From d804dd8bfba1bc86d356bf3c3de42bdea6d0eade Mon Sep 17 00:00:00 2001
From: thomashaw <thomashaw@gmail.com>
Date: Tue, 23 Feb 2021 00:27:08 +0000
Subject: [PATCH] 5_linux_stack_bof.xml: wip

---
 .../ctf/pwn/simple_bof/manifests/install.pp   |   4 +-
 .../pwn/simple_bof/templates/exploit_me.c.erb |   3 +-
 .../5_linux_stack_bof.xml                     | 144 ++++++++++--------
 3 files changed, 88 insertions(+), 63 deletions(-)

diff --git a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
index b0cb74787..27a58fec0 100644
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/manifests/install.pp
@@ -1,8 +1,8 @@
 class simple_bof::install {
   $secgen_parameters = secgen_functions::get_parameters($::base64_inputs_file)
   # $buffer_size = inline_template("<%= (3..8).sample ^ 2 %>")   # randomised buffer size
-  $challenge_name = $secgen_parameters['challenge_name'][0]
-  $storage_dir = $secgen_parameters['storage_directory'][0]
+  # $challenge_name = $secgen_parameters['challenge_name'][0]
+  # $storage_dir = $secgen_parameters['storage_directory'][0]
 
   # Generate the C file (either in the home directory or the supplied storage_directory)
   $install_dir = '/root'
diff --git a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
index 0adb38e75..e5946108e 100644
--- a/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
+++ b/modules/vulnerabilities/unix/ctf/pwn/simple_bof/templates/exploit_me.c.erb
@@ -2,7 +2,8 @@
 #include <string.h>
 
 int main(int argc, char* argv[]) {
-  char buff[<%= @buffer_size %>];
+  // char buff[<%#= @buffer_size %>];
+  char buff[512];
   strcpy(buff, argv[1]);
   printf("input:%s\n", buff);
   return 0;
diff --git a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
index 14ec80009..b6dbdae38 100644
--- a/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
+++ b/scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml
@@ -1,84 +1,108 @@
 <?xml version="1.0"?>
 
 <scenario xmlns="http://www.github/cliffe/SecGen/scenario"
-		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-		xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
+          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+          xsi:schemaLocation="http://www.github/cliffe/SecGen/scenario">
 
-	<name>Writing Exploits: Linux and Stack-smashing Buffer Overflows</name>
+  <name>Writing Exploits: Linux and Stack-smashing Buffer Overflows</name>
   <author>Thomas Shaw</author>
   <description>
-[Lab sheet here](https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/).
-	</description>
+    [Lab sheet here](https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/).
+  </description>
 
-	<type>ctf-lab</type>
+  <type>ctf-lab</type>
   <type>lab-sheet</type>
   <difficulty>advanced</difficulty>
 
-	<system>
-		<system_name>linux_server</system_name>
-		<base platform="linux" type="desktop" distro="Buster"/>
+  <system>
+    <system_name>linux_server</system_name>
+    <base platform="linux" type="desktop" distro="Buster"/>
 
-		<input into_datastore="IP_addresses">
-			<!-- 0 linux_server-->
-			<value>172.16.0.2</value>
-			<!-- 1 kali -->
-			<value>172.16.0.3</value>
-		</input>
+    <input into_datastore="IP_addresses">
+      <!-- 0 linux_server-->
+      <value>172.16.0.2</value>
+      <!-- 1 kali -->
+      <value>172.16.0.3</value>
+    </input>
 
-		<!-- This system wants:
-			 - Binary challenge (no stack protections) hosted over the network with setgid
-			 - Binary challenge (no stack protections) hosted locally with setuid
-			 - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
-		-->
+    <!-- This system wants:
+         - Binary challenge (no stack protections) hosted over the network with setgid
+         - Binary challenge (no stack protections) hosted locally with setuid
+         - Web server containing a copy of the setgid binary and .c file, serving up at http://<ip_address>:80
+    -->
 
-		<!-- TODO: Parameter to serve up a directory as root directory? -->
+    <!-- TODO: Parameter to serve up a directory as root directory? -->
 
-		<service module_path=".*/apache"/>
+    <service module_path=".*/apache"/>
 
-		<vulnerability module_path=".*/simple_bof"/>
+    <vulnerability module_path=".*/simple_bof"/>
 
+    <utility module_path=".*/metactf">
+      <input into="challenge_list">
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_ScanfOverflow</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_CanaryBypass</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_StackSmash</value>
+          </input>
+        </generator>
+        <generator type="metactf_challenge">
+          <input into="challenge_path">
+            <value>src_csp/Ch3.7-3.9/Ch3_07_HijackPLT</value>
+          </input>
+        </generator>
+      </input>
+    </utility>
 
-		<network type="private_network">
-			<input into="IP_address">
-				<datastore access="0">IP_addresses</datastore>
-			</input>
-		</network>
-	</system>
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="0">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
 
-	<system>
-		<system_name>kali</system_name>
-		<base distro="Kali" name="MSF"/>
+  <system>
+    <system_name>kali</system_name>
+    <base distro="Kali" name="MSF"/>
 
-		<input into_datastore="kali_root_account">
-			<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
-		</input>
+    <input into_datastore="kali_root_account">
+      <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+    </input>
 
-		<!-- This system wants:
-			- Firefox to point at the web server
-		-->
+    <!-- This system wants:
+        - Firefox to point at the web server
+    -->
 
-		<utility module_path=".*/iceweasel">
-			<input into="accounts">
-				<value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
-			</input>
-			<input into="autostart">
-				<value>true</value>
-			</input>
-			<input into="start_page">
-				<datastore access="1">IP_addresses</datastore>
-			</input>
-		</utility>
+    <utility module_path=".*/iceweasel">
+      <input into="accounts">
+        <value>{"username":"root","password":"toor","super_user":"","strings_to_leak":[],"leaked_filenames":[]}</value>
+      </input>
+      <input into="autostart">
+        <value>true</value>
+      </input>
+      <input into="start_page">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </utility>
 
-		<utility module_path=".*/metasploit_framework"/>
-		<utility module_path=".*/armitage"/>
-		<utility module_path=".*/exploitdb"/>
-		<utility module_path=".*/handy_cli_tools"/>
-		<utility module_path=".*/nmap"/>
+    <utility module_path=".*/metasploit_framework"/>
+    <utility module_path=".*/armitage"/>
+    <utility module_path=".*/exploitdb"/>
+    <utility module_path=".*/handy_cli_tools"/>
+    <utility module_path=".*/nmap"/>
 
-		<network type="private_network" >
-			<input into="IP_address">
-				<datastore access="1">IP_addresses</datastore>
-			</input>
-		</network>
-	</system>
+    <network type="private_network">
+      <input into="IP_address">
+        <datastore access="1">IP_addresses</datastore>
+      </input>
+    </network>
+  </system>
 </scenario>