writeups

Protostar Format-0 Writeup

Format 0 Source Code The following is the source code for Format 0 Challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } Challenge In this challenge we need to modify target variable with 0xdeadbeef as this program uses sprintf function and hence it’s vulnerable to buffer overflow attack and hence filling the buffer with 'A'*64 and then adding the 0xdeadbeef in little endian format we completed this challenge

Protostar Stack-7 Writeup

Stack 7 The following is the source code for Stack 6 challenge Source code 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); } Challenge In this our return address again cannot start with 0xb so we have to again return to user code in order to get crack this challenge, by looking at the source code we can see our input is being stored in heap as well so we can use heap’s address to jump to as it will be more reliable and hence by just breaking before the ret of getpath function we got the address of heap where we can jump to

Protostar Stack-6 Writeup

Stack 6 Source code The following is the source code for Stack 6 challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } Challenge In this challenge we again need to modify saved eip like stack 5 but our return address cannot start with 0xb if this happens binary will exit and we wont be able to get a shell so this challenge can be done in numberous ways i am going to use return oriented programming in this

Protostar Stack-5 Writeup

Stack 5 Source code The following is the source code for Stack 5 challenge 1 2 3 4 5 6 7 8 9 10 11 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Challenge This is a classic buffer overflow challenge in which we need to inject our own shellcode and then modify the saved eip to point to that payload

Protostar Stack-4 Writeup

Stack 4 Source code The following is the source code for Stack 4 challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Challenge In this challenge we need to modify saved EIP in stack so that when the main returns instead of going back to caller function of main it goes to win function

Protostar Stack-3 Writeup

Stack 3 Source code The following is the source code for Stack 3 challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08x\n", fp); fp(); } } Challenge In this challenge we needed to modify the fp variable to address of win function so first we needed to find the address of win function which i did using gdb

Protostar Stack-2 Writeup

Stack 2 Source Code The following is the source code for Stack 2 challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variable\n"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variable\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } Challenge In this challenge the value of environment variable GREENIE is being copied to buffer and hence we need to set GREENIE environment variable with out playload that will overflow the buffer and will modify the value of modified to 0x0d0a0d0a so this can be done using export statement along with little python magic.

Protostar Stack-1 Writeup

Stack 1 Source Code The following is the source code for Stack 1 Challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 #include <stdlib.h>#include <unistd.h>#include <stdio.h>#include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argument\n"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right value\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } Challenge In this challenge we needed to modify the modified variable with a specific value (i.

Protostar Stack-0 Writeup

Stack 0 Source Code Here is the source code for the Stack 0 challenge 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 #include <stdlib.h>#include <unistd.h>#include <stdio.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } } Challenge The challenge was to modify modified variable clearly by looking at the source code it’s a stack buffer overflow vulnerability so clearly by providing an input bigger than 64 bytes we can overwrite the modified variable and hence i did that