Collection of environments to explore post CET exploitation

Post-CET Exploit Technology

This repository provides a collection of environments to explore post-CET exploitation. The repository is laid out as follows:

  • tests -- contains two simple tests you can run to see whether shadow stacks are enabled on Linux. tests/test_exec_shstk.c additionally tests whether the exec family of syscalls disables shadow stacks.
  • cfbending -- contains vulnerable programs against which Control-Flow Bending attacks can be carried out. An automated exploit is provided for each program.
  • dop -- contains a vulnerable program and an exploit for it that uses Data-Oriented Programming.
  • coop -- contains a vulnerable C++ program that can be exploited through COOP gadget chains. The accompanying exploit achieves code execution through a chain of 2 COOP gadgets followed by a command injection.

If you are running on CET-enabled hardware with an operating system that supports CET, make sure you enable the corresponding GLIBC tunable:

$ source ./source_me.sh
# or you can do it yourself
$ export GLIBC_TUNABLES=glibc.cpu.hwcaps=SHSTK,IBT
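Before running anything in this repository it helps to know which CET layers are actually active on the machine, since the tunable above only has an effect when the CPU advertises the features and the kernel enables user shadow stacks. The probe below is an added example (it is not part of the repository and is unrelated to the programs under tests/): it checks the /proc/cpuinfo flags, asks the kernel via arch_prctl whether the current thread has a shadow stack, and parses GLIBC_TUNABLES for the SHSTK and IBT hwcaps. The cpuinfo flag names user_shstk and ibt and the ARCH_SHSTK_* values are assumed to match the Linux x86 kernel; the sample cpuinfo and tunable strings in the comments are constructed.

```c
/* cet_probe.c: report CET readiness at three layers: CPU flags in
 * /proc/cpuinfo, this process's shadow-stack state (arch_prctl), and the
 * GLIBC_TUNABLES setting the README asks for. Added example, not repository
 * code. ARCH_SHSTK_* are the Linux x86 arch_prctl values, defined here in
 * case the installed headers predate them. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/syscall.h>
#endif

#ifndef ARCH_SHSTK_STATUS
#define ARCH_SHSTK_STATUS 0x5005
#endif
#ifndef ARCH_SHSTK_SHSTK
#define ARCH_SHSTK_SHSTK (1ULL << 0)
#endif

/* 1 if this thread runs with a shadow stack, 0 if not, -1 (errno set) if the
 * kernel does not know ARCH_SHSTK_STATUS (pre-6.6 kernel or non-x86_64). */
int shstk_enabled(void) {
#if defined(__linux__) && defined(__x86_64__) && defined(SYS_arch_prctl)
    unsigned long long features = 0;
    if (syscall(SYS_arch_prctl, ARCH_SHSTK_STATUS, &features) != 0)
        return -1;
    return (features & ARCH_SHSTK_SHSTK) ? 1 : 0;
#else
    errno = ENOSYS;
    return -1;
#endif
}

/* Whole-word search for tok in the whitespace-separated list [line, line+len). */
static int line_has_token(const char *line, size_t len, const char *tok) {
    size_t tlen = strlen(tok);
    const char *p = line, *end = line + len;
    while (p < end) {
        while (p < end && (*p == ' ' || *p == '\t' || *p == '\n')) p++;
        const char *s = p;
        while (p < end && *p != ' ' && *p != '\t' && *p != '\n') p++;
        if ((size_t)(p - s) == tlen && memcmp(s, tok, tlen) == 0) return 1;
    }
    return 0;
}

/* 1 if any "flags" line of cpuinfo-formatted text lists flag as a whole word,
 * e.g. "flags\t\t: fpu ... user_shstk ibt" (constructed sample). */
int cpuinfo_has_flag(const char *text, const char *flag) {
    for (const char *p = text; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 5 && memcmp(p, "flags", 5) == 0 &&
            (p[5] == ' ' || p[5] == '\t' || p[5] == ':')) {
            const char *colon = memchr(p, ':', len);
            if (colon && line_has_token(colon + 1, (size_t)(p + len - colon - 1), flag))
                return 1;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return 0;
}

/* 1 if a GLIBC_TUNABLES string ("a=b:glibc.cpu.hwcaps=SHSTK,-IBT", constructed
 * sample) ends up enabling cap; a "-" prefix disables, later entries win. */
int tunables_enable_cap(const char *tunables, const char *cap) {
    static const char key[] = "glibc.cpu.hwcaps=";
    size_t klen = sizeof key - 1, clen = strlen(cap);
    int enabled = 0;
    if (!tunables) return 0;
    for (const char *p = tunables; *p; ) {
        const char *entry_end = strchr(p, ':');
        size_t elen = entry_end ? (size_t)(entry_end - p) : strlen(p);
        if (elen > klen && memcmp(p, key, klen) == 0) {
            const char *v = p + klen, *vend = p + elen;
            while (v < vend) {
                const char *c = memchr(v, ',', (size_t)(vend - v));
                const char *tend = c ? c : vend;
                int neg = (*v == '-');
                const char *name = v + neg;
                if ((size_t)(tend - name) == clen && memcmp(name, cap, clen) == 0)
                    enabled = !neg;
                v = tend + 1;
            }
        }
        if (!entry_end) break;
        p = entry_end + 1;
    }
    return enabled;
}

int main(void) {
    int hw_shstk = 0, hw_ibt = 0;
    char line[8192]; /* a flags line longer than this is simply split and skipped */
    FILE *f = fopen("/proc/cpuinfo", "r");
    if (f) {
        while (fgets(line, sizeof line, f)) {
            hw_shstk |= cpuinfo_has_flag(line, "user_shstk");
            hw_ibt |= cpuinfo_has_flag(line, "ibt");
        }
        fclose(f);
    }
    int st = shstk_enabled();
    const char *tun = getenv("GLIBC_TUNABLES");
    printf("cpuinfo user_shstk: %s, ibt: %s\n", hw_shstk ? "yes" : "no", hw_ibt ? "yes" : "no");
    printf("this process shadow stack: %s\n",
           st < 0 ? "unknown (kernel lacks ARCH_SHSTK_STATUS)" : st ? "enabled" : "disabled");
    printf("GLIBC_TUNABLES enables SHSTK: %s, IBT: %s\n",
           tunables_enable_cap(tun, "SHSTK") ? "yes" : "no",
           tunables_enable_cap(tun, "IBT") ? "yes" : "no");
    return 0;
}
```

Build with `cc -o cet_probe cet_probe.c` and run it once before and once after `source ./source_me.sh`; the tunable line should flip to "yes" for both hwcaps, while the shadow-stack line only reports "enabled" when the kernel supports user shadow stacks and the probe itself was linked with CET markings, which is exactly the combination the environments in this repository depend on.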