Shellcode carving is the act of using certain instructions to manipulate the program's register values into creating our original shellcode on-the-fly within memory. The reason for using a carving method is where there are restrictions on bad characters that just cannot be avoided.
This blog briefly introduces the WoollyMammoth carving tool that can be used to carve any shellcode, not just egghunters (although the resulting payload is very large on anything other than egghunters).
Some Key References
I will admit that it took me a long time to fully understand the end-to-end process of successfully carving shellcode, and it wasn't without the help from content at blogs such as VelloSec and reading through the source-code of other tools that got me there in the end.
Intro
So, shellcode carving is a method of using the values of a register (e.g. EAX in this example) to construct our intended shellcode in memory. The reason for this is where there are certain restrictions on valid characters, such as \x83\xC4\x14 for the ADD ESP,20 instruction, we can't look to increment values or possibly don't have the availability of certain characters to encode the shellcode in something such as an XOR function.
However, if we are able to perform a SUB instruction, then we are able to calulate the necessary SUB commands to subtract EAX using two or more instructions, which will result in our intended 4 bytes of shellcode.
For example, the last four bytes of the Matt Miller egghunter are \x75\xe7\xff\xe7, and to calculate this from an EAX value of 0 we could use the following:
00402E85 25 4A4D4E55 AND EAX,554E4D4A # Zero out EAX
00402E8A 25 3532312A AND EAX,2A313235 # Zero out EAX
00402E8F 2D 45076F03 SUB EAX,0E7C0857 # Calculate 0 - 0E7C0857
00402E94 2D 2B062D06 SUB EAX,6600230 # Calculate F183F7A9 - 6600230
00402E99 2D 1B0B640E SUB EAX,3240E04 # Calculate EB23F579 - 3240E04
00402E9E 50 PUSH EAX
This would then result in EAX being set as the last four bytes of our shellcode, which is then placed on the stack.
After this, then next 4 bytes are calculated and so on. There's a lot of good information around this in the VelloSec article, so I'd suggest reading that - I won't go over existing ground here.
WoollyMammoth 'Carve'
An automated shellcode carving feature has been built into the WoollyMammoth toolset, which will allow you to specify:
- The start
ESPaddress - The Destination
ESPaddress (required for positioning where the shellcode is 'carved' to) - The shellcode string. E.g. an egghunter or msfvenom payload
Using the tool is simple, and only requires those three argument parameters, but the result will dynamically give you a full string that you can paste directly into an exploit.
Bad Chars
Now, the point of carving is to ensure that bad characters don't end up in the instructions. As such, WoollyMammoth allows you to specify a permitted character-set within the script, which will then be used to calculate the first possible combination of SUB instructions that can get you to where you want to go.
Amend the existing array here, or use the default one as necessary.
Running
Each run of the tool will provide a different output, even if you're using the same input argument parameters. I did take some inspiration from the code here, but in my version you don't need to hard code anything except bad characters, which allows any shellcode to be carved!
If you use a larger shellcode input it can obviously take a longer time to run, but you'll be able to see the rough progress as this goes on.
As mentioned, the size of a msfvenom (or other large) payload will have a massive overhead with the carved shell. Nevertheless, it's still possible!
