SLAE64 - 1501
Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
Task:
• Create a custom encoding scheme like the “Insertion Encoder” we showed you
• PoC with using execve-stack as the shellcode to encode with your schema and execute
All files used in this assignment are below:
https://github.com/clubjk/SLAE64-3/tree/master/exam/encoder
I used the execve-stack.nasm that we created in the course and used an XOR encoder. I inspected it for null bytes and confirmed there were none.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgFNrj3uIVRbOougX0Azd47Q1E3MPN0Cge2kowQsuhCcYVhIEblHygZOch7jdXEEHyaQnR8FyvVHyvFAOhgBr3vtjB980O2aFiGvsN9cVwiDRnRPQWgd3ysqHJ928H8HRE4kUazrLsX-kS1/s640/Screen+Shot+2017-10-13+at+9.19.08+AM.png)
I extracted its opcode using a modified objdump command.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNEqA0gTFdFGQDBcIvUUrLI80Ve6YzcHWe8Wn3E8F15EomMTNO_e5bwKaP7cPCOqc7hlDlIOuA5ss0CfMeCaAfUiU1iFHGr3n64LHvef9gEPLBR1F22W7l1IFFzO25OIx3FkPm4o4Msbh4/s640/Screen+Shot+2017-10-13+at+9.19.50+AM.png)
I pasted the opcode into an XOR encoding script. That script is here.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXkIFj-sPQVYhnbjA_NVuxzC8_CcCd5eOfrgJHDEoRS5KfaJcRRLnWqOSkkEFIaZ2ejAogeu3mpUlNBh6k3ZHuQ92cxSfF7aWEAgj3zroifKS_LOWSk2rlnKcgsJqke-ALm5oPRxDvPMM1/s640/Screen+Shot+2017-10-13+at+9.22.11+AM.png)
I executed the script and it output the XOR-encoded opcode.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgn4Ng_7HLVvslR4xHvhj30I-xkfD1lfEjhTezP-PrzxE5XF2_lztQ5d_7HRMUsejpWys1KYvNETGZ3FhkOIgEjnQOraomKBtCrmsaGbt6xkc7wfDxkLK2grrJLw3z68IFZshfW9me5wth2/s640/Screen+Shot+2017-10-13+at+9.20.21+AM.png)
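The encoder step described above, as an added example that is not the author's script: it XOR-encodes a byte string with a single-byte key, picks a key that cannot produce a null byte (a null appears exactly where an input byte equals the key), emits the result in NASM `db` form for the decoder stub, and checks the round trip. The input bytes are a constructed placeholder, not the execve-stack shellcode from the post.

```python
# Added example, not the post's own encoder script.
# SAMPLE_INPUT is a constructed placeholder byte string, not real shellcode.
SAMPLE_INPUT = bytes([0x48, 0x31, 0xC0, 0xAA, 0x01, 0xFF])


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (decoding is the same operation)."""
    if not 0 < key < 256:
        raise ValueError("key must be in 1..255 so the decoder stub has no null byte")
    return bytes(b ^ key for b in data)


def has_null(data: bytes) -> bool:
    """The check the post performs with objdump: does the blob contain 0x00?"""
    return b"\x00" in data


def pick_key(data: bytes, start: int = 0xAA) -> int:
    """Choose a key that yields a null-free encoding.

    b ^ key == 0 only when b == key, so any key value absent from the input
    works. Try `start` first, then wrap around through the other values.
    """
    candidates = list(range(start, 256)) + list(range(1, start))
    for key in candidates:
        if key not in data:
            return key
    raise ValueError("every value 1..255 occurs in the input; use a multi-byte key")


def to_nasm_db(data: bytes) -> str:
    """Render bytes as a NASM `db` line for pasting into the decoder stub."""
    return "db " + ",".join(f"0x{b:02x}" for b in data)


def encode_for_stub(data: bytes) -> tuple[int, bytes]:
    """Pick a key, encode, and assert the properties the decoder relies on."""
    key = pick_key(data)
    encoded = xor_encode(data, key)
    assert not has_null(encoded), "encoded output must be null-free"
    assert xor_encode(encoded, key) == data, "round trip must restore the input"
    return key, encoded


if __name__ == "__main__":
    key, encoded = encode_for_stub(SAMPLE_INPUT)
    print(f"key: 0x{key:02x}")
    print(to_nasm_db(encoded))
```

Running it prints the chosen key and one `db` line; the key byte itself must also be placed in the decoder stub, which is why zero is rejected as a key.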
Then I pasted the encoded opcode into an XOR decoder nasm script. That script is here.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBhIHRfmBcSJdHr7gYcZkaE8JRWtoM2Nz63UMZ1awDSzkGKmB1GGamWCp2rBd0ONFbrhyraNAjGDac4IY2bCh2ZuU0gXVgekhoC-XG7UgAwEHOykaWRvVLrPNLlGCCgd9qDgFoURsOTOKU/s640/Screen+Shot+2017-10-13+at+9.22.45+AM.png)
After assembling and linking with nasm and ld, I checked for null bytes using the objdump command.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj5SlLDzWmupQkDdUxvhRXxoXpsP19jWdNEI_qNqhgWnjx-HA4k3toIHCMc5LKy15NTgpfCt6ehmGu6n2oM99nTG1A4849LOtIFVOD8wZOWSU72GMoxfucFIWVPugWzYybIlpCcmHyujXVi/s640/Screen+Shot+2017-10-13+at+9.20.58+AM.png)
I extracted the opcode using a modified objdump command.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLXMm8PS4qscUsddSe1LGd_qsOgjOiPuy5LRDTYBUubLDHK4HlJ2EezcnMj9RZLltv7O1CkZElE5c0Octso5Ey7r2PDpG3bBr3SHub7tYVh43yqLMdzWzvuQ3zyyuDTmtUxToqBvC0AFSN/s640/Screen+Shot+2017-10-13+at+9.21.23+AM.png)
Then, I pasted the opcode into the shellcode.c template.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi20bW94njjo4VwlnePvWdFWxQcbSGb3xGaWBR_89ijmB-xVv6kIYiw9OUdsHj32jWMNtpjsp6UBrhkGeworY9px8lb_yhBspKIlyCgKkXQWlpx7QE-WKyiCDvr3rlBkSzj4V9IFv3XTzJP/s640/Screen+Shot+2017-10-13+at+9.23.11+AM.png)
I compiled shellcode.c using the following command:
$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
Then I executed the shellcode binary. It worked. Yay.
File used in this assignment: