diff --git a/2013-Fall/README.md b/2013-Fall/README.md deleted file mode 100644 index 2ce5d00..0000000 --- a/2013-Fall/README.md +++ /dev/null 
@@ -1,242 +0,0 @@ -# NYU Poly [ISIS Lab](http://www.isis.poly.edu/)'s [Hack Night](http://www.isis.poly.edu/hack-night) - -## Week 0: Background -In order to get the most out of Hack Night, you should be familiar with some basic security concepts. - -### Lecture Materials -1. [PicoCTF Resources](https://picoctf.com/learn) - -### Resources -1. [Sun Certified Security Administrator for Solaris 9 & 10 Study Guide Chapter 1](http://www.mhprofessional.com/downloads/products/0072254238/0072254238_ch01.pdf) -2. [OWASP Application Security Principles](https://www.owasp.org/index.php/Category:Principle) -3. [OWASP Secure Coding Principles](https://www.owasp.org/index.php/Secure_Coding_Principles) -4. [The Hardware/Software Interface](https://class.coursera.org/hwswinterface-001/class/index) - - -## Week 1: Introduction -This is an introduction session to the Hack Night curriculum, this session tries to give an overview of what rest of Hack Night sessions is to be followed. More importantly, it also gives the -ethics necessary to keep in mind when you learn something as powerful as your going to do now. Next, we will cover various types of disclosure that hackers have followed since -its inception. - -Before diving into the Hack Night semester, we recommend you take a look at the resources below and become familiar with some of the material. - -### Lecture Materials -1. [Trends in Vulnerability Disclosure](http://vimeo.com/48914102) -2. [Intrusion via Web Application Flaws](http://vimeo.com/14983596) -3. [Intrusion via Client-Side Exploitation](http://vimeo.com/14983828) - -### Resources -1. [IRC: #hacknight on isis.poly.edu port 6697 (ssl only)](http://chat.mibbit.com/?server=isis.poly.edu%3A%2B6697&channel=%23hacknight) -2. [ISIS Lab Blog](https://isisblogs.poly.edu/) -3. [ISIS Lab Github](https://github.com/isislab/) -4. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -5. [Resources Wiki](https://github.com/isislab/Project-Ideas/wiki) -6. 
[CyFor](http://cyfor.isis.poly.edu/) -7. [Cyber Security Club Mailing List](https://isis.poly.edu/mailman/listinfo/csc) -8. [ISIS Lab Calendar](http://www.isis.poly.edu/calendar) - - -## Week 2: Code Auditing, Part 1 -This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers -might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. -Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities. - -### Lecture Materials -1. [Design & Operational Reviews](http://vimeo.com/29082852/) [[slides](http://pentest.cryptocity.net/files/code_analysis/design_review_fall2011.pdf)] -2. [Code Auditing 101](http://vimeo.com/30001189/) [[slides](http://pentest.cryptocity.net/files/code_analysis/code_audits_1_fall2011.pdf)] - -### Workshop Materials -1. [Client Request Access Protocol](http://pentest.cryptocity.net/files/code_analysis/designdoc-fall2010.pdf) -We believe this protocol to be severely flawed and require your assistance in identifying vulnerabilities in it. Your objective is to identify and informally describe as many of these issues that you can. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. 
[The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - - -## Week 3: Code Auditing, Part 2 -This week we will continue with the final video on Code Auditing, and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find vulnerabilities in them. Test -the skills that you have learned last week to efficiently go over the process of auditing applications. - -### Lecture Materials -1. [Code Auditing 102](http://vimeo.com/29702192/) [[slides](http://pentest.cryptocity.net/files/code_analysis/code_audits_2_fall2011.pdf)] - -### Workshop Materials -1. [News Paper](http://pentest.cryptocity.net/files/code_analysis/fall2011_hw2.c) [Simple Usage](http://pentest.cryptocity.net/files/code_analysis/fall2011_install.sh) -This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. These are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc. -2. [Siberia Crimeware Pack](http://pentest.cryptocity.net/files/code_analysis/siberia.zip) (Password: infected) -The Siberia kit contains live exploit code and will likely set off AV, however none of the exploit code is in a state where it would be harmful to your computer. In addition to all of the vulnerabilites have been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. 
[The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - -### Tools -1. [Source Navigator](http://sourcenav.sourceforge.net/) -2. [Scitools Understand](http://www.scitools.com/) -3. [List of tools for static code analysis](http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) - - -## Week 4: Web Hacking, Part 1 -This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. Topics to be covered are web application primer, Vuln. commonly found in web apps. (OWASP Top 10) and Basic web testing methodologies. - -### Lecture Materials -1. [Web Hacking 101](http://vimeo.com/32509769) [[slides](http://pentest.cryptocity.net/files/web/2011/Web%20Hacking%20Day%201%20-%202011.pdf)] - -### Workshop Materials -1. [Google Gruyere](http://google-gruyere.appspot.com/) - - -### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. [The Tangled Web](http://nostarch.com/tangledweb.htm) -3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) - - -## Week 5: Web Hacking, Part 2 -In this session, we will continue with the second video on Web Hacking. 
We will then be using some more intentionally vulnerable web applications to identify and analyze the top ten vulnerabilities commonly found in the web applications You will be going through the steps of busticating a real site and throwing a fire sale using freely available tools. - -### Lecture Materials -1. [Web Hacking 102](http://vimeo.com/32550671) [[slides](http://pentest.cryptocity.net/files/web/2011/Web%20Hacking%20Day%202%20-%202011.pdf)] - -### Workshop Materials -1. [OWASP WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) -2. [Damn Vulnerable Web Application](http://www.dvwa.co.uk/) - - -## Week 6: Reverse Engineering, Part 1 -This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. This is exactly what two of world's best reverse engineers are going to teach you. - -### Lecture Videos -1. [Reverse Engineering 101](http://vimeo.com/6764570) -2. [Reverse Engineering 102](http://vimeo.com/30076325) [[slides](http://pentest.cryptocity.net/files/reversing/sotirov-re-fall2011.pdf)] - -### Workshop Materials -1. [Challenge Application](http://128.238.66.181/easy32) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) - - -## Week 7: Reverse Engineering, Part 2 -Picking up from previous session, we will watch the last video on Reverse Engineering, and present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. 
You'll use static analysis tools like IDA and varied dynamic analysis to analyze the binary and get a complete understanding of the application. - -### Lecture Videos -1. [Dynamic Reverse Engineering](http://vimeo.com/30594548) [[slides](http://pentest.cryptocity.net/files/reversing/2011/dynamic_reversing_2011.pdf)] - -### Workshop Materials -1. [demo.exe](http://pentest.cryptocity.net/files/exploitation/demo.zip) (Password: infected) - -### Resources -1. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -2. [VMWare player](http://www.vmware.com/download/player/download.html) -3. [x86 Win32 Reverse Engineering Cheatsheet](http://pentest.cryptocity.net/files/reversing/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf) -4. [IDA Pro Shortcuts](http://pentest.cryptocity.net/files/reversing/IDA_Pro_Shortcuts.pdf) - - -## Week 8: Introduction to x86 -In this session we will cover [Introductory Intel x86: Architecture, Assembly, Applications, and Alliteration by Xeno Kovah](http://www.opensecuritytraining.info/IntroX86.html) from [OpenSecurityTraining](http://www.opensecuritytraining.info/Welcome.html). Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 50% of the time will be spent learning Windows/Linux tools and analysis of "simple" programs. - -### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) - -### Resources -1. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -2. 
[Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) - - -## Week 9: x86 Split-Workshop -Picking up from the last week's session, we will continue to explore the world of x86. This is going to be a workshop were we will write programs at assembly level. Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames. - -### Workshop Materials -1. [CMU Bomb Lab](http://csapp.cs.cmu.edu/public/1e/bomb.tar) (Linux/IA32 binary) -2. [Write readFile.c in x86 by hand](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week9) - -### Resources -1. [nasm](http://www.nasm.us/) -2. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 10: Exploiting Memory Corruption, Part 1 -In this week's session, we will go over some advanced concepts related to computer security. Dino Dai Zovi will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. We will also look at exploitation mitigation that your current OS implements, it's not 1988 anymore. Finally, we will look at some techniques used to bypass modern mitigations. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](http://pentest.cryptocity.net/files/exploitation/2011/memory_corruption_101.pdf)] - -### Workshop Materials -1. [Vulnerable Application](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week10) - -### Resources -1. 
[Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) - - -## Week 11: Exploiting Memory Corruption, Part 2 -Picking up from the last session, we will finish watching Dino Dai Zovi's lecture and do a live exploitation of a vulnerable program. We will go through all the steps that Dino explained in his lecture to write a control flow hijacking exploit and take over the program. Once we are done with 1990's style exploitation, we will re-compile the program with modern mitigation technologies and look at various techniques used to bypass these mitigation's. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](http://pentest.cryptocity.net/files/exploitation/2011/memory_corruption_101.pdf)] - -### Workshop Materials -1. [demo.exe](http://pentest.cryptocity.net/files/exploitation/demo.zip) (Password: infected) - -### Resources -1. [VMWare Player](http://www.vmware.com/download/player/download.html) -2. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) - -### More Challenges -1. [Gera's Insecure Programming by Example](http://community.corest.com/~gera/InsecureProgramming/) -2. [Exploit-Exercises](http://exploit-exercises.com/) - - -## Week 12: Post-Exploitation -In this week, we will cover post-exploitation. Post-exploitation is the stage in the intrusion kill chain wherein the attacker uses persistence techniques after the victim's system is compromised to maintain his/her presence on the machine. In addition the attacker also wants his presence to be hidden, this includes evading antivirus software, covering his/her tracks, etc. We will look at various techniques used by attackers to achieve the aforementioned goals. - -### Lecture Material -1. 
[Post Exploitation](http://vimeo.com/33344191) - -### Workshop Material -As shown in the lecture video, setup two VM’s. One VM will have metasploit running, backtrack is preferred and the other machine will be a Windows box. Preferred, win xp professional or win 7 professional. -Use the psexec module available in metasploit to gain access to the Windows box. Once, you have a meterpreter session available, apply different techniques demonstrated in the lecture like getting the password hash of Administrator, so that you can re-login as Administrator which gives you elevated privileges. - -Having a meterpreter session open isn’t necessarily good enough. For instance, run cmd.exe in windows box; get back to your meterpreter session and find the pid of cmd.exe using “ps” command. Once you are able to figure out the pid, use the migrate command to switch to that process. Now, close the command prompt in the windows box. Do you still have the session open? What do you think a stable process might be to migrate? - -If you have found the stable process that you as an attacker want to migrate to, chances are your persistence is good. Although, this may not be the case if the victim restarts his machine. What do you think a better approach would be to keep your connection persistent, even after several reboots? Try to use this method and see for yourself, if you have a persistent connection or not. - -### Resources -1. [Symantec Stuxnet Dossier](http://pentest.cryptocity.net/files/operations/references/w32_stuxnet_dossier.pdf) -2. [Useful References](http://pentest.cryptocity.net/operations/references.html) - - -## Week 13: Fuzzing -In this, the last session of Hack Night. We will be going over Fuzzing and later have a short discussion on what you can do to continue improving your skills. Fuzzing is a black box software testing technique, which consists of finding implementation bugs by manipulating input data sent to an application automatically. 
We will go over different types of fuzzing, various methods used for fuzzing, and finally the process of "smart" fuzzing. - -### Lecture Material -1. [Fuzzing](https://vimeo.com/7574602) - -### Workshop Materials -1. [fuzz.py](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week13) -2. [HaikuSyscallFuzzer](https://github.com/isislab/HaikuSyscallFuzzer) - -### Resources -1. [Fuzzing](https://github.com/isislab/Project-Ideas/wiki/Fuzzing) -2. [Useful References](http://pentest.cryptocity.net/fuzzing/references.html) - - -## Conclusion -Hack Night is designed to culminate in each student developing some kind of deliverable related to computer security, the goal being that everyone leaves the program with more knowledge about security. - -### Research and Projects -1. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -2. [Project Ideas Wiki](https://github.com/isislab/Project-Ideas/wiki) diff --git a/2013-Fall/week10/bufferOverflowApplicationSecurity/bufferOverflow.c b/2013-Fall/week10/bufferOverflowApplicationSecurity/bufferOverflow.c deleted file mode 100644 index ef76d3f..0000000 --- a/2013-Fall/week10/bufferOverflowApplicationSecurity/bufferOverflow.c +++ /dev/null @@ -1,27 +0,0 @@ -#include - -#define READSIZE 0x1000 - -void countLines(FILE* f){ - char buf[0x400];//should be big enough for anybody - int lines=0; - fread(buf,READSIZE,1,f); - - for(int i=0;i<0x400;i++) - if(buf[i] == '\n') - lines++; - - - printf("The number of lines in the file is %d\n",lines); - return; -} - -int main(int argc,char** argv){ - if(argc<2){ - printf("Proper usage is %s \n",argv[0]); - exit(0); - } - FILE* myfile=fopen(argv[1],"r"); - countLines(myfile); - return 0; -} diff --git a/2013-Fall/week10/bufferOverflowApplicationSecurity/makefile b/2013-Fall/week10/bufferOverflowApplicationSecurity/makefile deleted file mode 100644 index f3fb357..0000000 --- a/2013-Fall/week10/bufferOverflowApplicationSecurity/makefile +++ /dev/null 
@@ -1,9 +0,0 @@ -all: compile suid aslr -compile: - gcc -fno-stack-protector -z execstack bufferOverflow.c -o bufferOverflow -std=c99 -m32 -suid: - sudo chown root:root bufferOverflow - sudo chmod 4777 bufferOverflow - -aslr: - sudo sysctl -w kernel.randomize_va_space=0 \ No newline at end of file diff --git a/2013-Fall/week10/readme b/2013-Fall/week10/readme deleted file mode 100644 index 08221bb..0000000 --- a/2013-Fall/week10/readme +++ /dev/null @@ -1 +0,0 @@ -This is a buffer overflow lab I wrote for the 2013 hacknight and application security classes. \ No newline at end of file diff --git a/2013-Fall/week13/fuzz.py b/2013-Fall/week13/fuzz.py deleted file mode 100644 index a9c2ad3..0000000 --- a/2013-Fall/week13/fuzz.py +++ /dev/null @@ -1,35 +0,0 @@ -#Written by Evan Jensen (wontonslim@github) - -import subprocess -from random import randint -from sys import argv - -FILENAME = argv[1] -BYTESTOCHANGE=1 #change this many bytes per play -crashcase=0 - -while True: - f = open(FILENAME,'r').read() - - - low = 200 - high = len(f) - - bytes = [i for i in f] #this is the file in memory as a chr array - - for i in range(BYTESTOCHANGE): #change random bytes to random vals - randByte = chr(randint(0,0xff)) - bytes[randint(low,high)] = randByte - - newdata = ''.join(bytes) #coalesce the bytes - - open(FILENAME,'w').write(newdata) #write back the file with changed bytes - - returnVal=subprocess.call(['mplayer','./'+FILENAME]) #does it crash? - - if(returnVal!=0):#zomg something interesting - file(FILENAME+'.crash_'+str(crashcase),'w').write(newdata)#save data - crashcase+=1 - print "ZOMG SOMETHING HAPPENED U GUYS!" - - diff --git a/2013-Fall/week13/readme b/2013-Fall/week13/readme deleted file mode 100644 index 2ba0b19..0000000 --- a/2013-Fall/week13/readme +++ /dev/null @@ -1 +0,0 @@ -This is a very simple random mutation file format fuzzer written for hacknight. \ No newline at end of file 
diff --git a/2013-Fall/week9/compileByHand/asm/example1.s b/2013-Fall/week9/compileByHand/asm/example1.s deleted file mode 100644 index 8550cd6..0000000 --- a/2013-Fall/week9/compileByHand/asm/example1.s +++ /dev/null @@ -1,86 +0,0 @@ -BITS 32 - global main - extern fread - extern fopen - extern printf - - -readInts: ;readInts(FILE* file, int* buffer){ - push ebp - mov ebp,esp - pusha - mov eax, [ebp+8] ;file - mov ebx, [ebp+12] ;buffer - ;fread(buffer, sizeof(int), BUFSIZE, file); - push eax - push 1024 - push 4 - push ebx - call fread - add esp,4*4 - popa - leave - ret - - - -printInts: ;void printInts(int * buffer, int number){ - push ebp - mov ebp,esp - sub esp,4 - pusha - mov esi, [ebp+8] ;buffer - mov ebx, [ebp+12] ;number - mov edi,0 -.top: - mov eax, [esi+edi*4+4] - push eax - mov eax,[esi+edi*4] - push eax - push format - call printf - add esp,4*3 - add edi,2 ;i - cmp edi, [ebp+12] ;if(i -#include -#define BUFSIZE 1024 - - -void printInts(int * buffer, int number){ - for(int i=0; i - -#define READSIZE 0x1000 - -void countLines(FILE* f){ - char buf[0x400];//should be big enough for anybody - int lines=0; - fread(buf,READSIZE,1,f); - - for(int i=0;i<0x400;i++) - if(buf[i] == '\n') - lines++; - - - printf("The number of lines in the file is %d\n",lines); - return; -} - -int main(int argc,char** argv){ - if(argc<2){ - printf("Proper usage is %s \n",argv[0]); - exit(0); - } - FILE* myfile=fopen(argv[1],"r"); - countLines(myfile); - return 0; -} diff --git a/2013-Spring/week11/bufferOverflowApplicationSecurity/makefile b/2013-Spring/week11/bufferOverflowApplicationSecurity/makefile deleted file mode 100644 index f3fb357..0000000 --- a/2013-Spring/week11/bufferOverflowApplicationSecurity/makefile +++ /dev/null 
@@ -1,9 +0,0 @@ -all: compile suid aslr -compile: - gcc -fno-stack-protector -z execstack bufferOverflow.c -o bufferOverflow -std=c99 -m32 -suid: - sudo chown root:root bufferOverflow - sudo chmod 4777 bufferOverflow - -aslr: - sudo sysctl -w kernel.randomize_va_space=0 \ No newline at end of file diff --git a/2013-Spring/week11/readme b/2013-Spring/week11/readme deleted file mode 100644 index 08221bb..0000000 --- a/2013-Spring/week11/readme +++ /dev/null @@ -1 +0,0 @@ -This is a buffer overflow lab I wrote for the 2013 hacknight and application security classes. \ No newline at end of file diff --git a/2013-Spring/week13/fuzz.py b/2013-Spring/week13/fuzz.py deleted file mode 100644 index a9c2ad3..0000000 --- a/2013-Spring/week13/fuzz.py +++ /dev/null @@ -1,35 +0,0 @@ -#Written by Evan Jensen (wontonslim@github) - -import subprocess -from random import randint -from sys import argv - -FILENAME = argv[1] -BYTESTOCHANGE=1 #change this many bytes per play -crashcase=0 - -while True: - f = open(FILENAME,'r').read() - - - low = 200 - high = len(f) - - bytes = [i for i in f] #this is the file in memory as a chr array - - for i in range(BYTESTOCHANGE): #change random bytes to random vals - randByte = chr(randint(0,0xff)) - bytes[randint(low,high)] = randByte - - newdata = ''.join(bytes) #coalesce the bytes - - open(FILENAME,'w').write(newdata) #write back the file with changed bytes - - returnVal=subprocess.call(['mplayer','./'+FILENAME]) #does it crash? - - if(returnVal!=0):#zomg something interesting - file(FILENAME+'.crash_'+str(crashcase),'w').write(newdata)#save data - crashcase+=1 - print "ZOMG SOMETHING HAPPENED U GUYS!" - - diff --git a/2013-Spring/week13/readme b/2013-Spring/week13/readme deleted file mode 100644 index 2ba0b19..0000000 --- a/2013-Spring/week13/readme +++ /dev/null @@ -1 +0,0 @@ -This is a very simple random mutation file format fuzzer written for hacknight. \ No newline at end of file 
diff --git a/2013-Spring/week9/compileByHand/asm/example1.s b/2013-Spring/week9/compileByHand/asm/example1.s deleted file mode 100644 index 8550cd6..0000000 --- a/2013-Spring/week9/compileByHand/asm/example1.s +++ /dev/null @@ -1,86 +0,0 @@ -BITS 32 - global main - extern fread - extern fopen - extern printf - - -readInts: ;readInts(FILE* file, int* buffer){ - push ebp - mov ebp,esp - pusha - mov eax, [ebp+8] ;file - mov ebx, [ebp+12] ;buffer - ;fread(buffer, sizeof(int), BUFSIZE, file); - push eax - push 1024 - push 4 - push ebx - call fread - add esp,4*4 - popa - leave - ret - - - -printInts: ;void printInts(int * buffer, int number){ - push ebp - mov ebp,esp - sub esp,4 - pusha - mov esi, [ebp+8] ;buffer - mov ebx, [ebp+12] ;number - mov edi,0 -.top: - mov eax, [esi+edi*4+4] - push eax - mov eax,[esi+edi*4] - push eax - push format - call printf - add esp,4*3 - add edi,2 ;i - cmp edi, [ebp+12] ;if(i -#include -#define BUFSIZE 1024 - - -void printInts(int * buffer, int number){ - for(int i=0; i ./articles/example.txt -echo "adding a default user as guest" -echo "guest" > ./users/guest.txt diff --git a/2014-Fall/workshops/week3/news_server.c b/2014-Fall/workshops/week3/news_server.c deleted file mode 100755 index 2912ef6..0000000 --- a/2014-Fall/workshops/week3/news_server.c +++ /dev/null 
@@ -1,619 +0,0 @@ -/* - NYU Polytechnic Institute - CS6573: Penetration Testing and Vulnerability Analysis - Code Auditing Homework Assignment - - There are a number of security holes in this network service, - but your assignment is to only find 3. - They could be both architectural or implementation problems. - Look for bad logic and memory mismanagement. -*/ - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#define PORT 9090 -#define USERNAME 0x01 -#define PASSWORD 0x02 -#define BADUSER "\x33\x44 BAD USERNAME!" -#define BADPASS "\x33\x45 BAD PASSWORD!" -#define READY "\x41\x41 READY!" -#define USERPATH "./users/" -#define ARTICLEPATH "./articles/" -#define LISTCOMMAND "ls ./articles/ > list.txt" -#define FILENOTAVAIL "\x33\x31 FILE NOT AVAILABLE!" -#define BEGINFILE "\x41\x41 BEGIN FILE: END WITH '!!!'" -#define ARTICLEWROTE "\x41\x42 ARTICLE HAS BEEN WRITTEN!" -#define LIST_ARTICLES 0x22 -#define READ_ARTICLE 0x23 -#define WRITE_ARTICLE 0x24 -#define COMMAND 0x25 -#define ADD_USER 0x26 - -void logData(FILE *logfile, char *format, ...); -int setupSock(FILE *logf, unsigned short port); -int writeSock(int sock, char *buf, size_t len); -int readSock(int sock, char *buf, size_t len); -void mainLoop(FILE *logf, int sock); -void handleConnection(FILE *logfile, int sock); -int userFunctions(FILE *logfile, int sock, char *user); -char *findarg(char *argbuf, char argtype); -int authenticate(FILE *logfile, char *user, char *pass); - -int writeSock(int sock, char *buf, size_t len) -{ - ssize_t byteswrote = 0; - ssize_t ret = 0; - - while (byteswrote < len) - { - ret = send(sock, buf + byteswrote, len - byteswrote, 0); - - if (ret < 0) - { - return -1; - } - - if (ret == 0) - { - break; - } - - byteswrote += ret; - } - - return byteswrote; -} - -int readSock(int sock, char *buf, size_t len) -{ - ssize_t ret = 0; - ssize_t bytesread = 0; - - while (bytesread < len) - { - ret = recv(sock, buf + 
bytesread, len - bytesread, 0); - - if (ret == 0) - { - break; - } - - if (ret < 0) - { - return -1; - } - - bytesread += ret; - } - - return bytesread; -} - -void writeArticle(int sock, FILE *logfile, char *action) -{ - FILE *file; - char *p; - size_t x, y; - int complete = 0; - char buf[1024]; - char path[1024]; - - strcpy(path, ARTICLEPATH); - strncat(path, &action[1], sizeof(path)); - - logData(logfile, "user writing article: %s", path); - - file = fopen(&action[1], "w"); - - if (!file) - { - writeSock(sock, FILENOTAVAIL, sizeof(FILENOTAVAIL)); - return; - } - - writeSock(sock, BEGINFILE, sizeof(BEGINFILE)); - - while (1) - { - memset(buf, 0, sizeof(buf)); - x = readSock(sock, buf, sizeof(buf)-1); - for (y = 0; y < x; ++y) - { - if (buf[y] == '!') - { - if (buf[y+1] == '!' && buf[y+2] == '!') - { - buf[y] = 0x0; - complete = 1; - } - } - } - fputs(buf, file); - if (complete) - { - break; - } - } - - writeSock(sock, ARTICLEWROTE, sizeof(ARTICLEWROTE)); - fclose(file); -} - - -void readArticle(int sock, FILE *logfile, char *action) -{ - FILE *file; - char buf[100]; - char path[100]; - - logData(logfile, &action[1]); - - strcpy(path, ARTICLEPATH); - strcat(path, &action[1]); - - logData(logfile, "user request to read article: %s", path); - - file = fopen(path, "r"); - - if (!file) - { - writeSock(sock, FILENOTAVAIL, sizeof(FILENOTAVAIL)); - return; - } - - /* fgets for the size of the buffer (100), from the file - writing the article to the user each time! */ - - while (fgets(buf, 1000, file)) - { - writeSock(sock, buf, strlen(buf)); - } - - fclose(file); - - return; -} - -void listArticles(int sock, FILE *logfile, char *action) -{ - char buf[100]; - FILE *list; - - logData(logfile, "user has requested a list of articles"); - - /* i wish i had more time! i wouldnt have to write - this code using system() to call things! 
*/ - - memset(buf, 0, sizeof(buf)); - system(LISTCOMMAND); - - list = fopen("list.txt", "r"); - - while (fgets(buf, sizeof(buf)-1, list)) - { - writeSock(sock, buf, strlen(buf)); - } - - fclose(list); - return; -} - -void command(FILE *log, int sock, char *action) -{ - logData(log, "executing command: %s", &action[1]); - system(&action[1]); -} - -void addUser(FILE *log, int sock, char *action) -{ - char *p; - char buf[1024]; - - p = strchr(&action[1], ':'); - - if (!p) - { - return; - } - - *p = 0x0; - logData(log, "Adding user: %s with pass: %s", &action[1], &p[1]); - snprintf(buf, sizeof(buf)-1, "echo %s > %s%s.txt", &p[1], USERPATH, &action[1]); - return; -} - -int adminFunctions(FILE *logfile, int sock) -{ - char action[1024]; - size_t len; - while (1) - { - writeSock(sock, READY, sizeof(READY)); - memset(action, 0, sizeof(action)); - len = readSock(sock, action, sizeof(action)); - - if (action[0] == ADD_USER) - { - addUser(logfile, sock, action); - } - else if (action[0] == COMMAND) - { - command(logfile, sock, action); - } - else - { - logData(logfile, "unknown action: %x", action[0]); - } - } - -} - -int userFunctions(FILE *logfile, int sock, char *user) -{ - char action[1024]; - size_t len; - - if (0 == strncmp(user, "admin", 5)) - { - adminFunctions(logfile, sock); - return 0; - } - - while (1) - { - writeSock(sock, READY, sizeof(READY)); - memset(action, 0, sizeof(action)); - len = readSock(sock, action, sizeof(action)); - - if (action[0] == LIST_ARTICLES) - { - listArticles(sock, logfile, action); - } - else if (action[0] == READ_ARTICLE) - { - readArticle(sock, logfile, action); - } - else if (action[0] == WRITE_ARTICLE) - { - writeArticle(sock, logfile, action); - } - else - { - logData(logfile, "unknown action %x", action[0]); - return; - } - } - - return 0; -} - -/* return 1 for success, 2 on bad username, 3 on bad password */ -int authenticate(FILE *logfile, char *user, char *pass) -{ - char search[512]; - char path[1024]; - char userfile[1024]; - 
char data[1024]; - FILE *file; - int ret; - - memset(path, 0, sizeof(1024)); - - /* FIXME: hard coded admin backdoor for password recovery */ - if (memcmp(pass, "baCkDoOr", 9) == 0) - { - return 1; - } - - /* look up user by checking user files: done via system() to /bin/ls|grep user */ - logData(logfile, "performing lookup for user via system()!\n"); - snprintf(userfile, sizeof(userfile)-1, "%s.txt", user); - snprintf(search, sizeof(userfile)-1, "stat %s`ls %s | grep %s`", USERPATH, USERPATH, userfile); - ret = system(search); - - if (ret != 0) - { - return 2; - } - - snprintf(path, sizeof(path)-1, "%s%s", USERPATH, userfile); - - /* open file and check if contents == password */ - file = fopen(path, "r"); - - if (!file) - { - logData(logfile, "fopen for userfile failed\n"); - return 2; - } - - logData(logfile, "getting userfile info\n"); - fgets(data, sizeof(data)-1, file); - - fclose(file); - - /* Password Check! */ - if (memcmp(data, pass, 3)) - { - return 3; - } - - return 1; -} - -char *findarg(char *argbuf, char argtype) -{ - char *ptr1; - char *found = NULL; - char type = 0; - size_t size; - - ptr1 = argbuf; - - while (1) - { - memcpy((char *)&size, ptr1, 4); - if (size == 0) - { - break; - } - if (ptr1[4] == argtype) - { - found = &ptr1[5]; - break; - } - ptr1 += size; - } - - return found; -} - -void handleConnection(FILE *logfile, int sock) -{ - char buffer[1024]; - char argbuf[1024]; - char *user = NULL; - char *pass = NULL; - int len = 0; - int ret = 0; - size_t segloop; - size_t segmentcount; - size_t segnext; - size_t argsize; - char *ptr1; - char *ptr2; - - /* read in data */ - memset(buffer, 0, sizeof(buffer)); - len = readSock(sock, buffer, sizeof(buffer)); - logData(logfile, "handling connection"); - - if (len == -1) - { - return; - } - - /* parse protocol */ - ptr1 = buffer; - ptr2 = argbuf; - - /* get count of segments */ - memcpy((char *)&segmentcount, ptr1, 4); - - logData(logfile, "Segment count is %i", segmentcount); - - /* make sure there 
aren't too many segments! - so the count * 8(bytes) should be the max */ - if (segmentcount * 8 > sizeof(argbuf)) - { - logData(logfile, "bad segment count"); - return; - } - - ptr1 += 4; - - memset(argbuf, 0, sizeof(argbuf)); - - for (segloop = 0; segloop < segmentcount; ++segloop) - { - logData(logfile, "adding segment %i", segloop+1); - memcpy((char *)&segnext, ptr1, 4); - logData(logfile, "next segment offset %i", segnext); - ptr1 += 4; - memcpy((char *)&argsize, ptr1, 4); - logData(logfile, "argsize: %i", argsize); - memcpy(ptr2, ptr1, argsize); - ptr2 += argsize; - ptr1 += segnext; - } - - logData(logfile, "looking up user args"); - - user = findarg(argbuf, USERNAME); - pass = findarg(argbuf, PASSWORD); - - snprintf(buffer, sizeof(buffer)-1, "User attempting to authenticate: %s", user); - logData(logfile, buffer); - - logData(logfile, "calling authenticate"); - ret = authenticate(logfile, user, pass); - logData(logfile, "returned from authenticate"); - - if (ret != 1) - { - - if (ret == 2) - { - writeSock(sock, BADUSER, sizeof(BADUSER)); - } - - if (ret == 3) - { - writeSock(sock, BADPASS, sizeof(BADPASS)); - } - - snprintf(buffer, sizeof(buffer)-1,"user: %s failed to login with password %s", user, pass); - logData(logfile, buffer); - return; - } - - logData(logfile, "user %s authenticated!", user); - - userFunctions(logfile, sock, user); - - return; -} - -void mainLoop(FILE *logf, int sock) -{ - int clientfd = 0; - struct sockaddr_in client; - socklen_t clientlen = 0; - pid_t offspring = 0; - - memset((char *)&client, 0, sizeof(client)); - - logData(logf, "entering main loop..."); - - while (1) - { - clientfd = accept(sock, (struct sockaddr *)&client, &clientlen); - if (clientfd == -1) - { - continue; - } - - offspring = fork(); - - if (offspring == -1) - { - continue; - } - - if (offspring == 0) - { - handleConnection(logf, clientfd); - close(clientfd); - exit(0); - } - - close(clientfd); - } -} - -void spawnhandler(int signumber) -{ - pid_t pid; - int 
stat; - - while ((pid = waitpid(-1, &stat, WNOHANG))>0) - { - printf("circle of life completed for %i\n", pid); - } -} - -int setupSock(FILE *logf, unsigned short port) -{ - int sock = 0; - struct sockaddr_in sin; - int opt = 0; - - if (signal(SIGCHLD, spawnhandler)== SIG_ERR) - { - perror("fork() spawn handler setup failed!"); - return -1; - } - - memset((char *)&sin, 0, sizeof(sin)); - - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - - sock = socket(AF_INET, SOCK_STREAM, 0); - - if (sock == -1) - { - logData(logf, "socket() failed"); - return -1; - } - - opt = 1; - - if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1) - { - logData(logf,"setsockopt() failed"); - return -1; - } - - if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) - { - logData(logf, "bind() failed"); - return -1; - } - - if (listen(sock, 10) == -1) - { - logData(logf, "listen() failed"); - return -1; - } - - return sock; -} - -int main(int argc, char *argv[]) -{ - int sock; - FILE *logf; - - /* setup log file */ - logf = fopen("logfile.txt", "w"); - - if (!logf) - { - perror("unable to open log file\n"); - exit(1); - } - - /* go daemon */ - daemon(0,0); - - /* setup socket */ - sock = setupSock(logf, PORT); - - if (sock == -1) - { - logData(logf, "failed to setup socket, exiting"); - exit(1); - } - - logData(logf, "intial socket setup complete"); - - mainLoop(logf, sock); - - /* this should never execute */ - exit(0); -} - -/* printf-style data logging */ -void logData(FILE *logfile, char *format, ...) -{ - char buffer[4096]; - va_list arguments; - va_start(arguments, format); - vsnprintf(buffer, sizeof(buffer)-1, format, arguments); - va_end(arguments); - fprintf(logfile, "LoggedData [Proccess:%i]: %s\n", getpid(), buffer); - fflush(logfile); -} diff --git a/2014-Fall/workshops/week3/siberia.zip b/2014-Fall/workshops/week3/siberia.zip deleted file mode 100755 index 1ee2355..0000000 Binary files a/2014-Fall/workshops/week3/siberia.zip and /dev/null differ 
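Review bot: Missing from the deletion of the Week 3 "News Paper" service (writeArticle through logData in this hunk) is any pointer to where the source now lives; the only other reference to it in this diff is the pentest.cryptocity.net URL in the 2014-Spring syllabus, so the commit message should say whether the file is archived (tag, branch or the external host) or intentionally gone. It should also say this is housekeeping rather than a fix: the code is deliberately vulnerable audit material (system() on client-supplied strings in command() and authenticate(), user input passed as the format argument in readArticle()'s `logData(logfile, &action[1])`, the hard-coded "baCkDoOr" check, `fgets(buf, 1000, file)` into a 100-byte buffer, and addUser() building a shell line it never runs), and those defects must stay exactly as they are for the exercise to work.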
diff --git a/2014-Fall/workshops/week3/wireshark-1.8.5.tar.bz2 b/2014-Fall/workshops/week3/wireshark-1.8.5.tar.bz2 deleted file mode 100755 index 4415b95..0000000 Binary files a/2014-Fall/workshops/week3/wireshark-1.8.5.tar.bz2 and /dev/null differ diff --git a/2014-Fall/workshops/week7/bin1 b/2014-Fall/workshops/week7/bin1 deleted file mode 100755 index 8009c29..0000000 Binary files a/2014-Fall/workshops/week7/bin1 and /dev/null differ diff --git a/2014-Fall/workshops/week7/easy32 b/2014-Fall/workshops/week7/easy32 deleted file mode 100755 index c794604..0000000 Binary files a/2014-Fall/workshops/week7/easy32 and /dev/null differ diff --git a/2014-Spring/README.md b/2014-Spring/README.md deleted file mode 100644 index 235e273..0000000 --- a/2014-Spring/README.md +++ /dev/null 
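Review bot: Dropping siberia.zip, wireshark-1.8.5.tar.bz2, bin1 and easy32 from the tree does not take them out of history, and the 2014-Spring README hunk later in this diff describes siberia.zip as a crimeware pack with live exploit code (password "infected") that will likely trip AV; every clone still pulls it. If the intent is to stop distributing the archive, the message should say so and the history needs rewriting (git filter-repo or filter-branch plus a force push); otherwise state explicitly that it is retained in history. The third-party Wireshark source tarball never needed to be vendored here at all, so a short note that large artifacts belong on the external host would stop them coming back.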
@@ -1,319 +0,0 @@ -# NYU Poly [ISIS Lab](http://www.isis.poly.edu/)'s [Hack Night](http://isislab.github.io/Hack-Night/) -Developed from the materials of NYU Poly's [old Penetration Testing and Vulnerability Analysis course](http://pentest.cryptocity.net/), Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks. - -Hack Night culminates in a practical application of the skills and techniques taught, students complete a research project inspired by one of the lectures or exercise materials. By the end of the course, each student is expected to have a good understanding of all topics and a mastery of at least one topic. - -*Due to the involved nature of this course, we recommend students attend Hack Night in person.* - -## Logistics -If you have any questions, or would like to attend a Hack Night session, you can contact Evan Jensen or Marc Budofsky at HackNight@isis.poly.edu or you can [file a ticket](https://github.com/isislab/Hack-Night/issues) in Github. - -Sign up for the [Cyber Security Club mailing list](https://isis.poly.edu/mailman/listinfo/csc) to recieve weekly e-mails about seminars and training sessions brought to you by the [ISIS Lab](http://www.isis.poly.edu/). - -Hack Night is run every Wednesday during the regular semester at 6 PM in RH 219, check [our calendar for updates](http://www.isis.poly.edu/calendar). - -ISIS Lab, RH 219 -Six MetroTech Center -Brooklyn, NY 11201 - - -## Week 0: Background -In order to get the most out of Hack Night, you should be familiar with some basic security concepts. - -### Lecture Materials -1. [PicoCTF Resources](https://picoctf.com/learn) - -### Resources -#### General -1. 
[Sun Certified Security Administrator for Solaris 9 & 10 Study Guide Chapter 1](http://www.mhprofessional.com/downloads/products/0072254238/0072254238_ch01.pdf) - -#### Application Security -1. [OWASP Secure Coding Principles](https://www.owasp.org/index.php/Secure_Coding_Principles) - -#### Exploitation -1. [Windows ISV Software Security Defenses](http://msdn.microsoft.com/en-us/library/bb430720.aspx) - -#### Mobile Security -1. [OWASP Top 10](https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks) - -#### Network Security -1. [Common Types of Network Attacks](http://technet.microsoft.com/en-us/library/cc959354.aspx) - -#### Reverse Engineering -1. [University of Washington's The Hardware/Software Interface](https://class.coursera.org/hwswinterface-001/class) *Currently Unavailable to New Students* -2. [University of London's Malicious Software and its Underground Economy: Two Sides to Every Story](https://class.coursera.org/malsoftware-001/class) - -#### Web Security -1. [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) - - -## Week 1: Introduction -This is an introduction session to the Hack Night curriculum, this session tries to give an overview of what rest of Hack Night sessions is to be followed. More importantly, it also gives the -ethics necessary to keep in mind when you learn something as powerful as your going to do now. Next, we will cover various types of disclosure that hackers have followed since -its inception. - -Before diving into the Hack Night semester, we recommend you take a look at the resources below and become familiar with some of the material. - -### Lecture Materials -1. [Trends in Vulnerability Disclosure](http://vimeo.com/48914102) -2. [Intrusion via Web Application Flaws](http://vimeo.com/14983596) -3. [Intrusion via Client-Side Exploitation](http://vimeo.com/14983828) - -### Resources -1. 
[IRC: #hacknight on isis.poly.edu port 6697 (ssl only)](http://chat.mibbit.com/?server=isis.poly.edu%3A%2B6697&channel=%23hacknight) -2. [ISIS Lab Blog](https://isisblogs.poly.edu/) -3. [ISIS Lab Github](https://github.com/isislab/) -4. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -5. [Resources Wiki](https://github.com/isislab/Project-Ideas/wiki) -6. [CyFor](http://cyfor.isis.poly.edu/) -7. [Cyber Security Club Mailing List](https://isis.poly.edu/mailman/listinfo/csc) -8. [ISIS Lab Calendar](http://www.isis.poly.edu/calendar) - - -## Week 2: Source Code Auditing, Part 1 -This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers -might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. -Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities. - -### Lecture Materials -1. [Design & Operational Reviews](http://vimeo.com/29082852/) [[slides](http://pentest.cryptocity.net/files/code_analysis/design_review_fall2011.pdf)] -2. [Code Auditing 101](http://vimeo.com/30001189/) [[slides](http://pentest.cryptocity.net/files/code_analysis/code_audits_1_fall2011.pdf)] - -### Workshop Materials -1. [Client Request Access Protocol](http://pentest.cryptocity.net/files/code_analysis/designdoc-fall2010.pdf) -We believe this protocol to be severely flawed and require your assistance in identifying vulnerabilities in it. Your objective is to identify and informally describe as many of these issues that you can. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. 
[The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - - -## Week 3: Source Code Auditing, Part 2 -This week we will continue with the final video on Code Auditing, and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find vulnerabilities in them. Test -the skills that you have learned last week to efficiently go over the process of auditing applications. - -### Lecture Materials -1. [Code Auditing 102](http://vimeo.com/29702192/) [[slides](http://pentest.cryptocity.net/files/code_analysis/code_audits_2_fall2011.pdf)] - -### Workshop Materials -1. [News Paper](http://pentest.cryptocity.net/files/code_analysis/fall2011_hw2.c) [Simple Usage](http://pentest.cryptocity.net/files/code_analysis/fall2011_install.sh) -This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. These are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc. -2. [Siberia Crimeware Pack](http://pentest.cryptocity.net/files/code_analysis/siberia.zip) (Password: infected) -The Siberia kit contains live exploit code and will likely set off AV, however none of the exploit code is in a state where it would be harmful to your computer. 
In addition to all of the vulnerabilites have been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - -### Tools -1. [Source Navigator](http://sourcenav.sourceforge.net/) -2. [Scitools Understand](http://www.scitools.com/) -3. [List of tools for static code analysis](http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) - - -## Week 4: Web Security, Part 1 -This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. Topics to be covered are web application primer, Vuln. commonly found in web apps. (OWASP Top 10) and Basic web testing methodologies. - -### Lecture Materials -1. [Web Hacking 101](http://vimeo.com/32509769) [[slides](http://pentest.cryptocity.net/files/web/2011/Web%20Hacking%20Day%201%20-%202011.pdf)] - -### Workshop Materials -1. [Google Gruyere](http://google-gruyere.appspot.com/) - - -### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. [The Tangled Web](http://nostarch.com/tangledweb.htm) -3. 
[OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) - - -## Week 5: Web Security, Part 2 -In this session, we will continue with the second video on Web Hacking. We will then be using some more intentionally vulnerable web applications to identify and analyze the top ten vulnerabilities commonly found in the web applications You will be going through the steps of busticating a real site and throwing a fire sale using freely available tools. - -### Lecture Materials -1. [Web Hacking 102](http://vimeo.com/32550671) [[slides](http://pentest.cryptocity.net/files/web/2011/Web%20Hacking%20Day%202%20-%202011.pdf)] - -### Workshop Materials -1. [OWASP WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) -2. [Damn Vulnerable Web Application](http://www.dvwa.co.uk/) - - -### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. [The Tangled Web](http://nostarch.com/tangledweb.htm) -3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) - - -## Week 6: Reverse Engineering, Part 1 -This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. This is exactly what two of world's best reverse engineers are going to teach you. - -### Lecture Videos -1. [Reverse Engineering 101](http://vimeo.com/6764570) -2. [Reverse Engineering 102](http://vimeo.com/30076325) [[slides](http://pentest.cryptocity.net/files/reversing/sotirov-re-fall2011.pdf)] - -### Workshop Materials -1. [Challenge Application](http://128.238.66.181/easy32) - -### Resources -1. 
[Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](http://pentest.cryptocity.net/files/reversing/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf) -5. [IDA Pro Shortcuts](http://pentest.cryptocity.net/files/reversing/IDA_Pro_Shortcuts.pdf) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 7: Reverse Engineering, Part 2 -Picking up from previous session, we will watch the last video on Reverse Engineering, and present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. You'll use static analysis tools like IDA and varied dynamic analysis to analyze the binary and get a complete understanding of the application. - -### Lecture Videos -1. [Dynamic Reverse Engineering](http://vimeo.com/30594548) [[slides](http://pentest.cryptocity.net/files/reversing/2011/dynamic_reversing_2011.pdf)] - -### Workshop Materials -1. [demo.exe](http://pentest.cryptocity.net/files/exploitation/demo.zip) (Password: infected) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. 
[x86 Win32 Reverse Engineering Cheatsheet](http://pentest.cryptocity.net/files/reversing/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf) -5. [IDA Pro Shortcuts](http://pentest.cryptocity.net/files/reversing/IDA_Pro_Shortcuts.pdf) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 8: Reverse Engineering, Part 3 -In this session we will cover [Introductory Intel x86: Architecture, Assembly, Applications, and Alliteration by Xeno Kovah](http://www.opensecuritytraining.info/IntroX86.html) from [OpenSecurityTraining](http://www.opensecuritytraining.info/Welcome.html). Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 50% of the time will be spent learning Windows/Linux tools and analysis of "simple" programs. - -### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) - -### Workshop Materials -1. [CMU Bomb Lab](http://csapp.cs.cmu.edu/public/1e/bomb.tar) (Linux/IA32 binary) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. 
[x86 Win32 Reverse Engineering Cheatsheet](http://pentest.cryptocity.net/files/reversing/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf) -5. [IDA Pro Shortcuts](http://pentest.cryptocity.net/files/reversing/IDA_Pro_Shortcuts.pdf) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 9: Reverse Engineering, Part 4 -Picking up from the last week's session, we will continue to explore the world of x86. This is going to be a workshop were we will write programs at assembly level. Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames. - -### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) - -### Workshop Materials -1. [Write readFile.c in x86 by hand](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week9) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](http://pentest.cryptocity.net/files/reversing/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf) -5. [IDA Pro Shortcuts](http://pentest.cryptocity.net/files/reversing/IDA_Pro_Shortcuts.pdf) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. 
[Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 10: Exploitation, Part 1 -In this week's session, we will go over some advanced concepts related to computer security. Dino Dai Zovi will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. We will also look at exploitation mitigation that your current OS implements, it's not 1988 anymore. Finally, we will look at some techniques used to bypass modern mitigations. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](http://pentest.cryptocity.net/files/exploitation/2011/memory_corruption_101.pdf)] - -### Workshop Materials -1. [Vulnerable Application](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week10) - -### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) - - -## Week 11: Exploitation, Part 2 -Picking up from the last session, we will finish watching Dino Dai Zovi's lecture and do a live exploitation of a vulnerable program. We will go through all the steps that Dino explained in his lecture to write a control flow hijacking exploit and take over the program. 
Once we are done with 1990's style exploitation, we will re-compile the program with modern mitigation technologies and look at various techniques used to bypass these mitigation's. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](http://pentest.cryptocity.net/files/exploitation/2011/memory_corruption_101.pdf)] - -### Workshop Materials -1. [demo.exe](http://pentest.cryptocity.net/files/exploitation/demo.zip) (Password: infected) - -### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) - -### More Challenges -1. [Gera's Insecure Programming by Example](http://community.corest.com/~gera/InsecureProgramming/) -2. [Exploit-Exercises](http://exploit-exercises.com/) - - -## Week 12: Post-Exploitation -In this week, we will cover post-exploitation. Post-exploitation is the stage in the intrusion kill chain wherein the attacker uses persistence techniques after the victim's system is compromised to maintain his/her presence on the machine. In addition the attacker also wants his presence to be hidden, this includes evading antivirus software, covering his/her tracks, etc. We will look at various techniques used by attackers to achieve the aforementioned goals. - -### Lecture Material -1. [Post Exploitation](http://vimeo.com/33344191) - -### Workshop Material -As shown in the lecture video, setup two VM’s. One VM will have metasploit running, backtrack is preferred and the other machine will be a Windows box. Preferred, win xp professional or win 7 professional. -Use the psexec module available in metasploit to gain access to the Windows box. 
Once, you have a meterpreter session available, apply different techniques demonstrated in the lecture like getting the password hash of Administrator, so that you can re-login as Administrator which gives you elevated privileges. - -Having a meterpreter session open isn’t necessarily good enough. For instance, run cmd.exe in windows box; get back to your meterpreter session and find the pid of cmd.exe using “ps” command. Once you are able to figure out the pid, use the migrate command to switch to that process. Now, close the command prompt in the windows box. Do you still have the session open? What do you think a stable process might be to migrate? - -If you have found the stable process that you as an attacker want to migrate to, chances are your persistence is good. Although, this may not be the case if the victim restarts his machine. What do you think a better approach would be to keep your connection persistent, even after several reboots? Try to use this method and see for yourself, if you have a persistent connection or not. - -### Resources -1. [Symantec Stuxnet Dossier](http://pentest.cryptocity.net/files/operations/references/w32_stuxnet_dossier.pdf) -2. [Useful References](http://pentest.cryptocity.net/operations/references.html) - - -## Week 13: Application Security -In this, the last session of Hack Night. We will be going over Fuzzing and later have a short discussion on what you can do to continue improving your skills. Fuzzing is a black box software testing technique, which consists of finding implementation bugs by manipulating input data sent to an application automatically. We will go over different types of fuzzing, various methods used for fuzzing, and finally the process of "smart" fuzzing. - -### Lecture Material -1. [Fuzzing](https://vimeo.com/7574602) - -### Workshop Materials -1. [fuzz.py](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week13) -2. 
[HaikuSyscallFuzzer](https://github.com/isislab/HaikuSyscallFuzzer) - -### Resources -1. [Fuzzing](https://github.com/isislab/Project-Ideas/wiki/Fuzzing) -2. [Useful References](http://pentest.cryptocity.net/fuzzing/references.html) - - -## Conclusion -Hack Night is designed to culminate in each student developing some kind of deliverable related to computer security, the goal being that everyone leaves the program with more knowledge about security. - -### Research and Projects -1. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -2. [Project Ideas Wiki](https://github.com/isislab/Project-Ideas/wiki) diff --git a/2015-Fall/.DS_Store b/2015-Fall/.DS_Store deleted file mode 100644 index 5008ddf..0000000 Binary files a/2015-Fall/.DS_Store and /dev/null differ diff --git a/2015-Fall/Binary_Exploitation/Makefile b/2015-Fall/Binary_Exploitation/Makefile deleted file mode 100644 index da02e81..0000000 --- a/2015-Fall/Binary_Exploitation/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -EXEC = -z execstack -RM_COOK = -fno-stack-protector - -all: exploit_1 exploit_2 exploit_3 exploit_4 - -exploit_1: exploit_1.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_1 exploit_1.c - -exploit_2: exploit_2.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_2 exploit_2.c - -exploit_3: exploit_3.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_3 exploit_3.c - -exploit_4: exploit_4.c - gcc $(NOCANARY) -O0 -o exploit_4 exploit_4.c - -exploit_5: exploit_5.c - gcc $(NOCANARY) -O0 -o exploit_5 exploit_5.c diff --git a/2015-Fall/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf b/2015-Fall/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf deleted file mode 100644 index 25f8a26..0000000 Binary files a/2015-Fall/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf and /dev/null differ diff --git a/2015-Fall/Binary_Exploitation/README.md b/2015-Fall/Binary_Exploitation/README.md deleted file mode 100644 index 49f62b7..0000000 --- a/2015-Fall/Binary_Exploitation/README.md +++ /dev/null 
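Review bot: Before the 2014-Spring README is deleted outright, tag the pre-deletion commit or move the file under an archive directory so the syllabus stays reachable: its Week 9, Week 10 and Week 13 Workshop Materials entries link back into this repository's 2013-Fall tree (…/tree/master/2013-Fall/week9, week10 and week13), and if that tree is being removed in the same change these lines are the only record of which in-repo files those exercises used. The Logistics section (contact address, meeting time and room) and the Siberia handling instructions in Week 3 are likewise lost with no replacement named in the diff.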
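Review bot: The Binary_Exploitation Makefile hunk has a pre-existing defect worth recording if this material is relocated rather than dropped: the exploit_4 and exploit_5 rules use `$(NOCANARY)`, which is never defined (only EXEC and RM_COOK are), so those two targets silently build with the toolchain's default stack protector and non-executable stack instead of the intended `-z execstack -fno-stack-protector`, and exploit_5 is also missing from the `all:` target. The fix is to replace `$(NOCANARY)` with `$(EXEC) $(RM_COOK)` on both lines and add exploit_5 to `all`.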
@@ -1,35 +0,0 @@ -## Exploitation Part 1 - -### Part 1 - Straight up Overflow -Changing Stack Based Variables with a Buffer Overflow -#### Task -Get authenticated -#### Resources -* -* - -### Part 2 - Change Saved EIP -Changing Program Execution Flow with Stack Based Buffer Overflow -#### Task -Make the program execute code that it would otherwise would not have executed -#### Resources -* - -### Part 3 - Execute Shellcode -Changing Program Execution Flow by Returning to User Controlled Data with a Stack Based Buffer Overflow -#### Task -Make the program execute code (shellcode) by tricking the program into thinking that your input is a function pointer - -### Part 4 - ROP -Changing Program Execution Flow by Chaining Together Existing Code from the Program with a Stack Based Buffer Overflow -#### Task -Make the program execute certain functions in a sequential order -#### Resources -* - -### Part 5 - Return to Libc -Changing Program Execution Flow by Performing a Return To Libc attack with a Stack Based Buffer Overflow -#### Task -Modify the program's GOT in order to trick the program into calling a series of ROP gadgets which end up spawning a shell -#### Resources -* diff --git a/2015-Fall/Binary_Exploitation/brute_cookie.c b/2015-Fall/Binary_Exploitation/brute_cookie.c deleted file mode 100644 index afc01a7..0000000 --- a/2015-Fall/Binary_Exploitation/brute_cookie.c +++ /dev/null 
@@ -1,95 +0,0 @@ -#include -#include -#include -#include - -#include -#include -#include -#include - -#define KEYFILESIZE 41 -#define BUFF_SIZE 0X1000 -#define PORTNO 12345 - - -void readKey(sock){ - char buf[KEYFILESIZE]; - FILE* keyFile=fopen("./key","r"); - fread(buf,1,KEYFILESIZE,keyFile); - write(sock,buf,KEYFILESIZE); - return; -} - -void firstFunc(int FD){ - char buf[BUFF_SIZE]; - int cookie=*(int*)(buf+0x1000); - printf("cookie: %x\n",cookie); //the server operator gets this info - read(FD,buf,BUFF_SIZE*2); //overflow the buffer 2x - return; -} - -int servlet(int fd){ - char greetings[BUFF_SIZE]; - sprintf(greetings,"Greetings client #%d\n",fd); - write(fd,greetings,strlen(greetings)); - firstFunc(fd); - char* sorry="Sorry :(\nDid you hear about nginx getting owned in July?"; - write(fd,sorry,strlen(sorry)); - return 0; -} - -int main(int argc, char *argv[]) -{ - //char buffer[BUFFER_SIZE]; - int sockfd, newsockfd, portno, pid; - socklen_t clilen; - struct sockaddr_in serv_addr, cli_addr; - - /* if (argc < 2) { */ - /* fprintf(stderr,"ERROR, no port provided\n"); */ - /* exit(1); */ - /* } */ - - sockfd = socket(AF_INET, SOCK_STREAM, 0); - if (sockfd < 0){ - perror("ERROR opening socket"); - exit(1); - } - bzero((char *) &serv_addr, sizeof(serv_addr)); - // portno = atoi(argv[1]); - serv_addr.sin_family = AF_INET; - serv_addr.sin_addr.s_addr = INADDR_ANY; - serv_addr.sin_port = htons(PORTNO); - if (bind(sockfd, (struct sockaddr *) &serv_addr, - sizeof(serv_addr)) < 0){ - perror("ERROR on binding"); - exit(1); - } - listen(sockfd,5); - clilen = sizeof(cli_addr); - while (1) { - newsockfd = accept(sockfd, - (struct sockaddr *) &cli_addr, &clilen); - if (newsockfd < 0){ - perror("ERROR on accept"); - exit(1); - } - pid = fork(); - if (pid < 0){ - perror("ERROR on fork"); - exit(1); - } - if (pid == 0) { - close(sockfd); - servlet(newsockfd); - exit(0); - } - //make sure to wait at some point to avoid zombies - else close(newsockfd); - waitpid(-1, NULL, 
WNOHANG); - } - close(sockfd); - return 0; -} - diff --git a/2015-Fall/Binary_Exploitation/disable_aslr.sh b/2015-Fall/Binary_Exploitation/disable_aslr.sh deleted file mode 100644 index e93248e..0000000 --- a/2015-Fall/Binary_Exploitation/disable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 0 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2015-Fall/Binary_Exploitation/enable_aslr.sh b/2015-Fall/Binary_Exploitation/enable_aslr.sh deleted file mode 100644 index 7c0a39e..0000000 --- a/2015-Fall/Binary_Exploitation/enable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 2 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2015-Fall/Binary_Exploitation/exploit_1/Makefile b/2015-Fall/Binary_Exploitation/exploit_1/Makefile deleted file mode 100644 index 874bf96..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_1/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_1: exploit_1.c - gcc -o exploit_1 exploit_1.c -m32 -O0 -z execstack -fno-stack-protector diff --git a/2015-Fall/Binary_Exploitation/exploit_1/exploit_1.c b/2015-Fall/Binary_Exploitation/exploit_1/exploit_1.c deleted file mode 100644 index b8d874c..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_1/exploit_1.c +++ /dev/null 
@@ -1,152 +0,0 @@ -/* - * Part 1 - Changing Stack Based Variables with a Buffer Overflow - * Task - Get authenticated - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -unsigned int BUFFER_SIZE = 0x16; - -void getPassword(char* password) { - FILE *fp; - fp = fopen("password.txt", "r"); - if(!fp){ - printf("Can't authenticate without a password file\n"); - exit(1); - } - fscanf(fp, "%s", password); - // printf("The password is: %s\n", password ); -} - -void printStack(int **stack, int* loggedIn, char* buffer) { - int **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((int *) stackAddress == loggedIn) - printf(" <-- loggedIn"); - if ((char *) stackAddress == buffer) - printf(" <-- enteredPassword"); - printf("\n"); - } - printf("\n"); -} - -int authenticateUser() { - // Notice the position of loggedIn in relation - // to the buffers were we can input data - // Note: integers on a 32bit system are 4 bytes - // while individual characters are only 1 byte - struct variables { - char password[16]; - char enteredPassword[16]; - int loggedIn; - } vars; - int **stack; - - vars.loggedIn = 0; - memset(vars.enteredPassword, 0, sizeof(vars.enteredPassword)); - memset(vars.password, 0, sizeof(vars.password)); - - // Basically, our stack from for this function will look - // like: - // TOP OF STACK (lower addresses) Data goes into buffers going down: - // ------------------------------- || - // | ... | || - // ------------------------------- \ || / - // | | \||/ - // | password (16 bytes) | \/ - // | | - // ------------------------------- When you read data to the stack, - // | | the data goes into the buffer downwards. - // | enteredPassword (16 bytes) | That is, data gets filled into the buffer - // | | moving away from the top of the stack - // ------------------------------- to the bottom of the stack. 
- // | loggedIn (4 bytes) | - // ------------------------------- - // | ... | - // ------------------------------- - // BOTTOM OF STACK (higher addresses) - - // Ask the user for their username and password - // - // How much data are we reading into each - // stack based buffer? - // Note: The c read function is defined as: - // read(int fileDescriptor, char* destination, unsinged int amountToRead) - getPassword(vars.password); - - puts("\nPassword: "); - fgets(vars.enteredPassword, BUFFER_SIZE, stdin); - - // Get rid of the trailing newline character - size_t len = strlen(vars.enteredPassword) - 1; - if (vars.enteredPassword[len] == '\n') - vars.enteredPassword[len] = '\0'; - - if (DEBUG) { - printf("loggedIn = (decimal) %d = (hex) %x\n", vars.loggedIn, vars.loggedIn); - } - - puts(""); - - // Load the password from a file into memory - - - if (DEBUG) { - stack = (int **) (&stack); - printStack(stack, &vars.loggedIn, vars.enteredPassword); - } - - puts("Checking to see if the user's account is legit..."); - if (strcmp(vars.password, vars.enteredPassword) == 0) { - vars.loggedIn = 1; - } else { - // What is the difference between having this line - // and not having this line? What can we do since - // this line is not actually a part of the program? 
- // - // loggedIn = 0; - } - - // If loggedIn has anything but 0, then the user is logged in - if (vars.loggedIn) return 1; - // ...else we say that they are not logged in - else return 0; -} - -void printFlag() { - FILE *fp; - char flag[64]; - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - - -int main() { - puts("Welcome to the Login Portal -_-"); - - int authenticated = authenticateUser(); - - if (authenticated) { - puts("Hello, would you like to play a game?\n"); - puts("Oh, I guess you already won it lol\n"); - printFlag(); - } else { - puts("Sorry, I don't know who you are.\n"); - } -} - diff --git a/2015-Fall/Binary_Exploitation/exploit_1/flag b/2015-Fall/Binary_Exploitation/exploit_1/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_1/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Fall/Binary_Exploitation/exploit_1/password.txt b/2015-Fall/Binary_Exploitation/exploit_1/password.txt deleted file mode 100644 index f52de66..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_1/password.txt +++ /dev/null @@ -1 +0,0 @@ -ima_password diff --git a/2015-Fall/Binary_Exploitation/exploit_2/Makefile b/2015-Fall/Binary_Exploitation/exploit_2/Makefile deleted file mode 100644 index 9194794..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_2/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_2: exploit_2.c - gcc -o exploit_2 exploit_2.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2015-Fall/Binary_Exploitation/exploit_2/exploit_2.c b/2015-Fall/Binary_Exploitation/exploit_2/exploit_2.c deleted file mode 100644 index 758dc05..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_2/exploit_2.c +++ /dev/null 
@@ -1,111 +0,0 @@ -/* - * Part 2 - Changing Program Execution Flow with Stack Based - * Buffer Overflow - * Task - Make the program execute code that it would otherwise - * would not have executed - * */ - -#include -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 64 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void doSomethingDifferent() { - FILE *fp; - char flag[BUFF_SIZE]; - - puts("Nice! 
You did something different for a change"); - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - -void doSomething() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: doSomething\n"); - // Let the person know where the doSomethingDifferent function is - // located - printf("The doSomethingDifferent function is located at: %p\n", doSomethingDifferent); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - read(0, buffer, 512); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: doSomething"); - } -} - -void doSomethingWithoutDebugInfo() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - fgets(buffer, deadbeef - cafebabe, stdin); - - printf("\n"); -} - -int main() { - doSomething(); - - puts("I don't think you did anything different :C"); - - return 0; -} - diff --git a/2015-Fall/Binary_Exploitation/exploit_2/flag b/2015-Fall/Binary_Exploitation/exploit_2/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_2/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} 
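Review bot: the top-level Binary_Exploitation/Makefile cannot build what it names: `exploit_4` and `exploit_5` use `$(NOCANARY)`, which is never defined (the defined variable is `RM_COOK`), so it expands to nothing and the canary setting falls back to the compiler default; `all` lists exploit_1..exploit_4 but not exploit_5; and every rule refers to `exploit_N.c` in the current directory while the sources live in `exploit_N/exploit_N.c`. The per-directory Makefiles also pass `-m32` for exploit_1..3, which this one omits, so the two build paths produce different binaries. Suggest replacing `$(NOCANARY)` with `$(RM_COOK)`, adding exploit_5 to `all`, and either fixing the paths or deleting this file in favour of the per-directory Makefiles.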
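Review bot: Binary_Exploitation/README.md has empty resource bullets (`* ` with no link) under Parts 1, 2, 4 and 5, and the Part 5 task ("Modify the program's GOT in order to trick the program into calling a series of ROP gadgets") describes a GOT overwrite rather than the return-to-libc the heading names; exploit_5.c itself offers only a stack overflow and an echo, no write primitive into the GOT. Either fill in or drop the empty bullets, and reword Part 5 to match what exploit_5.c actually lets the student do.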
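Review bot: in brute_cookie.c, `int cookie=*(int*)(buf+0x1000);` reads the four bytes immediately past the end of the 0x1000-byte `buf`; if this is the deliberate leak of whatever sits above the buffer (the stack cookie that the file name refers to, which stays constant across `fork()`ed children), say so in a comment, because as written it reads like a bug, and note that the file is not built by any Makefile so the flags it needs (`-fstack-protector`) are undocumented. Smaller points in the same hunk: `void readKey(sock)` declares an untyped parameter, `readKey` is never called, and `fopen("./key","r")` is dereferenced without a NULL check, so a missing key file crashes the child.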
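Review bot: in exploit_1.c, `size_t len = strlen(vars.enteredPassword) - 1;` underflows when `fgets` returns nothing (stdin closed), because the buffer is still all zeros, so `vars.enteredPassword[len]` indexes with `(size_t)-1`; guard with `if (len > 0)` or check the `fgets` return value. The intended overflow (BUFFER_SIZE is 0x16, so up to 21 bytes go into a 16-byte field and spill into `loggedIn`) is fine, but the comment block above it documents `read(int fileDescriptor, ...)` ("unsinged" is also a typo) while the code calls `fgets`, and the comment "Load the password from a file into memory" sits after the `getPassword` call it describes.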
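Review bot: in exploit_2.c, `doSomethingWithoutDebugInfo` is never called (the same is true of the `...WithoutDebugInfo` variants in exploit_3, 4 and 5), so the non-debug build path the names promise does not exist; either wire it behind `#if !DEBUG` or remove it. Its `fgets(buffer, deadbeef - cafebabe, stdin)` hides the read size in an arithmetic expression, which is worth a comment. The header comment also reads "would otherwise would not have executed".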
diff --git a/2015-Fall/Binary_Exploitation/exploit_3/Makefile b/2015-Fall/Binary_Exploitation/exploit_3/Makefile deleted file mode 100644 index 7ae74f8..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_3/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_3: exploit_3.c - gcc -o exploit_3 exploit_3.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2015-Fall/Binary_Exploitation/exploit_3/exploit_3.c b/2015-Fall/Binary_Exploitation/exploit_3/exploit_3.c deleted file mode 100644 index a03437d..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_3/exploit_3.c +++ /dev/null 
@@ -1,87 +0,0 @@ -/* - * Part 3 - Changing Program Execution Flow by Returning to User Controlled - * data with a Stack Based Buffer Overflow - * Task - Make the program execute code (shellcode) by tricking the program - * into thinking that your input is a function pointer - * */ - -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 128 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void gimmeSomeShellcode() { - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: gimmeSomeShellcode\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? 
- printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: gimmeSomeShellcode"); - } -} - -void gimmeSomeShellcodeWithoutDebugInfo() { - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - gimmeSomeShellcode(); - - puts("I don't think you poped a shell :C"); - - return 0; -} - diff --git a/2015-Fall/Binary_Exploitation/exploit_3/flag b/2015-Fall/Binary_Exploitation/exploit_3/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_3/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Fall/Binary_Exploitation/exploit_4/Makefile b/2015-Fall/Binary_Exploitation/exploit_4/Makefile deleted file mode 100644 index a3f3855..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_4/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_4: exploit_4.c - gcc -o exploit_4 exploit_4.c -O0 -fno-stack-protector diff --git a/2015-Fall/Binary_Exploitation/exploit_4/exploit_4.c b/2015-Fall/Binary_Exploitation/exploit_4/exploit_4.c deleted file mode 100644 index 446d031..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_4/exploit_4.c +++ /dev/null 
@@ -1,103 +0,0 @@ -/* - * Part 4 - Changing Program Execution Flow by Chaining Together Existing - * Code from the Program with a Stack Based Buffer Overflow - * Task - Make the program execute certain functions in a sequential order - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -char command[8]; -void *function; - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -// Functions you should have in your ROP chain -void setCommand() { - strcpy(command, "/bin/sh\0"); -} - -void setFunction() { - function = system; -} - -void doTheThing() { - ((void(*)()) function)(command); -} - -void returnOrientedProgramming() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnOrientedProgramming\n"); - - printf("setCommand is at: %p\n", setCommand); - printf("setFunction is at: %p\n", setFunction); - printf("doTheThing is at: %p\n", doTheThing); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - // Can you make the next three lines alter the return address? 
- printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnOrientedProgramming"); - } -} - -void returnOrientedProgrammingWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - returnOrientedProgramming(); - - puts("I don't think you ropped enough"); - - return 0; -} - - diff --git a/2015-Fall/Binary_Exploitation/exploit_4/flag b/2015-Fall/Binary_Exploitation/exploit_4/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_4/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Fall/Binary_Exploitation/exploit_5/Makefile b/2015-Fall/Binary_Exploitation/exploit_5/Makefile deleted file mode 100644 index 86f38a8..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_5/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_5: exploit_5.c - gcc -o exploit_5 exploit_5.c -O0 -fno-stack-protector diff --git a/2015-Fall/Binary_Exploitation/exploit_5/exploit_5.c b/2015-Fall/Binary_Exploitation/exploit_5/exploit_5.c deleted file mode 100644 index b3c2524..0000000 --- a/2015-Fall/Binary_Exploitation/exploit_5/exploit_5.c +++ /dev/null 
@@ -1,84 +0,0 @@ -/* - * Part 5 - Changing Program Execution Flow by Performing a Return To Libc attack - * with a Stack Based Buffer Overflow - * Task - Modify the program's GOT in order to trick the program into calling a - * series of ROP gadgets which end up spawning a shell - * */ - -#include -#include -#include - -#define DEBUG 1 - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -void returnToLibc() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnToLibc\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnToLibc"); - } -} - -void returnToLibcWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - - printf("\n"); -} - -int main() { - returnToLibc(); - - puts("I don't think you returned to Libc :C"); - - return 0; -} - - - diff --git a/2015-Fall/Binary_Exploitation/exploit_5/flag b/2015-Fall/Binary_Exploitation/exploit_5/flag deleted file mode 100644 index ba7ee7e..0000000 
--- a/2015-Fall/Binary_Exploitation/exploit_5/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Fall/Intro_to_C/README.md b/2015-Fall/Intro_to_C/README.md deleted file mode 100644 index e63bce5..0000000 --- a/2015-Fall/Intro_to_C/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# Intro to the C Language -A basic introduction to C and the parts that pertain to reverse engineering and binary exploitation \ No newline at end of file diff --git a/2015-Fall/Malware/README.md b/2015-Fall/Malware/README.md deleted file mode 100644 index fb0e6a3..0000000 --- a/2015-Fall/Malware/README.md +++ /dev/null @@ -1,9 +0,0 @@ - -Python Keylogger - -[pykeylogger](https://github.com/amoffat/pykeylogger) - -Pupy - -[pupy](https://github.com/n1nj4sec/pupy) - diff --git a/2015-Fall/Pentesting/Metasploit_and_Disclosure.key b/2015-Fall/Pentesting/Metasploit_and_Disclosure.key deleted file mode 100644 index f4f332b..0000000 Binary files a/2015-Fall/Pentesting/Metasploit_and_Disclosure.key and /dev/null differ diff --git a/2015-Fall/Pentesting/Metasploit_and_Disclosure.pdf b/2015-Fall/Pentesting/Metasploit_and_Disclosure.pdf deleted file mode 100644 index 755f0f7..0000000 Binary files a/2015-Fall/Pentesting/Metasploit_and_Disclosure.pdf and /dev/null differ diff --git a/2015-Fall/Pentesting/README.md b/2015-Fall/Pentesting/README.md deleted file mode 100644 index 1c165a2..0000000 --- a/2015-Fall/Pentesting/README.md +++ /dev/null @@ -1,7 +0,0 @@ -### Setup -Please checkout the setup section [here](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/README.md) to be able to replicate the things to try - -[Metasploitable](https://information.rapid7.com/metasploitable-download.html?LS=1631875&CS=web) - -["Download](https://community.rapid7.com/docs/DOC-1875) - diff --git a/2015-Fall/Python_Exploitation/README.md b/2015-Fall/Python_Exploitation/README.md deleted file mode 100644 index f42d36a..0000000 
--- a/2015-Fall/Python_Exploitation/README.md +++ /dev/null @@ -1,14 +0,0 @@ -### Python examples of bad programming practice - -#### Learn Python -* Read through: - * [intro_to_python.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/intro_to_python.md) - * [beyond_math.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/beyond_math.md) - * [risky_python.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/risky_python.md) -* Want to learn more? Check [this out](learnpythonthehardway.org/book/) - -#### Homework -* Try to exploit all of the programs here -* If you get stuck on exec2, [read this writeup](https://hexplo.it/escaping-the-csawctf-python-sandbox/) -* Find the flags on this site: isislab.pythonanywhere.com -* The source code is in exploit_app/ diff --git a/2015-Fall/Python_Exploitation/beyond_math.md b/2015-Fall/Python_Exploitation/beyond_math.md deleted file mode 100644 index 063aa79..0000000 --- a/2015-Fall/Python_Exploitation/beyond_math.md +++ /dev/null 
@@ -1,33 +0,0 @@ -# Beyond Math -## Strings -In addition to math, Python also has what are known as strings. Strings are letters, words, sentences, paragraphs, or even essays. Anything that is based off of a letter is a string. - -For example, -```python -x = "string" -``` -stores the value "string" in x. - -As you've probably guessed, Python has an understanding of what kind of data it is working with at a given time. This is known as its typing system. Each type has its own special properties and rules about how it can be mixed with other types. It's somewhat similar to how Pokemon and their moves have types. - -For example, you can add two integers by doing `2 + 2` and you will receive 4. But adding two strings `"2"+"2"` will give you `"22"`. The addition operator combined or, as the cool kids call it, concatenated the strings together since adding strings together mathematically doesn't make sense. - -Then the question would be, how do strings and integers interact? - -Try `2 + "2"` - -You should receive something discussing a `TypeError`. This is because the string type and the integer type cannot be added together. It doesn't even make sense. - -Instead we can perform what's known as a cast and convert the type of one of the operands. We can use `int()` to convert the `"2" to 2` which is not a string and will be added together to get `4`. - -> #### int(x=0) -> Convert a number or string x to an integer, or return 0 if no arguments are given. If x is a number, it can be a plain integer, a long integer, or a floating point number. - - -Or we can cast the integer to a string with `str()` which converts `2` to `"2"` which will be concatenated to create `"22"`. - -> #### str(object="") -> Return a string containing a nicely printable representation of an object. - -In the above example we introduce the int() and str() built-in functions. These functions are bundled into Python and are there for your use. - 
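Review bot: exploit_3.c reads the shellcode with `fgets(buffer, 0x100, stdin)`, which stops at the first newline and appends a NUL, so neither the shellcode nor the overwritten return address may contain a 0x0a byte; the task text should state this, because it is the usual reason a student's payload "almost" works. The part also depends on the stack being executable (`-z execstack` in the Makefile) and on `disable_aslr.sh` having been run, and neither is mentioned in the README. "poped" should be "popped".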
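Review bot: exploit_4/Makefile builds without `-m32`, so on an x86-64 host this is a 64-bit binary, yet the debug output labels the slot "Saved EIP (return address)"; on x86-64 it is the saved RIP and every chain entry is 8 bytes, which matters for how the student packs the chain. Consider adding `-m32` for consistency with exploit_1..3 or renaming the label, and add `-no-pie` (or a pointer to `disable_aslr.sh`) so the printed addresses of `setCommand`, `setFunction` and `doTheThing` stay usable. `char buffer[0]` is a GCC extension and means every byte of the `fgets` is already past the buffer; a comment saying so would help.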
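Review bot: in exploit_5.c, `write(1, buffer, 0x100);` ignores how many bytes `read` returned, and since `buffer` is zero bytes long everything echoed beyond the input is stack content (saved frame pointer, return address) from this 64-bit build. If that leak is intended as the student's way to defeat ASLR, document it; otherwise write back only the bytes read (`n = read(...); write(1, buffer, n);`). The README's Part 5 also talks about modifying the GOT, which nothing in this file makes possible.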
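Review bot: in Pentesting/README.md the line `["Download](https://community.rapid7.com/docs/DOC-1875)` has a stray `"` inside the link text, so it does not render as a link; it should read `[Download](https://community.rapid7.com/docs/DOC-1875)`.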
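Review bot: in Python_Exploitation/README.md the link `[this out](learnpythonthehardway.org/book/)` has no scheme, so GitHub renders it as a relative path inside the repository; prefix it with `http://`.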
diff --git a/2015-Fall/Python_Exploitation/exec1.py b/2015-Fall/Python_Exploitation/exec1.py deleted file mode 100644 index 6f8fa6e..0000000 --- a/2015-Fall/Python_Exploitation/exec1.py +++ /dev/null @@ -1,3 +0,0 @@ -while True: - data = raw_input(">>> ") - exec data diff --git a/2015-Fall/Python_Exploitation/exec2.py b/2015-Fall/Python_Exploitation/exec2.py deleted file mode 100644 index aef4a28..0000000 --- a/2015-Fall/Python_Exploitation/exec2.py +++ /dev/null @@ -1,17 +0,0 @@ -banned = [ - "subprocess", - "kevin sucks", - "banned", - "cry sum more", - "sys" -] - -while True: - data = raw_input(">>> ") - - for no in banned: - if no.lower() in data.lower(): - print "No bueno" - break - else: # this means nobreak - exec data diff --git a/2015-Fall/Python_Exploitation/exploit_app/app.py b/2015-Fall/Python_Exploitation/exploit_app/app.py deleted file mode 100644 index d733d9e..0000000 --- a/2015-Fall/Python_Exploitation/exploit_app/app.py +++ /dev/null @@ -1,20 +0,0 @@ -from flask import Flask, render_template, request -app = Flask(__name__) - -# Try to print this out to you -flag = "flag{nice_you_won_:3}" -# If you get that, try to print out flag.txt -# HINT: If you get an error or debug page, read what it says -# HINT: you will have to use subprocess: -# http://stackoverflow.com/questions/4760215/running-shell-command-from-python-and-capturing-the-output - -@app.route('/', methods=['GET', 'POST']) -def do_thing(): - if request.method == 'POST': - out = eval(request.form["runme"]) - return render_template('index.html', output=out) - else: - return render_template('index.html', output=None) - -if __name__ == "__main__": - app.run(debug=True) diff --git a/2015-Fall/Python_Exploitation/exploit_app/flag.txt b/2015-Fall/Python_Exploitation/exploit_app/flag.txt deleted file mode 100644 index 64ea0bf..0000000 --- a/2015-Fall/Python_Exploitation/exploit_app/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{nice_you_can_print_files} 
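Review bot: the blocklist in exec2.py can be bypassed without any trick: "os" and "import" are not in `banned`, so `import os; print os.popen("id").read()` passes the substring check unchanged, while the "sys" entry incidentally blocks `os.system` and any identifier containing those three letters. If the exercise is meant to force the `__import__`/`getattr` approach described in the linked writeup, add "os" and "import" (and probably "popen" and "exec") to the list; if not, the README should say that the filter is only a speed bump.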
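Review bot: exploit_app/app.py runs with `app.run(debug=True)`, which enables the Werkzeug interactive debugger, so any exception raised inside `eval(request.form["runme"])` hands the visitor a Python console even if `eval` were removed; the hint "If you get an error or debug page, read what it says" relies on this. Add a comment stating that the app must only be run bound to localhost (the `app.run` default) on a throwaway machine, and reconcile that with the Python_Exploitation README, which points students at a publicly hosted copy.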
diff --git a/2015-Fall/Python_Exploitation/exploit_app/templates/index.html b/2015-Fall/Python_Exploitation/exploit_app/templates/index.html deleted file mode 100644 index f00cd29..0000000 --- a/2015-Fall/Python_Exploitation/exploit_app/templates/index.html +++ /dev/null @@ -1,33 +0,0 @@ - - - Fun with Python - - - - - -
-
-
-

JUST DO IT

-
-
-
- -
-
-
- - -
-
- {% if output %} -

Your output is...

- {{ output }} - {% endif %} -
-
-
- - - diff --git a/2015-Fall/Python_Exploitation/flag.txt b/2015-Fall/Python_Exploitation/flag.txt deleted file mode 100644 index 6e7a7df..0000000 --- a/2015-Fall/Python_Exploitation/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{lol_money} diff --git a/2015-Fall/Python_Exploitation/input1.py b/2015-Fall/Python_Exploitation/input1.py deleted file mode 100644 index c54929b..0000000 --- a/2015-Fall/Python_Exploitation/input1.py +++ /dev/null @@ -1,10 +0,0 @@ -import random - -x = random.randrange(100) - -y = input() -while x != y: - print "Nuh uh" - y = input() - -print "YOU DID IT :D" diff --git a/2015-Fall/Python_Exploitation/input2.py b/2015-Fall/Python_Exploitation/input2.py deleted file mode 100644 index 6119233..0000000 --- a/2015-Fall/Python_Exploitation/input2.py +++ /dev/null @@ -1,17 +0,0 @@ -print "Welcome to mystery math!" - -flag = "this_is_a_flag" - -# 1 byte = a number from 0 to 255 - -while True: - x = input("Enter number 1> ") - x = (x*x) + (ord(flag[0]) * ord(flag[1])) + (ord(flag[2]) * x) - print "x is =", x - y = input("Enter number 2> ") - print "y is =",y - if round(x) == round(x): - print "Here ya go! ", flag - exit(0) - else: - print "Your lucky number is ", x - y diff --git a/2015-Fall/Python_Exploitation/input3.py b/2015-Fall/Python_Exploitation/input3.py deleted file mode 100644 index e5ebb5b..0000000 --- a/2015-Fall/Python_Exploitation/input3.py +++ /dev/null 
@@ -1,35 +0,0 @@ -from random import randint - -def printpegs(code): - print " --------------------- " - print " |", - for c in code: - print c, "|", - print "" - print " --------------------- " - -print "Master Mind Game" - -flag = "this_is_a_flag" - -mm_code = (randint(0,9), randint(0,9), randint(0,9), randint(0,9), randint(0,9)) -print "I've set my code. Guess it!" - -print "Rules: You should input your guesses as 5 digits separated by commas." -print " I will respond by marking the correct digits with a 2, marking" -print " digits in the wrong place with a 1, and marking wrong digits 0." - -while True: - guess = input('guess> ') - if len(guess) != 5: - print "You must guess a 5-digit code!" - continue - - printpegs(guess) - - right = map(lambda x,y: (x == y) + (x in mm_code), guess, mm_code) - printpegs(right) - - if guess == mm_code: - print "You got it right!" - exit(0) diff --git a/2015-Fall/Python_Exploitation/input4.py b/2015-Fall/Python_Exploitation/input4.py deleted file mode 100644 index 3c276e4..0000000 --- a/2015-Fall/Python_Exploitation/input4.py +++ /dev/null @@ -1,29 +0,0 @@ -from os import path -del __builtins__.__dict__['__import__'] -del __builtins__.__dict__['reload'] - -print "Welcome to the food menu!" -choices = ( - ("Chicken Asada Burrito", 7.69, "caburrito.txt"), - ("Beef Chow Mein", 6.69, "beefchow.txt"), - ("MeatBurger Deluxe", 10.49, "no description"), - # ... -) - -def print_description(n): - print "" - if n >= len(choices): - print "No such item!" - elif not path.exists(choices[n][2]): - print "No description yet, but we promise it's tasty!" - else: - print open(choices[n][2]).read() - -def show_menu(): - for i in xrange(len(choices)): - print "[% 2d] $% 3.2f %s" % (i, choices[i][1], choices[i][0]) - -while True: - print "Which description do you want to read?" - show_menu() - print_description(input('> ')) \ No newline at end of file 
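Review bot: input1.py's lesson is that Python 2 `input()` evaluates the typed text in the script's own namespace, so typing `x` satisfies `while x != y` immediately; a one-line comment stating that this is the intended solve would make the exercise self-explanatory. Closing stdin raises `EOFError` from `input()` and crashes the loop, which is acceptable for a lab but worth a `try`/`except` if it is run unattended.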
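Review bot: in input2.py the check `if round(x) == round(x):` compares `x` with itself and is always true, so the flag is printed on the first iteration regardless of input; presumably `round(x) == round(y)` was meant, in which case `y` is also actually used. The comment "# 1 byte = a number from 0 to 255" refers to nothing in the surrounding code.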
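Review bot: in input3.py, `len(guess)` raises `TypeError` when the player types a bare number such as `12345`, crashing the game instead of printing the rules reminder; check `isinstance(guess, tuple)` before the length test. Because `input()` evaluates the text, entering `mm_code` also wins outright; if that is the intended solution, say so in a comment.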
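Review bot: in input4.py, deleting `__import__` and `reload` from `__builtins__` does not remove modules that are already referenced: `path` (from `from os import path`, the `posixpath` module on Linux) keeps `os` in its own namespace, so the import restriction can be walked around from `input()`; if that is the intended puzzle, a comment should mark it as such. `print_description` rejects `n >= len(choices)` but not negative `n`, so `-1` indexes from the end of `choices`.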
diff --git a/2015-Fall/Python_Exploitation/intro_to_python.md b/2015-Fall/Python_Exploitation/intro_to_python.md deleted file mode 100644 index 62bac19..0000000 --- a/2015-Fall/Python_Exploitation/intro_to_python.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Intro to Python // Setup -Python is one of the most popular programming languages in the world. It is a great introductory language praised for it's readability, ease of use, and versatility. -## Setup -You can download Python at [the Python website](https://www.python.org/downloads/), but if you use Linux, OSX, or something in that vein, you probably have a version of Python installed. You can go into your terminal and type in `python` to drop into the Python interpreter. - -If you're on Windows, download Python, install it, and find the IDLE program in your start menu. Run IDLE and you will find a similar environment. - -From within the Python interpreter we can interact with Python and play with code immediately. The interpreter can act as a playground for our code and by entering code and hitting Enter, we can immediately see the results of our code. -## First Steps -For example, try entering `2 + 2` and hit enter. You should get back `4`. Standard math right? - -Here we have two `2`'s. They are known to computer scientists as integers. We also have the `+` sign. This is known to computer scientists as an operator. - -Besides addition, we can do all sorts of math from within Python. -### Math -Python supports these mathematics operators: - -* `+` - addition `2 + 2` -* `-` - subtraction `4 - 2` or negation `-2` -* `*` - multiplication `2 * 2` -* `/` - children's division (rounds every number down) `5 / 3` -* `%` - remainder or, as the cool kids call it, modulus `5 % 3` -* `**` - exponent 2 ** 3 - -You can use Python as a rudimentary calculator using just these operators. - -We can also create variables in Python to store values. - -Try typing in `x = 2` and then typing in `print x` - -You should receive `2` - -`print` is a Python statement which outputs your data to what's known as `standard output`, `standard out`, or `stdout`. 
`print` is very valuable for seeing data that you've generated or for checking the value of a variable when debugging. - -### Variables and Assignment -Here we also introduce the idea of assignment. - -We are assigning the variable `x` the value of `2` by using the equals sign or assignment operator (`=`). In reality, Python's variables are more like names for data but that's a discussion for later. - -Now that we've assigned `x` the value of `2` we can perform operations on `x` as if it was `2`. That means instead of `2 + 2` you can type in `x + 2` and you will receive back `4`. - -We can also chain all these operators to do slightly more complex mathematics. `x = 2 + 3 * 6`. This expression evaluates out the value of `20` and stores it in `x`. Order of operations (PEMDAS) applies. We can be more explicit about the order and say `x = 2 + (3 * 6)`. - -And also if we wanted to do operations with x but not have to type it out twice (like this: `x = x + 2`) we can use a short cut by typing `x += 2`. This same shortcut can be done with all the other mathematics operators we've discussed. diff --git a/2015-Fall/Python_Exploitation/risky_python.md b/2015-Fall/Python_Exploitation/risky_python.md deleted file mode 100644 index 542dd62..0000000 --- a/2015-Fall/Python_Exploitation/risky_python.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Risky Python -There are some dangerous things that exist in Python that we want to avoid. - -Two of these are the function `eval()` and the statement exec. - -`eval()` interprets a string as code, essentially allowing a Python program to run Python code within itself. It evaluates an expression and returns the return value. - -`x = eval(2+2)` stores `4` in `x`. `eval()` also has access to all the already defined variables and existing functions. Essentially if it's an expression, `eval()` can evaluate it. - -`exec` is similar except it allows for the execution of statements and does not return anything. - -`exec "print 'asdf'"` will simply print `asdf`. - -Now although it may seem simple, and it is, what happens when we allow user input to go into `eval()` or `exec`? - -For example, the `input()` function takes user input and runs it through `eval()`. It's basically `eval(raw_input())`. - -How could `input()` be exploited to gain a shell on the system? We can't import other modules with the import keyword, but is there some way that we can import other modules without using the keyword? - -The answer is surprisingly, yes. - -`__import__('math')` will import the module and return it. Using that we can bring other code into the currently running script meaning we can bring things like the os module or even the code module to allow for higher level access. - -This `__import__()` trick can be used to take advantage of most `eval()`s that accepted unfiltered user input. - -Two other functions that can be used are the `locals()` and `globals()` functions. - -These functions allow us to see and set currently existing variables. - -###### Python introduction by Kevin Chung diff --git a/2015-Fall/README.md b/2015-Fall/README.md deleted file mode 100644 index df0d830..0000000 --- a/2015-Fall/README.md +++ /dev/null 
@@ -1,16 +0,0 @@ -# Hack Night - Fall 2015 - -## Topics -* Python Exploitation -* Network Reconnaissance -* Web Exploitation -* Introduction to C -* Reverse Engineering -* Binary Exploitation - -## Setup -In order to do most of the things talked about, you are going to need some sort of Linux virtual machine. First, if you don't already have one, you will need some sort of Virtual Machine software. We suggest either [VMware Player](https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0) (preferable if you have Windows), [VMware Fusion](http://www.vmware.com/products/fusion/) (preferable if you have a Mac), or [Virtual Box](https://www.virtualbox.org/) (any operating system and free). - -You will also need to download a linux distribution (our personal suggestion is [Kali Linux](https://www.offensive-security.com/kali-linux-vmware-arm-image-download/), just pick the download for the software you have), and [here's some reading about Linux](http://lifehacker.com/5778882/getting-started-with-linux-the-complete-guide)). - -You are going to want to learn a basic level of command line knowledge and for that you can check [this out](http://www.davidbaumgold.com/tutorials/command-line/). If you want a more in depth tutorial check [this out](https://www.codeacademy.com/courses/learn-the-command-line). diff --git a/2015-Fall/Recon_Networking/README.md b/2015-Fall/Recon_Networking/README.md deleted file mode 100644 index e7cd723..0000000 --- a/2015-Fall/Recon_Networking/README.md +++ /dev/null @@ -1 +0,0 @@ -# Recon / Networking diff --git a/2015-Fall/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx b/2015-Fall/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx deleted file mode 100644 index 9022c79..0000000 Binary files a/2015-Fall/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx and /dev/null differ 
diff --git a/2015-Fall/Recon_Networking/communicating-on-networks/README.md b/2015-Fall/Recon_Networking/communicating-on-networks/README.md deleted file mode 100644 index 45d0dc3..0000000 --- a/2015-Fall/Recon_Networking/communicating-on-networks/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Interacting with Computers on Networks - -## Slides -[Download](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Recon_Networking/communicating-on-networks/Interacting%20with%20Computers%20on%20Networks.pptx?raw=true) - -## Additional Resources -* [Introduction to Networking](http://www.net-intro.com/) (Recommended reading) -* [Using NetCat](https://www.digitalocean.com/community/tutorials/how-to-use-netcat-to-establish-and-test-tcp-and-udp-connections-on-a-vps) -* [Using NMAP Part 1](https://www.youtube.com/watch?v=Bn36zoApLm4) -* [Using NMAP Part 2](https://www.youtube.com/watch?v=nr10P55AlKc) - -## Things to Try -### Setup -Please checkout the setup section [here](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/README.md) to be able to replicate the things to try - -### Try it out -Note: When we tell you to type a command, disregard everything before the `#`. You should already see something similar in your terminal. -Open up a terminal (press ctrl+alt+t or click on the black icon on the top of the screen) and type: -```bash -ping 8.8.8.8 -``` -This command will try to talk to Google's Public DNS if you start seeing something like this: -```bash -root@kali:~# ping 8.8.8.8 -PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. -64 bytes from 8.8.8.8: icmp_req=1 ttl=128 time=2.93 ms -64 bytes from 8.8.8.8: icmp_req=2 ttl=128 time=2.91 ms -64 bytes from 8.8.8.8: icmp_req=3 ttl=128 time=3.08 ms -64 bytes from 8.8.8.8: icmp_req=4 ttl=128 time=2.82 ms -64 bytes from 8.8.8.8: icmp_req=5 ttl=128 time=2.80 ms -``` -Then you know that you are both connected to the Internet and Google's DNS Server is up :D - -If you want to see the path that your traffic takes from your computer to Google (what routers it goes to) try this: -```bash -root@kali:~# traceroute 8.8.8.8 -traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets - 1 172-16-76-2.DYNAPOOL.NYU.EDU (172.16.76.2) 0.234 ms 0.127 ms 0.141 ms - 2 * * * -... 
-``` -Note: you might get a lot of asterisks in your command output, that is most likely because one of the routers your traffic visits prevents you from doing `traceroute` on them. - -Netcat was also talked about during Hack Night and it is a really neat tool. To test out how it works try this: -1. Type this command: -``` -root@kali:~# nc www.google.com 80 -``` -2. Once you hit enter, it should look like it is trying to do something. This means that you are connected to Google and it is waiting for you to tell it to do something. So let's tell it to do something. Type the following and hit enter: -``` -GET / -``` -3. You should now see a bunch of HTML code streaming down your screen. You just visited Google's homepage! This is basically what your browser does everytime you tell it to get a page :D - -Another cool thing to try is opening another terminal window (press ctrl+shift+t) and typing: -``` -root@kali:~# nc -l -p 1337 127.0.0.1 -``` -And then click on the previous terminal window you were in and type: -``` -root@kali:~# nc 127.0.0.1 1337 -``` -And then start typing random words. Now check back at the new tab you opened. You should start seeing the same words poping up there. - -Essentially what you did was open a port on the localhost IP address (127.0.0.1 aka your computer). Netcat was then listening for any connections made to it. Once you connected to it and sent it somethings it printed them out. To stop them press ctrl+c in both terminal windows. - -Lastly, there was another cool tool called Nmap that was talked about. 
To test this out first have one terminal window open and type the same command from the last section: -``` -root@kali:~# nc -l -p 1337 127.0.0.1 -``` -In the other window type: -``` -root@kali:~# nmap -v -sT -p-2000 127.0.0.1 -``` -You should then see something similar to the follow: -``` -Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-12 16:23 EDT -Initiating Connect Scan at 16:23 -Scanning localhost (127.0.0.1) [2000 ports] -Discovered open port 111/tcp on 127.0.0.1 -Discovered open port 1337/tcp on 127.0.0.1 -Completed Connect Scan at 16:23, 0.03s elapsed (2000 total ports) -Nmap scan report for localhost (127.0.0.1) -Host is up (0.0014s latency). -Other addresses for localhost (not scanned): 127.0.0.1 -Not shown: 1998 closed ports -PORT STATE SERVICE -111/tcp open rpcbind -1337/tcp open waste - -Read data files from: /usr/bin/../share/nmap -Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds - Raw packets sent: 0 (0B) | Rcvd: 0 (0B) -``` -The command tells nmap to try to connect to all ports 1 to 2000 and it will report back with its results. -Notice that nmap found the 1337 port open? That is because you opened it yourself! - -If you followed along, you should by now have a good idea about what tools professionals use to test networks :D - diff --git a/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf b/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf deleted file mode 100644 index 3ef77d9..0000000 Binary files a/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf and /dev/null differ diff --git a/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx b/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx deleted file mode 100644 index c026a9d..0000000 Binary files a/2015-Fall/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx and /dev/null differ 
diff --git a/2015-Fall/Recon_Networking/mitm-wireless-hacking/README.md b/2015-Fall/Recon_Networking/mitm-wireless-hacking/README.md deleted file mode 100644 index d5fbfc1..0000000 --- a/2015-Fall/Recon_Networking/mitm-wireless-hacking/README.md +++ /dev/null @@ -1,14 +0,0 @@ -## Steps for Hacking People on a Network -do not do this on actual networks, only do this locally on your own network - -1. Get on the Network -[Cracking a WEP password](https://www.youtube.com/watch?v=RydsjNhUjdg) - -2. Find Computers and Steal their Traffic -[Intercepting people's traffic with a Man in the Middle attack](https://www.youtube.com/watch?v=TDhGpAZ5IGg) - -3. Getting Around Encrypted Traffic -[Getting to know SSLStrip](https://www.youtube.com/watch?v=MFol6IMbZ7Y) - -4. Look for Passwords in their Traffic -[Using Wireshark to find passwords](https://www.youtube.com/watch?v=r0l_54thSYU) diff --git a/2015-Fall/Recon_Networking/network-scanner/arp_scan.py b/2015-Fall/Recon_Networking/network-scanner/arp_scan.py deleted file mode 100644 index 20c263a..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/arp_scan.py +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env python - -import sys -from scapy.all import * - -if len(sys.argv) != 2: - print "Usage: python arp-scan.py 192.168.1.0/24" - sys.exit(1) - -try: - alive,dead=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]), timeout=2, verbose=0) - print "MAC - IP" - for i in range(0,len(alive)): - print alive[i][1].hwsrc + " - " + alive[i][1].psrc -except: - pass diff --git a/2015-Fall/Recon_Networking/network-scanner/arp_sniffer.c b/2015-Fall/Recon_Networking/network-scanner/arp_sniffer.c deleted file mode 100644 index 2f7c354..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/arp_sniffer.c +++ /dev/null 
@@ -1,118 +0,0 @@ -/* Simple ARP Sniffer. */ -/* Author: Luis Martin Garcia. luis.martingarcia [.at.] gmail [d0t] com */ -/* To compile: gcc arpsniffer.c -o arpsniff -lpcap */ -/* Run as root! */ -/* */ -/* This code is distributed under the GPL License. For more info check: */ -/* http://www.gnu.org/copyleft/gpl.html */ - -#include -#include -#include - -/* ARP Header, (assuming Ethernet+IPv4) */ -#define ARP_REQUEST 1 /* ARP Request */ -#define ARP_REPLY 2 /* ARP Reply */ -typedef struct arphdr { - u_int16_t htype; /* Hardware Type */ - u_int16_t ptype; /* Protocol Type */ - u_char hlen; /* Hardware Address Length */ - u_char plen; /* Protocol Address Length */ - u_int16_t oper; /* Operation Code */ - u_char sha[6]; /* Sender hardware address */ - u_char spa[4]; /* Sender IP address */ - u_char tha[6]; /* Target hardware address */ - u_char tpa[4]; /* Target IP address */ -}arphdr_t; - -#define MAXBYTES2CAPTURE 2048 - - - -int main(int argc, char *argv[]){ - - int i=0; - bpf_u_int32 netaddr=0, mask=0; /* To Store network address and netmask */ - struct bpf_program filter; /* Place to store the BPF filter program */ - char errbuf[PCAP_ERRBUF_SIZE]; /* Error buffer */ - pcap_t *descr = NULL; /* Network interface handler */ - struct pcap_pkthdr pkthdr; /* Packet information (timestamp,size...) */ - const unsigned char *packet=NULL; /* Received raw data */ - arphdr_t *arpheader = NULL; /* Pointer to the ARP header */ - memset(errbuf,0,PCAP_ERRBUF_SIZE); - -if (argc != 2){ - printf("USAGE: arpsniffer \n"); - exit(1); -} - /* Open network device for packet capture */ - if ((descr = pcap_open_live(argv[1], MAXBYTES2CAPTURE, 0, 512, errbuf))==NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Look up info from the capture device. 
*/ - if( pcap_lookupnet( argv[1] , &netaddr, &mask, errbuf) == -1){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Compiles the filter expression into a BPF filter program */ -if ( pcap_compile(descr, &filter, "arp", 1, mask) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - - /* Load the filter program into the packet capture device. */ - if (pcap_setfilter(descr,&filter) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - - - while(1){ - - if ( (packet = pcap_next(descr,&pkthdr)) == NULL){ /* Get one packet */ - fprintf(stderr, "ERROR: Error getting the packet.\n", errbuf); - exit(1); - } - - arpheader = (struct arphdr *)(packet+14); /* Point to the ARP header */ - - printf("\n\nReceived Packet Size: %d bytes\n", pkthdr.len); - printf("Hardware type: %s\n", (ntohs(arpheader->htype) == 1) ? "Ethernet" : "Unknown"); - printf("Protocol type: %s\n", (ntohs(arpheader->ptype) == 0x0800) ? "IPv4" : "Unknown"); - printf("Operation: %s\n", (ntohs(arpheader->oper) == ARP_REQUEST)? "ARP Request" : "ARP Reply"); - - /* If is Ethernet and IPv4, print packet contents */ - if (ntohs(arpheader->htype) == 1 && ntohs(arpheader->ptype) == 0x0800){ - printf("Sender MAC: "); - - for(i=0; i<6;i++) - printf("%02X:", arpheader->sha[i]); - - printf("\nSender IP: "); - - for(i=0; i<4;i++) - printf("%d.", arpheader->spa[i]); - - printf("\nTarget MAC: "); - - for(i=0; i<6;i++) - printf("%02X:", arpheader->tha[i]); - - printf("\nTarget IP: "); - - for(i=0; i<4; i++) - printf("%d.", arpheader->tpa[i]); - - printf("\n"); - - } - - } - -return 0; - -} -/* EOF */ diff --git a/2015-Fall/Recon_Networking/network-scanner/ping.py b/2015-Fall/Recon_Networking/network-scanner/ping.py deleted file mode 100644 index ee8f9b3..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/ping.py +++ /dev/null 
@@ -1,227 +0,0 @@ -#!/usr/bin/env python - -""" - A pure python ping implementation using raw socket. - - - Note that ICMP messages can only be sent from processes running as root. - - - Derived from ping.c distributed in Linux's netkit. That code is - copyright (c) 1989 by The Regents of the University of California. - That code is in turn derived from code written by Mike Muuss of the - US Army Ballistic Research Laboratory in December, 1983 and - placed in the public domain. They have my thanks. - - Bugs are naturally mine. I'd be glad to hear about them. There are - certainly word - size dependenceies here. - - Copyright (c) Matthew Dixon Cowles, . - Distributable under the terms of the GNU General Public License - version 2. Provided with no warranties of any sort. - - Original Version from Matthew Dixon Cowles: - -> ftp://ftp.visi.com/users/mdc/ping.py - - Rewrite by Jens Diemer: - -> http://www.python-forum.de/post-69122.html#69122 - - Rewrite by George Notaras: - -> http://www.g-loaded.eu/2009/10/30/python-ping/ - - Revision history - ~~~~~~~~~~~~~~~~ - - November 8, 2009 - ---------------- - Improved compatibility with GNU/Linux systems. - - Fixes by: - * George Notaras -- http://www.g-loaded.eu - Reported by: - * Chris Hallman -- http://cdhallman.blogspot.com - - Changes in this release: - - Re-use time.time() instead of time.clock(). The 2007 implementation - worked only under Microsoft Windows. Failed on GNU/Linux. - time.clock() behaves differently under the two OSes[1]. - - [1] http://docs.python.org/library/time.html#time.clock - - May 30, 2007 - ------------ - little rewrite by Jens Diemer: - - change socket asterisk import to a normal import - - replace time.time() with time.clock() - - delete "return None" (or change to "return" only) - - in checksum() rename "str" to "source_string" - - November 22, 1997 - ----------------- - Initial hack. 
Doesn't do much, but rather than try to guess - what features I (or others) will want in the future, I've only - put in what I need now. - - December 16, 1997 - ----------------- - For some reason, the checksum bytes are in the wrong order when - this is run under Solaris 2.X for SPARC but it works right under - Linux x86. Since I don't know just what's wrong, I'll swap the - bytes always and then do an htons(). - - December 4, 2000 - ---------------- - Changed the struct.pack() calls to pack the checksum and ID as - unsigned. My thanks to Jerome Poincheval for the fix. - - - Last commit info: - ~~~~~~~~~~~~~~~~~ - $LastChangedDate: $ - $Rev: $ - $Author: $ -""" - - -import os, sys, socket, struct, select, time - -# From /usr/include/linux/icmp.h; your milage may vary. -ICMP_ECHO_REQUEST = 8 # Seems to be the same on Solaris. - - -def checksum(source_string): - """ - I'm not too confident that this is right but testing seems - to suggest that it gives the same answers as in_cksum in ping.c - """ - sum = 0 - countTo = (len(source_string)/2)*2 - count = 0 - while count> 16) + (sum & 0xffff) - sum = sum + (sum >> 16) - answer = ~sum - answer = answer & 0xffff - - # Swap bytes. Bugger me if I know why. - answer = answer >> 8 | (answer << 8 & 0xff00) - - return answer - - -def receive_one_ping(my_socket, ID, timeout): - """ - receive the ping from the socket. 
- """ - timeLeft = timeout - while True: - startedSelect = time.time() - whatReady = select.select([my_socket], [], [], timeLeft) - howLongInSelect = (time.time() - startedSelect) - if whatReady[0] == []: # Timeout - return - - timeReceived = time.time() - recPacket, addr = my_socket.recvfrom(1024) - icmpHeader = recPacket[20:28] - type, code, checksum, packetID, sequence = struct.unpack( - "bbHHh", icmpHeader - ) - if packetID == ID: - bytesInDouble = struct.calcsize("d") - timeSent = struct.unpack("d", recPacket[28:28 + bytesInDouble])[0] - return timeReceived - timeSent - - timeLeft = timeLeft - howLongInSelect - if timeLeft <= 0: - return - - -def send_one_ping(my_socket, dest_addr, ID): - """ - Send one ping to the given >dest_addr<. - """ - dest_addr = socket.gethostbyname(dest_addr) - - # Header is type (8), code (8), checksum (16), id (16), sequence (16) - my_checksum = 0 - - # Make a dummy heder with a 0 checksum. - header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, ID, 1) - bytesInDouble = struct.calcsize("d") - data = (192 - bytesInDouble) * "Q" - data = struct.pack("d", time.time()) + data - - # Calculate the checksum on the data and the dummy header. - my_checksum = checksum(header + data) - - # Now that we have the right checksum, we put that in. It's just easier - # to make up a new header than to stuff it into the dummy. - header = struct.pack( - "bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), ID, 1 - ) - packet = header + data - my_socket.sendto(packet, (dest_addr, 1)) # Don't know about the 1 - - -def do_one(dest_addr, timeout): - """ - Returns either the delay (in seconds) or none on timeout. - """ - icmp = socket.getprotobyname("icmp") - try: - my_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, icmp) - except socket.error, (errno, msg): - if errno == 1: - # Operation not permitted - msg = msg + ( - " - Note that ICMP messages can only be sent from processes" - " running as root." 
- ) - raise socket.error(msg) - raise # raise the original error - - my_ID = os.getpid() & 0xFFFF - - send_one_ping(my_socket, dest_addr, my_ID) - delay = receive_one_ping(my_socket, my_ID, timeout) - - my_socket.close() - return delay - - -def verbose_ping(dest_addr, timeout = 2, count = 4): - """ - Send >count< ping to >dest_addr< with the given >timeout< and display - the result. - """ - for i in xrange(count): - print "ping %s..." % dest_addr, - try: - delay = do_one(dest_addr, timeout) - except socket.gaierror, e: - print "failed. (socket error: '%s')" % e[1] - break - - if delay == None: - print "failed. (timeout within %ssec.)" % timeout - else: - delay = delay * 1000 - print "get ping in %0.4fms" % delay - print - - -if __name__ == '__main__': - verbose_ping("heise.de") - verbose_ping("google.com") - verbose_ping("a-test-url-taht-is-not-available.com") - verbose_ping("192.168.1.1") diff --git a/2015-Fall/Recon_Networking/network-scanner/scanner.cpp b/2015-Fall/Recon_Networking/network-scanner/scanner.cpp deleted file mode 100644 index c8365e0..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/scanner.cpp +++ /dev/null 
@@ -1,131 +0,0 @@ -/* - * Scans ports on a given IP - * */ - -#include -#include -#include -#include -#include -#include -#include - -static bool port_is_open(const std::string& address, int port) -{ - return (sf::SocketTCP().connect(address, port) == sf::Socket::Done); -} - -static std::vector split(const std::string& string, - char delimiter = ' ', - bool allow_empty = false) -{ - std::vector tokens; - std::stringstream sstream(string); - std::string token; - while (std::getline(sstream, token, delimiter)) { - if (allow_empty || token.size() > 0) - tokens.push_back(token); - } - return tokens; -} - -static int string_to_int(const std::string& string) -{ - std::stringstream sstream(string); - int i; - sstream >> i; - return i; -} - -template -static void swap(T& a, T& b) -{ - T c = a; - a = b; - b = c; -} - -template -static std::vector range(T min, T max) -{ - if (min > max) - swap(min, max); - if (min == max) - return std::vector(1, min); - std::vector values; - for (; min <= max; ++min) - values.push_back(min); - return values; -} - -static std::vector parse_ports_list(const std::string& list) -{ - std::vector ports; - for (const std::string& token : split(list, ',')) { - std::vector strrange = split(token, '-'); - switch (strrange.size()) { - case 0: ports.push_back(string_to_int(token)); break; - case 1: ports.push_back(string_to_int(strrange[0])); break; - case 2: - { - int min = string_to_int(strrange[0]), - max = string_to_int(strrange[1]); - for (int port : range(min, max)) - ports.push_back(port); - break; - } - default: - break; - } - } - return ports; -} - -template -static T maximum(const std::vector& values) -{ - T max = values[0]; - for (T value : values) { - if (value > max) - max = value; - } - return max; -} - -template -static size_t digits(T value) -{ - size_t count = (value < 0) ? 
1 : 0; - if (value == 0) - return 0; - while (value) { - value /= 10; - ++count; - }; - return count; -} - -int main(int argc, char* argv[]) -{ - std::string address; - std::vector ports; - if (argc == 3) { - address = argv[1]; - ports = parse_ports_list(std::string(argv[2])); - } else { - std::string port_list; - std::cout << "Address: " << std::flush; - std::getline(std::cin, address); - std::cout << "Port: " << std::flush; - std::getline(std::cin, port_list); - ports = parse_ports_list(port_list); - } - std::cout << "Showing open ports on " << address << "...\n"; - size_t width = digits(maximum(ports)); - for (int port : ports) { - if (port_is_open(address, port)) - std::cout << "Port " << std::setw(width) << port << " : OPEN\n"; - } - std::cout << std::flush; - return 0; -} diff --git a/2015-Fall/Recon_Networking/network-scanner/scanner.py b/2015-Fall/Recon_Networking/network-scanner/scanner.py deleted file mode 100644 index a44c068..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/scanner.py +++ /dev/null 
@@ -1,52 +0,0 @@ - -# importing libraries to help us do math things and socket things -import socket, ping -from struct import unpack, pack - -# if any of these functions are confusing, read the socket documentation: -# https://docs.python.org/2.7/library/socket.html?highlight=socket#module-socket -my_ip = socket.gethostbyname(socket.gethostname()) -print "My computer IP address:", my_ip -my_deets = socket.gethostbyname_ex(socket.gethostname()) -print "My computer details:", my_deets - -# https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking -subnet_mask = "255.255.255.0" - -def ip2long(ip): - """ - Convert an IP string to long - """ - return unpack(">L", socket.inet_aton(ip))[0] - -def long2ip(ip): - """ - Convert a long to IP string - """ - return socket.inet_ntoa(pack('!L', ip)) - -# Applying the subnet mask to our IP -addr = ip2long(my_ip) -mask = ip2long("255.255.255.0") -prefix = addr & mask - -print "Base address for network", long2ip(prefix) - -# Get the number of possible computers on our network -all_computers = ip2long("255.255.255.255") -num_computers = all_computers ^ mask - -# Go through each computer -for ip_suffix in range(num_computers): - # Try to ping a computer on the network - test_ip = long2ip(prefix + ip_suffix) - try: - print "[*] Checking to see if host is up..." - timeout = ping.do_one(test_ip, 1) - print timeout - if timeout != None: - print "[+] Host is there:", test_ip - print "-"*100 - except socket.error, e: - print "[-] Host not there:", test_ip - diff --git a/2015-Fall/Recon_Networking/network-scanner/simple_listener.c b/2015-Fall/Recon_Networking/network-scanner/simple_listener.c deleted file mode 100644 index 5353518..0000000 --- a/2015-Fall/Recon_Networking/network-scanner/simple_listener.c +++ /dev/null 
@@ -1,78 +0,0 @@ -/* Simple Raw Sniffer */ -/* Author: Luis Martin Garcia. luis.martingarcia [.at.] gmail [d0t] com */ -/* To compile: gcc simplesniffer.c -o simplesniffer -lpcap */ -/* Run as root! */ -/* */ -/* This code is distributed under the GPL License. For more info check: */ -/* http://www.gnu.org/copyleft/gpl.html */ - -#include -#include -#include - -#define MAXBYTES2CAPTURE 2048 - - -/* processPacket(): Callback function called by pcap_loop() everytime a packet */ -/* arrives to the network card. This function prints the captured raw data in */ -/* hexadecimal. */ -void processPacket(u_char *arg, const struct pcap_pkthdr* pkthdr, const u_char * packet){ - - int i=0, *counter = (int *)arg; - - printf("Packet Count: %d\n", ++(*counter)); - printf("Received Packet Size: %d\n", pkthdr->len); - printf("Payload:\n"); - for (i=0; ilen; i++){ - - if ( isprint(packet[i]) ) /* If it is a printable character, print it */ - printf("%c ", packet[i]); - else - printf(". "); - - if( (i%16 == 0 && i!=0) || i==pkthdr->len-1 ) - printf("\n"); - } - return; -} - - - -/* main(): Main function. Opens network interface and calls pcap_loop() */ -int main(int argc, char *argv[] ){ - - int i=0, count=0; - pcap_t *descr = NULL; - char errbuf[PCAP_ERRBUF_SIZE], *device=NULL; - memset(errbuf,0,PCAP_ERRBUF_SIZE); - - if( argc > 1){ /* If user supplied interface name, use it. 
*/ - device = argv[1]; - } - else{ /* Get the name of the first device suitable for capture */ - - if ( (device = pcap_lookupdev(errbuf)) == NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - } - - printf("Opening device %s\n", device); - - /* Open device in promiscuous mode */ - if ( (descr = pcap_open_live(device, MAXBYTES2CAPTURE, 1, 512, errbuf)) == NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Loop forever & call processPacket() for every received packet*/ - if ( pcap_loop(descr, -1, processPacket, (u_char *)&count) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - -return 0; - -} - -/* EOF*/ diff --git a/2015-Fall/Reverse_Engineering/README.md b/2015-Fall/Reverse_Engineering/README.md deleted file mode 100644 index 5e6bc85..0000000 --- a/2015-Fall/Reverse_Engineering/README.md +++ /dev/null @@ -1 +0,0 @@ -# Reverse Engineering \ No newline at end of file diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/Makefile deleted file mode 100644 index 3b3bdad..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -graphic: graphic.c - gcc -o graphic graphic.c -O0 -m32 -g diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/README.md b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/README.md deleted file mode 100644 index 26bba13..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/README.md +++ /dev/null @@ -1,8 +0,0 @@ - -reverse the program to find a tree structure and see that the program traverses this tree given a certain input - -the goal is for the user to provide an input that generates a value that is the same - -possible solution: LRLLRRRLLRLRLRRRLLLRRLRLRLLLRLLLLRRRLRLL - - diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/flag.txt b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/flag.txt deleted file mode 100644 index 122ab47..0000000 
--- a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{th3r3_and_b4ck_again} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic deleted file mode 100755 index a2c06d4..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic.c b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic.c deleted file mode 100644 index d2f6930..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/graphic.c +++ /dev/null 
@@ -1,99 +0,0 @@ -#include -#include -#include -#include -#define BUFFERSIZE 64 - -struct node { - struct node* left; - int value; - struct node* right; -}; - -void get_password() { - FILE *fp; - char *password; - unsigned int file_size; - - fp = fopen("flag.txt", "r"); - - fseek(fp, 0L, SEEK_END); - file_size = ftell(fp); - fseek(fp, 0L, SEEK_SET); - - password = (char *) malloc(file_size); - - fscanf(fp, "%s", password); - printf("%s\n", password ); - fflush(stdout); - - free(password); -} - -int main() { - int endValue = 1984717964; - char path[64]; - struct node paths[] = { - {&paths[18], 0xdeadbeef, &paths[5]}, - {&paths[13], 0xcafebabe, &paths[4]}, - {&paths[4], 0xdeadbabe, &paths[15]}, - {&paths[2], 0x8badf00d, &paths[16]}, - {&paths[9], 0xb16b00b5, &paths[20]}, - {&paths[8], 0xcafed00d, &paths[21]}, - {&paths[5], 0xdeadc0de, &paths[13]}, - {&paths[7], 0xdeadfa11, &paths[18]}, - {&paths[10], 0xdefec8ed, &paths[2]}, - {&paths[11], 0xdeadfeed, &paths[9]}, - {&paths[21], 0xfee1dead, &paths[8]}, - {&paths[20], 0xfaceb00b, &paths[14]}, - {&paths[19], 0xfacefeed, &paths[12]}, - {&paths[17], 0x000ff1ce, &paths[6]}, - {&paths[16], 0x12345678, &paths[3]}, - {&paths[15], 0x743029ab, &paths[0]}, - {&paths[1], 0xdeed1234, &paths[1]}, - {&paths[0], 0x00000000, &paths[17]}, - {&paths[3], 0x11111111, &paths[19]}, - {&paths[6], 0x11111112, &paths[1]}, - {&paths[12], 0x11111113, &paths[7]}, - {&paths[14], 0x42424242, &paths[10]}, - }; - - puts("You stumble into Mirkwood Forest without a map."); - puts("Without any sense of direction you look around in despair as you remember these woods are littered with the unforgiving Wood Elves and giant spiders."); - puts("You begin to try different paths in hopes that one of them will lead you out of the woods."); - fflush(stdout); - - fgets(path, BUFFERSIZE, stdin); - - struct node* step = &paths[0]; - int value = step->value; - - int i; - for (i = 0; i < BUFFERSIZE; i++) { - if (path[i] == 'L') { - step = step->left; - } else if 
(path[i] == 'R') { - step = step->right; - } else if (path[i] == '\0' || path[i] == '\n') { - break; - } - - printf("You found a: %x!\n", step->value); - fflush(stdout); - value ^= step->value; - } - - printf("At the end of your journey, your value became: %d\n", value); - - if (value == endValue) { - puts("You made it out alive!"); - fflush(stdout); - get_password(); - } else { - puts("You were eaten by spiders :c"); - puts("Game Over"); - fflush(stdout); - } - - return 0; -} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt deleted file mode 100644 index f2a53ba..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt +++ /dev/null @@ -1,5 +0,0 @@ -Challenge Name: Graphic - -Description: - -Hint: diff --git a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/graphic b/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/graphic deleted file mode 100755 index a2c06d4..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/Graphic/release/graphic and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/README.md b/2015-Fall/Reverse_Engineering/using-gdb/README.md deleted file mode 100644 index ffaf438..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/README.md +++ /dev/null @@ -1 +0,0 @@ -Using a disassembler we see a whole bunch of functions in an array and they are all called. Break after the loop and print out flag. diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/crackme1/Makefile deleted file mode 100644 index a603818..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -O0 -g 
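Review bot: get_password in graphic.c never checks fopen or malloc and reads with an unbounded `fscanf(fp, "%s", password)` into a buffer of exactly file_size bytes, so a flag.txt with no trailing newline makes fscanf write its terminating NUL one byte past the allocation, and a missing flag.txt dereferences a NULL FILE*. Allocate file_size + 1, bound the read (`fgets(password, file_size + 1, fp)`, or a `%s` width that matches the allocation), check both return values, and `fclose(fp)` before returning. In main, `fgets(path, BUFFERSIZE, stdin)` is also unchecked: on EOF `path` stays uninitialized and the walk loop reads stack garbage. Note too that any byte other than 'L', 'R', '\n' or '\0' leaves `step` where it is and XORs `step->value` into `value` a second time; if that is an intended hidden mechanic, say so in challenge_info.txt, otherwise reject unknown characters.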
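Review bot: release/challenge_info.txt ships with empty `Description:` and `Hint:` fields. The release binary is the same blob as the dev build (a2c06d4), but without a description players are not told the input format (one line of L/R moves) and there is no hint pointing at stepping the walk in gdb; fill both in before release.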
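Review bot: using-gdb/README.md describes the varrick exercise ("a whole bunch of functions in an array and they are all called. Break after the loop and print out flag"), not the using-gdb directory as a whole; it is the same blob (ffaf438) as varrick/README.md. Either give the top-level README a short index of the exercises in this directory (simple, using_gdb, crackme1, crackme2, Graphic, varrick) or drop the duplicate.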
diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme b/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme deleted file mode 100755 index 3a51864..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme.c b/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme.c deleted file mode 100644 index 39a5aba..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/crackme.c +++ /dev/null @@ -1,13 +0,0 @@ - -#include - -int main() -{ - int x = 0; - - if (x) { - puts("You did it! :)"); - } else { - puts("Nope, you didn't do it :("); - } -} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/patch.py b/2015-Fall/Reverse_Engineering/using-gdb/crackme1/patch.py deleted file mode 100644 index cf4e81f..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/crackme1/patch.py +++ /dev/null @@ -1,28 +0,0 @@ -import sys, os, stat - -# seq are the bytes you want to replace -# Ex: seq = "\xBB\x08\x00\x00\x00\xEB\x14\x0F\x1F\x40\x00\x8B\x48\x2C\x39\xD9" -seq = "\xc7\x44\x24\x1c\x00\x00\x00\x00" -rep_seq = "\xc7\x44\x24\x1c\xef\xbe\xad\xde" - -def main(): - if len(sys.argv) < 1: - print "[*] Usage: %s " - return - - file_in = sys.argv[1] - - with open(file_in, "rb") as f: - prog = f.read() - - prog = prog.replace(seq, rep_seq) - - with open(file_in, "wb") as f: - f.write(prog) - - st = os.stat(file_in) - os.chmod(file_in, st.st_mode | stat.S_IEXEC) - -if __name__ == "__main__": - main() - diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/crackme2/Makefile deleted file mode 100644 index c82d74d..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -g 
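Review bot: the argument check in crackme1/patch.py, `if len(sys.argv) < 1:`, can never fire because argv[0] is always present, so running it with no file raises IndexError on `sys.argv[1]`; it should be `< 2`. The usage line `print "[*] Usage: %s "` also has a `%s` with no argument, so it would raise TypeError when it does fire; `print "[*] Usage: %s <binary>" % sys.argv[0]` is what was meant. Separately, `prog.replace(seq, rep_seq)` rewrites every occurrence of the 8-byte pattern (`mov dword [esp+0x1c], 0`), not just the one in main; for a binary this small that is harmless, but checking `prog.count(seq) == 1` before writing makes the patch fail loudly instead of silently patching the wrong site. The script is Python 2 only (print statement, str used as bytes); if that is deliberate for the 2015 lab environment, say so in the header comment.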
diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme b/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme deleted file mode 100755 index 30d3895..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme.c b/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme.c deleted file mode 100644 index 6885bce..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/crackme2/crackme.c +++ /dev/null @@ -1,38 +0,0 @@ -#include -#include -#include - -typedef unsigned u_int; - -u_int do_hash_thing(unsigned char *str) { - u_int i, hash, len, tmp, shift; - - hash = 0xcafebabe; - len = strlen((char *) str); - len = len > 32 ? 32 : len; - - for (i = 0; i < len; i++) { - shift = (i % 4) * sizeof(u_int) * 2; - printf("[DEBUG] %d\n", shift); - tmp = str[i] << shift; - hash ^= tmp; - printf("[DEBUG] 0x%08x\n", hash); - } - - return hash; -} - -int main() -{ - char input[256]; - - printf("Can you crack me?: "); - fgets(input, 256, stdin); - - if (do_hash_thing((unsigned char *) input) == 0xdeadbeef) { - printf("You good brah\n"); - } - else { - printf("Check yo self\n"); - } -} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/simple/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/simple/Makefile deleted file mode 100644 index 0bb661a..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/simple/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -simple: simple.c - gcc -o simple simple.c -m32 -g diff --git a/2015-Fall/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt b/2015-Fall/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt deleted file mode 100644 index 9627211..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt +++ /dev/null @@ -1,2 +0,0 @@ -break simple.c:7 - 
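Review bot: the two `printf("[DEBUG] ...")` lines inside the loop in do_hash_thing print the shift and the running hash after every input byte, which gives the whole hash away on stdout; if crackme2 is meant to be solved in gdb, drop them or guard them with `#ifdef DEBUG`. Two things solvers will trip over that the challenge should fix or document: `fgets` keeps the trailing newline, so the 0x0a byte is hashed too (at shift `((len - 1) % 4) * 8`), and the bytes needed to get from 0xcafebabe to 0xdeadbeef (0xdeadbeef ^ 0xcafebabe = 0x14530451, i.e. 0x51, 0x04, 0x53, 0x14 for i = 0..3) include non-printable values, so the input has to be piped rather than typed. Also `tmp = str[i] << shift;` promotes the unsigned char to int before shifting; for str[i] >= 0x80 and shift == 24 the result does not fit in a signed int, which is undefined behaviour in C. Cast first: `tmp = (u_int)str[i] << shift;`.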
diff --git a/2015-Fall/Reverse_Engineering/using-gdb/simple/simple b/2015-Fall/Reverse_Engineering/using-gdb/simple/simple deleted file mode 100755 index 930fb22..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/simple/simple and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/simple/simple.c b/2015-Fall/Reverse_Engineering/using-gdb/simple/simple.c deleted file mode 100644 index 6faea61..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/simple/simple.c +++ /dev/null @@ -1,13 +0,0 @@ - -int look_imma_function(int parameter1, char* parameter2) { - return 0xdeadbeef; -} - -int main() { - int x = 0x42; - char *string = "Cool beans\x00"; - - look_imma_function(x, string); - - return 0; -} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/Makefile deleted file mode 100644 index c82d74d..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -g diff --git a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c b/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c deleted file mode 100644 index 6faea61..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c +++ /dev/null @@ -1,13 +0,0 @@ - -int look_imma_function(int parameter1, char* parameter2) { - return 0xdeadbeef; -} - -int main() { - int x = 0x42; - char *string = "Cool beans\x00"; - - look_imma_function(x, string); - - return 0; -} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.key b/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.key deleted file mode 100644 index 888f102..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.key and /dev/null differ 
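Review bot: using_gdb/Makefile is a copy of crackme2's (same blob c82d74d) and builds `crackme: crackme.c`, but the only source in that directory is using_gdb.c, so `make` there fails with "No rule to make target crackme.c". Change it to `using_gdb: using_gdb.c` with `gcc -o using_gdb using_gdb.c -m32 -g`. using_gdb.c itself is byte-identical to simple/simple.c (blob 6faea61); keep one copy, or note in a README why both directories exist. Minor: the explicit `\x00` in `"Cool beans\x00"` is redundant, string literals are already NUL-terminated.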
diff --git a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf b/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf deleted file mode 100644 index ce7f6de..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/Makefile b/2015-Fall/Reverse_Engineering/using-gdb/varrick/Makefile deleted file mode 100644 index 20c0171..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -varrick: varrick.c - gcc -o varrick varrick.c -O0 -m32 -std=c99 diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/README.md b/2015-Fall/Reverse_Engineering/using-gdb/varrick/README.md deleted file mode 100644 index ffaf438..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/README.md +++ /dev/null @@ -1 +0,0 @@ -Using a disassembler we see a whole bunch of functions in an array and they are all called. Break after the loop and print out flag. diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/flag.txt b/2015-Fall/Reverse_Engineering/using-gdb/varrick/flag.txt deleted file mode 100644 index 466205a..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{l0k_hype_1s_too_r3al} diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt b/2015-Fall/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt deleted file mode 100644 index 453aa05..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt +++ /dev/null @@ -1,2 +0,0 @@ -break julie_do_the_thing - diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/sol.py b/2015-Fall/Reverse_Engineering/using-gdb/varrick/sol.py deleted file mode 100644 index 76bb3f4..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/sol.py +++ /dev/null 
@@ -1,261 +0,0 @@ -def thank_you_0(): return 0x0 -def thank_you_1(): return 0x1 -def thank_you_2(): return 0x2 -def thank_you_3(): return 0x3 -def thank_you_4(): return 0x4 -def thank_you_5(): return 0x5 -def thank_you_6(): return 0x6 -def thank_you_7(): return 0x7 -def thank_you_8(): return 0x8 -def thank_you_9(): return 0x9 -def thank_you_10(): return 0xa -def thank_you_11(): return 0xb -def thank_you_12(): return 0xc -def thank_you_13(): return 0xd -def thank_you_14(): return 0xe -def thank_you_15(): return 0xf -def thank_you_16(): return 0x10 -def thank_you_17(): return 0x11 -def thank_you_18(): return 0x6f -def thank_you_19(): return 0x13 -def thank_you_20(): return 0x14 -def thank_you_21(): return 0x15 -def thank_you_22(): return 0x16 -def thank_you_23(): return 0x17 -def thank_you_24(): return 0x18 -def thank_you_25(): return 0x19 -def thank_you_26(): return 0x1a -def thank_you_27(): return 0x1b -def thank_you_28(): return 0x1c -def thank_you_29(): return 0x1d -def thank_you_30(): return 0x1e -def thank_you_31(): return 0x1f -def thank_you_32(): return 0x20 -def thank_you_33(): return 0x21 -def thank_you_34(): return 0x22 -def thank_you_35(): return 0x23 -def thank_you_36(): return 0x24 -def thank_you_37(): return 0x25 -def thank_you_38(): return 0x26 -def thank_you_39(): return 0x27 -def thank_you_40(): return 0x28 -def thank_you_41(): return 0x29 -def thank_you_42(): return 0x2a -def thank_you_43(): return 0x2b -def thank_you_44(): return 0x2c -def thank_you_45(): return 0x2d -def thank_you_46(): return 0x2e -def thank_you_47(): return 0x2f -def thank_you_48(): return 0x30 -def thank_you_49(): return 0x31 -def thank_you_50(): return 0x32 -def thank_you_51(): return 0x33 -def thank_you_52(): return 0x34 -def thank_you_53(): return 0x35 -def thank_you_54(): return 0x36 -def thank_you_55(): return 0x37 -def thank_you_56(): return 0x38 -def thank_you_57(): return 0x39 -def thank_you_58(): return 0x3a -def thank_you_59(): return 0x3b -def thank_you_60(): return 
0x3c -def thank_you_61(): return 0x3d -def thank_you_62(): return 0x3e -def thank_you_63(): return 0x3f -def thank_you_64(): return 0x40 -def thank_you_65(): return 0x41 -def thank_you_66(): return 0x42 -def thank_you_67(): return 0x43 -def thank_you_68(): return 0x44 -def thank_you_69(): return 0x45 -def thank_you_70(): return 0x46 -def thank_you_71(): return 0x47 -def thank_you_72(): return 0x48 -def thank_you_73(): return 0x49 -def thank_you_74(): return 0x4a -def thank_you_75(): return 0x4b -def thank_you_76(): return 0x4c -def thank_you_77(): return 0x4d -def thank_you_78(): return 0x4e -def thank_you_79(): return 0x4f -def thank_you_80(): return 0x50 -def thank_you_81(): return 0x51 -def thank_you_82(): return 0x52 -def thank_you_83(): return 0x53 -def thank_you_84(): return 0x54 -def thank_you_85(): return 0x55 -def thank_you_86(): return 0x56 -def thank_you_87(): return 0x57 -def thank_you_88(): return 0x58 -def thank_you_89(): return 0x59 -def thank_you_90(): return 0x5a -def thank_you_91(): return 0x5b -def thank_you_92(): return 0x5c -def thank_you_93(): return 0x5d -def thank_you_94(): return 0x5e -def thank_you_95(): return 0x5f -def thank_you_96(): return 0x60 -def thank_you_97(): return 0x61 -def thank_you_98(): return 0x62 -def thank_you_99(): return 0x63 -def thank_you_100(): return 0x64 -def thank_you_101(): return 0x65 -def thank_you_102(): return 0x6c -def thank_you_103(): return 0x67 -def thank_you_104(): return 0x68 -def thank_you_105(): return 0x69 -def thank_you_106(): return 0x6a -def thank_you_107(): return 0x6b -def thank_you_108(): return 0x66 -def thank_you_109(): return 0x6d -def thank_you_110(): return 0x6e -def thank_you_111(): return 0x12 -def thank_you_112(): return 0x70 -def thank_you_113(): return 0x71 -def thank_you_114(): return 0x72 -def thank_you_115(): return 0x73 -def thank_you_116(): return 0x74 -def thank_you_117(): return 0x75 -def thank_you_118(): return 0x76 -def thank_you_119(): return 0x77 -def thank_you_120(): 
return 0x78 -def thank_you_121(): return 0xd3 -def thank_you_122(): return 0x7a -def thank_you_123(): return 0x7b -def thank_you_124(): return 0x7c -def thank_you_125(): return 0x7d -def thank_you_126(): return 0x7e -def thank_you_127(): return 0x7f -def thank_you_128(): return 0x80 -def thank_you_129(): return 0x81 -def thank_you_130(): return 0x82 -def thank_you_131(): return 0x83 -def thank_you_132(): return 0x84 -def thank_you_133(): return 0x85 -def thank_you_134(): return 0x86 -def thank_you_135(): return 0x87 -def thank_you_136(): return 0x88 -def thank_you_137(): return 0x89 -def thank_you_138(): return 0x8a -def thank_you_139(): return 0x8b -def thank_you_140(): return 0x8c -def thank_you_141(): return 0x8d -def thank_you_142(): return 0x8e -def thank_you_143(): return 0x8f -def thank_you_144(): return 0x90 -def thank_you_145(): return 0x91 -def thank_you_146(): return 0x92 -def thank_you_147(): return 0x93 -def thank_you_148(): return 0x94 -def thank_you_149(): return 0x95 -def thank_you_150(): return 0x96 -def thank_you_151(): return 0x97 -def thank_you_152(): return 0x98 -def thank_you_153(): return 0x99 -def thank_you_154(): return 0x9a -def thank_you_155(): return 0x9b -def thank_you_156(): return 0x9c -def thank_you_157(): return 0x9d -def thank_you_158(): return 0x9e -def thank_you_159(): return 0x9f -def thank_you_160(): return 0xa0 -def thank_you_161(): return 0xa1 -def thank_you_162(): return 0xa2 -def thank_you_163(): return 0xa3 -def thank_you_164(): return 0xa4 -def thank_you_165(): return 0xa5 -def thank_you_166(): return 0xa6 -def thank_you_167(): return 0xa7 -def thank_you_168(): return 0xa8 -def thank_you_169(): return 0xa9 -def thank_you_170(): return 0xaa -def thank_you_171(): return 0xab -def thank_you_172(): return 0xac -def thank_you_173(): return 0xad -def thank_you_174(): return 0xae -def thank_you_175(): return 0xaf -def thank_you_176(): return 0xb0 -def thank_you_177(): return 0xb1 -def thank_you_178(): return 0xb2 -def 
thank_you_179(): return 0xb3 -def thank_you_180(): return 0xb4 -def thank_you_181(): return 0xb5 -def thank_you_182(): return 0xb6 -def thank_you_183(): return 0xb7 -def thank_you_184(): return 0xb8 -def thank_you_185(): return 0xb9 -def thank_you_186(): return 0xba -def thank_you_187(): return 0xbb -def thank_you_188(): return 0xbc -def thank_you_189(): return 0xbd -def thank_you_190(): return 0xbe -def thank_you_191(): return 0xbf -def thank_you_192(): return 0xc0 -def thank_you_193(): return 0xc1 -def thank_you_194(): return 0xc2 -def thank_you_195(): return 0xc3 -def thank_you_196(): return 0xc4 -def thank_you_197(): return 0xc5 -def thank_you_198(): return 0xc6 -def thank_you_199(): return 0xc7 -def thank_you_200(): return 0xc8 -def thank_you_201(): return 0xc9 -def thank_you_202(): return 0xca -def thank_you_203(): return 0xcb -def thank_you_204(): return 0xcc -def thank_you_205(): return 0xcd -def thank_you_206(): return 0xce -def thank_you_207(): return 0xcf -def thank_you_208(): return 0xd0 -def thank_you_209(): return 0xd1 -def thank_you_210(): return 0xd2 -def thank_you_211(): return 0x79 -def thank_you_212(): return 0xd4 -def thank_you_213(): return 0xd5 -def thank_you_214(): return 0xd6 -def thank_you_215(): return 0xd7 -def thank_you_216(): return 0xd8 -def thank_you_217(): return 0xd9 -def thank_you_218(): return 0xda -def thank_you_219(): return 0xdb -def thank_you_220(): return 0xdc -def thank_you_221(): return 0xdd -def thank_you_222(): return 0xde -def thank_you_223(): return 0xdf -def thank_you_224(): return 0xe0 -def thank_you_225(): return 0xe1 -def thank_you_226(): return 0xe2 -def thank_you_227(): return 0xe3 -def thank_you_228(): return 0xe4 -def thank_you_229(): return 0xe5 -def thank_you_230(): return 0xe6 -def thank_you_231(): return 0xe7 -def thank_you_232(): return 0xe8 -def thank_you_233(): return 0xe9 -def thank_you_234(): return 0xea -def thank_you_235(): return 0xeb -def thank_you_236(): return 0xec -def thank_you_237(): return 
0xed -def thank_you_238(): return 0xee -def thank_you_239(): return 0xef -def thank_you_240(): return 0xf0 -def thank_you_241(): return 0xf1 -def thank_you_242(): return 0xf2 -def thank_you_243(): return 0xf3 -def thank_you_244(): return 0xf4 -def thank_you_245(): return 0xf5 -def thank_you_246(): return 0xf6 -def thank_you_247(): return 0xf7 -def thank_you_248(): return 0xf8 -def thank_you_249(): return 0xf9 -def thank_you_250(): return 0xfa -def thank_you_251(): return 0xfb -def thank_you_252(): return 0xfc -def thank_you_253(): return 0xfd -def thank_you_254(): return 0xfe - -funcs = [thank_you_108(), thank_you_102(), thank_you_97(), thank_you_103(), thank_you_123(), thank_you_102(), thank_you_48(), thank_you_107(), thank_you_95(), thank_you_104(), thank_you_211(), thank_you_112(), thank_you_101(), thank_you_95(), thank_you_49(), thank_you_115(), thank_you_95(), thank_you_116(), thank_you_18(), thank_you_18(), thank_you_95(), thank_you_114(), thank_you_51(), thank_you_97(), thank_you_102(), thank_you_125()] - -flag = ['{}'.format(chr(a)) for a in funcs] - -print ''.join(flag) diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick b/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick deleted file mode 100755 index 31ae075..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick and /dev/null differ diff --git a/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick.c b/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick.c deleted file mode 100644 index 1bc7047..0000000 --- a/2015-Fall/Reverse_Engineering/using-gdb/varrick/varrick.c +++ /dev/null 
@@ -1,302 +0,0 @@ -#include -#include -#include - -char thank_you_0() { return 0x0; } -char thank_you_1() { return 0x1; } -char thank_you_2() { return 0x2; } -char thank_you_3() { return 0x3; } -char thank_you_4() { return 0x4; } -char thank_you_5() { return 0x5; } -char thank_you_6() { return 0x6; } -char thank_you_7() { return 0x7; } -char thank_you_8() { return 0x8; } -char thank_you_9() { return 0x9; } -char thank_you_10() { return 0xa; } -char thank_you_11() { return 0xb; } -char thank_you_12() { return 0xc; } -char thank_you_13() { return 0xd; } -char thank_you_14() { return 0xe; } -char thank_you_15() { return 0xf; } -char thank_you_16() { return 0x10; } -char thank_you_17() { return 0x11; } -char thank_you_18() { return 0x6f; } -char thank_you_19() { return 0x13; } -char thank_you_20() { return 0x14; } -char thank_you_21() { return 0x15; } -char thank_you_22() { return 0x16; } -char thank_you_23() { return 0x17; } -char thank_you_24() { return 0x18; } -char thank_you_25() { return 0x19; } -char thank_you_26() { return 0x1a; } -char thank_you_27() { return 0x1b; } -char thank_you_28() { return 0x1c; } -char thank_you_29() { return 0x1d; } -char thank_you_30() { return 0x1e; } -char thank_you_31() { return 0x1f; } -char thank_you_32() { return 0x20; } -char thank_you_33() { return 0x21; } -char thank_you_34() { return 0x22; } -char thank_you_35() { return 0x23; } -char thank_you_36() { return 0x24; } -char thank_you_37() { return 0x25; } -char thank_you_38() { return 0x26; } -char thank_you_39() { return 0x27; } -char thank_you_40() { return 0x28; } -char thank_you_41() { return 0x29; } -char thank_you_42() { return 0x2a; } -char thank_you_43() { return 0x2b; } -char thank_you_44() { return 0x2c; } -char thank_you_45() { return 0x2d; } -char thank_you_46() { return 0x2e; } -char thank_you_47() { return 0x2f; } -char thank_you_48() { return 0x30; } -char thank_you_49() { return 0x31; } -char thank_you_50() { return 0x32; } -char thank_you_51() { return 0x33; } 
-char thank_you_52() { return 0x34; } -char thank_you_53() { return 0x35; } -char thank_you_54() { return 0x36; } -char thank_you_55() { return 0x37; } -char thank_you_56() { return 0x38; } -char thank_you_57() { return 0x39; } -char thank_you_58() { return 0x3a; } -char thank_you_59() { return 0x3b; } -char thank_you_60() { return 0x3c; } -char thank_you_61() { return 0x3d; } -char thank_you_62() { return 0x3e; } -char thank_you_63() { return 0x3f; } -char thank_you_64() { return 0x40; } -char thank_you_65() { return 0x41; } -char thank_you_66() { return 0x42; } -char thank_you_67() { return 0x43; } -char thank_you_68() { return 0x44; } -char thank_you_69() { return 0x45; } -char thank_you_70() { return 0x46; } -char thank_you_71() { return 0x47; } -char thank_you_72() { return 0x48; } -char thank_you_73() { return 0x49; } -char thank_you_74() { return 0x4a; } -char thank_you_75() { return 0x4b; } -char thank_you_76() { return 0x4c; } -char thank_you_77() { return 0x4d; } -char thank_you_78() { return 0x4e; } -char thank_you_79() { return 0x4f; } -char thank_you_80() { return 0x50; } -char thank_you_81() { return 0x51; } -char thank_you_82() { return 0x52; } -char thank_you_83() { return 0x53; } -char thank_you_84() { return 0x54; } -char thank_you_85() { return 0x55; } -char thank_you_86() { return 0x56; } -char thank_you_87() { return 0x57; } -char thank_you_88() { return 0x58; } -char thank_you_89() { return 0x59; } -char thank_you_90() { return 0x5a; } -char thank_you_91() { return 0x5b; } -char thank_you_92() { return 0x5c; } -char thank_you_93() { return 0x5d; } -char thank_you_94() { return 0x5e; } -char thank_you_95() { return 0x5f; } -char thank_you_96() { return 0x60; } -char thank_you_97() { return 0x61; } -char thank_you_98() { return 0x62; } -char thank_you_99() { return 0x63; } -char thank_you_100() { return 0x64; } -char thank_you_101() { return 0x65; } -char thank_you_102() { return 0x6c; } -char thank_you_103() { return 0x67; } -char 
thank_you_104() { return 0x68; } -char thank_you_105() { return 0x69; } -char thank_you_106() { return 0x6a; } -char thank_you_107() { return 0x6b; } -char thank_you_108() { return 0x66; } -char thank_you_109() { return 0x6d; } -char thank_you_110() { return 0x6e; } -char thank_you_111() { return 0x12; } -char thank_you_112() { return 0x70; } -char thank_you_113() { return 0x71; } -char thank_you_114() { return 0x72; } -char thank_you_115() { return 0x73; } -char thank_you_116() { return 0x74; } -char thank_you_117() { return 0x75; } -char thank_you_118() { return 0x76; } -char thank_you_119() { return 0x77; } -char thank_you_120() { return 0x78; } -char thank_you_121() { return 0xd3; } -char thank_you_122() { return 0x7a; } -char thank_you_123() { return 0x7b; } -char thank_you_124() { return 0x7c; } -char thank_you_125() { return 0x7d; } -char thank_you_126() { return 0x7e; } -char thank_you_127() { return 0x7f; } -char thank_you_128() { return 0x80; } -char thank_you_129() { return 0x81; } -char thank_you_130() { return 0x82; } -char thank_you_131() { return 0x83; } -char thank_you_132() { return 0x84; } -char thank_you_133() { return 0x85; } -char thank_you_134() { return 0x86; } -char thank_you_135() { return 0x87; } -char thank_you_136() { return 0x88; } -char thank_you_137() { return 0x89; } -char thank_you_138() { return 0x8a; } -char thank_you_139() { return 0x8b; } -char thank_you_140() { return 0x8c; } -char thank_you_141() { return 0x8d; } -char thank_you_142() { return 0x8e; } -char thank_you_143() { return 0x8f; } -char thank_you_144() { return 0x90; } -char thank_you_145() { return 0x91; } -char thank_you_146() { return 0x92; } -char thank_you_147() { return 0x93; } -char thank_you_148() { return 0x94; } -char thank_you_149() { return 0x95; } -char thank_you_150() { return 0x96; } -char thank_you_151() { return 0x97; } -char thank_you_152() { return 0x98; } -char thank_you_153() { return 0x99; } -char thank_you_154() { return 0x9a; } -char 
thank_you_155() { return 0x9b; } -char thank_you_156() { return 0x9c; } -char thank_you_157() { return 0x9d; } -char thank_you_158() { return 0x9e; } -char thank_you_159() { return 0x9f; } -char thank_you_160() { return 0xa0; } -char thank_you_161() { return 0xa1; } -char thank_you_162() { return 0xa2; } -char thank_you_163() { return 0xa3; } -char thank_you_164() { return 0xa4; } -char thank_you_165() { return 0xa5; } -char thank_you_166() { return 0xa6; } -char thank_you_167() { return 0xa7; } -char thank_you_168() { return 0xa8; } -char thank_you_169() { return 0xa9; } -char thank_you_170() { return 0xaa; } -char thank_you_171() { return 0xab; } -char thank_you_172() { return 0xac; } -char thank_you_173() { return 0xad; } -char thank_you_174() { return 0xae; } -char thank_you_175() { return 0xaf; } -char thank_you_176() { return 0xb0; } -char thank_you_177() { return 0xb1; } -char thank_you_178() { return 0xb2; } -char thank_you_179() { return 0xb3; } -char thank_you_180() { return 0xb4; } -char thank_you_181() { return 0xb5; } -char thank_you_182() { return 0xb6; } -char thank_you_183() { return 0xb7; } -char thank_you_184() { return 0xb8; } -char thank_you_185() { return 0xb9; } -char thank_you_186() { return 0xba; } -char thank_you_187() { return 0xbb; } -char thank_you_188() { return 0xbc; } -char thank_you_189() { return 0xbd; } -char thank_you_190() { return 0xbe; } -char thank_you_191() { return 0xbf; } -char thank_you_192() { return 0xc0; } -char thank_you_193() { return 0xc1; } -char thank_you_194() { return 0xc2; } -char thank_you_195() { return 0xc3; } -char thank_you_196() { return 0xc4; } -char thank_you_197() { return 0xc5; } -char thank_you_198() { return 0xc6; } -char thank_you_199() { return 0xc7; } -char thank_you_200() { return 0xc8; } -char thank_you_201() { return 0xc9; } -char thank_you_202() { return 0xca; } -char thank_you_203() { return 0xcb; } -char thank_you_204() { return 0xcc; } -char thank_you_205() { return 0xcd; } -char 
thank_you_206() { return 0xce; } -char thank_you_207() { return 0xcf; } -char thank_you_208() { return 0xd0; } -char thank_you_209() { return 0xd1; } -char thank_you_210() { return 0xd2; } -char thank_you_211() { return 0x79; } -char thank_you_212() { return 0xd4; } -char thank_you_213() { return 0xd5; } -char thank_you_214() { return 0xd6; } -char thank_you_215() { return 0xd7; } -char thank_you_216() { return 0xd8; } -char thank_you_217() { return 0xd9; } -char thank_you_218() { return 0xda; } -char thank_you_219() { return 0xdb; } -char thank_you_220() { return 0xdc; } -char thank_you_221() { return 0xdd; } -char thank_you_222() { return 0xde; } -char thank_you_223() { return 0xdf; } -char thank_you_224() { return 0xe0; } -char thank_you_225() { return 0xe1; } -char thank_you_226() { return 0xe2; } -char thank_you_227() { return 0xe3; } -char thank_you_228() { return 0xe4; } -char thank_you_229() { return 0xe5; } -char thank_you_230() { return 0xe6; } -char thank_you_231() { return 0xe7; } -char thank_you_232() { return 0xe8; } -char thank_you_233() { return 0xe9; } -char thank_you_234() { return 0xea; } -char thank_you_235() { return 0xeb; } -char thank_you_236() { return 0xec; } -char thank_you_237() { return 0xed; } -char thank_you_238() { return 0xee; } -char thank_you_239() { return 0xef; } -char thank_you_240() { return 0xf0; } -char thank_you_241() { return 0xf1; } -char thank_you_242() { return 0xf2; } -char thank_you_243() { return 0xf3; } -char thank_you_244() { return 0xf4; } -char thank_you_245() { return 0xf5; } -char thank_you_246() { return 0xf6; } -char thank_you_247() { return 0xf7; } -char thank_you_248() { return 0xf8; } -char thank_you_249() { return 0xf9; } -char thank_you_250() { return 0xfa; } -char thank_you_251() { return 0xfb; } -char thank_you_252() { return 0xfc; } -char thank_you_253() { return 0xfd; } -char thank_you_254() { return 0xfe; } - -void julie_do_the_thing() { - char the_thing[26]; - void *things[26] = { - &thank_you_108, 
- &thank_you_102, - &thank_you_97, - &thank_you_103, - &thank_you_123, - &thank_you_102, - &thank_you_48, - &thank_you_107, - &thank_you_95, - &thank_you_104, - &thank_you_211, - &thank_you_112, - &thank_you_101, - &thank_you_95, - &thank_you_49, - &thank_you_115, - &thank_you_95, - &thank_you_116, - &thank_you_18, - &thank_you_18, - &thank_you_95, - &thank_you_114, - &thank_you_51, - &thank_you_97, - &thank_you_102, - &thank_you_125 - }; - - for (int i = 0; i < 26; i++) { - char (*thing)() = things[i]; - the_thing[i] = thing(); - } -} - -int main() { - julie_do_the_thing(); - puts("Nothing got printed out?"); - return 0; -} diff --git a/2015-Fall/Reverse_Engineering/using-ida/Using-IDA.key b/2015-Fall/Reverse_Engineering/using-ida/Using-IDA.key deleted file mode 100644 index adb550f..0000000 Binary files a/2015-Fall/Reverse_Engineering/using-ida/Using-IDA.key and /dev/null differ diff --git a/2015-Fall/Web_Exploitation/README.md b/2015-Fall/Web_Exploitation/README.md deleted file mode 100644 index 7d12e04..0000000 --- a/2015-Fall/Web_Exploitation/README.md +++ /dev/null @@ -1 +0,0 @@ -# Web Exploitation \ No newline at end of file diff --git a/2015-Fall/Web_Exploitation/cross_site_scripting/xss.pptx b/2015-Fall/Web_Exploitation/cross_site_scripting/xss.pptx deleted file mode 100644 index 944653f..0000000 Binary files a/2015-Fall/Web_Exploitation/cross_site_scripting/xss.pptx and /dev/null differ diff --git a/2015-Spring/README.md b/2015-Spring/README.md deleted file mode 100644 index 642d234..0000000 --- a/2015-Spring/README.md +++ /dev/null 
@@ -1,320 +0,0 @@ -# NYU Poly [ISIS Lab](http://www.isis.poly.edu/)'s [Hack Night](http://isislab.github.io/Hack-Night/) -Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks. - -Hack Night culminates in a practical application of the skills and techniques taught, students complete a research project inspired by one of the lectures or exercise materials. By the end of the course, each student is expected to have a good understanding of all topics and a mastery of at least one topic. - -*Due to the involved nature of this course, we recommend students attend Hack Night in person.* - -## Logistics -If you have any questions, or would like to attend a Hack Night session, you can contact Evan Jensen or Marc Budofsky at HackNight@isis.poly.edu or you can [file a ticket](https://github.com/isislab/Hack-Night/issues) in Github. - -Sign up for the [Cyber Security Club mailing list](https://isis.poly.edu/mailman/listinfo/csc) to recieve weekly e-mails about seminars and training sessions brought to you by the [ISIS Lab](http://www.isis.poly.edu/). - -Hack Night is run every Wednesday during the regular semester at 6 PM in RH 219, check [our calendar for updates](http://www.isis.poly.edu/calendar). - -ISIS Lab, RH 219 -Six MetroTech Center -Brooklyn, NY 11201 - - -## Week 0: Background -In order to get the most out of Hack Night, you should be familiar with some basic security concepts. - -### Lecture Materials -1. [PicoCTF Resources](https://picoctf.com/learn) - -### Resources -#### General -1. [Sun Certified Security Administrator for Solaris 9 & 10 Study Guide Chapter 1](http://www.mhprofessional.com/downloads/products/0072254238/0072254238_ch01.pdf) - -#### Application Security -1. 
[OWASP Secure Coding Principles](https://www.owasp.org/index.php/Secure_Coding_Principles) - -#### Exploitation -1. [Windows ISV Software Security Defenses](http://msdn.microsoft.com/en-us/library/bb430720.aspx) - -#### Mobile Security -1. [OWASP Top 10](https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks) - -#### Network Security -1. [Common Types of Network Attacks](http://technet.microsoft.com/en-us/library/cc959354.aspx) - -#### Reverse Engineering -1. [University of Washington's The Hardware/Software Interface](https://class.coursera.org/hwswinterface-001/class) *Currently Unavailable to New Students* -2. [University of London's Malicious Software and its Underground Economy: Two Sides to Every Story](https://class.coursera.org/malsoftware-001/class) - -#### Web Security -1. [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) - - -## Week 1: Introduction -This is an introduction session to the Hack Night curriculum, this session tries to give an overview of what rest of Hack Night sessions is to be followed. More importantly, it also gives the -ethics necessary to keep in mind when you learn something as powerful as your going to do now. Next, we will cover various types of disclosure that hackers have followed since -its inception. - -Before diving into the Hack Night semester, we recommend you take a look at the resources below and become familiar with some of the material. - -### Lecture Materials -1. [Trends in Vulnerability Disclosure](http://vimeo.com/48914102) -2. [Intrusion via Web Application Flaws](http://vimeo.com/14983596) -3. [Intrusion via Client-Side Exploitation](http://vimeo.com/14983828) - -### Resources -1. [IRC: #hacknight on isis.poly.edu port 6697 (ssl only)](http://chat.mibbit.com/?server=isis.poly.edu%3A%2B6697&channel=%23hacknight) -2. [ISIS Lab Blog](https://isisblogs.poly.edu/) -3. [ISIS Lab Github](https://github.com/isislab/) -4. 
[Project Ideas](https://github.com/isislab/Project-Ideas/issues) -5. [Resources Wiki](https://github.com/isislab/Project-Ideas/wiki) -6. [CyFor](http://cyfor.isis.poly.edu/) -7. [Cyber Security Club Mailing List](https://isis.poly.edu/mailman/listinfo/csc) -8. [ISIS Lab Calendar](http://www.isis.poly.edu/calendar) - - -## Week 2: Source Code Auditing, Part 1 -This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers -might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. -Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities. - -### Lecture Materials -1. [Design & Operational Reviews](http://vimeo.com/29082852/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/design_review_fall2011.pdf?raw=true)] -2. [Code Auditing 101](http://vimeo.com/30001189/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/code_audits_1_fall2011.pdf?raw=true)] - -### Workshop Materials -1. [Client Request Access Protocol](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week2/designdoc-fall2010.pdf?raw=true) -We believe this protocol to be severely flawed and require your assistance in identifying vulnerabilities in it. Your objective is to identify and informally describe as many of these issues that you can. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. 
[The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - - -## Week 3: Source Code Auditing, Part 2 -This week we will continue with the final video on Code Auditing, and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find vulnerabilities in them. Test -the skills that you have learned last week to efficiently go over the process of auditing applications. - -### Lecture Materials -1. [Code Auditing 102](http://vimeo.com/29702192/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/code_audits_2_fall2011.pdf?raw=true)] - -### Workshop Materials -1. [News Paper](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/news_server.c) [Simple Usage](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/news_install.sh) -This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. These are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc. -2. [Siberia Crimeware Pack](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/siberia.zip?raw=true) (Password: infected) -The Siberia kit contains live exploit code and will likely set off AV, however none of the exploit code is in a state where it would be harmful to your computer. 
In addition to all of the vulnerabilites have been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - -### Tools -1. [Source Navigator](http://sourcenav.sourceforge.net/) -2. [Scitools Understand](http://www.scitools.com/) -3. [List of tools for static code analysis](http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) - - -## Week 4: Web Security, Part 1 -This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. Topics to be covered are web application primer, Vuln. commonly found in web apps. (OWASP Top 10) and Basic web testing methodologies. - -### Lecture Materials -1. [Web Hacking 101](http://vimeo.com/32509769) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/WebHackingDay1-2011.pdf?raw=true)] - -### Workshop Materials -1. [Google Gruyere](http://google-gruyere.appspot.com/) - - -### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. 
[The Tangled Web](http://nostarch.com/tangledweb.htm) -3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) - - -## Week 5: Web Security, Part 2 -In this session, we will continue with the second video on Web Hacking. We will then be using some more intentionally vulnerable web applications to identify and analyze the top ten vulnerabilities commonly found in the web applications You will be going through the steps of busticating a real site and throwing a fire sale using freely available tools. - -### Lecture Materials -1. [Web Hacking 102](http://vimeo.com/32550671) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/WebHackingDay2-2011.pdf?raw=true)] - -### Workshop Materials -1. [OWASP WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) -2. [Damn Vulnerable Web Application](http://www.dvwa.co.uk/) - - -### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. [The Tangled Web](http://nostarch.com/tangledweb.htm) -3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) - - -## Week 6: Reverse Engineering, Part 1 -This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. This is exactly what two of world's best reverse engineers are going to teach you. - -### Lecture Videos -1. [Reverse Engineering 101](http://vimeo.com/6764570) -2. 
[Reverse Engineering 102](http://vimeo.com/30076325) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/sotirov-re-fall2011.pdf?raw=true)] - -### Workshop Materials -In this section we will go through the basic idea of a binary and how your source code is converted into an executable form. We will then look at the assembly language used by executable programs and develop our own low level programs. We will write simple assembly language programs and teach the basic skills needed to understand more complex assembly language uses. - -1. [Assembly Programming Exercises](https://github.com/blankwall/asm_prog_ex) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 7: Reverse Engineering, Part 2 -Picking up from previous session, we will watch the last video on Reverse Engineering, and present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. 
You'll use static analysis tools like IDA and varied dynamic analysis to analyze the binary and get a complete understanding of the application. - -### Lecture Videos -1. [Dynamic Reverse Engineering](http://vimeo.com/30594548) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/dynamic_reversing_2011.pdf?raw=true)] - -### Workshop Materials -1. [Challenge Application 1](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week7/bin1?raw=true) -2. [Challenge Application 2](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week7/easy32?raw=true) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 8: Reverse Engineering, Part 3 -In this session we will cover [Introductory Intel x86: Architecture, Assembly, Applications, and Alliteration by Xeno Kovah](http://www.opensecuritytraining.info/IntroX86.html) from [OpenSecurityTraining](http://www.opensecuritytraining.info/Welcome.html). Intel processors have been a major force in personal computing for more than 30 years. 
An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 50% of the time will be spent learning Windows/Linux tools and analysis of "simple" programs. - -### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) - -### Workshop Materials -1. [CMU Bomb Lab](http://csapp.cs.cmu.edu/public/1e/bomb.tar) (Linux/IA32 binary) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 9: Reverse Engineering, Part 4 -Picking up from the last week's session, we will continue to explore the world of x86. This is going to be a workshop were we will write programs at assembly level. 
Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames. - -### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) - -### Workshop Materials -1. [RPI Bomb Lab](http://www.cs.rpi.edu/academics/courses/spring10/csci4971/rev2/bomb) -2. [Write readFile.c in x86 by hand](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week9) - -### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [nasm](http://www.nasm.us/) -8. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - - -## Week 10: Exploitation, Part 1 -In this week's session, we will go over some advanced concepts related to computer security. Dino Dai Zovi will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. 
We will also look at exploitation mitigation that your current OS implements, it's not 1988 anymore. Finally, we will look at some techniques used to bypass modern mitigations. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/memory_corruption_101.pdf?raw=true)] - -### Workshop Materials -1. [Vulnerable Application](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week10) - -### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) - - -## Week 11: Exploitation, Part 2 -Picking up from the last session, we will finish watching Dino Dai Zovi's lecture and do a live exploitation of a vulnerable program. We will go through all the steps that Dino explained in his lecture to write a control flow hijacking exploit and take over the program. Once we are done with 1990's style exploitation, we will re-compile the program with modern mitigation technologies and look at various techniques used to bypass these mitigation's. - -### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/memory_corruption_101.pdf?raw=true)] - -### Workshop Materials -1 [CSAW 2013 Exploitation 2](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week11/exploit2?raw=true) - -### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. 
[Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) - -### More Challenges -1. [Gera's Insecure Programming by Example](http://community.corest.com/~gera/InsecureProgramming/) -2. [Exploit-Exercises](http://exploit-exercises.com/) - - -## Week 12: Post-Exploitation -In this week, we will cover post-exploitation. Post-exploitation is the stage in the intrusion kill chain wherein the attacker uses persistence techniques after the victim's system is compromised to maintain his/her presence on the machine. In addition the attacker also wants his presence to be hidden, this includes evading antivirus software, covering his/her tracks, etc. We will look at various techniques used by attackers to achieve the aforementioned goals. - -### Lecture Material -1. [Post Exploitation](http://vimeo.com/33344191) - -### Workshop Material -As shown in the lecture video, setup two VM’s. One VM will have metasploit running, backtrack is preferred and the other machine will be a Windows box. Preferred, win xp professional or win 7 professional. -Use the psexec module available in metasploit to gain access to the Windows box. Once, you have a meterpreter session available, apply different techniques demonstrated in the lecture like getting the password hash of Administrator, so that you can re-login as Administrator which gives you elevated privileges. - -Having a meterpreter session open isn’t necessarily good enough. For instance, run cmd.exe in windows box; get back to your meterpreter session and find the pid of cmd.exe using “ps” command. Once you are able to figure out the pid, use the migrate command to switch to that process. Now, close the command prompt in the windows box. Do you still have the session open? What do you think a stable process might be to migrate? 
- -If you have found the stable process that you as an attacker want to migrate to, chances are your persistence is good. Although, this may not be the case if the victim restarts his machine. What do you think a better approach would be to keep your connection persistent, even after several reboots? Try to use this method and see for yourself, if you have a persistent connection or not. - -### Resources -1. [Symantec Stuxnet Dossier](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/w32_stuxnet_dossier.pdf?raw=true) - - -## Week 13: Application Security -In this, the last session of Hack Night. We will be going over Fuzzing and later have a short discussion on what you can do to continue improving your skills. Fuzzing is a black box software testing technique, which consists of finding implementation bugs by manipulating input data sent to an application automatically. We will go over different types of fuzzing, various methods used for fuzzing, and finally the process of "smart" fuzzing. - -### Lecture Material -1. [Fuzzing](https://vimeo.com/7574602) - -### Workshop Materials -1. [fuzz.py](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week13) -2. [HaikuSyscallFuzzer](https://github.com/isislab/HaikuSyscallFuzzer) - -### Resources -1. [Fuzzing](https://github.com/isislab/Project-Ideas/wiki/Fuzzing) - - -## Conclusion -Hack Night is designed to culminate in each student developing some kind of deliverable related to computer security, the goal being that everyone leaves the program with more knowledge about security. - -### Research and Projects -1. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -2. [Project Ideas Wiki](https://github.com/isislab/Project-Ideas/wiki) diff --git a/2015-Spring/book-index.html.bak b/2015-Spring/book-index.html.bak deleted file mode 100644 index 4277631..0000000 --- a/2015-Spring/book-index.html.bak +++ /dev/null 
@@ -1,110 +0,0 @@ - - - - Hack Night Gitbook - - - - - - - - - - - - - - - -
- -
- -
- - -

- - Read Online - -

- -

You can also download this book as: ePUB, MOBI or PDF.

- -
- - - - - \ No newline at end of file diff --git a/2015-Spring/references/IDA_Pro_Shortcuts.pdf b/2015-Spring/references/IDA_Pro_Shortcuts.pdf deleted file mode 100644 index ed36709..0000000 Binary files a/2015-Spring/references/IDA_Pro_Shortcuts.pdf and /dev/null differ diff --git a/2015-Spring/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf b/2015-Spring/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf deleted file mode 100755 index 5909200..0000000 Binary files a/2015-Spring/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf and /dev/null differ diff --git a/2015-Spring/references/w32_stuxnet_dossier.pdf b/2015-Spring/references/w32_stuxnet_dossier.pdf deleted file mode 100755 index 038acd8..0000000 Binary files a/2015-Spring/references/w32_stuxnet_dossier.pdf and /dev/null differ diff --git a/2015-Spring/slides/WebHackingDay1-2011.pdf b/2015-Spring/slides/WebHackingDay1-2011.pdf deleted file mode 100755 index ffe0650..0000000 Binary files a/2015-Spring/slides/WebHackingDay1-2011.pdf and /dev/null differ diff --git a/2015-Spring/slides/WebHackingDay2-2011.pdf b/2015-Spring/slides/WebHackingDay2-2011.pdf deleted file mode 100755 index dce1520..0000000 Binary files a/2015-Spring/slides/WebHackingDay2-2011.pdf and /dev/null differ diff --git a/2015-Spring/slides/code_audits_1_fall2011.pdf b/2015-Spring/slides/code_audits_1_fall2011.pdf deleted file mode 100755 index ece40e7..0000000 Binary files a/2015-Spring/slides/code_audits_1_fall2011.pdf and /dev/null differ diff --git a/2015-Spring/slides/code_audits_2_fall2011.pdf b/2015-Spring/slides/code_audits_2_fall2011.pdf deleted file mode 100755 index ddf943d..0000000 Binary files a/2015-Spring/slides/code_audits_2_fall2011.pdf and /dev/null differ diff --git a/2015-Spring/slides/design_review_fall2011.pdf b/2015-Spring/slides/design_review_fall2011.pdf deleted file mode 100755 index f721b0a..0000000 Binary files a/2015-Spring/slides/design_review_fall2011.pdf and /dev/null differ 
diff --git a/2015-Spring/slides/memory_corruption_101.pdf b/2015-Spring/slides/memory_corruption_101.pdf deleted file mode 100755 index 9cb934c..0000000 Binary files a/2015-Spring/slides/memory_corruption_101.pdf and /dev/null differ diff --git a/2015-Spring/slides/sotirov-re-fall2011.pdf b/2015-Spring/slides/sotirov-re-fall2011.pdf deleted file mode 100755 index df6d35c..0000000 Binary files a/2015-Spring/slides/sotirov-re-fall2011.pdf and /dev/null differ diff --git a/2015-Spring/workshops/week1/README.md b/2015-Spring/workshops/week1/README.md deleted file mode 100644 index bfd88c5..0000000 --- a/2015-Spring/workshops/week1/README.md +++ /dev/null @@ -1,15 +0,0 @@ -### TODO: Small demo for each topic - -Process to finding bugs: - Playing with program to figure out how it works - Looking at source code - Changing it - See what happens - -Exploitation? - exploit exercises? - -Linux intro? - -patch a program? -pwn adventure? diff --git a/2015-Spring/workshops/week11/README.md b/2015-Spring/workshops/week11/README.md deleted file mode 100644 index 25c1a95..0000000 --- a/2015-Spring/workshops/week11/README.md +++ /dev/null @@ -1 +0,0 @@ -### user privledges? shellcode? kernel exploits? android rooting? diff --git a/2015-Spring/workshops/week11/exploit2 b/2015-Spring/workshops/week11/exploit2 deleted file mode 100755 index 2010dc6..0000000 Binary files a/2015-Spring/workshops/week11/exploit2 and /dev/null differ diff --git a/2015-Spring/workshops/week2/README.md b/2015-Spring/workshops/week2/README.md deleted file mode 100644 index d5d60b1..0000000 --- a/2015-Spring/workshops/week2/README.md +++ /dev/null @@ -1 +0,0 @@ -### Python examples of bad programming practice diff --git a/2015-Spring/workshops/week2/exec1.py b/2015-Spring/workshops/week2/exec1.py deleted file mode 100644 index 3be7f79..0000000 --- a/2015-Spring/workshops/week2/exec1.py +++ /dev/null 
@@ -1,11 +0,0 @@ -banned = [] - -while True: - data = raw_input(">>> ") - - for no in banned: - if no.lower() in data.lower(): - print "No bueno" - break - else: # this means nobreak - exec data diff --git a/2015-Spring/workshops/week2/exec2.py b/2015-Spring/workshops/week2/exec2.py deleted file mode 100644 index feaeafa..0000000 --- a/2015-Spring/workshops/week2/exec2.py +++ /dev/null @@ -1,22 +0,0 @@ -banned = [ - "import", - "exec", - "eval", - "pickle", - "os", - "subprocess", - "kevin sucks", - "banned", - "cry sum more", - "sys" -] - -while True: - data = raw_input(">>> ") - - for no in banned: - if no.lower() in data.lower(): - print "No bueno" - break - else: # this means nobreak - exec data diff --git a/2015-Spring/workshops/week2/input1.py b/2015-Spring/workshops/week2/input1.py deleted file mode 100644 index c54929b..0000000 --- a/2015-Spring/workshops/week2/input1.py +++ /dev/null @@ -1,10 +0,0 @@ -import random - -x = random.randrange(100) - -y = input() -while x != y: - print "Nuh uh" - y = input() - -print "YOU DID IT :D" diff --git a/2015-Spring/workshops/week2/input2.py b/2015-Spring/workshops/week2/input2.py deleted file mode 100644 index 921817e..0000000 --- a/2015-Spring/workshops/week2/input2.py +++ /dev/null @@ -1,13 +0,0 @@ -print "Welcome to mystery math!" - -flag = "this_is_a_flag" - -while True: - x = input("Enter number 1> ") - x = x*x + ord(flag[0]) * ord(flag[1]) + ord(flag[2]) * x - y = input("Enter number 2> ") - if round(y / 6 + 7 - y) == round(x): - print "Here ya go! ", flag - exit(0) - else: - print "Your lucky number is ", x - y diff --git a/2015-Spring/workshops/week2/input3.py b/2015-Spring/workshops/week2/input3.py deleted file mode 100644 index e5ebb5b..0000000 --- a/2015-Spring/workshops/week2/input3.py +++ /dev/null 
@@ -1,35 +0,0 @@ -from random import randint - -def printpegs(code): - print " --------------------- " - print " |", - for c in code: - print c, "|", - print "" - print " --------------------- " - -print "Master Mind Game" - -flag = "this_is_a_flag" - -mm_code = (randint(0,9), randint(0,9), randint(0,9), randint(0,9), randint(0,9)) -print "I've set my code. Guess it!" - -print "Rules: You should input your guesses as 5 digits separated by commas." -print " I will respond by marking the correct digits with a 2, marking" -print " digits in the wrong place with a 1, and marking wrong digits 0." - -while True: - guess = input('guess> ') - if len(guess) != 5: - print "You must guess a 5-digit code!" - continue - - printpegs(guess) - - right = map(lambda x,y: (x == y) + (x in mm_code), guess, mm_code) - printpegs(right) - - if guess == mm_code: - print "You got it right!" - exit(0) diff --git a/2015-Spring/workshops/week2/input4.py b/2015-Spring/workshops/week2/input4.py deleted file mode 100644 index 3c276e4..0000000 --- a/2015-Spring/workshops/week2/input4.py +++ /dev/null @@ -1,29 +0,0 @@ -from os import path -del __builtins__.__dict__['__import__'] -del __builtins__.__dict__['reload'] - -print "Welcome to the food menu!" -choices = ( - ("Chicken Asada Burrito", 7.69, "caburrito.txt"), - ("Beef Chow Mein", 6.69, "beefchow.txt"), - ("MeatBurger Deluxe", 10.49, "no description"), - # ... -) - -def print_description(n): - print "" - if n >= len(choices): - print "No such item!" - elif not path.exists(choices[n][2]): - print "No description yet, but we promise it's tasty!" - else: - print open(choices[n][2]).read() - -def show_menu(): - for i in xrange(len(choices)): - print "[% 2d] $% 3.2f %s" % (i, choices[i][1], choices[i][0]) - -while True: - print "Which description do you want to read?" - show_menu() - print_description(input('> ')) \ No newline at end of file 
diff --git a/2015-Spring/workshops/week3/memory_corruption/a.out b/2015-Spring/workshops/week3/memory_corruption/a.out deleted file mode 100755 index 37f544f..0000000 Binary files a/2015-Spring/workshops/week3/memory_corruption/a.out and /dev/null differ diff --git a/2015-Spring/workshops/week3/memory_corruption/copy_and_pasta.c b/2015-Spring/workshops/week3/memory_corruption/copy_and_pasta.c deleted file mode 100644 index ff3a73e..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/copy_and_pasta.c +++ /dev/null @@ -1,27 +0,0 @@ -#include -#include - -int do_copy_thing(char *string) { - - char buf1[256]; - char buf2[256]; - char buf3[128]; - /* ... */ - - strncpy(buf1, string, sizeof(buf1)-1); - strncpy(buf2, string, sizeof(buf1)-1); - /* ... */ - strncpy(buf3, string, sizeof(buf1)-1); // Whups... didn't change the size - - return 0; -} - -int main() { - char userstring[256]; - - read(0, userstring, sizeof(userstring)); - - do_copy_thing(userstring); - - return 0; -} diff --git a/2015-Spring/workshops/week3/memory_corruption/data_types.c b/2015-Spring/workshops/week3/memory_corruption/data_types.c deleted file mode 100644 index f109866..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/data_types.c +++ /dev/null 
@@ -1,40 +0,0 @@ - -void primitive_data_types() { - // Signed data types - char a_char; // 1 byte [-128 to 128] - short a_short; // 2 bytes [-256 to 256] - long a_long; // 4 bytes [-(2^32)/2 to (2^32)/2] - long long a_long_long; // 8 bytes [-(2^64)/2 to (2^64)/2] - float a_float; // 4 bytes [number and a decimal (single precision)] - double a_double; // 8 bytes [number and a decimal (double precision)] - - // Same number of bytes as signed numbers - // but you do not get negative numbers - unsigned char a_unsigned_char; // 1 byte [0 to 256] - unsigned short a_unsigned_short; // 2 bytes [0 to 512] - unsigned long a_unsigned_long; // 4 bytes [0 to 2^32] - unsigned long long a_unsigned_long_long; // etc. - unsigned float a_unsigned_float; - unsigned double a_unsigned_double; - - // Collections of primitive data types - struct a_struct; - enum a_enum; - union a_union; - - void a_void; - - // typedef of unsigned int - size_t a_size_t; -} - -void arrays() { - // A bunch of characters next to each other - char[] a_char_array; - a_char_array = "Some words go here"; -} - -void pointers() { - // x points to an integer - int* x; -} diff --git a/2015-Spring/workshops/week3/memory_corruption/get_some_data.c b/2015-Spring/workshops/week3/memory_corruption/get_some_data.c deleted file mode 100644 index 9cb630a..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/get_some_data.c +++ /dev/null @@ -1,36 +0,0 @@ -#include -#include -#include - -int getDataLen(int sock) { - int length = 0; - - scanf("%d", &length); - - return sock; -} - -char* getData(int sock) { - unsigned int len; - char *buf = NULL; - - len = getDataLen(sock); - buf = malloc(len + 1); - - read(sock, buf, len); - - buf[len+1] = 0x0; - - return buf; -} - -int main() { - char *buf = NULL; - - buf = getData(0); - - printf("%s", buf); - - return 0; -} - 
diff --git a/2015-Spring/workshops/week3/memory_corruption/one_plus_one.c b/2015-Spring/workshops/week3/memory_corruption/one_plus_one.c deleted file mode 100644 index 45fe6bb..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/one_plus_one.c +++ /dev/null @@ -1,14 +0,0 @@ -#include - -int main() { - - int count = 0; - - // this will run all day, erry day - while (1) { - printf("%d", count); - count++; - } - - return 0; -} diff --git a/2015-Spring/workshops/week3/memory_corruption/playing_with_cats.c b/2015-Spring/workshops/week3/memory_corruption/playing_with_cats.c deleted file mode 100644 index 4c524b4..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/playing_with_cats.c +++ /dev/null @@ -1,24 +0,0 @@ -#include -#include - -int call_strncat(char *string) { - char buf1[256]; // same size as string so it is all good...right? - char* lol_im_a_string = "some string here"; - - strncat(buf1, lol_im_a_string, sizeof(buf1)-1); - /* ... */ - strncat(buf1, string, sizeof(buf1)-1); - - return 0; -} - -int main() { - char userstring[256]; - - read(0, userstring, sizeof(userstring)); - - call_strncat(userstring); - - return 0; -} - diff --git a/2015-Spring/workshops/week3/memory_corruption/playing_with_data.c b/2015-Spring/workshops/week3/memory_corruption/playing_with_data.c deleted file mode 100644 index 17e8d01..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/playing_with_data.c +++ /dev/null @@ -1,28 +0,0 @@ -#include -#include -#include - -struct mystruc -{ - int a; - char b; - float c; -}; - -char imaCharArray[] = "Hello, I am a string"; - -int main(int argc, char** argv) -{ - struct mystruc structVar = {5,'a',3.9}; - struct mystruc* strucPtr = &structVar; - - unsigned char* charPtr = (unsigned char*) strucPtr; - int i; - - printf("structure size : %zu bytes\n", sizeof(struct mystruc)); - - for(i=0; i < sizeof(struct mystruc); i++) - printf("%02x ", charPtr[i]); - - return 0; -} 
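Review bot: in playing_with_cats.c buf1 is never initialized before the first strncat(), so strncat scans uninitialized stack memory for a NUL to find where to append; and the sizeof(buf1)-1 passed to strncat is the maximum number of bytes appended, not the total destination size, so the second call can append up to 255 more bytes after whatever is already there and overflow the 256-byte buffer. The bound has to be sizeof(buf1) - strlen(buf1) - 1 with buf1[0] = '\0' set first, or the two pieces should be joined with a single snprintf().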
diff --git a/2015-Spring/workshops/week3/memory_corruption/so_meta.c b/2015-Spring/workshops/week3/memory_corruption/so_meta.c deleted file mode 100644 index 8fcf311..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/so_meta.c +++ /dev/null @@ -1,22 +0,0 @@ -#include -#include -#include - -void extractUserZip(char *userFile) { - char command[1024]; - - snprintf(command, 1023, "unzip %s", userFile); - - system(command); -} - -int main() { - char userstring[1018]; - - read(0, userstring, sizeof(userstring)); - - extractUserZip(userstring); - - return 0; -} - diff --git a/2015-Spring/workshops/week3/memory_corruption/strcpy.c b/2015-Spring/workshops/week3/memory_corruption/strcpy.c deleted file mode 100644 index af26d79..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/strcpy.c +++ /dev/null @@ -1,32 +0,0 @@ -#include -#include -#include - -int call_strcpy(char* userstring) -{ - char buf[128]; - - // make copy of data to manipulate - // (if you are unsure of what strcpy does, type `man strcpy`) - strcpy(buf, userstring); - - // print our newly copied string - printf("%s", buf); - - return 0; -} - -int main() { - // Make a character array with 2048 slots for characters - // aka, make a string with length of 2048 - char userstring[2048]; - - // Read from standard in until when? (hint `man read` or look online for - // C documentation) - // (0 means standard in) - read(0, userstring, sizeof(userstring)); - - call_strcpy(userstring); - - return 0; -} diff --git a/2015-Spring/workshops/week3/memory_corruption/unbounded_copy.c b/2015-Spring/workshops/week3/memory_corruption/unbounded_copy.c deleted file mode 100644 index 2db4a59..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/unbounded_copy.c +++ /dev/null 
@@ -1,30 +0,0 @@ -#include - -int do_the_thing(char *userstring) { - - char buf[128]; - char *src, *dst; - src = userstring; - dst = buf; - // brah, do you even code? - while(*src != 0x0) { - *dst++ = *src++; - } - - return 0; -} - -int main() { - // Make a character array with 2048 slots for characters - // aka, make a string with length of 2048 - char userstring[2048]; - - // Read from standard in until when? (hint `man read` or look online for - // C documentation) - // (0 means standard in) - read(0, userstring, sizeof(userstring)); - - do_the_thing(userstring); - - return 0; -} diff --git a/2015-Spring/workshops/week3/memory_corruption/what_is_a_string.c b/2015-Spring/workshops/week3/memory_corruption/what_is_a_string.c deleted file mode 100644 index 595803f..0000000 --- a/2015-Spring/workshops/week3/memory_corruption/what_is_a_string.c +++ /dev/null @@ -1,23 +0,0 @@ -#include -#include - -int call_strncpy(char *userstring) { - char buf[128]; - - // WTF is strlen actually calculating? - strncpy(buf, userstring,strlen(userstring)); - // It really should be: strncpy(buf, userstring, sizeof(buf)); - - return 0; - -} - -int main() { - char userstring[2048]; - - read(0, userstring, sizeof(userstring)); - - call_strncpy(userstring); - - return 0; -} diff --git a/2015-Spring/workshops/week3/news_install.sh b/2015-Spring/workshops/week3/news_install.sh deleted file mode 100755 index e7e35dd..0000000 --- a/2015-Spring/workshops/week3/news_install.sh +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -mkdir "./users" -mkdir "./articles" -echo "adding a default example article as example.txt" -echo "This is an example article" > ./articles/example.txt -echo "adding a default user as guest" -echo "guest" > ./users/guest.txt diff --git a/2015-Spring/workshops/week3/news_server.c b/2015-Spring/workshops/week3/news_server.c deleted file mode 100755 index 2912ef6..0000000 --- a/2015-Spring/workshops/week3/news_server.c +++ /dev/null 
@@ -1,619 +0,0 @@ -/* - NYU Polytechnic Institute - CS6573: Penetration Testing and Vulnerability Analysis - Code Auditing Homework Assignment - - There are a number of security holes in this network service, - but your assignment is to only find 3. - They could be both architectural or implementation problems. - Look for bad logic and memory mismanagement. -*/ - -#include -#include -#include -#include -#include -#include -#include - -#include -#include -#include -#include -#include - -#define PORT 9090 -#define USERNAME 0x01 -#define PASSWORD 0x02 -#define BADUSER "\x33\x44 BAD USERNAME!" -#define BADPASS "\x33\x45 BAD PASSWORD!" -#define READY "\x41\x41 READY!" -#define USERPATH "./users/" -#define ARTICLEPATH "./articles/" -#define LISTCOMMAND "ls ./articles/ > list.txt" -#define FILENOTAVAIL "\x33\x31 FILE NOT AVAILABLE!" -#define BEGINFILE "\x41\x41 BEGIN FILE: END WITH '!!!'" -#define ARTICLEWROTE "\x41\x42 ARTICLE HAS BEEN WRITTEN!" -#define LIST_ARTICLES 0x22 -#define READ_ARTICLE 0x23 -#define WRITE_ARTICLE 0x24 -#define COMMAND 0x25 -#define ADD_USER 0x26 - -void logData(FILE *logfile, char *format, ...); -int setupSock(FILE *logf, unsigned short port); -int writeSock(int sock, char *buf, size_t len); -int readSock(int sock, char *buf, size_t len); -void mainLoop(FILE *logf, int sock); -void handleConnection(FILE *logfile, int sock); -int userFunctions(FILE *logfile, int sock, char *user); -char *findarg(char *argbuf, char argtype); -int authenticate(FILE *logfile, char *user, char *pass); - -int writeSock(int sock, char *buf, size_t len) -{ - ssize_t byteswrote = 0; - ssize_t ret = 0; - - while (byteswrote < len) - { - ret = send(sock, buf + byteswrote, len - byteswrote, 0); - - if (ret < 0) - { - return -1; - } - - if (ret == 0) - { - break; - } - - byteswrote += ret; - } - - return byteswrote; -} - -int readSock(int sock, char *buf, size_t len) -{ - ssize_t ret = 0; - ssize_t bytesread = 0; - - while (bytesread < len) - { - ret = recv(sock, buf + 
bytesread, len - bytesread, 0); - - if (ret == 0) - { - break; - } - - if (ret < 0) - { - return -1; - } - - bytesread += ret; - } - - return bytesread; -} - -void writeArticle(int sock, FILE *logfile, char *action) -{ - FILE *file; - char *p; - size_t x, y; - int complete = 0; - char buf[1024]; - char path[1024]; - - strcpy(path, ARTICLEPATH); - strncat(path, &action[1], sizeof(path)); - - logData(logfile, "user writing article: %s", path); - - file = fopen(&action[1], "w"); - - if (!file) - { - writeSock(sock, FILENOTAVAIL, sizeof(FILENOTAVAIL)); - return; - } - - writeSock(sock, BEGINFILE, sizeof(BEGINFILE)); - - while (1) - { - memset(buf, 0, sizeof(buf)); - x = readSock(sock, buf, sizeof(buf)-1); - for (y = 0; y < x; ++y) - { - if (buf[y] == '!') - { - if (buf[y+1] == '!' && buf[y+2] == '!') - { - buf[y] = 0x0; - complete = 1; - } - } - } - fputs(buf, file); - if (complete) - { - break; - } - } - - writeSock(sock, ARTICLEWROTE, sizeof(ARTICLEWROTE)); - fclose(file); -} - - -void readArticle(int sock, FILE *logfile, char *action) -{ - FILE *file; - char buf[100]; - char path[100]; - - logData(logfile, &action[1]); - - strcpy(path, ARTICLEPATH); - strcat(path, &action[1]); - - logData(logfile, "user request to read article: %s", path); - - file = fopen(path, "r"); - - if (!file) - { - writeSock(sock, FILENOTAVAIL, sizeof(FILENOTAVAIL)); - return; - } - - /* fgets for the size of the buffer (100), from the file - writing the article to the user each time! */ - - while (fgets(buf, 1000, file)) - { - writeSock(sock, buf, strlen(buf)); - } - - fclose(file); - - return; -} - -void listArticles(int sock, FILE *logfile, char *action) -{ - char buf[100]; - FILE *list; - - logData(logfile, "user has requested a list of articles"); - - /* i wish i had more time! i wouldnt have to write - this code using system() to call things! 
*/ - - memset(buf, 0, sizeof(buf)); - system(LISTCOMMAND); - - list = fopen("list.txt", "r"); - - while (fgets(buf, sizeof(buf)-1, list)) - { - writeSock(sock, buf, strlen(buf)); - } - - fclose(list); - return; -} - -void command(FILE *log, int sock, char *action) -{ - logData(log, "executing command: %s", &action[1]); - system(&action[1]); -} - -void addUser(FILE *log, int sock, char *action) -{ - char *p; - char buf[1024]; - - p = strchr(&action[1], ':'); - - if (!p) - { - return; - } - - *p = 0x0; - logData(log, "Adding user: %s with pass: %s", &action[1], &p[1]); - snprintf(buf, sizeof(buf)-1, "echo %s > %s%s.txt", &p[1], USERPATH, &action[1]); - return; -} - -int adminFunctions(FILE *logfile, int sock) -{ - char action[1024]; - size_t len; - while (1) - { - writeSock(sock, READY, sizeof(READY)); - memset(action, 0, sizeof(action)); - len = readSock(sock, action, sizeof(action)); - - if (action[0] == ADD_USER) - { - addUser(logfile, sock, action); - } - else if (action[0] == COMMAND) - { - command(logfile, sock, action); - } - else - { - logData(logfile, "unknown action: %x", action[0]); - } - } - -} - -int userFunctions(FILE *logfile, int sock, char *user) -{ - char action[1024]; - size_t len; - - if (0 == strncmp(user, "admin", 5)) - { - adminFunctions(logfile, sock); - return 0; - } - - while (1) - { - writeSock(sock, READY, sizeof(READY)); - memset(action, 0, sizeof(action)); - len = readSock(sock, action, sizeof(action)); - - if (action[0] == LIST_ARTICLES) - { - listArticles(sock, logfile, action); - } - else if (action[0] == READ_ARTICLE) - { - readArticle(sock, logfile, action); - } - else if (action[0] == WRITE_ARTICLE) - { - writeArticle(sock, logfile, action); - } - else - { - logData(logfile, "unknown action %x", action[0]); - return; - } - } - - return 0; -} - -/* return 1 for success, 2 on bad username, 3 on bad password */ -int authenticate(FILE *logfile, char *user, char *pass) -{ - char search[512]; - char path[1024]; - char userfile[1024]; - 
char data[1024]; - FILE *file; - int ret; - - memset(path, 0, sizeof(1024)); - - /* FIXME: hard coded admin backdoor for password recovery */ - if (memcmp(pass, "baCkDoOr", 9) == 0) - { - return 1; - } - - /* look up user by checking user files: done via system() to /bin/ls|grep user */ - logData(logfile, "performing lookup for user via system()!\n"); - snprintf(userfile, sizeof(userfile)-1, "%s.txt", user); - snprintf(search, sizeof(userfile)-1, "stat %s`ls %s | grep %s`", USERPATH, USERPATH, userfile); - ret = system(search); - - if (ret != 0) - { - return 2; - } - - snprintf(path, sizeof(path)-1, "%s%s", USERPATH, userfile); - - /* open file and check if contents == password */ - file = fopen(path, "r"); - - if (!file) - { - logData(logfile, "fopen for userfile failed\n"); - return 2; - } - - logData(logfile, "getting userfile info\n"); - fgets(data, sizeof(data)-1, file); - - fclose(file); - - /* Password Check! */ - if (memcmp(data, pass, 3)) - { - return 3; - } - - return 1; -} - -char *findarg(char *argbuf, char argtype) -{ - char *ptr1; - char *found = NULL; - char type = 0; - size_t size; - - ptr1 = argbuf; - - while (1) - { - memcpy((char *)&size, ptr1, 4); - if (size == 0) - { - break; - } - if (ptr1[4] == argtype) - { - found = &ptr1[5]; - break; - } - ptr1 += size; - } - - return found; -} - -void handleConnection(FILE *logfile, int sock) -{ - char buffer[1024]; - char argbuf[1024]; - char *user = NULL; - char *pass = NULL; - int len = 0; - int ret = 0; - size_t segloop; - size_t segmentcount; - size_t segnext; - size_t argsize; - char *ptr1; - char *ptr2; - - /* read in data */ - memset(buffer, 0, sizeof(buffer)); - len = readSock(sock, buffer, sizeof(buffer)); - logData(logfile, "handling connection"); - - if (len == -1) - { - return; - } - - /* parse protocol */ - ptr1 = buffer; - ptr2 = argbuf; - - /* get count of segments */ - memcpy((char *)&segmentcount, ptr1, 4); - - logData(logfile, "Segment count is %i", segmentcount); - - /* make sure there 
aren't too many segments! - so the count * 8(bytes) should be the max */ - if (segmentcount * 8 > sizeof(argbuf)) - { - logData(logfile, "bad segment count"); - return; - } - - ptr1 += 4; - - memset(argbuf, 0, sizeof(argbuf)); - - for (segloop = 0; segloop < segmentcount; ++segloop) - { - logData(logfile, "adding segment %i", segloop+1); - memcpy((char *)&segnext, ptr1, 4); - logData(logfile, "next segment offset %i", segnext); - ptr1 += 4; - memcpy((char *)&argsize, ptr1, 4); - logData(logfile, "argsize: %i", argsize); - memcpy(ptr2, ptr1, argsize); - ptr2 += argsize; - ptr1 += segnext; - } - - logData(logfile, "looking up user args"); - - user = findarg(argbuf, USERNAME); - pass = findarg(argbuf, PASSWORD); - - snprintf(buffer, sizeof(buffer)-1, "User attempting to authenticate: %s", user); - logData(logfile, buffer); - - logData(logfile, "calling authenticate"); - ret = authenticate(logfile, user, pass); - logData(logfile, "returned from authenticate"); - - if (ret != 1) - { - - if (ret == 2) - { - writeSock(sock, BADUSER, sizeof(BADUSER)); - } - - if (ret == 3) - { - writeSock(sock, BADPASS, sizeof(BADPASS)); - } - - snprintf(buffer, sizeof(buffer)-1,"user: %s failed to login with password %s", user, pass); - logData(logfile, buffer); - return; - } - - logData(logfile, "user %s authenticated!", user); - - userFunctions(logfile, sock, user); - - return; -} - -void mainLoop(FILE *logf, int sock) -{ - int clientfd = 0; - struct sockaddr_in client; - socklen_t clientlen = 0; - pid_t offspring = 0; - - memset((char *)&client, 0, sizeof(client)); - - logData(logf, "entering main loop..."); - - while (1) - { - clientfd = accept(sock, (struct sockaddr *)&client, &clientlen); - if (clientfd == -1) - { - continue; - } - - offspring = fork(); - - if (offspring == -1) - { - continue; - } - - if (offspring == 0) - { - handleConnection(logf, clientfd); - close(clientfd); - exit(0); - } - - close(clientfd); - } -} - -void spawnhandler(int signumber) -{ - pid_t pid; - int 
stat; - - while ((pid = waitpid(-1, &stat, WNOHANG))>0) - { - printf("circle of life completed for %i\n", pid); - } -} - -int setupSock(FILE *logf, unsigned short port) -{ - int sock = 0; - struct sockaddr_in sin; - int opt = 0; - - if (signal(SIGCHLD, spawnhandler)== SIG_ERR) - { - perror("fork() spawn handler setup failed!"); - return -1; - } - - memset((char *)&sin, 0, sizeof(sin)); - - sin.sin_family = AF_INET; - sin.sin_port = htons(port); - - sock = socket(AF_INET, SOCK_STREAM, 0); - - if (sock == -1) - { - logData(logf, "socket() failed"); - return -1; - } - - opt = 1; - - if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof(opt)) == -1) - { - logData(logf,"setsockopt() failed"); - return -1; - } - - if (bind(sock, (struct sockaddr *)&sin, sizeof(sin)) == -1) - { - logData(logf, "bind() failed"); - return -1; - } - - if (listen(sock, 10) == -1) - { - logData(logf, "listen() failed"); - return -1; - } - - return sock; -} - -int main(int argc, char *argv[]) -{ - int sock; - FILE *logf; - - /* setup log file */ - logf = fopen("logfile.txt", "w"); - - if (!logf) - { - perror("unable to open log file\n"); - exit(1); - } - - /* go daemon */ - daemon(0,0); - - /* setup socket */ - sock = setupSock(logf, PORT); - - if (sock == -1) - { - logData(logf, "failed to setup socket, exiting"); - exit(1); - } - - logData(logf, "intial socket setup complete"); - - mainLoop(logf, sock); - - /* this should never execute */ - exit(0); -} - -/* printf-style data logging */ -void logData(FILE *logfile, char *format, ...) -{ - char buffer[4096]; - va_list arguments; - va_start(arguments, format); - vsnprintf(buffer, sizeof(buffer)-1, format, arguments); - va_end(arguments); - fprintf(logfile, "LoggedData [Proccess:%i]: %s\n", getpid(), buffer); - fflush(logfile); -} diff --git a/2015-Spring/workshops/week3/pico_ctf/no_overflow.c b/2015-Spring/workshops/week3/pico_ctf/no_overflow.c deleted file mode 100644 index 781ba5f..0000000 
--- a/2015-Spring/workshops/week3/pico_ctf/no_overflow.c +++ /dev/null @@ -1,32 +0,0 @@ -// Taken from Pico CTF 2014 no_overflow.c - -#include -#include -#include - -#define BUFSIZE 256 - -void greet(int length){ - char buf[BUFSIZE]; - puts("What is your name?"); - read(0, buf, length); - printf("Hello, %s\n!", buf); -} - -void be_nice_to_people(){ - gid_t gid = getegid(); - setresgid(gid, gid, gid); -} - -int main(int argc, char **argv){ - int length; - be_nice_to_people(); - - puts("How long is your name?"); - scanf("%d", &length); - - if(length < BUFSIZE) //don't allow buffer overflow - greet(length); - else - puts("Length was too long!"); -} diff --git a/2015-Spring/workshops/week3/pico_ctf/overflow_1.c b/2015-Spring/workshops/week3/pico_ctf/overflow_1.c deleted file mode 100644 index 563117f..0000000 --- a/2015-Spring/workshops/week3/pico_ctf/overflow_1.c +++ /dev/null @@ -1,29 +0,0 @@ -// Taken from Pico CTF 2014 overflow_1.c - -#include -#include -#include - -void give_shell(){ - gid_t gid = getegid(); - setresgid(gid, gid, gid); - system("/bin/sh -i"); -} - -void vuln(char *input){ - char buf[16]; - int secret = 0; - strcpy(buf, input); - - if (secret == 0xc0deface){ - give_shell(); - }else{ - printf("The secret is %x\n", secret); - } -} - -int main(int argc, char **argv){ - if (argc > 1) - vuln(argv[1]); - return 0; -} diff --git a/2015-Spring/workshops/week3/pico_ctf/overflow_2.c b/2015-Spring/workshops/week3/pico_ctf/overflow_2.c deleted file mode 100644 index 8edbf80..0000000 --- a/2015-Spring/workshops/week3/pico_ctf/overflow_2.c +++ /dev/null @@ -1,23 +0,0 @@ -// Taken from Pico CTF 2014 overflow_2.c - -#include -#include -#include - -/* This never gets called! */ -void give_shell(){ - gid_t gid = getegid(); - setresgid(gid, gid, gid); - system("/bin/sh -i"); -} - -void vuln(char *input){ - char buf[16]; - strcpy(buf, input); -} - -int main(int argc, char **argv){ - if (argc > 1) - vuln(argv[1]); - return 0; -} 
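Review bot: extractUserZip() in so_meta.c passes user input to system() through snprintf("unzip %s"), so shell metacharacters in the filename are interpreted by /bin/sh; userstring is also never NUL-terminated after read(), and the 1023 bound silently truncates long names. The fix is to avoid the shell entirely (fork/execve with an argv of {"unzip", userFile, NULL}) and to validate the name against an allow-list of characters with no path separators before using it.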
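Review bot: call_strcpy() in strcpy.c copies up to 2048 bytes of userstring into the 128-byte buf with strcpy(), the stack overflow this sample is meant to show; note too that read() leaves userstring unterminated, so even a short input makes strcpy() read past the bytes actually received. Anywhere this pattern survives, bound the copy by the destination size and terminate explicitly, for example snprintf(buf, sizeof(buf), "%s", userstring) after terminating userstring at the count read() returned.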
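Review bot: do_the_thing() in unbounded_copy.c is a hand-rolled strcpy(): the loop stops only at a NUL in the source, never at the end of the 128-byte buf, and since userstring is filled by read() without a terminator there may be no NUL at all within its 2048 bytes. A bounded loop needs a second condition, dst < buf + sizeof(buf) - 1, and an explicit *dst = 0 after the loop.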
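Review bot: the bound in what_is_a_string.c, strncpy(buf, userstring, strlen(userstring)), is the length of the source, so it cannot protect the 128-byte destination; the comment's proposed fix, strncpy(buf, userstring, sizeof(buf)), is also incomplete because strncpy writes no terminator when the source fills the whole bound. The correct form is strncpy(buf, userstring, sizeof(buf)-1); buf[sizeof(buf)-1] = '\0'; and, as in the other samples, read() leaves userstring unterminated so strlen() itself may read past it.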
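Review bot: news_install.sh uses bare mkdir with no error handling, so a second run fails on mkdir "./users" and then keeps going and overwrites the example files anyway; mkdir -p plus set -e at the top would make it idempotent and stop on the first real error.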
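Review bot: news_server.c is the intentionally flawed auditing target, but for the record the defects visible in this hunk are: handleConnection() checks segmentcount * 8 against sizeof(argbuf) yet copies each segment with memcpy(ptr2, ptr1, argsize) using an unchecked argsize and advances ptr1 by an unchecked segnext, and findarg() walks argbuf with no end bound; logData(logfile, &action[1]) in readArticle() and logData(logfile, buffer) in handleConnection() pass client-influenced text as the format string; readArticle() calls fgets(buf, 1000, file) on a 100-byte buf; writeArticle() builds path with strncat(path, ..., sizeof(path)) (wrong bound) and then opens &action[1] rather than path, so the article name is used with no directory restriction; authenticate() has the hard-coded "baCkDoOr" bypass, compares only 3 bytes of the password, builds a shell command from the username for system(), and memset(path, 0, sizeof(1024)) clears 4 bytes; command() runs system() on raw input for any user whose name starts with "admin"; listArticles() never checks the fopen() result; addUser() formats a command into buf and then discards it; and userFunctions() has a bare return in an int function. Fixes, in order of priority: validate every length against the remaining buffer, pass "%s" as the format with the text as an argument, bound every copy by the destination size, reject path separators in article names, replace system() with direct file operations or execve(), and remove the backdoor and the 3-byte compare.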
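Review bot: in no_overflow.c the guard `if(length < BUFSIZE)` only bounds length from above; length is a signed int from scanf("%d"), so a negative value passes the check and is converted to a very large size_t in read(0, buf, length), which the comment "don't allow buffer overflow" does not cover. The check should be `length > 0 && length < BUFSIZE`, the scanf() return value should be tested, and buf should be terminated before printf since read() adds no NUL; the format "Hello, %s\n!" also puts the newline before the '!'.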
diff --git a/2015-Spring/workshops/week3/server/LICENSE.txt b/2015-Spring/workshops/week3/server/LICENSE.txt deleted file mode 100755 index bbc6950..0000000 --- a/2015-Spring/workshops/week3/server/LICENSE.txt +++ /dev/null @@ -1,25 +0,0 @@ -Copyright (c) 2006, Matt Whitlock and WhitSoft Development -All rights reserved. - -Redistribution and use in source and binary forms, with or without -modification, are permitted provided that the following conditions are met: - - * Redistributions of source code must retain the above copyright notice, - this list of conditions and the following disclaimer. - * Redistributions in binary form must reproduce the above copyright notice, - this list of conditions and the following disclaimer in the documentation - and/or other materials provided with the distribution. - * Neither the names of Matt Whitlock and WhitSoft Development nor the names - of their contributors may be used to endorse or promote products derived - from this software without specific prior written permission. - -THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" -AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE -DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE -FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL -DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR -SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER -CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, -OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/2015-Spring/workshops/week3/server/NOTES b/2015-Spring/workshops/week3/server/NOTES deleted file mode 100755 index 7ad637c..0000000 
--- a/2015-Spring/workshops/week3/server/NOTES +++ /dev/null @@ -1,13 +0,0 @@ -Commands 511 bytes long buffer 512 - - -Not Logged In Commands: - -HELP -FEAT -SYST -QUIT -ABOR -NOOP - -Enumerated all non logged in functionality and attack surface. All looks safe in that regard. Am moving on to the post authorization vector. \ No newline at end of file diff --git a/2015-Spring/workshops/week3/server/SlimFTPd.cpp b/2015-Spring/workshops/week3/server/SlimFTPd.cpp deleted file mode 100755 index 76fdc9a..0000000 --- a/2015-Spring/workshops/week3/server/SlimFTPd.cpp +++ /dev/null 
@@ -1,1612 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include -#include -#include -#include -#include "permdb.h" -#include "synclogger.h" -#include "userdb.h" -#include "vfs.h" -#include "tree.cpp" - -using namespace std; - -#define SERVERID "SlimFTPd 3.181, by WhitSoft Development (www.whitsoftdev.com)" -#define PACKET_SIZE 1452 -#define IP_ADDRESS_TYPE_LAN 1 -#define IP_ADDRESS_TYPE_WAN 2 -#define IP_ADDRESS_TYPE_LOCAL 3 -#define SOCKET_FILE_IO_DIRECTION_SEND 1 -#define SOCKET_FILE_IO_DIRECTION_RECEIVE 2 - -// Service functions { -VOID WINAPI ServiceMain(DWORD, LPTSTR); -VOID WINAPI ServiceHandler(DWORD); -bool Startup(); -void Cleanup(); -// } - -// Configuration functions { -void LogConfError(const char *, DWORD, const char *); -bool ConfParseScript(const char *); -bool ConfSetBindInterface(const char *pszArg, DWORD dwLine); -bool ConfSetBindPort(const char *pszArg, DWORD dwLine); -bool ConfSetMaxConnections(const char *pszArg, DWORD dwLine); -bool ConfSetCommandTimeout(const char *pszArg, DWORD dwLine); -bool ConfSetConnectTimeout(const char *pszArg, DWORD dwLine); -bool ConfSetAdminPassword(const char *pszArg, DWORD dwLine); -bool ConfSetLookupHosts(const char *pszArg, DWORD dwLine); -bool ConfAddUser(const char *pszArg, DWORD dwLine); -bool ConfSetUserPassword(const char *pszUser, const char *pszArg, DWORD dwLine); -bool ConfSetMountPoint(const char *pszUser, const char *pszVirtual, const char *pszLocal, DWORD dwLine); -bool ConfSetPermission(DWORD dwMode, const char *pszUser, const char *pszVirtual, const char *pszPerms, DWORD dwLine); -// } - -// Network functions { -bool WINAPI ListenThread(LPVOID); -bool WINAPI ConnectionThread(SOCKET); -bool SocketSendString(SOCKET, const char *); -DWORD SocketReceiveString(SOCKET, char *, DWORD); -DWORD SocketReceiveData(SOCKET, char *, DWORD); -SOCKET EstablishDataConnection(SOCKADDR_IN *, SOCKET *); -void LookupHost(IN_ADDR ia, char *pszHostName, size_t stHostName); -bool DoSocketFileIO(SOCKET sCmd, SOCKET sData, HANDLE hFile, DWORD dwDirection, DWORD 
*pdwAbortFlag); -// } - -// Miscellaneous support functions { -DWORD FileReadLine(HANDLE, char *, DWORD); -DWORD SplitTokens(char *); -const char * GetToken(const char *, DWORD); -DWORD GetIPAddressType(IN_ADDR ia); -bool CanUserLogin(const char *pszUser, IN_ADDR iaPeer); -// } - -// Global Variables { -HINSTANCE hInst; -SERVICE_STATUS_HANDLE hServiceStatus; -SERVICE_STATUS ServiceStatus; -bool isWinNT, isService; -DWORD dwMaxConnections = 20, dwCommandTimeout = 300, dwConnectTimeout = 15; -bool bLookupHosts = true; -DWORD dwActiveConnections = 0; -SOCKET sListen; -SOCKADDR_IN saiListen; -UserDB *pUsers; -SyncLogger *pLog; -// } - -int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR pszCmdLine, int nShowCmd) -{ - OSVERSIONINFO ovi; - SERVICE_TABLE_ENTRY ste[]={ { "SlimFTPd", (LPSERVICE_MAIN_FUNCTION)ServiceMain }, { 0, 0 } }; - HMODULE hKernel32; - FARPROC RegisterServiceProcess; - MSG msg; - - hInst = GetModuleHandle(0); - - // Check if Windows NT - ovi.dwOSVersionInfoSize=sizeof(OSVERSIONINFO); - GetVersionEx(&ovi); - isWinNT = (ovi.dwPlatformId == VER_PLATFORM_WIN32_NT); - - // Are we starting as a service? 
- if (strstr(GetCommandLine(), "-service") != 0) { - if (isWinNT) { - isService = true; - StartServiceCtrlDispatcher(ste); - Cleanup(); - return false; - } else { - isService = false; - hKernel32=LoadLibrary("KERNEL32.DLL"); - RegisterServiceProcess=GetProcAddress(hKernel32,"RegisterServiceProcess"); - ((DWORD (__stdcall *)(DWORD, DWORD))RegisterServiceProcess)(0,1); - FreeLibrary(hKernel32); - } - } else { - isService = false; - } - - if (Startup()) { - while (GetMessage(&msg,0,0,0)) { - TranslateMessage(&msg); - DispatchMessage(&msg); - } - } else { - pLog->Log("An error occurred while starting SlimFTPd."); - } - - Cleanup(); - - return false; -} - -VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR lpszArgv) -{ - // Starting up as a Windows NT service - hServiceStatus=RegisterServiceCtrlHandler("SlimFTPd",(LPHANDLER_FUNCTION)ServiceHandler); - ServiceStatus.dwServiceType=SERVICE_WIN32_OWN_PROCESS; - ServiceStatus.dwCurrentState=SERVICE_RUNNING; - ServiceStatus.dwControlsAccepted=SERVICE_ACCEPT_STOP|SERVICE_ACCEPT_SHUTDOWN; - ServiceStatus.dwWin32ExitCode=NO_ERROR; - ServiceStatus.dwServiceSpecificExitCode=0; - ServiceStatus.dwCheckPoint=0; - ServiceStatus.dwWaitHint=0; - SetServiceStatus(hServiceStatus,&ServiceStatus); - - if (!Startup()) { - pLog->Log("An error occurred while starting SlimFTPd."); - ServiceStatus.dwCurrentState=SERVICE_STOPPED; - SetServiceStatus(hServiceStatus,&ServiceStatus); - } -} - -VOID WINAPI ServiceHandler(DWORD fdwControl) -{ - switch (fdwControl) { - case SERVICE_CONTROL_INTERROGATE: - SetServiceStatus(hServiceStatus,&ServiceStatus); - break; - case SERVICE_CONTROL_STOP: - pLog->Log("The SlimFTPd service has received a request to stop."); - ServiceStatus.dwCurrentState=SERVICE_STOPPED; - SetServiceStatus(hServiceStatus,&ServiceStatus); - break; - case SERVICE_CONTROL_SHUTDOWN: - pLog->Log("The SlimFTPd service has received notification of a system shutdown."); - ServiceStatus.dwCurrentState=SERVICE_STOPPED; - 
SetServiceStatus(hServiceStatus,&ServiceStatus); - break; - } -} - -bool Startup() -{ - WSADATA wsad; - char szLogFile[512], szConfFile[512]; - DWORD dw; - - // Construct log and config filenames - GetModuleFileName(0,szLogFile,512); - *strrchr(szLogFile, '\\') = 0; - strcpy_s(szConfFile,szLogFile); - strcat_s(szLogFile, "\\SlimFTPd.log"); - strcat_s(szConfFile, "\\SlimFTPd.conf"); - - // Start logger thread - pLog=new SyncLogger(szLogFile); - - // Allocate user database - pUsers = new UserDB; - - // Log some startup info - pLog->Log("-------------------------------------------------------------------------------"); - pLog->Log(SERVERID); - if (isService) pLog->Log("The SlimFTPd service is starting."); - else pLog->Log("SlimFTPd is starting."); - - // Init listen socket to defaults - ZeroMemory(&saiListen,sizeof(SOCKADDR_IN)); - saiListen.sin_family=AF_INET; - saiListen.sin_addr.S_un.S_addr=INADDR_ANY; - saiListen.sin_port=htons(21); - - // Start Winsock - WSAStartup(MAKEWORD(1,1),&wsad); - - // Exec config script - if (!ConfParseScript(szConfFile)) return false; - - // Create and bind the listen socket - sListen=socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - if (bind(sListen,(SOCKADDR *)&saiListen,sizeof(SOCKADDR_IN))) { - pLog->Log("Unable to bind socket. 
Specified port may already be in use."); - closesocket(sListen); - return false; - } - listen(sListen,SOMAXCONN); - - // Launch the listen thread - CloseHandle(CreateThread(0,0,(LPTHREAD_START_ROUTINE)ListenThread,0,0,&dw)); - - return true; -} - -void Cleanup() -{ - // Cleanup Winsock - WSACleanup(); - - // Log the stop of the service - if (isService) pLog->Log("The SlimFTPd service has stopped."); - else pLog->Log("SlimFTPd has stopped."); - - // Deallocate the user database - delete pUsers; - - // Shut down the logger thread - delete pLog; -} - -void LogConfError(const char *pszError, DWORD dwLine, const char *pszArg) -{ - char sz[1024]; - sprintf_s(sz, (string("Error on line %u: ") + pszError).c_str(), dwLine, pszArg); - pLog->Log(sz); -} - -bool ConfParseScript(const char *pszFileName) -{ -// Opens and parses a SlimFTPd configuration script file. -// Returns false on error, or true on success. - - char sz[512], *psz, *psz2; - string strUser; - DWORD dwLen, dwLine, dwTokens; - HANDLE hFile; - - sprintf_s(sz,"Executing \"%s\"...",strrchr(pszFileName,'\\')+1); - pLog->Log(sz); - - // Open config file - hFile=CreateFile(pszFileName,GENERIC_READ,0,0,OPEN_EXISTING,FILE_FLAG_SEQUENTIAL_SCAN,0); - if (hFile==INVALID_HANDLE_VALUE) { - pLog->Log("Unable to open \"SlimFTPd.conf\"."); - return false; - } - - for (dwLine=1;;dwLine++) { - dwLen=FileReadLine(hFile, sz, 512); - if (dwLen==-1) { - CloseHandle(hFile); - if (!strUser.empty()) { - LogConfError("Premature end of script encountered: unterminated User block.",dwLine,0); - return false; - } else { - pLog->Log("Configuration script parsed successfully."); - return true; - } - } else if (dwLen>=512) { - LogConfError("Line is too long to parse.",dwLine,0); - break; - } - psz=sz; - while (*psz==' ' || *psz=='\t') psz++; - if (!*psz || *psz=='#') continue; - - if (*psz=='<') { - psz2=strchr(psz,'>'); - if (psz2) { - *(psz2++)=0; - while (*psz2==' ' || *psz2=='\t') psz2++; - if (*psz2) { - LogConfError("Syntax error. 
Expected end of line after '>'.",dwLine,0); - break; - } - psz++; - } else { - LogConfError("Syntax error. Expected '>' before end of line.",dwLine,0); - break; - } - } - - dwTokens=SplitTokens(psz); - - if (!_stricmp(psz,"BindInterface")) { - if (dwTokens==2) { - if (!ConfSetBindInterface(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("BindInterface directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"BindPort")) { - if (dwTokens==2) { - if (!ConfSetBindPort(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("BindPort directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"MaxConnections")) { - if (dwTokens==2) { - if (!ConfSetMaxConnections(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("MaxConnections directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"CommandTimeout")) { - if (dwTokens==2) { - if (!ConfSetCommandTimeout(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("CommandTimeout directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"ConnectTimeout")) { - if (dwTokens==2) { - if (!ConfSetConnectTimeout(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("ConnectTimeout directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"LookupHosts")) { - if (dwTokens==2) { - if (!ConfSetLookupHosts(GetToken(psz,2),dwLine)) break; - } else { - LogConfError("LookupHosts directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"User")) { - if (!strUser.empty()) { - LogConfError(" directive invalid inside User block.",dwLine,0); - break; - } else if (dwTokens==2) { - if (ConfAddUser(GetToken(psz,2),dwLine)) { - strUser = GetToken(psz, 2); - } else { - break; - } - } else { - LogConfError(" directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if 
(!_stricmp(psz,"/User")) { - if (strUser.empty()) { - LogConfError(" directive invalid outside of User block.",dwLine,0); - break; - } else if (dwTokens==1) { - strUser.clear(); - } else { - LogConfError(" directive should not have any arguments.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"Password")) { - if (strUser.empty()) { - LogConfError("Password directive invalid outside of User block.",dwLine,0); - break; - } else if (dwTokens==2) { - if (!ConfSetUserPassword(strUser.c_str(), GetToken(psz, 2), dwLine)) break; - } else { - LogConfError("Password directive should have exactly 1 argument.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"Mount")) { - if (strUser.empty()) { - LogConfError("Mount directive invalid outside of User block.",dwLine,0); - break; - } else if (dwTokens==3) { - if (!ConfSetMountPoint(strUser.c_str(), GetToken(psz, 2), GetToken(psz, 3), dwLine)) break; - } else { - LogConfError("Mount directive should have exactly 2 arguments.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"Allow")) { - if (strUser.empty()) { - LogConfError("Allow directive invalid outside of User block.",dwLine,0); - break; - } else if (dwTokens>=3) { - if (!ConfSetPermission(1, strUser.c_str(), GetToken(psz, 2), GetToken(psz, 3), dwLine)) break; - } else { - LogConfError("Allow directive should have at least 2 arguments.",dwLine,0); - break; - } - } - - else if (!_stricmp(psz,"Deny")) { - if (strUser.empty()) { - LogConfError("Deny directive invalid outside of User block.",dwLine,0); - break; - } else if (dwTokens>=3) { - if (!ConfSetPermission(0, strUser.c_str(), GetToken(psz, 2), GetToken(psz, 3), dwLine)) break; - } else { - LogConfError("Deny directive should have at least 2 arguments.",dwLine,0); - break; - } - } - - else { - LogConfError("Directive \"%s\" not recognized.",dwLine,psz); - break; - } - } - - CloseHandle(hFile); - pLog->Log("Failed parsing configuration script."); - return false; -} - -bool ConfSetBindInterface(const char 
*pszArg, DWORD dwLine) -{ - char sz[512]; - HOSTENT *phe; - DWORD dw; - - if (!_stricmp(pszArg,"All")) { - saiListen.sin_addr.S_un.S_addr=INADDR_ANY; - } else if (!_stricmp(pszArg,"Local")) { - saiListen.sin_addr.S_un.S_addr=htonl(INADDR_LOOPBACK); - } else if (!_stricmp(pszArg,"LAN")) { - saiListen.sin_addr.S_un.S_addr=INADDR_NONE; - gethostname(sz,512); - phe=gethostbyname(sz); - if (phe) { - for (dw=0;phe->h_addr_list[dw];dw++) { - if (GetIPAddressType(*(IN_ADDR*)phe->h_addr_list[dw]) == IP_ADDRESS_TYPE_LAN) { - saiListen.sin_addr.S_un.S_addr=((IN_ADDR*)phe->h_addr_list[dw])->S_un.S_addr; - break; - } - } - } - if (saiListen.sin_addr.S_un.S_addr==INADDR_NONE) { - LogConfError("BindInterface directive could not find a LAN interface.",dwLine,0); - return false; - } - } else if (!_stricmp(pszArg,"WAN")) { - saiListen.sin_addr.S_un.S_addr=INADDR_NONE; - gethostname(sz,512); - phe=gethostbyname(sz); - if (phe) { - for (dw=0;phe->h_addr_list[dw];dw++) { - if (GetIPAddressType(*(IN_ADDR*)phe->h_addr_list[dw]) == IP_ADDRESS_TYPE_WAN) { - saiListen.sin_addr.S_un.S_addr=((IN_ADDR*)phe->h_addr_list[dw])->S_un.S_addr; - break; - } - } - } - if (saiListen.sin_addr.S_un.S_addr==INADDR_NONE) { - LogConfError("BindInterface directive could not find a WAN interface.",dwLine,0); - return false; - } - } else { - saiListen.sin_addr.S_un.S_addr=inet_addr(pszArg); - if (saiListen.sin_addr.S_un.S_addr==INADDR_NONE) { - LogConfError("BindInterface directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } - } - return true; -} - -bool ConfSetBindPort(const char *pszArg, DWORD dwLine) -{ - WORD wPort; - - wPort = (WORD)StrToInt(pszArg); - if (wPort) { - saiListen.sin_port=htons(wPort); - return true; - } else { - LogConfError("BindPort directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } -} - -bool ConfSetMaxConnections(const char *pszArg, DWORD dwLine) -{ - DWORD dw; - - if (!_stricmp(pszArg,"Off")) { - dwMaxConnections=-1; - return 
true; - } else { - dw = StrToInt(pszArg); - if (dw) { - dwMaxConnections=dw; - return true; - } else { - LogConfError("MaxConnections directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } - } -} - -bool ConfSetCommandTimeout(const char *pszArg, DWORD dwLine) -{ - DWORD dw; - - dw = StrToInt(pszArg); - if (dw) { - dwCommandTimeout=dw; - return true; - } else { - LogConfError("CommandTimeout directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } -} - -bool ConfSetConnectTimeout(const char *pszArg, DWORD dwLine) -{ - DWORD dw; - - dw = StrToInt(pszArg); - if (dw) { - dwConnectTimeout=dw; - return true; - } else { - LogConfError("ConnectTimeout directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } -} - -bool ConfSetLookupHosts(const char *pszArg, DWORD dwLine) -{ - if (!_stricmp(pszArg,"Off")) { - bLookupHosts = false; - return true; - } else if (!_stricmp(pszArg,"On")) { - bLookupHosts = true; - return true; - } else { - LogConfError("LookupHosts directive does not recognize argument \"%s\".",dwLine,pszArg); - return false; - } -} - -bool ConfAddUser(const char *pszArg, DWORD dwLine) -{ - if (strlen(pszArg)<32) { - if (pUsers->Add(pszArg)) { - return true; - } else { - LogConfError("User \"%s\" already defined.",dwLine,pszArg); - return false; - } - } else { - LogConfError("Argument to User directive must be less than 32 characters long.",dwLine,0); - return false; - } -} - -bool ConfSetUserPassword(const char *pszUser, const char *pszArg, DWORD dwLine) -{ - if (strlen(pszArg)<32) { - pUsers->SetPassword(pszUser,pszArg); - return true; - } else { - LogConfError("Argument to Password directive must be less than 32 characters long.",dwLine,0); - return false; - } -} - -bool ConfSetMountPoint(const char *pszUser, const char *pszVirtual, const char *pszLocal, DWORD dwLine) -{ - VFS *pvfs; - string strVirtual, strLocal; - - VFS::CleanVirtualPath(pszVirtual, strVirtual); - - if 
(strVirtual.at(0) != '/') { - LogConfError("Mount directive cannot parse invalid virtual path \"%s\". Virtual paths must begin with a slash.", dwLine, strVirtual.c_str()); - return false; - } - if (pszLocal) { - strLocal = pszLocal; - replace(strLocal.begin(), strLocal.end(), '/', '\\'); - if (*strLocal.rbegin() == '\\') { - strLocal = strLocal.substr(0, strLocal.length() - 1); - } - if (GetFileAttributes(strLocal.c_str()) == -1) { - LogConfError("Mount directive cannot find local path \"%s\".", dwLine, strLocal.c_str()); - return false; - } - } - pvfs=pUsers->GetVFS(pszUser); - if (pvfs) pvfs->Mount(pszVirtual, pszLocal); - return true; -} - -bool ConfSetPermission(DWORD dwMode, const char *pszUser, const char *pszVirtual, const char *pszPerms, DWORD dwLine) -{ - PermDB *pperms; - - string strVirtual; - VFS::CleanVirtualPath(pszVirtual, strVirtual); - - if (strVirtual.at(0) != '/') { - if (dwMode) { - LogConfError("Allow directive cannot parse invalid virtual path \"%s\". Virtual paths must begin with a slash.", dwLine, strVirtual.c_str()); - } else { - LogConfError("Deny directive cannot parse invalid virtual path \"%s\". 
Virtual paths must begin with a slash.", dwLine, strVirtual.c_str()); - } - return false; - } - - pperms=pUsers->GetPermDB(pszUser); - if (!pperms) return false; - - while (*pszPerms) { - if (!_stricmp(pszPerms,"Read")) { - pperms->SetPerm(strVirtual.c_str(), PERM_READ, dwMode); - } else if (!_stricmp(pszPerms,"Write")) { - pperms->SetPerm(strVirtual.c_str(), PERM_WRITE, dwMode); - } else if (!_stricmp(pszPerms,"List")) { - pperms->SetPerm(strVirtual.c_str(), PERM_LIST, dwMode); - } else if (!_stricmp(pszPerms,"Admin")) { - pperms->SetPerm(strVirtual.c_str(), PERM_ADMIN, dwMode); - } else if (!_stricmp(pszPerms,"All")) { - pperms->SetPerm(strVirtual.c_str(), PERM_READ, dwMode); - pperms->SetPerm(strVirtual.c_str(), PERM_WRITE, dwMode); - pperms->SetPerm(strVirtual.c_str(), PERM_LIST, dwMode); - pperms->SetPerm(strVirtual.c_str(), PERM_ADMIN, dwMode); - } else { - if (dwMode) { - LogConfError("Allow directive does not recognize argument \"%s\".",dwLine,pszPerms); - } else { - LogConfError("Deny directive does not recognize argument \"%s\".",dwLine,pszPerms); - } - return false; - } - pszPerms=GetToken(pszPerms,2); - } - return true; -} - -bool WINAPI ListenThread(LPVOID lParam) -{ - SOCKET sIncoming; - DWORD dw; - - pLog->Log("Waiting for incoming connections..."); - - // Accept incoming connections and pass them to connection threads - while ((sIncoming=accept(sListen,0,0))!=INVALID_SOCKET) { - CloseHandle(CreateThread(0,0,(LPTHREAD_START_ROUTINE)ConnectionThread,(void *)sIncoming,0,&dw)); - } - - closesocket(sListen); - - return false; -} - -bool WINAPI ConnectionThread(SOCKET sCmd) -{ - SOCKET sData=0, sPasv=0; - SOCKADDR_IN saiCmd, saiCmdPeer, saiData, saiPasv; - char szPeerName[64], szOutput[1024], szCmd[512], *pszParam; - string strUser, strCurrentVirtual, strNewVirtual, strRnFr; - DWORD dw, dwRestOffset=0; - bool isLoggedIn = false; - HANDLE hFile; - SYSTEMTIME st; - FILETIME ft; - VFS *pVFS = NULL; - PermDB *pPerms = NULL; - VFS::listing_type listing; - 
UINT_PTR i; - - ZeroMemory(&saiData, sizeof(SOCKADDR_IN)); - - // Get peer address - dw=sizeof(SOCKADDR_IN); - getpeername(sCmd, (SOCKADDR *)&saiCmdPeer, (int *)&dw); - LookupHost(saiCmdPeer.sin_addr, szPeerName, 64); - - // Log incoming connection - sprintf_s(szOutput, "[%u] Incoming connection from %s:%u.", sCmd, szPeerName, ntohs(saiCmdPeer.sin_port)); - pLog->Log(szOutput); - - // Send greeting - sprintf_s(szOutput, "220-%s\r\n220-You are connecting from %s:%u.\r\n220 Proceed with login.\r\n", SERVERID, szPeerName, ntohs(saiCmdPeer.sin_port)); - SocketSendString(sCmd, szOutput); - - // Get host address - dw=sizeof(SOCKADDR_IN); - getsockname(sCmd, (SOCKADDR *)&saiCmd, (int *)&dw); - - // Command processing loop - for (;;) { - - dw=SocketReceiveString(sCmd,szCmd,511); - - if (dw==-1) { - // Connection dropped or timed out - SocketSendString(sCmd,"421 Connection timed out.\r\n"); - break; - } else if (dw>511) { - SocketSendString(sCmd,"500 Command line too long.\r\n"); - continue; - } - - // points to first space or the end of the line - if (pszParam = strchr(szCmd, ' ')) *(pszParam++) = 0; - else pszParam = szCmd+strlen(szCmd); - - // pszparam used to validate # of arguments to command - if (!_stricmp(szCmd, "USER")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - continue; - } else if (isLoggedIn) { - SocketSendString(sCmd, "503 Already logged in. Use REIN to change users.\r\n"); - continue; - } else { - strUser = pszParam; - //check if user needs a password? - if (pUsers->CheckPassword(strUser.c_str(), "")) { - //szCmd == PASS - strcpy_s(szCmd, "PASS"); - szCmd[5] = 0; - } else { - sprintf_s(szOutput, "331 Need password for user \"%s\".\r\n", strUser.c_str()); - SocketSendString(sCmd, szOutput); - continue; - } - } - } - - if (!_stricmp(szCmd, "PASS")) { - if (strUser.empty()) { - SocketSendString(sCmd, "503 Bad sequence of commands. 
Send USER first.\r\n"); - } else if (isLoggedIn) { - SocketSendString(sCmd, "503 Already logged in. Use REIN to change users.\r\n"); - } else { - if (pUsers->CheckPassword(strUser.c_str(), pszParam)) { - if (CanUserLogin(strUser.c_str(), saiCmdPeer.sin_addr)) { - isLoggedIn = true; - dwActiveConnections++; - strCurrentVirtual = "/"; - sprintf_s(szOutput, "230 User \"%s\" logged in.\r\n", strUser.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" logged in.", sCmd, strUser.c_str()); - pLog->Log(szOutput); - pVFS = pUsers->GetVFS(strUser.c_str()); - pPerms = pUsers->GetPermDB(strUser.c_str()); - } else { - SocketSendString(sCmd, "421 Your login was refused due to a server connection limit.\r\n"); - sprintf_s(szOutput, "[%u] Login for user \"%s\" refused due to connection limit.", sCmd, strUser.c_str()); - pLog->Log(szOutput); - break; - } - } else { - SocketSendString(sCmd,"530 Incorrect password.\r\n"); - } - } - } - - else if (!_stricmp(szCmd, "REIN")) { - if (isLoggedIn) { - isLoggedIn = false; - dwActiveConnections--; - sprintf_s(szOutput, "220-User \"%s\" logged out.\r\n", strUser.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" logged out.", sCmd, strUser.c_str()); - pLog->Log(szOutput); - strUser.clear(); - } - SocketSendString(sCmd, "220 REIN command successful.\r\n"); - } - - else if (!_stricmp(szCmd, "HELP")) { - SocketSendString(sCmd, "214 For help, please visit www.whitsoftdev.com.\r\n"); - } - - else if (!_stricmp(szCmd, "FEAT")) { - SocketSendString(sCmd, "211-Extensions supported:\r\n SIZE\r\n REST STREAM\r\n MDTM\r\n TVFS\r\n211 END\r\n"); - } - - else if (!_stricmp(szCmd, "SYST")) { - sprintf_s(szOutput, "215 WIN32 Type: L8 Version: %s\r\n", SERVERID); - SocketSendString(sCmd, szOutput); - } - - else if (!_stricmp(szCmd, "QUIT")) { - if (isLoggedIn) { - isLoggedIn = false; - dwActiveConnections--; - sprintf_s(szOutput, "221-User \"%s\" logged out.\r\n", strUser.c_str()); - 
SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" logged out.", sCmd, strUser.c_str()); - pLog->Log(szOutput); - } - SocketSendString(sCmd, "221 Goodbye!\r\n"); - break; - } - - else if (!_stricmp(szCmd, "NOOP")) { - SocketSendString(sCmd, "200 NOOP command successful.\r\n"); - } - - else if (!_stricmp(szCmd, "PWD") || !_stricmp(szCmd, "XPWD")) { - if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - sprintf_s(szOutput, "257 \"%s\" is current directory.\r\n", strCurrentVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - - else if (!_stricmp(szCmd, "CWD") || !_stricmp(szCmd, "XCWD")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pVFS->IsFolder(strNewVirtual.c_str())) { - strCurrentVirtual = strNewVirtual; - sprintf_s(szOutput, "250 \"%s\" is now current directory.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - sprintf_s(szOutput, "550 \"%s\": Path not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "CDUP") || !_stricmp(szCmd, "XCUP")) { - if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), "..", strNewVirtual); - strCurrentVirtual = strNewVirtual; - sprintf_s(szOutput,"250 \"%s\" is now current directory.\r\n", strCurrentVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - - else if (!_stricmp(szCmd,"TYPE")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - SocketSendString(sCmd, "200 TYPE command successful.\r\n"); - } - } - - else if 
(!_stricmp(szCmd, "REST")) { - if (!*pszParam || (!(dw = StrToInt(pszParam)) && (*pszParam!='0'))) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - dwRestOffset = dw; - sprintf_s(szOutput, "350 Ready to resume transfer at %u bytes.\r\n", dwRestOffset); - SocketSendString(sCmd, szOutput); - } - } - - else if (!_stricmp(szCmd, "PORT")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - ZeroMemory(&saiData, sizeof(SOCKADDR_IN)); - saiData.sin_family = AF_INET; - for (dw = 0; dw < 6; dw++) { - if (dw < 4) ((unsigned char *)&saiData.sin_addr)[dw] = (unsigned char)StrToInt(pszParam); - else ((unsigned char *)&saiData.sin_port)[dw-4] = (unsigned char)StrToInt(pszParam); - if (!(pszParam = strchr(pszParam, ','))) break; - pszParam++; - } - if (dw == 5) { - if (sPasv) { - closesocket(sPasv); - sPasv = 0; - } - SocketSendString(sCmd, "200 PORT command successful.\r\n"); - } else { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - ZeroMemory(&saiData, sizeof(SOCKADDR_IN)); - } - } - } - - else if (!_stricmp(szCmd, "PASV")) { - if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - if (sPasv) closesocket(sPasv); - ZeroMemory(&saiPasv, sizeof(SOCKADDR_IN)); - saiPasv.sin_family = AF_INET; - saiPasv.sin_addr.S_un.S_addr = INADDR_ANY; - saiPasv.sin_port = 0; - sPasv = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); - bind(sPasv, (SOCKADDR *)&saiPasv, sizeof(SOCKADDR_IN)); - listen(sPasv, 1); - dw = sizeof(SOCKADDR_IN); - getsockname(sPasv, (SOCKADDR *)&saiPasv, (int *)&dw); - sprintf_s(szOutput, "227 Entering Passive Mode (%u,%u,%u,%u,%u,%u)\r\n", saiCmd.sin_addr.S_un.S_un_b.s_b1, saiCmd.sin_addr.S_un.S_un_b.s_b2, saiCmd.sin_addr.S_un.S_un_b.s_b3, 
saiCmd.sin_addr.S_un.S_un_b.s_b4, ((unsigned char *)&saiPasv.sin_port)[0], ((unsigned char *)&saiPasv.sin_port)[1]); - SocketSendString(sCmd, szOutput); - } - } - - else if (!_stricmp(szCmd, "LIST") || !_stricmp(szCmd, "NLST")) { - if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - if (*pszParam == '-') if (pszParam = strchr(pszParam, ' ')) pszParam++; - if (pszParam && *pszParam) { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - } - else { - strNewVirtual = strCurrentVirtual; - } - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_LIST) == 1) { - if (pVFS->GetDirectoryListing(strNewVirtual.c_str(), strcmp(szCmd, "LIST"), listing)) { - sprintf_s(szOutput, "150 Opening %s mode data connection for listing of \"%s\".\r\n", sPasv ? "passive" : "active", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sData = EstablishDataConnection(&saiData, &sPasv); - if (sData) { - for (VFS::listing_type::const_iterator it = listing.begin(); it != listing.end(); ++it) { - SocketSendString(sData, it->second.c_str()); - } - listing.clear(); - closesocket(sData); - sprintf_s(szOutput, "226 %s command successful.\r\n", _stricmp(szCmd, "NLST") ? 
"LIST" : "NLST"); - SocketSendString(sCmd, szOutput); - } else { - listing.clear(); - SocketSendString(sCmd, "425 Can't open data connection.\r\n"); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Path not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": List permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "STAT")) { - if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - if (*pszParam == '-') if (pszParam = strchr(pszParam, ' ')) pszParam++; - if (pszParam && *pszParam) { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - } - else { - strNewVirtual = strCurrentVirtual; - } - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_LIST) == 1) { - if (pVFS->GetDirectoryListing(strNewVirtual.c_str(), 1, listing)) { - sprintf_s(szOutput, "212-Sending directory listing of \"%s\".\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd,szOutput); - for (VFS::listing_type::const_iterator it = listing.begin(); it != listing.end(); ++it) { - SocketSendString(sCmd, it->second.c_str()); - } - listing.clear(); - SocketSendString(sCmd, "212 STAT command successful.\r\n"); - } else { - sprintf_s(szOutput, "550 \"%s\": Path not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput ,"550 \"%s\": List permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "RETR")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_READ) == 1) { - hFile = pVFS->CreateFile(strNewVirtual.c_str(), GENERIC_READ, 
FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING); - if (hFile == INVALID_HANDLE_VALUE) { - sprintf_s(szOutput, "550 \"%s\": Unable to open file.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - if (dwRestOffset) { - SetFilePointer(hFile, dwRestOffset, 0, FILE_BEGIN); - dwRestOffset = 0; - } - sprintf_s(szOutput, "150 Opening %s mode data connection for \"%s\".\r\n", sPasv ? "passive" : "active", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sData = EstablishDataConnection(&saiData, &sPasv); - if (sData) { - sprintf_s(szOutput, "[%u] User \"%s\" began downloading \"%s\".", sCmd, strUser.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - if (DoSocketFileIO(sCmd, sData, hFile, SOCKET_FILE_IO_DIRECTION_SEND, &dw)) { - sprintf_s(szOutput, "226 \"%s\" transferred successfully.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] Download completed.", sCmd); - pLog->Log(szOutput); - } else { - SocketSendString(sCmd, "426 Connection closed; transfer aborted.\r\n"); - if (dw) SocketSendString(sCmd, "226 ABOR command successful.\r\n"); - sprintf_s(szOutput, "[%u] Download aborted.", sCmd); - pLog->Log(szOutput); - } - closesocket(sData); - } else { - SocketSendString(sCmd,"425 Can't open data connection.\r\n"); - } - CloseHandle(hFile); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Read permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "STOR") || !_stricmp(szCmd, "APPE")) { - if (!*pszParam) { - SocketSendString(sCmd,"501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd,"530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_WRITE) == 1) { - hFile = pVFS->CreateFile(strNewVirtual.c_str(), GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, 
OPEN_ALWAYS); - if (hFile == INVALID_HANDLE_VALUE) { - sprintf_s(szOutput, "550 \"%s\": Unable to open file.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - if (_stricmp(szCmd, "APPE") == 0) { - SetFilePointer(hFile, 0, 0, FILE_END); - } - else { - SetFilePointer(hFile, dwRestOffset, 0, FILE_BEGIN); - SetEndOfFile(hFile); - } - dwRestOffset = 0; - sprintf_s(szOutput, "150 Opening %s mode data connection for \"%s\".\r\n", sPasv ? "passive" : "active", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sData = EstablishDataConnection(&saiData, &sPasv); - if (sData) { - sprintf_s(szOutput, "[%u] User \"%s\" began uploading \"%s\".", sCmd, strUser.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - if (DoSocketFileIO(sCmd, sData, hFile, SOCKET_FILE_IO_DIRECTION_RECEIVE, 0)) { - sprintf_s(szOutput, "226 \"%s\" transferred successfully.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] Upload completed.", sCmd); - pLog->Log(szOutput); - } else { - SocketSendString(sCmd, "426 Connection closed; transfer aborted.\r\n"); - sprintf_s(szOutput, "[%u] Upload aborted.", sCmd); - pLog->Log(szOutput); - } - closesocket(sData); - } else { - SocketSendString(sCmd,"425 Can't open data connection.\r\n"); - } - CloseHandle(hFile); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Write permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "ABOR")) { - if (sPasv) { - closesocket(sPasv); - sPasv = 0; - } - dwRestOffset = 0; - SocketSendString(sCmd,"200 ABOR command successful.\r\n"); - } - - else if (!_stricmp(szCmd, "SIZE")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if 
(pPerms->GetPerm(strNewVirtual.c_str(), PERM_READ) == 1) { - hFile = pVFS->CreateFile(strNewVirtual.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING); - if (hFile == INVALID_HANDLE_VALUE) { - sprintf_s(szOutput, "550 \"%s\": File not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - sprintf_s(szOutput, "213 %u\r\n", GetFileSize(hFile, 0)); - SocketSendString(sCmd, szOutput); - CloseHandle(hFile); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Read permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "MDTM")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - for (i = 0; i < 14; i++) { - if ((pszParam[i] < '0') || (pszParam[i] > '9')) { - break; - } - } - //moving time into output buffer - if ((i == 14) && (pszParam[14] == ' ')) { - strncpy_s(szOutput, pszParam, 4); - szOutput[4] = 0; - st.wYear = StrToInt(szOutput); - strncpy_s(szOutput, pszParam + 4, 2); - szOutput[2] = 0; - st.wMonth = StrToInt(szOutput); - strncpy_s(szOutput, pszParam + 6, 2); - st.wDay = StrToInt(szOutput); - strncpy_s(szOutput, pszParam + 8, 2); - st.wHour = StrToInt(szOutput); - strncpy_s(szOutput, pszParam + 10, 2); - st.wMinute = StrToInt(szOutput); - strncpy_s(szOutput, pszParam + 12, 2); - st.wSecond = StrToInt(szOutput); - pszParam += 15; - dw = 1; - } else { - dw = 0; - } - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (dw) { - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_WRITE) == 1) { - hFile = pVFS->CreateFile(strNewVirtual.c_str(), GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING); - if (hFile == INVALID_HANDLE_VALUE) { - sprintf_s(szOutput, "550 \"%s\": File not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - 
SystemTimeToFileTime(&st, &ft); - SetFileTime(hFile, 0, 0, &ft); - CloseHandle(hFile); - SocketSendString(sCmd, "250 MDTM command successful.\r\n"); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Write permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_READ) == 1) { - hFile = pVFS->CreateFile(strNewVirtual.c_str(), GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, OPEN_EXISTING); - if (hFile == INVALID_HANDLE_VALUE) { - sprintf_s(szOutput, "550 \"%s\": File not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - GetFileTime(hFile, 0, 0, &ft); - CloseHandle(hFile); - FileTimeToSystemTime(&ft, &st); - sprintf_s(szOutput, "213 %04u%02u%02u%02u%02u%02u\r\n", st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Read permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - } - - else if (!_stricmp(szCmd, "DELE")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_ADMIN) == 1) { - if (pVFS->FileExists(strNewVirtual.c_str())) { - if (pVFS->DeleteFile(strNewVirtual.c_str())) { - sprintf_s(szOutput, "250 \"%s\" deleted successfully.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" deleted \"%s\".", sCmd, strUser.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - } else { - sprintf_s(szOutput, "550 \"%s\": Unable to delete file.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": File not found.\r\n", 
strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Admin permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd,szOutput); - } - } - } - - else if (!_stricmp(szCmd, "RNFR")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_ADMIN) == 1) { - if (pVFS->FileExists(strNewVirtual.c_str())) { - strRnFr = strNewVirtual; - sprintf_s(szOutput, "350 \"%s\": File exists; proceed with RNTO.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } else { - sprintf_s(szOutput, "550 \"%s\": File not found.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Admin permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "RNTO")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else if (strRnFr.length() == 0) { - SocketSendString(sCmd, "503 Bad sequence of commands. 
Send RNFR first.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_ADMIN) == 1) { - if (pVFS->MoveFile(strRnFr.c_str(), strNewVirtual.c_str())) { - SocketSendString(sCmd, "250 RNTO command successful.\r\n"); - sprintf_s(szOutput, "[%u] User \"%s\" renamed \"%s\" to \"%s\".", sCmd, strUser.c_str(), strRnFr.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - strRnFr.clear(); - } else { - sprintf_s(szOutput, "553 \"%s\": Unable to rename file.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - SocketSendString(sCmd, "550 Admin permission denied.\r\n"); - } - } - } - - else if (!_stricmp(szCmd, "MKD") || !_stricmp(szCmd, "XMKD")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_WRITE) == 1) { - if (pVFS->CreateDirectory(strNewVirtual.c_str())) { - sprintf_s(szOutput, "250 \"%s\" created successfully.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" created directory \"%s\".", sCmd, strUser.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - } else { - sprintf_s(szOutput, "550 \"%s\": Unable to create directory.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Write permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else if (!_stricmp(szCmd, "RMD") || !_stricmp(szCmd, "XRMD")) { - if (!*pszParam) { - SocketSendString(sCmd, "501 Syntax error in parameters or arguments.\r\n"); - } else if (!isLoggedIn) { - SocketSendString(sCmd, "530 Not logged in.\r\n"); - } else { - 
pVFS->ResolveRelative(strCurrentVirtual.c_str(), pszParam, strNewVirtual); - if (pPerms->GetPerm(strNewVirtual.c_str(), PERM_ADMIN) == 1) { - if (pVFS->RemoveDirectory(strNewVirtual.c_str())) { - sprintf_s(szOutput, "250 \"%s\" removed successfully.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - sprintf_s(szOutput, "[%u] User \"%s\" removed directory \"%s\".", sCmd, strUser.c_str(), strNewVirtual.c_str()); - pLog->Log(szOutput); - } else { - sprintf_s(szOutput, "550 \"%s\": Unable to remove directory.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } else { - sprintf_s(szOutput, "550 \"%s\": Admin permission denied.\r\n", strNewVirtual.c_str()); - SocketSendString(sCmd, szOutput); - } - } - } - - else { - sprintf_s(szOutput,"500 Syntax error, command \"%s\" unrecognized.\r\n",szCmd); - SocketSendString(sCmd,szOutput); - } - - } - - if (sPasv) closesocket(sPasv); - closesocket(sCmd); - - if (isLoggedIn) { - dwActiveConnections--; - } - - sprintf_s(szOutput,"[%u] Connection closed.",sCmd); - pLog->Log(szOutput); - - return false; -} - -bool SocketSendString(SOCKET s, const char *psz) -{ - if (send(s,psz,(INT)strlen(psz),0)==SOCKET_ERROR) return false; - else return true; -} - -DWORD SocketReceiveString(SOCKET s, char *psz, DWORD dwMaxChars) -{ - DWORD dw, dwBytes; - TIMEVAL tv; - fd_set fds; - - tv.tv_sec=dwCommandTimeout; - tv.tv_usec=0; - for (dwBytes=0;;dwBytes++) { - FD_ZERO(&fds); - FD_SET(s,&fds); - dw=select(0,&fds,0,0,&tv); - if (dw==SOCKET_ERROR || dw==0) return -1; // Timeout - dw=recv(s,psz,1,0); - if (dw==SOCKET_ERROR || dw==0) return -1; // Network error - if (*psz=='\r') *psz=0; - else if (*psz=='\n') { - *psz=0; - return dwBytes; - } - if (dwBytesh_name); - } - if (!bLookupHosts || !phe) { - strcpy_s(pszHostName, stHostName, inet_ntoa(ia)); - } -} - -bool DoSocketFileIO(SOCKET sCmd, SOCKET sData, HANDLE hFile, DWORD dwDirection, DWORD *pdwAbortFlag) -{ - char szBuffer[PACKET_SIZE]; - DWORD dw; - - if 
(pdwAbortFlag) *pdwAbortFlag = 0; - switch (dwDirection) { - case SOCKET_FILE_IO_DIRECTION_SEND: - for (;;) { - if (!ReadFile(hFile, szBuffer, PACKET_SIZE, &dw, 0)) return false; - if (!dw) return true; - if (send(sData, szBuffer, dw, 0) == SOCKET_ERROR) return false; - ioctlsocket(sCmd, FIONREAD, &dw); - if (dw) { - SocketReceiveString(sCmd, szBuffer, 511); - if (!_stricmp(szBuffer, "ABOR")) { - *pdwAbortFlag = 1; - return false; - } else { - SocketSendString(sCmd, "500 Only command allowed at this time is ABOR.\r\n"); - } - } - } - break; - case SOCKET_FILE_IO_DIRECTION_RECEIVE: - for (;;) { - dw = SocketReceiveData(sData, szBuffer, PACKET_SIZE); - if (dw == -1) return false; - if (dw == 0) return true; - if (!WriteFile(hFile, szBuffer, dw, &dw, 0)) return false; - } - break; - default: - return false; - } -} - -DWORD FileReadLine(HANDLE hFile, char *pszBuf, DWORD dwBufLen) -{ -// Reads a line from an open text file into a character buffer, discarding the -// trailing CR/LF, up to dwBufLen bytes. Any additional bytes are discarded. -// Returns the number of characters in the line, excluding the CR/LF, or -1 if -// the end of the file was reached. May be greater than dwBufLen to indicate -// that bytes were discarded. Note that a return value of 0 does not -// necessarily indicate an error; it could mean a blank line was read. - - DWORD dw, dwBytesRead, dwCount; - - for (dwCount=0;;) { - dw=ReadFile(hFile,pszBuf,1,&dwBytesRead,0); - if (!dw || (dw && !dwBytesRead && !dwCount)) return -1; - if (!dwBytesRead || *pszBuf=='\n') break; - if (*pszBuf!='\r') { - dwCount++; - if (dwCount - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - diff --git a/2015-Spring/workshops/week3/server/permdb.cpp b/2015-Spring/workshops/week3/server/permdb.cpp deleted file mode 100755 index 559db3f..0000000 --- a/2015-Spring/workshops/week3/server/permdb.cpp +++ /dev/null 
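Review bot: in DoSocketFileIO the SEND loop writes `*pdwAbortFlag = 1;` without the null test that the function's first statement applies (`if (pdwAbortFlag) *pdwAbortFlag = 0;`), so a caller that passes NULL and then receives ABOR dereferences a null pointer; either document the flag as required or guard both writes the same way. In the same loop the return value of `ioctlsocket(sCmd, FIONREAD, &dw);` is ignored while `dw` still holds the byte count from ReadFile, so if the ioctl fails the `if (dw)` branch is taken with nothing pending, SocketReceiveString blocks for up to dwCommandTimeout, and the stale szBuffer contents are compared against "ABOR" and answered with a spurious 500; zero `dw` before the call or check the ioctl result. Also worth confirming, since the RNTO branch checks PERM_ADMIN only on strNewVirtual before `pVFS->MoveFile(strRnFr.c_str(), strNewVirtual.c_str())`, that the RNFR handler outside this hunk applies the same check to strRnFr; otherwise admin permission on the destination directory is enough to move a file out of a directory where the user has none.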
@@ -1,98 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "permdb.h" -#include "tree.h" -#include "tree.cpp" - -PermDB::PermDB() -{ - _root._data.dwPerms[PERM_READ] = 0; - _root._data.dwPerms[PERM_WRITE] = 0; - _root._data.dwPerms[PERM_LIST] = 0; - _root._data.dwPerms[PERM_ADMIN] = 0; -} - -void PermDB::SetPerm(const char *pszVirtual, DWORD dwPermId, DWORD dwStatus) -{ - tree *ptree, *pparent; - char sz[512], *psz, *pszCut; - - ptree = &_root; - strcpy_s(sz, pszVirtual + 1); - psz = sz; - while (*psz) { - if (pszCut = strchr(psz, '/')) *pszCut = 0; - pparent = ptree; - ptree = ptree->_pdown; - while (ptree && _stricmp(ptree->_data.strVirtual.c_str(), psz)) ptree = ptree->_pright; - if (!ptree) { - ptree=new tree(pparent); - ptree->_data.strVirtual = psz; - ptree->_data.dwPerms[PERM_READ] = -1; - ptree->_data.dwPerms[PERM_WRITE] = -1; - ptree->_data.dwPerms[PERM_LIST] = -1; - ptree->_data.dwPerms[PERM_ADMIN] = -1; - } - if (!pszCut) break; - psz = pszCut + 1; - } - ptree->_data.strVirtual = psz; - ptree->_data.dwPerms[dwPermId] = dwStatus; -} - -DWORD PermDB::GetPerm(const char *pszVirtual, DWORD dwPermId) -{ - return GetPermFunc(pszVirtual, dwPermId, &_root); -} - -DWORD PermDB::GetPermFunc(const char *pszVirtual, DWORD dwPermId, tree *ptree) -{ - const char *psz; - DWORD dw; - UINT_PTR dwLen; - - psz = strchr(pszVirtual, '/'); - if (psz) dwLen = psz - pszVirtual; - else dwLen = strlen(pszVirtual); - while (ptree) { - if ((ptree->_data.strVirtual.length() == dwLen) && (!dwLen || !_strnicmp(pszVirtual, ptree->_data.strVirtual.c_str(), dwLen))) { - if (psz) { - dw = GetPermFunc(psz + 1, dwPermId, ptree->_pdown); - if (dw != -1) return dw; - else return ptree->_data.dwPerms[dwPermId]; - } else { - return ptree->_data.dwPerms[dwPermId]; - } - } else { - ptree = ptree->_pright; - } - } - return -1; -} diff --git a/2015-Spring/workshops/week3/server/permdb.h b/2015-Spring/workshops/week3/server/permdb.h deleted file mode 100755 index f303bb1..0000000 
--- a/2015-Spring/workshops/week3/server/permdb.h +++ /dev/null 
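Review bot: in permdb.cpp, PermDB::SetPerm copies the path into a fixed `char sz[512]` with `strcpy_s(sz, pszVirtual + 1);`, so a virtual path of 512 bytes or more does not overflow but does trip the CRT invalid-parameter handler, which by default terminates the process; VFS::Mount walks the same kind of path with a std::string and strcspn, and the same approach here removes the limit. The `pszVirtual + 1` also assumes a leading '/' and reads past the terminator when given an empty string, so test for the slash before skipping it. A smaller point: GetPermFunc uses -1 as the "inherit from parent" sentinel (`if (dw != -1) return dw;`) although the return type and dwPerms are DWORD, so the comparison only works through implicit conversion; a named constant such as PERM_INHERIT would make the inheritance rule explicit and type-safe.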
@@ -1,62 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef _INCL_PERMDB_H -#define _INCL_PERMDB_H - -#include -#include -#include "tree.h" - -using namespace std; - -#define PERM_READ 0 -#define PERM_WRITE 1 -#define PERM_LIST 2 -#define PERM_ADMIN 3 - -class PermDB -{ -private: - struct FTPPERM { - string strVirtual; - DWORD dwPerms[4]; - }; - - tree _root; - - static DWORD GetPermFunc(const char *pszVirtual, DWORD dwPermId, tree *ptree); - -public: - PermDB(); - void SetPerm(const char *pszVirtual, DWORD dwPermId, DWORD dwStatus); - DWORD GetPerm(const char *pszVirtual, DWORD dwPermId); -}; - -#endif \ No newline at end of file diff --git a/2015-Spring/workshops/week3/server/resource.h b/2015-Spring/workshops/week3/server/resource.h deleted file mode 100755 index 63cc7d8..0000000 --- a/2015-Spring/workshops/week3/server/resource.h +++ /dev/null @@ -1,14 +0,0 @@ -//{{NO_DEPENDENCIES}} -// Microsoft Visual C++ generated include file. -// Used by SlimFTPd.rc - -// Next default values for new objects -// -#ifdef APSTUDIO_INVOKED -#ifndef APSTUDIO_READONLY_SYMBOLS -#define _APS_NEXT_RESOURCE_VALUE 101 -#define _APS_NEXT_COMMAND_VALUE 40001 -#define _APS_NEXT_CONTROL_VALUE 1001 -#define _APS_NEXT_SYMED_VALUE 101 -#endif -#endif diff --git a/2015-Spring/workshops/week3/server/synclogger.cpp b/2015-Spring/workshops/week3/server/synclogger.cpp deleted file mode 100755 index 98b0f24..0000000 --- a/2015-Spring/workshops/week3/server/synclogger.cpp +++ /dev/null 
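Review bot: permdb.h places `using namespace std;` at file scope in a header, and userdb.h then depends on it for the unqualified `string strPassword;`, so every translation unit that includes either header has its global namespace polluted; write `std::string` in both headers and drop the directive. While here, document the contract of `DWORD dwPerms[4];`, namely that each PERM_* slot holds 0 (deny), 1 (allow) or -1 (unset, inherit from the parent node), since that rule is currently visible only by reading PermDB::PermDB and SetPerm in permdb.cpp.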
@@ -1,87 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "synclogger.h" - -SyncLogger::SyncLogger(const char *pszFilename) -{ - _hLogFile=CreateFile(pszFilename,GENERIC_WRITE,FILE_SHARE_READ,0,OPEN_ALWAYS,0,0); - if (_hLogFile) { - SetFilePointer(_hLogFile,0,0,FILE_END); - _hLoggerThread=CreateThread(0,0,(LPTHREAD_START_ROUTINE)SyncLoggerThread,this,0,&_dwLoggerThreadId); - } -} - -SyncLogger::~SyncLogger() -{ - if (_hLoggerThread) { - PostThreadMessage(_dwLoggerThreadId,WM_QUIT,0,0); - WaitForSingleObject(_hLoggerThread,INFINITE); - CloseHandle(_hLoggerThread); - } - if (_hLogFile) CloseHandle(_hLogFile); -} - -void SyncLogger::Log(const char *pszText) -{ - char *psz; - DWORD dwDateLen, dwTimeLen; - - if (_hLogFile && _dwLoggerThreadId && pszText) { - dwDateLen=GetDateFormat(LOCALE_SYSTEM_DEFAULT,DATE_SHORTDATE,0,0,0,0); - dwTimeLen=GetTimeFormat(LOCALE_SYSTEM_DEFAULT,0,0,0,0,0); - size_t buflen = dwDateLen+dwTimeLen+strlen(pszText)+5; - psz=new char[buflen]; - psz[0]='['; - GetDateFormat(LOCALE_SYSTEM_DEFAULT,DATE_SHORTDATE,0,0,psz+1,dwDateLen); - psz[dwDateLen]=' ';//1 - GetTimeFormat(LOCALE_SYSTEM_DEFAULT,0,0,0,psz+dwDateLen+1,dwTimeLen); - strcat_s(psz, buflen, "] ");//2 - strcat_s(psz, buflen, pszText); - strcat_s(psz, buflen, "\r\n");//4 - while (!PostThreadMessage(_dwLoggerThreadId,WM_USER,0,(LPARAM)psz)) Sleep(0); - } -} - -DWORD WINAPI SyncLogger::SyncLoggerThread(SyncLogger *pthis) -{ - MSG msg; - DWORD dw; - - PeekMessage(&msg,0,0,0,PM_NOREMOVE); - while (GetMessage(&msg,0,0,0)) { - switch (msg.message) { - case WM_USER: - WriteFile(pthis->_hLogFile, (char *)msg.lParam, (DWORD)strlen((char *)msg.lParam), &dw, 0); - delete (char *)msg.lParam; - } - } - - return 0; -} diff --git a/2015-Spring/workshops/week3/server/synclogger.h b/2015-Spring/workshops/week3/server/synclogger.h deleted file mode 100755 index 4be293a..0000000 --- a/2015-Spring/workshops/week3/server/synclogger.h +++ /dev/null 
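Review bot: the SyncLogger constructor tests the CreateFile result with `if (_hLogFile) {`, but CreateFile reports failure with INVALID_HANDLE_VALUE, which is non-zero, so on failure the code still calls SetFilePointer and starts the logger thread against a bad handle; compare against INVALID_HANDLE_VALUE and store 0 in _hLogFile on failure so the `if (_hLogFile)` tests in Log and the destructor keep working. When that branch is skipped, _hLoggerThread and _dwLoggerThreadId are never initialised and the destructor reads them, so initialise both to 0 before the CreateFile call. In SyncLoggerThread the buffer allocated in Log with `new char[buflen]` is released with `delete (char *)msg.lParam;` rather than `delete[]`, which is undefined behaviour; use `delete[]`.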
@@ -1,50 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef _INCL_SYNCLOGGER_H -#define _INCL_SYNCLOGGER_H - -#include - -class SyncLogger -{ -private: - HANDLE _hLogFile; - HANDLE _hLoggerThread; - DWORD _dwLoggerThreadId; - - static DWORD WINAPI SyncLoggerThread(SyncLogger *pthis); - -public: - SyncLogger(const char *pszFilename); - ~SyncLogger(); - void Log(const char *pszText); -}; - -#endif \ No newline at end of file diff --git a/2015-Spring/workshops/week3/server/tree.cpp b/2015-Spring/workshops/week3/server/tree.cpp deleted file mode 100755 index 6fe391f..0000000 --- a/2015-Spring/workshops/week3/server/tree.cpp +++ /dev/null 
@@ -1,62 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -template -tree::tree() -{ - _pup=0; - _pleft=0; - _pright=0; - _pdown=0; -} - -template -tree::tree(tree *pparent) -{ - if (pparent->_pdown) { - _pleft=pparent->_pdown; - while (_pleft->_pright) _pleft=_pleft->_pright; - _pleft->_pright=this; - } else { - pparent->_pdown=this; - _pleft=0; - } - _pup=pparent; - _pright=0; - _pdown=0; -} - -template -tree::~tree() -{ - while (_pdown) delete _pdown; - if (_pleft) _pleft->_pright=_pright; - if (_pright) _pright->_pleft=_pleft; - if (_pup && _pup->_pdown==this) _pup->_pdown=_pright; -} diff --git a/2015-Spring/workshops/week3/server/tree.h b/2015-Spring/workshops/week3/server/tree.h deleted file mode 100755 index a78f72c..0000000 --- a/2015-Spring/workshops/week3/server/tree.h +++ /dev/null 
@@ -1,50 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#ifndef _INCL_TREE_H -#define _INCL_TREE_H - -#include - -template -class tree -{ -public: - tree *_pup; - tree *_pleft; - tree *_pright; - tree *_pdown; - T _data; - - tree(); - tree(tree *pparent); - ~tree(); -}; - -#endif \ No newline at end of file 
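Review bot: tree owns raw _pup/_pleft/_pright/_pdown links and declares a destructor but no copy constructor or assignment operator, so the compiler-generated shallow copy leaves two nodes pointing at the same children and the second destructor frees them again. This matters because PermDB embeds `tree _root;` by value (and vfs.cpp walks its own `&_root` the same way), and userdb.cpp copies a whole record into the map with `_users.insert(std::make_pair(pszUsername, USERDBRECORD()));`; that copy is safe only because the record is still empty at that moment. Declare the copy constructor and operator= private (or delete them) so any later copy of a populated tree fails at compile time rather than as a double free at runtime.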
diff --git a/2015-Spring/workshops/week3/server/userdb.cpp b/2015-Spring/workshops/week3/server/userdb.cpp deleted file mode 100755 index 643197e..0000000 --- a/2015-Spring/workshops/week3/server/userdb.cpp +++ /dev/null 
@@ -1,77 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#include "userdb.h" - -#include "tree.cpp" - -bool UserDB::Add(const char *pszUsername) -{ - if (_users.find(pszUsername) == _users.end()) { - _users.insert(std::make_pair(pszUsername, USERDBRECORD())); - return true; - } else { - return false; - } -} - -bool UserDB::SetPassword(const char *pszUsername, const char *pszPassword) -{ - map_type::iterator it = _users.find(pszUsername); - if (it != _users.end()) { - it->second.strPassword = pszPassword; - return true; - } - return false; -} - -VFS * UserDB::GetVFS(const char *pszUsername) -{ - map_type::iterator it = _users.find(pszUsername); - if (it != _users.end()) { - return &it->second.vfs; - } - return NULL; -} - -PermDB * UserDB::GetPermDB(const char *pszUsername) -{ - map_type::iterator it = _users.find(pszUsername); - if (it != _users.end()) { - return &it->second.perms; - } - return NULL; -} - -bool UserDB::CheckPassword(const char *pszUsername, const char *pszPassword) -{ - map_type::iterator it = _users.find(pszUsername); - //ensure user exists and compare his password to the provided one - return (it != _users.end()) && (it->second.strPassword == pszPassword); -} diff --git a/2015-Spring/workshops/week3/server/userdb.h b/2015-Spring/workshops/week3/server/userdb.h deleted file mode 100755 index 8e004e2..0000000 --- a/2015-Spring/workshops/week3/server/userdb.h +++ /dev/null 
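Review bot: UserDB::SetPassword stores the password in clear text (`it->second.strPassword = pszPassword;`) and CheckPassword compares it with `it->second.strPassword == pszPassword`, so the user map holds every credential in recoverable form for the lifetime of the process and the comparison returns as soon as the lengths or the first differing byte disagree. Hash the password with a salt at SetPassword time (CryptoAPI's CryptHashData is available on the platform this code targets, or a purpose-built password hash) and compare fixed-length digests with a constant-time loop in CheckPassword. Also reject a NULL pszPassword up front: constructing the std::string used by the comparison from a null pointer is undefined behaviour.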
@@ -1,57 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef _INCL_USERDB_H -#define _INCL_USERDB_H - -#include -#include -#include "String.h" -#include "vfs.h" -#include "permdb.h" - -class UserDB { -private: - struct USERDBRECORD { - string strPassword; - VFS vfs; - PermDB perms; - }; - typedef std::map map_type; - map_type _users; - -public: - bool Add(const char *pszUsername); - bool SetPassword(const char *pszUsername, const char *pszPassword); - VFS *GetVFS(const char *pszUsername); - PermDB *GetPermDB(const char *pszUsername); - bool CheckPassword(const char *pszUsername, const char *pszPassword); -}; - -#endif diff --git a/2015-Spring/workshops/week3/server/vfs.cpp b/2015-Spring/workshops/week3/server/vfs.cpp deleted file mode 100755 index 4a86ded..0000000 --- a/2015-Spring/workshops/week3/server/vfs.cpp +++ /dev/null 
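Review bot: `#include "String.h"` in userdb.h resolves on a case-insensitive Windows filesystem to the C header string.h rather than the C++ `<string>` that `string strPassword;` needs (that type only compiles because permdb.h brings in `using namespace std;`), and on a case-sensitive filesystem the include fails outright; replace it with `#include <string>` and write `std::string`.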
@@ -1,398 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. - */ - -#include "vfs.h" -#include -#include "tree.cpp" -#define STRSAFE_NO_DEPRECATE -#include - -VFS::VFS() -{ -} - -void VFS::Mount(const char *pszVirtual, const char *pszLocal) -// Creates a new mount point in the virtual file system. 
-{ - tree *ptree, *pparent; - - ptree = &_root; - size_t i = 0; - string dir; - while (pszVirtual[i] != 0) { - ++i; - if (pszVirtual[i] == 0) break; - size_t j = strcspn(pszVirtual + i, "/"); - dir.assign(pszVirtual + i, j); - pparent = ptree; - ptree = ptree->_pdown; - while (ptree && _stricmp(ptree->_data.strVirtual.c_str(), dir.c_str())) ptree = ptree->_pright; - if (!ptree) { - ptree = new tree(pparent); - ptree->_data.strVirtual = dir; - } - i += j; - } - ptree->_data.strLocal = pszLocal; -} - -DWORD VFS::GetDirectoryListing(const char *pszVirtual, DWORD dwIsNLST, listing_type &listing) -// Fills a map class with lines comprising an FTP-style directory listing. -// If dwIsNLST is non-zero, will return filenames only. -{ - char szLine[512]; - const char *pszMonthAbbr[]={"Jan","Feb","Mar","Apr","May","Jun","Jul","Aug","Sep","Oct","Nov","Dec"}; - LPVOID hFind; - WIN32_FIND_DATA w32fd; - SYSTEMTIME stCutoff, stFile; - - if (IsFolder(pszVirtual)) { - string str; - ResolveRelative(pszVirtual, "*", str); - hFind = FindFirstFile(str.c_str(), &w32fd); - } - else { - hFind = FindFirstFile(pszVirtual, &w32fd); - } - if (hFind) { - GetSystemTime(&stCutoff); - stCutoff.wYear--; - do { - if (!strcmp(w32fd.cFileName, ".") || !strcmp(w32fd.cFileName, "..")) continue; - FileTimeToSystemTime(&w32fd.ftLastWriteTime, &stFile); - if (dwIsNLST) { - strcpy_s(szLine, w32fd.cFileName); - if (w32fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) { - strcat_s(szLine, "/"); - } - } else { - wsprintf(szLine, "%c--------- 1 ftp ftp %10u %s %2u ", (w32fd.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) ? 
'd' : '-', w32fd.nFileSizeLow, pszMonthAbbr[stFile.wMonth-1], stFile.wDay); - if ((stFile.wYear > stCutoff.wYear) || ((stFile.wYear == stCutoff.wYear) && ((stFile.wMonth > stCutoff.wMonth) || ((stFile.wMonth == stCutoff.wMonth) && (stFile.wDay > stCutoff.wDay))))) { - wsprintf(szLine + strlen(szLine), "%.2u:%.2u ", stFile.wHour, stFile.wMinute); - } else { - wsprintf(szLine + strlen(szLine), "%5u ", stFile.wYear); - } - strcat_s(szLine, w32fd.cFileName); - } - strcat_s(szLine,"\r\n"); - listing_type::iterator it = listing.find(w32fd.cFileName); - if (it != listing.end()) { - it->second = szLine; - } - else { - listing.insert(std::make_pair(w32fd.cFileName, szLine)); - } - } while (FindNextFile(hFind, &w32fd)); - FindClose(hFind); - return 1; - } else { - return 0; - } -} - -DWORD VFS::Map(const char *pszVirtual, string &strLocal, tree *ptree) -// Recursive function to map a virtual path to a local path. -{ - const char *psz; - UINT_PTR dwLen; - - psz = strchr(pszVirtual, '/'); - if (psz) dwLen = psz - pszVirtual; - else dwLen = strlen(pszVirtual); - while (ptree) { - if ((ptree->_data.strVirtual.length() == dwLen) && (!dwLen || !_strnicmp(pszVirtual, ptree->_data.strVirtual.c_str(), dwLen))) { - if (psz) { - if (Map(psz + 1, strLocal, ptree->_pdown)) return 1; - else { - if (ptree->_data.strLocal.length() != 0) { - strLocal = ptree->_data.strLocal; - strLocal += psz; - replace(strLocal.begin(), strLocal.end(), '/', '\\'); - return 1; - } else { - return 0; - } - } - } else { - strLocal = ptree->_data.strLocal; - return 1; - } - } else { - ptree = ptree->_pright; - } - } - strLocal.clear(); - return 0; -} - -tree * VFS::FindMountPoint(const char *pszVirtual, tree *ptree) -// Returns a pointer to the tree node described by pszVirtual, or 0. 
-{ - const char *psz; - UINT_PTR dwLen; - - if (!strcmp(pszVirtual, "/")) return ptree; - psz = strchr(pszVirtual, '/'); - if (psz) dwLen = psz - pszVirtual; - else dwLen = strlen(pszVirtual); - while (ptree) { - if ((ptree->_data.strVirtual.length() == dwLen) && (!dwLen || !_strnicmp(pszVirtual, ptree->_data.strVirtual.c_str(), dwLen))) { - if (psz) { - return FindMountPoint(psz + 1, ptree->_pdown); - } else { - return ptree; - } - } else { - ptree = ptree->_pright; - } - } - return 0; -} - -void VFS::CleanVirtualPath(const char *pszVirtual, string &strNewVirtual) -// Strips utter rubbish out of a virtual path. -// Ex: /home/./user//...\ftp/ => /home/ftp -{ - const char *in = pszVirtual; - char *buf = new char[strlen(pszVirtual) + 4]; - buf[0] = '\0'; buf[1] = '\0'; buf[2] = '\0'; - char *out = buf + 3; - do { - *out = *in; - if (*out == '\\') *out = '/'; // convert backslashes to forward slashes - if ((*out == '\0') || (*out == '/')) { - if (out[-1] == '.') { // output ends with "." - if (out[-2] == '\0') --out; // entire output is "." - else if (out[-2] == '/') { // output ends with "/." - if (out[-3] == '\0') --out; // entire output is "/." - else out -= 2; - } - else if (out[-2] == '.') { // output ends with ".." - if (out[-3] == '\0') out -= 2; // entire output is ".." - else if (out[-3] == '/') { // output ends with "/.." - if (out[-4] == '\0') out -= 2; // entire output is "/.." - else { - out -= 3; - while ((out[-1] != '\0') && (out[-1] != '/')) --out; - } - } - } - else ++in; - } - else { - ++in; - if (out[-1] != '/') ++out; - } - } - else ++in, ++out; - } while (in[-1] != '\0'); - strNewVirtual = buf + 3; - delete[] buf; -} - -void VFS::ResolveRelative(const char *pszCurrentVirtual, const char *pszRelativeVirtual, string &strNewVirtual) -// Concatenates pszRelativeVirtual to pszCurrentVirtual and resolves. 
-{ - if (*pszRelativeVirtual!='/') { - strNewVirtual = pszCurrentVirtual; - strNewVirtual += "/"; - strNewVirtual += pszRelativeVirtual; - CleanVirtualPath(strNewVirtual.c_str(), strNewVirtual); - } - else { - CleanVirtualPath(pszRelativeVirtual, strNewVirtual); - } -} - -bool VFS::WildcardMatch(const char *pszFilespec, const char *pszFilename) -// Returns true iff pszFilename matches wildcard pattern pszFilespec. -{ - if (*pszFilespec == 0) return true; - while (*pszFilespec) { - if (*pszFilespec == '*') { - pszFilespec++; - do { - if (WildcardMatch(pszFilespec, pszFilename)) return true; - } while (*pszFilename++); - return false; - } else if (((*pszFilespec | 0x20) != (*pszFilename | 0x20)) && (*pszFilespec != '?')) { - return false; - } - pszFilespec++; - pszFilename++; - } - if (!*pszFilespec && !*pszFilename) return true; - else return false; -} - -LPVOID VFS::FindFirstFile(const char *pszVirtual, WIN32_FIND_DATA *pw32fd) -// Returns a find handle if a match was found. Otherwise returns 0. -// Supports wildcards. 
-{ - FINDDATA *pfd; - const char *psz; - string str; - - psz = strrchr(pszVirtual, '/'); - if (psz == NULL) return NULL; - str.assign(pszVirtual, psz); - pfd = new FINDDATA; - pfd->hFind = 0; - pfd->strVirtual = pszVirtual; - pfd->strFilespec = psz + 1; - pfd->ptree = FindMountPoint(str.c_str(), &_root); - if (pfd->ptree) pfd->ptree = pfd->ptree->_pdown; - - if (FindNextFile(pfd, pw32fd)) return pfd; - else { - delete pfd; - return 0; - } -} - -bool VFS::FindNextFile(LPVOID lpFindHandle, WIN32_FIND_DATA *pw32fd) -{ - FINDDATA *pfd = (FINDDATA *)lpFindHandle; - string str; - - while (pfd->ptree) { - str = pfd->ptree->_data.strVirtual; - if (str.find_first_of('.') == string::npos) str.push_back('.'); - if (WildcardMatch(pfd->strFilespec.c_str(), str.c_str())) { - GetMountPointFindData(pfd->ptree, pw32fd); - pfd->ptree = pfd->ptree->_pright; - return true; - } - pfd->ptree = pfd->ptree->_pright; - } - - if (pfd->hFind) { - return ::FindNextFile(pfd->hFind, pw32fd) ? true : false; - } else { - if (!Map(pfd->strVirtual.c_str(), str, &_root)) return false; - if (str.length() != 0) { - pfd->hFind = ::FindFirstFile(str.c_str(), pw32fd); - return (pfd->hFind != INVALID_HANDLE_VALUE); - } else { - return false; - } - } -} - -void VFS::FindClose(LPVOID lpFindHandle) -{ - FINDDATA *pfd = (FINDDATA *)lpFindHandle; - - if (pfd->hFind) ::FindClose(pfd->hFind); - delete pfd; -} - -bool VFS::FileExists(const char *pszVirtual) -// Returns true iff pszVirtual denotes an existing file or folder. -// Supports wildcards. -{ - LPVOID hFind; - WIN32_FIND_DATA w32fd; - - hFind = FindFirstFile(pszVirtual, &w32fd); - if (hFind) { - FindClose(hFind); - return true; - } else { - return false; - } -} - -bool VFS::IsFolder(const char *pszVirtual) -// Returns true iff pszVirtual denotes an existing folder. -// Does NOT support wildcards. 
-{ - string strLocal; - DWORD dw; - - if (FindMountPoint(pszVirtual, &_root)) return true; - if (!Map(pszVirtual, strLocal, &_root)) return true; - dw = GetFileAttributes(strLocal.c_str()); - return ((dw != -1) && (dw & FILE_ATTRIBUTE_DIRECTORY)); -} - -void VFS::GetMountPointFindData(tree *ptree, WIN32_FIND_DATA *pw32fd) -// Fills in the WIN32_FIND_DATA structure with data about the mount point. -{ - HANDLE hFind; - SYSTEMTIME st = {1980, 1, 2, 1, 0, 0, 0, 0}; - - if ((ptree->_data.strLocal.length() != 0) && ((hFind = ::FindFirstFile(ptree->_data.strLocal.c_str(), pw32fd)) != INVALID_HANDLE_VALUE)) { - ::FindClose(hFind); - } else { - memset(pw32fd, 0, sizeof(WIN32_FIND_DATA)); - pw32fd->dwFileAttributes = FILE_ATTRIBUTE_DIRECTORY; - SystemTimeToFileTime(&st, &pw32fd->ftLastWriteTime); - } - strcpy_s(pw32fd->cFileName, sizeof(pw32fd->cFileName), ptree->_data.strVirtual.c_str()); -} - -HANDLE VFS::CreateFile(const char *pszVirtual, DWORD dwDesiredAccess, DWORD dwShareMode, DWORD dwCreationDisposition) -{ - string strLocal; - - if (Map(pszVirtual, strLocal, &_root)) { - return ::CreateFile(strLocal.c_str(), dwDesiredAccess, dwShareMode, 0, dwCreationDisposition, FILE_FLAG_SEQUENTIAL_SCAN, 0); - } else { - return INVALID_HANDLE_VALUE; - } -} - -BOOL VFS::DeleteFile(const char *pszVirtual) -{ - string strLocal; - - return (Map(pszVirtual, strLocal, &_root) && ::DeleteFile(strLocal.c_str())); -} - -BOOL VFS::MoveFile(const char *pszOldVirtual, const char *pszNewVirtual) -{ - string strOldLocal, strNewLocal; - - return (Map(pszOldVirtual, strOldLocal, &_root) && Map(pszNewVirtual, strNewLocal, &_root) && ::MoveFile(strOldLocal.c_str(), strNewLocal.c_str())); -} - -BOOL VFS::CreateDirectory(const char *pszVirtual) -{ - string strLocal; - - return (Map(pszVirtual, strLocal, &_root) && ::CreateDirectory(strLocal.c_str(), NULL)); -} - -BOOL VFS::RemoveDirectory(const char *pszVirtual) -{ - string strLocal; - - return (Map(pszVirtual, strLocal, &_root) && 
::RemoveDirectory(strLocal.c_str())); -} \ No newline at end of file diff --git a/2015-Spring/workshops/week3/server/vfs.h b/2015-Spring/workshops/week3/server/vfs.h deleted file mode 100755 index bba8819..0000000 --- a/2015-Spring/workshops/week3/server/vfs.h +++ /dev/null 
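Review bot: In VFS::CleanVirtualPath (vfs.cpp) a path component that ends in two dots preceded by anything other than '/' or the start of the buffer, e.g. `/x..` or `/a...`, advances neither `in` nor `out`: the `out[-2] == '.'` branch only acts when `out[-3]` is `'\0'` or `'/'`, the trailing `else ++in;` belongs to the outer chain, and the loop condition `while (in[-1] != '\0')` is still true, so `*out = *in` is re-executed on the same character forever and a client-supplied virtual path hangs the server. Add a fallback in that inner branch that advances `in` (leaving `out` in place) so such names are treated as ordinary components, which is also what the `Ex: /home/./user//...\ftp/ => /home/ftp` comment promises. Related quirk: a component with a single trailing dot takes `else ++in;` without moving `out`, so the pending '/' is overwritten and `/dir./sub` becomes `/dir.sub` rather than dropping the dot. Two smaller points in the same file: VFS::IsFolder returns `true` when `Map()` fails (`if (!Map(pszVirtual, strLocal, &_root)) return true;`), the opposite of what CreateFile/DeleteFile/MoveFile treat as success, so unmapped paths are reported as directories; and VFS::FindNextFile stores `INVALID_HANDLE_VALUE` in `pfd->hFind` on failure, so the later `if (pfd->hFind)` tests in FindNextFile and FindClose hand that value to `::FindNextFile`/`::FindClose` (reset it to 0 when `::FindFirstFile` fails).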
@@ -1,81 +0,0 @@ -/* - * Copyright (c) 2006, Matt Whitlock and WhitSoft Development - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions are met: - * - * * Redistributions of source code must retain the above copyright notice, - * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * * Neither the names of Matt Whitlock and WhitSoft Development nor the - * names of their contributors may be used to endorse or promote products - * derived from this software without specific prior written permission. - * - * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" - * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE - * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE - * POSSIBILITY OF SUCH DAMAGE. 
- */ - -#ifndef _INCL_VFS_H -#define _INCL_VFS_H - -#include -#include -#include -#include "tree.h" - -using namespace std; - -class VFS -{ -private: - struct MOUNTPOINT { - string strVirtual; - string strLocal; - }; - struct FINDDATA { - string strVirtual; - string strFilespec; - HANDLE hFind; - tree *ptree; - }; - - tree _root; - - static DWORD Map(const char *pszVirtual, string &strLocal, tree *ptree); - static tree * FindMountPoint(const char *pszVirtual, tree *ptree); - static bool WildcardMatch(const char *pszFilespec, const char *pszFilename); - static void GetMountPointFindData(tree *ptree, WIN32_FIND_DATA *pw32fd); - -public: - typedef map listing_type; - VFS(); - void Mount(const char *pszVirtual, const char *pszLocal); - DWORD GetDirectoryListing(const char *pszVirtual, DWORD dwIsNLST, listing_type &listing); - bool FileExists(const char *pszVirtual); - bool IsFolder(const char *pszVirtual); - LPVOID FindFirstFile(const char *pszVirtual, WIN32_FIND_DATA *pw32fd); - bool FindNextFile(LPVOID lpFindHandle, WIN32_FIND_DATA *pw32fd); - void FindClose(LPVOID lpFindHandle); - HANDLE CreateFile(const char *pszVirtual, DWORD dwDesiredAccess, DWORD dwShareMode, DWORD dwCreationDisposition); - BOOL DeleteFile(const char *pszVirtual); - BOOL MoveFile(const char *pszOldVirtual, const char *pszNewVirtual); - BOOL CreateDirectory(const char *pszVirtual); - BOOL RemoveDirectory(const char *pszVirtual); - static void CleanVirtualPath(const char *pszVirtual, string &strNewVirtual); - static void ResolveRelative(const char *pszCurrentVirtual, const char *pszRelativeVirtual, string &strNewVirtual); - static void strtr(char *psz, char cFrom, char cTo); -}; - -#endif \ No newline at end of file diff --git a/2015-Spring/workshops/week3/siberia.zip b/2015-Spring/workshops/week3/siberia.zip deleted file mode 100755 index 1ee2355..0000000 Binary files a/2015-Spring/workshops/week3/siberia.zip and /dev/null differ 
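Review bot: `using namespace std;` in vfs.h is pulled into every translation unit that includes the header; qualify `string`/`map` in the declarations instead. Also, VFS::FindFirstFile hands the private FINDDATA object back as a bare `LPVOID`, so callers cannot distinguish it from a real Win32 HANDLE and nothing prevents passing it to `::FindClose`; return a forward-declared opaque struct pointer (or a dedicated handle typedef) so ownership and the matching VFS::FindClose are explicit in the type.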
diff --git a/2015-Spring/workshops/week3/wireshark-1.8.5.tar.bz2 b/2015-Spring/workshops/week3/wireshark-1.8.5.tar.bz2 deleted file mode 100755 index 4415b95..0000000 Binary files a/2015-Spring/workshops/week3/wireshark-1.8.5.tar.bz2 and /dev/null differ diff --git a/2015-Spring/workshops/week4/README.md b/2015-Spring/workshops/week4/README.md deleted file mode 100644 index c4fce5a..0000000 --- a/2015-Spring/workshops/week4/README.md +++ /dev/null @@ -1 +0,0 @@ -### Some insecure applications which demonstrate common vulns diff --git a/2015-Spring/workshops/week5/Phubble.solve b/2015-Spring/workshops/week5/Phubble.solve deleted file mode 100644 index 0bddde4..0000000 --- a/2015-Spring/workshops/week5/Phubble.solve +++ /dev/null @@ -1,9 +0,0 @@ -XSS - Trigger Alert - flag{catching_your_attens10n} -Console - flag{c0nsole_your$elf} -flag.txt - flag{all_your_base_belongs_to_us} -styling - flag{3d_css_is_wher3_it_is_at} - flag.css -secret sql table - flag{3pic_sql_injecti0n} -secret user - flag{1m_not_a_u$er} -domo arigato - flag{$tyx_are_a_good_band} -disallowed - -become_admin - flag{lol_you_are_4dmin} \ No newline at end of file diff --git a/2015-Spring/workshops/week5/README.md b/2015-Spring/workshops/week5/README.md deleted file mode 100644 index b2b1c21..0000000 --- a/2015-Spring/workshops/week5/README.md +++ /dev/null @@ -1 +0,0 @@ -### Web CTF challenges diff --git a/2015-Spring/workshops/week6/README.md b/2015-Spring/workshops/week6/README.md deleted file mode 100644 index 1c35fc5..0000000 --- a/2015-Spring/workshops/week6/README.md +++ /dev/null @@ -1,2 +0,0 @@ -### basic code structures in C to assembly -### write some programs in asm diff --git a/2015-Spring/workshops/week7/bin1 b/2015-Spring/workshops/week7/bin1 deleted file mode 100755 index 8009c29..0000000 Binary files a/2015-Spring/workshops/week7/bin1 and /dev/null differ 
diff --git a/2015-Spring/workshops/week7/easy32 b/2015-Spring/workshops/week7/easy32 deleted file mode 100755 index c794604..0000000 Binary files a/2015-Spring/workshops/week7/easy32 and /dev/null differ diff --git a/2015-Spring/workshops/week8/README.md b/2015-Spring/workshops/week8/README.md deleted file mode 100644 index c946f6e..0000000 --- a/2015-Spring/workshops/week8/README.md +++ /dev/null @@ -1 +0,0 @@ -### PWN ADVENTURE SPEED HACK?!?! diff --git a/2015-Spring/workshops/week9/Makefile b/2015-Spring/workshops/week9/Makefile deleted file mode 100644 index da02e81..0000000 --- a/2015-Spring/workshops/week9/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -EXEC = -z execstack -RM_COOK = -fno-stack-protector - -all: exploit_1 exploit_2 exploit_3 exploit_4 - -exploit_1: exploit_1.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_1 exploit_1.c - -exploit_2: exploit_2.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_2 exploit_2.c - -exploit_3: exploit_3.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_3 exploit_3.c - -exploit_4: exploit_4.c - gcc $(NOCANARY) -O0 -o exploit_4 exploit_4.c - -exploit_5: exploit_5.c - gcc $(NOCANARY) -O0 -o exploit_5 exploit_5.c diff --git a/2015-Spring/workshops/week9/README.md b/2015-Spring/workshops/week9/README.md deleted file mode 100644 index 49f62b7..0000000 --- a/2015-Spring/workshops/week9/README.md +++ /dev/null 
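Review bot: In the week9 Makefile the exploit_4 and exploit_5 rules expand `$(NOCANARY)`, which is never defined (the variable declared at the top is `RM_COOK`), so those two binaries get the toolchain's default stack-protector setting and the overflow will trip the canary check instead of returning into the chain; use `$(RM_COOK)` there. The `all` target also omits exploit_5, and none of these rules pass `-m32` even though the per-directory Makefiles for exploit_1..3 do, so the top-level build produces 64-bit binaries from sources whose comments talk about 4-byte ints and "Saved EIP". The identical Makefile under 2016-Spring/Binary_Exploitation repeats all three problems; one shared Makefile would keep them in sync.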
@@ -1,35 +0,0 @@ -## Exploitation Part 1 - -### Part 1 - Straight up Overflow -Changing Stack Based Variables with a Buffer Overflow -#### Task -Get authenticated -#### Resources -* -* - -### Part 2 - Change Saved EIP -Changing Program Execution Flow with Stack Based Buffer Overflow -#### Task -Make the program execute code that it would otherwise would not have executed -#### Resources -* - -### Part 3 - Execute Shellcode -Changing Program Execution Flow by Returning to User Controlled Data with a Stack Based Buffer Overflow -#### Task -Make the program execute code (shellcode) by tricking the program into thinking that your input is a function pointer - -### Part 4 - ROP -Changing Program Execution Flow by Chaining Together Existing Code from the Program with a Stack Based Buffer Overflow -#### Task -Make the program execute certain functions in a sequential order -#### Resources -* - -### Part 5 - Return to Libc -Changing Program Execution Flow by Performing a Return To Libc attack with a Stack Based Buffer Overflow -#### Task -Modify the program's GOT in order to trick the program into calling a series of ROP gadgets which end up spawning a shell -#### Resources -* diff --git a/2015-Spring/workshops/week9/brute_cookie.c b/2015-Spring/workshops/week9/brute_cookie.c deleted file mode 100644 index afc01a7..0000000 --- a/2015-Spring/workshops/week9/brute_cookie.c +++ /dev/null 
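Review bot: The Part 5 task in the week9 README ("Modify the program's GOT in order to trick the program into calling a series of ROP gadgets") describes a GOT overwrite, not a return-to-libc attack, and exploit_5.c only gives the attacker a stack overflow (`read(0, buffer, 0x100)` into `char buffer[0]`) plus a stack echo, with no write primitive to the GOT; reword the task to what the binary actually allows, e.g. returning into `system()` with a stack-supplied argument, and say which mitigations (ASLR, NX, canaries) the reader should expect to be on, since `disable_aslr.sh`/`enable_aslr.sh` sit beside these exercises without being referenced.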
@@ -1,95 +0,0 @@ -#include -#include -#include -#include - -#include -#include -#include -#include - -#define KEYFILESIZE 41 -#define BUFF_SIZE 0X1000 -#define PORTNO 12345 - - -void readKey(sock){ - char buf[KEYFILESIZE]; - FILE* keyFile=fopen("./key","r"); - fread(buf,1,KEYFILESIZE,keyFile); - write(sock,buf,KEYFILESIZE); - return; -} - -void firstFunc(int FD){ - char buf[BUFF_SIZE]; - int cookie=*(int*)(buf+0x1000); - printf("cookie: %x\n",cookie); //the server operator gets this info - read(FD,buf,BUFF_SIZE*2); //overflow the buffer 2x - return; -} - -int servlet(int fd){ - char greetings[BUFF_SIZE]; - sprintf(greetings,"Greetings client #%d\n",fd); - write(fd,greetings,strlen(greetings)); - firstFunc(fd); - char* sorry="Sorry :(\nDid you hear about nginx getting owned in July?"; - write(fd,sorry,strlen(sorry)); - return 0; -} - -int main(int argc, char *argv[]) -{ - //char buffer[BUFFER_SIZE]; - int sockfd, newsockfd, portno, pid; - socklen_t clilen; - struct sockaddr_in serv_addr, cli_addr; - - /* if (argc < 2) { */ - /* fprintf(stderr,"ERROR, no port provided\n"); */ - /* exit(1); */ - /* } */ - - sockfd = socket(AF_INET, SOCK_STREAM, 0); - if (sockfd < 0){ - perror("ERROR opening socket"); - exit(1); - } - bzero((char *) &serv_addr, sizeof(serv_addr)); - // portno = atoi(argv[1]); - serv_addr.sin_family = AF_INET; - serv_addr.sin_addr.s_addr = INADDR_ANY; - serv_addr.sin_port = htons(PORTNO); - if (bind(sockfd, (struct sockaddr *) &serv_addr, - sizeof(serv_addr)) < 0){ - perror("ERROR on binding"); - exit(1); - } - listen(sockfd,5); - clilen = sizeof(cli_addr); - while (1) { - newsockfd = accept(sockfd, - (struct sockaddr *) &cli_addr, &clilen); - if (newsockfd < 0){ - perror("ERROR on accept"); - exit(1); - } - pid = fork(); - if (pid < 0){ - perror("ERROR on fork"); - exit(1); - } - if (pid == 0) { - close(sockfd); - servlet(newsockfd); - exit(0); - } - //make sure to wait at some point to avoid zombies - else close(newsockfd); - waitpid(-1, NULL, 
WNOHANG); - } - close(sockfd); - return 0; -} - diff --git a/2015-Spring/workshops/week9/disable_aslr.sh b/2015-Spring/workshops/week9/disable_aslr.sh deleted file mode 100644 index e93248e..0000000 --- a/2015-Spring/workshops/week9/disable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 0 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2015-Spring/workshops/week9/enable_aslr.sh b/2015-Spring/workshops/week9/enable_aslr.sh deleted file mode 100644 index 7c0a39e..0000000 --- a/2015-Spring/workshops/week9/enable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 2 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2015-Spring/workshops/week9/exploit_1/Makefile b/2015-Spring/workshops/week9/exploit_1/Makefile deleted file mode 100644 index 874bf96..0000000 --- a/2015-Spring/workshops/week9/exploit_1/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_1: exploit_1.c - gcc -o exploit_1 exploit_1.c -m32 -O0 -z execstack -fno-stack-protector diff --git a/2015-Spring/workshops/week9/exploit_1/exploit_1.c b/2015-Spring/workshops/week9/exploit_1/exploit_1.c deleted file mode 100644 index b8d874c..0000000 --- a/2015-Spring/workshops/week9/exploit_1/exploit_1.c +++ /dev/null 
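Review bot: In brute_cookie.c the value printed as `cookie` in firstFunc is read one past the end of `buf` (`*(int*)(buf+0x1000)` with BUFF_SIZE 0x1000) and is only the stack canary if the compiler places it directly after the buffer; since every connection is served by a child `fork()`ed from the same parent, that canary is identical for every connection, which is what makes byte-at-a-time brute forcing of the `read(FD,buf,BUFF_SIZE*2)` overflow work and deserves a comment where `cookie` is printed. Defects worth fixing regardless of the exercise: `void readKey(sock)` declares its parameter without a type (implicit `int`), `readKey` never checks `fopen`/`fread` and never closes `keyFile`, the return values of `read` and `listen` are discarded, and `waitpid(-1, NULL, WNOHANG)` reaps at most one child per accepted connection, so zombies still pile up under load; loop on `waitpid` until it returns 0, or install a SIGCHLD handler.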
@@ -1,152 +0,0 @@ -/* - * Part 1 - Changing Stack Based Variables with a Buffer Overflow - * Task - Get authenticated - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -unsigned int BUFFER_SIZE = 0x16; - -void getPassword(char* password) { - FILE *fp; - fp = fopen("password.txt", "r"); - if(!fp){ - printf("Can't authenticate without a password file\n"); - exit(1); - } - fscanf(fp, "%s", password); - // printf("The password is: %s\n", password ); -} - -void printStack(int **stack, int* loggedIn, char* buffer) { - int **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((int *) stackAddress == loggedIn) - printf(" <-- loggedIn"); - if ((char *) stackAddress == buffer) - printf(" <-- enteredPassword"); - printf("\n"); - } - printf("\n"); -} - -int authenticateUser() { - // Notice the position of loggedIn in relation - // to the buffers were we can input data - // Note: integers on a 32bit system are 4 bytes - // while individual characters are only 1 byte - struct variables { - char password[16]; - char enteredPassword[16]; - int loggedIn; - } vars; - int **stack; - - vars.loggedIn = 0; - memset(vars.enteredPassword, 0, sizeof(vars.enteredPassword)); - memset(vars.password, 0, sizeof(vars.password)); - - // Basically, our stack from for this function will look - // like: - // TOP OF STACK (lower addresses) Data goes into buffers going down: - // ------------------------------- || - // | ... | || - // ------------------------------- \ || / - // | | \||/ - // | password (16 bytes) | \/ - // | | - // ------------------------------- When you read data to the stack, - // | | the data goes into the buffer downwards. - // | enteredPassword (16 bytes) | That is, data gets filled into the buffer - // | | moving away from the top of the stack - // ------------------------------- to the bottom of the stack. 
- // | loggedIn (4 bytes) | - // ------------------------------- - // | ... | - // ------------------------------- - // BOTTOM OF STACK (higher addresses) - - // Ask the user for their username and password - // - // How much data are we reading into each - // stack based buffer? - // Note: The c read function is defined as: - // read(int fileDescriptor, char* destination, unsinged int amountToRead) - getPassword(vars.password); - - puts("\nPassword: "); - fgets(vars.enteredPassword, BUFFER_SIZE, stdin); - - // Get rid of the trailing newline character - size_t len = strlen(vars.enteredPassword) - 1; - if (vars.enteredPassword[len] == '\n') - vars.enteredPassword[len] = '\0'; - - if (DEBUG) { - printf("loggedIn = (decimal) %d = (hex) %x\n", vars.loggedIn, vars.loggedIn); - } - - puts(""); - - // Load the password from a file into memory - - - if (DEBUG) { - stack = (int **) (&stack); - printStack(stack, &vars.loggedIn, vars.enteredPassword); - } - - puts("Checking to see if the user's account is legit..."); - if (strcmp(vars.password, vars.enteredPassword) == 0) { - vars.loggedIn = 1; - } else { - // What is the difference between having this line - // and not having this line? What can we do since - // this line is not actually a part of the program? 
- // - // loggedIn = 0; - } - - // If loggedIn has anything but 0, then the user is logged in - if (vars.loggedIn) return 1; - // ...else we say that they are not logged in - else return 0; -} - -void printFlag() { - FILE *fp; - char flag[64]; - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - - -int main() { - puts("Welcome to the Login Portal -_-"); - - int authenticated = authenticateUser(); - - if (authenticated) { - puts("Hello, would you like to play a game?\n"); - puts("Oh, I guess you already won it lol\n"); - printFlag(); - } else { - puts("Sorry, I don't know who you are.\n"); - } -} - diff --git a/2015-Spring/workshops/week9/exploit_1/flag b/2015-Spring/workshops/week9/exploit_1/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Spring/workshops/week9/exploit_1/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Spring/workshops/week9/exploit_1/password.txt b/2015-Spring/workshops/week9/exploit_1/password.txt deleted file mode 100644 index f52de66..0000000 --- a/2015-Spring/workshops/week9/exploit_1/password.txt +++ /dev/null @@ -1 +0,0 @@ -ima_password diff --git a/2015-Spring/workshops/week9/exploit_2/Makefile b/2015-Spring/workshops/week9/exploit_2/Makefile deleted file mode 100644 index 9194794..0000000 --- a/2015-Spring/workshops/week9/exploit_2/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_2: exploit_2.c - gcc -o exploit_2 exploit_2.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2015-Spring/workshops/week9/exploit_2/exploit_2.c b/2015-Spring/workshops/week9/exploit_2/exploit_2.c deleted file mode 100644 index 758dc05..0000000 --- a/2015-Spring/workshops/week9/exploit_2/exploit_2.c +++ /dev/null 
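Review bot: In exploit_1.c, `size_t len = strlen(vars.enteredPassword) - 1;` underflows when the string is empty (for instance when `fgets` returns NULL on EOF and leaves the zeroed buffer), so `vars.enteredPassword[len]` indexes out of bounds; check the `fgets` return and guard `len > 0` before the newline strip. The stale comments should also go: the block above `getPassword` documents the `read` function although input is taken with `fgets(vars.enteredPassword, BUFFER_SIZE, stdin)`, and "Load the password from a file into memory" sits after the call that already did it. The overflow itself (BUFFER_SIZE 0x16 = 22 against the 16-byte `enteredPassword` field sitting just below `loggedIn`) is the exercise and should stay.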
@@ -1,111 +0,0 @@ -/* - * Part 2 - Changing Program Execution Flow with Stack Based - * Buffer Overflow - * Task - Make the program execute code that it would otherwise - * would not have executed - * */ - -#include -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 64 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void doSomethingDifferent() { - FILE *fp; - char flag[BUFF_SIZE]; - - puts("Nice! 
You did something different for a change"); - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - -void doSomething() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: doSomething\n"); - // Let the person know where the doSomethingDifferent function is - // located - printf("The doSomethingDifferent function is located at: %p\n", doSomethingDifferent); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - read(0, buffer, 512); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: doSomething"); - } -} - -void doSomethingWithoutDebugInfo() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - fgets(buffer, deadbeef - cafebabe, stdin); - - printf("\n"); -} - -int main() { - doSomething(); - - puts("I don't think you did anything different :C"); - - return 0; -} - diff --git a/2015-Spring/workshops/week9/exploit_2/flag b/2015-Spring/workshops/week9/exploit_2/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Spring/workshops/week9/exploit_2/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} 
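Review bot: In exploit_2.c the two input paths overflow in different ways: doSomething uses `read(0, buffer, 512)` into a 64-byte buffer, while doSomethingWithoutDebugInfo uses `fgets(buffer, deadbeef - cafebabe, stdin)` with size 0x13af0431, which stops at the first 0x0a byte and appends a NUL, so a return address containing a newline cannot be delivered through that path; use the same call in both or document the difference. doSomethingWithoutDebugInfo is also unreachable from `main` (the same holds for the `...WithoutDebugInfo` variants in exploit_3..5), so either select it when DEBUG is 0 or drop it. Minor: the `if ((void *) *stackAddress == returnAddr)` marker in printStack tags every stack word equal to the return address, including the local `ret` that `__builtin_return_address(0)` was stored in, so the "Saved EIP" label can land on the wrong slot.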
diff --git a/2015-Spring/workshops/week9/exploit_3/Makefile b/2015-Spring/workshops/week9/exploit_3/Makefile deleted file mode 100644 index 7ae74f8..0000000 --- a/2015-Spring/workshops/week9/exploit_3/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_3: exploit_3.c - gcc -o exploit_3 exploit_3.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2015-Spring/workshops/week9/exploit_3/exploit_3.c b/2015-Spring/workshops/week9/exploit_3/exploit_3.c deleted file mode 100644 index a03437d..0000000 --- a/2015-Spring/workshops/week9/exploit_3/exploit_3.c +++ /dev/null 
@@ -1,87 +0,0 @@ -/* - * Part 3 - Changing Program Execution Flow by Returning to User Controlled - * data with a Stack Based Buffer Overflow - * Task - Make the program execute code (shellcode) by tricking the program - * into thinking that your input is a function pointer - * */ - -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 128 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void gimmeSomeShellcode() { - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: gimmeSomeShellcode\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? 
- printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: gimmeSomeShellcode"); - } -} - -void gimmeSomeShellcodeWithoutDebugInfo() { - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - gimmeSomeShellcode(); - - puts("I don't think you poped a shell :C"); - - return 0; -} - diff --git a/2015-Spring/workshops/week9/exploit_3/flag b/2015-Spring/workshops/week9/exploit_3/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Spring/workshops/week9/exploit_3/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Spring/workshops/week9/exploit_4/Makefile b/2015-Spring/workshops/week9/exploit_4/Makefile deleted file mode 100644 index a3f3855..0000000 --- a/2015-Spring/workshops/week9/exploit_4/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_4: exploit_4.c - gcc -o exploit_4 exploit_4.c -O0 -fno-stack-protector diff --git a/2015-Spring/workshops/week9/exploit_4/exploit_4.c b/2015-Spring/workshops/week9/exploit_4/exploit_4.c deleted file mode 100644 index 446d031..0000000 --- a/2015-Spring/workshops/week9/exploit_4/exploit_4.c +++ /dev/null 
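Review bot: The overflow in exploit_3.c goes through `fgets(buffer, 0x100, stdin)`, which cuts the payload at the first 0x0a byte and NUL-terminates it, so shellcode or a buffer address containing a newline must be avoided; say so in the header comment, or switch to `read` as exploit_2 does. The header should also state the two preconditions the exercise relies on: the buffer address used as the return address comes from the DEBUG `printStack` output (which is why ASLR does not block it), and running injected code on the stack requires the `-z execstack` that this directory's Makefile passes.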
@@ -1,103 +0,0 @@ -/* - * Part 4 - Changing Program Execution Flow by Chaining Together Existing - * Code from the Program with a Stack Based Buffer Overflow - * Task - Make the program execute certain functions in a sequential order - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -char command[8]; -void *function; - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -// Functions you should have in your ROP chain -void setCommand() { - strcpy(command, "/bin/sh\0"); -} - -void setFunction() { - function = system; -} - -void doTheThing() { - ((void(*)()) function)(command); -} - -void returnOrientedProgramming() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnOrientedProgramming\n"); - - printf("setCommand is at: %p\n", setCommand); - printf("setFunction is at: %p\n", setFunction); - printf("doTheThing is at: %p\n", doTheThing); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - // Can you make the next three lines alter the return address? 
- printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnOrientedProgramming"); - } -} - -void returnOrientedProgrammingWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - returnOrientedProgramming(); - - puts("I don't think you ropped enough"); - - return 0; -} - - diff --git a/2015-Spring/workshops/week9/exploit_4/flag b/2015-Spring/workshops/week9/exploit_4/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2015-Spring/workshops/week9/exploit_4/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2015-Spring/workshops/week9/exploit_5/Makefile b/2015-Spring/workshops/week9/exploit_5/Makefile deleted file mode 100644 index 86f38a8..0000000 --- a/2015-Spring/workshops/week9/exploit_5/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_5: exploit_5.c - gcc -o exploit_5 exploit_5.c -O0 -fno-stack-protector diff --git a/2015-Spring/workshops/week9/exploit_5/exploit_5.c b/2015-Spring/workshops/week9/exploit_5/exploit_5.c deleted file mode 100644 index b3c2524..0000000 --- a/2015-Spring/workshops/week9/exploit_5/exploit_5.c +++ /dev/null 
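Review bot: In exploit_4.c `char buffer[0]` with `fgets(buffer, 0x100, stdin)` means every input byte already lands beyond the buffer, which suits the exercise but needs a comment, and `strcpy(command, "/bin/sh\0")` fills `command[8]` exactly (the explicit `\0` in the literal adds nothing, strcpy stops at the first NUL). A practical caveat for the setCommand -> setFunction -> doTheThing chain: this directory's Makefile builds without `-m32`, so on x86-64 the "Saved EIP" labels really mean RIP, and entering `doTheThing` via `ret` instead of `call` can leave the stack 8 bytes off the 16-byte alignment glibc's `system()` expects, which crashes before the shell spawns; mention that a lone `ret` gadget before the function fixes the alignment, or build with `-m32` like exploit_1..3.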
@@ -1,84 +0,0 @@ -/* - * Part 5 - Changing Program Execution Flow by Performing a Return To Libc attack - * with a Stack Based Buffer Overflow - * Task - Modify the program's GOT in order to trick the program into calling a - * series of ROP gadgets which end up spawning a shell - * */ - -#include -#include -#include - -#define DEBUG 1 - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -void returnToLibc() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnToLibc\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnToLibc"); - } -} - -void returnToLibcWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - - printf("\n"); -} - -int main() { - returnToLibc(); - - puts("I don't think you returned to Libc :C"); - - return 0; -} - - - diff --git a/2015-Spring/workshops/week9/exploit_5/flag b/2015-Spring/workshops/week9/exploit_5/flag deleted file mode 100644 index ba7ee7e..0000000 
--- a/2015-Spring/workshops/week9/exploit_5/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2016-Spring/Binary_Exploitation/Makefile b/2016-Spring/Binary_Exploitation/Makefile deleted file mode 100644 index 486f395..0000000 --- a/2016-Spring/Binary_Exploitation/Makefile +++ /dev/null @@ -1,19 +0,0 @@ -EXEC = -z execstack -RM_COOK = -fno-stack-protector - -all: exploit_1 exploit_2 exploit_3 exploit_4 - -exploit_1: exploit_1.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_1 exploit_1.c - -exploit_2: exploit_2.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_2 exploit_2.c - -exploit_3: exploit_3.c - gcc $(EXEC) $(RM_COOK) -O0 -o exploit_3 exploit_3.c - -exploit_4: exploit_4.c - gcc $(NOCANARY) -O0 -o exploit_4 exploit_4.c - -exploit_5: exploit_5.c - gcc $(NOCANARY) -O0 -o exploit_5 exploit_5.c diff --git a/2016-Spring/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf b/2016-Spring/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf deleted file mode 100644 index 25f8a26..0000000 Binary files a/2016-Spring/Binary_Exploitation/Mikhail-Sosonkin-OSX-and-iOS.pdf and /dev/null differ diff --git a/2016-Spring/Binary_Exploitation/README.md b/2016-Spring/Binary_Exploitation/README.md deleted file mode 100644 index 35537fd..0000000 --- a/2016-Spring/Binary_Exploitation/README.md +++ /dev/null 
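Review bot: In the top-level Binary_Exploitation Makefile the exploit_4 and exploit_5 rules expand `$(NOCANARY)`, which is never defined; the variable that actually disables the stack protector is `RM_COOK`, so those two targets are built with the compiler's default protector and the exercises will not behave as described. The `all` target also omits exploit_5, and no rule passes `-m32`, even though the exploit_1 through exploit_4 per-directory Makefiles build 32-bit and the programs label the "Saved EIP"; either add `-m32` here or drop this file in favour of the per-directory ones.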
@@ -1,35 +0,0 @@ -## Exploitation Part 1 - -### Part 1 - Straight up Overflow -Changing Stack Based Variables with a Buffer Overflow -#### Task -Get authenticated -#### Resources -* -* - -### Part 2 - Change Saved EIP -Changing Program Execution Flow with Stack Based Buffer Overflow -#### Task -Make the program execute code that it would otherwise would not have executed -#### Resources -* - -### Part 3 - Execute Shellcode -Changing Program Execution Flow by Returning to User Controlled Data with a Stack Based Buffer Overflow -#### Task -Make the program execute code (shellcode) by tricking the program into thinking that your input is a function pointer - -### Part 4 - ROP -Changing Program Execution Flow by Chaining Together Existing Code from the Program with a Stack Based Buffer Overflow -#### Task -Make the program execute certain functions in a sequential order. ASLR should be enabled for this problem. -#### Resources -* - -### Part 5 - Return to Libc -Changing Program Execution Flow by Performing a Return To Libc attack with a Stack Based Buffer Overflow -#### Task -Modify the program's GOT in order to trick the program into calling a series of ROP gadgets which end up spawning a shell. ASLR should be enabled for this problem. -#### Resources -* diff --git a/2016-Spring/Binary_Exploitation/brute_cookie.c b/2016-Spring/Binary_Exploitation/brute_cookie.c deleted file mode 100644 index afc01a7..0000000 --- a/2016-Spring/Binary_Exploitation/brute_cookie.c +++ /dev/null 
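Review bot: The Resources lists under Parts 1, 2, 4 and 5 of this README are empty bullets (`-* -*`), which render as blank list items; either fill them in or remove the headings. Part 2's task text doubles the verb ("would otherwise would not have executed"), and the same sentence is repeated in the exploit_2.c header. Part 5's task ("Modify the program's GOT ...") does not match exploit_5.c, which only offers a stack buffer to overflow; describe the return-address overwrite the program actually exercises.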
@@ -1,95 +0,0 @@ -#include -#include -#include -#include - -#include -#include -#include -#include - -#define KEYFILESIZE 41 -#define BUFF_SIZE 0X1000 -#define PORTNO 12345 - - -void readKey(sock){ - char buf[KEYFILESIZE]; - FILE* keyFile=fopen("./key","r"); - fread(buf,1,KEYFILESIZE,keyFile); - write(sock,buf,KEYFILESIZE); - return; -} - -void firstFunc(int FD){ - char buf[BUFF_SIZE]; - int cookie=*(int*)(buf+0x1000); - printf("cookie: %x\n",cookie); //the server operator gets this info - read(FD,buf,BUFF_SIZE*2); //overflow the buffer 2x - return; -} - -int servlet(int fd){ - char greetings[BUFF_SIZE]; - sprintf(greetings,"Greetings client #%d\n",fd); - write(fd,greetings,strlen(greetings)); - firstFunc(fd); - char* sorry="Sorry :(\nDid you hear about nginx getting owned in July?"; - write(fd,sorry,strlen(sorry)); - return 0; -} - -int main(int argc, char *argv[]) -{ - //char buffer[BUFFER_SIZE]; - int sockfd, newsockfd, portno, pid; - socklen_t clilen; - struct sockaddr_in serv_addr, cli_addr; - - /* if (argc < 2) { */ - /* fprintf(stderr,"ERROR, no port provided\n"); */ - /* exit(1); */ - /* } */ - - sockfd = socket(AF_INET, SOCK_STREAM, 0); - if (sockfd < 0){ - perror("ERROR opening socket"); - exit(1); - } - bzero((char *) &serv_addr, sizeof(serv_addr)); - // portno = atoi(argv[1]); - serv_addr.sin_family = AF_INET; - serv_addr.sin_addr.s_addr = INADDR_ANY; - serv_addr.sin_port = htons(PORTNO); - if (bind(sockfd, (struct sockaddr *) &serv_addr, - sizeof(serv_addr)) < 0){ - perror("ERROR on binding"); - exit(1); - } - listen(sockfd,5); - clilen = sizeof(cli_addr); - while (1) { - newsockfd = accept(sockfd, - (struct sockaddr *) &cli_addr, &clilen); - if (newsockfd < 0){ - perror("ERROR on accept"); - exit(1); - } - pid = fork(); - if (pid < 0){ - perror("ERROR on fork"); - exit(1); - } - if (pid == 0) { - close(sockfd); - servlet(newsockfd); - exit(0); - } - //make sure to wait at some point to avoid zombies - else close(newsockfd); - waitpid(-1, NULL, 
WNOHANG); - } - close(sockfd); - return 0; -} - diff --git a/2016-Spring/Binary_Exploitation/disable_aslr.sh b/2016-Spring/Binary_Exploitation/disable_aslr.sh deleted file mode 100644 index e93248e..0000000 --- a/2016-Spring/Binary_Exploitation/disable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 0 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2016-Spring/Binary_Exploitation/enable_aslr.sh b/2016-Spring/Binary_Exploitation/enable_aslr.sh deleted file mode 100644 index 7c0a39e..0000000 --- a/2016-Spring/Binary_Exploitation/enable_aslr.sh +++ /dev/null @@ -1 +0,0 @@ -echo 2 | sudo tee /proc/sys/kernel/randomize_va_space diff --git a/2016-Spring/Binary_Exploitation/exploit_1/Makefile b/2016-Spring/Binary_Exploitation/exploit_1/Makefile deleted file mode 100644 index 874bf96..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_1/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_1: exploit_1.c - gcc -o exploit_1 exploit_1.c -m32 -O0 -z execstack -fno-stack-protector diff --git a/2016-Spring/Binary_Exploitation/exploit_1/exploit_1.c b/2016-Spring/Binary_Exploitation/exploit_1/exploit_1.c deleted file mode 100644 index b8d874c..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_1/exploit_1.c +++ /dev/null 
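Review bot: `void readKey(sock)` in brute_cookie.c declares its parameter with an implicit int, which is invalid since C99 and an error by default in GCC 14; declare it `void readKey(int sock)`. The function is also never called, and the `fopen("./key", "r")` result is not checked before `fread`, so a missing key file dereferences NULL. In firstFunc, `*(int*)(buf+0x1000)` reads four bytes immediately past the end of the 0x1000-byte `buf` (undefined behaviour, presumably the stack protector's canary that the file name calls the cookie) and prints it server-side; because `servlet` runs in a forked child, every connection inherits that same canary value, which is the property this exercise relies on. Say so in a comment, and note for the reader that the mitigation for a real forking server is to re-exec after fork so each child starts with a fresh canary.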
@@ -1,152 +0,0 @@ -/* - * Part 1 - Changing Stack Based Variables with a Buffer Overflow - * Task - Get authenticated - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -unsigned int BUFFER_SIZE = 0x16; - -void getPassword(char* password) { - FILE *fp; - fp = fopen("password.txt", "r"); - if(!fp){ - printf("Can't authenticate without a password file\n"); - exit(1); - } - fscanf(fp, "%s", password); - // printf("The password is: %s\n", password ); -} - -void printStack(int **stack, int* loggedIn, char* buffer) { - int **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((int *) stackAddress == loggedIn) - printf(" <-- loggedIn"); - if ((char *) stackAddress == buffer) - printf(" <-- enteredPassword"); - printf("\n"); - } - printf("\n"); -} - -int authenticateUser() { - // Notice the position of loggedIn in relation - // to the buffers were we can input data - // Note: integers on a 32bit system are 4 bytes - // while individual characters are only 1 byte - struct variables { - char password[16]; - char enteredPassword[16]; - int loggedIn; - } vars; - int **stack; - - vars.loggedIn = 0; - memset(vars.enteredPassword, 0, sizeof(vars.enteredPassword)); - memset(vars.password, 0, sizeof(vars.password)); - - // Basically, our stack from for this function will look - // like: - // TOP OF STACK (lower addresses) Data goes into buffers going down: - // ------------------------------- || - // | ... | || - // ------------------------------- \ || / - // | | \||/ - // | password (16 bytes) | \/ - // | | - // ------------------------------- When you read data to the stack, - // | | the data goes into the buffer downwards. - // | enteredPassword (16 bytes) | That is, data gets filled into the buffer - // | | moving away from the top of the stack - // ------------------------------- to the bottom of the stack. 
- // | loggedIn (4 bytes) | - // ------------------------------- - // | ... | - // ------------------------------- - // BOTTOM OF STACK (higher addresses) - - // Ask the user for their username and password - // - // How much data are we reading into each - // stack based buffer? - // Note: The c read function is defined as: - // read(int fileDescriptor, char* destination, unsinged int amountToRead) - getPassword(vars.password); - - puts("\nPassword: "); - fgets(vars.enteredPassword, BUFFER_SIZE, stdin); - - // Get rid of the trailing newline character - size_t len = strlen(vars.enteredPassword) - 1; - if (vars.enteredPassword[len] == '\n') - vars.enteredPassword[len] = '\0'; - - if (DEBUG) { - printf("loggedIn = (decimal) %d = (hex) %x\n", vars.loggedIn, vars.loggedIn); - } - - puts(""); - - // Load the password from a file into memory - - - if (DEBUG) { - stack = (int **) (&stack); - printStack(stack, &vars.loggedIn, vars.enteredPassword); - } - - puts("Checking to see if the user's account is legit..."); - if (strcmp(vars.password, vars.enteredPassword) == 0) { - vars.loggedIn = 1; - } else { - // What is the difference between having this line - // and not having this line? What can we do since - // this line is not actually a part of the program? 
- // - // loggedIn = 0; - } - - // If loggedIn has anything but 0, then the user is logged in - if (vars.loggedIn) return 1; - // ...else we say that they are not logged in - else return 0; -} - -void printFlag() { - FILE *fp; - char flag[64]; - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - - -int main() { - puts("Welcome to the Login Portal -_-"); - - int authenticated = authenticateUser(); - - if (authenticated) { - puts("Hello, would you like to play a game?\n"); - puts("Oh, I guess you already won it lol\n"); - printFlag(); - } else { - puts("Sorry, I don't know who you are.\n"); - } -} - diff --git a/2016-Spring/Binary_Exploitation/exploit_1/flag b/2016-Spring/Binary_Exploitation/exploit_1/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_1/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2016-Spring/Binary_Exploitation/exploit_1/password.txt b/2016-Spring/Binary_Exploitation/exploit_1/password.txt deleted file mode 100644 index f52de66..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_1/password.txt +++ /dev/null @@ -1 +0,0 @@ -ima_password diff --git a/2016-Spring/Binary_Exploitation/exploit_2/Makefile b/2016-Spring/Binary_Exploitation/exploit_2/Makefile deleted file mode 100644 index 9194794..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_2/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_2: exploit_2.c - gcc -o exploit_2 exploit_2.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2016-Spring/Binary_Exploitation/exploit_2/exploit_2.c b/2016-Spring/Binary_Exploitation/exploit_2/exploit_2.c deleted file mode 100644 index 7d08fd6..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_2/exploit_2.c +++ /dev/null 
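Review bot: In exploit_1.c, `size_t len = strlen(vars.enteredPassword) - 1;` underflows to SIZE_MAX when `fgets` fails (EOF on stdin leaves the zeroed buffer empty), and the following `vars.enteredPassword[len]` then addresses the byte before the buffer; check the `fgets` return value and guard `len > 0`. The comment block above it documents `read(int fileDescriptor, char* destination, unsinged int amountToRead)` ("unsigned"), but the code reads with `fgets(..., BUFFER_SIZE, stdin)`; rewrite the comment for fgets so the reader compares the length it is given with the field sizes, which is what the surrounding questions ask. `// Load the password from a file into memory` is orphaned now that the `getPassword` call sits above the prompt; delete or move it. `main` is declared `int` but has no return statement.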
@@ -1,111 +0,0 @@ -/* - * Part 2 - Changing Program Execution Flow with Stack Based - * Buffer Overflow - * Task - Make the program execute code that it would otherwise - * would not have executed - * */ - -#include -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 16 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void doSomethingDifferent() { - FILE *fp; - char flag[BUFF_SIZE]; - - puts("Nice! 
You did something different for a change"); - - fp = fopen("flag", "r"); - if(!fp){ - printf("You won!, sadly the flag is nowhere to be seen\n"); - exit(1); - } - fscanf(fp, "%s", flag); - printf("Your flag is: %s\n", flag); - exit(0); -} - -void doSomething() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: doSomething\n"); - // Let the person know where the doSomethingDifferent function is - // located - printf("The doSomethingDifferent function is located at: %p\n", doSomethingDifferent); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - read(0, buffer, 512); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: doSomething"); - } -} - -void doSomethingWithoutDebugInfo() { - int deadbeef = 0xdeadbeef; - int cafebabe = 0xcafebabe; - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send me something special!: "); fflush(stdout); - fgets(buffer, deadbeef - cafebabe, stdin); - - printf("\n"); -} - -int main() { - doSomething(); - - puts("I don't think you did anything different :C"); - - return 0; -} - diff --git a/2016-Spring/Binary_Exploitation/exploit_2/flag b/2016-Spring/Binary_Exploitation/exploit_2/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_2/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} 
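Review bot: `fscanf(fp, "%s", flag)` in doSomethingDifferent reads into `char flag[BUFF_SIZE]`, which is 16 bytes, while the bundled flag file holds a 35-character string, so the win function overflows its own stack frame before printing. exploit_1.c sizes the same buffer at 64; do the same here or use a width specifier such as `"%15s"`. The `doSomethingWithoutDebugInfo` variant is never called (the same holds for every `*WithoutDebugInfo` function in this series); switching on `DEBUG` inside one function, or selecting the variant in `main`, would avoid keeping two copies of the vulnerable code in sync.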
diff --git a/2016-Spring/Binary_Exploitation/exploit_3/Makefile b/2016-Spring/Binary_Exploitation/exploit_3/Makefile deleted file mode 100644 index 7ae74f8..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_3/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_3: exploit_3.c - gcc -o exploit_3 exploit_3.c -m32 -O0 -fno-stack-protector -z execstack diff --git a/2016-Spring/Binary_Exploitation/exploit_3/exploit_3.c b/2016-Spring/Binary_Exploitation/exploit_3/exploit_3.c deleted file mode 100644 index 51fd42a..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_3/exploit_3.c +++ /dev/null 
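Review bot: The exploit_3 Makefile passes `-z execstack`, `-fno-stack-protector` and `-O0`, and all three are what make Part 3 (returning into user-supplied data) possible; a one-line comment stating that these flags deliberately disable NX, the canary and optimisation would stop a later maintainer from "cleaning them up" and silently breaking the exercise.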
@@ -1,87 +0,0 @@ -/* - * Part 3 - Changing Program Execution Flow by Returning to User Controlled - * data with a Stack Based Buffer Overflow - * Task - Make the program execute code (shellcode) by tricking the program - * into thinking that your input is a function pointer - * */ - -#include -#include -#include - -#define DEBUG 1 -#define BUFF_SIZE 32 - -void printStack(char **stack, void* returnAddr, char* startBuffer, char* endBuffer) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x10; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - if ((char *) stackAddress == startBuffer) - printf(" <-- Start of buffer"); - if ((char *) stackAddress == endBuffer) - printf(" <-- End of buffer"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack, char* sBuf, char* eBuf) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret, sBuf, eBuf); -} - -void gimmeSomeShellcode() { - char buffer[BUFF_SIZE]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: gimmeSomeShellcode\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - } - - // Can you make the next three lines alter the return address? 
- printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack, buffer, buffer + BUFF_SIZE); - - puts("Leaving function: gimmeSomeShellcode"); - } -} - -void gimmeSomeShellcodeWithoutDebugInfo() { - char buffer[BUFF_SIZE]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("Send whatever you want: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - gimmeSomeShellcode(); - - puts("I don't think you poped a shell :C"); - - return 0; -} - diff --git a/2016-Spring/Binary_Exploitation/exploit_3/flag b/2016-Spring/Binary_Exploitation/exploit_3/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_3/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2016-Spring/Binary_Exploitation/exploit_4/Makefile b/2016-Spring/Binary_Exploitation/exploit_4/Makefile deleted file mode 100644 index d32f7fd..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_4/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_4: exploit_4.c - gcc -o exploit_4 exploit_4.c -O0 -m32 -fno-stack-protector diff --git a/2016-Spring/Binary_Exploitation/exploit_4/exploit_4.c b/2016-Spring/Binary_Exploitation/exploit_4/exploit_4.c deleted file mode 100644 index fcce7d3..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_4/exploit_4.c +++ /dev/null 
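Review bot: Typo in exploit_3.c's final message: "poped" should be "popped". The `fgets(buffer, 0x100, stdin)` into a `BUFF_SIZE` (32-byte) buffer is the intended defect of this part, but nothing marks it as such; a comment next to the `#define BUFF_SIZE 32` saying the read length is deliberately larger would make that explicit for readers and for anyone running a static analyser over the tree.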
@@ -1,104 +0,0 @@ -/* - * Part 4 - Changing Program Execution Flow by Chaining Together Existing - * Code from the Program with a Stack Based Buffer Overflow - * Task - Make the program execute certain functions in a sequential order - * Note - ASLR Should be turned ON - * */ - -#include -#include -#include -#include - -#define DEBUG 1 - -char command[8]; -void *function; - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -// Functions you should have in your ROP chain -void setCommand() { - strcpy(command, "/bin/sh\0"); -} - -void setFunction() { - function = system; -} - -void doTheThing() { - ((void(*)()) function)(command); -} - -void returnOrientedProgramming() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnOrientedProgramming\n"); - - printf("setCommand is at: %p\n", setCommand); - printf("setFunction is at: %p\n", setFunction); - printf("doTheThing is at: %p\n", doTheThing); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - // Can you make the next three lines alter the return address? 
- printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnOrientedProgramming"); - } -} - -void returnOrientedProgrammingWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - // Can you make the next three lines alter the return address? - printf("What do you want me to chain for you?: "); fflush(stdout); - fgets(buffer, 0x100, stdin); - - printf("\n"); -} - -int main() { - returnOrientedProgramming(); - - puts("I don't think you ropped enough"); - - return 0; -} - - diff --git a/2016-Spring/Binary_Exploitation/exploit_4/flag b/2016-Spring/Binary_Exploitation/exploit_4/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_4/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2016-Spring/Binary_Exploitation/exploit_5/Makefile b/2016-Spring/Binary_Exploitation/exploit_5/Makefile deleted file mode 100644 index 86f38a8..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_5/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -exploit_5: exploit_5.c - gcc -o exploit_5 exploit_5.c -O0 -fno-stack-protector diff --git a/2016-Spring/Binary_Exploitation/exploit_5/exploit_5.c b/2016-Spring/Binary_Exploitation/exploit_5/exploit_5.c deleted file mode 100644 index 9d6980c..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_5/exploit_5.c +++ /dev/null 
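Review bot: In exploit_4.c, `void *function;` is later invoked through `((void(*)()) function)(command)`; ISO C does not define conversion between `void *` and function pointers (it works on POSIX targets, which is where this runs), and the cast also discards the parameter type. Declaring it `void (*function)(const char *)` lets `function = system;` type-check against `<stdlib.h>` and removes the cast. `strcpy(command, "/bin/sh\0")` copies exactly 8 bytes into `char command[8]`, so it fits, but the explicit `\0` is redundant (strcpy stops at the first NUL) and any longer string would spill into whatever global follows `command`. The `returnOrientedProgrammingWithoutDebugInfo` copy is unreachable.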
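Review bot: The 2016 exploit_5 Makefile drops the `-m32` that exploit_1 through exploit_4 pass, so exploit_5 builds as a 64-bit binary while its printStack still labels the "Saved EIP" and the rest of the series is 32-bit; add `-m32` or document that Part 5 is intentionally 64-bit. Since the README says ASLR stays enabled for this part, also state whether the binary is expected to be PIE, because gcc's default differs between distributions and changes what the printed addresses mean.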
@@ -1,85 +0,0 @@ -/* - * Part 5 - Changing Program Execution Flow by Performing a Return To Libc attack - * with a Stack Based Buffer Overflow - * Task - Modify the program's GOT in order to trick the program into calling a - * series of ROP gadgets which end up spawning a shell - * Note - ASLR should be turned ON - * */ - -#include -#include -#include - -#define DEBUG 1 - -void printStack(char **stack, void* returnAddr) { - char **stackAddress; - - printf("Our stack looks like\n"); - for (stackAddress = stack; stackAddress < stack + 0x20; stackAddress++) { - printf("%p : %p", stackAddress, *stackAddress); - if ((void *) *stackAddress == returnAddr) - printf(" <-- Saved EIP (return address)"); - printf("\n"); - } - printf("\n"); -} - -void printDebugInfo(void *ret, char **stack) { - // Print the return address of the function we are in - printf("Our return address is: %p\n", ret); - - // Print what our stack looks like right now - printStack(stack, ret); -} - -void returnToLibc() { - char buffer[0]; - char **stack; - - memset(buffer, 0, sizeof(buffer)); - - if (DEBUG) { - puts("Entered function: returnToLibc\n"); - - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - } - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - printf("\n"); - - if (DEBUG) { - void *ret = __builtin_return_address(0); - stack = (char **) (&stack); - printDebugInfo(ret, stack); - - puts("Leaving function: returnToLibc"); - } -} - -void returnToLibcWithoutDebugInfo() { - char buffer[0]; - - memset(buffer, 0, sizeof(buffer)); - - printf("Can you Return to Libc Bro?: "); fflush(stdout); - read(0, buffer, 0x100); - write(1, buffer, 0x100); - - printf("\n"); -} - -int main() { - returnToLibc(); - - puts("I don't think you returned to Libc :C"); - - return 0; -} - - - 
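Review bot: `char buffer[0]` in returnToLibc and returnToLibcWithoutDebugInfo is a GCC extension rather than ISO C (`-pedantic` rejects it), and `memset(buffer, 0, sizeof(buffer))` is a no-op on it; a one-byte array with a comment would make the intent (no room at all, so every byte read lands outside the buffer) portable and explicit. This file is the 2015-Spring week9 version plus the "ASLR should be turned ON" note; if the two semesters are kept as separate trees, the "Task" line here should at least be corrected to describe a return-address overwrite rather than a GOT modification, which nothing in the program performs.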
diff --git a/2016-Spring/Binary_Exploitation/exploit_5/flag b/2016-Spring/Binary_Exploitation/exploit_5/flag deleted file mode 100644 index ba7ee7e..0000000 --- a/2016-Spring/Binary_Exploitation/exploit_5/flag +++ /dev/null @@ -1 +0,0 @@ -flag{you_are_really_exploiting_now} diff --git a/2016-Spring/Intro_to_C/README.md b/2016-Spring/Intro_to_C/README.md deleted file mode 100644 index e63bce5..0000000 --- a/2016-Spring/Intro_to_C/README.md +++ /dev/null @@ -1,2 +0,0 @@ -# Intro to the C Language -A basic introduction to C and the parts that pertain to reverse engineering and binary exploitation \ No newline at end of file diff --git a/2016-Spring/Malware/README.md b/2016-Spring/Malware/README.md deleted file mode 100644 index fb0e6a3..0000000 --- a/2016-Spring/Malware/README.md +++ /dev/null @@ -1,9 +0,0 @@ - -Python Keylogger - -[pykeylogger](https://github.com/amoffat/pykeylogger) - -Pupy - -[pupy](https://github.com/n1nj4sec/pupy) - diff --git a/2016-Spring/Pentesting/Metasploit_and_Disclosure.key b/2016-Spring/Pentesting/Metasploit_and_Disclosure.key deleted file mode 100644 index f4f332b..0000000 Binary files a/2016-Spring/Pentesting/Metasploit_and_Disclosure.key and /dev/null differ diff --git a/2016-Spring/Pentesting/Metasploit_and_Disclosure.pdf b/2016-Spring/Pentesting/Metasploit_and_Disclosure.pdf deleted file mode 100644 index 755f0f7..0000000 Binary files a/2016-Spring/Pentesting/Metasploit_and_Disclosure.pdf and /dev/null differ diff --git a/2016-Spring/Pentesting/README.md b/2016-Spring/Pentesting/README.md deleted file mode 100644 index 1c165a2..0000000 --- a/2016-Spring/Pentesting/README.md +++ /dev/null @@ -1,7 +0,0 @@ -### Setup -Please checkout the setup section [here](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/README.md) to be able to replicate the things to try - -[Metasploitable](https://information.rapid7.com/metasploitable-download.html?LS=1631875&CS=web) - -["Download](https://community.rapid7.com/docs/DOC-1875) - 
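Review bot: The second Rapid7 link in Pentesting/README.md is malformed: `["Download](https://community.rapid7.com/docs/DOC-1875)` has a stray quote inside the link text and no title, so it renders literally. "Please checkout the setup section" should read "check out", and the sentence should say what "the things to try" are (the Metasploitable VM, from the link that follows).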
diff --git a/2016-Spring/Python_Exploitation/README.md b/2016-Spring/Python_Exploitation/README.md deleted file mode 100644 index f42d36a..0000000 --- a/2016-Spring/Python_Exploitation/README.md +++ /dev/null @@ -1,14 +0,0 @@ -### Python examples of bad programming practice - -#### Learn Python -* Read through: - * [intro_to_python.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/intro_to_python.md) - * [beyond_math.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/beyond_math.md) - * [risky_python.md](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Python_Exploitation/risky_python.md) -* Want to learn more? Check [this out](learnpythonthehardway.org/book/) - -#### Homework -* Try to exploit all of the programs here -* If you get stuck on exec2, [read this writeup](https://hexplo.it/escaping-the-csawctf-python-sandbox/) -* Find the flags on this site: isislab.pythonanywhere.com -* The source code is in exploit_app/ diff --git a/2016-Spring/Python_Exploitation/beyond_math.md b/2016-Spring/Python_Exploitation/beyond_math.md deleted file mode 100644 index 063aa79..0000000 --- a/2016-Spring/Python_Exploitation/beyond_math.md +++ /dev/null 
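Review bot: The "Want to learn more?" link in Python_Exploitation/README.md is `learnpythonthehardway.org/book/` with no scheme, so Markdown renders it as a path relative to the repository and it 404s; use `http://learnpythonthehardway.org/book/`. The homework lists isislab.pythonanywhere.com as bare text rather than a link, and the intro/beyond_math/risky_python links point at the 2015-Fall tree even though 2016-Spring carries its own copies of intro_to_python.md and beyond_math.md.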
@@ -1,33 +0,0 @@ -# Beyond Math -## Strings -In addition to math, Python also has what are known as strings. Strings are letters, words, sentences, paragraphs, or even essays. Anything that is based off of a letter is a string. - -For example, -```python -x = "string" -``` -stores the value "string" in x. - -As you've probably guessed, Python has an understanding of what kind of data it is working with at a given time. This is known as its typing system. Each type has its own special properties and rules about how it can be mixed with other types. It's somewhat similar to how Pokemon and their moves have types. - -For example, you can add two integers by doing `2 + 2` and you will receive 4. But adding two strings `"2"+"2"` will give you `"22"`. The addition operator combined or, as the cool kids call it, concatenated the strings together since adding strings together mathematically doesn't make sense. - -Then the question would be, how do strings and integers interact? - -Try `2 + "2"` - -You should receive something discussing a `TypeError`. This is because the string type and the integer type cannot be added together. It doesn't even make sense. - -Instead we can perform what's known as a cast and convert the type of one of the operands. We can use `int()` to convert the `"2" to 2` which is not a string and will be added together to get `4`. - -> #### int(x=0) -> Convert a number or string x to an integer, or return 0 if no arguments are given. If x is a number, it can be a plain integer, a long integer, or a floating point number. - - -Or we can cast the integer to a string with `str()` which converts `2` to `"2"` which will be concatenated to create `"22"`. - -> #### str(object="") -> Return a string containing a nicely printable representation of an object. - -In the above example we introduce the int() and str() built-in functions. These functions are bundled into Python and are there for your use. - 
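Review bot: In beyond_math.md the sentence "We can use `int()` to convert the `"2" to 2` which is not a string" has the backticks in the wrong place; it should read that `int("2")` converts `"2"` to `2`. The quoted `int` docstring is Python 2's (it mentions long integers) and the rest of this tree uses `raw_input` and `print` statements; state the Python version at the top so readers on Python 3 know why the built-in help they see differs.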
diff --git a/2016-Spring/Python_Exploitation/exec1.py b/2016-Spring/Python_Exploitation/exec1.py deleted file mode 100644 index 6f8fa6e..0000000 --- a/2016-Spring/Python_Exploitation/exec1.py +++ /dev/null @@ -1,3 +0,0 @@ -while True: - data = raw_input(">>> ") - exec data diff --git a/2016-Spring/Python_Exploitation/exec2.py b/2016-Spring/Python_Exploitation/exec2.py deleted file mode 100644 index aef4a28..0000000 --- a/2016-Spring/Python_Exploitation/exec2.py +++ /dev/null @@ -1,17 +0,0 @@ -banned = [ - "subprocess", - "kevin sucks", - "banned", - "cry sum more", - "sys" -] - -while True: - data = raw_input(">>> ") - - for no in banned: - if no.lower() in data.lower(): - print "No bueno" - break - else: # this means nobreak - exec data diff --git a/2016-Spring/Python_Exploitation/exploit_app/app.py b/2016-Spring/Python_Exploitation/exploit_app/app.py deleted file mode 100644 index d733d9e..0000000 --- a/2016-Spring/Python_Exploitation/exploit_app/app.py +++ /dev/null @@ -1,20 +0,0 @@ -from flask import Flask, render_template, request -app = Flask(__name__) - -# Try to print this out to you -flag = "flag{nice_you_won_:3}" -# If you get that, try to print out flag.txt -# HINT: If you get an error or debug page, read what it says -# HINT: you will have to use subprocess: -# http://stackoverflow.com/questions/4760215/running-shell-command-from-python-and-capturing-the-output - -@app.route('/', methods=['GET', 'POST']) -def do_thing(): - if request.method == 'POST': - out = eval(request.form["runme"]) - return render_template('index.html', output=out) - else: - return render_template('index.html', output=None) - -if __name__ == "__main__": - app.run(debug=True) diff --git a/2016-Spring/Python_Exploitation/exploit_app/flag.txt b/2016-Spring/Python_Exploitation/exploit_app/flag.txt deleted file mode 100644 index 64ea0bf..0000000 --- a/2016-Spring/Python_Exploitation/exploit_app/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{nice_you_can_print_files} 
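Review bot: exploit_app/app.py evaluates `request.form["runme"]` with `eval` and runs with `debug=True`, which is the point of the exercise (the hint tells the reader to read the Werkzeug debug page), but neither the file nor the README says it must only be started on the loopback interface, which is what `app.run(debug=True)` binds to by default; add that note and never pass `host="0.0.0.0"` here. `request.form["runme"]` raises a 400 if the field is missing instead of reaching the eval, which is fine but worth a comment. The eval result goes through `render_template`, so Jinja's autoescape for `.html` templates HTML-escapes `{{ output }}`; say so, since that is the one thing this app does right.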
diff --git a/2016-Spring/Python_Exploitation/exploit_app/templates/index.html b/2016-Spring/Python_Exploitation/exploit_app/templates/index.html deleted file mode 100644 index f00cd29..0000000 --- a/2016-Spring/Python_Exploitation/exploit_app/templates/index.html +++ /dev/null @@ -1,33 +0,0 @@ - - - Fun with Python - - - - - -
-
-
-

JUST DO IT

-
-
-
- -
-
-
- - -
-
- {% if output %} -

Your output is...

- {{ output }} - {% endif %} -
-
-
- - - diff --git a/2016-Spring/Python_Exploitation/flag.txt b/2016-Spring/Python_Exploitation/flag.txt deleted file mode 100644 index 6e7a7df..0000000 --- a/2016-Spring/Python_Exploitation/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{lol_money} diff --git a/2016-Spring/Python_Exploitation/input1.py b/2016-Spring/Python_Exploitation/input1.py deleted file mode 100644 index c54929b..0000000 --- a/2016-Spring/Python_Exploitation/input1.py +++ /dev/null @@ -1,10 +0,0 @@ -import random - -x = random.randrange(100) - -y = input() -while x != y: - print "Nuh uh" - y = input() - -print "YOU DID IT :D" diff --git a/2016-Spring/Python_Exploitation/input2.py b/2016-Spring/Python_Exploitation/input2.py deleted file mode 100644 index 6119233..0000000 --- a/2016-Spring/Python_Exploitation/input2.py +++ /dev/null @@ -1,17 +0,0 @@ -print "Welcome to mystery math!" - -flag = "this_is_a_flag" - -# 1 byte = a number from 0 to 255 - -while True: - x = input("Enter number 1> ") - x = (x*x) + (ord(flag[0]) * ord(flag[1])) + (ord(flag[2]) * x) - print "x is =", x - y = input("Enter number 2> ") - print "y is =",y - if round(x) == round(x): - print "Here ya go! ", flag - exit(0) - else: - print "Your lucky number is ", x - y diff --git a/2016-Spring/Python_Exploitation/input3.py b/2016-Spring/Python_Exploitation/input3.py deleted file mode 100644 index e5ebb5b..0000000 --- a/2016-Spring/Python_Exploitation/input3.py +++ /dev/null 
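Review bot: In input2.py the check `if round(x) == round(x):` compares x with itself and is therefore always true, so every run prints the flag on the first iteration and the `Your lucky number is` branch is dead; `round(x) == round(y)` is presumably what was meant. Separately, `input()` (Python 2) evaluates the typed text, and the `x*x` arithmetic on whatever it returns is the intended lesson of this file, so a comment marking it as deliberate would keep a future maintainer from "fixing" it to `raw_input`.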
@@ -1,35 +0,0 @@ -from random import randint - -def printpegs(code): - print " --------------------- " - print " |", - for c in code: - print c, "|", - print "" - print " --------------------- " - -print "Master Mind Game" - -flag = "this_is_a_flag" - -mm_code = (randint(0,9), randint(0,9), randint(0,9), randint(0,9), randint(0,9)) -print "I've set my code. Guess it!" - -print "Rules: You should input your guesses as 5 digits separated by commas." -print " I will respond by marking the correct digits with a 2, marking" -print " digits in the wrong place with a 1, and marking wrong digits 0." - -while True: - guess = input('guess> ') - if len(guess) != 5: - print "You must guess a 5-digit code!" - continue - - printpegs(guess) - - right = map(lambda x,y: (x == y) + (x in mm_code), guess, mm_code) - printpegs(right) - - if guess == mm_code: - print "You got it right!" - exit(0) diff --git a/2016-Spring/Python_Exploitation/input4.py b/2016-Spring/Python_Exploitation/input4.py deleted file mode 100644 index 3c276e4..0000000 --- a/2016-Spring/Python_Exploitation/input4.py +++ /dev/null @@ -1,29 +0,0 @@ -from os import path -del __builtins__.__dict__['__import__'] -del __builtins__.__dict__['reload'] - -print "Welcome to the food menu!" -choices = ( - ("Chicken Asada Burrito", 7.69, "caburrito.txt"), - ("Beef Chow Mein", 6.69, "beefchow.txt"), - ("MeatBurger Deluxe", 10.49, "no description"), - # ... -) - -def print_description(n): - print "" - if n >= len(choices): - print "No such item!" - elif not path.exists(choices[n][2]): - print "No description yet, but we promise it's tasty!" - else: - print open(choices[n][2]).read() - -def show_menu(): - for i in xrange(len(choices)): - print "[% 2d] $% 3.2f %s" % (i, choices[i][1], choices[i][0]) - -while True: - print "Which description do you want to read?" - show_menu() - print_description(input('> ')) \ No newline at end of file 
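Review bot: in the input4.py hunk, `print_description()` rejects `n >= len(choices)` but not negative `n`, so `-1` silently indexes `choices[-1]`; since `n` comes from `input()` (which evaluates the text), the function should check `isinstance(n, int) and 0 <= n < len(choices)` before indexing. Separately, `del __builtins__.__dict__['__import__']` runs after `from os import path`, so the already-bound `path` module (and `path.os`) remains reachable; that is presumably the point of the exercise, but a comment in the file saying so would keep the intent from being "fixed" later.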
diff --git a/2016-Spring/Python_Exploitation/intro_to_python.md b/2016-Spring/Python_Exploitation/intro_to_python.md deleted file mode 100644 index 62bac19..0000000 --- a/2016-Spring/Python_Exploitation/intro_to_python.md +++ /dev/null 
@@ -1,44 +0,0 @@ -# Intro to Python // Setup -Python is one of the most popular programming languages in the world. It is a great introductory language praised for it's readability, ease of use, and versatility. -## Setup -You can download Python at [the Python website](https://www.python.org/downloads/), but if you use Linux, OSX, or something in that vein, you probably have a version of Python installed. You can go into your terminal and type in `python` to drop into the Python interpreter. - -If you're on Windows, download Python, install it, and find the IDLE program in your start menu. Run IDLE and you will find a similar environment. - -From within the Python interpreter we can interact with Python and play with code immediately. The interpreter can act as a playground for our code and by entering code and hitting Enter, we can immediately see the results of our code. -## First Steps -For example, try entering `2 + 2` and hit enter. You should get back `4`. Standard math right? - -Here we have two `2`'s. They are known to computer scientists as integers. We also have the `+` sign. This is known to computer scientists as an operator. - -Besides addition, we can do all sorts of math from within Python. -### Math -Python supports these mathematics operators: - -* `+` - addition `2 + 2` -* `-` - subtraction `4 - 2` or negation `-2` -* `*` - multiplication `2 * 2` -* `/` - children's division (rounds every number down) `5 / 3` -* `%` - remainder or, as the cool kids call it, modulus `5 % 3` -* `**` - exponent 2 ** 3 - -You can use Python as a rudimentary calculator using just these operators. - -We can also create variables in Python to store values. - -Try typing in `x = 2` and then typing in `print x` - -You should receive `2` - -`print` is a Python statement which outputs your data to what's known as `standard output`, `standard out`, or `stdout`. 
`print` is very valuable for seeing data that you've generated or for checking the value of a variable when debugging. - -### Variables and Assignment -Here we also introduce the idea of assignment. - -We are assigning the variable `x` the value of `2` by using the equals sign or assignment operator (`=`). In reality, Python's variables are more like names for data but that's a discussion for later. - -Now that we've assigned `x` the value of `2` we can perform operations on `x` as if it was `2`. That means instead of `2 + 2` you can type in `x + 2` and you will receive back `4`. - -We can also chain all these operators to do slightly more complex mathematics. `x = 2 + 3 * 6`. This expression evaluates out the value of `20` and stores it in `x`. Order of operations (PEMDAS) applies. We can be more explicit about the order and say `x = 2 + (3 * 6)`. - -And also if we wanted to do operations with x but not have to type it out twice (like this: `x = x + 2`) we can use a short cut by typing `x += 2`. This same shortcut can be done with all the other mathematics operators we've discussed. diff --git a/2016-Spring/Python_Exploitation/risky_python.md b/2016-Spring/Python_Exploitation/risky_python.md deleted file mode 100644 index 542dd62..0000000 --- a/2016-Spring/Python_Exploitation/risky_python.md +++ /dev/null 
@@ -1,30 +0,0 @@ -# Risky Python -There are some dangerous things that exist in Python that we want to avoid. - -Two of these are the function `eval()` and the statement exec. - -`eval()` interprets a string as code, essentially allowing a Python program to run Python code within itself. It evaluates an expression and returns the return value. - -`x = eval(2+2)` stores `4` in `x`. `eval()` also has access to all the already defined variables and existing functions. Essentially if it's an expression, `eval()` can evaluate it. - -`exec` is similar except it allows for the execution of statements and does not return anything. - -`exec "print 'asdf'"` will simply print `asdf`. - -Now although it may seem simple, and it is, what happens when we allow user input to go into `eval()` or `exec`? - -For example, the `input()` function takes user input and runs it through `eval()`. It's basically `eval(raw_input())`. - -How could `input()` be exploited to gain a shell on the system? We can't import other modules with the import keyword, but is there some way that we can import other modules without using the keyword? - -The answer is surprisingly, yes. - -`__import__('math')` will import the module and return it. Using that we can bring other code into the currently running script meaning we can bring things like the os module or even the code module to allow for higher level access. - -This `__import__()` trick can be used to take advantage of most `eval()`s that accepted unfiltered user input. - -Two other functions that can be used are the `locals()` and `globals()` functions. - -These functions allow us to see and set currently existing variables. - -###### Python introduction by Kevin Chung diff --git a/2016-Spring/README.md b/2016-Spring/README.md deleted file mode 100644 index f0e235f..0000000 --- a/2016-Spring/README.md +++ /dev/null 
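Review bot: in the risky_python.md hunk, `x = eval(2+2)` is wrong as written: `eval()` takes a string (or code object), so `eval(2+2)` is `eval(4)` and raises TypeError; the example should read `x = eval("2+2")`. The closing claim that `locals()` and `globals()` let us "see and set" existing variables only holds for `globals()`: the dict returned by `locals()` inside a function is a snapshot, and the Python docs state that modifying it may not affect the interpreter's local variables, so that sentence should be limited to `globals()` or qualified.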
@@ -1,16 +0,0 @@ -# Hack Night - Spring 2016 - -## Topics -* Python Exploitation -* Network Reconnaissance -* Web Exploitation -* Introduction to C -* Reverse Engineering -* Binary Exploitation - -## Setup -In order to do most of the things talked about, you are going to need some sort of Linux virtual machine. First, if you don't already have one, you will need some sort of Virtual Machine software. We suggest either [VMware Player](https://my.vmware.com/web/vmware/free#desktop_end_user_computing/vmware_player/7_0) (preferable if you have Windows), [VMware Fusion](http://www.vmware.com/products/fusion/) (preferable if you have a Mac), or [Virtual Box](https://www.virtualbox.org/) (any operating system and free). - -You will also need to download a linux distribution (our personal suggestion is [Kali Linux](https://www.offensive-security.com/kali-linux-vmware-arm-image-download/), just pick the download for the software you have), and [here's some reading about Linux](http://lifehacker.com/5778882/getting-started-with-linux-the-complete-guide)). - -You are going to want to learn a basic level of command line knowledge and for that you can check [this out](http://www.davidbaumgold.com/tutorials/command-line/). If you want a more in depth tutorial check [this out](https://www.codeacademy.com/courses/learn-the-command-line). diff --git a/2016-Spring/Recon_Networking/README.md b/2016-Spring/Recon_Networking/README.md deleted file mode 100644 index e7cd723..0000000 --- a/2016-Spring/Recon_Networking/README.md +++ /dev/null @@ -1 +0,0 @@ -# Recon / Networking diff --git a/2016-Spring/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx b/2016-Spring/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx deleted file mode 100644 index 9022c79..0000000 Binary files a/2016-Spring/Recon_Networking/communicating-on-networks/Interacting with Computers on Networks.pptx and /dev/null differ 
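Review bot: in the 2016-Spring/README.md hunk, the "more in depth" command-line tutorial link points at `codeacademy.com`; the site is `codecademy.com` (no second "a"), so the link as written does not resolve to the intended course and should be corrected wherever this README is kept.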
diff --git a/2016-Spring/Recon_Networking/communicating-on-networks/README.md b/2016-Spring/Recon_Networking/communicating-on-networks/README.md deleted file mode 100644 index 45d0dc3..0000000 --- a/2016-Spring/Recon_Networking/communicating-on-networks/README.md +++ /dev/null 
@@ -1,99 +0,0 @@ -# Interacting with Computers on Networks - -## Slides -[Download](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/Recon_Networking/communicating-on-networks/Interacting%20with%20Computers%20on%20Networks.pptx?raw=true) - -## Additional Resources -* [Introduction to Networking](http://www.net-intro.com/) (Recommended reading) -* [Using NetCat](https://www.digitalocean.com/community/tutorials/how-to-use-netcat-to-establish-and-test-tcp-and-udp-connections-on-a-vps) -* [Using NMAP Part 1](https://www.youtube.com/watch?v=Bn36zoApLm4) -* [Using NMAP Part 2](https://www.youtube.com/watch?v=nr10P55AlKc) - -## Things to Try -### Setup -Please checkout the setup section [here](https://github.com/isislab/Hack-Night/blob/master/2015-Fall/README.md) to be able to replicate the things to try - -### Try it out -Note: When we tell you to type a command, disregard everything before the `#`. You should already see something similar in your terminal. -Open up a terminal (press ctrl+alt+t or click on the black icon on the top of the screen) and type: -```bash -ping 8.8.8.8 -``` -This command will try to talk to Google's Public DNS if you start seeing something like this: -```bash -root@kali:~# ping 8.8.8.8 -PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data. -64 bytes from 8.8.8.8: icmp_req=1 ttl=128 time=2.93 ms -64 bytes from 8.8.8.8: icmp_req=2 ttl=128 time=2.91 ms -64 bytes from 8.8.8.8: icmp_req=3 ttl=128 time=3.08 ms -64 bytes from 8.8.8.8: icmp_req=4 ttl=128 time=2.82 ms -64 bytes from 8.8.8.8: icmp_req=5 ttl=128 time=2.80 ms -``` -Then you know that you are both connected to the Internet and Google's DNS Server is up :D - -If you want to see the path that your traffic takes from your computer to Google (what routers it goes to) try this: -```bash -root@kali:~# traceroute 8.8.8.8 -traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets - 1 172-16-76-2.DYNAPOOL.NYU.EDU (172.16.76.2) 0.234 ms 0.127 ms 0.141 ms - 2 * * * -... 
-``` -Note: you might get a lot of asterisks in your command output, that is most likely because one of the routers your traffic visits prevents you from doing `traceroute` on them. - -Netcat was also talked about during Hack Night and it is a really neat tool. To test out how it works try this: -1. Type this command: -``` -root@kali:~# nc www.google.com 80 -``` -2. Once you hit enter, it should look like it is trying to do something. This means that you are connected to Google and it is waiting for you to tell it to do something. So let's tell it to do something. Type the following and hit enter: -``` -GET / -``` -3. You should now see a bunch of HTML code streaming down your screen. You just visited Google's homepage! This is basically what your browser does everytime you tell it to get a page :D - -Another cool thing to try is opening another terminal window (press ctrl+shift+t) and typing: -``` -root@kali:~# nc -l -p 1337 127.0.0.1 -``` -And then click on the previous terminal window you were in and type: -``` -root@kali:~# nc 127.0.0.1 1337 -``` -And then start typing random words. Now check back at the new tab you opened. You should start seeing the same words poping up there. - -Essentially what you did was open a port on the localhost IP address (127.0.0.1 aka your computer). Netcat was then listening for any connections made to it. Once you connected to it and sent it somethings it printed them out. To stop them press ctrl+c in both terminal windows. - -Lastly, there was another cool tool called Nmap that was talked about. 
To test this out first have one terminal window open and type the same command from the last section: -``` -root@kali:~# nc -l -p 1337 127.0.0.1 -``` -In the other window type: -``` -root@kali:~# nmap -v -sT -p-2000 127.0.0.1 -``` -You should then see something similar to the follow: -``` -Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-12 16:23 EDT -Initiating Connect Scan at 16:23 -Scanning localhost (127.0.0.1) [2000 ports] -Discovered open port 111/tcp on 127.0.0.1 -Discovered open port 1337/tcp on 127.0.0.1 -Completed Connect Scan at 16:23, 0.03s elapsed (2000 total ports) -Nmap scan report for localhost (127.0.0.1) -Host is up (0.0014s latency). -Other addresses for localhost (not scanned): 127.0.0.1 -Not shown: 1998 closed ports -PORT STATE SERVICE -111/tcp open rpcbind -1337/tcp open waste - -Read data files from: /usr/bin/../share/nmap -Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds - Raw packets sent: 0 (0B) | Rcvd: 0 (0B) -``` -The command tells nmap to try to connect to all ports 1 to 2000 and it will report back with its results. -Notice that nmap found the 1337 port open? That is because you opened it yourself! - -If you followed along, you should by now have a good idea about what tools professionals use to test networks :D - diff --git a/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf b/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf deleted file mode 100644 index 3ef77d9..0000000 Binary files a/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pdf and /dev/null differ diff --git a/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx b/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx deleted file mode 100644 index c026a9d..0000000 Binary files a/2016-Spring/Recon_Networking/mitm-wireless-hacking/HN- Networking.pptx and /dev/null differ 
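Review bot: in the communicating-on-networks/README.md hunk, both the slides link and the setup link point at `2015-Fall/...` paths while the file itself sits under `2016-Spring/`; if this README is being moved rather than dropped, make the links relative (`./Interacting%20with%20Computers%20on%20Networks.pptx`, `../../README.md`) so they stop depending on a specific semester directory. Minor: the netcat section says to open "another terminal window (press ctrl+shift+t)" and then refers to "the new tab"; ctrl+shift+t opens a tab, so use one word consistently.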
diff --git a/2016-Spring/Recon_Networking/mitm-wireless-hacking/README.md b/2016-Spring/Recon_Networking/mitm-wireless-hacking/README.md deleted file mode 100644 index d5fbfc1..0000000 --- a/2016-Spring/Recon_Networking/mitm-wireless-hacking/README.md +++ /dev/null @@ -1,14 +0,0 @@ -## Steps for Hacking People on a Network -do not do this on actual networks, only do this locally on your own network - -1. Get on the Network -[Cracking a WEP password](https://www.youtube.com/watch?v=RydsjNhUjdg) - -2. Find Computers and Steal their Traffic -[Intercepting people's traffic with a Man in the Middle attack](https://www.youtube.com/watch?v=TDhGpAZ5IGg) - -3. Getting Around Encrypted Traffic -[Getting to know SSLStrip](https://www.youtube.com/watch?v=MFol6IMbZ7Y) - -4. Look for Passwords in their Traffic -[Using Wireshark to find passwords](https://www.youtube.com/watch?v=r0l_54thSYU) diff --git a/2016-Spring/Recon_Networking/network-scanner/arp_scan.py b/2016-Spring/Recon_Networking/network-scanner/arp_scan.py deleted file mode 100644 index 20c263a..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/arp_scan.py +++ /dev/null @@ -1,16 +0,0 @@ -#!/usr/bin/env python - -import sys -from scapy.all import * - -if len(sys.argv) != 2: - print "Usage: python arp-scan.py 192.168.1.0/24" - sys.exit(1) - -try: - alive,dead=srp(Ether(dst="ff:ff:ff:ff:ff:ff")/ARP(pdst=sys.argv[1]), timeout=2, verbose=0) - print "MAC - IP" - for i in range(0,len(alive)): - print alive[i][1].hwsrc + " - " + alive[i][1].psrc -except: - pass diff --git a/2016-Spring/Recon_Networking/network-scanner/arp_sniffer.c b/2016-Spring/Recon_Networking/network-scanner/arp_sniffer.c deleted file mode 100644 index 2f7c354..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/arp_sniffer.c +++ /dev/null 
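Review bot: in the arp_scan.py hunk, the bare `except: pass` around `srp()` swallows every failure, including the permission error Scapy raises when the script is not run as root, so a non-root run prints nothing and exits 0 as if the subnet were empty; catch only what you expect, or at least print the exception and exit non-zero. The usage string also says `arp-scan.py` while the file is `arp_scan.py`, and `for i in range(0, len(alive))` reads more naturally as `for sent, received in alive:` with `received.hwsrc` and `received.psrc`.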
@@ -1,118 +0,0 @@ -/* Simple ARP Sniffer. */ -/* Author: Luis Martin Garcia. luis.martingarcia [.at.] gmail [d0t] com */ -/* To compile: gcc arpsniffer.c -o arpsniff -lpcap */ -/* Run as root! */ -/* */ -/* This code is distributed under the GPL License. For more info check: */ -/* http://www.gnu.org/copyleft/gpl.html */ - -#include -#include -#include - -/* ARP Header, (assuming Ethernet+IPv4) */ -#define ARP_REQUEST 1 /* ARP Request */ -#define ARP_REPLY 2 /* ARP Reply */ -typedef struct arphdr { - u_int16_t htype; /* Hardware Type */ - u_int16_t ptype; /* Protocol Type */ - u_char hlen; /* Hardware Address Length */ - u_char plen; /* Protocol Address Length */ - u_int16_t oper; /* Operation Code */ - u_char sha[6]; /* Sender hardware address */ - u_char spa[4]; /* Sender IP address */ - u_char tha[6]; /* Target hardware address */ - u_char tpa[4]; /* Target IP address */ -}arphdr_t; - -#define MAXBYTES2CAPTURE 2048 - - - -int main(int argc, char *argv[]){ - - int i=0; - bpf_u_int32 netaddr=0, mask=0; /* To Store network address and netmask */ - struct bpf_program filter; /* Place to store the BPF filter program */ - char errbuf[PCAP_ERRBUF_SIZE]; /* Error buffer */ - pcap_t *descr = NULL; /* Network interface handler */ - struct pcap_pkthdr pkthdr; /* Packet information (timestamp,size...) */ - const unsigned char *packet=NULL; /* Received raw data */ - arphdr_t *arpheader = NULL; /* Pointer to the ARP header */ - memset(errbuf,0,PCAP_ERRBUF_SIZE); - -if (argc != 2){ - printf("USAGE: arpsniffer \n"); - exit(1); -} - /* Open network device for packet capture */ - if ((descr = pcap_open_live(argv[1], MAXBYTES2CAPTURE, 0, 512, errbuf))==NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Look up info from the capture device. 
*/ - if( pcap_lookupnet( argv[1] , &netaddr, &mask, errbuf) == -1){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Compiles the filter expression into a BPF filter program */ -if ( pcap_compile(descr, &filter, "arp", 1, mask) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - - /* Load the filter program into the packet capture device. */ - if (pcap_setfilter(descr,&filter) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - - - while(1){ - - if ( (packet = pcap_next(descr,&pkthdr)) == NULL){ /* Get one packet */ - fprintf(stderr, "ERROR: Error getting the packet.\n", errbuf); - exit(1); - } - - arpheader = (struct arphdr *)(packet+14); /* Point to the ARP header */ - - printf("\n\nReceived Packet Size: %d bytes\n", pkthdr.len); - printf("Hardware type: %s\n", (ntohs(arpheader->htype) == 1) ? "Ethernet" : "Unknown"); - printf("Protocol type: %s\n", (ntohs(arpheader->ptype) == 0x0800) ? "IPv4" : "Unknown"); - printf("Operation: %s\n", (ntohs(arpheader->oper) == ARP_REQUEST)? "ARP Request" : "ARP Reply"); - - /* If is Ethernet and IPv4, print packet contents */ - if (ntohs(arpheader->htype) == 1 && ntohs(arpheader->ptype) == 0x0800){ - printf("Sender MAC: "); - - for(i=0; i<6;i++) - printf("%02X:", arpheader->sha[i]); - - printf("\nSender IP: "); - - for(i=0; i<4;i++) - printf("%d.", arpheader->spa[i]); - - printf("\nTarget MAC: "); - - for(i=0; i<6;i++) - printf("%02X:", arpheader->tha[i]); - - printf("\nTarget IP: "); - - for(i=0; i<4; i++) - printf("%d.", arpheader->tpa[i]); - - printf("\n"); - - } - - } - -return 0; - -} -/* EOF */ diff --git a/2016-Spring/Recon_Networking/network-scanner/ping.py b/2016-Spring/Recon_Networking/network-scanner/ping.py deleted file mode 100644 index ee8f9b3..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/ping.py +++ /dev/null 
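Review bot: in the arp_sniffer.c hunk, treating a NULL return from `pcap_next()` as fatal is wrong: `pcap_next()` also returns NULL when the read timeout (the 512 ms passed to `pcap_open_live()`) expires with no matching packet, so the sniffer exits on an idle network; use `pcap_next_ex()` and distinguish 0 (timeout) from -1 (error). The message on that path, `fprintf(stderr, "ERROR: Error getting the packet.\n", errbuf);`, also passes `errbuf` to a format with no conversion, and `errbuf` is never written by `pcap_next()`. Finally, the code casts `packet+14` to the ARP header and reads `sha`/`spa`/`tha`/`tpa` without checking `pkthdr.caplen >= 14 + sizeof(arphdr_t)`, which reads past the captured buffer on a truncated frame.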
@@ -1,227 +0,0 @@ -#!/usr/bin/env python - -""" - A pure python ping implementation using raw socket. - - - Note that ICMP messages can only be sent from processes running as root. - - - Derived from ping.c distributed in Linux's netkit. That code is - copyright (c) 1989 by The Regents of the University of California. - That code is in turn derived from code written by Mike Muuss of the - US Army Ballistic Research Laboratory in December, 1983 and - placed in the public domain. They have my thanks. - - Bugs are naturally mine. I'd be glad to hear about them. There are - certainly word - size dependenceies here. - - Copyright (c) Matthew Dixon Cowles, . - Distributable under the terms of the GNU General Public License - version 2. Provided with no warranties of any sort. - - Original Version from Matthew Dixon Cowles: - -> ftp://ftp.visi.com/users/mdc/ping.py - - Rewrite by Jens Diemer: - -> http://www.python-forum.de/post-69122.html#69122 - - Rewrite by George Notaras: - -> http://www.g-loaded.eu/2009/10/30/python-ping/ - - Revision history - ~~~~~~~~~~~~~~~~ - - November 8, 2009 - ---------------- - Improved compatibility with GNU/Linux systems. - - Fixes by: - * George Notaras -- http://www.g-loaded.eu - Reported by: - * Chris Hallman -- http://cdhallman.blogspot.com - - Changes in this release: - - Re-use time.time() instead of time.clock(). The 2007 implementation - worked only under Microsoft Windows. Failed on GNU/Linux. - time.clock() behaves differently under the two OSes[1]. - - [1] http://docs.python.org/library/time.html#time.clock - - May 30, 2007 - ------------ - little rewrite by Jens Diemer: - - change socket asterisk import to a normal import - - replace time.time() with time.clock() - - delete "return None" (or change to "return" only) - - in checksum() rename "str" to "source_string" - - November 22, 1997 - ----------------- - Initial hack. 
Doesn't do much, but rather than try to guess - what features I (or others) will want in the future, I've only - put in what I need now. - - December 16, 1997 - ----------------- - For some reason, the checksum bytes are in the wrong order when - this is run under Solaris 2.X for SPARC but it works right under - Linux x86. Since I don't know just what's wrong, I'll swap the - bytes always and then do an htons(). - - December 4, 2000 - ---------------- - Changed the struct.pack() calls to pack the checksum and ID as - unsigned. My thanks to Jerome Poincheval for the fix. - - - Last commit info: - ~~~~~~~~~~~~~~~~~ - $LastChangedDate: $ - $Rev: $ - $Author: $ -""" - - -import os, sys, socket, struct, select, time - -# From /usr/include/linux/icmp.h; your milage may vary. -ICMP_ECHO_REQUEST = 8 # Seems to be the same on Solaris. - - -def checksum(source_string): - """ - I'm not too confident that this is right but testing seems - to suggest that it gives the same answers as in_cksum in ping.c - """ - sum = 0 - countTo = (len(source_string)/2)*2 - count = 0 - while count> 16) + (sum & 0xffff) - sum = sum + (sum >> 16) - answer = ~sum - answer = answer & 0xffff - - # Swap bytes. Bugger me if I know why. - answer = answer >> 8 | (answer << 8 & 0xff00) - - return answer - - -def receive_one_ping(my_socket, ID, timeout): - """ - receive the ping from the socket. 
- """ - timeLeft = timeout - while True: - startedSelect = time.time() - whatReady = select.select([my_socket], [], [], timeLeft) - howLongInSelect = (time.time() - startedSelect) - if whatReady[0] == []: # Timeout - return - - timeReceived = time.time() - recPacket, addr = my_socket.recvfrom(1024) - icmpHeader = recPacket[20:28] - type, code, checksum, packetID, sequence = struct.unpack( - "bbHHh", icmpHeader - ) - if packetID == ID: - bytesInDouble = struct.calcsize("d") - timeSent = struct.unpack("d", recPacket[28:28 + bytesInDouble])[0] - return timeReceived - timeSent - - timeLeft = timeLeft - howLongInSelect - if timeLeft <= 0: - return - - -def send_one_ping(my_socket, dest_addr, ID): - """ - Send one ping to the given >dest_addr<. - """ - dest_addr = socket.gethostbyname(dest_addr) - - # Header is type (8), code (8), checksum (16), id (16), sequence (16) - my_checksum = 0 - - # Make a dummy heder with a 0 checksum. - header = struct.pack("bbHHh", ICMP_ECHO_REQUEST, 0, my_checksum, ID, 1) - bytesInDouble = struct.calcsize("d") - data = (192 - bytesInDouble) * "Q" - data = struct.pack("d", time.time()) + data - - # Calculate the checksum on the data and the dummy header. - my_checksum = checksum(header + data) - - # Now that we have the right checksum, we put that in. It's just easier - # to make up a new header than to stuff it into the dummy. - header = struct.pack( - "bbHHh", ICMP_ECHO_REQUEST, 0, socket.htons(my_checksum), ID, 1 - ) - packet = header + data - my_socket.sendto(packet, (dest_addr, 1)) # Don't know about the 1 - - -def do_one(dest_addr, timeout): - """ - Returns either the delay (in seconds) or none on timeout. - """ - icmp = socket.getprotobyname("icmp") - try: - my_socket = socket.socket(socket.AF_INET, socket.SOCK_RAW, icmp) - except socket.error, (errno, msg): - if errno == 1: - # Operation not permitted - msg = msg + ( - " - Note that ICMP messages can only be sent from processes" - " running as root." 
- ) - raise socket.error(msg) - raise # raise the original error - - my_ID = os.getpid() & 0xFFFF - - send_one_ping(my_socket, dest_addr, my_ID) - delay = receive_one_ping(my_socket, my_ID, timeout) - - my_socket.close() - return delay - - -def verbose_ping(dest_addr, timeout = 2, count = 4): - """ - Send >count< ping to >dest_addr< with the given >timeout< and display - the result. - """ - for i in xrange(count): - print "ping %s..." % dest_addr, - try: - delay = do_one(dest_addr, timeout) - except socket.gaierror, e: - print "failed. (socket error: '%s')" % e[1] - break - - if delay == None: - print "failed. (timeout within %ssec.)" % timeout - else: - delay = delay * 1000 - print "get ping in %0.4fms" % delay - print - - -if __name__ == '__main__': - verbose_ping("heise.de") - verbose_ping("google.com") - verbose_ping("a-test-url-taht-is-not-available.com") - verbose_ping("192.168.1.1") diff --git a/2016-Spring/Recon_Networking/network-scanner/scanner.cpp b/2016-Spring/Recon_Networking/network-scanner/scanner.cpp deleted file mode 100644 index c8365e0..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/scanner.cpp +++ /dev/null 
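Review bot: in the ping.py hunk, `do_one()` calls `my_socket.close()` only on the success path, so any exception raised by `send_one_ping()` or `receive_one_ping()` leaks the raw socket; wrap the send/receive in `try: ... finally: my_socket.close()`. `receive_one_ping()` also hard-codes the ICMP header at `recPacket[20:28]`, which assumes a 20-byte IP header with no options; deriving the offset from the IHL nibble (`(ord(recPacket[0]) & 0x0F) * 4`) makes it correct in general. The file is Python 2 only (`except socket.error, (errno, msg)`, `print` statements), consistent with the rest of this directory.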
@@ -1,131 +0,0 @@ -/* - * Scans ports on a given IP - * */ - -#include -#include -#include -#include -#include -#include -#include - -static bool port_is_open(const std::string& address, int port) -{ - return (sf::SocketTCP().connect(address, port) == sf::Socket::Done); -} - -static std::vector split(const std::string& string, - char delimiter = ' ', - bool allow_empty = false) -{ - std::vector tokens; - std::stringstream sstream(string); - std::string token; - while (std::getline(sstream, token, delimiter)) { - if (allow_empty || token.size() > 0) - tokens.push_back(token); - } - return tokens; -} - -static int string_to_int(const std::string& string) -{ - std::stringstream sstream(string); - int i; - sstream >> i; - return i; -} - -template -static void swap(T& a, T& b) -{ - T c = a; - a = b; - b = c; -} - -template -static std::vector range(T min, T max) -{ - if (min > max) - swap(min, max); - if (min == max) - return std::vector(1, min); - std::vector values; - for (; min <= max; ++min) - values.push_back(min); - return values; -} - -static std::vector parse_ports_list(const std::string& list) -{ - std::vector ports; - for (const std::string& token : split(list, ',')) { - std::vector strrange = split(token, '-'); - switch (strrange.size()) { - case 0: ports.push_back(string_to_int(token)); break; - case 1: ports.push_back(string_to_int(strrange[0])); break; - case 2: - { - int min = string_to_int(strrange[0]), - max = string_to_int(strrange[1]); - for (int port : range(min, max)) - ports.push_back(port); - break; - } - default: - break; - } - } - return ports; -} - -template -static T maximum(const std::vector& values) -{ - T max = values[0]; - for (T value : values) { - if (value > max) - max = value; - } - return max; -} - -template -static size_t digits(T value) -{ - size_t count = (value < 0) ? 
1 : 0; - if (value == 0) - return 0; - while (value) { - value /= 10; - ++count; - }; - return count; -} - -int main(int argc, char* argv[]) -{ - std::string address; - std::vector ports; - if (argc == 3) { - address = argv[1]; - ports = parse_ports_list(std::string(argv[2])); - } else { - std::string port_list; - std::cout << "Address: " << std::flush; - std::getline(std::cin, address); - std::cout << "Port: " << std::flush; - std::getline(std::cin, port_list); - ports = parse_ports_list(port_list); - } - std::cout << "Showing open ports on " << address << "...\n"; - size_t width = digits(maximum(ports)); - for (int port : ports) { - if (port_is_open(address, port)) - std::cout << "Port " << std::setw(width) << port << " : OPEN\n"; - } - std::cout << std::flush; - return 0; -} diff --git a/2016-Spring/Recon_Networking/network-scanner/scanner.py b/2016-Spring/Recon_Networking/network-scanner/scanner.py deleted file mode 100644 index a44c068..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/scanner.py +++ /dev/null 
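Review bot: in the scanner.cpp hunk, `parse_ports_list()` never validates what it parses: `string_to_int()` returns 0 (C++11) or an uninitialized `i` (earlier standards) when `>>` fails on a non-numeric token, and nothing checks that the resulting ports lie in 1..65535, so `80,abc` or `0-70000` is passed straight to `connect()`. Also, `maximum()` reads `values[0]` unconditionally, so an empty or fully-rejected port list (for example an empty string at the `Port:` prompt) is undefined behaviour in `main()` at `digits(maximum(ports))`; reject an empty list up front.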
@@ -1,52 +0,0 @@ - -# importing libraries to help us do math things and socket things -import socket, ping -from struct import unpack, pack - -# if any of these functions are confusing, read the socket documentation: -# https://docs.python.org/2.7/library/socket.html?highlight=socket#module-socket -my_ip = socket.gethostbyname(socket.gethostname()) -print "My computer IP address:", my_ip -my_deets = socket.gethostbyname_ex(socket.gethostname()) -print "My computer details:", my_deets - -# https://www.digitalocean.com/community/tutorials/understanding-ip-addresses-subnets-and-cidr-notation-for-networking -subnet_mask = "255.255.255.0" - -def ip2long(ip): - """ - Convert an IP string to long - """ - return unpack(">L", socket.inet_aton(ip))[0] - -def long2ip(ip): - """ - Convert a long to IP string - """ - return socket.inet_ntoa(pack('!L', ip)) - -# Applying the subnet mask to our IP -addr = ip2long(my_ip) -mask = ip2long("255.255.255.0") -prefix = addr & mask - -print "Base address for network", long2ip(prefix) - -# Get the number of possible computers on our network -all_computers = ip2long("255.255.255.255") -num_computers = all_computers ^ mask - -# Go through each computer -for ip_suffix in range(num_computers): - # Try to ping a computer on the network - test_ip = long2ip(prefix + ip_suffix) - try: - print "[*] Checking to see if host is up..." - timeout = ping.do_one(test_ip, 1) - print timeout - if timeout != None: - print "[+] Host is there:", test_ip - print "-"*100 - except socket.error, e: - print "[-] Host not there:", test_ip - diff --git a/2016-Spring/Recon_Networking/network-scanner/simple_listener.c b/2016-Spring/Recon_Networking/network-scanner/simple_listener.c deleted file mode 100644 index 5353518..0000000 --- a/2016-Spring/Recon_Networking/network-scanner/simple_listener.c +++ /dev/null 
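Review bot: in the scanner.py hunk, the `except socket.error` branch prints `[-] Host not there` for any socket error, but `ping.do_one()` raises `socket.error` with the "can only be sent from processes running as root" message when the raw socket cannot be opened, so a non-root run reports every address on the subnet as down instead of failing once; check for the permission error before the loop, or let it propagate. Smaller points: `subnet_mask` is defined and then ignored (`mask = ip2long("255.255.255.0")` hard-codes the same value), and `print timeout` prints the round-trip delay returned by `do_one()`, not the timeout.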
@@ -1,78 +0,0 @@ -/* Simple Raw Sniffer */ -/* Author: Luis Martin Garcia. luis.martingarcia [.at.] gmail [d0t] com */ -/* To compile: gcc simplesniffer.c -o simplesniffer -lpcap */ -/* Run as root! */ -/* */ -/* This code is distributed under the GPL License. For more info check: */ -/* http://www.gnu.org/copyleft/gpl.html */ - -#include -#include -#include - -#define MAXBYTES2CAPTURE 2048 - - -/* processPacket(): Callback function called by pcap_loop() everytime a packet */ -/* arrives to the network card. This function prints the captured raw data in */ -/* hexadecimal. */ -void processPacket(u_char *arg, const struct pcap_pkthdr* pkthdr, const u_char * packet){ - - int i=0, *counter = (int *)arg; - - printf("Packet Count: %d\n", ++(*counter)); - printf("Received Packet Size: %d\n", pkthdr->len); - printf("Payload:\n"); - for (i=0; ilen; i++){ - - if ( isprint(packet[i]) ) /* If it is a printable character, print it */ - printf("%c ", packet[i]); - else - printf(". "); - - if( (i%16 == 0 && i!=0) || i==pkthdr->len-1 ) - printf("\n"); - } - return; -} - - - -/* main(): Main function. Opens network interface and calls pcap_loop() */ -int main(int argc, char *argv[] ){ - - int i=0, count=0; - pcap_t *descr = NULL; - char errbuf[PCAP_ERRBUF_SIZE], *device=NULL; - memset(errbuf,0,PCAP_ERRBUF_SIZE); - - if( argc > 1){ /* If user supplied interface name, use it. 
*/ - device = argv[1]; - } - else{ /* Get the name of the first device suitable for capture */ - - if ( (device = pcap_lookupdev(errbuf)) == NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - } - - printf("Opening device %s\n", device); - - /* Open device in promiscuous mode */ - if ( (descr = pcap_open_live(device, MAXBYTES2CAPTURE, 1, 512, errbuf)) == NULL){ - fprintf(stderr, "ERROR: %s\n", errbuf); - exit(1); - } - - /* Loop forever & call processPacket() for every received packet*/ - if ( pcap_loop(descr, -1, processPacket, (u_char *)&count) == -1){ - fprintf(stderr, "ERROR: %s\n", pcap_geterr(descr) ); - exit(1); - } - -return 0; - -} - -/* EOF*/ diff --git a/2016-Spring/Reverse_Engineering/README.md b/2016-Spring/Reverse_Engineering/README.md deleted file mode 100644 index 5e6bc85..0000000 --- a/2016-Spring/Reverse_Engineering/README.md +++ /dev/null @@ -1 +0,0 @@ -# Reverse Engineering \ No newline at end of file diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/Makefile deleted file mode 100644 index 3b3bdad..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -graphic: graphic.c - gcc -o graphic graphic.c -O0 -m32 -g diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/README.md b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/README.md deleted file mode 100644 index 26bba13..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/README.md +++ /dev/null @@ -1,8 +0,0 @@ - -reverse the program to find a tree structure and see that the program traverses this tree given a certain input - -the goal is for the user to provide an input that generates a value that is the same - -possible solution: LRLLRRRLLRLRLRRRLLLRRLRLRLLLRLLLLRRRLRLL - - 
diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/flag.txt b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/flag.txt deleted file mode 100644 index 122ab47..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{th3r3_and_b4ck_again} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic deleted file mode 100755 index a2c06d4..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic.c b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic.c deleted file mode 100644 index d2f6930..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/graphic.c +++ /dev/null 
@@ -1,99 +0,0 @@ -#include -#include -#include -#include -#define BUFFERSIZE 64 - -struct node { - struct node* left; - int value; - struct node* right; -}; - -void get_password() { - FILE *fp; - char *password; - unsigned int file_size; - - fp = fopen("flag.txt", "r"); - - fseek(fp, 0L, SEEK_END); - file_size = ftell(fp); - fseek(fp, 0L, SEEK_SET); - - password = (char *) malloc(file_size); - - fscanf(fp, "%s", password); - printf("%s\n", password ); - fflush(stdout); - - free(password); -} - -int main() { - int endValue = 1984717964; - char path[64]; - struct node paths[] = { - {&paths[18], 0xdeadbeef, &paths[5]}, - {&paths[13], 0xcafebabe, &paths[4]}, - {&paths[4], 0xdeadbabe, &paths[15]}, - {&paths[2], 0x8badf00d, &paths[16]}, - {&paths[9], 0xb16b00b5, &paths[20]}, - {&paths[8], 0xcafed00d, &paths[21]}, - {&paths[5], 0xdeadc0de, &paths[13]}, - {&paths[7], 0xdeadfa11, &paths[18]}, - {&paths[10], 0xdefec8ed, &paths[2]}, - {&paths[11], 0xdeadfeed, &paths[9]}, - {&paths[21], 0xfee1dead, &paths[8]}, - {&paths[20], 0xfaceb00b, &paths[14]}, - {&paths[19], 0xfacefeed, &paths[12]}, - {&paths[17], 0x000ff1ce, &paths[6]}, - {&paths[16], 0x12345678, &paths[3]}, - {&paths[15], 0x743029ab, &paths[0]}, - {&paths[1], 0xdeed1234, &paths[1]}, - {&paths[0], 0x00000000, &paths[17]}, - {&paths[3], 0x11111111, &paths[19]}, - {&paths[6], 0x11111112, &paths[1]}, - {&paths[12], 0x11111113, &paths[7]}, - {&paths[14], 0x42424242, &paths[10]}, - }; - - puts("You stumble into Mirkwood Forest without a map."); - puts("Without any sense of direction you look around in despair as you remember these woods are littered with the unforgiving Wood Elves and giant spiders."); - puts("You begin to try different paths in hopes that one of them will lead you out of the woods."); - fflush(stdout); - - fgets(path, BUFFERSIZE, stdin); - - struct node* step = &paths[0]; - int value = step->value; - - int i; - for (i = 0; i < BUFFERSIZE; i++) { - if (path[i] == 'L') { - step = step->left; - } else if 
(path[i] == 'R') { - step = step->right; - } else if (path[i] == '\0' || path[i] == '\n') { - break; - } - - printf("You found a: %x!\n", step->value); - fflush(stdout); - value ^= step->value; - } - - printf("At the end of your journey, your value became: %d\n", value); - - if (value == endValue) { - puts("You made it out alive!"); - fflush(stdout); - get_password(); - } else { - puts("You were eaten by spiders :c"); - puts("Game Over"); - fflush(stdout); - } - - return 0; -} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt deleted file mode 100644 index f2a53ba..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/challenge_info.txt +++ /dev/null @@ -1,5 +0,0 @@ -Challenge Name: Graphic - -Description: - -Hint: diff --git a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/graphic b/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/graphic deleted file mode 100755 index a2c06d4..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/Graphic/release/graphic and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/README.md b/2016-Spring/Reverse_Engineering/using-gdb/README.md deleted file mode 100644 index ffaf438..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/README.md +++ /dev/null @@ -1 +0,0 @@ -Using a disassembler we see a whole bunch of functions in an array and they are all called. Break after the loop and print out flag. diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/crackme1/Makefile deleted file mode 100644 index a603818..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -O0 -g 
diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme b/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme deleted file mode 100755 index 3a51864..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme.c b/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme.c deleted file mode 100644 index 39a5aba..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/crackme.c +++ /dev/null @@ -1,13 +0,0 @@ - -#include - -int main() -{ - int x = 0; - - if (x) { - puts("You did it! :)"); - } else { - puts("Nope, you didn't do it :("); - } -} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/patch.py b/2016-Spring/Reverse_Engineering/using-gdb/crackme1/patch.py deleted file mode 100644 index cf4e81f..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/crackme1/patch.py +++ /dev/null @@ -1,28 +0,0 @@ -import sys, os, stat - -# seq are the bytes you want to replace -# Ex: seq = "\xBB\x08\x00\x00\x00\xEB\x14\x0F\x1F\x40\x00\x8B\x48\x2C\x39\xD9" -seq = "\xc7\x44\x24\x1c\x00\x00\x00\x00" -rep_seq = "\xc7\x44\x24\x1c\xef\xbe\xad\xde" - -def main(): - if len(sys.argv) < 1: - print "[*] Usage: %s " - return - - file_in = sys.argv[1] - - with open(file_in, "rb") as f: - prog = f.read() - - prog = prog.replace(seq, rep_seq) - - with open(file_in, "wb") as f: - f.write(prog) - - st = os.stat(file_in) - os.chmod(file_in, st.st_mode | stat.S_IEXEC) - -if __name__ == "__main__": - main() - diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/crackme2/Makefile deleted file mode 100644 index c82d74d..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -g 
diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme b/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme deleted file mode 100755 index 30d3895..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme.c b/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme.c deleted file mode 100644 index 6885bce..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/crackme2/crackme.c +++ /dev/null @@ -1,38 +0,0 @@ -#include -#include -#include - -typedef unsigned u_int; - -u_int do_hash_thing(unsigned char *str) { - u_int i, hash, len, tmp, shift; - - hash = 0xcafebabe; - len = strlen((char *) str); - len = len > 32 ? 32 : len; - - for (i = 0; i < len; i++) { - shift = (i % 4) * sizeof(u_int) * 2; - printf("[DEBUG] %d\n", shift); - tmp = str[i] << shift; - hash ^= tmp; - printf("[DEBUG] 0x%08x\n", hash); - } - - return hash; -} - -int main() -{ - char input[256]; - - printf("Can you crack me?: "); - fgets(input, 256, stdin); - - if (do_hash_thing((unsigned char *) input) == 0xdeadbeef) { - printf("You good brah\n"); - } - else { - printf("Check yo self\n"); - } -} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/simple/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/simple/Makefile deleted file mode 100644 index 0bb661a..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/simple/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -simple: simple.c - gcc -o simple simple.c -m32 -g diff --git a/2016-Spring/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt b/2016-Spring/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt deleted file mode 100644 index 9627211..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/simple/peda-session-simple.txt +++ /dev/null @@ -1,2 +0,0 @@ -break simple.c:7 - 
diff --git a/2016-Spring/Reverse_Engineering/using-gdb/simple/simple b/2016-Spring/Reverse_Engineering/using-gdb/simple/simple deleted file mode 100755 index 930fb22..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/simple/simple and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/simple/simple.c b/2016-Spring/Reverse_Engineering/using-gdb/simple/simple.c deleted file mode 100644 index 6faea61..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/simple/simple.c +++ /dev/null @@ -1,13 +0,0 @@ - -int look_imma_function(int parameter1, char* parameter2) { - return 0xdeadbeef; -} - -int main() { - int x = 0x42; - char *string = "Cool beans\x00"; - - look_imma_function(x, string); - - return 0; -} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/Makefile deleted file mode 100644 index c82d74d..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -crackme: crackme.c - gcc -o crackme crackme.c -m32 -g diff --git a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c b/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c deleted file mode 100644 index 6faea61..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb/using_gdb.c +++ /dev/null @@ -1,13 +0,0 @@ - -int look_imma_function(int parameter1, char* parameter2) { - return 0xdeadbeef; -} - -int main() { - int x = 0x42; - char *string = "Cool beans\x00"; - - look_imma_function(x, string); - - return 0; -} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.key b/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.key deleted file mode 100644 index 888f102..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.key and /dev/null differ 
diff --git a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf b/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf deleted file mode 100644 index ce7f6de..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/using_gdb_presentation.pdf and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/Makefile b/2016-Spring/Reverse_Engineering/using-gdb/varrick/Makefile deleted file mode 100644 index 20c0171..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/Makefile +++ /dev/null @@ -1,2 +0,0 @@ -varrick: varrick.c - gcc -o varrick varrick.c -O0 -m32 -std=c99 diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/README.md b/2016-Spring/Reverse_Engineering/using-gdb/varrick/README.md deleted file mode 100644 index ffaf438..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/README.md +++ /dev/null @@ -1 +0,0 @@ -Using a disassembler we see a whole bunch of functions in an array and they are all called. Break after the loop and print out flag. diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/flag.txt b/2016-Spring/Reverse_Engineering/using-gdb/varrick/flag.txt deleted file mode 100644 index 466205a..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/flag.txt +++ /dev/null @@ -1 +0,0 @@ -flag{l0k_hype_1s_too_r3al} diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt b/2016-Spring/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt deleted file mode 100644 index 453aa05..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/peda-session-varrick.txt +++ /dev/null @@ -1,2 +0,0 @@ -break julie_do_the_thing - diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/sol.py b/2016-Spring/Reverse_Engineering/using-gdb/varrick/sol.py deleted file mode 100644 index 76bb3f4..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/sol.py +++ /dev/null 
@@ -1,261 +0,0 @@ -def thank_you_0(): return 0x0 -def thank_you_1(): return 0x1 -def thank_you_2(): return 0x2 -def thank_you_3(): return 0x3 -def thank_you_4(): return 0x4 -def thank_you_5(): return 0x5 -def thank_you_6(): return 0x6 -def thank_you_7(): return 0x7 -def thank_you_8(): return 0x8 -def thank_you_9(): return 0x9 -def thank_you_10(): return 0xa -def thank_you_11(): return 0xb -def thank_you_12(): return 0xc -def thank_you_13(): return 0xd -def thank_you_14(): return 0xe -def thank_you_15(): return 0xf -def thank_you_16(): return 0x10 -def thank_you_17(): return 0x11 -def thank_you_18(): return 0x6f -def thank_you_19(): return 0x13 -def thank_you_20(): return 0x14 -def thank_you_21(): return 0x15 -def thank_you_22(): return 0x16 -def thank_you_23(): return 0x17 -def thank_you_24(): return 0x18 -def thank_you_25(): return 0x19 -def thank_you_26(): return 0x1a -def thank_you_27(): return 0x1b -def thank_you_28(): return 0x1c -def thank_you_29(): return 0x1d -def thank_you_30(): return 0x1e -def thank_you_31(): return 0x1f -def thank_you_32(): return 0x20 -def thank_you_33(): return 0x21 -def thank_you_34(): return 0x22 -def thank_you_35(): return 0x23 -def thank_you_36(): return 0x24 -def thank_you_37(): return 0x25 -def thank_you_38(): return 0x26 -def thank_you_39(): return 0x27 -def thank_you_40(): return 0x28 -def thank_you_41(): return 0x29 -def thank_you_42(): return 0x2a -def thank_you_43(): return 0x2b -def thank_you_44(): return 0x2c -def thank_you_45(): return 0x2d -def thank_you_46(): return 0x2e -def thank_you_47(): return 0x2f -def thank_you_48(): return 0x30 -def thank_you_49(): return 0x31 -def thank_you_50(): return 0x32 -def thank_you_51(): return 0x33 -def thank_you_52(): return 0x34 -def thank_you_53(): return 0x35 -def thank_you_54(): return 0x36 -def thank_you_55(): return 0x37 -def thank_you_56(): return 0x38 -def thank_you_57(): return 0x39 -def thank_you_58(): return 0x3a -def thank_you_59(): return 0x3b -def thank_you_60(): return 
0x3c -def thank_you_61(): return 0x3d -def thank_you_62(): return 0x3e -def thank_you_63(): return 0x3f -def thank_you_64(): return 0x40 -def thank_you_65(): return 0x41 -def thank_you_66(): return 0x42 -def thank_you_67(): return 0x43 -def thank_you_68(): return 0x44 -def thank_you_69(): return 0x45 -def thank_you_70(): return 0x46 -def thank_you_71(): return 0x47 -def thank_you_72(): return 0x48 -def thank_you_73(): return 0x49 -def thank_you_74(): return 0x4a -def thank_you_75(): return 0x4b -def thank_you_76(): return 0x4c -def thank_you_77(): return 0x4d -def thank_you_78(): return 0x4e -def thank_you_79(): return 0x4f -def thank_you_80(): return 0x50 -def thank_you_81(): return 0x51 -def thank_you_82(): return 0x52 -def thank_you_83(): return 0x53 -def thank_you_84(): return 0x54 -def thank_you_85(): return 0x55 -def thank_you_86(): return 0x56 -def thank_you_87(): return 0x57 -def thank_you_88(): return 0x58 -def thank_you_89(): return 0x59 -def thank_you_90(): return 0x5a -def thank_you_91(): return 0x5b -def thank_you_92(): return 0x5c -def thank_you_93(): return 0x5d -def thank_you_94(): return 0x5e -def thank_you_95(): return 0x5f -def thank_you_96(): return 0x60 -def thank_you_97(): return 0x61 -def thank_you_98(): return 0x62 -def thank_you_99(): return 0x63 -def thank_you_100(): return 0x64 -def thank_you_101(): return 0x65 -def thank_you_102(): return 0x6c -def thank_you_103(): return 0x67 -def thank_you_104(): return 0x68 -def thank_you_105(): return 0x69 -def thank_you_106(): return 0x6a -def thank_you_107(): return 0x6b -def thank_you_108(): return 0x66 -def thank_you_109(): return 0x6d -def thank_you_110(): return 0x6e -def thank_you_111(): return 0x12 -def thank_you_112(): return 0x70 -def thank_you_113(): return 0x71 -def thank_you_114(): return 0x72 -def thank_you_115(): return 0x73 -def thank_you_116(): return 0x74 -def thank_you_117(): return 0x75 -def thank_you_118(): return 0x76 -def thank_you_119(): return 0x77 -def thank_you_120(): 
return 0x78 -def thank_you_121(): return 0xd3 -def thank_you_122(): return 0x7a -def thank_you_123(): return 0x7b -def thank_you_124(): return 0x7c -def thank_you_125(): return 0x7d -def thank_you_126(): return 0x7e -def thank_you_127(): return 0x7f -def thank_you_128(): return 0x80 -def thank_you_129(): return 0x81 -def thank_you_130(): return 0x82 -def thank_you_131(): return 0x83 -def thank_you_132(): return 0x84 -def thank_you_133(): return 0x85 -def thank_you_134(): return 0x86 -def thank_you_135(): return 0x87 -def thank_you_136(): return 0x88 -def thank_you_137(): return 0x89 -def thank_you_138(): return 0x8a -def thank_you_139(): return 0x8b -def thank_you_140(): return 0x8c -def thank_you_141(): return 0x8d -def thank_you_142(): return 0x8e -def thank_you_143(): return 0x8f -def thank_you_144(): return 0x90 -def thank_you_145(): return 0x91 -def thank_you_146(): return 0x92 -def thank_you_147(): return 0x93 -def thank_you_148(): return 0x94 -def thank_you_149(): return 0x95 -def thank_you_150(): return 0x96 -def thank_you_151(): return 0x97 -def thank_you_152(): return 0x98 -def thank_you_153(): return 0x99 -def thank_you_154(): return 0x9a -def thank_you_155(): return 0x9b -def thank_you_156(): return 0x9c -def thank_you_157(): return 0x9d -def thank_you_158(): return 0x9e -def thank_you_159(): return 0x9f -def thank_you_160(): return 0xa0 -def thank_you_161(): return 0xa1 -def thank_you_162(): return 0xa2 -def thank_you_163(): return 0xa3 -def thank_you_164(): return 0xa4 -def thank_you_165(): return 0xa5 -def thank_you_166(): return 0xa6 -def thank_you_167(): return 0xa7 -def thank_you_168(): return 0xa8 -def thank_you_169(): return 0xa9 -def thank_you_170(): return 0xaa -def thank_you_171(): return 0xab -def thank_you_172(): return 0xac -def thank_you_173(): return 0xad -def thank_you_174(): return 0xae -def thank_you_175(): return 0xaf -def thank_you_176(): return 0xb0 -def thank_you_177(): return 0xb1 -def thank_you_178(): return 0xb2 -def 
thank_you_179(): return 0xb3 -def thank_you_180(): return 0xb4 -def thank_you_181(): return 0xb5 -def thank_you_182(): return 0xb6 -def thank_you_183(): return 0xb7 -def thank_you_184(): return 0xb8 -def thank_you_185(): return 0xb9 -def thank_you_186(): return 0xba -def thank_you_187(): return 0xbb -def thank_you_188(): return 0xbc -def thank_you_189(): return 0xbd -def thank_you_190(): return 0xbe -def thank_you_191(): return 0xbf -def thank_you_192(): return 0xc0 -def thank_you_193(): return 0xc1 -def thank_you_194(): return 0xc2 -def thank_you_195(): return 0xc3 -def thank_you_196(): return 0xc4 -def thank_you_197(): return 0xc5 -def thank_you_198(): return 0xc6 -def thank_you_199(): return 0xc7 -def thank_you_200(): return 0xc8 -def thank_you_201(): return 0xc9 -def thank_you_202(): return 0xca -def thank_you_203(): return 0xcb -def thank_you_204(): return 0xcc -def thank_you_205(): return 0xcd -def thank_you_206(): return 0xce -def thank_you_207(): return 0xcf -def thank_you_208(): return 0xd0 -def thank_you_209(): return 0xd1 -def thank_you_210(): return 0xd2 -def thank_you_211(): return 0x79 -def thank_you_212(): return 0xd4 -def thank_you_213(): return 0xd5 -def thank_you_214(): return 0xd6 -def thank_you_215(): return 0xd7 -def thank_you_216(): return 0xd8 -def thank_you_217(): return 0xd9 -def thank_you_218(): return 0xda -def thank_you_219(): return 0xdb -def thank_you_220(): return 0xdc -def thank_you_221(): return 0xdd -def thank_you_222(): return 0xde -def thank_you_223(): return 0xdf -def thank_you_224(): return 0xe0 -def thank_you_225(): return 0xe1 -def thank_you_226(): return 0xe2 -def thank_you_227(): return 0xe3 -def thank_you_228(): return 0xe4 -def thank_you_229(): return 0xe5 -def thank_you_230(): return 0xe6 -def thank_you_231(): return 0xe7 -def thank_you_232(): return 0xe8 -def thank_you_233(): return 0xe9 -def thank_you_234(): return 0xea -def thank_you_235(): return 0xeb -def thank_you_236(): return 0xec -def thank_you_237(): return 
0xed -def thank_you_238(): return 0xee -def thank_you_239(): return 0xef -def thank_you_240(): return 0xf0 -def thank_you_241(): return 0xf1 -def thank_you_242(): return 0xf2 -def thank_you_243(): return 0xf3 -def thank_you_244(): return 0xf4 -def thank_you_245(): return 0xf5 -def thank_you_246(): return 0xf6 -def thank_you_247(): return 0xf7 -def thank_you_248(): return 0xf8 -def thank_you_249(): return 0xf9 -def thank_you_250(): return 0xfa -def thank_you_251(): return 0xfb -def thank_you_252(): return 0xfc -def thank_you_253(): return 0xfd -def thank_you_254(): return 0xfe - -funcs = [thank_you_108(), thank_you_102(), thank_you_97(), thank_you_103(), thank_you_123(), thank_you_102(), thank_you_48(), thank_you_107(), thank_you_95(), thank_you_104(), thank_you_211(), thank_you_112(), thank_you_101(), thank_you_95(), thank_you_49(), thank_you_115(), thank_you_95(), thank_you_116(), thank_you_18(), thank_you_18(), thank_you_95(), thank_you_114(), thank_you_51(), thank_you_97(), thank_you_102(), thank_you_125()] - -flag = ['{}'.format(chr(a)) for a in funcs] - -print ''.join(flag) diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick b/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick deleted file mode 100755 index 31ae075..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick and /dev/null differ diff --git a/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick.c b/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick.c deleted file mode 100644 index 1bc7047..0000000 --- a/2016-Spring/Reverse_Engineering/using-gdb/varrick/varrick.c +++ /dev/null 
@@ -1,302 +0,0 @@ -#include -#include -#include - -char thank_you_0() { return 0x0; } -char thank_you_1() { return 0x1; } -char thank_you_2() { return 0x2; } -char thank_you_3() { return 0x3; } -char thank_you_4() { return 0x4; } -char thank_you_5() { return 0x5; } -char thank_you_6() { return 0x6; } -char thank_you_7() { return 0x7; } -char thank_you_8() { return 0x8; } -char thank_you_9() { return 0x9; } -char thank_you_10() { return 0xa; } -char thank_you_11() { return 0xb; } -char thank_you_12() { return 0xc; } -char thank_you_13() { return 0xd; } -char thank_you_14() { return 0xe; } -char thank_you_15() { return 0xf; } -char thank_you_16() { return 0x10; } -char thank_you_17() { return 0x11; } -char thank_you_18() { return 0x6f; } -char thank_you_19() { return 0x13; } -char thank_you_20() { return 0x14; } -char thank_you_21() { return 0x15; } -char thank_you_22() { return 0x16; } -char thank_you_23() { return 0x17; } -char thank_you_24() { return 0x18; } -char thank_you_25() { return 0x19; } -char thank_you_26() { return 0x1a; } -char thank_you_27() { return 0x1b; } -char thank_you_28() { return 0x1c; } -char thank_you_29() { return 0x1d; } -char thank_you_30() { return 0x1e; } -char thank_you_31() { return 0x1f; } -char thank_you_32() { return 0x20; } -char thank_you_33() { return 0x21; } -char thank_you_34() { return 0x22; } -char thank_you_35() { return 0x23; } -char thank_you_36() { return 0x24; } -char thank_you_37() { return 0x25; } -char thank_you_38() { return 0x26; } -char thank_you_39() { return 0x27; } -char thank_you_40() { return 0x28; } -char thank_you_41() { return 0x29; } -char thank_you_42() { return 0x2a; } -char thank_you_43() { return 0x2b; } -char thank_you_44() { return 0x2c; } -char thank_you_45() { return 0x2d; } -char thank_you_46() { return 0x2e; } -char thank_you_47() { return 0x2f; } -char thank_you_48() { return 0x30; } -char thank_you_49() { return 0x31; } -char thank_you_50() { return 0x32; } -char thank_you_51() { return 0x33; } 
-char thank_you_52() { return 0x34; } -char thank_you_53() { return 0x35; } -char thank_you_54() { return 0x36; } -char thank_you_55() { return 0x37; } -char thank_you_56() { return 0x38; } -char thank_you_57() { return 0x39; } -char thank_you_58() { return 0x3a; } -char thank_you_59() { return 0x3b; } -char thank_you_60() { return 0x3c; } -char thank_you_61() { return 0x3d; } -char thank_you_62() { return 0x3e; } -char thank_you_63() { return 0x3f; } -char thank_you_64() { return 0x40; } -char thank_you_65() { return 0x41; } -char thank_you_66() { return 0x42; } -char thank_you_67() { return 0x43; } -char thank_you_68() { return 0x44; } -char thank_you_69() { return 0x45; } -char thank_you_70() { return 0x46; } -char thank_you_71() { return 0x47; } -char thank_you_72() { return 0x48; } -char thank_you_73() { return 0x49; } -char thank_you_74() { return 0x4a; } -char thank_you_75() { return 0x4b; } -char thank_you_76() { return 0x4c; } -char thank_you_77() { return 0x4d; } -char thank_you_78() { return 0x4e; } -char thank_you_79() { return 0x4f; } -char thank_you_80() { return 0x50; } -char thank_you_81() { return 0x51; } -char thank_you_82() { return 0x52; } -char thank_you_83() { return 0x53; } -char thank_you_84() { return 0x54; } -char thank_you_85() { return 0x55; } -char thank_you_86() { return 0x56; } -char thank_you_87() { return 0x57; } -char thank_you_88() { return 0x58; } -char thank_you_89() { return 0x59; } -char thank_you_90() { return 0x5a; } -char thank_you_91() { return 0x5b; } -char thank_you_92() { return 0x5c; } -char thank_you_93() { return 0x5d; } -char thank_you_94() { return 0x5e; } -char thank_you_95() { return 0x5f; } -char thank_you_96() { return 0x60; } -char thank_you_97() { return 0x61; } -char thank_you_98() { return 0x62; } -char thank_you_99() { return 0x63; } -char thank_you_100() { return 0x64; } -char thank_you_101() { return 0x65; } -char thank_you_102() { return 0x6c; } -char thank_you_103() { return 0x67; } -char 
thank_you_104() { return 0x68; } -char thank_you_105() { return 0x69; } -char thank_you_106() { return 0x6a; } -char thank_you_107() { return 0x6b; } -char thank_you_108() { return 0x66; } -char thank_you_109() { return 0x6d; } -char thank_you_110() { return 0x6e; } -char thank_you_111() { return 0x12; } -char thank_you_112() { return 0x70; } -char thank_you_113() { return 0x71; } -char thank_you_114() { return 0x72; } -char thank_you_115() { return 0x73; } -char thank_you_116() { return 0x74; } -char thank_you_117() { return 0x75; } -char thank_you_118() { return 0x76; } -char thank_you_119() { return 0x77; } -char thank_you_120() { return 0x78; } -char thank_you_121() { return 0xd3; } -char thank_you_122() { return 0x7a; } -char thank_you_123() { return 0x7b; } -char thank_you_124() { return 0x7c; } -char thank_you_125() { return 0x7d; } -char thank_you_126() { return 0x7e; } -char thank_you_127() { return 0x7f; } -char thank_you_128() { return 0x80; } -char thank_you_129() { return 0x81; } -char thank_you_130() { return 0x82; } -char thank_you_131() { return 0x83; } -char thank_you_132() { return 0x84; } -char thank_you_133() { return 0x85; } -char thank_you_134() { return 0x86; } -char thank_you_135() { return 0x87; } -char thank_you_136() { return 0x88; } -char thank_you_137() { return 0x89; } -char thank_you_138() { return 0x8a; } -char thank_you_139() { return 0x8b; } -char thank_you_140() { return 0x8c; } -char thank_you_141() { return 0x8d; } -char thank_you_142() { return 0x8e; } -char thank_you_143() { return 0x8f; } -char thank_you_144() { return 0x90; } -char thank_you_145() { return 0x91; } -char thank_you_146() { return 0x92; } -char thank_you_147() { return 0x93; } -char thank_you_148() { return 0x94; } -char thank_you_149() { return 0x95; } -char thank_you_150() { return 0x96; } -char thank_you_151() { return 0x97; } -char thank_you_152() { return 0x98; } -char thank_you_153() { return 0x99; } -char thank_you_154() { return 0x9a; } -char 
thank_you_155() { return 0x9b; } -char thank_you_156() { return 0x9c; } -char thank_you_157() { return 0x9d; } -char thank_you_158() { return 0x9e; } -char thank_you_159() { return 0x9f; } -char thank_you_160() { return 0xa0; } -char thank_you_161() { return 0xa1; } -char thank_you_162() { return 0xa2; } -char thank_you_163() { return 0xa3; } -char thank_you_164() { return 0xa4; } -char thank_you_165() { return 0xa5; } -char thank_you_166() { return 0xa6; } -char thank_you_167() { return 0xa7; } -char thank_you_168() { return 0xa8; } -char thank_you_169() { return 0xa9; } -char thank_you_170() { return 0xaa; } -char thank_you_171() { return 0xab; } -char thank_you_172() { return 0xac; } -char thank_you_173() { return 0xad; } -char thank_you_174() { return 0xae; } -char thank_you_175() { return 0xaf; } -char thank_you_176() { return 0xb0; } -char thank_you_177() { return 0xb1; } -char thank_you_178() { return 0xb2; } -char thank_you_179() { return 0xb3; } -char thank_you_180() { return 0xb4; } -char thank_you_181() { return 0xb5; } -char thank_you_182() { return 0xb6; } -char thank_you_183() { return 0xb7; } -char thank_you_184() { return 0xb8; } -char thank_you_185() { return 0xb9; } -char thank_you_186() { return 0xba; } -char thank_you_187() { return 0xbb; } -char thank_you_188() { return 0xbc; } -char thank_you_189() { return 0xbd; } -char thank_you_190() { return 0xbe; } -char thank_you_191() { return 0xbf; } -char thank_you_192() { return 0xc0; } -char thank_you_193() { return 0xc1; } -char thank_you_194() { return 0xc2; } -char thank_you_195() { return 0xc3; } -char thank_you_196() { return 0xc4; } -char thank_you_197() { return 0xc5; } -char thank_you_198() { return 0xc6; } -char thank_you_199() { return 0xc7; } -char thank_you_200() { return 0xc8; } -char thank_you_201() { return 0xc9; } -char thank_you_202() { return 0xca; } -char thank_you_203() { return 0xcb; } -char thank_you_204() { return 0xcc; } -char thank_you_205() { return 0xcd; } -char 
thank_you_206() { return 0xce; } -char thank_you_207() { return 0xcf; } -char thank_you_208() { return 0xd0; } -char thank_you_209() { return 0xd1; } -char thank_you_210() { return 0xd2; } -char thank_you_211() { return 0x79; } -char thank_you_212() { return 0xd4; } -char thank_you_213() { return 0xd5; } -char thank_you_214() { return 0xd6; } -char thank_you_215() { return 0xd7; } -char thank_you_216() { return 0xd8; } -char thank_you_217() { return 0xd9; } -char thank_you_218() { return 0xda; } -char thank_you_219() { return 0xdb; } -char thank_you_220() { return 0xdc; } -char thank_you_221() { return 0xdd; } -char thank_you_222() { return 0xde; } -char thank_you_223() { return 0xdf; } -char thank_you_224() { return 0xe0; } -char thank_you_225() { return 0xe1; } -char thank_you_226() { return 0xe2; } -char thank_you_227() { return 0xe3; } -char thank_you_228() { return 0xe4; } -char thank_you_229() { return 0xe5; } -char thank_you_230() { return 0xe6; } -char thank_you_231() { return 0xe7; } -char thank_you_232() { return 0xe8; } -char thank_you_233() { return 0xe9; } -char thank_you_234() { return 0xea; } -char thank_you_235() { return 0xeb; } -char thank_you_236() { return 0xec; } -char thank_you_237() { return 0xed; } -char thank_you_238() { return 0xee; } -char thank_you_239() { return 0xef; } -char thank_you_240() { return 0xf0; } -char thank_you_241() { return 0xf1; } -char thank_you_242() { return 0xf2; } -char thank_you_243() { return 0xf3; } -char thank_you_244() { return 0xf4; } -char thank_you_245() { return 0xf5; } -char thank_you_246() { return 0xf6; } -char thank_you_247() { return 0xf7; } -char thank_you_248() { return 0xf8; } -char thank_you_249() { return 0xf9; } -char thank_you_250() { return 0xfa; } -char thank_you_251() { return 0xfb; } -char thank_you_252() { return 0xfc; } -char thank_you_253() { return 0xfd; } -char thank_you_254() { return 0xfe; } - -void julie_do_the_thing() { - char the_thing[26]; - void *things[26] = { - &thank_you_108, 
- &thank_you_102, - &thank_you_97, - &thank_you_103, - &thank_you_123, - &thank_you_102, - &thank_you_48, - &thank_you_107, - &thank_you_95, - &thank_you_104, - &thank_you_211, - &thank_you_112, - &thank_you_101, - &thank_you_95, - &thank_you_49, - &thank_you_115, - &thank_you_95, - &thank_you_116, - &thank_you_18, - &thank_you_18, - &thank_you_95, - &thank_you_114, - &thank_you_51, - &thank_you_97, - &thank_you_102, - &thank_you_125 - }; - - for (int i = 0; i < 26; i++) { - char (*thing)() = things[i]; - the_thing[i] = thing(); - } -} - -int main() { - julie_do_the_thing(); - puts("Nothing got printed out?"); - return 0; -} diff --git a/2016-Spring/Reverse_Engineering/using-ida/Using-IDA.key b/2016-Spring/Reverse_Engineering/using-ida/Using-IDA.key deleted file mode 100644 index adb550f..0000000 Binary files a/2016-Spring/Reverse_Engineering/using-ida/Using-IDA.key and /dev/null differ diff --git a/2016-Spring/Web_Exploitation/README.md b/2016-Spring/Web_Exploitation/README.md deleted file mode 100644 index 7d12e04..0000000 --- a/2016-Spring/Web_Exploitation/README.md +++ /dev/null @@ -1 +0,0 @@ -# Web Exploitation \ No newline at end of file diff --git a/2016-Spring/Web_Exploitation/cross_site_scripting/xss.pptx b/2016-Spring/Web_Exploitation/cross_site_scripting/xss.pptx deleted file mode 100644 index 944653f..0000000 Binary files a/2016-Spring/Web_Exploitation/cross_site_scripting/xss.pptx and /dev/null differ diff --git a/Crypto/Introduction to Cryptography.pdf b/Crypto/Introduction to Cryptography.pdf new file mode 100644 index 0000000..8d9e6da Binary files /dev/null and b/Crypto/Introduction to Cryptography.pdf differ diff --git a/Crypto/aead.py b/Crypto/aead.py new file mode 100644 index 0000000..0877331 --- /dev/null +++ b/Crypto/aead.py 
@@ -0,0 +1,22 @@ +#!/usr/bin/env python2.7 +""" +aead.py + + Simple example of AEAD with ChaCha20Poly1305 + +""" +import os +from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305 + +data = b"a secret message" +aad = b"authenticated but unencrypted data" + +# generate a random key and object instance +key = ChaCha20Poly1305.generate_key() +chacha = ChaCha20Poly1305(key) + +# create a random nonce +nonce = os.urandom(12) +ct = chacha.encrypt(nonce, data, aad) + +print(chacha.decrypt(nonce, ct, aad)) diff --git a/Crypto/caesar_bruteforce.py b/Crypto/caesar_bruteforce.py new file mode 100644 index 0000000..3294ff8 --- /dev/null +++ b/Crypto/caesar_bruteforce.py @@ -0,0 +1,35 @@ +#!/usr/bin/env python3 +""" +caesar_bruteforce.py + + Permutes shifts through every character of alphabet + against input message characters. +""" + +import sys + +LETTERS = "ABCDEFGHIJKLMNOPQRSTUVWXYZ" + +if __name__ == "__main__": + + # take an encrypted input message + message = sys.argv[1] + + for key in range(len(LETTERS)): + translated = "" + for symbol in message: + + # offset every letter in message by every letter in alphabet + if symbol in LETTERS: + + # get number position of symbol + num = LETTERS.find(symbol) + num = num - key + if num < 0: + num = num + len(LETTERS) + + translated = translated + LETTERS[num] + else: + translated = translated + symbol + + print("Key {} {}".format(key, translated)) diff --git a/Crypto/chosen_plaintext.py b/Crypto/chosen_plaintext.py new file mode 100644 index 0000000..fe811d9 --- /dev/null +++ b/Crypto/chosen_plaintext.py 
@@ -0,0 +1,97 @@ +#!/usr/bin/env python2.7 +""" +chosen_plaintext.py + + Demonstrates a challenge that involves encrypting blocks of information + using ECB, where the user has some level of control of the input, and sensitive + information exists within the blocks. +""" + +import os +import sys + +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + +KEY = os.urandom(16) +FLAG = "flag{ecb_1s_b4d}" + +def simple_pad(query): + query = query + 'A' + while len(query) % 16 != 0: + query = query + 'A' + return query + + +def encrypt(query): + query = query + FLAG + cipher = Cipher(algorithms.AES(KEY), modes.ECB(), backend=default_backend()) + aes_encrypt = cipher.encryptor() + + ct = aes_encrypt.update(simple_pad(query)) + aes_encrypt.finalize() + return ct.encode("hex") + + +def construct_query(first, last, age): + query = "query:" + query += str(int(age) * "0") + query += first + last + return encrypt(query) + + +def parse(ciphertext): + return [ + ciphertext[0:32], ciphertext[32:64], + ciphertext[64:96], ciphertext[96:128] + ] + + +def solve(): + flag = "" + + # server prepends 6 bytes of padding, so we add ten '0's to hit block boundary, + # and a full block of 'A's to represent first + last name + # + # First Name: AAAAA + # Last Name: AAAAA + # Age: 10 + cp = bytearray("query:0000000000" + "AAAAAAAAAAAAAAAA") + + insert_point = 16 + for i in range(0, 64): + + cp.insert(insert_point, '?') + + # iterate over characters + for b in range(0x20, 0x7E): + cp[insert_point] = chr(b) + + blocks = parse(encrypt(str(cp))) + print("{} <> {}".format(blocks[1], blocks[3])) + + # [query:0000000000] [AAAAAAAAAAAAAAAA] [flag{ecb_1s_b4d}] [] + # [query:0000000000] [?AAAAAAAAAAAAAAA] [Aflag{ecb_1s_b4d] [}] + # [query:0000000000] [??AAAAAAAAAAAAAA] [AAflag{ecb_1s_b4] [d}] + # [query:0000000000] [???AAAAAAAAAAAAA] [AAAflag{ecb_1s_b] [4d}] + + # check if the third block matches up with the first input 
block we control + if blocks[1] == blocks[3]: + flag = chr(b) + flag + break + + print("\n{}".format(flag)) + + +def main(): + if len(sys.argv) == 2: + if sys.argv[1] == "solve_me": + return solve() + + first = raw_input("First Name: ") + last = raw_input("Last Name: ") + age = raw_input("Age: ") + print("\n{}".format(construct_query(first, last, age))) + + +if __name__ == "__main__": + main() diff --git a/Crypto/ecb_insecurity.py b/Crypto/ecb_insecurity.py new file mode 100644 index 0000000..0f66cd2 --- /dev/null +++ b/Crypto/ecb_insecurity.py @@ -0,0 +1,30 @@ +#!/usr/bin/env python +import os +import binascii + +from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes +from cryptography.hazmat.backends import default_backend + +BLOCKLEN = 16 + +def blocks(data): + split = [binascii.hexlify(data[i:i+BLOCKLEN]) for i in range(0, len(data), BLOCKLEN)] + return ' '.join(split) + + +if __name__ == "__main__": + + # initialize a random key + k = os.urandom(16) + print 'k = %s' % binascii.hexlify(k) + + # create an instance of AES-128 to encrypt and decrypt + cipher = Cipher(algorithms.AES(k), modes.ECB(), backend=default_backend()) + aes_encrypt = cipher.encryptor() + + # repeating inputs + p = '\x12' * BLOCKLEN *2 + + # encrypt plaintext p to ciphertext c + c = aes_encrypt.update(p) + aes_encrypt.finalize() + print 'enc(%s) = %s' % (blocks(p), blocks(c)) diff --git a/Crypto/xor_bruteforce.py b/Crypto/xor_bruteforce.py new file mode 100644 index 0000000..7dc4179 --- /dev/null +++ b/Crypto/xor_bruteforce.py 
@@ -0,0 +1,53 @@ +#!/usr/bin/env python3 +""" +xor_bruteforce.py + + Performs a bruteforce attack against a single-byte XOR cipher, + and also performs character frequency analysis in order to aggregate + a frequency score. +""" + +import sys + +def get_english_score(input_bytes): + character_frequencies = { + 'a': .08167, 'b': .01492, 'c': .02782, 'd': .04253, + 'e': .12702, 'f': .02228, 'g': .02015, 'h': .06094, + 'i': .06094, 'j': .00153, 'k': .00772, 'l': .04025, + 'm': .02406, 'n': .06749, 'o': .07507, 'p': .01929, + 'q': .00095, 'r': .05987, 's': .06327, 't': .09056, + 'u': .02758, 'v': .00978, 'w': .02360, 'x': .00150, + 'y': .01974, 'z': .00074, ' ': .13000 + } + return sum([character_frequencies.get(chr(byte), 0) for byte in input_bytes.lower()]) + + +def single_char_xor(input_bytes, char_value): + """Returns the result of each byte being XOR'd with a single value. + """ + output_bytes = b'' + for byte in input_bytes: + output_bytes += bytes([byte ^ char_value]) + return output_bytes + + +def main(): + hexstring = sys.argv[1] + + ciphertext = bytes.fromhex(hexstring) + potential_messages = [] + for key_value in range(256): + message = single_char_xor(ciphertext, key_value) + score = get_english_score(message) + data = { + 'message': message, + 'score': score, + 'key': chr(key_value) + } + potential_messages.append(data) + best_score = sorted(potential_messages, key=lambda x: x['score'], reverse=True)[0] + for item in best_score: + print("{}: {}".format(item.title(), best_score[item])) + +if __name__ == '__main__': + main() diff --git a/Infra/Infrastructure_Security.pdf b/Infra/Infrastructure_Security.pdf new file mode 100644 index 0000000..9e44947 Binary files /dev/null and b/Infra/Infrastructure_Security.pdf differ diff --git a/Intro/OWASP_Top_10.pdf b/Intro/OWASP_Top_10.pdf new file mode 100644 index 0000000..41de976 Binary files /dev/null and b/Intro/OWASP_Top_10.pdf differ 
diff --git a/Intro/Week1.pdf b/Intro/Week1.pdf new file mode 100644 index 0000000..83bb88e Binary files /dev/null and b/Intro/Week1.pdf differ diff --git a/Intro/codeaudit/Dockerfile b/Intro/codeaudit/Dockerfile new file mode 100644 index 0000000..0dabcc9 --- /dev/null +++ b/Intro/codeaudit/Dockerfile @@ -0,0 +1,8 @@ +FROM ubuntu:18.04 +RUN apt-get update && apt-get upgrade -y +RUN apt-get install -y socat python3 + + +COPY . / + +CMD ["socat", "-T60", "TCP-LISTEN:8000,reuseaddr,fork", "EXEC:'/usr/bin/python3 /main.py'"] diff --git a/Intro/codeaudit/bank.py b/Intro/codeaudit/bank.py new file mode 100644 index 0000000..8c9dbf6 --- /dev/null +++ b/Intro/codeaudit/bank.py @@ -0,0 +1,51 @@ +class Account(object): + def __init__(self, name, balance=10): + self.name = name + self.balance = balance + + def transfer(self, amount, other): + if self.balance >= amount: + other.balance += amount + self.balance -= amount + return True + return False + + def __str__(self): + return "[ Account %s: $%d ]" % (self.name, self.balance) + + +class User(object): + def __init__(self, uname, passwd): + self.uname = uname + self.passwd = passwd + self.accounts = [] + self.balance = 10 + + def make_account(self, name, start_value): + new_account = None + if self.balance >= start_value: + new_account = Account(name, start_value) + self.accounts.append(new_account) + self.balance -= start_value + return new_account + + def close_account(self, account_id): + acc = self.get_account(account_id) + self.accounts.pop(account_id) + return acc + + def get_account(self, account_id): + return self.accounts[account_id] + + def calculate_total(self): + n = 0 + for acc in self.accounts: + n += acc.balance + return n + + def transfer(self, amount, other): + if self.balance >= amount: + other.balance += amount + self.balance -= amount + return True + return False diff --git a/Intro/codeaudit/flag.txt b/Intro/codeaudit/flag.txt new file mode 100644 index 0000000..483a286 --- /dev/null 
+++ b/Intro/codeaudit/flag.txt @@ -0,0 +1 @@ +flag{welcome_to_hacknight} diff --git a/Intro/codeaudit/login.py b/Intro/codeaudit/login.py new file mode 100644 index 0000000..140190f --- /dev/null +++ b/Intro/codeaudit/login.py @@ -0,0 +1,38 @@ +from bank import * + + +def strcmp(s1, s2): + """ thonk """ + l_s1 = len(s1) + l_s2 = len(s2) + if l_s1 != l_s2: + return False + + for i in range(l_s1): + if s1[i] != s2[i]: + return False + return True + + +class LoginService(object): + users = {} + banned_users = {} + + def __init__(self): + pass + + def register(self, uname, passwd): + if uname not in self.users: + self.users[uname] = User(uname, passwd) + + def check_login(self, uname, passwd): + if uname in self.banned_users: + return None + + elif not strcmp(self.users[uname].passwd, passwd): + return None + return self.users[uname] + + def ban(self, uname): + usr = self.users[uname] + banned_users[uname] = usr diff --git a/Intro/codeaudit/main.py b/Intro/codeaudit/main.py new file mode 100755 index 0000000..ab68c18 --- /dev/null +++ b/Intro/codeaudit/main.py 
@@ -0,0 +1,200 @@ +#!/usr/bin/python3 +import sys + +if sys.version_info[0] < 3: + input = raw_input + +from login import LoginService + +ls = LoginService() +user = None + + +def login_prompt(): + global user, ls + print("Please log in") + + while True: + uname = input("Username: ") + if uname not in ls.users: + print("User doesn't exist") + return + + pw = input("Password: ") + + user = ls.check_login(uname, pw) + if user: + print("Logged in as %s" % (uname)) + return + else: + print("Invalid password") + + +def register(): + global ls, user + uname = input("Username: ") + if uname in ls.users: + print("User already exists") + return + pw = input("Password: ") + + ls.register(uname, pw) + user = ls.users[uname] + + +def logout(): + print("You can't log out") + + +def print_accounts(target): + print("%s has %s on hand" % (target.uname, target.balance)) + if not target.accounts: + print("You have no accounts") + for account in range(len(target.accounts)): + print("%d: %s" % (account, target.accounts[account])) + + +def transfer(): + global ls, user + print_accounts(user) + account_id = input("Select your account: ") + if account_id.isdigit(): + account_id = int(account_id) + else: + print("Invalid account ID") + return + + account = user.get_account(account_id) + + amount = input("Enter your amount: ") + if amount.isdigit(): + amount = int(amount) + else: + print("Invalid amount") + return + + target_name = input("Enter the recipient's username: ") + if not target_name in ls.users: + print("User doesn't exist") + return + + target = ls.users[target_name] + print_accounts(target) + target_id = input("Enter the account ID to send to: ") + if target_id.isdigit(): + target_id = int(target_id) + else: + print("Invalid account ID") + return + + target_acc = target.get_account(target_id) + + if account.transfer(amount, target_acc): + print("Transfer successful") + else: + print("Transfer failed") + + +def new_account(): + global user + name = input("Account name: ") + 
deposit = 0 + if user.balance > 0: + print("You have %s on hand, how much do you want to deposit?" % (user.balance)) + deposit = input(">") + if deposit.isdigit(): + deposit = int(deposit) + else: + print("Invalid deposit") + return + + if user.make_account(name, deposit): + print("Account created successfully") + else: + print("Account creation failed") + + +def close(): + global ls, user + print_accounts(user) + account_id = input("Select your account: ") + if account_id.isdigit(): + account_id = int(account_id) + else: + print("Invalid account ID") + return + + account = user.close_account(account_id) + leftover = account.balance + user.balance += leftover + + +account_routes = { + "info": lambda: print_accounts(user), + "exit": None, + "transfer": transfer, + "create": new_account, + "close": close, + "help": lambda: help_func(account_routes), +} + + +def accounts(): + if user is None: + print("You aren't logged in") + return + + help_func(account_routes) + while True: + route = input("accounts> ") + if route == "exit": + return + + if route in account_routes: + account_routes[route]() + else: + print("Invalid route %s" % (route)) + + +def help_func(routes): + print("Commands: ") + for route in routes: + print("- %s" % (route)) + + +with open("flag.txt", "r") as FILE: + FLAG = FILE.read() + + +def flag(): + if user is None: + print("You aren't logged in") + + if user.calculate_total() > 100: + print(FLAG) + else: + print("You can't afford the flag") + + +routes = { + "login": login_prompt, + "register": register, + "logout": logout, + "accounts": accounts, + "flag": flag, + "help": lambda: help_func(routes), +} + + +def main(): + while True: + help_func(routes) + route = input("> ") + if route in routes: + routes[route]() + else: + print("Invalid route %s" % (route)) + + +if __name__ == "__main__": + main() 
diff --git a/Pwn/Heap Exploitation Part 1.pdf b/Pwn/Heap Exploitation Part 1.pdf new file mode 100644 index 0000000..19928fc Binary files /dev/null and b/Pwn/Heap Exploitation Part 1.pdf differ diff --git a/Pwn/Heap Metadata.pdf b/Pwn/Heap Metadata.pdf new file mode 100644 index 0000000..4aba9ac Binary files /dev/null and b/Pwn/Heap Metadata.pdf differ diff --git a/Pwn/Kernel_Stuff.pdf b/Pwn/Kernel_Stuff.pdf new file mode 100644 index 0000000..e0c7861 Binary files /dev/null and b/Pwn/Kernel_Stuff.pdf differ diff --git a/Pwn/Memory Corruption Part 1.pdf b/Pwn/Memory Corruption Part 1.pdf new file mode 100644 index 0000000..29605e0 Binary files /dev/null and b/Pwn/Memory Corruption Part 1.pdf differ diff --git a/Pwn/Memory Corruption Part 2.pdf b/Pwn/Memory Corruption Part 2.pdf new file mode 100644 index 0000000..ec75fcc Binary files /dev/null and b/Pwn/Memory Corruption Part 2.pdf differ diff --git a/Pwn/PyJail.pdf b/Pwn/PyJail.pdf new file mode 100644 index 0000000..883a193 Binary files /dev/null and b/Pwn/PyJail.pdf differ diff --git a/README.md b/README.md index 642d234..cfa852f 100644 --- a/README.md +++ b/README.md 
@@ -1,320 +1,292 @@ -# NYU Poly [ISIS Lab](http://www.isis.poly.edu/)'s [Hack Night](http://isislab.github.io/Hack-Night/) -Developed from the materials of NYU Poly's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks. +# NYU Tandon's [OSIRIS Lab](http://osiris.cyber.nyu.edu/)'s [Hack Night](https://www.osiris.cyber.nyu.edu/hack-night) +Developed from both the materials of the NYU Tandon's Introduction to Offensive Security and old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks. Hack Night culminates in a practical application of the skills and techniques taught, students complete a research project inspired by one of the lectures or exercise materials. By the end of the course, each student is expected to have a good understanding of all topics and a mastery of at least one topic. *Due to the involved nature of this course, we recommend students attend Hack Night in person.* ## Logistics -If you have any questions, or would like to attend a Hack Night session, you can contact Evan Jensen or Marc Budofsky at HackNight@isis.poly.edu or you can [file a ticket](https://github.com/isislab/Hack-Night/issues) in Github. +If you have any questions, or would like to attend a Hack Night session, you can contact or osiris@osiris.cyber.nyu.edu or you can ask us in [Discord](https://discord.com/invite/fSsjzMXtrX). -Sign up for the [Cyber Security Club mailing list](https://isis.poly.edu/mailman/listinfo/csc) to recieve weekly e-mails about seminars and training sessions brought to you by the [ISIS Lab](http://www.isis.poly.edu/). 
+Hack Night is run every Thursday during the regular semester at 7 PM on the 10th floor of 370. -Hack Night is run every Wednesday during the regular semester at 6 PM in RH 219, check [our calendar for updates](http://www.isis.poly.edu/calendar). - -ISIS Lab, RH 219 -Six MetroTech Center +OSIRIS Lab +370 Jay Street Brooklyn, NY 11201 -## Week 0: Background +## Week 0 (01/31): Background In order to get the most out of Hack Night, you should be familiar with some basic security concepts. ### Lecture Materials -1. [PicoCTF Resources](https://picoctf.com/learn) +1. [PicoCTF Resources](https://picoctf.com/resources) ### Resources -#### General -1. [Sun Certified Security Administrator for Solaris 9 & 10 Study Guide Chapter 1](http://www.mhprofessional.com/downloads/products/0072254238/0072254238_ch01.pdf) - #### Application Security 1. [OWASP Secure Coding Principles](https://www.owasp.org/index.php/Secure_Coding_Principles) -#### Exploitation -1. [Windows ISV Software Security Defenses](http://msdn.microsoft.com/en-us/library/bb430720.aspx) - -#### Mobile Security -1. [OWASP Top 10](https://www.owasp.org/index.php/Projects/OWASP_Mobile_Security_Project_-_Top_Ten_Mobile_Risks) - -#### Network Security -1. [Common Types of Network Attacks](http://technet.microsoft.com/en-us/library/cc959354.aspx) - -#### Reverse Engineering -1. [University of Washington's The Hardware/Software Interface](https://class.coursera.org/hwswinterface-001/class) *Currently Unavailable to New Students* -2. [University of London's Malicious Software and its Underground Economy: Two Sides to Every Story](https://class.coursera.org/malsoftware-001/class) - #### Web Security 1. [OWASP Top 10](https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project) -## Week 1: Introduction +## Week 1 (01/31): Introduction (Kent Ma) This is an introduction session to the Hack Night curriculum, this session tries to give an overview of what rest of Hack Night sessions is to be followed. 
More importantly, it also gives the -ethics necessary to keep in mind when you learn something as powerful as your going to do now. Next, we will cover various types of disclosure that hackers have followed since +ethics necessary to keep in mind when you learn something as powerful as you're going to do now. Next, we will cover various types of disclosure that hackers have followed since its inception. Before diving into the Hack Night semester, we recommend you take a look at the resources below and become familiar with some of the material. - -### Lecture Materials -1. [Trends in Vulnerability Disclosure](http://vimeo.com/48914102) -2. [Intrusion via Web Application Flaws](http://vimeo.com/14983596) -3. [Intrusion via Client-Side Exploitation](http://vimeo.com/14983828) - -### Resources -1. [IRC: #hacknight on isis.poly.edu port 6697 (ssl only)](http://chat.mibbit.com/?server=isis.poly.edu%3A%2B6697&channel=%23hacknight) -2. [ISIS Lab Blog](https://isisblogs.poly.edu/) -3. [ISIS Lab Github](https://github.com/isislab/) -4. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -5. [Resources Wiki](https://github.com/isislab/Project-Ideas/wiki) -6. [CyFor](http://cyfor.isis.poly.edu/) -7. [Cyber Security Club Mailing List](https://isis.poly.edu/mailman/listinfo/csc) -8. [ISIS Lab Calendar](http://www.isis.poly.edu/calendar) - - -## Week 2: Source Code Auditing, Part 1 This session will cover Code Auditing. Code Auditing an application is the process of analyzing application code (in source or binary form) to uncover vulnerabilities that attackers might exploit. By going through this process, you can identify and close security holes that would otherwise put sensitive data and business resources at unnecessary risk. Topics that will be covered are Identifying Architectural, Implementation and Operational vulnerabilities. -### Lecture Materials -1. 
[Design & Operational Reviews](http://vimeo.com/29082852/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/design_review_fall2011.pdf?raw=true)] -2. [Code Auditing 101](http://vimeo.com/30001189/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/code_audits_1_fall2011.pdf?raw=true)] - -### Workshop Materials -1. [Client Request Access Protocol](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week2/designdoc-fall2010.pdf?raw=true) -We believe this protocol to be severely flawed and require your assistance in identifying vulnerabilities in it. Your objective is to identify and informally describe as many of these issues that you can. - -### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) - - -## Week 3: Source Code Auditing, Part 2 -This week we will continue with the final video on Code Auditing, and provide you with 2 more applications that are intentionally vulnerable. Your job is to audit the source code and find vulnerabilities in them. Test -the skills that you have learned last week to efficiently go over the process of auditing applications. ### Lecture Materials -1. [Code Auditing 102](http://vimeo.com/29702192/) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/code_audits_2_fall2011.pdf?raw=true)] - -### Workshop Materials -1. 
[News Paper](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/news_server.c) [Simple Usage](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/news_install.sh) -This network service simulates a text-based terminal application. The general purpose of the application is to act as a "news server" or text file service. These are two types of users: regular and administrator. Administrators can add users and execute back-end system commands. Users can view and contribute articles (aka text files). Assume the application runs on Linux and is compiled with gcc. -2. [Siberia Crimeware Pack](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week3/siberia.zip?raw=true) (Password: infected) -The Siberia kit contains live exploit code and will likely set off AV, however none of the exploit code is in a state where it would be harmful to your computer. In addition to all of the vulnerabilites have been patched years ago, the exploits in Siberia need to be interpreted by PHP and read by your browser for them to have any effect. You can safely disable or create exceptions in your AV for this exercise or place the Siberia files inside a VM. +1. [Slides](Intro/Week1.pdf) +2. [The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) +3. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) +4. [Catching Integer Overflows](http://www.fefe.de/intof.html) +5. [The Fortify Taxonomy of Software Security Flaws](https://vulncat.fortify.com/data/Fortify_TaxonomyofSoftwareSecurityErrors.pdf) ### Resources -1. [Source Code Analysis](https://github.com/isislab/Project-Ideas/wiki/Source-Code-Analysis) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. 
[The Art of Software Security Assessment](http://www.amazon.com/Art-Software-Security-Assessment-Vulnerabilities/dp/0321444426/ref=sr_1_1?s=books&ie=UTF8&qid=1367449909&sr=1-1&keywords=the+art+of+software+security+assessment) -4. [Integer Overflows](http://en.wikipedia.org/wiki/Integer_overflow) -5. [Catching Integer Overflows](http://www.fefe.de/intof.html) -6. [The Fortify Taxonomy of Software Security Flaws](http://www.fortify.com/vulncat/) +1. [IRC: #hacknight on isis.poly.edu port 6697 (ssl only)](http://chat.mibbit.com/?server=isis.poly.edu%3A%2B6697&channel=%23hacknight) +2. [OSIRIS Lab Blog](https://blog.osiris.cyber.nyu.edu/) +3. [OSIRIS Lab Github](https://github.com/osirislab/) +4. [Project Ideas](https://github.com/osirislab/Project-Ideas/issues) +5. [CTF 101](https://ctf101.org/) +6. [Mailing List](https://www.osiris.cyber.nyu.edu/newsletter) +7. [OSIRIS Lab Calendar](https://www.osiris.cyber.nyu.edu/calendar) ### Tools 1. [Source Navigator](http://sourcenav.sourceforge.net/) 2. [Scitools Understand](http://www.scitools.com/) 3. [List of tools for static code analysis](http://en.wikipedia.org/wiki/List_of_tools_for_static_code_analysis) +### Workshop +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) + -## Week 4: Web Security, Part 1 -This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. Topics to be covered are web application primer, Vuln. commonly found in web apps. (OWASP Top 10) and Basic web testing methodologies. +## Week 2 (02/07): Client-Side Web Security (Kent Ma) +This session will cover client-side web hacking. This session is about familiarity with various client-side applications in web applications. We will also look at exploitation mitigations that your current browser implements. Topics include XSS, CSRF, Same-Origin Policy, XSS-Protection, and Content-Security-Policy. 
### Lecture Materials -1. [Web Hacking 101](http://vimeo.com/32509769) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/WebHackingDay1-2011.pdf?raw=true)] +1. [Slides](Web/ClientSide.pdf) ### Workshop Materials -1. [Google Gruyere](http://google-gruyere.appspot.com/) - +1. [Google XSS game](https://xss-game.appspot.com/) +2. [Hacknight CSP Game]() ### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) 2. [The Tangled Web](http://nostarch.com/tangledweb.htm) 3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) 4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) +5. [OWASP XSS Filter Evasion Cheat Sheet](https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet) + -## Week 5: Web Security, Part 2 -In this session, we will continue with the second video on Web Hacking. We will then be using some more intentionally vulnerable web applications to identify and analyze the top ten vulnerabilities commonly found in the web applications You will be going through the steps of busticating a real site and throwing a fire sale using freely available tools. +## Weeks 3 (02/14): Server-side Web Security (John Cuniff) +This session will cover web hacking. This session is about getting familiarity with various vulnerabilities commonly found in web applications. You will be able to identify and exploit web application vulnerabilities. +Topics to be covered are: +* SQL Injection +* File inclusion +* Directory Traversal +* Object deserialization +* External Entities (XXE) Injection +* CRLF Injection +* Server-Side Request Forgery +* WAFs and filter bypasses ### Lecture Materials -1. [Web Hacking 102](http://vimeo.com/32550671) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/WebHackingDay2-2011.pdf?raw=true)] +1. [Slides](Web/ServerSide.pdf) ### Workshop Materials -1. 
[OWASP WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) -2. [Damn Vulnerable Web Application](http://www.dvwa.co.uk/) - +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. [Web Security](https://github.com/isislab/Project-Ideas/wiki/Web-Security) -2. [The Tangled Web](http://nostarch.com/tangledweb.htm) -3. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) -4. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) +1. [The Tangled Web](http://nostarch.com/tangledweb.htm) +2. [OWASP Top 10](https://www.owasp.org/index.php/Top_10) +3. [OWASP Top 10 Tools and Tactics](http://resources.infosecinstitute.com/owasp-top-10-tools-and-tactics/) +### Tools +1. [Burp suite](https://portswigger.net/) -## Week 6: Reverse Engineering, Part 1 -This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. This is exactly what two of world's best reverse engineers are going to teach you. +## Week 4 (02/21): Reverse Engineering, Part 1 (Mina Zhou) +This session is about Reverse Engineering. Most of the software we use everyday is closed source. You don't have the liberty to look at the source code, at this point we need to analyze the available compiled binary. Reversing a binary is no easy task but can be done with the proper methodology and the right tools. -### Lecture Videos -1. [Reverse Engineering 101](http://vimeo.com/6764570) -2. [Reverse Engineering 102](http://vimeo.com/30076325) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/sotirov-re-fall2011.pdf?raw=true)] +This first week will be a primer on x86 assembly and low level programming. + +### Lecture Materials +1. 
[Slides]() ### Workshop Materials In this section we will go through the basic idea of a binary and how your source code is converted into an executable form. We will then look at the assembly language used by executable programs and develop our own low level programs. We will write simple assembly language programs and teach the basic skills needed to understand more complex assembly language uses. +This is going to be a workshop were we will write programs at assembly level. Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames. + 1. [Assembly Programming Exercises](https://github.com/blankwall/asm_prog_ex) ### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) +1. [Binary Ninja Demo](https://binary.ninja/demo/) +2. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +3. 
[x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) +4. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) +5. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) +6. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) +7. [nasm](http://www.nasm.us/) +8. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) -## Week 7: Reverse Engineering, Part 2 -Picking up from previous session, we will watch the last video on Reverse Engineering, and present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. You'll use static analysis tools like IDA and varied dynamic analysis to analyze the binary and get a complete understanding of the application. +## Week 5 (02/28): Reverse Engineering, Part 2 (Roy Xu & Nobel Gautman) +We will present you with an application which has no source code. Your job is to understand what the application is doing and figure out any loopholes present in that application. You'll use static analysis tools like IDA to analyze the binary and get a complete understanding of the application. ### Lecture Videos -1. [Dynamic Reverse Engineering](http://vimeo.com/30594548) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/dynamic_reversing_2011.pdf?raw=true)] - -### Workshop Materials -1. [Challenge Application 1](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week7/bin1?raw=true) -2. [Challenge Application 2](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week7/easy32?raw=true) +1. [Slides]() ### Resources -1. 
[Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) +1. [Binary Ninja Demo](https://binary.ninja/demo/) +2. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +3. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) +4. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) +5. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) +6. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) +7. [nasm](http://www.nasm.us/) +8. 
[x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) -## Week 8: Reverse Engineering, Part 3 -In this session we will cover [Introductory Intel x86: Architecture, Assembly, Applications, and Alliteration by Xeno Kovah](http://www.opensecuritytraining.info/IntroX86.html) from [OpenSecurityTraining](http://www.opensecuritytraining.info/Welcome.html). Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation. 50% of the time will be spent learning Windows/Linux tools and analysis of "simple" programs. +## Week 6 (03/07): Reverse Engineering, Part 3 (Sai Vegasena) +For this lesson, we will be looking at dynamically reversing a binary. We will use a debugger to look into a running process's memory. +Also, we will use + ### Lecture Materials 1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) ### Workshop Materials -1. [CMU Bomb Lab](http://csapp.cs.cmu.edu/public/1e/bomb.tar) (Linux/IA32 binary) +1. [Pwndbg GDB Plugin](https://github.com/pwndbg/pwndbg) ### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. 
[IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) -7. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -8. [nasm](http://www.nasm.us/) -9. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) - +1. [Binary Ninja Demo](https://binary.ninja/demo/) +2. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +3. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) +4. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) +5. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) +6. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) +7. [nasm](http://www.nasm.us/) +8. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) +9. [GDB Commands Cheatsheet](http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf) -## Week 9: Reverse Engineering, Part 4 -Picking up from the last week's session, we will continue to explore the world of x86. This is going to be a workshop were we will write programs at assembly level. Once, we get familiar to basic x86 instructions we will switch to analyzing a real application and try to get high level understanding of what the application is doing. The goal would be to get familiar with calling conventions, stack and stack frames. 
+## Week 7 (03/14): Reverse Engineering, Part 4 (Nick Gregory) +Last week you dynamically debugged and reverse engineered a program that used a basic anti-reverse engineering technique. We will be going over some anti-reverse engineering protections. ### Lecture Materials -1. [Introductory Intel x86 Lectures](http://www.youtube.com/playlist?list=PL038BE01D3BAEFDB0) +1. [Slides]() ### Workshop Materials -1. [RPI Bomb Lab](http://www.cs.rpi.edu/academics/courses/spring10/csci4971/rev2/bomb) -2. [Write readFile.c in x86 by hand](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week9) +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. [Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) -2. [Application Security](https://github.com/isislab/Project-Ideas/wiki/Application-Security) -3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -4. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) -5. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) -6. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) +1. [Binary Ninja Demo](https://binary.ninja/demo/) +2. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +3. [x86 Win32 Reverse Engineering Cheatsheet](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/X86_Win32_Reverse_Engineering_Cheat_Sheet.pdf?raw=true) +4. [IDA Pro Shortcuts](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/IDA_Pro_Shortcuts.pdf?raw=true) +5. [All Materials for Introductory Intel x86](http://www.opensecuritytraining.info/IntroX86_files/IntroX86_all_materials_with_pdf_1.zip) +6. 
[Reverse Engineering](https://github.com/isislab/Project-Ideas/wiki/Reverse-Engineering) 7. [nasm](http://www.nasm.us/) 8. [x86 Intel Manuals](http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html) +9. [GDB Commands Cheatsheet](http://users.ece.utexas.edu/~adnan/gdb-refcard.pdf) -## Week 10: Exploitation, Part 1 -In this week's session, we will go over some advanced concepts related to computer security. Dino Dai Zovi will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. We will also look at exploitation mitigation that your current OS implements, it's not 1988 anymore. Finally, we will look at some techniques used to bypass modern mitigations. - +## Week 8 (03/28): Memory Corruption, Part 1 (Roy Xu) +In this week's session, we will go over some advanced concepts related to computer security. We will go over various memory errors that an application can cause often leading to catastrophic results. Topics that will be covered are various memory errors like buffer overflows, uninitialized variables, use after free etc. and how we can use them to take control of an application. ### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/memory_corruption_101.pdf?raw=true)] +1. [Slides]() ### Workshop Materials -1. [Vulnerable Application](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week10) +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. 
[IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) +1. [Smashing the Stack for Fun and Profit](http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf) +2. [Vagrant](https://www.vagrantup.com/) +3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +4. [pwndbg](https://github.com/pwndbg/pwndbg) +5. [pwntools](https://github.com/Gallopsled/pwntools) -## Week 11: Exploitation, Part 2 -Picking up from the last session, we will finish watching Dino Dai Zovi's lecture and do a live exploitation of a vulnerable program. We will go through all the steps that Dino explained in his lecture to write a control flow hijacking exploit and take over the program. Once we are done with 1990's style exploitation, we will re-compile the program with modern mitigation technologies and look at various techniques used to bypass these mitigation's. +## Week 9 (04/04): Memory Corruption, Part 2 (Roy Xu) +This week, We will look at exploitation mitigation that your current OS implements, it's not 1988 anymore. We will look at some techniques used to bypass modern mitigations. We will also go over useful tools and techniques for writing exploits. ### Lecture Materials -1. [Memory Corruption 101](http://vimeo.com/31348274) [[slides](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/slides/memory_corruption_101.pdf?raw=true)] +1. [Slides](Pwn/Memory Corruption Part 2.pdf) ### Workshop Materials -1 [CSAW 2013 Exploitation 2](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/workshops/week11/exploit2?raw=true) +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. [Exploitation](https://github.com/isislab/Project-Ideas/wiki/Exploitation) -2. [VMWare Player](http://www.vmware.com/download/player/download.html) -3. [Linux Machine](http://www.ubuntu.com/download/desktop) (preferably, Ubuntu) -4. 
[IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) -5. [Windbg](http://msdn.microsoft.com/en-us/library/windows/hardware/gg463009.aspx) +1. [Smashing the Stack for Fun and Profit](http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf) +2. [Vagrant](https://www.vagrantup.com/) +3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +4. [pwndbg](https://github.com/pwndbg/pwndbg) +5. [pwntools](https://github.com/Gallopsled/pwntools) + + +## Week 10 (04/11): Heap Exploitation, Part 1 (Roy Xu) +In this week, we will cover the fundamentals of the Heap. We will primarily focus on the glibc implementation of the heap, but these techniques will apply to other implementations as well. +We will go over the basic idea of how Glibc malloc behaves and is implemented, and then go into the following introductory heap exploitation techniques: +* Use after free +* Heap spraying +* Heap overflows +* Unlink +* Overlapping chunks +* Nullbyte poison -### More Challenges -1. [Gera's Insecure Programming by Example](http://community.corest.com/~gera/InsecureProgramming/) -2. [Exploit-Exercises](http://exploit-exercises.com/) +### Lecture Materials +1. [Slides]() +### Workshop Materials +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) -## Week 12: Post-Exploitation -In this week, we will cover post-exploitation. Post-exploitation is the stage in the intrusion kill chain wherein the attacker uses persistence techniques after the victim's system is compromised to maintain his/her presence on the machine. In addition the attacker also wants his presence to be hidden, this includes evading antivirus software, covering his/her tracks, etc. We will look at various techniques used by attackers to achieve the aforementioned goals. +### Resources +1. [Smashing the Stack for Fun and Profit](http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf) +2. [Vagrant](https://www.vagrantup.com/) +3. 
[IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +4. [pwndbg](https://github.com/pwndbg/pwndbg) +5. [pwntools](https://github.com/Gallopsled/pwntools) +6. [How2heap](https://github.com/shellphish/how2heap) ### Lecture Material 1. [Post Exploitation](http://vimeo.com/33344191) -### Workshop Material -As shown in the lecture video, setup two VM’s. One VM will have metasploit running, backtrack is preferred and the other machine will be a Windows box. Preferred, win xp professional or win 7 professional. -Use the psexec module available in metasploit to gain access to the Windows box. Once, you have a meterpreter session available, apply different techniques demonstrated in the lecture like getting the password hash of Administrator, so that you can re-login as Administrator which gives you elevated privileges. +## Week 11 (04/18): Heap Exploitation, Part 2 (Roy Xu) +In this week, we will cover the advanced heap exploitation techniques. -Having a meterpreter session open isn’t necessarily good enough. For instance, run cmd.exe in windows box; get back to your meterpreter session and find the pid of cmd.exe using “ps” command. Once you are able to figure out the pid, use the migrate command to switch to that process. Now, close the command prompt in the windows box. Do you still have the session open? What do you think a stable process might be to migrate? +### Lecture Materials +1. [Slides]() -If you have found the stable process that you as an attacker want to migrate to, chances are your persistence is good. Although, this may not be the case if the victim restarts his machine. What do you think a better approach would be to keep your connection persistent, even after several reboots? Try to use this method and see for yourself, if you have a persistent connection or not. +### Workshop Materials +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. 
[Symantec Stuxnet Dossier](https://github.com/isislab/Hack-Night/blob/master/2014-Fall/references/w32_stuxnet_dossier.pdf?raw=true) +1. [How2heap](https://github.com/shellphish/how2heap) +2. [Vagrant](https://www.vagrantup.com/) +3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +4. [pwndbg](https://github.com/pwndbg/pwndbg) +5. [pwntools](https://github.com/Gallopsled/pwntools) -## Week 13: Application Security -In this, the last session of Hack Night. We will be going over Fuzzing and later have a short discussion on what you can do to continue improving your skills. Fuzzing is a black box software testing technique, which consists of finding implementation bugs by manipulating input data sent to an application automatically. We will go over different types of fuzzing, various methods used for fuzzing, and finally the process of "smart" fuzzing. +## Week 12 (04/25): Kernel Exploitation +In thi sweek, we will cover the fundamentals of operating systems and how we can use our memory corruption skills for operating systems. The techniques and fundamentals will be the same, but there will be slight differences in the ecosystem, goals, and functions called for kernel exploitation. -### Lecture Material -1. [Fuzzing](https://vimeo.com/7574602) +### Lecture Materials +1. [Slides]() ### Workshop Materials -1. [fuzz.py](https://github.com/isislab/Hack-Night/tree/master/2013-Fall/week13) -2. [HaikuSyscallFuzzer](https://github.com/isislab/HaikuSyscallFuzzer) +1. [OSIRIS Wargames](wargames.osiris.cyber.nyu.edu) ### Resources -1. [Fuzzing](https://github.com/isislab/Project-Ideas/wiki/Fuzzing) - +1. [RPISEC's Modern Binary Exploitation](http://security.cs.rpi.edu/courses/binexp-spring2015/) +2. [Vagrant](https://www.vagrantup.com/) +3. [IDA Demo](https://www.hex-rays.com/products/ida/support/download_demo.shtml) +4. [pwndbg](https://github.com/pwndbg/pwndbg) +5. 
[pwntools](https://github.com/Gallopsled/pwntools) ## Conclusion Hack Night is designed to culminate in each student developing some kind of deliverable related to computer security, the goal being that everyone leaves the program with more knowledge about security. - -### Research and Projects -1. [Project Ideas](https://github.com/isislab/Project-Ideas/issues) -2. [Project Ideas Wiki](https://github.com/isislab/Project-Ideas/wiki) diff --git a/Rev/Reverse_Engineering.pdf b/Rev/Reverse_Engineering.pdf new file mode 100644 index 0000000..2718153 Binary files /dev/null and b/Rev/Reverse_Engineering.pdf differ diff --git a/Rev/dynamic/An Introduction to Dynamic Analysis for R.E. (2020).pdf b/Rev/dynamic/An Introduction to Dynamic Analysis for R.E. (2020).pdf new file mode 100644 index 0000000..e8e5aed Binary files /dev/null and b/Rev/dynamic/An Introduction to Dynamic Analysis for R.E. (2020).pdf differ diff --git a/Rev/dynamic/README.md b/Rev/dynamic/README.md new file mode 100644 index 0000000..ba6e02f --- /dev/null +++ b/Rev/dynamic/README.md @@ -0,0 +1,3 @@ +# Dynamic Analysis + +This repository contains code and snippets used when teaching dynamic analysis for reverse engineering for Hack Night. diff --git a/Rev/dynamic/angr_demo/flag.txt b/Rev/dynamic/angr_demo/flag.txt new file mode 100644 index 0000000..e4fd4ca --- /dev/null +++ b/Rev/dynamic/angr_demo/flag.txt @@ -0,0 +1 @@ +flag{y0u_fouN0_M3!} diff --git a/Rev/dynamic/angr_demo/normal b/Rev/dynamic/angr_demo/normal new file mode 100755 index 0000000..1576c7d Binary files /dev/null and b/Rev/dynamic/angr_demo/normal differ diff --git a/Rev/dynamic/angr_demo/symnorm.py b/Rev/dynamic/angr_demo/symnorm.py new file mode 100755 index 0000000..7e10578 --- /dev/null +++ b/Rev/dynamic/angr_demo/symnorm.py 
@@ -0,0 +1,18 @@ +#!/usr/bin/env python3 +import angr +import claripy + +def main(): + proj = angr.Project("./normal") + find = [0x40079b] + avoid = [0x400971] + + #answer_chars = [claripy.BVS('input_%d' % i, 8) for i in range(25)] + #answer = claripy.Concat(*answer_chars + [claripy.BVV(b'\n')]) + + state = proj.factory.entry_state() + + sm = proj.factory.simulation_manager(state) + sm.explore(find=find, avoid=avoid) + print(sm.found[0].posix.dumps(0)) +main() diff --git a/Rev/dynamic/execution_engine/solver.py b/Rev/dynamic/execution_engine/solver.py new file mode 100755 index 0000000..52a2d9c --- /dev/null +++ b/Rev/dynamic/execution_engine/solver.py @@ -0,0 +1,28 @@ +#!/usr/bin/env python +from manticore import Manticore + +m = Manticore("./strops.bin") + +m.context['flag'] = "" + +@m.hook(0x40076a) +def hook(state): + buffer_addr = state.cpu.RSI + state.cpu.write_bytes(buffer_addr, "a" * 50) + state.cpu.EIP = 0x40076f + +@m.hook(0x400798) +def hook(state): + m.context['flag'] += chr(state.cpu.EDX) + state.cpu.EAX = state.cpu.EDX + +@m.hook(0x4007b9) +def hook(state): + print(m.context['flag']) + m.terminate() + +@m.hook(0x40079c) +def hook(state): + state.abandon() + +m.run() diff --git a/Rev/dynamic/execution_engine/strops.bin b/Rev/dynamic/execution_engine/strops.bin new file mode 100755 index 0000000..3fdc41e Binary files /dev/null and b/Rev/dynamic/execution_engine/strops.bin differ diff --git a/Rev/dynamic/fuzz_example.c b/Rev/dynamic/fuzz_example.c new file mode 100644 index 0000000..0c8f5d8 --- /dev/null +++ b/Rev/dynamic/fuzz_example.c 
@@ -0,0 +1,37 @@ +/* + * fuzz_pseudocode.c + * + * Example test harness for a fuzzer, demonstrating + * how we would implement a test case that can help + * our fuzzer maximize program coverage. + * + */ + +#include + + +/* + * JSON file -> Object -> JSON dump 1 + * + * Check if JSON file == JSON dump + * + */ + +int main(int argc, char *argv[]) +{ + /* `argv[1]` is a JSON input test we read from */ + char *input = readFromFile(argv[1]); + size_t size = getFileInputSize(argv[1]); + + /* Parse our input, and an initial validation check */ + json_t *object = json_parse(input, size); + object.validate(); + + /* Dump back as a string */ + char *dump_output = object.dump(); + size_t dump_size = object.dump_size(); + + /* Check against our original input! */ + CHECK(input, dump_output); + exitSuccessfully(); +} diff --git a/Rev/dynamic/heartbleed_fuzz/README.md b/Rev/dynamic/heartbleed_fuzz/README.md new file mode 100644 index 0000000..6106c5f --- /dev/null +++ b/Rev/dynamic/heartbleed_fuzz/README.md @@ -0,0 +1,28 @@ +# OpenSSL Heartbleed Fuzz Example + +We use this to examine and find a real-world vulnerability, CVE-2014-0160, aka Heartbleed, in OpenSSL. This was a prominent attack, but the actual root cause analysis shows how rudimentary the actual bug was (lack of a bounds check on dynamically allocated memory == OOB read). + +# Setup + +The build setup is replicated from [afl-training](https://github.com/mykter/afl-training), which is really nice for rapidly getting an environment setup to perform fuzzing on some targets. + +Inside the vulnerable OpenSSL source: + +``` +$ CC=afl-clang CXX=afl-clang++ ./config +$ AFL_USE_ASAN=1 make +``` + +Building the target: + +``` +$ AFL_USE_ASAN=1 afl-clang-fast++ -g harness.cpp openssl/libssl.a openssl/libcrypto.a -o harness -I openssl/include -ldl +``` + +Running the fuzzer: + +``` +mkdir in/ +cat "AAAAAAAAAA" >> in/1 +afl-fuzz -i in -o out -m none ./harness +``` 
diff --git a/Rev/dynamic/heartbleed_fuzz/harness.cpp b/Rev/dynamic/heartbleed_fuzz/harness.cpp new file mode 100644 index 0000000..accb045 --- /dev/null +++ b/Rev/dynamic/heartbleed_fuzz/harness.cpp @@ -0,0 +1,56 @@ +// Copyright 2016 Google Inc. All Rights Reserved. +// Licensed under the Apache License, Version 2.0 (the "License"); +#include +#include +#include +#include +#include +#include + +#ifndef CERT_PATH +# define CERT_PATH +#endif + +SSL_CTX *Init() { + SSL_library_init(); + SSL_load_error_strings(); + ERR_load_BIO_strings(); + OpenSSL_add_all_algorithms(); + SSL_CTX *sctx; + assert (sctx = SSL_CTX_new(TLSv1_method())); + /* These two file were created with this command: + openssl req -x509 -newkey rsa:512 -keyout server.key \ + -out server.pem -days 9999 -nodes -subj /CN=a/ + */ + assert(SSL_CTX_use_certificate_file(sctx, "runtime/server.pem", + SSL_FILETYPE_PEM)); + assert(SSL_CTX_use_PrivateKey_file(sctx, "runtime/server.key", + SSL_FILETYPE_PEM)); + return sctx; +} + +int main() { + static SSL_CTX *sctx = Init(); + SSL *server = SSL_new(sctx); + BIO *sinbio = BIO_new(BIO_s_mem()); + BIO *soutbio = BIO_new(BIO_s_mem()); + SSL_set_bio(server, sinbio, soutbio); + SSL_set_accept_state(server); + + #ifdef __AFL_HAVE_MANUAL_CONTROL + __AFL_INIT(); + #endif + + uint8_t data[100] = {0}; + size_t size = read(STDIN_FILENO, data, 100); + if (size == -1) { + printf("Failed to read from stdin\n"); + return(-1); + } + + BIO_write(sinbio, data, size); + + SSL_do_handshake(server); + SSL_free(server); + return 0; +} diff --git a/Rev/dynamic/heartbleed_fuzz/runtime/server.key b/Rev/dynamic/heartbleed_fuzz/runtime/server.key new file mode 100644 index 0000000..fedf550 --- /dev/null +++ b/Rev/dynamic/heartbleed_fuzz/runtime/server.key 
@@ -0,0 +1,10 @@ +-----BEGIN PRIVATE KEY----- +MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAtTURFl4t1idG9/MM +Uc7gxpUpwWJGsyGA69URzbO36rBhlSHqaUjcxbxHfIrPw/3icF1B7qn/f2RHOx/G +rGUrxwIDAQABAkBrQXDOw4nv8ymfg33sQj5rbEjdzRS53H/ZlzFFhzW6NBMpkQXa +QQuOd1Yk5TPT3czt8Fz+SWYQQZx3JjgC3bRZAiEA4Nso0InHlJpRoGY0axvXFDQ9 +xU/a9TjbCFISSFKHsUUCIQDOTjqZGIZslQPyndykM+J0zPJH5/YWPh4KCXisqmFr +mwIgLxVVD426L+C8dOTR1xfGSqHByX42MCEOpEhjMaeuaC0CIHboFdQZk5jPxoe2 +vu4RTYt+eIJDSs4FHXExhlEWnrHTAiA7NMopO7x8fSz1pnjkp1LZYXKEK9nXmDds +7GxNWVFfwQ== +-----END PRIVATE KEY----- diff --git a/Rev/dynamic/heartbleed_fuzz/runtime/server.pem b/Rev/dynamic/heartbleed_fuzz/runtime/server.pem new file mode 100644 index 0000000..f8c0967 --- /dev/null +++ b/Rev/dynamic/heartbleed_fuzz/runtime/server.pem @@ -0,0 +1,10 @@ +-----BEGIN CERTIFICATE----- +MIIBbzCCARmgAwIBAgIUGsKrYOoBN8ARLDg9osZyETQCNzIwDQYJKoZIhvcNAQEL +BQAwDDEKMAgGA1UEAwwBYTAeFw0yMDA0MDIxOTE5MTZaFw00NzA4MTgxOTE5MTZa +MAwxCjAIBgNVBAMMAWEwXDANBgkqhkiG9w0BAQEFAANLADBIAkEAtTURFl4t1idG +9/MMUc7gxpUpwWJGsyGA69URzbO36rBhlSHqaUjcxbxHfIrPw/3icF1B7qn/f2RH +Ox/GrGUrxwIDAQABo1MwUTAdBgNVHQ4EFgQU2PCyXZkq4XCra1vAY0XoCX6SI8Aw +HwYDVR0jBBgwFoAU2PCyXZkq4XCra1vAY0XoCX6SI8AwDwYDVR0TAQH/BAUwAwEB +/zANBgkqhkiG9w0BAQsFAANBAKyapIBkyMyb7QnwupicovjDXxcxXkLSocuQ3i0m +hyT1YtvAovjR312ScYwEFYQIt/ebL8Kj+UeezuTMUtc/9/4= +-----END CERTIFICATE----- diff --git a/Rev/dynamic/license_validator/README.md b/Rev/dynamic/license_validator/README.md new file mode 100644 index 0000000..e69de29 diff --git a/Rev/dynamic/license_validator/concrete_solver.py b/Rev/dynamic/license_validator/concrete_solver.py new file mode 100644 index 0000000..d82a852 --- /dev/null +++ b/Rev/dynamic/license_validator/concrete_solver.py 
@@ -0,0 +1,25 @@ +#!/usr/bin/env python2.7 +""" +concrete_solver.py + + Used to concretely find a key for the license + validator without the need of symbolic reasoning. +""" + +import re +from pwn import * + +# open binary, find target of interest +binary = ELF("./validator") +checkLicense = binary.symbols["checkLicense"] +print("checkLicense address: {}".format(hex(checkLicense))) + +# disassemble the function and distillate raw output +func_disasm = binary.disasm(checkLicense, 300).split() +cmp_vals = [ + func_disasm[idx + 1] + for idx, token in enumerate(func_disasm) + if token == "3c" +] + +print(cmp_vals) diff --git a/Rev/dynamic/license_validator/symbolic_solver.py b/Rev/dynamic/license_validator/symbolic_solver.py new file mode 100644 index 0000000..0d6b086 --- /dev/null +++ b/Rev/dynamic/license_validator/symbolic_solver.py @@ -0,0 +1,28 @@ +#!/usr/bin/env python3 +""" +symbolic_solver.py + + Demonstrates how we can crack the license validator automatically + with Manticore's symbolic execution engine. + +""" + +from manticore.native import Manticore + +m = Manticore("./validator") +m.verbosity(1) + + +@m.hook(0x400d24) +def hook(state): + cpu = state.cpu + print("Reached failed path") + + with m.locked_context() as context: + res = "".join(map(chr, state.solve_buffer(cpu.AL, 2))) + print("Character solved: ", res) + context["count"] += 1 + + +if __name__ == "__main__": + m.run() diff --git a/Rev/dynamic/license_validator/validator b/Rev/dynamic/license_validator/validator new file mode 100755 index 0000000..38e13dc Binary files /dev/null and b/Rev/dynamic/license_validator/validator differ diff --git a/Rev/dynamic/license_validator/validator.c b/Rev/dynamic/license_validator/validator.c new file mode 100644 index 0000000..85b61f8 --- /dev/null +++ b/Rev/dynamic/license_validator/validator.c 
@@ -0,0 +1,90 @@ +#include +#include + +/* +#include +#include +char brand[] = "http://www.julioauto.com/rants/anti_ptrace.htm"; +void anti_ptrace(void) +{ + pid_t child; + if(getenv("LD_PRELOAD")) + while(1); + child = fork(); + if (child){ + wait(NULL); + }else { + if (ptrace(PTRACE_TRACEME, 0, 1, 0) == -1) + while(1); + exit(0); + } + if (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1) + while(1); +} +*/ + + +char xor(char a, char b) +{ + return a ^ b; +} + + +int checkLicense(void) +{ + char c; + if ( ((c = getchar(), (c >= 0)) && xor(c, 'A') == ('S' ^ 'A')) ){ + if ( ((c = getchar(), (c >= 0)) && xor(c, 'J') == ('C' ^ 'J')) ){ + if ( ((c = getchar(), (c < 0)) || xor(c, 'A') != ('R' ^ 'A')) ){ + if ( ((c = getchar(), (c < 0)) || xor(c, '7') != ('U' ^ '7')) ){ + return -1; + } else { + return -1; + } + } else { + if ( ((c = getchar(), (c >= 0)) && xor(c, '7') == ('T' ^ '7')) ){ + return 0; + }else { + return -1; + } + } + } else { + if ( ((c = getchar(), (c < 0)) || xor(c, 'A') != ('T' ^ 'A')) ){ + return -1; + } else { + return -1; + } + } + } else { + if ( ((c = getchar(), (c < 0)) || xor(c, 'J') != ('Z' ^ 'J')) ){ + if ( ((c = getchar(), (c >= 0)) && xor(c, 'A') == ('J' ^ 'A')) ){ + return -1; + } else { + return -1; + } + } else { + if ( ((c = getchar(), (c >= 0)) && xor(c, 'A') == ('1' ^ 'A')) ){ + return -1; + } else { + return -1; + } + } + } +} + + +int main(int argc, char *argv[]) +{ + /* + sleep(1); + anti_ptrace(); + */ + printf("Please enter your license key: "); + if (checkLicense() < 0) { + printf("\nInvalid license key!\n"); + exit(EXIT_FAILURE); + } else { + printf("\nCorrect and valid license key!\n"); + exit(EXIT_SUCCESS); + } +} diff --git a/Rev/dynamic/pwnable/README.md b/Rev/dynamic/pwnable/README.md new file mode 100644 index 0000000..e03dfbf --- /dev/null +++ b/Rev/dynamic/pwnable/README.md 
@@ -0,0 +1,25 @@ +# pwnable - collision challenge + +> Daddy told me about cool MD5 hash collision today. +> I wanna do something like that too! +> +> See challenge: http://pwnable.kr/play.php + +This challenge involved adding a binary that required a 20-byte input, which fed to a `check_password` +function that determined if it was equal to a local variable, `hashcode`. + +The concrete solution for this challenge would be to induce a hash collision by doing some math +and figuring out integers that are in total equal to the value in `hashcode`, 0x21DD09EC. + +With Manticore, we can instead have a solver compute concrete inputs that satisfy the constraint for the path that reveals +the flag. Through symbolic execution, we can have various edge cases that causes a hash collision and triggers the code path, +so in order to combat unreadable characters, we can constrain the result to include only valid ASCII characters. + +``` +$ python test.py +... +EDGE CASE: b'\xf5\x15^\x80\xfc?\x01\xd7@\xe1{C@\xfd\xfeB{\xd5\x02D' + +$ ./col `echo -n -e "\xf5\x15^\x80\xfc?\x01\xd7@\xe1{C@\xfd\xfeB{\xd5\x02D"` +daddy! I just managed to create a hash collision :) +``` diff --git a/Rev/dynamic/pwnable/col b/Rev/dynamic/pwnable/col new file mode 100755 index 0000000..759d9ee Binary files /dev/null and b/Rev/dynamic/pwnable/col differ diff --git a/Rev/dynamic/pwnable/win.py b/Rev/dynamic/pwnable/win.py new file mode 100644 index 0000000..5a73ba8 --- /dev/null +++ b/Rev/dynamic/pwnable/win.py 
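Review bot: the sample run in this README contradicts the sentence above it. The text says the solver is constrained "to include only valid ASCII characters", but the printed edge case `b'\xf5\x15^\x80\xfc?...'` contains bytes at or above `0x80`, and `win.py` in this same change constrains every byte to `0x20..0x7d`, so the output either predates the constraint or came from another script; please regenerate it. The command shown is `python test.py` while the file added is `win.py`. The backtick substitution passed to `./col` also relies on the shell not word-splitting the 20 bytes; space (`0x20`) is permitted by the constraint, so quote the substitution (`./col "$(echo -n -e ...)"`) or exclude `0x20`. Finally, the README's own description (a 20-byte input whose "integers ... in total" must equal `0x21DD09EC`) implies the check sums five 32-bit words of the input; stating that explicitly explains why the input must be exactly 20 bytes.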
@@ -0,0 +1,70 @@ +#!/usr/bin/env python3.6 +""" +pwnable - collision challenge + + $ python win.py + + Solves collision challenge from pwnable.kr, + using symbolic execution to determine edge cases that + can trigger a hash collision. + +""" +from manticore.native import Manticore +from manticore.core.smtlib import operators + +m = Manticore("./col", ["+" * 20]) +m.verbosity(2) + +m.context["solution"] = None +m.context["argv1"] = None + + +@m.init +def init(initial_state): + """ define constraints for symbolic ARGV before execution """ + + # determine argv[1] from state.input_symbols by label name + argv1 = next(sym for sym in initial_state.input_symbols if sym.name == "ARGV1") + if argv1 is None: + raise Exception("ARGV was not made symbolic") + + # apply constraint for only ASCII characters + for i in range(20): + initial_state.constrain( + operators.AND(ord(" ") <= argv1[i], argv1[i] <= ord("}")) + ) + + # store argv1 in global state + with m.locked_context() as context: + context["argv1"] = argv1 + + +# add fail_state callback to abandon +# paths we don't care about +def fail_state(state): + print("Fail state! Abandoning.") + state.abandon() + +for addr in [0x400C2F, 0x400BE7, 0x400BAC]: + m.add_hook(addr, fail_state) + + +@m.hook(0x400BA6) +def skip_syscalls(state): + """ skip error-checking syscalls """ + state.cpu.EIP = 0x400BFA + + +@m.hook(0x400C1C) +def success_state(state): + """ since input is symbolicated in argv, we search in + state.input_symbols to find the label """ + with m.locked_context() as context: + context["solution"] = state.solve_one(context["argv1"], 20) + m.kill() + + + +# run Manticore, and print solution +m.run() +print("EDGE CASE: ", m.context["solution"]) diff --git a/Rev/dynamic/se_example.c b/Rev/dynamic/se_example.c new file mode 100644 index 0000000..f56368a --- /dev/null +++ b/Rev/dynamic/se_example.c 
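Review bot: in `init()` of `win.py`, `next(sym for sym in initial_state.input_symbols if sym.name == "ARGV1")` raises `StopIteration` when no such symbol exists, so the `if argv1 is None` guard under it is dead code; pass a default (`next((...), None)`) if the `raise Exception("ARGV was not made symbolic")` path is meant to be reachable. `skip_syscalls` writes `state.cpu.EIP`, but `col` is loaded at `0x400000` and is a 64-bit binary whose program counter is `RIP`; the architecture-neutral `state.cpu.PC = 0x400BFA` avoids depending on a 32-bit alias. Consider `state.abandon()` in `success_state` after storing the solution instead of `m.kill()` from inside a hook, and document how `0x400BA6`, `0x400BFA`, `0x400C1C` and the three failure addresses were obtained, since they are specific to the shipped `col`.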
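Review bot: `se_example.c` is labelled pseudocode but is close enough to C that readers will try to compile it: `int(argv[0])` is not C (and `argv[0]` is the program name, so the two inputs are `atoi(argv[1])` and `atoi(argv[2])`), and `int z = x + y`, `foo(z)` and `bar(z)` lack semicolons. Either keep it clearly non-compilable (rename to `.txt`, or wrap it in a comment) or make it compile so the path condition the header describes (`x < 5 && y < 5` versus its negation, with symbolic `z = x + y`) can be run through a real executor. Typo in the header comment: "would represents" should be "would represent".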
@@ -0,0 +1,33 @@ +/* + * Symbolic Execution Pseudocode Example + * + * Demonstrates how a symbolic executor would + * represents symbolic expressions and path constraints during + * its execution. + */ + + +void foo(int z) +{ + fail("%d is less than 10! Bad!", z); +} + + +void bar(int z) +{ + doSomething(z); + exitSuccessfully(); +} + + +int main(int argc, char *argv[]) +{ + int x = int(argv[0]); + int y = int(argv[1]); + + int z = x + y + if (x < 5 && y < 5) + foo(z) + else + bar(z) +} diff --git a/Rev/dynamic/str_ops/debugging_notes b/Rev/dynamic/str_ops/debugging_notes new file mode 100644 index 0000000..753c5fc --- /dev/null +++ b/Rev/dynamic/str_ops/debugging_notes @@ -0,0 +1,5 @@ +find flag length +point out important basic blocks +set b at 0x400759 before cmp +inspect memory at rax 0x601080 +only analyze a few bytes to avoid boredom diff --git a/Rev/dynamic/str_ops/script.gdb b/Rev/dynamic/str_ops/script.gdb new file mode 100755 index 0000000..a48a6ed --- /dev/null +++ b/Rev/dynamic/str_ops/script.gdb 
@@ -0,0 +1,150 @@ +gdb strops.bin \ + -ex "b *0x400795" \ + -ex "r" \ + -ex "set \$rax=\$rdx" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex 
"echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "set \$rax=\$rdx" \ + -ex "echo $rax" \ + -ex "c" \ + -ex "q" diff --git a/Rev/dynamic/str_ops/strops.bin b/Rev/dynamic/str_ops/strops.bin new file mode 100755 index 0000000..3fdc41e Binary files /dev/null and b/Rev/dynamic/str_ops/strops.bin differ diff --git a/Rev/dynamic/visualize/hard_symex b/Rev/dynamic/visualize/hard_symex new file mode 100755 index 0000000..88f4ca5 Binary files /dev/null and b/Rev/dynamic/visualize/hard_symex differ diff --git a/Rev/dynamic/visualize/hard_visual.c b/Rev/dynamic/visualize/hard_visual.c new file mode 100644 index 0000000..3b61666 --- /dev/null +++ b/Rev/dynamic/visualize/hard_visual.c 
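Review bot: `-ex "echo $rax"` in `script.gdb` prints nothing. The whole script is a double-quoted shell string, so `$rax` is expanded by the shell (to empty) before gdb sees it, unlike the escaped `\$rax` in the `set` commands, and gdb's `echo` prints literal text anyway; use `-ex "p \$rax"` or `-ex "output \$rax"`. The dozens of repeated `set \$rax=\$rdx` / `c` pairs should be a `commands` block on the breakpoint (`b *0x400795`, then `commands`, `set $rax=$rdx`, `p/c $rdx`, `continue`, `end`), which also removes the hidden dependence on the flag length. The breakpoint address `0x400795` disagrees with `debugging_notes`, which says to break at `0x400759` before the `cmp`; one of the two is a typo. The file is mode `100755` but has no shebang, so add `#!/bin/sh`.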
@@ -0,0 +1,40 @@ +#include +#include +#include + +void win(){ + puts("yaaaay you win!!!\n"); + exit(0); +} + +void lose(){ + puts("You do not win : /"); + exit(0); +} + +int32_t get_number() { + char buf[0x80]; + fgets(buf, sizeof(buf), stdin); + return strtol(buf, NULL, 10); +} + +void main(){ + int score = 1337; + int32_t input = get_number(); + input += 69; + input -= 420; + input -= 1; + input += 123; + input -= 420; + input += 420; + input -= 7; + input -= 1337; + input += 5; + input -= 8; + input += 69; + if (input == score) { + win(); + } else { + lose(); + } +} diff --git a/Rev/dynamic/visualize/hard_z3.py b/Rev/dynamic/visualize/hard_z3.py new file mode 100755 index 0000000..d6c66ed --- /dev/null +++ b/Rev/dynamic/visualize/hard_z3.py @@ -0,0 +1,22 @@ +#!/usr/bin/env python +from z3 import * + +s = Solver() +alpha = Int("alpha") + +op1 = alpha + 0x45 +op2 = op1 - 0x1a4 +op3 = op2 - 1 +op4 = op3 + 0x7b +op5 = op4 - 0x1a4 +op6 = op5 + 0x1a4 +op7 = op6 - 0x7 +op8 = op7 - 0x539 +op9 = op8 + 5 +op10 = op9 - 8 +op11 = op10 + 0x45 + +s.add(op11 == 0x539) + +assert(s.check()) +print s.model()[alpha] diff --git a/Rev/dynamic/visualize/visual.c b/Rev/dynamic/visualize/visual.c new file mode 100644 index 0000000..e079e53 --- /dev/null +++ b/Rev/dynamic/visualize/visual.c @@ -0,0 +1,29 @@ +#include +#include +#include + +void win(){ + puts("yaaaay you win!!!\n"); + exit(0); +} + +void lose(){ + puts("You do not win : /"); + exit(0); +} + +int32_t get_number() { + char buf[0x80]; + fgets(buf, sizeof(buf), stdin); + return strtol(buf, NULL, 10); +} + +void main(){ + int32_t score = 1337; + int32_t input = get_number(); + if (input > score){ + win(); + } else { + lose(); + } +} diff --git a/Rev/dynamic/visualize/visual_symex b/Rev/dynamic/visualize/visual_symex new file mode 100755 index 0000000..93a711c Binary files /dev/null and b/Rev/dynamic/visualize/visual_symex differ 
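Review bot: `assert(s.check())` in `hard_z3.py` can never fail, because `Solver.check()` returns a `CheckSatResult` (`sat`, `unsat` or `unknown`) and all three are truthy; write `assert s.check() == sat`, and use `print(s.model()[alpha])` if the file should run under Python 3 like the other solvers in this change. Modelling `alpha` as an unbounded `Int` also differs from the C source, where `input` is `int32_t` and the additions wrap. Here the chain `+69 -420 -1 +123 -420 +420 -7 -1337 +5 -8 +69` collapses to `input - 1507`, so the single solution `2844` is in range and correct, but `BitVec("alpha", 32)` would give the solver the same overflow semantics as the binary for the general case. In both `.c` files `void main()` should be `int main(void)`, the stripped `#include` lines need `<stdio.h>`, `<stdlib.h>` and `<stdint.h>`, and `get_number` ignores a `NULL` return from `fgets`, in which case `strtol` parses uninitialised stack memory.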
diff --git a/Rev/intro/Practical Assembly from the Ground Up.pdf b/Rev/intro/Practical Assembly from the Ground Up.pdf new file mode 100644 index 0000000..25e44e2 Binary files /dev/null and b/Rev/intro/Practical Assembly from the Ground Up.pdf differ diff --git a/Rev/intro/Reverse Engineering, Part 1.pdf b/Rev/intro/Reverse Engineering, Part 1.pdf new file mode 100644 index 0000000..bbfc535 Binary files /dev/null and b/Rev/intro/Reverse Engineering, Part 1.pdf differ diff --git a/Rev/intro/hello.c b/Rev/intro/hello.c new file mode 100644 index 0000000..f2c1a27 --- /dev/null +++ b/Rev/intro/hello.c @@ -0,0 +1,6 @@ +#include + +int main() { + puts("hello world"); + return 0; +} diff --git a/Rev/intro/rev1 b/Rev/intro/rev1 new file mode 100755 index 0000000..7a0e102 Binary files /dev/null and b/Rev/intro/rev1 differ diff --git a/Rev/intro/rev2 b/Rev/intro/rev2 new file mode 100755 index 0000000..6036195 Binary files /dev/null and b/Rev/intro/rev2 differ diff --git a/Rev/intro/rev3 b/Rev/intro/rev3 new file mode 100755 index 0000000..68f8df7 Binary files /dev/null and b/Rev/intro/rev3 differ diff --git a/Rev/static/Reverse Engineering, Part 2.pdf b/Rev/static/Reverse Engineering, Part 2.pdf new file mode 100644 index 0000000..d5a1534 Binary files /dev/null and b/Rev/static/Reverse Engineering, Part 2.pdf differ diff --git a/Rev/static/chal b/Rev/static/chal new file mode 100755 index 0000000..32f6663 Binary files /dev/null and b/Rev/static/chal differ diff --git a/Web/ClientSide.pdf b/Web/ClientSide.pdf new file mode 100644 index 0000000..6fd3165 Binary files /dev/null and b/Web/ClientSide.pdf differ diff --git a/Web/NewClientSide.pdf b/Web/NewClientSide.pdf new file mode 100644 index 0000000..2cd2b45 Binary files /dev/null and b/Web/NewClientSide.pdf differ diff --git a/Web/ServerSide.pdf b/Web/ServerSide.pdf new file mode 100644 index 0000000..d45afb2 Binary files /dev/null and b/Web/ServerSide.pdf differ 
diff --git a/Web/Web 201.pdf b/Web/Web 201.pdf new file mode 100644 index 0000000..19fe4d7 Binary files /dev/null and b/Web/Web 201.pdf differ diff --git a/Web/chals/workshop1/Dockerfile b/Web/chals/workshop1/Dockerfile new file mode 100644 index 0000000..bfac5b8 --- /dev/null +++ b/Web/chals/workshop1/Dockerfile @@ -0,0 +1,21 @@ +FROM ubuntu:18.04 + +MAINTAINER Kent Ma + +RUN apt-get update -y && \ + apt-get install -y python-pip python-dev libgmp3-dev libmpfr-dev libmpc-dev + +# We copy just the requirements.txt first to leverage Docker cache +COPY ./requirements.txt /app/requirements.txt +COPY flag.txt /flag.txt + +WORKDIR /app + +RUN pip install -r requirements.txt + +COPY /site /app +EXPOSE 5000 + +ENTRYPOINT [ "python" ] + +CMD [ "app.py" ] diff --git a/Web/chals/workshop1/challenge.json b/Web/chals/workshop1/challenge.json new file mode 100644 index 0000000..104fcf7 --- /dev/null +++ b/Web/chals/workshop1/challenge.json @@ -0,0 +1,9 @@ +{ + "name":"lfi", + "category":"Web", + "description":"Read /flag.txt from the server. \n`http://recruit.osiris.cyber.nyu.edu:2001`", + "flag":"flag{sh0ut0ut_t0_3g1003_4_b3ing_an_3xampl3}", + "points":30, + "files":[], + "unlocked_by":"view source" +} diff --git a/Web/chals/workshop1/flag.txt b/Web/chals/workshop1/flag.txt new file mode 100644 index 0000000..bfb2592 --- /dev/null +++ b/Web/chals/workshop1/flag.txt @@ -0,0 +1 @@ +flag{locally_included_from_recruit} diff --git a/Web/chals/workshop1/requirements.txt b/Web/chals/workshop1/requirements.txt new file mode 100644 index 0000000..8ca2452 --- /dev/null +++ b/Web/chals/workshop1/requirements.txt @@ -0,0 +1,6 @@ +Click==7.0 +Flask==1.0.2 +itsdangerous==0.24 +Jinja2==2.10 +MarkupSafe==1.0 +Werkzeug==0.14.1 diff --git a/Web/chals/workshop1/site/app.py b/Web/chals/workshop1/site/app.py new file mode 100644 index 0000000..a07c6b7 --- /dev/null +++ b/Web/chals/workshop1/site/app.py 
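Review bot: `challenge.json` for workshop1 declares `flag{sh0ut0ut_t0_3g1003_4_b3ing_an_3xampl3}` while the `flag.txt` copied to `/flag.txt` by the Dockerfile contains `flag{locally_included_from_recruit}`, so a correct solve is rejected by the scoreboard; pick one, and preferably inject the flag at deploy time instead of committing it. `Jinja2==2.10` here versus `Jinja2==2.10.1` in workshop2's requirements: align on the newer pin unless the older one is deliberate. `MAINTAINER` is deprecated in favour of `LABEL maintainer=...`, and `apt-get install python-pip` on `ubuntu:18.04` yields Python 2.7, which is what `ENTRYPOINT ["python"]` runs; say so if intended, because the sibling scripts carry `python3` shebangs.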
@@ -0,0 +1,22 @@ +from flask import Flask, request, send_file, abort +import os.path + +app = Flask(__name__) + +@app.route('/', methods=['GET']) +def index(): + if 'page' in request.args: + page = request.args['page'] + else: + page = 'index.html' + page = './pages/' + page + if not os.path.isfile(page): + abort(404) + + + return send_file(page) + + + +if __name__ == "__main__": + app.run(host="0.0.0.0") diff --git a/Web/chals/workshop1/site/pages/index.html b/Web/chals/workshop1/site/pages/index.html new file mode 100644 index 0000000..110587e --- /dev/null +++ b/Web/chals/workshop1/site/pages/index.html @@ -0,0 +1,163 @@ + + +W3.CSS Template + + + + + + + + + +
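Review bot: the traversal in `index()` (`page = './pages/' + page` followed by `send_file(page)`) is the intended LFI and should stay, but mark it with a comment, because `os.path.isfile(page)` reads like a guard and a later cleanup will otherwise "fix" the challenge away. One detail worth recording for the solution: Flask 1.x `send_file` resolves a relative path against `app.root_path` (`/app` via the Dockerfile's `WORKDIR`), while `os.path.isfile` uses the process CWD, so `?page=../../flag.txt` reaches `/flag.txt` only because the site lives in `/app`; launch the app from elsewhere and the payload depth (or the `isfile` check) changes. For readers comparing, the hardened form is `send_from_directory('pages', page)`, which rejects `..` segments.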
+ + + + +
+ + +
+
+ CRYPTO +
+
+ + +
+

ABOUT ME

+

I love hacking

+

+ Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. +

+
+
+

Me (Crypto)


+ Photo of Me +
+ + +
+

Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. Welcome to my website. I am a programmer who aspires to create programs that help people do less. I want to put automation first, and scalability alongside. I dream of a world where the endless and the infinite become realities to mankind, and where the true value of life is preserved. +

+
+
+

Im really good at:

+

Copying from W3schools.com

+
+
100%
+
+

Web Design

+
+
85%
+
+

Information Security

+
+
25%
+
+
+ +
+
+ 2+
+ Partners +
+
+ 0+
+ Projects Done +
+
+ 0+
+ Happy Clients +
+
+ 150+
+ Meetings +
+
+ + +
+
+ + + + + + +
+

Powered by w3.css

+
+ + + + + + diff --git a/Web/chals/workshop1/site/pages/me.jpg b/Web/chals/workshop1/site/pages/me.jpg new file mode 100644 index 0000000..9b1b9bd Binary files /dev/null and b/Web/chals/workshop1/site/pages/me.jpg differ diff --git a/Web/chals/workshop1/site/pages/projects.html b/Web/chals/workshop1/site/pages/projects.html new file mode 100644 index 0000000..74bb5bb --- /dev/null +++ b/Web/chals/workshop1/site/pages/projects.html @@ -0,0 +1,93 @@ + + +W3.CSS Template + + + + + + + + + + + + +
+

PROJECTS

+

I love hacking

+

lol

+
+ + + + + + + diff --git a/Web/chals/workshop2/Dockerfile b/Web/chals/workshop2/Dockerfile new file mode 100644 index 0000000..82f5104 --- /dev/null +++ b/Web/chals/workshop2/Dockerfile @@ -0,0 +1,21 @@ +FROM ubuntu:18.04 + +MAINTAINER Ghost + +RUN apt-get update -y && \ + apt-get install -y python-pip python-dev + +# We copy just the requirements.txt first to leverage Docker cache +COPY ./requirements.txt /app/requirements.txt +COPY flag.txt /flag.txt + +WORKDIR /app + +RUN pip install -r requirements.txt + +COPY /site /app +EXPOSE 5000 + +ENTRYPOINT [ "python" ] + +CMD [ "app.py" ] diff --git a/Web/chals/workshop2/challenge.json b/Web/chals/workshop2/challenge.json new file mode 100644 index 0000000..baf6523 --- /dev/null +++ b/Web/chals/workshop2/challenge.json @@ -0,0 +1,9 @@ +{ + "name":"Template Programming", + "category":"Web", + "description":"Read /flag.txt from the server. http://recruit.osiris.cyber.nyu.edu:2000", + "flag":"flag{d0n't_eval_us3r_1nput!}", + "points":100, + "files":["site/app.py"], + "unlocked_by":"SQLi" +} diff --git a/Web/chals/workshop2/flag.txt b/Web/chals/workshop2/flag.txt new file mode 100644 index 0000000..5acd40e --- /dev/null +++ b/Web/chals/workshop2/flag.txt @@ -0,0 +1 @@ +flag{insert_flag_here} diff --git a/Web/chals/workshop2/requirements.txt b/Web/chals/workshop2/requirements.txt new file mode 100644 index 0000000..d2f917e --- /dev/null +++ b/Web/chals/workshop2/requirements.txt @@ -0,0 +1,6 @@ +Click==7.0 +Flask==1.0.2 +itsdangerous==0.24 +Jinja2==2.10.1 +MarkupSafe==1.0 +Werkzeug==0.14.1 diff --git a/Web/chals/workshop2/site/app.py b/Web/chals/workshop2/site/app.py new file mode 100755 index 0000000..e329cbc --- /dev/null +++ b/Web/chals/workshop2/site/app.py 
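Review bot: same flag mismatch as workshop1: `challenge.json` for workshop2 declares `flag{d0n't_eval_us3r_1nput!}` while the `flag.txt` copied to `/flag.txt` contains `flag{insert_flag_here}`, so the deployed container never serves the flag the scoreboard expects. Also `"files":["site/app.py"]` publishes the source to players while `"unlocked_by":"SQLi"` references a challenge that is not in this change; confirm both are intended.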
@@ -0,0 +1,17 @@ +#!/usr/bin/env python3 + +from flask import Flask, request, abort, render_template_string +import os.path + +app = Flask(__name__) + +@app.route('/', methods=['GET']) +def index(): + name = request.args.get('name') + if name is not None: + return render_template_string(open('templates/hello.html').read().format(name=name)) + + return render_template_string(open('templates/index.html').read()) + +if __name__ == "__main__": + app.run(host="0.0.0.0") diff --git a/Web/chals/workshop2/site/templates/hello.html b/Web/chals/workshop2/site/templates/hello.html new file mode 100644 index 0000000..868e66b --- /dev/null +++ b/Web/chals/workshop2/site/templates/hello.html @@ -0,0 +1,8 @@ + + + Hello! + + +
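Review bot: `render_template_string(open('templates/hello.html').read().format(name=name))` in workshop2's `app.py` is the intended SSTI (user text is spliced into the template source before Jinja parses it), so keep it, but comment it as deliberate and show the hardened form beside it for the writeup: `render_template('hello.html', name=name)` with `{{ name }}` in the file, so `name` arrives as data rather than template. Two unintended issues: the handles from `open(...)` are never closed (use `with`), and the relative `templates/...` paths depend on the CWD being `/app`, unlike `render_template`, which resolves against the app's template folder.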
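Review bot: `info()` in workshop3's `admin.py` returns `render_template("404.html")` with HTTP 200 for non-local requests, so `/admin/` can still be fingerprinted by status code; use `abort(404)` as `admin_required` already does, at which point the inline check is redundant because `before_request` runs first. The `request.remote_addr == "127.0.0.1"` test is the trust anchor the bot in `chal_visitor.py` is meant to satisfy, so document that the app must not run behind a reverse proxy without `ProxyFix`; otherwise `remote_addr` is the proxy's address and the check is either always true (local proxy) or always false.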
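Review bot: `app.secret_key = "supersecretkey"` in workshop3's `app.py` replaces the commented-out `os.environ.get("FLASK_SECRET_KEY", os.urandom(24))`. With the key committed, anyone can mint a signed Flask session cookie carrying `username = "admin"` and pass `login_required` in `views.py` without the bot or the XSS, which is presumably not the intended solve. Restore the env-var form and set the variable at deploy time; note that the `os.urandom(24)` fallback gives each gunicorn worker a different key, so sessions would fail intermittently under a multi-worker server if the variable is unset. `import os` becomes unused with the current line.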

Hello {name}!

+ + diff --git a/Web/chals/workshop2/site/templates/index.html b/Web/chals/workshop2/site/templates/index.html new file mode 100644 index 0000000..6e81c30 --- /dev/null +++ b/Web/chals/workshop2/site/templates/index.html @@ -0,0 +1,12 @@ + + + Hello! + + +
+ +
+
+ + + diff --git a/Web/chals/workshop3/.gitignore b/Web/chals/workshop3/.gitignore new file mode 100644 index 0000000..a295864 --- /dev/null +++ b/Web/chals/workshop3/.gitignore @@ -0,0 +1,2 @@ +*.pyc +__pycache__ diff --git a/Web/chals/workshop3/chal/admin.py b/Web/chals/workshop3/chal/admin.py new file mode 100644 index 0000000..8dfc2dd --- /dev/null +++ b/Web/chals/workshop3/chal/admin.py @@ -0,0 +1,23 @@ +from functools import wraps + +from flask import Blueprint +from flask import abort, render_template, request + + +admin_page = Blueprint("admin_page", __name__, template_folder="templates") + + +def admin_required(): + if request.remote_addr != "127.0.0.1": + return abort(404) + + +@admin_page.route("/", methods=["GET", "POST"]) +def info(): + if request.remote_addr != "127.0.0.1": + return render_template("404.html") + + return render_template("admin.html") + + +admin_page.before_request(admin_required) diff --git a/Web/chals/workshop3/chal/app.py b/Web/chals/workshop3/chal/app.py new file mode 100644 index 0000000..39ac294 --- /dev/null +++ b/Web/chals/workshop3/chal/app.py @@ -0,0 +1,26 @@ +import os +from flask import Flask + +from views import views +from admin import admin_page +from models import db + + +def create_app(): + app = Flask(__name__) + # app.secret_key = os.environ.get("FLASK_SECRET_KEY", os.urandom(24)) + app.secret_key = "supersecretkey" + app.register_blueprint(views) + app.register_blueprint(admin_page, url_prefix="/admin") + app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:////tmp/chal.db" + db.init_app(app) + with app.app_context(): + db.create_all() + return app + + +app = create_app() + + +if __name__ == "__main__": + app.run("0.0.0.0", port=5000) diff --git a/Web/chals/workshop3/chal/chal_visitor.py b/Web/chals/workshop3/chal/chal_visitor.py new file mode 100644 index 0000000..a49aa29 --- /dev/null +++ b/Web/chals/workshop3/chal/chal_visitor.py 
@@ -0,0 +1,32 @@ +import requests + +from selenium import webdriver +from selenium.webdriver.firefox.options import Options + +from chal import BOT_USER_USERNAME, BOT_USER_PASSWORD + +LINK_ELEMENT_NAME = "post-link" + + +def botuser(base_url): + options = Options() + options.headless = True + driver = webdriver.Firefox(options=options) + try: + if base_url[-1] != "/": + base_url += "/" + url = base_url + "login" + + r = requests.post( + url, + data={"username": BOT_USER_USERNAME, "password": BOT_USER_PASSWORD}, + allow_redirects=False, + ) + cookie = r.cookies.get_dict() + driver.get(base_url) + driver.add_cookie({"name": "session_data", "value": cookie["session_data"]}) + driver.get(base_url) + except Exception: + pass + finally: + driver.quit() diff --git a/Web/chals/workshop3/chal/db.py b/Web/chals/workshop3/chal/db.py new file mode 100644 index 0000000..e1fcf20 --- /dev/null +++ b/Web/chals/workshop3/chal/db.py 
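Review bot: `from chal import BOT_USER_USERNAME, BOT_USER_PASSWORD` has no matching `chal.py` under `Web/chals/workshop3/chal/` in this change (the `chal.py` added under `Web/clientsidechals/` defines neither name), so the module fails at import. `cookie["session_data"]` will `KeyError` as well, because Flask's session cookie is named `session` unless `SESSION_COOKIE_NAME` is configured (it is not in `app.py`), and the bare `except Exception: pass` swallows both failures, so the bot silently does nothing. The bot also never visits a post (`driver.get(base_url)` twice, `LINK_ELEMENT_NAME` unused) and nothing in `views.py` calls `botuser`; either wire it to `/post` or leave it out until `post()` is finished.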
@@ -0,0 +1,55 @@ +import bcrypt +from models import db, User, Post + + +def add_user(username, password): + user = User.query.filter_by(username=username).first() + if user: + return (False, "User already exists") + + hashed = bcrypt.hashpw(password.encode("utf-8"), bcrypt.gensalt()) + + new_usr = User(username=username, password=hashed) + db.session.add(new_usr) + db.session.commit() + return (True, "User created") + + +def user_exists(username): + user = User.query.filter_by(username=username).first() + if not user: + return (False, "User does not exist") + + return (True, "User exists") + + +def check_user(username, password): + user = User.query.filter_by(username=username).first() + + if not user: + return (False, "User does not exist") + + if bcrypt.checkpw(password.encode("utf-8"), user.password): + return (True, user.username) + else: + return (False, "Invalid password") + + +def make_post(username, contents, preview=None): + pass + + +def get_post(post_id, username): + user = User.query.filter_by(username=username).first() + if not user: + return (False, "Please log in to see posts") + + post = Post.query.filter( + (Post.id == post_id) + & (user.username == "admin" | Post.posted_by == user.username) + ).first() + if post: + return + result = {"posted_by": post.posted_by, "id": post.id, "content": post.content} + + return (True, result) diff --git a/Web/chals/workshop3/chal/models.py b/Web/chals/workshop3/chal/models.py new file mode 100644 index 0000000..1c9c891 --- /dev/null +++ b/Web/chals/workshop3/chal/models.py 
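Review bot: `get_post` has its success check inverted: `if post: return` exits with `None` when the post exists and falls through to `post.posted_by` (an `AttributeError` on `None`) when it does not; it should be `if not post: return (False, "Post not found")`. The filter `(user.username == "admin" | Post.posted_by == user.username)` is mis-parenthesised, since `|` binds tighter than `==` and Python evaluates `"admin" | Post.posted_by` first; write `((user.username == "admin") | (Post.posted_by == user.username))`, or better branch in Python (`if user.username != "admin": query = query.filter(Post.posted_by == user.username)`) because `user.username == "admin"` is a plain bool, not a SQL clause. The signature `get_post(post_id, username)` does not match the one-argument call in `views.py`, and `make_post` is a `pass` stub while `views.post()` depends on it.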
@@ -0,0 +1,17 @@ +from flask_sqlalchemy import SQLAlchemy + +db = SQLAlchemy() + + +class User(db.Model): + __tablename__ = "user" + username = db.Column(db.String(100), unique=True, nullable=False, primary_key=True) + password = db.Column(db.String(100), nullable=False) + + +class Post(db.Model): + __tablename__ = "post" + id = db.Column(db.Integer, primary_key=True) + posted_by = db.Column(db.String(100), db.ForeignKey("user.username")) + content = db.Column(db.String(280)) + page_preview = db.Column(db.String(200)) diff --git a/Web/chals/workshop3/chal/templates/404.html b/Web/chals/workshop3/chal/templates/404.html new file mode 100644 index 0000000..7da6c4b --- /dev/null +++ b/Web/chals/workshop3/chal/templates/404.html @@ -0,0 +1,5 @@ +{% extends "base.html" %} +{% block title %}404{% endblock %} +{% block body %} + +{% endblock %} diff --git a/Web/chals/workshop3/chal/templates/admin.html b/Web/chals/workshop3/chal/templates/admin.html new file mode 100644 index 0000000..3f28f7b --- /dev/null +++ b/Web/chals/workshop3/chal/templates/admin.html @@ -0,0 +1,6 @@ +{% extends "base.html" %} +{% block title %}Admin{% endblock%} +{% block body %} + +{% endblock %} + diff --git a/Web/chals/workshop3/chal/templates/base.html b/Web/chals/workshop3/chal/templates/base.html new file mode 100644 index 0000000..76eb5fe --- /dev/null +++ b/Web/chals/workshop3/chal/templates/base.html @@ -0,0 +1,20 @@ + + + + + {% block title %}{% endblock %} + + + + {% block style %}{% endblock %} + + + + {% block body %}{% endblock %} + + + + {% block script %}{% endblock %} + + diff --git a/Web/chals/workshop3/chal/templates/index.html b/Web/chals/workshop3/chal/templates/index.html new file mode 100644 index 0000000..2421998 --- /dev/null +++ b/Web/chals/workshop3/chal/templates/index.html @@ -0,0 +1,12 @@ +{% extends "base.html" %} +{% block title %}Hello{% endblock%} +{% block body %} +
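Review bot: `User.password` is declared `db.String(100)`, but `add_user` in `db.py` stores the `bytes` returned by `bcrypt.hashpw`, and `check_user` hands the stored value straight to `bcrypt.checkpw`, which requires `bytes`; depending on the driver the column comes back as `str` and `checkpw` raises `TypeError`. Declare the column `db.LargeBinary`, or `.decode()` on store and `.encode()` on check. `templates/view.html` also renders `post.posted_by` and `post.content` unconditionally, while `view_post` passes `post=None` when `id` is missing or non-numeric, and its `{% block title %}` is empty.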
+
+ + +
+
+ +{% endblock %} + diff --git a/Web/chals/workshop3/chal/templates/login.html b/Web/chals/workshop3/chal/templates/login.html new file mode 100644 index 0000000..480a90f --- /dev/null +++ b/Web/chals/workshop3/chal/templates/login.html @@ -0,0 +1,26 @@ +{% extends "base.html" %} +{% block title %}Login{% endblock%} +{% block body %} +
+
+
Login
+ {% if err %} + + {% endif %} + +
+ +
+
+ +
+ + + +

New? Create an account.

+
+ +
+ +{% endblock %} + diff --git a/Web/chals/workshop3/chal/templates/register.html b/Web/chals/workshop3/chal/templates/register.html new file mode 100644 index 0000000..b0677bd --- /dev/null +++ b/Web/chals/workshop3/chal/templates/register.html @@ -0,0 +1,29 @@ +{% extends "base.html" %} +{% block title %}Register{% endblock%} +{% block body %} +
+ +
+
Register
+ {% if err %} + + {% endif %} +
+
+ +
+
+ +
+
+ +
+ + +
+
+ +
+ +{% endblock %} + diff --git a/Web/chals/workshop3/chal/templates/view.html b/Web/chals/workshop3/chal/templates/view.html new file mode 100644 index 0000000..b9ad536 --- /dev/null +++ b/Web/chals/workshop3/chal/templates/view.html @@ -0,0 +1,9 @@ +{% extends "base.html" %} +{% block title %}{% endblock %} + +{% block body %} + +{{ post.posted_by }} +{{ post.content }} + +{% endblock %} diff --git a/Web/chals/workshop3/chal/views.py b/Web/chals/workshop3/chal/views.py new file mode 100644 index 0000000..7cb0e1a --- /dev/null +++ b/Web/chals/workshop3/chal/views.py 
@@ -0,0 +1,111 @@ +from functools import wraps +import requests + +from flask import Blueprint +from flask import redirect, url_for, request, render_template, session, make_response + +from db import add_user, check_user, user_exists, get_post + +views = Blueprint("views", __name__, template_folder="templates") + + +def apply_csp(f): + @wraps(f) + def decorated_func(*args, **kwargs): + resp = make_response(f(*args, **kwargs)) + + csp = "; ".join( + [ + "default-src 'self'", + "style-src 'self' stackpath.bootstrapcdn.com", + "script-src 'self' stackpath.bootstrapcdn.com cdnjs.cloudflare.com code.jquery.com", + ] + ) + + resp.headers["Content-Security-Policy"] = csp + return resp + + return decorated_func + + +def login_required(f): + @wraps(f) + def decorated_func(*args, **kwargs): + uname = session.get("username") + if not uname or not user_exists(uname): + return redirect(url_for("views.login")) + return f(*args, **kwargs) + + return decorated_func + + +@views.route("/") +@login_required +@apply_csp +def index(): + return render_template("index.html") + + +def get_preview(contents): + pass + + +@views.route("/post", methods=["GET", "POST"]) +@login_required +@apply_csp +def post(): + if request.method == "POST": + uname = session.get("username") + contents = request.form.get("contents") + preview = get_preview(contents) + + +@views.route("/view") +@login_required +@apply_csp +def view_post(): + post_id = request.args.get("id", None) + post = None + + if post_id is not None: + if post_id.isdigit(): + post_id = int(post_id) + + ok, post = get_post(post_id) + + return render_template("view.html", post=post) + + +@views.route("/login", methods=["GET", "POST"]) +def login(): + uname = session.get("username") + if uname and user_exists(uname): + return redirect("/") + err = None + if request.method == "POST": + username = request.form.get("username", None) + password = request.form.get("password", None) + + ok, err = check_user(username, password) + if ok: + 
session["username"] = username + return redirect("/") + + return render_template("login.html", err=err) + + +@views.route("/register", methods=["GET", "POST"]) +def register(): + err = None + if request.method == "POST": + username = request.form.get("username", None) + password = request.form.get("password", None) + confirm = request.form.get("confirm-password", None) + if password != confirm: + return render_template("register.html", err="Passwords don't match") + + ok, err = add_user(username, password) + if ok: + return redirect(url_for("views.login")) + + return render_template("register.html", err=err) diff --git a/Web/chals/workshop3/flag.txt b/Web/chals/workshop3/flag.txt new file mode 100644 index 0000000..b7d94de --- /dev/null +++ b/Web/chals/workshop3/flag.txt @@ -0,0 +1 @@ +flag{now_go_do_recruit} diff --git a/Web/chals/workshop3/requirements.txt b/Web/chals/workshop3/requirements.txt new file mode 100644 index 0000000..02637b7 --- /dev/null +++ b/Web/chals/workshop3/requirements.txt @@ -0,0 +1,17 @@ +bcrypt==3.1.6 +certifi==2018.11.29 +cffi==1.11.5 +chardet==3.0.4 +Click==7.0 +Flask==1.0.2 +Flask-SQLAlchemy==2.3.2 +idna==2.8 +itsdangerous==1.1.0 +Jinja2==2.10.1 +MarkupSafe==1.1.0 +pycparser==2.19 +requests==2.21.0 +six==1.12.0 +SQLAlchemy==1.3.0 +urllib3==1.24.2 +Werkzeug==0.14.1 diff --git a/Web/clientsidechals/.gitignore b/Web/clientsidechals/.gitignore new file mode 100644 index 0000000..7dcf2d9 --- /dev/null +++ b/Web/clientsidechals/.gitignore @@ -0,0 +1,7 @@ +__pycache__ +*.pyc +bin +lib +include +pip-selfcheck.json +geckodriver.log diff --git a/Web/clientsidechals/Dockerfile-default b/Web/clientsidechals/Dockerfile-default new file mode 100644 index 0000000..cf07587 --- /dev/null +++ b/Web/clientsidechals/Dockerfile-default 
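Review bot: `login_required` and `login()` in `views.py` test `user_exists(uname)` as a boolean, but `user_exists` returns a `(bool, message)` tuple, which is always truthy, so `not user_exists(uname)` is never true and any `session["username"]` value is accepted; unpack it (`ok, _ = user_exists(uname)` then `if not uname or not ok`). `post()` returns `None` on GET and after the POST branch (Flask raises "view function did not return a valid response"), `view_post()` calls `get_post(post_id)` with one argument against a two-argument signature and forwards the raw string when `isdigit()` is false, and `register()`/`login()` pass `None` to `add_user`/`check_user` when a form field is absent, which crashes on `password.encode`. Use `request.form.get(..., "")` and reject empty fields before hashing.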
@@ -0,0 +1,18 @@ +FROM ubuntu:18.04 +MAINTAINER tnek +RUN apt-get update +RUN apt-get install -y firefox python python-pip +COPY geckodriver /usr/local/bin +COPY requirements.txt . + +RUN pip install -r requirements.txt + +RUN pip install gunicorn + +COPY chal ./ + +EXPOSE 5000 +#ENV FLAG flag{jsonppp} +#ENV CHALLENGE_CSP "default-src 'self'; script-src *.google.com; connect-src *" + +CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:5000", "app:app"] diff --git a/Web/clientsidechals/Dockerfile-jsonp b/Web/clientsidechals/Dockerfile-jsonp new file mode 100644 index 0000000..3e78c63 --- /dev/null +++ b/Web/clientsidechals/Dockerfile-jsonp @@ -0,0 +1,18 @@ +FROM ubuntu:18.04 +MAINTAINER tnek +RUN apt-get update +RUN apt-get install -y firefox python python-pip +COPY geckodriver /usr/local/bin +COPY requirements.txt . + +RUN pip install -r requirements.txt + +RUN pip install gunicorn + +COPY chal ./ + +EXPOSE 5000 +ENV FLAG flag{jsonppp} +ENV CHALLENGE_CSP "default-src 'self'; script-src *.google.com; connect-src *" + +CMD ["gunicorn", "-w", "4", "-b", "0.0.0.0:5000", "app:app"] diff --git a/Web/clientsidechals/chal/app.py b/Web/clientsidechals/chal/app.py new file mode 100644 index 0000000..4f37406 --- /dev/null +++ b/Web/clientsidechals/chal/app.py 
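Review bot: `Dockerfile-jsonp` sets `ENV FLAG flag{jsonppp}`, but `chal/chal.py` reads `os.environ.get("CHALLENGE_FLAG", "flag{welcome_to_csp}")`, so both images serve the default `flag{welcome_to_csp}` and the JSONP variant's flag is never used; rename the variable and keep the value out of the Dockerfile (`--env-file` or a deploy-time secret). Neither Dockerfile sets `FLASK_SESSION_KEY` or `BOT_USER_PASSWORD`, so the shipped images run on the hard-coded fallbacks `someappsecretkey` (`app.py`) and `botuserpassword` (`chal_visitor.py`), which lets a player forge the session cookie or call `/botlogin?id=botuserpassword` and impersonate the bot user rather than solving the XSS. `COPY chal ./` with no `WORKDIR` drops the app into `/`, and `MAINTAINER` is deprecated.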
@@ -0,0 +1,84 @@ +import os +import uuid + +from flask import Flask, request, render_template +from flask import session, redirect, abort + +from chal_visitor import botuser, BOT_USER_PASSWORD +from chal import apply_csp, get_csp + +from db import db, get_post, get_posts, make_post + + +def create_app(): + app = Flask(__name__) + app.secret_key = os.environ.get("FLASK_SESSION_KEY", "someappsecretkey") + app.config["SQLALCHEMY_DATABASE_URI"] = "sqlite:////tmp/chal.db" + db.init_app(app) + with app.app_context(): + db.create_all() + return app + + +app = create_app() + + +@app.route("/post") +@apply_csp +def view_post(): + if "uuid" not in session: + abort(404) + + post_id = request.args.get("id", None) + if not post_id or not post_id.isdigit(): + abort(404) + + post_id = int(post_id) + ok, contents = get_post(session["uuid"], post_id) + if not ok: + abort(404) + + return render_template("post.html", contents=contents, post_id=post_id) + + +@app.route("/report") +def report(): + post_id = request.args.get("id", None) + if not post_id or not post_id.isdigit(): + abort(404) + + post_id = int(post_id) + botuser("http://127.0.0.1:5000", post_id) + return redirect("/") + + +@app.route("/botlogin") +def botlogin(): + secret_creds = request.args.get("id", None) + if secret_creds != BOT_USER_PASSWORD: + abort(404) + + session["uuid"] = "botuser" + return "ok" + + +@app.route("/", methods=["GET", "POST"]) +@apply_csp +def index(): + if request.method == "POST": + if not "uuid" in session: + session["uuid"] = str(uuid.uuid4()) + + content = request.form.get("content")[:280] + post_id = make_post(session["uuid"], content) + return redirect("/post?id=" + str(post_id)) + + posts = [] + if "uuid" in session: + posts = get_posts(session["uuid"]) + + return render_template("index.html", posts=posts, csp=get_csp()) + + +if __name__ == "__main__": + app.run("0.0.0.0", port=5000, debug=True) 
diff --git a/Web/clientsidechals/chal/chal.py b/Web/clientsidechals/chal/chal.py new file mode 100644 index 0000000..ceae8df --- /dev/null +++ b/Web/clientsidechals/chal/chal.py @@ -0,0 +1,31 @@ +import os +from functools import wraps +from flask import make_response + +FLAG = os.environ.get("CHALLENGE_FLAG", "flag{welcome_to_csp}") +CSP = os.environ.get("CHALLENGE_CSP", None) + + +def get_csp(): + if CSP is not None: + return CSP + + csp = "; ".join( + [ + "default-src 'self' 'unsafe-inline'", + "script-src " + " ".join(["'unsafe-inline'", "'self'"]), + "connect-src " + "*", + ] + ) + return csp + + +def apply_csp(f): + @wraps(f) + def decorated_func(*args, **kwargs): + resp = make_response(f(*args, **kwargs)) + resp.headers["Content-Security-Policy"] = get_csp() + + return resp + + return decorated_func diff --git a/Web/clientsidechals/chal/chal_visitor.py b/Web/clientsidechals/chal/chal_visitor.py new file mode 100644 index 0000000..70852e0 --- /dev/null +++ b/Web/clientsidechals/chal/chal_visitor.py @@ -0,0 +1,33 @@ +import os +import requests +import traceback + +from chal import FLAG +from selenium import webdriver +from selenium.webdriver.firefox.options import Options + +BOT_USER_PASSWORD = os.environ.get("BOT_USER_PASSWORD", "botuserpassword") + + +def botuser(base_url, post_id): + try: + if base_url[-1] != "/": + base_url += "/" + url = base_url + "botlogin" + + r = requests.get(url + "?id=" + BOT_USER_PASSWORD) + + cookie = r.cookies.get_dict() + + options = Options() + options.headless = True + + driver = webdriver.Firefox(options=options) + driver.get(base_url) + driver.add_cookie({"name": "session", "value": cookie["session"]}) + driver.add_cookie({"name": "flag", "value": FLAG}) + driver.get(base_url + "post?id=" + str(post_id)) + driver.quit() + + except Exception as e: + traceback.print_exc() diff --git a/Web/clientsidechals/chal/db.py b/Web/clientsidechals/chal/db.py new file mode 100644 index 0000000..726994c --- /dev/null 
+++ b/Web/clientsidechals/chal/db.py @@ -0,0 +1,24 @@ +from model import db, Post + + +def make_post(session_id, content): + new_post = Post(content=content, session_id=session_id) + db.session.add(new_post) + db.session.commit() + return new_post.id + + +def get_post(session_id, post_id): + if session_id == "botuser": + post = Post.query.filter_by(id=post_id).first() + else: + post = Post.query.filter_by(id=post_id, session_id=session_id).first() + if not post: + return (False, None) + + return (True, post.content) + + +def get_posts(session_id): + posts = Post.query.filter_by(session_id=session_id).all() + return [{"content": post.content, "id": post.id} for post in posts] diff --git a/Web/clientsidechals/chal/geckodriver.log b/Web/clientsidechals/chal/geckodriver.log new file mode 100644 index 0000000..e69de29 diff --git a/Web/clientsidechals/chal/model.py b/Web/clientsidechals/chal/model.py new file mode 100644 index 0000000..2c344e4 --- /dev/null +++ b/Web/clientsidechals/chal/model.py @@ -0,0 +1,10 @@ +from flask_sqlalchemy import SQLAlchemy + +db = SQLAlchemy() + + +class Post(db.Model): + __tablename__ = "post" + id = db.Column(db.Integer, primary_key=True) + session_id = db.Column(db.String(280)) + content = db.Column(db.String(280)) diff --git a/Web/clientsidechals/chal/templates/base.html b/Web/clientsidechals/chal/templates/base.html new file mode 100644 index 0000000..f264604 --- /dev/null +++ b/Web/clientsidechals/chal/templates/base.html @@ -0,0 +1,15 @@ + + + + {% block title %}{% endblock %} + + + + {% block style %}{% endblock %} + + {% block body %}{% endblock %} + + + diff --git a/Web/clientsidechals/chal/templates/index.html b/Web/clientsidechals/chal/templates/index.html new file mode 100644 index 0000000..869767e --- /dev/null +++ b/Web/clientsidechals/chal/templates/index.html @@ -0,0 +1,31 @@ +{% extends "base.html" %} +{% block title%}Hello{% endblock%} +{% block body %} +
CSP:

{{ csp }}

+
+ +
+
+

+ +
+
+ +
+ +
+ +Your posts: + +
    +{% if posts %} +{% for post in posts %} +
  • {{ post.content }}
  • +{% endfor %} +{% else %} +
  • You have no posts yet
  • +{% endif %} +
+
+ +{% endblock %} diff --git a/Web/clientsidechals/chal/templates/post.html b/Web/clientsidechals/chal/templates/post.html new file mode 100644 index 0000000..05b5b5c --- /dev/null +++ b/Web/clientsidechals/chal/templates/post.html @@ -0,0 +1,10 @@ +{% extends "base.html" %} +{% block title%}Hello{% endblock%} +{% block body %} +Back +Report to admin +
+
+{{ contents|safe }} +
+{% endblock %} diff --git a/Web/clientsidechals/geckodriver b/Web/clientsidechals/geckodriver new file mode 100755 index 0000000..5ad649b Binary files /dev/null and b/Web/clientsidechals/geckodriver differ diff --git a/Web/clientsidechals/geckodriver.log b/Web/clientsidechals/geckodriver.log new file mode 100644 index 0000000..b0bec78 --- /dev/null +++ b/Web/clientsidechals/geckodriver.log 
@@ -0,0 +1,65 @@ +1549576545835 mozrunner::runner INFO Running command: "/usr/bin/firefox" "-marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofile.OUy3FXaS8bio" +*** You are running in headless mode. +1549576546154 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: resource://pdf.js/ +1549576546155 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: about:reader* +1549576547365 Marionette INFO Listening on port 38485 +1549576547447 Marionette WARN TLS certificate errors will be ignored for this session +console.error: BroadcastService: + receivedBroadcastMessage: handler for + remote-settings/monitor_changes + threw error: + Message: Error: Polling for changes failed: NetworkError when attempting to fetch resource.. + Stack: + remoteSettingsFunction/remoteSettings.pollChanges@resource://services-settings/remote-settings.js:188:13 + +1549576631646 mozrunner::runner INFO Running command: "/usr/bin/firefox" "-marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofile.WiHoSlQEXb7R" +*** You are running in headless mode. +1549576631835 mozrunner::runner INFO Running command: "/usr/bin/firefox" "-marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofile.wVRzzA0zyLf8" +*** You are running in headless mode. 
+1549576631973 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: resource://pdf.js/ +1549576631973 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: about:reader* +1549576632170 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: resource://pdf.js/ +1549576632170 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: about:reader* +1549576633277 Marionette INFO Listening on port 39157 +1549576633352 Marionette WARN TLS certificate errors will be ignored for this session +1549576633573 Marionette INFO Listening on port 39675 +1549576633649 Marionette WARN TLS certificate errors will be ignored for this session +console.error: BroadcastService: + receivedBroadcastMessage: handler for + remote-settings/monitor_changes + threw error: + Message: Error: Polling for changes failed: NetworkError when attempting to fetch resource.. + Stack: + remoteSettingsFunction/remoteSettings.pollChanges@resource://services-settings/remote-settings.js:188:13 + +console.error: BroadcastService: + receivedBroadcastMessage: handler for + remote-settings/monitor_changes + threw error: + Message: Error: Polling for changes failed: NetworkError when attempting to fetch resource.. + Stack: + remoteSettingsFunction/remoteSettings.pollChanges@resource://services-settings/remote-settings.js:188:13 + +1549576708701 mozrunner::runner INFO Running command: "/usr/bin/firefox" "-marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofile.bQzuiD37tMHk" +*** You are running in headless mode. 
+1549576709025 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: resource://pdf.js/ +1549576709025 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: about:reader* +1549576710263 Marionette INFO Listening on port 42521 +1549576710310 Marionette WARN TLS certificate errors will be ignored for this session +1549576722637 mozrunner::runner INFO Running command: "/usr/bin/firefox" "-marionette" "-headless" "-foreground" "-no-remote" "-profile" "/tmp/rust_mozprofile.vLdFuBOQ6wWd" +*** You are running in headless mode. +1549576722958 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: resource://pdf.js/ +1549576722958 addons.webextension.screenshots@mozilla.org WARN Loading extension 'screenshots@mozilla.org': Reading manifest: Invalid host permission: about:reader* +1549576724249 Marionette INFO Listening on port 46449 +1549576724348 Marionette WARN TLS certificate errors will be ignored for this session +1549576724755 Marionette INFO Stopped listening on port 46449 +[Parent 4554, Gecko_IOThread] WARNING: pipe error (64): Connection reset by peer: file /build/firefox-HN7tk_/firefox-65.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 349 +[Parent 4554, Gecko_IOThread] WARNING: pipe error (73): Connection reset by peer: file /build/firefox-HN7tk_/firefox-65.0+build2/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 349 +console.error: BroadcastService: + receivedBroadcastMessage: handler for + remote-settings/monitor_changes + threw error: + Message: Error: Polling for changes failed: NetworkError when attempting to fetch resource.. + Stack: + remoteSettingsFunction/remoteSettings.pollChanges@resource://services-settings/remote-settings.js:188:13 + 
diff --git a/Web/clientsidechals/requirements.txt b/Web/clientsidechals/requirements.txt new file mode 100644 index 0000000..b776e1b --- /dev/null +++ b/Web/clientsidechals/requirements.txt @@ -0,0 +1,14 @@ +certifi==2018.11.29 +chardet==3.0.4 +Click==7.0 +Flask==1.0.2 +Flask-SQLAlchemy==2.3.2 +idna==2.8 +itsdangerous==1.1.0 +Jinja2==2.10.1 +MarkupSafe==1.1.0 +requests==2.21.0 +selenium==3.141.0 +SQLAlchemy>=1.3.0 +urllib3==1.24.2 +Werkzeug==0.14.1
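Review bot: in the `register` handler of the workshop3 views hunk, missing form fields are not rejected: `username`, `password` and `confirm` all default to `None`, the `password != confirm` check passes when both are `None`, and `add_user(None, None)` is then called. Validate that `username` and `password` are present and non-empty before the confirm check, e.g. `if not username or not password: return render_template("register.html", err="Missing username or password")`.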
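Review bot: `Web/chals/workshop3/flag.txt` commits a live flag (`flag{now_go_do_recruit}`) to the repository. Keep the committed file as a placeholder and mount or inject the real flag at deploy time, otherwise anyone with read access to the repo has the answer.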
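Review bot: `Dockerfile-default` runs the headless Firefox bot and the web app in the same container as root (no `USER` line), with `COPY chal ./` and no `WORKDIR` dropping the application into `/`; the browser that renders attacker-controlled posts should at least run as an unprivileged user, and `COPY chal ./` also ships the stray `chal/geckodriver.log`. Minor: `MAINTAINER` is deprecated in favour of `LABEL maintainer="tnek"`, and the two Dockerfiles differ only in the `ENV` lines, so one Dockerfile with run-time environment variables would remove the duplication.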
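Review bot: `Dockerfile-jsonp` sets `ENV FLAG flag{jsonppp}`, but `chal/chal.py` reads the flag from `CHALLENGE_FLAG` (`os.environ.get("CHALLENGE_FLAG", "flag{welcome_to_csp}")`), so the jsonp image will hand the bot the default `flag{welcome_to_csp}` instead. Rename the variable to `CHALLENGE_FLAG` to match `CHALLENGE_CSP`, and since a value in an `ENV` line is recoverable from the image history, prefer passing the flag with `docker run -e` rather than baking it into a layer.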
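Review bot: in `chal/app.py`, `app.secret_key` falls back to the literal `"someappsecretkey"` when `FLASK_SESSION_KEY` is unset, and neither Dockerfile sets that variable; with a public default anyone can mint a signed session with `uuid = "botuser"`, which `get_post` treats as the admin and which then reads every user's post. Fail at startup if the variable is missing instead of defaulting. Two smaller points in the same file: `request.form.get("content")[:280]` in `index` raises `TypeError` (a 500) when `content` is absent, so use `request.form.get("content", "")[:280]`; and `/report` calls `botuser(...)` synchronously inside the request, launching a Firefox process per call on a four-worker gunicorn, so an unauthenticated caller can occupy every worker; queue report jobs and rate-limit the endpoint.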
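Review bot: `chal/chal.py` hard-codes `flag{welcome_to_csp}` as the fallback flag, and because `Dockerfile-default` comments out its `ENV FLAG` line that fallback is the flag the default challenge actually serves, so it is effectively committed to the repo; use an obviously fake placeholder as the default and require `CHALLENGE_FLAG` in deployment. A one-line comment above `get_csp` noting that the `'unsafe-inline'` and `connect-src *` directives are the intended challenge configuration would stop a later contributor from "fixing" them.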
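Review bot: in `botuser` (`chal/chal_visitor.py`), `driver.quit()` is only reached on the success path; if `driver.get` or `add_cookie` raises, the `except` block prints the traceback and the headless Firefox process is leaked, which on the `/report` endpoint accumulates quickly. Create the driver and then wrap the navigation in `try: ... finally: driver.quit()`. The cookie setup also depends on ordering that is not documented: `add_cookie` attaches the `session` and `flag` cookies to whatever origin the driver is currently on, so it only works because `driver.get(base_url)` runs first; a comment saying so would help. `e` in `except Exception as e` is unused.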
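Review bot: `post.html` renders user content with `{{ contents|safe }}`, which disables Jinja2 autoescaping; this is clearly the intended XSS sink for the CSP challenges, so mark it with a template comment (`{# deliberate: challenge sink, do not escape #}`) so the next reviewer does not treat it as an accidental injection and remove it.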
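Review bot: the `Web/clientsidechals/geckodriver.log` hunk commits 65 lines of Marionette/Firefox run output, and `chal/geckodriver.log` is committed empty, even though the `.gitignore` hunk in the same commit lists `geckodriver.log`; `.gitignore` only affects untracked files, so these need `git rm --cached` before the ignore rule takes effect. The `geckodriver` binary is committed as well; fetching it in the Dockerfile from a pinned release with a checksum would keep a 2 MB+ executable out of the repo.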
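Review bot: `Web/clientsidechals/requirements.txt` pins every dependency except `SQLAlchemy>=1.3.0`; pin it (the workshop3 file uses `SQLAlchemy==1.3.0`) so both images build reproducibly and a future SQLAlchemy release cannot change behaviour under `Flask-SQLAlchemy==2.3.2`.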