shellcode question


K0B4LT


Hi, I read some stuff on the internet saying that a shellcode is a piece of code that exploits a vulnerability, but what programming language is used to make a shellcode? And is there any more stuff that I need to know about the basics of shellcode?


Shellcode can be difficult and it may take a while to study it. Essentially, it is the hex version of machine instructions, written in assembly, that gives an attacker access to a shell by exploiting a vulnerability in a program. This means your code will have to be tailored to the processor architecture you are working with, as each architecture consists of different instruction sets. After you write the assembly code you will need to create the hex version of it (this is the shellcode) and place it in a C program that can inject the code into memory. A good guide is The Shellcoder's Handbook (http://www.amazon.com/The-Shellcoders-Handbook-Discovering-Exploiting/dp/047008023X) and I'm sure you can find some information online.

Edited by sud0nick

When you attack a system with the goal of obtaining a shell on that machine, your attack consists of 2 parts:

- The exploitation code

- The shellcode

The goal of the exploitation code is to use a programming flaw to gain control of the processor registers, specifically the Instruction Pointer (IP) register. This register points to the memory address of the next instruction to fetch and execute.

The shellcode is code that is to be put into the memory space of the target machine and, if executed, starts a shell on the target machine that will run with the same privileges as the program on the target machine that's being exploited.

When you exploit a flaw on a running program thread, you're quite literally taking over the processing flow of that program. It stops doing what the program was meant to do and instead does what you want it to do. Getting your shellcode into memory is the easy part. When you send a packet to a server, that whole packet gets into memory before the program is let loose on it. After you've placed your 'bad' data into memory in such a way that the flaw in the program flow is reached and you gain control of the registers, you get to the tricky bit: you need to get the IP to point at your shellcode and you don't really know where in memory that bit resides. There are solutions to that problem, obviously. I'm sure that book sud0nick referenced will go into great detail on that.

Now, since you're effectively uploading binary, executable machine instructions (we are, after all, populating machine registers here) your shellcode has a tendency to be machine-specific. If you try to run 32-bit shellcode on an exploited 64-bit program chances are the program will crash rather than do your bidding. Same with trying x86 instructions on an Itanium or a Sparc or vice versa. Representing the shellcode as hex data makes it easier for you to work with it (you can write it to the screen for instance) but your target is going to want it in binary form.

Lastly, you can potentially make your shellcode as elaborate as you want, but since most programs start with doing length checks on their input before going into any actual logic (where the real flaws tend to be) you typically want your shellcode to be as compact as possible. Here's an example of one that's 28 bytes and here's a long list of shellcode examples for various target machine types.


So do you tend to code your shellcode instructions in assembly first, or C, or do you just know what machine instructions do what? I kinda know in theory how an exploit works, just haven't ever made one from start to finish completely. Shell code seems to be the last hurdle (that and reversing).

Edited by overwraith

Never coded any shellcode myself, but I think it's straight-up assembly. Though if you look through a few of the non-obfuscated ones, they simply populate a few registers and then invoke a syscall to do the real heavy lifting.


Never coded any shellcode myself, but I think it's straight-up assembly. Though if you look through a few of the non-obfuscated ones, they simply populate a few registers and then invoke a syscall to do the real heavy lifting.

I hope you're right, I bought myself an assembly book recently, am working my way down (up, whatever, towards root) the language hierarchy.


So do you tend to code your shellcode instructions in assembly first, or C, or do you just know what machine instructions do what? I kinda know in theory how an exploit works, just haven't ever made one from start to finish completely. Shell code seems to be the last hurdle (that and reversing).

You typically write your shellcode instructions in assembly first. The C program you need will inject the shellcode (in hex format) into memory. Here is an example of shellcode in a C array:

/* 32-bit Linux x86 shellcode stored as an escaped C string: it zeroes the
   registers, calls setresuid(0, 0, 0) via int 0x80, then builds the string
   "/bin//sh" on the stack and calls execve() with it. */
char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0"
                   "\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
                   "\x2f\x2f\x73\x68\x2f\x62\x69\x6e"
                   "\x89\xe3\x51\x89\xe2\x53\x89\xe1"
                   "\xcd\x80";

int main(void) {
    int *ret;
    /* Classic test harness: assume main's saved return address sits two
       words above the local variable `ret`, and overwrite it with the
       address of the array so that returning from main jumps into the
       shellcode. This depends on the exact 32-bit stack layout, which
       compiler versions and mitigations change. */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}

I also wrote a C program a few years back, called sheller, to automatically take a .bin file and dump the hexcode into a C array in either a C or C++ program. You can check it out here: https://forum.intern0t.org/c-c/3791-sheller.html

The only dependency required for sheller is hexdump.

*EDIT: If you are a C guy and check out my program, I know it uses the goto and system functions. I was new to programming back then. Nevertheless, the program works.

Edited by sud0nick
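As an added example in the spirit of sud0nick's sheller (this is not the thread's code nor sheller itself), a small C program that turns a byte buffer into the escaped `char shellcode[] = "\x.."` form shown above and parses such a literal back into bytes; the function names and the sample bytes are assumptions of mine.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Render raw bytes as the escaped C string form used in the post above,
   per_line bytes per line. Returns a malloc'd string the caller frees. */
char *bytes_to_c_array(const unsigned char *buf, size_t len,
                       const char *name, size_t per_line)
{
    if (per_line == 0 || len == 0) return NULL;
    size_t cap = 80 + 2 * strlen(name) + 4 * len + 8 * (len / per_line + 1);
    char *out = malloc(cap); if (!out) return NULL;
    size_t pos = (size_t)sprintf(out, "unsigned char %s[] =\n", name);
    for (size_t i = 0; i < len; i++) {
        if (i % per_line == 0)                          /* open a line  */
            pos += (size_t)sprintf(out + pos, "    \"");
        pos += (size_t)sprintf(out + pos, "\\x%02x", buf[i]);
        if (i + 1 == len)                               /* last byte    */
            pos += (size_t)sprintf(out + pos, "\";\n");
        else if (i % per_line == per_line - 1)          /* line is full */
            pos += (size_t)sprintf(out + pos, "\"\n");
    }
    sprintf(out + pos, "size_t %s_len = %zu;\n", name, len);
    return out;
}
/* Inverse: decode the \xNN escapes from such a literal, skipping quotes,
   whitespace and anything else. Returns the number of bytes written. */
size_t c_array_to_bytes(const char *lit, unsigned char *out, size_t cap)
{
    size_t n = 0;
    for (const char *p = lit; *p && n < cap; p++) {
        if (p[0] == '\\' && p[1] == 'x' && isxdigit((unsigned char)p[2])
            && isxdigit((unsigned char)p[3])) {
            out[n++] = (unsigned char)strtoul((char[]){p[2], p[3], 0}, NULL, 16);
            p += 3;                 /* skip the two hex digits and the 'x' */
        }
    }
    return n;
}
int main(void)
{
    /* constructed sample bytes (NOPs, a breakpoint and a ret), not shellcode */
    unsigned char sample[] = { 0x90, 0x90, 0x90, 0x90, 0x90, 0xcc, 0xc3 };
    char *src = bytes_to_c_array(sample, sizeof sample, "payload", 4);
    unsigned char back[16];
    printf("%s/* %zu bytes round-tripped */\n", src,
           c_array_to_bytes(src, back, sizeof back));
    free(src);
    return 0;
}
```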
