Anton Dorfman. Shellcode Mastering.
Transcript

  • 1. Shellcode Mastering• by Anton Dorfman
  • 2. About me• Fan of & Fun with Assembly language• Reverser• Teach Reverse Engineering since 2001• Candidate of technical science
  • 3. Hands-on Lab structure• Basics of shellcode• Basic shellcode techniques• Shellcode optimization techniques• Optimization example analysis• Practice
  • 4. Required tools• Windows XP virtual machine• Windows 7 virtual machine• Olly Debugger• Masm32 by hutch v11• RadASM• Hiew• Total Commander
  • 5. Basics of shellcode
  • 6. Shellcode features• Position independent (base independent: it must run wherever it lands in memory)• Small code size• Written in assembly language• Used as the payload when exploiting vulnerabilities
  • 7. Types of shellcode• Local• Remote• Download and execute• Staged• Null-free shellcode
  • 8. Shellcode development tasks• Find yourself in memory (delta offset: the value of the EIP register, the program counter)• Addressing shellcode variables• Working with strings
  • 9. Windows-specific shellcode tasks• Find the kernel32.dll base address• Find the entry points of the needed Win32 APIs
  • 10. Basic shellcode techniques
  • 11. Usual program
  • 12. Call and Ret algorithms
  • 13. Delta offset• call next (or call $+5)• next:• pop ebp• sub ebp,offset next• The call pushes the run-time address of next; after the pop, ebp minus the assemble-time offset of next is the delta that must be added to every hardcoded address• Note the encoding: a call to the very next instruction has a zero displacement, so this form contains four 00 bytes (E8 00 00 00 00)• Open Delta.asm• Compile and debug it• Add bytes before the start and check that it still works
  • 14. Null-free delta offset variant• call $+4• ret• pop ebp• Encoding: E8 FF FF FF FF C3 5D. The call (displacement -1) lands on its own last byte, and FF C3 decodes as inc ebx, so the ret byte is never executed as a ret; execution falls through to pop ebp, which receives the return address pushed by the call, i.e. the address of the ret byte• Open DeltaNoNull.asm• Compile and debug it• Check the instruction overlap in the debugger
  • 15. Addressing shellcode variables• First – find the delta offset of our code• Commonly used: [reg+offset of the variable], where reg holds the delta• Any register can hold the delta• Create VarUsing.asm• Write in it a base-independent (shellcode-like) variant of the “Usual program” example• Compile and debug it
  • 16. Addressing shellcode variables through the code block structure• call next• Var dd 12345678h• next:• pop esi – esi now points to Var, because the call pushed the address of the byte right after it• Create VarUsingBlocks.asm• Modify VarUsing.asm to use this technique• Compile and debug it
  • 17. Types of strings in shellcode• Some parameters• Names of DLL libraries• Names of Win32 APIs
  • 18. Using strings on the stack• push ‘yt’• push ‘rewq’• mov esi,esp – esi now points to the string ‘qwerty’ (MASM stores the multi-character constant ‘rewq’ as the dword 72657771h, which lands in memory little-endian as “qwer”; the earlier push of ‘yt’ is the dword 00007974h, i.e. “ty” followed by two zero bytes that terminate the string)• Create StringUsingStack.asm using this technique and a string you prefer• Create StringUsingBlock.asm using the code block structure technique• Compile and debug them
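The push-the-string technique on this slide is mechanical enough to automate. The following C program is an added example, not code from the deck: it cuts a string into dwords, emits them in push order, and for each push reports the encoded size and whether the encoding carries a 00 byte (push imm8 sign-extends, so only -128..+127 get the 2-byte form; anything else needs the 5-byte push imm32). The string "qwerty" reproduces the slide's two pushes; the size comparison with the code-block variant (call over the string, then pop) is computed by the example, not a figure from the deck.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One push instruction of the generated sequence. */
typedef struct {
    uint32_t imm;      /* the dword as the CPU pushes it (little-endian in memory) */
    int      size;     /* encoded length: 2 for push imm8 (6A ib), 5 for push imm32 (68 id) */
    int      has_null; /* encoding contains a 00 byte, which null-free shellcode cannot carry */
} push_t;

/* Build the pushes that leave ESP pointing at a NUL-terminated copy of `s`.
 * The string is padded with NULs to a 4-byte multiple (at least one NUL, the terminator),
 * cut into dwords, and pushed last-dword-first so that the first dword ends up at the
 * lowest address, which is where ESP points afterwards. Returns the number of pushes,
 * in execution order, or -1 if `out` is too small. */
int string_to_pushes(const char *s, push_t *out, int max) {
    uint8_t buf[256] = {0};                      /* constructed scratch copy, zero padded */
    size_t len = strlen(s);
    size_t padded = (len + 1 + 3) & ~(size_t)3;
    int n = (int)(padded / 4);
    if (padded > sizeof buf || n > max) return -1;
    memcpy(buf, s, len);
    for (int i = 0; i < n; i++) {
        uint32_t v;
        memcpy(&v, buf + 4 * (n - 1 - i), 4);    /* dwords in reverse order */
        out[i].imm = v;
        /* push imm8 sign-extends, so only -128..+127 get the 2-byte form */
        out[i].size = ((int32_t)v >= -128 && (int32_t)v <= 127) ? 2 : 5;
        out[i].has_null = 0;
        if (out[i].size == 2) {
            out[i].has_null = (v == 0);          /* 6A 00 is the only null imm8 */
        } else {
            for (int b = 0; b < 4; b++)
                if (((v >> (8 * b)) & 0xFF) == 0) out[i].has_null = 1;
        }
    }
    return n;
}

/* Size of the stack variant: the pushes plus mov esi,esp (2 bytes). */
int stack_variant_size(const push_t *p, int n) {
    int total = 2;
    for (int i = 0; i < n; i++) total += p[i].size;
    return total;
}

/* Size of the code-block variant: call next / db 's',0 / next: pop esi
 * = 5 + strlen + 1 + 1 bytes. Its call displacement is strlen+1, so for any
 * realistic string the rel32 itself carries 00 bytes, as does the terminator. */
int block_variant_size(const char *s) {
    return 5 + (int)strlen(s) + 1 + 1;
}

int main(void) {
    push_t p[16];
    const char *s = "qwerty";
    int n = string_to_pushes(s, p, 16);
    for (int i = 0; i < n; i++)
        printf("push %08Xh      ; %d bytes%s\n", p[i].imm, p[i].size,
               p[i].has_null ? "  <- contains 00" : "");
    printf("mov esi,esp     ; stack variant %d bytes, code-block variant %d bytes\n",
           stack_variant_size(p, n), block_variant_size(s));
    return 0;
}
```

For "qwerty" the program emits push 00007974h (5 bytes, carries nulls) and push 72657771h (5 bytes), which is the slide's pair; a null-free payload would replace the first push with the zeroing idiom from slide 43 followed by the non-zero part of the dword, or pick a string whose padding dword is not all zero.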
  • 19. Hashes are smaller than strings• One hash – 4 bytes• Hash procedure – x bytes• Total size of the Win32 API names – y bytes• With n APIs to resolve, hashes win when x + 4n < y
  • 20. Restricted but weak hashes• We can check the API namespace of the DLLs used in our shellcode for 2-byte or even 1-byte hashes: as long as no other export of the same DLL truncates to the same value, the short hash is enough to pick out the API we need
  • 21. A few symbols are smaller than a hash• We can check the API namespace of the DLLs used in our shellcode for unique symbols at particular positions of the API name• If we find such “unique positions” we can use them to check for the needed APIs, comparing one or two bytes of the export name instead of hashing it
  • 22. Find entry points of needed Win32 API• Using hardcoded addresses of API• Scan for GetProcAddress• Find API from Export
  • 23. Using hardcoded addresses of API• Find the addresses of the needed APIs in an OS build similar to the target• Hardcode them into the shellcode• For example:• call 7c801d7bh – kernel32.LoadLibraryA• Fragile: valid only for the exact DLL build the address was taken from, and defeated by ASLR
  • 24. Ways to find kernel32.dll Base Address• Hardcoded address• PEB based (Process Environment Block)• SEH based (Structured Exception Handler)• From TOP of the STACK
  • 25. Kernel32.dll Base from PEB
  • 26. Kernel32.dll Base from PEB
  • 27. Kernel32.dll Base from SEH
  • 28. Kernel32.dll Base from TOP STACK
  • 29. Scan for GetProcAddress
  • 30. Find API from Export
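Slides 25 to 30 are diagrams in the original deck. The C program below is an added example, not the deck's code, of the last step, resolving an API from the export directory once a module base is known: it follows e_lfanew, the PE32 export data directory and the three export tables exactly as shellcode does (fixed offsets, unaligned loads), matching names by hash. The module is a constructed in-memory stand-in with three exports, not a real kernel32.dll, and ROR13 is an assumed hash; a PE32+ image would hold the export directory RVA at PE+88h instead of PE+78h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Unaligned little-endian accessors: the C equivalent of mov reg,[base+off]. */
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* ROR13 name hash (assumption: the deck does not fix a hash; this one is common in
 * Win32 shellcode). */
uint32_t ror13_hash(const char *name) {
    uint32_t h = 0;
    for (; *name; name++)
        h = ((h >> 13) | (h << 19)) + (uint8_t)*name;
    return h;
}

/* The export walk as shellcode does it on a PE32 image mapped at `base`:
 *   [base+3Ch]        e_lfanew -> "PE\0\0"
 *   [base+pe+78h]     DataDirectory[0].VirtualAddress = export directory RVA
 *   export directory: +18h NumberOfNames, +1Ch AddressOfFunctions,
 *                     +20h AddressOfNames, +24h AddressOfNameOrdinals
 * Each name is hashed; on a match the name index maps through the ordinal table to
 * the function RVA. Returns the RVA, or 0 if no export hashes to `want`. */
uint32_t find_export_rva(const uint8_t *base, uint32_t want) {
    uint32_t pe      = rd32(base + 0x3C);
    uint32_t exp     = rd32(base + pe + 0x78);
    uint32_t n_names = rd32(base + exp + 0x18);
    uint32_t funcs   = rd32(base + exp + 0x1C);
    uint32_t names   = rd32(base + exp + 0x20);
    uint32_t ords    = rd32(base + exp + 0x24);
    for (uint32_t i = 0; i < n_names; i++) {
        const char *name = (const char *)(base + rd32(base + names + 4 * i));
        if (ror13_hash(name) == want)
            return rd32(base + funcs + 4 * rd16(base + ords + 2 * i));
    }
    return 0;
}

/* Constructed stand-in for a loaded DLL: a 4 KiB buffer with only the fields the walk
 * reads filled in. The ordinal table deliberately differs from the name index, as in
 * real DLLs, so the ordinal indirection is exercised. */
#define IMG_SIZE 0x1000
uint8_t g_image[IMG_SIZE];

void build_fake_module(uint8_t *img) {
    static const char    *names[]    = { "CreateProcessA", "GetProcAddress", "LoadLibraryA" };
    static const uint16_t ordinal[]  = { 1, 2, 0 };                 /* name i -> ordinal */
    static const uint32_t func_rva[] = { 0x1300, 0x1100, 0x1200 };  /* indexed by ordinal */
    const uint32_t pe = 0x80, exp = 0x200, funcs = 0x240, name_t = 0x260, ords = 0x280;
    uint32_t str = 0x300;                    /* where the name strings go */
    memset(img, 0, IMG_SIZE);
    memcpy(img, "MZ", 2);
    wr32(img + 0x3C, pe);
    memcpy(img + pe, "PE\0\0", 4);
    wr32(img + pe + 0x78, exp);              /* export directory RVA */
    wr32(img + pe + 0x7C, 0x100);            /* export directory size */
    wr32(img + exp + 0x14, 3);               /* NumberOfFunctions */
    wr32(img + exp + 0x18, 3);               /* NumberOfNames */
    wr32(img + exp + 0x1C, funcs);
    wr32(img + exp + 0x20, name_t);
    wr32(img + exp + 0x24, ords);
    for (int i = 0; i < 3; i++) {
        wr32(img + funcs + 4 * i, func_rva[i]);
        wr32(img + name_t + 4 * i, str);
        wr16(img + ords + 2 * i, ordinal[i]);
        strcpy((char *)img + str, names[i]);
        str += (uint32_t)strlen(names[i]) + 1;
    }
}

int main(void) {
    build_fake_module(g_image);
    const char *want[] = { "LoadLibraryA", "GetProcAddress", "CreateProcessA", "NotExported" };
    for (int i = 0; i < 4; i++) {
        uint32_t h = ror13_hash(want[i]);
        printf("%-15s hash=%08X  rva=%08X\n", want[i], h, find_export_rva(g_image, h));
    }
    return 0;
}
```

The shellcode version of find_export_rva is the same loop with the hash inlined and base+RVA computed in registers; what the example makes visible is the ordinal indirection, which a walk that indexes AddressOfFunctions directly by the name index gets wrong on most real DLLs.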
  • 31. Shellcode optimizationtechniques
  • 32. Shellcode optimization techniques• Structural optimization• Less action – value reusing optimization• Local optimization
  • 33. Instruction format
  • 34. Types of Opcode byte
  • 35. ModR/M
  • 36. SIB
  • 37. Opcode map - 00h-77h
  • 38. Opcode map - 08h-7Fh
  • 39. Opcode map - 80h-F7h
  • 40. Opcode map - 88h-FFh
  • 41. Opcode in ModR/M
  • 42. Common optimization rules• Relative addresses, offsets and immediate values take 1 byte instead of 4 when they fit in a signed byte (-128..+127)• Some instructions with eax/ax/al are 1 byte shorter (e.g. add eax,imm32 is 05 id, with no ModR/M byte)• 1-byte instructions: push reg, pop reg, inc reg, dec reg, xchg eax,reg• Chain instructions: let each result feed the next instruction directly instead of reloading it
  • 43. Zeroing register• mov eax,00000000h – 5 bytes• xor eax,eax – 2 bytes• sub eax,eax – 2 bytes
  • 44. Assign “-1” to a register• mov eax,0FFFFFFFFh (-1) – 5 bytes• xor eax,eax (or sub eax,eax) – 2 bytes, then dec eax – 1 byte (3 in total)• or eax,-1 – 3 bytes
  • 45. Check a register for zero• cmp eax,00000000h – 5 bytes as cmp eax,imm32 (3 with the sign-extended imm8 form)• jz eax_is_zero – 2 bytes• test eax,eax (or or eax,eax) – 2 bytes• jz eax_is_zero – 2 bytes• xchg eax,ecx – 1 byte• jecxz eax_is_zero – 2 bytes (only when ecx is free; eax and ecx stay swapped afterwards)
  • 46. Check a register for “-1”• cmp eax,0FFFFFFFFh – 5 bytes (3 with imm8)• jz eax_is_minus_1 – 2 bytes• inc eax – 1 byte• jz eax_is_minus_1 – 2 bytes• dec eax – 1 byte to restore the value
  • 47. Assign an 8-bit value to a register• mov eax,000000FFh – 5 bytes• xor eax,eax – 2 bytes• mov al,0FFh – 2 bytes• push imm8 – 2 bytes, then pop eax – 1 byte, but push imm8 (6Ah) sign-extends, so this 3-byte form only covers -128..+127: push 0FFh as an imm8 leaves 0FFFFFFFFh in eax, and values 80h..0FFh need the xor / mov al pair
  • 48. Doing without the stack
  • 49. Optimization example analysis
  • 50. Prehistory• On 3 January 2009 a user with the nickname “sl0n” proposed a “New Year competition for the smallest download-and-execute shellcode”• Link: http://wasm.ru/forum/viewtopic.php?pid=288731• Participants: sl0n, takerZ, censored, freeman, researcher (me)
  • 51. Branches of code optimization (the suffix is the shellcode size in bytes)• sl0n_185 - censored_170 - freeman_163• researcher_160 - researcher_149 (NULL-FREE branch)• takerZ_160 - takerZ_160_148 - researcher_153 - takerZ_150 - researcher_141 - takerZ_138 - researcher_137 - researcher_134
  • 52. sl0n_185• Check the file 1_sl0n_185.asm• Analyze its structure and actions
  • 53. censored_170• Check the file 3_censored_170.asm• Analyze its structure and actions
  • 54. freeman_163• Check the file 4_freeman_163.asm• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 55. takerZ_160• Check the file 2_takerZ_160.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 56. takerZ_160_148• Check the file 21_takerZ_160_148.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 57. researcher_160• Check the file 5_researcher_160.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one - 2_takerZ_160.asm• Extract the optimization changes• Note the null-free feature
  • 58. researcher_153• Check the file 6_researcher_153.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one - 2_takerZ_160.asm• Extract the optimization changes
  • 59. takerZ_150• Check the file 7_takerZ_150.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 60. researcher_149• Check the file 81_researcher_149.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes• Note the null-free feature
  • 61. researcher_141• Check the file 8_researcher_141.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 62. takerZ_138• Check the file 9_takerZ_138.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 63. researcher_137• Check the file A_researcher_137.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 64. researcher_134• Check the file B_researcher_134.asm• Compile and debug• Analyze its structure and actions• Compare with the previous one• Extract the optimization changes
  • 65. Task for practice – VolgaCTF 2013 Quals – PPC 400• You have some information about a remote vulnerability in a service of our enemies. This service is based on sockets. You have already developed an exploit and the second stage shellcode.• You should write x86 first stage shellcode. Its size should be no more than XXX bytes. Null bytes are allowed.• Hardcoded entrypoint addresses of API and image base addresses of dlls are not allowed. Possible OS platform - Windows, except for Windows 7.• Shellcode must do reverse connect to address 127.0.0.1, port 20480 (5000h), receive exactly 512 bytes (our second stage) to buffer and jump to it (first byte).• The guy who will check your shellcode is a lazy bastard, so you need to wait some time before he will answer.
  • 66. Questions ?