kick-off class8

classes/class08/Dockerfile

@@ -0,0 +1,19 @@
+FROM debian:bookworm
+
+RUN apt update && apt install -y openssh-server gdb vim nano tmux make gcc python3 checksec python3-pip git
+
+RUN pip3 install --user ropper --break-system-packages
+
+RUN mkdir -p /var/run/sshd
+RUN mkdir -p /root/.ssh
+
+COPY sshd_config /etc/ssh/sshd_config
+COPY files /data/binary-exploit-class
+
+ENV TERM=xterm-256color
+
+RUN echo "PS1='\e[92m\u\e[0m@\e[94m\h\e[0m:\e[35m\w\e[0m# '" >> /root/.bashrc
+RUN echo "root:admin" | chpasswd
+RUN echo 'PATH=$PATH:/root/.local/bin' >> /root/.bashrc # for the ropper binary
+
+CMD ["/usr/sbin/sshd", "-D"]

classes/class08/docker-compose.yml

@@ -0,0 +1,19 @@
+version: '3.3'
+
+services:
+  class-08-exploit-lab:
+    build: .
+    platform: linux/amd64 # important
+    security_opt:
+      - seccomp:/classes/class08/seccomp-profile.json
+    stop_grace_period: 0s
+    hostname: class8-exploitation-lab
+    container_name: scl-class-08-exploitation-lab
+
+    networks:
+      playground-net:
+        ipv4_address: 172.20.0.115
+
+networks:
+  playground-net:
+    external: true

classes/class08/files/demo0/Makefile

@@ -0,0 +1,7 @@
+make: normal no-pie
+
+normal:
+	gcc main.c -o main
+
+no-pie:
+	gcc main.c -o main-no-pie -no-pie

classes/class08/files/demo0/main.c

@@ -0,0 +1,16 @@
+#include <stdio.h>
+#include <stdlib.h>
+
+int foo() {
+	return 0;
+}
+
+int main() {
+	int stackVar = 666;
+
+	printf("Address of a local variable        : %p\n", &stackVar);
+	printf("Address of a our 'foo' function    : %p\n", &foo);
+	printf("Address of a libc 'system' function: %p\n", &system);
+
+	return 0;
+}

classes/class08/files/stack0/Makefile

@@ -0,0 +1,2 @@
+make:
+	gcc main.c -o main

classes/class08/files/stack0/main.c

@@ -0,0 +1,19 @@
+#include <stdlib.h>
+#include <stdio.h>
+
+int main() {
+    volatile int modified;
+    char buffer[64];
+
+    modified = 0;
+
+    gets(buffer);
+
+    if (modified != 0 ) {
+   	 printf("Access granted\n");
+    } else {
+   	 printf("Access denied\n");
+    }
+
+    return 0;
+}

classes/class08/files/stack1/Makefile

@@ -0,0 +1,2 @@
+make:
+	gcc main.c -o main -fno-stack-protector -no-pie

classes/class08/files/stack1/exploit.py

@@ -0,0 +1,12 @@
+import struct
+import sys
+
+
+buff_size = 0x0  # CHANGE ME
+func_adrr = 0x0  # CHANGE ME
+
+buff = b"A"* (buff_size-8)
+buff += struct.pack("Q", func_adrr)
+buff += b"\n"
+
+sys.stdout.buffer.write(buff)

classes/class08/files/stack1/main.c

@@ -0,0 +1,22 @@
+#include <stdio.h>
+#include <string.h>
+
+void success() {
+	printf("Access granted!\n");
+}
+
+void failure() {
+	printf("Access denied!\n");
+}
+
+int main() {
+	volatile void (*fp)() = failure;
+
+	char buffer[64];
+
+	gets(buffer);
+
+	fp();
+
+	return 0;
+}

classes/class08/files/stack2/Makefile

@@ -0,0 +1,2 @@
+make:
+	gcc main.c -o main -no-pie -fno-stack-protector

classes/class08/files/stack2/exploit.py

@@ -0,0 +1,10 @@
+import struct
+import sys
+
+size = 0x0       # CHANGE ME
+func_addr = 0x0  # CHANGE ME
+
+buff = b""       # CHANGE ME
+buff += b"\n"
+
+sys.stdout.buffer.write(buff)

classes/class08/files/stack2/main.c

@@ -0,0 +1,14 @@
+#include <stdio.h>
+#include <string.h>
+
+void success() {
+	printf("Access granted!\n");
+}
+
+int main() {
+	char buffer[64];
+
+	gets(buffer);
+
+	return 0;
+}

classes/class08/files/stack3/Makefile

@@ -0,0 +1,2 @@
+make:
+	gcc main.c -o main -fno-stack-protector

classes/class08/files/stack3/exploit.py

@@ -0,0 +1,9 @@
+import struct
+import sys
+
+# Finish the exploit
+
+buff = b""
+buff += b"\n"
+
+sys.stdout.buffer.write(buff)

classes/class08/files/stack3/main.c

@@ -0,0 +1,12 @@
+#include <stdio.h>
+#include <string.h>
+
+int main() {
+	char buffer[64];
+
+	gets(buffer);
+
+	printf("%s\n", buffer);
+
+	return 0;
+}

classes/class08/meta.json

@@ -0,0 +1,7 @@
+{
+    "name": "Class 08 - Binary exploitation",
+    "id": "class-08",
+    "description": "The eight class focuses on binary exploitation and fuzzing. Please open the Google document provided to all registered students and follow the document.",
+    "google_doc_url": "",
+    "yt_recording_url": ""
+}