Exploit Exercises - Protostar Format 0

3 minute read Jan 24, 2012 Comments
I’ll be honest, I’m new to format string exploits. I’ve been more experienced with stack overflows, and a little with heap overflows. So hopefully this information is correct, as it’s from my current understanding. Protostar Format 0 starts us off with the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Looking at this code, somehow we have to get the variable, “target”, which is never set anywhere other than to “0”, to equal “0xdeadbeef”.

Exploit Exercises - Protostar Final 0

6 minute read Jan 22, 2012 Comments
I for some reason decided to look at the set of “final” challenges, and found the first one to be not too difficult. We start with the following code being given to us: #include "../common/common.c" #define NAME "final0" #define UID 0 #define GID 0 #define PORT 2995 /* * Read the username in from the network */ char *get_username() { char buffer[512]; char *q; int i; memset(buffer, 0, sizeof(buffer)); gets(buffer); /* Strip off trailing new line characters */ q = strchr(buffer, '\n'); if(q) *q = 0; q = strchr(buffer, '\r'); if(q) *q = 0; /* Convert to lower case */ for(i = 0; i &lt; strlen(buffer); i++) { buffer[i] = toupper(buffer[i]); } /* Duplicate the string and return it */ return strdup(buffer); } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); username = get_username(); printf("No such user %s\n", username); } This is a somewhat standard buffer overflow.

Exploit Exercises - Protostar Heap 1

5 minute read Jan 12, 2012 Comments
This challenge was different for me. The previous heap challenge was easy to pretend it was just a simple stack overflow. This one worked very different, and brought some different challenges with it. You first start out with the following code: #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct internet { int priority; char *name; }; void winner() { printf("and we have a winner @ %d\n", time(NULL)); } int main(int argc, char **argv) { struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name, argv[2]); printf("and that's a wrap folks!

Exploit Exercises - Protostar Heap 0

2 minute read Jan 10, 2012 Comments
Now that I’ve completed all of the Stack section of protostar, I’ve started to move onto Heap. The first of these challenges, is Heap 0. We are given the following code: #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n", d, f); strcpy(d->name, argv[1]); f->fp(); } I first needed to find the offset to where I could overwrite the EIP, so I connected to my other machine with the Metasploit Framework installed, and generated a unique string.

Exploit Exercises - Protostar Stack 7

5 minute read Jan 9, 2012 Comments
Welcome everyone to 2012! I took a bit of a break during these holidays, and am just starting to get back going. This challenge was very interesting to me. I figured it would build off of the previous one. However, it was its own standalone challenge. We are given the following code to the stack7 executable: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret &amp; 0xb0000000) == 0xb0000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } From tinkering with the stack7 executable, I knew I was going to do a stack overflow, and somehow needed to execute code from the stack.

Exploit Exercises - Protostar Stack 6

7 minute read Dec 22, 2011 Comments
The Stack6 challenge was definitely a learning experience for me. This actually went beyond my existing skills, and made me learn some new stuff. We are given the following code. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } The first thing I tried to do, was to set it up just like I did on Stack 5.

Exploit Exercises - Protostar Stack 5

5 minute read Dec 17, 2011 Comments
Wow, this challenge was a tough one for me. I ran into some huge problems that I had to work out. Considering this is a “standard buffer overflow”, I figured it’d be as easy as some of the others I’ve done in the past. I’ll explain my frustrations inline. First, we’re given the following vulnerable program. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[64]; gets(buffer); } The first task with this challenge was to find the offset of the EIP.

Exploit Exercises - Protostar Stack 4

2 minute read Dec 16, 2011 Comments
With this challenge, I think things really start to get fun, and more real-world. We are provided with the following C program: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); } This C app will simply read a value from user input, and store it in “buffer”. We then need to get it to somehow execute “win()”.

Exploit Exercises - Protostar Stack 3

2 minute read Dec 15, 2011 Comments
This challenge starts getting a little bit more involved than the previous ones. Instead of just providing a new value for the “modified” variable, we need to make the code jump to a method, changing the execution. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08x\n", fp); fp(); } } This means that first of all, we need to find the address of where the “win()” function is located in the program.

Exploit Exercises - Protostar Stack 2

1 minute read Dec 14, 2011 Comments
This challenge is pretty much the same as the previous challenge, except that the buffer comes from an environmental variable. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variable\n"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variable\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } This problem can simply be solved by running these commands:
Page 6 of 8 3 4 5 6 7 8