Classes/Logs/2012/September/20/00-01
From NetSec
04:01 <~hatter> So
04:02 <~hatter> This is gonna be a panel so at this time I'd prefer that people just started asking questions
04:02 <~hatter> I'll answer them as they come in
04:02 <~hatter> or lorentz will
04:02 <~hatter> topics are code compatibility
04:02 <~hatter> ids evasion
04:02 <~hatter> filter bypass
04:02 <~hatter> (shellcode being the parent topic)
04:04 <~hatter> if no one knows what shellcode is or the basics of how to write it, it's ok to ask that too
04:05 <~hatter> Right now there are two types of shellcode
04:05 <~hatter> Executable shellcode
04:05 <~hatter> and return oriented shellcode
04:05 < rorschach> is there a more efficient way to dump shellcode from objdump than copying and editing it with \x and such?
04:05 <~hatter> return oriented code works by constructing a call stack to be read as data within the overflowed stack
04:06 <~hatter> rorschach: I believe there's a bunch of different scripts for that, you could also
04:06 <~hatter> write something using the elf format guidelines which would dump the hex from only the .text segment
04:06 <~hatter> of the binary
04:06 < rorschach> ah, i see
04:06 <~hatter> you can do the same thing with PE formatted code
04:06 <~hatter> or
04:07 <~hatter> if you get down with machine code
04:07 <~hatter> you can just write it in opcodes
04:07 <~hatter> (you have to have nearly insane memory for this)
04:09 < rorschach> right
04:15 <+Atlas> (cricket cricket)
04:17 <~hatter> back
04:17 <+Atlas> Welcome back
04:18 <~hatter> so, shellcode is the code injected into memory at the time of buffer overflow exploitation- so it's machine code (binary/represented in hex/asm)
04:18 <~hatter> usually cannot have null bytes in it
04:19 <~hatter> and sometimes it has to fit certain encoding criteria
04:20 <~hatter> so everyone in here is already a shellcode expert huh? lold
04:21 < rorschach> xD
04:21 < rorschach> wakey, wakey people
04:23 < rorschach> is there any plotection against ROP shellcode, and what is the best way to bypass it (assuming executable is out of the question)
04:23 < rorschach> protection*
04:24 <~hatter> well
04:24 <~hatter> supposedly windows 8 has some protect
04:24 <~hatter> I haven't looked at it yet
04:24 <~hatter> the linux kernel tries hard to have some protect
04:24 <~hatter> A lot of stuff is protected very well actually
04:25 <~hatter> ultimately rop, a predictable offset attack, or something similar
04:25 <~hatter> is the best way to break through the aslr
04:25 <~hatter> and nx
04:25 <~hatter> nx is what enforces a stack being marked as non-executable
04:25 <~hatter> it is a hardware option.
04:26 <~hatter> The other part of hardware that does this is the overflow flag register
04:26 <~hatter> modern processors have a bit that gets set when an overflow occurs
04:27 <~hatter> it is possible to modify all instances of the return instruction to utilize a safe return using this bit
04:27 <~hatter> and the jo/jno instructions
04:27 <~hatter> the linux kernel makes use of this at runtime extensively
04:27 < rorschach> hmm
04:30 < rorschach> can you make shell code that is architecture agnostic and short?
04:30 <~hatter> it is possible, however it would take a long time.
04:31 <~hatter> unless a generator was written
04:47 <~hatter> there is a guy I've talked to
04:47 <~hatter> from brazil, rorschach
04:47 <~hatter> who supplied me with some
04:47 <~hatter> multi arch shellcode
04:47 <~hatter> lemme find it
04:47 < rorschach> ah nice
04:48 < rorschach> i think an assembler designed for shellcode would be awesome
04:49 <~hatter> solaris/sparc linux/x86 irix/mips
04:49 <~hatter> execve /bin/sh
04:49 <~hatter> "\x37\x37\xeb\x2f\x30\x80\x00\x12\x04\x10\xff\xff\x24\x02\x03\xf3\x23\xff\x02\x14\x23\xe4\xfe\x08"
04:49 <~hatter> "\x23\xe5\xfe\x10\xaf\xe4\xfe\x10\xaf\xe0\xfe\x14\xa3\xe0\xfe\x0f"
04:49 <~hatter> "\x03\xff\xff\xcc"
04:49 <~hatter> "/bin/sh"
04:49 <~hatter> "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"
04:49 <~hatter> "\x37\x37\x37\x37\x37"
04:49 <~hatter> "\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b\xcb\xdc\xa2\x14\x63\x68"
04:49 <~hatter> "\xe0\x3b\xbf\xf0\xc0\x23\xbf\xf8\x90\x23\xa0\x10\xc0\x23\xbf\xec"
04:49 <~hatter> "\xd0\x23\xbf\xe8\x92\x23\xa0\x18\x94\x22\x80\x0a\x82\x10\x20\x3b"
04:49 <~hatter> "\x91\xd0\x20\x08\x82\x10\x20\x01\x91\xd0\x20\x08";
04:50 < rorschach> very nice
04:50 < rorschach> 150 bytes or so?
04:50 <~hatter> idk could prolly echo -e it and wc it
04:50 < rorschach> yeah
04:52 < rorschach> does it basically jmp if mips jmp if x86, etc?
04:54 < Zalgo> [rory] 18:55 <+Diogenes> Why are you guys humiliating me like this I didn't even do anything
04:54 <~hatter> I haven't analyzed it extensively, to be honest
04:54 <~hatter> I should check it out
04:55 < rorschach> that's the method i would probably use
04:56 < rorschach> although jumps would be architecture dependent, as well
04:56 <~hatter> ^