Exploit Exercises - Protostar Final 1

11 minute read Feb 5, 2012
Since I’ve been doing a lot of the format string exploits lately, I decided to do the Final 1 challenge. We start out the challenge by being given the following code:

    #include "../common/common.c"
    #include <syslog.h>

    #define NAME "final1"
    #define UID 0
    #define GID 0
    #define PORT 2994

    char username[128];
    char hostname[64];

    void logit(char *pw)
    {
        char buf[512];

        snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\n", hostname, username, pw);
        syslog(LOG_USER|LOG_DEBUG, buf);
    }

    void trim(char *str)
    {
        char *q;

        q = strchr(str, '\r');
        if(q) *q = 0;

        q = strchr(str, '\n');
        if(q) *q = 0;
    }

    void parser()
    {
        char line[128];

        printf("[final1] $ ");

        while(fgets(line, sizeof(line)-1, stdin)) {
            trim(line);
            if(strncmp(line, "username ", 9) == 0) {
                strcpy(username, line+9);
            } else if(strncmp(line, "login ", 6) == 0) {
                if(username[0] == 0) {
                    printf("invalid protocol\n");
                } else {
                    logit(line + 6);
                    printf("login failed\n");
                }
            }
            printf("[final1] $ ");
        }
    }

    void getipport()
    {
        int l;
        struct sockaddr_in sin;

        l = sizeof(struct sockaddr_in);
        if(getpeername(0, &sin, &l) == -1) {
            err(1, "you don't exist");
        }

        sprintf(hostname, "%s:%d", inet_ntoa(sin.

Exploit Exercises - Protostar Format 4

5 minute read Feb 2, 2012
Next up is the last challenge in the Format String series, Format 4. It starts out with the following code:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void hello()
    {
        printf("code execution redirected! you win\n");
        _exit(1);
    }

    void vuln()
    {
        char buffer[512];

        fgets(buffer, sizeof(buffer), stdin);

        printf(buffer);

        exit(1);
    }

    int main(int argc, char **argv)
    {
        vuln();
    }

What initially caught my eye was the fact that there was a call to “exit()” as well as “_exit()”.

Exploit Exercises - Protostar Format 3

5 minute read Feb 1, 2012
Continuing in the Format String section, the next challenge we run across is Format 3. We’re first given the following code:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void printbuffer(char *string)
    {
        printf(string);
    }

    void vuln()
    {
        char buffer[512];

        fgets(buffer, sizeof(buffer), stdin);

        printbuffer(buffer);

        if(target == 0x01025544) {
            printf("you have modified the target :)\n");
        } else {
            printf("target is %08x :(\n", target);
        }
    }

    int main(int argc, char **argv)
    {
        vuln();
    }

This seems to be just like Format 2, except that we have to modify all 8 bytes instead of just 2.

Exploit Exercises - Protostar Format 2

2 minute read Jan 31, 2012
Continuing from where we left off, we arrive at Format 2. It presents us with the following code:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    int target;

    void vuln()
    {
        char buffer[512];

        fgets(buffer, sizeof(buffer), stdin);

        printf(buffer);

        if(target == 64) {
            printf("you have modified the target :)\n");
        } else {
            printf("target is %d :(\n", target);
        }
    }

    int main(int argc, char **argv)
    {
        vuln();
    }

This challenge seems very similar to Format 1, in all but 2 ways:

Exploit Exercises - Protostar Format 1

3 minute read Jan 30, 2012
Following the Format 0 challenge, I’ve had to do a bunch of reading on how format string exploits work on a very low level. Some resources that I’ve found greatly useful:

- Hacking: The Art of Exploitation, 2nd Edition
- Exploiting Format String Vulnerabilities
- SecurityTube.net Format String Vulnerabilities Megaprimer

With this challenge, we’re given some C code in which we are to find the vulnerability.

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.

Exploit Exercises - Protostar Format 0

3 minute read Jan 24, 2012
I’ll be honest, I’m new to format string exploits. I’ve been more experienced with stack overflows, and a little with heap overflows. So hopefully this information is correct, as it’s from my current understanding. Protostar Format 0 starts us off with the following vulnerable code:

    #include <stdlib.h>
    #include <unistd.h>
    #include <stdio.h>
    #include <string.h>

    void vuln(char *string)
    {
        volatile int target;
        char buffer[64];

        target = 0;

        sprintf(buffer, string);

        if(target == 0xdeadbeef) {
            printf("you have hit the target correctly :)\n");
        }
    }

    int main(int argc, char **argv)
    {
        vuln(argv[1]);
    }

Looking at this code, somehow we have to get the variable, “target”, which is never set anywhere other than to “0”, to equal “0xdeadbeef”.