An Approach to Reducing the Size of Shellcodes without Compromising Their Behavior
Abstract
Despite the evolution of the various binary attack techniques, shellcodes remain part of the curricula of cybersecurity courses. Creating a shellcode may require automated techniques that depend on the scenario and on the computer architecture, whereas building it at the smallest possible size demands greater effort. This work revisits the topic, corroborating its importance through a survey of the content covered in courses at the 20 top-ranked universities in the world, and aims to present an approach for optimizing the size of shellcodes that employs manual techniques such as PNP, IM, RV. The results show the effectiveness of the proposed approach, whose resulting code was officially incorporated into the Metasploit project.