This post is the seventh of 7 exam assignments of the Pentester Academy's x86 Assembly Language and Shellcoding on Linux course. Success in these 7 assignments results in the Pentester Academy's SLAE32 certification.
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
SLAE - 901
The files used in this assignment are here:
https://github.com/clubjk/SLAE32/tree/master/exam/task7
Assignment 7 Requirements:
- Create a custom crypter like the one shown in the "crypters" video
- Free to use any existing encryption schema
- Can use any programming language
For this assignment I'll use the spritzer encryption algorithm (follow on to AES) to encrypt shellcode as well as decrypt/execute.
I used whitedome's spritzer encryption & decryption/execution script written in C with a modified key.
His script can be found here.
I began by extracting the shellcode from the execve-stack binary.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_EOC3eBYdMxkqvIrW81zqP-S86b35yw3KI_UDVWAGFfK5Pgh7sB2d81Ed4rn_Vknt8qtVFVGrDhRImlmIl1M-d9z8nAOUNyuMTMEzmdEI3nH9kIW4ciaErHxgeXMt122zXEwaHqieIFOi/s640/Screen+Shot+2017-04-03+at+3.59.21+PM.png)
I copied the shellcode into spritz.c
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgnGYTcsMsUXgxpoP1EM0Bv5DEH3i24HRx6OVmj_PkvQK9JRFGHKKMh2qC0n0fbY28bppDrMW-PU0uTwsxksLs0fMxElCq1bQoALL1tCIRkJ_t7v0bTI-bXTiBIRypKxTcwhfmLHD-OVN2t/s640/Screen+Shot+2017-04-03+at+4.00.04+PM.png)
I compiled spritz.c with the following command:
$ gcc -ggdb -fno-stack-protector -z execstack spritz.c -o spritz
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjssyyRyRoHtlXRQda0cKptecpfpWQbd_zQudbedQQy2wU88tNwhNr711wuV5-pMu2AI713uBX-CTtxc2mYg-jtTmKI_LV4dcP1mHOPa-zgfXP_UCYdZGuBHUSQFEGABWbqelC6iR90DcaG/s640/Screen+Shot+2017-04-03+at+4.00.57+PM.png)
Then I executed the script which outputted the encoded shellcode.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhgAUMAw9Bj68jO6c9tzMHVj7OKqPfdET-6p6-r-FZYudOnsWoyZn_JF3BO_F2M9Ap37o3R11ubMEc72jf55bQ-xyTPUSWgc7gXbVZuruSPZ8k72MEvrjhUaT1N-uZ3IG52kq6Gpjvf3MhO/s640/Screen+Shot+2017-04-03+at+5.21.38+PM.png)
I copied the encoded shellcode into spritz.c
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEikt2bJfzKIXDs4EOlBUf9ah1CeESEOK0fpkXXkg964mTJZjpSyRK0s0MxDUK7DoM3HEq2ZOTEBp6HDnR2L_10kcL5XH5rsSLpx9xqSZe2LFHoV3DZo6zMNe228N-eJep91yNu9xxT6Auti/s640/Screen+Shot+2017-04-03+at+5.16.58+PM.png)
After compiling as I did before, I decoded and executed the shellcode string with the following command:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_nBJ2PbQMYVv2H9DrT0eBxzUS0jpjXxTR9fsilrCRtvkROEUxKwHg7yq-EFoNA1dweNGbHHb_jDdWbvvjBQFYzHa4gn_vMmvFSXNDorApduukJkUt5XnASMilTlAD9Ml06darfsiIlV1H/s400/Screen+Shot+2017-04-03+at+5.15.15+PM.png)
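The `-z execstack` flag in the compile command above is recorded in the binary's `PT_GNU_STACK` program header, which a defender can read during triage to spot binaries built to run code from the stack. The following is an added example, not code from this post or from whitedome's script; the names `stack_policy` and `make_sample` and the sample images are constructed for illustration, and only little-endian ELF32 is handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK_TYPE 0x6474e551u /* p_type of the GNU stack-permission header */
#define PF_X_FLAG 0x1u                /* execute bit in p_flags */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_HDR = 2, NOT_ELF32 = -1 };

static uint32_t rd(const uint8_t *p, int n) { /* little-endian read of n bytes */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Classify a little-endian ELF32 image by its PT_GNU_STACK flags. */
int stack_policy(const uint8_t *img, size_t len) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[4] != 1 || img[5] != 1)
        return NOT_ELF32;
    uint64_t phoff = rd(img + 28, 4);                    /* e_phoff */
    uint32_t phentsize = rd(img + 42, 2), phnum = rd(img + 44, 2);
    if (phnum && phentsize < 32) return NOT_ELF32;
    for (uint32_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off + 32 > len) return NOT_ELF32;            /* truncated header table */
        if (rd(img + off, 4) == PT_GNU_STACK_TYPE)       /* p_type */
            return (rd(img + off + 24, 4) & PF_X_FLAG) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_HDR; /* no header: the kernel applies its architecture default */
}

/* Constructed sample: 52-byte ELF32 header followed by one PT_GNU_STACK entry. */
size_t make_sample(uint8_t buf[84], uint32_t p_flags) {
    memset(buf, 0, 84);
    memcpy(buf, "\x7f" "ELF\x01\x01\x01", 7); /* magic, ELFCLASS32, LSB, version 1 */
    buf[28] = 52;                             /* e_phoff: table follows the header */
    buf[42] = 32; buf[44] = 1;                /* e_phentsize, e_phnum */
    for (int i = 0; i < 4; i++) {
        buf[52 + i] = (uint8_t)(PT_GNU_STACK_TYPE >> (8 * i)); /* p_type */
        buf[76 + i] = (uint8_t)(p_flags >> (8 * i));           /* p_flags */
    }
    return 84;
}

int main(void) {
    uint8_t img[84];
    printf("RWX stack header: %d\n", stack_policy(img, make_sample(img, 0x7)));
    printf("RW  stack header: %d\n", stack_policy(img, make_sample(img, 0x6)));
    return 0;
}
```

On a real file, `readelf -lW spritz` shows the same header as a `GNU_STACK` line whose flags read `RWE` when the stack is executable and `RW` otherwise.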