Category: Protostar

Protostar exploit exercises – net0

 


Protostar exploit exercises – format4

Hacking: The Art of Exploitation, 2nd Edition has a section called Overwriting the Global Offset Table. After reading that section this exercise was relatively easy. I disassembled the binary with objdump:

$ objdump -d /opt/protostar/bin/format4

At the last line of the vuln function the exit function is called.

080484d2 <vuln>: … 804850f: e8 d8 fe…


Protostar exploit exercises – format3

In the previous exercise we had to write a certain value into a memory address. That value was 64, which fits into 1 byte. In this exercise we have to write 0x01025544 into target. This can be accomplished if we write the value as two half-words. In this case we have to take care of…


Protostar exploit exercises – format2

This is quite similar to the previous exercise, but this time we have to set a variable to a certain value. The solution is almost the same as the previous one. %n writes the number of characters written so far into the variable. We can change the number of characters written if we append a %XXd in…


Protostar exploit exercises – format1

In this exercise we have to set a variable to a value other than zero. Let us suppose that the address of the variable is the fourth word on the stack. The first word is always the address of the format string. We can select the fourth word by repeating %d twice before %n (%d%d%d%n). If…


Protostar exploit exercises – stack5

This is similar to the previous exercise, however there is no winner function we might be able to call. We have to provide our own shellcode and jump to it. I started with the solution of the previous exercise. I appended 0xcc after the address. 0xcc is INT 3. This instruction stops the application, so…


Protostar exploit exercises – format0

This exercise seems to be simple. We only need 64 characters and then the 0xdeadbeef value. However there is a hint that this exercise should be solved with less than 10 bytes. The sprintf function ‘transforms’ the passed arguments into the buffer. We can exploit this feature: if we pass %064x first, then it is…


Protostar exploit exercises – heap1

The heap1 exercise contains 2 strcpy calls. Let us examine the allocated memory first. Set a breakpoint at 0x08048520. The idea is the following: First we overwrite the address of the i2->name with the first strcpy. We set the i2->name address to the address of the RET address on the stack. i2->name is the destination address…


Protostar exploit exercises – heap0

In this exercise we modify the heap memory to tweak the execution. Let us set breakpoints after each malloc function and examine the memory addresses. The first malloc returns 0x804a008, the second returns 0x804a050. Before each memory address there is an 8-byte header which stores the size of the allocated space. In a more readable form: The second…


Protostar exploit exercises – stack4

In the previous exercises we had to set a variable to a certain value, then we had to set a function pointer to an address of a certain function. In this exercise we learn to modify the execution control in another way. Every time a function call occurs, the address of the next instruction is…