Description: We've started this new Hack of the Day series; to follow them all, please use this link: http://securitytube.net/tags/hod
In previous videos, we've talked about understanding and modifying shellcode. In this one, we will look at how to write a shellcode encoder from scratch in Python and then the decoder in assembly language. There are tons of encoders out there (XOR, ... Shikata ga Nai, etc.), but what does it take to write your own?
Truth be told - writing your own encoder is EASY! However, creating an encoder which is not easily fingerprintable is DIFFICULT. In this video, I will take you through a new encoder - a very simple one but not done before (to the best of my limited googling skills). I've christened it the Poor Man's Encoder :)
The Poor Man's Encoder takes a piece of shellcode and reverses it (literally), so the last byte becomes the first, and so on. I've written this in Python as it's really easy to reverse bytearrays and manipulate strings and data in this language.
The decoder, however, is a different beast. We have two options: (1) you've probably guessed that this would be swapping the bytes back into the original order and JMP'ing to our shellcode, and (2) a slightly unconventional approach: the stack grows from high memory to low memory, so if I push my reversed shellcode onto the stack, ESP ends up pointing to the shellcode in its original order :) All we have to do then is a JMP ESP :)
Of course, there are other interesting hurdles, such as getting the address of our shellcode, which we solve using the familiar JMP-CALL-POP technique. The PUSH operations onto the stack happen in a simple LOOP, with the ECX register holding the iteration count.
Enjoy the video and please leave behind your comments! :)
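As an added example (not the video's code), here is the Poor Man's Encoder written out in Python together with a small model of both decoder strategies from the description, so the byte order can be checked before the assembly is written. The sample "shellcode" is a constructed run of bytes, not real shellcode; padding to a whole number of dwords with 0x90, and byte-swapping each dword (bswap) before it is pushed, are assumptions of this model: reversing the whole buffer also reverses the bytes inside each little-endian dword, and the model shows what happens with and without that swap.

```python
# Added example (not from the video): Poor Man's Encoder plus a model of both
# decoder options from the description, on a little-endian x86 stack.
import struct

SAMPLE_SHELLCODE = bytes(range(0x01, 0x0e))   # 13 constructed bytes, NOT real shellcode
NOP = b"\x90"                                   # assumed filler byte


def pad_to_dword(shellcode, filler=NOP):
    """Pad to a multiple of 4 so the decoder can work in whole dwords (assumption)."""
    rem = (-len(shellcode)) % 4
    return shellcode + filler * rem


def encode(shellcode):
    """Poor Man's Encoder: literally reverse the bytes, last byte first."""
    return bytes(reversed(pad_to_dword(shellcode)))


def decode_by_swapping(encoded):
    """Option (1): swap bytes from both ends inward, in place, then jump to the buffer."""
    buf = bytearray(encoded)
    lo, hi = 0, len(buf) - 1
    while lo < hi:
        buf[lo], buf[hi] = buf[hi], buf[lo]
        lo += 1
        hi -= 1
    return bytes(buf)


class Stack:
    """Minimal little-endian x86 stack: PUSH stores 4 bytes at ESP-4 and lowers ESP."""

    def __init__(self, esp=0xBFFFF000):   # constructed starting ESP value
        self.mem = {}
        self.esp = esp

    def push(self, dword):
        self.esp -= 4
        for i, b in enumerate(struct.pack("<I", dword)):
            self.mem[self.esp + i] = b

    def read_from_esp(self, n):
        """The bytes JMP ESP would start executing."""
        return bytes(self.mem[self.esp + i] for i in range(n))


def bswap(dword):
    """Model of the x86 BSWAP instruction (reverse the 4 bytes of a dword)."""
    return struct.unpack(">I", struct.pack("<I", dword))[0]


def decode_by_pushing(encoded, swap_within_dword=True):
    """Option (2): walk the encoded buffer one dword at a time (lodsd inside a
    LOOP with ecx = len/4) and PUSH each one. The stack grows downward, so the
    last dword pushed sits at ESP and JMP ESP lands on the decoded bytes.
    Assumption: each dword is byte-swapped before the PUSH, because reversing
    the buffer also reversed the order of the bytes inside every dword."""
    st = Stack()
    for off in range(0, len(encoded), 4):
        eax = struct.unpack("<I", encoded[off:off + 4])[0]   # lodsd
        if swap_within_dword:
            eax = bswap(eax)                                   # bswap eax
        st.push(eax)                                           # push eax
    return st.read_from_esp(len(encoded))


if __name__ == "__main__":
    enc = encode(SAMPLE_SHELLCODE)
    print("encoded  :", enc.hex())
    print("swapped  :", decode_by_swapping(enc).hex())
    print("pushed   :", decode_by_pushing(enc).hex())
    print("no bswap :", decode_by_pushing(enc, swap_within_dword=False).hex())
```

Running the script shows the "no bswap" line coming back with each group of four bytes back to front: the stack restores the order of the dwords for free, but not the order of the bytes inside them, which is the detail to settle (in the encoder or in the decoder) before the LOOP is written.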
Tags: hod, shellcode, encoder, decoder
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
When you push eax, I think you will do pop eax and loop again! But the jmp esp did the job better!
This is the best video tutorial which describes a basic encoding/decoding shellcode technique.
Thank you!
Thanks! I am using a different ID to post the videos but the best way to keep track of them is the "hod" tag.
I'd welcome someone to post a decoder in assembly which uses the byte swapping method as described in the video :) Feel free to post the code here or drop a link via pastebin or elsewhere.
Very, very nice video.
Some notes from my side:
add esi, 4
has null bytes; I'm using inc esi 4 times, but I think there are shorter ways to avoid the null bytes.
I also had problems with the command to get the shellcode (via objdump).
The command uses:
"cat -f1-6" somewhere in the middle, but one line in my shellcode was:
69 74 30 69 52 ca 32
which translates to:
imul $0xc132ca52,0x69(%eax,%esi,1),%esi
If we use cat -f1-6 it would truncate the 0x32 (last byte!).
Thus I have to use: -f1-7
Keep that in mind if you have long instructions.
I will try to implement the other approach if I have time ;)
Nice work Vivek! Thanks!
Here's the second approach; I think it's a little bit long, but it's working ;)
(forget the xor edx,edx at the end, the shellcode from exploit-db didn't do that, so this just fixes the shellcode)
http://pastebin.com/WSrJhd1q
@Juggl3r Thanks my friend! Good to know you're enjoying!
Just a quick clarification - I used objdump and "add esi, 4" gives me "83 c6 04" as the opcode which does not have any nulls. Are you sure you have the right code?
Hm,
I have:
"81 c6 04 00 00 00": add esi,0x4
If I do:
echo -ne "\x83\xc6\x04" > tester
ndisasm -b32 tester
I get:
add esi, byte +x04
So it seems that you are just adding 1 byte (using opcode 83) and I'm adding a dword (using opcode 81).
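The truncation problem raised in the objdump comment above (a 7-byte instruction losing its last byte to a fixed cut on columns 1-6) and the null-byte discussion that follows both come down to how the raw bytes are pulled out of the disassembly. The added example below (not from the video or from any commenter) parses the tab-separated layout of objdump -d output instead of counting columns, so instructions of any length and objdump's continuation lines are handled, and then reports any null bytes. The objdump text is a constructed sample: the imul line reproduces the 7-byte line quoted in the comment, with its 8th byte (c1, the top byte of the 0xc132ca52 immediate) on a continuation line the way objdump prints it, and the 81 c6 04 00 00 00 line is the add esi,0x4 encoding from the later comment.

```python
# Added example (not from the video or the comments): extract raw bytes from
# `objdump -d` output without relying on fixed columns, and flag null bytes.
import re

# Constructed sample of `objdump -d` output. objdump prints at most 7 bytes per
# line and puts the rest of a long instruction on a continuation line that has
# an address and bytes but no mnemonic; a fixed `cut -f1-6` drops the 7th byte
# and any tool that skips lines without a mnemonic drops the continuation.
SAMPLE_OBJDUMP = """\
decoder:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:\t31 c0                \txor    %eax,%eax
 8048062:\t81 c6 04 00 00 00    \tadd    $0x4,%esi
 8048068:\t69 74 30 69 52 ca 32 \timul   $0xc132ca52,0x69(%eax,%esi,1),%esi
 804806f:\tc1 
 8048070:\tff e4                \tjmp    *%esp
"""

# An instruction (or continuation) line starts with "<hex address>:" before the first tab.
_ADDR = re.compile(r"^\s*[0-9a-fA-F]+:$")


def extract_bytes(objdump_text):
    """Return the code bytes in order, using objdump's tab-separated layout:
    '<addr>:\\t<hex bytes>\\t<mnemonic and operands>' (mnemonic absent on
    continuation lines). Headers, symbol lines and blank lines are skipped."""
    out = bytearray()
    for line in objdump_text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not _ADDR.match(parts[0]):
            continue
        out += bytes.fromhex(parts[1].replace(" ", ""))
    return bytes(out)


def null_offsets(shellcode):
    """Offsets of every 0x00 byte; any hit means the encoding needs a null-free instruction."""
    return [i for i, b in enumerate(shellcode) if b == 0]


def to_c_string(shellcode):
    """Format as the usual \\x.. string for a C test harness."""
    return "".join("\\x%02x" % b for b in shellcode)


if __name__ == "__main__":
    code = extract_bytes(SAMPLE_OBJDUMP)
    print("%d bytes: %s" % (len(code), to_c_string(code)))
    nulls = null_offsets(code)
    if nulls:
        print("null bytes at offsets:", nulls)
```

Run against real output, the same function replaces the cut/awk pipeline: pipe objdump -d of the assembled decoder into it and the byte count printed should equal the size of the .text section, which is the quick check that no byte was lost. On the sample it reports 18 bytes and flags offsets 5, 6 and 7, the three nulls of the 81 c6 form of add esi,0x4.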