[ROT-N + Shift-N + XOR-N] Shellcode Encoder | Linux x86_64

Introduction

Encoding schemes are used to transform data in a way that makes it consumable by different systems in a safe manner. In this post we’ll look at how we can bypass AVs by ab(using) this scheme to encode otherwise detectable shellcode.

Shellcode

We will be porting an x86 encoder I made a while back (published on exploit-db) to make it work with x86_64. Please refer to my SLAE32 series for more details on the encoder. I've also made a quick execve() shellcode to test with.

The encoder (a Python script) pretty much stays as is; all we need to do is feed it our newly created /bin/sh shellcode and generate an encoded version of it.

Here’s Decoder.asm ported to x86_64 including previously generated encoded shellcode.

Let’s run it.

Out of curiosity, I decided to compare my x86 encoded shellcode VT results (taken at the time the original x86 encoder was created) with x86_64 one and I found the results quite interesting.

x86 VT Results

x86_64 VT Results

Closing Thoughts

The VT results clearly show that AV vendors don't care much for x86_64 shellcode at this point in time, which is another good reason why we should use it more. All of the above code is available on my github. Feel free to contact me with questions using the comment section below or just tweet me @ihack4falafel.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html

Student ID: SLAE64 – 1579
