In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called “shellcode” because it typically starts a shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient [Mike et al, 2005]. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code.
Proof-of-Concept (POC)
The development bottom-line for an exploit is the Proof-of-Concept (POC). An exploit is made so that the system can be tested of any kind of vulnerabilities left which needs to be patched. It’s the only goal is to demonstrate if a security flaw exists and is done by often causing the vulnerable program to malfunction in a noticeable manner, such as terminating prematurely or abnormally (Arce, 2004).
There are three components for a usable exploit are as follows:
a) The Attack vector is a mechanism that the exploit uses to manifest a vulnerability in a system (Arce, 2004). Information gathering/social engineering can be done to establish the possible attack vectors required to gain access into the system. [Gallegos-Segovia et al, 2017]
b) Exploitation technique is an algorithm which gives control to the attacker by altering a vulnerable program’s execution [Arce, 2004].
c) Exploitation payload: Once an exploit takes control over a vulnerable program by exploiting its bug, it immediately fulfils the attacker’s goal where the payload is a functional component which implements the exploit’s desired goal [Arce, 2004].
A shellcode can bypass an intrusion detection system by encoding itself into polymorphic forms which in turn helps in evading the IPS which detects a shellcode according to the signatures extracted from variants of shellcode [Cheng et al, 2011]. It’s basically like encoding the payload and placing it in front of a decoder before sending it. When the victim executes the malicious program, the decoder rewrites it into the initial payload and then the victim executes it [Chaboya et al, 2006].
In a code injection attack, the attacker first focuses on gaining control of the system’s program counter.
Program Counter (PC): It is a special-purpose machine register that identifies the next available instruction scheduled for execution. After gaining control of PC, an attacker can redirect the program execution and instead of running the malicious code thereby disrupting the intended behaviour of the program. Depending on the vulnerability the attacker targets, the injected code can have several forms such as source code for an interpreted scripting-language engine, intermediate byte-code, or natively-executable machine code [Mason et al, 2009].
The side-channel attacks: These vary in two different ways which are as follows:
Timing Attacks (the attacker learns the total time taken by the computation)
Simple Power Analysis(leakage due to different types of power consumption depending on the different machine instructions) [Molnar, EECS].
The challenges of the transplanted shellcode, which are as follows:
The separation of the shellcode from the exploit is extremely difficult as the boundary of separation is not clear.
Shellcode is made up of non-trivial data transformations. Even if the bytes representing the original shellcode was possible to separate from the exploit, rewriting it to a replacement shellcode would be non-trivial.
The shellcode and the exploit could be mutually dependent on each other. In that case, constraints could be posed upon the replacement shellcode which could be potentially complex [Bao, 2017].
Replacement of the shellcode is a possibility if the shellcode only makes system calls with the equivalent ones and NOP instructions [Yoon, 2016].
Assuming that shellme is used for this program and the library string.h is already added.
void main()
{
char u[10], p1[10], p2[10];
int res=1;
FILE *fp;
char filename[]= “user.dat”;
printf(“Enter your username and password. Please enter your password twice.”);
while(res!=0)
{
scanf(“%s %s %s”, u, p1, p2 );
res = strcmp(p1,p2);
}
fp=fopen(filename, “w+”);
if(fp)
{
fputs(u, fp);
fputs(p1, fp);
fputs(p2, fp);
}
else
{ printf(“Failed to open the file”);
}
fclose(fp);
}
The next step is to generate the shellcode through the shellme package. For that, we need to compile the above code first with the command, gcc -o user user.c
After doing that, we can write the command python, shellme.py -n user, to convert the above code into a shellcode(fig 1 & 2).
In reverse connection(in this case, reverse_tcp), the client opens the port for the server to connect to(the attacker in this case). Meterpreter is used as a payload which is advanced, dynamically extensive and uses in-memory DLL injections stagers which is extended over the network during runtime. It allows to remotely control the file system, sniff, keylog, hashdump, perform network pivoting etc. It has the best post modules and can load extensions, such as python interpreter etc.
The five different shellcode-generating approaches are as follows:
NASM- Writing the shellcode in assembly ourselves. To do that, NASM can be used which is a x86/x86_64 assembler. Major drawback is that we cannot write for any other architecture.(eg. Arm64 for android)
MsfVenom- Using the metasploit module called msfvenom where predefined shellcodes can be used and the output format can be chosen.
PWNtools- A CTF framework which contains shellcraft which allows to assembly code but using python.
Shellme- the tool to obtain shellcode and opcode quickly where this packs some nasm/objdump calls into neat script.
MsfPayload+MsfEncode- Msfpayload is the predecessor of msfvenom whereby the shellcode was generated using this tool. In order for the payload to function properly, it had to be encoded according to the specific target using Msfencode. Converting it into pure alpha-numeric, getting rid of bad character or encoding it for 64-bit target; all done by Msfencode.
Polymorphic shellcode is an effective way of defeating the intrusion detection system(IDS) i.e. bypassing it. By replacing assembly instruction with some other assembly instruction which does the same job/task as the former will make the code impossible to detect as a shellcode. Also, the shellcode can be encrypted in such a way that it bypasses the IDS only to be able to be executed by running a decoder on the victim machine and henceforth executing the malicious code. A simple example of polymorphism would be:
mov eax, 0x2 could be written as
Xor eax, eax
add eax, 0x2
Both codes do the same job of moving the contents of register 2 into eax
Misuse of the penetration toolkits can be done by getting unauthorised access to networks, applications and data of an enterprise by identifying the exploits which could be used for that purpose of getting higher privileges of an admin. It gives an opportunity of trolling through the network and getting a good idea of the network architecture/layout and the ports which are open and close and what services are running on the ports. The impact on the company can be financial, legal and social. The financial loss which comes with attacks like the ransomware is beyond repair. It could lead to bankruptcy and sensitive data leakage. Secondly, the government like the Australian Government have a set of policies which every company has to follow no matter what status or value. If the cyber-crime is due to the sheer negligence of the policies then it can put the company into a difficult position and a legal court case would likely be filed due to the callousness. In terms of social situation, the reputation of the company crumbles down. And there will be serious trust issues related to business tie-ups and no other company might ever want to do a joint project with that company.
2019-8-1-1564628620