Shellcode Development #2

Joas Antonio dos Santos

https://www.linkedin.com/in/joas-antonio-dos-santos
What is Shellcode
• Shellcode is a piece of code that is typically used as the payload in an
exploit when compromising a computer system. It is typically written in
machine code and is executed directly by the target system's processor.
• Shellcode is usually injected into a running process or written to a location
in memory that is then executed. It is often used to create a reverse shell,
which allows an attacker to remotely control the target system.
• Shellcode can be difficult to write because it must be self-contained and
must not contain any null bytes or other characters that might terminate
the string that it is stored in. It must also be able to execute on the target
system without the assistance of any external libraries or resources.
• Shellcode is often used in conjunction with other types of exploit code,
such as return-oriented programming (ROP) or heap spraying, to bypass
security measures and gain unauthorized access to a system.
Test your shellcode
• There are several ways to test your shellcode:
• Use a debugger: One of the most common ways to test shellcode is to use a debugger,
such as GDB (GNU Debugger) or Ollydbg. By setting breakpoints at strategic points in the
code and single-stepping through the execution, you can verify that the shellcode is
executing as expected.
• Use a disassembler: A disassembler, such as IDA Pro or Ghidra, can be used to analyze
the assembly language instructions in the shellcode and verify that they are correct.
• Use a sandbox: You can use a sandbox, such as a virtual machine or a container, to run
the shellcode in an isolated environment. This allows you to test the shellcode without
affecting the host system.
• Use a hex editor: You can use a hex editor, such as HxD or Hex Fiend, to verify that the
shellcode does not contain any null bytes or other characters that might terminate the
string it is stored in.
• It is important to test your shellcode thoroughly before using it in a real-world attack, as
any errors or bugs in the code could compromise the success of the exploit.
Test your shellcode - tools
• https://github.com/helviojunior/shellcodetester
• https://github.com/hellman/shtest
• https://github.com/NullByteGTK/Shellcode-Tester
• https://github.com/emptymonkey/drinkme
Shellcode Tools
• https://github.com/CaledoniaProject/awesome-opensource-
security/blob/master/shellcode-tools.md
• https://github.com/RischardV/emoji-shellcoding
• https://github.com/alphaSeclab/shellcode-resources
• https://github.com/sisoma2/ShellcodeLoader
• https://medium.com/@PenTest_duck/offensive-msfvenom-from-
generating-shellcode-to-creating-trojans-4be10179bb86
• https://github.com/thEpisode/Linux-Shellcode-Generator
Binary Exploitation
• https://gist.github.com/hashlash/8b6bccb796a1089b34a5871acd857c58
• https://milotruck.github.io/blog/Binary-Exploitation-Cheatsheet/
• https://bitvijays.github.io/LFC-BinaryExploitation.html
• https://vreugdenhil.dev/pwn_guide/
• https://trailofbits.github.io/ctf/exploits/binary1.html
• https://infosecwriteups.com/into-the-art-of-binary-exploitation-0x000001-stack-based-overflow-
50fe48d58f10
• https://www.youtube.com/watch?v=wa3sMSdLyHw&ab_channel=CryptoCat
• https://www.youtube.com/watch?v=tMN5N5oid2c&ab_channel=JohnHammond
• https://www.youtube.com/watch?v=hdlHPv48gNY&ab_channel=GuidedHacking
• https://ir0nstone.gitbook.io/notes/
• https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation
• https://medium.com/@0xvicio/binary-exploitation-basics-int-limits-buffer-overflow-e71af709becf
Buffer Overflow
• https://github.com/gh0x0st/Buffer_Overflow
• https://github.com/johnjhacking/Buffer-Overflow-Guide
• https://github.com/Tib3rius/Pentest-
Cheatsheets/blob/master/exploits/buffer-overflows.rst
• https://github.com/CyberSecurityUP/Buffer-Overflow-Labs
• https://academy.hackthebox.com/path/preview/intro-to-binary-
exploitation
• https://github.com/rhamaa/Binary-exploit-writeups
Rop
• Return-oriented programming (ROP) is a technique that can be used to bypass security
measures, such as data execution prevention (DEP) and address space layout
randomization (ASLR), in order to execute arbitrary code on a target system.
• In ROP, an attacker leverages the existing code in a program or library to execute a series
of return instructions, each of which transfers control to a different location in the code.
By carefully selecting these locations, the attacker can execute arbitrary code without
injecting new code into the target system.
• ROP is often used in conjunction with other exploit techniques, such as heap spraying, to
bypass security measures and gain unauthorized access to a system.
• To use ROP on a Linux system, an attacker must first identify a vulnerability that allows
them to control the flow of execution in the target program. They can then craft a ROP
chain, which is a series of return addresses that point to gadgets in the program's code or
in a shared library. When the vulnerability is exploited, the ROP chain is executed,
allowing the attacker to execute arbitrary code on the target system.
Rop Linux
• https://crypto.stanford.edu/~blynn/asm/rop.html
• https://shakuganz.com/2021/06/07/return-oriented-programming-rop-
gnu-linux-version/
• https://bufferoverflows.net/rop-manual-exploitation-on-x32-linux/
• https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/linux-
kernel-rop-ropping-your-way-to-part-1/
• https://valsamaras.medium.com/introduction-to-x64-linux-binary-
exploitation-part-3-rop-chains-3cdcf17e8826
• https://github.com/nnamon/linux-exploitation-
course/blob/master/lessons/6_bypass_nx_rop/lessonplan.md
• https://github.com/hardenedlinux/linux-exploit-development-
tutorial/blob/master/chapter2/linux-x86-rop.md
Rop Windows
• https://fuzzysecurity.com/tutorials/expDev/7.html
• https://connormcgarr.github.io/ROP/
• https://learn.microsoft.com/en-
us/openspecs/exchange_server_protocols/ms-oxcrops/13af6911-27e5-
4aa0-bb75-637b02d4f2ef
• https://github.com/catsmells/Windows-Exploit-Development-practice
• https://github.com/JonathanSalwan/ROPgadget
• https://www.offensive-security.com/vulndev/return-oriented-exploitation-
rop/
• https://resources.infosecinstitute.com/topic/return-oriented-
programming-rop-attacks/
RopChains
• https://www.ired.team/offensive-security/code-injection-process-
injection/binary-exploitation/rop-chaining-return-oriented-programming
• https://infosecwriteups.com/rop-chains-on-arm-3f087a95381e
• https://www.apriorit.com/dev-blog/434-rop-exploit-protection
• https://github.com/SQLab/ropchain
• https://github.com/kriw/ropchain
• https://www.usenix.org/conference/raid2020/presentation/bhattacharyya
• https://www.youtube.com/watch?v=HUfNUqsyb88&ab_channel=areyou1o
r0
• https://www.youtube.com/watch?v=f2ZYgFxlmoY&ab_channel=PaulViel
Rop With Shellcode
• Return-oriented programming (ROP) and shellcode are often used together in exploit
development. ROP can be used to bypass security measures, such as data execution
prevention (DEP) and address space layout randomization (ASLR), in order to execute
arbitrary code on a target system. Shellcode is a piece of code that is typically used as the
payload in an exploit, and is often injected into a running process or written to a location
in memory that is then executed.
• To use ROP with shellcode, an attacker must first identify a vulnerability that allows them
to control the flow of execution in the target program. They can then craft a ROP chain,
which is a series of return addresses that point to gadgets in the program's code or in a
shared library. When the vulnerability is exploited, the ROP chain is executed, allowing
the attacker to execute the shellcode on the target system.
• The shellcode can be used to perform a variety of actions, such as creating a reverse
shell, escalating privileges, or installing a rootkit. By combining ROP and shellcode, an
attacker can bypass security measures and gain unauthorized access to a system. It is
important to test both the ROP chain and the shellcode thoroughly before using them in
a real-world attack, as any errors or bugs in the code could compromise the success of
the exploit.
Rop With Shellcode
• https://github.com/VincentDary/rop-with-shellcode
• https://ir0nstone.gitbook.io/notes/types/stack/reliable-
shellcode/rop-and-shellcode
• https://www.youtube.com/watch?v=AsR8PFKK5Mw&ab_channel=No
bodyAtall
• https://failingsilently.wordpress.com/2017/12/17/rop-exploit-
mprotect-and-shellcode/
• https://infosecwriteups.com/arm-exploitation-defeating-nx-by-
invoking-mprotect-using-rop-1450b6667c16
Development shellcode run calc.exe

• Build your project in C++

Development shellcode run calc.exe
• Build your project using NASM or FASM
• Assemble the code using your assembler,
for example: nasm -f elf calc.asm
• Link the object file to create the shellcode:
ld -o calc calc.o (x64) or ld -m elf_i386 -s -o
calc calc.o
• Extract the shellcode from the executable:
objcopy -O binary calc shellcode
• The shellcode is now stored in the file
shellcode. You can use this shellcode in an
exploit to run calc.exe on the target
system.
Development shellcode run cmd.exe
• Assemble the code using your assembler, for example: nasm
-f elf cmd.asm
• Link the object file to create the shellcode: ld -o cmd cmd.o
(x64) or ld -m elf_i386 -s -o cmd cmd.o
• Extract the shellcode from the executable: objcopy -O binary
cmd shellcode
• The shellcode is now stored in the file shellcode. You can
use this shellcode in an exploit to run cmd.exe on the target
system.
• Note: This shellcode will open cmd.exe in the current
working directory. If you want to specify a different path for
cmd.exe, you can modify the code to push the path onto the
stack before the call to int 0x80.
Development shellcode run Bash

• Assemble the code using your assembler, for example: nasm

-f elf bash.asm
• Link the object file to create the shellcode: ld -o bash bash.o
(x64) or ld -m elf_i386 -s -o cmd cmd.o
• Extract the shellcode from the executable: objcopy -O binary
bash shellcode
• The shellcode is now stored in the file shellcode. You can
use this shellcode in an exploit to run bash on the target
system.
Development shellcode run Netcat

• Assemble the code using your assembler, for example: nasm

-f elf netcat.asm
• Link the object file to create the shellcode: ld -o netcat
netcat.o or ld -m elf_i386 -s -o netcat netcat.o
• Extract the shellcode from the executable: objcopy -O binary
netcat shellcode
• The shellcode is now stored in the file shellcode. You can
use this shellcode in an exploit to run netcat and listen on
port 4444 on a local interface.
Extractor Shellcode

1.#!/bin/bash
https://pastebin.com/p7b52GR0
2.if [ -z "$1" ]
3.then
4.echo "Use: $0 <Path Exe>"
5.exit
6.fi
7.objdump -d $1|grep '[0-9a-f]:'|grep -v
'file'|cut -f2 -d:|cut -f1-6 -d ' '|tr -s '
'|tr '\t' ' '|sed 's/$//g'|sed 's/
/\\x/g'|paste -d '' -s|sed 's/^/"/'|sed
's/$/"/g'
Shellcode Generate using MSFVENOM
• msfvenom -l payloads #Payloads
• msfvenom -l encoders #Encoders
Common params when creating a shellcode
• -b "\x00\x0a\x0d"
• -f c
• -e x86/shikata_ga_nai -i 5
• EXITFUNC=thread
• PrependSetuid=True #Use this to create a shellcode that will execute
something with SUID
Shellcode Generate using MSFVENOM
Shellcode Generate using MSFVENOM #2
 Shellcode Generate using MSFVENOM #3
• Limiting Shellcode Size
• You might have a tight shellcode space in memory for a BOF attack,
and you want to reduce the shellcode size to under a specific number
of bytes. In this case, you can use the -s no. option to specify the
upper limit of the size of the payload.
 Shellcode Generate using MSFVENOM #4
• NOP, or No Operation, is a type of shellcode that does nothing when it is
executed. It is often used as a placeholder or a "dummy" instruction in
shellcode payloads, particularly when exploiting vulnerabilities in software.
• The purpose of NOP shellcode is to make the payload larger and more
difficult to detect, as well as to help the payload evade intrusion detection
systems (IDS) and other security measures. By inserting a large number of
NOP instructions into the payload, an attacker can "pad" the payload with
meaningless code, making it harder for security tools to identify the
malicious intent of the shellcode.
• NOP shellcode is typically used in conjunction with other types of
shellcode, such as code that opens a command prompt or establishes a
connection to a remote server. When the NOP shellcode is executed, it
simply consumes processor cycles without performing any useful work,
while the other types of shellcode carry out the actual malicious actions.
Shellcode Generate using MSFVENOM #4

Don’t be alarmed if you don’t see the familiar string of \x90’s,

as Msfvenom defaults to using x86/opty2, which generates
multi-byte NOPs (like pseudo-NOPs; they aren’t actual \x90’s
but they effectively provide a similar effect). Plus, if you are
using an encoder such as shikata_ga_nai, the encoder will
further obfuscate the NOP sled.

https://medium.com/@PenTest_duck/offensive-msfvenom-
from-generating-shellcode-to-creating-trojans-4be10179bb86
Buffer Overflow - Shellcode
• Buffer overflow attacks are a type of vulnerability that can allow an attacker to execute arbitrary
code on a target system. One way to exploit a buffer overflow vulnerability is to develop shellcode
that is specifically designed to take advantage of the vulnerability.
• To develop shellcode for a buffer overflow attack, an attacker would typically follow these steps:
• Identify a target software application that is vulnerable to buffer overflow attacks.
• Develop or obtain a payload that contains the shellcode and any other necessary instructions or data.
• Determine the size of the buffer in the target application and the address in memory where the payload
should be placed.
• Create a buffer that is larger than the target buffer and fill it with the payload and a series of NOP instructions.
• Use the buffer overflow vulnerability to inject the buffer into the target application's memory.
• Execute the shellcode in the target application's memory, which can allow the attacker to gain control of the
system or carry out other malicious actions.
• It's important to note that developing shellcode for a buffer overflow attack can be a complex and
technical process, and requires a deep understanding of computer systems, networks, and
programming. It is also illegal in many jurisdictions to develop or use shellcode for malicious
purposes.
Decode Shellcode
• Shellcode is a type of code that is typically written in assembly language and is used to
exploit vulnerabilities in software. It is often used in buffer overflow attacks and other
types of exploits to execute arbitrary code on a target system.
• To decode shellcode, you will need to disassemble the code and examine the individual
instructions it contains. This can be done using a disassembler, which is a tool that
translates machine code (such as shellcode) into a human-readable form.
• There are many disassemblers available that can be used to decode shellcode, including
popular tools like objdump, gdb, and radare2. To use a disassembler, you will need to
provide the shellcode as input and specify the architecture (such as x86 or ARM) that the
code was compiled for. The disassembler will then translate the shellcode into assembly
language and display it on the screen or write it to a file.
• Once you have disassembled the shellcode, you can examine the individual instructions
to understand how the code works and what it does. This can be a complex and technical
process, as shellcode is often designed to be difficult to reverse engineer and
understand.
Shellcode Development – Examples #1
• Here is an example of how you might
develop shellcode in assembly
language that creates a new process
on a target system using the
CreateProcess function from the
kernel32.dll library:
• This shellcode will create a new
process using the CreateProcess
function from the kernel32.dll library,
passing the command line argument
"notepad.exe" to the function. You
can modify this shellcode to create a
different process by changing the
value of the cmdline buffer and
adjusting the other arguments as
needed.
• https://github.com/reg1reg1/Shellco
de

https://github.com/CyberSecurityUP/shellcode-
templates/blob/main/Assembly/ProcessCreate.asm
 Shellcode Development – Examples #2
• To load the ws2_32.dll library into the memory space of a
shellcode program in assembly language, you will need to
use the LoadLibrary function from the kernel32.dll library.
Here is an example of how you might do this:
• This shellcode will load the ws2_32.dll library into the
memory space of the shellcode program using the
LoadLibrary function from the kernel32.dll library. You can
modify this shellcode to load a different library by changing
the value of the ws2_32 buffer.
• It's important to note that this is just a high-level example
and may not be suitable for use in a real-world situation.
Developing shellcode that loads a DLL into memory in
assembly language can be a complex and technical process,
and requires a deep understanding of Windows internals,
assembly programming, and the LoadLibrary function. It is
also illegal in many jurisdictions to develop or use shellcode
for malicious purposes.
Shellcode Development – Examples #3
• Here is an example of how you might develop shellcode in assembly language
that creates a socket using the socket function from the ws2_32.dll library:
• https://github.com/CyberSecurityUP/shellcode-
templates/blob/main/Assembly/ws32_load_socket.asm
• This shellcode will create a new socket using the socket function from the
ws2_32.dll library. It will then check the return value of the function and exit the
program with a return code of 0 if the socket was successfully created, or -1 if an
error occurred.
• It's important to note that this is just a high-level example and may not be
suitable for use in a real-world situation. Developing shellcode that creates a
socket in assembly language can be a complex and technical process, and
requires a deep understanding of network programming, assembly programming,
and the socket function. It is also illegal in many jurisdictions to develop or use
shellcode for malicious purposes.