MorphAES: IDPS & SandBox & AntiVirus STEALTH KILLER
MorphAES is the world’s first polymorphic shellcode engine, with metamorphic properties and the capability to bypass sandboxes, which makes it undetectable by an IDPS; it is cross-platform as well and library-independent.
Properties:
- Polymorphism (AES encryption)
- Metamorphism (logic and constants changing)
- Platform independent (Linux/BSD/Windows)
- IDPS stealthing (for a single given input, the total number of possible signatures exceeds the number of atoms in the universe)
- Sandbox evasion (special assembly instructions)
- Bad-character avoidance (\x00, \x04, \x05, \x09, \x0a, \x20)
- Can produce executables and be exploited remotely
- Input code can have arbitrary length
- Possibility for a NOP sled
Dependencies for the morpher:
- Python 2.7 – main engine
Dependencies for the code execution:
- 64-bit Intel AES-NI – for decryption
Nonetheless, there are some limitations (aka white-hat aspects):
- Metamorphism is not very robust and can be detected using regular expressions (but can be improved pretty easily)
- Unicode null bytes might still work (but who cares?)
- It will only work on 64-bit Intel processors with AES-NI support, but since all user PCs (Pentium, Celeron, i3, i5, i7) and industry servers (Xeon) have it, this is more a specification than a limitation; a 32-bit implementation is therefore impractical
- Almost any shellcode is guaranteed to work; arbitrary code, however, is not (to avoid malware abuse)
- Windows/BSD PoC and executables are in progress, as well as the ARM version
How it works
- Shellcode padding with NOPs (since AES is a block cipher) and adding an optional NOP sled
- Shellcode encryption with a random key using a custom AES-128-ECB implementation (not the best, but the simplest) – polymorphism
- Constants randomization, logic changes, instructions modification and rewriting – metamorphism
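The limitations above note that the metamorphism can be caught with regular expressions, and the execution dependency is AES-NI for decryption. The following added example (not part of MorphAES) takes the defender's side of that: it scans a raw byte blob for legacy-encoded AES-NI opcodes and flags a key schedule followed by decryption rounds as an AES-NI decryption stub. It assumes the stub uses the legacy `66 0F 38` / `66 0F 3A` encodings (VEX-encoded `vaesdec` forms are not covered) and uses hand-assembled sample bytes.

```python
import re

# Opcode patterns for legacy-encoded (non-VEX) AES-NI instructions on x86-64:
#   66 [REX] 0F 38 DB..DF -> aesimc / aesenc / aesenclast / aesdec / aesdeclast
#   66 [REX] 0F 3A DF     -> aeskeygenassist
# An optional REX byte (40-4F) sits between the 66 prefix and the 0F escape.
AESNI_OPS = re.compile(rb"\x66[\x40-\x4f]?\x0f\x38[\xdb-\xdf]", re.DOTALL)
AESNI_KEYGEN = re.compile(rb"\x66[\x40-\x4f]?\x0f\x3a\xdf", re.DOTALL)

MNEMONICS = {0xDB: "aesimc", 0xDC: "aesenc", 0xDD: "aesenclast",
             0xDE: "aesdec", 0xDF: "aesdeclast"}


def scan_aesni(blob):
    """Count AES-NI instruction encodings found in a byte blob, by role."""
    ops = [MNEMONICS[m.group(0)[-1]] for m in AESNI_OPS.finditer(blob)]
    return {
        "keygenassist": len(AESNI_KEYGEN.findall(blob)),
        "decrypt": ops.count("aesdec") + ops.count("aesdeclast"),
        "encrypt": ops.count("aesenc") + ops.count("aesenclast"),
        "imc": ops.count("aesimc"),
    }


def looks_like_aes_decrypt_stub(blob):
    """Heuristic (assumption, not a MorphAES signature): a key schedule plus
    at least two decryption-round instructions in one blob is suspicious."""
    s = scan_aesni(blob)
    return s["keygenassist"] >= 1 and s["decrypt"] >= 2


# Constructed sample: a fragment shaped like a decrypt stub (hand-assembled).
SAMPLE_STUB = bytes([
    0x66, 0x0F, 0x3A, 0xDF, 0xC1, 0x01,   # aeskeygenassist xmm0, xmm1, 1
    0x66, 0x0F, 0x38, 0xDB, 0xC1,         # aesimc xmm0, xmm1
    0x66, 0x41, 0x0F, 0x38, 0xDE, 0xC1,   # aesdec xmm0, xmm9 (REX.B set)
    0x66, 0x0F, 0x38, 0xDF, 0xC1,         # aesdeclast xmm0, xmm1
])
# Constructed sample: ordinary x86-64 bytes with no AES-NI encodings.
SAMPLE_BENIGN = b"\x48\x31\xc0\x48\x89\xc7\x0f\x05" * 4

if __name__ == "__main__":
    print(scan_aesni(SAMPLE_STUB), looks_like_aes_decrypt_stub(SAMPLE_STUB))
    print(scan_aesni(SAMPLE_BENIGN), looks_like_aes_decrypt_stub(SAMPLE_BENIGN))
```

Because the opcode bytes are fixed by the CPU, this survives the constant and logic rewriting the engine applies; it does not survive a stub that decrypts without AES-NI or uses VEX encodings.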
HowTo
You will have to assemble my custom AESNI-128-ECB implementation on an Intel x64 CPU and put it in the same folder as the Python script.
For Linux:
Execute the Python script and enter your shellcode, or nothing for a default Linux shell. You can specify your own execution address as well.
It is also possible to build and execute on Windows/BSD/Mac, but I’m still testing it.
You can test the Linux PoC in assembly:
or in C: