govolution

SLAE Assignment 7: Crypter


This is the last assignment, and it is about writing a crypter/decrypter. I used Python and PyCrypto for this task. The execve shellcode starts a shell. The scripts use AES in CBC mode for encryption and decryption.

Here is the code for encryption:

encode.py


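from Crypto.Cipher import AES

# execve shellcode (starts a shell) that will be encrypted
plain = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

# AES in CBC mode with a hard-coded 16-byte key and 16-byte IV
obj = AES.new(b'Passphrase123456', AES.MODE_CBC, b'IVIVIVIVIVI12345')

# Pad with "A" bytes up to the next multiple of the 16-byte block size
l = len(plain)
r = l % 16
p = 16 - r
print("offset: " + str(p))
plain = plain + b"A" * p
ciph = obj.encrypt(plain)

# Render the ciphertext as a \xNN escaped string
encoded = ""
for x in bytearray(ciph):
    encoded += '\\x'
    enc = '%02x' % x
    encoded += enc

print(encoded)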

The output first shows the offset, which is the number of padding bytes appended so that the shellcode length is a multiple of the 16-byte AES block size. The decryption code needs this value later to strip the padding again.

The offset and the encrypted shellcode have to be set in the decryption code to match the encoder's output. Here is the decryption code:

decode.py


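from Crypto.Cipher import AES

# Number of padding bytes reported by encode.py
offset = 7
# Encrypted shellcode as printed by encode.py
ciph = (b"\x2c\x5a\xd5\x5f\x2d\x16\xb6\xb9\x68\x30\x90\x9f\xc9\x6d\xa5\x45\x8a\x08\x01\x2e\xe6\x60\x5b\x9f\x23\xb4\xc5\xaa\x77\x0f\x8a\x7f")

# Same key, mode and IV as in encode.py
obj = AES.new(b'Passphrase123456', AES.MODE_CBC, b'IVIVIVIVIVI12345')
t = obj.decrypt(ciph)

# Render the plaintext as a \xNN escaped string
decoded = ""
for x in bytearray(t):
    decoded += '\\x'
    enc = '%02x' % (x & 0xff)
    decoded += enc

# Each byte is printed as 4 characters (\xNN), so drop offset*4 characters of padding
print(decoded[0:-offset*4])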
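
The offset handling that both scripts rely on, as an added example that is not part of the original post: it reproduces the fixed "A" fill and its out-of-band offset, and goes one step further by showing PKCS#7 padding, which encodes its own length so no offset has to be copied between scripts. The function names are hypothetical and the 25-byte sample is a constructed placeholder; no AES library is needed.

```python
BLOCK = 16  # AES block size in bytes

def fill_pad(data, fill=b"A"):
    """Pad as encode.py does; returns (padded, offset)."""
    offset = BLOCK - len(data) % BLOCK  # 16, never 0, when already aligned
    return data + fill * offset, offset

def fill_unpad(padded, offset):
    """Strip the filler; the offset has to be carried out of band."""
    return padded[:-offset]

def pkcs7_pad(data):
    """PKCS#7: every padding byte holds the padding length."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes(bytearray([n]) * n)

def pkcs7_unpad(padded):
    """Strip PKCS#7 padding and reject malformed input."""
    tail = bytearray(padded)
    if not tail or len(tail) % BLOCK:
        raise ValueError("length is not a positive multiple of 16")
    n = tail[-1]
    if not 1 <= n <= BLOCK or tail[-n:] != bytearray([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]

def demo():
    sample = bytes(bytearray(range(25)))  # constructed 25-byte placeholder
    padded, offset = fill_pad(sample)
    assert fill_unpad(padded, offset) == sample
    aligned_offset = fill_pad(b"B" * 32)[1]  # input already block-aligned
    assert pkcs7_unpad(pkcs7_pad(sample)) == sample
    return offset, len(padded), aligned_offset

if __name__ == "__main__":
    print(demo())
```

A 25-byte input gives the offset of 7 that decode.py hard-codes, while an already aligned input still receives a full extra block of padding.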

Get the code.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-342
