Ants, trees, etc.

[Dave Aitel <dave () immunitysec com>]

Here's my lame idea of the day, loosely based on watching a 4-ant 
hunting party climb up a palm tree. I spent a small portion of the day 
writing some shellcode, which always annoys me. It's easy, and boring, 
yet not done automatically by some python script. :< I tend to write my 
shellcode in a completely non optimized way, just so people can make fun 
of me. For example:
pushl $0 //arg3
pushl $1 //arg2
pushl $2 //arg1
pushl $SYS_SOCKET
int 0x80

This sort of thing should be easy for a program to fix up to avoid 
nulls, right? Most likely it could make it smaller in the process, 
right? Hence:

I want to write (or find out that someone already has written) a 
automatic shellcode generator with the following properties.

o I want to use the MOSDEF assembler because it also generates a ton of 
nice meta-data (if you use the right API) and this could come in handy
o I want to use some sort of generational evolutionary process, as 
described below
o It should avoid bad characters, and optimize for size
o It should take as input, another shellcode (in asm)
  o Obviously the problem is easier when you describe the shellcode in 
a higher level language of some sort, but that's a bit lame when you 
already have piles of shellcode laying around that do exactly what you 
want, hand written to be fairly decently small already.
o It should use a nice CPU emulator as well (Such as Chris Eagles IDA 
plugin, perhaps? I like the idea better of being able to use a true CPU 
for this, and it might be easier to set up, and possibly faster)
o The obvious problem here is that to optimize on size and avoid bad 
characters you need to somehow do non-obvious register allocation and 
other bizzare opcode substitutions.

My theory is this. You can take the shellcode and split it into blocks 
automatically - be they at jmps and int 0x80's, or simply randomly 
(which might actually be best).

To speed things up, I would define classes of instructions that are 
similar. Movs are more similar to XOR's than they are to JMPs, for 
example. I'd arrange them in some sort of nice bell curve that way. Add 
is very similar to inc, and also similar to sub. (Theoretically 
evolution uses a flat distrubution for this, but only until people 
figure out that it doesn't really use a flat algorithm, I'm guessing)

To mutate, I'd randomly pick substitutions for individual instructions. 
I'd probably weigh the picking process to pick additional substitutions 
near other substitutions. Some blocks would randomly move around, be 
double, deleted, and new blocks would also be randomly created and 
inserted. You can probably use the MOSDEF metadata smartly here, to 
speed things up as well.

To score, I'd run a quick algo across each block, and if it does what 
"primary" (original) block does (according to the emulator), then it 
would have a higher score. If the entire shellcode does what the primary 
shellcode does (i.e. pop a shell) then it would score highly as well. If 
the block has bad characters, it gets a lower score. If it is larger, it 
gets a lower score.

Anyone game? :>

-dave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave