Share
## https://sploitus.com/exploit?id=23FAEBD5-E85F-54D0-A218-11A487BF88CE
# Vuln

A simple program for practicing buffer overflow attacks.

## Getting Started

### Compiling

#### Using the Makefile

```sh
make
```

#### Manually

```sh
mkdir -p build
gcc -std=c99 -g -fno-stack-protector -z execstack -no-pie -m32 -o build/vuln src/vuln.c
```

### Disable ASLR

Address Space Layout Randomization will make it extremely difficult, if not
 impossible, to successfully perform a buffer overflow attack. You must
 disable ASLR entirely.

```sh
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
```

### Exploiting

This is only a basic overview, and assumes you're working from scratch. If
 using the tools in this repo, some of the work is already done for you.

**Use of a debugger is required!**

1. Discover **saved EIP** offset from start of buffer by feeding `A` chars
   into input until the program crashes. If you've overwritten the EIP
   entirely, you'll see it crashes at `0x41414141`. Remove characters until
   you find the exact offset of the saved EIP.

1. Add 4 `B` chars to end of input to confirm EIP control. Program should
   segfault at address `0x42424242`. If you see that, you have the EIP
   properly under control.

1. Use `tools/badchars.py` to generate `badchars.bin`, and feed that into
   the program's input. Set a breakpoint and inspect the buffer's memory.
   Make sure the memory matches what you've fed in. If not, there's one or
   more bad characters in the input. Filter them out and try again.

1. Use existing shellcode matching your architecture and platform, or generate
   some yourself using `msfvenom`, making sure that you exclude all bytes in
   your bad char list.

1. Adjust `tools/exploit.py` to ensure the NOP sled, payload, and EIP are all
   properly aligned. Then run `exploit.py` to generate `exploit.bin`.
   Alternatively, write your own exploit code for practice.

1. Run the program, feeding `exploit.bin` to **STDIN**. If successful, it
   should drop you into a new shell.

### Debugging

1. Set a breakpoint and run the program.

   ```
   (gdb) break vuln.c:9
   Breakpoint 1 at 0x80483c7: file vuln.c, line 9.

   (gdb) run < exploit.bin
   ```

1. Print the buffer address.

   ```
   (gdb) print &buf
   ```

1. View X (264 in this case) bytes of memory, in hex format, starting from
   the buffer address.

   ```
   (gdb) x/264xb &buf
   ```

1. View the saved EIP in the stack frame info.

   ```
   (gdb) info frame
   ```


## License

Copyright: (c) 2025, Ryan Algar
 ([ralgar/vuln](https://gitlab.com/ralgar/vuln))

BSD 2-clause License (see [LICENSE](LICENSE) or
 [BSD 2-clause](https://choosealicense.com/licenses/bsd-2-clause/))