Author Topic: A Brief Look into Shellcoding  (Read 2643 times)

0 Members and 1 Guest are viewing this topic.

Offline parad0x

  • VIP
  • Royal Highness
  • *
  • Posts: 638
  • Cookies: 118
    • View Profile
A Brief Look into Shellcoding
« on: October 15, 2015, 08:07:10 pm »
So it was a regular day on IRC and iTpHo3NiX asked me to write a tut a tut on something like shellcoding or CSRF or something else. I was going for CSRF but that needed to setup a web server and vuln shit so I decided to write on shellcoding :) Without further ado, let's begin.

A Brief Look into Shellcoding

Requirements
  • An x86 linux based OS (for simplifying the process)
  • Decent knowledge of Assembly language
  • A brain( without it, you can't do, trust me)

Alright, we are ready to start.

What really is a shellcode?

From wikipedia - a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Typically written in machine language
Too lazy to define myself :p

Let's get started :)

One thing to note : the shellcode is just like any other piece of code written in assembly language, it can be anything you want, from a hello world printing code to reverse connect shell code to adding users with root priv and anything, possiblities are just endless. We just need to take care of some stuff and I'll be explaining that to you, just keep going.

We'll start with a hello world code :
Code: (Assembly) [Select]
.data
Hello: .ascii "Hello\n"
.text

.globl _start

_start:
# Printing Hello to the screen

movl $4, %eax
movl $1, %ebx
leal Hello, %ecx
movl $6, %edx
int $0x80

# Exiting gracefully
movl $1, %eax
movl $0, %ebx
int $0x80


Now, it prints simply Hello on the command line and exits but the question is can we use this as shellcode? Umm... no because it got a fundamental problem with it and that is the address of the string is statically-binded into the program and when it is injected into another program's memory( as payload ), it won't work as that address may contain something else in that program's memory.

In the screenshot, you can see the highlighted part is the address of the string and is statically binded.

To overcome this problem, we'll have to write a PIC( Position Independent Code) so as to calculate its (string's) location on the fly when it is injected in the memory of a vuln program to execute this :)

Techniques for writing shellcode
There are bascailly (mostly used) 2 techniques for writing the shellcode :
  • CALL-POP
Well, the original is JMP-CALL-POP but I do a CALL-POP as it saves 2 bytes ;) Reason I described here - ShellcodeGod
  • Stack Method

I'll be using CALL-POP here, will use stack technique when it is required. :)
 


Writing the PIC
To get around this problem, we'll use the fact that when the call instruction is executed, it pushes the address of next instruction on the stack as a return address and we'll make this return address point to the string ;)

Code: (Assembly) [Select]
.text

.globl _start


execute:
# Printing Hello to the screen
xorl %eax, %eax
xorl %ebx, %ebx
xorl %edx, %edx

movb $4, %al
movb $1, %bl
popl %ecx # Poping the address of the string in the ECX register
movb $6, %dl
int $0x80

# Exiting gracefully
movb $1, %al
int $0x80

_start:
call execute
hello: .ascii "Hello\n"


Here, in the output you can see I assembled it simply and if you see the output of the both runs, both runs perfectly and in the disassembly of the PIC code, there is NO HARDCODED ADDRESS so we overcame the fundamental problem and this is ready to be used in the shellcode (I also optimized the shellcode and removed the nulls).



Let's try this as shellcode.

You may be thinking that ok, we got it running, we made it PIC but how will we put this in the memory?
Ans. To put this into a program's memory and run this, inject this as a char array of opcodes. What do I mean by that is disassemble the elf file (your shellcode) using objdump and extract the opcodes and then arrange them in order as an array and then make the return pointer to overwrite the return address with your shellcode's address so when the C program(given below) exits, it'll jump to your shellcode and therefore it'll execute this and we are done.
Use the bash script given below to automate this for you ;)


Cool.. it worked perfectly :)

Note : I used this shell script from Here (actually the first comment) to dump the opcodes from the objdump output.

Code: (bash) [Select]
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" ; done
The C code for testing the shellcode is
Code: (C) [Select]
#include<stdio.h>

char shellcode[] = ""; // Your shellcode's opcodes in the double quotes

int main(void){

int *ret;

ret = (int *)&ret + 2;

(*ret) = (int)shellcode;


}

Well, this is the brief intro to shellcoding. What do I have in mind for the next post is to continue this and will teach you how to write some usable shellcode as payload like making directory with permission 777 and how to execute a shell ;)
Stay tuned.

I don't know why the fuck the images are blurry, they were crystal clear when I checked them but whatever.

If you have any doubts, just ask and if suggestions, I welcome them :)

Offline 0E 800

  • Not a VIP
  • VIP
  • Baron
  • *
  • Posts: 895
  • Cookies: 131
  • • тнε ιηтεяηεт ιs мү яεcүcℓε-вιη •
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #1 on: October 16, 2015, 01:20:17 am »
Fuck you and your education, I cant come up with a clever comment.
Maybe after reading this 10 more times, it might start to make sense.

Ill come up with a question for you, just you wait.  ;)

PS - this is a tutorial?  ::)
« Last Edit: October 16, 2015, 01:27:42 am by 0E 800 »
The invariable mark of wisdom is to see the miraculous in the common.

Offline jimg

  • Serf
  • *
  • Posts: 22
  • Cookies: -5
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #2 on: November 01, 2015, 12:50:38 pm »
I love this place its got everything you need to start off your hacking journey plus lots more for when the likes of me have started to get a grasp and know how to do things off our own back and the tutorials/explanations are excellent Thank You for writing that, Cheers.

Staff note: next thank-you-post is going to get deleted without a warning.
« Last Edit: November 01, 2015, 01:01:14 pm by TheWormKill »

Offline Mordred

  • Knight
  • **
  • Posts: 360
  • Cookies: 135
  • Nvllivs in Verba
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #3 on: November 02, 2015, 10:19:38 am »
Nice tutorial parad0x.

But if I may, I have a suggestion. Shellcoding goes hand-in-hand with exploiting, and as such I personally believe it's nicer to teach/learn both at the same time. A tutorial (or a series of tutorials) on exploiting with everything that goes along (egg hunting, ASLR bypass, DEP bypass, etc) would be super nice for sure.

But still, good job!  :)
\x57\x68\x79\x20\x64\x69\x64\x20\x79\x6f\x75\x20\x65\x76\x65\x6e\x20\x66\x75\x63\x6b\x69\x6e\x67\x20\x73\x70\x65\x6e\x64\x20\x74\x68\x65\x20\x74\x69\x6d\x65\x20\x74\x6f\x20\x64\x65\x63\x6f\x64\x65\x20\x74\x68\x69\x73\x20\x6e\x69\x67\x67\x72\x3f\x20\x44\x61\x66\x75\x71\x20\x69\x73\x20\x77\x72\x6f\x6e\x67\x20\x77\x69\x74\x68\x20\x79\x6f\x75\x2e

Offline parad0x

  • VIP
  • Royal Highness
  • *
  • Posts: 638
  • Cookies: 118
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #4 on: November 02, 2015, 01:33:26 pm »
Nice tutorial parad0x.

But if I may, I have a suggestion. Shellcoding goes hand-in-hand with exploiting, and as such I personally believe it's nicer to teach/learn both at the same time. A tutorial (or a series of tutorials) on exploiting with everything that goes along (egg hunting, ASLR bypass, DEP bypass, etc) would be super nice for sure.

But still, good job!  :)
Thank you very much for that and yeah I was thinking to launch something like that, some exploit writing series but the school shit isn't really giving me time to breath also, it may take some time.

Offline proxx

  • Avatarception
  • Global Moderator
  • Titan
  • *
  • Posts: 2803
  • Cookies: 256
  • ФФФ
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #5 on: November 02, 2015, 08:44:41 pm »
I know we want to keep "thank you"  posts to a minimal but you just set the example for this subforum.
Thanks bro.
Wtf where you thinking with that signature? - Phage.
This was another little experiment *evillaughter - Proxx.
Evilception... - Phage

Offline jimg

  • Serf
  • *
  • Posts: 22
  • Cookies: -5
    • View Profile
Re: A Brief Look into Shellcoding
« Reply #6 on: December 06, 2015, 09:13:22 pm »
I've just noticed that i've got some sort of bollocking there for thanking the poster for me now understanding the meaning of shellcode, which i don't understand in the slightest especially since i've always been of the opinion having manners is a good thing so i really don't get what that's about plus i'm new to all this so if there's some reason for it couldn't you of just made me aware of it instead cos i'm baffled especially with others also saying thanks after my post and nothing is said to them,

Offline iTpHo3NiX

  • EZ's Pirate Captain
  • Administrator
  • Titan
  • *
  • Posts: 2920
  • Cookies: 328
    • View Profile
    • EvilZone
Re: A Brief Look into Shellcoding
« Reply #7 on: December 06, 2015, 11:03:43 pm »
I've just noticed that i've got some sort of bollocking there for thanking the poster for me now understanding the meaning of shellcode, which i don't understand in the slightest especially since i've always been of the opinion having manners is a good thing so i really don't get what that's about plus i'm new to all this so if there's some reason for it couldn't you of just made me aware of it instead cos i'm baffled especially with others also saying thanks after my post and nothing is said to them,

There is a thank you button if you want to say thank you. If you want to have a discussion, then you post. Say for example you had a question for further clarification or something added to the thread that you feel may help others. Simply thank you posts are not tolerated because we don't want a bunch of thank you posts that don't hold any meaning. There's a button for that. We have the montra Quality over Quantity. We don't need the forum littered with thank you posts.

Hope that clears it up for you now that this thread has successfully been derailed
[09:27] (+lenoch) iTpHo3NiX can even manipulate me to suck dick
[09:27] (+lenoch) oh no that's voluntary
[09:27] (+lenoch) sorry