SLAE ASSIGNMENT 7 | Custom Crypter for our execve-SHELLCODE - LINUX X86
This blog post has been created for completing the requirements of SecurityTube Linux Assembly Expert Certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student ID: SLAE - 1342Hello Shellcoders,
It has been two week since I wrote my last article. Well if you haven’t seen my Assignment 6 blog post on SLAE ASSIGNMENT 6 | POLYMORPHIC SHELLCODE'S - LINUX X86, then you can check it [Here]. Today in this post we will be writing the Crypter which will encrypt our execve-stack x86 Shellcode which is the final assignment for the SLAE exam.
So the requirement is:
- Create a custom crypter like the one shown in the "crypters" video.
- Free to use any existing encryption schema.
- Can use any programming language.
I will be using AES CBC Mode Encryption to encrypt the shellcode. I will be implementing the crypter in python3.
If you have any doubt, then please feel free to ping me on twitter [@Pwsecspirit].
Here is the python code of our Crypter:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/python3 | |
| # Author: Shubham Singh | |
| # Student ID: SLAE - 1342 | |
| from Crypto.Cipher import AES | |
| from Crypto import Random | |
| import base64,sys,binascii,os,getopt | |
| # Argument List | |
| argumentList = sys.argv[1:] | |
| # Options | |
| options = "hed:" | |
| # Long options | |
| long_options = ["help","encrypt", "decrypt"] | |
| # 16 Character long.Don't share it | |
| secret = 'slaespiritedwolf' | |
| BLOCK_SIZE = 16 | |
| # PADING | |
| def pad(s): | |
| return s + (BLOCK_SIZE - len(s) % BLOCK_SIZE) * chr(BLOCK_SIZE - len(s) % BLOCK_SIZE) | |
| # UNPADING -> It will be usefull while decrypting | |
| def unpad(s): | |
| return s[:-ord(s[len(s) - 1:])] | |
| # Encode the cipher with correct pading and encode it into base64. | |
| def encode_aes(cipher,s): | |
| return base64.b64encode(cipher.encrypt(pad(s))) | |
| # Encryption function which will encrypt our shellcode with AES , MODE: CBC | |
| def enc(shellcode): | |
| inp = shellcode.replace("\\x","") | |
| shellcode = inp.decode("hex") | |
| iv = Random.new().read(AES.block_size) | |
| cipher = AES.new(secret,AES.MODE_CBC, iv) | |
| encoded = base64.b64encode(iv + cipher.encrypt(pad(shellcode))) | |
| print("Encoded String:"+ encoded) | |
| return 1 | |
| # Decryption function which will decrypt our AES encrypted data | |
| def dec(encrypted_string): | |
| # print('stage 1:',encrypted_string) | |
| encrypt = base64.b64decode(encrypted_string) | |
| # print('stage 2:',encrypt) | |
| iv = encrypt[:16] | |
| # print('IV:', iv) | |
| cipher = AES.new(secret, AES.MODE_CBC, iv) | |
| cipher_1 = cipher.decrypt(encrypt) | |
| # print('FINAL 1:',cipher_1) | |
| cipher_2 = unpad(cipher_1) | |
| # print('FINAL 2:', cipher_2) | |
| convert_string_to_byte = bytes(cipher_2) | |
| hex_string = binascii.b2a_hex(convert_string_to_byte) | |
| # Decrypted shellcode | |
| lol = hex_string[32:] | |
| shell = lol | |
| # Add \x after every 2 character | |
| shell_for_copy = "\\x" | |
| shell_for_copy += '\\x'.join(a+b for a,b in zip(shell[::2], shell[1::2])) | |
| print(shell_for_copy) | |
| # Write the shellcode in our shellcode.c file | |
| write_to_file = open("shellcode.c", "w") | |
| write_to_file.write(""" | |
| #include<stdio.h> | |
| #include<string.h> | |
| unsigned char shellcode[]= \\ | |
| \"""") | |
| write_to_file.close() | |
| write_to_file = open("shellcode.c", "a") | |
| write_to_file.write(shell_for_copy) | |
| write_to_file.close() | |
| write_to_file = open("shellcode.c", "a") | |
| write_to_file.write('''\"; | |
| main() | |
| { | |
| printf(\"Shellcode length: %d\\n\", strlen(shellcode)); | |
| int (*ret)()=(int (*)())shellcode; | |
| ret(); | |
| } | |
| ''') | |
| write_to_file.close() | |
| # Compile the shellcode.c file with GCC compiler and execute the shellcode after compiling. | |
| os.system("gcc -fno-stack-protector -z execstack shellcode.c -o shellcode && ./shellcode") | |
| return 1 | |
| try: | |
| # Parsing argument | |
| arguments, values = getopt.getopt(argumentList, options, long_options) | |
| # Checking each argument | |
| for currentArgument, currentValue in arguments: | |
| if currentArgument in ("-h", "--help"): | |
| print ("Diplaying Help\n-h --help Show this Help Menu\n-e --encrypt Encrypt the shellcode using: python3 encrypt_aes.py -e <shellcode>\n-d --decrypt Decrypt the AES encrypted data using: python3 encrypt_aes.py -d <AES>") | |
| elif currentArgument in ("-e", "--encrypt"): | |
| shellcode = sys.argv[2] | |
| encrypted_arg = enc(shellcode) | |
| elif currentArgument in ("-d", "--decrypt"): | |
| decode_string = sys.argv[2] | |
| print(decode_string) | |
| print(type(decode_string)) | |
| decrypted_arg = dec(decode_string) | |
| except getopt.error as err: | |
| # output error, and return with an error code | |
| print (str(err)) |
Let's run it and see the help menu.
So, we can use -e or --encrypt to encrypt the shellcode. Let's encrypt it.
Amazing we have our encrypted shellcode data string. Let pass it to the decrypt option.
Amazing it decrypted and executed the shellcode as expected. I believe that's it for this assignment.
Thanks,
Thanks,