begood Posted March 4, 2010

Exploit writing tutorial part 9 : Introduction to Win32 shellcoding
Peter Van Eeckhoutte · Thursday, February 25th, 2010

Over the last couple of months, I have written a set of tutorials about building exploits that target the Windows stack. One of the primary goals of anyone writing an exploit is to modify the normal execution flow of the application and trigger the application to run arbitrary code… code that is injected by the attacker and that could allow the attacker to take control of the computer running the application.

This type of code is often called “shellcode”, because one of the most used targets of running arbitrary code is to allow an attacker to get access to a remote shell / command prompt on the host, which will allow him/her to take further control of the host.

While this type of shellcode is still used in a lot of cases, tools such as Metasploit have taken this concept one step further and provide frameworks to make this process easier. Viewing the desktop, sniffing data from the network, dumping password hashes or using the owned device to attack hosts deeper into the network, are just some examples of what can be done with the Metasploit meterpreter payload/console. People are creative, that’s for sure… and that leads to some really nice stuff.

The reality is that all of this is “just” a variation on what you can do with shellcode. That is, complex shellcode, staged shellcode, but still shellcode.

Usually, when people are in the process of building an exploit, they tend to try to use some simple/small shellcode first, just to prove that they can inject code and get it executed. The most well known and commonly used example is spawning calc.exe or something like that. Simple code, short, fast and does not require a lot of set up to work. (In fact, every time Windows calculator pops up on my screen, my wife cheers… even when I launched calc myself.)

In order to get a “pop calc” shellcode specimen, most people tend to use the already available shellcode generators in Metasploit, or copy ready made code from other exploits on the net… just because it’s available and it works. (Well, I don’t recommend using shellcode that was found on the net for obvious reasons.) Frankly, there’s nothing wrong with Metasploit. In fact the payloads available in Metasploit are the result of hard work and dedication, sheer craftsmanship by a lot of people. These guys deserve all respect and credits for that. Shellcoding is not just applying techniques, but requires a lot of knowledge, creativity and skills. It is not hard to write shellcode, but it is truly an art to write good shellcode.

In most cases, the Metasploit (and other publicly available) payloads will be able to fulfill your needs and should allow you to prove your point – that you can own a machine because of a vulnerability.

Nevertheless, today we’ll look at how you can write your own shellcode and how to get around certain restrictions that may stop the execution of your code (null bytes et al).

A lot of papers and books have been written on this subject, and some really excellent websites are dedicated to the subject. But since I want to make this tutorial series as complete as possible, I decided to combine some of that information, throw in my 2 cents, and write my own “introduction to win32 shellcoding”.

I think it is really important for exploit builders to understand what it takes to build good shellcode. The goal is not to tell people to write their own shellcode, but rather to understand how shellcode works (knowledge that may come in handy if you need to figure out why certain shellcode does not work), and write their own if there is a specific need for certain shellcode functionality, or modify existing shellcode if required.

This paper will only cover existing concepts, allowing you to understand what it takes to build and use custom shellcode… it does not contain any new techniques or new types of shellcode – but I’m sure you don’t mind at this point.

http://packetstormsecurity.org/papers/shellcode/win32-shellcoding.pdf