Polymorphic Shellcode | Linux x86

Introduction

Polymorphism is a technique used to mutate code in a way that will keep the original function intact. For example, 1+1 and 4-2 both achieve the same result while using different values and operations. Polymorphic shellcode can aid in efforts to evade anti-virus and IDS/IPS. This post will look at couple shellcodes and how to produce polymorphic version of them.

Shellcode I

The first shellcode we’re going to work with is execve(), which basically spawn shell for us

Mutate code and use the comments section to explain the process

Compile and test

Shellcode II

The second shellcode we’re going to mangle is exit(), this one execute exit function with status code of 1

Mutate code and use the comments section to explain the process

Compile and test

Shellcode III

The third and last shellcode we’re going to deal with is fork(), this one will enter fork loop until system crashes

Mutate code and use the comments section to explain the process

Compile it

Note: Obviously we’re not going to test this one unless we want to crash the system

Closing Thoughts

I chose very simple shellcode examples so we can focus on the concept of polymorphism, hope you learned something from this post. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%206

 

Disecting Msfvenom Shellcode | Linux x86

Introduction

 In this post, we will analyze three samples of Linux x86 based shellcode generated by msfvenom using different tools. Now before going into the next section here’s the list of what is available to us.

Shellcode I

The first shellcode we’ll look at is adduser, the following are the options that needs to be feed into the payload

Generating shellcode

Compile and test

Use Ndisasm to dump assembly code

Analyze code line by line using the comments section

syscall reference setreuid(), open(), write(), exit()

Shellcode II

The second shellcode we’re going to look at is chmod, the following are the options that needs to be feed into the payload

Generating shellcode using default options

Compile and test

Use GDB with peda to dump assembly code

Analyze code line by line using the comments section

syscall reference chmod() and exit()

Shellcode III

The third and last shellcode we’re going to dissect is shell_bind_tcp, let’s check payload options

Generating shellcode

Compile and test

Use libemu to dump assembly code

Analyze code line by line using the comments section

syscall reference socketcall()dup2(), and execute()

Closing Thoughts

Stepping through msfvenom shellcode taught me few behind the scene tricks, also it cleared my doubts as far as how some of the commands work. Hope you learned something too! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%2015

 

[ROT-N + Shift-N + XOR-N] Shellcode Encoder | Linux x86

Introduction

According to English dictionary, encode is converting something, such as a body of information from one system of communications to another; especially: to convert a message into code. This blog post will combine three basic encoding operations (more on that later) to encode sample shellcode and then decode/execute it to demonstrate the concept.

Encoder

In this section, we’ll create 3-phase encoder that takes one byte of given shellcode at a time, mangle it and then produce an encoded word (2 bytes). The following will describe what each phase will do. Phase I (ROT-N), in this phase we add number N to shellcode byte. Phase II (Shift-N), in this phase we shift stdout from phase one to left by N. Phase III (XOR-N), here we just XOR stdout from phase two to get the final encoded word. Before we start working on the encoder, let’s write shellcode that spawn shell to test with.

Let’s compile execve() code block and then dump shellcode

We’ll create python script that takes ROT, Shift, and XOR as user input and print original and encoded shellcode, please note you still need to change shellcode inside the script to your liking. For this post, we’ll use the one created earlier.  It’s worth noting that the script shift operation number can only be anything between 1 and 8 bits due to encoded_shellcode size (word) in the decoder. Also, we’ve added XOR input value to the end of the encoded shellcode as terminator, so if XOR operation in the decoder results in zero that means hey stop decoding.

Generate encoded shellcode

Decoder

Now comes the decoding part, let’s write code that basically takes encoded shellcode produced earlier , decode it in reverse order and then execute

Compile and dump shellcode

Add it to final exploit

Demo time

Closing Thoughts

I believe learning shellcode encoding is vital to exploit development, in order to evade modern anti-viruses and/or intrusion detection/prevention systems. Please note all of the code in this post were tested on Ubuntu 12.04.5 LTS. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel .

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%204

Egg Hunter for The Win | Linux x86

Introduction

What is egg hunter? and why on earth would you need it? This post will answer these questions and discuss access() syscall, which will be a vital part of our shellcode. The post will then conclude by demoing a working egg hunter shellcode. Please note all of the work here is based off of Skape’s paper.

Egg Hunting

Egg hunting is a technique used to search Virtual Address Space (VAS) for pattern referred to by Egg that usually marks the start of our desired payload. Now you would probably be asking what if we hit an unallocated memory while searching for that pattern? Well, the answer is the process will SIGSEGV leading to a crash! To prevent this kind of behavior we will abuse access() syscall to hunt for our egg without crashing (more on that later). A good example of egg hunter use case is buffer overflow exploit with limited buffer size that won’t allow for large payloads such as bind or reverse shell, so we use egg hunter as stager to capture and execute payload of our chosen.

access()

access() syscall is used to check what permissions the calling process has to a file referred to by pathname, and it consist of two arguments as shown below

Two reasons you’d want to use access() syscall, the first being it doesn’t have lots of arguments thus less registers to initialize, which translate to smaller size. The second reason is we’re looking for function that doesn’t write to the pointer, cause that will defeat the purpose. We’ll use pathname pointer to preform address validation by observing the ZF flag, when the pointer hits unallocated memory it will return EFAULT, meaning hey this memory page is bad try the next one. Let’s identify access() ID “EAX”

Also its worth noting that we’ll need to repeat our egg twice (8 bytes) to avoid collision of egg hunter with itself, so the egg hunter will have to have two matches before it jumps to payload.

Final Shellcode

Now that we know what egg hunter and access() does, let’s write egg hunter code and then test it!

Let’s compile and dump shellcode!

Here’s the final egg hunter shellcode coupled with “/bin/dash” from exploit-db

Demo time!

Closing Thoughts

I don’t know about you but I find egg hunter method really fascinating and I’m glad I learned how to write my own! Thank you Skape for your awesome work! Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . All of the code is available on on my github as shown in the link below.

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%203

Creating Custom TCP Reverse Shell | Linux x86

Introduction

Reverse TCP shell consist of three syscalls, one for setting up socket that includes socket(), connect() functions. The second syscall is dup2() for file descriptors, and the last syscall execve() is used to spawn shell upon successful TCP connection. Please note that most of the functions mentioned here have already been covered in my previous blog post TCP Bind, hence this post will only focus on connect() function, which is the main difference between bind and reverse shell! The post will then conclude by tying all the pieces together to create working shellcode.

socket()

socket() is used to create medium for communication, for more information on this function please refer to TCP Bind blog post. let’s code!

connect()

This is where we’re going to spend most of our time, connect() function basically connect a socket referred to by sockfd file descriptor to an address specified by addr, and it consist of three arguments as shown below

sockfd is used to point to socket() created earlier, hence we will save its address to “ESI”. addr is where we specify our desired IP address and it’s broken down to three parts as shown below

Now sin_family is pretty self-explanatory so will go with “AF_INET”, which according to the first code block in socket() translates to “2”.  Also we’ll go with “1337” for sin_port and “192.168.80.129” for sin_addr both values needs to be pushed in network byte order “big-endian”, and here’s why RFC1700. The last argument would be addrlen which defines the size of addr in bytes, “16” in our case. Let’s identify ID for connect() function “EBX”

Back to the terminal

dup2()

dup2() is used to duplicate file descriptors, for more information on this function please refer to TCP Bind blog post. some more code!

execve()

execve() is used to execute a program, for more information on this function please refer to TCP Bind blog post

Final Shellcode

Now that we have all the pieces of the puzzle, let’s compile and test and then create python script that takes an IP address and port number and add it to our custom shellcode, here’s final code

Here’s graphical version of it

Demo time!

Let’s dump shellcode and then use it to create python script

Here’s the script

Running the script with same ip address and port will output exact same shellcode generated earlier!

Closing Thoughts

This post is continuation of TCP Bind one, hence did not have much information outside what we’ve already learned. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . All of the code is available on on my github as shown in the link below. Hope this post has been a good resource and I’d like to thank you for viewing!

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%202

 

 

Creating Custom TCP Bind Shell | Linux x86

Introduction

Bind TCP shell require three syscalls, one for setting up socket that includes socket(), bind(), listen(), and accept() functions. The second syscall is dup2() for file descriptors, and the last syscall execve() used to spawn shell upon receiving a successful TCP connection. This post is an in depth analysis of those syscalls and/or functions as well as their corresponding assembly code. The post will then conclude by tying all the pieces together to create working shellcode.

socket()

The socket() function is responsible for creating a communication medium using file descriptors and it consist of three arguments domain, type, and protocol as shown below.

Domain argument specify the protocol family which will be used for communication, we will be dealing with IPv4 Internet protocols hence will use “AF_INET”. The second argument that we need to provide is type, type is responsible for selecting socket type “SOCK_STREAM” for TCP connections in our case. Protocol argument is used to specify what protocol can work with the socket, we only have single protocol hence will go with “0”. Now that we know what the function does let’s update it with our desired values

Let’s check socket syscall ID on Linux x86 system “EAX”

Now we need to find ID for “SOCK_STREAM”

And “AF_INET”

Finally, we need to figure out what system socket call function ID is “EBX”

Now that we have all the information we need, let’s start coding!

bind()

The bind() function is used to bind an address to a socket, and it consist of three arguments sockfd, addr, and addrlen as shown below

sockfd points to the socket() to bind an address to, hence we need to save the content of “EAX” after socketcall interrupt in socket() to “ESI”. The second argument addr is basically where you assign an IP address to the socket, but wait there is more to it than just assigning an IP address, according to ip(7) manpage under address format section addr consist of three parts sin_family, sin_port, and sin_addr as shown below

Now sin_family is pretty self-explanatory so will go with “AF_INET”, which according to the first code block in socket() translates to “2”. sin_port will be “2018” and needs to be pushed in network byte order “big-endian”, why you ask? Well, here’s quote from RFC1700

sin_addr on the other hand is were we actually put in an IP host address in network byte order, and hence we want to listen on all interfaces will go with “INADDR_ANY” which translates to “0”. The last argument would be addrlen which defines the size of addr in bytes. lets update bind() function

Its time to find ID for bind() function “EBX”

Back to the terminal

listen()

listen() function allow for socket referred to by socket file descriptor to listen for incoming connections. The function have two arguments sockfd and backlog as shown below

At this point I think we all know what socketfd does, hence will use “EDX” to point to socket(). The second argument backlog is where you store the maximum length of the queue for pending connections before it stop accepting new ones, in this case will use “1”. Let’s update listen()

Let’s check listen() function ID “EBX”

Now let’s code

accept()

accept() function is used to accept incoming connections for socket specified by sockfd. The function have three arguments which have already been covered in previous sections as shown below

Now in accept() case addr and adrrlen is referring to the peer socket which we don’t care about, hence will go with “0”. Let’s update accept()

Its time to check accept() function ID “EBX”

Off to the terminal we go

dup2()

dup2() syscall is used to duplicate file descriptors and by file descriptors I mean stdin, stout, and stderr, and it consist of two arguments oldfd and newfd as shown below

oldfd is basically peer socket file descriptor, hence we will store “EAX” content in “EBX” from accept(). newfd is where we specify new file descriptors. Let’s update dup2()

Let’s get dup2() syscall ID “EAX”

Coding we shall

execve()

execve() syscall basically execute a binary and/or script, and it consist of three arguments as shown below

filename is the pointer to the binary to be executed “/bin//sh” in our case, now the reason we went with “/bin//sh” instead of usual “/bin/sh” is the fact we need to push 8 bytes without effecting the executable, which we did! The second argument argv[] is an array of arguments to be passed on to the binary as strings, the first argument must contain the address of executable in question argv[0]. The last argument envp[] is an array of strings to be passed on to executable environment, we’re not going to use any hence will go with “0”. Let’s update execve()

Let’s check execve() syscall ID

Some more code!

Final Shellcode

In this section we will glue all of previous code blocks together as shown below and then produce our final working shellcode. Feel free to skip the following code and go right to the graphical representation!

Here’s graphical representation of the final code for your convenience

 

Its Demo Time! Let’s compile and run

Now that we know it works, let’s go ahead and generate shellcode and then create python script that takes port number as an input and add it to our shellcode

Here’s the script

Now running the script with port 2018 will output the exact same shellcode generated earlier!

Closing Thoughts

I most certainly picked up new skills writing this blog post and hope you did too! All of the above code is available on my github as shown in the link below. Feel free to contact me for questions using the comment section below or just tweet me @ihack4falafel . This post is one of many to come so stay tuned!

This blog post has been created for completing the requirements of the SecurityTube Linux
Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID:    SLAE-1115

Github Repo: https://github.com/ihack4falafel/SLAE32/tree/master/Assignment%201

C0m80 – Challenge

Introduction

This post is walk-through of how to root C0m80. The challenge is considered hard or at least it was for me. Shout out to @3mrgnc3 for putting it together, I did come out the other end with new tricks up my sleeves. You can download the VM from here. Lastly, my apologies for the lengthy post, I tried my best to keep it to minimal.

Walkthrough

Enumeration is KEY if you plan on conquering c0m80. We’ll start by firing off a quick n’ dirty recon script I made, which consist of nmap, nikto, dirb, and enum4linux. You can download the script from here, I also took the liberty of removing all of the junk output that we don’t care about!