Merge branch 'master' of github.com:isislab/Shellcode

Author: prole

.gitignore

@@ -10,3 +10,5 @@ doxydoc/
 *.pro.*
 *.pyc
 Doxyfile
+*.pyc
+*.*~

lib_research/elf_notes

@@ -0,0 +1,51 @@
+           typedef struct {
+               unsigned char e_ident[EI_NIDENT]; 0
+               uint16_t      e_type;		 16
+               uint16_t      e_machine;		 18
+               uint32_t      e_version;		 20
+               ElfN_Addr     e_entry;		 24
+               ElfN_Off      e_phoff;		 28
+               ElfN_Off      e_shoff;		 32
+               uint32_t      e_flags;		 36
+               uint16_t      e_ehsize;		 40
+               uint16_t      e_phentsize;	 42
+               uint16_t      e_phnum;		 44
+               uint16_t      e_shentsize;	 46
+               uint16_t      e_shnum;		 48
+               uint16_t      e_shstrndx;	 50
+           } ElfN_Ehdr;
+
+
+           typedef struct {
+               uint32_t   p_type;    0
+               Elf32_Off  p_offset;  4
+               Elf32_Addr p_vaddr;   8
+               Elf32_Addr p_paddr;   12
+               uint32_t   p_filesz;  16
+               uint32_t   p_memsz;   20
+               uint32_t   p_flags;   24
+               uint32_t   p_align;   28
+           } Elf32_Phdr;
+
+           typedef struct {
+               uint32_t   sh_name;	0	
+               uint32_t   sh_type;   	4
+               uint32_t   sh_flags;	8
+               Elf32_Addr sh_addr;	12
+               Elf32_Off  sh_offset;	16
+               uint32_t   sh_size;	20
+               uint32_t   sh_link;    	24
+               uint32_t   sh_info;	28
+               uint32_t   sh_addralign;	32
+               uint32_t   sh_entsize;	36
+           } Elf32_Shdr;
+
+           typedef struct {
+               uint32_t      st_name;    0
+               Elf32_Addr    st_value;	 4
+               uint32_t      st_size;	 8
+               unsigned char st_info;	 12
+               unsigned char st_other;	 13
+               uint16_t      st_shndx;	 14
+           } Elf32_Sym;
+

lib_research/gs.h

@@ -6,5 +6,7 @@ void* getLibc(void);
 void* gettextload(void);
 void* getCode(void);
 void* getpieload(void);
+void* getStringIndex(void);
+
 
 #endif

lib_research/gs.s

@@ -8,6 +8,28 @@
 	global getTLS
 	global getCode
 	global getpieload
+	global getStringIndex
+	
+	%define EI_NIDENT 16
+	
+getStringIndex:
+	push esi
+	push edi
+	call getLibc
+	
+	xor edx,edx
+	xor edi,edi
+	mov di, WORD [eax + 50 ];e_shstrndx man elf line 237
+	;; find section name string table
+	mov esi, DWORD [eax + 32]  	;e_shoff man elf line 192
+	mov dx, WORD[eax + 46];e_shentsize man elf 227
+	imul edi,edx
+	lea esi,[esi+edi]	;should be pointing to the string index
+	add eax,esi
+	pop edi
+	pop esi
+	ret
+	
 	
 getTLS:
 	mov eax,DWORD [gs:0]

lib_research/lib.c

@@ -1,6 +1,13 @@
 #include <stdio.h>
 #include "gs.h"
 
+
+#ifdef LIB
+extern void _start(void){
+  main();
+}
+#endif
+
 extern void print_hello(void){
   puts("hello");
   return;
@@ -13,25 +20,32 @@ extern int main(){
 }
 */
 
+void brake(void){
+  const char* b="\xcc\xc3";
+  ((void (*)(void))b)();
+  return;
+}
+
+
 extern int main(){
 
   printf("TLS : %p\n",getTLS());
   printf("libc : %p\n",getLibc());
   printf("code : %p\n",getCode());
+  printf("strings: %p\n",getStringIndex());
+
   void * pie_base=getpieload();
+  
   if(pie_base){
     printf("pie  : %p\n",getpieload());
   }
   else{
     printf("base : %p\n",gettextload());
   }
+  
+
+  brake();
+
   return 0;
 }
-/*
-extern void _start(){
-  __asm__(
-	  "int3\n"
-	  );
-  return 0;
-}
-*/
+

lib_research/loader/elf_offsets.s

@@ -0,0 +1,49 @@
+BITS 32
+	;; elf header
+%define      e_ident		 0
+%define      e_type		 16
+%define      e_machine		 18
+%define      e_version		 20
+%define      e_entry		 24
+%define      e_phoff		 28
+%define      e_shoff		 32
+%define      e_flags		 36
+%define      e_ehsize		 40
+%define      e_phentsize	 42
+%define      e_phnum		 44
+%define      e_shentsize	 46
+%define      e_shnum		 48
+%define      e_shstrndx	 	 50
+
+
+
+	;; prgm header
+%define		p_type    0
+%define  	p_offset  4
+%define 	p_vaddr   8
+%define 	p_paddr   12
+%define   	p_filesz  16
+%define   	p_memsz   20
+%define   	p_flags   24
+%define   	p_align   28
+
+	;; section header
+%define		sh_name		0	
+%define         sh_type   	4
+%define   	sh_flags	8
+%define 	sh_addr		12
+%define  	sh_offset	16
+%define   	sh_size		20
+%define   	sh_link    	24
+%define   	sh_info		28
+%define   	sh_addralign	32
+%define   	sh_entsize	36
+
+
+	;; Elf32_Sym
+%define		st_name    	0
+%define         st_value	4
+%define	 	st_size	 	8
+%define 	st_info	 	12
+%define 	st_other	13
+%define      	st_shndx	14

lib_research/loader/handler.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+ulimit -c unlimited
+socat TCP-LISTEN:12345,reuseaddr,fork EXEC:"./testShellcode"
+

lib_research/loader/loader.s

@@ -0,0 +1,42 @@
+BITS 32
+global main
+	;; http://en.wikipedia.org/wiki/Executable_and_Linkable_Format
+	;; program header shows what is used at runtime
+	%include "../../include/short32.s"
+	%include "elf_offsets.s"
+
+	
+	%define inputFD  0
+	%define READSIZE 0x10000 ;64k
+	%define PT_LOAD  1
+	
+	
+get_entry:
+	mov eax, DWORD [ebp + e_entry]	;entry point (RVA)
+	mov ecx, DWORD [ebp + e_phoff]	;RVA of prgm header table
+	add ecx, ebx			;addr of prgm header table
+	xor edx, edx			;make sure high bits of edx are 0
+	mov dx , WORD  [ebp + e_phnum]	;number of entries in prgm header table
+	xor ebx, ebx
+	mov bx , WORD  [ebp + e_phentsize] ;size of an entry in the prgm header table
+	ret
+
+	
+parse_sections:
+	
+	
+
+main:
+	sub esp, READSIZE 
+	mov eax, read
+	mov ebx, inputFD
+	mov ecx, esp
+	mov edx, READSIZE 
+	int 0x80		;read(inputFD,stack_buf,READSIZE);
+	
+	mov ebp,esp		;get_entry takes the base of the module in ebp
+	call get_entry
+	int3
+	call eax		;module's main()
+	
+	

lib_research/loader/makefile

@@ -0,0 +1,18 @@
+#Evan Jensen
+#Make template for testing shellcode
+shellcode = loader.s
+NFLAGS = elf
+CFLAGS = -m32 
+
+
+all: assemble link
+assemble:
+	nasm -f $(NFLAGS) $(shellcode) -o linkme.o
+	nasm $(shellcode) -o shellcode
+link:
+	gcc linkme.o -o testShellcode $(CFLAGS)
+
+clean:
+	rm -f linkme.o
+	rm -f testShellcode
+	rm -f shellcode

lib_research/loader/sendModule.py

@@ -0,0 +1,14 @@
+#!/usr/bin/env python
+from sys import argv
+from isis import *
+
+assert(len(argv)>=2)
+
+module_name=argv[1]
+module=file(module_name).read()
+
+s=get_socket(('localhost',12345))
+
+s.send(module)
+
+