
       				LibExploit API V 0.2
               		        --------------------

 - Introduction
 - Defines
 - Global Variables
 - Functions	
 - Shellcodes

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
 - Introduction
 --------------

	This file contains all the defines, global variables and functions
  declared in the LibExploit library. Use this file to learn what you
  can use to write your exploits :) 

	If something is not clear, read the source code!!

	IMPORTANT : Read the ADMmutate API to know how to use it, 
  because is not explained here. There is no point in repeating myself!! 
  Also check out libShellcode README.	

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
 - Defines
 ---------

	This section explains the "defines" already defined in 
   LibExploit library.

   () #define LIBXPLOITVER
	Current version of LibExploit.

   () #define NOP
	The common 0x90 :)

   () #define IDS_NOP
	An anti-ids NOP.

   () #define NOP_SIZE
	The NOP size, current 1 for x86.

   () #define IDS_NOP_SIZE
	The anti-ids NOP size, current 2 for x86.	

   () #define BIN
	Defines /bin.	

   () #define SH
	Defines /sh.
	
   () #define BASH
	Defines /bash.
	
   () #define BINSH
	Defines /bin/sh.
		
   () #define BINBASH 
	Defines /bin/bash.
	
   () #define ZERO
	As the define implies 0 :)
	
   () #define MAX1024
        To stablish a buffer of 1024.
	
   () #define FTP
	FTP port.	

   () #define SSH
	SSH port.

   () #define TELNET
	Telnet port.
	
   () #define SMTP
	SMTP port.
 	
   () #define DNS
	DNS port.

   () #define ORACLE_SQL_NET
	ORACLE SQL NET port.
	
   () #define HTTP
	HTTP port.

   () #define POP
	POP port.	

   () #define RPC
	RPC port.

   () #define IDENT	
	IDENT port.
   
   () #define NETBIOS_SESSION
	NETBIOS SESSION port.

   () #define IMAP	
	IMAP port.
   
   () #define SSL
	SSL port.

   () #define SMB
	SMB port.

   () #define MSSQL
	MS SQL port.

   () #define MSSQL_TCPIP
	MS SQL TCP port.

   () #define ORACLE
	Oracle port.

   () #define MSSQL7
	MS SQL7 port.

   () #define MYSQL
	MySQL port.

   () #define POSTGRESQL
	Postgre SQL port.

   () #define TOTALSHELL
	Number of all the shells avaliable.	

   () #define YES
	YES = 1;

   () #define NO	
	NO = 0;

   () #define TESTEXPLOIT
	A set of command to test if shell is given by an
	exploit. Nice for FTP exploits. (cd /; uname -a; pwd; id;\n)
  
   () #define OBJDUMP
	Objdump path. (/usr/bin/objdump)

   () #define GREP
	Grep path. (/bin/grep)

   () #define VALIDATESHELL
	Use it for shellcode validation. ( \/:*?"<>| )

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
 - Global Variables
 ------------------

	This section explains the global variables declared in 
   LibExploit library.

   () static char nop[]
	Another declaring of NOP operation. "\x90" for x86.

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
 - Functions	
 -----------

	This section explains the functions declared in 
   LibExploit library. Use them wise ;)

   FUNCTION : void LibExploit_InfoShell
   PARAMS   : char *shell
   RETURN   : ...
   ABSTRACT : Display a shell info on screen.

   FUNCTION : void LibExploit_Runshell
   PARAMS   : char *shell
   RETURN   : ...
   ABSTRACT : Run a shell for testing.

   FUNCTION : char *LibExploit_GiveHexShell
   PARAMS   : int numshell
   RETURN   : The selected shellcode in hex or
	      NULL if fails to find the selected shellcode.	
   ABSTRACT : Return the shellcode itself.

   FUNCTION : char *LibExploit_GiveSizeShell
   PARAMS   : int numshell
   RETURN   : The size of the seleted shellcode or
              -1 if fails to find the shellcode size.
   ABSTRACT : Return the shellcode size.

   FUNCTION : char *LibExploit_GiveNameShell
   PARAMS   : int numshell
   RETURN   : The name of the shellcode or
              NULL if fails to find the sellcode name.
   ABSTRACT : Return the shellcode Name.

   FUNCTION : char *LibExploit_GiveOsShell
   PARAMS   : int numshell
   RETURN   : The shellcode OS or
              NULL if fails to find shellcode os. 
   ABSTRACT : Return the shellcode OS.

   FUNCTION : char *LibExploit_GiveTypeShell
   PARAMS   : int numshell
   RETURN   : Shellcode type or
              NULL if fails to find shellcode type.
   ABSTRACT : Return the shellcode Type.

   FUNCTION : char *LibExploit_GivePlatformShell
   PARAMS   : int numshell
   RETURN   : Shellcode platform or
              NULL if fails to find shellcode platform.
   ABSTRACT : Return the shellcode Platform.

   FUNCTION : unsigned long LibExploit_CalculateRet
   PARAMS   : char *shell, char *path 
   RETURN   : Return address.
   ABSTRACT : Calculate the return address.

   FUNCTION : int LibExploit_DisplayShell
   PARAMS   : char  *shell, int len
   RETURN   : ...
   ABSTRACT : Display on screen a shellcode in hex.

   FUNCTION : int LibExploit_CheckShell
   PARAMS   : unsigned char *sh
   RETURN   : Return 0 if no NULL if found or
              a positive number if shellcode contains NULLs. 
   ABSTRACT : Check that shellcode do not contain a null char.

   FUNCTION : int LibExploit_FillRet
   PARAMS   : int eggsize, char *egg, long ret
   RETURN   : A char * filled with return address.
   ABSTRACT : Fill egg with return address.

   FUNCTION : int LibExploit_FillNOP
   PARAMS   : int eggsize, char *egg
   RETURN   : A char * filled with NOP.
   ABSTRACT : Fill egg with NOP.

   FUNCTION : void LibExploit_ExecuteShell
   PARAMS   : char *shl
   RETURN   : ...
   ABSTRACT : Execute a given shellcode.

   FUNCTION : char *LibExploit_LibshellcodeVer
   PARAMS   : ...
   RETURN   : Version of libShellCode
   ABSTRACT : Return LibShellcode Version.

   FUNCTION : char *LibExploit_GenerateWriteShell
   PARAMS   : int out, char *msg, int setuid, int xor
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Generate a write shell.

   FUNCTION : char *LibExploit_GenerateFileShell
   PARAMS   : char *file, char *msg, int setuid, int xor
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Generate a file write shell.

   FUNCTION : char *LibExploit_GenerateExecShell
   PARAMS   : char *prog, int setuid, int xit, int xor
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Generate a exec shell.

   FUNCTION : char *LibExploit_GenerateBindShell
   PARAMS   : char *prog, int setuid, int xit, int port, int fork, int xor
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Generate a bind shell.

   FUNCTION : char *LibExploit_GenerateConnectShell
   PARAMS   : char *prog, int setuid, int xit, char *ip, int port, int xor
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Generate a connect back shell.

   FUNCTION : char *LibExploit_ShellCreator
   PARAMS   : ...
   RETURN   : A char * with the generated shellcode.
   ABSTRACT : Interactive Shell Creator.

   FUNCTION : int LibExploit_InjectShell
   PARAMS   : int pid, char *shl
   RETURN   :  Return 0 on success or
               -1 if fails.
   ABSTRACT : Injects a given shellcode to the given
              proccess ID (pid).

   FUNCTION : int LibExploit_GetGOT 
   PARAMS   : const char *exe, const char *func
   RETURN   : Return the Global Offset Table (GOT)
              of the functions given or 0 if fails. 
   ABSTRACT : Get the GOT of a functions of the given program.

   FUNCTION : void LibExploit_SetObjdump
   PARAMS   : char *path
   RETURN   : ...
   ABSTRACT : Set Objdump path.

   FUNCTION : void LibExploit_SetGrep
   PARAMS   : char *path
   RETURN   : ...
   ABSTRACT : Set Grep path.

   FUNCTION : char *LibExploit_AddSetuid
   PARAMS   : char *shl
   RETURN   : Return a shellcode (char *) with a setuid(0) in front.
   ABSTRACT : Add a setuid(0) in front of shellcode.

   FUNCTION : char *LibExploit_AddNOP
   PARAMS   : char *shl, int num
   RETURN   : Returns a shellcode (char *) with X number of NOP in front.
   ABSTRACT : Add a X number of NOP in front a shellcode.

   FUNCTION : int LibExploit_ValidateShell
   PARAMS   : char *sh, unsigned char *str
   RETURN   : Returns 0 if shell is ok or
              a positive number if shellcode is not validate. 
   ABSTRACT : Validate a shellcode.

   FUNCTION : void LibExploit_DoShell
   PARAMS   : int Sock, char *test
   RETURN   : ...
   ABSTRACT : Connect and check if exploit worked.

   FUNCTION : char *LibExploit_GetLocalOS
   PARAMS   : ....
   RETURN   : Return Local OS or
              NULL if fails.
   ABSTRACT : Check the local OS given.

   FUNCTION : char *LibExploit_GetLocalPlatform
   PARAMS   : ...
   RETURN   : Return local platform or
              NULL if fails.
   ABSTRACT : Check the local platform given.

   FUNCTION : int LibExploit_MakeTrash
   PARAMS   : char car, int size
   RETURN   : A char * of the lenght defined.
   ABSTRACT : Make trash to fill a buffer.

   FUNCTION : int LibExploit_MakeTolower
   PARAMS   : char *data, int size
   RETURN   : ...
   ABSTRACT : Make buffer to lower.

   FUNCTION : int LibExploit_MakeToupper
   PARAMS   : char *data, int size
   RETURN   : ...
   ABSTRACT : Make buffer to upper.

   FUNCTION : int LibExploit_Error
   PARAMS   : ...
   RETURN   : A char * describing an error.
   ABSTRACT : Return error.

   FUNCTION : int LibExploit_OpenTerminal
   PARAMS   : ...
   RETURN   : Return 0 if success or
             -1 if fails. 
   ABSTRACT : Open a LibExploit Terminal.

   FUNCTION : int LibExploit_DoRequest
   PARAMS   : char cmd[]
   RETURN   : Return 0 or 1 on success or
              -1 if fails.
   ABSTRACT : Handle a command from the Terminal.

   FUNCTION : int LibExploit_ConnectShell
   PARAMS   : int sock
   RETURN   : Return 0 on success or
              -1 if fails.
   ABSTRACT : Connect to a bind shellcode.

   FUNCTION : int LibExploit_Connect
   PARAMS   : char *host, int port
   RETURN   : An int of the socket or
              -1 if fails.
   ABSTRACT : Connect to given host on port. 

   FUNCTION : int LibExploit_Write
   PARAMS   : int Sock, char *msg
   RETURN   : An int with the number of bytes written or
              -1 if fails.
   ABSTRACT : Write data to a socket.

   FUNCTION : unsigned long LibExploit_Resolve
   PARAMS   : char *host
   RETURN   : An unsigned long of the resolving host or
              -1 if fails. 
   ABSTRACT : Resolve host.

   FUNCTION : void LibExploit_Loginftp
   PARAMS   : int Sock, char *user, char *pass
   RETURN   : ...
   ABSTRACT : Do the ftp login procress.

   FUNCTION : int LibExploit_Send
   PARAMS   : int Sock, const char *msg
   RETURN   : An int with the numbers of characters sent or
              -1 if fails.
   ABSTRACT : Send data via socket.

   FUNCTION : int LibExploit_Close
   PARAMS   : int Sock
   RETURN   : 0 on success or
              -1 if fails.
   ABSTRACT : Close a socket.

   FUNCTION : int LibExploit_Read
   PARAMS   : int Sock, char data[MAX1024]
   RETURN   : An int with the number of bytes read or
              -1 if fails.
   ABSTRACT : Read data from socket.

   FUNCTION : int LibExploit_CheckBanner
   PARAMS   : int Sock, char *str
   RETURN   : 1 if banner is found or
              -1 if banner is not found.
   ABSTRACT : Check a banner port.

   FUNCTION : char *LibExploit_SendHTTPHead
   PARAMS   : int sock
   RETURN   : Return a char * with the server or
              "Not found" if server string is not
              found or NULL if fails.
   ABSTRACT : Send a HEAD Request to web server and
              server version.

   FUNCTION : unsigned long LibExploit_Getesp
   PARAMS   : ...
   RETURN   : The ESP of system.
   ABSTRACT : Get ESP on system. 

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
 - Shellcodes
 ------------

	This section explains the shellcodes declared in 
   LibExploit library.

  	Current number of shell at your disposal : 27
		
  () static struct Exploit_Shell ShellCodes[]
	Structure with all the shellcodes information.
	Members of the structure are:

	int num    : Number of the shellcode. (1,2,3, etc...)
	char *os   : OS shellcode. (linux, win, etc...)	
	char *platform : Platform shellcode (x86, sparc, etc...)
        char *type : Type of shellcode. (/bin/sh shell, portbinding, etc...) 
	char *name : Name of the shellcode. (Linux_x86_Binsh, etc...)
	int size   : Size of shellcode. (45, 129, etc...)

  # Shell Number 1		
  () static char Linux_x86_Binsh[]
	A common /bin/sh shell for Linux/x86.

  # Shell Number 2		
  () static char Linux_x86_PortBinding[]
	A portbinding linux shell on port 3879 for Linux/x86.

  # Shell Number 3
  () static char Linux_x86_Chroot[]
	A shellcode that breaks chroot for Linux/x86.

  # Shell Number 4 
  () static char Linux_x86_TolowerShell[]
	A shellcode that performs tolower evasion and
        drops a /bin/sh shell for Linux/x86.

  # Shell Number 5		
  () static char Linux_x86_ToupperShell[]
	A shellcode that performs toupper evasion and
        drops a /bin/sh shell for Linux/x86.

  # Shell Number 6
  () static char FreeBSD_x86_Binsh[]
	A common /bin/sh shell for FreeBSD/x86.

  # Shell Number 7 
  () static char BSDi_x86_Binsh[]
	A common /bin/sh shell for BSDi/x86.	

  # Shell Number 8 
  () static char BSDi_x86_ToupperShell[]
	A shellcode that performs toupper evasion and
        drops a /bin/sh shell for BSDi/x86.

  # Shell Number 9
  () static char HPUX_Binsh[]
	A common /bin/sh shell for HP-UX.

  # Shell Number 10
  () static char UnixWare_Binsh[]
	A common /bin/sh shell for UnixWare.

  # Shell Number 11
  () static char Solaris_x86_Binsh[]
	A setuid and execve /bin/sh shell for solaris/x86.

  # Shell Number 12
  () static char Linux_Sparc_Binsh[]
	A setuid and execve /bin/sh shell for Linux/Sparc.

  # Shell Number 13
  () static char Linux_Sparc_TolowerShell[]
	A setreuid and execve /bin/sh shell with tolower() for
        Linux/Sparc.

  # Shell Number 14
  () static char Solaris_Sparc_Binsh[]
	A common /bin/sh shell for Solaris/Sparc.

  # Shell Number 15
  () static char NetBSD_x86_Binsh[]
	A common /bin/sh shell for NetBSD/x86.

  # Shell Number 16
  () static char Windows_x86_PortBinding
	A portbinding windows shell on port 7788 for Windows/x86.
		
  # Shell Number 17
  () static char Irix_MIPS_Binsh
	A common /bin/sh shell for Irix/MIPS.
	
  # Shell Number 18
  () static char Linux_x86_RootPass
	Adds a root password for Linux/x86.

  # Shell Number 19
  () static char OpenBSD_x86_RootPass
	Adds a root password for OpenBSD/x86.
 	
  # Shell Number 20
  () static char SCO_Binsh
	A common /bin/sh shell for SCO.

  # Shell Number 21
  () static char SCO_Chroot
	A shellcode that breaks chroot for SCO.
	
  # Shell Number 22
  () static char Multios_x86_Binsh
	This Shellcode works on linux and FreeBSD, execute a /bin/sh.

  # Shell Number 23
  () static char Multios_x86_Reboot
	This Shellcode works on linux and FreeBSD, reboots system.

  # Shell Number 24
  () static char Multios1_x86_Binsh
	This Shellcode works on linux and BSD, execute a /bin/sh.
		
  # Shell Number 25
  () static char Linux_PPC_Binsh
	A Linux PPC /bin/sh shellcode.

  # Shell Number 26
  () static char Linux_Alpha_Binsh
	A Linux Alpha /bin/sh shellcode.

  # Shell Number 27
  () static char Linux_x86_ICMPShell
	A Linux ICMP shellcode.
 
<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>
<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

	
