SlideShare a Scribd company logo

Shellcode injection

Dhaval Kapil
Dhaval Kapil

A talk about injecting shellcode in a binary vulnerable to buffer overflow as well as bypassing ASLR(Address Space Layout Randomization)

Technology
1 of 26
Download to read offline
Shellcode Injection by Overflowing the Buffer and bypassing ASLR
● mount ● umount ● su ● sudo ● ping ● passwd
All are SUID binaries -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping Execute with root permissions even when run by non-root users
char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability Exploiting to execute your own code with root access!
@dhaval_kapil B. Tech Computer Science and Engineering Department IIT Roorkee DHAVAL KAPIL
Memory Layout of a C Program http://i.stack.imgur.com/1Yz9K.gif
Some Common Registers 1. %eip: instruction pointer register 2. %esp: stack pointer register 3. %ebp: base pointer register
Stack Layout
Overflowing the Buffer Overwriting return address char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability
<return address> < %ebp > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ‘target’ points here Space allocated for ‘target’ Overwrite this STACK
● gets() ● scanf() ● sprintf() ● strcpy() ● strcat()
SHELLCODE INJECTION Make vulnerable programs execute your own code
Three step procedure: 1. Crafting Shellcode 2. Injecting Shellcode 3. Modify Execution Flow - Run the Shellcode
CRAFTING SHELLCODE ● Need to craft the compiled machine code ● Steps: ○ Write assembly code ○ Assemble this code ○ Extract bytes from machine code
x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex8 9xe3x50x89xe2x53x89xe1xb0x0bxcdx80
INJECTING SHELLCODE ● Input taken by the program ● External files read by the program ● Arguments to the program Somehow the shellcode injected should be loaded into the memory of the program with guessable addresses
TRANSFER EXECUTION FLOW ● Overwrite return address by overflowing the buffer ● Overwrite .got.plt/.fini_array section using a format string vulnerability Make any of these addresses point to your shellcode
<Address of target> random bytes - - - - random bytes random bytes random bytes shellcode - - - - shellcode shellcode ‘target’ points here Space allocated for ‘target’ STACK return address %ebp
Address of ‘target’ on the stack can be found using debuggers like gdb To prevent such attacks, modern operating systems implement ASLR
ASLR Address Space Layout Randomization ● Memory protection process ● Randomizes the location where executables are loaded in memory ● Nearly impossible to guess addresses on stack ● Probability of hitting a random address = 5.96046448e-8
NOP Sled ● Sequence of NOP(No-OPeration) instructions x90x90x90x90x90x90x90x90x90x90x90 ● ‘Slides’ CPU’s execution flow forward
Idea: ● payload = NOP sled(size n) + shellcode x90x90x90x90…x90 [SHELLCODE] ● Probability of success rate while attacking = n * 5.96046448 e-8 Bypassing ASLR
Size of NOP Sled Probability of shellcode execution Average no of tries needed to succeed once 40 2.384185e-06 419431 100 5.960464e-06 167773 500 2.980232e-05 33555 1000 5.960464e-05 16778 10000 5.960464e-04 1678 100000 5.960464e-03 168
● Inject payload in environment variable ● Not much restriction on size. Strings of order 100000 can be stored ● Environment variables are pushed on stack Bypassing payload size restriction
DEMO
Q & A Further Reading https://dhavalkapil.com/blogs/Shellcode-Injection/ Slides https://speakerdeck.com/dhavalkapil

Recommended

Chuong2
Chuong2Chuong2
Chuong2
bebuxauxi
 
03 lap trinh hop ngu voi 8086
03 lap trinh hop ngu voi 808603 lap trinh hop ngu voi 8086
03 lap trinh hop ngu voi 8086
onlylove511
 
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tính
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tínhNgân hàng câu hỏi trắc nghiệm kiến trúc máy tính
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tính
kakalaxaxa
 
Xử lí tín hiệu số
Xử lí tín hiệu số Xử lí tín hiệu số
Xử lí tín hiệu số
Tran An
 
Basic processing unit by aniket bhute
Basic processing unit by aniket bhuteBasic processing unit by aniket bhute
Basic processing unit by aniket bhute
Aniket Bhute
 
xử lý số tín hiệu -Chuong 4
xử lý số tín hiệu -Chuong 4xử lý số tín hiệu -Chuong 4
xử lý số tín hiệu -Chuong 4
Ngai Hoang Van
 
C đến C++ phần 1
C đến C++ phần 1C đến C++ phần 1
C đến C++ phần 1
TechMaster Vietnam
 
Bo nho
Bo nhoBo nho
Bo nho
trungnb22
 

Recommended

Chuong2
Chuong2Chuong2
Chuong2
bebuxauxi
 
03 lap trinh hop ngu voi 8086
03 lap trinh hop ngu voi 808603 lap trinh hop ngu voi 8086
03 lap trinh hop ngu voi 8086
onlylove511
 
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tính
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tínhNgân hàng câu hỏi trắc nghiệm kiến trúc máy tính
Ngân hàng câu hỏi trắc nghiệm kiến trúc máy tính
kakalaxaxa
 
Xử lí tín hiệu số
Xử lí tín hiệu số Xử lí tín hiệu số
Xử lí tín hiệu số
Tran An
 
Basic processing unit by aniket bhute
Basic processing unit by aniket bhuteBasic processing unit by aniket bhute
Basic processing unit by aniket bhute
Aniket Bhute
 
xử lý số tín hiệu -Chuong 4
xử lý số tín hiệu -Chuong 4xử lý số tín hiệu -Chuong 4
xử lý số tín hiệu -Chuong 4
Ngai Hoang Van
 
C đến C++ phần 1
C đến C++ phần 1C đến C++ phần 1
C đến C++ phần 1
TechMaster Vietnam
 
Bo nho
Bo nhoBo nho
Bo nho
trungnb22
 
Ktmt chuong 3
Ktmt chuong 3Ktmt chuong 3
Ktmt chuong 3
Tùng Tò Mò
 
Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06
Nhóc Nhóc
 
Meteor IFAS, Epuration biologique des eaux usées
Meteor IFAS, Epuration biologique des eaux uséesMeteor IFAS, Epuration biologique des eaux usées
Meteor IFAS, Epuration biologique des eaux usées
Degrémont
 
Chap6
Chap6Chap6
Chap6
Thưởng Trần Công
 
mạch tổ hợp và mạch trình tự - Điện tử Đo lường
mạch tổ hợp và mạch trình tự - Điện tử Đo lườngmạch tổ hợp và mạch trình tự - Điện tử Đo lường
mạch tổ hợp và mạch trình tự - Điện tử Đo lường
Chia sẻ tài liệu học tập
 
DRPE : Evaluation du risque d’inondation
DRPE : Evaluation du risque d’inondationDRPE : Evaluation du risque d’inondation
DRPE : Evaluation du risque d’inondation
OECD Governance
 
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-anCau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
Huynh MVT
 
Abh Sebou : Prevention et protection inondations
Abh Sebou : Prevention et protection inondationsAbh Sebou : Prevention et protection inondations
Abh Sebou : Prevention et protection inondations
OECD Governance
 
Agence Aménagement de la Vallée du Bouregreg
Agence Aménagement de la Vallée du BouregregAgence Aménagement de la Vallée du Bouregreg
Agence Aménagement de la Vallée du Bouregreg
OECD Governance
 
Os 5 - memory management
Os 5 - memory managementOs 5 - memory management
Os 5 - memory management
Dat Ngo
 
Chuong Iv1
Chuong Iv1Chuong Iv1
Chuong Iv1
ASSA Company
 
Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013
Muhammmad AlKholif
 
Guide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellementGuide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellement
Souhila Benkaci
 
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
dinhvan12345
 
Anhnh osg202-1
Anhnh osg202-1Anhnh osg202-1
Anhnh osg202-1
QuynBiVn1
 
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại viĐề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đỗ Đức Hùng
 
Trac nghiem thong tin di dong
Trac nghiem thong tin di dongTrac nghiem thong tin di dong
Trac nghiem thong tin di dong
Little April
 
Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04
Nhóc Nhóc
 
Memory management ppt coa
Memory management ppt coaMemory management ppt coa
Memory management ppt coa
Bharti Khemani
 
EE5440 – Computer Architecture - Lecture 2
EE5440 – Computer Architecture - Lecture 2EE5440 – Computer Architecture - Lecture 2
EE5440 – Computer Architecture - Lecture 2
Dilawar Khan
 
Exploitation
ExploitationExploitation
Exploitation
Security B-Sides
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
Positive Hack Days
 

More Related Content

What's hot

Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06
Nhóc Nhóc
 
Os 5 - memory management
Os 5 - memory managementOs 5 - memory management
Os 5 - memory management
Dat Ngo
 
Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013
Muhammmad AlKholif
 
Guide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellementGuide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellement
Souhila Benkaci
 
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
dinhvan12345
 
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại viĐề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đỗ Đức Hùng
 
Trac nghiem thong tin di dong
Trac nghiem thong tin di dongTrac nghiem thong tin di dong
Trac nghiem thong tin di dong
Little April
 
Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04
Nhóc Nhóc
 

What's hot (20)

Ktmt chuong 3
Ktmt chuong 3Ktmt chuong 3
Ktmt chuong 3
 
Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06Kiến trúc máy tính và hợp ngữ bài 06
Kiến trúc máy tính và hợp ngữ bài 06
 
Meteor IFAS, Epuration biologique des eaux usées
Meteor IFAS, Epuration biologique des eaux uséesMeteor IFAS, Epuration biologique des eaux usées
Meteor IFAS, Epuration biologique des eaux usées
 
Chap6
Chap6Chap6
Chap6
 
mạch tổ hợp và mạch trình tự - Điện tử Đo lường
mạch tổ hợp và mạch trình tự - Điện tử Đo lườngmạch tổ hợp và mạch trình tự - Điện tử Đo lường
mạch tổ hợp và mạch trình tự - Điện tử Đo lường
 
DRPE : Evaluation du risque d’inondation
DRPE : Evaluation du risque d’inondationDRPE : Evaluation du risque d’inondation
DRPE : Evaluation du risque d’inondation
 
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-anCau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
Cau hoi-trac-nghiem-thong-tin-di-dong-co-dap-an
 
Abh Sebou : Prevention et protection inondations
Abh Sebou : Prevention et protection inondationsAbh Sebou : Prevention et protection inondations
Abh Sebou : Prevention et protection inondations
 
Agence Aménagement de la Vallée du Bouregreg
Agence Aménagement de la Vallée du BouregregAgence Aménagement de la Vallée du Bouregreg
Agence Aménagement de la Vallée du Bouregreg
 
Os 5 - memory management
Os 5 - memory managementOs 5 - memory management
Os 5 - memory management
 
Chuong Iv1
Chuong Iv1Chuong Iv1
Chuong Iv1
 
Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013Penyusunan perencanaan sistem pengelolaan air limbah 2013
Penyusunan perencanaan sistem pengelolaan air limbah 2013
 
Guide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellementGuide gestion eaux_pluviales_ruissellement
Guide gestion eaux_pluviales_ruissellement
 
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học150 câu trắc nghiệm hệ thống viễn thông hệ đại học
150 câu trắc nghiệm hệ thống viễn thông hệ đại học
 
Anhnh osg202-1
Anhnh osg202-1Anhnh osg202-1
Anhnh osg202-1
 
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại viĐề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
Đề Cương ôn tập kiến trúc máy tính và thiết bị ngoại vi
 
Trac nghiem thong tin di dong
Trac nghiem thong tin di dongTrac nghiem thong tin di dong
Trac nghiem thong tin di dong
 
Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04Kiến trúc máy tính và hợp ngữ bài 04
Kiến trúc máy tính và hợp ngữ bài 04
 
Memory management ppt coa
Memory management ppt coaMemory management ppt coa
Memory management ppt coa
 
EE5440 – Computer Architecture - Lecture 2
EE5440 – Computer Architecture - Lecture 2EE5440 – Computer Architecture - Lecture 2
EE5440 – Computer Architecture - Lecture 2
 

Viewers also liked

One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
Quinn Wilton
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
Ryan Wincey
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
Z Chen
 

Viewers also liked (20)

Exploitation
ExploitationExploitation
Exploitation
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Dns security
Dns securityDns security
Dns security
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Manual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerManual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT Broker
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.
 
DLL Injection
DLL InjectionDLL Injection
DLL Injection
 
DNS
DNSDNS
DNS
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineering
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
 

Similar to Shellcode injection

JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame Graphs
Brendan Gregg
 

Similar to Shellcode injection (20)

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
Automate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform AttackAutomate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform Attack
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
php & performance
php & performance php & performance
php & performance
 
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86
 
JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame Graphs
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Cuda debugger
Cuda debuggerCuda debugger
Cuda debugger
 
Qore for the Perl Programmer
Qore for the Perl ProgrammerQore for the Perl Programmer
Qore for the Perl Programmer
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Perl at SkyCon'12
Perl at SkyCon'12Perl at SkyCon'12
Perl at SkyCon'12
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Recently uploaded (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 

Shellcode injection

  • 1. Shellcode Injection by Overflowing the Buffer and bypassing ASLR
  • 2. ● mount ● umount ● su ● sudo ● ping ● passwd
  • 3. All are SUID binaries -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping Execute with root permissions even when run by non-root users
  • 4. char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability Exploiting to execute your own code with root access!
  • 5. @dhaval_kapil B. Tech Computer Science and Engineering Department IIT Roorkee DHAVAL KAPIL
  • 6. Memory Layout of a C Program http://i.stack.imgur.com/1Yz9K.gif
  • 7. Some Common Registers 1. %eip: instruction pointer register 2. %esp: stack pointer register 3. %ebp: base pointer register
  • 9. Overflowing the Buffer Overwriting return address char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability
  • 10. <return address> < %ebp > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ‘target’ points here Space allocated for ‘target’ Overwrite this STACK
  • 11. ● gets() ● scanf() ● sprintf() ● strcpy() ● strcat()
  • 12. SHELLCODE INJECTION Make vulnerable programs execute your own code
  • 13. Three step procedure: 1. Crafting Shellcode 2. Injecting Shellcode 3. Modify Execution Flow - Run the Shellcode
  • 14. CRAFTING SHELLCODE ● Need to craft the compiled machine code ● Steps: ○ Write assembly code ○ Assemble this code ○ Extract bytes from machine code
  • 16. INJECTING SHELLCODE ● Input taken by the program ● External files read by the program ● Arguments to the program Somehow the shellcode injected should be loaded into the memory of the program with guessable addresses
  • 17. TRANSFER EXECUTION FLOW ● Overwrite return address by overflowing the buffer ● Overwrite .got.plt/.fini_array section using a format string vulnerability Make any of these addresses point to your shellcode
  • 18. <Address of target> random bytes - - - - random bytes random bytes random bytes shellcode - - - - shellcode shellcode ‘target’ points here Space allocated for ‘target’ STACK return address %ebp
  • 19. Address of ‘target’ on the stack can be found using debuggers like gdb To prevent such attacks, modern operating systems implement ASLR
  • 20. ASLR Address Space Layout Randomization ● Memory protection process ● Randomizes the location where executables are loaded in memory ● Nearly impossible to guess addresses on stack ● Probability of hitting a random address = 5.96046448e-8
  • 21. NOP Sled ● Sequence of NOP(No-OPeration) instructions x90x90x90x90x90x90x90x90x90x90x90 ● ‘Slides’ CPU’s execution flow forward
  • 22. Idea: ● payload = NOP sled(size n) + shellcode x90x90x90x90…x90 [SHELLCODE] ● Probability of success rate while attacking = n * 5.96046448 e-8 Bypassing ASLR
  • 23. Size of NOP Sled Probability of shellcode execution Average no of tries needed to succeed once 40 2.384185e-06 419431 100 5.960464e-06 167773 500 2.980232e-05 33555 1000 5.960464e-05 16778 10000 5.960464e-04 1678 100000 5.960464e-03 168
  • 24. ● Inject payload in environment variable ● Not much restriction on size. Strings of order 100000 can be stored ● Environment variables are pushed on stack Bypassing payload size restriction
  • 25. DEMO
  • 26. Q & A Further Reading https://dhavalkapil.com/blogs/Shellcode-Injection/ Slides https://speakerdeck.com/dhavalkapil