Exploit Exercises - Protostar Stack 7

5 minute read Jan 9, 2012
Welcome everyone to 2012! I took a bit of a break during these holidays, and am just starting to get back going. This challenge was very interesting to me. I figured it would build off of the previous one. However, it was its own standalone challenge. We are given the following code to the stack7 executable:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    char *getpath()
    {
      char buffer[64];
      unsigned int ret;

      printf("input path please: "); fflush(stdout);

      gets(buffer);

      ret = __builtin_return_address(0);

      if((ret & 0xb0000000) == 0xb0000000) {
        printf("bzzzt (%p)\n", ret);
        _exit(1);
      }

      printf("got path %s\n", buffer);
      return strdup(buffer);
    }

    int main(int argc, char **argv)
    {
      getpath();
    }

From tinkering with the stack7 executable, I knew I was going to do a stack overflow, and somehow needed to execute code from the stack.

Exploit Exercises - Protostar Stack 6

7 minute read Dec 22, 2011
The Stack6 challenge was definitely a learning experience for me. This actually went beyond my existing skills, and made me learn some new stuff. We are given the following code.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void getpath()
    {
      char buffer[64];
      unsigned int ret;

      printf("input path please: "); fflush(stdout);

      gets(buffer);

      ret = __builtin_return_address(0);

      if((ret & 0xbf000000) == 0xbf000000) {
        printf("bzzzt (%p)\n", ret);
        _exit(1);
      }

      printf("got path %s\n", buffer);
    }

    int main(int argc, char **argv)
    {
      getpath();
    }

The first thing I tried to do, was to set it up just like I did on Stack 5.

Exploit Exercises - Protostar Stack 5

5 minute read Dec 17, 2011
Wow, this challenge was a tough one for me. I ran into some huge problems that I had to work out. Considering this is a “standard buffer overflow”, I figured it’d be as easy as some of the others I’ve done in the past. I’ll explain my frustrations inline. First, we’re given the following vulnerable program.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      char buffer[64];

      gets(buffer);
    }

The first task with this challenge was to find the offset of the EIP.

Exploit Exercises - Protostar Stack 4

2 minute read Dec 16, 2011
With this challenge, I think things really start to get fun, and more real-world. We are provided with the following C program:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void win()
    {
      printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
      char buffer[64];

      gets(buffer);
    }

This C app will simply read a value from user input, and store it in “buffer”. We then need to get it to somehow execute “win()”.

Exploit Exercises - Protostar Stack 3

2 minute read Dec 15, 2011
This challenge starts getting a little bit more involved than the previous ones. Instead of just providing a new value for the “modified” variable, we need to make the code jump to a method, changing the execution.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void win()
    {
      printf("code flow successfully changed\n");
    }

    int main(int argc, char **argv)
    {
      volatile int (*fp)();
      char buffer[64];

      fp = 0;

      gets(buffer);

      if(fp) {
        printf("calling function pointer, jumping to 0x%08x\n", fp);
        fp();
      }
    }

This means that first of all, we need to find the address of where the “win()” function is located in the program.

Exploit Exercises - Protostar Stack 2

1 minute read Dec 14, 2011
This challenge is pretty much the same as the previous challenge, except that the buffer comes from an environment variable.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      volatile int modified;
      char buffer[64];
      char *variable;

      variable = getenv("GREENIE");

      if(variable == NULL) {
        errx(1, "please set the GREENIE environment variable\n");
      }

      modified = 0;

      strcpy(buffer, variable);

      if(modified == 0x0d0a0d0a) {
        printf("you have correctly modified the variable\n");
      } else {
        printf("Try again, you got 0x%08x\n", modified);
      }
    }

This problem can simply be solved by running these commands:

Exploit Exercises - Protostar Stack 1

1 minute read Dec 13, 2011
This challenge is very similar to the previous one. The main difference is that instead of just validating that the “modified” value was changed, it validates that it was changed to a specific value, 0x61626364, or “dcba” in ASCII.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      volatile int modified;
      char buffer[64];

      if(argc == 1) {
        errx(1, "please specify an argument\n");
      }

      modified = 0;
      strcpy(buffer, argv[1]);

      if(modified == 0x61626364) {
        printf("you have correctly got the variable to the right value\n");
      } else {
        printf("Try again, you got 0x%08x\n", modified);
      }
    }

To complete this, we simply run:

Exploit Exercises - Protostar Stack 0

2 minute read Dec 12, 2011
I’m still working on the Nebula chain of challenges, however, I’ve been stuck on Nebula 11 for a bit now, as well as busy outside work. In the meantime, I still have other challenges that can be solved while I learn how to do more advanced ones. Protostar is another challenge made by Exploit-Exercises, the same people who brought you Nebula. Protostar Stack 0 is a very easy challenge. After doing a bunch of these challenges, and seeing nobody else doing them, I finally found someone, Mito125.

Exploit Exercises - Nebula 10

4 minute read Dec 11, 2011
Challenge 10 is another nostalgic one for me. Back when I was first starting with Linux, I remember reading about overflows and race conditions. This challenge is the latter, a race condition. We’re given a C/C++ app to exploit:

    #include <stdlib.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <stdio.h>
    #include <fcntl.h>
    #include <errno.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <string.h>

    int main(int argc, char **argv)
    {
      char *file;
      char *host;

      if(argc < 3) {
        printf("%s file host\n\tsends file to host if you have access to it\n", argv[0]);
        exit(1);
      }

      file = argv[1];
      host = argv[2];

      if(access(argv[1], R_OK) == 0) {
        int fd;
        int ffd;
        int rc;
        struct sockaddr_in sin;
        char buffer[4096];

        printf("Connecting to %s:18211 .

Exploit Exercises - Nebula 09

4 minute read Dec 10, 2011
Challenge 09 gave me the most issues out of any other challenge so far. This may just be because I haven’t touched PHP since version 3 was just coming out. However, it is based on a dangerous function, known as preg_replace(). There are several more dangerous functions, some of which can be seen here. The challenge starts by giving us the source code of the program we will be exploiting.