Shellcode

What is shellcode?

Assembler instructions that execute arbitrary code
Usually C or C++
Work best when raw assembler

Can I use it on today's systems?

Yes
dirtyc0w
Almost any buffer overflow exploit uses it

Before we begin...

We need to know:

Assembler

global _start

section .data
	random: db "Hello" 0xA
	random_length: equ $-random
    
section .text
	mov	eax, 0x4
    mov	ebx, 0x1
    mov ecx, random
    mov edx, random_length
    int 0x80   
    
    mov eax, 0x1
    xor ebx, ebx
    int 0x80

How does the program stack work?

int main(){
	int a = 1;
    int b = 13;
}

*main

a = 1

b = 13

How does the program stack work?

void trigger_me(){
	int num2 = 31;
}

int main(){
	int num = 1;
	trigger_me();
}

*main

num = 1

*trigger_me

num2 = 31

Will pop it in EIP ->

Exploit

How do we exploit the stack and run execute our shellcode?

Vulnerable inputs

void some_random_func(){
	char buff[10];
	gets(buff)
}

int main(){
	some_random_func();
}

The stack when our value is <= 10:

buff[10] = "Hi"

0x080bf12

0x080bfc7

Vulnerable inputs

void some_random_func(){
	char buff[10];
	gets(buff)
}

int main(){
	some_random_func();
}

The stack when our value is > 10:

0x080bf12

0x080bfc7

buff[10] =

"Hiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii"

Vulnerable inputs

void some_random_func(){
	char buff[10];
	gets(buff)
}

int main(){
	some_random_func();
}

The stack when our value is > 10:

0x080bf12

0x080bfc7

buff[10] =

0xSHELLCODEADDR

Syscalls

We will use Linux syscalls
Calls that invoke Kernel functions
A lot of standard functions are wrapped around syscalls
int 0x80 is used to perform syscalls in NASM (for stack related)
syscall (x86-32bit) and sysenter (x86-64bit) do the same but are newer and faster. Some syscalls can't be executed with them...

Shellcode Writing

The smaller the better
Should NOT contain NULL bytes.
Let's write some...

Some interesting literature:

Shellcoder's Handbook - 1st & 2nd edition
Sockets, Shellcode, Porting, and Coding