Skip to content

Commit

Permalink
O M F G
Browse files Browse the repository at this point in the history
  • Loading branch information
@zardus
zardus committed Nov 18, 2024
1 parent 7d18793 commit fd3633d
Show file tree
Hide file tree
Showing 18 changed files with 1,626 additions and 1 deletion.
1 change: 0 additions & 1 deletion binary-exploitation/first-overflow/DESCRIPTION.md
View file

This file was deleted.

9 changes: 9 additions & 0 deletions binary-exploitation/first-overflow/DESCRIPTION.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
This challenge is identical to its "easy" version from a security perspective, but has the following changes:

1. Unlike the easy version, it does not give you helpful debug output.
You will have to recover this information using a debugger.
2. **For all other "hard" versions**, the source code will not be provided, and you will need to reverse-engineer the binary using your knowledge of the "easy" version as a reference.
However, for this one challenge, to get you familiar with the differences between the easy and hard versions, we will provide the source code.
2. Some randomization is different.
Buffers might have different lengths, offsets might vary, etc.
You will need to reverse engineer this information from the binary!
101 changes: 101 additions & 0 deletions binary-exploitation/first-overflow/_0/binary-exploitation-first-overflow.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
#define _GNU_SOURCE 1

#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <assert.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/signal.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/sendfile.h>
#include <sys/prctl.h>
#include <sys/personality.h>
#include <arpa/inet.h>

void bin_padding()
{
asm volatile (".rept 621; nop; .endr");
}

void win()
{
static char flag[256];
static int flag_fd;
static int flag_length;

puts("You win! Here is your flag:");
flag_fd = open("/flag", 0);
if (flag_fd < 0)
{
printf("\n ERROR: Failed to open the flag -- %s!\n", strerror(errno));
if (geteuid() != 0)
{
printf(" Your effective user id is not 0!\n");
printf(" You must directly run the suid binary in order to have the correct permissions!\n");
}
exit(-1);
}
flag_length = read(flag_fd, flag, sizeof(flag));
if (flag_length <= 0)
{
printf("\n ERROR: Failed to read the flag -- %s!\n", strerror(errno));
exit(-1);
}
write(1, flag, flag_length);
printf("\n\n");
}

int challenge(int argc, char **argv, char **envp)
{
struct
{
char input[23];
int win_variable;
} data = {0} ;
char *input = &data.input;
int *win_variable = &data.win_variable;

unsigned long size = 0;

size = 4096;

printf("Send your payload (up to %lu bytes)!\n", size);
int received = read(0, input, (unsigned long) size);

if (received < 0)
{
printf("ERROR: Failed to read input -- %s!\n", strerror(errno));
exit(1);
}

if (*win_variable)
{
win();
}

puts("Goodbye!");

return 0;
}

int main(int argc, char **argv, char **envp)
{
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);

char crash_resistance[0x1000];

challenge(argc, argv, envp);

}
101 changes: 101 additions & 0 deletions binary-exploitation/first-overflow/_1/binary-exploitation-first-overflow.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
#define _GNU_SOURCE 1

#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <assert.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/signal.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/sendfile.h>
#include <sys/prctl.h>
#include <sys/personality.h>
#include <arpa/inet.h>

void bin_padding()
{
asm volatile (".rept 3417; nop; .endr");
}

void win()
{
static char flag[256];
static int flag_fd;
static int flag_length;

puts("You win! Here is your flag:");
flag_fd = open("/flag", 0);
if (flag_fd < 0)
{
printf("\n ERROR: Failed to open the flag -- %s!\n", strerror(errno));
if (geteuid() != 0)
{
printf(" Your effective user id is not 0!\n");
printf(" You must directly run the suid binary in order to have the correct permissions!\n");
}
exit(-1);
}
flag_length = read(flag_fd, flag, sizeof(flag));
if (flag_length <= 0)
{
printf("\n ERROR: Failed to read the flag -- %s!\n", strerror(errno));
exit(-1);
}
write(1, flag, flag_length);
printf("\n\n");
}

int challenge(int argc, char **argv, char **envp)
{
struct
{
char input[79];
int win_variable;
} data = {0} ;
char *input = &data.input;
int *win_variable = &data.win_variable;

unsigned long size = 0;

size = 4096;

printf("Send your payload (up to %lu bytes)!\n", size);
int received = read(0, input, (unsigned long) size);

if (received < 0)
{
printf("ERROR: Failed to read input -- %s!\n", strerror(errno));
exit(1);
}

if (*win_variable)
{
win();
}

puts("Goodbye!");

return 0;
}

int main(int argc, char **argv, char **envp)
{
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);

char crash_resistance[0x1000];

challenge(argc, argv, envp);

}
101 changes: 101 additions & 0 deletions binary-exploitation/first-overflow/_10/binary-exploitation-first-overflow.c
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
#define _GNU_SOURCE 1

#include <stdlib.h>
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <time.h>
#include <errno.h>
#include <assert.h>
#include <libgen.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/signal.h>
#include <sys/mman.h>
#include <sys/ioctl.h>
#include <sys/sendfile.h>
#include <sys/prctl.h>
#include <sys/personality.h>
#include <arpa/inet.h>

void bin_padding()
{
asm volatile (".rept 3664; nop; .endr");
}

void win()
{
static char flag[256];
static int flag_fd;
static int flag_length;

puts("You win! Here is your flag:");
flag_fd = open("/flag", 0);
if (flag_fd < 0)
{
printf("\n ERROR: Failed to open the flag -- %s!\n", strerror(errno));
if (geteuid() != 0)
{
printf(" Your effective user id is not 0!\n");
printf(" You must directly run the suid binary in order to have the correct permissions!\n");
}
exit(-1);
}
flag_length = read(flag_fd, flag, sizeof(flag));
if (flag_length <= 0)
{
printf("\n ERROR: Failed to read the flag -- %s!\n", strerror(errno));
exit(-1);
}
write(1, flag, flag_length);
printf("\n\n");
}

int challenge(int argc, char **argv, char **envp)
{
struct
{
char input[52];
int win_variable;
} data = {0} ;
char *input = &data.input;
int *win_variable = &data.win_variable;

unsigned long size = 0;

size = 4096;

printf("Send your payload (up to %lu bytes)!\n", size);
int received = read(0, input, (unsigned long) size);

if (received < 0)
{
printf("ERROR: Failed to read input -- %s!\n", strerror(errno));
exit(1);
}

if (*win_variable)
{
win();
}

puts("Goodbye!");

return 0;
}

int main(int argc, char **argv, char **envp)
{
setvbuf(stdin, NULL, _IONBF, 0);
setvbuf(stdout, NULL, _IONBF, 0);

char crash_resistance[0x1000];

challenge(argc, argv, envp);

}
Loading

0 comments on commit fd3633d

Please sign in to comment.