From c2cefeadb40edfa6dfa04b80686540dff6814f19 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Wed, 12 Jul 2017 15:32:57 +0530 Subject: [PATCH 01/24] test --- core/start.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/core/start.py b/core/start.py index b0c96b7..f64f2d4 100644 --- a/core/start.py +++ b/core/start.py @@ -16,7 +16,7 @@ def logo(): - print(color.color('red') + ''' + print(color.color('blue') + ''' ______ __ _____ _____ ______ _____ _____ / __ \ \ / /\ / ____| __ \ |___ // ____|/ ____| | | | \ \ /\ / / \ | (___ | |__) | / /| (___ | | From dc546730b7f0a709f7cfa7a86ed506ef566d6b5a Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Fri, 14 Jul 2017 20:49:30 +0530 Subject: [PATCH 02/24] Encoding for osx_x86 "exec" shellcode. --- core/commands.py | 5 ++--- core/encode.py | 4 ++++ core/start.py | 2 +- lib/encoder/osx_x86/__init__.py | 10 ++++++++++ 4 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 lib/encoder/osx_x86/__init__.py diff --git a/core/commands.py b/core/commands.py index f95a861..29de2e6 100644 --- a/core/commands.py +++ b/core/commands.py @@ -109,9 +109,8 @@ }, 'osx_x86': #generate sub command - os name { - 'exec': {'file_to_execute': ['none']}, #function of shellcode - 'system': - {'command_to_execute': ['none']}, #function of shellcode + 'exec': {'file_to_execute': ['none', 'add_random']}, #function of shellcode + 'system':{'command_to_execute': ['none']}, #function of shellcode 'chmod': {'file_to_perm&&perm_number': ['none']}, # function of shellcode }, diff --git a/core/encode.py b/core/encode.py index 54d09ca..512a776 100644 --- a/core/encode.py +++ b/core/encode.py @@ -76,4 +76,8 @@ def encode_process(encode, shellcode, os, func): elif 'sub_' in encode: from lib.encoder.windows_x86.sub_yourvalue import start return start(encode, shellcode, func) + elif 'osx_x86' == os: + if encode == 'add_random': + from lib.encoder.osx_x86.add_random import start + return start(shellcode, func) return shellcode 
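Review bot: The new `elif 'osx_x86' == os:` branch comes after encode-name tests such as `elif 'sub_' in encode:` that import from `lib.encoder.windows_x86`, so an osx_x86 request whose encode name matches one of those earlier tests would be routed to the Windows encoder before this branch is reached. The head of the chain is outside the hunk, so this only bites if those earlier branches are not already guarded by an `os` test; if they are not, dispatch on `os` first and on `encode` inside each arm. A docstring on `encode_process` naming the `(encode, shellcode, os, func)` contract and the fall-through `return shellcode` would also help, since an unrecognised encoder name currently yields unencoded shellcode silently. encode_process begins outside the hunk.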
diff --git a/core/start.py b/core/start.py index f64f2d4..b0c96b7 100644 --- a/core/start.py +++ b/core/start.py @@ -16,7 +16,7 @@ def logo(): - print(color.color('blue') + ''' + print(color.color('red') + ''' ______ __ _____ _____ ______ _____ _____ / __ \ \ / /\ / ____| __ \ |___ // ____|/ ____| | | | \ \ /\ / / \ | (___ | |__) | / /| (___ | | diff --git a/lib/encoder/osx_x86/__init__.py b/lib/encoder/osx_x86/__init__.py new file mode 100644 index 0000000..8c5a4c2 --- /dev/null +++ b/lib/encoder/osx_x86/__init__.py @@ -0,0 +1,10 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' + +pass From b7a59bfdcac9d95d55c5219e97c002c8684cdd63 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Fri, 14 Jul 2017 20:51:55 +0530 Subject: [PATCH 03/24] add the encoding for "exec" job --- lib/encoder/osx_x86/add_random.py | 57 +++++++++++++++++++++++++++++++ 1 file changed, 57 insertions(+) create mode 100644 lib/encoder/osx_x86/add_random.py diff --git a/lib/encoder/osx_x86/add_random.py b/lib/encoder/osx_x86/add_random.py new file mode 100644 index 0000000..862716a --- /dev/null +++ b/lib/encoder/osx_x86/add_random.py 
@@ -0,0 +1,57 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import random, binascii, string +from core.compatible import version +_version = version() +chars = string.digits + string.ascii_letters + +def start(shellcode, job): + if "exec" == job: + t = True + eax = str('0x3b') + while t: + if _version is 2: + eax_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(1))) + if _version is 3: + eax_1 = (binascii.b2a_hex((''.join(random.choice(chars) for i in range(1))).encode('latin-1'))).decode('latin-1') + eax_1 = str('0') + str(eax_1[1]) + eax_2 = "%x" % (int(eax, 16) - int(eax_1, 16)) + if eax > eax_1: + if '00' not in str(eax_1) and '00' not in str(eax_2): + t = False + + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_add = 'push $0x%s\npop %%eax\nneg %%eax\nadd $0x%s,%%eax\n' % (eax_2, eax_1) + + if A is 0: + eax_add = 'push $0x%s\npop %%eax\nadd $0x%s,%%eax\n' % (eax_2,eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_add) + + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len(line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars)for i in range(4))) + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice(chars) for i in range(4))).encode('latin-1'))).decode('latin-1') + ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16)) + if str('00') not in str(ebx_1) and str('00') not in str(ebx_2) and '-' in ebx_2 and len(ebx_2.replace('-', '')) >= 7 and len(ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % 
(str(ebx_1), str(ebx_2))
+ shellcode = shellcode.replace(line, command)
+ t = False
+ return shellcode
+
From 7cf3073e30077f44b4268a7b582e41060b986550 Mon Sep 17 00:00:00 2001
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 16:53:36 +0530
Subject: [PATCH 04/24] add random encoding for "system" job
---
 core/commands.py | 2 +-
 lib/encoder/osx_x86/add_random.py | 24 +++++++++++++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/core/commands.py b/core/commands.py
index 29de2e6..18ec971 100644
--- a/core/commands.py
+++ b/core/commands.py
@@ -110,7 +110,7 @@
 'osx_x86': #generate sub command - os name
 {
 'exec': {'file_to_execute': ['none', 'add_random']}, #function of shellcode
- 'system':{'command_to_execute': ['none']}, #function of shellcode
+ 'system':{'command_to_execute': ['none', 'add_random']}, #function of shellcode
 'chmod': {'file_to_perm&&perm_number': ['none']}, # function of shellcode
 },
diff --git a/lib/encoder/osx_x86/add_random.py b/lib/encoder/osx_x86/add_random.py
index 862716a..db36c52 100644
--- a/lib/encoder/osx_x86/add_random.py
+++ b/lib/encoder/osx_x86/add_random.py
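Review bot: `if _version is 2:` / `if _version is 3:` compare an int by identity; that only works because CPython caches small ints and is a SyntaxWarning from 3.8 on, so use `if _version == 2:`. `if eax > eax_1:` compares the strings `'0x3b'` and `'0a'`..`'0f'` lexicographically rather than numerically, and since `eax_1` is at most 0x0f the subtraction can never go negative, which makes the `'-' in eax_2` / `neg %eax` path dead and the unused `eax = 'push $%s' % ...` assignment noise. The rewrite of `mov $0x3b,%al` into `push/pop %eax; add ...,%eax` writes all of eax rather than al, which is correct only if the stub zeroes eax beforehand — that is not visible here and deserves a comment. A module docstring stating that the encoder rewrites each `push $imm32` line into a `push/pop/neg/add` pair chosen so that neither immediate contains a zero byte would make the filter conditions readable.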
@@ -53,5 +53,27 @@ def start(shellcode, job): command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (str(ebx_1), str(ebx_2)) shellcode = shellcode.replace(line, command) t = False + if 'system' == job: + + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len(line) > 14: + # print(line) + data = line.rsplit('push')[1].rsplit('$0x')[1] + # print(data) + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars)for i in range(4))) + + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(4))).encode('latin-1')) + ).decode('latin-1') + if data= 7 and len(ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % (str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False return shellcode - From 9f944f39e14d4057f6b255b3e7f72f40de7dd3f9 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 17:07:11 +0530 Subject: [PATCH 05/24] add_yourvalue encode for osx_x86 exec job --- core/commands.py | 4 +- core/encode.py | 3 ++ lib/encoder/osx_x86/add_yourvalue.py | 58 ++++++++++++++++++++++++++++ 3 files changed, 63 insertions(+), 2 deletions(-) create mode 100644 lib/encoder/osx_x86/add_yourvalue.py diff --git a/core/commands.py b/core/commands.py index 18ec971..3969e7d 100644 --- a/core/commands.py +++ b/core/commands.py 
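Review bot: The `system` branch repeats the per-`push` loop of the `exec` branch almost line for line; move it into a helper such as `def _encode_push_lines(shellcode):` and call it from both jobs so a fix to the null-byte filter lands in one place. The commented-out `# print(line)` / `# print(data)` debug lines should be removed before merge. The condition rendered here as `if data= 7 and len(ebx_1) >= 7 ...` looks truncated in this view, so the actual filter could not be checked; please confirm it matches the `exec` branch's `'00' not in ... and '-' in ebx_2` test. start() begins outside the hunk.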
@@ -109,8 +109,8 @@
 },
 'osx_x86': #generate sub command - os name
 {
- 'exec': {'file_to_execute': ['none', 'add_random']}, #function of shellcode
- 'system':{'command_to_execute': ['none', 'add_random']}, #function of shellcode
+ 'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue']}, #function of shellcode
+ 'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue']}, #function of shellcode
 'chmod': {'file_to_perm&&perm_number': ['none']}, # function of shellcode
 },
diff --git a/core/encode.py b/core/encode.py
index 512a776..2e80519 100644
--- a/core/encode.py
+++ b/core/encode.py
@@ -80,4 +80,7 @@ def encode_process(encode, shellcode, os, func):
 if encode == 'add_random':
 from lib.encoder.osx_x86.add_random import start
 return start(shellcode, func)
+ elif encode =='add_yourvalue':
+ from lib.encoder.osx_x86.add_yourvalue import start
+ return start(encode, shellcode, func)
 return shellcode
diff --git a/lib/encoder/osx_x86/add_yourvalue.py b/lib/encoder/osx_x86/add_yourvalue.py
new file mode 100644
index 0000000..a2e9f82
--- /dev/null
+++ b/lib/encoder/osx_x86/add_yourvalue.py
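Review bot: `elif encode =='add_yourvalue':` only matches the option's placeholder name, but the encoder it dispatches to reads its value with `type.rsplit('add_')[1][2:]`, i.e. it expects something like `add_0x41424344`; a real value never equals `'add_yourvalue'`, and the placeholder itself would make `int('urvalue', 16)` raise. The Windows branch visible earlier in this function uses `'sub_' in encode`; the matching form here is `elif encode.startswith('add_'):` placed after the exact `add_random` test. encode_process begins outside the hunk.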
@@ -0,0 +1,58 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' + +def start(type, shellcode, job): + if "exec" == job: + value = str(type.rsplit('add_')[1][2:]) + t = True + eax = str('0x3b909090') + eax_1 = value + eax_2 = "%x" % (int(eax, 16) - int(eax_1, 16)) + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_add = 'push $0x%s\npop %%eax\nneg %%eax\nadd $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + + if A is 0: + eax_add = 'push $0x%s\npop %%eax\nadd $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_add) + A = 0 + for line in shellcode.rsplit('\n'): + if '_z3r0d4y_' in line: + A = 1 + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14 and A is 1: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16)) + + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nadd %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + shellcode = shellcode.replace('_z3r0d4y_', '') + + if "system" == job: + + + + + + + return shellcode \ No newline at end of file From 088d6be9a4e208358e65ae765023fc8b52d56f73 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 17:14:39 +0530 Subject: [PATCH 06/24] add_yourvalue osx_x86 system job --- lib/encoder/osx_x86/add_yourvalue.py | 24 +++++++++++++++++++----- 1 file changed, 19 insertions(+), 5 deletions(-) 
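Review bot: In the `exec` branch the `while t:` retry loop contains nothing that changes between iterations — `ebx_1 = value` is the user's fixed value — so whenever that value fails the `'00' not in ...` / `len(...) >= 7` filter for some push line the loop never terminates; replace it with a single check that raises (or returns the shellcode unencoded with a message) when the value is unusable. The `int(eax_1, 16)` / `int(ebx_1, 16)` conversions of the user-supplied value are not validated, so `add_0xzz` dies with an unhandled ValueError, and `eax_2 = "%x" % (int(eax, 16) - int(eax_1, 16))` is not reduced modulo 2**32, so a large value produces a 9-digit immediate. The `if "system" == job:` block has no body in this commit, so the file does not parse until the next patch. `type` shadows the builtin and would read better as `encode`; a docstring naming the expected `add_0x<hex>` argument format would also help.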
diff --git a/lib/encoder/osx_x86/add_yourvalue.py b/lib/encoder/osx_x86/add_yourvalue.py index a2e9f82..3099651 100644 --- a/lib/encoder/osx_x86/add_yourvalue.py +++ b/lib/encoder/osx_x86/add_yourvalue.py @@ -49,10 +49,24 @@ def start(type, shellcode, job): shellcode = shellcode.replace('_z3r0d4y_', '') if "system" == job: + value = str(type.rsplit('add_')[1][2:]) + + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) - int(ebx_1, 16)) + A = 0 + if str('-') in str(ebx_2): + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nneg %%eax\nadd %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + A = 1 + if A is 0: + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nadd %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) - - - - - + return shellcode \ No newline at end of file From 27b7fe66d8b13943496c07cf28f4c78b09f6b7d4 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 19:01:40 +0530 Subject: [PATCH 07/24] add dec encode for osx_x86 for exec and system jobs --- core/commands.py | 4 ++-- core/encode.py | 6 ++++++ lib/encoder/osx_x86/dec.py | 40 ++++++++++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 lib/encoder/osx_x86/dec.py diff --git a/core/commands.py b/core/commands.py index 3969e7d..cdb673e 100644 --- a/core/commands.py +++ b/core/commands.py 
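Review bot: The `system` branch writes `ebx_1` and `ebx_2` straight into `push $0x...` without the `'00' not in ...` test the `exec` branch applies, so a value that contains a zero byte, or whose difference `int(data, 16) - int(ebx_1, 16)` does, is emitted as-is and the point of the encoding (a null-free payload) is lost; apply the same filter here and fail loudly when it does not hold. The difference is also not masked to 32 bits, so a result outside 0..0xffffffff yields an invalid immediate even when the `neg` path is taken; `(int(data, 16) - int(ebx_1, 16)) & 0xffffffff` would make the `neg` variant unnecessary. start() begins outside the hunk.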
@@ -109,8 +109,8 @@
 },
 'osx_x86': #generate sub command - os name
 {
- 'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue']}, #function of shellcode
- 'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue']}, #function of shellcode
+ 'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant']}, #function of shellcode
+ 'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant']}, #function of shellcode
 'chmod': {'file_to_perm&&perm_number': ['none']}, # function of shellcode
 },
diff --git a/core/encode.py b/core/encode.py
index 2e80519..866ee19 100644
--- a/core/encode.py
+++ b/core/encode.py
@@ -83,4 +83,10 @@ def encode_process(encode, shellcode, os, func):
 elif encode =='add_yourvalue':
 from lib.encoder.osx_x86.add_yourvalue import start
 return start(encode, shellcode, func)
+ elif encode == 'dec':
+ from lib.encoder.osx_x86.dec import start
+ return start(shellcode, func)
+ elif encode == 'dec_timesyouwant':
+ from lib.encoder.osx_x86.dec_timesyouwant import start
+ return start(encode, shellcode, func)
 return shellcode
diff --git a/lib/encoder/osx_x86/dec.py b/lib/encoder/osx_x86/dec.py
new file mode 100644
index 0000000..567bf94
--- /dev/null
+++ b/lib/encoder/osx_x86/dec.py
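Review bot: `elif encode == 'dec_timesyouwant':` matches only the option's placeholder name, while the dec_timesyouwant module (added in the following patch of this series) reads its count with `int(type.rsplit('dec_')[1])`, so a real argument such as `dec_3` never reaches this branch and the placeholder itself makes `int('timesyouwant')` raise ValueError. Test the prefix after the exact `dec` case instead: `elif encode.startswith('dec_'):`. The module is imported here before it exists in the tree, so selecting the option in this commit raises ImportError. encode_process begins outside the hunk.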
@@ -0,0 +1,40 @@
+def start(shellcode, job):
+ if "exec" == job:
+ t = True
+ eax = str('0x3b909090')
+ eax_2 = "%x" % (int(eax, 16) + int('0x01', 16))
+ A = 0
+ eax = 'push $%s' % (str(eax))
+ if '-' in eax_2:
+ A = 1
+ eax_2 = eax_2.replace('-', '')
+ eax_add = 'push $0x%s\npop %%eax\ndec %%eax\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+ eax_2)
+
+ if A is 0:
+ eax_add = 'push $0x%s\npop %%eax\ndec %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+ eax_2)
+ shellcode = shellcode.replace('mov $0x3b,%al', eax_add)
+
+ A = 0
+ for line in shellcode.rsplit('\n'):
+ if '_z3r0d4y_' in line:
+ A = 1
+ if 'push' in line and '$0x' in line and ',' not in line and len(
+ line) > 14 and A is 1:
+ data = line.rsplit('push')[1].rsplit('$0x')[1]
+ ebx_2 = "%x" % (int(data, 16) + int('0x01', 16))
+ command = '\npush $0x%s\npop %%ebx\ndec %%ebx\npush %%ebx\n' % (
+ str(ebx_2))
+ shellcode = shellcode.replace(line, command)
+ shellcode = shellcode.replace('_z3r0d4y_', '')
+
+ if "system" == job:
+ for line in shellcode.rsplit('\n'):
+ if 'push' in line and '$0x' in line and ',' not in line and len(
+ line) > 14:
+ data = line.rsplit('push')[1].rsplit('$0x')[1]
+ ebx_2 = "%x" % (int(data, 16) + int('01', 16))
+ command = '\npush $0x%s\npop %%eax\ndec %%eax\npush %%eax\n' % (str(ebx_2))
+ shellcode = shellcode.replace(line, command)
+ return shellcode
\ No newline at end of file
From c601a9ae65f50fbee65a0cc0458ef798440d2ff6 Mon Sep 17 00:00:00 2001
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 19:50:45 +0530
Subject: [PATCH 08/24] dec_timesyouwant encode for osx_x86 for exec and system
---
 lib/encoder/osx_x86/dec_timesyouwant.py | 55 +++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 lib/encoder/osx_x86/dec_timesyouwant.py
diff --git a/lib/encoder/osx_x86/dec_timesyouwant.py b/lib/encoder/osx_x86/dec_timesyouwant.py
new file mode 100644
index 0000000..a8e9e5a
--- /dev/null
+++ b/lib/encoder/osx_x86/dec_timesyouwant.py
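Review bot: Neither branch checks the adjusted immediate for zero bytes: `ebx_2 = "%x" % (int(data, 16) + int('0x01', 16))` turns a push whose low byte is 0xff into one ending in 0x00 (and 0xffffffff into a 9-digit value), yet it is written straight into `push $0x%s`; the random encoders in this series filter with `'00' not in ebx_2`, and this one should at least apply the same test and refuse the line. The `if '-' in eax_2:` / `neg %eax` branch in `exec` is dead because `0x3b909090 + 1` cannot be negative, `t = True` is unused, and `int('0x01', 16)` versus `int('01', 16)` is the same constant spelled two ways. The file lacks the OWASP header docstring the other encoder modules carry and a docstring stating that `exec` rewrites `mov $0x3b,%al` into a `push/pop/dec/shr` sequence while both jobs rewrite each `push $imm32` line into `push/pop/dec/push`.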
@@ -0,0 +1,55 @@ +def start(type, shellcode, job): + if "exec" == job: + times = int(type.rsplit('dec_')[1]) + t = True + eax_2, eax = str('0x3b909090'), str('0x3b909090') + n = 0 + while n < times: + eax_2 = "%x" % (int(eax_2, 16) + int('0x01', 16)) + n += 1 + dec = 'dec %eax\n' * n + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_add = 'push $0x%s\npop %%eax\n%s\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, dec) + + if A is 0: + eax_add = 'push $0x%s\npop %%eax\n%s\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, dec) + shellcode = shellcode.replace('mov $0x3b,%al', eax_add) + + A = 0 + for line in shellcode.rsplit('\n'): + if '_z3r0d4y_' in line: + A = 1 + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14 and A is 1: + ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1] + n = 0 + while n < times: + ebx_2 = "%x" % (int(ebx_2, 16) + int('0x01', 16)) + n += 1 + dec = 'dec %ebx\n' * n + command = '\npush $0x%s\npop %%ebx\n%s\npush %%ebx\n' % ( + str(ebx_2), dec) + shellcode = shellcode.replace(line, command) + shellcode = shellcode.replace('_z3r0d4y_', '') + if "system" == job: + times = int(type.rsplit('dec_')[1]) + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1] + n = 0 + while n < times: + ebx_2 = "%x" % (int(ebx_2, 16) + int('01', 16)) + n += 1 + dec = 'dec %eax\n' * n + command = '\npush $0x%s\npop %%eax\n%spush %%eax\n' % ( + str(ebx_2), str(dec)) + shellcode = shellcode.replace(line, command) + + return shellcode \ No newline at end of file From 7fd4267700bcd505ce71b24c18e02439ed70f4c1 Mon Sep 17 00:00:00 2001 
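Review bot: `times = int(type.rsplit('dec_')[1])` accepts any integer: a zero or negative count leaves `eax_2` untouched and emits no `dec`, so the shellcode is returned unchanged while the caller believes it was encoded, and a huge count inflates every push by `times` instructions; validate `1 <= times` with a sane upper bound and raise on anything else. The `while n < times` loops only add `times`, so `eax_2 = "%x" % (int(eax, 16) + times)` with `dec = 'dec %eax\n' * times` says the same thing directly, and as in dec.py the result should be masked to 32 bits and checked for `'00'` before it becomes a `push $0x...` immediate. A one-line docstring naming the expected `dec_<N>` argument format would help, since encode.py currently matches this encoder by a different string.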
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 19:58:12 +0530
Subject: [PATCH 09/24] add template for all encodings
---
 core/commands.py | 4 ++--
 core/encode.py | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/core/commands.py b/core/commands.py
index cdb673e..81543b1 100644
--- a/core/commands.py
+++ b/core/commands.py
@@ -109,8 +109,8 @@
 },
 'osx_x86': #generate sub command - os name
 {
- 'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant']}, #function of shellcode
- 'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant']}, #function of shellcode
+ 'exec': {'file_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant', 'inc', 'inc_timesyouwant', 'sub_random', 'sub_yourvalue', 'xor_random', 'xor_yourvalue']}, #function of shellcode
+ 'system':{'command_to_execute': ['none', 'add_random', 'add_yourvalue', 'dec', 'dec_timesyouwant', 'inc_timesyouwant', 'inc','sub_random', 'sub_yourvalue', 'xor_random', 'xor_yourvalue']}, #function of shellcode
 'chmod': {'file_to_perm&&perm_number': ['none']}, # function of shellcode
 },
diff --git a/core/encode.py b/core/encode.py
index 866ee19..2030109 100644
--- a/core/encode.py
+++ b/core/encode.py
@@ -89,4 +89,22 @@ def encode_process(encode, shellcode, os, func):
 elif encode == 'dec_timesyouwant':
 from lib.encoder.osx_x86.dec_timesyouwant import start
 return start(encode, shellcode, func)
+ elif encode == 'inc':
+ from lib.encoder.osx_x86.inc import start
+ return start(shellcode, func)
+ elif 'inc_timesyouwant' in encode:
+ from lib.encoder.osx_x86.inc_timesyouwant import start
+ return start(encode, shellcode, func)
+ elif encode == 'sub_random':
+ from lib.encoder.osx_x86.sub_random import start
+ return start(shellcode, func)
+ elif 'sub_yourvalue' in encode:
+ from lib.encoder.osx_x86.sub_yourvalue import start
+ return start(encode, shellcode, func)
+ elif encode == 'xor_random':
+ from lib.encoder.osx_x86.xor_random import start
+ return start(shellcode, func)
+ elif 'xor_' in encode:
+ from lib.encoder.osx_x86.xor_yourvalue import start
+ return start(encode, shellcode, func)
 return shellcode
From 8102e9de2a752cad61a34d1437fb880eae91ab38 Mon Sep 17 00:00:00 2001
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 20:03:33 +0530
Subject: [PATCH 10/24] inc encode for osx_x86 for exec and system jobs
---
 lib/encoder/osx_x86/inc.py | 40 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 lib/encoder/osx_x86/inc.py
diff --git a/lib/encoder/osx_x86/inc.py b/lib/encoder/osx_x86/inc.py
new file mode 100644
index 0000000..de88b50
--- /dev/null
+++ b/lib/encoder/osx_x86/inc.py
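Review bot: The new branches mix exact and substring tests — `encode == 'inc'`, `'inc_timesyouwant' in encode`, `'sub_yourvalue' in encode`, `'xor_' in encode` — and the substring ones still compare against the option's placeholder name although the `*_timesyouwant` / `*_yourvalue` encoders in this series parse a concrete suffix (`inc_<n>`, `sub_0x...`), so real input never reaches them; one consistent scheme such as `elif encode.startswith('inc_'):` after the exact `inc` test would make the dispatch work. The modules imported here (`inc`, `inc_timesyouwant`, `sub_random`, `sub_yourvalue`, `xor_random`, `xor_yourvalue`) do not exist in this commit, so selecting any of these options raises ImportError while commands.py already advertises them. The earlier `elif 'sub_' in encode:` Windows branch visible in this function would also capture `sub_random` and `sub_0x...` before these arms unless it is guarded by an `os` test above the hunk. encode_process begins outside the hunk.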
@@ -0,0 +1,40 @@
+def start(shellcode, job):
+ if job == "exec":
+ t = True
+ eax = str('0x3b909090')
+ eax_2 = "%x" % (int(eax, 16) - int('0x01', 16))
+ A = 0
+ eax = 'push $%s' % (str(eax))
+ if '-' in eax_2:
+ A = 1
+ eax_2 = eax_2.replace('-', '')
+ eax_add = 'push $0x%s\npop %%eax\ninc %%eax\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+ eax_2)
+
+ if A is 0:
+ eax_add = 'push $0x%s\npop %%eax\ninc %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % (
+ eax_2)
+ shellcode = shellcode.replace('mov $0x3b,%al', eax_add)
+
+ A = 0
+ for line in shellcode.rsplit('\n'):
+ if '_z3r0d4y_' in line:
+ A = 1
+ if 'push' in line and '$0x' in line and ',' not in line and len(
+ line) > 14 and A is 1:
+ data = line.rsplit('push')[1].rsplit('$0x')[1]
+ ebx_2 = "%x" % (int(data, 16) - int('0x01', 16))
+ command = '\npush $0x%s\npop %%ebx\ninc %%ebx\npush %%ebx\n' % (
+ str(ebx_2))
+ shellcode = shellcode.replace(line, command)
+ shellcode = shellcode.replace('_z3r0d4y_', '')
+ if job == "system":
+ for line in shellcode.rsplit('\n'):
+ if 'push' in line and '$0x' in line and ',' not in line and len(
+ line) > 14:
+ data = line.rsplit('push')[1].rsplit('$0x')[1]
+ ebx_2 = "%x" % (int(data, 16) - int('01', 16))
+ command = '\npush $0x%s\npop %%eax\ninc %%eax\npush %%eax\n' % (
+ str(ebx_2))
+ shellcode = shellcode.replace(line, command)
+ return shellcode
\ No newline at end of file
From f4a8eb6f4163850f43ba711ea96659dbc1b9109c Mon Sep 17 00:00:00 2001
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 20:03:51 +0530
Subject: [PATCH 11/24] inc_timesyouwant for osx_x86 for exec and system jobs
---
 lib/encoder/osx_x86/inc_timesyouwant.py | 66 +++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 lib/encoder/osx_x86/inc_timesyouwant.py
diff --git a/lib/encoder/osx_x86/inc_timesyouwant.py b/lib/encoder/osx_x86/inc_timesyouwant.py
new file mode 100644
index 0000000..213f9a5
--- /dev/null
+++ b/lib/encoder/osx_x86/inc_timesyouwant.py
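Review bot: `ebx_2 = "%x" % (int(data, 16) - int('0x01', 16))` is written into `push $0x%s` without any zero-byte check, so a push whose low byte is 0x01 is re-emitted ending in 0x00 and a push of exactly 0 would wrap to a 9-digit value; apply the same `'00' not in ebx_2` filter the random encoders use and refuse the line otherwise. The `if '-' in eax_2:` / `neg %eax` branch cannot fire because `0x3b909090 - 1` is positive, and `t = True` is unused. This file differs from dec.py only in the sign of the adjustment and the mnemonic; a shared helper taking `(delta, mnemonic)` would remove the duplication, and the module still lacks both the OWASP header and a docstring naming the `exec` / `system` jobs it handles.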
@@ -0,0 +1,66 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' + + +def start(type, shellcode, job): + if "exec" == job: + times = int(type.rsplit('inc_')[1]) + t = True + eax_2, eax = str('0x3b909090'), str('0x3b909090') + n = 0 + while n < times: + eax_2 = "%x" % (int(eax_2, 16) - int('0x01', 16)) + n += 1 + inc = 'inc %eax\n' * n + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_add = 'push $0x%s\npop %%eax\n%s\nneg %%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, inc) + + if A is 0: + eax_add = 'push $0x%s\npop %%eax\n%s\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, inc) + shellcode = shellcode.replace('mov $0x3b,%al', eax_add) + + A = 0 + for line in shellcode.rsplit('\n'): + if '_z3r0d4y_' in line: + A = 1 + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14 and A is 1: + ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1] + n = 0 + while n < times: + ebx_2 = "%x" % (int(ebx_2, 16) - int('0x01', 16)) + n += 1 + inc = 'inc %ebx\n' * n + command = '\npush $0x%s\npop %%ebx\n%s\npush %%ebx\n' % ( + str(ebx_2), inc) + shellcode = shellcode.replace(line, command) + shellcode = shellcode.replace('_z3r0d4y_', '') + + if "system" == job: + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + ebx_2 = line.rsplit('push')[1].rsplit('$0x')[1] + n = 0 + while n < times: + ebx_2 = "%x" % (int(ebx_2, 16) - int('01', 16)) + n += 1 + inc = 'inc %eax\n' * n + command = '\npush $0x%s\npop %%eax\n%spush %%eax\n' % ( + str(ebx_2), str(inc)) + shellcode = shellcode.replace(line, command) + + + return shellcode \ No newline at end of file From 8d19cfec03daca3d7d61dba247110e8a16467816 Mon Sep 17 00:00:00 2001 
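Review bot: In the `"system"` branch `times` is read by `while n < times:` but it is only assigned inside the `"exec"` branch, so `start(type, shellcode, "system")` raises UnboundLocalError; dec_timesyouwant.py re-derives it in its own system branch, and the simplest fix here is to hoist `times = int(type.rsplit('inc_')[1])` above both `if` blocks. The count is not validated (`inc_0` or `inc_-3` silently returns the input unencoded) and the adjusted immediates are neither masked to 32 bits nor checked for zero bytes before being written into `push $0x...`. `t = True` is unused and `'%s\n' % inc` where `inc` already ends in a newline leaves blank lines in the assembly. A docstring naming the expected `inc_<N>` argument format would help since encode.py matches this encoder by the placeholder string instead.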
From: "Nikhil. R"
Date: Sat, 15 Jul 2017 20:16:34 +0530
Subject: [PATCH 12/24] sub_random encode for osx_x86 for exec and system
---
 lib/encoder/osx_x86/sub_random.py | 95 +++++++++++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 lib/encoder/osx_x86/sub_random.py
diff --git a/lib/encoder/osx_x86/sub_random.py b/lib/encoder/osx_x86/sub_random.py
new file mode 100644
index 0000000..efd44e6
--- /dev/null
+++ b/lib/encoder/osx_x86/sub_random.py
@@ -0,0 +1,95 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import random, binascii, string +from core.compatible import version +_version = version() +chars = string.digits + string.ascii_letters + + +def start(shellcode, job): + + if job == "exec": + t = True + eax = str('0x3b') + while t: + if _version is 2: + eax_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(1))) + if _version is 3: + eax_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(1))).encode('latin-1')) + ).decode('latin-1') + eax_1 = str('0') + str(eax_1[1]) + eax_2 = "%x" % (int(eax, 16) + int(eax_1, 16)) + if eax > eax_1: + if '00' not in str(eax_1) and '00' not in str(eax_2): + t = False + + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_sub = 'push $0x%s\npop %%eax\nneg %%eax\nsub $0x%s,%%eax\n' % ( + eax_2, eax_1) + + if A is 0: + eax_sub = 'push $0x%s\npop %%eax\nsub $0x%s,%%eax\n' % (eax_2, + eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_sub) + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(4))) + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(4))).encode('latin-1')) + ).decode('latin-1') + ebx_2 = "%x" % (int(data, 16) + int(ebx_1, 16)) + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2.replace( + '-', '')) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nsub %%ebx,%%eax\npush 
%%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + + if job == "system": + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(4))) + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(4))).encode('latin-1')) + ).decode('latin-1') + ebx_2 = "%x" % (int(data, 16) + int(ebx_1, 16)) + + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nsub %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + + return shellcode \ No newline at end of file From b4b5652c9adaffa92076be65cbaff53cfb4aa9b5 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 20:17:12 +0530 Subject: [PATCH 13/24] sub_yourvalue encode for osx_x86 exec and system job --- lib/encoder/osx_x86/sub_yourvalue.py | 71 ++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 lib/encoder/osx_x86/sub_yourvalue.py diff --git a/lib/encoder/osx_x86/sub_yourvalue.py b/lib/encoder/osx_x86/sub_yourvalue.py new file mode 100644 index 0000000..f235998 --- /dev/null +++ b/lib/encoder/osx_x86/sub_yourvalue.py 
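Review bot: `ebx_2 = "%x" % (int(data, 16) + int(ebx_1, 16))` can exceed 0xffffffff — the filter bounds the length from below with `len(ebx_2) >= 7` but never from above — which yields a 9-digit `push $0x1...` immediate the assembler rejects; mask with `& 0xffffffff` before formatting, after which the `'-' in ...` / `neg %eax` handling and `'-' not in ebx_1` tests are dead and can go. `if _version is 2:` / `is 3` should be `==` (identity on ints is a CPython accident and a SyntaxWarning from 3.8), and `if eax > eax_1:` compares hex strings lexicographically rather than numerically. The `exec` and `system` per-push loops are identical apart from those dead `'-'` conditions and would be better as one helper shared with add_random.py and xor_random.py.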
@@ -0,0 +1,71 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' + + +def start(type, shellcode, job): + + if job == "exec": + value = str(type.rsplit('sub_')[1][2:]) + t = True + eax = str('0x3b909090') + eax_1 = value + eax_2 = "%x" % (int(eax, 16) + int(eax_1, 16)) + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_sub = 'push $0x%s\npop %%eax\nneg %%eax\nsub $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + + if A is 0: + eax_sub = 'push $0x%s\npop %%eax\nsub $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_sub) + A = 0 + for line in shellcode.rsplit('\n'): + if '_z3r0d4y_' in line: + A = 1 + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14 and A is 1: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) + int(ebx_1, 16)) + + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nsub %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + shellcode = shellcode.replace('_z3r0d4y_', '') + if job == "system": + value = str(type.rsplit('sub_')[1][2:]) + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) + int(ebx_1, 16)) + A = 0 + if str('-') in str(ebx_2): + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop 
%%ebx\npush $0x%s\npop %%eax\nneg %%eax\nsub %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + A = 1 + if A is 0: + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nsub %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + + return shellcode \ No newline at end of file From 84447e6b7074e0029c1a66159de65d59c7fdc490 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 20:27:11 +0530 Subject: [PATCH 14/24] xor_random for exec/system for osx_x86 --- core/encode.py | 2 +- lib/encoder/osx_x86/xor_random.py | 94 +++++++++++++++++++++++++++++++ 2 files changed, 95 insertions(+), 1 deletion(-) create mode 100644 lib/encoder/osx_x86/xor_random.py diff --git a/core/encode.py b/core/encode.py index 2030109..0592928 100644 --- a/core/encode.py +++ b/core/encode.py @@ -104,7 +104,7 @@ def encode_process(encode, shellcode, os, func): elif encode == 'xor_random': from lib.encoder.osx_x86.xor_random import start return start(shellcode, func) - elif 'xor_' in encode: + elif 'xor_yourvalue' in encode: from lib.encoder.osx_x86.xor_yourvalue import start return start(encode, shellcode, func) return shellcode diff --git a/lib/encoder/osx_x86/xor_random.py b/lib/encoder/osx_x86/xor_random.py new file mode 100644 index 0000000..9e47bb8 --- /dev/null +++ b/lib/encoder/osx_x86/xor_random.py 
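Review bot: As in add_yourvalue.py, the `exec` branch's `while t:` loop has no random element — `ebx_1 = value` is fixed — so it spins forever whenever the user's value fails the `'00' not in ...` / `len(...) >= 7` filter for some push line; replace it with a single check that raises with a clear message. `eax_2 = "%x" % (int(eax, 16) + int(eax_1, 16))` is not masked to 32 bits, so for any value above 0xc46f6f6f the sum has nine hex digits and the `shr $0x10` / `shr $0x08` trick no longer leaves 0x3b in eax; `(int(eax, 16) + int(eax_1, 16)) & 0xffffffff` keeps the identity `eax - value == 0x3b909090` modulo 2**32. The `system` branch applies no zero-byte check at all, so a value whose sum with a push immediate contains 0x00 is emitted silently. `type` shadows the builtin and the module lacks a docstring naming the `sub_0x<hex>` argument format.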
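Review bot: Narrowing `'xor_' in encode` to `'xor_yourvalue' in encode` goes the wrong way: the sibling `*_yourvalue` encoders in this series parse a concrete suffix (`type.rsplit('sub_')[1][2:]`, i.e. `sub_0x...`), and xor_yourvalue.py presumably does the same, so the placeholder name is exactly the one string a user never passes. Since `xor_random` is tested just above, the prefix test `elif encode.startswith('xor_'):` is what routes a real `xor_0x...` value to this encoder. encode_process begins outside the hunk.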
@@ -0,0 +1,94 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import random, binascii, string +from core.compatible import version +_version = version() +chars = string.digits + string.ascii_letters + + +def start(shellcode, job): + if "system" == job: + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(4))) + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(4))).encode('latin-1')) + ).decode('latin-1') + ebx_2 = "%x" % (int(data, 16) ^ int(ebx_1, 16)) + + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nxor %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + + if "exec" == job: + t = True + eax = str('0x3b') + while t: + if _version is 2: + eax_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(1))) + if _version is 3: + eax_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(1))).encode('latin-1')) + ).decode('latin-1') + eax_1 = str('0') + str(eax_1[1]) + eax_2 = "%x" % (int(eax, 16) ^ int(eax_1, 16)) + if eax > eax_1: + if '00' not in str(eax_1) and '00' not in str(eax_2): + t = False + + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_xor = 'push $0x%s\npop %%eax\nneg %%eax\nxor $0x%s,%%eax\n' % ( + eax_2, eax_1) + + if A is 0: + eax_xor = 'push $0x%s\npop 
%%eax\nxor $0x%s,%%eax\n' % (eax_2, + eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_xor) + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + if _version is 2: + ebx_1 = binascii.b2a_hex(''.join(random.choice(chars) + for i in range(4))) + if _version is 3: + ebx_1 = (binascii.b2a_hex((''.join(random.choice( + chars) for i in range(4))).encode('latin-1')) + ).decode('latin-1') + ebx_2 = "%x" % (int(data, 16) ^ int(ebx_1, 16)) + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2.replace( + '-', '')) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nxor %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + + return shellcode \ No newline at end of file From 427271e24d091f4cbf1cc52da634300cd3691e37 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Sat, 15 Jul 2017 20:31:30 +0530 Subject: [PATCH 15/24] xor_yourvalue encode for exec/system for osx_x86 --- lib/encoder/osx_x86/xor_yourvalue.py | 72 ++++++++++++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 lib/encoder/osx_x86/xor_yourvalue.py diff --git a/lib/encoder/osx_x86/xor_yourvalue.py b/lib/encoder/osx_x86/xor_yourvalue.py new file mode 100644 index 0000000..8470a12 --- /dev/null +++ b/lib/encoder/osx_x86/xor_yourvalue.py 
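Review bot: `_version is 2`, `_version is 3` and `A is 0` compare integers by identity throughout xor_random.py; CPython's small-int cache makes this work by accident and Python 3.8+ warns about it, so use `==`. The random-key construction `binascii.b2a_hex(''.join(random.choice(chars) for i in range(4)))` with its py2/py3 split is repeated verbatim in the `system` and `exec` branches and a third time for the one-byte `eax_1`; a small `_random_hex(nchars)` helper would collapse the duplication and confine the version branching to one place. `if eax > eax_1:` compares the strings `'0x3b'` and a two-character hex string lexicographically rather than numerically — if a numeric comparison was intended it should be `int(eax, 16) > int(eax_1, 16)`, though the intent is not documented so this is hedged. `import random, binascii, string` should be one import per line, and `start` has no docstring.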
@@ -0,0 +1,72 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' + + +def start(type, shellcode, job): + + if "exec" == job: + value = str(type.rsplit('xor_')[1][2:]) + t = True + eax = str('0x3b909090') + eax_1 = value + eax_2 = "%x" % (int(eax, 16) ^ int(eax_1, 16)) + A = 0 + eax = 'push $%s' % (str(eax)) + if '-' in eax_2: + A = 1 + eax_2 = eax_2.replace('-', '') + eax_xor = 'push $0x%s\npop %%eax\nneg %%eax\nxor $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + + if A is 0: + eax_xor = 'push $0x%s\npop %%eax\nxor $0x%s,%%eax\nshr $0x10,%%eax\nshr $0x08,%%eax\n_z3r0d4y_' % ( + eax_2, eax_1) + shellcode = shellcode.replace('mov $0x3b,%al', eax_xor) + A = 0 + for line in shellcode.rsplit('\n'): + if '_z3r0d4y_' in line: + A = 1 + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14 and A is 1: + data = line.rsplit('push')[1].rsplit('$0x')[1] + t = True + while t: + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) ^ int(ebx_1, 16)) + + if str('00') not in str(ebx_1) and str('00') not in str( + ebx_2) and len(ebx_2) >= 7 and len( + ebx_1) >= 7 and '-' not in ebx_1: + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nxor %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + t = False + shellcode = shellcode.replace('_z3r0d4y_', '') + + if "system" == job: + value = str(type.rsplit('xor_')[1][2:]) + for line in shellcode.rsplit('\n'): + if 'push' in line and '$0x' in line and ',' not in line and len( + line) > 14: + data = line.rsplit('push')[1].rsplit('$0x')[1] + ebx_1 = value + ebx_2 = "%x" % (int(data, 16) ^ int(ebx_1, 16)) + A = 0 + if str('-') in str(ebx_2): + ebx_2 = ebx_2.replace('-', '') + command = '\npush $0x%s\npop 
%%ebx\npush $0x%s\npop %%eax\nneg %%eax\nxor %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + A = 1 + if A is 0: + command = '\npush $0x%s\npop %%ebx\npush $0x%s\npop %%eax\nxor %%ebx,%%eax\npush %%eax\n' % ( + str(ebx_1), str(ebx_2)) + shellcode = shellcode.replace(line, command) + + return shellcode \ No newline at end of file From 9d90be48f12fc7c594c8f4ef808c77e2c5836a8a Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Mon, 17 Jul 2017 18:42:45 +0530 Subject: [PATCH 16/24] fix errors in encoding calls --- core/encode.py | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/core/encode.py b/core/encode.py index 0592928..a802d9a 100644 --- a/core/encode.py +++ b/core/encode.py 
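Review bot: `value = str(type.rsplit('xor_')[1][2:])` drops the first two characters of the user-supplied value on the assumption that they are a `0x` prefix, and nothing checks that the remainder is hexadecimal before `int(eax_1, 16)`, so a value given without the prefix silently loses two digits and a malformed one surfaces as a bare ValueError from inside the loop. Parsing it once up front — `raw = type.rsplit('xor_')[1]`, `value = raw[2:] if raw.lower().startswith('0x') else raw`, then `int(value, 16)` inside a `try` that reports which value was rejected — keeps both cases explicit. add_random.py at L19–L20 has the same `[2:]` slice.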
@@ -80,31 +80,31 @@ def encode_process(encode, shellcode, os, func): if encode == 'add_random': from lib.encoder.osx_x86.add_random import start return start(shellcode, func) - elif encode =='add_yourvalue': + elif 'add_' in encode: from lib.encoder.osx_x86.add_yourvalue import start return start(encode, shellcode, func) elif encode == 'dec': from lib.encoder.osx_x86.dec import start return start(shellcode, func) - elif encode == 'dec_timesyouwant': + elif 'dec_' in encode: from lib.encoder.osx_x86.dec_timesyouwant import start return start(encode, shellcode, func) elif encode == 'inc': from lib.encoder.osx_x86.inc import start return start(shellcode, func) - elif 'inc_timesyouwant' in encode: + elif 'inc_' in encode: from lib.encoder.osx_x86.inc_timesyouwant import start return start(encode, shellcode, func) elif encode == 'sub_random': from lib.encoder.osx_x86.sub_random import start return start(shellcode, func) - elif 'sub_yourvalue' in encode: + elif 'sub_' in encode: from lib.encoder.osx_x86.sub_yourvalue import start return start(encode, shellcode, func) elif encode == 'xor_random': from lib.encoder.osx_x86.xor_random import start return start(shellcode, func) - elif 'xor_yourvalue' in encode: + elif 'xor_' in encode: from lib.encoder.osx_x86.xor_yourvalue import start return start(encode, shellcode, func) return shellcode From 39f68334eebe9c6de146cccd1e777cd434f579ae Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Tue, 18 Jul 2017 13:31:19 +0530 Subject: [PATCH 17/24] simplify simple_ascii --- lib/encoder/python/simple_ascii.py | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/lib/encoder/python/simple_ascii.py b/lib/encoder/python/simple_ascii.py index fae105f..b2e2b46 100644 --- a/lib/encoder/python/simple_ascii.py +++ b/lib/encoder/python/simple_ascii.py 
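Review bot: `'add_' in encode`, `'dec_' in encode`, `'inc_' in encode`, `'sub_' in encode` and `'xor_' in encode` are substring tests that match the prefix anywhere in the name, and they make branch order load-bearing (each must stay after the corresponding `== '..._random'` test); `encode.startswith('add_')` states the intent and survives reordering. The ten-branch chain repeats one shape — import a module, call its `start` with or without `encode` — so a dict mapping prefix to `(module_name, passes_encode)` resolved with one `importlib.import_module` call would make adding the next encoder a one-line change. `encode_process` begins outside the hunk; only its signature is visible in the hunk header, and no docstring is visible describing what `encode`, `os` and `func` are expected to hold.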
@@ -15,9 +15,6 @@ def encode(f): for i in range(50)) ascii_data = ''.join([str(ord(i))+'*' for i in f])[:-1] data = var_name + ' = "' + ascii_data + '"' - var_data = ''.join( - random.choice(string.ascii_lowercase + string.ascii_uppercase) - for i in range(50)) var_counter = ''.join( random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(50)) @@ -37,10 +34,9 @@ def %s(%s): for %s in %s.split('*'): %s += chr(int(%s)) return %s -%s = %s exec(%s(%s)) ''' % (data, func_name, func_argv, var_str, var_counter, func_argv, var_str, - var_counter, var_str, var_data, var_name, func_name, var_data) + var_counter, var_str, func_name, var_name) return f From 0d803686739a519131c9032b9e3aa883d18197d5 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Tue, 18 Jul 2017 13:34:17 +0530 Subject: [PATCH 18/24] simplify python basec64_rev --- lib/encoder/python/simple_base64_rev.py | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/lib/encoder/python/simple_base64_rev.py b/lib/encoder/python/simple_base64_rev.py index 010582a..4fd725f 100644 --- a/lib/encoder/python/simple_base64_rev.py +++ b/lib/encoder/python/simple_base64_rev.py @@ -17,16 +17,13 @@ def encode(f): var_name = ''.join( random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(50)) - if _version is 2: rev_data = binascii.b2a_base64(f)[-2::-1] data = var_name + ' = "' + str(rev_data) + '"' if _version is 3: rev_data = binascii.b2a_base64(f.encode('utf8')).decode('utf8')[-2::-1] data = var_name + ' = "' + str(rev_data) + '"' - var_data = ''.join( - random.choice(string.ascii_lowercase + string.ascii_uppercase) - for i in range(50)) + func_name = ''.join( random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(50)) 
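Review bot: in the simple_base64_rev.py hunk `@@ -17,16 +17,13 @@`, removing `if _version is 2:` leaves `rev_data = binascii.b2a_base64(f)[-2::-1]` and the following `data = ...` line as unconditional context, so on Python 3 `binascii.b2a_base64` is now called on a `str` and raises TypeError before the `_version is 3` branch is reached; and if those two lines kept the indentation they had under the removed `if` (indentation is not visible in this rendering), the module no longer parses at all. The deletion looks accidental next to the intended `var_data` cleanup; restoring the guard as `if _version == 2:` (with `==`, not `is`) keeps the py2 path isolated, or, if dropping py2 was intended, the two lines should go with it.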
@@ -44,10 +41,9 @@ def %s(%s): return str(binascii.a2b_base64(%s[::-1]).encode('utf8'))[::-1].decode('utf8') else: sys.exit('Your python version is not supported!') -%s = %s exec(%s(%s)) -''' % (data, func_name, func_argv, func_argv, func_argv, var_data, var_name, - func_name, var_data) +''' % (data, func_name, func_argv, func_argv, func_argv, + func_name, var_name) return f From 60d11f4be1e8085dd59bc5ab13171f17180fa6ad Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Tue, 18 Jul 2017 14:09:26 +0530 Subject: [PATCH 19/24] simplify simple hex rev python --- lib/encoder/python/simple_hex_rev.py | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/lib/encoder/python/simple_hex_rev.py b/lib/encoder/python/simple_hex_rev.py index a406544..cf47379 100644 --- a/lib/encoder/python/simple_hex_rev.py +++ b/lib/encoder/python/simple_hex_rev.py @@ -24,10 +24,6 @@ def encode(f): if _version is 3: rev_data = binascii.b2a_hex(f.encode('utf8')).decode('utf8')[::-1] data = var_name + ' = "' + str(rev_data) + '"' - - var_data = ''.join( - random.choice(string.ascii_lowercase + string.ascii_uppercase) - for i in range(50)) func_name = ''.join( random.choice(string.ascii_lowercase + string.ascii_uppercase) for i in range(50)) @@ -45,10 +41,9 @@ def %s(%s): return str(binascii.a2b_hex(%s[::-1]).decode('utf8')) else: sys.exit('Your python version is not supported!') -%s = %s exec(%s(%s)) -''' % (data, func_name, func_argv, func_argv, func_argv, var_data, var_name, - func_name, var_data) +''' % (data, func_name, func_argv, func_argv, func_argv, + func_name, var_name) return f From b835898e852333c6c4ce292c86de5c3e3f69299e Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Tue, 18 Jul 2017 16:30:17 +0530 Subject: [PATCH 20/24] rot13 for python code --- core/commands.py | 2 +- lib/encoder/python/rot13.py | 56 +++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 lib/encoder/python/rot13.py 
diff --git a/core/commands.py b/core/commands.py index 81543b1..86417eb 100644 --- a/core/commands.py +++ b/core/commands.py @@ -130,7 +130,7 @@ ['simple_hex', 'base64', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii'], #encode types 'python': - ['simple_hex', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii'], + ['simple_hex', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii', 'rot13'], 'php': ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii'], 'perl': diff --git a/lib/encoder/python/rot13.py b/lib/encoder/python/rot13.py new file mode 100644 index 0000000..7f015eb --- /dev/null +++ b/lib/encoder/python/rot13.py 
@@ -0,0 +1,56 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import binascii +import random +import string +import codecs +from core.compatible import version +_version = version() + + +def encode(f): + var_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + if _version is 2: + # rev_data = binascii.b2a_base64(f)[-2::-1] + rev_data = f.encode("rot13") + print(rev_data) + data = var_name + ' = """' + str(rev_data) + '"""' + if _version is 3: + rev_data = codecs.encode(f, "rot-13") + data = var_name + ' = """' + str(rev_data) + '"""' + + func_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_argv = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + f = ''' +import binascii +import sys +import codecs +%s +def %s(%s): + if sys.version_info.major is 2: + return str(%s.decode("rot13")) + elif sys.version_info.major is 3: + return str(codecs.decode(%s, "rot-13")) + else: + sys.exit('Your python version is not supported!') +exec(%s(%s)) +''' % (data, func_name, func_argv, func_argv, func_argv, + func_name, var_name) + return f + + +def start(content,cli): + return str(str('\'\'\'\n') + str(content.replace('\'\'\'', '\\\'\\\'\\\'')) + + str('\n\'\'\'') + str(encode(content)) + str('\n')) From 9792a692bd7512a3d5375c88829622810be3bc28 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Tue, 18 Jul 2017 18:58:25 +0530 Subject: [PATCH 21/24] rot13 for php --- core/commands.py | 8 ++-- lib/encoder/php/rot13.py | 73 +++++++++++++++++++++++++++++++++++++ lib/encoder/python/rot13.py | 2 - 3 files changed, 77 insertions(+), 6 deletions(-) create mode 100644 lib/encoder/php/rot13.py 
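Review bot: `print(rev_data)` in the `_version is 2` branch is leftover debugging that writes the encoded body to stdout on every call, interleaving with whatever the caller prints; it should go, together with the commented-out `# rev_data = binascii.b2a_base64(f)[-2::-1]` line above it. `import binascii` is unused once that comment is gone, and `_version is 2` / `_version is 3` — as well as `sys.version_info.major is 2` inside the emitted template — are identity comparisons on integers that should be `==` in both the encoder and the generated code. php/rot13.py (L31), ruby/rot13.py (L33) and javascript/rot13.py (L35) repeat the unused `binascii` import and the `is` comparisons. `encode` and `start` have no docstrings; one line each — `encode` returns Python source that decodes and `exec`s the rotated text, `start` prefixes the original `content` inside a `'''` block — would document the contract, and `cli` is accepted by `start` but never read.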
diff --git a/core/commands.py b/core/commands.py index 86417eb..cf5a52c 100644 --- a/core/commands.py +++ b/core/commands.py @@ -128,16 +128,16 @@ { 'javascript': #langauge name ['simple_hex', 'base64', 'simple_hex_rev', 'simple_base64_rev', - 'simple_ascii'], #encode types + 'simple_ascii', 'rot13'], #encode types 'python': ['simple_hex', 'simple_hex_rev', 'simple_base64_rev', 'simple_ascii', 'rot13'], 'php': - ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii'], + ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii', 'rot13'], 'perl': ['simple_hex', 'base64', 'simple_hex_rev', 'simple_base64_rev', - 'simple_ascii'], + 'simple_ascii', 'rot13'], 'ruby': - ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii'], + ['simple_hex', 'base64', 'simple_hex_rev', 'base64_rev', 'simple_ascii', 'rot13'], } ], 'back': ['Go back one step', ''], diff --git a/lib/encoder/php/rot13.py b/lib/encoder/php/rot13.py new file mode 100644 index 0000000..ab0936b --- /dev/null +++ b/lib/encoder/php/rot13.py 
@@ -0,0 +1,73 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import binascii +import random +import string +import codecs +from core.compatible import version +from core.alert import * +from core.get_input import _input + +_version = version() + + +def encode(f): + val_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + data = '' + eval = '$' + val_name + if _version is 2: + data = '$' + val_name + "= <<<'EOT'" + str(f.encode("rot13")) + '\nEOT;\n' + + if _version is 3: + data = '$' + val_name + "=<<<'EOT'" + str(codecs.encode(f, "rot-13")) + '\nEOT;\n' + var_str = '$' + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + var_data = '$' + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_argv = '$' + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + f = ''' +%s +function %s(%s) { + %s = str_rot13(%s); + return %s; +} +eval(%s(%s)); +?>''' % (data, func_name, func_argv, var_str, func_argv, var_str, func_name, eval) + return f + + +def start(content,cli): + if '' in content or ' or ', '') + elif answer == 'no' or answer == 'n': + pass + else: + warn('You had to answer with yes or no, We count that as "no"\n') + return str(str(' Date: Tue, 18 Jul 2017 19:54:02 +0530 Subject: [PATCH 22/24] rot13 for ruby --- hello.rb | 33 ++++++++++++++++++++ lib/encoder/ruby/rot13.py | 63 +++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 hello.rb create mode 100644 lib/encoder/ruby/rot13.py 
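Review bot: `eval = '$' + val_name` rebinds the builtin `eval` for the remainder of `encode`, and `var_data` is computed and never used; naming it `eval_arg` (or using `'$' + val_name` directly in the format tuple) and dropping `var_data` fixes both. `from core.alert import *` hides where `warn` comes from — import it by name. This hunk is garbled in the rendering: the text around the PHP open and close tags inside `start` has been dropped (it reads `if '' in content or ' or ', '')`), so `start`'s prompt-and-replace logic, and the two-line change to lib/encoder/python/rot13.py that the diffstat lists, cannot be reviewed from this page.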
diff --git a/hello.rb b/hello.rb new file mode 100644 index 0000000..3eba3d6 --- /dev/null +++ b/hello.rb @@ -0,0 +1,33 @@ +=begin +def test(a1 = "Ruby", a2 = "Perl") + puts "The programming language is #{a1}" + puts "The programming language is #{a2}" +end +test "C", "C++" +test +=end +require "base64" +def rot13(t) + for i in 0..t.size-1 + x = t[i].ord + x = (x-97+13) % 26+97 if x.between?(97,122) + x = (x-65+13) % 26+65 if x.between?(65,90) + t[i] = x.chr + end + return t +end + +gvIUCZbYjItqdjcZQnxwgSMOgJeTwxkQOMQJZGsomXacBPANNJ= <<'EOF' +qrs grfg(n1 = "Ehol", n2 = "Crey") + chgf "Gur cebtenzzvat ynathntr vf #{n1}" + chgf "Gur cebtenzzvat ynathntr vf #{n2}" +raq +grfg "P", "P++" +grfg +EOF + +def ghNqQdJEoHeycdKlvoCFgRHMesNYyTaCSqjxRnrorZsiKTrvLX(oeGVxsNbsIarnScgQWJzbtrhJiiwFwZPTJFVfNyspVSPVPKUWzs) + vMOBjbMDtRwqWZkjKwzCkXtxshgVcYzcdPKKKREXBHsKwRYbbDr = rot13((oeGVxsNbsIarnScgQWJzbtrhJiiwFwZPTJFVfNyspVSPVPKUWzs)) + return vMOBjbMDtRwqWZkjKwzCkXtxshgVcYzcdPKKKREXBHsKwRYbbDr +end +eval(ghNqQdJEoHeycdKlvoCFgRHMesNYyTaCSqjxRnrorZsiKTrvLX(gvIUCZbYjItqdjcZQnxwgSMOgJeTwxkQOMQJZGsomXacBPANNJ)); diff --git a/lib/encoder/ruby/rot13.py b/lib/encoder/ruby/rot13.py new file mode 100644 index 0000000..a59bbda --- /dev/null +++ b/lib/encoder/ruby/rot13.py 
@@ -0,0 +1,63 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import binascii +import random +import string +import codecs +from core.compatible import version +_version = version() + + +def encode(f): + val_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + data = '' + if _version is 2: + data = val_name + "= <<'EOF'\n" + f.encode("rot13")+ "\nEOF\n" + + if _version is 3: + data = val_name + "= <<'EOF'\n" + codecs.encode(f, "rot-13")+ "\nEOF\n" + var_data = random.choice(string.ascii_lowercase) + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_argv = random.choice(string.ascii_lowercase) + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + var_str = random.choice(string.ascii_lowercase) + ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + f = ''' +require "base64" +def rot13(t) + for i in 0..t.size-1 + x = t[i].ord + x = (x-97+13) %% 26+97 if x.between?(97,122) + x = (x-65+13) %% 26+65 if x.between?(65,90) + t[i] = x.chr + end + return t +end + +%s +def %s(%s) + %s = rot13((%s)) + return %s +end +eval(%s(%s));''' % (data, func_name, func_argv, var_str, func_argv, var_str, func_name, val_name) + return f + + +def start(content,cli): + return str(str('=begin\n') + str(content.replace( + '=begin', '#=begin').replace('=end', '#=end')) + str('\n=end') + str( + encode(content)) + str('\n')) From b72708a3d1cdaa4813d6c55cf733c43abd406ced Mon Sep 17 00:00:00 2001 
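Review bot: `var_data` is assigned and never used, `import binascii` is unused, and the emitted Ruby prelude opens with `require "base64"` although nothing in the generated code uses Base64; all three look carried over from the base64 encoder and should be dropped. `_version is 2` / `_version is 3` are identity comparisons on integers and should be `==`. `start` returns the original `content` with its `=begin`/`=end` lines commented out and the generated code appended, and `cli` is never read; a one-line docstring saying so would spare the reader the reconstruction.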
From: "Nikhil. R" Date: Tue, 18 Jul 2017 20:41:11 +0530 Subject: [PATCH 23/24] rot13 for js --- lib/encoder/javascript/rot13.py | 60 +++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 lib/encoder/javascript/rot13.py diff --git a/lib/encoder/javascript/rot13.py b/lib/encoder/javascript/rot13.py new file mode 100644 index 0000000..267e42d --- /dev/null +++ b/lib/encoder/javascript/rot13.py 
@@ -0,0 +1,60 @@ +#!/usr/bin/env python +''' +OWASP ZSC +https://www.owasp.org/index.php/OWASP_ZSC_Tool_Project +https://github.com/zscproject/OWASP-ZSC +http://api.z3r0d4y.com/ +https://groups.google.com/d/forum/owasp-zsc [ owasp-zsc[at]googlegroups[dot]com ] +''' +import binascii +import random +import string +import codecs +from core.compatible import version +_version = version() + + +def encode(f): + base64_arr = '' + val_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + data = '' + if _version is 2: + data = val_name + '= ` ' + str(f.encode("rot13")) + '`;' + if _version is 3: + data = val_name + '= `' + str(codecs.encode(f, "rot-13")) + '`;' + var_b64 = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + var_str = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + var_data = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_name = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + func_argv = ''.join( + random.choice(string.ascii_lowercase + string.ascii_uppercase) + for i in range(50)) + f = ''' +%s +function rot(s) { + return s.replace(/[a-zA-Z]/g, function (c) { + return String.fromCharCode((c <= "Z" ? 90 : 122) >= (c = c.charCodeAt(0) + 13) ? c : c - 26); + }); +} +function %s(%s) { + return rot(%s); + + +} +eval(%s(%s));''' % (data, func_name, func_argv, func_argv, func_name, val_name) + return f + + +def start(content,cli): + return str(str('/*\n') + str(content.replace('*/', '*_/')) + str('\n*/') + + str(encode(content)) + str('\n')) From 97d933344f6f014de348cb75a91e1f1f2f73b619 Mon Sep 17 00:00:00 2001 From: "Nikhil. R" Date: Wed, 19 Jul 2017 11:34:07 +0530 Subject: [PATCH 24/24] delete temp file --- hello.rb | 33 --------------------------------- 1 file changed, 33 deletions(-) delete mode 100644 hello.rb 
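Review bot: `base64_arr`, `var_b64`, `var_str` and `var_data` are assigned in `encode` and never used — four of the seven generated identifiers are dead code left over from another encoder. The py2 branch builds the template-literal opener with a space after the opening backtick while the py3 branch does not, so the two interpreters emit different output; one form should be used in both. The two blank lines inside the emitted `function %s(%s) { return rot(%s); }` body are noise in the generated file, and `_version is 2` / `_version is 3` should be `==`.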
diff --git a/hello.rb b/hello.rb deleted file mode 100644 index 3eba3d6..0000000 --- a/hello.rb +++ /dev/null @@ -1,33 +0,0 @@ -=begin -def test(a1 = "Ruby", a2 = "Perl") - puts "The programming language is #{a1}" - puts "The programming language is #{a2}" -end -test "C", "C++" -test -=end -require "base64" -def rot13(t) - for i in 0..t.size-1 - x = t[i].ord - x = (x-97+13) % 26+97 if x.between?(97,122) - x = (x-65+13) % 26+65 if x.between?(65,90) - t[i] = x.chr - end - return t -end - -gvIUCZbYjItqdjcZQnxwgSMOgJeTwxkQOMQJZGsomXacBPANNJ= <<'EOF' -qrs grfg(n1 = "Ehol", n2 = "Crey") - chgf "Gur cebtenzzvat ynathntr vf #{n1}" - chgf "Gur cebtenzzvat ynathntr vf #{n2}" -raq -grfg "P", "P++" -grfg -EOF - -def ghNqQdJEoHeycdKlvoCFgRHMesNYyTaCSqjxRnrorZsiKTrvLX(oeGVxsNbsIarnScgQWJzbtrhJiiwFwZPTJFVfNyspVSPVPKUWzs) - vMOBjbMDtRwqWZkjKwzCkXtxshgVcYzcdPKKKREXBHsKwRYbbDr = rot13((oeGVxsNbsIarnScgQWJzbtrhJiiwFwZPTJFVfNyspVSPVPKUWzs)) - return vMOBjbMDtRwqWZkjKwzCkXtxshgVcYzcdPKKKREXBHsKwRYbbDr -end -eval(ghNqQdJEoHeycdKlvoCFgRHMesNYyTaCSqjxRnrorZsiKTrvLX(gvIUCZbYjItqdjcZQnxwgSMOgJeTwxkQOMQJZGsomXacBPANNJ));