Category: Protostar

Protostar exploit exercises – final2

First I analyzed the program. Each request should be 128 bytes long and should start with “FSRD”. The program tries to find the ‘/’ character and copies the string after this character, up to the first occurrence of a ‘/’ character before “ROOT”. Each request is also copied into an allocated buffer. If the size of the…


Protostar exploit exercises – heap3

I found a quite good article here, which describes the technique used in this exploit. In short, the free memory chunks are kept in doubly linked lists. The free function calls unlink if there are two adjacent free chunks. This can be exploited to modify memory if we overwrite the size fields of the allocated chunks with strcpy. The…
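As an added example (not code from the original post or from the Protostar heap3 binary), here is a C simulation of the unlink write primitive described above. The chunk layout, the fake GOT slot and the fake shellcode buffer are all constructed for the demo; the `unlink_chunk` function reproduces the historic unlink macro, which trusts the `fd`/`bk` pointers without checking them.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Free-chunk header as used by the old (pre-safe-unlink) dlmalloc/glibc
 * allocator: two size fields followed by the free-list links.
 * On 32-bit the fd/bk members sit at offsets 8 and 12. */
struct chunk {
    uint32_t prev_size;
    uint32_t size;
    struct chunk *fd;   /* next free chunk */
    struct chunk *bk;   /* previous free chunk */
};

/* The historic unlink() macro: it removes P from the doubly linked list
 * and, crucially, never checks that fd->bk == P and bk->fd == P. */
static void unlink_chunk(struct chunk *p)
{
    struct chunk *fd = p->fd;
    struct chunk *bk = p->bk;
    fd->bk = bk;   /* writes BK to (FD + offsetof(bk)) */
    bk->fd = fd;   /* writes FD to (BK + offsetof(fd)) */
}

/* Stand-ins constructed for this demo: a pointer-sized word playing the
 * role of a GOT entry, and a buffer playing the role of attacker bytes
 * (shellcode). The union keeps the buffer pointer-aligned. */
static struct chunk *fake_got_slot;
static union { unsigned char bytes[32]; uintptr_t align; } shellcode;

/* Forge fd/bk so that unlink writes &shellcode into fake_got_slot.
 * Returns the value of fake_got_slot afterwards. */
uintptr_t demo_unlink_write(void)
{
    struct chunk forged;

    memset(&forged, 0, sizeof forged);
    memset(shellcode.bytes, 0x90, sizeof shellcode.bytes);   /* NOP sled */
    fake_got_slot = 0;

    /* FD is chosen so that fd->bk lands exactly on fake_got_slot. */
    forged.fd = (struct chunk *)((char *)&fake_got_slot - offsetof(struct chunk, bk));
    /* BK is the value we want written there. */
    forged.bk = (struct chunk *)shellcode.bytes;

    unlink_chunk(&forged);
    return (uintptr_t)fake_got_slot;
}

/* The second write of unlink lands inside the shellcode buffer at
 * offsetof(struct chunk, fd). This returns the word stored there so the
 * side effect can be checked; real payloads jump over those bytes. */
uintptr_t demo_clobbered_word(void)
{
    uintptr_t v;
    memcpy(&v, shellcode.bytes + offsetof(struct chunk, fd), sizeof v);
    return v;
}

int main(void)
{
    uintptr_t got = demo_unlink_write();
    printf("fake_got_slot = %p (shellcode at %p)\n",
           (void *)got, (void *)shellcode.bytes);
    printf("word at shellcode+%zu = %p (the forged FD)\n",
           offsetof(struct chunk, fd), (void *)demo_clobbered_word());
    return 0;
}
```

The point of the second function is the constraint every unlink exploit has to live with: the value you write must itself be a writable address, because unlink also writes into it, so the first bytes of the shellcode have to skip over the clobbered word.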


Protostar exploit exercises – heap2

First I started gdb and checked the heap memory after I sent several inputs. I sent “auth AAAA” and then “serviceBBBB” (without a space after service!). The output was a little help ([ auth = 0x804c008, service = 0x804c018 ]). The first eight bytes were the header of the allocated space of auth. The interesting thing…


Protostar exploit exercises – final1

I analyzed the source code first. The program asks for a username first, then a login password, and finally it constructs a string from the passed username, login password and our ip/port with snprintf and passes this string to the syslog function. Syslog works the same way as printf: the second argument is treated as a control…
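An added example (not from the original post or the final1 source) of the bug class described above, written in C. The message is built with snprintf and then handed to the logging sink as its format string. Because syslog writes to the system log and cannot be inspected offline, snprintf stands in for the sink here; the two extra integer arguments are a constructed substitute for whatever lies on the stack in the real program and keep the demo well-defined. The host string and username are placeholders.

```c
#include <stdio.h>
#include <string.h>

#define HOST_PLACEHOLDER "10.0.0.5:4444"   /* constructed stand-in for ip/port */

static char logbuf[256];

/* Vulnerable pattern: the attacker-controlled message becomes the format
 * argument of the sink (syslog(LOG_INFO, msg) in the original shape). */
const char *log_vulnerable(const char *username)
{
    char msg[128];
    snprintf(msg, sizeof msg, "login attempt from %s for user %s",
             HOST_PLACEHOLDER, username);
    /* 0x41414141 / 0x42424242 play the role of the next two stack words */
    snprintf(logbuf, sizeof logbuf, msg, 0x41414141u, 0x42424242u);
    return logbuf;
}

/* Fixed pattern: attacker text is only ever a %s argument,
 * i.e. syslog(LOG_INFO, "%s", msg). */
const char *log_fixed(const char *username)
{
    char msg[128];
    snprintf(msg, sizeof msg, "login attempt from %s for user %s",
             HOST_PLACEHOLDER, username);
    snprintf(logbuf, sizeof logbuf, "%s", msg);
    return logbuf;
}

int main(void)
{
    printf("vulnerable: %s\n", log_vulnerable("%x.%x"));
    printf("fixed:      %s\n", log_fixed("%x.%x"));
    return 0;
}
```

With a username of `%x.%x` the vulnerable path prints the two stack words, which is exactly the leak primitive used to walk the stack in the exercise; the fixed path logs the literal text.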


Protostar exploit exercises – final0

First I analyzed the source code. The program converts the first occurrences of ‘\r’ (0x0d) and ‘\n’ (0x0a) to 0x00. Then the program converts the string to uppercase. However, if there is a character that was converted to zero, the uppercase transformation ends there. First I created a proof of…
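An added example (my code, not the final0 source) that reproduces the sanitising step just described in isolation and checks the property the exploit depends on: everything after the embedded NUL is left byte-for-byte intact, while the visible prefix is upper-cased. The inputs are constructed; "jmp esp" is just a lowercase placeholder for shellcode bytes that must not be mangled.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Replace the first '\n' and the first '\r' with NUL, then upper-case.
 * The loop bound is strlen(), so it stops at the NUL just planted. */
void strip_and_upper(char *buf)
{
    char *q;
    size_t i;

    q = strchr(buf, '\n');
    if (q) *q = 0;
    q = strchr(buf, '\r');
    if (q) *q = 0;

    for (i = 0; i < strlen(buf); i++)
        buf[i] = (char)toupper((unsigned char)buf[i]);
}

/* Constructed input: a visible name, a '\r' (gets() would already have
 * consumed a '\n', so '\r' is the usable separator), then lowercase bytes
 * standing in for shellcode. Returns 1 if the tail survived untouched. */
int demo_tail_survives(void)
{
    char buf[32];
    const char input[] = "user\rjmp esp";       /* 13 bytes incl. NUL */

    memcpy(buf, input, sizeof input);
    strip_and_upper(buf);

    return strcmp(buf, "USER") == 0              /* prefix upper-cased, cut at '\r' */
        && memcmp(buf + 5, "jmp esp", 8) == 0;   /* tail (incl. its NUL) intact */
}

/* Control case: with no '\r' the whole string is upper-cased, which would
 * corrupt shellcode or an address. Returns 1 if that happened. */
int demo_no_cr_is_mangled(void)
{
    char buf[32];
    const char input[] = "user jmp esp";

    memcpy(buf, input, sizeof input);
    strip_and_upper(buf);
    return strcmp(buf, "USER JMP ESP") == 0;
}

int main(void)
{
    printf("tail after CR survives: %d\n", demo_tail_survives());
    printf("tail without CR mangled: %d\n", demo_no_cr_is_mangled());
    return 0;
}
```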


Protostar exploit exercises – stack7

In this exercise the ret filter is more restrictive. There is a hint that we have to use the return-to-.text technique. This means we have to use assembly instructions from the .text segment of the application to jump to our shellcode. There are a couple of ways to accomplish this: JMP ESP RET…
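As an added example (not from the original post, and not the stack7 binary), the search for such a trampoline in C. The `.text` bytes and the base address are constructed: the fake code contains no `jmp esp` instruction at all, but the immediate of a `mov eax, 0x0000e4ff` happens to contain the bytes `ff e4`, and returning into the middle of that instruction executes them as `jmp esp`. That is the general trick: gadget bytes do not have to sit on an instruction boundary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte patterns of the usual ret2text trampolines on 32-bit x86. */
static const unsigned char JMP_ESP[]      = { 0xff, 0xe4 };
static const unsigned char CALL_ESP[]     = { 0xff, 0xd4 };
static const unsigned char PUSH_ESP_RET[] = { 0x54, 0xc3 };

/* Constructed stand-in for a .text section mapped at TEXT_BASE:
 *   push ebp; mov ebp,esp; sub esp,0x10; mov eax,0x0000e4ff; leave; ret
 * Offset 7 holds ff e4 inside the mov immediate. */
#define TEXT_BASE 0x08048000u
static const unsigned char fake_text[] = {
    0x55, 0x89, 0xe5, 0x83, 0xec, 0x10,
    0xb8, 0xff, 0xe4, 0x00, 0x00,
    0xc9, 0xc3
};

/* Linear scan for `pat` in `text`; returns the virtual address of the
 * first hit, or 0 if absent. Hits inside other instructions count. */
uint32_t find_gadget(const unsigned char *text, size_t len, uint32_t base,
                     const unsigned char *pat, size_t plen)
{
    size_t i;
    for (i = 0; i + plen <= len; i++)
        if (memcmp(text + i, pat, plen) == 0)
            return base + (uint32_t)i;
    return 0;
}

uint32_t demo_find(const unsigned char *pat, size_t plen)
{
    return find_gadget(fake_text, sizeof fake_text, TEXT_BASE, pat, plen);
}

int main(void)
{
    printf("jmp esp      : 0x%08x\n", demo_find(JMP_ESP, sizeof JMP_ESP));
    printf("call esp     : 0x%08x\n", demo_find(CALL_ESP, sizeof CALL_ESP));
    printf("push esp;ret : 0x%08x\n", demo_find(PUSH_ESP_RET, sizeof PUSH_ESP_RET));
    return 0;
}
```

On a real binary you would run the same scan over the bytes of the `.text` section (for example dumped with objdump) and pass the section's load address as `base`; the found address then replaces the return address and ESP points at the shellcode that follows it.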


Protostar exploit exercises – stack6 – ret2libc

This article is really helpful to understand the ret2libc technique. I had never created a ret2libc exploit, so I decided to try a simple one. I printed the “/bin/sh” string with printf. I got the string from the environment variables. I started gdb, set a breakpoint in main, ran the application and checked the environment…


Protostar exploit exercises – stack6 – duplicate shellcode

__builtin_return_address returns the address that the RET instruction restores when the function ends. This is the address we usually overwrite with a buffer overflow. This exercise is a simple buffer overflow; however, the return address has restrictions. It cannot be an address in the 0xbf000000 range, and we cannot jump to our own shellcode, which resides on…


Protostar exploit exercises – net2

 


Protostar exploit exercises – net1