finds coredump

nkcyber · Nov 11, 2024 · 0b2858e · 0b2858e
1 parent 94116c5
commit 0b2858e
Show file tree

Hide file tree

Showing 5 changed files with 107 additions and 84 deletions.
diff --git a/Makefile b/Makefile
@@ -1,10 +1,5 @@
-CC=gcc
-CFLAGS=-m32 -fno-stack-protector -z execstack
-SOURCE=example.c
-OUTPUT=example
-
 all: 
-	$(CC) $(SOURCE) $(CFLAGS) -o $(OUTPUT)
+	gcc example.c -m32 -o example -fno-stack-protector
 
 clean:
 	rm -f example example.o
diff --git a/attack.py b/attack.py
@@ -2,19 +2,27 @@
 
 from pwn import *
 from itertools import cycle
+import os
+
+def get_corefile_location(executable_name: str, pid: int) -> os.PathLike[str]:
+    with open("/proc/sys/kernel/core_pattern") as f:
+        core_pattern = f.read()
+        assert "%e" and "%p" in core_pattern
+        return core_pattern.replace("%e", executable_name).replace("%p", str(pid)).strip()
 
 # Generate a pattern of 100 bytes, larger than the buffer size
-pattern = cyclic(100)
+pattern = cyclic(1000)
 
 # Start the vulnerable binary
 with process('./example') as p:
     # Send the pattern as input
+    print("current pid", p.pid)
     p.sendline(pattern)
     p.wait()  # Wait for the program to crash
 
     # Examine the crash to find the offset
-    core = p.corefile  # Load the core dump created by the crash
-    offset = cyclic_find(core.read(core.rsp, 4))  # rsp holds the overwritten return address
+    core = Coredump(get_corefile_location("example", p.pid))
+    offset = cyclic_find(core.read(core.eip, 4))  # rsp holds the overwritten return address
 
     print(f"Offset to overwrite return address: {offset}")
 

diff --git a/bu_example.c b/bu_example.c
@@ -0,0 +1,79 @@
+#include <stdio.h>
+#include <string.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+/* void win_function(int arg1, int arg2) { */
+void win_function() {
+	/* printf("You won! arg1: 0x%x, arg2: 0x%x\n", arg1, arg2); */
+	printf("You won!\n");
+}
+
+void vulnerable_function() {
+	char buffer[32];  // Small buffer susceptible to overflow
+	printf("Enter some data: ");
+	fgets(buffer, 100, stdin); // improper bounds checking
+}
+
+int main() {
+	printf("start...");
+	vulnerable_function();
+	printf("done!");
+	return 0;
+}
+
+
+/* void rop1() { */
+/* printf("ROP 1!\n"); */
+/* } */
+
+/* [> void rop2(int a) { <] */
+/* void rop2() { */
+/* printf("ROP 2\n"); */
+/* } */
+
+/* [> void rop3(int a, int b) { <] */
+/* void rop3() { */
+/* printf("ROP 3\n"); */
+/* } */
+
+/* void vulnerable(char* string) { */
+/* char buffer[100]; */
+/* strcpy(buffer, string); */
+/* } */
+
+/* int main(int argc, char** argv) { */
+/* vulnerable(argv[1]); */
+/* return 0; */
+/* } */
+
+/* #include <stdio.h> */
+/* #include <stdlib.h> */
+
+/* #define BUFFER_SIZE 100 */
+
+/* int main() { */
+/* char buffer[BUFFER_SIZE]; */
+/* printf("Try to pwn me!\n"); */
+/* scanf("%s", buffer); */
+/* puts(buffer); */
+/* return 0; */
+/* } */
+
+
+/* void foo() { */
+/* printf("foo was called\n"); */
+/* } */
+
+/* void buffer_overflow() { */
+/* char buffer[BUFFER_SIZE]; */
+/* scanf("%s", buffer); */
+/* printf("You entered: %s\n", buffer); */
+/* } */
+
+/* int main() { */
+/* buffer_overflow(); */
+/* return 0; */
+/* } */
+
diff --git a/example.c b/example.c
@@ -1,79 +1,11 @@
-#include <stdio.h>
-#include <string.h>
-#include <stdio.h>
+// https://docs.pwntools.com/en/stable/elf/corefile.html#using-corefiles-to-automate-exploitation
 #include <string.h>
 #include <stdlib.h>
-
-/* void win_function(int arg1, int arg2) { */
-void win_function() {
-	/* printf("You won! arg1: 0x%x, arg2: 0x%x\n", arg1, arg2); */
-	printf("You won!\n");
-}
-
-void vulnerable_function() {
-	char buffer[32];  // Small buffer susceptible to overflow
-	printf("Enter some data: ");
-	fgets(buffer, 100, stdin); // improper bounds checking
+#include <unistd.h>
+void win() {
+    system("sh");
 }
-
-int main() {
-	printf("start...");
-	vulnerable_function();
-	printf("done!");
-	return 0;
+int main(int argc, char** argv) {
+    char buffer[64];
+    strcpy(buffer, argv[1]);
 }
-
-
-/* void rop1() { */
-/* printf("ROP 1!\n"); */
-/* } */
-
-/* [> void rop2(int a) { <] */
-/* void rop2() { */
-/* printf("ROP 2\n"); */
-/* } */
-
-/* [> void rop3(int a, int b) { <] */
-/* void rop3() { */
-/* printf("ROP 3\n"); */
-/* } */
-
-/* void vulnerable(char* string) { */
-/* char buffer[100]; */
-/* strcpy(buffer, string); */
-/* } */
-
-/* int main(int argc, char** argv) { */
-/* vulnerable(argv[1]); */
-/* return 0; */
-/* } */
-
-/* #include <stdio.h> */
-/* #include <stdlib.h> */
-
-/* #define BUFFER_SIZE 100 */
-
-/* int main() { */
-/* char buffer[BUFFER_SIZE]; */
-/* printf("Try to pwn me!\n"); */
-/* scanf("%s", buffer); */
-/* puts(buffer); */
-/* return 0; */
-/* } */
-
-
-/* void foo() { */
-/* printf("foo was called\n"); */
-/* } */
-
-/* void buffer_overflow() { */
-/* char buffer[BUFFER_SIZE]; */
-/* scanf("%s", buffer); */
-/* printf("You entered: %s\n", buffer); */
-/* } */
-
-/* int main() { */
-/* buffer_overflow(); */
-/* return 0; */
-/* } */
-
diff --git a/setup-host.sh b/setup-host.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+# set up host system
+
+# Disable aslr
+echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
+
+# set core dump location
+echo '/tmp/core.%e.%p' | sudo tee /proc/sys/kernel/core_pattern
+