Shellcode Programming: The Complete Documentation
- This category contains 18 Papers
- The last paper was added on 2007-03-26 (YYYY-MM-DD)
Applying Polymorphism to Alphanumeric IA-32/IA-32e/AMD-64 Shellcode
Published on 2004-10-05, by Matt Conover, ©Matt Conover.
Rix (rix 2001) should be credited with being the pioneer of IA32 alphanumeric shellcode and showing it is possible. His Phrack article was the first to demonstrate feasibility. What rix did could more properly be called a translator than an encoder. There was no fixed payload followed by a blob of encoded shellcode that needed to be decoded. In shellcode terms this was quite innovative, but it really blew up the shellcode size.
File infos:
- L0T3K ID: docs-1208
- status: online
- source: www.seclists.org
Basics of Shellcoding (The)
Published on 2004-02-09, by Angelo Rosiello, ©Angelo Rosiello.
A shellcode is a group of instructions which can be executed while another program is running. Nowadays many examples show how a shellcode can be executed while an application is running, and what follows is proposed to us by vulnerabilities' exploits. In order to take advantage of a vulnerability it is indispensable to inject a shellcode, because we have to get control of a running application. The goal of this article is not to explain all the possibilities of injecting a shellcode developed during the last years, but to analyze and understand its essence.
File infos:
- L0T3K ID: docs-878
- status: offline
- source: www.rosiello.org
Creating Arbitrary Shellcode In Unicode Expanded Strings
Published on 2002-01-08, by Chris Anley, ©NGSSoftware Ltd.
The paper is intended to be read by the portion of the security community responsible for creating protective mechanisms to guard against shellcode type security flaws; the intention is to remove the perception that Unicode buffer overflows are non exploitable and thereby improve the general state of network security. It is often the case that several classes of overflow or format string bug are labelled denial of service attacks when in fact it is possible to execute arbitrary code. This paper deals with one of these classes of overflow.
File infos:
- L0T3K ID: docs-819
- status: online
- source: www.nextgenss.com
Designing Shellcode Demystified
Published on 2002-10-22, by Murat Balaban, ©Murat Balaban.
In our previous paper, Buffer Overflows Demystified, we told you that there would be more papers on these subjects. We kept our promise. Here is the second paper from the same series. The paper is about the fundamentals of shellcode design and is totally Linux 2.2 on IA-32 specific. The base principles apply to all architectures, whereas the details might obviously not.
File infos:
- L0T3K ID: docs-207
- status: online
- source: www.enderunix.org
History and Advances in Windows Shellcode
Published on 2004-06-22, by sk, ©Phrack Magazine.
Firewalls are everywhere on the Internet now. Most of the exploits released to the public have little concern for firewall rules because they are just proofs of concept. In the real world, we encounter targets with firewalls that make exploitation harder. We need to overcome these obstacles for a successful penetration testing job. The research of this paper started when we needed to take over (own) a machine which was heavily protected with rigid firewall rules. Although we could reach the vulnerable service, the strong firewall rules between us and the server rendered all standard exploits useless.
File infos:
- L0T3K ID: docs-1262
- status: online
- source: www.phrack.org
Introduction to Shellcoding - How to exploit buffer overflows
Published on 2004, by Michel Blomgren, ©Michel Blomgren.
Shellcode is a piece of machine-readable code, or script code, that has just one mission: to open up a command interpreter (shell) on the target system so that an "attacker" can type in commands in the same fashion as a regular authorized user or system administrator of that system can do (with a few not-so-important exceptions, of course). However, in order to get remote access to the shell, you're going to need some kind of networking support in that shellcode too. There's more to shellcoding than just having a program execute /bin/sh or cmd.exe. This white paper will introduce you to shellcodes, how they're used in practice, and how they are used with buffer overflow vulnerabilities.
File infos:
- L0T3K ID: docs-1209
- status: online
- source: www.tigerteam.se
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 1)
Published on 2005-06-16, by Don Parker, ©TechGenix Ltd.
There are many threats out there today, which are of concern to the network security analyst. Some of the threats can be mitigated to a certain extent through the use of various hardware, and software solutions. A good example of this would be how you defend against that ever-present pest; distributed denial of service attack. Several vendors have come up with some good hardware solutions for this network attack. Much like other vendors have sold enterprise class firewalls to help protect the corporate network. What the two above noted examples have in common though is that a solution is provided by a third party. These solutions are easily implemented with a little vendor side training for the in-house network security staff.
This brings me to a theme that I have written about before: the training of the network security analyst. Without training, your network security staff, whose mandate is the protection of your corporate cyber assets, will be woefully unprepared to carry out their duties. One very good example of how the lack of training can affect you is what this three-part article series is all about. Specifically, just what is shellcode obfuscation, and how does it impact the network security analyst at your workplace who may not be aware of this threat?
File infos:
- L0T3K ID: docs-1631
- status: online
- source: www.windowsecurity.com
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 2)
Published on 2005-06-07, by Don Parker, ©TechGenix Ltd.
In this second part we will actually see what a NOP sled is, and looks like. Furthermore, we will use an exploit with an existing NOP sled to see how it shows up on an IDS such as Snort with a default ruleset in place.
To pick up where part one of the article series left off, we will now actually look at a fully functional exploit which has a NOP sled in it. What we shall do in this part is compile the exploit, and then use it against a lab box. This lab box will have Snort running on it with a default ruleset. The actual exploit itself will be MS03-026 and the exploit code itself is downloadable from here. Please note that this exploit code needs to be compiled on a computer running Linux or a Windows machine running Cygwin. For those of you who may be a little confused by how people know to compile specific code under one O/S or another, here is a little tip. Take a look at the #include section of the exploit code. There are specific ones that are only found on either win32 or Linux.
File infos:
- L0T3K ID: docs-1632
- status: online
- source: www.windowsecurity.com
Obfuscated Shellcode, the Wolf in Sheep's Clothing (Part 3)
Published on 2005-06-06, by Don Parker, ©TechGenix Ltd.
In this last part of the three part series based on shellcode obfuscation, we will actually substitute the well known NOP sled for one of a differing function. We will also see what, if any, changes are noticed by Snort.
We saw in part two of this article series that intrusion detection system vendors will use the presence of the NOP (0x90) sled as a component when building signatures for buffer overflow exploits. Though it is not the only component of the signature, it is one which most network security analysts readily recognize. This brings us to the point where we will cut out the 0x90 and put some other function, or character, in its place. Our goal in doing this is to see how the intrusion detection system will react. Will it still see it as a buffer overflow attempt, or will it not? During my research into this interesting area of exploit development I came across a list of idempotent substitutions that was provided by Dragos Ruiu of CanSecWest fame. It is from this list that we will choose to build our newer, and stealthier, sled.
File infos:
- L0T3K ID: docs-1633
- status: online
- source: www.windowsecurity.com
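The substitution the three-part series above builds up to is easy to reproduce on the detection side. The following C program is an added example for this catalog entry, not code from the articles: it implements the classic "N consecutive 0x90 bytes" rule next to a generalised rule that accepts any run of single-byte, state-preserving IA-32 opcodes, and runs both over two constructed buffers, one with a plain 0x90 sled and one whose sled is built from inc/xchg bytes. The opcode list, the 16-byte threshold and the sample buffers are the editor's assumptions; the list is not the Dragos Ruiu list the article refers to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One-byte IA-32 opcodes that leave a typical payload's preconditions intact
 * when executed back to back: nop, inc/dec of general registers other than
 * esp, xchg eax,reg, clc/stc/cld, the BCD adjusts, fwait and lahf/sahf.
 * This short list is the editor's own assumption, not the list the article cites. */
static int sled_byte(uint8_t b)
{
    switch (b) {
    case 0x90:                                   /* nop */
    case 0x40: case 0x41: case 0x42: case 0x43:  /* inc eax, ecx, edx, ebx */
    case 0x45: case 0x46: case 0x47:             /* inc ebp, esi, edi */
    case 0x48: case 0x49: case 0x4a: case 0x4b:  /* dec eax, ecx, edx, ebx */
    case 0x4d: case 0x4e: case 0x4f:             /* dec ebp, esi, edi */
    case 0x91: case 0x92: case 0x93:             /* xchg eax, ecx/edx/ebx */
    case 0x95: case 0x96: case 0x97:             /* xchg eax, ebp/esi/edi */
    case 0xf8: case 0xf9: case 0xfc:             /* clc, stc, cld */
    case 0x27: case 0x2f: case 0x37: case 0x3f:  /* daa, das, aaa, aas */
    case 0x9b: case 0x9e: case 0x9f:             /* fwait, sahf, lahf */
        return 1;
    default:
        return 0;
    }
}

static int nop_byte(uint8_t b) { return b == 0x90; }

/* Longest run of consecutive bytes accepted by pred(). A rule such as
 * "16 or more consecutive 0x90" is exactly this with pred == nop_byte. */
static size_t longest_run(const uint8_t *buf, size_t len, int (*pred)(uint8_t))
{
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = pred(buf[i]) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* Classic rule: a run of at least `threshold` 0x90 bytes. */
int classic_nop_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_run(buf, len, nop_byte) >= threshold;
}

/* Generalised rule: a run of at least `threshold` sled-capable opcodes. */
int generic_sled(const uint8_t *buf, size_t len, size_t threshold)
{
    return longest_run(buf, len, sled_byte) >= threshold;
}

/* Constructed exploit-style buffer: a 32-byte sled followed by a short tail
 * (xor eax,eax ; int 0x80) standing in for a real payload. */
static size_t build_sample(uint8_t *out, int use_alt_sled)
{
    static const uint8_t plain[] = { 0x90 };
    static const uint8_t alt[]   = { 0x41, 0x42, 0x43, 0x97 }; /* inc ecx; inc edx; inc ebx; xchg eax,edi */
    static const uint8_t tail[]  = { 0x31, 0xc0, 0xcd, 0x80 };
    const uint8_t *pat = use_alt_sled ? alt : plain;
    size_t npat = use_alt_sled ? sizeof alt : sizeof plain, i;
    for (i = 0; i < 32; i++) out[i] = pat[i % npat];
    memcpy(out + i, tail, sizeof tail);
    return i + sizeof tail;
}

/* Run one rule over one sample; returns 1 when flagged. Threshold 16 is an assumption. */
int check_sample(int use_alt_sled, int use_generic_rule)
{
    uint8_t buf[64];
    size_t n = build_sample(buf, use_alt_sled);
    return use_generic_rule ? generic_sled(buf, n, 16) : classic_nop_sled(buf, n, 16);
}

int main(void)
{
    printf("plain 0x90 sled : classic=%d generic=%d\n", check_sample(0, 0), check_sample(0, 1));
    printf("inc/xchg sled   : classic=%d generic=%d\n", check_sample(1, 0), check_sample(1, 1));
    return 0;
}
```

The 0x90-only rule misses the second buffer entirely, which is the article's point. The generalised rule catches it, but at a price a practitioner should expect: 0x41 through 0x4F are the ASCII letters 'A' to 'O', so a long run of those bytes is also what ordinary text and alphanumeric-encoded payloads look like, and any real signature needs the other components the article mentions (the vulnerable service, the request structure) rather than the sled alone.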
PowerPC / OS X (Darwin) Shellcode Assembly
Published on 2003, by B-r00t, ©scriptkiddie.net.
The initial purpose of this document was simply to consolidate and summarise the author's own research on the PowerPC architecture. However, it provides an easy introduction to the basics of the PowerPC architecture in its 32-bit implementation for those new to the subject, and has therefore been made freely available.
File infos:
- L0T3K ID: docs-231
- status: online
- source: www.scriptkiddie.net
Shellcode: the assembly cocktail
Published on April 20, 2003, by Samy Bahra, ©Infosecwriters.com.
Shellcode is the key to the successful exploitation of buffer overflows (the most common security vulnerability these days) and other memory-oriented security holes. By many, authoring elegant shellcode is considered an art. You are about to learn why...
File infos:
- L0T3K ID: docs-249
- status: online
- source: www.infosecwriters.com
Shellcoding for Linux and Windows Tutorial
Published on 2004, by steve hanna, ©steve hanna.
Shellcoding, in its most literal sense, means writing code that will return a remote shell when executed. The meaning of shellcode has evolved; it now represents any byte code that will be inserted into an exploit to accomplish a desired task.
File infos:
- L0T3K ID: docs-1019
- status: online
- source: www.vividmachines.com
Writing IA32 Restricted Instruction Set Shellcode Decoder Loops
Published on 2004, by Berend-Jan Wever, ©Berend-Jan Wever.
Lately I have been playing with a few vulnerabilities that, when exploited, required a shellcode that would be able to pass through heavy filtering before being run. A lot of data like filenames, paths, urls, etc... gets checked for illegal characters before being processed by an application. Filters that remove non-printable characters or convert everything to uppercase make exploitation difficult but not impossible. rix [1] and obscou [2] have already proven that it is possible to write working alphanumeric and unicode shellcode. I started working on a shellcode encoder that could encode any shellcode to alphanumeric shellcode, even 100% uppercase and/or unicode-proof. While doing so, I had an idea for a more universal solution to the problem of working with a restricted instruction set.
File infos:
- L0T3K ID: docs-1203
- status: offline
- source: http://www.edup.tudelft.nl/~bjwever/
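The encoder-plus-decoder split that Conover's entry contrasts with rix's translator, and the character filters Wever's entry describes (alphanumeric only, everything uppercased, no NUL), both come down to the same two checks: which bytes of a payload a filter would reject, and whether an encoded form passes cleanly and decodes back. The C program below is an added example, not code from either paper or from the authors. It scans the well-known 23-byte Linux/x86 execve("/bin//sh") shellcode against three filter models and round-trips it through a trivial nibble encoding that maps every byte to two letters in 'A'..'P'. The filter models and the encoding are the editor's own; the decode step is written in C here only to show the data side, whereas in a real exploit the decoder stub must itself be built from the restricted instruction set, which is exactly the subject of Wever's paper.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Filter models (editor's assumption of what the text describes). */
enum filter { FILTER_NO_NUL, FILTER_ALNUM, FILTER_UPPER_ALNUM };

static int is_alnum(uint8_t c)
{
    return (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

/* Does one byte reach the target unchanged under filter f? */
static int allowed(uint8_t c, enum filter f)
{
    switch (f) {
    case FILTER_NO_NUL:      return c != 0;
    case FILTER_ALNUM:       return is_alnum(c);
    case FILTER_UPPER_ALNUM: return is_alnum(c) && !(c >= 'a' && c <= 'z'); /* toupper() would alter lowercase */
    }
    return 0;
}

/* Number of bytes the filter would drop or alter; these are the "bad chars". */
size_t count_bad(const uint8_t *buf, size_t len, enum filter f)
{
    size_t bad = 0;
    for (size_t i = 0; i < len; i++)
        if (!allowed(buf[i], f)) bad++;
    return bad;
}

/* Encode each byte as two letters: 'A' + high nibble, 'A' + low nibble.
 * Output is always in 'A'..'P', so it is alphanumeric, uppercase and NUL-free. */
size_t nibble_encode(const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++) {
        out[2 * i]     = (uint8_t)('A' + (in[i] >> 4));
        out[2 * i + 1] = (uint8_t)('A' + (in[i] & 0x0f));
    }
    return 2 * len;
}

/* Inverse of nibble_encode; a real decoder stub would do this in machine code. */
size_t nibble_decode(const uint8_t *in, size_t len, uint8_t *out)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        out[i / 2] = (uint8_t)(((in[i] - 'A') << 4) | (in[i + 1] - 'A'));
    return len / 2;
}

/* Constructed sample: the standard 23-byte Linux/x86 execve("/bin//sh"). */
static const uint8_t sample[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 };

size_t sample_bad(enum filter f) { return count_bad(sample, sizeof sample, f); }

/* 1 when the encoded sample passes filter f untouched and decodes back exactly. */
int roundtrip_ok(enum filter f)
{
    uint8_t enc[2 * sizeof sample], dec[sizeof sample];
    size_t n = nibble_encode(sample, sizeof sample, enc);
    if (count_bad(enc, n, f) != 0) return 0;
    size_t m = nibble_decode(enc, n, dec);
    return m == sizeof sample && memcmp(dec, sample, m) == 0;
}

int main(void)
{
    printf("raw sample: %zu bad under no-NUL, %zu under alnum, %zu under uppercase-alnum\n",
           sample_bad(FILTER_NO_NUL), sample_bad(FILTER_ALNUM), sample_bad(FILTER_UPPER_ALNUM));
    printf("encoded sample passes alnum=%d uppercase=%d no-NUL=%d\n",
           roundtrip_ok(FILTER_ALNUM), roundtrip_ok(FILTER_UPPER_ALNUM), roundtrip_ok(FILTER_NO_NUL));
    return 0;
}
```

The raw shellcode is already NUL-free but has 12 bytes an alphanumeric filter rejects and 19 that an uppercasing filter would alter; after encoding it doubles in size and passes all three. That size doubling is the "blew up the shellcode size" cost Conover's entry attributes to rix's translator approach, and the reason an encoder pays it only for the encoded blob, with a small fixed decoder in front.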
Writing MIPS/IRIX shellcode
Published on January 14, 2001, by scut, ©TESO.
Writing shellcode for the MIPS/Irix platform is not much different from writing shellcode for the x86 architecture. There are, however, a few tricks worth knowing when attempting to write clean shellcode (which does not have any NUL bytes and works completely independent of its position).
File infos:
- L0T3K ID: docs-259
- status: online
- source: www.team-teso.net
Writing shellcode
Published on April 10, 2002, by zillion, ©safemode.org.
The shellcodes presented here have all been tested to work and can be used in most exploits without a problem. However, these codes may cause serious damage to your computer and should therefore only be used against TEST systems that have NO network connectivity. Imagine what happens if you run the backdoor on your system and forget about it....
File infos:
- L0T3K ID: docs-260
- status: online
- source: www.safemode.org
Writing Shellcodes in Linux
Published on 2004-09-03, by Amitesh Singh, ©Amitesh Singh.
Shellcoding is the skill of writing your machine code in hexadecimal form. Many people lack it. From the point of view of security it is very important, as hackers use it to exploit vulnerable applications. In this article, we are working on Linux using the IA-32 (x86) architecture. Basic knowledge of C, ASM (AT&T style) and working with debuggers (gdb & objdump) is required.
File infos:
- L0T3K ID: docs-1026
- status: online
- source: www.aplawrence.com
Writing UTF-8 compatible shellcodes
Published on 2004-03-31, by Thomas Wana, ©Thomas Wana.
This paper deals with the creation of shellcode that is recognized as valid by any UTF-8 parser. The problem is not unlike the alphanumeric shellcodes problem described by rix in phrack 57, but fortunately we have much more characters available, so we can almost always build shellcode that is valid UTF-8 and does what we want.
File infos:
- L0T3K ID: docs-990
- status: online
- source: www.void.at
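Whether a byte sequence is "recognized as valid by any UTF-8 parser" is a mechanical check, and the first thing to run over a candidate payload for the situation Wana's entry describes. The C code below is an added example, not code from the paper: a strict RFC 3629 validator that reports the offset of the first byte a conforming parser would reject, applied to three constructed inputs (a raw x86 fragment, ordinary multi-byte text, and a truncated sequence). The samples and the choice to reject overlongs, surrogates and code points above U+10FFFF are the editor's assumptions; lenient parsers exist, and a payload that only needs to pass one of those has more bytes available.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Length of the strict UTF-8 sequence starting at buf[i], or 0 if none starts
 * there. Rejects lead bytes 0x80-0xC1 and 0xF5-0xFF, overlong forms,
 * UTF-16 surrogates (U+D800..U+DFFF), values above U+10FFFF and truncation. */
static size_t utf8_seq_len(const uint8_t *buf, size_t len, size_t i)
{
    uint8_t b0 = buf[i];
    uint8_t lo = 0x80, hi = 0xbf;        /* bounds for the second byte */
    size_t need;

    if (b0 < 0x80) return 1;
    else if (b0 >= 0xc2 && b0 <= 0xdf) need = 2;
    else if (b0 == 0xe0)               { need = 3; lo = 0xa0; }   /* no overlong */
    else if (b0 >= 0xe1 && b0 <= 0xec) need = 3;
    else if (b0 == 0xed)               { need = 3; hi = 0x9f; }   /* no surrogates */
    else if (b0 == 0xee || b0 == 0xef) need = 3;
    else if (b0 == 0xf0)               { need = 4; lo = 0x90; }   /* no overlong */
    else if (b0 >= 0xf1 && b0 <= 0xf3) need = 4;
    else if (b0 == 0xf4)               { need = 4; hi = 0x8f; }   /* <= U+10FFFF */
    else return 0;

    if (i + need > len) return 0;                    /* truncated sequence */
    if (buf[i + 1] < lo || buf[i + 1] > hi) return 0;
    for (size_t k = 2; k < need; k++)
        if (buf[i + k] < 0x80 || buf[i + k] > 0xbf) return 0;
    return need;
}

/* Offset of the first byte a strict UTF-8 parser rejects, or -1 if all valid. */
long utf8_first_invalid(const uint8_t *buf, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t n = utf8_seq_len(buf, len, i);
        if (n == 0) return (long)i;
        i += n;
    }
    return -1;
}

/* Constructed samples. */
static const uint8_t x86_frag[]  = { 0x31, 0xc0, 0xcd, 0x80 };   /* xor eax,eax ; int 0x80 */
static const uint8_t text[]      = { 'o', 'k', ' ', 0xc3, 0xa9,  /* "ok " + U+00E9 */
                                     0xe2, 0x82, 0xac,           /* U+20AC */
                                     0xf0, 0x9f, 0x94, 0x92 };   /* U+1F512 */
static const uint8_t truncated[] = { 0xe2, 0x82 };               /* U+20AC cut short */

long first_invalid_in_x86(void)       { return utf8_first_invalid(x86_frag, sizeof x86_frag); }
long first_invalid_in_text(void)      { return utf8_first_invalid(text, sizeof text); }
long first_invalid_in_truncated(void) { return utf8_first_invalid(truncated, sizeof truncated); }

int main(void)
{
    printf("x86 fragment : first invalid at %ld\n", first_invalid_in_x86());
    printf("text         : first invalid at %ld\n", first_invalid_in_text());
    printf("truncated    : first invalid at %ld\n", first_invalid_in_truncated());
    return 0;
}
```

The x86 fragment fails at offset 1: 0xC0 is never a valid lead byte in strict UTF-8 (it can only start an overlong encoding), and the 0x80 that follows int's 0xCD is a continuation byte whose lead is not a continuation-taking opcode. Those constraints, rather than the alphanumeric ones, are what the paper's shellcode has to be built around. Note that 0x00 is valid UTF-8, so a separate NUL check is still needed whenever the payload travels through C strings.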
Created: 2004-12-08 04:20 | Modified: 2007-03-26 00:18 | Size: 49338 octets