Create a custom encoding scheme like the “Insertionon Encoder” we showed you
PoC with using execve-stack as the shellcode to encode with your schema and execute
Source Code
The source code for this article can be found here
Strategy
My strategy for fulfulling this assignment will be the following:
Think about what sort of encoding algorithm I want to use
Write a python program that will take the execve-stack shellcode and encode it using the algorithm I decide on
Write an assembly program that contains the encoded shellcode, decodes, and then executes it
Encoding Algorithm
So what sort of algorithm shall I write? Off the top of my head I’m thinking
of a cycling encoder. Something like the following:
Jump, Call, Pop our shellcde location into esi
Think of a dword such as 0xdeadbeef.
Initialize eax and ebx with the dword
Initialize edx to zero. This will be our offset.
Place the length of the shellcode in ecx
Loop based on ecx executing the following
if ebx is 0x00000000, re-initialize it with eax
Xor the offset of shellcode with the lowest significant byte of ebx (bl)
Increment our offset
Shift right ebx making the second least significant byte the least significant byte
Jump to our decoded shellcode after looping has been exhausted
The algorithm sounds like it should work… Let’s give it a shot
The Assembly
The Python
Let’s try encoding the execve-stack shellcode, placing it
in our decoder assembly program, extracting the bytes and
placing those in our shellcode.c stub and see if we can get
some code execution as we would hope.
Grab the bytes of execve-stack shellcode. Make sure to adjust the cut
column count to 7 as the disassembly has bytes in the seventh column:
Throw the bytes in our python decoder program:
Throw the bytes and shellcode length in our decoder.nasm
Compile, get the bytes, and load into shellcode.c stub:
The execve-stack.nasm was compiled to execute an ls so when we execute our
shellcode stub we will be looking for a directory listing to be output:
And sure enough we are in luck. We get our directory listing. Lets now
open our code in the debugger and checkout our memory pre and post decoding.
Pre-Decoding
Post-Decoding
We can see that our cycling encoding scheme does encode and decode as we
intended it to as well as proceeding to execute our shellcode.