Description: A lot of times we download shellcode from sites like http://shell-storm.org and http://exploit-db.com but have no clue what it does. We believe what the shellcode description says and we are happy to run it. Would you trust a hacker? :) In this video, we look at the first step in how to systematically run and analyze shellcode.
In the course of this video, we will discover that the shellcode in question uses a JMP-CALL-POP technique and uses XOR encoding to hide the real shellcode. We then move on to find the two syscalls it makes, setreuid and execve. Upon analysis of the arguments of the syscalls, we figure out that the shellcode, after decoding itself, runs "/bin/ksh".
Link to Shellcode: http://www.shell-storm.org/shellcode/files/shellcode-809.php
Shellcode Author: https://twitter.com/@egeektronic
Tags: hod, shellcode, xor encoded, setreuid, execve
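As an added example (not code from the page, the video or the shellcode's author): a small C tool that brute-forces a single-byte XOR key from an encoded buffer, the static counterpart to the decode-and-step approach the video takes. The encoded bytes are constructed here ("/bin/ksh" XORed with 0x5A) and are not the bytes of shellcode-809; the "/bin/" marker used for scoring is an analyst's assumption about what the decoded payload contains.

```c
/*
 * Added example, not part of the original page: recover a single-byte XOR
 * key by trying all 256 candidates and scoring each decode.  The sample
 * buffer below is CONSTRUCTED for this demo ("/bin/ksh" + NUL, XORed with
 * 0x5A); it is not the real shellcode-809 payload.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Score a candidate plaintext: number of printable bytes (NULs count as
 * padding), plus a large bonus if it contains the "/bin/" marker an analyst
 * expects in an execve-style payload.  Assumption: marker is "/bin/". */
static int score_plaintext(const unsigned char *buf, size_t len)
{
    char tmp[256];
    int printable = 0;
    size_t i;

    if (len >= sizeof tmp)
        len = sizeof tmp - 1;
    for (i = 0; i < len; i++) {
        tmp[i] = buf[i] ? (char)buf[i] : ' ';
        if (isprint((unsigned char)tmp[i]))
            printable++;
    }
    tmp[len] = '\0';
    if (strstr(tmp, "/bin/"))
        printable += 100;
    return printable;
}

/* Try every single-byte key; the best-scoring decode is copied to out
 * (which must hold at least len bytes) and the key is returned. */
int recover_xor_key(const unsigned char *enc, size_t len, unsigned char *out)
{
    unsigned char cand[256];
    int best_key = -1, best_score = -1;
    size_t i;

    if (len > sizeof cand)
        len = sizeof cand;
    for (int key = 0; key < 256; key++) {
        for (i = 0; i < len; i++)
            cand[i] = enc[i] ^ (unsigned char)key;
        int s = score_plaintext(cand, len);
        if (s > best_score) {
            best_score = s;
            best_key = key;
            memcpy(out, cand, len);
        }
    }
    return best_key;
}

/* Constructed sample: "/bin/ksh\0" XORed with 0x5A. */
static const unsigned char sample_enc[] = {
    0x75, 0x38, 0x33, 0x34, 0x75, 0x31, 0x29, 0x32, 0x5A
};

/* Helpers over the constructed sample: recovered key, and whether the
 * decode is exactly "/bin/ksh". */
int sample_key(void)
{
    unsigned char out[64];
    return recover_xor_key(sample_enc, sizeof sample_enc, out);
}

int sample_decodes_to_ksh(void)
{
    unsigned char out[64];
    recover_xor_key(sample_enc, sizeof sample_enc, out);
    return memcmp(out, "/bin/ksh", 9) == 0;
}

int main(void)
{
    unsigned char out[64];
    int key = recover_xor_key(sample_enc, sizeof sample_enc, out);
    printf("recovered key 0x%02X, decoded: %s\n", key, out);
    return 0;
}
```

The scoring is deliberately simple: for real samples you would extend the marker list (syscall-related strings, "/bin/", "sh") and widen the search to multi-byte keys, but the point is that a single-byte XOR "obfuscation" of the kind the video uncovers falls to a 256-iteration loop before any instruction is executed.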
Root has the euid 0.
root has uid and gid = 0, basically the shellcode is trying to get root privileges on the vulnerable process
More elaboration my friends ....
Counter Question --- Why would a process try to escalate to root? I mean if it was running as a regular user, why would it be given root privilege? :)
See Vivek, after watching the whole video the shellcode basically spawns a root ksh shell. It escalates the privilege to root because root has the highest level of privilege under a *nix system. Just like SYSTEM under the Windows family.
root shell == complete pwnage
Let me ask the question differently:
Let's say I am a regular user on the system (not root and no special privileges) and I run this shellcode, what will happen then? Will I get root via ksh? :)
Nope, you won't because of lack of privileges to setuid the process. That is what I think, correct me if I'm wrong. You'd only get a ksh shell under the context of the user running the process, as the setuid call will fail.
So is there any condition under which a non-root user could get root privs? Because if this not possible, then only root could be root :) so why run this syscall to begin with? :)
Condition can be like there is local privilege elevation vulnerability, so attacker can escalate the privilege and then spawns a root ksh shell ?
Hello Vivek, first, thank you for all of what you have done for us; second, ( : ) ) can you categorize these videos like Megaprimers?
have a nice day.
Isn't shellcode typically used as a payload for say a buffer overflow exploit? The objective is now seen as how do we leverage say a SetUID root executable available to local users or worse remote visitors. But that isn't answering your question. It only rephrases it. That's all I got right now. Shellcode isn't the exploit, it is part of post exploit. The value of shellcode is that it's easier to admin a popped box from a shell prompt than it is by twisting other services to do our bidding.
@pirabog Welcome! The Hack-of-the-Day are meant to be on diverse topics so unless I end up creating at least 10 videos on a common topic, it might not be worthwhile making it into a Megaprimer.
@MaskedPhrogg On the right track and hopefully this should answer everyone's doubts:
http://www.makelinux.net/alp/083
Last and final hint:
securitytube@securitytube-VirtualBox:~/hod/1$ cat poc.c
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#include <stdlib.h>
int main(int argc, char **argv)
{
    printf("Dropping privs ...\n");
    seteuid(113);            /* changes the effective uid only; real and saved uid stay as they were */
    system("/bin/sh");
    printf("Regaining privs ...\n");
    seteuid(0);              /* succeeds only if the saved uid is still 0, i.e. the process started as root */
    system("/bin/sh");
    return 0;
}
securitytube@securitytube-VirtualBox:~/hod/1$ gcc poc.c -o poc
securitytube@securitytube-VirtualBox:~/hod/1$
securitytube@securitytube-VirtualBox:~/hod/1$ whoami
securitytube
securitytube@securitytube-VirtualBox:~/hod/1$ ./poc
Dropping privs ...
$ whoami
securitytube
$ whoami
securitytube
$
Regaining privs ...
$ whoami
securitytube
$
securitytube@securitytube-VirtualBox:~/hod/1$ sudo ./poc
Dropping privs ...
$ whoami
hplip
$ exit
Regaining privs ...
# whoami
root
#
securitytube@securitytube-VirtualBox:~/hod/1$
securitytube@securitytube-VirtualBox:~/hod/1$
you are setting both uids (real+effective) to make sure the spawned shell (execve) will run under root!
cheers
-Ne0-32
Hi All specially you Vivek,
What I think is the first zero is root, the second zero is the return, which is: if zero, do the rest of the shellcode or whatever.
printf("Regaining privs ...\n");
seteuid(0); ------------- "first"
system("/bin/sh");
return 0; ------------ "second"
}
Thank you for response. Have a nice day.
Would this shellcode not be used as an exploit against a vulnerable program that was run setuid root? Even if the program dropped privileges, the shellcode could spawn a shell as the root user, e.g. uid 0.
I have bought the SLAE course but this is really a joke. You have to download 7gb of files and the download speed is 21,3 kb.
If the support doesn't give me a faster link I highly recommend you guys don't buy this. It is really really slow.
My internet connection at home is 32000 and what they have sent is really a joke.
X0rCodex, what's the big rush? Just leave it to download for a few hours and do something else. I've been looking through the downloads today, and I think, for $99 there is a lot of work, by our favorite hacker, gone into this. It will take you a lot longer to watch, follow and understand than the few hours the download takes ;-)
There ya go biggles. That's what I was getting at earlier. If you can inject the shellcode as a buffer overflow against a SetUID 0(root) binary then you can spawn a superuser shell as a local user.
Thanx for the feedback Vivek. I had seen curious behaviour in the past with regards to running with root privs. There were times when some programs could still tell I wasn't really root. Now I understand better why. Sudo even leaves additional evidence in the environment by way of variables such as $SUDO_USER and $SUDO_UID that should probably be checked for when hardening binaries for use by legitimate root as opposed to just some admin with sudo privs :-) As the example/explanation you linked to shows, leaving setuid root binaries laying around is rarely a good idea.
There are rather a lot of these suid root programs on the average system too......
sudo find / -type f -perm +6000 -exec ls -l {} \; | less will list them. Can we inject this shellcode into some of them :-)
@X0rCodex Not sure where you are located but I downloaded it quite fast in the US. The link shows it's Amazon S3, which is quite fast. It's not on their servers. I've seen a bunch of the videos and they are fantastic. Other companies would have charged $2k - $3k for this material.
Patience is a virtue. Vivek has always given out fantastic material and to doubt his intentions would be wrong :) Try in sometime and you should get a good download.
Btw, regarding the questions asked - I think if we have a daemon which drops its privs from root to a normal user, then it can again call setreuid(0) to become root again. So if we exploit the daemon then once we get our shellcode in there, we can do this first and then call execve(/bin/sh) to get a root shell.
Vivek has given the final hint so unlikely he might respond here but looking at his example code, I think this is the right solution.
What do you guys think?
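To put the poc.c above and the daemon scenario in the comment just above into code, here is an added example (not from the page, the video or its author) contrasting a temporary privilege drop via seteuid(), which leaves the real and saved uid at 0 and so can be undone by a later seteuid(0)/setreuid(0,0), with a permanent drop via setresuid() on all three uids. It assumes Linux/glibc (setresuid()/getresuid() need _GNU_SOURCE) and, when run as root, uses uid 65534 as an assumed unprivileged target; run as an ordinary user it drops to your own uid and confirms root cannot be regained.

```c
/*
 * Added example, not part of the original page: temporary vs. permanent
 * privilege drop.  Assumes Linux/glibc; 65534 ("nobody" on many distros)
 * is an ASSUMED target uid used only when running as root.
 */
#define _GNU_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Temporary drop, as in poc.c: only the effective uid changes.  The real
 * and saved uid keep their old value, so if they were 0 the process (or
 * shellcode running inside it) may later call seteuid(0)/setreuid(0,0). */
int drop_privs_temporarily(uid_t target)
{
    return seteuid(target);          /* 0 on success, -1 on failure */
}

/* Permanent drop: real, effective and saved uid all become target, so the
 * kernel has nothing left to regain root from.  Verified via getresuid()
 * rather than trusting the return value alone. */
int drop_privs_permanently(uid_t target)
{
    uid_t r, e, s;

    if (setresuid(target, target, target) != 0)
        return -1;
    if (getresuid(&r, &e, &s) != 0)
        return -1;
    return (r == target && e == target && s == target) ? 0 : -1;
}

/* Returns 1 if the process can still become euid 0, 0 if it cannot.
 * If the attempt succeeded, the previous euid is restored afterwards. */
int can_regain_root(void)
{
    uid_t before = geteuid();

    if (seteuid(0) != 0)
        return 0;
    if (before != 0)
        seteuid(before);
    return 1;
}

/* Pick a drop target that makes sense for the current user: our own uid if
 * we are not root (setting uids to their current value is always allowed),
 * otherwise the assumed unprivileged uid 65534. */
uid_t choose_drop_target(void)
{
    return getuid() != 0 ? getuid() : (uid_t)65534;
}

int main(void)
{
    uid_t target = choose_drop_target();

    printf("temporary drop to uid %u: %s, can regain root: %d\n",
           (unsigned)target,
           drop_privs_temporarily(target) == 0 ? "ok" : "failed",
           can_regain_root());

    printf("permanent drop to uid %u: %s, can regain root: %d\n",
           (unsigned)target,
           drop_privs_permanently(target) == 0 ? "ok" : "failed",
           can_regain_root());
    return 0;
}
```

Run as root, the first line reports that root can be regained after the temporary drop and the second that it cannot after the permanent one; that difference is exactly the window the setreuid(0,0)-then-execve shellcode relies on, and the hardening point from the linked makelinux chapter.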
Sounds about right to me John. Looks as though he is starting off as user hplip (I think this is a HP printer admin account) so it may do stuff with root priv. This account has shell set to /bin/false though. Did he su to this from root?? I'll have a play around with this...
Hi all again,
Now I know :), means root anyhow.
seteuid(113); ------------- "first" set to 0
system("/bin/sh");
printf("Regaining privs ...\n");
seteuid(0); ------------ "second"
system("/bin/sh");
return 0;
}
For people like me, respect..!
http://refspecs.linux-foundation.org/LSB_3.2.0/LSB-Core-generic/LSB-Core-generic/usernames.html
http://www.yolinux.com/TUTORIALS/LinuxTutorialManagingGroups.html
Now I have the full course :) At first my download link was very slow. I decided to contact Vivek. I really must say this is the best support which I have seen :) He fixed the download link very fast :) I really appreciate Vivek and the support. They are very very friendly and they answer all your emails within 5 minutes :) They always have fast solutions if you have any problems :) 99,9 % you will not have a problem with the download link. I think the download link was overloaded.
Now I enjoy the full course.
@Vivek Another great video....just awesome...
If you make a megaprimer over Network monitoring...helping people to make the whole concept very clear....
Thanks for sharing your knowledge...
Great video Vivek!
What if I have a different shellcode, could this shellcode be 64-bit, and how does gdb handle this, or how can I recognize it? Because when I try to disassemble it (generate assembly code)
it looks different from what I get when I try it the way Vivek did in this Hack of the Day video (untrusted shellcode).
Can somebody help me please
Many thanks
Good Job.. Shared this
http://iadhyan.com/securitytube-hacking-and-computer-security-tutorials/