Exploit Exercises - Protostar Net 3

5 minute read Feb 11, 2012 Comments
The last in the Net series of Protostar is Net 3. It was of course the most difficult of all of them. However, it still wasn’t too bad. First, we’re given the following code: #include "../common/common.c" #define NAME "net3" #define UID 996 #define GID 996 #define PORT 2996 /* * Extract a null terminated string from the buffer */ int get_string(char **result, unsigned char *buffer, u_int16_t len) { unsigned char byte; byte = *buffer; if(byte > len) errx(1, "badly formed packet"); *result = malloc(byte); strcpy(*result, buffer + 1); return byte + 1; } /* * Check to see if we can log into the host */ int login(unsigned char *buffer, u_int16_t len) { char *resource, *username, *password; int deduct; int success; if(len < 3) errx(1, "invalid login packet length"); resource = username = password = NULL; deduct = get_string(&resource, buffer, len); deduct += get_string(&username, buffer+deduct, len-deduct); deduct += get_string(&password, buffer+deduct, len-deduct); success = 0; success |= strcmp(resource, "net3"); success |= strcmp(username, "awesomesauce"); success |= strcmp(password, "password"); free(resource); free(username); free(password); return !

Exploit Exercises - Protostar Net 2

2 minute read Feb 10, 2012 Comments
So far, these Net challenges in Protostar have been pretty easy. This challenge, Net 2 got a small bit tougher. We are given the following code: #include "../common/common.c" #define NAME "net2" #define UID 997 #define GID 997 #define PORT 2997 void run() { unsigned int quad[4]; int i; unsigned int result, wanted; result = 0; for(i = 0; i < 4; i++) { quad[i] = random(); result += quad[i]; if(write(0, &(quad[i]), sizeof(result)) !

Exploit Exercises - Protostar Net 1

2 minute read Feb 9, 2012 Comments
Continuing with the “Net” series of Protostar, is Net 1. We are given the following code: #include "../common/common.c" #define NAME "net1" #define UID 998 #define GID 998 #define PORT 2998 void run() { char buf[12]; char fub[12]; char *q; unsigned int wanted; wanted = random(); sprintf(fub, "%d", wanted); if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { errx(1, ":(\n"); } if(fgets(buf, sizeof(buf)-1, stdin) == NULL) { errx(1, ":(\n"); } q = strchr(buf, '\r'); if(q) *q = 0; q = strchr(buf, '\n'); if(q) *q = 0; if(strcmp(fub, buf) == 0) { printf("you correctly sent the data\n"); } else { printf("you didn't send the data properly\n"); } } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); /* Don't do this :> */ srandom(time(NULL)); run(); } Similar to Net 0, it looks like this is another network daemon, this time running on port 2998.

Exploit Exercises - Protostar Net 0

2 minute read Feb 8, 2012 Comments
I recently started looking at the “Net” problems in Protostar, and found them to be quite a fun change in pace. Starting with Net 0, we are given the following code: #include "../common/common.c" #define NAME "net0" #define UID 999 #define GID 999 #define PORT 2999 void run() { unsigned int i; unsigned int wanted; wanted = random(); printf("Please send '%d' as a little endian 32bit int\n", wanted); if(fread(&i, sizeof(i), 1, stdin) == NULL) { errx(1, ":(\n"); } if(i == wanted) { printf("Thank you sir/madam\n"); } else { printf("I'm sorry, you sent %d instead\n", i); } } int main(int argc, char **argv, char **envp) { int fd; char *username; /* Run the process as a daemon */ background_process(NAME, UID, GID); /* Wait for socket activity and return */ fd = serve_forever(PORT); /* Set the client socket to STDIN, STDOUT, and STDERR */ set_io(fd); /* Don't do this :> */ srandom(time(NULL)); run(); } I started to analyze this program, to figure out what I was even supposed to do.

Exploit Exercises - Protostar Final 1

11 minute read Feb 5, 2012 Comments
Since I’ve been doing a lot of the format string exploits lately, I decided to do the Final 1 challenge. We start out the challenge by being given the following code: #include "../common/common.c" #include <syslog.h> #define NAME "final1" #define UID 0 #define GID 0 #define PORT 2994 char username[128]; char hostname[64]; void logit(char *pw) { char buf[512]; snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\n", hostname, username, pw); syslog(LOG_USER|LOG_DEBUG, buf); } void trim(char *str) { char *q; q = strchr(str, '\r'); if(q) *q = 0; q = strchr(str, '\n'); if(q) *q = 0; } void parser() { char line[128]; printf("[final1] $ "); while(fgets(line, sizeof(line)-1, stdin)) { trim(line); if(strncmp(line, "username ", 9) == 0) { strcpy(username, line+9); } else if(strncmp(line, "login ", 6) == 0) { if(username[0] == 0) { printf("invalid protocol\n"); } else { logit(line + 6); printf("login failed\n"); } } printf("[final1] $ "); } } void getipport() { int l; struct sockaddr_in sin; l = sizeof(struct sockaddr_in); if(getpeername(0, &sin, &l) == -1) { err(1, "you don't exist"); } sprintf(hostname, "%s:%d", inet_ntoa(sin.

Exploit Exercises - Protostar Format 4

5 minute read Feb 2, 2012 Comments
Next up is the last challenge in the Format String series, Format 4. It starts out with the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void hello() { printf("code execution redirected! you win\n"); _exit(1); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); exit(1); } int main(int argc, char **argv) { vuln(); } What initially caught my eye was the fact that there was a call to “exit()” as well as “_exit()”.

Exploit Exercises - Protostar Format 3

5 minute read Feb 1, 2012 Comments
Continuing in the String Format section, the next challenge we run across is Format 3. We’re first given the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void printbuffer(char *string) { printf(string); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); } } int main(int argc, char **argv) { vuln(); } This seems to be just like Format 2, except that we have to modify all 8 bytes instead of just 2.

Exploit Exercises - Protostar Format 2

2 minute read Jan 31, 2012 Comments
Continuing from where we left off, we arrive at Format 2. It presents us with the following code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); } This challenge seems very similar to Format 1, in all but 2 ways:

Exploit Exercises - Protostar Format 1

3 minute read Jan 30, 2012 Comments
Following the Format 0 challenge, I’ve had to do a bunch of reading on how format string exploits work on a very low level. Some resources that I’ve found greatly useful: Hacking: The Art of Exploitation, 2nd Edition Exploiting Format String Vulnerabilities SecurityTube.net Format String Vulnerabilities Megaprimer With this challenge, we’re given some c code in which we are to find the vulnerability. #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.

Exploit Exercises - Protostar Format 0

3 minute read Jan 24, 2012 Comments
I’ll be honest, I’m new to format string exploits. I’ve been more experienced with stack overflows, and a little with heap overflows. So hopefully this information is correct, as it’s from my current understanding. Protostar Format 0 starts us off with the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Looking at this code, somehow we have to get the variable, “target”, which is never set anywhere other than to “0”, to equal “0xdeadbeef”.
Page 1 of 3 1 2 3