diff --git a/lib/batch/batch_secgen.rb b/lib/batch/batch_secgen.rb
index 91b03be43..9b13314a0 100644
--- a/lib/batch/batch_secgen.rb
+++ b/lib/batch/batch_secgen.rb
@@ -244,6 +244,7 @@ def start(options)
     log.close
     # Back up project flags, scenario, and log file
+    FileUtils.mkdir_p("#{backup_path}#{project_id}") unless Dir.exist?("#{backup_path}#{project_id}")
     FileUtils.cp(log_path, ("#{backup_path}#{project_id}/" + log_name))
     FileUtils.cp("#{project_path}/#{FLAGS_FILENAME}", "#{backup_path}#{project_id}/")
     FileUtils.cp("#{project_path}/scenario.xml", "#{backup_path}#{project_id}/")
 
diff --git a/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/build.zsh b/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/build.zsh
deleted file mode 100644
index 67dd032e7..000000000
--- a/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/build.zsh
+++ /dev/null
@@ -1,17 +0,0 @@
-#!/bin/zsh
-
-SALT=`date +%N`
-if [[ ARGC -gt 0 ]] then
-    BINNAME=`basename $PWD`
-    foreach USER ($@)
-        mkdir -p obj/$USER
-        HASH=`echo $USER $SALT $BINNAME | sha256sum | awk '{print $1}' | cut -c 1-2 | tr \[a-f\] \[A-F\]`
-        AA=`echo "ibase=16;$HASH+20" | bc`
-        BB=`echo $USER $SALT $BINNAME | openssl dgst -sha512 -binary | base64 | head -1 | tr -d /=+ | cut -c 1-3 | xxd -p | sed s/0a$/5a/`
-        cat program.c.template | sed s/AAAAAA/$AA/ >! program.c
-        gcc -m32 -fno-pie -no-pie -Wformat=0 -Wl,--section-start=.bss=0x$BB -o obj/$USER/$BINNAME program.c
-    end
-    rm program.c
-else
-    echo "USAGE: build.zsh "
-fi
diff --git a/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/program.c.template b/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/program.c.template
deleted file mode 100644
index 7d7eac5c0..000000000
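Review bot: The `unless Dir.exist?(...)` guard on the added `FileUtils.mkdir_p` line is redundant, because `mkdir_p` already succeeds when the directory exists, and it repeats the interpolated path a second time; `FileUtils.mkdir_p("#{backup_path}#{project_id}")` on its own is enough and removes the check-then-create window. The path is built by plain concatenation of `backup_path` and `project_id`, as the three `cp` lines below it already do, so it relies on `backup_path` carrying a trailing separator, which `File.join(backup_path, project_id.to_s)` would not. Since this directory receives the `FLAGS_FILENAME` copy, consider `FileUtils.mkdir_p("#{backup_path}#{project_id}", mode: 0o700)` if the flags file is sensitive on a shared host. `start`'s body continues outside the hunk on both sides.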
--- a/modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/program.c.template
+++ /dev/null
@@ -1,130 +0,0 @@
-#include
-#include
-#include
-#include
-#include
-#define USERDEF AAAAAA
-
-// Global variable to hijack
-int key;
-// = 0;
-
-// Introduction message
-char msg[] =
-"Previously, we placed the address to write to onto the stack so that it\n"
-"was easy to discover and target with %n. Unfortunately, this will not\n"
-"always be present. However, because the input string being used in the\n"
-"printf call is usually stored on the stack, it is possible to inject the\n"
-"address we want to write into as part of our input and then use a targeted\n"
-"%n to write into the injected address. To do so, you will first locate\n"
-"where the input string characters are located on the stack relative to\n"
-"the vulnerable printf call by injecting a well-known string and then using\n"
-"a series of %x format specifiers to determine its offset on the stack from\n"
-"the printf call. To do so, use an input string similar to:\n"
-" \"ABCD-%x-%x-%x-%x-%x....\"\n"
-"Look at the resultant output to see where the hexadecimal representation\n"
-"of ABCD appears (e.g. 44434241 for little-endian machines). Once we find\n"
-"our input on the stack, note its parameter number since this is the\n"
-"number we will then target with a subsequent %n. After noting this number\n"
-"we can then replace the \"ABCD\" part of the input with an actual address.\n"
-"At this point, we need to find what address to write to and the value\n"
-"we need to write. For this level, you are asked to overwrite a variable\n"
-"called key with a specific number. To determine the address of key and\n"
-"the value to write into it, examine the disassembly of the program.\n"
-"Locate the comparison that determines whether or not the level has been\n"
-"completed. The value of key is moved from a specific memory location\n"
-"to a register before being checked against a specific value. Note that\n"
-"we have made the address of this memory location representable as an ASCII\n"
-"string to make things easier for you to input as a string. By using this\n"
-"in place of ABCD, you will then be able to follow it with an appropriately\n"
-"calculated %x%$n to solve the level.\n\n";
-
-// Print introduction message
-/* Symbolic execution trap */
-void print_msg() {
-    unsigned int i,h1,h2;
-    unsigned int len=strlen(msg);
-    for (i = 0; i < 100*len; i++) {
-        h1 += msg[i%len] + msg[(i+1)%len];
-        h2 += msg[(i+1)%len] + msg[(i+2)%len];
-    }
-    if (h1 == h2)
-        printf("%s",msg);
-    else
-        printf("%s",msg);
-}
-
-// Vulnerable format string function
-int format_string(char input[]) {
-
-    char string[128];
-    // Putting input on the stack
-    strcpy(string, input);
-
-    printf("You input: ");
-    printf(input);
-    printf("\n");
-
-}
-
-void printflag()
-{
-    int fd;
-    int len;
-    unsigned char data[128];
-
-    fd = open("flag", O_RDONLY);
-
-    if ( fd <= 0 ) {
-        printf("Failed to open flag.\n");
-        return;
-    }
-
-    len = lseek( fd, 0, SEEK_END);
-    lseek(fd, 0, SEEK_SET);
-
-    if ( len > 128 ) {
-        len = 128;
-    }
-
-    memset(data, 0, 128);
-    read( fd, data, len);
-    close(fd);
-
-    printf("%s\n", data);
-    return;
-}
-
-int main() {
-    char input[128];
-    int i;
-
-    // Initializing input
-    for(i = 0; i < 128; i++) {
-        input[i] = 0;
-    }
-
-    // Print introduction message
-    print_msg();
-
-    // Get user input
-    printf("The key should equal to %d.\n", USERDEF);
-    printf("Enter the password: ");
-    //fgets(input, 51, stdin);
-    scanf("%50s",input);
-
-    // Calling vulnerable function
-    format_string(input);
-
-    printf("The key is equal to %d.\n", key);
-
-    // Check if key has been hijacked
-    if(key == USERDEF){
-        printf("Good Job.\n");
-        printflag();
-    } else {
-        printf("Try again.\n");
-    }
-
-    return 0;
-}
diff --git a/scenarios/labs/software_security_exploitation/5_linux_bof_format.xml b/scenarios/labs/software_security_exploitation/5_linux_bof_format.xml new file mode 100644 index 000000000..cddf010b9 --- /dev/null +++ b/scenarios/labs/software_security_exploitation/5_linux_bof_format.xml @@ -0,0 +1,99 @@ + + + + + Linux Buffer Overflows and Advanced Format String Attacks + Thomas Shaw + + [Lab sheet here](https://docs.google.com/document/d/1Ap-h6YSDtfU4bLwiKhxP5x2nf1vjSJ2V2zEL5wzW84U/edit?usp=sharing). + + + ctf-lab + lab-sheet + advanced + + + metactf_desktop + + + + + + 172.16.0.2 + + 172.16.0.3 + + + + + + + + + + + + + + + mythical_creatures + + + + + tiaspbiqe2r + + + false + + + + + + + + account + + + account + + + true + + + + + + + account + + + + + src_sse/Ch3.7-3.9/Ch3_07_ScanfOverflow + + + + + src_sse/Ch3.7-3.9/Ch3_07_StackSmash + + + + + src_sse/Ch3-ExtraFormatStr/Ch3_Format5_nTargetWrite + + + + + + + + IP_addresses + + + + + + diff --git a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml b/scenarios/labs/software_security_exploitation/6_linux_stack_bof.xml similarity index 85% rename from scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml rename to scenarios/labs/software_security_exploitation/6_linux_stack_bof.xml index 217d359fc..7f8a87620 100644 --- a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml +++ b/scenarios/labs/software_security_exploitation/6_linux_stack_bof.xml @@ -126,6 +126,11 @@ src_sse/Ch3-ExtraFormatStr/Ch3_Format5_nTargetWrite + + + src_sse/SSE/Ch_simple_BOF_1 + + @@ -136,23 +141,26 @@ - - - kali - + + kali + - - - + + {"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]} + - - - IP_addresses - - - + + + + + + + + + IP_addresses + + +
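Review bot: The new scenario references `src_sse/Ch3-ExtraFormatStr/Ch3_Format5_nTargetWrite` while this same commit deletes the copy under `modules/utilities/unix/ctf/metactf/files/repository/src_sse/SSE/Ch3_Format5_nTargetWrite/`; presumably the `Ch3-ExtraFormatStr` copy is the surviving one, but the diff does not show it, so it is worth confirming that path exists before the scenario is run, since the same reference also appears as context in the renamed `6_linux_stack_bof.xml`. The element markup of this file has been lost in this view, so the surrounding structure cannot be checked here. The literal `tiaspbiqe2r` looks like a fixed credential baked into the scenario; if it is, a short comment such as `<!-- fixed lab password, intentionally weak -->` next to it would tell the next reader it is deliberate.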