SLAE 32 – Assignment 7

Assignment 7 – Custom Shellcode Crypter

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1112

This is the last assignment required to complete the SLAE (32-bit) certification.

What is a Crypter?

A Crypter is a type of software that can encrypt, obfuscate, and manipulate malware, to make it harder to detect by security mechanisms. It is used by cybercriminals to create malware that can bypass security programs by presenting itself as a harmless program until it is executed.  – Trend Micro

Custom Shellcode Crypter

The objective of this assignment is to create a custom crypter using any programming language and any existing encryption scheme. This implementation uses AES-128 in CBC mode.

The AES-128 implementation used here can be found at https://github.com/kokke/tiny-AES128-C.

The example to be encrypted is our old friend, the execve-stack shellcode:

[image: execve.png]

Cryptor: aescrypt.c

The shellcode encryption is done by aescrypt.c. It splits the shellcode into 16-byte (128-bit) blocks and encrypts them block by block with the defined key. If the shellcode length is not a multiple of 16 bytes, the cryptor automatically pads it with NOP instructions.

The key is also 16 bytes (128 bits) and is padded with null bytes if necessary.

The following image shows the cryptor in action:

[image: aescrypt.PNG]

Here is the source code of the cryptor:

[image: crypterc.png]

Compilation command:

gcc aescrypt.c aes.c -o aescrypt


Decryptor: decrypt_exec_shellcode.c

As its name suggests, this program decrypts the shellcode and then executes it. The following image shows the decryptor output:

[image: decrypt.png]

Here is the source code of the decryptor:

[image: decrypterc.png]

Compilation command:

gcc decrypt_exec_shellcode.c aes.c -o decrypt_exec_shellcode -fno-stack-protector -z execstack

As always, the full code can be found in my SLAE GitHub repository.

With this I finish my last assignment towards the SLAE32 certification. I would like to thank Vivek Ramachandran and the Pentester Academy team for putting together such a great course. See you in the SLAE64.
