Merge branch 'master' of https://github.com/cliffe/SecGen

lib/batch/batch_secgen.rb

@@ -244,6 +244,7 @@ def start(options)
         log.close
 
         # Back up project flags, scenario, and log file
+        FileUtils.mkdir_p("#{backup_path}#{project_id}") unless Dir.exist?("#{backup_path}#{project_id}")
         FileUtils.cp(log_path, ("#{backup_path}#{project_id}/" + log_name))
         FileUtils.cp("#{project_path}/#{FLAGS_FILENAME}", "#{backup_path}#{project_id}/")
         FileUtils.cp("#{project_path}/scenario.xml", "#{backup_path}#{project_id}/")

modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/build.zsh

@@ -1,17 +0,0 @@
-#!/bin/zsh
-
-SALT=`date +%N`
-if [[ ARGC -gt 0 ]] then
-	BINNAME=`basename $PWD`
-	foreach USER ($@)
-		mkdir -p obj/$USER
-		HASH=`echo $USER $SALT $BINNAME | sha256sum | awk '{print $1}' | cut -c 1-2 | tr \[a-f\] \[A-F\]`
-		AA=`echo "ibase=16;$HASH+20" | bc`
-		BB=`echo $USER $SALT $BINNAME | openssl dgst -sha512 -binary | base64 | head -1 | tr -d /=+ | cut -c 1-3 | xxd -p | sed s/0a$/5a/`
-		cat program.c.template | sed s/AAAAAA/$AA/ >! program.c
-		gcc -m32 -fno-pie -no-pie -Wformat=0 -Wl,--section-start=.bss=0x$BB -o obj/$USER/$BINNAME program.c
-	end
-	rm program.c
-else
-	echo "USAGE: build.zsh <user_email(s)>"
-fi

modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/program.c.template

@@ -1,130 +0,0 @@
-#include <stdio.h>
-#include <fcntl.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#define USERDEF AAAAAA
-
-// Global variable to hijack
-int key;
-// = 0;
-
-// Introduction message
-char msg[] =
-"Previously, we placed the address to write to onto the stack so that it\n"
-"was easy to discover and target with %n.  Unfortunately, this will not\n"
-"always be present.  However, because the input string being used in the\n"
-"printf call is usually stored on the stack, it is possible to inject the\n"
-"address we want to write into as part of our input and then use a targeted\n"
-"%n to write into the injected address. To do so, you will first locate\n"
-"where the input string characters are located on the stack relative to\n"
-"the vulnerable printf call by injecting a well-known string and then using\n"
-"a series of %x format specifiers to determine its offset on the stack from\n"
-"the printf call.  To do so, use an input string similar to:\n"
-"   \"ABCD-%x-%x-%x-%x-%x....\"\n"
-"Look at the resultant output to see where the hexadecimal representation\n"
-"of ABCD appears (e.g. 44434241 for little-endian machines).  Once we find\n"
-"our input on the stack, note its parameter number since this is the\n"
-"number we will then target with a subsequent %n.  After noting this number\n"
-"we can then replace the \"ABCD\" part of the input with an actual address.\n"
-"At this point, we need to find what address to write to and the value\n"
-"we need to write.  For this level, you are asked to overwrite a variable\n"
-"called key with a specific number.  To determine the address of key and\n"
-"the value to write into it, examine the disassembly of the program.\n"
-"Locate the comparison that determines whether or not the level has been\n"
-"completed.  The value of key is moved from a specific memory location\n"
-"to a register before being checked against a specific value.  Note that\n"
-"we have made the address of this memory location representable as an ASCII\n"
-"string to make things easier for you to input as a string.  By using this\n"
-"in place of ABCD, you will then be able to follow it with an appropriately\n"
-"calculated %<num1>x%<num2>$n to solve the level.\n\n";
-
-// Print introduction message
-/* Symbolic execution trap */
-void print_msg() {
-  unsigned int i,h1,h2;
-  unsigned int len=strlen(msg);
-  for (i = 0; i < 100*len; i++) {
-    h1 += msg[i%len] + msg[(i+1)%len];
-    h2 += msg[(i+1)%len] + msg[(i+2)%len];
-  }
-  if (h1 == h2)
-    printf("%s",msg);
-  else
-    printf("%s",msg);
-}
-
-// Vulnerable format string function
-int format_string(char input[]) {
-
-	char string[128];
-	// Putting input on the stack
-	strcpy(string, input);
-
-	printf("You input: ");
-	printf(input);
-	printf("\n");
-
-}
-
-void printflag()
-{
-	int fd;
-	int len;
-	unsigned char data[128];
-
-	fd = open("flag", O_RDONLY);
-
-	if ( fd <= 0 ) {
-		printf("Failed to open flag.\n");
-		return;
-	}
-
-	len = lseek( fd, 0, SEEK_END);
-	lseek(fd, 0, SEEK_SET);
-
-	if ( len > 128 ) {
-		len = 128;
-	}
-
-	memset(data, 0, 128);
-	read( fd, data, len);
-	close(fd);
-
-	printf("%s\n", data);
-	return;
-}
-
-int main() {
-	char input[128];
-	int i;
-
-	// Initializing input
-	for(i = 0; i < 128; i++) {
-		input[i] = 0;
-	}
-
-	// Print introduction message
-	print_msg();
-
-	// Get user input
-	printf("The key should equal to %d.\n", USERDEF);
-	printf("Enter the password: ");
-	//fgets(input, 51, stdin);
-	scanf("%50s",input);
-
-	// Calling vulnerable function
-	format_string(input);
-
-	printf("The key is equal to %d.\n", key);
-
-	// Check if key has been hijacked
-	if(key == USERDEF){
-    	printf("Good Job.\n");
-		printflag();
-	} else {
-		printf("Try again.\n");
-	}
-
-	return 0;
-}

scenarios/labs/software_security_exploitation/5_linux_bof_format.xml

@@ -0,0 +1,99 @@
+<?xml version="1.0"?>
+
+<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+
+  <name>Linux Buffer Overflows and Advanced Format String Attacks</name>
+  <author>Thomas Shaw</author>
+  <description>
+    [Lab sheet here](https://docs.google.com/document/d/1Ap-h6YSDtfU4bLwiKhxP5x2nf1vjSJ2V2zEL5wzW84U/edit?usp=sharing).
+  </description>
+
+  <type>ctf-lab</type>
+  <type>lab-sheet</type>
+  <difficulty>advanced</difficulty>
+
+  <system>
+    <system_name>metactf_desktop</system_name>
+    <base platform="linux" type="desktop" distro="Buster"/>
+
+    <input into_datastore="IP_addresses">
+
+      <!-- 0 metactf_desktop -->
+      <value>172.16.0.2</value>
+      <!-- 1 kali -->
+      <value>172.16.0.3</value>
+
+      <!-- 0 linux_server -->
+      <!--      <value>172.16.0.4</value>-->
+    </input>
+
+    <utility module_path=".*/reversing_tools"/>
+    <utility module_path=".*/ghidra"/>
+
+    <utility module_path=".*/parameterised_accounts">
+      <input into="accounts" into_datastore="account">
+        <generator type="account">
+          <input into="username">
+            <generator type="random_sanitised_word">
+              <input into="wordlist">
+                <value>mythical_creatures</value>
+              </input>
+            </generator>
+          </input>
+          <input into="password">
+            <value>tiaspbiqe2r</value>
+          </input>
+          <input into="super_user">
+            <value>false</value>
+          </input>
+        </generator>
+      </input>
+    </utility>
+
+    <utility module_path=".*/kde_minimal">
+      <input into="autologin_user">
+        <datastore access="0" access_json="['username']">account</datastore>
+      </input>
+      <input into="accounts">
+        <datastore>account</datastore>
+      </input>
+      <input into="autostart_konsole">
+        <value>true</value>
+      </input>
+    </utility>
+    <utility module_path=".*/handy_cli_tools"/>
+    <utility module_path=".*/hash_tools"/>
+    <utility module_path=".*/metactf">
+      <input into="account">
+        <datastore>account</datastore>
+      </input>
+      <input into="challenge_list">
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_sse/Ch3.7-3.9/Ch3_07_ScanfOverflow</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_sse/Ch3.7-3.9/Ch3_07_StackSmash</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_sse/Ch3-ExtraFormatStr/Ch3_Format5_nTargetWrite</value>
+          </input>
+        </generator>
+      </input>
+    </utility>
+
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
+
+
+</scenario>

scenarios/labs/software_security_exploitation/6_linux_stack_bof.xml

@@ -126,6 +126,11 @@
             <value>src_sse/Ch3-ExtraFormatStr/Ch3_Format5_nTargetWrite</value>
           </input>
         </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_sse/SSE/Ch_simple_BOF_1</value>
+          </input>
+        </generator>
       </input>
     </utility>
 
@@ -136,23 +141,26 @@
     </network>
   </system>
 
-  <system>
-    <!-- This system wants:
-    - Firefox to point at the web server   [TODO status: not building]
-    -->
 
-    <system_name>kali</system_name>
-    <base distro="Kali" name="MSF"/>
+	<system>
+		<system_name>kali</system_name>
+		<base distro="Kali" name="MSF"/>
 
-    <utility module_path=".*/metasploit_framework"/>
-    <utility module_path=".*/handy_cli_tools"/>
-    <utility module_path=".*/nmap"/>
+		<input into_datastore="kali_root_account">
+			<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+		</input>
 
-    <network type="private_network">
-      <input into="IP_address">
-        <datastore access="1">IP_addresses</datastore>
-      </input>
-    </network>
-  </system>
+		<utility module_path=".*/metasploit_framework"/>
+		<utility module_path=".*/armitage"/>
+		<utility module_path=".*/exploitdb"/>
+		<utility module_path=".*/handy_cli_tools"/>
+		<utility module_path=".*/nmap"/>
+
+		<network type="private_network" >
+			<input into="IP_address">
+				<datastore access="1">IP_addresses</datastore>
+			</input>
+		</network>
+	</system>
 
 </scenario>