Changeset 520

Timestamp:

04/19/06 01:18:17 (3 years ago)

Author:

common

Message:

nepenthes
- shellcode-signatures

• namespace alphanumericxor added
  
  • alphanumericxor::msfpexalphanum added
    
  • alphanumericxor::skylined added
    
• bindshell::augsburg added ( http://nepenthes.mwcollect.org/csni:shellcodes:augsburg ) as it uses alphanumericxor
  
• payload added as mapping value for namespace alphanumericxor::
  
• added namespace alphanumericxor::
  

Files:

• nepenthes/trunk/modules/shellcode-signatures/Makefile.am (modified) (1 diff)
• nepenthes/trunk/modules/shellcode-signatures/parser.h (modified) (2 diffs)
• nepenthes/trunk/modules/shellcode-signatures/parser.l (modified) (2 diffs)
• nepenthes/trunk/modules/shellcode-signatures/parser.y (modified) (6 diffs)
• nepenthes/trunk/modules/shellcode-signatures/sch_namespace_alphanumericxor.cpp (added)
• nepenthes/trunk/modules/shellcode-signatures/sch_namespace_alphanumericxor.hpp (added)
• nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp (modified) (2 diffs)
• nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc (modified) (3 diffs)

nepenthes/trunk/modules/shellcode-signatures/Makefile.am

@@ -28 +28 @@
-shellcodesignatures_la_SOURCES += sch_engine_unicode.cpp sch_engine_unicode.hpp
-shellcodesignatures_la_SOURCES += sch_namespace_konstanzxor.cpp sch_namespace_konstanzxor.hpp
+shellcodesignatures_la_SOURCES += sch_namespace_alphanumericxor.cpp sch_namespace_alphanumericxor.hpp
-shellcodesignatures_la_LDFLAGS = -module -no-undefined -avoid-version
-

nepenthes/trunk/modules/shellcode-signatures/parser.h

@@ -16 +16 @@
-        sc_url,
-        sc_bindfiletransfer,
-
+
+
-
-};
@@ -35 +36 @@
-        sc_none,
-        sc_hostkey,
-
+
+
-
-};

nepenthes/trunk/modules/shellcode-signatures/parser.l

@@ -54 +54 @@
-"bindfiletransfer"                              { return SC_BIND_FILETRANSFER; }
-"base64"                      { return SC_BASE64; }
+"alphanumericxor"                                       { return SC_ALPHANUMERICXOR; }
-
-"hostkey"                     { return SC_HOSTKEY; }
@@ -69 +70 @@
-"pre"                         { return SC_PRELOAD; }
-"post"                        { return SC_POSTLOAD; }
+"payload"                     { return SC_PAYLOAD; }
-
-

nepenthes/trunk/modules/shellcode-signatures/parser.y

@@ -34 +34 @@
-
-%token SC_ID SC_LPAR SC_RPAR SC_LBR SC_RBR SC_COMMA SC_SEMI SC_COLON SC_NONE SC_FLAGS SC_PATTERN SC_TYPE SC_MAPPING SC_STRING 
-
+SC_ALPHANUMERICXOR
-SC_BIND_SHELL 
-SC_CONNECTBACK_SHELL 
@@ -46 +46 @@
-SC_DECODER SC_PRELOAD SC_POSTLOAD
-SC_HOSTKEY SC_PORTKEY
+SC_PAYLOAD
-
-%start body
@@ -151 +152 @@
-                $$ = sc_base64;
-        }
-
+
+
+
+
+
+
-
-statements
@@ -251 +257 @@
-        {
-                $$ = sc_portkey;
+        }
+   | SC_PAYLOAD
+        {
+                $$ = sc_payload;
-        }
-        ;
@@ -335 +345 @@
-                "url",
-                "bindfiletransfer",
-
+
+
-        };
-
@@ -361 +372 @@
-                "none",
-                "hostkey",
-
+
+
-        };
-        if ( num >= sizeof(mapmapping)/sizeof(char *) )

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.cpp

@@ -42 +42 @@
-#include "sch_engine_unicode.hpp"
-#include "sch_namespace_konstanzxor.hpp"
+#include "sch_namespace_alphanumericxor.hpp"
-
-#include "ShellcodeManager.hpp"
@@ -174 +175 @@
-                case sc_base64:
-                        sch = new NamespaceBase64(sc);
+                        break;
+
+                case sc_alphanumericxor:
+                        sch = new NamespaceAlphaNumericXOR(sc);
-                        break;
-                }

nepenthes/trunk/modules/shellcode-signatures/shellcode-signatures.sc

@@ -197 +197 @@
-        mapping (none,pre,decoder,size,key,post);
-};
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-/*
@@ -261 +278 @@
-        mapping (key,key);
-};
+
-
-
@@ -559 +577 @@
-};
-
+
+
+bindshell::augsburg
+{
+        pattern
+        "\\x6A\\xEB\\x4D\\xE8\\xF9\\xFF\\xFF\\xFF\\x60\\x8B\\x6C\\x24\\x24\\x8B\\x45\\x3C\\x8B\\x7C\\x05\\x78\\x01\\xEF\\x8B\\x4F\\x18\\x8B\\x5F\\x20\\x01\\xEB\\x49\\x8B"
+        "\\x34\\x8B\\x01\\xEE\\x31\\xC0\\x99\\xAC\\x84\\xC0\\x74\\x07\\xC1\\xCA\\x0D\\x01\\xC2\\xEB\\xF4\\x3B\\x54\\x24\\x28\\x75\\xE5\\x8B\\x5F\\x24\\x01\\xEB\\x66\\x8B"
+        "\\x0C\\x4B\\x8B\\x5F\\x1C\\x01\\xEB\\x03\\x2C\\x8B\\x89\\x6C\\x24\\x1C\\x61\\xC3\\x31\\xDB\\x64\\x8B\\x43\\x30\\x8B\\x40\\x0C\\x8B\\x70\\x1C\\xAD\\x8B\\x40\\x08"
+        "\\x5E\\x68\\x8E\\x4E\\x0E\\xEC\\x50\\xFF\\xD6\\x66\\x53\\x66\\x68\\x33\\x32\\x68\\x77\\x73\\x32\\x5F\\x54\\xFF\\xD0\\x68\\xCB\\xED\\xFC\\x3B\\x50\\xFF\\xD6\\x5F"
+        "\\x89\\xE5\\x66\\x81\\xED\\x08\\x02\\x55\\x6A\\x02\\xFF\\xD0\\x68\\xD9\\x09\\xF5\\xAD\\x57\\xFF\\xD6\\x53\\x53\\x53\\x53\\x53\\x43\\x53\\x43\\x53\\xFF\\xD0\\x66"
+        "\\x68(..)\\x66\\x53\\x89\\xE1\\x95\\x68\\xA4\\x1A\\x70\\xC7\\x57\\xFF\\xD6\\x6A\\x10\\x51\\x55\\xFF\\xD0\\x68\\xA4\\xAD\\x2E\\xE9\\x57\\xFF\\xD6\\x53\\x55"
+        "\\xFF\\xD0\\x68\\xE5\\x49\\x86\\x49\\x57\\xFF\\xD6\\x50\\x54\\x54\\x55\\xFF\\xD0\\x93\\x68\\xE7\\x79\\xC6\\x79\\x57\\xFF\\xD6\\x55\\xFF\\xD0\\x66\\x6A\\x64\\x66"
+        "\\x68\\x63\\x6D\\x89\\xE5\\x6A\\x50\\x59\\x29\\xCC\\x89\\xE7\\x6A\\x44\\x89\\xE2\\x31\\xC0\\xF3\\xAA\\xFE\\x42\\x2D\\xFE\\x42\\x2C\\x93\\x8D\\x7A\\x38\\xAB\\xAB"
+        "\\xAB\\x68\\x72\\xFE\\xB3\\x16\\xFF\\x75\\x44\\xFF\\xD6\\x5B\\x57\\x52\\x51\\x51\\x51\\x6A\\x01\\x51\\x51\\x55\\x51\\xFF\\xD0\\x68\\xAD\\xD9\\x05\\xCE\\x53\\xFF"
+        "\\xD6\\x6A\\xFF\\xFF\\x37\\xFF\\xD0\\x8B\\x57\\xFC\\x83\\xC4\\x64\\xFF\\xD6\\x52\\xFF\\xD0\\x68\\xF0\\x8A\\x04\\x5F\\x53\\xFF\\xD6\\xFF\\xD0";
+        mapping (none,port);
+};
+
+
-connectbackshell::mandragore
-{