Difference between revisions of "Shellcodecs"

From NetSec
(Contents)
(Contents)
Line 27: Line 27:
 
:* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]])
 
:* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]])
 
</div>
 
</div>
 +
  
  
 
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
 
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
<center>'''Stubs'''</center>
+
<center>'''Tools'''</center>
  
 
-----
 
-----
  
:* A 32-bit getpc (%eax) example ''11 bytes'' ([[Shellcode/Appendix#getpc-32.s|getpc-32.s]]) ([[Shellcode/Environment#x86_.2832_bit.29|Docs]])
+
:* Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable) ([[Shellcode/Appendix#shellcode-generator.py|shellcode-generator.py]])
:* A 64-bit getpc (%rax) example ''12 bytes'' ([[Shellcode/Appendix#getpc-64.s|getpc-64.s]]) ([[Shellcode/Environment#x64|Docs]])
+
:* Hash-generator for self-linking shellcode ''81 bytes'' ([[Shellcode/Appendix#hash-generator.s|hash-generator.s]])
:* Alternative 64-bit getpc ''10 bytes'' ([[Shellcode/Appendix#getpc-64-alt.s|getpc-64-alt.s]]) ([[Shellcode/Environment#x64|Docs]])
+
:* Socket-reuse shellcode generator ([[Shellcode/Appendix#socket-reuse-generator.py|socket-reuse-generator.py]])
:* Int3 detection code ''24 bytes'' ([[Shellcode/Appendix#int3-detect-64.s|int3-detect-64.s]]) ([[Shellcode/Environment#int3_breakpoints|Docs]])
+
:* Polymorphic socket reuse generator ([[Shellcode/Appendix#poly-socket-reuse-generator.py|poly-socket-reuse-generator.py]])
:* 32-bit lastcall example code ''4 bytes'' ([[Shellcode/Appendix#lastcall-32.s|lastcall-32.s]]) ([[Shellcode/Environment#Null-free|Docs]])
+
:* Sends socket reuse shellcode ([[Shellcode/Appendix#socket-reuse.c|socket-reuse.c]])
:* 64-bit lastcall example code ''5 bytes'' ([[Shellcode/Appendix#lastcall-64.s|lastcall-64.s]]) ([[Shellcode/Environment#Null-free_2|Docs]])
+
:* 32-bit shellcode packer ''37 bytes'' ([[Shellcode/Appendix#packer-32.s|packer-32.s]]) ([[Shellcode/Self-modifying#32_bit]])
:* 64-bit alphanumeric lastcall example code ''13 bytes'' ([[Shellcode/Appendix#lastcall-alphanum.s|lastcall-alphanum.s]]) ([[Shellcode/Environment#Alphanumeric_2|Docs]])
+
:* 64-bit shellcode packer ''55 bytes'' ([[Shellcode/Appendix#packer-64.s|packer-64.s]]) ([[Shellcode/Self-modifying#64_bit]])
:* Alphanumeric x86* compatible getCPU ''15 bytes'' ([[Shellcode/Appendix#architecture_detection|architecture_detection]]) ([[Shellcode/Environment#Practically_Applied:_Code|Docs]])
+
:* 32-bit shellcode unpacker ''89 bytes'' ([[Shellcode/Appendix#decoder-32.s|decoder-32.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
+
:* 64-bit shellcode unpacker (mmap) ''102 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
+
:* 64-bit shellcode unpacker ''69 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
+
  
 
</div>
 
</div>
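Review bot: The two packer entries in the Tools list link `[[Shellcode/Self-modifying#32_bit]]` and `[[Shellcode/Self-modifying#64_bit]]` with no `|Docs` label, unlike the other documentation links in these lists, so they will render as the raw page title; add the label. The two 64-bit unpacker entries (''102 bytes'' with mmap and ''69 bytes'') both point at `Shellcode/Appendix#decoder-64.s`, so a reader cannot tell which source each size refers to; give the mmap variant its own appendix anchor or merge the two entries.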
Line 62: Line 59:
 
:* Null-free polymorphic dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#poly-linker-fd-reuse.s|poly-linker-fd-reuse.s]])  
 
:* Null-free polymorphic dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#poly-linker-fd-reuse.s|poly-linker-fd-reuse.s]])  
 
</div>
 
</div>
 +
 +
  
 
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
 
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
<center>'''Tools'''</center>
+
<center>'''Stubs'''</center>
  
 
-----
 
-----
  
:* Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable) ([[Shellcode/Appendix#shellcode-generator.py|shellcode-generator.py]])
+
:* A 32-bit getpc (%eax) example ''11 bytes'' ([[Shellcode/Appendix#getpc-32.s|getpc-32.s]]) ([[Shellcode/Environment#x86_.2832_bit.29|Docs]])
:* Hash-generator for self-linking shellcode ''81 bytes'' ([[Shellcode/Appendix#hash-generator.s|hash-generator.s]])
+
:* A 64-bit getpc (%rax) example ''12 bytes'' ([[Shellcode/Appendix#getpc-64.s|getpc-64.s]]) ([[Shellcode/Environment#x64|Docs]])
:* Socket-reuse shellcode generator ([[Shellcode/Appendix#socket-reuse-generator.py|socket-reuse-generator.py]])
+
:* Alternative 64-bit getpc ''10 bytes'' ([[Shellcode/Appendix#getpc-64-alt.s|getpc-64-alt.s]]) ([[Shellcode/Environment#x64|Docs]])
:* Polymorphic socket reuse generator ([[Shellcode/Appendix#poly-socket-reuse-generator.py|poly-socket-reuse-generator.py]])
+
:* Int3 detection code ''24 bytes'' ([[Shellcode/Appendix#int3-detect-64.s|int3-detect-64.s]]) ([[Shellcode/Environment#int3_breakpoints|Docs]])
:* Sends socket reuse shellcode ([[Shellcode/Appendix#socket-reuse.c|socket-reuse.c]])
+
:* 32-bit lastcall example code ''4 bytes'' ([[Shellcode/Appendix#lastcall-32.s|lastcall-32.s]]) ([[Shellcode/Environment#Null-free|Docs]])
:* 32-bit shellcode packer ''37 bytes'' ([[Shellcode/Appendix#packer-32.s|packer-32.s]]) ([[Shellcode/Self-modifying#32_bit]])
+
:* 64-bit lastcall example code ''5 bytes'' ([[Shellcode/Appendix#lastcall-64.s|lastcall-64.s]]) ([[Shellcode/Environment#Null-free_2|Docs]])
:* 64-bit shellcode packer ''55 bytes'' ([[Shellcode/Appendix#packer-64.s|packer-64.s]]) ([[Shellcode/Self-modifying#64_bit]])
+
:* 64-bit alphanumeric lastcall example code ''13 bytes'' ([[Shellcode/Appendix#lastcall-alphanum.s|lastcall-alphanum.s]]) ([[Shellcode/Environment#Alphanumeric_2|Docs]])
 +
:* Alphanumeric x86* compatible getCPU ''15 bytes'' ([[Shellcode/Appendix#architecture_detection|architecture_detection]]) ([[Shellcode/Environment#Practically_Applied:_Code|Docs]])
 +
:* 32-bit shellcode unpacker ''89 bytes'' ([[Shellcode/Appendix#decoder-32.s|decoder-32.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
 +
:* 64-bit shellcode unpacker (mmap) ''102 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
 +
:* 64-bit shellcode unpacker ''69 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
  
 
</div>
 
</div>
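Review bot: The three unpacker entries at the end of this list (decoder-32.s and the two decoder-64.s lines) also appear at the end of the list in the "Line 27" hunk, so confirm they are not listed under both Tools and Stubs after the two blocks are swapped, and keep them under one heading only. The wrapping div in both hunks sets `overflow:none`, which is not a valid CSS `overflow` value; use `hidden`, `auto` or `visible`.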

Revision as of 03:11, 2 December 2012

Shellcodecs is a collection of shellcodes, loaders, sources, and generators designed to ease the exploitation and shellcode programming process.

These shellcodes are provided with documentation located at Shellcode

END USER IS LIABLE FOR THEIR OWN ACTIONS

In order to run these shellcodes, the following dependencies are required:

Unless otherwise noted, code is amd64. There are various 32-bit Intel examples as well. If you're unaware, amd64 is the main Linux tree for 64-bit, so if you have an Intel processor, you should still be OK. If you think you may have an out-of-date version, or that the official version is out of sync with the site, the latest sources will be available 100% of the time in the shellcode appendix.

Contents

Loaders


Tools


Payloads


Stubs

Building the code

   * tar xzvf shellcode.tgz
   * cd shellcode
   * make 
   It is also possible to make exclusively x86 or x64 
   binaries using make x86 or make x64.  Please keep in
   mind, there is more support for 64-bit in this 
   package than 32-bit.    

Using the tools

   [loaders]
   [generators]   

Getting help

   Note: We are not your free tech support.
   Reminder: Docs are available at http://www.blackhatlibrary.net/shellcode

If you're using the tools and there's a problem, try re-reading the documentation before asking a question. If you're absolutely sure it is a programmatic error and not user error preventing the code from working properly, you can let us know by joining our IRC or talking on the shellcode talk page.

If you'd like to pay for professional training on the materials contained in this courseware, please contact our sponsor at www.viralsec.com

Credits

 Lead developer:        Hatter
 Supporting developers: jtRIPper, eax
 Community:   www.blackhatlibrary.net
 Commercial:     www.viralsec.com