Shellcode
What is shellcode?
- Assembler instructions that execute arbitrary code
- Usually C or C++
- Works best when written as raw assembler
Can I use it on today's systems?
- Yes
- dirtyc0w
- Almost any buffer overflow exploit uses it
Before we begin...
We need to know:
- Assembler
- EIP
global _start
section .data
random: db "Hello", 0xA          ; the string followed by a newline (0xA)
random_length: equ $-random      ; length computed by the assembler
section .text
_start:                          ; entry point named in `global _start`
mov eax, 0x4                     ; syscall number: sys_write
mov ebx, 0x1                     ; fd 1 = stdout
mov ecx, random                  ; pointer to the buffer
mov edx, random_length           ; number of bytes to write
int 0x80                         ; enter the kernel
mov eax, 0x1                     ; syscall number: sys_exit
xor ebx, ebx                     ; exit status 0 (no NULL byte, unlike mov ebx, 0)
int 0x80
; build as 32-bit: nasm -f elf32 hello.asm -o hello.o && ld -m elf_i386 hello.o -o hello
How does the program stack work?
int main(){
int a = 1;
int b = 13;
}
*main
a = 1
b = 13
How does the program stack work?
void trigger_me(){
int num2 = 31;
}
int main(){
int num = 1;
trigger_me();
}
*main
num = 1
*trigger_me
num2 = 31
Saved return address: ret will pop it into EIP ->
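The two-frame picture above (main calling trigger_me), as an added example in C that is not from the slides: each function takes the address of its own local, and the callee reads the saved return address with a GCC/Clang builtin, so the layout the slide draws can be checked on a real build. noinline keeps trigger_me a real call; the 1024-byte window used when checking that the return address lies inside the caller is an assumption about the size of that function's code.

```c
#include <stdio.h>
#include <stdint.h>

/* Added example: the main -> trigger_me frames from the slide, observed on a
 * real build. Uses GCC/Clang extensions (noinline, __builtin_return_address). */

struct frame_info {
    uintptr_t local_addr; /* address of this frame's local variable */
    uintptr_t ret_addr;   /* saved return address: what `ret` pops into EIP/RIP */
};

__attribute__((noinline)) static struct frame_info trigger_me(void)
{
    volatile int num2 = 31;            /* same local as on the slide */
    struct frame_info fi;
    fi.local_addr = (uintptr_t)&num2;
    fi.ret_addr = (uintptr_t)__builtin_return_address(0);
    return fi;
}

/* 1 if trigger_me's local lives below the caller's local, i.e. the callee's
 * frame was pushed on top of the caller's frame (the stack grows downwards). */
__attribute__((noinline)) static int callee_frame_is_below_caller(void)
{
    volatile int num = 1;              /* main's local on the slide */
    struct frame_info fi = trigger_me();
    return fi.local_addr < (uintptr_t)&num;
}

/* 1 if the return address saved by the call points back into this function:
 * that is the instruction execution resumes at after `ret`. The 1024-byte
 * window is an assumption about how large this function's code is. */
__attribute__((noinline)) static int ret_addr_points_into_caller(void)
{
    uintptr_t start = (uintptr_t)&ret_addr_points_into_caller;
    struct frame_info fi = trigger_me();
    return fi.ret_addr > start && fi.ret_addr < start + 1024;
}

int main(void)
{
    struct frame_info fi = trigger_me();
    printf("trigger_me local at %#lx, returns to %#lx\n",
           (unsigned long)fi.local_addr, (unsigned long)fi.ret_addr);
    printf("callee frame below caller: %d\n", callee_frame_is_below_caller());
    printf("return address inside caller: %d\n", ret_addr_points_into_caller());
    return 0;
}
```

The second check is the one that matters for the rest of the deck: the value sitting just above the callee's locals is an address inside the caller, and whatever is there when `ret` executes is where execution continues.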
Exploit
How do we exploit the stack and execute our shellcode?
Vulnerable inputs
void some_random_func(){
char buff[10];
gets(buff); /* deliberately unbounded: gets() never checks the size of buff */
}
int main(){
some_random_func();
}
The stack when our value is <= 10:
buff[10] = "Hi"
0x080bf12
0x080bfc7
Vulnerable inputs
The stack when our value is > 10:
0x080bf12
0x080bfc7
buff[10] =
"Hiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"
Vulnerable inputs
The stack when our value is > 10:
0x080bf12
0x080bfc7
buff[10] =
0xSHELLCODEADDR
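The three stack pictures above, as an added example in C that is not from the slides: a constructed struct stands in for the frame (the 10-byte buff followed by the saved frame pointer and the saved return address, with the two address values taken from the diagrams), one routine copies input with no bound the way gets() does, a second copies with a bound, and a damage report shows which saved values an over-long input reaches. Real frames have padding and alignment, so the offsets here are an assumption of the model rather than any compiler's layout.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame on the slide. Real frames have padding
 * and alignment; the byte layout here is an assumption for illustration. */
#define BUFF_SIZE 10

struct frame_model {
    char buff[BUFF_SIZE];        /* the char buff[10] from the slide */
    unsigned char saved_ebp[4];  /* saved frame pointer */
    unsigned char saved_ret[4];  /* saved return address: popped into EIP by `ret` */
};

/* The two addresses drawn on the slide, as little-endian bytes. */
static const unsigned char EBP_ORIG[4] = { 0x12, 0xbf, 0x80, 0x00 }; /* 0x080bf12 */
static const unsigned char RET_ORIG[4] = { 0xc7, 0xbf, 0x80, 0x00 }; /* 0x080bfc7 */

/* Unbounded copy, mirroring gets(buff): writes the whole input plus its
 * terminator into the frame with no regard for BUFF_SIZE. The copy is capped
 * at the model's size only so that the demo itself stays well defined. */
static void unsafe_fill(struct frame_model *f, const char *input)
{
    size_t n = strlen(input) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);   /* buff is at offset 0 */
}

/* Bounded copy: never writes past buff and always NUL-terminates.
 * Returns 1 when the input had to be truncated (worth logging or rejecting). */
static int safe_fill(struct frame_model *f, const char *input)
{
    size_t len = strlen(input);
    int truncated = len >= BUFF_SIZE;     /* 10 chars need 11 bytes */
    size_t n = truncated ? BUFF_SIZE - 1 : len;
    memcpy(f->buff, input, n);
    f->buff[n] = '\0';
    return truncated;
}

/* Fills a fresh frame with `len` 'i' characters (len <= 63) using the bounded
 * or the unbounded copy and reports what past buff was changed:
 * bit 0 = saved frame pointer, bit 1 = saved return address. */
static int frame_damage(int use_safe, size_t len)
{
    char input[64];
    struct frame_model f;
    int damage = 0;

    if (len > sizeof input - 1) len = sizeof input - 1;
    memset(input, 'i', len);
    input[len] = '\0';

    memset(f.buff, 0, sizeof f.buff);
    memcpy(f.saved_ebp, EBP_ORIG, 4);
    memcpy(f.saved_ret, RET_ORIG, 4);

    if (use_safe) safe_fill(&f, input);
    else          unsafe_fill(&f, input);

    if (memcmp(f.saved_ebp, EBP_ORIG, 4) != 0) damage |= 1;
    if (memcmp(f.saved_ret, RET_ORIG, 4) != 0) damage |= 2;
    return damage;
}

/* safe_fill's truncation flag for an input of `len` characters. */
static int safe_fill_truncates(size_t len)
{
    char input[64];
    struct frame_model f;
    if (len > sizeof input - 1) len = sizeof input - 1;
    memset(input, 'i', len);
    input[len] = '\0';
    return safe_fill(&f, input);
}

int main(void)
{
    size_t lens[] = { 2, 9, 10, 13, 33 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("len=%2zu  gets-style damage=%d  bounded damage=%d  truncated=%d\n",
               lens[i], frame_damage(0, lens[i]), frame_damage(1, lens[i]),
               safe_fill_truncates(lens[i]));
    return 0;
}
```

Two things the report makes visible: a 10-character input already clobbers the byte after buff, because the terminator needs the 11th byte, and the 33-character "Hiiii..." input from the slide reaches the saved return address, which is the value the third diagram replaces with 0xSHELLCODEADDR. The bounded copy reports the truncation instead of touching either saved value.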
Syscalls
- We will use Linux syscalls
- Calls that invoke Kernel functions
- A lot of standard functions are wrapped around syscalls
- int 0x80 is used to perform syscalls in NASM (for stack-related ones)
- syscall (x86-32bit) and sysenter (x86-64bit) do the same but are newer and faster. Some syscalls can't be executed with them...
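An added example in C (not from the slides) of the point that standard functions are wrappers around syscalls: the write that the NASM snippet performs with int 0x80 is done here through libc's syscall() entry point with the SYS_write number from <sys/syscall.h>, and the result is read back through the ordinary read() wrapper; a second function checks that the raw SYS_getpid call and the getpid() wrapper agree. Linux-only; the pipe and the message are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Constructed message: the same bytes the NASM snippet writes. */
static const char MSG[] = "Hello\n";

/* 1 if the raw syscall and libc's getpid() wrapper return the same pid:
 * the wrapper is the syscall plus errno handling, nothing more. */
static int wrapper_matches_raw_getpid(void)
{
    long raw = syscall(SYS_getpid);
    return raw == (long)getpid();
}

/* Writes MSG into a pipe with the raw SYS_write number (what the NASM code
 * does with eax=4 on 32-bit; syscall() uses the host ABI's number and entry
 * instruction), reads it back with the libc read() wrapper and returns the
 * number of bytes that matched, or -1 on any failure. */
static long raw_write_roundtrip(void)
{
    int fds[2];
    char buf[sizeof MSG];
    long written, got;

    if (pipe(fds) != 0) return -1;
    written = syscall(SYS_write, fds[1], MSG, sizeof MSG - 1);
    close(fds[1]);
    got = read(fds[0], buf, sizeof buf - 1);
    close(fds[0]);

    if (written < 0 || got != written) return -1;
    buf[got] = '\0';
    return strcmp(buf, MSG) == 0 ? got : -1;
}

int main(void)
{
    printf("getpid wrapper == raw syscall: %d\n", wrapper_matches_raw_getpid());
    printf("bytes round-tripped via SYS_write: %ld\n", raw_write_roundtrip());
    return 0;
}
```

Note that syscall numbers differ between the 32-bit int 0x80 table (write = 4) and the 64-bit table; libc's syscall() hides that, which is one reason to prefer the wrappers in ordinary code and why raw shellcode has to be written for one specific ABI.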
Shellcode Writing
- The smaller the better
- Should NOT contain NULL bytes.
- Let's write some...
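A check to run over assembled output, as an added example in C that is not part of the slides: it scans a byte string for NUL bytes and reports how many there are and where the first one sits. The reason for the rule is that string-based copies such as gets() and strcpy() stop at the first NUL, so anything after it never reaches the buffer. The two byte strings are constructed from the standard x86 encodings of mov eax, 4 (B8 04 00 00 00: three NULs, because the 32-bit immediate is padded) and of xor eax, eax followed by mov al, 4 (31 C0 B0 04: no NULs); the encodings are well known, the sample strings are built here for the example.

```c
#include <stdio.h>
#include <stddef.h>

/* Scans machine code for NUL bytes. Returns how many there are and stores
 * the offset of the first one in *first ((size_t)-1 when there is none). */
static size_t count_nul_bytes(const unsigned char *code, size_t len, size_t *first)
{
    size_t count = 0;
    *first = (size_t)-1;
    for (size_t i = 0; i < len; i++) {
        if (code[i] == 0x00) {
            if (count == 0) *first = i;
            count++;
        }
    }
    return count;
}

/* Constructed samples using the standard x86 encodings. */
static const unsigned char MOV_EAX_IMM32[] = { 0xB8, 0x04, 0x00, 0x00, 0x00 }; /* mov eax, 4 */
static const unsigned char XOR_THEN_MOV_AL[] = { 0x31, 0xC0, 0xB0, 0x04 };     /* xor eax, eax ; mov al, 4 */

static size_t nuls_in_mov_eax_imm32(void)
{
    size_t first;
    return count_nul_bytes(MOV_EAX_IMM32, sizeof MOV_EAX_IMM32, &first);
}

static size_t first_nul_in_mov_eax_imm32(void)
{
    size_t first;
    count_nul_bytes(MOV_EAX_IMM32, sizeof MOV_EAX_IMM32, &first);
    return first;
}

static size_t nuls_in_xor_then_mov_al(void)
{
    size_t first;
    return count_nul_bytes(XOR_THEN_MOV_AL, sizeof XOR_THEN_MOV_AL, &first);
}

int main(void)
{
    printf("mov eax,4            : %zu NUL byte(s), first at offset %zu\n",
           nuls_in_mov_eax_imm32(), first_nul_in_mov_eax_imm32());
    printf("xor eax,eax; mov al,4: %zu NUL byte(s)\n", nuls_in_xor_then_mov_al());
    return 0;
}
```

The same scan is useful on the defensive side: input that carries no NUL for a suspiciously long run and decodes to valid instructions is a common signal looked for by payload-detection heuristics.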
Some interesting literature:
- Shellcoder's Handbook - 1st & 2nd edition
- Sockets, Shellcode, Porting, and Coding
Shellcode
By Ivan Zlatanov