libShellCode


What is libShellCode?

libShellCode is a library you can include in your exploits. It provides functions that generate, at runtime, a Linux/BSD (i386 architecture) ShellCode with the parameters you want. The package includes a front end for the library.

The current library version provides the following features:
- Multiplatform support. libShellCode now supports Linux and BSD.
- Generate a ShellCode that executes a command. (Linux, BSD)
- Generate a ShellCode that binds a program to a port. (Linux, BSD)
- Generate a ShellCode that connects to an IP:Port and executes a command. (Linux, BSD)
- Generate a ShellCode that reuses an already open connection to execute a command. (Linux, BSD)
- Generate a ShellCode that writes a message to a file. (Linux, BSD)
- Generate a ShellCode that writes a message to stdout or stderr. (Linux, BSD)
- Generation of NOPs other than 0x90 that are equivalent to it.
- Possibility to encrypt the ShellCodes (polymorphic ShellCodes).
- New ncurses front end. (see screenshots)


Table of supported ShellCodes on different platforms:

Arch  OS     write SC  write to file SC  exec SC  bind SC  connect back SC  socket reuse SC
i386  Linux  Yes       Yes               Yes      Yes      Yes              Yes
i386  BSD    Yes       Yes               Yes      Yes      Yes              Yes


Table of supported functionalities on different platforms:

Arch  OS     setuid(0), setreuid(0,0), setresuid(0,0,0)  setgid(0), setregid(0,0), setresgid(0,0,0)  chroot() evasion  Polymorphism
i386  Linux  Yes                                          Yes                                          Yes               Yes
i386  BSD    Yes                                          Yes                                          No                Yes


Examples

Here you can find some ShellCodes built with libShellCode 0.3.1.

example_1.c This is a Linux/i386 ShellCode that writes "I'm Here!!!" to stdout.
example_2.c This is a BSD/i386 ShellCode that calls setuid(0), then writes "Someone was here !!!" to /root/readme.
example_3.c This is a Linux/i386 ShellCode that calls setuid(0), then writes "I'm looking you..." to /dev/tty.
example_4.c This is a BSD/i386 polymorphic ShellCode that calls setuid(0) and setgid(0), then executes /bin/sh and exit(0).
example_5.c This is a Linux/i386 polymorphic ShellCode that calls setuid(0), then escapes from the chroot and executes /usr/X11R6/bin/xterm -display 192.168.1.50:0.0 and exit(0).
example_6.c This is a Linux/i386 ShellCode that calls setuid(0) and setgid(0), then listens on port 12345 and fork()s when it receives a connection. The child first escapes from the chroot, then executes /bin/sh and exit(0). The parent listens for the next connection.
example_7.c This is a Linux/i386 ShellCode that calls setuid(0), then listens on port 54321 and, when it receives a connection, first escapes from the chroot, then executes /bin/cat /etc/passwd /etc/shadow and exit(0).
example_8.c This is a Linux/i386 polymorphic ShellCode that opens a connection to 192.168.1.50:8000 and calls setuid(0) and setgid(0), then escapes from the chroot and executes /bin/sh and exit(0).
example_9.c This is a Linux/i386 polymorphic ShellCode that opens a connection to 192.168.1.50:9000 and calls setuid(0), then escapes from the chroot and executes /bin/grep root /etc/shadow and exit(0).
example_10.c This is a Linux/i386 polymorphic ShellCode that reuses the open connection from 192.168.1.50:80 and calls setuid(0) and setgid(0), then escapes from the chroot and executes /bin/sh and exit(0).



My Book is Out!!!

Vulnerabilità su Linux:
Guida pratica alle tecniche di exploiting



Currently the book is available only in Italian.
The English translation of the title would be:

Linux Vulnerabilities:
A practical guide to exploiting techniques

In this book I explain how to exploit:

Buffer Overflow on the Stack
Buffer Overflow on the Heap
Buffer Overflow on Data Section
Buffer Overflow on BSS Section
Remote Buffer Overflow
Format String Bug on the Stack
Format String Bug not on the Stack
Remote Format String Bug
Integer Overflow/Underflow
Conversion errors

You will learn:

The organization of a process memory
How to execute arbitrary code (Shellcodes or library functions)
How to write powerful ShellCodes
How to easily find the ShellCode in memory
How to execute advanced return in libc attacks
How to automate the attacks
How to elude Network IDS
How to bypass input filters
How protections work and how to bypass them




Download

libShellCode 0.3.3 (5/10/2006) - Changelog - Current release
libShellCode 0.3.2 (10/4/2006)
libShellCode 0.3.1 (11/7/2004)
libShellCode 0.3.0 (22/2/2004)
libShellCode 0.2.1 (17/10/2003)
libShellCode 0.2.0 (8/9/2003)
libShellCode 0.1.0 (24/5/2003) - First Public release


Projects that use libShellCode

libShellCode is a library, so it can be included in other tools.
The projects known to me that use libShellCode are:

LibExploit - http://www.packetfactory.net/projects/libexploit


Bug Reports

For bug reports, comments, ASM optimizations, and everything else, you can contact me at: orkmail[at]katamail[dot]com