## https://sploitus.com/exploit?id=23FAEBD5-E85F-54D0-A218-11A487BF88CE
# Vuln
A simple program for practicing buffer overflow attacks.
## Getting Started
### Compiling
#### Using the Makefile
```sh
make
```
#### Manually
```sh
mkdir -p build
gcc -std=c99 -g -fno-stack-protector -z execstack -no-pie -m32 -o build/vuln src/vuln.c
```
### Disable ASLR
Address Space Layout Randomization will make it extremely difficult, if not
impossible, to successfully perform a buffer overflow attack. You must
disable ASLR entirely.
```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```
### Exploiting
This is only a basic overview, and assumes you're working from scratch. If
using the tools in this repo, some of the work is already done for you.
**Use of a debugger is required!**
1. Discover **saved EIP** offset from start of buffer by feeding `A` chars
into input until the program crashes. If you've overwritten the EIP
entirely, you'll see it crashes at `0x41414141`. Remove characters until
you find the exact offset of the saved EIP.
1. Add 4 `B` chars to end of input to confirm EIP control. Program should
segfault at address `0x42424242`. If you see that, you have the EIP
properly under control.
1. Use `tools/badchars.py` to generate `badchars.bin`, and feed that into
the program's input. Set a breakpoint and inspect the buffer's memory.
Make sure the memory matches what you've fed in. If not, there's one or
more bad characters in the input. Filter them out and try again.
1. Use existing shellcode matching your architecture and platform, or generate
some yourself using `msfvenom`, making sure that you exclude all bytes in
your bad char list.
1. Adjust `tools/exploit.py` to ensure the NOP sled, payload, and EIP are all
properly aligned. Then run `exploit.py` to generate `exploit.bin`.
Alternatively, write your own exploit code for practice.
1. Run the program, feeding `exploit.bin` to **STDIN**. If successful, it
should drop you into a new shell.
### Debugging
1. Set a breakpoint and run the program.
```
(gdb) break vuln.c:9
Breakpoint 1 at 0x80483c7: file vuln.c, line 9.
(gdb) run < exploit.bin
```
1. Print the buffer address.
```
(gdb) print &buf
```
1. View X (264 in this case) bytes of memory, in hex format, starting from
the buffer address.
```
(gdb) x/264xb &buf
```
1. View the saved EIP in the stack frame info.
```
(gdb) info frame
```
## License
Copyright: (c) 2025, Ryan Algar
([ralgar/vuln](https://gitlab.com/ralgar/vuln))
BSD 2-clause License (see [LICENSE](LICENSE) or
[BSD 2-clause](https://choosealicense.com/licenses/bsd-2-clause/))