
Polymorphic Shellcode x86 - SLAE Assignment 0x6

Before we start, I would like to bring your attention to this SLAE course from SecurityTube, which will help you learn shellcoding - http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

AGENDA:
1. Introduction to Polymorphic Shellcode
2. Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org
3. The newer version of the shellcode should not be larger than 150% of the original code

1. Introduction to Polymorphic Shellcode:

Polymorphic shellcode replaces assembly instructions with other, functionally equivalent instructions. The byte pattern changes, so signature-based systems no longer match it, while the functionality of the shellcode remains intact.
For example, the following assembly code snippet should give you an idea of what this means:
xor eax,eax
xor edx,edx

This simply zeroes out eax and edx. Exactly the same result can be achieved with the following, where cdq sign-extends eax (now zero) into edx:
sub eax,eax
cdq
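
The two snippets above, seen from the detection side, as an added example that is not part of the original post: an exact byte signature written for the first form misses the second, while a small abstract interpreter that tracks which registers are provably zero flags both. The function names, the signature, and the hand-assembled sample bytes are constructed for illustration, and only a tiny x86-32 subset is decoded.

```python
# Added example: byte signature vs. semantic check for the two snippets above.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Constructed samples: the two snippets from the text, assembled by hand.
ORIGINAL = bytes.fromhex("31c031d2")   # xor eax,eax ; xor edx,edx
VARIANT = bytes.fromhex("29c099")      # sub eax,eax ; cdq
SIGNATURE = ORIGINAL                   # hypothetical byte signature


def byte_signature_hit(code: bytes) -> bool:
    """Naive detection: exact byte pattern search."""
    return SIGNATURE in code


def _mark(zero: set, reg: str, is_zero: bool) -> None:
    """Record whether reg is provably zero after the current instruction."""
    (zero.add if is_zero else zero.discard)(reg)


def zeroed_registers(code: bytes) -> set:
    """Abstractly execute the subset; return registers proven to be zero."""
    zero, i = set(), 0
    while i < len(code):
        op = code[i]
        # xor/sub, both operand orders, register-to-register form (mod == 11)
        if op in (0x29, 0x2B, 0x31, 0x33) and i + 1 < len(code) and code[i + 1] >= 0xC0:
            reg, rm = (code[i + 1] >> 3) & 7, code[i + 1] & 7
            dst = REGS[rm if op in (0x29, 0x31) else reg]
            _mark(zero, dst, reg == rm)      # r op r is always 0, else unknown
            i += 2
        elif op == 0x99:                     # cdq: edx = sign extension of eax
            _mark(zero, "edx", "eax" in zero)
            i += 1
        elif 0xB8 <= op <= 0xBF and i + 5 <= len(code):   # mov r32, imm32
            imm = int.from_bytes(code[i + 1:i + 5], "little")
            _mark(zero, REGS[op - 0xB8], imm == 0)
            i += 5
        else:
            break   # outside the subset: stop, report only what was proven
    return zero


def semantic_hit(code: bytes) -> bool:
    """Behavioural rule: the code clears both eax and edx."""
    return {"eax", "edx"} <= zeroed_registers(code)


if __name__ == "__main__":
    for name, code in (("original", ORIGINAL), ("variant", VARIANT)):
        print(name, byte_signature_hit(code), semantic_hit(code))
```
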

2. Create a new version (polymorphic) of an existing shellcode taken from www.shell-storm.org:

We will look at polymorphic versions of three shellcodes obtained from Shellstorm -
a) http://shell-storm.org/shellcode/files/shellcode-212.php - Kill all process
b) http://shell-storm.org/shellcode/files/shellcode-752.php - execve ("/bin/sh")
c) http://shell-storm.org/shellcode/files/shellcode-571.php - /bin/cat /etc//passwd

[x] Shellcode 1 : Kill all process
Shellstorm - http://shell-storm.org/shellcode/files/shellcode-212.php
The shellcode was downloaded from Shellstorm, and its instructions were then tweaked to produce a polymorphic version.

Original Version from Shellstorm -

Polymorphic Version -

[x] Shellcode 2 : execve ("/bin/sh")
Shellstorm - http://shell-storm.org/shellcode/files/shellcode-752.php
The shellcode was downloaded from Shellstorm, and its instructions were then tweaked to produce a polymorphic version.

Original Version from Shellstorm -
Polymorphic Version -

[x] Shellcode 3 : set system time to 0 and exit
Shellstorm - http://shell-storm.org/shellcode/files/shellcode-571.php
The shellcode was downloaded from Shellstorm, and its instructions were then tweaked to produce a polymorphic version.

Original Version from Shellstorm -

Polymorphic Version -


[x] All codes can be found here - https://github.com/hexachordanu/SLAE/tree/master/Assignment-6

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ 

Student-ID: SLAE-1219
