14

I came across this payload named "Shikata Ga Nai" (in Japanese it means nothing can be done about it). Some exe file was generated and when it is executed, a reverse shell can be obtained. But this can be done by many payloads on Metasploit. Is there anything unique about this encoder?

Edited: As mentioned by Micheal, it is not a payload but an encoder.

one

2 Answers

19

Shikata Ga Nai is an encoder included in the Metasploit framework for the x86 architecture. From the available source code:

This encoder implements a polymorphic XOR additive feedback encoder. The decoder stub is generated based on dynamic instruction substitution and dynamic block ordering. Registers are also selected dynamically.

An academic paper describing techniques to extract encoded payloads offers the following explanation:

This encoder offers three features that provide advanced protection when combined.

  • First, the decoder stub generator uses metamorphic techniques, through code reordering and substitution, to produce different output each time it is used, in an effort to avoid signature recognition.
  • Second, it uses a chained self modifying key through additive feedback. This means that if the decoding input or keys are incorrect at any iteration then all subsequent output will be incorrect.
  • Third, the decoder stub is itself partially obfuscated via self-modifying of the current basic block as well as armored against emulation using FPU instructions.
amccormack
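To make the "chained self-modifying key through additive feedback" point concrete, here is an added toy model in Python of the XOR-plus-additive-feedback arithmetic the answer describes. It is my example, not Metasploit's encoder: it leaves out the polymorphic decoder stub entirely and uses constructed sample words and a hypothetical key.

```python
"""Toy model of the XOR + additive-feedback scheme described above.
Added example, not Metasploit's code: it models only the arithmetic of the
decode loop, not the dynamically generated x86 stub."""
import struct

MASK = 0xFFFFFFFF

def sgn_encode(data: bytes, key: int) -> bytes:
    """Encode 4-byte little-endian blocks: XOR with the running key, then
    add the plaintext block into the key so every later block depends on it."""
    if len(data) % 4:
        raise ValueError("input must be a multiple of 4 bytes")
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", data):
        out += struct.pack("<I", word ^ key)
        key = (key + word) & MASK
    return bytes(out)

def sgn_decode(data: bytes, key: int) -> bytes:
    """Mirror of the decode loop: XOR with the key, then feed the *decoded*
    word back into the key (the chained, self-modifying key)."""
    out = bytearray()
    for (word,) in struct.iter_unpack("<I", data):
        plain = word ^ key
        out += struct.pack("<I", plain)
        key = (key + plain) & MASK
    return bytes(out)

def wrong_blocks(expected: bytes, actual: bytes) -> list:
    """Byte offsets of the 4-byte blocks that differ between two buffers."""
    return [i for i in range(0, len(expected), 4)
            if expected[i:i + 4] != actual[i:i + 4]]

# Constructed sample input: four small dwords and a hypothetical key, chosen
# so the arithmetic can be followed by hand.
SAMPLE = struct.pack("<4I", 1, 2, 3, 4)
KEY = 0x100

def error_propagation():
    """Show the feedback property: a wrong key or a single flipped ciphertext
    bit desynchronises the key chain for every block after the damage."""
    enc = sgn_encode(SAMPLE, KEY)
    wrong_key = wrong_blocks(SAMPLE, sgn_decode(enc, 0x200))
    damaged = bytearray(enc)
    damaged[4] ^= 0x01                      # flip one bit in block 1
    flipped = wrong_blocks(SAMPLE, sgn_decode(bytes(damaged), KEY))
    return wrong_key, flipped

if __name__ == "__main__":
    print(sgn_encode(SAMPLE, KEY).hex())
    print(error_propagation())
```

One caveat the paper's wording glosses over: because the feedback is additive rather than a hash, a key guess that is off by a small amount can occasionally resynchronise after one block, so "all subsequent output will be incorrect" holds in general but is not a strict guarantee.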
10

Shikata Ga Nai isn't a payload, but an encoder. The payload is the reverse shell.

Metasploit offers several encoders, Shikata Ga Nai being one of them. An encoder attempts to overcome detection by AV, network intrusion detection, and keep characters that can cause a crash of the victim out of the payload, like null bytes.

h4ckNinja