SLAE32 Assignment 7 – Custom Crypter

Note: All related code can be found at My Github Repository.

Task:
– Create one program to encrypt the shellcode
– Create another program to decrypt and execute it

For this task we picked the Tiny Encryption Algorithm (TEA). It is a block cipher notable for the simplicity of its description and implementation, designed by David Wheeler and Roger Needham of the Cambridge Computer Laboratory.

As input we are using the shellcode (\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80) as extracted from the execve-stack file, which simply spawns a /bin/sh shell.

Take the execve.nasm file

Compile and link the execve.nasm:

Use objdump to get the opcodes for execve.nasm

Of course, we could easily complicate the shellcode further, e.g.:
1. Use the XOREncoder.py with the opcodes from execve.nasm
2. Run “python XOREncoder.py” and take the output 0x…
3. Update xor-decoder.nasm using the output from “python XOREncoder.py”
4. Compile and link the updated xor-decoder.nasm
5. Use objdump to get the opcodes from the compiled/linked xor-decoder
6. Feed our TEA-Encrypter with the opcodes from xor-decoder

TEA Encryptor

Compile and run

TEA DeCrypter & Executor

Compile and run
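As an added illustration (not the post's own crypter code, which lives in the linked repository), the TEA block function applied over a byte buffer in ECB mode with zero padding, an assumed padding choice; the input is a constructed 25-byte stand-in of the same length as the execve shellcode above, so the padding path is exercised, and the execute step of the decrypter is left out.

```c
#include <stdint.h>
#include <string.h>
#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32

/* Encrypt one 64-bit block (two 32-bit words) in place with a 128-bit key. */
static void tea_encrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decrypt one block: the same rounds undone in reverse order. */
static void tea_decrypt_block(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = TEA_DELTA * TEA_ROUNDS; /* 0xC6EF3720 */
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= TEA_DELTA;
    }
    v[0] = v0; v[1] = v1;
}

/* Run TEA over a byte buffer block by block (ECB). buf must have room for len
 * rounded up to a multiple of 8; the tail is zero-padded (assumed padding choice).
 * Returns the padded length actually processed. */
static size_t tea_process(uint8_t *buf, size_t len, const uint32_t k[4], int decrypt) {
    size_t padded = (len + 7) & ~(size_t)7;
    memset(buf + len, 0, padded - len);
    for (size_t off = 0; off < padded; off += 8) {
        uint32_t v[2];
        memcpy(v, buf + off, 8);   /* host byte order; symmetric for both directions */
        if (decrypt) tea_decrypt_block(v, k); else tea_encrypt_block(v, k);
        memcpy(buf + off, v, 8);
    }
    return padded;
}

/* Round trip on a constructed 25-byte stand-in (same length as the execve
 * shellcode), so the 7 padding bytes are exercised. Returns 1 on success. */
static int tea_roundtrip_ok(void) {
    const uint32_t key[4] = {0x01234567u, 0x89abcdefu, 0xfedcba98u, 0x76543210u}; /* constructed */
    uint8_t plain[32] = "CONSTRUCTED-25-BYTE-INPUT";
    uint8_t work[32]; memcpy(work, plain, sizeof work);
    size_t n = tea_process(work, 25, key, 0);
    int changed = memcmp(work, plain, 25) != 0;   /* ciphertext must differ from input */
    tea_process(work, n, key, 1);
    return n == 32 && changed && memcmp(work, plain, 25) == 0;
}
```

The decrypter side of the post does the same tea_process(..., 1) call and then jumps to the buffer; here the round trip stops at comparing the recovered bytes.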

#####
This post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE- 461
#####


SLAE32 Assignment 6 – Polymorphic Shellcode III

Note: All related code can be found at My Github Repository.

Task:
– Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org
– Newer version of shellcode should not be more than 150% of the original code

Copy code from http://shell-storm.org/shellcode/files/shellcode-213.php

At line 35, add the following: printf("Shellcode Length: %d\n", strlen(shellcode));
Add the following at the top of the program:

Compile with the highlighted changes and run:

Let’s put the code in an assembly skeleton program and transform to the Intel syntax:

Assemble:

Link:

Run to test it is working:

Now let’s change a few bits in the code; deleted code is prefixed or enclosed with ; or ;-----------:

Compile and run:

Do a quick disassembling:

Extract the shellcode:

Now copy the shellcode into your C shellcode skeleton program (213.v1.in.c.program.c), as:

Compile and run again:

Bonus program to play with the stime function:



SLAE32 Assignment 6 – Polymorphic Shellcode II

Note: All related code can be found at My Github Repository.

Task:
– Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org
– Newer version of shellcode should not be more than 150% of the original code

Copy code from http://shell-storm.org/shellcode/files/shellcode-571.php

Delete the space between “pu” and “sh” at line 10.
At line 23, add the following: printf("Shellcode Length: %d\n", strlen(shellcode));
Add the following at the top of the program:

Compile with the highlighted changes and run to determine the number of bytes of the shellcode:

The original shellcode is 43 bytes long.
Let’s convert to Intel flavor and put into a nasm skeleton program.

Assemble:

Link:

Run to test it is working:

Add some explanation to the code before we start fiddling around:

Now let’s attempt to change a few bits in the code (comments inline with the code):

Assemble and link as before, then disassemble:

You will notice that the instructions at 8048075, 804807d and 8048085 are 7 opcode bytes long, therefore you need to change “cut -f1-6 -d’ ‘” to “cut -f1-7 -d’ ‘” when extracting the shellcode to capture all instructions, see below:

Now copy the shellcode into your C shellcode skeleton program, as:

Compile and run:



SLAE32 Assignment 6 – Polymorphic Shellcode I

Note: All related code can be found at My Github Repository.

Task:
– Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org
– Newer version of shellcode should not be more than 150% of the original code

Copy code from http://shell-storm.org/shellcode/files/shellcode-604.php and:

Add a “;” at the end of line 39 to close the char initialisation.
At line 40, add the following: printf("Shellcode Length: %d\n", strlen(evil));
Add the following at the top of the program:

Compile and run

So the original shellcode is 60 bytes.
For our convenience, copy the assembly code and transform it to the Intel code style:

Then build a skeleton.nasm file with the assembly code in Intel format:

Compile:

Link:

and extract opcodes:

Create C program with extracted shellcode

Compile:

Let’s attempt to explain the code from skeleton.nasm (comments inline with the code):

Now let’s make a few changes in the code (comments inline with the code). Removed code is prefixed or enclosed with ; or ;-----------:

If you test the above code you will find that it adds an overhead of 5 bytes to our original shellcode (“Shellcode Length: 65”):

Note: The ping -c5 localhost does not serve any important purpose here; we are just using it to prolong the display of the extracted shellcode, so we can copy it before vi shellcode.v0.improve.to.v1.c gets executed.

Now let’s make a few more changes in the code (comments inline with the code). Removed code is prefixed or enclosed with ; or ;-----------:

If you test the above code (shellcode.v1.improve.to.v2.nasm) you will find that it adds an overhead of 16 bytes to our original shellcode (“Shellcode Length: 76”):

Now let’s make even more changes in the code (comments inline with the code). Removed code is prefixed or enclosed with ; or ;-----------:

To compile and link the above code (./compile.nasm.sh shellcode.v2.improve.to.v3), you may use:

Generate the opcodes

In the above generated output, you will notice that the instructions at 804806a and 8048072 are 7 opcode bytes long, therefore we need to change “cut -f1-6 -d’ ‘” to “cut -f1-7 -d’ ‘” in order to capture all opcodes, see below:

The C program now becomes:

