Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

Published byKory Edwards Modified over 8 years ago

Similar presentations

Presentation on theme: "Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)"— Presentation transcript:

1 Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)

2 Today – Advanced Shellcode What are shellcodes More about shellcodes Some more tools Function calls and the import table Polymorphic shellcodes Q&A

3 Shellcodes Originates from the unix shell executable “sh” Running sh essentially grants access to run any other command afterwards The term has been loosely generalized to fit any code that runs after a exploiting a vulnerability for code execution Last week we saw a very basic shell-code which avoids null bytes.

4 More advanced exploitation More robust & resillient – o Use trampolines instead of stack addresses o Don’t count on static function addresses – dlopen(), dlsym() o ‘Egg hunting’ for executable file headers o Avoid null bytes / Avoid other bytes / handle UTF8 / etc. o Shellcodes that will run / not crash on multiple architectures Do more complex things – o Add users, modify files, install malware o Manipulate program flow / memory o Open a shell back home

5 New tools! build_shellcode.py based on the patch_util_gcc.py script, but is made for simpler usage when creating shellcodes

6 New tools! shellcode_host – reads a binary shellcode as instructed via the command line, and simulates execution. shellcode_host_no_nulls – similar to shellcode_host, but the string is copied via strcpy, so no null characters (0x00) will be permitted in the body of the shellcode. stack_overflow_host – similar to shellcode_host in the sense that it will allow null bytes inside the shellcode, but here you must overflow the stack and control the return address yourself. stack_overflow_host_no_nulls – similar to stack_overflow_host, but no null bytes will be permitted

7 How external function calls work Many options - o syscall via int0x80 (as we've seen) o static lib – hard coded address (rare) o Dynamic lib - Assume already loaded, call directly (hard-coded address, not resilient) Call via the PLT / GOT (best method)

8 Global Offset Table

9 External function calls A call through it looks like - call _printf Which is actually a simple jmp - _printf proc near jmp ds:off_804A010 ; PLT entry _printf endp

10 Practical usage for external function calls We can call through the PLT entry directly Or, we could replicate what the original code would do, and just call the call-through function Of course – other methods could still work (namely, direct syscalls)

11 Polymorphic shellcodes Polymorphic code ~= self-modifying code Usually, polymorphic code is made of two parts: A Decoder + the actual code in encoded form o The decoder can thin and be built to withstand constraints such as: only printable chars Only [a-z][A-Z][0-9] Must be a valid utf-8 char Must not contain characters X,Y,Z Polymorphic shellcodes can be used to evade detectors that use signature based detection, by modifying the signature of the same functionality

12 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---

13 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---

14 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode ---

15 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1

16 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size

17 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size

18 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size+after_end–1

19 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop: mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end - 1 ecxoriginal size edxoriginal size+after_end–1

20 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecxoriginal size - 1 edxoriginal size+after_end–1

21 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecx0 edxafter_end + 0

22 Simple Example jmp end start: pop ebx dec ebx mov ecx, [original shellcode size] decode_loop : mov edx, ecx add edx, ebx not byte ptr [edx] loop decode_loop jmp after_end end: call start after_end: ; --- here comes original shellcode --- regvalue ebxafter_end ecx0 edxafter_end + 0

23 This Week’s Exercise Counts as a double exercise! Write a shellcode for remote exploitation using sockets Exploit a network daemon remotely in several ways o Basic shellcode o Socket bound shell More advanced shellcodes o Hijack the original connection socket o Polymorphic shellcode bypassing limitations

24 The end Questions?

Download ppt "Introduction to InfoSec – Recitation 3 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (infosec15 at modprobe.net)"

Similar presentations

Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, 2010. All rights reserved. You may modify and copy this slide.

Assembly Language for x86 Processors 6th Edition Chapter 5: Procedures (c) Pearson Education, All rights reserved. You may modify and copy this slide.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad

Introduction to Information Security מרצים : Dr. Eran Tromer: Prof. Avishai Wool: מתרגלים : Itamar Gilad
Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec. 5 2007.

Dec 5, 2007University of Virginia1 Efficient Dynamic Tainting using Multiple Cores Yan Huang University of Virginia Dec
Countermeasures 0x610~0x650 2014. 12. 4 Seokmyung Hong.

Countermeasures 0x610~0x Seokmyung Hong.
Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 6 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
CS2422 Assembly Language & System Programming October 3, 2006.

CS2422 Assembly Language & System Programming October 3, 2006.
Position Independent Code self sufficiency of combining program.

Position Independent Code self sufficiency of combining program.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Practical Session 8 Computer Architecture and Assembly Language.

Practical Session 8 Computer Architecture and Assembly Language.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 15 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Similar presentations

Ads by Google