Summary
1. Several approaches to remote shellcode
2. Problems and advantages of reusing the current connection
3. Win32 platform-specific implementation
4. Linux x86 platform-specific implementation
5. AIX PowerPC platform-specific implementation
**Implementation introduction**
**1. Several approaches to remote shellcode**
1.1 Listening on a port
1.1.1 Listening on a new port
1.1.2 Reusing the original port
1.1.2.1 Port multiplexing
1.1.2.2 Re-binding
1.2 Reverse connection
1.3 Reusing the currently connected SOCKET
1.3.1 The IIS ECB structure
1.3.2 getpeername
1.3.3 fcntl to set the socket state
1.3.4 ioctl (Linux/Unix) and ioctlsocket (Win32)
1.3.5 Using OOB features
1.3.6 Hooking the system recv call
Reuse the current connection technology description
**2. Problems and advantages of reusing the current connection**
2.1 Bind shell
On Unix the SOCKET can be used directly as the input and output handles of "/bin/sh". Under Win32, socket() implicitly sets the overlapped flag, so the SOCKET it creates is an overlapped socket; cmd.exe's stdin, stdout and stderr cannot be redirected to it directly, and data can only be passed to the cmd.exe process through a pipe. Winsock recommends overlapped sockets, so in practice pipes are used wherever possible. A SOCKET created with WSASocket() is non-overlapped by default, and cmd.exe's stdin, stdout and stderr can be redirected to it directly.
2.2 Finding the SOCKET in a multi-threaded environment
-=-=-=-=-=- start sample code -=-=-=-=-=-=-
s = WSASocket(2, 1, ...)       /* AF_INET, SOCK_STREAM */
bind(s, ...)
listen(s, ...)
s2 = accept(s, ...)            /* blocks until a client connects */
-=-=-=-=-=- end sample code -=-=-=-=-=-=-
While s is in the accept state, any network function operating on s will block until a connection is established. So first test the handle with WaitForSingleObjectEx: for s in the accept state it returns WAIT_TIMEOUT, whereas a usable handle returns WAIT_OBJECT_0. Then use ioctlsocket/recv to decide whether it is the currently connected socket.
2.3 Advantages
Reusing the current connection is relatively covert; moreover, on Win32, where cmd.exe is bound through a pipe, the data exchanged with the server can be XOR-encoded to further evade IDS detection. Shellcode that only finds the SOCKET can be written fairly short: once the SOCKET is found, it can receive a further, more complex piece of shellcode into a buffer and jump into it. That subsequent shellcode has no character or length restrictions; it can even receive a DLL file to implement more complex functions.
Win32 platform-specific implementation
**3. Win32 platform-specific implementation**
3.1 Port multiplexing implementation
Port-reuse shellcode requires the service to be bound to the 0.0.0.0 address without the SO_EXCLUSIVEADDRUSE option.
For a client-side attack, the server's specific IP and port must be written into the shellcode.
The shellcode executes:
setsockopt(s, 0xFFFF, 4, &d, 4);   /* SOL_SOCKET (0xFFFF), SO_REUSEADDR (4); d must be non-zero to enable it */
bind(s, &sockaddr, 0x10);          /* sockaddr holds the server's specific IP and port */
Running netstat -na on the server then shows two bindings for the same port, one on 0.0.0.0 and one on the specific IP. If the server is in a NAT environment there may be problems.
3.2 Re-binding the original port: implementation
CreateProcess() creates a process in suspended mode. GetThreadContext() obtains the thread's context structure and register information. VirtualAllocEx() allocates memory in that process. WriteProcessMemory() writes the shellcode instructions into the space just allocated. SetThreadContext() is then used to set the EIP obtained from GetThreadContext() to the address of the memory allocated by VirtualAllocEx(). ResumeThread() resumes the suspended process. TerminateProcess(-1, 0) terminates the current process, and the new process loops binding the original port.
3.3 Finding the socket with getpeername
Before sending the attack string, the client uses getsockname to obtain its socket's local information and writes it into the shellcode. The server-side shellcode searches socket values starting from 1 and incrementing, using getpeername to obtain each socket's remote information. When the two match, the socket is considered found, the loop exits and the shell is bound to this socket. There is a big limitation: if the client is in a NAT environment, the socket information obtained by getsockname on the client and by getpeername on the server is not necessarily consistent, so the search fails.
3.4 Finding the socket by string matching
After sending the attack packet, the client sends a string of a few bytes. The server-side shellcode increments the socket value, tries to receive that many bytes from each one and checks whether they match the string, to decide whether it is the currently connected socket. This avoids getpeername's restriction in NAT environments. In a multi-threaded environment it is easy to hit the socket that is in accept, and in general a network function on it will block until a connection is established. flier mentioned handling this with WaitForSingleObjectEx: a socket in accept returns WAIT_TIMEOUT, while a usable handle returns WAIT_OBJECT_0.
The lookup process is as follows:
while (1)
{
    i++;                                           /* try the next handle value */
    ret = WaitForSingleObjectEx((HANDLE)i, 10, 1); /* a socket blocked in accept returns WAIT_TIMEOUT */
    if (ret != 0) continue;                        /* 0 == WAIT_OBJECT_0 */
    ret = ioctlsocket(i, FIONREAD, &ul);           /* how many bytes are waiting to be read */
    if (ret != 0 || ul != 4) continue;             /* not a socket, or not exactly the 4-byte marker */
    recv(i, buff, 4, 0);
    if (*(DWORD *)buff == 'Xc0n') goto shell;      /* the agreed marker string */
}
bkbll found in testing that if, after accept, the user calls getsockname on the handle created by socket(), a subsequent WaitForSingleObjectEx on it returns WAIT_TIMEOUT (0x102).
3.5 Hooking the system recv call
Use VirtualProtect to make the first 5 bytes of the real recv function writable. Overwrite the start of the real recv with an instruction that jumps to the new recv function. In the new recv function, first restore the 5 original bytes, call the real recv to perform the operation the system would have done, then write the jump to the new recv back into the first 5 bytes of the real recv. Compare the received data with the agreed string; if it matches, bind a cmd.exe, otherwise jump to the return address on the stack so the system continues its original flow. This method can bypass RPC-like mechanisms and makes it possible to locate the connection's socket again.
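An added example from the defender's side, not code from the original slides: a prologue integrity check that detects the 5-byte JMP an inline hook of the kind described above leaves at the entry of a function such as recv. The byte patterns, the load address and the clean reference copy are constructed; a real check would read the clean bytes from the on-disk module image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_LEN 5   /* E9 + 4-byte relative displacement */

/* Returns 1 and stores the jump destination in *target when the bytes at
 * entry form "JMP rel32"; returns 0 otherwise. entry_addr is the address
 * the bytes live at, since the displacement is relative to the next insn. */
int decode_jmp_rel32(const uint8_t *entry, uintptr_t entry_addr, uintptr_t *target)
{
    int32_t rel;
    if (entry[0] != 0xE9)
        return 0;
    memcpy(&rel, entry + 1, sizeof rel);   /* little-endian displacement */
    *target = entry_addr + HOOK_LEN + (intptr_t)rel;
    return 1;
}

/* Returns 1 when the live prologue differs from the clean reference copy. */
int prologue_modified(const uint8_t *live, const uint8_t *clean)
{
    return memcmp(live, clean, HOOK_LEN) != 0;
}

/* Constructed sample data: a common x86 prologue (mov edi,edi; push ebp;
 * mov ebp,esp) and the same entry after a JMP to base+0x1000 was written. */
const uint8_t demo_clean[HOOK_LEN]  = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };
const uint8_t demo_hooked[HOOK_LEN] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };
const uintptr_t demo_base = 0x71AB0000u;   /* assumed load address of recv */

/* Destination of the hook found at the demo entry, 0 if none is detected. */
uintptr_t demo_hook_target(const uint8_t *live)
{
    uintptr_t t = 0;
    return decode_jmp_rel32(live, demo_base, &t) ? t : 0;
}

int main(void)
{
    if (prologue_modified(demo_hooked, demo_clean))
        printf("recv entry patched: JMP to 0x%lx\n",
               (unsigned long)demo_hook_target(demo_hooked));
    return 0;
}
```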
3.6 Implementing file upload and download
The client and the shellcode must cooperate tightly. Uploading a file requires the client to open and read the file and send it to the server, where the shellcode creates and writes the file. Downloading a file requires the server-side shellcode to open and read the file and send it to the client, which creates and writes the file. Because the connection is non-blocking, during an upload the server-side shellcode must check whether the socket has data to receive; if not, it closes the handle and carries on with the subsequent flow. During a download the client must check whether the socket has data. Both select and ioctlsocket can do this: select is relatively complex to implement in assembly, while ioctlsocket requires the send buffer block to be larger than the receive buffer block.
The client and the server-side shellcode can XOR the transmitted data with an agreed key. Since cmd is bound through a pipe, the interactive commands are encoded as well, which further improves concealment and evades IDS detection.
Linux x86 platform specific implementation
**4. Linux x86 platform-specific implementation**
4.1 fcntl to set the socket state
scz was the first to use this method; the basic idea is as follows:
while (1)
{
    i++;                                           /* try the next descriptor */
    oldflags = fcntl(i, F_GETFL, 0);
    fcntl(i, F_SETFL, oldflags | O_NONBLOCK);      /* so read() does not block on an idle socket */
    n = read(i, buf, 4);
    fcntl(i, F_SETFL, oldflags);                   /* restore the original flags */
    if (n == 4 && memcmp(buf, "Xc0n", 4) == 0) goto shell;   /* the agreed 4-byte marker */
}
4.2 Using OOB features
bkbll was the first to use this technique. In Berkeley socket implementations, reading OOB data generally does not block, and the search goes roughly as follows:
while (1)
{
    i++;                                           /* try the next descriptor */
    n = recv(i, buf, 1, MSG_OOB);                  /* flag 1 == MSG_OOB: read the out-of-band byte */
    if (n == 1 && buf[0] == 'I') goto shell;       /* the agreed marker byte */
}
On Unix/Linux this method is simple and effective.
4.3 Using some characteristics of the ioctl function
The FIONREAD ioctl reports how much data can be read from a handle and generally does not block. The routine for finding the socket is as follows:
while (1)
{
    i++;                                           /* try the next descriptor */
    if (ioctl(i, FIONREAD, &ul) != 0) continue;    /* not a readable descriptor */
    if (ul != 4) continue;                         /* expect exactly the 4-byte marker */
    read(i, buf, 4);
    if (memcmp(buf, "Xc0n", 4) == 0) goto shell;   /* the agreed marker string */
}
4.4 Implementing file upload and download
Similar to the Win32 implementation, except that on Linux/Unix there seems to be no need to bind /bin/sh through an extra pipe, so the shell's interactive data cannot be encoded. Covertness may therefore be poorer.
AIX PowerPC specific implementation
**5. AIX PowerPC platform-specific implementation**
The cache mechanism: instruction cache and data cache.
PowerPC self-modifying code follows these steps:
Store the modified instruction.
Execute a dcbst instruction to force the cache line containing the modified instruction to be stored to memory.
Execute a sync instruction to ensure the dcbst has completed.
Execute an icbi instruction to invalidate the instruction cache line that would hold the modified instruction.
Execute an isync instruction to clear all instructions from the instruction pipeline, since those instructions may have been fetched before the cache line was invalidated.
The modified instruction can now be run: when it misses in the instruction cache, the modified instruction is fetched from memory.
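The steps above as a C helper, added here and not taken from the original slides. The PowerPC cache instructions are only emitted when compiled for PowerPC (elsewhere the compiler builtin is used so it still builds), and CACHE_LINE is an assumed line size that on a real machine must be read from the system; the line-range arithmetic also covers a range that does not start or end on a line boundary.

```c
#include <stddef.h>
#include <stdint.h>

#define CACHE_LINE 128   /* assumption: query the real line size at runtime */

/* Number of cache lines covering [addr, addr+len). Both ends are rounded
 * to line boundaries; otherwise the last partially covered line is missed
 * and a stale instruction may still be fetched from it. */
size_t cache_lines_to_flush(uintptr_t addr, size_t len, size_t line)
{
    if (len == 0)
        return 0;
    uintptr_t first = addr & ~(uintptr_t)(line - 1);
    uintptr_t last  = (addr + len - 1) & ~(uintptr_t)(line - 1);
    return (last - first) / line + 1;
}

/* Make freshly written instructions in [code, code+len) visible to fetch:
 * dcbst pushes the modified data to memory, sync waits for it, icbi drops
 * the stale instruction cache line, isync discards already fetched insns. */
void flush_modified_code(void *code, size_t len)
{
#if defined(__powerpc__) || defined(__powerpc64__)
    size_t n = cache_lines_to_flush((uintptr_t)code, len, CACHE_LINE);
    uintptr_t p = (uintptr_t)code & ~(uintptr_t)(CACHE_LINE - 1);
    for (size_t i = 0; i < n; i++, p += CACHE_LINE)
        __asm__ volatile("dcbst 0,%0" : : "r"(p) : "memory");
    __asm__ volatile("sync" ::: "memory");
    p = (uintptr_t)code & ~(uintptr_t)(CACHE_LINE - 1);
    for (size_t i = 0; i < n; i++, p += CACHE_LINE)
        __asm__ volatile("icbi 0,%0" : : "r"(p) : "memory");
    __asm__ volatile("isync" ::: "memory");
#else
    /* Other targets: let the compiler emit whatever its ABI requires. */
    __builtin___clear_cache((char *)code, (char *)code + len);
#endif
}
```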
Some AIX versions have no cache management instructions.
The simple solution is to trigger a system interrupt after the self-modification; on return, the self-modified instructions execute correctly.
This makes decoding of the shellcode possible and lays a good foundation for implementing complex shellcode.
5.1 Using OOB features
Similar to the Linux x86 implementation.
Difficulties:
System call numbers differ between AIX versions, so the shellcode is not portable across them.