5_linux_stack_bof.xml: wip

2026-02-23 04:08:02 +00:00 · 2021-02-22 22:53:32 +00:00
parent 4847657320
commit 9b14e3fb00
4 changed files with 23 additions and 96 deletions
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
@@ -4,11 +4,14 @@ class simple_bof::install {
  $challenge_name = $secgen_parameters['challenge_name'][0]
  $storage_dir = $secgen_parameters['storage_directory'][0]

-
-  $install_dir = '/tmp/'
-
  # Generate the C file (either in the home directory or the supplied storage_directory)
-
+  $install_dir = '/root'
+  $c_file_path = "$install_dir/simple_bof.c"
+  file { 'simple_bof.c':
+    path                    => $c_file_path,
+    content                 => template('simple_bof/exploit_me.c.erb'),
+    mode                    => '0777',
+  }

  # Compile the binary
  ## ... we will need to add compiler parameters to the install_setgid_binary and install_setuid_binary modules
@@ -29,14 +32,14 @@ class simple_bof::install {
  # SetGID binary requires: Makefile and any .c files within it's <module_name>/files directory
  # Can we dynamically generate these before we call the install_setgid_binary function?

-  ::secgen_functions::install_setgid_binary { "simple_bof_$challenge_name":
-    source_module_name => 'simple_bof',
-    challenge_name     => $challenge_name,
-    group              => $group,
-    account            => $account,
-    flag               => $flag,
-    flag_name          => 'flag',
-    storage_dir        => $storage_dir,
-  }
+  # ::secgen_functions::install_setgid_binary { "simple_bof_$challenge_name":
+  #   source_module_name => 'simple_bof',
+  #   challenge_name     => $challenge_name,
+  #   group              => $group,
+  #   account            => $account,
+  #   flag               => $flag,
+  #   flag_name          => 'flag',
+  #   storage_dir        => $storage_dir,
+  # }

 }
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
@@ -3,9 +3,7 @@

 int main(int argc, char* argv[]) {
  char buff[<%= @buffer_size %>];
-  <%- # seteuid(getuid()); -- include me for rop chains %>
  strcpy(buff, argv[1]);
  printf("input:%s\n", buff);
-  <%- #fflush(stdout); -- include me for bypassing NX stack exploits %>
  return 0;
 }
--- a/scenarios/labs/advanced_exploitation/5_linux_stack_smashing_bof.xml
+++ b/scenarios/labs/advanced_exploitation/5_linux_stack_smashing_bof.xml
@@ -1,81 +0,0 @@
-<?xml version="1.0"?>
-
-<scenario xmlns="http://www.github/cliffe/SecGen/scenario"
-		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
-
-  <name>Writing exploits: Stack-smashing Buffer Overflows on Linux</name>
-  <author>Thomas Shaw</author>
-  <description>
-    An introduction introduction into a simple buffer overflow exploit over the network. A copy of the compiled binary and the .c file can be accessed via the FTP server with anonymous login.
-	[Lab sheet here]().
-  </description>
-
-  <type>ctf-lab</type>
-  <type>lab-sheet</type>
-  <difficulty>intermediate</difficulty>
-
-  <system>
-    <system_name>metactf</system_name>
-    <base platform="linux" type="desktop" distro="Buster"/>
-
-    <utility module_path=".*/reversing_tools"/>
-
-    <utility module_path=".*/parameterised_accounts">
-      <input into="accounts" into_datastore="account">
-        <generator type="account">
-					<input into="username">
-						<generator type="random_sanitised_word">
-							<input into="wordlist">
-								<value>mythical_creatures</value>
-							</input>
-						</generator>
-					</input>
-					<input into="password">
-						<value>tiaspbiqe2r</value>
-					</input>
-					<input into="super_user">
-						<value>false</value>
-					</input>
-        </generator>
-      </input>
-    </utility>
-
-
-		<utility module_path=".*/kde_minimal">
-			<input into="autologin_user">
-				<datastore access="0" access_json="['username']">account</datastore>
-			</input>
-			<input into="accounts">
-				<datastore>account</datastore>
-			</input>
-			<input into="autostart_konsole">
-				<value>true</value>
-			</input>
-		</utility>
-		<utility module_path=".*/handy_cli_tools"/>
-		<utility module_path=".*/hash_tools"/>
-
-    <utility module_path=".*/metactf">
-      <input into="challenge_list">
-				<generator type="metactf_challenge">
-          <input into="challenge_path">
-            <value>src_csp/Ch1-2/Ch1_Ltrace</value>
-          </input>
-        </generator>
-        <generator type="metactf_challenge">
-          <input into="challenge_path">
-            <value>src_csp/Ch1-2/Ch1_Readelf</value>
-          </input>
-        </generator>
-
-      </input>
-      <input into="account">
-        <datastore>account</datastore>
-      </input>
-    </utility>
-
-    <network type="private_network" range="dhcp"/>
-  </system>
-
-</scenario>
--- a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
+++ b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
@@ -31,6 +31,13 @@
 			 - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
 		-->

+		<!-- TODO: Parameter to serve up a directory as root directory? -->
+
+		<service module_path=".*/apache"/>
+
+		<vulnerability module_path=".*/simple_bof"/>
+
+
 		<network type="private_network">
 			<input into="IP_address">
 				<datastore access="0">IP_addresses</datastore>