Questions about this topic? Sign up to ask in the talk tab.


From NetSec
Jump to: navigation, search
   04:01 <~hatter> So
   04:02 <~hatter> This is gonna be a panel so at this time I'd prefer that people just started asking questions
   04:02 <~hatter> I'll answer them as they come in
   04:02 <~hatter> or lorentz will
   04:02 <~hatter> topics are code compatibility
   04:02 <~hatter> ids evasion
   04:02 <~hatter> filter bypass
   04:02 <~hatter> (shellcode being the parent topic)
   04:04 <~hatter> if no one knows what shellcode is or the basics of how to write it, its ok to ask that too
   04:05 <~hatter> Right now there are two types of shellcode
   04:05 <~hatter> Executable shellcode
   04:05 <~hatter> and return oriented shellcode
   04:05 < rorschach> is there are mote efficient way to dump shellcode from objdump than coping and editting it with \x and such?
   04:05 <~hatter> return oriented code works by constructing a call stack to be read as data within the overflowed stack
   04:06 <~hatter> rorschach: I believe there's a bunch of different scripts for that, you could also
   04:06 <~hatter> write something using the elf format guidelines which would dump the hex from only the .text segment
   04:06 <~hatter> of the binary
   04:06   <   [email protected] [Ping timeout]
   04:06 < rorschach> ah, i see
   04:06 <~hatter> you can do the same thing with PE formatted code
   04:06 <~hatter> or
   04:07 <~hatter> if you get down with machine code
   04:07 <~hatter> you can just write it in opcodes
   04:07 <~hatter> (you have to have nearly insane memory for this)
   04:09 < rorschach> right
   04:12   <   [email protected] [Ping timeout]
   04:15   <   [email protected] [Ping timeout]
   04:15 <+Atlas> (cricket cricket)
   04:17 <~hatter> back
   04:17 <+Atlas> Welcome back
   04:18 <~hatter> so, shellcode is the code injected into memory at the time of buffer overflow exploitation- so its machine code (binary/represented in hex/asm)
   04:18 <~hatter> usually cannot have null bytes in it
   04:19 <~hatter> and sometimes it has to fit certain encoding criteriums
   04:20 <~hatter> so everyone in here is already a shellcode expert huh? lold
   04:21 < rorschach> xD
   04:21 < rorschach> wakey, wakey people
   04:23 < rorschach> is there any plotection against ROP shellcode, and what is the best way to bypass it (assuming executable is out of the question)
   04:23 < rorschach> protection*
   04:24 <~hatter> well
   04:24 <~hatter> supposedly windows 8 has some protect
   04:24 <~hatter> I haven't looked at it yet
   04:24 <~hatter> the linux kernel tries hard to to have some protect
   04:24 <~hatter> A lot of stuff is protected very well actually
   04:25 <~hatter> ultimately rop, a predictable offset attack, or something similar
   04:25 <~hatter> is the best way to break through the aslr
   04:25 <~hatter> and nx
   04:25 <~hatter> nx is what enforces a stack being marked as non-executable
   04:25 <~hatter> it is a hardware option.
   04:26 <~hatter> The other part of hardware that does this is the overflow flag register
   04:26 <~hatter> modern processors have a bit that gets set when an overflow occurs
   04:27 <~hatter> it is possible to modify all instances of the return instruction to utilize a safe return using this bit
   04:27 <~hatter> and the jo/jno instructions
   04:27 <~hatter> the linux kernel makes use of this at runtime extensively
   04:27 < rorschach> hmm
   04:30 < rorschach> can you make shell code that is architecture agnostic and short?
   04:30 <~hatter> it is possible, however it would take a long time.
   04:31 <~hatter> unless a generator was written
   04:41   >>> zz[email protected]
   04:47 <~hatter> there is a guy I've talked to
   04:47 <~hatter> from brazil, rorschach
   04:47 <~hatter> who supplied me with some
   04:47 <~hatter> multi arch shellcode
   04:47 <~hatter> lemme find it
   04:47 < rorschach> ah nice
   04:48 < rorschach> i think an assembler designed for shellcode would be awesome
   04:49 <~hatter> solaris/sparc linux/x86 irix/mips
   04:49 <~hatter> execve /bin/sh
   04:49 <~hatter> "\x37\x37\xeb\x2f\x30\x80\x00\x12\x04\x10\xff\xff\x24\x02\x03\xf3\x23\xff\x02\x14\x23\xe4\xfe\x08"
   04:49 <~hatter> "\x23\xe5\xfe\x10\xaf\xe4\xfe\x10\xaf\xe0\xfe\x14\xa3\xe0\xfe\x0f"
   04:49 <~hatter> "\x03\xff\xff\xcc"
   04:49 <~hatter> "/bin/sh"
   04:49 <~hatter> "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
   04:49 <~hatter> "\x37\x37\x37\x37\x37"
   04:49 <~hatter> "\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68"
   04:49 <~hatter> "\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10\xc0\x23\xbf\xec"
   04:49 <~hatter> "\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a\x82\x10\x20\x3b"
   04:49 <~hatter> "\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";
   04:50 < rorschach> very nice
   04:50 < rorschach> 150 bytes or so?
   04:50 <~hatter> idk could prolly echo -e it and wc it
   04:50 < rorschach> yeah
   04:52 < rorschach> does it basically jmp if mips jmp if x86, etc?
   04:54   <   [email protected] [Excess Flood]
   04:54   >>> [email protected]
   04:54 < Zalgo> [rory] 18:55 <+Diogenes> Why are you guys humiliating me like this I didn't even do anything
   04:54 <~hatter> I haven't analyzed it extensively, to be honest
   04:54 <~hatter> I should check it out
   04:55 < rorschach> that's the method i would probably use
   04:56 < rorschach> although jumps would be architecture dependent, as well
   04:56 <~hatter> ^