Shellcode Steganography Techniques

The document discusses 'Punk Ode', a method for embedding shellcode within image files using techniques like steganography and NOP sled generation. It covers the history of shellcode, the technical details of embedding in various image formats (PNG, JPEG), and the implications for security and IDS evasion. The presentation also includes practical applications and a demo of the tools used in this process.

Punk Ode

Hiding Shellcode in Plain Sight

Greg MacManus
Researcher of stuff, iDefense Labs

Michael Sutton
Director, iDefense Labs

Contains VeriSign Confidential and Proprietary Information


Agenda
+ Background
_ Shellcode history

+ What is Punk Ode?
_ NOP sled generator++
_ Shellcode steganography
_ Image encoder with shellcode integrity checking

+ Embedding shellcode in image files
_ PNG images
_ JPEG images
_ Other miscellaneous details

+ Demo
_ NOP-Palette
_ The other tool

+ (Im)practical applications
_ Efficient NOP sled generation
_ Bypass active scripting requirement
_ IDS evasion

+ Other file formats
_ Sound files
_ Video files
_ Office documents
_ Text files?

Shellcode History – Trivial Overflows

+ In the beginning there were trivial command line or environment variable overflows
+ The First Exploit Code (for a lot of people)
_ Smashing the stack for fun and profit – Aleph1
– Find a command-line overflow in a setuid root program
– Put a long string, the return address, a NOP sled and the shellcode into an environment variable (EGG) and spawn a shell.
– Run “./vulnerable-program $EGG”
– Profit!

+ Even trivial exploits were not quite trivial
_ As everyone knows from the Aleph1 paper, shellcode cannot have null bytes because it would terminate the string.
– So the shellcode has to be carefully written to avoid them.
– Or you could just use Aleph1’s code. (Results 1-10 of about 11,800 for Aleph1 shellcode.)

Smashing the Stack – without removing null bytes

+ Let’s look a little harder at those assumptions.
_ The shellcode is put in a string.
• A pointer to a null byte is a 0-length string.
_ The string is stored in the environment - an array of strings
• A sequence of char*, terminated by a null pointer.
_ The whole environment is passed to the program
• Not just the shellcode, all strings in the environment.
_ Can this ‘exit(1)’ shellcode be passed in the environment?
C7C0 01000000: mov $0x1,%eax
C7C3 01000000: mov $0x1,%ebx
CD80: int $0x80

The slide’s test program: it execve()s itself with a hand-built environment in which the empty strings supply the null bytes of each 32-bit immediate.

#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    char *env[32];
    int i = 0;
    if (getenv("XXX")) abort();   /* the re-executed copy stops here so environ can be inspected in gdb */
    env[i++] = "XXX=";
    env[i++] = "\xC7\xC0\x01";    /* mov $0x1,%eax: C7 C0 01 + the string terminator 00 ... */
    env[i++] = "";                /* ... each empty string adds one more 00 ... */
    env[i++] = "";                /* ... giving C7 C0 01 00 00 00 */
    env[i++] = "\xC7\xC3\x01";    /* mov $0x1,%ebx: C7 C3 01 00 00 00 */
    env[i++] = "";
    env[i++] = "";                /* the slide text as extracted shows only one empty string here; the 6-byte spacing in the gdb output below needs two */
    env[i++] = "\xcd\x80";        /* int $0x80 */
    env[i++] = 0;                 /* null pointer terminates the environment array */
    execve(argv[0], argv, env);
    return 1;
}

(gdb) r
Starting program: /tmp/x
Reading symbols from shared object read from target memory...done.
Loaded system supplied DSO at 0xb7f76000

Program received signal SIGABRT, Aborted.
0xb7f46402 in ?? ()
(gdb) x/3i environ[1]
0xbfa45fe6: mov $0x1,%eax
0xbfa45fec: mov $0x1,%ebx
0xbfa45ff2: int $0x80
(gdb) # so it looks like you can store shellcode with nulls in the environment.

_ Read the supplied environ(5) manpage carefully: “The variable environ points to an array of strings called the ‘environment’. … By convention these strings have the form ‘name=value’.”
• Convention means it’s just an agreement; nothing is forcing it to have this form.

Shellcode History – cont’d

+ The previous trick is probably not all that useful now.
_ Non-executable stack and ASLR are becoming more common.

+ Some other limitations of using the environment or command line
_ Remote vulnerabilities
– Difficult to get the remote server to start with $EGG in the environment
• But there are CGI programs
– Limited buffer sizes
• How small can you make your shellcode?
_ Not just null bytes to worry about.
– More restricted characters as you look at more targets.
– No newlines, no spaces, no tabs, no commas, no colons, no semi-colons, no equals, no high bits, no control characters at all.
• Write special shellcodes by hand for each special case!
– Hard work
_ IDS evasion
– As more people learned about the techniques, people started wanting to know how they were getting owned.

More Advanced Shellcode

+ Shellcode now is much more advanced than executing /bin/sh
_ E.g. Metasploit 2.5 contains 25 different payloads and 9 encoders for Win32, from simply executing a command to injecting a VNC server into a remote process.
– According to the schedule HD is actually talking in another room about the latest version of Metasploit right now. And you are missing it.

+ Automatic shellcode generation.
_ Most use decoder stubs which extract and call the actual code
– XOR encoding
– Alphanumeric shellcode
– Unicode shellcode
_ NOP-sled generators
– to avoid IDS NOP-detection.
• If you see 1000 0x90 characters in a row go to your server, it may be part of an exploit.

What is Punk Ode?
+ Punk Ode = Pun Code
_ pun (n)
1. A play on words, sometimes on different senses of the same word and sometimes on the similar sense or sound of different words.
_ Exploits the von Neumann architecture
– Data and code are indistinguishable to the computer
– The meaning of a sequence of bytes is dependent on context
• If you throw them at the screen, they become pixels
• If you make the computer jump into them, they become code

$ cat hello-von-Neumann.c
#include <stdio.h>
int main(int argc, char *argv[])
{
    printf("Hello, von Neumann architecture!\n");
}
$ cc -o hello-von-Neumann hello-von-Neumann.c
$

The [Link] binary embedded in an image.

What is Punk Ode?

+ Pun code
_ Punk Ode (n)
– A play on bytes.
_ It makes images which are visual puns
• Entirely comprised of a NOP-sled and shellcode.
• Load directly into your web browser
– PNG, GIF or JPEG format
• They look pretty much like normal pictures.
– Only slightly(*) more work than embedding the
shellcode in a large image file to get it in memory
• Not just a theory.
– Actual working exploits have been tested using this
method.

Proto-punk Ode – Way back in ‘02
+ First stage of research was many years ago
_ Making huge, compressed NOP-sleds.

+ Owning Netscape 6 for Fun and Profit
_ Netscape Bug Bounty
– $US1000 for code execution bugs.
– This motivated the initial research.
_ An early attempt
– The colored stripes are shellcode, other parts are “\xeb\x40” repeated.
– If you saw this you would know ‘something is odd’.
A section of the NOP-sled/shellcode file from an exploit for the ‘jar’ bug reported here: [Link]

Proto-punk Ode – The original motivation

+ The main question the initial version was written to answer was:
_ “How can I find my shellcode?”
_ The internal state of a web browser could be pretty much anything at the time the victim was exploited.
– Multiple things going on
• Handling user input, drawing the interface, downloading images, webpages, updating cache files, executing JavaScript, helper applications, creating and destroying objects, checking mail and newsgroups.
– The heap was in an unknown state.
• How long ago did they start the program? How many windows are open?
_ If only there was a way to make the program allocate a huge amount in a fixed location…
– malloc(size) used an mmap()ed chunk over a certain size value.
– For large enough values, it was almost always in a predictable range
_ The only thing left was working out how to put shellcode in that range.

Punk Ode - Psychophysics

+ Exploits the way people look at things
– The eye is very forgiving of certain types of display errors.
• Relative brightness is more important than absolute.
• Slight change in a color over space may be ok.
• A little ‘noise’ may be ok.
• Certain colors can be changed more than others.
– Brighter colors can have more variation from the original values and still look ok.

How are images stored?

+ 2D image = 1D array of bytes

+ Color encoding
_ Grayscale
_ RGB
_ CMYK
_ YCrCb
_ Indexed

+ Compression
_ None – e.g. Raw BMP
_ Lossless – e.g. PNG (zlib deflate compression, like gzip/pkzip)
_ Lossy – e.g. JPEG (psychophysics using the discrete cosine transform)

+ File in memory
_ Decompression results in 1D array in memory

Punk Ode – PNM
+ PNM (Netpbm superformat)
_ PBM – Portable Bitmap
– 1 bit per pixel
_ PGM – Portable Graymap
– 8 bit per pixel (grayscale)
_ PPM – Portable Pix Map
– 24 bit per pixel

+ Very simple image format
+ Easy to process and generate
_ Used as intermediate format for Punk Ode
+ Many open source utilities
_ Netpbm ([Link])
+ Punk Ode
_ Makes extensive use of this format.

Contents of a PPM format image file (the 4th line is the image data):
P6
3 2
255
!!~!~!~!!~~!~!~!~~

[Figure: how the above PPM format image file displays (enlarged from 3 pixels by 2 pixels)]

Punk Ode – PNG

+ A PNG contains at least
– A PNG header
– An image header
– An image array (compressed with the gzip ‘deflate’ method)
• Each row has an extra byte which does stuff to make the image smaller.
– An image footer.
– Every header (apart from the PNG header) has its CRC-32 stored next to it.

+ Additional relevant features supported by the specification and some viewers.
_ Color correction mappings
– gAMA, cHRM, sRGB, iCCP
_ Transparency/Alpha
– Some programs store 24 bit pixels padded to 32-bit per pixel.
• The extra byte is sometimes for the alpha value.
• If not, you could try writing shellcode which has every 4th byte set to the padding value.

Punk Ode – PNG

+ Example
_ Original image - GIF
– 9KB
_ Converted to PNM, scaled up,
– 115MB
_ Passed through NOP-Palette to add shellcode and converted to PNG
– 1.2 MB

Punk Ode – JPEG

+ More complex
_ JFIF – JPEG Format Image File
_ Joint Photographic Experts Group (JPEG)
– Designed for photographs
• Not appropriate for images with sharp lines and high contrast areas
_ Lossy
– Psychophysics – Removes detail typically unnoticeable by human eye
• Adds complexity for Punk Ode – will mangle shellcode and NOPs
– Changing a value in one location can impact adjacent locations

+ Punk Ode
_ Restricted values used for NOP sled and shellcode
_ ‘Lossy’ shellcode
– Maximize JPEG quality to limit loss
– Shellcode with padding that can be removed without major impact
– Carefully align shellcode
– We have a decoder stub which is ‘JPEG safe’

Punk Ode – JPEG

+ Discrete Cosine Transform (DCT)
_ Breaks image into 8x8 pixel blocks
_ Converts each block from spatial domain to frequency domain
_ Discards those frequencies which don’t contribute ‘much’ to the overall image
_ Subject to rounding errors, therefore even maximum quality JPEG images will experience loss
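To make the rounding-error point concrete, here is an added example (not from the slides or the Punk Ode tools) that models one JPEG block in pure Python: a floating-point 8x8 DCT-II, coefficients rounded to integers as a quantisation table of all 1s would do, then the inverse. It is a simplified model, not libjpeg's integer DCT, and the block contents are constructed.

```python
# Added example: a simplified model of one JPEG block, not libjpeg's code.
import math

N = 8


def _c(k):
    """Normalisation factor used by the JPEG DCT definition."""
    return math.sqrt(0.5) if k == 0 else 1.0


def _cos(i, k):
    return math.cos((2 * i + 1) * k * math.pi / (2 * N))


def dct2(block):
    """Forward 8x8 DCT-II (JPEG definition); pixels are level-shifted by 128."""
    out = [[0.0] * N for _ in range(N)]
    for u in range(N):
        for v in range(N):
            s = sum((block[x][y] - 128) * _cos(x, u) * _cos(y, v)
                    for x in range(N) for y in range(N))
            out[u][v] = 0.25 * _c(u) * _c(v) * s
    return out


def idct2(coef):
    """Inverse of dct2; returns floats, not yet rounded or clamped."""
    out = [[0.0] * N for _ in range(N)]
    for x in range(N):
        for y in range(N):
            s = sum(_c(u) * _c(v) * coef[u][v] * _cos(x, u) * _cos(y, v)
                    for u in range(N) for v in range(N))
            out[x][y] = 0.25 * s + 128
    return out


def roundtrip(block, quantize=True):
    """Decode what an encoder would store. quantize=True rounds every coefficient
    to an integer, which is all a quality-100 quantisation table (all 1s) does."""
    coef = dct2(block)
    if quantize:
        coef = [[float(round(c)) for c in row] for row in coef]
    return [[min(255, max(0, int(round(p)))) for p in row] for row in idct2(coef)]


def bytes_changed(block, quantize=True):
    """How many of the 64 pixel bytes differ after the round trip."""
    rec = roundtrip(block, quantize)
    return sum(1 for x in range(N) for y in range(N) if rec[x][y] != block[x][y])


def max_error(block, quantize=True):
    rec = roundtrip(block, quantize)
    return max(abs(rec[x][y] - block[x][y]) for x in range(N) for y in range(N))


# Constructed block: a hard vertical edge with a little texture, the kind of
# sharp, high-contrast content the slides say JPEG is worst at preserving.
SHARP_BLOCK = [[(255 if y < 4 else 0) ^ ((x * 37 + y * 11) % 13)
                for y in range(N)] for x in range(N)]

if __name__ == "__main__":
    print("changed without quantisation:", bytes_changed(SHARP_BLOCK, quantize=False))
    print("changed with integer coefficients:", bytes_changed(SHARP_BLOCK))
    print("largest per-byte error:", max_error(SHARP_BLOCK))
```

Without the coefficient rounding the transform pair is exact; with it, the per-byte error is bounded (each of the 64 coefficients moves by at most 0.5 and each basis function contributes at most 0.25 per pixel), but whichever bytes land on the wrong side of a rounding boundary come back changed, which is why byte-exact content cannot be assumed to survive even at maximum quality.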

Punk Ode – Windows Byte Order

+ In memory, Microsoft often stores images in BGR (blue, green, red) byte order instead of RGB, which is utilized by most image formats

+ Punk Ode must account for this by flipping the red and blue components of the shellcode and multi-byte NOPs

+ Internet Explorer handles images this way
_ This adjustment is trivial for simple formats such as PNM and PNG
_ This is a significant adjustment for complex formats such as JPEG
– Separate JPEG decoder stub created to handle this

Punk Ode – Color mapped Files

+ Indexed file format (e.g. GIF)
_ Byte array stores pointers to a color map
_ Limits the number of colors that are available

+ Punk Ode
_ Limited color map also restricts values that can be used for shellcode and NOPs
_ By changing the order of the color map, you can change the contents of the file when compressed without impacting the structure of the image when uncompressed
– This provides a trivial IDS evasion technique
• Similar to Metasploit’s WMF httpd using gzip transfer encoding.

What about vector based images?

+ Vector based image formats
_ For example: SVG, WMF, CDR
_ Based on lines, curves and filled areas instead of dots
_ Almost everything described in this talk could work with vector graphics.
– Vector graphics aren’t as widely supported as raster images currently are.
• MS06-001 – WMF AbortProc() exploitation used a helper application.
– Depending on the type of file and the viewing application, it may not even be rendered to memory which is accessible
• EMF and WMF for example do not appear to be rendered to a memory buffer in the Windows Picture and Fax Viewer, but instead seem to only use the GDI interface to handle display.
– Shellcode could still be put inside a file, crafted in such a way as to still render correctly.
• Could be put into an embedded image file within a WMF file.

Punk Ode – How the tools relate to the process

+ Punk Ode is a collection of scripts, programs and methods
_ Start with a PNM base image
– This is what we want our shellcode to resemble
_ Convert to NOPs and add the shellcode
– The tool NOP-Palette
• No promises, but a version producing better looking images at the cost of extra processing is in development.
– The Other Tool
• This is for JPEG tricks.
_ Convert to final image type
– PNG
• Netpbm tool ‘pnmtopng’
– If you’re good, we may integrate some other code into NOP-Palette to do this.
– JPEG
• libjpeg tool cjpeg with special command line options

Punk Ode – Tool Demo

+ NOP-Palette

+ The Other Tool

Punk Ode – Stages

1. Select original image

2. Rescale image
+ Larger images take up more memory

3. Convert image to NOP sled
+ Map each byte of the image to a valid op-code (‘mostly’ NOPs)

4. Embed shellcode
+ Preferably somewhere it is not obvious (e.g. border, noisy area, etc.)

5. Convert this file to the final format
+ Lossy compression formats and other image traits may modify code
+ These modifications can often be accounted for

Punk Ode – NOP Sled

+ The purpose of the NOP-sled is to give the CPU something to do while it’s on its way to the shellcode.

+ Use safe instructions
_ never changes important stuff.
– 0x90 - xchg EAX, EAX
• More commonly known as ‘NOP’.
– 0x42 – inc EDX
• So long as you don’t need the original value of EDX in the shellcode.

+ Unsafe instructions
_ these will usually crash the sled.
– push, pop, call, ret
• all require a usable stack
– Anything which dereferences a register
– Privileged operations

Punk Ode – Byte Frequency Counts

+ The original image – I think he’s a hacker or something.
_ The byte counts show the relative amounts of each color component (the Y-axis) by the intensity of that color component (the X-axis).

[Figures: original image; intensity histogram of original image]

Punk Ode – Spot the difference

+ Comparison of original and 8-bit indexed image
_ Nothing extremely obvious has changed.
_ The histogram has spikes.

[Figures: 256 color optimal palette image; intensity histogram of 256 color image]

Good enough to pass casual inspection?

+ Comparison of original and NOP encoded images
_ His right arm looks like he’s been dumpster diving somewhere nasty.
– The original color values were in a range which contained lots of ‘unsafe’ instructions, and the closest safe ones were chosen.

[Figures: whole image is a NOP-sled; intensity histogram of NOP-sled image – the nearly empty space in the center contains a large number of ‘unsafe’ instructions.]

Punk Ode – Shellcode

+ The previous image was just a NOP-sled


_ We pretty much just changed the palette the image used.
– Also stopped it using too many prefixes and a couple of other things.
_ It’s possible to be more clever making the sled
– The range of op-codes from 0x70 to 0x7f is in the ‘unsafe’ range
• These are jump short instructions, so they could be safe under some
conditions.
– Other tricks based on what you are doing
• Only converting parts of an image
– From offsets in the image, and memory
• Analyzing it as you go may let you
– Force some conditional jumps and not change the skipped
bytes.
– Not modify opcode arguments
• A few other tricks.

+ Shellcode constraints
_ Lossless vs. lossy image compression
– What you see is not always what you got.
– Lossy compression kills shellcode.
• You have to code around it.

Punk Ode –“Lossy Compression Safe” shellcode?

+ Challenge
_ Lossy compression results in loss of information; this can damage instructions (NOPs and shellcode)
– Damage can be non-localized
– Available instructions may be dependent upon instructions several bytes away, or several lines away.
_ Solutions
1. Carefully hand coded shellcode
– Can be done using multiple iterative checks of code, which is time consuming.
– Must adjust shellcode or placement if:
• Output image ≠ Input image
• Shellcode altered
_ Semi-automatic modification is possible, at least for JPEG…
2. Shellcode decoder stub
– Stub decoder uses the 1st approach so that the main shellcode doesn’t have to.

Other file formats –Speculation on the Media

+ Sound
_ PCM encoded WAV files – just like PNM except with sound
_ Other lossless types are somewhere between PNG and GIF
_ MP3 – More like JPEG

+ Video
_ MPEG, AVI
– Most are like JPEG, but harder to understand.
– Lossless types also exist – RLE encoding for example

+ Differences from images
_ These aren’t usually decompressed into memory all at once.
– Bad – perhaps we can’t fill as much memory at once
• Maybe we can… how many frames does it buffer?
– Good – We may not need to have a valid file if it’s big enough
• This isn’t really Punk Ode style though, just using big files.

Punk Ode – Other file formats

+ Office Documents
_ Can store PNG files in them
_ Remember, if you can’t see it, it’s not Punk Ode
– But it still may work.

+ PDF
_ Works great.
_ Easy to inject the code.

+ Text files
_ Wouldn’t it be nice to be able to use alphanumeric shellcode which reads like something in a natural language written by a human?
_ Is it possible?

Punk Ode – (Im)practical applications

+ Why use a big image file?
_ When you can’t control the return address, make the return address valid.
_ Doesn’t require JavaScript like variations on SkyLined’s heap spraying technique.
– His method fills the heap with a long run of 0x0d followed by the shellcode.
– The 0x0d bytes mean 2 (or 3) things, depending on how they are being used
• A 5 byte NOP-like instruction if executed
– OR EAX, 0d0d0d0d
• A valid address (which points to a valid address)
– 0d0d0d0d: 0d0d0d0d ; self-referential pointer
– Many workarounds for vulnerabilities only work around the exploit.
• Disabling JavaScript only stops JavaScript based vulnerabilities
• Doesn’t prevent weird HTML or other file format parsing exploits
– It could prevent an exploit using SkyLined’s shellcode method
– Would not stop Punk Ode method.

Detection/counter-measures/counter-counter-measures

+ Look for big files!
_ Compression is good
– 8192x8192 light gray image with shellcode.
• 192MB uncompressed raw image
• PNG: 83KB, using mod_gzip to transfer it: 1084 bytes

+ Byte Frequency graphs
_ The histograms for the normal images and the NOP-sled image in the examples were totally different.
– Page aligned memory allocation lets you do tricks with relative offsets in the file so, without knowing precisely where in the image you are going to land, you can modify only those areas which are at the right offset modulo the page size.
– The rest of the image can be crafted to cancel out any disturbance from the expected frequencies.
_ Possible counter-counter measure
– Slice up the image and analyze the slices independently
– Look for variations in the variations between slices from different regions.
– A lot of work. Definitely not something to do realtime.
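As an added example (written for this page, not one of the Punk Ode tools), the following Python reads a P6 PPM like the one on the PNM slide, builds the per-channel intensity histograms compared on the "Byte Frequency Counts" and "Spot the difference" slides, and scores how much of the 0..255 range is never used, both for the whole image and per horizontal slice as the counter-counter measure above suggests. The two images and the threshold are constructed for illustration only.

```python
# Added example: not one of the Punk Ode tools. Reads a P6 PPM, builds the
# per-channel intensity histograms and scores unused intensity values.


def parse_ppm(blob):
    """Parse a binary PPM (P6, maxval 255); return (width, height, pixel_bytes).
    Header comments ('#') are not handled."""
    fields, pos = [], 0
    while len(fields) < 4:                      # magic, width, height, maxval
        while pos < len(blob) and blob[pos:pos + 1].isspace():
            pos += 1
        start = pos
        while pos < len(blob) and not blob[pos:pos + 1].isspace():
            pos += 1
        fields.append(blob[start:pos])
    pos += 1                                    # one whitespace byte precedes the data
    if fields[0] != b"P6" or int(fields[3]) != 255:
        raise ValueError("only 8-bit P6 is supported")
    w, h = int(fields[1]), int(fields[2])
    data = blob[pos:pos + 3 * w * h]
    if len(data) != 3 * w * h:
        raise ValueError("truncated pixel data")
    return w, h, data


def channel_histograms(data):
    """256-bin counts for R, G and B from interleaved RGB bytes."""
    hists = [[0] * 256 for _ in range(3)]
    for i, value in enumerate(data):
        hists[i % 3][value] += 1
    return hists


def empty_bin_fraction(hist):
    """Share of the 256 intensity values that never occur in this channel."""
    return sum(1 for n in hist if n == 0) / 256.0


def analyze(blob, slice_rows=8):
    """Empty-bin fraction per channel for the whole image and for each band of rows."""
    w, h, data = parse_ppm(blob)
    whole = [empty_bin_fraction(hist) for hist in channel_histograms(data)]
    slices = []
    for top in range(0, h, slice_rows):
        band = data[top * w * 3:(top + slice_rows) * w * 3]
        slices.append([empty_bin_fraction(hist) for hist in channel_histograms(band)])
    return {"whole": whole, "slices": slices}


def looks_palette_restricted(report, threshold=0.5):
    """Flag an image whose channels leave more than `threshold` of the range unused.
    The threshold is a constructed starting point, not a tuned detector."""
    return max(report["whole"]) > threshold


def make_ppm(w, h, pixel_fn):
    """Build a P6 file from a function (x, y, channel) -> 0..255."""
    data = bytes(pixel_fn(x, y, c) for y in range(h) for x in range(w) for c in range(3))
    return b"P6\n%d %d\n255\n" % (w, h) + data


# Two constructed 64x64 images: a full-range gradient, and one built from a
# 16-value palette (arbitrary values chosen here to mimic a restricted byte set).
NATURAL = make_ppm(64, 64, lambda x, y, c: (x * 4 + y + c * 20) & 0xFF)
PALETTE = [16 * k + 5 for k in range(16)]
RESTRICTED = make_ppm(64, 64, lambda x, y, c: PALETTE[(x + y + c) % 16])

if __name__ == "__main__":
    for name, blob in (("gradient", NATURAL), ("palette", RESTRICTED)):
        print(name, analyze(blob)["whole"], looks_palette_restricted(analyze(blob)))
```

The per-slice list is what the slicing idea above needs: a sled hidden only at page-aligned offsets would show up as bands whose empty-bin fraction differs sharply from the rest of the image.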

IDS – Detecting the shellcode

_ IDS would have to be very fast and very smart. It would need to know:
– What the targeted program is.
– How the targeted program handles that image format
• E.g: gAMA chunks in PNG format images: controls how things brighten as the value increases.
– What is the default gamma value for the target application?
– Will it even read it from the file?
– What if the file is slightly malformed?
– 2 gAMA tags?
– A gAMA tag after the IDAT?
– Does it do it correctly?
• filter:progid:[Link]()?!
– Where does the compositing happen?
– How many files which expand to over 100MB of what could be interpreted as shellcode can your IDS system analyze per second?
_ If the IDS emulates the browser, can the IDS be owned at the same time? ;]
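As an added example (not part of the presentation), a small Python chunk walker that checks what the PNG slide describes and what the questions above ask: the CRC-32 stored next to every chunk, IHDR first and IEND last, more than one gAMA chunk, and a gAMA chunk placed after IDAT. The sample file is constructed inline.

```python
# Added example: not part of the presentation. Walks a PNG chunk by chunk,
# verifies every CRC-32 and reports the structural oddities the slides ask about.
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_chunk(ctype, data):
    """Encode one chunk: 4-byte length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def parse_chunks(blob):
    """Return [(type, data, crc_ok), ...]; raise ValueError on a truncated file."""
    if not blob.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(blob):
        if pos + 8 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        crc_field = blob[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc_field) != 4:
            raise ValueError("truncated %r chunk" % ctype)
        expected = zlib.crc32(ctype + data) & 0xFFFFFFFF
        chunks.append((ctype, data, struct.unpack(">I", crc_field)[0] == expected))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def audit_png(blob):
    """Findings a lenient viewer might silently tolerate: bad CRCs, misplaced or duplicate gAMA."""
    chunks = parse_chunks(blob)
    types = [c[0] for c in chunks]
    findings = []
    if not types or types[0] != b"IHDR":
        findings.append("first chunk is not IHDR")
    if not types or types[-1] != b"IEND":
        findings.append("file does not end with IEND")
    for ctype, _, crc_ok in chunks:
        if not crc_ok:
            findings.append("bad CRC on %s chunk" % ctype.decode("latin-1"))
    gama = [i for i, t in enumerate(types) if t == b"gAMA"]
    if len(gama) > 1:
        findings.append("%d gAMA chunks (spec allows one)" % len(gama))
    if b"IDAT" in types and any(i > types.index(b"IDAT") for i in gama):
        findings.append("gAMA chunk after IDAT (must precede image data)")
    return findings


def sample_png(extra_gama_after_idat=False):
    """Constructed 1x1 8-bit grayscale PNG, optionally with a second, misplaced gAMA."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")         # filter-type byte 0, then one pixel
    body = build_chunk(b"IHDR", ihdr) + build_chunk(b"gAMA", struct.pack(">I", 45455))
    body += build_chunk(b"IDAT", idat)
    if extra_gama_after_idat:
        body += build_chunk(b"gAMA", struct.pack(">I", 100000))
    return PNG_SIGNATURE + body + build_chunk(b"IEND", b"")


if __name__ == "__main__":
    print("clean file:", audit_png(sample_png()))
    print("doctored file:", audit_png(sample_png(extra_gama_after_idat=True)))
```

Whether a given viewer honours the second gAMA, ignores it, or rejects the file is exactly the per-application question the slide raises; the walker only makes the anomaly visible so that it can be checked against the target's behaviour.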

Speculation on detection

+ It may be possible to detect abnormal compression patterns
_ Compare with compression applied to determine authorship/language of text files.

+ But you really should be looking for some vulnerability being triggered, not shellcode.

One final nop sled example.

Questions?
