This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1290

Assignment:

The assignment scope is to create a custom shellcode encoder for the execve-stack shellcode.

Initial shellcode:

The sample shellcode would be the execve-stack one.

The encoder:

My custom encoder works like this: it takes each byte of the shellcode and increments it by one; so, for example, the first byte 0x31 would become 0x32, the second byte 0xc0 -> 0xc1, the sixth byte 0x61 -> 0x62, etc.

There is a check to prevent the case where adding 1 to a byte produces a null byte (the only such case is when the original byte is 0xff); whenever this happens, the byte is manually set to 0x01. During the decoding phase, the 0x01 bytes are then decremented twice to get 0xff back. The decoding phase is pretty simple: the decoder iterates through all the shellcode bytes and decrements each one by one (always taking the 0x01 case into account).
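The encode and decode rules above, written out in C as an added example (not the post's own generator or decoder), run over constructed sample bytes rather than the execve-stack shellcode. It also shows the scheme's one assumption: the 0x01 special case only round-trips when the original code contains no 0x00 byte, since 0x00 would also encode to 0x01.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One byte of the encoder: add 1, but 0xff (which would wrap to the
 * forbidden null byte) is written out as 0x01 instead. */
uint8_t encode_byte(uint8_t b) {
    return (b == 0xff) ? 0x01 : (uint8_t)(b + 1);
}

/* One byte of the decoder: subtract 1, but 0x01 is decremented twice
 * (0x01 -> 0x00 -> 0xff) to undo the special case above. */
uint8_t decode_byte(uint8_t b) {
    return (b == 0x01) ? 0xff : (uint8_t)(b - 1);
}

/* Returns 1 if every byte of `in` survives encode followed by decode. */
int roundtrip_ok(const uint8_t *in, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (decode_byte(encode_byte(in[i])) != in[i]) return 0;
    return 1;
}

/* Returns 1 if the encoded form of `in` contains no null byte. */
int encoded_is_null_free(const uint8_t *in, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (encode_byte(in[i]) == 0x00) return 0;
    return 1;
}

/* Constructed sample (not the execve-stack shellcode): the byte values the
 * post walks through, plus 0xff to exercise the wrap-around edge case. */
const uint8_t SAMPLE_NULL_FREE[] = { 0x31, 0xc0, 0x61, 0xff, 0x80 };

/* Constructed sample containing a null byte, which this scheme cannot
 * represent: 0x00 encodes to 0x01 and therefore decodes back to 0xff. */
const uint8_t SAMPLE_WITH_NULL[] = { 0x31, 0x00, 0xff };

int main(void) {
    printf("null-free sample round-trips: %d\n",
           roundtrip_ok(SAMPLE_NULL_FREE, sizeof SAMPLE_NULL_FREE));
    printf("sample containing a null round-trips: %d\n",
           roundtrip_ok(SAMPLE_WITH_NULL, sizeof SAMPLE_WITH_NULL));
    return 0;
}
```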

The generator:

I wrote a small C program that generates encoded shellcodes based on the scheme above.

Using the execve-stack shellcode, this program generates:

The decoder shellcode:

This is the decoder shellcode, which iterates through the encoded one and decodes each byte.

Let’s dump the shellcode and try it using our shellcode template.
