Probando shellcodes

Pues hoy vengo con poca cosa, andaba escribiendo algo para pasar el rato... un programilla para probar shellcodes ¿porque no?

Y este es el resultado [ shellcode_tester.c ] o al final coloreado con Pygments

La compilacion es simple, solo hay que hacer gcc shellcode_tester.c -o shellcode_tester

Las opciones al lanzarlo son: ./shellcode_tester [-nv] [-nw] [-nr] [-f ] -nv: No verbose (no se imprimira nada por pantalla)[--no-verbose] -nw: No write (no se permitira escribir en la memoria del shellcode)[--no- write] -nr: No read (no se permitira leer la memoria del shellcode)[--no-read] -f: Introduce el shellcode a traves de un archivo

Mas o menos, usarlo seria algo asi: kenkeiras@viaxante:~/%%%%%$ ./shellcode_tester Shellcode Tester

Introduce el shellcode: \x31\xdb\x8d\x43\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\x31\xc0\x40\xcd\x80

Ejecutando Shellcode... [36] $ echo "Esto es otra shell :D}" Esto es otra shell :D} $ kenkeiras@viaxante:~/%%%%%$

/*

  • Shellcode Tester (Yet Another Shellcode Tester)

  • Copyright (c) 2010 Kenkeiras

*

  • DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE

  • Version 2, December 2004

*

*

  • Everyone is permitted to copy and distribute verbatim or modified

  • copies of this license document, and changing it is allowed as long

  • as the name is changed.

*

  • DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE

  • TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

*

    1. You just DO WHAT THE FUCK YOU WANT TO.

*

*

*/

include

include

include

include

define max_size 1024 //Caracteres maximos para el shellcode

// Como (sh en Gnu/Linux de 32 bits)

/ / \x31\xdb\x8d\x43\x17\xcd\x80\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x8d\x42\x0b\xcd\x80\x31\xc0\x40\xcd\x80

char *scs = NULL;

char *sc = NULL;

char a2h(char c){

char r;

if (c>'9'){

   if (c>'Z')



       r=c-0x57;

   else

       r=c-0x37;

}

else

   r=c-0x30;

return r;

}

// Formas de leer los shellcode

// \x99\xAA\xaa (\x)

int bar_hexa(char in,char out){

char curr;

int i,r=-1,len=0;

for (i=0; (i < max_size) && in[i] != '\0'; i++){

   if((r == 2) || ((in[i] == '\\') && (r > 0))){



       r =- 1;

       out[len] = curr;



       len++;



   }

   if(in[i] == '\n'){



       break;

   }

   else if (in[i] == '\r'){



       continue;

   }

   else if (in[i] == 'x'){



       r = 0;

   }

   else if(r >- 1){



       if (r == 0){

           curr = a2h(in[i])*16;



       }

       else{

           curr = a2h(in[i]) + curr;



       }

       r++;

   }

}

return len;

}

// Escrito directamente

int raw_bin(char in,char out){

int i,len=strlen(in);

for (i = 0;i < len;i++){

   out[i] = in[i];

}

return len;

}

int main(int argc,char **argv){

FILE *f = stdin;

char verbose = 1;

char stack_write = 1;

char stack_read = 1;

int i,len,r;

sc=malloc(max_size+1);

if (argc>1){

   for (i=1;i<argc;i++){



       if ((strcmp(argv[i],"-nv") == 0) && (strcmp(argv[i],"--no-

verbose") == 0)){

           verbose = 0;

       }

       else if ((strcmp(argv[i],"-f") == 0) && ((i+1)<argc) ){



           f = fopen(argv[i+1],"r");

           i++;



       }

       else if ((strcmp(argv[i],"-nw") == 0) && (strcmp(argv

[i],"--no-write") == 0)){

           stack_write = 0;

       }

       else if ((strcmp(argv[i],"-nr") == 0) && (strcmp(argv

[i],"--no-read") == 0)){

           stack_read = 0;

       }

       else{

           printf("Uso: ./shellcode_tester [-nv] [-nw] [-nr] [-

f ]\n");

           printf("-nv: No verbose (no se imprimira nada por pantalla)[--

no-verbose]\n");

           printf("-nw: No write (no se permitira escribir en la memoria

del shellcode)[--no-write]\n");

           printf("-nr: No read (no se permitira leer la memoria del

shellcode)[--no-read]\n");

           printf("-f: Introduce el shellcode a traves de un archivo\n");

       }

   }

}

int PROT_MODE = PROT_EXEC|PROT_NONE ;

if (stack_write){

   PROT_MODE |= PROT_WRITE;

}

if (stack_read){

   PROT_MODE |= PROT_READ;

}

if (verbose){

   printf("\tShellcode Tester\n\n");

   printf("Introduce el shellcode: ");

}

char s = malloc((max_size4)+1);

  fgets(s,max_size*4,f);

r=-1;

len = bar_hexa(s,sc);

if (len < (strlen(s)/4)){

   len = raw_bin(s,sc);

}

free(s);

scs=mmap(0,len+1,PROT_MODE, MAP_ANONYMOUS | MAP_SHARED, -1, 0);

for (i=0;i<len;i++){

   scs[i]=sc[i];

}

free(sc);

if (verbose){

   printf("\nEjecutando Shellcode… [%i]\n",len);

}

((void()()) scs)();

if (verbose){

    printf("Fin del Shellcode\n");

}

return 0;

}

Hasta otra

untagged

Introduccion a la criptografia, con Python: AES (IV) » « Introduccion a la criptografia, con Python: ElGamal (V -1 )