Shellcoding, an Introduction

Shellcoding, an introduction

Daniele Bellavista

University of Bologna, Scuola di Ingegneria ed Architettura
Cesena Security Network and Applications

December 24, 2012

Outline

(CeSeNA) December 24, 2012 2/1

Warm-Up

Materiale iniziale
La teoria di questa presentazione vale per sistemi Unix, FreeBSD e
Windows.
Il materiale ` tuttavia preparato per sistemi Linux 64 bit con kernel
e
>= 2.6 e processore > Pentium 4.
Per chi non ha 64 bit sono disponibili anche gli esempi a 32 bit.
Per chi non ha installato un OS Linux o non vuole sporcare il suo,
sono disponibili due Virtual Machine:
32 bit: sorry non ho fatto in tempo. . .
64 bit: sorry non ho fatto in tempo. . .


What is shellcoding?
Exploiting software vulnerabilities

Vulnerabilities like BOFs permit the insertion and the execution of a
custom payload.
The historical function of the payload is to spawn a shell (hence the
name shell-code).
If the exploited program runs as a privileged user, the payload can
assume the control of the system.

Prerequisites
Basic notion of:
Assembly language.
Memory structure.
System Calls.

System Memory
Memory management

Memory management is a vast topic, so let’s discuss from an
high-level viewpoint.
Thanks to the Virtual Memory Management, each process sees a ﬂat
addressing space of 128 TiB (4 GiB in 32 bit processors).
Users can create sections inside the memory with read, write and/or
execute permissions.
The basic operations for memory management are push and pop.
push Insert a 64-bit value into the top of the stack (the
bottom).
pop Retrieve a 64-bit value from the top of the stack (the
bottom).


Figure : Linux 64 bit memory management


Program Code

Text segment and instruction pointer

The code is saved in a RO and executable memory called Text
segment.
The current instruction is pointed by the Instruction Pointer.
The instruction pointer is a value stored into the CPU.


Program Stack

The stack is where function context,
called frame, resides.
The Base pointer points to the begin of
the frame.
The Stack pointer points to the ﬁrst
available memory location.

void f () {
int xx = 1 2 ; i n t yy = 2 3 ;
int zz = 24;
int sum = xx + yy + z z ;
}


Assembly Language

Low, low level programming

Assembly is the ﬁnal stage of the programming process.
Each instruction is directly converted into an number.
Writing the number on the CPU Command BUS cause the instruction
to be executed.
You can access to a set of 64 bit registers: rax, rbx, rcx, rdx, rsi, rdi,
r8, r9, r10, r11, r12, r13, r14, r15
As instruction pointer, base pointer and stack pointer the CPU uses
respectively rip, rbp and rsp.


Assembly Language: function call

The call/ret instructions

call address push the RIP into the stack.
ret pop the RIP from the stack.

Creating a frame for the function

The callee may need a stack for his own variables.
RBP is saved (pushed) into the stack.
The new RBP become the old RSP.
Before doing ret, the opposite operations must be performed.

(CeSeNA) December 24, 2012 10 / 1

Assembly Language: function call and stack


Assembly Language: function call and parameters
Where should I put the parameters?

If you are coding in pure ASM, you can do what you want.
Else, you have to follow the conventions (see
http://en.wikipedia.org/wiki/X86_calling_conventions#
List_of_x86_calling_conventions).

Linux calling convention, parameter order
First parameters:
x86-64: rdi, rsi, rdx, rcx, r8, and r9. For system calls, r10 is used
instead of rcx.
IA-32: ecx, edx. For system calls ebx, ecx, edx, esi, edi, ebp.
Other parameters are pushed into the stack.


System calls

Invoking the OS

User’s programs run in the exterior ring with PL 3, while kernel runs
in the inner ring with PL 0: Kernel can access to the hardware (ﬁles,
devices, . . . ), user not.
Syscalls form the interface between user and kernel.
E.g.: open(), read(), write(), chmod(), exec(), . . .


Try to use Syscalls
Using assembly

In order to ease the programmer duty, syscalls are identiﬁed by a
number.
In modern x86-64 processor, a syscall is invoked using the operation
syscall, putting the id in the register rax.
In modern x86 processor, a syscall is invoked using the operation
sysenter but a lot of operation must be performed before, so in the
following exercise we will use the old-fashion-way int 80h, which rises
a software interrupt.

1 mov r d i , 0 1 mov ebx , 0
2 mov r a x , 60 2 mov eax , 1
3 syscall 3 i n t 80 h


Linux Syscalls

Linux
Syscalls signatures: /. . . kernel-sources. . . /include/linux/syscall.h
Syscalls numbers: /usr/include/asm/unistd 64.h

1 unistd 64.h
2 #d e f i n e N R e x i t 60
3 syscall.h
4 asmlinkage long s y s e x i t ( i n t error code ) ;


Writing shellcodes

The ﬁnal preparation

First steps. . .

Testing platform: http://dl.dropbox.com/u/16169203/data.zip
Use nasm to compile your assembly code
Feed the tester with the output.

Exercise 0
Create a shellcode that does nothing!
Test it!


Writing shellcodes

Using a syscall

Exercise 1: The exit syscall

Use the exit syscall to terminate the program
Change your code setting the return code to 13h


Writing shellcodes

Data reference I

The reference problem

When you write a program you can use global data because, at
compile time, a static address is associated.
But your shellcode is not compiled with the program it’s intended to
run.
You must use relative addressing, but before IA-64 it was not possible.


Writing shellcodes

Data reference II

Old IA-32 way

You use a trick: jmp just before the data location, then do a call. Et
voil`! On the top of the stack there is the data address.
a

1 jmp message
2 run :
3 pop ebx ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e
4 ; . . . shellcode
5 message :
6 c a l l run
7 db ’ CeSeNA ’ , 0 x0a , 0


Writing shellcodes

Data reference III

New IA-64 way

IA-64 introduces the RIP relative addressing.

1 l e a r d i , [ r e l message ] ; now ebx c o n t a i n s
2 ; the s t r i n g r e f e r e n c e
3 ; . . . shellcode
4

5 message db ’ CeSeNA ’ , 0 x0a , 0


Writing shellcodes

Data reference IV

Generic Way

You can pop the string in hex format over the stack.
The stack pointer is then the string reference.

1 push 0 x 0 0 0 a 4 1 4 e ; 0 x00 , 0 x0a , ’AN ’
2 push 0 x65536543 ; ’ eSeC ’
3 mov ebx , e s p ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e
4 ; ...


Writing shellcodes

Data reference V

Exercise 2: print on stdout

Get the exercise skeleton.
Understand the code
Write your own message


Writing shellcodes

Execute a program

1 unistd 64 . h
2 #d e f i n e N R e x e c v e 59
3 syscall .h
4 i n t k e r n e l e x e c v e ( const char ∗ filename ,
5 const char ∗ const argv [ ] ,
6 c o n s t c h a r ∗ c o n s t envp [ ] ) ;

Exercise 3: A real shellcode, exec a shell!

4 HaXoRs
4 g33k
4 n00bz


Writing shellcodes

Reverse shell I
One shellcode to rule them all
Step to execute:
1 Open a socket to the attacker server.
2 Duplicate the socket ﬁle descriptor into 0 and 1 (and optionally 2).
3 Exec a shell.

Step1: Create a socket

The standard procedure involves socket creation and connection.
socket() and connect() syscalls.
The sockaddr in structure requires port in network byte order
(htons()) and ip address in numeric form (inet pton()).
The usual sockaddr in size is 16.


Writing shellcodes

Reverse shell II
1 l o n g s y s s o c k e t ( i n t domain ,
2 i n t type ,
3 int protocol ) ;
4 l o n g s y s c o n n e c t ( i n t fd ,
5 s t r u c t sockaddr user ∗,
6 int addrlen ) ;

1 struct sockaddr in {
2 short s i n f a m i l y ; // AF INET
3 unsigned short s i n p o r t ; // n e t w o r k o r d e r ( h t o n s ( ) )
4 struct in addr s i n a d d r ; // As 32 b i t
5 char sin zero [8];
6 };


Writing shellcodes

Reverse shell III

Step2: Duplicate the file descriptor

The return value of socket() is the file descriptor.
The syscall dup2() copy the file descriptor and close the destination.
dup2(fd, 0); dup2(fd, 1), dup2(fd, 2);

1 long sys dup2 ( unsigned i n t oldfd ,
2 u n s i g n e d i n t newfd )


Writing shellcodes

Reverse shell IV

Step3: Exec a shell
Already seen ;)

Exercise 4: Reverse shelling
Remember to open a server listening into a known address! E.g.: nc -l -p
1234, preparing reverse shell for 127.0.0.1:1234
4 HaXoRs
4 g33k
4 n00bz


Writing shellcodes

Shellcode optimization

Why optimization?
When writing a shellcode, you must consider various factors. The
most important are:
1 How the vulnerable program receives the payload.
2 How long the payload can be.
The previous exercise solutions, for instance, are not suitable in most
cases.
The next slides will discuss about the NULL byte presence.
About the payload length, it’s all about the exploiter expertise.


Writing shellcodes

String payload
zero-bytes problem

If the payload is red as a string, C interprets a zero byte as string
terminator, cutting the shellcode.
Zero-bytes presence is caused by data and addresses:
mov rax, 11h is equivalent to mov rax, 0000000000000011h.
lea rax, [rel message] is equivalent to lea rax, [rip + 0000. . . xxh].
execve for instance, requires a null terminated string and some null
parameters.
Solutions are quite straightforward:
Use xor operation to zero a register.
Use when possible smaller part of registers (e.g.: rax → eax → ax →
[ah,al])
Use add operation: immediate operators are not expanded.
Place not-null marker in strings and substitute them inside the code.
When using relative addressing, place the message above: oﬀset will be
negative [?].


Writing shellcodes

Zero-byte removal example
; S e t r a x = 60 h ; S e t t o 0 a mem a r e a
xor rax , rax n u l l db ’ x x x x ’
mov a l , 60 x o r rbx , r b x
mov [ r e l n u l l ] , ebx

; S e t r d i = 12 h
xor rdi , r d i ; terminate s t r i n g with 0
add r d i , 12 h message db ’ CeSeNA ’ , ’ x ’
x o r rbx , r b x
l e a r d i , [ r e l message ]
mov [ r d i +7] , b l
; Negative refe rence
message db ’ CeSeNA ’ , ’ x ’
l e a r d i , [ r e l message ]


Writing shellcodes

References


Shellcoding, an Introduction

More Related Content

What's hot

Viewers also liked

Similar to Shellcoding, an Introduction

Recently uploaded

Shellcoding, an Introduction