Korean Shellcode with ROP Based Decoding
Download: Paper (PDF)
Date: 27 Jul 2015
Document Type: Briefing Papers
Associated Event: NDSS Symposium 2015
Although shellcode can be hidden in plain text (e.g., English shellcode), the signature of its decoder allows defensive measures to detect it. In this paper, we present an approach to hide shellcode in Unicode-encoded Korean text and to reconstruct it using return-oriented programming. In our approach, shellcode is hidden within Korean text in the form of Chinese characters. By overwriting return addresses on the stack, control flow is directed through existing instructions so that the shellcode is reconstructed and then executed. Our approach is simple, yet it may be effective against payload inspection as well as against defensive measures based on last branch recording. With some modifications, it may also hide shellcode in other East Asian text and reconstruct other plain-text-encoded shellcode without the use of a decoder.