6. Shellcode features
• Base independent
• Small size of code
• Written in Assembly Language
• Used as payload in the exploitation of vulnerabilities
7. Types of shellcode
• Local
• Remote
• Download and execute
• Staged
• Null-free shellcode
8. Shellcode development tasks
• Find yourself in memory (delta offset, value of the EIP register – program counter)
• Addressing shellcode variables
• Work with strings
9. Windows specific shellcode tasks
• Find kernel32.dll base address
• Find entry points of needed Win32 API
13. Delta offset
• call next (or call $+5)
• next:
• pop ebp
• sub ebp,offset next
• Open Delta.asm
• Compile and debug it
• Add bytes before start and check
14. Zero-null delta offset variant
• call $+4
• ret
• pop ebp
• Open DeltaNoNull.asm
• Compile and debug it
• Check instruction overlap
15. Addressing shellcode variables
• First – find delta offset of our code
• Commonly used [reg+offset of instruction]
• We can use any registers
• Create VarUsing.asm
• Write in it a base-independent (shellcode-like) variant of the “Usual program” example
• Compile and debug it
16. Addressing shellcode variables through code blocks structure
• call next
• Var dd 12345678h
• next:
• pop esi – now points to Var
• Create VarUsingBlocks.asm
• Modify VarUsing.asm to use this technique
• Compile and debug it
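A detection-side counterpart to the three delta-offset idioms on slides 13, 14 and 16, added here as an example and not part of the original course material: a Python scanner that flags the `call`/`pop` patterns in a byte blob and reports whether the blob is null-free, as a defender would when triaging a captured payload. The sample bytes are constructed from the idioms shown on these slides.

```python
import struct

# POP r32 is a single opcode byte 58h-5Fh; the low 3 bits select the register.
POP_REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def pop_reg(b):
    """Return the register name if byte b encodes 'pop r32', else None."""
    return POP_REGS[b - 0x58] if 0x58 <= b <= 0x5F else None


def find_getpc(blob, max_block=64):
    """Return (offset, idiom, register) for every delta-offset idiom found.

    Recognised idioms (all start with CALL rel32 = E8 xx xx xx xx):
      call $+5 ; pop reg                  slide 13: E8 00 00 00 00 5x
      call $+4 ; ret ; pop reg            slide 14: E8 FF FF FF FF C3 5x (null-free)
      call next ; <data> ; next: pop reg  slide 16: call jumps over an inline data block
    """
    hits = []
    for i in range(len(blob) - 5):
        if blob[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", blob, i + 1)[0]
        after = i + 5                      # return address pushed by the call
        if rel == 0 and pop_reg(blob[after]):
            hits.append((i, "call $+5 / pop", pop_reg(blob[after])))
        elif (rel == -1 and after + 1 < len(blob)
              and blob[after] == 0xC3 and pop_reg(blob[after + 1])):
            # Control lands on the call's own last FFh byte: FF C3 decodes as
            # 'inc ebx', then the pop receives the address of the C3 byte.
            hits.append((i, "call $+4 / ret / pop (null-free)", pop_reg(blob[after + 1])))
        elif 0 < rel <= max_block and after + rel < len(blob) and pop_reg(blob[after + rel]):
            hits.append((i, "call over %d-byte data block / pop" % rel, pop_reg(blob[after + rel])))
    return hits


def has_null_bytes(blob):
    """True if the blob contains 00h, i.e. it is not null-free (slides 57 and 60)."""
    return b"\x00" in blob


# Constructed sample: two NOPs, then the three idioms from the slides back to back.
SAMPLE = bytes.fromhex(
    "90 90"
    "E8 00 00 00 00 5D"                  # call $+5 ; pop ebp
    "E8 FF FF FF FF C3 5D"               # call $+4 ; ret ; pop ebp
    "E8 04 00 00 00 78 56 34 12 5E"      # call next ; Var dd 12345678h ; next: pop esi
)

if __name__ == "__main__":
    for off, idiom, reg in find_getpc(SAMPLE):
        print("offset %2d: %-40s -> %s" % (off, idiom, reg))
    print("null-free:", not has_null_bytes(SAMPLE))
```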
17. Types of strings in shellcodes
• Some parameters
• Names of dll libraries
• Names of Win32 API
18. Using strings in stack
• push ‘yt’
• push ‘rewq’
• mov esi,esp - esi now points to string ‘qwerty’
• Create StringUsingStack.asm using this technique and a string of your choice
• Create StringUsingBlock.asm using the code blocks structure technique
• Compile and debug it
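An analyst-side example added here (not from the original slides): decoding the run of `push` immediates from slide 18 back into the string the shellcode builds on the stack, which is how the ‘qwerty’ string is recovered when reading such code in a disassembler. The sample bytes are constructed from the slide's `push 'yt' / push 'rewq' / mov esi,esp` sequence, assuming MASM's numeric interpretation of multi-character constants.

```python
import struct


def decode_pushes(code):
    """Collect the immediates of a run of PUSH instructions starting at offset 0.

    Handles 68 imm32 (push imm32), 66 68 imm16 (push imm16) and 6A imm8
    (push imm8, sign-extended to a dword). Returns (stack_bytes, next_offset).
    """
    pieces = []
    i = 0
    while i < len(code):
        op = code[i]
        if op == 0x68 and i + 5 <= len(code):
            pieces.append(code[i + 1:i + 5])
            i += 5
        elif op == 0x66 and i + 4 <= len(code) and code[i + 1] == 0x68:
            pieces.append(code[i + 2:i + 4])
            i += 4
        elif op == 0x6A and i + 2 <= len(code):
            imm8 = struct.unpack_from("<b", code, i + 1)[0]
            pieces.append(struct.pack("<i", imm8))
            i += 2
        else:
            break
    # The stack grows down: the last push ends up at the lowest address,
    # so reading memory upward from esp means walking the pushes in reverse.
    return b"".join(reversed(pieces)), i


def stack_string(code):
    """Return (string, next_offset): the C string left at esp after the pushes."""
    data, end = decode_pushes(code)
    return data.split(b"\x00", 1)[0].decode("ascii", "replace"), end


# Constructed sample of slide 18: push 'yt' ; push 'rewq' ; mov esi,esp.
# MASM treats 'yt' as the number 7974h, so its little-endian bytes are 74 79 00 00.
SLIDE18 = bytes.fromhex(
    "68 74 79 00 00"   # push 'yt'   -> "ty\0\0"
    "68 71 77 65 72"   # push 'rewq' -> "qwer"
    "89 E6"            # mov esi,esp
)

if __name__ == "__main__":
    text, end = stack_string(SLIDE18)
    print("string at esp: %r, code continues at offset %d" % (text, end))
```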
19. Hashes are smaller than strings
• One hash – 4 bytes
• Hash procedure – x bytes
• Total size of Win32 API names- y bytes
• If (x+4) is less than y, we must use hashes
20. Restricted but weak hashes
• We can check the API namespace of the dll libraries used in our shellcode for 2-byte or even 1-byte hashes
21. A few symbols are smaller than a hash
• We can check the API namespace of the dll libraries used in our shellcode for unique symbols in different positions of the API name
• If we find such “unique positions” we can use them for checking needed APIs
22. Find entry points of needed Win32 API
• Using hardcoded addresses of API
• Scan for GetProcAddress
• Find API from Export
23. Using hardcoded addresses of API
• Find addresses of needed API in an OS similar to the target
• Hardcode them into shellcode
• For example:
• call 7c801d7bh – kernel32.LoadLibraryA
24. Ways to find kernel32.dll Base Address
• Hardcoded address
• PEB based (Process Environment Block)
• SEH based (Structured Exception Handler)
• From TOP of the STACK
42. Common optimization rules
• Relative addresses, offsets and immediate values take less space in the instruction if they are between -128 and +127 (fit in one byte, 00h-0FFh)
• Some instructions with eax/ax/al are 1 byte shorter
• 1-byte instructions: push reg, pop reg, inc reg, dec reg, xchg eax,reg
• Chained instructions are best
50. Prehistory
• On 3 January 2009 a guy with the nickname “sl0n” proposed a “New Year competition of smallest download and execute shellcode”
• Link: http://wasm.ru/forum/viewtopic.php?pid=288731
• Participants: sl0n, takerZ cencored, freeman, researcher (me)
54. freeman_163
• Check the file 4_freeman_163.asm
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
55. takerZ_160
• Check the file 2_takerZ_160.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
56. takerZ_160_148
• Check the file 21_takerZ_160_148.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
57. researcher_160
• Check the file 5_researcher_160.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous - 2_takerZ_160.asm
• Extract optimization changes
• Note the null-free feature
58. researcher_153
• Check the file 6_researcher_153.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous - 2_takerZ_160.asm
• Extract optimization changes
59. takerZ_150
• Check the file 7_takerZ_150.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
60. researcher_149
• Check the file 81_researcher_149.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
• Note the null-free feature
61. researcher_141
• Check the file 8_researcher_141.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
62. takerZ_138
• Check the file 9_takerZ_138.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
63. researcher_137
• Check the file A_researcher_137.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
64. researcher_134
• Check the file B_researcher_134.asm
• Compile and debug
• Analyze its structure and actions
• Compare with previous
• Extract optimization changes
65. Task for Practice – VolgaCTF 2013 Quals – PPC 400
• You have some information about a remote vulnerability in a service of our enemies. This service is based on sockets. You have already developed an exploit and the second stage shellcode.
• You should write x86 first stage shellcode. Its size should be no more than XXX bytes. Null bytes are allowed.
• Hardcoded entrypoint addresses of API and image base addresses of dlls are not allowed. Possible OS platform - Windows, except for Windows 7.
• Shellcode must do reverse connect to address 127.0.0.1, port 20480 (5000h), receive exactly 512 bytes (our second stage) to buffer and jump to it (first byte).
• The guy who will check your shellcode is a lazy bastard, so you need to wait some time before he will answer.