SLAE64 - 1501
Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.
All 3 files used in this assignment are here:
- Take up to 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making it shorter in length than original
I took the nasm file from the above link, compiled it with nasm and linked it. I used a modified objdump command to extract its shellcode.
I pasted the shellcode into the shellcode.c template.
$ gcc -fno-stack-protector -z execstack shellcode1.c -o shellcode1
I executed the shellcode, confirmed that it executed "cat /etc/passwd", and noted its size (82 bytes).
Polymorphic version of the original nasm
I made the following modifications to the original nasm to create a polymorphic version to evade pattern matching:
(I did this for each of the four "xor rax, rax" instructions.)
I did the same thing for a "xor rdx, rdx" instruction.
I nasm compiled and linked it, then extracted its shellcode and pasted into the shellcode.c template.
I executed it, confirmed that it executed "cat /etc/passwd" and noted it had 97 bytes.
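To show why swapping the register-zeroing instructions defeats a byte-exact signature, and what a detection rule has to do instead, here is an added example (not part of the original post, and not its shellcode): it scans two constructed byte fragments, one zeroing rax/rdx with `xor` and one with an equivalent `sub`, first with a literal-bytes signature and then with a rule that canonicalises the zeroing idiom before matching. The fragments, the opcode table and the 150% size check are my assumptions for illustration.

```python
"""Byte-exact signature vs. normalised matching on a zeroing-idiom swap.
Sample bytes are constructed for this example; they are not a working payload."""

# Constructed fragments: zero rax and rdx, then `syscall` (0f 05).
# ORIGINAL uses `xor rax, rax` (48 31 c0) / `xor rdx, rdx` (48 31 d2);
# VARIANT uses the equivalent `sub rax, rax` (48 29 c0) / `sub rdx, rdx` (48 29 d2).
ORIGINAL = bytes.fromhex("4831c0" "4831d2" "0f05")
VARIANT = bytes.fromhex("4829c0" "4829d2" "0f05")

# A naive signature: the literal encoding of `xor rax, rax`.
EXACT_SIG = bytes.fromhex("4831c0")


def exact_match(blob: bytes, sig: bytes = EXACT_SIG) -> bool:
    """What a plain byte-pattern scanner does: substring search."""
    return sig in blob


REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
# xor r/m,r ; xor r,r/m ; sub r/m,r ; sub r,r/m  -- all zero a register when reg == rm.
ZERO_OPCODES = {0x31, 0x33, 0x29, 0x2B}


def zeroing_idioms(blob: bytes):
    """Scan every offset for `xor/sub reg, reg` (optionally REX.W-prefixed) and
    return canonical ('ZERO', register, offset) tokens. A 32-bit form such as
    `xor eax, eax` clears the full 64-bit register too, so it gets the same name.
    Scanning at every byte offset can also fire on data bytes; that is the usual
    false-positive trade-off of signature scanning."""
    hits, i = [], 0
    while i + 1 < len(blob):
        j = i + 1 if blob[i] == 0x48 else i  # optional REX.W prefix
        if j + 1 < len(blob):
            op, modrm = blob[j], blob[j + 1]
            if op in ZERO_OPCODES and modrm >> 6 == 3 and (modrm >> 3) & 7 == modrm & 7:
                hits.append(("ZERO", REG64[modrm & 7], i))
                i = j + 2  # skip past the matched instruction
                continue
        i += 1
    return hits


def normalised_match(blob: bytes, required=("rax", "rdx")) -> bool:
    """Rule on canonical tokens: the required registers are zeroed by *some*
    idiom and a `syscall` is present. Holds for both byte-level variants."""
    zeroed = {reg for _, reg, _ in zeroing_idioms(blob)}
    return set(required) <= zeroed and b"\x0f\x05" in blob


def within_size_limit(original: bytes, variant: bytes, limit: float = 1.5) -> bool:
    """The assignment's constraint: the variant may not exceed 150% of the original."""
    return len(variant) <= limit * len(original)
```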
http://shell-storm.org/shellcode/files/shellcode-603.php - ("execve /bin/sh") (30 bytes)
I built a binary from the above shellcode's nasm source, then a shellcode binary from the extracted bytes, and executed it.
Then I created a polymorphic version of its nasm with the following edits.
Then I created shellcode from this nasm and executed it.
I confirmed that it executed "execve /bin/sh" as the original did and that its size was 56 bytes.
http://shell-storm.org/shellcode/files/shellcode-896.php - (add "127.1.1.1 google.lk" to /etc/hosts) (113 bytes)
I made the following edits in 3.nasm.
I executed the new version of the shellcode, saw that it added the line to /etc/hosts, and that its size was 133 bytes.
Files used in this assignment: