SLAE64: Assignment 6 – Polymorphic shellcodes

For assignment 6 of the SecurityTube Linux Assembly Expert certification the idea is to create polymorphic versions of existing shellcodes, specifically taken from shell-storm.org.

A polymorphic version of a shellcode implements the same functionality with different instructions and registers, often with nop or other filler instructions mixed in, so that the byte patterns a signature-based detector looks for no longer match.
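To make the detection side of that sentence concrete, here is an added example that is not part of the original post: a small Python script showing why a byte-level signature written against one encoding breaks on an instruction-substituted variant, and how a rule anchored on the invariant (the `syscall` instruction and the value that must end up in `rax` before it) still matches. The byte fragments are constructed for this example from standard x86-64 encodings and are not the shellcodes from the post; the window size and the set of recognised encodings are assumptions chosen for illustration.

```python
# Added example (not from the original post): a byte signature versus a
# detection rule that keys on the syscall invariant.
#
# The fragments below are constructed from well-known x86-64 encodings.
# They are not the post's shellcodes, just the "load rax, then syscall" tail.

SYSCALL = b"\x0f\x05"  # encoding of the syscall instruction

# Constructed fragments: three equivalent ways to reach rax = 59 (execve).
VARIANTS = {
    "mov_al":   b"\x31\xc0\xb0\x3b\x0f\x05",        # xor eax,eax ; mov al,0x3b ; syscall
    "push_pop": b"\x6a\x3b\x58\x0f\x05",            # push 0x3b ; pop rax ; syscall
    "mov_eax":  b"\xb8\x3b\x00\x00\x00\x0f\x05",    # mov eax,59 ; syscall
}

# A naive signature written against the first variant only.
NAIVE_SIGNATURE = b"\xb0\x3b\x0f\x05"


def naive_match(blob: bytes) -> bool:
    """Plain substring signature: brittle against register/instruction swaps."""
    return NAIVE_SIGNATURE in blob


def loads_rax_with(window: bytes, value: int) -> bool:
    """True if `window` (the bytes just before a syscall) ends with any of the
    recognised encodings that leave `value` in rax. The list is an assumption
    for this example; a real detector would disassemble instead."""
    imm8 = value & 0xFF
    candidates = [
        bytes([0xB0, imm8]),                       # mov al, imm8
        bytes([0x6A, imm8, 0x58]),                 # push imm8 ; pop rax
        b"\xb8" + value.to_bytes(4, "little"),     # mov eax, imm32
    ]
    return any(window.endswith(c) for c in candidates)


def semantic_match(blob: bytes, syscall_no: int = 59, window: int = 8) -> bool:
    """Flag `blob` if any syscall instruction is preceded, within `window`
    bytes, by an encoding that loads `syscall_no` into rax."""
    pos = blob.find(SYSCALL)
    while pos != -1:
        if loads_rax_with(blob[max(0, pos - window):pos], syscall_no):
            return True
        pos = blob.find(SYSCALL, pos + 1)
    return False


def evaluate() -> dict:
    """Run both rules over every constructed variant: name -> (naive, semantic)."""
    return {name: (naive_match(b), semantic_match(b)) for name, b in VARIANTS.items()}


if __name__ == "__main__":
    for name, (naive, semantic) in evaluate().items():
        print(f"{name:9s} naive={naive!s:5s} semantic={semantic}")
```

Only the first variant trips the naive signature, while all three trip the invariant-based rule. The takeaway for a defender is that signatures should be written against what the code must do (reach a given syscall with a given number) rather than against one author's choice of encoding; in practice that means a disassembler-backed rule or behavioural monitoring rather than the fixed-offset byte check sketched here.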

For this assignment I chose the following shellcodes to work with:

  1. Linux/x86-64 – Read /etc/passwd – 82 bytes
  2. Linux/x86-64 – Add map in /etc/hosts file – 110 bytes
  3. Linux/x86-64 – setuid(0) + execve(/bin/sh) – 49 bytes

1. Linux/x86-64 – Read /etc/passwd – 82 bytes

I’m really proud of my achievement with this one. I’ve changed quite a lot and used many operations that I normally only use when optimizing, like ror, imul, cdq (which I use more every day), xchg, sub, dec, inc and add. I managed to increase the size of the asm code by 6 lines but reduce the size of the shellcode to 74 bytes.

Original shellcode

Polymorphic version


2. Linux/x86-64 – Add map in /etc/hosts file – 110 bytes

This next shellcode is my own version of the above shellcode from shell-storm.org. In a nutshell, it adds an entry to /etc/hosts; this could be useful for exploring some phishing attack or maybe even some type of man-in-the-middle attack.

By relying on push-pop combos, together with different register usage and some opcode alternatives, it was possible to reduce the shellcode from 110 to 96 bytes.

Original shellcode

Polymorphic version


3. Linux/x86-64 – setuid(0) + execve(/bin/sh) – 49 bytes

For the last polymorphic shellcode I chose the setuid + execve(/bin/sh) version by evil.xi4oyu. This shellcode spawns a new root shell when run from a privileged process.

Below is my polymorphic version. Although the code contains more instructions than the original, the size was actually decreased from 48 to 43 bytes.

Original shellcode

Polymorphic version


This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert Certification.

Student ID: SLAE64-1440
