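###############################################################################
# Shellcode test harness.  Every [0-9]*.s file is a shellcode sample and every
# *.c / *.cc file is a small test program that receives a sample (via argv,
# the environment or stdin — see the *-%.log rules further down).  `make demo`
# builds everything, runs each program against each sample and prints a
# yes/no table of which runs ended up in a shell.
#
# Recipes are bash scripts executed as ONE shell per recipe (.ONESHELL); the
# multi-line `demo` recipe and the coproc/COPROC[1] pairs in the log rules
# depend on that.
SHELL := bash
.ONESHELL:
###############################################################################
# Inputs found in the working directory (expanded once, at parse time).
ASM := $(wildcard *.s)
SRC := $(wildcard *.c *.cc)
# Shellcode samples, in name order.
SC := $(sort $(wildcard [0-9]*.s))
# The directory name selects the word size through -m$(BIT) below, so it is
# presumably "32" or "64" — inferred from the flags, not checked here.
# Simple assignment so `pwd` is not re-run on every reference.
BIT := $(notdir $(shell pwd))
# Everything that links into an executable: samples and test programs.
EXE := $(basename $(ASM) $(SRC))
# Test programs that take part in the demo (test* sources are excluded).
IN := $(filter-out test%,$(basename $(SRC)))
# Cross product <program>-<sample>.s, one word per test run.  Built with
# foreach instead of shell brace expansion so it is also right when IN or SC
# has exactly one entry (bash leaves "{x}" unexpanded) or is empty.
TMP := $(foreach p,$(IN),$(foreach s,$(SC),$(p)-$(s)))
# Derived outputs: objdump listings, raw .text bytes of each sample, the
# yes/no result of each run, and each sample as a \xNN string.
ATT := $(EXE:=.att)
BIN := $(SC:.s=.bin)
LOG := $(TMP:.s=.log)
TXT := $(SC:.s=.txt)
###############################################################################
# Build flags.  The test binaries deliberately lack the usual mitigations so
# injected code can execute: no stack protector and an executable stack.
# -nostartfiles is for the samples, which presumably define their own _start.
# The `static` / `s2` targets below add -static / -no-pie on request.  Kept
# recursive (=) so those target-specific += assignments and CXXFLAGS follow.
ASFLAGS = -g -m$(BIT) -nostartfiles
CFLAGS = -fno-stack-protector -g -m$(BIT) -Os -Wall
CXXFLAGS = $(CFLAGS)
LDFLAGS = -Wl,--no-warn-execstack -z execstack
###############################################################################
all: demo

att: $(ATT)

# Point the system shell at bash.  This edits /usr/bin/sh system-wide (sudo).
bash:
	-sudo ln -sf bash /usr/bin/sh

bin: $(BIN)

# Besides removing build products, clean also relinks /usr/bin/sh to bash and
# sets ptrace_scope=2 (both via sudo) — see its prerequisites.
clean: bash coreoff yamaon
	-rm -fv $(ATT) $(BIN) $(EXE) $(LOG) $(TXT) core.* *~

# NOTE(review): ulimit only affects this recipe's own shell; it does not
# carry over to the recipes of other targets that list coreoff/coreon as a
# prerequisite — confirm that is the intended effect.
coreoff:
	-ulimit -c 0

coreon:
	-ulimit -c unlimited

exe: $(EXE)

# Print the result table.  Columns: "<BIT>bits" (sample name), size (bytes of
# the .bin), push (lines of the objdump listing matching "push"), 0x00 (1 if
# the \xNN string contains \x00, else 0 — the .txt is a single line, so
# grep -c yields 0 or 1), then one yes/no column per test program in $(IN).
demo: att txt log
	@(( n = (4 + $(words $(IN))) * 7 ))
	printf "%$${n}s\n" | tr ' ' '-'
	for ((i=0; i < 4 + $(words $(IN)); ++i )); do
	format+="%7s"
	done
	format+='\n'
	printf "$$format" "$(BIT)bits" size push 0x00 $(IN)
	printf "%$${n}s\n" | tr ' ' '-'
	for s in $(basename $(SC)); do
	printf '%7s%7s%7s%7s' "$$s.s" "$$(stat --printf='%s' $$s.bin)" "$$(grep -c push $$s.att | cut -d ':' -f 2)" "$$(grep -c '\\x00' $$s.txt | cut -d ':' -f 2)"
	for v in $(IN); do
	printf '%7s' "$$(cat $$v-$$s.log)"
	done
	printf '\n'
	done

log: $(LOG)

# Make every built executable setuid root: they then run as root for any
# local user of this host.  `user` reverts this.
root: $(EXE)
	-sudo chown root:root $^
	-sudo chmod +s $^

# List the setuid-root binaries in the system bin directories (no sudo;
# permission errors are ignored).
setuid:
	-find /{,usr/}{,s}bin -user root -perm -4000

txt: $(TXT)

# Give the executables back to the invoking user and drop the setuid bit.
user: $(EXE)
	-sudo chown -f $$USER:$$USER $^
	-sudo chmod -f -s $^

# Yama ptrace_scope: 2 = only CAP_SYS_PTRACE processes may attach (used by
# clean); 0 = classic ptrace permissions (for debugging the test runs).
yamaon:
	-sudo sysctl kernel.yama.ptrace_scope=2

yamaoff:
	-sudo sysctl kernel.yama.ptrace_scope=0

# Point the system shell at zsh.  The recipe now stops before touching
# /usr/bin/sh when zsh is not installed; the original "$(echo ...; exit 1)"
# form only exited a subshell and went on to create a dangling symlink.
zsh:
	-hash zsh || { echo 'necesito zsh...' >&2; exit 1; }
	-sudo ln -sf zsh /usr/bin/sh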
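###############################################################################
# Result files <program>-<sample>.log, one per word of $(LOG).  Each rule
# writes "no" to $@, starts the test program as a bash coprocess with the
# sample delivered the way that program expects, then sends the command
# `echo yes > ./$@` to the coprocess's stdin.  Only a shell spawned by the
# sample will execute that command and overwrite the file with "yes".
# The /bin/sh prerequisite re-runs a test when the system shell changes; the
# bash/zsh targets relink /usr/bin/sh, which is the same file only on
# merged-/usr systems — confirm for the host in use.
#
# NOTE(review): no recipe waits for its coprocess before the recipe shell
# exits, so `demo` can read a log before "yes" has been written; the sleep in
# cin-%.log looks like a partial workaround — confirm and consider closing
# COPROC[1] and waiting on the coprocess instead.
# NOTE(review): bash command substitution "$(cat …)" cannot carry NUL bytes,
# so a sample containing 0x00 does not arrive intact via argv or the
# environment; that is what the 0x00 column of `demo` reports.

# Sample in argv[1].
arg-%.log: arg %.bin /bin/sh
	@echo no > $@
	coproc ./$< "$$(cat $*.bin)" &> /dev/null
	echo 'echo yes > ./$@' >&$${COPROC[1]}

# Sample on stdin, then a newline, then whatever is written to the coprocess.
cin-%.log: cin %.bin /bin/sh
	@echo no > $@
	coproc { (cat $*.bin; echo; cat) | ./$< &> /dev/null; }
	sleep 0.1
	echo 'echo yes > ./$@' >&$${COPROC[1]}

# Sample in the environment variable "shellcode" (env, find, regex, strstr).
env-%.log: env %.bin /bin/sh
	@echo no > $@
	coproc shellcode="$$(cat $*.bin)" ./$< &> /dev/null
	echo 'echo yes > ./$@' >&$${COPROC[1]}

find-%.log: find %.bin /bin/sh
	@echo no > $@
	coproc shellcode="$$(cat $*.bin)" ./$< &> /dev/null
	echo 'echo yes > ./$@' >&$${COPROC[1]}

regex-%.log: regex %.bin /bin/sh
	@echo no > $@
	coproc shellcode="$$(cat $*.bin)" ./$< &> /dev/null
	echo 'echo yes > ./$@' >&$${COPROC[1]}

# Same delivery as cin-%.log but without the sleep — intentional? (unclear)
stdin-%.log: stdin %.bin /bin/sh
	@echo no > $@
	coproc { (cat $*.bin; echo; cat) | ./$< &> /dev/null; }
	echo 'echo yes > ./$@' >&$${COPROC[1]}

strstr-%.log: strstr %.bin /bin/sh
	@echo no > $@
	coproc shellcode="$$(cat $*.bin)" ./$< &> /dev/null
	echo 'echo yes > ./$@' >&$${COPROC[1]}

# Target-specific flag additions.  These lines define no recipe; how the
# targets are meant to be combined with the build goals is not visible here.
static: CFLAGS+=-static
s2: ASFLAGS+=-no-pie

# Disassembly of any executable.
%.att: %
	objdump -Cd $< > $@

# Raw bytes of the .text section: the sample as injected.
%.bin: %
	objcopy --dump-section .text=$@ $<

# The same bytes as one \xNN-per-byte string, on a single line.
%.txt: %.bin
	hexdump -e '"\\""x" 1/1 "%02x" ""' -v $< > $@
###############################################################################
# coreoff, coreon and setuid are commands too, so a file of that name in the
# directory must not silence them.
.PHONY: all att bash bin clean coreoff coreon exe demo log root setuid txt user yamaoff yamaon zsh
# Keep the derived files between runs (they are also what `clean` removes).
.PRECIOUS: $(ATT) $(BIN) $(LOG) $(TXT)
###############################################################################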