Begin TD6

Yorick Barbanneau 2023-03-17 17:10:01 +01:00
parent 558170c062
commit 72564e2e2d
9 changed files with 325 additions and 0 deletions


@ -0,0 +1,46 @@
CC = gcc
CFLAGS = -fstack-protector-all -g -Wall -Wextra -fno-omit-frame-pointer
SRC = $(wildcard *.c)
TGT = $(subst .c,,$(SRC))
BUILD_DIR = build
DUMP_DIR = dump
pframe:
curl -o pframe.tgz https://dept-info.labri.fr/~thibault/SecuLog/pframe.tgz && \
tar -xf pframe.tgz &&\
rm -rf pframe.tgz
.gdbinit:
configure: pframe .gdbinit
$(shell echo "python import pframe" > .gdbinit)
$(BUILD_DIR)/%_32: %.c
$(shell mkdir -p $(BUILD_DIR))
$(CC) $(CFLAGS) -m32 -no-pie -o $@ $<
$(BUILD_DIR)/%_32-pie: %.c
$(CC) $(CFLAGS) -m32 -pie -o $@ $<
$(BUILD_DIR)/%_64: %.c
$(shell mkdir -p $(BUILD_DIR))
$(CC) $(CFLAGS) -m64 -no-pie -o $@ $<
$(BUILD_DIR)/%_64-pie: %.c
$(CC) $(CFLAGS) -m64 -pie -o $@ $<
build: $(addprefix $(BUILD_DIR)/, $(addsuffix _32, $(TGT))) \
$(addprefix $(BUILD_DIR)/, $(addsuffix _32-pie, $(TGT))) \
$(addprefix $(BUILD_DIR)/, $(addsuffix _64, $(TGT))) \
$(addprefix $(BUILD_DIR)/, $(addsuffix _64-pie, $(TGT))) \
PHONY: gdb_%
gdb_%: $(addprefix $(BUILD_DIR)/, $(subst gdb_,,%))
PYTHONPATH=${PWD}/pframe${PYTHONPATH:+:${PYTHONPATH}} setarch -R gdb $< --command=$(subst gdb_,,$@).gdb
PHONY: clean
clean:
@rm -rf $(BUILD_DIR) pframe .gdbinit
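Review bot: The `pframe` recipe downloads an archive and unpacks it with no integrity check, and `configure` then makes gdb import it as Python through `.gdbinit`, so whatever the server returns runs inside the debugger session. Pin a known digest and verify it before extracting, for example `echo "<expected-sha256>  pframe.tgz" | sha256sum -c - && \` between the `curl` and `tar` lines (the digest is a placeholder), and add `-f` to `curl` so an HTTP error page is not saved as the archive. Also, `PHONY:` is written without the leading dot in both places, so it defines an ordinary target named `PHONY` instead of marking `clean` as phony; it should read `.PHONY: clean`.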


@ -0,0 +1,9 @@
#include <stdio.h>
#include <stdlib.h>
int main (void) {
int value;
fprintf(stdout, "%c %s 0x%08x %2$s %n\n", 'c', "AAAA", 9, &value);
fprintf(stdout, "value = %d\n", value);
return EXIT_SUCCESS;
}
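Review bot: The format string in the first `fprintf` mixes a numbered conversion (`%2$s`) with unnumbered ones, which POSIX leaves undefined, so the printed output and the value stored through `%n` may differ between C libraries. If that mix is what the file is meant to demonstrate, say so in a comment above the call, for example `/* demo: positional %2$s and %n; mixing numbered and unnumbered conversions is undefined per POSIX */`. Initialising `int value = 0;` would also keep the second `fprintf` from printing an indeterminate value if the `%n` store does not happen.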


@ -0,0 +1,11 @@
#include <stdlib.h>
#include <stdio.h>
int main(void) {
char buf[32];
while (1) {
fgets(buf, sizeof(buf), stdin);
printf(buf);
}
return 0;
}
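Review bot: The return value of `fgets` is ignored inside `while (1)`, so at end of input the loop never exits and keeps passing the stale (or, on the first pass, uninitialised) contents of `buf` to `printf`; `if (!fgets(buf, sizeof(buf), stdin)) break;` matches what the `foo(buf)` file in this commit already does. Separately, `printf(buf)` uses input as the format string, which looks like the intended flaw for this exercise but is not marked as such; a comment like `/* intentionally vulnerable: user-controlled format string (training target) */` would keep it from being copied or silently "fixed". The same unmarked pattern appears in `printf(string)`, `printf(buffer)` and `snprintf(output, sizeof(output), input)` in the later files of this commit.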


@ -0,0 +1,12 @@
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
bool plusone_doesnt_overflow(int x) {
return x+1 > x;
}
int main(void) {
printf("%d\n", plusone_doesnt_overflow(12));
return 0;
}
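Review bot: `x+1 > x` in `plusone_doesnt_overflow` relies on signed overflow, which is undefined behaviour in C, so an optimising compiler is allowed to fold the function to `true` for every input, including `INT_MAX`. If the file exists to show exactly that, a comment above the function should say so; a well-defined version of the check is `return x < INT_MAX;` with `<limits.h>` included. The Makefile in this commit sets no `-O` level, so the difference may only show up once optimisation is enabled.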


@ -0,0 +1,25 @@
#include <stdio.h>
#include <stdlib.h>
char passwd[] = "secret_password";
int target = 0x12333231;
void foo (char *string) {
printf (string);
if (target == 0x00025544)
printf ("you have hacked it!\n");
else if (target != 0x12333231)
printf ("you have modified the target to 0x%x!\n", target);
}
int main (void) {
volatile int var = 0xabcd;
char buf[128];
while (1) {
if (!fgets(buf, sizeof(buf), stdin))
break;
foo(buf);
}
return EXIT_SUCCESS;
}
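Review bot: `passwd` and the local `var` are never referenced by the program, and with `-Wall -Wextra` from the Makefile `var` will probably be reported as unused. If they are there on purpose as data for the exercise, a short comment on each (for example `/* exercise data: never read by the program */`) would explain the warning and stop a later cleanup from deleting them.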


@ -0,0 +1,2 @@
b printf
r


@ -0,0 +1,21 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void bar (void) {
printf ("code execution redirected! you win!\n");
_exit (EXIT_SUCCESS);
}
void foo (void) {
char buffer[512];
fgets (buffer, sizeof (buffer), stdin);
printf (buffer);
exit (EXIT_SUCCESS);
}
int main (void) {
foo ();
return EXIT_SUCCESS;
}
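Review bot: In `foo`, the result of `fgets` is not checked, so on end of input or a read error `buffer` is still uninitialised when it reaches `printf`. Guard the call with `if (!fgets (buffer, sizeof (buffer), stdin)) exit (EXIT_FAILURE);`. `bar` is never called from `main` or `foo`; if that is deliberate for the exercise, a one-line comment on `bar` saying so would help readers.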


@ -0,0 +1,83 @@
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#define LISTEN_PORT 4242
#define LENGTH 1024
int cnxfd = 0;
void fail(char *msg) {
perror(msg);
exit(EXIT_FAILURE);
}
void bindshell(void) {
/* Binding the process to the connexion */
dup2(cnxfd, STDIN_FILENO);
dup2(cnxfd, STDOUT_FILENO);
dup2(cnxfd, STDERR_FILENO);
/* Running the shell */
system("/bin/sh");
}
void server(int sockfd) {
char input[LENGTH], output[LENGTH];
while (true) {
struct sockaddr_in caddr;
socklen_t clen = sizeof(caddr);
if ((cnxfd = accept(sockfd, (struct sockaddr *) &caddr, &clen)) < 0)
fail("accept()");
/* Blanking memory */
memset(input, '\0', LENGTH);
memset(output, '\0', LENGTH);
/* Receiving and sending back the string */
send(cnxfd, "Waiting for data: ", 18, 0);
recv(cnxfd, input, LENGTH - 1, 0);
snprintf(output, sizeof(output), input);
output[sizeof(output) - 1] = '\0';
send(cnxfd, "Sending data: ", 14, 0);
send(cnxfd, output, strlen(output), 0);
/* Closing the connection */
close(cnxfd);
}
}
int main(void) {
int sockfd;
const struct sockaddr_in saddr = {
.sin_family = AF_INET,
.sin_addr.s_addr = htonl(INADDR_ANY),
.sin_port = htons(LISTEN_PORT)
};
while (true) {
if (!fork()) { /* Child process */
fprintf(stdout, "run (pid = %d)\n", getpid());
/* Socket initialization and error checking */
if ((sockfd = socket(PF_INET, SOCK_STREAM, 0)) < 0)
fail("socket()");
if (setsockopt(sockfd,
SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int)) < 0)
fail("setsockopt()");
if (bind(sockfd, (struct sockaddr *) &saddr, sizeof(saddr)) < 0)
fail("bind()");
if (listen(sockfd, LENGTH) < 0)
fail("listen()");
/* Running the server */
server(sockfd);
} else { /* Parent process (wait for child) */
wait(NULL);
close(sockfd);
}
}
return EXIT_SUCCESS;
}
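Review bot: The listener binds to `INADDR_ANY`, so this service, which passes received bytes to `snprintf` as the format string and keeps an uncalled `bindshell` helper, is reachable from every network the lab machine is attached to. For a training target, restrict it to loopback with `.sin_addr.s_addr = htonl(INADDR_LOOPBACK),` and run it only on an isolated host or VM. In `main`, the parent branch calls `close(sockfd)` although `sockfd` is only assigned in the child, so the parent closes an indeterminate descriptor on each pass; that line should be dropped. The return value of `recv` is also ignored, so a failed or empty read still goes through the `snprintf` and `send` path.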