
Dobin 0x31_Shellcode.pdf

Deck details

Cards 20
Language English
Category Religion/Ethics
Level University
Created / Updated 21.06.2019 / 28.06.2020
Licensing Not specified
Weblink
https://card2brain.ch/box/20190621_dobin_0x31shellcode_pdf

What is shellcode?

Shellcode is the code we want to upload to the remote system

Our "evil code"

It is a set of instructions injected and executed by exploited software


Wikipedia:

In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. 

How does a shellcode work?

  • Assemble instructions
  • Native code which performs a certain action (like starting a shell)

What are the properties of shellcode?

Shellcode properties:

  • Should be small
    • Because we maybe have small buffers in the vulnerable program
  • Position independent
    • Don't know where it will be loaded in the vulnerable program
  • No null characters (0x00)
    • strcpy() etc. will stop copying at the first null byte
  • Self-Contained
    • Don't reference anything outside of shellcode

What are syscalls, why do we use them, what are the alternatives?

In a syscall we ask the kernel to do something for us

Why syscalls?

  • Makes it easy to create shellcode
  • Direct interface to the kernel

Alternative:

  • Call libc code, e.g. write()
  • Problem: we don't know where write() is located in memory!

What is a syscall (according to the man page)?

The syscall (system call) is the fundamental interface between an application and the Linux kernel.

What can be controlled with a syscall in a process?

Process Control:

  • load
  • execute
  • end, abort
  • create process (for example, fork)
  • terminate process
  • get/set process attributes
  • wait for time, wait event, signal event
  • allocate, free memory

Name some things that can be done with syscalls in regard to file management.

File management:

  • create file, delete file
  • open, close
  • read, write, reposition
  • get/set file attributes

What are file descriptors?

File descriptors:

  • 0: Stdin
  • 1: Stdout
  • 2: Stderr

and also:

  • Files
  • Sockets (Network)