Difference between revisions of "Shellcodecs"
(→Contents) |
(→Contents) |
||
Line 18: | Line 18: | ||
'''Loaders''' | '''Loaders''' | ||
+ | --- | ||
* 32-bit executable mmap-based shellcode loader ''66 bytes'' ([[Shellcode/Appendix#loader-32.s|loader-32.s]]) ([[Shellcode/Loaders|Docs]]) | * 32-bit executable mmap-based shellcode loader ''66 bytes'' ([[Shellcode/Appendix#loader-32.s|loader-32.s]]) ([[Shellcode/Loaders|Docs]]) | ||
* 64-bit executable mmap-based shellcode loader ''79 bytes'' ([[Shellcode/Appendix#loader-64.s|loader-64.s]]) ([[Shellcode/Loaders|Docs]]) | * 64-bit executable mmap-based shellcode loader ''79 bytes'' ([[Shellcode/Appendix#loader-64.s|loader-64.s]]) ([[Shellcode/Loaders|Docs]]) | ||
* A dynamic loader for locally executable code in [[C]] ([[Shellcode/Appendix#dynamic-loader.c|dynamic-loader.c]]) | * A dynamic loader for locally executable code in [[C]] ([[Shellcode/Appendix#dynamic-loader.c|dynamic-loader.c]]) | ||
* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]]) | * A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]]) | ||
+ | |||
+ | |||
'''Environment''' | '''Environment''' | ||
+ | --- | ||
Description: A 32-bit getpc (%eax) example | Description: A 32-bit getpc (%eax) example | ||
Filename: getpc-32.s | Filename: getpc-32.s | ||
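Review bot: the `---` appended to the '''Loaders''' and '''Environment''' lines is literal text on the same line as the bold label, so it renders inline as "Loaders ---" instead of as a separator. Use section heading markup for these labels, or put a horizontal rule (`----`) on its own line after each of them.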
Line 52: | Line 56: | ||
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2 | Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2 | ||
Length: 13 bytes | Length: 13 bytes | ||
− | + | ||
+ | '''Payloads''' | ||
+ | |||
+ | |||
+ | '''''Null-free''''' | ||
+ | |||
Description: A very short setuid(0); execve('/bin/sh',0,0); | Description: A very short setuid(0); execve('/bin/sh',0,0); | ||
Filename: setuid_binsh.s | Filename: setuid_binsh.s | ||
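Review bot: the new '''Payloads''' label is added without the `---` suffix that this same revision gives '''Loaders''' and '''Environment''', so the three top-level labels no longer match. Pick one convention and apply it to all three.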
Line 61: | Line 70: | ||
Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free | Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free | ||
Length: 90 bytes | Length: 90 bytes | ||
− | + | ''''' socket-reuse ''''' | |
Description: same-socket-shell payload | Description: same-socket-shell payload | ||
Filename: socket-reuse.s | Filename: socket-reuse.s |
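Review bot: the added ''''' socket-reuse ''''' label has padding spaces inside the bold-italic markers and a lowercase name, unlike the '''''Null-free''''' label added earlier in the same revision. Write it as '''''Socket-reuse''''' so the payload sub-labels are consistent.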
Revision as of 01:10, 2 December 2012
Shellcodecs is a collection of shellcodes, loaders, sources, and generators designed to ease the exploitation and shellcode programming process.
These shellcodes are provided with documentation located at Shellcode
END USER IS LIABLE FOR THEIR OWN ACTIONS
In order to run these shellcodes, the following dependencies are required:
Unless otherwise noted, code is amd64. There are various intel32 and other examples as well. If you're unaware, amd64 is the main Linux tree for 64-bit, so if you have an Intel processor, you should still be OK. If you think you may have an out-of-date version, or that the official version is out of sync with the site, the latest sources will be available 100% of the time in the shellcode appendix.
Contents
Loaders ---
- 32-bit executable mmap-based shellcode loader 66 bytes (loader-32.s) (Docs)
- 64-bit executable mmap-based shellcode loader 79 bytes (loader-64.s) (Docs)
- A dynamic loader for locally executable code in C (dynamic-loader.c)
- A dynamic loader for remotely executable code (socket-loader.c)
Environment ---
Description: A 32-bit getpc (%eax) example
Filename: getpc-32.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
Length: 11 bytes

Description: A 64-bit getpc (%rax) example
Filename: getpc-64.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
Length: 12 bytes

Description: Alternative 64-bit getpc (%rax) example
Filename: getpc-64-alt.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
Length: 10 bytes

Description: Breakpoint detection code
Filename: int3-detect-64.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#int3_breakpoints
Length: 24 bytes

Description: 32-bit lastcall example code
Filename: lastcall-32.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#32-bit
Length: 4 bytes

Description: 64-bit lastcall example
Filename: lastcall-64.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#64-bit
Length: 5 bytes

Description: Alphanumeric lastcall
Filename: lastcall-alphanum.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2
Length: 13 bytes
Payloads
Null-free
Description: A very short setuid(0); execve('/bin/sh',0,0);
Filename: setuid_binsh.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
Length: 32 bytes

Description: A small write-to-file payload
Filename: write-file-32.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
Length: 90 bytes
socket-reuse
Description: same-socket-shell payload
Filename: socket-reuse.s
Documentation: http://blackhatlibrary.net/Shellcode/Socket-reuse
Length: 115 bytes

Description: sends socket reuse shellcode
Filename: socket-reuse.c
self-modifying
Description: 32-bit shellcode unpacker
Filename: decoder-32.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
Length: 89 bytes

Description: 64-bit decoder (mmap)
Filename: decoder.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
Length: 102 bytes

Description: 64-bit decoder
Filename: decoder-no-mmap.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
Length: 69 bytes

Description: 32-bit shellcode packer
Filename: packer-32.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#32_bit
Length: 37 bytes

Description: 64-bit shellcode packer
Filename: packer-64.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#64_bit
Length: 55 bytes
alphanumeric
Filename: ascii_binsh.s
Description: alphanumeric execve('/bin/sh',0,0)
Documentation: http://www.blackhatlibrary.net/Shellcode/Alphanumeric
Length: 111 bytes

Filename: architecture_detection
Description: alphanumeric x86* compatible architecture detection stub
Documentation: http://www.blackhatlibrary.net/Shellcode/Environment
Length: 15 bytes
dynamic
Description: Self-linking exit code
Filename: linked-exit.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic
Length: 135 bytes

Description: Self-linking socket reuse shellcode
Filename: linker-fd-reuse.s
Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic#The_dynamic_shell
Length: 268 bytes

Description: Self-linking polymorphic socket reuse shellcode
Filename: poly-linker-fd-reuse.s
Documentation: None
Length: 268 bytes
generators
Description: Hash generator for self-linking shellcode
Filename: hash-generator.s
Documentation: None
Length: 81 bytes

Description: Socket-reuse shellcode generator
Filename: socket-reuse-generator.py
Documentation: None

Description: Polymorphic socket reuse generator
Filename: poly-socket-reuse-generator.py
Documentation: None

Description: Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable)
Filename: shellcode-generator.py
Documentation: None
Building the code
- tar xzvf shellcode.tgz
- cd shellcode
- make

It is also possible to make exclusively x86 or x64 binaries using make x86 or make x64. Please keep in mind, there is more support for 64-bit in this package than 32-bit.
Using the tools
[loaders] [generators]
Getting help
Note: We are not your free tech support.

Reminder: Docs are available at http://www.blackhatlibrary.net/shellcode

If you're using the tools and there's a problem, try re-reading the documentation before asking a question. If you're absolutely sure it is a programming error and not user error preventing the code from working properly, you can let us know by joining our IRC or talking on the shellcode talk page.

If you'd like to pay for professional training on the materials contained in this courseware, please contact our sponsor at www.viralsec.com
Credits
Lead developer: Hatter
Supporting developers: jtRIPper, eax
Community: www.blackhatlibrary.net
Commercial: www.viralsec.com