Protostar – heap0

Information This level introduces heap overflows and how they can influence code flow. This level is at /opt/protostar/bin/heap0 Source code Solution This level introduces heap overflows. In the code, ‘d’ is allocated on the heap before ‘f’, which means that if I can overflow ‘d’, the overflow overwrites ‘f’. I need to find a vulnerability in ...

Protostar – format4

Information %p format4 looks at one method of redirecting execution in a process. Hints • objdump -TR is your friend This level is at /opt/protostar/bin/format4 Source code Solution In this level, I don’t have to overwrite the content of a variable but to redirect the program to the function hello(). The format string vulnerability is ...

Protostar – format3

Information This level advances from format2 and shows how to write more than 1 or 2 bytes of memory to the process. This also teaches you to carefully control what data is being written to the process memory. This level is at /opt/protostar/bin/format3 Source code Solution This is nearly the same code as in the ...

Protostar – format2

Information This level moves on from format1 and shows how specific values can be written in memory. This level is at /opt/protostar/bin/format2 Source code Solution This time the variable ‘buffer’ can’t be overflowed because it is read with: fgets(buffer, sizeof(buffer), stdin); But the program is vulnerable to a format string attack because of this: printf(buffer); ...

Protostar – format1

Information This level shows how format strings can be used to modify arbitrary memory locations. Hints • objdump -t is your friend, and your input string lies far up the stack 🙂 This level is at /opt/protostar/bin/format1 Source code Solution This level introduces format string vulnerabilities and their exploitation. The vulnerability is here: printf(string); The ...

Protostar – format0

Information This level introduces format strings, and how attacker supplied format strings can modify the execution flow of programs. Hints • This level should be done in less than 10 bytes of input. • “Exploiting format string vulnerabilities” This level is at /opt/protostar/bin/format0 Source code Solution This level is not really about a format string ...

Protostar – stack7

Information Stack6 introduces return to .text to gain code execution. The metasploit tool “msfelfscan” can make searching for suitable instructions very easy, otherwise looking through objdump output will suffice. This level is at /opt/protostar/bin/stack7 Source code Solution Well, I don’t understand the point of this level. It is exactly the same as the previous one. ...

Protostar – stack6

Information Stack6 looks at what happens when you have restrictions on the return address. This level can be done in a couple of ways, such as finding the duplicate of the payload (objdump -s will help with this), or ret2libc, or even return orientated programming. It is strongly suggested you experiment with multiple ways of ...

Protostar – stack5

Information Stack5 is a standard buffer overflow, this time introducing shellcode. This level is at /opt/protostar/bin/stack5 Hints • At this point in time, it might be easier to use someone else's shellcode • If debugging the shellcode, use \xcc (int3) to stop the program executing and return to the debugger • remove the int3s once ...