Paolo Perego. Application security specialist, OSCE and OSCP certified, I love breaking and rebuilding code securely. I am a taekwon-do black belt, husband and dad. Chaotic Neutral Ranger, I write at @codiceinsicuro.
Assignment #4: A custom encoder
The fourth assignment for the SLAE certification is to create a custom encoding
scheme and build a weaponized PoC around the execve-stack assembler code.
The assignment was written on Ubuntu Linux 18.04, with Linux kernel version
4.15.
The starting payload
We start our weaponized proof of concept from this assembler code:
Once assembled, this code translates into the following shellcode:
The schema
The first step is to pad the payload so that its length is a multiple of 4. We use \x90 as the padding byte.
The second step is to XOR this block with a key, which is 0xdeadbeef in our case.
We then swap the first half and the second half of each word.
Finally, we prepend the payload with the actual number of bytes of the shellcode, XOR-ed
with the obfuscation key 0xdeadbeef.
Our weaponized PoC carries a 24-byte payload, which is \x18 in
hexadecimal. I fill a 32-bit register with the payload length, which implies
that this encoding scheme is limited to payloads no longer than
255 bytes.
Filling the register turns the length into “\x18\x18\x18\x18”. We then apply the XOR with
the 0xdeadbeef encoding key and obtain “\xc6\xb5\xa6\xf7”, which we store
swapped: “\xf7\xa6\xb5\xc6”.
The final encoded payload is:
Decoding it
Given an encoded payload, a decoding routine must be in place to revert our
strategy:
take the first dword and XOR it with the hardcoded key. An important point here is
that we don't need to revert the swap we applied to this first value during encoding,
because values on the stack are stored in reverse order. Storing it on
the stack puts the value back in the correct order, so we only have to XOR it
to recover the payload length.
divide the value stored in AL by 8 and store in EDX the number of words
the payload is long
for each of the n dword(s):
byte swap the word
XOR it with the encoding key
When the iteration reaches the payload length, we jump to the decoded
bytes in memory and the payload is executed for us.
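A Python model of the encoding and decoding steps above, added here as an example and not the post's own configurator script. The sample shellcode bytes are constructed, and the header stores the padded length, which coincides with the actual length for the post's 24-byte payload:

```python
import struct

KEY = 0xDEADBEEF                      # obfuscation key from the post
KEY_BYTES = KEY.to_bytes(4, "big")    # b"\xde\xad\xbe\xef"
PAD = b"\x90"

# Constructed sample payload (22 bytes, padded to 24 like the post's shellcode).
SAMPLE = bytes(range(1, 23))


def _xor_swap(dword: bytes) -> bytes:
    """Encode one dword: XOR it with the key, then reverse its byte order."""
    return bytes(b ^ k for b, k in zip(dword, KEY_BYTES))[::-1]


def _unswap_xor(dword: bytes) -> bytes:
    """Inverse of _xor_swap: reverse the byte order, then XOR with the key."""
    return bytes(b ^ k for b, k in zip(dword[::-1], KEY_BYTES))


def encode(shellcode: bytes) -> bytes:
    """Pad to a dword boundary, encode every dword, prepend the encoded length dword."""
    padded = shellcode + PAD * (-len(shellcode) % 4)
    if not 0 < len(padded) <= 255:
        raise ValueError("length travels in one byte: payload must be 1..255 bytes")
    header = bytes([len(padded)]) * 4   # b"\x18\x18\x18\x18" for a 24-byte payload
    blocks = [header] + [padded[i:i + 4] for i in range(0, len(padded), 4)]
    return b"".join(_xor_swap(b) for b in blocks)


def decode(blob: bytes) -> bytes:
    """Mirror the assembler decoder: read the length, then un-swap and XOR each dword."""
    if len(blob) < 4 or len(blob) % 4:
        raise ValueError("encoded blob must be a non-empty multiple of 4 bytes")
    # A 32-bit little-endian load of the first dword already reverses its bytes,
    # so only the XOR is needed before taking the low byte (AL) as the length.
    length = (struct.unpack("<I", blob[:4])[0] ^ KEY) & 0xFF
    if length % 4 or 4 + length > len(blob):
        raise ValueError("length field is inconsistent with the blob")
    body = blob[4:4 + length]
    return b"".join(_unswap_xor(body[i:i + 4]) for i in range(0, length, 4))
```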
The configurator
Here is the Python script I used to generate different C programs containing
different payloads. Note that I also added a function to change the EGG
value.
The proof of concept
This is the weaponized assembly PoC. It takes an encoded payload, decodes it
and then passes execution to the extracted code.
Dumping the shellcode, I obtained:
I added this shellcode to the same C program used in previous assignments to
test our shellcode and executed it to check that the payload is correct.
Virus Total
To test my encoder on a real test bed, I used the VirusTotal portal. Here is
the analysis.
As you can see, only 6 antivirus engines out of 59 detect the weaponized code as
malicious.
Code in action
Here you can find the custom encoder weaponized code in action.
SLAE Exam Statement
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: