5_linux_stack_bof.xml: wip

2026-02-21 19:28:02 +00:00 · 2021-02-23 00:27:08 +00:00
parent 5917ab9ae9
commit d804dd8bfb
3 changed files with 88 additions and 63 deletions
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
@@ -1,8 +1,8 @@
 class simple_bof::install {
  $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
  # $buffer_size = inline_template("<%= (3..8).sample ^ 2 %>")   # randomised buffer size
-  $challenge_name = $secgen_parameters['challenge_name'][0]
-  $storage_dir = $secgen_parameters['storage_directory'][0]
+  # $challenge_name = $secgen_parameters['challenge_name'][0]
+  # $storage_dir = $secgen_parameters['storage_directory'][0]

  # Generate the C file (either in the home directory or the supplied storage_directory)
  $install_dir = '/root'
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
@@ -2,7 +2,8 @@
 #include <string.h>

 int main(int argc, char* argv[]) {
-  char buff[<%= @buffer_size %>];
+  // char buff[<%#= @buffer_size %>];
+  char buff[512];
  strcpy(buff, argv[1]);
  printf("input:%s\n", buff);
  return 0;
--- a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
+++ b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
@@ -1,84 +1,108 @@
 <?xml version="1.0"?>

 <scenario xmlns="http://www.github/cliffe/SecGen/scenario"
-		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">

-	<name>Writing Exploits: Linux and Stack-smashing Buffer Overflows</name>
+  <name>Writing Exploits: Linux and Stack-smashing Buffer Overflows</name>
  <author>Thomas Shaw</author>
  <description>
-[Lab sheet here](https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/).
-	</description>
+    [Lab sheet here](https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/).
+  </description>

-	<type>ctf-lab</type>
+  <type>ctf-lab</type>
  <type>lab-sheet</type>
  <difficulty>advanced</difficulty>

-	<system>
-		<system_name>linux_server</system_name>
-		<base platform="linux" type="desktop" distro="Buster"/>
+  <system>
+    <system_name>linux_server</system_name>
+    <base platform="linux" type="desktop" distro="Buster"/>

-		<input into_datastore="IP_addresses">
-			<!-- 0 linux_server-->
-			<value>172.16.0.2</value>
-			<!-- 1 kali -->
-			<value>172.16.0.3</value>
-		</input>
+    <input into_datastore="IP_addresses">
+      <!-- 0 linux_server-->
+      <value>172.16.0.2</value>
+      <!-- 1 kali -->
+      <value>172.16.0.3</value>
+    </input>

-		<!-- This system wants:
-			 - Binary challenge (no stack protections) hosted over the network with setgid
-			 - Binary challenge (no stack protections) hosted locally with setuid
-			 - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
-		-->
+    <!-- This system wants:
+         - Binary challenge (no stack protections) hosted over the network with setgid
+         - Binary challenge (no stack protections) hosted locally with setuid
+         - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
+    -->

-		<!-- TODO: Parameter to serve up a directory as root directory? -->
+    <!-- TODO: Parameter to serve up a directory as root directory? -->

-		<service module_path=".*/apache"/>
+    <service module_path=".*/apache"/>

-		<vulnerability module_path=".*/simple_bof"/>
+    <vulnerability module_path=".*/simple_bof"/>

+    <utility module_path=".*/metactf">
+      <input into="challenge_list">
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_ScanfOverflow</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_CanaryBypass</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_StackSmash</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_HijackPLT</value>
+          </input>
+        </generator>
+      </input>
+    </utility>

-		<network type="private_network">
-			<input into="IP_address">
-				<datastore access="0">IP_addresses</datastore>
-			</input>
-		</network>
-	</system>
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>

-	<system>
-		<system_name>kali</system_name>
-		<base distro="Kali" name="MSF"/>
+  <system>
+    <system_name>kali</system_name>
+    <base distro="Kali" name="MSF"/>

-		<input into_datastore="kali_root_account">
-			<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
-		</input>
+    <input into_datastore="kali_root_account">
+      <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+    </input>

-		<!-- This system wants:
-			- Firefox to point at the web server
-		-->
+    <!-- This system wants:
+        - Firefox to point at the web server
+    -->

-		<utility module_path=".*/iceweasel">
-			<input into="accounts">
-				<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
-			</input>
-			<input into="autostart">
-				<value>true</value>
-			</input>
-			<input into="start_page">
-				<datastore access="1">IP_addresses</datastore>
-			</input>
-		</utility>
+    <utility module_path=".*/iceweasel">
+      <input into="accounts">
+        <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+      </input>
+      <input into="autostart">
+        <value>true</value>
+      </input>
+      <input into="start_page">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </utility>

-		<utility module_path=".*/metasploit_framework"/>
-		<utility module_path=".*/armitage"/>
-		<utility module_path=".*/exploitdb"/>
-		<utility module_path=".*/handy_cli_tools"/>
-		<utility module_path=".*/nmap"/>
+    <utility module_path=".*/metasploit_framework"/>
+    <utility module_path=".*/armitage"/>
+    <utility module_path=".*/exploitdb"/>
+    <utility module_path=".*/handy_cli_tools"/>
+    <utility module_path=".*/nmap"/>

-		<network type="private_network" >
-			<input into="IP_address">
-				<datastore access="1">IP_addresses</datastore>
-			</input>
-		</network>
-	</system>
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
 </scenario>