SLAE: Assignment 4 of 7

Assignment #4:
- Create a custom encoding scheme like the "Insertion Encoder" demonstrated in the course
- Proof of concept using execve-stack as the shellcode to encode with your scheme and execute
=====================================================================

First we get the shellcode of the execve-stack:

"\x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

\x68\x50\xc0\x31\x73\x6c\x2f\x2f\x69\x62\x2f\x68\x50\xe3\x89\x6e\x89\x53\xe2\x89\xcd\x0b\xb0\xe1\x90\x90\x90\x80
0x68,0x50,0xc0,0x31,0x73,0x6c,0x2f,0x2f,0x69,0x62,0x2f,0x68,0x50,0xe3,0x89,0x6e,0x89,0x53,0xe2,0x89,0xcd,0x0b,0xb0,0xe1,0x90,0x90,0x90,0x80

Note: Our encoder works and we now have our encoded shell. Now on to the assembly!

Note: We compile our decoder1.nasm code:

"\xeb\x12\x5e\xb1\x1c\x83\xe9\x04\x8b\x04\x0e\x0f\xc8\x50\x85\xc9\x75\xf3\xff\xe4\xe8\xe9\xff\xff\xff\x68\x50\xc0\x31\x73\x6c\x2f\x2f\x69\x62\x2f\x68\x50\xe3\x6e\x89\x53\xe2\x89\xcd\x0b\xb0\xe1\x90\x90\x90\x80"
Note: our original shellcode was:
"\x31\xc0\x50\x68\x2f\x2f\x6c\x73\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

Note: We run our decoder1 program in gdb, and check the decoded value on the stack:

Breakpoint 1, 0x08048072 in DECODESHELL ()
0xbffff3f4:    0x31    0xc0    0x50    0x68    0x2f    0x2f    0x6c    0x73
0xbffff3fc:    0x68    0x2f    0x62    0x69    0x6e    0x89    0xe3    0x50
0xbffff404:    0x89    0xe2    0x53    0x89    0xe1    0xb0    0x0b    0xcd
0xbffff40c:    0x80    0x90    0x90    0x90    0x01    0x00    0x00    0x00

Note: Upon executing the decoder, we see the execve('/bin/ls') execute from the stack as expected - Nice!

Now we can improve our encoder and decoder by encoding in a stack-friendly manner.
The idea is that we'll PUSH the DWORDS on the stack in reverse order (since stack is reverse)
This way, we can use the stack functionality to save a few decoder bytes.

Doing this is easy in Python. First we take our shellcode and split it in chunks of 4 bytes:
splittedshellcode = [shellcode[i:i+4] for i in range(0, len(shellcode), 4)]

Then we reverse the array obtained:
reversedshellcode = splittedshellcode[::-1]

Then we concatenate (join) the words without additional characters in between to form a new string.
joinedshellcode = "".join(reversedshellcode)

The above commands can be performed in a single command as follows:
shellcode_reversed = "".join([shellcode[i:i+4] for i in range(0, len(shellcode), 4)][::-1])

Our new encoder (encoder2.py):

\x90\x90\x90\x80\xcd\x0b\xb0\xe1\x89\x53\xe2\x89\x50\xe3\x89\x6e\x69\x62\x2f\x68\x73\x6c\x2f\x2f\x68\x50\xc0\x31
0x90,0x90,0x90,0x80,0xcd,0x0b,0xb0,0xe1,0x89,0x53,0xe2,0x89,0x50,0xe3,0x89,0x6e,0x69,0x62,0x2f,0x68,0x73,0x6c,0x2f,0x2f,0x68,0x50,0xc0,0x31

Note: Our encoder2 script works and we now have our encoded shell. Effectively we've reversed our whole shellcode
Our encoder can be simplified even more:
Our new encoder (encoder3.py):

We can now simplify the assembly decoder:

Note: The size of our finished assembly decoder is 10 bytes.

Note: We see the directory listing of our directory, which means our shellcode execve(/bin/ls) ran successfully

Filed under: Exclude from front page SLAE