Vulnerability Development mailing list archives

Re: xor encoding / decoding of shellcode


From: "Ryan Permeh" <ryan () eEye com>
Date: Wed, 28 Nov 2001 10:23:53 -0800

your general layout seems to be correct.
this is based off of x86 ideas, but asm is asm is asm, and everyone is
basically the same.

first thing, when building the shellcode, find your xor byte (so that no
shellcode byte ^ xor byte == 0). next get the size of your shellcode.  now
xor the shellcode by the xor byte, and save it as a string (below referenced
by xorencodedshellcode)

then just make your decoder point past your decoder to the start of your
encoded shellcode and loop an xor operation * the number of shellcode bytes
you need to decode.  at the end of the loop, the next byte should be the
beginning of your now xor decoded shellcode.

so it does look like this (in a simple, best case scenario):
[nops][xordecoder][xorencodedshellcode][ret]
your ret hits the nops, or directly to the xordecoder, depending on how
exact you can get it, and the xordecoder will decode then step to the
shellcode.

good luck.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

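The analyst's side of the scheme Ryan describes, as an added example that is not part of the thread: given a captured buffer suspected to be single-byte XOR encoded, check that it is consistent with the "no encoded byte becomes 0x00" rule, then brute-force the 256 possible keys and score each decoding. The sample plaintext, the key 0x5A, the printable-ratio scoring and the optional marker search are all constructed for this illustration.

```python
# Added example, not from the thread: recovering a single-byte XOR key from a
# captured buffer the way a triage analyst would. All sample data is constructed.

from typing import Optional, Tuple


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR; the same call both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_single_byte_xor(encoded: bytes) -> bool:
    """The encoder described in the thread picks a key byte that occurs nowhere
    in the plaintext, so no encoded byte can be 0x00. A null-free buffer is
    therefore consistent with that scheme; a buffer containing nulls is not."""
    return 0 not in encoded


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, LF or CR."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def recover_key(encoded: bytes, marker: Optional[bytes] = None,
                threshold: float = 0.9) -> Optional[Tuple[int, bytes]]:
    """Brute-force all 255 non-trivial keys.

    If `marker` is given, a candidate key must yield a decoding that contains
    it (useful when the analyst knows a byte sequence the payload must hold).
    Otherwise the decoding with the highest printable ratio wins, provided it
    clears `threshold`. Returns (key, decoded) or None if nothing qualifies.
    """
    best_score, best = -1.0, None
    for key in range(1, 256):          # key 0 would leave the buffer unchanged
        decoded = xor_bytes(encoded, key)
        if marker is not None and marker not in decoded:
            continue
        score = printable_ratio(decoded)
        if marker is None and score < threshold:
            continue
        if score > best_score:
            best_score, best = score, (key, decoded)
    return best


# Constructed sample: a readable plaintext and a key byte that does not occur in it
# (the key-selection rule from the thread, checked here before encoding).
SAMPLE_PLAIN = b"constructed sample: GET /index.html HTTP/1.0\r\n"
SAMPLE_KEY = 0x5A
assert SAMPLE_KEY not in SAMPLE_PLAIN
SAMPLE_ENCODED = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    print("null-free buffer:", looks_like_single_byte_xor(SAMPLE_ENCODED))
    result = recover_key(SAMPLE_ENCODED)
    if result:
        key, decoded = result
        print(f"recovered key 0x{key:02x}: {decoded!r}")
```

The printable-ratio score suits text-like payloads; for binary payloads an analyst would instead pass a `marker` of bytes the payload is expected to contain, which is why `recover_key` accepts one. Note that the null-free check cannot narrow the key by itself: because the encoder never produces 0x00, every one of the 255 keys decodes to a buffer that avoids the key byte, so the key still has to be found by scoring.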
----- Original Message -----
From: "KF" <dotslash () snosoft com>
To: <vuln-dev () security-focus com>
Sent: Wednesday, November 28, 2001 9:31 AM
Subject: xor encoding / decoding of shellcode


I have been working a lot with asm lately on the ppc platform... my goal
has been to develop shellcode for several different situations... I have
come up with shellcode that writes an xinetd.d entry and one that binds a
shell to a port as well as a few other typical shellcode examples. The
problem that I am having is that a lot of my instructions cause nulls. I
have a technique to remove some of them but the method I use takes 2
instructions for every one with a null. I have been trying to figure out
how the stack needs to be laid out in order for me to xor encode / decode
my shellcode. I imagine it is similar to <nops><xor decoder><xor encoded
shellcode><return addy>. At the moment I am stuck on how to place an xor
encoded string on the stack and then use it as executable code. In essence
I need to learn how to write an xor decoder. Does anyone have any tips on
this technique? I am trying to come up with something similar to ADMmutate
that works on power pc or other RISC processors.
-KF
