<feed xmlns='http://www.w3.org/2005/Atom'>
<title>lib-des-gnux/templates/shellcode, branch master</title>
<subtitle>Library of GNU Exploitation</subtitle>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/'/>
<entry>
<title>Ignore shellcode working files</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2023-01-15T14:57:27+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=8037b8c5acaeeeff32d6de01c06132a4f5e432bf'/>
<id>8037b8c5acaeeeff32d6de01c06132a4f5e432bf</id>
<content type='text'>
Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Add sample for connecting a TCP socket</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2023-01-15T14:29:14+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=1418eaf3054967f1d9856279f1988279c1009ba1'/>
<id>1418eaf3054967f1d9856279f1988279c1009ba1</id>
<content type='text'>
This sample can be used to create a reverse shell when combined with the
shell64 sample:

    cat examples/{tcp64,shell64}.asm &gt;code.asm
    make
    ...

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Update /bin/sh shellcodes</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2023-01-15T13:06:42+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=f21e743212f02dbfb560fa74d983a7e156722d11'/>
<id>f21e743212f02dbfb560fa74d983a7e156722d11</id>
<content type='text'>
The shell-spawning shellcodes are rewritten to address the following
concerns:

    - The array parameters to execve are now set properly, to valid
      arrays on the stack, instead of NULL pointers.

    - The cdq instruction is no longer used to sign-extend the rax
      register, since it has not been producing the expected results in
      gdb.

    - Labels, sections, and other file metadata are removed in order to
      support concatenation of shellcode samples to make more complex
      code.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Remove shelltool</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-12-24T20:25:26+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=ad106276e2935085f9201ffa65423032f8fcff6b'/>
<id>ad106276e2935085f9201ffa65423032f8fcff6b</id>
<content type='text'>
shelltool is now deprecated, made redundant by the updated Makefile.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Update Makefile</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-12-24T13:02:29+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=806f9029d160c5f47f0b49db288f469718424f7b'/>
<id>806f9029d160c5f47f0b49db288f469718424f7b</id>
<content type='text'>
This patch brings various improvements to the shellcoding experience:

    - There is no longer a hardcoded assembly sample that gets built

        Although the default was pretty sane, it will be more convenient
        to experiment, or build more complex shellcodes using a new
        untracked filename as the main build target: code.asm

        If code.asm is missing, then as before, it will be created from
        shell64.asm (the old hard default).

        The Makefile targets will compile code.* files.

    - Hex string generation and bad char detection are improved

        grep is used to highlight detected bad chars right in place.
        This entire feature is now implemented directly in the Makefile
        using a couple of command lines, making shelltool deprecated.

    - Builtin disassembly

        Just run 'make disas' instead of manually invoking objdump.  The
        output is also filtered through grep for bad char detection.

    - ELF executable is optional

        Rather than linking an executable all the time, just run
        'make elf' when you need it.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Move example code to a new directory</title>
<updated>2023-01-15T15:12:48+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-12-24T12:50:44+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=c41649b5077eb3e0d66043658df8bccbdfef0f1a'/>
<id>c41649b5077eb3e0d66043658df8bccbdfef0f1a</id>
<content type='text'>
This is mainly done to keep the top working directory (where the
Makefile lives) cleaner.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Drop SYS_EXIT samples</title>
<updated>2023-01-15T15:11:35+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-12-24T12:42:07+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=d1853b2ea3b52cf20d08c428769a2a4fa3bf6b5c'/>
<id>d1853b2ea3b52cf20d08c428769a2a4fa3bf6b5c</id>
<content type='text'>
Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>shellcode: Initialize envp to NULL</title>
<updated>2022-02-27T09:09:20+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2022-02-27T09:09:20+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=880ba95060a03ef5e0dea93c14c4a5c56470b528'/>
<id>880ba95060a03ef5e0dea93c14c4a5c56470b528</id>
<content type='text'>
This issue was discovered a while back, during one of the CTFs, and was
particularly a problem with the 32-bit shellcode.  Because the third
kernel argument register was not being set by the payload, we would
essentially pass garbage.

I'm only committing this now, as I've recently been able to reproduce
the related failure and demonstrate this patch working.  I never
actually observed the 64-bit shellcode fail for this reason on a target,
but it is also patched for correctness.

Argument 3 to execve() is the environment pointer, a pointer to an array
of strings to define the process's environment variables.  Although this
argument should point to an empty array (ptr to NULL) if empty, Linux
allows the pointer itself to be NULL in this case - thus the xor of the
register.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>Add Makefile for shellcode templates</title>
<updated>2021-08-22T13:24:04+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2021-08-22T13:24:04+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=d0e68f51eae112447289f2bcf541c4a4882ec741'/>
<id>d0e68f51eae112447289f2bcf541c4a4882ec741</id>
<content type='text'>
The shell*.asm files are considered the default programs and the
expected use-case for utilizing the templates is to edit these files to
implement the desired shellcode.  I figure that literal shellcode makes
the most sense of what to expect by default.

'make all' will assemble and link the shellcode (so it can actually be
directly executed via the output elf files), and feed the disassembly
into shelltool for use elsewhere.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
<entry>
<title>Refactor genhex into shelltool</title>
<updated>2021-08-22T12:25:26+00:00</updated>
<author>
<name>Malfurious</name>
<email>m@lfurio.us</email>
</author>
<published>2021-08-22T12:25:26+00:00</published>
<link rel='alternate' type='text/html' href='http://normalmode.org/malf/lib-des-gnux/commit/?id=89c13129a55ccbecda31614c83e88612972c11a6'/>
<id>89c13129a55ccbecda31614c83e88612972c11a6</id>
<content type='text'>
For convenience, I've rewritten my old shellcode parser program in
Python.  It is moved to the shellcode templates dir and renamed to
shelltool.

As a new feature, shelltool will now check the result for NULL bytes and
newline bytes that may cause problems in an exploit.

Signed-off-by: Malfurious &lt;m@lfurio.us&gt;
</content>
</entry>
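The bad-char check and hex-string generation that the Makefile and shelltool commits above describe, as an added example written for this page: it is not the project's shelltool or Makefile (whose exact grep pattern is not shown here). It assumes the assembled code is available as a flat binary, flags NUL and newline bytes by default as the shelltool commit says it does, and the two sample byte strings are constructed x86-64 encodings, not taken from the repository:

```python
import sys

# Added example, not the project's own shelltool/Makefile. Default bad-char
# set: NUL and newline, the two bytes the shelltool commit says it checks.
# A target that mangles other bytes (0x0d, 0x20, ...) gets its own set passed
# in by the caller.
DEFAULT_BADCHARS = b"\x00\x0a"


def hexstring(code):
    """Render shellcode bytes as a C-style '\\x..' string, one escape per byte."""
    return "".join("\\x%02x" % b for b in code)


def find_badchars(code, badchars=DEFAULT_BADCHARS):
    """Return (offset, byte) pairs for every occurrence of a bad byte."""
    bad = set(badchars)
    return [(i, b) for i, b in enumerate(code) if b in bad]


def highlight(code, badchars=DEFAULT_BADCHARS):
    """Hex string with each bad byte wrapped in [..], a plain-text stand-in for
    the in-place colour highlighting grep gives on a terminal."""
    bad = set(badchars)
    out = []
    for b in code:
        esc = "\\x%02x" % b
        out.append("[" + esc + "]" if b in bad else esc)
    return "".join(out)


def report(code, badchars=DEFAULT_BADCHARS):
    """Summary: length, highlighted hex string, and one line per bad byte with
    its offset, so the offending instruction can be found in the disassembly."""
    hits = find_badchars(code, badchars)
    lines = ["length: %d bytes" % len(code), "hex:    " + highlight(code, badchars)]
    for off, b in hits:
        lines.append("bad char 0x%02x at offset %d" % (b, off))
    if not hits:
        lines.append("no bad chars found")
    return "\n".join(lines)


# Constructed sample inputs (x86-64 encodings), not taken from the repository:
#   mov eax, 59          encodes as b8 3b 00 00 00 and carries three NUL bytes;
#   push 0x3b ; pop rax  encodes as 6a 3b 58 and loads the same value cleanly.
NAIVE_SYSCALL_NR = b"\xb8\x3b\x00\x00\x00"
CLEAN_SYSCALL_NR = b"\x6a\x3b\x58"

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: python3 badchars.py code.bin  (flat binary, e.g. from objcopy -O binary)
        with open(sys.argv[1], "rb") as f:
            print(report(f.read()))
    else:
        print(report(NAIVE_SYSCALL_NR))
        print()
        print(report(CLEAN_SYSCALL_NR))
```

Run it on the flat binary the build produces to get the same two things the Makefile's grep pipeline gives (the pasteable hex string and the flagged bytes), and pass a wider byte set as the second argument when the target's input path drops more than NUL and newline.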
</feed>
