diff --git a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp index fb9fffa73..8556f892b 100644 --- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp +++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp @@ -4,11 +4,14 @@ class simple_bof::install { $challenge_name = $secgen_parameters['challenge_name'][0] $storage_dir = $secgen_parameters['storage_directory'][0] - - $install_dir = '/tmp/' - # Generate the C file (either in the home directory or the supplied storage_directory) - + $install_dir = '/root' + $c_file_path = "$install_dir/simple_bof.c" + file { 'simple_bof.c': + path => $c_file_path, + content => template('simple_bof/exploit_me.c.erb'), + mode => '0777', + } # Compile the binary ## ... we will need to add compiler parameters to the install_setgid_binary and install_setuid_binary modules @@ -29,14 +32,14 @@ class simple_bof::install { # SetGID binary requires: Makefile and any .c files within it's /files directory # Can we dynamically generate these before we call the install_setgid_binary function? - ::secgen_functions::install_setgid_binary { "simple_bof_$challenge_name": - source_module_name => 'simple_bof', - challenge_name => $challenge_name, - group => $group, - account => $account, - flag => $flag, - flag_name => 'flag', - storage_dir => $storage_dir, - } + # ::secgen_functions::install_setgid_binary { "simple_bof_$challenge_name": + # source_module_name => 'simple_bof', + # challenge_name => $challenge_name, + # group => $group, + # account => $account, + # flag => $flag, + # flag_name => 'flag', + # storage_dir => $storage_dir, + # } } diff --git a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb index a8ac7eeb4..0adb38e75 100644 --- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb 
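Review bot: `mode => '0777'` on the new `file { 'simple_bof.c': }` resource makes the generated C source world-writable and executable, and no `owner` or `group` is set. If this source is later compiled into the setgid challenge binary, as the "Compile the binary" comment below suggests, whoever can write the file before the build decides what runs with the challenge group's privileges. The permissions on `/root` may hide this today, but the mode stays with the resource if `$install_dir` moves back to a shared location such as the old `/tmp/`. I would declare `owner => 'root',`, `group => 'root',` and `mode => '0644',` instead. The class body continues outside this hunk.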
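Review bot: The `::secgen_functions::install_setgid_binary` declaration is commented out rather than removed or replaced, so as far as the visible lines show the class now only writes the C source and no longer builds the binary or installs the flag. Nothing in the dead block says whether this is temporary. A short marker above it would record the reason, for example `# TODO: re-enable once install_setgid_binary accepts compiler parameters`, if that is indeed why it was disabled. The `$group`, `$account` and `$flag` values the block referenced are presumably assigned in the lines between the two hunks (not shown here) and would now be unused, which is worth checking.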
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb @@ -3,9 +3,7 @@ int main(int argc, char* argv[]) { char buff[<%= @buffer_size %>]; - <%- # seteuid(getuid()); -- include me for rop chains %> strcpy(buff, argv[1]); printf("input:%s\n", buff); - <%- #fflush(stdout); -- include me for bypassing NX stack exploits %> return 0; } \ No newline at end of file diff --git a/scenarios/labs/advanced_exploitation/5_linux_stack_smashing_bof.xml b/scenarios/labs/advanced_exploitation/5_linux_stack_smashing_bof.xml deleted file mode 100644 index ccf70ad00..000000000 --- a/scenarios/labs/advanced_exploitation/5_linux_stack_smashing_bof.xml +++ /dev/null @@ -1,81 +0,0 @@ - - - - - Writing exploits: Stack-smashing Buffer Overflows on Linux - Thomas Shaw - - An introduction introduction into a simple buffer overflow exploit over the network. A copy of the compiled binary and the .c file can be accessed via the FTP server with anonymous login. - [Lab sheet here](). - - - ctf-lab - lab-sheet - intermediate - - - metactf - - - - - - - - - - - mythical_creatures - - - - - tiaspbiqe2r - - - false - - - - - - - - - account - - - account - - - true - - - - - - - - - - src_csp/Ch1-2/Ch1_Ltrace - - - - - src_csp/Ch1-2/Ch1_Readelf - - - - - - account - - - - - - - diff --git a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml index 17bdaa502..14ec80009 100644 --- a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml +++ b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml @@ -31,6 +31,13 @@ - Web server containing a copy of the setgid binary and .c file, serving up at http://:80 --> + + + + + + + IP_addresses