Download (03_2013) - Reverse Engineering Tutorials PDF

Title: (03_2013) - Reverse Engineering Tutorials
Tags: Malware, Instruction Set, Computer Program, Subroutine, Source Code
File Size: 10.1 MB
Total Pages: 60
Table of Contents
Cover
Editor's Note
Contents
Reversing with Stack-Overflow and Exploitation
Malware Reverse Engineering: Zeus Trojan - Part 1
Android Reverse Engineering: an introductory guide to malware analysis
Write your own Debugger
Reverse Engineering - Shellcodes Techniques
Deep Inside Malicious PDF
How to Reverse Engineer dot net Assemblies
Document Text Contents
Page 2

http://frogteam-security.com/

Page 30

30 03/2013

REVERSE IT YOURSELF

Reverse Engineering – Shellcodes Techniques
The concept of the reverse engineering process is well known, yet in this article we are not about to discuss the technological principles of reverse engineering but rather focus on one of its core applications in the security arena. Throughout this article we'll go over the concept of shellcode, its various types, and the understanding gained by analysing what a "shellcode" does to a software program.

Shellcode is named as it is since it usually starts by spawning a command shell. The shellcode gives the initiator control of the target machine by using a vulnerability on the targeted system that was identified in advance. Shellcode is in fact a certain (not too large) piece of code which is used as a payload (the part of a computer virus which performs a malicious action) for the purpose of exploiting software vulnerabilities.

Shellcode is commonly written in machine code, yet any piece of code which performs the relevant actions may be identified as shellcode. A shellcode's purpose is mainly to take control over a local or remote machine (via the network); the form the shellcode takes depends mainly on the initiator of the shellcode and his or her goals in executing it.

The Various Shellcode Techniques
When the initiator of the shellcode has unrestricted access to the destination machine for exploiting the vulnerability, it is best to use a local shellcode. Local shellcode is used when a higher-privileged process can be accessed locally; once executed successfully, it opens access to the target with those high privileges. The second option is a remote run, when the initiator's access to the target running the vulnerable process is limited (for instance, when the machine is located on a local network or intranet). In this case the shellcode is a remote shellcode, as it provides entry to the target machine across the network, and in most cases standard TCP/IP socket connections are used to obtain the access.

Remote shellcodes can be versatile and are distinguished by the manner in which the connection is established. A "reverse shell" or "connect-back shellcode" is a remote shellcode which, once running on the target machine, opens a connection back to the source machine that initiated the shellcode. Another type of remote shellcode binds to a certain port on the target so that the initiator, through this unique access point, may connect to it and control the target machine; this is known as a "bindshell shellcode".

Another, less common, type of shellcode is one in which a connection that was already established with the vulnerable process (and not closed prior to the run of the shellcode) is utilised, so that the initiator can re-use this connection to communicate back to the source. This is known as a "socket-reuse shellcode", as the socket is re-used by the shellcode.

Because a "socket-reuse shellcode" requires detecting the active connections and determining which of the (most likely) many open connections can be re-used, activating such a shellcode is considered a bit more difficult. Nonetheless there is a need for such a shellcode, as firewalls can detect the outgoing connections made by "connect-back shellcodes" and/or the incoming connections made by "bindshell shellcodes".

For these reasons a "socket-reuse shellcode" should be used in highly secure systems, as it does not create any new connections and is therefore harder to detect and block.
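As an added illustration of the detection point above (this is not code from the article), the following Python triage of a constructed host connection table shows what a baseline-comparison check sees for each of the three remote-shellcode types: a bindshell appears as a new listener, a connect-back as a new outbound connection, and a socket-reuse shellcode adds no new row at all. The process names, addresses and ports are constructed.

```python
# Added example, not from the article: triage of a host connection table
# against a baseline snapshot. Bind shells add a listener, connect-back
# shells add an outbound connection, socket reuse adds no row at all.
# All process names, addresses and ports below are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    pid: int
    proc: str
    laddr: str   # "ip:port" on the local host
    raddr: str   # "ip:port" of the peer, or "*:*" for a listener
    state: str   # "LISTEN" or "ESTABLISHED"

# Ports each process is expected to serve on this (constructed) host.
EXPECTED_LISTENERS = {"httpd": {80, 443}, "sshd": {22}}

def port(addr: str) -> int:
    return int(addr.rsplit(":", 1)[1])

def triage(baseline: set[Conn], current: set[Conn]) -> dict[Conn, str]:
    """Label every row that is new relative to the baseline snapshot."""
    verdicts = {}
    for c in current - baseline:          # unchanged rows are never examined
        served = EXPECTED_LISTENERS.get(c.proc, set())
        if c.state == "LISTEN":
            verdicts[c] = "expected listener" if port(c.laddr) in served \
                else "unexpected listener (bindshell-like)"
        elif c.state == "ESTABLISHED" and port(c.laddr) in served:
            verdicts[c] = "new inbound client to an expected service"
        else:                              # local side is an ephemeral port
            verdicts[c] = "new outbound connection (connect-back-like)"
    return verdicts

BASELINE = {
    Conn(1200, "httpd", "10.0.0.5:80", "*:*", "LISTEN"),
    Conn(1200, "httpd", "10.0.0.5:80", "198.51.100.7:51514", "ESTABLISHED"),
}
SCENARIOS = {
    "bindshell": BASELINE | {Conn(1200, "httpd", "10.0.0.5:4444", "*:*", "LISTEN")},
    "connect-back": BASELINE | {Conn(1200, "httpd", "10.0.0.5:40123", "198.51.100.7:4444", "ESTABLISHED")},
    "socket-reuse": set(BASELINE),   # the existing 51514 session is hijacked; table unchanged
}

def run_scenarios() -> dict[str, list[str]]:
    return {n: sorted(triage(BASELINE, c).values()) for n, c in SCENARIOS.items()}
```

The empty verdict list for the socket-reuse scenario is the point: a check that keys on new connections has nothing to flag, so that case has to be caught inside the process (for instance by watching what the existing socket is used for) rather than at the connection table.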

http://en.wikipedia.org/wiki/Computer_virus

Page 31

www.hakin9.org/en 31

A different type of shellcode is the "download and execute shellcode". This type directs the target to download a certain executable file from outside the target machine, store it locally and execute it. A variation of this type downloads and loads a library.

This variation allows the code to be smaller than usual, as it does not need to spawn a new process on the target system nor to clean up after execution (both can be done by the library loaded into the process).

An additional type of shellcode arises from the need to run the exploitation in stages, due to the limited amount of data that one can inject into the target process and still execute it usefully and directly; such a shellcode is called a "staged shellcode".

A staged shellcode may work (for example) by first running a small piece of shellcode which triggers a download of another, most likely larger, piece of shellcode, and then loading that into the process's memory and executing it.

"Egg-hunt shellcode" and "Omelet shellcode" are the last two types of shellcode which will be mentioned. "Egg-hunt shellcode" is a form of "staged shellcode", the difference being that with "Egg-hunt shellcode" one cannot determine where the second piece of code, downloaded and executed in the later stage, will end up in the target process's memory, so the first stage has to search for it. When the initiator can only inject much smaller blocks of data into the process, the "Omelet shellcode" can be used: it looks for multiple small blocks of data (eggs) and recombines them into one larger block (the omelet) which is subsequently executed.

Introduction to the MSFPAYLOAD Command
In this part we'll focus on the msfpayload command. This command is used to generate and output all of the various types of shellcode that are available within Metasploit. This tool is mostly used for the generation of shellcode for an exploit that is currently not available within the Metasploit framework. Another use for this command is testing the different types of shellcode and options before finalizing a module.

Although it is not fully visible within its "help banner" (as can be seen in Figure 1), this tool has many different options and variables available, but they may not all be fully realized without a proper introduction.

# msfpayload -h

Type the following command to show the vast number of different types of shellcode available (based on which one can customize a specific exploit):

# msfpayload -l

One can browse the wide list of payloads (as seen in Figure 2) that is shown as the output of the msfpayload -l command.

In this case we chose the "shell_bind_tcp" payload as an example. Before continuing with our action, let us change our working directory to the Metasploit framework, as so:

Figure 1. Msfpayload Help Information

Figure 2. Msfpayload Payload List

Figure 3. Listing the Shellcode Options

Page 59

www.titania.com
T: +44 (0) 1905 888785

Evaluate for free at www.titania.com

What do all these have in common? They all use Nipper Studio to audit their firewalls, switches & routers.

SME pricing from £650, scaling to enterprise level.

Nipper Studio is an award-winning configuration auditing tool which analyses vulnerabilities and security weaknesses. You can use our point-and-click interface or automate using scripts. Reports show:

1) Severity of the Threat & Ease of Resolution
2) Configuration Change Tracking & Analysis
3) Potential Solutions including Command Line Fixes to resolve the Issue

Nipper Studio doesn't produce any network traffic, doesn't need to interact directly with devices and can be used in secure environments.

https://www.titania-security.com/
