SLAE ASSIGNMENT 4 | Custom ENCODER/DECODER - LINUX X86
This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE - 1342Hello Shellcoders,
Welcome to Pwsec land once again. Again it's been a week since I wrote my last article. But I guess I get the motivation to complete the assignment only during the weekend. If you haven’t seen my Assignment 3 blog post on EggHunter x86 shellcode, then you can check it [Here]. Today in this post we will be creating our own Custom Encoding Shema and will encode our execve-stack x86 Shellcode with it. Also we will be writing our encoder in python and decoder in ASM. This is the fourth assignment for the completion of SLAE exam. So, the requirement is:
- Create a Custom Encoding Scheme
- PoC with using execve-stack x86 shellcode to encode with our schema and execute.
So I thought a lot but I am not a cryptographer, Therefore, I decided to create a simple encoding scheme which will first add and then xor the output with 0xbb. Let’s start by creating the encoder in python.
Well as you can see we are first adding 73 and then XORing it with 0xBB. Well you must be wondering why 73? Right? Well I have been watching Big Bang Theory from so long now and I am a huge fan of Sheldon Cooper. In episode 73 "The Alien Parasite Hypothesis," the number 73 is actually pretty special. "73 is the 21st prime number," which Sheldon explains. "Its mirror, 37, is the 12th and its mirror, 21, is the product of multiplying 7 and 3 ... and in binary 73 is a palindrome, 1001001, which backward is 1001001." Haha xD Need any more explanation to why not to use it? and talking about 0xbb for xoring. Why? because why not? xD
Pretty easy, huh? If you still have any doubt, then please feel free to ping me on twitter [@Pwsecspirit].
Here is the output of what it looks like.
Now we have the encoded shellcode with us. Let’s write the decoder for it in assembly. Beginning with the assembly code.
aaaa Well, in this piece of code we will be taking a short jump to “call_shellcode”. Also, everything is explained in the comment, let me clear some stuff. In assembly we use ";" (semicolon) to comment something. Ez-Pz… right? Moving ahead.
So in this code, we will be calling the “shellcode” and the next line below the call instruction will get pushed onto the stack, which is nothing but our encoded shellcode. Also I have defined the mlen variable which stores the length of shell ( our encoded shellcode).
So now our encoded shellcode is on stack. Let’s pop it out inside the ESI register. Then we will be xoring the eax with eax to make it 0/null. Then we are moving the length of our encoded shellcode inside the AL register. Which are the lower 8 bits of EAX.
Pretty easy, huh? If you still have any doubt, then please feel free to ping me on twitter [@Pwsecspirit].
Here is the output of what it looks like.
Now we have the encoded shellcode with us. Let’s write the decoder for it in assembly. Beginning with the assembly code.
aaaa Well, in this piece of code we will be taking a short jump to “call_shellcode”. Also, everything is explained in the comment, let me clear some stuff. In assembly we use ";" (semicolon) to comment something. Ez-Pz… right? Moving ahead.
So in this code, we will be calling the “shellcode” and the next line below the call instruction will get pushed onto the stack, which is nothing but our encoded shellcode. Also I have defined the mlen variable which stores the length of shell ( our encoded shellcode).
So now our encoded shellcode is on stack. Let’s pop it out inside the ESI register. Then we will be xoring the eax with eax to make it 0/null. Then we are moving the length of our encoded shellcode inside the AL register. Which are the lower 8 bits of EAX.
This is the place where the real magic began. So first we are xoring the current ESI value with "0xbb" and then subtracting 73 from it because we have added 73. Then we are decreasing the value of al which is holding the length of the encoded shellcode. Once it set the zero flag then we will jump to the decoded shellcode else we will keep incrementing the ESI address by 1 i.e [ESI+1]..[ESI+n] and taking a short back jump to decode to do the whole process byte-by-byte till our whole shellcode gets decoded.
Here is the execve-stack x86 shellcode code.
In the 1st pane, I've just encoded the shellcode.
In pane 2, I have pasted it inside decode_shellcode.NASM and assembled the assembly file and linked the object file.
In pane 3, I have just copied the opcode of the disassembled decoder shellcode inside the shellcode.c and compiled it with GCC.
In pane 4, I have executed the shellcode.
Thanks,
Post a Comment:
Please tell us if we have done anything wrong :) and please share our website if you like.