Saturday, April 1, 2017

SLAE32 Exam - Assignment 6 of 7 (Polymorphic Shellcode)

This post is the sixth of 7 exam assignments of the Pentester Academy's x86 Assembly Language and Shellcoding on Linux course.  Success in these 7 assignments results in the Pentester Academy's SLAE32 certification.

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

SLAE - 901

The files used in this assignment are here:
https://github.com/clubjk/SLAE32/tree/master/exam/task6

Assignment 6 Requirements
  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the existing shellcode
  • Bonus points for making it shorter in length than original
For this assigment I'll  create polymorphic versions of three existing shellcodes on shell-storm.org:

http://shell-storm.org/shellcode/files/shellcode-863.php - an execve function
http://shell-storm.org/shellcode/files/shellcode-893.php - adds an entry in /etc/hosts
http://shell-storm.org/shellcode/files/shellcode-862.php - downloads a file from a web server

Shellcode 1 - http://shell-storm.org/shellcode/files/shellcode-863.php



  • Linux/x86 - jump-call-pop execve shell - 52 bytes by Paolo Stivanin
863 is an execve /bin/sh shell consisting of 52 bytes.

Testing the original

Testing the original's nasm

To test 863's assembly script, I pasted its assembly commands into a nasm file (poly1.nasm), and then compiled and linked it with the following commands:


$ nasm -f elf32 -o [filename].o [filename].nasm


$ ld -o [filename] [filename].o

I took the resulting poly1 binary and tested its functionality.

 
It worked.

Creating and testing the original nasm's shellcode

I used the objdump command to check poly1's shell bytes for null characters.



I visually inspected the shell bytes and was satisfied that there were no null bytes.

I extracted the shell bytes with a modifed objdump command:

$ objdump -d ./poly1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'


I pasted the shell bytes in the shellcode.c template.


I compiled shellcode1.c with the following command:

$ gcc  -ggdb -fno-stack-protector -z execstack shellcode1.c -o shellcode1

I tested the resulting binary shellcode1 by executing it.








It worked.  The size of the shellcode was confirmed at 52 bytes.

Polymorphing the original

Polymorphing the original's nasm

I created a new instance of the orginal nasm script (poly1a.nasm).  Seeking to modify some commands with equivalents, I made the following modifications to the original:


I added a CLD (clear direction) and STD (set direction) commands.  I also modified the xor eax, eax command with a polymorphic equivalent.


In three instances of the push eax command (two depicted) I added polymorphic equivalents.

I saved, compiled, and executed the polymorphed binary (poly1a).


The polymorphed version of the original worked.

Creating and testing the polymorphed nasm's shellcode

I object dumped poly1a's shell bytes.


I confirmed that poly1a's shell bytes contained no null characters.  Then I extracted the shell bytes with a modified objdump command.

$ objdump -d ./poly1a|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'







I copied the shell bytes into the shellcode.c script template and saved it as shellcode1a.c.


I compiled shellcode1.c with the following command:

$ gcc  -ggdb -fno-stack-protector -z execstack shellcode1.c -o shellcode1

I tested the resulting binary shellcode1 by executing it.


It worked. Yay.  Size of the polymorphed shellcode was 75 bytes.


893's shellcode is designed to add a map to google in the /etc/hosts file.  A successful execution is intended to have the following entry in the hosts file:


Testing the original

Testing the original's nasm

I pasted 892's assembly instructions into poly3.nasm.  I compiled and linked as I did in the first example.  Then I executed it with the following command:


I verified success by running the following command:


It worked. I removed the google line from the hosts file in preparation for the next test.

Creating and testing the original nasm's shellcode

Reviewing poly3's shell bytes for nulls, extracting the shellcode, and creating shellcode3.c was uneventful.  I compiled and executed shellcode3.



It worked.  Size of the shellcode was confirmed at 77 bytes.

Polymorphing the original

Polymorphing the original's nasm

I made the following changes to the original nasm:


I added polymorphic equivalents to the xor and push commands.


Also added a CLD and STD commands.

I compiled and linked the polymorphed nasm (poly3a) and executed it.



It worked.

Creating and testing the polymorphed nasm's shellcode

Checking for null bytes, extracting the shell bytes and creating shellcode3a.c was uneventful.

I executed shellcode3a with the following command:



It worked.  Yay.  Size of the polymorphed shellcode was 79 bytes.


862's shellcode is designed to download an executable from a web server using wget, chmod'ing and executing it.  The code is set to download a binary called "x" on the server's web root.

(P.S. the chmod and execute did not work (for me) in this code but the wget did...)

Successful results of this nasm and shellcode look like this:


Testing the original

Testing the original's nasm

I copied 862's assembly instructions into poly4.nasm.  In order to test it, I needed to modify the code for my web server.


I also changed the name of the file the script downloaded to "xxxx" to balance the 4 byte increment of the push request.

I compiled, linked, and executed it.










It worked.

Creating and testing the original's shellcode

Checking for null bytes, extracting shell bytes, and creating shellcode4.c was uneventful.  I compiled shellcode4.c with gcc and executed it.


It worked.  Size of the shellcode was 113 bytes.

Polymorphing the original

Polymorphing the original's nasm

I made the following changes to 862's assembly instructions and named it poly4a.nasm:


I changed a xor command to it's polymorphic equivalent as well as adding a CLD and STD command.

Compiled and linked it, then executed it.




It worked.


Creating and testing the polymorphed nasm's shellcode

Checking for null bytes, extracting the shell bytes, and creating the shellcode version was uneventful (shellcode4a.c).  I compiled with gcc, and executed it.


It worked.  Yay.  Size of the shellcode was 123 bytes.




No comments:

Post a Comment