shellnoob
play

ShellNoob Because writing shellcode is fun, but sometimes painful - PowerPoint PPT Presentation

Aug 24, 2023 •194 likes •506 views

ShellNoob Because writing shellcode is fun, but sometimes painful Black Hat USA Yanick Fratantonio Arsenal 2013 UC Santa Barbara Who am I? PhD Student at UC Santa Barbara I play with the ShellPhish team What I do I like

  1. ShellNoob Because writing shellcode is fun, but sometimes painful Black Hat USA Yanick Fratantonio Arsenal 2013 UC Santa Barbara

  2. Who am I? ● PhD Student at UC Santa Barbara ● I play with the ShellPhish team ● What I do ○ I like low-level stuff ○ I worked on shellcode analysis ○ Now I'm on Android security ■ static / dynamic analysis ● Links ○ Website: http://cs.ucsb.edu/~yanick ○ Email: yanick [at] cs.ucsb.edu ○ Twitter: @reyammer

  3. Writing shellcode - why? ● Sometimes, something ad-hoc is required ● Even when you need something simple, there are problems with already written ones ● How about Shellcode generators? ○ Even the most advanced ones sometimes fail ■ And if they fail, you are fucked (good luck debugging them!) ● (any reference to Metasploit's shellcode generator is purely coincidental) ○ But please don't get me wrong, Metasploit is awesome :-)

  4. What's the issue? ● We have incredibly awesome tools that try to do incredibly difficult tasks ○ Shellcode generators are just one example ● This might be too complicated to be infallible ○ Metasploit is written by uber smart guys ○ Why are shellcode generators still not bullet-proof? ■ Extremely difficult stuff! ■ We need a plan B

  5. So what? ● It's good to have something crazy difficult that sometimes works ● But it's also good to have something simple that makes simple tasks even simpler

  6. Shellcode writing facts ● We need to be prepared to write shellcode ● Writing shellcode is fun, but some steps are boring, error-prone, and hence painful ● Most of such steps can be automated once for all!

  7. Examples of boring steps ● Shellcode on the web, that is almost exactly what you want, but still needs some tweaks ○ example: samples from shell-storm shellcode DB ● Sometimes they are not in the wanted format, and you need to "convert" them ○ assembly to hex ○ ELF to assembly ○ C to raw binary ■ I've seen VIM macros that you people wouldn't believe... ○ ...and all the other combinations

  8. Examples of boring steps (2) ● Syscall numbers ○ Which number was the "read" again? ○ 3 you say? Is that on Linux or FreeBSD? duuude! ● Resolving constants ○ O_CREAT was 0, right? oh, on FreeBSD you say? ○ Aaah, that was O_RDWR. Or maybe O_RDONLY? *Sentences in italic indicate real questions asked by myself or my fellow colleagues

  9. Examples of boring steps (3) ● Alright, I have the shellcode: now let's compile and test it ○ mmm, how can I do that? ● Let's run it in gdb ○ Hey it crashed, WTF? ○ oh, self modifying shellcode in the non-writable code segment? ■ no good :/ ● Now let's run it against the target ○ FUUUCK, if it contains byte "0x42" it gets corrupted. ○ Do you think that "inc %edx" will be a problem?

  10. ShellNoob to the rescue!

  11. Disclaimer -- What ShellNoob is NOT ● It's NOT a replacement for Metasploit's shellcode generator ● It will NOT try to generate shellcode for you ● It will NOT be bug-free ○ But the goal is simple enough that coders more skilled than me will fix them soon! ■ Go and start now: https://github.com/reyammer/shellnoob :-)

  12. What the hell is it then? ● A toolkit to help you write shellcode ● Design principles & goals ○ Extremely easy to deploy and use ○ Automate and make as easy as possible whatever it supposed to be easy ○ Trial & error should be cheap process ○ Portable & Flexible -- easy to extend ○ Easy to understand "what's going on" ■ To debug the tool ■ As a way to learn how to do it manually!

  13. Easy to deploy & use ● ShellNoob is a single self-contained python script (~1K LOC) ● Deployment? Just scp it on the target device ● If you want, you can "install" it ○ ./shellnoob.py --install ■ "cp shellnoob.py /usr/local/bin/snoob" ● You are now ready to hack!

  14. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Input formats ○ --from-asm ○ --from-bin ○ --from-hex ○ --from-obj (an ELF) ○ --from-c ○ --from-shellstorm

  15. Conversion mode ● Usual task: convert the shellcode from one "format" to another one .section .text mov %ebx, %ecx ● Input formats mov %eax, %ebx xor %edx, %edx ○ --from-asm addb $0xff, %dl ○ --from-bin xor %eax, %eax ○ --from-hex movb $0x3, %al int $0x80 ○ --from-obj (an ELF) ○ --from-c Support for both ATT & Intel syntax! ○ --from-shellstorm

  16. Conversion mode ● Usual task: convert the shellcode from one "format" to another one '\x41\x42\x43\x44' ● Input formats ○ --from-asm '41424344' ○ --from-bin ○ --from-hex ○ --from-obj (an ELF) ○ --from-c ○ --from-shellstorm

  17. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Input formats char shellcode[] = "\x6a\x0b\x58\x99" ○ --from-asm "\x52\x66\x68\x2d" ○ --from-bin "\x70\x89\xe1\x52" "\x6a\x68\x68\x2f"; ○ --from-hex ○ --from-obj (an ELF) ○ --from-c But be careful, it's just doing its best ○ --from-shellstorm in guessing what's the shellcode

  18. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Input formats ○ --from-asm ○ --from-bin ○ --from-hex That's it! ShellNoob will download and ○ --from-obj (an ELF) convert the shellcode from the DB ○ --from-c ○ --from-shellstorm <shellcode_id>

  19. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Output formats ○ --to-asm ○ --to-safeasm ○ --to-bin ○ --to-hex ○ --to-obj ○ --to-exe ○ --to-c, --to-completec ○ --to-python, --to-bash, --to-ruby

  20. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Output formats ○ --to-asm .section .text ○ --to-safeasm jmp 0x37 # .byte 0xeb,0x35 pop %ebx # .byte 0x5b ○ --to-bin mov %ebx,%eax # .byte 0x89,0xd8 ○ --to-hex add $0xb,%eax # .byte 0x83,0xc0,0x0b ○ --to-obj ○ --to-exe ○ --to-c, --to-completec ○ --to-python, --to-bash, --to-ruby

  21. Conversion mode ● Usual task: convert the shellcode from one "format" to another one .section .text ● Output formats ... ○ --to-asm das # .ascii "/" je 0xac # .ascii "tm" ○ --to-safeasm jo 0x70 # .ascii "p/" ○ --to-bin jae 0xa8 # .ascii "se" arpl %si,0x65(%edx) # .ascii "cre" ○ --to-hex je 0xa0 # .ascii "tX" ○ --to-obj ○ --to-exe ○ --to-c, --to-completec ○ --to-python, --to-bash, --to-ruby

  22. Conversion mode ● Usual task: convert the shellcode from one "format" to another one ● Output formats ○ --to-asm .section .text .byte 0xeb,0x35 ○ --to-safeasm .byte 0x5b ○ --to-bin .byte 0x89,0xd8 .byte 0x83,0xc0,0x0b ○ --to-hex ○ --to-obj "safe mode" -- 100% assemblable ○ --to-exe ○ --to-c, --to-completec ○ --to-python, --to-bash, --to-ruby

  23. Uber flexible CLI ● Some examples (all equivalent) $ snoob --from-asm shell.asm --to-bin shell.bin $ snoob shell.asm --to-bin shell.bin $ snoob shell.asm --to-bin $ snoob shell.asm --to-bin - > shell.bin $ cat shell.asm | snoob --from-asm - --to-bin shell.bin ● Several switches $ snoob -c shell.asm --to-exe # prepend a breakpoint $ snoob --intel shell.asm --to-exe # Intel vs ATT syntax $ snoob --64 shell.asm --to-exe # 64bits vs 32bits mode

  24. Syscalls and constants ● When writing shellcode, you need to directly call syscalls: you need to know the numbers! ○ $ snoob --get-sysnum read ○ x86 ~> 3 ○ x86_64 ~> 0 ● Similarly, you need to resolve the constants! ○ $ snoob --get-const O_RDWR ○ O_RDWR ~> 2 ○ It can also be used to resolve the error numbers! ■ Example: EACCES ~> 13

  25. Interactive mode ● Quick ways to check which bytes a specific instruction is assembled to (and viceversa) ● Assembly ~> opcode ○ $ snoob -i --to-opcode ○ >> mov %eax, %ebx ○ mov %eax, %ebx ~> 89c3 ● Opcode ~> assembly ○ $ snoob -i --to-asm ○ >> 89c3 ○ 89c3 ~> mov %eax, %ebx

  26. Trial & error should be "cheap" ● You are convinced your shellcode is right, but there is a bug. Debug it! ● "Special" output modes ○ --to-strace $ snoob open-read-write-shell.asm --to-strace [ Process PID=15085 runs in 32 bit mode. ] open("/tmp/secret", O_RDONLY) = 3 read(3, "ThisIsMySecret", 255) = 14 write(1, "ThisIsMySecret", 14ThisIsMySecret) = 14 _exit(0) = ?

  27. Trial & error should be "cheap" ● You are convinced your shellcode is right, but there is a bug. Debug it! ● "Special" output modes ○ --to-strace ○ --to-gdb $ snoob open-read-write.asm --to-gdb Reading symbols from /tmp/tmpzTg_T0...(no debugging symbols found)...done. (gdb) Breakpoint 1 at 0x8048054 (gdb) A breakpoint is automatically set on the first instruction!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Study about behavior of a prototype ASIC for the upgraded ATLAS pixel detectors with low

Study about behavior of a prototype ASIC for the upgraded ATLAS pixel detectors with low

Yamagaya Shohei Study about behavior of a prototype ASIC for the upgraded ATLAS pixel detectors with low thresholds Year-End-Meeting 2019/12/23 Shohei Yamagaya (Osaka univ.) Introduction 2 ATLAS pixel detector will be upgraded for HL-LHC.

278 views • 15 slides
Alternative Mining Puzzles Essential Puzzle Requirements ASIC-Resistant Puzzles

Alternative Mining Puzzles Essential Puzzle Requirements ASIC-Resistant Puzzles

Cryptocurrency Technologies Alternative Mining Puzzles Alternative Mining Puzzles Essential Puzzle Requirements ASIC-Resistant Puzzles Proof-of-Useful-Work Non-outsourceable Puzzles Proof-of-Stake Virtual Mining Puzzles

474 views • 26 slides
IN3170/4170, Spring 2020 Philipp Hfliger hafliger@ifi.uio.no What to expect Content Why

IN3170/4170, Spring 2020 Philipp Hfliger hafliger@ifi.uio.no What to expect Content Why

IN3170/4170, Spring 2020 Philipp Hfliger hafliger@ifi.uio.no What to expect Content Why Application Specific Integrated Circuits? Why Transistor Level Digital? Why Analog? Course Goal Course Organization Content Why Application Specific

413 views • 24 slides
Chips4Makers Toolchain Is an ASIC made with fully open source tool chain possible ? Is it

Chips4Makers Toolchain Is an ASIC made with fully open source tool chain possible ? Is it

Chips4Makers Toolchain Is an ASIC made with fully open source tool chain possible ? Is it affordable ? Staf Verhaegen Overview Chips want to be free I have a dream Pilot Project: Retro-uC ASIC toolchain PCB toolchain

370 views • 25 slides
FSM$Modeling State$Diagrams$(SDs)$and$Algorithmic$State$

FSM$Modeling State$Diagrams$(SDs)$and$Algorithmic$State$

FSM$Modeling State$Diagrams$(SDs)$and$Algorithmic$State$ Machine$(ASM)$charts$Describe$Behavior$of$FSMs Translating$Directly$from$SD/ASMs$to$Verilog$is$ Advantageous No$Worry$about$Mistake$in$Logic$Simplification

260 views • 5 slides
Road map Midterm acomin Friday in class Exams page on web site has info + practice problems

Road map Midterm acomin Friday in class Exams page on web site has info + practice problems

Road map Midterm acomin Friday in class Exams page on web site has info + practice problems Todays lecture A first look at assembly Where is our data stored? The mov instruction and addressing modes Its bits all the way down

582 views • 14 slides
Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen,

Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen,

Usable assembly language for GPUs: a success story Daniel J. Bernstein, UIC Hsieh-Chung Chen, Harvard Chen-Mou Cheng, NTU Tanja Lange, Eindhoven Ruben Niederhagen, E+AS Peter Schwabe, Academia Sinica Bo-Yin Yang, Academia Sinica OpenSSL

494 views • 33 slides
Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao

Logging in Persistent Memory: to Cache, or Not to Cache? Mengjie Li, Matheus Ogleari , Jishen Zhao Persistent Memory STT-RAM, PCM, Memory CPU CPU ReRAM, NVDIMM, Battery-backed Load/store DRAM NVRAM DRAM, etc. Not persistent Persistent

308 views • 20 slides
DAME finder : A package to detect changes in allele-specific methylation Stephany Orjuela Len

DAME finder : A package to detect changes in allele-specific methylation Stephany Orjuela Len

DAME finder : A package to detect changes in allele-specific methylation Stephany Orjuela Len EuroBioc December 2019 Stands for D A ME Stands for Differential A ME Stands for Differential Allele-specific ME Stands for Differential

372 views • 24 slides
CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt

CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt

CENG 342 Digital Systems Algorithmic State Machine with Datapath (ASMD) Larry Pyeatt SDSM&amp;T Finite State Machine Review Any Finite state machine with two inputs, two Mealy outputs, two Moore outputs, and up to four states can be

515 views • 28 slides
Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by

Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by

Wildlife Corridors Background AB 498 (2015) by Assemblymember Levine AB 2087 (2016) by Assemblymember Levine Regional Conservation Investment Strategy (RCIS) SB 1 (2017) by Senator Beall Proposition 68 (2018) Wildlife

432 views • 6 slides
DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN

DIV 26000 AND HEAT TRACE FOR MECHANICAL SYSTEMS ACE/ASM DOS AND DONTS OF HEAT TRACE IN CHAPTER 149 FROM A DIV 26000 ELECTRICAL CONTRACTOR PROSPECTIVE Dos: Donts: Give us a heat trace spec in DIV26 Double spec it with

492 views • 4 slides
Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not

Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not

Cooperative Task Management without Manual Stack Management or, Event-driven Programming is Not the Opposite of Threaded Programming Atul Adya, Jon Howell, Marvin Theimer, William J. Bolosky, John R. Douceur Microsoft Research Presented by Li

249 views • 22 slides
SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key

SIDH on ARM: Faster Modular Multiplications for Faster Post-Quantum Supersingular Isogeny Key Exchange. Hwajeong Seo (Hansung University), Zhe Liu (Nanjing University of Aeronautics and Astronautics), Patrick Longa (Microsoft Research), Zhi

593 views • 36 slides
Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will

Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will

Fractions of Numbers Follow the slides 1 2 of 8 = __ Follow the step by step guide which will show you how to solve this. 1 2 of 8 = 1 Denominator 2 Split the number (that we are trying to find a fraction of) into two equal groups because

359 views • 15 slides
Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our

Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our

Aspect Based Sentiment Analysis Jared Kramer and Clara Gordon Overview Background Our Task Our Approach Results! Background Entity: The thing being described Aspect: A part of the thing being described The screen

482 views • 15 slides
Origin and future draft-kristensen-avt-rtp-h264-extension-00 split in two based on last IETF

Origin and future draft-kristensen-avt-rtp-h264-extension-00 split in two based on last IETF

Parameters for Static Macroblocks and Aspect Ratio in the RTP Payload Format for H.264 Video draft-ietf-avt-rtp-h264-params-00.txt Tom Kristensen, TANDBERG Roni Even, Polycom Origin and future draft-kristensen-avt-rtp-h264-extension-00

175 views • 5 slides
A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint

A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint

A L T EX template for presentation A Your name here Department of XXXX XXXX University Joint work with XXXX and XXXX Event, location, date, etc. Introduction 1/5 How to use this template? pdflatex slides.tex pdflatex

309 views • 8 slides
Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor

Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor

Toward the Optimal Bit Aspect Ratio in Magnetic Recording William E. Ryan Associate Professor The University of Arizona with contributions from Fan Wang, Roger Wood, and Yan Li March 25, 2004 Outline Background Channel Model

522 views • 26 slides
Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web

Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web

Responsive Web Design Introduction to Web Design Responsive Web Design Introduction to Web Design The control which designers know in the print medium, and A Dao of Web Design often desire in the web medium, is simply a function of the

297 views • 7 slides
Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru)

Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru)

Extruded meshes for high aspect ratio simulations in Firedrake and PyOP2 Gheoghe-Teodor (Doru) Bercea (a) , Andrew TT McRae (b) , Lawrence Mitchell (c) , David A Ham, Paul HJ Kelly (a) gheorghe-teodor.bercea08@imperial.ac.uk (b)

638 views • 30 slides
Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep

Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep

Wing Design I Lecture 8 ME EN 415 Andrew Ning aning@byu.edu Span b Area S Sweep Joaquim Martins Thickness distribution t Chord distribution c Twist distribution Definitions Aspect ratio Mean aerodynamic chord

95 views • 9 slides
CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens

CS615 - Aspects of System Administration Slide 1 CS615 - Aspects of System Administration Networking I Department of Computer Science Stevens Institute of Technology Jan Schaumann jschauma@stevens.edu https://stevens.netmeister.org/615/

1.21k views • 73 slides
SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo

SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo

SAMSUNG SAAT: Reverse Engineering for Perform ance Analysis 2004.05.25. Seon-Ah Lee, Seung-Mo Cho, Sung-Kwan Heo Mobile Solution Group Software Center Samsung Electronics salee@samsung.com Softw are Center 1 SAMSUNG Agenda Introduction

499 views • 11 slides

More recommend