A people's guide to search-shellcode

[dave <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm guessing every team out there has their own methodology on how to do
this, but these are the ones I know about.

In general the problem statement is that you want a SMALL (30-90 bytes
or so) shellcode that you can use when space is at a premium.

While some simple callbacks shellcodes (c.f. ordinal shellcodes,
shellcodes with known addresses, etc.) are also in this size range, the
payload for an exploit may require sophisticated techniques that are
unable to be compressed to that level. For example, an exploit targeting
a browser may require the ability to repair structures in the browser
after exploitation to prevent it from crashing under the user, alerting
them to the attack. Likewise, reliability or protocol tunnelling
constraints may requires a large, complex main shellcode. Hence the use
of a "search" shellcode.

Other design goals are speed - searching all of memory can take some
time, and the more time goes by the more likely the process being
searched is to crash or otherwise misbehave. Likewise, failing to
provide an exit for the shellcode reduces size slightly but sometimes
produces error conditions if the shellcode never finds the main payload,
and simply loops forever at 100% CPU. This tends to alert targets that
something is wrong.

In Windows search shellcode you do not have the ability to use system
functions and you can only use system calls that do not change (your
shellcode may be restricted to some useful subset of Windows versions).

The basic strategy originally was to create an SEH handler - this
essentially emulated the code of IsBadReadPtr() to look through all of
memory, but later versions of Windows (i.e. XP SP2->3) required some
trickery to bypass SafeSEH restrictions. Even more modern versions of
Widnows (Vista/2008/7) have effectively disabled this technique. This is
the technique you can read about in excruciating depth in the
Shellcoder's Handbook. (I wrote this, now obsolete, chapter so the code
you see in the book is cut and paste out of CANVAS.)

Unix exploit developers were already publishing shellcodes that did
their searching using system calls to have the kernel validate shellcode
addresses. You can see Matt Miller writing about using NtDisplayString()
for this purpose on Windows back in 2004 [1]. CANVAS's modern Win32
search shellcode (and I assume others'?) uses NtAddAtom()[2] to validate
the readability of an address.

This technique results in smaller and more compatible shellcode than the
SEH technique, but as Alex Sotirov has (on Twitter) complained of, is
adding lots of Atoms to the internal Kernel tables. (The maximum number
of new additional Atoms in the CANVAS shellcode is == the number of
readable pages in the process - possibly some other shellcodes are using
a per-byte or per-dword check? Likewise, NT should be fine with very
large numbers of Atoms. Be interesting to know what the top limit is
there). We've not seen a lot of instability related to this, but
anything is possible in Windows-land.

Other possibilities for search-shellcode are endless - for example,
parsing the heap structures themselves or searching through the freelist
(most of the time the shellcode is on the heap and often you have enough
control to place your shellcode on a specific freelist slot),
constructing big payloads from tiny fragments[3], optimizing for
reliability by doing checksums (many corrupted copies of your shellcode
often exist on the heap), parsing the PE header and calling
IsBadReadPtr(), disabling SafeSEH (without the use of VirtualProtect()
:>) and using the older SEH style code, or a thousand other things, like
so many different seashells on the beach.

- -dave

[1] http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
[2]
http://undocumented.ntinternals.net/UserMode/Undocumented%20Functions/Atoms/NtAddAtom.html
[3]
http://skypher.com/wiki/index.php/Hacking/Shellcode/Egg_hunt/w32_SEH_omelet_shellcode
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkszPjMACgkQtehAhL0ghepuwACZAZxBP7G2pMPu0ijj6u57G1y1
axgAmwS+Q1Bf2mdJ/MOS6YyzFBLobALh
=tSRj
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave