Auditing an Oracle database for security issues is very important. PeteFinnigan.com provides all of the information and tools that you will need Click here for details of PeteFinnigan.com Limited's detailed Oracle database security audit service Click here for details of PeteFinnigan.com Limited's Oracle Security Training Courses
There are 61 visitors online    
Cookie Policy:We only use essential cookies on small sections of this website. For details see here.

Pete Finnigan's Oracle security weblog


Home » Archives » December 2004 » Three great papers on shell codes and encoding and decoding

[Previous entry: "Ed's latest post in the catpatch.sql series - missing SELECT ANY DICTIONARY PRIVILEGE"] [Next entry: "Next Edward Stangler post in the missing catpatch.sql series"]

Three great papers on shell codes and encoding and decoding

December 2nd, 2004 by Pete


OK, what are encoded or decoded shell codes? - First I had better say what shell code is. Shell code is the instructions (machine instructions) that a hacker sends to a server via a buffer overflow or similar to gain control of the server. This is a common practice in hacking computers. A hacker finds an incorrectly written piece of code in an application that allows you to send incorrect input that in turn ends up with the server running your own machine code rather than the application processing some business function.

Oracle seems to be very susceptible to this kind of attack in recent times. A lot of the alert 68 issues seem to be cases of PL/SQL built in procedures being exploited by sending long strings to them. This kind of attack can be used to send shell code via a PL/SQL function to the database server. So how does a hacker do this? Well part of the long string that the hacker would pass to a vulnerable PL/SQL function or procedure parameter would be shell code. A buffer overflow works because the string passed overflows the end of the buffer assigned to handle it and may go on to overflow a return address of a function on the machines stack (There are also other ways that this kind of overwrite attack can work but let's stick to this one for now). The idea is to get an executable instruction that is supplied by the hacker into the CPU. When the function returns the server will execute the hackers code instead. This kind of attack works because a hacker is able to send machine code to the server, either through a formal program parameter or as other supplied input or possibly via PL/SQL functions or procedures.

Applications are becoming more clever and various filters between the hacker and the server aim to filter out anything that could be machine code. This is where an encoding loop comes in, as it allows the hacker to use valid character sets such as A-Z0-9a-z and then the decoder takes care of making it executable.

I found this paper by Berend-Jan Wever (skylined) that is excellent. It gives some good ideas on how to write a decoder loop and gives some example source code at the end. This paper build on two previous papers, the first by Rix called "Writing ia32 alphanumeric shellcodes" and the second by obscou called "Building IA32 'Unicode-Proof' Shellcodes". It is worth reading these two papers first before skylineds paper.

If you want to understand how a hacker thinks and to understand the lengths that they will go to exploit applications including getting past filters then you need to read these papers. The two by Rix and obscou are superb and well worth reading. The paper by skylined that I found first is also excellent.

December 2004
SMTWTFS
   1234
567891011
12131415161718
19202122232425
262728293031 

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Weblog Home
Weblog Archives


Home
Oracle Security Tools page
Oracle security papers
Oracle Security alerts

Web Development
SQL Server Security

RSS 1.0 FEED
RSS 2.0 FEED
Atom 0.3 FEED
Powered by gm-rss 2.0.0


Valid XHTML 1.0!