Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Shellcodecs"
From NetSec
(→Contents) |
|||
| Line 14: | Line 14: | ||
== Contents == | == Contents == | ||
| − | + | <center> | |
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | <div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | ||
| − | + | '''Loaders''' | |
----- | ----- | ||
| − | + | <div align="left"> | |
:* 32-bit executable mmap-based shellcode loader ''66 bytes'' ([[Shellcode/Appendix#loader-32.s|loader-32.s]]) ([[Shellcode/Loaders|Docs]]) | :* 32-bit executable mmap-based shellcode loader ''66 bytes'' ([[Shellcode/Appendix#loader-32.s|loader-32.s]]) ([[Shellcode/Loaders|Docs]]) | ||
:* 64-bit executable mmap-based shellcode loader ''79 bytes'' ([[Shellcode/Appendix#loader-64.s|loader-64.s]]) ([[Shellcode/Loaders|Docs]]) | :* 64-bit executable mmap-based shellcode loader ''79 bytes'' ([[Shellcode/Appendix#loader-64.s|loader-64.s]]) ([[Shellcode/Loaders|Docs]]) | ||
:* A dynamic loader for locally executable code in [[C]] ([[Shellcode/Appendix#dynamic-loader.c|dynamic-loader.c]]) | :* A dynamic loader for locally executable code in [[C]] ([[Shellcode/Appendix#dynamic-loader.c|dynamic-loader.c]]) | ||
:* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]]) | :* A dynamic loader for remotely executable code ([[Shellcode/Appendix#socket-loader.c|socket-loader.c]]) | ||
| − | </div> | + | </div></div> |
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | <div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | ||
| − | + | '''Tools''' | |
----- | ----- | ||
| − | + | <div align="left"> | |
:* Nicely output shellcode in a variety of formats ([[Shellcode/Appendix#shellcode-generator.py|shellcode-generator.py]]) | :* Nicely output shellcode in a variety of formats ([[Shellcode/Appendix#shellcode-generator.py|shellcode-generator.py]]) | ||
:* Hash-generator for self-linking shellcode ''81 bytes'' ([[Shellcode/Appendix#hash-generator.s|hash-generator.s]]) | :* Hash-generator for self-linking shellcode ''81 bytes'' ([[Shellcode/Appendix#hash-generator.s|hash-generator.s]]) | ||
| Line 41: | Line 41: | ||
:* 64-bit shellcode packer ''55 bytes'' ([[Shellcode/Appendix#packer-64.s|packer-64.s]]) ([[Shellcode/Self-modifying#64_bit|Docs]]) | :* 64-bit shellcode packer ''55 bytes'' ([[Shellcode/Appendix#packer-64.s|packer-64.s]]) ([[Shellcode/Self-modifying#64_bit|Docs]]) | ||
:* ELF64 symbol table parser ''188 bytes'' ([[Shellcode/Appendix#elf64-parser.s|elf64-parser.s]]) ([[Shellcode/Parsing|Docs]]) | :* ELF64 symbol table parser ''188 bytes'' ([[Shellcode/Appendix#elf64-parser.s|elf64-parser.s]]) ([[Shellcode/Parsing|Docs]]) | ||
| − | </div> | + | </div></div> |
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | <div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | ||
| − | + | '''Payloads''' | |
----- | ----- | ||
| − | + | <div align="left"> | |
:* Short unlinked 64-bit null-free setuid(0); execve('/bin/sh',0,0); ''32 bytes'' ([[Shellcode/Appendix#setuid_binsh.s|setuid_binsh.s]]) ([[Shellcode/Null-free#64-bit|Docs]]) | :* Short unlinked 64-bit null-free setuid(0); execve('/bin/sh',0,0); ''32 bytes'' ([[Shellcode/Appendix#setuid_binsh.s|setuid_binsh.s]]) ([[Shellcode/Null-free#64-bit|Docs]]) | ||
:* Small unlinked 32-bit null-free write-to-file payload ''90 bytes'' ([[Shellcode/Appendix#write-file-32.s|write-file-32.s]]) ([[Shellcode/Null-free#32-bit|Docs]]) | :* Small unlinked 32-bit null-free write-to-file payload ''90 bytes'' ([[Shellcode/Appendix#write-file-32.s|write-file-32.s]]) ([[Shellcode/Null-free#32-bit|Docs]]) | ||
| Line 56: | Line 56: | ||
:* Null-free dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#linker-fd-reuse.s|linker-fd-reuse.s]]) ([[Shellcode/Dynamic#The_dynamic_shell|Docs]]) | :* Null-free dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#linker-fd-reuse.s|linker-fd-reuse.s]]) ([[Shellcode/Dynamic#The_dynamic_shell|Docs]]) | ||
:* Null-free polymorphic dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#poly-linker-fd-reuse.s|poly-linker-fd-reuse.s]]) | :* Null-free polymorphic dynamic ELF64 socket reuse shellcode ''268 bytes'' ([[Shellcode/Appendix#poly-linker-fd-reuse.s|poly-linker-fd-reuse.s]]) | ||
| − | </div> | + | </div></div> |
<div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | <div style="width:600px; overflow:none; border:1px solid black; margin:4px; padding: 3px; border-radius:11px"> | ||
| − | + | '''Stubs''' | |
----- | ----- | ||
| − | + | <div align="left"> | |
:* A 32-bit getpc (%eax) example ''11 bytes'' ([[Shellcode/Appendix#getpc-32.s|getpc-32.s]]) ([[Shellcode/Environment#x86_.2832_bit.29|Docs]]) | :* A 32-bit getpc (%eax) example ''11 bytes'' ([[Shellcode/Appendix#getpc-32.s|getpc-32.s]]) ([[Shellcode/Environment#x86_.2832_bit.29|Docs]]) | ||
:* A 64-bit getpc (%rax) example ''12 bytes'' ([[Shellcode/Appendix#getpc-64.s|getpc-64.s]]) ([[Shellcode/Environment#x64|Docs]]) | :* A 64-bit getpc (%rax) example ''12 bytes'' ([[Shellcode/Appendix#getpc-64.s|getpc-64.s]]) ([[Shellcode/Environment#x64|Docs]]) | ||
| Line 77: | Line 77: | ||
:* 64-bit shellcode unpacker ''69 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]]) | :* 64-bit shellcode unpacker ''69 bytes'' ([[Shellcode/Appendix#decoder-64.s|decoder-64.s]]) ([[Shellcode/Self-modifying#The_unpacker|Docs]]) | ||
| − | </div> | + | </div></div> |
| + | </center> | ||
=Building the code= | =Building the code= | ||
Revision as of 23:16, 24 May 2013
Shellcodecs is a collection of shellcodes, loaders, sources, and generators designed to ease the exploitation and shellcode programming process.
These shellcodes are provided with documentation.
In order to run these shellcodes, the following dependencies are required:
Shellcodecs is a collection of shellcodes, loaders, sources, and generators designed to ease the exploitation and shellcode programming process.
Unless otherwise noted, code is amd64. There are various intel32 etc examples as well. If you think you may have an out of date version, or that the official version is out-of-sync with the site, the latest sources will be available 100% of the time in the shellcode appendix.
Contents
Loaders
- 32-bit executable mmap-based shellcode loader 66 bytes (loader-32.s) (Docs)
- 64-bit executable mmap-based shellcode loader 79 bytes (loader-64.s) (Docs)
- A dynamic loader for locally executable code in C (dynamic-loader.c)
- A dynamic loader for remotely executable code (socket-loader.c)
Tools
- Nicely output shellcode in a variety of formats (shellcode-generator.py)
- Hash-generator for self-linking shellcode 81 bytes (hash-generator.s)
- Socket-reuse shellcode generator (socket-reuse-generator.py)
- Polymorphic socket reuse generator (poly-socket-reuse-generator.py)
- Sends socket reuse shellcode (socket-reuse.c)
- 32-bit shellcode packer 37 bytes (packer-32.s) (Docs)
- 64-bit shellcode packer 55 bytes (packer-64.s) (Docs)
- ELF64 symbol table parser 188 bytes (elf64-parser.s) (Docs)
Payloads
- Short unlinked 64-bit null-free setuid(0); execve('/bin/sh',0,0); 32 bytes (setuid_binsh.s) (Docs)
- Small unlinked 32-bit null-free write-to-file payload 90 bytes (write-file-32.s) (Docs)
- Null-free unlinked same-socket-shell payload 115 bytes (socket-reuse.s) (Docs)
- Alphanumeric amd64 execve('/bin/sh',0,0) 104 bytes (ascii_binsh.s) (Docs)
- Null-free dynamic ELF64 exit code 135 bytes (linked-exit.s) (Docs)
- Null-free dynamic ELF64 socket reuse shellcode 268 bytes (linker-fd-reuse.s) (Docs)
- Null-free polymorphic dynamic ELF64 socket reuse shellcode 268 bytes (poly-linker-fd-reuse.s)
Stubs
- A 32-bit getpc (%eax) example 11 bytes (getpc-32.s) (Docs)
- A 64-bit getpc (%rax) example 12 bytes (getpc-64.s) (Docs)
- Alternative 64-bit getpc 10 bytes (getpc-64-alt.s) (Docs)
- Int3 detection code 24 bytes (int3-detect-64.s) (Docs)
- 32-bit lastcall example code 4 bytes (lastcall-32.s) (Docs)
- 64-bit lastcall example code 5 bytes (lastcall-64.s) (Docs)
- 64-bit alphanumeric lastcall example code 13 bytes (lastcall-alphanum.s) (Docs)
- Alphanumeric x86* compatible getCPU 15 bytes (architecture_detection) (Docs)
- 32-bit shellcode unpacker 89 bytes (decoder-32.s) (Docs)
- 64-bit shellcode unpacker (mmap) 102 bytes (decoder-64.s) (Docs)
- 64-bit shellcode unpacker 69 bytes (decoder-64.s) (Docs)
Building the code
- tar xzvf shellcode.tgz
- cd shellcode
- make
It is also possible to make exclusively x86 or x64 binaries using make x86 or make x64. Please keep in mind, there is more support for 64-bit in this package than 32-bit.
Using the tools
[loaders] [generators]
Getting help
|
If you're using the tools and there's a problem, try re-reading the documentation before asking a question. If you're absolutely sure it is programmatical error and not user error preventing the code from working properly, you can let us know by joining our IRC or talking on the shellcode talk page.
