TEAM TESO shellkit - your complete shellcode toolkit
====================================================
preliminary README file
Conditions and rules to be obeyed by the shellcodes
===================================================
To construct generic shellcodes one has to state the exact details and
requirements of each shellcode. The list below is what every shellcode within
the shellkit has to obey.
Conditions the shellcode encounters:
- Shellcode memory itself is writeable
- No register being properly set except the stack pointer
Requirements to the shellcode:
- Do not contain NUL (0x00), line-termination (0x0a, 0x0d) and
format-directive (0x25 = '%') bytes
- Do not expect to be terminated by a NUL ('\0') character
- Working on heap and stack (i.e. any writeable and executable memory)
Suggestions (i.e. should be ...):
- Well tested on the most common systems to be expected on the
architecture the shellcode runs on (i.e. Solaris 2.[5678] on sparc,
IRIX 5.3, 6.[2345] on mips)
- Optimized for (in order of importance): stability, size
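As an added illustration (not code from the shellkit itself), a small C check that scans a candidate buffer for the four byte values the requirements above forbid and reports the first offending offset and the rule it violates. The sample buffers are constructed for the demo and are not shellcode:

```c
#include <stddef.h>
#include <stdio.h>

/* Byte values the README forbids in every shellkit shellcode. */
#define SK_NUL 0x00 /* NUL, terminates C strings */
#define SK_LF  0x0a /* line termination */
#define SK_CR  0x0d /* line termination */
#define SK_PCT 0x25 /* '%', a format directive */

/* Returns a short name for a forbidden byte, or NULL if the byte is allowed. */
const char *sk_forbidden_reason(unsigned char b)
{
    switch (b) {
    case SK_NUL: return "NUL (0x00)";
    case SK_LF:  return "line termination (0x0a)";
    case SK_CR:  return "line termination (0x0d)";
    case SK_PCT: return "format directive (0x25)";
    default:     return NULL;
    }
}

/* Scans buf[0..len) and returns the offset of the first forbidden byte,
 * or -1 when the buffer satisfies the byte rules. If reason is non-NULL
 * it receives the violated rule (or NULL when the buffer is clean). */
long sk_check_bytes(const unsigned char *buf, size_t len, const char **reason)
{
    for (size_t i = 0; i < len; i++) {
        const char *r = sk_forbidden_reason(buf[i]);
        if (r != NULL) {
            if (reason) *reason = r;
            return (long)i;
        }
    }
    if (reason) *reason = NULL;
    return -1;
}

int main(void)
{
    /* Constructed sample buffers, not shellcode. */
    static const unsigned char clean[] = { 0x41, 0x42, 0x43, 0x44 };
    static const unsigned char bad[]   = { 0x41, 0x25, 0x73, 0x00 };
    const char *why;
    long off;

    off = sk_check_bytes(clean, sizeof clean, &why);
    printf("clean buffer: %s\n", off < 0 ? "ok" : why);
    off = sk_check_bytes(bad, sizeof bad, &why);
    printf("bad buffer: offset %ld violates %s\n", off, why);
    return 0;
}
```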
Types of shellcodes to create
=============================
This is a UNIX listing, since most shellcodes are not doable on Windows, so
this listing is for Unix derivatives only. For the "configurable" values of the
shellcodes there are setup functions to set the values within the shellcode.
The listing is split into three different categories: chainables, local and
remote. The chainable codes work as stubs to prepend to other shellcodes.
This is done to change certain settings in the environment, such as getting rid
of chroot, certain uids and the like. The local shellcodes are for use in
locally exploitable vulnerabilities, while the remote shellcodes are designed to
assist you with remote exploitation over the network.
Chainables (6 codes)
--------------------
Chainable shellcodes should not influence the processing of the following
shellcode in violation of the conditions above.
- chrootbreak, which breaks out of a chroot environment if possible on that
architecture (using the best and most promising method)
- read(fd, behind-myself, len), which reads len bytes from fd to behind itself
and executes them. On certain architectures special considerations for
cache problems have to be obeyed
- setreuid(?,?), which sets the (e)uid to a configurable value
- setgid(?), which sets the gid to a configurable value
- spset, which sets the stack pointer before the shellcode
- nop shellcode (see below for description)
The "nop shellcode" is actually a function that will create a variable amount
of nop space which is not just one opcode but a mix. This is done to evade IDS
systems. The generated nop-code should behave the same way a normal chainable
shellcode would (i.e. not violating the conditions of the shellcode).
Local (2 codes)
---------------
- chmod/chown/exit, which chowns and chmods a pathname of your choice, then
exits
- execve-sh, which executes a /bin/sh
- exit, which will just exit with an undetermined exit code
Remote (2 codes)
----------------
- portshell-sh, which listens on a definable port and executes a /bin/sh
once a connection is received
- connect-sh, which connects to a definable ip and port and executes a
/bin/sh once it is connected
Architectures
=============
arch     os               person(s)
-------  ---------------  -----------------------------------------
HPPA     HP-UX            caddis
MIPS     IRIX             scut
RS6000   AIX              edi
SPARC    Solaris          caddis, skyper
x86      Solaris          plasmoid
x86      Windows NT       halvar
x86      Linux            lorian, smiler
x86      *BSD             dvorak, smiler
-------  ---------------  -----------------------------------------
Developing
==========
Please include all custom build utilities, Makefiles (!) and maybe specific
README files in the appropriate directory, so other people can join the fun or
modify the codes at source level.
Testing
=======
The shellcodes have to be tested thoroughly and on as many different systems as
possible.
Naming
======
Code Strings
<arch>-<os>-<code>
arch is one of:
hppa
mips
rs6000
sparc
x86
os is one of:
aix
bsd
hpux
irix
linux
solaris
windowsnt
code is one of:
chmod
chroot
connectsh
execvesh
exit
portshellsh
read
setreuid
setgid
spset
Example: The portshell shellcode for the MIPS architecture under the IRIX
operating system would be identified as "mips-irix-portshellsh".
Additional information
======================
Please use the included 'splocoder' utility to dump important system
information of the various architectures. Documentation of what the fields
mean and how they can be used will follow. Soon.
Credits
=======
This shellcode toolkit is the result of the hard work of numerous persons; here
is a list of the persons involved.
XXX/TODO: update, add missing persons
acpizer - splocoder
lorian - x86 linux/bsd codes
palmers - x86 linux codes
scut - mips irix, hppa hpux codes, framework and docs
smiler - x86 bsd codes
stealth - x86 bsd codes
==
vi:fo=tcrq:tw=79: