SLAE Assignment #4 – x86 Linux Custom Shellcode Encoder

Hey, I’m back with my solution for assignment 4 (of 7). This time, I show you my custom shellcode encoder (written in Python, yeah) and the corresponding assembly decoder stub.

Disclaimer:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-890

The encoding scheme is based on the “Insertion encoding scheme” we learned about in the course. I refined it a bit to make it less obvious and also wrote my own Python script to generate stub+shellcode – ready to paste 🙂

The source code is – as always – on my github page! Now, let’s start rolling.

First, let me explain the algorithm. For each shellcode byte, it generates a random offset (an integer), subtracts the offset from the shellcode byte, and stores both bytes (the encoded byte and its offset) in the new shellcode. Not very space-efficient, since it doubles the shellcode size … but so what. Many variations are possible (like using only one offset, or a new offset every x bytes, and so on) – I’ll maybe try that at a later time.

The Python code to generate the obfuscated shellcode, looks like this:

[Screenshot Selection_090.png: the Python encoder script]

The matching decoder (assembly) looks like this:

[Screenshot Selection_091: the assembly decoder stub]

I wrote a small Python program (the almighty Diffuscator) to read shellcode from STDIN, encode it and prepend the decoder stub to it. The resulting byte code is printed out, ready for easy copy&paste 🙂

To test my stuff, I took a random shellcode from shell-storm. I found a nice and short one which prints /etc/passwd. Running it through my Python tool, it looks like this:

[Screenshot Selection_092: Diffuscator output for the /etc/passwd shellcode]

Now we just paste the new shellcode into a skeleton shellcode.c, compile and run it – et voilà – check out my sweet /etc/passwd 🙂

[Screenshot Selection_093: the decoded shellcode running and printing /etc/passwd]

Sending this shellcode through virustotal … not too bad, eh?

[Screenshot Selection_094.png: VirusTotal results for the encoded shellcode]

Hope you find this useful! Talk soon 🙂
