-
Notifications
You must be signed in to change notification settings - Fork 45
/
Jumping-to-Shellcode
137 lines (97 loc) · 4.62 KB
/
Jumping-to-Shellcode
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
Source: https://www.abatchy.com/2017/05/jumping-to-shellcode.html
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
1. JMP/CALL register
Conditions:
- A register points to shellcode.
Example:
[Register] → [Shellcode]
EIP → JMP/CALL [register]
EIP now points to [register] where shellcode.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
2. POP RET / POP POP RET / POP POP POP RET
Condition:
- Address at [ESP+4], [ESP+8], [ESP+12] (and so on) points to address to shellcode OR directly to shellcode.
Example 1:
[ESP] → [4 bytes][Address to shellcode].
EIP → POP [register] followed by RET.
POP [register]: ESP now points to old_ESP + 4
RET: EIP now contains address to shellcode.
EIP now points to shellcode.
Example 2:
[ESP] → [8 bytes][Address to JMP ESP][shellcode].
EIP → POP [register] followed by POP [register] followed by RET:
POP [register], POP [register] will get rid of 8 bytes, new ESP → old ESP + 8 (Address to JMP ESP)
RET places address to JMP ESP in EIP and now ESP now points to shellcode.
JMP ESP: EIP now contains ESP
EIP points to current ESP value which points to start of shellcode.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
3. PUSH RET
Condition:
- A register points to shellcode and can’t/don’t want to use method 1.
Example:
[Register] → [Shellcode]
EIP → PUSH [register], followed by RET
Stack will first push register, then pop it to EIP.
EIP now points to shellcode.
Pros:
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
4. JMP [register + offset]
Condition:
- A register + offset points to shellcode.
Example:
[Register] → [Shellcode]
EIP → JMP [register + offset]
EIP will point to [register + offset] where the shellcode starts.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
5. Blind return
5. Blind return
Condition:
- Shellcode is always loaded to the same address.
- Address doesn’t contain a null byte.
- You control at least the first 4 bytes at [ESP]
Example:
Shellcode is always at 0xdeadbeef
Since you control the first 4 bytes at ESP, put 0xdeadbeef at ESP.
By pointing EIP to a RET, address at ESP will be popped to EIP.
EIP now points to address 0xdeadbeef where the shellcode starts.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
6. POPAD
Condition:
- Shellcode is located at [ESP + 32x + offset]
- Enough controllable space to execute POPAD y times then JMP ESP.
Example:
[ESP + 240] → [Shellcode]
[ESP + 32 * 7] → [NOP sled]
[ESP] → POPAD 7 times followed by JMP ESP`
EIP → [JMP ESP]
EIP will execute POPAD 7 times, ESP = old_ESP + 224
EIP goes over NOP sled
EIP after executing NOP sled, it will point to [ESP + 240] where the shellcode starts.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
7. Short jumps (backwards, forwards, conditional)
Condition:
- Shellcode is located at [ESP + offset] where -128 < offset < 127.
Example:
[ESP + 30] → [Shellcode]
[ESP] → JMP 30
EIP → [JMP ESP]
EIP will execute a short JMP
EIP will point to [ESP + 30] where the shellcode starts.
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------
8. Hardcoded address
Condition:
- Shellcode is always located at specific address.
Example:
0xdeadbeef → [shellcode]
EIP → JMP ESP
ESP → JMP 0xdeadbeef
---------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------