SlideShare une entreprise Scribd logo

CNIT 127: 3: Shellcode

Sam Bowne
Sam Bowne

Slides for a college course at City College San Francisco. Based on "The Shellcoder's Handbook: Discovering and Exploiting Security Holes ", by Chris Anley, John Heasman, Felix Lindner, Gerardo Richarte; ASIN: B004P5O38Q. Instructor: Sam Bowne Class website: https://samsclass.info/127/127_F18.shtml

Formation
1  sur  44
Télécharger pour lire hors ligne
CNIT 127: Exploit Development
 
 Ch 3: Shellcode Updated 9=8-18
Topics • Protection rings • Syscalls • Shellcode • nasm Assembler • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer • Removing Nulls • Spawning a Shell
Understanding System Calls
Shellcode • Written in assembler • Translated into hexadecimal opcodes • Intended to inject into a system by exploiting a vulnerability • Typically spawns a root shell, but may do something else
System Calls (or Syscalls) • Syscalls directly access the kernel, to: – Get input – Produce output – Exit a process – Execute a binary file – And more • They are the interface between protected kernel mode and user mode
Protection Rings • Although the x86 provides four rings, only rings 0 and 3 are used by Windows or Unix • Ring 3 is user- land • Ring 0 is kernel- land • Links Ch 3a-3c
Protecting the Kernel • Protected kernel mode – Prevents user applications from compromising the OS • If a user mode program attempts to access kernel memory, this generates an access exception • Syscalls are the interface between user mode and kernel mode
Libc • C library wrapper • C functions that perform syscalls • Advantages of libc – Allows programs to continue to function normally even if a syscall is changed – Provides useful functions, like malloc – (malloc allocates space on the heap) • See link Ch 3d
Syscalls use INT 0x80 1. Load syscall number into EAX 2. Put arguments in other registers 3. Execute INT 0x80 4. CPU switches to kernel mode 5. Syscall function executes
Syscall Number and Arguments • Syscall number is an integer in EAX • Up to six arguments are loaded into – EBX, ECX, EDX, ESI, EDI, and EBP • For more than six arguments, the first argument holds a pointer to a data structure
Demonstration Use 32-bit Kali
exit() • The libc exit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit
Disassembling exit • gdb e – disassemble main – disassemble exit • No useful labels in exit
Disassembling exit • gdb e – break main – run – disassemble 
 exit • Now useful labels appear!
Disassembling exit – disassemble __run_exit_handlers • All that stuff is error handling, to prepare for the syscall
Disassembling exit – disassemble __run_exit_handlers • The syscall is at the label _exit
Disassembling _exit • syscall 252 (0xfc), exit_group() (kill all threads) • syscall 1, exit() (kill calling thread) – Link Ch 3e • disassemble _exit
Writing Shellcode for the exit() Syscall
Shellcode Size • Shellcode should be as simple and compact as possible • Because vulnerabilities often only allow a small number of injected bytes – It therefore lacks error-handling, and will crash easily
Two Syscalls • exit_group skip this one • exit use this one, in the green box • From an earlier version of gcc
sys_exit Syscall • Two arguments: eax=1, ebx is return value (0 in our case) • Link Ch 3m
Simplest code for exit(0)
nasm and ld • nasm creates object file • ld links it, creating an executable ELF file
objdump • Shows the contents of object files
C Code to Test Shellcode • From link Ch 3k • Textbook version explained at link Ch 3i
Compile and Run • Textbook omits the "-z execstack" option • It's required now or you get a segfault • Next, we'll use "strace" to see all system calls when this program runs • That shows a lot of complex calls, and "exit(0)" at the end
Using strace • apt-get install strace
Injectable Shellcode
Getting Rid of Nulls • We have null bytes, which will terminate a string and break the exploit
Replacing Instructions • This instruction contains nulls – mov ebx,0 • This one doesn't – xor ebx,ebx • This instruction contains nulls, because it moves 32 bits – mov eax,1 • This one doesn't, moving only 8 bits – mov al, 1
OLD NEW
objdump of New Exit Shellcode
Spawning a Shell
Beyond exit() • The exit() shellcode stops the program, so it just a DoS attack • Any illegal instruction can make the program crash, so that's of no use • We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands
Five Steps to Shellcode 1. Write high-level code 2. Compile and disassemble 3. Analyze the assembly 4. Clean up assembly, remove nulls 5. Extract commands and create shellcode
fork() and execve() • Two ways to create a new process in Linux • Replace a running process – Uses execve() • Copy a running process to create a new one – Uses fork() and execve() together
man execve
C Program to Use execve() • Static linking preserves our execve syscall
In gdb, disassemble main • Pushes 3 Arguments • Calls __execve
disassemble execve • Puts four parameters into edx, ecx, ebx, and eax • call *%gs:0x10 is a newer form of syscall • Same effect as INT 0x80
Versions of syscall • Link Ch 3n
Final Shellcode
CNIT 127: 3: Shellcode

Recommandé

Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
Sam Bowne
 
Aes
AesAes
Aes
Muhammad Asif
 
Cryptography
CryptographyCryptography
Cryptography
subodh pawar
 
Dining Philosopher's Problem
Dining Philosopher's ProblemDining Philosopher's Problem
Dining Philosopher's Problem
Yash Mittal
 
Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithm
Sunita Kharayat
 
Run time storage
Run time storageRun time storage
Run time storage
Rasineni Madhan Mohan Naidu
 
Unit 1
Unit 1Unit 1
Unit 1
Trupti Kodinariya
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
Yasser Ali
 

Recommandé

Practical Malware Analysis Ch12
Practical Malware Analysis Ch12Practical Malware Analysis Ch12
Practical Malware Analysis Ch12
Sam Bowne
 
Aes
AesAes
Aes
Muhammad Asif
 
Cryptography
CryptographyCryptography
Cryptography
subodh pawar
 
Dining Philosopher's Problem
Dining Philosopher's ProblemDining Philosopher's Problem
Dining Philosopher's Problem
Yash Mittal
 
Diffie hellman key exchange algorithm
Diffie hellman key exchange algorithmDiffie hellman key exchange algorithm
Diffie hellman key exchange algorithm
Sunita Kharayat
 
Run time storage
Run time storageRun time storage
Run time storage
Rasineni Madhan Mohan Naidu
 
Unit 1
Unit 1Unit 1
Unit 1
Trupti Kodinariya
 
Number theory and cryptography
Number theory and cryptographyNumber theory and cryptography
Number theory and cryptography
Yasser Ali
 
DES
DESDES
DES
Naga Srimanyu Timmaraju
 
Cryptanalysis 101
Cryptanalysis 101Cryptanalysis 101
Cryptanalysis 101
rahat ali
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
Rashmi Burugupalli
 
Approximation algorithms
Approximation algorithmsApproximation algorithms
Approximation algorithms
Ganesh Solanke
 
Cryptography
CryptographyCryptography
Cryptography
Kalyani Government Engineering College
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
Shashank Shetty
 
Compiler Design
Compiler DesignCompiler Design
Compiler Design
Mir Majid
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
DR RICHMOND ADEBIAYE
 
Hash Function
Hash FunctionHash Function
Hash Function
Siddharth Srivastava
 
Introduction to OpenMP
Introduction to OpenMPIntroduction to OpenMP
Introduction to OpenMP
Akhila Prabhakaran
 
AES by example
AES by exampleAES by example
AES by example
Shiraz316
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
Chirag Patel
 
Compiler Design(NANTHU NOTES)
Compiler Design(NANTHU NOTES)Compiler Design(NANTHU NOTES)
Compiler Design(NANTHU NOTES)
guest251d9a
 
Cryptographic Algorithms: DES and RSA
Cryptographic Algorithms: DES and RSACryptographic Algorithms: DES and RSA
Cryptographic Algorithms: DES and RSA
aritraranjan
 
block ciphers
block ciphersblock ciphers
block ciphers
Asad Ali
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
Mazin Alwaaly
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
amiable_indian
 
CPU SCHEDULING AND DEADLOCK
CPU SCHEDULING AND DEADLOCKCPU SCHEDULING AND DEADLOCK
CPU SCHEDULING AND DEADLOCK
Vicky Kumar
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
Sara Ali
 
Semophores and it's types
Semophores and it's typesSemophores and it's types
Semophores and it's types
Nishant Joshi
 
CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: Shellcode
Sam Bowne
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
Sam Bowne
 

Contenu connexe

Tendances

Compiler Design
Compiler DesignCompiler Design
Compiler Design
Mir Majid
 

Tendances (20)

DES
DESDES
DES
 
Cryptanalysis 101
Cryptanalysis 101Cryptanalysis 101
Cryptanalysis 101
 
symmetric key encryption algorithms
symmetric key encryption algorithms symmetric key encryption algorithms
symmetric key encryption algorithms
 
Approximation algorithms
Approximation algorithmsApproximation algorithms
Approximation algorithms
 
Cryptography
CryptographyCryptography
Cryptography
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Compiler Design
Compiler DesignCompiler Design
Compiler Design
 
Symmetric encryption
Symmetric encryptionSymmetric encryption
Symmetric encryption
 
Hash Function
Hash FunctionHash Function
Hash Function
 
Introduction to OpenMP
Introduction to OpenMPIntroduction to OpenMP
Introduction to OpenMP
 
AES by example
AES by exampleAES by example
AES by example
 
5. message authentication and hash function
5. message authentication and hash function5. message authentication and hash function
5. message authentication and hash function
 
Compiler Design(NANTHU NOTES)
Compiler Design(NANTHU NOTES)Compiler Design(NANTHU NOTES)
Compiler Design(NANTHU NOTES)
 
Cryptographic Algorithms: DES and RSA
Cryptographic Algorithms: DES and RSACryptographic Algorithms: DES and RSA
Cryptographic Algorithms: DES and RSA
 
block ciphers
block ciphersblock ciphers
block ciphers
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
Reliable Windows Heap Exploits
Reliable Windows Heap ExploitsReliable Windows Heap Exploits
Reliable Windows Heap Exploits
 
CPU SCHEDULING AND DEADLOCK
CPU SCHEDULING AND DEADLOCKCPU SCHEDULING AND DEADLOCK
CPU SCHEDULING AND DEADLOCK
 
Deadlocks in operating system
Deadlocks in operating systemDeadlocks in operating system
Deadlocks in operating system
 
Semophores and it's types
Semophores and it's typesSemophores and it's types
Semophores and it's types
 

Similaire à CNIT 127: 3: Shellcode

Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
Ajin Abraham
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
eurobsdcon
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
Aj MaChInE
 

Similaire à CNIT 127: 3: Shellcode (20)

CNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: ShellcodeCNIT 127: Ch 3: Shellcode
CNIT 127: Ch 3: Shellcode
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
CNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: ShellcodeCNIT 127 Ch 3: Shellcode
CNIT 127 Ch 3: Shellcode
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
202110 SESUG 49 UNIX X Command Tips and Tricks
202110 SESUG 49 UNIX X Command Tips and Tricks202110 SESUG 49 UNIX X Command Tips and Tricks
202110 SESUG 49 UNIX X Command Tips and Tricks
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection Mechanisms
 
Is That A Penguin In My Windows?
Is That A Penguin In My Windows?Is That A Penguin In My Windows?
Is That A Penguin In My Windows?
 
CNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you BeginCNIT 127 Ch 1: Before you Begin
CNIT 127 Ch 1: Before you Begin
 
Brief Introduction to Parallella
Brief Introduction to ParallellaBrief Introduction to Parallella
Brief Introduction to Parallella
 
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. TanenbaumA Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
A Reimplementation of NetBSD Based on a Microkernel by Andrew S. Tanenbaum
 
(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks(SAS) UNIX X Command Tips and Tricks
(SAS) UNIX X Command Tips and Tricks
 
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス
【Unite 2017 Tokyo】パフォーマンス向上のためのスクリプトのベストプラクティス
 
Metasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel ExploitationMetasploit & Windows Kernel Exploitation
Metasploit & Windows Kernel Exploitation
 
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode[若渴計畫] Challenges and Solutions of Window Remote Shellcode
[若渴計畫] Challenges and Solutions of Window Remote Shellcode
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
CNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you BeginCNIT 127 Ch Ch 1: Before you Begin
CNIT 127 Ch Ch 1: Before you Begin
 
Linux device drivers
Linux device driversLinux device drivers
Linux device drivers
 

Plus de Sam Bowne

Plus de Sam Bowne (20)

Cyberwar
CyberwarCyberwar
Cyberwar
 
3: DNS vulnerabilities
3: DNS vulnerabilities 3: DNS vulnerabilities
3: DNS vulnerabilities
 
8. Software Development Security
8. Software Development Security8. Software Development Security
8. Software Development Security
 
4 Mapping the Application
4 Mapping the Application4 Mapping the Application
4 Mapping the Application
 
3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2) 3. Attacking iOS Applications (Part 2)
3. Attacking iOS Applications (Part 2)
 
12 Elliptic Curves
12 Elliptic Curves12 Elliptic Curves
12 Elliptic Curves
 
11. Diffie-Hellman
11. Diffie-Hellman11. Diffie-Hellman
11. Diffie-Hellman
 
2a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 12a Analyzing iOS Apps Part 1
2a Analyzing iOS Apps Part 1
 
9 Writing Secure Android Applications
9 Writing Secure Android Applications9 Writing Secure Android Applications
9 Writing Secure Android Applications
 
12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)12 Investigating Windows Systems (Part 2 of 3)
12 Investigating Windows Systems (Part 2 of 3)
 
10 RSA
10 RSA10 RSA
10 RSA
 
12 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 312 Investigating Windows Systems (Part 1 of 3
12 Investigating Windows Systems (Part 1 of 3
 
9. Hard Problems
9. Hard Problems9. Hard Problems
9. Hard Problems
 
8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)8 Android Implementation Issues (Part 1)
8 Android Implementation Issues (Part 1)
 
11 Analysis Methodology
11 Analysis Methodology11 Analysis Methodology
11 Analysis Methodology
 
8. Authenticated Encryption
8. Authenticated Encryption8. Authenticated Encryption
8. Authenticated Encryption
 
7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)7. Attacking Android Applications (Part 2)
7. Attacking Android Applications (Part 2)
 
7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)7. Attacking Android Applications (Part 1)
7. Attacking Android Applications (Part 1)
 
5. Stream Ciphers
5. Stream Ciphers5. Stream Ciphers
5. Stream Ciphers
 
6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection6 Scope & 7 Live Data Collection
6 Scope & 7 Live Data Collection
 

Dernier

Dernier (20)

FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024FSB Advising Checklist - Orientation 2024
FSB Advising Checklist - Orientation 2024
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
ICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptxICT Role in 21st Century Education & its Challenges.pptx
ICT Role in 21st Century Education & its Challenges.pptx
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Interdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptxInterdisciplinary_Insights_Data_Collection_Methods.pptx
Interdisciplinary_Insights_Data_Collection_Methods.pptx
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Key note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdfKey note speaker Neum_Admir Softic_ENG.pdf
Key note speaker Neum_Admir Softic_ENG.pdf
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
TỔNG ÔN TẬP THI VÀO LỚP 10 MÔN TIẾNG ANH NĂM HỌC 2023 - 2024 CÓ ĐÁP ÁN (NGỮ Â...
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Sociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning ExhibitSociology 101 Demonstration of Learning Exhibit
Sociology 101 Demonstration of Learning Exhibit
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 

CNIT 127: 3: Shellcode

  • 1. CNIT 127: Exploit Development
 
 Ch 3: Shellcode Updated 9=8-18
  • 2. Topics • Protection rings • Syscalls • Shellcode • nasm Assembler • ld GNU Linker • objdump to see contents of object files • strace System Call Tracer • Removing Nulls • Spawning a Shell
  • 4. Shellcode • Written in assembler • Translated into hexadecimal opcodes • Intended to inject into a system by exploiting a vulnerability • Typically spawns a root shell, but may do something else
  • 5. System Calls (or Syscalls) • Syscalls directly access the kernel, to: – Get input – Produce output – Exit a process – Execute a binary file – And more • They are the interface between protected kernel mode and user mode
  • 6. Protection Rings • Although the x86 provides four rings, only rings 0 and 3 are used by Windows or Unix • Ring 3 is user- land • Ring 0 is kernel- land • Links Ch 3a-3c
  • 7. Protecting the Kernel • Protected kernel mode – Prevents user applications from compromising the OS • If a user mode program attempts to access kernel memory, this generates an access exception • Syscalls are the interface between user mode and kernel mode
  • 8. Libc • C library wrapper • C functions that perform syscalls • Advantages of libc – Allows programs to continue to function normally even if a syscall is changed – Provides useful functions, like malloc – (malloc allocates space on the heap) • See link Ch 3d
  • 9. Syscalls use INT 0x80 1. Load syscall number into EAX 2. Put arguments in other registers 3. Execute INT 0x80 4. CPU switches to kernel mode 5. Syscall function executes
  • 10. Syscall Number and Arguments • Syscall number is an integer in EAX • Up to six arguments are loaded into – EBX, ECX, EDX, ESI, EDI, and EBP • For more than six arguments, the first argument holds a pointer to a data structure
  • 12. exit() • The libc exit function does a lot of preparation, carefully covering many possible situations, and then calls SYSCALL to exit
  • 13. Disassembling exit • gdb e – disassemble main – disassemble exit • No useful labels in exit
  • 14. Disassembling exit • gdb e – break main – run – disassemble 
 exit • Now useful labels appear!
  • 15. Disassembling exit – disassemble __run_exit_handlers • All that stuff is error handling, to prepare for the syscall
  • 16. Disassembling exit – disassemble __run_exit_handlers • The syscall is at the label _exit
  • 17. Disassembling _exit • syscall 252 (0xfc), exit_group() (kill all threads) • syscall 1, exit() (kill calling thread) – Link Ch 3e • disassemble _exit
  • 18. Writing Shellcode for the exit() Syscall
  • 19. Shellcode Size • Shellcode should be as simple and compact as possible • Because vulnerabilities often only allow a small number of injected bytes – It therefore lacks error-handling, and will crash easily
  • 20. Two Syscalls • exit_group skip this one • exit use this one, in the green box • From an earlier version of gcc
  • 21. sys_exit Syscall • Two arguments: eax=1, ebx is return value (0 in our case) • Link Ch 3m
  • 22. Simplest code for exit(0)
  • 23. nasm and ld • nasm creates object file • ld links it, creating an executable ELF file
  • 24. objdump • Shows the contents of object files
  • 25. C Code to Test Shellcode • From link Ch 3k • Textbook version explained at link Ch 3i
  • 26. Compile and Run • Textbook omits the "-z execstack" option • It's required now or you get a segfault • Next, we'll use "strace" to see all system calls when this program runs • That shows a lot of complex calls, and "exit(0)" at the end
  • 27. Using strace • apt-get install strace
  • 29. Getting Rid of Nulls • We have null bytes, which will terminate a string and break the exploit
  • 30. Replacing Instructions • This instruction contains nulls – mov ebx,0 • This one doesn't – xor ebx,ebx • This instruction contains nulls, because it moves 32 bits – mov eax,1 • This one doesn't, moving only 8 bits – mov al, 1
  • 32. objdump of New Exit Shellcode
  • 34. Beyond exit() • The exit() shellcode stops the program, so it just a DoS attack • Any illegal instruction can make the program crash, so that's of no use • We want shellcode that offers the attacker a shell, so the attacker can type in arbitrary commands
  • 35. Five Steps to Shellcode 1. Write high-level code 2. Compile and disassemble 3. Analyze the assembly 4. Clean up assembly, remove nulls 5. Extract commands and create shellcode
  • 36. fork() and execve() • Two ways to create a new process in Linux • Replace a running process – Uses execve() • Copy a running process to create a new one – Uses fork() and execve() together
  • 38. C Program to Use execve() • Static linking preserves our execve syscall
  • 39. In gdb, disassemble main • Pushes 3 Arguments • Calls __execve
  • 40. disassemble execve • Puts four parameters into edx, ecx, ebx, and eax • call *%gs:0x10 is a newer form of syscall • Same effect as INT 0x80
  • 42.