Polymorphic Shellcode | Linux x86_64

Introduction

In general, polymorphism means the ability to appear in many forms; it is also the name of a feature of object-oriented programming in computer science. In this post we will take three sample shellcodes from exploit-db and mutate them in order to beat pattern matching. The final shellcode size should be less than or equal to 150% of the original shellcode. Please refer to my SLAE32 series to learn more about polymorphism.

Shellcode I

The first shellcode we’ll look at issues a power-off command via the reboot() function. It is 19 bytes in size, which means we have up to 28 bytes of space.

The following is the final polymorphic shellcode with a size of 27 bytes.

Shellcode II

The second shellcode we’re going to play with changes the hostname to "Rooted !" via the sethostname() function and then terminates every process for which the calling process has permission to send signals, using the kill() function. The original shellcode size is 33 bytes, which leaves us with 49 bytes.

The final shellcode size is 38 bytes.

Shellcode III

The last shellcode generates infinite child processes using the fork() function, which will effectively render the system unavailable. The original shellcode size is 11 bytes, meaning we need to stay at or below 16 bytes.

I was able to shrink the final shellcode down to 7 bytes, which is 4 bytes less than the original one. Definitely an improvement compared to the other two.
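All three mutations above change the bytes of the payload but not what it asks the kernel to do: a reboot, a hostname change followed by kill(-1), or an unbounded run of fork() calls. That is the defender's lever against polymorphism. The following added example (written for this post, not code from the original author or from exploit-db) is a small Python detector that runs over syscall-audit style log lines instead of byte signatures. The log format, every sample line, and the fork-storm threshold are constructed assumptions for the demonstration.

```python
"""
Behaviour-based detection for the three payload classes discussed above.

Constructed example: the record format and every log line are invented for
this demonstration. They mimic strace/audit-style records of the form
    <pid> <syscall>(<args>) = <retval>
Real auditd or strace output differs and would need its own parser.
"""
import re
from collections import defaultdict

# Constructed sample log (not real system output). Mixes benign activity
# (pid 1001) with one process per payload class from the post.
SAMPLE_LOG = """\
1001 fork() = 1002
1001 write(1, "hello", 5) = 5
2001 sethostname("Rooted !", 8) = 0
2001 kill(-1, 9) = 0
3001 reboot(LINUX_REBOOT_MAGIC1, LINUX_REBOOT_MAGIC2, LINUX_REBOOT_CMD_POWER_OFF, 0) = 0
4001 fork() = 4002
4001 fork() = 4003
4001 fork() = 4004
4001 fork() = 4005
4001 fork() = 4006
4001 fork() = 4007
"""

# One record per line: pid, syscall name, raw argument list, return value.
LINE_RE = re.compile(
    r'^(?P<pid>\d+)\s+(?P<name>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+)$'
)

# Assumed threshold: this many fork-family calls from one pid in the
# observed window is treated as a fork storm (tune for the real workload).
FORK_THRESHOLD = 5


def parse_line(line):
    """Parse one record; return a dict or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    raw_args = m.group('args')
    args = [a.strip() for a in raw_args.split(',')] if raw_args else []
    return {'pid': int(m.group('pid')), 'name': m.group('name'),
            'args': args, 'ret': m.group('ret')}


def detect(log_text, fork_threshold=FORK_THRESHOLD):
    """Return (pid, rule, description) alerts for the behaviours from the post.

    Signature matching on the shellcode bytes is defeated by the mutations
    described above; the syscalls the payloads issue are not.
    """
    alerts = []
    fork_counts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a syscall record; skip silently
        pid, name, args = rec['pid'], rec['name'], rec['args']
        if name == 'reboot':
            alerts.append((pid, 'reboot', 'reboot() issued (power-off/restart)'))
        elif name == 'sethostname':
            alerts.append((pid, 'sethostname', 'hostname changed at runtime'))
        elif name == 'kill' and args and args[0] == '-1':
            # kill(-1, sig) signals every process the caller may signal.
            alerts.append((pid, 'kill_all', 'kill(-1, %s) broadcast signal' % args[1]))
        elif name in ('fork', 'vfork', 'clone'):
            fork_counts[pid] += 1
            if fork_counts[pid] == fork_threshold:  # alert once per pid
                alerts.append((pid, 'fork_storm',
                               '%d fork-family calls from one pid' % fork_threshold))
    return alerts


if __name__ == '__main__':
    for pid, rule, desc in detect(SAMPLE_LOG):
        print('pid %d  %-12s %s' % (pid, rule, desc))
```

The design choice is that each rule keys on an argument or a rate rather than on the syscall name alone: a single fork() or an ordinary kill(pid, sig) is normal activity, whereas kill(-1, ...) and a burst of forks from one pid are not, and reboot() or sethostname() from an unexpected process is worth an alert regardless of how the bytes that issued it were arranged.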

Closing Thoughts

This post was a good opportunity for me to explore new functions that might come in handy in the future. All of the above code is available on my github. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579
