SlideShare una empresa de Scribd logo

One Shellcode to Rule Them All: Cross-Platform Exploitation

Q
Quinn Wilton

As the internet of things becomes less a buzzword, and more a reality, we're noticing that it's growing increasingly common to see embedded software which runs across different architectures -whether that's the same router firmware running across different models, or the operating system for a smart TV being used by different manufacturers. In a world where even your toaster might have internet access, we suspect that the ability to write cross-platform shellcode is going transition from being a merely neat trick, to a viable tool for attackers. Writing cross-platform shellcode is tough, but there's a few techniques you can use to simplify the problem. We discuss one such method, which we used to great success during the DEFCON CTF qualifiers this year. Presented by Tinfoil Security founder Michael Borohovski and engineer Shane Wilton at Secuinside 2014, in Seoul. https://www.tinfoilsecurity.com/blog/cross-platform-exploitation

Tecnología
1 de 22
Descargar para leer sin conexión
One Shellcode To Rule Them All.
Who are we • Michael “Borski” Borohovski • Co-Founder / CTO @ Tinfoil Security • Member of “Samurai” CTF team • MIT Computer Science • Hacking since 13, won Defcon 20 CTF • Shane “ShaneWilton” Wilton • Engineer @ Tinfoil Security • Member of “Samurai” CTF team • University of Waterloo Computer Science • Hacking since he was just a wee little baby
Who are we • Best web application scanner on the market • Focused on Dev. and DevOps integrations • Empower developers to find and fix vulnerabilities before they’re deployed • Enable security teams to focus on the hard problems • Email secuinside@tinfoilsecurity.com for 2 free months
What is shellcode? • Small piece of (assembled) code used as payload to exploit a vulnerability • Common goals • Launch a shell • Read a file • Stage a larger payload • ??? • Lots of public examples of shellcode • Shell-storm, metasploit, etc.
Why write your own? • Often you need to perform unique actions. • Unlock a door, call out to a different binary, etc. • May have unique constraints • Can’t contain the $ character • Only alphanumeric characters • Runs under both little and big endian (Dalvik?) • Fun!
How do you write shellcode? • Learn the system calls for your platform • Man pages are your friend • Start simple, then build more complexity • First, just call the _exit syscall • Then, “hello world” followed by _write followed by _exit • … • Familiarize yourself with different calling conventions • x86 - cdecl, fastcall, etc. • PowerPC - registers • SPARC - register windows ● Have fun with this one, because we didn’t • Most importantly…
How do you write shellcode? • Comment • Comment • Comment • Commenting with ; is your best friend • If you think understanding your Ruby code a month later is tough, try deciphering shellcode you’ve optimized to fit into a tiny buffer
Why is multiplatform shellcode useful? • Deploy once, pwn always • Consider the recent futex bug • Allowed for priv. esc. on linux • The original proof of concept (PoC) was for x86 • Geohot used the bug to root an android phone (ARM) • Theoretically, a multi-platform payload could root any linux device • Difficult to probe architectures in the wild • Same version of software can run on completely different architectures • Common with routers, smart devices, etc. • Guess wrong, and the target crashes • Crashes lead to detection
Why is multiplatform shellcode useful? • Malware (but that’s bad, don’t do it!) • Internet of things – everything connected, built differently, lots of cheap hardware choices • “100,000 Refrigerators and other home appliances hacked to perform cyber attack” • Internet census 2012 attacked 1.2M devices • Exploit/binary targeted 9 different platforms/architectures.
Compiling your pieces • QEMU or Virtual Machine (VMWare, Parallels, etc.) • Write shellcode once • Load image for desired architecture in QEMU • qemu-img create -f qcow2 linuxppc.qcow2 5G • qemu-system-ppc -hda linuxppc.qcow2 -cdrom debian-ppc.iso -boot d -m 512 • Use nasm to assemble once in qemu • nasm –f bin shellcode.asm
Compiling your pieces • Capstone • Programmable disassembly framework • http://www.capstone-engine.org/ • Arm, Arm64 (Armv8), Mips, PowerPC, SPARC, SystemZ, XCore & Intel • Written in C but bindings for Ruby, Python, etc. • Useful for seeing how opcodes disassemble in different architectures • Same opcode under different architectures lead to different behaviors • Take shellcode, print out disassembly for ARM, PPC, X86, etc.
• Different architectures require different payloads • Each architecture has its own nuances • x86 has variable length instructions • SPARC has fixed-length 32-bit instructions • Shellcode must not crash on any platform • We have three goals • Write payloads for each architecture • Determine the architecture of the CPU • Jump to the payload for that architecture • How do we determine the architecture of the CPU? Multi-Platform Payloads
• The same bytes decode to different instructions on different architectures • A jump instruction on x86 might be a NOP on PowerPC • Example - “x37x37xebx78” • x86 • aaa; aaa; jmp 116+4 • MIPS • ori $s7, $t9, 0xeb78 • SPARC • sethi %hi(0xdfade000), %i3 CPU Switch Header
• Needs to jump in one architecture, and be NOP-like in all others • Can’t crash any architectures • Can’t modify PC • We don’t care about most other register state • Most architectures encode branch instructions in predictable formats. • SPARC - 00-a-bbbbb-010-<22-bit offset> • a - 1-bit annulment flag • bbbbb - 5-bit condition • We can fuzz all of the possible branch instructions! Finding “switch” instructions
• Compute all of the branch instructions for an architecture • Use Capstone to decode them in all other targeted architectures • Look for instructions which decode harmlessly in most other architectures • Easier than it sounds! • We structure our switch-table like an onion • “Peel” off an architecture with each instruction • i.e. an instruction can’t crash MIPS, if MIPS has already jumped to its payload by that point Choosing Jump Candidates
• Consider the case on two architectures, A and B • Let IA and IB be the sets of possible branch instructions for A and B • IA = {a1 , a2 , a3 } • IB = {b1 , b2 , b3 } • Let Din be the set of dependencies for instruction in • i.e. if a1 crashes on architecture B then Da1 = IB • We need an instruction from IA and an instruction from IB such that there exists an evaluation order which resolves all dependencies • Called a topological ordering on the dependency graph Dependency Resolution
1. Let S be the cartesian product of the sets of branch instructions 2. For each s ∈ S = (a, b, c, …) a. Construct a graph G with vertex set given by the elements of s b. Create a directed edge from vertex i to vertex j if instruction i crashes under the architecture for which j originates from c. Check for a topological ordering on G i. If one exists, return it, we are done ii. Otherwise, continue 3. If no ordering exists, we need to be clever a. Consider multi-stage payloads which split the targeted architectures into more manageable groupings Algorithmically…
• Polyglot @ DEFCON 22 CTF Quals • Construct a payload which reads a flag on x86, ARMEL (little endian), ARMEB (big endian), and PPC • The dependencies are resolvable as: • x86 -> PPC -> ARMEB -> ARMEL • tsort can do most of this work from the command-line! Putting It Together 73 12 00 00 48 00 01 70 9A 00 00 40 13 00 00 EA x86 jae 0x14 - - - PPC andi r1, r0, 72 bdnzfa- lt, 0x98 - - ARMEB tstvc r2, #0 stmdami r0, ... bls 0x110 - ARMEL ... ... ... b 0x60
• Each architecture is jumping to a different point, so we can simply insert our platform-specific shellcode at the correct offsets • Note the strange instructions • 48 00 01 70 -> bdnzfa- lt, 0x98 • Not a terribly useful instruction, but acts like a simple branch in our case • You just owned four different platforms with one payload • Congratulations! Putting It Together Cont.
• Hardware is becoming more and more varied, and will only get further fragmented over time • Knowing and being able to fingerprint one architecture will become a thing of the past • Writing one payload that works across many architectures was once a luxury, but is quickly becoming a requirement for launching attacks in the wild To sum it all up
• Basic idea: set up a jump table at the beginning of your shellcode, with one architecture falling through with each instruction • Find jmp/branch instructions in one architecture that are NOPs or NOP-like instructions in all others you’re targeting • To automate this search, you can reduce the problem to one of dependency resolution To sum it all up
감사합니다

Recomendados

ゲームインフラコンテナ実践導入
ゲームインフラコンテナ実践導入ゲームインフラコンテナ実践導入
ゲームインフラコンテナ実践導入
Hiroki Tamiya
 
Zararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
Zararlı Yazılım Analizi ve Tespitinde YARA KullanımıZararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
Zararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
BGA Cyber Security
 
Metasploitでペネトレーションテスト
MetasploitでペネトレーションテストMetasploitでペネトレーションテスト
Metasploitでペネトレーションテスト
super_a1ice
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Beyaz Şapkalı Hacker başlangıç noktası eğitimi
Beyaz Şapkalı Hacker başlangıç noktası eğitimiBeyaz Şapkalı Hacker başlangıç noktası eğitimi
Beyaz Şapkalı Hacker başlangıç noktası eğitimi
Kurtuluş Karasu
 
Siber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiSiber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı Sistemi
BGA Cyber Security
 
Open Source SOC Kurulumu
Open Source SOC KurulumuOpen Source SOC Kurulumu
Open Source SOC Kurulumu
BGA Cyber Security
 
SIZMA TESTLERİNDE BİLGİ TOPLAMA
SIZMA TESTLERİNDE BİLGİ TOPLAMASIZMA TESTLERİNDE BİLGİ TOPLAMA
SIZMA TESTLERİNDE BİLGİ TOPLAMA
BGA Cyber Security
 

Recomendados

ゲームインフラコンテナ実践導入
ゲームインフラコンテナ実践導入ゲームインフラコンテナ実践導入
ゲームインフラコンテナ実践導入
Hiroki Tamiya
 
Zararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
Zararlı Yazılım Analizi ve Tespitinde YARA KullanımıZararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
Zararlı Yazılım Analizi ve Tespitinde YARA Kullanımı
BGA Cyber Security
 
Metasploitでペネトレーションテスト
MetasploitでペネトレーションテストMetasploitでペネトレーションテスト
Metasploitでペネトレーションテスト
super_a1ice
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 3
BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Beyaz Şapkalı Hacker başlangıç noktası eğitimi
Beyaz Şapkalı Hacker başlangıç noktası eğitimiBeyaz Şapkalı Hacker başlangıç noktası eğitimi
Beyaz Şapkalı Hacker başlangıç noktası eğitimi
Kurtuluş Karasu
 
Siber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı SistemiSiber Saldırılar i̇çin Erken Uyarı Sistemi
Siber Saldırılar i̇çin Erken Uyarı Sistemi
BGA Cyber Security
 
Open Source SOC Kurulumu
Open Source SOC KurulumuOpen Source SOC Kurulumu
Open Source SOC Kurulumu
BGA Cyber Security
 
SIZMA TESTLERİNDE BİLGİ TOPLAMA
SIZMA TESTLERİNDE BİLGİ TOPLAMASIZMA TESTLERİNDE BİLGİ TOPLAMA
SIZMA TESTLERİNDE BİLGİ TOPLAMA
BGA Cyber Security
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
BGA Cyber Security
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
BTRisk Bilgi Güvenliği ve BT Yönetişim Hizmetleri
 
Linux101
Linux101Linux101
Linux101
MURAT ARSLAN
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El Kitabı
BGA Cyber Security
 
Web Uygulama Güven(siz)liği
Web Uygulama Güven(siz)liğiWeb Uygulama Güven(siz)liği
Web Uygulama Güven(siz)liği
BGA Cyber Security
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
PRISMA CSI
 
高負荷に耐えうるWeb application serverの作り方
高負荷に耐えうるWeb application serverの作り方高負荷に耐えうるWeb application serverの作り方
高負荷に耐えうるWeb application serverの作り方
yuta-ishiyama
 
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
NTT DATA Technology & Innovation
 
Siber Tehdit Avcılığı (Threat Hunting)
Siber Tehdit Avcılığı (Threat Hunting)Siber Tehdit Avcılığı (Threat Hunting)
Siber Tehdit Avcılığı (Threat Hunting)
BGA Cyber Security
 
AWSスポットインスタンスの真髄
AWSスポットインスタンスの真髄AWSスポットインスタンスの真髄
AWSスポットインスタンスの真髄
外道 父
 
Ruby - Dünyanın En Güzel Programlama Dili
Ruby - Dünyanın En Güzel Programlama DiliRuby - Dünyanın En Güzel Programlama Dili
Ruby - Dünyanın En Güzel Programlama Dili
Serdar Dogruyol
 
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik TemelleriBeyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
PRISMA CSI
 
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Ahmet Gürel
 
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Koichi Fujikawa
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
BGA Cyber Security
 
FPGA, AI, エッジコンピューティング
FPGA, AI, エッジコンピューティングFPGA, AI, エッジコンピューティング
FPGA, AI, エッジコンピューティング
Hideo Terada
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
BGA Cyber Security
 
WannaCry - NotPetya Olayları
WannaCry - NotPetya OlaylarıWannaCry - NotPetya Olayları
WannaCry - NotPetya Olayları
Alper Başaran
 
ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回
Naoyuki Yamada
 
Unified JVM Logging
Unified JVM LoggingUnified JVM Logging
Unified JVM Logging
Yuji Kubota
 
Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
Dhaval Kapil
 

Más contenido relacionado

La actualidad más candente

Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Koichi Fujikawa
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
BGA Cyber Security
 

La actualidad más candente (20)

Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
 
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
Uygulamali Sizma Testi (Pentest) Egitimi Sunumu - 1
 
Linux101
Linux101Linux101
Linux101
 
Metasploit El Kitabı
Metasploit El KitabıMetasploit El Kitabı
Metasploit El Kitabı
 
Web Uygulama Güven(siz)liği
Web Uygulama Güven(siz)liğiWeb Uygulama Güven(siz)liği
Web Uygulama Güven(siz)liği
 
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit AşamasıBeyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
Beyaz Şapkalı Hacker CEH Eğitimi - Post Exploit Aşaması
 
高負荷に耐えうるWeb application serverの作り方
高負荷に耐えうるWeb application serverの作り方高負荷に耐えうるWeb application serverの作り方
高負荷に耐えうるWeb application serverの作り方
 
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
9/14にリリースされたばかりの新LTS版Java 17、ここ3年間のJavaの変化を知ろう!(Open Source Conference 2021 O...
 
Siber Tehdit Avcılığı (Threat Hunting)
Siber Tehdit Avcılığı (Threat Hunting)Siber Tehdit Avcılığı (Threat Hunting)
Siber Tehdit Avcılığı (Threat Hunting)
 
AWSスポットインスタンスの真髄
AWSスポットインスタンスの真髄AWSスポットインスタンスの真髄
AWSスポットインスタンスの真髄
 
Ruby - Dünyanın En Güzel Programlama Dili
Ruby - Dünyanın En Güzel Programlama DiliRuby - Dünyanın En Güzel Programlama Dili
Ruby - Dünyanın En Güzel Programlama Dili
 
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik TemelleriBeyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
Beyaz Şapkalı Hacker CEH Eğitimi - Siber Güvenlik Temelleri
 
Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)Man in the Middle Atack (Ortadaki Adam Saldırısı)
Man in the Middle Atack (Ortadaki Adam Saldırısı)
 
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
Amazon Redshiftの開発者がこれだけは知っておきたい10のTIPS / 第18回 AWS User Group - Japan
 
Bilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma TestleriBilgi Güvenliğinde Sızma Testleri
Bilgi Güvenliğinde Sızma Testleri
 
FPGA, AI, エッジコンピューティング
FPGA, AI, エッジコンピューティングFPGA, AI, エッジコンピューティング
FPGA, AI, エッジコンピューティング
 
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
Beyaz Şapkalı Hacker CEH Eğitimi - Bölüm 4, 5, 6
 
WannaCry - NotPetya Olayları
WannaCry - NotPetya OlaylarıWannaCry - NotPetya Olayları
WannaCry - NotPetya Olayları
 
ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回ElasticSearch勉強会 第6回
ElasticSearch勉強会 第6回
 
Unified JVM Logging
Unified JVM LoggingUnified JVM Logging
Unified JVM Logging
 

Destacado

Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
DefconRussia
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Georg Wicherski
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
Amr Ali
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
Z Chen
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
Ryan Wincey
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Michele Orru
 

Destacado (20)

Cisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-oneCisco IOS shellcode: All-in-one
Cisco IOS shellcode: All-in-one
 
Shellcode injection
Shellcode injectionShellcode injection
Shellcode injection
 
Shellcode mastering
Shellcode masteringShellcode mastering
Shellcode mastering
 
Exploitation
ExploitationExploitation
Exploitation
 
Reverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniquesReverse engineering - Shellcodes techniques
Reverse engineering - Shellcodes techniques
 
Software to the slaughter
Software to the slaughterSoftware to the slaughter
Software to the slaughter
 
Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.Design and Implementation of Shellcodes.
Design and Implementation of Shellcodes.
 
The Dark Arts of Hacking.
The Dark Arts of Hacking.The Dark Arts of Hacking.
The Dark Arts of Hacking.
 
Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86 Creacion de shellcodes para Exploits en Linux/x86
Creacion de shellcodes para Exploits en Linux/x86
 
Anatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineeringAnatomy of A Shell Code, Reverse engineering
Anatomy of A Shell Code, Reverse engineering
 
Efficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode DetectionEfficient Bytecode Analysis: Linespeed Shellcode Detection
Efficient Bytecode Analysis: Linespeed Shellcode Detection
 
Linux Shellcode disassembling
Linux Shellcode disassemblingLinux Shellcode disassembling
Linux Shellcode disassembling
 
Design and implementation_of_shellcodes
Design and implementation_of_shellcodesDesign and implementation_of_shellcodes
Design and implementation_of_shellcodes
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
Shellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneycShellcode and heapspray detection in phoneyc
Shellcode and heapspray detection in phoneyc
 
Java Shellcode Execution
Java Shellcode ExecutionJava Shellcode Execution
Java Shellcode Execution
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
 
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit DevelopmentExploit Research and Development Megaprimer: Unicode Based Exploit Development
Exploit Research and Development Megaprimer: Unicode Based Exploit Development
 
Talking about exploit writing
Talking about exploit writingTalking about exploit writing
Talking about exploit writing
 

Similar a One Shellcode to Rule Them All: Cross-Platform Exploitation

Pipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructorPipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructor
Moshe Zioni
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
Alexandre Moneger
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
Peter Hlavaty
 
Open Source Swift Under the Hood
Open Source Swift Under the HoodOpen Source Swift Under the Hood
Open Source Swift Under the Hood
C4Media
 

Similar a One Shellcode to Rule Them All: Cross-Platform Exploitation (20)

Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
Pipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructorPipiot - the double-architecture shellcode constructor
Pipiot - the double-architecture shellcode constructor
 
Bare Metal from a Hardware Perspective: Embedded Frameworks & Build Systems
Bare Metal from a Hardware Perspective: Embedded Frameworks & Build SystemsBare Metal from a Hardware Perspective: Embedded Frameworks & Build Systems
Bare Metal from a Hardware Perspective: Embedded Frameworks & Build Systems
 
Pune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCDPune-Cocoa: Blocks and GCD
Pune-Cocoa: Blocks and GCD
 
Eusecwest
EusecwestEusecwest
Eusecwest
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
 
Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!Ice Age melting down: Intel features considered usefull!
Ice Age melting down: Intel features considered usefull!
 
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
차세대컴파일러, VM의미래: 애플 오픈소스 LLVM
 
The Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast StorageThe Linux Block Layer - Built for Fast Storage
The Linux Block Layer - Built for Fast Storage
 
Steelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with PythonSteelcon 2014 - Process Injection with Python
Steelcon 2014 - Process Injection with Python
 
High-Performance Computing with C++
High-Performance Computing with C++High-Performance Computing with C++
High-Performance Computing with C++
 
Open Source Swift Under the Hood
Open Source Swift Under the HoodOpen Source Swift Under the Hood
Open Source Swift Under the Hood
 
Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015Swift 2 Under the Hood - Gotober 2015
Swift 2 Under the Hood - Gotober 2015
 
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
Patching Windows Executables with the Backdoor Factory | DerbyCon 2013
 
Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4Project Basecamp: News From Camp 4
Project Basecamp: News From Camp 4
 
DevOpsCon 2015 - DevOps in Mobile Games
DevOpsCon 2015 - DevOps in Mobile GamesDevOpsCon 2015 - DevOps in Mobile Games
DevOpsCon 2015 - DevOps in Mobile Games
 
Arduino Platform with C programming.
Arduino Platform with C programming.Arduino Platform with C programming.
Arduino Platform with C programming.
 
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
Nikita Abdullin - Reverse-engineering of embedded MIPS devices. Case Study - ...
 
Null mumbai-iot-workshop
Null mumbai-iot-workshopNull mumbai-iot-workshop
Null mumbai-iot-workshop
 
Reverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdfReverse Engineering Presentation.pdf
Reverse Engineering Presentation.pdf
 

Último

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu SubbuApidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
Apidays Singapore 2024 - Modernizing Securities Finance by Madhu Subbu
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 

One Shellcode to Rule Them All: Cross-Platform Exploitation

  • 1. One Shellcode To Rule Them All.
  • 2. Who are we • Michael “Borski” Borohovski • Co-Founder / CTO @ Tinfoil Security • Member of “Samurai” CTF team • MIT Computer Science • Hacking since 13, won Defcon 20 CTF • Shane “ShaneWilton” Wilton • Engineer @ Tinfoil Security • Member of “Samurai” CTF team • University of Waterloo Computer Science • Hacking since he was just a wee little baby
  • 3. Who are we • Best web application scanner on the market • Focused on Dev. and DevOps integrations • Empower developers to find and fix vulnerabilities before they’re deployed • Enable security teams to focus on the hard problems • Email secuinside@tinfoilsecurity.com for 2 free months
  • 4. What is shellcode? • Small piece of (assembled) code used as payload to exploit a vulnerability • Common goals • Launch a shell • Read a file • Stage a larger payload • ??? • Lots of public examples of shellcode • Shell-storm, metasploit, etc.
  • 5. Why write your own? • Often you need to perform unique actions. • Unlock a door, call out to a different binary, etc. • May have unique constraints • Can’t contain the $ character • Only alphanumeric characters • Runs under both little and big endian (Dalvik?) • Fun!
  • 6. How do you write shellcode? • Learn the system calls for your platform • Man pages are your friend • Start simple, then build more complexity • First, just call the _exit syscall • Then, “hello world” followed by _write followed by _exit • … • Familiarize yourself with different calling conventions • x86 - cdecl, fastcall, etc. • PowerPC - registers • SPARC - register windows ● Have fun with this one, because we didn’t • Most importantly…
  • 7. How do you write shellcode? • Comment • Comment • Comment • Commenting with ; is your best friend • If you think understanding your Ruby code a month later is tough, try deciphering shellcode you’ve optimized to fit into a tiny buffer
  • 8. Why is multiplatform shellcode useful? • Deploy once, pwn always • Consider the recent futex bug • Allowed for priv. esc. on linux • The original proof of concept (PoC) was for x86 • Geohot used the bug to root an android phone (ARM) • Theoretically, a multi-platform payload could root any linux device • Difficult to probe architectures in the wild • Same version of software can run on completely different architectures • Common with routers, smart devices, etc. • Guess wrong, and the target crashes • Crashes lead to detection
  • 9. Why is multiplatform shellcode useful? • Malware (but that’s bad, don’t do it!) • Internet of things – everything connected, built differently, lots of cheap hardware choices • “100,000 Refrigerators and other home appliances hacked to perform cyber attack” • Internet census 2012 attacked 1.2M devices • Exploit/binary targeted 9 different platforms/architectures.
  • 10. Compiling your pieces • QEMU or Virtual Machine (VMWare, Parallels, etc.) • Write shellcode once • Load image for desired architecture in QEMU • qemu-img create -f qcow2 linuxppc.qcow2 5G • qemu-system-ppc -hda linuxppc.qcow2 -cdrom debian-ppc.iso -boot d -m 512 • Use nasm to assemble once in qemu • nasm –f bin shellcode.asm
  • 11. Compiling your pieces • Capstone • Programmable disassembly framework • http://www.capstone-engine.org/ • Arm, Arm64 (Armv8), Mips, PowerPC, SPARC, SystemZ, XCore & Intel • Written in C but bindings for Ruby, Python, etc. • Useful for seeing how opcodes disassemble in different architectures • Same opcode under different architectures lead to different behaviors • Take shellcode, print out disassembly for ARM, PPC, X86, etc.
  • 12. • Different architectures require different payloads • Each architecture has its own nuances • x86 has variable length instructions • SPARC has fixed-length 32-bit instructions • Shellcode must not crash on any platform • We have three goals • Write payloads for each architecture • Determine the architecture of the CPU • Jump to the payload for that architecture • How do we determine the architecture of the CPU? Multi-Platform Payloads
  • 13. • The same bytes decode to different instructions on different architectures • A jump instruction on x86 might be a NOP on PowerPC • Example - “x37x37xebx78” • x86 • aaa; aaa; jmp 116+4 • MIPS • ori $s7, $t9, 0xeb78 • SPARC • sethi %hi(0xdfade000), %i3 CPU Switch Header
  • 14. • Needs to jump in one architecture, and be NOP-like in all others • Can’t crash any architectures • Can’t modify PC • We don’t care about most other register state • Most architectures encode branch instructions in predictable formats. • SPARC - 00-a-bbbbb-010-<22-bit offset> • a - 1-bit annulment flag • bbbbb - 5-bit condition • We can fuzz all of the possible branch instructions! Finding “switch” instructions
  • 15. • Compute all of the branch instructions for an architecture • Use Capstone to decode them in all other targeted architectures • Look for instructions which decode harmlessly in most other architectures • Easier than it sounds! • We structure our switch-table like an onion • “Peel” off an architecture with each instruction • i.e. an instruction can’t crash MIPS, if MIPS has already jumped to its payload by that point Choosing Jump Candidates
  • 16. • Consider the case on two architectures, A and B • Let IA and IB be the sets of possible branch instructions for A and B • IA = {a1 , a2 , a3 } • IB = {b1 , b2 , b3 } • Let Din be the set of dependencies for instruction in • i.e. if a1 crashes on architecture B then Da1 = IB • We need an instruction from IA and an instruction from IB such that there exists an evaluation order which resolves all dependencies • Called a topological ordering on the dependency graph Dependency Resolution
  • 17. 1. Let S be the cartesian product of the sets of branch instructions 2. For each s ∈ S = (a, b, c, …) a. Construct a graph G with vertex set given by the elements of s b. Create a directed edge from vertex i to vertex j if instruction i crashes under the architecture for which j originates from c. Check for a topological ordering on G i. If one exists, return it, we are done ii. Otherwise, continue 3. If no ordering exists, we need to be clever a. Consider multi-stage payloads which split the targeted architectures into more manageable groupings Algorithmically…
  • 18. • Polyglot @ DEFCON 22 CTF Quals • Construct a payload which reads a flag on x86, ARMEL (little endian), ARMEB (big endian), and PPC • The dependencies are resolvable as: • x86 -> PPC -> ARMEB -> ARMEL • tsort can do most of this work from the command-line! Putting It Together 73 12 00 00 48 00 01 70 9A 00 00 40 13 00 00 EA x86 jae 0x14 - - - PPC andi r1, r0, 72 bdnzfa- lt, 0x98 - - ARMEB tstvc r2, #0 stmdami r0, ... bls 0x110 - ARMEL ... ... ... b 0x60
  • 19. • Each architecture is jumping to a different point, so we can simply insert our platform-specific shellcode at the correct offsets • Note the strange instructions • 48 00 01 70 -> bdnzfa- lt, 0x98 • Not a terribly useful instruction, but acts like a simple branch in our case • You just owned four different platforms with one payload • Congratulations! Putting It Together Cont.
  • 20. • Hardware is becoming more and more varied, and will only get further fragmented over time • Knowing and being able to fingerprint one architecture will become a thing of the past • Writing one payload that works across many architectures was once a luxury, but is quickly becoming a requirement for launching attacks in the wild To sum it all up
  • 21. • Basic idea: set up a jump table at the beginning of your shellcode, with one architecture falling through with each instruction • Find jmp/branch instructions in one architecture that are NOPs or NOP-like instructions in all others you’re targeting • To automate this search, you can reduce the problem to one of dependency resolution To sum it all up