SLAE: “Polymorphic” – Assignment 6

This blog post has been created to complete the requirements of the SecurityTube Linux Assembly Expert certification:
Student ID: SLAE-1046
Assignment: Take 3 shellcodes from shell-storm and create “polymorphic” versions of them to beat pattern matching. The “polymorphic” versions cannot be larger than 150% of the existing shellcode.


I wanted to find a different way to zero out a register than using XOR. This thread on Stack Overflow proved helpful.

First shellcode – reversetcpbindshell

It can be found here and it’s a 92-byte reverse shell (not a bind shell, as the name implies).

Instead of using XOR reg, reg to zero out a register I decided to use SUB reg, reg, which worked nicely. In a few places I replaced PUSH with MOV and then re-aligned the stack. This is pretty cool since it’s possible to place items on the stack in a completely different order (code placement) than with PUSH, but still get them correctly placed (if this was unclear please review the image below and compare push and mov byte ptr). Lastly, I replaced a few MOV reg, reg with PUSH/POP instruction pairs.

Original Length: 92 bytes
Modified Length: 105 bytes

And an action shot!

Second shellcode – kill all processes for Linux/x86

The second piece is a lot shorter but was quite fun to do. Running this shellcode will terminate all processes.

This time I checked out the instruction NEG, which flips 0xf7 (-9) to 0x9, cool! I also replaced PUSH 0xFFFFFFFF with a DEC REG on a zeroed register.

Original Length: 11 bytes
Modified Length: 15 bytes

And an action shot! In this photo the shellcode terminates the screen session that’s running.

Third shellcode – forkbomb

This piece of shellcode forks itself in a loop, essentially until the system crashes. It did however not crash right away due to built-in protections. After the first attempt I got the tip to run ulimit -u unlimited, to allow unlimited processes to be spawned (more info here). However, it still did not crash when I ran it as an ordinary user. Then I tried to run it as root and voila, crash!

Since the shellcode is pretty short I decided to just go with XOR on the syscall number. I also used JNS instead of JMP.

Original Length: 7 bytes
Modified Length: 10 bytes
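The three write-ups above all rely on the same idea: swapping an instruction for a semantically equivalent one changes the bytes a signature scanner sees while leaving behaviour intact. The following is an added example, not code from the original post, that shows from the detection side why a plain byte signature fails against such rewrites and what a more robust check keys on instead. The instruction encodings are standard IA-32 encodings; the two byte blobs are constructed for illustration and are not the post’s shellcodes; the sizes fed to the 150% check are the ones stated in the post.

```python
# Added example (not part of the original post): equivalent-instruction
# idioms vs. naive byte signatures, plus the assignment's 150% size limit.

# Standard IA-32 encodings (32-bit operand size, no prefixes) for the
# instruction pairs the post swaps. Grouped by the effect they produce.
EQUIVALENT_IDIOMS = {
    "zero eax": {
        "xor eax, eax": bytes.fromhex("31c0"),
        "sub eax, eax": bytes.fromhex("29c0"),
    },
    "ebx = -1": {
        "push -1; pop ebx": bytes.fromhex("6aff5b"),
        "xor ebx, ebx; dec ebx": bytes.fromhex("31db4b"),
    },
}

# Constructed sample blobs (NOT the post's shellcodes): the same program
# written once with the "original" idioms and once with the substitutes,
# both ending in the int 0x80 syscall gate.
ORIGINAL = bytes.fromhex("31c0") + bytes.fromhex("6aff5b") + bytes.fromhex("cd80")
VARIANT = bytes.fromhex("29c0") + bytes.fromhex("31db4b") + bytes.fromhex("cd80")


def neg8(value):
    """8-bit two's-complement negation, what NEG does on a byte register.
    NEG on 0xf7 (-9) gives 0x09, as the post observes."""
    return (-value) & 0xFF


def dec32(value):
    """32-bit DEC with wrap-around: DEC on a zeroed register yields 0xffffffff,
    the same value PUSH 0xFFFFFFFF / POP would load."""
    return (value - 1) & 0xFFFFFFFF


def within_limit(original_len, modified_len, factor=1.5):
    """Assignment constraint: the variant may not exceed 150% of the original."""
    return modified_len <= original_len * factor


def naive_signature_hit(blob, signature):
    """A byte-for-byte signature, the kind the rewrites are meant to defeat."""
    return signature in blob


def find_idioms(blob):
    """Return {effect: [(offset, mnemonic), ...]} for every known encoding in blob.
    Matching on the effect rather than on one encoding survives the substitutions."""
    hits = {}
    for effect, variants in EQUIVALENT_IDIOMS.items():
        for mnemonic, encoding in variants.items():
            start = 0
            while True:
                offset = blob.find(encoding, start)
                if offset == -1:
                    break
                hits.setdefault(effect, []).append((offset, mnemonic))
                start = offset + 1
    return hits


def same_effects(blob_a, blob_b):
    """True when both blobs exhibit the same set of idiom effects."""
    return set(find_idioms(blob_a)) == set(find_idioms(blob_b))


if __name__ == "__main__":
    print("byte signature of ORIGINAL hits VARIANT:", naive_signature_hit(VARIANT, ORIGINAL))
    print("effects in ORIGINAL:", find_idioms(ORIGINAL))
    print("effects in VARIANT: ", find_idioms(VARIANT))
    print("same effects:", same_effects(ORIGINAL, VARIANT))
    print("NEG 0xf7 ->", hex(neg8(0xF7)), "| DEC 0 ->", hex(dec32(0)))
    # Sizes stated in the post for the three shellcodes.
    for original_len, modified_len in ((92, 105), (11, 15), (7, 10)):
        print(original_len, "->", modified_len, "within 150%:",
              within_limit(original_len, modified_len))
```

The point of the idiom table is defensive: a rule written around a single encoding such as 31 c0 is brittle, whereas a rule that recognises every encoding of the same effect (and, better still, the int 0x80 gate the shellcode must eventually reach) keeps matching after the kind of rewriting this assignment performs.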

The program doesn’t look very interesting when run.

The CPU does however look pretty funny when it executes.

Github Links


Great success!