-
Automatic Generation ofCompact Printable Shellcodes For x86WOOT ’20
Dhrumil PatelAditya BasuAnish Mathuria
August 11, 2020
-
Outline
IntroductionCurrently used AlgorithmsMotivationPrintable Shellcode Compiler (psc)ResultsConclusion
-
Printable Shellcodes
Defensive filters strip all the printable characters from input.This ruins most injection attacks.
Attacker’s Goal is to generate code that consists only of:0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz!\"#$%&\’()*+,-./:;?@[\\]^_‘{|}~
-
Currently Used AlgorithmsRiley Eller Algorithm“Any dword (4 bytes) can be derived from twoor three SUB instructions whose operands areprintable bytes”
Available as a Metasploit plugin
Ex. 0x89e3cd80 bytes from execv /bin/shshellcode
# Constants are printable (0x21-0x7E)sub $0x256d6d2d, %eaxsub $0x256d6d25, %eaxsub $0x34574225, %eaxpush %eax
Each byte is encoded with > 2.5 bytes
Source to Source ConversionGeczi and Ivanyi replace allnon-printable instructions with asequence of printableinstruction(s)
38 byte shellcode→ 9837 bytesprintable shellcode
Not publicly available
-
We Need Compact Shellcodes
Transforming to printable⇒ increases shellcode sizeSize restrictions on input
ExampleBu�er overflow exploits are limited by the bu�er size.
-
Printable Shellcode Compiler
OverviewEncoding SchemeRuntime DecoderTesting
-
psc: Printable Shellcode Compiler
Arbitrary shellcode→ Printable shellcodeSpecial encoding schemeHand-crafted decoder that is printable
Printableshellcode
Encodedpayload
Printableshellcode
Encodedshellcode
CustomXOR
Patcher
Decoderloop(size=73bytes) Encodedpayload
Printableshellcode
EncodedshellcodeDecoder(size=146bytes)
-
psc Encoding Scheme
b2b0 b3b10 0 00
0 b80 b9b5 b6 b7b4
b100 b110 b13 b14 b15b12
b10b8 b11b9 b13 b14 b15b12
Original Byte #2
Encoded B1 = 0x3F +
Encoded B2 = 0x3F +
Encoded B3 = 0x3F +
Encoded Range = 0x3F − 0x7E
b2b0 b3b1 b5 b6 b7b4
Original Byte #1
Range of EncodedBytes‖
(0x3F,0x7E)
-
psc Runtime Decoding
ECX:ReadPointerEDX:WritePointer
Initializer
B1=0x26
Recoverfirstbyte,R1← (B1>2
Recoversecondbyte,R2← (B2
-
Testing
CustomXOR
Patcher
Decoderloop(size=73bytes) Encodedpayload
EncodedshellcodeDecoder
SIGTERM
ForTesting
Signal handler checksRecovered Shellcode == Original Shellcode
-
psc In Action
Shellcode to spawn shell on 4444/TCP
\x31\xc0\x31\xdb\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x97\x31\xc0\x43\x50\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x10\x51\x57\x89\xe1\xb0\x66\xcd\x80\x50\x57\x89\xe1\xb0\x66\x83\xc3\x02\xcd\x80\x50\x50\x57\x89\xe1\x04\x66\x43\xcd\x80\x93\x31\xc0\x31\xc9\xb1\x02\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x66\x68\x73\x68\x68\x2f\x2f\x62\x61\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
binary to
printable
‘PYj0X40HP[j0X0Y50AO0YO0Y‘0Aa0Ya0Ab0Yi0Aj0Yj0Ak0Ym0YnrII0Y70A80Y80A90Y=0Y>0YGQZOyI&t
-
Results
Encoding PerformanceTotal Output Size
-
Results: Only Encoded Shellcode
0 500 1000 1500 2000
execve /bin/sh
add root user
copy /etc/passwd
shell on 4444/TCP
download file & execute
HTTP Server on 8800/TCP
shell on 8080/TCP over SSL
bytes
Encoding Performance
Original
Riley Eller
psc
psc encoding is morecompact than Riley Elleralgorithm
-
Results: Decoder & Encoded Shellcode
0 500 1000 1500 2000
execve /bin/sh
add root user
copy /etc/passwd
shell on 4444/TCP
download file & execute
HTTP Server on 8800/TCP
shell on 8080/TCP over SSL
bytes
Total Output Size
Original
Riley Eller
psc
For large shellcodes, pscbeats the Riley Elleralgorithm
-
psc vs ALPHA3
psc encoding outperforms ALPHA3.ALPHA3 changes 1 byte→ 2 bytespsc changes 1 byte→ 1.5 bytes
However, the compact encoding makes our decoder complicated.
psc beats ALPHA3 for larger shellcodes (size > 236 bytes).
-
Concluding Remarks
We present a new encoding algorithm that uses looped decoding toreduce the size of the auto-generated printable shellcodes.
We produce about 40%− 50% smaller printable shellcodes as comparedto the Riley Eller algorithm.
Future PlanAdd support for x86_64 shellcodes
-
References
Riley EllerBypassing MSB Data Filters forBuffer Overflow Exploits on Intel Platformshttp://julianor.tripod.com/bc/bypass-msb.txt.
Zsolt Géczi and Peter Iványi (2018)Automatic translation of assembly shellcodesto printable byte codesPollack Periodica 13(04), 3–20.
B.J. WeverALPHA3https://github.com/SkyLined/alpha3.
http://julianor.tripod.com/bc/bypass-msb.txthttps://github.com/SkyLined/alpha3
-
Thanks!Dhrumil PatelDevops at Acko Technology and Services Private [email protected]
Aditya BasuPhD Student at Penn [email protected]
Anish MathuriaProfessor at [email protected]
[email protected]@[email protected]
Printable Shellcode CompilerOverview Encoding Scheme Runtime Decoder Testing
ResultsEncoding Performance Total Output Size