Merge pull request #3 from aa9863/Week2Lab2

Week2 lab2
aa9863 · Jan 24, 2023 · dd1ee0711bbffebed4d94055540d695fe1fa5fe0 · dd1ee07
2 parents aa8adbd + 02f1130
commit dd1ee0711bbffebed4d94055540d695fe1fa5fe0
Show file tree

Hide file tree

Showing 14 changed files with 290 additions and 2 deletions.
diff --git a/.gitignore b/.gitignore
@@ -1 +1,2 @@
-*~
+*~
+solve
diff --git a/BaseImages/Server/server.c b/BaseImages/Server/server.c
@@ -25,7 +25,6 @@ int processConnection(int fd, int argc, char* argv[]) {
       printf("Running with ALSR turned off\n");
       fflush(stdout);
       int out = personalilty(ADDR_NO_RANDOMIZE);
-      //printf("Result %d\n", out);
       fflush(stdout);
     }
 

diff --git a/Week2_Lab2/32Bit_ALSR/Dockerfile b/Week2_Lab2/32Bit_ALSR/Dockerfile
@@ -0,0 +1,14 @@
+FROM 6048_builder as ClientBuilder
+
+ADD ./ret2winOne.c /opt/target.c
+
+WORKDIR /opt
+RUN gcc -m32 /opt/target.c -o /opt/target
+
+
+FROM 6048_server
+COPY --from=ClientBuilder /opt/target /home/cueh/target
+
+CMD ["/tmp/runscript.sh", "/home/cueh/target"]
+
+
diff --git a/Week2_Lab2/32Bit_ALSR/docker-compose.yaml b/Week2_Lab2/32Bit_ALSR/docker-compose.yaml
@@ -0,0 +1,11 @@
+version: "3.7"
+
+services:
+  server:
+    build:
+      context: .
+    ports:
+      - "1337:1337"
+      - "22:22"
+    privileged: true
+
diff --git a/Week2_Lab2/32Bit_ALSR/ret2winOne.c b/Week2_Lab2/32Bit_ALSR/ret2winOne.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int INPUT=300; //Give enough to overflow
+int BUFFER=150;
+
+void win(void){
+    /*Win Condition
+      We Want to jump here
+    */
+    printf("\n ===== Win ===== \n\n");
+    system("/bin/sh");  //Tradition to get a shell
+}
+
+void lose(void){
+    /* Lose Condition */
+    printf("Lose :(\n");
+}
+
+int main(int argc, char* argv[]){
+    /* Main Function*/
+    char buffer[BUFFER];
+    char readBuffer[INPUT];
+
+    setvbuf(stdout, NULL, _IONBF, 0);
+    //Pointer to the lose function
+    void (*fp)(void) = lose;
+
+    printf("--- Overflow the Buffer ---\n");
+    printf("Current Memory Address is %p\n",lose);
+    printf("Aim for %p\n", win);    
+
+    printf("What is your input >");
+    //fflush(stdout);
+    fgets(readBuffer, INPUT, stdin);
+    //Strip newline
+    readBuffer[strcspn(readBuffer, "\n")] = 0;
+    printf("You entered >%s<\n", readBuffer);
+
+    memcpy(buffer, readBuffer, strlen(readBuffer));
+    printf("Off to %p\n",fp);
+    fp();
+
+    return 0;
+}
diff --git a/Week2_Lab2/32Bit_NoALSR/Dockerfile b/Week2_Lab2/32Bit_NoALSR/Dockerfile
@@ -0,0 +1,14 @@
+FROM 6048_builder as ClientBuilder
+
+ADD ./ret2winOne.c /opt/target.c
+
+WORKDIR /opt
+RUN gcc -m32 /opt/target.c -o /opt/target
+
+
+FROM 6048_server
+COPY --from=ClientBuilder /opt/target /home/cueh/target
+
+CMD ["/tmp/runscript.sh", "/home/cueh/target"]
+
+
diff --git a/Week2_Lab2/32Bit_NoALSR/docker-compose.yaml b/Week2_Lab2/32Bit_NoALSR/docker-compose.yaml
@@ -0,0 +1,14 @@
+version: "3.7"
+
+services:
+  server:
+    build:
+      context: .
+    ports:
+      - "1337:1337"
+      - "22:22"
+    #cap_add:
+    #  - CAP_SYS_ADMIN
+    privileged: true
+    environment:
+      - RUN_ALSR
diff --git a/Week2_Lab2/32Bit_NoALSR/ret2winOne.c b/Week2_Lab2/32Bit_NoALSR/ret2winOne.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int INPUT=300; //Give enough to overflow
+int BUFFER=150;
+
+void win(void){
+    /*Win Condition
+      We Want to jump here
+    */
+    printf("\n ===== Win ===== \n\n");
+    system("/bin/sh");  //Tradition to get a shell
+}
+
+void lose(void){
+    /* Lose Condition */
+    printf("Lose :(\n");
+}
+
+int main(int argc, char* argv[]){
+    /* Main Function*/
+    char buffer[BUFFER];
+    char readBuffer[INPUT];
+
+    setvbuf(stdout, NULL, _IONBF, 0);
+    //Pointer to the lose function
+    void (*fp)(void) = lose;
+
+    printf("--- Overflow the Buffer ---\n");
+    printf("Current Memory Address is %p\n",lose);
+    printf("Aim for %p\n", win);    
+
+    printf("What is your input >");
+    //fflush(stdout);
+    fgets(readBuffer, INPUT, stdin);
+    //Strip newline
+    readBuffer[strcspn(readBuffer, "\n")] = 0;
+    printf("You entered >%s<\n", readBuffer);
+
+    memcpy(buffer, readBuffer, strlen(readBuffer));
+    printf("Off to %p\n",fp);
+    fp();
+
+    return 0;
+}
diff --git a/Week2_Lab2/64Bit_NoALSR/Dockerfile b/Week2_Lab2/64Bit_NoALSR/Dockerfile
@@ -0,0 +1,14 @@
+FROM 6048_builder as ClientBuilder
+
+ADD ./ret2winOne.c /opt/target.c
+
+WORKDIR /opt
+RUN gcc /opt/target.c -o /opt/target
+
+
+FROM 6048_server
+COPY --from=ClientBuilder /opt/target /home/cueh/target
+
+CMD ["/tmp/runscript.sh", "/home/cueh/target"]
+
+
diff --git a/Week2_Lab2/64Bit_NoALSR/docker-compose.yaml b/Week2_Lab2/64Bit_NoALSR/docker-compose.yaml
@@ -0,0 +1,12 @@
+version: "3.7"
+
+services:
+  server:
+    build:
+      context: .
+    ports:
+      - "1337:1337"
+      - "22:22"
+    privileged: true
+    environment:
+      - RUN_ALSR
diff --git a/Week2_Lab2/64Bit_NoALSR/ret2winOne.c b/Week2_Lab2/64Bit_NoALSR/ret2winOne.c
@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int INPUT=300; //Give enough to overflow
+int BUFFER=150;
+
+void win(void){
+    /*Win Condition
+      We Want to jump here
+    */
+    printf("\n ===== Win ===== \n\n");
+    system("/bin/sh");  //Tradition to get a shell
+}
+
+void lose(void){
+    /* Lose Condition */
+    printf("Lose :(\n");
+}
+
+void copyData(char* readBuffer){
+
+  char buffer[BUFFER];
+
+  strcpy(buffer, readBuffer);
+}
+
+int main(int argc, char* argv[]){
+
+    //Pointer to the lose function
+    void (*fp)(void) = lose;
+
+    /* Main Function*/
+    //char buffer[BUFFER];
+
+    char readBuffer[INPUT];
+
+    setvbuf(stdout, NULL, _IONBF, 0);
+
+    printf("--- Overflow the Buffer ---\n");
+    printf("Current Memory Address is %p\n",lose);
+    printf("Aim for %p\n", win);    
+
+    printf("What is your input >");
+    scanf("%s", readBuffer);
+    printf("You entered >%s<\n", readBuffer);
+    copyData(readBuffer);
+
+    printf("Off to %p\n",fp);
+    //fp();
+    lose();
+
+    return 0;
+}
diff --git a/Week2_Lab2/Pwntools/Makefile b/Week2_Lab2/Pwntools/Makefile
@@ -0,0 +1,13 @@
+# Build the first overflow target
+
+CC = gcc
+CFLAGS = -m32 -g -z execstack -fno-stack-protector -static
+
+
+ret2win: ret2winOne.c
+
+	$(CC) $(CFLAGS) ret2winOne.c -o ret2win
+
+
+all: ret2win
+
diff --git a/Week2_Lab2/Pwntools/ret2win-static b/Week2_Lab2/Pwntools/ret2win-static
diff --git a/Week2_Lab2/Pwntools/ret2winOne.c b/Week2_Lab2/Pwntools/ret2winOne.c
@@ -0,0 +1,47 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+int INPUT=300; //Give enough to overflow
+int BUFFER=150;
+
+void win(void){
+    /*Win Condition
+      We Want to jump here
+    */
+    printf("\n ===== Win ===== \n\n");
+    system("/bin/sh");  //Tradition to get a shell
+}
+
+void lose(void){
+    /* Lose Condition */
+    printf("Lose :(\n");
+}
+
+int main(int argc, char* argv[]){
+    /* Main Function*/
+    char buffer[BUFFER];
+    char readBuffer[INPUT];
+
+    setvbuf(stdout, NULL, _IONBF, 0);
+    //Pointer to the lose function
+    void (*fp)(void) = lose;
+
+    printf("--- Overflow the Buffer ---\n");
+    printf("Current Memory Address is %p\n",lose);
+    printf("Aim for %p\n", win);    
+
+    printf("What is your input >");
+    //fflush(stdout);
+    fgets(readBuffer, INPUT, stdin);
+    //Strip newline
+    readBuffer[strcspn(readBuffer, "\n")] = 0;
+    printf("You entered >%s<\n", readBuffer);
+
+    memcpy(buffer, readBuffer, strlen(readBuffer));
+    printf("Off to %p\n",fp);
+    fp();
+
+    return 0;
+}