This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert
To complete the assignment I opted to use Python as well as an existing implementation of AES. Through some basic research I discovered an existing library called Fernet. Similar to the example from the crypter video, this encryption algorithm is symmetric, which means it uses the same key to encrypt and decrypt.
The code begins by requiring a passphrase with which to encrypt an existing bit of shellcode. I also provided a means to supply both a passphrase and custom shellcode.
The code then takes the requested passphrase and transforms it into an AES key using PBKDF2. The key is then used to encrypt the shellcode.
For the purposes of the exam I opted to have the original shell code, the encrypted shell code and then a decrypted copy of the shell code all displayed.
Finally I had the shell code execute from within Python.
Not being an encryption expert, I'll let my code speak for itself. One area of note is that I found an interesting example on the interwebz that allowed me to execute my opcodes directly from within Python.
Also, as I was creating my Python crypter it took me several days to realize that Python 3 handles hex escapes differently than Python 2. Specifically, I had an opcode (\xc0) that kept getting transformed into \xc3. While not certain, I believe this was due to Python 3 using Unicode.
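The \xc0 to \xc3 behaviour described above, as an added Python 3 example that is not part of the original post: it contrasts the str.encode() path that corrupts high bytes with two ways of building shellcode bytes that keep them intact, plus the byte-for-byte comparison one would use to check a decrypted copy against the original. SAMPLE_OPCODES is a constructed two-byte value, not the post's shellcode.

```python
# Why a text literal such as "\xc0" comes out as c3 80 under Python 3 (added example).

# Constructed two-byte sample; the only thing that matters is the \xc0 the post mentions.
SAMPLE_OPCODES = "\x31\xc0"


def bytes_via_str_encode(opcodes):
    r"""The Python 2 habit: write opcodes as a text literal and call .encode().
    In Python 3 a str is Unicode, so .encode() (default UTF-8) expands every
    code point >= 0x80 into two bytes, e.g. '\xc0' -> b'\xc3\x80'."""
    return opcodes.encode()


def bytes_via_latin1(opcodes):
    """latin-1 maps code points 0..255 one-to-one onto bytes, so a text literal of
    escapes survives unchanged; anything outside that range is not a byte at all."""
    if any(ord(ch) > 0xFF for ch in opcodes):
        raise ValueError("opcode text contains non-byte code points")
    return opcodes.encode("latin-1")


def bytes_via_hex(hexstring):
    """Preferred: keep the shellcode as a hex string (as the script's <hexcode>
    argument does) and decode it straight to bytes, skipping the text layer."""
    return bytes.fromhex(hexstring)


def first_mismatch(expected, got):
    """Compare what went in with what came back out of an encode or decrypt path.
    Returns (offset, expected_byte, got_byte) for the first difference, or None
    if the two byte strings are identical. A length change alone is also reported."""
    for i, (e, g) in enumerate(zip(expected, got)):
        if e != g:
            return (i, e, g)
    if len(expected) != len(got):
        i = min(len(expected), len(got))
        return (i, expected[i] if i < len(expected) else None,
                got[i] if i < len(got) else None)
    return None


if __name__ == "__main__":
    wanted = bytes_via_hex("31c0")
    corrupted = bytes_via_str_encode(SAMPLE_OPCODES)
    intact = bytes_via_latin1(SAMPLE_OPCODES)
    print("str.encode():", corrupted.hex(), "mismatch:", first_mismatch(wanted, corrupted))
    print("latin-1:     ", intact.hex(), "mismatch:", first_mismatch(wanted, intact))
```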
#Author: Aaron Weathersby
#Assignment #7 Crypter
#created for completing the requirements of the SecurityTube Linux Assembly Expert certification: http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert
#Written for Python 2 (see the note above on how Python 3 turns \xc0 into \xc3)
import sys
import base64
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
from cryptography.fernet import Fernet
from ctypes import CDLL, c_char_p, c_void_p, c_int, c_size_t, memmove, cast, CFUNCTYPE

#Preshell Code for /bin/sh
#PLACEHOLDER: the /bin/sh opcodes are not preserved in this copy of the post; paste them here
#as a byte string, or pass custom shellcode as <hexcode> on the command line instead
DEFAULT_SHELLCODE = ""

def usage():
    print "Format: slae-assignment7-encrypt.py <key> <hexcode>"
    print " OR"
    print "Format: slae-assignment7-encrypt.py <key> (a default shell of /bin/sh will be used)"
    sys.exit(1)

def derive_key(password_provided):
    #Code from tutorialsploit / using cryptography library
    password = password_provided.encode() # Convert to type bytes
    salt = b'salt_' # CHANGE THIS - recommend using a key from os.urandom(16), must be of type bytes
    kdf = PBKDF2HMAC(
        algorithm=hashes.SHA256(),
        length=32,                # Fernet needs a 32-byte key, urlsafe-base64 encoded
        salt=salt,
        iterations=100000,
        backend=default_backend()
    )
    return base64.urlsafe_b64encode(kdf.derive(password)) # Can only use kdf once

def to_hex(data):
    #Render raw bytes as a hex string so the shellcode can be copied back into a source file
    hexed = ''
    for x in bytearray(data):
        hexed += '%02x' % x
    return hexed

def run_shellcode(shellcode):
    #code snippet to run shell from python found at http://hacktracking.blogspot.com/2015/05/execute-shellcode-in-python.html
    libc = CDLL('libc.so.6')
    libc.valloc.restype = c_void_p      # without this the pointer is truncated to int on 64-bit
    libc.mprotect.argtypes = [c_void_p, c_size_t, c_int]
    sc = c_char_p(shellcode)
    size = len(shellcode)
    addr = c_void_p(libc.valloc(size))  # page-aligned buffer, as mprotect requires
    memmove(addr, sc, size)
    libc.mprotect(addr, size, 0x7)      # PROT_READ | PROT_WRITE | PROT_EXEC
    run = cast(addr, CFUNCTYPE(c_void_p))
    run()

def main():
    total = len(sys.argv)
    if total == 2:
        print "Default Shell Code is a /bin/sh"
        code = DEFAULT_SHELLCODE
    elif total == 3:
        code = sys.argv[2].decode('hex') # custom shellcode supplied as hex on the command line
    else:
        usage()
    if not code:
        print "No shellcode supplied: fill in DEFAULT_SHELLCODE or pass <hexcode>"
        sys.exit(1)
    key = derive_key(sys.argv[1])
    print "Provided Passphrase: "+sys.argv[1]
    print "Key: "+str(key)
    f = Fernet(key)
    codeencrypted = f.encrypt(code)
    print "Original Shell: "+ '"'+to_hex(code)+'"'
    print "Encrypted Message: "+str(codeencrypted)
    print "Encrypted Shell: "+ '"'+to_hex(codeencrypted)+'"'
    codedecrypted = f.decrypt(codeencrypted)
    print "DeEncrypted Message: "+to_hex(codedecrypted)
    print "Executing Shell Code:"
    run_shellcode(codedecrypted)

if __name__== "__main__":
    main()