======================================================
Classifiion / Shell (computer security)
======================================================
#[+] Discovered By : Inj3ct0r
#[+] Site : Inj3ct0r.com
#[+] support e-mail : submit[at]inj3ct0r.com
?----------------[0x01]---> ;
?----------------[0x02]---> Shell ;
// English description, review / Russia
// English
[0x01] -
An (from the same word in the French language, mning "achievement", or "accomplishment")
is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug,
glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software,
hardware, or something electronic (usually computerised). This frequently includes such things as gaining
control of a computer system or allowing privilege escalation or a denial of service attack.
-----------------------
[=>] Classifiion
-----------------------
There are several methods of classifying s. The most common is by how the contacts the vulnerable software.
A 'remote ' works over a network and s the security vulnerability without any prior access to the vulnerable system.
A 'local ' requires prior access to the vulnerable system and usually incrses the privileges of the person running the past those granted by the system administrator.
s against client appliions also exist, usually consisting of modified servers that send an if accessed with client appliion.
s against client appliions may also require some interaction with the user and thus may be used in combination with social engineering method.
Another classifiion is by the action against vulnerable system: unauthorized data access, arbitrary execution, denial of service.
Many s are designed to provide superuser-level access to a computer system. However, it is also possible to use several s, first to gain low-level access,
then to escalate privileges reptedly until one rches root.
Normally a single can only take advantage of a specific software vulnerability. Often, when an is published, the vulnerability is fixed through a and the becomes obsolete for newer versions of the software.
This is the rson why some blackhat s do not publish their s but keep them private to themselves or other s.
Such s are referred to as 'zero day s' and to obtain access to such s is the primary desire of unskilled attackers, often nicknamed script kiddies.
-----------------------
[=>] Types of
-----------------------
s are commonly egorized and named by these criteria:
* The type of vulnerability they .
* Whether they need to be run on the same machine as the program that has the vulnerability (local) or can be run on one machine to attack a program running on another machine (remote).
* The result of running the (EoP, DoS, Spoofing, etc...)
[0x02] - SHELL
In computer security, a shell is a small piece of used as the payload in the ation of a software vulnerability.
It is called "shell" because it typically starts a command shell from which the attacker can control the compromised machine.
Shell is commonly written in machine , but any piece of that performs a similar task can be called shell.
Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shell is insufficient.
However, attempts at replacing the term have not gained wide acceptance.
-----------------------
[=>] Types of shell
-----------------------
Shell can either be "local" or "remote", depending on whether it gives an attacker control over the same machine as it runs on (local) or over another machine through a network (remote).
In some situations when it is hard to inject and execute a shell with the desired functionality directly, "staged" shell may be used.
-----------------------
[=>] Local shell
-----------------------
A local shell is used by an attacker who has limited access to a machine but can a vulnerability in a process on that machine that has higher privileges.
If successfully executed, the shell will provide the attacker access to the machine with the same higher privileges as the targeted process.
Local shell is relatively sy to crte; often the only thing it does is execute a shell executable.
-----------------------
[=>] Remote shell
-----------------------
A remote shell is used when an attacker wants to target a vulnerable process running on another machine on the local network or internet.
If successfully executed, the shell can provide the attacker access to the target machine across the network.
Remote shell normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine.
Such shell can be sub-divided based on how this connection is set up: if the shell can establish this connection, it is called connect-back shell
because the shell connects back to the attacker's machine. On the other hand, if the attacker needs to crte the connection,
the shell is called a bindshell because the shell binds to a certain port on which the attacker can connect to control it.
A third, much less common type is socket-reuse shell. This type of shell is sometimes used when an establishes a connection to the vulnerable
process that is not closed before the shell is run. The shell can then re-use this connection to communie with the attacker.
Socket re-using shell is harder to crte because the shell needs to find out which connection to re-use and the machine may have many connections open.
A firewall can be used to detect the outgoing connections made by connect-back shell and the attempt to accept incoming connections made by bindshells.
They can therefore offer some protection against an attacker, even if the system is vulnerable, by preventing the attacker from gaining access to the shell crted by the shell.
This is one rson why socket re-using shell is sometimes used: because it does not crte new connections and therefore is harder to detect and block.
-----------------------------------
[=>] Download and execute shell
-----------------------------------
This is a type of remote shell that downloads and executes some form of malware on the target system. This type of shell does not spawn a shell,
but rather instructs the machine to download a certain executable file off the network, save it to and execute it.
Nowadays, it is commonly used in drive-by download attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute
shell in order to install software on the victim's machine. A variation of this type of shell downloads and loads a library.
Benefits of this technique are that the can be smaller, that it does not require the shell to spawn a new process on the target system and that the shell does not need
to "cln up" the targetted process (this can be done by the library loaded into the process.
---------------------
[=>] Staged shell
---------------------
When the amount of data that an attacker can inject into the target process is too limited to execute useful shell directly, it may be possible to execute it in stages.
First, a small piece of shell (stage 1) is executed. This then downloads a larger piece of shell (stage 2) into the process' memory and executes it.
-----------------------
[=>] Egg-hunt shell
-----------------------
Another form of staged shell, which is used if an attacker can inject a larger shell into the process, but cannot determine where in the process it will end up.
A small egg-hunt shell is injected into the process at a predictable loion and executed. This then srches the process' address space for the larger shell (the egg) and executes it.
---------------------
[=>] Omelet shell
---------------------
This type of shell is similar to egg-hunt shell, but looks for multiple small blocks of data (eggs) and recombines them into one larger block (the omelet) that is subsequently executed.
This is used when an attacker can only inject a of small blocks of data into the process.
---------------------------------
[=>] Shell execution strategy
---------------------------------
An will commonly inject a shell into the target process before or at the same time as it s a vulnerability to gain control over the program counter.
The program counter is adjusted to point to the shell, after which it gets executed and performs its task. Injecting the shell is often done by storing
the shell in data sent over the network to the vulnerable process, by supplying it in a file that is rd by the vulnerable process or through the command line or environment in the case of local s.
Shell encoding
Because most processes filter or restrict the data that can be injected, shell often need to be written to allow for these restrictions, this includes making the small, -free or alphanumeric.
Various solutions have been found to get around such restrictions, including:
* Design and implementation optimizations to decrse the size of the shell.
* Implementation modifiions to get around limitations in the range of bytes used in the shell.
* Self-modifying that modifies a of the bytes of its own before executing them to re-crte bytes that are normally impossible to inject into the process.
Since intrusion detection can detect signatures of simple shell being sent over the network, it is often end, made self-decrypting or polymorphic to avoid detection.
Percentage encoding
s that target browsers commonly en shell in a JavaScript string using Percent-encoding, "\uXXXX"-encoding or entity encoding. Some s also obfuse the end shell
string further to prevent detection by IDS. For example, on the IA-32 architecture, here's how two NOP instructions would look, first unend:
90 NOP
90 NOP
Then end into a string using percent-encoding (using the unescape() function to de):
unescape("%u9090");
Next end into a string using "\uXXXX"-encoding:
"\u9090";
And finally end into a string using entity encoding:
"邐"
or
"邐"
------------------------
[=>] free shell
------------------------
Most shell are written without the use of bytes because they are intended to be injected into a target process through -terminated strings.
When a -terminated string is copied, it will be copied up to and including the first but subsequent bytes of the shell will not be processed.
When shell that contains s is injected in this way, only part of the shell would be injected, making it very unlikely to run successfully.
To produce free shell from shell that contains bytes one can substitute machine instructions that contain zeroes with instructions that have the same effect but are free of s. For example, on the IA-32 architecture one could replace this instruction:
B8 01000000 MOV X,1 // Set the register X to 0x000000001
which contains zeroes as part of the literal (1 expands to 0x00000001) with these instructions:
33C0 XOR X,X // Set the register X to 0x000000000
40 INC X // Incrse X to 0x00000001
which have the same effect but take fewer bytes to en and are free of s.
-----------------------------------------
[=>] Alphanumeric and printable shell
-----------------------------------------
In certain circumstances, a target process will filter any byte from the injected shell that is not a printable or alphanumeric character.
Under such circumstances, the range of instructions that can be used to write a shell becomes very limited.
A solution to this problem was published by Rix in Phrack 57[6] in which he showed it was possible to turn any into alphanumeric .
A technique often used is to crte self-modifying , because this allows the to modify its own bytes to include bytes outside of the normally allowed range,
thereby expanding the range of instructions it can use. Using this trick, a self-modifying der can be crted that uses only bytes in the allowed range. The main of the shell is end,
also only using bytes in the allowed range. When the output shell is run, the der can modify its own to be able to use any instruction it requires to function properly and then continues to de the original shell.
After decoding the shell the der transfers control to it, so it can be executed as normal. It has been shown that it is possible to crte shell that looks like normal text in English.
----------------------------
[=>] Uni proof shell
----------------------------
Modern programs use Uni strings to allow internationalization of text. Often, these programs will convert incoming ASCII strings to Uni before processing them.
Uni strings end in UTF-16 use two bytes to en ch character (or four bytes for some special characters). When an ASCII string is transformed into UTF-16, a zero byte is inserted after ch byte in the original string.
Obscou proved in Phrack 61 that it is possible to write shell that can run successfully after this transformation. Programs that can automatically en any shell into alphanumeric UTF-16-proof shell exist,
based on the same principle of a small self-modifying der that de the original shell.
--------------
[=>] Platforms
--------------
Most shell is written in machine because of the low level at which the vulnerability being ed gives an attacker access to the process.
Shell is therefore often crted to target one specific combination of processor, operating system and service pack, called a platform.
For some s, due to the constraints put on the shell by the target process, a very specific shell must be crted.
However, it is not impossible for one shell to work for multiple s, service packs, operating systems and even processors.
Such versatility is commonly achieved by crting multiple versions of the shell that target the various platforms and crting a hder that branches to the correct version for the platform
the is running on. When executed, the behaves differently for different platforms and executes the right part of the shell for the platform it is running on.
Source -Inj3ct0r
No comments:
Post a Comment