Shellcode
Contents
Normal programs don't have a win function :(.
Make our own!
Shellcode is a small piece of machine code (assembled instructions) that we inject and get the program to execute, giving us control.
payload = shellcode + address of shellcode
Shellcodes are position independent
Writing shellcode
- Write the ASM by hand, and assemble using NASM, then extract the bytes
- Write test code in C
- pwntools + python = win: asm() assembles an instruction string straight into bytes
Uses of shellcode
- Reverse shell
- Socket reuse
- Egghunter - a small bit of shellcode that searches memory for the larger payload (the egg)
- An omelette egghunter finds several eggs (each marked with an identifiable signature) and combines them together
- Download a second stage (larger payload)
Egghunter
Often we don't have enough space to write meaningful code.
When shellcode is injected into a larger memory region, we don't know where it ends up.
With an egghunter, we can write a small piece of code that searches for the larger shellcode and executes it.
We do this by prefixing the larger shellcode with a 'signature' (the egg) that identifies the data as ours.
System Calls
System calls are selected by their syscall number, and the arguments are passed in registers (32-bit x86, int 0x80):
- syscall number - eax
- argument 1 - ebx
- argument 2 - ecx
- argument 3 - edx
- argument 4 - esi
- argument 5 - edi
Strings
- To call system("/bin/sh") we need to get the string "/bin/sh" into memory somehow.
- We should avoid null bytes in our shellcode, because the function that copies it may treat a null byte as a terminator (i.e. strcpy stops when it reads a null byte).
Workarounds
- "/bin/sh" -> "/bin//sh", so that the string is exactly 8 bytes and two full push instructions can be written without a padding null byte (the kernel treats repeated slashes as one).
- If we need a null byte at run time, we can produce it with a clear/xor instruction instead of embedding it in the shellcode.
Usage
Shellcode must be position independent, so the string's address has to be derived at run time:
- Approach one - push the string onto the stack, then use the value of esp as its address
- Approach two - append the string to the end of your shellcode, then compute its address as an offset from the address of your shellcode
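As an added illustration of the Strings and Usage notes above (example code written for this page, not from the lecture; the helper names are my own), this packs the string into 32-bit push immediates and shows what a strcpy-style copy of the resulting bytes would keep:

```python
import struct

# Added example (not from the notes): how "/bin/sh" vs "/bin//sh" behaves when
# pushed onto the 32-bit x86 stack dword by dword, and why the padding NUL
# matters for a strcpy-style copy of the shellcode. Function names are my own.

PUSH_IMM32 = 0x68  # x86 opcode for "push imm32" (5 bytes: opcode + dword)


def pad_to_dwords(s: bytes) -> bytes:
    """Pad with NUL bytes to a multiple of 4, as a naive packer would."""
    return s + b"\x00" * (-len(s) % 4)


def stack_pushes(s: bytes) -> list:
    """Dword immediates in push order: the last 4 bytes of the string are pushed
    first so that, after all pushes, esp points at the start of the string."""
    padded = pad_to_dwords(s)
    chunks = [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return [struct.unpack("<I", c)[0] for c in reversed(chunks)]


def stack_image(s: bytes) -> bytes:
    """Bytes as they lie in memory at esp after the pushes (the stack grows
    down, so the push order is reversed back into string order)."""
    return b"".join(struct.pack("<I", v) for v in reversed(stack_pushes(s)))


def encode_pushes(s: bytes) -> bytes:
    """Machine code for the push sequence: one 'push imm32' per dword."""
    return b"".join(bytes([PUSH_IMM32]) + struct.pack("<I", v)
                    for v in stack_pushes(s))


def strcpy_view(blob: bytes) -> bytes:
    """What a strcpy-style copier actually transfers: everything before the
    first NUL byte. A truncated blob is a truncated (broken) shellcode."""
    i = blob.find(b"\x00")
    return blob if i < 0 else blob[:i]


def null_free(s: bytes) -> bool:
    """True if the push sequence for s contains no NUL byte at all."""
    return b"\x00" not in encode_pushes(s)


if __name__ == "__main__":
    for s in (b"/bin/sh", b"/bin//sh"):  # "/bin//sh" is a valid path: repeated slashes collapse
        code = encode_pushes(s)
        print(s, "null-free:", null_free(s), "copied by strcpy:",
              len(strcpy_view(code)), "of", len(code), "bytes")
```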
NOP Sled
When we don't know the exact address of our shellcode, we can prefix it with some nop (0x90) instructions, which do nothing except move execution on to the next address.
If firewalls detect and block long runs of NOPs (NOP*1000), other side-effect-free 1-byte instructions can be used instead.
Preventing shellcode
mprotect can mark a memory region non-executable (the NX bit), so that injected shellcode placed there cannot be run.
Circumventing the NX bit
// Next time :)
Other
- Syscall proxy
- Mosdef