Shellcode Development by S4j8rHb


   -Femi Oloyede
   -Pallavi Murudkar

   - Introduction
   - What can Shellcode do?
   - Tools for Shellcode Development
   - Understanding Shellcode
   - Developing Shellcode
   - Methods of Detecting Shellcode

Introduction

   - Shellcode is defined as a set of instructions injected into, and then executed by, an exploited program.
   - Shellcode is primarily used to exploit buffer overflows.
   - The most important task when creating shellcode is to make it small and executable.
What can Shellcode do?

   - Provide access to the attacked system
   - Spawn /bin/sh or cmd.exe (local shell)
   - Bind a shell to a port (remote shell)
   - Add a root/admin user to the system
Tools for Shellcode Development

   - Nasm: used to write assembly code
   - Gdb: the GNU debugger, used to analyze core dump files
   - Objdump: used to disassemble a file
   - Ktrace: traces all system calls a process is using
Understanding Shellcode

   - IA-32 machine architecture (instruction set and registers)
   - Program flow dynamics: process memory organization, and context switching during function calls and interrupt processing
   - Shellcode is injected via modification of the return address of a function by way of a stack-based buffer overflow
Machine Architecture

   Refer to the IA-32 Intel® Architecture Software Developer's Manual, Volume 1: Basic Architecture.

   A large amount of computer software supports the platform, including operating systems such as MS-DOS, Windows, Linux, BSD, Solaris, and Mac OS X.

   EBP   Base pointer. Primarily used to hold the address of the current stack frame. Also sometimes used as a general data or address register.
   ESI   General register or "source index" for string operations. Also has a one-byte LODS[size] instruction for loading data from memory into the accumulator.
   EDI   General register or "destination index" for string operations. Also has a one-byte STOS[size] instruction to write data out of the accumulator.
   ESP   Stack pointer. Holds the top address of the stack.
   EIP   Instruction pointer. Holds the address of the current instruction.
Program Flow Dynamics

   Process memory layout, from lower to higher addresses: Text Area; Initialized and Uninitialized Data Area; Stack.

   C code:

       void A(int a, int b, int c)
       {
           char buffer1[5];
           char buffer2[10];
       }

       int main()            /* the slide had void main() but returns a value, so int main() */
       {
           A(1, 2, 3);
           return 0;
       }

   Assembly code:

       pushl $3              ; caller pushes the arguments right to left
       pushl $2
       pushl $1
       call A                ; pushes the return address (RET) and jumps to A
       pushl %ebp            ; prologue of A: save the previous frame pointer (SFP)
       movl %esp,%ebp        ; the new frame pointer
       subl $20,%esp         ; reserve space for buffer1 (8 bytes) and buffer2 (12 bytes)
Program Flow Dynamics

   Stack frame of A after its prologue (top of the stack on the left, bottom on the right; sizes in bytes):

   Top of  | Buffer2 | Buffer1 | SFP | RET |  a  |  b  |  c  | Bottom of
   Stack   |   12    |    8    |  4  |  4  |  4  |  4  |  4  | Stack

   - ESP (Stack Pointer): top of the frame after subl $20,%esp
   - EBP (Base or frame Pointer): points at SFP after movl %esp,%ebp
   - SFP: address of the previous frame pointer, saved by pushl %ebp
   - RET: address of the 'return 0' instruction of main
   - EIP (Instruction Pointer): address of the last instruction in A
Stack Based Buffer Overflow

       #include <string.h>

       void A(char *str)
       {
           char buffer[4];
           strcpy(buffer, str);     /* unbounded copy, as the diagram below implies: writes past the 4-byte buffer */
       }

       int main()
       {
           char BiggerString[] = "AAAAAAAAAAAA";   /* twelve 'A's plus the terminating NUL */
           A(BiggerString);
           return 0;
       }

   Top of  | Buffer1 (4) | SFP (4) | RET (4) | charPtr (str) | Bottom of
   Stack   |    AAAA     |  AAAA   |  AAAA   |               | Stack

   The twelve bytes overrun the 4-byte buffer and overwrite the saved frame pointer and the return address: a stack buffer overflow.
Developing Shellcode

   - Finding the vulnerability
   - Writing the shellcode
       - Shellcode is a sequence of machine instructions, or opcodes.
       - To take advantage of the injected code and gain access to the target system, system calls must be made.
       - On Linux there are two ways of implementing a system call: the lcall7/lcall27 call gates and the 'INT 0x80' software interrupt.

Example – Spawning a Shell

   - Write the C code
   - Extract the assembly code
   - Extract the opcodes
   - Append function-exit opcodes so that the function exits gracefully
   - Initialize a buffer with the shellcode

       #include <stdio.h>
       #include <unistd.h>      /* execve */

       int main()
       {
           char *name[2];

           name[0] = "/bin/sh";
           name[1] = NULL;
           execve(name[0], name, NULL);
           return 0;
       }
Example – Spawning a Shell

       /* IA-32 (32-bit) code: the cast of a pointer to int assumes 4-byte pointers */
       char shellcode[] = /* the opcode string is not reproduced on the slide */ ;

       int main()
       {
           int *retPtr;

           /* retPtr sits below SFP and RET in main's frame, so two words up is RET */
           retPtr = (int *)&retPtr + 2;
           /* overwrite main's return address with the address of the shellcode buffer */
           (*retPtr) = (int) shellcode;
           return 0;
       }

   Top of  | retPtr (4)              | SFP (4) | RET (4)              | … | Bottom of
   Stack   | address of this + 2     |         | address of shellcode |   | Stack
           | words                   |         |                      |   |

Methods of Detecting Shellcode

   - NIDS (Network Intrusion Detection System) can be used to identify shellcode on the wire using signature databases and protocol-analysis methods.
   - IPS (Intrusion Prevention System) identifies shellcode by running the code in a sandbox or virtualized environment to determine whether the given code is malicious.
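As an added example (not from the slides), a toy version of the signature matching a NIDS applies on the wire, run over constructed byte buffers. The patterns are ones the deck itself names, a run of 0x90 NOP bytes, the CD 80 encoding of INT 0x80 and the string "/bin/sh"; the threshold and the sample payloads are assumptions.

```python
# Added example, not from the original slides: a minimal NIDS-style
# signature scan over raw payload bytes. The signatures and threshold are
# illustrative choices, and every payload below is constructed.
from typing import List, Tuple

# Byte patterns tied to the Linux/IA-32 shellcode discussed on the slides.
SIGNATURES = {
    "int_0x80": b"\xcd\x80",   # encoding of `int 0x80`, the syscall entry
    "bin_sh":   b"/bin/sh",    # the program the example shellcode spawns
}
NOP = 0x90
NOP_SLED_MIN = 16  # minimum run of NOPs worth flagging (assumed tuning knob)

def longest_nop_run(data: bytes) -> Tuple[int, int]:
    """Return (length, start offset) of the longest run of 0x90 bytes."""
    best_len = best_off = 0
    run_len = 0
    for i, b in enumerate(data):
        run_len = run_len + 1 if b == NOP else 0
        if run_len > best_len:
            best_len, best_off = run_len, i - run_len + 1
    return best_len, best_off

def scan_payload(data: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every pattern found in data."""
    hits = []
    for name, sig in SIGNATURES.items():
        off = data.find(sig)
        if off != -1:
            hits.append((name, off))
    sled_len, sled_off = longest_nop_run(data)
    if sled_len >= NOP_SLED_MIN:
        hits.append(("nop_sled", sled_off))
    return hits

if __name__ == "__main__":
    # Constructed samples: a benign HTTP request, a shell script (a false
    # positive on "/bin/sh"), and a buffer shaped like an injected payload.
    samples = {
        "http":    b"GET /index.html HTTP/1.0\r\n\r\n",
        "script":  b"#!/bin/sh\necho hello\n",
        "payload": b"\x90" * 32 + b"\xcd\x80" + b"/bin/sh\x00",
    }
    for label, buf in samples.items():
        print(label, scan_payload(buf))
```

The script sample shows why plain signatures are paired with protocol analysis and sandboxing on the slide: "/bin/sh" also appears in legitimate traffic, and encoded or self-modifying payloads carry none of these fixed byte patterns.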

   - Shellcode is a powerful mechanism for the exploitation of software vulnerabilities.
   - It is important that the shellcode developed is small in size.
   - Shellcode can be employed to automate software security tests, where the shellcode is written to expose and draw attention to security holes.
