
I have encountered a malicious shellcode and I have ported the shellcode into a compatible C program which can run it. I compiled it using `gcc -fno-stack-protector -z execstack shellcode.c -o code`, which outputs the ELF file `code`. I am planning to analyze the file by using the `gdb ./code` command to see the functions and to research the shellcode.

Now my question is: can an untrusted ELF file running in gdb cause file execution outside gdb? Because if the shellcode is `rm -rf / --no-preserve-root`, that is a security implication, and a shellcode which uses a remote connection is also a threat. So does the command `gdb ./code` run the code completely, or does it simply load the code into gdb? Because after that I can use breakpoints before the shellcode executes to analyze it.

Any answer would be appreciated.

Gerorge Timber

1 Answer


It certainly does. gdb will not isolate the process at all; it merely gives you some control over it so you can understand what it does.

To do that kind of analysis, you should resort to a fully isolated system such as a VM with no network access.

Breakpoints will be respected, but you should always account for human errors, which can have drastic consequences. If you were good enough to safely debug an unknown obfuscated program, you wouldn't need to run it, as you would simply read the code to know what it does, which would be risk free.

Julie Pelletier
  • Considering a case here: I loaded an ELF file into gdb with `gdb ./code`. Assuming this file contains harmful shellcode, I set a breakpoint exactly above where the shellcode starts executing. Now, if that shellcode is using XOR obfuscation, then it might be decoding itself too, so I need to set another breakpoint before it gives me the plain-text output of what it does (for example using `execv("/bin/ksh", 0, 0)` to spawn a new shell). Now the question stands: before I continue after setting breakpoints, does the code run, or does it remain static at the first instance of `gdb ./code`? – Gerorge Timber Jun 09 '16 at 09:06
  • I updated my answer to reply to your question on breakpoints. – Julie Pelletier Jun 09 '16 at 09:16
  • Thanks for the update, but I don't think that all code can be understood by reading. For example, look at this brilliant malicious code exploit: http://pastebin.com/GM4sHj9t. 8 out of 10 people reading this code can only tell that it looks like an RDP exploit which uses a BOF to send a payload to port 3389 via a socket. But ultimately that code doesn't even get executed; only the hex in the shellcode does ;) . So sometimes debugging and finding the shellcode's behaviour is also helpful, but I can agree with you that an isolated system with no network is a must :) – Gerorge Timber Jun 09 '16 at 09:39
  • That's actually **exactly** my point. You should not rely on your expertise to do something unsafe. Set up a safe environment to run your tests! – Julie Pelletier Jun 09 '16 at 10:33
  • A VM is [**not** an isolated system](https://en.wikipedia.org/wiki/Virtual_machine_escape). Using one will significantly reduce, but not entirely eliminate, the risk. If you want to eliminate your risk then you should use a system that you will afterwards either discard, or use only for purposes with no security requirements. A Raspberry Pi is a good candidate because of the low cost. – Jon Bentley Jun 09 '16 at 12:08
  • Exactly @JonBentley, I have been using a Raspberry Pi for a while and it may work as a good candidate. I haven't tested malware on it yet, but I will look forward to it. Some code is anti-VM too; it won't even execute the main part even if INetSim is on, so there are varied scopes in which this can be performed! – Gerorge Timber Jun 09 '16 at 12:53