SlideShare a Scribd company logo

Shellcode injection

Dhaval Kapil
Dhaval Kapil

A talk about injecting shellcode in a binary vulnerable to buffer overflow as well as bypassing ASLR(Address Space Layout Randomization)

Technology
1 of 26
Download to read offline
Shellcode Injection by Overflowing the Buffer and bypassing ASLR
● mount ● umount ● su ● sudo ● ping ● passwd
All are SUID binaries -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping Execute with root permissions even when run by non-root users
char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability Exploiting to execute your own code with root access!
@dhaval_kapil B. Tech Computer Science and Engineering Department IIT Roorkee DHAVAL KAPIL
Memory Layout of a C Program http://i.stack.imgur.com/1Yz9K.gif
Some Common Registers 1. %eip: instruction pointer register 2. %esp: stack pointer register 3. %ebp: base pointer register
Stack Layout
Overflowing the Buffer Overwriting return address char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability
<return address> < %ebp > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ‘target’ points here Space allocated for ‘target’ Overwrite this STACK
● gets() ● scanf() ● sprintf() ● strcpy() ● strcat()
SHELLCODE INJECTION Make vulnerable programs execute your own code
Three step procedure: 1. Crafting Shellcode 2. Injecting Shellcode 3. Modify Execution Flow - Run the Shellcode
CRAFTING SHELLCODE ● Need to craft the compiled machine code ● Steps: ○ Write assembly code ○ Assemble this code ○ Extract bytes from machine code
x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex8 9xe3x50x89xe2x53x89xe1xb0x0bxcdx80
INJECTING SHELLCODE ● Input taken by the program ● External files read by the program ● Arguments to the program Somehow the shellcode injected should be loaded into the memory of the program with guessable addresses
TRANSFER EXECUTION FLOW ● Overwrite return address by overflowing the buffer ● Overwrite .got.plt/.fini_array section using a format string vulnerability Make any of these addresses point to your shellcode
<Address of target> random bytes - - - - random bytes random bytes random bytes shellcode - - - - shellcode shellcode ‘target’ points here Space allocated for ‘target’ STACK return address %ebp
Address of ‘target’ on the stack can be found using debuggers like gdb To prevent such attacks, modern operating systems implement ASLR
ASLR Address Space Layout Randomization ● Memory protection process ● Randomizes the location where executables are loaded in memory ● Nearly impossible to guess addresses on stack ● Probability of hitting a random address = 5.96046448e-8
NOP Sled ● Sequence of NOP(No-OPeration) instructions x90x90x90x90x90x90x90x90x90x90x90 ● ‘Slides’ CPU’s execution flow forward
Idea: ● payload = NOP sled(size n) + shellcode x90x90x90x90…x90 [SHELLCODE] ● Probability of success rate while attacking = n * 5.96046448 e-8 Bypassing ASLR
Size of NOP Sled Probability of shellcode execution Average no of tries needed to succeed once 40 2.384185e-06 419431 100 5.960464e-06 167773 500 2.980232e-05 33555 1000 5.960464e-05 16778 10000 5.960464e-04 1678 100000 5.960464e-03 168
● Inject payload in environment variable ● Not much restriction on size. Strings of order 100000 can be stored ● Environment variables are pushed on stack Bypassing payload size restriction
DEMO
Q & A Further Reading https://dhavalkapil.com/blogs/Shellcode-Injection/ Slides https://speakerdeck.com/dhavalkapil

Recommended

Demystifying the Microsoft Extended FAT File System (exFAT)
Demystifying the Microsoft Extended FAT File System (exFAT)Demystifying the Microsoft Extended FAT File System (exFAT)
Demystifying the Microsoft Extended FAT File System (exFAT)overcertified
 
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVER
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVERTriển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVER
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVERlaonap166
 
Cap mang (network cable)
Cap mang (network cable)Cap mang (network cable)
Cap mang (network cable)np_thanh
 
--De cuong on tap hdh
--De cuong on tap hdh --De cuong on tap hdh
--De cuong on tap hdhBùi Văn Thiệu
 
Chapitre 3.pdf
Chapitre 3.pdfChapitre 3.pdf
Chapitre 3.pdfYounesAziz3
 
Automata slide DHBKHCM [S2NUCE.blogspot.com]
Automata slide DHBKHCM [S2NUCE.blogspot.com]Automata slide DHBKHCM [S2NUCE.blogspot.com]
Automata slide DHBKHCM [S2NUCE.blogspot.com]Tran Quyet
 
Data Center
Data CenterData Center
Data Centerdhana1663
 
Kiểm Thử Junit
Kiểm Thử Junit Kiểm Thử Junit
Kiểm Thử Junit Thanh Huong
 

Recommended

Demystifying the Microsoft Extended FAT File System (exFAT)
Demystifying the Microsoft Extended FAT File System (exFAT)Demystifying the Microsoft Extended FAT File System (exFAT)
Demystifying the Microsoft Extended FAT File System (exFAT)overcertified
 
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVER
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVERTriển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVER
Triển khai hệ thống mail cho doanh nghiệp với KERIO MAIL SERVERlaonap166
 
Cap mang (network cable)
Cap mang (network cable)Cap mang (network cable)
Cap mang (network cable)np_thanh
 
--De cuong on tap hdh
--De cuong on tap hdh --De cuong on tap hdh
--De cuong on tap hdhBùi Văn Thiệu
 
Chapitre 3.pdf
Chapitre 3.pdfChapitre 3.pdf
Chapitre 3.pdfYounesAziz3
 
Automata slide DHBKHCM [S2NUCE.blogspot.com]
Automata slide DHBKHCM [S2NUCE.blogspot.com]Automata slide DHBKHCM [S2NUCE.blogspot.com]
Automata slide DHBKHCM [S2NUCE.blogspot.com]Tran Quyet
 
Data Center
Data CenterData Center
Data Centerdhana1663
 
Kiểm Thử Junit
Kiểm Thử Junit Kiểm Thử Junit
Kiểm Thử Junit Thanh Huong
 
Python code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational AgentsPython code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational AgentsADDI AI 2050
 
Giáo trình vb.net
Giáo trình vb.netGiáo trình vb.net
Giáo trình vb.netHung Pham
 
Linux và mã nguồn mở
Linux và mã nguồn mởLinux và mã nguồn mở
Linux và mã nguồn mởNguyễn Anh
 
Hệ điều hành (chương 4)
Hệ điều hành (chương 4)Hệ điều hành (chương 4)
Hệ điều hành (chương 4)realpotter
 
van Emde Boas trees
van Emde Boas treesvan Emde Boas trees
van Emde Boas treesBenjamin Sach
 
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành nataliej4
 
Đề tài Quản lý tiền điện
Đề tài Quản lý tiền điệnĐề tài Quản lý tiền điện
Đề tài Quản lý tiền điệnDịch vụ viết thuê Khóa Luận - ZALO 0932091562
 
Quan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linuxQuan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linuxThu Lam
 
Dld ppt
Dld pptDld ppt
Dld pptSharad Institute of Technology,college of Engineering,Yadrav
 
Modular Data Center Design
Modular Data Center DesignModular Data Center Design
Modular Data Center DesignConsultingSpecifyingEngineer
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketjackjohn45
 
What are the types of data centers
What are the types of data centersWhat are the types of data centers
What are the types of data centersLivin Jose
 
Giáo trình quản lý dự án
Giáo trình quản lý dự ánGiáo trình quản lý dự án
Giáo trình quản lý dự ánNguyễn Ngọc Phan Văn
 
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...MasterCode.vn
 
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hocLuan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hocDuc Nguyen
 
firewall
firewallfirewall
firewallKim Chan
 
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt ĐứcGiải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức3c telecom
 
[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hop[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hopMay Trang
 
120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_sv120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_svTin Thấy
 
Mẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớnMẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớnJohn MacTavish
 
Exploitation
ExploitationExploitation
ExploitationSecurity B-Sides
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode masteringPositive Hack Days
 

More Related Content

What's hot

Python code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational AgentsPython code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational AgentsADDI AI 2050
 
Giáo trình vb.net
Giáo trình vb.netGiáo trình vb.net
Giáo trình vb.netHung Pham
 
Linux và mã nguồn mở
Linux và mã nguồn mởLinux và mã nguồn mở
Linux và mã nguồn mởNguyễn Anh
 
Hệ điều hành (chương 4)
Hệ điều hành (chương 4)Hệ điều hành (chương 4)
Hệ điều hành (chương 4)realpotter
 
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành nataliej4
 
Quan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linuxQuan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linuxThu Lam
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketjackjohn45
 
What are the types of data centers
What are the types of data centersWhat are the types of data centers
What are the types of data centersLivin Jose
 
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...MasterCode.vn
 
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hocLuan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hocDuc Nguyen
 
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt ĐứcGiải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức3c telecom
 
[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hop[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hopMay Trang
 
120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_sv120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_svTin Thấy
 
Mẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớnMẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớnJohn MacTavish
 

What's hot (20)

Python code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational AgentsPython code for Artificial Intelligence: Foundations of Computational Agents
Python code for Artificial Intelligence: Foundations of Computational Agents
 
Giáo trình vb.net
Giáo trình vb.netGiáo trình vb.net
Giáo trình vb.net
 
Linux và mã nguồn mở
Linux và mã nguồn mởLinux và mã nguồn mở
Linux và mã nguồn mở
 
Hệ điều hành (chương 4)
Hệ điều hành (chương 4)Hệ điều hành (chương 4)
Hệ điều hành (chương 4)
 
van Emde Boas trees
van Emde Boas treesvan Emde Boas trees
van Emde Boas trees
 
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
Bài Giảng Quản Lý Tiến Trình Trong Hệ Điều Hành
 
Đề tài Quản lý tiền điện
Đề tài Quản lý tiền điệnĐề tài Quản lý tiền điện
Đề tài Quản lý tiền điện
 
Quan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linuxQuan ly bo nho ngoai trong linux
Quan ly bo nho ngoai trong linux
 
Dld ppt
Dld pptDld ppt
Dld ppt
 
Modular Data Center Design
Modular Data Center DesignModular Data Center Design
Modular Data Center Design
 
Lập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socketLập trình chương trình chat room sử dụng giao thức tcp socket
Lập trình chương trình chat room sử dụng giao thức tcp socket
 
What are the types of data centers
What are the types of data centersWhat are the types of data centers
What are the types of data centers
 
Giáo trình quản lý dự án
Giáo trình quản lý dự ánGiáo trình quản lý dự án
Giáo trình quản lý dự án
 
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
Bài 2: Lập trình hướng đối tượng & Collection - Lập trình winform - Giáo trìn...
 
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hocLuan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
Luan van xay_dung_he_thong_mang_lan_cho_truong_dai_hoc
 
firewall
firewallfirewall
firewall
 
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt ĐứcGiải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
Giải pháp kỹ thuật mạng LAN - Bệnh viện Việt Đức
 
[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hop[123doc] mo-hinh-thuc-the-moi-ket-hop
[123doc] mo-hinh-thuc-the-moi-ket-hop
 
120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_sv120 cau mon quan tri mang public_sv
120 cau mon quan tri mang public_sv
 
Mẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớnMẫu báo cáo bài tập lớn
Mẫu báo cáo bài tập lớn
 

Viewers also liked

Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesEran Goldstein
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationQuinn Wilton
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneDefconRussia
 
Manual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerManual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerTelefónica
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Sumutiu Marius
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Internet Security Auditors
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.Sumutiu Marius
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionGeorg Wicherski
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassemblingHarsh Daftary
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodesAmr Ali
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAbhineet Ayan
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode ExecutionRyan Wincey
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycZ Chen
 

Viewers also liked (20)

Exploitation
ExploitationExploitation
Exploitation
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Dns security
Dns securityDns security
Dns security
 
One Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform ExploitationOne Shellcode to Rule Them All: Cross-Platform Exploitation
One Shellcode to Rule Them All: Cross-Platform Exploitation
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Manual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT BrokerManual de integración de Latch en Mosquito MQTT Broker
Manual de integración de Latch en Mosquito MQTT Broker
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.
 
DLL Injection
DLL InjectionDLL Injection
DLL Injection
 
DNS
DNSDNS
DNS
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineering
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
 

Similar to Shellcode injection

Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging BasicsBala Subra
 
Automate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform AttackAutomate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform AttackAbhishek BV
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance毅 吕
 
php & performance
php & performance php & performance
php & performancesimon8410
 
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Svetlana Gaivoronski
 
JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsBrendan Gregg
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits Raleigh ISSA
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementationnkslides
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniquesVitaly Nikolenko
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits BVBA (freelancer)
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production OverviewDelve Labs
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Elvin Gentiles
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
Qore for the Perl Programmer
Qore for the Perl ProgrammerQore for the Perl Programmer
Qore for the Perl ProgrammerBrett Estrade
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Pluginsamiable_indian
 
Perl at SkyCon'12
Perl at SkyCon'12Perl at SkyCon'12
Perl at SkyCon'12Tim Bunce
 

Similar to Shellcode injection (20)

Back to the CORE
Back to the COREBack to the CORE
Back to the CORE
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
Driver Debugging Basics
Driver Debugging BasicsDriver Debugging Basics
Driver Debugging Basics
 
Automate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform AttackAutomate Payload Generation for a Given Binary and Perform Attack
Automate Payload Generation for a Given Binary and Perform Attack
 
PHP & Performance
PHP & PerformancePHP & Performance
PHP & Performance
 
php & performance
php & performance php & performance
php & performance
 
Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86Shellcodes for ARM: Your Pills Don't Work on Me, x86
Shellcodes for ARM: Your Pills Don't Work on Me, x86
 
JavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame GraphsJavaOne 2015 Java Mixed-Mode Flame Graphs
JavaOne 2015 Java Mixed-Mode Flame Graphs
 
2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits 2011-03 Developing Windows Exploits
2011-03 Developing Windows Exploits
 
Exploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET ImplementationExploiting the Linux Kernel via Intel's SYSRET Implementation
Exploiting the Linux Kernel via Intel's SYSRET Implementation
 
Linux SMEP bypass techniques
Linux SMEP bypass techniquesLinux SMEP bypass techniques
Linux SMEP bypass techniques
 
AllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW SecurityAllBits presentation - Lower Level SW Security
AllBits presentation - Lower Level SW Security
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
 
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
Smash the Stack: Writing a Buffer Overflow Exploit (Win32)
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
Cuda debugger
Cuda debuggerCuda debugger
Cuda debugger
 
Qore for the Perl Programmer
Qore for the Perl ProgrammerQore for the Perl Programmer
Qore for the Perl Programmer
 
Writing Metasploit Plugins
Writing Metasploit PluginsWriting Metasploit Plugins
Writing Metasploit Plugins
 
Perl at SkyCon'12
Perl at SkyCon'12Perl at SkyCon'12
Perl at SkyCon'12
 

Recently uploaded

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGSujit Pal
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 

Recently uploaded (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Google AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAGGoogle AI Hackathon: LLM based Evaluator for RAG
Google AI Hackathon: LLM based Evaluator for RAG
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 

Shellcode injection

  • 1. Shellcode Injection by Overflowing the Buffer and bypassing ASLR
  • 2. ● mount ● umount ● su ● sudo ● ping ● passwd
  • 3. All are SUID binaries -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping Execute with root permissions even when run by non-root users
  • 4. char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability Exploiting to execute your own code with root access!
  • 5. @dhaval_kapil B. Tech Computer Science and Engineering Department IIT Roorkee DHAVAL KAPIL
  • 6. Memory Layout of a C Program http://i.stack.imgur.com/1Yz9K.gif
  • 7. Some Common Registers 1. %eip: instruction pointer register 2. %esp: stack pointer register 3. %ebp: base pointer register
  • 9. Overflowing the Buffer Overwriting return address char target[100]; strcpy(target, source); // Unrestricted copy - buffer overflow vulnerability
  • 10. <return address> < %ebp > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ‘target’ points here Space allocated for ‘target’ Overwrite this STACK
  • 11. ● gets() ● scanf() ● sprintf() ● strcpy() ● strcat()
  • 12. SHELLCODE INJECTION Make vulnerable programs execute your own code
  • 13. Three step procedure: 1. Crafting Shellcode 2. Injecting Shellcode 3. Modify Execution Flow - Run the Shellcode
  • 14. CRAFTING SHELLCODE ● Need to craft the compiled machine code ● Steps: ○ Write assembly code ○ Assemble this code ○ Extract bytes from machine code
  • 16. INJECTING SHELLCODE ● Input taken by the program ● External files read by the program ● Arguments to the program Somehow the shellcode injected should be loaded into the memory of the program with guessable addresses
  • 17. TRANSFER EXECUTION FLOW ● Overwrite return address by overflowing the buffer ● Overwrite .got.plt/.fini_array section using a format string vulnerability Make any of these addresses point to your shellcode
  • 18. <Address of target> random bytes - - - - random bytes random bytes random bytes shellcode - - - - shellcode shellcode ‘target’ points here Space allocated for ‘target’ STACK return address %ebp
  • 19. Address of ‘target’ on the stack can be found using debuggers like gdb To prevent such attacks, modern operating systems implement ASLR
  • 20. ASLR Address Space Layout Randomization ● Memory protection process ● Randomizes the location where executables are loaded in memory ● Nearly impossible to guess addresses on stack ● Probability of hitting a random address = 5.96046448e-8
  • 21. NOP Sled ● Sequence of NOP(No-OPeration) instructions x90x90x90x90x90x90x90x90x90x90x90 ● ‘Slides’ CPU’s execution flow forward
  • 22. Idea: ● payload = NOP sled(size n) + shellcode x90x90x90x90…x90 [SHELLCODE] ● Probability of success rate while attacking = n * 5.96046448 e-8 Bypassing ASLR
  • 23. Size of NOP Sled Probability of shellcode execution Average no of tries needed to succeed once 40 2.384185e-06 419431 100 5.960464e-06 167773 500 2.980232e-05 33555 1000 5.960464e-05 16778 10000 5.960464e-04 1678 100000 5.960464e-03 168
  • 24. ● Inject payload in environment variable ● Not much restriction on size. Strings of order 100000 can be stored ● Environment variables are pushed on stack Bypassing payload size restriction
  • 25. DEMO
  • 26. Q & A Further Reading https://dhavalkapil.com/blogs/Shellcode-Injection/ Slides https://speakerdeck.com/dhavalkapil