Advanced Shellcoding Techniques
Presentation
This paper expects a functioning information on fundamental shellcoding strategies, and x86 get together, I won't repeat these in this paper. I desire to show you a portion of the less popular shellcoding strategies that I have gotten, which will permit you to compose more modest and better shellcodes. I don't really have concocted any of these procedures, with the exception of the one that utilizes the div guidance.
The variety of mul
This procedure was initially evolved by Sorbo of darkircop.net. The mul guidance may, by all accounts, appear to be ordinary, and it's motivation self-evident. Be that as it may, when confronted with the troublesome test of contracting your shellcode, it ends up being very valuable. First some foundation data on the mul guidance itself.
mul plays out an unsigned increase of two numbers. It takes just a single operand, the other is certainly indicated by the %eax register. Thus, a typical mul guidance could look something like this:
movl $0x0a,%eax
mul $0x0a
This would duplicate the worth put away in %eax by the operand of mul, which for this situation would be 10*10. The outcome is then verifiably put away in EDX:EAX. The outcome is put away over a range of two registers since it can possibly be impressively bigger than the past worth, potentially surpassing the limit of a solitary register(this is likewise the way that drifting focuses are put away at times, as a fascinating sidenote).
Thus, presently comes the always significant inquiry. How might we utilize these characteristics for our potential benefit while composing shellcode? Indeed, we should think briefly, the guidance takes just a single operand, in this way, since it is an exceptionally considered normal guidance, it will produce just two bytes in our last shellcode. It duplicates whatever is passed to it by the worth put away in %eax, and stores the worth in both %edx and %eax, totally overwriting the items in the two registers, whether or not it is important to do as such, to store the consequence of the augmentation. We should put on our mathematician caps briefly, and consider this, what is the main conceivable consequence of a duplication by 0? The response, as you might have speculated, is 0. I believe the time is now for some model code, so it is right here:
xorl %ecx,%ecx
mul %ecx
What is this shellcode doing? Indeed, it 0's out the %ecx register utilizing the xor guidance, so we currently know that %ecx is 0. Then, at that point, it does a mul %ecx, which as we recently scholarly, duplicates it's operand by the worth in %eax, and afterward continues to store the consequence of this increase in EDX:EAX. In this way, no matter what %eax's past items, %eax should now be 0. Anyway that is not all, %edx is 0'd now as well, since, despite the fact that no flood happens, it actually overwrites the %edx register with the sign bit(left-most piece) of %eax. Involving this procedure we can no out three registers in just three bytes, though by some other method(that I am aware of) it would have taken no less than six.
The div guidance
Div is basically the same as mul, in that it takes just a single operand and certainly separates the operand by the worth in %eax. Additionally like, mul it stores the consequence of the separation in %eax. Once more, we will require the numerical side of our cerebrums to sort out how we can exploit this guidance. Above all, we should contemplate what is typically put away in the %eax register. The %eax register holds the return worth of capabilities and additionally syscalls. Most syscalls that are utilized in shellcoding will return - 1(on disappointment) or a positive worth or some likeness thereof, just seldom will they return 0(though it happens). In this way, on the off chance that we know that after a syscall is performed, %eax will have a non-zero worth, and that the guidance divl %eax will separate %eax without help from anyone else, and afterward store the outcome in %eax, we can say that executing the divl %eax guidance after a syscall will place the worth 1 into %eax. So...how is this relevant to shellcoding? Indeed, their is one more significant thing that %eax is utilized for, and that is to pass the particular syscall that you might want to call to int $0x80. It just so happens that the syscall that relates to the worth 1 is exit(). Presently for a model:
xorl %ebx,%ebx
mul %ebx
push %edx
pushl $0x3268732f
pushl $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al #execve() syscall, doesn't return at all except if it fizzles, in which case it returns - 1
int $0x80
divl %eax # - 1/ - 1 = 1
int $0x80
Presently, we have a 3 byte leave capability, where as before it was 5 bytes. Nonetheless, there is a trick, imagine a scenario where a syscall brings 0 back. Well in the odd circumstance in which that could occur, you could do a wide range of things, similar to inc %eax, dec %eax, not %eax anything that will make %eax non-zero. Certain individuals say that exit's are not significant in shellcode, on the grounds that your code gets executed whether or not or not it exits neatly. They are correct as well, in the event that you truly need to save 3 bytes to accommodate your shellcode in some place, the exit() isn't valuable. Nonetheless, when your code gets done, it will attempt to execute whatever was after your last guidance, which will in all probability create a SIG ILL(illegal guidance) which is a fairly odd mistake, and will be logged by the framework. Thus, an exit() basically adds an additional layer of secrecy to your endeavor, so that regardless of whether it comes up short or you can't wipe every one of the logs, essentially this piece of your presence will be clear.
Opening the force of leal
The leal guidance is a frequently dismissed guidance in shellcode, despite the fact that it is very valuable. Consider this short piece of shellcode.
xorl %ecx,%ecx
leal 0x10(%ecx),%eax
This will stack the worth 17 into eax, and clear every one of the incidental pieces of eax. This happens on the grounds that the leal guidance stacks a variable of the sort long into it's desitination operand. In it's generally expected utilization, this would stack the location of a variable into a register, consequently making a pointer of sorts. Notwithstanding, since ecx is 0'd and 0+17=17, we load the worth 17 into eax rather than any sort of real location. In an ordinary shellcode we would follow through with something like this, to achieve exactly the same thing:
xorl %eax,%eax
movb $0x10,%eax
I can hear you saying, yet that shellcode is a byte more limited than the leal one, and you're very correct. In any case, in a genuine shellcode you may as of now need to 0 out a register like ecx(or some other register), so the xorl guidance in the leal shellcode isn't counted. Here is a model:
xorl %eax,%eax
xorl %ebx,%ebx
movb $0x17,%al
int $0x80
xorl %ebx,%ebx
leal 0x17(%ebx),%al
int $0x80
Both of these shellcodes call setuid(0), yet one does it in 7 bytes while different does it in 8. Once more, I hear you saying yet that is just a single byte it doesn't have that a very remarkable effect, and you're right, here it doesn't make a big deal about a difference(except for in shellcode-size petty rivalries =p), however when applied to a lot bigger shellcodes, which have many capability calls and have to do things like this much of the time, it can save a lot of room.
End
I want to believe that all of you picked up something, and will go out and apply your insight to make more modest and better shellcodes. On the off chance that you realize who concocted the leal strategy, if it's not too much trouble, tell me and I will credit him/her.