An Approach to Reducing the Size of Shellcodes without Compromising Behavior
Abstract
Despite the evolution of binary attack techniques, shellcodes are still part of the curricula of courses in the cybersecurity area. Creating a shellcode may require automated techniques that depend on the scenario and the computer architecture, while building it in the smallest possible size requires greater effort. This work revisits the theme, confirming its importance by consulting the topics covered in courses at the 20 largest universities in the world, and presents an approach for optimizing the size of shellcodes by employing manual techniques such as PNP, IM and RV. The results show the effectiveness of the proposed approach; the resulting codes have been officially incorporated into the Metasploit project.