• Stars: 763
• Rank: 59,519 (Top 2 %)
• Language: C
• License: MIT License
• Created about 2 years ago
• Updated about 2 years ago


Repository Details

MD5-Monomorphic Shellcode Packer - all payloads have the same MD5 hash
    ════════════════════════════════════╦═══
     ╔═╦═╗ ╔═╗ ╔═╗ ╔═╗ ╔═╦═╗ ╔═╗ ╔══╔═╗ ╠═╗
    ═╩ ╩ ╩═╚═╝═╩ ╩═╚═╝═╩ ╩ ╩═╚═╝═╩  ╠═╝═╩ ╩═
    ════════════════════════════════╩═══════
                                  By Retr0id

    ═══ MD5-Monomorphic Shellcode Packer ═══

USAGE: python3 monomorph.py input_file output_file [payload_file]

What does it do?

It packs up to 4KB of compressed shellcode into an executable binary, near-instantly. The output file will always have the same MD5 hash: 3cebbe60d91ce760409bbe513593e401

Currently, only Linux x86-64 is supported. It would be trivial to port this technique to other platforms, although each version would end up with a different MD5. It would also be possible to use a multi-platform polyglot file like APE.

Example usage:

$ python3 monomorph.py bin/monomorph.linux.x86-64.benign bin/monomorph.linux.x86-64.meterpreter sample_payloads/bin/linux.x64.meterpreter.bind_tcp.bin

Why?

People have previously used single collisions to toggle a binary between "good" and "evil" modes. Monomorph takes this concept to the next level.

Some people still insist on using MD5 to reference file samples, for various reasons that don't make sense to me. If any of these people end up investigating code packed using Monomorph, they're going to get very confused.

How does it work?

For every bit we want to encode, a colliding MD5 block has been pre-calculated using FastColl. As summarised here, each collision gives us a pair of blocks that we can swap out without changing the overall MD5 hash. The loader checks which block was chosen at runtime, to decode the bit.

To encode 4KB of data, we need to generate 4*1024*8 collisions (which takes a few hours), taking up 4MB of space in the final file.

To speed this up, I made some small tweaks to FastColl to make it even faster in practice, enabling it to be run in parallel. I'm sure there are smarter ways to parallelise it, but my naive approach is to start N instances simultaneously and wait for the first one to complete, then kill all the others.

Since I've already done the pre-computation, reconfiguring the payload can be done near-instantly. Swapping the state of the pre-computed blocks is done using a technique implemented by Ange Albertini.
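The mechanism described above, as an added example that is not Monomorph's own code: the packer's trick only needs two properties of MD5, namely that a pre-computed pair of same-length blocks collides under the chaining value reached at that point in the file, and that any common suffix appended after a collision leaves the final digest unchanged (Merkle–Damgård). Because FastColl output is not on this page, the single pair embedded here is the published Wang et al. (2004) collision, which is valid under MD5's standard IV and so stands in for the first pre-computed pair; the names `verify_pairs`, `pack`, `unpack`, `fingerprints`, `collision_area_bytes` and the "loader" bytes are all assumptions of this example. `pack`/`unpack` are written for a chain of any number of pairs (the general case the README describes), although only one real pair is available to feed them. The last function shows the defender-side caveat: a second hash such as SHA-256 still separates the two outputs.

```python
"""Encoding bits by MD5 collision-block choice, and why SHA-256 still tells the files apart."""
import hashlib

# The published Wang et al. (2004) identical-prefix MD5 collision: two 128-byte
# messages with the same MD5 under the standard IV.  These are NOT Monomorph's
# FastColl blocks; they stand in for the first pre-computed pair.
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_pairs(pairs: list[tuple[bytes, bytes]]) -> bool:
    """Check that pair i collides under the chaining value reached after pairs 0..i-1.
    Every earlier choice leads to the same internal state, so testing against the
    all-A prefix is sufficient.  Blocks must be whole 64-byte MD5 blocks."""
    prefix = b""
    for a, b in pairs:
        if len(a) != len(b) or len(a) % 64 != 0:
            return False
        if md5_hex(prefix + a) != md5_hex(prefix + b):
            return False
        prefix += a
    return True


def pack(pairs, bits, suffix: bytes) -> bytes:
    """Monomorph-style packing: bit i selects which block of pair i is emitted.
    The suffix models the loader and everything else that follows the collision area."""
    if len(bits) != len(pairs):
        raise ValueError("one pre-computed pair is needed per bit")
    body = b"".join(b if bit else a for (a, b), bit in zip(pairs, bits))
    return body + suffix


def unpack(pairs, packed: bytes) -> list[int]:
    """Loader side: recover each bit by checking which block occupies its slot."""
    bits, offset = [], 0
    for a, b in pairs:
        slot = packed[offset:offset + len(a)]
        if slot == a:
            bits.append(0)
        elif slot == b:
            bits.append(1)
        else:
            raise ValueError(f"slot at offset {offset} matches neither block of its pair")
        offset += len(a)
    return bits


def collision_area_bytes(payload_bytes: int, pair_len: int = 128) -> int:
    """Space the collision area costs: one pair (two 64-byte blocks) per payload bit."""
    return payload_bytes * 8 * pair_len


def fingerprints(data: bytes) -> tuple[str, str]:
    """MD5 alongside SHA-256: the second digest is what distinguishes the variants."""
    return md5_hex(data), hashlib.sha256(data).hexdigest()


def demo() -> dict:
    pairs = [(BLOCK_A, BLOCK_B)]
    # Constructed stand-in for the loader bytes that follow the collision area.
    loader = b"-- constructed loader stub, shared by every packed variant --\n"
    packed0 = pack(pairs, [0], loader)
    packed1 = pack(pairs, [1], loader)
    md5_0, sha_0 = fingerprints(packed0)
    md5_1, sha_1 = fingerprints(packed1)
    return {
        "pairs_valid": verify_pairs(pairs),
        "md5_equal": md5_0 == md5_1,          # True: same MD5 for both variants
        "sha256_equal": sha_0 == sha_1,       # False: SHA-256 still separates them
        "decoded": (unpack(pairs, packed0), unpack(pairs, packed1)),
        "area_for_4kb": collision_area_bytes(4 * 1024),  # 4 MB, as the README states
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Feeding `verify_pairs` a full chain of FastColl pairs is the check a reviewer of such a file would run before trusting the "same MD5 for every payload" claim; `fingerprints` is the reason sample-tracking should key on SHA-256 rather than MD5.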

Is it detectable?

Yes. It's not very stealthy at all, nor does it try to be. You can detect the collision blocks using detectcoll.

More Repositories

1. tweetable-polyglot-png: Pack up to 3MB of data into a tweetable PNG polyglot file. (Python, 2,467 stars)
2. ambiguous-png-packer: Craft PNG files that appear completely different in Apple software [NOW PATCHED] (Python, 1,055 stars)
3. dlinject: Inject a shared library (i.e. arbitrary code) into a live linux process, without ptrace (Python, 707 stars)
4. NXLoader: My first Android app: Launch Fusée Gelée payloads from stock Android (CVE-2018-6242) (Java, 491 stars)
5. pwn-mbr: A simple MBR hijack demonstration (C, 172 stars)
6. libleakmydata: A simple LD_PRELOAD library to disable SSL certificate verification. Inspired by libeatmydata. (C, 159 stars)
7. TARDIS: Trace And Rewrite Delays In Syscalls: Hooking time-related Linux syscalls to warp a process's perspective of time, using ptrace. (C, 153 stars)
8. TwitterHD: A userscript that forces twitter to always load images and videos in full resolution (JavaScript, 99 stars)
9. unsafe-python: A library to assist writing memory-unsafe code in "pure" python, without any imports (i.e. no ctypes etc.) (Python, 83 stars)
10. Turbo-Recadmiumator: A remake of truedread/netflix-1080p which auto-patches cadmium-playercore at runtime to enable enhanced playback features. (NOTE: still working in 2023 despite no code updates for 2 years 😎) (JavaScript, 69 stars)
11. parallel-png-proposal (Python, 69 stars)
12. stelf-loader: A stealthy ELF loader - no files, no execve, no RWX (C, 64 stars)
13. fusee-nano: A minimalist re-implementation of the Fusée Gelée exploit, designed to run on embedded Linux devices. (Zero dependencies) (C, 60 stars)
14. fusee-lede: Instructions/files for building a custom LEDE image to turn cheap routers into a Nintendo Switch "modchip"/"dongle". Powered by https://github.com/DavidBuchanan314/fusee-nano (Makefile, 53 stars)
15. RootMyTV: Placeholder repo 👀 (47 stars)
16. WAMpage: WAMpage - A WebOS root LPE exploit chain (CVE-2022-23731) (JavaScript, 46 stars)
17. 6502-emu: A simple 6502 emulator, with I/O via a 6850 UART. (C, 29 stars)
18. cowroot: Universal Android root tool based on CVE-2016-5195. Watch this space. (C, 29 stars)
19. picopds: A minimum viable atproto PDS for protocol experimentation purposes (Python, 28 stars)
20. boiga: A Python library enabling ergonomic Scratch 3.0 code generation. (Python, 28 stars)
21. webos-vncserver: An extremely hacky VNC server for WebOS - Works by reading directly from the GPU's framebuffer. (C, 26 stars)
22. wifi-sdcf: Reverse Engineering notes on the Dxingtek/Keytech(?) WiFi@SDCF card (Python, 19 stars)
23. trumpogram: The World, according to Donald Trump (Python, 16 stars)
24. aes-playground: My experiments in understanding AES, Whitebox AES, and related attacks (Python, 16 stars)
25. p65a: Pythonic 6502 Assembler: An experimental alternative to traditional assemblers. (Python, 15 stars)
26. rc4: A python3 RC4 implementation that doesn't suck. (i.e. it's actually binary-safe...) (Python, 14 stars)
27. bitmap-font-css: Trying to make bitmap web fonts look better. (11 stars)
28. scratch-cryptography-library: Modern cryptography primitives implemented in Scratch, via Boiga (Python, 10 stars)
29. scratch-vscode: Preview Scratch projects inside vscode, with live reload. (TypeScript, 9 stars)
30. ScapyGuard: An extremely bare-bones Python3 WireGuard client. (Python, 9 stars)
31. rsyscall-lkm: rsyscall is a dirty hack that allows you to execute syscalls in the context of another Linux process. M̶a̶y̶ Will explode your kernel. (C, 8 stars)
32. hello_png: Example code from my blog post of the same title (Python, 8 stars)
33. beatstar-tools: Scripts for datamining the Beatstar mobile game (Python, 7 stars)
34. shellinject: Spawn a reverse TCP shell in the context of another Linux process (Python, 7 stars)
35. python-bitsliced-aes: An experimental implementation of bitsliced aes in pure python. Quite possibly the fastest pure-python AES implementation on the planet. (Python, 7 stars)
36. classic-ipod-tools: Tools for manipulating classic ipod firmware images etc. (C, 6 stars)
37. bagel: [WIP] bagel is a Binary age aLternative - mostly the same as age but with a binary header format. (Python, 6 stars)
38. python-ssh-server: A very incomplete, incompatible, and insecure implementation of RFC4253 (Python, 5 stars)
39. cursed-code: A repo to keep track of all the useful/hacky/cursed scripts and one-liners I write (Assembly, 5 stars)
40. dag-cbrrr: A reasonably fast DAG-CBOR parser for Python (C, 5 stars)
41. chip8: A simple CHIP-8 Emulator with a GTK+ frontend (C, 5 stars)
42. merkle-search-tree: An abstract implementation of a Merkle Search Tree, structurally compatible with ATProto's instantiation (Python, 5 stars)
43. fakeIoT: Yet another telnet honeypot. (Ruby, 5 stars)
44. dram_emfi: playing with DDR DRAM bus fault injection (Python, 5 stars)
45. imgur-anti-anti-hotlink: A very simple WebExtension to prevent imgur from preventing you from viewing images directly. (JavaScript, 4 stars)
46. reveilid: WIP (Python, 3 stars)
47. gif-enc: A rather inefficient GIF encoder, in python. (Python, 3 stars)
48. magic-helloworld: A program that prints "Hello World!" by magic, with a single memcpy. (C, 3 stars)
49. ipod-toslink-mod: Adding optical digital audio output to classic iPods (3 stars)
50. shellcode: My personal shellcode collection. (Python, 3 stars)
51. iPodWizard-mirror: A git mirror of iPodWizard: https://sourceforge.net/projects/ipodwizard/ (C++, 3 stars)
52. picofeedgen: A minimum-viable atproto feed generator (Python, 3 stars)
53. irradiate.py: a simple script to simulate random "cosmic ray" memory errors against a linux process (Python, 3 stars)
54. falling-block-game: resemblance to any other game is purely coincidental (Python, 3 stars)
55. AnonymOS: Yet another unnamed operating system project. (C, 2 stars)
56. 6502-sbc: Documentation and code for my 6502 SBC (Assembly, 2 stars)
57. distrust: A very very WIP type-2 hypervisor in Rust, which uses the Linux KVM API. (Rust, 2 stars)
58. ROLL13: an (unfinished) TLSv1.3 client in pure python, hand-rolled from first principles. (Python, 2 stars)
59. CVE-2017-13672: POCs for CVE-2017-13672 (OOB read in VGA Cirrus QEMU driver, causing DoS) (C, 2 stars)
60. branflakes: Yet another x86_64 optimising Brainf*ck JIT compiler. (Brainfuck, 2 stars)
61. pda-hax (Objective-C, 1 star)
62. zoom-enhance: CSI style "Zoom and Enhance" with Google Maps (JavaScript, 1 star)
63. fizzbuzz-ng: The fastest fizzbuzz in the universe. (1 star)
64. duino-coin-fork (Python, 1 star)
65. english-letter-freqs: Useful generation scripts and precomputed LUTs useful for performing frequency analysis on English text. (Python, 1 star)
66. CHIP8-ROP: A chip8 emulator that translates programs into a giant ROP payload. Not my best idea... (C, 1 star)
67. branflakes-ng: An improved version of my older project "branflakes", an optimising brainfuck compiler. (Brainfuck, 1 star)
68. css-gradient-fixer: CSS Gradient Fixer (HTML, 1 star)
69. coursework: Random Cardiff uni CompSci coursework solutions, of varying quality. (PHP, 1 star)
70. pcb-pattern: Renders a random PCB pattern using HTML5 canvas. (JavaScript, 1 star)