http://wiki.zenk-security.com/ 2026-05-05T10:42:39+02:00 http://wiki.zenk-security.com/ http://wiki.zenk-security.com/lib/tpl/dokuwiki/images/favicon.ico text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:final0&rev=1491744837&do=diff #include "../common/common.c" #define NAME "final0" #define UID 0 #define GID 0 #define PORT 2995 /* * Read the username in from the network */ char *get_username() { char buffer[512]; char *q; int i; memset(buffer, 0, sizeof(buffer)); gets(buffer); /* Strip off trailing new line characters */ q = strchr(buffer, '\n'); if(q) *q = 0; q = strchr(buffer, '\r'); if(q) *q = 0; /* Convert to lower case */ for(i = 0; i < strlen(buffer); i++) { … text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:final1&rev=1491744837&do=diff #include "../common/common.c" #include <syslog.h> #define NAME "final1" #define UID 0 #define GID 0 #define PORT 2994 char username[128]; char hostname[64]; void logit(char *pw) { char buf[512]; snprintf(buf, sizeof(buf), "Login from %s as [%s] with password [%s]\n", hostname, username, pw); syslog(LOG_USER|LOG_DEBUG, buf); } void trim(char *str) { char *q; q = strchr(str, '\r'); if(q) *q = 0; q = strchr(str, '\n'); if(q) *q = 0; } void parser() { char … text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:format0&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void vuln(char *string) { volatile int target; char buffer[64]; target = 0; sprintf(buffer, string); if(target == 0xdeadbeef) { printf("you have hit the target correctly :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:format1&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln(char *string) { printf(string); if(target) { printf("you have modified the target :)\n"); } } int main(int argc, char **argv) { vuln(argv[1]); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:format2&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); if(target == 64) { printf("you have modified the target :)\n"); } else { printf("target is %d :(\n", target); } } int main(int argc, char **argv) { vuln(); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:format3&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void printbuffer(char *string) { printf(string); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printbuffer(buffer); if(target == 0x01025544) { printf("you have modified the target :)\n"); } else { printf("target is %08x :(\n", target); } } int main(int argc, char **argv) { vuln(); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:format4&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int target; void hello() { printf("code execution redirected! you win\n"); _exit(1); } void vuln() { char buffer[512]; fgets(buffer, sizeof(buffer), stdin); printf(buffer); exit(1); } int main(int argc, char **argv) { vuln(); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:heap0&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct data { char name[64]; }; struct fp { int (*fp)(); }; void winner() { printf("level passed\n"); } void nowinner() { printf("level has not been passed\n"); } int main(int argc, char **argv) { struct data *d; struct fp *f; d = malloc(sizeof(struct data)); f = malloc(sizeof(struct fp)); f->fp = nowinner; printf("data is at %p, fp is at %p\n", d, f); strcpy(d->name, argv[1])… text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:heap1&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <string.h> #include <stdio.h> #include <sys/types.h> struct internet { int priority; char *name; }; void winner() { printf("and we have a winner @ %d\n", time(NULL)); } int main(int argc, char **argv) { struct internet *i1, *i2, *i3; i1 = malloc(sizeof(struct internet)); i1->priority = 1; i1->name = malloc(8); i2 = malloc(sizeof(struct internet)); i2->priority = 2; i2->name = malloc(8); strcpy(i1->name, argv[1]); strcpy(i2->name,… text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:heap2&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <string.h> #include <sys/types.h> #include <stdio.h> struct auth { char name[32]; int auth; }; struct auth *auth; char *service; int main(int argc, char **argv) { char line[128]; while(1) { printf("[ auth = %p, service = %p ]\n", auth, service); if(fgets(line, sizeof(line), stdin) == NULL) break; if(strncmp(line, "auth ", 5) == 0) { auth = malloc(sizeof(auth)); memset(auth, 0, sizeof(auth)); if(strlen(line + 5) < 31) { … text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:net0&rev=1491744837&do=diff #include "../common/common.c" #define NAME "net0" #define UID 999 #define GID 999 #define PORT 2999 void run() { unsigned int i; unsigned int wanted; wanted = random(); printf("Please send '%d' as a little endian 32bit int\n", wanted); if(fread(&i, sizeof(i), 1, stdin) == NULL) { errx(1, ":(\n"); } if(i == wanted) { printf("Thank you sir/madam\n"); } else { printf("I'm sorry, you sent %d instead\n", i); } } int main(int argc, cha… text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:net1&rev=1491744837&do=diff #include "../common/common.c" #define NAME "net1" #define UID 998 #define GID 998 #define PORT 2998 void run() { char buf[12]; char fub[12]; char *q; unsigned int wanted; wanted = random(); sprintf(fub, "%d", wanted); if(write(0, &wanted, sizeof(wanted)) != sizeof(wanted)) { errx(1, ":(\n"); } if(fgets(buf, sizeof(buf)-1, stdin) == NULL) { errx(1, ":(\n"); } q = strchr(buf, '\r'); if(q) *q = 0; q = strchr(buf, '\n'); if(q) … text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:net2&rev=1491744837&do=diff #include "../common/common.c" #define NAME "net2" #define UID 997 #define GID 997 #define PORT 2997 void run() { unsigned int quad[4]; int i; unsigned int result, wanted; result = 0; for(i = 0; i < 4; i++) { quad[i] = random(); result += quad[i]; if(write(0, &(quad[i]), sizeof(result)) != sizeof(result)) { errx(1, ":(\n"); } } if(read(0, &wanted, sizeof(result)) != sizeof(result)) { errx(1, ":<\n"); } … text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:net3&rev=1491744837&do=diff #include "../common/common.c" #define NAME "net3" #define UID 996 #define GID 996 #define PORT 2996 /* * Extract a null terminated string from the buffer */ int get_string(char **result, unsigned char *buffer, u_int16_t len) { unsigned char byte; byte = *buffer; if(byte > len) errx(1, "badly formed packet"); *result = malloc(byte); strcpy(*result, buffer + 1); return byte + 1; } /* * Check to see if we can log into the host */ int login(unsigned char *buf… text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack0&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; modified = 0; gets(buffer); if(modified != 0) { printf("you have changed the 'modified' variable\n"); } else { printf("Try again?\n"); } } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack1&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; if(argc == 1) { errx(1, "please specify an argument\n"); } modified = 0; strcpy(buffer, argv[1]); if(modified == 0x61626364) { printf("you have correctly got the variable to the right value\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack2&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { volatile int modified; char buffer[64]; char *variable; variable = getenv("GREENIE"); if(variable == NULL) { errx(1, "please set the GREENIE environment variable\n"); } modified = 0; strcpy(buffer, variable); if(modified == 0x0d0a0d0a) { printf("you have correctly modified the variable\n"); } else { printf("Try again, you got 0x%08x\n", modified); } } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack3&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { volatile int (*fp)(); char buffer[64]; fp = 0; gets(buffer); if(fp) { printf("calling function pointer, jumping to 0x%08x\n", fp); fp(); } } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack4&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void win() { printf("code flow successfully changed\n"); } int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Si vous n'avez aucune base en buffer overflow classique, je vous conseil de lire cet article : <http://www.ghostsinthestack.org/article-13-les-buffers-overflows.html> text/html 2012-09-01T14:48:21+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack5&rev=1346503701&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> int main(int argc, char **argv) { char buffer[64]; gets(buffer); } Le niveau est le même que le précédent, sauf que cette fois ci nous devons faire sauter le programme sur notre propre shellcode. On décidé de stocker notre shellcode dans une variable d'environnement. text/html 2012-09-01T15:03:53+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack6&rev=1346504633&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); } text/html 2017-04-09T15:33:57+02:00 http://wiki.zenk-security.com/doku.php?id=exploit_exercises_protostar:stack7&rev=1491744837&do=diff #include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> char *getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xb0000000) == 0xb0000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); return strdup(buffer); } int main(int argc, char **argv) { getpath(); }