Shellcode carving is the act of using certain instructions to manipulate the program's register values into creating our original shellcode on-the-fly within memory. The reason for using a carving method is where there are restrictions on bad characters that just cannot be avoided.

This blog briefly introduces the WoollyMammoth carving tool that can be used to carve any shellcode, not just egghunters (although the resulting payload is very large on anything other than egghunters).

ins1gn1a/WoollyMammoth
Toolkit for manual buffer exploitation, which features a basic network socket fuzzer, offset pattern generator and detector, bad character identifier, shellcode carver, and a vanilla EIP exploiter ...

Some Key References

I will admit that it took me a long time to fully understand the end-to-end process of successfully carving shellcode, and it wasn't without the help from content at blogs such as VelloSec and reading through the source-code of other tools that got me there in the end.

Intro

So, shellcode carving is a method of using the values of a register (e.g. EAX in this example) to construct our intended shellcode in memory. The reason for this is where there are certain restrictions on valid characters, such as \x83\xC4\x14 for the ADD ESP,20 instruction, we can't look to increment values or possibly don't have the availability of certain characters to encode the shellcode in something such as an XOR function.

However, if we are able to perform a SUB instruction, then we are able to calulate the necessary SUB commands to subtract EAX using two or more instructions, which will result in our intended 4 bytes of shellcode.

For example, the last four bytes of the Matt Miller egghunter are \x75\xe7\xff\xe7, and to calculate this from an EAX value of 0 we could use the following:

00402E85     25 4A4D4E55    AND EAX,554E4D4A    # Zero out EAX
00402E8A     25 3532312A    AND EAX,2A313235    # Zero out EAX
00402E8F     2D 45076F03    SUB EAX,0E7C0857    # Calculate 0 - 0E7C0857
00402E94     2D 2B062D06    SUB EAX,6600230     # Calculate F183F7A9 - 6600230
00402E99     2D 1B0B640E    SUB EAX,3240E04     # Calculate EB23F579 - 3240E04
00402E9E     50             PUSH EAX

This would then result in EAX being set as the last four bytes of our shellcode, which is then placed on the stack.

After this, then next 4 bytes are calculated and so on. There's a lot of good information around this in the VelloSec article, so I'd suggest reading that - I won't go over existing ground here.

WoollyMammoth 'Carve'

An automated shellcode carving feature has been built into the WoollyMammoth toolset, which will allow you to specify:

  • The start ESP address
  • The Destination ESP address (required for positioning where the shellcode is 'carved' to)
  • The shellcode string. E.g. an egghunter or msfvenom payload

Using the tool is simple, and only requires those three argument parameters, but the result will dynamically give you a full string that you can paste directly into an exploit.

Bad Chars

Now, the point of carving is to ensure that bad characters don't end up in the instructions. As such, WoollyMammoth allows you to specify a permitted character-set within the script, which will then be used to calculate the first possible combination of SUB instructions that can get you to where you want to go.

Amend the existing array here, or use the default one as necessary.

Running

Each run of the tool will provide a different output, even if you're using the same input argument parameters. I did take some inspiration from the code here, but in my version you don't need to hard code anything except bad characters, which allows any shellcode to be carved!

If you use a larger shellcode input it can obviously take a longer time to run, but you'll be able to see the rough progress as this goes on.

As mentioned, the size of a msfvenom (or other large) payload will have a massive overhead with the carved shell. Nevertheless, it's still possible!