• Free to use any existing encryption schema
• Can use any programming language
Searching for a starting point on this exercise I discovered the python pyaes library. (https://github.com/ricmoo/pyaes)
According to the git page this is a "Pure-Python implementation of AES block-cipher and common modes of operation."
Its README.md shows some common modes of operation and advises using either Cipher Block Chaining (CBC) or Counter (CTR) mode.
Since the implementation of this library also shows that for the CBC variant the plaintext needs to be 16 bytes, we need to figure out how to deal with this, because chances are the shellcode that is going to be provided is not 16 bytes in size. Luckily for me, in this exercise the CTR mode does not have this limitation:
plaintext = "Text may be any length you wish, no padding is required"
We use the pyaes module, which can be installed with pip install pyaes.
We start by writing the encrypter:
Note that we have a hardcoded key and hardcoded shellcode. Should you want to change either of them, do it here.
The shellcode that is included is the shellcode created in assignment 6: the polymorphic code for ejecting the cdrom tray.
For further processing of the shellcode we need to add some additional quotes around it, after which we write the encrypted shellcode to a file called body.
Creating the decrypter should not be that hard now that we have the encrypter.
Since AES is a symmetric cipher, the same key is used for encrypting as well as for decrypting. So we need to make sure the decrypter file has the same key.
Now that we have solved the encryption / decryption issue we want to automate things a bit further:
I had some serious issues automating the import of the shellcode. Ultimately I ended up using eval(), which I should not be using with uncontrolled input. At the moment this should not be an issue as the initial shellcode is hardcoded, but actually I was thinking about including the shellcode as a user-supplied variable. That's something I'm not going to do now.
But for now I don't have any clue how to bypass the issue, and I don't think it matters, as the purpose of this training is understanding the basics of assembly and not Python file I/O handling...
For now I'm getting the same results (compared to hardcoding the decrypted shellcode -- see the commented line in decrypter.py) by opening the file and saving it to a variable using eval:
with open("body") as file:
    # rebuild the quoted shellcode string from the body file via eval(), as described above
    shellcode = eval('str("' + file.read().strip() + '")')
We end the decrypting steps by writing the decrypted shellcode to a file (bodydec).
At this moment we have a working encryption and decryption process. What remains is the actual execution of the shellcode.
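As an added illustration (this is not the encrypter.py or decrypter.py from this write-up), the following Python shows the two things the steps above rely on: CTR mode turning the AES block cipher into a keystream that is XORed over the data, which is why the payload can be any length without padding, and storing the body file as hex text so it can be read back with bytes.fromhex() instead of eval(). The key and payload are constructed demo values, not the write-up's. pyaes is used for the AES block when it is installed; otherwise an HMAC-SHA256 stand-in (clearly labelled, not AES) is used so the CTR construction itself can still be run offline.

```python
"""AES-CTR round trip and eval-free body-file storage.
Added example; not the write-up's encrypter.py / decrypter.py."""
import hashlib
import hmac
import os
import tempfile

BLOCK = 16  # AES block size in bytes

try:
    import pyaes  # the library the write-up uses; optional here
except ImportError:  # fall back to a labelled stand-in keystream generator
    pyaes = None


def make_block_encrypt(key):
    """Return f(block16) -> 16 bytes, the raw block primitive CTR mode needs.

    With pyaes installed this is real AES (pyaes.AES.encrypt on one block).
    Without it an HMAC-SHA256 PRF stands in; it is NOT AES, it only lets the
    CTR construction be exercised when pyaes is not available.
    """
    if pyaes is not None:
        cipher = pyaes.AES(key)
        return lambda block: bytes(cipher.encrypt(block))
    return lambda block: hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def ctr_xcrypt(key, data, initial_value=1):
    """Encrypt or decrypt `data` in CTR mode (the operation is its own inverse).

    Each keystream block is the block cipher applied to a 16-byte big-endian
    counter (the layout pyaes.Counter uses, starting at 1), XORed into the
    data. Only as many keystream bytes as there are data bytes are consumed,
    so any length works and no padding is needed.
    """
    encrypt_block = make_block_encrypt(key)
    out = bytearray()
    for offset in range(0, len(data), BLOCK):
        counter = (initial_value + offset // BLOCK).to_bytes(BLOCK, "big")
        keystream = encrypt_block(counter)
        out.extend(d ^ k for d, k in zip(data[offset:offset + BLOCK], keystream))
    return bytes(out)


def save_body(path, ciphertext):
    """Store ciphertext as hex text, which can be parsed back without eval()."""
    with open(path, "w") as fh:
        fh.write(ciphertext.hex())


def load_body(path):
    """Read hex text back into bytes; bytes.fromhex() rejects anything else."""
    with open(path) as fh:
        return bytes.fromhex(fh.read().strip())


def file_roundtrip(key, payload):
    """Encrypt, write a 'body' file, read it back, decrypt; True if recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "body")
        save_body(path, ctr_xcrypt(key, payload))
        return ctr_xcrypt(key, load_body(path)) == payload


def matches_pyaes_ctr(key, payload):
    """Cross-check against pyaes' own CTR mode; None when pyaes is absent."""
    if pyaes is None:
        return None
    return pyaes.AESModeOfOperationCTR(key).encrypt(payload) == ctr_xcrypt(key, payload)


if __name__ == "__main__":
    KEY = b"0123456789abcdef"  # constructed 16-byte demo key (the write-up hardcodes its own)
    PAYLOAD = b"constructed demo payload, not a block multiple"  # constructed, not shellcode
    ct = ctr_xcrypt(KEY, PAYLOAD)
    print("payload %d bytes -> ciphertext %d bytes" % (len(PAYLOAD), len(ct)))
    print("file round trip ok:", file_roundtrip(KEY, PAYLOAD))
    print("matches pyaes CTR:", matches_pyaes_ctr(KEY, PAYLOAD))
```

Because decryption in CTR mode is the same XOR with the same keystream, one function serves both the encrypter and the decrypter, which is also why both sides must share the exact key and starting counter; storing the body as hex means a corrupted or tampered file fails in bytes.fromhex() rather than being handed to eval().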
We are going to use a slightly modified version of the compile.sh script, renamed to compile7.sh. We skip the assembly and linking part and go straight to pasting the shellcode into the C file, after which it gets compiled.
As input it inserts the shellcode from the created 'bodydec' file.
We run the shellcode file and verify that, again, magically our cdrom drive ejects. Mission accomplished!