LibExploit API V 0.1a
---------------------

- Introduction
- Defines
- Global Variables
- Functions
- Shellcodes

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

- Introduction
--------------

This file contains all the defines, global variables and functions declared
in the LibExploit library. Use this file to learn what you can use to write
your exploits :) If something is not clear, read the source code!!

IMPORTANT : Read the ADMmutate API to know how to use it, because it is not
explained here. There is no point in repeating myself!!

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

- Defines
---------

This section explains the "defines" already defined in the LibExploit library.

() #define LIBXPLOITVER
   Current version of LibExploit.

() #define NOP
   The common 0x90 :)

() #define NOP_SIZE
   The NOP size, currently 1 for x86 and 4 for sparc.

() #define BIN
   Defines /bin.

() #define SH
   Defines /sh.

() #define BASH
   Defines /bash.

() #define BINSH
   Defines /bin/sh.

() #define BINBASH
   Defines /bin/bash.

() #define ZERO
   As the define implies, 0 :)

() #define MAX1024
   Used to establish a buffer of 1024.

() #define FTP
   FTP port.

() #define SSH
   SSH port.

() #define TELNET
   Telnet port.

() #define SMTP
   SMTP port.

() #define DNS
   DNS port.

() #define HTTP
   HTTP port.

() #define POP
   POP port.

() #define IDENT
   IDENT port.

() #define IMAP
   IMAP port.

() #define TOTALSHELL
   Number of all the shells available.

() #define YES
   YES = 1;

() #define NO
   NO = 0;

() #define TESTEXPLOIT
   A set of commands to test whether a shell is given by an exploit.
   Nice for FTP exploits. (cd /; uname -a; pwd; id;\n)

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

- Global Variables
------------------

This section explains the global variables declared in the LibExploit library.

() static char nop[]
   Another declaration of the NOP operation. "\x90" for x86 and
   "0xac15a16e" for sparc.

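Added example, not part of LibExploit: a defender-side check that flags long runs of the two NOP encodings listed for nop[] in a captured buffer. The big-endian byte order of the SPARC word, the function names and the 16-byte threshold are assumptions; sleds rewritten by a mutation engine such as ADMmutate do not match these fixed patterns.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NOP encodings from the nop[] entry; SPARC word assumed big-endian in memory. */
static const uint8_t X86_NOP[1]   = { 0x90 };
static const uint8_t SPARC_NOP[4] = { 0xac, 0x15, 0xa1, 0x6e };

/* Longest run of back-to-back copies of pat; its start offset goes in *off. */
static size_t longest_run(const uint8_t *buf, size_t len,
                          const uint8_t *pat, size_t plen, size_t *off)
{
    size_t best = 0, i = 0;
    while (i + plen <= len) {
        size_t j = i;
        while (j + plen <= len && memcmp(buf + j, pat, plen) == 0) j += plen;
        if (j - i > best) { best = j - i; *off = i; }
        i = (j > i) ? j : i + 1;
    }
    return best;
}

/* Returns 1 (x86 sled), 2 (SPARC sled) or 0; *off is valid only when nonzero. */
int detect_nop_sled(const uint8_t *buf, size_t len, size_t min_bytes, size_t *off)
{
    if (longest_run(buf, len, X86_NOP, sizeof X86_NOP, off) >= min_bytes) return 1;
    if (longest_run(buf, len, SPARC_NOP, sizeof SPARC_NOP, off) >= min_bytes) return 2;
    return 0;
}

/* Constructed sample: benign ASCII line, count copies of pat, then 'A' filler. */
size_t build_sample(uint8_t *out, size_t cap, const uint8_t *pat, size_t plen, size_t count)
{
    static const char hdr[] = "USER anonymous\r\n";
    size_t n = sizeof hdr - 1;
    if (n + plen * count + 8 > cap) return 0;
    memcpy(out, hdr, n);
    for (size_t k = 0; k < count; k++, n += plen) memcpy(out + n, pat, plen);
    memset(out + n, 'A', 8);
    return n + 8;
}

int main(void)
{
    uint8_t b[256]; size_t off = 0;
    size_t n = build_sample(b, sizeof b, X86_NOP, sizeof X86_NOP, 32);
    int kind = detect_nop_sled(b, n, 16, &off);   /* 16 bytes: hypothetical threshold */
    printf("kind=%d offset=%zu\n", kind, off);
}
```
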
<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

- Functions
-----------

This section explains the functions declared in the LibExploit library.
Use them wisely ;)

() unsigned long LibExploit_Getesp();
   Return the esp on the system. Both for x86 and sparc.

() int LibExploit_Connect(char *host, int port);
   Connect to a given host on a given port. Return -1 if it fails.

() void LibExploit_Write(int Sock, char *msg);
   Write data to the socket.

() unsigned long LibExploit_Resolve(char *host);
   Resolve a hostname. Return -1 if it fails.

() void LibExploit_Loginftp(int Sock, char *user, char *pass);
   Do the FTP login process.

() void LibExploit_InfoShell(int numshell)
   Display on the screen the info of the shell given by shell number.

() void LibExploit_Runshell(int numshell)
   Run the shell given by shell number.

() char *LibExploit_GiveHexShell(int numshell)
   Return the shellcode itself, given by shell number. Return NULL on failure.

() int LibExploit_GiveSizeShell(int numshell)
   Return the shellcode size, given by shell number. Return -1 on failure.

() char *LibExploit_GiveNameShell(int numshell)
   Return the shellcode name, given by shell number. Return NULL on failure.

() char *LibExploit_GiveOsShell(int numshell)
   Return the shellcode OS, given by shell number. Return NULL on failure.

() char *LibExploit_GivePlatformShell(int numshell)
   Return the shellcode platform, given by shell number. Return NULL on
   failure.

() char *LibExploit_GiveTypeShell(int numshell)
   Return the shellcode type, given by shell number. Return NULL on failure.

() int LibExploit_Send(int Sock, const char *msg)
   Send data via a socket. Return -1 on failure.

() int LibExploit_Close(int Sock)
   Close a socket. Return -1 on failure and 0 on success.

() int LibExploit_Calculateret(char *shell, char *path)
   Calculate the return address, using the env technique.

() void LibExploit_DisplayShell(char *shell, int len)
   Display the shellcode on the screen in hex format. It stops if it
   finds a 0x00.

() int LibExploit_CheckShell(char *shell, int len)
   Check whether the shellcode contains 0x00. (BROKEN!)

() int LibExploit_Max(int x, int y)
   Return the larger of x and y.

() void LibExploit_DoShell(int Soc, char *test)
   Check whether a shell was given by the exploit. Nice for FTP exploits.
   In test, put the command to check with. (Ex. TESTEXPLOIT).

() int LibExploit_GetLocalOS(char *host)
   Check if the given OS is that of the current local host.

() int LibExploit_GetLocalPlatform(char *host)
   Check if the given platform is that of the current local host.

() int LibExploit_Read(int Sock, char dt[MAX1024])
   Read data from a socket.

() int LibExploit_CheckBanner(int Sock, char str[MAX1024])
   Check whether the banner contains the "str" string. Return 1 on success
   or -1 on failure.

() char *LibExploit_MakeTrash(char car, int size)
   Return a buffer of the given size filled with the given character.

() void LibExploit_MakeTolower(char *data, int size)
   Convert the buffer to lower case.

() void LibExploit_MakeToupper(char *data, int size)
   Convert the buffer to upper case.

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>

- Shellcodes
------------

This section explains the shellcodes declared in the LibExploit library.
Current number of shells at your disposal : 21

() static struct Exploit_Shell ShellCodes[]
   Structure with all the shellcode information.
   Members of the structure are:

   int num        : Number of the shellcode. (1,2,3, etc...)
   char *os       : OS shellcode. (linux, win, etc...)
   char *platform : Platform shellcode (x86, sparc, etc...)
   char *type     : Type of shellcode. (/bin/sh shell, portbinding, etc...)
   char *name     : Name of the shellcode. (Linux_x86_Binsh, etc...)
   int size       : Size of shellcode. (45, 129, etc...)

# Shell Number 1
() static char Linux_x86_Binsh[]
   A common /bin/sh shell for Linux/x86.

# Shell Number 2
() static char Linux_x86_PortBinding[]
   A portbinding linux shell on port 3879 for Linux/x86.

# Shell Number 3
() static char Linux_x86_Chroot[]
   A shellcode that breaks chroot for Linux/x86.

# Shell Number 4
() static char Linux_x86_TolowerShell[]
   A shellcode that performs tolower evasion and drops a /bin/sh shell
   for Linux/x86.

# Shell Number 5
() static char Linux_x86_ToupperShell[]
   A shellcode that performs toupper evasion and drops a /bin/sh shell
   for Linux/x86.

# Shell Number 6
() static char FreeBSD_x86_Binsh[]
   A common /bin/sh shell for FreeBSD/x86.

# Shell Number 7
() static char BSDi_x86_Binsh[]
   A common /bin/sh shell for BSDi/x86.

# Shell Number 8
() static char BSDi_x86_ToupperShell[]
   A shellcode that performs toupper evasion and drops a /bin/sh shell
   for BSDi/x86.

# Shell Number 9
() static char HPUX_Binsh[]
   A common /bin/sh shell for HP-UX.

# Shell Number 10
() static char UnixWare_Binsh[]
   A common /bin/sh shell for UnixWare.

# Shell Number 11
() static char Solaris_x86_Binsh[]
   A setuid and execve /bin/sh shell for solaris/x86.

# Shell Number 12
() static char Linux_Sparc_Binsh[]
   A setuid and execve /bin/sh shell for Linux/Sparc.

# Shell Number 13
() static char Linux_Sparc_TolowerShell[]
   A setreuid and execve /bin/sh shell with tolower() for Linux/Sparc.

# Shell Number 14
() static char Solaris_Sparc_Binsh[]
   A common /bin/sh shell for Solaris/Sparc.

# Shell Number 15
() static char NetBSD_x86_Binsh[]
   A common /bin/sh shell for NetBSD/x86.

# Shell Number 16
() static char Windows_x86_PortBinding
   A portbinding windows shell on port 7788 for Windows/x86.

# Shell Number 17
() static char Irix_MIPS_Binsh
   A common /bin/sh shell for Irix/MIPS.

# Shell Number 18
() static char Linux_x86_RootPass
   Adds a root password for Linux/x86.

# Shell Number 19
() static char OpenBSD_x86_RootPass
   Adds a root password for OpenBSD/x86.

# Shell Number 20
() static char SCO_Binsh
   A common /bin/sh shell for SCO.

# Shell Number 21
() static char SCO_Chroot
   A shellcode that breaks chroot for SCO.

<<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>><<>>