writeups

Protostar Stack-6 Writeup

Stack 6 Source code The following is the source code for Stack 6 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } Challenge In this challenge we again need to modify saved eip like stack 5 but our return address cannot start with 0xb if this happens binary will exit and we wont be able to get a shell so this challenge can be done in numberous ways i am going to use return oriented programming in this

Protostar Stack-5 Writeup

Stack 5 Source code The following is the source code for Stack 5 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Challenge This is a classic buffer overflow challenge in which we need to inject our own shellcode and then modify the saved eip to point to that payload we can find the offset using the same technique as in stack4 challenge and hence the offset is 72 to modify ebp and 76 to modify eip!

Protostar Stack-4 Writeup

Stack 4 Source code The following is the source code for Stack 4 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Challenge In this challenge we need to modify saved EIP in stack so that when the main returns instead of going back to caller function of main it goes to win function

Protostar Stack-3 Writeup

Stack 3 Source code The following is the source code for Stack 3 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08x\n", fp); fp(); } } Challenge In this challenge we needed to modify the fp variable to address of win function so first we needed to find the address of win function which i did using gdb

Protostar Stack-2 Writeup

Stack 2 Source Code The following is the source code for Stack 2 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variable\n"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variable\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } Challenge In this challenge the value of environment variable GREENIE is being copied to buffer and hence we need to set GREENIE environment variable with out playload that will overflow the buffer and will modify the value of modified to 0x0d0a0d0a so this can be done using export statement along with little python magic.

Protostar Stack-1 Writeup

Stack 1 Source Code The following is the source code for Stack 1 Challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argument\n"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right value\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } Challenge In this challenge we needed to modify the modified variable with a specific value (i.

Protostar Stack-0 Writeup

Stack 0 Source Code Here is the source code for the Stack 0 challenge #include <stdlib.h> #include <unistd.h> #include <stdio.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } } Challenge The challenge was to modify modified variable clearly by looking at the source code it’s a stack buffer overflow vulnerability so clearly by providing an input bigger than 64 bytes we can overwrite the modified variable and hence i did that