├── .gitignore ├── README.md ├── drafts ├── README.md ├── switch └── switch.c ├── reverse ├── r1 ├── r2 ├── r3 ├── r4 ├── r5 ├── r6 ├── r7 ├── r8 └── r9 └── sploit ├── README.md ├── h1 ├── h1.c ├── s1 ├── s1.c ├── s2 ├── s2.c ├── s3 ├── s3.c ├── s4 ├── s4.c ├── s5 ├── s5.c ├── s6 ├── s6.c ├── s7 ├── s7.c ├── s8 ├── s8.c ├── s9 └── s9.c /.gitignore: -------------------------------------------------------------------------------- 1 | reverse/*.c 2 | reverse/*.h 3 | */solve* -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # exrs 2 | Exercises for learning Reverse Engineering and Exploitation. 3 | 4 | All binaries for these challenges are ELF 64-bit LSB executable, x86-64. 5 | 6 | ## reverse engineering 7 | 8 | The goal is to run the challenges like this `./rX password` and have them 9 | print out `password OK`. It's reverse engineering, not cracking. So don't 10 | patch the binaries if you want to play by the rules. It gets really boring 11 | if you don't anyway. 12 | 13 | ## sploit 14 | 15 | All the sploit exercises are designed to be solvable with NX+ASLR 16 | without being dependent on which libc is used. The idea is you should 17 | only interact with stdin / stdout as if it was a remote service; 18 | argv & env are not needed for exploitation. 19 | 20 | The goal is of course to spawn a shell on each one. All of them are tested. 21 | 22 | 23 | Of course you can still do whatever you like, have fun! 24 | -------------------------------------------------------------------------------- /drafts/README.md: -------------------------------------------------------------------------------- 1 | Challenges in this folder are work in progress, they might not be solvable, they 2 | might still be too easy, they might have too many solutions, etc... They will be 3 | moved to a category and given a final name once they are done. 
Feel free to try 4 | them and give feedback. 5 | -------------------------------------------------------------------------------- /drafts/switch: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/drafts/switch -------------------------------------------------------------------------------- /drafts/switch.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | 6 | #define DEBUG 0 7 | /* ** Draft exercise. Reads records from argv[1] (stdin when no argument is given): ** an unsigned int count `num` followed by `num` pointer-sized entries, until a zero ** count or a short header read. Every entry array is kept in storage[]; when that ** table fills up, and again before returning, everything in it is freed. ** Returns 0. open(), malloc() and entry-read failures exit through err(). */ 8 | int main(int argc, char **argv) 9 | { 10 | int fd; 11 | void *storage[1024]; 12 | unsigned int stored = 0; 13 | 14 | (void) argc, (void) argv; 15 | 16 | if (argc != 2) 17 | fd = 0; 18 | else if ((fd = open(argv[1], O_RDONLY)) < 0) 19 | err(EXIT_FAILURE, "open"); 20 | 21 | while (1) 22 | { 23 | void **entries; 24 | unsigned int num; 25 | unsigned int space; 26 | 27 | if (read(fd, &num, sizeof num) != sizeof num || num == 0) 28 | break; 29 | space = num * sizeof *entries; /* NOTE(review): `space` is unsigned int while `todo` below is a size_t computed from the same `num`; for large counts the product is truncated here but not there, so malloc(space) can be smaller than the number of bytes the loop below writes into it (heap overflow). The width mismatch looks like the draft's intended bug. */ 30 | 31 | if (DEBUG && num != 1) 32 | fprintf(stderr, "%#.8x entries will require %#x memory.\n", num, space); 33 | 34 | if (!(entries = malloc(space))) 35 | err(EXIT_FAILURE, "malloc"); 36 | 37 | /* 38 | ** Overflow doesn't occur when reading the data. 
39 | ** This is because the original code looks like 40 | ** this: 41 | 42 | unsigned int i; 43 | 44 | for (i = 0; i < num; ++i) 45 | if (read(fd, &entries[i], sizeof *entries) < 0) 46 | err(EXIT_FAILURE, "read entry"); 47 | 48 | ** but it has been optimized to be faster when 49 | ** trying to write a proof of concept exploit: 50 | */ 51 | 52 | char *dest = (char *) entries; 53 | size_t todo = (size_t) num * sizeof *entries; 54 | 55 | if (DEBUG && num != 1) 56 | fprintf(stderr, "writing %#zx bytes from %p to %p\n", todo, dest, dest+todo); 57 | /* Fill all `todo` bytes in as many read() calls as it takes: a short read is retried, EOF or an error is fatal. */ 58 | while (todo > 0) 59 | { 60 | ssize_t done; 61 | 62 | if ((done = read(fd, dest, todo)) <= 0) 63 | err(EXIT_FAILURE, "read entry %p + %zx, (%d)", dest, todo, fd); 64 | dest += done; 65 | todo -= done; 66 | } 67 | 68 | 69 | /* 70 | ** Back to the original code: 71 | */ 72 | 73 | storage[stored++] = entries; 74 | /* The bound is checked after the store, so storage[] is never indexed out of range; a full table is released and refilled from index 0. */ 75 | if (stored >= sizeof storage / sizeof *storage) 76 | { 77 | 78 | fprintf(stderr, "NO MORE SPACE - FREE\n"); 79 | while (stored) 80 | free(storage[--stored]); 81 | 82 | } 83 | } 84 | 85 | fprintf(stderr, "All done. 
%d entries left - FREE\n", stored); 86 | 87 | while (stored) 88 | free(storage[--stored]); 89 | 90 | return 0; 91 | } 92 | -------------------------------------------------------------------------------- /reverse/r1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r1 -------------------------------------------------------------------------------- /reverse/r2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r2 -------------------------------------------------------------------------------- /reverse/r3: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r3 -------------------------------------------------------------------------------- /reverse/r4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r4 -------------------------------------------------------------------------------- /reverse/r5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r5 -------------------------------------------------------------------------------- /reverse/r6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r6 -------------------------------------------------------------------------------- /reverse/r7: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r7 -------------------------------------------------------------------------------- /reverse/r8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r8 -------------------------------------------------------------------------------- /reverse/r9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/reverse/r9 -------------------------------------------------------------------------------- /sploit/README.md: -------------------------------------------------------------------------------- 1 | # sploit 2 | 3 | All the sploit exercises are designed to be solvable with NX+ASLR 4 | without being dependent on which libc is used. The idea is you should 5 | only interact with stdin / stdout as if it was a remote service; 6 | argv & env are not needed for exploitation. 7 | 8 | 9 | Of course you can still do whatever you like, have fun! 
10 | 11 | It's build using: 12 | 13 | ``` bash 14 | for x in *.c; do gcc $x -o new_$x -no-pie -fno-stack-protector; done; 15 | rename.ul -- .c '' new*.c 16 | ``` 17 | -------------------------------------------------------------------------------- /sploit/h1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/h1 -------------------------------------------------------------------------------- /sploit/h1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Heap exercise. Collects three accepted messages from stdin, each run through system() with an "echo you: " prefix, then re-runs one of them chosen with random(). A message is accepted only if every byte is in [:0-9a-z ]; rejected input does not count towards the three. Returns 0; malloc() and read() failures exit through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char *cmds[3]; 9 | int i; 10 | 11 | (void) argc, (void) argv; 12 | 13 | i = 0; 14 | while (i < sizeof cmds / sizeof *cmds) 15 | { 16 | char *msg; 17 | int len; 18 | 19 | if (!(msg = malloc(4096))) 20 | err(EXIT_FAILURE, "malloc"); 21 | /* "echo you: " is exactly 10 bytes; the input lands right after it. */ 22 | strcpy(msg, "echo you: "); 23 | if ((len = read(0, msg + 10, 4096 - 10)) <= 0) 24 | err(EXIT_FAILURE, "read"); 25 | /* Drops the last byte read (the newline, when the input ends with one) and terminates the string. */ 26 | msg[10+len-1] = 0; 27 | /* Allowlist check before anything reaches system(). NOTE(review): the `continue` path never frees msg, so rejected input leaks 4096 bytes each time. */ 28 | if (strspn(msg, ":0123456789abcdefghijklmnopqrstuvwxyz ") != 10+len-1) 29 | { 30 | printf("I'm playing this safe. Only [:0-9a-z ].\n"); 31 | continue; 32 | } 33 | 34 | system(msg); 35 | cmds[i++] = msg; /* NOTE(review): cmds[] keeps the pointer that the next line frees, so the system(cmds[i]) after the loop reads freed heap memory (use-after-free). That dangling entry is the bug this exercise is built around. */ 36 | free(msg); 37 | } 38 | 39 | srandom(time(NULL)); 40 | i = random() % (sizeof cmds / sizeof *cmds); 41 | printf("Lets do the %dth one again! 
That one was funny.\n", i); 42 | system(cmds[i]); 43 | 44 | return 0; 45 | } 46 | -------------------------------------------------------------------------------- /sploit/s1: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s1 -------------------------------------------------------------------------------- /sploit/s1.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | /* Not called from anywhere in this file. */ 5 | int b(void) 6 | { 7 | system("sh"); 8 | return 0; 9 | } 10 | /* Prompts for a password and reads it into a 32-byte stack buffer with a read() bound of 4096: a stack buffer overflow, and the binary is built with -fno-stack-protector (see the build line above). The input is never looked at. Returns 0; a failed read exits through err(). */ 11 | int a(void) 12 | { 13 | char buffer[32]; 14 | 15 | printf("What is your password?\n"); 16 | 17 | if (read(0, buffer, 4096) <= 0) 18 | err(EXIT_FAILURE, "read"); 19 | 20 | return 0; 21 | } 22 | /* Prints the banner and returns whatever a() returns. */ 23 | int main(int argc, char **argv) 24 | { 25 | (void) argc, (void) argv; 26 | 27 | printf("If you're cool you'll get a shell.\n"); 28 | 29 | return a(); 30 | } 31 | -------------------------------------------------------------------------------- /sploit/s2: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s2 -------------------------------------------------------------------------------- /sploit/s2.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Reads a password into a 32-byte stack buffer with a read() bound of 4096 (stack buffer overflow, no stack protector per the build line above) and runs sh when it matches the plaintext password embedded in the binary. Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[32]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("What is your password?\n"); 13 | 14 | if (read(0, buffer, 4096) <= 0) 15 | err(EXIT_FAILURE, "read"); 16 | 17 | printf("If you're cool you'll get a shell.\n"); 18 | /* read() does not NUL-terminate buffer, so strcmp may scan past the 32 bytes even on short input. */ 19 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 20 | system("sh"); 21 | 22 | return 0; 23 | } 24 | -------------------------------------------------------------------------------- /sploit/s3: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s3 -------------------------------------------------------------------------------- /sploit/s3.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Global name buffer: the read into it is bounded and NUL-terminated, so this part is sound. */ 6 | char name[4096]; 7 | /* Asks for a name (bounded read, echoed back), then for a password read into a 32-byte stack buffer with a read() bound of 4096: stack buffer overflow, no stack protector per the README build flags. A matching password only runs whoami, not a shell. Returns 0; a failed read exits through err(). */ 8 | int main(int argc, char **argv) 9 | { 10 | char buffer[32]; 11 | ssize_t nbb; 12 | 13 | (void) argc, (void) argv; 14 | 15 | printf("What is your name?\n"); 16 | if ((nbb = read(0, name, sizeof name - 1)) <= 0) 17 | err(EXIT_FAILURE, "read"); 18 | name[nbb] = 0; 19 | 20 | printf("Welcome %s\n", name); 21 | printf("What is your password?\n"); 22 | /* 32-byte buffer, 4096-byte bound; buffer is also never NUL-terminated before strcmp. */ 23 | if (read(0, buffer, 4096) <= 0) 24 | err(EXIT_FAILURE, "read"); 25 | 26 | printf("If you're cool you'll get a shell.\n"); 27 | 28 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 29 | system("whoami # not sh :)"); 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /sploit/s4: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s4 -------------------------------------------------------------------------------- /sploit/s4.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Global name buffer: the read into it is bounded and NUL-terminated. */ 6 | char name[4096]; 7 | /* Same flow as s3.c but the password read() bound is 64 for a 32-byte stack buffer: at most 32 bytes past the end. A matching password only runs whoami. Returns 0; a failed read exits through err(). */ 8 | int main(int argc, char **argv) 9 | { 10 | char buffer[32]; 11 | ssize_t nbb; 12 | 13 | (void) argc, (void) argv; 14 | 15 | printf("What is your name?\n"); 16 | if ((nbb = read(0, name, sizeof name - 1)) <= 0) 17 | err(EXIT_FAILURE, "read"); 18 | name[nbb] = 0; 19 | 20 | printf("Welcome %s\n", name); 21 | printf("What is your password?\n"); 22 | /* 32-byte buffer, 64-byte bound; never NUL-terminated before strcmp. */ 23 | if (read(0, buffer, 64) <= 0) 24 | err(EXIT_FAILURE, "read"); 
25 | 26 | printf("If you're cool you'll get a shell.\n"); 27 | 28 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 29 | system("whoami # not sh :)"); 30 | 31 | return 0; 32 | } 33 | -------------------------------------------------------------------------------- /sploit/s5: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s5 -------------------------------------------------------------------------------- /sploit/s5.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Reads a password into a 32-byte stack buffer with a read() bound of 4096 (stack buffer overflow, no stack protector per the README build flags); no name prompt or global buffer this time. A matching password only runs whoami. Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[32]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("Welcome Stranger\n"); 13 | printf("What is your password?\n"); 14 | /* 32-byte buffer, 4096-byte bound; never NUL-terminated before strcmp. */ 15 | if (read(0, buffer, 4096) <= 0) 16 | err(EXIT_FAILURE, "read"); 17 | 18 | printf("If you're cool you'll get a shell.\n"); 19 | 20 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 21 | system("whoami # not sh :)"); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /sploit/s6: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s6 -------------------------------------------------------------------------------- /sploit/s6.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Same as s5.c with a read() bound of 48 for the 32-byte stack buffer: at most 16 bytes past the end. A matching password only runs whoami. Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[32]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("Welcome Stranger\n"); 13 | printf("What is your password?\n"); 14 | /* 32-byte buffer, 48-byte bound; never NUL-terminated before strcmp. */ 15 | if (read(0, buffer, 48) <= 0) 16 | err(EXIT_FAILURE, "read"); 17 | 18 | printf("If you're cool you'll get a shell.\n"); 19 | 20 | if 
(strcmp("pretend_you_dont_know_this", buffer) == 0) 21 | system("whoami # not sh :)"); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /sploit/s7: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s7 -------------------------------------------------------------------------------- /sploit/s7.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Same read as s5.c (32-byte stack buffer, 4096-byte bound), but this file never calls system(): a matching password only prints "neo". Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[32]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("Welcome Stranger\n"); 13 | printf("What is your password?\n"); 14 | /* 32-byte buffer, 4096-byte bound; never NUL-terminated before strcmp. */ 15 | if (read(0, buffer, 4096) <= 0) 16 | err(EXIT_FAILURE, "read"); 17 | 18 | printf("If you're cool you'll get a shell.\n"); 19 | 20 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 21 | printf("neo\n"); 22 | 23 | return 0; 24 | } 25 | -------------------------------------------------------------------------------- /sploit/s8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s8 -------------------------------------------------------------------------------- /sploit/s8.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Same as s7.c with a read() bound of 48 for the 32-byte stack buffer (at most 16 bytes past the end); no system() call in this file, a matching password only prints "neo". Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[32]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("Welcome Stranger\n"); 13 | printf("What is your password?\n"); 14 | /* 32-byte buffer, 48-byte bound; never NUL-terminated before strcmp. */ 15 | if (read(0, buffer, 48) <= 0) 16 | err(EXIT_FAILURE, "read"); 17 | 18 | printf("If you're cool you'll get a shell.\n"); 19 | 20 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 21 | printf("neo\n"); 22 | 23 | return 0; 24 | } 25 | 
-------------------------------------------------------------------------------- /sploit/s9: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/wapiflapi/exrs/9358500d507fc3eb060e4852dfc8bdfb63d555bd/sploit/s9 -------------------------------------------------------------------------------- /sploit/s9.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | /* Tightest variant of the series: a 16-byte stack buffer with a read() bound of 32 (at most 16 bytes past the end; no stack protector per the README build flags) and no system() call anywhere in this file, so a matching password only prints "neo". Returns 0; a failed read exits through err(). */ 6 | int main(int argc, char **argv) 7 | { 8 | char buffer[16]; 9 | 10 | (void) argc, (void) argv; 11 | 12 | printf("Welcome Stranger\n"); 13 | printf("What is your password?\n"); 14 | /* 16-byte buffer, 32-byte bound; never NUL-terminated before strcmp. */ 15 | if (read(0, buffer, 32) <= 0) 16 | err(EXIT_FAILURE, "read"); 17 | 18 | printf("If you're cool you'll get a shell.\n"); 19 | 20 | if (strcmp("pretend_you_dont_know_this", buffer) == 0) 21 | printf("neo\n"); 22 | 23 | return 0; 24 | } 25 | --------------------------------------------------------------------------------