Exploit Exercises - Protostar Final 1

11 minute read Feb 5, 2012 Comments
Since I’ve been doing a lot of the format string exploits lately, I decided to do the Final 1 challenge. We start out the challenge by being given the following code: #include "../common/common.c" #include <syslog.h> #define NAME "final1" #define UID 0 #define GID 0 #define PORT 2994 char username[128]; char hostname[64]; void logit(char *pw) { char buf[512]; snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\n", hostname, username, pw); syslog(LOG_USER|LOG_DEBUG, buf); } void trim(char *str) { char *q; q = strchr(str, '\r'); if(q) *q = 0; q = strchr(str, '\n'); if(q) *q = 0; } void parser() { char line[128]; printf("[final1] $ "); while(fgets(line, sizeof(line)-1, stdin)) { trim(line); if(strncmp(line, "username ", 9) == 0) { strcpy(username, line+9); } else if(strncmp(line, "login ", 6) == 0) { if(username[0] == 0) { printf("invalid protocol\n"); } else { logit(line + 6); printf("login failed\n"); } } printf("[final1] $ "); } } void getipport() { int l; struct sockaddr_in sin; l = sizeof(struct sockaddr_in); if(getpeername(0, &sin, &l) == -1) { err(1, "you don't exist"); } sprintf(hostname, "%s:%d", inet_ntoa(sin.

Exploit Exercises - Protostar Format 4

5 minute read Feb 2, 2012 Comments
Next up is the last challenge in the Format String series, Format 4. It starts out with the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void hello() { printf("code execution redirected! you win\n"); _exit(1); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); exit(1); } int main(int argc, char **argv) { vuln(); } What initially caught my eye was the fact that there was a call to “exit()” as well as “_exit()“.

Exploit Exercises - Protostar Format 3

5 minute read Feb 1, 2012 Comments
Continuing in the String Format section, the next challenge we run across is Format 3. We’re first given the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void printbuffer(char *string) { printf(string); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); } } int main(int argc, char **argv) { vuln(); } This seems to be just like Format 2, except that we have to modify all 8 bytes instead of just 2.

Exploit Exercises - Protostar Format 2

2 minute read Jan 31, 2012 Comments
Continuing from where we left off, we arrive at Format 2. It presents us with the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); } This challenge seems very similar to Format 1, in all but 2 ways:

Exploit Exercises - Protostar Format 1

3 minute read Jan 30, 2012 Comments
Following the Format 0 challenge, I’ve had to do a bunch of reading on how format string exploits work on a very low level. Some resources that I’ve found greatly useful: Hacking: The Art of Exploitation, 2nd Edition Exploiting Format String Vulnerabilities SecurityTube.net Format String Vulnerabilities Megaprimer With this challenge, we’re given some c code in which we are to find the vulnerability. #include <stdlib.h> #include <unistd.h> #include <stdio.

Exploit Exercises - Protostar Format 0

3 minute read Jan 24, 2012 Comments
I’ll be honest, I’m new to format string exploits. I’ve been more experienced with stack overflows, and a little with heap overflows. So hopefully this information is correct, as it’s from my current understanding. Protostar Format 0 starts us off with the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Looking at this code, somehow we have to get the variable, “target”, which is never set anywhere other than to “0”, to equal “0xdeadbeef”.