SlideShare ist ein Scribd-Unternehmen logo

Shellcoding, an Introduction

Daniele Bellavista
Daniele Bellavista

An introduction for shellcoding,

Technologie
1 von 31
Downloaden Sie, um offline zu lesen
Shellcoding, an introduction Daniele Bellavista University of Bologna, Scuola di Ingegneria ed Architettura Cesena Security Network and Applications December 24, 2012
Outline (CeSeNA) December 24, 2012 2/1
Warm-Up Materiale iniziale La teoria di questa presentazione vale per sistemi Unix, FreeBSD e Windows. Il materiale ` tuttavia preparato per sistemi Linux 64 bit con kernel e >= 2.6 e processore > Pentium 4. Per chi non ha 64 bit sono disponibili anche gli esempi a 32 bit. Per chi non ha installato un OS Linux o non vuole sporcare il suo, sono disponibili due Virtual Machine: 32 bit: sorry non ho fatto in tempo. . . 64 bit: sorry non ho fatto in tempo. . . (CeSeNA) December 24, 2012 3/1
What is shellcoding? Exploiting software vulnerabilities Vulnerabilities like BOFs permit the insertion and the execution of a custom payload. The historical function of the payload is to spawn a shell (hence the name shell-code). If the exploited program runs as a privileged user, the payload can assume the control of the system. Prerequisites Basic notion of: Assembly language. Memory structure. System Calls. (CeSeNA) December 24, 2012 4/1
System Memory Memory management Memory management is a vast topic, so let’s discuss from an high-level viewpoint. Thanks to the Virtual Memory Management, each process sees a flat addressing space of 128 TiB (4 GiB in 32 bit processors). Users can create sections inside the memory with read, write and/or execute permissions. The basic operations for memory management are push and pop. push Insert a 64-bit value into the top of the stack (the bottom). pop Retrieve a 64-bit value from the top of the stack (the bottom). (CeSeNA) December 24, 2012 5/1
Figure : Linux 64 bit memory management (CeSeNA) December 24, 2012 6/1
Program Code Text segment and instruction pointer The code is saved in a RO and executable memory called Text segment. The current instruction is pointed by the Instruction Pointer. The instruction pointer is a value stored into the CPU. (CeSeNA) December 24, 2012 7/1
Program Stack The stack is where function context, called frame, resides. The Base pointer points to the begin of the frame. The Stack pointer points to the first available memory location. void f () { int xx = 1 2 ; i n t yy = 2 3 ; int zz = 24; int sum = xx + yy + z z ; } (CeSeNA) December 24, 2012 8/1
Assembly Language Low, low level programming Assembly is the final stage of the programming process. Each instruction is directly converted into an number. Writing the number on the CPU Command BUS cause the instruction to be executed. You can access to a set of 64 bit registers: rax, rbx, rcx, rdx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15 As instruction pointer, base pointer and stack pointer the CPU uses respectively rip, rbp and rsp. (CeSeNA) December 24, 2012 9/1
Assembly Language: function call The call/ret instructions call address push the RIP into the stack. ret pop the RIP from the stack. Creating a frame for the function The callee may need a stack for his own variables. RBP is saved (pushed) into the stack. The new RBP become the old RSP. Before doing ret, the opposite operations must be performed. (CeSeNA) December 24, 2012 10 / 1
Assembly Language: function call and stack (CeSeNA) December 24, 2012 11 / 1
Assembly Language: function call and parameters Where should I put the parameters? If you are coding in pure ASM, you can do what you want. Else, you have to follow the conventions (see http://en.wikipedia.org/wiki/X86_calling_conventions# List_of_x86_calling_conventions). Linux calling convention, parameter order First parameters: x86-64: rdi, rsi, rdx, rcx, r8, and r9. For system calls, r10 is used instead of rcx. IA-32: ecx, edx. For system calls ebx, ecx, edx, esi, edi, ebp. Other parameters are pushed into the stack. (CeSeNA) December 24, 2012 12 / 1
System calls Invoking the OS User’s programs run in the exterior ring with PL 3, while kernel runs in the inner ring with PL 0: Kernel can access to the hardware (files, devices, . . . ), user not. Syscalls form the interface between user and kernel. E.g.: open(), read(), write(), chmod(), exec(), . . . (CeSeNA) December 24, 2012 13 / 1
Try to use Syscalls Using assembly In order to ease the programmer duty, syscalls are identified by a number. In modern x86-64 processor, a syscall is invoked using the operation syscall, putting the id in the register rax. In modern x86 processor, a syscall is invoked using the operation sysenter but a lot of operation must be performed before, so in the following exercise we will use the old-fashion-way int 80h, which rises a software interrupt. 1 mov r d i , 0 1 mov ebx , 0 2 mov r a x , 60 2 mov eax , 1 3 syscall 3 i n t 80 h (CeSeNA) December 24, 2012 14 / 1
Linux Syscalls Linux Syscalls signatures: /. . . kernel-sources. . . /include/linux/syscall.h Syscalls numbers: /usr/include/asm/unistd 64.h 1 unistd 64.h 2 #d e f i n e N R e x i t 60 3 syscall.h 4 asmlinkage long s y s e x i t ( i n t error code ) ; (CeSeNA) December 24, 2012 15 / 1
Writing shellcodes The final preparation First steps. . . Testing platform: http://dl.dropbox.com/u/16169203/data.zip Use nasm to compile your assembly code Feed the tester with the output. Exercise 0 Create a shellcode that does nothing! Test it! (CeSeNA) December 24, 2012 16 / 1
Writing shellcodes Using a syscall Exercise 1: The exit syscall Use the exit syscall to terminate the program Change your code setting the return code to 13h (CeSeNA) December 24, 2012 17 / 1
Writing shellcodes Data reference I The reference problem When you write a program you can use global data because, at compile time, a static address is associated. But your shellcode is not compiled with the program it’s intended to run. You must use relative addressing, but before IA-64 it was not possible. (CeSeNA) December 24, 2012 18 / 1
Writing shellcodes Data reference II Old IA-32 way You use a trick: jmp just before the data location, then do a call. Et voil`! On the top of the stack there is the data address. a 1 jmp message 2 run : 3 pop ebx ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e 4 ; . . . shellcode 5 message : 6 c a l l run 7 db ’ CeSeNA ’ , 0 x0a , 0 (CeSeNA) December 24, 2012 19 / 1
Writing shellcodes Data reference III New IA-64 way IA-64 introduces the RIP relative addressing. 1 l e a r d i , [ r e l message ] ; now ebx c o n t a i n s 2 ; the s t r i n g r e f e r e n c e 3 ; . . . shellcode 4 5 message db ’ CeSeNA ’ , 0 x0a , 0 (CeSeNA) December 24, 2012 20 / 1
Writing shellcodes Data reference IV Generic Way You can pop the string in hex format over the stack. The stack pointer is then the string reference. 1 push 0 x 0 0 0 a 4 1 4 e ; 0 x00 , 0 x0a , ’AN ’ 2 push 0 x65536543 ; ’ eSeC ’ 3 mov ebx , e s p ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e 4 ; ... (CeSeNA) December 24, 2012 21 / 1
Writing shellcodes Data reference V Exercise 2: print on stdout Get the exercise skeleton. Understand the code Write your own message (CeSeNA) December 24, 2012 22 / 1
Writing shellcodes Execute a program 1 unistd 64 . h 2 #d e f i n e N R e x e c v e 59 3 syscall .h 4 i n t k e r n e l e x e c v e ( const char ∗ filename , 5 const char ∗ const argv [ ] , 6 c o n s t c h a r ∗ c o n s t envp [ ] ) ; Exercise 3: A real shellcode, exec a shell! 4 HaXoRs 4 g33k 4 n00bz (CeSeNA) December 24, 2012 23 / 1
Writing shellcodes Reverse shell I One shellcode to rule them all Step to execute: 1 Open a socket to the attacker server. 2 Duplicate the socket file descriptor into 0 and 1 (and optionally 2). 3 Exec a shell. Step1: Create a socket The standard procedure involves socket creation and connection. socket() and connect() syscalls. The sockaddr in structure requires port in network byte order (htons()) and ip address in numeric form (inet pton()). The usual sockaddr in size is 16. (CeSeNA) December 24, 2012 24 / 1
Writing shellcodes Reverse shell II 1 l o n g s y s s o c k e t ( i n t domain , 2 i n t type , 3 int protocol ) ; 4 l o n g s y s c o n n e c t ( i n t fd , 5 s t r u c t sockaddr user ∗, 6 int addrlen ) ; 1 struct sockaddr in { 2 short s i n f a m i l y ; // AF INET 3 unsigned short s i n p o r t ; // n e t w o r k o r d e r ( h t o n s ( ) ) 4 struct in addr s i n a d d r ; // As 32 b i t 5 char sin zero [8]; 6 }; (CeSeNA) December 24, 2012 25 / 1
Writing shellcodes Reverse shell III Step2: Duplicate the file descriptor The return value of socket() is the file descriptor. The syscall dup2() copy the file descriptor and close the destination. dup2(fd, 0); dup2(fd, 1), dup2(fd, 2); 1 long sys dup2 ( unsigned i n t oldfd , 2 u n s i g n e d i n t newfd ) (CeSeNA) December 24, 2012 26 / 1
Writing shellcodes Reverse shell IV Step3: Exec a shell Already seen ;) Exercise 4: Reverse shelling Remember to open a server listening into a known address! E.g.: nc -l -p 1234, preparing reverse shell for 127.0.0.1:1234 4 HaXoRs 4 g33k 4 n00bz (CeSeNA) December 24, 2012 27 / 1
Writing shellcodes Shellcode optimization Why optimization? When writing a shellcode, you must consider various factors. The most important are: 1 How the vulnerable program receives the payload. 2 How long the payload can be. The previous exercise solutions, for instance, are not suitable in most cases. The next slides will discuss about the NULL byte presence. About the payload length, it’s all about the exploiter expertise. (CeSeNA) December 24, 2012 28 / 1
Writing shellcodes String payload zero-bytes problem If the payload is red as a string, C interprets a zero byte as string terminator, cutting the shellcode. Zero-bytes presence is caused by data and addresses: mov rax, 11h is equivalent to mov rax, 0000000000000011h. lea rax, [rel message] is equivalent to lea rax, [rip + 0000. . . xxh]. execve for instance, requires a null terminated string and some null parameters. Solutions are quite straightforward: Use xor operation to zero a register. Use when possible smaller part of registers (e.g.: rax → eax → ax → [ah,al]) Use add operation: immediate operators are not expanded. Place not-null marker in strings and substitute them inside the code. When using relative addressing, place the message above: offset will be negative [?]. (CeSeNA) December 24, 2012 29 / 1
Writing shellcodes Zero-byte removal example ; S e t r a x = 60 h ; S e t t o 0 a mem a r e a xor rax , rax n u l l db ’ x x x x ’ mov a l , 60 x o r rbx , r b x mov [ r e l n u l l ] , ebx ; S e t r d i = 12 h xor rdi , r d i ; terminate s t r i n g with 0 add r d i , 12 h message db ’ CeSeNA ’ , ’ x ’ x o r rbx , r b x l e a r d i , [ r e l message ] mov [ r d i +7] , b l ; Negative refe rence message db ’ CeSeNA ’ , ’ x ’ l e a r d i , [ r e l message ] (CeSeNA) December 24, 2012 30 / 1
Writing shellcodes References (CeSeNA) December 24, 2012 31 / 1

Empfohlen

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Building a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersBuilding a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersMichelle Holley
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
Inside Docker for Fedora20/RHEL7
Inside Docker for Fedora20/RHEL7Inside Docker for Fedora20/RHEL7
Inside Docker for Fedora20/RHEL7Etsuji Nakai
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
Parallella: Embedded HPC For Everybody
Parallella: Embedded HPC For EverybodyParallella: Embedded HPC For Everybody
Parallella: Embedded HPC For Everybodyjerlbeck
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 

Empfohlen

Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Проведение криминалистической экспертизы и анализа руткит-программ на примере...
Проведение криминалистической экспертизы и анализа руткит-программ на примере...Alex Matrosov
 
Reconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemReconstructing Gapz: Position-Independent Code Analysis Problem
Reconstructing Gapz: Position-Independent Code Analysis ProblemAlex Matrosov
 
Building a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersBuilding a Virtualized Continuum with Intel(r) Clear Containers
Building a Virtualized Continuum with Intel(r) Clear ContainersMichelle Holley
 
Mem forensic
Mem forensicMem forensic
Mem forensicChong-Kuan Chen
 
Inside Docker for Fedora20/RHEL7
Inside Docker for Fedora20/RHEL7Inside Docker for Fedora20/RHEL7
Inside Docker for Fedora20/RHEL7Etsuji Nakai
 
Solaris DTrace, An Introduction
Solaris DTrace, An IntroductionSolaris DTrace, An Introduction
Solaris DTrace, An Introductionsatyajit_t
 
Parallella: Embedded HPC For Everybody
Parallella: Embedded HPC For EverybodyParallella: Embedded HPC For Everybody
Parallella: Embedded HPC For Everybodyjerlbeck
 
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Laterjohn-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types Later
john-devkit: 100 типов хешей спустя / john-devkit: 100 Hash Types LaterPositive Hack Days
 
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Derek Callaway
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...npinto
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...npinto
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyInsight Technology, Inc.
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack monad bobo
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS EnvironmentsTrusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environmentsnpaladi
 
Analysis of Cryptographic Algorithms
Analysis of Cryptographic AlgorithmsAnalysis of Cryptographic Algorithms
Analysis of Cryptographic Algorithmsijsrd.com
 
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)npinto
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCDerek Callaway
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Etsuji Nakai
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
 
Game Engine
Game EngineGame Engine
Game EngineDaniele Bellavista
 
Light talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for AndroidLight talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for AndroidKito Cheng
 

Weitere ähnliche Inhalte

Was ist angesagt?

Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Derek Callaway
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationKernel TLV
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...npinto
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAlex Matrosov
 
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...npinto
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]RootedCON
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack monad bobo
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaXKernel TLV
 
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS EnvironmentsTrusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environmentsnpaladi
 
Analysis of Cryptographic Algorithms
Analysis of Cryptographic AlgorithmsAnalysis of Cryptographic Algorithms
Analysis of Cryptographic Algorithmsijsrd.com
 
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)npinto
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCDerek Callaway
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverAnne Nicolas
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON
 
Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Etsuji Nakai
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...RootedCON
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Priyanka Aash
 

Was ist angesagt? (20)

Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)
 
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege EscalationSemtex.c [CVE-2013-2094] - A Linux Privelege Escalation
Semtex.c [CVE-2013-2094] - A Linux Privelege Escalation
 
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
IAP09 CUDA@MIT 6.963 - Guest Lecture: Out-of-Core Programming with NVIDIA's C...
 
Advanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/GapzAdvanced Evasion Techniques by Win32/Gapz
Advanced Evasion Techniques by Win32/Gapz
 
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
IAP09 CUDA@MIT 6.963 - Lecture 01: GPU Computing using CUDA (David Luebke, NV...
 
A22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle HaileyA22 Introduction to DTrace by Kyle Hailey
A22 Introduction to DTrace by Kyle Hailey
 
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
Eloi Sanfelix - Hardware security: Side Channel Attacks [RootedCON 2011]
 
introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack introduction to linux kernel tcp/ip ptocotol stack
introduction to linux kernel tcp/ip ptocotol stack
 
grsecurity and PaX
grsecurity and PaXgrsecurity and PaX
grsecurity and PaX
 
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS EnvironmentsTrusted Launch of Generic Virtual Machine Images in Public IaaS Environments
Trusted Launch of Generic Virtual Machine Images in Public IaaS Environments
 
Analysis of Cryptographic Algorithms
Analysis of Cryptographic AlgorithmsAnalysis of Cryptographic Algorithms
Analysis of Cryptographic Algorithms
 
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
IAP09 CUDA@MIT 6.963 - Lecture 04: CUDA Advanced #1 (Nicolas Pinto, MIT)
 
Uncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRCUncloaking IP Addresses on IRC
Uncloaking IP Addresses on IRC
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
 
Kernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driverKernel Recipes 2015: Anatomy of an atomic KMS driver
Kernel Recipes 2015: Anatomy of an atomic KMS driver
 
44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar44CON London - Attacking VxWorks: from Stone Age to Interstellar
44CON London - Attacking VxWorks: from Stone Age to Interstellar
 
Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7
 
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
Francisco Jesús Gómez + Carlos Juan Diaz - Cloud Malware Distribution: DNS wi...
 
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
Wrangling with the Ghost: An Inside Story of Mitigating Speculative Execution...
 

Andere mochten auch

Light talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for AndroidLight talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for AndroidKito Cheng
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_softwaresanghwan ahn
 
Design and Implementation of GCC Register Allocation
Design and Implementation of GCC Register AllocationDesign and Implementation of GCC Register Allocation
Design and Implementation of GCC Register AllocationKito Cheng
 
References Are 'Nice' Pointers
References Are 'Nice' PointersReferences Are 'Nice' Pointers
References Are 'Nice' PointersGail Carmichael
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explainedTeja Babu
 
Rethinking the debugger
Rethinking the debuggerRethinking the debugger
Rethinking the debuggerIulian Dragos
 
Exception handling poirting in gcc
Exception handling poirting in gccException handling poirting in gcc
Exception handling poirting in gccShiva Chen
 
Programmazione Genetica per l'Inferenza di Reti di Kauffman
Programmazione Genetica per l'Inferenza di Reti di KauffmanProgrammazione Genetica per l'Inferenza di Reti di Kauffman
Programmazione Genetica per l'Inferenza di Reti di KauffmanDaniele Bellavista
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowVi Tính Hoàng Nam
 
ARM procedure calling conventions and recursion
ARM procedure calling conventions and recursionARM procedure calling conventions and recursion
ARM procedure calling conventions and recursionStephan Cadene
 
COSCUP 2014 : open source compiler 戰國時代的軍備競賽
COSCUP 2014 : open source compiler 戰國時代的軍備競賽COSCUP 2014 : open source compiler 戰國時代的軍備競賽
COSCUP 2014 : open source compiler 戰國時代的軍備競賽Kito Cheng
 
Android C Library: Bionic 成長計畫
Android C Library: Bionic 成長計畫Android C Library: Bionic 成長計畫
Android C Library: Bionic 成長計畫Kito Cheng
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Huntingsanghwan ahn
 

Andere mochten auch (20)

Game Engine
Game EngineGame Engine
Game Engine
 
Light talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for AndroidLight talk @ coscup 2011 : Incremental Global Prelink for Android
Light talk @ coscup 2011 : Incremental Global Prelink for Android
 
How to find_vulnerability_in_software
How to find_vulnerability_in_softwareHow to find_vulnerability_in_software
How to find_vulnerability_in_software
 
Algorithms
AlgorithmsAlgorithms
Algorithms
 
Function Call Stack
Function Call StackFunction Call Stack
Function Call Stack
 
Design and Implementation of GCC Register Allocation
Design and Implementation of GCC Register AllocationDesign and Implementation of GCC Register Allocation
Design and Implementation of GCC Register Allocation
 
References Are 'Nice' Pointers
References Are 'Nice' PointersReferences Are 'Nice' Pointers
References Are 'Nice' Pointers
 
Buffer overflow explained
Buffer overflow explainedBuffer overflow explained
Buffer overflow explained
 
Rethinking the debugger
Rethinking the debuggerRethinking the debugger
Rethinking the debugger
 
Exception handling poirting in gcc
Exception handling poirting in gccException handling poirting in gcc
Exception handling poirting in gcc
 
Programmazione Genetica per l'Inferenza di Reti di Kauffman
Programmazione Genetica per l'Inferenza di Reti di KauffmanProgrammazione Genetica per l'Inferenza di Reti di Kauffman
Programmazione Genetica per l'Inferenza di Reti di Kauffman
 
Program activation records
Program activation recordsProgram activation records
Program activation records
 
Buffer overflow
Buffer overflowBuffer overflow
Buffer overflow
 
FuelPHP
FuelPHPFuelPHP
FuelPHP
 
Buffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh SharmaBuffer Overflow Demo by Saurabh Sharma
Buffer Overflow Demo by Saurabh Sharma
 
Ceh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflowCeh v5 module 20 buffer overflow
Ceh v5 module 20 buffer overflow
 
ARM procedure calling conventions and recursion
ARM procedure calling conventions and recursionARM procedure calling conventions and recursion
ARM procedure calling conventions and recursion
 
COSCUP 2014 : open source compiler 戰國時代的軍備競賽
COSCUP 2014 : open source compiler 戰國時代的軍備競賽COSCUP 2014 : open source compiler 戰國時代的軍備競賽
COSCUP 2014 : open source compiler 戰國時代的軍備競賽
 
Android C Library: Bionic 成長計畫
Android C Library: Bionic 成長計畫Android C Library: Bionic 成長計畫
Android C Library: Bionic 成長計畫
 
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg HuntingSystem Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
System Hacking Tutorial #3 - Buffer Overflow - Egg Hunting
 

Ähnlich wie Shellcoding, an Introduction

NASM Introduction.pptx
NASM Introduction.pptxNASM Introduction.pptx
NASM Introduction.pptxAnshKarwa
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linuxAjin Abraham
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringSumutiu Marius
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Hajime Tazaki
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackTomer Zait
 
Advanced Windows Debugging
Advanced Windows DebuggingAdvanced Windows Debugging
Advanced Windows DebuggingBala Subra
 
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...David Walker
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Vincenzo Iozzo
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackironSource
 
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxCA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxtrupeace
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)shimosawa
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathDennis Chung
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the databaseBernardo Damele A. G.
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 

Ähnlich wie Shellcoding, an Introduction (20)

Smashing The Stack
Smashing The StackSmashing The Stack
Smashing The Stack
 
NASM Introduction.pptx
NASM Introduction.pptxNASM Introduction.pptx
NASM Introduction.pptx
 
Shellcoding in linux
Shellcoding in linuxShellcoding in linux
Shellcoding in linux
 
The walking 0xDEAD
The walking 0xDEADThe walking 0xDEAD
The walking 0xDEAD
 
X86 assembly nasm syntax
X86 assembly nasm syntaxX86 assembly nasm syntax
X86 assembly nasm syntax
 
Shellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse EngineeringShellcode Disassembling - Reverse Engineering
Shellcode Disassembling - Reverse Engineering
 
Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014Direct Code Execution - LinuxCon Japan 2014
Direct Code Execution - LinuxCon Japan 2014
 
Buffer overflow – Smashing The Stack
Buffer overflow – Smashing The StackBuffer overflow – Smashing The Stack
Buffer overflow – Smashing The Stack
 
Advanced Windows Debugging
Advanced Windows DebuggingAdvanced Windows Debugging
Advanced Windows Debugging
 
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
The Effect of Hierarchical Memory on the Design of Parallel Algorithms and th...
 
Software Security
Software SecuritySoftware Security
Software Security
 
Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009Let your Mach-O fly, Black Hat DC 2009
Let your Mach-O fly, Black Hat DC 2009
 
3. Synthesis.pptx
3. Synthesis.pptx3. Synthesis.pptx
3. Synthesis.pptx
 
Buffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the StackBuffer Overflow - Smashing the Stack
Buffer Overflow - Smashing the Stack
 
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptxCA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
CA-Lec4-RISCV-Instructions-1aaaaaaaaaa.pptx
 
Linux Initialization Process (1)
Linux Initialization Process (1)Linux Initialization Process (1)
Linux Initialization Process (1)
 
Swug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainathSwug July 2010 - windows debugging by sainath
Swug July 2010 - windows debugging by sainath
 
SDAccel Design Contest: Xilinx SDAccel
SDAccel Design Contest: Xilinx SDAccel SDAccel Design Contest: Xilinx SDAccel
SDAccel Design Contest: Xilinx SDAccel
 
Expanding the control over the operating system from the database
Expanding the control over the operating system from the databaseExpanding the control over the operating system from the database
Expanding the control over the operating system from the database
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 

Kürzlich hochgeladen

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 

Kürzlich hochgeladen (20)

Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 

Shellcoding, an Introduction

  • 1. Shellcoding, an introduction Daniele Bellavista University of Bologna, Scuola di Ingegneria ed Architettura Cesena Security Network and Applications December 24, 2012
  • 2. Outline (CeSeNA) December 24, 2012 2/1
  • 3. Warm-Up Materiale iniziale La teoria di questa presentazione vale per sistemi Unix, FreeBSD e Windows. Il materiale ` tuttavia preparato per sistemi Linux 64 bit con kernel e >= 2.6 e processore > Pentium 4. Per chi non ha 64 bit sono disponibili anche gli esempi a 32 bit. Per chi non ha installato un OS Linux o non vuole sporcare il suo, sono disponibili due Virtual Machine: 32 bit: sorry non ho fatto in tempo. . . 64 bit: sorry non ho fatto in tempo. . . (CeSeNA) December 24, 2012 3/1
  • 4. What is shellcoding? Exploiting software vulnerabilities Vulnerabilities like BOFs permit the insertion and the execution of a custom payload. The historical function of the payload is to spawn a shell (hence the name shell-code). If the exploited program runs as a privileged user, the payload can assume the control of the system. Prerequisites Basic notion of: Assembly language. Memory structure. System Calls. (CeSeNA) December 24, 2012 4/1
  • 5. System Memory Memory management Memory management is a vast topic, so let’s discuss from an high-level viewpoint. Thanks to the Virtual Memory Management, each process sees a flat addressing space of 128 TiB (4 GiB in 32 bit processors). Users can create sections inside the memory with read, write and/or execute permissions. The basic operations for memory management are push and pop. push Insert a 64-bit value into the top of the stack (the bottom). pop Retrieve a 64-bit value from the top of the stack (the bottom). (CeSeNA) December 24, 2012 5/1
  • 6. Figure : Linux 64 bit memory management (CeSeNA) December 24, 2012 6/1
  • 7. Program Code Text segment and instruction pointer The code is saved in a RO and executable memory called Text segment. The current instruction is pointed by the Instruction Pointer. The instruction pointer is a value stored into the CPU. (CeSeNA) December 24, 2012 7/1
  • 8. Program Stack The stack is where function context, called frame, resides. The Base pointer points to the begin of the frame. The Stack pointer points to the first available memory location. void f () { int xx = 1 2 ; i n t yy = 2 3 ; int zz = 24; int sum = xx + yy + z z ; } (CeSeNA) December 24, 2012 8/1
  • 9. Assembly Language Low, low level programming Assembly is the final stage of the programming process. Each instruction is directly converted into an number. Writing the number on the CPU Command BUS cause the instruction to be executed. You can access to a set of 64 bit registers: rax, rbx, rcx, rdx, rsi, rdi, r8, r9, r10, r11, r12, r13, r14, r15 As instruction pointer, base pointer and stack pointer the CPU uses respectively rip, rbp and rsp. (CeSeNA) December 24, 2012 9/1
  • 10. Assembly Language: function call The call/ret instructions call address push the RIP into the stack. ret pop the RIP from the stack. Creating a frame for the function The callee may need a stack for his own variables. RBP is saved (pushed) into the stack. The new RBP become the old RSP. Before doing ret, the opposite operations must be performed. (CeSeNA) December 24, 2012 10 / 1
  • 11. Assembly Language: function call and stack (CeSeNA) December 24, 2012 11 / 1
  • 12. Assembly Language: function call and parameters Where should I put the parameters? If you are coding in pure ASM, you can do what you want. Else, you have to follow the conventions (see http://en.wikipedia.org/wiki/X86_calling_conventions# List_of_x86_calling_conventions). Linux calling convention, parameter order First parameters: x86-64: rdi, rsi, rdx, rcx, r8, and r9. For system calls, r10 is used instead of rcx. IA-32: ecx, edx. For system calls ebx, ecx, edx, esi, edi, ebp. Other parameters are pushed into the stack. (CeSeNA) December 24, 2012 12 / 1
  • 13. System calls Invoking the OS User’s programs run in the exterior ring with PL 3, while kernel runs in the inner ring with PL 0: Kernel can access to the hardware (files, devices, . . . ), user not. Syscalls form the interface between user and kernel. E.g.: open(), read(), write(), chmod(), exec(), . . . (CeSeNA) December 24, 2012 13 / 1
  • 14. Try to use Syscalls Using assembly In order to ease the programmer duty, syscalls are identified by a number. In modern x86-64 processor, a syscall is invoked using the operation syscall, putting the id in the register rax. In modern x86 processor, a syscall is invoked using the operation sysenter but a lot of operation must be performed before, so in the following exercise we will use the old-fashion-way int 80h, which rises a software interrupt. 1 mov r d i , 0 1 mov ebx , 0 2 mov r a x , 60 2 mov eax , 1 3 syscall 3 i n t 80 h (CeSeNA) December 24, 2012 14 / 1
  • 15. Linux Syscalls Linux Syscalls signatures: /. . . kernel-sources. . . /include/linux/syscall.h Syscalls numbers: /usr/include/asm/unistd 64.h 1 unistd 64.h 2 #d e f i n e N R e x i t 60 3 syscall.h 4 asmlinkage long s y s e x i t ( i n t error code ) ; (CeSeNA) December 24, 2012 15 / 1
  • 16. Writing shellcodes The final preparation First steps. . . Testing platform: http://dl.dropbox.com/u/16169203/data.zip Use nasm to compile your assembly code Feed the tester with the output. Exercise 0 Create a shellcode that does nothing! Test it! (CeSeNA) December 24, 2012 16 / 1
  • 17. Writing shellcodes Using a syscall Exercise 1: The exit syscall Use the exit syscall to terminate the program Change your code setting the return code to 13h (CeSeNA) December 24, 2012 17 / 1
  • 18. Writing shellcodes Data reference I The reference problem When you write a program you can use global data because, at compile time, a static address is associated. But your shellcode is not compiled with the program it’s intended to run. You must use relative addressing, but before IA-64 it was not possible. (CeSeNA) December 24, 2012 18 / 1
  • 19. Writing shellcodes Data reference II Old IA-32 way You use a trick: jmp just before the data location, then do a call. Et voil`! On the top of the stack there is the data address. a 1 jmp message 2 run : 3 pop ebx ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e 4 ; . . . shellcode 5 message : 6 c a l l run 7 db ’ CeSeNA ’ , 0 x0a , 0 (CeSeNA) December 24, 2012 19 / 1
  • 20. Writing shellcodes Data reference III New IA-64 way IA-64 introduces the RIP relative addressing. 1 l e a r d i , [ r e l message ] ; now ebx c o n t a i n s 2 ; the s t r i n g r e f e r e n c e 3 ; . . . shellcode 4 5 message db ’ CeSeNA ’ , 0 x0a , 0 (CeSeNA) December 24, 2012 20 / 1
  • 21. Writing shellcodes Data reference IV Generic Way You can pop the string in hex format over the stack. The stack pointer is then the string reference. 1 push 0 x 0 0 0 a 4 1 4 e ; 0 x00 , 0 x0a , ’AN ’ 2 push 0 x65536543 ; ’ eSeC ’ 3 mov ebx , e s p ; now ebx c o n t a i n s t h e s t r i n g r e f e r e n c e 4 ; ... (CeSeNA) December 24, 2012 21 / 1
  • 22. Writing shellcodes Data reference V Exercise 2: print on stdout Get the exercise skeleton. Understand the code Write your own message (CeSeNA) December 24, 2012 22 / 1
  • 23. Writing shellcodes Execute a program 1 unistd 64 . h 2 #d e f i n e N R e x e c v e 59 3 syscall .h 4 i n t k e r n e l e x e c v e ( const char ∗ filename , 5 const char ∗ const argv [ ] , 6 c o n s t c h a r ∗ c o n s t envp [ ] ) ; Exercise 3: A real shellcode, exec a shell! 4 HaXoRs 4 g33k 4 n00bz (CeSeNA) December 24, 2012 23 / 1
  • 24. Writing shellcodes Reverse shell I One shellcode to rule them all Step to execute: 1 Open a socket to the attacker server. 2 Duplicate the socket file descriptor into 0 and 1 (and optionally 2). 3 Exec a shell. Step1: Create a socket The standard procedure involves socket creation and connection. socket() and connect() syscalls. The sockaddr in structure requires port in network byte order (htons()) and ip address in numeric form (inet pton()). The usual sockaddr in size is 16. (CeSeNA) December 24, 2012 24 / 1
  • 25. Writing shellcodes Reverse shell II 1 l o n g s y s s o c k e t ( i n t domain , 2 i n t type , 3 int protocol ) ; 4 l o n g s y s c o n n e c t ( i n t fd , 5 s t r u c t sockaddr user ∗, 6 int addrlen ) ; 1 struct sockaddr in { 2 short s i n f a m i l y ; // AF INET 3 unsigned short s i n p o r t ; // n e t w o r k o r d e r ( h t o n s ( ) ) 4 struct in addr s i n a d d r ; // As 32 b i t 5 char sin zero [8]; 6 }; (CeSeNA) December 24, 2012 25 / 1
  • 26. Writing shellcodes Reverse shell III Step2: Duplicate the file descriptor The return value of socket() is the file descriptor. The syscall dup2() copy the file descriptor and close the destination. dup2(fd, 0); dup2(fd, 1), dup2(fd, 2); 1 long sys dup2 ( unsigned i n t oldfd , 2 u n s i g n e d i n t newfd ) (CeSeNA) December 24, 2012 26 / 1
  • 27. Writing shellcodes Reverse shell IV Step3: Exec a shell Already seen ;) Exercise 4: Reverse shelling Remember to open a server listening into a known address! E.g.: nc -l -p 1234, preparing reverse shell for 127.0.0.1:1234 4 HaXoRs 4 g33k 4 n00bz (CeSeNA) December 24, 2012 27 / 1
  • 28. Writing shellcodes Shellcode optimization Why optimization? When writing a shellcode, you must consider various factors. The most important are: 1 How the vulnerable program receives the payload. 2 How long the payload can be. The previous exercise solutions, for instance, are not suitable in most cases. The next slides will discuss about the NULL byte presence. About the payload length, it’s all about the exploiter expertise. (CeSeNA) December 24, 2012 28 / 1
  • 29. Writing shellcodes String payload zero-bytes problem If the payload is red as a string, C interprets a zero byte as string terminator, cutting the shellcode. Zero-bytes presence is caused by data and addresses: mov rax, 11h is equivalent to mov rax, 0000000000000011h. lea rax, [rel message] is equivalent to lea rax, [rip + 0000. . . xxh]. execve for instance, requires a null terminated string and some null parameters. Solutions are quite straightforward: Use xor operation to zero a register. Use when possible smaller part of registers (e.g.: rax → eax → ax → [ah,al]) Use add operation: immediate operators are not expanded. Place not-null marker in strings and substitute them inside the code. When using relative addressing, place the message above: offset will be negative [?]. (CeSeNA) December 24, 2012 29 / 1
  • 30. Writing shellcodes Zero-byte removal example ; S e t r a x = 60 h ; S e t t o 0 a mem a r e a xor rax , rax n u l l db ’ x x x x ’ mov a l , 60 x o r rbx , r b x mov [ r e l n u l l ] , ebx ; S e t r d i = 12 h xor rdi , r d i ; terminate s t r i n g with 0 add r d i , 12 h message db ’ CeSeNA ’ , ’ x ’ x o r rbx , r b x l e a r d i , [ r e l message ] mov [ r d i +7] , b l ; Negative refe rence message db ’ CeSeNA ’ , ’ x ’ l e a r d i , [ r e l message ] (CeSeNA) December 24, 2012 30 / 1
  • 31. Writing shellcodes References (CeSeNA) December 24, 2012 31 / 1