The Darker Sides of Assembly: Alex Radocea, Andrew Zonenberg
Moments in History
● Robert Morris, Jr. worm: gets() payload in fingerd (shellcode spotlight →)
● http://groups.csail.mit.edu/mac/classes/6.805/articles/morris-worm.html
Spaf does it right
● Best analysis ever on The Morris Worm:
http://homes.cerias.purdue.edu/~spaf/tech-reps/823
Outline of Today's Agenda
● Moments in History
● Basic terminology
● Code injection
● Shellcode
● Building a virus
– The ELF format
– Injection Schemes
● ? Surprise us
Terminology
● Backdoor: program allowing remote, covert access
● Virus: parasitic program
● Worm: self-propagating, network-enabled program
● Rootkit: tools to covertly maintain high-level system access
● Malware/Spyware: harmful software (popups, password/CC sniffers....)
● Botnet: MMORPG – without the RPG
Code injection we care about
● Runtime Arbitrary Code Execution
● Privileged Processes
● Signed/Trusted Code Execution Environments
● Remote programs
● Program File injection
● ???
Runtime Code Injection
● Remember all those crashmes?
● Local code injection
● Command line arguments, environment, pathname, executable interpreter flags, program data (heap, stack, ...)
● Remote code injection
● Program data
Writing your first shellcode.
● Goal:
● do not fork bomb anything
● Print a message to the screen
BITS 32
; nasm -f elf code.asm; ld -o code.bin code.o; ./code.bin
; nasm -f bin code.asm ; ndisasm -u ./code
global _start
_start:
    xor eax, eax        ; redundant: the next mov overwrites eax anyway
    mov eax, 4          ; __NR_write
    jmp data            ; jump over the data; "call back" pushes its address for us
back:
    xor ebx, ebx        ; fd 0 (stdin); on an interactive terminal this is the same tty as stdout
    pop ecx             ; ecx = address of the string (the return address pushed by call)
    mov edx, 12         ; length of "HI csci4971\n" (11 characters + newline)
    int 0x80            ; write(0, msg, 12)
    mov eax, 1          ; __NR_exit; ebx is still 0, so this is exit(0)
    int 0x80
data:
    call back           ; pushes the address of the bytes that follow
    db "HI csci4971", 0x0a
Demo
Minimization tips
● Data is code is data is code is data is code …
(von Neumann arch vs Harvard)
● NUL byte safe?
● Match constants to register sizes
● Avoid some instructions
● Use math to get values with NUL
● Encoder/Decoder
Minimization Tips (II)
● Size problems?
● Multi-staged payloads
– Establish data transfer
– Receive code
– Decode it
– Execute it
● Code crunch:
● extra credz for shortest, self-contained d/l and execute binary code.
No shellcode necessary
● Ret2libc
● Solar Designer '97
● ...
Memory corruption can be hard, but also very easy
● Linux local bugs:
● Off-by-one on gcc4 main()
● Truncates frame pointer by one byte
● Bypass ASLR
● “patched up”
● Still missing /proc/pid/stat
Writing a Virus
● Parasitic code
● Injects into drivers, system code files, executable programs, runtime process memory, …
Plan of Action
● Harmless Linux ELF Infector
● Open a file
● Expand size
● Inject code
● Update offsets
● Save to filesystem
Useful links
● Cesare's http://vx.netlux.org/lib/static/vdat/tuunix02.htm
● Eresi: http://www.eresi-project.org/
● http://virus.bartolich.at/virus-writing-HOWTO/_html/index.html
● http://felinemenace.org/~mercy/slides/RUXCON2004-ELFfairytale.ppt
● http://www.vx.netlux.org/lib/vrn00.html
● http://www.phrack.com/issues.html?issue=56&id=7&mode=txt
● ...
The ELF Format
● ELF Header
– man 5 elf
● Program Headers
– Runtime
● Section Headers
– Link time
● Misc
More useful links
● http://www.sco.com/developers/gabi/latest/contents.html
● http://www.sco.com/developers/devspecs/abi386-4.pdf
● http://users.csc.calpoly.edu/~mhaungs/paper/img7.gif
ELF Header
typedef struct {
    unsigned char e_ident[EI_NIDENT]; /* magic, class (32/64-bit), data encoding, ABI */
    uint16_t e_type;                  /* ET_EXEC, ET_DYN, ET_REL, ... */
    uint16_t e_machine;               /* EM_386, EM_X86_64, ... */
    uint32_t e_version;
    ElfN_Addr e_entry;                /* virtual address of the first instruction run */
    ElfN_Off e_phoff;                 /* file offset of the program header table */
    ElfN_Off e_shoff;                 /* file offset of the section header table */
    uint32_t e_flags;
    uint16_t e_ehsize;                /* size of this header */
    uint16_t e_phentsize;             /* size of one program header entry */
    uint16_t e_phnum;                 /* number of program header entries */
    uint16_t e_shentsize;             /* size of one section header entry */
    uint16_t e_shnum;                 /* number of section header entries */
    uint16_t e_shstrndx;              /* index of the section name string table */
} ElfN_Ehdr;
Program Headers
typedef struct {
    uint32_t p_type;      /* PT_LOAD, PT_INTERP, PT_DYNAMIC, ... */
    Elf32_Off p_offset;   /* file offset of the segment's bytes */
    Elf32_Addr p_vaddr;   /* virtual address the segment is mapped at */
    Elf32_Addr p_paddr;
    uint32_t p_filesz;    /* bytes present in the file */
    uint32_t p_memsz;     /* bytes in memory; anything beyond p_filesz is zero-filled */
    uint32_t p_flags;     /* PF_X | PF_W | PF_R */
    uint32_t p_align;
} Elf32_Phdr;
p_type values of interest here: PT_LOAD (a loadable segment) and PT_INTERP (path of the dynamic interpreter).
p_flags:
PF_X An executable segment.
PF_W A writable segment.
PF_R A readable segment.
Using readelf/objdump/etc
● Demo
Some ELF File Infection strategies
● Overwrite existing code
● Semantic nop injector (bukowski framework)
● Hijack GOT/PLT redirection
● Expand TEXT segment
● Insert new PF_X segment
● Replace Dynamic Interpreter
● Inject malicious shared object file paths
Simple infector
● >>
PHDR Injection
● Add a PF_X segment
● Add code
● Hijack entry point / branch
How do you do it all in asm?
● Need self propagation
● No compiler available (Sorry Ken)
All you need is...
● open()
● mmap()
● asm code
Infector demo
ELF Virus Detection
● Tripwire...
● Mismatched Section Headers
● Extra executable segments
● Strange shared libraries/dynamic interpreter
● Unusual entry point
● Q: Can the entry point be outside of the TEXT segment?
● Linux AVs
● ???
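Added example (not from the slides) that ties the ELF Header and Program Headers slides to this detection slide: it parses the Elf32_Ehdr and Elf32_Phdr structures shown earlier with the struct module and then applies the checks listed here (extra executable segments, an entry point outside or beyond the normal text segment, a writable-and-executable segment, an unexpected PT_INTERP path, a section header table that does not fit in the file). The KNOWN_INTERPS allowlist is an assumption to tune per host, and the two images are constructed in memory for the demonstration, not real binaries.

```python
"""Parse ELF32 headers and apply the structural checks from the detection slide.
Added example: the images at the bottom are constructed in memory, not real binaries."""
import struct

ELF_MAGIC = b"\x7fELF"
EHDR_FMT = "<16sHHIIIIIHHHHHH"   # Elf32_Ehdr, little-endian, 52 bytes
PHDR_FMT = "<8I"                 # Elf32_Phdr, 32 bytes
PT_LOAD, PT_INTERP = 1, 3
PF_X, PF_W, PF_R = 1, 2, 4
EHDR_FIELDS = ("e_ident", "e_type", "e_machine", "e_version", "e_entry", "e_phoff",
               "e_shoff", "e_flags", "e_ehsize", "e_phentsize", "e_phnum",
               "e_shentsize", "e_shnum", "e_shstrndx")
PHDR_FIELDS = ("p_type", "p_offset", "p_vaddr", "p_paddr", "p_filesz",
               "p_memsz", "p_flags", "p_align")
# Assumption: interpreter paths considered normal on this host; tune per distribution.
KNOWN_INTERPS = {b"/lib/ld-linux.so.2", b"/lib/ld-linux-x86-64.so.2"}


def parse_elf32(data):
    """Return (ehdr dict, list of phdr dicts) for a little-endian ELF32 image."""
    if data[:4] != ELF_MAGIC or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    ehdr = dict(zip(EHDR_FIELDS, struct.unpack_from(EHDR_FMT, data, 0)))
    phdrs = []
    for i in range(ehdr["e_phnum"]):
        off = ehdr["e_phoff"] + i * ehdr["e_phentsize"]
        phdrs.append(dict(zip(PHDR_FIELDS, struct.unpack_from(PHDR_FMT, data, off))))
    return ehdr, phdrs


def check_elf(data):
    """Apply the slide's structural checks; returns a list of (tag, detail) findings."""
    ehdr, phdrs = parse_elf32(data)
    findings = []
    loads = [p for p in phdrs if p["p_type"] == PT_LOAD]
    exec_loads = sorted((p for p in loads if p["p_flags"] & PF_X), key=lambda p: p["p_vaddr"])
    entry = ehdr["e_entry"]
    # Extra executable segments: a plain 32-bit Linux binary has a single PF_X PT_LOAD.
    if len(exec_loads) > 1:
        findings.append(("multiple-exec-segments", "%d PF_X PT_LOAD segments" % len(exec_loads)))
    # Unusual entry point: in no executable segment at all, or not in the lowest one (the text).
    holder = [p for p in exec_loads if p["p_vaddr"] <= entry < p["p_vaddr"] + p["p_memsz"]]
    if not holder:
        findings.append(("entry-outside-exec", "e_entry 0x%08x maps to no PF_X segment" % entry))
    elif holder[0] is not exec_loads[0]:
        findings.append(("entry-in-secondary-exec", "e_entry 0x%08x is in a later PF_X segment" % entry))
    # Writable and executable at once is rare in compiler output.
    for p in loads:
        if p["p_flags"] & PF_W and p["p_flags"] & PF_X:
            findings.append(("wx-segment", "PT_LOAD at 0x%08x is PF_W|PF_X" % p["p_vaddr"]))
    # Strange dynamic interpreter path.
    for p in phdrs:
        if p["p_type"] == PT_INTERP:
            path = bytes(data[p["p_offset"]:p["p_offset"] + p["p_filesz"]]).rstrip(b"\0")
            if path not in KNOWN_INTERPS:
                findings.append(("unusual-interp", path.decode(errors="replace")))
    # Mismatched section headers: the table claims to extend past the end of the file.
    sh_end = ehdr["e_shoff"] + ehdr["e_shnum"] * ehdr["e_shentsize"]
    if ehdr["e_shoff"] and sh_end > len(data):
        findings.append(("shdr-out-of-file", "table ends at 0x%x, file is 0x%x" % (sh_end, len(data))))
    return findings


def build_image(segments, entry, interp=None, shoff=0, shnum=0):
    """Constructed ELF32 image for testing: header, program headers, optional
    PT_INTERP string, zero-padded to 0x400 bytes. Not a loadable binary."""
    phnum = len(segments) + (interp is not None)
    body_off = 52 + 32 * phnum
    phdrs = b"".join(struct.pack(PHDR_FMT, t, off, va, va, fsz, msz, fl, 0x1000)
                     for (t, off, va, fsz, msz, fl) in segments)
    body = b""
    if interp is not None:
        body = interp + b"\0"
        phdrs += struct.pack(PHDR_FMT, PT_INTERP, body_off, 0x08048000 + body_off,
                             0x08048000 + body_off, len(body), len(body), PF_R, 1)
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + bytes(8)   # ELFCLASS32, ELFDATA2LSB, EV_CURRENT
    ehdr = struct.pack(EHDR_FMT, ident, 2, 3, 1, entry, 52, shoff, 0, 52, 32, phnum, 40, shnum, 0)
    image = ehdr + phdrs + body
    return image + bytes(0x400 - len(image))


# Constructed "typical" layout: R+X text at the image base, R+W data after it.
CLEAN = build_image(
    [(PT_LOAD, 0, 0x08048000, 0x400, 0x400, PF_R | PF_X),
     (PT_LOAD, 0x400, 0x08049400, 0, 0x100, PF_R | PF_W)],
    entry=0x08048100, interp=b"/lib/ld-linux.so.2")

# Constructed image carrying the markers the slide lists: an appended writable PF_X
# segment that now holds the entry point, an odd interpreter path, a bad section table.
SUSPECT = build_image(
    [(PT_LOAD, 0, 0x08048000, 0x400, 0x400, PF_R | PF_X),
     (PT_LOAD, 0x400, 0x08049400, 0, 0x100, PF_R | PF_W),
     (PT_LOAD, 0x400, 0x0a000000, 0x40, 0x40, PF_R | PF_W | PF_X)],
    entry=0x0a000000, interp=b"/tmp/ld.so", shoff=0x1000, shnum=4)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, check_elf(img) or "no findings")
```

To run it on a real file, read it into a bytes object and call check_elf on it; the checks are heuristics, so a hit is a prompt to look at the file with readelf -l, not a verdict, and the same structure extends to ELF64 by swapping the two struct formats and field widths.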