SLAE64 - 1501
Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.
http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
All 3 files used in this assignment are here:
https://github.com/clubjk/SLAE64-3/tree/master/exam/polymorphic
Assignment:
- Take up to 3 shell codes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making it shorter in length than original
I took the nasm file from the above link, compiled it with nasm and linked it, then used a modified objdump command to extract its shellcode.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtbTOn2qUiAtTDMV1kzHOG0Ts3GFfx1hwfxrpdjRP8w5LOr6t7SefZcLXgqKoTtbF7iu7PkXbv4kznwFqFmhGyXBRxFs-xPQ0nUbZPzc06Xb0gxj55FQMC6sFmweFCXfclV6QK-NlP8agT/s640/Screen+Shot+2017-10-19+at+11.43.20+AM.png)
I pasted the shellcode into the shellcode.c template.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjsqE2BbAaypzZaxaAHhpXQJ-ShJu1K6XV9rXpmv1obPHgjGN1_GNFAJmXQMTlVh1ZJks2NdC9WOmgkFVoK7JKVNp08FiW1H_mXr3wB6JlDuMkl3qlFvKFVECOuT8i5P_4kCOAFEDLWKMc/s640/Screen+Shot+2017-10-19+at+11.46.04+AM.png)
`$ gcc -fno-stack-protector -z execstack shellcode1.c -o shellcode1`
I executed the shellcode, confirmed that it executed "cat /etc/passwd", and noted its size (82 bytes).
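As an added example (mine, not from the post or the SLAE64 course), a Python helper for the extraction and measuring steps above: it parses `objdump -d` output into raw bytes, including the continuation lines objdump emits for long instructions, renders them in the `\x..` form the shellcode.c template takes, and reports the variant's size ratio against the assignment's 150% limit. The objdump text below is a constructed sample, not the post's shellcode; the report also flags null bytes, since the template's `strlen()` only measures the buffer correctly when there are none.

```python
import re

# Constructed sample of `objdump -d` output (not the post's shellcode); the
# movabs instruction is wrapped by objdump onto a second, mnemonic-less line.
SAMPLE_OBJDUMP = """\
sample:     file format elf64-x86-64

Disassembly of section .text:

0000000000400080 <_start>:
  400080:\t48 31 c0             \txor    %rax,%rax
  400083:\t50                   \tpush   %rax
  400084:\t48 b8 2f 62 69 6e 2f \tmovabs $0x68732f2f6e69622f,%rax
  40008b:\t2f 73 68
  40008e:\t48 89 e7             \tmov    %rsp,%rdi
"""

# A code line is "<addr>:<tab><hex bytes><tab><mnemonic>"; continuation lines
# carry only the address and bytes, so the mnemonic is optional here.
LINE_RE = re.compile(r"^\s*[0-9a-f]+:\s+([0-9a-f]{2}(?: [0-9a-f]{2})*)", re.I)


def parse_objdump(text: str) -> bytes:
    """Collect the opcode bytes from objdump -d output, in address order."""
    out = bytearray()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def to_c_string(code: bytes) -> str:
    """Render bytes as the \\x-escaped C string the shellcode.c template uses."""
    return '"' + "".join(f"\\x{b:02x}" for b in code) + '"'


def polymorphic_report(original: bytes, variant: bytes, max_ratio: float = 1.5) -> dict:
    """Check the assignment constraints (variant at most 150% of the original, bonus
    if shorter) and whether strlen() can measure each buffer (no null bytes)."""
    ratio = len(variant) / len(original)
    return {
        "original_len": len(original),
        "variant_len": len(variant),
        "ratio": round(ratio, 3),
        "within_limit": ratio <= max_ratio,
        "shorter_than_original": len(variant) < len(original),
        "original_null_free": b"\x00" not in original,
        "variant_null_free": b"\x00" not in variant,
    }
```

`parse_objdump` works on the output of `objdump -d <binary>` for any of the linked nasm objects; feed the original and the polymorphic build to `polymorphic_report` to get the ratio the assignment asks for.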
Polymorphic version of the original nasm
I made the following modifications to the original nasm to create a polymorphic version to evade pattern matching:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjhvBB48llOiN80vPWzLFtWpaCrmDbVBQVIAJEzWIAYTpWiUl6i6Of0DlWX5ZyUQQE-KZ77M2WO0BzaB-BQL0FF6HToQlQzNlqHdXWoY_NwN6_qWZUo6G6ShRg8oCzG5df3iyz_60h2Anl5/s400/Screen+Shot+2017-10-19+at+11.55.32+AM.png)
(I did this in each of the four "xor rax, rax" instructions.)
I did the same thing for a "xor rdx, rdx" instruction.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuY1gvBcOlmlKH6o4f7ciFCV1Wr7vyaC__-TRD9irdOt8jVndK11vMNr6BIo8oK3EJXGyWJJzZzbyIpXpdtE-aFLg0jFmexgBBHm3GHBTsNtkmMccpKSPYSZLmWzGjKGfM4xbyWYo7Unog/s400/Screen+Shot+2017-10-19+at+11.58.35+AM.png)
I compiled it with nasm and linked it, then extracted its shellcode and pasted it into the shellcode.c template.
I executed it, confirmed that it executed "cat /etc/passwd" and noted it had 97 bytes.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGWVryyCx1bKY4JpXbtjU72G8Lv-fgvb6nBkveuUX0CL_7OcYNCbfLTjnLTbZgPVQNB6zRaWTuFqtvnITz3pNkgtKfVkKzXUTI9pfYNZsN0HsXgN5EFU2IEpDbisDQBkOr0MLjoDGdlgv3/s400/Screen+Shot+2017-10-19+at+12.01.23+PM.png)
http://shell-storm.org/shellcode/files/shellcode-603.php - ("execve /bin/sh") (30 bytes)
I created a binary based upon the above shellcode, then a shellcode binary and executed it.
Then I created a polymorphic version of its nasm with the following edits.
Then I created shellcode from this nasm and executed it.
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9yoY7m8Sfwsjn0YlOixAWZourtDrkk5vWaudy0NBZEDw4id3UZpHHC75gsjhdpNgc2JARdf1XvMElxnNso6jcPZ-JZM9BzZZ4Mkh-OBd7fkEghVHi4MH3V2VvdQqThL6HbwR0sH6jfOld/s400/Screen+Shot+2017-10-19+at+12.26.07+PM.png)
I confirmed that it executed "execve /bin/sh" as the original did and that its size was 56 bytes.
http://shell-storm.org/shellcode/files/shellcode-896.php - (add "127.1.1.1 google.lk" to /etc/hosts) (113 bytes)
I made the following edits in 3.nasm.
I executed the new version of the shellcode, saw that it added the line to /etc/hosts, and noted that its size was 133 bytes.
Test results:
Files used in this assignment:
- 1.nasm
- 1poly.nasm
- shellcode1.c
- shellcode1poly.c
- 2.nasm
- 2poly.nasm
- shellcode2.c
- shellcode2poly.c
- 3.nasm
- 3poly.nasm
- shellcode3.c
- shellcode3poly.c