K0B4LT Posted October 27, 2014

Hi, I read some stuff on the internet that shellcode is a piece of code that exploits a vulnerability, but what programming language is used to make shellcode? And is there any more stuff I need to know about the basics of shellcode?
sud0nick Posted October 28, 2014

Shellcode can be difficult and it may take a while to study it. Essentially, it is the hex version of machine instructions, written in assembly, that gives an attacker access to a shell by exploiting a vulnerability in a program. This means your code will have to be tailored to the processor architecture you are working with, as each architecture consists of different instruction sets. After you write the assembly code you will need to create the hex version of it (this is the shellcode) and place it in a C program that can inject the code into memory. A good guide is The Shellcoder's Handbook (http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X) and I'm sure you can find some information online.

Edited October 28, 2014 by sud0nick
cooper Posted October 28, 2014

When you attack a system with the goal of obtaining a shell on that machine, your attack consists of 2 parts:

- The exploitation code
- The shellcode

The goal of the exploitation code is to use a programming flaw to gain control of the processor registers, specifically the Instruction Pointer (IP) register. This register points to the memory address of the next instruction to fetch and execute. The shellcode is code that is to be put into the memory space of the target machine and, if executed, starts a shell on the target machine that will run with the same privileges as the program on the target machine that's being exploited.

When you exploit a flaw in a running program thread, you're quite literally taking over the processing flow of that program. It stops doing what the program was meant to do and instead does what you want it to do.

Getting your shellcode into memory is the easy part. When you send a packet to a server, that whole packet gets into memory before the program is let loose on it. After you've placed your 'bad' data into memory in such a way that the flaw in the program flow is reached and you gain control of the registers, you get to the tricky bit: you need to get the IP to point at your shellcode, and you don't really know where in memory that bit resides. There are solutions to that problem, obviously. I'm sure that book sud0nick referenced will go into great detail on that.

Now, since you're effectively uploading binary, executable machine instructions (we are, after all, populating machine registers here), your shellcode has a tendency to be machine-specific. If you try to run 32-bit shellcode on an exploited 64-bit program, chances are the program will crash rather than do your bidding. Same with trying x86 instructions on an Itanium or a SPARC, or vice versa.

Representing the shellcode as hex data makes it easier for you to work with it (you can write it to the screen, for instance), but your target is going to want it in binary form. Lastly, you can potentially make your shellcode as elaborate as you want, but since most programs start with doing length checks on their input before going into any actual logic (where the real flaws tend to be), you typically want your shellcode to be as compact as possible. Here's an example of one that's 28 bytes and here's a long list of shellcode examples for various target machine types.
overwraith Posted October 28, 2014

So do you tend to code your shellcode instructions in assembly first, or C, or do you just know what machine instructions do what? I kinda know in theory how an exploit works, just haven't ever made one from start to finish completely. Shellcode seems to be the last hurdle (that and reversing).

Edited October 28, 2014 by overwraith
cooper Posted October 28, 2014

Never coded any shellcode myself, but I think it's straight-up assembly. Though if you look through a few of the non-obfuscated ones, they simply populate a few registers and then invoke a syscall to do the real heavy lifting.
overwraith Posted October 28, 2014

> Never coded any shellcode myself, but I think it's straight-up assembly. Though if you look through a few of the non-obfuscated ones, they simply populate a few registers and then invoke a syscall to do the real heavy lifting.

I hope you're right. I bought myself an assembly book recently, am working my way down (up, whatever, towards root) the language hierarchy.
sud0nick Posted October 28, 2014

> So do you tend to code your shellcode instructions in assembly first, or C, or do you just know what machine instructions do what? I kinda know in theory how an exploit works, just haven't ever made one from start to finish completely. Shellcode seems to be the last hurdle (that and reversing).

You typically write your shellcode instructions in assembly first. The C program you need will inject the shellcode (in hex format) into memory. Here is an example of shellcode in a C array:

    /* Linux x86 (32-bit) shellcode: setresuid(0,0,0); execve("//bin/sh", {"//bin/sh", NULL}, NULL)
     * via int 0x80. Written NUL-free so it survives strcpy()-style copies. */
    char shellcode[] =
        "\x31\xc0\x31\xdb\x31\xc9\x99\xb0"
        "\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
        "\x2f\x2f\x73\x68\x2f\x62\x69\x6e"
        "\x89\xe3\x51\x89\xe2\x53\x89\xe1"
        "\xcd\x80";

    int main(void)
    {
        int *ret;
        /* Point at main()'s own saved return address, assuming it sits two ints
         * above `ret` on the stack (32-bit build, no stack protector), and
         * overwrite it so that returning from main() jumps into the shellcode.
         * The stack must be executable for the jump to succeed. */
        ret = (int *)&ret + 2;
        (*ret) = (int)shellcode;
    }

I also wrote a C program a few years back, called sheller, to automatically take a .bin file and dump the hexcode into a C array in either a C or C++ program. You can check it out here: https://forum.intern0t.org/c-c/3791-sheller.html The only dependency required for sheller is hexdump.

*EDIT: If you are a C guy and check out my program, I know it uses the goto and system functions. I was new to programming back then. Nevertheless, the program works.

Edited October 28, 2014 by sud0nick
overwraith Posted October 28, 2014

Gotos aren't that hard to fix, will check it out. Then again, if it works don't fix it. Thanks for the links, and for explaining how this stuff works.
cooper Posted October 28, 2014

Kudos on making sure the thing was documented. If I look back at my early-days programming, it wasn't half as readable as that.