Dobin 0x31_Shellcode.pdf
Dobin 0x31_Shellcode.pdf
Dobin 0x31_Shellcode.pdf
Kartei Details
| Karten | 20 |
|---|---|
| Sprache | English |
| Kategorie | Religion/Ethik |
| Stufe | Universität |
| Erstellt / Aktualisiert | 21.06.2019 / 28.06.2020 |
| Weblink |
https://card2brain.ch/box/20190621_dobin_0x31shellcode_pdf
|
| Einbinden |
<iframe src="https://card2brain.ch/box/20190621_dobin_0x31shellcode_pdf/embed" width="780" height="150" scrolling="no" frameborder="0"></iframe>
|
What is shellcode?
Shellcode is the code we want to upload to the remote system
Our "evil code"
It is a set of instructions injected and executed by exploited software
Wikipedia:
In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.
How does a shellcode work?
- Assemble instructions
- Native code which perfoms a certain action (like starting a shell)
What are the proerties of shellcode?
Shellcode properties:
- Should be small
- Because we maybe have small buffers in the vulnerable program
- Position independent
- Don't know where it will be loaded in the vulnerable program
- No Null Characters (0x00)
- Strcpy etc. will stop copying after Null bytes
- Self-Contained
- Don't reference anything outside of shellcode
What are syscalls, why do we use them, what are the alternatives?
In a syscall we ask the kernel to do something for us
Why syscalls?
- Makes it easy to create shellcode
- Direct interface to the kernel
Alternative:
- Call LIBC code; write()
- Problem: Don't know where write() is located!
What is a syscall (acording to man page)?
The syscall (system call) is the fundamental interface between an application and the Linux kernel.
What can be controlled with a syscall in a process?
Process Control:
- load
- execute
- end, abort
- create process (for example, fork)
- terminate process
- get/set process attributes
- wait for time, wait event, signal event
- allocate, free memory
Name some things that can be done with syscalls in regard to file management.
File management:
- create file, delete file
- open, close
- read, write, reposition
- get/set file attributes
What are file descriptors?
File descriptors?
- 0: Stdin
- 1: Stdout
- 2: Stderr
and also:
- Files
- Sockets (Network)
what are the 3 steps needed in order to run shell code?
- Compile it
- Link it
- Execute it
What are problems with shellcode?
Problems with the shellcode:
- Null bytes (cant contain null bytes because it signals the end of a string)
- References data sectaion / Not position independent.
In shell code why are null bytes a problem?
Null bytes are a problem in shell code because:
- It's a string delimiter
- Strcpy() etc... will stop copying if ti encounters a 0 byte
How can you fix null bytes in shellcode?
- Replace instructions which contain 0 bytes
- Note: This is more an art than a thechnique.
In shellcode how can we fix stack references to make the shell code position independent?
Problem:
- The current shellcode refernces a string from the data section
- In an exploit we can only execute code
- not (yet) modified data
Solution:
- Remove dependency on the data section
- By storing the same data directly in the code
- And move it to the stack
How do we get data to be in the code section?
- Push the data onto the stack
- Reference the data on the stack (for the system call)
What are the different types of shell's provided by shellcode?
Local shell (privilege escalation)
Remote shell
- Reverse
- Bind
- Find
How does the Bind shell connect the attacker to the victim machine?
How does a reverse shell connect to the attacker to the victim?
How does a Find shell connect the attacker to the victim?
Why is metasploit a usefull tool when creating shellcode?
Metasploit is a framework that generates shell code for a wide variety of architectures.
How can you detect shell code?
How to detect shellcode usage:
- Find NOPs (lots of 0x90)
- Find stager
- Find stage 1 / stage 2
NIDS: Network based instruction detections system
HIDS: Host based intrusion detection system
These systems can detect shell code.
