Thursday, October 19, 2017

SLAE64 Exam - Assignment 6 of 7 (Polymorphic Shellcode)

This post is the sixth of 7 exam assignments of the Pentester Academy's x86/64 Assembly and Shellcoding on Linux.

SLAE64 - 1501

Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.

All 3 files used in this assignment are here:


  • Take up to 3 shell codes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the existing shellcode
  • Bonus points for making it shorter in length than original

(cat /etc/password)   (82 bytes)

I took the nasm file from the above link, nasm-compiled and linked it. I used a modified objdump command to extract its shellcode.

I pasted the shellcode into the shellcode.c template.

I compiled the shellcode.c template with the modified gcc command:

$   gcc -fno-stack-protector -z execstack shellcode1.c -o shellcode1

I executed the shellcode, confirmed that it executed "cat /etc/passwd", and noted its size (82 bytes).

    Polymorphic version of the original nasm

    I made the following modifications to the original nasm to create a polymorphic version to evade pattern matching:

    (I did this in each of the four "xor rax, rax" instructions.)

    I did the same thing for a "xor rdx, rdx" instruction.

    I nasm-compiled and linked it, then extracted its shellcode and pasted it into the shellcode.c template.
    I executed it, confirmed that it executed "cat /etc/passwd" and noted it had 97 bytes.
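    As an added example (not part of the original post, and not the Shell-Storm shellcode used in it), a small Python checker for the two things the assignment measures: that the variant stays within 150% of the original, and that a naive byte-pattern signature built from the original no longer matches the variant while the bytes a zeroing-idiom rewrite does not touch (the syscall instruction and the path string) still do. The ORIGINAL and VARIANT byte strings are constructed stand-ins.

```python
# Added example, not the post's code: checks a polymorphic variant against a
# byte-signature scan and the assignment's 150% size cap.
from typing import Dict, List

# Constructed stand-ins, NOT the real Shell-Storm shellcode from the post.
# "Original": xor rax,rax (48 31 c0), a syscall (0f 05), and the path string
# that a "cat /etc/passwd" shellcode has to carry.
ORIGINAL = bytes.fromhex("4831c0") + b"\x0f\x05" + b"/etc/passwd\x00"
# "Variant": the zeroing idiom is rewritten as xor eax,eax (31 c0), which also
# clears rax in 64-bit mode; the syscall bytes and the string are unchanged.
VARIANT = bytes.fromhex("31c0") + b"\x0f\x05" + b"/etc/passwd\x00"

SIG_XOR_RAX = bytes.fromhex("4831c0")   # xor rax, rax (brittle signature)
SIG_SYSCALL = b"\x0f\x05"               # syscall (survives the rewrite)


def size_ratio(original_len: int, variant_len: int) -> float:
    """Variant size as a fraction of the original (assignment cap is 1.5)."""
    return variant_len / original_len


def within_size_limit(original_len: int, variant_len: int, limit: float = 1.5) -> bool:
    return size_ratio(original_len, variant_len) <= limit


def find_all(code: bytes, pattern: bytes) -> List[int]:
    """Offsets of every occurrence of a byte pattern (naive signature scan)."""
    hits: List[int] = []
    start = 0
    while True:
        idx = code.find(pattern, start)
        if idx == -1:
            return hits
        hits.append(idx)
        start = idx + 1


def compare(original: bytes, variant: bytes, signature: bytes) -> Dict[str, object]:
    """What a signature taken from the original sees in the variant, plus the
    invariants (syscall bytes, path string) a defender can match on instead."""
    return {
        "size_ok": within_size_limit(len(original), len(variant)),
        "sig_in_original": len(find_all(original, signature)),
        "sig_in_variant": len(find_all(variant, signature)),
        "syscalls_original": len(find_all(original, SIG_SYSCALL)),
        "syscalls_variant": len(find_all(variant, SIG_SYSCALL)),
        "path_string_kept": b"/etc/passwd" in variant,
    }


if __name__ == "__main__":
    for key, value in compare(ORIGINAL, VARIANT, SIG_XOR_RAX).items():
        print(f"{key}: {value}")
```

    With the post's own numbers, within_size_limit(82, 97) and within_size_limit(113, 133) both hold, which is the check the assignment's 150% rule calls for.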

    I created a binary based upon the above shellcode, then a shellcode binary, and executed it.

    Then I created a polymorphic version of its nasm with the following edits.

    Then I created shellcode from this nasm and executed it.

    I confirmed that it executed "execve /bin/sh" as the original did and that its size was 56 bytes.

    (add "" to /etc/hosts)  (113 bytes)

    I made the following edits in 3.nasm.

    I executed the new version of the shellcode, saw that it added the line to /etc/hosts, and that its size was 133 bytes.

    Test results:

    Files used in this assignment:



