-
Notifications
You must be signed in to change notification settings - Fork 4
/
Copy pathxor-encoder.py
357 lines (271 loc) · 10.1 KB
/
xor-encoder.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
#!/usr/bin/python3
'''
Jean-Pierre LESUEUR (@DarkCoderSc)
jplesueur@phrozen.io
https://www.phrozen.io/
https://github.com/darkcodersc
License : MIT
---
SLAE32 Assignment 4 : Linux x86-32 Shellcode Encoder.
---
Description:
Encode shellcode using XOR.
Support shellcode from any size.
Support bad chars.
'''
import sys
import random
from textwrap import wrap
import argparse
############################################################################################################
verbose = False
shellcode = None
encoded_shellcode = None
############################################################################################################
#
# Define bad characters and white characters.
#
# white characters are characters used by the decoder itself so it can't be present in bad character array.
#
############################################################################################################
#
# Bad chars list
#
default_bad_chars = bytearray([0x00])
bad_chars = None
#
# Whitelist chars (Can't be in bad chars)
#
white_chars_base = bytearray([
0x01, 0x05, 0x1e, 0x24, 0x26, 0x2e, 0x30, 0x31,
0x43, 0x44, 0x46, 0x5e, 0x88, 0x8a, 0xc0, 0xc4,
0xc9, 0xdb, 0xe8, 0xeb, 0xf1, 0xff
])
white_chars_size8 = bytearray([0xb1, 0x1a])
white_chars_size16 = bytearray([0x66, 0xb9, 0x1c, 0xdf])
white_chars_size32 = bytearray([0xb9, 0x1d, 0xde])
white_chars = None
############################################################################################################
#
# Utilities Definitions
#
############################################################################################################
#
# Log Defs
#
def success(message):
print("[\033[32m+\033[39m] " + message)
def err(message):
print("[\033[31m-\033[39m] " + message)
def warn(message):
print("[\033[33m!\033[39m] " + message)
def info(message):
if verbose:
print("[\033[34m*\033[39m] " + message)
#
# Convert Byte Array to Byte String
#
def bytearr_to_bytestr(data):
return ''.join(f"\\x{'{:02x}'.format(x)}" for x in data)
#
# Convert Byte String to Byte Array
#
def bytestr_to_bytearr(data):
return list(bytearray.fromhex(data.replace("\\x", " ")))
############################################################################################################
#
# Prepare Badchar List (Need to be done before calling EncodeShellcode())
#
############################################################################################################
def PrepareBadChars(reg_size):
global bad_chars
global white_chars
result = True
bad_chars = bytearray()
white_chars = bytearray()
if argv.badchars_str:
bad_chars.extend(default_bad_chars)
white_chars.extend(white_chars_base)
if (reg_size == 8):
white_chars.extend(white_chars_size8)
elif (reg_size == 16):
white_chars.extend(white_chars_size16)
elif (reg_size == 32):
white_chars.extend(white_chars_size32)
for badchar in bytestr_to_bytearr(argv.badchars_str):
if (white_chars.find(badchar, 0) == -1):
bad_chars.append(badchar)
else:
warn(f"{hex(badchar)} is whitelisted. It can't be a badchar")
result = False
return result
############################################################################################################
#
# Encode Shellcode (XOR) Definition
#
############################################################################################################
def EncodeShellcode():
global shellcode
global encoded_shellcode
#
# Start encoding
#
encoded_shellcode = bytearray()
for opcode in shellcode:
candidates = random.sample(range(255), 255)
found = False
for candidate in candidates:
result = opcode ^ candidate
if (bad_chars.find(result, 0) == -1) and (bad_chars.find(candidate, 0) == -1):
found = True
break
if not found:
return False
encoded_shellcode.append(result)
encoded_shellcode.append(candidate)
return True
############################################################################################################
#
# Program Entry Point
#
############################################################################################################
parser = argparse.ArgumentParser(description='Shellcode Xor Encoder (@DarkCoderSc)')
parser.add_argument('-s', action="store", dest="shellcode_str", required=True, help="Shellcode to encode (Ex: \\x31\\xe2...\\xeb).")
parser.add_argument('-b', action="store", dest="badchars_str", required=False, help="Bad chars list (Ex: \\x0a\\x0d), NULL is always a bad char.")
parser.add_argument('-v', action="store_true", default=False, dest="verbose", required=False, help="Enable verbose.")
parser.add_argument('-j', action="store", dest="junk_length", type=int, default=0, required=False, help="Append junk opcode at the end of the original shellcode to vary it size.")
parser.add_argument('-p', action="store_true", default=False, dest="paranoid_bcheck", required=False, help="Check if final payload is really free of badchars (Paranoid mode).")
try:
argv = parser.parse_args()
verbose = argv.verbose
except IOError:
parse.error
sys.exit()
#
# Setup shellcode array
#
shellcode = bytestr_to_bytearr(argv.shellcode_str)
#
# Optionnaly append junk data at the end to vary shellcode size and avoid bad chars.
#
if (argv.junk_length > 0):
shellcode.extend(b"\x90"*argv.junk_length)
############################################################################################################
#
# Encode and ajust decoder
# (!) Retry encoding until no bad chars are found in generated opcode (during relocation)
#
############################################################################################################
shellcode_length = len(shellcode)
info(f"{shellcode_length} bytes loaded from shellcode to encode.")
reg_size = 0
if (shellcode_length <= (2**8-1)):
reg_size = 8
elif (shellcode_length <= (2**16-1)):
reg_size = 16
elif (shellcode_length <= (2**32-1)):
reg_size = 32
if (reg_size == 0):
err("Shellcode length is not compatible with our encoder.")
sys.exit()
#
# Prepare Badchars
#
info("Prepare bad chars list...")
if not PrepareBadChars(reg_size):
err("Invalid badchar, one or multiple badchar are not compatible with our encoder.")
sys.exit()
info("Done.")
#
# Encode Shellcode (XOR)
#
info("Start shellcode encoding...")
if not EncodeShellcode():
err("Could not encode shellcode, with current badchar list. Likely reason: to much bad chars.")
sys.exit()
info("Done.")
#
# Upgrade ecx counter / jmp / call relocation.
#
if (reg_size == 8):
counter_opcode = b"\xb1"
counter_opcode += shellcode_length.to_bytes(1, byteorder="little")
jmp_get_shellcode_opcode = b"\x1a"
call_decoder_opcode = b"\xe1"
elif (reg_size == 16):
counter_opcode = b"\x66\xb9"
counter_opcode += shellcode_length.to_bytes(2, byteorder="little")
jmp_get_shellcode_opcode = b"\x1c"
call_decoder_opcode = b"\xdf"
elif (reg_size == 32):
counter_opcode = b"\xb9"
counter_opcode += shellcode_length.to_bytes(4, byteorder="little")
jmp_get_shellcode_opcode = b"\x1d"
call_decoder_opcode = b"\xde"
info(f"counter opcode=[{bytearr_to_bytestr(counter_opcode)}]")
info(f"jmp_get_shellcode opcode=[{bytearr_to_bytestr(jmp_get_shellcode_opcode)}]")
info(f"call_decoder opcode=[{bytearr_to_bytestr(call_decoder_opcode)}]")
info("Checking if additional opcodes now include bad chars...")
for opcode in counter_opcode:
if bad_chars.find(opcode) != -1:
err(f"A badchar \"{hex(opcode)}\" was introduced during OpCode generation. Use option \"-j\" to vary shellcode length and try again.")
sys.exit()
info("Done.")
############################################################################################################
#
# Build Final Payload
#
############################################################################################################
info("Build our final payload...")
payload = b""
# <_start>:
payload += b"\xeb"
payload += jmp_get_shellcode_opcode # jmp <get_shellcode>
# <decoder>:
payload += b"\x5e" # pop esi
payload += b"\x31\xc9" # xor ecx,ecx
payload += b"\x31\xc0" # xor eax,eax
payload += b"\x31\xdb" # xor ebx,ebx
payload += counter_opcode # mov cl|cx|ecx, <EncodedShellcode / 2>
# <decode>:
payload += b"\x8a\x24\x1e" # mov ah,BYTE PTR [esi+ebx*1]
payload += b"\x8a\x44\x1e\x01" # mov al,BYTE PTR [esi+ebx*1+0x1]
payload += b"\x30\xc4" # xor ah,al
payload += b"\x88\x26" # mov BYTE PTR [esi],ah
payload += b"\x43" # inc ebx
payload += b"\x46" # inc esi
payload += b"\xe2\xf1" # loop <decode>
payload += b"\xeb\x05" # jmp <EncodedShellcode>
# <get_shellcode>:
payload += b"\xe8"
payload += call_decoder_opcode # call <decoder>
payload += b"\xff\xff\xff"
# <EncodedShellcode>:
payload += bytes(encoded_shellcode)
info("Done.")
############################################################################################################
#
# Verify if we don't have any badchars (Optional)
# Should never occurs, if it occurs it means we have a bug somewhere.
#
############################################################################################################
if argv.paranoid_bcheck:
for opcode in payload:
if bad_chars.find(opcode, 0) != -1:
err("Bad char found in final payload. Possible bug affects our encoder.")
sys.exit()
success("Final payload is completely free of bad chars.")
############################################################################################################
#
# Print C array payload to termina. Ready for use (Copy / Paste)
#
############################################################################################################
payload_str = bytearr_to_bytestr(payload)
size = int(len(payload_str) / 4)
final_payload = "// Shellcode size = {}\n".format(size)
final_payload += "unsigned char code[] = \\\n"
for l in wrap(payload_str, 64):
final_payload += "\t\"{}\"\n".format(l)
final_payload = final_payload[:-1] + ";"
print(f"\n{final_payload}\n")
success(f"Shellcode successfully encoded, payload size: {size}")