 4. Clean up assembly, remove nulls 5. Extract commands and create shellcode
- 36. fork() and execve() •Two ways to create a new process in Linux • Replace a running process – Uses execve() • Copy a running process to create a new one – Uses fork() and execve() together
- 37.
- 38. C Program toUse execve() • Static linking preserves our execve syscall
- 39. In gdb, disassemblemain • Pushes 3 Arguments • Calls __execve
- 40. disassemble execve • Putsfour parameters into edx, ecx, ebx, and eax • call *%gs:0x10 is a newer form of syscall • Same effect as INT 0x80
- 41. Versions of syscall •Link Ch 3n
- 43.