Thursday, October 19, 2017

SLAE64 Exam - Assignment 6 of 7 (Polymorphic Shellcode)

This post covers the sixth of the 7 exam assignments for Pentester Academy's x86/64 Assembly and Shellcoding on Linux course.

SLAE64 - 1501

Success in these 7 assignments results in the Pentester Academy's SLAE64 certification.

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html


All 3 files used in this assignment are here:
https://github.com/clubjk/SLAE64-3/tree/master/exam/polymorphic

Assignment:

  • Take up to 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the existing shellcode
  • Bonus points for making it shorter in length than the original

http://shell-storm.org/shellcode/files/shellcode-878.php - (cat /etc/password)   (82 bytes)

I took the nasm file from the above link, compiled it with nasm and linked it. I used a modified objdump command to extract its shellcode.



I pasted the shellcode into the shellcode.c template.




I compiled the shellcode.c template with the modified gcc command:


$   gcc -fno-stack-protector -z execstack shellcode1.c -o shellcode1

I executed the shellcode, confirmed that it executed "cat /etc/passwd", and noted its size (82 bytes).


Polymorphic version of the original nasm

I made the following modifications to the original nasm to create a polymorphic version to evade pattern matching:


(I did this in each of the four "xor rax, rax" instructions.)

I did the same thing for a "xor rdx, rdx" instruction.



I nasm-compiled and linked it, then extracted its shellcode and pasted it into the shellcode.c template.
I executed it, confirmed that it executed "cat /etc/passwd" and noted its size was 97 bytes.
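The extract-paste-measure loop described above (objdump output to the "\x.." string for shellcode.c, byte count, and the 150% size check from the assignment rules) is repeated for every shellcode in this post. The script below is an added example, not code from the original post or from the SLAE64 course, that automates that step; it parses the byte columns of standard `objdump -d` output (the post's "modified objdump command" is not reproduced here), and the disassembly it parses is a constructed sample, not the bytes of the shell-storm shellcodes. It also flags NULL bytes, which a C-string based loader like the shellcode.c template would truncate on.

```python
"""Helpers for the extract-and-measure step of the assignment.

Added example (not code from the original post or the SLAE64 course):
  - parse the hex byte columns of `objdump -d` text into the "\\x.." string
    that gets pasted into the shellcode.c template,
  - count the bytes and report NULL byte offsets (a NULL truncates the
    payload in any strcpy-style loader),
  - check the assignment's 150% size limit between original and variant.
SAMPLE_OBJDUMP is constructed input, not output from the post's binaries.
"""
from __future__ import annotations

import re

# Constructed `objdump -d` sample; only the hex byte columns are used.
# The last mov is there on purpose: its imm32 encoding carries three NULLs.
SAMPLE_OBJDUMP = """
sample.o:     file format elf64-x86-64

Disassembly of section .text:

0000000000000000 <_start>:
   0:   48 31 c0                xor    %rax,%rax
   3:   50                      push   %rax
   4:   48 89 e7                mov    %rsp,%rdi
   7:   b8 3c 00 00 00          mov    $0x3c,%eax
   c:   c3                      ret
"""

# A code line: hex offset, colon, then one or more two-digit hex bytes
# each followed by whitespace (so a mnemonic such as "add" never matches).
_CODE_LINE = re.compile(r"^\s*[0-9a-f]+:\s+((?:[0-9a-f]{2}\s+)+)")


def extract_bytes(objdump_text: str) -> bytes:
    """Collect the machine-code bytes from objdump -d text, in address order."""
    out = bytearray()
    for line in objdump_text.splitlines():
        m = _CODE_LINE.match(line)
        if m:
            out.extend(int(b, 16) for b in m.group(1).split())
    return bytes(out)


def to_c_string(code: bytes) -> str:
    """Render bytes as the "\\x.." literal used in the shellcode.c template."""
    return "".join(f"\\x{b:02x}" for b in code)


def null_byte_offsets(code: bytes) -> list[int]:
    """Offsets of 0x00 bytes; any hit means a C-string copy would cut the payload."""
    return [i for i, b in enumerate(code) if b == 0]


def within_size_limit(original_len: int, variant_len: int, limit: float = 1.5) -> bool:
    """Assignment rule: the polymorphic variant may not exceed 150% of the original."""
    return variant_len <= original_len * limit


def report(objdump_text: str, original_len: int | None = None) -> dict:
    """Summarise one disassembly; pass original_len to also check the size rule."""
    code = extract_bytes(objdump_text)
    info = {
        "length": len(code),
        "c_string": to_c_string(code),
        "null_offsets": null_byte_offsets(code),
    }
    if original_len is not None:
        info["size_ratio"] = len(code) / original_len
        info["within_limit"] = within_size_limit(original_len, len(code))
    return info


if __name__ == "__main__":
    r = report(SAMPLE_OBJDUMP)
    print(f"{r['length']} bytes, NULL bytes at offsets {r['null_offsets']}")
    print(r["c_string"])
    # The post's own numbers: 82-byte original, 97-byte variant (about 118%).
    print("82 -> 97 within limit:", within_size_limit(82, 97))
```

Run it against a real `objdump -d` capture by replacing SAMPLE_OBJDUMP (or reading the text from a file); the `null_offsets` list is the thing to look at before pasting the string into shellcode.c, since a single 0x00 explains a variant that "does nothing" when executed.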






I created a binary based upon the above shellcode, then a shellcode binary, and executed it.


Then I created a polymorphic version of its nasm with the following edits.





Then I created shellcode from this nasm and executed it.



I confirmed that it executed "execve /bin/sh" as the original did and that its size was 56 bytes.


http://shell-storm.org/shellcode/files/shellcode-896.php - (add "127.1.1.1 google.lk" to /etc/hosts)  (113 bytes)


I made the following edits in 3.nasm.







I executed the new version of the shellcode, saw that it added the line to /etc/hosts, and that its size was 133 bytes.



Test results:



Files used in this assignment:

1.nasm
1poly.nasm
shellcode1.c
shellcode1poly.c

2.nasm
2poly.nasm
shellcode2.c
shellcode2poly.c

3.nasm
3poly.nasm
shellcode3.c
shellcode3poly.c