path: root/templates

Age         Commit message                                      Author      Files  Lines
2023-01-15  Ignore shellcode working files                      Malfurious  1      -0/+1

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Add sample for connecting a TCP socket   Malfurious  1      -0/+49

    This sample can be used to create a reverse shell when combined with the shell64 sample:

        cat examples/{tcp64,shell64}.asm >code.asm
        make
        ...

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Update /bin/sh shellcodes                Malfurious  2      -28/+37

    The shell-spawning shellcodes are rewritten to address the following concerns:

    - The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers.
    - The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb.
    - Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code.

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Remove shelltool                         Malfurious  1      -30/+0

    shelltool is now deprecated, made redundant by the updated Makefile.

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Update Makefile                          Malfurious  1      -12/+26

    This patch brings various improvements to the shellcoding experience:

    - There is no longer a hardcoded assembly sample that gets built

      Although the default was pretty sane, it will be more convenient to experiment, or build more complex shellcodes, using a new untracked filename as the main build target: code.asm

      If code.asm is missing, then as before, it will be created from shell64.asm (the old hard default). The Makefile targets will compile code.* files.

    - Hex string generation and bad char detection are improved

      grep is used to highlight detected bad chars right in place. This entire feature is now implemented directly in the Makefile using a couple of command lines, making shelltool deprecated.

    - Builtin disassembly

      Just run 'make disas' instead of manually invoking objdump. The output is also filtered through grep for bad char detection.

    - ELF executable is optional

      Rather than linking an executable all the time, just run 'make elf' when you need it.

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Move example code to a new directory     Malfurious  2      -0/+0

    This is mainly done to keep the top working directory (where the Makefile lives) cleaner.

    Signed-off-by: Malfurious <m@lfurio.us>
2023-01-15  shellcode: Drop SYS_EXIT samples                    Malfurious  2      -16/+0

    Signed-off-by: Malfurious <m@lfurio.us>
2022-02-27  shellcode: Initialize envp to NULL                  Malfurious  2      -0/+2

    This issue was discovered a while back, during one of the CTFs, and was particularly a problem with the 32-bit shellcode. Because the third kernel argument register was not being set by the payload, we would essentially pass garbage.

    I'm only committing this now, as I've recently been able to reproduce the related failure and demonstrate this patch working. I never actually observed the 64-bit shellcode fail for this reason on a target, but it is also patched for correctness.

    Argument 3 to execve() is the environment pointer, a pointer to an array of strings that define the process's environment variables. Although this argument should point to an empty array (ptr to NULL) if empty, Linux allows the pointer itself to be NULL in this case - thus the xor of the register.

    Signed-off-by: Malfurious <m@lfurio.us>
2021-11-28  Commit notes from Killer Queen CTF 2021             Malfurious  1      -0/+55

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-22  Add Makefile for shellcode templates                Malfurious  1      -0/+17

    The shell*.asm files are considered the default programs and the expected use-case for utilizing the templates is to edit these files to implement the desired shellcode. I figure that literal shellcode makes the most sense of what to expect by default.

    'make all' will assemble and link the shellcode (so it can actually be directly executed via the output elf files), and feed the disassembly into shelltool for use elsewhere.

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-22  Refactor genhex into shelltool                      Malfurious  1      -0/+30

    For convenience, I've rewritten my old shellcode parser program in Python. It is moved to the shellcode templates dir and renamed to shelltool.

    As a new feature, shelltool will now check the result for NULL bytes and newline bytes that may cause problems in an exploit.

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-22  Add sys_exit shellcode templates                    Malfurious  2      -0/+16

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-22  Add generic /bin/sh shellcode templates             Malfurious  2      -0/+29

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-11  Commit PHP request logging script                   Malfurious  1      -0/+49

    Taken from github, see comment in file.

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-10  Commit brainfuck tools                              Malfurious  1      -0/+1

    The foremost tool in this collection is the brainfuck debugger. It was written to assist with the 'boring flag checker' problem from RaRCTF 2021, but has good potential for general-purpose use.

    The compiler and decompiler are much more niche, given brainfuck is not typically a compiled language. They are from the same CTF and, although highly problem-specific, are kept around for posterity.

    A hello world program is saved under templates as a quick sanity check for the tools as well as for reference purposes, should it become useful.

    Signed-off-by: Malfurious <m@lfurio.us>
2021-08-01  Adding Various Small Tools                          dusoleil    1      -0/+35

    Signed-off-by: dusoleil <howcansocksbereal@gmail.com>
2021-08-01  Rename automation directory to templates            Malfurious  1      -0/+176

    Signed-off-by: Malfurious <m@lfurio.us>